
Name: Max Vasic
Student ID: 0947481
Lecturer: F.Mentiplay
Box Hill Institute of TAFE

Design a Secure Network
Case Study 2
ICT 219 – Network Security

Case Study - Design a Secure Network

Diagram & IP Addressing

IPSec VPN (Site to Site) – IPsec allows data to be transmitted securely over an untrusted
network such as the public Internet. A site-to-site VPN tunnel is configured between R1 and
R3. All traffic between network 192.168.1.0/24 and network 192.168.3.0/24 is encrypted and
authenticated before it crosses the networks in between (R2 in this design). The traffic is
selected by the crypto ACL (access-list 101): any packet leaving R1 whose source and
destination addresses match that ACL is encrypted and then placed inside a new packet with
its own IP header, addressed from R1's serial interface (10.1.1.1) to R3's (10.2.2.2). This
is tunnel-mode encapsulation: the routers in between see only ESP between the two public
addresses and never the private addresses or the payload. The transform set
(esp-aes 256 esp-sha-hmac) provides AES-256 for confidentiality and HMAC-SHA-1 for
integrity, and the ISAKMP policy negotiates the session keys after the peers authenticate
each other with a pre-shared key. The key cisco123 and the password cisco in the print-outs
are lab placeholders; in production a long random pre-shared key (or certificates) and
distinct per-device credentials should be used. Once interesting traffic has been sent,
show crypto isakmp sa and show crypto ipsec sa on either router confirm that the phase 1
and phase 2 security associations are up.
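To make the encapsulation concrete, the following Go program (an added example, not part of the original case study and not Cisco code) builds an inner packet from 192.168.1.10 to 192.168.3.10, wraps it in ESP tunnel mode between 10.1.1.1 and 10.2.2.2 using the same algorithms as transform set 50 (AES-256-CBC with HMAC-SHA1-96), and unwraps it at the far end after checking the integrity value, the way R3 would. The SPI, keys, host addresses and ICMP payload are constructed lab values; in the real tunnel the SPI and keys are negotiated by ISAKMP, and the type and function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Outer IP protocol 50 (ESP), next-header 4 (an IPv4 packet inside, i.e. tunnel mode),
// AES-CBC IV size, and the ICV length: esp-sha-hmac is HMAC-SHA1-96 (20-byte tag cut to 12).
const protoESP, nextIPv4, ivLen, icvLen = 50, 4, aes.BlockSize, 12

// SA is one direction of an IPsec security association (constructed keys and SPI here;
// in the real tunnel they come out of the ISAKMP phase 2 negotiation).
type SA struct {
	SPI     uint32
	blk     cipher.Block // AES-256 (esp-aes 256)
	AuthKey []byte       // 20 bytes for HMAC-SHA1 (esp-sha-hmac)
	seq     uint32       // sequence number of the last packet sent
}

func NewLabSA() *SA {
	blk, err := aes.NewCipher(bytes.Repeat([]byte{0x11}, 32)) // constructed 256-bit key
	if err != nil {
		panic(err)
	}
	return &SA{SPI: 0x1000, blk: blk, AuthKey: bytes.Repeat([]byte{0x22}, 20)}
}

// IPv4Header builds a minimal 20-byte IPv4 header (no options, checksum left zero).
func IPv4Header(src, dst string, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto // version/IHL, TTL, protocol
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	copy(h[12:], net.ParseIP(src).To4())
	copy(h[16:], net.ParseIP(dst).To4())
	return h
}

// Encapsulate turns a complete inner IP packet into
//   outer IP (proto 50) | SPI | seq | IV | AES-256-CBC(inner | pad | padlen | next) | ICV
func (sa *SA) Encapsulate(outerSrc, outerDst string, inner []byte) ([]byte, error) {
	padLen := (ivLen - (len(inner)+2)%ivLen) % ivLen // ESP trailer: pad, pad length, next header
	plain := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 4303 default padding 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), nextIPv4)
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(sa.blk, iv).CryptBlocks(ct, plain)
	sa.seq++
	esp := make([]byte, 8, 8+ivLen+len(ct)+icvLen)
	binary.BigEndian.PutUint32(esp, sa.SPI)
	binary.BigEndian.PutUint32(esp[4:], sa.seq)
	esp = append(append(esp, iv...), ct...)
	mac := hmac.New(sha1.New, sa.AuthKey) // the ICV covers SPI, seq, IV and ciphertext
	mac.Write(esp)
	esp = append(esp, mac.Sum(nil)[:icvLen]...)
	return append(IPv4Header(outerSrc, outerDst, protoESP, len(esp)), esp...), nil
}

// Decapsulate is the receiving end: verify the ICV before touching the ciphertext, then decrypt.
func (sa *SA) Decapsulate(pkt []byte) ([]byte, error) {
	ctLen := len(pkt) - 20 - 8 - ivLen - icvLen
	if ctLen < ivLen || ctLen%ivLen != 0 || pkt[9] != protoESP || binary.BigEndian.Uint32(pkt[20:]) != sa.SPI {
		return nil, errors.New("not a well-formed ESP packet for this SA")
	}
	body, icv := pkt[20:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) {
		return nil, errors.New("ICV mismatch: packet altered in transit or wrong key")
	}
	iv, ct := body[8:8+ivLen], body[8+ivLen:]
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(sa.blk, iv).CryptBlocks(plain, ct)
	padLen, next := int(plain[len(plain)-2]), plain[len(plain)-1]
	if next != nextIPv4 || padLen+2 > len(plain) {
		return nil, errors.New("bad ESP trailer")
	}
	return plain[:len(plain)-2-padLen], nil
}

func main() {
	sa := NewLabSA() // one SA object plays both ends of one direction in this demo
	inner := append(IPv4Header("192.168.1.10", "192.168.3.10", 1, 8), 8, 0, 0, 0, 0, 1, 0, 1) // constructed ICMP echo
	wire, _ := sa.Encapsulate("10.1.1.1", "10.2.2.2", inner)
	back, err := sa.Decapsulate(wire)
	fmt.Printf("%d bytes on the wire, inner addresses visible: %v; decapsulated equals original: %v (%v)\n",
		len(wire), bytes.Contains(wire, inner[12:20]), bytes.Equal(back, inner), err)
}
```

The order of operations on the receiving side is the security-relevant part: the ICV is checked over the whole ESP body before any decryption is attempted, so a packet that has been altered on the way, or one protected with a different key, is dropped without ever being decrypted.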

AAA model – AAA (authentication, authorization and accounting) is enabled on R1 with
aaa new-model. The default login method list (aaa authentication login default local)
then applies to every way into the router, for example the console and the VTY lines,
so none of them can be left with only a line password or with no password at all. The
method list also specifies where the username and password are checked: in the router's
local database, as here, or on a remote RADIUS or TACACS+ server, with the local database
normally kept as a fallback in case the server cannot be reached.

SSH – SSH provides secure management sessions to R3. SSH encrypts everything between the
client and the router, including the login credentials and every command, whereas Telnet
sends all of it in plain text where anyone on the path can read it. Generating the RSA key
pair requires a hostname and a domain name to be set first, and transport input ssh on the
VTY lines turns Telnet off entirely. The 1024-bit modulus in the print-out is the lab
minimum; 2048 bits and ip ssh version 2 should be used in practice, since SSH version 1
has known weaknesses. Note that R1's VTY lines have no such restriction and still accept
Telnet, so the same SSH configuration belongs on R1 as well.

ACL Firewall – On Cisco IOS, access control lists are used to protect the router and the
networks behind it from unwanted traffic. An ACL that only denies (deny ip any any) is the
most restrictive firewall possible, but applied to an interface it blocks all wanted traffic
too and makes the router useless. Every ACL already ends with an implicit deny, so the
working approach is the reverse: explicitly permit only what is wanted and let everything
else fall through to the deny. On R1's serial interface, ACL 102 permits inbound only ESP,
AH and ISAKMP (UDP 500) from the peer 10.2.2.2, which is exactly what is needed for the
tunnel to form and carry traffic; everything else arriving from the outside, including
pings to the router from R2, is dropped. The ip inspect ICMP entry on FastEthernet0/1
(CBAC) temporarily opens the return path through that ACL for pings started from the inside
LAN. The crypto ACL 101 has a different purpose: it does not filter at all but selects
which traffic is encrypted.
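The two kinds of ACL on R1 behave differently, and the following Go program (an added example, not part of the original case study and not Cisco code) reproduces the evaluation rules: entries are tried in order, the first match wins, a wildcard-mask bit of 1 means "don't care", and a packet that matches nothing hits the implicit deny at the end. It loads ACL 101 and ACL 102 as they appear in the R1 print-out (with the final entry of ACL 102 written as deny ip any any, the valid IOS form) and runs constructed sample packets through them. The parser, the packet description and the function names are this example's own, not IOS data structures, and it covers only the ACL syntax used on this page.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"strings"
)

// ACE is one entry of an extended ACL: protocol, source and destination with
// wildcard masks, and an optional destination port.
type ACE struct {
	Permit       bool
	Proto        string // "ip" matches every protocol; otherwise esp, ahp, udp, tcp, icmp
	Src, SrcWild uint32
	Dst, DstWild uint32
	DstPort      uint16 // 0 = any port
}

// Packet is the subset of header fields an extended ACL looks at.
type Packet struct {
	Proto    string
	Src, Dst uint32
	DstPort  uint16
}

// IP converts dotted-quad text to a 32-bit integer.
func IP(s string) uint32 { return binary.BigEndian.Uint32(net.ParseIP(s).To4()) }

// MatchWild applies a Cisco wildcard mask: a 1 bit in the mask means "don't care",
// so 192.168.1.0 0.0.0.255 covers the whole /24 and "host" is a mask of 0.0.0.0.
func MatchWild(addr, base, wild uint32) bool { return addr&^wild == base&^wild }

func (e ACE) Matches(p Packet) bool {
	if e.Proto != "ip" && e.Proto != p.Proto {
		return false
	}
	if e.DstPort != 0 && e.DstPort != p.DstPort {
		return false
	}
	return MatchWild(p.Src, e.Src, e.SrcWild) && MatchWild(p.Dst, e.Dst, e.DstWild)
}

// Evaluate walks the list top to bottom, first match wins, and returns the verdict
// with the index of the deciding entry; -1 is the implicit deny at the end.
func Evaluate(acl []ACE, p Packet) (permit bool, entry int) {
	for i, e := range acl {
		if e.Matches(p) {
			return e.Permit, i
		}
	}
	return false, -1
}

// Entry parses one line of IOS extended-ACL syntax such as
// "permit udp host 10.2.2.2 host 10.1.1.1 eq isakmp" (the subset used on this page).
func Entry(line string) ACE {
	f := strings.Fields(line)
	e := ACE{Permit: f[0] == "permit", Proto: f[1]}
	addr := func(i int) (base, wild uint32, next int) {
		switch f[i] {
		case "host":
			return IP(f[i+1]), 0, i + 2
		case "any":
			return 0, 0xffffffff, i + 1
		}
		return IP(f[i]), IP(f[i+1]), i + 2
	}
	var i int
	e.Src, e.SrcWild, i = addr(2)
	e.Dst, e.DstWild, i = addr(i)
	if i+1 < len(f) && f[i] == "eq" {
		e.DstPort = map[string]uint16{"isakmp": 500, "ssh": 22, "telnet": 23}[f[i+1]]
	}
	return e
}

// The two lists from R1: 101 selects tunnel traffic, 102 filters inbound on Serial0/0/0.
var ACL101 = []ACE{Entry("permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255")}
var ACL102 = []ACE{
	Entry("permit esp host 10.2.2.2 host 10.1.1.1"),
	Entry("permit ahp host 10.2.2.2 host 10.1.1.1"),
	Entry("permit udp host 10.2.2.2 host 10.1.1.1 eq isakmp"),
	Entry("deny ip any any"),
}

func main() {
	// Constructed sample packets: two leaving the LAN, four arriving on Serial0/0/0.
	fmt.Println(Evaluate(ACL101, Packet{"icmp", IP("192.168.1.10"), IP("192.168.3.10"), 0})) // true 0: encrypted
	fmt.Println(Evaluate(ACL101, Packet{"tcp", IP("192.168.1.10"), IP("203.0.113.5"), 443})) // false -1: sent in clear
	for _, p := range []Packet{
		{"udp", IP("10.2.2.2"), IP("10.1.1.1"), 500},   // ISAKMP from the peer: permitted
		{"esp", IP("10.2.2.2"), IP("10.1.1.1"), 0},     // tunnel traffic from the peer: permitted
		{"icmp", IP("10.1.1.2"), IP("10.1.1.1"), 0},    // ping from R2: denied
		{"tcp", IP("203.0.113.5"), IP("10.1.1.1"), 23}, // Telnet from the outside: denied
	} {
		fmt.Println(Evaluate(ACL102, p))
	}
}
```

Two things the run makes visible that the print-out does not: the crypto ACL's "deny" is not a drop but "send unencrypted", and ACL 102 never has to name the private networks, because by the time their traffic reaches Serial0/0/0 it is ESP between the two peer addresses.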

Configuration Print-Outs
Router 1
hostname R1
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip inspect ICMP in
no shutdown
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
ip inspect name ICMP icmp
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
crypto map CMAP
ip access-group 102 in
clock rate 64000
no shutdown
!
crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
!
crypto isakmp key cisco123 address 10.2.2.2
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
match address 101
set peer 10.2.2.2
set pfs group5
set transform-set 50
set security-association lifetime seconds 900
!
aaa new-model
username Admin secret cisco
aaa authentication login default local
!
ip access-list extended 102
permit esp host 10.2.2.2 host 10.1.1.1
permit ahp host 10.2.2.2 host 10.1.1.1
permit udp host 10.2.2.2 host 10.1.1.1 eq isakmp
deny ip any any
!
line con 0
line aux 0
line vty 0 4
login authentication default
!
end

Router 2
hostname R2
!
interface Serial0/0/0
ip address 10.1.1.2 255.255.255.252
no shutdown
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
clock rate 64000
no shutdown
!
ip route 192.168.1.0 255.255.255.0 10.1.1.1
ip route 192.168.3.0 255.255.255.0 10.2.2.2
!
line con 0
line aux 0
line vty 0 4
login
!
end

Router 3
hostname R3
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
no shutdown
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
interface Serial0/0/1
ip address 10.2.2.2 255.255.255.252
crypto map CMAP
no shutdown
!
crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
group 5
lifetime 3600
!
crypto isakmp key cisco123 address 10.1.1.1
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
match address 101
set peer 10.1.1.1
set pfs group5
set transform-set 50
set security-association lifetime seconds 900
!
ip domain-name cisco.com
!
username Admin secret cisco
crypto key generate rsa general-keys modulus 1024
!
line con 0
line aux 0
line vty 0 4
transport input ssh
login local
!
end
