This lab demonstrates internal network connectivity and edge firewall configuration using Cisco devices in Packet Tracer.
Author: <MH. Mohamed Asmy>
Date: <2025-09-18>
Project Overview
Item | Details |
---|---|
Project Name | NAT and Edge Firewall Lab |
Objective | Configure NAT on the router and implement edge firewall rules on ASA5505 to secure network traffic while allowing internal PCs to access external network resources. |
Devices Used | Router X2 (2911, 2811), Switch X1 (2960), PCs X2, Server-PT X1, ASA5505 Firewall |
Software | Cisco Packet Tracer (Windows Environment) |
Key Concepts | NAT (Static/Dynamic), PAT, Access Control Lists (ACLs), Edge Firewall Configuration, End-to-End Connectivity Verification |
Limitation: Packet Tracer ASA5505 cannot perform NAT/PAT via CLI or GUI. Therefore, traffic from internal PCs to the outside network (Router 2811 / Internet) cannot be demonstrated.
Physical Cabling Table
Device | Interface | Connected To | Device Interface |
---|---|---|---|
Router 2911 | G0/0 | Switch 2960 | Fa0/1 |
Router 2911 | G0/1 | Server-PT | Fa0 |
Router 2911 | G0/2 | ASA5505 | Et0/0 |
Switch 2960 | Fa0/2 | PC1 | NIC |
Switch 2960 | Fa0/3 | PC2 | NIC |
Switch 2960 | Fa0/4 | ASA5505 | Et0/2 |
ASA5505 | Et0/1 | Router 2811 | Fa0/0 |
Device | Interface | IP Address | Subnet Mask | Default Gateway |
---|---|---|---|---|
PC1 | NIC | 192.168.10.10 | 255.255.255.0 | 192.168.10.1 |
PC2 | NIC | 192.168.10.11 | 255.255.255.0 | 192.168.10.1 |
Server-PT | Fa0 | 192.168.20.10 | 255.255.255.0 | 192.168.20.1 |
Router 2911 | G0/0 | 192.168.10.1 | 255.255.255.0 | – |
Router 2911 | G0/1 | 192.168.20.1 | 255.255.255.0 | – |
Router 2911 | G0/2 | 10.0.0.1 | 255.255.255.252 | – |
ASA5505 | Et0/0 | 10.0.0.2 | 255.255.255.252 | – |
ASA5505 | Et0/1 | 172.16.0.2 | 255.255.255.0 | – |
Router 2811 | Fa0/0 | 172.16.0.1 | 255.255.255.0 | – |
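The two tables above are what the rest of the lab depends on, and most "ping fails" problems in a fresh build come from an address or gateway that does not match them. The script below is an added example for this README (not one of the lab's configuration files): it encodes the addressing and cabling tables as data and automates the checks normally done by eye before a lab is powered on. Both ends of every routed link must sit in one subnet with distinct addresses, and every end host's default gateway must lie inside the host's subnet and be configured on a router or firewall interface. The 2960 is layer 2 only, so its ports are not routed links; the PCs behind it are covered by the gateway check. Device and interface names are taken from the tables; the grouping of routers and the ASA as "infrastructure" is an assumption of the example.

```python
"""Sanity check of this lab's address plan (added example, not a lab config file)."""
import ipaddress
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (device, interface)

# Addressing table from this README: (device, interface) -> (address, mask).
ADDRESSES: Dict[Key, Tuple[str, str]] = {
    ("PC1", "NIC"): ("192.168.10.10", "255.255.255.0"),
    ("PC2", "NIC"): ("192.168.10.11", "255.255.255.0"),
    ("Server-PT", "Fa0"): ("192.168.20.10", "255.255.255.0"),
    ("Router 2911", "G0/0"): ("192.168.10.1", "255.255.255.0"),
    ("Router 2911", "G0/1"): ("192.168.20.1", "255.255.255.0"),
    ("Router 2911", "G0/2"): ("10.0.0.1", "255.255.255.252"),
    ("ASA5505", "Et0/0"): ("10.0.0.2", "255.255.255.252"),
    ("ASA5505", "Et0/1"): ("172.16.0.2", "255.255.255.0"),
    ("Router 2811", "Fa0/0"): ("172.16.0.1", "255.255.255.0"),
}

# Default gateways of the end hosts, from the same table.
GATEWAYS: Dict[Key, str] = {
    ("PC1", "NIC"): "192.168.10.1",
    ("PC2", "NIC"): "192.168.10.1",
    ("Server-PT", "Fa0"): "192.168.20.1",
}

# Routed (IP-to-IP) links from the cabling table; switch ports carry no IP.
LINKS: List[Tuple[Key, Key]] = [
    (("Router 2911", "G0/1"), ("Server-PT", "Fa0")),
    (("Router 2911", "G0/2"), ("ASA5505", "Et0/0")),
    (("ASA5505", "Et0/1"), ("Router 2811", "Fa0/0")),
]

# Assumption of this example: devices whose addresses may serve as gateways.
INFRA = {"Router 2911", "Router 2811", "ASA5505"}


def iface(addresses: Dict[Key, Tuple[str, str]], key: Key) -> ipaddress.IPv4Interface:
    """Build an IPv4Interface from the table's dotted address and mask."""
    addr, mask = addresses[key]
    return ipaddress.IPv4Interface(f"{addr}/{mask}")


def check_plan(addresses=ADDRESSES, gateways=GATEWAYS, links=LINKS) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings: List[str] = []

    # 1. Every routed link: same subnet on both ends, different addresses.
    for a, b in links:
        ia, ib = iface(addresses, a), iface(addresses, b)
        if ia.network != ib.network:
            findings.append(f"{a} {ia} and {b} {ib} are not in the same subnet")
        elif ia.ip == ib.ip:
            findings.append(f"{a} and {b} both use {ia.ip}")

    # 2. Every end host: gateway inside its own subnet and present on infrastructure.
    infra_ips = {iface(addresses, k).ip for k in addresses if k[0] in INFRA}
    for key, gw in gateways.items():
        host = iface(addresses, key)
        gw_ip = ipaddress.IPv4Address(gw)
        if gw_ip not in host.network:
            findings.append(f"{key}: gateway {gw} is outside {host.network}")
        elif gw_ip not in infra_ips:
            findings.append(f"{key}: gateway {gw} is not configured on any router/firewall interface")
    return findings


if __name__ == "__main__":
    for line in check_plan() or ["address plan is consistent"]:
        print(line)
```

Run it after editing the tables; any finding names the device and interface to fix. Because the tables are plain dictionaries, the same checker can be pointed at a modified plan (a different gateway, a renumbered link) to confirm that the mistake is caught before it is typed into a device.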
- Router: `router-configs/R1.cfg`
- Firewall: `firewall-configs/FW1.cfg`
- PC: `pc-configs/PC.cfg`
- Server: `server-configs/Server.txt`
```
enable
configure terminal
! Hostname
hostname R1
! Inside LAN interface towards Switch 2960 (PC1 / PC2)
interface GigabitEthernet0/0
 description Inside LAN (Switch 2960)
 ip address 192.168.10.1 255.255.255.0
 no shutdown
! Inside LAN interface towards Server-PT
interface GigabitEthernet0/1
 description Inside LAN (Server-PT)
 ip address 192.168.20.1 255.255.255.0
 no shutdown
! Outside interface towards ASA
interface GigabitEthernet0/2
 description Link to ASA (outside)
 ip address 10.0.0.1 255.255.255.252
 no shutdown
! Default route: send unknown traffic to ASA
ip route 0.0.0.0 0.0.0.0 10.0.0.2
end
write memory
```
Device | IP Address | Subnet Mask | Default Gateway |
---|---|---|---|
PC1 | 192.168.10.10 | 255.255.255.0 | 192.168.10.1 |
PC2 | 192.168.10.11 | 255.255.255.0 | 192.168.10.1 |
Device | IP Address | Subnet Mask | Default Gateway |
---|---|---|---|
Server-PT | 192.168.20.20 | 255.255.255.0 | 192.168.20.1 |
```
enable
configure terminal
hostname FW1
! VLAN interfaces
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
 no shutdown
! Assign Ethernet ports to VLANs
! Ethernet0/0: outside link to R1
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
! Ethernet0/1: internal / management
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
! Ethernet0/2: internal / management
interface Ethernet0/2
 switchport access vlan 1
 no shutdown
! Access control rules
! Allow outside HTTP traffic to the internal server (192.168.20.10);
! any other inbound traffic on the outside interface hits the implicit deny
access-list OUTSIDE_IN extended permit tcp any host 192.168.20.10 eq www
! Apply the ACL inbound on the outside interface
access-group OUTSIDE_IN in interface outside
! Notes
! NAT / PAT not configured here because Packet Tracer ASA does not support full NAT features.
! R1 provides inside routing, ASA enforces the firewall ACL.
! End-to-end testing limited to:
!  - ICMP ping tests
!  - HTTP allowed
!  - Telnet denied
write memory
```
1. Configure routers, ASA, PCs, and server as above.
2. Assign VLANs and IP addresses.
3. Configure the ACL on the ASA for allowed traffic (TCP port 80).
4. Verify VLANs, interfaces, and connectivity inside.
5. Test allowed traffic (HTTP) and denied traffic (Telnet / TCP 23) from outside.
6. Save all configurations.
Purpose: Verify VLANs are up and IP addresses are correct.

Command (on FW1):

```
show interface ip brief
```

Expected Results:

- ACL allows TCP port 80 to 192.168.20.10
- All other traffic blocked by default
- Hit count increments after HTTP test

Test Allowed Traffic (HTTP)

Command (from outside network / PC or R1):

```
http://192.168.20.10
```

Expected Result: HTTP page loads successfully

Test Denied Traffic (Telnet)

Command (from outside network / PC or R1):

```
telnet 192.168.20.10 23
```

Expected Result: Connection refused ❌
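The HTTP and Telnet tests above exercise one property of the OUTSIDE_IN list: a flow is compared against the entries top to bottom, the first match decides, and a flow that matches nothing is dropped by the implicit deny at the end of every ASA access-list. The script below is an added example for this README (not part of the lab files): it parses the `access-list ... extended` line from FW1's configuration and evaluates the two verification flows offline, plus a third flow (HTTP to PC1) that shows the implicit deny covering hosts the ACL never names. Only the `extended permit|deny tcp|udp|ip <src> <dst> [eq <port>]` form used in this lab is parsed; the outside source address 172.16.0.1 (R2811 in the cabling table) is an assumed test source.

```python
"""First-match model of the ASA access-list on FW1 (added example, not a lab file)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of the ASA port keywords; enough for this lab's tests.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "ssh": 22}

# ACL line from this lab's FW1 configuration.
FW1_ACL = """
access-list OUTSIDE_IN extended permit tcp any host 192.168.20.10 eq www
"""


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # ASA ACLs take a normal subnet mask, not an IOS wildcard mask.
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config_text: str) -> Dict[str, List[Ace]]:
    """Collect extended access-list entries by ACL name, in configuration order."""
    acls: Dict[str, List[Ace]] = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        name, action, proto = tokens[1], tokens[3], tokens[4]
        src, i = _parse_addr(tokens, 5)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i + 1 < len(tokens) and tokens[i] == "eq":
            port = tokens[i + 1]
            dport = int(port) if port.isdigit() else PORT_NAMES[port]
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """Return 'permit' or 'deny' for one flow; unmatched flows hit the implicit deny."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every ASA access-list


def run_lab_tests(acl_text: str = FW1_ACL) -> Dict[str, str]:
    """Evaluate the README's verification flows plus one extra host for the implicit deny."""
    aces = parse_acl(acl_text)["OUTSIDE_IN"]
    outside = "172.16.0.1"  # assumed outside test source (R2811 Fa0/0 in the cabling table)
    return {
        "http_to_server": evaluate(aces, "tcp", outside, "192.168.20.10", 80),    # permit
        "telnet_to_server": evaluate(aces, "tcp", outside, "192.168.20.10", 23),  # deny
        "http_to_pc1": evaluate(aces, "tcp", outside, "192.168.10.10", 80),       # deny
    }


if __name__ == "__main__":
    for flow, verdict in run_lab_tests().items():
        print(f"{flow}: {verdict}")
```

Paste additional `access-list OUTSIDE_IN` lines into `FW1_ACL` to see how ordering changes the verdicts: a broad `permit ip any any` placed above the HTTP entry would silently let the Telnet test through, which is exactly the kind of mistake the denied-traffic test is there to catch.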
Test internal network connectivity to confirm PCs, Server, and Router communicate correctly.

Tests to perform:

Source Device | Destination Device | Command | Expected Result |
---|---|---|---|
PC1 | PC2 | ping 192.168.10.11 | Success ✅ |
PC1 | Server-PT | ping 192.168.20.20 | Success ✅ |
PC2 | Server-PT | ping 192.168.20.20 | Success ✅ |
PC1 | Router2911 G0/1 | ping 192.168.20.1 | Success ✅ |
Router2911 G0/2 | FW1 outside | ping 10.0.0.2 | Timeout |

Commands as run:

- PC1 to PC2: `ping 192.168.10.11`
- PC1 to Server-PT: `ping 192.168.20.20`
- PC2 to Server-PT: `ping 192.168.20.20`
- PC1 to R1: `ping 192.168.20.1`
- R1 to FW1 outside: `ping 10.0.0.2`
```
networking-nat-firewall/
├── README.md
├── labs
├── diagrams
│   └── topology.png
├── router-configs/
│   └── R1.cfg
├── pc-configs/
│   └── PC.cfg
├── server-configs/
│   └── Server.cfg
├── firewall-configs/
│   └── FW1.cfg
├── screenshots/
│   ├── FW1_interface.png
│   ├── HTTP_test.png
│   ├── PC1_ping_PC2.png
│   ├── PC1_ping_R1.png
│   ├── PC1_ping_Server.png
│   ├── PC2_ping_Server.png
│   ├── R1_ping_FW1.png
│   └── Telnet_blocked.png
├── verification.md
└── LICENSE
```
This project is licensed under the MIT License.