# Lab 1.4

###### tags: `Lab`

![](https://i.imgur.com/QwTAUbT.png)

![](https://i.imgur.com/GK8Owap.jpg)

## Reset

```
ena
write erase
reload
<Read what you get here and think ty>
```

## Flow of the lab

### Phase 1: set up the internal network

### Phase 2: set up the tunnel

Both WAN interfaces must first get a dynamic DHCP address from the school network; that address then has to be configured as static, and the default gateway set to the classroom's, 172.23.80.1.

There may be only one access list in the VPN tunnel configuration and only one access list to the outside (in other words, configure the way to the outside only once in order to actually be allowed onto the internet; traffic between both subnets must not be NATed).

While playing with access lists, remember that you cannot simply edit an access list in place:

> When modifying an access list it is important to use the correct order; this order matters (so if you want to change something, best delete everything and then configure it all again - the access list, of course).

## BRa

there shall be layout

```
ena
conf t
no ip domain-lookup
hostname br_a
int fa0/0
 desc wan_a
 ip add dhcp
 ! static alternative once the DHCP lease is known:
 ! ip add 172.23.80.47 255.255.254.0
 ip nat outside
 no shut
int fa0/1
 desc lan_a
 ip add 192.168.1.1 255.255.255.0
 ip nat inside
 no shut
int fa0/3/0
 desc lan_c
 ip add 192.168.10.1 255.255.255.0
 ip nat inside
 no shut
ip dhcp excluded-address 192.168.1.1
ip dhcp pool network_br_a
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8
service dhcp
ip dhcp excluded-address 192.168.10.1
ip dhcp pool network_br_c
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8
service dhcp
ip route 0.0.0.0 0.0.0.0 172.23.80.1
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
! the 'address' keyword was missing here; it is required, as on BRb
crypto isakmp key firewallcx address 172.23.80.45
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
crypto ipsec transform-set TS esp-3des esp-md5-hmac
! 'ipsec-isakmp' was missing here; it is needed, as on BRb
crypto map CMAP 10 ipsec-isakmp
 set peer 172.23.80.45
 set transform-set TS
 match address VPN-TRAFFIC
int Fa0/0
 crypto map CMAP
ip nat inside source list 100 interface fastethernet0/0 overload
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 remark end
```

## BRb

ridiculous how this works by itself kekw

```
ena
conf t
no ip domain-lookup
hostname br_b
int fa0/0
 desc wan_b
 ip add dhcp
 ! static alternative once the DHCP lease is known:
 ! ip add 172.23.80.45 255.255.254.0
 ip nat outside
 no shut
int fa0/1
 desc lan_b
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 no shut
ip route 0.0.0.0 0.0.0.0 fa0/0
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface fa0/0 overload
end
```

### Change default route

```
ena
conf t
no ip route 0.0.0.0 0.0.0.0 fa0/0
ip route 0.0.0.0 0.0.0.0 172.23.80.1
```

### Setup VPN

```
no access-list 1
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key firewallcx address 172.23.80.47
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 172.23.80.47
 set transform-set TS
 match address VPN-TRAFFIC
interface FastEthernet0/0
 crypto map CMAP
```

### Setup NAT

```
ip nat inside source list 100 interface fastethernet0/0 overload
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 remark
```

### Setup extra subnet

```
conf t
int fa0/3/1
 desc lan_d
 ip add 192.168.20.1 255.255.255.0
 ip nat inside
 no shut
```

### Setup DHCP

```
ip dhcp excluded-address 192.168.2.1
ip dhcp pool network_br_b
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 8.8.8.8
service dhcp
ip dhcp excluded-address 192.168.20.1
ip dhcp pool network_br_d
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 8.8.8.8
service dhcp
```

### Setup extra VPN shit

```
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
! the NAT list cannot be edited in place: remove it and rebuild it in order
no access-list 100
ip nat inside source list 100 interface fastethernet0/0 overload
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 remark
```

# Wanker 2c33.11be.f358
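As an added check, not part of these lab notes or of any Cisco tool: a small Python script that parses the VPN-TRAFFIC crypto ACL and NAT access-list 100 (IOS named or numbered syntax) and reports every tunnel flow that ACL 100 would still hand to NAT. It applies first-match order, so a `permit ... any` placed before its `deny` is caught as well, which is the ordering point made above. The sample ACL strings are constructed from the BRa values, with one deny deliberately left out.

```python
import ipaddress

# Added check: does NAT ACL 100 exempt every flow that the crypto ACL
# VPN-TRAFFIC sends through the tunnel? Samples are constructed from the
# BRa section of these notes, with one deny deliberately left out.
VPN_TRAFFIC = """
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
NAT_ACL_100 = """
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
"""

def _net(tok, i):
    """Consume one IOS address spec at tok[i]: 'any' or 'addr wildcard'."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    # IOS wildcard masks are inverted netmasks (0.0.0.255 -> 255.255.255.0)
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[i + 1])))
    return ipaddress.IPv4Network(f"{tok[i]}/{netmask}", strict=False), i + 2

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines, numbered or named form, in order."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:  # numbered form: drop 'access-list 100'
            tok = tok[2:]
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue  # blank lines, remarks and non-ip entries are skipped
        src, i = _net(tok, 2)
        dst, _ = _net(tok, i)
        aces.append((tok[0], src, dst))
    return aces

def first_match(aces, src, dst):
    """IOS ACLs are first-match; an unmatched flow hits the implicit deny."""
    for action, asrc, adst in aces:
        if src.subnet_of(asrc) and dst.subnet_of(adst):
            return action
    return "deny"

def nat_leaks(vpn_text, nat_text):
    """Tunnel flows that ACL 100 would still NAT, so the crypto ACL never sees them."""
    nat = parse_acl(nat_text)
    return [(str(s), str(d)) for _, s, d in parse_acl(vpn_text) if first_match(nat, s, d) == "permit"]
```

`nat_leaks(VPN_TRAFFIC, NAT_ACL_100)` returns the one missing exemption, 192.168.10.0/24 to 192.168.20.0/24; adding that deny above the permits makes it return an empty list.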