Assignment due 08 06 2023
© 2023 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 18
Lab - CCNA Security Comprehensive Lab
IP Addressing Table
Objectives
Part 1: Create a Basic Technical Security Policy
Part 2: Configure Basic Device Settings
Part 3: Configure Secure Router Administrative Access
Configure encrypted passwords and a login banner.
Configure the EXEC timeout value on console and vty lines.
Configure login failure rates and vty login enhancements.
Configure Secure Shell (SSH) access and disable Telnet.
Configure local authentication, authorization, and accounting (AAA) user authentication.
Secure the router against login attacks, and secure the IOS image and the configuration file.
Configure a router NTP server and router NTP clients.
Configure router syslog reporting and a syslog server on a local host.
Part 4: Configure a Site-to-Site VPN between ISRs
Configure an IPsec site-to-site VPN between R1 and R3 using the Cisco Configuration Professional
(CCP).
Part 5: Configure a Zone-Based Policy Firewall and Intrusion Prevention System
Configure a Zone-Based Policy Firewall (ZBF) on an ISR using CCP.
Background / Scenario
This comprehensive lab is divided into nine parts. The parts should be completed sequentially. In Part 1, you
will create a basic technical security policy. In Part 2, you configure the basic device settings. In Part 3, you
will secure a network router using the command-line interface (CLI) to configure various IOS features,
including AAA and SSH. In Part 4, you will configure a site-to-site VPN between R1 and R3 through the ISP
router (R2). In Part 5, you will configure a ZBF and IPS on an ISR. In Part 6, you will configure a network
switch using the CLI. In Parts 7 to 9, you will configure the ASA firewall functionality and clientless SSL VPN
remote access.
Note: The router commands and output in this lab are from a Cisco 1841 router using Cisco IOS software,
release 15.1(4)M8 (Advanced IP Services image). The switch commands and output are from Cisco WS-C2960-24TT-L switches with Cisco IOS Release 15.0(2)SE4 (C2960-LANBASEK9-M image). Other routers,
switches, and Cisco IOS versions can be used. See the Router Interface Summary Table at the end of the lab
to determine which interface identifiers to use based on the equipment in the lab. Depending on the router, or
switch model and Cisco IOS version, the commands available and output produced might vary from what is
shown in this lab.
The ASA used with this lab is a Cisco model 5505 with an 8-port integrated switch, running OS version 8.4(2)
and the Adaptive Security Device Manager (ASDM) version 7.2(1) and comes with a Base license that allows
a maximum of three VLANs.
Note: Ensure that the routers and switches have been erased and have no startup configurations.
Required Resources
3 Routers (Cisco 1841 with Cisco IOS Release 15.1(4)M8 Advanced IP Services image or comparable)
3 Switches (Cisco 2960 with cryptography IOS image for SSH support – Release 15.0(2)SE4 or
comparable)
1 ASA 5505 (OS version 8.4(2) and ASDM version 7.2(1) and Base license or comparable)
3 PCs (Windows Vista or Windows 7 with CCP 2.5, Cisco VPN Client, latest version of Java, Internet
Explorer, and Flash Player)
Serial and Ethernet cables as shown in the topology
Console cables to configure Cisco networking devices
CCP Notes:
If the PC on which CCP is installed is running Windows Vista or Windows 7, it may be necessary to right-click on the CCP icon or menu item, and choose Run as administrator.
In order to run CCP, it may be necessary to temporarily disable antivirus programs and O/S firewalls on the PC. Do this only on the isolated lab network, and re-enable them when the lab is complete.
Make sure that all pop-up blockers are turned off in the browser.
Step 2: Create a “Network Device Security Guidelines” document for router and switch security.
Create a high-level list of tasks to include for network access and device security. This document should
reinforce and supplement the information presented in a basic Security Policy. It is based on the content of
previous CCNA Security labs and on the networking devices present in the course lab topology.
Note: The “Network Device Security Guidelines” document should be no more than two pages, and is the
basis for the equipment configuration in the remaining parts of the lab.
Step 7: Save the basic running configuration for each router and switch.
Task 5: Secure against Login Attacks and Secure the IOS and Configuration File on R1 and R3
Step 2: Secure the Cisco IOS image and archive a copy of the running configuration.
a. The secure boot-image command enables Cisco IOS image resilience, which hides the running image file from the dir and show commands. The file cannot be viewed, copied, modified, or removed using EXEC mode commands. It can still be viewed from ROMMON mode, so this feature protects against an attacker who has obtained an EXEC session (for example, over a compromised SSH login), not against one with console or physical access.
b. The secure boot-config command takes a snapshot of the router running configuration and securely archives it in persistent storage (flash). Use show secure bootset to confirm that both the image and the configuration archive are in place.
b. Save the running configuration to the startup configuration from the privileged EXEC mode prompt.
Step 2: Configure R3 to log messages to the syslog server using the CLI.
a. Verify that you have connectivity between R3 and PC-C (the syslog server) by pinging the PC-C IP address 172.16.1.3 from R3. If it is unsuccessful, troubleshoot as necessary before continuing.
b. NTP was configured in Task 2 to synchronize the time on the network. Displaying the correct time and
date in syslog messages is vital when using syslog to monitor a network. If the correct time and date of a
message is not known, it can be difficult to determine what network event caused the message.
Verify that the timestamp service for logging is enabled on the router using the show run command. Use
the service timestamps log datetime msec command if the timestamp service is not enabled.
c. Configure the syslog service on the router to send syslog messages to the syslog server.
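The commands behind Task 5 Step 2 and this syslog step, collected into one R3 configuration as an added example (this block is not part of the lab text). The syslog server address 172.16.1.3 for PC-C and the R3 Fa0/1 interface come from this page; the login block-for values, the management ACL, and the logging trap level are assumptions chosen for illustration.

```cisco
! R3 - added example: image/config resilience, login-attack throttling, timestamped syslog
enable
configure terminal
!
! Task 5, Step 2: protect the IOS image and archive the running configuration in flash.
! Both files are hidden from dir/show and cannot be removed from EXEC mode.
! They remain visible from ROMMON, so physical/console access is still the trust boundary.
secure boot-image
secure boot-config
!
! Login attack protection (values are assumed for the example).
! After 3 failed logins within 60 seconds, refuse further logins for 60 seconds,
! but keep accepting connections from the management host so an attacker
! cannot lock the administrator out by triggering quiet mode.
! Log every failure and success so the events reach the syslog server below.
access-list 10 permit 172.16.1.3
login block-for 60 attempts 3 within 60
login quiet-mode access-class 10
login on-failure log
login on-success log
!
! Syslog Step 2b: every message carries a date and millisecond timestamp.
! Timestamps are only trustworthy once NTP (Task 2) has synchronized the clock.
service timestamps log datetime msec
!
! Syslog Step 2c: send messages of severity informational (6) and more severe
! to PC-C at 172.16.1.3, sourced from the LAN-facing interface.
logging host 172.16.1.3
logging trap informational
logging source-interface FastEthernet0/1
end
!
! Verification
! show secure bootset  - confirms the archived image and configuration are in place
! show login           - shows the block-for parameters and whether quiet mode is active
! show logging         - confirms the logging host and trap level
show secure bootset
show login
show logging
```

After applying this, deliberately fail three logins from a host other than PC-C and watch for the %SEC_LOGIN-1-QUIET_MODE_ON message on the syslog server; that confirms both the throttling and the log forwarding path in one test.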
Step 2: Verify the IOS IPS signature package location and TFTP server setup.
a. Verify connectivity between R3 and PC-C, the TFTP server, using the ping command.
b. Start Tftpd32 (or other TFTP server) and set the default directory to the one with the IPS signature
package in it. Note the filename for use in the next step.
h. In the Config Location and Category window > Choose Category field, select basic.
i. Click Next to display the Summary window, and click Finish.
j. On the Deliver Configuration to Device screen, click Deliver to deliver the commands to the router.
Note: Allow the signature configuration process to complete. This can take several minutes.
Step 1: On R3 (PC-C), use CCP to test the IPsec VPN tunnel between the two routers.
a. On the CCP menu bar, click Configure > Security > VPN > Site-to-Site VPN and select the Edit Site-to-Site VPN tab.
b. In the Edit Site to Site VPN tab, select the VPN you just configured, and click Test Tunnel.
c. When the VPN Troubleshooting window displays, click Start to have CCP troubleshoot the tunnel.
d. When the CCP Warning window displays, indicating that CCP will enable router debugs and generate
some tunnel traffic, click Yes to continue.
e. In the next VPN Troubleshooting window, the IP address of the R3 Fa0/1 interface in the source network
is displayed by default (172.16.1.1). Enter the IP address of the R1 Loopback 1 interface in the
Destination Network field (172.20.1.1), and click Continue to begin the debugging process.
If the debug is successful, you should see an Information window indicating that troubleshooting was
successful and the tunnel is up.
Step 2: Ping from PC-C to the R1 Lo1 interface at 172.20.1.1 to generate some interesting traffic.
Step 3: Issue the show crypto isakmp sa command on R3 to view the security association
created.
Step 4: Issue the show crypto ipsec sa command on R1 to see how many packets have been
received from R3 and decrypted by R1.
Step 3: Save the running configuration to the startup configuration for each switch.
Step 2: Bypass Setup Mode and configure the ASDM VLAN interfaces using the CLI.
a. When prompted to preconfigure the firewall through interactive prompts (Setup mode), respond with no.
b. Enter privileged EXEC mode. The password should be blank (no password) at this point.
c. Enter global configuration mode. Respond with no to the prompt to enable anonymous reporting.
d. The VLAN 1 logical interface will be used by PC-B to access ASDM on ASA physical interface E0/1.
Configure interface VLAN 1 and name it inside. The Security Level should be automatically set to the
highest level of 100. Specify IP address 192.168.1.1 and subnet mask 255.255.255.0.
e. Enable physical interface E0/1 and verify the E0/1 and VLAN 1 interface status. The status and protocol
for interface E0/1 and VLAN 1 should be up/up.
f. Preconfigure interface VLAN 2 and name it outside, add physical interface E0/0 to VLAN 2, and bring up
the E0/0 interface. You will assign the IP address using ASDM.
g. Test connectivity to the ASA by pinging from PC-B to ASA interface VLAN 1 IP address 192.168.1.1. The
pings should be successful.
Step 3: Configure and verify access to the ASA from the inside network.
a. Use the http command to configure the ASA to accept HTTPS connections and to allow access to ASDM
only from hosts on the inside network 192.168.1.0/24.
b. Open a browser on PC-B and test the HTTPS access to the ASA by entering https://192.168.1.1.
c. From the ASDM Welcome page, click Run ASDM. When prompted for a username and password, leave
them blank and click OK.
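The CLI equivalent of Step 2 and Step 3 on the ASA 5505, as an added example that is not part of the lab text. The inside address 192.168.1.1/24, the VLAN and port assignments, and the ASDM access rule follow this page; the security level of 0 for the outside VLAN is the ASA default for an interface named outside and is stated here explicitly.

```cisco
! ASA 5505 - added example: bring up the inside/outside VLAN interfaces and restrict ASDM
enable
configure terminal
!
! Step 2d: VLAN 1 is the inside network. Naming it "inside" sets security-level 100
! automatically; it is written out here so the trust boundary is visible in the config.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Step 2e: the physical port PC-B is connected to (member of VLAN 1 by default).
interface Ethernet0/1
 no shutdown
!
! Step 2f: VLAN 2 is the outside (untrusted) network; its address is assigned later in ASDM.
interface Vlan2
 nameif outside
 security-level 0
 no shutdown
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
! Step 3a: enable the HTTPS server used by ASDM and permit it ONLY from the inside subnet.
! A rule such as "http 0.0.0.0 0.0.0.0 outside" would expose the management plane to the Internet.
http server enable
http 192.168.1.0 255.255.255.0 inside
end
!
! Checks: both interfaces should show up/up, and only the inside rule should appear.
show interface ip brief
show running-config http
```

With this in place, https://192.168.1.1 from PC-B should load the ASDM Welcome page, while the same URL from any host outside 192.168.1.0/24 is refused before authentication is ever attempted.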
Task 2: Configure Basic ASA Settings Using the ASDM Startup Wizard
Step 1: Access the Configuration menu and launch the Startup wizard.
At the top left of the screen, click Configuration > Launch Startup wizard.
Step 2: Configure the hostname, domain name, and the enable password.
a. On the first Startup wizard screen, select the Modify Existing Configuration option.
b. On the Startup Wizard Step 2 screen, configure the ASA hostname CCNAS-ASA and domain name
ccnasecurity.com. Change the enable mode password from blank (no password) to ciscoenapa55.
Step 2: Configure static NAT to the DMZ server using a network object.
Configure a network object named dmz-server and assign it the static IP address of the DMZ server
(192.168.2.3). While in object definition mode, use the nat command to specify that this object is used to
translate a DMZ address to an outside address using static NAT and specify a public translated address of
209.165.200.11.
Step 3: Configure an ACL to allow access to the DMZ server from the Internet.
Configure a named access list OUTSIDE-DMZ that permits any IP protocol from any external host to the
internal IP address of the DMZ server. Apply the access list to the ASA outside interface in the in direction.
Note: Unlike IOS ACLs, the ASA ACL permit statement must permit access to the internal (real) DMZ address rather than the public one. This ASA runs 8.4(2), and from release 8.3 onward the ASA evaluates access lists against real addresses: an external host sends traffic to the public static NAT address, the ASA untranslates it to the internal host IP, and only then applies the ACL.
You can modify this ACL to allow only services that you want to expose to external hosts, such as web
(HTTP) or file transfer (FTP).
inspection policy. The pings from PC-B to PC-A do not affect the NAT translation counts, because both
PC-B and PC-A are behind the firewall and no translation takes place.
f. The DMZ server cannot ping PC-B on the inside network, for two reasons: the DMZ interface VLAN 3 has a lower security level than the inside interface, and when the VLAN 3 interface was created on this Base-licensed ASA it was necessary to specify the no forward command, which blocks traffic initiated from VLAN 3 toward the inside VLAN. Try to ping from the DMZ server PC-A to PC-B at IP address 192.168.1.X. The pings should be unsuccessful.
g. Use the show run command to display the configuration for VLAN 3.
Note: An access list can be applied to the inside interface to control the type of access to be permitted or
denied to the DMZ server from inside hosts.
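The DMZ configuration from Step 2 and Step 3, together with the VLAN 3 interface that the no forward discussion above refers to, as one added example (not the lab's own text). The object name dmz-server, the server address 192.168.2.3, the public address 209.165.200.11 and the ACL name OUTSIDE-DMZ come from this page; the interface name dmz, its gateway address 192.168.2.1, its security level of 70 and the use of port Ethernet0/2 are assumptions for illustration.

```cisco
! ASA 5505 - added example: third VLAN with no forward, object NAT, and the outside ACL
configure terminal
!
! Base license allows three VLANs, and the third must be created with "no forward" toward
! one other interface. Here the dmz may not initiate traffic toward inside (VLAN 1),
! which is why the ping from PC-A to PC-B in Step f fails.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
 no shutdown
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! Step 2: object NAT. The object holds the REAL address of the server; the nat line
! inside it maps that address to the public address when traffic crosses dmz<->outside.
object network dmz-server
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.11
!
! Step 3 as written in the lab: any IP protocol from any external host to the server.
! The ACL references the object (real address), because the ASA untranslates before
! evaluating the ACL on 8.3 and later.
access-list OUTSIDE-DMZ extended permit ip any object dmz-server
access-group OUTSIDE-DMZ in interface outside
!
! Tightened form suggested by the note above: expose only web and FTP. To switch to it,
! remove the broad line and add the two service-specific lines (FTP data channels are
! handled by the default "inspect ftp" policy, so no extra ports need opening).
! no access-list OUTSIDE-DMZ extended permit ip any object dmz-server
! access-list OUTSIDE-DMZ extended permit tcp any object dmz-server eq www
! access-list OUTSIDE-DMZ extended permit tcp any object dmz-server eq ftp
end
!
! Verification: translation table, ACL hit counts, and the VLAN 3 settings from Step g.
show nat detail
show access-list OUTSIDE-DMZ
show running-config interface Vlan3
```

A quick check of the ACL behaviour: browse from PC-C (outside) to http://209.165.200.11 and then run show access-list OUTSIDE-DMZ on the ASA; the hit count on the permit line increments even though the packet was addressed to the public address, which confirms that the ACL is being matched against the untranslated address.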
Router Interface Summary Table

Router Model   Ethernet Interface #1        Ethernet Interface #2        Serial Interface #1     Serial Interface #2
1700           Fast Ethernet 0 (Fa0)        Fast Ethernet 1 (Fa1)        Serial 0 (S0)           Serial 1 (S1)
1800           Fast Ethernet 0/0 (Fa0/0)    Fast Ethernet 0/1 (Fa0/1)    Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
1900           Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2801           Fast Ethernet 0/0 (Fa0/0)    Fast Ethernet 0/1 (Fa0/1)    Serial 0/1/0 (S0/1/0)   Serial 0/1/1 (S0/1/1)
2811           Fast Ethernet 0/0 (Fa0/0)    Fast Ethernet 0/1 (Fa0/1)    Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2900           Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one; an example of this is an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.