CCNASv1.1 Chp09 Lab-A Sec-Pol Instructor 8.25.37 AM
Comments
Description
CCNA SecurityChapter 9 Lab A: Security Policy Development and Implementation (Instructor Version) Grey Highlighting – indicates answers provided on instructor lab copies only Topology Note: IS R G2 devic es have Gigabit Ethernet interfaces instead of Fast Ethernet Interfaces. All contents are Copy right © 1992–2012 Cisco Sy stems, Inc. All rights reserv ed. This document is Cisco Public Inf ormation. Page 1 of 59 CCNA Security IP Addressing Table Device R1 R2 R3 S1 S2 S3 PC-A PC-B PC-C Interface FA0/1 S0/0/0 (DCE) S0/0/0 S0/0/1 (DCE) FA0/1 S0/0/1 VLAN 1 VLAN 1 VLAN 1 NIC NIC NIC IP Address 192.168.1.1 10.1.1.1 10.1.1.2 10.2.2.2 192.168.3.1 10.2.2.1 192.168.1.11 192.168.1.12 192.168.3.11 192.168.1.3 192.168.1.2 192.168.3.3 Subnet Mask 255.255.255.0 255.255.255.252 255.255.255.252 255.255.255.252 255.255.255.0 255.255.255.252 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 Default Gateway N/A N/A N/A N/A N/A N/A 192.168.1.1 192.168.1.1 192.168.3.1 192.168.1.1 192.168.1.1 192.168.3.1 Switch Port S1 FA0/5 N/A N/A N/A S3 FA0/5 N/A N/A N/A N/A S1 FA0/6 S2 FA0/18 S3 FA0/18 Objectives Part 1: Create a Basic Technical Security Policy Develop a Network Device Security Guidelines document. Part 2: Ba sic Network Device Configuration Configure hostnames, interface IP addresses, and passwords. Configure static routing. Part 3: Secure Network Routers Configure passwords and a login banner. Configure SSH access and disable Telnet. Configure HTTP secure server access. Configure a synchronized time source using NTP. Configure router syslog support. Configure centralized authentication using AAA and RA DIUS. Use Cisco IOS to disable unneeded services and secure against login attacks. Use CCP to disable unneeded services. Configure a CBA C firewall. Configure a ZBF firewall. Configure intrusion prevention system (IPS) using Cisco IOS and CCP. Back up and secure the Cisco IOS image and configuration files. Part 4: Secure Network Switches Configure passwords, and a login banner. Configure management VLAN access. All contents are Copy right © 1992–2012 Cisco Sy stems, Inc. All rights reserv ed. This document is Cisco Public Inf ormation. Page 2 of 59 CCNA Security Configure a synchronized time source using NTP. Configure syslog support. Configure SSH access. Configure AAA and RADIUS. Secure trunk ports. Secure access ports. Protect against STP attacks. Configure port security and disable unused ports. Part 5: Configure VPN remote access Use CCP to configure Easy VPN Server. Use the Cisco VPN Client to test the remote access VPN. Background A comprehensive security policy covers three main areas: governing policies, end-user policies, and technical policies. Tec hnical policies can include e-mail, remote access, telephony, applic ations, and network policies , such as device access controls and logging. The focus of this lab is the creation of a technical network policy that specifies security measures to be configured for network devices and implementation of those measures. In Part 1 of this lab, you create a basic Network Device Security Guidelines document that can serve as part of a comprehensive policy. This document addresses specific router and switch security measures and describes the security requirements to be implement ed on the infrastructure equipment. The Network Device Security Guidelines doc ument is presented to your instructor for review prior to starting Part 2 of the lab. In Part 2, you build the network and configure basic devic e settings. In Parts 3 and 4, you secure rout ers and switches. In Part 5, you configure a router for VP N remote access. The Net work Devic e Security Guidelines policy is used as the guiding document. The company you are working for has two locations connected by an ISP. Router R1 represents a remote site, and R3 represents the corporate headquarters. Rout er R2 represents the ISP. Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12. 4(20)T (Advanced IP image). The switch commands and output are from a Cisco WS-C2960-24TT-L with Cisco IOS Release 12. 2(46)SE (C2960-LA NBASEK9-M image). Other routers, switches, and Cisco IOS versions can be used. See the Router Interface Summary table at the end of the lab to determine which int erface identifiers to use based on the equipment in the lab. Depending on the router or switch model and Cisco IOS version, the commands available and output produced might vary from what is shown in this lab. Note: Make sure that the routers and switches have been erased and have no startup configurations. Instructor Note: Instructions for erasing both the switch and router are provided in the Lab Manual, located on Academy Connection in the Tools section. Required Resources 2 rout ers (Cisco 1841 with Cisco IOS Release 12.4(20)T1 Advanced IP Service or comparable) 1 rout er (Cisco 1841 with Cisco IOS Release 12.4(20)T1 IP Base or comparable) 3 switches (Cisco 2960 with Cisco IOS Release 12.2(46)SE C2960-LA NBASEK9-M image or comparable) PC-A: Windows XP, Vista, or Windows 7 with CCP 2.5, RADIUS, TFTP, and syslog servers plus PuTTY and Cisco VPN Client software available PC-B: Windows XP, Vista, or Windows 7 Page 3 of 59 All contents are Copy right © 1992–2012 Cisco Sy stems, Inc. All rights reserv ed. This document is Cisco Public Inf ormation. CCNA Security PC-C: Windows XP, Vista, or Windows 7 with CCP 2.5, RADIUS, TFTP, and syslog servers plus PuTTY software available and SuperScan (optional) Serial and Ethernet cables as shown in the topology Rollover cables to configure the routers via the console CCP Note s: Refer to Chp 00 Lab A for instructions on how to install and run CCP. Hardware/software recommendations for CCP include Windows XP, Vista, or Windows 7 with Java version 1.6.0_11 up to 1.6.0_21, Internet Explorer 6.0 or above and Flash Player Version 10.0.12.36 and later. If the PC on which CCP is installed is running Windows Vista or Windows 7, it may be necessary to right-click on the CCP icon or menu item, and choose Run as administrator. In order to run CCP, it may be necessary to temporarily disable antivirus programs and O/S firewalls. Make sure that all pop-up blockers are turned off in the browser. Instructor Notes: This lab is divided into five parts. Part 1 can be performed separately but must be performed before parts 2 through 5. Parts 2 through 5 can be performed individually or in combination with others as time permits, but should be performed sequentially. In some cases, a task assumes the configuration of certain features in a prior task. The main goal is to create the basic Net work Device Security Guidelines document and then implement the network equipment configuration using the security techniques learned in this course. For the main configuration tasks, the related course chapter is indicated so that the student can reference previous course mat erial and labs when configuring devices. This lab is written in the style of a challenge lab and does not provide many commands for the student. Students must use their memory, Cisco IOS help, or commands shown in previous labs to complete the tasks. Commands are shown in some cases where they differ signific antly from the ones used in previous labs or where the student should be familiar with the material but it was not a focus area for the course. Students present their Net work Device Security Guidelines from Part 1 to the instructor for review prior to starting lab Part 2. Make sure that they have included all elements of the sample shown in Part 1. The switches in the topology are an integral part of this lab and are secured along with the routers. The final running configs for all devices are found at the end of the lab. All contents are Copy right © 1992–2012 Cisco Sy stems, Inc. All rights reserv ed. This document is Cisco Public Inf ormation. Page 4 of 59 CCNA Security Part 1: Create a Basic Technical Security Policy In Part 1, you create a Network Device Security Guidelines document that can serve as part of a comprehensive network security policy. This document addresses specific router and switch security measures and describes the security requirements to be implemented on the infrastructure equipment. Task 1: Identify potential sections of a basic network security policy (Chapter 9) A network security policy should include several key sections that can address potential issues for users, network access, device access and other areas. List some key sections you think could be part of good basic security policy. Answers will vary but could include the following: Introduction Acceptable Use Policy E-mail and Communications Activities Antivirus Policy Identity Policy Password Policy Encryption Policy Remote Access Policy Virtual Private Network (VPN) Policy Extranet Policy Device management policy Physical device security policy Task 2: Create Network Equipment Security Guidelines as a Supplement to a Basic Security Policy (Chapter 9) Step 1: Review the objectives from previous CCNA Security labs. a. b. Open each of the previous labs completed from chapters one through eight and review the objectives listed for each one. Copy the objectives to a separate document for use as a starting point. Focus mainly on those objectives that involve security practices and device configuration. Step 2: Create a Network Device Security Guidelines document for router and switch security. Create a high-level list of tasks to include for net work access and device security. This doc ument should reinforce and supplement the information pres ented in a basic Security Policy. It is based on the content of previous CCNA Security labs and on the networking devices present in the course lab topology. Note: The Network Device Security Guidelines document should be no more than two pages and is the basis for the equipment configuration in the remaining parts of the lab. Step 3: Submit the Network Device Security Guidelines to your instructor. Provide the Net work Device Security Guidelines documents to your instructor for review before starting Part 2 of the lab. You can send them as e-mail attachments or put them on removable storage media, such as a flash drive. All contents are Copy right © 1992–2012 Cisco Sy stems, Inc. All rights reserv ed. This document is Cisco Public Inf ormation. Page 5 of 59 console. Encrypt all passwords. numbers. Page 6 of 59 All contents are Copy right © 1992–2012 Cisco Sy stems. Configure an SS H server and disable Telnet access. lowercase. Configure centralized authentication for each site using AAA and RADIUS. 8. 4. 4.CCNA Security Instructor Note: The following is an example of how the Net work Device Security Guidelines document might look. which should be a minimum of 10 characters. Configure an administrative user with privilege level 15 and a secret password. Be sure the students have addressed the categories and steps shown here. and vty passwords. 10. Inc. This document is Cisco Public Inf ormation. Encrypt all passwords. 7. Configure a centralized synchronized time source using NTP. Router Firewalls and Intrusion Prevention Configure a firewall on edge routers using Context-Based Access Control (CBAC) or CCP zone-based firewall tools. Configure NTP to access a centralized synchroniz ed time sourc e. 5. Disable unneeded servic es. 5. Configure a login banner warning unauthorized us ers of the penalties of access ing this device. Configure static routing between edge routers and the ISP. The firewall must allow external SSH connections. Configure an SS H server and disable Telnet access. 2. . Configure an administrative user with privilege level 15 and a secret password. All rights reserv ed. and special characters. Configure syslog support on edge rout ers. console. Configure the enable secret. 6. 6. Switch Security Measures The following steps should be taken to secure and harden switches : 1. 3. Configure a Cisco IOS Intrusion Prevention System (IPS) on the internal and external interfaces of the edge router. and special characters. 11. VPN traffic. numbers. 3. 9. 2. Disable the HTTP server. lowercase. Configure centralized authentication using AAA and RA DIUS. Passwords should include a combination of uppercase. Technical Policies Supplement to Security Policies Network Device Security Guidelines Unless otherwise indicated. these policy guidelines apply to all primary network devices such as switches and routers. Router Administrative Access The following steps must be taken to secure and harden rout ers : 1. Configure a login banner warning unauthorized us ers of the penalties of accessing this device. Passwords should include a combination of uppercase. Enable HTTP secure server for web-based access. 7. and NTP. which should be a minimum of 10 characters. 8. Configure the enable secret. and vty passwords. Configure port security.1. Disable unus ed ports.0. 3. VPN Remote Access 1. Device Operating System and Configuration File Security 1. Inc.0. 10.0 0.0. Configure all active non-trunk ports as access ports. Part 2: Basic Network Device Configuration (Chapters 2 and 6) In Part 2. Provide the Cisco VPN Client on external hosts.2 R3(config)# ip route 0. 14. you set up the net work topology and configure basic settings.0 0. Back up device running configs to a TFTP server. Configure corporate router support for remote access IPsec VPN connections. 13. Attach the devices shown in the topology diagram.2.0 10. c. Configure the interface IP addresses as shown in the IP addressing table.0. b.2. This document is Cisco Public Inf ormation. R1(config)# no ip domain-lookup Step 3: Configure static default routes on R1 and R3. All contents are Copy right © 1992–2012 Cisco Sy stems. 15. Configure a static route from R2 to the R1 LA N and from R2 to the R3 LAN. All rights reserv ed. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands as though they were hostnames.0. Configure forced trunking mode on trunk ports. R1(config)# interface S0/0/0 R1(config-if)# clock rate 64000 d. Configure a clock rate for the routers with a DCE serial cable attached to their serial interface. 11. Enable PortFast and BPDU guard on all active ports. Change the native VLA N for trunk ports to an unused VLAN. Configure hostnames as shown in the topology.1.2 Step 4: Configure static routes on R2. and cable as necessary. Perform steps on routers and switches as indicate d.CCNA Security 9.0. such as the interface IP addresses and static routing. Secure the Cisco IOS image and configuration files. 2. 12. R1(config)# ip route 0. Configure a static default route from R1 to R2 and from R3 to R2. Step 1: Cable the network as shown in the topology.0 10. Page 7 of 59 . Back up device Cisco IOS images to a TFTP server. a. 2. Step 2: Configure basic settings for all routers.0. Enable storm control for broadc asts.0. The gateway for the S3 switch is the R3 Fa0/1 interface IP address.0 S2(config)# no shutdown S3(config)# interface vlan 1 S3(config)# ip address 192.3 Step 8: Save the basic running configuration for each router.168. Configure the VLA N 1 management addresses as shown in the IP Addressing table. Configure the IP default gateway for each of the three switches.168. a.2. Page 8 of 59 .1. and default gateway for P C-A.1.0 255.1 R2(config)# ip route 192. Disable DNS lookup to prevent the switches from attempting to translat e incorrectly entered commands as though they were hostnames.11 255.3.255. as shown in the IP addressing table. Part 3: Secure Network Routers In Part 3.1.0 S3(config)# no shutdown c.3.2. Configure hostnames as shown in the topology.1. The gat eway for the S 1 and S2 switches is the R1 Fa0/1 int erface IP address.1 S3(config)# ip default-gateway 192.168.CCNA Security R2(config)# ip route 192. Configure a static IP address.12 255. S1(config)# ip default-gateway 192. and intrusion prevention.255.168.0 S1(config)# no shutdown S2(config)# interface vlan 1 S2(config)# ip address 192.1 Step 5: Configure basic settings for each switch. Perform steps on routers as indicated.3.168.0 255. you configure device access.168.3. PC-A:\> ping 192. firewalls.1. This document is Cisco Public Inf ormation. and PC-C.255. Inc. All rights reserv ed.255.1 S2(config)# ip default-gateway 192.11 255.1 d.168. S1(config)# no ip domain-lookup Step 6: Configure PC host IP settings.1.255. S1(config)# interface vlan 1 S1(config)# ip address 192. R1(config)# security passwords min-length 10 All contents are Copy right © 1992–2012 Cisco Sy stems.1.168. Step 7: Verify connectivity between PC-A and PC-C.0 10. passwords.255. PC-B.255. subnet mask.255.255.168. Task 1: Configure Passwords and a Login Banner (Chapter 2) Step 1: Configure a minimum password length of 10 characters on all routers.0 10.255. b. .CCNA Security Step 2: Configure the enable secret password on all routers. All rights reserv ed. Prevent console messages from int errupting command entry. Other users will default to user E XE C mode. Set the exec-timeout to log out after 5 minutes of inactivity. R2(config)# line R2(config-line)# R2(config-line)# R2(config-line)# vty 0 4 password ciscovtypass exec-timeout 5 0 login Note: The vty lines for R1 and R3 are configured for SSH in Task 2. R1(config)# enable secret cisco12345 Step 3: Encrypt plaintext passwords. and accept only SSH connections. R1(config)# username Admin01 privilege 15 secret Admin01pa55 Step 2: Configure the domain name ccnasecurity. Configure a console password of ci scoconpa ss and enable login. R1(config)# line R1(config-line)# R1(config-line)# R1(config-line)# vty 0 4 privilege level 15 login local transport input ssh Page 9 of 59 All contents are Copy right © 1992–2012 Cisco Sy stems. Inc.com Step 3: Configure the incoming vty lines. This document is Cisco Public Inf ormation. Configure a vty lines password of ci scovtypa ss and enable login.com. R1(config)# ip domain-name ccnasecurity. R1(config)# service password-encryption Step 4: Configure the console lines on all routers. Specify local user accounts for mandatory login and validation. Set the exec-timeout to log out after 5 minutes of inactivity. Specify a privilege level of 15 so that a user with the highest privilege level (15) will default to privileged E XEC mode when accessing the vty lines. Create the us er Admin01 account with a privilege level of 15 and a secret password of Admin01pa55. R1(config)# line R1(config-line)# R1(config-line)# R1(config-line)# R1(config-line)# console 0 password ciscoconpass exec-timeout 5 0 login logging synchronous Step 5: Configure the vty lines on R2. Configure a warning to unauthorized use rs with a message-of-the-day (MOTD) banner that says “Unauthorized access strictly prohibited and prosecuted to the full extent of the law ”. R1(config)# banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$ Task 2: Configure the SSH Server on Routers R1 and R3 (Chapter 2) Step 1: Configure a privileged user for login from the SSH client. Step 6: Configure a login warning banner on routers R1 and R3. Use an enable secret password of ci sco12345. 2 127.1.079 UTC Wed Mar 14 2012 b. Launch the SSH client.1. a.outlyer. All other routers and switches learn their time from it. and enter the Admin01 username and password Admin01pa55. ~ configured All contents are Copy right © 1992–2012 Cisco Sy stems. R2(config)# ntp master 3 Step 2: Configure R1 and R3 as NTP clients.2. enter the Fa0/1 IP address. Ensure that R2 has the correct coordinated universal time. If the SSH client is not already installed. R1(config)# ntp server 10.7 * sys.. Verify that R1 and R3 have made an association with R2 using the show ntp associations command.[OK] R1(config)# *Feb 11 19:08:58.2 R3(config)# ntp update-calendar b. Inc. Set the time if it is not correct.1. R1# show ntp associations address ref clock st when poll reach delay offset disp ~10. b. .127.99 has been enabled R1(config)# exit Step 5: Verify SSH connectivity to R1 from PC-A.. x falseticker. Task 3: Configure a Synchronized Time Source Using NTP (Chapter 2) Step 1: Set up the NTP master using Cisco IOS commands. This document is Cisco Public Inf ormation. a.CCNA Security R1(config-line)# exit Step 4: Generate the RSA encryption key pair for the router.ccnasecurity.peer. Page 10 of 59 .1. Configure R2 as the NTP master with a stratum number of 3.303 UTC Tue Mar 13 2012 R2# clock set 19:30:00 Mar 14 2012 R2# show clock 19:30:09.215: %SSH-5-ENABLED: SSH 1. R2# show clock 17:28:40.2. R1(config)# crypto key generate rsa general-keys modulus 1024 The name for the keys will be: R1.1. R2 will be the master NTP server. All rights reserv ed. # selected. d ownload either TeraTerm or PuTTY. Configure R1 and R3 to become NTP clients of R2. Configure the RSA keys with 1024 for the number of modulus bits.com % The key modulus size is 1024 bits % Generating 1024 bit RSA keys. keys will be non-exportable.1 3 15 64 3 0.000 -54108. either directly or indirectly. 3937. a.2 R1(config)# ntp update-calendar R3(config)# ntp server 10. + candidate. c. If the pings are not successful. http://www.com. b. Compatibility settings: a.com/winradius-20914.168. There is no installation setup. a.com or Tftpd32 from http://tftpd32. download the lat est version of Kiwi from http://www. Start the WinRadius.1 from PC-C.net and install it on your desktop. Configure logging on the router to send syslog messages to the syslog server. Page 11 of 59 . R3(config)# logging 192. This document is Cisco Public Inf ormation. 2. select the Compatibility tab. 168.suggestsoft.jounin. If a syslog server is not currently installed on the host.CCNA Security Task 4: Configure Router Syslog Support (Chapter 2) Step 1: (Optional) Install the syslog server on PC-A and PC-C. Task 5: Configure Authentication Using AAA and RADIUS (Chapter 3) PC-A will serve as the local RADIUS server for the remote site and R1 accesses the external RA DIUS server for user authentication. While in the Properties dialog box. troubles hoot as necessary before continuing.com/soft/itconsult2000/winradius/ .3. download the latest version from http://www.exe icon and select Properties. 3.3 b. if it is appropriate for your system. 168.soft32.3 b. a. All contents are Copy right © 1992–2012 Cisco Sy stems. Configure logging on the router to send syslog messages to the syslog server.1. If the application is being started for the first time. In this tab.exe file is executable. b. Step 3: Configure R3 to log messages to the PC-C syslog server. Inc. Then in the drop down menu below. All rights reserv ed.exe icon and select Properties. Verify that you have connectivity between R1 and host PC-A by pinging the R1 Fa0/1 interface IP address 192. Note: If WinRadius is used on a PC that uses the Microsoft Windows Vista operating system or the Microsoft Windows 7 operating system. 1. Right click on the WinRadius. Verify that you have connectivity between R3 and the host PC-C by pinging the R3 Fa0/1 interface IP address 192.kiwisyslog. Right click on the WinRadius. If WinRadius is not currently installed on PC-A. go to Step 2. http://winradius. troubleshoot as necessary before continuing.exe application. The freeware RA DIUS server WinRadius is used for this section of the lab. Step 1: (Optional) Download and configure the WinRadius software. ODBC may fail to creat e successfully because it cannot write to the registry. If it is already installed.1 from PC-A. Click OK.brothersoft.html. The extracted WinRadius. Possible solutions: 1.168. Run as Admini strator settings: a. follow the instructions to configure the WinRadius server database. If the pings are not successful. R1(config)# logging 192. select the checkbox for Run thi s program in compatibility mode for . Step 2: Configure R1 to log messages to the PC-A syslog server. choose Window s XP (Service Pack 3) for ex ample. a. Step 6: Specify a RADIUS server on R1. select the Compatibility tab. Ping from R1 to PC-A. b. click Yes in the User Account Control dialog box. Specify port numbers 1812 and 1813.CCNA Security b. Log in with the username RadAdmin and password RadAdminpa55.3 If the pings are not successful. enter the username RadAdmin defined on the RA DIUS server and the password RadAdminpa55. In this tab. a. 3.1. Click OK. Add username RadUser with a password of RadUserpa55. troubleshoot the PC and router configuration before continuing. Use the aaa new-model command to enable AAA.1. When WinRadius launches. a. Configure the router to access the RADIUS server at the PC-A IP address. Clear the log display for the WinRadius server by choosing Log > Clear. While in the Properties dialog box. select the checkbox for Run thi s program as administrator in the Privilege Level section. c. Step 3: Enable AAA on R1. b. Right click on the WinRadius. Use PuTTY or anot her terminal emulation client to open an SSH session from PC-A to R1. along with the default secret key of WinRadius for the RADIUS server. and there was negligible delay as R1 was able to access the RA DIUS server to validate the username and password.168. Add username RadAdmin with a password of RadAdminpa55. R1(config)# radius-server host 192. Exit to the initial rout er screen that displays the following: R1 con0 is now available . R1(config)# aaa authentication login default group radius local Step 5: Verify connectivity between R1 and the PC-A RADIUS server.168. R1(config)# aaa new-model Step 4: Configure the default login authentication list. At the login prompt. Page 12 of 59 . Step 8: Test your configuration by connecting to R1 with SSH. c. R1# ping 192. Are you able to login to R1? Yes All contents are Copy right © 1992–2012 Cisco Sy stems. Step 2: Configure users and passwords on the WinRadius server. you must recreat e the user accounts from Step 2. Are you able to login with minimal delay? Yes.exe icon and select Run a s administrator. All rights reserv ed. a. Run as Admini stration for each launch: a. Configure the list to first use radius for the authentication service and then local to allow access based on the local router database i f a RA DIUS server cannot be reached. Inc. Note: If you close the WinRadius server and restart it. b.3 auth-port 1812 acct-port 1813 key WinRadius Step 7: Test your configuration by logging into the console on R1. b. This document is Cisco Public Inf ormation. Inc. Are you able to login to R1? No. Tip: You can issue the auto secure management command to see the management related commands that would be generated. service finger service pad service udp-small-servers service tcp-small-servers cdp run ip bootp server ip http server ip finger ip source-route ip gratuitous-arps ip identd R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# R1(config)# no no no no no no no no no no no service finger service pad service udp-small-servers service tcp-small-servers cdp run ip bootp server ip http server ip finger ip source-route ip gratuitous-arps ip identd Note: Disabling the HTTP server prevents web -based access to the router via CCP.CCNA Security d. Exit the SSH session. you can enable it using the command ip http secure-server. With the WinRadius server unavailable. the default login authentication list specifies that the local database can be used for authentication if a RA IDUS server cannot be reached. disable the following interfac e services. b. Close the SSH client and open another SSH session to R1 and attempt to log in as Admin01 with a password of Admin01pa55. e. If you want secure access to the router via CCP. access denied. Stop the WinRadius server on PC-A by choosing Operation > Exit. a. Open an SSH session and attempt to log in again as RadAdmin. Task 6: Use CLI to Disable Unneeded Services on R1 and Secure Against Login Attacks (Chapter 2) Step 1: Use CLI to disable common IP services that can be exploited for network attacks. f. When prompted with “Apply this configuration to running-config? [yes]:” respond NO and then selectively copy the desired commands to a text file for editing and application to the router. g. Page 13 of 59 . E ven though the RADIUS server on PC-A was shut down. For each serial interface. This document is Cisco Public Inf ormation. Disable the following global services on the router. Repeat steps 1 through 6 to configure R3 to access PC-C as a RADIUS server. User Admin01 was previously defined as a user in the local database. All rights reserv ed. are you able to log in to R1? Why or why not? Yes. Step 9: Configure RADIUS support on R3. ip redirects All contents are Copy right © 1992–2012 Cisco Sy stems. For each Fast Ethernet interface. All rights reserv ed. ip redirects ip proxy-arp ip unreachables ip directed-broadcast ip mask-reply mop enabled R1(config)# interface FastEthernet0/0 R1(config-if)# no ip redirects R1(config-if)# no ip proxy-arp R1(config-if)# no ip unreachables R1(config-if)# no ip directed-broadcast R1(config-if)# no ip mask-reply R1(config-if)# no mop enabled R1(config-if)# R1(config-if)# R1(config-if)# R1(config-if)# R1(config-if)# R1(config-if)# R1(config-if)# interface FastEthernet0/1 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled Step 2: Secure against login attacks on R1 and R3. disable the following interface services. Inc. Configure the following parameters: Blocking period when login attack detected: 60 Maximum login failures with the device: 2 Maximum time period for crossing the failed login attempts: 30 R1(config)# login block-for 60 attempts 2 within 30 R3(config)# login block-for 60 attempts 2 within 30 All contents are Copy right © 1992–2012 Cisco Sy stems. Page 14 of 59 .CCNA Security ip ip ip ip proxy-arp unreachables directed-broadcast mask-reply interface Serial0/0/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply R1(config-if)# R1(config-if)# R1(config-if)# R1(config-if)# R1(config-if)# R1(config-if)# R1(config-if)# interface Serial0/0/1 R1(config-if)# no ip redirects R1(config-if) #no ip proxy-arp R1(config-if)# no ip unreachables R1(config-if)# no ip directed-broadcast R1(config-if)# no ip mask-reply c. This document is Cisco Public Inf ormation. R3(config)# username admin privilege 15 password 0 cisco12345 c. b. Run the CCP application on PC-C. Create an admin account on R3 with privilege level 15 and password ci sco12345 for use with AAA and CCP. b. R3(config)# ip http secure-server b. Click Next to view a summary of the problems that will be fixed. Choose Configure > Security > Security Audit and click the Perform Security Audit button. Page 15 of 59 .1 in the first IP Address/Hostname field. input the R3 IP address 192. View the Security Audit report and note which services did not pass. If the discovery process fails. All contents are Copy right © 1992–2012 Cisco Sy stems. and pings to the R3 VPN server LA N. and ci sco12345 in the Password field. Step 3: Begin the security audit. a. Enter admin in the Username field. This document is Cisco Public Inf ormation. 168. click the Di scovery button to discover and connect to R3. R3(config)# ip http authentication local Step 2: Access CCP and discover R3. All rights reserv ed. Enable the HTTP server on R3. In the Fix It window.CCNA Security Step 3: Save the running configuration to the startup configuration for R1 and R3. 3. Have CCP use the local database to authenticate web sessions . The VPN server is configured in Part 5 of the lab. At the CCP Das hboard. Click Next at the welcome screen Choose Fa stEthernet 0/1 as the Inside Trusted interface and Serial 0/0/1 as the Outside Unt rusted interface. use the Di scover Details button to determine the problem in order to resolve the issue. R3(config)# ip http server Or enable the HTTP secure server to connect securely. Task 7: Use CCP to Disable Unneeded Services on R3 (Chapter 2) Step 1: Configure user credentials for HTTP router access prior to starting CCP. a. a. In the Select/Manage Community window. specific ally with interface Fa0/1. click Fix it to disable the following global and int erface services: Global services to disable: service pad cdp run ip bootp server ip source-route Per-interface service to disable: ip redirects ip unreachables mop enabled Note: Do not fix (disable) Proxy ARP bec ause this disables ARP on all R3 interfac es and causes a problem. Clic k Close . c. Click on the OK button. e. Inc. d. Click Finish and deliver the commands to the router. AutoSecure Configuration --*** AutoSecure configuration enhances the security of the router.1. All rights reserv ed. use the auto secure command and specify the firewall option. but it will not make it absolutely resistant to all security attacks *** AutoSecure will modify the configuration of your device.CCNA Security Task 8: Configure a CBAC Firewall on R1 (Chapter 4) Step 1: Use the Cisco IOS AutoSecure feature to enable a CBAC firewall on R1. Gathering information about the router for AutoSecure Is this router connected to internet? [no]: yes Enter the number of interfaces facing the internet [1]: 1 Interface FastEthernet0/0 FastEthernet0/1 Serial0/0/0 Serial0/0/1 IP-Address unassigned 192.com for Autosecure documentation. All configuration changes will be shown.1 10.1. please refer to Cisco. Respond as shown in the following AutoSecure output to the AutoSecure questions and prompts. To configure only the Context Based Access Control (CBAC) firewall on R1. R1# auto secure firewall --. Use ctrl-c to abort this session at any prompt.1. For a detailed explanation of how the configuration changes enhance security and any possible side effects. Inc.1 unassigned OK? Method Status Protocol YES unset administratively down down YES manual up YES SLARP YES unset up up up administratively down down Enter the interface name that is facing the internet: serial0/0/0 Configure CBAC Firewall feature? [yes/no]: yes This is the configuration generated: ip inspect audit-trail ip inspect dns-timeout 7 ip inspect tcp idle-time 14400 ip inspect udp idle-time 1800 ip inspect name autosec_inspect cuseeme timeout 3600 ip inspect name autosec_inspect ftp timeout 3600 ip inspect name autosec_inspect http timeout 3600 ip inspect name autosec_inspect rcmd timeout 3600 ip inspect name autosec_inspect realaudio timeout 3600 ip inspect name autosec_inspect smtp timeout 3600 ip inspect name autosec_inspect tftp timeout 30 ip inspect name autosec_inspect udp timeout 15 ip inspect name autosec_inspect tcp timeout 3600 ip access-list extended autosec_firewall_acl permit udp any any eq bootpc deny ip any any All contents are Copy right © 1992–2012 Cisco Sy stems. This document is Cisco Public Inf ormation. Page 16 of 59 . At any prompt you may enter '?' for help. The res ponses are in bold.168. a. 1. ping the R2 int erface S0/0/0 at IP address 10.responder (10.3:8) sent 128 bytes -. ICMP was not included in the autosec_inspect list.1. Page 17 of 59 .040: %AUTOSEC-5-ENABLED: AutoSecure is configured on the device Step 2: Review the AutoSecure CBAC configuration. To which int erface is the aut osec_inspect name applied and in what direction? Serial0/ 0/0 interface outbound. What is the purpose of the ACL autosec_firewall_acl? It allows only bootpc traffic to enter the S0/0/0 interface and blocks all other non-established connections from outside R1.3:8) -. ICMP is now included in the autos ec_inspect list.168.Feb 12 19:02:48. Are the pings successful? Why or why not? No. This document is Cisco Public Inf ormation.2. All rights reserv ed. 1. From R2 ping PC-A. b.2:0) sent 128 bytes Step 6: From R2. Step 4: Add ICMP to the autosec_inspect list. c.1. b. b. R2# ping 192. From PC-A.168.Feb 12 19:02:56. a. R1(config)# . ping the R2 external WAN interface.743: %FW-6-SESS_AUDIT_TRAIL: Stop icmp session: initiator (192. a.1. ping the R2 external WAN interface. 1.1.1. so the pings that PC-A sends are blocked from returning.1. ping the R2 int erface S0/0/0 at IP address 10.3 Are the pings successful? Why or why not? No The connection was initiated from outside the R1 LA N and is blocked by the firewall ACL All contents are Copy right © 1992–2012 Cisco Sy stems. a. Inc.451: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (192. ping PC-A. To which int erface is the ACL autosec_firewall_acl applied and in which direction? S0/ 0/0 interface inbound. From PC-A. so the ICMP replies for ICMP requests originating from within the R1 LA N are allowed to return.2. Step 3: From PC-A.1. Configure R1 to inspect ICMP and allow ICMP echo replies from outside hosts with a timeout of 60 seconds.CCNA Security interface Serial0/0/0 ip inspect autosec_inspect out ip access-group autosec_firewall_acl in ! end Apply this configuration to running-config? [yes]: yes Applying the config generated to running-config R1# Feb 12 18:34:58.2:0) R1(config)# .168.1.responder (10. R1(config)# ip inspect name autosec_inspect icmp timeout 60 Step 5: From PC-A. Are the pings successful? Why or why not? Yes. From external host PC-C.0 0.168. Page 18 of 59 . Step 8: Configure the R1 firewall to allow SSH access from external hosts on the 192.168.1. Configure R1 to allow Net work Time Protocol (NTP) updates from R2 by adding a statement to the extended ACL autosec_firewall_acl that permits the NTP (UDP port 123). a. Is the SSH session connection successful? Why or why not? No.168. start a PuTTY session to R1. All rights reserv ed.2 host 10. From the SS H session on R1.0.168.1 and log in as RADIUS user RadA dmin with a password of RadA dminpa55. From PC-A. Display the extended ACL named autosec _firewall_acl that is applied to S0/0/0 inbound. and PC-A will be the remote client.1.1. R1(config-ext-nacl)# 18 permit esp any any R1(config-ext-nacl)# end c. d.0. a.1.255 any eq 22 R1(config-ext-nacl)# end c. a.3.1 eq ntp (3 matches) 18 permit esp any any 20 deny ip any any (21 matches) Step 10: Test Telnet access from internal PC-A to external router R2. From external host PC-C. R1(config)# ip access-list extended autosec_firewall_acl R1(config-ext-nacl)# 13 permit tcp 192.1. R3 will be configured as a VPN server.1. The connection was initiated from outside and is blocked by the firewall A CL. Display the modified extended ACL autosec_firewall_acl.1.2 host 10.3. Configure R1 to allow IPsec VPN traffic between PC-A and R3 by adding a statement to the extended ACL aut osec_firewall_acl that permits the IPsec Encapsulating Security Protocol (ESP). R1# show access-list autosec_firewall_acl Extended IP access list autosec_firewall_acl 10 permit udp any any eq bootpc 13 permit tcp 192.CCNA Security Step 7: Test SSH access from PC-C to R1.255 any eq 22 (67 matches) 15 permit udp host 10.1.0. display the modified extended ACL autosec_firewall_acl. R1(config)# ip access-list extended autosec_firewall_acl R1(config-ext-nacl)# 15 permit udp host 10.1. R1# show access-list autosec_firewall_acl Extended IP access list autosec_firewall_acl 10 permit udp any any eq bootpc 20 deny ip any any (57 matches) b.255 any eq 22 (16 matches) 20 deny ip any any (60 matches) Step 9: Configure the R1 firewall to allow NTP and VPN traffic.1.0.0/24 network. Inc. R1# show access-list autosec_firewall_acl Extended IP access list autosec_firewall_acl 10 permit udp any any eq bootpc 13 permit tcp 192. Telnet to R2 at IP address 10.1.1. Configure R1 to allow SSH access by adding a statement to the extended ACL autosec_firewall_acl that permits the SSH TCP port 22.1 eq ntp b. All contents are Copy right © 1992–2012 Cisco Sy stems. start a PuTTY SSH session to R1 at IP address 10.3.0. This document is Cisco Public Inf ormation. Note: In Part 5 of the lab.0 0.2 using the vty line password ci scovtypa ss.0.3.0 0. ping the R2 interface S0/0/1 at IP address 10. This document is Cisco Public Inf ormation. If the discovery process fails.. Step 11: Display CBAC inspection sessions.3.1. In the Summary window. 3. Telnet to R3 at IP address 10. a.2.3. From PC-C. Check the Inside (trusted) check box for Fa st Ethernet0/1 and the Outside (untrusted) check box for Serial0/0/1.2. click Next. Display the IP inspect session to see the active Telnet session from PC -A to R2.2. Page 19 of 59 . b..2.1. Choose Low Security and click Next. Select Basic Firewall and click the Launch the selected task button. c. input the R3 IP address 192. Leave the Telnet session open. The ping was initiated from outside and was blocked.1. b. ICMP echo replies are allowed by the sdm-permiticmpreply policy.3:1045)=>(10. remote host not responding Is the Telnet attempt successful? Why or why not? No.168. click Finish and deliver the commands to the router.CCNA Security C:\> telnet 10. C:\> ping 10. 2. From router R2. Step 2: Use the CCP Firewall wizard to configure a ZBF on R3. All contents are Copy right © 1992–2012 Cisco Sy stems.3 R2# ping 192. a. ping PC-C at IP address 192. R2# telnet 10. Click Next.2 Is the Telnet attempt successful? Why or why not? Yes. c. Run the CCP application on PC-C. b. and then click Security > Firewall > Firewall.1. b. and ci sco12345 in the Password field. % Connection timed out.168.1. d.2. At the CCP Das hboard. On the Basic Firewall Configuration wizard screen. The connection session was initiated from within the R1 LA N and is permitted. e. Click OK in the Commands Delivery Status window.2. Enter admin in the Username field. Click the Configure button at the top of the CCP screen.168. Click OK when the CCP access warning is displayed. Telnet was initiated from outside R3 S0/0/ 1 and was blocked.2. click on the Discovery button to discover and connect to R3.1 Trying 10.2. R1# show ip inspect sessions Established Sessions Session 6576FE20 (192.3 Are the pings successful? Why or why not? No. a. use the Di scover Details button to determine the problem in order to resolve the issue. All rights reserv ed. From external router R2.1. Click on the OK button.2:23) tcp SIS_OPEN Session Task 9: Configure a ZBF Firewall on R3 (Chapter 4) Step 1: Use CCP to discover R3. 168. Inc.2.1 in the first IP Address/Hostname field.2 Are the pings successful? Why or why not? Yes.2. Step 3: Verify ZBF functionality. In the Select/Manage Community window.1 . 2. This document is Cisco Public Inf ormation.txt file is available and note its location on PC-A. Last heard 00:00:22 Bytes sent (initiator:responder) [45:235] Step 4: Save the running configuration to the startup configuration. Page 20 of 59 . From the R1 CLI. Inc. R1# show flash d. go to Step 2.2. the IOS IPS Signature package file and public crypto key fil es must be available on PC-A. Telnet to R2 at IP address 10.2 and us e password ci scovtypass.2 User Access verification Password: ciscovtypass e.com with a valid us er account that has proper aut horization.net and install it on your desktop. b.x.2. C:\> telnet 10. Task 10: Configure Intrusion Prevention System (IPS) on R1 Using Cisco IOS (Chapter 5) Step 1: (Optional) Install the TFTP server on PC-A. R1# cd ipsdir All contents are Copy right © 1992–2012 Cisco Sy stems.jounin. To configure Cisco IOS IPS 5.2. Switch to the ipsdir directory and verify that you are in the directory.2.pub. you must remove the files to perform this part of the lab. Check whet her the ipsdir directory exists and if it has files in it. All rights reserv ed. R3# show policy-map type inspect zone-pair session <output omitted> Inspect Number of Established Sessions = 1 Established Sessions Session 6578550 (192. Verify that the IOS-S xxx-CLI. R1# mkdir ipsdir Create directory filename [ipsdir]? Press Enter Created dir flash:ipsdir e. a. Check with your instructor if these files are not on the PC. If the ipsdir directory is not listed. create it.3:3443)=>(10.168.CCNA Security d. This is the public crypto key used by IOS IPS. From PC-C on the R3 internal LAN. Continue pressing Enter until you see an Inspect Established session section toward the end.3. and then return to the flash root directory when you are finished. If it is already installed. Step 2: Prepare the router and TFTP server. The xxx is the version number and varies depending on which file was downloaded.2:23) tacacs:tcp SIS_OPEN Created 00:00:38. issue the command show policy-map type inspect zone-pair session on R3. c.2. Remove the files from the directory. If a TFTP server is not currently installed on PC-A. Verify or create the IPS directory in router flash on R1. Verify that the realm-ci sco. Thes e files can be downloaded from Cisco.pkg signature package file is in a TFTP folder. If the ipsdir directory exists and the signature files are in it. With the Telnet session open from P C-C to R2. download Tftpd32 from http://tftpd32. display the content of flash memory using the show flash command.key. xml? [confirm] Delete flash:/ipsdir/R1-sigdef-default. Specify the location flash:ipsdir where the signature files will be stored. The contents should look similar to the following: crypto key pubkey-chain rsa named-key realm-cisco.CCNA Security R1# pwd flash:/ipsdir/ R1# delete R1* Delete filename [/ipsdir/R1*]? Delete flash:/ipsdir/R1-sigdef-typedef. R1(config)# ip ips signature-category R1(config-ips-category)# category all R1(config-ips-category-action)# retired true R1(config-ips-category-action)# exit R1(config-ips-category)# category ios_ips basic R1(config-ips-category-action)# retired false All contents are Copy right © 1992–2012 Cisco Sy stems. All rights reserv ed.key. Retire all signatures in the “ all” category and then unretire the ios_ips ba sic category. enter global config mode.xml? [confirm] Delete flash:/ipsdir/R1-seap-delta.xml? [confirm] Delete flash:/ipsdir/R1-sigdef-delta. On R1. copy the contents of the file.xml? [confirm] Delete flash:/ipsdir/R1-seap-typedef.xml? [confirm] R1# cd flash:/ R1# pwd flash:/ Step 3: Open the IPS crypto key file and copy the contents to the router. Page 21 of 59 . create an IPS rule named iosips. Inc. R1(config)# ip ips config location flash:ipsdir Step 6: Configure Cisco IOS IPS to use a pre-defined signature category.xml? [confirm] Delete flash:/ipsdir/R1-sigdef-category. On PC-A.txt and open it using Notepad or anot her text editor. On R1. locate the crypto key file named realm-cisco. This document is Cisco Public Inf ormation. R1(config)# ip ips name iosips Step 5: Configure the IPS signature storage location in router flash memory. and paste the contents to the router. This rule will be used later on an interface to enable IPS.pub signature key-string 30820122 300D0609 2A864886 F70D0101 00C19E93 A8AF124A D6CC7A24 5097A975 17E630D5 C02AC252 912BE27F 37FDD9C8 B199ABCB D34ED0F9 085FADC1 359C189E 5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 FE3F0C87 89BCB7BB 994AE74C FA9E481D 50437722 FFBE85B9 5E4189FF CC189CB9 006CF498 079F88F8 A3B3FB1F 9FB7B3CB 2F56D826 8918EF3C 80CA4F4D 87BFCA3B F3020301 0001 quit 01050003 206BE3A2 11FC7AF7 F30AF10A 9479039D F65875D6 69C46F9C 5539E1D1 BFF668E9 82010F00 06FBA13F DCDD81D9 C0EFB624 20F30663 85EAF974 A84DFBA5 9693CCBB 689782A5 3082010A 6F12CB5B 43CDABC3 7E0764BF 9AC64B93 6D9CC8E3 7A0AF99E 551F78D2 CF31CB6E 02820101 4E441F16 6007D128 3E53053E C0112A35 F0B08B85 AD768C36 892356AE B4B094D3 Step 4: Create an IPS rule.pub. pkg idconf b. a. Allow time for this process to complete. If a signature file is not present. Note: Us e the newest signature file available if the router memory can support it. R1# copy tftp://192. contact your instructor before continuing. c. To which interfaces and in which direction is the iosips rule applied? S0/0/ 0 inbound and Fa0/ 1 inbound. Use the copy tftp command to retrieve the signature file.CCNA Security R1(config-ips-category-action)# exit R1(config-ips-category)# exit Do you want to accept these changes? [confirm] <Enter> Step 7: Apply the IPS rule to interfaces S0/0/0 and Fa0/1. a.xml R1-seap-delta. -rw-rw-rw-rw-rw-rw230621 255 6632 28282 304 491 Jan Jan Jan Jan Jan Jan 6 6 6 6 6 6 2008 2008 2008 2008 2008 2008 03:19:42 01:35:26 03:17:48 03:17:52 01:35:28 01:35:28 +00:00 +00:00 +00:00 +00:00 +00:00 +00:00 R1-sigdef-default. It can take several minutes.168. Step 9: Copy the signature package from the TFTP server to the router. where xxx is the signature file version.1. R1# dir flash:ipsdir Directory of flash:/ipsdir/ 16 15 14 13 10 18 c.xml R1-sigdef-typedef. Verify that the P C has the IPS signature package file in a directory on the TFTP server. Verify connectivity between R1 and P C-A. R1(config)# interface serial0/0/0 R1(config-if)# ip ips iosips in b. Display the contents of the ipsdir directory created earlier.xml R1-sigdef-category. Note: Immediately after the signature package is loaded to the router. b.3/IOS-S364-CLI. Apply the iosips rule that you created on the S0/0/0 interface in the inbound direction. All rights reserv ed. Be sure to use the idconf keyword at the end of the copy command. This document is Cisco Public Inf ormation. This file is typically named IOS-S xxx-CLI. Start the TFTP server and set the default directory to the one that contains the IPS signature package. Inc.xml Use the show ip ips all command to see an IPS configuration status summary. Page 22 of 59 . the TFTP server.xml R1-seap-typedef. R1# show ip ips all IPS Signature File Configuration Status Configured Config Locations: flash:ipsdir/ Last signature default load time: 18:47:52 UTC Feb 13 2009 Last signature delta load time: 20:11:35 UTC Feb 13 2009 Last event action (SEAP) load time: -noneGeneral SEAP Config: Global Deny Timeout: 3600 seconds All contents are Copy right © 1992–2012 Cisco Sy stems. signature compiling begins. Apply the IPS rule to the R1 Fa0/1 interface in the inbound direction. R1(config)# interface fa0/1 R1(config-if)# ip ips iosips in Step 8: Verify the IOS IPS signature package location and TFTP server setup a.pkg.xml R1-sigdef-delta. Verify or create the IPS directory in router flash on R1. contact your instructor before continuing. The xxx is the version number and varies depending on which file was downloaded. a. download Tft pd32 from http://tftpd32. c. From the R1 CLI. If a TFTP server is not currently installed on PC-C. R3# show flash All contents are Copy right © 1992–2012 Cisco Sy stems. the IOS IPS signature package file and public crypto key files must be available on PC-C. Inc.com with a valid us er account that has proper aut horization.pkg signature package file is in a TFTP folder. All rights reserv ed.net and install it on your desktop.key. This is the public crypto key used by Cisco IOS IPS. To configure Cisco IOS IPS 5. Verify that the IOS-S xxx-CLI. go to Step 2. This document is Cisco Public Inf ormation.txt file is available and note its location on PC-C. Check with your instructor if these files are not on the PC. Note: Us e the newest signature file available if the router memory can support it. Verify that the realm-ci sco. These files can be downloaded from Cisco.CCNA Security Global Overrides Status: Enabled Global Filters Status: Enabled IPS Auto Update is not currently configured IPS Syslog and SDEE Notification Status Event notification through syslog is enabled Event notification through SDEE is enabled IPS Signature Status Total Active Signatures: 339 Total Inactive Signatures: 2096 IPS Packet Scanning and Interface Status IPS Rule Configuration IPS name iosips IPS fail closed is disabled IPS deny-action ips-interface is false Interface Configuration Interface Serial0/0/0 Inbound IPS rule is iosips Outgoing IPS rule is not set Interface FastEthernet0/1 Inbound IPS rule is iosips Outgoing IPS rule is not set IPS Category CLI Configuration: Category all: Retire: True Category ios_ips basic: Retire: False Step 10: Save the running configuration to the startup configuration. Task 11: Configure IPS on R3 Using CCP (Chapter 5) Step 1: (Optional) Install the TFTP server on PC-C. If a signature file is not present.jounin. If it is already installed. b. Step 2: Prepare the router and TFTP server.x.pub. display the content of flash memory and check to see if the ips dir directory exists. Page 23 of 59 . In the Choose Category field of the Config Location and Category window.” Paste the text into the Key field in the Configure Public Key section. c. a. download the SuperScan 4. Click the Configure button at the top of the CCP screen and then choose Security > Intrusion Prevention > Create IPS . Click OK. input R3 IP address 192. Enter the IP address of the P C-C TFTP server and the filename. b. If the ipsdir directory is not listed. Click on the OK button. Note: Allow the signature configuration process to complete. In the Config Location and Category window. using the ping command. Click the Host and Service Discovery tab.CCNA Security d. g. In the Select/Manage Community window. create it in privileged E XE C mode.3. where xxx is the signature file version number. e. Inc. Start SuperScan on P C-C. Click Next. the TFTP server. Enter admin in the Username field. Click the Launch IPS Rule Wizard button to begin the IPS configuration. Click OK. and uncheck the Echo Reque st check box. a. and ci sco12345 in the Password fi eld. In the Signature File and Public Key window. b. In the Signature File and Public Key window. c.1 in the first IP Address/Hostname field. b. c. This document is Cisco Public Inf ormation. Click OK. Click Next at the welcome screen.com. Take note of the filename for use in the next step. Verify connectivity between R3 and P C-C. Click Next. This file is typically named IOS-S xxx-CLI. All contents are Copy right © 1992–2012 Cisco Sy stems. and click Finish and deliver the commands to the router. click OK. Step 6: (Optional) Verify IPS functionality with CCP Monitor and SuperScan. R3# mkdir ipsdir Create directory filename [ipsdir]? Press Enter Created dir flash:ipsdir Step 3: Verify the IOS IPS signature package and TFTP server setup. If the discovery process fails. If SuperScan is not on PC-C.2) in the Hostname/IP field. Verify that the P C has the IPS signature package file in a directory on the TFTP server. h. Step 4: Configure R3 to allow CCP Access and Discovery. Run the CCP application on PC-C. foundstone. Scroll the UDP and TCP port selection lists and notice the range of ports that will be scanned. Check the Timestamp Request check box.0 tool from the Scanning Tools group at http://www. a. specify the signature file with a URL and use TFTP to retrieve the file from PC-C.pub.2. Note: If this file is not present. choose basic. click on the Discovery button to discover and connect to R3. contact your instructor before continuing. use the Di scover Details button to determine the problem in order to resolve the issue. At the CCP Das hboard. This can tak e several minutes. Click the Scan tab and ent er the IP address of R2 S0/ 0/1 (10. specify flash:/ipsdir as the location to store the signature information.2. Open the public key file and copy the text that is between the phrase “key -string” and the word “quit. d. Start Tftpd32 or another TFTP server and set the default directory to the one with the IPS signature package in it. Page 24 of 59 . If prompted regarding S DEE notification. a. All rights reserv ed. enter the name of the public key file realm-ci sco. f.168. Click Next to display the Summary window. Step 5: Use the CCP IPS wizard to configure IPS. Apply the IPS rule in the inbound direction for FastEthernet0/1 and Serial0/0/1.pkg. b. This document is Cisco Public Inf ormation.” Step 8: Save the running configuration to the startup configuration.3 Destination filename [ r1-confg]? !! 5248 bytes copied in 0. Create a directory for the IOS images on P C-A and PC-C.168.bin tftp Address or name of remote host []? 192. Enter the logging buffered command in config mode on R3. a.CCNA Security Note: You can also specify an address range. Click the button with the blue arrow in the lower left corner of the screen to start the scan. c. 1. Click the Update button. by entering an address in the Start IP and End IP fields. Copy the R1 startup-config file to the PC-A TFTP server as a backup.T1.1. Copy the R3 IOS image to the TFTP server as a backup in case the current image bec omes corrupted. What syslog messages did you see? You should see syslog messages on R3 and entries in the CCP Monitor Log with descripti ons that include one of these phrases: “Invalid DHCP Packet” or “DNS Version Request. d.060 secs (87467 bytes/sec All contents are Copy right © 1992–2012 Cisco Sy stems. Task 12: Back Up and Secure the Cisco Router IOS Image and Configuration Files (Chapter 2) Note: The procedures described here can also be used to back up the switch IOS images and configuration files. a.254. R1# copy flash:c1841-advipservicesk9-mz. b. Inc. From Cisco CCP. Note: The IOS image on R1 should be the same as the one for R3. c. All rights reserv ed. d. Copy the R1 IOS image to the PC-A TFTP server as a backup in case the current image becomes corrupted. Step 2: Back up the configuration files from R1 and R3 to a TFTP server.1. Start the TFTP server on PC-C and choose the IOS images directory as the default directory. You will see that Cisco IOS IPS has been logging the port scans generat ed by SuperScan.bin]? !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 37081324 bytes copied in 130. b. The program scans all hosts with addresses in the range specified.124-20.168. such as 10. Step 1: Back up the IOS Image from R1 and R3 to a TFTP server.124-20. so a single backup could suffice for both routers. Start the TFTP server on PC-A and choose the Configs directory as the default directory. Create a directory for configurations on PC-A and PC-C. R1# copy startup-config tftp Address or name of remote host []? 192.1. e.T1.1. Start the TFTP server on PC-A and choose the IOS images directory as the default directory. Page 25 of 59 . a. b. Step 7: Check the results with CCP logging.1. choose Monitor > Router > Logging.820 secs (283453 bytes/sec) d.3 Destination filename [c1841-advipservicesk9-mz. c.1 to 10. Step 3: Secure the Cisco IOS image and archive a copy of the running configuration for R1 and R3. e.runcfg-20090213-165247. Configure a console password of ci scoconpa ss and enable login. Configure a warning to unauthorized use rs with a message-of-the-day (MOTD) banner that says “Unauthorized access strictly prohibited and prosecuted to the full extent of the law ”. Set the exec-timeout to log out after 5 minutes of inactivity.ar] Step 4: Verify that the image and configuration are secured. you can save them to the start up config before backing up the config file. S1(config)# service password-encryption Step 3: Configure the console line.551: %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully secured running image b. R1(config)# secure boot-config R1(config)# .Feb 13 16:52:48.411: %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:. All rights reserv ed. S1(config)# enable secret cisco12345 Step 2: Encrypt a plaintext password. This document is Cisco Public Inf ormation. Start the TFTP server on PC-C and choose the Configs directory as the default directory.Feb 13 16:52:32. Secure the router running configuration and securely archive it in persistent storage (flash). R1(config)# secure boot-image R1(config)# .CCNA Security Note: If changes have been made to the running config. S1(config)# line S1(config-line)# S1(config-line)# S1(config-line)# S1(config-line)# console 0 password ciscoconpass exec-timeout 5 0 login logging synchronous Note: The vty lines for the switches are configured for SSH in Task 2. All contents are Copy right © 1992–2012 Cisco Sy stems. Prevent console messages from int errupting command entry. Page 26 of 59 . Step 4: Configure a login warning banner. R1# show secure bootset Part 4: Secure Network Switches (Chapter 6) Task 1: Configure Passwords and a Login Banner on All Switches (Chapter 2) Step 1: Configure the enable secret password. Use an enable secret password of ci sco12345. Display the status of configuration resilience and the primary bootset filename. Secure the IOS boot image to enable Cisco IOS image resilience and hide the file from dir and show commands. Inc. a. d. Copy the R3 startup-config file to the PC-C TFTP server as a backup. 1.1. S1(config)# no ip http server S1(config)# no ip http secure-server Task 2: Configure Switches as NTP Clients (Chapter 2) Note: Router R2 is the master NTP server.1.1 3 19 64 77 25. Step 1: Configure S1. and S3 to become NTP clients of R2. download the lat est version of Kiwi from http://www. Configure the syslog servic e on the switch to send syslog messages to the syslog server. Inc. If a syslog server is not currently installed on the host.2 127.candidate.1.2 Step 2: Verify that S1 has made an association with R2. disable the HTTP server and HTTP secure server. S2.1.1 * master (synced).35 376.2.1.jounin.1. a.168.2 S3(config)# ntp server 10. troubleshoot as necessary before continuing.127. Step 2: Configure S1 to log messages to the PC-A syslog server. To prevent HTTP access. either directly or indirectly. Task 4: Configure the SSH Server on All Switches (Chapter 2) Step 1: Configure a domain name. All rights reserv ed. If the pings are not successful.com All contents are Copy right © 1992–2012 Cisco Sy stems. # master (unsynced). + selected. HTTP access to the switch is enabled by default. S1(config)# logging 192.net and install it on your desktop. Page 27 of 59 . S1(config)# ntp server 10.CCNA Security S1(config)# banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$ S1(config)#exit Step 5: Disable HTTP access.3 b. Verify that you have connectivity between S1 and host PC-A by pinging the S1 VLAN 1 int erface IP address 192. This document is Cisco Public Inf ormation.kiwisyslog. S1(config)# ip domain-name ccnasecurity. All other routers and switches learn their time fro m it.11 from P C-A.1.9 9. . S1# show ntp associations address ref clock st when poll reach delay offset disp *~10.2. go to Step 2.com or Tftpd32 from http://tftpd32. 1. ~ configured Task 3: Configure Syslog Support on All Switches (Chapter 2) Step 1: (Optional) Install the syslog server on PC-A and PC-C. 168.2 S2(config)# ntp server 10. If it is already installed. Enter global configuration mode and set the domain name. exe file is executable.com/soft/itconsult2000/winradius/. Specify that a privilege level of 15 is required to access the vty lines.exe application.com Instructor Note: If only the crypto key generate rsa command is issued with no additional parameters. There is no installation setup. The Telnet session fails because only SSH is enabled as input for the vty lines. Use the username command to creat e the user ID with the highest possible privilege level and a secret password. If the application is being started for the first time. Configure vty access on lines 0 through 15. S1(config)# username Admin01 privilege 15 secret Admin01pa55 Step 3: Configure the incoming vty lines.html.com/winradius-20914. The extracted WinRadius. . This document is Cisco Public Inf ormation. and enter the Admin01 username and password. All rights reserv ed.com. the default keys generated will be a general purpose key pair for signing and enc ryption.. Configure the RSA keys with 1024 for the number of modulus bits. The default is 512 bits. follow the instructions to configure the WinRadius server database. Try to open a Telnet session to switch S1 from P C-A. All contents are Copy right © 1992–2012 Cisco Sy stems. Inc. Launch the client. http://www. download the latest version from http://www.CCNA Security Step 2: Configure a privileged user for login from the SSH client. Task 5: Configure Authentication Using AAA and RADIUS on All Switches (Chapter 3) Step 1: (Optional) Download and configure the WinRadius software. Start the WinRadius. Close the PuTTY SSH session window with the exit or quit command. If the SSH client is not already installed. S1(config)# crypto key generate rsa general-keys modulus 1024 The name for the keys will be: S1.brothersoft.suggestsoft. a. In addition you will be prompted for the number of bits in the modulus. c. a. The switch uses the RSA key pair for authentication and encryption of transmitted SSH data.[OK] S1(config)# 00:15:36: %SSH-5-ENABLED: SSH 1. and accept only SSH connections. download either TeraTerm or PuTTY. enter the VLAN 1 IP address.99 has been enabled Step 5: Verify SSH connectivity to S1 from the SSH client PC-A.soft32. S1(config)# line S1(config-line)# S1(config-line)# S1(config-line)# S1(config-line)# S1(config-line)# vty 0 4 privilege level 15 exec-timeout 5 0 login local transport input ssh exit Step 4: Generate the RSA encryption key pair.ccnasecurity. keys will be non-exportable. http://winradius. Are you able to open the Telnet session? Why or why not? No. If WinRadius is not currently installed on PC -A and PC-C. Page 28 of 59 b.. d. b. % The key modulus size is 1024 bits % Generating 1024 bit RSA keys. use the local user accounts for mandatory login and validation. 1.3 auth-port 1812 acct-port 1813 key WinRadius Step 7: Test the RADIUS configuration by logging in to the console on S1. Press RETURN to get started . you must recreate the user accounts from Step 2. Ping from S1 to PC-A. Note: If the RADIUS user accounts were previously configured. Use PuTTY or anot her terminal emulation client to open an SSH session from PC -A to S1. Exit to the initial switch screen that displays the following: S1 con0 is now available. Log in with the username RadAdmin and password RadAdminpa55. a. Specify auth-port 1812 and acct-port 1813. Clear the log on the WinRadius server by choosing Log > Clear. along with the IP address and secret key of WinRadius for the RA DIUS server.168. If the RA DIUS server has been shut down and restarted. Note: If you exit the WinRadius server and restart it. At the login prompt. Configure the switch to access the RADIUS server at PC -A. to allow access based on the local switch database if a RA DIUS server cannot be reached. S1(config)# interface FastEthernet 0/1 S1(config-if)# switchport mode trunk All contents are Copy right © 1992–2012 Cisco Sy stems. Inc. All rights reserv ed. you must recreate the user accounts. Step 6: Specify a RADIUS server. c. S1(config)# aaa new-model Step 4: Configure the default login authentication list. Page 29 of 59 . troubleshoot the PC and switch configuration before continuing. Step 8: Test your configuration by connecting to S1 with SSH. and there was negligible delay bec ause S1 was able to access the RA DIUS server to validate the username and password.3 If the pings are not successful. Add username RadAdmin with a password of RadAdminpa55. Can you log in with minimal delay? Yes. a. a. Add username RadUser with a password of RadUserpa55. This document is Cisco Public Inf ormation. b. Create a AAA new model to enable AAA. S1(config)# aaa authentication login default group radius local Step 5: Verify connectivity between S1 and the PC-A RADIUS server.168. Configure port Fa0/1 on S1 as a trunk port. Are you able to login to S1? Yes Task 6: Secure Trunk Ports (Chapter 6) Step 1: Configure trunk ports on S1 and S2. Configure the list to first use RADIUS for the authentication service and then loc al. you can skip this step. Step 3: Enable AAA. S1# ping 192.CCNA Security Step 2: Configure users and passwords on the WinRadius server. a. S1(config)# radius-server host 192. b. b. enter the username RadAdmin defined on the RA DIUS server and a password of RadAdminpa55.1. Configure port Fa0/1 on S2 as a trunk port. S2(config)# interface FastEthernet 0/1 S2(config-if)# switchport mode trunk c. Inc.CCNA Security b.1q Status trunking Native vlan 99 Vlans allowed on trunk 1-4094 Vlans allowed and active in management domain 1 Vlans in spanning tree forwarding state and not pruned 1 Page 30 of 59 All contents are Copy right © 1992–2012 Cisco Sy stems. Set the native VLAN on the S1 Fa0/1 trunk interface to an unused VLAN 99. Set the native VLAN on the S2 Fa0/1 trunk interface to VLAN 99. Set the trunk ports on S1 and S2 so that they do not negotiat e by turning off the generation of DTP frames. This document is Cisco Public Inf ormation. All rights reserv ed. S1(config)# interface fa0/1 S1(config-if)# switchport trunk native vlan 99 S1(config-if)# end b. . S1(config)# interface fa0/1 S1(config-if)# switchport nonegotiate S2(config)# interface fa0/1 S2(config-if)# switchport nonegotiate Step 4: Verify the trunking configuration on port Fa0/1.1q Status trunking Native vlan 1 Vlans allowed on trunk 1-4094 Vlans allowed and active in management domain 1 Vlans in spanning tree forwarding state and not pruned 1 Step 2: Change the native VLAN for the trunk ports on S1 and S2. Verify that S1 port Fa0/ 1 is in trunking mode. S1# show interface fa0/1 trunk Port Fa0/1 Port Fa0/1 Port Fa0/1 Port Fa0/1 Mode on Encapsulation 802. S2(config)# interface fa0/1 S2(config-if)# switchport trunk native vlan 99 S2(config-if)# end Step 3: Prevent the use of DTP on S1 and S2. a. S1# show interfaces trunk Port Fa0/1 Port Fa0/1 Port Fa0/1 Port Fa0/1 Mode on Encapsulation 802. Changing the native VLAN for trunk ports to an unused VLA N helps prevent VLAN hopping attacks. Inc. This document is Cisco Public Inf ormation. S1(config)# interface FastEthernet 0/1 S1(config-if)# storm-control broadcast level 50 S2(config)# interface FastEthernet 0/1 S2(config-if)# storm-control broadcast level 50 Step 6: Verify the configuration with the show run command. S1# show run | beg 0/1 interface FastEthernet0/1 switchport trunk native vlan 99 switchport mode trunk switchport nonegotiate storm-control broadcast level 50. Enable storm control for broadc asts on the trunk port with a 50 percent rising suppression level using the storm-control broadcast command.00 <Output omitted> Task 7: Secure Access Ports (Chapter 6) By manipulating the S TP root bridge parameters.CCNA Security S1# show interface fa0/1 switchport Name: Fa0/1 Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q Negotiation of Trunking: Off Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 99 (Inactive) Administrative Native VLAN tagging: enabled Voice VLAN: none Administrative private-vlan host-association: none Administrative private-vlan mapping: none Administrative private-vlan trunk native VLAN: none Administrative private-vlan trunk Native VLAN tagging: enabled Administrative private-vlan trunk encapsulation: dot1q Administrative private-vlan trunk normal VLANs: none Administrative private-vlan trunk private VLANs: none Operational private-vlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Capture Mode Disabled Capture VLANs Allowed: ALL Protected: false Unknown unicast blocked: disabled Unknown multicast blocked: disabled Appliance trust: none Step 5: Enable storm control for broadcasts. Page 31 of 59 . network attackers hope to spoof his or her system as the root bridge in the topology. they can spoof a rogue switch that they added to the network as the All contents are Copy right © 1992–2012 Cisco Sy stems. Alternatively. All rights reserv ed. S2. S2(config)# interface FastEthernet 0/18 S2(config-if)# switchport mode access c. you enable some switch security features that can help reduc e the possibility of an attacker manipulating switches via STP-related met hods. configure ports Fa0/5 and F0/6 as access mode only. S3(config)# interface FastEthernet 0/5 S3(config-if)# switchport mode access S3(config)# interface FastEthernet 0/18 S3(config-if)# switchport mode access Task 8: Protect Against STP Attacks (Chapter 6) The topology has only two switches and no redundant paths. On S3.CCNA Security root bridge. PortFast is configured on access ports that connect to a single workstation or server to enable them to become active more quickly. Inc. and S3 access ports. S2(config)# interface FastEthernet 0/18 S2(config-if)# spanning-tree portfast c. All rights reserv ed. Step 1: Enable PortFast on S1. S1(config)# interface FastEthernet 0/5 S1(config-if)# switchport mode access S1(config)# interface FastEthernet 0/6 S1(config-if)# switchport mode access b. a. configure ports Fa0/5 and Fa0/18 as access mode only. and S3 access ports. but STP is still active. If a port that is configured with PortFast receives a BPDU. This document is Cisco Public Inf ormation. Enable PortFast on the S1 Fa0/5 and Fa0/6 access ports. configure Fa0/18 as access mode only. In this step. S3(config)# interface FastEthernet 0/5 S3(config-if)# spanning-tree portfast S3(config)# interface FastEthernet 0/18 S3(config-if)# spanning-tree portfast Step 2: Enable BPDU guard on the S1. a. S2. All contents are Copy right © 1992–2012 Cisco Sy stems. On S1. S2. BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports. On S2. Page 32 of 59 . and S3 access ports. Step 1: Disable trunking on S1. Enable BPDU guard on the switch ports previously configured as access only. Enable PortFast on the S3 Fa0/5 and Fa0/18 access port. Enable PortFast on the S2 Fa0/18 access port. STP can put the port into the blocking state by using a feature called BPDU guard. S1(config)# interface FastEthernet 0/5 S1(config-if)# spanning-tree portfast S1(config)# interface FastEthernet 0/6 S1(config-if)# spanning-tree portfast b. to be added to the switch running configuration. Shut down all end-user access ports that are in use and enable basic default port security. Reissue the port security command using the sticky option to allow the secure MAC address that is dynamically learned on a port. All contents are Copy right © 1992–2012 Cisco Sy stems. Re-enable each access port to which port security was applied. Page 33 of 59 . This document is Cisco Public Inf ormation. As a further security measure. This sets the maximum MAC addresses to 1 and the violation action to shutdown. All rights reserv ed. Inc. disable any ports not being used on the switch.CCNA Security S1(config)# interface FastEthernet 0/5 S1(config-if)# spanning-tree bpduguard enable S1(config)# interface FastEthernet 0/6 S1(config-if)# spanning-tree bpduguard enable S2(config)# interface FastEthernet 0/18 S2(config-if)# spanning-tree bpduguard enable S3(config)# interface FastEthernet 0/5 S3(config-if)# spanning-tree bpduguard enable S3(config)# interface FastEthernet 0/18 S3(config-if)# spanning-tree bpduguard enable Task 9: Configure Port Security and Disable Unused Ports (Chapter 6) Step 1: Configure basic port security. S1(config)# interface FastEthernet 0/5 S1(config-if)# shutdown S1(config-if)# switchport port-security S1(config-if)# switchport port-security mac-address sticky S1(config-if)# no shutdown S1(config)# interface FastEthernet 0/6 S1(config-if)# shutdown S1(config-if)# switchport port-security S1(config-if)# switchport port-security mac-address sticky S1(config-if)# no shutdown S2(config)# interface FastEthernet 0/18 S2(config-if)# shutdown S2(config-if)# switchport port-security S2(config-if)# switchport port-security mac-address sticky S2(config-if)# no shutdown S3(config)# interface FastEthernet 0/5 S3(config-if)# shutdown S3(config-if)# switchport port-security S3(config-if)# switchport port-security mac-address sticky S3(config-if)# no shutdown S3(config)# interface FastEthernet 0/18 S3(config-if)# shutdown S3(config-if)# switchport port-security S3(config-if)# switchport port-security mac-address sticky S3(config-if)# no shutdown Step 2: Disable unused ports on S1 and S2. All rights reserv ed. Note: The following configuration allows you to manage either switch remotely from eit her P C-A or PC-B. Configure a new VLA N for users on each switch using the following commands.6 S1(config-if)# switchport access vlan 10 All contents are Copy right © 1992–2012 Cisco Sy stems. Shut down the remaining Fast Ethernet ports and the two Gigabit Ethernet ports.4 S1(config-if-range)# shutdown S1(config-if-range)# interface range Fa0/7 . or HTTP. because Telnet and HTTP have been disabled. SSH. You can only access the switches remotely using SS H. You can also change the management VLAN from VLA N 1 to another VLAN. As a further security measure. This document is Cisco Public Inf ormation.2 S1(config-if-range)# shutdown b. The procedure for switch S3 is also shown. Shut down the remaining Fast Ethernet ports and the two Gigabit Ethernet ports.CCNA Security a. but you must have at least one end-user host port in that VLAN to manage the switch remotely using Telnet.17 S2(config-if-range)# shutdown S2(config-if-range)# interface range Fa0/19 . S1(config)# interface range fa0/5 . but it would not communicate with VLAN 10 on switches S1 and S2.17 S3(config-if-range)# shutdown S3(config-if-range)# interface range Fa0/19 . Inc. Note: You could also configure VLAN 10 on switch S3.2 S3(config-if)# shutdown Step 3: (Optional) Move active ports to another VLAN and change the management VLAN. S1(config)# vlan 10 S1(config-vlan)# name Users S2(config)# vlan 10 S2(config-vlan)# name Users S3(config)# vlan 30 S3(config-vlan)# name Users b. Ports Fa01/ and Fa0/18 are used on switch S2.24 S3(config-if-range)# shutdown S3(config-if-range)# exit S3(config-if-range)# interface range gigabitethernet0/1 . Page 34 of 59 .2 S2(config-if)# shutdown c. S1(config)# interface range Fa0/2 . a. S2(config)# interface range Fa0/2 . you can move all active end -user and router ports to a VLAN other than the default VLA N 1 on the switches. Add the current active access (non -trunk) ports to the new VLAN. S3(config)# interface range Fa0/1 .24 S1(config-if-range)# shutdown S1(config-if-range)# interface range gigabitethernet0/1 .24 S2(config-if-range)# shutdown S2(config-if-range)# exit S3(config-if-range)# interface range gigabitethernet0/1 . Shut down the remaining Fast Ethernet ports and the two Gigabit Ethernet ports. and Fa0/6 are used on switch S1. Ports Fa0/5 and Fa0/18 are used on switch S3.4 S3(config-if-range)# shutdown S3(config)# interface range Fa0/6 . Fa0/5. Ports Fa0/1. CCNA Security S2(config)# interface fa0/18 S2(config-if)# switchport access vlan 10 S3(config)# interface fa0/5 S3(config-if)# switchport access vlan 30 S3(config)# interface fa0/18 S3(config-if)# switchport access vlan 30 c. S1(config)# interface vlan 1 S1(config-if)# no ip address S1(config-if)# shutdown d.11 255.255. The PC-A host simulates an employee connecting from home or a remote office over the Internet.255.1. R3(config)# ip http server Or enable the HTTP secure server to connect securely.255. All rights reserv ed.3.1 in the first IP Address/Hostname field.168. configure a remote access IPsec VPN. Create an admin account on R3 with privilege level 15 for use with AAA and CCP.168. In the Select/Manage Community window. Task 1: Use the CCP VPN Wizard to Configure the Easy VPN Server (Chapter 8) Step 1: Configure R3 to allow CCP Access and Discovery. a. and ci sco12345 in the Password field. R3(config)# ip http secure-server b. Enable the HTTP server on R3. Configure a management VLAN IP address for the VLA N 30 interface on S3 and enable it. R3 is configured via CCP as an Easy VPN server. Enter admin in the Username field. input the R3 IP address 192. 168. Router R2 simulates an Internet ISP router.1. Inc.12 255. On each switch. This document is Cisco Public Inf ormation.0 S3(config-if)# no shutdown Step 4: Save the running-config to the startup-config. S3(config)# interface vlan 30 S3(config-if)# ip address 192. 3.11 255.255.255. and the Cisco VPN Client is configured on PC-A. remove the management VLAN IP address from VLA N 1 (configured in Part 1 of the lab) and shut it down.0 S1(config-if)# no shutdown S2(config)# interface vlan 10 S2(config-if)# ip address 192. Page 35 of 59 All contents are Copy right © 1992–2012 Cisco Sy stems. R3(config)# ip http authentication local d. Have CCP use the local database to authenticate web sessions. R3(config)# username admin privilege 15 password 0 cisco12345 c. .168. Configure a management VLAN IP address for the VLA N 10 interface on S1 and S2 and enable it.0 S2(config-if)# no shutdown e. Part 5: Configuring VPN Remote Access In Part 5. Click on the OK button. S1(config)# interface vlan 10 S1(config-if)# ip address 192. Run the CCP application on PC-C.255. and a subnet mask of 255. the default CCP transform set is used. Choose the interface on which the client connections terminate. a. In the Transform Sets window.3. a. Click OK to accept the entries. a. an ending address of 192. Click OK to close the User Accounts window. At the CCP Das hboard. Choose Pre-shared Keys for the authentication type and click Next to continue. and then click Launch Easy VPN Server Wizard . Click Add to create a group policy. Leave the Pool Information box checked. Enter a new pre-shared key of ci sco12345 and then re-enter it.255.CCNA Security e. This document is Cisco Public Inf ormation. In the Us er Accounts window. check the Enable User Authentication check box and choose Local Only. Which user account is currently defined locally? Admin01 Add the new user VPNUser1 with a password of VPNUser1pa55 and click OK. Click the Unnumbered to radio button. choose the Local option. the default IKE proposal is used for R3. Step 7: Configure user authentication (XAuth). c. In the Group Authorization and Group Policy Lookup window. the Enable AAA window displays.3.250. b. Step 3: Configure the virtual tunnel interface and authentication. Click Next. Click Next to accept the default transform set. b. If the discovery process fails. click the Discover Details button to det ermine the problem in order to resolve the issue. AAA was enabled on the router previously. d. In the Internet Key Exchange (IKE) Propos als window. In the Group Authorization and User Group Policies window. Step 6: Specify the group authorization and group policy lookup.255. Step 4: Select an IKE proposal. All contents are Copy right © 1992–2012 Cisco Sy stems. enter VPN-Acce ss in the Name of This Group field. If AAA is not enabled. click on the Discovery button to discover and connect to R3. Click Next on the Welcome Screen to continue. and choose the Serial0/0/1 interface from the drop-down menu. b. In the Add Group Policy window. Step 2: Launch the Easy VPN Server wizard. you must creat e at least one g roup policy for the VPN server. Click the Configure button at the top of the CCP home scree n and choose Security > VPN > Easy VPN Server. you can view currently defined local users or add new users. In the User Authentication (XA uth) window. Click the Add User Credentials button. a. c.200. Click Next to create a new AAA method list for group policy lookup that uses the local router database. Enter a starting address of 192.0. Inc. Step 8: Specify group authorization and user group policies. Step 5: Select the transform set.168.168. Page 36 of 59 . b. Clic k Next to accept the default IKE policy. Note: The Easy VPN Server Wizard checks the router configuration to see if AAA is enabled. All rights reserv ed. 168. When the Cisco Tunneling Control Protocol (c TCP ) window displays. Step 2: Configure PC-A as a VPN client to access the R3 VPN server a. Click OK if a firewall warning message displays. a. Click Next to continue.1. you created a VP N connection ent ry on the VPN client computer P C-A. . Inc.3.2.168.2. Step 4: Establish a VPN connection and login. Step 10: Test the VPN Server You are returned to the main VPN window wit h the Edit VPN Server tab selected. Open a command prompt on PC-A and ping the PC-C IP address at 192. Note: In the previous step. All rights reserv ed. Start the Cisco VPN Client. e. Check the Configure Idle Timer check box and enter 1 hour. which cannot access the internal R3 LAN.3 on the R3 LA N. Enter the following information to define the new connection entry. Select Connection Entrie s > New or click the New icon with the plus sign (+) on it. and 0 seconds.0/24). install it now. Task 2: Use the Cisco VPN Client to Test the Remote Access VPN (Chapter 8) Step 1: (Optional) Install the Cisco VPN client. A CCP warning message displays indicating that the IP address pool and the Fast Ethernet 0/1 address are in the same subnet.168. g. This option allows CCP to modify the firewall on S0/0/1 to allow IPsec VPN traffic to reach the internal LA N. Click Save when you are finished. Click Finish. do not enable c TCP.3. Choose the newly created connection VP N-Corp and click the Connect icon. b. 0 minutes. Scroll through the commands that CCP will send to the router.3. Click Ye s to continue.CCNA Security d.1 (IP address of the R3 S0/0/1 interface) Group Authentication Name: VPN-Acce ss (specifies the address pool configured in Task 2) Password: ci sco12345 (pre-shared key configured in Task 2) Confirm Password: ci sco12345 Note: The group authentication name and password are case-sensitive and must match the ones created on the VPN Server. In the VPN Troubleshooting window. make sure that the Action Modify check box is checked. If the Cisco VPN Client soft ware is not already installed on host PC-A. You can also doubleclick the connection entry. but have not activated it yet. click the Start button. The pings failed because PC-A still has an IP address of 192. Page 37 of 59 All contents are Copy right © 1992–2012 Cisco Sy stems. f. PC-A cannot access the internal PC-C host without a VPN connection and an address from within R3 LAN address space (192. This document is Cisco Public Inf ormation. Connection E ntry: VPN-Corp Description: Connection to R3 corporate network Host: 10. Step 3: Test access from PC-A without a VPN connection. Are the pings successful? Why or why not? No. contact your instructor. Click the Te st VPN Server button in the lower right corner of the screen. Step 9: Review the configuration summary and deliver the commands. When the Easy VPN Server Pass-through Configuration window displays. Click Close to exit the VPN Troubleshooting window. If you do not have the Cisco VPN Client software or are unsure of the process. 168. When it is open. Click OK to continue. With the VPN connection from comput er PC-A to rout er R3 activated. Are the pings successful? Why or why not? The pings are now successful because PC-A has an IP address (192. Step 5: Test access from the client with the VPN connection. Page 38 of 59 . The VPN Client window minimizes to a lock icon in the tools tray of the taskbar. This document is Cisco Public Inf ormation.3 on the R3 LAN. the VPN connection is down. All contents are Copy right © 1992–2012 Cisco Sy stems.3. Inc. open a command prompt on PC-A and ping the R3 default gat eway at 192.3. the VPN tunnel is up. When the VPN Client User Authentication dialog box displays. enter the username VPNUser1 created previously on the VPN router R3.1.CCNA Security b. Then ping the P C-C IP address at 192. When the lock is closed. All rights reserv ed. and enter the password of VPNUser1pa55.168.3.168.200 in this case) that was assigned by the VPN server and is inside the R3 LA N. Inc.CCNA Security Router Interface Summary Table Router Interface Summary Rout er Model 1800 Ethernet Interface #1 Ethernet Interface #2 Serial Interface #1 Serial Interface #2 Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0/0 Serial 0/0/1 (Fa0/ 0) (Fa0/ 1) (S0/0/0) (S0/0/1) Gigabit Ethernet 0/0 Gigabit Ethernet 0/1 Serial 0/0/0 Serial 0/0/1 1900 (G0/0) (G0/1) (S0/0/0) (S0/0/1) Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0/0 Serial 0/0/1 2800 (Fa0/ 0) (Fa0/ 1) (S0/0/0) (S0/0/1) Gigabit Ethernet 0/0 Gigabit Ethernet 0/1 Serial 0/0/0 Serial 0/0/1 2900 (G0/0) (G0/1) (S0/0/0) (S0/0/1) Note: To find out how the router is configured. Router R1 R1#sh run Building configuration. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.. This document is Cisco Public Inf ormation. Device Configs Note: IS R G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet Interfaces. There is no way to effectively list all the combinations of configurations for each router class.4 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname R1 ! boot-start-marker boot-end-marker ! security passwords min-length 10 logging message-counter syslog enable secret 5 $1$WORF$PpQaR7eAt3Mfj9WuM8vfL0 ! aaa new-model ! aaa authentication login default group radius local ! aaa session-id common dot11 syslog All contents are Copy right © 1992–2012 Cisco Sy stems. Current configuration : 4008 bytes ! ! No configuration change since last restart ! version 12. Page 39 of 59 . An example of this might be an ISDN BRI interface.. The table does not include any other type of int erface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface. All rights reserv ed. even though a specific router may contain one. look at the interfaces to identify the type of rout er and how many interfaces the router has. CCNA Security no no ! ip no no ip ip ip ! ip ip source-route ip gratuitous-arps cef ip bootp server ip domain lookup domain name ccnasecurity. Inc.pub signature key-string 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 F3020301 0001 quit ! All contents are Copy right © 1992–2012 Cisco Sy stems.com ips config location flash:ipsdir/ retries 1 ips name iosips ips signature-category category all retired true category ios_ips basic retired false ! ip inspect audit-trail ip inspect udp idle-time 1800 ip inspect dns-timeout 7 ip inspect tcp idle-time 14400 ip inspect name autosec_inspect cuseeme timeout 3600 ip inspect name autosec_inspect ftp timeout 3600 ip inspect name autosec_inspect http timeout 3600 ip inspect name autosec_inspect rcmd timeout 3600 ip inspect name autosec_inspect realaudio timeout 3600 ip inspect name autosec_inspect smtp timeout 3600 ip inspect name autosec_inspect tftp timeout 30 ip inspect name autosec_inspect udp timeout 15 ip inspect name autosec_inspect tcp timeout 3600 ip inspect name autosec_inspect icmp timeout 60 login block-for 60 attempts 2 within 30 ! login block-for 60 attempts 2 within 30 no ipv6 cef ! multilink bundle-name authenticated ! username Admin01 privilege 15 secret 5 $1$qxLL$FrcT5yJHGnKc2yS0Wp. This document is Cisco Public Inf ormation.CE1 archive log config logging enable hidekeys ! crypto key pubkey-chain rsa named-key realm-cisco. Page 40 of 59 . All rights reserv ed. 0. Page 41 of 59 .0 no ip redirects no ip unreachables no ip proxy-arp ip ips iosips in duplex auto speed auto no mop enabled ! interface FastEthernet0/1/0 ! interface FastEthernet0/1/1 ! interface FastEthernet0/1/2 ! interface FastEthernet0/1/3 ! interface Serial0/0/0 ip address 10.252 ip access-group autosec_firewall_acl in no ip redirects no ip unreachables no ip proxy-arp ip ips iosips in ip inspect autosec_inspect out clock rate 64000 ! interface Serial0/0/1 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown clock rate 2000000 ! interface Vlan1 no ip address ! ip forward-protocol nd ip route 0.1.0. This document is Cisco Public Inf ormation.168.CCNA Security interface FastEthernet0/0 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex auto speed auto no mop enabled ! interface FastEthernet0/1 ip address 192.1.2 no ip http server no ip http secure-server ! ip access-list extended autosec_firewall_acl permit udp any any eq bootpc permit tcp 192.0 0.1 255.255 any eq 22 permit udp host 10.1 eq ntp All contents are Copy right © 1992–2012 Cisco Sy stems.1.0.2 host 10.168. All rights reserv ed.255.1.3.255.0.0.255.1.1.0 10.1.0 0. Inc.1.1 255.0.255.1. All rights reserv ed.1. This document is Cisco Public Inf ormation.4 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname R2 ! boot-start-marker boot-end-marker ! security passwords min-length 10 logging message-counter syslog enable secret 5 $1$KV/.168.1.1. Current configuration : 1511 bytes ! ! No configuration change since last restart ! version 12.nkal9PRFBM.168.1.2 end R1# Router R2 R2#sh run Building configuration.CCNA Security permit esp any any deny ip any any ! logging 192.3 auth-port 1812 acct-port 1813 key 7 053C0F01134D4 A000C16 ! control-plane ! banner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C ! line con 0 exec-timeout 0 0 password 7 0802455D0A4906181C1B0D517F logging synchronous line aux 0 line vty 0 4 privilege level 15 transport input ssh ! scheduler allocate 20000 1000 ntp update-calendar ntp server 10. Inc. Page 42 of 59 ..$0GD..3 no cdp run ! radius-server host 192.GFCVzU0 ! no aaa new-model dot11 syslog ip source-route ! ip cef All contents are Copy right © 1992–2012 Cisco Sy stems. 1.255.0 255.2. All rights reserv ed.0 255.0 10.255.CCNA Security no ip domain lookup ! no ipv6 cef multilink bundle-name authenticated ! archive log config hidekeys ! interface FastEthernet0/0 no ip address shutdown duplex auto speed auto ! interface FastEthernet0/1 no ip address shutdown duplex auto speed auto ! interface FastEthernet0/1/0 ! interface FastEthernet0/1/1 ! interface FastEthernet0/1/2 ! interface FastEthernet0/1/3 ! interface Serial0/0/0 ip address 10.2.252 clock rate 64000 ! interface Vlan1 no ip address ! ip forward-protocol nd ip route 192.1.255. Page 43 of 59 .255.1. This document is Cisco Public Inf ormation.1 no ip http server no ip http secure-server ! control-plane ! banner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C ! line con 0 exec-timeout 0 0 password 7 05280F1C221C4D06171516475E logging synchronous login line aux 0 line vty 0 4 All contents are Copy right © 1992–2012 Cisco Sy stems.2 255.255.252 no fair-queue ! interface Serial0/0/1 ip address 10.255.2. Inc.168.1.255.168.2 255.0 10.255.2.3.1 ip route 192.1. Inc. Current configuration : 9256 bytes ! ! Last configuration change at 13:54:06 UTC Wed Feb 18 2009 by RadAdmin ! version 12.CCNA Security exec-timeout 5 0 password 7 05280F1C221C581D001516475E login ! scheduler allocate 20000 1000 ntp master 3 end R2# Router R3 R3#sh run Building configuration. Page 44 of 59 .4 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname R3 ! boot-start-marker boot-end-marker ! security passwords min-length 10 logging message-counter syslog no logging buffered enable secret 5 $1$CEbk$zRJMKAVt3zQUrNZc2IYqs.. This document is Cisco Public Inf ormation.. ! aaa new-model ! aaa authentication login default group radius local aaa authentication login ciscocp_vpn_xauth_ml_1 local aaa authorization network ciscocp_vpn_group_ml_1 local ! aaa session-id common dot11 syslog no ip source-route ! ip cef no ip bootp server no ip domain lookup ip domain name ccnasecurity.com ip ips config location flash:/ipsdir/ retries 1 ip ips notify SDEE ip ips name sdm_ips_rule ! ip ips signature-category category all retired true category ios_ips basic retired false All contents are Copy right © 1992–2012 Cisco Sy stems. All rights reserv ed. All rights reserv ed.255. Inc. This document is Cisco Public Inf ormation. Page 45 of 59 .0 crypto isakmp profile ciscocp-ike-profile-1 match identity group VPN-Access client authentication list ciscocp_vpn_xauth_ml_1 isakmp authorization list ciscocp_vpn_group_ml_1 client configuration address respond virtual-template 1 ! All contents are Copy right © 1992–2012 Cisco Sy stems.255.CCNA Security ! login block-for 60 attempts 2 within 30 ! no ipv6 cef multilink bundle-name authenticated ! crypto pki trustpoint TP-self-signed-1561489156 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1561489156 revocation-check none rsakeypair TP-self-signed-1561489156 ! crypto pki certificate chain TP-self-signed-1561489156 certificate self-signed 01 3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 31353631 34383931 3536301E 170D3039 30323138 31313531 33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35363134 38393135 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100A07D 3F5B0E20 5B5E2515 59AA444E 48727C1A 244011BB E3CA1CCC 96C3FD35 6C2261A1 DACE7B1F B86B735B CE6842A6 6A7E99DB 454E7C96 7E5D73FA 566B14B6 7312CA82 6871B3F7 A9F8EFA9 CC693C59 57F883D8 5800C3DA DCBAAEFE 6CF3C3CD 75A55EFB A53E5843 BC951FE3 0E7BF141 07A7A338 2592D804 66D6E6F0 2D086C5F 2BB70203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603 551D1104 17301582 1352332E 63636E61 73656375 72697479 2E636F6D 301F0603 551D2304 18301680 144EBAC4 8487C362 FB5EE53B 3CA54D7B 3F0BD823 D3301D06 03551D0E 04160414 4EBAC484 87C362FB 5EE53B3C A54D7B3F 0BD823D3 300D0609 2A864886 F70D0101 04050003 81810021 3475ABA3 2B23A5A0 79DD368F B00E522F 44FE5B3F 00FF0655 79D52E37 B077DB6D B86A2B25 E729CBF3 E70A541E 337B46B3 0710CB8B C9AA805C 6E93DE9F 55943C45 E22ED273 F9952224 594D2F4F 9D4AB07E 8D1B1A11 994A0D97 78EDAB9B D48C3DFC 820D4B4B 8444EBB2 01123699 2F72F7A0 07016AD7 5BFE2BAC 19F88414 044C38 quit ! username Admin01 privilege 15 secret 5 $1$GwWP$bgRxLcK8wAysy4ygs8hjn1 username admin privilege 15 password 7 060506324F41584B564347 username VPNUser1 secret 5 $1$ZMng$jKSLYD6sG0TrWERfagNwD1 archive log config hidekeys ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group VPN-Access key cisco12345 pool SDM_POOL_1 netmask 255. This document is Cisco Public Inf ormation.CCNA Security crypto IPsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ! crypto ipsec profile CiscoCP_Profile1 set security-association idle-time 3600 set transform-set ESP-3DES-SHA set isakmp-profile ciscocp-ike-profile-1 ! crypto key pubkey-chain rsa named-key realm-cisco. All rights reserv ed.pub key-string 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E 006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E F3020301 0001 quit ! class-map type inspect match-any SDM_AH match access-group name SDM_AH class-map type inspect match-any ccp-skinny-inspect match protocol skinny class-map type inspect match-any ccp-cls-insp-traffic match protocol cuseeme match protocol dns match protocol ftp match protocol https match protocol icmp match protocol imap match protocol pop3 match protocol netshow match protocol shell match protocol realmedia match protocol rtsp match protocol smtp extended match protocol sql-net match protocol streamworks match protocol tftp match protocol vdolive match protocol tcp match protocol udp class-map type inspect match-all ccp-insp-traffic match class-map ccp-cls-insp-traffic class-map type inspect match-any SDM_IP match access-group name SDM_IP class-map type inspect match-any SDM_ESP match access-group name SDM_ESP class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC match protocol isakmp match protocol ipsec-msft match class-map SDM_AH match class-map SDM_ESP class-map type inspect match-all SDM_EASY_VPN_SERVER_PT match class-map SDM_EASY_VPN_SERVER_TRAFFIC All contents are Copy right © 1992–2012 Cisco Sy stems. 02820101 4E441F16 6007D128 3E53053E C0112A35 F0B08B85 AD768C36 892356AE B4B094D3 Page 46 of 59 . Inc. Page 47 of 59 . Inc. All rights reserv ed. This document is Cisco Public Inf ormation.CCNA Security class-map type inspect match-any ccp-h323nxg-inspect match protocol h323-nxg class-map type inspect match-any ccp-cls-icmp-access match protocol icmp match protocol tcp match protocol udp class-map type inspect match-any ccp-h225ras-inspect match protocol h225ras class-map type inspect match-any ccp-h323annexe-inspect match protocol h323-annexe class-map type inspect match-any ccp-h323-inspect match protocol h323 class-map type inspect match-all ccp-icmp-access match class-map ccp-cls-icmp-access class-map type inspect match-all ccp-invalid-src match access-group 100 class-map type inspect match-any ccp-sip-inspect match protocol sip class-map type inspect match-all ccp-protocol-http match protocol http ! ! policy-map type inspect ccp-permit-icmpreply class type inspect ccp-icmp-access inspect class class-default pass policy-map type inspect ccp-inspect class type inspect ccp-invalid-src drop log class type inspect ccp-protocol-http inspect class type inspect ccp-insp-traffic inspect class type inspect ccp-sip-inspect inspect class type inspect ccp-h323-inspect inspect class type inspect ccp-h323annexe-inspect inspect class type inspect ccp-h225ras-inspect inspect class type inspect ccp-h323nxg-inspect inspect class type inspect ccp-skinny-inspect inspect class class-default drop policy-map type inspect ccp-permit class type inspect SDM_EASY_VPN_SERVER_PT pass class class-default drop policy-map type inspect sdm-permit-ip class type inspect SDM_IP pass class class-default drop log All contents are Copy right © 1992–2012 Cisco Sy stems. Page 48 of 59 . All rights reserv ed.255. Inc.3.0 no ip redirects no ip unreachables ip ips sdm_ips_rule in ip virtual-reassembly zone-member security in-zone duplex auto speed auto no mop enabled ! interface FastEthernet0/1/0 ! interface FastEthernet0/1/1 ! interface FastEthernet0/1/2 ! interface FastEthernet0/1/3 ! interface Serial0/0/0 no ip address no ip redirects no ip unreachables shutdown no fair-queue clock rate 2000000 ! interface Serial0/0/1 description $FW_OUTSIDE$ All contents are Copy right © 1992–2012 Cisco Sy stems.255. This document is Cisco Public Inf ormation.168.1 255.CCNA Security ! zone security out-zone zone security in-zone zone security ezvpn-zone zone-pair security ccp-zp-self-out source self destination out-zone service-policy type inspect ccp-permit-icmpreply zone-pair security ccp-zp-in-out source in-zone destination out-zone service-policy type inspect ccp-inspect zone-pair security ccp-zp-out-self source out-zone destination self service-policy type inspect ccp-permit zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone service-policy type inspect sdm-permit-ip zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone service-policy type inspect sdm-permit-ip zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone service-policy type inspect sdm-permit-ip zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone service-policy type inspect sdm-permit-ip ! interface FastEthernet0/0 no ip address no ip redirects no ip unreachables shutdown duplex auto speed auto no mop enabled ! interface FastEthernet0/1 description $FW_INSIDE$ ip address 192. 0.255 any access-list 100 permit ip 127.2.252 no ip redirects no ip unreachables ip ips sdm_ips_rule in ip virtual-reassembly zone-member security out-zone ! interface Virtual-Template1 type tunnel ip unnumbered Serial0/0/1 zone-member security ezvpn-zone tunnel mode ipsec ipv4 tunnel protection ipsec profile CiscoCP_Profile1 ! interface Vlan1 no ip address ! ip local pool SDM_POOL_1 192.2.0 0.168.0.255 any access-list 100 permit ip 10.CCNA Security ip address 10.168.0.2. Inc.0.2.0 0.255. All rights reserv ed.255.168.255.255.255.3.0.2 ip http server ip http authentication local ip http secure-server ! ip access-list extended SDM_AH remark CCP_ACL Category=1 permit ahp any any ip access-list extended SDM_ESP remark CCP_ACL Category=1 permit esp any any ip access-list extended SDM_IP remark CCP_ACL Category=1 permit ip any any ! logging 192.0.0 0.2.3.250 ip forward-protocol nd ip route 0. Page 49 of 59 .255.168.0.3 access-list 100 remark CCP_ACL Category=128 access-list 100 permit ip host 255.3.3 any no cdp run ! radius-server host 192.1 255.0 10.2.0. This document is Cisco Public Inf ormation.3 auth-port 1812 acct-port 1813 key 7 097B47072B041 31B1E1F ! control-plane ! banner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C ! line con 0 exec-timeout 0 0 password 7 13261E01085C07252534296660 logging synchronous line aux 0 line vty 0 4 privilege level 15 transport input ssh ! scheduler allocate 20000 1000 All contents are Copy right © 1992–2012 Cisco Sy stems.200 192.3. 2 end R3# Switch S1 S1#sh run Building configuration..2 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname S1 ! boot-start-marker boot-end-marker ! enable secret 5 $1$O2hv$LN64LNWZZikWtLmFTj8zn1 ! username Admin01 privilege 15 secret 5 $1$4zeE$aTl4FBDlPu0kROScWdzCx0 aaa new-model ! ! aaa authentication login default group radius local ! aaa session-id common system mtu routing 1500 ip subnet-zero ! no ip domain lookup ip domain-name ccnasecurity. Inc.com ! spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! interface FastEthernet0/1 switchport trunk native vlan 99 switchport mode trunk switchport nonegotiate storm-control broadcast level 50.00 ! interface FastEthernet0/2 shutdown ! interface FastEthernet0/3 shutdown ! interface FastEthernet0/4 shutdown All contents are Copy right © 1992–2012 Cisco Sy stems.. Page 50 of 59 .2.2. All rights reserv ed. This document is Cisco Public Inf ormation. Current configuration : 2910 bytes ! version 12.CCNA Security ntp update-calendar ntp server 10. All rights reserv ed. This document is Cisco Public Inf ormation. Inc.a5cd All contents are Copy right © 1992–2012 Cisco Sy stems.db04.5325. Page 51 of 59 .CCNA Security ! interface FastEthernet0/5 switchport access vlan 10 switchport mode access switchport port-security switchport port-security mac-address switchport port-security mac-address spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/6 switchport access vlan 10 switchport mode access switchport port-security switchport port-security mac-address switchport port-security mac-address spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/7 shutdown ! interface FastEthernet0/8 shutdown ! interface FastEthernet0/9 shutdown ! interface FastEthernet0/10 shutdown ! interface FastEthernet0/11 shutdown ! interface FastEthernet0/12 shutdown ! interface FastEthernet0/13 shutdown ! interface FastEthernet0/14 shutdown ! interface FastEthernet0/15 shutdown ! interface FastEthernet0/16 shutdown ! interface FastEthernet0/17 shutdown ! interface FastEthernet0/18 shutdown ! interface FastEthernet0/19 shutdown ! sticky sticky 001b.256f sticky sticky 000b. All rights reserv ed.1 no ip http server no ip http secure-server logging 192.168.1.1.1.CCNA Security interface FastEthernet0/20 shutdown ! interface FastEthernet0/21 shutdown ! interface FastEthernet0/22 shutdown ! interface FastEthernet0/23 shutdown ! interface FastEthernet0/24 shutdown ! interface GigabitEthernet0/1 shutdown ! interface GigabitEthernet0/2 shutdown ! interface Vlan1 no ip address no ip route-cache shutdown ! interface Vlan10 ip address 192.2 end S1# All contents are Copy right © 1992–2012 Cisco Sy stems.1.168. Page 52 of 59 .3 auth-port 1812 acct-port 1813 key 7 1079001737161 6021917 ! control-plane ! banner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C ! line con 0 exec-timeout 0 0 password 7 02250D4808560C2E425E084C50 logging synchronous line vty 0 4 privilege level 15 transport input ssh line vty 5 15 ! ntp clock-period 36032520 ntp server 10.1.255.1.0 no ip route-cache ! ip default-gateway 192.168.168. Inc. This document is Cisco Public Inf ormation.3 ! radius-server host 192.11 255.255. com ! crypto pki trustpoint TP-self-signed-1180859136 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1180859136 revocation-check none rsakeypair TP-self-signed-1180859136 ! crypto pki certificate chain TP-self-signed-1180859136 certificate self-signed 01 3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 31313830 38353931 3336301E 170D3933 30333031 30303030 35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31383038 35393133 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 81009DF6 4B4DBCD6 0B977A06 88AE8984 DFB743C3 45EC91AA 149E4696 2C2C88EF 22315F71 BDD60D44 5D4A7ECC C438B2F9 4AC4E855 A7B187CA 7683B3AE C98D0471 FFB2D268 CD19D0E4 4B0F3F7A 9A0AE716 485A0AA7 D02871D8 66C44475 05F0D5A0 D631475C 617430AD 0EB88D64 F7B6310E EB6ADCA0 7FDE3FDD 9E7BC3C0 60849315 D4810203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603 551D1104 17301582 1353322E 63636E61 73656375 72697479 2E636F6D 301F0603 551D2304 18301680 14BB0B37 B20BD4F1 103B066F 3BFC5CBD 913E9AAD E1301D06 03551D0E 04160414 BB0B37B2 0BD4F110 3B066F3B FC5CBD91 3E9AADE1 300D0609 2A864886 F70D0101 04050003 8181006B 157BC915 1EE5DDED E636BA9E E0895C04 C33CDDA3 EA56CB9C 8F638B51 70D1A433 436F8131 F44FE890 333F6E19 F1B22359 E0E1B69A BF4F1BA5 2FE1BA5B 1F6CFE83 BD52C7A5 58D72F28 ADE581CB 3E69B416 All contents are Copy right © 1992–2012 Cisco Sy stems. Current configuration : 4014 bytes ! version 12. Inc. All rights reserv ed.. Page 53 of 59 .JbHhxcFA81 ! username Admin01 privilege 15 secret 5 $1$cbXS$5C3Of2NUdmhQry4Ycm5kx1 aaa new-model ! aaa authentication login default group radius local ! aaa session-id common system mtu routing 1500 ip subnet-zero ! no ip domain lookup ip domain-name ccnasecurity..2 no service pad service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname S2 ! boot-start-marker boot-end-marker ! enable secret 5 $1$v/4O$YdWlK0Q55V6.CCNA Security Switch S2 S2#sh run Building configuration. This document is Cisco Public Inf ormation. 00 ! interface FastEthernet0/2 shutdown ! interface FastEthernet0/3 shutdown ! interface FastEthernet0/4 shutdown ! interface FastEthernet0/5 shutdown ! interface FastEthernet0/6 shutdown ! interface FastEthernet0/7 shutdown ! interface FastEthernet0/8 shutdown ! interface FastEthernet0/9 shutdown ! interface FastEthernet0/10 shutdown ! interface FastEthernet0/11 shutdown ! interface FastEthernet0/12 shutdown ! interface FastEthernet0/13 shutdown ! interface FastEthernet0/14 shutdown ! interface FastEthernet0/15 shutdown ! interface FastEthernet0/16 All contents are Copy right © 1992–2012 Cisco Sy stems. This document is Cisco Public Inf ormation. Page 54 of 59 .CCNA Security 5C60D986 59A884EF 385864D8 EDFA8CF3 6F755FD0 2947B0E2 8C2E0840 73C00971 F1042461 C9F73179 237F2BCD 1CB7E3 quit ! spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! interface FastEthernet0/1 switchport trunk native vlan 99 switchport mode trunk switchport nonegotiate storm-control broadcast level 50. All rights reserv ed. Inc. 1.168.3 radius-server host 192.1.3 auth-port 1812 acct-port 1813 key 7 081645403B180 11E0718 ! control-plane ! banner motd ^CUnauthorized access strictly prohibited and All contents are Copy right © 1992–2012 Cisco Sy stems.255. This document is Cisco Public Inf ormation. Page 55 of 59 .1. All rights reserv ed.e963.168.CCNA Security shutdown ! interface FastEthernet0/17 shutdown ! interface FastEthernet0/18 switchport access vlan 10 switchport mode access switchport port-security switchport port-security mac-address sticky switchport port-security mac-address sticky 0007.168.1.1 no ip http server ip http secure-server logging 192.0 no ip route-cache ! ip default-gateway 192.12 255. Inc.ce53 spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/19 shutdown ! interface FastEthernet0/20 shutdown ! interface FastEthernet0/21 shutdown ! interface FastEthernet0/22 shutdown ! interface FastEthernet0/23 shutdown ! interface FastEthernet0/24 shutdown ! interface GigabitEthernet0/1 shutdown ! interface GigabitEthernet0/2 shutdown ! interface Vlan1 no ip address no ip route-cache shutdown ! interface Vlan10 ip address 192.168.255. . Inc.1.CCNA Security prosecuted to the full extent of the law^C ! line con 0 exec-timeout 0 0 password 7 13261E01085C07252534296660 logging synchronous line vty 0 4 privilege level 15 line vty 5 15 ! ntp clock-period 36031991 ntp server 10.com ! crypto pki trustpoint TP-self-signed-1180859136 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1180859136 revocation-check none rsakeypair TP-self-signed-1180859136 ! crypto pki certificate chain TP-self-signed-1180859136 certificate self-signed 01 3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 All contents are Copy right © 1992–2012 Cisco Sy stems.2 no service pad service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname S3 ! boot-start-marker boot-end-marker ! enable secret 5 $1$v/4O$YdWlK0Q55V6.JbHhxcFA81 ! username Admin01 privilege 15 secret 5 $1$cbXS$5C3Of2NUdmhQry4Ycm5kx1 aaa new-model ! aaa authentication login default group radius local ! aaa session-id common system mtu routing 1500 ip subnet-zero ! no ip domain lookup ip domain-name ccnasecurity.2 end S2# Switch S3 S3#sh run Building configuration.1. This document is Cisco Public Inf ormation.. All rights reserv ed. Page 56 of 59 . Current configuration : 4014 bytes ! version 12. Page 57 of 59 .530d. All rights reserv ed.CCNA Security 69666963 35345A17 4F532D53 35393133 81009DF6 22315F71 FFB2D268 D631475C D4810203 551D1104 551D2304 03551D0E 2A864886 C33CDDA3 E0E1B69A 5C60D986 F1042461 quit 6174652D 0D323030 656C662D 3630819F 4B4DBCD6 BDD60D44 CD19D0E4 617430AD 010001A3 17301582 18301680 04160414 F70D0101 EA56CB9C BF4F1BA5 59A884EF C9F73179 31313830 31303130 5369676E 300D0609 0B977A06 5D4A7ECC 4B0F3F7A 0EB88D64 73307130 1353322E 14BB0B37 BB0B37B2 04050003 8F638B51 2FE1BA5B 385864D8 237F2BCD 38353931 30303030 65642D43 2A864886 88AE8984 C438B2F9 9A0AE716 F7B6310E 0F060355 63636E61 B20BD4F1 0BD4F110 8181006B 70D1A433 1F6CFE83 EDFA8CF3 1CB7E3 3336301E 305A3031 65727469 F70D0101 DFB743C3 4AC4E855 485A0AA7 EB6ADCA0 1D130101 73656375 103B066F 3B066F3B 157BC915 436F8131 BD52C7A5 6F755FD0 170D3933 312F302D 66696361 01050003 45EC91AA A7B187CA D02871D8 7FDE3FDD FF040530 72697479 3BFC5CBD FC5CBD91 1EE5DDED F44FE890 58D72F28 2947B0E2 30333031 06035504 74652D31 818D0030 149E4696 7683B3AE 66C44475 9E7BC3C0 030101FF 2E636F6D 913E9AAD 3E9AADE1 E636BA9E 333F6E19 ADE581CB 8C2E0840 30303030 03132649 31383038 81890281 2C2C88EF C98D0471 05F0D5A0 60849315 301E0603 301F0603 E1301D06 300D0609 E0895C04 F1B22359 3E69B416 73C00971 ! spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! interface FastEthernet0/1 shutdown ! interface FastEthernet0/2 shutdown ! interface FastEthernet0/3 shutdown ! interface FastEthernet0/4 shutdown ! interface FastEthernet0/5 switchport access vlan 30 switchport mode access switchport port-security switchport port-security mac-address sticky switchport port-security mac-address sticky 001b.6029 spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/6 shutdown ! interface FastEthernet0/7 shutdown ! interface FastEthernet0/8 shutdown ! interface FastEthernet0/9 shutdown ! interface FastEthernet0/10 All contents are Copy right © 1992–2012 Cisco Sy stems. Inc. This document is Cisco Public Inf ormation. Inc. All rights reserv ed.e948.da37 spanning-tree portfast spanning-tree bpduguard enable ! interface FastEthernet0/19 shutdown ! interface FastEthernet0/20 shutdown ! interface FastEthernet0/21 shutdown ! interface FastEthernet0/22 shutdown ! interface FastEthernet0/23 shutdown ! interface FastEthernet0/24 shutdown ! interface GigabitEthernet0/1 shutdown ! interface GigabitEthernet0/2 shutdown ! interface Vlan1 no ip address All contents are Copy right © 1992–2012 Cisco Sy stems. This document is Cisco Public Inf ormation.CCNA Security shutdown ! interface FastEthernet0/11 shutdown ! interface FastEthernet0/12 shutdown ! interface FastEthernet0/13 shutdown ! interface FastEthernet0/14 shutdown ! interface FastEthernet0/15 shutdown ! interface FastEthernet0/16 shutdown ! interface FastEthernet0/17 shutdown ! interface FastEthernet0/18 switchport access vlan 30 switchport mode access switchport port-security switchport port-security mac-address sticky switchport port-security mac-address sticky 0007. Page 58 of 59 . 2 end S3# All contents are Copy right © 1992–2012 Cisco Sy stems.11 255.0 no ip route-cache ! ip default-gateway 192. This document is Cisco Public Inf ormation.2.168.1 no ip http server ip http secure-server logging 192.3.3.3. Page 59 of 59 . Inc.168.168.255.3 ! radius-server host 192.168.255.3. All rights reserv ed.CCNA Security no ip route-cache shutdown ! interface Vlan30 ip address 192.3 auth-port 1812 acct-port 1813 key 7 081645403B180 11E0718 ! control-plane ! banner motd ^CUnauthorized access strictly prohibited and prosecuted to the full extent of the law^C ! line con 0 exec-timeout 0 0 password 7 13261E01085C07252534296660 logging synchronous line vty 0 4 privilege level 15 line vty 5 15 ! ntp clock-period 36031991 ntp server 10.2.
Copyright © 2024 DOKUMEN.SITE Inc.