Cisco Packet Tracer Statement
7 workshop
Router R1
enable
configure terminal
ip access-list standard BRANCH-OFFICE-POLICY
permit host 192.168.30.3
permit 192.168.40.0 0.0.0.255
interface g0/0/0
ip access-group BRANCH-OFFICE-POLICY out
ip access-list standard BRANCH-OFFICE-POLICY
30 permit 209.165.200.224 0.0.0.31
40 deny any
end
Router R3
enable
configure terminal
access-list 1 remark Allow R1 LANs Access
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 deny any
interface g0/0/0
ip access-group 1 out
end
5.4.12
enable
configure terminal
access-list 100 permit tcp 172.22.34.64 0.0.0.31 host 172.22.34.62 eq ftp
access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62
interface gigabitEthernet 0/0
ip access-group 100 in
exit
ip access-list extended HTTP_ONLY
permit tcp 172.22.34.96 0.0.0.15 host 172.22.34.62 eq www
permit icmp 172.22.34.96 0.0.0.15 host 172.22.34.62
interface gigabitEthernet 0/1
ip access-group HTTP_ONLY in
end
switch port security
Objectives
Configure Basic Router Security
Configure Basic Switch Security
Configure AAA Local Authentication
Configure SSH
Secure Against Login Attacks
Configure Site-to-Site IPsec VPNs
Configure Firewall and IPS Settings
Configure ASA Basic Security and Firewall Settings
Scenario
This culminating activity includes many of the skills that you have acquired during this course. The
routers and switches are preconfigured with the basic device settings, such as IP addressing and
routing. You will secure routers using the CLI to configure various IOS features, including AAA, SSH,
and Zone-Based Policy Firewall (ZPF). You will also configure a site-to-site VPN between R1 and R3.
You will also secure the switches on the network. In addition, you will also configure firewall
functionality on the ASA.
Requirements
Note: Not all security features will be configured on all devices, although they normally would be in a
production network.
Configure Basic Router Security
Configure the following on R1:
o Minimum password length is 10 characters.
o Encrypt plaintext passwords.
o Privileged EXEC mode secret password is ciscoenapa55.
o Console line password is ciscoconpa55, timeout is 15 minutes, and console messages
should not interrupt command entry.
o A message-of-the-day (MOTD) banner should include the word unauthorized.
Configure the following on R2:
o Privileged EXEC mode secret password is ciscoenapa55.
o Password for the vty lines is ciscovtypa55, timeout is 15 minutes, and login is required.
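The following is an added worked configuration for the R1 and R2 requirements above; it is not part of the original handout or Cisco's answer key. It assumes the console is line console 0 and that R2 uses vty lines 0 through 4, neither of which the requirements state. Note that ciscoenapa55 and ciscoconpa55 are 12 characters, so they satisfy the 10-character minimum that is set first.

```cisco
! ---- R1 (added example) ----
enable
configure terminal
! Reject any new password shorter than 10 characters
security passwords min-length 10
! Obscure plaintext line passwords in the running config (type 7, reversible)
service password-encryption
! Privileged EXEC secret is hashed, not merely obscured
enable secret ciscoenapa55
line console 0
 password ciscoconpa55
 exec-timeout 15 0
 logging synchronous
 login
 exit
! The MOTD must contain the word "unauthorized"
banner motd #Unauthorized access is prohibited. Disconnect immediately.#
end

! ---- R2 (added example; vty 0 4 assumed) ----
enable
configure terminal
enable secret ciscoenapa55
line vty 0 4
 password ciscovtypa55
 exec-timeout 15 0
 login
 exit
end
```

Verify on R1 with show running-config | include password: the console password should appear as "password 7 ...", while the enable secret appears as a hashed "enable secret" line.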
Configure Basic Switch Security
Configure the following on S1:
o Encrypt plaintext passwords.
o Privileged EXEC mode secret password is ciscoenapa55.
o Console line password is ciscoconpa55, timeout is 5 minutes, and console messages
should not interrupt command entry.
o Password for the vty lines is ciscovtypa55, timeout is 5 minutes, and login is required.
o A MOTD banner should include the word unauthorized.
Configure trunking between S1 and S2 with the following settings:
o Set the mode to trunk and assign VLAN 99 as the native VLAN.
o Disable the generation of DTP frames.
o Enable storm control for broadcasts to a 50 percent suppression level.
Configure the S1 with the following port settings:
o Fa0/6 should only allow access mode, set to PortFast, and enable BPDU guard.
o Fa0/6 uses basic default port security with dynamically learned MAC addresses added to the
running configuration.
o All other ports should be disabled.
Note: Although not all ports are checked, your instructor may want to verify that all unused
ports are disabled.
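An added worked configuration for the S1 requirements above (not from the original handout or Cisco's answer key). The requirements do not say which interface carries the trunk to S2 or how many ports the switch has; the example assumes the trunk is Fa0/1 and that S1 is a 24-port switch with two Gigabit uplinks, so the "all other ports" range must be adjusted to the real topology. The trunk settings must be repeated on the S2 side of the link.

```cisco
! ---- S1 (added example) ----
enable
configure terminal
service password-encryption
enable secret ciscoenapa55
line console 0
 password ciscoconpa55
 exec-timeout 5 0
 logging synchronous
 login
 exit
line vty 0 15
 password ciscovtypa55
 exec-timeout 5 0
 login
 exit
banner motd #Unauthorized access is prohibited. Disconnect immediately.#

! Trunk to S2 (interface assumed: Fa0/1; mirror these commands on S2)
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 ! Stop sending DTP frames so a neighbor cannot negotiate a trunk with us
 switchport nonegotiate
 ! Drop broadcasts once they exceed 50 percent of the link bandwidth
 storm-control broadcast level 50
 exit

! Host-facing port
interface FastEthernet0/6
 switchport mode access
 spanning-tree portfast
 ! Err-disable the port if any BPDU arrives (a host port should never see one)
 spanning-tree bpduguard enable
 ! Default port security: 1 MAC allowed, violation shutdown;
 ! sticky writes the learned MAC into the running config
 switchport port-security
 switchport port-security mac-address sticky
 exit

! Disable every port not in use (ranges assumed; adjust to the real switch)
interface range FastEthernet0/2 - 5 , FastEthernet0/7 - 24 , GigabitEthernet0/1 - 2
 shutdown
 exit
end
```

After a frame from the PC arrives on Fa0/6, show running-config interface fa0/6 should list a "switchport port-security mac-address sticky <MAC>" line, and show port-security interface fa0/6 should report the violation mode as Shutdown.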
Configure AAA Local Authentication
Configure the following on R1:
o Create a local user account of Admin01, a secret password of Admin01pa55, and a privilege
level of 15.
o Enable AAA services.
o Implement AAA services using the local database as the first option and then
the enable password as the backup option.
Configure SSH
Configure the following on R1:
Note: The RSA key is already generated.
o The domain name is ccnasecurity.com
o The RSA key should be generated with a 1024-bit modulus.
o Only SSH version 2 is allowed.
o Only SSH is allowed on vty lines.
Verify that PC-C can remotely access R1 (209.165.200.233) using SSH.
Secure Against Login Attacks
Configure the following on R1:
o If a user fails to log in twice within a 30-second time span, then disable logins for one minute.
o Log all failed login attempts.
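An added worked configuration covering the three R1 sections above (AAA local authentication, SSH, and login-attack protection); it is not part of the original handout or Cisco's answer key. It assumes vty lines 0 through 4. Because a key already exists on R1, the crypto key generate command will ask whether to replace it; answer yes so the new 1024-bit key is used.

```cisco
! ---- R1 (added example) ----
enable
configure terminal
! Local account with full privilege; secret is hashed
username Admin01 privilege 15 secret Admin01pa55
! Turn on AAA and use the local database first, the enable secret as fallback
aaa new-model
aaa authentication login default local enable

! SSH: domain name is required before the RSA key can be generated
ip domain-name ccnasecurity.com
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
line vty 0 4
 ! Telnet is no longer accepted on the vty lines; AAA default list applies to login
 transport input ssh
 exit

! Two failures within 30 seconds block further logins for 60 seconds
login block-for 60 attempts 2 within 30
! Record every failed attempt to the log
login on-failure log
end
```

From PC-C, ssh -l Admin01 209.165.200.233 should prompt for the Admin01pa55 password and land directly in privileged EXEC (privilege 15). On R1, show login reports the current quiet-mode state, and show ip ssh confirms "SSH Enabled - version 2.0".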
Configure Site-to-Site IPsec VPNs
Note: Some VPN configurations are not scored. However, you should be able to verify connectivity
across the IPsec VPN tunnel.
Configure the following on R1:
o Create an access-list to identify interesting traffic on R1.
Configure ACL 101 to allow traffic from the R1 Lo1 network to the R3 Fa0/1 LAN.
Explicitly deny all other traffic.
o Configure the crypto isakmp policy 10 Phase 1 properties on R1 along with the shared
crypto key ciscovpnpa55. Use the following parameters:
Key distribution method: ISAKMP
Encryption: aes 256
Hash: sha-1
Authentication method: pre-shared
Key exchange: DH Group 5
IKE SA lifetime: 3600
ISAKMP key: ciscovpnpa55
o Create the transform set VPN-SET to use esp-aes 256 and esp-sha-hmac. Then create the
crypto map CMAP that binds all of the Phase 2 parameters together. Use sequence
number 10 and identify it as an ipsec-isakmp map. Use the following parameters:
Transform Set: VPN-SET
Transform Encryption: esp-aes 256
Transform Authentication: esp-sha-hmac
Perfect Forward Secrecy (PFS): group5
Crypto Map name: CMAP
SA Establishment: ipsec-isakmp
o Bind the crypto map CMAP to the outgoing interface.
Repeat the site-to-site VPN configurations on R3 so that they mirror all configurations from R1.
Ping the Lo1 interface (172.20.1.1) on R1 from PC-C. Then on R3, use the show crypto ipsec
sa command to verify the number of packets is more than 0, indicating that the IPsec VPN tunnel
is working.
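An added worked configuration for the site-to-site VPN section above, on both R1 and R3; it is not part of the original handout or Cisco's answer key. The requirements give the peer names but not the WAN addressing, so the example assumes R1's outgoing interface is S0/0/0 with address 10.1.1.1 and R3's is S0/0/1 with address 10.2.2.1; it also assumes the Lo1 network is 172.20.1.0/24 (from Lo1 = 172.20.1.1) and that the R3 Fa0/1 LAN is 172.30.3.0/24 (the internal network named in the ZPF section). Replace those values with the topology's real addresses.

```cisco
! ---- R1 (added example; 10.x.x.x addresses are assumed) ----
enable
configure terminal
! Interesting traffic: Lo1 network -> R3 LAN; everything else stays unencrypted
access-list 101 permit ip 172.20.1.0 0.0.0.255 172.30.3.0 0.0.0.255
access-list 101 deny ip any any

! Phase 1 (ISAKMP) policy: aes 256 / sha-1 / pre-shared / DH group 5 / 3600 s
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
 exit
crypto isakmp key ciscovpnpa55 address 10.2.2.1

! Phase 2 (IPsec): transform set plus crypto map CMAP seq 10
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 10.2.2.1
 set pfs group5
 set transform-set VPN-SET
 match address 101
 exit
interface Serial0/0/0
 crypto map CMAP
 end

! ---- R3 (mirror image; added example) ----
enable
configure terminal
! Source and destination are swapped relative to R1's ACL 101
access-list 101 permit ip 172.30.3.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 101 deny ip any any
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
 exit
crypto isakmp key ciscovpnpa55 address 10.1.1.1
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set pfs group5
 set transform-set VPN-SET
 match address 101
 exit
interface Serial0/0/1
 crypto map CMAP
 end
```

The two ACLs must be exact mirrors; if they are not, Phase 2 fails with a proxy-identity mismatch even though Phase 1 succeeds. The first ping from PC-C to 172.20.1.1 may time out while the tunnel is negotiated; after that, show crypto ipsec sa on R3 should show non-zero "pkts encaps" and "pkts decaps" counters, and show crypto isakmp sa should list the peer in state QM_IDLE.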
Configure Firewall and IPS Settings
Configure a ZPF on R3 using the following requirements:
o Create zones named IN-ZONE and OUT-ZONE.
o Create an ACL number 110 that defines internal traffic, permitting all IP protocols from
the 172.30.3.0/24 source network to any destination. Explicitly deny all other traffic.
o Create a class map named INTERNAL-CLASS-MAP that uses the match-all option and
ACL 110.
o Create a policy map named IN-2-OUT-PMAP that uses the class map INTERNAL-CLASS-
MAP to inspect all matched traffic.
o Create a zone pair named IN-2-OUT-ZPAIR that identifies IN-ZONE as the source zone
and OUT-ZONE as the destination zone.
o Specify that the IN-2-OUT-PMAP policy map is to be used to inspect traffic between the two
zones.
o Assign Fa0/1 as an IN-ZONE member and S0/0/1 as an OUT-ZONE member.
Configure an IPS on R3 using the following requirements:
Note: Within Packet Tracer, the routers already have the signature files imported and in place.
They are the default XML files in flash. For this reason, it is not necessary to configure the public
crypto key and complete a manual import of the signature files.
o Create a directory in flash named ipsdir and set it as the location for IPS signature storage.
o Create an IPS rule named IPS-RULE.
o Retire the all signature category with the retired true command (this retires every signature in the
signature release).
o Unretire the IOS_IPS Basic category with the retired false command.
o Apply the rule inbound on the S0/0/1 interface.
Configure ASA Basic Security and Firewall Settings
Configure VLAN interfaces with the following settings:
o For the VLAN 1 interface, configure the addressing to use 192.168.10.1/24.
o For the VLAN 2 interface, remove the default DHCP setting and configure the addressing to
use 209.165.200.234/29.
Configure hostname, domain name, enable password, and Telnet console password using the
following settings:
o The ASA hostname is CCNAS-ASA.
o The domain name is ccnasecurity.com.
o The enable mode password is ciscoenapa55.
Create a user and configure AAA to use the local database for remote authentication.
o Create a local user account of Admin01 with a secret password of Admin01pa55 and a
privilege level of 15.
o Configure a local user account named admin with the password adminpa55. Do not use
the encrypted attribute.
o Configure AAA to use the local ASA database for Telnet and SSH user authentication.
Configure Telnet for local ASA console access and SSH for remote ASA console access.
o Allow Telnet access from the inside 192.168.10.0/24 network with a timeout of 10 minutes.
o Allow SSH access from the outside host 172.30.3.3 with a timeout of 10 minutes.
Configure the ASA as a DHCP server using the following settings:
o Assign IP addresses to inside DHCP clients from 192.168.10.5 to 192.168.10.30.
o Enable DHCP to listen for DHCP client requests.
Configure static routing and NAT.
o Create a static default route to the next hop router (R1) IP address.
o Create a network object named inside-net and assign attributes to it using
the subnet and nat commands.
o Create a dynamic NAT translation to the outside interface.
Modify the Cisco Modular Policy Framework (MPF) on the ASA using the following settings:
o Configure class-map inspection_default to match default-inspection-traffic, and then exit
to global configuration mode.
o Configure the policy map global_policy. Enter the class inspection_default and enter
the command to inspect icmp. Then exit to global config mode.
o Configure the MPF service-policy to make the global_policy apply globally.
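An added worked configuration for the ASA section above; it is not part of the original handout or Cisco's answer key. It assumes the ASA 5505 factory defaults are still in place, so VLAN 1 is already named inside and VLAN 2 outside and only the addressing needs to change. The default-route next hop 209.165.200.233 is the R1 address given in the SSH verification step earlier on the page, assumed to be on the ASA's outside subnet. SSH on the ASA also needs an RSA key pair; the example assumes one exists and shows the command to generate one if it does not.

```cisco
! ---- CCNAS-ASA (added example) ----
enable
configure terminal
hostname CCNAS-ASA
domain-name ccnasecurity.com
enable password ciscoenapa55

! VLAN interface addressing (nameif inside/outside assumed preconfigured)
interface vlan 1
 ip address 192.168.10.1 255.255.255.0
 exit
interface vlan 2
 ! Drop the factory DHCP client setting before assigning the static address
 no ip address dhcp
 ip address 209.165.200.234 255.255.255.248
 exit

! Local users; "admin" deliberately has no encrypted attribute, per the requirement
username Admin01 password Admin01pa55 privilege 15
username admin password adminpa55
! Telnet and SSH logins are checked against the local database
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL

! Management access: Telnet only from the inside LAN, SSH only from one outside host
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 10
! crypto key generate rsa modulus 1024   <- only if no RSA key exists yet (assumption)
ssh 172.30.3.3 255.255.255.255 outside
ssh timeout 10

! DHCP for inside clients
dhcpd address 192.168.10.5-192.168.10.30 inside
dhcpd enable inside

! Default route toward R1 and dynamic PAT to the outside interface address
route outside 0.0.0.0 0.0.0.0 209.165.200.233
object network inside-net
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
 exit

! Modular Policy Framework: add ICMP to the default inspection so pings get return traffic
class-map inspection_default
 match default-inspection-traffic
 exit
policy-map global_policy
 class inspection_default
  inspect icmp
  exit
 exit
service-policy global_policy global
end
```

Without the inspect icmp line, a ping from an inside host to the outside is translated and sent but the echo reply is dropped at the outside interface, because ICMP is not stateful by default on the ASA. Check the result with show nat (hits on the inside-net translation) and show service-policy global, and confirm that Telnet from a 192.168.10.0/24 host and SSH from 172.30.3.3 prompt for the local usernames.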