
Uploaded by kartik-iyer, 06-Mar-2015

Description: The Most Advanced CCNA Security v3 LAB Manual by ACIT India

Page 1: CCNA Security V3 Workbook Demo

Rohit Pardasani CCIE # 21282

Copyrights ACIT Education Pvt Ltd 2010-2011 Website: http://www.acit.in; Email: [email protected]

Author- Rohit Pardasani

Triple CCIE # 21282

(R/S , SP and Security)

CCNA Security V3

Lab Guide


A Note from the Author

I would like to take this opportunity to thank you for participating in the CCNA Security training from ACIT Education Pvt Ltd. I have based the book pattern on the CCNA Security Blueprint. It is broken down into 5 modules. There are in total 66 lab exercises. These labs give you the foundation to attempt the CCNA Security exam. This book also contains a complete solution video in which I have configured and explained each topic in detail.

Rohit Pardasani

CCIE # 21282 ( R/S, SP, Security)

[email protected]


ACIT Bootcamps

• Instructed by a well-known Triple CCIE instructor.
• 5 days of intense CCNA Security® training.
• Covers all the topics listed in the CCNA® Security Blueprint.
• Each topic will be discussed in the classroom environment by our expert instructor.
• A mock test will be conducted and graded on the last day to analyze your knowledge and readiness.
• Includes our CCNA® Security Lab Guide for free.
• Access to our expert instructor staff after the CCNA® Security Bootcamp.
• For a group of eight or more, we can bring this bootcamp to your office anywhere in the world.
• Excellent retake policy, which allows you to retake this course for free for up to one year, as long as a seat is available in the class.
• Compliant with the latest CCNA Security changes announced by Cisco Systems.

For International Customers

ACIT is offering attractive and convenient travel packages for customers traveling from around the world to attend our training programs. ACIT will assign a dedicated account manager to work with our delegates' travel needs. A single point of contact will make your travel and learning experience unique and easy. Please check our online schedule and contact us for any training requirements in international locations.

Disclaimer: CCNA®, Cisco® IOS®, Cisco® Systems, the Cisco® logo, and Networking Academy are registered trademarks or trademarks of Cisco Systems Inc.


Table of Contents

Module 1: Basic Router Configuration; Control Administrative Access for Routers; Configure Administrative Roles; Create Banners on Routers; Configure SSH Access; Create Various Privileges; SDM Access.

Module 2: RIP Authentication; NTP; Syslog; ACS with TACACS+ and RADIUS Authentication using CLI and SDM.

Module 3: EIGRP Authentication; CBAC; Zone-Based Firewall using SDM; IOS IPS.

Module 4: Site-to-Site VPN using CLI; Site-to-Site VPN using SDM; Easy VPN Server using CLI; Easy VPN Server using SDM.

Module 5: Port-Security; Storm-Control; SPAN; One-Step Lockdown.


CCNA Security Lab Guide

Module 1:

Objective

1.1 Assign Router1 a hostname of R1

Solution:

R1

Router>enable

Router#config terminal

Router(config)#hostname R1


R1(config)#

1.2 Configure an IP address on R1 interface Serial0/0 of 12.0.0.1/24. Verify whether a clock rate is required.

Solution:

R1# conf terminal

R1(config)#interface Serial0/0

R1(config-if)#ip add 12.0.0.1 255.255.255.0

R1(config-if)#no shut

R1(config-if)#exit

R1(config)#exit

R1#show controllers serial0/0

Interface Serial0/0

Hardware is PowerQUICC MPC860

DTE V.35 clocks stopped.

(Since it is DTE, no clock rate is required.)

1.3 Configure Router2 with a hostname R2

Solution:

R2

Router>enable

Router#Config Terminal


Router(config)#hostname R2

R2(config)#

1.4 Configure an IP address on R2 interface Serial0/0 of 12.0.0.2/24

Solution:

R2(config)#interface Serial0/0

R2(config-if)#ip add 12.0.0.2 255.255.255.0

R2(config-if)#no shut

R2(config-if)#exit

R2(config)#exit

1.5 Configure R2 Serial0/0 with clock rate 64000, as R2 is the DCE. Verify before adding it with the command show controllers serial0/0 on R2.

Solution:

R2#show controllers serial0/0

Interface Serial0/0

Hardware is PowerQUICC MPC860

DCE V.35, no clock

(Since it is DCE, a clock rate is required.)

R2#config terminal

R2(config)#interface serial0/0

R2(config-if)#clock rate 64000


R2(config-if)#exit

R2(config)#exit

1.6 Save both R1 and R2 by issuing the wr command in privileged mode.

Solution:

R1# wr

R2#wr

1.7 Configure enable password cisco on both routers

Solution:

R1#conf t

R1(config)# enable password cisco

R1(config)#exit

R1#exit

R2#conf t

R2(config)# enable password cisco

R2(config)#exit

R2#exit

1.8 Verify where it is used.

Solution:

R1>enable

Here it will ask you for the password which you have set using the enable password command.

R1#

R2>enable

Here it will ask you for the password which you have set using the enable password command.

R2#

1.9 Configure enable secret acitedu on both routers

Solution:

Now set the enable secret password on R1

R1#config terminal

R1(config)#enable secret acitedu

R1(config)#exit

R1#exit

Now set the enable secret password on R2

R2#config terminal

R2(config)#enable secret acitedu

R2(config)#exit

R2#exit

1.10 Verify where it is used and which one takes preference.

Solution:

R1>enable

Here it will ask you for the password which you have set using the enable secret command. Enable secret takes preference over enable password.

Try cisco as the password: it will not work.

Now try putting acitedu as the password. It works.

R1#

Now try the same on R2

R2>enable

Here it will ask you for the password which you have set using the enable secret command. Enable secret takes preference over enable password.

Try cisco as the password: it will not work.

Now try putting acitedu as the password. It works.

R2#

1.11 Change the minimum password length to 10 characters on R1.

Solution:

R1#config terminal

R1(config)#security password min-length 10

R1(config)#exit

R1#

1.12 Verify it by changing the enable password to cisco12345 and the enable secret to acitedu123 on R1.

Solution:

R1#config terminal


R1(config)#enable secret acitedu

It will not work, as the password length is less than 10.

R1(config)#enable password cisco

It will not work, as the password length is less than 10.

Now set the enable secret to acitedu123 and the enable password to cisco12345.

R1(config)#enable password cisco12345

R1(config)#enable secret acitedu123

R1(config)#exit

R1#

1.13 Configure R1 with the line console password console123 and the line vty password vty1234567

Solution:

This task solution is given together with task 1.14

1.14 Verify where the line console and line vty passwords are used

Solution:

R1#config terminal

R1(config)#line con 0

R1(config-line)#password console123

R1(config-line)#exit

R1(config)#exit

R1#exit

It will directly reach unprivileged mode. It will not ask for a password, as you have not given login under line con 0.

Now put login under line con 0

R1#config terminal

R1(config)#line con 0

R1(config-line)#login

R1(config-line)#exit

R1(config)#exit

R1#exit

Now it will ask you the console password.

Now configure vty.

R1#config terminal

R1(config)#line vty 0 4

R1(config-line)#password vty1234567

R1(config-line)#exit

R1(config)#exit

R1#exit

Telnet from R2 to R1. It will ask for the password. Give vty1234567. It will work without you configuring login under line vty 0 4, as that is the default.

1.15 Ensure that all passwords on R1 are stored in encrypted form.

Solution:

R1# sh run

All passwords will be seen in clear text.

R1#config terminal

R1(config)#service password-encryption

R1(config)#exit

R1#sh run

Now you will see all passwords in encrypted format.

1.16 Create a username rohit password acit123456 on R1

Solution:

R1#config terminal

R1(config)#username rohit password acit123456

1.17 Ensure that console and telnet connections on R1 now ask for a username and password.

Solution:

R1#config terminal

R1(config)# line vty 0 4

R1(config-line)#login local

R1(config-line)#exit

R1(config)# line con 0

R1(config-line)#login local

R1(config-line)#exit

R1(config)#exit

R1#exit


It will now ask you for username and password.

Telnet from R2 to R1. It will ask you for username and password.

1.18 Block telnet attempts on R1 for 2 minutes if authentication fails 2 times within 1 minute. Log successful and unsuccessful attempts.

Solution:

R1#config terminal

R1(config)# login block-for 120 attempts 2 within 60

R1(config)#login on-failure log

R1(config)#login on-success log

R1(config)#exit

R1#

Now telnet from R2 and give the correct username and password. You will see a log on R1. Now telnet from R2 to R1 again and give a wrong username and password twice. You will now be blocked for 2 minutes and a log will also appear. You can verify the blocking by telnetting from R2 to R1 again.

Once you are blocked, no one can telnet to R1; even the administrator will be blocked. We can therefore exempt the administrator's IP from the blocking by issuing the commands below.

R1(config)#login quiet-mode access-class 101

R1(config)#access-list 101 permit ip host 1.1.1.1 any

You can verify this by creating a loopback on R1 with IP 1.1.1.1/32 and telnetting from R1 to R1, using the loopback as the source, after R2 has been blocked:

R1# telnet 12.0.0.1 /source-interface loopback0
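The lockout behaviour this task configures, as an added Python model that is not part of the original workbook or Cisco's code: a failure counter with the 60-second window, the 120-second quiet mode, and the access-class exemption for the administrator's loopback. Addresses, users and timestamps are constructed; the log message names follow the IOS %SEC_LOGIN facility but their fields are simplified.

```python
"""Model of the lockout configured in task 1.18 (login block-for 120 attempts 2
within 60, login on-failure/on-success log, login quiet-mode access-class 101).
Added example for this workbook, not Cisco code; addresses, users and
timestamps are constructed, log message fields are simplified."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class LoginGuard:
    block_for: int = 120                      # seconds to stay in quiet mode
    attempts: int = 2                         # failures that trigger quiet mode ...
    within: int = 60                          # ... when they fall inside this window
    quiet_acl: Set[str] = field(default_factory=set)   # hosts permitted by access-list 101
    failures: List[int] = field(default_factory=list)  # timestamps of recent failures
    quiet_until: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def in_quiet_mode(self, now: int) -> bool:
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now: int, src: str, user: str, password_ok: bool) -> str:
        """One login attempt at time `now` (seconds) from host `src`.
        Returns 'accepted', 'rejected' or 'blocked'."""
        if self.in_quiet_mode(now) and src not in self.quiet_acl:
            # Quiet mode refuses the connection before any credential check,
            # so a correct password does not help here; only ACL-permitted
            # hosts (the administrator's loopback in the lab) get through.
            self.log.append(f"{now:4d} connection from {src} dropped (quiet mode)")
            return "blocked"
        if password_ok:
            self.log.append(f"{now:4d} %SEC_LOGIN-5-LOGIN_SUCCESS user={user} src={src}")
            return "accepted"
        self.log.append(f"{now:4d} %SEC_LOGIN-4-LOGIN_FAILED user={user} src={src}")
        # Count only failures that fall inside the 'within' window.
        self.failures = [t for t in self.failures if now - t < self.within] + [now]
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures = []
            self.log.append(f"{now:4d} %SEC_LOGIN-1-QUIET_MODE_ON for {self.block_for}s")
        return "rejected"


def lab_walkthrough():
    """Replays the verification steps of task 1.18. R2 (12.0.0.2) telnets to R1;
    access-list 101 permits host 1.1.1.1, R1's own loopback."""
    guard = LoginGuard(quiet_acl={"1.1.1.1"})
    results = [
        guard.attempt(0, "12.0.0.2", "rohit", True),     # correct login: logged, accepted
        guard.attempt(10, "12.0.0.2", "rohit", False),   # first wrong password
        guard.attempt(20, "12.0.0.2", "rohit", False),   # second within 60 s: quiet mode on
        guard.attempt(30, "12.0.0.2", "rohit", True),    # right password, still dropped
        guard.attempt(40, "1.1.1.1", "rohit", True),     # admin exempt via quiet-mode ACL
        guard.attempt(141, "12.0.0.2", "rohit", True),   # 120 s later: service restored
    ]
    return results, guard.log


if __name__ == "__main__":
    outcome, log = lab_walkthrough()
    print(outcome)
    print("\n".join(log))
```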

1.19 Set the inactivity timeout to 1 minute 10 seconds on the console and vty lines.

Solution:

R1#config terminal

R1(config)#line con 0

R1(config-line)#exec-timeout 1 10

R1(config-line)#exit

R1(config)#line vty 0 4

R1(config-line)#exec-timeout 1 10

R1(config-line)#exit

R1(config)#exit

R1#

Telnet from R2 to R1 and log in with the correct username and password. Wait 1 minute 10 seconds; you will be logged out for being idle.

1.20 Create a username ccnasec with password ccnasec123 and privilege 3.

Solution:

R1#config terminal

R1(config)#username ccnasec privilege 3 password ccnasec123

1.21 Assign privilege level 3 the permission to issue show run. Assign privilege level 3 the permission to enter configure terminal, to enter an interface, and to shut and no shut the interface. Also give privilege level 3 permission to add and remove static routes.

Solution:

R1(config)#privilege interface level 3 shutdown

R1(config)#privilege interface level 3 no shutdown

R1(config)#privilege configure level 3 ip route

R1(config)#privilege configure level 3 interface

R1(config)#privilege configure level 3 no ip route

R1(config)#privilege exec level 3 configure terminal

R1(config)#privilege exec level 3 show ip route

Now telnet from R2 to R1 and log in with username ccnasec and password ccnasec123. Check if you can do show ip route.

When you type show ?, you will also see other show commands. This is because level 3 inherits the basic privileges of levels 0 and 1.

Check if you can go to configure terminal.

Check if you can add and remove a static route with the commands

ip route 1.1.1.1 255.255.255.255 serial0/0

no ip route 1.1.1.1 255.255.255.255 serial0/0

Check by going to int fa0/0.

Check by shutting interface fa0/0 and then doing no shut.

You will see that under int fa0/0 there is no ip address command. This is because we did not give permission for ip address.


1.22 Create username ccie with password ccie123456 and assign it to a role called MYVIEW. This user should only have rights to do show ip route and show ip int brief.

Solution:

R1#config terminal

R1(config)#aaa new-model

R1(config)#aaa authentication login default local

R1(config)#username ccie view MYVIEW password ccie123456

Now create a view called MYVIEW

R1(config)#exit

R1#enable view

It will ask you for a password. Enter acitedu, which is your enable secret password.

R1#config terminal

R1(config)#parser view MYVIEW

R1(config-view)#secret view123

R1(config-view)#commands exec include show ip route

R1(config-view)#commands exec include show ip int brief

R1(config-view)#exit

R1(config)#exit

R1#wr

Now telnet from R2 to R1. It will ask you for a username and password. Enter username ccie and password ccie123456. Once you log on you will reach unprivileged mode. Since this user does not know the enable password, which the administrator will not give him, he will log on with the enable view MYVIEW command given below.

R1>enable view MYVIEW

Enter the password of the view, which is view123. Now you will only be able to use two commands: show ip route and show ip int brief.

1.23 Create an MOTD banner “Welcome to MOTD” and an exec banner “Welcome to exec”. Verify both banners.

Solution:

R1#conf terminal

R1(config)#banner motd $ Welcome to MOTD $

R1(config)#banner exec $ Welcome to exec $

R1(config)#exit

R1#

Now telnet from R2 to R1. You will see the MOTD banner. After you log in with username and password you will see the EXEC banner.

1.24 Prepare the router for SDM access. Verify if SDM opens.

Solution:

R1#config terminal

R1(config)#ip http server

R1(config)#ip http secure-server (if you want to access the router via HTTPS)

R1(config)#ip http authentication local


(Since aaa new-model was enabled earlier)

To verify, give IP 10.0.0.1/24 to R1 interface fa0/0.

Now connect a PC to R1 fa0/0 and give the PC the IP 10.0.0.110/24 with gateway 10.0.0.1.

Open Internet Explorer and type http://10.0.0.1

SDM will prompt you for credentials; give username rohit and password acit123456.

It will not work, as HTTP access requires privilege level 15.

Now assign username rohit privilege 15.

R1(config)#username rohit privilege 15 password acit123456

Now open Internet Explorer and type http://10.0.0.1 again.

It will work.

1.25 Configure R2 for SSH access. Create username cisco with password cisco12345. Use the domain name “acit.in” and configure the RSA keys with 1024 modulus bits. Verify by doing ssh from R1.

Solution:

R2#config terminal

R2(config)#username cisco password cisco12345

R2(config)#ip domain-name acit.in

R2(config)#crypto key generate rsa general-keys modulus 1024

R2(config)#line vty 0 4

R2(config-line)#login local

R2(config-line)#exit


R2(config)#

Now do ssh from R1 to R2 using the following command.

R1#ssh -l cisco 12.0.0.2

Put the password as cisco12345 and it will work.


Module 2:

Objective

2.1 Erase all routers before you start your lab.

Solution:

R1#erase startup-config

R1#reload

R2#erase startup-config

R2#reload

R3#erase startup-config

R3#reload


2.2 Configure R1 with hostname R1. Configure interface FastEthernet0/0 with IP address 10.0.0.1/24 and Serial0/0 with IP address 12.0.0.1/24.

Solution:

R1

Router>en

Router#config t

Router(config)#hostname R1

R1(config)#interface fa0/0

R1(config-if)#ip add 10.0.0.1 255.255.255.0

R1(config-if)#no shutdown

R1(config)#interface serial 0/0

R1(config-if)#ip address 12.0.0.1 255.255.255.0

R1(config-if)#no shutdown

2.3 Configure R2 with hostname R2. Configure interface Serial0/0 with IP address 12.0.0.2/24 and make this interface DCE. Configure interface Serial0/1 with IP address 23.0.0.2/24 and make this interface DCE.

Solution:

R2:

Router>en

Router#config t


Router(config)#hostname R2

R2(config)#interface serial 0/0

R2(config-if)#ip address 12.0.0.2 255.255.255.0

R2(config-if)#clock rate 64000

R2(config-if)#no shutdown

R2(config)#interface serial 0/1

R2(config-if)#ip address 23.0.0.2 255.255.255.0

R2(config-if)#clock rate 64000

R2(config-if)#no shutdown

2.4 Configure R3 with hostname R3. Configure interface Loopback0 with IP address 3.3.3.3/32 and Serial0/0 with IP address 23.0.0.3/24.

Solution:

R3:

Router>en

Router#config t

Router(config)#hostname R3

R3(config)#interface loop 0

R3(config-if)#ip address 3.3.3.3 255.255.255.255

R3(config)#interface serial 0/0

R3(config-if)#ip address 23.0.0.3 255.255.255.0

R3(config-if)#no shutdown


2.5 Configure RIPv2 as the routing protocol on all routers and configure authentication between R1 and R2 using the strongest possible method, with password ACIT and key id 1. Configure authentication between R2 and R3 using clear text, with password ROHIT. Make sure you are able to ping from R1 to R3.

Solution:

R1(config)#router rip

R1(config-router)#version 2

R1(config-router)#no auto-summary

R1(config-router)#network 12.0.0.0

R1(config-router)#network 10.0.0.0

R1(config-router)#exit

R1(config)#key chain RIP12

R1(config-keychain)#key 1

R1(config-keychain-key)#key-string ACIT

R1(config-keychain-key)#exit

R1(config-keychain)#exit

R1(config)#int se0/0

R1(config-if)#ip rip authentication mode md5

R1(config-if)#ip rip authentication key-chain RIP12

R1(config-if)#exit

R1(config)#exit

R1#wr


Now Configure R2.

R2(config)#router rip

R2(config-router)#version 2

R2(config-router)#no auto-summary

R2(config-router)#network 12.0.0.0

R2(config-router)#network 23.0.0.0

R2(config-router)#exit

R2(config)#key chain RIP12

R2(config-keychain)#key 1

R2(config-keychain-key)#key-string ACIT

R2(config-keychain-key)#exit

R2(config)#key chain RIP23

R2(config-keychain)#key 1

R2(config-keychain-key)#key-string ROHIT

R2(config-keychain-key)#exit

R2(config-keychain)#exit

R2(config)#int se0/0

R2(config-if)#ip rip authentication mode md5

R2(config-if)#ip rip authentication key-chain RIP12

R2(config)#int se0/1

R2(config-if)#ip rip authentication mode text

R2(config-if)#ip rip authentication key-chain RIP23

R2(config-if)#exit

R2(config)#exit


R2#wr

Now configure R3.

R3(config)#router rip

R3(config-router)#version 2

R3(config-router)#no auto-summary

R3(config-router)#network 23.0.0.0

R3(config-router)#network 3.0.0.0

R3(config-router)#exit

R3(config)#key chain RIP23

R3(config-keychain)#key 1

R3(config-keychain-key)#key-string ROHIT

R3(config-keychain-key)#exit

R3(config-keychain)#exit

R3(config)#int se0/0

R3(config-if)#ip rip authentication mode text

R3(config-if)#ip rip authentication key-chain RIP23

R3(config-if)#exit

R3(config)#exit

R3#wr

To verify that the RIP routes have come in properly, issue show ip route. Make sure the key in the key chain is correctly configured; issue show key chain to verify the password.
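What the two authentication modes in this task actually put on the wire, as an added Python example that is not part of the original workbook or of Cisco's code: the packet layout follows RFC 2453 for clear text and RFC 2082 for keyed MD5, so a receiver holding key chain RIP12 can reject a modified route, a packet signed with R3's key, or a replayed sequence number, while the clear-text password is simply readable. The key strings ACIT and ROHIT come from the lab; the advertised route and sequence numbers are constructed, and vendor-specific quirks are not modelled.

```python
"""RIPv2 authentication as configured in task 2.5, built and checked in pure
Python so the difference between 'mode text' and 'mode md5' is visible on the
wire. Added example for this workbook, not Cisco code: the layout follows
RFC 2453 (clear text) and RFC 2082 (keyed MD5); vendor quirks are not modelled.
Key strings ACIT / ROHIT come from the lab, route and sequence are constructed."""
import hashlib
import ipaddress
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AUTH_AFI = 0xFFFF                 # address family that marks an authentication entry
AUTH_TEXT, AUTH_MD5, TRAILER = 1, 3, 1
MD5_LEN = 16


def _rte(prefix: str, next_hop: str, metric: int) -> bytes:
    """One 20-byte RIPv2 route entry: AFI=2, tag 0, network, mask, next hop, metric."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def _pad_key(key: str) -> bytes:
    """The key string is truncated or zero-padded to 16 bytes (RFC 2082 4.2)."""
    return key.encode()[:MD5_LEN].ljust(MD5_LEN, b"\x00")


def build_text(routes, key: str) -> bytes:
    """'ip rip authentication mode text': the password itself rides in the
    first entry, readable by anyone on the segment and protecting nothing."""
    hdr = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", AUTH_AFI, AUTH_TEXT, _pad_key(key))
    return hdr + auth + b"".join(_rte(*r) for r in routes)


def build_md5(routes, key_id: int, key: str, seq: int) -> bytes:
    """'ip rip authentication mode md5' using key chain entry `key_id`."""
    hdr = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(_rte(*r) for r in routes)
    pkt_len = 4 + 20 + len(body)                      # offset of the trailer
    auth_hdr = struct.pack("!HHHBBI8s", AUTH_AFI, AUTH_MD5, pkt_len,
                           key_id, MD5_LEN, seq, b"\x00" * 8)
    trailer = struct.pack("!HH", AUTH_AFI, TRAILER)
    # Digest = MD5(header || auth header || routes || trailer header || padded key);
    # the key never leaves the router, only the 16-byte digest does.
    digest = hashlib.md5(hdr + auth_hdr + body + trailer + _pad_key(key)).digest()
    return hdr + auth_hdr + body + trailer + digest


def verify_md5(pkt: bytes, keychain: dict, last_seq: int = -1):
    """Receiver side: pick the key by id, enforce a non-decreasing sequence
    number and recompute the digest. Returns (accepted, reason)."""
    if len(pkt) < 24 or pkt[4:8] != struct.pack("!HH", AUTH_AFI, AUTH_MD5):
        return False, "no keyed-md5 authentication header"
    pkt_len, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[8:16])
    if key_id not in keychain:
        return False, f"unknown key id {key_id}"
    if auth_len != MD5_LEN or len(pkt) != pkt_len + 4 + MD5_LEN:
        return False, "bad length"
    if seq < last_seq:
        return False, "replayed sequence number"
    expected = hashlib.md5(pkt[:pkt_len + 4] + _pad_key(keychain[key_id])).digest()
    if expected != pkt[pkt_len + 4:]:
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """R1 advertises 10.0.0.0/24 to R2; R2 holds key chain RIP12 (key 1 = ACIT)."""
    routes = [("10.0.0.0/24", "0.0.0.0", 1)]
    keychain = {1: "ACIT"}
    good = build_md5(routes, 1, "ACIT", seq=100)
    # A modified metric (last 4 bytes of the first route entry) must be detected.
    rte = 4 + 20
    tampered = good[:rte + 16] + struct.pack("!I", 16) + good[rte + 20:]
    return {
        "good": verify_md5(good, keychain),
        "tampered": verify_md5(tampered, keychain),
        "wrong_key": verify_md5(build_md5(routes, 1, "ROHIT", seq=101), keychain),
        "replay": verify_md5(good, keychain, last_seq=200),
        # With 'mode text' the password sits in bytes 8..23 of every update.
        "text_password": build_text(routes, "ROHIT")[8:24].rstrip(b"\x00").decode(),
    }
```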

2.6 Configure R2 as the NTP server with stratum value 2 and configure NTP authentication with password CISCO. Configure R1 from the command line as an NTP client of R2, and configure R3 as an NTP client of R2 using SDM. Change the clock time on R2 to today's date and time. Verify that the clients have synchronized.

Solution:

R1(config)#ntp authenticate

R1(config)#ntp authentication-key 1 md5 CISCO

R1(config)#ntp trusted-key 1

R1(config)#ntp server 12.0.0.2 key 1

R2#configure terminal

R2(config)#ntp master 2

R2(config)#ntp authentication-key 1 md5 CISCO

R3#config terminal

R3(config)#ip http server

Access R3 via SDM.

Once SDM starts, go to Additional Tasks.

Open Router Properties and then NTP.

Click on Add.

Choose the NTP server IP address as 23.0.0.2.

Click on Authentication Key.

Key number: 1

Key value: CISCO

Click on OK.

Click on the Save tab at the top.


Verify on R3 with show run that the NTP configuration is present.

Now verify on R1 that the time has synchronized with R2 by giving show ntp associations detail. You will get the following output:

R1#sh ntp associations detail

12.0.0.2 configured, authenticated, our_master, sane, valid, stratum 2

ref ID 127.127.7.1, time D12123E6.20435B6D (21:53:42.126 Tue Mar 8 2011)

our mode client, peer mode server, our poll intvl 64, peer poll intvl 64

root delay 0.00 msec, root disp 0.03, reach 377, sync dist 14.618

delay 28.96 msec, offset 1.5571 msec, dispersion 0.11

precision 2**18, version 3

org time D12123E7.BED7556D (21:53:43.745 UTC Tue Mar 8 2011)

rcv time D12123E7.C226B1B9 (21:53:43.758 UTC Tue Mar 8 2011)

xmt time D12123E7.BAA98CDE (21:53:43.729 UTC Tue Mar 8 2011)

filtdelay = 28.96 29.19 28.92 28.95 29.02 30.36 28.96 28.98

filtoffset = 1.56 1.68 1.55 1.62 1.69 0.76 1.53 1.52

filterror = 0.02 0.99 1.97 2.94 3.92 4.90 5.87 6.85

This shows that R1 is authenticating R2, that it has synchronized, and that the association is valid.

Now check R3 the same way.

2.7 Install the Kiwi application on PC1, give PC1 the IP 10.0.0.110/24 with gateway 10.0.0.1, and configure R1 using the CLI to send all informational syslog messages to the Kiwi syslog server. Configure R2 using SDM to send all informational syslog messages to the Kiwi syslog server. Verify in the Kiwi syslog server that they have arrived.


Solution:

Install Kiwi software on your PC. Now configure R1 via CLI.

R1#config Terminal

R1(config)#logging host 10.0.0.110

R1(config)#logging trap informational

Now configure syslog on R2 via SDM.

Connect to R2 via SDM.

Go to Additional Tasks.

Click on Router Properties.

Click on Logging.

Click on Edit.

Enable the Logging Level checkbox and choose the level as informational.

Click on Add and type the IP address of the Kiwi server, which is 10.0.0.110.

Disable the Logging Buffered checkbox, click on OK and Apply, and then click on the Save button at the top.

Now verify that the logs are arriving by going to R1 and R2 and doing shut and no shut on int fa0/1.

You will now see logs coming to KIWI syslog server.

2.8 Install the ACS server on PC1. Configure R1 with username rohit and password acit in the local user database. Configure a username user1 with password user1 on the ACS server. Configure R1 to ask for authentication whenever you connect to the console. This authentication should first use TACACS+ and, if the TACACS+ server fails, fall back to the local database. Use the CLI method to achieve this task.

Solution:

Install ACS on your PC

R1#config terminal

R1(config)#username rohit password acit

Now create an account on ACS server.

Open ACS and click on User Setup

Type the username as user1 and click on Add/Edit

Enter the password as user1 and click on Submit

R1(config)#aaa new-model

R1(config)#aaa authentication login default group tacacs+ local

R1(config)#tacacs-server host 10.0.0.110 key cisco

Now add R1 as a client on ACS server.

Click on Network Configuration Tab

Choose AAA server name as ACS123

Choose AAA Server ip address as 10.0.0.110

Type key as cisco

Choose AAA server type as CiscoSecure ACS

Click on Submit and Apply.

Now click on ADD entry on AAA clients Column

Choose AAA client hostname as R1

Choose AAA client ip address as 10.0.0.1


Choose the shared secret as cisco

Choose Authenticate using Tacacs+ (Cisco IOS)

Click on Submit and Apply

Now verify.

R1(config)#exit

R1#exit

Here it will ask for username and password.

Try with username rohit and password as acit.

It will not work, as the TACACS+ server is reachable and takes preference over the local database. Now try with username user1 and password user1. It will work.

Now shut interface fa0/0 of R1 so that the TACACS+ server becomes unreachable. Now try again.

This time username user1 will not work, as the TACACS+ server is unreachable, but username rohit with password acit will work.

Now bring interface fa0/0 on R1 back up before going to the next lab.

2.9 Configure R1 in such a way that it uses TACACS+ for authentication whenever anyone remotely accesses R1. If TACACS+ fails it should use the line password for authentication. Use the CLI method to achieve this task.

Solution:

R1#config terminal

R1(config)#aaa authentication login REMOTE group tacacs+ line

R1(config)#line vty 0 4


R1(config-line)#login authentication REMOTE

R1(config-line)#password cisco

R1(config-line)#exit

R1(config)#exit

R1#

Now Verify

R2#telnet 12.0.0.1

Here log in with username user1 and password user1.

You will be able to log on.

Now shut down int fa0/0 on R1 so that the TACACS+ server is unreachable.

Now try again from R2.

This time it will not ask you for a username. It will just ask for the password. Put the password as cisco. It will work.

Now bring interface fa0/0 on R1 back up before going to the next lab.

2.10 Configure R3 in such a way that it uses RADIUS for authentication whenever anyone remotely accesses R3. If RADIUS fails it should use the enable password for authentication. Use the CLI method to achieve this task.

Solution:

R3(config)#aaa new-model

R3(config)#aaa authentication login default group radius enable

R3(config)#radius-server host 10.0.0.110 key cisco

R3(config)#enable secret cisco


Now add R3 as a client of the ACS server.

Now click on ADD entry on AAA clients Column

Choose AAA client hostname as R3

Choose AAA client ip address as 23.0.0.3

Choose the shared secret as cisco

Choose Authenticate using RADIUS (Cisco IOS/PIX 6.0)

Click on Submit and Apply

Now verify.

R2#telnet 23.0.0.3

Here log in with username user1 and password user1.

You will be able to log on.

Now shut down int fa0/0 on R1 so that the RADIUS server is unreachable.

Now try again from R2.

This time it will ask you for a username and password. Put any word as the username, as it does not matter, but put the password as the enable secret, which is cisco.

It will work.

Now bring interface fa0/0 on R1 back up before going to the next lab.

2.11 Ensure that R3 will not ask for any type of authentication for console access. Use the CLI method to achieve this task.

Solution:

Before you start this lab, log off from R3 and check whether you are asked to authenticate. You are asked to authenticate because the command aaa authentication login default group radius enable is applied to line console 0 automatically. You will see that it asks you for a username and password.

R3#config terminal

R3(config)#

R3(config)#aaa authentication login CON none

R3(config)#line console 0

R3(config-line)#login authentication CON

R3(config-line)#exit

R3(config)#exit

R3#

Now verify by logging out from R3

R3#exit

Here it does not ask for username but only enable secret password.

R3>
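The rule behind the "try with ..." verification steps in tasks 2.8 to 2.11, as an added Python model that is not part of the original workbook or of Cisco's code: a login method list falls through to the next method only when the current one cannot reach a verdict (server unreachable), never when the server answers and rejects the credentials. The user databases and passwords mirror the lab; the server is a constructed stand-in for ACS.

```python
"""Why tasks 2.8 to 2.11 verify the way they do: an IOS login method list such
as 'aaa authentication login default group tacacs+ local' moves to the next
method only when the current one returns ERROR (server unreachable), never
when it returns FAIL (credentials rejected). Added example for this workbook,
not Cisco code; databases and passwords mirror the lab, the server model is a
constructed stand-in for ACS."""
from enum import Enum


class Result(Enum):
    PASS = "pass"     # credentials accepted
    FAIL = "fail"     # verdict reached: credentials rejected, list stops here
    ERROR = "error"   # no verdict possible (server unreachable): try next method


class Router:
    def __init__(self):
        self.acs_users = {"user1": "user1"}      # account created on ACS (10.0.0.110)
        self.acs_reachable = True                # False once fa0/0 on R1 is shut
        self.local_users = {"rohit": "acit"}     # 'username rohit password acit'
        self.line_password = "cisco"             # 'line vty 0 4' / 'password cisco'
        self.enable_secret = "cisco"             # 'enable secret cisco'

    # One function per method keyword; all share the (user, password) signature.
    def _server(self, user, pw):                  # group tacacs+ / group radius
        if not self.acs_reachable:
            return Result.ERROR
        return Result.PASS if self.acs_users.get(user) == pw else Result.FAIL

    def _local(self, user, pw):
        return Result.PASS if self.local_users.get(user) == pw else Result.FAIL

    def _line(self, user, pw):                    # no username prompt, line password only
        return Result.PASS if pw == self.line_password else Result.FAIL

    def _enable(self, user, pw):                  # username prompted but ignored
        return Result.PASS if pw == self.enable_secret else Result.FAIL

    def _none(self, user, pw):
        return Result.PASS

    METHODS = {"group tacacs+": "_server", "group radius": "_server",
               "local": "_local", "line": "_line", "enable": "_enable", "none": "_none"}

    def authenticate(self, method_list, user, pw):
        """Evaluate the methods left to right; returns (Result, deciding method)."""
        for name in method_list:
            verdict = getattr(self, self.METHODS[name])(user, pw)
            if verdict is Result.ERROR:
                continue                          # fall back only on ERROR
            return verdict, name
        return Result.FAIL, None                  # every method errored: deny


def lab_checks():
    """Reproduces the 'try with ...' steps of tasks 2.8, 2.9, 2.10 and 2.11."""
    r1 = Router()
    console = ["group tacacs+", "local"]          # 2.8: default list on R1
    remote = ["group tacacs+", "line"]            # 2.9: list REMOTE on the vty lines
    out = {
        "2.8 rohit, ACS up": r1.authenticate(console, "rohit", "acit"),
        "2.8 user1, ACS up": r1.authenticate(console, "user1", "user1"),
    }
    r1.acs_reachable = False                      # 'shut' on fa0/0
    out["2.8 user1, ACS down"] = r1.authenticate(console, "user1", "user1")
    out["2.8 rohit, ACS down"] = r1.authenticate(console, "rohit", "acit")
    out["2.9 line pw, ACS down"] = r1.authenticate(remote, "", "cisco")

    r3 = Router()
    r3.acs_reachable = False
    out["2.10 anyword/cisco, RADIUS down"] = r3.authenticate(
        ["group radius", "enable"], "anyword", "cisco")
    out["2.11 console none"] = r3.authenticate(["none"], "", "")
    return out


if __name__ == "__main__":
    for step, (verdict, method) in lab_checks().items():
        print(f"{step:36s} -> {verdict.value:5s} (decided by {method})")
```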

2.12 Configure R2 in such a way that it uses TACACS+ for authentication for any type of connection. Use SDM to achieve this task.

Solution:

Add R2 as a client on ACS server.

Click on Network Configuration Tab

Now click on ADD entry on AAA clients Column

Choose AAA client hostname as R2


Choose AAA client ip address as 12.0.0.2

Choose the shared secret as cisco

Choose Authenticate using Tacacs+ (Cisco IOS)

Click on Submit and Apply

Now log on R2 via SDM

Once SDM starts Go to Additional Tasks

Click on AAA

Click on Enable AAA

You will get an error message that you need a username with privilege 15. Create one on R2:

R2(config)#username ccnasec privilege 15 password ccnasec

Now try again via SDM by clicking on Enable AAA

It will add some commands automatically. This is a precaution so that you do not get locked out of the router.

Now Click on AAA servers under AAA tab and click on ADD

Choose Server type as Tacacs+

Put Server IP as 10.0.0.110

And Key as cisco

Now Click on login under Authentication Policies and click on Edit

Click on Add and Choose Group Tacacs+

Move tacacs+ up and local below it.

Now do ok.

Now verify by logging out of R2


R2#exit

Here it will ask for a username and password. Use username user1 and password user1.