Topology :

Introduction
In this practice Packet Tracer Skills Based Assessment, you will do as follows:

Configure basic device hardening and secure network management

Configure an ASA firewall to implement security policies

Configure ACLs to filter network traffic

Configure devices to protect against STP attacks and to enable broadcast storm control

Configure port security and disable unused switch ports

Configure an IOS IPS

Configure a ZBF to implement security policies

Configure a site-to-site IPsec VPN

Addressing Table
Device

Internet

CORP

Interface

IP Address

Subnet Mask

Gateway

DNS server

S0/0/0

209.165.200.225

255.255.255.252

n/a

n/a

S0/0/1

192.31.7.1

255.255.255.252

n/a

n/a

S0/1/0

198.133.219.1

255.255.255.252

n/a

n/a

Gi0/0

192.135.250.1

255.255.255.0

n/a

n/a

S0/0/0

209.165.200.226

255.255.255.252

n/a

n/a

Gi0/0

209.165.200.254

255.255.255.240

n/a

n/a

VLAN 1

192.168.1.1

255.255.255.0

n/a

VLAN 2

209.165.200.253

255.255.255.240

n/a

VLAN 3

10.1.1.254

255.255.255.0

n/a

Gi0/0

192.168.1.2

255.255.255.0

n/a

Gi0/1.10

172.16.10.254

255.255.255.0

n/a

Gi0/1.25

172.16.25.254

255.255.255.0

n/a

Gi0/1.99

172.16.99.254

255.255.255.0

n/a

S0/0/0

198.133.219.2

255.255.255.252

n/a

n/a

Gi0/0

198.133.219.62

255.255.255.224

n/a

n/a

CORP-ASA

Internal

Branch

Interface

IP Address

Subnet Mask

Gateway

DNS server

S0/0/0

192.31.7.2

255.255.255.252

n/a

n/a

Gi0/0

192.31.7.62

255.255.255.224

n/a

n/a

Public Svr

NIC

192.135.250.5

255.255.255.0

192.135.250.1

n/a

External Web
Svr

NIC

192.31.7.35

255.255.255.224

192.31.7.62

192.135.250.5

External PC

NIC

192.31.7.33

255.255.255.224

192.31.7.62

192.135.250.5

Internal-DNS Svr

NIC

172.16.25.2

255.255.255.0

172.16.25.254

10.1.1.5

NTP/Syslog Svr

NIC

209.165.200.252

255.255.255.240

209.165.200.254

DMZ DNS Svr

NIC

10.1.1.5

255.255.255.0

10.1.1.254

192.135.250.5

DMZ Web Svr

NIC

10.1.1.2

255.255.255.0

10.1.1.254

10.1.1.5

PC0

NIC

172.16.10.5

255.255.255.0

172.16.10.254

172.16.25.2

PC1

NIC

172.16.10.10

255.255.255.0

172.16.10.254

172.16.25.2

Net Admin

NIC

172.16.25.5

255.255.255.0

172.16.25.254

172.16.25.2

Admin PC

NIC

198.133.219.35

255.255.255.224

198.133.219.62

192.135.250.5

Device
External

Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been
properly implemented.

Step 1: Configure Basic Device Hardening for the CORP Router.

a.Configure the CORP router to accept only passwords with a minimum length of 10 characters.
b.Configure an encrypted privileged level password of ciscoclass.
c.Enable password encryption for all clear text passwords in the configuration file.
d.Configure the console line and all vty lines 0 to 15 with the following requirements:
Note: CORP is already configured with the username CORPADMINand the secret password
Ciscoccnas.
use the local database for login
disconnect after being idle for 20 minutes
e.Disable the CDP protocol only on the link to the Internet router.

Step 2: Configure Secure Network Management for the CORP Router.

a.Enable the CORP router as follows:
as an NTP client to the NTP/Syslog server
to update the router calendar (hardware clock) from the NTP time source
to timestamp log messages
to send logging messages to the NTP/Syslog server
b.Configure the CORP router to accept SSH connections. Use the following guidelines:
Note: CORP is already configured with the username SSHAccess and the secret password
ciscosshaccess.
domain name is theccnas.com
RSA encryption key pair using a modulus of 1024
SSH version 2, timeout of 90 seconds, and 2 authentication retries
allvty lines accept only SSH connections
c.Configure the CORP router with AAA server-based authentication and verify its functionality:
Note: The AAA server is already configured with RADIUS service, a username CORPSYS and the
password LetSysIn. The key for the client to access the AAA server is corpradius.
AAA authentication using the AAA server as the default for console line and vty lines 0 to 4
access. The local database is used as a backup method in case the AAA server cannot be
connected.

Step 3: Configure Device Hardening for Switch1.

a.Access Switch1 with username CORPADMIN, password Ciscoccnas, and the enable secret password
of ciscoclass.
b.Enable storm control for broadcasts on GigabitEthernet0/1 with a 50 percent rising suppression level.
c.Configure Switch1 to protect against STP attacks.
Configure PortFast on Fast Ethernet ports 0/1 to 0/24.
Enable BPDU guard on Fast Ethernet ports 0/1 to 0/24.
d.Configure port security and disable unused ports.
Set the maximum number of learned MAC addresses to 2 on Fast Ethernet ports 0/1 to 0/24.
Allow the MAC address to be learned dynamically and then stored in the running config.
Shutdown the port if a violation occurs.
Disable unused ports (Fa0/2-4, Fa0/6-10, Fa0/13-24).

Step 4: Configure an IOS IPS on the CORP Router.

Note: On the CORP router, a directory in flash named ipsdir has already been created.
a.Configure the IPS signature storage location to be flash:ipsdir.
b.Create an IPS rule named corpips.
c.Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the
ios_ips basic category.
d.Apply the IPS rule to the Gi0/0 interface outbound.
e.Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig0);
enable the signature; modify the signature event-action to produce an alert and to deny packets that
match the signature.
f.Verify that IPS is working properly, that Public DNS/WEB/FTP Svr in the External network cannot ping
AAA server, but that AAA server, however, can ping Public DNS/WEB/FTP Svr.

Step 5: Configure CORP-ASA to Implement the Security Policy.

a.Access CORP-ASA and enter the privileged mode with the enable password of Ciscoccnas.
b.Configure the domain name as theccnas.com.
c.Configure the inside, outside, and dmz interfaces with the following information
VLAN 1 - IP address 192.168.1.1/24, nameifinside, security-level 100, assign to E0/1
VLAN 2 - IP address 209.165.200.253/28, nameifoutside, security-level 0, assign to E0/0
VLAN 3 - IP address 10.1.1.254/24, nameifdmz, security-level 70, assign to E0/2
Enable interfaces
d.Configure a static default route with the next hop address of the CORP router
e.Configure NAT for both inside and dmz network
Create an object inside-nat with subnet 192.168.1.0/24 and enable the IP addresses of the hosts
in the Internal network to be dynamically translated to access the External network using the
outside interface
Create an object dmz-dns-server to statically translate the DNS server in DMZ to the public IP
Create an object dmz-web-server to statically translate the web server in DMZ to the public IP
f.Modify the default MPF application inspection global service policy to enable hosts in the Internal network
to access the web servers on the Internet
Create a class inspection_default that matches default-inspection-traffic
Create a policy-map global_policy and specify the inspect http
Attach the policy map globally to all interfaces
g.Configure an ACL to allow access to the DMZ servers from the Internet. The ACL will also allow icmp
echo-reply traffic from the Internet to enter the CORP-ASA
Create, apply, and verify an extended named ACL (named OUTSIDE-TO-DMZ) to filter incoming
traffic to the CORP-ASA. The ACL should be created in the order specified in the following
guidelines (Please note, the order of ACL statements is significant only because of the
scoring need in Packet Tracer.):
1.HTTP traffic is allowed to DMZ Web Svr.
2.DNS traffic (both TCP and UDP) is allowed to DMZ DNS Server (two separate ACEs)
3.ICMP Echo-reply traffic is allowed to DMZ
4.FTP traffic from the Branch administrator workstation is allowed to DMZ Web Server.
5.The ACL should contain five ACEs
6.Verify ASA configurations. Both Net Admin PC and DMZ Web Svr can access the website
www.externalone.com. Admin PC can access the website www.theccnas.com. Admin PC
can also establish an FTP connection to www.theccnas.com, with the username cisco and
the password cisco.

Step 6: Configure ACLs on the CORP Router to Implement the Security Policy.
a.Create ACL 12 to implement the security policy regarding the access to the vty lines so that only users
connecting from Net Admin and Admin PC are allowed access to the vty lines.
b.Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet
into the CORP router. The ACL should be created in the order specified in the following guidelines
(Please note, the order of ACL statements is significant only because of the scoring need in
Packet Tracer.):
1.Allow HTTP traffic to the DMZ Web Server.
2.Allow DNS traffic (both TCP and UDP) to the DMZ DNS Server (two separate ACEs).
3.Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on
the CORP router.
4.Allow IP traffic from the Branch router serial interface into the CORP router serial interface.
5.Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the
CORP site (209.165.200.240/28).
6.Allow echo-reply and host-unreachable traffic from the Internet
7.Allow return TCP traffic from the Internet with the destination of 209.165.200.240/28
c.To verify the INCORP ACL, complete the following tests:
Net Admin PC in the Internal network can access the URL http://www.externalone.com;

Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the
username CORPSYS and password LetSysIn. If the password does not work, you may try the
backup username SSHAccess and password ciscosshaccess defined in the local database.
External User cannot establish an SSH connection to the CORP router (209.165.200.226).

Step 7: Configure a Zone-Based Policy Firewall on the Branch Router.

a.Access the Branch router with username CORPADMIN, password Ciscoccnasand the enable secret
password of ciscoclass.
b.On the Branch router, create the firewall zones.
Create an internal zone named BR-IN-ZONE.
Create an external zone named BR-OUT-ZONE.
c.Define a traffic class and access list.
Create an ACL 110 to permit all protocols from the 198.133.219.32/27 network to any destination.
Create a class map using the option of class map type inspect with the match-all keyword.
Match the ACL 110 and name the class map BR-IN-CLASS-MAP.
d.Specify firewall policies.
Create a policy map named BR-IN-OUT-PMAP.
Use the BR-IN-CLASS-MAP class map.
Specify the action of inspect for this policy map.
e.Apply the firewall.
Create a pair of zones named IN-OUT-ZPAIR with the source as BR-IN-ZONE and destination as
BR-OUT-ZONE.
Specify the policy map BR-IN-OUT-PMAP for handling the traffic between the two zones.
Assign interfaces to the appropriate security zones.
f.Verify the ZBF configuration.
The Admin PC in the Branch office can access the URLs http://www.theccnas.com and
http://www.externalone.com.
The Admin PC in the Branch office can ping the External PC (192.31.7.33).
External User cannot ping the Admin PC in the Branch office (198.133.219.35).
The Admin PC in Branch office can establish an SSH connection to the CORP router with the
username CORPSYS and password LetSysIn. If the password does not work, you may try the
backup username SSHAccess and password ciscosshaccess defined in the local database.

Step 8: Configure a Site-to-Site IPsec VPN between the CORP router and the Branch
Router.
The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2 Policy:
ISAKMP Phase 1 Policy Parameters
ISAKMP Phase 2 Policy Parameters
Key Distribution
Method

ISAKMP

Parameters

CORP Router

Branch Router

Encryption Algorithm

AES

Transform Set
Name

VPN-SET

VPN-SET

Number of Bits

256

Transform Set

esp-3des
esp-sha-hmac

esp-3des
esp-sha-hmac

Hash Algorithm

SHA-1

Peer Host Name

Branch

CORP

Authentication
Method

Pre-share

Peer IP Address

198.133.219.2

209.165.200.226

Key Exchange

DH 2

Encrypted Network

209.165.200.240/28

198.133.219.32/27

IKE SA Lifetime

86400

Crypto Map Name

VPN-MAP

VPN-MAP

ISAKMP Key

Vpnpass101

SA Establishment

ipsec-isakmp

ipsec-isakmp

a.Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic
is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).
b.Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy is 10. Refer to
the ISAKMP Phase 1 Policy Parameters Table for the specific details needed.

c.Configure the ISAKMP Phase 2 properties on the CORP router. Refer to the ISAKMP Phase 2 Policy
Parameters Table for the specific details needed.
d.Bind the VPN-MAP crypto map to the outgoing interface.
e.Configure IPsec parameters on the Branch router using the same parameters as on the CORP router.
Note that interesting traffic is defined as theIP traffic from the two LANs.
f.Verify the VPN configuration. From the Admin PC, establish an FTP session to www.theccnas.com, using
the username cisco and password cisco. Also on Admin PC, visit the website www.theccnas.com. On
the Branch or CORP router, check that the packets are encrypted.