Beruflich Dokumente
Kultur Dokumente
IP Addressing Table
Device R1 R2 R3 S1 S2 S3 PC-A PC-B PC-C Interface FA0/1 S0/0/0 (DCE) S0/0/0 S0/0/1 (DCE) FA0/1 S0/0/1 VLAN 1 VLAN 1 VLAN 1 NIC NIC NIC IP Address 172.16.1.1 10.10.10.1 10.10.10.2 10.20.20.2 172.16.3.1 10.20.20.1 172.16.1.11 172.16.1.12 172.16.3.11 172.16.1.3 172.16.1.2 172.16.3.3 Subnet Mask 255.255.255.0 255.255.255.252 255.255.255.252 255.255.255.252 255.255.255.0 255.255.255.252 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 Default Gateway N/A N/A N/A N/A N/A N/A 172.16.1.1 172.16.1.1 172.16.3.1 172.16.1.1 172.16.1.1 172.16.3.1 Switch Port S1 FA0/5 N/A N/A N/A S3 FA0/5 N/A N/A N/A N/A S1 FA0/6 S2 FA0/18 S3 FA0/18
Objectives
Part 1: Build the network and configure basic device settings Part 2: Secure Network Routers Configure encrypted passwords and a login banner. Configure EXEC timeout on console and VTY lines. Configure login failure rates and virtual login enhancements Configure SSH access and disable Telnet. Configure local AAA authentication. Configure a zone-based policy firewall (ZPF) and ACLs
Step 3: Configure static default routes on edge routers (R1 and R3).
Configure a static default route from R1 to R2 and from R3 to R2. R1(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.2 R3(config)#ip route 0.0.0.0 0.0.0.0 10.20.20.2
Step 8: Save the basic running configuration for each router and switch.
d. Exit to the initial router screen that displays: R1 con0 is now available, Press RETURN to get started. e. Attempt to log in to the console as baduser with a bad password to verify that users not defined in the local router database are denied access.
Step 4: Repeat Steps 1 through 3 to configure AAA with local authentication on R3.
Step 3: Generate the RSA encryption key pair for router R1.
Configure the RSA keys with 1024 as the number of modulus bits. R1(config)#crypto key generate rsa general-keys modulus 1024 The name for the keys will be: R1.ccnasecurity.com % The key modulus size is 1024 bits % Generating 1024 bit RSA keys, keys will be nonexportable...[OK] R1(config)# *May 26 19:08:58.215: %SSH-5-ENABLED: SSH 1.99 has been enabled
PC-C to R3.
Step 2: Save the running configuration to the startup configuration for R1. Step 3: Repeat steps 1 and 2 to configure enhanced login security for virtual logins for router R3.
Step 2:
Create two security zones Inside and Outside. Create one class map IN2OUT_MAP to match all traffic and another OUT2SELF_MAP to math only telnet traffic. Create policy-map IN2OUT_PMAP to inspect traffic from class map IN2OUT_MAP Create policy-map OUT2SELF_PMAP to drop traffic from class map OUT2SELF_MAP and pass everything else Create zone-pair IN2OUT_PAIR for the outside direction and apply IN2OUT_PMAP policymap Create zone-pair OUT2SELF for Outside to Self zone and apply OUT2SELF_PMAP policymap
Tests: a. From PC-A, ping external router R2 interface S0/0/0 at IP address 10.10.10.2. The pings should be successful. b. From external router R2, ping PC-A at IP address 172.16.1.3. The pings should NOT be successful. c. From router R2, telnet to R1 at IP address 10.10.10.1. The telnet attempt should NOT be successful.
Submission:
Save the file with your name using capital letter followed by your first name, e.g. SMITH_John Upload the file to the Weblearn via the Skills Assessment Practice Assignment on the Weblearn.