c. Configure the INSIDE, OUTSIDE, and DMZ interfaces with the following:
HQ-ASA5506
enable
Thecar1Admin
! Thecar1Admin is the enable password, typed at the Password: prompt
conf term
domain-name thecar1.com
hostname HQ-ASA5506
! The ip address line for each interface comes from the assessment's addressing table (not reproduced on this page).
interface g1/1
 nameif OUTSIDE
 security-level 1
 no shutdown
! no shutdown is needed on OUTSIDE as well; without it the interface stays administratively down
interface g1/2
 nameif INSIDE
 security-level 100
 no shutdown
interface g1/3
 nameif DMZ
 security-level 70
 no shutdown
exit
Addressing table excerpt: HQ G0/0 209.165.200.254
HQ-ASA5506
! Authenticated NTP against the AAA/NTP/SyslogSvr (NIC 192.168.10.10)
ntp authenticate
ntp authentication-key 1 md5 corpkey
ntp trusted-key 1
ntp server 192.168.10.10 key 1
! Once ntp authenticate is set, the server line must reference key 1; otherwise the ASA discards the server's unauthenticated replies and never synchronizes.
HQ-ASA5506
! yes is the answer to the confirmation prompt when the RSA keypair for SSH is generated/replaced
yes
ssh timeout 20
Step 5: Configure NAT Service for the ASA device for both INSIDE and DMZ networks.
a. Create a network object called INSIDE-nat with subnet 192.168.10.0/24 and enable the IP addresses of the hosts in the internal network to be dynamically translated to access the external network via the outside interface.
b. Create a network object DMZ-web-server to statically translate the DMZ web server internal IP address to the outside public IP address 209.165.200.241.
c. Create a network object DMZ-dns-server to statically translate the DMZ DNS server internal IP address to the outside public IP address 209.165.200.242.
HQ-ASA5506
configure terminal
! Object names, the 192.168.10.0/24 subnet and the public addresses are taken from the task text above.
object network INSIDE-nat
 subnet 192.168.10.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface
exit
object network DMZ-web-server
 host 192.168.20.2
 nat (DMZ,OUTSIDE) static 209.165.200.241
exit
object network DMZ-dns-server
 host 192.168.20.5
 nat (DMZ,OUTSIDE) static 209.165.200.242
exit
a. Configure a named extended ACL to permit inside hosts to be translated to the pool of outside IP addresses. Name the ACL NAT-IP-ALL.
b. Apply NAT-IP-ALL ACL to the DMZ and OUTSIDE interfaces in the inward direction.
c. Configure an ACL to allow access to the DMZ servers from the internet. Create an extended named ACL (named OUTSIDE-TO-DMZ) to filter incoming traffic to the HQ ASA. The ACL statements should be created in the order specified in the following guidelines:
(Note: The order of ACL statements is significant only because of the scoring requirements for this assessment.)
Note: For the purposes of this assessment, do NOT apply this ACL.
HQ-ASA5506
configure terminal
access-list OUTSIDE-TO-DMZ extended permit tcp host 198.133.219.35 host 209.165.200.241 eq ftp
! Caveat: on ASA 8.3 and later, access lists are matched against the real (untranslated) address, so on hardware this entry would have to name the DMZ web server's real address (192.168.20.2 in Step 5) rather than the mapped 209.165.200.241. The entry is kept as the key shows it because the assessment scores the statement as written and the ACL is not applied.
end
show run
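The following is an added example, not part of the assessment answer key: the same OUTSIDE-TO-DMZ ACL written the way a production ASA (8.3 or later) requires, with each entry referencing the Step 5 network object so it matches the server's real address, applied to OUTSIDE, and checked with packet-tracer. Assumptions not on the page: the DNS entry (UDP/53 from any) and the second, unrelated source address 203.0.113.9 are constructed for illustration; the Step 5 objects (192.168.20.2 mapped to 209.165.200.241, 192.168.20.5 mapped to 209.165.200.242) are taken as already configured.

```cisco
! Added example (not the assessment key): OUTSIDE-TO-DMZ for an ASA running
! 8.3 or later, where ACEs are matched against the REAL (pre-NAT) address.
! Assumes the Step 5 objects exist: DMZ-web-server = 192.168.20.2 (mapped
! 209.165.200.241) and DMZ-dns-server = 192.168.20.5 (mapped 209.165.200.242).
! The DNS entry is an assumed requirement, not a rule given on this page.
configure terminal
access-list OUTSIDE-TO-DMZ extended permit tcp host 198.133.219.35 object DMZ-web-server eq ftp
access-list OUTSIDE-TO-DMZ extended permit udp any object DMZ-dns-server eq domain
! Anything else arriving on OUTSIDE is dropped by the implicit deny at the end.
access-group OUTSIDE-TO-DMZ in interface OUTSIDE
end
!
! Checks. packet-tracer takes the packet as it arrives on OUTSIDE, i.e. with the
! MAPPED destination; the trace shows an UN-NAT phase to 192.168.20.2 followed by
! an ACCESS-LIST phase that permits, and ends with "Action: allow".
packet-tracer input OUTSIDE tcp 198.133.219.35 40000 209.165.200.241 21
! The same packet from a source the ACL does not list (203.0.113.9 is a
! constructed address) must end with "Action: drop" in the ACCESS-LIST phase.
packet-tracer input OUTSIDE tcp 203.0.113.9 40000 209.165.200.241 21
! Hit counters only increment when the ACE is written against the real address.
show access-list OUTSIDE-TO-DMZ
show nat detail
```

FTP relies on the default inspect ftp in the ASA's global_policy for the data channel; if that inspection has been removed, control connections will pass this ACL while file transfers fail.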
b. Configure all unused ports in static access mode so that they will not negotiate trunks.
Switch 1
enable
conf t
! interface range <unused ports> (the port list is in the assessment topology, not on this page)
 switchport mode access
 switchport nonegotiate
 shutdown
! switchport nonegotiate is rejected on a port still in dynamic mode, so static access mode has to be set first.
Switch 1
! Active host-facing ports (interface range not on this page); port security likewise requires a static access port:
 switchport mode access
 switchport port-security
 switchport nonegotiate
Step 3: Implement STP Security
On Switch 1, implement STP security measures on the active ports that are connected to hosts.
b. Configure the ports to quickly go into STP forwarding mode without going through the STP transitional modes. Do this on a port-by-port basis, not on the entire switch.
Switch 1
! Under each active host-facing interface (not the global spanning-tree portfast default command):
 spanning-tree portfast
end
Configure a site-to-site IPsec VPN between the HQ and Branch routers according to the requirements below.

ISAKMP Phase 1 Policy Parameters Table
Parameter                  Value
Encryption Algorithm       AES
Hash Algorithm             SHA-1
Key Distribution Method    ISAKMP
Authentication Method      Pre-share
Key Exchange               DH2
ISAKMP Key                 Vpnpass101

IPsec Phase 2 Policy Parameters Table
Parameters                 HQ Router          Branch Router
a. Configure ACL 120 on the HQ router to identify the interesting traffic to be sent across the VPN. The interesting traffic is all IP traffic from the HQ LAN to the Branch LAN.
b. Configure the ISAKMP Phase 1 properties on the HQ router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters Table for the specific details needed.
c. Configure the ISAKMP Phase 2 properties on the HQ router using 10 as the sequence number. Refer to the ISAKMP Phase 2 Policy Parameters Table for the specific details needed.
e. Configure IPsec parameters on the Branch router using the same parameters as on the HQ router. Note that interesting traffic is defined as the IP traffic from the Branch LAN to the LAN that is attached to HQ.
f. Save the running-config, then reload both the HQ and Branch routers.
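The following is an added example, not the assessment answer key: the complete site-to-site configuration for steps a through f on both routers, so the two halves can be compared side by side. Everything the page gives is used as written (policy 10, AES, SHA, pre-share, DH group 2, key Vpnpass101, lifetime 1800, ACL 120, crypto map sequence 10, interface s0/0/0). The WAN addresses 10.1.1.1/30 and 10.1.1.2/30, the Branch LAN 172.16.3.0/24, the use of 192.168.10.0/24 as the HQ LAN, the transform set VPN-SET (esp-aes esp-sha-hmac, mirroring the Phase 1 choice) and the crypto map name VPN-MAP are assumptions, since the page does not reproduce the addressing table or the Phase 2 table rows.

```cisco
! Added example (not the assessment key): full site-to-site IPsec for steps a-f.
! Values NOT on this page are assumptions:
!   HQ S0/0/0 10.1.1.1/30, Branch S0/0/0 10.1.1.2/30 (WAN link)
!   HQ LAN 192.168.10.0/24 (taken as the INSIDE network from Step 5)
!   Branch LAN 172.16.3.0/24
!   transform set VPN-SET = esp-aes esp-sha-hmac, crypto map name VPN-MAP
! From the page: policy 10, AES, SHA, pre-share, group 2, key Vpnpass101,
! lifetime 1800, ACL 120, crypto map sequence 10, interface s0/0/0.
!
! ---------------- HQ Router ----------------
configure terminal
! a. Interesting traffic: HQ LAN -> Branch LAN. The Branch ACL below is the exact
!    mirror image; a non-mirrored pair is the usual cause of Phase 2 failing with
!    "proxy identities not supported".
access-list 120 permit ip 192.168.10.0 0.0.0.255 172.16.3.0 0.0.0.255
! b. Phase 1 (IKEv1/ISAKMP) policy 10
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 1800
 exit
crypto isakmp key Vpnpass101 address 10.1.1.2
! c. Phase 2: transform set and crypto map entry 10, applied to the WAN interface
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set VPN-SET
 match address 120
 exit
interface Serial0/0/0
 crypto map VPN-MAP
 exit
end
copy running-config startup-config
!
! ---------------- Branch Router ----------------
configure terminal
! e. Same parameters; ACL direction and peer address are mirrored.
access-list 120 permit ip 172.16.3.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 1800
 exit
crypto isakmp key Vpnpass101 address 10.1.1.1
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set VPN-SET
 match address 120
 exit
interface Serial0/0/0
 crypto map VPN-MAP
 exit
end
copy running-config startup-config
!
! f. reload both routers. The tunnel is built on demand, so send LAN-to-LAN
!    traffic first, then verify on either router:
reload
show crypto isakmp sa        ! expect state QM_IDLE for the peer
show crypto ipsec sa         ! #pkts encaps / #pkts decaps must increase
```

If show crypto isakmp sa shows MM_NO_STATE, Phase 1 itself failed: check that all five policy 10 parameters and the pre-shared key match on both ends before looking at the Phase 2 settings.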
HQ Router
Username: CORPADMIN
Password: NetSec-Admin1
enable
Password: RTR-AdminP@55
conf ter
! b. Phase 1 policy 10 (parameters from the ISAKMP Phase 1 Policy Parameters Table)
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 1800
 exit
! The Branch peer address is in the assessment's addressing table, not on this page:
crypto isakmp key Vpnpass101 address <Branch-S0/0/0-address>
! c. The transform set and crypto map (sequence 10) are not reproduced in the extracted key; the map is applied to the WAN interface:
int s0/0/0
 crypto map <crypto-map-name>
end
Branch Router
Username: CORPADMIN
Password: NetSec-Admin1
enable
Password: RTR-AdminP@55
conf ter
! e. Phase 1 policy 10 with the same parameters as HQ; encryption aes belongs here too (the extracted key omits it)
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 1800
 exit
! Same pre-shared key on both ends; the HQ peer address is in the addressing table, not on this page:
crypto isakmp key Vpnpass101 address <HQ-S0/0/0-address>
! The transform set and crypto map mirroring HQ (sequence 10) are not reproduced in the extracted key; the map is applied to the WAN interface:
int s0/0/0
 crypto map <crypto-map-name>
end