Troy’s checklist for preparing for the CCNA: Objective 7

July 21, 2009 at 3:50 pm | Posted in Cisco | 2 Comments

I am just back from spending a week teaching security to our nation’s finest at an Air Force base in central Georgia, so I am all ready to dive into this week’s security-related objective for the CCNA exam. This week’s topic is Implement, verify, and troubleshoot NAT and ACLs in a medium-sized Enterprise branch office network.

(Here’s the previous coverage of Objective 1, Objective 2, Objective 3, Objective 4 Part 1, Objective 4 Part II, Objective 5, and Objective 6. The full list of CCNA objectives is at

To begin with, let’s make sure everyone knows what these two concepts are all about. Network Address Translation (NAT) is a service that can run on a server or on a router that converts private IP addresses to public IP addresses. This provides two advantages:

  • It conserves address space on the Internet and allows an enterprise to use private IP addresses inside the network, instead of having to register public IP addresses for all computers that need Internet access.
  • It ‘hides’ the real IP addresses of the internal computers, which makes the first step in the hacking process (discovery) more difficult.

Be able to identify the types of NAT:

  • Static NAT – uses a one-to-one mapping from public to private. Doesn’t save any IP addresses, but does provide the security of hiding the private addresses.
  • Dynamic – uses a pool of public addresses and dynamically draws on the pool to create mappings. Same as static NAT, except that the address mappings keep changing.
  • NAT overload – describes any situation where there are fewer public addresses than private addresses. In this case, the same public address(es) is used over and over, and the NAT device identifies each computer by the port number it uses to connect through the router; this is port address translation (or PAT).

Be able to identify the most appropriate router in a diagram on which to configure NAT. This will usually be the last router before connecting to the Internet.

Understand which interface on the router to apply the following commands:

  • ip nat inside – should be applied on the interface connected to the LAN
  • ip nat outside – should be applied on the interface connected to the Internet

NOTE – You must be able to perform a complete NAT configuration, up to and including a static mapping and NAT overload. Don’t take the exam if you can’t do that!

Access Control Lists (ACLs) can be used to permit and deny traffic going through a router. There are several easy-to-forget facts about ACLs that you should definitely commit to memory:

  • ACLs ONLY affect traffic that enters the router and is then forwarded out of the router. They do NOT affect traffic that is sourced by the router itself (which could include routing updates, etc.).
  • ACLs consist of a list of Allow and Deny statements. At the end of the list is an implied statement to Deny all traffic. Remember that when you create an ACL, any traffic that you don’t specifically allow will be denied unless you end the list of statements with one that allows all other traffic not specifically listed.
  • Only one access list can be applied to an interface in a given direction, so that means one incoming and one outgoing list. However, the inclusion of multiple statements can introduce the same effect as using multiple lists.
  • Incoming lists are applied to packets before the routing process occurs. Outgoing lists are applied after the routing process has occurred.
  • Access lists use wildcard masks instead of regular masks. See below for an explanation of this concept.

With those basic concepts covered, on to the actual exam objective topics.

Know the types of access lists and the capabilities of each.

  • Standard – can only filter based on the source address. Place them as close to the source as possible to limit the amount of network traffic that could ultimately be denied at the destination. Standard lists use numbers 1-99 and 1300-1999.
  • Extended – can filter based on source, destination address, port number, and protocol. Place these as close to the destination as possible to confine their effect to the destination. Extended lists use numbers 100-199 and 2000-2699.
  • Named – can be either standard or extended and are an alternative to using the number system.

Know the process of creating and applying an access list. It consists of two steps and both steps MUST be done or no filtering will take place. They are:

  1. Create the list.
  2. Apply the list.

An example of a statement that creates an access list (permit TCP from any source to any destination on port 80):

Router(config)# access-list 110 permit tcp any any eq 80

An example of applying the above statement:

Router(config)# interface serial 0/1
Router(config-if)# ip access-group 110 in

Know how to convert a regular mask to a wildcard mask and vice versa. Access lists use wildcard masks. The wildcard mask can be determined by a very simple formula:

Subtract the regular mask value in each octet from 255.

For example, if the regular mask is, you would subtract each octet’s value from 255 in the following way: (255 – 255 = 0), (255 – 255 = 0), (255 – 248 = 7), (255 – 0 = 255), yielding a wildcard mask of

Know that certain keywords can be substituted for a wildcard mask in some cases. The keywords host and any can also be used to specify a single host or an entire network more quickly. The host keyword is the same as the wildcard mask and the any keyword is the same as wildcard mask. So, to recap:

  • Any – can take the place of (both of these mean any address)
  • Host – can take the place of (both of these mean an exact address and no other)

Know the syntax to create an extended access list using all parameters. The syntax for creating an extended IP access list is as follows:

access-list access-list-number permit|deny protocol source wildcard-mask destination wildcard-mask operator port

The parameters used in the access-list command can be described as follows:

  • access-list-number: A number between 100 and 199, which is used to denote an extended IP access list.
  • permit|deny: Will allow (permit) or disallow (deny) traffic specified in the access list.
  • Protocol: Used to specify the protocol that will be filtered in the access list. Common values are TCP and UDP.
  • Source: Specifies the source IP addressing information.
  • Wildcard-mask: An optional parameter to further define the source. A wildcard mask can be used to control access to an entire IP network ID rather than a single IP address. A wildcard mask number 255 means “any” and the number “0” means “match exactly.”
  • Destination: Specifies the destination IP addressing information.
  • Operator: Can be applied to define how to interpret the value entered as port parameter. Common values are EQ (equal to the port specified), LT (less than the port number specified), and GT (greater than the port number specified).
  • Port: Specifies the port number. Common port numbers include 21 (FTP), 23 (Telnet), 25 (SMTP), 53 (DNS), 69 (TFTP), and 80 (HTTP).
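The wildcard-mask formula, the host/any keywords and the extended access-list syntax above, worked through as an added Python example that is not part of the original post: it converts a regular mask to a wildcard mask, parses statements in the page's access-list syntax, and evaluates packets top-down with the implied deny at the end. The list number 110, the 10.1.0.0/21 LAN, the server 192.0.2.10 and the packets in the test are constructed for illustration.

```python
import ipaddress

def wildcard_from_mask(mask: str) -> str:
    """Post's formula: subtract each octet of the regular subnet mask from 255."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))

def _addr(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'; return (address, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":                      # any  == 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF
    if t == "host":                     # host == A.B.C.D 0.0.0.0
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _matches(addr: int, base: int, wildcard: int) -> bool:
    """Wildcard bit 1 means 'any', bit 0 means 'match exactly'."""
    return (addr ^ base) & ~wildcard & 0xFFFFFFFF == 0

OPS = {"eq": lambda a, b: a == b, "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}

class Rule:
    """One extended ACL statement plus the match counter that show access-lists reports."""
    def __init__(self, line: str):
        tok = line.split()
        if tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
            raise ValueError("extended IP access lists use numbers 100-199")
        self.action, self.proto, rest = tok[2], tok[3], tok[4:]
        self.src, self.dst = _addr(rest), _addr(rest)      # source first, then destination
        self.op, self.port = (rest[0], int(rest[1])) if rest else (None, None)
        self.matches = 0

def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """Top-down: the first matching statement decides; everything else hits the implied deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for r in acl:
        if r.proto not in ("ip", proto):
            continue
        if not (_matches(s, *r.src) and _matches(d, *r.dst)):
            continue
        if r.op and not OPS[r.op](dport, r.port):
            continue
        r.matches += 1
        return r.action
    return "deny"                        # the implied deny-all at the end of every list

# Constructed sample list: HTTP from the 10.1.0.0/21 LAN to one server, Telnet to it denied.
ACL_110 = [Rule(l) for l in (
    "access-list 110 permit tcp 10.1.0.0 " + wildcard_from_mask("255.255.248.0") + " host 192.0.2.10 eq 80",
    "access-list 110 deny tcp any host 192.0.2.10 eq 23",
)]
```

A packet from 10.1.8.7 is denied by the first statement's wildcard (octet 8 is outside 0-7) and then by the implied deny, which is exactly the "not behaving the way it should" case the troubleshooting subobjective asks you to spot.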

Know how to use an access list to protect Telnet access to the router. It’s only different in how you apply the list. Here’s an example:

Router(config)# access-list 1 permit
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in

Notice the access-class command is used here, rather than access-group, which would be the command you would use to apply an access list on an interface. This configuration will permit Telnet connections only from hosts on the /24 subnet. For more on this concept, see this reference:

ALERT – You should be able to configure an access list and apply it to an interface. Don’t take the exam if you can’t do that!

Know the following troubleshooting commands related to ACLs:

  • show access-lists: Displays all the access lists in use on the router. It will also show each filter rule of the access list and will return the number of times packets match that rule. The command can also be used with a specific access list number to display this detail on a single IP access list. This command will not display to which interface an access list has been applied.
  • show ip access-list: Displays all IP access lists in use on the router. It will also show each filter rule of the access list. This command can also be used with a specific access list number to display the details of a single IP access list. This command will not display to which interface an access list has been applied.
  • show ip interface interface-number: Displays whether an access list is applied to the interface, but will not display the rules in any access lists that are configured. Neither will it display any matches to the individual lines of the access list as the show access-lists command does.

Lastly, you should be able to examine an access list and determine why it is not behaving the way it should. This falls under the subobjective of “troubleshooting access lists.”

Know the Cisco terms below:

An inside global address is a registered IP address assigned by the ISP that represents internal local IP addresses externally.

An inside local address is an IP address (usually private) assigned to a host on the internal network. The inside local address is usually not assigned by the service provider, nor used to represent one or more inside local IP addresses externally.

An outside local address is the IP address of an outside host as it appears to the internal network. It is not used to represent one or more inside local IP addresses externally.

An outside global address is the IP address assigned to a host on the external network by the host owner. The address is allocated from a globally routable address space. It is not used to represent one or more inside local IP addresses externally.

Finally, know the use of the following troubleshooting commands:

  • show running-config: used to determine if NAT, access lists, interfaces, or pool commands have been configured on a router.
  • show ip nat translations: used to display active NAT translations.
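The NAT overload behaviour described above (one inside global address shared by many inside local hosts, told apart by port) and the four address terms, as an added Python simulation that is not part of the original post or of any Cisco software. PatRouter, the addresses and the starting port are constructed for illustration, and the router is assumed to do no translation of outside addresses, so outside local equals outside global.

```python
import ipaddress

class PatRouter:
    """NAT overload (PAT): many inside local addresses share one inside global address,
    and the router tells the hosts apart by the source port it assigns to each flow."""

    def __init__(self, inside_global_ip: str, first_port: int = 1024):
        self.inside_global_ip = inside_global_ip   # the one registered address from the ISP
        self.next_port = first_port                # constructed starting port for new flows
        self.table = {}   # (proto, inside local ip, port) -> translation entry

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet enters on the 'ip nat inside' interface and leaves via 'ip nat outside'.
        Returns the rewritten (source ip, source port) the outside host will see."""
        if not ipaddress.ip_address(src_ip).is_private:
            return src_ip, src_port                  # already routable: nothing to translate
        key = (proto, src_ip, src_port)
        if key not in self.table:                   # first packet of the flow: allocate a port
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[key] = {"proto": proto,
                               "inside_local": (src_ip, src_port),
                               "inside_global": (self.inside_global_ip, port),
                               # no outside NAT assumed, so outside local == outside global
                               "outside_local": (dst_ip, dst_port),
                               "outside_global": (dst_ip, dst_port)}
        return self.table[key]["inside_global"]

    def inbound(self, proto, dst_ip, dst_port):
        """Reply enters on the 'ip nat outside' interface; the destination port picks the host.
        Returns the inside local (ip, port), or None when no translation exists."""
        for entry in self.table.values():
            if entry["proto"] == proto and entry["inside_global"] == (dst_ip, dst_port):
                return entry["inside_local"]
        return None   # unsolicited traffic: no entry, so no inside host is reachable

    def show_ip_nat_translations(self) -> list:
        """Rows in the order of the column headings of show ip nat translations:
        Pro, Inside global, Inside local, Outside local, Outside global (ip:port strings)."""
        fmt = lambda ap: f"{ap[0]}:{ap[1]}"
        return [(e["proto"], fmt(e["inside_global"]), fmt(e["inside_local"]),
                 fmt(e["outside_local"]), fmt(e["outside_global"]))
                for e in self.table.values()]
```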

If you need practice with configuring NAT or ACLs, the Kaplan IT CCNA simulator is a great tool for this. See this link:

Only one more objective to go! See you next week.

–Troy McMillan



  1. Excellent article, these posts are worth book-marking for the CCNA testers!

    • Thanks! We’re talking Troy into doing a series of posts for all the major introductory Cisco tests, just as soon as he finishes documenting some new features of Windows 7.

      Keep reading!
