CCNA Security v.2 - PT - For Checking


CCNA Security v2 Skill EXAM Answer

A few things to keep in mind while completing this activity:


1. Do not use the browser Back button or close or reload any Exam windows during the exam.
2. Do not close Packet Tracer when you are done. It will close automatically.
3. Click the Submit Assessment button to submit your work.

Introduction
In this practice Packet Tracer Skills Based Assessment, you will do as follows:
 Configure basic device hardening and secure network management
 Configure an ASA firewall to implement security policies
 Configure ACLs to filter network traffic
 Configure devices to protect against STP attacks and to enable broadcast storm control
 Configure port security and disable unused switch ports
 Configure an IOS IPS
 Configure a ZBF to implement security policies
 Configure a site-to-site IPsec VPN

Addressing Table
Device            Interface   IP Address        Subnet Mask        Gateway           DNS server
Internet          S0/0/0      209.165.200.225   255.255.255.252    n/a               n/a
                  S0/0/1      192.31.7.1        255.255.255.252    n/a               n/a
                  S0/1/0      198.133.219.1     255.255.255.252    n/a               n/a
                  Gi0/0       192.135.250.1     255.255.255.0      n/a               n/a
CORP              S0/0/0      209.165.200.226   255.255.255.252    n/a               n/a
                  Gi0/0       209.165.200.254   255.255.255.240    n/a               n/a
CORP-ASA          VLAN 1      192.168.1.1       255.255.255.0      n/a
                  VLAN 2      209.165.200.253   255.255.255.240    n/a
                  VLAN 3      10.1.1.254        255.255.255.0      n/a
Internal          Gi0/0       192.168.1.2       255.255.255.0      n/a
                  Gi0/1.10    172.16.10.254     255.255.255.0      n/a
                  Gi0/1.25    172.16.25.254     255.255.255.0      n/a
                  Gi0/1.99    172.16.99.254     255.255.255.0      n/a
Branch            S0/0/0      198.133.219.2     255.255.255.252    n/a               n/a
                  Gi0/0       198.133.219.62    255.255.255.224    n/a               n/a
External          S0/0/0      192.31.7.2        255.255.255.252    n/a               n/a
                  Gi0/0       192.31.7.62       255.255.255.224    n/a               n/a
Public Svr        NIC         192.135.250.5     255.255.255.0      192.135.250.1     n/a
External Web Svr  NIC         192.31.7.35       255.255.255.224    192.31.7.62       192.135.250.5
External PC       NIC         192.31.7.33       255.255.255.224    192.31.7.62       192.135.250.5
Internal-DNS Svr  NIC         172.16.25.2       255.255.255.0      172.16.25.254     10.1.1.5
NTP Svr           NIC         209.165.200.252   255.255.255.240    209.165.200.254
Syslog Svr        NIC         209.165.200.251   255.255.255.240    209.165.200.254
DMZ DNS Svr       NIC         10.1.1.5          255.255.255.0      10.1.1.254        192.135.250.5
DMZ Web Svr       NIC         10.1.1.2          255.255.255.0      10.1.1.254        10.1.1.5
PC0               NIC         172.16.10.5       255.255.255.0      172.16.10.254     172.16.25.2
PC1               NIC         172.16.10.10      255.255.255.0      172.16.10.254     172.16.25.2
Net Admin         NIC         172.16.25.5       255.255.255.0      172.16.25.254     172.16.25.2
Admin PC          NIC         198.133.219.35    255.255.255.224    198.133.219.62    192.135.250.5

Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly
implemented.
Step 1: Configure Basic Device Hardening for the CORP Router.
a.     Configure the CORP router to accept only passwords with a minimum length of 10 characters.
CORP(config)#security passwords min-length 10
b.    Configure an encrypted privileged level password of ciscoclass.
CORP(config)#enable secret ciscoclass
c.     Enable password encryption for all clear text passwords in the configuration file.
CORP(config)#service password-encryption
d.    Configure the console line and all vty lines 0 to 15 with the following requirements:
Note: CORP is already configured with the username CORPADMIN and the secret password Ciscoccnas.
username CORPADMIN secret Ciscoccnas
         use the local database for login
         disconnect after being idle for 20 minutes
line console 0
 login local
 exec-timeout 20 0
line vty 0 15
 login local
 exec-timeout 20 0
(Remark: the task names the console line as well as the vty lines; an idle console session left logged in is
the same exposure as an idle vty session. Step 2c later replaces login local with an AAA method list.)

e.     Disable the CDP protocol only on the link to the Internet router.
interface Serial0/0/0
 no cdp enable

Step 2: Configure Secure Network Management for the CORP Router.


a.     Enable the CORP router as follows:
         as an NTP client of the NTP server (209.165.200.252)
CORP(config)#ntp server 209.165.200.252
         to update the router calendar (hardware clock) from the NTP time source
CORP(config)#ntp update-calendar
         to timestamp log messages
CORP(config)#service timestamps log datetime msec
         to send logging messages to the Syslog server (209.165.200.251 per the addressing table; 172.16.25.1
is not a host in this topology, so messages sent there are lost)
CORP(config)#logging host 209.165.200.251
b.    Configure the CORP router to accept SSH connections. Use the following guidelines:
Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess.
username SSHAccess secret ciscosshaccess
         domain name is theccnas.com
CORP(config)#ip domain-name theccnas.com
         RSA encryption key pair using a modulus of 1024
CORP(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
(Remark: the domain name and hostname must be set before the key is generated, because the key is named after
them; 1024 bits is what the task asks for, which is the minimum IOS accepts for SSHv2.)
         SSH version 2, timeout of 90 seconds, and 2 authentication retries
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 90
         all vty lines accept only SSH connections
CORP(config)#line vty 0 15
CORP(config-line)#transport input ssh
c.     Configure the CORP router with AAA server-based authentication and verify its functionality:
Note: The AAA server is already configured with RADIUS service, a username CORPSYS and the
password LetSysIn. The key for the client to access the AAA server is corpradius.
         AAA authentication using the AAA server as the default for console line and vty lines 0 to 4 access. The
local database is used as a backup method in case the AAA server cannot be connected.
aaa new-model
!
! The AAA server's address is not listed in the addressing table above; substitute it for <AAA-server-IP>.
radius-server host <AAA-server-IP> key corpradius
!
! Method order matters: RADIUS is tried first and the local database only if the server does not answer,
! not if RADIUS rejects the credentials.
aaa authentication login default group radius local
!
line console 0
 login authentication default
line vty 0 4
 login authentication default
(Remark: aaa authentication login default local, as sometimes given for this step, never consults the RADIUS
server and so fails the task. Do not add aaa authorization exec default local either: CORPSYS exists only on
the RADIUS server, so local exec authorization would refuse that user a shell, which breaks the SSH
verification in Step 6c.)
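As an added example that is not part of the Cisco answer key: the hardening items in Steps 1 and 2 are the kind of thing worth checking automatically before a router goes live, rather than by eyeballing the running-config. The script below parses a show running-config excerpt into stanzas and reports which items are missing. The two configs it ships with are constructed for the example (the value after enable secret 5 is a placeholder, not a real hash); the parse_sections and audit names and the internet_iface and syslog_host arguments are the example's own, with defaults taken from the lab (CORP's Serial0/0/0 and the Syslog Svr address).

```python
"""Audit an IOS running-config excerpt against the Step 1 and Step 2 hardening items.
Added example for this page, not part of the Cisco answer key; both sample configs are
constructed for the example, not captured from a CORP router."""
import re

def parse_sections(config_text):
    """Split IOS config text into (header, [children]) stanzas: show running-config indents
    a stanza's sub-commands by one space under the header line that introduces them."""
    sections, header, children = [], None, []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and header is not None:
            children.append(raw.strip())
        else:
            if header is not None:
                sections.append((header, children))
            header, children = raw.strip(), []
    if header is not None:
        sections.append((header, children))
    return sections

def audit(config_text, internet_iface="Serial0/0/0", syslog_host="209.165.200.251"):
    """Return a list of findings (empty when every check passes). The defaults are the lab's
    values: CORP's Internet-facing interface and the Syslog Svr from the addressing table."""
    sections = parse_sections(config_text)
    top = {h for h, _ in sections}
    findings = []

    m = re.search(r"^security passwords min-length (\d+)$", config_text, re.M)
    if not m or int(m.group(1)) < 10:
        findings.append("password minimum length below 10 (or not set)")
    if not any(h.startswith("enable secret") for h in top):
        findings.append("no 'enable secret' (a type-7 'enable password' is reversible)")
    if "service password-encryption" not in top:
        findings.append("service password-encryption missing: line passwords stored in clear text")
    if "ip ssh version 2" not in top:
        findings.append("SSH not pinned to version 2 (SSHv1 still negotiable)")
    if f"logging host {syslog_host}" not in top:
        findings.append(f"logging not sent to the Syslog server {syslog_host}")

    for header, children in sections:
        if header == f"interface {internet_iface}" and "no cdp enable" not in children:
            findings.append(f"{header}: CDP still enabled on the Internet-facing link")
        if not header.startswith("line "):
            continue
        timeout = next((c for c in children if c.startswith("exec-timeout")), "exec-timeout 10 0")
        minutes = int(timeout.split()[1])   # IOS default when the command is absent: 10 minutes
        if minutes == 0 or minutes > 20:
            findings.append(f"{header}: exec-timeout {minutes} min (0 means never; want 20 or less)")
        if not any(c.startswith(("login local", "login authentication")) for c in children):
            findings.append(f"{header}: login not tied to the local database or an AAA method list")
        if header.startswith("line vty") and "transport input ssh" not in children:
            findings.append(f"{header}: transport input is not SSH-only")
    return findings

# Constructed "before" config: a CORP router as it might look before Steps 1 and 2.
WEAK_CONFIG = """\
enable password ciscoclass
interface Serial0/0/0
 ip address 209.165.200.226 255.255.255.252
logging host 172.16.25.1
line con 0
 login
line vty 0 15
 exec-timeout 0 0
 login local
 transport input telnet ssh
"""

# Constructed "after" config assembled from the Step 1 and Step 2 commands above
# (the enable secret value is a placeholder, not a real MD5 digest).
HARDENED_CONFIG = """\
security passwords min-length 10
service password-encryption
hostname CORP
enable secret 5 <hash omitted in this constructed sample>
ip ssh version 2
interface Serial0/0/0
 ip address 209.165.200.226 255.255.255.252
 no cdp enable
logging host 209.165.200.251
line con 0
 exec-timeout 20 0
 login local
line vty 0 15
 exec-timeout 20 0
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK_CONFIG), ("HARDENED", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["all checks passed"])
```

Running it on the weak config lists nine findings (including the CDP and exec-timeout 0 items and the console line whose plain login relies on a line password); the hardened config produces none. The RSA modulus cannot be checked this way because the key size is not in the running-config; use show ip ssh for that.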

Step 3_A: Configure INTERNAL ROUTER


a. Configure inter-vlan routing using IP as shown above
interface GigabitEthernet0/1
no shutdown
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 172.16.10.254 255.255.255.0
!
interface GigabitEthernet0/1.25
encapsulation dot1Q 25
ip address 172.16.25.254 255.255.255.0
!
b. Configure VLAN 99 as native vlan
interface GigabitEthernet0/1.99
 encapsulation dot1Q 99 native
 ip address 172.16.99.254 255.255.255.0
(Remark: .254 per the addressing table, not .1. The native VLAN on the Switch1 trunk has to be 99 as well;
a native-VLAN mismatch leaves untagged frames landing in the wrong VLAN.)
c. Apply NAT for VLAN 10, VLAN 25 (Inside), G0/0 (Outside)
(The inside marking goes on the subinterfaces created in step a; the router has no GigabitEthernet0/10 or
GigabitEthernet0/25 ports.)
interface GigabitEthernet0/1.10
 ip nat inside
!
interface GigabitEthernet0/1.25
 ip nat inside
!
interface GigabitEthernet0/0
 ip nat outside

d. Configure PAT with pool name patpool (NAT overload with pool) using addresses 192.168.1.5 to 192.168.1.10
ip nat pool patpool 192.168.1.5 192.168.1.10 netmask 255.255.255.0
ip nat inside source list 1 pool patpool overload
e. Configure access-list 1 to permit 172.16.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.0.255.255
f. Configure static nat 172.16.25.2 192.168.1.3
ip nat inside source static 172.16.25.2 192.168.1.3
g. Configure static nat 172.16.25.5 192.168.1.4

ip nat inside source static 172.16.25.5 192.168.1.4

h. Configure default route to outside
ip route 0.0.0.0 0.0.0.0 192.168.1.1
(Remark: the next hop is the CORP-ASA inside interface. A default route that names only GigabitEthernet0/0
works in Packet Tracer, but on an Ethernet interface it makes the router ARP for every remote destination and
depend on the next device's proxy ARP; giving the next-hop address avoids that.)

Step 3_B: Configure Device Hardening for Switch1.


a. Access Switch1 with username CORPADMIN, password Ciscoccnas, and the enable secret password
of ciscoclass. Log in with those credentials; if the accounts are not already present, create them (note the
capital C in Ciscoccnas, and use secret rather than password so the stored credential is a hash rather than a
reversible type-7 string):
 username CORPADMIN secret Ciscoccnas
 enable secret ciscoclass

b.    Enable storm control for broadcasts on GigabitEthernet0/1 with a 50 percent rising suppression level.
interface G0/1
 storm-control broadcast level 50

c.     Assign f0/1-f0/10 for vlan 10, f0/11-f0/15 for vlan 25

int range f0/1-10


switchport access vlan 10
!
int range f0/11-15
switchport access vlan 25

d. Configure Switch1 to protect against STP attacks.


         Configure PortFast on Fast Ethernet ports 0/1 to 0/24.
Interface range  F0/1-24
spanning-tree portfast

e     Enable BPDU guard on Fast Ethernet ports 0/1 to 0/24.


Interface range  F0/1-24
spanning-tree bpduguard enable

f.    Configure port security and disable unused ports.
         Set the maximum number of learned MAC addresses to 2 on Fast Ethernet ports 0/1 to 0/24.
Allow the MAC address to be learned dynamically and then stored in the running config. Shutdown the port if
a violation occurs.
interface range FastEthernet0/1-24
 switchport mode access                        (Remark: required first; IOS rejects port security on a port in
                                               dynamic trunk-negotiation mode)
 switchport port-security                      (Remark: enable port security)
 switchport port-security maximum 2
 switchport port-security mac-address sticky   (Remark: record the learned MAC automatically in the running
                                               config; it only survives a reload after copy running-config
                                               startup-config)
 switchport port-security violation shutdown   (Remark: the default mode, stated explicitly for the grader)
         Disable unused ports (Fa0/2-4, Fa0/6-10, Fa0/13-24).
interface range FastEthernet0/2-4, FastEthernet0/6-10, FastEthernet0/13-24
 shutdown

Port-security violation modes, for reference:
 protect   Drops packets from insecure hosts at the port-security process level but does not increment the
           security-violation count (silent, so nothing tells you it happened).
 restrict  Drops packets from insecure hosts at the port-security process level and increments the
           security-violation count, with a syslog message and SNMP trap.
 shutdown  Err-disables the port on a violation; it stays down until shutdown / no shutdown is issued or
           errdisable recovery brings it back.

Step 4: Configure an IOS IPS on the CORP Router.


Note: On the CORP router, a directory in flash named ipsdir has already been created.
a.     Configure the IPS signature storage location to be flash:ipsdir.
Confirm the directory exists before pointing the IPS at it (mkdir ipsdir is only needed if it is missing):
CORP# dir flash:
Directory of flash0:/

3 -rw- 33591768 <no date> c1900-universalk9-mz.SPA.151-4.M4.bin
4 drw- 0 <no date> ipsdir
2 -rw- 28282 <no date> sigdef-category.xml
1 -rw- 227537 <no date> sigdef-default.xml

255744000 bytes total (221896413 bytes free)

CORP(config)# ip ips config location flash:ipsdir

b.    Create an IPS rule named corpips.


ip ips name corpips

c.     Configure the IOS IPS to use the signature categories. Retire the all signature category (take it out of
use) and unretire (put into use) the ios_ips basic category.
ip ips signature-category
  category all
   retired true
!
  category ios_ips basic
   retired false
(Remark: retiring all first is what keeps the router from trying to compile every signature in the package;
only the basic category is then compiled. Order within the block matters for the same reason.)

d.    Apply the IPS rule to the Gi0/0 interface outbound.


interface G0/0
 ip ips corpips out

e.     Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0); enable the
signature; modify the signature event-action to produce an alert and to deny packets that match the signature.
CORP(config)#ip ips signature-definition
CORP(config-sigdef)#signature 2004 0
CORP(config-sigdef-sig)#status
CORP(config-sigdef-sig-status)#retired false
CORP(config-sigdef-sig-status)#enabled true
CORP(config-sigdef-sig-status)#exit
CORP(config-sigdef-sig)#engine
CORP(config-sigdef-sig-engine)#event-action produce-alert deny-packet-inline
CORP(config-sigdef-sig-engine)#exit
CORP(config-sigdef-sig)#exit
CORP(config-sigdef)#exit
Do you want to accept these changes? [confirm]
(Remark: produce-alert on its own only logs the match; without deny-packet-inline the echo requests are still
forwarded and the verification in step f fails.)

f.     Verify that IPS is working properly, that Public DNS/WEB/FTP Svr in the External network cannot ping AAA
server, but that AAA server, however, can ping Public DNS/WEB/FTP Svr.
Step 5: Configure CORP-ASA to Implement the Security Policy.
a.     Access CORP-ASA and enter the privileged mode with the enable password of Ciscoccnas.
CORP-ASA> enable
Password: Ciscoccnas
CORP-ASA# configure terminal
(The password is already set. enable password Ciscoccnas entered in configuration mode would set it, not use it.)
b.    Configure the domain name as theccnas.com.
CORP-ASA(config)#domain-name theccnas.com

c.     Configure the inside, outside, and dmz interfaces with the following information. These commands are for the
ASA 5505 that Packet Tracer provides, where a routed VLAN interface is bound to one or more switch ports.
         VLAN 1 - IP address 192.168.1.1/24, nameif inside, security-level 100, assign to E0/1
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
         VLAN 2 - IP address 209.165.200.253/28, nameif outside, security-level 0, assign to E0/0
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.200.253 255.255.255.240
 no shutdown
         VLAN 3 - IP address 10.1.1.254/24, nameif dmz, security-level 70, assign to E0/2
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 70
 ip address 10.1.1.254 255.255.255.0
 no shutdown
         Enable interfaces: the no shutdown commands above bring up both the switch ports and the VLAN
interfaces; confirm with show interface ip brief.
(Remark: with the 5505 Base license a third named VLAN is only accepted once no forward interface Vlan1 is
present, so it has to be entered before nameif dmz; in the other order the ASA rejects the nameif command. The
restriction only blocks traffic initiated from dmz toward inside, which is how a DMZ should behave anyway.)
d.    Configure a static default route with the next hop address of the CORP router
route outside 0.0.0.0 0.0.0.0 209.165.200.254
e.     Configure NAT for both inside and dmz network
         Create an object inside-nat with subnet 192.168.1.0/24 and enable the IP addresses of the hosts in the
Internal network to be dynamically translated to access the External network using the outside interface
object network inside-nat
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface

         Create an object dmz-dns-server to statically translate the DNS server in DMZ to the public IP
object network dmz-dns-server
host 10.1.1.5
nat (dmz,outside) static 209.165.200.242
         Create an object dmz-web-server to statically translate the web server in DMZ to the public IP
object network dmz-web-server
host 10.1.1.2
nat (dmz,outside) static 209.165.200.241
f.     Modify the default MPF(Modular Policy Framework) application inspection global service policy to enable hosts in
the Internal network to access the web servers on the Internet
         Create a class inspection_default that matches default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
         Create a policy-map global_policy and specify the inspect http
policy-map global_policy
class inspection_default
inspect http
         Attach the policy map globally to all interfaces
service-policy global_policy global
g.    Configure an ACL to allow access to the DMZ servers from the Internet. The ACL will also allow icmp echo-reply
traffic from the Internet to enter the CORP-ASA.
         Create, apply, and verify an extended named ACL (named OUTSIDE-TO-DMZ) to filter incoming traffic
to the CORP-ASA. The ACL should be created in the order specified in the following guidelines (Please
note, the order of ACL statements is significant only because of the scoring need in Packet
Tracer.):
(Remark: with the object NAT model of ASA 8.3 and later, which the Packet Tracer ASA follows, an interface ACL
is evaluated against the real, untranslated address. The ACEs therefore name the DMZ servers' private
addresses, 10.1.1.2 and 10.1.1.5, not the public addresses they are translated to; ACEs written for
209.165.200.241 and .242 never match anything. Compare the INCORP ACL on the CORP router in Step 6, which
sits on the public side of the NAT and so must use the public addresses.)
1. HTTP traffic is allowed to DMZ Web Svr.
access-list OUTSIDE-TO-DMZ extended permit tcp any host 10.1.1.2 eq www
2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Server (two separate ACEs)
access-list OUTSIDE-TO-DMZ extended permit tcp any host 10.1.1.5 eq domain
access-list OUTSIDE-TO-DMZ extended permit udp any host 10.1.1.5 eq domain
3. ICMP Echo-reply traffic is allowed to DMZ
access-list OUTSIDE-TO-DMZ extended permit icmp any any echo-reply
4. FTP traffic from the Branch administrator workstation is allowed to DMZ Web Server.
access-list OUTSIDE-TO-DMZ extended permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp
5.     The ACL should contain five ACEs.
Apply the ACL inbound on the outside interface; until it is bound to an interface it filters nothing:
access-group OUTSIDE-TO-DMZ in interface outside
6.     Verify ASA configurations. Admin PC can access the website www.externalone.com.
PC0 and PC1 can access DMZ Web using https://www.theccnas.com or https://10.1.1.2
and https://www.externalone.com.
Step 6: Configure ACLs on the CORP Router to Implement the Security Policy.
a.     Create ACL 12 to implement the security policy regarding the access to the vty lines so that only users
connecting from Net Admin and Admin PC are allowed access to the vty lines.
(Remark: the CORP router never sees Net Admin's real address. The Internal router translates 172.16.25.5 to
192.168.1.4 (Step 3_A), and the CORP-ASA then translates the whole 192.168.1.0/24 subnet to its outside
interface address (object inside-nat, Step 5e), so Net Admin's connections arrive at CORP sourced from
209.165.200.253. An ACE for 192.168.1.4 would never match.)
access-list 12 permit host 209.165.200.253 (Net Admin, as seen after the static NAT and the ASA PAT)
access-list 12 permit host 198.133.219.35 (Admin PC)
Bind it to the vty lines; an ACL that is not applied with access-class filters nothing:
line vty 0 15
 access-class 12 in

b.    Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the
CORP router. The ACL should be created in the order specified in the following guidelines (Please note, the
order of ACL statements is significant only because of the scoring need in Packet Tracer.):
ip access-list extended INCORP
1. Allow HTTP traffic to the DMZ Web Server.
 permit tcp any host 209.165.200.241 eq www
2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Server (two separate ACEs).
 permit tcp any host 209.165.200.242 eq domain
 permit udp any host 209.165.200.242 eq domain
3. Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on the
CORP router.
 permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
4. Allow IP traffic from the Branch router serial interface into the CORP router serial interface.
 permit ip host 198.133.219.2 host 209.165.200.226
5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP
site (209.165.200.240/28).
 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
6. Allow echo-reply and host-unreachable traffic from the Internet
 permit icmp any any echo-reply
 permit icmp any any host-unreachable
7. Allow return TCP traffic from the Internet with the destination of 209.165.200.240/28
 permit tcp any 209.165.200.240 0.0.0.15 established
Apply the ACL inbound on the Internet-facing interface (until it is bound, it filters nothing):
interface Serial0/0/0
 ip access-group INCORP in
(Remark: this ACL sits on the public side of the NAT, so it names the public addresses of the DMZ servers.
ACE 4 is what lets the Branch router's ESP packets from the Step 8 tunnel reach CORP; ACE 5 covers the Branch
LAN traffic after decryption on platforms that re-check decrypted packets against the inbound ACL. The
established keyword only tests that the ACK or RST bit is set and keeps no session state, so any packet with
either bit set toward 209.165.200.240/28 passes; it is a weak stand-in for the stateful inspection that the
ZBF on the Branch router provides in Step 7.)
c.     To verify the INCORP ACL, complete the following tests:
         Net Admin PC in the Internal network can access the URL http://www.externalone.com;
         Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the
username CORPSYS and password LetSysIn. If the password does not work, you may try the backup
username SSHAccess and password ciscosshaccess defined in the local database.
         External User cannot establish an SSH connection to the CORP router (209.165.200.226).
Step 7: Configure a Zone-Based Policy Firewall on the Branch Router.
a.     Access the Branch router with username CORPADMIN, password Ciscoccnas and the enable secret password
of ciscoclass. Log in with those credentials; if the accounts are not already present, create them (use secret
rather than password so the stored credential is a hash rather than a reversible type-7 string):
enable secret ciscoclass
username CORPADMIN secret Ciscoccnas
b.    On the Branch router, create the firewall zones.
         Create an internal zone named BR-IN-ZONE.
zone security BR-IN-ZONE
         Create an external zone named BR-OUT-ZONE.
zone security BR-OUT-ZONE
c.     Define a traffic class and access list.
         Create an ACL 110 to permit all protocols from the 198.133.219.32/27 network to any destination.
access-list 110 permit ip 198.133.219.32 0.0.0.31 any
         Create a class map using the option of class map type inspect with the match-all keyword. Match the
ACL 110 and name the class map BR-IN-CLASS-MAP.
class-map type inspect match-all BR-IN-CLASS-MAP
match access-group 110
d.    Specify firewall policies.
         Create a policy map named BR-IN-OUT-PMAP.
policy-map type inspect BR-IN-OUT-PMAP
         Use the BR-IN-CLASS-MAP class map.
class type inspect BR-IN-CLASS-MAP
         Specify the action of inspect for this policy map.
inspect

e.     Apply the firewall.
         Create a pair of zones named IN-OUT-ZPAIR with the source as BR-IN-ZONE and destination as BR-
OUT-ZONE.
zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE
         Specify the policy map BR-IN-OUT-PMAP for handling the traffic between the two zones (entered under
the zone-pair).
 service-policy type inspect BR-IN-OUT-PMAP
         Assign interfaces to the appropriate security zones.
interface GigabitEthernet0/0
 zone-member security BR-IN-ZONE
!
interface Serial0/0/0
 zone-member security BR-OUT-ZONE
f.     Verify the ZBF configuration.
         The Admin PC in the Branch office can access the URLs http://www.theccnas.com and
http://www.externalone.com.
         The Admin PC in the Branch office can ping the External PC (192.31.7.33).
         External User cannot ping the Admin PC in the Branch office (198.133.219.35).
         The Admin PC in Branch office can establish an SSH connection to the CORP router with the
username CORPSYS and password LetSysIn. If the password does not work, you may try the backup
username SSHAccess and password ciscosshaccess defined in the local database.
Step 8: Configure a Site-to-Site IPsec VPN between the CORP router and the Branch Router.
The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2 Policy:

ISAKMP Phase 1 Policy Parameters
Parameter                  Value
Key Distribution Method    ISAKMP
Encryption Algorithm       AES
Number of Bits             256
Hash Algorithm             SHA-1
Authentication Method      Pre-share
Key Exchange               DH 2
IKE SA Lifetime            86400
ISAKMP Key                 Vpnpass101

IPsec Phase 2 Policy Parameters
Parameter                  CORP Router               Branch Router
Transform Set Name         VPN-SET                   VPN-SET
Transform Set              esp-3des esp-sha-hmac     esp-3des esp-sha-hmac
Peer Host Name             Branch                    CORP
Peer IP Address            198.133.219.2             209.165.200.226
Encrypted Network          209.165.200.240/28        198.133.219.32/27
Crypto Map Name            VPN-MAP                   VPN-MAP
SA Establishment           ipsec-isakmp              ipsec-isakmp
 
a.     Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP
traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).
access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
b.    Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy is 10. Refer to
the ISAKMP Phase 1 Policy Parameters Table for the specific details needed.
CORP and Branch
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 l lifetime 86400
CORP
crypto isakmp key Vpnpass101 address 198.133.219.2
Branch
crypto isakmp key Vpnpass101 address 209.165.200.226
(Remark: hash sha and lifetime 86400 are the IOS defaults, so show running-config does not display them; show
crypto isakmp policy does. The pre-shared key is bound to the peer's address on each side. 3DES, SHA-1 and DH
group 2 are what the table prescribes for this lab; none of them is an acceptable choice for a production
tunnel today.)
c.     Configure the IPsec Phase 2 properties on the CORP router. Refer to the IPsec Phase 2 Policy
Parameters Table for the specific details needed. The transform set has to exist before a crypto map can
reference it.
CORP and Branch
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
CORP
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.133.219.2
 set transform-set VPN-SET
 match address 120
Branch
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 209.165.200.226
 set transform-set VPN-SET
 match address 120

d.    Bind the VPN-MAP crypto map to the outgoing interface.


CORP and Branch
interface Serial0/0/0
 crypto map VPN-MAP

e.     Configure IPsec parameters on the Branch router using the same parameters as on the CORP router. Note that
interesting traffic is defined as the IP traffic from the two LANs.
access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
f.     Verify the VPN configuration. From the Admin PC, establish an FTP session to www.theccnas.com, using the
username cisco and password cisco.

Also on Admin PC, visit the website www.theccnas.com. On the Branch or CORP router, check that the packets are
encrypted: show crypto isakmp sa should list the peer with state QM_IDLE, and the #pkts encaps and #pkts decaps
counters in show crypto ipsec sa should increase with every transfer. Counters that stay at zero while the web
page still loads mean the traffic is bypassing the tunnel, usually because the crypto ACL on one side is not
the mirror image of the other.
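Two of the checks on this page are easier to reason about with a small offline evaluator: the INCORP ACL of Step 6 (where the established ACE and the NAT-translated source for ACL 12 are the usual points of confusion) and the mirrored crypto ACLs of Step 8. The following is an added example written for this page, not Cisco's code and not part of the answer key. It models IOS ACL matching (top-down, first match wins, implicit deny, wildcard masks, established as a bare ACK/RST-bit test) and feeds it packets constructed from the addressing table; the run_checks and mirrors names and the scenario labels are the example's own.

```python
"""Offline evaluator for IOS-style ACLs: added example for this page, not part of the answer
key. The packets below are constructed from the lab's addressing table, not captured traffic."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "ssh": 22}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", "icmp", "esp", ...
    src: str
    dst: str
    dport: int = 0
    flag: str = ""    # "ack" when ACK/RST is set (all `established` tests), or an ICMP message name

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int = -1   # -1: any destination port
    established: bool = False
    icmp: str = ""

def _take_addr(tokens):
    """Consume one address spec: any | host A | A WILDCARD | A (standard-ACL shorthand)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    # Turn the wildcard into a netmask ourselves: ipaddress would read 0.0.0.0 as a /0 netmask.
    mask = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{tok}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_ace(line):
    """Parse one ACE in IOS syntax (wildcard masks), extended or standard."""
    t = line.split()
    action, extended = t.pop(0), t[0] in PROTOCOLS
    proto = t.pop(0) if extended else "ip"   # a standard ACL matches on the source only
    src = _take_addr(t)
    dst = _take_addr(t) if extended else ANY
    ace = Ace(action, proto, src, dst)
    while t:
        tok = t.pop(0)
        if tok == "eq":
            name = t.pop(0)
            ace.dport = PORT_NAMES.get(name) or int(name)
        elif tok == "established":
            ace.established = True
        elif proto == "icmp":
            ace.icmp = tok
    return ace

def _matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and ace.dport in (-1, pkt.dport)
            and (not ace.established or pkt.flag == "ack")
            and (not ace.icmp or ace.icmp == pkt.flag))

def evaluate(acl, pkt):
    """Top-down, first match wins; running off the end is the implicit deny."""
    return next((a.action for a in acl if _matches(a, pkt)), "deny")

def mirrors(a, b):
    """Crypto ACLs on two IPsec peers must be exact mirror images (src and dst swapped)."""
    return a.proto == b.proto and a.src == b.dst and a.dst == b.src

INCORP = [parse_ace(l) for l in """
permit tcp any host 209.165.200.241 eq www
permit tcp any host 209.165.200.242 eq domain
permit udp any host 209.165.200.242 eq domain
permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
permit ip host 198.133.219.2 host 209.165.200.226
permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
permit icmp any any echo-reply
permit icmp any any host-unreachable
permit tcp any 209.165.200.240 0.0.0.15 established
""".strip().splitlines()]
CORP_120 = parse_ace("permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31")
BRANCH_120 = parse_ace("permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15")

def run_checks():
    """Verdicts for constructed packets; each key names a Step 6 or Step 8 scenario."""
    netadmin = Packet("tcp", "209.165.200.253", "209.165.200.254", 22)  # Net Admin after static NAT + ASA PAT
    return {
        "branch_admin_ssh": evaluate(INCORP, Packet("tcp", "198.133.219.35", "209.165.200.226", 22)),
        "external_ssh": evaluate(INCORP, Packet("tcp", "192.31.7.33", "209.165.200.226", 22)),
        "branch_esp": evaluate(INCORP, Packet("esp", "198.133.219.2", "209.165.200.226")),
        "web_reply_ack": evaluate(INCORP, Packet("tcp", "192.31.7.35", "209.165.200.253", 1025, "ack")),
        "forged_syn": evaluate(INCORP, Packet("tcp", "192.31.7.35", "209.165.200.253", 1025)),
        "echo_request_in": evaluate(INCORP, Packet("icmp", "192.31.7.33", "209.165.200.253", 0, "echo")),
        "acl12_as_written": evaluate([parse_ace("permit host 192.168.1.4")], netadmin),
        "acl12_fixed": evaluate([parse_ace("permit host 209.165.200.253")], netadmin),
        "crypto_acls_mirror": mirrors(CORP_120, BRANCH_120),
    }
```

The verdicts are the ones the verification steps expect: the Branch administrator's SSH and the Branch router's ESP are permitted, the External user's SSH and an inbound echo request are denied, and a web reply with ACK set passes the established ACE while a bare SYN to the same address does not. The two ACL 12 scenarios show why the source must be the ASA outside address: the packet that actually reaches CORP carries 209.165.200.253, and an ACE for 192.168.1.4 falls through to the implicit deny. mirrors confirms the two crypto ACLs are swapped copies of each other, which is the condition the Step 8 remark about zero encaps counters refers to.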

Version 2
Created in Packet Tracer 7.2
All contents are Copyright © 1992 - 2014 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

The logging synchronous command is useful whenever console messages are being displayed at the same time that
you are trying to input EXEC or configuration commands.

Instead of console messages being intermingled with your input, your input is redisplayed on a single
line at the end of each console message that "interrupts" it.

This makes reading your input much easier.

-----------------------------------------------------------

The logging synchronous command is used to synchronize unsolicited messages and debug output with
solicited Cisco IOS Software output.

Benefit of using the logging synchronous command

Hate it when you exit out of global configuration mode and start another command and are interrupted by a
console or debug message? Use the logging synchronous command to fix that.

Switch#conf t
Switch(config)#line con 0
Switch(config-line)#logging synchronous
Switch(config-line)#end
