CCBOOTCAMP
375 N. Stephanie Street
Building 21, Suite 2111
Henderson, NV 89014
1.877.654.2243 Toll Free
www.ccbootcamp.com
“Cisco,” the “Cisco Logo,” “CCNA,” “CCNP,” “CCDP,” “CCDA,” “CCIE,” “Cisco Certified
Network Associate,” “Cisco Certified Design Professional,” “Cisco Certified Design
Associate,” and “Cisco Certified Network Professional” are registered trademarks of
Cisco Systems, Inc. The contents contained herein are not associated with or endorsed by
Cisco Systems, Inc.
PLEASE READ THIS SUBSCRIPTION LICENSE AGREEMENT CAREFULLY BEFORE USING THIS PRODUCT.
THIS SUBSCRIPTION LICENSE AGREEMENT APPLIES TO CCBOOTCAMP’s CCIE Security Technology
Lab Workbook.
BY ORDERING THIS PRODUCT YOU ARE CONSENTING TO BE BOUND BY THIS LICENSING AGREEMENT.
IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS LICENSE, THEN DO NOT PURCHASE THIS
PRODUCT.
License Agreement
Copies of this material in any form or fashion are strictly prohibited. If for any
reason a licensed copy of this material is lost or damaged a new copy will be provided
free of charge, except for the cost of printing, shipping and handling.
Individuals or entities that knowingly violate the terms of this licensing agreement
may be subject to punitive damages that CCBOOTCAMP could seek in civil court. Damages
will be limited to a maximum of $500,000.00 per individual and $2,000,000.00 per
entity. In addition, individuals or entities that knowingly violate the terms of this
license agreement may be subject to criminal penalties as are allowed by law.
This License is effective until terminated. Customer may terminate this License at any
time by destroying all copies of written and electronic material of said product.
Customer's rights under this License will terminate immediately without notice from
CCBOOTCAMP, if Customer fails to comply with any provision of this License. Upon
termination, Customer must destroy all copies of material in its possession or
control. The license for the specific user remains valid from the purchase date until
the user passes their lab exam pertaining to the purchased subscription. Once the
customer passes the relevant lab exam the license is terminated and all material
written or electronic in their possession or control must be destroyed or returned to
CCBOOTCAMP.
Warranty
No warranty of any kind is provided with this product. There are no guarantees that
the use of this product will help a customer pass any exams, tests, or certifications,
or enhance their knowledge in any way. The product is provided on an “AS IS” basis.
In no event will CCBOOTCAMP, its suppliers, or licensed resellers be liable for any
incurred costs, lost revenue, lost profit, lost data, or any other damages regardless
of the theory of liability arising out of use or inability to use this product.
For questions: www.securityie.com
s.f.wb.09.04.sm.r08.09.07.doc
Table of Contents:
1. ASA Firewalls
2. IOS Firewalls
3. VPNs
4. IPS
5. Identity Management
6. Control/Management Plane Security
7. Advanced Security
8. Network Attack Mitigation
racks ACS Server, and SecureCRT from there to open all your
sessions there. Access via RDP is described in the FAQ.
Copyright Information
Copyright © 2009 Network Learning, Inc. All rights
reserved.
Cisco©, Cisco© Systems and CCIE are registered trademarks
of Cisco© Systems.
Task 1.1
Task 1.2
Task 1.3
Task 1.4
Task 1.5
Task 1.6
Task 1.7
Task 1.8
Task 1.9
Task 1.10
Task 1.11
Task 1.12
Task 1.13
Task 1.14
Verify that you can connect to the ASA using ASDM from the
ACS server and with SSH from R4.
Task 1.15
Task 1.16
Task 1.17
Task 1.18
Task 1.19
Task 1.20
Task 1.21
Task 1.22
Task 1.23
Task 1.24
Task 1.25
Task 1.27
Task 1.28
Task 1.29
Task 1.30
Task 1.31
Task 1.32
Task 1.33
Task 1.34
Add a single line to the INSIDE ACL that will block R4 and
SW1 from sending e-mail or DNS to servers outside the local
network.
Task 1.35
Task 1.36
Task 1.37
Task 1.38
Task 1.39
Task 1.40
Task 1.41
Task 1.42
Task 1.43
Task 1.44
Task 1.45
Task 1.46
Task 1.47
Task 1.48
Task 1.49
Task 1.50
Task 1.51
Drop and log outgoing http traffic from the ACS server when
it contains either of the domain names identified by the
regular expressions.
Task 1.52
Task 1.53
Task 1.54
Task 1.55
Task 1.56
Task 1.57
Task 1.58
Task 1.59
Task 1.60
Task 1.61
Task 1.62
Task 1.63
Task 1.64
Task 1.65
Task 1.66
Task 1.67
Task 1.68
Task 1.69
Task 1.70
Task 1.71
Task 1.72
Task 1.73
Task 1.74
Task 1.75
Task 1.76
Task 1.77
Task 1.78
Task 1.79
Task 1.80
Task 1.81
Task 1.1
Task 1.2
Task 1.3
Task 1.4
Task 1.5
Task 1.6
The date and time are set manually with the “clock set”
command.
Task 1.7
Task 1.8
Task 1.9
Task 1.10
Task 1.11
Task 1.12
Task 1.13
Task 1.14
Verify that you can connect to the ASA using ASDM from the
ACS server and with SSH from R4.
First verify that you can connect using ASDM. Get on the
ACS server, open Internet Explorer and go to
. You should get to a page that looks
like the example below. Click on run ASDM applet. Finally,
select yes on all security prompts and if prompted for a
username and password use cisco/cisco.
To verify that you can SSH to the ASA from R4, connect to
R4 and use ssh -l cisco 192.168.2.100 which will connect
using the username “cisco”. When prompted for the password
use “cisco”.
Password: cisco
Type help or '?' for a list of available commands.
ASA1>
Task 1.15
Static routes are done with the “route” command. The order
of the command is route -> interface the traffic will be
sent out of -> destination IP and subnet mask of the traffic
to be routed -> next-hop address. For default routes you can
use the shorthand of 0 0 for the IP and subnet.
Task 1.16
Task 1.17
Task 1.18
R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Task 1.19
ASA1(config)# nat-control
Task 1.20
Then the “global” command is configured with the same NAT ID
that was used to configure the translation. We use the
“interface” keyword, but you could also type an IP address
or a range of IPs.
Task 1.21
Task 1.22
Task 1.23
Task 1.24
Task 1.25
R4#telnet 24.234.0.1
R1#
To see the translation table on the ASA use the “show xlate
detail” command. We can see TCP PAT from R4’s address on
the inside to the ASA’s outside IP. The flags show as “ri”
which indicates a port map and a dynamic translation. We
can also see the static translation for the ACS server
which has the “s” or static flag and the policy NAT which
has the “sr” flags.
Task 1.27
Task 1.28
Task 1.29
Task 1.30
Task 1.31
R4#
Now, on the ASA, further verify that the ACL allowed the
traffic with “show access-list OUTSIDE”. Notice that the
hit count is 1 for the line which permits the telnet
traffic.
Task 1.32
Task 1.33
Task 1.34
Add a single line to the INSIDE ACL that will block R4 and
SW1 from sending e-mail or DNS to servers outside the local
network.
Task 1.35
Task 1.36
Task 1.37
Task 1.38
R2#ping 172.16.22.3
Task 1.39
The pings are being dropped at the firewall even though the
security levels of the DMZ interfaces are both 50. This is
the default behavior of an ASA. For the traffic to be
allowed, you must use the “same-security-traffic” command.
We permit “inter-interface” because the traffic is going
from one interface to another. In this case the
sub-interfaces act as different interfaces even though they
are entering and exiting the same physical interface.
R2#ping 172.16.22.3
Task 1.40
Task 1.41
Task 1.42
Task 1.43
Task 1.44
Task 1.45
R4#ping 24.234.0.1
Task 1.46
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns migrated_dns_map_1, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
R4#ping 24.234.0.1
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: icmp, packet 10, drop 0, reset-drop 0
Task 1.47
Task 1.48
R2#telnet 172.16.22.3
Trying 172.16.22.3 ... Open
User Access Verification
Password:
R3>
R2#show sessions
Conn Host                Address             Byte  Idle Conn Name
*  1 172.16.22.3         172.16.22.3            0     0 172.16.22.3
R2#telnet 172.16.22.3
Trying 172.16.22.3 ...
% Connection timed out; remote host not responding
Further verify by viewing the ASA log. Notice that the per
client max has been exceeded.
Task 1.49
Task 1.50
Test them with the “test” command. Notice that even though
there is a “www.” before the phrase it still matches.
Task 1.51
Drop and log outgoing http traffic from the ACS server when
it contains either of the domain names identified by the
regular expressions.
Task 1.52
Interface inside:
  Service-policy: ACS_HTTP
    Class-map: ACS_HTTP
      Inspect: http ACS_URL, packet 0, drop 0, reset-drop 0
Interface outside:
  Service-policy: R1_ACS
    Class-map: R1_ACS
      Inspect: ftp strict ACS_FTP, packet 0, drop 0, reset-drop 0
Task 1.53
Task 1.55
Task 1.56
Task 1.57
Task 1.58
R5#ping 24.234.2.6
R5#ping 24.234.2.6
Task 1.59
View the log with “show logging”. Notice that the traffic
denied is IP protocol 88 with a destination address of
224.0.0.10. This is EIGRP traffic.
Task 1.60
Task 1.61
Task 1.62
Task 1.63
Task 1.64
Task 1.66
ASA(config)# context c1
Creating context 'c1'... Done. (2)
ASA(config-ctx)# allocate-interface e0/0
ASA(config-ctx)# allocate-interface e0/1.11
ASA(config-ctx)# config-url disk0:c1.cfg
Task 1.67
ASA(config)# context c2
Creating context 'c2'... Done. (3)
ASA(config-ctx)# allocate-interface e0/0
ASA(config-ctx)# allocate-interface e0/1.22
ASA(config-ctx)# config-url disk0:c2.cfg
INFO: Converting disk0:c2.cfg to disk0:/c2.cfg
Task 1.68
Task 1.69
R2#ping 24.234.0.1
Task 1.70
R3#telnet 24.234.0.1
Trying 24.234.0.1 ... Open
R1#
Task 1.71
ASA(config)# class c1
ASA(config-class)# limit-resource conns 200
ASA(config-class)# context c1
ASA(config-ctx)# member c1
ASA(config)# class c2
Task 1.72
Task 1.73
Task 1.74
SW2(config)#int fa0/17
SW2(config-if)#sw mode access
SW2(config-if)#sw access vlan 66
SW2(config-if)#int fa0/23
SW2(config-if)#sw mode access
SW2(config-if)# sw access vlan 66
Task 1.75
Task 1.76
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 5 0 0 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0
Task 1.77
Task 1.78
Task 1.79
ASA(config)# no failover
ASA(config)# context c1
ASA(config-ctx)# join-failover-group 1
ASA(config-ctx)# context c2
ASA(config-ctx)# join-failover-group 2
Task 1.80
ASA(config)# failover
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 9 0 0 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0
Task 1.81
R2#telnet 24.234.0.1
Trying 24.234.0.1 ... Open
R1#
R1#
R1#
R1#
[Network diagram (image not recoverable): ACS .101 on VLAN 192, 192.168.0.0/16; R1; VLAN 12, 24.234.12.0/24; EIGRP 1; R2; VLAN 23, 24.234.23.0/24; R3; VLAN 36, 24.234.36.0/24; Frame Relay 24.234.245.0/24 (R2, R4, R5 on S0/0/0) running RIP v2; R4, VLAN 4, 24.234.4.0/24; R5, VLAN 5, 24.234.5.0/24; R6, VLAN 6, 24.234.6.0/24]
Task 2.1
Task 2.2
Task 2.3
Task 2.4
Task 2.5
Task 2.6
Task 2.7
Task 2.8
Task 2.9
Task 2.10
Task 2.11
Task 2.12
Task 2.13
Task 2.14
Task 2.15
Task 2.16
Task 2.17
Task 2.18
Task 2.19
Task 2.20
Task 2.21
Alerting should be on
Auditing should be on
DNS timeout should be set to 4 seconds
Drop existing half-open sessions when the number rises above 1000. Stop dropping existing half-open sessions when the number falls below 800. Drop existing half-open sessions when the number rises above 700 within a minute, and stop dropping existing half-open sessions when the number falls below 500 within a minute.
Allow a maximum of 3000 sessions
Each host can have a maximum of 25 existing half-open sessions. When this is exceeded, all existing half-open sessions should be deleted and blocked for 10 minutes.
Manage TCP sessions for only 5 seconds after they have finished.
Delete TCP sessions after 30 minutes of inactivity.
Delete TCP sessions if not fully established within 20 seconds.
Delete UDP sessions after 20 seconds of inactivity.
Task 2.22
Rate limit ICMP traffic from the PRIVATE zone to the PUBLIC
zone to 8000 bps with a burst of 2000 bytes.
Task 2.23
Task 2.24
Task 2.25
Task 2.26
Task 2.27
Task 2.28
Task 2.29
Task 2.30
Task 2.31
Task 2.1
R3#configure terminal
R3(config)#ip inspect name CBAC tcp
R3(config)#ip inspect name CBAC udp
R3(config)#ip inspect name CBAC icmp
R3(config)#interface FastEthernet0/1
R3(config-if)#ip inspect CBAC out
R3(config-if)#ip access-group CBAC_ACL in
Interface Configuration
Interface FastEthernet0/1
Inbound inspection rule is not set
Outgoing inspection rule is CBAC
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
icmp alert is on audit-trail is off timeout 10
Inbound access list is CBAC_ACL
Outgoing access list is not set
You can further verify with ICMP. R1 can ping R6, but pings
initiated from R6 fail.
R1#ping 24.234.36.6
R6#ping 24.234.12.1
Task 2.2
R3(config)#logging buffered
R3(config)#logging host 192.168.2.101
R6#ping 24.234.23.2
R3#sh logging
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 59 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 3 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
Task 2.3
R2#telnet 24.234.36.6
Trying 24.234.36.6 ... Open
Password:
R6#exit
R3 shows the audit trail starting and stopping for the telnet
session from R2 to R6.
R3#sh logging
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 63 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 7 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
The Kiwi Syslog server also shows the audit trail starting
and stopping for the telnet session from R2 to R6.
Task 2.4
Task 2.5
Task 2.6
The TCP and UDP idle timers are measured in seconds. The
default idle time for TCP is 3600 seconds (1 hour) and for
UDP, 30 seconds. The DNS timer is measured in seconds and
the default DNS name lookup timeout is 5 seconds. These can
all be changed using IP inspect with the “idle-time” and
“dns-timeout” keywords.
Task 2.7
Task 2.8
Task 2.9
R3#telnet 24.234.36.6
Trying 24.234.36.6 ... Open
Password:
*Mar 11 17:20:13.083: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (24.234.36.3:21825) -- responder (24.234.36.6:23)
R6#
Task 2.10
Task 2.11
Task 2.12
Task 2.13
R3(config)#int f0/1
R3(config-if)#ip virtual-reassembly max-fragments 50 timeout 10
Task 2.14
R3(config)#appfw policy-name IM
R3(cfg-appfw-policy)#application http
R3(cfg-appfw-policy-http)#port-misuse im action reset
Task 2.15
Task 2.16
Task 2.17
Task 2.18
Task 2.19
Task 2.20
R2(config-if)#interface Serial0/0/0
R2(config-if)#zone-member security PUBLIC
zone PRIVATE
Description: Inside Networks
Member Interfaces:
FastEthernet0/0
FastEthernet0/1
zone PUBLIC
Description: Outside Networks
Member Interfaces:
Serial0/0/0
Task 2.21
Alerting should be on
Auditing should be on
DNS timeout should be set to 4 seconds
Drop existing half-open sessions when the number rises above 1000. Stop dropping existing half-open sessions when the number falls below 800. Drop existing half-open sessions when the number rises above 700 within a minute, and stop dropping existing half-open sessions when the number falls below 500 within a minute.
Allow a maximum of 3000 sessions
Each host can have a maximum of 25 existing half-open sessions. When this is exceeded, all existing half-open sessions should be deleted and blocked for 10 minutes.
Manage TCP sessions for only 5 seconds after they have finished.
Delete TCP sessions after 30 minutes of inactivity.
Delete TCP sessions if not fully established within 20 seconds.
Delete UDP sessions after 20 seconds of inactivity.
Task 2.22
Rate limit ICMP traffic from the PRIVATE zone to the PUBLIC
zone to 8000 bps with a burst of 2000 bytes.
Task 2.23
Task 2.24
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#username authproxyuser password cisco
R1(config)#
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#aaa authorization auth-proxy default local
R1(config)#ip auth-proxy name AUTHP http
R1(config)#
R1(config)#
R1(config)#interface FastEthernet0/0
R1(config-if)#ip auth-proxy AUTHP
R1(config-if)#exit
R1(config)#
R1(config)#ip http server
R1(config)#ip http authentication aaa
Task 2.25
Task 2.26
Task 2.27
This is done with the list option at the end of the “ip
auth-proxy” command. It allows for control over what
traffic will be authenticated.
Task 2.28
R2(config-ext-nacl)#interface FastEthernet0/0
R2(config-if)# ip access-group INBOUND in
R2(config-if)#line vty 0 4
R2(config-line)# login local
R2(config-line)# autocommand access-enable timeout 2
R1#ping 24.234.245.5
R1#telnet 24.234.12.2
Trying 24.234.12.2 ... Open
Username: locknkey
Password:
[Connection to 24.234.12.2 closed by foreign host]
R1#ping 24.234.245.5
R2#show ip access-lists
Extended IP access list INBOUND
    10 permit tcp any host 24.234.12.2 eq telnet (81 matches)
    20 permit eigrp host 24.234.12.1 host 224.0.0.10 (138 matches)
    30 permit eigrp host 24.234.12.1 host 24.234.12.1
    40 Dynamic ACCESS permit ip any any
       permit ip any any (5 matches) (time left 110)
Task 2.29
R2(config)#line vty 0 4
R2(config-line)#autocommand access-enable host timeout 2
R1#ping 24.234.5.5
Username: locknkey
Password:
[Connection to 24.234.12.2 closed by foreign host]
R1#ping 24.234.5.5
R2#sh ip access-lists
Extended IP access list INBOUND
    10 permit tcp any host 24.234.12.2 eq telnet (159 matches)
    20 permit eigrp host 24.234.12.1 host 224.0.0.10 (1020 matches)
    30 permit eigrp host 24.234.12.1 host 24.234.12.1
    40 Dynamic ACCESS permit ip any any
       permit ip host 24.234.12.1 any (5 matches) (time left 104)
Task 2.30
R3(config)#logging buffered
R3(config-ext-nacl)#interface FastEthernet0/1
R2#ping 24.234.36.6
R3#show ip access-list
Extended IP access list INBOUND
    10 permit udp host 24.234.36.6 host 224.0.0.9 eq rip (12 matches)
    20 permit tcp host 24.234.36.6 24.234.0.0 0.0.255.255 eq telnet
    30 evaluate REF
    40 deny ip any any log
Extended IP access list OUTBOUND
    10 permit tcp any any reflect REF
    20 permit udp any any reflect REF
    30 permit icmp any any reflect REF (10 matches)
Reflexive IP access list REF
     permit icmp host 24.234.36.6 host 24.234.23.2 (20 matches) (time left 282)
Task 2.31
R2(config)#time-range R5
R2(config-time-range)# periodic daily 02:00 to 04:00
R2(config-ext-nacl)#interface s0/0/0
R2(config-if)# ip access-group TIME in
R5#ping 2.2.2.2
Set the clock on R2 to a time between 2am and 4am. Try the
ping again. It will fail.
R5#ping 2.2.2.2
Task 3.1
Task 3.2
Task 3.3
Task 3.4
R2 hub
R3/R4 Spokes
GRE network 10.0.0.y/24
New loop 234 of 10.yy.0.y/24
Overlay of eigrp 1 for the 10 networks.
source from loop 0 on each router
IKE 1: dh2, psk cisco, 3des, sha
IKE 2: 3des, sha
Task 3.5
Task 3.6
R6 key server
R3/R4 members
IKE 1 3des, dh2, lifetime 400, psk cisco
IKE 2 3des, sha
Task 3.7
Task 3.8
Task 3.9
Task 3.10
Task 3.11
Task 3.1
R1(config)#
Apr 14 17:31:53.115: %SSH-5-ENABLED: SSH 1.99 has been enabled
Re-enter password:cisco123
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% Exporting Certificate Server signing certificate and keys...
ASA-1(config-ca-trustpoint)# exit
ASA-1(config)# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/32/40 ms
R5(config)#
*Apr 14 17:52:04.235: %SSH-5-ENABLED: SSH 1.99 has been enabled
R5(config)#crypto ca trustpoint R1-CA
R5(ca-trustpoint)# enrollment retry count 5
R5(ca-trustpoint)# enrollment retry period 3
R5(ca-trustpoint)# enrollment url http://1.1.1.1:80
R5(ca-trustpoint)# revocation-check none
R5(ca-trustpoint)#exit
R5(config)#
R5(config)#!
R5(config)#crypto pki authenticate R1-CA
Password:
Re-enter password:
R5(config)#
Apr 14 17:49:37.897: CRYPTO_PKI: Certificate Request Fingerprint MD5: 68D31458 C10A3DC7 B5113FBD 38132DF8
Apr 14 17:49:37.897: CRYPTO_PKI: Certificate Request Fingerprint SHA1: EF0CFEDB 71907504 A49B193C 7D700BDC 346789D9
R5(config)#
R5(config)#
R5(config)#
Apr 14 17:49:42.697: %PKI-6-CERTRET: Certificate received from Certificate Authority
Task 3.2
Task 3.3
Then the isakmp policy is set. This must match what the ASA
is using: rsa-sig authentication (the default), AES
encryption, SHA for hashing and DH group 2.
The transform set must also match what is being used on the
ASA: ESP with AES and SHA.
.!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/36 ms
interface: FastEthernet0/0.70
Crypto map tag: MYMAP, local addr 5.5.5.5
Task 3.4
R2 hub
R3/R4 Spokes
GRE network 10.0.0.y/24
New loop 234 of 10.yy.0.y/24
Overlay of eigrp 1 for the 10 networks.
source from loop 0 on each router
IKE 1: dh2, psk cisco, 3des, sha
IKE 2: 3des, sha
Hub configuration:
First we’ll create the loopback interface. It’s important to
note that this address isn’t routable on the existing
network.
R2(config)#interface Tunnel0
R2(config-if)# ip address 10.0.0.2 255.255.255.0
R2(config-if)# bandwidth 1000
R2(config-if)# delay 1000
R2(config-if)# ip mtu 1400
R2(config-if)# ip tcp adjust-mss 1360
Next we’ll set up the ip nhrp commands, which allow the hub
to use the Next Hop Resolution Protocol to properly map IP
addresses. The important command here is map multicast
dynamic, which allows EIGRP to function properly.
R2(config)#router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 10.0.0.0 0.255.255.255
R2(config-router)# exit
R3 Spoke configuration:
To start, the configuration is almost identical to the hub.
The loopback interface is set up, then isakmp, the transform
set and the ipsec profile.
R3(cfg-crypto-trans)# exit
R3(config)#crypto ipsec profile DMVPN_PROFILE
R3(ipsec-profile)# set transform-set ESP-3DES-SHA
R3(ipsec-profile)# exit
R3(config)#interface Tunnel0
R3(config-if)# ip address 10.0.0.3 255.255.255.0
R3(config-if)# bandwidth 1000
R3(config-if)# delay 1000
R3(config-if)# ip mtu 1400
R3(config-if)# ip tcp adjust-mss 1360
R3(config)#router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 10.0.0.0 0.255.255.255
R3(config-router)# exit
R4 spoke configuration:
Aside from the IP addresses, the other spoke is set up
identically to the first spoke. Cut and paste is the
preferred method for additional spokes since it will save a
lot of time.
R4(config)#interface Tunnel0
R4(config-if)# ip address 10.0.0.4 255.255.255.0
R4(config-if)# bandwidth 1000
R4(config-if)# delay 1000
R4(config-if)# ip mtu 1400
R4(config-if)# ip tcp adjust-mss 1360
R4(config)#router eigrp 1
R4(config-router)# no auto-summary
R4(config-router)# network 10.0.0.0 0.255.255.255
R4(config-router)# exit
Task 3.5
R2#show ip nhrp
10.0.0.3/32 via 10.0.0.3, Tunnel0 created 00:00:32, expire 00:05:28
  Type: dynamic, Flags: unique registered used
  NBMA address: 3.3.3.3
10.0.0.4/32 via 10.0.0.4, Tunnel0 created 00:00:37, expire 00:05:22
  Type: dynamic, Flags: unique registered used
  NBMA address: 4.4.4.4
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 3.3.3.3
A show ip route verifies that the next hop for the 10.x.x.x
networks is via Tunnel0.
R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 3.3.3.3
inbound ah sas:
outbound ah sas:
inbound ah sas:
outbound ah sas:
Task 3.6
R6 key server
R3/R4 members
IKE 1 3des, dh2, lifetime 400, psk cisco
IKE 2 3des, sha
interesting traffic icmp between 3.3.3.3 and 4.4.4.4
bidirectional
R6(gdoi-local-server)# sa ipsec 1
R6(gdoi-sa-ipsec)# profile gdoi-profile-group1
R6(gdoi-sa-ipsec)# match address ipv4 101
R6(gdoi-sa-ipsec)# replay counter window-size 64
R6(gdoi-sa-ipsec)# address ipv4 6.6.6.6
Member R3 configuration:
Now we’ll set up the gdoi. We’ll use the same group and
identity number used on the key server. Instead of server
local we’ll set server to R6’s configured key server
address, 6.6.6.6.
Member R4 configuration:
R4(config-crypto-map)#interface Fa0/0.60
R4(config-subif)# crypto map map-group1
R4(config-subif)# interface Fa0/0.70
R4(config-subif)# crypto map map-group1
interface: FastEthernet0/0.60
Crypto map tag: map-group1, local addr 100.60.10.3
inbound ah sas:
outbound ah sas:
inbound ah sas:
outbound ah sas:
interface: FastEthernet0/0.70
Crypto map tag: map-group1, local addr 100.70.10.3
inbound ah sas:
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
inbound ah sas:
outbound ah sas:
Task 3.7
group vpn_group
password cisco (for both)
R2 loop 0 is inside interface
allow password storage on clients
user virtual template
ASA-1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA-1(config-group-policy)# split-tunnel-network-list value vpn_group_splitTunnelAcl
Now we’ll configure the tunnel group. Notice that the type
is remote-access. It will reference the previously created
group policy and address pool. The IPSec attributes are
then set, including the PSK and the isakmp policy we
already created.
R2(config)#interface loop 0
R2(config-if)# crypto ipsec client ezvpn EZ_CLIENT inside
R2(config-if)# exit
R2(config)#interface FastEthernet0/0.168
R2(config-subif)# crypto ipsec client ezvpn EZ_CLIENT outside
R2(config-subif)# exit
Task 3.8
R2#clear crypto sa
R2#
*Apr 14 21:46:48.967: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpn_group Server_public_addr=192.168.2.100 Assigned_client_addr=100.60.10.201
R2#
*Apr 14 21:46:49.023: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
*Apr 14 21:46:50.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
R2#
*Apr 14 21:46:51.015: %LINK-5-CHANGED: Interface Loopback10000, changed state to administratively down
*Apr 14 21:46:51.299: EZVPN(EZ_CLIENT): Pending XAuth Request, Please enter the following command:
*Apr 14 21:46:51.299: EZVPN: crypto ipsec client ezvpn xauth
R2#
*Apr 14 21:46:52.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to down
Password: cisco
R2#
*Apr 14 21:47:02.827: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=vpn_user Group=vpn_group Server_public_addr=192.168.2.100 Assigned_client_addr=100.60.10.201
R2#
*Apr 14 21:47:02.831: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Apr 14 21:47:03.831: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R2#
*Apr 14 21:47:04.779: %LINK-3-UPDOWN: Interface Loopback10000, changed state to up
*Apr 14 21:47:05.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
R2#clear crypto sa
R2#
*Apr 14 21:47:58.927: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=vpn_user Group=vpn_group Server_public_addr=192.168.2.100 Assigned_client_addr=100.60.10.201
R2#
R5#who
Task 3.9
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
Default Queueing
Task 3.10
ASA-1(config)# webvpn
ASA-1(config-webvpn)# enable inside
INFO: WebVPN and DTLS are enabled on 'inside'.
Now we’ll configure the group policy for webvpn. The vpn
tunnel protocol is set to webvpn and since no url list is
needed this is set to none.
Next we’ll configure the user, making sure that the group
policy is set to our previously created policy.
Finally the tunnel group is set up. Note that like the
EasyVPN configuration the type is set to remote-access. The
default group policy is set to our policy which is set to
use webvpn. The specific webvpn attributes such as the
alias and URL are set using the tunnel-group <name>
webvpn-attributes command.
Task 3.11
R2 configuration:
map. This lets the tunnel be built between the HSRP address
and the R2 l0 address even though the crypto map is applied
to a physical interface.
R2(config)#interface FastEthernet0/0.168
R2(config-subif)# crypto map MYMAP
R2(config-subif)# exit
R3 configuration:
R3(config)#interface FastEthernet0/0.60
R3(config-subif)# standby 1 name HA
R3(config-subif)# crypto map MYMAP redundancy HA
R3(config-subif)# exit
R3(config)#router ospf 1
R3(config-router)#redistribute static subnets
R3(config-router)#end
R3#debug ip routing
IP routing debugging is on
R4 configuration:
R4(config)#interface FastEthernet0/0.60
R4(config-subif)# standby 1 name HA
R4(config-subif)# crypto map MYMAP redundancy HA
R4(config-subif)# exit
R4(config)#router ospf 1
R4(config-router)#redistribute static subnets
R4(config-router)#end
R4#debug ip routing
IP routing debugging is on
R3#
*Apr 14 22:50:54.571: RT: add 10.22.22.2/32 via 100.60.10.22, static metric [1/0]
*Apr 14 22:50:54.571: RT: NET-RED 10.22.22.2/32
interface: FastEthernet0/0.60
Crypto map tag: MYMAP, local addr 100.60.10.34
R3#reload
Proceed with reload? [confirm]
You’ll notice that since R4 has now become the active HSRP
router, the static route is created and again redistributed
into OSPF. You’ve now verified that VPN redundancy is
functioning properly.
R4#
*Apr 14 23:00:38.563: RT: add 10.22.22.2/32 via 100.60.10.22, static metric [1/0]
*Apr 14 23:00:38.563: RT: NET-RED 10.22.22.2/32
interface: FastEthernet0/0.60
Crypto map tag: MYMAP, local addr 100.60.10.34
[Section 4 topology diagrams: IPS (.150) and ACS on VLAN 200; R3 (.3) and R2 (.2) on VLAN 2 / DMZ 172.16.0.0/24; switch diagrams for SW3 and SW4]
Task 4.1
Log into the IPS with the username “cisco” and password “ccie5796”
Task 4.2
Task 4.3
Task 4.4
Task 4.5
Task 4.6
Task 4.7
Task 4.8
Task 4.9
Task 4.10
Task 4.11
Task 4.12
Task 4.13
Task 4.14
Task 4.15
Task 4.16
Task 4.17
Task 4.18
Task 4.19
Task 4.20
Task 4.21
Task 4.22
Task 4.23
Task 4.24
Enable and modify the rule within sig0 called “icmp flood” so that it requests a rate limit of 1% of interface bandwidth and generates an alert. Test the rate limit.
Task 4.25
Task 4.26
Task 4.27
Task 4.28
Task 4.29
Task 4.30
Task 4.31
Task 4.32
Task 4.1
Log into the IPS with the username “cisco” and password “ccie5796”
Task 4.2
sensor# setup
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current Configuration:
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option disabled
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service interface
inline-interfaces pair-1
description Created via setup by user cisco
interface1 FastEthernet1/0
interface2 FastEthernet1/1
exit
inline-interfaces pair-2
description Created via setup by user cisco
interface1 FastEthernet1/2
interface2 FastEthernet1/3
exit
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
service host
network-settings
host-ip 192.168.2.150/16,192.168.2.100
host-name IPS
telnet-option disabled
access-list 192.168.0.0/16
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service interface
inline-interfaces pair-1
description Created via setup by user cisco
interface1 FastEthernet1/0
interface2 FastEthernet1/1
exit
inline-interfaces pair-2
description Created via setup by user cisco
interface1 FastEthernet1/2
interface2 FastEthernet1/3
exit
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Task 4.3
Task 4.4
Task 4.5
Task 4.6
Task 4.7
Task 4.8
Task 4.9
Task 4.10
Task 4.11
Task 4.12
SW1(config)#vlan 99
SW1(config-vlan)#remote-span
SW1(config-vlan)#exit
SW1(config)#monitor session 1 source vlan 3
SW1(config)#monitor session 1 destination remote vlan 99
Task 4.13
Task 4.14
Task 4.15
Now we have to assign g0/0 (and thus the inline VLAN pair) to virtual sensor vs0. This is done exactly the same way as with our promiscuous interface above. Make sure that the g0/0 interface is enabled as well.
gateway (the ASA), the ping will only succeed if the pair is bridging between the two.
Task 4.16
Task 4.17
R2#ping 24.234.0.1
Task 4.18
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[1000 ‘!’ characters in total, one per echo reply]
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/3/28 ms
When we view events, notice that the signature only generated one alert even though we pinged the ACS server 1000 times.
Task 4.19
ASA1# conf t
ASA1(config)# username blocker password blocker privilege 15
ASA1(config)# aaa authentication ssh console LOCAL
ASA1(config)# ssh 192.168.2.150 255.255.255.255 inside
Task 4.20
R2#telnet 24.234.0.1
Trying 24.234.0.1 ... Open
Username: baduser
[Connection to 24.234.0.1 closed by foreign host]
R2#ping 24.234.0.1
Task 4.21
Task 4.22
R3#telnet 24.234.0.1
Trying 24.234.0.1 ... Open
Username: baduser
[Connection to 24.234.0.1 closed by foreign host]
Task 4.23
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#username blocker privilege 15 password blocker
R2(config)#aaa new-model
R2(config)#aaa authentication login default local
R2(config)#aaa authorization exec default local
R2(config)#line vty 0 4
R2(config-line)#login authentication default
Task 4.24
Enable and modify the rule within sig0 called icmp flood so that it requests a rate limit of 1% of interface bandwidth and generates an alert. Test the rate limit.
The rate limit is clearly working, but you can also verify the limit under monitoring->rate limits. To remove the rate limit, select it and click delete.
Task 4.25
Task 4.26
Task 4.27
Task 4.28
Task 4.29
Task 4.30
Task 4.31
Task 4.32
[Section 5 topology diagrams, including switch diagrams for SW3 and SW4]
Task 5.1
Task 5.2
Task 5.3
Task 5.4
Task 5.5
Task 5.6
Task 5.7
Task 5.8
Task 5.9
Verify that this user can log in to R6 via telnet and that all commands are available. Also verify that accounting is working for both EXEC mode and privilege level 15 commands.
Task 5.10
Task 5.11
Ensure that users not found in the ACS local database will be authenticated against the Windows database and will use the “super” group for authorization.
Task 5.12
Task 5.13
Task 5.14
Task 5.15
Task 5.16
Task 5.17
Task 5.18
Task 5.1
R6(config)#aaa new-model
R6(config)#aaa authentication login default group tacacs+
We’ll test by logging out of the console port and then back
in. There will be no prompt for username or password.
R6#exit
R6>
Task 5.2
Task 5.2
Task 5.3
Task 5.4
Task 5.5
Task 5.6
Task 5.7
Task 5.8
Task 5.9
Verify that this user can log in to R6 via telnet and that all commands are available. Also verify that accounting is working for both EXEC mode and privilege level 15 commands.
Task 5.10
Task 5.11
Ensure that users not found in the ACS local database will be authenticated against the Windows database and will use the “super” group for authorization.
Task 5.12
Telnet from the ACS to R6. After login, your rights will be
the same as they were when you logged in as superuser.
Task 5.13
Task 5.14
SW2#ping 192.168.0.6
SW2#telnet 24.234.51.50
Trying 24.234.51.50 ... Open
LOGIN Authentication
Username: enablemode
Password:
Authentication Successful
Task 5.15
SW2(config)#aaa new-model
SW2(config)#aaa authentication dot1x default group radius
SW2(config)#aaa authorization network default group radius
SW2(config)#aaa accounting dot1x default start-stop group radius
SW2(config)#dot1x system-auth-control
SW2(config)#vlan 111,432
SW2(config-vlan)#exit
SW2(config)#interface FastEthernet0/20
SW2(config-if)# switchport mode access
SW2(config-if)# shutdown
SW2(config-if)# dot1x pae authenticator
SW2(config-if)# dot1x port-control auto
SW2(config-if)# dot1x guest-vlan 432
Now we’ll need to set up our dot1x user. You should already know how to create a user. Scroll down to the IETF RADIUS attributes section. Put check marks in attributes 64, 65 and 81. For attribute 64 select VLAN from the dropdown menu. For attribute 65 select 802. For attribute 81 type in VLAN0111, which must exactly match the name of the VLAN on the switch. This will assign the user to VLAN 111 when they authenticate successfully.
Task 5.16
Task 5.17
R2(config)#aaa new-model
R2(config)#aaa authentication login AUTHEN local
R2(config)#aaa authorization exec AUTHOR local
R2(config)#line vty 0 4
R2(config-line)#authorization exec AUTHOR
R2(config-line)# login authentication AUTHEN
R5#telnet 24.234.25.2
Trying 24.234.25.2 ... Open
Username: ping
Password:
R2>ping
Protocol [ip]:
Target IP address: 24.234.25.5
Repeat count [5]:
Datagram size [100]: 1000
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 1000-byte ICMP Echos to 24.234.25.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Task 5.18
With both commands entered, we’ll submit the user again and verify that we can log in to R6 but not issue commands other than privilege level 1 show and exit. All other commands will return a “command authorization failed” error.
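Tasks 5.9 and 5.18 both depend on the router side being configured to ask ACS about every command and to account for it; the workbook's ACS screenshots are not reproduced here, so the following is an added example of the NAS-side AAA on R6 (not the workbook's own solution). The ACS address 192.0.2.10, the shared key and the local fallback account are placeholders. The "local" fallback is also an addition: IOS only moves to the next method when the server does not answer, so an explicit ACS deny is still final.

```cisco
! Added example (not the workbook's own solution) for Tasks 5.9 and 5.18:
! NAS-side AAA on R6 so that ACS decides EXEC access and every level-1 and
! level-15 command, with start-stop accounting for both. The ACS address
! (192.0.2.10) and the shared key are placeholders; the page does not give them.
aaa new-model
tacacs-server host 192.0.2.10 key PLACEHOLDER_KEY
!
! Authentication and EXEC authorization go to ACS first. "local" is tried
! only when the server does not answer; an explicit ACS deny is final.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Per-command authorization: each command is sent to ACS before it runs,
! so the ACS shell command set ("show" and "exit" in Task 5.18) is enforced.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Accounting for the EXEC session and for the commands themselves.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback account, used only while ACS is unreachable.
username admin privilege 15 secret PLACEHOLDER_PASSWORD
!
! The "default" lists apply to all lines automatically; they are repeated
! here so the VTY binding is visible in the configuration.
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
 accounting exec default
 accounting commands 1 default
 accounting commands 15 default
```

With this in place, the Task 5.18 test produces the expected “Command authorization failed” for anything outside the ACS command set, and the ACS Reports and Activity pages show one accounting record per EXEC session and per command. show tacacs on R6 confirms the server is reachable before you start testing.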
[Section 6 topology diagrams, including switch diagrams for SW3 and SW4]
Task 6.1
Task 6.2
Task 6.3
Task 6.4
Task 6.5
Task 6.6
Task 6.7
Task 6.8
Task 6.9
Task 6.10
Task 6.11
Task 6.12
Task 6.13
Task 6.14
Task 6.15
Task 6.16
Task 6.17
Task 6.18
Task 6.19
Task 6.20
Task 6.21
Task 6.22
Configure R6 for logging. Disable logging to the console and monitor. Configure R6 to limit log generation and transmission to 100 messages per second except for log levels 4 (warnings) through 0 (emergencies).
Task 6.23
Task 6.24
Task 6.25
Task 6.26
Task 6.27
Task 6.28
Task 6.29
Configure R4 so that only the ACS Server can HTTP into it.
Task 6.30
Task 6.31
Task 6.32
Task 6.33
Task 6.34
Task 6.35
Task 6.1
R1#clear ip route *
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Task 6.2
R2(config)#interface fastethernet0/0
R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
R2#
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
ASA1 and R2 now have an OSPF adjacency and routes are being exchanged.
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Task 6.3
R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Task 6.4
R1(config)#router bgp 1
R1(config-router)#neighbor 24.234.34.4 remote-as 4
R1(config-router)#neighbor 24.234.34.4 ebgp-multihop 2
R1(config-router)#network 192.168.0.0 mask 255.255.0.0
R4(config)#router bgp 4
R4(config-router)#neighbor 24.234.10.1 remote-as 1
R4(config-router)#neighbor 24.234.10.1 ebgp-multihop 2
R4(config-router)#network 24.234.4.0 mask 255.255.255.0
R4(config-router)#network 24.234.5.0 mask 255.255.255.0
R4(config-router)#network 24.234.6.0 mask 255.255.255.0
R1#show ip bgp
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Task 6.5
R1#conf t
R1(config)#router bgp 1
R1(config-router)#neighbor 24.234.34.4 password cisco
R4#conf t
R4(config)#router bgp 4
R4(config-router)#neighbor 24.234.10.1 password cisco
R1#
*Apr 14 21:55:41.503: %BGP-5-ADJCHANGE: neighbor 24.234.34.4 Up
Task 6.6
R1#clear ip bgp *
R1#
*Mar 12 18:53:46.175: %BGP-5-ADJCHANGE: neighbor 24.234.34.4 Down User reset
R1#
*Mar 12 18:53:48.687: %BGP-5-ADJCHANGE: neighbor 24.234.34.4 Up
R1#show ip bgp
BGP table version is 4, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Task 6.7
R5(config-ext-nacl)#class-map TELNET_DROP_CMAP
R5(config-cmap)#match access-group name TELNET_DROP
R5(config-cmap)#class-map TELNET_RATE_CMAP
R5(config-cmap)#match access-group name TELNET_RATE
R5(config-cmap)#policy-map TELNET_PMAP
R5(config-pmap)#class TELNET_DROP_CMAP
R5(config-pmap-c)#drop
R5(config-pmap)#class TELNET_RATE_CMAP
R5(config-pmap-c)#police rate 8000 bps
R5(config-pmap-c-police)#conform-action transmit
R5(config-pmap-c-police)#exceed-action drop
R5(config-pmap-c-police)#exit
R5(config-pmap-c)#exit
R5(config-pmap)#exit
R5(config)#control-plane
R5(config-cp)#service-policy input TELNET_PMAP
R4#telnet 24.234.5.5
Trying 24.234.5.5 ... Open
Password:
R3#telnet 24.234.5.5
Trying 24.234.5.5 ...
% Connection timed out; remote host not responding
Task 6.8
Match: any
Task 6.9
SW2#telnet 192.168.0.1
Trying 192.168.0.1 ...
% Connection timed out; remote host not responding
Task 6.10
Notice that RIP (UDP 520) is not listed, even though the router is running RIP. Since this port is not listed, RIP will be blocked. Verify that R1 is no longer learning routes from ASA1.
R1#clear ip route *
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
Task 6.11
R2(config-pmap-c)#queue-limit 25
R2(config-pmap-c)#exit
R2(config-pmap)#exit
R2(config)#control-plane host
R2(config-cp-host)#service-policy type queue-threshold input QUEUE_PMAP
R2(config-cp-host)#
*Mar 12 22:18:40.562: %CP-5-FEATURE: Protocol Queue Thresholding feature enabled on Control plane host path
Task 6.12
SW2(config)#interface fastethernet0/14
SW2(config-if)#storm-control unicast level 75 50
Task 6.13
SW2(config)#interface fastethernet0/15
SW2(config-if)#storm-control broadcast level bps 3000 1000
SW2(config-if)#storm-control action shutdown
Task 6.14
SW2(config)#interface FastEthernet0/16
SW2(config-if)#storm-control multicast level pps 1000 700
SW2(config-if)#storm-control action trap
Task 6.15
Task 6.16
Task 6.17
SW2(config)#interface fastethernet0/11
SW2(config-if)#switchport block unicast
SW2(config-if)#switchport block multicast
Task 6.18
SW1(config)#interface fastethernet0/3
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 1
SW1(config-if)#switchport port-security violation shutdown
Task 6.19
SW1(config)#interface fastethernet0/4
SW1(config-if)#switchport port-security mac-address sticky
SW1(config-if)#switchport port-security
Task 6.20
R4(config)#interface fastethernet0/0
R4(config-if)#mac-address 0004.0004.0004
SW1#
09:35:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
SW1#
09:35:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
09:35:39: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/4, putting Fa0/4 in err-disable state
SW1#
09:35:39: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0004.0004.0004 on port FastEthernet0/4.
SW1#
09:35:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
09:35:41: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
SW1#
09:37:34: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/4
SW1#
09:37:37: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
09:37:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
Task 6.21
Task 6.22
R6(config)#logging on
R6(config)#no logging console
R6(config)#no logging monitor
R6(config)#logging rate-limit 100 except 4
R6#show logging
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled, xml disabled, filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Task 6.23
Task 6.24
Task 6.25
R5(config)#interface fastethernet0/0
R5(config-if)#no ip redirects
R5(config-if)#no ip proxy-arp
R5(config-if)#no ip unreachables
R5(config-if)#no ip directed-broadcast
R5(config-if)#no ip mask-reply
Task 6.26
Task 6.27
R5#telnet 24.234.34.3
Trying 24.234.34.3 ... Open
Password:
R6#telnet 24.234.34.3
Trying 24.234.34.3 ...
% Connection refused by remote host
Task 6.28
To enable SSH the router must first have a domain name and a generated RSA key pair. Then we’ll create a local user.
R5(config)#
*Mar 13 21:06:57.746: %SSH-5-ENABLED: SSH 1.99 has been enabled
R5(config)#username admin password cisco
R5(config)#access-list 2 permit 24.234.6.0 0.0.0.255
R5(config)#line vty 0 4
R5(config-line)#transport input ssh
R5(config-line)#access-class 2 in
R5(config-line)#login local
R6#telnet 24.234.34.3
Trying 24.234.34.3 ...
% Connection refused by remote host
Password:
R5>exit
Task 6.29
Configure R4 so that only the ACS Server can HTTP into it.
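The page shows the R5 VTY configuration for Task 6.28 but not the key-generation step that precedes the %SSH-5-ENABLED message, and gives no solution at all for Task 6.29. The following is an added example covering both (not the workbook's own solution). The domain name, the password placeholder and the ACS address 192.0.2.10 are assumptions; the 24.234.6.0/24 access-list and the VTY settings are the ones the page already shows.

```cisco
! Added example (not the workbook's own solution) for Tasks 6.28 and 6.29.
!
! Task 6.28 (R5): SSH needs a hostname and domain name before the RSA key
! pair can be generated; then the VTYs accept SSH only, and only from the
! 24.234.6.0/24 subnet shown on the page. The domain name is an assumption.
hostname R5
ip domain-name lab.example
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
username admin privilege 15 secret PLACEHOLDER_PASSWORD
access-list 2 permit 24.234.6.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class 2 in
 login local
!
! Task 6.29 (R4): the HTTP server answers only the ACS host. The ACS
! address (192.0.2.10) is a placeholder; the page does not state it here.
! Where HTTPS is acceptable, ip http secure-server is the better choice;
! the task as written asks for HTTP.
ip http server
access-list 3 permit host 192.0.2.10
ip http access-class 3
```

show ip ssh on R5 reports the version and key size in use, and show ip http server status on R4 shows the access-class that is applied; a telnet from R6 to R5 port 22 should still open (SSH is listening) while the plain telnet on port 23 is refused, exactly as the page's R6 output shows.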
Task 6.30
SW2#telnet 24.234.10.100
Trying 24.234.10.100 ... Open
Password:
Type help or '?' for a list of available commands.
ASA1>
R1#telnet 24.234.10.100
Trying 24.234.10.100 ...
% Connection timed out; remote host not responding
Task 6.31
Password:
Type help or '?' for a list of available commands.
ASA1>
Task 6.32
R5#telnet 24.234.5.10
Trying 24.234.5.10 ... Open
Username: admin
Password:
SW1#
SW1#show privilege
Current privilege level is 15
Task 6.33
Task 6.34
Task 6.35
[Section 7 topology diagrams, including switch diagrams for SW3 and SW4]
Task 7.1
Task 7.2
Task 7.3
Task 7.4
Task 7.5
Task 7.6
Task 7.7
Task 7.8
Task 7.9
Task 7.10
Task 7.11
Task 7.12
Task 7.13
Task 7.14
Task 7.15
Task 7.16
Task 7.17
Task 7.18
Task 7.19
Task 7.20
Task 7.21
Task 7.22
Task 7.24
Task 7.25
Task 7.26
Task 7.1
R5#telnet 24.234.234.2
Trying 24.234.234.2 ... Open
Password: cisco
R2#exit
dscp af43
Packets marked 23
Task 7.2
R4(config)#route-map VLAN46_RMAP
R4(config-route-map)#match ip address VLAN46
R4(config-route-map)#set ip precedence immediate
R4(config-route-map)#exit
R4(config)#interface fastethernet0/0
R4(config-if)#ip policy route-map VLAN46_RMAP
Match clauses:
ip address (access-lists): VLAN46
Set clauses:
ip precedence immediate
Policy routing matches: 0 packets, 0 byte
R6#ping 24.234.234.2
R4#show route-map
route-map VLAN46_RMAP, permit, sequence 10
Match clauses:
ip address (access-lists): VLAN46
Set clauses:
ip precedence immediate
Policy routing matches: 5 packets, 570 bytes
Task 7.3
Task 7.4
R5#traceroute 2.2.2.2
R3(config)#interface fastethernet0/1
R3(config-if)#ip policy route-map R2_L0_RMAP
R5#traceroute 2.2.2.2
Task 7.5
SW2#ping 6.6.6.6
SW2#ping 6.6.6.6
Task 7.6
R3#show ip bgp
BGP table version is 19, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
R4#show ip bgp
BGP table version is 19, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
R5#ping 22.22.22.2
R6#ping 22.22.22.2
R2#conf t
R3#conf t
R3(config)#ip route 192.0.5.1 255.255.255.255 null0
R3(config)#end
R4#conf t
R4(config)#ip route 192.0.5.1 255.255.255.255 null0
R4(config)#end
R3#clear ip bgp *
R3#show ip bgp
BGP table version is 20, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
R4#show ip bgp
BGP table version is 20, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
R5#ping 22.22.22.2
R6#ping 22.22.22.2
Task 7.7
R5#telnet 24.234.234.2
Trying 24.234.234.2 ...
% Destination unreachable; gateway or host down
Password:
R2#exit
R5#ping 24.234.234.2
Task 7.8
R6#traceroute
Protocol [ip]:
Target IP address: 2.2.2.2
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]: t
Number of timestamps [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[TV]:
Type escape sequence to abort.
Tracing the route to 2.2.2.2
1 46.46.46.4 4 msec
Received packet has options
Total option bytes= 40, padded length=40
Timestamp: Type 0. Overflows: 0 length 40, ptr 9
Time=*16:01:07.611 UTC (836FF01B)
>>Current pointer<<
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
R6#traceroute
Protocol [ip]:
Target IP address: 2.2.2.2
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]: t
Number of timestamps [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[TV]:
Type escape sequence to abort.
Tracing the route to 2.2.2.2
1 46.46.46.4 !A
Received packet has options
Total option bytes= 40, padded length=40
Timestamp: Type 0. Overflows: 0 length 40, ptr 9
Time=*15:58:55.915 UTC (836DEDAB)
>>Current pointer<<
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
* !A
Received packet has options
Total option bytes= 40, padded length=40
Timestamp: Type 0. Overflows: 0 length 40, ptr 9
Time=*15:58:58.915 UTC (836DF963)
>>Current pointer<<
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
R4#show ip access-lists
Extended IP access list IPOPTIONS
10 deny ip any any option timestamp (3 matches)
20 permit ip any any (27 matches)
Task 7.9
R2#ping 46.46.46.6
Task 7.10
R6#telnet 46.46.46.2
Trying 46.46.46.2 ... Open
Password:
R2#
Task 7.11
Task 7.12
Task 7.13
Task 7.14
Task 7.15
Task 7.16
Task 7.17
R3(config)#interface fastethernet0/1
R3(config-if)#ip verify unicast source reachable-via rx 1
Task 7.18
Task 7.19
Task 7.20
R4(config)#interface fastethernet0/0
R4(config-if)#ip nbar protocol-discovery
R6#ping 2.2.2.2
FastEthernet0/0
                            Input                    Output
                            -----                    ------
  Protocol                  Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
  ------------------------  ------------------------ ------------------------
  icmp                      5                        5
                            570                      570
                            0                        0
                            0                        0
  unknown                   0                        0
                            0                        0
                            0                        0
                            0                        0
  Total                     47                       26
                            3678                     2124
                            0                        0
                            0                        0
Task 7.21
Task 7.22
R1(config)#interface fastethernet0/1
R1(config-if)#ip flow ingress
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
Task 7.23
Then view what traffic has been exported with show ip flow export.
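The page shows ip flow ingress on R1 for Task 7.22 but the export configuration that Task 7.23 verifies is not reproduced. The following is an added example (not the workbook's own solution) that completes the pair: flow collection on the interface plus export to a collector. The collector address 192.0.2.20, its UDP port and the choice of Loopback0 as the export source are assumptions.

```cisco
! Added example (not the workbook's own solution) for Tasks 7.22 and 7.23.
! The collector address (192.0.2.20), its port and the use of Loopback0 as
! the export source are assumptions.
!
! Collect flows on the ingress interface (as the page does for Task 7.22).
interface FastEthernet0/1
 ip flow ingress
!
! Export the cache to a collector. A loopback source keeps the exporter
! address stable across link failures, which collectors key on.
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 192.0.2.20 2055
```

show ip cache flow lists the flows currently in the cache (the per-size distribution the page shows is the top of that output), and show ip flow export reports the destination, version and the count of datagrams sent and failed, which is the check Task 7.23 asks for.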
Task 7.24
Task 7.25
R1#ping 2.2.2.2
Task 7.26
R2(config)#policy-map WAN_PMAP
R2(config-pmap)#class VOICE
R2(config-pmap-c)#priority percent 33
R2(config-pmap-c)#exit
R2(config-pmap-c)#class ICMP_CMAP
R2(config-pmap-c)#police 8000 1000 1000
R2(config-pmap-c-police)#conform-action transmit
R2(config-pmap-c-police)#exceed-action drop
R2(config-pmap)#class class-default
R2(config-pmap-c)#fair-queue
R2(config-pmap-c)#interface serial0/0/0
R2(config-if)#service-policy output WAN_PMAP
R1#ping 4.4.4.4
Serial0/0/0
[Section 8 topology diagram: R5 (S0/0/0 .5, Fa0/0) and R3 (.3) in EIGRP 1; R1 (S0/0/0 .1, Fa0/0 .1) on 24.234.1.0/24 to ASA1 outside (.100); ASA1 E0/0.2 inside (.100) on 192.168.2.0/16 with ACS (.101); DMZ 172.16.0.0/24 with R4 (Fa0/0 .4) and R2 (Fa0/0 .2); ASA1 E0/0.3 and E0/1]
Task 8.1
Task 8.2
Task 8.3
Task 8.4
Task 8.5
Task 8.6
You think the attacker may have been scanning because you are allowing too much information to the outside. ICMP and telnet should only be allowed incoming from R1 and FTP should only be allowed from anywhere to R2. Review the ASA configuration and correct the access allowed.
Task 8.7
Task 8.8
Task 8.9
Task 8.10
Task 8.11
Task 8.12
Task 8.13
Task 8.14
Task 8.15
Task 8.16
Task 8.17
Task 8.18
Task 8.19
Task 8.1
Task 8.2
R4(config)#int fa0/0
R4(config-if)#ip virtual-reassembly drop-fragments
Task 8.3
Task 8.4
Task 8.5
Task 8.6
You think the attacker may have been scanning because you are allowing too much information to the outside. ICMP and telnet should only be allowed incoming from R1 and FTP should only be allowed from anywhere to R2. Review the ASA configuration and correct the access allowed.
Then add only the access needed. Since we removed the entire ACL, we need to re-apply the new one to the outside interface.
Task 8.7
RFC 1918 addresses are set aside for private network use. They should never arrive from the internet and can be blocked with an ACL. We already have an ACL present on the internet-facing interface (s0/0/0), so we first need to remove our “permit ip any any” statement so the deny statements will function. After the RFC 1918 addresses are denied, the “permit” statement can be re-applied.
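The procedure just described, as an added example (not the workbook's own solution). The page does not name the router or its ACL, so both are assumptions: the internet-facing router's inbound ACL on Serial0/0/0 is taken to be a named extended ACL called OUTSIDE_IN whose last line is permit ip any any. The log keyword on the deny lines is also an addition, so that spoofed or misrouted private-source traffic shows up in syslog.

```cisco
! Added example (not the workbook's own solution) for Task 8.7. Assumptions:
! the internet-facing router's inbound ACL on Serial0/0/0 is a named
! extended ACL called OUTSIDE_IN whose last line is "permit ip any any";
! both the router and the ACL name are placeholders.
ip access-list extended OUTSIDE_IN
 remark remove the catch-all so the new deny lines are reached
 no permit ip any any
 remark RFC 1918 sources must never arrive from the internet
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 remark re-add the catch-all as the last line
 permit ip any any
!
interface Serial0/0/0
 ip access-group OUTSIDE_IN in
```

show access-lists OUTSIDE_IN afterwards shows the deny lines ahead of the permit with their match counters; on IOS releases that support ACL sequence numbers the denies could instead be inserted with lower sequence numbers and the permit left in place, which avoids the brief window where the ACL has no permit at all.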
Task 8.9
SW1(config)#interface fa0/10
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security mac-address sticky
Task 8.10
SW1(config)#interface fa0/11
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 10
Task 8.11
Task 8.12
Task 8.13
SW1(config)#interface fa0/19
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk native vlan 10
Task 8.14
Task 8.15
Task 8.16
Then R4
Now verify the tunnel works, in this case with a ping. The ping should be successful, and the IPsec SA should show packets encrypted and decrypted.
interface: FastEthernet0/0
Crypto map tag: R3_SMTP, local addr 192.168.2.4
Task 8.17
This is often only possible because the DMZ host has more access to the inside network than it needs. This violates the principle of least access. First we’ll review the DMZ ACL to see what might be wrong.
The access list allows DMZ hosts fairly broad access to the inside network. Since the task made no mention of specific access needed to the inside by DMZ hosts, it is best to apply the principle of least access and completely remove the ACL. This will mean the interface security level will take over, and the DMZ will not be able to initiate any traffic to the inside.
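The ASA side of Tasks 8.6 and 8.17, as one added example (not the workbook's own solution). The ACL names, the DMZ interface name, R1's address (24.234.1.1, read off the section topology) and R2's translated address (24.234.1.2) are assumptions; the page does not show the original ACLs. Because this is an 8.0-era configuration, the outside ACL refers to the translated address of R2.

```cisco
! Added example (not the workbook's own solution) for Tasks 8.6 and 8.17.
! ACL names, the interface name "dmz", R1's address and R2's translated
! address are assumptions; only R1's subnet (24.234.1.0/24) is on the page.
!
! Task 8.6: replace the permissive outside ACL. Clearing the ACL also drops
! its access-group binding, so the new list must be re-applied afterwards.
clear configure access-list OUTSIDE_IN
access-list OUTSIDE_IN extended permit icmp host 24.234.1.1 any
access-list OUTSIDE_IN extended permit tcp host 24.234.1.1 any eq telnet
access-list OUTSIDE_IN extended permit tcp any host 24.234.1.2 eq ftp
access-group OUTSIDE_IN in interface outside
!
! Task 8.17: the DMZ ACL granted more inside access than the task needs.
! Remove it so the security levels decide: the lower-security DMZ can no
! longer initiate connections to the inside, while inside-to-DMZ still works.
no access-group DMZ_IN in interface dmz
clear configure access-list DMZ_IN
```

show running-config access-group confirms which lists are bound where, and show access-list OUTSIDE_IN shows hit counts per line once R1's tests and an FTP connection to R2 have been run; any hit on the implicit deny at the end is the scan traffic the task is worried about.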
Task 8.18
Task 8.19
R1(config)#int fa0/0
R1(config-if)#no ip directed-broadcast