
Cisco CCNA Security Packet Tracer SBA Step 1 a) CORP(config)# security passwords min-length 10 b) CORP(config)# enable secret ciscoclass

c) CORP(config)# service password-encryption d) CORP(config)# line con 0 CORP(config-line)# login local CORP(config-line)# exec-timeout 20 CORP(config)# line vty 0 4 CORP(config-line)# login local CORP(config-line)# exec-timeout 20 e) CORP(config)# interface s0/0/0
CORP(config-if)# no cdp enable

Step 2 a) b)
CORP(config)# ip domain-name theccnas.com CORP(config)# crypto key generate rsa general-keys modulus 1024 CORP(config)# ip ssh version 2 CORP(config)# ip ssh time-out 90 CORP(config)# ip ssh authentication-retries 2 CORP(config)# line vty 0 4 CORP(config-line)# no transport input telnet CORP(config-line)# transport input ssh CORP(config)# aaa new-model CORP(config)# aaa authentication login default local CORP(config)# line vty 0 4 CORP(config-line)# login authentication default CORP(config)# line con 0 CORP(config-line)# login authentication default CORP(config)# ntp server 172.16.25.2 CORP(config)# ntp update-calendar CORP(config)# service timestamps log datetime msec CORP(config)# logging host 172.16.25.2 CORP(config)# logging on

c)

Step 3 a) b) Switch1(config)# interface f0/24


Switch1(config-if)# storm-control broadcast level 50

c)
Switch1(config)# interface range f0/1 - 23

d)

Switch1(config-if-range)# spanning-tree portfast Switch1(config-if-range)# spanning-tree bpduguard enable Switch1(config-if-range)# switchport mode access Switch1(config-if-range)# switchport port-security Switch1(config-if-range)# switchport port-security maximum 2 Switch1(config-if-range)# switchport port-security mac-address sticky Switch1(config-if-range)# switchport port-security violation shutdown Switch1(config)# interface range f0/2 - 5 Switch1(config-if)# shutdown Switch1(config)# interface range f0/7 - 10 Switch1(config-if)# shutdown Switch1(config)# interface range f0/13 - 23 Switch1(config-if)# shutdown

Step 4 a) b) c) d)
CORP# mkdir ipsdir CORP(config)# ip ips config location flash:ipsdir CORP(config)# ip ips name corpips CORP(config)# ip ips signature-category CORP(config-ips-category)# category all CORP(config-ips-category-action)# retired true CORP(config-ips-category-action)# exit CORP(config-ips-category)# category ios_ips basic CORP(config-ips-category-action)# retired false CORP(config-ips-category-action)# exit CORP(config-ips-category)# exit CORP(config-if)# ip ips corpips out

e) CORP(config)# interface f0/0 f)


CORP(config)# ip ips signature-definition CORP(config-sigdef)# signature 2004 0 CORP(config-sigdef-sig)# status CORP(config-sigdef-sig-status)# retired false CORP(config-sigdef-sig-status)# enabled true CORP(config-sigdef-sig-status)# exit CORP(config-sigdef-sig)# engine CORP(config-sigdef-sig-engine)# event-action produce-alert CORP(config-sigdef-sig-engine)# event-action deny-packet-inline CORP(config-sigdef-sig-engine)# exit CORP(config-sigdef-sig)# exit CORP(config-sigdef)# exit DMZ Web Srv> ping 172.16.25.5

g) Net Admin> ping 10.1.1.2 Step 5 a) CORP(config)# access-list 12 permit host 172.16.25.5
CORP(config)# access-list 12 permit host 198.133.219.35 CORP(config)# line vty 0 4 CORP(config-line)# access-class 12 in

b) CORP(config)# ip access-list extended DMZFIREWALL

1.

CORP(config-ext-nacl)# permit tcp any host 10.1.1.2 eq www CORP(config-ext-nacl)# permit udp any host 10.1.1.5 eq domain

2. CORP(config-ext-nacl)# permit tcp any host 10.1.1.5 eq domain 3. CORP(config-ext-nacl)# permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255

4. CORP(config-ext-nacl)# permit tcp 198.133.219.32 0.0.0.31 host 10.1.1.2 eq ftp CORP(config-ext-nacl)# exit CORP(config)# interface f0/0 CORP(config-if)# ip access-group DMZFIREWALL out

c) Testing (Admin PC station cannot access http://www.theccnas.com, but it can access http://209.165.200.241), ping can resolve theccnas.com to 209.165.200.241 d) CORP(config)# ip access-list extended INCORP
1. CORP(config-ext-nacl)# permit tcp any host 209.165.200.241 eq www CORP(config-ext-nacl)# permit udp any host 209.165.200.242 eq domain

2. CORP(config-ext-nacl)# permit tcp any host 209.165.200.242 eq domain 3. CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host 209.165.200.226 eq 22

or
CORP(config-ext-nacl)# permit tcp 198.133.219.32 0.0.0.31 host 209.165.200.226 eq 22

4. CORP(config-ext-nacl)# permit ip host 198.133.219.2 host 209.165.200.226 5. CORP(config-ext-nacl)# permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15 CORP(config-ext-nacl)# exit CORP(config)# interface s0/0/0 CORP(config-if)# ip access-group INCORP in

e) Testing f) CORP(config)# ip inspect name INTOCORP icmp


CORP(config)# ip inspect name INTOCORP tcp CORP(config)# ip inspect name INTOCORP udp CORP(config)# interface s0/0/0 CORP(config-if)# ip inspect INTOCORP out CORP(config)# interface f0/0 CORP(config-if)# ip inspect INTOCORP out

g) CORP(config)# ip inspect audit-trail

Step 6 a) b) c)
Branch(config)# access-list 110 permit ip 198.133.219.32 0.0.0.31 any Branch(config)# class-map type inspect match-all BR-IN-CLASS-MAP Branch(config)# zone security BR-IN-ZONE Branch(config-sec-zone)# exit Branch(config)# zone security BR-OUT-ZONE Branch(config-sec-zone)# exit

Branch(config-cmap)# match access-group 110

d) e)
Branch(config)# zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE Branch(config-sec-zone-pair)# service-policy type inspect BR-IN-OUT-PMAP Branch(config)# interface s0/0/0 Branch(config-if)# zone-member security BR-OUT-ZONE Branch(config)# interface f0/0 Branch(config-if)# zone-member security BR-IN-ZONE Branch(config)# policy-map type inspect BR-IN-OUT-PMAP Branch(config-pmap)# class type inspect BR-IN-CLASS-MAP Branch(config-pmap-c)# inspect

Step 7 a) CORP(config)# access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31

b) CORP(config)# crypto isakmp policy 10


CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)# encryption aes 256
CORP(config-isakmp)# group 2
CORP(config-isakmp)# hash sha
CORP(config-isakmp)# lifetime 86400
CORP(config-isakmp)# exit
CORP(config)# crypto isakmp key Vpnpass101 address 198.133.219.2

c) CORP(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac

CORP(config)# crypto map VPN-MAP 10 ipsec-isakmp
CORP(config-crypto-map)# match address 120
CORP(config-crypto-map)# set peer 198.133.219.2
CORP(config-crypto-map)# set transform-set VPN-SET

d) CORP(config)# interface s0/0/0


CORP(config)# crypto map VPN-MAP

e) Branch(config)# access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15 Branch(config)# crypto isakmp policy 10 Branch(config-isakmp)# authentication pre-share Branch(config-isakmp)# encryption aes 256 Branch(config-isakmp)# group 2 Branch(config-isakmp)# hash sha Branch(config-isakmp)# lifetime 86400 Branch(config-isakmp)# exit Branch(config)# crypto isakmp key Vpnpass101 address 209.165.200.226 Branch(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac Branch(config)# crypto map VPN-MAP 10 ipsec-isakmp Branch(config-crypto-map)# match address 120 Branch(config-crypto-map)# set peer 209.165.200.226 Branch(config-crypto-map)# set transform-set VPN-SET Branch(config)# interface s0/0/0 Branch(config)# crypto map VPN-MAP

f)

CORP# write CORP# reload Branch# write Branch# reload

g) CORP# show crypto ipsec sa
