
CCNA SECURITY LAB GUIDE

LAB SECURITY_2: NTP SERVER CONFIGURATION AND VERIFICATION

Network devices need to be accurately synchronized with a reliable time source such as an
NTP server. This matters because we want to be confident that logging information and
timestamps carry the correct time and date.

The router can be synchronized with a public NTP server. This keeps the router's time
continuously synchronized, but by itself it does not make the router an NTP server for
internal hosts; the internal hosts are then synchronized with the router.

Note that here the loopback adapter reaches the Internet through the Ethernet LAN card of the
local host, so the NTP server (R1) can be updated from a server located on the Internet.
Complete the following steps before opening GNS3:

Find your host Ethernet Adapter > Right click on it > Properties

Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved

FULL VIRTUALIZED LAB

YOU WILL GET THE REAL FLAVOUR
Just 15 USD. Payment method is PayPal.
PDF copy is available.

Go to the Sharing tab.

Check the option as shown and select your Loopback Adapter. Here I have renamed it to
Virtual Adapter. At the end I will show you how to add a Loopback Adapter to your PC.

The final window looks as follows. Now click OK.


Finally, note the IP address of your Loopback Adapter. It will be the default gateway for your
routers, as shown in the GNS3 figure below.

Now I will describe how to add a Loopback Adapter on a Windows 7 host.

1. Go to Computer > right-click on Computer > Properties

2. Device Manager > right-click on your PC (here Ashish-PC) > Add legacy hardware


Click Next

Click Next (nothing to change here)

Click Next


Select Network Adapters > Next

Wait a moment. A window will appear; select Microsoft from the left panel and then select
Microsoft Loopback Adapter from the right panel, as shown in the figure.


Click Next

Click Next > then Finish


After a reboot you can use your Loopback Adapter.

Configuration of Router R1 (For Internet Access through Loopback Adapter)


R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.137.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.137.1
R1(config)#ip domain-lookup
R1(config)#ip name-server 8.8.8.8
R1(config)#exit

A brief discussion:

The ip domain-lookup command enables DNS host-name-to-IP-address translation, so the
router can resolve domain names.

The ip name-server command defines the DNS server that the router queries for unknown
hosts; here 8.8.8.8 takes care of Internet name resolution.
From this point any DNS request is forwarded to 8.8.8.8, with the Cisco router acting as the
"middle man" between the client and the DNS server.


This is a convenient way to use a Cisco router as a DNS server, and it saves money because
no additional device is needed.

Verification

Ping Google from R1 to confirm that R1 is connected to the Internet.

Configuration on R2
R2#conf t
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip address 172.16.10.2 255.255.255.0
R2(config-if)#no shutdown

OSPF Configuration (dynamic routing)


R2(config)#router ospf 1
R2(config-router)#network 172.16.10.0 0.0.0.255 area 0
R2(config-router)#exit
R2(config)#ip domain-lookup
R2(config)#ip name-server 8.8.8.8

OSPF Configuration on R1
R1(config)#router ospf 1
R1(config-router)#network 172.16.10.0 0.0.0.255 area 0
R1(config-router)#default-information originate
R1(config-router)#end

By default an OSPF router does not generate a default route into the OSPF domain. For OSPF
to advertise a default route you must use the default-information originate command.

Configure NAT on R1 so that R2 can reach the Internet


R1(config)#interface fastEthernet 0/1


R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#access-list 1 permit 172.16.10.0 0.0.0.255
R1(config)#ip nat inside source list 1 interface fastEthernet 0/0 overload

Verification
Ping Google from R2 to confirm that R2 is connected to the Internet.

NTP Configuration
First we check the time on the R1 router
R1#show clock detail
*00:18:45.843 UTC Fri Mar 1 2002
No time source

Now we point R1 at an NTP server on the Internet


R1#conf t
R1(config)#ntp source fastEthernet 0/1
R1(config)#ntp master 2

This makes R1 an NTP master at stratum 2, because it is one NTP hop further away from the reference source.
R1(config)#ntp server pool.ntp.org
Translating "pool.ntp.org"...domain server (8.8.8.8) [OK]

Check the time again


R1#show clock detail
11:46:54.831 UTC Thu Jan 4 2018
Time source is NTP


We can see that R1's time is synchronized with the Internet NTP server.
Run show ntp associations on R1 to verify the association.

Configuration on R2
Here we configure R2 to use R1 as its NTP server, so the local router (R2) synchronizes with R1.
R2(config)#ntp server 172.16.10.1
R2(config)#exit

Verify that R2's clock is now synchronized with R1

R2#show clock detail


.11:47:08.935 UTC Thu Jan 4 2018
Time source is NTP
Fine! Updated!


AUTHENTICATION

NTP authentication is used to prevent tampering with the timestamps on the logs generated by
devices. An attacker targeting NTP would make a rogue host appear to be a valid NTP server;
with authentication, the client only accepts time from a server that knows the shared key.
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 cisco123
R1(config)# ntp trusted-key 1

R2(config)# ntp authenticate


R2(config)# ntp authentication-key 1 md5 cisco123
R2(config)# ntp trusted-key 1
R2(config)# ntp server 172.16.10.1 key 1

Parameters

key-id: Specifies an ID for an authentication key. The range is from 1 through 65535.

md5 md5-string: Specifies the key string for the MD5 message-digest algorithm. The string
can be a maximum of 15 ASCII characters.

ntp trusted-key: Marks a configured key as trusted. A peer must authenticate with one of the
trusted keys before the router will synchronize with it.
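To make the "ntp authentication-key ... md5" and "ntp trusted-key" commands concrete, the following Python script (an added example, not part of this lab guide or of Cisco IOS) models NTP symmetric-key authentication: the 48-byte NTP header is followed by a 4-byte key id and an MD5 digest computed over key || header, which is the scheme NTPv3/v4 symmetric-key authentication uses. The key table, the packet contents and the timestamps are constructed values for the demonstration; the verify function mirrors what a client with "ntp authenticate" does, rejecting unauthenticated packets, packets signed with an untrusted key id, and packets whose contents were altered in transit.

```python
import hashlib
import hmac
import struct

# Constructed key table modelled on the lab: "ntp authentication-key 1 md5 cisco123"
# and "ntp trusted-key 1". Key 2 is configured but NOT trusted, to show the difference.
KEYS = {1: b"cisco123", 2: b"old-key-99"}
TRUSTED_KEY_IDS = {1}

NTP_HEADER_LEN = 48            # fixed NTP header; key id + digest follow it
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def ntp_timestamp(unix_seconds):
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return struct.pack("!II", whole & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_server_reply(stratum, transmit_unix_time):
    """Build a minimal NTPv4 server-mode header (48 bytes, no MAC yet)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4                     # LI=0, version 4, mode 4 = server
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll 2^6, precision 2^-20
    header += struct.pack("!II", 0, 0)                       # root delay, root dispersion
    header += b"GPS\x00"                                     # reference identifier (constructed)
    header += b"\x00" * 24                                   # reference, originate, receive timestamps
    header += ntp_timestamp(transmit_unix_time)              # transmit timestamp (bytes 40..47)
    assert len(header) == NTP_HEADER_LEN
    return header


def sign(header, key_id, keys=KEYS):
    """Append the symmetric-key MAC: 4-byte key id followed by MD5(key || header)."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys=KEYS, trusted=TRUSTED_KEY_IDS):
    """Accept the packet only if it carries a valid MAC made with a trusted key.

    This is the client-side check that "ntp authenticate" plus "ntp trusted-key" impose:
    unauthenticated packets, unknown or untrusted key ids, and bad digests are rejected.
    """
    if len(packet) != NTP_HEADER_LEN + 4 + 16:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted or key_id not in keys:
        return False
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, mac[4:])


def tamper_transmit_time(packet, new_unix_time):
    """Rewrite the transmit timestamp in flight without updating the MAC (a forged time)."""
    return packet[:40] + ntp_timestamp(new_unix_time) + packet[NTP_HEADER_LEN:]


if __name__ == "__main__":
    reply = sign(build_server_reply(2, 1515066414.0), 1)   # constructed time, Jan 2018
    print("genuine reply accepted:", verify(reply))
    print("forged time accepted:", verify(tamper_transmit_time(reply, 1515066414.0 + 3600)))
    print("untrusted key accepted:", verify(sign(build_server_reply(2, 1515066414.0), 2)))
```

The digest is compared with hmac.compare_digest so that verification time does not leak how many bytes matched. Note that this scheme authenticates the server and protects integrity, but MD5 with a 15-character key is only as strong as the key; the key material itself should be treated like a password.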

LAB 4: How to Configure ASA on GNS3

I have used:

- Cisco ASA 8.4.2
- GNS3 Version 1.3.3
- asa842-initrd.gz and asa842-vmlinuz
- Java JDK 6

First right-click on GNS3 > Run as Administrator, then go to Edit > Preferences.

Click on QEMU > Check mark on Use the local server > OK

Now Click on QEMU VMs > New


Now select Type: ASA 8.4(2)

In the Name field give a name as follows > Next

Keep the defaults and click Next


Browse to the image file (keep the image file on a drive other than C:)

Select as following


Click 'No'

Repeat this for the second image file as follows


Click on “No”


Finally it will look as follows

Now click on Apply > Ok


Drag and drop the ASA into the right panel > click on the Start button (green arrow)

Now click on Console

The following will appear after booting the ASA


Now we need to activate the ASA. Follow the commands and enter the activation key as shown
in the following steps.


After the reload the following will appear. The ASA is now ready to use.


Add ASDM and connect your ASA

Follow the steps below to do this:

- Add a loopback adapter to your computer and assign it the IP address 192.168.10.1/24.
- Drag and drop 'Cloud' onto the GNS3 workspace and connect it to an Ethernet switch.
- Right-click on 'Cloud' and add the loopback adapter.
- Open a console on the ASA and run the following commands:


ciscoasa# config terminal
ciscoasa(config)# interface GigabitEthernet1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.10.5 255.255.255.0
ciscoasa(config-if)# no shut

- Now ping your computer's loopback IP from the ASA, and ping the ASA from your PC, to
verify that connectivity works.
- Download ASDM (asdm-649.bin).
- Install a TFTP server on your local PC and place the above file in its root directory.

Now upload the asdm-649.bin to the ASA flash using the below commands:

ciscoasa# copy tftp: flash:

Address or name of remote host? 192.168.10.1

Source filename? asdm-649.bin

Destination filename [asdm-649.bin]? press Enter

Accessing tftp://192.168.10.1/asdm-649.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
18927088 bytes copied in 143.10 secs (132357 bytes/sec)

Enter the commands to load ASDM on the ASA and enable http server:

ciscoasa(config)# asdm image flash:asdm-649.bin

ciscoasa(config)# http server enable

ciscoasa(config)# http 192.168.10.5 255.255.255.0 inside

ciscoasa(config)# username admin password admin123 privilege 15

ciscoasa(config)# write memory

On the local PC, open a browser and go to https://192.168.10.5


Click 'Run ASDM' and log in with the username and password.


LAB 5: ASA Basic Security-level Configuration

Security levels are applied to an interface to describe its level of trust.

The following security levels are used on the Cisco ASA:

Security level 100: The highest possible level and the most trusted; it is used by the inside
interface by default.

Security level 0: The lowest possible level and the least trusted; it is used by the outside
interface by default.

Security levels 1-99: Can be assigned to any other interface on the ASA. The inside is
typically 100, the outside is 0, and the DMZ interface is 50.

We can create as many security levels as we want!

An interface with a high security level can access an interface with a low security level, but
the other way around is not possible unless we configure an access-list.


ciscoasa# conf t

ciscoasa(config)# hostname Venus

Venus(config)# interface gigabitEthernet 1


Venus(config-if)# description INSIDE INTERFACE_ INTERNAL NETWORK

Venus(config-if)# nameif inside

Venus(config-if)# security-level 100

Venus(config-if)# ip address 192.168.10.1 255.255.255.0


Venus(config-if)# no shutdown

Venus(config-if)# exit

Venus(config)# interface gigabitEthernet 0

Venus(config-if)# description OUTSIDE Interface

Venus(config-if)# nameif outside


Venus(config-if)# security-level 0

Venus(config-if)# ip address 103.13.148.1 255.255.255.252

Venus(config-if)# no shutdown

Venus(config-if)# exit

Venus(config)# interface gigabitEthernet 2

Venus(config-if)# description DMZ Interface

Venus(config-if)# nameif dmz

Venus(config-if)# security-level 50
Venus(config-if)# ip address 172.16.10.1 255.255.255.0

Venus(config-if)# no shutdown
Venus(config-if)#

Router Configuration

R1#conf t
R1(config)#hostname ISP

ISP(config)#interface fastEthernet 0/0


ISP(config-if)#description ISP>Firewall ASA Interface

ISP(config-if)#ip address 103.13.148.2 255.255.255.252


ISP(config-if)#no shutdown
ISP(config-if)#exit

ISP(config)#interface fastEthernet 0/1

ISP(config-if)#ip address 10.10.10.1 255.255.255.0


ISP(config-if)#description Global Internet
ISP(config-if)#no shutdown

ISP(config-if)#exit

ASA static routes

1. Default static route for Internet access, and

2. Normal static route

Its configuration differs slightly from that on a Cisco router.

The format of the static route command is:

ASA(config)# route [interface name] [destination address] [netmask] [gateway]

- A static route is created manually by a network administrator.

- A default route (also known as the gateway of last resort) is a special type of static route.
It specifies the path to use when the router has no specific route to the destination.

Configure Default Route on ASA going to Internet

Venus(config)# route outside 0.0.0.0 0.0.0.0 103.13.148.2

Configure Static Routes on ISP Router to inside Network and DMZ

ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1

ISP(config)#ip route 172.16.10.0 255.255.255.0 103.13.148.1

Now we assign IP addresses to all PCs and ping every host from the ASA as follows:

Venus(config)# ping 10.10.10.10

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/90/120 ms


Venus(config)# ping 192.168.10.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:


!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Venus(config)# ping 172.16.10.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

By default ping is disabled from inside to outside, so we create an ACL to permit ICMP
from inside to outside.

Venus(config)# access-list inside-in permit icmp any any


Venus(config)# access-list inside-in permit tcp any any
Venus(config)# access-list inside-in permit ip any any

Venus(config)# access-list outside-in permit icmp any any echo-reply

Apply these to the ASA interfaces

Venus(config)# access-group inside-in in interface inside

Venus(config)# access-group outside-in in interface outside

C:\> ping 172.16.10.2 (Inside to Outside)

Reply from 10.10.10.10: bytes=32 time<1ms TTL=128


Reply from 10.10.10.10: bytes=32 time<1ms TTL=128

Reply from 10.10.10.10: bytes=32 time<1ms TTL=128


Reply from 10.10.10.10: bytes=32 time<1ms TTL=128

Now we ping from the outside host to the inside host...

Not successful, right? We never allowed outside users to send ICMP to inside hosts (only
echo replies are permitted in).


N.B. Same security level

What if two interfaces have the same security level? The default behaviour is to deny traffic
between interfaces with the same security level. This can be changed with the
same-security-traffic permit inter-interface command, which allows traffic between all
interfaces of the same level.
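The rules stated in this lab (higher level to lower level allowed by default, lower to higher only with an access-list, same level denied unless same-security-traffic permit inter-interface is set, and an applied access-group ending in an implicit deny) can be written down as a small decision procedure. The Python model below is an added example, not Cisco code or part of this guide; the Asa class, the ACE tuple layout and the interface names are constructed for the illustration, using the lab's inside/outside/dmz levels and its inside-in and outside-in ACLs as sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One access-control entry, constructed model:
# (action, protocol, source, destination, icmp_type); "any" / None match everything.
Ace = Tuple[str, str, str, str, Optional[str]]


@dataclass
class Asa:
    levels: Dict[str, int]                                           # nameif -> security-level
    access_groups: Dict[str, List[Ace]] = field(default_factory=dict)  # inbound ACL per nameif
    same_security_inter_interface: bool = False                      # same-security-traffic permit inter-interface


def acl_lookup(aces, proto, src, dst, icmp_type):
    """First-match ACL evaluation with the implicit deny at the end of every ASA ACL."""
    for action, a_proto, a_src, a_dst, a_type in aces:
        if a_proto not in ("ip", proto):
            continue
        if a_src not in ("any", src) or a_dst not in ("any", dst):
            continue
        if a_type is not None and a_type != icmp_type:
            continue
        return action, f"matched '{action} {a_proto} {a_src} {a_dst}{' ' + a_type if a_type else ''}'"
    return "deny", "implicit deny at end of ACL"


def decide(asa, ingress, egress, proto, src="any", dst="any", icmp_type=None):
    """Return (action, reason) for a new flow entering on `ingress` bound for `egress`."""
    # An access-group applied inbound replaces the security-level default for that interface.
    if ingress in asa.access_groups:
        action, why = acl_lookup(asa.access_groups[ingress], proto, src, dst, icmp_type)
        return action, f"access-group on {ingress}: {why}"
    lvl_in, lvl_out = asa.levels[ingress], asa.levels[egress]
    if lvl_in > lvl_out:
        return "permit", f"{ingress}({lvl_in}) -> {egress}({lvl_out}): higher to lower is allowed by default"
    if lvl_in == lvl_out:
        if asa.same_security_inter_interface:
            return "permit", "same security level and same-security-traffic permit inter-interface is set"
        return "deny", "same security level is denied by default"
    return "deny", f"{ingress}({lvl_in}) -> {egress}({lvl_out}): lower to higher needs an access-list"


# Sample data constructed from the lab topology: inside 100, outside 0, dmz 50.
LAB_ASA = Asa(levels={"inside": 100, "outside": 0, "dmz": 50})

# The same topology after the lab's inside-in and outside-in ACLs are applied.
LAB_ASA_WITH_ACLS = Asa(
    levels={"inside": 100, "outside": 0, "dmz": 50},
    access_groups={
        "inside": [("permit", "icmp", "any", "any", None),
                   ("permit", "tcp", "any", "any", None),
                   ("permit", "ip", "any", "any", None)],
        "outside": [("permit", "icmp", "any", "any", "echo-reply")],
    },
)

if __name__ == "__main__":
    for ingress, egress, proto, itype in [("inside", "outside", "tcp", None),
                                          ("outside", "inside", "tcp", None),
                                          ("dmz", "inside", "tcp", None),
                                          ("outside", "inside", "icmp", "echo"),
                                          ("outside", "inside", "icmp", "echo-reply")]:
        print(ingress, "->", egress, proto, itype or "", decide(LAB_ASA_WITH_ACLS, ingress, egress, proto, icmp_type=itype))
```

The model deliberately keeps the ASA's ordering: once an access-group is bound to the ingress interface, the ACL (with its implicit deny) decides, which is why the outside-in ACL lets echo replies through to the inside host while an inbound echo from the outside host is still dropped.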

LAB 6. ASA Management (with the Previous Figure and Configuration)

The ASA supports remote administration through SSH and Telnet. Telnet was designed to work
within a private network, not across a public network where threats can appear; because of
this, all of its data is transmitted in plain text, including passwords. This is a major
security issue, and the developers of SSH used encryption to make it much harder for others to
sniff the password and other sensitive information.

Secure Shell (SSH) is a protocol that provides secure remote access to network devices.
Communication between the client and the server is encrypted in SSH.


SSH uses cryptographic technology for privacy (encryption), origin authentication
(public/private key pairs), and data integrity (hash algorithms). The same principle applies
when HTTPS is used instead of HTTP for GUI access to the device.

There are two versions, version 1 and version 2. Version 2 is more secure and is the one
commonly used.

Step 1: Create a username and password to manage the ASA with SSH/Telnet/ASDM

Venus(config)# username ashish password cisco123 privilege 15

Step 2: Generate an RSA key pair for SSH; it is used to secure the traffic between the user and the ASA

Ashish(config)# crypto key generate rsa modulus 1024


INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...

Step 3: Use the username created previously to connect to the ASA with SSH

Ashish(config)# aaa authentication ssh console LOCAL


Local AAA means that AAA is performed without an external database: the username and
password we authenticate with are part of the security appliance's configuration.

Step 4: Define the IP addresses that are allowed to connect to the ASA

Ashish(config)# ssh 10.10.10.10 255.255.255.255 outside


Ashish(config)# ssh 192.168.10.2 255.255.255.255 inside

Step 5: Enable ASDM for GUI and define the IP addresses that are allowed to connect to the
ASA with ASDM

Ashish(config)# http server enable

Ashish(config)# aaa authentication http console LOCAL


Ashish(config)# http 192.168.10.0 255.255.255.0 inside

Verification:

1. Verify the LOCAL database


2. Verify SSH access from the outside host: open PuTTY on the desktop

Configure SSH Access on ISP Router

Step 1: Configure hostname and domain name

The name of the RSA keypair will be the hostname and domain name of the router.

ISP(config)#hostname ISPRouter

ISPRouter(config)#ip domain-name ashish.com


Step 2: Create the username and password

ISPRouter(config)#username ashish privilege 15 secret cisco123

Step 2: Generate the RSA keys

ISPRouter(config)#crypto key generate rsa

The name for the keys will be: ISPRouter.ashish.com


Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024


% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Key sizes of 1024 bits or smaller should be avoided. Larger keys take longer to generate but
provide more security.

Step 3: SSH version 1 is the default, so change it to version 2

ISPRouter(config)#ip ssh version 2

Step 4: Set up the line VTY configuration

ISPRouter(config)#aaa new-model

ISPRouter(config)#aaa authentication login default local

ISPRouter(config)#line vty 0 5

ISPRouter(config-line)#transport input ssh


ISPRouter(config-line)#login authentication default

Here AAA uses the local username database for authentication

Step 5: Create enable password

ISPRouter(config)#enable secret cisco123


Step 6: Verify SSH access
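A practical way to check that the settings from this lab and the NTP lab actually made it into a device's configuration is to audit the running-config text. The script below is an added example written for this guide, not Cisco's or the author's code; SAMPLE_CONFIG is a constructed excerpt modelled on the ISPRouter commands above, with a few deliberately weak lines (no "ip ssh version 2", a username stored with "password", an unauthenticated NTP server, and a VTY line that still accepts Telnet) so the audit has findings to report. The check names and output wording are my own.

```python
import re

# Constructed running-config excerpt modelled on the lab's ISPRouter commands, with a few
# deliberately weak lines mixed in so the audit has something to report.
SAMPLE_CONFIG = """\
hostname ISPRouter
ip domain-name ashish.com
username ashish privilege 15 secret cisco123
username guest privilege 1 password letmein
enable secret cisco123
aaa new-model
aaa authentication login default local
ntp authenticate
ntp authentication-key 1 md5 cisco123
ntp trusted-key 1
ntp server 172.16.10.1 key 1
ntp server 10.10.10.50
line con 0
 login authentication default
line vty 0 4
 transport input ssh
 login authentication default
line vty 5 15
 transport input telnet ssh
"""


def _vty_blocks(lines):
    """Group the indented body lines under each 'line vty ...' header."""
    blocks, current = {}, None
    for line in lines:
        if line.startswith("line "):
            current = line.strip() if line.startswith("line vty") else None
            if current:
                blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks


def audit(config_text):
    """Return a list of findings for an IOS running-config (empty list = all checks passed)."""
    findings = []
    lines = config_text.splitlines()
    top = [l for l in lines if l and not l.startswith(" ")]   # global config lines only

    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 is missing: SSH version 1 is still accepted")
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("enable secret is missing: privileged EXEC is not protected by a hashed secret")
    if "aaa new-model" not in top or not any(l.startswith("aaa authentication login ") for l in top):
        findings.append("AAA login authentication is not configured")
    for l in top:
        m = re.match(r"username (\S+) .*\bpassword\b", l)
        if m:
            findings.append(f"username {m.group(1)} is stored with 'password' instead of 'secret'")
    ntp_auth_on = "ntp authenticate" in top
    for l in top:
        m = re.match(r"ntp server (\S+)", l)
        if m and (not ntp_auth_on or re.search(r"\bkey \d+", l) is None):
            findings.append(f"ntp server {m.group(1)} is not authenticated (missing key or ntp authenticate)")
    for name, body in _vty_blocks(lines).items():
        transports = [b for b in body if b.startswith("transport input")]
        actual = transports[0] if transports else "(unset)"
        if actual != "transport input ssh":
            findings.append(f"{name}: '{actual}' should be 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Each finding corresponds to one of the hardening steps in this lab or the NTP lab, so the script doubles as a checklist: run it against "show running-config" output saved to a file and fix the lines it names.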


AND MANY MORE LABS: WITH EASY EXPLANATION

Contents

LAB 1: Securing Passwords ...... 6
LAB 2: Secure Device Access with configuring privilege levels ...... 10
LAB 3: CONFIGURING SSH ON CISCO Devices ...... 13

LAB 4: Configuring SNMPV3 ...... 18
LAB 5: NTP SERVER CONFIGURATION AND VERIFICATION ...... 24
LAB 6: Configure routers to use Cisco Access Control Server (ACS) and TACACS+ Authentication ...... 35
LAB 7: Configure ACL and Block Web Sites ...... 57
LAB 8: Role-based access control (RBAC) ...... 62
LAB 9: Configure RIP Authentication ...... 66
LAB 10: EIGRP Authentication ...... 71
LAB 11: OSPF Authentication ...... 73
LAB 12: How to Configure ASA on GNS3 ...... 77
LAB 13: ASA Basic Security-level Configuration ...... 90
LAB 14: ASA Management ...... 94
LAB 15: ASA Access Control List ...... 98
LAB 16: ASA Object Groups ...... 103
LAB 17: Static NAT Configuration on ASA ...... 108
LAB 18: Static NAT with multiple outside IP addresses ...... 110
LAB 19: Static NAT to Multiple Services on same Outside IP Address such as HTTP, HTTPS, TELNET, SSH, etc. ...... 115
LAB 20: Dynamic NAT, Many-to-one NAT ...... 120
LAB 21: Dynamic NAT (Many to Many) ...... 122
LAB 22: PAT Configuration ...... 124
LAB 23: Static NAT Port Forwarding on ASA ...... 126
LAB 24: ASA Active/Standby Failover Configuration ...... 131
LAB 25: ASA Security Contexts (Virtualization) ...... 137
LAB 26: Port Security of Switch ...... 148

LAB 27: Configure BPDU Guard on Cisco Switch ...... 155
LAB 28: Configure Root Guard on Cisco Switch ...... 156
LAB 29: DHCP Snooping ...... 159
LAB 30: Configuration of IPSEC VPN between two ASA ...... 166
LAB 31: IPSec SITE-TO-SITE VPN BETWEEN TWO CISCO ROUTERS ...... 190
LAB 32: Clientless SSL VPN Remote Access (using a web browser) ...... 195
LAB 33: SSL or IPsec (IKEv2) VPN Remote Access (using Cisco AnyConnect client) ...... 211
LAB 34: Configure GRE Tunnel ...... 229
LAB 35: IPS/IDS ...... 232
LAB 36: PRIVATE VLAN ...... 250

(255 pages in total)
