UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL
Contents: UniNets CCNA Security LAB MANUAL

Section 1 Securing Layer 2
 Lab 1-1 Configuring Native VLAN on Trunk Links
 Lab 1-2 Disabling Dynamic Trunking Protocol (DTP)
 Lab 1-3 Preventing Layer 2 Loops with BPDU Guard
 Lab 1-4 Protecting the Root Bridge using STP Root Guard
 Lab 1-5 Protecting the CAM Table using Port Security
 Lab 1-6 Preventing DHCP Rogue Servers by using DHCP Snooping
 Lab 1-7 Preventing Spoofed ARP via Dynamic ARP Inspection
 Lab 1-8 Preventing IP Spoofs using IP Source Guard

Section 2 Securing the Control Plane
 Lab 2-1 Configuring Local User Authentication via AAA
 Lab 2-2 Configuring SSH and HTTPS Management Access
 Lab 2-3 Configuring Console, Local and Remote System Logging (SYSLOG)
 Lab 2-4 Configuring Secure NTP (Network Time Protocol)
 Lab 2-5 Protecting the Cisco IOS File(s)

Section 3 Securing the Forwarding Plane
 Lab 3-1 Securing RIP Advertisements using MD5 Authentication
 Lab 3-2 Securing EIGRP Neighbors using MD5 Authentication
 Lab 3-3 Securing OSPF Neighbors using MD5 Authentication
 Lab 3-4 Configuring Cisco IOS ACL Object-Groups
 Lab 3-5 Configuring Time Based Access Control Lists

Section 4 Cisco IOS Firewall Technologies
 Lab 4-1 Configuring Dynamic NAT (Many to One) on ASA
 Lab 4-2 Configuring Static NAT (One to One) on ASA
 Lab 4-3 Configuring Static PAT (IP Port to IP Port) on ASA
 Lab 4-4 Configuring Cisco IOS Firewall
 Lab 4-5 Configuring Cisco IOS Firewall Exceptions
 Lab 4-6 Configuring Basic Cisco IOS Zone Based Firewall
 Lab 4-7 Configuring Cisco IOS Zone Based Firewall Exceptions

Section 5 Cisco IOS VPN Technologies
 Lab 5-1 Understanding VPN Technologies
 Lab 5-2 Configuring ISAKMP Policies
 Lab 5-3 Configuring Site to Site IPSEC VPN on IOS and ASA
 Lab 5-4 Configuring an IPSEC GRE Tunnel on IOS and ASA

Section 6 Cisco IOS IPS/IDS
 Lab 6-1 Configuring Basic Cisco IOS IPS/IDS
 Lab 6-2 Installing New IPS/IDS Signature Libraries
 Lab 6-3 Managing Cisco IPS/IDS Signatures
 Lab 6-4 Configuring Cisco IOS Signature Based IPS/IDS
 Lab 6-5 Configuring Cisco IOS Policy Based IPS/IDS

Section 7 Cisco Adaptive Security Appliances
 Lab 7-1 Overview of the Cisco ASA (Adaptive Security Appliances)
 Lab 7-2 Configuring ASA Enable and Username Authentication
 Lab 7-3 Configuring Login and MOTD Banners
 Lab 7-4 Configuring Interface Addressing, Names and Security Levels
 Lab 7-5 Configuring Static Routes on the ASA
 Lab 7-6 Configuring Dynamic Routing on the Cisco ASA
 Lab 7-7 Configuring SSH and Telnet Remote Management Access
 Lab 7-8 Configuring ASDM Remote Management Access
 Lab 7-9 Configuring RADIUS & TACACS+ on the Cisco ASA
 Lab 7-10 Configuring Cisco ASA Objects, Object Groups and Access Lists

Section 8 Cisco Access Control Server 5.x
 Lab 8-1 Installing Cisco ACS 5.x on VMWare Workstation
 Lab 8-2 Configuring User Accounts on Cisco ACS 5.x
 Lab 8-3 Configuring ACS Device Profiles
 Lab 8-4 Configuring RADIUS and TACACS+ Servers on Cisco IOS
 Lab 8-5 Configuring Named AAA Server Group List
 Lab 8-6 Configuring Cisco IOS AAA Authentication List
 Lab 8-7 Configuring Cisco ACS Server 5.x Group Based Authentication Policies
 Lab 8-8 Configuring Cisco IOS AAA Authorization List
 Lab 8-9 Configuring Cisco ACS Server 5.x Group Based Authorization Policies
 Lab 8-10 Configuring Cisco IOS AAA Accounting List
 Lab 8-11 Configuring Cisco ACS Server 5.x Accounting Policies
 Lab 8-12 Viewing Cisco ACS Server 5.x Accounting Logs
LAB 1 Overview of the Cisco ASA

Task

From the physical topology below, design the logical topology below so that it meets the following requirements. Configure the firewall interfaces and the routers as follows:
- Configure the IP addresses as per the logical topology, with the router number in the last octet (for example, Router-1 is 10.0.0.1/24).
- Enable Telnet on all routers so that they are accessible directly at privilege level 15 without any authentication.
- Router-1 and Router-3 must both be able to telnet to Router-2 and Router-4; Router-2 must also be able to telnet to Router-4.
- Use only static routing, where routing is required.
- Do not use access-lists for this task.
- Unnecessary broadcasts are not allowed on any link, and the network should converge as fast as possible.

Topology
Types of software version
- 8.2.x and earlier. Starting with 8.3, many features and their syntax changed (NAT, global ACLs, etc.).
- 8.4.x and 8.6.x and later; these are the same, except that 8.6.x was released only for specific hardware (the ASA 5500-X platforms).
- Code 9.x brings further changes, such as support for VPNs in multiple-context mode; outside the scope of this lab.

The firewall connection to the switch is an 802.1Q trunk (the ASA supports 802.1Q only, not ISL). You can create sub-interfaces corresponding to the VLANs carried over the trunk; do not forget to assign a VLAN number to each sub-interface (with the vlan command). The native (untagged) VLAN of the trunk maps to the physical interface and cannot be assigned to a sub-interface.

When configuring interfaces on the ASA in routed mode, the following can be configured:
- nameif <NAME>: mandatory; gives the interface a logical name. Without it, even if the interface is in the UP/UP state, it cannot be used for traffic forwarding.
- ip address <IP> <MASK> [standby <IP>]: mandatory. The standby address is only used with failover; unlike IOS, the ASA has no secondary addresses on an interface.
- no shutdown: mandatory; enables the interface.
- security-level <0-100>: optional; assigns the interface a level of trust, on which the implicit firewall rules below are based.
- speed {10 | 100 | 1000 | auto} and duplex {half | full | auto}: optional; by default all interfaces auto-negotiate both speed and duplex.

By default, based on the configured nameif, the ASA assigns the following implicit security levels to interfaces:
- 100 to a nameif of inside: most trusted, highest security level.
- 0 to a nameif of outside: least trusted, lowest security level.
- 0 to all other nameifs: least trusted, lowest security level.
Without any configured access-lists, the ASA implicitly allows or restricts traffic flows based on the security levels:
- Traffic from a higher security level to a lower security level is allowed by default (for example, from 100 to 0).
- Traffic from a lower security level to a higher security level is denied by default; to allow traffic in this direction, an ACL must be configured and applied (at interface level or, from 8.3 onwards, at global level).
- Traffic between interfaces with an identical security level is denied by default (for example, from 20 to 20, or in our case from 0 to 0); to allow traffic in this direction, the command same-security-traffic permit inter-interface must be configured.

The Management0/0 interface is used by default only for management purposes, because of the default interface-level command management-only under the management interface.
Firewall:

interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.0.0.10 255.255.255.0
 no shutdown
!
interface GigabitEthernet3
 nameif dmz
 security-level 50
 ip address 30.0.0.10 255.255.255.0
 no shutdown
!
interface GigabitEthernet2
 nameif outside-1
 security-level 0
 ip address 20.0.0.10 255.255.255.0
 no shutdown
!
interface GigabitEthernet4
 nameif outside-2
 security-level 0
 ip address 40.0.0.10 255.255.255.0
 no shutdown

Permit communication between different interfaces with the same security level. This allows Telnet from Router2 to Router4, because outside-1 and outside-2 both have security level 0:

same-security-traffic permit inter-interface
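The implicit security-level policy described above, applied to the lab firewall configuration, as an added example (this code is not from the manual or from Cisco). It assumes no ACLs are configured and that the ASA reaches each router over the directly connected subnet, which is all the lab needs; the parser only understands the handful of interface commands the lab uses, and it reproduces the implicit default (inside = 100, everything else = 0) for interfaces configured without a security-level.

```python
"""Cisco ASA implicit security-level policy, modelled for this lab.
Added example (not from the manual or Cisco). Assumes no ACLs and that
every router sits on a subnet directly connected to the ASA."""
import ipaddress

# The lab firewall configuration, embedded so the example runs offline.
ASA_CONFIG = """
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.0.0.10 255.255.255.0
interface GigabitEthernet3
 nameif dmz
 security-level 50
 ip address 30.0.0.10 255.255.255.0
interface GigabitEthernet2
 nameif outside-1
 security-level 0
 ip address 20.0.0.10 255.255.255.0
interface GigabitEthernet4
 nameif outside-2
 security-level 0
 ip address 40.0.0.10 255.255.255.0
same-security-traffic permit inter-interface
"""

# Telnet sessions the lab task requires, as (source router, destination router).
LAB_REQUIREMENTS = [
    ("10.0.0.1", "20.0.0.2"), ("10.0.0.1", "40.0.0.4"),   # Router1 -> Router2, Router4
    ("30.0.0.3", "20.0.0.2"), ("30.0.0.3", "40.0.0.4"),   # Router3 -> Router2, Router4
    ("20.0.0.2", "40.0.0.4"),                              # Router2 -> Router4
]

def parse_asa_config(text):
    """Return ({nameif: (security_level, connected_network)}, inter_interface_permitted)."""
    physical, current, inter_interface = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"nameif": None, "level": None, "net": None, "shutdown": False}
            physical[line.split(None, 1)[1]] = current
        elif line == "same-security-traffic permit inter-interface":
            inter_interface, current = True, None   # global command leaves interface mode
        elif current is None:
            continue
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]            # an optional "standby <ip>" is ignored
            current["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line == "shutdown":
            current["shutdown"] = True
    usable = {}
    for cfg in physical.values():
        if cfg["nameif"] is None or cfg["net"] is None or cfg["shutdown"]:
            continue   # no nameif, no address or shut down: cannot forward traffic
        level = cfg["level"]
        if level is None:   # implicit default: inside is 100, every other nameif 0
            level = 100 if cfg["nameif"] == "inside" else 0
        usable[cfg["nameif"]] = (level, cfg["net"])
    return usable, inter_interface

def interface_for(interfaces, ip):
    """Pick the interface whose connected subnet contains ip (connected routes only)."""
    addr = ipaddress.ip_address(ip)
    for nameif, (_level, net) in interfaces.items():
        if addr in net:
            return nameif
    raise ValueError(f"no connected interface for {ip}")

def flow_permitted(interfaces, inter_interface, src_ip, dst_ip):
    """Apply the implicit rules: high->low allowed, low->high denied, equal needs the permit."""
    src_if, dst_if = interface_for(interfaces, src_ip), interface_for(interfaces, dst_ip)
    if src_if == dst_if:
        # Hosts on one subnet talk directly; hairpinning through the ASA would
        # need "same-security-traffic permit intra-interface" instead.
        return False
    src_level, dst_level = interfaces[src_if][0], interfaces[dst_if][0]
    if src_level > dst_level:
        return True                  # e.g. 100 -> 0, or 50 -> 0
    if src_level < dst_level:
        return False                 # needs an ACL on src_if (or a global ACL)
    return inter_interface           # equal levels, e.g. 0 -> 0

def check_lab(config_text=ASA_CONFIG):
    """Map each required telnet session to whether the ASA forwards it without an ACL."""
    interfaces, inter_interface = parse_asa_config(config_text)
    return {pair: flow_permitted(interfaces, inter_interface, *pair)
            for pair in LAB_REQUIREMENTS}

if __name__ == "__main__":
    for (src, dst), ok in check_lab().items():
        print(f"{src} -> {dst}: {'forwarded' if ok else 'dropped'}")
```

Deleting the same-security-traffic line from the embedded configuration and running check_lab again shows exactly one requirement failing, the Router2 to Router4 session, which is the check this lab turns on.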
The vty configuration below (privilege level 15, no login) is what the task asks for in this lab; it grants unauthenticated privileged access and must never be used on a production device.

Router1:

interface GigabitEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
line vty 0 4
 privilege level 15
 no login
!
ip route 20.0.0.0 255.255.255.0 10.0.0.10
ip route 40.0.0.0 255.255.255.0 10.0.0.10

Router2:

interface GigabitEthernet1/0
 ip address 20.0.0.2 255.255.255.0
 no shutdown
!
line vty 0 4
 privilege level 15
 no login
!
ip route 10.0.0.0 255.255.255.0 20.0.0.10
ip route 30.0.0.0 255.255.255.0 20.0.0.10
ip route 40.0.0.0 255.255.255.0 20.0.0.10
Router3:

interface GigabitEthernet1/0
 ip address 30.0.0.3 255.255.255.0
 no shutdown
!
line vty 0 4
 privilege level 15
 no login
!
ip route 20.0.0.0 255.255.255.0 30.0.0.10
ip route 40.0.0.0 255.255.255.0 30.0.0.10

Router4:

interface GitabitEthernet1/0
 ip address 40.0.0.4 255.255.255.0
 no shutdown
!
line vty 0 4
 privilege level 15
 no login
!
ip route 10.0.0.0 255.255.255.0 40.0.0.10
ip route 30.0.0.0 255.255.255.0 40.0.0.10
! Return route to the outside-1 subnet, so Router4 can answer Router2's Telnet
! (40.0.0.0/24 is Router4's own connected network and needs no static route).
ip route 20.0.0.0 255.255.255.0 40.0.0.10
Verification
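The manual does not list verification commands for this lab; the following ASA commands are an added suggestion, not part of the original manual. They use the interface names and addresses from the lab configuration above, and the expected outputs are deliberately not shown here. packet-tracer runs a simulated packet through the ASA's own processing, so it tests the implicit security-level policy without touching the routers.

```text
! Interface names, security levels and addresses
show nameif
show interface ip brief
show running-config | include same-security
! Connected routes are all the ASA needs in this lab (no static routes on the firewall)
show route
! Simulate each Telnet session the task requires (source port is arbitrary)
packet-tracer input inside tcp 10.0.0.1 1025 20.0.0.2 23
packet-tracer input inside tcp 10.0.0.1 1025 40.0.0.4 23
packet-tracer input dmz tcp 30.0.0.3 1025 20.0.0.2 23
packet-tracer input dmz tcp 30.0.0.3 1025 40.0.0.4 23
packet-tracer input outside-1 tcp 20.0.0.2 1025 40.0.0.4 23
! A session the task does not require; expected to be dropped (low to high, no ACL)
packet-tracer input outside-1 tcp 20.0.0.2 1025 10.0.0.1 23
! After opening real Telnet sessions from the routers, confirm the connection table
show conn
```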