[CCNA Security v2] 11.3.1.1 Packet Tracer - Skills Integration Challenge 100%



Packet Tracer - Skills Integration Challenge
Addressing Table


Objectives

·         Configure basic router security
·         Configure basic switch security
·         Configure AAA local authentication
·         Configure SSH
·         Secure against login attacks
·         Configure site-to-site IPsec VPNs
·         Configure firewall and IPS settings
·         Configure ASA basic security and firewall settings
Scenario

This culminating activity includes many of the skills that you have acquired during this course. The routers and switches are preconfigured with the basic device settings, such as IP addressing and routing. You will secure routers using the CLI to configure various IOS features, including AAA, SSH, and Zone-Based Policy Firewall (ZPF). You will configure a site-to-site VPN between R1 and R3. You will secure the switches on the network. In addition, you will also configure firewall functionality on the ASA.

Requirements

Note: Not all security features will be configured on all devices, however, they would be in a production network.

Configure Basic Router Security
·         Configure the following on R1:
o    Minimum password length is 10 characters.
o    Encrypt plaintext passwords.
o    Privileged EXEC mode secret password is ciscoenapa55.
o    Console line password is ciscoconpa55, timeout is 15 minutes, and console messages should not interrupt command entry.
o    A message-of-the-day (MOTD) banner should include the word unauthorized.
·         Configure the following on R2:
o    Privileged EXEC mode secret password is ciscoenapa55.
o    Password for the VTY lines is ciscovtypa55, timeout is 15 minutes, and login is required.
Configure Basic Switch Security
·         Configure the following on S1:
o    Encrypt plaintext passwords.
o    Privileged EXEC mode secret password is ciscoenapa55.
o    Console line password is ciscoconpa55, timeout is 5 minutes, and consoles messages should not interrupt command entry.
o    Password for the VTY lines is ciscovtypa55, timeout is 5 minutes, and login is required.
o    An MOTD banner should include the word unauthorized.
·         Configure trunking between S1 and S2 with the following settings:
o    Set the mode to trunk and assign VLAN 99 as the native VLAN.
o    Disable the generation of DTP frames.
·         Configure the S1 with the following port settings:
o    F0/6 should only allow access mode, set to PortFast, and enable BPDU guard.
o    F0/6 uses basic default port security with dynamically learned MAC addresses added to the running configuration.
o    All other ports should be disabled.
Note: Although not all ports are checked, your instructor may want to verify that all unused ports are disabled.

Configure AAA Local Authentication
·         Configure the following on R1:
o    Create a local user account of Admin01, a secret password of Admin01pa55, and a privilege level of 15.
o    Enable AAA services.
o    Implement AAA services using the local database as the first option and then the enable password as the backup option.
Configure SSH
·         Configure the following on R1:
o    The domain name is ccnasecurity.com
o    The RSA key should be generated with 1024 modulus bits.
o    Only SSH version 2 is allowed.
o    Only SSH is allowed on VTY lines.
·         Verify that PC-C can remotely access R1 (209.165.200.233) using SSH.
Secure Against Login Attacks
·         Configure the following on R1:
o    If a user fails to log in twice within a 30-second time span, disable logins for one minute.
o    Log all failed login attempts.
Configure Site-to-Site IPsec VPNs
Note: Some VPN configurations are not scored. However, you should be able to verify connectivity across the IPsec VPN tunnel.

·         Enable the Security Technology package license on R1.
o    Save the running configuration before reloading.
·         Configure the following on R1:
o    Create an access list to identify interesting traffic on R1.
o    Configure ACL 101 to allow traffic from the R1 Lo1 network to the R3 G0/1 LAN.
·         Configure the crypto isakmp policy 10 Phase 1 properties on R1 and the shared crypto key ciscovpnpa55. Use the following parameters:
o    Key distribution method: ISAKMP
o    Encryption: aes 256
o    Hash: sha
o    Authentication method: pre-shared
o    Key exchange: DH Group 5
o    IKE SA lifetime: 3600
o    ISAKMP key: ciscovpnpa55
·         Create the transform set VPN-SET to use esp-aes 256 and esp-sha-hmac. Then create the crypto map CMAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map. Use the following parameters:
o    Transform set: VPN-SET
o    Transform encryption: esp-aes 256
o    Transform authentication: esp-sha-hmac
o    Perfect Forward Secrecy (PFS): group5
o    Crypto map name: CMAP
o    SA establishment: ipsec-isakmp
o    Bind the crypto map (CMAP) to the outgoing interface.
·         Verify that the Security Technology package license is enabled. Repeat the site-to-site VPN configurations on R3 so that they mirror all configurations from R1.
·         Ping the Lo1 interface (172.20.1.1) on R1 from PC-C. On R3, use the show crypto ipsec sa command to verify that the number of packets is more than 0, which indicates that the IPsec VPN tunnel is working.
Configure Firewall and IPS Settings
·         Configure a ZPF on R3 using the following requirements:
o    Create zones named IN-ZONE and OUT-ZONE.
o    Create an ACL number 110 that defines internal traffic, which permits all IP protocols from the 172.30.3.0/24 source network to any destination.
·         Create a class map named INTERNAL-CLASS-MAP that uses the match-all option and ACL 110.
·         Create a policy map named IN-2-OUT-PMAP that uses the class map INTERNAL-CLASS-MAP to inspect all matched traffic.
·         Create a zone pair named IN-2-OUT-ZPAIR that identifies IN-ZONE as the source zone and OUT-ZONE as the destination zone.
o    Specify that the IN-2-OUT-PMAP policy map is to be used to inspect traffic between the two zones.
o    Assign G0/1 as an IN-ZONE member and S0/0/1 as an OUT-ZONE member.
·         Configure an IPS on R3 using the following requirements:
Note: Within Packet Tracer, the routers already have the signature files imported and in place. They are the default XML files in flash. For this reason, it is not necessary to configure the public crypto key and complete a manual import of the signature files.

o    Create a directory in flash named ipsdir and set it as the location for IPS signature storage.
o    Create an IPS rule named IPS-RULE.
o    Retire the all signature category with the retired true command (all signatures within the signature release).
o    Unretire the IOS_IPS Basic category with the retired false command.
o    Apply the rule inbound on the S0/0/1 interface.
Configure ASA Basic Security and Firewall Settings
·         Configure VLAN interfaces with the following settings:
o    For the VLAN 1 interface, configure the addressing to use 192.168.10.1/24.
o    For the VLAN 2 interface, remove the default DHCP setting and configure the addressing to use 209.165.200.234/29.
·         Configure hostname, domain name, enable password, and console password using the following settings:
o    The ASA hostname is CCNAS-ASA.
o    The domain name is ccnasecurity.com.
o    The enable mode password is ciscoenapa55.
·         Create a user and configure AAA to use the local database for remote authentication.
o    Configure a local user account named admin with the password adminpa55. Do not use the encrypted attribute.
o    Configure AAA to use the local ASA database for SSH user authentication.
o    Allow SSH access from the outside host 172.30.3.3 with a timeout of 10 minutes.
·         Configure the ASA as a DHCP server using the following settings:
o    Assign IP addresses to inside DHCP clients from 192.168.10.5 to 192.168.10.30.
o    Enable DHCP to listen for DHCP client requests.
·         Configure static routing and NAT.
o    Create a static default route to the next hop router (R1) IP address.
o    Create a network object named inside-net and assign attributes to it using the subnet and nat commands.
o    Create a dynamic NAT translation to the outside interface.
·         Modify the Cisco Modular Policy Framework (MPF) on the ASA using the following settings:
o    Configure class-map inspection_default to match default-inspection-traffic, and then exit to global configuration mode.
o    Configure the policy-map list global_policy. Enter the class inspection_default and enter the command to inspect icmp. Then exit to global config mode.
o    Configure the MPF service-policy to make the global_policy apply globally.


Configuration R1:

enable
configure terminal
security passwords min-length 10
service password-encryption
enable secret ciscoenapa55
line console 0
 exec-timeout 15 0
 password ciscoconpa55
 logging synchronous
 login
 exit
!
banner motd #unauthorized#
username Admin01 privilege 15 secret Admin01pa55
aaa new-model
aaa authentication login default local enable
ip domain-name ccnasecurity.com
!
crypto key generate rsa
1024
!
ip ssh version 2
!
line vty 0 15
  transport input ssh
  exit
!
login block-for 60 attempts 2 within 30
login on-failure log
!
license boot module c1900 technology-package securityk9
y
!
end
write memory
reload


!
Admin01
Admin01pa55
enable
!
ciscoenapa55
!
configure terminal
access-list 101 permit ip 172.20.1.0 0.0.0.255 172.30.3.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 hash sha
 lifetime 3600
 exit
!
crypto isakmp key ciscovpnpa55 address 10.20.20.1
!
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 ! Incomplete
 set peer 10.20.20.1
 set pfs group5
 set transform-set VPN-SET
 match address 101
 exit
!
interface s0/0/0
 crypto map CMAP
 exit
!


Configuration R2:

enable
configure terminal
enable secret ciscoenapa55
!
line vty 0 15
 exec-timeout 15 0
 password ciscovtypa55
 login
 exit
!

Configuration R3:

enable
configure terminal
license boot module c1900 technology-package securityk9
y
end
write memory

reload
enable
configure terminal
access-list 101 permit ip 172.30.3.0 0.0.0.255 172.20.1.0 0.0.0.255
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
 hash sha
 exit
!
crypto isakmp key ciscovpnpa55 address 10.10.10.1
!
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 ! Incomplete
 set peer 10.10.10.1
 set pfs group5
 set transform-set VPN-SET
 match address 101
 exit
!
zone security IN-ZONE
zone security OUT-ZONE
exit
!
access-list 110 permit ip 172.30.3.0 0.0.0.255 any
!
class-map type inspect match-all INTERNAL-CLASS-MAP
 match access-group 110
 exit
!
policy-map type inspect IN-2-OUT-PMAP
 class type inspect INTERNAL-CLASS-MAP
  inspect
  exit
 exit
!
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
 exit
!
interface GigabitEthernet0/1
 zone-member security IN-ZONE
!
interface Serial0/0/1
 zone-member security OUT-ZONE
 crypto map CMAP
 end
!
mkdir flash:
ipsdir

!
configure terminal
ip ips config location ipsdir
ip ips name IPS-RULE
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
!
interface Serial0/0/1
 ip ips IPS-RULE in
 exit
!


Configuration S1:

enable
configure terminal
service password-encryption
enable secret ciscoenapa55
line console 0
 password ciscoconpa55
 logging synchronous
 login
 exec-timeout 5 0
!
line vty 0 15
 exec-timeout 5 0
 password ciscovtypa55
 login
 exit
!
banner motd #unauthorized#
!
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface range f0/2-5,f0/7-24,g0/1-2
 shutdown
 exit
!

Configuration S2:

enable
configure terminal
interface FastEthernet0/1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
!

Configuration ASA:

enable

configure terminal
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
interface Vlan2
 ip address 209.165.200.234 255.255.255.248
 no shutdown
 exit
!
hostname CCNAS-ASA
domain-name ccnasecurity.com
enable password ciscoenapa55
username admin password adminpa55
aaa authentication ssh console LOCAL
ssh 192.168.10.0 255.255.255.0 inside
ssh 172.30.3.3 255.255.255.255 outside
ssh timeout 10
!
dhcpd address 192.168.10.5-192.168.10.30 inside
dhcpd enable inside
!
route outside 0.0.0.0 0.0.0.0 209.165.200.233
object network inside-net
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
 exit
!
configure terminal
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
Link Download: Here

Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

[CCNAv6 S2] 2.2.2.4 Packet Tracer - Configuring IPv4 Static and Default Routes

Hình ảnh
Packet Tracer - Configuring IPv4 Static and Default Routes Addressing Table Objectives Part 1: Examine the Network and Evaluate the Need for Static Routing Part 2: Configure Static and Default Routes Part 3: Verify Connectivity Background In this activity, you will configure static and default routes. A static route is a route that is entered manually by the network administrator to create a reliable and safe route. There are four different static routes that are used in this activity: a recursive static route, a directly attached static route, a fully specified static route, and a default route. Part 1:     Examine the Network and Evaluate the Need for Static Routing a.     Looking at the topology diagram, how many networks are there in total? b.    How many networks are directly connected to R1, R2, and R3? c.     How many static routes are required by each router to reach networks that are not directly ...
Đọc thêm

[CCNAv6 S2] 8.3.1.2 Packet Tracer - Skills Integration Challenge

Hình ảnh
Packet Tracer – Skills Integration Challenge Addressing Table VLAN Port Assignments and DHCP Information Scenario In this culminating activity, you will configure VLANs, trunks, DHCP Server, DHCP relay agents, and configure a router as a DHCP client. Requirements Using the information in the tables above, implement the following requirements: ·         Create VLANs on S2 and assign VLANs to appropriate ports. Names are case-sensitive ·         Configure S2 ports for trunking. ·         Configure all non-trunk ports on S2 as access ports. ·         Configure R1 to route between VLANs. Subinterface names should match the VLAN number. ·         Configure R1 to act as a DHCP server for the VLANs attached to S2. -       Create a DHCP pool for each VLAN. Names are case-sensitive. -       Assign the ap...
Đọc thêm

[CCNAv6 S3] 7.2.3.5 Packet Tracer - Troubleshooting EIGRP for IPv4

Hình ảnh
Packet Tracer – Troubleshooting EIGRP for IPv4 Addressing Table Scenario In this activity, you will troubleshoot EIGRP neighbor issues. Use show commands to identify errors in the network configuration. Then, you will document the errors you discover and implement an appropriate solution. Finally, you will verify full end-to-end connectivity is restored. Troubleshooting Process 1.     Use testing commands to discover connectivity problems in the network and document the problem in the Documentation Table. 2.     Use verification commands to discover the source of the problem and devise an appropriate solution to implement. Document the proposed solution in the Documentation Table. 3.     Implement each solution one at a time and verify if the problem is resolved. Indicate the resolution status in the Documentation Table. 4.     If the problem is not resolved, it may be necessary to first remove the implemented solution befor...
Đọc thêm