www.CareerCert.

info

CCIE Security Lab Workbook Version 3.0
Authored By:

Khawar Butt
CCIE # 12353
(R/S, Security, SP, Voice) Comprehensive Coverage of the CCIE Security Lab Exam based on Version 3.0 Blueprint

Netmetric Solutions
http://www.netmetric-solutions.com
Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 1 of 307

www.CareerCert.info

A Note from the Author
I would like to take this opportunity to thank you for investing in the CCIE Security Lab Work Book Version 3.0 from Netmetric Solutions. I have tried to match the book pattern to the CCIE Security Blueprint. It is broken down into 7 Modules. The first 6 modules focus on the Blueprint technologies. These labs give you the foundations to attempt the Full lab which are called the Super Labs. Although, my recommendation is to go thru the Technology labs before you start the Super Lab, but if you feel comfortable with the technologies, you can start with the Super Labs. There are 3 Super Labs currently in the workbook and you will be getting another 3 by the end of June as promised. I will also be adding an additional 4 labs by the end of July. The book will be shipped with the AVI for the Labs being performed, which you can play in Real Player or Media Player. I would highly recommend downloading Camtasia Studio from http://www.techsmith.com. The quality of the videos increases drastically when viewed in Camtasia. The initial and final (Golden) configuration files are available to download at http://www.netmetric-solutions.com. We will e-mail you use a username and password. You can use this to download the files from the website. I am also in the process of setting up a support forum. You will also be given access and information about the support forum thru the email. In terms of the Rack Rental companies, I would highly recommend http://CCIE2BE.com, http://cconlinelabs.com and http://ciscolabs.ca. They have topologies wired specifically for this Workbook. Thanks again for choosing us for your CCIE Preparation. I am sure you will not be disappointed Khawar Butt CCIE # 12353 (R/S, Security, SP, Voice) MSN IM: khawarb@khawarb.com

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 2 of 307

www.CareerCert.info

About CCIE® Security Certification
CCIE® certification in Security indicates expert level knowledge of Security solutions in the enterprise. Candidates should be able to install, configure and maintain Security solutions over IP networks.

Requirement’s for Becoming a CCIE® Security
There are no formal prerequisites for CCIE® certification. Other professional certifications and/or specific training courses are not required. Instead, candidates are expected to have an in-depth understanding of the subtleties, intricacies and challenges of end-to-end networking. You are encouraged to have on hands on experience with the devices used in the Lab. A Bootcamp is also recommended to guide you in a focused path towards the CCIE certification. To obtain your CCIE®, you must first pass a written qualification exam and then a corresponding hands-on lab exam.

CCIE® Security Lab Workbook
• • • • • • •

Written by Khawar Butt, author of several popular CCIE Security Workbooks. Extensive coverage of all the CCIE Security Version 3.0 blueprint topics. 38 Labs including 3 Super Labs (100 point Lab) and 35 topic/technology specific labs and around 150 mini-labs. Additional 7 Super Labs will be given at no extra charge by the end of July. Total 10 Super Labs. Covers Security on the Routers, Switches, ASA and IPS Devices. It also covers the ACS Server. Startup and Golden Configurations for each Lab including Minilabs and Super Labs. The book includes Live video replay DVD that has each and every lab solved.

Video Replay DVD
The solutions DVD contains live videos for all the labs in this lab workbook. We believe in good old saying, "picture says thousand words" and we wanted to put that in practice. The DVD contains our lab solution in video format. You will simply need to insert the DVD and watch the labs being done. Click on the solution video for the lab you are working on and it should play the video. You will be able to fast forward,
Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 3 of 307

www.CareerCert.info

rewind, pause, stop and replay these videos as many times as you desire. The DVD should help you prepare for the labs in this workbook and make you more informed and better equipped engineer. This will also help you in the real world to see how complex technologies are being implemented in a step-by-step manner.

Netmetric Solutions Bootcamps
• • •

• • •

• • • • • •

Instructed by a Well-known Quad CCIE Instructor. 7 days of intense CCIE® Training. 40 hours of more rack time before and/or after the lab boot camp which allows our delegates to reinforce what they learn during the CCIE® Security lab boot camp. Covers all the topics listed on CCIE® Security Lab Version 3.0 Blue Print. Each topic will be discussed in the class room environment by our expert instructor. Super Lab [Mock CCIE® Security Lab] will be conducted and graded during the last day and a half to analyze your knowledge and readiness. Includes our CCIE® Security Lab Bootcamp Workbook for free. Lab Boot Camp Student Kit labs are different than Lab Workbook labs for additional exposure and scenarios. Access to our expert instructor staff after the CCIE® Security Lab Boot Camp. Can be purchased with the Travel Package. For a group of four or more, we can bring this boot camp to your office anywhere in the world. Excellent Retake Policy, which allows you to retake this course for free for up to one year, as far as there is a seat available in the class. Compliant with latest CCIE changes announced by Cisco Systems.

For International Customers
Netmetric Solutions is offering attractive and convenient travel package for our customers traveling from around the world to attend our training programs. Netmetric Solutions has worked out special rates and perks from nearby hotels at our Hyderabad and New Delhi campuses which offer our delegates complete turnkey solution to their travel related needs. Netmetric Solutions will assign a dedicated account manager to work with our delegates travel needs. Single point of contact will make your travel and learning experience unique and easy. Please check our online schedule and contact us for any training requirements in international locations.
Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 4 of 307

www.CareerCert.info

Additional Reading References
• • • • • • • • • • •

CCIE® Practical Studies: Security (CCIE® Self-Study) (Bokotey, Mason, Morrow, ISBN# 1587051109) CCIE® Security Exam Certification Guide (CCIE® Self-Study), 2nd Edition (Benjamin, ISBN: 1587201356) CCIE® Security Practice Labs (CCIE® Self-Study) (Bhaiji, ISBN# 1587051346) Cisco Access Control Security: AAA Administration Services (Carroll, ISBN# 1587051249) Cisco Router Firewall Security (Deal, ISBN# 1587051753) Designing Network Security, Second Edition (Kaeo, ISBN# 1587051176) Network Security Architectures (Convery, ISBN# 158705115X) Network Security First-Step (Thomas, ISBN# 1587200996) Network Security Fundamentals (De Laet, Schauwers, ISBN# 1587051672) Network Security Principles and Practices (Malik, ISBN# 1587050250) Troubleshooting Virtual Private Networks (VPN) (Lewis, ISBN# 1587051044)

General Publications
• • •

• •

Cisco Security Architectures (Held and Hundley, McGraw Hill, ISBN# B00005UMKL) Firewalls and Internet Security, Second Edition (Cheswick, Bellovin, and Rubin, Addison-Wesley, ISBN# 020163466X) Internetworking with TCP/IP Volume I: Principles, Protocols, and Architecture (4th Edition) (Comer and Stevens, Prentice Hall, ISBN# 0130183806) Internet Security Protocols : Protecting IP Traffic (Black, Prentice Hall, ISBN# 0130142492) IPSec: The New Security Standard for the Internet, Intranet and Virtual Private Networks (Doraswamy and Harkins, Prentice Hall, ISBN# 013046189X) Network Security: Private Communication in a Public World, Second Edition (Kaufman, Perlman, Speciner, Prentice Hall, ISBN# 0130460192)

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 5 of 307

www.CareerCert.info

Disclaimer
CCDA®, CCDP®, CCIE®, CCIP®,CCNA®, CCNP®, Cisco® IOS®, Cisco® Systems, the Cisco® logo, and Networking Academy are registered trademarks or trademarks of Cisco® Systems Inc. and/or affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners.

Cisco NDA Compliance Notice
Netmetric Solutions’ CCIE® Security lab workbook is in compliance of Cisco Non Disclosure Agreement (NDA). All of the scenarios in this lab workbook are based on hypothetical scenarios and are tested on our remote racks. It is our attempt to train our clients on the technologies and not merely exam preparedness. Often you will find scenarios in our lab workbook which is exactly how it happened to be in some real world situation. We strongly encourage you to abide by Cisco Non Disclosure Agreement (NDA) and never ask any question on our support forum or by email or any other way, which is directly taken from the real CCIE® lab exam. If we suspect such an activity, we will forward the communication to Cisco authorities and disable all access to our systems immediately.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 6 of 307

com Page 7 of 307 .www.14 – Configuring Multicast Routing on the ASA 1.6 2.7 – Configuring Management Protocols on the ASA 1.12 – Running OSPF on the ASA 1.3 3.5 – – – – – Configuring Multiple Contexts Active/Active Failover using Security Contexts Multi-Mode Transparent Firewall Interface Redundancy Route Tracking Using SLA Monitor Lab 4 – IOS Firewall – Basic Configurations Copyrights Netmetric Solutions 2006-2010 Website: http://www.1 – Basic Configurations 1.6 – Configuring Timeouts and Connection Limits 1. Email: khawarb@khawarb.10 – Object Groups 1.netmetric-solutions.4 2. ActiveX and URL Filtering Lab 2 – Advanced ASA Configurations Lab Lab Lab Lab Lab Lab Lab Lab Lab 2.4 3.2 3.9 – – – – – – – – – Layer 2 Transparent Firewall Configuring Management on a Transparent Firewall Configuring ACLs on a Transparent Firewall Configuring ARP Inspection on a Transparent Firewall Configuring Failover Configuring Statefull Failover Configuring Application Aware Inspection Configuring QoS on the ASA Configuring TCP Normalization Lab 3 – Security Contexts and Redundancy Lab Lab Lab Lab Lab 3.13 – Running EIGRP on the ASA 1.2 – Configure Static and Default Routes 1.2 2.9 – Access Control 1.8 2.4 – Configuring communications between interface with the same security level interfaces.5 2.15 – Configuring Java.3 2.CareerCert.8 – Configuring Service Protocols on the ASA 1.11 – Running RIP on the ASA 1.1 3.5 – Configuring Translations 1.1 2.com. 1.info Table of Contents Module 1 – Firewalls – ASA & IOS Firewall Lab 1 – Basic ASA/IOS Configurations Lab Lab Lab Lab Lab Lab Lab Lab Lab Lab Lab Lab Lab Lab Lab 1.3 – Translations using Dynamic NAT/PAT configurations 1.7 2.

Email: khawarb@khawarb.3 8.5 – – – – – IPSec LAN-to-LAN Router to Router VPN GRE/IPSec Using IPSec Profiles IPSec LAN-to-LAN Router to ASA VPN IPSec LAN-to-LAN Disabling NAT-T thru ASA Multi-Point GRE Tunnel Lab 7 –LAN-to-LAN – Advanced Lab Lab Lab Lab Lab Lab 7.4 8.5 – – – – – Basic IOS Firewall Configurations Tuning DoS attack parameters Enabling Auditing Filtering (Java and URL Filtering) PAM Lab 5 – IOS Firewall – Advanced Configurations Lab 5.4 6.netmetric-solutions.3 7.CareerCert.5 – – – – – EZVPN Router-Router – Client Mode EZVPN Router-Router – Network Extension Mode EZVPN with Router-Cisco VPN Client EZVPN ASA to Router/Cisco VPN client IPSec Hairpinning with EZVPN Lab 9 – IPSec using CA Server Lab 9.com Page 8 of 307 .1 4.2 7.2 – DMVPN Using CA Server Copyrights Netmetric Solutions 2006-2010 Website: http://www.info Lab Lab Lab Lab Lab 4.5 7.3 4.2 – Configuring Zone Based Firewall – Configuring Traffic Policies for Inter-zone Traffic Lab 5.com.1 6.1 7.4 4.6 – – – – – – IPSec LAN-to-LAN using DMVPN IPSec LAN-to-LAN with NAT (Overlapping Subnets) High Availability VPN – Without HSRP High Availability VPN – Using HSRP IPSec LAN-to-LAN using GET VPN IPSec LAN-to-LAN using ISAKMP Profiles Lab 8 – EZVPN Configurations Lab Lab Lab Lab Lab 8.2 4.2 6.3 6.3 – Configuring Parameter-Maps for DoS Thresholds and Deep Packet Inspections Module 2 – Virtual Private Networks (VPN) Lab 6 – LAN to LAN Tunnels – Basic Lab Lab Lab Lab Lab 6.1 – IPSec LAN-to-LAN Router Using CA Server Lab 9.1 – Configuring Zone Based Firewall – Creation of Zones Lab 5.1 8.4 7.www.2 8.

2 12.3 13.info Lab 10 – SSL VPN Lab 10.2 – Configuring QoS with IPSec – ASA Module 3 – IPS/IDS Lab 12 – IPS Sensor Configurations – Promiscuous Mode Lab Lab Lab Lab Lab Lab Lab 12.7 – – – – – – – Configuring SPAN/RSPAN Initial IPS Sensor Settings from the CLI IPS Sensor in Promiscuous Mode Blocking using a Router Rate-Limiting using Router Blocking using a ASA Configuring Multiple Virtual Sensors – Prom.3 12. Mode Lab 13 – IPS Sensor Configurations – Inline Mode Lab Lab Lab Lab 13. Email: khawarb@khawarb.com.1 12.com Page 9 of 307 .netmetric-solutions.2 – SSL VPN on the ASA – Advanced Lab 11 – QoS with IPSec Lab 11.1 – Configuring QoS with IPSec – Router Lab 11.4 – – – – IPS Sensor in Inline Mode Signature Tuning on IPS Sensor Signature Firing – Throttle Parameters Configuring Multiple Virtual Sensors – Inline Mode Lab 14 – Custom Signatures Lab Lab Lab Lab Lab 14.4 14.CareerCert.5 12.1 – SSL VPN on the ASA – Basic Lab 10.3 14.4 12.2 14.1 14.6 12.2 13.5 – – – – – Configuring Configuring Configuring Configuring Configuring Custom Custom Custom Custom Custom Stream Signatures Packet Signatures HTTP Signatures Meta Signatures AIC Signatures Copyrights Netmetric Solutions 2006-2010 Website: http://www.1 13.www.

netmetric-solutions.1X Lab 21 – Configuring Control Plane Security Copyrights Netmetric Solutions 2006-2010 Website: http://www.2 – Configuring AAA Command Authorization for ASA Lab 19 – Configuring AAA Accounting Lab 19.info Lab 15 – IPS Sensor Tuning Lab Lab Lab Lab 15.7 – Configuring Lab Lab Lab Lab 20.1 – Configuring AAA Accounting for Router/Switches Lab 19.4 Authorization Proxy on the Router Authorization Proxy on the ASA Downloadable ACLS on the ASA HTTP Authentication & Authorization on LAC Features Network Access Profiles with NAF NAC Framework – 802.4 – – – – Configuring Configuring Configuring Configuring AAA Clients on ACS Server User & Group Accounts on the ACS Server AAA Authentication on Routers/Switches AAA Authentication on ASA Lab 18 – Configuring AAA for Command Authorization Lab 18.com Page 10 of 307 .com.1 – Configuring IOS IPS – Basic Lab 16.3 – Configuring AAA Usage Quotas For Users Lab 20 – Configuring Advanced Features – Configuring – Configuring – Configuring – Configuring the Router Lab 20.CareerCert.1 – Configuring AAA Command Authorization for Routers/Switches Lab 18.1 20. Email: khawarb@khawarb.3 15.5 – Configuring Lab 20.www.3 17.6 – Configuring Lab 20.Advanced Module 4 – Access Management Lab 17 – Configuring AAA Authentication for Management Access Lab Lab Lab Lab 17.3 20.4 – – – – Tuning Fragmentation Parameters on the IPS Sensor Configuring Event Overrides Configuring Event Filtering Configuring SNMP Traps Lab 16 – Cisco IOS IPS Configurations Lab 16.2 15.2 17.2 20.1 15.1 17.2 – Configuring AAA Accounting for ASA Lab 19.2 – Configuring IOS IPS .

1 – Configuring Routing Protocol Security – Authentication and Filtering Lab 21.3 – Configuring CPU Protection Module 5 – Network and Switch Security using IOS Features Lab 22 – ACL Lab Lab Lab Lab 22.4 – – – – Time-based Access List Reflexive Access List Dynamic Access List Preventing IP Spoofing Using ACL’s and RPF Lab 23 – IOS Services Lab Lab Lab Lab 23.info Lab 21.1 – Configuring CB-WFQ Lab 24.3 – Using NBAR for Traffic Analysis Copyrights Netmetric Solutions 2006-2010 Website: http://www.3 – Rate-limiting Lab 25 – Using NBAR Lab 25.2 22.3 22.4 – – – – Configuring NAT on Routers Configuring IP TCP Intercept Configuring NTP Disabling Unnecessary Services on the Routers Lab 24 – Implementing QoS for Traffic Control and Congestion Management Lab 24.2 23.www.netmetric-solutions.CareerCert.2 – Using NBAR for LLQ Lab 25.2 – Configuring CP Policing Lab 21.3 23.1 – Using NBAR for CB-WFQ Lab 25. Email: khawarb@khawarb.1 22.2 – Configuring LLQ Lab 24.1 23.com Page 11 of 307 .com.

2 – IP Spoofing Attacks Lab 28 – Mitigating Layer 2 Attacks Lab Lab Lab Lab Lab 28.2 – Mitigating DoS and Syn attacks using CBAC Lab 29.1 – Mitigating DoS attacks using CAR Lab 29.2 28.6 26.3 – Mitigating DoS and Syn attacks using IP TCP Intercept Lab 30 – Mitigating Attacks using NBAR and FPM Lab Lab Lab Lab 30.netmetric-solutions.3 28.CareerCert.5 26. Smurf and Fragment Attacks Lab 27.4 – – – – Blocking Blocking Blocking Blocking HTTP attacks using NBAR File Transfer Attacks using NBAR Fragmented UDP Attacks using FPM TCP SYN Flood Attacks using FPM Lab 31 – Service Provider Security Lab 31.2 – Blocking Attacks Using Remote Triggered Black Hole Module 7 – Troubleshooting Copyrights Netmetric Solutions 2006-2010 Website: http://www.1 – Blocking Fraggle.com Page 12 of 307 .2 30.3 30.3 26.2 26.1 30.www.5 – – – – – Mitigating MAC Spoofing Attacks Mitigating ARP Spoofing Attacks Mitigating Man-in-the-Middle Attacks Preventing VLAN Hopping Attacks Mitigating DHCP Attacks Lab 29 – Preventing DoS Attacks Lab 29. Email: khawarb@khawarb.info Lab 26 – Catalyst Switch Security Lab Lab Lab Lab Lab Lab Lab 26.4 28.7 – – – – – – – Controlling Management Protocols Port Security Configuring Spanning Tree Portfast Enabling DHCP Snooping Configuring Dynamic ARP Inspection (DAI) Configuring Dot1x Authentication Configuring filtering using VLAN Maps Module 6 – Network Attacks Lab 27 – Blocking Attacks Using ACL’s Lab 27.1 – Blocking Attacks using PBR Lab 31.1 26.4 26.com.1 28.

Email: khawarb@khawarb.1 – Troubleshooting DMVPN Super Lab Breakdown Section Section Section Section Section Section Section Section Section 1 2 3 4 5 6 7 8 9 – – – – – – – – – ASA/IOS FW Configuration – Basic ASA/IOS Configuration – Advanced IPS Configuration – Basic IPS Configuration – Advanced VPN Configuration – Basic VPN Configuration – Advanced Access Management (ACS) Network / Switch Security Network Attacks Copyrights Netmetric Solutions 2006-2010 Website: http://www.com.netmetric-solutions.CareerCert.com Page 13 of 307 .www.1 – Troubleshooting Initial Configuration Issues and BGP Thru ASA Lab 33 – Troubleshooting DMVPN Lab 33.info Lab 32 – Troubleshooting ASA Lab 32.

Email: khawarb@khawarb.info CCIE Security Lab Workbook Version 3.netmetric-solutions.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.0 Module 1: Firewalls – ASA/IOS Lab 1 – Basic ASA Configurations Netmetric Solutions http://www.com.netmetric-solutions.CareerCert.com Page 14 of 307 .www.

10) F0/0 (.CareerCert.1(.6) ASA-2 F 0/0(.3.6(.10) 191.22.66.0/24 VLAN 55 F 0/0 (.0/24 VLAN 11 R3 F0/0 (.10) 10.2) 192.10) F0/0 (.www.0/24 VLAN 100 F 0/0 (.55.info Lab 1 – Basic ASA Configurations Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.1.0/24 VLAN 66 F 0/1.1) R1 F 0/0 (.22.1.netmetric-solutions.1) 10.22.168.10) 10.com Page 15 of 307 .1.0/24 VLAN 10 F 0/1 (.1.66.0/24 VLAN 33 F0/2 (.5) R5 192.11.0/24 S 0/0 (.10) F 0/1.4. Email: khawarb@khawarb. Syslog.55) R6 F 0/0 (. IEV.1 IDM.11.44) R4 192.33) ASA-1 192. Network Diagram 1.22.2) R2 S 0/0 (. AAA and CA (.0/24 VLAN 44 F0/3 (.125.25) 10.0/24 VLAN 12 F 0/0 (.com.168.20) BB1 Copyrights Netmetric Solutions 2006-2010 Website: http://www.10) F0/1 (.22.

22.com. Task 3 Configure the Management interface with an IP Address of 10.66.22.10/24 10.100 DNS Server : 192.100.1.3. Configure the Switch by assigning the ASA-1 ports in the appropriate VLANs.55.1 F 0/1.10/24 10.10/24.22.10/24 Task 5 At this point.35 Copyrights Netmetric Solutions 2006-2010 Website: http://www.55.10/24 Task 2 At this point.66. Configure the Test Workstation PC with an IP Address of 10.netmetric-solutions.info Lab 1.1.25/24.1 – Initial Setup of ASA Lab Objectives: Task 1 Configure ASA-1 with the following IP configuration for the Interfaces: Interface F 0/0 F 0/1 F 0/2 F 0/3 Name Outside Inside DMZ3 DMZ4 Security Level 0 100 50 50 IP Address 192.66.6 Name Outside Inside DMZ6 Security Level 0 100 50 IP Address 192.168. Configure the Switch with the Test Workstation PC and Management Interface of the ASA in the same VLAN.22.66. Configure the Switch by assigning the ASA-2 ports in the appropriate VLANs.10/24 10.10/24 192.com Page 16 of 307 . Task 6 Configure the ASA-2 to give out IP Configuration on the DMZ6 interface using the following information: IP Range : 10.1.100.www. Task 4 Configure ASA-2 with the following IP configuration for the Interfaces: Interface F 0/0 F 0/1.66.51 – 10. Email: khawarb@khawarb.66.100.CareerCert. the ASA should be able to ping all the surrounding routers. the ASA should be able to ping all the surrounding routers.168.4.22.10/24 192.100.

R5 should be configured as the Master with a Stratum of 2. ASA-1 and R2 are located in San Jose and ASA-2 and R5 are located in Dubai.com.169 Task 7 Configure both the ASA’s to get the clock from R2 and R5. Set the buffer size to 32768 bytes Routing Error messages for RIP and OSPF should be sent to an email address of khawarb@khawarb. Configure R2 as the preferred master and R5 as the secondary master for ASA-1.com Page 17 of 307 . R5 should be configured as the Master with a Stratum of 2.22. Email: khawarb@khawarb. It should be seen from ASA@WB.com.CareerCert. Configure R5 the preferred master and R2 as the secondary master for ASA-2. Task 8 Configure logging on ASA-1 using the following: IKE.1. WebVPN. Configure it with a key id of 1 and a MD5 key of cciesec.66.info WINS Server : 10.66.com.66. ASA should use a SMTP Server of 192.25 to send mail.36 TFTP-Server : 10.www.netmetric-solutions. Configure it with a key id of 1 and a MD5 key of cciesec. IPSec and VPN Client messages should be sent to the buffer for critical messages. Copyrights Netmetric Solutions 2006-2010 Website: http://www.66.

netmetric-solutions. DMZ3 and DMZ4 interfaces.2 – Static and Default Routes Before you Start This Lab builds on the configuration of the previous lab. Copyrights Netmetric Solutions 2006-2010 Website: http://www.com. Note: At this point.com Page 18 of 307 . Internal Networks include networks off of the Inside.CareerCert. Email: khawarb@khawarb. Task 3 Configure ASA-2 with Static Routes for all internal networks including loopbacks. Task 2 Configure a default route on ASA-1 pointing towards R2. Internal Networks include networks off of the Inside and DMZ3 interfaces.www.info Lab 1. Task 4 Configure a default route on ASA-2 pointing towards R5. They should also have full connectivity to the Frame Cloud and each other. the Firewalls should have full connectivity to their respective internal networks. Lab Objectives: Task 1 Configure ASA-1 with Static Routes for all internal networks including loopbacks.

1. Copyrights Netmetric Solutions 2006-2010 Website: http://www.200. Task 2 ASA-1 should translate internal networks (including DMZ3 and DMZ4) to outside using a pool of 192.22. Task 5 Allow this network to access the outside network using it’s own address.51 – 192.3 – Translations and Connections Before you Start This Lab builds on the configuration of the previous lab.1.6/24. Assign it an address of 100.1.55. Task 3 Create a loopback 100 on R6. Lab Objectives: Task 1 Make sure packets going towards the Frame Cloud from ASA-1 go thru a Translation rule before they are allowed out. Task 4 Configure ASA-2 and R5 with a static route for this network.6.1.55. Task 6 Configure a NAT/PAT combination on ASA-2 to allow the internal networks (including DMZ6) to access the outside using a pool of 192.55. Do not use the Static command to accomplish this task.99.6. Email: khawarb@khawarb.100 to back this pool up.CareerCert.com Page 19 of 307 .22.info Lab 1.151 – 192. Use 192.1.www. Back this pool up by using a PAT address of the outside interface.com.netmetric-solutions.

4 – Same-Security-Level Communications Before you Start This Lab builds on the configuration of the previous lab. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 3 No need to test this. Lab Objectives: Task 1 Allow DMZ3 and DMZ4 networks to communicate to each other.netmetric-solutions.CareerCert. Email: khawarb@khawarb. Just put the configuration commands.com Page 20 of 307 . Task 2 Also allow traffic to enter and exit the same interface on ASA-1.com.info Lab 1.www.

Lab Objectives: Task 1 Configure Static translation for R1 F 0/0 as 192. If a packet is received destined to the outside interface for port 25. Assign it an IP Address of 192. This network should be allowed to go out using it’s own address towards R5 F 0/0 interface only. Assign it an IP Address of 192. it is seen as 192.1.55.22.info Lab 1.com.66/24.45.1.55. Don’t use an Access-list to accomplish this task. Task 6 Configure another loopback interface on R6.66. it should be redirected towards 192.21 and when it communicates with R5 (55.netmetric-solutions.1. Task 2 Configure ASA-1 such that when it receives a packet destined to the outside interface for port 23.4.22.168. Task 5 Configure a loopback interface on R6.55) Loopback. It should not be able to go out to the rest of the inter-network.22. Be very specific in your translations.22.168.1.1 on the outside interface and the internal PC (ACS) as 192.66.166/24. Task 3 Configure ASA-1 such that when R3 F0/0 communicates with R2 Loopback (22.22.44. it should be redirected towards 192. Task 4 Configure ASA-2 such that BB1 sees R5 as 10.22.22.1.55.20.CareerCert.22.166.4.com Page 21 of 307 . Do not use the static command to accomplish this task.1.5 and the outside sees BB1 as 192.5 – Advanced Translations Before you Start This Lab builds on the configuration of the previous lab.25 on the outside interface.22).www. it is seen as 192. Copyrights Netmetric Solutions 2006-2010 Website: http://www.22. This address should be seen as itself on the outside. Email: khawarb@khawarb.

Email: khawarb@khawarb.com Page 22 of 307 . Task 2 Re-configure the Dynamic NAT/PAT translations to a maximum of 100 incoming TCP connections.com. Dynamic Translations are cleared Task 4 Configure ASA-2 such that UDP connections should timeout after 90 seconds of in-activity.www.6 – Connections Limits and Timeouts Before you Start This Lab builds on the configuration of the previous lab.netmetric-solutions. Task 3 Configure ASA-2 such that automatically after 60 minutes. Also.info Lab 1. Lab Objectives: Task 1 Configure ASA-1 such that it should only allow a maximum of 1000 simultaneous TCP connections to R1 from the outside networks.CareerCert. block the SYN-Flood attack against this host by restricting the number of half-open connections to 200. Task 5 Configure ASA-2 such that ICMP connections should timeout after 60 seconds of in-activity. Copyrights Netmetric Solutions 2006-2010 Website: http://www. It should also restrict the simultaneous UDP connections to 750.

7 – Configuring Management Protocols Before you Start This Lab builds on the configuration of the previous lab.22. Task 4 Create a username of BBB1 with a password of cciesec.netmetric-solutions.com.22.0/24 network to access it for management. Copyrights Netmetric Solutions 2006-2010 Website: http://www. ASA-1 should allow the 10. The idle timeout for SSH connections should be 2 minutes.www. Lab Objectives: Task 1 Configure the Firewalls for Telnet Management from the Inside interface. Have the ASA authenticate against the Local Username database.com Page 23 of 307 .0/24 network to access it for management.CareerCert. Task 2 Configure the Telnet password as cciesec on both the Firewalls.11.22. Allow BB1 to connect to ASA-1 for Management from the outside interface using SSH Version 2. ASA-2 should allow the 10.22.info Lab 1. Email: khawarb@khawarb.0/24 and the 10. Task 3 Enable SSH on ASA-1.11.

Task 2 Configure a SNMP Server with an IP Address of 10. Task 3 Enable the following traps to be sent to the SNMP Server: Standard Event Traps (linkup linkdown) IPSec Event Traps (start stop) Remote Access Traps (session-threshold-exceeded) Copyrights Netmetric Solutions 2006-2010 Website: http://www.com.22.netmetric-solutions.info Lab 1.8 – Configuring SNMP Before you Start This Lab builds on the configuration of the previous lab. Configure the ASA to communicate to this SNMP Server using port 25000. Lab Objectives: Task 1 Configure SNMP on ASA-1 with a Global SNMP-Community of ASACCIE.www. It will be using SNMP Version 2c to the management station at 10. The management station uses a non-standard port of 25000 to listen for Traps. Email: khawarb@khawarb.50. It should be configured with a community name of CC1ESecure.22.com Page 24 of 307 .50.CareerCert.22.22.

22. Task 5 Configure the ASA-1 such that it should be able to ping outside but nobody should be able to ping ASA-1’s outside interface. This translation was done earlier in Lab 1. and the RADIUS ports. SSH and HTTP.www.com. Task 4 Your Network Administrator has configured BGP between R5 and BB1.5 Task 2. Allow the peering to form thru ASA-2.1.info Lab 1.9 – Access Control Before you Start This Lab builds on the configuration of the previous lab.CareerCert.1. You should only allow traffic for Telnet. Task 3 Allow Telnet and SSH Traffic to come into R3 from R2 and R5 Loopbacks. Task 2 Allow traffic destined to the outside interface for ports SMTP and Telnet to come in. Lab Objectives: Task 1 Allow traffic in for R1’s translated address 192.1 (Lab 1. R3 used 192.1.22 when it communicated to R5. ASA-2 should be able to ping outside and get a response.22. Email: khawarb@khawarb.netmetric-solutions.5 Task1). TACACS+. Task 6 Configure ASA-2 such that only R2 Loopback 0 and R5 Loopback 0 should be able to ping its outside interface.1.22.com Page 25 of 307 .22.25 in for HTTP.21 to communicate with R2 and it used 192. Also allow traffic for the ACS server which was translated to 192. Copyrights Netmetric Solutions 2006-2010 Website: http://www.

168.22.203 192. FTP HTTP.205 192.168.1.22. FTP SMTP SMTP DNS. Email: khawarb@khawarb.206 192.1.4.4.207 Applications HTTP.1.168.4.1. Lab Objectives: Task 1 DMZ4 contains the following Application Servers and Applications: Real IP Address 192.com.22.202 192.1.168.1. FTP HTTP.22.4.203 192.22.netmetric-solutions. Copyrights Netmetric Solutions 2006-2010 Website: http://www.22. Task 3 Allow access to the Application Servers with the minimum number of lines possible. TFTP Task 2 Create one-on-one static translations based on the above table.1.207 Translated Address 192. HTTPS.4.CareerCert.201 192.10 – Object Groups Before you Start This Lab builds on the configuration of the previous lab. HTTPS.204 192.206 192.202 192.22.168.com Page 26 of 307 . HTTPS.168.205 192.www.info Lab 1.168. TFTP DNS.204 192.201 192.4.4.

com. Disable auto-summarization of routes. The Routers are preconfigured with the Routing Protocols. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Email: khawarb@khawarb. You will be configuring Dynamic Routing protocols on them to learn routes.com Page 27 of 307 .www. Lab Objectives: Task 1 Clear all the static routes on ASA-1.info Lab 1. Task 2 Configure RIP V2 on the ASA-1 on the DMZ3 and DMZ4 interface.CareerCert.netmetric-solutions. Task 3 R3 and R4 are configured with RIP V2 authentication of Key 1 and password of cciesec.11 – Running RIP V2 Before you Start This Lab builds on the configuration of the previous lab. Configure ASA-1 with the same to allow it to receive routes from the routers.

CareerCert.122. Configure the ASA to receive routes from R2. Task 4 Configure OSPF on the outside interface of ASA-2 as Area 0.111. Task 3 Clear all the static routes on ASA-2.com. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Email: khawarb@khawarb. Task 2 R2 is configured with a key of 1 and a password of cciesec.com Page 28 of 307 .122. Lab Objectives: Task 1 Configure OSPF on the outside interface of ASA-1 in Area 0. Hard-code the Router-id as 111.netmetric-solutions. Hard-code the Router-id as 122.122.12 – Running OSPF Before you Start This Lab builds on the configuration of the previous lab.www.111. Task 5 R5 is configured with a key of 1 and a password of cciesec.info Lab 1.111. Configure ASA-2 to receive routes from R5.

www. Email: khawarb@khawarb.13 – Running EIGRP Before you Start This Lab builds on the configuration of the previous lab. Task 2 R1 is configured with a key of 1 and a password of cciesec. Disable Auto-summarization. Task 5 Perform Route Redistribution such that all devices have a complete picture of the entire topology.com Page 29 of 307 . Configure ASA-2 to receive routes from BB1. Copyrights Netmetric Solutions 2006-2010 Website: http://www.info Lab 1.netmetric-solutions. Task 4 BB1 is configured with a key of 1 and a password of cciesec.com. Task 3 Configure EIGRP on the inside and DMZ interfaces of ASA-2 in AS 200.CareerCert. Lab Objectives: Task 1 Configure EIGRP on the inside interface of ASA-1 in AS 100. Disable Auto-summarization. Configure the ASA-1 to receive routes from R1.

com Page 30 of 307 .14 – Multicast Routing Before you Start This Lab builds on the configuration of the previous lab.com. Email: khawarb@khawarb.netmetric-solutions. Configure the ASA to point to R2 as the RP for that particular group. Lab Objectives: Task 1 Multicast Routing has been enabled on R2.2.2. Task 3 R2 is configured as the RP for the Multicast Group 225.2. It has a Member part of the Multicast group 225.info Lab 1.2. Task 2 Configure ASA-1 to communicate to R2 using PIM. Copyrights Netmetric Solutions 2006-2010 Website: http://www.2.CareerCert.2.www.

22. Task 2 Filter all Java content from the 10. 443 and 8080.netmetric-solutions. Configure ASA-1 to point to it as the URL Server.0 networks towards 55.77 on the inside network of the ASA-1.55. the packets should be allowed to go out.22. Task 4 Configure ASA-1 for URL Filtering on port 80. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 5 If the URL Server is down.22.www.22. Lab Objectives: Task 1 Filter all ActiveX content from the 10.55.22.com.CareerCert.com Page 31 of 307 . Filtering should be done on Port 80 and 8080.55/0 network on ASA-1.15 – Content Filtering Before you Start This Lab builds on the configuration of the previous lab.0 networks towards 55. Filtering should be done on Port 80 and 8080.22.55. Task 3 There is a Websense URL Server located at 10.info Lab 1. Email: khawarb@khawarb.0/24 network on ASA-1.

netmetric-solutions.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert.0 Module 1: Firewalls – ASA/IOS Lab 2 – Advanced ASA Configurations Netmetric Solutions http://www.com.www. Email: khawarb@khawarb.com Page 32 of 307 .info CCIE Security Lab Workbook Version 3.netmetric-solutions.

22.22.11.netmetric-solutions.22.com.1) R1 F 0/0 (.0/24 VLAN 1 F 0/1 (.0/24 VLAN 22 F 0/0 (.11.2) R2 Copyrights Netmetric Solutions 2006-2010 Website: http://www. Network Diagram 1.1) 10.2 10. Email: khawarb@khawarb.0/24 VLAN 11 Inside ASA Outside 10.CareerCert.www.info Lab 2 – Advanced ASA Configurations Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.com Page 33 of 307 .22.

netmetric-solutions. Bring the Interface up.www. Bring the Interface up.1 – Layer 2 Transparent Firewall Lab Objectives: Task 1 Configure the ASA-1 Firewall as a Single Mode Transparent Firewall. Task 3 Configure F 0/1 as the inside interface with a security level of 100.info Network Diagram 1. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 2 Configure F 0/0 as the outside interface with a security level of 0. Task 4 Configure the devices in the appropriate VLAN’s on the Switch(s).com.CareerCert.2 Lab 2.com Page 34 of 307 . Email: khawarb@khawarb.

Task 2 Allow Management of ASA-1 only from VLAN 11 devices.10/24 with a default gateway of 10.com Page 35 of 307 . Copyrights Netmetric Solutions 2006-2010 Website: http://www.2.CareerCert. Telnet and SSH access to the ASA should be allowed from the inside interface only.22.2 – Configuring Management of SMTF Before you Start This Lab builds on the configuration of the previous lab.22.netmetric-solutions.22. Lab Objectives: Task 1 Assign ASA-1 an IP address of 10. Email: khawarb@khawarb.www.com.info Lab 2.22.

info Lab 2. SMTP and DNS traffic only. Task 2 Allow R1 to Telnet and HTTP into R2. allow BPDU packets and packets with a EtherType 0x2111 thru the Firewall. Lab Objectives: Task 1 Configure ASA-1 to allow R2 and R1 to communicate to each other to exchange Routing information. Make sure the Firewall allows them to communicate to each other.com.www.netmetric-solutions.com Page 36 of 307 . Task 4 You will be configuring MPLS-Unicast Routing on R1 and R2 in the future. Copyrights Netmetric Solutions 2006-2010 Website: http://www.3 – ACL’s in Transparent Mode Before you Start This Lab builds on the configuration of the previous lab. Email: khawarb@khawarb. Task 3 Allow devices on the inside of the ASA should be able to go out for Web. Also. R2 and R1 are running RIP V2 as the routing protocol.CareerCert.

Lab Objectives: Task 1 Configure ASA-1 such that it examines all the ARP Packets (reply or gratuitous ARP) on the outside interface before forwarding the packet.com Page 37 of 307 . Email: khawarb@khawarb. Configure the Aging time for Dynamically learned addresses to 10 minutes. It should look in the Static ARP table for a matching entry and if it does not exist. it should drop the packet.netmetric-solutions.com. Task 3 Disable the ability of ASA-1 to dynamically learn MAC addresses on the outside interface.info Lab 2.www. Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert. Create a Static MAC address entry for R2’s MAC address Task 4 ASA-1 should learn MAC addresses dynamically on the inside interface.4 – ARP Inspection & Static ARP Before you Start This Lab builds on the configuration of the previous lab. Task 2 Create a Static ARP entry for R2 IP to MAC mapping on the respective interface.

4) R4 Copyrights Netmetric Solutions 2006-2010 Website: http://www.22.4(.1) 10.2) R2 F 0/0 (.netmetric-solutions.5 – Active/Standby Failover Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab Network Diagram 1.0/24 VLAN 11 F0/1 (.3) R3 F 0/0.com Page 38 of 307 .11.10) F0/1 (.info Lab 2.www.22.11) 192.1.1) R1 F 0/0 (.0/24 VLAN 23 F 0/0.25) 10.3) 192.11) ASA-1 F0/0 (. AAA and CA (.11.34.0/24 VLAN 12 F 0/1 (.10) ASA-2 F0/0 (.CareerCert.22.com.3 IDM. Syslog.0/24 VLAN 10 F 0/1 (.0/24 VLAN 34 F 0/0(.1.23.10(. Email: khawarb@khawarb. IEV.2) 192.1.

201 – 192.com Page 39 of 307 .11/24 10.22.22. ASA-1 will be the Primary Firewall and ASA-2 will be the Secondary Firewall.22.netmetric-solutions. Also assign it an active IP address of 10.22. Copyrights Netmetric Solutions 2006-2010 Website: http://www.1/24 with a standby address of 10.22.10/24 10.CareerCert. Task 4 Configure ASA-2 with the appropriate configuration to enable Failover.1.info Lab Objectives: Task 1 ASA-1 and ASA-2 will be configured in a Active/Standby Failover Setup. Email: khawarb@khawarb. This interface will be used to transmit Failover control messages.22. Task 7 Allow the inside networks to go out using a Outside pool of 192. Task 2 Configure F 0/2 as the Failover Link.22. Task 5 Configure ASA-1 with the following Primary and Standby IP Addresses: Interface F 0/0 F 0/1 Name Outside Inside Security Level 0 100 System IP 192. Task 3 Authenticate the Failover Control messages using a Key of cciesec. Assign the Firewall interfaces in the appropriate VLANs on the appropriate Switches.100. Use VLAN’s of your own choice for Failover LAN and Link connections. Assign it a name of FC.10/24 Standby IP 192.22.com.100.100.1.1.www.100.254.11/24 Task 6 Configure RIP V2 as the routing protocol on both the inside and outside interfaces.1.2.

Task 3 Assign the ports to a VLAN of your choice on the appropriate Switches.101. Email: khawarb@khawarb.com.info Lab 2.www.CareerCert. Copyrights Netmetric Solutions 2006-2010 Website: http://www.101.netmetric-solutions.101. Lab Objectives: Task 1 Configure F 0/3 with an IP Address of 10.101. Assign it a name of SFF.com Page 40 of 307 .6 – Statefull Failover Before you Start This Lab builds on the configuration of the previous lab.1/24 as the Active Address and 10.2/24 as the Standby address. Task 2 The SFF link should be used to replicate the Translations and State table from the Active to the Standby Firewall.

7 – Application Aware Inspection Before you Start This Lab builds on the configuration of the previous lab.info Lab 2.1. Also configure FTP to be inspected on port 2100 in addition to port 21. Lab Objectives: Task 1 Configure ASA-1 to inspect HTTP on ports 80 and 8080.21.www. Task 7 Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 4 There is a FTP Server located at 10.22.com. Allow Web traffic to this Server from the outside. Email: khawarb@khawarb.22. Translate this server as 192.22.21 on the outside. Translate this server as 192.1.80 on the outside. Port 80 should be inspected under the existing class. Task 5 FTP traffic destined to this server should not be able to execute the following commands: Put Rmd Rnfr dele Task 6 There is a Web Server located at 10.22. Task 2 Disable Application inspection in the Default inspection policy for the following protocols: NetBIOS XDMCP Task 3 Enable Application inspection in the Default inspection policy for the ICMP.22.22.netmetric-solutions.80. Do not use an access-list to accomplish this task.com Page 41 of 307 . Allow FTP traffic to this Server from the outside.CareerCert.

Task 11 Do not configure this under the Global policy. Email: khawarb@khawarb.97 and 10.98 to be able to use either MSN IM or Yahoo IM. Allow this relationship to come up thru ASA from either side. Also. set the maximum number of half-open connections to this Web server to 200. R1 should be seen as itself on the outside of the ASA. Task 9 A BGP neighbor relationship has been configured between R1 and R2 in AS 1200.22. The neighbor relationship should be authenticated.netmetric-solutions. Task 8 Configure maximum number of incoming connections towards this Web server to 500. deny any web traffic that has the word CMD anywhere in the URL coming towards this server.22.CareerCert. Task 10 You don’t want any users on the inside of ASA-1 except for 10. Set the embryonic Timeout to 1 minute. Copyrights Netmetric Solutions 2006-2010 Website: http://www.22. They should be dropped.com.info The ASA-1 should not allow the MOVE and COPY Extensions to this server.22. Also.com Page 42 of 307 .www.

com.com Page 43 of 307 . Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert.netmetric-solutions. Task 2 Also configure Policing to control the traffic for the following Applications: Outbound Web Traffic (HTTP/HTTPS) – 256 kbps Outbound FTP Traffic – 128 Kbps Outbound SMTP Traffic – 128 kbps Outbound Telnet Traffic – LLQ Task 3 Traffic coming into the configured FTP and HTTP servers should be limited to 256 kbps. Email: khawarb@khawarb. Lab Objectives: Task 1 Voice Signaling (DSCP = af31) and Data (DSCP =ef) traffic should be sent out without any delay from ASA-1 towards the outside interface. Task 4 Do not use the Default Global Policy for this lab.info Lab 2.www.8 – QoS on the Firewall Before you Start This lab builds on the configuration of the previous lab. Configure LLQ on ASA-1 to allow for this.

com. Clear the reserved bits in any packets that have it set.info Lab 2.9 – TCP Normalization Before you Start This lab builds on the configuration of the previous lab. Email: khawarb@khawarb.www. and then allow the packet.netmetric-solutions. SSH and FTP traffic is either allowed or dropped based on the following criteria: If Checksum is not correct. the packet should be dropped. Drop any packets that have data in the Syn Packet. Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 44 of 307 . Lab Objectives: Task 1 Configure ASA-1 such that all Telnet. Allow packets whose data length exceeds the TCP Maximum segment size.CareerCert.

com Copyrights Netmetric Solutions 2006-2010 Website: http://www. Email: khawarb@khawarb.netmetric-solutions.com Page 45 of 307 .netmetric-solutions.0 Module 1: Firewalls – ASA/PIX/IOS Lab 3 – Security Contexts Netmetric Solutions http://www.www.com.CareerCert.info CCIE Security Lab Workbook Version 3.

0/24 VLAN 20 ASA1-C2 F 0/1.4 (.2 (.0/24 VLAN 30 F 0/0 (.22.11) 10.com Page 46 of 307 .0/24 VLAN 40 F 0/0 (.1.www.21) (Shared) ASA1-C1 F 0/0 (.info Lab 3 – Security Contexts Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.CareerCert.3 (.com. Email: khawarb@khawarb.0/24 VLAN 100 R4 10.2) F 0/0 (.3) R2 R3 Copyrights Netmetric Solutions 2006-2010 Website: http://www.1) 192.100.netmetric-solutions. Network Diagram 1.22.4 R1 F 0/0 (.44.11) F 0/1.4) F 0/1.44.21) 10.22.22.11) (Shared) F 0/0 (.

Configure ASA-C1 to allow the inside network access to the outside networks using Dynamic Translation. (Note: Delete any existing . Task 3 Configure two contexts on ASA-1.2 E 0/1.com. Configure them with configuration files ASA-C1.CareerCert.cfg files in flash before creating the context) Task 4 Configure Interfaces in Context ASA-C1 as follows: Interface E 0/0 E 0/1. Lab Objectives: Task 1 Configure both ASA’s for Multiple Contexts. and E 0/1.22. Name them ASA-C1 and ASA-C2.com Page 47 of 307 .44.cfg respectively on Flash. Task 2 Bring interface E0/0.22.21/24 10.3 Name Outside (Shared) Inside Security Level 0 100 IP Address 192.cfg and ASA-C2.11/24 10.100.22. Assign the appropriate ports in the appropriate VLANs for this Lab. Split E 0/1 into 3 sub-interfaces based on the Network diagram on ASA-1.1. Email: khawarb@khawarb.info Lab 3.11/24 Task 5 Configure Interfaces in Context ASA-C2 as follows: Interface E 0/0 E 0/1.69.22.11/24 10.4 Name Outside (Shared) Inside DMZ Security Level 0 100 50 IP Address 192.1.1.1 – Security Contexts on the ASA using Shared Interface Before you Start Load the Initial configuration files for all Routers and Switches used in this lab.44.100.100.1. Allocate the appropriate interface to the appropriate contexts based on the Network Diagram.21/24 Task 6 Enable NAT-control on ASA-C1.100.netmetric-solutions.51 – 192. Backup the NAT pool with a PAT Copyrights Netmetric Solutions 2006-2010 Website: http://www.www. Use a pool of 192.

3.3. Task 8 Configure Static Routes on ASA-C1 and ASA-C2 for all internal networks. Create a Static Translation for R4 as 192.70. Task 7 Configure ASA-C2 to allow the inside network access to the outside networks using Dynamic Translation. Also configure a default route on ASA-C1 and ASA-C2 towards R1.90.100. Backup the NAT pool with a PAT Pool using an IP Address of 192.1.www.100. Copyrights Netmetric Solutions 2006-2010 Website: http://www.100. Use a pool of 192. R3 – 10. Create a Static Translation for R3 as 192.89. (R2 – 10.2.CareerCert.info Pool using an IP Address of 192.1.netmetric-solutions.1.2.2 on the outside network.com.71 – 192.0/24).100.0/24.1.com Page 48 of 307 .100. R2 should be seen as 192.1.100.100. Email: khawarb@khawarb.4.3 as the Translated address on the Outside interface.1.1.

info Lab 3.12) 10.22. Network Diagram 1.11) R2 R3 Lab Objectives: Task 1 Configure ASA-2 to back up ASA-1 from the previous lab.22.2 – Configuring Active/Active Failover Before you Start Builds on the configuration of the previous Lab.com.44.netmetric-solutions.1/24 with a standby address of 10.22. Configure E 0/2 as the Failover Link. Task 2 Configure ASA-2 with the appropriate configuration to enable Failover.100. Assign the appropriate ports in the appropriate VLANs for this Lab.1.2 (.12) (. Email: khawarb@khawarb.11) (.com Page 49 of 307 . Assign it a name of FC.11) C1 (. Copyrights Netmetric Solutions 2006-2010 Website: http://www.5 R1 10.0/24 VLAN 100 (.100. Also assign it an active IP address of 10.22) (.0/24 VLAN 40 (.12) (.22.44.4) ASA-1 C2 ASA-2 (. Authenticate the Failover Control messages using a Key of cciesec.0/24 VLAN 20 (.100.100.www.21) C1 C2 R4 (.100.CareerCert.3) F 0/1.2.21) 10. This interface will be used to transmit Failover control messages.11) (.0/24 VLAN 30 (.2) (.1) 192.22) (.

100.11/24 10.101.22/24 10.101. Task 6 Configure Failover in such a way that C1 will try to become Active on ASA-1 and C2 will try to become Active on ASA-2.1.44.info Task 3 Re-Configure ASA-1 with the following Primary and Standby IP Addresses for ASA-C1: Interface E 0/0 E 0/1.22.22.22.netmetric-solutions.11/24 10. Email: khawarb@khawarb.44. Assign it a name of SFF.21/24 10.1.1.22. The SFF link should be used to replicate the Translations and State table from the Active to the Standby Firewall.22.3 Name Outside Inside Security Level 0 100 System IP 192.11/24 Standby IP 192.com.2/24 as the Standby address.22/24 Task 5 Configure E 0/3 with an IP Address of 10.100.CareerCert.21/24 Standby IP 192.12/24 10.22.1/24 as the Active Address and 10.www.22.4 Name Outside Inside DMZ Security Level 0 100 50 System IP 192.44.101.2 E 0/1.1.12/24 Task 4 Re-Configure ASA-1 with the following primary and standby IP address for ASA-C2 Interfaces as follows: Interface E 0/0 E 0/1.101.100.12/24 10. Copyrights Netmetric Solutions 2006-2010 Website: http://www.22.100.com Page 50 of 307 .44.

1) R1 F 0/1.0/24 VLAN 100 F 0/0 (. Lab Objectives: Copyrights Netmetric Solutions 2006-2010 Website: http://www.4) 10.1) 192.CareerCert.44.2 (.3 (.44.0/24 VLAN 22 ASA-2-C2 F0/3 192. Load the Initial configuration files for all Routers and Switches used in this lab.info Lab 3.12.com Page 51 of 307 . Load the Initial configuration files for all Routers and Switches used in this lab.netmetric-solutions.12.1.1.3) R2 R3 Before you Start Reload all the devices.10) ASA1 F 0/0 (.10) 192.1. Email: khawarb@khawarb.1.100.1) 192.0/24 VLAN 33 F 0/0 (.0/24 VLAN 13 F0/0 F0/2 ASA-2-C1 F0/1 192.2) F 0/0 (. Network Diagram 1.1.3 – Multi-Mode Transparent Firewall Before you Start Reload all the devices.0/24 VLAN 44 F 0/1 (.com.13.6 R4 F 0/0 (.13.www.0/24 VLAN 12 F 0/1.

SMTP.Cfg ASA-C1. DNS and TFTP. DNS and TFTP only.cfg Interfaces F F F F 0/0 0/1 0/2 0/3 Task 4 Configure Interfaces for MMTF-C1 based on the Network diagram as with either Inside or outside. Email: khawarb@khawarb.info Task 1 Configure ASA-2 in multi context mode. Task 5 Allow R1 and R2 to exchange RIP routes. Task 8 Configure Interfaces for MMTF-C2 based on the Network diagram as with either Inside or outside.CareerCert. HTTPS. Name them Admin. Task 3 Create three contexts on ASA-2. Task 9 Allow R1 and R3 to exchange OSPF routes.netmetric-solutions.com Page 52 of 307 . Task 10 Allow VLAN 33 to communicate to the outside networks for HTTP.10 /24.com.cfg ASA-C2. Configure the context with the following: Context Admin MMTF-C1 MMTF-C2 Config File Admin. MMTF-C1 and MMTF-C2. HTTPS.1.www. Task 7 Allow VLAN 22 and VLAN 12 to SSH into MMTF-C1 for management. Task 6 Allow VLAN 22 to communicate to the outside networks for HTTP. Copyrights Netmetric Solutions 2006-2010 Website: http://www. SMTP.12. Task 2 Configure the Switch to map over the Interfaces on ASA-2 to the proper VLANs. MMTF-C1 should have an IP Address of 192. It should be in Transparent Mode.

CareerCert. Copyrights Netmetric Solutions 2006-2010 Website: http://www.1.netmetric-solutions.com Page 53 of 307 .com.13.10 /24.info Task 11 Only allow R3 to Telnet into MMTF-C2 for management.www. Email: khawarb@khawarb. MMTF-C2 should have an IP Address of 192.

1.11.22.CareerCert.7 10.0/24 S 0/0.5) S 0/0.4 (.www.1.netmetric-solutions.22.4) 192.2 (.2) R4 S 0/0 (.0/24 VLAN 11 F 0/1 F 0/0 ASA-1 F 0/2 192. Network Diagram 1. Load the Initial configuration files for all Routers and Switches used in this lab. Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 54 of 307 .4 – Interface Redundancy Before you Start Reload all the devices.45.2) F 0/0 (.1) R1 F 0/0 (.0/24 VLAN 1 F 0/1 (.1.1.0/24 192.5) R5 Lab Objectives: Task 1 Configure the F 0/0 and F 0/1 as part of Redundant Interface 1 in that order.24.4) R2 S 0/0 (. Email: khawarb@khawarb.info Lab 3. Assign it a virtual mac-address of your choice.22.1) 10.11.com.0/24 VLAN 24 F 0/0 (.25.0/24 VLAN 22 F 0/3 192.

www.22.netmetric-solutions.com Page 55 of 307 .1.1.22.22.info Task 2 Configure ASA-1 with the following IP configuration for the Interfaces: Interface Redundant 1 F 0/2 F 0/3 Name Inside Outside-1 Outside-2 Security Level 100 0 0 IP Address 10.10/24 192. put Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert.24. Also. Email: khawarb@khawarb.10/24 192.com.10/24 Task 3 Configure the Switch to accommodate this configuration.

com. Task 2 If the link between R2 and R5 goes down. ASA-1 should use the backup default gateway to route the packets.netmetric-solutions. Copyrights Netmetric Solutions 2006-2010 Website: http://www.www.CareerCert.5 – Route Tracking using SLA Monitor Before you Start This Lab builds on the configuration of the previous lab. Lab Objectives: Task 1 Configure ASA-1 such that it uses R2 as its primary Default gateway and R4 as the backup default gateway. Set the timeout value to 1 second.info Lab 3. Send 3 packets every 3 seconds. Email: khawarb@khawarb.com Page 56 of 307 .

www.netmetric-solutions.0 Module 1: Firewalls – ASA/PIX/IOS Lab 4 – IOS Firewall – Basic Configurations Netmetric Solutions http://www.info CCIE Security Lab Workbook Version 3.com. Email: khawarb@khawarb.com Page 57 of 307 .CareerCert.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.

info Lab 4 – IOS Firewall – Basic Configurations Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.1.123.www.com.1) R1 192.1. Network Diagram 1.12.56 (.0/24 VLAN 56 F 0/0 (.2) 192.1.3) F 0/0.CareerCert. Syslog.3) 192.4 (.34. Email: khawarb@khawarb.com Page 58 of 307 . IEV.1.8 IDM.56.1) F 0/0 (.1.6) R5 R6 Copyrights Netmetric Solutions 2006-2010 Website: http://www.0/24 VLAN 12 F 0/0 (.25) 192.10.3) 192.4) R3 F 0/0.0/24 VLAN 10 F 0/1 (.2) R4 R2 S 0/0 (.0/24 F 0/0 (.netmetric-solutions. AAA and CA (.0/24 VLAN 34 F 0/0 (.2) R2 S 0/0 (.5) F 0/0 (.

10.10. Optimize CBAC throughput by configuring the number of buckets in a hash table to 2048.12.netmetric-solutions. DNS and ICMP traffic should be allowed back. Routing Traffic from R2.11 Allow incoming traffic to a SMTP server located at 192.www. All other commands should be blocked. Allow R2 to Telnet and SSH to R1. SMTP.1.10.10. Email: khawarb@khawarb. Use the following to define incoming traffic: Allow incoming traffic to a HTTP/HTTPS server located at 192.1 – Basic IOS Firewall Configurations Network Diagram 1.12 that are defined in the RFC 821 Section 4.com.13. Copyrights Netmetric Solutions 2006-2010 Website: http://www.1. SMTP.1.1. FTP. Task 4 R1 is seeing approximately 2000 simultaneous connections. Task 2 Only allow the SMTP commands coming into the SMTP Server located at 192. FTP. Task 3 Ensure only traffic from VLAN 10 to HTTP. DNS and ICMP is allowed to originate out of the network.com Page 59 of 307 .5. Allow incoming traffic to a Telnet server located at 192. Return traffic from VLAN 10 for outbound HTTP.2 Lab Objectives: Task 1 Configure a policy on R1 to control traffic coming in and going out of the network.info Lab 4.CareerCert.

it should delete the oldest 200 half-open connections. Email: khawarb@khawarb. Lab Objectives: Task 1 Configure R1 such that it does not allow more than 600 half-open connections. Task 2 If the number of connections in the last one minute exceeds 400.com Page 60 of 307 . If R1 has 600 half-open connections.info Lab 4. CBAC should delete the oldest connection to accommodate the new connection.www. Task 4 DNS lookups should be deleted after 20 seconds of inactivity.CareerCert. you should delete the oldest 100 half-open connections.2 – Tuning DoS Parameters Before you Start This Lab builds on the configuration of the previous lab. Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions. Task 5 If the number of half-open connections exceeds 75 for a single host.com. Task 3 CBAC should delete inactive tcp and udp connections. TCP connections should be deleted after 5 minutes of inactivity and UDP connections should be deleted after 2 minutes of inactivity.

www. Lab Objectives: Task 1 Do not send any alert messages to the console except for Telnet Alerts. Task 3 Disable Auditing for the outbound HTTP/HTTPS connection.com Page 61 of 307 .CareerCert.info Lab 4.netmetric-solutions. Email: khawarb@khawarb.com.3 – Enabling Auditing Before you Start This Lab builds on the configuration of the previous lab. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 2 Enable Auditing of connections for all connections.

0.1. Configure R1 to accomplish this. Before users from VLAN 10 are allowed to go out for Web access.Cisco.Netmetric-solutions.yyy.com Task 4 The following domains should always be allowed by R1: .75(Primary).0/24 networks.0. Lab Objectives: Task 1 Configure R1 such that when inside users access Web pages outside.76(Secondary).com .1.xxx. Task 2 There is a N2H2 server located 192.com Page 62 of 307 .10.0.10.Ccie.CareerCert.zzz.0. Email: khawarb@khawarb.com . they should only be able to download Java applets from 22. the router should consult the N2H2 server(s).com Copyrights Netmetric Solutions 2006-2010 Website: http://www. There is another N2H2 server located at 192. Task 3 The following domains should always be blocked by R1: .0/8 and 33.com .netmetric-solutions.4 – Java and URL Filtering Before you Start This Lab builds on the configuration of the previous lab.com .com.info Lab 4.www.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.12 and not for any SMTP traffic. Lab Objectives: Task 1 Users in VLAN 10 access Websites that are running on ports 8000.12 is running on ports 25 and 25000. 8080 – 85. Email: khawarb@khawarb. Allow CBAC to do inspection on these non-standard ports.netmetric-solutions.1. Configure it such that it inspects port 25000 only if the traffic is destined for 192.10. Allow CBAC to do inspection of SMTP on the non-standard port.10.5 – Port Mapping Before you Start This Lab builds on the configuration of the previous lab.com.com Page 63 of 307 .info Lab 4.1.CareerCert. Task 2 The SMTP Server running at 192.www.

Email: khawarb@khawarb.netmetric-solutions.com.com Page 64 of 307 .info CCIE Security Lab Workbook Version 3.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert.netmetric-solutions.0 Module 1: Firewalls – ASA/PIX/IOS Lab 5 – IOS Firewall – Advanced Configurations Netmetric Solutions http://www.www.

com Page 65 of 307 .1.0/24 VLAN 12 F 0/0 (.0/24 VLAN 56 F 0/0 (.12.2) 192. If you don’t have the current configuration of Lab 4.1.com.6) R5 R6 Copyrights Netmetric Solutions 2006-2010 Website: http://www. Email: khawarb@khawarb.1) F 0/0 (.4 (. IEV.25) 192.2) R4 R2 S 0/0 (.0/24 VLAN 34 F 0/0 (.3) 192.1.10.2) R2 S 0/0 (.5) F 0/0 (. then load the Final Configs for 4.www. AAA and CA (.56 (.0/24 VLAN 10 F 0/1 (. Syslog. Network Diagram 1.123.info Lab 5 – IOS Firewall – Advanced Configurations Before you Start This lab builds on the configuration of Lab 4.netmetric-solutions.5 for the DVD/CD for the devices used in this lab.8 IDM.3) 192.3) F 0/0.1.4) R3 F 0/0.CareerCert.1) R1 192.1.56.0/24 F 0/0 (.34.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 66 of 307 .info Lab 5.com.www. Task 3 Configure the Frame Cloud as the “INTERNET” Zone.netmetric-solutions.1 – ConfiguringDiagram 1. Task 2 Configure VLAN 34 as the “DMZ” Zone.2 Zone-based Firewall – Network Creation of Zones Lab Objectives: Task 1 Configure VLAN 56 as the “LOCAL” Zone. Task 4 Assign the appropriate Interfaces to the appropriate Zones.CareerCert. Email: khawarb@khawarb.

1.2 Zone-based Firewall – Network Configuring Traffic Policies for Inter-Zone Traffic Lab Objectives: Task 1 Configure the Zone Policy for traffic originating from Local Zone as follows: Allow DNS.netmetric-solutions. Email: khawarb@khawarb.CareerCert.info Lab 5. HTTP.50 to access a SMTP server 192.34.com.2 – ConfiguringDiagram 1.1.50 located on the DMZ zone Task 3 Configure the Zone Policy for traffic originating from the DMZ Zone as follows: Allow the SMTP server 192.com Page 67 of 307 . SMTP and ICMP traffic from Local to Internet Allow HTTP Access from the Local zone to all servers on the DMZ Zone Task 2 Configure the Zone Policy for traffic coming in from the Internet as follows: Allow Web Access to a server 192.50 located in the Local zone Copyrights Netmetric Solutions 2006-2010 Website: http://www.55 located on the DMZ zone Allow SMTP Access to a server 192.www. TFTP. FTP.1.34.34. HTTPS.1.56.

com Page 68 of 307 . the Firewall should stop deleting the half-open connections.1.2 Thresholds and Deep Packet Inspections Parameter-Map Lab Objectives: Task 1 Set the following DoS Protection parameters for the Web Server (defined in the previous lab) from Internet to DMZ Zone: When the number of Half-open connections hits 300. the Firewall should start deleting the connections When the number of Half-open connections drop to 200. Check with the websense server before allowing access to Internet Webpages for Local-->Internet Traffic. Task 2 Configure the SMTP Policy (Internet-->DMZ) for the configured SMTP Server as follows: Disallow e-mail's with a size greater than 500000 Set the tcp idle-time to 4 minutes Turn on the audit trail Task 3 A Websense server exists at 192. If the Websense server is down.netmetric-solutions. the web requests should be allowed to go out.111.34. Copyrights Netmetric Solutions 2006-2010 Website: http://www.com.info Lab 5. Email: khawarb@khawarb.www.CareerCert.3 – Configuring Parameter-Maps for DoS Network Diagram 1.

CareerCert.com Page 69 of 307 .com Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.info CCIE Security Lab Workbook Version 3.0 Module 2: Virtual Private Networks Lab 6 – IPSec LAN-to-LAN Tunnels – Basic Netmetric Solutions http://www.com. Email: khawarb@khawarb.netmetric-solutions.www.

22.1.11.1) R1 R2 F 0/0 (.22.0/24 VLAN 11 F 0/0 (.146.com Page 70 of 307 .4) R4 F 0/0.0/24 VLAN 122 F 0/0.10) ASA-1 F0/0 (.0/24 VLAN 12 10.10) F0/1(.1.0/24 VLAN 30 192.6) BB1 (.11.25) F 0/1 (.0/24 S 0/0 (.1 IDM.3 (.1.netmetric-solutions.20) R6 F 0/0 (. Syslog.22.10) 192.1.145.30.6) F 0/0 (.www. AAA and CA 10.3) 192.5 (.0/24 VLAN 5 R3 F 0/0 (.0/24 S 0/0 (. IEV.55.info Lab 6 – IPSec LAN-To-LAN Tunnels – Basic Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.1) F0/1 (.0/24 VLAN 10 (. Email: khawarb@khawarb.66.122.10) SW1 192.5) R5 (.6 (.111.25) 192.5) F 0/0 (.0/24 VLAN 66 VPN Client Copyrights Netmetric Solutions 2006-2010 Website: http://www.3) 192.4) S 0/0.1.4) S 0/0.134. Network Diagram 2.2 (.10) 192.1.1.0/24 S 0/0 (.4) 192.1 (.0/24 VLAN 111 ASA-2 F0/0 (.4) S 0/0.1.com.1.CareerCert.2) 192.

1.0 networks.CareerCert.1.0 and 192. Copyrights Netmetric Solutions 2006-2010 Website: http://www.66.0/24 and 192.1.1.0 segment has an application that is setting the DF-Bit on.30.1.netmetric-solutions.0.com Page 71 of 307 .1 – Router-Router IPSec Tunnel Lab Objectives: Task 1 Configure an IPSec Tunnel between the 192.30.info Lab 6.com.0. This command should be Interface Specific and should not affect any other tunnel that may be formed on other interfaces.www. Use the following settings for the Tunnel: ISAKMP Parameters o Authentication : Pre-shared o Group : 2 o Encryption : 3DES o Pre-Shared Key : cciesec IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Interesting Traffic o All IP traffic between 192. Email: khawarb@khawarb.0 Tunnel Endpoints o R6 S 0/0 to R3 S 0/0 Task 2 The 192.1.66.0 and 33. Configure R3 such that it fragments the IPSec traffic if it exceeds the MTU size of the interface.0 o All IP traffic between 192.66.30.

Email: khawarb@khawarb. Make sure the IPSec mode is for end-to-end tunnels.com Page 72 of 307 .netmetric-solutions. Secure the GRE tunnel by using a Key of 4545.5.com.CareerCert. Use EIGRP 45 to exchange the Loopback 45 between the 2 routers.0/24 as the tunnel network.4/24 R5 – Loopback 45 – 172.45. Configure the following ISAKMP and IPSec Policies: ISAKMP Parameters o Authentication : Pre-shared o Group : 2 o Encryption : 3DES IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Task 4 Do not create an ACL or a Crypto Map for this Lab. Task 3 Configure an IPSec to encrypt the traffic on the GRE Tunnel.4. Run EIGRP in AS 45 on the Tunnel.16. Use 172.16.2 – GRE/IPSec Using IPSec Profiles Before you Start This Lab builds on the configuration of the previous lab.16.www.info Lab 6.5/24 Task 2 Configure a GRE Tunnel between R4 and R5. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Lab Objectives: Task 1 Configure the following Loopbacks on R4 and R5: R4 – Loopback 45 – 172.

www.CareerCert.info

Lab 6.3 – Router-ASA IPSec Tunnel
Before you Start
This Lab builds on the configuration of the previous lab.

Lab Objectives:
Task 1 Configure a IPSec Tunnel to encrypt traffic from 10.44.44.0/24 on R4 to the 10.22.22.0/24 network behind ASA-1. Task 2 Use the following Parameters for the Tunnel between R4 and ASA-1: ISAKMP Parameters o Authentication : Pre-shared o Encryption : 3DES o Group : 2 o Pre-Shared Key : cciesec IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-SHA-HMAC Task 4 You are allowed to configure Static routes for this Lab.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 73 of 307

www.CareerCert.info

Lab 6.4 – Router-Router IPSec Tunnel Thru ASA
Before you Start
This Lab builds on the configuration of the previous lab.

Lab Objectives:
Task 1 Configure an IPSec Tunnel between the 192.1.66.0/24 and the 10.11.11.0/24 behind R1. R1 should be seen as 192.1.111.11 on the outside. Use the following settings for the Tunnel: ISAKMP Parameters o Authentication : Pre-shared o Group : 2 o Encryption : 3DES o Pre-Shared Key : cciesec IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Interesting Traffic o All IP traffic from 192.1.66.0 to 10.11.11.0 Tunnel Endpoints o R1 F 0/0 to R6 S 0/0 Task 2 Configure the Routers such that NAT-T is disabled. Task 3 Allow the appropriate entries in the ASA-1 inbound ACL to allow the IPSec to form. Task 4 You are allowed to configure Static routes to accomplish this Lab.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 74 of 307

www.CareerCert.info

Lab 6.5 – Multipoint GRE Tunnel
Before you Start
Load the initial configuration files from the DVD/CD for the devices used in this Lab. This lab covers the configuration of Multipoint GRE Tunnels. Network Diagram 2.2
R3

F0/0 (.3) 192.1.10.0/24 VLAN 10

F0/1 (.10)

ASA-1
F0/0 (.10) 192.1.12.0/24 VLAN 12

F 0/0 (.1)

F 0/0 (.2)

R1

R2

Lab Objectives:
Task 1 Configure the following Loopback interfaces: R1 – Interface Loopback 15 – 172.16.1.1/24 R2 – Interface Loopback 15 – 172.16.2.2/24 R3 – Interface Loopback 15 – 172.16.3.3/24 Task 2 Configure a MGRE tunnel to route traffic between the newly created Loopbacks using the following parameters: NHRP Parameters o NHRP ID – 123 o NHRP Authentication key – DMVPN o NHRP Hub – R3 Tunnel Parameters
Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 75 of 307

www.CareerCert.info

o IP address : 172.16.123.0/24 o IP MTU : 1416 o Tunnel Authentication Key : 123 Routing Protocol Parameters o EIGRP 123

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 76 of 307

www.CareerCert.info

CCIE Security Lab Workbook Version 3.0

Module 2:
Virtual Private Networks

Lab 7 – IPSec LAN-To-LAN Tunnels – Advanced

Netmetric Solutions
http://www.netmetric-solutions.com
Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 77 of 307

www.CareerCert.info

Lab 7 – IPSec LAN-To-LAN Tunnels – Advanced
Before you Start
Load the initial configuration files from the DVD/CD for the devices used in this Lab. Network Diagram 2.3

R1
10.22.22.0/24 VLAN 11 F 0/0 (.1)

F 0/1 (.10)

ASA-1
F 0/0 (.10) 192.1.22.0/24 VLAN 22 F 0/0 (.2)

R2
192.1.23.0/24

S 0/0.3 (.2) S 0/0.5 (.2) S 0/0.6 (.2) 192.1.25.0/24

R3

S 0/0.2(.3)

S 0/0 (.5) S 0/0.6(.3)

R5
192.1.36.0/24 192.1.26.0/24 S 0/0.3 (.6) S 0/0.2 (.6)

R6
F 0/0 (.6) 192.1.46.0/24 VLAN 46

F 0/0 (.4)

R4

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 78 of 307

R5 and R6 to encrypt traffic between the 4 new Loopback networks.3/24 172.16. R2 should be the NHRP Hub.netmetric-solutions.16.16.5/24 172.3.2.16. R3.5.1 – DMVPN Configurations Lab Objectives: Task 1 Configure the following Loopback interfaces: R2 R3 R5 R6 – – – – Interface Interface Interface Interface Loopback Loopback Loopback Loopback 15 15 15 15 – – – – 172.6.com.6/24 Task 2 Configure a DMVPN between R2.0/24 o IP MTU : 1416 o Tunnel Authentication Key : 100 o Tunnel Source: Loopback 0 Routing Protocol Parameters o EIGRP 100 ISAKMP Parameters o Authentication : Pre-shared o Encryption : 3DES o Pre-Shared Key : cciesec IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Copyrights Netmetric Solutions 2006-2010 Website: http://www. Use the following Configuration Parameters: NHRP Parameters o NHRP ID – 100 o NHRP Authentication key .com Page 79 of 307 .16.CareerCert. Email: khawarb@khawarb.www.info Lab 7.2/24 172.100.DMVPN Tunnel Parameters o IP address : 172.

info Lab 7. Configure R1 and R4 in such a manner that an alias cannot be created for the global address.14.14.www. Lab Objectives: Task 1 R1 and R4 are configured with Loopback 14 networks that are the same (10.1. Use the following parameters for the IPSec tunnel: Authentication type = Pre-shared Keys Hash = MD5 Diffie-Hellman = 2 IPSec Encryption = ESP-DES IPSec Authentication = ESP-MD5-HMAC Task 4 Configure the appropriate entries on the ASA-1 to allow the IPSec tunnel to be established.14. Task 2 R1 should be seen as 192.14. Task 5 You are allowed static routes to make this configuration work.0/24).168.0 network behind R4 into a range of Class C addresses (192.22. Task 3 Configure an IPSec Tunnel to encrypt traffic from the translated addresses on R1 and R4.CareerCert.0/24).0 network behind R1 into a range of Class C addresses (192.2 –IPSec Tunnels for Duplicate Subnets Before you Start This Lab builds on the configuration of the previous lab.11.com.44.0).168.com Page 80 of 307 . Translate the 10.14. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Translate the 10.netmetric-solutions.14.1 on the outside of ASA-1. Email: khawarb@khawarb.

com Page 81 of 307 .0/24.33.11/24 R3 – Loopback 13 – 172. Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions. Email: khawarb@khawarb. Configure the following Policies: ISAKMP Parameters o Authentication : Pre-shared o Group : 2 o Encryption : 3DES IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Task 3 The tunnel should provide redundancy wherever possible.16. Task 5 Allow the appropriate traffic on ASA-1. Lab Objectives: Task 1 Configure the following Loopbacks on R1 and R3: R1 – Loopback 13 – 172.3 – High Availability IPSec – Without HSRP Before you Start This Lab builds on the configuration of the previous lab.16. Task 4 “Dead Peer Detection” packets should be send by ISAKMP every 10 seconds.11.16.0/24 and 172.11. You are allowed to create static routes.com.CareerCert. Do not use multiple “Set peer” commands on R1.www.33.33/24 Task 2 Configure an IPSec to encrypt the traffic between 172.16.info Lab 7.

4 – High Availability IPSec – Using HSRP Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.0/24 VLAN 4 F 0/0 (.1.1.1) F 0/0 (.0 and 192.5) F 0/0 (.123.CareerCert.34.12 as the Standby address.4 192.125.4.www.125.3) S 0/0 (.4) F 0/0 (.4.1. Set the Priority for R1 as 105. Task 2 Configure a High Availability IPSec Tunnel to encrypt IP traffic between 192.info Lab 7. R1 should be the Active Router and R2 should be the Standby router. Use the following parameters: • Authentication type = Pre-shared Keys Copyrights Netmetric Solutions 2006-2010 Website: http://www.3) F 0/1 (.0/24 R2 192.1.1.4) R4 R1 R5 F 0/1 (. Network Diagram 2.0/24 VLAN 125 192.123.2) F 0/0 (.com Page 82 of 307 .1) S 0/0 (.2) R3 192. Use 192.netmetric-solutions.1.0/24 VLAN 123 Lab Objectives: Task 1 Configure HSRP between R1 and R2 on the outside Ethernet segment.0 networks. Email: khawarb@khawarb. Use HA as the name of the HSRP Group.1. Enable Reverse Route injection on R1 and R2 and configure them such that the “VPN Route” is injected into the routing table of R5.com.

info • • • • • Hash = MD5 Diffie-Hellman = 2 IPSec Encryption = ESP-3DES IPSec Authentication = ESP-MD5-HMAC Tunnel Endpoints = R4 to HSRP Virtual IP of R1 and R2. R2 and the R4 to send IKE Keepalive messages to and from one another every 10 seconds. Task 4 Run EIGRP in AS 200 between R1. Email: khawarb@khawarb.www. R2 and R5 to inject the VPN routes into R5.netmetric-solutions. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 5 Verify the Configuration by bringing down the F 0/0 interface of R1.com Page 83 of 307 .com.CareerCert. Task 3 Configure R1.

10) 192.4) R4 Copyrights Netmetric Solutions 2006-2010 Website: http://www.25.2) 192.3 R1 10.6) R6 F 0/0 (.0/24 192.6(.2 (.1.6) S 0/0.1) F 0/1 (.26.10) ASA-1 F 0/0 (.1. Network Diagram 2.5) S 0/0.23.2) S 0/0.0/24 VLAN 46 F 0/0 (.netmetric-solutions.22.com.2) S 0/0.3 (.22.www.CareerCert.1.1.5 (.3 (.3) S 0/0 (.info Lab 7.6) 192.3) R5 192.22. Email: khawarb@khawarb.1.36.0/24 R3 S 0/0.6 (.46.0/24 S 0/0.com Page 84 of 307 .1.0/24 VLAN 22 F 0/0 (.2(.0/24 S 0/0.5 – GET VPN Configuration Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.0/24 VLAN 11 F 0/0 (.2) R2 192.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.0. Use the Parameters listed for the Key server to configure the Devices. Use the following parameters for the KS ISAKMP Parameters o Authentication : Pre-shared o Encryption : 3DES o Pre-Shared Key : cciesec o Group : 2 IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC o SA Lifetime : 3600 Key Server Parameters o Identity Number : 100 o Interesting Traffic : Any traffic on the 172.0 major network. o Local Address : Loopback 0 Task 3 Configure R3 and R6 to use R2 as the Key Server.3/24 R6 – Interface Loopback 15 – 172.16.com Page 85 of 307 .16.6/24 Task 2 Configure R2 as the Key Server for your GET VPN to encrypt data between R3 and R6.www.3. Task 4 Advertise the loopbacks in your existing Routing protocol.CareerCert. Email: khawarb@khawarb. Use the most reliable interface.16.info Lab Objectives: Task 1 Configure the following Loopback interfaces: R3 – Interface Loopback 15 – 172.6.com.netmetric-solutions.

info Lab 7. Lab Objectives: Task 1 Configure the following Loopbacks on R4 and R5: R4 – Loopback 45 – 172. Configure the following Policies: ISAKMP Parameters o Authentication : Pre-shared o Group : 2 o Encryption : 3DES IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Task 3 Do not use the “Crypto ISAKMP key” command for this lab. Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com Page 86 of 307 .www.16. Task 4 You are allowed to create static routes.CareerCert.16.16.4/24 R5 – Loopback 45 – 172. Email: khawarb@khawarb.6 – IPSec LAN-to-LAN using ISAKMP Profiles Before you Start This Lab builds on the configuration of the previous lab.16.com.4.5.5/24 Task 2 Configure an IPSec to encrypt the traffic between 172.5.0/24 and 172.4.0/24.

www.info CCIE Security Lab Workbook Version 3.netmetric-solutions.com.netmetric-solutions.0 Module 2: Virtual Private Networks Lab 8 – EZVPN Configurations Netmetric Solutions http://www.com Page 87 of 307 . Email: khawarb@khawarb.CareerCert.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.

1 (. Network Diagram 2.com.1.11.1.4) 192.0/24 VLAN 30 .1.com Page 88 of 307 .info Lab 8 – EZVPN Configurations Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.55.0/24 VLAN 5 R3 F 0/0 (. Syslog.3) 192.5 IDM.10) F 0/0 (.0/24 VLAN 10 (.5) R5 (.4) S 0/0.1.22.5) F 0/0 (.25) F 0/1 (.10) F 0/0 (.30.5 (.3 (.1. Email: khawarb@khawarb.25 VPN Client Copyrights Netmetric Solutions 2006-2010 Website: http://www.11.www.0/24 S 0/0 (.15) SW1 192. AAA and CA 10.0/24 VLAN 111 F0/0.1) ASA-1 192.1) R1 10.3) 192.0/24 VLAN 11 F0/1 (.4) R4 S 0/0.111.22.CareerCert.134.0/24 S 0/0 (.145. IEV.netmetric-solutions.

0/24 networks.15.com Pool = EZP Split Tunneling = Only Encrypt the traffic for this that needs to go to 192.www. Use the previously configured Transform-set in the Dynamic Map.168.com Page 89 of 307 .55. Configure the Dynamic map such that the pool address will be advertised to SW1 using the configured routing protocol.1.50 Domain Name = NM.1. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 4 Configure an ISAKMP Client Group called EZC with the following parameters: Key = cciesec Dns address = 192.info Lab 8.168.201 thru 192.netmetric-solutions.0/24 and 10.55.49 WINS address = 192. Task 2 Configure the following ISAKMP and IPSec Policies: ISAKMP Parameters o Authentication : Pre-shared o Group : 2 o Encryption : 3DES IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Task 3 Configure a Pool called EZP.55.com.55. Task 5 Configure a Local Database of Users for Extended Authentication based on the following: Username : User1 Password: cisco Username : User2 Password: cisco Task 6 Configure a Dynamic Crypto Map. Email: khawarb@khawarb. Use 192.CareerCert.225 as the pool addresses.55. This pool will be assigned to EZVPN clients.15.1 – EZVPN Router-Router – Client Mode Lab Objectives: Task 1 Configure R5 as the EZVPN Server.1. Enable AAA on the router and configure network authorization based on the Local Database.

com. Task 8 Configure R3 as a EZVPN client using the following parameters: Mode : Client. Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert. Connect : Auto Group Name : EZC Key : cciesec Traffic : Network 10.1. Configure Extended Authentication to be done based on the Local Username database. Configure a Crypto map that uses the Dynamic Crypto Map to respond to client requests.33.145.netmetric-solutions.info Task 7 Configure crypto map authorization to be done based on the Local Client Group. Peer Address : 192.5.com Page 90 of 307 .33. Apply the Crypto map to the appropriate interface.www.0/24 (Loopback33) going outside of the S 0/0 interface. Email: khawarb@khawarb.

com Page 91 of 307 . Task 3 You are allowed to create static routes to accomplish this task. Lab Objectives: Task 1 Configure R5 as a EZVPN Server for R1.info Lab 8.netmetric-solutions.www.11. Email: khawarb@khawarb.com.1. Connect : Auto Group Name : EZN Key : cisco Traffic : Network 192. use the following parameters: Key = cisco Dns address = 192.5.145.1.CareerCert.50 Domain Name = NM.55. Copyrights Netmetric Solutions 2006-2010 Website: http://www.1.0/24 (Loopback11) going outside of the F 0/0 interface. Configure an ISAKMP Client Group called EZN for R1.com Task 2 Configure R1 as a EZVPN client using the following parameters: Mode : Network Extension Peer Address : 192.1.55.49 WINS address = 192.2 – EZVPN Router-Router – NetworkExtension Mode Before you Start This lab builds on the configuration of the previous lab.

0.1.0/8 and 55.201 thru 192.44. Create the following user in the local database: Username : cciewb Password : cciewb Task 2 Configure the following ISAKMP and IPSec Policies: ISAKMP Parameters o Authentication : Pre-shared o Group : 2 o Encryption : 3DES IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Task 3 Configure a Pool called EZP.com. Lab Objectives: Task 1 Configure R4 as the EZVPN Server. Email: khawarb@khawarb.44.0.www.0/8. Also configure a Domain name of NM.168.info Lab 8. Use 192. 44.com Page 92 of 307 .50 Domain Name = NM. This pool will be assigned to EZVPN clients. Use the previously configured Transform-set in the Dynamic Map.168.0. Copyrights Netmetric Solutions 2006-2010 Website: http://www.44.1.49 WINS address = 192.0/8 networks thru this tunnel.com Pool = EZP Task 5 Configure a Dynamic Crypto Map. Task 4 Configure an ISAKMP Client Group called EZS.netmetric-solutions.3 – EZVPN Router-Cisco VPN Client Before you Start This lab builds on the configuration of the previous lab.0.44.com. The clients using this group should only send traffic for the 33. Use the following parameters for the EZS group: Key = cciewb Dns address = 192.225 as the pool addresses.0. Enable AAA on the router and configure login authentication and network authorization based on the Local Database.0.CareerCert.

CareerCert.4 as the EZVPN Address. Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 93 of 307 .1. Configure a Crypto map that uses the Dynamic Crypto Map to respond to client requests.www. Connect to test the connection. Configure 192.netmetric-solutions. Email: khawarb@khawarb. Task 7 Configure the VPN client for the EZS group with a password of cciewb. Apply the Crypto map to the appropriate interface.134.info Task 6 Configure crypto map login authentication and authorization to be done based on the Local Client Group.com.

1 thru 192. This pool will be assigned to Remote Access clients.4 – EZVPN ASA to Router/VPN Client Before you Start Reload the Devices with the Initial configuration files for this section. Email: khawarb@khawarb.11.11. Configure the following ISAKMP and IPSec Policies: ISAKMP Parameters o Authentication : Pre-shared o Group : 2 o Encryption : 3DES IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Task 2 Configure a Pool called EZP. Task 4 Configure a couple a local users with the following attributes: Username : EZR5 – Password : cciewb Task 5 Configure a Remote Access Tunnel Group called EZC. Use a pre-shared key of cciesec.CareerCert.254 as the pool addresses.168. Assign IP addresses to this group from the EZP Local pool.info Lab 8. Authentication and Authorization for this group should be done using the Local Database. Task 6 Configure the ASA-1 such that all traffic going towards the 192.www.168.com Page 94 of 307 .0/24 is allowed to go out un-translated.netmetric-solutions. Task 3 Configure an internal group called EZ.168. Lab Objectives: Task 1 Configure ASA-1 as a Remote Access/EZVPN Server for Software and Hardware Clients. Task 7 Copyrights Netmetric Solutions 2006-2010 Website: http://www.11. Use 192. Configure the VPN idle timeout to 10 minutes.com.

com Page 95 of 307 .info Create a dynamic map to use the previously created IPSec transform set.netmetric-solutions.CareerCert.0/24 (Loopback55) going outside of the S 0/0 interface.www. Email: khawarb@khawarb.com. Connect : Auto Group Name : EZC Key : cciesec Traffic : Network 10.10. Task 9 You are allowed to configure Static routes to accomplish this task.55. Task 8 Configure R5 as a EZVPN client using the following parameters: Mode : Client.1.111.55. Peer Address : 192. Copyrights Netmetric Solutions 2006-2010 Website: http://www.

com.5 – IPSec Hairpinning with Easy VPN Before you Start This lab builds on the configuration of the previous lab. Task 4 You are allowed to configure Static routes to accomplish this task. Task 3 Configure the ASA-1 such that when R5 connects to ASA-1 as a EZVPN Client.CareerCert. Copyrights Netmetric Solutions 2006-2010 Website: http://www.1.0/24 networks. Lab Objectives: Task 1 Configure a LAN-to-LAN tunnel between ASA-1 and R3.1. it can also send encrypted traffic to 192.0 using the LAN-toLAN tunnel that is setup between ASA-1 and R3.22. Match the same on R3.0/24 and 192.info Lab 8.30.www.netmetric-solutions.30.com Page 96 of 307 . Email: khawarb@khawarb. Task 2 Use the already configured Transform-sets and ISAKMP policies on ASA1.22. Encrypt traffic from between the 10.

netmetric-solutions.info CCIE Security Lab Workbook Version 3.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 97 of 307 .netmetric-solutions.0 Module 2: Virtual Private Networks Lab 9 – IPSec Using CA Server Netmetric Solutions http://www.CareerCert. Email: khawarb@khawarb.www.com.

25 VPN Client Copyrights Netmetric Solutions 2006-2010 Website: http://www.145.5) R5 (.3) 192.25) F 0/1 (. Email: khawarb@khawarb. AAA and CA 10.1 (.0/24 VLAN 30 .22.netmetric-solutions.1.4) S 0/0.30.11.com Page 98 of 307 .0/24 VLAN 5 R3 F 0/0 (.55.5 (.0/24 VLAN 11 F0/1 (.0/24 VLAN 111 F0/0.5 IDM.10) F 0/0 (. IEV.0/24 S 0/0 (.15) SW1 192.3 (. Network Diagram 2.1.111.com.1.3) 192.1) R1 10.info Lab 9 – IPSec using CA Server Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab. Syslog.22.1.10) F 0/0 (.5) F 0/0 (.0/24 VLAN 10 (.4) 192.1.0/24 S 0/0 (.www.4) R4 S 0/0.134.11.CareerCert.1) ASA-1 192.

33.com.com Page 99 of 307 .NM.33. Keep redundancy in mind when pointing to the CA Server.netmetric-solutions.info Lab 9. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Configure R3 to request a certificate from R4. Task 3 Generate 512 Bit RSA keys on R3 and R5.33. Use the following parameters for the tunnel: Authentication type = RSA-SIG Hash = MD5 Diffie-Hellman = 2 Encryption = 3DES IPSec Encryption = ESP-3DES IPSec Authentication = ESP-MD5-HMAC Task 6 You are allowed to create static routes for this configuration.33.www.com. Configure R4 to be the CA Server to automatically grant certificates using the following parameters: RSA Key Size: 512 Bits Key Label: IOS-CA Any Passphrase: CCIESEC3 Encryption: 3DES Key Location: NVRAM Issuer Name: CN=IOS-CA.1 – Router-Router IPSec Tunnel Using CA Lab Objectives: Task 1 Assign R4 a domain name of NM.33/24 R5 – Loopback 55 – 10.55/24 Task 5 Configure an IPSec Tunnel to encrypt traffic between 10. Use CCIESEC3 as the recovery password.55. the IOS-based CA Server. Task 4 Configure the following Loopback addresses on R3 and R5: R3 – Loopback 33 – 10.CareerCert. Email: khawarb@khawarb. Also set the timezone and clock to the current timezone and time. Also set the timezone and clock to the current timezone and time.55.0 and 10.0 networks.com.55.55.com L=ND C=IN Task 2 Assign R3 and R5 a domain name of NM.

com.www. Also set the timezone and clock to the current timezone and time. the IOS-based CA Server. Configure R4 to be the CA Server to automatically grant certificates using the following parameters: RSA Key Size: 512 Bits Key Label: IOS-CA Any Passphrase: CCIESEC3 Encryption: 3DES Key Location: NVRAM Issuer Name: CN=IOS-CA. Configure R3 to request a certificate from R4.com.5.com L=ND C=IN Task 2 Assign R3 and R5 a domain name of NM.16. R3 should be the NHRP Hub. Task 3 Generate 512 Bit RSA keys on R3 and R5. Also set the timezone and clock to the current timezone and time.netmetric-solutions.DMVPN Tunnel Parameters Copyrights Netmetric Solutions 2006-2010 Website: http://www.16. Task 4 Configure the following Loopback interfaces: R3 – Interface Loopback 15 – 172.com. Keep redundancy in mind when pointing to the CA Server. Email: khawarb@khawarb.5/24 Task 5 Configure a DMVPN between R3 and R5 to encrypt traffic between the new Loopback networks.NM.2– DMVPN Using CA Before you Start Reload the Devices with the Initial configuration files for this section.com Page 100 of 307 .3. Lab Objectives: Task 1 Assign R4 a domain name of NM.CareerCert.3/24 R5 – Interface Loopback 15 – 172. Use CCIESEC3 as the recovery password. Use the following Configuration Parameters: NHRP Parameters o NHRP ID – 100 o NHRP Authentication key .info Lab 9.

Email: khawarb@khawarb.100.16.netmetric-solutions.com.0/24 o IP MTU : 1416 o Tunnel Authentication Key : 100 o Tunnel Source: Loopback 0 Routing Protocol Parameters o EIGRP 100 ISAKMP Parameters o Authentication : RSA-SIG o Encryption : 3DES o Group : 2 IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 101 of 307 .CareerCert.www.info o IP address : 172.

com.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.info CCIE Security Lab Workbook Version 3. Email: khawarb@khawarb.CareerCert.netmetric-solutions.netmetric-solutions.0 Module 2: Virtual Private Networks Lab 10 – SSL VPN Netmetric Solutions http://www.com Page 102 of 307 .www.

4) S 0/0.55.1.www.4) 192.22.3 (.1.5 (.30.134.5) F 0/0 (.25) F 0/1 (.25 VPN Client Copyrights Netmetric Solutions 2006-2010 Website: http://www.1.netmetric-solutions. Syslog.0/24 S 0/0 (.22.145.1.0/24 VLAN 5 R3 F 0/0 (.10) F 0/0 (.5) R5 (. IEV.5 IDM.11.10) F 0/0 (.1) R1 10. Email: khawarb@khawarb.1 (. Network Diagram 2.0/24 VLAN 10 (.11.0/24 VLAN 30 .15) SW1 192.com.3) 192.111.1) ASA-1 192.CareerCert.3) 192.info Lab 10 – SSL VPN Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.com Page 103 of 307 . AAA and CA 10.0/24 S 0/0 (.1.0/24 VLAN 11 F0/1 (.4) R4 S 0/0.0/24 VLAN 111 F0/0.

Group-Policy – W-VPN Task 5 Connect into the ASA-1 from the VPN Client to establish the connection.info Lab 10.www. Also configure the following attributes for this group: Port-forwarding – R1 – Local Port 25000 – Server – R1 – Port 23 Task 4 Configure a user called WVPNUSER with a password WVPNPASS. Task 3 Configure an internal User-group named W-VPN.com.netmetric-solutions. If a packet is received on the outside interface for port 80.1 – SSL VPN on the ASA – Basic Lab Objectives: Task 1 Enable the HTTP service on R1 and enable Telnet on it as well. Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 104 of 307 . Task 2 Enable Web VPN on ASA-1 on the outside interface. Email: khawarb@khawarb. it should be redirected to 443.CareerCert. Configure this group for Web VPN as the only tunneling protocol.

The user will specify the Pipe “|” as the username delimiter. Task 4 Connect into the ASA-1 from the VPN Client to establish the connection. Task 2 Configure R1 with a secret password of cisco.www.netmetric-solutions. Use port 11000 for secure POP3. All other web servers should be allowed.11.22.com Page 105 of 307 .22. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 3 Configure POP3 Support. Email: khawarb@khawarb.com and http://11.110.com. The POP3S is located at 10.2– SSL VPN on the ASA – Advanced Before you Start This Lab builds on the configuration of the previous lab.CareerCert. Lab Objectives: Task 1 Block the following URL for the W-VPN group: Filter – Block URL Access to http://NMConfidential.11.11.info Lab 10.

www.com Page 106 of 307 .info CCIE Security Lab Workbook Version 3.0 Module 2: Virtual Private Networks Lab 11 – QoS With IPSec Netmetric Solutions http://www.com.com Copyrights Netmetric Solutions 2006-2010 Website: http://www. Email: khawarb@khawarb.netmetric-solutions.netmetric-solutions.CareerCert.

11.10) 192.1) R1 F 0/0 (. Syslog.25) VPN Client Copyrights Netmetric Solutions 2006-2010 Website: http://www.6 IDM.0/24 S 0/0 (. Email: khawarb@khawarb.netmetric-solutions.22.66.5 (.www.1.1 (. AAA and CA 10.0/24 VLAN 111 ASA-2 F0/0.22.10) R2 F 0/0 (.4) S 0/0.25) F 0/1 (.0/24 VLAN 122 F 0/0.0/24 VLAN 66 (.122.1.0/24 VLAN 10 (.0/24 VLAN 12 F0/1(.6) 192.2) 10.111.1.11. IEV.2 (.6 (. Network Diagram 2.22.0/24 VLAN 11 F0/1 (.22.1) 10.10) ASA-1 F0/0(.com.6) R6 F 0/0 (.(.CareerCert.4) R4 F 0/0.146.10) 192.4) 192.1.info Lab 11 – QoS with IPSec Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.4) S 0/0.com Page 107 of 307 .

Use the following parameters for the IPSec tunnel: Authentication type = Pre-shared Keys Hash = MD5 IPSec Encryption = ESP-3DES IPSec Authentication = ESP-MD5-HMAC Task 2 R4 should allocate 25 percent of the bandwidth for encrypted traffic. The access list for the class map should have ESP traffic as interesting traffic.0.1 – Configuring QoS with IPSec – Router Lab Objectives: Task 1 Configure an IPSec Tunnel to encrypt traffic from the 44.0.0. The access list for the class map should have IP traffic from 66.0.0 network as interesting traffic.com. Task 3 R6 should allocate 256 kbps for encrypted traffic.0.0.com Page 108 of 307 .0 network to the 66.www.0.info Lab 11. Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert. The Frame Relay interfaces on the respectively routers should act as the Tunnel endpoints.0 network.0 network to 44. Email: khawarb@khawarb.0.netmetric-solutions.

com.netmetric-solutions.0.2 – Configuring QoS with IPSec – ASA Before you Start This lab builds on the configuration of the previous lab.info Lab 11.22. Lab Objectives: Task 1 Configure an IPSec Tunnel to encrypt traffic from the 44.CareerCert. Copyrights Netmetric Solutions 2006-2010 Website: http://www.www.0.0 networks behind ASA-2.0 network to the 10.22.0 and 22. Configure ASA-2 for LLQ for this IPSec tunnel. Email: khawarb@khawarb.0.com Page 109 of 307 .0. Use the following parameters for the IPSec tunnel: Authentication type = Pre-shared Keys Hash = SHA Group = 2 Encryption = 3des IPSec Encryption = ESP-3DES IPSec Authentication = ESP-SHA-HMAC Task 2 You would like to use LLQ for this LAN-to-LAN IPSec traffic from ASA-2 towards R4.

info CCIE Security Lab Workbook Version 3.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com.0 Module 3: Intrusion Prevention Systems (IPS) Lab 12 – IPS Sensor Configuration – Promiscuous Mode Netmetric Solutions http://www.com Page 110 of 307 .netmetric-solutions.www.CareerCert. Email: khawarb@khawarb.

Email: khawarb@khawarb.CareerCert.www.22.15) ASA-1 IPS Sensor F0/0 (.5) 192.22.1) R1 F 0/0 (.25) 10.22.1.11.11.1.10) C & C (. AAA and CA (.0/24 VLAN 55 VPN Client (.0/24 VLAN 10 F 0/1 (.6) R5 F 0/0 (.com Page 111 of 307 .com.1 IDM.0/24 VLAN 12 F 0/0 (. Syslog.0/24 VLAN 11 F0/1 (. Network Diagram 3.10) Monitoring 192.2) R2 S 0/0 (. IEV.info Lab 13 – IPS Sensor Configurations – 12 Promiscuous Mode Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.126.55.1) 10.netmetric-solutions.25) Copyrights Netmetric Solutions 2006-2010 Website: http://www.2) 192.1.0/24 S 0/0 (.

com.CareerCert. Email: khawarb@khawarb.info Lab 12. If RSPAN has to be configured. Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 112 of 307 . Task 2 The SPAN/RSPAN session should monitor any traffic that has been send into VLAN 12. configure 550 as the Remote SPAN VLAN.netmetric-solutions.www. Task 3 The destination of the SPAN/RSPAN session should be the First Monitoring interface on the IPS device.1 – Configuring SPAN/RSPAN Lab Objectives: Task 1 Configure SPAN/RSPAN on the appropriate switch.

1 Telnet – Enabled Allowed Hosts – 10.2 – Initial IPS Sensor Settings from CLI Before you Start This Lab builds on the configuration of the previous lab.11.25 Task 2 When users login into the IPS. Email: khawarb@khawarb. they should see the following message: Netmetric Authorized Users Only !!!.netmetric-solutions.11. Lab Objectives: Task 1 Configure the IPS Sensor with the following parameters: Hostname – IPS-WB IP Address – 10.11.11.11.info Lab 12. Please disconnect if you are not a Netmetric Administrator. Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 113 of 307 .15/24 Default Gateway – 10.www.CareerCert.11.com.

Email: khawarb@khawarb.info Lab 12.Viewer Username – NMOper – Password – ccie12353 Role – Operator Task 2 Configure the first sensing Interface on the IPS Sensor to Detect Attacks in promiscuous mode. Task 4 Change the severity level to High.3 – IPS Sensor in Promiscuous Mode Before you Start This Lab builds on the configuration of the previous lab. Task 5 Verify that the Signature is firing by pinging ASA-1 from R5.com Page 114 of 307 .netmetric-solutions.www. Lab Objectives: Task 1 Create the following users with the appropriate roles: Username – NMView – Password – ccie12353 Role . Task 3 Enable the ICMP Echo Request signature. Assign it to the Default Virtual Sensor.com. Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert.

com.4 – Blocking Using a Router Before you Start This Lab builds on the configuration of the previous lab. Task 3 Configure R2 as the Blocking device using the appropriate parameters.netmetric-solutions.com Page 115 of 307 . Task 5 Verify the creation of the ACL by pinging the outside interface of ASA-1 from R5. Also configure it with a enable secret password of cciesec.1. Lab Objectives: Task 1 Configure the Sensor to communicate to R2. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 2 Configure R2 with a Telnet password of cciesec.22. Email: khawarb@khawarb. Task 4 Configure the 2004 signature to block any device that fires the signature.info Lab 12.15 on the outside of the ASA-1. The Blocking ACL should be applied to the WAN interface.www.CareerCert. Sensor should be seen as 192.

www. Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert.5 – Rate-Limiting Using a Router Before you Start This Lab builds on the configuration of the previous lab. Email: khawarb@khawarb.netmetric-solutions. The signature should also produce an alert. Lab Objectives: Task 1 A device from VLAN 12 is trying to do an ICMP Smurf attack against your network.com. Configure the IPS Sensor to rate-limit this traffic on R2.info Lab 12. It should be done based on a limit of 10%.com Page 116 of 307 .

Task 3 Configure the Sensor to communicate to the ASA using SSH 3DES. Ping R1 from R2.CareerCert. Task 5 Translate R1 as 192.info Lab 12. Check the shun on ASA-1 Copyrights Netmetric Solutions 2006-2010 Website: http://www. Lab Objectives: Task 1 Configure SSH on the ASA.netmetric-solutions. Task 4 Configure the ASA as the Blocking device using the appropriate parameters.22. Allow ICMP destined towards R1 to test the Shun. Email: khawarb@khawarb.1.1 on the outside of ASA-1.com Page 117 of 307 .com. Task 2 Delete R2 as the blocking device.6 – Blocking Using a ASA Before you Start This Lab builds on the configuration of the previous lab.www. Configure a local username of IPS-WB with a password of IPS-WB. Allow the Sensor to connect to the ASA for SSH.

www.7 – Configuring Multiple Virtual Sensors – Promiscuous Mode Before you Start This Lab builds on the configuration of the previous lab. Task 3 Configure the following parameters for the 3 signatures in this Virtual Sensor: ICMP o o ICMP o o ICMP o o Echo Request Action – Produce Alert Severity – Medium Echo Reply Action – Produce Alert Severity – Medium Fragmented Packet Action – Produce Alert Severity – High Copyrights Netmetric Solutions 2006-2010 Website: http://www.info Lab 12.CareerCert.netmetric-solutions. Lab Objectives: Task 1 Configure SPAN/RSPAN to monitor VLAN 55. Assign the traffic that is received from VLAN 55 to this Virtual Sensor. Task 2 Configure a new Virtual Sensor VS1 using a Signature Definition (Sig1). Email: khawarb@khawarb.com Page 118 of 307 .com.

netmetric-solutions.www.com Page 119 of 307 .0 Module 3: Intrusion Prevention System (IPS) Lab 13 – IPS Sensor Configuration – Inline Mode Netmetric Solutions http://www. Email: khawarb@khawarb.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.info CCIE Security Lab Workbook Version 3.com.CareerCert.

com Page 120 of 307 . IEV.15) 10.1.2) 192.11.1.1.CareerCert. Syslog.com. Email: khawarb@khawarb.25) VPN Client Copyrights Netmetric Solutions 2006-2010 Website: http://www.10) ASA-1 F0/0 (.0/24 VLAN 15 IPS Sensor 192.2 IDM.10) 192.2) R2 F0/1 (. Network Diagram 3. AAA and CA R1 F 0/0(.22.1) (.11.25) 10.11.13.0/24 VLAN 12 F0/1 (.netmetric-solutions.13.www.0/24 VLAN 10 IPS Sensor C & C (.info Lab 13 – IPS Sensor Configurations – Inline Mode Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.0/24 VLAN 25 (.0/24 VLAN 22 F0/0 (.11.

11. Task 4 Test the inline pair by connecting into ASA-1 using Telnet from R1.11.11. Copyrights Netmetric Solutions 2006-2010 Website: http://www.11.15/24 Default Gateway – 10.10 Allowed Hosts – 10.www.1 – IPS Sensor in Inline Mode Lab Objectives: Task 1 Configure the IPS Sensor with the following parameters: Hostname – IPS-WB IP Address – 10.11.0/24 network to Telnet into it.11.netmetric-solutions.info Lab 13.11.com. Email: khawarb@khawarb.11. Task 3 Configure ASA-1 to allow the 10. Assign it to the Default Virtual Sensor.CareerCert.25 Task 2 Configure the first 2 interfaces on your IPS Sensor as an Inline pair to connect VLAN 10 and VLAN 12.com Page 121 of 307 .

info Lab 13. Produce Alert Severity – High Copyrights Netmetric Solutions 2006-2010 Website: http://www.www. Email: khawarb@khawarb.CareerCert. Lab Objectives: Task 1 Enable the ICMP Echo Request and ICMP Echo Reply Signatures in the Default Virtual Sensor.2 – Signature Tuning on IPS Sensor Before you Start This Lab builds on the configuration of the previous lab. Produce Alert Severity – Medium Echo Request Action – Deny Attacker Inline. Task 2 Configure the following parameters for the 2 signatures: ICMP o o ICMP o o Echo Reply Action – Deny Packet Inline .com.netmetric-solutions.com Page 122 of 307 .

info Lab 13. Email: khawarb@khawarb.CareerCert.com Page 123 of 307 . Task 2 Configure the ICMP Echo Reply Signature with the following threshold parameters: Summary Mode – Fire all Summary Threshold – 40 Global Summary Threshold – 100 Summary Interval – 45 seconds Summary Key – Source and Destination IP Address Copyrights Netmetric Solutions 2006-2010 Website: http://www.com. Lab Objectives: Task 1 Configure the ICMP Echo Request to fire after 20 occurrence from the Same source IP Address to the same Destination IP Address within the last 90 seconds.www.3 – Signature Firing – Throttle Parameters Before you Start This Lab builds on the configuration of the previous lab.netmetric-solutions.

info Lab 13.com. Email: khawarb@khawarb. Task 3 Configure the following parameters for the 3 signatures in this Virtual Sensor: ICMP o o ICMP o o ICMP o o Echo Request Action – Deny Packet Inline. Lab Objectives: Task 1 Configure the third sensing interface on the IPS Sensor as an Inline pair to connect VLAN 15 and VLAN 25. It should only have the Inline Pair that connects VLAN’s 15 and 25 to each other.4 – Configuring Multiple Virtual Sensors – Inline Mode Before you Start This Lab builds on the configuration of the previous lab.CareerCert. Produce Alert Severity – Medium Echo Reply Action – Deny Packet Inline. It should use Signature Definition 1.com Page 124 of 307 . Task 2 Configure a new Virtual Sensor VS1. Produce Alert Severity – High Copyrights Netmetric Solutions 2006-2010 Website: http://www. Produce Alert Severity – Medium Fragmented Packet Action – Deny Attacker Inline.netmetric-solutions.www.

netmetric-solutions. Email: khawarb@khawarb.com.www.com Page 125 of 307 .com Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert.netmetric-solutions.info CCIE Security Lab Workbook Version 3.0 Module 3: Intrusion Prevention System (IPS) Lab 14 – Custom Signatures Netmetric Solutions http://www.

1) (. IEV.25) VPN Client Copyrights Netmetric Solutions 2006-2010 Website: http://www.0/24 VLAN 15 IPS Sensor 192.11.com Page 126 of 307 .0/24 VLAN 22 F0/0 (.0/24 VLAN 10 IPS Sensor C & C (.25) 10.www.13.1.netmetric-solutions.10) ASA-1 F0/0 (. Email: khawarb@khawarb. Syslog.11.2) R2 F0/1 (.1.10) 192.11.1.com.15) 10.info Lab 14 – Custom Signatures Before you Start This lab in based on the Previous Lab 13.22. AAA and CA R1 F 0/0(.0/24 VLAN 12 F0/1 (.2 IDM.4 Network Diagram 3.CareerCert.2) 192.11.0/24 VLAN 25 (.13.

com. Task 7 Assign this signature to VS0 only. Copyrights Netmetric Solutions 2006-2010 Website: http://www. This should be done for the same victim address. Task 3 Make sure the alarm should be case-insensitive.netmetric-solutions. Email: khawarb@khawarb. Task 2 Fire an alarm is the traffic is directed to Telnet (23) or Telnet (3040). Task 5 Configure the Signature to change its response to a summary alert if the alert fires more than 5 times in 60 seconds. Task 4 The IPS Sensor should deny the Attacker Inline and also produce an alert.com Page 127 of 307 .CareerCert.1 – Configuring Custom Stream Signature Lab Objectives: Task 1 Configure a Custom stream signature called “CCIE” to detect traffic that contains the word “ccie”. a global summary should be sent. Task 6 If the alert fires more than 12 times.www.info Lab 14. Task 8 Telnet into ASA-1 from R1 to test this.

com Page 128 of 307 . Copyrights Netmetric Solutions 2006-2010 Website: http://www. Lab Objectives: Task 1 Configure a custom signature to fire on a single TCP packet.2 – Configuring Custom Packet Signature Before you Start This Lab builds on the configuration of the previous lab. Task 2 The Packet should Fire for when TCP packets are set with SYN flag set and ACK not set.info Lab 14.com.CareerCert. Email: khawarb@khawarb. Alarms should be generated for every occurrence.netmetric-solutions. Task 5 Assign this signature to the second Virtual Sensor only. Task 3 Configure the Signature with a Severity Level of High. Task 4 The IPS Sensor should deny the packet inline and also produce an alert.www.

com.com Page 129 of 307 . Lab Objectives: Task 1 Create a custom signature that fires when a HTTP packet is received with the word “attack” anywhere in the url.info Lab 14. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Email: khawarb@khawarb. Task 4 Assign this signature to the first Virtual Sensor only.www.CareerCert. Task 2 The packet should not be allowed to go thru and also produce an alert.netmetric-solutions.3 – Configuring Custom HTTP Signature Before you Start This Lab builds on the configuration of the previous lab. Task 3 Only fire the signature if 2 such packets are received in the last 90 seconds.

4 – Configuring Custom Meta Signature Before you Start This Lab builds on the configuration of the previous lab.com Page 130 of 307 .com.netmetric-solutions.CareerCert. Task 4 The component signatures should have fired within the last 2 minutes for the Custom signature to fire. Lab Objectives: Task 1 Create a custom signature that fires when a Nimda attack is occurring. Task 2 Nimda should trigger when the following built-in signatures fire: 5081 5124 5114 3215 3216 Task 3 Produce an alarm for the Custom signature.www. Email: khawarb@khawarb. Copyrights Netmetric Solutions 2006-2010 Website: http://www.info Lab 14. Task 5 Assign this signature to the first Virtual Sensor only.

netmetric-solutions.com. Task 3 Assign this signature to the first Virtual Sensor only. Before you Start This Lab builds on the configuration of the previous lab.info Lab 14.5 – Configuring Custom AIC Engine Sig. It should have a severity of High. Lab Objectives: Task 1 Configure a Custom Signature for HTTP Packets based on the AIC Engine. Copyrights Netmetric Solutions 2006-2010 Website: http://www.www.CareerCert. Email: khawarb@khawarb. Task 2 Use Signature ID of 60005 with the name of “AIC HTTP”. It should deny any packet inline and produce an alert that has a max-outstanding-request of 8.com Page 131 of 307 .

Email: khawarb@khawarb.com.com Page 132 of 307 .CareerCert.0 Module 3: Intrusion Prevention Systems (IPS) Lab 15 – Sensor Tuning Netmetric Solutions http://www.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.www.info CCIE Security Lab Workbook Version 3.netmetric-solutions.

11.0/24 VLAN 12 F0/1 (. IEV.2 IDM. Email: khawarb@khawarb.1.1.0/24 VLAN 25 (.1.15) 10.22.2) R2 F0/1 (.13.25) 10.0/24 VLAN 15 IPS Sensor 192.11.com Page 133 of 307 . Syslog.0/24 VLAN 10 IPS Sensor C & C (.10) 192.11.10) ASA-1 F0/0 (.25) VPN Client Copyrights Netmetric Solutions 2006-2010 Website: http://www. AAA and CA R1 F 0/0(.CareerCert. Network Diagram 3.11.1) (.info Lab 15 – IPS Sensor Tuning Before you Start This lab in based on the Previous Lab.com.0/24 VLAN 22 F0/0 (.netmetric-solutions.13.2) 192.www.

Task 2 Configure TCP reassembly for both Virtual Sensors such that TCP handshakes are required. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Email: khawarb@khawarb.CareerCert.info Lab 15.com Page 134 of 307 .netmetric-solutions. if a packet in a stream in missed.www.com. The Sensor should allow stream reassembly on a “best-effort” basis.1 – Configuring General Sensor Options Lab Objectives: Task 1 Configure the first Virtual Sensor to use IP reassembly using the Linux operating system.

2 – Configuring Event Overrides Before you Start This Lab builds on the configuration of the previous lab.30 – Mission Cirtical Task 2 Configure the Sensor such that it denies all packets and the attacker in the future if the Risk rating is between 95 and 100.netmetric-solutions.11.11. Email: khawarb@khawarb.11.www.info Lab 15. Lab Objectives: Task 1 Configure the following Target Value Ratings for a couple of devices in your network: IP Address: 10.CareerCert.11.25 – Mission Critical IP Address: 10. Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 135 of 307 .com.

50. Task 4 Don’t fire the 2004 alarm when the packet is coming in from R2 towards R1.1.13. Email: khawarb@khawarb.13. Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 136 of 307 .50. Lab Objectives: Task 1 Configure the Sensor such that it does not fire any alarms from the ASA (10.com. Task 3 Configure the “CCIE” attack such that it does not fire from the range 192.13.1-192.1.CareerCert. Task 2 Configure an event variable to create a range of 192.22.1.10).1 – 192.netmetric-solutions.3 – Configuring Event Filters Before you Start This Lab builds on the configuration of the previous lab.www.22.info Lab 15.1.13.

Copyrights Netmetric Solutions 2006-2010 Website: http://www. Send the traps to the following: Default Community – PublicRO Trap Destination IP Address – 10.25 Trap Destination Port Number – UDP/166 Trap Community .com. Email: khawarb@khawarb. Lab Objectives: Task 1 Configure SNMP on the Sensor for GET/SET SNMP commands using the following parameters: Read-only Community – PublicRO Read-write Community – PublicRW Sensor Contact – IPS-Admin Sensor Location – Sydney Sensor Protocol/Port – UDP/165 Task 2 Configure SNMP Traps for Fatal.com Page 137 of 307 .4 – Configuring SNMP Traps Before you Start This Lab builds on the configuration of the previous lab.www.netmetric-solutions.CareerCert. Error and Warnings.PublicRO Task 3 Configure the ICMP Echo Request Signature on both Virtual Sensors to also send a SNMP Trap as one of its actions.info Lab 15.11.11.

com.0 Module 3: Intrusion Prevention Systems (IPS) Lab 16 – Cisco IOS IPS Configurations Netmetric Solutions http://www.info CCIE Security Lab Workbook Version 3.www. Email: khawarb@khawarb.com Page 138 of 307 .com Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert.netmetric-solutions.netmetric-solutions.

3 IDM.1) 10.11.10) ASA-1 F0/0 (.1.11. AAA and CA (. Network Diagram 3.www. Syslog.com.22.22.com Page 139 of 307 .CareerCert.10) 192.5) R5 Copyrights Netmetric Solutions 2006-2010 Website: http://www.0/24 VLAN 11 F0/1 (.22.1.2) R2 192.1) R1 F 0/0 (.0/24 S 0/0 (. IEV.0/24 VLAN 12 F 0/0 (.2) S 0/0 (.info Lab 16 – Cisco IOS IPS Configurations Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.125. Email: khawarb@khawarb.25) 10.0/24 VLAN 10 F 0/1 (.netmetric-solutions.

www.sdf signature file. Task 3 Configure R2 to detect attacks coming into R2 from the Frame Cloud based on the newly created Signature file. Email: khawarb@khawarb.CareerCert.com Page 140 of 307 . Use MYIPS as the IPS name Rule name. Task 4 Enable SDEE notifications.netmetric-solutions.1 – Configuring IOS IPS – Basic Lab Objectives: Task 1 Configure R2 to merge the Built-in signatures with the Attack-drop. Allow 300 events to be stored in the buffer.com.sdf.info Lab 16. Task 2 The new signature file should be called MYSIF. Copyrights Netmetric Solutions 2006-2010 Website: http://www.

1.com.netmetric-solutions.com Page 141 of 307 .www. Task 3 Disable the Ping of Death signature on R2.2 – Configuring IOS IPS – Advanced Before you Start This Lab builds on the configuration of the previous lab. Task 2 R2 should not fire alarms 2000 and 2004 from a Host 200. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Lab Objectives: Task 1 The IPS rule set created should not fire alarms for any packets coming from R5.1.1.CareerCert.info Lab 16. Email: khawarb@khawarb.

CareerCert.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 142 of 307 .netmetric-solutions.www.netmetric-solutions.0 Module 4: Access Management Lab 17 – Configuring AAA Authentication for Management Access Netmetric Solutions http://www. Email: khawarb@khawarb.info CCIE Security Lab Workbook Version 3.com.

11.10) 192. IEV.1 IDM.22.0/24 VLAN 23 F 0/0 (.25) (.0/24 VLAN 22 F 0/0 (.netmetric-solutions. Network Diagram 4.1) 10.2) R2 F 0/1 (.16) F 0/1 (.0/24 VLAN 11 SW1 F0/1 (.1) 10.1. Syslog.www.22.23.10) ASA-1 F0/0 (.CareerCert.22.11.com Page 143 of 307 .0/24 VLAN 10 (.2) 192.com. AAA and CA (.15) SW3 R1 F 0/0 (.info Lab 17 – Configuring AAA Authentication For Management Access Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.3) R3 Copyrights Netmetric Solutions 2006-2010 Website: http://www.1. Email: khawarb@khawarb.

25 on the outside interface of the ASA.22.1 – Configuring AAA Clients on ACS Server Lab Objectives: Task 1 Translate the ACS server as 192.com Page 144 of 307 . Use TACACS+ as the authentication protocol. ACS Server sees the concentrator as 10. Allow RADIUS ports to this Server from the 192.11.10.www. Set the secret key to ccie-acs.netmetric-solutions. ACS Server sees ASA-1 as 10. ACS Server sees SW1 as 10. Copyrights Netmetric Solutions 2006-2010 Website: http://www.25.22. The Router’s should use their own specific key for the secret key. Use RADIUS as the authentication Protocol.11.15.22.22. Assign AAA Clients for R1 – R3 to this group. Use TACACS+ as the authentication protocol. Use TACACS+ as the authentication protocol. Task 2 Configure R1 as a client to the ACS Server.0 network. Email: khawarb@khawarb.11. Set the secret key to ccie-acs. ACS Server sees R1 as 11. Use RADIUS as the authentication protocol.info Lab 17.23. Task 5 Configure one entry on the ACS Server for R2 and R3. Task 7 Create a Network Device Group called Routers. Task 6 Configure the Concentrator as a client to the ACS Server.11. Set the secret key to ccie-acs. Set the secret key to ccie-acs. Task 4 Configure ASA-1 as a client to the ACS Server. Task 3 Configure SW1 as a client to the ACS Server.22. Set the secret key to ccie-acs.com.1.11.1.CareerCert.

Use the minimum number of lines in the NAR dialog box. The maximum number of simultaneous sessions should be limited to 5 to this group.CareerCert.com.www. Task 4 Create the following users and make them members of the FW-Admins group: Username – FWuser1 Password: fwuser1 Username – FWuser2 Password: fwuser2 Copyrights Netmetric Solutions 2006-2010 Website: http://www. Email: khawarb@khawarb. Lab Objectives: Task 1 Configure a group called R-Admins on the ACS server using the following parameters: The R-Admins group should be allowed to login Daily from 9:00 AM to 9:00 PM. This group should only be able to manage the ASA-1. This group should only be able to manage routers.info Lab 17. Task 2 Create the following users and make them members of the R-Admin group: Username – Ruser1 Password: ruser1 Username – Ruser2 Password: ruser2 Task 3 Configure a group called FW-Admins on the ACS server using the following parameters: The maximum number of simultaneous sessions should be limited to 2 for the users of this group.netmetric-solutions.com Page 145 of 307 .2 – Configuring User and Group Accounts on ACS Server Before you Start This lab builds on the configuration of the previous lab.

www. This group should only be able to manage Switch 1.com Page 146 of 307 . Email: khawarb@khawarb.info Task 5 Configure a group called SW-Admins on the ACS server using the following parameters: The maximum number of simultaneous sessions should be limited to 3 for the users of this group. Task 6 Create the following users and make them members of the SW-Admins group: Username – SWuser1 Password: swuser1 Username – SWuser2 Password: swuser2 Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.CareerCert.com.

Email: khawarb@khawarb. the router should fallback on the Local database for authentication. the router should fallback on the Local database for authentication. Task 6 Configure Telnet Authentication to be done based on the ACS server. Lab Objectives: Task 1 Configure R1 to communicate with the ACS server for authentication.info Lab 17. the router should fallback on the Local database for authentication. Create a user on the router called admin with a password of admin. Task 2 Configure Telnet Authentication to be done based on the ACS server. Copyrights Netmetric Solutions 2006-2010 Website: http://www.www. Task 4 Configure Telnet Authentication to be done based on the ACS server. Use the key and address defined in Lab 17.1. Create a user on the router called admin with a password of admin. If the ACS server is not available.netmetric-solutions.CareerCert. If the ACS server is not available. Task 3 Configure R2 to communicate with the ACS server for authentication. Create a user on the router called admin with a password of admin.com. Use the key and address defined in Lab 17. Disable authentication on the Console and Aux ports. Disable authentication on the Console and Aux ports.com Page 147 of 307 .1.3 – Configuring AAA Authentication on Routers and Switches Before you Start This lab builds on the configuration of the previous lab. If the ACS server is not available. Disable authentication on the Console and Aux ports. Task 5 Configure R3 to communicate with the ACS server for authentication. Use the key and address defined in Lab 17.1.

SW1 should fallback on the Local database for authentication.CareerCert.com Page 148 of 307 .info Task 7 Configure SW1 to communicate with the ACS server for authentication. If the ACS server is not available.com.www. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Create a user on the Switch called admin with a password of admin. Use the key and address defined in Lab 17.1. Disable authentication on the Console port.netmetric-solutions. Task 8 Configure Telnet Authentication to be done based on the ACS server. Email: khawarb@khawarb.

4 – Configuring AAA Authentication on PIX/ASA Before you Start This lab builds on the configuration of the previous lab. Configure SSH Authentication to be done based on the ACS server.netmetric-solutions. Task 3 Allow SSH from the 10.22. If the ACS server is not available.1. Email: khawarb@khawarb.CareerCert.www.11.22.0 subnet only.0 and 10.com.info Lab 17.com Page 149 of 307 . Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 2 Configure the ASA-1 for SSH.11. Use the key and address defined in Lab 17. the router should fallback on the Local database for authentication. Lab Objectives: Task 1 Configure ASA-1 to communicate with the ACS server for authentication. Create a user on ASA-1 called admin with a password of admin.

com Page 150 of 307 .www.0 Module 4: Access Management Lab 18 – Configuring AAA for Command Authorization Netmetric Solutions http://www.info CCIE Security Lab Workbook Version 3.com.netmetric-solutions.CareerCert.netmetric-solutions. Email: khawarb@khawarb.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.

info Lab 18 – Configuring AAA For Command Authorization Before you Start This lab builds on the successful completion of Lab 17.2) R2 F 0/1 (.22. Network Diagram 4.0/24 VLAN 23 F 0/0 (.com Page 151 of 307 .11.10) 192. Syslog.11.www.23.1.1 IDM.16) F 0/1 (.1. Email: khawarb@khawarb. ACS and CA (.10) ASA-1 F0/0 (.3) R3 Copyrights Netmetric Solutions 2006-2010 Website: http://www.1) 10.CareerCert.0/24 VLAN 10 (.netmetric-solutions.0/24 VLAN 22 F 0/0 (.com.22.22.15) SW3 R1 F 0/0 (.1) 10. IEV.25) (.0/24 VLAN 11 SW1 F0/1 (.2) 192.

Email: khawarb@khawarb.info Lab 18.www. Task 5 Configure Privilege Level 4 on SW 1 with the above commands.1 – Configuring AAA Command Authorization for Router’s/Switch’s Lab Objectives: Task 1 Configure Privilege Level 5 with the following commands on R1: Show ip interface brief Show ip route Enable Ip routing Configure Router Network Task 2 Configure a Command Authorization set for Routers using the following commands on the ACS Server: Show ip interface brief Show ip route Enable Ip routing Configure Router Network Task 3 Assign this Command Authorization set to Ruser2.CareerCert.com Page 152 of 307 .com. Ruser2 should only be allowed to issue these commands on R1. Task 4 Configure the Router to authorize Exec and Commands on Telnet connection based on the ACS server for R1. Task 6 Copyrights Netmetric Solutions 2006-2010 Website: http://www. Make sure no authorization is done on the Console Line.netmetric-solutions. Assign Ruser2 to privilege level 5 on the ACS Server. Ruser1 should be allowed to execute all commands.

Copyrights Netmetric Solutions 2006-2010 Website: http://www. SWuser2 should be restricted to Privilege Level 4 commands. Task 7 Configure the Switch to authorize Exec and Commands on Telnet connection based on the Local Database for Switch 1. Email: khawarb@khawarb. Make sure no authorization is done on the Console Line. Use the same command authorization set from before.netmetric-solutions.CareerCert.com.www.com Page 153 of 307 .info SWuser1 should be allowed to execute all commands.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.2 – Configuring AAA Command Authorization for ASA/PIX Before you Start This lab builds on the configuration of the previous lab. Configure Route Router Network Task 2 Configure a Command Authorization set for the ASA using the following commands: Show ip Enable Configure Exit Route Router Network Login Logout Task 3 Assign this Command Authorization set to FWuser2. Lab Objectives: Task 1 Configure the following commands for Privilege 5 on ASA-1. Task 4 FWuser1 should be allowed to execute all commands.com. FWuser2 should only be allowed to issue these commands on ASA-1.www.netmetric-solutions. Do not assign any specific commands under the User Configuration Screen.com Page 154 of 307 . Task 5 Enable mode authentication should also be done thru ACS.info Lab 18. Configure the ASA appropriately to authorize SSH connections based on the ACS Server.CareerCert. Email: khawarb@khawarb.

netmetric-solutions.www. Email: khawarb@khawarb.CareerCert.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 155 of 307 .netmetric-solutions.info CCIE Security Lab Workbook Version 3.0 Module 4: Access Management Lab 19 – Configuring AAA for Accounting Netmetric Solutions http://www.com.

0/24 VLAN 10 (.1.15) SW3 R1 F 0/0 (.22.1) 10.10) ASA-1 F0/0 (. IEV. Network Diagram 4.netmetric-solutions.0/24 VLAN 22 F 0/0 (.1 IDM.3) R3 Copyrights Netmetric Solutions 2006-2010 Website: http://www. AAA and CA (.0/24 VLAN 23 F 0/0 (.22.16) F 0/1 (.22. Email: khawarb@khawarb.25) (.2) 192.2) R2 F 0/1 (.CareerCert.www.23.11.0/24 VLAN 11 SW1 F0/1 (.info Lab 19 – Configuring AAA For Accounting Before you Start This lab builds on the successful completion of Lab 18.1.10) 192. Syslog.1) 10.11.com Page 156 of 307 .com.

com Page 157 of 307 . Task 4 Log only logins and logouts done into Switch1 thru Telnet.netmetric-solutions. All Command Logging should also be sent to the ACS Server. Copyrights Netmetric Solutions 2006-2010 Website: http://www.www.info Lab 19. Task 5 Send the logs to the ACS Server. Email: khawarb@khawarb.CareerCert.com. Task 3 Limit the command logging to Privilege Levels 5 and 15.1 – Configuring AAA Accounting for Router’s/Switch’s Lab Objectives: Task 1 Track all logins and logouts thru telnet into R1 to the ACS Server. Task 2 Log all commands typed by the users while logged in thru telnet.

www.CareerCert.info

Lab 19.2 – Configuring AAA Accounting for ASA/PIX
Before you Start
This lab builds on the configuration of the previous lab.

Lab Objectives:
Task 1 Log all Logins and Logout thru SSH into the ASA to the ACS Server. Task 2 Also log all commands typed by the user while connected via SSH. All commands should be sent to the ACS Server. Note: If you cannot log into ASA-1 thru console, SSH in from R1 as FWuser1 and issue the following commands: Aaa authentication serial console TAC Write Reload Once it reloads, you should be able to login from the console as FWuser1.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 158 of 307

www.CareerCert.info

Lab 19.3 – Configuring AAA Usage Quotas For Users
Before you Start
This lab builds on the configuration of the previous lab.

Lab Objectives:
Task 1 Create a Group called ExtClients. Task 2 Configure the following users on the ACS server. Make these users members of ExtClients. Username – Client1 Password – client1 Username – Client2 Password – client2 Task 3 Client 1 should be Limited to 20 hours of online time per week. He should not be able to split it into more than 5 sessions. Task 4 Client 2 should be Limited to 200 hours of online time total. He should not be able to have more than 4 session per week.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 159 of 307

www.CareerCert.info

CCIE Security Lab Workbook Version 3.0

Module 4:
Access Management

Lab 20 – Configuring Authentication Proxy & Downloadable ACLs

Netmetric Solutions
http://www.netmetric-solutions.com
Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 160 of 307

www.CareerCert.info

Lab 20 – Configuring Authentication Proxy & Downloadable ACLs
Before you Start
Load the initial configuration files from the DVD/CD for the devices used in this Lab. Network Diagram 4.1

IDM, IEV, Syslog, AAA and CA

(.25) (.16) F 0/1 (.1)

10.11.11.0/24 VLAN 10 (.15)

SW3 R1
F 0/0 (.1) 10.22.22.0/24 VLAN 11

SW1

F0/1 (.10)

ASA-1
F0/0 (.10)

192.1.22.0/24 VLAN 22 F 0/0 (.2)

R2
F 0/1 (.2) 192.1.23.0/24 VLAN 23

F 0/0 (.3)

R3

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 161 of 307

www.CareerCert.info

Lab 20.1 – Configuring Authentication Proxy on the Routers
Lab Objectives:
Task 1 You have the following servers located on VLAN 23: Web Server: SMTP Server: DNS Server: 192.1.23.101 192.1.23.102 192.1.23.103

Task 2 R1 wants to control who can access these servers from VLAN 10. Task 3 Configure R1 with Authentication Proxy to allow access to these server based on successful authentication only. Task 4 Authentication and Authorization should be done based on the ACS server located at 10.11.11.25 using TACACS+. Console should not get authenticated. Task 5 Once authenticated, the user should be able to access any of these 3 servers. Task 6 If the uses has been idle for 7 minutes, the user’s authentication credentials should be removed. Task 7 If a user tries to log in and fails for 3 times, he should be black listed and prevented from accessing the Server for 1 hour.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 162 of 307

www.CareerCert.info

Lab 20.2 – Configuring Authentication Proxy on ASA
Before you Start
This lab builds on the configuration of the previous lab.

Lab Objectives:
Task 1 Remove the Authentication Proxy from R1 F 0/1 interface. Configure ASA-1 to communicate to the ACS server located at 10.11.11.25 using TACACS+ as the authentication protocol. Configure the ACS to allow the PIX to act as AAA Client. They should use ccie-acs as the shared secret key. Task 2 Configure Authentication proxy on the ASA such that before allowing the following protocols to go out, the users must be authenticated for the following: TELNET TFTP FTP Task 3 Use 10.22.22.5 as the Virtual Telnet IP. Also configure the same address for Virtual HTTP. Task 4 Configure ACS with the following user accounts in the default group: Username – User-1 Password – user1 Username – User-2 Password – user2 Task 5 User-1 should be allowed to go out for Telnet and SMTP. User-2 should be allowed to go out for Telnet and FTP.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 163 of 307

There is a group of users that will need access to this Server. Email: khawarb@khawarb. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 6 Make sure that users get access to this application server even if the interface ACL does not allow access. Reconfigure the ACS to support this. Authentication should be done based on ACS Server.3 – Configuring Downloadable ACLs on ASA Before you Start This lab builds on the configuration of the previous lab. Create a group called CustomAPP. Task 5 The ACS Server should be configured with an ACL that will allow access to this Custom application server.netmetric-solutions. The ACL should be applied to the CustomAPP group. Create a couple of users with the following Username and passwords and make them members of the CustomAPP group: Username – Cuser1 Password – cuser1 Username – Cuser2 Password – cuser2 Task 3 Only allow access to this server based on successful authentication. Configure ACS server to use RADIUS as the authentication protocol with the same key.com.CareerCert.1.55.com Page 164 of 307 .www.info Lab 20. The Custom application uses TCP Port 25000.23. Task 4 Users can use the Virtual Telnet address created in the previous lab. Lab Objectives: Task 1 Remove the AAA configuration from the previous labs by typing the following commands: Clear configure aaa Clear configure aaa-server Task 2 There is a Custom application server located at 192.

Task 3 When the users login.www.4 – Configuring HTTP Authentication & Authorization on the Router Before you Start This lab builds on the configuration of the previous lab.com Page 165 of 307 . It should only allow HTTP Management from VLAN 10.info Lab 20. Email: khawarb@khawarb. Copyrights Netmetric Solutions 2006-2010 Website: http://www. . Task 4 Create the following users on the ACS Server: Username – R2-User1 Password: cisco Privilege: 15 Username – R2-User2 Password: cisco Privilege: 15 Task 5 Make sure there is no authentication or authorization done on the Aux. Console and Telnet lines.com. Lab Objectives: Task 1 Configure R1 to allow HTTP Management. they should be assigned the privilege level from the ACS Server.netmetric-solutions. Task 2 Authenticate and Authorize the users connecting into R1 for HTTP using the ACS server.CareerCert.

1.12.com.1.12.com.55 and 192. This user should have a password of ccie.1.1.netmetric-solutions. Lab Objectives: Task 1 You have a L2TP Access Concentrator (LAC) located on your network.57 as a backup.55 vpdn:l2tp-tunnel-password=CISCO Task 3 Configure the service-type for this connection to be outbound.12.56 and 192.CareerCert.cisco. Copyrights Netmetric Solutions 2006-2010 Website: http://www.www. in case the first 2 are down.12.1. It should have the following parameters for outbound connections: vpdn:tunnel-id=LACT vpdn:tunnel-type=l2tp vpdn:ip-addresses=192.12.5 – Configuring L2TP Access Concentrator (LAC) Features Before you Start This Lab builds on the configuration of the previous lab.57) on the network. there are another 2 LNS server (192.com Page 166 of 307 .12. Task 2 The LAC should get the information about the LNS from the RADIUS server.55 LNS. It is configured for allowing incoming connection using PPP. the LAC should connect to the L2TP Network Server(LNS).56 LNS Use 192. Configure RADIUS for the following: Load Balance between the 192.1. Based on the PPP client connections.12. You need to configure the RADIUS server to support this type of configuration for a user ccie. Email: khawarb@khawarb. Task 4 Besides the 192.info Lab 20.1.

Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 6 If the user is successfully authenticated. UDP and ICMP traffic. Task 2 Configure SW1 to Authenticate Telnet for login using the RADIUS server. Email: khawarb@khawarb. Lab Objectives: Task 1 Configure SW1 to communicate with the ACS Server.com. The Network Access profile should only allow requests from SW1 for user SW1-User1.com Page 167 of 307 .6 – Configuring Network Access Profiles with NAF Before you Start This Lab builds on the configuration of the previous lab. the ACS should download an ACL to allow this user access for all TCP.CareerCert.www. Task 3 Create the following users on the ACS Server: Username – SW1-User1 Password: cisco Username – SW1-User2 Password: cisco Task 4 Configure a Network access Profile (NAP).netmetric-solutions. Task 5 The profile should authenticate using the local ACS database.info Lab 20. Make sure that the Console and AUX port do not require authentication. Configure the SW1/ACS connection using the appropriate RADIUS Protocol and a key of radccie. It should use PAP and CHAP as the protocols.

Task 2 Configure SW1 to Authenticate Telnet for login using the RADIUS server.CareerCert. Email: khawarb@khawarb. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Lab Objectives: Task 1 Configure SW1 to communicate with the ACS Server. It should use PAP and CHAP as the protocols. the ACS should download an ACL to allow this user access for all TCP. Make sure that the Console and AUX port do not require authentication. Task 6 If the user is successfully authenticated. UDP and ICMP traffic.netmetric-solutions. The Network Access profile should only allow requests from SW1 for user SW1-User1. Configure the SW1/ACS connection using the appropriate RADIUS Protocol and a key of radccie.com.7 – Configuring LDAP on the ACS Server Before you Start This Lab builds on the configuration of the previous lab.info Lab 20.www. Task 3 Create the following users on the ACS Server: Username – SW1-User1 Password: cisco Username – SW1-User2 Password: cisco Task 4 Configure a Network access Profile (NAP).com Page 168 of 307 . Task 5 The profile should authenticate using the local ACS database.

65 and 81.netmetric-solutions. the device should be put in VLAN 802. Task 3 Enable the IETF RADIUS attributes.1x authentication.info Lab 20.1x authentication for Ports F 0/10 – 11 on Switch 1. Task 4 Configure a Group on the ACS Server called NAC.com Page 169 of 307 . Email: khawarb@khawarb. Task 2 If the user authenticates successfully.1X Lab Objectives: Task 1 Configure 802. it should be put in VLAN 333. Assign it a name of “VLAN802”.com. Make it a member of the NAC group.8 – Configuring L2 NAC Framework – 802.CareerCert. Create this VLAN on the switch. Task 5 Configure a user NAC with a password of 8021x. 64.www. Configure the group to notify the Switch that it should put the device in VLAN 802 upon successful authentication. If the user does not successfully authenticate or the user does support 802. Copyrights Netmetric Solutions 2006-2010 Website: http://www.

Task 5 Configure a ACL that will be used as a default interface ACL for the EAPoUDP ports using the following requirements: All Traffic destined for UDP / 21862 Requests from DHCP Clients towards the DHCP servers All Traffic destined for DNS requests HTTP access to a Patch Server located at 10.99 Task 6 Implement a EAPoUDP policy on ports F 0/15-17.com.www.11. configure DHCP Snooping for VLAN 10.9 – Configuring L2IP NAC Framework Lab Objectives: Task 1 Configure SW3 to communicate with the ACS Server. Task 3 Configure the Switch to send Framed-IP-Address RADIUS attribute in access-request or accounting-request packets.CareerCert. The Switch should authenticate. Email: khawarb@khawarb. Configure the SW3/ACS connection using the appropriate RADIUS Protocol and a key of radccie. Task 7 The Switch should wait for 2 minutes after a failed credential validation attempt before a new association can be retried. The DHCP Server is connected on Port F 0/11 on the switch. Also. authorize and account for EAPoUDP against the RADIUS server configured in the previous task.info Lab 20. Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 170 of 307 . Task 4 Enable IP Device Tracking on the Switch. Only allow the traffic from the Default ACL created in the previous task. Task 2 Configure NAC L2 IP on the switch. configure the switch to recognize and use vendor-specific attributes. Also.netmetric-solutions.11.

info Task 8 Configure a NAC L2 IP profile using the default template on the ACS Server.www.netmetric-solutions.com Page 171 of 307 .CareerCert. Change the defaults based on the following parameters: Required Condition Types Posture Validation Policies Assessment Result Configuration Cisco PA. Cisco Host CTA. Windows Result Healthy Checkup Transition Quarantine Infected Unknown Message Your Device is Healthy Your Decice needs Checkup Your Device is in Transition Your Device has been Quarantined Your Device is infected Your Device is in an Unknown state Task 9 The NAC L2 IP profile should be the top Profile in the list of Posture Validation profiles.com. Email: khawarb@khawarb. Task 10 Enable the default Authorization rules. Copyrights Netmetric Solutions 2006-2010 Website: http://www.

netmetric-solutions.netmetric-solutions.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 172 of 307 .www. Email: khawarb@khawarb.info CCIE Security Lab Workbook Version 3.0 Module 4: Access Management Lab 21 – Configuring Control Plane Security Netmetric Solutions http://www.CareerCert.com.

1) (.info Lab 21 – Configuring Control Plane Security Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.4) F 0/0 (.11. IEV.CareerCert.0/24 VLAN 23 F 0/0 (.www.3) F 0/0 (. AAA and CA (.10) ASA-1 F0/0 (.15) R1 F 0/0 (.0/24 VLAN 10 F 0/1 (.22.2) 192.25) 10.com.1.netmetric-solutions.com Page 173 of 307 . Syslog.1) 10.22.1. Email: khawarb@khawarb.2) R4 R2 F 0/1 (.11.10) 192.0/24 VLAN 11 SW1 F0/1 (.22.2 IDM.0/24 VLAN 22 F 0/0 (.23.5) R3 R5 Copyrights Netmetric Solutions 2006-2010 Website: http://www. Network Diagram 4.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.1. Do not configure this on SW1.X.202. Use a Key of 1 and a key-string of “cciesec3”.74.1.netmetric-solutions. Use a Key of 1 and a key-string of “cciesec3”. block the following networks from coming into R2: 199.info Lab 21.90.X.0/24 199.0/24 from R1. Task 2 Devices on VLAN 22 have been configured with EIGRP as the routing protocol.1 – Configuring Routing Protocol Security Network Diagram 1.1.1.CareerCert.1.0/24 199. Configure these devices such that they authenticate the updates from each other using the highest level of authentication.0/24 from the ASA.com Page 174 of 307 . Task 4 Mutual Route Redistribution has been pre-configured on the appropriate routers such that all routes from are reachable on all routers. Use a Key of 1 and a key-string of “cciesec3”. R2 is receiving several routes from the 199. block all even networks from coming into SW1. Using the minimum number of deny statement(s). Task 3 Devices on VLAN 23 have been configured with OSPF as the routing protocol.0/24 199.www.1.2 Lab Objectives: Task 1 Devices on VLAN 10 and VLAN 11 have been configured with RIP V2 as the routing protocol. Email: khawarb@khawarb. Configure these devices such that they authenticate the updates from each other using the highest level of authentication.218.com. Configure these devices such that they authenticate the updates from each other using the highest level of authentication.0/24 Task 5 SW1 is receiving several routes from the 200. Using the minimum number of deny statement(s).

30. Email: khawarb@khawarb.11.com.2 – Configuring CP Policing Before you Start This Lab builds on the configuration of the previous lab.www.11.netmetric-solutions.CareerCert. Lab Objectives: Task 1 R3 has been configured to allow telnet access for management purposes.com Page 175 of 307 .info Lab 21.11. Task 2 This policy should not apply to traffic originating from hosts 10.11. Copyrights Netmetric Solutions 2006-2010 Website: http://www. control the rate of Telnet traffic to 64000 bps. Using Control Plane Policing.25 and 10.

com Page 176 of 307 .www.3 – Configuring CP Protection Before you Start This Lab builds on the configuration of the previous lab.info Lab 21.CareerCert. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Lab Objectives: Task 1 Configure R5 with a port-filter to drop all traffic destined to a closed or non-listened port except for a custom port 11223 Task 2 Configure a queue-threshold on R3 such that it set’s the queue depth for HTTP and Telnet traffic to 75 and all other protocols to 200. Email: khawarb@khawarb.com.netmetric-solutions.

netmetric-solutions.com.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.info CCIE Security Lab Workbook Version 3.com Page 177 of 307 .CareerCert.www.netmetric-solutions. Email: khawarb@khawarb.0 Module 5: Network and Switch Security using IOS Features Lab 22 – IOS Access Control Lists Netmetric Solutions http://www.

Network Diagram 5.1. Syslog. Email: khawarb@khawarb.1) 10.1.10) ASA-1 F0/0 (.netmetric-solutions.22.1 IDM.0/24 VLAN 11 SW1 F0/1 (.0/24 VLAN 22 F 0/0 (.10) 192.0/24 VLAN 10 F 0/1 (.CareerCert.22.com.3) R3 Copyrights Netmetric Solutions 2006-2010 Website: http://www.2) R2 F 0/1 (. IEV.11.0/24 VLAN 23 F 0/0 (.25) 10.1) (.www.2) 192.15) R1 F 0/0 (.22.com Page 178 of 307 . AAA and CA (.23.11.info Lab 22 – IOS Access Control Lists Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.

25 is a Web and DNS Server.22.2 – Time Based ACL Lab Objectives: Task 1 The device at 10. ASA-1 should translate this server as 192.CareerCert.11.www. Task 5 Configure an ACL on R2 that denies access to this server during the maintenance times coming in thru F 0/1 interface. Task 2 This server will be going down for maintenance from 10:00 PM – 11:30 PM from Monday – Friday.netmetric-solutions. Copyrights Netmetric Solutions 2006-2010 Website: http://www.1. It should allow Web and DNS traffic to it. Configure a Time-range that specifies the Maintenance Schedule on R2. It will also go down for maintenance from 8:00 PM to 11:00 PM on Saturday and Sunday.1Network Diagram 1. Access should be allowed at all other times.info Lab 22.11. Email: khawarb@khawarb.com.25 on the outside interface. Task 4 Configure the clock on R2 to the current time.com Page 179 of 307 . Task 3 This time range should be activated from the first of next month and should remain in effect till the end of the year.

11.11.CareerCert.15 DNS Traffic destined to 10.com Page 180 of 307 . UDP and ICMP traffic from VLAN 10 should be allowed to go out of the F 0/0 interface and return.25.com.25 Telnet Traffic destined to 10. Copyrights Netmetric Solutions 2006-2010 Website: http://www.www.11.11.11.11.2 – Reflexive ACL Before you Start This Lab builds on the configuration of the previous lab.netmetric-solutions. Task 2 Only allow the following traffic to come into R1 F 0/0 that is initiated from the outside: Web Traffic destined to 10. Lab Objectives: Task 1 Configure R1 such that all TCP. Email: khawarb@khawarb.info Lab 22.

Email: khawarb@khawarb.22. Task 2 Create a username called dacl with a password of dacl on R1.1. Set the idle timeout for the dynamically created entry to 2 minutes. Translate R1 as 192.0 network. The authentication will be done by establishing a Telnet session to the F 0/0 interface.www. Allow telnet access to this IP on ASA-1 for both the standard and non-standard telnet port. Task 3 Allow the administrator to Telnet into R1 for management by connecting to port 3065.11. Lab Objectives: Task 1 Configure R1 such that it allows access to 10.info Lab 22.com. Enable Vty lines 0 3 for allowing users to authenticate and creating the entry.11. If the Telnet session is successful. Copyrights Netmetric Solutions 2006-2010 Website: http://www.11. it should allow the host to access the 10.0 for any TCP-based application servers based on successful authentication. Task 4 Telnet in from R2 to test the creation of the dynamic entry in the ACL.CareerCert. This should be allowed thru F 0/0 interface.1 on the outside of ASA-1.11.netmetric-solutions. Create a user called admin with a password of admin.3 – Dynamic ACL Before you Start This Lab builds on the configuration of the previous lab.com Page 181 of 307 .

Task 3 Use Strict RPF to prevent IP spoofing using network addresses from the internal networks.netmetric-solutions.www. Email: khawarb@khawarb.4 – Preventing IP Spoofing using ACL & RPF Before you Start This Lab builds on the configuration of the previous lab. Allow the default route to satisfy the route check.com.info Lab 22. Task 2 Also block any RFC 1918 address from the Class C address space.CareerCert.com Page 182 of 307 . Lab Objectives: Task 1 No Class A or Class B network traffic should be allowed coming in thru the F 0/1 interface on R2. Copyrights Netmetric Solutions 2006-2010 Website: http://www.

Email: khawarb@khawarb.0 Module 5: Network and Switch Security using IOS Features Lab 23 – IOS Services Netmetric Solutions http://www.com Page 183 of 307 .CareerCert.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.info CCIE Security Lab Workbook Version 3.www.netmetric-solutions.netmetric-solutions.com.

www.CareerCert.info

Lab 23 – IOS Services
Before you Start
Load the initial configuration files from the DVD/CD for the devices used in this Lab. Network Diagram 5.2

IDM, IEV, Syslog, AAA and CA

(.25)

10.11.11.0/24 VLAN 10

F 0/1 (.1)

R1
10.22.22.0/24 VLAN 12 F 0/0 (.1)

VLAN 12 (.15)

F 0/0 (.2)

R2 SW1
S 0/0 (.2) 192.1.123.0/24

F 0/0 (.2)

R2
S 0/0 (.3)

R4
10.44.44.0/24 VLAN 34 F 0/0.4 (.3)

R3
F 0/0.56 (.3) 192.1.56.0/24 VLAN 56

F 0/0 (.5)

F 0/0 (.6)

R5 R6

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 184 of 307

www.CareerCert.info

Lab 23.1 – Configuring NAT on Routers Network Diagram 1.2
Lab Objectives:
Task 1 Configure NAT on R2 such that networks 10.11.11.0/24 and 10.22.22.0/24 networks can go out using a pool of Public address 199.1.1.4 – 199.1.1.254. Task 2 Configure the following static mapping on R2: R1 – Real IP – 10.22.22.1 Public IP – 199.1.1.1 ACS – Real IP – 10.11.11.25 Public IP – 199.1.1.2 Switch 1 – Real IP – 10.22.22.15 Public IP – 199.1.1.3 Task 3 Configure R3 such that the 10.44.44.0/24 can go out using the S 0/0 interface of R3 as the public IP. Configure it such that all the hosts on Network 10.44.44.0/24 use the same IP on the outside. Task 4 Configure R3 for NAT in such a way that if a request comes into R3 S 0/0 for 23, it should be redirected towards 10.44.44.4. Additionally, if a request comes into R3 S 0/0 for 80, it should be redirected towards 10.44.44.45. This is a web server that will be deployed in the future.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 185 of 307

www.CareerCert.info

Lab 23.2 – Configuring IP TCP Intercept
Before you Start
This Lab builds on the configuration of the previous lab.

Lab Objectives:
Task 1 The Web Server at 192.1.56.55 is getting overwhelmed by syn-attacks. R3 should watch the traffic and if it does not complete the TCP handshake in 20 seconds, it should drop the packets. Task 2 R3 should start deleting half open connection to this server if the number reaches 1000. It should stop deleting half open connection if they reach 800. Set the same parameters for the connection made in the last minute.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 186 of 307

www.CareerCert.info

Lab 23.3 – Configuring NTP
Before you Start
This Lab builds on the configuration of the previous lab.

Lab Objectives:
Task 1 Configure R2 as a NTP Master with a stratum of 2. It should authenticate the clients using a key id of 235. The Key string should be ccie12353. R2 is in Los Angeles. Configure the appropriate Time Zone setting. Task 2 Configure R3 to receive its clock from R1. R3 is in Dubai. Configure R3 such that it automatically adjusts the clock based on the time zone Task 3 Configure R5 to receive its clock from R3. R5 is located in Singapore. Do not use the NTP Server command to receive the clock. Do not configure any commands under the interface to accomplish this task.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 187 of 307

www.CareerCert.info

Lab 23.4 – Disabling Unnecessary Services on the Router
Before you Start
This Lab builds on the configuration of the previous lab.

Lab Objectives:
Task 1 Disable the ability of R4 to act as a DHCP Server. Task 2 R4 should not send ICMP unreachable messages if it cannot route packets to a particular host or network. Disable it on the E 0/0 interface. Task 3 Disable the Finger service Task 4 Disable all services that are running on ports 19 and lower on R4.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 188 of 307

www.CareerCert.info

CCIE Security Lab Workbook Version 3.0

Module 5:
Network and Switch Security using IOS Features

Lab 24 – Implementing QoS for Traffic Control and Congestion Management

Netmetric Solutions
http://www.netmetric-solutions.com
Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 189 of 307

5) F 0/0 (.2) 192.22.com.44.25) 10. Syslog.11.0/24 VLAN 56 F 0/0 (.1) VLAN 12 (. AAA and CA (.56.netmetric-solutions.2) R2 SW1 S 0/0 (. Network Diagram 5.com Page 190 of 307 .56 (.4 (. IEV.CareerCert.2) R2 S 0/0 (.0/24 F 0/0 (.3) R3 F 0/0.0/24 VLAN 34 F 0/0. Email: khawarb@khawarb.15) F 0/0 (.2 IDM.0/24 VLAN 12 F 0/0 (.11.1) R1 10.123.3) R4 10.1.22.44.0/24 VLAN 10 F 0/1 (.info Lab 24 – Implementing QoS for Traffic Control and Congestion Management Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.www.6) R5 R6 Copyrights Netmetric Solutions 2006-2010 Website: http://www.1.3) 192.

netmetric-solutions.com Page 191 of 307 .2 Lab Objectives: Task 1 Configure R2 Serial 0/0 interface for CB-WFQ using the following requirement: HTTP and HTTPS traffic = 25% of the bandwidth SMTP traffic = 20% of the bandwidth Task 2 Configure R3 Serial 0/0 interface for CB-WFQ using the following requirement: Any traffic from R5 towards R1 = 25% of the bandwidth Any traffic from R4 towards R1 = 20% of the bandwidth HTTP traffic = 20% of the bandwidth Copyrights Netmetric Solutions 2006-2010 Website: http://www. Email: khawarb@khawarb.www.1 – Configuring CB-WFQ Network Diagram 1.com.info Lab 24.CareerCert.

info Lab 24.netmetric-solutions.com. Email: khawarb@khawarb.2 – Configuring LLQ Before you Start This Lab builds on the configuration of the previous lab.com Page 192 of 307 . Task 2 Configure R3’s existing Policy map for LLQ such that any traffic with an IP precedence of 5 will use LLQ with a bandwidth percent of 25%.CareerCert. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Lab Objectives: Task 1 Configure R2’s existing Policy map for LLQ such that Telnet traffic will use LLQ with a bandwidth percent of 20%.www.

com Page 193 of 307 .55.CareerCert.com.0 network going towards the frame segment using the following parameters: TFTP traffic should be limited to 400 kbps FTP traffic should be limited to 750 kbps Copyrights Netmetric Solutions 2006-2010 Website: http://www. FTP should be limited to 400 Kbps with a Normal burst of 16 KB and Excess burst of 24 KB.55. All other traffic should be limited to 144 Kbps with a Normal burst of 16 KB and Excess burst of 24 KB. Email: khawarb@khawarb. Lab Objectives: Task 1 You want to control the flow of traffic inbound and outbound on R5 E 0/0 using the following criteria: HTTP should be limited to 1 Mbps with a Normal burst of 16 KB and Excess burst of 24 KB.netmetric-solutions.info Lab 24.3 – Rate-Limiting Before you Start This Lab builds on the configuration of the previous lab.www. Task 2 Configure R3 for Rate Limiting for traffic originating from the 55.

CareerCert.0 Module 5: Network and Switch Security using IOS Features Lab 25 – Using NBAR Netmetric Solutions http://www.www. Email: khawarb@khawarb.netmetric-solutions.com Page 194 of 307 .info CCIE Security Lab Workbook Version 3.netmetric-solutions.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.com.

1.22. Network Diagram 5.6) R5 R6 Copyrights Netmetric Solutions 2006-2010 Website: http://www.11.com.22.2) 192.2 IDM.5) F 0/0 (.0/24 VLAN 56 F 0/0 (.15) F 0/0 (.1) VLAN 12 (.www. Email: khawarb@khawarb.3) R3 F 0/0.3) 192.1. IEV. Syslog.11.2) R2 SW1 S 0/0 (.com Page 195 of 307 .netmetric-solutions.0/24 F 0/0 (.3) R4 10.0/24 VLAN 12 F 0/0 (.CareerCert.4 (.2) R2 S 0/0 (.123.56.44.1) R1 10. AAA and CA (.info Lab 25 – Using NBAR Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.0/24 VLAN 10 F 0/1 (.0/24 VLAN 34 F 0/0.44.25) 10.56 (.

Email: khawarb@khawarb.netmetric-solutions.com” will be assigned at least 25% of the bandwidth.com” or “Netmetric-solutions.com Page 196 of 307 .CareerCert. Do not use any ACL’s to accomplish this task.2 Lab Objectives: Task 1 R2 has a Citrix server on the Ethernet segment. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 2 Also configure the policy such that HTTP traffic destined towards any url that contains “cisco.www.com.1 – Configuring CB-WFQ Network Diagram 1.info Lab 25. You would like to assign 20% of the bandwidth to Citrix server on the outbound traffic towards the frame cloud. Citrix Server is running on ports UDP 15000 and udp 15500 rather than its Standard ports.

should also use the LLQ with 10% of the bandwidth.com Page 197 of 307 . Email: khawarb@khawarb. Copyrights Netmetric Solutions 2006-2010 Website: http://www.www.netmetric-solutions. should be assigned to the LLQ.2 – Using NBAR for LLQ Before you Start This Lab builds on the configuration of the previous lab.com. Task 2 Also configure R3 such that any traffic destined to any SQLNet Server that uses a port number of 1530.CareerCert.info Lab 25. Configure it with 15% of the bandwidth.com” in the url. Lab Objectives: Task 1 Configure R3 such that if http traffic destined for any url that contains “khawarb.

com. Lab Objectives: Task 1 You need to discover all protocols that are running on the E 0/0 segments of R3.www. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Email: khawarb@khawarb.CareerCert.com Page 198 of 307 .netmetric-solutions.3 – Using NBAR for Traffic Analysis Before you Start This Lab builds on the configuration of the previous lab.info Lab 25. You should obtain statistics about the protocols like the number of input and output packets and the number of bytes.

Email: khawarb@khawarb.info CCIE Security Lab Workbook Version 3.com.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.0 Module 5: Network and Switch Security using IOS Features Lab 26 – Catalyst Switch Security Netmetric Solutions http://www.com Page 199 of 307 .netmetric-solutions.netmetric-solutions.www.CareerCert.

0/24 F 0/0 (.com.44.com Page 200 of 307 .2) R2 S 0/0 (.0/24 VLAN 34 F 0/0. R2 and Switch1 only. Email: khawarb@khawarb.56 (.1) VLAN 12 (.1.3) R3 F 0/0.0/24 VLAN 12 F 0/0 (. IEV.3) 192.info Lab 26 – Catalyst Switch Security Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.0/24 VLAN 56 F 0/0 (.CareerCert.56.11. AAA and CA (.netmetric-solutions.25) 10.2 IDM.44. Syslog.1.5) F 0/0 (.22.0/24 VLAN 10 F 0/1 (.1) R1 10.4 (.6) R5 R6 Copyrights Netmetric Solutions 2006-2010 Website: http://www.2) R2 SW1 S 0/0 (. Load the initial configuration for R1.2) 192.www.15) F 0/0 (. Although the rest of the devices are on the Diagram they are NOT used in the lab. Network Diagram 5.22.11.3) R4 10.123. This Lab covers Catalyst Switch Security.

Task 2 Configure the Switch for SSH Management. The authentication should be done based on the local database.22.22.22. Task 4 Configure the rest of the VTY lines to accept only Telnet connections.1 – ControllingDiagram 1.com as the domain name. Generate a RSA key such that it will use a separate key for encryption and a separate key for signatures. Task 3 Configure the VTY lines such that Lines 0 – 2 accepts SSH connections only.com Page 201 of 307 . SSH connections should be allowed from VLAN 11 and VLAN 12 only. Use Netmetric-solutions.2 Management Protocols Network Lab Objectives: Task 1 Configure Switch1 with an IP address of 10.netmetric-solutions.15 for interface VLAN 12.www. Create a user called admin with password of admin on SW1. Authentication should also be done based on the local database.0. Copyrights Netmetric Solutions 2006-2010 Website: http://www. The telnet connections should be limited to Port 3053 from network 10. Email: khawarb@khawarb.22.com.CareerCert.info Lab 26. Configure RIP V2 as the routing protocol on Switch1.

info Lab 26. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Do not configure an ACL to accomplish this. Enable Port security for these ports such that only 1 MAC address can be connected to them. They should be able to connect to other devices in the network. Lab Objectives: Task 1 Configure ports F 0/19 and F 0/20 as part of VLAN 12.www.CareerCert. If another port tries to connect to these ports they should be barred from connecting to the 2 file servers configured in the previous task. These 2 ports have a couple of File Servers connected to them respectively.com. These ports should not be able to communicate to each other.com Page 202 of 307 .netmetric-solutions.2 – Port Security Before you Start This Lab builds on the configuration of the previous lab. Email: khawarb@khawarb. Task 2 Configure Switch1 such that only R1 F0/0 and R2 F0/0 can connect to Ports F 0/1 and F 0/2 respectively. You would like to learn the MAC address dynamically. Task 3 Configure F 0/3 – F 0/6 in VLAN 12.

they should be disabled.www. Lab Objectives: Task 1 Configure ports F 0/1 – 6 on Switch 1 such that they transition immediately into forwarding state as soon as they come up.com.netmetric-solutions.3 – Configuring Spanning Tree Portfast Before you Start This Lab builds on the configuration of the previous lab.com Page 203 of 307 . Task 2 If a bpdu is received on any of these ports.CareerCert. Email: khawarb@khawarb. Copyrights Netmetric Solutions 2006-2010 Website: http://www.info Lab 26.

It should be enabled for VLAN 12.netmetric-solutions.4 – Enabling DHCP Snooping Before you Start This Lab builds on the configuration of the previous lab. It should maintain a MAC-IP database based on the Addresses assigned to DHCP Clients from DHCP Servers.com Page 204 of 307 . Email: khawarb@khawarb. Task 3 Make sure the switch only allows DHCP replies from port F 0/17 on Switch1.info Lab 26.www. Assign this port to VLAN 12.com. Task 2 The DHCP server resides on the F 0/17 on Switch1. Lab Objectives: Task 1 Configure DHCP Snooping on Switch1. Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert.

It should drop any violating packets. It should verify IP-MAC mappings against the DHCP Snooping Database. Lab Objectives: Task 1 Configure Switch1 such that it intercepts all packets received on untrusted ports.com Page 205 of 307 .info Lab 26.com.www. Task 2 It should be enabled on VLAN 12.CareerCert. Copyrights Netmetric Solutions 2006-2010 Website: http://www.5 – Dynamic ARP Inspection Before you Start This Lab builds on the configuration of the previous lab.netmetric-solutions. Email: khawarb@khawarb.

Task 3 The Switch should re-authenticate every 2 hours.6 – Configuring Dot 1X Authentication Before you Start This Lab builds on the configuration of the previous lab. This authentication should use CSACS located at 10. Copyrights Netmetric Solutions 2006-2010 Website: http://www.11.netmetric-solutions.www. Task 2 Unauthenticated users must go to guest VLAN 999. Note: Just configure the Switch. If the client does not have Dot1x capabilities.11.CareerCert.25 using “ccie12353” as the key.com Page 206 of 307 . they should also be put in VLAN 999. Email: khawarb@khawarb.info Lab 26.com. Lab Objectives: Task 1 The PCs that are connected or will be connected to Cat-1 ports F0/19 – 20 should get authenticated before they are allowed access to the network. I am NOT concerned with the ACS configuration in this lab.

info Lab 26.22.www.100.CareerCert. Task 2 Do not apply any access-list on any of the interfaces.2222 trying to attack VLAN 12. Hosts in VLAN 10 should not have access to a server located at 10. Only host 10.22. Block this MAC address from accessing any device on VLAN 12. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Lab Objectives: Task 1 Configure the following policy for VLAN 12.101. There is a Custom Application server located at 10.11.22.netmetric-solutions.7 – VLAN Access-Maps Before you Start This Lab builds on the configuration of the previous lab.22.com Page 207 of 307 . This application uses UDP port 50000. There is a MAC Address 0001.0012.25 should be able to access this application server.com. Email: khawarb@khawarb.11.

com Page 208 of 307 .www. Email: khawarb@khawarb.CareerCert.netmetric-solutions.netmetric-solutions.com.0 Module 6: Network Attacks Lab 27 – Blocking Attacks Using ACLs Netmetric Solutions http://www.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.info CCIE Security Lab Workbook Version 3.

2) R2 SW1 S 0/0 (. Syslog.0/24 VLAN 22 E 0/0 (.1.1 IDM.1.6) R5 R6 Copyrights Netmetric Solutions 2006-2010 Website: http://www.0/24 F 0/0 (.11.11. AAA and CA (.1.22.1.0/24 VLAN 14 F 0/0 (.www.2) R2 S 0/0 (.10) VLAN 22 (.10) ASA-1 192.com. Email: khawarb@khawarb.1) R4 192. Network Diagram 6.1) 192.CareerCert.1) R1 F 0/1 (.5) F 0/0 (.56.0/24 VLAN 10 E 0/1 (.15) F 0/0 (.0/24 VLAN 56 F 0/0 (.info Lab 27 – Blocking Attacks using ACLs Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.2) 192.25) 10. IEV.14.netmetric-solutions.com Page 209 of 307 .12.

Task 2 R2 is also receiving a bunch of fragmented packet destined for a web server located at 192.1.2Smurf & Fragment Network Diagram Attacks Lab Objectives: Task 1 R2 is experiencing a Fraggle and Smurf attack from the Frame Network.www. Protect R4 from being a Smurf and Fraggle victim from VLAN 14. You deem these packets to be attack packets. Protect R2 from being a Smurf and Fraggle reflector from the Frame Cloud. Block any packets that are destined to this server that are fragmented.CareerCert.com. You suspect to be a Smurf and Fraggle victim.com Page 210 of 307 .1.netmetric-solutions.30. Email: khawarb@khawarb. You suspect being used as a Smurf and Fraggle reflector.22.info Lab 27. Task 3 R4 is also under a Fraggle and Smurf attack from VLAN 14. Copyrights Netmetric Solutions 2006-2010 Website: http://www.1 – Blocking Fraggle.

2 – IP Spoofing Attacks Before you Start This Lab builds on the configuration of the previous lab. Do not use an ACL to accomplish this task.com. Multicast addresses.x). These packets are either using the RFC 1918 address space. Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert.x.com Page 211 of 307 . Lab Objectives: Task 1 R1 is receiving a lot of Spoofed packets from the Frame cloud.netmetric-solutions. These internal networks should not come in from the outside as source addresses.info Lab 27.x. Task 2 You have a set of public IP addresses on the inside network. Email: khawarb@khawarb. Block all these attacks using the minimum number of lines possible. Loopback addresses and experimental addresses (above 240.www.

info CCIE Security Lab Workbook Version 3.www.com Page 212 of 307 . Email: khawarb@khawarb.com.0 Module 6: Network Attacks Lab 28 – Mitigating Layer 2 Attacks Netmetric Solutions http://www.netmetric-solutions.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.CareerCert.

they are NOT used in the lab.14.1.0/24 VLAN 56 F 0/0 (.com Page 213 of 307 .1) 192. R2 and Switch1 only. Email: khawarb@khawarb.1) R1 F 0/1 (. Network Diagram 6.com.www.2) 192. AAA and CA (.0/24 VLAN 14 F 0/0 (.1.2) R2 S 0/0 (.10) VLAN 22 (. Load the initial configuration for R1.1 IDM. This Lab covers Catalyst Switch Security.1.15) F 0/0 (.0/24 F 0/0 (.CareerCert.1.56.info Lab 28 – Mitigating Layer 2 Attacks Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab. Syslog.11.0/24 VLAN 10 E 0/1 (.1) R4 192.0/24 VLAN 22 E 0/0 (. IEV.10) ASA-1 192. Although the rest of the devices are on the Diagram.22.12.netmetric-solutions.25) 10.5) F 0/0 (.6) R5 R6 Copyrights Netmetric Solutions 2006-2010 Website: http://www.11.2) R2 SW1 S 0/0 (.

Email: khawarb@khawarb.com Page 214 of 307 . Task 2 Users are complaining about temporarily losing connectivity to a server located on Port F 0/4 on Switch 2. Upon further investigation.2 Spoofing Attacks MAC Network Lab Objectives: Task 1 Switch2 is forwarding packets Destined to a specific device to all ports on the switch. Mitigate this attack by only allowing one MAC address on this port. Upon looking at the MAC Address table.1 – Mitigating Diagram 1. there is an entry for Port F 0/4 for the servers MAC address.www. you notice that your MAC Address table is full (CAM Table Overflow Attack). Mitigate this attack by Hard coding the MAC address of the Server (0001. If you check MAC address table after sometime. you notice that there is no entry for the Port F 0/4 in the MAC Address table but the MAC address of the server appears under port F 0/7.netmetric-solutions. This port is connected to an end device.1234) to F 0/4 on Switch 2. It has a bunch of MAC addresses connected to port F 0/3 on Switch 2. Copyrights Netmetric Solutions 2006-2010 Website: http://www.AB11. This goes happening intermittently throughout the day (MAC Spoofing Attack).info Lab 28. This MAC address should be learned Dynamically and copied into your configuration file.com.CareerCert. If a violation occurs. the port should be shutdown preventing this attack.

info Lab 28. Mitigate this attack by validating ARP responses on Switch 2. Task 3 Configure Switch 2 such that all the ARP replies are verified against the DHCP server dynamically assigned IP address. it shows a bunch of IP Addresses using the same MAC address (ARP Spoofing Attack). Task 2 The clients are assigned IP addresses based on a DHCP Server on port F 0/8 of Switch 2 which is in VLAN 35. Configure the Switch that this should be the only DHCP server to assign IP addresses in this VLAN.netmetric-solutions.com Page 215 of 307 . When you check the ARP table on hosts.www.2 – Mitigating ARP Spoofing Attacks Before you Start This Lab builds on the configuration of the previous lab. Email: khawarb@khawarb.CareerCert. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Users in this VLAN are complaining about losing access to the network.com. Lab Objectives: Task 1 Ports F 0/5 – 9 are in VLAN 35.

Copyrights Netmetric Solutions 2006-2010 Website: http://www. Ports F 0/10 – 11 and F 0/17 -18 are members of VLAN 78. they cannot to devices outside of their segment.3 – Mitigating Man-in-the-Middle Attacks Before you Start This Lab builds on the configuration of the previous lab. Port F 0/17 is connected to the DHCP Server for this VLAN. Task 2 Configure Switch 2 such that all the ARP replies are verified before allowing them to go out. you discover that ARP cache of the devices has an invalid MAC address for the IP address of the default Gateway (Man in the Middle Attack). Verify the Source-MAC Destination-MAC and IP addresses in the ARP packet. Email: khawarb@khawarb. Lab Objectives: Task 1 Users in VLAN 78 are experiencing similar type of symptoms like the users on VLAN 35.com.netmetric-solutions.com Page 216 of 307 .CareerCert.www.info Lab 28. Don’t check port F 0/17 and F 0/18 as they are connected to the DHCP Server and the Router. Although they are able to connect to devices within their own segment. Upon further investigation.

www.com Page 217 of 307 .com. Lab Objectives: Task 1 A couple of users have accessed devices in other VLAN bypassing Router Security. Mitigate this attack by making sure that end devices do not have the ability to establish trunking with the Switch. Upon further investigation. Task 2 This should be done on all ports that are part of VLAN 35 and VLAN 78. Email: khawarb@khawarb.netmetric-solutions.info Lab 28.4 – Preventing VLAN Hoping Attacks Before you Start This Lab builds on the configuration of the previous lab. Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert. you find out that the users have established a trunk port with the Switch (VLAN Hoping Attack).

netmetric-solutions.5 – Mitigating DHCP Attacks Before you Start This Lab builds on the configuration of the previous lab. Task 3 The DHCP Server is getting overwhelmed by the number of rogue DHCP requests it is receiving. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Lab Objectives: Task 1 You have installed a DHCP server on Port F 0/17 in VLAN 78 on Switch 2.com.www. Control the number of packets on un-trusted DHCP ports to 100 requests per second.com Page 218 of 307 .info Lab 28.CareerCert. But you find out the addresses given out to the Clients are not coming from this DHCP Server (Rogue DHCP Server). Task 2 Make sure that the only DHCP server in VLAN 78 is located at F 0/17 on Switch 2. Email: khawarb@khawarb.

com Copyrights Netmetric Solutions 2006-2010 Website: http://www.0 Module 6: Network Attacks Lab 29 – Mitigating DoS Attacks Netmetric Solutions http://www.www.CareerCert.com Page 219 of 307 .com.netmetric-solutions.info CCIE Security Lab Workbook Version 3.netmetric-solutions. Email: khawarb@khawarb.

1) R4 192.netmetric-solutions. Syslog.0/24 VLAN 22 E 0/0 (.2) 192.CareerCert.0/24 VLAN 56 F 0/0 (.1) R1 F 0/1 (. IEV.1. AAA and CA (.11.14.1. Email: khawarb@khawarb.www.com.1 IDM.10) VLAN 22 (.2) R2 SW1 S 0/0 (.1.12.22.0/24 F 0/0 (.5) F 0/0 (.10) ASA-1 192.0/24 VLAN 14 F 0/0 (.1.com Page 220 of 307 .0/24 VLAN 10 E 0/1 (.11.56.info Lab 29 – Mitigating DoS Attacks Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.25) 10.2) R2 S 0/0 (.6) R5 R6 Copyrights Netmetric Solutions 2006-2010 Website: http://www. Network Diagram 6.15) F 0/0 (.1) 192.

www.1 – Mitigating DoS Attacks Using CAR Network Diagram 1. Use 16 KB and 24 KB for normal and excess burst values. Email: khawarb@khawarb. Use 16 KB and 24 KB for normal and excess burst values.CareerCert.2 Lab Objectives: Task 1 R1 is experiencing a DoS attack against your network.com Page 221 of 307 .netmetric-solutions. Task 2 R1 is also experiencing a lot of traffic for udp port 1434 and TCP port 1433 (SQL Slammer).com. Copyrights Netmetric Solutions 2006-2010 Website: http://www.info Lab 29. Control this traffic by limiting the traffic to 64 kbps coming into the Frame Link.Blaster). You turn on Netflow on R3 and see a lot of packets for TCP ports 135 and 4444 and UDP port 69 (W32. Control this traffic by limiting the traffic to 128 kbps coming into the Frame Link.

65.CareerCert.com. Configure R2 such that if there are more than 400 half-open connections.2 – Mitigating DoS and SYN Attacks using CBAC Before you Start This Lab builds on the configuration of the previous lab. Task 2 After configuring this. Copyrights Netmetric Solutions 2006-2010 Website: http://www. it should delete the oldest 100 connections. If more than 40 connection are made to a specific host. it should only allow new connections to be made by deleting the oldest entry for this specific host. This is the only server that should be accessed from the frame cloud.www.22. All routing traffic should be allowed into R2. Users from inside networks should be able to go out and return for any traffic.netmetric-solutions.com Page 222 of 307 .1. Lab Objectives: Task 1 There is a Web server located at 192.info Lab 29. the Web server experiencing a SYN Flood attack. Email: khawarb@khawarb.

you notice that the Web servers are getting overwhelmed with SYN packets that are in half-open state. Task 2 Configure R1 such that it does not allow any Web request towards VLAN 14.com Page 223 of 307 .netmetric-solutions. Task 3 R1 should start deleting half open connections if the number reaches 600.info Lab 29. Upon further investigation. Copyrights Netmetric Solutions 2006-2010 Website: http://www. It should stop deleting half open connection if they reach 400. Lab Objectives: Task 1 All Web servers located on VLAN 14 are not able to service Web requests.www. Email: khawarb@khawarb.3 – Mitigating DoS and SYN Attacks using IP TCP Intercept Feature Before you Start This Lab builds on the configuration of the previous lab. It should answer on behalf of the Web servers located on VLAN 14 and only pass the connections if they complete.com. Set the same parameters for the connection made in the last minute.CareerCert.

0 Module 6: Network Attacks Lab 30 – Mitigating Attacks Using NBAR Netmetric Solutions http://www.CareerCert.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.info CCIE Security Lab Workbook Version 3.com Page 224 of 307 .netmetric-solutions.netmetric-solutions.com.www. Email: khawarb@khawarb.

netmetric-solutions.6) R5 R6 Copyrights Netmetric Solutions 2006-2010 Website: http://www.com.0/24 VLAN 14 F 0/0 (. Syslog.0/24 VLAN 56 F 0/0 (.10) ASA-1 192. IEV.1) R1 F 0/1 (.0/24 VLAN 22 E 0/0 (.1) R4 192.1.5) F 0/0 (.1) 192. AAA and CA (. Network Diagram 6.0/24 VLAN 10 E 0/1 (.11.2) R2 SW1 S 0/0 (.10) VLAN 22 (.1.www.22.0/24 F 0/0 (.2) R2 S 0/0 (.12.com Page 225 of 307 .1.25) 10.15) F 0/0 (.CareerCert.14.1 IDM.info Lab 30 – Mitigating Attacks Using NBAR Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.56.2) 192. Email: khawarb@khawarb.11.1.

netmetric-solutions.www.exe” “root.com Page 226 of 307 . Email: khawarb@khawarb.1 – Blocking HTTP Attacks Using NBAR Network Diagram 1. You turn on a Packet Analyzer to capture packets and see the following url’s: “.2 Lab Objectives: Task 1 R2 is experiencing a DoS attack against your Webserver located on VLAN 22.info Lab 30.exe” “readme. The policy should be applied on the S 0/0 interface of R2. Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert.eml” This is the footprint of the Nimda Attack.ida” “cmd.com. Task 2 Configure R2 such that any packet that has the preceding patterns in the url of http packets should be dropped.

2 – Blocking File Transfer Attacks Using NBAR Before you Start This Lab builds on the configuration of the previous lab.CareerCert. The main Peer-to-Peer File sharing that are causing it are listed below: Kazaa Grokster iMesh BearShare Limewire Morpheus ToadNode Task 2 Mitigate this problem by dropping any traffic from these applications from R1 towards the Frame Cloud. Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions. Do not use an Access List to accomplish this task.com Page 227 of 307 .info Lab 30. it is found that Peer-to-Peer applications are causing this.com. Email: khawarb@khawarb. Lab Objectives: Task 1 The Frame Relay network is overwhelmed by File Transfer traffic. Upon deeper analysis.www.

Lab Objectives: Task 1 Configure R5 to block Fragmented UDP packets coming into F 0/0.com.3 – Blocking Fragmented UDP Attacks using FPM Before you Start This Lab builds on the configuration of the previous lab. the packets should be dropped.info Lab 30. Email: khawarb@khawarb.www. Task 4 Do not use an Access-list for this Lab.netmetric-solutions. Task 2 The matching criteria should be as follows: Fragment Offset should not be equal to 0.CareerCert. Task 3 If the above criteria matches.com Page 228 of 307 . Copyrights Netmetric Solutions 2006-2010 Website: http://www. More Fragments bit in the flag field should be set to 1.

com. Copyrights Netmetric Solutions 2006-2010 Website: http://www.1. Task 2 The matching criteria should be as follows: The SYN Flag in the TCP Control Bits Field should be on.22.22.info Lab 30. the packets should be dropped. Task 4 Do not use an Access-list for this Lab. Task 3 If the above criteria matches.22.www. The traffic should be TCP Traffic and coming from 192.CareerCert. Email: khawarb@khawarb.com Page 229 of 307 .4 – Blocking TCP SYN Flood Attacks using FPM Before you Start This Lab builds on the configuration of the previous lab.netmetric-solutions. Lab Objectives: Task 1 R6 is receiving a TCP SYN Flood attack from 192.22.1.

com Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 230 of 307 .netmetric-solutions.www.0 Module 6: Network Attacks Lab 31 – Service Provider Security Netmetric Solutions http://www.netmetric-solutions.com. Email: khawarb@khawarb.info CCIE Security Lab Workbook Version 3.CareerCert.

2) R2 S 0/0 (.11.1) R1 F 0/1 (.10) ASA-1 192.0/24 VLAN 56 F 0/0 (.56.22.1 IDM.www. AAA and CA (.15) F 0/0 (.6) R5 R6 Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.0/24 F 0/0 (.5) F 0/0 (.2) R2 SW1 S 0/0 (.14.2) 192.1) 192.12.com.1.10) VLAN 22 (.1) R4 192.0/24 VLAN 22 E 0/0 (.1. Email: khawarb@khawarb.0/24 VLAN 14 F 0/0 (.1. IEV.1.25) 10.0/24 VLAN 10 E 0/1 (.11.info Lab 31 – Service Provider Security Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.com Page 231 of 307 .CareerCert. Syslog. Network Diagram 6.

com Page 232 of 307 .1 – Blocking Attacks Using PBR Network Diagram 1. From your sniffer trace. Block packets that are either destined towards R2 or thru it from the Frame cloud with these characteristics.www.CareerCert.com. you see the size of these packets is 376 bytes. You suspect these packets to be attack packets for the Deloder Worm. Email: khawarb@khawarb. Copyrights Netmetric Solutions 2006-2010 Website: http://www.info Lab 31.netmetric-solutions.2 Lab Objectives: Task 1 R2 is seeing a lot of packets coming in towards UDP port 1434. Task 2 These packets should be black holed on R2. Prevent your router from sending ICMP unreachable messages to the sender of these packets.

com. You can only create one static route on each router.0.netmetric-solutions. Email: khawarb@khawarb.info Lab 31. R1 is peering with all the routers and is acting as a Route-Reflector Server.0/24 and 144.0.CareerCert. Task 4 Use R1 as the Trigger Router. The Traffic destined for these two networks should be black holed on all routers in the AS.0. R4. Copyrights Netmetric Solutions 2006-2010 Website: http://www.0. Lab Objectives: Task 1 Routers R1.www. R5 and R6 are in AS 12456. These networks are behind R4. Task 3 Configure BGP such that all the Routers in the AS drop any packets destined for these two networks.com Page 233 of 307 .2 – Blocking Attacks Using Remote Triggered Black Holing Before you Start This Lab builds on the configuration of the previous lab. Task 2 It has come to your attention that 44. R2.0/8 networks are under a denial of service attack.

info CCIE Security Lab Workbook Version 3. Email: khawarb@khawarb.0 Module 7: Troubleshooting Lab 32 – Troubleshooting ASA Netmetric Solutions http://www.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.www.netmetric-solutions.CareerCert.com Page 234 of 307 .com.

22.0/24 VLAN 55 F 0/0 (.22.10) F0/0 (.1.0/24 VLAN 66 R6 ASA-2 F 0/1.2) R2 S 0/0 (.22. IEV.1.1 IDM. Network Diagram 7.www.20) BB1 Copyrights Netmetric Solutions 2006-2010 Website: http://www. AAA and CA (. Syslog.33.com.22.1.1) 10.0/24 VLAN 44 R4 F0/0 (.5) R5 F 0/0 (.2) 192.10) F 0/1.33) F0/2 (.66.com Page 235 of 307 .10) 10.44.0/24 VLAN 12 F 0/0 (.44) 192.10) 10.11.0/24 VLAN 33 F0/1 (.0/24 VLAN 11 ASA-1 R3 10.55.10) F0/3 (.netmetric-solutions.info Lab 32 – Troubleshooting ASA Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.0/24 VLAN 10 F 0/1 (.22.CareerCert.0/24 S 0/0 (.6(. This lab covers Basic configurations on the ASA firewall. Email: khawarb@khawarb.1(.33.10) 10.44.25) 10.1) R1 F 0/0 (.66.0/24 VLAN 100 F 0/0(.55) 192.125.10) F0/0 (.11.

com Page 236 of 307 .1 – Troubleshooting Initial Configuration Issues Lab Objectives: Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab. Task 3 It should have been configured to give out IP Configuration using the following: IP Range : 10.22.22.33. Fix it.44.100 DNS Server : 192.10/24 10. Copyrights Netmetric Solutions 2006-2010 Website: http://www.10/24 10.33. Task 5 A BGP neighbor relationship has been configured between R6 and BB1 in AS 600.35 WINS Server : 10. Lab Objectives: Task 1 The ASA-1 should have been configuration for the Interfaces: Interface F 0/0 F 0/1 F 0/2 F 0/3 Name Outside Inside DMZ3 DMZ4 configured with the following IP Security Level 0 100 50 50 IP Address 192.com. The neighbor relationship is not coming up.1.22.22.info Lab 32.22.44.22.22.22.22.22.www.22.6 Task 4 The above requirements are not working.10/24 10.5 TFTP-Server : 10.22.51 – 10.10/24 Task 2 It should have been able to ping all the surrounding routers.1.CareerCert. Email: khawarb@khawarb.netmetric-solutions. Fix it.

com Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 237 of 307 .CareerCert. Email: khawarb@khawarb.info CCIE Security Lab Workbook Version 3.0 Module 7: Troubleshooting Lab 33 – Troubleshooting DMVPN Netmetric Solutions http://www.netmetric-solutions.netmetric-solutions.www.com.

0/24 VLAN 10 F0/1 (. Email: khawarb@khawarb.com Page 238 of 307 . R3 F0/0 (.10) ASA-1 F0/0 (.www.0/24 VLAN 12 F 0/0 (.12.netmetric-solutions.com.10.1.info Lab 33 – Troubleshooting DMVPN Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab.10) 192.2) R1 R2 Copyrights Netmetric Solutions 2006-2010 Website: http://www.1) F 0/0 (.3) 192.1.CareerCert.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.0/24 o IP MTU : 1416 o Tunnel Authentication Key : 123 Routing Protocol Parameters o EIGRP 123 ISAKMP Parameters o Authentication : Pre-shared o Encryption : 3DES o Pre-Shared Key : cciesec IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Task 2 The Tunnel is not coming up.DMVPN Tunnel Parameters o IP address : 172.16. R2 and R3 to encrypt traffic between the Loopback networks.info Lab 33.1 – Troubleshooting DMVPN Before you Start Load the initial configuration files from the DVD/CD for the devices used in this Lab. Lab Objectives: Task 1 DMVPN has been configured between R1.com.123.www. Bring it up.netmetric-solutions. R3 is the NHRP Hub. Email: khawarb@khawarb.CareerCert. The DMVPN is supposed to be using the following Configuration Parameters: NHRP Parameters o NHRP ID – 123 o NHRP Authentication key .com Page 239 of 307 .

com.netmetric-solutions.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.www. Email: khawarb@khawarb.info CCIE Security Lab Workbook Version 3.CareerCert.com Page 240 of 307 .0 Module 8: Super Labs Lab 34 – Super Lab 1 Netmetric Solutions http://www.netmetric-solutions.

2) 192.10) 192.0/24 VLAN 10 R1 10.0/24 VLAN 51 F0/0 (.22.22.0/24 192.11.0/24 VLAN 62 ASA-2 F 0/1 (.1.166.25.26.1) C & C (.CareerCert. Email: khawarb@khawarb.1) IPS Sensor F 0/1 IPS Sensor 10.51.5) R5 F 0/1 (. IEV.1.5 (.0/24 VLAN 22 F 0/0 (.20) F 0/0 (. AAA and CA (.1.info Super Lab – 1 IDM. Syslog.2) S 0/0.1.4) R4 VPN Client Copyrights Netmetric Solutions 2006-2010 Website: http://www.2) S 0/0.0/24 S 0/0.15) 192.22.22.netmetric-solutions.1.0/24 VLAN 52 R3 F 0/0 (.30.3 (.www.20) R2 192.3) S 0/0 (.23.11.15) 10.1.0/24 VLAN 11 F 0/0 (.66.1.52.25) 192.66.com Page 241 of 307 .10) (.6 (.6) 192.10) 192.0/24 VLAN 30 S 0/0 (.0/24 VLAN 63 (.1.6) SW1 R6 F 0/0 (.22.1.5) 192.2) 192.5) (.0/24 VLAN 61 F 1/0 BB1 IPS Sensor F 1/1 F 0/0(.25) F 0/1 (.1.0/24 VLAN 12 F 0/1 (.10) F 0/1 BB2 ASA-1 F 0/0 (.3) S 0/0(.0/24 F 0/0(.com.

52.6/24 192.10/24 192.51.66.2/24 192.netmetric-solutions.1.22.11.55.55/8 192.26.info IP Addressing Scheme Device R1 Port F 0/0 F 0/1 Loopback 0 F 0/0 S 0/0.6 Loopback 0 F 0/0 S 0/0 Loopback 0 F 0/0 Loopback 0 F 0/0 F 0/1 S 0/0 Loopback 0 F 0/0 S 0/0 Loopback 0 F 0/0 F 0/1 F 0/0 F 0/1 C&C Interface VLAN 52 F 0/0 F 0/1 IP Address 10.25.www.66.30.3 S 0/0.1.11.CareerCert.1.1.22/8 192.1. Email: khawarb@khawarb.1.55.33.11/8 192.22.22.23.10/24 10.166.66/8 192.25.66.20/24 192.1.2/24 192.44.44.2/24 192.33.5 S 0/0.1/24 11.10/24 10.5/24 192.1.51.6/24 66.15/24 192.22.10/24 192.11.33/8 192.com.com Page 242 of 307 .20/24 R2 R3 R4 R5 R6 ASA-1 ASA-2 IPS Switch 1 BB1 BB2 Copyrights Netmetric Solutions 2006-2010 Website: http://www.22.166.11.11.1.1.52.1.1.15/24 192.1.1.4/24 44.1.1.44/8 192.22.5/24 55.66.26.3/24 192.1.22.5/24 192.30.2/24 22.23.22.3/24 33.1.11.1/24 10.

www.CareerCert.com Page 243 of 307 .info OSPF Network Diagram ASA-1 R2 Area 0 R3 R5 R6 SW1 ASA-2 EIGRP Network Diagram R3 AS 230 BB1 Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com. Email: khawarb@khawarb.

www.CareerCert.info

RIP Network Diagram

R1

R4

ASA-1

ASA-2

BGP Network Diagram

R5

AS 500

BB2

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 244 of 307

www.CareerCert.info

Startup Configurations
Pre-load the Initial Configurations for all the devices

Section 1 – ASA/IOS FW Configuration – Basic (8 Points)
1.1 – Basic IP Configuration of ASA-1 and ASA-2 (4 Points)
Task 1 Configure IP Addresses on the Outside and Inside interfaces of ASA-1 and ASA-2 based on the IP Addressing Scheme Table. Configure the Switch to make sure that ASA-1 and ASA-2 can communicate to directly connected devices. Task 2 Configure ASA-1 to allow inside networks in your topology to go out using the a pool of 192.1.22.51-192.1.22.99. If the pool is exhausted, it should still allow the users to go out using 192.1.22.101 as a backup address. Task 3 Make sure that it there is no translation rule on the ASA-1 for a network, it should not be able to go out. Task 4 There is a DHCP Server located at 192.1.66.25. This server has been configured to give out IP Configuration to VLAN 63. Configure ASA-2 such it allows the clients on VLAN 63 to receive IP Configuration from the DHCP. ASA-2 should make sure the DHCP reply points to 192.1.166.10 as the default gateway for these clients. Task 5 Run OSPF as the routing protocol on ASA-1 on the outside interface. Task 6 Run RIP as the routing protocol on ASA-1 on the inside interface. Make sure R1 learns all outside routes from ASA-1. Task 7 Run OSPF as the routing protocol on ASA-2 on the outside interface. Task 8

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 245 of 307

www.CareerCert.info

Run RIP as the routing protocol on ASA-2 on the inside interface. Make sure R4 learns all outside routes from ASA-2. Also, make sure that R6 learns about the 192.1.166.0/24 network.

1.2 – Translations (4 Points)
Task 1 Configure static translations for R1 as 192.1.22.1 on the outside network on ASA-1. The ACS server should be seen as 192.1.22.100 on the outside. IPS Sensor should be seen as 192.1.22.15. Task 2 There is a Server located at 10.22.22.99. It is a Web Server, SMTP Server and a DNS Server. This server should appear as 3 separate servers for the outside users. Use the following for the translations and allow the appropriate entry in the ACL: Web Server – 192.1.22.41 SMTP Server – 192.1.22.42 DNS Server – 192.1.22.43 Task 3 Configure ASA-1 such that when R2 communicates to R1, R2 should be seen as 10.22.22.2. Allow R2 to ping R1.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 246 of 307

www.CareerCert.info

Section 2 – ASA/IOS FW Configuration – Advanced (12 Points)
2.1 – Blocking Instant Messaging using MPF (4 Points)
Task 1 You don’t want any users on the inside of ASA-1 except for 10.22.22.97 and 10.22.22.98 to be able to use either MSN IM or Yahoo IM. Task 2 Do not configure this under the Global policy.

2.2 – Configuring SNMP (4 Points)
Task 1 Configure SNMP on ASA-1 with a Global SNMP-Community of ASACCIE. Task 2 Configure a SNMP Server with an IP Address of 10.22.22.50. It should be configured with a community name of CCIESecure. It will be using SNMP Version 2c to the management station at 10.22.22.50. The management station uses a non-standard port of 25000 to listen for Traps. Configure the ASA to communicate to this SNMP Server using port 25000. Task 3 Enable the following traps to be sent to the SNMP Server: Standard Event Traps (linkup linkdown) IPSec Event Traps (start stop) Remote Access Traps (session-threshold-exceeded)

1.3 – Zone-Based Firewall (4 Points)
Task 1 Configure VLAN 52 as the Local Zone. Configure the Frame Cloud as the Internet Zone. Configure VLAN 51 as the DMZ zone. Task 2 Configure the Zone Policy for traffic originating from Local Zone as follows: Allow DNS, HTTP, HTTPS, FTP, TFTP, SMTP and ICMP traffic from Local to Internet. Allow HTTP Access from the Local zone to all servers on the DMZ Zone
Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 247 of 307

www.CareerCert.info

Task 3 Configure the Zone Policy for traffic coming in from the Internet as follows: Allow Web Access to a server 192.1.51.55 located on the DMZ zone Allow SMTP Access to a server 192.1.51.50 located on the DMZ zone Task 4 Configure the Zone Policy for traffic originating from the DMZ Zone as follows: Allow the SMTP server 192.1.51.50 to access a SMTP server 192.1.52.50 located in the Local zone.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 248 of 307

www.CareerCert.info

Section 3 – IPS/IDS Configuartion – Basic (6 Points)
3.1 – Initial Configuration (2 Points)
Task 1 Configure the IPS Sensor with the following parameters: Hostname – IPS-WB IP Address – 10.11.11.15/24 Default Gateway – 10.11.11.1 Web Server Port number – 4430 Allowed Hosts – 10.11.11.0/24, 10.22.22.0/24, 192.1.22.0/24

3.2 – IPS Sensor Configuration in Inline mode (4 Points)
Task 1 Configure Inline pair to connect R1 to ASA-1. Use the First Sensing interface for this pair. Task 2 Configure the switch to accommodate this configuration. Task 3 Make sure only the appropriate traffic is send to the IPS Interface. Task 4 Assign this Pair to the original Virtual Sensor. Task 5 Configure Inline pair to connect R6 to ASA-2. Use the Second and Third Sensing interfaces for this pair. Task 6 Configure the switch to accommodate this configuration. Task 7 Configure a new Virtual Sensor (VS1) using a Signature Configuration (Sig1). Assign this Inline pair to this Virtual Sensor.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.com; Email: khawarb@khawarb.com Page 249 of 307

com. make sure you can Telnet into R3. Email: khawarb@khawarb.com Page 250 of 307 . Set the severity level of the signature to High.1 – Blocking using a Router (4 Points) Task 1 A device from VLAN 30 is trying to do an ICMP Smurf attack against your internal networks behind R2 and R6.www. This should only affect Virtual Sensor 0. Task 4 This should only be done for Virtual Sensor 1. Configure the IPS Sensor with the appropriate login details. Task 2 R3 is pre-configured with a Telnet password of C1SC0.netmetric-solutions. Make sure the never block address is the appropriate address.info Section 4 – IPS/IDS Configuration – Advanced (10 Points) 4. Also. Configure the ACL’s on the F 0/0 interface in the inbound direction. It should be done based on a limit of 10%. 4. Configure an enable secret password of CISCO. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 2 Only fire the signature if 2 such packets are received in the last 60 seconds Task 3 Generate an alarm and drop the packet. Task 3 R3 should be used for Blocking and Rate-limiting. Task 4 Configure a Rate Limit policy for a maximum of 10 percent for ICMP traffic. Make sure the signature is case-sensitive.2 – Custom HTTP Signature (4 Points) Task 1 Create a custom TCP String signature that will fire if a word “resume” is detected in a packet destined for HTTP.CareerCert. Configure the IPS Sensor to ratelimit this traffic on the F 0/0 interface of R3. The signature should also produce an alert.

5.0/24 as the tunnel network.com Page 251 of 307 . Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions. Configure the following ISAKMP and IPSec Policies: ISAKMP Parameters o Authentication : Pre-shared o Group : 2 o Encryption : 3DES IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Task 4 Do not create a Crypto Map for this Lab.com.3/24 R4 – Loopback 34 – 172. Use the following parameters for the KS.16.2 – GET VPN (4 Points) Task 1 Configure the following Loopback interfaces: R3 – Interface Loopback 15 – 172.6. Use 172.info Section 5 – VPN Configuration – Basic (8 Points) 5.3.CareerCert. Secure the GRE tunnel by using a Key of 3434. Task 3 Configure an IPSec to encrypt the traffic on the GRE Tunnel.16. Use EIGRP 34 to exchange the Loopback 34 between the 2 routers. Make sure the IPSec mode is for end-to-end tunnels.6/24 Task 2 Configure R2 as the Key Server for your GET VPN to encrypt data between R3 and R6.16. Email: khawarb@khawarb.www. Run EIGRP in AS 34 on the Tunnel.34.16.16.3.3/24 R6 – Interface Loopback 15 – 172.4.1 – LAN-To-LAN IPSec/GRE Tunnel (4 Points) Task 1 Configure the following Loopbacks on R3 and R4: R3 – Loopback 34 – 172.4/24 Task 2 Configure a GRE Tunnel between R3 and R4.

www.0 major network.0. Task 4 You are allowed to create Static routes for this lab.CareerCert.info ISAKMP Parameters o Authentication : Pre-shared o Encryption : 3DES o Pre-Shared Key : cciesec o Group : 2 IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC o SA Lifetime : 3600 Key Server Parameters o Identity Number : 100 o Interesting Traffic : Any traffic on the 172. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Use the Parameters listed for the Key server to configure the Devices.netmetric-solutions.com Page 252 of 307 .com. o Local Address : Loopback 0 Task 3 Configure R3 and R6 to use R2 as the Key Server.16. Email: khawarb@khawarb.

168. This pool will be assigned to Remote Access clients.CareerCert.com. Configure the VPN idle timeout to 10 minutes. Task 8 Copyrights Netmetric Solutions 2006-2010 Website: http://www.1 thru 192.11.168.www.1 – EZVPN with ASA-1 as Server (4 Points) Task 1 Configure ASA-1 as a Remote Access/EZVPN Server for Software and Hardware Clients.0/24 is allowed to go out un-translated. Task 6 Configure the ASA-1 such that all traffic going towards the 192.11. Email: khawarb@khawarb.netmetric-solutions.168. Configure the following ISAKMP and IPSec Policies: ISAKMP Parameters o Authentication : Pre-shared o Group : 2 o Encryption : 3DES IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Task 2 Configure a Pool called EZP. Assign IP addresses to this group from the EZP Local pool.11. Task 4 Configure a couple a local users with the following attributes: Username : EZR5 – Password : cciewb Task 5 Configure a Remote Access Tunnel Group called EZC. Authentication and Authorization for this group should be done using the Local Database. Task 3 Configure an internal group called EZ. Use a pre-shared key of cciesec. Task 7 Create a dynamic map to use the previously created IPSec transform set.254 as the pool addresses. Use 192.info Section 6 – VPN Configuration – Advanced (8 Points) 6.com Page 253 of 307 .

com.netmetric-solutions.CareerCert.2.25. It was supposed to encrypt traffic from the Loopback 172’s to each other.16. 6. It was supposed to use the following parameters: Use the following Parameters for the Tunnel: ISAKMP Tunnel : o Authentication – Pre-share o Hash MD5 o Pre-shared Key .0/24 o Tunnel Key – 25 EIGRP Tunnel Parameters: o EIGRP AS Number – 25 Task 3 The Tunnel is not coming up. R2 – Loopback 172 – 172. Troubleshoot to bring the tunnel up.www.16.info Test the configuration by establishing a VPN from the VPN Client.5/24 Task 2 A DMVPN Tunnel has been configured between R2 and R5.16. Copyrights Netmetric Solutions 2006-2010 Website: http://www.2 – Troubleshooting DMVPN (4 Points) Task 1 The following Loopbacks have been configured on R2 and R5.5. Email: khawarb@khawarb.CISCO IPSec Tunnel : o Encryption – ESP-3DES o Authentication – ESP-MD5-HMAC NHRP Parameters: o NHRP ID – 25 o NHRP Authentication Key – DMVPN o NHRP Hub (NHS) – R2 GRE Tunnel Parameters: o Tunnel IP Address – 172.2/24 R5 – Loopback 172 – 172.com Page 254 of 307 .

Task 2 Management of R3 should be allowed from the 192.1 – Configuring R3 for Authentication. Create a local username admin with a password of admin. Task 4 Create the following users on the ACS Server: Username – R3-User1 Password: cisco Privilege: 15 Username – R3-User2 Password: cisco Privilege: 15 Task 5 When the users login.1. they should be assigned the privilege level from the ACS Server. Task 3 Telnet Authentication should be done based on the ACS Server.netmetric-solutions. If the ACS Server is not available.0/24 and R1 networks only using Telnet. Authorization and Accounting (4 Points) Task 1 Configure R3 to communicate with the ACS server using TACACS+ as the authentication protocol and key. Do not use the Default list to accomplish this task. Allow the appropriate entries in the ASA-1 to allow R3 to communicate with the ACS Server.www. Task 6 Only allow R3-User1 to access R3.30. Email: khawarb@khawarb.com Page 255 of 307 .info Section Points) 7 – Access/Identify Management (16 7. authentication should be done based on the local database. He should have access to all commands on R3. He should have only be able to execute the following commands: Configure Terminal Hostname Router OSPF o Network Copyrights Netmetric Solutions 2006-2010 Website: http://www.com.CareerCert. Use the most specific entries in the ACL. Make sure there is no authentication done on the Console and Aux ports. Task 7 Only allow R3-User2 to access R3.

1.info o Redistribute Interface Fastethernet 0/0 o Ip address o Shutdown Sh version Sh privilege Task 7 Log all login and logouts for Telnet.www. authorize and account for EAPoUDP against the RADIUS server configured in the previous task. it should authenticate the user against the ACS server.2 – Authentication Proxy on the ASA-2 (4 Points) Task 1 Configure the ASA-2 to communicate to the ACS server using TACACS+ as the authentication protocol. log all commands typed in by the users while connected via Telnet.1. TFTP and Web.netmetric-solutions. User2 should be allowed to access the server for Telnet and Web.66. Email: khawarb@khawarb.254 as the Virtual Telnet IP. The Switch should authenticate. Configure the ACS to allow ASA-2 to act as AAA Client. Task 2 Configure Authentication proxy on ASA-2 such that before allowing access to a server 192. They should use tacccie as the shared secret key. 8. 7.CareerCert.23 for Telnet. Task 3 Use 192. Also. Copyrights Netmetric Solutions 2006-2010 Website: http://www.3 – Configuring L2IP NAC Framework (4 Points) Task 1 Configure SW1 to communicate with the ACS Server. Task 4 Configure ACS with the following user accounts in the default group: Username – User-1 Password – user1 Username – User-2 Password – user2 Task 5 User-1 should be allowed to access the server for Telnet and TFTP.com. Task 2 Configure NAC L2IP on the switch.166. Configure the SW1/ACS connection using the appropriate RADIUS Protocol and a key of radccie.com Page 256 of 307 .

Also.11. Only allow the traffic from the Default ACL created in the previous task.www.com. Also. Task 5 Configure a ACL that will be used as a default interface ACL for the EAPoUDP ports using the following requirements: All Traffic destined for UDP / 21862 Requests from DHCP Clients towards the DHCP servers All Traffic destined for DNS requests HTTP access to a Patch Server located at 10.com Page 257 of 307 .CareerCert. Task 4 Enable IP Device Tracking on the Switch. Windows Result Healthy Checkup Transition Quarantine Infected Unknown Message Your Device is Healthy Your Decice needs Checkup Your Device is in Transition Your Device has been Quarantined Your Device is infected Your Device is in an Copyrights Netmetric Solutions 2006-2010 Website: http://www. Cisco Host CTA. configure the switch to recognize and use vendor-specific attributes. Task 7 The Switch should wait for 2 minutes after a failed credential validation attempt before a new association can be retried. Change the defaults based on the following parameters: Required Condition Types Posture Validation Policies Assessment Result Configuration Cisco PA.netmetric-solutions.99 Task 6 Implement a EAPoUDP policy on ports F 0/15-17. The DHCP Server is connected on Port F 0/11 on the switch. configure DHCP Snooping for VLAN 10. Email: khawarb@khawarb.11.info Task 3 Configure the Switch to send Framed-IP-Address RADIUS attribute in access-request or accounting-request packets. Task 8 Configure a NAC L2 IP profile using the default template on the ACS Server.

200. the LAC should connect to the L2TP Network Server(LNS).56 LNS Use 192. 7. Task 4 Besides the 192.55 vpdn:l2tp-tunnel-password=CISCO Task 3 Configure the service-type for this connection to be outbound.1.57 as a backup. in case the first 2 are down.info Unknown state Task 9 The NAC L2 IP profile should be the top Profile in the list of Posture Validation profiles.1. Based on the PPP client connections. Email: khawarb@khawarb. You need to configure the RADIUS server to support this type of configuration for a user ccie. It is configured for allowing incoming connection using PPP. Configure RADIUS for the following: Load Balance between the 192. Task 2 The LAC should get the information about the LNS from the RADIUS server.1.com Page 258 of 307 .57) on the network. there are another 2 LNS server (192.200.cisco.55 and 192.1.com.www.200. Copyrights Netmetric Solutions 2006-2010 Website: http://www.200.56 and 192.200.com.netmetric-solutions. Task 10 Enable the default Authorization rules.1.200. It should have the following parameters for outbound connections: vpdn:tunnel-id=LACT vpdn:tunnel-type=l2tp vpdn:ip-addresses=192.55 LNS.200. This user should have a password of ccie.CareerCert.1.1.4 – Configuring the ACS for L2TP Remote Users (4 Points) Task 1 You have a L2TP Access Concentrator (LAC) located on your network.

Using Control Plane Policing. Email: khawarb@khawarb.66.1.11. 8.www. It should maintain a MAC-IP database based on the Addresses assigned to DHCP Clients from DHCP Servers. control the rate of Telnet traffic to 64000 bps. Assign this port to VLAN 112.1 – DHCP Snooping (4 Points) Task 1 Configure DHCP Snooping on Switch2.2 – Configuring CP Policing (4 Points) Task 1 R3 has been configured to allow telnet access for management purposes.netmetric-solutions. Task 3 Make sure the switch only allows DHCP replies from port F 0/17 on Switch2. Task 2 The DHCP server resides on the F 0/17 on Switch2.com. It should be enabled on VLAN 112.3 – Port Security with SNMP Traps (2 Points) Task 1 Configure Switch1 such that only R1 F0/0 and R2 F0/0 can connect to Ports F 0/1 and F 0/2 respectively.25 and 10.com Page 259 of 307 .11. Copyrights Netmetric Solutions 2006-2010 Website: http://www.info Section 8 – Network and Switch Security (16 Points) 8.11. It should verify valid IP-MAC mappings against the DHCP Snooping Database.30. If it does not match. If another port tries to connect to these ports they should generate a trap towards a SNMP Server. Configure SW1 to send traps for Port Security Violations.CareerCert. Task 2 The SNMP Server is located at 192. 8.11. Use “Publ1c” as the community name.75. It should be enabled for VLAN 112. it should drop the packets. Task 4 Configure Switch2 such that it intercepts all packets received on untrusted ports. Task 2 This policy should not apply to traffic originating from hosts 10.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 260 of 307 .www.netmetric-solutions.info 8. Make sure the proper times are propagated to the routers. Task 4 Set the clock on R1 to the current time.CareerCert.com. R2 is located in New York. R3 should have been configured to automatically adjusts the clock based on the time zone Task 3 R2 should have been configured to receive its clock from R3. R3 is in Chicago. The Key string should be ccie12353. Configure the appropriate Time Zone setting. Task 2 R3 should have been configured to receive its clock from R1. Email: khawarb@khawarb. R1 is in Los Angeles. It should authenticate the clients using a key id of 135.4 – Configuring NTP (4 Points) Task 1 R1 should have been configured as a NTP Master with a stratum of 2.

22.22.2 – PBR (4 Points) Task 1 R5 is seeing a lot of ICMP packets coming in towards VLAN 51 and VLAN 52 with a size of 250. Task 3 If the above criteria matches.30.info Section 9 – Network Attacks (16 Points) 9. 9. the packets should be dropped. 9.www. Task 4 Do not use an Access-list for this Lab.1. Block these packets. Protect R2 from being a Smurf and Fraggle reflector from the Frame Cloud. Block any packets that are destined to this server that are fragmented. The traffic should be TCP Traffic and coming from 192.com. Protect R6 from being a Smurf and Fraggle victim from VLAN 51.CareerCert. You suspect being used as a Smurf and Fraggle reflector.1.com Page 261 of 307 . Task 3 R6 is also under a Fraggle and Smurf attack from VLAN 51.1 – Fraggle and Smurf Attack (4 Points) Task 1 R2 is experiencing a Fraggle and Smurf attack from the Frame Network.30. Email: khawarb@khawarb. Task 2 The matching criteria should be as follows: The SYN Flag in the TCP Control Bits Field should be on.netmetric-solutions. You suspect to be a Smurf and Fraggle victim. You deem these packets to be attack packets. Task 2 R2 is also receiving a bunch of fragmented packet destined for a web server located at 192.3 – Blocking TCP SYN Flood Attack (4 Points) Task 1 R6 is receiving a TCP SYN Flood attack from 192.30. You suspect these packets to be attack packets. Copyrights Netmetric Solutions 2006-2010 Website: http://www.1.22.

This port is connected to an end device.com. Upon further investigation.AB11.netmetric-solutions.info 9. Mitigate this attack by Hard coding the MAC address of the Server (0001.1234) to F 0/4 on Switch 2. Task 2 Users are complaining about temporarily losing connectivity to a server located on Port F 0/4 on Switch 2. you notice that your MAC Address table is full (CAM Table Overflow Attack). Mitigate this attack by only allowing one MAC address on this port. the port should be shutdown preventing this attack. It has a bunch of MAC addresses connected to port F 0/3 on Switch 2.CareerCert.4 – Mitigating MAC Spoofing Attack (4 Points) Task 1 Switch2 is forwarding packets Destined to a specific device to all ports on the switch. This goes happening intermittently throughout the day (MAC Spoofing Attack).www. there is an entry for Port F 0/4 for the servers MAC address. If you check MAC address table after sometime. you notice that there is no entry for the Port F 0/4 in the MAC Address table but the MAC address of the server appears under port F 0/7. Email: khawarb@khawarb.com Page 262 of 307 . Upon looking at the MAC Address table. This MAC address should be learned Dynamically and copied into your configuration file. Copyrights Netmetric Solutions 2006-2010 Website: http://www. If a violation occurs.

netmetric-solutions.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.info CCIE Security Lab Workbook Version 3.netmetric-solutions. Email: khawarb@khawarb.www.com Page 263 of 307 .com.CareerCert.0 Module 8: Super Labs Lab 35 – Super Lab 2 Netmetric Solutions http://www.

42 (.11) F0/1.1 (.1) 10.4) 192.0/24 VLAN 42 R4 S 0/0.2 (.4) F 0/0.0/24 VLAN 11 C & C (.4) 192.1 (.1.20) VPN Client BB2 Copyrights Netmetric Solutions 2006-2010 Website: http://www.11) ASA2-C1 F0/0.12) F0/1.1.5) F 0/0 (.25) (.info Super Lab – 2 IDM.4) S 0/0.22.1.5) R5 (.2 (.2 (.11) ASA2-C2 192.12) F0/1.15.56 (.2) 10.56.0/24 VLAN 41 F 0/0. Email: khawarb@khawarb.1 (. IEV.0/24 VLAN 30 (.1.16) SW2 SW2 192.15) R2 F 0/0 (.3 (.15.11.55.11) ASA1-C1 F0/0.42.22.16) SW1 192.1.com Page 264 of 307 .66.12) ASA1-C2 F0/0.0/24 VLAN 15 R3 F 0/0 (.25) 10.22.30.com.0/24 S 0/0 (.0/24 VLAN 66 F 0/0 (.6) (.0/24 VLAN 12 IPS Sensor F0/1.0/24 S 0/0 (.41 (.15) (.CareerCert.0/24 VLAN 55 10.12) F0/0.www.1.3) 192.11.134.netmetric-solutions. AAA and CA (.22.1 (.6) F 0/0 (.41.1.1) R1 F 0/0 (.3) S 0/0 (.2 (. Syslog.0/24 VLAN 10 F 0/1 (.20) R6 BB1 192.

1.41.com Page 265 of 307 .15/24 15.1.42 S 0/0.1.1/24 11.12/24 192.2 F 0/0.11/24 10.12/24 10.22.30.netmetric-solutions.1 F 0/1.22.1.5/24 55. Email: khawarb@khawarb.56.11.22.6/24 66.15.2 C&C VLAN 15 Loopback VLAN 15 VLAN 55 Loopback IP Address 10.134.com.12/24 192.22.www.11/24 10.66.11.55.1 F 0/0.56 Loopback F 0/0 S 0/0 Loopback F 0 /0 S 0/0 Loopback F 0/0.6/24 192.66.11/8 10.56.1.1.11.4/24 44.1.15.41 F 0/0.1 F 0/1.22.15.11/24 10.1.55/8 192.12/24 10.22.CareerCert.1 F 0/0.1/24 10.22.22.55.41.16/24 0 0 R2 R3 0 R4 0 R5 0 R6 0 ASA1-C1(Active) ASA1-C2 (Standby) ASA2-C1(Standby) ASA2-C2 (Active) IPS SW1 SW2 0 0 Copyrights Netmetric Solutions 2006-2010 Website: http://www.4/24 192.2 F 0/1.16/24 16.3 S 0/0.2/24 22.33.33.33/8 192.66.44/8 192.55.15.5/24 192.16/24 192.11.66/8 192.42.1.15.15/24 10.22.1.42.16.3/24 192.11.11/24 192.42.2 F 0/1.22.44.22/8 192.15/8 10.15.3/24 33.1.44.22.16.56.22.1.134.11.info IP Addressing Scheme Device R1 Port F 0/0 F 0/1 Loopback F 0/0 Loopback F 0/0 S 0/0 Loopback F 0/0.22.55.1.4/24 192.41.1.4/24 192.22.1.

info RIP V2 Network Diagram R3 BB1 SW 2 SW 1 R4 OSPF Network Diagram R5 Area 0 SW 2 Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.CareerCert.com.com Page 266 of 307 .www. Email: khawarb@khawarb.

www.com Page 267 of 307 .CareerCert.netmetric-solutions.info EIGRP Network Diagram R4 R6 BB2 R5 AS 2456 Copyrights Netmetric Solutions 2006-2010 Website: http://www.com. Email: khawarb@khawarb.

1/24 and a standby address of 10. Name them Admin. Name this interface FC.100. Configure the Sub-interfaces based on the following: Interface F 0/0.2 – Configuring Active/Active Failover (4 Points) Task 1 Configure F 0/2 for LAN Based Failover.netmetric-solutions.1 F 0/1.1 F 0/0.com.cfg C2.100.2 VLAN 41 42 11 12 Task 3 Create three contexts on ASA-1.2 F 0/1.cfg Interfaces Interface Names F F F F 0/0.100.info Startup Configurations Pre-load the Initial Configurations for all the devices Section 1 – ASA/IOS FW Configuration – Basic (12 Points) 1.2 0/1.100.2 C1_OUT C1_INS C2_OUT C2_INS Task 4 Configure the Switch to accommodate this configuration. Task 2 Copyrights Netmetric Solutions 2006-2010 Website: http://www. 1. Task 2 Configure F 0/0 and F 0/1 with 2 sub-interfaces each.2. Email: khawarb@khawarb.www.1 0/1.com Page 268 of 307 . C1 and C2.CareerCert.1 – Configure ASA-1 for Multiple Context (4 Points) Task 1 Configure ASA-1 and ASA-2 in multi context mode.1 0/0. Assign it an Active IP address of 10. Configure the context with the following: Context Admin C1 C2 Config File Admin.Cfg C1.

1.101.11/24 100 10.12/24 Task 2 Configure Interfaces in Context C2 as follows: Interface C2_OUT C2_INS Name Outside Inside Security Active IP Level 0 192.101. Task 4 Configure F 0/3 as the Statefull Failover link.22. Email: khawarb@khawarb.22.11/24 Standby IP 192.101. Task 7 Configure the Switch to accommodate this configuration. Failover Group 2 should be the Secondary and it should also preempt.11/24 100 10.1.42. Task 3 Designate ASA-1 as the Primary unit for the system execution space.info Protect your Failover messages using a key ccie12353.22.1.CareerCert.12/24 Copyrights Netmetric Solutions 2006-2010 Website: http://www.101.netmetric-solutions.1.22.12/24 10.2/24.41.com.3 – Configuring Interfaces in the Appropriate Contexts (4 Points) Task 1 Configure Interfaces in Context C1 as follows: Interface C1_OUT C1_INS Name Outside Inside Security Active IP Level 0 192.41.22.11/24 Standby IP 192. Task 6 Assign C1 to the Failover Group 1 and C2 to the Failover Group 2.com Page 269 of 307 . Enable Failover on both ASA’s.22.42.1.22. Failover Group 1 should be Primary and should preempt.www.12/24 10. Configure ASA-2 as the secondary unit for the system execution space. Assign a name of SFF with an Active IP Address of 10.1 and a standby address of 10.22. Task 5 Configure 2 Failover Groups.

1.CareerCert. Also translated R1 F 0/0 as 192.com.1.41.info Section 2 – ASA/IOS FW Configuration – Advanced (8 Points) 2.112.41.1.200.com Page 270 of 307 .101 – 192.1. Backup the NAT pool with PAT using an IP Address of 192.41. Use the minimum number of lines possible to accomplish this in the ACL.111.1.42.0/24 segment.1. Use a pool of 192.100 as the Translated address on the Outside interface on the appropriate ASA.11.11.11.netmetric-solutions.41.42.1/24 and Loopback 112: 10. Task 6 Create a Static Translation for the ACS/CA server using 192.199. Translate these servers to 192.24 and 10.www.42.41. Loopback 111: 10. Backup the NAT pool with PAT using an IP Address of 192.26.1 on the outside interface.1.26 respectively. Task 5 Configure C2 to allow the inside network access to the outside networks using Dynamic Translation.112.111.1/24 Task 8 Copyrights Netmetric Solutions 2006-2010 Website: http://www.1. R4.1 – Configuring the ASA’s (4 Points) Task 1 There are going to be 2 Application servers installed on the 10.1.1.41. Email: khawarb@khawarb.24 and 192.101 – 192. Task 7 Configure 2 Loopback interfaces on R2. R5 and R6. Task 2 The applications located on these servers are the following: Telnet HTTP HTTPS DNS TFTP Task 3 Allow access to these servers from the loopbacks of R3.41. Use a pool of 192.11.199. The IP addresses will be 10.11.200. Task 4 Configure ASA-C1 to allow the inside network access to the outside networks using Dynamic Translation.11.

55. SMTP and ICMP traffic from Local to Internet Task 3 There is a web server located at 192.www.com Page 271 of 307 .0/24 and 10.11.0/8. HTTPS.55.0. TFTP.111. Task 11 Configure static routes on C2 with a default gateway pointing towards R4. 10.1.com. Task 5 Configure the SMTP Policy (Internet-->Local) as follows: Set the tcp idle-time to 4 minutes Turn on the audit trail Task 6 Configure the HTTP Policy (Local-Internet) as follows: Reset URI's greater thean 350 Copyrights Netmetric Solutions 2006-2010 Website: http://www.0/24 network.111.56.1 communicates to 55.112.55. Allow Access to it. Email: khawarb@khawarb.55.CareerCert.1. HTTP.0.112. it should be translated to 192.0. Configure Serial interface in the Internet Zone Task 2 Allow DNS. Task 4 There is a SMTP server located at 192.111.netmetric-solutions.1. FTP. it should be translated to 192. Task 9 Configure ASA-C2 such that when 10.30.30. 2.1.0.112. Allow Access to it.112.0/24 and 11.112.1 communicates to 55.111.55.55. Task 10 Configure static routes on ASA-C1 with a default gateway pointing towards R4.2 – Zone Based Firewall (4 Points) Task 1 Configure VLAN 30 in the Local Zone.0/8 networks.55. Also create static routes towards 22.111.42.info Configure ASA-C2 such that when 10.42. Also create static routes towards 10.11.

1 – IOS IPS Configuration (4 Points) Task 1 Configure R4 to merge the Built-in signatures with the Attack-drop. Task 5 The IPS rule set created should not fire alarms for any packets coming from R6.com Page 272 of 307 .11. Task 2 The new signature file should be called MYSIG. Task 7 Disable the Ping of Death signature on R4.11.netmetric-solutions. Task 4 Enable SDEE notifications.CareerCert.11. Task 3 Configure R4 to detect attacks coming into R4 from the Frame Cloud based on the newly created Signature file.sdf. Email: khawarb@khawarb. Allow 300 events to be stored in the buffer.com.11. Task 4 The Sensing interface(s) should be assigned in such a way that VLAN 41 should be checked against the default sensor and VLAN 42 should be Copyrights Netmetric Solutions 2006-2010 Website: http://www.2 – Basic IPS Sensor Configuration in Promiscuous mode (4 Points) Task 1 Configure the IPS Sensor’s Command and Control Interface through the CLI with an IP Address of 10.sdf signature file. Task 6 R4 should not fire alarms 2000.15/24.info Section 3 – IPS/IDS Configuartion – Basic (8 Points) 3.25) only. 2004 and 2154. 3. Task 3 Configure SPAN/RSPAN to monitor traffic for VLAN’s 41 and 42.www. Task 2 Allow access to the Sensor from the IDM PC (10.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.www.com.CareerCert.com Page 273 of 307 .netmetric-solutions.info checked against a new Virtual Sensor (VS1) using a new Signature definition (Sig1). Email: khawarb@khawarb.

Email: khawarb@khawarb. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 4 The component signatures should have fired within the last 2 minutes for the Custom signature to fire.www.1 – Custom Nimda Signature (4 Points) Task 1 Create a custom signature that fires when a Nimda attack is occurring.netmetric-solutions.CareerCert. Task 2 Nimda should trigger when the following built-in signatures fire: 5081 5124 5114 3215 3216 Task 3 Only generate the alarm for the Custom signature and not for the component signatures. Task 5 This should only be done for VLAN 41 traffic.info Section 4 – IPS/IDS Configuartion – Advanced (8 Points) 4. 4.com.com Page 274 of 307 . Task 4 This should only be done for VLAN 42 traffic. Task 2 Only fire the signature if 2 such packets are received in the last 60 seconds Task 3 Generate an alarm.2 – Signature Tuning (4 Points) Task 1 Enable Signature 2154. Set the Alarm Severity to Medium and Signature Fidelity Rating of 50.

com.16.4/24 Task 2 Configure an IPSec to encrypt the traffic between 172.info Section 5 – VPN Configuration – Basic (8 Points) 5.2.com.2 – IPSec LAN-To-LAN Tunnel using IOS CA Server (4 Points) Task 1 Assign R4 a domain name of NM.com Page 275 of 307 .16.www.2/24 R4 – Loopback 172 – 172. Also set the timezone and clock to the current timezone and time. Email: khawarb@khawarb.CareerCert. Configure R4 to be the CA Server to automatically grant certificates using the following parameters: RSA Key Size: 512 Bits Key Label: IOS-CA Any Passphrase: CCIESEC3 Encryption: 3DES Key Location: NVRAM Issuer Name: CN=IOS-CA.4.com L=ND C=IN Task 2 Copyrights Netmetric Solutions 2006-2010 Website: http://www.0/24 and 172.netmetric-solutions. Configure the following Policies: ISAKMP Parameters o Authentication : Pre-shared o Group : 2 o Encryption : 3DES IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Task 3 Do not use the “Crypto ISAKMP key” command on R4 to accomplish this task. 5. Task 4 You are allowed to create static routes to accomplish this task.NM.2. Make sure you use the Crypto ISAKMP key command on R2.16.1 – IPSec Tunnel between R2 and R4 (4 Points) Task 1 Configure the following Loopbacks on R2 and R4: R2 – Loopback 172 – 172.16.0/24.4.

33. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Configure R3 to request a certificate from R4.com Page 276 of 307 .55. Task 3 Generate 512 Bit RSA keys on R3 and R5.33/24 R5 – Loopback 55 – 10.55.55.netmetric-solutions.com.CareerCert.info Assign R3 and R5 a domain name of NM. the IOS-based CA Server. Keep redundancy in mind when pointing to the CA Server.33.55/24 Task 5 Configure an IPSec Tunnel to encrypt traffic between 10. Email: khawarb@khawarb. Use CCIESEC3 as the recovery password. Use the following parameters for the tunnel: Authentication type = RSA-SIG Hash = MD5 Diffie-Hellman = 2 Encryption = 3DES IPSec Encryption = ESP-3DES IPSec Authentication = ESP-MD5-HMAC Task 6 You are allowed to create static routes for this configuration. Task 4 Configure the following Loopback addresses on R3 and R5: R3 – Loopback 33 – 10.33.www.com.0 and 10.0 networks.55.33. Also set the timezone and clock to the current timezone and time.

Task 2 The following parameters should have been configured for the GET VPN tunnel: ISAKMP Parameters o Authentication : Pre-shared o Encryption : 3DES o Pre-Shared Key : cciesec o Group : 2 IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC o SA Lifetime : 3600 Key Server Parameters o Identity Number : 100 o Interesting Traffic : Any traffic on the 172. R5 and R6.netmetric-solutions. Email: khawarb@khawarb.com Page 277 of 307 . Bring it up.16.com.2 – EZVPN with R1 as the EZVPN Server (4 Points) Task 1 Configure R1 as the EZVPN Server.info Section 6 – VPN Configuration – Basic (8 Points) 6.www.1 – Configuring and Troubleshooting GET VPN (4 Points) Task 1 A GET VPN Tunnel has been configured between R3. o Local Address : Loopback 0 Task 3 The Tunnel is not coming up. Also configure a Domain name of NM.0 major network. 6. Enable AAA on the router and configure network authorization based on the Local Database. R4 has been configured as the Key Server. Task 2 Configure the following ISAKMP and IPSec Policies: ISAKMP Parameters o Authentication : Pre-shared o Group : 2 o Encryption : 3DES IPSec Parameters Copyrights Netmetric Solutions 2006-2010 Website: http://www.0.com.CareerCert.

1.50 Domain Name = NM.CareerCert.com Page 278 of 307 . Apply the Crypto map to the appropriate interface.1.info o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Task 3 Configure a Pool called EZP.225 as the pool addresses.49 WINS address = 192.com.netmetric-solutions. Email: khawarb@khawarb. Task 4 Configure an ISAKMP Client Group called EZC with the following parameters: Key = cciesec Dns address = 192. Task 7 Configure crypto map authorization to be done based on the Local Client Group.201 thru 192.www.41.0/24 network. Task 5 Configure a Local Database of Users for Extended Authentication based on the following: Username : User1 Password: cisco Username : User2 Password: cisco Task 6 Configure a Dynamic Crypto Map.168. Task 8 Test this from the Cisco VPN Client.11.com Pool = EZP Split Tunneling = Only Encrypt the traffic for this that needs to go to 10. Copyrights Netmetric Solutions 2006-2010 Website: http://www. This pool will be assigned to EZVPN clients. Configure Extended Authentication to be done based on the Local Username database. Use 192.55.11. Configure the Dynamic map such that the pool address will be advertised to PIX using the configured routing protocol.55.41.168. Configure a Crypto map that uses the Dynamic Crypto Map to respond to client requests.

55.www. Switch 1 should be seen on the outside as 192. Task 7 Create the following users and make them members of the SW-Admin group: Username – SW-user1 Password: swuser1 Username – SW-user2 Password: swuser2 Task 8 Configure Switch 1 to communicate with the ACS server using the appropriate protocol and key.15. Email: khawarb@khawarb.CareerCert. Allow the appropriate entries in the appropriate devices for this traffic.info Section 7 – Access/Identity Management (16 Points) 7.1. Task 5 Create the following users and make them members of the R-Admin group: Username – R-user1 Password: ruser1 Username – R-user2 Password: ruser2 Task 6 Configure a group called SW-Admins on the ACS server. Task 9 Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions. Task 3 Configure R6 with TACACS+ as the Authentication Protocol and a key of tacccie. Task 4 Configure a group called R-Admins on the ACS server.com.com Page 279 of 307 .1 – Configuring the ACS server for Authentication and Exec Authorization (4 Points) Task 1 Configure the ACS to allow Switch1 and R6 as ACS clients. Task 2 Switch1 should use RADIUS as the Authentication Protocol with a key of radccie.

Allow the appropriate entries in the appropriate devices for this traffic. 7. The Authenticated users should be assigned a Privilege Level of 15. This should be done by the ACS Server. 7. He should not be able to split it into more than 5 sessions. Authentication should be done based on the ACS server. He should not be able to have more than 4 session per week. Task 10 Management of the Switch 1 and R6 should be limited to SSH sessions. It should use PAP and CHAP as the protocols. Task 2 Configure R2 to Authenticate for login using the RADIUS server. Allow the appropriate entries in ASA-1 to allow R2 to communicate with the ACS Server. Task 2 R3-User2 should be Limited to 200 hours of online time total. Copyrights Netmetric Solutions 2006-2010 Website: http://www.www.2 – Usage Quotas (4 Points) Task 1 R3-User1 should be Limited to 20 hours of online time per week.CareerCert. Configure the R2/ACS connection using the appropriate RADIUS Protocol and a key of radccie. Make sure that the Console and AUX port do not require authentication.3 – Network Access Profiles (4 Points) Task 1 Configure R2 to communicate with the ACS Server.com Page 280 of 307 .netmetric-solutions. Email: khawarb@khawarb.info Configure R6 to communicate with the ACS server using the appropriate protocol and key.com. Task 3 Create the following users on the ACS Server: Username – R2-User1 Password: cisco Username – R2-User2 Password: cisco Task 4 Configure a Network access Profile (NAP). The Network Access profile should only allow requests from R2 for user R2-User1. Task 5 The profile should authenticate using the local ACS database.

Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 281 of 307 . Task 4 Configure a Group on the ACS Server called NAC.4 – 802. Email: khawarb@khawarb. Task 3 Enable the IETF RADIUS attributes.info Task 6 If the user is successfully authenticated. the ACS should download an ACL to allow this user access for all TCP.1x authentication. 65 and 81. Assign it a name of “VLAN802”.1x authentication for Ports F 0/10 – 11 on Switch 1. 64. Create this VLAN on the switch. Configure the group to notify the Switch that it should put the device in VLAN 802 upon successful authentication.www.1X NAC (4 Points) Task 1 Configure 802. it should be put in VLAN 333.netmetric-solutions. If the user does not successfully authenticate or the user does support 802. UDP and ICMP traffic.CareerCert.com. 7. Task 5 Configure a user NAC with a password of 8021x. Task 2 If the user authenticates successfully. the device should be put in VLAN 802. Make it a member of the NAC group.

218.0/24 199.4 – Blocking URL using NBAR (4 Points) Copyrights Netmetric Solutions 2006-2010 Website: http://www.202. The ACL should only block traffic from these networks.33.netmetric-solutions. prevent Ether types 0x4321 and 0x5432 coming into this VLAN.com. 8. There is a MAC Address 0001.2222 trying to attack VLAN 22.74. Email: khawarb@khawarb.0012.0/24 199. 8. 8.CareerCert. You would like to block Telnet traffic coming in from these networks into R3: 199. Block this MAC address from accessing any device on VLAN 22.www. Also.33.1 – Advanced ACL Wildcard Mask (4 Points) Task 1 You are receiving a set of routes from BB1.3 – Layer 2 Filtering (4 Points) Task 1 Configure the following policy for VLAN 22 on SW1. Task 2 Do not apply any access-list on any of the interfaces.33.0/24 Task 2 Use the minimum number of lines in the ACL to block the specified traffic from coming in.33.com Page 282 of 307 .2 – Configuring CP Protection (4 Points) Task 1 Configure R5 with a port-filter to drop all traffic destined to a closed or non-listened port except for a custom port 11223 Task 2 Configure a queue-threshold on R3 such that it set’s the queue depth for HTTP and Telnet traffic to 75 and all other protocols to 200.info Section 8 – Network and Switch Security (16 Points) 8.0/24 199.90.

com espn.netmetric-solutions.CareerCert.com Page 283 of 307 .com cmd. Copyrights Netmetric Solutions 2006-2010 Website: http://www.exe Task 2 Configure only one class map to block this type of traffic on R6.com. Email: khawarb@khawarb.info Task 1 You would like to block traffic going out with any of the following in the url field from R6: xxx.www.

9. Email: khawarb@khawarb.netmetric-solutions.4 – CAR and Priority Queuing (4 Points) Copyrights Netmetric Solutions 2006-2010 Website: http://www. Prevent this on Routing Devices. Task 2 Configure the Switch that this should be the only DHCP server to assign IP addresses in this VLAN.CareerCert.info Section 9 – Network Attacks (16 Points) 9. Task 4 Do not use an Access-list for this Task.com Page 284 of 307 . 9. VLAN 35 contains ports F 0/17 and 0/18 on Switch 2 in it. This packets are deemed to be attack packets. More Fragments bit in the flag field should be set to 1.www. Task 3 Prevent the ARP Spoofing attack by having the Switch validate IP – MAC Ip address mappings in this VLAN. Task 2 The matching criteria should be as follows: Fragment Offset should not be equal to 0. the packets should be dropped.1 – Re-routing Attack (4 Points) Task 1 Your Network is under a re-routing attack. Task 3 If the above criteria matches. Task 2 Use a Key ID 1 and a key-string of CCIE12353.2 – ARP Spoofing Attack (4 Points) Task 1 VLAN 35 is under a ARP Spoofing attack.com. 9.3 – Mitigating the UDP Fragmented Attack (4 Points) Task 1 R3 is receiving a lots of Fragmented UDP packets from the Frame Cloud. There is a DHCP Server located on port 0/18.

Use a legacy mechanism to accomplish this task. R5 and R6.netmetric-solutions. Use Normal Burst of 16 KB and Excess burst of 24KB.www.com. Do not use Policy-map to accomplish this task.com Page 285 of 307 . Limit this traffic to 128000 bps on either interface. You suspect these packets to be attacks. Copyrights Netmetric Solutions 2006-2010 Website: http://www.info Task 1 R3 is seeing a lot of packets coming in towards UDP port 1434 from ASA1.CareerCert. Email: khawarb@khawarb. Task 2 You would also like to prioritize RIP traffic towards R4. This traffic should be allowed to go out before any other traffic.

info CCIE Security Lab Workbook Version 3.com. Email: khawarb@khawarb.netmetric-solutions.CareerCert.www.com Copyrights Netmetric Solutions 2006-2010 Website: http://www.com Page 286 of 307 .0 Module 8: Super Labs Lab 36 – Super Lab 3 Netmetric Solutions http://www.netmetric-solutions.

1) C & C (.6) 192.52.15) 192.1.10) F 0/1 BB2 ASA-1 F 0/0 and F0/2 (. Email: khawarb@khawarb.15) 10.66.23.0/24 VLAN 63 (.0/24 SW1 R6 F 0/0 (.com.22.3) R5 F 0/1 (. AAA and CA (.info Super Lab – 3 IDM.1.5) S 0/0.0/24 VLAN 62 ASA-2 F 0/1 (.1.2) 192.5) (.11.30.com Page 287 of 307 .25) 192.6(.2) S 0/0.1.2) S 0/0.0/24 VLAN 12 F 0/1 and F0/3 (.1.0/24 VLAN 10 R1 10.3) S 0/0.11.0/24 VLAN 52 R3 F 0/0 (.2) 192.36.2(. IEV.1.6) 192.22.0/24 VLAN 30 S 0/0.2 (.6) S 0/0.1.10) (.CareerCert.0/24 192.3) S 0/0 (.0/24 F 0/0(.1.netmetric-solutions.1.3 (.0/24 VLAN 22 F 0/0 (.22.10) 192.25.0/24 VLAN 51 F0/0 (.4) R4 VPN Client Copyrights Netmetric Solutions 2006-2010 Website: http://www.5) 192.0/24 VLAN 61 F 1/0 BB1 IPS Sensor F 1/0 F 0/0(.6 (.5 (.1.20) F 0/0 (.0/24 S 0/0.25) F 0/1 (.66.22.1.10) 192.www.100) R2 192.0/24 VLAN 11 F 0/0 (.66.26.1) IPS Sensor F 0/1 IPS Sensor 10. Syslog.22.3 (.51.

www.6/24 192.55.15/8 R2 R3 R4 R5 R6 ASA-1 ASA-2 IPS Switch 1 Copyrights Netmetric Solutions 2006-2010 Website: http://www.3/24 192.2 S 0/0.1.11.1.com.1.1.1.5/24 192.5/24 192.11.23.44.25.3 S 0/0.1.2/24 192.11/8 192.15/24 192.2/24 192.22.2/24 192.66.1.6/24 192.66.44.2 S 0/0.1.22.1/24 11.33/8 192.23.10/24 192.22.1.66.1.3/24 192.3 Loopback 0 Redundant 1 Redundant 2 Mgmt IP C&C Interface VLAN 52 Loopback 0 IP Address 10.1.1.66.1/24 10.1.1.30.10/24 10.info IP Addressing Scheme Device R1 Port F 0/0 F 0/1 Loopback 0 F 0/0 S 0/0.15.15/24 15.4/24 44.36.11.44/8 192.52.26.11.11.22. Email: khawarb@khawarb.1.netmetric-solutions.com Page 288 of 307 .36.1.3/24 33.CareerCert.2/24 22.52.6 Loopback 0 F 0/0 S 0/0.51.11.15.22.33.5 S 0/0.22.33.1.25.10/24 10.5/24 55.66.22/8 192.55.6/24 66.26.55/8 192.66/8 192.22.22.6 Loopback 0 F 0/0 Loopback 0 F 0/0 F 0/1 S 0/0 Loopback 0 F 0/0 S 0/0.

Email: khawarb@khawarb.info OSPF Network Diagram ASA-1 R2 Area 0 R3 R5 R6 SW1 Copyrights Netmetric Solutions 2006-2010 Website: http://www.com.com Page 289 of 307 .CareerCert.netmetric-solutions.www.

www.info EIGRP Network Diagram R3 AS 230 BB1 RIP Network Diagram R1 ASA-1 Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert.com Page 290 of 307 .com.netmetric-solutions. Email: khawarb@khawarb.

Task 3 Configure ASA-1 to give out IP Addresses on the Inside Interface based on the following: IP Range : 10.www. Task 4 Configure the Switch to accordingly. If the pool is exhausted.22.com.51 – 10.22.1 – Configuring Interface Redundancy (4 Points) Task 1 Configure the F 0/0 and F 0/2 as part of Redundant Interface 1 in that order. it should not be able to go out.com Page 291 of 307 .1.netmetric-solutions. Task 2 Make sure that it there is no translation rule on the ASA-1 for a network.22.36 TFTP-Server : 10.169 Copyrights Netmetric Solutions 2006-2010 Website: http://www.22. Assign it a virtual mac-address of your choice.1.22. Assign it a virtual mac-address of your choice. Email: khawarb@khawarb. 1.22.1.1.51-192. Task 2 Configure the F 0/1 and F 0/3 as part of Redundant Interface 2 in that order.info Startup Configurations Pre-load the Initial Configurations for all the devices Section 1 – ASA/IOS FW Configuration – Basic (8 Points) 1.22.99. Task 3 Configure ASA-1 with the IP Configuration based on the IP Addressing table.22.35 WINS Server : 10.22.101 as a backup address.22.CareerCert.2 – Basic IP Configuration of ASA-1 (4 Points) Task 1 Configure ASA-1 to allow inside networks in your topology to go out using the a pool of 192.100 DNS Server : 192. it should still allow the users to go out using 192.22.22.

Task 6 Statically translate the ACS server as 192. Copyrights Netmetric Solutions 2006-2010 Website: http://www.1.www.com.100 on the outside of ASA-1.22. Email: khawarb@khawarb.netmetric-solutions.CareerCert.com Page 292 of 307 .info Task 4 Run OSPF as the routing protocol on ASA-1 on the outside interface. Task 5 Run RIP as the routing protocol on ASA-1 on the inside interface. Make sure R1 learns all outside routes from ASA-1.

it should drop the packet.1. Task 3 You will be configuring MPLS-Unicast Routing on R4 and R6 in the future. allow BPDU packets and packets with a EtherType 0x2111 thru the Firewall.66. Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert. It should look in the Static ARP table for a matching entry and if it does not exist. Task 2 Configure F 0/0 as the outside interface with a security level of 0. Task 6 Allow devices on the inside of the ASA-2 should be able to go out for Web. 2.com.info Section 2 – ASA/IOS FW Configuration – Advanced (12 Points) 2. Email: khawarb@khawarb. Configure F 0/1 as the inside interface with a security level of 100. Make sure the Firewall allows them to communicate to each other. Task 4 Allow Management of ASA only from VLAN 63 devices.1 – ASA-2 Transparent Firewall Configuration (4 Points) Task 1 Configure the ASA-2 as a Transparent Firewall. Telnet and SSH access to the ASA should be allowed from the inside interface only. Task 3 Assign the ASA an IP address of 192.66. FTP and DNS traffic only.10/24 with a default gateway of 192.2 – Layer 2 Filtering (4 Points) Task 1 Configure the ASA-2 such that it examines all the ARP Packets (reply or gratuitous ARP) on the outside interface before forwarding the packet.com Page 293 of 307 .1.www.netmetric-solutions. Also. Task 5 Allow R6 to Telnet and HTTP into R4. Task 2 Create a Static ARP entry for R6 IP to MAC mapping on the respective interfaces.6.

CareerCert.1. Check with the websense server before allowing access to Internet Webpages for Local-->Internet Traffic Copyrights Netmetric Solutions 2006-2010 Website: http://www.55 located on the DMZ zone Allow SMTP Access to a server 192.www. SMTP and ICMP traffic from Local to Internet Allow HTTP Access from the Local zone to all servers on the DMZ Zone Task 3 Configure the Zone Policy for traffic coming in from the Internet as follows: Allow Web Access to a server 192. HTTP.51.51. HTTPS. FTP.1.1.50 located on the DMZ zone Task 4 Configure the Zone Policy for traffic originating from the DMZ Zone as follows: Allow the SMTP server 192.0/24 Task 6 A Websense server exists at 192. TFTP.0/24 and 44.111. Task 5 Configure Java Applets coming in from 44.52.3 – Zone-Based Firewall (4 Points) Task 1 Configure VLAN 52 as the Local Zone. Email: khawarb@khawarb.44.50 to access a SMTP server 192. Task 2 Configure the Zone Policy for traffic originating from Local Zone as follows: Allow DNS.50 located in the Local zone.com Page 294 of 307 .netmetric-solutions. Configure the Frame Cloud as the Internet Zone.51.44.1.1.45.51. Configure VLAN 51 as the DMZ zone.com.44.info 2.

0/24.11.info Section 3 – IPS/IDS Configuartion – Basic (8 Points) 3.11.22.11.15/24 Default Gateway – 10. 192. Task 4 Configure Inline pair to connect R6 to ASA-2. Use the appropriate interface to accomplish this.11.22. Configure a new Signature Definition for VS1 Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 5 Configure the switch to accommodate this configuration.11. Task 6 Make sure only the appropriate traffic is send to the IPS Interface.CareerCert.1 Web Server Port number – 4430 Allowed Hosts – 10.22. Task 7 Assign the Inline pair for R1-ASA-1 connectivity to Virtual Sensor 0 and the Inline pair for R6-ASA-2 to Virtual Sensor 1 (VS1). Use the appropriate interface to accomplish this.www. Task 2 Configure the switch to accommodate this configuration. Email: khawarb@khawarb.2 – IPS Sensor Configuration in Inline mode (4 Points) Task 1 Configure Inline pair to connect R1 to ASA-1.0/24 3.netmetric-solutions.11.1 – Initial Configuration (4 Points) Task 1 Configure the IPS Sensor with the following parameters: Hostname – IPS-WB IP Address – 10.0/24. Task 3 Make sure only the appropriate traffic is send to the IPS Interface.com.com Page 295 of 307 .1. 10.

Task 2 Configure the ICMP Echo Reply Signature with the following threshold parameters: Summary Mode – Fire all Summary Threshold – 50 Global Summary Threshold – 150 Summary Interval – 75 seconds Summary Key – Source IP Address Task 3 Make sure this is done for all traffic thru the Sensor 4.com. Task 3 Configure a Custom signature “I-Phone” to block these requests. Do not use the TCP String signature engine to accomplish this. The URL for theses requests are http://www.www.2 – Custom Signature – I-Phone Applications (4 Points) Task 1 You network users are complaining about slow Internet connection.info Section 4 – IPS/IDS Configuartion – Advanced (8 Points) 4. Task 2 The signature should have a severity of Medium. Copyrights Netmetric Solutions 2006-2010 Website: http://www.apple. Email: khawarb@khawarb.netmetric-solutions. Task 4 This signature should only fire when traffic is coming is passing thru ASA-1 towards R1 and vice-versa.com Page 296 of 307 .CareerCert.com.1 – Signature Throttling (4 Points) Task 1 Configure the ICMP Echo Request to fire after 15 occurrences from the Same source IP Address to any destination within the last 60 seconds. You run network monitoring tools and find that the users are using the Internet connection to download application and songs from apple’s website for the I-Phone.

netmetric-solutions.1 URL-List – Intranet Web Server – http://10.29 Task 4 Configure a user called W-VPNUSER with a password WVPNPASS.22. Also configure the following attributes for this group: Port-forwarding – R1 – Local Port 25000 – Server – R1 – Port 23 Filter – Block URL Access to http://NMConfidential. Task 3 Configure an internal User-group named W-VPN. Email: khawarb@khawarb.com. Group-Policy – W-VPN Task 5 Connect into the ASA-1 from the VPN Client to establish the connection.22. Configure this group for Web VPN as the tunneling protocol only.1 – SSL VPN on ASA-1 (4 Points) Task 1 Enable the HTTP service on R1 and enable Telnet on it as well. Task 2 Enable Web VPN on ASA-1 on the outside interface.22.com Page 297 of 307 . Copyrights Netmetric Solutions 2006-2010 Website: http://www. All other web servers should be allowed.22. Also configure the following attributes for this group: URL-List – R1 – http://10.info Section 5 – VPN Configuration – Basic (8 Points) 5. Task 6 Configure the Web VPN login page with the following parameters: Title – Netmetric Solutions Login Message – Welcome to Netmetric Solutions Logout Message – Thanks for using Netmetric Solution’s Web VPN Logo – Do not show the Cisco Systems logo Task 7 Configure an internal User-group named W-VPN. If a packet is received on the outside interface for port 80.www. Configure this group for Web VPN as the tunneling protocol only.com.CareerCert. it should be redirected to 443.

2 – DMVPN (4 Points) Task 1 Configure the following Loopbacks on R2.22.256 Copyrights Netmetric Solutions 2006-2010 Website: http://www. Use the following parameters: Use the following Parameters for the Tunnel: ISAKMP Tunnel : o Authentication – Pre-share o Hash MD5 o Pre-shared Key .16.6. R5 and R6.6/24 Task 2 Configure a DMVPN Tunnel between R2. R5 and R6.5/24 R6 – Loopback 172 – 172.0/24 o Tunnel Key – 256 EIGRP Tunnel Parameters: o EIGRP AS Number .110.info Task 8 Configure POP3 Support.5.16.2/24 R5 – Loopback 172 – 172. R2 – Loopback 172 – 172.16. Use port 11000 for secure POP3.CareerCert. Email: khawarb@khawarb.CISCO IPSec Tunnel : o Encryption – ESP-3DES o Authentication – ESP-MD5-HMAC NHRP Parameters: o NHRP ID – 256 o NHRP Authentication Key – DMVPN o NHRP Hub (NHS) – R2 GRE Tunnel Parameters: o Tunnel IP Address – 172. The user will specify the Pipe “|” as the username delimiter and “@” as the server delimeter.www. The POP3S is located at 10. 5.16.22.56.com.com Page 298 of 307 .netmetric-solutions. Encrypt traffic from the Loopback 172’s to each other.2.

16.1.www.16.0/24. BB1 is pre-configured for the IPSec tunnel using the following parameters: Authentication type = Pre-shared Keys Copyrights Netmetric Solutions 2006-2010 Website: http://www.3/24 Task 2 Configure an IPSec to encrypt the traffic between 172.0/24. Do not use multiple “Set peer” commands on R1.16/24.16.com Page 299 of 307 .1/24 R3 – Loopback 13 – 172.netmetric-solutions.3.0/24 and 172. Configure an IPSec Tunnel to encrypt traffic from the newly created Loopback network to a network 10. This network exists behind BB1.1.116.16.3.0 have no restrictions in communicating to each other.16.16.16.116. Task 5 “Dead Peer Detection” packets should be send by ISAKMP every 10 seconds.2 – R4 to BB1 IPSec Tunnel thru ASA-2 (4 Points) Task 1 Configure an Loopback interface on R6 as 10.info Section 6 – VPN Configuration – Advanced (8 Points) 6. Email: khawarb@khawarb. Task 4 Make sure that networks 172.CareerCert.1.0 and 172.1 – High Availability IPSec between R1 and R3 without HSRP (4 Points) Task 1 Configure the following Loopbacks on R1 and R3: R1 – Loopback 13 – 172.16. 6.3. Configure the following Policies: ISAKMP Parameters o Authentication : Pre-shared o Group : 2 o Encryption : 3DES IPSec Parameters o Encryption : ESP-3DES o Authentication : ESP-MD5-HMAC Task 3 The tunnel should provide redundancy wherever possible.com.

16.116. Task 2 Configure R6 to form a Tunnel with BB1 using the above parameters.info Hash = MD5 Diffie-Hellman = 2 Pre-shared-key = cciesec IPSec Encryption = ESP-3DES IPSec Authentication = ESP-SHA-HMAC Interesting Traffic = 10.16 to bring the tunnel up. Task 3 You are allowed to create a static route on R6 to accomplish this task.netmetric-solutions.116 from 10.116.116.com.116. Ping 10.16. Email: khawarb@khawarb.16.16.www.0/24 Peer Address: BB1 is configured with Redundancy in mind. .0/24 to 10.com Page 300 of 307 .CareerCert. Copyrights Netmetric Solutions 2006-2010 Website: http://www.

Task 3 Configure a local user admin with a password of admin to accomplish this. Task 6 Make sure there is no authentication or authorization done on the Aux and Telnet lines. Task 4 Create the following users on the ACS Server: Username – R1-User1 Password: cisco Privilege: 15 Username – R1-User2 Password: cisco Privilege: 15 Task 5 When the users login. Task 3 Authenticate the users connecting into R1 for HTTP using the ACS server.com Page 301 of 307 .2 – SSH Configuration (4 Points) Task 1 Configure ASA-1 for SSH. 7. Task 4 Configure ASA-1 as a Client for the ACS Server. Don’t use the default RSA key for this.netmetric-solutions. Task 2 Allow SSH connections from the inside interfaces only. Email: khawarb@khawarb.1 – HTTP Management (4 Points) Task 1 Configure R1 to communicate with the ACS server using TACACS+ as the authentication protocol. Task 2 Configure R1 to allow HTTP Management.info Section Points) 7 – Access/Identify Management (16 7. Copyrights Netmetric Solutions 2006-2010 Website: http://www.CareerCert.www. It should only allow HTTP Management from VLAN 10.com. Use CC1E as the key. they should be assigned the privilege level from the ACS Server.

7. Console should not get authenticated.3 – IOS Authentication Proxy (4 Points) Task 1 You have the following servers located on VLAN 30: Web Server: SMTP Server: DNS Server: 192. he should be black listed and prevented from accessing the Server for 1 hour. Email: khawarb@khawarb. 7.103 Task 2 R3 wants to control who can access these servers from VLAN 30.101 192. Task 6 If the uses has been idle for 7 minutes.info Task 5 SSH Authentication should be done based on the ACS server.CareerCert.1.1.30.com. use the Local Database as a backup authentication mechanism. Task 4 Authentication and Authorization should be done based on the ACS server using TACACS+. Task 5 Once authenticated. If the ACS server is down. the user should be able to access any of these 3 servers. Task 3 Configure R3 with Authentication Proxy to allow access to these servers based on successful authentication only.30.com Page 302 of 307 .www.30.4 – AAA Authentication and Authorization (4 Points) Task 1 Configure Command Authorization set for Routers using the following commands on the ACS Server: Show ip interface brief Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions. the user’s authentication credentials should be removed. Task 7 If a user tries to log in and fails for 3 times.102 192.1.

Make sure no authorization is done on the Console Line.com Page 303 of 307 . Copyrights Netmetric Solutions 2006-2010 Website: http://www.netmetric-solutions.CareerCert. Ruser2 should only be allowed to issue these commands on R3. Assign Ruser2 to privilege level 15 on the ACS Server.www.com. Email: khawarb@khawarb. Task 3 Configure the Router to authenticate the logins and authorize Exec and Commands on Telnet connection based on the ACS server for R3. Ruser1 should also be assigned to Privilege 15.info Show ip route Ip routing Configure Router Network Access-list Task 2 Assign this Command Authorization set to Ruser2. Ruser1 should be allowed to execute all commands.

Do not configure any commands under the interface to accomplish this task. Email: khawarb@khawarb. Once the connection gets established.25 is a Web and DNS Server.netmetric-solutions. It should authenticate the clients using a key id of 256. It will also go down for maintenance from 8:00 Copyrights Netmetric Solutions 2006-2010 Website: http://www. R2 is in Chicago. Set the same parameters for the connection made in the last minute. R3 should complete the 3-Way TCP handshake on behalf of this Server. Task 2 This server will be going down for maintenance from 10:00 PM – 11:30 PM from Monday – Friday.45. 8.com.1 – IP TCP Intercept (4 Points) Task 1 There is a Web Server located at 192. Do not use the NTP Server command to receive the clock.1.CareerCert.2 – NTP (4 Points) Task 1 Configure R5 as a NTP Master with a stratum of 2. Configure the appropriate Time Zone setting. Task 2 R3 should start deleting half open connection if the number reaches 600.info Section 8 – Network and Switch Security (16 Points) 8. the router should pass the connection information to the server. Configure R2 such that it automatically adjusts the clock based on the time zone Task 3 Configure R6 to receive its clock from R2. R5 is in Los Angeles. R6 is located in New York. It should stop deleting half open connection if they reach 400. Also configure R5 to automatically change to Summer Time at 2:00 AM on the 2nd Sunday of March and change it back on the First Sunday of November. It is getting overwhelmed by syn-attacks.www.66.com Page 304 of 307 . The Key string should be ccie12353. 8. It should not allow client to directly open a TCP connection to this server.30.1.3 – Time-based ACL (4 Points) Task 1 The device at 192. Task 2 Configure R2 to receive its clock from R5.

Configure a Time-range that specifies the Maintenance Schedule on R6. Task 2 Use Strict RPF to prevent IP spoofing using network addresses from the internal networks. The route could use the default gateway to check for the source address. Copyrights Netmetric Solutions 2006-2010 Website: http://www. Task 3 This time range should be activated from the first of next month and should remain in effect till the end of the year.netmetric-solutions.4 – IP Spoofing Prevention (4 Points) Task 1 Block any RFC 1918 address coming into R6.www.com Page 305 of 307 .CareerCert. Email: khawarb@khawarb. 8. Access should be allowed at all other times. Task 4 Configure an ACL on R4 that denies access to this server during the maintenance times coming in thru F 0/1 interface.info PM to 11:00 PM on Saturday and Sunday.com.

make sure all the ports in VLAN 30 cannot conduct a DHCP Starvation attack. Use 16 KB and 24 KB for normal and excess burst values. You turn on Netflow on R1 and see a lot of packets for TCP ports 135 and 4444 and UDP port 69 (W32. Use a Dynamic mechanism to accomplish this task.1 – DHCP Server Attacks (3 Points) Task 1 The DHCP server for VLAN 30 has been hit by a DHCP Starvation attack. Task 2 The actual DHCP server is on Port F 0/10 of SW1.CareerCert. Task 2 R1 is also experiencing a lot of traffic for udp port 1434 and TCP port 1433 (SQL Slammer).com.www. Email: khawarb@khawarb. Make sure this is the only DHCP Server for this VLAN. Task 3 The port should start sending these packets when their respective traffic falls below 25% of the bandwidth of the interface. It has run out of all IP’s in its Pool. You also see another DHCP server is giving out IP Addresses in this VLAN. 9.Blaster). 9. Task 3 Also.com Page 306 of 307 . Control this traffic by limiting the traffic to 64 Copyrights Netmetric Solutions 2006-2010 Website: http://www.2 – Storm Control (3 Points) Task 1 You are experiencing a Broadcast and a Multicast storm on Port F 0/11 of SW1.3 – Mitigating DoS attacks using CAR (4 Points) Task 1 R1 is experiencing a DoS attack against your network. Task 2 Control the traffic in such a way that the port blocks Broadcast or Multicast traffic if it exceeds 50% of the bandwidth of the interface. You suspect somebody in VLAN 30 is doing this by requesting addresses unnecessarily and then making itself the DHCP Server. Control this traffic by limiting the traffic to 128 kbps coming into the Frame Link.netmetric-solutions.info Section 10 – Network Attacks (16 Points) 9.

info kbps coming into the Frame Link. Use 16 KB and 24 KB for normal and excess burst values.www.CareerCert. It should be in VLAN 11 with R1 F0/0 MAC address using an IP address of 10.com Page 307 of 307 .com. 9.22.netmetric-solutions. Email: khawarb@khawarb.4 – IP Source Guard (4 Points) Task 1 Turn on the Source Guard feature on SW1 such that F 0/0 should only allow R1 to connect up. Copyrights Netmetric Solutions 2006-2010 Website: http://www.1/24.22.

Sign up to vote on this title
UsefulNot useful