
Network Security Fundamentals – A CCNA lab project demonstrating VLAN segmentation, NAT, ACLs, and firewall concepts in a small office network. Includes routers, switches, PCs, and a server, with step-by-step configuration and verification.


asmymhm/networking-nat-acl-firewall-lab


🏢 Network Security Fundamentals: NAT, ACLs & Firewall


Table of Contents

  1. 📘 Project Overview
  2. 🎯 Project Objective
  3. 🌐 Network Topology
  4. 🗂️ Device Interface Table
  5. 📝 IP Addressing Table
  6. 🔧 Lab Steps
  7. 💻 Device Configuration
  8. ✅ Verification
  9. ⚡ How to Run Lab
  10. 📂 Folder Structure
  11. 🎓 Learning Outcomes
  12. ℹ️ Repository Info

📘 Project Overview

This project simulates a small office network with multiple VLANs (HR and IT), a central router, switches, PCs, and a server. It demonstrates key network security concepts, including NAT for internet access and ACLs for controlling inter-department traffic, with testing to ensure proper network segmentation and access restrictions.


🎯 Project Objective

  • Configure VLANs to separate department traffic.
  • Implement NAT to provide internet access for internal PCs.
  • Apply ACLs to restrict HR PCs from accessing the server while allowing IT PCs access.
  • Verify connectivity, NAT translations, and ACL enforcement.
  • Develop basic network troubleshooting skills.

🌐 Network Topology

The lab consists of:

  • 2 Routers (R1 and ISP)
  • 2 Switches (SW1 for LAN, SW2 for Server)
  • 4 PCs in separate VLANs (HR, IT)
  • 1 Server for internal resource access

TOPOLOGY OVERVIEW


📁 Device Interface Table

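| Device | Interface | Connected To | Description |
|--------|-----------|--------------|-------------|
| R1 | S0/3/0 | ISP | ISP Router |
| R1 | G0/0 | SW1 | Internal LAN |
| R1 | G0/1 | SW2 | Server Switch |
| SW1 | F0/2 | PC1-HR | HR PC |
| SW1 | F0/3 | PC2-HR | HR PC |
| SW1 | F0/4 | PC3-IT | IT PC |
| SW1 | F0/5 | PC4-IT | IT PC |
| SW2 | F0/1 | WEB Server | Connected to Web Server |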

📝 IP Addressing Table

| Device | Interface | IP Address | Subnet Mask | Default Gateway | Notes |
|--------|-----------|------------|-------------|-----------------|-------|
| R1 | G0/0 | 192.168.10.1 | 255.255.255.0 | - | To internal LAN (PCs) |
| R1 | G0/1 | 192.168.20.1 | 255.255.255.0 | - | To Server LAN |
| R1 | S0/3/0 | 200.0.0.2 | 255.255.255.252 | - | Connected to ISP Router |
| ISP | S0/3/0 | 200.0.0.1 | 255.255.255.252 | - | Connected to R1 Serial |
| PC1-HR | NIC | 192.168.10.10 | 255.255.255.0 | 192.168.10.1 | Connected to SW1 |
| PC2-HR | NIC | 192.168.10.11 | 255.255.255.0 | 192.168.10.1 | Connected to SW1 |
| PC3-IT | NIC | 192.168.10.20 | 255.255.255.0 | 192.168.10.1 | Connected to SW1 |
| PC4-IT | NIC | 192.168.10.21 | 255.255.255.0 | 192.168.10.1 | Connected to SW1 |
| Server | NIC | 192.168.20.5 | 255.255.255.0 | 192.168.20.1 | Connected to SW2 |

🔧 Lab Steps

  1. Configure VLANs on switches.
  2. Assign VLANs to respective ports.
  3. Configure Router sub-interfaces for each VLAN.
  4. Configure NAT on R1 for Internet access.
  5. Create and apply ACLs:
    • Block HR VLAN from accessing server.
    • Allow IT VLAN to access server.
  6. Test connectivity:
    • Ping external IP from HR and IT PCs.
    • Ping server from HR (should fail) and IT (should succeed).
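An added example (not taken from the repository's r1.cfg) that models how R1 evaluates an inbound extended ACL for steps 5 and 6: entries are checked top-down, the first match decides, and anything unmatched hits the implicit deny. The ACL entries are assumed, since the page shows only the ACL name; the host addresses come from the IP Addressing Table.

```python
import ipaddress

# Assumed (constructed) entries for ACL_INTERNAL_TO_SERVER; the page shows only
# the ACL name, so this is not the repository's r1.cfg. HR and IT PCs share
# 192.168.10.0/24, so HR hosts are matched by address before the broad permit.
ACL_TEXT = """
deny ip host 192.168.10.10 host 192.168.20.5
deny ip host 192.168.10.11 host 192.168.20.5
permit ip 192.168.10.0 0.0.0.255 any
"""

def _take_addr(tokens):
    """Consume one address spec; return (base, wildcard) as integers."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        entries.append((action, _take_addr(tokens), _take_addr(tokens)))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(entries, src, dst):
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for action, src_spec, dst_spec in entries:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    pcs = {"PC1-HR": "192.168.10.10", "PC2-HR": "192.168.10.11",
           "PC3-IT": "192.168.10.20", "PC4-IT": "192.168.10.21"}
    for name, ip in pcs.items():
        print(name, "server:", evaluate(acl, ip, "192.168.20.5"), "internet:", evaluate(acl, ip, "8.8.8.8"))
```

Entry order is the part to check in a real ACL: with the subnet permit placed above the host denies, the HR PCs would match the permit first and reach the server.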

💻 Device Configuration

🚦 Office Router R1

```text
interface GigabitEthernet0/0
description Connected to SW1 / Internal LAN (PCs)
ip address 192.168.10.1 255.255.255.0
no shutdown
! Filter traffic from the PCs as it enters R1, before it is routed to the server LAN
ip access-group ACL_INTERNAL_TO_SERVER in

interface GigabitEthernet0/1
description Connected to SW2 / Server LAN
ip address 192.168.20.1 255.255.255.0
no shutdown
```

View Full Configuration File →

🚦 ISP Router R2

```text
interface se0/3/0
ip address 200.0.0.1 255.255.255.252
no shutdown
description Connected to R1

! (Optional) simulate Internet side with a loopback for testing NAT/ping

interface loopback0
end
write memory
```

View Full Configuration File →

🔀 LAN Switch SW1

```text
no ip domain-lookup
interface vlan1
ip address 192.168.10.254 255.255.255.0
no shutdown

! Default gateway so switch management can reach R1/Internet

ip default-gateway 192.168.10.1
```

View Full Configuration File →

🔀 Server Switch SW2

```text
no ip domain-lookup
interface vlan1
ip address 192.168.20.254 255.255.255.0
no shutdown

! Default gateway so switch management can reach R1/Internet

ip default-gateway 192.168.20.1
```

View Full Configuration File →


💻 PC & Server Configuration

View Full Configuration File →



✅ Verification

**LAB TOPOLOGY**

TOPOLOGY OVERVIEW

🔍 Check Interface Status (R1)

R1#show ip interface brief

R1 SHOW IP INTERFACE

**Ping to ISP Router Interface**

R1#ping 200.0.0.1

R1 PING


🖧 Verify Routing Table (R1)

R1#show ip route

R1 SHOW IP ROUTE

---

📶 Ping Test: LAN Gateway

From PC1:

C:\>ping 192.168.10.1   

PC1 IP PING

From PC3:

C:\>ping 192.168.10.1

PC3 IP PING


📶 Ping Test: Inter-VLAN Gateway

From PC1:

C:\>ping 192.168.20.1

PC1 PING


📶 Ping Test: Server (192.168.20.5)

  • From PC1:
C:\>ping 192.168.20.5

PC1 PING SERVER

  • From PC3 (192.168.10.20):
C:\>ping 192.168.20.5

PC3 SERVER PING

  • From PC4 (192.168.10.21):
C:\>ping 192.168.20.5

PC4 to SERVER PING


🤝 NAT Verification

On R1:

R1#show ip nat translations

R1 NAT Translation


🌐 Internet Connectivity Test

From PC1:

C:\>ping 8.8.8.8

PC1 ping Internet

From Server (192.168.20.5):

C:\>ping 8.8.8.8

Server ping Internet


🗺️ ACL Verification on R1

R1#show access-lists

R1 Access List

---

🔌 ARP Verification

On R1:

R1#show arp

R1 ARP


🚦 Router Configuration

**Office Router R1**

R1#show run

R1 SHOW RUN

**ISP Router R2**

ISP#show run

R2 SHOW RUN

ISP#show ip interface brief

ISP SHOW IP INT Brief

---

🔀 SWITCH Configurations

**LAN SWITCH SW1**

SW1#show run

SW1 SHOW RUN

SW1#show ip interface brief

SW1 SHOW IP INT Brief

**SERVER SWITCH SW2**

SW2#show run

SW2 SHOW RUN

SW2#show ip interface brief

SW2 SHOW IP INT Brief


⚡ How to Run Lab

  1. Download or clone the repository:

    git clone https://github.com/asmymhm/network-security-nat-acl-firewall.git

  2. Open the Packet Tracer lab file: lab file/networking-nat-acl-firewall.pkt

  3. Load all device configurations from the configs/ folder if needed.

  4. Follow the lab steps as described in the "🔧 Lab Steps" section.

  5. Verify connectivity between VLANs, NAT translations, ACL restrictions, and server access.

  6. Optionally, export topology diagrams from drawio/topology.drawio for documentation.


📂 Folder Structure

```text
Network Security Fundamentals: NAT & ACLs
│
├─ configs/
│  ├─ hr1.txt
│  ├─ hr.txt
│  ├─ it1.txt
│  ├─ it2.txt
│  ├─ r1.cfg
│  ├─ r2-isp.cfg
│  ├─ server.txt
│  ├─ sw1.cfg
│  └─ sw2.cfg
│
├─ screenshots/
│  ├─ isp_running-config.png
│  ├─ isp_show_ip_interface_brief.png
│  ├─ pc1_browser_http_blocked.png
│  ├─ pc1_ipconfig_all.png
│  ├─ pc1_ip_ping.png
│  ├─ pc1_ping_internet.png
│  ├─ pc1_ping_server_blocked.png
│  ├─ pc1_to_192.168.20.1.png
│  ├─ pc2_ipconfig_all.png
│  ├─ pc2_ip_ping.png
│  ├─ pc3_browser_http_server.png
│  ├─ pc3_ipconfig_all.png
│  ├─ pc3_ip_ping.png
│  ├─ pc3_ip_ping2.png
│  ├─ pc3_ping_server_allowed.png
│  ├─ pc4_ipconfig_all.png
│  ├─ pc4_ip_ping.png
│  ├─ r1_ping.png
│  ├─ r1_running_config.png
│  ├─ r1_show_access_lists.png
│  ├─ r1_show_arp.png
│  ├─ r1_show_ip_interface_brief.png
│  ├─ r1_show_ip_nat_translations.png
│  ├─ r1_show_ip_route_nat.png
│  ├─ server_ip_ping.png
│  ├─ server_ping_internet.png
│  ├─ sw1_running_config.png
│  ├─ sw1_show_interface_status.png
│  ├─ sw2_running_config.png
│  └─ sw2_show_interface_status.png
│
├─ lab file/
│  └─ networking-nat-acl-firewall.pkt
├─ drawio/
│  └─ topology.drawio
├─ topology/
│  ├─ pro2_00_topology.png
│  └─ topology_overview.png
├─ License
├─ verification.md
└─ README.md
```


🎓 Learning Outcomes

After completing this lab, you will be able to:

  • Understand VLAN configuration and segmentation of network traffic.

  • Implement NAT for providing internet access to internal hosts.

  • Configure and apply ACLs to restrict or allow specific traffic between VLANs.

  • Perform basic verification commands: ping, show ip route, show ip nat translations, show access-lists.

  • Develop troubleshooting skills for small office network environments.

  • Document and organize network lab projects professionally for portfolio purposes.


📂 Repository Info

This project is part of my CCNA Lab Portfolio.
Explore more labs here 👉 @asmymhm

