Sie sind auf Seite 1von 6

Topology

IP Addressing Table
Device R1 R2 R3 S1 S2 S3 PC-A PC-B PC-C Interface FA0/1 S0/0/0 (DCE) S0/0/0 S0/0/1 (DCE) FA0/1 S0/0/1 VLAN 1 VLAN 1 VLAN 1 NIC NIC NIC IP Address 172.16.1.1 10.10.10.1 10.10.10.2 10.20.20.2 172.16.3.1 10.20.20.1 172.16.1.11 172.16.1.12 172.16.3.11 172.16.1.3 172.16.1.2 172.16.3.3 Subnet Mask 255.255.255.0 255.255.255.252 255.255.255.252 255.255.255.252 255.255.255.0 255.255.255.252 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 Default Gateway N/A N/A N/A N/A N/A N/A 172.16.1.1 172.16.1.1 172.16.3.1 172.16.1.1 172.16.1.1 172.16.3.1 Switch Port S1 FA0/5 N/A N/A N/A S3 FA0/5 N/A N/A N/A N/A S1 FA0/6 S2 FA0/18 S3 FA0/18

Objectives
Part 1: Build the network and configure basic device settings Part 2: Secure Network Routers Configure encrypted passwords and a login banner. Configure EXEC timeout on console and VTY lines. Configure login failure rates and virtual login enhancements Configure SSH access and disable Telnet. Configure local AAA authentication. Configure a zone-based policy firewall (ZPF) and ACLs

Part 1: Build the Network and Configure Basic Settings.


In Part 1, you set up the network topology and configure basic settings, such as the hostname, interface IP addresses and static routing. Perform steps on routers and switches as indicated.

Step 1: Cable the network as shown in the topology.


Instructor note: The instructor may wish to set up the topology in advance due to time constraints. If the SBA topology is already set up, go to Step 2. Otherwise, attach the devices shown in the topology diagram, and cable as necessary.

Step 2: Configure basic settings for all routers.


a. Configure host names as shown in the topology. b. Configure the interface IP addresses as shown in the IP addressing table. c. Configure a clock rate for the routers with a DCE serial cable attached to their serial interface. R1(config)#interface S0/0/0 R1(config-if)#clock rate 64000 R2(config)#interface S0/0/1 R2(config-if)#clock rate 64000 d. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands as though they were host names. R1(config)#no ip domain-lookup

Step 3: Configure static default routes on edge routers (R1 and R3).
Configure a static default route from R1 to R2 and from R3 to R2. R1(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.2 R3(config)#ip route 0.0.0.0 0.0.0.0 10.20.20.2

Step 4: Configure static routes on the ISP router (R2).


Configure a static route from R2 to the R1 LAN and from R2 to the R3 LAN. R2(config)#ip route 172.16.1.0 255.255.255.0 10.10.10.1 R2(config)#ip route 172.16.3.0 255.255.255.0 10.20.20.1

Step 5: Configure basic settings for each switch.


a. Configure host names as shown in the topology. b. Configure the VLAN 1 management address on each switch as shown in the IP Addressing table. S1(config)#interface vlan 1 S1(config)#ip address 172.16.1.11 255.255.255.0 S1(config)#no shutdown S2(config)#interface vlan 1 S2(config)#ip address 172.16.1.12 255.255.255.0 S2(config)#no shutdown S3(config)#interface vlan 1 S3(config)#ip address 172.16.3.11 255.255.255.0 S3(config)#no shutdown c. Configure the IP default gateway for each of the three switches. The gateway for the S1 and S2 switches is the R1 Fa0/1 interface IP address. The gateway for the S3 switch is the R3 Fa0/1 interface IP address. S1(config)#ip default-gateway 172.16.1.1 S2(config)#ip default-gateway 172.16.1.1 S3(config)#ip default-gateway 172.16.3.1 d. Disable DNS lookup to prevent the switches from attempting to translate incorrectly entered commands as though they were host names. S1(config)#no ip domain-lookup

Step 6: Configure PC host IP settings.


Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C, as shown in the IP addressing table.

Step 7: Verify connectivity between PC-A and PC-C.


PC-A:\>ping 172.16.3.3

Step 8: Save the basic running configuration for each router and switch.

Part 2: Secure Network Routers


In Part 2, you configure device access, passwords, firewalls, and intrusion prevention. Perform steps on routers as indicated.

Task 1: Configure Passwords and a Login Banner.


Step 1: Configure a minimum password length of 10 characters on all routers.
R1(config)#security passwords min-length 10

Step 2: Configure the enable secret password on all routers.


Use an enable secret password of ciscoenapa55. R1(config)#enable secret ciscoenapa55

Step 3: Encrypt plaintext passwords.


R1(config)#service password-encryption

Step 4: Configure the console lines on all routers.


Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry. R1(config)#line console 0 R1(config-line)#password ciscoconpa55 R1(config-line)#exec-timeout 5 0 R1(config-line)#login R1(config-line)#logging synchronous

Step 5: Configure the vty lines on R2.


Configure a vty lines password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. R2(config)#line vty 0 4 R2(config-line)#password ciscovtypa55 R2(config-line)#exec-timeout 5 0 R2(config-line)#login Note: The vty lines for R1 and R3 are configured for SSH in Task 3.

Step 6: Configure a login warning banner on routers R1 and R3.


Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that says: Unauthorized access strictly prohibited and prosecuted to the full extent of the law!. R1(config)#banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law!$

Task 2: Configure Local Authentication Using AAA on R1 and R3.


Step 1: Configure the local user database on R1.
Create a local user account of Admin01 with a secret password of Admin01pa55. R1(config)#username Admin01 privilege 15 secret Admin01pa55

Step 2: Enable AAA services on R1.


R1(config)#aaa new-model

Step 3: Implement AAA services using the local database on R1.


a. Create the default login authentication method list using local authentication as the first option and the enable password as the backup option. R1(config)#aaa authentication login default local enable b. Exit to the initial router screen that displays: R1 con0 is now available, Press RETURN to get started. c. Log in to the console as Admin01 with a password of Admin01pa55 to verify that AAA with local authentication is functioning correctly.

d. Exit to the initial router screen that displays: R1 con0 is now available, Press RETURN to get started. e. Attempt to log in to the console as baduser with a bad password to verify that users not defined in the local router database are denied access.

Step 4: Repeat Steps 1 through 3 to configure AAA with local authentication on R3.

Task 3: Configure the SSH Server on Routers R1 and R3.


Step 1: Configure the domain name ccnasecurity.com on R1.
R1(config)#ip domain-name ccnasecurity.com

Step 2: Configure the incoming vty lines on R1.


Specify a privilege level of 15 so that a user with the highest privilege level (15) will default to privileged EXEC mode when accessing the vty lines. Other users will default to user EXEC mode. Specify that the vty lines will accept only SSH connections. R1(config)#line vty 0 4 R1(config-line)#privilege level 15 R1(config-line)#transport input ssh R1(config-line)#exit

Step 3: Generate the RSA encryption key pair for router R1.
Configure the RSA keys with 1024 as the number of modulus bits. R1(config)#crypto key generate rsa general-keys modulus 1024 The name for the keys will be: R1.ccnasecurity.com % The key modulus size is 1024 bits % Generating 1024 bit RSA keys, keys will be nonexportable...[OK] R1(config)# *May 26 19:08:58.215: %SSH-5-ENABLED: SSH 1.99 has been enabled

Step 4: Verify SSH connectivity to R1 from PC-A.


Launch the SSH client (TeraTerm or PuTTY) on PC-A, enter the Fa0/1 IP address, and login in as Admin01 with the password Admin01pa55. Step 5: Repeat Steps 1 through 4 to configure SSH on R3 and test the connection from

PC-C to R3.

Task 4: Secure against login attacks on R1 and R3.


Step 1: Configure the following parameters on R1 to provide enhanced login security for virtual logins.
Blocking period when login attack detected: 60 Maximum login failures with the device: 2 Maximum time period for crossing the failed login attempts: 30 Log all failed login attempts R1(config)#login block-for 60 attempts 2 within 30 R1(config)# login on-failure log

Step 2: Save the running configuration to the startup configuration for R1. Step 3: Repeat steps 1 and 2 to configure enhanced login security for virtual logins for router R3.

Task 5: Configure a Zone-based Policy Firewall (ZPF) Firewall on R1 and R3.


Step 1: Configure a ZPF on R1
Inside (trusted) check box for FastEthernet0/1 and the Outside (untrusted) Serial0/0/0

Step 2:
Create two security zones Inside and Outside. Create one class map IN2OUT_MAP to match all traffic and another OUT2SELF_MAP to math only telnet traffic. Create policy-map IN2OUT_PMAP to inspect traffic from class map IN2OUT_MAP Create policy-map OUT2SELF_PMAP to drop traffic from class map OUT2SELF_MAP and pass everything else Create zone-pair IN2OUT_PAIR for the outside direction and apply IN2OUT_PMAP policymap Create zone-pair OUT2SELF for Outside to Self zone and apply OUT2SELF_PMAP policymap

Tests: a. From PC-A, ping external router R2 interface S0/0/0 at IP address 10.10.10.2. The pings should be successful. b. From external router R2, ping PC-A at IP address 172.16.1.3. The pings should NOT be successful. c. From router R2, telnet to R1 at IP address 10.10.10.1. The telnet attempt should NOT be successful.

Submission:
Save the file with your name using capital letter followed by your first name, e.g. SMITH_John Upload the file to the Weblearn via the Skills Assessment Practice Assignment on the Weblearn.

Das könnte Ihnen auch gefallen