ISCW
Lab Manual
8 Configuring SNMP
9 Configuring NTP
11 Configure SSH
14 Configure IPS
Etronics Solution Provider
Lab # 1
Establish a site-to-site VPN between two VPN gateways, i.e. Router A and Router B,
using pre-shared keys for authentication.
Diagram
Router A Router B
11.0.0.1 11.0.0.2
10.0.0.10 20.0.0.10
PC- A PC- B
20.0.0.1
10.0.0.1
Configuration
1) Bring up the connections and ping end to end (use static routes to provide
connectivity between end devices).
2) Configure Router A as shown below.
Configure Crypto-map
RouterA(config)# int s 0
RouterA(config-if)# crypto map mymap
3) Configure Router B as shown below.
Configure Crypto-map
RouterB(config)# int s 0
RouterB(config-if)# crypto map mymap
Lab # 2
Objective
Establish a site-to-site VPN between two VPN gateways, i.e. Router A and Router B,
using SDM.
Diagram
Router A Router B
11.0.0.1 11.0.0.2
10.0.0.10
PC- A
10.0.0.1
Configuration
1) Bring up the connections and ping end to end.
2) From PC-A, open the browser and enter this URL.
http://10.0.0.10
3) Now the following window appears. Click on the Configure tab at the top.
4) Clicking on the Configure tab opens the list of configuration options available.
Select VPN from the left menu, then select the Create site to site VPN
radio button, and then click on the Launch the selected task button to launch the
wizard.
5) Now the wizard will start. Click on the Step by step wizard radio button and
then click Next.
6) Now from the following window,
1. Select the interface that is connected to Router B.
2. Specify that the peer is using a static IP address.
3. Enter the IP address.
4. Enter the preshared key for authentication used in ISAKMP phase 1.
7) In this window, we have to define the transform set for phase 1. Click on the
Add button to define our own transform set.
8) In this window, define your own parameters for the transform set and then
click OK.
9) Now click Next.
10) Now in this window you may define the transform set for IPSec, or phase 2,
negotiation.
11) Now define the required parameters and click Ok.
12) Now we can see that user defined Transform set is now listed. Click Next to
continue.
13) Now define the traffic to be protected
14) Now the following window appears indicating that the wizard is complete.
15) Click on the start button to test the tunnel connectivity.
16) If all configuration goes well, then you should see the following screen.
Configure crypto ACL to define which traffic to protect
RouterB(config)# access-list 111 permit ip host 11.0.0.2 host 11.0.0.1
Configure Crypto-map
RouterB(config)# crypto map mymap 10 ipsec-isakmp
RouterB(config-crypto-map)# match address 111
RouterB(config-crypto-map)# set peer 11.0.0.1
RouterB(config-crypto-map)# set transform-set bset
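An added example, not part of the original manual: the crypto ACL selects the traffic that enters the tunnel, so the entry on one peer should be the mirror image of the entry on the other. The Router A lines below are constructed for the example (the page shows only Router B's), and the function names are the example's own.

```python
import re

# Router B lines are quoted from this page; Router A lines are constructed
# for the example as the matching peer configuration.
ROUTER_B = """\
access-list 111 permit ip host 11.0.0.2 host 11.0.0.1
crypto map mymap 10 ipsec-isakmp
 match address 111
 set peer 11.0.0.1
 set transform-set bset
"""
ROUTER_A = """\
access-list 111 permit ip host 11.0.0.1 host 11.0.0.2
crypto map mymap 10 ipsec-isakmp
 match address 111
 set peer 11.0.0.2
 set transform-set aset
"""

# An address in an extended ACL entry: "host A", "any", or "network wildcard".
ADDR = r"(host \S+|any|\S+ \S+)"
ACE = re.compile(rf"access-list (\d+) permit ip {ADDR} {ADDR}$")

def crypto_view(config):
    """Return (peer, [(src, dst), ...]) for the ACL the crypto map matches on."""
    acl_id = re.search(r"match address (\d+)", config).group(1)
    peer = re.search(r"set peer (\S+)", config).group(1)
    flows = [(m.group(2), m.group(3))
             for m in map(ACE.match, config.splitlines())
             if m and m.group(1) == acl_id]
    return peer, flows

def mismatches(local, remote):
    """List local crypto ACL entries that have no mirror image on the remote peer."""
    _, local_flows = crypto_view(local)
    _, remote_flows = crypto_view(remote)
    mirrored = {(dst, src) for src, dst in remote_flows}
    return [flow for flow in local_flows if flow not in mirrored]

if __name__ == "__main__":
    print("Router B peer:", crypto_view(ROUTER_B)[0])
    print("Unmirrored entries on Router B:", mismatches(ROUTER_B, ROUTER_A))
```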
Lab # 3
Diagram
Router C
Router A Router B
11.0.0.2 12.0.0.1
11.0.0.1 12.0.0.2
10.0.0.10 20.0.0.10
15.0.0.1 15.0.0.2
PC- A PC- B
10.0.0.1 20.0.0.1
Configuration
1) Configure Router C as shown below.
RouterC(config)# interface serial 0
RouterC(config-if)# ip address 11.0.0.2 255.0.0.0
RouterC(config-if)# no shutdown
RouterC(config-if)# clock rate 64000
RouterC(config-if)# end
RouterC(config)# interface serial 1
RouterC(config-if)# ip address 12.0.0.2 255.0.0.0
RouterC(config-if)# no shutdown
RouterC(config-if)# clock rate 64000
RouterC(config-if)# end
2-a) Configure static routing to define route for the peer Router
B i.e. network 12.0.0.0
3-a) Configure static routing to define route for the peer Router
A i.e. network 11.0.0.0
Verification
To verify the tunnel formation, ping 10.0.0.2 from Router A and 10.0.0.1 from
Router B. If the ping is successful, then the tunnel is formed.
Use this command also to verify the tunnel information
Configure Crypto-map
Apply the crypto map to the WAN interface
RouterA(config)# int s 0
RouterA(config-if)# crypto map mymap
Configure Crypto-map
Apply the crypto map to the WAN interface
RouterB(config)# int s 0
RouterB(config-if)# crypto map mymap
Verification
Ping end to end from both routers and note the delay in the ping return time.
Use this command to verify the VPN establishment
show crypto ipsec sa
Lab # 4
Diagram
3560
Router A Router B
11.0.0.2 12.0.0.1
11.0.0.1 12.0.0.2
10.0.0.10 20.0.0.10
15.0.0.1 15.0.0.2
PC- B
PC- A
10.0.0.1 20.0.0.1
Configuration
Enable ip routing on 3560 switch.
Switch-3560(config)# ip routing
2-1) This is the starting screen.
2-2) Select VPN from the left bar
1) Select the option create gre tunnel
2) Click to launch the wizard.
2-3) This is the welcome screen, click on next to continue.
2-5) Enter the preshared key and click Next to continue.
2-6) Click on the Add button to define your own transform set for IKE phase 1
2-7) Enter the required fields and click Ok.
2-9) Now click on Add to define our own transform set for IPSec negotiation.
2-11) Select the routing protocol to use; we have selected EIGRP.
2-12) Define the AS number to use, and then click Add to advertise the networks.
2-13) Enter the network number.
2-15) This is the last screen of the wizard, where we can check our
configuration. Click on Finish to continue.
3-a) Configure static routing to define route for the peer Router A
i.e. network 11.0.0.0
4) Configure Router B for IPSec as follows.
Configure Crypto-map
Enable EIGRP Routing
Verification
To verify, ping from each router to the other router's tunnel and public interfaces.
Issue the following command
show crypto ipsec sa
Lab # 5
Objective
Establish Easy VPN between Router A (server) and PC-B (client).
Diagram
Router A
20.0.0.10
10.0.0.10
PC- A PC- B
20.0.0.1
10.0.0.1
Configuration
1) Bring up the connections.
2) Access the RouterA SDM using the browser on PC-A. Enter the following URL
in the browser:
Http://10.0.0.10
3) Now follow the steps shown below
3-1) Before you can start the Easy VPN wizard, first enable AAA.
3-2) Now click on the User Accounts Tab to create a User for AAA to be
enabled.
3-3) Enter the desired fields and click OK.
3-4) Now Enter the enable password as required then click OK.
3-5) Now the following window appears, indicating the successful creation of User
for AAA. Click Ok.
3-6) Now click on enable AAA, on the prompt click yes to enable AAA
successfully.
3-7) Enter the username/password created in step 6.
3-8) Now the following window indicates that AAA is successfully enabled.
3-9) Now the wizard for Easy VPN is started. Click Next to continue.
3-10) Enter the interface being used for connecting to the WAN from where the client
will communicate with RouterA; in this case it is fa0/0. We are using a
pre-shared key for authentication.
3-11) Click Add to configure our own transform set for IKE phase-1.
3-12) Enter the required fields for the transform set and then click OK.
3-13) Now click on Add to enter the transform set for IPSEC negotiation.
3-15) Click on the local radio button to specify that the verification of
username/password will be done locally.
3-16) Enable Xauth, so that after device authentication is complete, the user
authentication is performed, click Add User Credentials.
3-17) Now it asks to create a user, as we can see there is already a user present that
we created in step 6. Now we have to form so click Add.
3-18) Now enter the required fields; make sure the privilege level is set to 1.
3-20) Now we are prompted for Group policy, click on Add to enter the group
policy.
3-21) Enter the required Fields and then click Ok.
3-22) Click on test Vpn connectivity to test the status.
Install the VPN client just like any simple windows utility.
1) Run the VPN client and click on NEW.
2) Enter the required fields; make sure the group name and password
match exactly what was configured in step 24.
Lab # 6
Auto Secure
Objective
Configure Autosecure feature in Router 2811 through SDM.
Diagram
Router 2811
Fa 0/0 10.0.0.10
PC-A
10.0.0.1
Configuration
1) Bring up the connectivity and ping from PC-A to Router Fa0/0.
2) Open browser and type following to launch the wizard.
http://10.0.0.10
This will start SDM.
3-1) Click on the perform security audit.
3-2) Click on Next to Continue.
3-4) This result will tell you about the security changes we need to make, click on
Close.
3-5) Click on Fix all to fix all the security holes or we can choose to fix the
individual settings by clicking only on the desired service check box. Click
on Next.
3-6) Enter the required fields. And then click Next to continue.
3-7) Click on Add to continue.
3-8) Enter the desired username and password and then click Ok to continue.
3-9) Now click on Next to continue.
3-10) Now Click on Add to define the ip used for login.
3-12) Now click on Next to Continue.
3-13) Click on Finish to continue.
Lab # 7
One-Step Lockdown
Objective
Diagram
Router 2811
Fa 0/0 10.0.0.10
PC-A
10.0.0.1
Configuration
1) Bring up the connectivity and ping from PC-A to Router Fa0/0.
2) Open browser and type following to launch the wizard.
http://10.0.0.10
This will start SDM.
3-1) First Click on One-step lockdown and then click yes to perform the
lockdown.
3-2) Click on Deliver to send configuration to the router.
Lab # 8
SNMP
Objective
Configure SNMP for network management of devices on LAN/WAN.
Diagram
R1 R2
S S0
11.0.0.1 11.0.0.2
Eth
10.0.0.40
Fa 0/0 R3
10.0.0.100
PC-A
10.0.0.1
Configuration
1) Bring up the connectivity and ping from PC-A to R2.
2) Now install the SNMP server on PC-A.
4) Click on Next to Continue.
5) Enter the ip address of PC-A and click on next to
continue.
7) This window shows that the software is installed successfully.
4- Click on Enable discovery and click on Restart.
6- Enter the strings in the Required fields. These strings will be configured on all
devices that we wish to manage.
12) Now configure the following on all routers so they can be managed by the
SNMP server.
13) Now we can see the graph of our topology building up.
14) Right Click on any device for the necessary settings.
15) Enter the ro/rw attributes configured on this router.
Lab # 9
NTP
Objective
Diagram
Source Intermediate
S0 S0 S1 S0
11.0.0.1 11.0.0.2 12.0.0.1 12.0.0.2
Configuration
Lab # 10
SYSLOG SERVER
Objective
Diagram
Router A
Eth 0
10.0.0.10
10.0.0.1
PC-A
Configuration
1) Bring up the connectivity.
2) Install the syslog server.
3) Configure Router A as follows
RouterA(config)#logging on
RouterA(config)#logging 10.0.0.1
RouterA(config)#logging trap 7
3-1) Now run different commands on RouterA, such as shutting down an
interface and then issuing a no shut command, and other commands that send a trap
to the syslog server.
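An added example, not part of the original manual: a parser for the `%FACILITY-SEVERITY-MNEMONIC` messages the router sends, applying the `logging trap` level and flagging entries worth reviewing on the syslog server. The first sample line is the SSH message shown later in this manual; the other lines and the review rules are constructed for the example.

```python
import re

# IOS log line: optional '*' or '.' clock flag, timestamp, then
# %FACILITY-SEVERITY-MNEMONIC: free text.
IOS_MSG = re.compile(
    r"^(?P<flag>[*.])?(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

# Sample lines: the first is quoted from the SSH lab in this manual, the rest
# are constructed for the example.
SAMPLE = [
    "*Mar 1 00:02:10.307: %SSH-5-ENABLED: SSH 1.99 has been enabled",
    "*Mar 1 00:05:02.115: %LINK-5-CHANGED: Interface Serial0, changed state to administratively down",
    "*Mar 1 00:05:20.431: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar 1 00:05:22.435: %LINK-3-UPDOWN: Interface Serial0, changed state to up",
    "RouterA(config-if)# no shutdown",  # not a log message, must be skipped
]

def parse(line):
    """Return the fields of one IOS log message, or None if it is not one."""
    m = IOS_MSG.match(line.strip())
    if not m:
        return None
    msg = m.groupdict()
    msg["sev"] = int(msg["sev"])
    return msg

def forwarded(msg, trap_level):
    """'logging trap N' sends messages whose severity number is N or lower."""
    return msg["sev"] <= trap_level

def review(lines, trap_level=7):
    """Return (message id, note) findings for messages the server would receive."""
    findings = []
    for msg in filter(None, map(parse, lines)):
        if not forwarded(msg, trap_level):
            continue
        key = f'{msg["facility"]}-{msg["mnemonic"]}'
        if msg["flag"] == "*":
            findings.append((key, "timestamp not authoritative (clock not set or synced)"))
        if key == "SSH-ENABLED" and "1.99" in msg["text"]:
            findings.append((key, "SSH 1.99: server still accepts SSHv1 clients"))
        if key == "SYS-CONFIG_I":
            findings.append((key, "configuration changed"))
    return findings

if __name__ == "__main__":
    for key, note in review(SAMPLE):
        print(f"{key}: {note}")
```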
Lab # 11
SSH
Objective
Configure Router to become the SSH server.
Diagram
Router 2811
Fa 0/0 10.0.0.10
PC-A
10.0.0.1
Configuration
1) Bring up the connectivity.
2) Configure Router as follows.
RouterA#auto secure ssh
--- AutoSecure Configuration ---
ip domain-name cisco.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
!
end
RouterA#
*Mar 1 00:02:10.307: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Mar 1 00:02:11.539: %AUTOSEC-5-ENABLED: AutoSecure is configured
on the device
Configure AAA for local authentication.
RouterA(config)#aaa new-model
RouterA(config)#aaa authentication login default local
RouterA(config)#username cisco password cisco
3) Now run PuTTY on PC-A, enter the IP address of the router, and click Open.
Lab # 12
AAA Server
Objective
Configure AAA server to perform user authentication and accounting.
Diagram
R2811
Fa 0/0 Fa 0/1
10.0.0.10 20.0.0.10
ACS
server PC-B
10.0.0.1 20.0.0.1
Configuration
1) Bring up the connections and ping end to end.
2) Install ACS for windows.
3) Configure ACS as follows
3-1) Enter the user setup and enter the username. Click on Add/Edit to define the
password.
3-2) Enter the password.
3-3) Enter Network Configuration mode and click on Add entry.
3-4) Enter the required field as shown in the diagram. And then click on
submit+restart.
3-5) The following window appears if successful.
4) Now configure the router to query ACS whenever a user attempts to connect to it via
telnet.
R2811(config)#aaa new-model
R2811(config)#tacacs-server host 10.0.0.1 key cisco123
R2811(config)#aaa authentication login default group tacacs+
R2811(config)#enable password cisco
R2811(config)#aaa accounting exec default start-stop group tacacs+
5) Now from PC-B telnet to R2811, this time router will ask for
username/password which will be verified against ACS.
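An added example, not part of the original manual: a small audit of the configuration lines shown in the SSH lab (Lab 11) and in this lab, reporting the settings a reviewer would flag before such a configuration leaves the lab. The finding names and the `MIN_RSA_BITS` floor are assumptions of this example.

```python
import re

# Configuration lines quoted from the SSH lab and the AAA lab in this manual.
LAB11 = """\
ip domain-name cisco.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
aaa new-model
aaa authentication login default local
username cisco password cisco
"""
LAB12 = """\
aaa new-model
tacacs-server host 10.0.0.1 key cisco123
aaa authentication login default group tacacs+
enable password cisco
aaa accounting exec default start-stop group tacacs+
"""

MIN_RSA_BITS = 2048  # assumption: this audit's own floor, not a value from the page

def audit(config):
    """Return a sorted list of finding codes for one IOS configuration text."""
    found = set()
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    for line in lines:
        m = re.match(r"crypto key generate rsa .*modulus (\d+)", line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            found.add("rsa-key-too-short")
        if re.match(r"transport input\b.*\btelnet\b", line):
            found.add("telnet-on-vty")           # cleartext management session
        m = re.match(r"username (\S+) password (?:0 )?(\S+)", line)
        if m:
            found.add("username-password-not-secret")
            if m.group(1) == m.group(2):
                found.add("password-equals-username")
        if re.match(r"enable password\b", line):
            found.add("enable-password-not-secret")
        m = re.match(r"aaa authentication login \S+ (.+)", line)
        if m and m.group(1).split() == ["group", "tacacs+"]:
            found.add("tacacs-login-without-fallback")  # no login if ACS is down
    uses_ssh = any(l.startswith(("ip ssh", "crypto key generate rsa")) for l in lines)
    if uses_ssh and "ip ssh version 2" not in lines:
        found.add("sshv1-not-disabled")          # matches the "SSH 1.99" log line
    return sorted(found)
```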
Lab # 13
Diagram
Router 2811
Fa 0/0 Fa 0/1
10.0.0.10 20.0.0.10
10.0.0.1 20.0.0.1
PC-A PC-B
Configuration
1) Bring up the connectivity.
2) Launch the SDM from PC-A. Open Internet Explorer and type following.
http://10.0.0.10
3) Configure Router A as follows.
3-1) Select Basic Firewall and then click on the launch the selected task.
3-2) Click on Next to continue.
3-3) Select the appropriate interfaces according to the topology diagram and
then click next to continue.
3-4) Click on Next to continue.
3-5) Enter the DNS server IP (in this case, since we don't have a DNS server, we
have entered the loopback IP 127.0.0.1).
3-6) Click finish to continue.
3-8) Check the status after clicking ok.
Lab # 14
IPS
Objective
Configure IPS using SDM.
Diagram
Router 2811
Fa 0/0 Fa 0/1
10.0.0.10 20.0.0.10
10.0.0.1 20.0.0.1
PC-A PC-B
Configuration
3-1) Click on the launch the ips rule wizard.
3-2) Click on Next to continue.
3-4) Select the inbound and outbound interfaces and then click Next to
continue.
3-5) We are using the default signatures so click Next to continue.
3-7) Click close to proceed.
3-8) From this screen we can check which signatures are enabled/disabled.
3-9) Right click on any signature and select actions.