SENSS Implementing Cisco Edge Network Security Solutions Version 1.0 Lab Guide
Cisco Systems, Inc.

Table of Contents

Lab 2-1: Configure Control and Management Plane Security Controls
    Visual Objective
    Required Resources
    Command List
    Job Aids
    Task 1: Configure Management Plane Security Controls on Cisco IOS Software
    Task 2: Configure Management Plane Security Controls on Cisco ASA
    Task 3: Configure Management Access AAA on Cisco IOS Software
    Task 4: Configure Management Access AAA on Cisco ASA
Lab 2-2: Configure Traffic Telemetry Methods
    Visual Objective
    Required Resources
    Command List
    Job Aids
    Task 1: Configure Traffic Telemetry Methods on Cisco IOS Software
    Task 2: Configure Traffic Telemetry Methods on Cisco ASA
Lab 2-3: Configure Layer 2 Data Plane Security Controls
    Visual Objective
    Required Resources
    Command List
    Job Aids
    Task 1: Configure DHCP Snooping
    Task 2: Configure ARP Inspection
Lab 2-4: Configure Layer 3 Data Plane Security Controls
    Visual Objective
    Required Resources
    Command List
    Job Aids
    Task 1: Configure uRPF on the Cisco IOS Router
    Task 2: Configure uRPF on the Cisco ASA
    Task 3: Configure IP Source Guard
Lab 3-1: Configure Cisco ASA NAT
    Visual Objective
    Required Resources
    Command List
    Job Aids
    Task 1: Configure Static NAT
    Task 2: Configure Dynamic NAT
    Task 3: (Optional) Configure Twice NAT
Lab 3-2: Configure Cisco IOS Software NAT
    Visual Objective
    Required Resources
    Command List
    Job Aids
    Task 1: Configure Static NAT
    Task 2: Configure Dynamic NAT
Lab 4-1: Configure Basic Cisco ASA Access Policies
    Visual Objective
    Required Resources
    Command List
    Job Aids
    Task 1: Configure Object Groups
    Task 2: Configure Interface ACL
    Task 3: Configure Global ACL
    Task 4: Verify Connectivity Across the ASA
Lab 4-2: Configure Advanced Cisco ASA Access Policies
    Visual Objective
    Required Resources
    Command List
    Job Aids
    Task 1: Tune OSI Layer 3-4 Stateful Inspection
    Task 2: Examine Support for Dynamic Protocols
    Task 3: Configure Application Inspection for HTTP Traffic
    Task 4: Configure Application Inspection for FTP Traffic
Lab 4-3: Configure Cisco ASA Botnet Traffic Filter
    Visual Objective
    Required Resources
    Command List
    Job Aids
    Task 1: Configure the Botnet Traffic Filter Using the Dynamic Database
    Task 2: Configure the Botnet Traffic Filter Using the Static Database
Lab 4-4: Configure Cisco ASA Identity Firewall
    Visual Objective
    Required Resources
    Command List
    Job Aids
    Task 1: Configure Cisco CDA
    Task 2: Configure the Cisco ASA for Active Directory Integration
    Task 3: Configure the Cisco ASA with Identity Options
    Task 4: Configure the Cisco ASA Identity-Based Access Rules
Lab 5-1: Configure Basic Cisco IOS Zone-Based Policy Firewall Access Policies
    Visual Objective
    Required Resources
    Command List
    Job Aids
    Task 1: Configure Security Zones
    Task 2: Configure Access Control Between the INSIDE and OUTSIDE Zones
    Task 3: Configure Access Control Between the VPN and INSIDE Zones
    Task 4: Configure Access Control for Management Traffic Between the SELF and OUTSIDE Zones
Lab 5-2: Configure Advanced Cisco IOS Zone-Based Policy Firewall Access Policies
    Visual Objective
    Required Resources
    Command List
    Job Aids
    Task 1: Configure HTTP Application Layer Inspection
Lab Answer Keys
    Lab 2-1: Configure Control and Management Plane Security Controls
    Lab 2-2: Configure Traffic Telemetry Methods
    Lab 2-3: Configure Layer 2 Data Plane Security Controls
    Lab 2-4: Configure Layer 3 Data Plane Security Controls
    Lab 3-1: Configure Cisco ASA NAT
    Lab 3-2: Configure Cisco IOS Software NAT
    Lab 4-1: Configure Basic Cisco ASA Access Policies
    Lab 4-2: Configure Advanced Cisco ASA Access Policies
    Lab 4-3: Configure Cisco ASA Botnet Traffic Filter
    Lab 4-4: Configure Cisco ASA Identity Firewall
    Lab 5-1: Configure Basic Cisco IOS Zone-Based Policy Firewall Access Policies
    Lab 5-2: Configure Advanced Cisco IOS Zone-Based Policy Firewall Access Policies

Lab 2-1: Configure Control and Management Plane Security Controls

Activity Objective

The company Secure-X has the network topology shown in the figure. The company recently hired a new Chief Security Officer (CSO) who wants to secure the control and management planes of the network devices in the Secure-X headquarters network.

You are the senior security engineer for the Secure-X network. The CSO has tasked you with implementing suitable control and management plane security controls on the Cisco ASA and the Cisco IOS Software router in order to harden both devices, and with implementing secure management access that uses cryptographically protected management protocols together with authentication, authorization, and accounting (AAA).
In this activity, you will configure the following control and management plane security controls:
    Enable SSH and SNMPv3 access, and Control Plane Policing, on the Cisco IOS router
    Enable SSH and SNMPv3 access on the Cisco ASA
    Enable external AAA for management access on the Cisco IOS router
    Enable external AAA for management access on the Cisco ASA

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 2-1: Configure Control and Management Plane Security Controls]

Required Resources

These are the resources and equipment that are required to complete this activity:
    A PC with Internet connectivity

Command List

The table describes the commands that are used in this activity. The commands are listed in alphabetical order so that you can easily locate the information that you need. Refer to this list if you need configuration command assistance during the lab activity.

Cisco IOS Commands

    Command                                                   Description
    aaa accounting exec default start-stop group RADIUS       Creates an accounting method list for exec sessions against a RADIUS server.
    aaa authentication login default group RADIUS local       Creates an authentication method list for login attempts against a RADIUS server, with the local database as backup.
    aaa authorization exec default group RADIUS local         Creates an authorization method list for exec attempts against a RADIUS server, with the local database as backup.
    aaa new-model                                             Enables the authentication, authorization, and accounting (AAA) access control model.

SNMP Entities. Add the HQ-ISR router as an SNMP entity in the HiliSoft MIB Browser with the following parameters:

    Host Address               172.16.2.3
    SNMP Version               SNMPv3
    Security Name (username)   the SNMPv3 user configured on the router
    Security Level             Auth, Priv
    Authentication Protocol    SHA
    Authentication Key         the authentication key configured on the router
    Encryption Protocol        the privacy protocol configured on the router
    Encryption Key             the privacy key configured on the router

Click Save and OK.

Step 16    In the HiliSoft MIB Browser window, make sure that HQ-ISR is selected in the drop-down menu on the left. In the MIB Tree, navigate to iso > org > dod > internet > mgmt > mib-2 > system. Select the sysLocation object. Select Get from the drop-down menu on the right and click the green "Play" button next to the drop-down menu. This procedure obtains the value of the sysLocation SNMP object on the router using SNMPv3, and verifies that SNMP access is working. You can also verify the value of other SNMP objects, such as sysUpTime or sysName.

Step 17    In the following steps, you will demonstrate how an attacker can overwhelm an SNMP-enabled router with many SNMP requests. You will use the Attacker PC and the snmpwalk application to generate many SNMP requests that will overwhelm the HQ-ISR router's CPU.

Step 18    Access the Attacker PC. Open three terminal windows and use the snmpwalk program in all of them to walk through the entire SNMP management information base on the router. This action will overwhelm the router with SNMP requests.

Step 19    Return to the console of the HQ-ISR router. Verify the CPU utilization. You should see that the SNMP process has overwhelmed the CPU on the router, which may be unable to respond to legitimate requests on the control and management plane.

Step 21    On the HQ-ISR router, configure the following ACLs. These ACLs will be used to identify traffic going to the router's management and control plane in order to configure Control Plane Protection.

    ACL Name    Protocol    Source Address    Destination IP    Destination Port
    SSH_MGMT    TCP         any               any               22
    SNMP_MGMT   UDP         any               any               161

Step 22    On the HQ-ISR router, configure the following class maps. These class maps will be used to classify traffic for Control Plane Protection.

    Class Map Name    Match
    SSH_MGMT          ACL name: SSH_MGMT
    SNMP_MGMT         ACL name: SNMP_MGMT

Step 23    On the HQ-ISR router, configure a policy map with the name CPPR. This policy map will be used to apply policing actions to the previously configured traffic classes.

    Class            Action
    SSH_MGMT         Police to 64 kbps with a burst size of 8000
    SNMP_MGMT        Police to 64 kbps with a burst size of 8000
    class-default    Police to 128 kbps with a burst size of 16000

Step 24    On the HQ-ISR router, apply the CPPR policy map to the host control-plane subinterface.

Step 25    Return to the Attacker PC. Use the snmpwalk program again in all three terminal windows.

Step 26    Return to the console of the HQ-ISR router. Verify the CPU utilization again. You should see that the CPU load is now very low, because the Control Plane Protection feature is policing the SNMP traffic that arrives at the router.
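The following Cisco IOS configuration pulls the pieces of Task 1 and Task 3 together on the HQ-ISR router: SSH version 2 only, AAA against RADIUS with local fallback, SNMPv3 with authentication and privacy, and the Control Plane Protection policy from Steps 21 through 24. It is an added example for this page and is not the lab's answer key. The router address 172.16.2.3 comes from the SNMP entity table above; everything else (the management subnet 172.16.2.0/24, the RADIUS server 172.16.1.10, the names RADIUS-SRV, RADIUS-GRP, MGMT-HOSTS, MIB2-VIEW, SNMP-ADMINS and snmpadmin, the domain name, and all placeholder keys in angle brackets) is an assumption chosen for illustration.

```cisco
! HQ-ISR management-plane hardening plus Control Plane Protection (CPPr).
! Added example, not the lab guide's answer key. Addresses other than
! 172.16.2.3, all object names, and all <placeholder> secrets are assumptions.
!
! --- SSH: version 2 only, short timeouts, few retries ---
hostname HQ-ISR
ip domain-name secure-x.example          ! assumption; a domain name is required before RSA key generation
crypto key generate rsa modulus 2048     ! assumption: 2048-bit host key for SSH
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! --- AAA: RADIUS first, local database only as fallback when RADIUS is unreachable ---
aaa new-model
username admin privilege 15 secret <local-fallback-password>
radius server RADIUS-SRV
 address ipv4 172.16.1.10 auth-port 1812 acct-port 1813   ! assumption: RADIUS server address
 key <radius-shared-secret>
aaa group server radius RADIUS-GRP
 server name RADIUS-SRV
aaa authentication login default group RADIUS-GRP local
aaa authorization exec default group RADIUS-GRP local
aaa accounting exec default start-stop group RADIUS-GRP
!
! --- VTY lines: SSH only, and only from the management subnet ---
ip access-list standard MGMT-HOSTS
 permit 172.16.2.0 0.0.0.255             ! assumption: management subnet
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
!
! --- SNMPv3 authPriv only; no SNMPv1/v2c community strings are defined ---
snmp-server view MIB2-VIEW iso included
snmp-server group SNMP-ADMINS v3 priv read MIB2-VIEW
snmp-server user snmpadmin SNMP-ADMINS v3 auth sha <auth-key> priv aes 128 <priv-key>
! Constructed check from a management host (net-snmp syntax), matching Step 16:
!   snmpwalk -v3 -l authPriv -u snmpadmin -a SHA -A <auth-key> -x AES -X <priv-key> 172.16.2.3 system
!
! --- Control Plane Protection, host subinterface (Steps 21-24) ---
! Classify SSH and SNMP addressed to the router itself, police each class,
! and police everything else so a flood of punted packets cannot starve the CPU.
ip access-list extended SSH_MGMT
 permit tcp any any eq 22
ip access-list extended SNMP_MGMT
 permit udp any any eq snmp
class-map match-all SSH_MGMT
 match access-group name SSH_MGMT
class-map match-all SNMP_MGMT
 match access-group name SNMP_MGMT
policy-map CPPR
 class SSH_MGMT
  police 64000 8000 conform-action transmit exceed-action drop
 class SNMP_MGMT
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
  police 128000 16000 conform-action transmit exceed-action drop
control-plane host
 service-policy input CPPR
```

Two checks a practitioner would run after pasting this: `show policy-map control-plane host` shows per-class conformed and exceeded counters, so after repeating the snmpwalk flood of Step 25 the SNMP_MGMT class should report drops while `show processes cpu sorted` stays low; and `show snmp user` is the only place the SNMPv3 user appears, because `snmp-server user` entries are not written to the running configuration. Two caveats: the policer rate-limits legitimate SNMP polling as well as the attacker, so size the SNMP_MGMT rate to your NMS polling load; and on the host subinterface class-default also catches routing protocol and other traffic addressed to the router, so in production give those protocols their own classes rather than leaving them under the class-default policer.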
