
PT Activity: Configure a Network for Secure Operation

Topology Diagram

Addressing Table
Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      Fa0/1          192.168.1.1   255.255.255.0    N/A              S1 Fa0/5
R1      S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
R3      Fa0/1          192.168.3.1   255.255.255.0    N/A              S3 Fa0/5
R3      S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.5   255.255.255.0    192.168.1.1      S1 Fa0/6
PC-B    NIC            192.168.1.6   255.255.255.0    192.168.1.1      S2 Fa0/18
PC-C    NIC            192.168.3.5   255.255.255.0    192.168.3.1      S3 Fa0/6

All contents are Copyright © 1992–2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.


Learning Objectives

• Secure the routers with strong passwords, password encryption and a login banner.
• Secure the console and VTY lines with passwords.
• Configure local AAA authentication.
• Configure SSH server.
• Configure router for syslog.
• Configure router for NTP.
• Secure the router against login attacks.
• Configure CBAC and ZPF firewalls.
• Secure network switches.

Introduction

In this comprehensive practice activity, you will apply a combination of security measures that were introduced in the course. These measures are listed in the objectives.

In the topology, R1 is the edge router for Company A while R3 is the edge router for Company B. These networks are interconnected via the R2 router, which represents the ISP. You will configure various security features on the routers and switches for Company A and Company B. Not all security features will be configured on R1 and R3.

The following preconfigurations have been made:

• Hostnames on all devices
• IP addresses for all devices
• R2 console password: ciscoconpa55
• R2 password on VTY lines: ciscovtypa55
• R2 enable password: ciscoenpa55
• Static routing
• Syslog server on PC-B
• DNS lookup has been disabled
• IP default gateways for all switches

Task 1: Test Connectivity and Verify Configurations

Step 1. Verify IP addresses.

Step 2. Verify routing tables.

Step 3. Test connectivity.
From PC-A, ping PC-C at IP address 192.168.3.5.

Task 2: Secure the Routers

Step 4. Set a minimum password length of 10 characters on routers R1 and R3.

Step 5. Configure an enable secret password on routers R1 and R3.
Use an enable secret password of ciscoenpa55.

Step 6. Encrypt plaintext passwords.

Step 7. Configure the console lines on R1 and R3.
Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.

Step 8. Configure vty lines on R1.
Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the login authentication to use the default AAA list to be defined later.
Note: The vty lines on R3 will be configured for SSH in a later task.

Step 9. Configure login banner on R1 and R3.
Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that says: "No Unauthorized Access!"

Task 3: Configure Local Authentication on R1 and R3

Step 10. Configure the local user database.
Create a local user account of Admin01 with a secret password of Admin01pa55.

Step 11. Enable AAA services.

Step 12. Implement AAA services using the local database.
Create the default login authentication method list using local authentication with no backup method.

Task 4: Configure NTP

Step 13. Enable NTP authentication on PC-A.
On PC-A, choose the Config tab, and then the NTP button. Select On for NTP service. Enable authentication and enter a Key of 1 and a password of ciscontppa55.

Step 14. Configure R1 as an NTP client.
Configure NTP authentication Key 1 with a password of ciscontppa55. Configure R1 to synchronize with the NTP server and authenticate using Key 1.

Step 15. Configure routers to update the hardware clock.
Configure the routers to periodically update the hardware clock with the time learned from NTP.

Task 5: Configure R1 as Syslog Client

Step 16. Configure R1 to timestamp log messages.
Configure timestamp service for logging on the routers.

Step 17. Configure R1 to log messages to the syslog server.
Configure the routers to identify the remote host (syslog server) that will receive logging messages. You should see a console message similar to the following:
SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.6 port 514 started - CLI initiated
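The configuration below is an added worked example for Tasks 2 through 5 on R1; it is not part of the original activity or its answer key. It assumes standard IOS syntax, vty lines 0 to 4, and the addresses from the addressing table (PC-A 192.168.1.5 as NTP server, PC-B 192.168.1.6 as syslog server). R3 takes the same Task 2 and Task 3 commands except the vty block, which Task 7 replaces with SSH-only lines.

```cisco
! R1, Tasks 2 to 5 (Steps 4 to 17). Added example, not the activity's own text.
R1# configure terminal
! Step 4: the minimum applies to passwords configured from now on, not to
! ones already present in the configuration.
R1(config)# security passwords min-length 10
! Step 5: stored as a salted hash, unlike 'enable password'.
R1(config)# enable secret ciscoenpa55
! Step 6: type 7 obfuscation of the line passwords below. It is reversible,
! so the running-config still has to be handled as a secret.
R1(config)# service password-encryption
! Step 9: MOTD banner. '$' is only the delimiter and must not occur in the text.
R1(config)# banner motd $No Unauthorized Access!$
! Step 7: console line.
R1(config)# line console 0
R1(config-line)# password ciscoconpa55
R1(config-line)# login
R1(config-line)# exec-timeout 5 0
R1(config-line)# logging synchronous
R1(config-line)# exit
! Steps 10 to 12 are done before Step 8: 'login authentication' is only
! accepted on a line once 'aaa new-model' is on. From that point the default
! list (local users, no fallback) authenticates every line, console included,
! and the line passwords above are no longer consulted for login.
R1(config)# username Admin01 secret Admin01pa55
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
! Step 8: vty lines (0 to 4 assumed).
R1(config)# line vty 0 4
R1(config-line)# password ciscovtypa55
R1(config-line)# exec-timeout 5 0
R1(config-line)# login authentication default
R1(config-line)# exit
! Steps 14 and 15: authenticated NTP to PC-A (192.168.1.5 per the addressing
! table). Without 'ntp trusted-key' the server's authenticated packets are ignored.
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 ciscontppa55
R1(config)# ntp trusted-key 1
R1(config)# ntp server 192.168.1.5 key 1
R1(config)# ntp update-calendar
! Steps 16 and 17: timestamped syslog to PC-B (192.168.1.6), UDP/514 by default.
R1(config)# service timestamps log datetime msec
R1(config)# logging host 192.168.1.6
R1(config)# end
```

Two things the activity does not spell out: once aaa new-model is enabled, the console password from Step 7 stops being the console's login check (the Admin01 local account is), and on IOS releases that support it, enable algorithm-type scrypt secret is preferable to the MD5-based enable secret.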

Step 18. Check for syslog messages on PC-B.
On R1, exit config mode to generate a syslog message. Open the syslog server on PC-B to view the message sent from R1. You should see a message similar to the following on the syslog server:
%SYS-5-CONFIG_I: Configured from console by console

Task 6: Secure Router Against Login Attacks

Step 19. Log unsuccessful login attempts to R1.

Step 20. Telnet to R1 from PC-A.
Telnet from PC-A to R1 and provide the username Admin01 and password Admin01pa55. The Telnet should be successful.

Step 21. Telnet to R1 from PC-A and check syslog messages on the syslog server.
Exit from the current Telnet session and Telnet again to R1 using the username of baduser and any password. Check the syslog server on PC-B. You should see an error message similar to the following that is generated by the failed login attempt:
SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:baduser] [Source:192.168.1.5] [localport:23] [Reason:Invalid login] at 18:51:23 UTC Wed June 17 2009

Task 7: Configure SSH on R3

Step 22. Configure a domain name.
Configure a domain name of ccnasecurity.com on R3.

Step 23. Configure the incoming vty lines on R3.
Use the local user accounts for mandatory login and validation and accept only SSH connections.

Step 24. Configure an RSA encryption key pair for R3.
Any existing RSA key pairs should be erased on the router. If there are no keys currently configured, a message will be displayed indicating this. Configure the RSA keys with a modulus of 1024.

Step 25. Configure SSH timeouts and authentication parameters.
Set the SSH timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.

Task 8: Configure CBAC on R1

Step 26. Configure a named IP ACL.
Create an IP ACL named OUT-IN to block all traffic originating from the outside network. Apply the access list to incoming traffic on interface Serial 0/0/0.

Step 27. Confirm that traffic entering interface Serial 0/0/0 is dropped.
From the PC-A command prompt, ping PC-C. The ICMP echo replies are blocked by the ACL.

Step 28. Create an inspection rule to inspect ICMP, Telnet and HTTP traffic.
Create an inspection rule named IN-OUT-IN to inspect ICMP, Telnet and HTTP traffic.
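The following is an added worked example for Task 6 on R1 and Task 7 on R3; it is not part of the original activity or its answer key. It assumes standard IOS syntax, vty lines 0 to 4, and that Task 3 (aaa new-model with a local default list and the Admin01 account) has already been applied to R3.

```cisco
! R1, Task 6 (Step 19). Added example, not the activity's own text.
! Failed logins are now reported, which is what produces the
! SEC_LOGIN-4-LOGIN_FAILED message on PC-B for the 'baduser' attempt in Step 21.
R1(config)# login on-failure log
! Not required by the activity, but the usual companion: slow down brute force
! by quieting the vty lines for 60 s after 3 failures inside 30 s.
R1(config)# login block-for 60 attempts 3 within 30

! R3, Task 7 (Steps 22 to 25): SSH-only management access.
R3(config)# ip domain-name ccnasecurity.com
! Step 24: wipe any old pair (IOS asks for confirmation), then generate a fresh one.
! 1024 bits is the activity's value; 2048 or larger is the sensible floor elsewhere.
R3(config)# crypto key zeroize rsa
R3(config)# crypto key generate rsa general-keys modulus 1024
! Step 25: SSH server limits.
R3(config)# ip ssh time-out 90
R3(config)# ip ssh authentication-retries 2
R3(config)# ip ssh version 2
! Step 23: with aaa new-model already on (Task 3), 'login authentication default'
! takes the place of 'login local' and uses the Admin01 account from Step 10.
! 'transport input ssh' is what makes Telnet to 192.168.3.1 fail later.
R3(config)# line vty 0 4
R3(config-line)# login authentication default
R3(config-line)# transport input ssh
R3(config-line)# exec-timeout 5 0
R3(config-line)# end
R3# show ip ssh
```

If R3 were configured without aaa new-model, Step 23 would instead be login local on the vty lines; the result is the same local-database check.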

Step 29. Apply the inspect rule to the outside interface.
Apply the IN-OUT-IN inspection rule to the interface where traffic exits to outside networks.

Step 30. Test operation of the inspection rule.
From the PC-A command prompt, ping PC-C. The ICMP echo replies should be inspected and allowed through.

Task 9: Configure ZPF on R3

Step 31. Test connectivity.
Verify that the internal host can access external resources.
• From PC-C, test connectivity with ping and Telnet to R2; all should be successful.
• From R2, ping PC-C. The pings should be successful.

Step 32. Create the firewall zones.
Create an internal zone named IN-ZONE. Create an external zone named OUT-ZONE.

Step 33. Create an ACL that defines internal traffic.
Create an extended, numbered ACL that permits all IP protocols from the 192.168.3.0/24 source network to any destination. Use 101 for the ACL number.

Step 34. Create a class map referencing the internal traffic ACL.
Create a class map named IN-NET-CLASS-MAP to match ACL 101.

Step 35. Specify firewall policies.
Create a policy map named IN-2-OUT-PMAP to determine what to do with matched traffic. Specify a class type of inspect and reference class map IN-NET-CLASS-MAP. Specify the action of inspect for this policy map. You should see the following console message:
%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected.

Step 36. Apply firewall policies.
Create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created earlier. Attach a policy map and actions to the zone pair referencing the policy map previously created, IN-2-OUT-PMAP. Exit to the global config prompt and assign the internal and external interfaces to the security zones.

Step 37. Test firewall functionality.
Verify that the internal host can still access external resources.
• From PC-C, test connectivity with ping and Telnet to R2; all should be successful.
• From R2, ping PC-C. The pings should now be blocked.

Step 38. Test SSH configuration.
Attempt to connect to R3 via Telnet from PC-C. From PC-C, enter the command to connect to R3 via Telnet at IP address 192.168.3.1. This connection should fail, since R3 has been configured to accept only SSH connections on the virtual terminal lines.
From PC-C, enter the ssh -l Admin01 192.168.3.1 command to connect to R3 via SSH. When prompted for the password, enter the password Admin01pa55 configured for the local administrator.
Use the show ip ssh command to see the configured settings.

Task 10: Secure the Switches

Step 39. Configure an enable secret password on all switches.
Use an enable secret password of ciscoenpa55.

Step 40. Encrypt plaintext passwords.

Step 41. Configure the console lines on all switches.
Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.

Step 42. Configure vty lines on all switches.
Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the basic login parameter.

Step 43. Secure trunk ports on S1 and S2.
Configure port Fa0/1 on S1 as a trunk port. Configure port Fa0/1 on S2 as a trunk port. Verify that S1 port Fa0/1 is in trunking mode. Set the native VLAN on the S1 and S2 trunk ports to an unused VLAN 99. Set the trunk ports on S1 and S2 so that they do not negotiate by turning off the generation of DTP frames. Enable storm control for broadcasts on the S1 and S2 trunk ports with a 50 percent rising suppression level.

Step 44. Secure access ports.
Disable trunking on S1, S2 and S3 access ports. Enable PortFast on S1, S2, and S3 access ports. Enable BPDU guard on the switch ports previously configured as access only. Enable basic default port security on all end-user access ports that are in use. Use the sticky option. Re-enable each access port to which port security was applied. Disable any ports not being used on each switch.
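The following is an added worked example for Task 10 on S1; it is not part of the original activity or its answer key. It assumes a 24-port switch with two Gigabit uplinks, vty lines 0 to 15, and the port usage from the addressing table (S1: Fa0/1 trunk to S2, Fa0/5 to R1, Fa0/6 to PC-A). S2 follows the same pattern with Fa0/1 as trunk and Fa0/18 as the PC-B port; S3 has no trunk and uses Fa0/5 (R3) and Fa0/6 (PC-C).

```cisco
! S1, Task 10 (Steps 39 to 44). Added example, not the activity's own text.
S1(config)# enable secret ciscoenpa55
S1(config)# service password-encryption
S1(config)# line console 0
S1(config-line)# password ciscoconpa55
S1(config-line)# login
S1(config-line)# exec-timeout 5 0
S1(config-line)# logging synchronous
S1(config-line)# line vty 0 15
S1(config-line)# password ciscovtypa55
S1(config-line)# login
S1(config-line)# exec-timeout 5 0
S1(config-line)# exit
! Step 43: trunk to S2. Static trunk, DTP off, unused native VLAN so that
! untagged frames cannot land in a user VLAN, broadcast storm control at 50%.
S1(config)# interface fastethernet 0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# switchport nonegotiate
S1(config-if)# storm-control broadcast level 50
S1(config-if)# exit
! Step 44: access ports in use. 'mode access' disables trunk negotiation;
! PortFast plus BPDU guard err-disables the port if a switch is plugged in.
S1(config)# interface range fastethernet 0/5 - 6
S1(config-if-range)# switchport mode access
S1(config-if-range)# spanning-tree portfast
S1(config-if-range)# spanning-tree bpduguard enable
S1(config-if-range)# exit
! Port security on the end-user port only (Fa0/6, PC-A; Fa0/5 is the router link).
! Defaults are maximum 1 address and violation shutdown, so a second MAC
! err-disables the port, which Step 48 exercises on S2 Fa0/18. The activity asks
! for a shut/no shut afterwards so the attached host's address is picked up.
S1(config)# interface fastethernet 0/6
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# exit
! Everything not in the addressing table goes administratively down.
S1(config)# interface range fastethernet 0/2 - 4, fastethernet 0/7 - 24, gigabitethernet 0/1 - 2
S1(config-if-range)# shutdown
S1(config-if-range)# end
S1# show interfaces trunk
```

Sticky addresses are written into the running-config only; save it, otherwise the learned MAC is gone after a reload and any host will be accepted again on first link-up.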

Task 11: Verification

Step 45. Verify timestamps and NTP status for R1 and PC-A.

Step 46. Test the CBAC firewall on R1.
• Ping from PC-A to R2 at 10.2.2.2 (should succeed).
• Telnet from PC-A to R2 at 10.2.2.2 (should succeed).
• Ping from R2 to PC-A at 192.168.1.5 (should fail).

Step 47. Test the ZPF firewall on R3.
• Ping from PC-C to R2 at 10.2.2.2 (should succeed).
• Telnet from PC-C to R2 at 10.2.2.2 (should succeed).
• Ping from R2 to PC-C at 192.168.3.5 (should fail).
• Telnet from R2 to R3 at 10.2.2.1 (should fail; only SSH is allowed).

Step 48. Verify port security.
On S2, use the show run command to confirm that S2 has added a sticky MAC address for Fa0/18. This should be the MAC address of PC-B. Record the MAC address for later use.
Select PC-B and go to the Config tab. Select FastEthernet under the Interface section. Edit the MAC address field. This should cause a port security violation, and S2 should shut down port Fa0/18.
Use the show interface Fa0/18 command to view the status of the port. The port should be in the err-disabled state.
On PC-B, go to the Config tab. Select FastEthernet under the Interface section. Change the MAC address on the PC back to the original address. Shut down and then re-enable the Fa0/18 interface.
On S2, use the show run command to confirm that the port comes up and that the MAC address has been learned.
Note: If it is desired to reconnect the PC with the original MAC address, you can simply change the MAC address on the PC back to the original one and issue the shutdown and no shutdown commands on port Fa0/18. If the PC or a NIC is being replaced and will have a new MAC address, you must first remove the old learned address. From interface configuration mode on switch S2 for Fa0/18, use the no switchport port-security mac-address sticky address command to remove the original learned address.

Step 49. Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.
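The following is an added set of CLI checks for Task 11; it is not part of the original activity or its answer key, which verifies by pinging and by the Check Results button. All commands are standard IOS show commands (Packet Tracer implements a subset of them); the MAC address 0001.2345.6789 in the last block is a placeholder for the address recorded in Step 48.

```cisco
! Added example, not the activity's own text.
! Step 45: R1 must be synchronized (not just configured) and the key marked trusted.
R1# show ntp status
R1# show ntp associations
R1# show clock
R1# show logging
! Step 46: while PC-A pings or telnets to R2, CBAC holds a session entry; the
! ACL counters show the unsolicited packets from R2 being dropped by OUT-IN.
R1# show ip inspect sessions
R1# show ip access-lists OUT-IN
! Step 47: active ZPF sessions and policy hit counts on the IN->OUT pair.
R3# show zone-pair security
R3# show policy-map type inspect zone-pair IN-2-OUT-ZPAIR sessions
! Step 38 / Step 47: SSH-only vty lines and the live SSH session from PC-C.
R3# show ip ssh
R3# show ssh
! Step 48: sticky address learned, violation count, err-disabled state after the
! MAC change on PC-B.
S2# show port-security interface fastethernet 0/18
S2# show port-security address
S2# show interfaces fastethernet 0/18 status
S2# show running-config interface fastethernet 0/18
! Replacing the NIC: drop the old sticky entry (placeholder MAC), then bounce the port.
S2(config)# interface fastethernet 0/18
S2(config-if)# no switchport port-security mac-address sticky 0001.2345.6789
S2(config-if)# shutdown
S2(config-if)# no shutdown
```

A port left in err-disabled recovers only through the shut/no shut above or, if configured, errdisable recovery cause psecure-violation; simply reverting the PC's MAC address does not bring it back.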