Packet Tracer - Skills Integration Challenge

Topology

[Topology diagram not reproduced in this extraction; the devices and links it shows are listed in the Addressing Table below.]

2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 6
Addressing Table

Device  Interface        IP Address        Subnet Mask        Default Gateway
R1      G0/0             209.165.200.233   255.255.255.248    N/A
        S0/0/0 (DCE)     10.10.10.1        255.255.255.252    N/A
        Loopback 1       172.20.1.1        255.255.255.0      N/A
R2      S0/0/0           10.10.10.2        255.255.255.252    N/A
        S0/0/1 (DCE)     10.20.20.2        255.255.255.252    N/A
R3      G0/1             172.30.3.1        255.255.255.0      N/A
        S0/0/1           10.20.20.1        255.255.255.252    N/A
S1      VLAN 1           192.168.10.11     255.255.255.0      192.168.10.1
S2      VLAN 1           192.168.10.12     255.255.255.0      192.168.10.1
S3      VLAN 1           172.30.3.11       255.255.255.0      172.30.3.1
ASA     VLAN 1 (E0/1)    192.168.10.1      255.255.255.0      N/A
        VLAN 2 (E0/0)    209.165.200.234   255.255.255.248    N/A
PC-A    NIC              192.168.10.2      255.255.255.0      192.168.10.1
PC-B    NIC              192.168.10.3      255.255.255.0      192.168.10.1
PC-C    NIC              172.30.3.3        255.255.255.0      172.30.3.1

Objectives
- Configure basic router security
- Configure basic switch security
- Configure AAA local authentication
- Configure SSH
- Secure against login attacks
- Configure site-to-site IPsec VPNs
- Configure firewall and IPS settings
- Configure ASA basic security and firewall settings

Scenario
This culminating activity includes many of the skills that you have acquired during this course. The routers and switches are preconfigured with the basic device settings, such as IP addressing and routing. You will secure routers using the CLI to configure various IOS features, including AAA, SSH, and Zone-Based Policy Firewall (ZPF). You will configure a site-to-site VPN between R1 and R3. You will secure the switches on the network. In addition, you will configure firewall functionality on the ASA.

Requirements
Note: Not all security features will be configured on all devices; however, they would be in a production network.
Configure Basic Router Security

Configure the following on R1:
- Minimum password length is 10 characters.
- Encrypt plaintext passwords.
- Privileged EXEC mode secret password is ciscoenapa55.
- Console line password is ciscoconpa55, timeout is 15 minutes, and console messages should not interrupt command entry.
- A message-of-the-day (MOTD) banner should include the word unauthorized.

Configure the following on R2:
- Privileged EXEC mode secret password is ciscoenapa55.
- Password for the VTY lines is ciscovtypa55, timeout is 15 minutes, and login is required.

Configure Basic Switch Security

Configure the following on S1:
- Encrypt plaintext passwords.
- Privileged EXEC mode secret password is ciscoenapa55.
- Console line password is ciscoconpa55, timeout is 5 minutes, and console messages should not interrupt command entry.
- Password for the VTY lines is ciscovtypa55, timeout is 5 minutes, and login is required.
- An MOTD banner should include the word unauthorized.

Configure trunking between S1 and S2 with the following settings:
- Set the mode to trunk and assign VLAN 99 as the native VLAN.
- Disable the generation of DTP frames.

Configure S1 with the following port settings:
- F0/6 should only allow access mode, be set to PortFast, and have BPDU guard enabled.
- F0/6 uses basic default port security with dynamically learned MAC addresses added to the running configuration.
- All other ports should be disabled.
Note: Although not all ports are checked, your instructor may want to verify that all unused ports are disabled.

Configure AAA Local Authentication

Configure the following on R1:
- Create a local user account of Admin01, a secret password of Admin01pa55, and a privilege level of 15.
- Enable AAA services.
- Implement AAA services using the local database as the first option and then the enable password as the backup option.

Configure SSH

Configure the following on R1:
- The domain name is ccnasecurity.com.
- The RSA key should be generated with 1024 modulus bits.
- Only SSH version 2 is allowed.
- Only SSH is allowed on the VTY lines.
- Verify that PC-C can remotely access R1 (209.165.200.233) using SSH.

Secure Against Login Attacks

Configure the following on R1:
- If a user fails to log in twice within a 30-second time span, disable logins for one minute.
- Log all failed login attempts.

Configure Site-to-Site IPsec VPNs

Note: Some VPN configurations are not scored. However, you should be able to verify connectivity across the IPsec VPN tunnel.

Enable the Security Technology package license on R1. Save the running configuration before reloading.

Configure the following on R1:
- Create an access list to identify interesting traffic on R1. Configure ACL 101 to allow traffic from the R1 Loopback 1 network to the R3 G0/1 LAN.
- Configure the crypto isakmp policy 10 Phase 1 properties on R1 and the shared crypto key ciscovpnpa55. Use the following parameters:
    Key distribution method: ISAKMP
    Encryption: aes 256
    Hash: sha
    Authentication method: pre-shared
    Key exchange: DH Group 5
    IKE SA lifetime: 3600
    ISAKMP key: ciscovpnpa55
- Create the transform set VPN-SET to use esp-aes 256 and esp-sha-hmac. Then create the crypto map CMAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map. Use the following parameters:
    Transform set: VPN-SET
    Transform encryption: esp-aes 256
    Transform authentication: esp-sha-hmac
    Perfect Forward Secrecy (PFS): group5
    Crypto map name: CMAP
    SA establishment: ipsec-isakmp
- Bind the crypto map (CMAP) to the outgoing interface.
- Verify that the Security Technology package license is enabled.

Repeat the site-to-site VPN configurations on R3 so that they mirror all configurations from R1.

Ping the Loopback 1 interface (172.20.1.1) on R1 from PC-C. On R3, use the show crypto ipsec sa command to verify that the number of packets is more than 0, which indicates that the IPsec VPN tunnel is working.
Configure Firewall and IPS Settings

Configure a ZPF on R3 using the following requirements:
- Create zones named IN-ZONE and OUT-ZONE.
- Create an ACL number 110 that defines internal traffic, which permits all IP protocols from the 172.30.3.0/24 source network to any destination.
- Create a class map named INTERNAL-CLASS-MAP that uses the match-all option and ACL 110.
- Create a policy map named IN-2-OUT-PMAP that uses the class map INTERNAL-CLASS-MAP to inspect all matched traffic.
- Create a zone pair named IN-2-OUT-ZPAIR that identifies IN-ZONE as the source zone and OUT-ZONE as the destination zone.
- Specify that the IN-2-OUT-PMAP policy map is to be used to inspect traffic between the two zones.
- Assign G0/1 as an IN-ZONE member and S0/0/1 as an OUT-ZONE member.

Configure an IPS on R3 using the following requirements:
Note: Within Packet Tracer, the routers already have the signature files imported and in place. They are the default XML files in flash. For this reason, it is not necessary to configure the public crypto key and complete a manual import of the signature files.
- Create a directory in flash named ipsdir and set it as the location for IPS signature storage.
- Create an IPS rule named IPS-RULE.
- Retire the all signature category with the retired true command (all signatures within the signature release).
- Unretire the IOS_IPS Basic category with the retired false command.
- Apply the rule inbound on the S0/0/1 interface.

Configure ASA Basic Security and Firewall Settings

Configure VLAN interfaces with the following settings:
- For the VLAN 1 interface, configure the addressing to use 192.168.10.1/24.
- For the VLAN 2 interface, remove the default DHCP setting and configure the addressing to use 209.165.200.234/29.

Configure hostname, domain name, enable password, and console password using the following settings:
- The ASA hostname is CCNAS-ASA.
- The domain name is ccnasecurity.com.
- The enable mode password is ciscoenapa55.

Create a user and configure AAA to use the local database for remote authentication:
- Configure a local user account named admin with the password adminpa55. Do not use the encrypted attribute.
- Configure AAA to use the local ASA database for SSH user authentication.
- Allow SSH access from the outside host 172.30.3.3 with a timeout of 10 minutes.

Configure the ASA as a DHCP server using the following settings:
- Assign IP addresses to inside DHCP clients from 192.168.10.5 to 192.168.10.30.
- Enable DHCP to listen for DHCP client requests.
Configure static routing and NAT:
- Create a static default route to the next hop router (R1) IP address.
- Create a network object named inside-net and assign attributes to it using the subnet and nat commands.
- Create a dynamic NAT translation to the outside interface.

Modify the Cisco Modular Policy Framework (MPF) on the ASA using the following settings:
- Configure class-map inspection_default to match default-inspection-traffic, and then exit to global configuration mode.
- Configure the policy-map list global_policy. Enter the class inspection_default and enter the command to inspect icmp. Then exit to global config mode.
- Configure the MPF service-policy to make the global_policy apply globally.