
In this project I implemented a NAT server and Access Control Lists in a VLAN network environment shared between two departments. This project aims to further my networking skills as well as develop hands-on experience with network configuration on the command line. Below is a link to the Cisco Packet Tracer software, and the project file I completed as well.
https://www.netacad.com/about-networking-academy/packet-tracer
https://drive.google.com/file/d/1lGOcNwWIhAYRq0IMqeUsm7oWzoV9Vi8T/view?usp=sharing
Network Address Translation, or NAT
Network Address Translation (NAT) is a key technology used in modern networks to conserve public IP addresses and enhance security. It allows multiple devices on a local network to share a single public IP address when accessing the internet. By translating private IP addresses into a public IP address (used externally), NAT ensures that organizations don’t run out of unique public IPs, which are limited and costly. This is especially important as the number of internet-connected devices continues to grow.
Beyond saving IP addresses, NAT adds a layer of security by hiding internal network details from the outside world. Devices inside the network can communicate with external servers, but external devices can't directly see or reach the private IPs behind the NAT. This makes it harder for attackers to target specific devices on the internal network. NAT is a simple yet powerful tool that keeps networks efficient, scalable, and secure, and understanding how to implement this feature was really helpful for my studies.
Access Control Lists
Access Control Lists (ACLs) are like the bouncers of a network, deciding who gets in and who gets kicked to the curb. They filter traffic based on rules you set, like blocking certain IP addresses or allowing specific types of data to pass through. ACLs are super useful for securing networks by stopping unwanted traffic, like hackers or random junk, from messing things up. They’re also great for controlling traffic flow between different parts of a network, for example not allowing a receptionist to view classified documents that belong to the engineering team.
But here's the thing: ACLs can be a little finicky if you don't set them up right, and this project is a good example. I had a lot of issues getting the network to behave the way I wanted it to, and in the process I learned more about ACLs and network traffic. ACLs are a lifesaver, keeping your network tidy and secure. As a common networking feature, it was super helpful to get hands-on experience working with access control lists on Cisco routers.
Project
Today's project will simulate a small office consisting of 2 HR members and one IT member (me). I'll configure this network to provide Network Address Translation on a server to ensure we remain safe when browsing the web, and set up 2 VLAN networks with Access Control Lists so the HR team cannot mess with my PC.
I began by setting up Cisco Packet Tracer with a layer 2 switch, one router, three PCs and a server. I've connected the server to the router rather than to the switch, unlike in my DHCP project. Always remember to take note of port numbers! Physical connections are just as important as the commands we type into the router and server. For this lab, I have PC0 (IT) connected to the switch on FastEthernet0/3, and PC1 and PC2 are connected to FastEthernet0/4 and 0/5. The router connects to the switch on port FastEthernet0/1. On the router side, the switch is connected on GigabitEthernet0/0, and the server is connected on GigabitEthernet0/1. These connections can be done differently to preference or optimized for performance, but as long as we keep track of port numbers and use the right cables we can achieve a working network.

I began by configuring the switch with the VLAN networks.
enable
configure terminal
vlan 10
name HR
exit
vlan 20
name IT
exit
Next, I assigned the VLAN networks to each port:
interface FastEthernet0/3
switchport mode access
switchport access vlan 20
exit
interface FastEthernet0/4
switchport mode access
switchport access vlan 10
exit
interface FastEthernet0/5
switchport mode access
switchport access vlan 10
exit
Last, I configured the port connected to the router as the trunk port. A trunk port is like a multi-lane highway for network traffic: it lets multiple VLANs travel over a single physical connection between a switch and a router. The switch tags each frame with a VLAN ID so the router knows which VLAN it comes from. Without trunk ports, each VLAN would need its own physical connection. To configure a trunk port:
interface FastEthernet0/1
switchport mode trunk
exit

Next, I moved on to the router's command line interface for some inter-VLAN routing.
enable
configure terminal
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
exit
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
exit
Now that we have both sub interfaces configured, we can enable the physical interface:
interface GigabitEthernet0/0
no shutdown
exit
Now the devices on our VLANs should be able to communicate with each other freely. However, if they want to connect to the internet they will expose their private IP addresses to the public. Let's fix that by configuring NAT on the router. Start by setting up the external interface first.
interface GigabitEthernet0/1
ip address 200.100.50.1 255.255.255.0
no shutdown
exit
Next we can configure our NAT.
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
interface GigabitEthernet0/0.10
ip nat inside
exit
interface GigabitEthernet0/0.20
ip nat inside
exit
interface GigabitEthernet0/1
ip nat outside
exit
Our first two commands give permission to both the IT and HR VLAN networks to be translated by NAT. Then, we configure our NAT to run on Interface GigabitEthernet0/1 which is our connection to the server, or the outside world. We also make sure the access list 1 is applied to the NAT. The overload keyword lets multiple devices share the same public IP using Port Address Translation. We then set both VLAN interfaces as inside the network, basically just telling the router this network belongs locally. We then end by configuring the GigabitEthernet0/1 as outside, telling the router this is our connection to the outside world.
NAT has many other uses that we are not covering in this project, and you should always consider the needs of your network when setting up NAT. Some other concepts I've read about are Static and Dynamic NAT, which assign either a single fixed public IP address per device (static) or an address from a pool of public IP addresses (dynamic). You can also use NAT to translate between IPv6 and IPv4 networks. There are also specific procedures for setting up NAT with a VPN, as NAT can cause conflicts between overlapping private IP ranges on different networks. Hopefully, I will have a chance to implement some of these practices in a project soon.
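To make the overload (PAT) behaviour concrete, here is an added simulation (my own code, not part of the original post or Packet Tracer) of what the router does with the configuration above: inside hosts from the two VLANs are rewritten to the single outside address 200.100.50.1 with a unique source port, replies are mapped back through the table, and an unsolicited inbound packet with no table entry is dropped. The server address 200.100.50.2 is an assumption, since the post does not state it.

```python
import ipaddress
import itertools

OUTSIDE_IP = "200.100.50.1"   # router GigabitEthernet0/1, from the post
SERVER = "200.100.50.2"       # assumed server address (not given in the post)


class PatRouter:
    """Toy model of 'ip nat inside source list 1 interface Gi0/1 overload'."""

    def __init__(self, inside_nets, outside_ip=OUTSIDE_IP):
        # access-list 1: only these networks are eligible for translation
        self.inside_nets = [ipaddress.ip_network(n) for n in inside_nets]
        self.outside_ip = outside_ip
        self.table = {}                 # outside port -> (inside ip, inside port)
        self._ports = itertools.count(1024)

    def _is_inside(self, ip):
        return any(ipaddress.ip_address(ip) in n for n in self.inside_nets)

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source, remembering the mapping."""
        if not self._is_inside(pkt["src"]):
            return None                 # not permitted by access-list 1
        key = (pkt["src"], pkt["sport"])
        port = next((p for p, v in self.table.items() if v == key), None)
        if port is None:                # first packet of this flow: allocate a port
            port = next(self._ports)
            self.table[port] = key
        return {**pkt, "src": self.outside_ip, "sport": port}

    def inbound(self, pkt):
        """Outside -> inside: only packets matching an existing translation pass."""
        entry = self.table.get(pkt["dport"])
        if pkt["dst"] != self.outside_ip or entry is None:
            return None                 # unsolicited: no translation, dropped
        inside_ip, inside_port = entry
        return {**pkt, "dst": inside_ip, "dport": inside_port}


def demo():
    """Two hosts using the same source port, a reply, and an unsolicited probe."""
    r = PatRouter(["192.168.10.0/24", "192.168.20.0/24"])
    a = r.outbound({"src": "192.168.10.2", "sport": 50000, "dst": SERVER, "dport": 80})
    b = r.outbound({"src": "192.168.20.2", "sport": 50000, "dst": SERVER, "dport": 80})
    reply = r.inbound({"src": SERVER, "sport": 80, "dst": OUTSIDE_IP, "dport": a["sport"]})
    probe = r.inbound({"src": SERVER, "sport": 4444, "dst": OUTSIDE_IP, "dport": 80})
    return a, b, reply, probe, r.table


if __name__ == "__main__":
    for row in demo():
        print(row)
```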
Now, our IP address is not on the web when we search the internet, and my HR team can browse the web without worrying. Next, I will set up an Access Control List blocking my HR team from pinging my PC. This, as far as I know, is the only permanent solution to IT tickets.
Let's start by creating an ACL, then applying it to an interface.
access-list 100 deny icmp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 echo
access-list 100 permit ip any any
interface GigabitEthernet0/0.10
ip access-group 100 in
exit
A very important note on this ACL is the icmp and echo portion of the ACL command. These keywords will allow us to ping PC1 and PC2 from PC0 without having the reply blocked on the way back to us. These two words caused me a lot of headaches when attempting this project, and forced me to further my understanding of the OSI layers and how ACLs work. Let's look at our network more closely to see what we're accomplishing with this command.
My original goal for this project was to complete pings from my IT PC to the HR PCs. This ping would succeed as my ACL allowed me to communicate freely with the HR team. To do this, I was using the command:
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
But every time I would try to ping between the VLAN networks, the ping would fail. The ACL command above does stop HR from pinging IT, but it also blocks the return traffic when IT pings HR.
To understand why the ping with the original command was blocked, let's look at how the data moves through the network during the ping. We begin at PC0, which is in the IT VLAN. The echo request is sent out and reaches the router, where it sees that the IT VLAN has no ACL blocking connections to HR. The request then continues on to PC1 in HR. After the ping is received, HR sends the echo reply back to PC0 in IT. But as the reply reaches the router, it enters the HR subinterface, where our ACL denies everything from HR to IT, so the reply is dropped. Narrowing the deny to icmp echo requests proved crucial to achieving the network environment I wanted.
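The difference between the two ACLs is easiest to see by evaluating the packets in the ping flow against each one. The following is an added simulation (my own code, not from the post) of how IOS evaluates a numbered extended ACL inbound on the HR subinterface: first match wins, wildcard masks are honoured, and there is an implicit deny at the end. The server address 200.100.50.2 is assumed.

```python
import ipaddress


def wildcard_match(addr, net, wildcard):
    """Cisco wildcard masks: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, pkt):
    """Evaluate entries top down; the first match decides; implicit deny at the end."""
    for action, proto, snet, swc, dnet, dwc, icmp_type in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], snet, swc):
            continue
        if not wildcard_match(pkt["dst"], dnet, dwc):
            continue
        if proto == "icmp" and icmp_type is not None and icmp_type != pkt["icmp_type"]:
            continue
        return action == "permit"
    return False   # implicit deny


HR, IT, WC = "192.168.10.0", "192.168.20.0", "0.0.0.255"
ANY = ("0.0.0.0", "255.255.255.255")

# The first attempt from the post: deny all IP from HR to IT, then permit ip any any.
ACL_BROKEN = [("deny", "ip", HR, WC, IT, WC, None), ("permit", "ip", *ANY, *ANY, None)]
# The fixed ACL from the post: deny only ICMP echo requests from HR to IT.
ACL_FIXED = [("deny", "icmp", HR, WC, IT, WC, "echo"), ("permit", "ip", *ANY, *ANY, None)]

# Constructed packets arriving inbound on GigabitEthernet0/0.10 (all sourced from HR).
HR_PINGS_IT = {"proto": "icmp", "src": "192.168.10.2", "dst": "192.168.20.2", "icmp_type": "echo"}
HR_REPLY_TO_IT = {"proto": "icmp", "src": "192.168.10.2", "dst": "192.168.20.2", "icmp_type": "echo-reply"}
HR_TO_SERVER = {"proto": "tcp", "src": "192.168.10.5", "dst": "200.100.50.2"}  # assumed server IP


def ping_outcomes(acl):
    """Which HR-sourced packets the ACL lets through: HR's own ping, the reply to IT's ping, web traffic."""
    return {"hr_ping_it": acl_permits(acl, HR_PINGS_IT),
            "reply_to_it_ping": acl_permits(acl, HR_REPLY_TO_IT),
            "hr_to_server": acl_permits(acl, HR_TO_SERVER)}


if __name__ == "__main__":
    print("broken:", ping_outcomes(ACL_BROKEN))
    print("fixed: ", ping_outcomes(ACL_FIXED))
```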

Next I configured the IP addresses of the PCs on my network.
- PC0 (IT): IP 192.168.20.2, Subnet Mask 255.255.255.0, Gateway 192.168.20.1
- PC1 (HR): IP 192.168.10.2, Subnet Mask 255.255.255.0, Gateway 192.168.10.1
- PC2 (HR): IP 192.168.10.5, Subnet Mask 255.255.255.0, Gateway 192.168.10.1

Now we should have a fully functioning network with Network Address Translation protecting our IP addresses on the web, and an Access Control List to stop those pesky IT tickets from the HR department.
We can begin our testing by pinging the server from each PC. This should get our router working on the Network Address Translation process. Next, we can ping our HR department from my IT computer, PC0. When pinging either PC1 or PC2, we should receive a successful response, because the echo keyword in the ACL command only blocks echo requests from HR, not the replies. And if PC1 or PC2 ping the IT VLAN, it should fail, as the ACL is set to block ping traffic headed out from the HR VLAN to IT.

Lastly, we can test our NAT functionality by completing some pings from the PCs to the server. After we get some successful pings, we can open the router's command line and see what translations NAT has performed with this command:
show ip nat translations

Summary
Encountering problems like the one I had with ACLs is precisely the reason I use Cisco Packet Tracer. In the real world, networks require unique solutions to achieve the desired result. Navigating problems like these is why I love working in IT: each time you fail is an opportunity to learn far more than you originally needed to understand the problem. Overall, this project was a pain in the rear at first, but once I found the solutions I was looking for I was really glad I completed it. Cisco Packet Tracer has been a great place for me to develop my networking skills, and I feel like this project has been the most helpful in my series of projects using this software. NAT and ACLs are must-haves in a lot of network environments in today's connected world, and getting some hands-on experience with the setup and results of implementation was super helpful. If you have any questions or comments, you can comment down below or hit the contact page! Thank you for reading!