CCIE Security v5.0 - Configuration - Question - Final Release - 10-03-2018 - Lab 1
Configuration Lab
Lab 1
Real Labs
v5.0
www.passsecuritylabs.com
www.passseclabs.com 1 www.ccieseclabs.com
www.passsecuritylabs.com Final Release LAB 1:10-Mar-2018
1. We strongly discourage sharing of the workbook; hence each workbook is mapped to a laptop/desktop
MAC address. If one tries to open the workbook on a desktop or laptop other than the registered MAC
address, the account will get locked and we will not unlock it for any reason.
2. The workbook does not have print access; kindly do not request that print access be enabled.
3. One will be provided with free updates for up to 90 days from the date of purchase; after that one needs
to renew his/her account to access the latest update. After 90 days the workbooks will cease to open.
4. If one wishes to renew their subscription/account, the renewal must be done within 90 days, before the
account expires. After 90 days one can still renew, but the renewal will be
treated as a new purchase. Hence we encourage one to renew within 90 days of purchase.
5. The renewal cost is 1999 USD if paid within 90 days; if one fails to renew in time, the cost will be
equivalent to a new purchase. (The renewal price can be changed at any time without informing the
client.)
6. Every workbook is uniquely identified for each user with hidden words. If one shares his/her
workbook with others and the system detects the share, the account will be banned and we will not
entertain any explanation of any sort.
8. We require the CSCO ID, CCIE number and official email ID for security purposes. One should have
passed the CCIE written exam and have the CCIE lab booked within 90 days. We do not sell without these
details. We do background verification of the details provided, so please give us the correct CSCO
ID and official email ID.
9. The workbooks are in secured PDF format and delivered via email.
10. A license is provided for only one device, and we do not issue the license again if the device crashes or
company security policies prevent its use. Please install the license on the device cautiously, as the license will not be
provided again.
11. We support devices running Windows OS, Mac OS, Android and iOS only.
12. We do not provide refunds under any circumstances once the product is sold.
13. This policy is in effect from 23 November 2016, with immediate effect for new clients and new
renewals. Old clients will continue under the old policies until their accounts expire.
14. If there is any update, one will receive it automatically at their registered email ID.
15. For any future update you can check our update page at www.passsecuritylabs.com
ASA1_V
Interface Gi0/0:
Address Primary Standby: 20.1.1.1/24 - 20.1.1.2/24
Name: outside
Interface Gi0/1:
Address Primary Standby: 10.1.11.1/24 - 10.1.11.2/24
Name: inside
Failover:
Unit: Primary
Lan-Link interfaces: Gi0/2
Primary Standby: 10.10.11.1/24 - 10.10.11.2/24
Name: FO
EIGRP Routing:
Autonomous System: 12
Network: 10.1.11.0/24
EIGRP Authentication:
Mode: MD5
Key-ID: 1
Password: cisco
ASA11_V
Failover:
Unit: Secondary
Lan-Link Interfaces: Gi0/2
Primary Standby: 10.10.11.1/24 - 10.10.11.2/24
Name: FO
Note:
Make sure that all the interfaces are being monitored for this failover implementation.
ASA2_V
Interface Gi0/0:
Address Primary-Standby: 20.1.2.1/24-20.1.2.2/24
Name: Outside
Interface Gi0/1:
Address Primary-Standby: 10.1.22.1/24-10.1.22.2/24
Name: Inside
Failover:
Unit: Primary
Lan-Link Interface: Gi0/2
Primary-Standby: 10.10.22.1/24-10.10.22.2/24
Name: FO
EIGRP Routing:
Autonomous System: 12
Network: 10.1.22.0/24
EIGRP Authentication:
Mode: MD5
Key-ID: 1
Password: cisco
ASA22_V
Failover:
Unit: Secondary
Lan-Link interface: Gi0/2
Primary-Standby: 10.10.22.1/24- 10.10.22.2/24
Name: FO
Note:
Make sure that all the interfaces are being monitored for this failover implementation.
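The ASA1_V/ASA11_V requirements above, written out as a complete Active/Standby failover configuration. This is an added worked example and not part of the workbook; ASA2_V/ASA22_V follow exactly the same pattern with their own addresses. Security levels, the `no shutdown` on the failover link and the inside interface as the only EIGRP-authenticated interface are assumptions where the page is silent.

```cisco
! ===== ASA1_V (primary unit) =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 20.1.1.1 255.255.255.0 standby 20.1.1.2
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.11.1 255.255.255.0 standby 10.1.11.2
 no shutdown
!
! Gi0/2 carries both the failover (LAN) link and the stateful link.
! It must be up on BOTH units before "failover" is entered.
interface GigabitEthernet0/2
 description failover + state link
 no shutdown
!
failover lan unit primary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2
!
! "All interfaces monitored": physical data interfaces are monitored by default,
! but state it explicitly so a later change cannot silently disable it.
monitor-interface outside
monitor-interface inside
!
failover
!
router eigrp 12
 network 10.1.11.0 255.255.255.0
!
! EIGRP MD5 authentication, key-id 1, password "cisco", on the inside interface
! (the only interface covered by the network statement).
interface GigabitEthernet0/1
 authentication mode eigrp 12 md5
 authentication key eigrp 12 cisco key-id 1
!
! ===== ASA11_V (secondary unit) =====
! Only the failover bootstrap is typed here; everything else (interfaces, EIGRP,
! hostname) is replicated from the primary once "failover" is entered.
interface GigabitEthernet0/2
 no shutdown
failover lan unit secondary
failover lan interface FO GigabitEthernet0/2
failover link FO GigabitEthernet0/2
failover interface ip FO 10.10.11.1 255.255.255.0 standby 10.10.11.2
failover
!
! Verification (either unit):
!   show failover          -> "Primary - Active" / "Secondary - Standby Ready"
!   show monitor-interface -> outside, inside and FO all "Normal (Monitored)"
!   show eigrp neighbors   -> neighbour on inside; a key mismatch shows no neighbour
```

The task gives no `failover key`; without one, configuration sync and state replication (including any VPN keys configured later) cross Gi0/2 in cleartext, so outside the lab set `failover key` or `failover ipsec pre-shared-key` and keep the failover link on a dedicated back-to-back cable or isolated VLAN. Check the EIGRP side with `show eigrp neighbors` rather than `show running-config`: an authentication mismatch does not produce an error, it simply produces no adjacency.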
Task 1.2: Configure ASA1 and ASA2 for the Active-Active Failover
Your Configuration should meet the following requirements:
ASA1-System
Interface Gi0/0.1:
vlan: 2
Interface Gi0/0.2:
vlan: 3
Interface Gi0/1.1:
vlan: 4
Interface Gi0/1.2:
vlan: 5
Interface Gi0/2.1:
vlan: 6
Interface Gi0/2.2:
vlan: 7
Failover:
Unit: Primary
Lan Interface: Gi0/3
Primary-Standby: 10.100.201.1/24-10.100.201.2
Name: LAN
Contexts:
Name: admin
Allocate Interface: Management 0/0
URL:admin.cfg
Name: c1
Allocate Interfaces: GigabitEthernet0/0.1, GigabitEthernet0/1.1, GigabitEthernet0/2.1
Labels Respectively: inside_c1, dmz_c1, outside_c1
Join Failover Group: 1
URL: c1.cfg
Name: c2
Allocate Interfaces: GigabitEthernet0/0.2, GigabitEthernet0/1.2, GigabitEthernet0/2.2
Labels Respectively: inside_c2, dmz_c2, outside_c2
Join Failover Group: 2
URL: c2.cfg
ASA1-Admin
Interface Management0/0:
Address Primary-Standby: 150.1.7.57/24-150.1.7.58
Name: Management
Security Level: 100
ASA1-c1
Interface inside_c1:
Address Primary-Standby: 10.100.2.1/24-10.100.2.2
Name: inside
Interface dmz_c1:
Address Primary-Standby: 10.100.4.1/24-10.100.4.2
Name: dmz
Security Level: 50
Interface outside_c1:
Address Primary-Standby: 10.100.6.1/24-10.100.6.2
Name: outside
Address Translation:
Server5 should be accessible from the outside using the outside interface address.
The network object used for the translation should be named “server5_c1”.
Traffic Filtering:
Server5 should be accessible only from the 192.168.10.0/24 network for HTTP traffic on port 80 and
ICMP Echo messages.
The ACL for the traffic filtering should be named “server5_c1”.
Static Routes:
Server5 network accessible via next hop R7
192.168.10.0/24 network accessible via next hop R9
ASA1-c2
Interface inside_c2:
Address Primary-Standby: 10.100.3.1/24-10.100.3.2
Name: inside
Interface dmz_c2:
Address Primary-Standby: 10.100.5.1/24-10.100.5.2
Name: dmz
Security Level: 50
Interface outside_c2:
Address Primary-Standby: 10.100.7.1/24-10.100.7.2
Name: outside
Address Translation:
Server6 should be accessible from the outside using the outside interface address. The network object used for the
translation should be named “server6_c2”.
Traffic Filtering:
Server6 should be accessible only from the 192.168.11.0/24 network for HTTP on port 80 and ICMP
Echo messages.
The ACL for the traffic filtering should be named “server6_c2”.
The ACL should be network and host specific.
Static Routes:
Server6 network accessible via next hop R8.
192.168.11.0/24 network accessible via next hop R9.
ASA2-system
Failover:
Unit: Secondary
Note:
Make sure that all the interfaces are being monitored for this failover implementation.
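Task 1.2 carried through as one worked example, added here and not part of the workbook. Server5's real address, the interface R7 sits behind and the R7/R9 next-hop addresses are not given on this page, so they appear as labelled placeholders (SERVER5_IP, SERVER5_NET/MASK, R7_IP, R9_IP). Context c2 mirrors c1 with its own addresses and names and is omitted. Both units are assumed to be in multiple context mode already (`mode multiple`, which reloads the ASA).

```cisco
! ===== ASA1, system execution space (primary unit) =====
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.1
 vlan 2
interface GigabitEthernet0/0.2
 vlan 3
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.1
 vlan 4
interface GigabitEthernet0/1.2
 vlan 5
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/2.1
 vlan 6
interface GigabitEthernet0/2.2
 vlan 7
interface GigabitEthernet0/3
 no shutdown
interface Management0/0
 no shutdown
!
failover lan unit primary
failover lan interface LAN GigabitEthernet0/3
failover link LAN GigabitEthernet0/3
failover interface ip LAN 10.100.201.1 255.255.255.0 standby 10.100.201.2
! Active/Active = two failover groups: group 1 active on the primary, group 2 on the secondary
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context c1
 allocate-interface GigabitEthernet0/0.1 inside_c1
 allocate-interface GigabitEthernet0/1.1 dmz_c1
 allocate-interface GigabitEthernet0/2.1 outside_c1
 config-url disk0:/c1.cfg
 join-failover-group 1
context c2
 allocate-interface GigabitEthernet0/0.2 inside_c2
 allocate-interface GigabitEthernet0/1.2 dmz_c2
 allocate-interface GigabitEthernet0/2.2 outside_c2
 config-url disk0:/c2.cfg
 join-failover-group 2
failover
!
! ===== ASA2, system execution space (secondary): same interface/vlan lines, then =====
failover lan unit secondary
failover lan interface LAN GigabitEthernet0/3
failover link LAN GigabitEthernet0/3
failover interface ip LAN 10.100.201.1 255.255.255.0 standby 10.100.201.2
failover
!
! ===== ASA1, context c1 ("changeto context c1") =====
interface inside_c1
 nameif inside
 security-level 100
 ip address 10.100.2.1 255.255.255.0 standby 10.100.2.2
interface dmz_c1
 nameif dmz
 security-level 50
 ip address 10.100.4.1 255.255.255.0 standby 10.100.4.2
interface outside_c1
 nameif outside
 security-level 0
 ip address 10.100.6.1 255.255.255.0 standby 10.100.6.2
! Subinterfaces are NOT monitored by default, and monitoring is per context in multiple mode
monitor-interface inside
monitor-interface dmz
monitor-interface outside
!
! Object NAT publishing Server5 on the outside interface address. The ASA accepts
! "static interface" only together with a port translation, hence "service tcp www www".
! SERVER5_IP and the dmz placement are placeholders (not given on this page).
object network server5_c1
 host SERVER5_IP
 nat (dmz,outside) static interface service tcp www www
!
! Post-8.3 ACLs match the real address, so reference the object, not the mapped IP
access-list server5_c1 extended permit tcp 192.168.10.0 255.255.255.0 object server5_c1 eq www
access-list server5_c1 extended permit icmp 192.168.10.0 255.255.255.0 object server5_c1 echo
access-group server5_c1 in interface outside
!
! Static routes; SERVER5_NET/MASK, R7_IP and R9_IP are placeholders
route dmz SERVER5_NET SERVER5_MASK R7_IP
route outside 192.168.10.0 255.255.255.0 R9_IP
```

Verify with `show failover` in the system space (group 1 active on ASA1, group 2 active on ASA2), `show nat detail` in c1, and `packet-tracer input outside tcp 192.168.10.10 1025 10.100.6.1 80` to walk an outside-originated flow through NAT and the ACL. One caveat on the ICMP line: with the interface address as the mapped address only TCP/80 is forwarded to Server5, so an echo request to 10.100.6.1 is answered by the ASA itself. If the grader expects the ping to reach Server5, map a spare outside address instead (`nat (dmz,outside) static MAPPED_IP`, keeping the object name) and the ICMP rule becomes meaningful. The same ACL names are required again in c2 because objects and ACLs are scoped per context.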
ASA3-System
Interface Mode:
Spanned
Interface: Port-channel1:
Subinterface: 1.8
Under: vlan 8
Subinterface: 1.9
Under: vlan 9
Subinterface:1.10
Under: vlan 10
Interface: Gi0/0
Member of Channel-group: 1
Interface: Gi0/1
Member of Channel-group: 1
ASA3-admin
Management Interface:
Name: mgmt
Address: 150.1.7.59/24
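The ASA3 system-space requirements above as a spanned EtherChannel cluster bootstrap. This is an added example, not workbook content: the cluster name, unit name, cluster control link (CCL) interface, CCL addressing and cluster key are not given on this page and appear as CAPITALISED placeholders.

```cisco
! ===== ASA3, system execution space: spanned-EtherChannel cluster =====
! Run on each unit before the cluster is formed. "force" applies the mode change
! even if existing interface config is incompatible (it is cleared).
cluster interface-mode spanned force
!
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
!
! Port-channel1 is one spanned LACP bundle across all cluster members; the upstream
! switch must terminate it as a single multi-chassis port-channel (VSS/vPC/StackWise).
interface Port-channel1
 no shutdown
interface Port-channel1.8
 vlan 8
interface Port-channel1.9
 vlan 9
interface Port-channel1.10
 vlan 10
!
! Cluster control link: carries state sync and forwarded flows between units.
interface CCL_IF
 no shutdown
cluster group CLUSTER_NAME
 local-unit UNIT_NAME
 cluster-interface CCL_IF ip CCL_IP 255.255.255.0
 priority 1
 key CLUSTER_KEY
 enable
!
! Verification: show cluster info ; show cluster interface-mode ; show port-channel summary
```

Two points a practitioner checks here. The `key` only authenticates cluster control messages; CCL traffic itself is not encrypted, so the CCL must be an isolated, non-routed segment. For the admin context's `mgmt` interface (150.1.7.59/24 above) a spanned cluster uses an individual management interface with a `cluster-pool`, so each unit answers on its own address while the data plane stays spanned.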
Address Translation:
Server3 should be accessible from the inside via 19.16.103.14.
Network objects used for the translation should be named “server3” and “server3_t” for the real and
translated addresses respectively.
Traffic Filtering:
Server3 (192.168.103.14) should be accessible only from security-group name “PC1” for HTTP traffic
on port 80.
Server4 (192.168.104.14) should be accessible only from security-group name “PC2” for HTTP traffic
on port 80.
The ACL for the traffic filtering should be named “server3-4”.
The ACL should be host specific.
Static Routes:
Server3 network accessible via next hop R14
Server4 network accessible via next hop R14
ASA4-System
Rule 2: Allow HTTP traffic at port 8080 from the 172.16.1.0/24 network to “Server1” and “Server2”.
172.16.0.1/24 should be in the external zone.
“Server1” and “Server2” should be in the internal zone.
Enable logging for the rules at the beginning of the connection.
Rule 3: Allow HTTP traffic at port 8080 from the 10.1.22.0/24 network to “Server1” and “Server2”.
10.1.22.1/24 should be in the external zone.
“Server1” and “Server2” should be in the internal zone.
Enable logging for the rules at the beginning of the connection.
Note:
Any information not provided to implement this task can be assumed by the candidate.
Task 2.1: Configure WCCP redirection on R2 for Server1 and Server2 HTTP traffic originated from “client_pc1”.
Note:
This task can only be verified after the successful implementation of task 1.1a, task 1.4 and Task 4.1 (To
be able to perform end-to-end connectivity test)
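A WCCPv2 redirect on R2 for this task, as an added example (not workbook content). The page gives no service group number, WSA address, client_pc1 address, Server1/Server2 addresses or interface names, so all of those are labelled placeholders; the service ID and the 8080 port are defined on the WSA side (Task 2.2) and must match.

```cisco
! ===== R2: redirect client_pc1's HTTP/8080 flows to the WSA =====
! Only the flows named in the task are redirected; everything else is routed normally.
ip access-list extended WCCP_REDIRECT
 permit tcp host CLIENT_PC1_IP host SERVER1_IP eq 8080
 permit tcp host CLIENT_PC1_IP host SERVER2_IP eq 8080
 deny   ip any any
!
! Only this WSA may register as a cache engine for the service group.
ip access-list standard WCCP_CACHES
 permit host WSA_IP
!
! Dynamic service group 90 (must match the service ID configured on the WSA).
! group-list + password: WCCP registration is otherwise unauthenticated, so any host
! that can reach R2 could register itself as "the cache" and receive the traffic.
ip wccp 90 redirect-list WCCP_REDIRECT group-list WCCP_CACHES password WCCP_PASSWORD
!
interface GigabitEthernet0/0
 description towards client_pc1
 ip wccp 90 redirect in
!
interface GigabitEthernet0/1
 description towards WSA
 ip wccp redirect exclude in
!
! Verification: show ip wccp 90 detail ; show ip wccp 90 view ; show ip wccp interfaces
```

`redirect exclude in` on the WSA-facing interface stops the proxy's own outbound requests being redirected back to it. `show ip wccp 90 view` should list WSA_IP as a usable router/cache pair; if it shows "Unusable", the password or service definition (ports, protocol) differs between R2 and the WSA.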
HTTP traffic at port 8080 originated from the 172.16.1.0/24 network and directed to Server1 and Server2
should be allowed if FireFox is used as the browser but dropped if originated from Internet Explorer;
all other traffic should be allowed.
Identification Profile 1:
Name: Monitor Profile
Check for source 172.16.1.0/24
Check for browser Type – Version: FireFox-Any
Identification Profile 2:
Name: Block Profile
Check for source 172.16.1.0/24
Check for browser Type – Version: IE-Any
A URL category named “CCIE Lab Rule” should monitor “server1.cisco.com” and
“server2.cisco.com”.
The corresponding access policies should be named “Monitor Policy” and “Block Policy” respectively and
reference “CCIE Lab Rule”.
Note:
This task can only be verified after the successful implementation of Task1.1a, Task 1.4, Task 2.1 and
Task 4.1 (To be able to perform end-to-end connectivity test)
Task 3.1: Configure Clientless SSL VPN Between ASA2_V and “client_pc2”.
Your configuration should meet the following requirements on ASA2_V:
The webtype ACL implementation should only allow the following URLs:
http://server1.cisco.com:8080
http://server2.cisco.com:8080
The bookmarks for the above servers should appear in the WebVPN portal as “Server1” and “Server2”
respectively.
Notes:
On “client_pc2” a connection stub “ssl_vpn” has been created in FireFox to test the implementation.
The verification of this task depends on the successful implementation of Task 1.1b and Task 1.4.
The VPN session should be in the established state and you should be able to open the sessions to Server1 and
Server2 when you have ended your lab.
The VPN session should terminate on ASA2_V, being the active ASA in the pair.
Make sure that closing the RDP connection to “client_pc2” does not tear down the
established VPN session. The DNS server is at 150.1.7.200.
Any information not provided for this task can be assumed by the candidate.
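Task 3.1 as a worked clientless configuration on ASA2_V, added here and not part of the workbook. The user credentials, the group-policy/tunnel-group/ACL names and the interface that reaches the DNS server are assumptions; everything the task states (the two URLs, the bookmark titles, DNS 150.1.7.200) is used as given.

```cisco
! ===== ASA2_V: clientless SSL VPN restricted to two URLs =====
! The portal resolves server1/server2.cisco.com on behalf of the client, so the ASA
! itself needs DNS. "inside" as the DNS-facing interface is an assumption.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 150.1.7.200
!
! webtype ACL: anything not permitted here is dropped by the implicit deny, so the
! portal user cannot type an arbitrary URL into the address bar and reach it.
access-list WEB_ACL webtype permit url http://server1.cisco.com:8080
access-list WEB_ACL webtype permit url http://server2.cisco.com:8080
!
webvpn
 enable outside
!
group-policy CLIENTLESS_GP internal
group-policy CLIENTLESS_GP attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  filter value WEB_ACL
  url-list value CCIE_BOOKMARKS
!
! Local user for the test; any real deployment would point at AAA instead.
username vpnuser password VPN_PASSWORD
username vpnuser attributes
 vpn-group-policy CLIENTLESS_GP
!
tunnel-group CLIENTLESS_TG type remote-access
tunnel-group CLIENTLESS_TG general-attributes
 default-group-policy CLIENTLESS_GP
tunnel-group CLIENTLESS_TG webvpn-attributes
 group-alias ssl_vpn enable
!
! Verification: show vpn-sessiondb webvpn ; show webvpn url-list (after the import below)
```

The bookmark list `CCIE_BOOKMARKS` is not built from the CLI: create it in ASDM (Clientless SSL VPN Access > Portal > Bookmarks) with titles "Server1" and "Server2" pointing at the two URLs, or write it as a url-list XML file and load it with `import webvpn url-list CCIE_BOOKMARKS tftp://CANDIDATE_PC_IP/bookmarks.xml`. Because `vpn-tunnel-protocol ssl-clientless` is the only protocol allowed, a user in this group policy cannot fall through to a full AnyConnect tunnel. Closing the RDP window on client_pc2 does not affect the session, but the group policy's default `vpn-idle-timeout` of 30 minutes will; raise it if grading happens later than that.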
The VPN session should secure traffic between 192.168.15.0/24 and 192.168.16.0/24 networks.
Note:
Any information not provided for this task can be assumed by the candidate.
Rekeying authentication should use RSA key “cciekey” for both sites.
The implementation should secure traffic for site_a between 192.168.4.0/24 and 192.168.5.0/24
networks.
The implementation should secure traffic for site_b between 192.168.4.0/24 and 192.168.5.0/24
networks.
EIGRP routing process for site_a and site_b should be authenticated using mode MD5 and password
“ccie”
Notes:
Refer to the topology for addressing, VLAN and EIGRP routing information.
Sw1_V is preconfigured for this task.
Any information not provided for this task can be assumed by the candidate.
Loopback1 interfaces on R9,R10 and R11 should be included in the EIGRP routing domain.
Tu34 should secure the traffic between 192.168.10.0/24 and host 10.100.6.1
Tu35 should secure the traffic between 192.168.11.0/24 and host 10.100.7.1
Notes:
The verification of this task depends on the successful implementation of Task 1.2.
Refer to the topology for addressing and EIGRP routing information. Any information not provided for
this task can be assumed by the candidate.
The SXP session between SW2_P and ASA3 should be authenticated using the password “ccie”.
ASA3 should download the CTS environment data from ISE.
Note:
A TFTP server is available on Candidate_PC.
Use the VLAN 8 network for SXP.
SW2 will receive the supplicant authentication/authorization requests.
Any information not provided in this task can be assumed by the candidate.
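The SXP task above together with the ASA3 translation and SGT-based filtering from Task 1.3 (Server3/Server4), as one added example that is not part of the workbook. ISE is at 150.1.7.212 (from the later VPN task); the VLAN 8 addresses of ASA3 and SW2_P, the PAC file and its password, the RADIUS secret, R14's address and the ASA3 data interface names (`inside`/`outside`) are not on the page and are placeholders.

```cisco
! ===== ASA3 (admin context): CTS environment data, SXP listener, SGT-aware ACL =====
aaa-server ISE protocol radius
aaa-server ISE (mgmt) host 150.1.7.212
 key ISE_RADIUS_SECRET
cts server-group ISE
!
! The PAC is generated on ISE for the ASA's network-device entry and copied via the
! TFTP server on Candidate_PC; the password is the one set when the PAC was generated.
cts import-pac tftp://CANDIDATE_PC_IP/asa3.pac password PAC_PASSWORD
cts refresh environment-data
!
! SXP over the VLAN 8 network: ASA3 listens, SW2_P speaks its IP-to-SGT bindings.
cts sxp enable
cts sxp default password ccie
cts sxp default source-ip ASA3_VLAN8_IP
cts sxp connection peer SW2P_VLAN8_IP password default mode local listener
!
! Translation exactly as the task words it: real 192.168.103.14, translated 19.16.103.14.
object network server3_t
 host 19.16.103.14
object network server3
 host 192.168.103.14
 nat (outside,inside) static server3_t
!
! Source matched by security-group NAME (resolved from the downloaded environment
! data), destination kept host specific. Post-8.3 ACLs use the REAL server address.
access-list server3-4 extended permit tcp security-group name PC1 any host 192.168.103.14 eq www
access-list server3-4 extended permit tcp security-group name PC2 any host 192.168.104.14 eq www
access-group server3-4 in interface inside
!
route outside 192.168.103.0 255.255.255.0 R14_IP
route outside 192.168.104.0 255.255.255.0 R14_IP
!
! ===== SW2_P: SXP speaker =====
cts sxp enable
cts sxp default password ccie
cts sxp default source-ip SW2P_VLAN8_IP
cts sxp connection peer ASA3_VLAN8_IP password default mode local speaker
!
! Verification:
!   ASA:    show cts environment-data ; show cts sxp connections ; show cts sxp sgt-map
!   switch: show cts sxp connections ; show cts role-based sgt-map all
```

Two things go wrong most often here. If `show cts environment-data` shows no security-group table, the ACL cannot resolve "PC1"/"PC2" to tags and silently matches nothing; check the PAC import and the RADIUS secret first. If the SXP connection stays in "Pending On", the password or the source/peer addresses are mismatched; the `default password` must be identical on both ends, and SXP itself is only MD5-authenticated, not encrypted, which is why the task pins it to one VLAN.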
The tunnel should negotiate IKEv2 policy and IPSec proposal for AES-256 encryption.
The tunnel should only secure traffic for Server1 and Server2
The client address pool should be 172.16.1.0-172.16.10.0/24
The session tunnel should remain connected for 48 hours even without any activity.
The Group alias for the session should be “ccieprofile”
The trustpoint for the implementation should be named “ccietrust” using RSA key pair “cciekey”
ASA should authenticate the session using AAA with ISE at 150.1.7.212.
Credentials should be Username: cisco, Password: Midhumo2
User “cisco” should be part of ISE internal database.
ISE should check for NAS IP address to authorize the session.
Note:
The verification of this task depends on successful implementation of Task 1.1a, Task 1.4, Task 2.1 and
Task 2.2
The tunnel destination “asa1.cisco.com” resolves to the ASA1 outside address.
The VPN session should terminate on ASA1_V, being the active ASA in the pair.
The VPN session should be in the established state when you have ended the Configuration module.
Use the FireFox browser to test your connectivity with Server1 and Server2.
Any information not provided for this task can be assumed by the candidate.
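The IKEv2 remote-access task above as a worked configuration on ASA1, added here and not part of the workbook. Integrity/PRF/DH group choices, the pool mask, the RADIUS shared secret, the interface facing ISE, the Server1/Server2 addresses (SERVER1_IP, SERVER2_IP) and the AnyConnect package file name are assumptions or placeholders; the trustpoint, key pair, alias, pool range, 48-hour idle time and ISE address are as the task states.

```cisco
! ===== ASA1: AnyConnect over IKEv2, AES-256, AAA to ISE =====
crypto key generate rsa label cciekey modulus 2048
crypto ca trustpoint ccietrust
 enrollment self
 subject-name CN=asa1.cisco.com
 keypair cciekey
crypto ca enroll ccietrust noconfirm
!
! IKEv2 SA: AES-256 as required; the rest of the policy is an assumption
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal AES256_PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto dynamic-map DYN_MAP 10 set ikev2 ipsec-proposal AES256_PROP
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ccietrust
ssl trust-point ccietrust outside
!
! Pool range as written in the task (172.16.1.0-172.16.10.0); the mask is an assumption
ip local pool CCIE_POOL 172.16.1.1-172.16.10.254 mask 255.255.255.0
!
! Split tunnel so the tunnel only carries Server1/Server2 traffic
access-list SPLIT_ACL standard permit host SERVER1_IP
access-list SPLIT_ACL standard permit host SERVER2_IP
!
! RADIUS to ISE; the ASA's "inside" address is the NAS-IP-Address ISE authorizes on
aaa-server ISE protocol radius
aaa-server ISE (inside) host 150.1.7.212
 key ISE_RADIUS_SECRET
!
group-policy CCIE_GP internal
group-policy CCIE_GP attributes
 vpn-tunnel-protocol ikev2
 vpn-idle-timeout 2880
 vpn-session-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 webvpn
  anyconnect profiles value CCIE_PROFILE type user
!
tunnel-group CCIE_TG type remote-access
tunnel-group CCIE_TG general-attributes
 address-pool CCIE_POOL
 authentication-server-group ISE
 default-group-policy CCIE_GP
tunnel-group CCIE_TG webvpn-attributes
 group-alias ccieprofile enable
!
webvpn
 enable outside
 anyconnect image disk0:/ANYCONNECT_PKG 1
 anyconnect profiles CCIE_PROFILE disk0:/ccie_profile.xml
 anyconnect enable
 tunnel-group-list enable
!
! Verification: show vpn-sessiondb anyconnect ; show crypto ikev2 sa ; test aaa-server
! authentication ISE host 150.1.7.212 username cisco password Midhumo2
```

`vpn-idle-timeout 2880` is the 48 hours in minutes; leaving `vpn-session-timeout none` means only inactivity, not elapsed time, can end the session. AnyConnect only negotiates IKEv2 when its client profile (`ccie_profile.xml`, pushed through `anyconnect profiles`) lists a HostEntry for asa1.cisco.com with PrimaryProtocol set to IPsec; without that entry the client silently falls back to SSL and `show crypto ikev2 sa` stays empty. On ISE the user "cisco" lives in the internal identity store and the authorization rule matches the NAS-IP-Address the ASA sources RADIUS from.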
The dot1x session should obtain its IP address via DHCP from the SW2_P local pool in VLAN 8.
ISE should authenticate the dot1x user “ccie”; the password should be set to “Ccie123”. User “ccie” should be
part of the ISE internal database.
ISE should authorize the session based on the NAS IP address.
On successful authorization ISE should assign the session VLAN 8 and the SGT “PC2”, and push a DACL that
permits IP traffic from any source to any destination.
From “dot1x_pc” you should be able to browse only Server4 to verify the implementation.
Notes:
The verification of this task depends on the successful
implementation of Task 1.3 and Task 3.5.
Make sure your implementation of AAA does not impact SW2_P console access.
The dot1x session should be in the established state when you have ended your lab.
Any information not provided to implement this task can be assumed by the candidate.
Notes:
You need to test SSH from the Candidate PC, where the “r1.csisco.com”
connection profile has been created in the PuTTY client.
The SSH session should be in the established state when you have ended your configuration module.
If required, use the account ccie/Cisco123 to join ISE to AD.
Any information not provided to implement this task can be assumed by the candidate.
The “mab_pc” should obtain its address via DHCP from the SW2_P local pool in VLAN 8.
The IP Phone should obtain its address via DHCP from the SW2_P local pool in VLAN 215 and be assigned the TFTP address
150.1.7.215.
On successful authorization ISE should assign “mab_pc” VLAN 8 and the SGT “PC1”, and push a DACL that permits
IP traffic from any source to any destination.
On successful authorization ISE should push a DACL that permits IP traffic from any source to any
destination for the IP phone.
From “mab_pc” you should be able to browse only Server3 to verify the implementation.
From SW2 you should be able to ping the IP Phone IP address and the CUCM IP address to verify the
implementation.
Notes:
The verification of this task depends on the successful implementation of Task 1.3 and Task 3.5.
Make sure your implementation of AAA does not impact SW2_P console access.
MAB sessions should be in the established state when you have ended the lab.
Any information not provided to implement this task can be assumed by the candidate.
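The 802.1X task and the MAB task above share one switch-side configuration on SW2_P, given here as a single added example (not workbook content) that also covers the AP port Gi1/0/7 from the wireless task. ISE is 150.1.7.212; the RADIUS secret, the VLAN 8 / VLAN 215 subnets and gateways, the dot1x_pc and mab_pc port numbers and the AP's access VLAN are not on the page and are placeholders. The identity side (internal users ccie/Ccie123, the NAS-IP-Address condition, VLAN 8 + SGT + dACL results, the AP's MAC in an endpoint group) is configured on ISE, not here.

```cisco
! ===== SW2_P: 802.1X / MAB authenticator, console unaffected =====
aaa new-model
! A dedicated method list for the console: never depends on RADIUS being reachable.
aaa authentication login CONSOLE none
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
line con 0
 login authentication CONSOLE
!
radius server ISE
 address ipv4 150.1.7.212 auth-port 1812 acct-port 1813
 key ISE_RADIUS_SECRET
!
! NAS-IP-Address ISE authorizes on = the VLAN 8 SVI; the attribute lines let ISE
! identify the NAS and download the dACL by name.
ip radius source-interface Vlan8
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting
!
dot1x system-auth-control
! A dACL is applied per endpoint IP; the switch must learn it (IOS-XE 16+: "device-tracking")
ip device tracking
!
! Local DHCP: VLAN 8 data, VLAN 215 voice with option 150 = TFTP 150.1.7.215
ip dhcp pool VLAN8
 network VLAN8_NET VLAN8_MASK
 default-router VLAN8_GW
ip dhcp pool VOICE215
 network VLAN215_NET VLAN215_MASK
 default-router VLAN215_GW
 option 150 ip 150.1.7.215
!
! dot1x_pc port: EAP first, MAB as fallback
interface GigabitEthernet1/0/X
 switchport mode access
 switchport access vlan 8
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
 spanning-tree portfast
!
! mab_pc + IP phone: multi-domain = one data endpoint and one voice endpoint
interface GigabitEthernet1/0/Y
 switchport mode access
 switchport access vlan 8
 switchport voice vlan 215
 authentication host-mode multi-domain
 authentication port-control auto
 authentication order mab
 mab
 spanning-tree portfast
!
! AP (wireless task): MAB-authenticated on Gi1/0/7
interface GigabitEthernet1/0/7
 switchport mode access
 switchport access vlan AP_VLAN
 authentication port-control auto
 authentication order mab
 mab
 spanning-tree portfast
!
! Verification: show authentication sessions interface Gi1/0/X details
!               show ip access-lists (the downloaded dACL appears as xACSACLx-IP-...)
```

The phone only lands in the voice domain if ISE returns `device-traffic-class=voice` in its authorization profile; without it the phone is treated as a second data host and multi-domain rejects it. Note that the "permit ip any any" dACL the task asks for is not a restriction at all; what confines mab_pc to Server3 and dot1x_pc to Server4 is the SGT (PC1/PC2) consumed by the `server3-4` ACL on ASA3, so a failed SGT assignment shows up as "can browse nothing", not "can browse everything".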
R1 should send informational-level messages to the Syslog server set up on the Candidate PC.
Messages seen from R1 on the Syslog server should be marked with the R1 hostname.
R17 should send debug-level messages to the Syslog server set up on the Candidate PC.
Messages seen from R17 on the Syslog server should be marked with the string “CA”.
Notes:
The Candidate PC is preconfigured with Kiwi Syslog server for this task.
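The two router-side configurations for the syslog task, as an added example (not workbook content). The Candidate PC's address is not given and is a placeholder; Kiwi listens on UDP 514 by default, which is also the router default.

```cisco
! ===== R1: severity 6 (informational) and below, origin stamped with the hostname =====
logging host CANDIDATE_PC_IP
logging trap informational
logging origin-id hostname
!
! ===== R17: severity 7 (debugging) and below, origin stamped with the literal "CA" =====
logging host CANDIDATE_PC_IP
logging trap debugging
logging origin-id string CA
!
! Verification: show logging  (look for "Trap logging: level ..." and the host entry)
```

`logging trap` sets the maximum severity forwarded, so "debugging" on R17 also forwards every `debug` you run later; on a busy box that floods the collector, so clear debugs before leaving the lab. Syslog over UDP is unauthenticated and the origin-id is just a string the sender chooses, so a collector cannot trust the "CA" tag as proof of source; on IOS that supports it, `logging host ... transport tcp` or a TLS transport is the fix outside the lab.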
WLC:
The management interface should have the address 10.100.102.1.
Configure WLAN 1 with SSID “podYY”; “YY” is your pod number, which can be seen in your
commserver hostname.
Layer 2 Security should be WPA with an ASCII-format PSK of “Cisco123” (the “o” in “Cisco” is the letter O, not a zero).
The encryption type should be AES.
SW2_P:
AP should be authenticated on port Gi1/0/7 using MAB with ISE as the RADIUS server.
ISE:
On successful authorization of AP ISE should push DACL to permit IP traffic from any source to any
destination.
ISE should authorize the session based on the NAS IP address.
AP:
Candidate may need to configure the following on AP if not pre-configured:
AP IP address: 10.100.102.33/24
AP Default-Gateway: 10.100.102.1
Primary Controller Name: cciewlc
Primary Controller IP: 10.100.102.1
Wireless_Client:
The candidate needs to configure the following for the “Wireless_Client”:
Wireless NIC:
IP Address: 10.100.102.1YY/24; “YY” is your pod number, which can be seen in your commserver
hostname.
Default Gateway: 10.100.102.33
Notes:
The AP Username/Password/Enable is Cisco/Cisco/Cisco and this should NOT be changed.
The AP hostname “ccieap” should not be changed.
The “Wireless_Client” should be able to associate with SSID
“podYY”; “YY” is your pod number, which can be seen in your commserver hostname. DO NOT
associate with any other SSID! As task verification, you should be able to ping 10.100.102.11 and
10.100.102.22 from “Wireless_Client” after you have connected to the “podYY” SSID.
Any information not provided for this task can be assumed by the candidate.
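The WLC and AP side of the wireless task as an added example (not workbook content); the SW2_P port and ISE parts are covered by the 802.1X/MAB configuration given earlier. The WLC's default gateway and management VLAN are not on the page and are placeholders; "YY" is the pod number exactly as the task describes it. The task says "WPA" with AES, which is written here as the WPA (v1) policy with the AES cipher; if the grader expects WPA2, swap the `wpa1` lines for `wpa2`.

```cisco
! ===== WLC (AireOS CLI) =====
config sysname cciewlc
config interface address management 10.100.102.1 255.255.255.0 MGMT_GW
!
! WLAN 1, profile name and SSID "podYY", PSK-only (802.1X AKM off), WPA policy with AES
config wlan create 1 podYY podYY
config wlan security wpa enable 1
config wlan security wpa wpa2 disable 1
config wlan security wpa wpa1 enable 1
config wlan security wpa wpa1 ciphers aes enable 1
config wlan security wpa wpa1 ciphers tkip disable 1
config wlan security wpa akm 802.1x disable 1
config wlan security wpa akm psk enable 1
config wlan security wpa akm psk set-key ascii Cisco123 1
config wlan enable 1
!
! ===== AP (lightweight AP CLI, login Cisco/Cisco/Cisco as given; hostname left as "ccieap") =====
capwap ap ip address 10.100.102.33 255.255.255.0
capwap ap ip default-gateway 10.100.102.1
capwap ap primary-base cciewlc 10.100.102.1
!
! Verification on the WLC:
!   show ap summary      -> ccieap registered
!   show wlan 1          -> WPA enabled, AES cipher, PSK AKM, status Enabled
!   show client summary  -> Wireless_Client associated to WLAN 1
```

The AP only joins after SW2_P has authorized it on Gi1/0/7 (the MAB rule on ISE must match the AP's MAC and return the permit-all dACL), so an AP that never appears in `show ap summary` is usually a RADIUS problem, not a CAPWAP one: check `show authentication sessions interface Gi1/0/7` on the switch first. A PSK of "Cisco123" is a lab value; with WPA-PSK the passphrase is the whole security boundary of the SSID, and the four-way handshake can be captured and brute-forced offline by anyone in radio range.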