# Paulo Bastos - Final Project

![](https://i.imgur.com/PyhCXhR.png)

### HQ-SW1

```
enable
configure terminal
hostname HQ-SW1
!
! Local authentication on the console, encrypted passwords, login banner
line console 0
 password cisco
 login local
 exit
enable secret class
username admin password cisco
banner motd "Acesso Restrito"
service password-encryption
do write
!
! Port security on the edge ports only. g1/0/19-24 are EtherChannel/trunk
! uplinks (configured below); port security is rejected on dynamic-mode and
! EtherChannel member ports, so those ports are set to access mode first and
! are kept out of this range.
interface range g1/0/1-18
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation shutdown
 exit
interface range g1/1/1-4
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation shutdown
 exit
do write
!
! EtherChannels to HQ-SW2 (Po1) and HQ-SW3 (Po2): dot1q trunks, native VLAN 99
interface range g1/0/19-20
 channel-group 1 mode on
interface port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
do write
interface range g1/0/21-22
 channel-group 2 mode on
interface port-channel 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
do write
!
! Trunk towards HQ-RTR. DTP is disabled on the static trunk ('switchport
! nonegotiate'); the original used 'no switchport nonegotiate', which leaves
! DTP enabled.
interface g1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
 switchport nonegotiate
 exit
do write
!
! Management access port in VLAN 99
interface GigabitEthernet1/0/1
 no shutdown
 switchport mode access
 switchport access vlan 99
 switchport nonegotiate
 switchport port-security mac-address sticky
 exit
!
! VLANs and SVIs (the original entered 'vlan 99' without leaving interface mode)
vlan 99
 name admin
 exit
interface vlan 99
 ip address 192.168.99.2 255.255.255.0
 no shutdown
 exit
do write
vlan 20
 name Dados
 exit
interface vlan 20
 no shutdown
 exit
do write
vlan 10
 name Voz
 exit
interface vlan 10
 no shutdown
 exit
do write
!
vtp domain HQ
vtp mode server
vtp password cisco
vtp version 2
do write
!
spanning-tree mode rapid-pvst
spanning-tree vlan 99 priority 24576
spanning-tree vlan 99 root primary
do write
!
ip default-gateway 192.168.99.1
do write
!
! SSH-only remote management, limited to the management VLAN.
! (1024-bit RSA is the lab value; current practice is 2048 bits or more.)
ip domain-name HQ-SW1
crypto key generate rsa modulus 1024
ip ssh version 2
ip access-list standard SSH
 permit 192.168.99.0 0.0.0.255
 deny any
 exit
line vty 0 4
 password cisco
 transport input ssh
 login local
 access-class SSH in
 exit
do write
!
! Authenticated NTP from HQ-RTR. 'key 1' on the server line is required for
! the key to be applied to this association (the original omitted it).
ntp authentication-key 1 md5 CISEG0719
ntp authenticate
ntp trusted-key 1
ntp server 192.168.99.1 key 1
do write
```

### HQ-SW2

```
enable
configure terminal
hostname HQ-SW2
!
line console 0
 password cisco
 login local
 exit
enable secret class
username admin password cisco
banner motd "Acesso Restrito"
service password-encryption
do write
!
! Port security on the edge ports only; g1/0/19-20 (Po1) and g1/0/23-24 (Po3)
! are EtherChannel uplinks and are excluded.
interface range g1/0/1-18, g1/0/21-22
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation shutdown
 exit
interface range g1/1/1-4
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation shutdown
 exit
do write
!
! EtherChannels to HQ-SW1 (Po1) and HQ-SW3 (Po3)
interface range g1/0/19-20
 channel-group 1 mode on
interface port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
do write
interface range g1/0/23-24
 channel-group 3 mode on
interface port-channel 3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
do write
!
! Data VLAN access port, DTP disabled
interface g1/0/1
 no shutdown
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 exit
do write
!
vtp domain HQ
vtp mode client
vtp password cisco
vtp version 2
do write
!
spanning-tree mode rapid-pvst
spanning-tree vlan 20 root primary
do write
!
interface vlan 99
 ip address 192.168.99.3 255.255.255.0
 no shutdown
 exit
ip default-gateway 192.168.99.1
do write
!
! SSH-only remote management, limited to the management VLAN
ip domain-name HQ-SW2
crypto key generate rsa modulus 1024
ip ssh version 2
ip access-list standard SSH
 permit 192.168.99.0 0.0.0.255
 deny any
 exit
line vty 0 4
 password cisco
 transport input ssh
 login local
 access-class SSH in
 exit
do write
!
! Authenticated NTP from HQ-RTR
ntp authentication-key 1 md5 CISEG0719
ntp authenticate
ntp trusted-key 1
ntp server 192.168.99.1 key 1
do write
```

### HQ-SW3

```
enable
configure terminal
hostname HQ-SW3
!
line console 0
 password cisco
 login local
 exit
enable secret class
username admin password cisco
banner motd "Acesso Restrito"
service password-encryption
do write
!
! Port security on the edge ports only; g1/0/21-22 (Po2) and g1/0/23-24 (Po3)
! are EtherChannel uplinks and are excluded.
interface range g1/0/1-20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation shutdown
 exit
interface range g1/1/1-4
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation shutdown
 exit
do write
!
! EtherChannels to HQ-SW2 (Po3) and HQ-SW1 (Po2)
interface range g1/0/23-24
 channel-group 3 mode on
interface port-channel 3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
do write
interface range g1/0/21-22
 channel-group 2 mode on
interface port-channel 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
do write
!
! Voice VLAN access port, DTP disabled
interface g1/0/2
 no shutdown
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 exit
do write
!
vtp domain HQ
vtp mode client
vtp password cisco
vtp version 2
do write
!
spanning-tree mode rapid-pvst
spanning-tree vlan 10 root primary
do write
!
interface vlan 99
 ip address 192.168.99.4 255.255.255.0
 no shutdown
 exit
ip default-gateway 192.168.99.1
do write
!
! SSH-only remote management, limited to the management VLAN
ip domain-name HQ-SW3
crypto key generate rsa modulus 1024
ip ssh version 2
ip access-list standard SSH
 permit 192.168.99.0 0.0.0.255
 deny any
 exit
line vty 0 4
 password cisco
 transport input ssh
 login local
 access-class SSH in
 exit
do write
!
! Authenticated NTP from HQ-RTR
ntp authentication-key 1 md5 CISEG0719
ntp authenticate
ntp trusted-key 1
ntp server 192.168.99.1 key 1
do write
```

### HQ-RTR

```
enable
configure terminal
hostname HQ-RTR
line console 0
 password cisco
 login local
 exit
enable secret cisco
service password-encryption
banner motd "Acesso Restrito"
username admin password class
do write
!
interface g0/0
 no shutdown
 exit
do write
!
! SSH-only remote management, limited to the HQ management VLAN.
! The ACL is defined before it is referenced by 'access-class'.
ip domain-name HQ-RTR
crypto key generate rsa modulus 1024
ip ssh version 2
ip access-list standard SSH
 permit 192.168.99.0 0.0.0.255
 deny any
 exit
line vty 0 4
 password cisco
 transport input ssh
 login local
 access-class SSH in
 exit
do write
!
! DHCP for the voice and data VLANs; option 150 points the phones at CME
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.20.1 192.168.20.10
do write
ip dhcp pool Voz
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 option 150 ip 192.168.10.1
 dns-server 209.200.50.254
ip dhcp pool Dados
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
!
! Router-on-a-stick subinterfaces; VLAN 99 is the native VLAN on the trunk
interface g0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface g0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
interface g0/0.99
 encapsulation dot1Q 99 native
 ip address 192.168.99.1 255.255.255.0
 ip nat inside
 exit
do write
!
! WAN interface: egress filter, PAT and the IPsec crypto map
interface g0/2
 no shutdown
 ip address 209.200.50.10 255.255.255.0
 ip access-group PERMIT_PROTOCOLS/PORTS out
 ip nat outside
 crypto map VPN-MAP
 exit
do write
!
! Interesting traffic for the site-to-site VPN (data and management VLANs)
ip access-list extended VPN_ACCESS
 permit ip 192.168.20.0 0.0.0.255 172.16.20.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 172.16.99.0 0.0.0.255
 permit ip 192.168.99.0 0.0.0.255 172.16.99.0 0.0.0.255
 permit ip 192.168.99.0 0.0.0.255 172.16.20.0 0.0.0.255
 exit
!
! NAT exemption for VPN traffic; PAT for everything else from VLANs 20 and 99
ip access-list extended NAT
 deny ip 192.168.99.0 0.0.0.255 172.16.20.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 172.16.20.0 0.0.0.255
 deny ip 192.168.20.0 0.0.0.255 172.16.99.0 0.0.0.255
 deny ip 192.168.99.0 0.0.0.255 172.16.99.0 0.0.0.255
 permit ip 192.168.99.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 exit
!
! Egress filter on the WAN side. NAT runs before the outbound ACL, so the
! source seen here is the PAT address. NTP is UDP/123 (the original had tcp).
ip access-list extended PERMIT_PROTOCOLS/PORTS
 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit tcp host 209.200.50.10 any eq www
 permit tcp host 209.200.50.10 any eq 443
 permit udp host 209.200.50.10 any eq domain
 permit udp host 209.200.50.10 any eq 123
 permit icmp host 209.200.50.10 any
 deny ip any any
 exit
ip nat inside source list NAT interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2
!
! IPsec site-to-site VPN to ATEC-RTR. The securityk9 licence needs a reload
! before the crypto commands are accepted.
license boot module c2900 technology-package securityk9
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 exit
crypto isakmp key cisco address 209.200.50.11
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to ATEC-RTR
 set peer 209.200.50.11
 set transform-set VPN-SET
 match address VPN_ACCESS
 exit
do write
!
! Authenticated NTP from the upstream server (which must hold the same key 1);
! the HQ switches sync from this router with the same key. 'ntp trusted-key'
! and 'key 1' were missing in the original, so the router would never sync.
ntp authentication-key 1 md5 CISEG0719
ntp authenticate
ntp trusted-key 1
ntp server 209.200.50.254 key 1
ntp update-calendar
do write
!
! Call Manager Express for the two IP phones. 'ip source-address' is added
! here because CME needs it; the address matches DHCP option 150 above.
license boot module c2900 technology-package uck9
telephony-service
 max-dn 2
 max-ephones 2
 ip source-address 192.168.10.1 port 2000
```

### ATEC-SW1

```
enable
configure terminal
hostname ATEC-SW1
!
line console 0
 password cisco
 login local
 exit
enable secret class
username admin password cisco
banner motd "Acesso Restrito"
service password-encryption
do write
!
! Port security on the edge ports only. f0/19-22 are EtherChannel members and
! g0/2 is the trunk to ATEC-RTR (configured below), so they are excluded.
interface range f0/1-18, f0/23-24
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation shutdown
 exit
interface g0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation shutdown
 exit
do write
!
! EtherChannels to ATEC-SW2 (Po1) and ATEC-SW3 (Po2); 2960 ports are dot1q-only
interface range f0/19-20
 channel-group 1 mode on
interface port-channel 1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
do write
interface range f0/21-22
 channel-group 2 mode on
interface port-channel 2
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
 exit
do write
!
! Trunk towards ATEC-RTR, DTP disabled
interface g0/2
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
 switchport nonegotiate
 exit
do write
!
! Management access port in VLAN 99
interface f0/1
 no shutdown
 switchport mode access
 switchport access vlan 99
 switchport nonegotiate
 switchport port-security mac-address sticky
 exit
!
vlan 99
 name admin
 exit
interface vlan 99
 ip address 172.16.99.2 255.255.255.0
 no shutdown
 exit
do write
vlan 20
 name Dados
 exit
interface vlan 20
 no shutdown
 exit
do write
vlan 10
 name Voz
 exit
interface vlan 10
 no shutdown
 exit
do write
!
vtp domain ATEC
vtp mode server
vtp password cisco
vtp version 2
do write
!
spanning-tree mode rapid-pvst
spanning-tree vlan 99 root primary
do write
!
ip default-gateway 172.16.99.1
do write
!
! SSH-only remote management, limited to the management VLAN
ip domain-name ATEC-SW1
crypto key generate rsa modulus 1024
ip ssh version 2
ip access-list standard SSH
 permit 172.16.99.0 0.0.0.255
 deny any
 exit
line vty 0 4
 password cisco
 transport input ssh
 login local
 access-class SSH in
 exit
do write
!
! Authenticated NTP from ATEC-RTR
ntp authentication-key 1 md5 CISEG0719
ntp authenticate
ntp trusted-key 1
ntp server 172.16.99.1 key 1
do write
```

### ATEC-SW2

```
enable
configure terminal
hostname ATEC-SW2
!
line console 0
 password cisco
 login local
 exit
enable secret class
username admin password cisco
banner motd "Acesso Restrito"
service password-encryption
do write
!
! Port security on the edge ports only; f0/19-20 (Po1) and f0/23-24 (Po3)
! are EtherChannel members and are excluded.
interface range f0/1-18, f0/21-22
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation shutdown
 exit
interface range g0/1-2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation shutdown
 exit
do write
!
! Data VLAN access port
interface f0/1
 switchport mode access
 switchport access vlan 20
 exit
!
! EtherChannels to ATEC-SW1 (Po1) and ATEC-SW3 (Po3)
interface range f0/19-20
 channel-group 1 mode on
interface port-channel 1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
do write
interface range f0/23-24
 channel-group 3 mode on
interface port-channel 3
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
 exit
do write
!
vtp domain ATEC
vtp mode client
vtp password cisco
vtp version 2
do write
!
spanning-tree mode rapid-pvst
spanning-tree vlan 20 root primary
do write
!
interface vlan 99
 ip address 172.16.99.3 255.255.255.0
 no shutdown
 exit
ip default-gateway 172.16.99.1
do write
!
! SSH-only remote management, limited to the management VLAN
ip domain-name ATEC-SW2
crypto key generate rsa modulus 1024
ip ssh version 2
ip access-list standard SSH
 permit 172.16.99.0 0.0.0.255
 deny any
 exit
line vty 0 4
 password cisco
 transport input ssh
 login local
 access-class SSH in
 exit
do write
!
! Authenticated NTP from ATEC-RTR
ntp authentication-key 1 md5 CISEG0719
ntp authenticate
ntp trusted-key 1
ntp server 172.16.99.1 key 1
do write
```

### ATEC-SW3

```
enable
configure terminal
hostname ATEC-SW3
!
line console 0
 password cisco
 login local
 exit
enable secret class
username admin password cisco
banner motd "Acesso Restrito"
service password-encryption
do write
!
! Port security on the edge ports only; f0/21-22 (Po2) and f0/23-24 (Po3)
! are EtherChannel members and are excluded.
interface range f0/1-20
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation shutdown
 exit
interface range g0/1-2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation shutdown
 exit
do write
!
! Voice VLAN access port
interface g0/2
 switchport mode access
 switchport access vlan 10
 exit
do write
!
! EtherChannels to ATEC-SW1 (Po2) and ATEC-SW2 (Po3)
interface range f0/21-22
 channel-group 2 mode on
interface port-channel 2
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
do write
interface range f0/23-24
 channel-group 3 mode on
interface port-channel 3
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
 exit
do write
!
vtp domain ATEC
vtp mode client
vtp password cisco
vtp version 2
do write
!
spanning-tree mode rapid-pvst
spanning-tree vlan 10 root primary
do write
!
interface vlan 99
 ip address 172.16.99.4 255.255.255.0
 no shutdown
 exit
ip default-gateway 172.16.99.1
do write
!
! SSH-only remote management, limited to the management VLAN
ip domain-name ATEC-SW3
crypto key generate rsa modulus 1024
ip ssh version 2
ip access-list standard SSH
 permit 172.16.99.0 0.0.0.255
 deny any
 exit
line vty 0 4
 password cisco
 transport input ssh
 login local
 access-class SSH in
 exit
do write
!
! Authenticated NTP from ATEC-RTR
ntp authentication-key 1 md5 CISEG0719
ntp authenticate
ntp trusted-key 1
ntp server 172.16.99.1 key 1
do write
```

### ATEC-RTR

```
enable
configure terminal
hostname ATEC-RTR
line console 0
 password cisco
 login local
 exit
enable secret cisco
service password-encryption
banner motd "Acesso Restrito"
username admin password class
do write
!
interface g0/2
 no shutdown
 exit
do write
!
! DHCP for the voice and data VLANs; option 150 points the phones at CME
ip dhcp excluded-address 172.16.10.1 172.16.10.10
ip dhcp excluded-address 172.16.20.1 172.16.20.10
do write
ip dhcp pool Voz
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.1
 option 150 ip 172.16.10.1
 dns-server 209.200.50.254
ip dhcp pool Dados
 network 172.16.20.0 255.255.255.0
 default-router 172.16.20.1
 dns-server 209.200.50.254
 exit
!
! Router-on-a-stick subinterfaces; VLAN 99 is the native VLAN on the trunk
interface g0/2.10
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
interface g0/2.20
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.0
 ip nat inside
interface g0/2.99
 encapsulation dot1Q 99 native
 ip address 172.16.99.1 255.255.255.0
 ip nat inside
 exit
do write
!
! SSH-only remote management, limited to the ATEC management VLAN.
! The original later re-entered this ACL and appended
! 'permit 192.168.99.0 0.0.0.255' after 'deny any'; that entry can never
! match. Place it before 'deny any' if SSH from the HQ management VLAN over
! the VPN is intended.
ip domain-name ATEC-RTR
crypto key generate rsa modulus 1024
ip ssh version 2
ip access-list standard SSH
 permit 172.16.99.0 0.0.0.255
 deny any
 exit
line vty 0 4
 password cisco
 transport input ssh
 login local
 access-class SSH in
 exit
do write
!
! WAN interface: egress filter, dynamic NAT and the IPsec crypto map.
! The original never issued 'no shutdown' here, so the WAN link stayed down.
interface GigabitEthernet0/1
 no shutdown
 ip address 209.200.50.11 255.255.255.0
 ip access-group PERMIT_PROTOCOLS/PORTS out
 ip nat outside
 crypto map VPN-MAP
 exit
do write
!
! Dynamic NAT pool 209.200.50.65-126 (no overload: one public address per
! active inside host)
ip nat pool DNAT_POOL 209.200.50.65 209.200.50.126 netmask 255.255.255.0
!
! Interesting traffic for the site-to-site VPN
ip access-list extended VPN_ACCESS
 permit ip 172.16.20.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 172.16.20.0 0.0.0.255 192.168.99.0 0.0.0.255
 permit ip 172.16.99.0 0.0.0.255 192.168.99.0 0.0.0.255
 permit ip 172.16.99.0 0.0.0.255 192.168.20.0 0.0.0.255
 exit
!
! NAT exemption for VPN traffic; NAT for everything else from VLANs 20 and 99
ip access-list extended NAT_RULES
 deny ip 172.16.99.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 172.16.20.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny ip 172.16.20.0 0.0.0.255 192.168.99.0 0.0.0.255
 deny ip 172.16.99.0 0.0.0.255 192.168.99.0 0.0.0.255
 permit ip 172.16.99.0 0.0.0.255 any
 permit ip 172.16.20.0 0.0.0.255 any
 exit
!
! Egress filter on the WAN side; sources are the translated pool addresses.
! NTP is UDP/123 (the original had tcp).
ip access-list extended PERMIT_PROTOCOLS/PORTS
 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit tcp 209.200.50.64 0.0.0.63 any eq www
 permit tcp 209.200.50.64 0.0.0.63 any eq 443
 permit udp 209.200.50.64 0.0.0.63 any eq domain
 permit udp 209.200.50.64 0.0.0.63 any eq 123
 permit icmp 209.200.50.64 0.0.0.63 any
 exit
ip nat inside source list NAT_RULES pool DNAT_POOL
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
do write
!
! IPsec site-to-site VPN to HQ-RTR. The securityk9 licence needs a reload
! before the crypto commands are accepted.
license boot module c2900 technology-package securityk9
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 exit
crypto isakmp key cisco address 209.200.50.10
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to HQ-RTR
 set peer 209.200.50.10
 set transform-set VPN-SET
 match address VPN_ACCESS
 exit
do write
!
! Re-apply the crypto map now that it is fully defined
interface g0/1
 crypto map VPN-MAP
 exit
do write
```