CCNA Security v1.2 PT Practice SA
Verified today: 10.02.2015 !
A few things to keep in mind while completing this activity.
1. Do not use the browser Back button or close or reload any Exam windows during the exam.
2. Do not close Packet Tracer when you are done. It will close automatically.
3. Click the Submit Assessment button to submit your work.
Introduction
In this practice Packet Tracer Skills Based Assessment, you will do as follows:
– Configure basic device hardening and secure network management
– Configure an ASA firewall to implement security policies
– Configure ACLs to filter network traffic
– Configure devices to protect against STP attacks and to enable broadcast storm control
– Configure port security and disable unused switch ports
– Configure an IOS IPS
– Configure a ZBF to implement security policies
– Configure a site-to-site IPsec VPN
Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.
Step 1: Configure Basic Device Hardening for the CORP Router.
a. Configure the CORP router to accept only passwords with a minimum length of 10 characters.
CORP(config)# security passwords min-length 10
b. Configure an encrypted privileged level password of ciscoclass.
CORP(config)# enable secret ciscoclass
c. Enable password encryption for all clear text passwords in the configuration file.
CORP(config)# service password-encryption
d. Configure the console line and all vty lines 0 to 15 with the following requirements:
Note: CORP is already configured with the username CORPADMIN and the secret password Ciscoccnas.
– use the local database for login
– disconnect after being idle for 20 minutes
CORP(config)# line console 0
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 0 15
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
e. Disable the CDP protocol only on the link to the Internet router.
CORP(config)# interface s0/0/0
CORP(config-if)# no cdp enable
Step 2: Configure Secure Network Management for the CORP Router.
a. Enable the CORP router as follows:
– as an NTP client to the NTP/Syslog server
CORP(config)# ntp server 209.165.200.252
– to update the router calendar (hardware clock) from the NTP time source
CORP(config)# ntp update-calendar
– to timestamp log messages
CORP(config)# service timestamps log datetime msec
– to send logging messages to the NTP/Syslog server
CORP(config)# logging host 209.165.200.252
b. Configure the CORP router to accept SSH connections. Use the following guidelines:
Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess.
– domain name is theccnas.com
CORP(config)# ip domain-name theccnas.com
– RSA encryption key pair using a modulus of 1024
CORP(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
(1024 bits is what this assessment asks for. On a production router generate at least 2048 bits; 1024-bit RSA is no longer considered adequate.)
– SSH version 2, timeout of 90 seconds, and 2 authentication retries
CORP(config)# ip ssh version 2
CORP(config)# ip ssh time-out 90
CORP(config)# ip ssh authentication-retries 2
– all vty lines accept only SSH connections
CORP(config)# line vty 0 15
CORP(config-line)# transport input ssh
CORP(config-line)# exit
c. Configure the CORP router with AAA server-based authentication and verify its functionality:
Note: The AAA server is already configured with RADIUS service, a username CORPSYS and the password LetSysIn. The key for the client to access the AAA server is corpradius.
– AAA authentication using the AAA server as the default for console line and vty lines 0 to 4 access. The local database is used as a backup method in case the AAA server cannot be connected.
CORP(config)# aaa new-model
CORP(config)# radius-server host 209.165.200.252 key corpradius
CORP(config)# aaa authentication login default group radius local
CORP(config)# line vty 0 4
CORP(config-line)# login authentication default
CORP(config-line)# line vty 5 15
CORP(config-line)# login authentication default
CORP(config-line)# line con 0
CORP(config-line)# login authentication default
CORP(config-line)# end
CORP# show running-config
Because the method list ends in local, a login still succeeds with the local CORPADMIN or SSHAccess accounts when the RADIUS server cannot be reached. The fallback is used only on a server error, not when the server is reachable and rejects the credentials.
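The Step 1 and Step 2 settings are easy to leave half done on a real router, so here is an added example (not part of the assessment, and not a Cisco tool) that audits a saved running-config against that checklist. The configuration text below is constructed for the example, with a few of the checks deliberately failing; the policy values are the ones required above.

```python
"""Audit an IOS running-config against the hardening checklist from Steps 1 and 2.

Constructed example: the config below is made up for this page (it is not a capture
from the assessment) and the parser is a plain-text checker, not a Cisco tool.
"""
import re

SAMPLE_CONFIG = """\
hostname CORP
security passwords min-length 8
enable secret 5 $1$abcd$0123456789abcdefghijkl
ip domain-name theccnas.com
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
aaa new-model
aaa authentication login default group radius local
!
line con 0
 login authentication default
 exec-timeout 20 0
!
line vty 0 4
 login authentication default
 exec-timeout 20 0
 transport input ssh
!
line vty 5 15
 login authentication default
 transport input telnet ssh
!
end
"""

# Values required by the assessment (Steps 1a, 1d and 2b); change them for another policy.
POLICY = {"min_password_length": 10, "max_exec_timeout_min": 20,
          "ssh_timeout": 90, "ssh_retries": 2}


def parse_config(text):
    """Split a running-config into global commands and the commands under each 'line' section."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the section
            if raw.strip() and raw.strip() != "!":
                global_cmds.append(raw.strip())
    return global_cmds, sections


def _value(global_cmds, pattern):
    """Return the integer captured by pattern from the first matching global command, or None."""
    for cmd in global_cmds:
        m = re.fullmatch(pattern, cmd)
        if m:
            return int(m.group(1))
    return None


def audit(text, policy=POLICY):
    """Return a list of findings; an empty list means every check on this page's checklist passed."""
    global_cmds, sections = parse_config(text)
    findings = []

    min_len = _value(global_cmds, r"security passwords min-length (\d+)")
    if min_len is None or min_len < policy["min_password_length"]:
        findings.append("password min-length below %d" % policy["min_password_length"])
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append("no enable secret configured")
    if "service password-encryption" not in global_cmds:
        findings.append("service password-encryption missing")

    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH version 2 not enforced")
    timeout = _value(global_cmds, r"ip ssh time-out (\d+)")
    if timeout is None or timeout > policy["ssh_timeout"]:
        findings.append("ip ssh time-out missing or above %d" % policy["ssh_timeout"])
    retries = _value(global_cmds, r"ip ssh authentication-retries (\d+)")
    if retries is None or retries > policy["ssh_retries"]:
        findings.append("ip ssh authentication-retries missing or above %d" % policy["ssh_retries"])

    if "aaa new-model" in global_cmds:
        methods = [c.split()[4:] for c in global_cmds if c.startswith("aaa authentication login default ")]
        if not methods or "local" not in methods[0]:
            findings.append("AAA default login list has no local fallback")

    for name, cmds in sections.items():
        seconds = None
        for c in cmds:
            m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", c)
            if m:
                seconds = int(m.group(1)) * 60 + int(m.group(2) or 0)
        if seconds is None:
            findings.append("%s: exec-timeout not set (IOS default is 10 minutes)" % name)
        elif seconds == 0 or seconds > policy["max_exec_timeout_min"] * 60:
            findings.append("%s: exec-timeout disabled or above %d minutes" % (name, policy["max_exec_timeout_min"]))
        if not any(c == "login local" or c.startswith("login authentication ") for c in cmds):
            findings.append("%s: no local or AAA login configured" % name)
        if name.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append("%s: transport input is not SSH-only" % name)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run against the sample it reports the short min-length, the missing service password-encryption, and the vty 5 15 block that still accepts Telnet and has no exec-timeout; paste in the real show running-config output to audit a device.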
Step 3: Configure Device Hardening for Switch1.
a. Access Switch1 with username CORPADMIN, password Ciscoccnas, and the enable secret password of ciscoclass.
b. Enable storm control for broadcasts on GigabitEthernet0/1 with a 50 percent rising suppression level.
SW1(config)# interface Gig0/1
SW1(config-if)# storm-control broadcast level 50
c. Configure Switch1 to protect against STP attacks.
– Configure PortFast on Fast Ethernet ports 0/1 to 0/24.
– Enable BPDU guard on Fast Ethernet ports 0/1 to 0/24.
SW1(config)# interface range fa0/1-24
SW1(config-if-range)# spanning-tree portfast
SW1(config-if-range)# spanning-tree bpduguard enable
d. Configure port security and disable unused ports.
– Set the maximum number of learned MAC addresses to 2 on Fast Ethernet ports 0/1 to 0/24. Allow the MAC address to be learned dynamically and then stored in the running config. Shut down the port if a violation occurs.
SW1(config)# interface range fa0/1-24
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport port-security
SW1(config-if-range)# switchport port-security maximum 2
SW1(config-if-range)# switchport port-security violation shutdown
SW1(config-if-range)# switchport port-security mac-address sticky
Port security is rejected on a port whose switchport mode is dynamic (the default), so the ports are set to access mode first; if they are already access ports the extra command changes nothing.
– Disable unused ports (Fa0/2-4, Fa0/6-10, Fa0/13-24).
SW1(config)# interface range fa0/2-4
SW1(config-if-range)# shutdown
SW1(config)# interface range fa0/6-10
SW1(config-if-range)# shutdown
SW1(config)# interface range fa0/13-24
SW1(config-if-range)# shutdown
SW1(config-if-range)# end
SW1# copy running-config startup-config
Step 4: Configure an IOS IPS on the CORP Router.
Note: On the CORP router, a directory in flash named ipsdir has already been created.
a. Configure the IPS signature storage location to be flash:ipsdir.
CORP(config)# ip ips config location flash:ipsdir/ retries 1
b. Create an IPS rule named corpips.
CORP(config)# ip ips name corpips
c. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.
CORP(config)# ip ips signature-category
CORP(config-ips-category)# category all
CORP(config-ips-category-action)# retired true
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# category ios_ips basic
CORP(config-ips-category-action)# retired false
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# exit
Do you want to accept these changes? [confirm] [Enter]
Retiring all and then unretiring only ios_ips basic keeps the compiled signature set small enough for the router's memory; a retired signature is not compiled and never fires.
d. Apply the IPS rule to the Gi0/0 interface outbound.
CORP(config)# interface Gig0/0
CORP(config-if)# ip ips corpips out
e. Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0); enable the signature; modify the signature event-action to produce an alert and to deny packets that match the signature.
CORP(config)# ip ips signature-definition
CORP(config-sigdef)# signature 2004 0
CORP(config-sigdef-sig)# status
CORP(config-sigdef-sig-status)# retired false
CORP(config-sigdef-sig-status)# enable true
CORP(config-sigdef-sig-status)# exit
CORP(config-sigdef-sig)# engine
CORP(config-sigdef-sig-engine)# event-action produce-alert
CORP(config-sigdef-sig-engine)# event-action deny-packet-inline
CORP(config-sigdef-sig-engine)# exit
CORP(config-sigdef-sig)# exit
CORP(config-sigdef)# exit
CORP(config)# exit
Do you want to accept these changes? [confirm] [Enter]
f. Verify that IPS is working properly: Public DNS/WEB/FTP Svr in the External network cannot ping the AAA server, but the AAA server can still ping Public DNS/WEB/FTP Svr. Signature 2004 matches ICMP echo requests, and the rule is applied outbound on Gi0/0 toward the AAA server's network, so requests arriving from the outside are dropped inline while the echo replies coming back to the AAA server are not matched.
Step 5: Configure CORP-ASA to Implement the Security Policy.
a. Access CORP-ASA and enter the privileged mode with the enable password of Ciscoccnas.
b. Configure the domain name as theccnas.com.
CORP-ASA(config)# domain-name theccnas.com
c. Configure the inside, outside, and dmz interfaces with the following information:
– VLAN 1 – IP address 192.168.1.1/24, nameif inside, security-level 100, assign to E0/1
CORP-ASA(config)# interface vlan 1
CORP-ASA(config-if)# nameif inside
CORP-ASA(config-if)# security-level 100
CORP-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
CORP-ASA(config-if)# exit
CORP-ASA(config)# interface e0/1
CORP-ASA(config-if)# switchport access vlan 1
CORP-ASA(config-if)# no shutdown
– VLAN 2 – IP address 209.165.200.253/28, nameif outside, security-level 0, assign to E0/0
CORP-ASA(config)# interface vlan 2
CORP-ASA(config-if)# nameif outside
CORP-ASA(config-if)# security-level 0
CORP-ASA(config-if)# ip address 209.165.200.253 255.255.255.240
CORP-ASA(config-if)# exit
CORP-ASA(config)# interface e0/0
CORP-ASA(config-if)# switchport access vlan 2
CORP-ASA(config-if)# no shutdown
– VLAN 3 – IP address 10.1.1.254/24, nameif dmz, security-level 70, assign to E0/2
CORP-ASA(config)# interface vlan 3
CORP-ASA(config-if)# no forward interface vlan 1
CORP-ASA(config-if)# nameif dmz
CORP-ASA(config-if)# security-level 70
CORP-ASA(config-if)# ip address 10.1.1.254 255.255.255.0
CORP-ASA(config-if)# exit
CORP-ASA(config)# interface e0/2
CORP-ASA(config-if)# switchport access vlan 3
CORP-ASA(config-if)# no shutdown
– Enable interfaces: the no shutdown on each Ethernet port above brings the interfaces up. The no forward interface vlan 1 on VLAN 3 is required by the ASA 5505 Base license before a third VLAN can be named; it stops the dmz from initiating traffic toward the inside, which is also the behaviour a DMZ should have.
d. Configure a static default route with the next hop address of the CORP router.
CORP-ASA(config)# route outside 0.0.0.0 0.0.0.0 209.165.200.254
CORP-ASA# show route
e. Configure NAT for both the inside and dmz networks.
– Create an object inside-nat with subnet 192.168.1.0/24 and enable the IP addresses of the hosts in the Internal network to be dynamically translated to access the External network using the outside interface.
CORP-ASA(config)# object network inside-nat
CORP-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CORP-ASA(config-network-object)# nat (inside,outside) dynamic interface
CORP-ASA(config-network-object)# end
– Create an object dmz-dns-server to statically translate the DNS server in the DMZ to its public IP.
CORP-ASA(config)# object network dmz-dns-server
CORP-ASA(config-network-object)# host 10.1.1.5
CORP-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.242
CORP-ASA(config-network-object)# end
– Create an object dmz-web-server to statically translate the web server in the DMZ to its public IP.
CORP-ASA(config)# object network dmz-web-server
CORP-ASA(config-network-object)# host 10.1.1.2
CORP-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.241
CORP-ASA(config-network-object)# end
f. Modify the default MPF application inspection global service policy to enable hosts in the Internal network to access the web servers on the Internet.
– Create a class inspection_default that matches default-inspection-traffic.
CORP-ASA(config)# class-map inspection_default
CORP-ASA(config-cmap)# match default-inspection-traffic
CORP-ASA(config-cmap)# exit
– Create a policy-map global_policy and specify the inspect http.
CORP-ASA(config)# policy-map global_policy
CORP-ASA(config-pmap)# class inspection_default
CORP-ASA(config-pmap-c)# inspect http
CORP-ASA(config-pmap-c)# exit
CORP-ASA(config-pmap)# exit
– Attach the policy map globally to all interfaces.
CORP-ASA(config)# service-policy global_policy global
g. Configure an ACL to allow access to the DMZ servers from the Internet. The ACL will also allow ICMP echo-reply traffic from the Internet to enter the CORP-ASA.
– Create, apply, and verify an extended named ACL (named OUTSIDE-TO-DMZ) to filter incoming traffic to the CORP-ASA. The ACL should be created in the order specified in the following guidelines (the order of the ACL statements matters only for scoring in Packet Tracer; none of the ACEs overlap). The ACEs reference the servers' real DMZ addresses rather than their public translations, because the ASA (8.3 and later) matches an interface ACL against the packet after the destination has been un-translated.
1. HTTP traffic is allowed to DMZ Web Svr.
CORP-ASA(config)# access-list OUTSIDE-TO-DMZ extended permit tcp any host 10.1.1.2 eq http
2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Server (two separate ACEs).
CORP-ASA(config)# access-list OUTSIDE-TO-DMZ extended permit tcp any host 10.1.1.5 eq 53
CORP-ASA(config)# access-list OUTSIDE-TO-DMZ extended permit udp any host 10.1.1.5 eq 53
3. ICMP echo-reply traffic is allowed to the DMZ.
CORP-ASA(config)# access-list OUTSIDE-TO-DMZ extended permit icmp any any echo-reply
4. FTP traffic from the Branch administrator workstation is allowed to DMZ Web Server.
CORP-ASA(config)# access-list OUTSIDE-TO-DMZ extended permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp
5. The ACL now contains five ACEs. Apply it inbound on the outside interface and check it:
CORP-ASA(config)# access-group OUTSIDE-TO-DMZ in interface outside
CORP-ASA# show access-list OUTSIDE-TO-DMZ
6. Verify the ASA configuration. Both Net Admin PC and DMZ Web Svr can access the website www.externalone.com. Admin PC can access the website www.theccnas.com. Admin PC can also establish an FTP connection to www.theccnas.com, with the username cisco and the password cisco.
Step 6: Configure ACLs on the CORP Router to Implement the Security Policy.
a. Create ACL 12 to implement the security policy regarding the access to the vty lines so that only users connecting from Net Admin PC and Admin PC are allowed access to the vty lines.
CORP(config)# access-list 12 permit host 192.168.1.4
CORP(config)# access-list 12 permit host 198.133.219.35
CORP(config)# line vty 0 4
CORP(config-line)# access-class 12 in
CORP(config-line)# line vty 5 15
CORP(config-line)# access-class 12 in
CORP(config-line)# end
CORP# show access-lists
CORP# show running-config
Note that with the Step 5 NAT, traffic from Net Admin PC (192.168.1.4) toward the CORP router leaves the ASA with the source address 209.165.200.253, so the 192.168.1.4 entry only matches if that flow is not translated; the assessment scores the ACL as written, and the Step 6c tests only check SSH from Admin PC.
b. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router. The ACL should be created in the order specified in the following guidelines (the order of the ACL statements matters only for scoring in Packet Tracer):
CORP(config)# ip access-list extended INCORP
1. Allow HTTP traffic to the DMZ Web Server.
CORP(config-ext-nacl)# permit tcp any host 209.165.200.241 eq 80
2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Server (two separate ACEs).
CORP(config-ext-nacl)# permit tcp any host 209.165.200.242 eq domain
CORP(config-ext-nacl)# permit udp any host 209.165.200.242 eq domain
3. Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on the CORP router.
CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
4. Allow IP traffic from the Branch router serial interface into the CORP router serial interface. (This is what lets the ISAKMP and ESP packets of the Step 8 VPN through.)
CORP(config-ext-nacl)# permit ip host 198.133.219.2 host 209.165.200.226
5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP site (209.165.200.240/28). (IOS checks VPN traffic against the inbound interface ACL both before and after decryption, and this ACE permits the decrypted Branch LAN traffic.)
CORP(config-ext-nacl)# permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
6. Allow echo-reply and host-unreachable traffic from the Internet.
CORP(config-ext-nacl)# permit icmp any any echo-reply
CORP(config-ext-nacl)# permit icmp any any host-unreachable
7. Allow return TCP traffic from the Internet with the destination of 209.165.200.240/28.
CORP(config-ext-nacl)# permit tcp any 209.165.200.240 0.0.0.15 established
CORP(config-ext-nacl)# exit
CORP(config)# interface s0/0/0
CORP(config-if)# ip access-group INCORP in
CORP(config-if)# end
CORP# show access-lists INCORP
The established keyword only checks that the ACK or RST flag is set; it keeps no connection state, so a crafted packet with ACK set reaches any host in 209.165.200.240/28. In this topology the ASA (and the ZBF on Branch) provide the stateful filtering; the router ACL is a coarse first filter, and unlike the ASA ACL it references the servers' public addresses because the router sees the packets before the ASA un-translates them.
c. To verify the INCORP ACL, complete the following tests:
– Net Admin PC in the Internal network can access the URL http://www.externalone.com.
– Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the username CORPSYS and password LetSysIn. If the password does not work, you may try the backup username SSHAccess and password ciscosshaccess defined in the local database.
– External User cannot establish an SSH connection to the CORP router (209.165.200.226).
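To see why each of those tests passes or fails before touching the router, here is an added example (not part of the assessment) that models how IOS evaluates the INCORP ACL: first match wins, top to bottom, with an implicit deny at the end. The ACL text is the one configured above; the packets are constructed for the Step 6c tests, and two of the addresses are assumptions taken from elsewhere on this page: External User is given the External PC address 192.31.7.33 from Step 7f, and return traffic for Net Admin PC is addressed to the ASA's outside address 209.165.200.253, where Step 5e translates it.

```python
"""Evaluate the INCORP ACL from Step 6b the way IOS does: first match wins, implicit deny at the end.

Added example for this page, not part of the assessment. The ACL text is the one configured above;
the packets are constructed for the Step 6c tests (External User's address 192.31.7.33 and the
ASA's PAT address 209.165.200.253 for Net Admin PC are assumptions taken from later steps).
"""
import ipaddress

INCORP = """
permit tcp any host 209.165.200.241 eq 80
permit tcp any host 209.165.200.242 eq domain
permit udp any host 209.165.200.242 eq domain
permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
permit ip host 198.133.219.2 host 209.165.200.226
permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
permit icmp any any echo-reply
permit icmp any any host-unreachable
permit tcp any 209.165.200.240 0.0.0.15 established
"""

PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21, "ssh": 22, "telnet": 23}  # IOS port keywords


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return ((net, mask), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0xFFFFFFFF), tokens[2:]
    mask = ~_ip(tokens[1]) & 0xFFFFFFFF      # wildcard bits set to 1 are "don't care"
    return (_ip(tokens[0]) & mask, mask), tokens[2:]


def parse_ace(line):
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = parse_addr(tokens[2:])
    dst, rest = parse_addr(rest)
    ace = {"action": action, "proto": proto, "src": src, "dst": dst,
           "dport": None, "icmp": None, "established": False, "text": line}
    if rest[:1] == ["eq"]:
        ace["dport"] = int(PORT_NAMES.get(rest[1], rest[1]))
        rest = rest[2:]
    if "established" in rest:
        ace["established"] = True
    elif proto == "icmp" and rest:
        ace["icmp"] = rest[0]
    return ace


def matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        net, mask = ace[side]
        if _ip(pkt[side]) & mask != net:
            return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    # 'established' is not stateful: it only requires the ACK or RST flag to be set.
    if ace["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False
    if ace["icmp"] is not None and pkt.get("icmp") != ace["icmp"]:
        return False
    return True


def evaluate(acl_text, pkt):
    """Return (action, ACE text) for the first matching ACE, or ('deny', 'implicit deny')."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"


def step6c_checks(acl_text=INCORP):
    """The Step 6c verification tests (plus a few probes) as packets arriving inbound on S0/0/0."""
    admin_pc, external = "198.133.219.35", "192.31.7.33"
    corp_s0, asa_outside = "209.165.200.226", "209.165.200.253"
    probes = {
        "Admin PC SSH to CORP": {"src": admin_pc, "dst": corp_s0, "proto": "tcp", "dport": 22, "flags": {"SYN"}},
        "External User SSH to CORP": {"src": external, "dst": corp_s0, "proto": "tcp", "dport": 22, "flags": {"SYN"}},
        "web reply to PATed Net Admin PC": {"src": external, "dst": asa_outside, "proto": "tcp", "dport": 51000, "flags": {"ACK"}},
        "new SYN to ASA outside address": {"src": external, "dst": asa_outside, "proto": "tcp", "dport": 51000, "flags": {"SYN"}},
        "ACK-only probe to ASA outside": {"src": external, "dst": asa_outside, "proto": "tcp", "dport": 443, "flags": {"ACK"}},
        "ping request from Internet": {"src": external, "dst": asa_outside, "proto": "icmp", "icmp": "echo"},
    }
    return {name: evaluate(acl_text, pkt)[0] for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, action in step6c_checks().items():
        print("%-34s %s" % (name, action))
```

The "ACK-only probe" row is the point of the established caveat: the ACL permits it exactly as it permits a genuine reply, which is why the stateful ASA sits behind this router.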
Step 7: Configure a Zone-Based Policy Firewall on the Branch Router.
a. Access the Branch router with username CORPADMIN, password Ciscoccnas and the enable secret password of ciscoclass.
b. On the Branch router, create the firewall zones.
– Create an internal zone named BR-IN-ZONE.
Branch(config)# zone security BR-IN-ZONE
Branch(config-sec-zone)# exit
– Create an external zone named BR-OUT-ZONE.
Branch(config)# zone security BR-OUT-ZONE
Branch(config-sec-zone)# exit
c. Define a traffic class and access list.
– Create an ACL 110 to permit all protocols from the 198.133.219.32/27 network to any destination.
Branch(config)# access-list 110 permit ip 198.133.219.32 0.0.0.31 any
– Create a class map using the option of class map type inspect with the match-all keyword. Match the ACL 110 and name the class map BR-IN-CLASS-MAP.
Branch(config)# class-map type inspect match-all BR-IN-CLASS-MAP
Branch(config-cmap)# match access-group 110
Branch(config-cmap)# exit
d. Specify firewall policies.
– Create a policy map named BR-IN-OUT-PMAP.
Branch(config)# policy-map type inspect BR-IN-OUT-PMAP
– Use the BR-IN-CLASS-MAP class map.
Branch(config-pmap)# class type inspect BR-IN-CLASS-MAP
– Specify the action of inspect for this policy map.
Branch(config-pmap-c)# inspect
Branch(config-pmap-c)# exit
Branch(config-pmap)# exit
e. Apply the firewall.
– Create a pair of zones named IN-OUT-ZPAIR with the source as BR-IN-ZONE and destination as BR-OUT-ZONE.
Branch(config)# zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE
– Specify the policy map BR-IN-OUT-PMAP for handling the traffic between the two zones.
Branch(config-sec-zone-pair)# service-policy type inspect BR-IN-OUT-PMAP
Branch(config-sec-zone-pair)# exit
– Assign interfaces to the appropriate security zones.
Branch(config)# interface Gig0/0
Branch(config-if)# zone-member security BR-IN-ZONE
Branch(config-if)# interface s0/0/0
Branch(config-if)# zone-member security BR-OUT-ZONE
Branch(config-if)# end
Only the IN-OUT-ZPAIR pair carries a policy, so traffic initiated from BR-OUT-ZONE toward BR-IN-ZONE is dropped unless it is the return flow of a session that inspect recorded; that is why External User cannot ping Admin PC in the verification below.
f. Verify the ZBF configuration.
– The Admin PC in the Branch office can access the URLs http://www.theccnas.com and http://www.externalone.com.
– The Admin PC in the Branch office can ping the External PC (192.31.7.33).
– External User cannot ping the Admin PC in the Branch office (198.133.219.35).
– The Admin PC in the Branch office can establish an SSH connection to the CORP router with the username CORPSYS and password LetSysIn. If the password does not work, you may try the backup username SSHAccess and password ciscosshaccess defined in the local database.
To establish the SSH connection from the PC command prompt, give the username with -l and then the CORP address:
PC> ssh -l CORPSYS 209.165.200.226
Step 8: Configure a Site-to-Site IPsec VPN between the CORP router and the Branch Router.
The following tables list the parameters for the ISAKMP Phase 1 Policy and the IPsec Phase 2 Policy:

ISAKMP Phase 1 Policy Parameters
  Key Distribution Method   ISAKMP
  Encryption Algorithm      AES
  Number of Bits            256
  Hash Algorithm            SHA-1
  Authentication Method     Pre-share
  Key Exchange              DH 2
  IKE SA Lifetime           86400
  ISAKMP Key                Vpnpass101

IPsec Phase 2 Policy Parameters
  Parameters            CORP Router              Branch Router
  Transform Set Name    VPN-SET                  VPN-SET
  Transform Set         esp-3des esp-sha-hmac    esp-3des esp-sha-hmac
  Peer Host Name        Branch                   CORP
  Peer IP Address       198.133.219.2            209.165.200.226
  Encrypted Network     209.165.200.240/28       198.133.219.32/27
  Crypto Map Name       VPN-MAP                  VPN-MAP
  SA Establishment      ipsec-isakmp             ipsec-isakmp

These are the values the assessment requires. 3DES for ESP and DH group 2 are considered weak today; a production tunnel would use AES for the transform set and at least DH group 14.
a. Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).
CORP(config)# access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
b. Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters Table for the specific details needed.
CORP(config)# crypto isakmp policy 10
CORP(config-isakmp)# encryption aes 256
CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)# group 2
CORP(config-isakmp)# lifetime 86400
CORP(config-isakmp)# hash sha
CORP(config-isakmp)# exit
CORP(config)# crypto isakmp key Vpnpass101 address 198.133.219.2
(lifetime 86400 and hash sha are the IOS defaults, so those two commands are optional; they are shown so that the policy matches the table explicitly.)
c. Configure the IPsec Phase 2 properties on the CORP router. Refer to the IPsec Phase 2 Policy Parameters Table for the specific details needed.
CORP(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
CORP(config)# crypto map VPN-MAP 10 ipsec-isakmp
CORP(config-crypto-map)# set peer 198.133.219.2
CORP(config-crypto-map)# set transform-set VPN-SET
CORP(config-crypto-map)# match address 120
CORP(config-crypto-map)# exit
d. Bind the VPN-MAP crypto map to the outgoing interface.
CORP(config)# interface s0/0/0
CORP(config-if)# crypto map VPN-MAP
CORP(config-if)# end
e. Configure IPsec parameters on the Branch router using the
same parameters as on the CORP router. Note that interesting traffic is defined
as the IP traffic from the two LANs.
Branch(config)# access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
Branch(config)# crypto isakmp policy 10
Branch(config-isakmp)# encryption aes 256
Branch(config-isakmp)# authentication pre-share
Branch(config-isakmp)# group 2
Branch(config-isakmp)# lifetime 86400 (Default/Optional)
Branch(config-isakmp)# hash sha (Default/optional)
Branch(config-isakmp)# exit
Branch(config)# crypto isakmp key Vpnpass101 address 209.165.200.226
Branch(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
Branch(config)# crypto map VPN-MAP 10 ipsec-isakmp
Branch(config-crypto-map)# set peer 209.165.200.226
Branch(config-crypto-map)# set transform-set VPN-SET
Branch(config-crypto-map)# match address 120
Branch(config-crypto-map)# exit
Branch(config)# interface s0/0/0
Branch(config-if)# crypto map VPN-MAP
Branch(config-if)# end
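Before saving and reloading, it is worth checking that the two sides of the tunnel actually agree, because a Phase 1 parameter mismatch, a different pre-shared key, or a crypto ACL that is not the exact mirror of its peer's are the usual reasons an SA never comes up. The script below is an added example for this page (it is not part of the original post or of the Packet Tracer activity); its two configuration strings are constructed from the CORP and Branch commands in steps a to e, and the function names are the example's own. It parses the IPsec-relevant lines from each router, converts the wildcard masks to prefixes, and reports every inconsistency it finds between the peers.

```python
import ipaddress

# Constructed from the CORP and Branch commands shown above (example input,
# not the page's own files). Indentation is cosmetic; the parser keys off keywords.
CORP_CFG = """
access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
 lifetime 86400
 hash sha
crypto isakmp key Vpnpass101 address 198.133.219.2
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.133.219.2
 set transform-set VPN-SET
 match address 120
"""

BRANCH_CFG = """
access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
 lifetime 86400
 hash sha
crypto isakmp key Vpnpass101 address 209.165.200.226
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 209.165.200.226
 set transform-set VPN-SET
 match address 120
"""


def parse_router(cfg):
    """Extract the IPsec-relevant parts of an IOS config into a dict."""
    r = {"acl": {}, "isakmp": {}, "psk": {}, "tsets": {}, "map": {}}
    ctx = None
    for raw in cfg.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "permit":
            # access-list N permit ip SRC WILDCARD DST WILDCARD
            # ipaddress accepts a wildcard (host mask) after the slash.
            src = ipaddress.ip_network(f"{t[4]}/{t[5]}")
            dst = ipaddress.ip_network(f"{t[6]}/{t[7]}")
            r["acl"].setdefault(t[1], []).append((src, dst))
            ctx = None
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            ctx = "isakmp"
        elif t[:3] == ["crypto", "isakmp", "key"]:
            r["psk"][t[5]] = t[3]          # peer address -> key
            ctx = None
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            r["tsets"][t[3]] = tuple(t[4:])
            ctx = None
        elif t[:2] == ["crypto", "map"]:
            ctx = "map"
        elif ctx == "isakmp":
            r["isakmp"][t[0]] = " ".join(t[1:])   # encryption / hash / group / ...
        elif ctx == "map" and t[0] == "set":
            r["map"][t[1]] = t[2]          # "peer" / "transform-set"
        elif ctx == "map" and t[0] == "match":
            r["map"]["acl"] = t[2]
    return r


def check_pair(a, b):
    """Return a list of mismatches between two parsed peers; empty means consistent."""
    problems = []
    if a["isakmp"] != b["isakmp"]:
        problems.append(f"ISAKMP policy mismatch: {a['isakmp']} vs {b['isakmp']}")
    ts_a = a["tsets"].get(a["map"].get("transform-set"))
    ts_b = b["tsets"].get(b["map"].get("transform-set"))
    if ts_a is None or ts_a != ts_b:
        problems.append(f"transform-set mismatch: {ts_a} vs {ts_b}")
    key_a = a["psk"].get(a["map"].get("peer"))
    key_b = b["psk"].get(b["map"].get("peer"))
    if key_a is None or key_b is None:
        problems.append("no pre-shared key configured for the crypto-map peer")
    elif key_a != key_b:
        problems.append("pre-shared keys differ")
    acl_a = a["acl"].get(a["map"].get("acl"), [])
    acl_b = b["acl"].get(b["map"].get("acl"), [])
    # The peer's crypto ACL must be the exact mirror: (src, dst) <-> (dst, src).
    if not acl_a or {(d, s) for s, d in acl_a} != set(acl_b):
        problems.append("crypto ACLs are not mirror images")
    return problems


def verify(cfg_a, cfg_b):
    return check_pair(parse_router(cfg_a), parse_router(cfg_b))


if __name__ == "__main__":
    for line in verify(CORP_CFG, BRANCH_CFG) or ["OK: CORP and Branch IPsec parameters are consistent"]:
        print(line)
```

Paste both running configs into the two strings and run it; changing `group 2` to `group 5` on one side, or widening one crypto ACL to a /24, produces a finding, which is exactly the kind of drift `show crypto isakmp sa` would otherwise only reveal as a stuck negotiation.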
Save the running-config, then reload both CORP and Branch
routers.
CORP# copy running-config startup-config
Branch# copy running-config startup-config
That's all. If you have any improvement that would make this CCNA Security Packet Tracer SBA v1.2 100% correct, please leave your comment below. All credit goes to RBL Hannover.
So if you want 100%, you have to put the public IPs of the DNS and web servers from the DMZ into the ACL.
access-list OUTSIDE-TO-DMZ extended permit tcp any host 209.165.200.241 eq http
access-list OUTSIDE-TO-DMZ extended permit tcp any host 209.165.200.242 eq 53
access-list OUTSIDE-TO-DMZ extended permit udp any host 209.165.200.242 eq 53
access-list OUTSIDE-TO-DMZ extended permit icmp any any echo-reply
access-list OUTSIDE-TO-DMZ extended permit tcp host 198.133.219.35 host 209.165.200.241 eq ftp
Keep in mind that this is NOT right; you do this only to get 100%.
To get 100%, here is the full CLI for each device:
CORP:
Log in as CORPADMIN with the secret password Ciscoccnas
enable
configure terminal
security passwords min-length 10
enable secret ciscoclass
service password-encryption
line console 0
login local
exec-timeout 20 0
line vty 0 15
login local
exec-timeout 20 0
exit
interface s0/0/0
no cdp enable
exit
ntp server 209.165.200.252 key 0
ntp update-calendar
service timestamps log datetime msec
logging host 209.165.200.252
ip domain-name theccnas.com
-------------
crypto key generate rsa !(How many bits in the modulus [512]: 1024)
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 15
transport input ssh
exit
aaa new-model
radius-server host 209.165.200.252 key corpradius
aaa authentication login default group radius local
line vty 0 4
login authentication default
line vty 5 15
login authentication default
line con 0
login authentication default
show running-config
exit
ip ips config location flash:ipsdir/ retries 1
ip ips name corpips
ip ips signature-category
category all
retired true
exit
category ios_ips basic
retired false
exit
exit
-----------------Do you want to accept these changes? [confirm] [Enter]
interface Gig0/0
ip ips corpips out
ip ips signature-definition
signature 2004 0
status
retired false
enable true
exit
engine
event-action produce-alert
event-action deny-packet-inline
exit
exit
exit
exit
------------------Do you want to accept these changes? [confirm] [Enter]
access-list 12 permit host 192.168.1.4
access-list 12 permit host 198.133.219.35
line vty 0 4
access-class 12 in
exit
line vty 5 15
access-class 12 in
exit
ip access-list extended INCORP
permit tcp any host 209.165.200.241 eq 80
permit tcp any host 209.165.200.242 eq domain
permit udp any host 209.165.200.242 eq domain
permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
permit ip host 198.133.219.2 host 209.165.200.226
permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
permit icmp any any echo-reply
permit icmp any any host-unreachable
permit tcp any 209.165.200.240 0.0.0.15 established
exit
interface s0/0/0
ip access-group INCORP in
exit
access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 2
lifetime 86400
hash sha
exit
crypto isakmp key Vpnpass101 address 198.133.219.2
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
set peer 198.133.219.2
set transform-set VPN-SET
match address 120
exit
interface s0/0/0
crypto map VPN-MAP
end
copy running-config startup-config
BRANCH:
Username: CORPADMIN
Password: Ciscoccnas
Branch>en
Password: ciscoclass
Branch#conf t
zone security BR-IN-ZONE
exit
zone security BR-OUT-ZONE
exit
access-list 110 permit ip 198.133.219.32 0.0.0.31 any
class-map type inspect match-all BR-IN-CLASS-MAP
match access-group 110
exit
policy-map type inspect BR-IN-OUT-PMAP
class type inspect BR-IN-CLASS-MAP
inspect
exit
zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE
service-policy type inspect BR-IN-OUT-PMAP
exit
interface Gig0/0
zone-member security BR-IN-ZONE
exit
interface s0/0/0
zone-member security BR-OUT-ZONE
exit
access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 2
lifetime 86400
hash sha
exit
crypto isakmp key Vpnpass101 address 209.165.200.226
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
set peer 209.165.200.226
set transform-set VPN-SET
match address 120
exit
interface s0/0/0
crypto map VPN-MAP
exit
exit
copy running-config startup-config
CORP-ASA:
CORP-ASA>
CORP-ASA>en
Password: Ciscoccnas
conf t
domain-name theccnas.com
interface vlan 1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
exit
interface e0/1
switchport access vlan 1
no shutdown
exit
interface vlan 2
nameif outside
security-level 0
ip address 209.165.200.253 255.255.255.240
exit
interface e0/0
switchport access vlan 2
no shutdown
exit
interface vlan 3
no forward interface vlan 1
nameif dmz
security-level 70
ip address 10.1.1.254 255.255.255.0
exit
interface e0/2
switchport access vlan 3
no shutdown
exit
exit
conf t
route outside 0.0.0.0 0.0.0.0 209.165.200.254
exit
show route
conf t
object network inside-nat
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
exit
conf t
object network dmz-dns-server
host 10.1.1.5
nat (dmz,outside) static 209.165.200.242
exit
conf t
object network dmz-web-server
host 10.1.1.2
nat (dmz,outside) static 209.165.200.241
exit
conf t
class-map inspection_default
match default-inspection-traffic
exit
policy-map global_policy
class inspection_default
inspect http
exit
service-policy global_policy global
access-list OUTSIDE-TO-DMZ extended permit tcp any host 209.165.200.241 eq 80
access-list OUTSIDE-TO-DMZ extended permit tcp any host 209.165.200.242 eq 53
access-list OUTSIDE-TO-DMZ extended permit udp any host 209.165.200.242 eq 53
access-list OUTSIDE-TO-DMZ extended permit icmp any any echo-reply
access-list OUTSIDE-TO-DMZ extended permit tcp host 198.133.219.35 host 209.165.200.241 eq ftp
access-group OUTSIDE-TO-DMZ in interface outside
exit
copy running-config startup-config
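The OUTSIDE-TO-DMZ ACL above names the public (NAT mapped) addresses of the DMZ servers, which is what the Packet Tracer grader wants but, as the post notes, is not how a real appliance behaves: since ASA 8.3 an interface ACL is evaluated against the real (untranslated) address of the object. The script below is an added example for this page, not code from the original post or from Cisco; its configuration string is constructed from the CORP-ASA commands above and the function names are the example's own. It reads the static object NATs, flags every ACL entry whose destination is a mapped address, and shows the same ACL rewritten against the real DMZ addresses.

```python
# Constructed ASA fragment, condensed from the CORP-ASA commands above
# (example input, not the page's own file).
ASA_CFG = """
object network dmz-dns-server
 host 10.1.1.5
 nat (dmz,outside) static 209.165.200.242
object network dmz-web-server
 host 10.1.1.2
 nat (dmz,outside) static 209.165.200.241
access-list OUTSIDE-TO-DMZ extended permit tcp any host 209.165.200.241 eq 80
access-list OUTSIDE-TO-DMZ extended permit tcp any host 209.165.200.242 eq 53
access-list OUTSIDE-TO-DMZ extended permit udp any host 209.165.200.242 eq 53
access-list OUTSIDE-TO-DMZ extended permit icmp any any echo-reply
access-list OUTSIDE-TO-DMZ extended permit tcp host 198.133.219.35 host 209.165.200.241 eq ftp
"""


def take_addr(tok, i):
    """Consume one ASA address spec at tok[i]: 'any', 'host X' or 'NET MASK'."""
    if tok[i].startswith("any"):
        return tok[i], i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2


def parse_asa(cfg):
    """Return ({mapped_ip: (object_name, real_addr)}, [ACL entry dicts])."""
    statics, acl, obj = {}, [], None
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            obj = {"name": tok[2], "real": None}
        elif obj and tok[0] in ("host", "subnet"):
            obj["real"] = tok[1] if tok[0] == "host" else f"{tok[1]} {tok[2]}"
        elif obj and tok[0] == "nat" and "static" in tok:
            statics[tok[tok.index("static") + 1]] = (obj["name"], obj["real"])
        elif tok[0] == "access-list":
            obj = None
            # access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT | icmp-type]
            i = 3 if tok[2] == "extended" else 2
            action, proto = tok[i], tok[i + 1]
            src, i = take_addr(tok, i + 2)
            dst, i = take_addr(tok, i)
            acl.append({"name": tok[1], "action": action, "proto": proto,
                        "src": src, "dst": dst, "rest": " ".join(tok[i:])})
    return statics, acl


def audit(cfg):
    """List (mapped_ip, object, real_addr) for ACL destinations that are mapped addresses.

    On ASA 8.3 and later the ACL is matched against the real address, so these
    entries would not match on a real appliance; Packet Tracer expects them.
    """
    statics, acl = parse_asa(cfg)
    findings = []
    for e in acl:
        if e["dst"].startswith("host "):
            ip = e["dst"].split()[1]
            if ip in statics:
                findings.append((ip, statics[ip][0], statics[ip][1]))
    return findings


def rewrite_real(cfg):
    """Emit the same ACL with mapped destinations replaced by the objects' real addresses."""
    statics, acl = parse_asa(cfg)
    out = []
    for e in acl:
        dst = e["dst"]
        if dst.startswith("host ") and dst.split()[1] in statics:
            real = statics[dst.split()[1]][1]
            dst = real if " " in real else f"host {real}"   # subnet objects keep NET MASK form
        line = f"access-list {e['name']} extended {e['action']} {e['proto']} {e['src']} {dst} {e['rest']}"
        out.append(line.rstrip())
    return out


if __name__ == "__main__":
    for ip, name, real in audit(ASA_CFG):
        print(f"{ip} is the mapped address of object {name} (real {real})")
    print("\n".join(rewrite_real(ASA_CFG)))
```

The rewritten lines are what you would configure on a post-8.3 ASA; the originals are what the assessment grades. Keeping both views side by side makes it obvious which one a given platform will actually enforce.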
Switch1:
Username: CORPADMIN
Password: Ciscoccnas
Switch>en
Password: ciscoclass
Switch#conf t
interface Gig0/1
storm-control broadcast level 50
exit
interface range fa0/1-24
spanning-tree portfast
spanning-tree bpduguard enable
exit
interface range fa0/1-24
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
exit
interface range fa0/2-4
shutdown
exit
interface range fa0/6-10
shutdown
exit
interface range fa0/13-24
shutdown
exit
exit
copy running-config startup-config
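With port security applied to a whole range and unused ports shut down in several sub-ranges, it is easy to lose track of which ports end up enabled and whether each of them carries the hardening commands. The audit script below is an added example for this page (not part of the original post): it expands IOS interface ranges, accumulates the commands applied to each port, lists the FastEthernet ports that remain enabled after the shutdowns, and reports any enabled access port that lacks port security with sticky MACs or BPDU guard. The configuration string is constructed from the Switch1 commands above, the required-command list is the example's own policy, and the function names are assumptions of the example.

```python
import re

# Constructed from the Switch1 commands above (example input, not the page's file).
SWITCH_CFG = """
interface Gig0/1
 storm-control broadcast level 50
interface range fa0/1-24
 spanning-tree portfast
 spanning-tree bpduguard enable
interface range fa0/1-24
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
interface range fa0/2-4
 shutdown
interface range fa0/6-10
 shutdown
interface range fa0/13-24
 shutdown
"""

# Commands every enabled access port is expected to carry (the example's own policy).
REQUIRED = (
    "switchport port-security",
    "switchport port-security mac-address sticky",
    "spanning-tree bpduguard enable",
)


def expand_range(spec):
    """Expand 'fa0/1-24' or 'fa0/1-4, fa0/6' into individual port names."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        m = re.fullmatch(r"(\S+/)(\d+)\s*-\s*(\d+)", item)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            ports.extend(f"{prefix}{n}" for n in range(lo, hi + 1))
        else:
            ports.append(item)
    return ports


def parse_switch(cfg):
    """Map each port name to the set of commands applied to it."""
    ports, current = {}, []
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "exit":
            continue
        if line.startswith("interface "):
            spec = line[len("interface "):]
            if spec.startswith("range "):
                spec = spec[len("range "):]
            current = expand_range(spec)
            for p in current:
                ports.setdefault(p, set())
        else:
            for p in current:
                if line == "no shutdown":
                    ports[p].discard("shutdown")   # a later 'no shutdown' re-enables the port
                else:
                    ports[p].add(line)
    return ports


def port_key(name):
    """Sort key so fa0/2 comes before fa0/10."""
    m = re.search(r"(\d+)/(\d+)$", name)
    return (name[:m.start()].lower(), int(m.group(1)), int(m.group(2))) if m else (name.lower(), 0, 0)


def active_access_ports(ports, prefix="fa"):
    """Access ports (selected by name prefix) that are not administratively shut down."""
    return [p for p in sorted(ports, key=port_key)
            if p.lower().startswith(prefix) and "shutdown" not in ports[p]]


def audit_ports(ports, prefix="fa"):
    """Return (port, [missing commands]) for every enabled access port lacking hardening."""
    findings = []
    for p in active_access_ports(ports, prefix):
        missing = [cmd for cmd in REQUIRED if cmd not in ports[p]]
        if missing:
            findings.append((p, missing))
    return findings


if __name__ == "__main__":
    parsed = parse_switch(SWITCH_CFG)
    print("enabled access ports:", ", ".join(active_access_ports(parsed)))
    for port, missing in audit_ports(parsed):
        print(f"{port}: missing {', '.join(missing)}")
```

For the configuration on this page the script reports fa0/1, fa0/5, fa0/11 and fa0/12 as the enabled ports and no findings; shrinking the port-security range to fa0/1-12 while leaving fa0/13-24 enabled makes it list those twelve ports as unprotected, which is the gap a reviewer would want surfaced before the switch goes into service.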