
CCNA Security Packet Tracer Practice SBA

This post is about the CCNA Security Packet Tracer Skills Based Assessment (SBA) practice. I would like to share with all of you the answers for this CCNA Security SBA. This CCNA Security SBA practice was contributed by Viktorcsn with a 100% solution. I hope that, with the answers for the CCNA Security SBA provided, it will be a guideline for all of us to understand this CCNA Security practice better. Below are the questions and answers for the CCNA Security Packet Tracer SBA practice.

In this practice Packet Tracer Skills Based Assessment, you will:


- configure basic device hardening and secure network management
- configure a CBAC firewall to implement security policies
- configure devices to protect against STP attacks and to enable broadcast storm control
- configure port security and disable unused switch ports
- configure an IOS IPS
- configure a ZPF to implement security policies
- configure a site-to-site IPsec VPN

Addressing Table

Device             Interface   IP Address        Subnet Mask       Gateway          DNS Server
Internet           S0/0/0      209.165.200.225   255.255.255.252   n/a              n/a
Internet           S0/0/1      192.31.7.1        255.255.255.252   n/a              n/a
Internet           S0/1/0      198.133.219.1     255.255.255.252   n/a              n/a
Internet           Fa0/0       192.135.250.1     255.255.255.0     n/a              n/a
CORP               S0/0/0      209.165.200.226   255.255.255.252   n/a              n/a
CORP               Fa0/0       10.1.1.254        255.255.255.0     n/a              n/a
CORP               Fa0/1.10    172.16.10.254     255.255.255.0     n/a              n/a
CORP               Fa0/1.25    172.16.25.254     255.255.255.0     n/a              n/a
CORP               Fa0/1.99    172.16.99.254     255.255.255.0     n/a              n/a
Branch             S0/0/0      198.133.219.2     255.255.255.252   n/a              n/a
Branch             Fa0/0       198.133.219.62    255.255.255.224   n/a              n/a
External           S0/0/0      192.31.7.2        255.255.255.252   n/a              n/a
External           Fa0/0       192.31.7.62       255.255.255.224   n/a              n/a
Public Svr         NIC         192.135.250.5     255.255.255.0     192.135.250.1    n/a
External Web Svr   NIC         192.31.7.35       255.255.255.224   192.31.7.62      192.135.250.5

Device             Interface   IP Address        Subnet Mask       Gateway          DNS Server
External PC        NIC         192.31.7.33       255.255.255.224   192.31.7.62      192.135.250.5
NTP/Syslog Svr     NIC         172.16.25.2       255.255.255.0     172.16.25.254    10.1.1.5
DMZ DNS Svr        NIC         10.1.1.5          255.255.255.0     10.1.1.254       192.135.250.5
DMZ Web Svr        NIC         10.1.1.2          255.255.255.0     10.1.1.254       10.1.1.5
PC0                NIC         172.16.10.5       255.255.255.0     172.16.10.254    10.1.1.5
PC1                NIC         172.16.10.10      255.255.255.0     172.16.10.254    10.1.1.5
Net Admin          NIC         172.16.25.5       255.255.255.0     172.16.25.254    10.1.1.5
Admin PC           NIC         198.133.219.35    255.255.255.224   198.133.219.62   192.135.250.5
PCB1               NIC         198.133.219.40    255.255.255.224   198.133.219.62   192.135.250.5

Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.

Step 1. Configure Basic Device Hardening for the CORP Router.

a. Configure the CORP router to only accept passwords with a minimum length of 10 characters.

    CORP(config)# security passwords min-length 10

b. Configure an encrypted privileged level password of ciscoclass.

    CORP(config)# enable secret ciscoclass

c. Enable password encryption for all clear text passwords in the configuration file. (This is type 7 obfuscation, not real encryption; it only stops shoulder-surfing of the config. The enable secret above is hashed, which is why it is the one that matters.)

    CORP(config)# service password-encryption

d. Configure the console port and all vty lines with the following requirements:
   Note: CORP is already configured with the username CORPADMIN and the secret password ciscoccnas.
   - use the local database for login
   - disconnect after being idle for 20 minutes

    CORP(config)# line console 0
    CORP(config-line)# login local
    CORP(config-line)# exec-timeout 20 0
    CORP(config-line)# line vty 0 4
    CORP(config-line)# login local
    CORP(config-line)# exec-timeout 20 0
    CORP(config-line)# line vty 5 15
    CORP(config-line)# login local
    CORP(config-line)# exec-timeout 20 0

e. Disable the CDP protocol only on the link to the Internet router.

    CORP(config)# interface s0/0/0
    CORP(config-if)# no cdp enable

Step 2. Configure Secure Network Management for the CORP Router.

a. Enable the CORP router:
   - as an NTP client to the NTP/Syslog server
   - to update the router calendar (hardware clock) from the NTP time source
   - to timestamp log messages
   - to send logging messages to the NTP/Syslog server

    CORP(config)# ntp server 172.16.25.2
    CORP(config)# ntp update-calendar
    CORP(config)# service timestamps log datetime msec
    CORP(config)# logging host 172.16.25.2

b. Configure the CORP router to accept SSH connections. Use the following guidelines:
   Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess.
   - domain name is theccnas.com
   - RSA encryption key pair using a modulus of 1024
   - SSH version 2, timeout of 90 seconds, and 2 authentication retries
   - all vty lines accept only SSH connections

    CORP(config)# ip domain-name theccnas.com
    CORP(config)# crypto key generate rsa
    How many bits in the modulus [512]: 1024
    CORP(config)# ip ssh version 2
    CORP(config)# ip ssh time-out 90
    CORP(config)# ip ssh authentication-retries 2
    CORP(config)# line vty 0 4
    CORP(config-line)# transport input ssh
    CORP(config-line)# line vty 5 15
    CORP(config-line)# transport input ssh
    CORP(config-line)# exit

   The 1024-bit modulus is what this assessment specifies; on production gear use at least 2048 bits, and note that ip ssh version 2 is only accepted once the RSA key exists.

c. Configure the CORP router with AAA authentication and verify its functionality:
   - AAA authentication using the local database as the default for console line and vty lines access

    CORP(config)# aaa new-model
    CORP(config)# aaa authentication login default local
    CORP(config)# aaa authorization exec default local
    CORP(config)# line vty 0 4
    CORP(config-line)# login authentication default
    CORP(config-line)# line vty 5 15
    CORP(config-line)# login authentication default
    CORP(config-line)# line con 0
    CORP(config-line)# login authentication default
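Once Steps 1 and 2 are in place, the quickest way to catch a missed item is to audit the saved running-config rather than re-read it by hand. The script below is an added example, not part of the original post or of the assessment: it checks a running-config for exactly the commands these two steps require (password minimum length, service password-encryption, enable secret, AAA, SSH version 2, per-line login and exec-timeout, SSH-only vty lines, and CDP disabled on the Internet-facing interface). The two configs embedded in it are constructed for the example, and the constant, function and finding-code names are the example's own.

```python
"""Audit a saved IOS running-config for the Step 1 and Step 2 hardening items.

Added example (not part of the original post or the assessment). Only the
commands the post uses are checked; the sample configs at the bottom are
constructed for this example and the constants are the SBA's values.
"""
import re

MIN_PASSWORD_LENGTH = 10          # Step 1a
MAX_IDLE_MINUTES = 20             # Step 1d
WAN_INTERFACE = "Serial0/0/0"     # Step 1e: the link to the Internet router


def parse_config(text):
    """Return (top_level_lines, blocks); blocks maps a section header such as
    'line vty 0 4' or 'interface Serial0/0/0' to its indented child commands."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


def _first(lines, prefix):
    return next((l for l in lines if l.startswith(prefix)), None)


def audit(config_text):
    """Return a list of (code, detail) findings; an empty list means compliant."""
    top, blocks = parse_config(config_text)
    findings = []
    m = re.match(r"security passwords min-length (\d+)",
                 _first(top, "security passwords min-length") or "")
    if not m or int(m.group(1)) < MIN_PASSWORD_LENGTH:
        findings.append(("min-length", "password minimum length below %d" % MIN_PASSWORD_LENGTH))
    if "service password-encryption" not in top:
        findings.append(("password-encryption", "clear-text passwords are not obfuscated"))
    if not _first(top, "enable secret"):
        findings.append(("enable-secret", "no hashed enable secret (an 'enable password' is reversible)"))
    if "aaa new-model" not in top:
        findings.append(("aaa-new-model", "AAA is not enabled"))
    if "ip ssh version 2" not in top:
        findings.append(("ssh-version", "SSH version 2 is not enforced"))
    for header, body in blocks.items():
        if not header.startswith(("line con", "line vty")):
            continue
        if not any(l.startswith(("login local", "login authentication")) for l in body):
            findings.append(("login", header + ": no local or AAA login"))
        timeout = _first(body, "exec-timeout")
        if timeout:                       # absent means the 10-minute IOS default
            parts = timeout.split()[1:]
            minutes = int(parts[0])
            seconds = int(parts[1]) if len(parts) > 1 else 0
            # 'exec-timeout 0 0' switches the idle timer off entirely
            if (minutes == 0 and seconds == 0) or minutes > MAX_IDLE_MINUTES:
                findings.append(("exec-timeout", header + ": idle timeout off or above %d min" % MAX_IDLE_MINUTES))
        if header.startswith("line vty") and "transport input ssh" not in body:
            findings.append(("transport", header + ": vty lines accept protocols other than SSH"))
    if "no cdp enable" not in blocks.get("interface " + WAN_INTERFACE, []):
        findings.append(("cdp", WAN_INTERFACE + ": CDP still advertises the router toward the Internet"))
    return findings


# Constructed sample configs: one that satisfies Steps 1 and 2, one with common slips.
COMPLIANT_CONFIG = """\
hostname CORP
security passwords min-length 10
service password-encryption
aaa new-model
aaa authentication login default local
enable secret 5 <hash-omitted>
ip domain-name theccnas.com
ip ssh version 2
!
interface Serial0/0/0
 ip address 209.165.200.226 255.255.255.252
 no cdp enable
!
line con 0
 exec-timeout 20 0
 login authentication default
line vty 0 4
 exec-timeout 20 0
 login authentication default
 transport input ssh
line vty 5 15
 exec-timeout 20 0
 login authentication default
 transport input ssh
"""

WEAK_CONFIG = """\
hostname CORP
security passwords min-length 6
enable password cisco
ip ssh version 1
!
interface Serial0/0/0
 ip address 209.165.200.226 255.255.255.252
!
line con 0
 exec-timeout 0 0
 login local
line vty 0 4
 login local
 transport input all
"""

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Feed it the output of show running-config (copied from the Packet Tracer CLI) to get a finding per missed requirement; the exec-timeout check treats 0 0 as a finding because that value disables the idle timer rather than setting it to zero.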

Step 3. Configure Device Hardening for Switch1.

a. Access Switch1 with username CORPADMIN, password ciscoccnas, and the enable secret password of ciscoclass.

b. Enable storm control for broadcasts on FastEthernet 0/24 with a 50 percent rising suppression level.

    SW1(config)# interface fa0/24
    SW1(config-if)# storm-control broadcast level 50

c. Configure Switch1 to protect against STP attacks.
   - Configure PortFast on FastEthernet ports 0/1 to 0/23.
   - Enable BPDU guard on FastEthernet ports 0/1 to 0/23.

    SW1(config)# interface range fa0/1-23
    SW1(config-if-range)# spanning-tree portfast
    SW1(config-if-range)# spanning-tree bpduguard enable

d. Configure port security and disable unused ports.
   - Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/23. Allow the MAC address to be learned dynamically and shut down the port if a violation occurs.

    SW1(config)# interface range fa0/1-23
    SW1(config-if-range)# switchport port-security
    SW1(config-if-range)# switchport port-security maximum 2
    SW1(config-if-range)# switchport port-security violation shutdown
    SW1(config-if-range)# switchport port-security mac-address sticky

   If the switch rejects switchport port-security because a port is in dynamic mode, put the range into switchport mode access first; port security is only accepted on static access or trunk ports. The sticky keyword writes the learned addresses into the running-config, so save the configuration afterwards or they are lost on reload.

   - Disable unused ports (Fa0/2-5, Fa0/7-10, Fa0/13-23).

    SW1(config)# interface range fa0/2-5
    SW1(config-if-range)# shutdown
    SW1(config)# interface range fa0/7-10
    SW1(config-if-range)# shutdown
    SW1(config)# interface range fa0/13-23
    SW1(config-if-range)# shutdown
    SW1(config-if-range)# end
    SW1# copy running-config startup-config

Step 4. Configure an IOS IPS on the CORP Router.

a. On the CORP router, create a directory in flash named ipsdir.

    CORP# mkdir ipsdir

b. Configure the IPS signature storage location to be flash:ipsdir.

    CORP(config)# ip ips config location flash:ipsdir/ retries 1

c. Create an IPS rule named corpips.

    CORP(config)# ip ips name corpips

d. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.

    CORP(config)# ip ips signature-category
    CORP(config-ips-category)# category all
    CORP(config-ips-category-action)# retired true
    CORP(config-ips-category-action)# exit
    CORP(config-ips-category)# category ios_ips basic
    CORP(config-ips-category-action)# retired false
    CORP(config-ips-category-action)# exit
    CORP(config-ips-category)# exit
    Do you want to accept these changes? [confirm] <Enter>

e. Apply the IPS rule to the Fa0/0 interface.

    CORP(config)# interface fa0/0
    CORP(config-if)# ip ips corpips out

f. Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0); enable the signature; modify the signature event-action to produce an alert and to deny packets that match the signature.

    CORP(config)# ip ips signature-definition
    CORP(config-sigdef)# signature 2004 0
    CORP(config-sigdef-sig)# status
    CORP(config-sigdef-sig-status)# retired false
    CORP(config-sigdef-sig-status)# enabled true
    CORP(config-sigdef-sig-status)# exit
    CORP(config-sigdef-sig)# engine
    CORP(config-sigdef-sig-engine)# event-action produce-alert
    CORP(config-sigdef-sig-engine)# event-action deny-packet-inline
    CORP(config-sigdef-sig-engine)# exit
    CORP(config-sigdef-sig)# exit
    CORP(config-sigdef)# exit
    Do you want to accept these changes? [confirm] <Enter>
    CORP(config)# exit

g. Verify that IPS is working properly. Net Admin in the internal network cannot ping DMZ Web Svr. DMZ Web Svr, however, can ping Net Admin. This is the expected asymmetry: the rule inspects only traffic leaving Fa0/0 toward the DMZ, so echo requests into the DMZ are dropped while echo requests originating in the DMZ never pass through it.

Step 5. Configure ACLs and CBAC on the CORP Router to Implement the Security Policy.

a. Create ACL 12 to implement the security policy regarding the access to the vty lines:

   - Only users connecting from Net Admin and Admin PC are allowed access to the vty lines.

    CORP(config)# access-list 12 permit host 172.16.25.5
    CORP(config)# access-list 12 permit host 198.133.219.35
    CORP(config)# line vty 0 4
    CORP(config-line)# access-class 12 in
    CORP(config-line)# line vty 5 15
    CORP(config-line)# access-class 12 in

b. Create, apply, and verify an extended named ACL (named DMZFIREWALL) to filter incoming traffic to the DMZ. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer. On a real router the order matters whenever entries overlap, because evaluation stops at the first match and every ACL ends with an implicit deny.):
   1. HTTP traffic is allowed to DMZ Web Svr.
   2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Svr.
   3. All traffic from 172.16.25.0/24 is allowed to enter the DMZ.
   4. FTP traffic from the Branch administrator workstation is allowed to DMZ Web Svr.

    CORP(config)# ip access-list extended DMZFIREWALL
    CORP(config-ext-nacl)# permit tcp any host 10.1.1.2 eq www
    CORP(config-ext-nacl)# permit tcp any host 10.1.1.5 eq domain
    CORP(config-ext-nacl)# permit udp any host 10.1.1.5 eq domain
    CORP(config-ext-nacl)# permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255
    CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp
    CORP(config-ext-nacl)# exit
    CORP(config)# interface fa0/0
    CORP(config-if)# ip access-group DMZFIREWALL out

c. To verify the DMZFIREWALL ACL, complete the following tests:
   - Admin PC in the branch office can access the URL http://www.theccnas.com;
   - Admin PC can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco;
   - PCB1 cannot open an FTP session to the DMZ Web Svr;
   - Net Admin can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco;
   - PC1 cannot open an FTP session to the DMZ Web Svr.

d. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.):
   1. Allow HTTP traffic to the DMZ Web Svr.
   2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Svr.
   3. Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on the CORP router.
   4. Allow IP traffic from the Branch router serial interface into the CORP router serial interface.
   5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP site (209.165.200.240/28).

   The first two entries use the addresses from the CORP public range (209.165.200.241 and .242) rather than the DMZ servers' 10.1.1.x addresses, because that is how the servers are reached from the Internet side of S0/0/0. Entry 4 is what lets the IPsec traffic from the Branch router (Step 7) reach CORP.

    CORP(config)# ip access-list extended INCORP
    CORP(config-ext-nacl)# permit tcp any host 209.165.200.241 eq www
    CORP(config-ext-nacl)# permit tcp any host 209.165.200.242 eq domain
    CORP(config-ext-nacl)# permit udp any host 209.165.200.242 eq domain
    CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
    CORP(config-ext-nacl)# permit ip host 198.133.219.2 host 209.165.200.226
    CORP(config-ext-nacl)# permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
    CORP(config-ext-nacl)# exit
    CORP(config)# interface s0/0/0
    CORP(config-if)# ip access-group INCORP in

e. To verify the INCORP ACL, complete the following tests:
   - Admin PC in the branch office can access the URL http://www.theccnas.com;
   - Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the username SSHAccess and password ciscosshaccess;
   - PCB1 cannot establish an SSH connection to the CORP router (209.165.200.226);
   - External PC cannot establish an SSH connection to the CORP router (209.165.200.226).

f. Create and apply a CBAC inspection rule (named INTOCORP) to inspect ICMP, TCP, and UDP traffic between the CORP internal network and any other network.

    CORP(config)# ip inspect name INTOCORP icmp
    CORP(config)# ip inspect name INTOCORP tcp
    CORP(config)# ip inspect name INTOCORP udp

g. Enable CBAC audit messages to be sent to the syslog server.

    CORP(config)# ip inspect audit-trail
    CORP(config)# interface s0/0/0
    CORP(config-if)# ip inspect INTOCORP out

   Inspecting outbound on S0/0/0 is what makes the inbound INCORP ACL workable: CBAC records each session leaving CORP and dynamically opens the return path for its replies, so INCORP only has to list the connections that may be initiated from outside.

h. Verify the CBAC firewall configuration.
   - PC1 can access the External Web Svr (www.externalone.com).
   - PC1 can establish an SSH connection to the External router with username SSHadmin and password ciscosshpa55.
   - Admin PC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess.
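To reason about the two ACLs before pointing Packet Tracer at them, it helps to run the verification tests against the rule lists as a router would. The following is an added example, not part of the original post: a small first-match evaluator for the IOS extended ACL syntax used above, loaded with DMZFIREWALL and INCORP as written. It models only what a stateless ACL sees (protocol, source, destination, destination port) and ignores NAT, CBAC return-traffic openings and the interface direction, so it answers whether the ACL by itself permits a given packet; the packet tuples, protocol numbers and helper names are the example's own.

```python
"""First-match evaluator for the Step 5 extended ACLs (DMZFIREWALL and INCORP).

Added example, not part of the original post. It handles the subset of IOS
extended ACL syntax the page uses: permit/deny, ip/icmp/tcp/udp, 'any',
'host A.B.C.D', 'A.B.C.D wildcard', and 'eq <port>'. It is stateless: NAT,
CBAC/ZPF session state and interface direction are not modelled, so the
answer is "does this ACL, on its own, permit this packet?".
"""
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "ssh": 22, "telnet": 23}
PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # None matches any protocol


def _network(tokens, i):
    """Parse an address spec starting at tokens[i]; return (IPv4Network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    if wildcard & (wildcard + 1):
        raise ValueError("non-contiguous wildcard masks are not handled: " + tokens[i + 1])
    prefix = 32 - wildcard.bit_length()        # 0.0.0.31 -> /27, 0.0.0.15 -> /28
    return ipaddress.ip_network((tokens[i], prefix), strict=False), i + 2


def parse_acl(lines):
    """Turn ACL entries (in configured order) into rule dicts."""
    rules = []
    for line in lines:
        t = line.split()
        src, i = _network(t, 2)
        dst, i = _network(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append({"action": t[0], "proto": PROTOCOLS[t[1]],
                      "src": src, "dst": dst, "dport": dport, "text": line})
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, index_of_matching_rule); index None means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, r in enumerate(rules):
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], idx
    return "deny", None


# The two ACLs exactly as configured in Step 5b and 5d (DMZFIREWALL is applied
# outbound on Fa0/0 toward the DMZ, INCORP inbound on S0/0/0 from the Internet).
DMZFIREWALL = parse_acl([
    "permit tcp any host 10.1.1.2 eq www",
    "permit tcp any host 10.1.1.5 eq domain",
    "permit udp any host 10.1.1.5 eq domain",
    "permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp",
])
INCORP = parse_acl([
    "permit tcp any host 209.165.200.241 eq www",
    "permit tcp any host 209.165.200.242 eq domain",
    "permit udp any host 209.165.200.242 eq domain",
    "permit tcp host 198.133.219.35 host 209.165.200.226 eq 22",
    "permit ip host 198.133.219.2 host 209.165.200.226",
    "permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15",
])

# Constructed packets mirroring the verification tests in Step 5c and 5e
# (proto 6 = TCP, 50 = ESP carrying the Branch router's IPsec traffic).
VERIFICATION = [
    ("Admin PC FTP to DMZ Web Svr",  DMZFIREWALL, 6,  "198.133.219.35", "10.1.1.2", 21),
    ("PCB1 FTP to DMZ Web Svr",      DMZFIREWALL, 6,  "198.133.219.40", "10.1.1.2", 21),
    ("Net Admin FTP to DMZ Web Svr", DMZFIREWALL, 6,  "172.16.25.5",    "10.1.1.2", 21),
    ("PC1 FTP to DMZ Web Svr",       DMZFIREWALL, 6,  "172.16.10.10",   "10.1.1.2", 21),
    ("Admin PC SSH to CORP",         INCORP,      6,  "198.133.219.35", "209.165.200.226", 22),
    ("PCB1 SSH to CORP",             INCORP,      6,  "198.133.219.40", "209.165.200.226", 22),
    ("External PC SSH to CORP",      INCORP,      6,  "192.31.7.33",    "209.165.200.226", 22),
    ("Branch router ESP to CORP",    INCORP,      50, "198.133.219.2",  "209.165.200.226", None),
]


def run_verification():
    """Return {test_name: (action, matching_rule_text_or_None)}."""
    out = {}
    for name, acl, proto, src, dst, dport in VERIFICATION:
        action, idx = evaluate(acl, proto, src, dst, dport)
        out[name] = (action, acl[idx]["text"] if idx is not None else None)
    return out


if __name__ == "__main__":
    for name, (action, rule) in run_verification().items():
        print("%-30s %-6s %s" % (name, action, rule or "(implicit deny)"))
```

The output shows why PCB1 fails the SSH test even though its subnet appears in INCORP: entry 6 only permits the Branch LAN to reach 209.165.200.240/28, and the router's own address 209.165.200.226 lies outside that range, so only the Admin PC's explicit entry 4 opens port 22.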

Step 6. Configure a Zone-Based Policy Firewall on the Branch Router.

a. Access the Branch router with username CORPADMIN, password ciscoccnas and the enable secret password of ciscoclass.

b. On the Branch router, create the firewall zones.
   - Create an internal zone named BR-IN-ZONE.
   - Create an external zone named BR-OUT-ZONE.

    Branch(config)# zone security BR-IN-ZONE
    Branch(config-sec-zone)# exit
    Branch(config)# zone security BR-OUT-ZONE
    Branch(config-sec-zone)# exit

c. Define a traffic class and access list.
   - Create an ACL (ACL 110) to permit all protocols from the 198.133.219.32/27 network to any destination.

    Branch(config)# access-list 110 permit ip 198.133.219.32 0.0.0.31 any

   - Create a class map using the option of class map type inspect with the match-all keyword. Match the ACL 110 and name the class map BR-IN-CLASS-MAP.

    Branch(config)# class-map type inspect match-all BR-IN-CLASS-MAP
    Branch(config-cmap)# match access-group 110

d. Specify firewall policies.
   - Create a policy map named BR-IN-OUT-PMAP. Use the BR-IN-CLASS-MAP class map. Specify the action of inspect for this policy map.

    Branch(config)# policy-map type inspect BR-IN-OUT-PMAP
    Branch(config-pmap)# class type inspect BR-IN-CLASS-MAP
    Branch(config-pmap-c)# inspect

e. Apply the firewall.
   - Create a pair of zones named IN-OUT-ZPAIR with the source as BR-IN-ZONE and destination as BR-OUT-ZONE.

    Branch(config)# zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE

   - Specify the policy map BR-IN-OUT-PMAP for handling the traffic between the two zones.

    Branch(config-sec-zone-pair)# service-policy type inspect BR-IN-OUT-PMAP

   - Assign interfaces to the appropriate security zones.

    Branch(config)# interface fa0/0
    Branch(config-if)# zone-member security BR-IN-ZONE
    Branch(config-if)# interface s0/0/0
    Branch(config-if)# zone-member security BR-OUT-ZONE

   Only one zone pair (inside to outside) is defined. Traffic between two zones that have no zone pair and policy is dropped, so sessions started from the Internet toward the Branch LAN are blocked while replies to inspected inside-initiated sessions are let back in; that is the behaviour the tests below check. Traffic to and from the router itself belongs to the self zone and is not affected, which is why the IPsec tunnel configured in Step 7 still terminates on S0/0/0.

f. Verify the ZPF configuration.
   - The Admin PC in the Branch office can access the URLs http://www.theccnas.com and http://www.externalone.com.
   - The Admin PC in the Branch office can ping the External PC (192.31.7.33).
   - External PC cannot ping the Admin PC in the Branch office (198.133.219.35).
   - The Admin PC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess. If you get the CORP> prompt, then your configuration is correct.

Step 7. Configure a Site-to-Site IPsec VPN between the CORP Router and the Branch Router.

The following tables list the parameters for the ISAKMP Phase 1 policy and the IPsec Phase 2 policy:

ISAKMP Phase 1 Policy Parameters

Parameter                  Value
Key Distribution Method    ISAKMP
Encryption Algorithm       AES
Number of Bits             256
Hash Algorithm             SHA-1
Authentication Method      Pre-share
Key Exchange               DH 2
IKE SA Lifetime            86400
ISAKMP Key                 Vpnpass101

IPsec Phase 2 Policy Parameters

Parameter            CORP Router              Branch Router
Transform Set Name   VPN-SET                  VPN-SET
Transform Set        esp-3des esp-sha-hmac    esp-3des esp-sha-hmac
Peer Host Name       Branch                   CORP
Peer IP Address      198.133.219.2            209.165.200.226
Encrypted Network    209.165.200.240/28       198.133.219.32/27
Crypto Map Name      VPN-MAP                  VPN-MAP
SA Establishment     ipsec-isakmp             ipsec-isakmp

These are the algorithms the assessment grades. 3DES, SHA-1 and DH group 2 are deprecated for new production tunnels, where AES with SHA-2 and DH group 14 or stronger should be used.

a. Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).

    CORP(config)# access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31

b. Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters table for the specific details needed.

    CORP(config)# crypto isakmp policy 10
    CORP(config-isakmp)# encryption aes 256
    CORP(config-isakmp)# authentication pre-share
    CORP(config-isakmp)# group 2
    CORP(config-isakmp)# lifetime 86400
    CORP(config-isakmp)# hash sha
    CORP(config-isakmp)# exit
    CORP(config)# crypto isakmp key Vpnpass101 address 198.133.219.2

c. Configure the IPsec Phase 2 properties on the CORP router. Refer to the IPsec Phase 2 Policy Parameters table for the specific details needed.

    CORP(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
    CORP(config)# crypto map VPN-MAP 10 ipsec-isakmp
    CORP(config-crypto-map)# set peer 198.133.219.2
    CORP(config-crypto-map)# set transform-set VPN-SET
    CORP(config-crypto-map)# match address 120
    CORP(config-crypto-map)# exit

d. Bind the VPN-MAP crypto map to the outgoing interface.

    CORP(config)# interface s0/0/0
    CORP(config-if)# crypto map VPN-MAP
    CORP(config-if)# end

e. Configure IPsec parameters on the Branch router using the same parameters as on the CORP router. Note that interesting traffic is defined as the IP traffic between the two LANs, so the Branch ACL must be the mirror image of the CORP ACL (source and destination swapped).

    Branch(config)# access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
    Branch(config)# crypto isakmp policy 10
    Branch(config-isakmp)# encryption aes 256
    Branch(config-isakmp)# authentication pre-share
    Branch(config-isakmp)# group 2
    Branch(config-isakmp)# lifetime 86400
    Branch(config-isakmp)# hash sha
    Branch(config-isakmp)# exit
    Branch(config)# crypto isakmp key Vpnpass101 address 209.165.200.226
    Branch(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
    Branch(config)# crypto map VPN-MAP 10 ipsec-isakmp
    Branch(config-crypto-map)# set peer 209.165.200.226
    Branch(config-crypto-map)# set transform-set VPN-SET
    Branch(config-crypto-map)# match address 120
    Branch(config-crypto-map)# exit
    Branch(config)# interface s0/0/0
    Branch(config-if)# crypto map VPN-MAP
    Branch(config-if)# end

f. Save the running-config, then reload both the CORP and Branch routers.

    CORP# copy running-config startup-config
    Branch# copy running-config startup-config

g. Verify the VPN configuration by conducting an FTP session with the username cisco and the password cisco from the Admin PC to the DMZ Web Svr. On the Branch router, check that the packets are encrypted (show crypto ipsec sa should show the encrypt and decrypt counters increasing). To exit the FTP session, type quit.

That's all. I'm not sure which version this Packet Tracer activity is, since it's not mine. This CCNA Security SBA was contributed by Viktorcsn. Either it's version 1.0 or version 1.1. However, I noticed that this SBA practice has been published and shared on some websites. I'm not sure if this practice will be helpful to all of you guys, but I just try to spread it so that maybe someone in need may get this resource more easily. So finally, thank you to Viktorcsn for the contribution. If you guys have the latest version of CCNA Security or anything to share that will benefit all of us, please do not hesitate to drop me an email. Hope it will bring success to all of us. Thank You
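Most site-to-site IPsec failures in a setup like Step 7 come from the two sides not being mirror images: a Phase 1 attribute that differs, a pre-shared key bound to the wrong address, or a crypto ACL that is not the reverse of its peer's. The script below is an added example, not part of the original post: it transcribes the CORP and Branch settings from Step 7 into dictionaries and runs the pre-flight checks a practitioner does before reloading the routers, including an emulation of how ISAKMP picks the first initiator policy (lowest priority number) whose encryption, hash, authentication and DH group match one of the responder's, with lifetime allowed to differ because IOS uses the shorter value. The dictionary layout, helper names and the mistyped-group failure case are the example's own.

```python
"""Pre-flight checks for the Step 7 site-to-site IPsec VPN.

Added example (not from the original post). The CORP and BRANCH dictionaries
transcribe the page's configuration; the layout and helper names are this
example's own. ISAKMP policy selection follows IOS: the initiator's policies
are tried in priority order and the first one whose encryption, hash,
authentication and DH group all match a responder policy wins; lifetime need
not match, the shorter of the two is used.
"""
import copy

PHASE1_FIELDS = ("encryption", "hash", "authentication", "group")

CORP = {
    "wan_ip": "209.165.200.226",
    "isakmp": {10: {"encryption": "aes 256", "hash": "sha", "authentication": "pre-share",
                    "group": 2, "lifetime": 86400}},
    "psk": {"key": "Vpnpass101", "address": "198.133.219.2"},
    "transform_set": ("esp-3des", "esp-sha-hmac"),
    "peer": "198.133.219.2",
    "crypto_acl": "permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31",
}

BRANCH = {
    "wan_ip": "198.133.219.2",
    "isakmp": {10: {"encryption": "aes 256", "hash": "sha", "authentication": "pre-share",
                    "group": 2, "lifetime": 86400}},
    "psk": {"key": "Vpnpass101", "address": "209.165.200.226"},
    "transform_set": ("esp-3des", "esp-sha-hmac"),
    "peer": "209.165.200.226",
    "crypto_acl": "permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15",
}


def negotiate_isakmp(initiator, responder):
    """Return (initiator_priority, responder_priority, agreed_lifetime) or None."""
    for ipri, ipol in sorted(initiator.items()):
        for rpri, rpol in sorted(responder.items()):
            if all(ipol[f] == rpol[f] for f in PHASE1_FIELDS):
                return ipri, rpri, min(ipol["lifetime"], rpol["lifetime"])
    return None


def mirror_acl(entry):
    """Swap source and destination of a 'permit ip SRC WC DST WC' crypto ACL entry."""
    t = entry.split()
    if t[:2] != ["permit", "ip"] or len(t) != 6:
        raise ValueError("only 'permit ip src wc dst wc' entries are handled: " + entry)
    return " ".join(["permit", "ip", t[4], t[5], t[2], t[3]])


def preflight(a, b):
    """Return the list of problems that would stop a tunnel between routers a and b."""
    problems = []
    if negotiate_isakmp(a["isakmp"], b["isakmp"]) is None:
        problems.append("isakmp: no phase 1 policy in common")
    if a["psk"]["key"] != b["psk"]["key"]:
        problems.append("psk: pre-shared keys differ")
    if a["psk"]["address"] != b["wan_ip"] or b["psk"]["address"] != a["wan_ip"]:
        problems.append("psk: key is bound to the wrong peer address")
    if a["peer"] != b["wan_ip"] or b["peer"] != a["wan_ip"]:
        problems.append("peer: 'set peer' does not point at the other router")
    if set(a["transform_set"]) != set(b["transform_set"]):
        problems.append("ipsec: transform sets differ")
    if mirror_acl(a["crypto_acl"]) != b["crypto_acl"]:
        problems.append("acl: crypto ACLs are not mirror images")
    return problems


def broken_branch(group=5):
    """A copy of BRANCH whose phase 1 DH group was mistyped (constructed failure case)."""
    b = copy.deepcopy(BRANCH)
    b["isakmp"][10]["group"] = group
    return b


if __name__ == "__main__":
    print("CORP <-> Branch:", preflight(CORP, BRANCH) or "OK")
    print("CORP <-> Branch with DH group 5 typo:", preflight(CORP, broken_branch()))
```

A second, lower-priority policy on CORP (priority 20) that happens to match the mistyped Branch side would still bring the tunnel up, but with the weaker parameters, which is why leftover test policies on a production router deserve the same review as the intended one.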
