
PT Activity 5.6.1: Packet Tracer Skills Integration Challenge


Topology Diagram

All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

CCNA Exploration Accessing the WAN: ACLs

Addressing Table

Device      Interface  IP Address       Subnet Mask
HQ          S0/0/0     10.1.1.1         255.255.255.252
HQ          S0/0/1     10.1.1.5         255.255.255.252
HQ          S0/1/0     209.165.201.2    255.255.255.252
HQ          Fa0/0      10.1.50.1        255.255.255.0
HQ          Fa0/1      10.1.40.1        255.255.255.0
B1          S0/0/0     10.1.1.2         255.255.255.252
B1          Fa0/0      10.1.10.1        255.255.255.0
B1          Fa0/1      10.1.20.1        255.255.255.0
B2          S0/0/0     10.1.1.6         255.255.255.252
B2          Fa0/0      10.1.80.1        255.255.255.0
B2          Fa0/1      10.1.70.1        255.255.255.0
ISP         S0/0/0     209.165.201.1    255.255.255.252
ISP         Fa0/0      209.165.202.129  255.255.255.252
Web Server  NIC        209.165.202.130  255.255.255.252

Learning Objectives

- Configure PPP with CHAP authentication
- Configure default routing
- Configure OSPF routing
- Implement and verify multiple ACL security policies

Introduction

In this activity, you will demonstrate your ability to configure ACLs that enforce five security policies. In addition, you will configure PPP and OSPF routing. The devices are already configured with IP addressing. The user EXEC password is cisco, and the privileged EXEC password is class.

Task 1: Configure PPP with CHAP Authentication

Step 1. Configure the link between HQ and B1 to use PPP encapsulation with CHAP authentication.

The password for CHAP authentication is cisco123.

    HQ(config)#username B1 password cisco123
    HQ(config)#interface s0/0/0
    HQ(config-if)#encapsulation ppp
    HQ(config-if)#ppp authentication chap
    B1(config)#username HQ password cisco123
    B1(config)#interface s0/0/0
    B1(config-if)#encapsulation ppp
    B1(config-if)#ppp authentication chap

Step 2. Configure the link between HQ and B2 to use PPP encapsulation with CHAP authentication.

The password for CHAP authentication is cisco123.

    HQ(config)#username B2 password cisco123
    HQ(config)#interface s0/0/1
    HQ(config-if)#encapsulation ppp
    HQ(config-if)#ppp authentication chap
    B2(config)#username HQ password cisco123
    B2(config)#interface s0/0/0
    B2(config-if)#encapsulation ppp
    B2(config-if)#ppp authentication chap

Step 3. Verify that connectivity is restored between the routers.

HQ should be able to ping both B1 and B2. The interfaces may take a few minutes to come back up. You can switch back and forth between Realtime and Simulation mode to speed up the process. Another possible workaround to this Packet Tracer behavior is to use the shutdown and no shutdown commands on the interfaces.

Note: The interfaces may go down at random points during the activity because of a Packet Tracer bug. The interface normally comes back up on its own if you wait a few seconds.

Step 4. Check results.

Your completion percentage should be 29%. If not, click Check Results to see which required components are not yet completed.

Task 2: Configure Default Routing

Step 1. Configure default routing from HQ to ISP.

Configure a default route on HQ using the exit interface argument to send all default traffic to ISP.

    HQ(config)#ip route 0.0.0.0 0.0.0.0 s0/1/0

Step 2. Test connectivity to Web Server.

HQ should be able to successfully ping Web Server at 209.165.202.130 as long as the ping is sourced from the Serial0/1/0 interface.

Step 3. Check results.

Your completion percentage should be 32%. If not, click Check Results to see which required components are not yet completed.

Task 3: Configure OSPF Routing

Step 1. Configure OSPF on HQ.

- Configure OSPF using the process ID 1.
- Advertise all subnets except the 209.165.201.0 network.
- Propagate the default route to OSPF neighbors.
- Disable OSPF updates to ISP and to the HQ LANs.

    HQ(config)#router ospf 1
    HQ(config-router)#network 10.1.1.0 0.0.0.3 area 0
    HQ(config-router)#network 10.1.1.4 0.0.0.3 area 0
    HQ(config-router)#network 10.1.40.0 0.0.0.255 area 0
    HQ(config-router)#network 10.1.50.0 0.0.0.255 area 0
    HQ(config-router)#default-information originate
    HQ(config-router)#passive-interface fa0/0
    HQ(config-router)#passive-interface fa0/1
    HQ(config-router)#passive-interface s0/1/0

Step 2. Configure OSPF on B1 and B2.

- Configure OSPF using the process ID 1.
- On each router, configure the appropriate subnets.
- Disable OSPF updates to the LANs.

    B1(config)#router ospf 1
    B1(config-router)#network 10.1.1.0 0.0.0.3 area 0
    B1(config-router)#network 10.1.10.0 0.0.0.255 area 0
    B1(config-router)#network 10.1.20.0 0.0.0.255 area 0
    B1(config-router)#passive-interface fa0/0
    B1(config-router)#passive-interface fa0/1

    B2(config)#router ospf 1
    B2(config-router)#network 10.1.1.4 0.0.0.3 area 0
    B2(config-router)#network 10.1.70.0 0.0.0.255 area 0
    B2(config-router)#network 10.1.80.0 0.0.0.255 area 0
    B2(config-router)#passive-interface fa0/0
    B2(config-router)#passive-interface fa0/1

Step 3. Test connectivity throughout the network.

The network should now have full end-to-end connectivity. All devices should be able to successfully ping all other devices, including Web Server at 209.165.202.130.

Step 4. Check results.

Your completion percentage should be 76%. If not, click Check Results to see which required components are not yet completed.

Task 4: Implement Multiple ACL Security Policies

Step 1. Implement security policy number 1.

Block the 10.1.10.0 network from accessing the 10.1.40.0 network. All other access to 10.1.40.0 is allowed. Configure the ACL on HQ using ACL number 10.

Use a standard or extended ACL? Standard
Apply the ACL to which interface? Fa0/1
Apply the ACL in which direction? Out

    HQ(config)#access-list 10 deny 10.1.10.0 0.0.0.255
    HQ(config)#access-list 10 permit any
    HQ(config)#int fa0/1
    HQ(config-if)#ip access-group 10 out

Step 2. Verify that security policy number 1 is implemented.

A ping from PC5 to PC1 should fail.

Step 3. Check results.

Your completion percentage should be 80%. If not, click Check Results to see which required components are not yet completed.

Step 4. Implement security policy number 2.

Host 10.1.10.5 is not allowed to access host 10.1.50.7. All other hosts are allowed to access 10.1.50.7. Configure the ACL on B1 using ACL number 115.

Use a standard or extended ACL? Extended
Apply the ACL to which interface? Fa0/0
Apply the ACL in which direction? In

    B1(config)#access-list 115 deny ip host 10.1.10.5 host 10.1.50.7
    B1(config)#access-list 115 permit ip any any
    B1(config)#int fa0/0
    B1(config-if)#ip access-group 115 in

Step 5. Verify that security policy number 2 is implemented.

A ping from PC5 to PC3 should fail.

Step 6. Check results.

Your completion percentage should be 85%. If not, click Check Results to see which required components are not yet completed.

Step 7. Implement security policy number 3.

Hosts 10.1.50.1 through 10.1.50.63 are not allowed web access to Intranet server at 10.1.80.16. All other access is allowed. Configure the ACL on the appropriate router and use ACL number 101.

Use a standard or extended ACL? Extended
Configure the ACL on which router? HQ
Apply the ACL to which interface? Fa0/0
Apply the ACL in which direction? In

    HQ(config)#access-list 101 deny tcp 10.1.50.0 0.0.0.63 host 10.1.80.16 eq www
    HQ(config)#access-list 101 permit ip any any
    HQ(config)#interface fa0/0
    HQ(config-if)#ip access-group 101 in

Step 8. Verify that security policy number 3 is implemented.

To test this policy, click PC3, then the Desktop tab, and then Web Browser. For the URL, type in the IP address for the Intranet server, 10.1.80.16, and press Enter. After a few seconds, you should receive a Request Timeout message. PC2 and any other PC in the network should be able to access the Intranet server.

Step 9. Check results.

Your completion percentage should be 90%. If not, click Check Results to see which required components are not yet completed.

Step 10. Implement security policy number 4.

Use the name NO_FTP to configure a named ACL that blocks the 10.1.70.0/24 network from accessing FTP services (port 21) on the file server at 10.1.10.2. All other access should be allowed.

Note: Names are case-sensitive.

Use a standard or extended ACL? Extended
Configure the ACL on which router? B2
Apply the ACL to which interface? Fa0/1
Apply the ACL in which direction? In

    B2(config)#ip access-list extended NO_FTP
    B2(config-ext-nacl)#deny tcp 10.1.70.0 0.0.0.255 host 10.1.10.2 eq ftp
    B2(config-ext-nacl)#permit ip any any
    B2(config-ext-nacl)#interface fa0/1
    B2(config-if)#ip access-group NO_FTP in
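
Added example (not part of the original activity): a small Python model of how the extended ACLs for security policies 3 and 4 are evaluated, showing wildcard-mask matching, first-match ordering and the implicit deny. The parser covers only the rule shapes used in this activity, and the function names are hypothetical.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard mask leaves at 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A W' from tokens; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return ("0.0.0.0", "255.255.255.255")
    if first == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (first, tokens.pop(0))

PORTS = {"www": 80, "ftp": 21}  # the two port keywords this activity uses

def parse_rule(line):
    """Parse '<deny|permit> <ip|tcp> <src> <dst> [eq <port>]'."""
    t = line.split()
    action, proto = t.pop(0), t.pop(0)
    src, dst = parse_addr(t), parse_addr(t)
    port = None
    if t and t[0] == "eq":
        port = PORTS.get(t[1]) or int(t[1])
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; a packet matching no entry is denied."""
    for action, r_proto, r_src, r_dst, r_port in map(parse_rule, acl):
        if r_proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, *r_src) and wildcard_match(dst, *r_dst)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

# Entries copied from the activity's ACL 101 (HQ) and NO_FTP (B2).
ACL_101 = ["deny tcp 10.1.50.0 0.0.0.63 host 10.1.80.16 eq www",
           "permit ip any any"]
NO_FTP = ["deny tcp 10.1.70.0 0.0.0.255 host 10.1.10.2 eq ftp",
          "permit ip any any"]
```

Wildcard 0.0.0.63 frees the low six bits, so ACL 101 stops matching at 10.1.50.64; dropping the final permit entry turns every unmatched packet into a deny.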

Step 11. Check results.

Packet Tracer does not support testing FTP access, so you will not be able to verify this policy. However, your completion percentage should be 95%. If not, click Check Results to see which required components are not yet completed.

Step 12. Implement security policy number 5.

Since ISP represents connectivity to the Internet, configure a named ACL called FIREWALL in the following order:

1. Allow only inbound ping replies from ISP and any source beyond ISP.
2. Allow only established TCP sessions from ISP and any source beyond ISP.
3. Explicitly block all other inbound access from ISP and any source beyond ISP.

Use a standard or extended ACL? Extended
Configure the ACL on which router? HQ
Apply the ACL to which interface? S0/1/0
Apply the ACL in which direction? In

    HQ(config)#ip access-list extended FIREWALL
    HQ(config-ext-nacl)#permit icmp any any echo-reply
    HQ(config-ext-nacl)#permit tcp any any established
    HQ(config-ext-nacl)#deny ip any any
    HQ(config-ext-nacl)#interface s0/1/0
    HQ(config-if)#ip access-group FIREWALL in

Step 13. Verify that security policy number 5 is implemented.

To test this policy, any PC should be able to ping ISP or Web Server. However, neither ISP nor Web Server should be able to ping HQ or any other device behind the ACL.

Step 14. Check results.

Your completion percentage should be 100%. If not, click Check Results to see which required components are not yet completed.
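
Added example (not part of the original activity): the three FIREWALL entries evaluated in order over constructed inbound packets on HQ S0/1/0, plus a check for permitted TCP packets that answer no inside-initiated session. It assumes the IOS behaviour that the established keyword matches any TCP segment with the ACK or RST bit set, a per-packet flag test rather than session tracking; the function names, ports and sample flows are hypothetical.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10       # TCP header flag bits
ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8      # ICMP type numbers

def firewall_inbound(pkt):
    """Apply the FIREWALL entries, top to bottom, to one inbound packet."""
    # permit icmp any any echo-reply
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REPLY:
        return "permit"
    # permit tcp any any established  (ACK or RST bit set)
    if pkt["proto"] == "tcp" and pkt.get("flags", 0) & (ACK | RST):
        return "permit"
    # deny ip any any
    return "deny"

def untracked_permits(inbound, inside_flows):
    """Inbound TCP packets the ACL permits that match no inside-initiated flow.
    inside_flows holds (inside_ip, inside_port, outside_ip, outside_port)."""
    hits = []
    for p in inbound:
        if p["proto"] != "tcp" or firewall_inbound(p) != "permit":
            continue
        if (p["dst"], p["dport"], p["src"], p["sport"]) not in inside_flows:
            hits.append(p)
    return hits

# Constructed sample traffic; only the server addresses come from the activity.
WEB = "209.165.202.130"
INBOUND = [
    {"proto": "icmp", "icmp_type": ICMP_ECHO_REPLY, "src": WEB, "dst": "10.1.50.7"},
    {"proto": "icmp", "icmp_type": ICMP_ECHO, "src": WEB, "dst": "10.1.50.7"},
    {"proto": "tcp", "flags": SYN | ACK, "src": WEB, "sport": 80,
     "dst": "10.1.50.7", "dport": 49152},
    {"proto": "tcp", "flags": SYN, "src": WEB, "sport": 40000,
     "dst": "10.1.80.16", "dport": 80},
    {"proto": "tcp", "flags": ACK, "src": WEB, "sport": 40001,
     "dst": "10.1.80.16", "dport": 80},
]
INSIDE_FLOWS = {("10.1.50.7", 49152, WEB, 80)}  # one session opened from inside

def verdicts():
    """ACL decision for each constructed packet, in order."""
    return [firewall_inbound(p) for p in INBOUND]
```

The last constructed packet is permitted by the flag test although no inside host opened that session, which is the gap stateful inspection closes and the reason to log or review what this entry admits.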
