Configuring PPP, CHAP Practice Lab - PKT


In today’s practice lab, we have a main objective to focus on. Some
configurations in this network were supposed to be preconfigured for
you so that you could concentrate on the main objective, but I will do
the initial configurations with you first and then work on the main
objective, so you can see how this lab was prepared for you.
The interfaces on the devices have already been configured for you. I
will start with the configurations that we need for our lab, beginning
with the Remote router.
In the description of this video, you will find two files: the Packet
Tracer source file and the document that walks you through the lab
step by step.
I hope my videos are helpful for those who are seeking to be Cisco
certified. If you like my videos, please subscribe to my channel, share
the videos on your Facebook page, give me a thumbs up, and please send
me any suggestions, questions or comments.
I will configure NAT

On Remote router:
# conf t
# ip nat inside source list 1 interface s0/0/0 overload
# int g0/0
# ip nat inside
# int g0/1
# ip nat inside
# int s0/0/0
# ip nat outside
Next,
I will configure a default route
# conf t
# ip route 0.0.0.0 0.0.0.0 209.165.200.226 100

Next,
I will configure DHCP on the router for LAN 1 and LAN 2
# conf t
# ip dhcp excluded-address 192.168.1.1 192.168.1.9
# ip dhcp excluded-address 192.168.0.1 192.168.0.9
The pool name for LAN 1 is G0
# ip dhcp pool G0
# network 192.168.0.0 255.255.255.0
# default-router 192.168.0.1
# dns-server 209.165.201.29
Next, I will configure DHCP for LAN 2
The pool name for LAN 2 is G1
# ip dhcp pool G1
# network 192.168.1.0 255.255.255.0
# default-router 192.168.1.1
# dns-server 209.165.201.29
Let’s check the PCs if they received their IP configuration.

Next,
I will configure IPv6 EIGRP on the router with AS 65001 and router ID:
2.2.2.2
# ipv6 unicast-routing
# ipv6 router eigrp 65001
# eigrp router-id 2.2.2.2
# exit
# int g0/0
# ipv6 eigrp 65001
# int g0/1
# ipv6 eigrp 65001
# int s0/0/0
# ipv6 eigrp 65001

The Main router.


I will configure NAT on the router.
# conf t
# ip nat inside source list 1 interface s0/0/0 overload
# int g0/0
# ip nat inside
# int g0/1
# ip nat inside
# int s0/0/0
# ip nat outside
# exit

NEXT,
I will configure a default route
# conf t
# ip route 0.0.0.0 0.0.0.0 209.165.200.230

Next:
I will configure DHCP on the Main router.
# conf t
# ip dhcp excluded-address 192.168.2.1 192.168.2.9
# ip dhcp pool G0
# network 192.168.2.0 255.255.255.0
# default-router 192.168.2.1
# dns-server 209.165.201.29
Let me check to see if the PC in LAN 2 got its IP configuration.
I will configure IPv6 EIGRP with AS 65001
# ipv6 unicast-routing
# ipv6 router eigrp 65001
# eigrp router-id 1.1.1.1
# exit
# int g0/0
# ipv6 eigrp 65001
# int g0/1
# ipv6 eigrp 65001
# int s0/0/0
# ipv6 eigrp 65001

NEXT:
The Outside router.
I will configure a username of “Admin1”, privilege of 15 and a
password of cisco
# conf t
# username Admin1 privilege 15 password cisco
Another username of “User” and password of “cisco”
# username User password cisco

Next:
I will configure SSH on Outside router.
# line vty 0 4
# transport input ssh
# login local
# exit
# ip domain-name CompanyPrivate
# crypto key generate rsa
# 1024

NEXT:
I will configure DHCP on the router
# ip dhcp excluded-address 192.168.3.1 192.168.3.9
# ip dhcp pool G1
# network 192.168.3.0 255.255.255.0
# default-router 192.168.3.1
# dns-server 209.165.201.29
Let us check to see if the Outside PC received its IP configuration.
I will configure NAT on the router.
# conf t
# ip nat inside source list 1 interface s0/0/0 overload
# int g0/1
# ip nat inside
# int s0/0/0
# ip nat outside

NEXT:
I will configure IPv6 EIGRP with AS 65001 on the router.
# ipv6 unicast-routing
# ipv6 router eigrp 65001
# eigrp router-id 3.3.3.3
# exit
# int g0/1
# ipv6 eigrp 65001
# int s0/0/0
# ipv6 eigrp 65001

Next,
I will configure a default route
# ip route 0.0.0.0 0.0.0.0 209.165.200.237

NEXT:
The ISP-2 router.
I will configure IPv6 EIGRP AS 65001
# conf t
# ipv6 unicast-routing
# ipv6 router eigrp 65001
# eigrp router-id 5.5.5.5
# exit
# int g0/1
# ipv6 eigrp 65001
# int s0/0/0
# ipv6 eigrp 65001
# int s0/1/1
# ipv6 eigrp 65001

Next,
I will configure DHCP on the router.
# ip dhcp excluded-address 209.165.201.1 209.165.201.9
# ip dhcp pool G1
# network 209.165.201.0 255.255.255.224
# default-router 209.165.201.1
# dns-server 209.165.201.29
Let me check to see if the External PC received its IP configuration.

Next,
I will configure static routes on ISP-2:
# conf t
# ip route 209.165.200.224 255.255.255.252 209.165.200.233
The network between Remote and ISP1
# ip route 209.165.200.228 255.255.255.252 209.165.200.233
The Network between Main router and ISP-1
# ip route 209.165.202.128 255.255.255.224 209.165.200.233
The Main Svr on LAN 1

NEXT:
The ISP-1 Router
I will configure IPv6 EIGRP AS 65001 on the ISP-1 router
# conf t
# ipv6 unicast-routing
# ipv6 router eigrp 65001
# eigrp router-id 4.4.4.4
# exit
# int s0/1/1
# ipv6 eigrp 65001
# int s0/0/1
# ipv6 eigrp 65001
# int s0/0/0
# ipv6 eigrp 65001

Next
I will configure PPP and CHAP on the ISP-1 router.
# int s0/0/1
# encapsulation ppp
# ppp authentication chap
# int s0/0/0
# encapsulation ppp
# ppp authentication chap
I will configure two usernames “Main” and “Remote” with password
of “cisco”
# username Main password cisco
# username Remote password cisco

NEXT:
I will configure BGP on the ISP-1 router.
# conf t
# router bgp 65001
# neighbor 209.165.200.229 remote-as 65020
# redistribute static
# exit

Next,
I will configure static routes on the router.
# conf t
# ip route 209.165.201.0 255.255.255.224 209.165.200.234
The external network on the LAN of the ISP-2
# ip route 209.165.200.236 255.255.255.252 209.165.200.234
The network between ISP-2 and the Outside router

NOW, as I am done with the initial configurations, I will work on the
main objectives.
I will configure PPP encapsulation and CHAP authentication for the
serial links
Then I will configure GRE tunnel between the Remote router and the
Main router.
Then I will configure OSPF on the network
After that I will configure BGP,
And then I will configure standard and extended IPv4 ACLs, and also
IPV6 ACLs.
When you download the files located in the description of this video,
run the show run command on the devices, one router at a time, and
take your time studying the output.
On the Remote router, I will configure PPP and CHAP authentication
on the appropriate interface, and I also will configure GRE and OSPF
and IPv4 ACL.
On the Outside router, I will only configure standard IPv4 ACL.
On the Main router, I will configure PPP and CHAP authentication on
the appropriate interface, then configure GRE tunnel, OSPF, and both
standard and extended IPv4 ACL, and also IPv6 ACL.
I will start by configuring PPP encapsulation and authentication for
the link between Main router and ISP-1 router, and the link between
Remote router and the ISP-1 router.

On Main Router:
# conf t
# int s0/0/0
# encapsulation ppp

On Remote Router:
# conf t
# int s0/0/0
# encapsulation ppp
Router ISP-1 is already preconfigured
Next, I will configure CHAP between the links

On Main Router:
# ppp authentication chap

On Remote Router:
# ppp authentication chap

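Next,
I will configure the correct username and the password “cisco” for
CHAP authentication on both Main and Remote routers. For CHAP, the
username on each router must match the hostname of the router at the
other end of the link, and the password must be the same on both ends.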

On the Main router:


# conf t
# username ISP-1 password cisco

On the Remote router:


# username ISP-1 password cisco
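
How the `username` statements on each end are used during the CHAP handshake, as an added Python sketch following RFC 1994 (not part of the original lab files). The dictionaries stand in for each router's local user database and are constructed for illustration.

```python
import hashlib
import hmac
import os

# Local user databases, modelled as dicts (constructed for illustration).
# Names and the secret "cisco" mirror the username statements in this lab.
ISP1_USERS = {"Main": b"cisco", "Remote": b"cisco"}
MAIN_USERS = {"ISP-1": b"cisco"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticate(auth_name, auth_users, peer_name, peer_users) -> bool:
    """One direction of CHAP: auth_name challenges peer_name."""
    # 1. Challenge: authenticator sends identifier, random challenge, its name.
    identifier, challenge = os.urandom(1)[0], os.urandom(16)
    # 2. Response: peer looks up the secret stored under the challenger's
    #    name and returns the hash plus its own name. The secret is never sent.
    peer_secret = peer_users.get(auth_name)
    if peer_secret is None:
        return False  # no username entry for the challenger
    response = chap_response(identifier, peer_secret, challenge)
    # 3. Verify: authenticator recomputes the hash from its own entry for the
    #    peer's name and compares in constant time.
    local_secret = auth_users.get(peer_name)
    if local_secret is None:
        return False
    expected = chap_response(identifier, local_secret, challenge)
    return hmac.compare_digest(response, expected)


def link_authenticates(a_name, a_users, b_name, b_users) -> bool:
    """Both ends run 'ppp authentication chap', so both directions must pass."""
    return (authenticate(a_name, a_users, b_name, b_users)
            and authenticate(b_name, b_users, a_name, a_users))


if __name__ == "__main__":
    print(link_authenticates("ISP-1", ISP1_USERS, "Main", MAIN_USERS))
```

A name or password mismatch on either router makes one direction fail, which is why the serial link stays down until both `username` entries are correct.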

NEXT,
I will configure GRE tunnel with routing between the Main router and
the Remote router.

On the Main router:


# conf t
# int tunnel 0
# tunnel mode gre ip
# tunnel source s0/0/0
# tunnel destination 209.165.200.225
# ip address 172.16.1.1 255.255.255.252

On the Remote router:


# conf t
# int tunnel 0
# tunnel mode gre ip
# tunnel source s0/0/0
# tunnel destination 209.165.200.229
# ip address 172.16.1.2 255.255.255.252

NEXT:
I will configure OSPF 1 to route the traffic between the LANs of Main
router and Remote router through the GRE tunnel. I will use area “0”.

On the Main router:


# conf t
# router ospf 1
I will use the command “show ip route connected” on the Main
router to see the directly connected networks.
# do show ip route connected
Notice the networks showing in the routing table.
# network 172.16.1.0 0.0.0.3 area 0
# network 192.168.2.0 0.0.0.255 area 0
On the Remote router:
# conf t
# router ospf 1
# network 172.16.1.0 0.0.0.3 area 0
# network 192.168.0.0 0.0.0.255 area 0
# network 192.168.1.0 0.0.0.255 area 0

NEXT:
I will configure the Main router with BGP.
I will configure BGP between the ISP-1 and the 209.165.202.128/27
network on the Main router. I will use the AS 65020 on the Main
Router.

On the Main router:


# conf t
# router bgp 65020
ISP-1 should be used as the BGP neighbor.
# neighbor 209.165.200.230 remote-as 65001
I will advertise only LAN 2 on the Main router with the IP address
209.165.202.128/27
# network 209.165.202.128 mask 255.255.255.224
# do show ip route
Notice the OSPF and BGP routes in the routing table.

NEXT,
I will configure ACL for NAT
I will configure a standard access list numbered “1” on the Remote
router to allow NAT translation for hosts in networks 192.168.0.0/23,
I will use only one statement for both LANs.

On the Remote router:


# conf t
# access-list 1 permit 192.168.0.0 0.0.1.255
This single statement covers both LAN 1 and LAN 2.

NEXT,
I will configure a standard access list numbered “1” on the Main
router to allow NAT translation for hosts in network 192.168.2.0/24, I
will use only one statement for my ACL.

On Main router:
# access-list 1 permit 192.168.2.0 0.0.0.255

NEXT,
I will configure a standard access list numbered “1” on Outside router
to allow NAT translation for hosts in network 192.168.3.0/24, I will
also use one statement in the ACL.
# access-list 1 permit 192.168.3.0 0.0.0.255

Next,
I will configure a standard ACL to restrict remote administrative
access to the Outside router.
A standard ACL named “ADMIN” is configured to limit access via VTY
to the Outside router. This ACL will only allow hosts from the LAN
attached to the G0/1 interface and hosts from the LANs on the
Remote router to access the Outside router; all other connections to
VTY should fail. I must use the “host” and “any” keywords where
appropriate.

On Outside router:
# conf t
# ip access-list standard ADMIN
I will configure one ACL named “ADMIN” with three ACEs (Access
Control Entries).
The first is to allow any hosts from the LAN attached to the G0/1
interface of Outside router to access the router remotely.
# permit 192.168.3.0 0.0.0.255
The second one is to use the NAT- Translated public address to allow
the hosts from the LANs in the Remote network to access the Outside
router remotely

# permit host 209.165.200.225
The third one to deny all other remote connections.
# deny any
Next, I will apply the ACL to the appropriate interface.
# line vty 0 4
# access-class ADMIN in
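
How the wildcard masks, first-match order and implicit deny in the standard ACLs above decide a packet's fate, as an added Python example (not part of the original lab files). It covers only standard ACEs, and the source addresses used to exercise it are constructed.

```python
import ipaddress

# ACEs copied from the lab: ADMIN on Outside, ACL 1 on Remote.
ADMIN = ["permit 192.168.3.0 0.0.0.255",
         "permit host 209.165.200.225",
         "deny any"]
NAT_REMOTE = ["permit 192.168.0.0 0.0.1.255"]


def _ip(text):
    # Raises ValueError for a malformed address or wildcard such as "0.0.255".
    return int(ipaddress.IPv4Address(text))


def parse_ace(line):
    """Parse 'permit|deny' followed by 'any', 'host A', 'A' or 'A WILDCARD'."""
    action, *rest = line.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    if rest == ["any"]:
        return action, 0, 0xFFFFFFFF          # every bit is "don't care"
    if len(rest) == 2 and rest[0] == "host":
        return action, _ip(rest[1]), 0        # every bit must match
    if len(rest) == 1:
        return action, _ip(rest[0]), 0
    if len(rest) == 2:
        return action, _ip(rest[0]), _ip(rest[1])
    raise ValueError(f"cannot parse {line!r}")


def evaluate(aces, source):
    """Return 'permit' or 'deny' for a source address; first match wins."""
    src = _ip(source)
    for line in aces:
        action, addr, wildcard = parse_ace(line)
        care = ~wildcard & 0xFFFFFFFF         # wildcard 1-bits are ignored
        if (src & care) == (addr & care):
            return action
    return "deny"                             # implicit deny at the end


if __name__ == "__main__":
    for src in ("192.168.3.10", "209.165.200.225", "192.168.0.10"):
        print(src, evaluate(ADMIN, src))
```

A Remote LAN host is matched on its NAT-translated address 209.165.200.225, not its private 192.168.0.x address, which is why the second ACE uses the `host` keyword with the public address.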

NEXT,
I will configure an extended ACL to restrict access to the Main router.
I will configure an extended ACL named “HTTP_ACCESS” that allows
Remote LANs, other LANs and the LAN inside Main router to access
the Main server via a web browser.
I will configure this ACL with 5 ACEs.
The first one, I will use NAT-Translated public address to allow the
hosts from the Remote router LANs to access the NAT-Translated
public address of the Main server via a web browser.

On the Main router:


# conf t
# ip access-list extended HTTP_ACCESS
# permit tcp host 209.165.200.225 host 209.165.202.158 eq 80
I will use NAT-translated public address to allow the hosts from the
Outside router LANs to access the NAT-translated public address of
the Main Srv via web browser.
# permit tcp host 209.165.200.238 host 209.165.202.158 eq 80

Next,
I will allow the Main internal network 192.168.2.0/24 to access the
Main Srv.
# permit ip 192.168.2.0 0.0.0.255 host 209.165.202.158

Next:
I will allow ICMP echo replies to Main Svr from any network
# permit icmp any host 209.165.202.158 echo-reply

Next,
I will explicitly deny all other traffic from accessing Main Svr
# deny ip any host 209.165.202.158

Finally,
I will apply the ACL to the Main router’s G0/1 interface.
# int g0/1
# ip access-group HTTP_ACCESS out

NEXT:
I will configure IPv6 access list to restrict access to the Main LAN.
I will configure an IPv6 list named “HTTP6” that allows Remote LANs,
the Outside LANs and the LAN inside Main to access Main Svr via the
web browser.
# conf t
# ipv6 access-list HTTP6
I will allow the hosts from the Remote router LAN 1 to access the
Main Svr.
# permit tcp 2001:DB8:ABCD::/64 host 2001:DB8:ABCD:B::158 eq 80
I will also allow the hosts from Remote LAN 2 to access the Main Svr.
# permit tcp 2001:DB8:ABCD:1::/64 host 2001:DB8:ABCD:B::158 eq 80
Next, I will allow the hosts from Outside LAN to access Main Svr
# permit tcp 2001:DB8:ABCD:3::/64 host 2001:DB8:ABCD:B::158 eq 80
Next, I will allow the Main internal network 2001:DB8:ABCD:2::/64 to
access the Main Svr
# permit ipv6 2001:DB8:ABCD:2::/64 host 2001:DB8:ABCD:B::158

Next
I will allow ICMP echo reply to Main Svr from other networks
# permit icmp any host 2001:DB8:ABCD:B::158 echo-reply

Finally,
I will apply the ACL to the Main router’s G0/1 interface
# int g0/1
# ipv6 traffic-filter HTTP6 out
