Before you start the exercise, please add your team number and Coach's email to the user profile. Once in Packet Tracer, click on Options --> User Profile. The name is your team number and the email is your Coach's email address. (Example: Name = 09-9758, Email = instructor_roy@ciscorocks.com)
___________________________________________________________________________________________________________
During the past month, Always Food Available (AFA) was the talk of the town! Vacationers, with cabins in the hills on the other side of the lake, praised the expanded delivery service. No longer did people on the far side of the lake need to travel around the lake to enjoy their favorite food. The local farmers are even special ordering small items they need for work around the farm.
AFA’s employees are happy with the network and the great job your team has done to meet their software, hardware, and networking needs. Your best friend’s sister approved an upgrade to the drone GPS system so that the deliveries can be more precise.
A new drone maintenance station is needed to keep the fleet of drones running. In order for this to happen, a new remote network connection needs to be added to the HQ network. You will be responsible for configuring the connections to the new site. During a recent security audit you found that your network is not as secure as it could be. Your task will be to start securing the administration of the network as well as review other new security solutions. You will build and test the new security solutions, such as IPSEC and AAA, in a lab environment.
Instructions

SAVE YOUR PACKET TRACER FILE OFTEN.

NOTE: Exact commands will be in quotation marks to help you know when the command starts and stops. Please do not type the quotation marks when you are instructed to type a command.

Configure the enable secret password on all production Routers and Switches = C1sc0R0cks

NOTE: Some configuration will already exist on certain devices. Modify existing configuration as needed.

IP addresses to note:
  Internal DNS: 192.168.50.2
  Internal Web Server:
    IP = 192.168.50.2
    URL = www.afainternal.com
  External DNS: 64.102.174.10
  External Web Server:
    IP = 64.102.174.10
    URL = www.afa.com
Configuration

- Access network devices securely using SSH
  - Configure all production switches and routers with the following:
    - Use SSHv2
    - Generate the crypto RSA key with modulus 1024
    - Domain name = afa.com
    - Configure VTY lines 0 to 4
      - Transport input to be ssh
      - Login should be local
    - Configure a local user for logging in remotely
      - User = admin
      - Secret Password = C1sc0R0cks
- Create a message that will display when logging into all production switches and routers.
  - The message-of-the-day banner needs to say exactly the following:
    - “ KEEP OUT ----- AUTHORIZED USERS ONLY “
- Does it work?
  - Make sure you can SSH to each router and switch on the AFA HQ network from the Network Admin PC. Make sure you see the message-of-the-day. “ssh -l <username> <IP address>”
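One way to meet the SSH requirements above on a single production IOS router or switch, as an added example that is not part of the original assignment. The hostname HQ-R1 is an assumption (each production device keeps its own hostname); everything else comes from the list above.

```cisco
! Added example: SSH-only management access on a Cisco IOS device.
! "HQ-R1" is an assumed hostname. RSA key generation needs a non-default
! hostname and a domain name, so both are set before the key is created.
hostname HQ-R1
ip domain-name afa.com
!
! 1024-bit general-purpose RSA key; SSHv2 requires at least 768 bits.
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
!
! Privileged-EXEC secret and the local account the VTY lines will check.
enable secret C1sc0R0cks
username admin secret C1sc0R0cks
!
! Banner text must match the assignment exactly; '#' is only the delimiter.
banner motd # KEEP OUT ----- AUTHORIZED USERS ONLY #
!
! VTY lines accept SSH only (Telnet is refused) and authenticate locally.
line vty 0 4
 transport input ssh
 login local
!
! Verification (privileged EXEC):
!   show ip ssh                  -> "SSH Enabled - version 2.0"
!   show crypto key mypubkey rsa -> the 1024-bit key
! From the Network Admin PC:  ssh -l admin <device IP>
```

The one-line `crypto key generate rsa general-keys modulus 1024` form avoids the interactive modulus prompt that the bare `crypto key generate rsa` command shows in Packet Tracer. Apply `transport input ssh` last and confirm an SSH login from the Network Admin PC before closing the console session, since any remaining Telnet path stops working at that point.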
- A new Firewall has been installed at the new Warehouse. Configure the ASA as follows.
  - Hostname = afa-remote-asa
  - Interface E0/0 = vlan 2
  - Interface E0/1 = vlan 1
  - Interface vlan 1:
    - Nameif = inside
    - Security level = 100
    - IP address = 192.168.1.1/24
  - Interface vlan 2:
    - Nameif = outside
    - Security level = 0
    - IP address = 64.102.174.20/24
  - Configure NAT (aka PAT or NAT Overload)
    - Network object name = “nat”
    - Subnet = allow only the inside network.
    - NAT should allow hosts from the inside to reach the outside dynamically using the outside interface address.
  - Routing
    - Configure a default route pointing to 64.102.174.1
  - MPF configuration. Ensure that HTTP and DNS are inspected.
    - Class map name = inspection_default
      - Class map needs to match “default-inspection-traffic”
    - Policy map name = global_policy
      - Class = inspection_default
        - Inspect HTTP and DNS
    - Service policy = “global_policy global”
  - The ASA needs to hand out IP addresses through DHCP
    - DNS server = 64.102.174.10 on the inside interface
    - Lease time = 2 hours on the inside interface
    - Domain = afa.com on the inside interface
    - Enable on the inside
    - DHCP address pool should be from .5 to .36 on the inside interface
  - Configure an access-list for return ICMP traffic
    - Access-list name = out_in
    - Permit any source and any destination
    - Limit it to icmp echo-reply
    - Apply it inbound on the outside interface
  - Does it work?
    - See if you can browse from a Maintenance PC to the web server (IP = 64.102.174.10 or www.afa.com). Troubleshoot as needed if it doesn’t work.
- Testing security solutions in the lab

NOTE: Basic IP connectivity on the lab network devices was previously configured by a high school intern. It is recommended that you check it before starting.

NOTE: All passwords used in the lab are “cisco12345” unless otherwise stated.

  - Configure a LAN-to-LAN tunnel between Lab Router 1 and Lab Router 2

    Parameter                                      | IPSEC Lab Router 1           | IPSEC Lab Router 2
    -----------------------------------------------+------------------------------+------------------------------
    Crypto ISAKMP policy number                    | 10                           | 10
    Crypto ISAKMP policy: encryption               | AES 256                      | AES 256
    Crypto ISAKMP policy: authentication           | Pre-share                    | Pre-share
    Crypto ISAKMP policy: group                    | 5                            | 5
    Crypto ISAKMP policy: lifetime                 | 3600                         | 3600
    Crypto ISAKMP key and address                  | Key: cisco123 IP: 20.1.1.253 | Key: cisco123 IP: 10.1.1.253
    Crypto IPsec security-association lifetime (s) | 1800                         | 1800
    Crypto IPsec transform-set                     | 50 esp-aes 256 esp-sha-hmac  | 50 esp-aes 256 esp-sha-hmac
    Crypto map: name                               | CMAP 10 ipsec-isakmp         | CMAP 10 ipsec-isakmp
    Crypto map CMAP: peer                          | 20.1.1.253                   | 10.1.1.253
    Crypto map CMAP: PFS                           | Group 5                      | Group 5
    Crypto map CMAP: security association lifetime | 900                          | 900
    Crypto map CMAP: transform set                 | 50                           | 50
    Crypto map CMAP: match address                 | 101                          | 101
    Access-list name                               | 101                          | 101
    Access-list 101 permit source                  | 192.168.1.0 0.0.0.255        | 15.1.1.0 0.0.0.255
    Access-list 101 permit destination             | 15.1.1.0 0.0.0.255           | 192.168.1.0 0.0.0.255
    Access-list 101 permit protocol                | IP                           | IP
    Apply crypto map “CMAP” to interface           | GigabitEthernet 0            | GigabitEthernet 0

    - Does it work?
      - Use ping to test from IPSEC Lab Server 2 to IPSEC Lab Server 1. Remember, basic IP connectivity was already working. You need to determine if the traffic is going over the encrypted tunnel or in the clear. Hint: “show crypto ipsec sa”: look at the “encaps” and “decaps” counters. Are they going up as you send traffic? Or “show crypto isakmp sa”: do you see a connection with an ACTIVE status?
  - Configure Authentication and Accounting.
    - Configure AAA-Lab-Router1 & AAA-Lab-Switch1 to allow remote access using Telnet, authenticating the user using TACACS. HINT: Don’t lock yourself out. Wait to save the configuration until after you verify that you can access the device remotely with AAA configured. This way you can simply reload the router to recover CLI access if needed.
      - Enable AAA
      - AAA authentication = Configure logins to use a default method of the group TACACS+. Also, use local login as a fallback.
      - TACACS server host and key = 30.1.1.254 key cisco123 (use the command that combines the host and key on the same line)
      - Configure VTY lines 0 to 4 to use transport input telnet; login authentication should be default.
      - Configure a local user name and encrypted password.
        - Username = localadmin
        - Encrypted Password = cisco12345
        This should only be used if the TACACS server is not reachable.
    - Configure AAA-Lab-Router1 & AAA-Lab-Switch1 to use Accounting services
      - Accounting for exec sessions should have a default method for start and stop messages that uses the group tacacs+
    - Configure Lab Server1 as a TACACS server.
      - Enable the AAA service under the “Services Tab”
      - Configure the AAA server to allow both AAA Lab Router1 and AAA Lab Switch1 to use it for authentication. There will be two entries.
        - Client Name = Host name of AAA Lab Router1 and AAA Lab Switch1
        - Client IP = IP address of AAA Lab Router1 and AAA Lab Switch1
        - Secret = cisco123
        - ServerType = TACACS
        - Add a user:
          - Username = admin
          - Password = cisco12345
    - Configure logging on AAA-Lab-Router1 & AAA-Lab-Switch1
      - Enable logging and log to 30.1.1.254.
      - Trap debug logs and userinfo
    - Configure Lab Server1 syslog server
      - Enable the syslog service under the “Services Tab”
      - Return here to see if AAA accounting is working.
    - Does it work?
      - From Lab Server1 see if you can telnet to AAA-Lab-Router1 & AAA-Lab-Switch1. You should be prompted to login with a username and then a password. Use the username and password that you set in the AAA server. (admin:cisco12345)
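The router-side half of the AAA, accounting and logging steps above, collected into one configuration. This is an added example rather than part of the assignment; it is written for AAA-Lab-Router1, and AAA-Lab-Switch1 takes the identical commands. It assumes Lab Server1 at 30.1.1.254 is both the TACACS+ server and the syslog server, as the lab text describes, and it reads "encrypted password" as the `secret` form.

```cisco
! Added example: TACACS+ login with local fallback, EXEC accounting and
! syslog on AAA-Lab-Router1 (same commands on AAA-Lab-Switch1).
!
! Local fallback account, stored as a salted hash ("secret", not "password").
! It is consulted only when no TACACS+ server answers.
username localadmin secret cisco12345
!
aaa new-model
! Combined host-and-key form requested by the assignment.
tacacs-server host 30.1.1.254 key cisco123
!
! Method list "default": TACACS+ first, local database only on server failure
! (a TACACS+ "reject" is final and does not fall through to local).
aaa authentication login default group tacacs+ local
! Start and stop accounting records for every EXEC (shell) session.
aaa accounting exec default start-stop group tacacs+
!
line vty 0 4
 transport input telnet
 login authentication default
!
! Syslog: everything up to debugging, plus user-info events, to Lab Server1.
logging on
logging host 30.1.1.254
logging trap debugging
logging userinfo
!
! Verification (do NOT "write memory" until this succeeds):
!   From Lab Server1: telnet <router IP>, log in as admin / cisco12345.
!   show aaa servers -> 30.1.1.254 with non-zero request counts (where supported)
!   Lab Server1's Syslog service shows the accounting start record at login
!   and the stop record when the session ends.
```

Keep the console session open while testing: if the Telnet login fails, the unsaved configuration can be discarded with a reload, which is the recovery path the HINT above relies on. The `local` method only applies when the TACACS+ server is unreachable; an explicit rejection from the server ends the attempt. Telnet is used here because the lab asks for it; on the production devices the SSH-only VTY configuration from the earlier section is the one to keep, since Telnet sends the admin credentials in cleartext.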
- Troubleshooting
  - Users at East Lake are complaining that they can’t get to www.afa.com or www.afainternal.com. Troubleshoot and fix the problem.

Submit Packet Tracer Activity

Submit your Packet Tracer file using the instructions found on the Netacad CP-IX Regional Round assignment.
1. Save the Packet Tracer config file to your desktop following this naming convention: "PT-Round2_<team number>.pka". Example: PT-Round2_09-9758.pka
2. Complete the assignment by clicking on the "Submit Assignment" button on the right side of this page. Then you will have the option to upload the Packet Tracer file and Submit the Assignment.
If you upload the wrong file you will get zero points for the exercise.