Objectives
- Configure devices to protect against STP attacks and to enable broadcast storm control
- Configure port security and disable unused switch ports
- Configure an IOS IPS
- Configure a ZPF to implement security policies
- Configure a site-to-site IPsec VPN

Addressing Table

Device            Interface   IP Address        Subnet Mask        Gateway          DNS Server
CORP              Fa0/0       10.1.1.254        255.255.255.0      n/a              n/a
CORP              Fa0/1.10    172.16.10.254     255.255.255.0      n/a              n/a
CORP              Fa0/1.25    172.16.25.254     255.255.255.0      n/a              n/a
CORP              Fa0/1.99    172.16.99.254     255.255.255.0      n/a              n/a
CORP              S0/0/0      209.165.200.226   255.255.255.252    n/a              n/a
Internet          Serial      209.165.200.225   255.255.255.252    n/a              n/a
Internet          Serial      198.133.219.1     255.255.255.252    n/a              n/a
Internet          Serial      192.31.7.1        255.255.255.252    n/a              n/a
Internet          Fa0/0       192.135.250.1     255.255.255.0      n/a              n/a
Branch            S0/0/0      198.133.219.2     255.255.255.252    n/a              n/a
External          Fa0/0       192.31.7.62       255.255.255.224    n/a              n/a
PublicSvr         NIC         192.135.250.5     255.255.255.0      192.135.250.1    n/a
External WebSvr   NIC         192.31.7.35       255.255.255.224    192.31.7.62      192.135.250.5
External PC       NIC         192.31.7.33       255.255.255.224    192.31.7.62      192.135.250.5
NTP/Syslog server NIC         172.16.25.2       255.255.255.0      172.16.25.254    10.1.1.5
DMZ DNS Svr       NIC         10.1.1.5          255.255.255.0      10.1.1.254       192.135.250.5
DMZ WebSvr        NIC         10.1.1.2          255.255.255.0      10.1.1.254       10.1.1.5
internal PC       NIC         172.16.10.5       255.255.255.0      172.16.10.254    10.1.1.5
internal PC       NIC         172.16.10.10      255.255.255.0      172.16.10.254    10.1.1.5
NetAdmin          NIC         172.16.25.5       255.255.255.0      172.16.25.254    10.1.1.5

The Internet router's three serial interfaces are S0/0/0, S0/0/1 and S0/1/0; the extracted table does not preserve which of the three /30 addresses belongs to which interface, and the Branch router's Fa0/0 address is not preserved.
Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.

Step 1: Configure Basic Device Hardening for the CORP Router.

a. Configure the CORP router to only accept passwords with a minimum length of 10 characters.

CORP(config)# security passwords min-length 10

b. Configure an encrypted privileged-level password of ciscoclass.

CORP(config)# enable secret ciscoclass

c. Enable password encryption for all clear-text passwords in the configuration file.

CORP(config)# service password-encryption

d. Configure the console port and all vty lines with the following requirements:
Note: CORP is already configured with the username CORPADMIN and the secret password ciscoccnas.
- use the local database for login
- disconnect after being idle for 20 minutes.

CORP(config)# line console 0
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 0 4
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 5 15
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0

e. Disable the CDP protocol only on the link to the Internet router.

CORP(config)# interface s0/0/0
CORP(config-if)# no cdp enable

Step 2: Configure Secure Network Management for the CORP Router.

a. Enable the CORP router:
- as an NTP client to the NTP/Syslog server
- to update the router calendar (hardware clock) from the NTP time source
- to timestamp log messages
- to send logging messages to the NTP/Syslog server

CORP(config)# ntp server 172.16.25.2 key 0
CORP(config)# ntp update-calendar
CORP(config)# service timestamps log datetime msec
CORP(config)# logging host 172.16.25.2

b. Configure the CORP router to accept SSH connections. Use the following guidelines:
Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess.
- domain name is theccnas.com
- RSA encryption key pair using a modulus of 1024
- SSH version 2, timeout of 90 seconds, and 2 authentication retries
- all vty lines accept only SSH connections

CORP(config)# ip domain-name theccnas.com
CORP(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
CORP(config)# ip ssh version 2
CORP(config)# ip ssh time-out 90
CORP(config)# ip ssh authentication-retries 2
CORP(config)# line vty 0 4
CORP(config-line)# transport input ssh
CORP(config-line)# line vty 5 15
CORP(config-line)# transport input ssh
CORP(config-line)# exit

c. Configure the CORP router with AAA authentication and verify its functionality:
- AAA authentication using the local database as the default for console line and vty lines access

CORP(config)# aaa new-model
CORP(config)# aaa authentication login default local
CORP(config)# aaa authorization exec default local
CORP(config)# line vty 0 4
CORP(config-line)# login authentication default
CORP(config-line)# line vty 5 15
CORP(config-line)# login authentication default
CORP(config-line)# line con 0
CORP(config-line)# login authentication default

Step 3: Configure Device Hardening for Switch1.

a. Access Switch1 with username CORPADMIN, password ciscoccnas, and the enable secret password of ciscoclass.

b. Enable storm control for broadcasts on FastEthernet 0/24 with a 50 percent rising suppression level.
SW1(config)# interface fa0/24
SW1(config-if)# storm-control broadcast level 50

c. Configure Switch1 to protect against STP attacks.
- Configure PortFast on FastEthernet ports 0/1 to 0/23.
- Enable BPDU guard on FastEthernet ports 0/1 to 0/23.

SW1(config)# interface range fa0/1-23
SW1(config-if-range)# spanning-tree portfast
SW1(config-if-range)# spanning-tree bpduguard enable

d. Configure port security and disable unused ports.
- Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/23. Allow the MAC address to be learned dynamically and to shut down the port if a violation occurs.

SW1(config)# interface range fa0/1-23
SW1(config-if-range)# switchport port-security
SW1(config-if-range)# switchport port-security maximum 2
SW1(config-if-range)# switchport port-security violation shutdown
SW1(config-if-range)# switchport port-security mac-address sticky

- Disable unused ports (Fa0/2-5, Fa0/7-10, Fa0/13-23).

SW1(config)# interface range fa0/2-5
SW1(config-if-range)# shutdown
SW1(config)# interface range fa0/7-10
SW1(config-if-range)# shutdown
SW1(config)# interface range fa0/13-23
SW1(config-if-range)# shutdown
SW1(config-if-range)# end
SW1# copy running-config startup-config

Step 4: Configure an IOS IPS on the CORP Router.

a. On the CORP router, create a directory in flash named ipsdir.

CORP# mkdir ipsdir

b. Configure the IPS signature storage location to be flash:ipsdir.

CORP(config)# ip ips config location flash:ipsdir/ retries 1

c. Create an IPS rule named corpips.

CORP(config)# ip ips name corpips

d. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.

CORP(config)# ip ips signature-category
CORP(config-ips-category)# category all
CORP(config-ips-category-action)# retired true
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# category ios_ips basic
CORP(config-ips-category-action)# retired false
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# exit
Do you want to accept these changes? [confirm] [Enter]

e. Apply the IPS rule to the Fa0/0 interface.

CORP(config)# interface fa0/0
CORP(config-if)# ip ips corpips out

f. Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0); enable the signature; modify the signature event-action to produce an alert and to deny packets that match the signature.
CORP(config)# ip ips signature-definition
CORP(config-sigdef)# signature 2004 0
CORP(config-sigdef-sig)# status
CORP(config-sigdef-sig-status)# retired false
CORP(config-sigdef-sig-status)# enabled true
CORP(config-sigdef-sig-status)# exit
CORP(config-sigdef-sig)# engine
CORP(config-sigdef-sig-engine)# event-action produce-alert
CORP(config-sigdef-sig-engine)# event-action deny-packet-inline
CORP(config-sigdef-sig-engine)# exit
CORP(config-sigdef-sig)# exit
CORP(config-sigdef)# exit
CORP(config)# exit
Do you want to accept these changes? [confirm] [Enter]

g. Verify that IPS is working properly. NetAdmin in the internal network cannot ping DMZ WebSvr. DMZ WebSvr, however, can ping NetAdmin.

Step 5: Configure ACLs and CBAC on the CORP Router to Implement the Security Policy.

a. Create ACL 12 to implement the security policy regarding the access to the vty lines:
- Only users connecting from NetAdmin and AdminPC are allowed access to the vty lines.

CORP(config)# access-list 12 permit host 172.16.25.5
CORP(config)# access-list 12 permit host 198.133.219.35
CORP(config)# line vty 0 4
CORP(config-line)# access-class 12 in
CORP(config-line)# line vty 5 15
CORP(config-line)# access-class 12 in

b. Create, apply, and verify an extended named ACL (named DMZFIREWALL) to filter incoming traffic to the DMZ. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.):
1. HTTP traffic is allowed to DMZ WebSvr.
2. DNS traffic (both TCP and UDP) is allowed to DMZ DNSSvr.
3. All traffic from 172.16.25.0/24 is allowed to enter the DMZ.
4. FTP traffic from the Branch administrator workstation is allowed to DMZ WebSvr.

CORP(config)# ip access-list extended DMZFIREWALL
CORP(config-ext-nacl)# permit tcp any host 10.1.1.2 eq www
CORP(config-ext-nacl)# permit tcp any host 10.1.1.5 eq domain
CORP(config-ext-nacl)# permit udp any host 10.1.1.5 eq domain
CORP(config-ext-nacl)# permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255
CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp
CORP(config-ext-nacl)# exit
CORP(config)# interface fa0/0
CORP(config-if)# ip access-group DMZFIREWALL out

c. To verify the DMZFIREWALL ACL, complete the following tests:
- AdminPC in the branch office can access the URL http://www.theccnas.com;
- AdminPC can open an FTP session to the DMZ WebSvr with the username cisco and the password cisco;
- PCB1 cannot open an FTP session to the DMZ WebSvr;
- NetAdmin can open an FTP session to the DMZ WebSvr with the username cisco and the password cisco; and
- PC1 cannot open an FTP session to the DMZ WebSvr.

d. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.):
1. Allow HTTP traffic to the DMZ WebSvr.
2. Allow DNS traffic (both TCP and UDP) to the DMZ DNSSvr.
3. Allow SSH traffic from the Branch Office administrator workstation to the Serial0/0/0 interface on the CORP router.
4. Allow IP traffic from the Branch router serial interface into the CORP router serial interface.
5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP site (209.165.200.240/28).
CORP(config)# ip access-list extended INCORP
CORP(config-ext-nacl)# permit tcp any host 209.165.200.241 eq www
CORP(config-ext-nacl)# permit tcp any host 209.165.200.242 eq domain
CORP(config-ext-nacl)# permit udp any host 209.165.200.242 eq domain
CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
CORP(config-ext-nacl)# permit ip host 198.133.219.2 host 209.165.200.226
CORP(config-ext-nacl)# permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
CORP(config-ext-nacl)# exit
CORP(config)# interface s0/0/0
CORP(config-if)# ip access-group INCORP in

e. To verify the INCORP ACL, complete the following tests:
- AdminPC in the branch office can access the URL http://www.theccnas.com;
- AdminPC can establish an SSH connection to the CORP router (209.165.200.226) with the username SSHAccess and password ciscosshaccess;
- PCB1 cannot establish an SSH connection to the CORP router (209.165.200.226); and
- ExternalPC cannot establish an SSH connection to the CORP router (209.165.200.226).

f. Create and apply a CBAC inspection rule (named INTOCORP) to inspect ICMP, TCP, and UDP traffic between the CORP internal network and any other network.

CORP(config)# ip inspect name INTOCORP icmp
CORP(config)# ip inspect name INTOCORP tcp
CORP(config)# ip inspect name INTOCORP udp

g. Enable CBAC audit messages to be sent to the syslog server.

CORP(config)# ip inspect audit-trail
CORP(config)# interface s0/0/0
CORP(config-if)# ip inspect INTOCORP out

h. Verify the CBAC firewall configuration.
- PC1 can access the External WebSvr (www.externalone.com).
- PC1 can establish an SSH connection to the External router with username SSHadmin and password ciscosshpa55.
- AdminPC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess.

Step 6: Configure a Zone-Based Policy Firewall on the Branch Router.

a. Access the Branch router with username CORPADMIN, password ciscoccnas and the enable secret password of ciscoclass.

b. On the Branch router, create the firewall zones.
- Create an internal zone named BRINZONE.
- Create an external zone named BROUTZONE.
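The DMZFIREWALL and INCORP ACLs in Step 5 are evaluated top-down with first-match semantics and an implicit deny at the end, which is exactly what the verification tests in 5c and 5e exercise. The following Python script is an added example (it is not part of the answer key and not Cisco code): it parses the ACL entries exactly as written above and replays those tests, reporting which entry permitted a flow or that nothing did. The answer key does not give the addresses of PCB1 and PC1, so 198.133.219.40 (a host in the Branch LAN) and 172.16.10.5 are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "ssh": 22}


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port


def _parse_addr(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    addr, wildcard = toks[i], toks[i + 1]
    # An IOS wildcard mask is an inverted netmask: 0.0.0.31 -> 255.255.255.224
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address((~wc) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse extended-ACL entries in the syntax used in Step 5 (permit/deny <proto> <src> <dst> [eq <port>])."""
    entries = []
    for line in lines:
        toks = line.split()
        action, proto = toks[0], toks[1]
        src, i = _parse_addr(toks, 2)
        dst, i = _parse_addr(toks, i)
        dport = None
        if i < len(toks) and toks[i] == "eq":
            p = toks[i + 1]
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First match wins; no match falls through to the implicit deny (line None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, n
    return "deny", None


# The two ACLs, entry for entry as in Step 5 b and d.
DMZFIREWALL = parse_acl([
    "permit tcp any host 10.1.1.2 eq www",
    "permit tcp any host 10.1.1.5 eq domain",
    "permit udp any host 10.1.1.5 eq domain",
    "permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp",
])
INCORP = parse_acl([
    "permit tcp any host 209.165.200.241 eq www",
    "permit tcp any host 209.165.200.242 eq domain",
    "permit udp any host 209.165.200.242 eq domain",
    "permit tcp host 198.133.219.35 host 209.165.200.226 eq 22",
    "permit ip host 198.133.219.2 host 209.165.200.226",
    "permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15",
])

ADMIN_PC, NETADMIN, EXTERNAL_PC = "198.133.219.35", "172.16.25.5", "192.31.7.33"
PCB1 = "198.133.219.40"   # constructed: PCB1's address is not in the answer key
PC1 = "172.16.10.5"       # constructed: an internal VLAN 10 host
DMZ_WEB, CORP_S0 = "10.1.1.2", "209.165.200.226"


def run_verification() -> Dict[str, Tuple[str, Optional[int]]]:
    """Replay the tests of 5c (DMZFIREWALL) and 5e (INCORP); value is (action, matching line)."""
    return {
        "adminpc_http_dmz": evaluate(DMZFIREWALL, "tcp", ADMIN_PC, DMZ_WEB, 80),
        "adminpc_ftp_dmz": evaluate(DMZFIREWALL, "tcp", ADMIN_PC, DMZ_WEB, 21),
        "pcb1_ftp_dmz": evaluate(DMZFIREWALL, "tcp", PCB1, DMZ_WEB, 21),
        "netadmin_ftp_dmz": evaluate(DMZFIREWALL, "tcp", NETADMIN, DMZ_WEB, 21),
        "pc1_ftp_dmz": evaluate(DMZFIREWALL, "tcp", PC1, DMZ_WEB, 21),
        "adminpc_ssh_corp": evaluate(INCORP, "tcp", ADMIN_PC, CORP_S0, 22),
        "pcb1_ssh_corp": evaluate(INCORP, "tcp", PCB1, CORP_S0, 22),
        "externalpc_ssh_corp": evaluate(INCORP, "tcp", EXTERNAL_PC, CORP_S0, 22),
    }


if __name__ == "__main__":
    for name, (action, line) in run_verification().items():
        print(f"{name:22s} {action:6s} line {line if line else 'implicit deny'}")
```

The evaluator models only the static filter: it ignores interface direction and the CBAC and ZPF state tables. That is why PCB1's SSH attempt falls through to the implicit deny even though entry 6 of INCORP permits the whole Branch LAN, since 209.165.200.226 is outside 209.165.200.240/28; and it is why return traffic for PC1's outbound sessions, which no INCORP entry permits, needs the CBAC rule in 5f to be opened dynamically.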
Branch(config)# zone security BRINZONE
Branch(config-sec-zone)# exit
Branch(config)# zone security BROUTZONE
Branch(config-sec-zone)# exit

c. Define a traffic class and access list.
- Create an ACL (ACL 110) to permit all protocols from the 198.133.219.32/27 network to any destination.

Branch(config)# access-list 110 permit ip 198.133.219.32 0.0.0.31 any

- Create a class map using the option of class-map type inspect with the match-all keyword. Match the ACL 110 and name the class map BRINCLASSMAP.

Branch(config)# class-map type inspect match-all BRINCLASSMAP
Branch(config-cmap)# match access-group 110

d. Specify firewall policies.
- Create a policy map named BRINOUTPMAP.
- Use the BRINCLASSMAP class map.
- Specify the action of inspect for this policy map.
Branch(config)# policy-map type inspect BRINOUTPMAP
Branch(config-pmap)# class type inspect BRINCLASSMAP
Branch(config-pmap-c)# inspect

e. Apply the firewall.
- Create a pair of zones named INOUTZPAIR with the source as BRINZONE and destination as BROUTZONE.

Branch(config)# zone-pair security INOUTZPAIR source BRINZONE destination BROUTZONE

- Specify the policy map BRINOUTPMAP for handling the traffic between the two zones.

Branch(config-sec-zone-pair)# service-policy type inspect BRINOUTPMAP

- Assign interfaces to the appropriate security zones.

Branch(config)# interface fa0/0
Branch(config-if)# zone-member security BRINZONE
Branch(config-if)# interface s0/0/0
Branch(config-if)# zone-member security BROUTZONE

f. Verify the ZPF configuration.
- The AdminPC in the Branch office can access the URLs http://www.theccnas.com and http://www.externalone.com.
- The AdminPC in the Branch office can ping the External PC (192.31.7.33).
- ExternalPC cannot ping the AdminPC in the Branch office (198.133.219.35).
- The AdminPC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess. If you get the Corp> prompt, then your configuration is correct.

Step 7: Configure a Site-to-Site IPsec VPN between the CORP Router and the Branch Router.

The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2 Policy:

ISAKMP Phase 1 Policy Parameters

Parameter                 Value
Key Distribution Method   ISAKMP
Encryption Algorithm      AES
Number of Bits            256
Hash Algorithm            SHA-1
Authentication Method     Pre-share
Key Exchange              DH 2
IKE SA Lifetime           86400
ISAKMP Key                Vpnpass101

IPsec Phase 2 Policy Parameters

Parameter                     CORP Router             Branch Router
Transform Set Name            VPNSET                  VPNSET
Transform Set                 esp-3des esp-sha-hmac   esp-3des esp-sha-hmac
Router hostname               CORP                    Branch
Router (peer) IP address      209.165.200.226         198.133.219.2
Remote network to encrypt     198.133.219.32/27       209.165.200.240/28
Crypto Map Name               VPNMAP                  VPNMAP
SA Establishment              ipsec-isakmp            ipsec-isakmp
a. Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).

CORP(config)# access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31

b. Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters Table for the specific details needed.

CORP(config)# crypto isakmp policy 10
CORP(config-isakmp)# encryption aes 256
CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)# group 2
CORP(config-isakmp)# lifetime 86400    (Default/Optional)
CORP(config-isakmp)# hash sha    (Default/Optional)
CORP(config-isakmp)# exit
CORP(config)# crypto isakmp key Vpnpass101 address 198.133.219.2

c. Configure the ISAKMP Phase 2 properties on the CORP router. Refer to the ISAKMP Phase 2 Policy Parameters Table for the specific details needed.

CORP(config)# crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
CORP(config)# crypto map VPNMAP 10 ipsec-isakmp
CORP(config-crypto-map)# set peer 198.133.219.2
CORP(config-crypto-map)# set transform-set VPNSET
CORP(config-crypto-map)# match address 120

d. Bind the VPNMAP crypto map to the outgoing interface.

CORP(config)# interface s0/0/0
CORP(config-if)# crypto map VPNMAP
CORP(config-if)# end

e. Configure IPsec parameters on the Branch router using the same parameters as on the CORP router. Note that interesting traffic is defined as the IP traffic from the two LANs.

Branch(config)# access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
Branch(config)# crypto isakmp policy 10
Branch(config-isakmp)# encryption aes 256
Branch(config-isakmp)# authentication pre-share
Branch(config-isakmp)# group 2
Branch(config-isakmp)# lifetime 86400    (Default/Optional)
Branch(config-isakmp)# hash sha    (Default/Optional)
Branch(config-isakmp)# exit
Branch(config)# crypto isakmp key Vpnpass101 address 209.165.200.226
Branch(config)# crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
Branch(config)# crypto map VPNMAP 10 ipsec-isakmp
Branch(config-crypto-map)# set peer 209.165.200.226
Branch(config-crypto-map)# set transform-set VPNSET
Branch(config-crypto-map)# match address 120
Branch(config-crypto-map)# exit
Branch(config)# interface s0/0/0
Branch(config-if)# crypto map VPNMAP
Branch(config-if)# end

f. Save the running config, then reload both CORP and Branch routers.

CORP# copy running-config startup-config
Branch# copy running-config startup-config
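The usual reasons a site-to-site tunnel like the one in Step 7 never establishes are a Phase 1 parameter that differs between the peers, a pre-shared key bound to the wrong peer address, a transform set that does not match, or crypto ACLs that are not mirror images of each other. The following Python script is an added example, not part of the answer key and not Cisco tooling: it parses the CORP and Branch commands from Step 7 (reproduced here in running-config form) and checks them against each other, then repeats the check on a constructed Branch configuration with a weaker encryption setting and a non-mirrored ACL. The WAN addresses are the S0/0/0 addresses from the addressing table.

```python
import ipaddress
from typing import Dict, List

# The crypto commands of Step 7, written as they would appear in running-config.
CORP_VPN = """\
access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
 lifetime 86400
 hash sha
crypto isakmp key Vpnpass101 address 198.133.219.2
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.133.219.2
 set transform-set VPNSET
 match address 120
"""
BRANCH_VPN = """\
access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
 lifetime 86400
 hash sha
crypto isakmp key Vpnpass101 address 209.165.200.226
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 209.165.200.226
 set transform-set VPNSET
 match address 120
"""
CORP_WAN, BRANCH_WAN = "209.165.200.226", "198.133.219.2"   # S0/0/0 addresses


def _wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # IOS wildcard mask -> netmask by inverting the bits
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address((~wc) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_vpn(text: str) -> Dict:
    """Pick out the ISAKMP policy, PSK, transform sets, crypto-map peer/ACL and crypto ACLs."""
    cfg = {"isakmp": {}, "psk": None, "transform_sets": {}, "peer": None,
           "map_transform": None, "match_acl": None, "acls": {}}
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] in ("encryption", "hash", "authentication", "group", "lifetime"):
            cfg["isakmp"][toks[0]] = " ".join(toks[1:])
        elif toks[:3] == ["crypto", "isakmp", "key"]:
            cfg["psk"] = {"key": toks[3], "address": toks[5]}
        elif toks[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][toks[3]] = tuple(sorted(toks[4:]))
        elif toks[:2] == ["set", "peer"]:
            cfg["peer"] = toks[2]
        elif toks[:2] == ["set", "transform-set"]:
            cfg["map_transform"] = toks[2]
        elif toks[:2] == ["match", "address"]:
            cfg["match_acl"] = toks[2]
        elif toks[0] == "access-list" and toks[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(toks[1], []).append(
                (_wildcard_net(toks[4], toks[5]), _wildcard_net(toks[6], toks[7])))
    return cfg


def check_peers(a: Dict, a_wan: str, b: Dict, b_wan: str) -> List[str]:
    """Return a list of mismatches between two peers; an empty list means they agree."""
    findings = []
    for k in sorted(set(a["isakmp"]) | set(b["isakmp"])):
        if a["isakmp"].get(k) != b["isakmp"].get(k):
            findings.append(f"ISAKMP {k} mismatch: {a['isakmp'].get(k)!r} vs {b['isakmp'].get(k)!r}")
    if not (a["psk"] and b["psk"]) or a["psk"]["key"] != b["psk"]["key"]:
        findings.append("pre-shared key missing or different on the two peers")
    elif a["psk"]["address"] != b_wan or b["psk"]["address"] != a_wan:
        findings.append("pre-shared key bound to an address that is not the other peer")
    if a["peer"] != b_wan or b["peer"] != a_wan:
        findings.append("set peer does not reference the other router's WAN address")
    ta = a["transform_sets"].get(a["map_transform"])
    tb = b["transform_sets"].get(b["map_transform"])
    if ta is None or ta != tb:
        findings.append("transform-set referenced by the crypto map missing or different")
    acl_a = set(a["acls"].get(a["match_acl"], []))
    acl_b = set(b["acls"].get(b["match_acl"], []))
    if not acl_a or acl_a != {(dst, src) for src, dst in acl_b}:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


def check_answer_key() -> List[str]:
    return check_peers(parse_vpn(CORP_VPN), CORP_WAN, parse_vpn(BRANCH_VPN), BRANCH_WAN)


def check_mismatched_branch() -> List[str]:
    """Constructed failure case: Branch uses AES-128 and its crypto ACL names the wrong /28."""
    broken = (BRANCH_VPN.replace("encryption aes 256", "encryption aes 128")
              .replace("209.165.200.240 0.0.0.15", "209.165.200.224 0.0.0.15"))
    return check_peers(parse_vpn(CORP_VPN), CORP_WAN, parse_vpn(broken), BRANCH_WAN)


if __name__ == "__main__":
    print("answer key:", check_answer_key() or "peers consistent")
    print("broken Branch:", check_mismatched_branch())
```

The ACL comparison sorts each side's (source, destination) pairs into a set and demands that one side equal the other with the pairs swapped, so an extra or missing entry on either router is reported as well as a wrong prefix. The transform-set proposals are compared as sorted tuples, since IOS accepts them in either order.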
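A defender confirming that the hardening in Steps 1 and 2 (and the vty access-class from Step 5a) actually took effect should check the running configuration rather than the session transcript. The script below is an added example, not Cisco tooling: it splits a `show running-config` text into global commands and `line`/`interface` sections and reports every requirement of those steps that is missing. Both configurations are constructed samples rather than output from the lab routers; one is compliant and one has three deliberate gaps, and the `enable secret` hash is a placeholder. One caveat is built in: once `aaa new-model` is enabled, a line that uses the default method list shows no `login` command at all, so the audit only looks for `login local` when AAA is off.

```python
from typing import Dict, List, Tuple

# Constructed sample running-config (not captured from the CORP router).
HARDENED_CONFIG = """\
service timestamps log datetime msec
service password-encryption
!
hostname CORP
!
security passwords min-length 10
enable secret 5 $1$placeholder$hashvalue
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
ip domain-name theccnas.com
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
interface Serial0/0/0
 ip address 209.165.200.226 255.255.255.252
 no cdp enable
!
logging host 172.16.25.2
ntp server 172.16.25.2
!
line con 0
 exec-timeout 20 0
line vty 0 4
 access-class 12 in
 exec-timeout 20 0
 transport input ssh
line vty 5 15
 access-class 12 in
 exec-timeout 20 0
 transport input ssh
"""

# Constructed non-compliant variant: no minimum password length, CDP left on
# towards the Internet, and the upper vty lines still accept telnet.
WEAK_CONFIG = (HARDENED_CONFIG
               .replace("security passwords min-length 10\n", "")
               .replace(" no cdp enable\n", "")
               .replace("line vty 5 15\n access-class 12 in\n exec-timeout 20 0\n transport input ssh\n",
                        "line vty 5 15\n access-class 12 in\n exec-timeout 20 0\n transport input all\n"))

# Global commands required by Steps 1 and 2 (matched as prefixes so hashed secrets pass).
REQUIRED_GLOBAL = [
    "security passwords min-length 10",
    "enable secret",
    "service password-encryption",
    "service timestamps log datetime msec",
    "aaa new-model",
    "aaa authentication login default local",
    "ip ssh version 2",
    "ip ssh time-out 90",
    "ip ssh authentication-retries 2",
    "logging host 172.16.25.2",
    "ntp server 172.16.25.2",
]


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into top-level commands and indented line/interface sections."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("line ", "interface ")):
            current = line
            sections[current] = []
        else:
            current = None
            top.append(line)
    return top, sections


def audit(config: str) -> List[str]:
    """Return the list of unmet requirements; empty means the config meets Steps 1, 2 and 5a."""
    top, sections = parse_sections(config)
    findings = []
    for prefix in REQUIRED_GLOBAL:
        if not any(cmd.startswith(prefix) for cmd in top):
            findings.append(f"missing global: {prefix}")
    aaa = "aaa new-model" in top
    for name in ("line con 0", "line vty 0 4", "line vty 5 15"):
        cmds = sections.get(name)
        if cmds is None:
            findings.append(f"missing section: {name}")
            continue
        if "exec-timeout 20 0" not in cmds:
            findings.append(f"{name}: exec-timeout 20 0 not set")
        if not aaa and "login local" not in cmds:      # see caveat in the lead-in
            findings.append(f"{name}: login local not set")
        if name.startswith("line vty"):
            if "transport input ssh" not in cmds:
                findings.append(f"{name}: transport input ssh not set")
            if "access-class 12 in" not in cmds:
                findings.append(f"{name}: access-class 12 in not set")
    if "no cdp enable" not in sections.get("interface Serial0/0/0", []):
        findings.append("interface Serial0/0/0: no cdp enable not set")
    return findings


if __name__ == "__main__":
    print("hardened:", audit(HARDENED_CONFIG) or "all requirements met")
    print("weak:", audit(WEAK_CONFIG))
```

Feed it the text of `show running-config` from the router (for example by pasting it into a file and passing the file's contents to `audit`); anything it prints is a step that was skipped or did not survive a reload because the configuration was never saved.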