
CCNA Security PT Practice SBA

A few things to keep in mind while completing this activity:
1. Do not use the browser Back button or close or reload any Exam windows during the exam.
2. Do not close Packet Tracer when you are done. It will close automatically.
3. Click the Submit Assessment button to submit your work.

Introduction
In this practice Packet Tracer Skills Based Assessment, you will:
- configure basic device hardening and secure network management
- configure a CBAC firewall to implement security policies
- configure devices to protect against STP attacks and to enable broadcast storm control
- configure port security and disable unused switch ports
- configure an IOS IPS
- configure a ZPF to implement security policies
- configure a site-to-site IPsec VPN

Addressing Table
Device            Interface  IP Address       Subnet Mask      Gateway          DNS server
Internet          S0/0/0     209.165.200.225  255.255.255.252  n/a              n/a
                  S0/0/1     192.31.7.1       255.255.255.252  n/a              n/a
                  S0/1/0     198.133.219.1    255.255.255.252  n/a              n/a
                  Fa0/0      192.135.250.1    255.255.255.0    n/a              n/a
CORP              S0/0/0     209.165.200.226  255.255.255.252  n/a              n/a
                  Fa0/0      10.1.1.254       255.255.255.0    n/a              n/a
                  Fa0/1.10   172.16.10.254    255.255.255.0    n/a              n/a
                  Fa0/1.25   172.16.25.254    255.255.255.0    n/a              n/a
                  Fa0/1.99   172.16.99.254    255.255.255.0    n/a              n/a
Branch            S0/0/0     198.133.219.2    255.255.255.252  n/a              n/a
                  Fa0/0      198.133.219.62   255.255.255.224  n/a              n/a
External          S0/0/0     192.31.7.2       255.255.255.252  n/a              n/a
                  Fa0/0      192.31.7.62      255.255.255.224  n/a              n/a
Public Svr        NIC        192.135.250.5    255.255.255.0    192.135.250.1    n/a
External Web Svr  NIC        192.31.7.35      255.255.255.224  192.31.7.62      192.135.250.5
External PC       NIC        192.31.7.33      255.255.255.224  192.31.7.62      192.135.250.5
NTP/Syslog Svr    NIC        172.16.25.2      255.255.255.0    172.16.25.254    10.1.1.5
DMZ DNS Svr       NIC        10.1.1.5         255.255.255.0    10.1.1.254       192.135.250.5
DMZ Web Svr       NIC        10.1.1.2         255.255.255.0    10.1.1.254       10.1.1.5
PC0               NIC        172.16.10.5      255.255.255.0    172.16.10.254    10.1.1.5
PC1               NIC        172.16.10.10     255.255.255.0    172.16.10.254    10.1.1.5
Net Admin         NIC        172.16.25.5      255.255.255.0    172.16.25.254    10.1.1.5
Admin PC          NIC        198.133.219.35   255.255.255.224  198.133.219.62   192.135.250.5

Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.

Step 1: Configure Basic Device Hardening for the CORP Router.


a. Configure the CORP router to only accept passwords with a minimum length of 10 characters.
b. Configure an encrypted privileged level password of ciscoclass.
c. Enable password encryption for all clear text passwords in the configuration file.
d. Configure the console port and all vty lines with the following requirements:
   Note: CORP is already configured with the username CORPADMIN and the secret password ciscoccnas.
   - use the local database for login
   - disconnect after being idle for 20 minutes
e. Disable the CDP protocol only on the link to the Internet router.

Step 2: Configure Secure Network Management for the CORP Router.


a. Enable the CORP router:
   - as an NTP client to the NTP/Syslog server
   - to update the router calendar (hardware clock) from the NTP time source
   - to timestamp log messages
   - to send logging messages to the NTP/Syslog server
b. Configure the CORP router to accept SSH connections. Use the following guidelines:
   Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess.
   - domain name is theccnas.com
   - RSA encryption key pair using a modulus of 1024
   - SSH version 2, timeout of 90 seconds, and 2 authentication retries
   - all vty lines accept only SSH connections
c. Configure the CORP router with AAA authentication and verify its functionality:
   - AAA authentication using the local database as the default for console line and vty lines access

Step 3: Configure Device Hardening for Switch1.


a. Access Switch1 with username CORPADMIN, password ciscoccnas, and the enable secret password of ciscoclass.
b. Enable storm control for broadcasts on FastEthernet 0/24 with a 50 percent rising suppression level.
c. Configure Switch1 to protect against STP attacks.
   - Configure PortFast on FastEthernet ports 0/1 to 0/23.
   - Enable BPDU guard on FastEthernet ports 0/1 to 0/23.
d. Configure port security and disable unused ports.
   - Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/23.
   - Allow the MAC addresses to be learned dynamically and shut down the port if a violation occurs.
   - Disable unused ports (Fa0/2-5, Fa0/7-10, Fa0/13-23).
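This Switch1 configuration is an added worked example for Step 3, not the assessment's own answer key. Port numbers and thresholds come from the step text; the show commands at the end are suggested verification commands.

```cisco
! Step 3 on Switch1 (added example, not the answer key)
enable
configure terminal
! 3b: broadcast storm control with a 50% rising threshold on Fa0/24
interface FastEthernet0/24
 storm-control broadcast level 50
 exit
! 3c: STP protection on the access ports. PortFast skips the listening
! and learning states; BPDU guard err-disables the port the moment a BPDU
! arrives, so a rogue switch on an access port cannot reshape the tree.
interface range FastEthernet0/1 - 23
 spanning-tree portfast
 spanning-tree bpduguard enable
! 3d: port security needs a static access port; max 2 dynamically
! learned MACs, shutdown (err-disable) on violation
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 exit
! Administratively disable every port the step lists as unused
interface range FastEthernet0/2 - 5 , FastEthernet0/7 - 10 , FastEthernet0/13 - 23
 shutdown
end
! Suggested verification: show port-security, show spanning-tree summary,
! show storm-control, show ip interface brief
```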

Step 4: Configure an IOS IPS on the CORP Router.


a. On the CORP router, create a directory in flash named ipsdir.
b. Configure the IPS signature storage location to be flash:ipsdir.
c. Create an IPS rule named corpips.
d. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.
e. Apply the IPS rule to the Fa0/0 interface.
f. Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0); enable the signature; modify the signature event-action to produce an alert and to deny packets that match the signature.
g. Verify that IPS is working properly. Net Admin in the internal network cannot ping DMZ Web Svr. DMZ Web Svr, however, can ping Net Admin.
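The IOS IPS configuration below is an added worked example for Step 4, not the assessment's answer key. Names and signature numbers come from the step text; the direction in which the rule is applied on Fa0/0 is an assumption derived from the verification in 4g, and the show commands at the end are suggested checks.

```cisco
! Step 4 on CORP (added example, not the answer key)
! 4a-4b: signature storage directory in flash (mkdir asks to confirm)
mkdir ipsdir
configure terminal
ip ips config location flash:ipsdir
! 4c: the IPS rule
ip ips name corpips
! 4d: retire everything, then unretire only the ios_ips basic set
! (IOS asks to confirm the category change when you leave the submode)
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit
! 4e: apply the rule. Direction is an assumption: 'out' on Fa0/0 inspects
! traffic leaving CORP toward the DMZ, which is what the 4g check needs
! (internal pings to DMZ Web Svr are dropped, DMZ-originated pings pass).
interface FastEthernet0/0
 ip ips corpips out
 exit
! 4f: tune ICMP Echo Request (sig 2004, subsig 0): unretire, enable,
! then alert and drop inline on a match
ip ips signature-definition
 signature 2004 0
  status
   retired false
   enabled true
   exit
  engine
   event-action produce-alert
   event-action deny-packet-inline
   exit
  exit
 exit
end
! Suggested verification: show ip ips configuration, show ip ips
! signatures count, and %IPS-4-SIGNATURE messages on the syslog server
```

On physical IOS, as opposed to Packet Tracer, the signature package and Cisco's signing public key also have to be loaded before the engine compiles anything.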

Step 5: Configure ACLs and CBAC on the CORP Router to Implement the Security Policy.
a. Create ACL 12 to implement the security policy regarding access to the vty lines: only users connecting from Net Admin and Admin PC are allowed access to the vty lines.
b. Create, apply, and verify an extended named ACL (named DMZFIREWALL) to filter incoming traffic to the DMZ. The ACL should be created in the order specified in the following guidelines (please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer):
   1. HTTP traffic is allowed to DMZ Web Svr.
   2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Svr.
   3. All traffic from 172.16.25.0/24 is allowed to enter the DMZ.
   4. FTP traffic from the Branch administrator workstations in the subnet 198.133.219.32/27 is allowed to DMZ Web Svr.
c. To verify the DMZFIREWALL ACL, complete the following tests:
   - Admin PC in the branch office can access the URL http://www.theccnas.com.
   - Admin PC can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco.
   - Net Admin can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco.
   - PC1 cannot open an FTP session to the DMZ Web Svr.
d. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router. The ACL should be created in the order specified in the following guidelines (please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer):
   1. Allow HTTP traffic to the DMZ Web Svr.
   2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Svr.
   3. Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on the CORP router.
   4. Allow IP traffic from the Branch router serial interface into the CORP router serial interface.
   5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP site (209.165.200.240/28).
e. To verify the INCORP ACL, complete the following tests:
   - Admin PC in the branch office can access the URL http://www.theccnas.com.
   - Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the username SSHAccess and password ciscosshaccess.
   - External PC cannot establish an SSH connection to the CORP router (209.165.200.226).
f. Create and apply a CBAC inspection rule (named INTOCORP) to inspect ICMP, TCP, and UDP traffic between the CORP internal network and any other network.
g. Enable CBAC audit messages to be sent to the syslog server.
h. Verify the CBAC firewall configuration.
   - PC1 can access the External Web Svr (
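The ACL and CBAC configuration below is an added worked example for Step 5, not the assessment's answer key. Host and network addresses come from the addressing table and the step text; the interfaces the lists are applied to, their directions, and the choice to match the DMZ servers' private addresses in INCORP are assumptions called out in the comments.

```cisco
! Step 5 on CORP (added example, not the answer key).
! Host addresses are from the addressing table; interfaces and
! directions are assumptions explained in the comments.
configure terminal
! 5a: only Net Admin (172.16.25.5) and Admin PC (198.133.219.35) reach the vty
access-list 12 permit host 172.16.25.5
access-list 12 permit host 198.133.219.35
line vty 0 4
 access-class 12 in
 exit
! 5b: DMZFIREWALL in the required order; the implicit deny drops all else
ip access-list extended DMZFIREWALL
 permit tcp any host 10.1.1.2 eq www
 permit tcp any host 10.1.1.5 eq domain
 permit udp any host 10.1.1.5 eq domain
 permit ip 172.16.25.0 0.0.0.255 any
 permit tcp 198.133.219.32 0.0.0.31 host 10.1.1.2 eq ftp
 exit
! "Incoming to the DMZ" means leaving CORP on Fa0/0, so apply it outbound
interface FastEthernet0/0
 ip access-group DMZFIREWALL out
 exit
! 5d: INCORP on the Internet link. If CORP translates the DMZ servers to
! the 209.165.200.240/28 block, match the translated addresses instead.
ip access-list extended INCORP
 permit tcp any host 10.1.1.2 eq www
 permit tcp any host 10.1.1.5 eq domain
 permit udp any host 10.1.1.5 eq domain
 permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
 permit ip host 198.133.219.2 host 209.165.200.226
 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
 exit
! 5f-5g: CBAC. Inspecting outbound on S0/0/0 creates temporary entries
! ahead of INCORP only for replies to sessions the inside started.
ip inspect name INTOCORP icmp
ip inspect name INTOCORP tcp
ip inspect name INTOCORP udp
ip inspect audit-trail
interface Serial0/0/0
 ip access-group INCORP in
 ip inspect INTOCORP out
 exit
end
! 5h verification: show ip inspect sessions, show access-lists (hit counts)
```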
