A bug in Packet Tracer makes it impossible to score points for "username HQadmin password ciscoclass". The highest score is therefore 69/70.

Cnt-Sw

Cnt-Sw(config)# ip domain-name cisco.com
Cnt-Sw(config)# username HQadmin password ciscoclass
Cnt-Sw(config)# username HQadmin privilege 15 (not needed)
Cnt-Sw(config)# crypto key generate rsa
Cnt-Sw(config)# ip ssh version 2
Cnt-Sw(config)# ip ssh authentication-retries 2
Cnt-Sw(config)# ip ssh time-out 60
Cnt-Sw(config)# service password-encryption
Cnt-Sw(config)# line vty 0 15
Cnt-Sw(config-line)# transport input ssh
Cnt-Sw(config-line)# login local
Cnt-Sw(config)# vlan 15
Cnt-Sw(config-vlan)# name Servers
Cnt-Sw(config-vlan)# vlan 30
Cnt-Sw(config-vlan)# name PCs
Cnt-Sw(config-vlan)# vlan 45
Cnt-Sw(config-vlan)# name Native
Cnt-Sw(config-vlan)# vlan 60
Cnt-Sw(config-vlan)# name Management
Cnt-Sw(config)# ip default-gateway 172.16.15.9
Cnt-Sw(config)# int vlan 60
Cnt-Sw(config-if)# ip addr 172.16.15.10 255.255.255.248
Cnt-Sw(config)# int r f0/11-20
Cnt-Sw(config-if-range)# switchport access vlan 15
Cnt-Sw(config)# int r f0/1-10
Cnt-Sw(config-if-range)# switchport mode access
Cnt-Sw(config-if-range)# switchport access vlan 30
Cnt-Sw(config)#int g0/1
Cnt-Sw(config-if)#switchport mode trunk
Cnt-Sw(config-if)#switchport trunk allowed vlan 15,30,45,60 (not needed)
Cnt-Sw(config-if)#switchport trunk native vlan 45
Cnt-Sw(config-if)#int f0/1
Cnt-Sw(config-if)#switchport port-security
Cnt-Sw(config-if)#switchport port-security maximum 2
Cnt-Sw(config-if)#switchport port-security mac-address sticky
Cnt-Sw(config-if)#switchport port-security violation restrict
Cnt-Sw(config)# int r f0/21-24, g0/2
Cnt-Sw(config-if-range)#shutdown

Central

Central(config)# int g0/0.15
Central(config-subif)# encapsulation dot1Q 15
Central(config-subif)# ip addr 172.16.15.17 255.255.255.240
Central(config)# int g0/0.30
Central(config-subif)# encapsulation dot1Q 30
Central(config-subif)# ip address 172.16.15.33 255.255.255.224
Central(config)#int g0/0.45
Central(config-subif)# encapsulation dot1Q 45
Central(config-subif)# encapsulation dot1Q 45 native
Central(config-subif)# ip addr 172.16.15.1 255.255.255.248
Central(config)# int g0/0.60
Central(config-subif)# encapsulation dot1Q 60
Central(config-subif)# ip addr 172.16.15.9 255.255.255.248
Central(config)# int g0/0
Central(config-if)# no sh
Central(config)# ip dhcp pool LAN
Central(dhcp-config)# default-router 172.16.15.33
Central(dhcp-config)# network 172.16.15.32 255.255.255.224
Central(config)# ip route 0.0.0.0 0.0.0.0 s0/1/0
Central(config)# router ospf 1
Central(config-router)# router-id 1.1.1.1
Central(config-router)# network 172.16.15.0 0.0.0.255 area 0
Central(config-router)# passive-interface s0/1/0
Central(config-router)# passive-interface GigabitEthernet0/0
Central(config)# access-list 1 permit 172.16.15.0 0.0.0.255
Central(config)# ip nat pool GLENN 209.165.200.225 209.165.200.226 netmask 255.255.255.252
Central(config)# ip nat inside source static 172.16.15.18 209.165.200.227
Central(config)# int r g0/0.15, g0/0.30, g0/0.45, g0/0.60
Central(config-if-range)#ip nat inside
Central(config)# int s0/0/0
Central(config-if)# ip nat inside
Central(config)# int s0/0/1
Central(config-if)# ip nat inside
Central(config)# int s0/1/0
Central(config-if)# ip nat outside

NetAdmin

Enable DHCP

PC> ssh -l HQadmin 172.16.15.10
PC> ping 64.100.150.10

NA-West

PC> ssh -l HQadmin 172.16.15.10
PC> ping 64.100.150.10

NA-East

PC> ssh -l HQadmin 172.16.15.10
PC> ping 64.100.150.10

Outside Host

PC> ping 209.165.200.227
#  CCNA2