Ccnasv1.1 Chp10 Lab-F Asa5510-Fw-Asdm Instructor
Chapter 10 Lab F: Configuring ASA 5510 Basic Settings and Firewall Using ASDM (Instructor Version)
Grey highlighting indicates answers provided on instructor lab copies only.
Topology
Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet interfaces.
All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 54
CCNA Security
Objectives

Part 1: Lab Setup
- Cable the network as shown in the topology.
- Configure hostnames and interface IP addresses for routers, switches, and PCs.
- Configure static routing, including default routes, between R1, R2, and R3.
- Configure HTTP and Telnet access for R1.
- Verify connectivity between hosts, switches, and routers.

Part 2: Accessing the ASA Console and ASDM
- Access the ASA console and view hardware, software, and configuration settings.
- Clear previous configuration settings.
- Use the CLI to configure settings for ASDM access.
- Test Ethernet and Layer 3 connectivity to the ASA.
- Access the ASDM GUI and explore major windows and options.

Part 3: Configuring ASA Settings and Firewall Using the ASDM Startup Wizard
- Configure the hostname, domain name, and enable password.
- Configure the inside and outside interfaces.
- Configure DHCP for the inside network.
- Configure port address translation (PAT) for the inside network.
- Configure Telnet and SSH administrative access.

Part 4: Configuring ASA Settings from the ASDM Configuration Menu
- Set the date and time.
- Configure a static default route for the ASA.
- Test connectivity using ASDM Ping and Traceroute.
- Configure local AAA user authentication.
- Modify the MPF application inspection policy.
Part 5: Configuring a DMZ, Static NAT and ACLs
- Configure static NAT for the DMZ server.
- Configure an ACL on the ASA to allow access to the DMZ for Internet users.
- Verify access to the DMZ server for external and internal users.
- Use ASDM Monitor to graph traffic.
Background / Scenario
The Cisco Adaptive Security Appliance (ASA) is an advanced network security device that integrates a stateful firewall as well as VPN and other capabilities. This lab employs an ASA 5510 to create a firewall and protect an internal corporate network from external intruders while allowing internal hosts access to the Internet. The ASA creates three security interfaces: Outside, Inside and DMZ. It provides outside users limited access to the DMZ and no access to internal resources. Inside users can access the DMZ and outside resources. The focus of this lab is on the configuration of the ASA as a basic firewall. Other devices will receive minimal configuration to support the ASA portion of the lab.

This lab uses the ASA GUI interface ASDM, which is similar to the SDM and CCP used with Cisco ISRs, to configure basic device and security settings. In Part 1 of the lab you will configure the topology and non-ASA devices. In Part 2 you will prepare the ASA for ASDM access. In Part 3 you will use the ASDM Startup wizard to configure basic ASA settings and the firewall between the inside and outside networks. In Part 4 you will configure additional settings via the ASDM configuration menu. In Part 5 you will configure a DMZ on the ASA and provide access to a server in the DMZ.

Your company has one location connected to an ISP. Router R1 represents a CPE device managed by the ISP. Router R2 represents an intermediate Internet router. Router R3 connects an administrator from a network management company, who has been hired to manage your network remotely. The ASA is an edge CPE security device that connects the internal corporate network and DMZ to the ISP while providing NAT and DHCP services to inside hosts. The ASA will be configured for management by an administrator on the internal network as well as the remote administrator. ASA Layer 3 routed interfaces provide access to the three areas created in the lab: Inside, Outside, and DMZ. The ISP has assigned the public IP address space of 209.165.200.224/29, which will be used for address translation on the ASA.

Note: The routers used with this lab are Cisco 1841 with Cisco IOS Release 12.4(20)T (Advanced IP image). The switches are Cisco WS-C2960-24TT-L with Cisco IOS Release 12.2(46)SE (C2960-LANBASEK9-M image). Other routers, switches, and Cisco IOS versions can be used. However, results and output may vary. The ASA used with this lab is a Cisco model 5510 with four FastEthernet routed interfaces, running OS version 8.4(2) and ASDM version 6.4(5), and comes with a Base license that allows a maximum of 50 VLANs.

Note: Make sure that the routers and switches have been erased and have no startup configurations.

Instructor Notes: Instructions for erasing both the switch and router are provided in the Lab Manual, located on Academy Connection in the Tools section. Instructions for erasing the ASA and accessing the console are provided in this lab.
Required Resources
- 3 routers (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
- 3 switches (Cisco 2960 or comparable)
- 1 ASA 5510 (OS version 8.4(2) and ASDM version 6.4(5) and Base license or comparable)
- PC-A: Windows XP, Vista, or Windows 7 with CCP, PuTTY SSH client (Web and FTP server optional)
- PC-B: Windows XP, Vista, or Windows 7 with PuTTY SSH client and Java version 6.x or higher (ASDM loaded on the PC is optional)
- PC-C: Windows XP, Vista, or Windows 7 with CCP, PuTTY SSH client
- Serial and Ethernet cables as shown in the topology
- Rollover cables to configure the routers and ASA via the console
Instructor Notes: This lab is divided into five parts. Parts 1 and 2 can be performed separately but must be performed before Parts 3 through 5. Part 2 uses the ASA CLI to prepare the ASA for ASDM access. Parts 3 through 5 can be performed individually or in combination with others as time permits, but should be performed sequentially. In some cases, a task assumes the configuration of certain features in a prior task. The main goal is to use an ASA to implement firewall and other services that might previously have been configured on an ISR. As with Lab 10E, the student configures the most common basic ASA 5510 settings and services, such as NAT, ACL, DHCP, AAA, and SSH. Whereas Lab 10E uses the CLI to configure these features and settings, this lab uses ASDM, the ASA GUI. The final running configs for all devices are found at the end of the lab.
Configure a static route from R2 to the R1 Fa0/0 subnet (connected to ASA interface E0/0) and a static route from R2 to the R3 LAN.

R2(config)# ip route 209.165.200.224 255.255.255.248 Serial0/0/0
R2(config)# ip route 172.16.3.0 255.255.255.0 Serial0/0/1
Step 1: Enable the HTTP server on R1 and set the enable and vty passwords.

a. Enable HTTP access to R1 using the ip http server command in global config mode. Configure an enable password of class. Also set the vty and console passwords to cisco. This will provide web and Telnet targets for testing later in the lab. (These settings are for the lab only: enable password stores the password reversibly and ip http server is cleartext HTTP; outside a lab use enable secret and ip http secure-server.)

R1(config)# ip http server
R1(config)# enable password class
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config)# line con 0
R1(config-line)# password cisco
R1(config-line)# login

b. On routers R2 and R3, set the same enable, console and vty passwords as with R1.
Step 7: Save the basic running configuration for each router and switch.
Number of accelerators: 1

 0: Ext: Ethernet0/0         : address is 44d3.cafd.986c, irq 9
 1: Ext: Ethernet0/1         : address is 44d3.cafd.986d, irq 9
 2: Ext: Ethernet0/2         : address is 44d3.cafd.986e, irq 9
 3: Ext: Ethernet0/3         : address is 44d3.cafd.986f, irq 9
 4: Ext: Management0/0       : address is 44d3.cafd.986b, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.
[output omitted]
What software version is this ASA 5510 running?
The ASA in this lab uses version 8.4(2).

What is the name of the system image file and from where was it loaded?
The system image file in the ASA for this lab is asa842-k8.bin and it was loaded from disk0: (or flash:).

The ASA can be managed using a built-in GUI known as the Adaptive Security Device Manager (ASDM). What version of ASDM is this ASA running?
The ASA in this lab uses ASDM version 6.4(5).

How much RAM does this ASA have?
The ASA in this lab has 1 GB RAM.

How much flash memory does this ASA have?
The ASA in this lab has 256 MB flash memory.

How many Ethernet interfaces does this ASA have?
The ASA in this lab has 4 FastEthernet routed interfaces (Ethernet0/0 through Ethernet0/3); show version also lists the separate Management0/0 interface.

What type of license does this ASA have?
Base license.

How many VLANs can be created with this license?
50 VLANs with the Base license.

Instructor Note: Unlike the ASA 5505 base license, which can only create three VLANs, the 5510 base license can create up to 50 VLANs and does not have the DMZ feature restriction.
CCNAS-ASA# show file system
File Systems:

     Size(b)     Free(b)  Type     Flags  Prefixes
*  260234560   198070070  disk     rw     disk0: flash:
           -           -  disk     rw     disk1:
           -           -  network  rw     tftp:
           -           -  opaque   rw     system:
           -           -  network  ro     http:
           -           -  network  ro     https:
           -           -  network  rw     ftp:
           -           -  network  rw     smb:
What is another name for flash:?
disk0:

b. Display the contents of flash memory using one of these commands: show flash:, show disk0:, dir flash: or dir disk0:.
CCNAS-ASA# show flash:
--#--  --length--  -----date/time------  path
  124  15390720    Oct 19 2011 15:49:48  asa842-k8.bin
  125  16208544    Oct 19 2011 18:00:04  asdm-645.bin
    3  4096        Jan 01 2003 00:03:30  log
   10  4096        Jan 01 2003 00:04:00  crypto_archive
   11  4096        Jan 01 2003 00:04:04  coredumpinfo
   12  43          Jan 01 2003 00:04:04  coredumpinfo/coredump.cfg
  127  10105313    Oct 19 2011 18:07:50  csd_3.5.841-k9.pkg
  128  4096        Oct 19 2011 18:07:50  sdesktop
  135  1462        Oct 19 2011 18:07:50  sdesktop/data.xml
  129  2857568     Oct 19 2011 18:07:54  anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
  130  3203909     Oct 19 2011 18:07:54  anyconnect-win-2.4.1012-k9.pkg
  131  4830344     Oct 19 2011 18:07:58  anyconnect-macosx-i386-2.4.1012-k9.pkg
  132  5009403     Oct 19 2011 18:08:00  anyconnect-linux-2.4.1012-k9.pkg
What is the name of the ASDM file in flash:?
asdm-645.bin

Instructor Notes: Check the contents of flash memory occasionally to see if there are many upgrade_startup_errors log files. The ASA generates these as a result of erasing the startup config. You can delete them by issuing the command del flash:/upgrade_startup_errors* from the enable prompt and pressing Enter at each prompt.

CCNAS-ASA# del flash:/upgrade_startup_errors*
Delete filename [upgrade_startup_errors*]?
Delete disk0:/upgrade_startup_errors_201109141157.log? [confirm] <Enter>
Delete disk0:/upgrade_startup_errors_201109141204.log? [confirm] <Enter>
<output omitted>

Note: Alternatively, you can use the command dir flash:/*.log to view the log files and then use the del flash:/*.log command to remove them.
Note: The Management 0/0 interface is a separate physical FastEthernet interface on the ASA 5510. This interface is not present on the ASA 5505. The DHCP server is enabled on the security appliance, so a PC connecting to the Management 0/0 interface receives an address between 192.168.1.2 and 192.168.1.254.

Note: With the default factory configuration, it is assumed that the PC connected to Management 0/0 is a DHCP client and will be used to configure the 5510 using the ASDM GUI embedded in flash. The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network. No console or enable passwords are required and the default host name is ciscoasa.

Note: The default factory configuration only configures the Management 0/0 interface and does not configure an inside or outside network interface. The configuration consists of the commands listed below.

Note: Do not use these commands to configure the ASA at this time.

interface management 0/0
 ip address 192.168.1.1 255.255.255.0
 nameif management
 security-level 100
 no shutdown
logging asdm informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management

a. Display the current running configuration using the show running-config command. Output will vary depending on the current state of the ASA configuration.
CCNAS-ASA# show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname CCNAS-ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
[output omitted]
Tip: To stop the output from a command using the CLI, press the letter Q. If you see the Management interface configured, and other settings as described previously, the device is most likely configured with the default factory configuration. You may also see other security features such as a global policy that inspects selected application traffic, which the ASA inserts by default, if the original startup configuration has been erased. The actual output will vary depending on the ASA model, version and configuration status.
b. You can restore the ASA to its factory default settings by using the command configure factory-default from global configuration mode as shown here.
CCNAS-ASA# conf t
CCNAS-ASA(config)# configure factory-default
WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface management0/0
Executing command: nameif management
INFO: Security level for "management" set to 0 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 management
Executing command: dhcpd address 192.168.1.2-192.168.1.254 management
Executing command: dhcpd enable management
Executing command: logging asdm informational
Factory-default configuration is completed
Review this output. You may wish to capture and print the factory-default configuration as a reference.

Note: Restoring the ASA to factory default settings resets the hostname and prompt to ciscoasa.

Note: The IOS command erase startup-config is not supported on the ASA.

b. Use the reload command to restart the ASA. If prompted to save the configuration, respond with "no".
ciscoasa# reload
Proceed with reload? [confirm] <Enter>
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system

***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
[output omitted]
b. Enter privileged EXEC mode with the enable command and press [Enter]. The password should be blank (no password) at this point.

c. Enter global configuration mode using the command config t. The first time you enter configuration mode after reloading you will be asked if you wish to enable anonymous reporting. Respond with "no".
ASA 5510 interface notes: The 5510 and other higher-end 5500 series ASA models are different from the ASA 5505. With the 5510, a physical FastEthernet interface can be assigned a Layer 3 IP address directly, much like a Cisco router. With the ASA 5505, the eight integrated switch ports are Layer 2 ports and VLANs must be created. This is not the case with the 5510. The four FastEthernet interfaces on the 5510 are routed interfaces.

Note: If you completed the initial configuration Setup utility, Management interface M0/0 is configured with an IP address of 192.168.1.1. You will need to remove the IP address from the M0/0 interface in order to assign it to the inside interface E0/1. Instructions are provided here to configure both the inside (E0/1) and outside interface (E0/0) at this time. The DMZ interface (E0/2) will be configured in Part 5 of the lab.

d. Remove the configuration from the M0/0 interface and shut it down (if required).
ciscoasa(config)# interface m0/0
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# no nameif
ciscoasa(config-if)# no security-level
ciscoasa(config-if)# no ip address

e. Configure interface E0/1 for the inside network, 192.168.1.0/24. Name the interface inside, set the security level to the highest setting of 100 and bring it up.

ciscoasa(config)# interface e0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown

f. Configure interface E0/0 for the outside network, 209.165.200.224/29. Name the interface outside, set the security level to the lowest setting of 0 and bring it up.

ciscoasa(config-if)# interface e0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 209.165.200.226 255.255.255.248
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
Interface security level notes: You may receive a message that the security level for the inside interface was set automatically to 100 and the outside interface was set to 0. The ASA uses interface security levels from 0 to 100 to enforce the security policy. Security level 100 (inside) is the most secure and level 0 (outside) is the least secure. By default, the ASA applies a policy where traffic from a higher security level interface to one with a lower level is permitted and traffic from a lower security level interface to one with a higher security level is denied. The ASA default security policy permits outbound traffic, which is inspected by default. Returning traffic is allowed because of stateful packet inspection. This default "routed mode" firewall behavior of the ASA allows packets to be routed from the inside network to the outside network but not vice versa. In Part 3 of this lab you will configure NAT so that inside hosts reach the outside network through the public address. Note that address translation hides the inside addressing; it is the security-level policy and the access lists, not NAT, that block unsolicited inbound traffic.

g. Use the show interface ip brief command to ensure that ASA interfaces E0/0 and E0/1 are both up/up. Note that this command is different from the IOS command show ip interface brief. If either port is shown as down/down, check the physical connections. If either port is administratively down, bring it up with the no shutdown command.
ciscoasa(config-if)# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                209.165.200.226 YES manual up                    up
Ethernet0/1                192.168.1.1     YES manual up                    up
Ethernet0/2                unassigned      YES unset  administratively down up
Ethernet0/3                unassigned      YES unset  administratively down down
Management0/0              unassigned      YES unset  administratively down down
Tip: Most ASA show commands, as well as ping, copy and others, can be issued from within any config mode prompt without the "do" command required with IOS.

h. Display the Layer 3 interface information using the show ip address command.
ciscoasa(config)# show ip address
[output omitted]
Current IP Addresses:
Interface      Name      IP address       Subnet mask      Method
Ethernet0/0    outside   209.165.200.226  255.255.255.248  manual
Ethernet0/1    inside    192.168.1.1      255.255.255.0    manual
You may also use the command show running-config interface to display the configuration for a particular interface from the running-config.

ciscoasa# show run interface e0/0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
Test basic connectivity to the ASA by pinging from PC-B to ASA interface E0/1 IP address 192.168.1.1. The pings should be successful.

Open a browser on PC-B and test the HTTPS access to the ASA by entering https://192.168.1.1. Note: Be sure to specify the HTTPS protocol in the URL. ASDM is served by the ASA's HTTP server over HTTPS, so this test only succeeds if http server enable is configured and an http statement permits the 192.168.1.0/24 network on the inside interface; a successful ping to 192.168.1.1 does not by itself prove that.
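The Part 2 CLI preparation collected into one sequence, as an added example (not the lab's own output). The interface commands repeat the steps above; the two http lines are the ASA commands that HTTPS/ASDM access from the inside network requires and are assumed here because this page does not show them. The hostname is still the factory default ciscoasa, and PC-B is assumed to sit on 192.168.1.0/24 behind E0/1.

```cisco
! Added example: ASA 8.4 CLI preparation for ASDM access (Part 2).
! Assumptions: hostname ciscoasa; PC-B on 192.168.1.0/24 behind Ethernet0/1.
ciscoasa(config)# interface Management0/0
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# no nameif
ciscoasa(config-if)# no security-level
ciscoasa(config-if)# no ip address
!
ciscoasa(config-if)# interface Ethernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
!
ciscoasa(config-if)# interface Ethernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 209.165.200.226 255.255.255.248
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
!
! ASDM is served over HTTPS by the ASA's own HTTP server. Without these two
! lines the browser test fails even though ping to 192.168.1.1 succeeds.
! The second line is an access list: only the inside network may reach ASDM.
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
!
! Verify: both interfaces up/up, an ASDM image is registered, http ACL present.
ciscoasa(config)# show interface ip brief
ciscoasa(config)# show asdm image
ciscoasa(config)# show run http
```

If show asdm image reports no image, the ASDM launcher page will not load; set it with asdm image disk0:/asdm-645.bin (the file name found in the flash listing above).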
b. Click the Run ASDM button.

c. Click Yes for any other security warnings. You should see the Cisco ASDM-IDM Launcher dialog box where you can enter a username and password. Leave these fields blank as they have not yet been configured.
d. Click OK to continue. ASDM will load the current configuration into the GUI.

e. The initial GUI screen is displayed with various areas and options. The main menu at the top left of the screen contains three main sections: Home, Configuration, and Monitoring. The Home section is the default and has two dashboards: Device and Firewall. The Device dashboard is the default screen and shows device information such as Type (ASA 5510), ASA and ASDM version, amount of memory and firewall mode (routed). There are five areas on the Device Dashboard: Device Information, Interface Status, VPN Sessions, System Resources Status, and Traffic Status.
f. Click the Configuration and Monitoring tabs to become familiar with their layout and to see what options are available.
Step 1: Access the Configuration menu and launch the Startup wizard.

a. Click the Configuration button at the top left of the screen. There are five main configuration areas: Device Setup, Firewall, Remote Access VPN, Site-to-Site VPN, and Device Management.

b. The Device Setup Startup wizard is the first option available and displays by default. Read through the on-screen text describing the Startup wizard and then click the Launch Startup Wizard button.
On the Startup Wizard Step 4 screen – Other Interface Configuration, verify the settings for the inside interface, which were previously configured via the CLI. You can edit the settings for any of the interfaces from this screen. Note: Do not check the two boxes for enabling traffic between interfaces of the same security level and between hosts on the same interface; both relax the default policy.
On the Startup Wizard Step 5 screen – Static Routes, click Next to bypass this wizard option at this time. You will configure a static route for the ASA later using the Configuration menu.
On the Startup Wizard Step 7 screen – Address Translation (NAT/PAT), click the button Use Port Address Translation (PAT). The default is to use the IP address of the outside interface. Note that you can also specify a particular IP address for PAT or a range of addresses with NAT. Click Next to continue.
On the Startup Wizard Step 8 screen – Administrative Access, HTTPS/ASDM access is currently configured for hosts on inside network 192.168.1.0/24. Add Telnet access to the ASA for the inside network 192.168.1.0 with a subnet mask of 255.255.255.0. Add SSH access to the ASA from host 172.16.3.3 on the outside network. Make sure the checkbox Enable HTTP server for HTTPS/ASDM access is checked. Click Next to continue. Note: Telnet carries credentials in cleartext, which is why it is limited to the inside network here; the ASA never accepts Telnet on its lowest-security (outside) interface, and outside a lab SSH alone should be used.
On the Startup Wizard Step 9 screen – Auto Update Server, review the on-screen text describing the function of Auto Update but do not check the box to Enable Auto Update ASA. Click Next to continue.
On the Startup Wizard Step 10 screen – Cisco Smart Call Home Enrollment, review the on-screen text describing the function of Smart Call Home and leave the default radio button selected to not enable this feature. Click Next to continue.
Step 5: Review the summary and deliver the commands to the ASA.

a. On the Startup Wizard Step 11 screen – Startup Wizard Summary, review the Configuration Summary and click Finish. ASDM will deliver the commands to the ASA device and then reload the modified configuration. Note: If the GUI dialogue box stops responding during the reload process, close it, exit ASDM, and restart the browser and ASDM. If prompted to save the configuration to flash memory, respond with Yes. Even though ASDM may not appear to have reloaded the configuration, the commands were delivered. If errors are encountered as ASDM delivers the commands, you will be notified with a list of commands that succeeded and those that failed.
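The ASA 8.4 commands equivalent to the Startup Wizard choices made in this part, as an added example of what ASDM delivers (not the lab's own output; ASDM's exact object names and ordering may differ). The domain name, the DHCP pool range and the object name are assumptions, since this page does not show them; the addresses and the administrative-access hosts are the lab's.

```cisco
! Added example: CLI equivalent of the ASDM Startup Wizard configuration.
! Assumed (not on this page): domain-name, DHCP pool range, object name.
hostname CCNAS-ASA
domain-name ccnasecurity.com
enable password class
!
! Interfaces as already set from the CLI in Part 2 (shown for completeness).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! DHCP server for inside hosts (pool range is an assumption).
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
! Wizard Step 7: PAT of inside hosts to the outside interface address.
! In 8.3 and later NAT is attached to a network object; "interface" means
! overload on the outside interface's own address (209.165.200.226).
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Wizard Step 8: administrative access. Each line is an access list for the
! named service; Telnet (cleartext) is limited to the inside network, SSH
! only to the remote administrator's host. SSH also needs an RSA key pair.
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
ssh 172.16.3.3 255.255.255.255 outside
crypto key generate rsa modulus 2048
```

Verify with show run nat, show run ssh and show dhcpd state; show xlate will list the PAT entries once PC-B generates traffic through the outside interface.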
b. Restart ASDM and provide the new enable password class with no username. Return to the Device Dashboard and check the Interface Status window. You should see the inside and outside interfaces with IP address and status. The inside interface should show some number of Kb/s. The Traffic Status window may show the ASDM access as a TCP traffic spike.
connection because SSH access (ASA version 8.4(2) and later) requires that you also configure AAA and provide an authenticated user name. AAA will be configured in Part 4 of the lab.
Step 8: Test access to an external website using the ASDM Packet Tracer utility.

a. From the ASDM Home page, choose Tools > Packet Tracer.

b. Choose the Inside interface from the Interface drop-down menu and click TCP from the Packet Type radio buttons. From the Source drop-down menu, choose IP Address and enter the address 192.168.1.3 (PC-B) with a source port of 1500. From the Destination drop-down menu, choose IP Address and enter 209.165.200.225 (R1 Fa0/0) with a Destination Port of HTTP. Click Start to begin the trace of the packet. The packet should be permitted.
c. Reset the entries by clicking the Clear button. Try another trace and choose Outside from the Interface drop-down menu and leave TCP as the packet type. From the Source drop-down menu, choose IP Address and enter 209.165.200.225 (R1 Fa0/0) and a Source Port of 1500. From the Destination drop-down menu, choose IP Address and enter the address 209.165.200.226 (ASA outside interface) with a Destination Port of telnet. Click Start to begin the trace of the packet. The packet should be dropped. Note that this packet is addressed to the ASA itself, so the drop is decided by the management-access policy (Telnet was permitted only from the inside network) rather than by the interface security levels that govern traffic passing through the ASA. Click Close to continue.
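The same two traces run from the ASA CLI with the packet-tracer command, plus a third that goes beyond the page to show the through-the-box case (an added example, not lab output). The expected "Action:" values are the ones the packet-tracer result block reports; the third trace's address is PC-B's from the lab.

```cisco
! Added example: CLI form of the ASDM Packet Tracer runs.
! Syntax: packet-tracer input <ifc> <proto> <src-ip> <src-port> <dst-ip> <dst-port>
! Run from privileged EXEC; nothing is configured and no real packet is sent.
!
! 1. PC-B (inside) to R1 Fa0/0 on TCP/80. Expected: "Action: allow"; the NAT
!    phase shows the source translated to the outside address 209.165.200.226.
CCNAS-ASA# packet-tracer input inside tcp 192.168.1.3 1500 209.165.200.225 80
!
! 2. Outside host to the ASA's own outside address on TCP/23. Expected:
!    "Action: drop". This is to-the-box traffic, decided by the telnet
!    access list (inside network only) and by the rule that the ASA never
!    accepts Telnet on its lowest-security interface.
CCNAS-ASA# packet-tracer input outside tcp 209.165.200.225 1500 209.165.200.226 23
!
! 3. Same outside source to PC-B behind the inside interface on TCP/23.
!    Expected: "Action: drop" with an acl-drop reason: through traffic from
!    security level 0 to 100 with no access-group on outside hits the
!    implicit deny. Adding "detailed" at the end prints every phase.
CCNAS-ASA# packet-tracer input outside tcp 209.165.200.225 1500 192.168.1.3 23 detailed
```

Reading the phases in order (route lookup, access list, NAT, inspection) tells you which control dropped a flow; that is the same information the ASDM utility shows graphically.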
b. From the Configuration screen, Device Setup menu, choose Routing > Static Routes. Click the IPv4 Only button and click Add to add a new static route.

c. In the Add Static Route dialogue box, choose the outside interface from the drop-down menu. Click the ellipsis button to the right of Network and select any from the list of network objects, then click OK. The selection of any translates to a "quad zero" (0.0.0.0 0.0.0.0) route. For the Gateway IP, enter 209.165.200.225 (R1 Fa0/0).
e. From the ASDM Tools menu, select Ping and enter the IP address of router R1 S0/0/0 (10.1.1.1). The ping should succeed this time. Click Close to continue.

f. From the ASDM Tools menu, select Traceroute and enter the IP address of external host PC-C (172.16.3.3). Click on Trace Route. The traceroute should succeed and show the hops from the ASA through R1, R2, and R3 to host PC-C. Click Close to continue.
Step 3: Configure AAA user authentication using the local ASA database.

It is necessary to enable AAA user authentication in order to access the ASA using SSH. You allowed SSH access to the ASA from the outside host PC-C when the Startup wizard was run. To allow the remote network administrator at PC-C to have SSH access to the ASA, you will create a user in the local database.

a. From the Configuration screen, Device Management area, click Users/AAA. Click User Accounts and then Add. Create a new user named admin with a password of cisco123 and enter the password again to confirm it. Allow this user Full access (ASDM, SSH, Telnet, and console), and set the privilege level to 15. Click OK to add the user and click Apply to send the commands to the ASA.
b. From the Configuration screen, Device Management area, click Users/AAA. Click AAA Access. On the Authentication tab, select the checkboxes to require authentication for HTTP/ASDM, SSH and Telnet connections and specify the "LOCAL" server group for each connection type. Click Apply to send the commands to the ASA. Create the admin account (step a) before applying this; once LOCAL authentication is required, a missing account locks you out of ASDM, SSH and Telnet and leaves only the console.
Note: The next action you attempt within ASDM will require you to login as admin with password cisco123.
c. From PC-C, open an SSH client such as PuTTY and attempt to access the ASA outside interface at 209.165.200.226. You should be able to establish the connection. When prompted to login, enter user name admin and password cisco123.
d. After logging in to the ASA using SSH, enter the enable command and provide the password class. Issue the show run command to display the current configuration you have created using ASDM.
Note: The default timeout for Telnet and SSH is 5 minutes. You can increase this setting using the CLI as described in Lab 10A or go to ASDM Device Management > Management Access > ASDM/HTTPS/Telnet/SSH.
Select the inspection_default policy and click Edit to modify the default inspection rules. On the Edit Service Policy Rule window, click the Rule Actions tab and select the checkbox for ICMP. Do not change the other default protocols that are checked. Click OK and then click Apply to send the commands to the ASA. If prompted, login again as admin with a password of cisco123.
From PC-B, ping the external interface of R1 S0/0/0 (10.1.1.1). The pings should be successful.
...already using 209.165.200.225 and 226, respectively. You will use public address 209.165.200.227 and static NAT to provide address translation access to the server.
a. From the Configuration screen, Firewall menu, click the Public Servers option and click Add to define the DMZ server and services offered. In the Add Public Server dialog box, specify the Private Interface as dmz, the Public Interface as outside and the Public IP address as 209.165.200.227.
Click the ellipsis button to the right of Private IP Address. In the Browse Private IP Address window, click Add to define the server as a Network Object. Enter the name DMZ-Server, with a Type of Host and the Private IP Address of 192.168.2.3. While in the Add Network Object dialog box, click the double down arrow button for NAT. Click the checkbox for Add Automatic Address Translation Rules and enter the type as Static. Enter Translated Addr: 209.165.200.227. When the screen looks like the following, click OK to add the server network object. From the Browse Private IP Address window, click OK. You will return to the Add Public Server dialog box.
In the Add Public Server dialog, click the ellipsis button to the right of Private Service. In the Browse Private Service window, double-click to select the following services: tcp/http, tcp/ftp, icmp/echo and icmp/echo-reply (scroll down to see all services). Click OK to continue and return to the Add Public Server dialog.
Note: You can specify Public services if different from the Private services, using the option on this screen.
When you have completed all information in the Add Public Server dialog box, it should look like the one shown below. Click OK to add the server. Click Apply at the Public Servers screen to send the commands to the ASA.
Note: You can also see the actual IOS commands generated using the ASDM Tools > Command Line Interface and entering the command show run.
Step 1: Test access to the DMZ server from the outside network.
a. From PC-C, ping the IP address of the static NAT public server address (209.165.200.227). The pings should be successful.
b. Because the ASA inside interface E0/1 is set to security level 100 (the highest) and the DMZ interface E0/2 is set to 70, you can also access the DMZ server from a host on the inside network. The ASA acts like a router between the two networks. Ping the DMZ server (PC-A) internal address (192.168.2.3) from inside network host PC-B (192.168.1.3 or DHCP assigned address). The pings should be successful due to interface security level and the fact that ICMP is being inspected on the inside interface by the global inspection policy.
The DMZ server cannot ping PC-B on the inside network. This is because the DMZ interface E0/2 has a lower security level (70) than inside interface E0/1 (100). Try to ping from the DMZ server PC-A to PC-B at IP address 192.168.1.X. The pings should not be successful.
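The three ping results above follow from three ASA mechanisms working together: the static NAT entry that maps 209.165.200.227 to the DMZ server, the access rule bound to the outside interface, and the default security-level rule (traffic may be initiated from a higher-security interface to a lower one, never the reverse without an explicit permit). The following Python model is an added example, not part of the Cisco lab: it encodes the interface levels, the DMZ-Server static NAT and the dynamic PAT from this lab, and decides for each of the pings in this step (plus two extra flows) whether the initiating packet gets through. The page does not print the generated outside_access_in rule text, so the OUTSIDE_ACL table is an assumed equivalent of the four services chosen in the Public Servers dialog; the Verdict type and the decide() helper are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Interface table from the lab: (security level, directly connected network).
# E0/0 outside = 0, E0/1 inside = 100, E0/2 dmz = 70.
INTERFACES = {
    "outside": (0, ipaddress.ip_network("209.165.200.224/29")),
    "inside": (100, ipaddress.ip_network("192.168.1.0/24")),
    "dmz": (70, ipaddress.ip_network("192.168.2.0/24")),
}
OUTSIDE_IP = ipaddress.ip_address("209.165.200.226")  # ASA outside address, PAT target

# Static NAT created by the DMZ-Server network object: real -> mapped, (dmz,outside).
STATIC_NAT = {
    ipaddress.ip_address("192.168.2.3"): ipaddress.ip_address("209.165.200.227"),
}

# Assumed contents of outside_access_in for the services picked in the Public
# Servers dialog (tcp/http, tcp/ftp, icmp/echo, icmp/echo-reply). ASA 8.3+ ACLs
# reference the real (untranslated) address. The lab page does not print the
# rule text, so this table is an assumption, not a copy of the generated ACL.
OUTSIDE_ACL = {
    ("tcp", 80, ipaddress.ip_address("192.168.2.3")),
    ("tcp", 21, ipaddress.ip_address("192.168.2.3")),
    ("icmp", "echo", ipaddress.ip_address("192.168.2.3")),
    ("icmp", "echo-reply", ipaddress.ip_address("192.168.2.3")),
}


@dataclass
class Verdict:
    allowed: bool
    ingress: str
    egress: str
    real_dst: str    # destination after un-translating static NAT
    mapped_src: str  # source address as seen on the egress side
    reason: str


def interface_for(addr):
    """Route lookup: a directly connected inside/dmz network, else the default route."""
    for name, (_, net) in INTERFACES.items():
        if name != "outside" and addr in net:
            return name
    return "outside"


def decide(src, dst, proto, service):
    """Decide whether a flow initiated src -> dst would be admitted by this ASA.

    Only the first packet is evaluated; return traffic for a permitted flow
    (for example the echo-reply) is admitted by the stateful connection table
    together with the ICMP inspection enabled earlier in the lab.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    ingress = interface_for(src)

    # 1. NAT untranslate: a packet arriving on outside for a mapped address is
    #    delivered to the real DMZ host behind the static entry.
    real_dst = dst
    if ingress == "outside":
        for real, mapped in STATIC_NAT.items():
            if dst == mapped:
                real_dst = real
    egress = interface_for(real_dst)

    # 2. Access control. outside has an access-group bound, so only an explicit
    #    permit passes (implicit deny); other interfaces use the level rule.
    if ingress == "outside":
        if (proto, service, real_dst) in OUTSIDE_ACL:
            allowed, reason = True, "permitted by outside_access_in"
        else:
            allowed, reason = False, "no matching permit in outside_access_in (implicit deny)"
    else:
        in_level, out_level = INTERFACES[ingress][0], INTERFACES[egress][0]
        if in_level > out_level:
            allowed, reason = True, f"{ingress} ({in_level}) is higher than {egress} ({out_level})"
        else:
            allowed, reason = False, (f"{ingress} ({in_level}) is not higher than "
                                      f"{egress} ({out_level}) and no ACL permits it")

    # 3. Source translation towards the Internet: the DMZ server keeps its static
    #    mapping, every other internal host is PATed to the outside interface.
    mapped_src = src
    if allowed and egress == "outside":
        mapped_src = STATIC_NAT.get(src, OUTSIDE_IP)

    return Verdict(allowed, ingress, egress, str(real_dst), str(mapped_src), reason)


if __name__ == "__main__":
    for args in [
        ("172.16.3.3", "209.165.200.227", "icmp", "echo"),  # step a: PC-C to public address
        ("192.168.1.3", "192.168.2.3", "icmp", "echo"),     # step b: PC-B to PC-A
        ("192.168.2.3", "192.168.1.3", "icmp", "echo"),     # PC-A to PC-B (expected to fail)
        ("172.16.3.3", "209.165.200.227", "tcp", 23),       # service not published
        ("192.168.1.3", "10.1.1.1", "icmp", "echo"),        # inside host to R1 via PAT
    ]:
        v = decide(*args)
        print(f"{args[0]:>13} -> {args[1]:<16} {args[2]}/{args[3]!s:<10} "
              f"{'ALLOW' if v.allowed else 'DENY':5} {v.ingress}->{v.egress}: {v.reason}")
```

Running the script prints one line per flow; the first, second and last flows are allowed, the PC-A to PC-B ping and the unpublished Telnet attempt are denied, which matches the lab's expected results and shows that publishing a DMZ service exposes only the listed ports.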
Step 5:
There are a number of aspects of the ASA that can be monitored using the Monitoring screen. The main categories on this screen are Interfaces, VPN, Routing, Properties, and Logging. In this step you will create a graph to monitor packet activity for the ASA outside interface.
a. From the Monitoring screen, Interfaces menu, click Interface Graphs > outside. Select Packet Counts and click Add to add the graph. The exhibit below shows Packet Counts added.
b. Click the Show Graphs button to display the graph. Initially there is no traffic displayed.
c. From a privileged mode command prompt on R2, simulate Internet traffic to the ASA by pinging the DMZ server public address with a repeat count of 1000. You can increase the number of pings if desired.

R2# ping 209.165.200.227 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 209.165.200.227, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<output omitted>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/2/10 ms

You should see the results of the pings from R2 on the graph as an Input Packet Count. The scale of the graph is automatically adjusted depending on the volume of traffic. You can also view the data in tabular form by clicking the Table tab. Notice that the View selected at the bottom left of the Graph screen is Real-time, data every 10 seconds. Click the pull-down menu to see the other options available.
d. Ping from PC-B to R1 Fa0/0 at 209.165.200.225 using the -n option (number of packets) to specify 1000 packets.
C:\> ping 209.165.200.225 -n 1000

Note: The response from the PC is relatively slow and it may take a while to show up on the graph as Output Packet Count. The graph below shows an additional 5000 input packets as well as both input and output packet counts.
Reflection:
1. What are some benefits to using ASDM over the CLI?
The ASDM GUI is easier to use, especially for less technical staff, and can generate very complex configurations through the use of mouse selections, fill-in fields, and wizards.
2. What are some benefits to using the CLI over ASDM?
In some cases, the CLI can provide more precise control over the desired configuration. Also, some CLI commands are necessary to prepare the ASA for GUI access. CLI requires only a serial console connection, whereas ASDM requires Layer 3 (IP) connectivity to an ASA interface.
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network DMZ-Server
 nat (dmz,outside) static 209.165.200.227
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh 172.16.3.3 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.50 inside
dhcpd dns 10.20.30.40 interface inside
dhcpd domain ccnasecurity.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password e19$8R3cSe8At):/ encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2.fa&2/$1$c&c$21d2&.cffa/&&2)313
: end
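The management-plane settings in the running configuration above (which protocols require AAA, where SSH and Telnet may originate, idle timeouts, how user passwords are stored) are exactly the items a reviewer checks when an ASA is handed over, and they can be checked mechanically from show run output. The following Python script is an added example, not part of the Cisco lab or of ASDM: it parses an excerpt copied from the configuration listed above (with the printed password hash replaced by a placeholder) together with a constructed weak configuration, and reports findings for each. The parse_asa() and audit() helpers, the 10-minute idle-timeout threshold and the wording of the findings are this example's own.

```python
import ipaddress
import re

# Excerpt of the ASA running configuration listed above. Lines are copied from
# that listing; the password hash is a placeholder, not the printed value.
SAMPLE_CONFIG = """\
object network DMZ-Server
 nat (dmz,outside) static 209.165.200.227
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh 172.16.3.3 255.255.255.255 outside
ssh timeout 5
console timeout 0
username admin password <encrypted-hash-as-printed> encrypted privilege 15
"""

# Constructed counter-example (not from the lab) with the settings the checks
# below are meant to catch: management open to any outside address, Telnet on
# the outside interface, no AAA for SSH/Telnet, long timeout, cleartext password.
WEAK_CONFIG = """\
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
username admin password cisco123 privilege 15
"""

ACCESS_RE = re.compile(r"^(http|telnet|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
TIMEOUT_RE = re.compile(r"^(telnet|ssh|console) timeout (\d+)$")
USER_RE = re.compile(r"^username (\S+) password (\S+)( encrypted)?(?: privilege (\d+))?$")
AAA_RE = re.compile(r"^aaa authentication (http|ssh|telnet) console (\S+)$")
OBJ_NAT_RE = re.compile(r"^ nat \((\S+),(\S+)\) static (\S+)$")


def parse_asa(text):
    """Extract the management-access and object-NAT facts from show run output."""
    cfg = {"aaa": set(), "access": [], "timeouts": {}, "users": [],
           "static_nat": [], "http_server": False}
    current_object = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("object network "):
            current_object = line.split()[2]
            continue
        if line.startswith(" ") and current_object:      # indented line inside an object
            m = OBJ_NAT_RE.match(line)
            if m:
                cfg["static_nat"].append((current_object, m.group(1), m.group(2), m.group(3)))
            continue
        current_object = None                            # any top-level line ends the object
        if m := AAA_RE.match(line):
            cfg["aaa"].add(m.group(1))
        elif line == "http server enable":
            cfg["http_server"] = True
        elif m := ACCESS_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            cfg["access"].append((m.group(1), net, m.group(4)))
        elif m := TIMEOUT_RE.match(line):
            cfg["timeouts"][m.group(1)] = int(m.group(2))
        elif m := USER_RE.match(line):
            # privilege defaults to 2 on the ASA when not stated
            cfg["users"].append((m.group(1), bool(m.group(3)), int(m.group(4) or 2)))
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    used = {proto for proto, _, _ in cfg["access"]}
    if cfg["http_server"]:
        used.add("http")
    for proto in sorted(used - cfg["aaa"]):
        findings.append(f"{proto}: management access enabled without "
                        f"'aaa authentication {proto} console'")
    for proto, net, iface in cfg["access"]:
        if proto == "telnet" and iface == "outside":
            findings.append("telnet: permitted on the outside interface (cleartext, lowest-security side)")
        if iface == "outside" and net.prefixlen < 32:
            findings.append(f"{proto}: outside access from {net} rather than a single host")
    for proto in ("ssh", "telnet"):
        # 5 minutes is the ASA default named in the lab; 10 is this example's ceiling
        if cfg["timeouts"].get(proto, 5) > 10:
            findings.append(f"{proto}: idle timeout {cfg['timeouts'][proto]} min exceeds 10")
    if cfg["timeouts"].get("console") == 0:
        findings.append("console: timeout 0, idle console sessions never expire")
    for name, encrypted, _priv in cfg["users"]:
        if not encrypted:
            findings.append(f"user {name}: password stored in cleartext")
    return findings


if __name__ == "__main__":
    for label, text in (("lab config", SAMPLE_CONFIG), ("weak config", WEAK_CONFIG)):
        cfg = parse_asa(text)
        print(f"== {label}: static NAT {cfg['static_nat']}")
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

Against the lab excerpt the only finding is the console timeout of 0 (the ASA default, which the lab does not change); the constructed weak configuration produces nine. Feeding the script the real show run output from the SSH session in the step above is a quick way to confirm that the AAA Access settings made in ASDM actually reached every management protocol.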
Router R1

R1#sh run
Building configuration...

Current configuration : 1149 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password class
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 ip address 209.165.200.225 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/1
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
Router R2

R2#sh run
Building configuration...

Current configuration : 983 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password class
!
no aaa new-model
ip cef
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 clock rate 2000000
!
interface Vlan1
 no ip address
!
ip route 172.16.3.0 255.255.255.0 Serial0/0/1
ip route 209.165.200.224 255.255.255.248 Serial0/0/0
!
!
ip http server
no ip http secure-server
!
!
control-plane
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
scheduler allocate 20000 1000
end

R2#
Router R3

R3#sh run
Building configuration...

Current configuration : 1262 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password class
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
scheduler allocate 20000 1000
end
Switches S1, S2, and S3: Use default configs, except for host name.