CSE 4512 Computer Networks-Lab 07 - Manual

Uploaded by ayshamumu764

Lab 07: Configuration of ACLs, NAT, and DHCP

7.1 Objectives:
• Describe the concept of Access Control List (ACL)
• Describe the concept of Network Address Translation (NAT)
• Describe the concept of Dynamic Host Configuration Protocol (DHCP)
• Implement ACL, NAT, and DHCP for given topologies

7.2 Theory:
As with other labs, this lab will also build up on the concepts and techniques of previous labs.
So, make sure you have properly understood the previous lab contents.

This section explores key networking concepts, including Access Control Lists (ACLs), Network Address Translation (NAT), and Dynamic Host Configuration Protocol (DHCP). ACLs are introduced as mechanisms for regulating access to network resources, ensuring that only authorized users or devices can connect to specific services. NAT addresses the limitations of IPv4 address exhaustion by allowing internal devices to use private IP addresses while a gateway router translates these to a smaller number of globally unique addresses for internet communication. DHCP is a protocol that automates the assignment of IP addresses and network configuration, facilitating efficient network management through a server that allocates addresses from a maintained pool.

7.2.1 Access Control List (ACL)


Defining who can/can’t access what is basically the gist of ACL. In our day-to-day lives, we
apply the ACL concept in many areas. A simple example could be that you need to show your
ID card to enter an office. There is a list of employees, and your ID is checked against that list
to grant access. Similar access controls are in effect virtually everywhere, especially in places
where security is critical. In the digital world, this access control is needed so that only the
allowed ones can access a certain digital resource. For example, only admins would be allowed
access to the backend of a web server, or only database admins would be allowed to access a
database server, etc.
In networked devices, ACLs allow only authorized persons/devices to access a certain resource.
For example, you can define that only a certain host device can access your webserver. You
can also define ACLs so that hosts belonging to a particular network can not communicate
with hosts of certain other networks. More scenarios can be defined depending on the needs of
an administrator.
In this part of the lab, we will learn about Cisco IP ACL, i.e., filtering network traffic based
on IP address. Several ACL types can be configured on a Cisco device. However, we will only
focus on Numbered Standard IPv4 ACL. There are two steps to implement an ACL. First,
define the rule. Second, apply the rule to an interface.

The command format for defining a numbered standard IP ACL is:


Router(config)# access-list access_list_number {permit|deny} {(source_address source_wildcard)|any}

In a numbered standard IP ACL you can either permit or deny a packet based only on its source IP address. As in the OSPF configuration, you specify a wildcard mask to permit or deny a range of source addresses that match a given pattern. Remember that whenever you apply an ACL to an interface, all traffic that does not match any rule in the list is discarded by default (the implicit deny at the end of every ACL). Rules are checked from top to bottom and the first match wins. For example, suppose you have defined an ACL that denies a certain source IP. Once you apply that list to an interface, all packets from other sources are also discarded, because no rule matches them. So you must permit the remaining traffic explicitly with another rule in the same list, and the any keyword is handy for this. To permit (or deny) every packet not matched by the earlier rules, put the keyword any in place of source_address and source_wildcard, like the following:
Router(config)# access-list 1 permit any
Also note that only the numbers 1 to 99 can be used for a numbered standard ACL; other numbers are used for extended numbered ACLs. After defining the rules, you must apply the list to an interface. Remember that an ACL has no effect until it is applied. The command format for applying an ACL to an interface is:
Router(config-if)# ip access-group access_list_number {in|out}
The ACL is applied either to the inbound or to the outbound traffic of an interface, and you select which with the corresponding keyword, i.e., in or out. A good practice before applying an ACL to an interface is to verify the rules with the following command:
Router# show access-lists

7.2.2 Network Address Translation (NAT)


You already know from your theory lectures that IPv6 was born partly due to the address space
exhaustion of IPv4. One great technique that was the key to the survival of IPv4 is NAT. If
not for NAT, IPv4 would be long gone by now. And that gave the world some time to adopt
IPv6 on a mass scale. In this part of the lab, you will learn about this special technique called
NAT.

Basically, the idea of NAT is that there will be a set of IP addresses for the hosts in the internal
network, and to the outside world, those internal hosts will be exposed using a different set of
IP addresses. You know that each host is recognized through its IP address on the internet.
To conform with this, each host connected to the internet must have a unique IP, which would
readily become nearly impossible considering billions of connected devices.

NAT allows you to assign arbitrary IP addresses from the Private IP range to your internal
hosts where these addresses are only locally significant, i.e., locally unique. Then, in the edge
or gateway router of the network, you will have one or a set of IP addresses that are globally
unique. That edge or gateway router will convert/translate from a globally unique address to
a locally unique one or vice versa. The outside world will not know the actual IP addresses
of internal hosts. Moreover, your organization needs to buy only a handful of global IP addresses from the ISP and can still serve a far larger number of internal hosts, addressed from the private ranges, through NAT. The following figure summarizes what we just discussed.

Figure 7.1: Network Address Translation from internal Private IP addresses to the globally
unique IP address.

Now that we know the basics of NAT, let us get technical. There are three types of NAT that you can define on Cisco devices: Static, Dynamic, and Overloaded, also called Port Address Translation (PAT).

Static NAT
It allows one-to-one mapping between local and global addresses. You will have to configure
one global IP address for each internal host you want NAT to translate. The command to
enable the static translation is as follows:
Router(config)# ip nat inside source static local_ip global_ip
After you have specified the translation, you must do two things: first, specify the inside interface, and second, specify the outside interface. The inside interface is the one whose connected hosts will have their addresses translated to the global one; the outside interface is the one through which the translated packets leave toward the outside world. There can be more than one inside or outside interface. Once these interfaces are specified, NAT starts the configured translations. The inside and outside interfaces must also be specified for the other two NAT types. The commands to mark the inside and outside interfaces are:
Router(config-if)# ip nat inside
Router(config-if)# ip nat outside
Dynamic NAT
This type of NAT establishes a mapping between a local address and a pool of global addresses.
A global IP address will be selected dynamically from the pool for a single local address. When
not in use, the assigned global IP will be released after a certain time-out period so other hosts
can reuse it. This is more convenient than the static one as you do not need to manually
configure every mapping. To configure dynamic NAT, you must create an access list that
permits the local addresses to be translated. The command format for defining a numbered
standard IP ACL is:

Router(config)# access-list access_list_number permit source_address source_wildcard
Then, you have to specify the pool of global IP addresses from where the IPs will be allocated.
The pool is a range of IP addresses in a given network where the subnet mask will specify the
corresponding network portion. The command to specify the pool is as follows:
Router(config)# ip nat pool POOL_NAME start_ip end_ip netmask subnet_mask
Then, you must establish the relation between the earlier defined access list and the nat pool
through the following command:
Router(config)# ip nat inside source list access_list_number pool POOL_NAME
After that, you must specify the inside and outside interfaces exactly as for static NAT.
Port Address Translation (PAT)
In the worst case, dynamic NAT would need as many global IP addresses as there are internal hosts. This is not feasible in most circumstances, where you have a limited number of global IPs and hundreds of local hosts. This is where PAT comes in. PAT establishes a many-to-one mapping between local hosts and a single global IP address. It uses the TCP/UDP port information to distinguish between the different internal hosts and assigns the same global IP to all of them, thus greatly conserving the global address pool. The configuration of PAT is almost identical to dynamic NAT, except that you add the overload keyword at the very end when specifying the relation between the access list and the NAT pool. The command format is:
Router(config)# ip nat inside source list access_list_number pool POOL_NAME overload

7.2.3 Dynamic Host Configuration Protocol (DHCP)


DHCP is a network management protocol used to automate the process of configuring devices on IP networks, thus allowing them to use network services such as DNS, NTP, and any communication protocol based on UDP or TCP. A DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so it can communicate with other IP networks.

The DHCP server maintains a database of available IP addresses and configuration information. When it receives a request from a client, the DHCP server determines the network to which the DHCP client is connected, then allocates an IP address or prefix appropriate for the client from that network, and sends configuration information appropriate for that client.

The DHCP server and DHCP client must be connected to the same network link. In larger networks, each network link contains one or more DHCP relay agents. These DHCP relay agents receive messages from DHCP clients and forward them to DHCP servers. DHCP servers send responses back to the relay agent, and the relay agent then sends these responses to the DHCP client on the local network link.

DHCP servers typically grant IP addresses to clients for a limited interval called a lease. DHCP
clients are responsible for renewing their IP address before that interval has expired and must
stop using it once it has expired if they have not been able to renew it.

7.3 Configuration of NAT, DHCP, and ACL with Cisco Devices:
7.3.1 Configure ACL
A router of device model 2911, three switches of device model 2960, and three PCs have been
used in the sample topology shown in Figure 7.2 for the ACL configuration.

Figure 7.2: A sample network topology for the configuration of ACL.

a. Configure R1 Interfaces
Router(config)# int g0/0
Router(config-if)# ip address 192.168.10.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# int g0/1
Router(config-if)# ip address 192.168.20.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# int g0/2
Router(config-if)# ip address 192.168.30.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# end
Router# copy running-config startup-config

b. Configure PC0
IP: 192.168.10.5
Mask: 255.255.255.0
Gateway: 192.168.10.1

c. Configure PC1
IP: 192.168.20.5
Mask: 255.255.255.0
Gateway: 192.168.20.1

d. Configure PC2
IP: 192.168.30.5
Mask: 255.255.255.0
Gateway: 192.168.30.1

e. Define ACL
Router(config)# access-list 1 deny 192.168.10.0 0.0.0.255
Router(config)# access-list 1 permit any

f. Verify ACL
Router# show access-lists

g. Apply ACL
Router(config)# interface g0/2
Router(config-if)# ip access-group 1 out

h. Verify that the ACL has been applied to the router interface

i. Go to the simulation mode.
ii. From the event list filters, allow only ICMP messages.
iii. Send a ping from PC0 to PC2.
iv. The router will not forward the ping to PC2, because ACL 1 on g0/2 denies traffic sourced from 192.168.10.0/24. Instead, it sends a notification message (ICMP destination unreachable) back to PC0.
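The first-match and implicit-deny behaviour described in 7.2.1, checked against the lab's own rules from step e, as an added Python example that is not part of the manual: it parses numbered standard ACL lines with Cisco wildcard semantics and evaluates source addresses against them (it also accepts the IOS host shorthand, which the manual does not cover). ACL 2 below is a constructed copy of step e without its permit any line, to show why that second line is needed.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(lines):
    """Parse 'access-list N {permit|deny} {addr wildcard | host addr | addr | any}' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0] != "access-list":
            continue
        number, action = int(parts[1]), parts[2]
        if not 1 <= number <= 99 or action not in ("permit", "deny"):
            raise ValueError(f"not a numbered standard ACL entry: {line}")
        if parts[3] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":            # IOS shorthand for a single address
            base, wildcard = parts[4], "0.0.0.0"
        else:                               # explicit wildcard, or none (= 0.0.0.0)
            base = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((number, action, base, wildcard))
    return entries


def evaluate(entries, acl_number, src_ip):
    """First matching entry wins, top to bottom; no match means the implicit deny at the end."""
    for number, action, base, wildcard in entries:
        if number == acl_number and wildcard_match(src_ip, base, wildcard):
            return action
    return "deny"


# Constructed input: ACL 1 is exactly the lab's step e; ACL 2 forgot the 'permit any'.
LAB_ACL = parse_acl([
    "access-list 1 deny 192.168.10.0 0.0.0.255",
    "access-list 1 permit any",
    "access-list 2 deny 192.168.10.0 0.0.0.255",
])


def outbound_verdicts(acl_number, sources=("192.168.10.5", "192.168.20.5")):
    """Verdicts ACL `acl_number` gives to packets leaving g0/2 from each source (PC0, PC1)."""
    return {src: evaluate(LAB_ACL, acl_number, src) for src in sources}


if __name__ == "__main__":
    print(outbound_verdicts(1))  # PC0 denied, PC1 permitted
    print(outbound_verdicts(2))  # everyone denied: the implicit deny bites
```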

7.3.2 Configure Static NAT
Two routers of device model 2811, one switch of device model 2960, two PCs, and one server
have been used in the sample topology shown in Figure 7.3 for the NAT configuration.

Figure 7.3: A sample network topology for the configuration of NAT.

a. Configure R0 Interfaces
Router(config)# int fa0/0
Router(config-if)# ip address 192.168.10.1 255.255.255.0
Router(config-if)# no shutdown
Router(config)# int fa0/1
Router(config-if)# ip address 20.20.20.1 255.255.255.252
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# ip route 10.0.0.0 255.255.255.0 20.20.20.2
Router(config)# exit
Router# copy running-config startup-config

b. Configure R1 Interfaces
Router(config)# int fa0/1
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# no shutdown
Router(config)# int fa0/0
Router(config-if)# ip address 20.20.20.2 255.255.255.252
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# ip route 192.168.10.0 255.255.255.0 20.20.20.1
Router(config)# exit
Router# copy running-config startup-config

c. Configure PC0
IP: 192.168.10.5
Mask: 255.255.255.0
Gateway: 192.168.10.1

d. Configure PC1
IP: 192.168.10.10
Mask: 255.255.255.0
Gateway: 192.168.10.1

e. Configure Server0
IP: 10.0.0.5
Mask: 255.255.255.0
Gateway: 10.0.0.1

f. Enable static NAT inside Router1
Router(config)# ip nat inside source static 10.0.0.5 50.0.0.5
Router(config)# int fa0/1
Router(config-if)# ip nat inside
Router(config)# int fa0/0
Router(config-if)# ip nat outside
Router(config-if)# end
Router# copy running-config startup-config

g. Verify NAT
Router# show ip nat translations
Router# show ip nat statistics

7.3.3 Configure Dynamic NAT
The same network topology, with the same device models as shown in Figure 7.3, has been used for this configuration.

The parts Configure R0 Interfaces, Configure R1 Interfaces, Configure all the PCs and Server0, and Verify NAT are the same as in section 7.3.2. The only difference is the NAT configuration inside Router1.
a. Enable dynamic NAT inside Router1
Create an ACL that permits all the IP addresses from the network 192.168.10.0/24.
Router(config)# access-list 1 permit 192.168.10.0 0.0.0.255

Create a NAT pool for the global IP addresses from the network 50.0.0.0/30.
Router(config)# ip nat pool NAT_Pool 50.0.0.1 50.0.0.3 netmask 255.255.255.252

Configure the NAT translation from the ACL to the NAT pool, then mark the interfaces with the appropriate inside and outside NAT commands.
Router(config)# ip nat inside source list 1 pool NAT_Pool
Router(config)# int fa0/1
Router(config-if)# ip nat inside
Router(config)# int fa0/0
Router(config-if)# ip nat outside
Router(config-if)# end
Router# copy running-config startup-config
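Dynamic NAT versus PAT from 7.2.2, worked on the pool of 7.3.3 (50.0.0.1 to 50.0.0.3), as an added Python example that is not part of the manual: with four inside hosts, dynamic NAT runs out of global addresses at the fourth host, while PAT (overload) puts all four behind one address and tells them apart by translated port. The host list and the sequential port allocation are constructed simplifications, not what IOS does internally.

```python
import ipaddress

class DynamicNat:
    """Dynamic NAT: each inside local address borrows a whole global address from the pool."""
    def __init__(self, pool_start, pool_end):
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.table = {}  # inside local -> inside global

    def translate(self, local_ip):
        if local_ip in self.table:
            return self.table[local_ip]
        if not self.free:
            return None  # pool exhausted: the packet is dropped until a mapping times out
        self.table[local_ip] = self.free.pop(0)
        return self.table[local_ip]

    def expire(self, local_ip):
        """Translation time-out: the global address goes back to the pool."""
        self.free.append(self.table.pop(local_ip))

class Pat:
    """PAT (overload): many inside hosts share one global address, told apart by port."""
    def __init__(self, global_ip, first_port=1024):
        self.global_ip, self.next_port = global_ip, first_port
        self.outbound = {}  # (local_ip, local_port) -> (global_ip, global_port)
        self.inbound = {}   # global_port -> (local_ip, local_port)

    def translate(self, local_ip, local_port):
        key = (local_ip, local_port)
        if key not in self.outbound:
            self.outbound[key] = (self.global_ip, self.next_port)
            self.inbound[self.next_port] = key
            self.next_port += 1
        return self.outbound[key]

    def untranslate(self, global_port):
        """Reverse lookup for a reply arriving on the outside interface."""
        return self.inbound.get(global_port)

# Constructed inside hosts from 192.168.10.0/24, the network permitted by ACL 1 in 7.3.3.
HOSTS = ["192.168.10.5", "192.168.10.10", "192.168.10.15", "192.168.10.20"]

def compare(hosts=HOSTS):
    """Return (dynamic NAT mapping, PAT mapping) for the same set of hosts."""
    nat = DynamicNat("50.0.0.1", "50.0.0.3")
    pat = Pat("50.0.0.1")
    dynamic = {h: nat.translate(h) for h in hosts}
    overload = {h: pat.translate(h, 40000 + i) for i, h in enumerate(hosts)}
    return dynamic, overload
```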

7.3.4 Configure DHCP (using server)
A router of device model 2811, two switches of device model 2960, two PCs, two laptops,
and one server have been used in the sample topology shown in Figure 7.4 for the DHCP
configuration.

Figure 7.4: A sample network topology for the configuration of DHCP.

a. Configure DHCP Server
IP Address: 192.168.1.2
Default Gateway: 192.168.1.1

b. Make DHCP Pools
Go to Services and then DHCP, and change the following fields.
Pool Name: dotONEnetwork
Default Gateway: 192.168.1.1
Start IP: 192.168.1.3
Max Number: 20

Select Add to add the Address Pool to the server. Select Save to save the modification to
the server.
To add another pool to the server, change the information as follows and then hit Add and
Save buttons again.
Pool Name: dotTWOnetwork
Default Gateway: 192.168.2.1
Start IP: 192.168.2.2
Max Number: 20

Do not forget to turn on the DHCP server.

c. Configure R1 Interfaces
R1(config)# int fa0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# ip helper-address 192.168.1.2
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# int fa0/1
R1(config-if)# ip address 192.168.2.1 255.255.255.0
R1(config-if)# ip helper-address 192.168.1.2
R1(config-if)# no shutdown
R1(config-if)# end
R1# copy running-config startup-config

d. Configure all the PCs
Just select DHCP in each PC's IP configuration and the server will do the rest.
e. Verify
Ping PC1 from PC0

7.3.5 Configure DHCP (using router)

The same network topology, with the same device models as shown in Figure 7.4, has been used for this configuration.

Configure the DHCP server on the router instead of on a separate server.

R1(config)# ip dhcp pool dotONEnetwork
R1(dhcp-config)# default-router 192.168.1.1
R1(dhcp-config)# network 192.168.1.0 255.255.255.0
R1(dhcp-config)# exit

R1(config)# ip dhcp pool dotTWOnetwork
R1(dhcp-config)# default-router 192.168.2.1
R1(dhcp-config)# network 192.168.2.0 255.255.255.0
R1(dhcp-config)# exit
The rest of the configuration, i.e., Configure R1 Interfaces, Configure all the PCs, and Verify, is the same as in section 7.3.4.

Use show ip dhcp binding on the router to see which addresses the configured DHCP pools have leased to clients.
