Cisco ICND2 – Explain the basic operation of NAT

Network Address Translation allows private IPv4 addresses to be translated to an IPv4 public address to communicate over the Internet. This saves public IP addresses as not every device needs a public IP address and if we allowed that we would’ve run out of IPv4 addresses by now.

NAT allows multiple private IPv4 addresses to be translated to one public IP address, therefore saving public IP addresses.

There are three different types of NAT.

  1. Static NAT – This is a one-to-one translation, one private IP address will be translated to one public IP address
  2. Dynamic NAT – You don’t need to manually map each IP static with dynamic NAT but you do need to ensure you have enough public IPs for the private IPs to be translated to.
  3. Overloading (PAT) – This is a many-to-one translation, multiple private IP addresses will be translated to one public IP, kinda cool right? This is the reason we haven’t run out of IPv4 addresses yet.

Cisco ICND2 – Troubleshoot ACL implementation issues

Some tips when troubleshooting ACL:

  • Ensure correct IP and wildcast masks are correctly entered into the ACL
  • Ensure an access-group is applied to an interface
  • If no traffic is permitted, all traffic will be denied, there is an explicit deny.
  • Access-lists are read top to bottom, if a first match is found it will stop reading. So if a deny is specified it may block a permit statement. Order of ACL is important.
  • Remarks can be added to ACL to make reading them in future easier using the access-list <number> remark “This ACL blocks FTP”

Cisco ICND2 – Configure and apply access control lists based on network filtering requirements

I have created two access lists, one extended and one standard. The first is an extended access to stop PC1 ( from FTPing to the FTP server

On Router1 – the access-list has been placed on Fa0/0 as its the closest to the source.

configure terminal
access-list 101 deny tcp any eq ftp host
access-list 101 permit ip any any
interface fa0/0
ip access-group 101 in

When creating an access-list, if a match isn’t found then there is an explicit deny. As can see from above I have created a permit for any IP traffic  Without these lines, OSPF wasn’t being advertised and I had no way of testing PC1 could ping the FTP server to verify connectivity and to ensure that FTP was indeed being blocked and not all traffic.

The next access list is an standard access list, the point of this one is to deny host from communicating with the network. However, host can ping the network.

On Router0 I have placed the access list on the Fa0/0 as this is the closest to the destination.

configure terminal
access-list 1 deny host
access-list 1 permit any
interface fa0/0
ip access-group 1 out

Cisco ICND2 – Describe the purpose and types of access control lists

Describe the purpose and types of access control lists – Access lists are used to restrict or allow access to traffic via an interface. You may want to allow redirect port 25 (SMTP) to your Exchange server and allow traffic to flow in and out of the port. This is possible with access lists.

There are two types of access lists standard and extended.


Standard access lists filter based on source IP address. Telnet, Web, SMTP etc cannot be filtered by a standard access list. Standard access-lists can be created between 1-99 and 1300-1999. An example:

configure terminal
access-list 1 permit


Extended access list can filter by source, destination and port. Extended access lists can be created byween 100-199 and 2000-2699.

configure terminal
access-list 100 permit tcp any eq 25 host

Both standard and extended access lists can be placed either inbound or outbound on an interface allowing for greater control on what packets can be sent/received.

configure terminal
interface s0/0
ip access-group 100 in
ip access-group 100 out

Cisco ICND2 – Implement basic router security

Basic router security includes but not limited to:

    • Configuring an enable secret
configure terminal
enable secret 'password'
      • Secure passwords
configure terminal
service password-encryption
    • Displaying a motd
configure terminal
banner #motd#
banner #login#
    • Locking down the console port
configure terminal
line console 0
password 'password'
    • Configuring terminal lines for remote access
configure terminal
line vty 0 4
password 'password'
transport input telnet ssh (remove telnet for ssh only)