
Step 1: Configure Basic Device Hardening for the CORP Router.

a. Configure the CORP router to only accept passwords with a minimum length of 10 characters.
CORP(config)# security passwords min-length 10
(The keyword is "passwords", plural. The check applies only to passwords created after the command is entered; passwords already in the configuration are not re-validated.)
b. Configure an encrypted privileged level password of ciscoclass.
CORP(config)# enable secret ciscoclass
c. Enable password encryption for all clear text passwords in the configuration file.
CORP(config)# service password-encryption
(This is reversible type 7 obfuscation of line and user passwords; it hides them from someone reading the configuration over your shoulder, not from anyone who obtains the file. The enable secret is a one-way hash and is not affected.)
d. Configure the console port and all vty lines with the following requirements:
Note: CORP is already configured with the username CORPADMIN and the secret password ciscoccnas.
use the local database for login
disconnect after being idle for 20 minutes.
CORP(config)# line console 0
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 0 4
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 5 15
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
e. Disable the CDP protocol only on the link to the Internet router.
CORP(config)# interface s0/0/0
CORP(config-if)# no cdp enable
Step 2: Configure Secure Network Management for the CORP Router.
a. Enable the CORP router:
as an NTP client to the NTP/Syslog server
to update the router calendar (hardware clock) from the NTP time source
to timestamp log messages
to send logging messages to the NTP/Syslog server
CORP(config)# ntp server 172.16.25.2 key 0
CORP(config)# ntp update-calendar
CORP(config)# service timestamps log datetime msec
CORP(config)# logging host 172.16.25.2
(No ntp authentication-key or ntp trusted-key is configured in this step, so the time source is not authenticated; timestamps on the syslog messages are only as trustworthy as that NTP server.)
b. Configure the CORP router to accept SSH connections. Use the following guidelines:
Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess.
domain name is theccnas.com
RSA encryption key pair using a modulus of 1024
SSH version 2, timeout of 90 seconds, and 2 authentication retries
all vty lines accept only SSH connections
CORP(config)# ip domain-name theccnas.com
CORP(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
(The host name and domain name must be set before the key can be generated. 1024 bits is what this assessment asks for; on production devices generate a 2048-bit or larger key.)
CORP(config)# ip ssh version 2
CORP(config)# ip ssh time-out 90
CORP(config)# ip ssh authentication-retries 2
CORP(config)# line vty 0 4
CORP(config-line)# transport input ssh
CORP(config-line)# line vty 5 15
CORP(config-line)# transport input ssh
CORP(config-line)# exit
c. Configure the CORP router with AAA authentication and verify its functionality:
AAA authentication using the local database as the default for console line and vty lines access
CORP(config)# aaa new-model
CORP(config)# aaa authentication login default local
CORP(config)# aaa authorization exec default local
CORP(config)# line vty 0 4
CORP(config-line)# login authentication default
CORP(config-line)# line vty 5 15
CORP(config-line)# login authentication default
CORP(config-line)# line con 0
CORP(config-line)# login authentication default
(Once aaa new-model is entered, the login local statements on the lines are superseded by the AAA method list. Keep an existing console session open while changing AAA so that a mistake in the method list cannot lock you out.)

Step 3: Configure Device Hardening for Switch1.
a. Access Switch1 with username CORPADMIN, password ciscoccnas, and the enable secret password of ciscoclass.
b. Enable storm control for broadcasts on FastEthernet 0/24 with a 50 percent rising suppression level.
SW1(config)# interface fa0/24
SW1(config-if)# storm-control broadcast level 50
c. Configure Switch1 to protect against STP attacks.
Configure PortFast on FastEthernet ports 0/1 to 0/23.
Enable BPDU guard on FastEthernet ports 0/1 to 0/23.
SW1(config)# interface range fa0/1-23
SW1(config-if-range)# spanning-tree portfast
SW1(config-if-range)# spanning-tree bpduguard enable
(PortFast on its own is the risky half: it skips the listening and learning states on a port that could still receive BPDUs from a rogue switch. BPDU guard err-disables the port the moment a BPDU arrives, so the two always go together on edge ports.)
d. Configure port security and disable unused ports.
Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/23.
Allow the MAC address to be learned dynamically and to shutdown the port if a violation occurs.
SW1(config)# interface range fa0/1-23
SW1(config-if-range)# switchport port-security
SW1(config-if-range)# switchport port-security maximum 2
SW1(config-if-range)# switchport port-security violation shutdown
SW1(config-if-range)# switchport port-security mac-address sticky
(On real Catalyst switches, switchport port-security is rejected on a port still in the default dynamic trunking mode; enter switchport mode access on the range first. violation shutdown is also the default, so that line changes nothing but documents the intent.)

Disable unused ports (Fa0/2-5, Fa0/7-10, Fa0/13-23).
SW1(config)# interface range fa0/2-5
SW1(config-if-range)# shutdown
SW1(config)# interface range fa0/7-10
SW1(config-if-range)# shutdown
SW1(config)# interface range fa0/13-23
SW1(config-if-range)# shutdown
SW1(config-if-range)# end
SW1# copy running-config startup-config
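The checks in Steps 1 to 3 are the kind of thing that drifts silently after the assessment is over, so here is an added example (Python, not part of the original answer key) that audits IOS running-config text for them: minimum password length, service password-encryption, enable secret, SSH version 2, AAA, exec-timeout and ssh-only transport on every line, CDP off on the WAN interface, and on the switch port-security plus BPDU guard on every edge port that is not shut down. The three config snippets are constructed samples written in running-config form, not captures from the lab devices; the enable secret hash is a placeholder.

```python
"""Added example (not from the original answer key): audit IOS running-configs for
the Step 1-3 hardening items. The config snippets below are constructed samples."""
import re

# Constructed: CORP before Step 1/2, with the usual weak defaults.
ROUTER_BEFORE = """\
hostname CORP
enable password ciscoclass
interface Serial0/0/0
 ip address 209.165.200.226 255.255.255.224
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
"""

# Constructed: what Steps 1 and 2 leave behind (hash value is a placeholder).
ROUTER_AFTER = """\
hostname CORP
security passwords min-length 10
service password-encryption
service timestamps log datetime msec
enable secret 5 $1$xxxx$placeholder.hash.not.real
aaa new-model
aaa authentication login default local
ip domain-name theccnas.com
ip ssh version 2
interface Serial0/0/0
 ip address 209.165.200.226 255.255.255.224
 no cdp enable
line con 0
 exec-timeout 20 0
line vty 0 4
 exec-timeout 20 0
 transport input ssh
line vty 5 15
 exec-timeout 20 0
 transport input ssh
"""

# Constructed: SW1 after Step 3, with Fa0/6 deliberately left half-done.
SWITCH_AFTER = """\
hostname SW1
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/2
 shutdown
interface FastEthernet0/6
 switchport port-security
 spanning-tree portfast
interface FastEthernet0/24
 storm-control broadcast level 50.00
"""

def parse_ios(cfg):
    """Split a running-config into top-level lines and the indented lines under each
    interface/line header. Returns (set_of_global_lines, {header: [children]})."""
    top, blocks, cur = set(), {}, ""
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and cur:
            blocks[cur].append(raw.strip())
        else:
            cur = raw.strip()
            top.add(cur)
            blocks.setdefault(cur, [])
    return top, blocks

def _idle_timeout_ok(children, max_minutes):
    for c in children:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", c)
        if m:
            minutes, seconds = int(m.group(1)), int(m.group(2) or 0)
            # "exec-timeout 0 0" turns the idle timeout off entirely
            return (minutes, seconds) != (0, 0) and minutes <= max_minutes
    return False  # IOS defaults to 10 min, but the policy wants it set explicitly

def audit_router(cfg, wan_if, min_len=10, idle_minutes=20):
    """Return the Step 1/2 items the config fails (empty list means compliant)."""
    top, blocks = parse_ios(cfg)
    findings = []
    lengths = [int(t.split()[-1]) for t in top if t.startswith("security passwords min-length ")]
    if not lengths or lengths[0] < min_len:
        findings.append(f"password min-length not set to >= {min_len}")
    if "service password-encryption" not in top:
        findings.append("service password-encryption missing")
    if not any(t.startswith("enable secret") for t in top):
        findings.append("enable secret missing")
    if any(t.startswith("enable password") for t in top):
        findings.append("enable password present (type 7 at best; remove it)")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 missing (SSHv1 fallback possible)")
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing")
    for hdr, kids in blocks.items():
        if not hdr.startswith("line "):
            continue
        if not _idle_timeout_ok(kids, idle_minutes):
            findings.append(f"{hdr}: exec-timeout missing, disabled or > {idle_minutes} min")
        if "vty" in hdr and "transport input ssh" not in kids:
            findings.append(f"{hdr}: transport input is not ssh-only")
    if "no cdp enable" not in blocks.get(f"interface {wan_if}", []):
        findings.append(f"interface {wan_if}: CDP still enabled toward the Internet")
    return findings

def audit_switch(cfg, uplink="FastEthernet0/24"):
    """Every FastEthernet edge port must be shut down or carry port-security and
    BPDU guard; the uplink is exempt from the edge-port checks."""
    _, blocks = parse_ios(cfg)
    findings = []
    for hdr, kids in blocks.items():
        if not hdr.startswith("interface FastEthernet") or hdr == f"interface {uplink}":
            continue
        if "shutdown" in kids:
            continue  # disabled port: nothing to learn on it
        if "switchport port-security" not in kids:
            findings.append(f"{hdr}: port-security not enabled")
        if "spanning-tree portfast" in kids and "spanning-tree bpduguard enable" not in kids:
            findings.append(f"{hdr}: portfast without BPDU guard (a rogue switch could take root)")
    return findings
```

Run audit_router(ROUTER_BEFORE, "Serial0/0/0") to see the full list of gaps the assessment closes, and audit_switch(SWITCH_AFTER) to catch the one port that got PortFast without BPDU guard. The parser only understands the one-level indentation of show running-config output, which is all these checks need.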
Step 4: Configure an IOS IPS on the CORP Router.
a. On the CORP router, create a directory in flash named ipsdir.
CORP# mkdir ipsdir
b. Configure the IPS signature storage location to be flash:ipsdir.
CORP(config)# ip ips config location flash:ipsdir/ retries 1
c. Create an IPS rule named corpips.
CORP(config)# ip ips name corpips
d. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.
CORP(config)# ip ips signature-category
CORP(config-ips-category)# category all
CORP(config-ips-category-action)# retired true
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# category ios_ips basic
CORP(config-ips-category-action)# retired false
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# exit
Do you want to accept these changes? [confirm] [Enter]
(Retiring "all" first and then unretiring only the basic category stops the router from trying to compile every signature, which most routers do not have the memory to do.)
e. Apply the IPS rule to the Fa0/0 interface.
CORP(config)# interface fa0/0
CORP(config-if)# ip ips corpips out
f. Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0); enable the signature; modify the signature event-action to produce an alert and to deny packets that match the signature.
CORP(config)# ip ips signature-definition
CORP(config-sigdef)# signature 2004 0
CORP(config-sigdef-sig)# status
CORP(config-sigdef-sig-status)# retired false
CORP(config-sigdef-sig-status)# enabled true
CORP(config-sigdef-sig-status)# exit
CORP(config-sigdef-sig)# engine
CORP(config-sigdef-sig-engine)# event-action produce-alert
CORP(config-sigdef-sig-engine)# event-action deny-packet-inline
CORP(config-sigdef-sig-engine)# exit
CORP(config-sigdef-sig)# exit
CORP(config-sigdef)# exit
CORP(config)# exit
Do you want to accept these changes? [confirm] [Enter]
g. Verify that IPS is working properly. Net Admin in the internal network cannot ping DMZ Web Svr. DMZ Web Svr, however, can ping Net Admin.
(The rule inspects traffic leaving Fa0/0 toward the DMZ, so only echo requests in that direction are dropped. Echo requests from the DMZ server enter Fa0/0 without inspection, and the replies going back out do not match signature 2004.)
Step 5: Configure ACLs and CBAC on the CORP Router to Implement the Security Policy.
a. Create ACL 12 to implement the security policy regarding the access to the vty lines:
Only users connecting from Net Admin and Admin PC are allowed access to the vty lines.
CORP(config)# access-list 12 permit host 172.16.25.5
CORP(config)# access-list 12 permit host 198.133.219.35
CORP(config)# line vty 0 4
CORP(config-line)# access-class 12 in
CORP(config-line)# line vty 5 15
CORP(config-line)# access-class 12 in
b. Create, apply, and verify an extended named ACL (named DMZFIREWALL) to filter incoming traffic to the DMZ. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.):
1. HTTP traffic is allowed to DMZ Web Svr.
2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Svr.
3. All traffic from 172.16.25.0/24 is allowed to enter the DMZ.
4. FTP traffic from the Branch administrator workstation is allowed to DMZ Web Svr.
(Every entry is a permit, so reordering them cannot change which packets pass; only the implicit deny at the end rejects anything. Order starts to matter the moment a deny entry is added.)
CORP(config)# ip access-list extended DMZFIREWALL
CORP(config-ext-nacl)# permit tcp any host 10.1.1.2 eq www
CORP(config-ext-nacl)# permit tcp any host 10.1.1.5 eq domain
CORP(config-ext-nacl)# permit udp any host 10.1.1.5 eq domain
CORP(config-ext-nacl)# permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255
CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp
CORP(config-ext-nacl)# exit
CORP(config)# interface fa0/0
CORP(config-if)# ip access-group DMZFIREWALL out
c. To verify the DMZFIREWALL ACL, complete the following tests:
Admin PC in the branch office can access the URL http://www.theccnas.com;
Admin PC can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco;
PCB1 cannot open an FTP session to the DMZ Web Svr;
Net Admin can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco; and
PC1 cannot open an FTP session to the DMZ Web Svr.
d. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.):
1. Allow HTTP traffic to the DMZ Web Svr.
2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Svr.
3. Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on the CORP router.
4. Allow IP traffic from the Branch router serial interface into the CORP router serial interface.
5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP site (209.165.200.240/28).
CORP(config)# ip access-list extended INCORP
CORP(config-ext-nacl)# permit tcp any host 209.165.200.241 eq www
CORP(config-ext-nacl)# permit tcp any host 209.165.200.242 eq domain
CORP(config-ext-nacl)# permit udp any host 209.165.200.242 eq domain
CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
CORP(config-ext-nacl)# permit ip host 198.133.219.2 host 209.165.200.226
CORP(config-ext-nacl)# permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
CORP(config-ext-nacl)# exit
CORP(config)# interface s0/0/0
CORP(config-if)# ip access-group INCORP in
(The HTTP and DNS entries use the public addresses 209.165.200.241 and .242 rather than the DMZ servers' 10.1.1.x addresses because INCORP is evaluated on the outside interface, before NAT translates the destination.)
e. To verify the INCORP ACL, complete the following tests:
Admin PC in the branch office can access the URL http://www.theccnas.com;
Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the username SSHAccess and password ciscosshaccess;
PCB1 cannot establish an SSH connection to the CORP router (209.165.200.226); and
External PC cannot establish an SSH connection to the CORP router (209.165.200.226).
f. Create and apply a CBAC inspection rule (named INTOCORP) to inspect ICMP, TCP, and UDP traffic between the CORP internal network and any other network.
CORP(config)# ip inspect name INTOCORP icmp
CORP(config)# ip inspect name INTOCORP tcp
CORP(config)# ip inspect name INTOCORP udp
g. Enable CBAC audit messages to be sent to the syslog server.
CORP(config)# ip inspect audit-trail
CORP(config)# interface s0/0/0
CORP(config-if)# ip inspect INTOCORP out
h. Verify the CBAC firewall configuration.
PC1 can access the External Web Svr (www.externalone.com).
PC1 can establish an SSH connection to the External router with username SSHadmin and password ciscosshpa55.
Admin PC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess.
(CBAC watches sessions leaving s0/0/0 and inserts temporary entries ahead of INCORP for their return traffic. That is why PC1's HTTP and SSH replies get back in even though INCORP contains no permit for them; the Admin PC's SSH session, initiated from outside, is admitted by INCORP entry 4 instead.)
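Whether each of the verification cases in c and e passes is decided purely by first-match evaluation of the ACL entries against the packet's addresses, protocol and destination port, with an implicit deny when nothing matches. The following added example (Python, not part of the original answer key) implements that evaluation for the subset of IOS ACL syntax used on this page, loads the three ACLs exactly as they appear above, and replays the test cases; it also flags entries that an earlier entry already covers, the one ordering mistake that really does matter once deny entries appear. The address for PCB1 and the public address that www.theccnas.com resolves to are not given on the page and are marked as constructed or assumed in the code.

```python
"""Added example (not part of the original answer key): evaluate the Step 5 ACLs with
IOS first-match semantics and replay the verification cases from c and e. The ACL
text is the page's; the addresses marked 'constructed' or 'assumption' are mine."""
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "ssh": 22, "telnet": 23}
ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr_spec(tok):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}", strict=False)  # wildcard mask accepted

def parse_acl(text):
    """Parse permit/deny lines of a standard or extended IOS ACL (the subset on this
    page) into ordered (action, proto, src_net, dst_net, dst_port) tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) > 2 and tok[0] == "access-list":      # numbered form: drop prefix
            tok = tok[2:]
        if not tok or tok[0] not in ("permit", "deny"):
            continue                                      # headers, prompts, exit
        action = tok.pop(0)
        if tok[0] in ("ip", "tcp", "udp", "icmp"):
            proto = tok.pop(0)
            src, dst = _addr_spec(tok), _addr_spec(tok)
        else:                                             # standard ACL: source only
            proto, src, dst = "ip", _addr_spec(tok), ANY
        dport = None
        if tok and tok[0] == "eq":
            dport = PORT_NAMES.get(tok[1]) or int(tok[1])
        rules.append((action, proto, src, dst, dport))
    return rules

def decide(rules, src, dst, proto, dport=None):
    """First matching entry wins; no match is the implicit deny. Returns (action, entry#)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, n
    return "deny", None

def shadowed(rules):
    """1-based indices of entries that an earlier entry already fully covers. Harmless
    in an all-permit list like these, but a shadowed deny is a silent policy hole."""
    hits = []
    for i, (_, p, s, d, port) in enumerate(rules):
        if any(p2 in ("ip", p) and s.subnet_of(s2) and d.subnet_of(d2)
               and (port2 is None or port2 == port) for _, p2, s2, d2, port2 in rules[:i]):
            hits.append(i + 1)
    return hits

# The page's three ACLs, as entered on CORP.
INCORP = """
permit tcp any host 209.165.200.241 eq www
permit tcp any host 209.165.200.242 eq domain
permit udp any host 209.165.200.242 eq domain
permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
permit ip host 198.133.219.2 host 209.165.200.226
permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
"""
DMZFIREWALL = """
permit tcp any host 10.1.1.2 eq www
permit tcp any host 10.1.1.5 eq domain
permit udp any host 10.1.1.5 eq domain
permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255
permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp
"""
ACL12 = """
access-list 12 permit host 172.16.25.5
access-list 12 permit host 198.133.219.35
"""
# Constructed: a list whose second entry can never match.
BAD_ORDER = """
permit ip any any
deny tcp any host 209.165.200.226 eq 22
"""

ADMIN_PC, NET_ADMIN, EXTERNAL_PC = "198.133.219.35", "172.16.25.5", "192.31.7.33"
PCB1 = "198.133.219.40"          # constructed: some other host on the Branch LAN
WEB_PUBLIC = "209.165.200.241"   # assumption: www.theccnas.com resolves to this address
CORP_S000, DMZ_WEB = "209.165.200.226", "10.1.1.2"

def verification_cases():
    """Replay the Step 5 c/e tests; returns {case: 'permit' | 'deny'}."""
    incorp, dmz, vty = parse_acl(INCORP), parse_acl(DMZFIREWALL), parse_acl(ACL12)
    return {
        "admin_http_in":    decide(incorp, ADMIN_PC, WEB_PUBLIC, "tcp", 80)[0],
        "admin_ssh_in":     decide(incorp, ADMIN_PC, CORP_S000, "tcp", 22)[0],
        "pcb1_ssh_in":      decide(incorp, PCB1, CORP_S000, "tcp", 22)[0],
        "external_ssh_in":  decide(incorp, EXTERNAL_PC, CORP_S000, "tcp", 22)[0],
        "admin_ftp_dmz":    decide(dmz, ADMIN_PC, DMZ_WEB, "tcp", 21)[0],
        "netadmin_ftp_dmz": decide(dmz, NET_ADMIN, DMZ_WEB, "tcp", 21)[0],
        "pcb1_ftp_dmz":     decide(dmz, PCB1, DMZ_WEB, "tcp", 21)[0],
        "admin_vty":        decide(vty, ADMIN_PC, CORP_S000, "tcp", 22)[0],
        "external_vty":     decide(vty, EXTERNAL_PC, CORP_S000, "tcp", 22)[0],
    }

if __name__ == "__main__":
    for case, verdict in verification_cases().items():
        print(f"{case:18} {verdict}")
    print("shadowed entries in INCORP:", shadowed(parse_acl(INCORP)))
```

decide returns the matching entry number as well as the verdict, which is the same information the hit counters in show access-lists give you on the router. Note that the DMZFIREWALL replay covers only the ACL: the Admin PC's FTP session also has to pass INCORP on s0/0/0 and be translated by NAT before it reaches Fa0/0.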
Step 6: Configure a Zone-Based Policy Firewall on the Branch Router.
a. Access the Branch router with username CORPADMIN, password ciscoccnas and the enable secret password of ciscoclass.
b. On the Branch router, create the firewall zones.
Create an internal zone named BR-IN-ZONE.
Create an external zone named BR-OUT-ZONE.
Branch(config)# zone security BR-IN-ZONE
Branch(config-sec-zone)# exit
Branch(config)# zone security BR-OUT-ZONE
Branch(config-sec-zone)# exit
c. Define a traffic class and access list.
Create an ACL (ACL 110) to permit all protocols from the 198.133.219.32/27 network to any destination.
Branch(config)# access-list 110 permit ip 198.133.219.32 0.0.0.31 any

Create a class map using the option of class map type inspect with the match-all keyword. Match the ACL 110 and name the class map BR-IN-CLASS-MAP.
Branch(config)# class-map type inspect match-all BR-IN-CLASS-MAP
Branch(config-cmap)# match access-group 110
d. Specify firewall policies.
Create a policy map named BR-IN-OUT-PMAP.
Use the BR-IN-CLASS-MAP class map.
Specify the action of inspect for this policy map.
Branch(config)# policy-map type inspect BR-IN-OUT-PMAP
Branch(config-pmap)# class type inspect BR-IN-CLASS-MAP
Branch(config-pmap-c)# inspect
e. Apply the firewall.
Create a pair of zones named IN-OUT-ZPAIR with the source as BR-IN-ZONE and destination as BR-OUT-ZONE.
Branch(config)# zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE

Specify the policy map BR-IN-OUT-PMAP for handling the traffic between the two zones.
Branch(config-sec-zone-pair)# service-policy type inspect BR-IN-OUT-PMAP
Assign interfaces to the appropriate security zones.
Branch(config)# interface fa0/0
Branch(config-if)# zone-member security BR-IN-ZONE
Branch(config-if)# interface s0/0/0
Branch(config-if)# zone-member security BR-OUT-ZONE
(Assign the interfaces last. As soon as an interface joins a zone, traffic between it and any other zone is dropped unless a zone-pair with a policy allows it, so putting s0/0/0 into BR-OUT-ZONE before the zone-pair exists would cut off the Branch LAN.)
f. Verify the ZPF configuration.
The Admin PC in the Branch office can access the URLs http://www.theccnas.com and http://www.externalone.com.
The Admin PC in the Branch office can ping the External PC (192.31.7.33).
External PC cannot ping the Admin PC in the Branch office (198.133.219.35).
The Admin PC in Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess. If you get the CORP> prompt, then your configuration is correct.
(Only the IN-OUT-ZPAIR exists, so the only traffic admitted from BR-OUT-ZONE to BR-IN-ZONE is the return half of sessions the inspect action has already recorded. That is why the Admin PC's pings and SSH work while the External PC's unsolicited pings are dropped.)
Step 7: Configure a Site-to-Site IPsec VPN between the CORP router and the Branch Router.
The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2 Policy:

ISAKMP Phase 1 Policy Parameters
  Key Distribution Method   ISAKMP
  Encryption Algorithm      AES
  Number of Bits            256
  Hash Algorithm            SHA-1
  Authentication Method     Pre-share
  Key Exchange              DH 2
  IKE SA Lifetime           86400
  ISAKMP Key                Vpnpass101

IPsec Phase 2 Policy Parameters
  Parameter            CORP Router              Branch Router
  Transform Set Name   VPN-SET                  VPN-SET
  Transform Set        esp-3des esp-sha-hmac    esp-3des esp-sha-hmac
  Peer Host Name       Branch                   CORP
  Peer IP Address      198.133.219.2            209.165.200.226
  Encrypted Network    209.165.200.240/28       198.133.219.32/27
  Crypto Map Name      VPN-MAP                  VPN-MAP
  SA Establishment     ipsec-isakmp             ipsec-isakmp

a. Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).
CORP(config)# access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
b. Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters Table for the specific details needed.
CORP(config)# crypto isakmp policy 10
CORP(config-isakmp)# encryption aes 256
CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)# group 2
CORP(config-isakmp)# lifetime 86400 (Default/Optional)
CORP(config-isakmp)# hash sha (Default/Optional)
CORP(config-isakmp)# exit
CORP(config)# crypto isakmp key Vpnpass101 address 198.133.219.2
c. Configure the IPsec Phase 2 properties on the CORP router. Refer to the IPsec Phase 2 Policy Parameters Table for the specific details needed.
CORP(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
CORP(config)# crypto map VPN-MAP 10 ipsec-isakmp
CORP(config-crypto-map)# set peer 198.133.219.2
CORP(config-crypto-map)# set transform-set VPN-SET
CORP(config-crypto-map)# match address 120
(3DES, SHA-1 and DH group 2 are what this assessment specifies; all three are legacy choices. On real equipment use AES (ideally AES-GCM) with SHA-256 and DH group 14 or higher, and note that Phase 1 here is AES-256 while Phase 2 data is protected with 3DES, the weaker of the two.)
d. Bind the VPN-MAP crypto map to the outgoing interface.
CORP(config)# interface s0/0/0
CORP(config-if)# crypto map VPN-MAP
CORP(config-if)# end
e. Configure IPsec parameters on the Branch router using the same parameters as on the CORP router. Note that interesting traffic is defined as the IP traffic from the two LANs; the Branch crypto ACL is the mirror image of ACL 120 on CORP (source and destination swapped).
Branch(config)# access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
Branch(config)# crypto isakmp policy 10
Branch(config-isakmp)# encryption aes 256
Branch(config-isakmp)# authentication pre-share
Branch(config-isakmp)# group 2
Branch(config-isakmp)# lifetime 86400 (Default/Optional)
Branch(config-isakmp)# hash sha (Default/Optional)
Branch(config-isakmp)# exit
Branch(config)# crypto isakmp key Vpnpass101 address 209.165.200.226
Branch(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
Branch(config)# crypto map VPN-MAP 10 ipsec-isakmp
Branch(config-crypto-map)# set peer 209.165.200.226
Branch(config-crypto-map)# set transform-set VPN-SET
Branch(config-crypto-map)# match address 120
Branch(config-crypto-map)# exit
Branch(config)# interface s0/0/0
Branch(config-if)# crypto map VPN-MAP
Branch(config-if)# end
f. Save the running-config, then reload both CORP and Branch routers.
CORP# copy running-config startup-config
Branch# copy running-config startup-config
g. Verify the VPN configuration by conducting an FTP session with the username cisco and the password cisco from the Admin PC to the DMZ Web Svr. On the Branch router, check that the packets are encrypted: show crypto isakmp sa should list the peer in state QM_IDLE, and the #pkts encaps / #pkts encrypt counters in show crypto ipsec sa should increase while the session is open. To exit the FTP session, type quit.
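Most site-to-site tunnels that refuse to come up fail on a mismatch between the two ends rather than on a single wrong line: a Phase 1 attribute that differs, a pre-shared key bound to the wrong peer address, transform sets that do not agree, or crypto ACLs that are not exact mirrors of each other. The following added example (Python, not part of the original answer key) parses both routers' Step 7 configuration as running-config text and reports those mismatches before you reach for debug crypto isakmp. The two config texts are the page's Step 7 commands retyped in running-config form; the parser handles only the crypto-map style and the source-wildcard/destination-wildcard crypto ACL form used here, and the third config is a deliberately broken Branch variant constructed to show the output.

```python
"""Added example (not from the original answer key): cross-check both ends of the
Step 7 site-to-site VPN for the mismatches that stop Phase 1 or Phase 2 coming up.
Config texts are the page's commands retyped as running-config lines."""
import re

CORP_VPN = """\
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key Vpnpass101 address 198.133.219.2
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.133.219.2
 set transform-set VPN-SET
 match address 120
access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
"""

BRANCH_VPN = """\
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key Vpnpass101 address 209.165.200.226
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 209.165.200.226
 set transform-set VPN-SET
 match address 120
access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
"""

# Constructed: Branch with a wrong DH group and a crypto ACL that is broader than CORP's.
BRANCH_BROKEN = BRANCH_VPN.replace(" group 2", " group 5").replace(
    "0.0.0.31 209.165.200.240 0.0.0.15", "0.0.0.31 any")

# IOS uses these when the policy does not state the attribute explicitly.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

def parse_vpn(cfg):
    """Collect the ISAKMP policy, pre-shared keys, transform sets, crypto map
    settings and crypto ACL entries from running-config text."""
    v = {"isakmp": dict(ISAKMP_DEFAULTS), "psk": {}, "tset": {}, "map": {}, "acl": {}}
    section = ""
    for raw in cfg.splitlines():
        line, indented = raw.strip(), raw[:1].isspace()
        if not indented:
            section = line
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            v["psk"][m[2]] = m[1]                      # key is bound to the peer address
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            v["tset"][m[1]] = tuple(m[2].split())
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            v["acl"].setdefault(m[1], []).append(m.groups()[1:])
        elif indented and section.startswith("crypto isakmp policy"):
            key, _, val = line.partition(" ")          # "encryption aes 256" -> key, value
            v["isakmp"]["encryption" if key == "encr" else key] = val
        elif indented and section.startswith("crypto map"):
            parts = line.split()                       # "set peer X" / "match address N"
            v["map"][parts[1] if parts[0] == "set" else "acl"] = parts[2]
    return v

def vpn_mismatches(a_name, a_cfg, b_name, b_cfg):
    """Return human-readable mismatches between the two ends (empty list = consistent)."""
    a, b = parse_vpn(a_cfg), parse_vpn(b_cfg)
    out = []
    for k in sorted(set(a["isakmp"]) | set(b["isakmp"])):
        if a["isakmp"].get(k) != b["isakmp"].get(k):
            out.append(f"ISAKMP {k}: {a_name}={a['isakmp'].get(k)} {b_name}={b['isakmp'].get(k)}")
    # each side's PSK must be bound to the address it names as peer, and both keys must match
    a_key, b_key = a["psk"].get(a["map"].get("peer")), b["psk"].get(b["map"].get("peer"))
    if a_key is None or a_key != b_key:
        out.append("pre-shared key missing for the configured peer or differs between sides")
    a_ts, b_ts = a["tset"].get(a["map"].get("transform-set")), b["tset"].get(b["map"].get("transform-set"))
    if a_ts != b_ts:
        out.append(f"transform sets differ: {a_name}={a_ts} {b_name}={b_ts}")
    # crypto ACLs must mirror: A's (src, dst) pairs equal B's (dst, src) pairs
    a_acl = sorted(a["acl"].get(a["map"].get("acl"), []))
    b_acl = sorted((d, dw, s, sw) for s, sw, d, dw in b["acl"].get(b["map"].get("acl"), []))
    if a_acl != b_acl:
        out.append("crypto ACLs are not mirror images (Phase 2 proposal will not match)")
    return out

if __name__ == "__main__":
    print("CORP vs Branch:", vpn_mismatches("CORP", CORP_VPN, "Branch", BRANCH_VPN))
    print("CORP vs broken Branch:", vpn_mismatches("CORP", CORP_VPN, "Branch", BRANCH_BROKEN))
```

The ISAKMP comparison starts from the IOS defaults so that an attribute one side states explicitly and the other leaves implicit (hash sha, lifetime 86400) still compares equal. On the routers themselves the same mismatches show up as a Phase 1 SA stuck in MM_NO_STATE or a Phase 2 proposal-mismatch failure in debug crypto ipsec.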