
In this practice Packet Tracer Skills Based Assessment, you will:

- configure basic device hardening and secure network management
- configure a CBAC firewall to implement security policies
- configure devices to protect against STP attacks and to enable broadcast storm control
- configure port security and disable unused switch ports
- configure an IOS IPS
- configure a ZPF to implement security policies
- configure a site-to-site IPsec VPN

Addressing Table

Device            Interface   IP Address        Subnet Mask       Gateway          DNS Server
Internet          S0/0/0      209.165.200.225   255.255.255.252   n/a              n/a
                  S0/0/1      192.31.7.1        255.255.255.252   n/a              n/a
                  S0/1/0      198.133.219.1     255.255.255.252   n/a              n/a
                  Fa0/0       192.135.250.1     255.255.255.0     n/a              n/a
CORP              S0/0/0      209.165.200.226   255.255.255.252   n/a              n/a
                  Fa0/0       10.1.1.254        255.255.255.0     n/a              n/a
                  Fa0/1.10    172.16.10.254     255.255.255.0     n/a              n/a
                  Fa0/1.25    172.16.25.254     255.255.255.0     n/a              n/a
                  Fa0/1.99    172.16.99.254     255.255.255.0     n/a              n/a
Branch            S0/0/0      198.133.219.2     255.255.255.252   n/a              n/a
                  Fa0/0       198.133.219.62    255.255.255.224   n/a              n/a
External          S0/0/0      192.31.7.2        255.255.255.252   n/a              n/a
                  Fa0/0       192.31.7.62       255.255.255.224   n/a              n/a
External Web Svr  NIC         192.135.250.5     255.255.255.0     192.135.250.1    n/a
Public Svr        NIC         192.31.7.35       255.255.255.224   192.31.7.62      192.135.250.5
External PC       NIC         192.31.7.33       255.255.255.224   192.31.7.62      192.135.250.5
NTP/Syslog Svr    NIC         172.16.25.2       255.255.255.0     172.16.25.254    10.1.1.5
DMZ DNS Svr       NIC         10.1.1.5          255.255.255.0     10.1.1.254       192.135.250.5
DMZ Web Svr       NIC         10.1.1.2          255.255.255.0     10.1.1.254       10.1.1.5
PC0               NIC         172.16.10.5       255.255.255.0     172.16.10.254    10.1.1.5
PC1               NIC         172.16.10.10      255.255.255.0     172.16.10.254    10.1.1.5
Net Admin         NIC         172.16.25.5       255.255.255.0     172.16.25.254    10.1.1.5
Admin PC          NIC         198.133.219.35    255.255.255.224   198.133.219.62   192.135.250.5
PCB1              NIC         198.133.219.40    255.255.255.224   198.133.219.62   192.135.250.5

Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.

Step 1: Configure Basic Device Hardening for the CORP Router.

a. Configure the CORP router to only accept passwords with a minimum length of 10 characters.

CORP(config)# security passwords min-length 10

b. Configure an encrypted privileged level password of ciscoclass.

CORP(config)# enable secret ciscoclass

c. Enable password encryption for all clear text passwords in the configuration file.

CORP(config)# service password-encryption

Keep in mind what this does and does not protect: service password-encryption applies reversible Type 7 obfuscation to line and username passwords so they are not readable at a glance in show running-config. The enable secret from step b is a one-way hash and is what actually protects privileged mode.

d. Configure the console port and all vty lines with the following requirements:

Note: CORP is already configured with the username CORPADMIN and the secret password ciscoccnas.

- use the local database for login
- disconnect after being idle for 20 minutes

CORP(config)# line console 0
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 0 4
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 5 15
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0

When AAA is turned on in Step 2c, aaa new-model replaces the per-line login local with login authentication, so expect these line entries to change in the running-config at that point.

e. Disable the CDP protocol only on the link to the Internet router.

CORP(config)# interface s0/0/0
CORP(config-if)# no cdp enable

Step 2: Configure Secure Network Management for the CORP Router.

a. Enable the CORP router:

- as an NTP client to the NTP/Syslog server
- to update the router calendar (hardware clock) from the NTP time source
- to timestamp log messages
- to send logging messages to the NTP/Syslog server

CORP(config)# ntp server 172.16.25.2 key 0
CORP(config)# ntp update-calendar
CORP(config)# service timestamps log datetime msec
CORP(config)# logging host 172.16.25.2

The key 0 suffix on the ntp server line does not enable NTP authentication (that would also need ntp authenticate and an ntp authentication-key); time from 172.16.25.2 is accepted unauthenticated. Verify with show ntp status and show logging; the timestamps on syslog messages are only meaningful once the clock is synchronized.

b. Configure the CORP router to accept SSH connections. Use the following guidelines:

Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess.

- domain name is theccnas.com
- RSA encryption key pair using a modulus of 1024
- SSH version 2, timeout of 90 seconds, and 2 authentication retries
- all vty lines accept only SSH connections

CORP(config)# ip domain-name theccnas.com
CORP(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
CORP(config)# ip ssh version 2
CORP(config)# ip ssh time-out 90
CORP(config)# ip ssh authentication-retries 2
CORP(config)# line vty 0 4
CORP(config-line)# transport input ssh
CORP(config-line)# line vty 5 15
CORP(config-line)# transport input ssh
CORP(config-line)# exit

Check the result with show ip ssh. A 1024-bit modulus is what the assessment asks for; on production IOS use at least 2048 bits.

c. Configure the CORP router with AAA authentication and verify its functionality:

- AAA authentication using the local database as the default for console line and vty line access

CORP(config)# aaa new-model
CORP(config)# aaa authentication login default local
CORP(config)# aaa authorization exec default local
CORP(config)# line console 0
CORP(config-line)# login authentication default
CORP(config-line)# line vty 0 4
CORP(config-line)# login authentication default
CORP(config-line)# line vty 5 15
CORP(config-line)# login authentication default

Test the new login from a second session before closing the one you are configuring from: a typo in the method list or the username after aaa new-model is the classic way to lock yourself out of the router.
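The Step 1 and Step 2 requirements are the kind of thing worth checking automatically against a saved running-config rather than by eye. The following Python script is an added example, not part of the original activity or the answer key: it parses an IOS-style config into global lines and indented line blocks and flags each unmet requirement (minimum password length, enable secret, password encryption, idle timeout, login method, SSH-only vty lines). The SAMPLE_CONFIG it audits is a constructed snippet that deliberately misses three requirements; the function names and the MAX_IDLE_MINUTES constant are this example's own.

```python
import re

# Constructed sample running-config for this example (not captured from the
# activity). It deliberately misses three requirements: no service
# password-encryption, and line vty 5 15 has no exec-timeout and still
# accepts telnet through "transport input all".
SAMPLE_CONFIG = """\
version 15.1
service timestamps log datetime msec
hostname CORP
!
security passwords min-length 10
enable secret 5 $1$constructed$placeholderhashonly
!
ip domain-name theccnas.com
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
!
line con 0
 exec-timeout 20 0
 login local
line vty 0 4
 exec-timeout 20 0
 login local
 transport input ssh
line vty 5 15
 login local
 transport input all
!
end
"""

MAX_IDLE_MINUTES = 20   # Step 1d requirement


def parse_sections(config: str) -> dict:
    """Split an IOS config into top-level lines and indented blocks.

    Returns {"global": [top-level lines], "sections": {header: [body lines]}}.
    A "!" or blank line ends the current block. Blocks with identical
    headers would be merged, which is acceptable for this check.
    """
    top_level, sections = [], {}
    current = None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(stripped)
        elif not raw.startswith(" "):
            current = stripped
            top_level.append(current)
            sections.setdefault(current, [])
    return {"global": top_level, "sections": sections}


def audit(config: str) -> list:
    """Return one finding per unmet Step 1/2 requirement (empty list = pass)."""
    cfg = parse_sections(config)
    top = cfg["global"]
    findings = []

    matches = [re.match(r"security passwords min-length (\d+)$", l) for l in top]
    lengths = [int(m.group(1)) for m in matches if m]
    if not lengths or lengths[0] < 10:
        findings.append("global: 'security passwords min-length 10' missing or too low")
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("global: no 'enable secret' (an 'enable password' is reversible)")
    if "service password-encryption" not in top:
        findings.append("global: 'service password-encryption' not set")
    if "ip ssh version 2" not in top:
        findings.append("global: SSH not pinned to version 2")

    for header, body in cfg["sections"].items():
        if not header.startswith("line "):
            continue
        timeout = [b for b in body if b.startswith("exec-timeout")]
        if not timeout:
            findings.append(f"{header}: no exec-timeout (IOS default is 10 min; task requires 20 0)")
        else:
            fields = timeout[0].split() + ["0"]          # tolerate "exec-timeout 20"
            minutes, seconds = int(fields[1]), int(fields[2])
            if minutes == 0 and seconds == 0:
                findings.append(f"{header}: 'exec-timeout 0 0' disables the idle timeout")
            elif minutes > MAX_IDLE_MINUTES:
                findings.append(f"{header}: idle timeout {minutes} min exceeds {MAX_IDLE_MINUTES}")
        if not any(b == "login local" or b.startswith("login authentication") for b in body):
            findings.append(f"{header}: no local or AAA login method")
        if header.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{header}: vty lines must use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["all Step 1/2 hardening checks passed"]:
        print(finding)
```

Run it against the output of show running-config saved to a file; a clean run returns an empty list. The exec-timeout rule treats 0 0 as a finding on purpose, since that value disables the idle timeout entirely rather than tightening it.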

Step 3: Configure Device Hardening for Switch1.

a. Access Switch1 with username CORPADMIN, password ciscoccnas, and the enable secret password of ciscoclass.

b. Enable storm control for broadcasts on FastEthernet 0/24 with a 50 percent rising suppression level.

SW1(config)# interface fa0/24
SW1(config-if)# storm-control broadcast level 50

c. Configure Switch1 to protect against STP attacks.

- Configure PortFast on FastEthernet ports 0/1 to 0/23.
- Enable BPDU guard on FastEthernet ports 0/1 to 0/23.

SW1(config)# interface range fa0/1-23
SW1(config-if-range)# spanning-tree portfast
SW1(config-if-range)# spanning-tree bpduguard enable

The two settings belong together: PortFast skips the listening and learning states on access ports, and BPDU guard puts the port into err-disabled if a BPDU ever arrives on it, which is what stops a rogue switch plugged into an access port from taking over the root role.

d. Configure port security and disable unused ports.

- Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/23.
- Allow the MAC address to be learned dynamically and shut down the port if a violation occurs.

SW1(config)# interface range fa0/1-23
SW1(config-if-range)# switchport port-security
SW1(config-if-range)# switchport port-security maximum 2
SW1(config-if-range)# switchport port-security violation shutdown
SW1(config-if-range)# switchport port-security mac-address sticky

If switchport port-security is rejected because a port is in dynamic mode, set switchport mode access on the range first; port security is only accepted on statically configured ports. Sticky learning writes the dynamically learned addresses into the running-config, so they only survive a reload if you save it. Check the result with show port-security interface fa0/1.

Disable unused ports (Fa0/2-5, Fa0/7-10, Fa0/13-23).

SW1(config)# interface range fa0/2-5
SW1(config-if-range)# shutdown
SW1(config)# interface range fa0/7-10
SW1(config-if-range)# shutdown
SW1(config)# interface range fa0/13-23
SW1(config-if-range)# shutdown
SW1(config-if-range)# end
SW1# copy running-config startup-config


Step 4: Configure an IOS IPS on the CORP Router.

a. On the CORP router, create a directory in flash named ipsdir.

CORP# mkdir ipsdir

b. Configure the IPS signature storage location to be flash:ipsdir.

CORP(config)# ip ips config location flash:ipsdir/ retries 1

c. Create an IPS rule named corpips.

CORP(config)# ip ips name corpips

d. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.

CORP(config)# ip ips signature-category
CORP(config-ips-category)# category all
CORP(config-ips-category-action)# retired true
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# category ios_ips basic
CORP(config-ips-category-action)# retired false
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# exit
Do you want to accept these changes? [confirm] [Enter]

Retiring the all category first and then unretiring only ios_ips basic is deliberate: it keeps the router from trying to compile the complete signature set, which a branch router does not have the memory for.

e. Apply the IPS rule to the Fa0/0 interface.

CORP(config)# interface fa0/0
CORP(config-if)# ip ips corpips out

f. Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0); enable the signature; modify the signature event-action to produce an alert and to deny packets that match the signature.

CORP(config)# ip ips signature-definition
CORP(config-sigdef)# signature 2004 0
CORP(config-sigdef-sig)# status
CORP(config-sigdef-sig-status)# retired false
CORP(config-sigdef-sig-status)# enabled true
CORP(config-sigdef-sig-status)# exit
CORP(config-sigdef-sig)# engine
CORP(config-sigdef-sig-engine)# event-action produce-alert
CORP(config-sigdef-sig-engine)# event-action deny-packet-inline
CORP(config-sigdef-sig-engine)# exit
CORP(config-sigdef-sig)# exit
CORP(config-sigdef)# exit
Do you want to accept these changes? [confirm] [Enter]

On a physical router you would also have to load a signature package (and the Cisco public key used to verify it) before any signature can fire; Packet Tracer skips that part.

g. Verify that IPS is working properly. Because the rule is applied outbound on Fa0/0, echo requests leaving CORP toward the DMZ are dropped: Net Admin in the internal network cannot ping DMZ Web Svr. DMZ Web Svr, however, can ping Net Admin, since its echo requests enter Fa0/0 inbound (not inspected) and the replies are not echo requests. Use show ip ips all to confirm the rule, the storage location and the active signature.

Step 5: Configure ACLs and CBAC on the CORP Router to Implement the Security Policy.

a. Create ACL 12 to implement the security policy regarding the access to the vty lines:

- Only users connecting from Net Admin and Admin PC are allowed access to the vty lines.

CORP(config)# access-list 12 permit host 172.16.25.5
CORP(config)# access-list 12 permit host 198.133.219.35
CORP(config)# line vty 0 4
CORP(config-line)# access-class 12 in
CORP(config-line)# line vty 5 15
CORP(config-line)# access-class 12 in
b. Create, apply, and verify an extended named ACL (named DMZFIREWALL) to filter incoming traffic to the DMZ. The ACL should be created in the order specified in the following guidelines (the order of ACL statements is significant only because of the scoring need in Packet Tracer):

1. HTTP traffic is allowed to DMZ Web Svr.
2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Svr.
3. All traffic from 172.16.25.0/24 is allowed to enter the DMZ.
4. FTP traffic from the Branch administrator workstation is allowed to DMZ Web Svr.

CORP(config)# ip access-list extended DMZFIREWALL
CORP(config-ext-nacl)# permit tcp any host 10.1.1.2 eq www
CORP(config-ext-nacl)# permit tcp any host 10.1.1.5 eq domain
CORP(config-ext-nacl)# permit udp any host 10.1.1.5 eq domain
CORP(config-ext-nacl)# permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255
CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp
CORP(config-ext-nacl)# exit
CORP(config)# interface fa0/0
CORP(config-if)# ip access-group DMZFIREWALL out

Anything not listed is dropped by the implicit deny at the end of the list; that is what blocks FTP from PC1 and PCB1 in the tests below. Note that eq ftp matches only the FTP control channel (TCP 21); on a real network the data channel, active or passive, would need stateful inspection or additional entries.
c. To verify the DMZFIREWALL ACL, complete the following tests:

- Admin PC in the branch office can access the URL http://www.theccnas.com;
- Admin PC can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco;
- PCB1 cannot open an FTP session to the DMZ Web Svr;
- Net Admin can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco; and
- PC1 cannot open an FTP session to the DMZ Web Svr.

d. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router. The ACL should be created in the order specified in the following guidelines (the order of ACL statements is significant only because of the scoring need in Packet Tracer):

1. Allow HTTP traffic to the DMZ Web Svr.
2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Svr.
3. Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on the CORP router.
4. Allow IP traffic from the Branch router serial interface into the CORP router.
5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP site (209.165.200.240/28).

CORP(config)# ip access-list extended INCORP
CORP(config-ext-nacl)# permit tcp any host 209.165.200.241 eq www
CORP(config-ext-nacl)# permit tcp any host 209.165.200.242 eq domain
CORP(config-ext-nacl)# permit udp any host 209.165.200.242 eq domain
CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
CORP(config-ext-nacl)# permit ip host 198.133.219.2 host 209.165.200.226
CORP(config-ext-nacl)# permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
CORP(config-ext-nacl)# exit
CORP(config)# interface s0/0/0
CORP(config-if)# ip access-group INCORP in

From the Internet the DMZ servers are reached at their public addresses in the CORP range (209.165.200.241 for DMZ Web Svr, 209.165.200.242 for DMZ DNS Svr), which is why those addresses, and not 10.1.1.x, appear here. Entry 4 is also what admits the ISAKMP (UDP 500) and ESP traffic from the Branch router's serial address when the Step 7 VPN is built.

e. To verify the INCORP ACL, complete the following tests:

- Admin PC in the branch office can access the URL http://www.theccnas.com;
- Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the username SSHAccess and password ciscosshaccess;
- PCB1 cannot establish an SSH connection to the CORP router (209.165.200.226); and
- External PC cannot establish an SSH connection to the CORP router (209.165.200.226).
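The verification lists in steps 5c and 5e can be reasoned through before touching the routers, by modelling how IOS evaluates an extended ACL: entries are tried in order, the first match decides, and anything unmatched hits the implicit deny at the end. The following Python script is an added example, not part of the original activity; it encodes the DMZFIREWALL and INCORP lists exactly as configured above, resolves the named ports (www, domain, ftp, 22), and replays the page's test cases using the host addresses from the addressing table. The Packet and Ace classes and the helper names are this example's own, and the model deliberately ignores the dynamic entries CBAC adds in step f.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of IOS extended-ACL evaluation: first matching entry wins,
# and an unmatched packet hits the implicit "deny any" at the end of the list.
# It covers only what the two ACLs use (protocol, source, destination,
# destination port) and does not model CBAC's dynamic return-traffic entries.

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (address + wildcard)
    dst: str
    dport: Optional[int] = None  # None = any destination port


PORTS = {"www": 80, "domain": 53, "ftp": 21, "ssh": 22}


def wildcard_match(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    parts = spec.split()
    base, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    a = int(ipaddress.IPv4Address(addr))
    care = ~w & 0xFFFFFFFF
    return (b & care) == (a & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(ace.src, pkt.src) and wildcard_match(ace.dst, pkt.dst)):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE); index None means the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None


# The two lists exactly as configured in steps 5b and 5d (named ports resolved).
DMZFIREWALL = [
    Ace("permit", "tcp", "any", "host 10.1.1.2", PORTS["www"]),
    Ace("permit", "tcp", "any", "host 10.1.1.5", PORTS["domain"]),
    Ace("permit", "udp", "any", "host 10.1.1.5", PORTS["domain"]),
    Ace("permit", "ip", "172.16.25.0 0.0.0.255", "10.1.1.0 0.0.0.255"),
    Ace("permit", "tcp", "host 198.133.219.35", "host 10.1.1.2", PORTS["ftp"]),
]

INCORP = [
    Ace("permit", "tcp", "any", "host 209.165.200.241", PORTS["www"]),
    Ace("permit", "tcp", "any", "host 209.165.200.242", PORTS["domain"]),
    Ace("permit", "udp", "any", "host 209.165.200.242", PORTS["domain"]),
    Ace("permit", "tcp", "host 198.133.219.35", "host 209.165.200.226", PORTS["ssh"]),
    Ace("permit", "ip", "host 198.133.219.2", "host 209.165.200.226"),
    Ace("permit", "ip", "198.133.219.32 0.0.0.31", "209.165.200.240 0.0.0.15"),
]

# The tests from steps 5c and 5e as packets; host addresses come from the addressing table.
PAGE_TESTS = [
    ("Admin PC FTP -> DMZ Web Svr", DMZFIREWALL, Packet("tcp", "198.133.219.35", "10.1.1.2", 21), "permit"),
    ("PCB1 FTP -> DMZ Web Svr", DMZFIREWALL, Packet("tcp", "198.133.219.40", "10.1.1.2", 21), "deny"),
    ("Net Admin FTP -> DMZ Web Svr", DMZFIREWALL, Packet("tcp", "172.16.25.5", "10.1.1.2", 21), "permit"),
    ("PC1 FTP -> DMZ Web Svr", DMZFIREWALL, Packet("tcp", "172.16.10.10", "10.1.1.2", 21), "deny"),
    ("Admin PC SSH -> CORP s0/0/0", INCORP, Packet("tcp", "198.133.219.35", "209.165.200.226", 22), "permit"),
    ("PCB1 SSH -> CORP s0/0/0", INCORP, Packet("tcp", "198.133.219.40", "209.165.200.226", 22), "deny"),
    ("External PC SSH -> CORP s0/0/0", INCORP, Packet("tcp", "192.31.7.33", "209.165.200.226", 22), "deny"),
]


def run_page_tests() -> bool:
    """True when the model reproduces every expected result from steps 5c and 5e."""
    ok = True
    for label, acl, pkt, expected in PAGE_TESTS:
        action, idx = evaluate(acl, pkt)
        where = "implicit deny" if idx is None else f"ACE {idx}"
        print(f"{label:32} {action:6} via {where}")
        ok &= action == expected
    return ok


if __name__ == "__main__":
    run_page_tests()
```

Reading the "via" column is the useful part: PCB1's FTP attempt is not rejected by any written entry, it simply falls off the end of DMZFIREWALL, while Net Admin is admitted by the broad permit ip entry rather than the FTP-specific one. Packets that a later step inspects with CBAC (replies to sessions CORP's inside hosts open) are not represented here and would all show as implicit deny.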

f. Create and apply a CBAC inspection rule (named INTOCORP) to inspect ICMP, TCP, and UDP traffic between the CORP internal network and any other network.

CORP(config)# ip inspect name INTOCORP icmp
CORP(config)# ip inspect name INTOCORP tcp
CORP(config)# ip inspect name INTOCORP udp

g. Enable CBAC audit messages to be sent to the syslog server.

CORP(config)# ip inspect audit-trail
CORP(config)# interface s0/0/0
CORP(config-if)# ip inspect INTOCORP out

Applying the inspection outbound on s0/0/0 makes CBAC track sessions leaving toward the Internet and temporarily open the matching return traffic through the INCORP ACL applied inbound on the same interface. Without it, every reply to an internally initiated session would be dropped by INCORP's implicit deny. Confirm with show ip inspect sessions while one of the test connections below is open; the audit-trail messages arrive at the syslog server configured in Step 2.

h. Verify the CBAC firewall configuration.

- PC1 can access the External Web Svr (www.externalone.com).
- PC1 can establish an SSH connection to the External router with username SSHadmin and password ciscosshpa55.
- Admin PC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess.

Step 6: Configure a Zone-Based Policy Firewall on the Branch Router.

a. Access the Branch router with username CORPADMIN, password ciscoccnas and the enable secret password of ciscoclass.

b. On the Branch router, create the firewall zones.

- Create an internal zone named BR-IN-ZONE.
- Create an external zone named BR-OUT-ZONE.

Branch(config)# zone security BR-IN-ZONE
Branch(config-sec-zone)# exit
Branch(config)# zone security BR-OUT-ZONE
Branch(config-sec-zone)# exit

c. Define a traffic class and access list.

Create an ACL (ACL 110) to permit all protocols from the 198.133.219.32/27 network to any destination.

Branch(config)# access-list 110 permit ip 198.133.219.32 0.0.0.31 any

Create a class map using the option of class map type inspect with the match-all keyword. Match the ACL 110 and name the class map BR-IN-CLASS-MAP.

Branch(config)# class-map type inspect match-all BR-IN-CLASS-MAP
Branch(config-cmap)# match access-group 110

d. Specify firewall policies.

Create a policy map named BR-IN-OUT-PMAP. Use the BR-IN-CLASS-MAP class map. Specify the action of inspect for this policy map.

Branch(config)# policy-map type inspect BR-IN-OUT-PMAP
Branch(config-pmap)# class type inspect BR-IN-CLASS-MAP
Branch(config-pmap-c)# inspect

e. Apply the firewall.

Create a pair of zones named IN-OUT-ZPAIR with the source as BR-IN-ZONE and destination as BR-OUT-ZONE.

Branch(config)# zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE

Specify the policy map BR-IN-OUT-PMAP for handling the traffic between the two zones.

Branch(config-sec-zone-pair)# service-policy type inspect BR-IN-OUT-PMAP

Assign interfaces to the appropriate security zones.

Branch(config)# interface fa0/0
Branch(config-if)# zone-member security BR-IN-ZONE
Branch(config-if)# interface s0/0/0
Branch(config-if)# zone-member security BR-OUT-ZONE

Only one zone pair, inside to outside, is defined. Traffic initiated from BR-OUT-ZONE toward BR-IN-ZONE has no policy and is dropped by default, while replies to sessions that the inspect action has recorded are allowed back; that is why External PC cannot ping Admin PC in the tests below even though Admin PC can ping out. Traffic to and from the router itself (the self zone) is not affected by these zones, so management access to Branch keeps working.

f. Verify the ZPF configuration.

- The Admin PC in the Branch office can access the URLs http://www.theccnas.com and http://www.externalone.com.
- The Admin PC in the Branch office can ping the External PC (192.31.7.33).
- External PC cannot ping the Admin PC in the Branch office (198.133.219.35).
- The Admin PC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess. If you get the CORP> prompt, then your configuration is correct.

Step 7: Configure a Site-to-Site IPsec VPN between the CORP router and the Branch Router.

The following tables list the parameters for the ISAKMP Phase 1 Policy and the IPsec Phase 2 Policy:

ISAKMP Phase 1 Policy Parameters

Parameters                 CORP Router     Branch Router
Key Distribution Method    ISAKMP          ISAKMP
Encryption Algorithm       AES             AES
Number of Bits             256             256
Hash Algorithm             SHA-1           SHA-1
Authentication Method      Pre-share       Pre-share
Key Exchange               DH 2            DH 2
IKE SA Lifetime            86400           86400
ISAKMP Key                 Vpnpass101      Vpnpass101

IPsec Phase 2 Policy Parameters

Parameters                 CORP Router              Branch Router
Transform Set Name         VPN-SET                  VPN-SET
Transform Set              esp-3des esp-sha-hmac    esp-3des esp-sha-hmac
Peer Host Name             Branch                   CORP
Peer IP Address            198.133.219.2            209.165.200.226
Network to be Encrypted    209.165.200.240/28       198.133.219.32/27
Crypto Map Name            VPN-MAP                  VPN-MAP
SA Establishment           ipsec-isakmp             ipsec-isakmp

Both sides must agree on every Phase 1 attribute and on the transform set, and the two crypto ACLs must be exact mirror images of each other, or the tunnel will not come up. 3DES and DH group 2 are what this assessment specifies; they are deprecated for new deployments, where AES in the transform set and DH group 14 or higher would be used.

a. Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).

CORP(config)# access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31

b. Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters table for the specific details needed.

CORP(config)# crypto isakmp policy 10
CORP(config-isakmp)# encryption aes 256
CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)# group 2
CORP(config-isakmp)# lifetime 86400          (default, optional)
CORP(config-isakmp)# hash sha                (default, optional)
CORP(config-isakmp)# exit
CORP(config)# crypto isakmp key Vpnpass101 address 198.133.219.2

c. Configure the IPsec Phase 2 properties on the CORP router. Refer to the IPsec Phase 2 Policy Parameters table for the specific details needed.

CORP(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
CORP(config)# crypto map VPN-MAP 10 ipsec-isakmp
CORP(config-crypto-map)# set peer 198.133.219.2
CORP(config-crypto-map)# set transform-set VPN-SET
CORP(config-crypto-map)# match address 120

d. Bind the VPN-MAP crypto map to the outgoing interface.

CORP(config)# interface s0/0/0
CORP(config-if)# crypto map VPN-MAP
CORP(config-if)# end

e. Configure IPsec parameters on the Branch router using the same parameters as on the CORP router. Note that the interesting traffic is defined as the IP traffic between the two LANs, with source and destination swapped relative to the CORP ACL.

Branch(config)# access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
Branch(config)# crypto isakmp policy 10
Branch(config-isakmp)# encryption aes 256
Branch(config-isakmp)# authentication pre-share
Branch(config-isakmp)# group 2
Branch(config-isakmp)# lifetime 86400          (default, optional)
Branch(config-isakmp)# hash sha                (default, optional)
Branch(config-isakmp)# exit
Branch(config)# crypto isakmp key Vpnpass101 address 209.165.200.226
Branch(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
Branch(config)# crypto map VPN-MAP 10 ipsec-isakmp
Branch(config-crypto-map)# set peer 209.165.200.226
Branch(config-crypto-map)# set transform-set VPN-SET
Branch(config-crypto-map)# match address 120
Branch(config-crypto-map)# exit
Branch(config)# interface s0/0/0
Branch(config-if)# crypto map VPN-MAP
Branch(config-if)# end
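Before bringing the tunnel up it pays to check the two sides against each other, because mismatched Phase 1 proposals and non-mirrored crypto ACLs are the usual reasons an IPsec tunnel never gets past the first ISAKMP exchange. The following Python script is an added example, not part of the original activity: it loads the values from the two Step 7 tables into a small VpnSide structure of its own (the class, field and function names are this example's), converts each crypto ACL's address/wildcard pairs into CIDR blocks so typos in the wildcard show up, and reports every inconsistency it can detect offline. The CORP and BRANCH objects hold the page's values; the mutated copies in the usage note are constructed to show what a finding looks like.

```python
import ipaddress
from dataclasses import dataclass

# Added example: offline consistency check for the Step 7 site-to-site VPN.
# VpnSide and its field names are this example's own; the values filled in
# below are the ones from the Phase 1 and Phase 2 tables.

@dataclass
class VpnSide:
    name: str
    public_ip: str          # address the crypto map is bound to (the serial interface)
    peer_ip: str            # "set peer" / "crypto isakmp key ... address"
    psk: str
    isakmp: dict            # Phase 1 policy attributes
    transform_set: tuple    # Phase 2 transforms
    crypto_acl: str         # the "permit ip ..." entry of the interesting-traffic ACL


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair to a CIDR block.

    Raises ValueError for a non-contiguous wildcard or a base address that is
    not on the block boundary, both typical typos in crypto ACLs.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=True)


def parse_crypto_acl(ace: str):
    """'permit ip A Wa B Wb' -> (source network, destination network)."""
    parts = ace.split()
    if parts[:2] != ["permit", "ip"] or len(parts) != 6:
        raise ValueError(f"unsupported crypto ACE: {ace!r}")
    return wildcard_to_network(parts[2], parts[3]), wildcard_to_network(parts[4], parts[5])


def compare_vpn(a: VpnSide, b: VpnSide) -> list:
    """Return a list of mismatch descriptions; an empty list means the two sides agree."""
    findings = []
    # Phase 1: every proposal attribute has to match or IKE negotiation fails.
    for key in sorted(set(a.isakmp) | set(b.isakmp)):
        if a.isakmp.get(key) != b.isakmp.get(key):
            findings.append(f"isakmp {key}: {a.name}={a.isakmp.get(key)} {b.name}={b.isakmp.get(key)}")
    if a.psk != b.psk:
        findings.append("pre-shared keys differ")
    if a.peer_ip != b.public_ip or b.peer_ip != a.public_ip:
        findings.append("peer addresses do not cross-reference")
    if set(a.transform_set) != set(b.transform_set):
        findings.append(f"transform sets differ: {a.transform_set} vs {b.transform_set}")
    # Phase 2: the crypto ACLs must be mirror images or one direction never matches a SA.
    try:
        a_src, a_dst = parse_crypto_acl(a.crypto_acl)
        b_src, b_dst = parse_crypto_acl(b.crypto_acl)
    except ValueError as exc:
        findings.append(f"crypto ACL invalid: {exc}")
        return findings
    if (a_src, a_dst) != (b_dst, b_src):
        findings.append(f"crypto ACLs are not mirrored: {a.name} {a_src}->{a_dst}, {b.name} {b_src}->{b_dst}")
    return findings


PHASE1 = {"encryption": "aes 256", "hash": "sha", "authentication": "pre-share",
          "group": 2, "lifetime": 86400}

CORP = VpnSide("CORP", "209.165.200.226", "198.133.219.2", "Vpnpass101", dict(PHASE1),
               ("esp-3des", "esp-sha-hmac"),
               "permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31")
BRANCH = VpnSide("Branch", "198.133.219.2", "209.165.200.226", "Vpnpass101", dict(PHASE1),
                 ("esp-3des", "esp-sha-hmac"),
                 "permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15")

if __name__ == "__main__":
    problems = compare_vpn(CORP, BRANCH)
    print("OK: both sides agree" if not problems else "\n".join(problems))
```

With the page's values the check returns an empty list. Change Branch's group to 5, or mistype its second wildcard as 0.0.0.31, and the corresponding finding appears (the latter is caught because 209.165.200.240 is not on a /27 boundary). The check is a complement to, not a replacement for, show crypto isakmp sa and show crypto ipsec sa on the routers once traffic flows.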
f. Save the running-config, then reload both CORP and Branch routers.

CORP# copy running-config startup-config
Branch# copy running-config startup-config

g. Verify the VPN configuration by conducting an FTP session with the username cisco and the password cisco from the Admin PC to the DMZ Web Svr. On the Branch router, check that the packets are encrypted: show crypto ipsec sa should list the 198.133.219.32/27 to 209.165.200.240/28 identity with non-zero #pkts encaps and #pkts decaps counters, and show crypto isakmp sa should show the CORP peer in the QM_IDLE state. To exit the FTP session, type quit.

That's all. I'm not sure which version this Packet Tracer Activity is, since it's not mine. This CCNA Security SBA was contributed by Viktorcsn. Either it's version 1.0 or version 1.1. However, I noticed that this SBA practice has been published and shared on some websites. I'm not sure if this practice will be helpful to all of you guys, but I just try to spread it so that maybe someone who is in need may get this resource more easily. So finally, thank you to Viktorcsn for the contribution. If you guys have the latest version of CCNA Security or anything to share that will benefit all of us, please do not hesitate to drop me an email. Hope it will bring success to all of us.
