c) CORP(config)# service password-encryption d) CORP(config)# line con 0 CORP(config-line)# login local CORP(config-line)# exec-timeout 20 CORP(config)# line vty 0 4 CORP(config-line)# login local CORP(config-line)# exec-timeout 20 e) CORP(config)# interface s0/0/0
CORP(config-if)# no cdp enable
Step 2 a) b)
CORP(config)# ip domain-name theccnas.com CORP(config)# crypto key generate rsa general-keys modulus 1024 CORP(config)# ip ssh version 2 CORP(config)# ip ssh time-out 90 CORP(config)# ip ssh authentication-retries 2 CORP(config)# line vty 0 4 CORP(config-line)# no transport input telnet CORP(config-line)# transport input ssh CORP(config)# aaa new-model CORP(config)# aaa authentication login default local CORP(config)# line vty 0 4 CORP(config-line)# login authentication default CORP(config)# line con 0 CORP(config-line)# login authentication default CORP(config)# ntp server 172.16.25.2 CORP(config)# ntp update-calendar CORP(config)# service timestamps log datetime msec CORP(config)# logging host 172.16.25.2 CORP(config)# logging on
c)
c)
Switch1(config)# interface range f0/1 - 23
d)
Switch1(config-if-range)# spanning-tree portfast Switch1(config-if-range)# spanning-tree bpduguard enable Switch1(config-if-range)# switchport mode access Switch1(config-if-range)# switchport port-security Switch1(config-if-range)# switchport port-security maximum 2 Switch1(config-if-range)# switchport port-security mac-address sticky Switch1(config-if-range)# switchport port-security violation shutdown Switch1(config)# interface range f0/2 - 5 Switch1(config-if-range)# shutdown Switch1(config)# interface range f0/7 - 10 Switch1(config-if-range)# shutdown Switch1(config)# interface range f0/13 - 23 Switch1(config-if-range)# shutdown
Step 4 a) b) c) d)
CORP# mkdir ipsdir CORP(config)# ip ips config location flash:ipsdir CORP(config)# ip ips name corpips CORP(config)# ip ips signature-category CORP(config-ips-category)# category all CORP(config-ips-category-action)# retired true CORP(config-ips-category-action)# exit CORP(config-ips-category)# category ios_ips basic CORP(config-ips-category-action)# retired false CORP(config-ips-category-action)# exit CORP(config-ips-category)# exit CORP(config-if)# ip ips corpips out
g) Net Admin> ping 10.1.1.2 Step 5 a) CORP(config)# access-list 12 permit host 172.16.25.5
CORP(config)# access-list 12 permit host 198.133.219.35 CORP(config)# line vty 0 4 CORP(config-line)# access-class 12 in
1.
CORP(config-ext-nacl)# permit tcp any host 10.1.1.2 eq www CORP(config-ext-nacl)# permit udp any host 10.1.1.5 eq domain
2. CORP(config-ext-nacl)# permit tcp any host 10.1.1.5 eq domain 3. CORP(config-ext-nacl)# permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255
c) Testing (the Admin PC cannot access http://www.theccnas.com, but it can access http://209.165.200.241); ping can resolve theccnas.com to 209.165.200.241 d) CORP(config)# ip access-list extended INCORP
1. CORP(config-ext-nacl)# permit tcp any host 209.165.200.241 eq www CORP(config-ext-nacl)# permit udp any host 209.165.200.242 eq domain
2. CORP(config-ext-nacl)# permit tcp any host 209.165.200.242 eq domain 3. CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
or
CORP(config-ext-nacl)# permit tcp 198.133.219.32 0.0.0.31 host 209.165.200.226 eq 22
4. CORP(config-ext-nacl)# permit ip host 198.133.219.2 host 209.165.200.226 5. CORP(config-ext-nacl)# permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15 CORP(config-ext-nacl)# exit CORP(config)# interface s0/0/0 CORP(config-if)# ip access-group INCORP in
Step 6 a) b) c)
Branch(config)# access-list 110 permit ip 198.133.219.32 0.0.0.31 any Branch(config)# class-map type inspect match-all BR-IN-CLASS-MAP Branch(config)# zone security BR-IN-ZONE Branch(config-sec-zone)# exit Branch(config)# zone security BR-OUT-ZONE Branch(config-sec-zone)# exit
d) e)
Branch(config)# zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE Branch(config-sec-zone-pair)# service-policy type inspect BR-IN-OUT-PMAP Branch(config)# interface s0/0/0 Branch(config-if)# zone-member security BR-OUT-ZONE Branch(config)# interface f0/0 Branch(config-if)# zone-member security BR-IN-ZONE Branch(config)# policy-map type inspect BR-IN-OUT-PMAP Branch(config-pmap)# class type inspect BR-IN-CLASS-MAP Branch(config-pmap-c)# inspect
f)