PT Activity: Configure a Network for Secure Operation

Topology Diagram

Addressing Table

Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      Fa0/1          192.168.1.1   255.255.255.0    N/A              S1 Fa0/5
R1      S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
R3      Fa0/1          192.168.3.1   255.255.255.0    N/A              S3 Fa0/5
R3      S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.5   255.255.255.0    192.168.1.1      S1 Fa0/6
PC-B    NIC            192.168.1.6   255.255.255.0    192.168.1.1      S2 Fa0/18
PC-C    NIC            192.168.3.5   255.255.255.0    192.168.3.1      S3 Fa0/6
All contents are Copyright © 1992-2010 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

CCNA Security
Learning Objectives
• Secure the routers with strong passwords, password encryption and a login banner.
• Secure the console and VTY lines with passwords.
• Configure local AAA authentication.
• Configure SSH server.
• Configure router for syslog.
• Configure router for NTP.
• Secure the router against login attacks.
• Configure CBAC and ZPF firewalls.
• Secure network switches.
Introduction
In this comprehensive practice activity, you will apply a combination of security measures that were introduced in the course. These measures are listed in the objectives. In the topology, R1 is the edge router for Company A while R3 is the edge router for Company B. These networks are interconnected via the R2 router, which represents the ISP. You will configure various security features on the routers and switches for Company A and Company B. Not all security features will be configured on R1 and R3. The following preconfigurations have been made:
• Hostnames on all devices
• IP addresses on all devices
• R2 console password: ciscoconpa55
• R2 password on VTY lines: ciscovtypa55
• R2 enable password: ciscoenpa55
• Static routing
• Syslog services on PC-B
• DNS lookup has been disabled
• IP default gateways for all switches

Task 1: Test Connectivity and Verify Configurations
Step 1. Verify IP addresses.
Step 2. Verify routing tables.
Step 3. Test connectivity.
From PC-A, ping PC-C at IP address 192.168.3.5.
Task 2: Secure the Routers
Step 4. Set a minimum password length of 10 characters on routers R1 and R3.
Step 5. Configure an enable secret password on routers R1 and R3.
Use an enable secret password of ciscoenpa55.
Step 6. Encrypt plaintext passwords.
Step 7. Configure the console lines on R1 and R3.
Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 3 minutes of inactivity. Prevent console messages from interrupting command entry.
Step 8. Configure vty lines on R1.
Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 3 minutes of inactivity. Set the login authentication to use the default AAA list to be defined later.
Note: The vty lines on R3 will be configured for SSH in a later task.
Step 9. Configure login banner on R1 and R3.
Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that says: "No
Task 3: Configure Local Authentication on R1 and R3
Step 10. Configure the local user database.
Create a local user account of Admin01 with a secret password of Admin01pa55.
Step 11. Enable AAA services.
Step 12. Implement AAA services using the local database.
Create the default login authentication method list using local authentication with no backup method.
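The following is an added worked example of the complete R1 configuration for Tasks 2 and 3; it is not text from the Cisco activity. It assumes the default five vty lines (line vty 0 4) and, because the page cuts the banner wording off after "No", uses placeholder banner text. R3 receives the same lines except the vty block, which Task 7 replaces with an SSH-only configuration. The AAA commands are entered before the vty lines because IOS only accepts login authentication under a line once aaa new-model is on.

```cisco
! R1 - Tasks 2 and 3 (added example). Comments are on their own "!" lines;
! a trailing "!" on a command line would become part of the password.
!
! Step 4: reject any new password shorter than 10 characters
security passwords min-length 10
! Step 5: enable secret is stored as a hash (not the reversible Type 7 of "enable password")
enable secret ciscoenpa55
! Step 6: obscure the line passwords in "show run" (Type 7 is reversible, so this is not a control)
service password-encryption
!
! Step 10: "secret" hashes the password, "username ... password" would not
username Admin01 secret Admin01pa55
! Step 11
aaa new-model
! Step 12: default list = local database only, no fallback method
aaa authentication login default local
!
! Step 7: console line
line console 0
 password ciscoconpa55
 exec-timeout 3 0
 logging synchronous
 login
!
! Step 8: vty lines on R1 (R3's vty lines become SSH-only in Task 7)
line vty 0 4
 password ciscovtypa55
 exec-timeout 3 0
 login authentication default
!
! Step 9: banner text is truncated on the page, so this wording is assumed.
! "#" is the delimiter and must not appear inside the message.
banner motd #No unauthorized access permitted. Activity is logged.#
```

Once aaa new-model is on, every line without an explicit login authentication list uses the default list, so the console on R1 and R3 will prompt for Admin01's credentials rather than the line password. Keep an open console session while enabling AAA so a typo in the username line cannot lock you out, and confirm with show running-config | include username|aaa|security before disconnecting.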
Task 4: Configure NTP
Step 13. Enable NTP authentication on PC-A.
On PC-A, choose the Config tab, and then the NTP button. Select On for NTP service. Enable authentication and enter a Key of 1 and a password of ciscontppa55.
Step 14. Configure R1 as an NTP Client.
Configure NTP authentication key 1 with a password of ciscontppa55. Configure R1 to synchronize with the NTP server and authenticate using key 1.
Step 15. Configure routers to update hardware clock.
Configure routers to periodically update the hardware clock with the time learned from NTP.
Task 5: Configure R1 as Syslog Client
Step 16. Configure R1 to timestamp log messages.
Configure timestamp service for logging on the routers.
Step 17. Configure R1 to log messages to the syslog server.
Configure the routers to identify the remote host (syslog server) that will receive logging messages. You should see a console message similar to the following:
SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.6 port 514 started - CLI initiated
Step 18. Check for syslog messages on PC-B.
On R1, exit config mode to generate a syslog message. Open the syslog server on PC-B to view the message sent from R1. You should see a message similar to the following on the syslog server:
%SYS-5-CONFIG_I: Configured from console by console
Task 6: Secure Router Against Login Attacks
Step 19. Log unsuccessful login attempts to R1.
Step 20. Telnet to R1 from PC-A.
Telnet from PC-A to R1 and provide the username Admin01 and password Admin01pa55. The Telnet should be successful.
Step 21. Telnet to R1 from PC-A and check syslog messages on the syslog server.
Exit from the current Telnet session and Telnet again to R1 using the username of baduser and any password. Check the syslog server on PC-B. You should see an error message similar to the following that is generated by the failed login attempt:
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: baduser] [Source: 192.168.1.5] [localport: 23] [Reason: Invalid login] at 1:51:23 UTC Wed June 1 2559
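Tasks 4, 5 and 6 form one chain on R1: authenticated NTP gives the router a trustworthy clock, timestamps put that clock on every log line, the syslog host receives the lines, and login logging is what produces the LOGIN_FAILED record above. The block below is an added example of that chain, not the activity's own answer key. The NTP server address (PC-A, 192.168.1.5) and syslog host (PC-B, 192.168.1.6) come from the addressing table; the login block-for and quiet-mode lines go beyond what the activity asks for and are marked as such.

```cisco
! R1 - Tasks 4 to 6 (added example)
!
! Task 4: authenticated NTP. Key 1 must match the key and password set on PC-A.
ntp authentication-key 1 md5 ciscontppa55
ntp trusted-key 1
ntp authenticate
ntp server 192.168.1.5 key 1
! Step 15: copy NTP time into the hardware calendar so the clock survives a reload (R3 too)
ntp update-calendar
!
! Task 5: timestamps first, otherwise the entries on PC-B carry no usable time
service timestamps log datetime msec
logging host 192.168.1.6
! informational (level 6) is the default trap level; stated explicitly so the
! LOGGINGHOST_STARTSTOP (6) and CONFIG_I (5) messages are known to be forwarded
logging trap informational
!
! Task 6, Step 19: record failed (and, for audit, successful) logins
login on-failure log
login on-success log
!
! Not part of the activity: after 3 failures within 60 s, refuse logins for 60 s,
! except from the admin host, so a password-guessing run cannot lock the admins out.
ip access-list standard ADMIN-HOST
 permit host 192.168.1.5
login block-for 60 attempts 3 within 60
login quiet-mode access-class ADMIN-HOST
```

Check with show ntp status (should read synchronized) and show ntp associations (PC-A listed with the selected-peer marker once the authenticated exchange completes), show clock detail (time source should be NTP), show logging (PC-B listed as a logging host) and show login (current block-for settings and whether the router is in quiet mode). Without the quiet-mode access class, login block-for turns a failed brute-force attempt into a denial of service against the administrators themselves.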
Task 7: Configure SSH on R3
Step 22. Configure a domain name.
Configure a domain name of ccnasecurity.com on R3.
Step 23. Configure the incoming vty lines on R3.
Use the local user accounts for mandatory login and validation and accept only SSH connections.
Step 24. Configure RSA encryption key pair for R3.
Any existing RSA key pairs should be erased on the router. If there are no keys currently configured, a message will be displayed indicating this. Configure the RSA keys with a modulus of 1024.
Step 25. Configure SSH timeouts and authentication parameters.
Set the SSH timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
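An added example of the R3 SSH configuration for Task 7 (not the activity's own answer). It assumes aaa new-model was enabled on R3 in Task 3, so the vty lines take the AAA default list (which is local); on a router without AAA the equivalent line command is login local. The 1024-bit modulus is what the activity specifies; outside the lab use 2048 bits or more.

```cisco
! R3 - Task 7 (added example)
!
! Step 22: the domain name is part of the RSA key label; generation fails without it
ip domain-name ccnasecurity.com
!
! Step 24: wipe any existing key pair (IOS asks for confirmation and reports if none exists)
crypto key zeroize rsa
! "modulus 1024" keeps the command non-interactive; prefer 2048+ in production
crypto key generate rsa general-keys modulus 1024
!
! Step 25: 90 s to complete authentication, 2 tries, SSHv2 only (v1 is broken)
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
! Step 23: authenticate against the local database (Admin01 from Task 3) and
! refuse Telnet entirely; "transport input ssh" is what makes Step 44's Telnet fail
line vty 0 4
 login authentication default
 transport input ssh
 exec-timeout 3 0
```

show ip ssh should report SSH Enabled - version 2.0 with the 90-second timeout and 2 retries; show crypto key mypubkey rsa shows the key just generated. From PC-C, ssh -l Admin01 192.168.3.1 should prompt for Admin01pa55, while telnet 192.168.3.1 is refused.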
Task 8: Configure CBAC on R1
Step 26. Configure a named IP ACL.
Create an IP ACL named OUT-IN to block all traffic originating from the outside network. Apply the access list to incoming traffic on interface Serial 0/0/0.
Step 27. Confirm that traffic entering interface Serial 0/0/0 is dropped.
From the PC-A command prompt, ping PC-C. The ICMP echo replies are blocked by the ACL.
Step 28. Create an inspection rule to inspect ICMP, Telnet and HTTP traffic.
Create an inspection rule named IN-OUT-IN to inspect ICMP, Telnet and HTTP traffic.
Step 29. Apply the inspect rule to the outside interface.
Apply the IN-O
Step 30. Test operation of the inspection rule.
From the PC-A command prompt, ping PC-C. The ICMP echo replies should be inspected and allowed through.
Task 9: Configure ZPF on R3
Step 31. Test connectivity.
Verify that the internal host can access external resources.
• From PC-C, test connectivity with ping and Telnet to R2; all should be successful.
• From R2, ping PC-C. The pings should be allowed.
Step 32. Create the firewall zones.
Create an internal zone named IN-ZONE. Create an external zone named OUT-ZONE.
Step 33. Create an ACL that defines internal traffic.
Create an extended, numbered ACL that permits all IP protocols from the 192.168.3.0/24 source network to any destination. Use 101 for the ACL number.
Step 34. Create a class map referencing the internal traffic ACL.
Create a class map named IN-NET-CLASS-MAP to match ACL 101.
Step 35. Specify firewall policies.
Create a policy map named IN-2-OUT-PMAP to determine what to do with matched traffic. Specify a class type of inspect and reference class map IN-NET-CLASS-MAP. Specify the action of inspect for this policy map. You should see the following console message:
%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected.
Exit to the global config prompt.
Step 36. Apply firewall policies.
Create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created earlier. Attach a policy map and actions to the zone pair referencing the policy map previously created, IN-2-OUT-PMAP. Exit to the global config prompt and assign the internal and external interfaces to the security zones.
Step 37. Test firewall functionality.
Verify that the internal host can still access external resources.
• From PC-C, test connectivity with ping and Telnet to R2; all should be successful.
• From R2, ping PC-C. The pings should now be blocked.
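An added example of the full R3 zone-based policy firewall for Task 9, not the activity's own answer. Interface roles come from the addressing table: FastEthernet0/1 faces the 192.168.3.0/24 LAN and Serial0/0/1 faces R2.

```cisco
! R3 - Task 9 (added example)
!
! Step 32
zone security IN-ZONE
zone security OUT-ZONE
!
! Step 33: only traffic sourced from the inside LAN qualifies for inspection
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
!
! Step 34
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
!
! Step 35: "inspect" with no protocol match produces the console warning quoted
! above; every protocol from a matching source is then tracked statefully
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
!
! Step 36: policy applies to IN-ZONE -> OUT-ZONE only. No OUT -> IN pair exists,
! so unsolicited traffic from the ISP side is dropped by default.
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
!
interface FastEthernet0/1
 zone-member security IN-ZONE
interface Serial0/0/1
 zone-member security OUT-ZONE
```

The absence of an OUT-ZONE to IN-ZONE pair is the whole control: it is why R2's pings to PC-C fail in Step 37 while PC-C's own sessions get their replies back. Traffic addressed to R3's own interfaces belongs to the implicit self zone and is not filtered by this policy, which is why Step 47's Telnet from R2 to 10.2.2.1 is rejected by the vty transport input ssh setting, not by the firewall. show policy-map type inspect zone-pair sessions lists the tracked sessions; show zone-pair security confirms the attached policy.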
Task 10: Secure the Switches
Step 38. Configure an enable secret password on all switches.
Use an enable secret password of ciscoenpa55.
Step 39. Encrypt plaintext passwords.
Step 40. Configure the console lines on all switches.
Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 3 minutes of inactivity. Prevent console messages from interrupting command entry.
Step 41. Configure vty lines on all switches.
Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 3 minutes of inactivity. Set the basic login parameter.
Step 42. Secure trunk ports on S1 and S2.
Configure port Fa0/1 on S1 as a trunk port. Configure port Fa0/1 on S2 as a trunk port. Verify that S1 port Fa0/1 is in trunking mode. Set the native VLAN on S1 and S2 trunk ports to an unused VLAN 99. Set the trunk ports on S1 and S2 so that they do not negotiate by turning off the generation of DTP frames. Enable storm control for broadcasts on the S1 and S2 trunk ports with a 50 percent rising suppression level.
Step 43. Secure access ports.
Disable trunking on S1, S2 and S3 access ports. Enable PortFast on S1, S2, and S3 access ports. Enable BPDU guard on the switch ports previously configured as access only. Enable basic default port security on all end-user access ports that are in use. Use the sticky option. Re-enable each access port to which port security was applied. Disable any ports not being used on each switch.
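An added example of the Task 10 configuration as applied to S1; it is not the activity's own answer. Port assignments come from the addressing table (S1 Fa0/5 to R1, Fa0/6 to PC-A, Fa0/1 trunk to S2); on S2 the end-user port is Fa0/18 and on S3 the access ports are Fa0/5 and Fa0/6 with no trunk. The unused-port range assumes a 24-port 2960 with two Gigabit uplinks.

```cisco
! S1 - Task 10 (added example; S2 and S3 differ only in port numbers)
!
! Steps 38-41: same line hardening as the routers (2960 has 16 vty lines)
enable secret ciscoenpa55
service password-encryption
line console 0
 password ciscoconpa55
 exec-timeout 3 0
 logging synchronous
 login
line vty 0 15
 password ciscovtypa55
 exec-timeout 3 0
 login
!
! Step 42: trunk to S2. Unused native VLAN defeats double-tagging, "nonegotiate"
! stops DTP so a rogue device cannot talk the port into trunking on its own.
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
 storm-control broadcast level 50
!
! Step 43: access ports (Fa0/5 to R1, Fa0/6 to PC-A). PortFast skips the STP
! listening/learning delay; BPDU guard err-disables the port if a switch shows up on it.
interface range FastEthernet0/5 - 6
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Port security only on the end-user port. Defaults: maximum 1 MAC, violation shutdown.
! Sticky learns PC-A's MAC into the running configuration on first frame.
interface FastEthernet0/6
 switchport port-security
 switchport port-security mac-address sticky
 shutdown
 no shutdown
!
! Everything else on this switch is unused: shut it down
interface range FastEthernet0/2 - 4, FastEthernet0/7 - 24, GigabitEthernet0/1 - 2
 shutdown
```

show interfaces trunk confirms Fa0/1 is trunking with native VLAN 99, and show port-security interface fa0/6 shows the learned address, the violation mode (shutdown, which is the err-disabled state Step 48 provokes) and the violation count. Sticky addresses exist only in the running configuration; save with copy running-config startup-config, or after a reload the port will simply learn whatever is plugged in next.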
Task 11: Verification
Step 44. Test SSH configuration.
Attempt to connect to R3 via Telnet from PC-C. From PC-C, enter the command to connect to R3 via Telnet at IP address 192.168.3.1. This connection should fail, since R3 has been configured to accept only SSH connections on the virtual terminal lines. From PC-C, enter the ssh -l Admin01 192.168.3.1 command to connect to R3 via SSH. When prompted for the password, enter the password Admin01pa55 configured for the local administrator. Use the show ip ssh command to see the configured settings.
Step 45. Verify timestamps and NTP status for R1 and PC-A.
Step 46. Test CBAC firewall on R1.
• Ping from PC-A to R2 at 10.2.2.2 (should succeed).
• Telnet from PC-A to R2 at 10.2.2.2 (should succeed).
• Ping from R2 to PC-A at 192.168.1.5 (should fail).
Step 47. Test ZPF firewall on R3.
• Ping from PC-C to R2 at 10.2.2.2 (should succeed).
• Telnet from PC-C to R2 at 10.2.2.2 (should succeed).
• Ping from R2 to PC-C at 192.168.3.5 (should fail).
• Telnet from R2 to R3 at 10.2.2.1 (should fail; only SSH is allowed).
Step 48. Verify port security.
On S2, use the show run command to confirm that S2 has added a sticky MAC address for Fa0/18. This should be the MAC address of PC-B. Record the MAC address for later use. Select PC-B. Go to the Config tab. Select FastEthernet under the Interface section. Edit the MAC address field. This should cause a port security violation and S2 should shut down port Fa0/18. Use the show interface Fa0/18 command to view the status of the port. The port should be in the err-disabled state. On PC-B, go to the Config tab. Select FastEthernet under the Interface section. Change the MAC address to another address. From interface configuration mode on switch S2 for Fa0/18, use the no switchport port-security mac-address sticky address command to remove the original PC-B learned address. Shut down and then re-enable the Fa0/18 interface. On S2, use the show run command to confirm that the port comes up and that the new MAC address has been learned.
Note: If it is desired to reconnect the PC with the original MAC address, you can simply change the MAC address on the PC back to the original one and issue the shutdown and no shutdown commands on port Fa0/18. If the PC or a NIC is being replaced and will have a new MAC address, you must first remove the old learned address.
Step 49. Check results.
Your completion percentage should be 100%. Click Check Results to see feedback and verification of which required components have been completed.