
Ultimate Guide to Configuring a Secured Network Using Cisco Packet Tracer


I am a versatile professional with expertise in multiple domains, including DevSecOps, AWS Cloud Solutions, AI/ML, and Cyber Security. With over 5 years of experience in the field, I have honed my skills and dedicated myself to various roles and responsibilities.

If you're looking for opportunities for collaboration, insights, or exciting ventures in these domains, I'm open to connecting. Please don't hesitate to reach out – I'm excited to engage with professionals, learners, and enthusiasts who share my passion for these fields!

Designing a secure and efficient network requires thoughtful configuration, especially when departments have different access levels. In this guide, we walk you through setting up a network step-by-step, covering VLANs, inter-VLAN routing, DHCP, NAT, firewall rules, and wireless settings. The network diagram below shows a sample configuration for a company using Cisco Packet Tracer.


Network Diagram Overview

The network consists of the following elements:

  • Router: Responsible for routing between VLANs and connecting to the internet (IP: 203.1.1.1).

  • Firewall (ASA 5505): Provides protection between internal and external networks.

    • Security Levels:

      • 100 (Inside): Trusted internal network.

      • 0 (Outside): Untrusted external network.

      • 1-99 (DMZ): Semi-trusted zone for public-facing servers.

  • Switches: Manage VLANs and trunk connections for inter-device communication.

  • Departments:

    • Administration (VLAN 50): the only department permitted to reach the server VLAN.

    • IT Team (VLAN 10), HR Team (VLAN 30), Finance Team (VLAN 40): internet access only; their traffic toward the server VLAN is blocked (see Step 5).

    • Server Room (VLAN 20): Hosts DNS, DHCP, FTP, and email servers.

  • Wireless Network: A wireless router (192.168.1.2) provides connectivity for mobile devices.


Step 1: Switch Configuration

1.1 Create VLANs
To isolate traffic, create the same VLANs on every switch, one per department, each with a unique ID and its own subnet:

VLAN ID | Department       | Network
10      | IT Team          | 10.0.0.0/24
20      | Server Room      | 20.0.0.0/24
30      | HR Team          | 30.0.0.0/24
40      | Finance Team     | 40.0.0.0/24
50      | Wireless (Admin) | 192.168.1.0/24

Note that 20.0.0.0/24, 30.0.0.0/24 and 40.0.0.0/24 are publicly routed ranges, not RFC 1918 private space. That is harmless inside Packet Tracer, but in a real deployment give every VLAN a private range so internal addresses can never collide with internet destinations.

Commands:

Switch> enable  
Switch# configure terminal  
Switch(config)# vlan 10  
Switch(config-vlan)# name IT_Team  
Switch(config-vlan)# exit  
Switch(config)# vlan 20  
Switch(config-vlan)# name Server_Room  
Switch(config-vlan)# exit

Repeat for VLANs 30, 40 and 50 on every switch. Use the same VLAN IDs everywhere: the name is only a label, the ID is what the 802.1Q tag carries between switches.

1.2 Assign Ports to VLANs
To assign ports to specific VLANs:

Switch(config)# interface fa0/1  
Switch(config-if)# switchport mode access  
Switch(config-if)# switchport access vlan 10  
Switch(config-if)# exit

Repeat for the other VLANs and ports. Ports that are not in use should be shut down and moved out of VLAN 1, so that a device plugged into a spare port does not land on the default VLAN.

1.3 Trunk Ports
For switch-to-switch and switch-to-router connections, enable trunk ports:

Switch(config)# interface fa0/24  
Switch(config-if)# switchport mode trunk  
Switch(config-if)# switchport trunk allowed vlan 10,20,30,40,50  
Switch(config-if)# exit

Restricting the allowed list to the VLANs that actually exist keeps VLAN 1 and any stray VLANs off the trunk. On a real switch also change the trunk's native VLAN from the default VLAN 1 to an unused VLAN: untagged frames on a trunk are placed in the native VLAN, which is what VLAN hopping attacks rely on.

Step 2: Router Configuration for Inter-VLAN Routing

Configure subinterfaces on the router to allow communication between VLANs.

Commands:

Router> enable  
Router# configure terminal  
Router(config)# interface gig0/0  
Router(config-if)# no shutdown  
Router(config-if)# exit  
Router(config)# interface gig0/0.10  
Router(config-subif)# encapsulation dot1Q 10  
Router(config-subif)# ip address 10.0.0.1 255.255.255.0  
Router(config-subif)# exit

Repeat for VLANs 20, 30, 40 and 50, using the matching VLAN ID in the encapsulation dot1Q line and the first address of each subnet as the subinterface address (192.168.1.1 for VLAN 50, which is the default gateway handed out in Step 3 and configured on the wireless router in Step 6). The physical interface gig0/0 carries no IP address of its own; it must be up and connected to the trunk port from Step 1.3.


Step 3: DHCP Configuration

Use the router as the DHCP server for the VLANs that need dynamic addressing (Administration, IT, HR, Finance). The Server Room keeps static addresses (Step 7). Before defining a pool, exclude the addresses that are assigned statically in that subnet; otherwise the pool can lease them to a client and cause an address conflict.

Example (VLAN 50 - Wireless):

Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.2  
Router(config)# ip dhcp pool VLAN50  
Router(dhcp-config)# network 192.168.1.0 255.255.255.0  
Router(dhcp-config)# default-router 192.168.1.1  
Router(dhcp-config)# dns-server 8.8.8.8  
Router(dhcp-config)# exit

Repeat for VLANs 10, 30 and 40 with their own subnet and gateway. The dns-server line above points clients at a public resolver; if clients are meant to use the DNS server built in Step 7 instead, hand out that server's address. Keep in mind that Step 5 blocks the IT, HR and Finance VLANs from reaching VLAN 20, so those clients need either the public resolver or a specific permit for DNS traffic.


Step 4: NAT Configuration for Internet Access

Configure Network Address Translation (NAT) so the user VLANs can reach the internet through the router's outside interface. NAT needs three things: the outside interface marked as NAT outside, every VLAN subinterface marked as NAT inside, and a standard ACL listing the inside networks that may be translated:

Commands:

Router(config)# interface gig0/1  
Router(config-if)# ip address 203.1.1.1 255.255.255.0  
Router(config-if)# ip nat outside  
Router(config-if)# no shutdown  
Router(config-if)# exit  
Router(config)# interface gig0/0.10  
Router(config-subif)# ip nat inside  
Router(config-subif)# exit  
Router(config)# access-list 1 permit 10.0.0.0 0.0.0.255  
Router(config)# access-list 1 permit 30.0.0.0 0.0.0.255  
Router(config)# access-list 1 permit 40.0.0.0 0.0.0.255  
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255  
Router(config)# ip nat inside source list 1 interface gig0/1 overload

Repeat the ip nat inside line on gig0/0.30, gig0/0.40 and gig0/0.50. Access-list 1 deliberately omits 20.0.0.0/24, so the servers are never translated and have no outbound internet path; add that network only if the servers genuinely need outbound access. The router also needs a default route toward the ISP next hop for any of this to work; the diagram does not give that address, so use whatever the outside neighbour is in your topology.

Step 5: Firewall Configuration for Access Control

The access control list enforces the department policy: only the Administration VLAN (192.168.1.0/24) may reach the Server Room VLAN, the IT, HR and Finance VLANs are blocked from it, and everything else (including internet-bound traffic) is allowed. In this design the list lives on the router that performs the inter-VLAN routing, not on the ASA, because traffic between VLANs never crosses the ASA.

Access Control List (ACL) Configuration:

Router(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 20.0.0.0 0.0.0.255  
Router(config)# access-list 100 deny ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255  
Router(config)# access-list 100 deny ip 30.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255  
Router(config)# access-list 100 deny ip 40.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255  
Router(config)# access-list 100 permit ip any any  
Router(config)# interface gig0/0.20  
Router(config-subif)# ip access-group 100 out

Two details matter here. First, the admin source is 192.168.1.0/24, the subnet the Step 1 table and the Step 3 DHCP pool both use for VLAN 50; a typo in that address silently leaves the admin VLAN matched only by the final permit. Second, the list is applied outbound on the VLAN 20 subinterface. Traffic from a workstation to a server enters the router on the workstation's VLAN subinterface and leaves on gig0/0.20, so an inbound list on gig0/0.20 would only ever see packets sourced by the servers, none of which match the deny lines, and the policy would never fire. IOS evaluates entries top to bottom and stops at the first match, so the order shown matters, and the trailing permit ip any any is what lets the user VLANs keep their internet access through NAT.
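To check that a list encodes the intended policy before typing it into the router, here is an added Python model of IOS first-match ACL evaluation (example code written for this page, not part of the original post and not a Cisco tool). It parses both the standard access-list 1 from Step 4 and the extended access-list 100 above, converts IOS wildcard masks to CIDR, applies first-match semantics with the implicit deny at the end, and then asserts the Step 5 policy over a set of constructed test flows. The networks are the page's own; the individual host addresses used as test flows are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed copies of the page's ACLs (Step 4 and Step 5), one ACE per line.
NAT_ACL_1 = """
permit 10.0.0.0 0.0.0.255
permit 30.0.0.0 0.0.0.255
permit 40.0.0.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
"""

SERVER_ACL_100 = """
permit ip 192.168.1.0 0.0.0.255 20.0.0.0 0.0.0.255
deny ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
deny ip 30.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
deny ip 40.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
permit ip any any
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")
ACE = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair to a CIDR network.

    An IOS wildcard is the inverted subnet mask (0.0.0.255 -> /24, 0.0.0.0 -> /32).
    The inversion is done explicitly: ipaddress would read 0.0.0.0 as a valid
    *net* mask (/0) if it were passed through unchanged. A non-contiguous
    wildcard has no CIDR equivalent and raises ValueError.
    """
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address term: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) >= 2 and tokens[1].count(".") == 3:
        return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]
    # Standard-ACL shorthand: a bare address means wildcard 0.0.0.0.
    return ipaddress.IPv4Network(tokens[0] + "/32"), tokens[1:]


def parse_acl(text: str) -> List[ACE]:
    """Parse 'permit|deny [proto] src [dst]' lines, keeping first-match order.

    Standard ACLs (source only) get dst = any. Port qualifiers such as 'eq 53'
    are rejected because the page's ACLs use none.
    """
    entries: List[ACE] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, rest = tokens[0], tokens[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected ACL line: {line}")
        if rest[0] in ("ip", "tcp", "udp", "icmp"):
            proto, rest = rest[0], rest[1:]
            src, rest = _take_address(rest)
            dst, rest = _take_address(rest)
        else:
            proto = "ip"
            src, rest = _take_address(rest)
            dst = ANY
        if rest:
            raise ValueError(f"unsupported qualifier in: {line}")
        entries.append((action, proto, src, dst))
    return entries


def evaluate(acl: List[ACE], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE).

    IOS stops at the first matching entry; a packet that matches nothing hits
    the implicit deny at the end, reported here as index None.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for index, (action, _proto, src_net, dst_net) in enumerate(acl):
        if s in src_net and d in dst_net:
            return action, index
    return "deny", None


def servers_reachable_only_from(acl: List[ACE], allowed: str, others: List[str],
                                server: str = "20.0.0.3") -> bool:
    """Step 5 policy: 'allowed' reaches the server, every host in 'others' is denied."""
    if evaluate(acl, allowed, server)[0] != "permit":
        return False
    return all(evaluate(acl, host, server)[0] == "deny" for host in others)


if __name__ == "__main__":
    acl100 = parse_acl(SERVER_ACL_100)
    # Constructed test flows: one host per VLAN talking to the mail server.
    for src in ("192.168.1.10", "10.0.0.5", "30.0.0.5", "40.0.0.5"):
        action, index = evaluate(acl100, src, "20.0.0.3")
        print(f"{src:>14} -> 20.0.0.3 : {action} (ACE {index})")
    print("policy holds:", servers_reachable_only_from(
        acl100, "192.168.1.10", ["10.0.0.5", "30.0.0.5", "40.0.0.5"]))
```

Run as a script it prints the verdict and matching entry for each flow. The same harness shows why a VLAN 20 server gets no internet: against access-list 1 its source matches no entry and falls to the implicit deny, so NAT never translates it. Add one flow per rule whenever you change either list, and re-run before touching the router.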

Step 6: Wireless Router Configuration

Set up the wireless router:

  • SSID: CompanySecure

  • IP Address: 192.168.1.2

  • Subnet Mask: 255.255.255.0

  • Default Gateway: 192.168.1.1

Ensure WPA2 Personal security is enabled with a long, random passphrase; WPA2 Personal is only as strong as that shared secret, and Packet Tracer also supports WPA2 Enterprise against a RADIUS server if you want per-user credentials. Because the wireless router sits inside VLAN 50, where the main router already serves DHCP (Step 3), disable the wireless router's own DHCP server so the two do not hand out conflicting leases.


Step 7: Server Configuration

Assign static IP addresses to the servers in VLAN 20:

Server       | IP Address
DNS Server   | 20.0.0.1
DHCP Server  | 20.0.0.2
Email Server | 20.0.0.3
FTP Server   | 20.0.0.5

Check these against the router before assigning them: if the VLAN 20 subinterface in Step 2 follows the same pattern as the others, the router already owns 20.0.0.1 and the DNS server must move to another unused address in the subnet. Every server's default gateway is the router's VLAN 20 subinterface address. Note also that the DHCP server listed here is not used by the design as written, since Step 3 runs DHCP on the router; keep one or the other so clients do not receive offers from two servers.

Secure the Servers:

  • DNS Server: Restrict queries to known IPs only.

  • Email Server: Enable SMTP authentication and TLS.

  • FTP Server: Use SFTP/FTPS instead of standard FTP.

Example (DNS Server Configuration):

On a Linux BIND server (the Packet Tracer DNS service is configured through its GUI instead), allow-query belongs inside the options block of /etc/named.conf, not on a line of its own. Limit answers to the administration and server subnets, validate the file, and only then restart the service:

nano /etc/named.conf  
options {  
    allow-query { 192.168.1.0/24; 20.0.0.0/24; };  
};  
named-checkconf /etc/named.conf && systemctl restart named

Step 8: VPN Configuration for Remote Access

To give remote users access to the servers, configure an IKEv1 remote-access VPN on the ASA. The tunnel needs IKEv1 enabled on the outside interface, an IKE policy with its encryption parameters, and a tunnel group that knows which address pool to draw from:

Firewall(config)# ip local pool VPNPOOL 192.168.1.100-192.168.1.200  
Firewall(config)# crypto ikev1 enable outside  
Firewall(config)# crypto ikev1 policy 10  
Firewall(config-ikev1-policy)# authentication pre-share  
Firewall(config-ikev1-policy)# encryption aes-256  
Firewall(config-ikev1-policy)# exit  
Firewall(config)# tunnel-group RemoteVPN type remote-access  
Firewall(config)# tunnel-group RemoteVPN general-attributes  
Firewall(config-tunnel-general)# address-pool VPNPOOL  
Firewall(config-tunnel-general)# exit  
Firewall(config)# tunnel-group RemoteVPN ipsec-attributes  
Firewall(config-tunnel-ipsec)# ikev1 pre-shared-key <long-random-secret>

Three caveats. The pre-shared key is shown as a placeholder: a short, guessable value such as cisco123 is the first thing a brute-force tool tries, so generate a long random secret and distribute it out of band. The hash and Diffie-Hellman group are left at the ASA defaults for this lab; in production pick DH group 14 or higher. Finally, the pool 192.168.1.100-192.168.1.200 lies inside the VLAN 50 subnet that the router's DHCP pool already serves (Step 3), so a VPN client and a wireless client can end up with the same address; the pool is kept here so it matches the rest of the page, but in practice give VPN clients a dedicated subnet that is used on no VLAN, add a route to it on the router via the ASA, and account for it in the Step 5 list. This listing is only the IKE phase 1 and tunnel-group part; a working tunnel additionally needs an IPsec transform set and a dynamic crypto map bound to the outside interface, which are beyond what this page shows.
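The addresses in this guide come from several steps (the router subinterfaces in Step 2, the DHCP pool in Step 3, the static servers in Step 7 and the VPN pool above), and conflicts between them are easy to miss by eye. The following Python script is an added example for this page, not part of the original post; it lints the page's own address plan. The gateway addresses for VLANs 20 to 50 are an assumption that follows the Step 2 pattern; everything else is taken from the page's tables. It reports a static address that collides with a VLAN gateway, a static address that a DHCP pool can still lease because no ip dhcp excluded-address range covers it, and a VPN pool that overlaps a DHCP-served subnet.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed from the page's own tables (Steps 1, 2, 3, 7 and 8). The gateways
# for VLANs 20-50 are an assumption following the Step 2 pattern (first host
# address of each subnet).
VLANS: Dict[int, str] = {10: "10.0.0.0/24", 20: "20.0.0.0/24", 30: "30.0.0.0/24",
                         40: "40.0.0.0/24", 50: "192.168.1.0/24"}
GATEWAYS: Dict[int, str] = {10: "10.0.0.1", 20: "20.0.0.1", 30: "30.0.0.1",
                            40: "40.0.0.1", 50: "192.168.1.1"}
STATIC_HOSTS: Dict[str, str] = {"DNS server": "20.0.0.1", "DHCP server": "20.0.0.2",
                                "Email server": "20.0.0.3", "FTP server": "20.0.0.5",
                                "Wireless router": "192.168.1.2"}
DHCP_POOLS: Dict[int, str] = {50: "192.168.1.0/24"}        # router pool VLAN50, Step 3
VPN_POOL: Tuple[str, str] = ("192.168.1.100", "192.168.1.200")  # ip local pool VPNPOOL

Range = Tuple[str, str]   # (low, high) inclusive, like ip dhcp excluded-address


def _in_range(ip: str, low: str, high: str) -> bool:
    value = int(ipaddress.ip_address(ip))
    return int(ipaddress.ip_address(low)) <= value <= int(ipaddress.ip_address(high))


def vlan_of(ip: str) -> Optional[int]:
    """VLAN whose subnet contains ip, or None if it is outside every VLAN."""
    addr = ipaddress.ip_address(ip)
    for vlan, net in VLANS.items():
        if addr in ipaddress.ip_network(net):
            return vlan
    return None


def leasable(vlan: int, ip: str, excluded: List[Range]) -> bool:
    """True if the router's DHCP pool for this VLAN could hand out ip."""
    if vlan not in DHCP_POOLS:
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(DHCP_POOLS[vlan]):
        return False
    return not any(_in_range(ip, low, high) for low, high in excluded)


def find_conflicts(excluded: List[Range]) -> List[str]:
    """Lint the address plan against the configured excluded-address ranges."""
    problems: List[str] = []
    for name, ip in STATIC_HOSTS.items():
        vlan = vlan_of(ip)
        if vlan is None:
            problems.append(f"{name} {ip} is outside every VLAN subnet")
        elif GATEWAYS[vlan] == ip:
            problems.append(f"{name} {ip} collides with the VLAN {vlan} gateway")
        elif leasable(vlan, ip, excluded):
            problems.append(f"{name} {ip} can be leased by the VLAN {vlan} pool; "
                            f"add ip dhcp excluded-address {ip}")
    low, high = VPN_POOL
    for vlan, net in DHCP_POOLS.items():
        network = ipaddress.ip_network(net)
        if ipaddress.ip_address(low) in network or ipaddress.ip_address(high) in network:
            problems.append(f"VPN pool {low}-{high} overlaps DHCP-served VLAN {vlan} ({net}); "
                            "give VPN clients a subnet that is used on no VLAN")
    return problems


if __name__ == "__main__":
    # Once with no exclusions, once with the gateway and wireless router excluded.
    for label, excluded in (("no exclusions", []),
                            ("192.168.1.1-192.168.1.2 excluded", [("192.168.1.1", "192.168.1.2")])):
        print(f"== {label} ==")
        for problem in find_conflicts(excluded):
            print("CONFLICT:", problem)
```

With no exclusions the script reports three conflicts: the DNS server on the VLAN 20 gateway address, the wireless router inside the VLAN 50 pool, and the VPN pool inside VLAN 50. Excluding the gateway and wireless router removes the second; the other two need an address change. Re-run it whenever a step changes an address.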

Step 9: Testing and Verification

  1. Inter-VLAN traffic: from a host in each of the IT, HR and Finance VLANs, ping a server in VLAN 20 and confirm it fails; repeat from an Administration host and confirm it succeeds. The hit counters on access-list 100 should increase on the matching lines. Also confirm that hosts in different user VLANs can still reach each other and the internet, since the list only restricts traffic toward VLAN 20.

  2. NAT configuration: browse or ping an outside address from each user VLAN and confirm the router's translation table shows the inside address mapped to 203.1.1.1. A VLAN 20 server should obtain no translation, because it is not in access-list 1.

  3. VPN access: connect a remote client through the ASA and verify it reaches VLAN 20 while an IT VLAN host still cannot. VPN clients pass the Step 5 list through its final permit ip any any, so a dedicated VPN subnet needs no extra entry; the list cannot tell a VPN client from any other unlisted source, so the VPN itself is the only thing authenticating those users.


Step 10: Maintenance and Monitoring

  • SNMP and Syslog: send device logs to a central collector and poll with SNMPv3 (authPriv) rather than community strings, so that monitoring traffic is not itself a clear-text credential on the network.

  • Firmware updates: keep the router, switch, ASA and wireless router images current.

  • Security audits: periodically review the ACLs, the DHCP exclusions and the VPN pool against the address plan, and scan the server VLAN for services that should not be exposed.

By following this comprehensive guide, you can build a secure, efficient network with proper access control, dynamic addressing, and secure server communication.
