
Cisco Certified Network Professional

ISCW

Lab Manual

Developed by : M.Irfan Ghauri


Ovais Iqbal

Etronics Solution Provider


C 32 / 1 Block-5, Copyright 2007
Gulshan-e-Iqbal, Karachi. ESP Press
Ph #021-6034003
NO.  LAB DESCRIPTION                                PAGE NO.

 1   Site-to-Site VPN using CLI                         2
 2   Site-to-Site VPN using SDM                         5
 3   GRE over IPSec using CLI                          17
 4   GRE over IPSec using SDM                          22
 5   Establish Easy VPN between Router and PC          35
 6   Configure AutoSecure in Router using SDM          52
 7   Configure One-step Lockdown using SDM             62
 8   Configuring SNMP                                  65
 9   Configuring NTP                                   75
10   Configuring Syslog Server                         76
11   Configure SSH                                     78
12   Configure AAA server                              81
13   Configuring Firewall Feature Set using SDM        88
14   Configure IPS                                     94

1
Etronics Solution Provider
Lab # 1

Site-to-Site VPN using CLI


Objective

Establish a site-to-site VPN between two VPN gateways, i.e. Router A and Router B,
using pre-shared keys for authentication.

Diagram

Router A (WAN 11.0.0.1, LAN 10.0.0.10) <---> Router B (WAN 11.0.0.2, LAN 20.0.0.10)
PC-A 10.0.0.1 on the LAN of Router A; PC-B 20.0.0.1 on the LAN of Router B

Configuration
1) Bring up the connections and ping end to end (use static routes to provide
connectivity between the end devices).

2) Configure Router A as shown below.

First enable ISAKMP

RouterA(config)# crypto isakmp enable (optional)

Configure the ISAKMP policy used for phase 1 negotiation

RouterA(config)# crypto isakmp policy 10


RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# group 2

Configure pre-shared authentication key

RouterA(config)# crypto isakmp key cisco123 address 11.0.0.2

Configure the crypto ACL to define which traffic to protect

RouterA(config)# access-list 111 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255

Configure IPSec transform-set

RouterA(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac

Configure Crypto-map

RouterA(config)# crypto map mymap 10 ipsec-isakmp


RouterA(config-crypto-map)# match address 111
RouterA(config-crypto-map)# set peer 11.0.0.2
RouterA(config-crypto-map)# set transform-set aset

Apply the crypto map to the WAN interface

RouterA(config)# int s 0
RouterA(config-if)# crypto map mymap

3) Configure Router B as shown below.

First enable ISAKMP

RouterB(config)# crypto isakmp enable (optional)

Configure the ISAKMP policy used for phase 1 negotiation

RouterB(config)# crypto isakmp policy 10


RouterB(config-isakmp)# authentication pre-share
RouterB(config-isakmp)# encryption des
RouterB(config-isakmp)# hash md5
RouterB(config-isakmp)# group 2

Configure pre-shared authentication key

RouterB(config)# crypto isakmp key cisco123 address 11.0.0.1

Configure the crypto ACL to define which traffic to protect (the mirror image of
the ACL on Router A; "host" takes a single address and cannot be combined with a
wildcard mask)

RouterB(config)# access-list 111 permit ip 20.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

Configure IPSec transform-set

RouterB(config)# crypto ipsec transform-set bset esp-des esp-md5-hmac

Configure Crypto-map

RouterB(config)# crypto map mymap 10 ipsec-isakmp


RouterB(config-crypto-map)# match address 111
RouterB(config-crypto-map)# set peer 11.0.0.1
RouterB(config-crypto-map)# set transform-set bset

Apply the crypto map to the WAN interface

RouterB(config)# int s 0
RouterB(config-if)# crypto map mymap

Lab # 2

Site-to-Site VPN using SDM

Objective
Establish a site-to-site VPN between two VPN gateways, i.e. Router A and Router B,
using SDM.

Diagram

Router A (WAN 11.0.0.1, LAN 10.0.0.10) <---> Router B (WAN 11.0.0.2)
PC-A 10.0.0.1 on the LAN of Router A

Configuration
1) Bring up the connections and ping end to end.
2) From PC-A, open a browser and enter the following URL:
http://10.0.0.10

3) Now the following window appears. Click on the Configure tab at the top.

4) Clicking on the Configure tab opens the list of available configuration options.
Select VPN from the left menu, then click the Create Site to Site VPN radio button
and click the Launch the selected task button to launch the wizard.

5) The wizard now starts. Click on the Step by step wizard radio button and
then click Next.

6) In the following window:
1. Select the interface that is connected to Router B.
2. Specify that the peer uses a static IP address.
3. Enter the peer's IP address.
4. Enter the pre-shared key used for authentication in ISAKMP phase 1.

7) In this window we define the transform set for phase 1. Click on the Add
button to define our own transform set.

8) In this window, define your own parameters for the transform set and then
click OK.

9) Now click Next.

10) In this window you may define the transform set for IPSec (phase 2)
negotiation.

11) Now define the required parameters and click OK.

12) Now we can see that the user-defined transform set is listed. Click Next to
continue.

13) Now define the traffic to be protected.
14) Now the following window appears, indicating that the wizard is complete.
15) Click on the Start button to test the tunnel connectivity.

16) If all the configuration goes well, you should see the following screen.

Note: test the tunnel connectivity only after you have configured
Router B for IPSec!

Configure Router B as shown below.

First enable ISAKMP

RouterB(config)# crypto isakmp enable (optional)

Configure the ISAKMP policy used for phase 1 negotiation

RouterB(config)# crypto isakmp policy 10


RouterB(config-isakmp)# authentication pre-share
RouterB(config-isakmp)# encryption des
RouterB(config-isakmp)# hash md5
RouterB(config-isakmp)# group 2

Configure pre-shared authentication key

RouterB(config)# crypto isakmp key cisco123 address 11.0.0.1

Configure the crypto ACL to define which traffic to protect

RouterB(config)# access-list 111 permit ip host 11.0.0.2 host 11.0.0.1

Configure IPSec transform-set

RouterB(config)# crypto ipsec transform-set bset esp-des esp-md5-hmac

Configure Crypto-map
RouterB(config)# crypto map mymap 10 ipsec-isakmp
RouterB(config-crypto-map)# match address 111
RouterB(config-crypto-map)# set peer 11.0.0.1
RouterB(config-crypto-map)# set transform-set bset

Apply the crypto map to the Ethernet interface

RouterB(config)# int eth 0


RouterB(config-if)# crypto map mymap

Lab # 3

GRE over IPSec using CLI


Objective
Establish GRE over IPSec between Router A and Router B and enable EIGRP routing
between Router A and Router B.

Diagram

Router A (S0 11.0.0.1, LAN 10.0.0.10, Tunnel0 15.0.0.1)
  <---> Router C (S0 11.0.0.2, S1 12.0.0.1) <--->
Router B (S0 12.0.0.2, LAN 20.0.0.10, Tunnel0 15.0.0.2)
PC-A 10.0.0.1 on the LAN of Router A; PC-B 20.0.0.1 on the LAN of Router B

Configuration
1) Configure Router C as shown below.
RouterC(config)# interface serial 0
RouterC(config-if)# ip address 11.0.0.2 255.0.0.0
RouterC(config-if)# no shutdown
RouterC(config-if)# clock rate 64000
RouterC(config-if)# end

RouterC(config)# interface serial 1
RouterC(config-if)# ip address 12.0.0.1 255.0.0.0
RouterC(config-if)# no shutdown
RouterC(config-if)# clock rate 64000
RouterC(config-if)# end

2) Configure RouterA as follows.

2-a) Configure a static route to the peer Router B's network 12.0.0.0

RouterA(config)# ip route 12.0.0.0 255.0.0.0 11.0.0.2

2-b) Configure the GRE tunnel on Router A (the tunnel destination must be the
global IP address of the peer router)

RouterA(config)# interface tunnel 0
RouterA(config-if)# ip address 15.0.0.1 255.0.0.0
RouterA(config-if)# no shutdown
RouterA(config-if)# tunnel source serial 0
RouterA(config-if)# tunnel destination 12.0.0.2
RouterA(config-if)# exit

3) Configure Router B as follows.

3-a) Configure a static route to the peer Router A's network 11.0.0.0

RouterB(config)# ip route 11.0.0.0 255.0.0.0 12.0.0.1

3-b) Configure the GRE tunnel on Router B (the tunnel destination must be the
global IP address of the peer router)

RouterB(config)# interface tunnel 0
RouterB(config-if)# ip address 15.0.0.2 255.0.0.0
RouterB(config-if)# no shutdown
RouterB(config-if)# tunnel source serial 0
RouterB(config-if)# tunnel destination 11.0.0.1
RouterB(config-if)# exit

Verification
To verify the tunnel formation, from Router A ping 10.0.0.2 and from Router B ping
10.0.0.1; if the ping is successful the tunnel is formed.
Use this command as well to verify the tunnel information:

show ip interface brief

Now configure IPSec between Router A and Router B.

4) Configure Router A as follows.

First enable ISAKMP

RouterA(config)# crypto isakmp enable (optional)

Configure pre-shared authentication key

RouterA(config)# crypto isakmp key cisco123 address 12.0.0.2

Configure the ISAKMP policy used for phase 1 negotiation

RouterA(config)# crypto isakmp policy 10


RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# group 2

Configure the crypto ACL to define which traffic to protect (only the GRE
packets between the two tunnel endpoints)


RouterA(config)# access-list 111 permit gre host 11.0.0.1 host 12.0.0.2

Configure IPSec transform-set

RouterA(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac

Configure Crypto-map

RouterA(config)# crypto map mymap 10 ipsec-isakmp


RouterA(config-crypto-map)# match address 111
RouterA(config-crypto-map)# set peer 12.0.0.2
RouterA(config-crypto-map)# set transform-set aset

Apply the crypto map to the WAN interface

RouterA(config)# int s 0
RouterA(config-if)# crypto map mymap

Apply the crypto map to the Tunnel interface

RouterA(config)# int tunnel 0


RouterA(config-if)# crypto map mymap

5) Configure Router B as follows.

First enable ISAKMP

RouterB(config)# crypto isakmp enable (optional)

Configure the ISAKMP policy used for phase 1 negotiation

RouterB(config)# crypto isakmp policy 10


RouterB(config-isakmp)# authentication pre-share
RouterB(config-isakmp)# encryption des
RouterB(config-isakmp)# hash md5
RouterB(config-isakmp)# group 2

Configure pre-shared authentication key

RouterB(config)# crypto isakmp key cisco123 address 11.0.0.1

Configure the crypto ACL to define which traffic to protect


RouterB(config)# access-list 111 permit gre host 12.0.0.2 host 11.0.0.1

Configure IPSec transform-set

RouterB(config)# crypto ipsec transform-set bset esp-des esp-md5-hmac

Configure Crypto-map

RouterB(config)# crypto map mymap 10 ipsec-isakmp


RouterB(config-crypto-map)# match address 111
RouterB(config-crypto-map)# set peer 11.0.0.1
RouterB(config-crypto-map)# set transform-set bset

Apply the crypto map to the WAN interface

RouterB(config)# int s 0
RouterB(config-if)# crypto map mymap

Apply the crypto map to the Tunnel interface

RouterB(config)# int tunnel 0


RouterB(config-if)# crypto map mymap

Verification

Ping end to end from both routers and notice the added delay in the ping return time.
Use this command to verify the VPN establishment:
show crypto ipsec sa

6-a) Enable EIGRP on Router A

RouterA(config)# router eigrp 100


RouterA(config-router)# network 10.0.0.0
RouterA(config-router)# network 11.0.0.0
RouterA(config-router)# network 15.0.0.0

6-b) Enable EIGRP on Router B

RouterB(config)# router eigrp 100


RouterB(config-router)# network 20.0.0.0
RouterB(config-router)# network 12.0.0.0
RouterB(config-router)# network 15.0.0.0
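A way to check that the two halves of these configurations really mirror each other, for the site-to-site pair of Lab 1 as well as the GRE-protecting pair above: an added Python example, not code from the manual. It assumes only the prompt format the labs print and the WAN addresses from the diagrams; `parse_crypto`, `check_peers` and `lab1_findings` are names chosen here.

```python
"""Mirror check for a site-to-site IPsec pair (Labs 1 and 3 of this manual).
Added example, not from the manual: it parses RouterA/RouterB CLI lines as
printed in the labs and reports what would stop IKE phase 1 or phase 2."""
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips "RouterA(config-if)# "

def _addr(t, i):
    """ACL address spec at t[i]: "host X" or "X WILDCARD" -> (ip, wildcard, next)."""
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_crypto(session, wan_ip):
    """Collect the crypto-relevant commands from a config-mode transcript."""
    cfg = {"wan": wan_ip, "policy": {}, "keys": {}, "acl": {}, "map": {}, "applied": []}
    iface = None
    for raw in session.splitlines():
        t = PROMPT.sub("", raw.strip()).split()
        if not t:
            continue
        if t[0] in ("authentication", "encryption", "hash", "group") and len(t) == 2:
            cfg["policy"][t[0]] = t[1]                 # config-isakmp attributes
        elif t[:3] == ["crypto", "isakmp", "key"]:     # crypto isakmp key [0] SECRET address PEER
            cfg["keys"][t[-1]] = t[4] if t[3] == "0" else t[3]
        elif t[0] == "access-list" and t[2] == "permit":
            src, swc, i = _addr(t, 4)
            dst, dwc, _ = _addr(t, i)
            cfg["acl"].setdefault(t[1], []).append((t[3], src, swc, dst, dwc))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tset"] = tuple(sorted(t[4:]))         # the set's name is local only
        elif t[:2] == ["match", "address"]:
            cfg["map"]["acl"] = t[2]
        elif t[:2] == ["set", "peer"]:
            cfg["map"]["peer"] = t[2]
        elif t[0] in ("int", "interface"):
            iface = " ".join(t[1:])
        elif t[:2] == ["crypto", "map"] and len(t) == 3:  # "crypto map NAME" on an interface
            cfg["applied"].append(iface)
    return cfg

def check_peers(a, b):
    """Mismatches between two parsed peers; an empty list means consistent."""
    issues = []
    for side, me, other in (("A", a, b), ("B", b, a)):
        if me["map"].get("peer") != other["wan"]:
            issues.append(f"{side}: set peer {me['map'].get('peer')} is not {other['wan']}")
        if other["wan"] not in me["keys"]:
            issues.append(f"{side}: no pre-shared key bound to {other['wan']}")
        if not me["applied"]:
            issues.append(f"{side}: crypto map not applied to any interface")
    if a["policy"] != b["policy"]:
        issues.append(f"ISAKMP policies differ: {a['policy']} vs {b['policy']}")
    if set(a["keys"].values()) != set(b["keys"].values()):
        issues.append("pre-shared keys differ")
    if a.get("tset") != b.get("tset"):
        issues.append("transform sets differ")
    # Phase 2 proxy identities must mirror: A's (src, dst) is B's (dst, src).
    acl_a = set(a["acl"].get(a["map"].get("acl"), []))
    acl_b = {(p, d, dw, s, sw) for p, s, sw, d, dw in b["acl"].get(b["map"].get("acl"), [])}
    if acl_a != acl_b:
        issues.append("crypto ACLs are not mirror images of each other")
    return issues

ROUTER_A = """\
RouterA(config)# crypto isakmp policy 10
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# group 2
RouterA(config)# crypto isakmp key cisco123 address 11.0.0.2
RouterA(config)# access-list 111 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
RouterA(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac
RouterA(config)# crypto map mymap 10 ipsec-isakmp
RouterA(config-crypto-map)# match address 111
RouterA(config-crypto-map)# set peer 11.0.0.2
RouterA(config-crypto-map)# set transform-set aset
RouterA(config)# int s 0
RouterA(config-if)# crypto map mymap
"""  # Lab 1 Router A, as printed in this manual
# Lab 1 Router B is the mirror image: swap the prompt, the peer and the ACL direction.
ROUTER_B = (ROUTER_A.replace("RouterA", "RouterB").replace("11.0.0.2", "11.0.0.1")
            .replace("10.0.0.0 0.255.255.255 20.0.0.0", "20.0.0.0 0.255.255.255 10.0.0.0")
            .replace("aset", "bset"))

def lab1_findings(router_b=ROUTER_B):
    """Lab 1 as written returns []; pass an altered Router B transcript to see it fail."""
    return check_peers(parse_crypto(ROUTER_A, "11.0.0.1"), parse_crypto(router_b, "11.0.0.2"))
```

The same parser accepts the GRE variant above (`permit gre host ... host ...`), where the mirrored ACL is the two tunnel endpoints swapped.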

Lab # 4

GRE over IPSec using SDM


Objective
Establish GRE over IPSec between Router A and Router B and enable EIGRP routing
between Router A and Router B (using SDM).

Diagram

Router A (11.0.0.1, LAN 10.0.0.10, Tunnel0 15.0.0.1)
  <---> Switch-3560 (Fa0/2 11.0.0.2, Fa0/4 12.0.0.1) <--->
Router B (12.0.0.2, LAN 20.0.0.10, Tunnel0 15.0.0.2)
PC-A 10.0.0.1 on the LAN of Router A; PC-B 20.0.0.1 on the LAN of Router B

Configuration

1) Configure Switch-3560 as follows.


Switch-3560(config)# int fa 0/2
Switch-3560(config-if)# no switchport
Switch-3560(config-if)# ip address 11.0.0.2 255.0.0.0
Switch-3560(config-if)# no shutdown
Switch-3560(config-if)# exit
Switch-3560(config)# int fa 0/4
Switch-3560(config-if)# no switchport
Switch-3560(config-if)# ip address 12.0.0.1 255.0.0.0
Switch-3560(config-if)# no shutdown
Switch-3560(config-if)# exit

Enable IP routing on the 3560 switch.

Switch-3560(config)# ip routing

2) Configure Router A as follows.

Access the Router A SDM using the browser on PC-A by entering the following URL:
http://10.0.0.10

Now you should be able to start SDM.

2-1) This is the starting screen.

2-2) Select VPN from the left bar.
1) Select the option Create GRE tunnel.
2) Click to launch the wizard.

2-3) This is the welcome screen; click Next to continue.

2-4) Enter the required fields:
1) The interface that is connected to the peer.
2) The public IP address of the peer router.
3) The tunnel's IP address.
4) The subnet mask.
Click Next to continue.

2-5) Enter the pre-shared key and click Next to continue.

2-6) Click on the Add button to define your own transform set for IKE phase 1.

2-7) Enter the required fields and click Ok.

2-8) Click on Next to continue.

2-9) Now click on Add to define our own transform set for IPSec negotiation.

2-10) Enter the required fields and then click ok.

2-11) Select the routing protocol to be used; we have selected EIGRP.

2-12) Define the AS number to use, and then click Add to advertise the networks.

2-13) Enter the network number.

2-14) We have defined all the networks to be advertised. Click Next to continue.

2-15) This is the last screen of the wizard; we can check our configuration in this
window. Click on Finish to continue.

3) Configure Router B as follows.

3-a) Configure a static route to the peer Router A's network 11.0.0.0

RouterB(config)# ip route 11.0.0.0 255.0.0.0 12.0.0.1

3-b) Configure the GRE tunnel on Router B (the tunnel destination must be the
global IP address of the peer router)

RouterB(config)# interface tunnel 0
RouterB(config-if)# ip address 15.0.0.2 255.0.0.0
RouterB(config-if)# no shutdown
RouterB(config-if)# tunnel source serial 0
RouterB(config-if)# tunnel destination 11.0.0.1
RouterB(config-if)# exit

4) Configure Router B for IPSec as follows.

First enable ISAKMP

RouterB(config)# crypto isakmp enable (optional)

Configure the ISAKMP policy used for phase 1 negotiation

RouterB(config)# crypto isakmp policy 10


RouterB(config-isakmp)# authentication pre-share
RouterB(config-isakmp)# encryption des
RouterB(config-isakmp)# hash md5
RouterB(config-isakmp)# group 2

Configure pre-shared authentication key

RouterB(config)# crypto isakmp key 0 cisco123 address 11.0.0.1

Configure the crypto ACL to define which tra

ffic to protect

RouterB(config)# access-list 111 permit gre host 12.0.0.2 host 11.0.0.1

Configure IPSec transform-set

RouterB(config)# crypto ipsec transform-set bset esp-des esp-md5-hmac

Configure Crypto-map

RouterB(config)# crypto map mymap 10 ipsec-isakmp


RouterB(config-crypto-map)# match address 111
RouterB(config-crypto-map)# set peer 11.0.0.1
RouterB(config-crypto-map)# set transform-set bset
RouterB(config-crypto-map)# set pfs group1

Apply the crypto map to the Ethernet interface

RouterB(config)# int eth 0


RouterB(config-if)# crypto map mymap

Apply the crypto map to the Tunnel interface

RouterB(config)# int tunnel 0


RouterB(config-if)# crypto map mymap

Enable EIGRP Routing

RouterB(config)# router eigrp 100
RouterB(config-router)# network 12.0.0.0
RouterB(config-router)# network 15.0.0.0

Verification

To verify, ping from each router to the other's tunnel and public interfaces, then
issue the following command:
show crypto ipsec sa

Lab # 5

Easy VPN between Router and PC

Objective
Establish Easy VPN between Router A (server) and PC-B (client).

Diagram

Router A (10.0.0.10 towards PC-A, 20.0.0.10 towards PC-B)
PC-A 10.0.0.1; PC-B 20.0.0.1

Configuration
1) Bring up the connections.
2) Access the Router A SDM using the browser on PC-A by entering the following URL:
http://10.0.0.10
3) Now follow the steps shown below.

3-1) Before you can start the Easy VPN wizard, first enable AAA.

3-2) Now click on the User Accounts tab to create a user, which is needed before AAA
can be enabled.

3-3) Enter the desired fields and click OK.

Note: the password is of the user's own choice.

3-4) Now enter the enable password as required, then click OK.

3-5) Now the following window appears, indicating the successful creation of the user
for AAA. Click OK.

3-6) Now click on Enable AAA; on the prompt, click Yes to enable AAA.

3-7) Enter the username/password created in step 6.

3-8) Now the following window indicates that AAA is successfully enabled.

3-9) Now the Easy VPN wizard starts. Click Next to continue.

3-10) Enter the interface used for connecting to the WAN, from which the client
will communicate with Router A; in this case it is fa0/0. We are using a
pre-shared key for authentication.

3-11) Click Add to configure our own transform set for IKE phase 1.

3-12) Enter the required fields for the transform set and then click OK.

3-13) Now click on Add to enter the transform set for IPSec negotiation.

3-14) Enter the required fields and then click OK.

3-15) Click on the Local radio button to specify that the verification of the
username/password will be done locally.

3-16) Enable Xauth so that, after device authentication is complete, user
authentication is performed. Click Add User Credentials.

3-17) Now it asks to create a user; as we can see, there is already a user present that
we created in step 6. Now we have to add a new one, so click Add.

3-18) Now enter the required fields; make sure the privilege level is set to 1.

3-19) A new user is now added to the local database. Click OK.

3-20) Now we are prompted for the group policy. Click on Add to enter the group
policy.

3-21) Enter the required Fields and then click Ok.

3-22) Click on Test VPN connectivity to test the status.

3-23) If successful, the following window appears.

Now we must install the Easy VPN client on PC-B.

Follow the steps below.

Install the VPN client just like any ordinary Windows utility.

After installing, follow the steps to configure the VPN client.

1) Run the VPN client and click on New.

2) Enter the required fields; make sure the group name and password match
exactly what was configured in step 24.

Now click Save.

Lab # 6

Auto Secure
Objective
Configure Autosecure feature in Router 2811 through SDM.

Diagram
Router 2811 Fa0/0 10.0.0.10 <---> PC-A 10.0.0.1

Configuration
1) Bring up the connectivity and ping from PC-A to Router Fa0/0.
2) Open a browser and enter the following URL:
http://10.0.0.10
This will start SDM.

3) Now follow the steps shown below

3-1) Click on Perform security audit.

3-2) Click on Next to Continue.

3-3) Select the inside interface and then click Next.

3-4) This result tells you about the security changes we need to make. Click on
Close.

3-5) Click on Fix all to fix all the security holes, or choose to fix individual
settings by ticking only the desired service check boxes. Click on Next.

3-6) Enter the required fields and then click Next to continue.

3-7) Click on Add to continue.

3-8) Enter the desired username and password and then click Ok to continue.

3-9) Now click on Next to continue.

3-10) Now click on Add to define the IP address used for login.

3-11) Enter the desired IP address and then click OK.

3-12) Now click on Next to Continue.

3-13) Click on Finish to continue.

3-14) Click OK to finish.

Lab # 7

One-Step Lockdown
Objective

Configure One-step Lockdown feature in Router 2811 through SDM.

Diagram
Router 2811 Fa0/0 10.0.0.10 <---> PC-A 10.0.0.1

Configuration
1) Bring up the connectivity and ping from PC-A to Router Fa0/0.
2) Open a browser and enter the following URL:
http://10.0.0.10
This will start SDM.

3) Now follow the steps shown below

3-1) First click on One-step lockdown and then click Yes to perform the
lockdown.

3-2) Click on Deliver to send configuration to the router.

Lab # 8

SNMP
Objective
Configure SNMP for network management of devices on the LAN/WAN.

Diagram

R1 (Serial 11.0.0.1, Eth 10.0.0.40) <---> R2 (S0 11.0.0.2)
R3 Fa0/0 10.0.0.100
PC-A 10.0.0.1

Configuration
1) Bring up the connectivity and ping from PC-A to R2.

2) Now install the SNMP server on PC-A.

3) Now click on Server to continue.

4) Click on Next to Continue.

5) Enter the IP address of PC-A and click on Next to
continue.

6) Click on Next to start the installation.

7) This window shows that the software is installed successfully.

8) Under Config menu click on Discovery/Polling.

9) Click on Enable discovery and click on Restart.

10) Click on Add to enter new community strings.

11) Enter the strings in the required fields. These strings will be configured on all
devices that we wish to manage.

12) Now configure the following on all routers so they can be managed by the
SNMP server.

Router(config)# snmp-server host 10.0.0.1 cisco


Router(config)# snmp-server community test ro
Router(config)# snmp-server community test1 rw

13) Now we can see the graph of our topology building up.

14) Right Click on any device for the necessary settings.

15) Enter the ro/rw attributes configured on this router.

16) Now double click on the router to manage it.

Lab # 9

NTP
Objective

Configure NTP between Server and Client.

Diagram

Source (Server) S0 11.0.0.1 <---> Intermediate (S0 11.0.0.2, S1 12.0.0.1) <---> Client S0 12.0.0.2

Configuration

1) Bring up the connectivity.


2) Configure the Server as follows

Server(config)# ntp master 5


Server(config)# ntp authentication-key 1 md5 cisco
Server(config)# ntp peer 11.0.0.2 key 1

3) Configure Intermediate as follows


Intermediate(config)# ntp authentication-key 1 md5 cisco
Intermediate(config)# ntp authentication-key 2 md5 ciscoclient
Intermediate(config)# ntp trusted-key 1
Intermediate(config)# ntp server 11.0.0.1
Intermediate(config)# int serial 1
Intermediate(config-if)# ntp broadcast

4) Configure Client as follows


Client(config)# ntp authentication-key 2 md5 ciscoclient
Client(config)# ntp trusted-key 2
Client(config)# int serial 0
Client(config-if)# ntp broadcast client
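What the `ntp authentication-key ... md5` and `ntp trusted-key` commands above do on the wire, as an added Python example (not from the manual): it builds a minimal NTP client packet, appends the MD5 authenticator for key 1, and verifies it the way the Intermediate router would, which has both keys configured but trusts only key 1. `ntp_client_packet`, `append_mac`, `verify` and `demo` are names chosen here; the key ids and key strings are the lab's.

```python
"""NTP symmetric-key authentication as configured in Lab 9 (added example,
not from the manual).  Builds a minimal NTPv4 client packet, appends the MAC
that "ntp authentication-key 1 md5 cisco" produces (32-bit key id followed by
MD5(key || packet), RFC 5905 Appendix A), and verifies it the way a router
with "ntp trusted-key" does.  Key ids and key strings are the lab's."""
import hashlib
import hmac
import struct

# Lab 9 Intermediate router: both keys are configured, but only key 1 is trusted.
KEYS = {1: b"cisco", 2: b"ciscoclient"}
TRUSTED = {1}
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def ntp_client_packet(tx_unix_seconds):
    """48-byte NTPv4 header: LI=0, VN=4, mode=3 (client); only the transmit
    timestamp is filled in, everything else is zero as a simple client would send."""
    first = (0 << 6) | (4 << 3) | 3           # LI | VN | mode packed into one byte
    tx = struct.pack("!II", tx_unix_seconds + NTP_EPOCH_OFFSET, 0)
    return bytes([first]) + bytes(39) + tx    # 1 + 39 + 8 = 48 bytes


def append_mac(packet, key_id, keys=KEYS):
    """Sender side: MAC = key id (4 bytes) || MD5(key || header) (16 bytes)."""
    digest = hashlib.md5(keys[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(data, keys=KEYS, trusted=TRUSTED):
    """Receiver side.  Returns (accepted, reason).  Mirrors IOS behaviour: a key
    that is configured but not in the trusted-key set does not authenticate."""
    if len(data) != 48 + 4 + 16:
        return False, "no 20-byte MD5 MAC present"
    packet, key_id, digest = data[:48], struct.unpack("!I", data[48:52])[0], data[52:]
    if key_id not in keys:
        return False, f"unknown key id {key_id}"
    if key_id not in trusted:
        return False, f"key id {key_id} is configured but not trusted"
    expected = hashlib.md5(keys[key_id] + packet).digest()
    if not hmac.compare_digest(expected, digest):   # constant-time comparison
        return False, "digest mismatch (wrong key or altered packet)"
    return True, "authenticated"


def demo():
    """Exercise the accept and reject paths on one constructed client packet."""
    pkt = ntp_client_packet(1_200_000_000)       # constructed transmit time
    good = append_mac(pkt, 1)
    tampered = good[:40] + bytes([good[40] ^ 0x01]) + good[41:]   # flip a bit in the tx timestamp
    return {
        "trusted key 1": verify(good),
        "configured but untrusted key 2": verify(append_mac(pkt, 2)),
        "tampered packet": verify(tampered),
        "wrong key on receiver": verify(good, keys={1: b"notcisco"}),
        "unauthenticated packet": verify(pkt),
    }
```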

Lab # 10

SYSLOG SERVER
Objective

Configure Syslog server.

Diagram

Router A Eth0 10.0.0.10 <---> PC-A 10.0.0.1

Configuration
1) Bring up the connectivity.
2) Install the syslog server.
3) Configure Router A as follows

RouterA(config)#logging on
RouterA(config)#logging 10.0.0.1
RouterA(config)#logging trap 7

3-1) Now run various commands on Router A, such as shutting down an interface and
then issuing no shutdown, and other commands that send a trap to the syslog server.
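The receiving side of this exercise, as an added Python example (not from the manual): a parser for the IOS message format the router emits, the severity cut-off that `logging trap 7` expresses, and a minimal UDP listener for the host named in `logging 10.0.0.1`. The sample lines are constructed to match the shut / no shut exercise; `parse_ios_message`, `triage` and `serve` are names chosen here.

```python
"""Receiver-side handling of the messages Lab 10 makes Router A send to the
syslog server (added example, not from the manual).  It parses the Cisco IOS
message format "%FACILITY-SEVERITY-MNEMONIC: text" (optionally preceded by the
syslog PRI, a sequence number and a timestamp) and applies the severity cut-off
that "logging trap 7" expresses on the router.  Sample lines are constructed."""
import re
import socket

# IOS severity names, indexed by level: the "logging trap" keywords.
SEVERITY = ["emergencies", "alerts", "critical", "errors", "warnings",
            "notifications", "informational", "debugging"]

IOS_MSG = re.compile(r"""
    ^(?:<(?P<pri>\d{1,3})>)?                          # syslog PRI = facility*8 + severity
    (?:(?P<seq>\d+):\s+)?                              # "service sequence-numbers" counter
    (?:\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+[\d:.]+):\s+)?  # "*Mar  1 00:02:10.307:"
    %(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$
""", re.VERBOSE)


def parse_ios_message(line):
    """Return the message fields as a dict, or None if the line is not an IOS message."""
    m = IOS_MSG.match(line.strip())
    if not m:
        return None
    msg = m.groupdict()
    msg["sev"] = int(msg["sev"])
    msg["severity"] = SEVERITY[msg["sev"]]
    return msg


def triage(lines, trap_level=7, watch=("LINK", "LINEPROTO", "SYS")):
    """Keep messages at or below trap_level (lower number = more severe, as on the
    router) and flag watched facilities at notification level or worse.
    Returns (kept_messages, alert_strings)."""
    kept, alerts = [], []
    for line in lines:
        msg = parse_ios_message(line)
        if msg is None or msg["sev"] > trap_level:
            continue
        kept.append(msg)
        if msg["facility"] in watch and msg["sev"] <= 5:
            alerts.append(f"{msg['facility']}-{msg['sev']}-{msg['mnemonic']}: {msg['text']}")
    return kept, alerts


def serve(bind="0.0.0.0", port=514):
    """Minimal UDP listener for the host named in "logging 10.0.0.1"; prints each
    parsed message.  Runs until interrupted (not exercised by the tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            msg = parse_ios_message(data.decode("ascii", "replace"))
            if msg:
                print(f"{src} {msg['severity']:<13} %{msg['facility']}-{msg['sev']}-"
                      f"{msg['mnemonic']}: {msg['text']}")


# Constructed sample: the shut / no shut exercise of step 3-1 as received at
# 10.0.0.1 (local7 facility, so PRI = 184 + severity), plus the SSH message
# printed in Lab 11 and one non-IOS line.
SAMPLE = [
    "<189>45: *Mar  1 00:05:12.003: %SYS-5-CONFIG_I: Configured from console by console",
    "<189>46: *Mar  1 00:05:20.119: %LINK-5-CHANGED: Interface Ethernet0, changed state to administratively down",
    "<189>47: *Mar  1 00:05:21.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to down",
    "<187>48: *Mar  1 00:05:40.411: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up",
    "*Mar 1 00:02:10.307: %SSH-5-ENABLED: SSH 1.99 has been enabled",
    "not an IOS message at all",
]
```

Calling `triage(SAMPLE, trap_level=3)` keeps only the LINK-3 line, which is what the router itself would send if `logging trap 7` were replaced by `logging trap 3`.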

Lab # 11

SSH
Objective
Configure Router to become the SSH server.

Diagram

Router 2811 Fa0/0 10.0.0.10 <---> PC-A 10.0.0.1

Configuration
1) Bring up the connectivity.
2) Configure Router as follows.

RouterA#auto secure ssh
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of


the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.


All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: no

Configure SSH server? [yes]: yes


Enter the domain-name: cisco.com

This is the configuration generated:

ip domain-name cisco.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
!
end

Apply this configuration to running-config? [yes]: yes

Applying the config generated to running-config


The name for the keys will be: RouterA.cisco.com

% The key modulus size is 1024 bits


% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

RouterA#
*Mar 1 00:02:10.307: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Mar 1 00:02:11.539: %AUTOSEC-5-ENABLED: AutoSecure is configured
on the device

Configure AAA for local authentication:

RouterA(config)#aaa new-model
RouterA(config)#aaa authentication login default local
RouterA(config)#username cisco password cisco

3) Now run PuTTY on PC-A, enter the IP address of the router, and click Open.

Lab # 12

AAA Server
Objective
Configure AAA server to perform user authentication and accounting.

Diagram
R2811 (Fa0/0 10.0.0.10, Fa0/1 20.0.0.10)
ACS server 10.0.0.1 on the Fa0/0 side; PC-B 20.0.0.1 on the Fa0/1 side

Configuration
1) Bring up the connections and ping end to end.
2) Install ACS for windows.
3) Configure ACS as follows

3-1) Enter the user setup and enter the username. Click on Add/Edit to define the
password.

3-2) Enter the password.

3-3) Enter Network Configuration mode and click on Add entry.

3-4) Enter the required fields as shown in the diagram, and then click on
Submit+Restart.

3-5) The following window appears if successful.

4) Now configure the router to query ACS whenever a user attempts to connect to it via
telnet.

R2811(config)#aaa new-model
R2811(config)#tacacs-server host 10.0.0.1 key cisco123
R2811(config)#aaa authentication login default group tacacs+
R2811(config)#enable password cisco
R2811(config)#aaa accounting exec default start-stop group tacacs+

5) Now telnet from PC-B to R2811; this time the router will ask for a
username/password, which will be verified against ACS.

Lab # 13

Firewall Feature Set


Objective
Configure Firewall Feature Set using SDM.

Diagram

Router 2811 (Fa0/0 10.0.0.10, Fa0/1 20.0.0.10)
PC-A 10.0.0.1 on the Fa0/0 side; PC-B 20.0.0.1 on the Fa0/1 side

Configuration
1) Bring up the connectivity.
2) Launch the SDM from PC-A. Open Internet Explorer and type the following.
http://10.0.0.10
3) Configure Router A as follows.

3-1) Select Basic Firewall and then click on Launch the selected task.

3-2) Click on Next to continue.

3-3) Select the appropriate interfaces according to the topology diagram and
then click next to continue.

3-4) Click on Next to continue.

3-5) Enter the DNS server IP address (in this case, since we don't have a DNS server,
we have entered the loopback IP 127.0.0.1).

3-6) Click finish to continue.

3-7) Click ok to finish.

3-8) Check the status after clicking ok.

Lab # 14

IPS
Objective
Configure IPS using SDM.

Diagram

Router 2811 (Fa0/0 10.0.0.10, Fa0/1 20.0.0.10)
PC-A 10.0.0.1 on the Fa0/0 side; PC-B 20.0.0.1 on the Fa0/1 side

Configuration

1) Bring up the connectivity.


2) Launch the SDM from PC-A. Open Internet Explorer and
type the following.
http://10.0.0.10

3-1) Click on Launch IPS Rule Wizard.

3-2) Click on Next to continue.

3-4) Select the inbound and outbound interfaces and then click Next to
continue.

3-5) We are using the default signatures so click Next to continue.

3-6) Click on finish to continue.

3-7) Click close to proceed.

3-8) From this screen we can check which signatures are enabled/disabled.

3-9) Right click on any signature and select actions.



3-10) Click on drop to specify required action to be taken.

3-11) Click on Apply Changes.

3-12) Click OK to continue.

3-13) Click Close to continue.
