CCNA Security Skills Based Challenge Lab


  • 8/10/2019 CCNA Security Skills Based Challenge Lab

    1/9

    Cisco CCNA Security Skills Based Challenge Lab Collin College

    CCNA Security Skills Based Challenge Lab

    Lab Overview

This Skills Based Challenge Lab (SBCL) is divided into 7 parts. The parts should be completed sequentially. In Part 1 you verify that the basic device settings have been preconfigured by the instructor. In Part 2, you secure a network router using the CLI to configure various IOS features including AAA and SSH. In Part 3 you configure a site-to-site VPN between R1 and R3 through the ISP router (R2). In Part 4 you configure a ZPF firewall and IPS on an ISR. Part 5 configures network switches using the CLI. In Parts 6 and 7 you configure the ASA firewall functionality and clientless SSL VPN remote access.

Required Resources: 3 routers, 3 switches, 1 ASA 5505, 3 PCs, and Serial and Ethernet cables as shown in the topology.

PC-A: Windows XP, Vista, or Windows 7 with CCP, PuTTY SSH client (Web and FTP server optional) (flash drive optional)

PC-B: Windows XP, Vista, or Windows 7 with PuTTY SSH client and Java version 6.x or higher (ASDM

Device | Interface      | IP Address      | Subnet Mask     | Default Gateway | Switch Port
R1     | F0/0           | …15.20.33       | 255.255.255.248 | N/A             | ASA E0/0
R1     | S0/0/0 (DCE)   | 10.100.1.1      | 255.255.255.252 | N/A             | N/A
R1     | Loopback 1     | 172.21.10.1     | 255.255.255.0   | N/A             | N/A
R2     | S0/0/0         | 10.100.1.2      | 255.255.255.252 | N/A             | N/A
R2     | S0/0/1 (DCE)   | 10.200.2.2      | 255.255.255.252 | N/A             | N/A
R2     | Loopback 1     | 192.168.200.2   | 255.255.255.252 | N/A             | N/A
R3     | F0/1           | 172.31.30.1     | 255.255.255.0   | N/A             | N/A
R3     | S0/0/1         | 10.200.2.1      | 255.255.255.252 | N/A             | N/A
S1     | VLAN 1         | 192.168.100.11  | 255.255.255.0   | 192.168.100.1   | N/A
S2     | VLAN 1         | 192.168.100.12  | 255.255.255.0   | 192.168.100.1   | N/A
ASA    | VLAN 1 (E0/1)  | 192.168.100.1   | 255.255.255.0   | N/A             | S2 F0/24
ASA    | VLAN 2 (E0/0)  | 69.15.20.34     | 255.255.255.248 | N/A             | R1 F0/0
PC-A   | NIC            | 192.168.100.2   | 255.255.255.0   | 192.168.100.1   | S1 F0/6
PC-B   | NIC            | 192.168.100.3   | 255.255.255.0   | 192.168.100.1   | S2 F0/18
PC-C   | NIC            | 172.31.30.3     | 255.255.255.0   | 172.31.30.1     | S3 F0/18

Objectives:

Part 1: Verify Basic Device Settings

Part 2: Configure Secure Router Administrative Access
Configure encrypted passwords and a login banner. Configure EXEC timeout on console and VTY lines. Configure login failure rates and VTY login enhancements. Configure SSH access and disable Telnet. Configure local authentication. NTP client to the NTP/Syslog server.

Part 3: Configure a Site-to-Site VPN between ISRs
Configure an IPsec site-to-site VPN between R1 and R3 using CCP.

Part 4: Configure an ISR Firewall and Intrusion Prevention System
Configure a zone-based policy (ZPF) firewall on an ISR using CCP. Configure an Intrusion Prevention System (IPS) on an ISR using CCP. Configure a CBAC firewall to implement security policies.

Part 5: Secure Network Switches
Configure passwords and a login banner. Configure management VLAN access. Secure trunk ports. Secure access ports. Protect against STP attacks. Configure port security and disable unused ports.

Part 6: Configure ASA Basic Settings and Firewall


Configure basic settings, passwords, date and time. Configure the inside and outside VLAN interfaces. Configure port address translation (PAT) for the inside network. Configure a DHCP server for the inside network. Configure administrative access via Telnet and SSH. Configure a static default route for the ASA. Configure local user authentication. Verify address translation and firewall functionality.

Part 7: Configure ASA Clientless SSL VPN Remote Access
Configure a remote access SSL VPN using ASDM.


…as an NTP client to the NTP/Syslog server. To timestamp log messages. To send logging messages to the NTP/Syslog server.

Task 2: Configure Local Authentication with AAA on R1.

Step 1: Configure the local user database. Create a local user account of Admin01 with a secret password of Admin01pa55 and a privilege level of 15.

Step 2: Enable AAA services.

Step 3: Implement AAA services using the local database. Create the default login authentication method list using case-sensitive local authentication as the first option and the enable password as the backup option to use if an error occurs in relation to local authentication.

Task 3: Configure the SSH Server on Router R1.

Step 1: Configure the domain name ccnasecurity.com.

Step 2: Configure the incoming vty lines. Specify that the router vty lines will accept only SSH connections.

Step 3: Generate the RSA encryption key pair. Configure the RSA keys with 1024 as the number of modulus bits.

Step 4: Configure the SSH version. Specify that the router accept only SSH version 2 connections.

Step 5: Verify SSH connectivity to R1 from PC-C. Launch the SSH client on PC-C, test SSH connectivity to R1 and log in as Admin01 with the password Admin01pa55.

Task 4: Secure against login attacks on R1.

Step 1: Configure enhanced login security on R1. If a user fails to log in twice within a 30 second time span, then disable logins for 1 minute. Log all failed login attempts.
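The Task 2 to Task 4 requirements above, expressed as the R1 CLI commands that satisfy them (an added example, not part of the lab handout; the enable secret that serves as the AAA fallback is assumed to be configured already):

```cisco
! Added example (not the handout's own config): R1 CLI for Tasks 2-4.
! User, password, domain, modulus, timers and SSH version are the lab's values;
! the enable secret (the AAA fallback) is assumed to be configured already.
ip domain-name ccnasecurity.com
! Task 2: local user database, then AAA with case-sensitive local auth first
! and the enable password as backup if local authentication errors out
username Admin01 privilege 15 secret Admin01pa55
aaa new-model
aaa authentication login default local-case enable
! Task 3: 1024-bit RSA key pair, SSH version 2 only, vty lines SSH only
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
line vty 0 4
 login authentication default
 transport input ssh
! Task 4: two failed logins within 30 s block further logins for 60 s,
! and every failure is logged
login block-for 60 attempts 2 within 30
login on-failure log
! Checks: show ip ssh ; show login ; show login failures (after a bad attempt from PC-C)
```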

Part 3: Configure a Site-to-Site IPsec VPN between ISRs

In Part 3 of this SBCL, you use CCP or CLI to configure an IPsec VPN tunnel between R1 and R3 that passes through R2.

If using CCP:

Task 1: Configure the site-to-site VPN between R1 and R3.

Step 1: Configure the enable secret password and HTTP access on R3 prior to starting CCP.
a. From the CLI, configure an enable secret password of ciscoenapa55 for use with CCP on R3.
b. Enable the HTTP server on R3.
c. Add user Admin01 to the local database with a privilege level of 15, and a password of Admin01pa55.
d. Configure local database authentication of HTTP sessions.

Step 2: Access CCP and discover R3. From PC-C run CCP and access R3.

Step 3: Use the CCP VPN wizard to configure R3. Use the Quick Setup option to configure the R3 side of the site-to-site VPN.

Step 4: Configure basic VPN connection information settings.
a. Specify R3 S0/0/1 as the interface for the connection and R1 interface S0/0/0 as the remote peer static IP address.
b. Specify the pre-shared VPN key cisco12345.
c. Encrypt traffic between the R3 LAN and the R1 Loopback 1 simulated LAN.

Step 5: Generate a mirror configuration from R3 and apply it to R1.
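The CLI equivalent of the Quick Setup tunnel described in Steps 4 and 5, on R3 and its mirror on R1 (an added example, not the handout's own configuration; the ISAKMP/IPsec proposal values and the ACL, transform-set and crypto map names are assumptions, since the wizard chooses its own):

```cisco
! Added example (not the handout's own config): CLI equivalent of the CCP Quick
! Setup tunnel for Part 3. Peers, key and protected networks are the lab's; the
! proposal values and the ACL/transform-set/crypto map names are assumptions.
!
! --- R3 (tunnel interface S0/0/1, peer = R1 S0/0/0 at 10.100.1.1) ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key cisco12345 address 10.100.1.1
crypto ipsec transform-set VPN-TS esp-3des esp-sha-hmac
! Interesting traffic: R3 LAN <-> R1 Loopback 1 simulated LAN
access-list 110 permit ip 172.31.30.0 0.0.0.255 172.21.10.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.100.1.1
 set transform-set VPN-TS
 match address 110
interface Serial0/0/1
 crypto map VPN-MAP
!
! --- R1 mirror (Step 5): same isakmp policy and transform set as above,
! with the peer address and the ACL direction reversed ---
crypto isakmp key cisco12345 address 10.200.2.1
access-list 110 permit ip 172.21.10.0 0.0.0.255 172.31.30.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.200.2.1
 set transform-set VPN-TS
 match address 110
interface Serial0/0/0
 crypto map VPN-MAP
! Check: ping 172.21.10.1 from PC-C to trigger the tunnel, then
! show crypto isakmp sa / show crypto ipsec sa (encaps and decaps counters rise)
```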


a. Configure a Basic firewall with Fa0/1 interface as the Inside interface and S0/0/1 as the Outside interface.
b. Use the Low Security setting, and complete the Firewall wizard.

Step 2: Verify Firewall functionality.
a. From PC-C, ping external router R2. The pings should be successful.
b. From external router R2, ping PC-C. The pings should NOT be successful.

If using CLI:

Step 1: Configure a ZPF Firewall on R3 using CLI.
a. Access the R3 router with username (%ADIN% (unreadable in the source), password ciscoccnas and the enable secret password of ciscoclass.
b. On the R3 router, create the firewall zones. Create an internal zone named B(+IN+5ON- and an external zone named B(+O6T+5ON- (the zone names are unreadable in the source; they end in -IN-ZONE and -OUT-ZONE).
c. Define a traffic class and access list. Create an ACL (ACL %%1, number unreadable in the source) to permit all protocols from the 172.31.30.0/24 network to any destination. Create a class map using the option of class map type inspect with the match-all keyword.

…2.168.200.2). R2 Lo1 cannot ping the PC-C in the R3 office (172.31.30.3).

The PC-C in the R3 office can establish an SSH connection to the R1 router with the username SSHAccess and password ciscosshaccess. If you get the R1# prompt, then your configuration is correct.
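The CLI version of Step 1 as one working configuration, including the policy map and zone pair that the step list above stops short of (an added example, not the handout's; the zone, class map, policy map and zone pair names and the ACL number 101 are assumptions, because the handout's names are unreadable in the source):

```cisco
! Added example (not the handout's own config): ZPF on R3 by CLI.
! Networks and interfaces are the lab's; the ACL number and the zone,
! class-map, policy-map and zone-pair names are assumptions.
! b. Security zones
zone security IN-ZONE
zone security OUT-ZONE
! c. Traffic class: everything sourced from the R3 LAN
access-list 101 permit ip 172.31.30.0 0.0.0.255 any
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
! Policy: stateful inspection of LAN-originated traffic, so that return
! traffic is admitted; anything else crossing the pair is dropped
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
 class class-default
  drop
! The zone pair exists only for inside -> outside. Outside-originated traffic
! (R2 pinging PC-C) matches no zone pair and is dropped, as Step 2b expects.
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
! Assign interfaces: Fa0/1 = inside, S0/0/1 = outside
interface FastEthernet0/1
 zone-member security IN-ZONE
interface Serial0/0/1
 zone-member security OUT-ZONE
! Check while PC-C pings R2 or opens SSH to R1:
! show policy-map type inspect zone-pair sessions
```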

Task 2: Configure IPS on R3 Using CCP or CLI.

Step 1: Prepare router R3 and the TFTP server. To configure Cisco IOS IPS 5.x, the IOS IPS signature package file and public crypto key files must be available on the PC with the TFTP server installed. R3 uses PC-C as the TFTP server. Check with your instructor if these files are not on the PC.
a. Verify that the IOS-Sxxx-CLI.pkg signature package file is in the default TFTP folder. The xxx is the version number and varies depending on which file was downloaded from Cisco.com.
b. Verify that the realm-cisco.pub.key.txt file is available and note its location on PC-C.
c. Verify or create the IPS directory, ipsdir, in router flash on R3.

Note: For router R3, the IPS signature (.xml) files in the flash:/ipsdir/ directory should have been deleted and the directory removed prior to starting the SBCL. The files must be deleted from the directory in order to remove it.

Note: If the ipsdir directory is listed and there are files in it, contact your instructor. This directory must be empty before configuring IPS. If there are no files in it you may proceed to configure IPS.


If using CCP:

Step 2: Access CCP and discover R3 (if required). Specify Admin01 as the username and Admin01pa55 as the password.

Step 3: Use the CCP IPS wizard to configure IPS.
a. Launch the IPS wizard and apply the IPS rule in the inbound direction for Serial0/0/1.
b. Specify the signature file with a URL and use TFTP to retrieve the file from PC-C.
c. Name the public key file realm-cisco.pub.
d. Copy the text from the public key file to the CCP IPS wizard.
e. Specify the flash:/ipsdir/ directory name as the location to store the signature information.
f. Choose the basic category.
g. Complete the wizard.

If using CLI:

Step 2: Configure an IOS IPS on the R3 Router.
a. On the R3 router, create a directory in flash named ipsdir.
b. Configure the IPS signature storage location to be flash:ipsdir.
c. Create an IPS rule named R3ips.
d. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.
e. Apply the IPS rule in the inbound direction for Serial0/0/1.
f.
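Steps 2a to 2e of the CLI path as one R3 configuration (an added example, not the handout's own; the TFTP source 172.31.30.3 is PC-C's address from the addressing table, the public key body is a placeholder to be pasted from realm-cisco.pub.key.txt, and xxx stays the package version):

```cisco
! Added example (not the handout's own config): IOS IPS 5.x on R3 by CLI (Steps 2a-2e).
! Directory, rule name, categories and interface are the lab's; the TFTP source
! 172.31.30.3 (PC-C) comes from the addressing table; the key body is a placeholder.
! a. Signature storage directory
mkdir flash:ipsdir
! Public key used to verify the signature package: paste the key-string lines
! from realm-cisco.pub.key.txt in place of the placeholder line
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   <hex key body from realm-cisco.pub.key.txt>
  quit
! b. and c. Storage location and IPS rule
ip ips config location flash:ipsdir
ip ips name R3ips
! d. Retire every signature, then unretire only the ios_ips basic category
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
! e. Apply the rule inbound on the outside serial link
interface Serial0/0/1
 ip ips R3ips in
! Load the signature package from PC-C (xxx = package version number)
copy tftp://172.31.30.3/IOS-Sxxx-CLI.pkg idconf
! Check: show ip ips configuration ; show ip ips signatures count
```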


Task 3: Configure Port Security and Disable Unused Ports.

Step 1: Configure basic port security for the S1 access port. Use the default port security options (set maximum

…2.168.100.1. The pings should be successful.

Step 3: Configure and verify access to the ASA from the inside network.
a. Configure the ASA to accept HTTPS connections and to allow access to ASDM

…15.20.234 and mask 255.255.255.248.

Step 4: Configure DHCP, address translation and administrative access.
a. Enable the DHCP server on the Inside Interface and specify a starting IP address of 192.168.100.5 and ending IP address of 192.168.100.30. Enter the DNS server 1 address of 10.3.3.3 and domain name ccnasecurity.com.
b. Configure the ASA to use port address translation (PAT) using the IP address of the outside interface.
c. Add Telnet access to the ASA for the inside network 192.168.100.0 with a subnet mask of 255.255.255.0. Add SSH access to the ASA from host 172.31.30.3 on the outside network.

Step 5: Test Telnet access to the ASA.
a. From a command prompt or GUI Telnet client on PC-B, Telnet to the ASA inside interface at IP address 192.168.100.1.
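Steps 3 to 5 as ASA CLI commands (an added example, not the handout's; it assumes ASA 8.4-style object NAT, ASDM access granted to the inside network 192.168.100.0/24 since that part of Step 3 is cut off above, and the admin/cisco123 user that the handout's later Step 4 creates for SSH access):

```cisco
! Added example (not the handout's own config): ASA 5505 CLI for Steps 3-5.
! Address ranges, DNS, domain and access sources are the lab's; 8.4-style object
! NAT and ASDM access from the inside network 192.168.100.0/24 are assumptions.
! Step 3: HTTPS server for ASDM, reachable only from the inside network
http server enable
http 192.168.100.0 255.255.255.0 inside
! Step 4a: DHCP pool on the inside interface
dhcpd address 192.168.100.5-192.168.100.30 inside
dhcpd dns 10.3.3.3
dhcpd domain ccnasecurity.com
dhcpd enable inside
! Step 4b: PAT every inside address to the outside interface address
object network INSIDE-NET
 subnet 192.168.100.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Step 4c: Telnet only from the inside LAN, SSH only from PC-C on the outside.
! SSH also needs an RSA key and a local user (admin/cisco123 from the later Step 4).
telnet 192.168.100.0 255.255.255.0 inside
ssh 172.31.30.3 255.255.255.255 outside
ssh version 2
crypto key generate rsa modulus 1024
username admin password cisco123 privilege 15
aaa authentication ssh console LOCAL
! Step 5 check from PC-B: telnet 192.168.100.1 ; on the ASA: show xlate, show conn
```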

Task 3: Configuring ASA Settings from the ASDM Configuration


…previously enabled so you should be prompted with a user authentication login dialog box from the R2 GUI device manager. Exit the browser.

Step 4: Configure for SSH client access.
a. Create a new user named admin with a password of cisco123. Allow this user Full access (ASD

…2.168.100.3 (simulating a web server).

Step 5: Verify VPN access from the remote host. Open the browser on PC-C and enter the login URL for the SSL VPN into the address field (https://69.15.20.34). The Logon window should appear. Enter the previously configured user name VPNuser and password remote and click Logon to continue. The Web Portal window should display.
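The CLI equivalent of the ASDM Clientless SSL VPN wizard whose result Step 5 verifies (an added example, not the handout's; the group policy and tunnel group names are assumptions, and the bookmark to the 192.168.100.3 web server is created in ASDM, so it is not shown):

```cisco
! Added example (not the handout's own config): CLI equivalent of the ASDM
! Clientless SSL VPN wizard for Part 7. The outside interface and VPNuser/remote
! are the lab's; policy and tunnel-group names are assumptions. The bookmark to
! 192.168.100.3 is made in ASDM and is not shown here.
webvpn
 enable outside
 tunnel-group-list enable
group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
 vpn-tunnel-protocol ssl-clientless
! Local user that the Logon page accepts
username VPNuser password remote
username VPNuser attributes
 vpn-group-policy SSLVPN-GP
 service-type remote-access
! Connection profile selectable on the Logon page via its alias
tunnel-group SSLVPN-TG type remote-access
tunnel-group SSLVPN-TG general-attributes
 default-group-policy SSLVPN-GP
tunnel-group SSLVPN-TG webvpn-attributes
 group-alias SSLVPN enable
! Step 5 check from PC-C: https://69.15.20.34 shows the Logon page; after login,
! on the ASA: show vpn-sessiondb webvpn
```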
