corp Sw1 branch
CCNA Security PT Practice SBA A few things to keep in mind while completing this activity: 1. Do not use the browser Back button or close or reload any Exam windows during the exam. 2. Do not close Packet Tracer when you are done. It will close automatically. 3. Click the Submit Assessment button to submit your work.
Introduction In this practice Packet Tracer Skills Based Assessment, you will: • • •
• • • •
configure basic device hardening and secure network management configure a CBAC firewall to implement security policies configure devices to protect against STP attacks and to enable broadcast storm control configure port security and disable unused switch ports configure an IOS IPS configure a ZPF to implement security policies configure a site-to-site IPsec VPN
Addressing Table Device Internet
CORP
Branch External Public Svr External Web Svr External PC NTP/Syslog Svr DMZ DNS Svr DMZ Web Svr PC0 PC1 Net Admin Admin PC
Interface S0/0/0 S0/0/1 S0/1/0 Fa0/0 S0/0/0 Fa0/0 Fa0/1.10 Fa0/1.25 Fa0/1.99 S0/0/0 Fa0/0 S0/0/0 Fa0/0 NIC NIC
IP Address 209.165.200.225 192.31.7.1 198.133.219.1 192.135.250.1 209.165.200.226 10.1.1.254 172.16.10.254 172.16.25.254 172.16.99.254 198.133.219.2 198.133.219.62 192.31.7.2 192.31.7.62 192.135.250.5 192.31.7.35
Subnet Mask 255.255.255.252 255.255.255.252 255.255.255.252 255.255.255.0 255.255.255.252 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.252 255.255.255.224 255.255.255.252 255.255.255.224 255.255.255.0 255.255.255.224
Gateway n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a 192.135.250.1 192.31.7.62
DNS server n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a 192.135.250.
NIC NIC
192.31.7.33 172.16.25.2
255.255.255.224 192.31.7.62 255.255.255.0 172.16.25.254
192.135.250. 10.1.1.5
NIC
10.1.1.5
255.255.255.0
10.1.1.254
192.135.250.
NIC
10.1.1.2
255.255.255.0
10.1.1.254
10.1.1.5
NIC NIC NIC NIC
172.16.10.5 172.16.10.10 172.16.25.5 198.133.219.35
255.255.255.0 172.16.10.254 255.255.255.0 172.16.10.254 255.255.255.0 172.16.25.254 255.255.255.224 198.133.219.62
10.1.1.5 10.1.1.5 10.1.1.5 192.135.250.
Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.
Step 1: Configure Basic Device Hardening for the CORP Router. a. Configure the CORP router to only accept passwords with a minimum length of 10 characters.
CORP(config)#security passwords min-length 10 b. Configure an encrypted privileged level password of ciscoclass.
CORP(config)#enable secret ciscoclass
c. Enable password encryption for all clear text passwords in the configuration file.
CORP(config)#service password-encryption d. Configure the console port and all vty lines with the following requirements: Note: CORP is already configured with the username CORPADMIN and the secret password ciscoccnas. use the local database for login disconnect after being idle for 20 minutes
CORP(config)#line con 0 CORP(config-line)#login local CORP(config-line)#exec-timeout 20 0 CORP(config)#line vty 0 4 CORP(config-line)#login local CORP(config-line)#exec-timeout 20 0 CORP(config)#line vty 5 15 CORP(config-line)#login local CORP(config-line)#exec-timeout 20 0 d. Disable the CDP protocol only on the link to the Internet router.
CORP(config)#interface serial 0/0/0 CORP(config-if)#no cdp enable
Step 2: Configure Secure Network Management for the CORP Router. a. Enable the CORP router: as an NTP client to the NTP/Syslog server
CORP(config)#ntp server 172.16.25.2 key 0
to update the router calendar (hardware clock) from the NTP time source
CORP(config)#ntp update-calendar to timestamp log messages
CORP(config)# service
timestamps log datetime msec
to send logging messages to the NTP/Syslog server
CORP(config)#logging host 172.16.25.2 b. Configure the CORP router to accept SSH connections. Use the following guidelines: Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess. domain name is theccnas.com CORP(config)#ip domain-name theccnas.com
RSA encryption key pair using a modulus of 1024
CORP(config)#crypto key generate rsa >>enter>>[1024] SSH version 2, timeout of 90 seconds, and 2 authentication retries
CORP(config)# ip
ssh version 2
CORP(config)# ip
ssh time-out 90
CORP(config)# ip
ssh authentication-retries 2
all vty lines accept only SSH connections CORP(config-line)#line vty 0 4 CORP(config-line)#transport input ssh CORP(config-line)#line vty 5 15 CORP(config-line)#transport input ssh
c. Configure the CORP router with AAA authentication and verify its functionality: ??
AAA authentication using the local database as the default for console line and vty lines access
CORP(config)#aaa new-model CORP(config)# aaa
authentication login default local
CORP(config)# aaa
authorization exec default local
Step 3: Configure Device Hardening for Switch1. a. Access Switch1 with username CORPADMIN, password ciscoccnas, and the enable secret password of ciscoclass. b. Enable storm control for broadcasts on FastEthernet 0/24 with a 50 percent rising suppression level.
SW1(config)#interface fastEthernet 0/24 SW1(config-if)#storm-control broadcast level 50 c. Configure Switch1 to protect against STP attacks. Configure PortFast on FastEthernet ports 0/1 to 0/23.
SW1(config)#interface range fastEthernet 0/1-23 SW1(config-if-range)#spanning-tree portfast Enable BPDU guard on FastEthernet ports 0/1 to 0/23.
SW1(config-if-range)#spanning-tree bpduguard enable e. Configure port security and disable unused ports.
SW1(config-if-range)#switchport mode access ??
Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/23. Allow the MAC address to be learned dynamically and to
shutdown the port if a violation occurs. SW1(config-if-range)#switchport port-security SW1(config-if-range)#switchport port-security maximum 2 SW1(config-if-range)#switchport port-security violation shutdown SW1(config-if-range)#switchport port-security mac-address sticky ??
Disable unused ports (Fa0/2-5, Fa0/7-10, Fa0/13-23).
SW1(config)#interface range fastEthernet 0/2-5 SW1(config-if-range)#shutdown SW1(config)#interface range fastEthernet 0/7-10 SW1(config-if-range)#shutdown SW1(config)#interface range fastEthernet 0/13-23 SW1(config-if-range)#shutdown
Step 4: Configure an IOS IPS on the CORP Router. a. On the CORP router, create a directory in flash named ipsdir.
CORP#mkdir ipsdir [enter] b. Configure the IPS signature storage location to be flash:ipsdir.
CORP(config)#ip ips config location flash:ipsdir/ retries 1 c. Create an IPS rule named corpips.
CORP(config)#ip ips name corpips d. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.
CORP(config)#ip ips signature-category CORP(config-ips-category)#category all
CORP(config-ips-category-action)#retired true CORP(config-ips-category-action)#exit CORP(config-ips-category)#category ios_ips basic CORP(config-ips-category-action)#retired false CORP(config-ips-category-action)#exit CORP(config-ips-category)#exit Do you want to accept these changes? [confirm]{enter} e. Apply the IPS rule to the Fa0/0 interface.
CORP(config)#interface fastEthernet 0/0 CORP(config-if)#ip ips corpips out f.
Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0); enable the signature; modify the signature event-action to produce an alert and to deny packets that match the signature. CORP(config)#ip ips signature-definition CORP(config-sigdef)#signature 2004 0 CORP(config-sigdef-sig)#status CORP(config-sigdef-sig-status)#retired false CORP(config-sigdef-sig-status)#enabled true CORP(config-sigdef-sig-status)#exit CORP(config-sigdef-sig)#engine CORP(config-sigdef-sig-engine)#event-action produce-alert CORP(config-sigdef-sig-engine)#event-action deny-packet-inline CORP(config-sigdef-sig-engine)#exit CORP(config-sigdef-sig)#exit
CORP(config-sigdef)#exit Do you want to accept these changes? [confirm]{enter} g. Verify that IPS is working properly. Net Admin in the internal network cannot ping DMZ Web Svr. DMZ Web Svr, however, can ping Net Admin.
Step 5: Configure ACLs and CBAC on the CORP Router to Implement the Security Policy. a. Create ACL 12 to implement the security policy regarding the access to the vty lines: Only users connecting from Net Admin and Admin PC are allowed access to the vty lines.
CORP(config)#access-list 12 permit host 172.16.25.5 CORP(config)#access-list 12 permit host 198.133.219.35 CORP(config)#line vty 0 4 CORP(config-line)#access-class 12 in CORP(config)#line vty 5 15 CORP(config-line)#access-class 12 in
b. Create, apply, and verify an extended named ACL (named DMZFIREWALL) to filter incoming traffic to the DMZ.?? The ACL should be created in the order specified in the following guidelines ( Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer. ): 1. HTTP traffic is allowed to DMZ Web Svr. 2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Svr. 3. All traffic from 172.16.25.0/24 is allowed to enter the DMZ. 4. FTP traffic from the Branch administrator workstations in the subnet of 198.133.219.32/27 is allowed to DMZ Web Svr. [*]command’s by order of execution
CORP(config)# ip
access-list extended DMZFIREWALL CORP(config-ext-nacl)# permit tcp any host 10.1.1.2 eq www CORP(config-ext-nacl)# permit tcp any host 10.1.1.5 eq domain CORP(config-ext-nacl)# permit udp any host 10.1.1.5 eq domain CORP(config-ext-nacl)# permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255 CORP(config-ext-nacl)# permit tcp 198.133.219.32 0.0.0.31 host 10.1.1.2 eq ftp
CORP(config-ext-nacl)#exit CORP(config)# interface CORP(config-if)#
FastEthernet0/0
ip access-group DMZFIREWALL out
c. To verify the DMZFIREWALL ACL, complete the following tests: ??
Admin PC in the branch office can access the URL http://www.theccnas.com;
??
Admin PC can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco;
??
Net Admin can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco; and
??
PC1 cannot open an FTP session to the DMZ Web Svr.
d. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router.?? The ACL should be created in the order specified in the following guidelines ( Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer. ): 1. Allow HTTP traffic to the DMZ Web Svr. 2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Svr. 3. Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on the CORP router. 4. Allow IP traffic from the Branch router serial interface into the CORP router serial interface. 5. Allow IP traffic from the Branch Office LAN to the public IP address range
that is assigned to the CORP site (209.165.200.240/28). CORP(config)# ip access-list extended INCORP CORP(config-ext-nacl)# permit tcp any host 209.165.200.241 CORP(config-ext-nacl)# permit tcp any host 209.165.200.242
eq www eq
domain
CORP(config-ext-nacl)# permit
udp any host 209.165.200.242 eq
domain
CORP(config-ext-nacl)# permit
tcp 198.133.219.32 0.0.0.31 host
209.165.200.226 eq 22
CORP(config-ext-nacl)# permit
ip host 198.133.219.2 host
209.165.200.226
CORP(config-ext-nacl)# permit
ip 198.133.219.32 0.0.0.31
209.165.200.240 0.0.0.15
CORP(config-ext-nacl)#exit CORP(config)#
interface Serial0/0/0
CORP(config-if)#
ip access-group INCORP in
e. To verify the INCORP ACL, complete the following tests: ??
Admin PC in the branch office can access the URL http://www.theccnas.com;
??
Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the username SSHAccess and password ciscosshaccess; and
??
External PC cannot establish an SSH connection to the CORP router (209.165.200.226).
g. Create and apply a CBAC inspection rule (named INTOCORP) to inspect ICMP, TCP, and UDP traffic between the CORP internal network and any other network.
CORP(config)# ip CORP(config)# ip CORP(config)# ip
inspect name INTOCORP icmp inspect name INTOCORP tcp inspect name INTOCORP udp
h. Enable CBAC audit messages to be sent to the syslog server. CORP(config)# ip
inspect audit-trail
CORP(config)# interface
Serial0/0/0
CORP(config-if)# ip
inspect INTOCORP out
h. Verify the CBAC firewall configuration. PC1 can access the External Web Svr (www.externalone.com).
?? ??
PC1 can establish an SSH connection to the External router with username SSHadmin and password ciscosshpa55.
??
Admin PC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess.
Step 6: Configure a Zone-Based Policy Firewall on the Branch Router. a. Access the Branch router with username CORPADMIN, password ciscoccnas and the enable secret password of ciscoclass. b. On the Branch router, create the firewall zones. Create an internal zone named BR-IN-ZONE.
??
Branch(config)# zone
security BR-IN-ZONE
exit
Create an external zone named BR-OUT-ZONE.
??
Branch(config)# zone
security BR-OUT-ZONE
exit
c. Define a traffic class and access list. ??
Create an ACL (ACL 110) to permit all protocols from the 198.133.219.32/27 network to any destination.
Branch(config)# access-list
110 permit ip 198.133.219.32 0.0.0.31
any ??
Create a class map using the option of class map type inspect with the match-all keyword. Match the ACL 110 and name the class map BR-INCLASS-MAP.
Branch(config)#class-map type inspect match-all BR-IN-CLASS-MAP
Branch(config-cmap)#match access-group 110 d. Specify firewall policies. ??
Create a policy map named BR-IN-OUT-PMAP.
??
Use the BR-IN-CLASS-MAP class map.
??
Specify the action of inspect for this policy map.
Branch(config)#policy-map type inspect BR-IN-OUT-PMAP Branch(config-pmap)#class type inspect BR-IN-CLASS-MAP Branch(config-pmap-c)#inspect e. Apply the firewall. ??
Create a pair of zones named IN-OUT-ZPAIR with the source as BR-INZONE and destination as BR-OUT-ZONE.
Branch(config)#zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE ??
Specify the policy map BR-IN-OUT-PMAP for handling the traffic between the two zones.
Branch(config-sec-zone-pair)#service-policy type inspect BR-IN-OUT-PMAP ??
Assign interfaces to the appropriate security zones.
Branch(config)#interface fastEthernet 0/0 Branch(config-if)#zone-member security BR-IN-ZONE
Branch(config)#interface serial 0/0/0 Branch(config-if)#zone-member security BR-OUT-ZONE f. Verify the ZPF configuration. ??
The Admin PC in the Branch office can access the URLs http://www.theccnas.com and http://www.externalone.com.
??
The Admin PC in the Branch office can ping the External PC (192.31.7.33).
??
External PC cannot ping the Admin PC in the Branch office (198.133.219.35).
??
The Admin PC in Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess. If you get the Corp> prompt, then your configuration is correct.
Step 7: Configure a Site-to-Site IPsec VPN between the CORP router and the Branch Router. The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2 Policy: ?????????????????????????????????????????? ISAKMP Phase 1 Policy Parameters Key ISAKMP Distribution Method AES Encryption Algorithm Number of 256 Bits Hash SHA-1 Algorithm Authentication Pre-share Method Key Exchange DH 2 IKE SA Lifetime ISAKMP Key
86400 Vpnpass101
ISAKMP Phase 2 Policy Parameters Parameters
CORP Router
Branch Router
Transform Set Name Transform Set Peer Host Name Peer IP Address Encrypted Network Crypto Map Name SA Establishment
VPN-SET
VPN-SET
esp-3des esp-sha-hmac Branch
esp-3des esp-sha-hmac CORP
198.133.219.2
209.165.200.226
209.165.200.240/28
198.133.219.32/27
VPN-MAP
VPN-MAP
ipsec-isakmp
ipsec-isakmp
a. Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27). CORP(config)#access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31 Branch(config)#access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240
0.0.0.15 b. Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy is 10.?? Refer to the ISAKMP Phase 1 Policy Parameters Table for the specific details needed. /************************************ ***********config for corp************* ************************************/ CORP(config)#crypto isakmp policy 10 CORP(config-isakmp)#encryption aes 256 CORP(config-isakmp)#authentication pre-share CORP(config-isakmp)#group 2 CORP(config)# crypto
isakmp key Vpnpass101 address 198.133.219.2
/************************************ ***********config for branch************ ************************************/ Branch (config)#crypto isakmp policy 10 Branch (config-isakmp)#encryption aes 256 Branch (config-isakmp)#authentication pre-share Branch (config-isakmp)#group 2 Branch (config)# crypto
isakmp key Vpnpass101 address 209.165.200.226
c. Configure the ISAKMP Phase 2 properties on the CORP router. Refer to the ISAKMP Phase 2 Policy Parameters Table for the specific details needed. /************************************ ***********config for corp************* ************************************/ CORP(config)# crypto
ipsec transform-set VPN-SET esp-3des esp-sha-hmac
CORP(config)# crypto
map VPN-MAP 10 ipsec-isakmp
CORP(config-crypto-map)#set peer 198.133.219.2
CORP(config-crypto-map)#
set transform-set VPN-SET
CORP(config-crypto-map)#
match address 120
/************************************ ***********config for branch************ ************************************/ Branch(config)# crypto
ipsec transform-set VPN-SET esp-3des esp-sha-
hmac
Branch Branch Branch Branch
(config)# crypto map VPN-MAP 10 ipsec-isakmp (config-crypto-map)# set peer 209.165.200.226 (config-crypto-map)# set transform-set VPN-SET (config-crypto-map)# match address 120
d. Bind the VPN-MAP crypto map to the outgoing interface.
/************************************ ***********config for corp************* ************************************/ CORP(config)# interface CORP(config-if)# crypto
Serial0/0/0
map VPN-MAP
/************************************ ***********config for branch************ ************************************/ Branch(config)# interface Branch(config-if)# crypto
Serial0/0/0
map VPN-MAP
e. Configure IPsec parameters on the Branch router using the same parameters as on the CORP router. Note that interesting traffic is defined as the IP traffic from the two LANs.(done before) f. Save the running-config, then reload both CORP and Branch routers. /************************************ ***********config for corp************* ************************************/
CORP#copy running-config startup-config [enter] CORP#reload /************************************ ***********config for branch************ ************************************/ Branch#copy running-config startup-config [enter] Branch#reload
g. Verify the VPN configuration by conducting an FTP session with the username cisco and the password cisco from the Admin PC to the DMZ Web Svr. On the Branch router, check that the packets are encrypted. To exit the FTP session, type quit.