
CCNA Security PT Practice SBA
A few things to keep in mind while completing this activity:
1. Do not use the browser Back button or close or reload any Exam windows during the exam.
2. Do not close Packet Tracer when you are done. It will close automatically.
3. Click the Submit Assessment button to submit your work.

Introduction
In this practice Packet Tracer Skills Based Assessment, you will:
• configure basic device hardening and secure network management
• configure a CBAC firewall to implement security policies
• configure devices to protect against STP attacks and to enable broadcast storm control
• configure port security and disable unused switch ports
• configure an IOS IPS
• configure a ZPF to implement security policies
• configure a site-to-site IPsec VPN

Addressing Table
(The table did not survive extraction. It listed, for every interface of Internet, CORP, Branch, External, Public Svr, External Web Svr, External PC, NTP/Syslog Svr, DMZ DNS Svr, DMZ Web Svr, PC0, PC1, Net Admin and Admin PC, the IP address, subnet mask, default gateway and DNS server; the values are scrambled and are not reproduced here. The addresses used below are the ones that appear in the configuration commands.)

Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.

Step 1: Configure Basic Device Hardening for the CORP Router.

a. Configure an encrypted privileged level password of ciscoclass.
    CORP(config)#enable secret ciscoclass

b. Configure the CORP router to only accept passwords with a minimum length of 10 characters.
    CORP(config)#security passwords min-length 10

c. Enable password encryption for all clear text passwords in the configuration file.
    CORP(config)#service password-encryption

d. Configure the console port and all vty lines with the following requirements:
Note: CORP is already configured with the username CORPADMIN and the secret password ciscoccnas.
• use the local database for login
• disconnect after being idle for 20 minutes
    CORP(config)#line con 0
    CORP(config-line)#login local
    CORP(config-line)#exec-timeout 20 0
    CORP(config)#line vty 0 4
    CORP(config-line)#login local
    CORP(config-line)#exec-timeout 20 0
    CORP(config)#line vty 5 15
    CORP(config-line)#login local
    CORP(config-line)#exec-timeout 20 0

e. Disable the CDP protocol only on the link to the Internet router.
    CORP(config)#interface serial 0/0/0
    CORP(config-if)#no cdp enable

Step 2: Configure Secure Network Management for the CORP Router.

a. Enable the CORP router:
• as an NTP client to the NTP/Syslog server
    CORP(config)#ntp server 172.16.25.2 key 0
• to update the router calendar (hardware clock) from the NTP time source
    CORP(config)#ntp update-calendar
• to timestamp log messages
    CORP(config)#service timestamps log datetime msec
• to send logging messages to the NTP/Syslog server
    CORP(config)#logging host 172.16.25.2

b. Configure the CORP router to accept SSH connections. Use the following guidelines:
Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess.
• domain name is theccnas.com
    CORP(config)#ip domain-name theccnas.com
• RSA encryption key pair using a modulus of 1024
    CORP(config)#crypto key generate rsa
    (press Enter, then answer 1024 for the modulus)
• SSH version 2, timeout of 90 seconds, and 2 authentication retries
    CORP(config)#ip ssh version 2
    CORP(config)#ip ssh time-out 90
    CORP(config)#ip ssh authentication-retries 2
• all vty lines accept only SSH connections
    CORP(config)#line vty 0 4
    CORP(config-line)#transport input ssh
    CORP(config)#line vty 5 15
    CORP(config-line)#transport input ssh

c. Configure the CORP router with AAA authentication and verify its functionality:
• AAA authentication using the local database as the default for console line and vty lines access
    CORP(config)#aaa new-model
    CORP(config)#aaa authentication login default local
    CORP(config)#aaa authorization exec default local

Step 3: Configure Device Hardening for Switch1.

a. Access Switch1 with username CORPADMIN, password ciscoccnas, and the enable secret password of ciscoclass.

b. Configure Switch1 to protect against STP attacks.
• Configure PortFast on FastEthernet ports 0/1 to 0/23.
    SW1(config)#interface range fastEthernet 0/1-23
    SW1(config-if-range)#spanning-tree portfast
• Enable BPDU guard on FastEthernet ports 0/1 to 0/23.
    SW1(config-if-range)#spanning-tree bpduguard enable

c. Enable storm control for broadcasts on FastEthernet 0/24 with a 50 percent rising suppression level.
    SW1(config)#interface fastEthernet 0/24
    SW1(config-if)#storm-control broadcast level 50

d. Configure port security and disable unused ports.
• Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/23. Allow the MAC address to be learned dynamically and shut down the port if a violation occurs.
    SW1(config-if-range)#switchport mode access
    SW1(config-if-range)#switchport port-security
    SW1(config-if-range)#switchport port-security maximum 2
    SW1(config-if-range)#switchport port-security violation shutdown
    SW1(config-if-range)#switchport port-security mac-address sticky
• Disable unused ports (Fa0/2-5, Fa0/7-10, Fa0/13-23).
    SW1(config)#interface range fastEthernet 0/2-5
    SW1(config-if-range)#shutdown
    SW1(config)#interface range fastEthernet 0/7-10
    SW1(config-if-range)#shutdown
    SW1(config)#interface range fastEthernet 0/13-23
    SW1(config-if-range)#shutdown

Step 4: Configure an IOS IPS on the CORP Router.

a. On the CORP router, create a directory in flash named ipsdir.
    CORP#mkdir ipsdir
    (press Enter to accept the directory name)

b. Configure the IPS signature storage location to be flash:ipsdir.
    CORP(config)#ip ips config location flash:ipsdir/ retries 1

c. Create an IPS rule named corpips.
    CORP(config)#ip ips name corpips

d. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.
    CORP(config)#ip ips signature-category
    CORP(config-ips-category)#category all
    CORP(config-ips-category-action)#retired true
    CORP(config-ips-category-action)#exit
    CORP(config-ips-category)#category ios_ips basic
    CORP(config-ips-category-action)#retired false
    CORP(config-ips-category-action)#exit
    CORP(config-ips-category)#exit
    Do you want to accept these changes? [confirm] (press Enter)

e. Apply the IPS rule to the Fa0/0 interface.
    CORP(config)#interface fastEthernet 0/0
    CORP(config-if)#ip ips corpips out

f. Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0), enable the signature, and modify the signature event-action to produce an alert and to deny packets that match the signature.
    CORP(config)#ip ips signature-definition
    CORP(config-sigdef)#signature 2004 0
    CORP(config-sigdef-sig)#status
    CORP(config-sigdef-sig-status)#retired false
    CORP(config-sigdef-sig-status)#enabled true
    CORP(config-sigdef-sig-status)#exit
    CORP(config-sigdef-sig)#engine
    CORP(config-sigdef-sig-engine)#event-action produce-alert
    CORP(config-sigdef-sig-engine)#event-action deny-packet-inline
    CORP(config-sigdef-sig-engine)#exit
    CORP(config-sigdef-sig)#exit
    CORP(config-sigdef)#exit
    Do you want to accept these changes? [confirm] (press Enter)
    [*] Commands are listed in order of execution.

g. Verify that IPS is working properly.
• Net Admin in the internal network cannot ping DMZ Web Svr; however, DMZ Web Svr can ping Net Admin.

Step 5: Configure ACLs and CBAC on the CORP Router to Implement the Security Policy.

a. Create ACL 12 to implement the security policy regarding the access to the vty lines:
• Only users connecting from Net Admin and Admin PC are allowed access to the vty lines.
    CORP(config)#access-list 12 permit host 172.16.25.5
    CORP(config)#access-list 12 permit host 198.133.219.35
    CORP(config)#line vty 0 4
    CORP(config-line)#access-class 12 in
    CORP(config)#line vty 5 15
    CORP(config-line)#access-class 12 in

b. Create, apply, and verify an extended named ACL (named DMZFIREWALL) to filter incoming traffic to the DMZ.
• The ACL should be created in the order specified in the following guidelines (please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer):
1. HTTP traffic is allowed to DMZ Web Svr.
2. FTP traffic from the Branch administrator workstations in the subnet of 198.133.219.32/27 is allowed to DMZ Web Svr.
3. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Svr.
4. All traffic from 172.16.25.0/24 is allowed to enter the DMZ.
    CORP(config)#ip access-list extended DMZFIREWALL
    CORP(config-ext-nacl)#permit tcp any host 10.1.1.2 eq www
    CORP(config-ext-nacl)#permit tcp 198.133.219.32 0.0.0.31 host 10.1.1.2 eq ftp
    CORP(config-ext-nacl)#permit tcp any host 10.1.1.5 eq domain
    CORP(config-ext-nacl)#permit udp any host 10.1.1.5 eq domain
    CORP(config-ext-nacl)#permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255
    CORP(config-ext-nacl)#exit
    CORP(config)#interface FastEthernet0/0
    CORP(config-if)#ip access-group DMZFIREWALL out

c. To verify the DMZFIREWALL ACL, complete the following tests:
• Admin PC in the branch office can access the URL http://www.theccnas.com.
• Admin PC can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco.
• Net Admin can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco.
• PC1 cannot open an FTP session to the DMZ Web Svr.

d. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router.
• The ACL should be created in the order specified in the following guidelines (please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer):
1. Allow HTTP traffic to the DMZ Web Svr.
2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Svr.
3. Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on the CORP router.
4. Allow IP traffic from the Branch router serial interface into the CORP router serial interface.
5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP site (209.165.200.240/28).
    CORP(config)#ip access-list extended INCORP
    CORP(config-ext-nacl)#permit tcp any host 209.165.200.241 eq www
    CORP(config-ext-nacl)#permit tcp any host 209.165.200.242 eq domain
    CORP(config-ext-nacl)#permit udp any host 209.165.200.242 eq domain
    CORP(config-ext-nacl)#permit tcp 198.133.219.32 0.0.0.31 host 209.165.200.226 eq 22
    CORP(config-ext-nacl)#permit ip host 198.133.219.2 host 209.165.200.226
    CORP(config-ext-nacl)#permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
    CORP(config-ext-nacl)#exit
    CORP(config)#interface Serial0/0/0
    CORP(config-if)#ip access-group INCORP in

e. To verify the INCORP ACL, complete the following tests:
• Admin PC in the branch office can access the URL http://www.theccnas.com.
• Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the username SSHAccess and password ciscosshaccess, and External PC cannot establish an SSH connection to the CORP router (209.165.200.226).

f. Create and apply a CBAC inspection rule (named INTOCORP) to inspect ICMP, TCP, and UDP traffic between the CORP internal network and any other network.
    CORP(config)#ip inspect name INTOCORP icmp
    CORP(config)#ip inspect name INTOCORP tcp
    CORP(config)#ip inspect name INTOCORP udp
    CORP(config)#interface Serial0/0/0
    CORP(config-if)#ip inspect INTOCORP out

g. Enable CBAC audit messages to be sent to the syslog server.
    CORP(config)#ip inspect audit-trail

h. Verify the CBAC firewall configuration.
• PC1 can access the External Web Svr (www.externalone.com).
• PC1 can establish an SSH connection to the External router with username SSHadmin and password ciscosshpa55.
• Admin PC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess.

Step 6: Configure a Zone-Based Policy Firewall on the Branch Router.

a. Access the Branch router with username CORPADMIN, password ciscoccnas and the enable secret password of ciscoclass.

b. On the Branch router, create the firewall zones.
• Create an internal zone named BR-IN-ZONE.
    Branch(config)#zone security BR-IN-ZONE
    Branch(config-sec-zone)#exit
• Create an external zone named BR-OUT-ZONE.
    Branch(config)#zone security BR-OUT-ZONE
    Branch(config-sec-zone)#exit

c. Define a traffic class and access list.
• Create an ACL (ACL 110) to permit all protocols from the 198.133.219.32/27 network to any destination.
    Branch(config)#access-list 110 permit ip 198.133.219.32 0.0.0.31 any
• Create a class map using the option of class map type inspect with the match-all keyword. Match the ACL 110 and name the class map BR-IN-CLASS-MAP.
    Branch(config)#class-map type inspect match-all BR-IN-CLASS-MAP
    Branch(config-cmap)#match access-group 110

d. Specify firewall policies.
• Create a policy map named BR-IN-OUT-PMAP.
• Use the BR-IN-CLASS-MAP class map.
• Specify the action of inspect for this policy map.
    Branch(config)#policy-map type inspect BR-IN-OUT-PMAP
    Branch(config-pmap)#class type inspect BR-IN-CLASS-MAP
    Branch(config-pmap-c)#inspect

e. Apply the firewall.
• Create a pair of zones named IN-OUT-ZPAIR with the source as BR-IN-ZONE and destination as BR-OUT-ZONE.
    Branch(config)#zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE
• Specify the policy map BR-IN-OUT-PMAP for handling the traffic between the two zones.
    Branch(config-sec-zone-pair)#service-policy type inspect BR-IN-OUT-PMAP
• Assign interfaces to the appropriate security zones.
    Branch(config)#interface fastEthernet 0/0
    Branch(config-if)#zone-member security BR-IN-ZONE
    Branch(config)#interface serial 0/0/0
    Branch(config-if)#zone-member security BR-OUT-ZONE

f. Verify the ZPF configuration.
• The Admin PC in the Branch office can access the URLs http://www.theccnas.com and http://www.externalone.com.
• The Admin PC in the Branch office can ping the External PC.
• External PC cannot ping the Admin PC in the Branch office (198.133.219.35).
• The Admin PC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess. If you get the Corp> prompt, then your configuration is correct.

Step 7: Configure a Site-to-Site IPsec VPN between the CORP router and the Branch Router.

The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2 Policy:

ISAKMP Phase 1 Policy Parameters
    Key Distribution Method    ISAKMP
    Encryption Algorithm       AES
    Number of Bits             256
    Hash Algorithm             SHA-1
    Authentication Method      Pre-share
    Key Exchange               DH 2
    IKE SA Lifetime            86400
    ISAKMP Key                 Vpnpass101

IPsec Phase 2 Policy Parameters
    Parameters            CORP Router                Branch Router
    Transform Set Name    VPN-SET                    VPN-SET
    Transform Set         esp-3des esp-sha-hmac      esp-3des esp-sha-hmac
    Peer Host Name        Branch                     CORP
    Peer IP Address       198.133.219.2              209.165.200.226
    Encrypted Network     198.133.219.32/27          209.165.200.240/28
    Crypto Map Name       VPN-MAP                    VPN-MAP
    SA Establishment      ipsec-isakmp               ipsec-isakmp

a. Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).
    CORP(config)#access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
    Branch(config)#access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15

b. Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy is 10.
• Refer to the ISAKMP Phase 1 Policy Parameters Table for the specific details needed.
    /***** config for CORP *****/
    CORP(config)#crypto isakmp policy 10
    CORP(config-isakmp)#encryption aes 256
    CORP(config-isakmp)#authentication pre-share
    CORP(config-isakmp)#group 2
    CORP(config)#crypto isakmp key Vpnpass101 address 198.133.219.2
    /***** config for Branch *****/
    Branch(config)#crypto isakmp policy 10
    Branch(config-isakmp)#encryption aes 256
    Branch(config-isakmp)#authentication pre-share
    Branch(config-isakmp)#group 2
    Branch(config)#crypto isakmp key Vpnpass101 address 209.165.200.226

c. Configure the ISAKMP Phase 2 properties on the CORP router. Refer to the ISAKMP Phase 2 Policy Parameters Table for the specific details needed.
    /***** config for CORP *****/
    CORP(config)#crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
    CORP(config)#crypto map VPN-MAP 10 ipsec-isakmp
    CORP(config-crypto-map)#set peer 198.133.219.2
    CORP(config-crypto-map)#set transform-set VPN-SET
    CORP(config-crypto-map)#match address 120
    /***** config for Branch *****/
    Branch(config)#crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
    Branch(config)#crypto map VPN-MAP 10 ipsec-isakmp
    Branch(config-crypto-map)#set peer 209.165.200.226
    Branch(config-crypto-map)#set transform-set VPN-SET
    Branch(config-crypto-map)#match address 120

d. Bind the VPN-MAP crypto map to the outgoing interface.
    /***** config for CORP *****/
    CORP(config)#interface Serial0/0/0
    CORP(config-if)#crypto map VPN-MAP
    /***** config for Branch *****/
    Branch(config)#interface Serial0/0/0
    Branch(config-if)#crypto map VPN-MAP

e. Configure IPsec parameters on the Branch router using the same parameters as on the CORP router. Note that interesting traffic is defined as the IP traffic from the two LANs. (done above, alongside each CORP step)

f. Save the running-config, then reload both CORP and Branch routers.
    /***** config for CORP *****/
    CORP#copy running-config startup-config
    (press Enter to accept the destination filename)
    CORP#reload
    /***** config for Branch *****/
    Branch#copy running-config startup-config
    (press Enter to accept the destination filename)
    Branch#reload

g. Verify the VPN configuration by conducting an FTP session with the username cisco and the password cisco from the Admin PC to the DMZ Web Svr. To exit the FTP session, type quit. On the Branch router, check that the packets are encrypted.
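Added example, not part of the SBA or its answer key: a small Python model of IOS first-match ACL evaluation that runs the DMZFIREWALL and INCORP entries from Step 5 against the verification tests in Steps 5 c and 5 e, and checks that the two crypto ACLs from Step 7 a are mirror images of each other. The addresses of PC1 (172.16.10.5) and External PC (203.0.113.5) are constructed, since the addressing table is unreadable in this copy.

```python
import ipaddress
# Added model (not from the SBA) of IOS first-match ACL evaluation. An entry is
# (action, protocol, source, destination, dest_port); source and destination use
# the IOS forms "any", "host A.B.C.D" or "A.B.C.D wildcard".
def _matches(spec, ip):
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ip == parts[1]
    base, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = 0xFFFFFFFF ^ wild          # wildcard 1-bits are "don't care"
    return int(ipaddress.IPv4Address(ip)) & care == base & care

def acl_decision(acl, proto, src, dst, dport=None):
    """First matching entry wins; anything left over hits the implicit deny."""
    for action, aproto, asrc, adst, aport in acl:
        if aproto not in ("ip", proto):
            continue
        if not (_matches(asrc, src) and _matches(adst, dst)):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"
# DMZFIREWALL from Step 5 b, applied outbound on Fa0/0 toward the DMZ.
DMZFIREWALL = [
    ("permit", "tcp", "any", "host 10.1.1.2", 80),
    ("permit", "tcp", "198.133.219.32 0.0.0.31", "host 10.1.1.2", 21),
    ("permit", "tcp", "any", "host 10.1.1.5", 53),
    ("permit", "udp", "any", "host 10.1.1.5", 53),
    ("permit", "ip", "172.16.25.0 0.0.0.255", "10.1.1.0 0.0.0.255", None),
]
# INCORP from Step 5 d, applied inbound on S0/0/0 from the Internet.
INCORP = [
    ("permit", "tcp", "any", "host 209.165.200.241", 80),
    ("permit", "tcp", "any", "host 209.165.200.242", 53),
    ("permit", "udp", "any", "host 209.165.200.242", 53),
    ("permit", "tcp", "198.133.219.32 0.0.0.31", "host 209.165.200.226", 22),
    ("permit", "ip", "host 198.133.219.2", "host 209.165.200.226", None),
    ("permit", "ip", "198.133.219.32 0.0.0.31", "209.165.200.240 0.0.0.15", None),
]
ADMIN_PC, NET_ADMIN = "198.133.219.35", "172.16.25.5"   # from the ACL 12 entries
PC1, EXTERNAL_PC = "172.16.10.5", "203.0.113.5"         # constructed addresses

def verification_tests():
    """The Step 5 c and 5 e checks as ACL decisions ('permit' or 'deny')."""
    return {
        "adminpc_http_dmz": acl_decision(DMZFIREWALL, "tcp", ADMIN_PC, "10.1.1.2", 80),
        "adminpc_ftp_dmz": acl_decision(DMZFIREWALL, "tcp", ADMIN_PC, "10.1.1.2", 21),
        "netadmin_ftp_dmz": acl_decision(DMZFIREWALL, "tcp", NET_ADMIN, "10.1.1.2", 21),
        "pc1_ftp_dmz": acl_decision(DMZFIREWALL, "tcp", PC1, "10.1.1.2", 21),
        "adminpc_ssh_corp": acl_decision(INCORP, "tcp", ADMIN_PC, "209.165.200.226", 22),
        "externalpc_ssh_corp": acl_decision(INCORP, "tcp", EXTERNAL_PC, "209.165.200.226", 22),
    }

def crypto_acls_mirror(corp_ace, branch_ace):
    """Step 7 a: the Branch crypto ACL must swap CORP's source and destination."""
    return corp_ace[2] == branch_ace[3] and corp_ace[3] == branch_ace[2]
```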
