Professional Documents
Culture Documents
Somesh Kale Roll No 630 SIC
Somesh Kale Roll No 630 SIC
Addressing Table
Device Interface IP Address Subnet Mask Default Gateway Switch Port
Objectives
Configure OSPF MD5 authentication.
Configure NTP.
Configure routers to log messages to the syslog server.
Configure R3 to support SSH connections.
Background / Scenario
In this activity, you will configure OSPF MD5 authentication for secure routing updates.
The NTP Server is the master NTP server in this activity. You will configure authentication on the NTP server
and the routers. You will configure the routers to allow the software clock to be synchronized by NTP to the
1
time server. Also, you will configure the routers to periodically update the hardware clock with the time learned
from NTP.
The Syslog Server will provide message logging in this activity. You will configure the routers to identify the remote
host (Syslog server) that will receive logging messages.
You will need to configure timestamp service for logging on the routers. Displaying the correct time and date in
Syslog messages is vital when using Syslog to monitor a network.
You will configure R3 to be managed securely using SSH instead of Telnet. The servers have been
preconfigured for NTP and Syslog services respectively. NTP will not require authentication. The routers have
been pre-configured with the following passwords:
Enable password: ciscoenpa55
Password for vty lines: ciscovtypa55
Note: Note: MD5 is the strongest encryption supported in the version of Packet Tracer used to develop this activity
(v6.2). Although MD5 has known vulnerabilities, you should use the encryption that meets the security
requirements of your organization. In this activity, the security requirement specifies MD5.
Step 2: Configure OSPF MD5 authentication for all the routers in area 0. Configure
OSPF MD5 authentication for all the routers in area 0.
R1(config)# router ospf 1
R1(config-router)# area 0 authentication message-digest
R2(config)# router ospf 1
R2(config-router)# area 0 authentication message-digest
Step 3: Configure the MD5 key for all the routers in area 0. Configure an MD5 key on the serial
interfaces on R1, R2 and R3. Use the password MD5pa55 for key 1.
R1(config)# interface s0/0/0
R1(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
2
Step 4: Verify configurations.
a. Verify the MD5 authentication configurations using the commands show ip ospf interface. b.
Verify end-to-end connectivity.
Step 3: Configure routers to update hardware clock. Configure R1, R2, and R3 to periodically
update the hardware clock with the time learned from NTP.
R1(config)# ntp update-calendar
R2(config)# ntp update-calendar
R3(config)# ntp update-calendar
Exit global configuration and verify that the hardware clock was updated using the command show clock.
3
Part 3: Configure Routers to Log Messages to the Syslog Server
Step 1: Configure the routers to identify the remote host (Syslog Server) that will receive
logging messages.
R1(config)# logging host 192.168.1.6
R2(config)# logging host 192.168.1.6
R3(config)# logging host 192.168.1.6
The router console will display a message that logging has started.
Step 3: Configure the incoming vty lines on R3. Use the local user accounts for
mandatory login and validation. Accept only SSH connections.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh
4
Step 5: Generate the RSA encryption key pair for R3.
The router uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the
RSA keys with a modulus of 1024. The default is 512, and the range is from 360 to 2048.
R3(config)# crypto key generate rsa
The name for the keys will be: R3.ccnasecurity.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
Note: The command to generate RSA encryption key pairs for R3 in Packet Tracer differs from those used in
the lab.
5
Step 11: Check results.
Your completion percentage should be 100%. Click Check Results to view the feedback and verification of
which required components have been completed.
6
ip domain-name ccnasecurity.com username SSHadmin
privilege 15 secret ciscosshpa55 line vty 0 4
login local transport input ssh crypto key
zeroize rsa crypto key generate rsa
1024 ip ssh time-out 90 ip ssh
authentication-retries 2
ip ssh version 2
end
7
Practical 2: Packet Tracer - Configure AAA Authentication on
Cisco Routers
Topology
Addressing Table
Objectives
Configure a local user account on R1 and configure authenticate on the console and vty lines using local
AAA.
Verify local AAA authentication from the R1 console and the PC-A client.
8
Configure server-based AAA authentication using TACACS+.
Verify server-based AAA authentication from the PC-B client.
Configure server-based AAA authentication using RADIUS.
Verify server-based AAA authentication from the PC-C client.
Background / Scenario
The network topology shows routers R1, R2 and R3. Currently, all administrative security is based on
knowledge of the enable secret password. Your task is to configure and test local and server-based AAA
solutions.
You will create a local user account and configure local AAA on router R1 to test the console and vty logins. o
User account: Admin1 and password admin1pa55
You will then configure router R2 to support server-based authentication using the TACACS+ protocol. The
TACACS+ server has been pre-configured with the following:
o Client: R2 using the keyword tacacspa55 o User account: Admin2
and password admin2pa55
Finally, you will configure router R3 to support server-based authentication using the RADIUS protocol. The
RADIUS server has been pre-configured with the following:
o Client: R3 using the keyword radiuspa55 o User account: Admin3
and password admin3pa55
9
R1(config)# aaa authentication login default local
Step 4: Configure the line console to use the defined AAA authentication method.
Enable AAA on R1 and configure AAA authentication for the console login to use the default method list.
R1(config)# line console 0
R1(config-line)# login authentication default
Username: Admin1
Password: admin1pa55 R1>
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
2: Configure a named list AAA authentication method for the vty lines on R1.
Configure a named list called SSH-LOGIN to authenticate logins using local AAA.
10
R1(config)# aaa authentication login SSH-LOGIN local
Step 3: Configure the vty lines to use the defined AAA authentication method.
Configure the vty lines to use the named AAA method and only allow SSH for remote access.
R1(config)# line vty 0 4
R1(config-line)# login authentication SSH-LOGIN
R1(config-line)# transport input ssh R1(config-line)#
end
Step 5: Configure the line console to use the defined AAA authentication method.
Configure AAA authentication for console login to use the default AAA authentication method.
R2(config)# line console 0
R2(config-line)# login authentication default
11
Verify the user EXEC login using the AAA TACACS+ server.
R2(config-line)# end
%SYS-5-CONFIG_I: Configured from console by console
R2# exit
Username: Admin2
Password: admin2pa55
R2>
Step 5: Configure the line console to use the defined AAA authentication method.
Configure AAA authentication for console login to use the default AAA authentication method.
R3(config)# line console 0
12
R3(config-line)# login authentication default
Username: Admin3
Password: admin3pa55 R3>
!!!Script for R1
!!!Part 1 config t username Admin1
secret admin1pa55 aaa new-model aaa
authentication login default local
line console 0
login authentication default
!!!Part 2
ip domain-name ccnasecurity.com crypto
key generate rsa
1024
aaa authentication login SSH-LOGIN local
line vty 0 4 login authentication SSH-
LOGIN transport input ssh !!!!Script for
R2
conf t
username Admin2 secret admin2pa55
tacacs-server host 192.168.2.2
tacacs-server key tacacspa55 aaa
new-model
aaa authentication login default group tacacs+ local
line console 0 login authentication default
13
!!!!Script for R3
conf t username Admin3 secret admin3pa55 radius-
server host 192.168.3.2
radius-server key radiuspa55 aaa new-model aaa
authentication login default group radius local
line console 0 login authentication default
14
Practical 3: Configuring Extended ACLs - Scenario 1
Topology
Addressing Table
Objectives
Part 1: Configure, Apply and Verify an Extended Numbered ACL
Part 2: Configure, Apply and Verify an Extended Named ACL
Background / Scenario
Two employees need access to services provided by the server. PC1 needs only FTP access while PC2
needs only web access. Both computers are able to ping the server, but not each other.
15
b. Add 100 to the command, followed by a question mark.
R1(config)# access-list 100 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
d. This ACL permits FTP and ICMP. ICMP is listed above, but FTP is not, because FTP uses TCP.
Therefore,enter tcp to further refine the ACL help.
R1(config)# access-list 100 permit tcp ?
A.B.C.D Source address any
Any source host host A
single source host
e. Notice that we could filter just for PC1 by using the host keyword or we could allow any host. In this case,
any device is allowed that has an address belonging to the 172.22.34.64/27 network. Enter the network
address, followed by a question mark.
R1(config)# access-list 100 permit tcp 172.22.34.64 ?
A.B.C.D Source wildcard bits
f. Calculate the wildcard mask determining the binary opposite of a subnet mask.
11111111.11111111.11111111.11100000 = 255.255.255.224
00000000.00000000.00000000.00011111 = 0.0.0.31
g. Enter the wildcard mask, followed by a question mark.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 ?
A.B.C.D Destination address any Any destination
host eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host lt Match only
packets with a lower port number neq Match only
packets not on a given port number range Match only
packets in the range of port numbers
h. Configure the destination address. In this scenario, we are filtering traffic for a single destination, which is
the server. Enter the host keyword
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62
?
dscp Match packets with given dscp value eq
Match only packets on a given port number established
established gt Match only packets with a greater
16
port number lt Match only packets with a lower port
number neq Match only packets not on a given port
number precedence Match packets with given precedence value
range Match only packets in the range of port numbers
<cr>
i. Notice that one of the options is <cr> (carriage return). In other words, you can press Enter and the
statement would permit all TCP traffic. However, we are only permitting FTP traffic; therefore, enter the
eq keyword, followed by a question mark to display the available options. Then, enter ftp and press
Enter.
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62
eq ?
<0-65535> Port number ftp File
Transfer Protocol (21) pop3 Post Office
Protocol v3 (110) smtp Simple Mail
Transport Protocol (25) telnet Telnet (23)
www World Wide Web (HTTP, 80)
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.31 host
172.22.34.62 eq ftp
j. Create a second access list statement to permit ICMP (ping, etc.) traffic from PC1 to Server. Note that
the access list number remains the same and no particular type of ICMP traffic needs to be specified.
R1(config)# access-list 100 permit icmp 172.22.34.64 0.0.0.31 host
172.22.34.62
k. All other traffic is denied, by default.
. 17
extended Extended Access List
standard Standard Access List
b. You can configure named standard and extended ACLs. This access list filters both source and
destination IP addresses; therefore, it must be extended. Enter HTTP_ONLY as the name. (For Packet
Tracer scoring, the name is case-sensitive.)
R1(config)# ip access-list extended HTTP_ONLY
c. The prompt changes. You are now in extended named ACL configuration mode. All devices on the PC2
LAN need TCP access. Enter the network address, followed by a question mark.
R1(config-ext-nacl)# permit tcp 172.22.34.96 ?
A.B.C.D Source wildcard bits
d. An alternative way to calculate a wildcard is to subtract the subnet mask from 255.255.255.255.
255.255.255.255
- 255.255.255.240
-----------------
= 0. 0. 0. 15
R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 ?
e. Finish the statement by specifying the server address as you did in Part 1 and filtering www traffic.
R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www
f. Create a second access list statement to permit ICMP (ping, etc.) traffic from PC2 to Server. Note: The
prompt remains the same and a specific type of ICMP traffic does not need to be specified.
R1(config-ext-nacl)# permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62
g. All other traffic is denied, by default. Exit out of extended named ACL configuration mode.
a. Ping from PC2 to Server. The ping should be successful, if the ping is unsuccessful, verify the IP
addresses before continuing.
b. FTP from PC2 to Server. The connection should fail.
c. Open the web browser on PC2 and enter the IP address of Server as the URL. The connection should be
successful.
18
Practical 3: Configuring Extended ACLs - Scenario 2
Topology
Addressing Table
Objectives
Part 1: Configure, Apply and Verify an Extended Numbered ACL
Part 2: Reflection Questions
Background / Scenario
In this scenario, devices on one LAN are allowed to remotely access devices in another LAN using the SSH
protocol. Besides ICMP, all traffic from other networks is denied.
The switches and router have also been pre-configured with the following:
Enable secret password: ciscoenpa55
Console password: ciscoconpa55
Local username and password: Admin / Adminpa55
Packet Tracer - Configuring Extended ACLs - Scenario 2
. 19
SSH traffic from devices on the 10.101.117.32/28 network is allowed to devices on the
10.101.117.0/27 networks.
ICMP traffic is allowed from any source to any destination.
All other traffic to 10.101.117.0/27 is blocked.
f. SSH from PCA to SWB. The access list is placed on G0/2 and does not affect this connection. The
username is Admin, and the password is Adminpa55.
20
g. After logging into SWB, do not log out. SSH to SWC in privileged EXEC mode.
SWB# ssh -l Admin 10.101.117.2
Step 2 4
Part 1 Total 12
Question 2 4
Part 2 Total 8
21
Practical 4: Configure IP ACLs to Mitigate Attacks.
Topology
Addressing Table
Device Interface IP Address Subnet Mask Default Gateway Switch Port
Objectives
Verify connectivity among devices before firewall configuration.
Use ACLs to ensure remote access to the routers is available only from management station PC-C.
Configure ACLs on R1 and R3 to mitigate attacks.
Verify ACL functionality.
Background/Scenario
Access to routers R1, R2, and R3 should only be permitted from PC-C, the management station. PC-C is also
used for connectivity testing to PC-A, which is a server providing DNS, SMTP, FTP, and HTTPS services.
Standard operating procedure is to apply ACLs on edge routers to mitigate common threats based on source
and destination IP address. In this activity, you will create ACLs on edge routers R1 and R3 to achieve this
goal. You will then verify ACL functionality from internal and external hosts.
The routers have been pre-configured with the following:
22
o Enable password: ciscoenpa55 o
Static routing
Step 2: Apply ACL 10 to ingress traffic on the VTY lines. Use the access-class
command to apply the access list to incoming traffic on the VTY lines.
R1(config-line)# access-class 10 in
R2(config-line)# access-class 10 in
R3(config-line)# access-class 10 in
23
b. Establish an SSH session to 192.168.2.1 from PC-A (should fail).
Note: Check Results will not show a correct configuration for ACL 120 until you modify it in Part 4.
Step 1: Verify that PC-C can access the PC-A via HTTPS using the web browser.
Be sure to disable HTTP and enable HTTPS on server PC-A.
Step 2: Configure ACL 120 to specifically permit and deny the specified traffic. Use
the access-list command to create a numbered IP ACL.
R1(config)# access-list 120 permit udp any host 192.168.1.3 eq domain
R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq smtp
R1(config)# access-list 120 permit tcp any host 192.168.1.3 eq ftp
R1(config)# access-list 120 deny tcp any host 192.168.1.3 eq 443
R1(config)# access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
Step 3: Apply the ACL to interface S0/0/0. Use the ip access-group command to apply the
access list to incoming traffic on interface S0/0/0.
Step 4: Verify that PC-C cannot access PC-A via HTTPS using the web browser. Part
Step 1: Verify that PC-A cannot successfully ping the loopback interface on R2.
Step 2: Make any necessary changes to ACL 120 to permit and deny the specified traffic. Use
the access-list command to create a numbered IP ACL.
R1(config)# access-list 120 permit icmp any any echo-reply
R1(config)# access-list 120 permit icmp any any unreachable
R1(config)# access-list 120 deny icmp any any
R1(config)# access-list 120 permit ip any any
24
Step 3: Verify that PC-A can successfully ping the loopback interface on R2. Part
Step 1: Configure ACL 110 to permit only traffic from the inside network. Use
the access-list command to create a numbered IP ACL.
R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 any
Step 2: Apply the ACL to interface G0/1. Use the ip access-group command to apply the
access list to incoming traffic on interface G0/1.
Step 1: Configure ACL 100 to block all specified traffic from the outside network.
You should also block traffic sourced from your own internal address space if it is not an RFC 1918 address.
In this activity, your internal address space is part of the private address space specified in RFC 1918. Use the
access-list command to create a numbered IP ACL. access-list 100 permit tcp 10.0.0.0
R3(config)#
0.255.255.255 eq 22 host
192.168.3.3
R3(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R3(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
R3(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
R3(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R3(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any R3(config)#
access-list 100 permit ip any any
Step 2: Apply the ACL to interface Serial 0/0/1. Use the ip access-group command to apply the
access list to incoming traffic on interface Serial 0/0/1.
R3(config)# interface s0/0/1
R3(config-if)# ip access-group 100 in
25
Step 3: Confirm that the specified traffic entering interface Serial 0/0/1 is handled correctly.
a. From the PC-C command prompt, ping the PC-A server. The ICMP echo replies are blocked by the ACL
since they are sourced from the 192.168.0.0/16 address space.
b. Establish an SSH session to 192.168.2.1 from PC-C (should be successful).
Step 4: Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which
required components have been completed.
!!!Script for R1
access-list 10 permit host 192.168.3.3
line vty 0 4
access-class 10 in
access-list 120 permit udp any host 192.168.1.3 eq domain
access-list 120 permit tcp any host 192.168.1.3 eq smtp
access-list 120 permit tcp any host 192.168.1.3 eq ftp access-
list 120 deny tcp any host 192.168.1.3 eq 443 access-list 120
permit tcp host 192.168.3.3 host 10.1.1.1 eq 22 interface
s0/0/0 ip access-group 120 in
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any unreachable
access-list 120 deny icmp any any access-list
120 permit ip any any
!!!Script for R2
access-list 10 permit host 192.168.3.3
line vty 0 4
access-class 10 in
!!!Script for R3
access-list 10 permit host 192.168.3.3
line vty 0 4
access-class 10 in
access-list 100 permit tcp 10.0.0.0 0.255.255.255 eq 22 host 192.168.3.3
access-list 100 deny ip 10.0.0.0 0.255.255.255 any access-list
100 deny ip 172.16.0.0 0.15.255.255 any access-list 100 deny
ip 192.168.0.0 0.0.255.255 any access-list 100 deny ip
127.0.0.0 0.255.255.255 any access-list 100 deny ip 224.0.0.0
15.255.255.255 any
access-list 100 permit ip any any
interface s0/0/1 ip access-group
100 in
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
interface g0/1 ip access-group 110 in
26
Practical 5: Configuring IPv6 ACLs
Topology
Addressing Table
Device Interface IPv6 Address/Prefix Default Gateway
Objectives
Part 1: Configure, Apply, and Verify an IPv6 ACL
Part 2: Configure, Apply, and Verify a Second IPv6 ACL
Step 1: Configure an ACL that will block HTTP and HTTPS access.
Configure an ACL named BLOCK_HTTP on R1 with the following statements. a.
Block HTTP and HTTPS traffic from reaching Server3.
R1(config)# deny tcp any host 2001:DB8:1:30::30 eq www
R1(config)# deny tcp any host 2001:DB8:1:30::30 eq 443
b. Allow all other IPv6 traffic to pass.
R1(config)# permit ipv6 any any
Step 2: Apply the ACL to the correct interface. Apply the ACL on the
interface closest to the source of the traffic to be blocked.
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ipv6 traffic-filter BLOCK_HTTP in
27
Step 3: Verify the ACL implementation.
Verify that the ACL is operating as intended by conducting the following tests:
Open the web browser of PC1 to http://2001:DB8:1:30::30 or https://2001:DB8:1:30::30. The website
should appear.
Open the web browser of PC2 to http://2001:DB8:1:30::30 or https://2001:DB8:1:30::30. The website
should be blocked.
Ping from PC2 to 2001:DB8:1:30::30. The ping should be successful.
28
Practical 6: Configuring a Zone-Based Policy Firewall (ZPF)
Topology
Addressing Table
Device Interface IP Address Subnet Mask Default Gateway Switch Port
Objectives
Verify connectivity among devices before firewall configuration.
Configure a zone-based policy (ZPF) firewall on R3.
Verify ZPF firewall functionality using ping, SSH, and a web browser.
Background/Scenario
ZPFs are the latest development in the evolution of Cisco firewall technologies. In this activity, you will
configure a basic ZPF on an edge router R3 that allows internal hosts access to external resources and
blocks external hosts from accessing internal resources. You will then verify firewall functionality from internal
and external hosts.
The routers have been pre-configured with the following:
o Console password: ciscoconpa55
o Password for vty lines: ciscovtypa55 o Enable password: ciscoenpa55
.
29
Part 1: Verify Basic Network Connectivity
Verify network connectivity prior to configuring the zone-based policy firewall.
. 30
Step 2: Create a class map referencing the internal traffic ACL.
Use the class-map type inspect command with the match-all option to create a class map named IN-
NETCLASS-MAP. Use the match access-group command to match ACL 101.
R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP
R3(config-cmap)# match access-group 101
R3(config-cmap)# exit
Step 2: Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.
R3(config-pmap)# class type inspect IN-NET-CLASS-MAP
Step 2: Specify the policy map for handling the traffic between the two zones.
Attach a policy-map and its associated actions to the zone pair using the service-policy type inspect
command and reference the policy map previously created, IN-2-OUT-PMAP.
R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)# exit
R3(config)#
31
Use the zone-member security command in interface configuration mode to assign G0/1 to IN-ZONE and
S0/0/1 to OUT-ZONE.
R3(config)# interface g0/1
R3(config-if)# zone-member security IN-ZONE
R3(config-if)# exit
R3(config)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE R3(config-if)#
exit
.
32
192.168.3.3:1028 (port 1028 is random)
What is the destination IP address and port number?
___________________________________________________________________________________
_
10.2.2.2:22 (SSH = port 22)
Step 3: From PC-C, exit the SSH session on R2 and close the command prompt window.
Step 4: From internal PC-C, open a web browser to the PC-A server web page.
Enter the server IP address 192.168.1.3 in the browser URL field, and click Go. The HTTP session should
succeed. While the HTTP session is active, issue the command show policy-map type inspect zone-pair
sessions on R3 to view established sessions.
Note: If the HTTP session times out before you execute the command on R3, you will have to click the Go
button on PC-C to generate a session between PC-C and PC-A.
R3# show policy-map type inspect zone-pair sessions
33
Step 1: From the PC-A server command prompt, ping PC-C.
From the PC-A command prompt, ping PC-C at 192.168.3.3. The ping should fail.
.
34
Practical 7: Configure IOS Intrusion Prevention System (IPS)
Using the CLI
Topology
Addressing Table
Device Interface IP Address Subnet Mask Default Gateway Switch Port
Objectives
Enable IOS IPS.
Configure logging.
Modify an IPS signature.
Verify IPS.
Background / Scenario
Your task is to enable IPS on R1 to scan traffic entering the 192.168.1.0 network.
The server labeled Syslog is used to log IPS messages. You must configure the router to identify the syslog
server to receive logging messages. Displaying the correct time and date in syslog messages is vital when
using syslog to monitor the network. Set the clock and configure the timestamp service for logging on the
routers. Finally, enable IPS to produce an alert and drop ICMP echo reply packets inline.
The server and PCs have been preconfigured. The routers have also been preconfigured with the following:
35
o Enable password: ciscoenpa55 o Console
Step 4: Configure the IPS signature storage location. On R1, configure the IPS
signature storage location to be the directory you just created.
R1(config)# ip ips config location flash:ipsdir
36
b. If necessary, use the clock set command from privileged EXEC mode to reset the clock. R1#
clock set 10:20:00 10 january 2014
c. Verify that the timestamp service for logging is enabled on the router using the show run
command.
Enable the timestamp service if it is not enabled.
R1(config)# service timestamps log datetime msec
d. Send log messages to the syslog server at IP address 192.168.1.50. R1(config)#
logging host 192.168.1.50
37
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert R1(config-sigdef-
sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] <Enter>
b. From PC-A, attempt to ping PC-C. Were the pings successful? Explain.
___________________________________________________________________________________
_
___________________________________________________________________________________
_
The ping should be successful. This is because the IPS rule does not cover echo reply. When PC-A pings
PC-C, PC-C responds with an echo reply.
!!!Script for R1
clock set 10:20:00 10 january 2014 mkdir
ipsdir
config
t
38
license boot module c1900 technology-package securityk9
yes end reload config t
ip ips config location flash:ipsdir
ip ips name iosips ip ips notify log
service timestamps log datetime msec
logging host 192.168.1.50
ip ips signature-category
category all retired true exit
category ios_ips basic retired
false exit exit interface
g0/1 ip ips iosips out exit ip
ips signature-definition
signature 2004 0 status
retired false enabled true
exit engine event-action
produce-alert event-action
deny-packet-inline exit exit
exit
39
Practical 8: Packet Tracer - Layer 2 Security
Topology
Objectives
Assign the Central switch as the root bridge.
Secure spanning-tree parameters to prevent STP manipulation attacks.
Enable port security to prevent CAM table overflow attacks.
Background / Scenario
There have been a number of attacks on the network recently. For this reason, the network administrator has
assigned you the task of configuring Layer 2 security.
For optimum performance and security, the administrator would like to ensure that the root bridge is the 3560
Central switch. To prevent spanning-tree manipulation attacks, the administrator wants to ensure that the STP
parameters are secure. To prevent against CAM table overflow attacks, the network administrator has
decided to configure port security to limit the number of MAC addresses each switch port can learn. If the
number of MAC addresses exceeds the set limit, the administrator would like the port to be shutdown. All
switch devices have been preconfigured with the following:
o Enable password: ciscoenpa55 o Console password:
ciscoconpa55
o SSH username and password: SSHadmin / ciscosshpa55
. 40
From Central, issue the show spanning-tree command to determine the current root bridge, to see the ports
in use, and to see their status.
Which switch is the current root bridge?
_______________________________________________________________________________________
Current root is SW-1.
Based on the current root bridge, what is the resulting spanning tree? (Draw the spanning-tree topology.)
Step 2: Assign Central as the primary root bridge. Using the spanning-tree vlan 1 root
primary command, and assign Central as the root bridge.
Central(config)# spanning-tree vlan 1 root primary
Step 3: Assign SW-1 as a secondary root bridge. Assign SW-1 as the secondary root bridge using
the spanning-tree vlan 1 root secondary command. SW-1(config)# spanning-tree vlan 1
root secondary
41
BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports. Enable BPDU
guard on SW-A and SW-B access ports.
SW-A(config)# interface range f0/1 - 4
SW-A(config-if-range)# spanning-tree bpduguard enable
42
Why is port security not enabled on ports that are connected to other switch devices?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Ports connected to other switch devices have a multitude of MAC addresses learned for that single port.
Limiting the number of MAC addresses that can be learned on these ports can significantly impact network
functionality.
b. Ping from C1 to C2 and issue the command show port-security interface f0/1 again to verify that the
switch has learned the MAC address for C1.
43
!!!Script for SW-1 conf
t
spanning-tree vlan 1 root secondary
interface range f0/23 - 24
spanning-tree guard root end
44
Practical 9: Layer 2 VLAN Security
.
Topology
Objectives
Connect a new redundant link between SW-1 and SW-2.
Enable trunking and configure security on the new trunk link between SW-1 and SW-2.
Create a new management VLAN (VLAN 20) and attach a management PC to that VLAN.
Implement an ACL to prevent outside users from accessing the management VLAN.
Background / Scenario
trunk ports are configured with native VLAN 15. A network administrator wants to add a redundant link
between switch SW-1 and SW-2. The link must have trunking enabled and all security requirements should
be in place.
In addition, the network administrator wants to connect a management PC to switch SW-A. The administrator
would like to enable the management PC to connect to all switches and the router, but does not want any
other devices to connect to the management PC or the switches. The administrator would like to create a new
VLAN 20 for management purposes.
All devices have been preconfigured with: o
Enable secret password: ciscoenpa55 o
Console password: ciscoconpa55
45
o SSH username and password: SSHadmin / ciscosshpa55 Part
1: Verify Connectivity
Step 2: Enable trunking, including all trunk security mechanisms on the link between SW-1 and
SW-2.
Trunking has already been configured on all pre-existing trunk interfaces. The new link must be configured for
trunking, including all trunk security mechanisms. On both SW-1 and SW-2, set the port to trunk, assign
native VLAN 15 to the trunk port, and disable auto-negotiation.
SW-1(config)# interface f0/23
SW-1(config-if)# switchport mode trunk
SW-1(config-if)# switchport trunk native vlan 15
SW-1(config-if)# switchport nonegotiate
SW-1(config-if)# no shutdown
46
Packet Tracer - Layer 2 VLAN Security
SW-1(config)# vlan 20
SW-1(config-vlan)# exit
SW-2(config)# vlan 20
SW-2(config-vlan)# exit
Central(config)# vlan 20
Central(config-vlan)# exit
b. Create an interface VLAN 20 on all switches and assign an IP address within the 192.168.20.0/24
network.
SW-B(config)# interface vlan 20
SW-B(config-if)# ip address 192.168.20.2 255.255.255.0
47
Part 4: Enable the Management PC to Access Router R1
Step 1: Enable a new subinterface on router R1.
a. Create subinterface g0/0.3 and set encapsulation to dot1q 20 to account for VLAN 20.
R1(config)# interface g0/0.3
R1(config-subif)# encapsulation dot1q 20
b. Assign an IP address within the 192.168.20.0/24 network.
R1(config)# interface g0/0.3
R1(config-subif)# ip address 192.168.20.100 255.255.255.0
48
____________________________________________________________________________________
____________________________________________________________________________________
The pings should have been successful because all devices within the 192.168.20.0 network should be
able to ping one another. Devices within VLAN20 are not required to route through the router.
c. From D1, ping the management PC. Were the pings successful? Explain.
____________________________________________________________________________________
___________________________________________________________________________________
_
____________________________________________________________________________________
The ping should have failed because for a device within a different VLAN to successfully ping a device
within VLAN20, it must be routed. The router has an ACL that prevents all packets from accessing the
192.168.20.0 network.
Step 5: Check results.
Your completion percentage should be 100%. Click Check Results to view feedback and verification of which
required components have been completed.
If all components appear to be correct and the activity still shows incomplete, it could be due to the
connectivity tests that verify the ACL operation.
49
!!! Script for Central conf t vlan 20 exit
interface vlan 20 ip address
192.168.20.5 255.255.255.0
50
Practical 10: Configure and Verify a Site-to-Site IPsec VPN Using
CLI
Topology
Addressing Table
Device Interface IP Address Subnet Mask Default Gateway Switch Port
Objectives
Verify connectivity throughout the network.
Configure R1 to support a site-to-site IPsec VPN with R3.
Background / Scenario
The network topology shows three routers. Your task is to configure R1 and R3 to support a site-to-site IPsec
VPN when traffic flows between their respective LANs. The IPsec VPN tunnel is from R1 to R3 via R2. R2
51
acts as a pass-through and has no knowledge of the VPN. IPsec provides secure transmission of sensitive
information over unprotected networks, such as the Internet. IPsec operates at the network layer and protects
and authenticates IP packets between participating IPsec devices (peers), such as Cisco routers. ISAKMP
Phase 1 Policy Parameters
Parameters R1 R3
Parameters R1 R3
52
a. On R1, issue the show version command to view the Security Technology package license information.
b. If the Security Technology package has not been enabled, use the following command to enable the
package.
R1(config)# license boot module c1900 technology-package securityk9
c. Accept the end-user license agreement.
d. Save the running-config and reload the router to enable the security license.
e. Verify that the Security Technology package has been enabled by using the show version command.
53
R1(config)# interface s0/0/0
Step 3: Configure the IKE Phase 1 ISAKMP properties on R3. Configure the crypto ISAKMP
policy 10 properties on R3 along with the shared crypto key vpnpa55.
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# authentication pre-share R3(config-isakmp)#
group 5
R3(config-isakmp)# exit
R3(config)# crypto isakmp key vpnpa55 address 10.1.1.2
Step 5: Configure the crypto map on the outgoing interface. Bind the VPN-MAP crypto
map to the outgoing Serial 0/0/1 interface. Note: This is not graded.
R3(config)# interface s0/0/1
R3(config-if)# crypto map VPN-MAP
54
Part 3: Verify the IPsec VPN
Step 1: Verify the tunnel prior to interesting traffic.
Issue the show crypto ipsec sa command on R1. Notice that the number of packets encapsulated,
encrypted, decapsulated, and decrypted are all set to 0.
55
crypto isakmp key vpnpa55 address 10.1.1.2 crypto ipsec
transform-set VPN-SET esp-aes esp-sha-hmac crypto map
VPN-MAP 10 ipsec-isakmp description VPN connection to
R1 set peer 10.1.1.2
set transform-set VPN-SET match address 110 exit
interface S0/0/1 crypto map VPN-MAP
56
Packet Tracer - Configuring ASA Basic Settings and Firewall
Using CLI (Instructor Version)
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Topology
IP Addressing Table
Device Interface IP Address Subnet Mask Default Gateway
57
PC-C NIC 172.16.3.3 255.255.255.0 172.16.3.1
Objectives
Verify connectivity and explore the ASA
Configure basic ASA settings and interface security levels using CLI
Configure routing, address translation, and inspection policy using CLI
Configure DHCP, AAA, and SSH
Configure a DMZ, Static NAT, and ACLs
Scenario
Your company has one location connected to an ISP. R1 represents a CPE device managed by the ISP. R2
represents an intermediate Internet router. R3 represents an ISP that connects an administrator from a
network management company, who has been hired to remotely manage your network. The ASA is an edge
CPE security device that connects the internal corporate network and DMZ to the ISP while providing NAT
and DHCP services to inside hosts. The ASA will be configured for management by an administrator on the
internal network and by the remote administrator. Layer 3 VLAN interfaces provide access to the three areas
created in the activity: Inside, Outside, and DMZ. The ISP assigned the public IP address space of
209.165.200.224/29, which will be used for address translation on the ASA.
All router and switch devices have been preconfigured with the following:
o Enable password: ciscoenpa55 o Console password:
ciscoconpa55
o Admin username and password: admin/adminpa55
Note: This Packet Tracer activity is not a substitute for the ASA labs. This activity provides additional practice
and simulates most of the ASA 5505 configurations. When compared to a real ASA 5505, there may be slight
differences in command output or commands that are not yet supported in Packet Tracer.
58
Part 2: Configure ASA Settings and Interface Security Using the CLI
Tip: Many ASA CLI commands are similar to, if not the same, as those used with the Cisco IOS CLI. In
addition, the process of moving between configuration modes and submodes is essentially the same.
59
Part 3: Configure Routing, Address Translation, and Inspection Policy
Using the CLI
Step 1: Configure a static default route for the ASA.
Configure a default static route on the ASA outside interface to enable the ASA to reach external networks.
a. e using the route command, associate it with the ASA outside interface,
and point to the R1 G0/0 IP address (209.165.200.225) as the gateway of last resort.
CCNAS-ASA(config)# route outside 0.0.0.0 0.0.0.0 209.165.200.225
b. Issue the show route command to verify the static default route is in the ASA routing table.
c. Verify that the ASA can ping the R1 S0/0/0 IP address 10.1.1.1. If the ping is unsuccessful, troubleshoot
as necessary.
Step 3: Modify the default MPF application inspection global service policy.
For application layer inspection and other advanced options, the Cisco MPF is available on ASAs.
The Packet Tracer ASA device does not have an MPF policy map in place by default. As a modification, we
can create the default policy map that will perform the inspection on inside-to-outside traffic. When configured
correctly only traffic initiated from the inside is allowed back in to the outside interface. You will need to add
ICMP to the inspection list.
a. Create the class-map, policy-map, and service-policy. Add the inspection of ICMP traffic to the policy map
list using the following commands:
CCNAS-ASA(config)# class-map inspection_default
CCNAS-ASA(config-cmap)# match default-inspection-traffic
CCNAS-ASA(config-cmap)# exit
CCNAS-ASA(config)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
CCNAS-ASA(config-pmap-c)# exit
CCNAS-ASA(config)# service-policy global_policy global
60
b. From PC-B, attempt to ping the R1 G0/0 interface at IP address 209.165.200.225. The pings should be
successful this time because ICMP traffic is now being inspected and legitimate return traffic is being
allowed. If the pings fail, troubleshoot your configurations.
61
d. Establish an SSH session from PC-B to the ASA (192.168.1.1). Troubleshoot if it is not successful.
PC> ssh -l admin 192.168.1.1
Step 2: Configure static NAT to the DMZ server using a network object.
Configure a network object named dmz-server and assign it the static IP address of the DMZ server
(192.168.2.3). While in object definition mode, use the nat command to specify that this object is used to
translate a DMZ address to an outside address using static NAT, and specify a public translated address of
209.165.200.227.
CCNAS-ASA(config)# object network dmz-server
CCNAS-ASA(config-network-object)# host 192.168.2.3
CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.227
CCNAS-ASA(config-network-object)# exit
Step 3: Configure an ACL to allow access to the DMZ server from the Internet.
Configure a named access list OUTSIDE-DMZ that permits the TCP protocol on port 80 from any external
direction.
CCNAS-ASA(config)# access-list OUTSIDE-DMZ permit icmp any host 192.168.2.3
CCNAS-ASA(config)# access-list OUTSIDE-DMZ permit tcp any host 192.168.2.3 eq
80
62
CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside
Note: Unlike IOS ACLs, the ASA ACL permit statement must permit access to the internal private DMZ
address. External hosts access the server using its public static NAT address, the ASA translates it to the
internal host IP address, and then applies the ACL.
Scripts
ASA enable
!<Enter> for password conf t
hostname CCNAS-ASA domain-name
ccnasecurity.com enable
password ciscoenpa55 clock set
13:52:51 June 10 2015 interface
vlan 1 nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100 interface vlan 2
nameif outside
ip address 209.165.200.226 255.255.255.248
security-level 0
route outside 0.0.0.0 0.0.0.0 209.165.200.225
object network inside-net subnet 192.168.1.0
255.255.255.0 nat (inside,outside) dynamic
interface class-map inspection_default match
default-inspection-traffic exit
policy-map global_policy
class inspection_default
inspect icmp exit
service-policy global_policy global dhcpd
address 192.168.1.5-192.168.1.36 inside dhcpd
dns 209.165.201.2 interface inside dhcpd
enable inside username admin password
adminpa55 aaa authentication ssh console
LOCAL crypto key generate rsa modulus 1024 no
ssh 192.168.1.0 255.255.255.0 inside
ssh 172.16.3.3 255.255.255.255 outside
ssh timeout 10 interface vlan 3
ip address 192.168.2.1 255.255.255.0
no forward interface vlan 1 nameif
dmz security-level 70 interface
Ethernet0/2 switchport access vlan 3
63
object network dmz-server host
192.168.2.3
nat (dmz,outside) static 209.165.200.227 access-list
OUTSIDE-DMZ permit icmp any host 192.168.2.3
access-list OUTSIDE-DMZ permit tcp any host 192.168.2.3 eq 80
access-group OUTSIDE-DMZ in interface outside PC-B
-Change from static to DHCP addressing
64