CCNAS v1.1 Skills-Based Assessment Hands On Answers
IP Addressing Table

Device  Interface        IP Address       Subnet Mask      Default Gateway  Switch Port
R1      FA0/0            209.165.200.233  255.255.255.248  N/A              ASA E0/0
R1      S0/0/0 (DCE)     10.10.10.1       255.255.255.252  N/A              N/A
R1      Loopback 1       172.20.1.1       255.255.255.0    N/A              N/A
R2      S0/0/0           10.10.10.2       255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)     10.20.20.2       255.255.255.252  N/A              N/A
R3      FA0/1            172.30.3.1       255.255.255.0    N/A              S3 FA0/5
R3      S0/0/1           10.20.20.1       255.255.255.252  N/A              N/A
S1      VLAN 1           192.168.10.11    255.255.255.0    192.168.10.1     N/A
S2      VLAN 1           192.168.10.12    255.255.255.0    192.168.10.1     N/A
S3      VLAN 1           172.30.3.11      255.255.255.0    172.30.3.1       N/A
ASA     VLAN 1 (E0/1)    192.168.10.1     255.255.255.0    NA               S2 FA0/24
ASA     VLAN 2 (E0/0)    209.165.200.234  255.255.255.248  NA               R1 FA0/0
PC      NIC                               255.255.255.0    192.168.10.1     S1 FA0/6
PC      NIC                               255.255.255.0    192.168.10.1     S2 FA0/18
PC-C    NIC              172.30.3.3       255.255.255.0    172.30.3.1       S3 FA0/18

All contents are Copyright 1992-2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Objectives

Part 1: Verify Basic Device Settings

Part 2: Configure Secure Router Administrative Access
- Configure encrypted passwords and a login banner.
- Configure EXEC timeout on console and VTY lines.
- Configure login failure rates and VTY login enhancements.
- Configure SSH access and disable Telnet.
- Configure RADIUS/TACACS+/Local AAA authentication.

Part 3: Configure a Site-to-Site VPN between ISRs
- Configure an IPsec site-to-site VPN between R1 and R3 using CCP.

Part 4: Configure an ISR Firewall and Intrusion Prevention System
- Configure a zone-based policy (ZPF) firewall on an ISR using CCP.
- Configure an Intrusion Prevention System (IPS) on an ISR using CCP.

Part 5: Secure Network Switches
- Configure passwords and a login banner.
- Configure management VLAN access.
- Secure trunk ports.
- Secure access ports.
- Protect against STP attacks.
- Configure port security and disable unused ports.

Part 6: Configure ASA Basic Settings and Firewall
- Configure basic settings, passwords, date and time.
- Configure the inside and outside VLAN interfaces.
- Configure port address translation (PAT) for the inside network.
- Configure a DHCP server for the inside network.
- Configure administrative access via Telnet and SSH.
- Configure a static default route for the ASA.
- Configure RADIUS/TACACS+/Local AAA user authentication.
- Verify address translation and firewall functionality.

Part 7: Configure ASA AnyConnect SSL VPN Remote Access
- Configure a remote access AnyConnect SSL VPN using ASDM.
- Verify AnyConnect SSL VPN access to the portal.
Exam Overview

The Case Study is divided into six parts, which should be completed sequentially. In Part 1 you verify that the basic device settings have been preconfigured by your group. In Part 2 you secure a network router using the CLI to configure various IOS features, including AAA and SSH. In Part 3 you configure a site-to-site VPN between R1 and R3 through the ISP router (R2). In Part 4 you configure a ZPF firewall and IPS on an ISR. In Part 5 you configure the network switches using the CLI. In Parts 6 and 7 you configure the ASA firewall functionality and AnyConnect SSL VPN remote access.
Part 1: Verify Basic Device Settings

- Host names and interface IP addresses: refer to the IP Addressing Table above.
- Clock rate on the DCE serial interfaces:
  R1(config)#interface S0/0/0
  R1(config-if)#clock rate 64000
  R2(config)#interface S0/0/1
  R2(config-if)#clock rate 64000
- DNS lookup disabled on each router.
- Static default routes from R1 and R3 toward R2:
  R1(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.2
  R3(config)#ip route 0.0.0.0 0.0.0.0 10.20.20.2
- Static routes from R2 to the R1 simulated LAN (Loopback 1), the R1 Fa0/0-to-ASA subnet and the R3 LAN (the next hops are the R1 and R3 serial addresses from the table):
  R2(config)#ip route 172.20.1.0 255.255.255.0 10.10.10.1
  R2(config)#ip route 209.165.200.232 255.255.255.248 10.10.10.1
  R2(config)#ip route 172.30.3.0 255.255.255.0 10.20.20.1
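A quick way to confirm that the Part 1 addressing and static routes actually carry PC-C's test pings across R2 is to model the table and the routes and walk the next hops. This is an added example (Python, not part of the SBA or its answer key); the interface and route data are transcribed from the table above, and the interface-name keys such as Loopback1 are only labels.

```python
import ipaddress

# Router interfaces, constructed from the IP Addressing Table above.
INTERFACES = {
    ("R1", "Fa0/0"): "209.165.200.233/29",
    ("R1", "S0/0/0"): "10.10.10.1/30",
    ("R1", "Loopback1"): "172.20.1.1/24",
    ("R2", "S0/0/0"): "10.10.10.2/30",
    ("R2", "S0/0/1"): "10.20.20.2/30",
    ("R3", "Fa0/1"): "172.30.3.1/24",
    ("R3", "S0/0/1"): "10.20.20.1/30",
}
# The Part 1 static routes as (router, destination, next hop).
STATIC_ROUTES = [
    ("R1", "0.0.0.0/0", "10.10.10.2"),
    ("R3", "0.0.0.0/0", "10.20.20.2"),
    ("R2", "172.20.1.0/24", "10.10.10.1"),
    ("R2", "209.165.200.232/29", "10.10.10.1"),
    ("R2", "172.30.3.0/24", "10.20.20.1"),
]

def connected(router, interfaces):
    """Subnets the router reaches without a route: its own interfaces."""
    return [ipaddress.ip_interface(a).network
            for (r, _), a in interfaces.items() if r == router]

def check_routes(interfaces, routes):
    """Problems found; empty means every next hop is on a connected subnet."""
    return [f"{router}: next hop {nh} is not directly connected"
            for router, _, nh in routes
            if not any(ipaddress.ip_address(nh) in n
                       for n in connected(router, interfaces))]

def next_hop(router, target, interfaces, routes):
    """Longest-prefix match: 'connected', a next-hop address, or None."""
    tgt = ipaddress.ip_address(target)
    if any(tgt in n for n in connected(router, interfaces)):
        return "connected"
    cands = [(ipaddress.ip_network(d).prefixlen, nh) for r, d, nh in routes
             if r == router and tgt in ipaddress.ip_network(d)]
    return max(cands)[1] if cands else None

def path(src, target, interfaces, routes):
    """Routers traversed from src until target is connected; None on a gap."""
    owner = {ipaddress.ip_interface(a).ip: r for (r, _), a in interfaces.items()}
    hops, router = [src], src
    while len(hops) <= len(interfaces):  # loop guard
        nh = next_hop(router, target, interfaces, routes)
        if nh is None:
            return None
        if nh == "connected":
            return hops
        router = owner[ipaddress.ip_address(nh)]
        hops.append(router)
    return None
```

Dropping any one of the three R2 routes makes path() return None for the corresponding destination, which is exactly the symptom of a failed PC-C ping in the verification step.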
All contents are Copyright 19922012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
- Management VLAN 1 addresses and default gateways on the switches:
  S1(config)#interface vlan 1
  S1(config-if)#ip address 192.168.10.11 255.255.255.0
  S1(config-if)#no shutdown
  S1(config-if)#exit
  S1(config)#ip default-gateway 192.168.10.1
  S2(config)#interface vlan 1
  S2(config-if)#ip address 192.168.10.12 255.255.255.0
  S2(config-if)#no shutdown
  S2(config-if)#exit
  S2(config)#ip default-gateway 192.168.10.1
  S3(config)#interface vlan 1
  S3(config-if)#ip address 172.30.3.11 255.255.255.0
  S3(config-if)#no shutdown
  S3(config-if)#exit
  S3(config)#ip default-gateway 172.30.3.1
- DNS lookup disabled on each switch.
- Verify connectivity from PC-C:
  On PC-C >> ping 172.20.1.1 (R1 Loopback 1)
  On PC-C >> ping 209.165.200.233 (R1 Fa0/0)
R1(config)#line console 0
R1(config-line)#password ciscoconpa55
R1(config-line)#exec-timeout 15 0
R1(config-line)#login
R1(config-line)#logging synchronous
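The Part 2 objectives (encrypted passwords, a banner, EXEC timeouts, a login failure rate limit, SSH-only VTY access, AAA) are worth auditing in a saved running-config rather than checking by eye. The following is an added example, not part of the SBA answer key: it parses a constructed IOS config excerpt and reports which of those requirements are not met. The command names are standard IOS commands; the sample config and the exact check list are assumptions made here about what a completed Part 2 should contain.

```python
import re
# Constructed sample of an R1 running-config excerpt (not from the page);
# the VTY lines deliberately still allow Telnet so the audit has something to find.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 <hash-placeholder>
aaa new-model
aaa authentication login default group radius local
login block-for 60 attempts 2 within 30
ip ssh version 2
banner motd ^CUnauthorized access is prohibited^C
line con 0
 exec-timeout 15 0
line vty 0 4
 exec-timeout 5 0
 transport input telnet ssh
"""

def parse(config):
    """Split a config into global commands and per-'line' section commands."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, sections

def audit(config):
    """Return the Part 2 hardening requirements that the config fails."""
    g, sections = parse(config)
    gs = "\n".join(g)
    checks = [
        ("service password-encryption" in g, "passwords not encrypted"),
        (re.search(r"^banner (motd|login) ", gs, re.M), "no login banner"),
        (re.search(r"^login block-for \d+ attempts \d+ within \d+$", gs, re.M),
         "no login failure rate limit"),
        ("aaa new-model" in g and re.search(r"^aaa authentication login ", gs, re.M),
         "AAA login authentication not configured"),
        ("ip ssh version 2" in g, "SSH version 2 not enforced"),
    ]
    failures = [msg for ok, msg in checks if not ok]
    for name, cmds in sections.items():
        # 'exec-timeout 0 0' disables the idle timeout, so it does not satisfy the check
        if not any(c.startswith("exec-timeout") and c != "exec-timeout 0 0" for c in cmds):
            failures.append(f"{name}: no exec-timeout")
        if name.startswith("line vty"):
            ti = [c for c in cmds if c.startswith("transport input")]
            if not ti or ti[-1] != "transport input ssh":
                failures.append(f"{name}: Telnet still allowed")
    return failures
```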
b. Enable the HTTP server on R3.
   R3(config)# ip http server
c. Add user Admin01 to the local database with a privilege level of 15 and a password of Admin01pa55.
   R3(config)# username Admin01 privilege 15 secret Admin01pa55
d. Configure local database authentication of HTTP sessions.
   R3(config)# ip http authentication local
b. Specify the pre-shared VPN key cisco12345. In the Authentication section, click Pre-shared Keys, and enter the pre-shared VPN key cisco12345. Re-enter the key for confirmation. Click Next to continue.
c. Encrypt traffic between the R3 LAN and the R1 Loopback 1 simulated LAN. On the IKE Proposals screen, click Next to continue. On the Transform Set screen, click Next to continue. On the Traffic to protect screen, enter the following information:
   Local Network (R3 LAN) IP address: 172.30.3.1
   Subnet Mask: 255.255.255.0
   Click Next to continue.
Review the Summary of the Configuration screen. You can scroll down to see the IPsec rule (ACL) that CCP creates for R3, which permits all traffic from network 172.30.3.1/24 to network 172.20.1.1/24. Click Finish to go to the Deliver Configuration to Device screen. On the Deliver Configuration to Device screen, select Save running config. to device's startup config, and click the Deliver button. After the commands have been delivered, click OK.

To save these configuration commands for later editing or documentation purposes, click the Save to file button.

Click the Configure button at the top of the CCP screen. Choose Security > VPN > Site-to-Site VPN. Click the Edit Site to Site VPN tab. Select the VPN policy you just configured on R1 and click the Generate Mirror button in the lower right of the window. The Generate Mirror window displays the commands necessary to configure R3 as a VPN peer. Scroll through the window to see all the commands generated.
b. Apply the crypto map to the R1 VPN interface. On R1, enter privileged EXEC mode and then global configuration mode. Copy the commands from the text file into the R1 CLI.
   To apply the crypto map to the R1 VPN interface, enter the following:
   R1(config)#interface S0/0/0
   R1(config-if)#crypto map SDM_CMAP_1
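The interesting-traffic ACL shown on the summary screen and the Generate Mirror output for the peer are mirror images of each other. The added Python example below (not CCP output and not part of the answer key) builds the R3 ACL from the two LANs, derives the R1 mirror, checks that the two really are mirrors, and shows which of PC-C's test pings would be sent through the tunnel. It assumes Loopback 1 is 172.20.1.1/24 as in the addressing table and uses ACL number 100 as an arbitrary placeholder.

```python
import ipaddress

def crypto_acl(local, remote, number=100):
    """Interesting-traffic ACL for one peer: its own LAN as source, the remote
    LAN as destination, written with IOS wildcard (inverted) masks."""
    l = ipaddress.ip_network(local, strict=False)
    r = ipaddress.ip_network(remote, strict=False)
    return (f"access-list {number} permit ip {l.network_address} {l.hostmask} "
            f"{r.network_address} {r.hostmask}")

def _net(addr, wildcard):
    """Address plus wildcard mask back to a network (netmask = ~wildcard)."""
    inv = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(inv))), strict=False)

def parse_acl(line):
    """Return (number, src_net, dst_net) from a 'permit ip' ACL line."""
    p = line.split()
    if len(p) != 8 or p[0] != "access-list" or p[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line}")
    return p[1], _net(p[4], p[5]), _net(p[6], p[7])

def mirror_acl(line):
    """What CCP's Generate Mirror produces for the peer: src and dst swapped."""
    num, src, dst = parse_acl(line)
    return (f"access-list {num} permit ip {dst.network_address} {dst.hostmask} "
            f"{src.network_address} {src.hostmask}")

def are_mirrors(a, b):
    """True when the two peers' ACLs select the same flows in opposite directions."""
    _, sa, da = parse_acl(a)
    _, sb, db = parse_acl(b)
    return sa == db and da == sb

def is_interesting(line, src_ip, dst_ip):
    """Would a packet from src_ip to dst_ip be selected for the tunnel?"""
    _, src, dst = parse_acl(line)
    return ipaddress.ip_address(src_ip) in src and ipaddress.ip_address(dst_ip) in dst

# R3's LAN and R1's Loopback 1 simulated LAN, from the addressing table.
R3_ACL = crypto_acl("172.30.3.1/24", "172.20.1.1/24")
R1_ACL = mirror_acl(R3_ACL)
```

A ping from PC-C to the R1 Fa0/0 address is not matched by the ACL, so it leaves R3 unencrypted; only the ping to the Loopback 1 network brings the tunnel up.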
b. Ping from PC-C to the R1 Lo1 interface at 172.16.1.1 to generate some interesting traffic.
   On PC-C >> ping 172.16.1.1
c. Issue the show crypto isakmp sa command on R3 to view the security association created.
   R3#show crypto isakmp sa
d. Issue the show crypto ipsec sa command on R1 to verify that packets are being received from R3 and decrypted by R1.
   R1#show crypto ipsec sa
b. Use the Low Security setting, and complete the Firewall wizard. Move the slider to Low Security and click the Preview Commands button to preview the commands that are delivered to the router. Click Next to continue. On the Review the Firewall Configuration Summary screen, click Finish to complete the Firewall wizard.
a. Verify that the IOS-Sxxx-CLI.pkg signature package file is in the default TFTP folder. The xxx is the version number and varies depending on which file was downloaded from Cisco.com. b. Verify that the realm-cisco.pub.key.txt file is available and note its location on PC-C.
c. Verify or create the IPS directory, ipsdir, in router flash on R3.
   R3#mkdir ipsdir
   R3#dir flash:
   Note: For router R3, the IPS signature (.xml) files in the flash:/ipsdir/ directory should have been deleted and the directory removed prior to starting the SBA. The files must be deleted from the directory in order to remove it.
   Note: If the ipsdir directory is listed and there are files in it, contact your instructor. This directory must be empty before configuring IPS. If there are no files in it, you may proceed to configure IPS.
b. Specify the signature file with a URL and use TFTP to retrieve the file from PC-C. In the Signature File and Public Key window, click the ellipsis (...) button next to Specify the Signature File You Want to Use with IOS IPS to open the Specify Signature File window. Confirm that the Specify signature file using URL option is chosen. For Protocol, select tftp from the drop-down menu. Enter the IP address of the PC-C TFTP server and the filename: 172.30.3.3/IOS-Sxxx-CLI.pkg (where xxx is the number of the package). Click OK to return to the Signature File and Public Key window.
c. Name the public key file realm-cisco.pub. In the Configure Public Key section of the Signature File and Public Key window, enter realm-cisco.pub in the Name field.
d. Copy the text from the public key file to the CCP IPS wizard. Open the realm-cisco-pub-key.txt file located on PC-C. Copy the text between the phrase key-string and the word quit into the Key field in the Configure Public Key section. Click Next to display the Config Location and Category window.
e. Specify the flash:/ipsdir/ directory name as the location to store the signature information. In the Config Location and Category window, in the Config Location section, click the ellipsis (...) button next to Config Location to add the location. Verify that Specify the config location on this router is selected. Click the ellipsis (...) button.
   Click the plus sign (+) next to flash. Choose ipsdir and then click OK.
f. Choose the basic category. In the Choose Category field of the Config Location and Category window, choose basic.
g. Complete the wizard. Click Next in the Cisco CCP IPS Policies Wizard window. Click Finish in the IPS Policies Wizard window and review the commands that will be delivered to the router. Click Deliver. Click OK when the Commands Deliver Status window is ready. When the signature configuration process has completed, you return to the IPS window with the Edit IPS tab selected.
Step 2: Change the native VLAN to 99 for the trunk ports on S1 and S2.
S1(config)#interface Fa0/1
S1(config-if)#switchport trunk native vlan 99
S1(config-if)#end
S2(config)#interface Fa0/1
S2(config-if)#switchport trunk native vlan 99
S2(config-if)#end
Step 2: Bypass Setup Mode and configure the VLAN/routed interfaces using CLI.
a. The VLAN 1 logical interface will be used by PC-B to access ASDM on ASA physical interface E0/1. Configure interface VLAN 1 and name it inside. Specify IP address 192.168.10.1 and subnet mask 255.255.255.0. Verify that the security level is set to 100.
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.10.1 255.255.255.0
ciscoasa(config-if)# exit

b. Pre-configure interface VLAN 2 and name it outside, and add physical interface E0/0 to VLAN 2. You will assign the IP address using ASDM. Verify that the security level is set to 0.

ciscoasa(config)# interface vlan 2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# interface e0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
c. Test connectivity to the ASA by pinging from PC-B to the ASA interface VLAN 1 IP address 192.168.10.1. The pings should be successful.
   On PC-B >> ping 192.168.10.1
Step 3: Configure and verify access to the ASA from the inside network.
a. Configure the ASA to accept HTTPS connections and to allow access to ASDM from any host on the inside network 192.168.10.0/24.
   ciscoasa(config)# http server enable
   ciscoasa(config)# http 192.168.10.0 255.255.255.0 inside
b. Open a browser on PC-B and test HTTPS access to the ASA ASDM GUI.
   On PC-B >> https://192.168.10.1
Task 2: Configure basic ASA settings using the ASDM Startup Wizard.
Step 1: Access the Configuration menu and launch the Startup wizard.
Click the Configuration button at the top left of the screen. There are five main configuration areas:
- Device Setup
- Firewall
- Remote Access VPN
- Site-to-Site VPN
- Device Management
On the step 2 wizard screen, enter the following:
   Hostname: CCNAS-ASA
   Domain name: ccnasecurity.com
   Password: ciscoenapa55
   You must select the checkbox for changing the enable mode password and change it from blank (no password) to ciscoenapa55.

Enable the DHCP server on the inside interface and specify a starting IP address of 192.168.10.5 and an ending IP address of 192.168.10.30. Enter the DNS server 1 address of 10.3.3.3 and the domain name ccnasecurity.com.
On the step 6 wizard screen, select the checkbox Enable DHCP server on the inside interface and enter the following:
   Starting IP address: 192.168.10.5
   Ending IP address: 192.168.10.30
   DNS Server 1: 10.3.3.3
   Domain Name: ccnasecurity.com
b. Configure the ASA to use port address translation (PAT) using the IP address of the outside interface.
   On the step 7 wizard screen, ensure that only Use Port Address Translation (PAT) and Use the IP address on the outside interface are selected.
c. Add Telnet access to the ASA for the inside network 192.168.10.0 with a subnet mask of 255.255.255.0. Add SSH access to the ASA from host 172.30.3.3 on the outside network.
   On the step 8 wizard screen, add the following entries (click Add for each):
   Type: Telnet   Interface: inside    IP address: 192.168.10.0   Mask: 255.255.255.0
   Type: SSH      Interface: outside   IP address: 172.30.3.3     Mask: 255.255.255.255
   Ensure that Enable HTTP server for HTTPS/ASDM access is checked.
   On the step 9 wizard screen (Startup Wizard Summary), review the settings and click Finish.
   Restart ASDM and provide the new enable password ciscoenapa55 with no username. Return to the Device Dashboard and check the Interface Status window.
From a command prompt or GUI Telnet client on PC-B, Telnet to the ASA inside interface at IP address 192.168.10.1.
   On PC-B >> telnet 192.168.10.1
Click the ellipsis (...) button next to Network. Select Any from the list of network objects, then click OK. Selecting Any translates to a quad zero route. For the Gateway IP, enter 209.165.200.233. Click OK, then click Apply to send the commands to the ASA.
Create a new user named admin with a password of cisco123. Allow this user Full access (ASDM, SSH, Telnet, and console) and set the privilege level to 15.
   Configuration screen > Device Management area > click Users/AAA. Click User Accounts and then Add. Create a new user named admin. Enter cisco123 as the password and enter the password again to confirm it.
b. Allow this user Full access (ASDM, SSH, Telnet, and console) under Access Restrictions. Set the privilege level to 15. Click OK to add the user, then click Apply to send the command to the ASA.

Require authentication for HTTP/ASDM, SSH and Telnet connections and specify the LOCAL server group for each connection type.
   Configuration screen > Device Management area > click Users/AAA. Click AAA Access. On the Authentication tab, select the checkbox to require authentication for HTTP/ASDM, SSH and Telnet connections. Specify the LOCAL server group for each enabled connection type. Click Apply to send the commands to the ASA.
c. From PC-C, open an SSH client such as PuTTY and attempt to access the ASA outside interface at 209.165.200.234. You should be able to establish the connection.
   Open PuTTY on PC-C and select the SSH option. Ensure the port number is 22. Enter the IP address 209.165.200.234.
To verify the connection profile: Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles. From this window the VPN configuration can be verified and edited.