Topology

IP Addressing Table
Device
R1

Interface
FA0/1

IP Address
172.16.1.1

Subnet Mask
255.255.255.0

Default Gateway
N/A

Switch Port
S1 FA0/5

S0/0/0 (DCE)

10.10.10.1

255.255.255.252

N/A

N/A

S0/0/0

10.10.10.2

255.255.255.252

N/A

N/A

S0/0/1 (DCE)

10.20.20.2

255.255.255.252

N/A

N/A

FA0/1

172.16.3.1

255.255.255.0

N/A

S3 FA0/5

S0/0/1

10.20.20.1

255.255.255.252

N/A

N/A

S1

VLAN 1

172.16.1.11

255.255.255.0

172.16.1.1

N/A

S2

VLAN 1

172.16.1.12

255.255.255.0

172.16.1.1

N/A

S3

VLAN 1

172.16.3.11

255.255.255.0

172.16.3.1

N/A

PC-A

NIC

172.16.1.3

255.255.255.0

172.16.1.1

S1 FA0/6

PC-B

NIC

172.16.1.2

255.255.255.0

172.16.1.1

S2 FA0/18

PC-C

NIC

172.16.3.3

255.255.255.0

172.16.3.1

S3 FA0/18

R2
R3

Objectives
Part 1: Build the network and configure basic device settings
Part 2: Secure Network Routers

Configure encrypted passwords and a login banner.

Configure EXEC timeout on console and VTY lines.

Configure login failure rates and virtual login enhancements

Configure SSH access and disable Telnet.

Configure local AAA authentication.

Configure a zone-based policy firewall (ZPF) and ACLs

Part 1: Build the Network and Configure Basic Settings.

In Part 1, you set up the network topology and configure basic settings, such as the hostname,
interface IP addresses and static routing. Perform steps on routers and switches as indicated.

Step 1: Cable the network as shown in the topology.

Instructor note: The instructor may wish to set up the topology in advance due to time
constraints.
If the SBA topology is already set up, go to Step 2. Otherwise, attach the devices shown in the
topology diagram, and cable as necessary.

Step 2: Configure basic settings for all routers.

a. Configure host names as shown in the topology.
b. Configure the interface IP addresses as shown in the IP addressing table.
c.

Configure a clock rate for the routers with a DCE serial cable attached to their serial
interface.
R1(config)#interface S0/0/0
R1(config-if)#clock rate 64000
R2(config)#interface S0/0/1
R2(config-if)#clock rate 64000

d. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered
commands as though they were host names.
R1(config)#no ip domain-lookup

Step 3: Configure static default routes on edge routers (R1 and R3).
Configure a static default route from R1 to R2 and from R3 to R2.
R1(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.2
R3(config)#ip route 0.0.0.0 0.0.0.0 10.20.20.2

Step 4: Configure static routes on the ISP router (R2).

Configure a static route from R2 to the R1 LAN and from R2 to the R3 LAN.
R2(config)#ip route 172.16.1.0 255.255.255.0 10.10.10.1
R2(config)#ip route 172.16.3.0 255.255.255.0 10.20.20.1

Step 5: Configure basic settings for each switch.

a. Configure host names as shown in the topology.
b. Configure the VLAN 1 management address on each switch as shown in the IP
Addressing table.
S1(config)#interface vlan 1
S1(config)#ip address 172.16.1.11 255.255.255.0
S1(config)#no shutdown
S2(config)#interface vlan 1
S2(config)#ip address 172.16.1.12 255.255.255.0
S2(config)#no shutdown
S3(config)#interface vlan 1
S3(config)#ip address 172.16.3.11 255.255.255.0
S3(config)#no shutdown
c.

Configure the IP default gateway for each of the three switches. The gateway for the S1
and S2 switches is the R1 Fa0/1 interface IP address. The gateway for the S3 switch is
the R3 Fa0/1 interface IP address.
S1(config)#ip default-gateway 172.16.1.1
S2(config)#ip default-gateway 172.16.1.1
S3(config)#ip default-gateway 172.16.3.1

d. Disable DNS lookup to prevent the switches from attempting to translate incorrectly
entered commands as though they were host names.
S1(config)#no ip domain-lookup

Step 6: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C,
as shown in the IP addressing table.

Step 7: Verify connectivity between PC-A and PC-C.

PC-A:\>ping 172.16.3.3

Step 8: Save the basic running configuration for each router and switch.

Part 2: Secure Network Routers

In Part 2, you configure device access, passwords, firewalls, and intrusion prevention. Perform
steps on routers as indicated.

Task 1: Configure Passwords and a Login Banner.

Step 1: Configure a minimum password length of 10 characters on all routers.
R1(config)#security passwords min-length 10

Step 2: Configure the enable secret password on all routers.

Use an enable secret password of ciscoenapa55.
R1(config)#enable secret ciscoenapa55

Step 3: Encrypt plaintext passwords.

R1(config)#service password-encryption

Step 4: Configure the console lines on all routers.

Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to
log out after 5 minutes of inactivity. Prevent console messages from interrupting command
entry.
R1(config)#line console 0
R1(config-line)#password ciscoconpa55
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous

Step 5: Configure the vty lines on R2.

Configure a vty lines password of ciscovtypa55 and enable login. Set the exec-timeout to
log out after 5 minutes of inactivity.
R2(config)#line vty 0 4
R2(config-line)#password ciscovtypa55
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
Note: The vty lines for R1 and R3 are configured for SSH in Task 3.

Step 6: Configure a login warning banner on routers R1 and R3.

Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that
says: Unauthorized access strictly prohibited and prosecuted to the full extent of the law!.
R1(config)#banner motd $Unauthorized access strictly prohibited and
prosecuted to the full extent of the law!$

Task 2: Configure Local Authentication Using AAA on R1 and R3.

Step 1: Configure the local user database on R1.
Create a local user account of Admin01 with a secret password of Admin01pa55.
R1(config)#username Admin01 privilege 15 secret Admin01pa55

Step 2: Enable AAA services on R1.

R1(config)#aaa new-model

Step 3: Implement AAA services using the local database on R1.

a. Create the default login authentication method list using local authentication as the first
option and the enable password as the backup option.
R1(config)#aaa authentication login default local enable
b. Exit to the initial router screen that displays: R1 con0 is now available, Press RETURN
to get started.
c.

Log in to the console as Admin01 with a password of Admin01pa55 to verify that AAA
with local authentication is functioning correctly.

d. Exit to the initial router screen that displays: R1 con0 is now available, Press RETURN
to get started.
e. Attempt to log in to the console as baduser with a bad password to verify that users not
defined in the local router database are denied access.

Step 4: Repeat Steps 1 through 3 to configure AAA with local authentication on R3.

Task 3: Configure the SSH Server on Routers R1 and R3.

Step 1: Configure the domain name ccnasecurity.com on R1.
R1(config)#ip domain-name ccnasecurity.com

Step 2: Configure the incoming vty lines on R1.

Specify a privilege level of 15 so that a user with the highest privilege level (15) will default to
privileged EXEC mode when accessing the vty lines. Other users will default to user EXEC
mode. Specify that the vty lines will accept only SSH connections.
R1(config)#line vty 0 4
R1(config-line)#privilege level 15
R1(config-line)#transport input ssh
R1(config-line)#exit

Step 3: Generate the RSA encryption key pair for router R1.
Configure the RSA keys with 1024 as the number of modulus bits.
R1(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R1.ccnasecurity.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be nonexportable...[OK]
R1(config)#
*May 26 19:08:58.215: %SSH-5-ENABLED: SSH 1.99 has been enabled

Step 4: Verify SSH connectivity to R1 from PC-A.

Launch the SSH client (TeraTerm or PuTTY) on PC-A, enter the Fa0/1 IP address, and login
in as Admin01 with the password Admin01pa55.
Step 5: Repeat Steps 1 through 4 to configure SSH on R3 and test the connection from

PC-C to R3.

Task 4: Secure against login attacks on R1 and R3.

Step 1: Configure the following parameters on R1 to provide enhanced login security
for virtual logins.

Blocking period when login attack detected: 60

Maximum login failures with the device: 2

Maximum time period for crossing the failed login attempts: 30

Log all failed login attempts

R1(config)#login block-for 60 attempts 2 within 30
R1(config)# login on-failure log

Step 2: Save the running configuration to the startup configuration for R1.
Step 3: Repeat steps 1 and 2 to configure enhanced login security for virtual logins
for router R3.

Task 5: Configure a Zone-based Policy Firewall (ZPF) Firewall on R1 and

R3.
Step 1: Configure a ZPF on R1
Inside (trusted) check box for FastEthernet0/1 and the Outside (untrusted) Serial0/0/0

Step 2:
Create two security zones Inside and Outside.
Create one class map IN2OUT_MAP to match all traffic and another OUT2SELF_MAP to
math only telnet traffic.
Create policy-map IN2OUT_PMAP to inspect traffic from class map IN2OUT_MAP
Create policy-map OUT2SELF_PMAP to drop traffic from class map OUT2SELF_MAP and
pass everything else
Create zone-pair IN2OUT_PAIR for the outside direction and apply IN2OUT_PMAP policymap
Create zone-pair OUT2SELF for Outside to Self zone and apply OUT2SELF_PMAP policymap

Tests:
a. From PC-A, ping external router R2 interface S0/0/0 at IP address 10.10.10.2. The pings
should be successful.
b. From external router R2, ping PC-A at IP address 172.16.1.3. The pings should NOT be
successful.
c.

From router R2, telnet to R1 at IP address 10.10.10.1. The telnet attempt should NOT be
successful.

Submission:
Save the file with your name using capital letter followed by your first name, e.g. SMITH_John
Upload the file to the Weblearn via the Skills Assessment Practice Assignment on the Weblearn.