
LAB 7 TOPOLOGY & QUESTIONS

Candidates who are planning for the exam and need updates, or wish to work on Lab 8, can contact me. Also, if any errors are detected in the following solution, or if you have any other views regarding it, kindly notify me.

I will be highly obliged if you discuss it with me.

SECTION 1: PERIMETER SECURITY


1.1 ASA3 Multiple Security Zones Implementation
Configure ASA3 for multiple security zones using the information in these tables.

Interface      Nameif    Security   IP Address
Ethernet 0/0   Outside   0          17.17.4.10/24
Ethernet 0/2   Inside    100        7.7.2.10/24
Ethernet 0/3   Dmz       50         17.17.3.10/24

Configure static routes on ASA3:

NETWORK          ZONE      NEXT HOP
7.7.16.6/32      Outside   17.17.4.12
17.17.5.0/24     Outside   17.17.4.12
17.17.13.0/24    Outside   17.17.4.12
17.17.12.0/24    Outside   17.17.4.12
17.17.14.0/24    Outside   17.17.4.12
17.17.8.0/24     Outside   17.17.4.12
150.1.7.1/32     Inside    7.7.2.1
150.1.7.20/32    Inside    7.7.2.1
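As an added example (not part of the original lab document or its solution), the ASA3 configuration that the two tables above describe, written in ASA CLI. Interface names, zones, security levels, addresses and routes come from the tables; the `no shutdown` lines are an assumption, since the tables say nothing about interface state.

```cisco
! ASA3: three security zones (added example, built from the tables above)
! Traffic from a higher security level to a lower one is allowed by default;
! lower-to-higher (outside -> dmz, outside -> inside) needs an explicit ACL.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 17.17.4.10 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 7.7.2.10 255.255.255.0
 no shutdown
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 17.17.3.10 255.255.255.0
 no shutdown
!
! Static routes: "route <nameif> <network> <mask> <next hop>"
route outside 7.7.16.6 255.255.255.255 17.17.4.12
route outside 17.17.5.0 255.255.255.0 17.17.4.12
route outside 17.17.13.0 255.255.255.0 17.17.4.12
route outside 17.17.12.0 255.255.255.0 17.17.4.12
route outside 17.17.14.0 255.255.255.0 17.17.4.12
route outside 17.17.8.0 255.255.255.0 17.17.4.12
route inside 150.1.7.1 255.255.255.255 7.7.2.1
route inside 150.1.7.20 255.255.255.255 7.7.2.1
!
! Verification (read-only):
!   show interface ip brief        - every interface "up up" with the table address
!   show nameif                    - nameif and security level per interface
!   show route                     - the eight static routes, each with a next hop on a
!                                    directly connected subnet of the named zone
```

A check worth doing before moving on: each next hop must lie inside the connected subnet of the interface named in the route (17.17.4.12 is in 17.17.4.0/24 on outside, 7.7.2.1 in 7.7.2.0/24 on inside); the ASA rejects a static route whose gateway is not reachable through that interface.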

1.2 ASA1-ASA2 MULTIPLE CONTEXT ACTIVE-ACTIVE FAILOVER IMPLEMENTATION

Configure ASA1-ASA2 in multiple context mode for active-active failover using the information in these tables.

Contexts:

Context name   Interface                                 Config-url
Admin          Management 0/0                            Admin.cfg
C1             GigabitEthernet0/0, GigabitEthernet0/2    C1.cfg
C2             GigabitEthernet0/1, GigabitEthernet0/3    C2.cfg

C1 Interfaces:

Interface            Nameif    Security Level   Primary IP address   Standby IP address
GigabitEthernet0/0   Outside   0                17.17.5.10/24        17.17.5.11/24
GigabitEthernet0/2   Inside    100              17.17.4.12/24        17.17.4.11/24

Static routes:

Network          Zone      Next Hop
4.4.4.4/32       Inside    17.17.4.10
5.5.5.5/32       Inside    17.17.4.10
7.7.16.6/32      Outside   17.17.5.2
17.17.12.0/24    Outside   17.17.5.6
17.17.13.0/24    Outside   17.17.5.6
17.17.14.0/24    Outside   17.17.5.2
17.17.8.0/24     Outside   17.17.5.6

C2 Interfaces:

Interface            Nameif    Security Level   Active IP address   Standby IP address
GigabitEthernet0/1   Outside   0                17.17.6.10/24       17.17.6.11/24
GigabitEthernet0/3   Inside    100              17.17.3.12/24       17.17.3.11/24

ASA1_ASA2 failover:

Interface for failover & stateful communication:

Name    Interface            Active IP address   Standby IP address
Fover   GigabitEthernet0/4   17.17.12.100/24     17.17.12.101/24

ASAs   Role      Active   Standby
ASA1   Primary   C1       C2
ASA2   Standby   C2       C1
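An added example (not the lab's own solution) of the ASA CLI that realises the tables above: the system execution space on ASA1, the bootstrap on ASA2, and the interface configuration of context C1. The static-route table is applied inside C1 because its next hops sit on C1's outside (17.17.5.0/24) and inside (17.17.4.0/24) subnets; that placement, the `disk0:/` path for the config-url files and the `no shutdown` lines are assumptions, as the page does not state them.

```cisco
! ASA1 (primary unit), system execution space
mode multiple
!
! Physical ports are enabled in the system space; contexts only see what is allocated to them
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/4
 no shutdown
interface Management0/0
 no shutdown
!
! One link (Fover on Gi0/4) carries both failover control and stateful replication
failover lan unit primary
failover lan interface Fover GigabitEthernet0/4
failover link Fover GigabitEthernet0/4
failover interface ip Fover 17.17.12.100 255.255.255.0 standby 17.17.12.101
!
! Active/active = two failover groups; each unit is active for one of them
failover group 1
 primary
failover group 2
 secondary
!
admin-context Admin
context Admin
 allocate-interface Management0/0
 config-url disk0:/Admin.cfg
context C1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2
 config-url disk0:/C1.cfg
 join-failover-group 1
context C2
 allocate-interface GigabitEthernet0/1
 allocate-interface GigabitEthernet0/3
 config-url disk0:/C2.cfg
 join-failover-group 2
!
failover
!
! ---- changeto context C1 ----
! The standby address is what the peer unit holds while it is standby for this group
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 17.17.5.10 255.255.255.0 standby 17.17.5.11
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 17.17.4.12 255.255.255.0 standby 17.17.4.11
route inside 4.4.4.4 255.255.255.255 17.17.4.10
route inside 5.5.5.5 255.255.255.255 17.17.4.10
route outside 7.7.16.6 255.255.255.255 17.17.5.2
route outside 17.17.12.0 255.255.255.0 17.17.5.6
route outside 17.17.13.0 255.255.255.0 17.17.5.6
route outside 17.17.14.0 255.255.255.0 17.17.5.2
route outside 17.17.8.0 255.255.255.0 17.17.5.6
!
! ---- changeto context C2 ----
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 17.17.6.10 255.255.255.0 standby 17.17.6.11
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 17.17.3.12 255.255.255.0 standby 17.17.3.11
!
! ASA2 (secondary unit): only the failover bootstrap is typed; contexts and their
! configurations are replicated from ASA1 once the failover link comes up
mode multiple
interface GigabitEthernet0/4
 no shutdown
failover lan unit secondary
failover lan interface Fover GigabitEthernet0/4
failover link Fover GigabitEthernet0/4
failover interface ip Fover 17.17.12.100 255.255.255.0 standby 17.17.12.101
failover
!
! Verify from the system space: "show failover" should report group 1 Active on ASA1
! and group 2 Active on ASA2, with the peer Standby Ready for each group.
```

The failover bootstrap (unit role, link name, link addresses) must match on both units before `failover` is enabled; anything typed in a context before replication completes is overwritten by the primary's copy, so the context work is done on ASA1 only.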

1.3 ASA3 NAT Implementation

Configure ASA3 for Network Object NAT rules using the information in these tables.

Inside address   Outside address
150.1.7.1        4.4.4.4
150.1.7.20       5.5.5.5

Inside address   DMZ address
7.7.2.2          7.7.2.2
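An added example (not the lab's solution) of the two tables as ASA network object NAT, in ASA CLI: two static one-to-one translations toward outside and an identity translation of 7.7.2.2 toward the DMZ. The object names are assumptions.

```cisco
! ASA3: network object NAT from the tables above (added example)
! 150.1.7.1 appears as 4.4.4.4 and 150.1.7.20 as 5.5.5.5 when seen from outside;
! static NAT is bidirectional, so outside hosts can also reach the mapped addresses.
object network HOST-150.1.7.1
 host 150.1.7.1
 nat (inside,outside) static 4.4.4.4
!
object network HOST-150.1.7.20
 host 150.1.7.20
 nat (inside,outside) static 5.5.5.5
!
! Identity NAT: 7.7.2.2 keeps its own address toward the DMZ. Its real purpose is to
! make the translation explicit so no other NAT rule can rewrite that host toward dmz.
object network HOST-7.7.2.2
 host 7.7.2.2
 nat (inside,dmz) static 7.7.2.2
!
! A translation alone does not admit traffic from a lower security interface; inbound
! outside -> inside flows still need an ACL, written against the REAL (untranslated)
! address on ASA 8.3 and later, e.g. (assumed ports/protocol):
!   access-list OUTSIDE_IN extended permit tcp any host 150.1.7.1 eq www
!   access-group OUTSIDE_IN in interface outside
!
! Verification (read-only):
!   show nat detail
!   show xlate
!   packet-tracer input outside tcp 17.17.4.12 12345 4.4.4.4 80
!   (the NAT phase should show 4.4.4.4 untranslated to 150.1.7.1)
```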

1.4 ASA4 Routed Mode Implementation

Configure ASA4 using the information in these tables.

Interface      Nameif    IP address
Ethernet 0/0   Outside   17.17.13.10/24
Ethernet 0/1   Backup    17.17.14.10/24
Ethernet 0/2   Inside    17.17.15.10/24

Configure static routes on ASA4:

Network       Zone      Next hop
4.4.4.4/32    Outside   17.17.13.3
5.5.5.5/32    Outside   17.17.13.3
7.7.16.6/32   Inside    17.17.15.6

1.5 ASA4 Routing implementation


Configure ASA4 for EIGRP peering with SW6 on inside in AS17 and with SW3 on outside in OSPF area 0.
Your routing implementation on both inside & outside of ASA4 should be secured using MD5.
NOTE: - You may use any key string to implement this task.

1.6 ASA4 Route Tracking Implementation

Task: Configure route tracking as follows.

Track the reachability of the 17.17.5.6/32 prefix every 5 seconds from the outside interface; if it is not reachable, the ASA should install the routes to the 4.4.4.4/32 and 5.5.5.5/32 prefixes through the backup interface.
If reachability to the 17.17.5.6/24 prefix is re-established, the ASA should fall back to the outside interface for the 4.4.4.4/32 and 5.5.5.5/32 prefixes.
The tracking operation should wait 1000 ms to receive a response to the request packets.
Every reachability test should include 2 packets.
Reachability testing should last forever and start as soon as it is configured.
Any service level agreement used for this task should be numbered 17.
Any track object used for this task should be numbered 71.
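An added example (not the lab's solution) showing how tasks 1.5 and 1.6 fit together on ASA4 in ASA CLI, assuming the interfaces and addresses from 1.4 are already in place. The key ID 17 and key string Ccie are chosen here to match what task 4.1 later requires for the OSPF domain; the EIGRP key string (the task allows any), the OSPF process ID and the backup-interface next hop are not given on the page and are placeholders.

```cisco
! ASA4, task 1.5: EIGRP AS 17 toward SW6 on inside, MD5 authenticated
router eigrp 17
 network 17.17.15.0 255.255.255.0
interface Ethernet0/2
 authentication mode eigrp 17 md5
 authentication key eigrp 17 Ccie key-id 17
!
! ASA4, task 1.5: OSPF area 0 toward SW3 on outside, MD5 authenticated
! (area-level "authentication message-digest" plus a per-interface key)
router ospf 1
 network 17.17.13.0 255.255.255.0 area 0
 area 0 authentication message-digest
interface Ethernet0/0
 ospf authentication message-digest
 ospf message-digest-key 17 md5 Ccie
!
! ASA4, task 1.6: IP SLA 17 probes 17.17.5.6 from outside every 5 s, two ICMP echoes
! per test, 1000 ms response timeout, scheduled forever starting now
sla monitor 17
 type echo protocol ipIcmpEcho 17.17.5.6 interface outside
 num-packets 2
 frequency 5
 timeout 1000
sla monitor schedule 17 life forever start-time now
!
! Track object 71 follows the SLA's reachability state
track 71 rtr 17 reachability
!
! Primary routes via outside are tied to track 71: they are withdrawn when the probe
! fails and reinstalled when it succeeds again (the fallback the task asks for)
route outside 4.4.4.4 255.255.255.255 17.17.13.3 1 track 71
route outside 5.5.5.5 255.255.255.255 17.17.13.3 1 track 71
!
! Floating static routes via backup (AD 254) only take effect while the tracked
! routes are absent. Next hop on 17.17.14.0/24 is not stated on the page: placeholder.
route backup 4.4.4.4 255.255.255.255 <BACKUP-NEXT-HOP> 254
route backup 5.5.5.5 255.255.255.255 <BACKUP-NEXT-HOP> 254
!
! Verification (read-only):
!   show eigrp neighbors / show ospf neighbor   - adjacencies up with MD5 on both sides
!   show sla monitor operational-state 17       - Latest operation return code: OK
!   show track 71                               - Reachability is Up, tracking 1 change
!   show route | include 4.4.4.4                - via 17.17.13.3 (outside) while up
```

The probe runs over the outside interface and is sourced from it, so a failure of the outside path itself, not only of the host 17.17.5.6, also flips the track; the floating routes are what keep 4.4.4.4 and 5.5.5.5 reachable through backup in either case.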

1.7 ASA-SW1 NTP Implementation

Task:
Implement NTP as follows.
Configure SW1 to sync with the NTP server at 150.1.7.254.
SW1 should source NTP packets from SVI 150.
Configure ASA4 to sync with the NTP server at 4.4.4.4.
The NTP server at 4.4.4.4 should deny all sync requests except those from 150.1.7.254 and ASA4; the ASA4 sync request may originate either from the outside or from the backup interface.
Note: Any access list deployed for this task should be host/protocol/port specific.

SECTION 2: IPS AND CONTENT SECURITY

2.1 IPS Initialization
Task: Initialize the IPS using the information in this table.

Parameter                 Value
Hostname                  IPS
IP address                7.7.2.100/24
Next Hop                  7.7.2.1
Telnet                    Enabled
Secure Web (SSL)          Enabled
Allowed Hosts: Network    150.1.7.0/24, 7.7.2.0/24

2.2 Inline VLAN Pair Mode Implementation

Task:
Configure the IPS for an inline VLAN pair using the information in this table.

Parameter                       Value
Associated Physical Interface   GigabitEthernet0/3
Associated Subinterface         1
VLAN pair                       5,7
Associated Virtual Sensor       VSIV

2.3 Connectivity Troubleshooting (1 break)

Task: From ASA4, host 4.4.4.4 is not reachable. Fix the issue and verify the connectivity.

2.4 Inline Bypass Implementation

Task:
Configure the IPS so that it interrupts inline traffic if the analysis engine stops processing packets.

2.5 Custom Signature Implementation

Task: Configure custom signatures for ICMP echo request packets using the information in these tables.

Parameter                Value
Signature ID             60001
Alert Severity           High
Signature Name           ICMP_Outside
Destination IP Address   4.4.4.4
Source IP Address        17.17.13.10

Parameter                Value
Signature ID             60002
Alert Severity           Low
Signature Name           ICMP_Backup
Destination IP Address   4.4.4.4
Source IP Address        17.17.14.10

2.6 WSA Initialization and Transparent Redirection Implementation

Task: Initialize the WSA using the information in this table.

Parameter                    Value
IP Address                   7.7.2.101
Default Gateway              7.7.2.1
HTTP port                    8080
HTTPS port                   8443
HTTP to HTTPS redirection    Enabled
Hostname                     wsa.ccie.com

Note: You may find the WSA preconfigured with incorrect parameters that you need to change as part of initialization.

Task:
Configure the WSA for transparent redirection using the information in this table.

Parameter           Value
WCCP router         7.7.2.1/24
Service password    Ccie
Service ID          91
HTTP service port   17000

Note:

SW1 should be allowed to accept a WCCP client connection from the WSA at 7.7.2.101.
The redirection should happen only for the session from the test PC to the HTTP server 7.7.2.2 at port 17000.
HTTP server 7.7.2.2 access credentials: username cisco, password ccie.

2.7 WSA Initialization and Transparent Redirection Implementation

Task:
Configure the WSA to block any exec-level commands on R2 when accessed from the test PC using http://7.7.130.2:17000 and the credentials username: cisco, password: ccie. The blocking should work when the session uses a Firefox browser of any version over HTTP and originates from the test PC.
Use the following information to implement this task:

The URL category should be named BAD URL.
The identity definition should be named Test-PC.
The access policy should be named CCIE.

Note:
On SW1, you need to build on Q2.6 to allow redirection from any source to destination 7.7.130.2 for the HTTP session on port 17000.
HTTP server 7.7.130.2 access credentials: username: cisco, password: ccie.

SECTION III: SECURE ACCESS

3.1 GET VPN Troubleshooting (4 Breaks)
It has been reported that the finance VPN sites are unable to register with the key server at R2. Troubleshoot and fix the issues so that all the finance sites on R1, R4 and R5 are able to register with the key server and the finance VPN sites are able to encrypt traffic for the 10.x.x.x/24 networks among them.
It has been reported that the support sites are unable to encrypt traffic for the 10.x.x.x/24 network. Troubleshoot and fix the issue so that encryption occurs whenever traffic is sent to the 10.x.x.x/24 network from within the support VPN sites.
Note: It is not allowed to remove any configuration to fix the issues.
Points: 5
Breaks:
On R2, the access-list is wrong for Support.
On R2, no ip domain name & crypto key.
On R1, wrong client registration interface for the finance group.
On R4 or R5, wrong IP for the key.

3.2 LAN-to-LAN IKEv2 Troubleshooting (6 Breaks)

It has been reported that the LAN-to-LAN VPN using IKEv2 between R6 and ASA3 is down.
Fix the issues so that the tunnel comes up and is able to encrypt interesting traffic between host 192.168.6.6 and server 7.7.130.2.
Note: It is not allowed to remove any configuration to fix the issues.
It is allowed to add any missing configuration to fix the issues.
Points: 5

3.3 WLC Initialization and Configuration

Task: Initialize the WLC using the information in this table.

Parameter                      Value
Management Username/password   cisco/Cisco0123
Management interface           7.7.2.102
Management VLAN                2
Default Gateway                7.7.2.1

After successful initialization, perform the following tasks.

Configure SW6 as a DHCP server so that the AP is able to obtain an IP address via DHCP from SW6 and join the WLC.
Configure the WLC to push to the AP the login credentials: username cisco, password Ccie123, enable password Ccie123.
Configure the WLC to push to the AP the hostname CCIE _lab.
Configure the WLC to push to the AP the static IP address 7.7.2.7/24.
Configure the following WLANs on the WLC:
ID: 1, Profile Name: Cisco
ID: 2, Profile Name: ccie
Both WLANs should use the same SSID: cisco, and the security policy [WPA2] [Auth(PSK)].
The PSK should have format and key for both WLANs.

Points: 5
SECTION IV: SYSTEM HARDENING AND AVAILABILITY

4.1 Configure OSPFv2 Authentication
Task:
Secure the OSPF routing domain in the topology using the information in this table.

Parameter             Value
OSPF Areas            0, 2
Authentication Type   Message-Digest
Key ID                17
Authentication key    Ccie

Points: 4
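An added example (not the lab's solution) of the OSPF MD5 configuration the table above calls for, on an IOS router or switch in areas 0 and 2 and on ASA4, which task 1.5 places in area 0. The OSPF process IDs and the IOS interface name are placeholders; the key ID 17 and key Ccie are the table's values.

```cisco
! IOS router or switch with interfaces in areas 0 and 2 (process ID is a placeholder)
router ospf 1
 area 0 authentication message-digest
 area 2 authentication message-digest
!
! Every OSPF interface in an authenticated area needs the key; a single missing
! interface breaks only that adjacency, so check all of them
interface GigabitEthernet0/0
 ip ospf message-digest-key 17 md5 Ccie
!
! ASA4 (area 0 toward SW3): ASA syntax drops the "ip" prefix
router ospf 1
 area 0 authentication message-digest
interface Ethernet0/0
 ospf authentication message-digest
 ospf message-digest-key 17 md5 Ccie
!
! Verification (read-only):
!   show ip ospf interface <intf>      - "Message digest authentication enabled",
!                                        "Youngest key id is 17"
!   show ip ospf neighbor              - neighbours stay FULL after the change
!   debug ip ospf adj                  - a key-ID or key-string mismatch shows as
!                                        "Mismatch Authentication Key" / "type" on hellos
```

Area-level `authentication message-digest` and the interface key are both required; enabling only the area statement makes the router send authenticated hellos with no key and drops every adjacency in that area until the key lines are added.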

4.2 EIGRP Troubleshooting (2 Breaks)

Task:
R6 and SW6 are unable to establish an EIGRP neighbourship. Find the issues and fix them so that R6 and SW6 are able to exchange EIGRP routing updates.
Points: 4

SECTION V: THREAT IDENTIFICATION AND MITIGATION

5.1 HTTP Inspection Configuration on ASA3
Task:
Configure HTTP inspection on ASA3 so that a GET request is matched, and the packet logged, if it is related to any AAA configuration command.
Points: 4

5.2 OSPF Troubleshooting (4 Breaks)

The OSPF neighbourship is broken between R4, R5 and SW3 in area 1. Fix the issues so that R4, R5 and SW3 are able to establish an OSPF neighbourship.
Points: 4

5.3 Implementation to Prevent Source Spoofing

Task:
Implement the security feature on R6 so that server 101.6.6.6 can only be accessed by networks present in the routing table of R6, and those networks must be reachable through the same interface on which the packets for 101.6.6.6 are received. You also need to log any packets that R6 denies as a result of this implementation.
Points: 3

SECTION VI: IDENTITY MANAGEMENT

6.1 MAB Authentication and Authorization Using ISE
Task: Configure ISE and SW6 to authenticate and authorize the IP phone using MAB. The implementation should meet the following requirements:

The authentication rule should be named MAB.

The authentication rule should match the RADIUS attributes Service-Type and NAS-Port for wired MAB in the RADIUS request packet.

The authentication rule should check for the IP phone MAC address statically configured on ISE to allow the default network access.

The IP phone should be statically bound to the phone type 7965 policy.

If the rule is not matched, access should be denied.

The authorization rule should be named MAB.

The authorization rule should check for the IP phone MAC address in the identity group Cisco-IP-Phone, which is already created.

Authorization should also check the condition that the MAB request comes from the device group belonging to device type Switch and location Inside. The condition should be named NDG_Conditions.

Upon successfully meeting the identity group condition mentioned above, the IP phone should be moved to the voice domain and download DACL Cisco-IP-Phone DACLA, permitting all traffic. The authorization result having the voice domain permission and DACL should be named Cisco-IPPhone.

If the rule is not matched, access should be denied.

Notes:

ISE should be accessed using address 5.5.5.5 from SW6.

RADIUS packets from SW6 should be sourced from SVI 16.

Authentication and accounting messages should use ports 1812 and 1813 respectively.

Any access-list deployed for ISE communication should be host/protocol/port specific.

Use access-list 101 for the implementation on the ASAs.

The DHCP pool for voice is defined on ... and upon successful MAB authentication and authorization the IP phone will register with CUCME on R6.

Points: 6

6.2 802.1X Authentication and Authorization Using ISE

Configure ISE and SW6 to authenticate and authorize Test-PC using 802.1X. The implementation should meet the following requirements:

The authentication rule should be named "DOT1x".

The authentication rule should match the RADIUS attributes Service-Type and NAS-Port-Type for wired 802.1X in the RADIUS request packet.

The authentication rule should check for the username/password "Test-PC/Ccie123", configured as an internal user, to allow the default network access.

If the rule is not matched, access should be denied.

The authorization rule should be named "DOT1X".

The authorization rule should check for user "Test-PC" in the identity group "Test-PC", which needs to be defined.

Authorization should also check the condition that the 802.1X request comes from the device group belonging to Device Type "Switch" and Location "inside". The condition should be named "NDG_Conditions".

Upon successfully meeting the identity group and device group conditions mentioned above, user Test-PC should be moved to data VLAN 22 and download DACL "Cisco-Test-PC_DACL", permitting only IP traffic from any source to 17.17.20.66 (R6). The authorization result having the VLAN assignment and DACL should be named "Test-PC".

If the rule is not matched, access should be denied.

Notes:

ISE should be accessed using address 5.5.5.5 from SW6.

RADIUS packets from SW6 should be sourced from SVI 16.

Authentication and accounting messages should use ports 1812 and 1813 respectively.

Any access-list deployed for ISE communication should be host/protocol/port specific.

Use access-list 101 for the implementation on the ASAs.

The DHCP pool for DATA is defined on SW6.

Make sure the task does not break the GUI sessions to the IPS, WSA and WLC from the test PC.

You may add any route on the test PC to accomplish this task.

6.3 Web Auth Implementation Using ISE

Configure ISE and SW6 to authenticate and authorize a guest account using local web authentication. The implementation should meet the following requirements:

The authentication rule should be named "Web_Auth".

The authentication rule should match the RADIUS attributes Service-Type and NAS-Port-Type for the web-auth session in the RADIUS Access-Request packet.

The authentication rule should check for the username/password "Guest/CCie123", configured as an internal user, to allow the default network access.

If the rule is not matched, access should be denied.

The authorization rule should be named "Web_Auth".

The authorization rule should check for user "Guest" in the identity group "Guest", which is already created.

Authorization should also check the condition that the web-auth request comes from the device group belonging to Device Type "Switch" and Location "inside". The condition should be named "NDG_Conditions".

Upon successfully meeting the identity group and device group conditions mentioned above, DACL "Guest_DACL" should be downloaded, permitting only ICMP and Telnet traffic from any source to 17.17.20.66 (R6). The authorization profile having the DACL should be named "Guest".

If the rule is not matched, access should be denied.

Notes:

ISE should be accessed using address 5.5.5.5 from SW6.

RADIUS packets from SW6 should be sourced from SVI 16.

Authentication and accounting messages should use ports 1812 and 1813 respectively.

Any access-list deployed for ISE communication should be host/protocol/port specific.

Use access-list 101 for the implementation on the ASAs.

The DHCP pool for DATA is defined on SW6.

You may change the switchport configuration as required to implement the task.

You may add any route on the test PC to accomplish this task.
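Tasks 6.1, 6.2 and 6.3 share the same switch-side plumbing on SW6 (RADIUS toward ISE at 5.5.5.5 on 1812/1813 sourced from SVI 16, a port that runs MAB for the phone, 802.1X for Test-PC and local web-auth fallback for the guest), while the rules, identity groups, NDG conditions, DACLs and authorization profiles named in the tasks are built in the ISE GUI and are not shown. An added example (not the lab's solution) of that switch side in IOS 15 syntax; the RADIUS shared secret, the access port, the voice VLAN ID, the SW6 SVI 16 address used in the ASA ACL and the web-auth names are placeholders or assumptions, as the page does not give them.

```cisco
! SW6: AAA/RADIUS toward ISE (added example; ISE-side policy is configured in the GUI)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! ISE at 5.5.5.5, authentication on 1812, accounting on 1813; secret is a placeholder
radius server ISE
 address ipv4 5.5.5.5 auth-port 1812 acct-port 1813
 key <ISE-SHARED-SECRET>
!
! RADIUS must leave SW6 from SVI 16 so the ASA ACLs can stay host-specific
ip radius source-interface Vlan16
radius-server vsa send authentication
radius-server vsa send accounting
!
dot1x system-auth-control
ip device tracking          ! needed for downloadable ACLs to bind to the client IP
!
! Local web-auth fallback for the guest (task 6.3); names are assumptions
ip http server
ip admission name WEBAUTH proxy http
ip access-list extended PRE_WEBAUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any any eq www
 deny ip any any
fallback profile WEBAUTH
 ip access-group PRE_WEBAUTH in
 ip admission WEBAUTH
!
! Access port shared by the IP phone (MAB, voice domain) and Test-PC (802.1X, data
! domain). multi-domain = exactly one data host and one voice host per port.
! Data VLAN 22 is pushed by ISE in the authorization result, so it is not set here.
interface GigabitEthernet0/1
 switchport mode access
 switchport voice vlan <VOICE-VLAN-ID>
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication fallback WEBAUTH
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
!
! On the ASAs in the path (page: use access-list 101, host/protocol/port specific).
! SW6's SVI 16 address is not given on the page: placeholder.
access-list 101 extended permit udp host <SW6-SVI16-IP> host 5.5.5.5 eq 1812
access-list 101 extended permit udp host <SW6-SVI16-IP> host 5.5.5.5 eq 1813
!
! Verification (read-only):
!   show authentication sessions interface GigabitEthernet0/1 details
!        -> phone: Method mab, Domain VOICE, ACS ACL xACSACLx-IP-...
!        -> PC:    Method dot1x, Domain DATA, Vlan Policy 22
!   show ip access-lists            - the downloaded per-session DACLs appear here
!   test aaa group radius <user> <password> new-code   (checks reachability of ISE)
```

The `authentication order mab dot1x` with `priority dot1x mab` pairing lets the phone (no supplicant) authenticate by MAC first while still allowing Test-PC's 802.1X, once it starts, to take precedence over a MAB result on the same port; the web-auth fallback is only consulted when both MAB and 802.1X fail, which is the guest's path in 6.3.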

For more updates live:rahulk_ashyap
