Cisco Networking Academy, Mind Wide Open

Packet Tracer - Skills Integration Challenge (Instructor Version)

Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

Topology

(Topology diagram not reproduced. Networks labeled in the figure: 172.20.1.0/24, 172.30.3.0/24.)

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Addressing Table

| Device | Interface      | IP Address      | Subnet Mask     | Default Gateway |
|--------|----------------|-----------------|-----------------|-----------------|
| R1     | G0/0           | 209.165.200.233 | 255.255.255.248 | N/A             |
| R1     | S0/0/0 (DCE)   | 10.10.10.1      | 255.255.255.252 | N/A             |
| R1     | Loopback 1     | 172.20.1.1      | 255.255.255.0   | N/A             |
| R2     | S0/0/0         | 10.10.10.2      | 255.255.255.252 | N/A             |
| R2     | S0/0/1 (DCE)   | 10.20.20.2      | 255.255.255.252 | N/A             |
| R3     | G0/1           | 172.30.3.1      | 255.255.255.0   | N/A             |
| R3     | S0/0/1         | 10.20.20.1      | 255.255.255.252 | N/A             |
| S1     | VLAN 1         | 192.168.10.11   | 255.255.255.0   | 192.168.10.1    |
| S2     | VLAN 1         | 192.168.10.12   | 255.255.255.0   | 192.168.10.1    |
| S3     | VLAN 1         | 172.30.3.11     | 255.255.255.0   | 172.30.3.1      |
| ASA    | VLAN 1 (E0/1)  | 192.168.10.1    | 255.255.255.0   | N/A             |
| ASA    | VLAN 2 (E0/0)  | 209.165.200.234 | 255.255.255.248 | N/A             |
| PC-A   | NIC            | 192.168.10.2    | 255.255.255.0   | 192.168.10.1    |
| PC-B   | NIC            | 192.168.10.3    | 255.255.255.0   | 192.168.10.1    |
| PC-C   | NIC            | 172.30.3.3      | 255.255.255.0   | 172.30.3.1      |

Objectives

- Configure basic router security
- Configure basic switch security
- Configure AAA local authentication
- Configure SSH
- Secure against login attacks
- Configure site-to-site IPsec VPNs
- Configure firewall and IPS settings
- Configure ASA basic security and firewall settings

Scenario

This culminating activity includes many of the skills that you have acquired during this course. The routers and switches are preconfigured with the basic device settings, such as IP addressing and routing. You will secure routers using the CLI to configure various IOS features, including AAA, SSH, and Zone-Based Policy Firewall (ZPF). You will configure a site-to-site VPN between R1 and R3. You will secure the switches on the network.
In addition, you will also configure firewall functionality on the ASA.

Requirements

Note: Not all security features will be configured on all devices; however, they would be in a production network.

Configure Basic Router Security

- Configure the following on R1:
    - Minimum password length is 10 characters.
    - Encrypt plaintext passwords.
    - Privileged EXEC mode secret password is ciscoenapa55.
    - Console line password is ciscoconpa55, timeout is 15 minutes, and console messages should not interrupt command entry.
    - A message-of-the-day (MOTD) banner should include the word unauthorized.
- Configure the following on R2:
    - Privileged EXEC mode secret password is ciscoenapa55.
    - Password for the VTY lines is ciscovtypa55, timeout is 15 minutes, and login is required.

Configure Basic Switch Security

- Configure the following on S1:
    - Encrypt plaintext passwords.
    - Privileged EXEC mode secret password is ciscoenapa55.
    - Console line password is ciscoconpa55, timeout is 5 minutes, and console messages should not interrupt command entry.
    - Password for the VTY lines is ciscovtypa55, timeout is 5 minutes, and login is required.
    - An MOTD banner should include the word unauthorized.
- Configure trunking between S1 and S2 with the following settings:
    - Set the mode to trunk and assign VLAN 99 as the native VLAN.
    - Disable the generation of DTP frames.
- Configure S1 with the following port settings:
    - F0/6 should only allow access mode, set to PortFast, and enable BPDU guard.
    - F0/6 uses basic default port security with dynamically learned MAC addresses added to the running configuration.
    - All other ports should be disabled.
Note: Although not all ports are checked, your instructor may want to verify that all unused ports are disabled.

Configure AAA Local Authentication

- Configure the following on R1:
    - Create a local user account of Admin01, a secret password of Admin01pa55, and a privilege level of 15.
    - Enable AAA services.
    - Implement AAA services using the local database as the first option and then the enable password as the backup option.

Configure SSH

- Configure the following on R1:
    - The domain name is ccnasecurity.com.
    - The RSA key should be generated with 1024 modulus bits.
    - Only SSH version 2 is allowed.
    - Only SSH is allowed on VTY lines.
- Verify that PC-C can remotely access R1 (209.165.200.233) using SSH.

Secure Against Login Attacks

- Configure the following on R1:
    - If a user fails to log in twice within a 30-second time span, disable logins for one minute.
    - Log all failed login attempts.

Configure Site-to-Site IPsec VPNs

Note: Some VPN configurations are not scored. However, you should be able to verify connectivity across the IPsec VPN tunnel.

- Enable the Security Technology package license on R1.
    - Save the running configuration before reloading.
- Configure the following on R1:
    - Create an access list to identify interesting traffic on R1.
    - Configure ACL 101 to allow traffic from the R1 Lo1 network to the R3 G0/1 LAN.
- Configure the crypto isakmp policy 10 Phase 1 properties on R1 and the shared crypto key ciscovpnpa55. Use the following parameters:
    - Key distribution method: ISAKMP
    - Encryption: aes 256
    - Hash: sha
    - Authentication method: pre-shared
    - Key exchange: DH Group 5
    - IKE SA lifetime: 3600
    - ISAKMP key: ciscovpnpa55
- Create the transform set VPN-SET to use esp-aes 256 and esp-sha-hmac. Then create the crypto map CMAP that binds all of the Phase 2 parameters together.
  Use sequence number 10 and identify it as an ipsec-isakmp map. Use the following parameters:
    - Transform set: VPN-SET
    - Transform encryption: esp-aes 256
    - Transform authentication: esp-sha-hmac
    - Perfect Forward Secrecy (PFS): group5
    - Crypto map name: CMAP
    - SA establishment: ipsec-isakmp
    - Bind the crypto map (CMAP) to the outgoing interface.
- Verify that the Security Technology package license is enabled. Repeat the site-to-site VPN configurations on R3 so that they mirror all configurations from R1.
- Ping the Lo1 interface (172.20.1.1) on R1 from PC-C. On R3, use the show crypto ipsec sa command to verify that the number of packets is more than 0, which indicates that the IPsec VPN tunnel is working.

Configure Firewall and IPS Settings

- Configure a ZPF on R3 using the following requirements:
    - Create zones named IN-ZONE and OUT-ZONE.
    - Create an ACL number 110 that defines internal traffic, which permits all IP protocols from the 172.30.3.0/24 source network to any destination.
    - Create a class map named INTERNAL-CLASS-MAP that uses the match-all option and ACL 110.
    - Create a policy map named IN-2-OUT-PMAP that uses the class map INTERNAL-CLASS-MAP to inspect all matched traffic.
    - Create a zone pair named IN-2-OUT-ZPAIR that identifies IN-ZONE as the source zone and OUT-ZONE as the destination zone.
    - Specify that the IN-2-OUT-PMAP policy map is to be used to inspect traffic between the two zones.
    - Assign G0/1 as an IN-ZONE member and S0/0/1 as an OUT-ZONE member.
- Configure an IPS on R3 using the following requirements:
  Note: Within Packet Tracer, the routers already have the signature files imported and in place. They are the default XML files in flash. For this reason, it is not necessary to configure the public crypto key and complete a manual import of the signature files.
    - Create a directory in flash named ipsdir and set it as the location for IPS signature storage.
    - Create an IPS rule named IPS-RULE.
    - Retire the all signature category with the retired true command (all signatures within the signature release).
    - Unretire the IOS_IPS Basic category with the retired false command.
    - Apply the rule inbound on the S0/0/1 interface.

Configure ASA Basic Security and Firewall Settings

- Configure VLAN interfaces with the following settings:
    - For the VLAN 1 interface, configure the addressing to use 192.168.10.1/24.
    - For the VLAN 2 interface, remove the default DHCP setting and configure the addressing to use 209.165.200.234/29.
- Configure hostname, domain name, enable password, and console password using the following settings:
    - The ASA hostname is CCNAS-ASA.
    - The domain name is ccnasecurity.com.
    - The enable mode password is ciscoenapa55.
- Create a user and configure AAA to use the local database for remote authentication.
    - Configure a local user account named admin with the password adminpa55. Do not use the encrypted attribute.
    - Configure AAA to use the local ASA database for SSH user authentication.
    - Allow SSH access from the outside host 172.30.3.3 with a timeout of 10 minutes.
- Configure the ASA as a DHCP server using the following settings:
    - Assign IP addresses to inside DHCP clients from 192.168.10.5 to 192.168.10.30.
    - Enable DHCP to listen for DHCP client requests.
- Configure static routing and NAT.
    - Create a static default route to the next hop router (R1) IP address.
    - Create a network object named inside-net and assign attributes to it using the subnet and nat commands.
    - Create a dynamic NAT translation to the outside interface.
- Modify the Cisco Modular Policy Framework (MPF) on the ASA using the following settings:
    - Configure class-map inspection_default to match default-inspection-traffic, and then exit to global configuration mode.
    - Configure the policy-map list global_policy. Enter the class inspection_default and enter the command to inspect icmp. Then exit to global config mode.
    - Configure the MPF service-policy to make the global_policy apply globally.

Step-by-Step Scripts

    !Configure Basic Router Security
    !R1
    conf t
    security passwords min-length 10
    enable secret ciscoenapa55
    service password-encryption
    line console 0
     password ciscoconpa55
     exec-timeout 15 0
     login
     logging synchronous
    banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law!$
    end
    !R2
    conf t
    enable secret ciscoenapa55
    line vty 0 4
     password ciscovtypa55
     exec-timeout 15 0
     login
    end
    !Configure Switch Security
    !S1
    conf t
    service password-encryption
    enable secret ciscoenapa55
    line console 0
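
One way to meet the Configure AAA Local Authentication, Configure SSH, and Secure Against Login Attacks requirements on R1, written here as an added example and not taken from the original lab script. It assumes VTY lines 0 4 (the range used in the R2 script above) and the non-interactive form of the RSA key command; the 1024-bit modulus is the lab's value, and production devices should use 2048 bits or more.

```cisco
! Added example for R1 (assumptions: VTY range 0 4, non-interactive key generation)
conf t
! --- AAA local authentication ---
! Local account first; the secret must satisfy the 10-character minimum set earlier.
username Admin01 privilege 15 secret Admin01pa55
aaa new-model
! Method list "default": try the local database, fall back to the enable secret
! only if the local database returns an error (not on a wrong password).
aaa authentication login default local enable
! --- SSH ---
! The RSA key pair is named from hostname + domain name, so set the domain first.
ip domain-name ccnasecurity.com
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
line vty 0 4
 ! Removes Telnet from the VTY lines; only SSH sessions are accepted.
 transport input ssh
 exit
! --- Login attack mitigation ---
! 2 failures within 30 seconds puts the router in quiet mode for 60 seconds.
login block-for 60 attempts 2 within 30
! Emit a syslog message for every failed login attempt.
login on-failure log
end
! --- Verification ---
show ip ssh
show login
show login failures
```

Once aaa new-model is active, the default login list applies to the console as well as the VTY lines, so the line passwords configured earlier are no longer what is checked at login.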
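
The Configure Site-to-Site IPsec VPNs requirements, worked through for R1 as an added example that is not part of the original lab script. The peer address and the outgoing interface are derived from the Addressing Table (R3 S0/0/1 is 10.20.20.1; R1 reaches R2 through S0/0/0), and the Security Technology package license is assumed to be active already. DH group 5 and SHA-1 are the lab's parameters; current deployments should use DH group 14 or higher and a SHA-2 hash.

```cisco
! Added example for R1 (peer and interface derived from the Addressing Table)
conf t
! Interesting traffic: R1 Lo1 network -> R3 G0/1 LAN (wildcard masks, not subnet masks)
access-list 101 permit ip 172.20.1.0 0.0.0.255 172.30.3.0 0.0.0.255
! --- IKE Phase 1 ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
 exit
! Pre-shared key is bound to the remote peer's tunnel endpoint.
crypto isakmp key ciscovpnpa55 address 10.20.20.1
! --- IKE Phase 2 ---
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 10.20.20.1
 set pfs group5
 set transform-set VPN-SET
 match address 101
 exit
! The crypto map only takes effect once it is bound to the egress interface.
interface s0/0/0
 crypto map CMAP
 end
!
! R3 mirrors the same policy with source and destination swapped:
!   access-list 101 permit ip 172.30.3.0 0.0.0.255 172.20.1.0 0.0.0.255
!   crypto isakmp key ciscovpnpa55 address 10.10.10.1
!   set peer 10.10.10.1
!   crypto map CMAP applied on interface s0/0/1
!
! Verification after pinging 172.20.1.1 from PC-C:
show crypto isakmp sa
show crypto ipsec sa
```

If the ACLs on the two routers are not exact mirrors of each other, Phase 2 negotiation fails and the packet counters in show crypto ipsec sa stay at 0.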
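
The Configure Firewall and IPS Settings requirements for R3, as an added example that is not part of the original lab script. Interface names come from the Addressing Table; the prompts noted in the comments are answered with Enter.

```cisco
! Added example for R3
! mkdir is a privileged EXEC command and asks to confirm the directory name.
mkdir ipsdir
conf t
! --- Zone-Based Policy Firewall ---
zone security IN-ZONE
 exit
zone security OUT-ZONE
 exit
! Internal traffic: anything sourced from the R3 LAN
access-list 110 permit ip 172.30.3.0 0.0.0.255 any
class-map type inspect match-all INTERNAL-CLASS-MAP
 match access-group 110
 exit
policy-map type inspect IN-2-OUT-PMAP
 class type inspect INTERNAL-CLASS-MAP
  ! Stateful inspection: return traffic for these sessions is allowed back in.
  inspect
  exit
 exit
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
 exit
interface g0/1
 zone-member security IN-ZONE
 exit
interface s0/0/1
 zone-member security OUT-ZONE
 exit
! --- IOS IPS ---
ip ips config location flash:ipsdir
ip ips name IPS-RULE
! Retire everything first, then unretire only the basic category to limit memory use.
! Leaving signature-category mode triggers a [confirm] prompt for the changes.
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit
interface s0/0/1
 ip ips IPS-RULE in
 end
! --- Verification ---
show zone-pair security
show policy-map type inspect zone-pair sessions
show ip ips all
```

Because no zone pair is defined from OUT-ZONE to IN-ZONE, sessions initiated from outside toward 172.30.3.0/24 are dropped; only return traffic for inspected inside-initiated sessions is admitted.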