
R3(config)#router eigrp 101
R3(config-router)#network 192.168.3.0 0.0.0.255
R3(config-router)#network 10.2.2.0 0.0.0.3
R3(config-router)#no auto-summary




Step 5: Configure a static default route on R2.

Router R1 represents a connection to the Internet. A default route is configured on R2 for all traffic whose
destination network does not exist in the R2 routing table.

Note: Without the default route configured on R2, R2 cannot respond to the SDM HTTP connection from
PC-A later in the lab. Because R1 is not part of the EIGRP domain and is not advertising the PC-A LAN,
R2 does not know about the 192.168.1.0/24 network.

a. Configure a static default route on R2 that points to the R1 S0/0/0 interface IP address.
R2(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1
b. Redistribute the static default into EIGRP so that R3 also learns the route.
R2(config)#router eigrp 101
R2(config-router)#redistribute static

Step 6: Configure PC host IP settings.

a. Configure a static IP address, subnet mask, and default gateway for PC-A, as shown in the IP
addressing table.

b. Configure a static IP address, subnet mask, and default gateway for PC-C, as shown in the IP
addressing table.


Step 7: Verify basic network connectivity.

a. Ping from PC-A to the R2 S0/0/0 interface at IP address 10.1.1.2. Are the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.

Note: PC-A should be able to ping external R2 interface S0/0/0 but is not able to ping any of the
internal EIGRP network IP addresses on R2 and R3.

b. Ping from R2 to PC-C on the R3 LAN. Are the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.

Note: If you can ping from R2 to PC-C, you have demonstrated that the EIGRP routing protocol is
configured and functioning correctly. If you cannot ping but the device interfaces are up and IP addresses
are correct, use the show run and show ip route commands to help identify routing protocol-related
problems.


Step 8: Configure a minimum password length.
Note: Passwords in this lab are set to a minimum of 10 characters but are relatively simple for the benefit
of performing the lab. More complex passwords are recommended in a production network.
Use the security passwords command to set a minimum password length of 10 characters.
R1(config)#security passwords min-length 10




Step 9: Configure the basic console and vty lines.

a. Configure a console password and enable login for router R1. For additional security, the exec-timeout
command causes the line to log out after 5 minutes of inactivity. The logging synchronous
command prevents console messages from interrupting command entry.

Note: To avoid repetitive logins during this lab, the exec-timeout can be set to 0 0, which prevents
it from expiring. However, this is not considered a good security practice.
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
b. Configure the password on the vty lines for router R1.
R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
c. Repeat these configurations on both R2 and R3.


Step 10: Encrypt clear text passwords.

a. Use the service password-encryption command to encrypt the console, aux, and vty passwords.

R1(config)#service password-encryption

b. Issue the show run command. Can you read the console, aux, and vty passwords? Why or why not?
_____________________________________

c. Repeat this configuration on both R2 and R3.


Step 11: Save the basic running configuration for all three routers.

Save the running configuration to the startup configuration from the privileged EXEC prompt.
R1#copy running-config startup-config

Part 2. Configuring a Remote Access VPN
In Part 2 of this lab, you configure a remote access IPsec VPN. R2 is configured as an Easy VPN server using
SDM, and the Cisco VPN client is configured on PC-A. The PC-A host simulates an employee connecting
from home over the Internet. Router R1 simulates an Internet ISP router.


Task 1. Prepare R2 for SDM Access and Easy VPN Server Setup

Step 1: Configure the enable secret password and HTTP router access prior to starting SDM.

a. From the CLI, configure the enable secret password for use with SDM on R2.
R2(config)#enable secret cisco12345
b. Enable the HTTP server on R2.
R2(config)#ip http server

c. Create an admin account on R2 with privilege level 15 for use with AAA.
R2(config)#username admin privilege 15 password 0 cisco12345

Step 2: Access SDM and set command delivery preferences.

a. Run the SDM application or open a browser on PC-A and start SDM by entering the R2 S0/0/0 IP address
10.1.1.2 in the address field.

b. Log in with no username and the enable secret password cisco12345.

c. In the Authentication Required dialog box, enter cisco12345 in the Password field and click Yes.

d. If the Cisco IOS IPS login dialog box displays, enter the enable secret password of cisco12345.

e. Select Edit > Preferences to configure SDM to allow you to preview the commands before sending them
to the router. In the User Preferences window, check the Preview commands before delivering to router
check box and click OK.


Task 2. Use the SDM VPN Wizard to Configure the Easy VPN Server

Step 1: Launch the Easy VPN server wizard and configure AAA services.

a. Click the Configure button at the top of the SDM home screen.

b. Click the VPN button under Tasks to view the VPN configuration page.

c. Select Easy VPN Server from the main VPN window, and then click Launch Easy VPN Server
Wizard.

d. The Easy VPN Server wizard checks the router configuration to see if AAA is enabled. If not, the
Enable AAA window displays. AAA must be enabled on the router before the Easy VPN Server
configuration starts. Click Yes to continue with the configuration.

e. If prompted to deliver the configuration to the router, click Deliver.

f. In the Command Delivery Status window, click OK. When the message “AAA has been successfully
enabled on the router” displays, click OK.

g. Now that AAA is enabled, you can start the Easy VPN Server Wizard by clicking the Launch Easy
VPN Server Wizard button. Read through the descriptions of the tasks that the wizard guides you
through.




How does the client receive the IPsec policies? ______________________________________________

How does the Easy VPN remote server configuration differ from the site-to-site?
____________________________________________________________________________________
____________________________________________________________________________________

h. Click Next when you are finished answering the above questions.


Step 2: Configure the virtual tunnel interface and authentication.

a. Select the interface on which the client connections terminate. Click the Unnumbered to radio button,
and select the Serial0/0/0 interface from the pull-down menu.

b. Select Pre-shared Keys for the authentication type and click Next to continue.




Step 3: Select the IKE proposal.

a. In the Internet Key Exchange (IKE) Proposals window, the default IKE proposal is used for R2.




What is the encryption method used with the default IKE policy? ____________

What is the hash algorithm used to ensure that the keys have not been tampered with? __________

b. Click Next to accept the default IKE policy.

Note: Configurations on both sides of the tunnel must match exactly. However, the Cisco VPN client
automatically selects the proper configuration for itself. Therefore, no IKE configuration is necessary on
the client PC.


Step 4: Select the transform set.

a. In the Transform Set window, the SDM default transform set is used. What is the ESP
encryption method used with the default transform set? ________________




b. Click Next to accept the default transform set.


Step 5: Specify group authorization and group policy lookup.

a. In the Group Authorization and Group Policy Lookup window, select the Local option because a
RADIUS server is not available.




b. Click Next to create a new AAA method list for the group policy lookup that uses the local router
database.


Step 6: Configure User Authentication (XAuth).

a. In the User Authentication (XAuth) window, you can specify whether user information is stored on an
external server, such as a RADIUS server, in the local database, or both. Check the Enable User Authentication
check box and accept the default of Local Only.




Where does the router look for valid user accounts and passwords to authenticate remote VPN users
when they attempt to log in? _________________________________________________________

b. Click the Add User Credentials button. In the User Accounts window, you can view currently defined
users or add new users. What is the name of the user currently defined, and what is the user privilege
level? ________________________

How was this user defined? ___________________________

c. In the User Accounts window, click the Add button to add another user. Enter the username user01
with a password of user01pass, and select the check box for encrypting the password using the MD5
hash algorithm. Leave the privilege level at 1.

What is the range of privilege levels that can be set for a user? __________________




d. Click OK to accept the user01 entries, and then click OK to close the User Accounts window.




e. In the User Authentication (XAuth) window, click Next to continue.


Step 7: Specify group authorization and user group policies.

In the Group Authorization and User Group Policies window, you must create at least one group policy for
the VPN server.




a. Click Add to create a group policy.

b. In the Add Group Policy window, enter VPN-Access as the name of this group. Enter a new pre-shared
key of cisco12345 and then re-enter it.

c. Leave the Pool Information box checked. Enter a starting address of 192.168.2.101, an ending
address of 192.168.2.150, and a subnet mask of 255.255.255.0.

d. Enter 50 for the Maximum Connections Allowed.

e. Click OK to accept the entries.

f. An SDM warning message displays indicating that the IP addresses in the pool and the IP address of
the Loopback0 interface are in the same subnet. Click Yes to confirm.

Why use an IP network for the VPN client pool that is associated with a loopback interface?
________________________________________________________________________________

How does R3 route traffic to the VPN clients?
________________________________________________________________________________

g. When you return to the Group Authorization window, check the Configure Idle Timer check box and
enter one hour (1). This disconnects idle users if there is no activity for one hour and allows others to
connect. Click Next to continue.


h. When the Cisco Tunneling Control Protocol (cTCP) window displays, do not enable cTCP. Click Next
to continue.


Step 8: Review the configuration summary and deliver the commands.

a. Scroll through the commands that SDM will send to the router. Do not select the check box Test VPN
connectivity. Click Finish.

b. If prompted to deliver the configuration to the router, click Deliver.




c. In the Command Delivery Status window, click OK. How many commands were delivered? ________
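For reference, here is the CLI form of what the wizard choices in Steps 2 through 7 configure on R2 (virtual tunnel interface unnumbered to Serial0/0/0, pre-shared keys, local group and XAuth lookup, group VPN-Access with its address pool and connection limit). This is an added example, not the command list SDM delivers: the list, pool and profile names (XAUTH-LIST, GROUP-LIST, VPN-POOL, IKE-PROF-1, IPSEC-PROF-1) are chosen here, SDM generates its own names, and the idle timer from Step 7g is left out.

```cisco
! R2: CLI equivalent of the Easy VPN Server wizard choices (added example, shown
! in running-config form). Names ending in -LIST, -POOL and -PROF-1 are chosen
! for this example; SDM generates its own names when it delivers the commands.
aaa new-model
! Step 5 (group policy lookup) and Step 6 (XAuth user lookup), both local
aaa authentication login XAUTH-LIST local
aaa authorization network GROUP-LIST local
! Step 6c: extra VPN user; "secret" stores an MD5 hash rather than a reversible password
username user01 privilege 1 secret user01pass
! Step 7c: client address pool, inside the Loopback0 192.168.2.0/24 network so
! that EIGRP already advertises the client addresses to R3
ip local pool VPN-POOL 192.168.2.101 192.168.2.150
! Step 3: IKE phase 1 proposal (the SDM default is 3DES, SHA, pre-shared keys, DH group 2)
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
! Steps 7b-7d: group name, pre-shared key, pool and maximum connections
crypto isakmp client configuration group VPN-Access
 key cisco12345
 pool VPN-POOL
 max-users 50
! Tie the group, XAuth and mode-config together and bind them to the virtual template
crypto isakmp profile IKE-PROF-1
 match identity group VPN-Access
 client authentication list XAUTH-LIST
 isakmp authorization list GROUP-LIST
 client configuration address respond
 virtual-template 1
! Step 4: IPsec phase 2 transform set (SDM default ESP-3DES-SHA) and IPsec profile
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile IPSEC-PROF-1
 set transform-set ESP-3DES-SHA
 set isakmp-profile IKE-PROF-1
! Step 2a: dynamic virtual tunnel interface, unnumbered to Serial0/0/0
interface Virtual-Template1 type tunnel
 ip unnumbered Serial0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF-1
!
! Verification once a client has connected (see Task 4):
!   show crypto isakmp sa      -> one QM_IDLE entry per connected client
!   show crypto ipsec sa       -> encrypt/decrypt packet counters increasing
!   show crypto session        -> session status UP-ACTIVE
!   show ip interface brief    -> a Virtual-Access interface in the up state
```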


Step 9: Test the VPN server.

a. You are returned to the main VPN window with the Edit Easy VPN Server tab selected. Click the Test
VPN Server button in the bottom right corner of the screen.

b. In the VPN Troubleshooting window, click the Start button.

c. Your screen should look similar to the one below. Click OK to close the information window. Click
Close to exit the VPN Troubleshooting window.




Task 3. Use the Cisco VPN Client to Test the Remote Access VPN

Step 1: (Optional) Install the Cisco VPN client.
If not already installed, install Cisco VPN client software on host PC-A. If you do not have the Cisco VPN client
software, contact your instructor.




Step 2: Configure PC-A as a VPN client to access the R2 VPN server.

Start the Cisco VPN client and select Connection Entries > New or click the New icon.




Enter the following information to define the new connection entry. Click Save when you are finished.

Connection Entry: VPN-R2

Description: Connection to R2 internal network

Host: 10.1.1.2 (IP address of the R2 S0/0/0 interface)

Group Authentication Name: VPN-Access (Defines the address pool configured in Task 2)

Password: cisco12345 (Pre-shared key configured in Task 2)

Confirm Password: cisco12345

Note: The group authentication name and password are case-sensitive and must match the ones
created on the VPN server.




Step 3: Test access from PC-A without a VPN connection.

Open a command prompt on PC-A, and ping the PC-C IP address at 192.168.3.3 on the R3 LAN. Are the
pings successful? Why or why not?

Note: After creating a VPN connection entry, you must activate it. Currently, the VPN tunnel is not up.


Step 4: Establish a VPN connection and log in.

a. Select the newly created connection VPN-R2 and click the Connect icon. You can also double-click
the connection entry.




b. Enter the username admin created previously on the VPN router, and enter the password cisco12345.

c. Click OK to continue. The VPN Client window minimizes to a lock icon in the tools tray of the taskbar.
When the lock is closed, the VPN tunnel is up. When it is open, the VPN connection is down.




Task 4. Verify the VPN Tunnel between the Client, Server, and Internal Network

Step 1: Check the VPN Client status.

Double-click the VPN lock icon to expand the VPN Client window.

What does it say about the connection status at the top of the window? ________________________


Step 2: Check the tunnel statistics.

Select Status > Statistics to display the Tunnel Details tab.




What is the Client IP address obtained from the VPN server?
________________________________________________________________________________

Note: Each time you disconnect and reconnect to the VPN server, you receive a new IP address until
the limit is reached.

a. What is the VPN server address? ______________________________

b. How many packets have been encrypted? _______________________

c. What is the encryption method being used? ______________________

d. What is the authentication being used? __________________________


Step 3: Check the Cisco IOS messages on R2 when the tunnel is created.

Open the console connection for R2 and locate the message displayed indicating that the virtual interface
came up when the VPN Client connection was made.
R2#
*Feb 2 16:09:08.907: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Virtual-Access2, changed state to up
R2#

Step 4: Verify the VPN connection.

From the PC-A command prompt, issue the ipconfig /all command to see the network connections
currently in use.

a. What is the configuration for the first local area connection?
IP Address: ____________________________
Subnet Mask: __________________________
Default Gateway: _______________________
Description:

b. What is the configuration for Local Area Connection 2?
IP Address: ____________________________
Subnet Mask: __________________________
Default Gateway: _______________________
Description: ____________________________

Step 5: Test the access from the client with the VPN connection.

With the VPN connection from computer PC-A to router R2 activated, open a command prompt on PC-A
and ping the PC-C IP address at 192.168.3.3 on the R3 LAN. Are the pings successful? Why or why not?
____________________________________________________________________________________
____________________________________________________________________________________


Step 6: Telnet to R2 from PC-A.

From the PC-A command prompt, telnet to R2 at the Lo0 IP address 192.168.2.1. Log in as admin with
the password cisco12345. What is the router command prompt and why is this?
________________________________________________________________________________

a. Issue the show run command to view the various commands generated by SDM to configure the VPN
server.

b. Issue the show users command to see the connections to router R2. What connections are present?
_________________________________________________________________________

c. Exit the Telnet session with the quit or exit command.

d. Right-click the VPN Client icon in the tools tray and select Disconnect, or click the VPN-R2 connection
and click the Disconnect icon.

e. Open the VPN client connection again but this time log in as user01 with the password user01pass.

f. Telnet from PC-A to R2 again at the Lo0 IP address 192.168.2.1. Log in as user01 with the password
user01pass. What is the router command prompt and why is this?
________________________________________________________________________________

Note: You could have telnetted to R2 from the first VPN session and logged in as user01, but this
process demonstrates the VPN disconnect and connect process and verifies that user01 is set up
properly.


Task 5. Reflection
Why is VPN a good option for remote users?

Router Interface Summary Table

Router Model  Ethernet Interface #1      Ethernet Interface #2      Serial Interface #1    Serial Interface #2
1700          Fast Ethernet 0 (FA0)      Fast Ethernet 1 (FA1)      Serial 0 (S0)          Serial 1 (S1)
1800          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2600          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0 (S0/0)      Serial 0/1 (S0/1)
2800          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router
and how many interfaces the router has. There is no way to effectively list all the combinations of
configurations for each router class. This table includes identifiers for the possible combinations of
Ethernet and Serial interfaces in the device. The table does not include any other type of interface,
even though a specific router may contain one. An example of this might be an ISDN BRI interface.
The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to
represent the interface.




Chapter 9: Lab A: Security Policy Development and Implementation

Topology




IP Addressing Table

Device  Interface      IP Address     Subnet Mask       Default Gateway  Switch Port
R1      FA0/1          192.168.1.1    255.255.255.0     N/A              S1 FA0/5
        S0/0/0 (DCE)   10.1.1.1       255.255.255.252   N/A              N/A
R2      S0/0/0         10.1.1.2       255.255.255.252   N/A              N/A
        S0/0/1 (DCE)   10.2.2.2       255.255.255.252   N/A              N/A
R3      FA0/1          192.168.3.1    255.255.255.0     N/A              S3 FA0/5
        S0/0/1         10.2.2.1       255.255.255.252   N/A              N/A
S1      VLAN 1         192.168.1.11   255.255.255.0     192.168.1.1      N/A
S2      VLAN 1         192.168.1.12   255.255.255.0     192.168.1.1      N/A
S3      VLAN 1         192.168.3.11   255.255.255.0     192.168.3.1      N/A
PC-A    NIC            192.168.1.3    255.255.255.0     192.168.1.1      S1 FA0/6
PC-B    NIC            192.168.1.2    255.255.255.0     192.168.1.1      S2 FA0/18
PC-C    NIC            192.168.3.3    255.255.255.0     192.168.3.1      S3 FA0/18



Objectives
Part 1: Create a Basic Security Policy
Use Cisco Security Policy Builder to create a policy.
Develop a network device configuration policy.

Part 2: Basic Network Device Configuration
Configure host names, interface IP addresses, and passwords.
Configure static routing.

Part 3: Secure Network Routers
Configure passwords and a login banner.
Configure SSH access and disable Telnet.
Configure HTTP secure server access.
Configure a synchronized time source using NTP.
Configure router syslog support.
Configure centralized authentication using AAA and RADIUS.
Use Cisco IOS to disable unneeded services and secure against login attacks.
Use SDM to disable unneeded services.
Configure a CBAC firewall.
Configure a ZBF firewall.
Configure Intrusion Prevention System (IPS) using Cisco IOS and SDM.
Back up and secure the Cisco IOS image and configuration files.

Part 4: Secure Network Switches
Configure passwords and a login banner.
Configure management VLAN access.
Configure a synchronized time source using NTP.
Configure syslog support.
Configure SSH access.
Configure AAA and RADIUS.
Secure trunk ports.
Secure access ports.
Protect against STP attacks.
Configure port security and disable unused ports.

Part 5: Configure VPN Remote Access
Use SDM to configure Easy VPN Server.
Use the Cisco VPN Client to test the remote access VPN.

Background

A comprehensive security policy covers three main areas: governing policies, end-user policies, and technical
policies. Technical policies can include email, remote access, telephony, applications, and network policies,
such as device access controls and logging. The focus of this lab is technical network policies and security
measures that can be configured for network devices.

In Part 1 of this lab, you use the Cisco Security Policy Builder tool to create a basic security policy. You
customize the policy by changing the generic names in the document to a company name of your choice.

You also develop a Network Device Security Guidelines document as a supplement to the basic security
policy. This document addresses specific router and switch security measures and describes the security
requirements to be implemented on the infrastructure equipment. The basic Security Policy and the Network
Device Security Guidelines are presented to your instructor for review prior to starting Part 2 of the lab.

In Part 2, you build the network and configure basic device settings. In Parts 3 and 4, you secure routers and
switches. In Part 5, you configure a router for VPN remote access. The Network Device Security Guidelines
policy is used as the guiding document.

The fictitious company you are working for has two locations connected by an ISP. Router R1 represents a
remote site, and R3 represents the corporate headquarters. Router R2 represents the ISP.

Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T
(Advanced IP image). The switch commands and output are from a Cisco WS-C2960-24TT-L with Cisco IOS
Release 12.2(46)SE (C2960-LANBASEK9-M image). Other routers, switches, and Cisco IOS versions can be
used. See the Router Interface Summary table at the end of the lab to determine which interface identifiers to
use based on the equipment in the lab. Depending on the router or switch model and Cisco IOS version, the
commands available and output produced might vary from what is shown in this lab.

Note: Make sure that the routers and switches have been erased and have no startup configurations.


Required Resources
2 routers with SDM 2.5 installed (Cisco 1841 with Cisco IOS Release 12.4(20)T1 Advanced IP Service or comparable)
1 router (Cisco 1841 with Cisco IOS Release 12.4(20)T1 IP Base or comparable)
3 switches (Cisco 2960 with Cisco IOS Release 12.2(46)SE C2960-LANBASEK9-M image or comparable)
PC-A: Windows XP, Vista, or Windows Server (with RADIUS, TFTP, and syslog servers plus PuTTY and Cisco VPN Client software available)
PC-B: Windows XP or Vista
PC-C: Windows XP or Vista (with RADIUS, TFTP, and syslog servers plus PuTTY software available; SuperScan is optional)
Serial and Ethernet cables as shown in the topology
Rollover cables to configure the routers via the console
Access to the Internet and an email account.



Part 1. Create a Security Policy
In Part 1, you use the Cisco Security Policy Builder tool to create a basic security policy. You customize the
policy to meet specific needs. Present this document in a formal manner, with a title page, administrative
overview, and policy components.

This tool provides businesses a sample network security policy that is then tailored to their requirements.


Task 1. Use Cisco Security Policy Builder to Create a Basic Security Policy (Chapter 9)

Step 1: Access the Cisco Security Policy Builder tool.

a. Open a browser and access the Cisco Security Policy Builder (SPB) tool at
http://www.ciscowebtools.com/spb.

Note: You do not need a CCO account to access this tool.

b. Read through the introduction screen to get an overview of what SPB does and then click the Launch
Security Policy Builder link.




Step 2: Create a basic security policy.

In the next window, click the SECURITY POLICY INTERVIEW link to begin the interview.

a. In the first SECURITY POLICY INTERVIEW window, select 51-100 employees for Company Size.
Click Next to continue.

b. For Industry, select the industry in which your company primarily operates. You may choose any of
the industries listed. In this example, the manufacturing industry is selected. Click Next to continue.




c. For Advanced Technologies, select Yes for the question asking whether the organization deploys
security, VPN, and firewall technologies. Select No for wireless, IP communications (VoIP), and storage.
Click Next to continue.




d. For Remote Access, select Yes - For Employees only. Click Next to continue.




e. In the SECURITY POLICY RESULTS window, enter your email address and accept the disclaimer.
Click Send Security Policy.

Note: The security policy is emailed to you as a Word document.

Step 3: Review the basic security policy.

The security policy generated by Cisco SPB is approximately 20 pages. Review the major sections of the
policy and list them in the space provided below.

Note: These sections change based on your answers to the security policy interview in Step 2,
especially those related to the advanced technologies employed.

________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________

What portions of the generated basic SPB policy are related to technical policies?

a. Select a fictitious company name and write it here: _______________________________________

b. Read through the policy to identify generic text to be replaced. Use find and replace to replace the text
with the company name that you selected.

c. Replace the generic text in the basic security policy document, such as < YOUR COMPANY NAME
HERE >, with the name of your fictitious company.



Task 2. Create Network Equipment Security Guidelines to Supplement the Basic
Security Policy (Chapter 9)

Step 1: Review the objectives for previous CCNA Security labs.

a. Open each of the previous labs completed from chapters one through eight and review the objectives
listed for each one.

b. Copy them to a separate document for use as a starting point. Focus mainly on those objectives that
involve security practices and device configuration.


Step 2: Create a Network Device Security Guidelines document for router and switch security.

Create a high-level list of tasks to include for network device security. This document reinforces and
supplements the information presented in the basic Security Policy document created in Task 1. It is
based on the content of previous CCNA Security labs and on the networking devices present in the
course lab topology. Construct the document so that the topic headings and wording are similar to that
found in the Security Policy document.

Note: The Network Device Security Guidelines document is no more than two pages and is the basis for
the equipment configuration in the remaining parts of the lab.


Step 3: Submit the basic Security Policy and Network Device Security Guidelines to your instructor.

Provide the edited basic Security Policy and Network Device Security Guidelines documents to your
instructor for review before starting Part 2 of the lab. You can send them as email attachments or put
them on removable storage media, such as a flash drive, floppy disc, or CD.

Note: These security documents are over 20 pages. Do not print them out.


Part 2. Basic Network Device Configuration (Chapters 2 and 6)
In Part 2, you set up the network topology and configure basic settings, such as the interface IP addresses
and static routing. Perform steps on routers and switches as indicated.


Step 1: Cable the network as shown in the topology.

Attach the devices shown in the topology diagram, and cable as necessary.


Step 2: Configure basic settings for all routers.

Configure host names as shown in the topology.

a. Configure the interface IP addresses as shown in the IP addressing table.

b. Configure a clock rate for the routers with a DCE serial cable attached to their serial interface.

c. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands as
though they were host names.




Step 3: Configure static default routes on R1 and R3.

Configure a static default route from R1 to R2 and from R3 to R2.


Step 4: Configure static routes on R2.

Configure a static route from R2 to the R1 LAN and from R2 to the R3 LAN.


Step 5: Configure basic settings for each switch.

Configure host names as shown in the topology.

a. Configure the VLAN 1 management addresses as shown in the IP Addressing table.

b. Configure the IP default gateway for each of the three switches. The gateway for the S1 and S2
switches is the R1 Fa0/1 interface IP address. The gateway for the S3 switch is the R3 Fa0/1 interface IP
address.

c. Disable DNS lookup to prevent the switches from attempting to translate incorrectly entered commands
as though they were host names.


Step 6: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C, as shown in
the IP addressing table.


Step 7: Verify connectivity between PC-A and PC-C.

Step 8: Save the basic running configuration for each router.


Part 3. Secure Network Routers
In Part 3, you configure device access, passwords, firewalls, and intrusion prevention. Perform steps on
routers as indicated.


Task 1. Configure Passwords and a Login Banner (Chapter 2)

Step 1: Configure a minimum password length of 10 characters on all routers.

Step 2: Configure the enable secret password on all routers.

Use an enable secret password of cisco12345.


Step 3: Encrypt plaintext passwords.

Step 4: Configure the console lines on all routers.

Configure a console password of ciscoconpass and enable login. Set the exec-timeout to log out
after 5 minutes of inactivity. Prevent console messages from interrupting command entry.


Step 5: Configure the vty lines on R2.

Configure a vty line password of ciscovtypass and enable login. Set the exec-timeout to log out after
5 minutes of inactivity.

Note: The vty lines for R1 and R3 are configured for SSH in Task 2.


Step 6: Configure a login warning banner on routers R1 and R3.

Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that says
“Unauthorized access strictly prohibited and prosecuted to the full extent of
the law”.


Task 2. Configure the SSH Server on Routers R1 and R3 (Chapter 2)

Step 1: Configure a privileged user for login from the SSH client.

Create the user Admin01 account with a privilege level of 15 and a secret password of Admin01pa55.


Step 2: Configure the domain name ccnasecurity.com.

Step 3: Configure the incoming vty lines.

Specify a privilege level of 15 so that a user with the highest privilege level (15) will default to privileged
EXEC mode when accessing the vty lines. Other users will default to user EXEC mode. Specify local user
accounts for mandatory login and validation, and accept only SSH connections.


Step 4: Generate the RSA encryption key pair for the router.

Configure the RSA keys with 1024 for the number of modulus bits.


Step 5: Verify SSH connectivity to R1 from PC-A.

a. If the SSH client is not already installed, download either TeraTerm or PuTTY.

b. Launch the SSH client, enter the Fa0/1 IP address, and enter the Admin01 username and password
Admin01pa55.
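Added example (not from the lab): the Task 2 SSH server configuration on R1; repeat it on R3. The hostname is already R1, which together with the domain name is required before the key is generated. The two ip ssh tuning lines are extra hardening that the lab does not ask for.

```cisco
R1(config)# username Admin01 privilege 15 secret Admin01pa55
R1(config)# ip domain-name ccnasecurity.com
! key is named <hostname>.<domain>; lab specifies 1024 bits
R1(config)# crypto key generate rsa general-keys modulus 1024
! SSHv2 only; v1 has known protocol weaknesses
R1(config)# ip ssh version 2
! optional hardening, not required by the lab
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 2
R1(config)# line vty 0 4
! a privilege-15 user lands in privileged EXEC; others in user EXEC
R1(config-line)# privilege level 15
! authenticate against the local username database
R1(config-line)# login local
! refuse Telnet on these lines
R1(config-line)# transport input ssh
R1(config-line)# end
R1# show ip ssh
R1# show crypto key mypubkey rsa
```

Caveats: 1024-bit RSA is what this lab calls for; on production equipment use modulus 2048 or larger. Also, once aaa new-model is entered in Task 5, the login local line command is no longer what authenticates vty users; the AAA default login list takes over, which is why the lab's Task 5 Step 8 tests the local Admin01 account again with the RADIUS server down.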


Task 3. Configure a Synchronized Time Source Using NTP (Chapter 2)

Step 1: Set up the NTP master using Cisco IOS commands.

R2 will be the master NTP server. All other routers and switches learn their time from it, either directly or
indirectly.

a. Ensure that R2 has the correct coordinated universal time. Set the time if it is not correct.

b. Configure R2 as the NTP master with a stratum number of 3.




Step 2: Configure R1 and R3 as NTP clients.

a. Configure R1 and R3 to become NTP clients of R2.

b. Verify that R1 and R3 have made an association with R2 using the show ntp associations
command.


Task 4. Configure Router Syslog Support (Chapter 2)

Step 1: (Optional) Install the syslog server on PC-A and PC-C.

If a syslog server is not currently installed on the host, download the latest version of Kiwi from
http://www.kiwisyslog.com or Tftpd32 from http://tftpd32.jounin.net and install it on your desktop. If it is already
installed, go to Step 2.


Step 2: Configure R1 to log messages to the PC-A syslog server.

a. Verify that you have connectivity between R1 and host PC-A by pinging the R1 Fa0/1 interface IP
address 192.168.1.1 from PC-A. If it is not successful, troubleshoot as necessary before continuing.

b. Configure logging on the router to send syslog messages to the syslog server.


Step 3: Configure R3 to log messages to the PC-C syslog server.

a. Verify that you have connectivity between R3 and the host PC-C by pinging the R3 Fa0/1 interface IP
address 192.168.3.1 from PC-C. If it is not successful, troubleshoot as necessary before continuing.

b. Configure logging on the router to send syslog messages to the syslog server.
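Added example (not from the lab) covering Task 3 and Task 4 together, since syslog timestamps are only useful once the clocks agree. The clock value is a sample, and the syslog server addresses 192.168.1.3 (PC-A) and 192.168.3.3 (PC-C) are assumed; the lab's IP addressing table is authoritative.

```cisco
! --- Task 3: R2 is the NTP master ---
R2# clock set 18:30:00 12 Feb 2009
R2# configure terminal
! stratum 3: R2 advertises itself as a reference with no upstream source
R2(config)# ntp master 3
R2(config)# end

! --- R1 and R3 are NTP clients of R2 (10.1.1.2 is reachable from R3 via EIGRP) ---
R1(config)# ntp server 10.1.1.2
R3(config)# ntp server 10.1.1.2
! a * in front of the peer means synchronized; allow several minutes
R1# show ntp associations
R1# show ntp status

! --- Task 4: R1 logs to the PC-A syslog server; same on R3 with 192.168.3.3 ---
R1(config)# service timestamps log datetime msec
! syslog server address (assumed)
R1(config)# logging host 192.168.1.3
! send severity 0-6; debug (7) would flood the server
R1(config)# logging trap informational
R1(config)# end
R1# show logging
```

Note that syslog is cleartext UDP 514, so it belongs on the trusted LAN side, which is how the lab places it. Also, after the CBAC firewall is built in Task 8, NTP replies from R2 are blocked at R1 S0/0/0 until the ACL entry in Task 8 Step 9 is added.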


Task 5. Configure Authentication Using AAA and RADIUS (Chapter 3)
PC-A will serve as the local RADIUS server for the remote site, and R1 accesses the external RADIUS server
for user authentication. The freeware RADIUS server WinRadius is used for this section of the lab.


Step 1: (Optional) Download and configure the WinRadius software.

a. If WinRadius is not currently installed on PC-A, download the latest version from
http://www.suggestsoft.com/soft/itconsult2000/winradius/. There is no installation program; the
extracted WinRadius.exe file runs directly.

b. Start the WinRadius.exe application. If the application is being started for the first time, follow the
instructions to configure the WinRadius server database.


Step 2: Configure users and passwords on the WinRadius server.

a. Add username RadAdmin with a password of RadAdminpa55.

b. Add username RadUser with a password of RadUserpa55.

Step 3: Enable AAA on R1.
Use the aaa new-model command to enable AAA.

Step 4: Configure the default login authentication list.

Configure the list to first use radius for the authentication service and then local to allow access based
on the local router database if a RADIUS server cannot be reached.


Step 5: Verify connectivity between R1 and the PC-A RADIUS server.

Ping from R1 to PC-A.

If the pings are not successful, troubleshoot the PC and router configuration before continuing.


Step 6: Specify a RADIUS server on R1.

Configure the router to access the RADIUS server at the PC-A IP address. Specify port numbers 1812
and 1813, along with the default secret key of WinRadius for the RADIUS server.

Step 7: Test your configuration by logging into the console on R1.

a. Exit to the initial router screen that displays the following: R1 con0 is now available.

b. Log in with the username RadAdmin and password RadAdminpa55. Are you able to login with
minimal delay? __________________________________________________________________

Note: If you close the WinRadius server and restart it, you must recreate the user accounts from Step 2.


Step 8: Test your configuration by connecting to R1 with SSH.

Clear the log display for the WinRadius server by selecting Log > Clear.

a. Use PuTTY or another terminal emulation client to open an SSH session from PC-A to R1.

b. At the login prompt, enter the username RadAdmin defined on the RADIUS server and the password
RadAdminpa55.

Are you able to login to R1? _____

c. Exit the SSH session.

d. Stop the WinRadius server on PC-A by selecting Operation > Exit.

e. Open an SSH session and attempt to log in again as RadAdmin.

Are you able to login to R1? _______________________________

f. Close the SSH client and open another SSH session to R1 and attempt to log in as Admin01 with a
password of Admin01pa55.

With the WinRadius server unavailable, are you able to log in to R1? Why or why not?
____________________________________________________________________________________
____________________________________________________________________________________




Step 9: Configure RADIUS support on R3.

Repeat steps 1 through 6 to configure R3 to access PC-C as a RADIUS server.
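Added example (not from the lab): the Task 5 AAA and RADIUS commands on R1, and the R3 equivalent. The server addresses 192.168.1.3 (PC-A) and 192.168.3.3 (PC-C) are assumed. The test aaa command is an IOS built-in used here to check the server without leaving the console.

```cisco
! make sure a local privileged user exists BEFORE enabling AAA,
! otherwise an unreachable RADIUS server can lock you out (Admin01 from Task 2)
R1# show running-config | include username
R1# configure terminal
R1(config)# aaa new-model
! try RADIUS first; fall back to the local database only if no server answers
R1(config)# aaa authentication login default group radius local
! WinRadius defaults: auth 1812, acct 1813, shared secret "WinRadius"
R1(config)# radius-server host 192.168.1.3 auth-port 1812 acct-port 1813 key WinRadius
! optional: fail over to local faster than the defaults
R1(config)# radius-server timeout 3
R1(config)# radius-server retransmit 2
R1(config)# end
! sanity checks before you log out of the console
R1# ping 192.168.1.3
R1# test aaa group radius RadAdmin RadAdminpa55 legacy

! --- R3 against the PC-C RADIUS server ---
R3(config)# aaa new-model
R3(config)# aaa authentication login default group radius local
R3(config)# radius-server host 192.168.3.3 auth-port 1812 acct-port 1813 key WinRadius
```

The order of methods matters: "local" is consulted only when every RADIUS server times out, not when RADIUS answers with an Access-Reject. A bad RadAdmin password therefore fails even though Admin01 exists locally, while stopping WinRadius (Step 8 d) makes the router fall through to the local database. The shared secret WinRadius is the product default and should be changed outside a lab.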


Task 6. Use the CLI to Disable Unneeded Services on R1 and Secure Against
Login Attacks (Chapter 2)

Step 1: Use the CLI to disable common IP services that can be exploited for network attacks.

Tip: You can issue the auto secure management command to see the management related commands
that would be generated. When prompted with “Apply this configuration to running-config? [yes]:” respond NO
and then selectively copy the desired commands to a text file for editing and application to the router.

Disable the following global services on the router.
service finger
service pad
service udp-small-servers
service tcp-small-servers
cdp run
ip bootp server
ip http server
ip finger
ip source-route
ip gratuitous-arps
ip identd

Note: Disabling the HTTP server prevents web-based access to the router using SDM. If you want to
have secure access to the router using SDM, you can enable it using the command ip http secure-server.

a. For each serial interface, disable the following interface services.
ip redirects
ip proxy-arp
ip unreachables
ip directed-broadcast
ip mask-reply

b. For each Fast Ethernet interface, disable the following interface services.
ip redirects
ip proxy-arp
ip unreachables
ip directed-broadcast
ip mask-reply
mop enabled


Step 2: Secure against login attacks on R1 and R3.

Configure the following parameters:

Blocking period when a login attack is detected: 60 seconds

Maximum login failures with the device: 2

Time period within which the failed login attempts must occur: 30 seconds



Step 3: Save the running configuration to the startup configuration for R1 and R3.
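Added example (not from the lab): the full Task 6 command set on R1, which is what the auto secure management tip would generate, followed by the login-attack settings of Step 2 and the save in Step 3. The login quiet-mode ACL and the on-failure/on-success logging lines are extra hardening not required by the lab; the management host address 192.168.1.3 in that ACL is assumed.

```cisco
R1(config)# no service finger
R1(config)# no service pad
R1(config)# no service udp-small-servers
R1(config)# no service tcp-small-servers
! CDP leaks platform and address details to any neighbor
R1(config)# no cdp run
R1(config)# no ip bootp server
! SDM later needs ip http secure-server instead (see note above)
R1(config)# no ip http server
R1(config)# no ip finger
! source-routed packets can be used to bypass path-based controls
R1(config)# no ip source-route
R1(config)# no ip gratuitous-arps
R1(config)# no ip identd

! serial interfaces: S0/0/0 on R1 (repeat for each serial interface)
R1(config)# interface Serial0/0/0
R1(config-if)# no ip redirects
R1(config-if)# no ip proxy-arp
R1(config-if)# no ip unreachables
R1(config-if)# no ip directed-broadcast
R1(config-if)# no ip mask-reply

! Fast Ethernet interfaces add MOP
R1(config-if)# interface FastEthernet0/1
R1(config-if)# no ip redirects
R1(config-if)# no ip proxy-arp
R1(config-if)# no ip unreachables
R1(config-if)# no ip directed-broadcast
R1(config-if)# no ip mask-reply
R1(config-if)# no mop enabled
R1(config-if)# exit

! Step 2: after 2 failures within 30 s, refuse logins for 60 s (quiet mode)
R1(config)# login block-for 60 attempts 2 within 30
! optional: still allow the management host during quiet mode
R1(config)# ip access-list standard MGMT-HOST
R1(config-std-nacl)# permit host 192.168.1.3
R1(config-std-nacl)# exit
R1(config)# login quiet-mode access-class MGMT-HOST
! optional: record every attempt to syslog (Task 4)
R1(config)# login on-failure log
R1(config)# login on-success log
R1(config)# end
R1# show login
! Step 3
R1# copy running-config startup-config
```

Two caveats: no ip unreachables also suppresses the ICMP messages that traceroute and path MTU discovery rely on, so expect those to degrade; and without a quiet-mode access-class, login block-for locks out the legitimate administrator for the blocking period too, which is exactly what an attacker needs for a cheap denial of service. Do the same on R3, bearing in mind the proxy ARP note in Task 7.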


Task 7. Use SDM to Disable Unneeded Services on R3 (Chapter 2)

Step 1: Configure secure HTTP router access prior to starting SDM.

Enable the HTTP secure server on R3.


Step 2: Access SDM and set command delivery preferences.

a. Start the SDM application, or open a browser on PC-C and start SDM by entering the R3 IP address at
https://192.168.3.1 in the address field. Be sure to use HTTPS as the protocol.

b. At the security certificate warning, click Continue to this website.

c. Log in with no username and the enable secret password cisco12345.

d. If the Warning - Security window pops up stating that the website's certificate cannot be verified, check the
Always trust content from this publisher check box and then click Yes to continue.

e. In the Authentication Required dialog box, do not enter a username but enter the enable secret password
cisco12345.

f. In the IOS IPS Login dialog box, do not enter a username but enter the enable secret password
cisco12345.

g. Set the user preferences to allow preview of commands before delivering them to the router.


Step 3: Begin the security audit.

a. Select Configure > Security Audit and click the Perform Security Audit button.

b. Select FastEthernet 0/1 as the Inside Trusted interface and Serial 0/0/1 as the Outside Untrusted
interface.

c. View the Security Audit report and note which services did not pass. Click Next.

d. In the Fix It window, click Fix it to disable the following global and interface services:
Global services to disable:
service pad
cdp run
ip bootp server
ip source-route

Per-interface service to disable:
ip redirects
ip unreachables
mop enabled




Note: Do not fix (disable) Proxy ARP. The fix turns off proxy ARP on all R3 interfaces, including
Fa0/1, which breaks pings to the R3 VPN server LAN. The VPN server is configured in Part 5 of the lab.

e. Click Next to view a summary of the problems that will be fixed. Click Finish to deliver the commands
to the router.


Task 8. Configure a CBAC Firewall on R1 (Chapter 4)

Step 1: Use the Cisco IOS AutoSecure feature to enable a CBAC firewall on R1.

a. To configure only the Context-Based Access Control (CBAC) firewall on R1, use the auto secure
command with the firewall option. Respond to the AutoSecure questions and prompts as shown in the
following output (the responses appear after each prompt).
R1#auto secure firewall
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of the router, but it will
not make it absolutely resistant to all security attacks ***

AutoSecure will modify the configuration of your device. All configuration
changes will be shown. For a detailed explanation of how the configuration
changes enhance security and any possible side effects, please refer to
Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down

FastEthernet0/1 192.168.1.1 YES manual up up

Serial0/0/0 10.1.1.1 YES SLARP up up

Serial0/0/1 unassigned YES unset administratively down down


Enter the interface name that is facing the internet: serial0/0/0
Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:

ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600


ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface Serial0/0/0
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
!
end

Apply this configuration to running-config? [yes]: yes

Applying the config generated to running-config

R1#
Feb 12 18:34:58.040: %AUTOSEC-5-ENABLED: AutoSecure is configured on the
device

Step 2: Review the AutoSecure CBAC configuration.

a. To which interface is the autosec_inspect name applied and in what direction? _________________

b. To which interface is the ACL autosec_firewall_acl applied and in which direction? ______________

c. What is the purpose of the ACL autosec_firewall_acl?
________________________________________________________________________________


Step 3: From PC-A, ping the R2 external WAN interface.

a. From PC-A, ping the R2 interface S0/0/0 at IP address 10.1.1.2.

b. Are the pings successful? Why or why not?
________________________________________________________________________________


Step 4: Add ICMP to the autosec_inspect list.

Configure R1 to inspect ICMP and allow ICMP echo replies from outside hosts with a timeout of
60 seconds.

Step 5: From PC-A, ping the R2 external WAN interface.

From PC-A, ping the R2 interface S0/0/0 at IP address 10.1.1.2.
Are the pings successful? Why or why not?
_______________________________________________________________________

Step 6: From R2, ping PC-A.

From R2 ping PC-A. Are the pings successful? Why or why not?
________________________________________________________________________________

Step 7: Test SSH access from PC-C to R1.

From external host PC-C, start a PuTTY session to R1.

Is the SSH session connection successful? Why or why not?
________________________________________________________________________________


Step 8: Configure the R1 firewall to allow SSH access from external hosts on the 192.168.3.0/24
network.

a. Display the Extended ACL named autosec_firewall_acl that is applied to S0/0/0 inbound.
R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
20 deny ip any any (57 matches)
b. Configure R1 to allow SSH access from the 192.168.3.0/24 network by adding a statement to the
Extended ACL autosec_firewall_acl that permits TCP port 22 (SSH). Sequence number 13 places the
entry ahead of the final deny.
R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#13 permit tcp 192.168.3.0 0.0.0.255 any eq 22
R1(config-ext-nacl)#end
c. From external host PC-C, start a PuTTY SSH session to R1 at IP address 10.1.1.1 and log in as
RADIUS user RadAdmin with a password of RadAdminpa55.

d. From the SSH session on R1, display the modified Extended ACL autosec_firewall_acl.
R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
13 permit tcp 192.168.3.0 0.0.0.255 any eq 22 (16 matches)
20 deny ip any any (60 matches)

Step 9: Configure the R1 firewall to allow NTP and VPN traffic.

a. Configure R1 to allow Network Time Protocol (NTP) updates from R2 by adding a statement to the
Extended ACL autosec_firewall_acl that permits NTP (UDP port 123) from R2 to R1.
R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#15 permit udp host 10.1.1.2 host 10.1.1.1 eq ntp
b. Configure R1 to allow IPsec VPN traffic between PC-A and R3 by adding a statement to the Extended
ACL autosec_firewall_acl that permits the IPsec Encapsulating Security Payload (ESP) protocol.

Note: In Part 5 of the lab, R3 will be configured as a VPN server, and PC-A will be the remote client.
R1(config-ext-nacl)#18 permit esp any any
R1(config-ext-nacl)#end
c. Display the modified extended ACL autosec_firewall_acl.
R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
13 permit tcp 192.168.3.0 0.0.0.255 any eq 22 (67 matches)
15 permit udp host 10.1.1.2 host 10.1.1.1 eq ntp (3 matches)
18 permit esp any any
20 deny ip any any (21 matches)


Step 10: Test Telnet access from internal PC-A to external router R2.

a. From PC-A, telnet to R2 at IP address 10.1.1.2 using the vty line password ciscovtypass configured in Task 1.
C:\>telnet 10.1.1.2
Is the telnet attempt successful? Why or why not?
_______________________________________________________________________________

b. Leave the Telnet session open.


Step 11: Display CBAC inspection sessions.

Display the IP inspect session to see the active Telnet session from PC-A to R2.
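Added example (not from the lab): the commands behind Task 8 Steps 4 and 11, with the show commands used to read the AutoSecure CBAC configuration back. Nothing here is assumed beyond what AutoSecure generated above.

```cisco
! Step 4: inspect ICMP so echo replies to PC-A's pings are let back in;
! the entry expires 60 s after the last matching packet
R1(config)# ip inspect name autosec_inspect icmp timeout 60
R1(config)# end

! which protocols are inspected and with what timeouts
R1# show ip inspect config
! confirms: autosec_inspect outbound and autosec_firewall_acl inbound on S0/0/0
R1# show ip inspect interfaces
! Step 11: the open Telnet session from PC-A to 10.1.1.2 should appear here
R1# show ip inspect sessions detail
! the deny counter should stop growing for traffic that CBAC now permits
R1# show access-list autosec_firewall_acl
```

The mechanism to observe: inspection is applied outbound on S0/0/0, so every session that an inside host opens creates a temporary, session-specific opening in the inbound ACL for the return traffic. Anything arriving unsolicited from outside, including R2's pings to PC-A, still hits deny ip any any. This is also why SSH from PC-C, NTP from R2 and ESP had to be added to the ACL explicitly: those flows originate outside and CBAC cannot open them.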


Task 9. Configure a ZBF Firewall on R3 (Chapter 4)

Step 1: Access SDM using HTTPS.

a. Start the SDM application or open a browser on PC-C and start SDM by entering the R3 IP address at
https://192.168.3.1 in the address field. Be sure to use HTTPS as the protocol.

b. At the security certificate warning, click Continue to this website.

c. Log in with no username and the enable secret password cisco12345.

d. In the Authentication Required dialog box and IOS IPS Login dialog box, do not enter a username but
enter the enable secret password cisco12345.
