CCNA Security - SBA

Introduction
In this Packet Tracer Skills Based Assessment, you will:

- configure basic device hardening and secure network management
- configure an ACL firewall to implement security policies
- configure devices to protect against STP attacks and to enable broadcast storm control
- configure port security and disable unused switch ports
- configure a site-to-site IPsec VPN

Addressing Table
| Device         | Interface | IP Address      | Subnet Mask     | Gateway    | DNS server    |
|----------------|-----------|-----------------|-----------------|------------|---------------|
| UMY            | S0/0/0    | 103.250.180.34  | 255.255.255.252 | n/a        | n/a           |
| UMY            | Fa0/0     | 1st IP Address  | 255.255.255.0   | n/a        | n/a           |
| UMY            | Fa0/1.10  | 1st IP Address  | 255.255.255.0   | n/a        | n/a           |
| UMY            | Fa0/1.20  | 1st IP Address  | 255.255.255.0   | n/a        | n/a           |
| UMY            | Fa0/1.77  | 1st IP Address  | 255.255.255.240 | n/a        | n/a           |
| Vokasi         | S0/0/0    | 118.30.180.18   | 255.255.255.252 | n/a        | n/a           |
| Vokasi         | Fa0/0     | 1st IP Address  | 255.255.255.0   | n/a        | n/a           |
| NTP/Syslog Svr | NIC       | 10.0.20.2       | 255.255.255.0   | 10.0.20.1  | 10.0.1.15     |
| UMY DNS Svr    | NIC       | 10.0.1.12       | 255.255.255.0   | 10.0.1.1   | 192.135.250.5 |
| UMY Web Svr    | NIC       | 10.0.1.11       | 255.255.255.0   | 10.0.1.1   | 10.0.1.12     |
| PC0            | NIC       | 10.0.10.15      | 255.255.255.0   | 10.0.10.1  | 10.0.1.12     |
| PC1            | NIC       | 10.0.10.100     | 255.255.255.0   | 10.0.10.1  | 10.0.1.12     |
| Net Admin      | NIC       | 10.0.20.5       | 255.255.255.0   | 10.0.20.1  | 10.0.1.12     |
| Admin PC       | NIC       | 10.10.30.5      | 255.255.255.0   | 10.10.30.1 | 192.135.250.5 |
| PCB1           | NIC       | 10.10.30.100    | 255.255.255.0   | 10.10.40.1 | 192.135.250.5 |

Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.

Step 1: Configure Basic Device Hardening for the UMY Router.


a. Configure the UMY router to only accept passwords with a minimum length of 11 characters.
b. Configure an encrypted privileged level password of Unggul-Islami.
c. Enable password encryption for all clear text passwords in the configuration file.

d. Configure the console port and all vty lines with the following requirements:
   - the username UMYADMIN and the secret password Security-123
   - use the local database for login
   - disconnect after being idle for 20 minutes

e. Disable the CDP protocol only on the link to the Internet router.
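The configuration that satisfies Step 1, added here as an illustration and not part of the assessment or its answer key. It assumes the Internet link is Serial0/0/0 (the UMY interface holding 103.250.180.34 in the Addressing Table) and that the router has the default five vty lines (0 to 4).

```cisco
! UMY router, Step 1 (entered from global configuration mode)
! a. reject any password shorter than 11 characters from here on
security passwords min-length 11
! b. privileged-mode secret: stored as a hash, unlike "enable password"
enable secret Unggul-Islami
! c. obfuscate the remaining clear-text passwords in the configuration file
!    (type 7 encoding: reversible, so it only protects against shoulder surfing)
service password-encryption
! d. local account used by console and vty; idle sessions dropped after 20 minutes
username UMYADMIN secret Security-123
line console 0
 login local
 exec-timeout 20 0
line vty 0 4
 login local
 exec-timeout 20 0
! e. CDP stays on internally; it is switched off only on the Internet link (Serial0/0/0,
!    assumption from the Addressing Table). "no cdp run" would disable it globally.
interface Serial0/0/0
 no cdp enable
! verify: show cdp interface   (Serial0/0/0 must be absent from the list)
```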

Step 2: Configure Secure Network Management for the UMY Router.


a. Enable the UMY router:
   - as an NTP client to the NTP/Syslog server
   - to update the router calendar (hardware clock) from the NTP time source
   - to timestamp log messages
   - to send logging messages to the NTP/Syslog server

b. Configure the UMY router to accept SSH connections. Use the following guidelines:
   - the username UMYAccess and the secret password UMYsshAccess
   - domain name is umy.ac.id
   - RSA encryption key pair using a modulus of 1024
   - SSH version 2, timeout of 60 seconds, and 3 authentication retries
   - all vty lines accept only SSH connections

c. Configure the UMY router with AAA authentication and verify its functionality:
   - AAA authentication using the local database as the default for console line and vty lines access
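Step 2 on the UMY router, as an added example rather than the assessment's own solution. It assumes the NTP/Syslog server is 10.0.20.2 (Addressing Table), that the hostname has already been changed from the default (RSA key generation refuses otherwise), and the default five vty lines.

```cisco
! UMY router, Step 2
! a. time and logging: NTP/Syslog Svr is 10.0.20.2 (Addressing Table, assumption)
ntp server 10.0.20.2
ntp update-calendar
service timestamps log datetime msec
logging host 10.0.20.2
! b. SSH: the RSA key is named after hostname.domain, so both must exist first
ip domain-name umy.ac.id
username UMYAccess secret UMYsshAccess
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 transport input ssh
! c. AAA: local database as the default login method. Once "aaa new-model" is on, the
!    default list governs console and vty, so the per-line "login local" from Step 1 is
!    superseded and no "login authentication" command is needed on the lines.
aaa new-model
aaa authentication login default local
! verify: show ntp status / show ip ssh / show logging
!         then open an SSH session as UMYAccess; telnet to the vty must be refused
```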

Step 3: Configure Device Hardening for Switches and Vokasi Router.


a. Access S-UMY Switch with username UMYADMIN, password Security-123, and the enable secret password of Unggul-Islami.
b. Enable storm control for broadcasts on FastEthernet 0/24 with a 50 percent rising suppression level.
c. Configure Switch1 to protect against STP attacks.

   - Configure PortFast on FastEthernet ports 0/1 to 0/23.
   - Enable BPDU guard on FastEthernet ports 0/1 to 0/23.

d. Configure port security and disable unused ports.
   - Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/23.
   - Allow the MAC address to be learned dynamically and shut down the port if a violation occurs.
   - Disable unused ports (Fa0/2-5, Fa0/7-10, Fa0/13-23).

e. Access S-DMZ Switch with username UMYADMIN, password Security-123, and the enable secret password of Unggul-Islami, and disable unused ports.
f. Access S-Vokasi Switch with username UMYADMIN, password Security-123, and the enable secret password of Unggul-Islami, and disable unused ports.
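Switch hardening for Step 3, an added example rather than the assessment's answer key. S-UMY is taken to be the Switch1 of item c; which ports are unused on S-DMZ and S-Vokasi is not stated in this document.

```cisco
! S-UMY switch (log in as UMYADMIN / Security-123, enable with Unggul-Islami)
! b. cap broadcast traffic on the uplink at 50% of bandwidth (rising threshold)
interface FastEthernet0/24
 storm-control broadcast level 50
! c. access ports go straight to forwarding, and a port that receives a BPDU
!    (a rogue switch or a host speaking STP) is err-disabled instead of joining the topology
interface range FastEthernet0/1 - 23
 spanning-tree portfast
 spanning-tree bpduguard enable
! d. port security on the same range: static access mode is required before
!    "switchport port-security" is accepted; addresses are learned dynamically
!    (the default, no "sticky"), at most 2 per port, and a third address shuts the port
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
! unused ports administratively down (comma-separated ranges are valid IOS syntax)
interface range FastEthernet0/2 - 5, FastEthernet0/7 - 10, FastEthernet0/13 - 23
 shutdown
! e./f. S-DMZ and S-Vokasi: the same "shutdown" on their unused ports (not listed here)
! verify: show port-security interface FastEthernet0/1
!         show spanning-tree interface FastEthernet0/1 portfast
!         show storm-control
```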

Step 4: Configure Address Translation on UMY and Vokasi Routers.


a. On the UMY router:
   - Create static NAT for UMY Web Svr and DMZ DNS Svr.
   - Create ACL 1 to handle the inside network of VLAN 10.
   - Create ACL 2 to handle the inside network of VLAN 20.
   - Bind ACL 1 to NAT-POOL-1 (103.250.180.17 to 103.250.180.18 with a netmask of 255.255.255.224) as dynamic NAT overload.
   - Bind ACL 1 to NAT-POOL-2 (103.250.180.19 to 103.250.180.20 with a netmask of 255.255.255.224) as dynamic NAT overload.

b. On the Vokasi router:
   - Create static NAT for AdminPC.
   - Create ACL 3 to handle the inside network of the lower half of the Vokasi LAN.
   - Bind ACL 3 to NAT-POOL-VKS (118.30.180.8 to 118.30.180.9 with a netmask of 255.255.255.240) as dynamic NAT overload.
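NAT for Step 4 on both routers, added as an example and not the assessment's own solution. Assumptions: VLAN 10 is 10.0.10.0/24 and VLAN 20 is 10.0.20.0/24 (from the Fa0/1.10 and Fa0/1.20 sub-interfaces and the PC gateways in the Addressing Table); the Vokasi LAN is 10.10.30.0/24, so its lower half is 10.10.30.0/25; the public addresses of the static translations are not given and appear as <...> placeholders; and the second dynamic binding uses ACL 2, since IOS keeps only one dynamic rule per access list.

```cisco
! ---------- UMY router (Step 4a) ----------
! static NAT for the DMZ servers; public addresses are placeholders (not in this document)
ip nat inside source static 10.0.1.11 <WEB-SVR-PUBLIC-IP>
ip nat inside source static 10.0.1.12 <DNS-SVR-PUBLIC-IP>
! inside networks (VLAN subnets are an assumption, see lead-in)
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 2 permit 10.0.20.0 0.0.0.255
ip nat pool NAT-POOL-1 103.250.180.17 103.250.180.18 netmask 255.255.255.224
ip nat pool NAT-POOL-2 103.250.180.19 103.250.180.20 netmask 255.255.255.224
ip nat inside source list 1 pool NAT-POOL-1 overload
! the step text names ACL 1 again for NAT-POOL-2; one list cannot drive two dynamic
! rules at once, so the VLAN 20 list (ACL 2) is bound here (assumption)
ip nat inside source list 2 pool NAT-POOL-2 overload
! inside/outside designation: nothing translates until both sides are marked
interface Serial0/0/0
 ip nat outside
interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1.10
 ip nat inside
interface FastEthernet0/1.20
 ip nat inside
!
! ---------- Vokasi router (Step 4b) ----------
ip nat inside source static 10.10.30.5 <ADMIN-PC-PUBLIC-IP>
! lower half of 10.10.30.0/24 = 10.10.30.0 - 10.10.30.127
access-list 3 permit 10.10.30.0 0.0.0.127
ip nat pool NAT-POOL-VKS 118.30.180.8 118.30.180.9 netmask 255.255.255.240
ip nat inside source list 3 pool NAT-POOL-VKS overload
interface Serial0/0/0
 ip nat outside
interface FastEthernet0/0
 ip nat inside
! verify: show ip nat translations / show ip nat statistics after browsing from a PC
```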

Step 5: Configure ACLs on the UMY Router to Implement the Security Policy.
a. Create ACL 13 to implement the security policy regarding access to the vty lines: only users connecting from Net Admin and Admin PC are allowed access to the vty lines.

b. Create, apply, and verify an extended named ACL (named DMZ-UMY-FW) to filter incoming traffic to the DMZ. The ACL should be created in the order specified in the following guidelines.
   1. HTTP traffic is allowed to UMY Web Svr.
   2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Svr.
   3. All traffic from 10.0.20.0/24 is allowed to enter the DMZ.
   4. FTP traffic from the R-Vokasi administrator workstation is allowed to UMY Web Svr.

c. To verify the DMZFIREWALL ACL, complete the following tests:
   - Admin PC in the R-Vokasi office can access the URL http://www.umy.ac.id;
   - Admin PC can open an FTP session to the UMY Web Svr with the username cisco and the password cisco;
   - PCB1 cannot open an FTP session to the UMY Web Svr;
   - Net Admin can open an FTP session to the UMY Web Svr with the username cisco and the password cisco; and
   - PC1 cannot open an FTP session to the UMY Web Svr.

d. Create, apply, and verify an extended named ACL (named IN-UMY) to control access from the Internet into the R-UMY router. The ACL should be created in the order specified in the following guidelines:
   1. Allow HTTP traffic to the UMY Web Svr.
   2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Svr.
   3. Allow SSH traffic from the Vokasi Office administrator workstation to the Serial 0/0/1 interface on the UMY router.
   4. Allow IP traffic from the Vokasi router serial interface into the R-UMY router serial interface.
   5. Allow IP traffic from the Vokasi Office LAN to the public IP address range that is assigned to the UMY site (103.250.180.0/27).

e. To verify the IN-UMY ACL, complete the following tests:
   - Admin PC in the Vokasi office can access the URL http://www.umy.ac.id;
   - Admin PC can establish an SSH connection to the UMY router (103.250.180.34) with the username SSHAccess and password UMYsshAccess;
   - PCB1 cannot establish an SSH connection to the UMY router (103.250.180.34); and
   - External PC cannot establish an SSH connection to the UMY router (103.250.180.34).
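The three access lists of Step 5, added as an example and not the assessment's answer key. It assumes the DMZ interface is Fa0/0 (the 10.0.1.1 gateway of the servers), that the "Vokasi Office LAN" of item d.5 is the 118.30.180.0/28 range, that the UMY serial address is 103.250.180.34 as in the verification tests, and it uses <...> placeholders for the public static-NAT addresses this document does not state.

```cisco
! UMY router, Step 5. Servers from the Addressing Table: UMY Web Svr 10.0.1.11,
! DMZ DNS Svr 10.0.1.12. <...> = placeholder for a public address not given here.
!
! a. ACL 13: only Net Admin (10.0.20.5) and Admin PC may reach the vty lines. Admin PC
!    arrives with its Vokasi static-NAT address, so that is what the list must match.
access-list 13 permit host 10.0.20.5
access-list 13 permit host <ADMIN-PC-PUBLIC-IP>
access-list 13 deny any log
line vty 0 4
 access-class 13 in
!
! b. DMZ-UMY-FW in the order given, applied outbound on the DMZ interface (assumed
!    Fa0/0), i.e. on packets entering the DMZ segment; the implicit deny drops the rest
ip access-list extended DMZ-UMY-FW
 permit tcp any host 10.0.1.11 eq www
 permit tcp any host 10.0.1.12 eq domain
 permit udp any host 10.0.1.12 eq domain
 permit ip 10.0.20.0 0.0.0.255 any
 permit tcp host <ADMIN-PC-PUBLIC-IP> host 10.0.1.11 eq ftp
interface FastEthernet0/0
 ip access-group DMZ-UMY-FW out
!
! d. IN-UMY inbound on the Internet link. An inbound ACL is evaluated before NAT, so
!    the server entries must name the public addresses. Entry 4 is also what lets the
!    Step 7 ISAKMP (udp/500) and ESP packets from the Vokasi peer in.
ip access-list extended IN-UMY
 permit tcp any host <WEB-SVR-PUBLIC-IP> eq www
 permit tcp any host <DNS-SVR-PUBLIC-IP> eq domain
 permit udp any host <DNS-SVR-PUBLIC-IP> eq domain
 permit tcp host <ADMIN-PC-PUBLIC-IP> host 103.250.180.34 eq 22
 permit ip host 118.30.180.18 host 103.250.180.34
 permit ip 118.30.180.0 0.0.0.15 103.250.180.0 0.0.0.31
interface Serial0/0/0
 ip access-group IN-UMY in
!
! c./e. verification: after the FTP and SSH tests, "show access-lists" must show match
!    counters rising on the entries that should fire and none on the ones that should not
```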

Step 7: Configure a Site-to-Site IPsec VPN between the UMY router and the Vokasi Router.
The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2 Policy:

ISAKMP Phase 1 Policy Parameters

| Parameter               | Value      |
|-------------------------|------------|
| Key Distribution Method | ISAKMP     |
| Encryption Algorithm    | AES        |
| Number of Bits          | 256        |
| Hash Algorithm          | SHA-1      |
| Authentication Method   | Pre-share  |
| Key Exchange            | DH 2       |
| IKE SA Lifetime         | 86400      |
| ISAKMP Key              | VpnPass101 |

ISAKMP Phase 2 Policy Parameters

| Parameters         | UMY Router            | Vokasi Router         |
|--------------------|-----------------------|-----------------------|
| Transform Set Name | VPN-SET               | VPN-SET               |
| Transform Set      | esp-3des esp-sha-hmac | esp-3des esp-sha-hmac |
| Peer Host Name     | Vokasi                | UMY                   |
| Peer IP Address    | 118.30.180.18         | 103.250.180.34        |
| Encrypted Network  | 103.250.180.0/27      | 118.30.180.0/28       |
| Crypto Map Name    | VPNUMY-MAP            | VPNUMY-MAP            |
| SA Establishment   | ipsec-isakmp          | ipsec-isakmp          |

a. Configure an ACL (ACL 138) on the UMY router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (103.250.180.0/27 and 118.30.180.0/28).
b. Configure the ISAKMP Phase 1 properties on the UMY router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters table for the specific details needed.
c. Configure the ISAKMP Phase 2 properties on the UMY router. Refer to the ISAKMP Phase 2 Policy Parameters table for the specific details needed.

d. Bind the VPNUMY-MAP crypto map to the outgoing interface.
e. Configure IPsec parameters on the Vokasi router using the same parameters as on the UMY router. Note that interesting traffic is defined as the IP traffic between the two LANs.
f. Save the running-config, then reload both the UMY and Vokasi routers.
g. Verify the VPN configuration by conducting an FTP session with the username cisco and the password cisco from the Admin PC to the UMY Web Svr. On the Vokasi router, check that the packets are encrypted. To exit the FTP session, type quit.
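Both ends of the Step 7 tunnel, as an added example and not the assessment's own configuration. The crypto map sequence number 10 and the reuse of ACL 138 on the Vokasi side are assumptions; every other value comes from the two parameter tables.

```cisco
! ---------- UMY router ----------
! a. interesting traffic: IP between the two public LAN ranges (mirrored on the peer)
access-list 138 permit ip 103.250.180.0 0.0.0.31 118.30.180.0 0.0.0.15
! b. ISAKMP Phase 1, policy 10: AES-256 / SHA-1 / pre-shared key / DH group 2 / 86400 s
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key VpnPass101 address 118.30.180.18
! c. IPsec Phase 2: transform set and crypto map from the Phase 2 table (seq 10 assumed)
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPNUMY-MAP 10 ipsec-isakmp
 set peer 118.30.180.18
 set transform-set VPN-SET
 match address 138
! d. the map only takes effect once bound to the Internet-facing interface
interface Serial0/0/0
 crypto map VPNUMY-MAP
!
! ---------- Vokasi router (e.) : mirror image, source/destination swapped ----------
access-list 138 permit ip 118.30.180.0 0.0.0.15 103.250.180.0 0.0.0.31
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key VpnPass101 address 103.250.180.34
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPNUMY-MAP 10 ipsec-isakmp
 set peer 103.250.180.34
 set transform-set VPN-SET
 match address 138
interface Serial0/0/0
 crypto map VPNUMY-MAP
! g. after the FTP test from Admin PC, "show crypto ipsec sa" on Vokasi must show
!    non-zero #pkts encaps / #pkts decaps for 118.30.180.0/28 <-> 103.250.180.0/27;
!    "show crypto isakmp sa" should list the peer in state QM_IDLE
```

The 3DES, SHA-1 and DH group 2 values are what the lab tables prescribe; on production equipment the Phase 2 transform set and the DH group are the first parameters to replace with current ones.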

Version 1.0
Created in Packet Tracer 5.3.1.0044 and Marvel 1.0.1
All contents are Copyright 1992 - 2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.