CCNA Security PT Practice SBA

A few things to keep in mind while completing this activity:
1. Do not use the browser Back button or close or reload any Exam windows during the exam.
2. Do not close Packet Tracer when you are done. It will close automatically.
3. Click the Submit Assessment button to submit your work.

Introduction

In this practice Packet Tracer Skills Based Assessment, you will:
- configure basic device hardening and secure network management
- configure a CBAC firewall to implement security policies
- configure devices to protect against STP attacks and to enable broadcast storm control
- configure port security and disable unused switch ports
- configure an IOS IPS
- configure a ZPF to implement security policies
- configure a site-to-site IPsec VPN

Addressing Table

Device            Interface  IP Address       Subnet Mask      Gateway          DNS server
Internet          S0/0/0     209.165.200.225  255.255.255.252  n/a              n/a
Internet          S0/0/1     192.31.7.1       255.255.255.252  n/a              n/a
Internet          S0/1/0     198.133.219.1    255.255.255.252  n/a              n/a
Internet          Fa0/0      192.135.250.1    255.255.255.0    n/a              n/a
CORP              S0/0/0     209.165.200.226  255.255.255.252  n/a              n/a
CORP              Fa0/0      10.1.1.254       255.255.255.0    n/a              n/a
CORP              Fa0/1.10   172.16.10.254    255.255.255.0    n/a              n/a
CORP              Fa0/1.25   172.16.25.254    255.255.255.0    n/a              n/a
CORP              Fa0/1.99   172.16.99.254    255.255.255.0    n/a              n/a
Branch            S0/0/0     198.133.219.2    255.255.255.252  n/a              n/a
Branch            Fa0/0      198.133.219.62   255.255.255.224  n/a              n/a
External          S0/0/0     192.31.7.2       255.255.255.252  n/a              n/a
External          Fa0/0      192.31.7.62      255.255.255.224  n/a              n/a
Public Svr        NIC        192.135.250.5    255.255.255.0    192.135.250.1    n/a
External Web Svr  NIC        192.31.7.35      255.255.255.224  192.31.7.62      192.135.250.5
External PC       NIC        192.31.7.33      255.255.255.224  192.31.7.62      192.135.250.5
NTP/Syslog Svr    NIC        172.16.25.2      255.255.255.0    172.16.25.254    10.1.1.5
DMZ DNS Svr       NIC        10.1.1.5         255.255.255.0    10.1.1.254       192.135.250.5
DMZ Web Svr       NIC        10.1.1.2         255.255.255.0    10.1.1.254       10.1.1.5
PC0               NIC        172.16.10.5      255.255.255.0    172.16.10.254    10.1.1.5
PC1               NIC        172.16.10.10     255.255.255.0    172.16.10.254    10.1.1.5
Net Admin         NIC        172.16.25.5      255.255.255.0    172.16.25.254    10.1.1.5
Admin PC          NIC        198.133.219.35   255.255.255.224  198.133.219.62   192.135.250.5

All contents are Copyright 1992-2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.

Step 1: Configure Basic Device Hardening for the CORP Router.
a. Configure the CORP router to only accept passwords with a minimum length of 10 characters.
b. Configure an encrypted privileged level password of ciscoclass.
c. Enable password encryption for all clear text passwords in the configuration file.
d. Configure the console port and all vty lines with the following requirements:
   Note: CORP is already configured with the username CORPADMIN and the secret password ciscoccnas.
   - use the local database for login
   - disconnect after being idle for 20 minutes
e. Disable the CDP protocol only on the link to the Internet router.

Step 2: Configure Secure Network Management for the CORP Router.
a. Enable the CORP router:
   - as an NTP client to the NTP/Syslog server
   - to update the router calendar (hardware clock) from the NTP time source
   - to timestamp log messages
   - to send logging messages to the NTP/Syslog server
b. Configure the CORP router to accept SSH connections. Use the following guidelines:
   Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess.
   - domain name is theccnas.com
   - RSA encryption key pair using a modulus of 1024
   - SSH version 2, timeout of 90 seconds, and 2 authentication retries
   - all vty lines accept only SSH connections
c. Configure the CORP router with AAA authentication and verify its functionality:
   - AAA authentication using the local database as the default for console line and vty lines access

Step 3: Configure Device Hardening for Switch1.
a. Access Switch1 with username CORPADMIN, password ciscoccnas, and the enable secret password of ciscoclass.
b. Enable storm control for broadcasts on FastEthernet 0/24 with a 50 percent rising suppression level.
c. Configure Switch1 to protect against STP attacks.
   - Configure PortFast on FastEthernet ports 0/1 to 0/23.
   - Enable BPDU guard on FastEthernet ports 0/1 to 0/23.
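A worked CORP configuration for Steps 1 and 2, added here as an example; it is not part of the original Cisco activity and the Packet Tracer answer key may differ in detail. It uses only the names, addresses and credentials given above (the existing users CORPADMIN and SSHAccess are not recreated). The choice of Serial0/0/0 for the CDP task comes from the addressing table, where that interface faces the Internet router; the verification commands at the end are standard IOS show commands.

```cisco
! ===== CORP: Step 1, basic device hardening =====
configure terminal
! set the length policy first: it is enforced on every password configured after it
security passwords min-length 10
! "ciscoclass" is exactly 10 characters, so it passes the policy just set
enable secret ciscoclass
! type 7 "encryption" only obscures line/user passwords; it is reversible, not a real secret
service password-encryption
line console 0
 login local
 exec-timeout 20 0
! use the full vty range the platform has (line vty 0 15 on many routers)
line vty 0 4
 login local
 exec-timeout 20 0
! CDP stays on internally; it is removed only on the link to the Internet router
interface Serial0/0/0
 no cdp enable
!
! ===== CORP: Step 2, secure network management =====
! NTP and syslog both live on 172.16.25.2 (NTP/Syslog Svr)
ntp server 172.16.25.2
ntp update-calendar
service timestamps log datetime msec
logging host 172.16.25.2
!
! SSH: the domain name must exist before the RSA key pair can be generated
ip domain-name theccnas.com
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh
!
! AAA: once aaa new-model is on, the per-line "login local" from Step 1
! is superseded by the default login method list
aaa new-model
aaa authentication login default local
end
!
! verification
show cdp interface
show ntp status
show clock detail
show ip ssh
show logging
show running-config | include aaa|login|transport input
```

Two things worth checking rather than assuming: `show cdp interface` should list every interface except Serial0/0/0, and `show ip ssh` should report version 2.0 with the 90 second timeout and 2 retries. A 1024-bit RSA key is what this assessment asks for; on production equipment generate 2048 bits or more.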

d. Configure port security and disable unused ports.
   - Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/23.
   - Allow the MAC addresses to be learned dynamically and shut down the port if a violation occurs.
   - Disable unused ports (Fa0/2-5, Fa0/7-10, Fa0/13-23).

Step 4: Configure an IOS IPS on the CORP Router.
a. On the CORP router, create a directory in flash named ipsdir.
b. Configure the IPS signature storage location to be flash:ipsdir.
c. Create an IPS rule named corpips.
d. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.
e. Apply the IPS rule to the Fa0/0 interface.
f. Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0); enable the signature; modify the signature event-action to produce an alert and to deny packets that match the signature.
g. Verify that IPS is working properly. Net Admin in the internal network cannot ping DMZ Web Svr. DMZ Web Svr, however, can ping Net Admin.

Step 5: Configure ACLs and CBAC on the CORP Router to Implement the Security Policy.
a. Create ACL 12 to implement the security policy regarding access to the vty lines: only users connecting from Net Admin and Admin PC are allowed access to the vty lines.
b. Create, apply, and verify an extended named ACL (named DMZFIREWALL) to filter incoming traffic to the DMZ. The ACL should be created in the order specified in the following guidelines. (The order matters here only because of how Packet Tracer scores the activity: all four statements are permits with no conflicting overlap, so on a real router any order gives the same behaviour, and the implicit deny at the end still drops everything else.)
   1. HTTP traffic is allowed to DMZ Web Svr.
   2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Svr.
   3. All traffic from 172.16.25.0/24 is allowed to enter the DMZ.
   4. FTP traffic from the Branch administrator workstation is allowed to DMZ Web Svr.
c. To verify the DMZFIREWALL ACL, complete the following tests:
   - Admin PC in the branch office can access the URL http://www.theccnas.com.
   - Admin PC can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco.
   - PCB1 cannot open an FTP session to the DMZ Web Svr.
   - Net Admin can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco.
   - PC1 cannot open an FTP session to the DMZ Web Svr.
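A worked configuration for Step 3 (Switch1) and Step 4 (IOS IPS on CORP), added here as an example; it is not part of the original activity and the answer key may differ in detail. Names, ports, signature numbers and the interface come from the task text. The `ip ips notify log` line is an addition not required by the task: it is a standard IOS command that sends IPS alerts to syslog, which makes Step 4g observable on the NTP/Syslog server. On real IOS the IPS also needs a signature package copied into flash:ipsdir and the Cisco public key installed before it will load; Packet Tracer ships with a built-in signature set, so those two steps are omitted here.

```cisco
! ===== Switch1: Step 3, Layer 2 hardening =====
configure terminal
! b. broadcast storm control on the uplink: rising threshold at 50% of bandwidth
interface FastEthernet0/24
 storm-control broadcast level 50
!
! c. and d. edge ports: PortFast, BPDU guard and port security
! port security is only accepted on access ports, hence "switchport mode access" first
interface range FastEthernet0/1 - 23
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
! d. unused ports
interface range FastEthernet0/2 - 5 , FastEthernet0/7 - 10 , FastEthernet0/13 - 23
 shutdown
end
show spanning-tree summary
show port-security
show storm-control
!
! ===== CORP: Step 4, IOS IPS =====
! a. the directory is created from privileged EXEC, not from config mode
mkdir ipsdir
configure terminal
! b. and c.
ip ips config location flash:ipsdir
ip ips name corpips
! optional: send IPS alerts to the syslog server configured in Step 2
ip ips notify log
! d. retire everything, then unretire only the basic category
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! e. "out" on Fa0/0 inspects packets leaving the router toward the DMZ segment
interface FastEthernet0/0
 ip ips corpips out
!
! f. ICMP echo request (2004/0): unretire, enable, alert and drop inline
ip ips signature-definition
 signature 2004 0
  status
   retired false
   enabled true
  engine
   event-action produce-alert
   event-action deny-packet-inline
end
show ip ips all
```

The direction on Fa0/0 is what makes the Step 4g test come out as described: an echo request from Net Admin to DMZ Web Svr exits Fa0/0 and is dropped by signature 2004, while an echo request from DMZ Web Svr enters Fa0/0, is not inspected, and the echo reply that goes back out is a different signature (2000), so it passes. Applying the rule with `in` instead would invert the result.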

d. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router. The ACL should be created in the order specified in the following guidelines. (As with DMZFIREWALL, the order matters only for Packet Tracer scoring; none of the five permits shadows another.)
   1. Allow HTTP traffic to the DMZ Web Svr.
   2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Svr.
   3. Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on the CORP router.
   4. Allow IP traffic from the Branch router serial interface into the CORP router serial interface.
   5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP site (209.165.200.240/28).
e. To verify the INCORP ACL, complete the following tests:
   - Admin PC in the branch office can access the URL http://www.theccnas.com.
   - Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the username SSHAccess and password ciscosshaccess.
   - PCB1 cannot establish an SSH connection to the CORP router (209.165.200.226).
   - External PC cannot establish an SSH connection to the CORP router (209.165.200.226).
f. Create and apply a CBAC inspection rule (named INTOCORP) to inspect ICMP, TCP, and UDP traffic between the CORP internal network and any other network.
g. Enable CBAC audit messages to be sent to the syslog server.
h. Verify the CBAC firewall configuration.
   - PC1 can access the External Web Svr (www.externalone.com).
   - PC1 can establish an SSH connection to the External router with username SSHadmin and password ciscosshpa55.
   - Admin PC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess.

Step 6: Configure a Zone-Based Policy Firewall on the Branch Router.
a. Access the Branch router with username CORPADMIN, password ciscoccnas, and the enable secret password of ciscoclass.
b. On the Branch router, create the firewall zones.
   - Create an internal zone named BR-IN-ZONE.
   - Create an external zone named BR-OUT-ZONE.
c. Define a traffic class and access list.
   - Create an ACL (ACL 110) to permit all protocols from the 198.133.219.32/27 network to any destination.
   - Create a class map using the option of class map type inspect with the match-all keyword. Match ACL 110 and name the class map BR-IN-CLASS-MAP.
d. Specify firewall policies.
   - Create a policy map named BR-IN-OUT-PMAP. Use the BR-IN-CLASS-MAP class map. Specify the action of inspect for this policy map.
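A worked CORP configuration for all of Step 5 (ACL 12, DMZFIREWALL, INCORP and the INTOCORP CBAC rule), added here as an example; it is not part of the original activity and the answer key may differ in detail. One assumption is flagged in the block: INCORP is applied inbound on Serial0/0/0, where packets are evaluated before outside-to-inside NAT, so the DMZ servers must be named by their public (translated) addresses. The document gives only the public range 209.165.200.240/28, not the individual static mappings, so the addresses 209.165.200.242 (DMZ Web Svr) and 209.165.200.243 (DMZ DNS Svr) used below are assumed and must be replaced with the real ones read from `show ip nat translations` on CORP.

```cisco
! ===== CORP: Step 5, ACLs and CBAC =====
configure terminal
! a. vty access limited to Net Admin and Admin PC; applied with access-class on top of the SSH-only transport
access-list 12 remark management hosts only
access-list 12 permit host 172.16.25.5
access-list 12 permit host 198.133.219.35
line vty 0 4
 access-class 12 in
!
! b. DMZFIREWALL: traffic entering the DMZ segment leaves the router through Fa0/0,
!    so the filter goes outbound on that interface (private addresses, already translated)
ip access-list extended DMZFIREWALL
 permit tcp any host 10.1.1.2 eq www
 permit tcp any host 10.1.1.5 eq domain
 permit udp any host 10.1.1.5 eq domain
 permit ip 172.16.25.0 0.0.0.255 any
 permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp
 ! implicit deny ip any any
interface FastEthernet0/0
 ip access-group DMZFIREWALL out
!
! d. INCORP: inbound on the Internet-facing serial, before NAT, hence public addresses.
!    209.165.200.242 and .243 are ASSUMED (not given in the activity); check "show ip nat translations"
ip access-list extended INCORP
 permit tcp any host 209.165.200.242 eq www
 permit tcp any host 209.165.200.243 eq domain
 permit udp any host 209.165.200.243 eq domain
 permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
 ! router-to-router: this entry also carries ISAKMP (udp/500) and ESP once the Step 7 VPN is up
 permit ip host 198.133.219.2 host 209.165.200.226
 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
!
! f. and g. CBAC: inspect sessions leaving toward the Internet; the dynamic return entries
!    are inserted ahead of INCORP, which is why PC1's web and SSH sessions in 5h succeed
ip inspect name INTOCORP icmp
ip inspect name INTOCORP tcp
ip inspect name INTOCORP udp
ip inspect audit-trail
interface Serial0/0/0
 ip access-group INCORP in
 ip inspect INTOCORP out
end
show access-lists
show ip inspect config
show ip inspect sessions
```

Two practical notes. First, `show access-lists` shows per-entry match counters, which is the quickest way to see which line a test packet hit (or that it hit none and was dropped by the implicit deny). Second, the FTP permits cover only the control channel on tcp/21: an active-mode data connection is opened by the server and enters Fa0/0 inbound, where DMZFIREWALL does not apply, but a passive-mode data connection from the client to a high port on the server would be denied; Packet Tracer's FTP model does not distinguish the two, a real deployment would need FTP inspection.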

e. Apply the firewall.
   - Create a pair of zones named IN-OUT-ZPAIR with the source as BR-IN-ZONE and destination as BR-OUT-ZONE.
   - Specify the policy map BR-IN-OUT-PMAP for handling the traffic between the two zones.
   - Assign interfaces to the appropriate security zones.
f. Verify the ZPF configuration.
   - The Admin PC in the Branch office can access the URLs http://www.theccnas.com and http://www.externalone.com.
   - The Admin PC in the Branch office can ping the External PC (192.31.7.33).
   - External PC cannot ping the Admin PC in the Branch office (198.133.219.35).
   - The Admin PC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess. If you get the Corp> prompt, then your configuration is correct.

Step 7: Configure a Site-to-Site IPsec VPN between the CORP Router and the Branch Router.
The following tables list the parameters for the ISAKMP Phase 1 policy and the IPsec Phase 2 policy:

ISAKMP Phase 1 Policy Parameters
  Key Distribution Method   ISAKMP
  Encryption Algorithm      AES
  Number of Bits            256
  Hash Algorithm            SHA-1
  Authentication Method     Pre-share
  Key Exchange              DH 2
  IKE SA Lifetime           86400
  ISAKMP Key                Vpnpass101

IPsec Phase 2 Policy Parameters
  Parameter            CORP Router             Branch Router
  Transform Set Name   VPN-SET                 VPN-SET
  Transform Set        esp-3des esp-sha-hmac   esp-3des esp-sha-hmac
  Peer Host Name       Branch                  CORP
  Peer IP Address      198.133.219.2           209.165.200.226
  Encrypted Network    209.165.200.240/28      198.133.219.32/27
  Crypto Map Name      VPN-MAP                 VPN-MAP
  SA Establishment     ipsec-isakmp            ipsec-isakmp

a. Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).
b. Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters table for the specific details needed.
c. Configure the IPsec Phase 2 properties on the CORP router. Refer to the IPsec Phase 2 Policy Parameters table for the specific details needed.
d. Bind the VPN-MAP crypto map to the outgoing interface.
e. Configure IPsec parameters on the Branch router using the same parameters as on the CORP router. Note that the interesting traffic is the same IP traffic between the two LANs, with source and destination swapped so that the Branch ACL is the mirror image of ACL 120 on CORP.
f. Save the running-config, then reload both the CORP and Branch routers.
g. Verify the VPN configuration by conducting an FTP session with the username cisco and the password cisco from the Admin PC to the DMZ Web Svr. On the Branch router, check that the packets are encrypted. To exit the FTP session, type quit.

Last updated: September 2012
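A worked configuration for Step 6 (ZPF on Branch) and Step 7 (site-to-site IPsec on both routers), added here as an example; it is not part of the original activity and the answer key may differ in detail. Every name, address and algorithm is taken from the task text and the two parameter tables. The one assumption is the ACL number on the Branch router: the text leaves it unspecified, so 120 is reused there to mirror CORP.

```cisco
! ===== Branch: Step 6, zone-based policy firewall =====
configure terminal
zone security BR-IN-ZONE
zone security BR-OUT-ZONE
! traffic class: anything sourced from the Branch LAN
access-list 110 permit ip 198.133.219.32 0.0.0.31 any
class-map type inspect match-all BR-IN-CLASS-MAP
 match access-group 110
policy-map type inspect BR-IN-OUT-PMAP
 class type inspect BR-IN-CLASS-MAP
  inspect
! only the in->out pair exists; with no out->in pair, unsolicited traffic from the
! outside is dropped (the Step 6f ping from External PC), while replies to inspected
! sessions are allowed back. IKE/ESP addressed to the router itself belong to the
! self zone, which is permitted by default, so Step 7 needs no extra zone-pair.
zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE
 service-policy type inspect BR-IN-OUT-PMAP
interface FastEthernet0/0
 zone-member security BR-IN-ZONE
interface Serial0/0/0
 zone-member security BR-OUT-ZONE
end
show zone-pair security
show policy-map type inspect zone-pair sessions
!
! ===== CORP: Step 7, site-to-site IPsec VPN =====
configure terminal
! a. interesting traffic, CORP public range -> Branch LAN
access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
! b. ISAKMP phase 1 (policy 10) from the Phase 1 table
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key Vpnpass101 address 198.133.219.2
! c. IPsec phase 2 from the Phase 2 table
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.133.219.2
 set transform-set VPN-SET
 match address 120
! d. bind to the outgoing interface
interface Serial0/0/0
 crypto map VPN-MAP
end
copy running-config startup-config
reload
!
! ===== Branch: Step 7, mirror image (peer address and ACL direction swapped) =====
configure terminal
! ACL number 120 is assumed here; the task does not name one for Branch
access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key Vpnpass101 address 209.165.200.226
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 209.165.200.226
 set transform-set VPN-SET
 match address 120
interface Serial0/0/0
 crypto map VPN-MAP
end
copy running-config startup-config
reload
!
! g. after the FTP session from Admin PC to DMZ Web Svr, run on Branch:
show crypto isakmp sa
show crypto ipsec sa
```

In `show crypto ipsec sa` on Branch, the proof that the FTP traffic was protected is the `#pkts encaps` / `#pkts encrypt` and `#pkts decaps` / `#pkts decrypt` counters moving away from zero; `show crypto isakmp sa` should show the peer pair in state QM_IDLE. The algorithm set is what this assessment specifies: 3DES, SHA-1, DH group 2 and a static pre-shared key are all considered legacy today, and a production tunnel would use IKEv2 with AES-GCM, SHA-256 and DH group 14 or an ECDH group.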