SNHU - Implementing NAT and Allowing

Remote Access

Introduction

Objective

CompTIA Security+ Domain:

Domain 1: Network Security

CompTIA Security+ Objective Mapping:

Objective 1.1: Implement security conﬁguration parameters on network devices and other

technologies.

Objective 1.2: Given a scenario, use secure network administration principles.



Overview

NAT stands for Network Address Translation and allows many machines with private IP

addresses to use a single Public IP Address to connect to the Internet. In this lab, you will

implement NAT on a ﬁrewall.

ﬁrewall

A ﬁrewall can block trafﬁc or redirect trafﬁc to hosts on the internal network.

pfSense is an open source ﬁrewall that uses a BSD-based ﬁrewall.

NAT

Network Address Translation can be used to allow internal IP addresses access

to the WAN.

VPN

Virtual Private Network allows you to connect to a LAN for the Internet and

access resources.

pfSense an open source ﬁrewall that is widely used in the industry

ping

an operating system utility that allows you to test for TCP/IP connectivity

between hosts

Understanding NAT

Key

Term

Description

Click on the Windows 10 icon in the topology, then double-click on the desktopcmd

- Shortcut.

Verify that you can ping the external Windows 8 machine on the WAN by typing

the following command and then press Enter.

C:\Users\student>

ping 175.45.176.200

C:\Users\student>

exit

Type the following command then press Enterto leave the Command Prompt

session.

Double-click on the Wireshark shortcut to launch the protocol analyzer.



Double-click on the Ethernet0 from the list of available interfaces to start Wireshark.



Click the — bar in the right hand corner to minimize Wireshark.

Double-click on the cmd - Shortcut to open the Command Prompt on Windows 10.

C:\Users\student>

ping 175.45.176.200 −t

and then press Enter.

Perform a continuous ping on the external Windows 8 machine on the WAN by

typing

Click Wireshark in the Windows taskbar to bring the program back into focus.

Click the Stop button to stop the capture.

In the Wireshark ﬁlter pane, type

ip.dst == 175.45.176.200

and then click the

Apply this ﬁlter strain to the display button

Apply this ﬁlter strain to the display button.

View the diagram below. NAT allows internal hosts on the LAN with private IP

addresses to communicate with external hosts on the WAN with public IP addresses.

Click File from the Wireshark menu bar and then click Close. Click Continue without

Saving.

Click File from the Wireshark menu bar and thenclick Quit.

Click on the external Windows 8.1 icon on the topology. Then double-clickon the

desktopcmd - Shortcut link.

View the diagram. A machine on the WAN can only reach other machines on the

WAN. Only if the ﬁrewall redirects the user to the internal machine or the WAN

machine uses a VPN can a user from the public Internet (WAN) reach a machine that

is on the LAN.

C:\>

nmap 203.0.113.100

C:\>

exit

Type the following command and then press Enter to determine what ports are open

on the ﬁrewall.

Type

exit

and then press Enter, to leave your Command Prompt session.

Double-click on the shortcut to Wireshark on the desktop.

Select Capture from the menu bar and then choose Interfaces.

Click Start to start the Wireshark capture.

Click the Stop button to stop the capture.

In the Wireshark Filter pane, type

ip.dst == 175.45.176.200

and then click

Apply.

View the diagram below. The external machine can only see the trafﬁc originating

from the WAN IP, not the LAN IP that is using NAT to reach its destination on the

WAN.

Click File from the Wireshark menu bar and then click Close, then click the Continue

without Saving button.

Click File from the Wireshark menu bar and the click Quit.

S i h b k h i l Wi d 10 hi h LAN Cli k h X i h

C:\Users\student>

exit

Conﬁguring NAT

Switch back to the internal Windows 10 machine on the LAN. Click the X in the

upper right corner to close the Command Prompt.

Double-click on the cmd - Shortcut.

C:\Users\student>

ping 175.45.176.200

and then press Enter.

C:\Users\student>

exit

Verify NAT works by pinging the external Windows 8 machine on the WAN by

typing

Type the following command and press Enter, to leave the Command Prompt

session.

Click the Edge icon in the taskbar on the bottom of the Windows 10 machine.

Type

http://192.168.1.254

and click the next arrow.

For the Username, type

admin

, and for the Password, type

pfsense

. Click Login.

Click the X to close “Would you like to save your password for 192.168.1.254?”



Click on Firewall and then click on Rules.

Note: It might take up to 20 seconds to display the Firewall Rules.

Click on the LAN icon on the desktop to launch the Firewall: Rules for LAN.

Check the all boxes on the left and click the X button on the right hand side to delete

it.

Click OK when you are asked Doyou really want to delete this rule for each rule.

Click Apply changes to apply the rule.

Your screenshot might vary slightly with different rules.

C:\Users\student>

ping 175 45 176 200

Click the — bar in the right top part of Edge to minimize the window.

Double-click on the cmd - Shortcut.

Verify NAT fails by pinging the external Windows 8 machine on the WAN by typing

the following command. Thenpress Enter.

C:\Users\student>

ping 175.45.176.200

C:\Users\student>

exit

Type the following command and then press Enter,to leave the Command Prompt

session.

Click Edge in the Windows taskbar to bring the program back into focus.

Click the + button in the top right hand corner to add a rule.

Your screenshot might vary slightly with different rules.

Click the arrow on the Protocol box and select any.

ClickSave.

Click Apply changes to apply the rule.

Your screenshot might vary slightly with different rules.

Click the X in the right corner to close the Edge browser.

C:\Users\student>

ping 175.45.176.200

Double-click on the cmd - Shortcut.

Verify NAT works again by pinging the external Windows 8 machine on the by

typing the following command. Then press Enter.

C:\Users\student>

exit

Secure Remote Login

Type the following command and press Enter,to leave the Command Prompt

session.

Click on the Windows Server icon on the topology. After the server is

loaded,presstheSend Ctrl+Alt+Delete buttonin the upper right corner.

Note: If you do not see the blue desktop, click the desktop.

Log onas

administrator

with the password of

P@ssw0rd

, thenclickthearrow.



Click on the Start button, go to Administrative Tools, and select Routing and Remote

Access.

Right-click on the SERVER (local) and select Conﬁgure and Enable Routing and

Remote Access.

Click Next and the Welcome to the Routing and Remote Access Server Setup

Wizard.

Click Custom conﬁguration and click Next.

Check the box for VPN Access and then click Next.

Click Finish.

Click Start service.

Double-click on the Command Prompt shortcut on the Windows Server 2008

desktop.

C:\>

dsa.msc



Type the following command and press Enter, to open the Active Directory Users

and Computers interface.

Expand the + boxon the left ofcampus.edu domain and double-click on the Users

container.

Right-click on Administrator and select Properties.

Click the Dial-in tab and then click Allow access. Click OK.



Clickonthe Windows 10 machine. Then clickon the Edge icon in the taskbar.

Type

http://192.168.1.254

and click the next arrow.

For the Username, type

admin

, and for the Password, type

pfsense

. Click Login.

When asked Would you like to save your password for 192.168.1.252?, click the X to

close this dialogue.

Click VPN and then select PPTP.

Note: this may take up to 20 seconds to show the PPTP Conﬁguration.

Select Redirect incoming PPTP connections to: and type

192.168.1.10

into the

PPTP redirection box, then Click Save.

Click on the external Windows 8.1 machine in the topology. Right-click on the

Windows button in the lower left-hand corner and then select Control Panel from the

list of links.

In the Control Panel menu, select Network and Internet.

Click the link to the Network and Sharing Center.

Click the link to set up a new connection or network.

Click Connect to a workplace and click Next.

Click Use my Internet connection (VPN).

Click I’ll set up an Internet connection later.

Type

203.0.113.100

for the Internet address and click Create.

Click Change adapter settings.

Right-click the VPN Connection and select Properties.

Click the Security tab. Click the drop down box and select Point to Point Tunnelling

Protocol (PPTP). Click the radio button to Allow these protocols. Click OK.

Right-click on VPN Connection and select Connect / Disconnect.

Click the VPN Connection in the right hand pane. Click Connect.

In the top box, type

administrator@campus.edu

. Type the password of

P@ssw0rd

Click OK.

You will see a message that the VPN Connection is Connected.

Note: Press the STOP button to complete the lab.