cisco
Pasted by a guest, Feb 3rd, 2017
Before you start the exercise, please add your team number and Coach's email to the user profile. Once in Packet Tracer, click on Options --> User Profile. The name is your team number and the email is your Coach's email address. (Example: Name = 09-9758, Email = instructor_roy@ciscorocks.com)
___________________________________________________________________________________________________________
During the past month, Always Food Available (AFA) was the talk of the town! Vacationers with cabins in the hills on the other side of the lake praised the expanded delivery service. No longer did people on the far side of the lake need to travel around the lake to enjoy their favorite food. The local farmers are even special-ordering small items they need for work around the farm.
AFA's employees are happy with the network and the great job your team has done to meet their software, hardware, and networking needs. Your best friend's sister approved an upgrade to the drone GPS system so that deliveries can be more precise.
A new drone maintenance station is needed to keep the fleet of drones running. For this to happen, a new remote network connection needs to be added to the HQ network. You will be responsible for configuring the connections to the new site. During a recent security audit you found that your network is not as secure as it could be. Your task will be to start securing the administration of the network as well as to review other new security solutions. You will build and test the new security solutions, such as IPsec and AAA, in a lab environment.

Instructions

SAVE YOUR PACKET TRACER FILE OFTEN.

NOTE: Exact commands will be in quotation marks to help you know where a command starts and stops. Do not type the quotation marks when you are instructed to type a command.

Configure the enable secret password on all production routers and switches = C1sc0R0cks

NOTE: Some configuration will already exist on certain devices. Modify existing configuration as needed.

IP addresses to note:
Internal DNS: 192.168.50.2
Internal Web Server:
  IP = 192.168.50.2
  URL = www.afainternal.com
External DNS: 64.102.174.10
External Web Server:
  IP = 64.102.174.10
  URL = www.afa.com
Configuration
- Access network devices securely using SSH
  - Configure all production switches and routers with the following
    - Use SSHv2
    - Generate the crypto RSA key with a modulus of 1024
    - Domain name = afa.com
    - Configure VTY lines 0 to 4
      - Transport input to be ssh
      - Login should be local
    - Configure a local user for logging in remotely
      - User = admin
      - Secret password = C1sc0R0cks

- Create a message that will display when logging into all production switches and routers.
  - The message-of-the-day banner needs to say exactly the following:
    - " KEEP OUT ----- AUTHORIZED USERS ONLY "
- Does it work?
  - Make sure you can SSH to each router and switch on the AFA HQ network from the Network Admin PC. Make sure you see the message-of-the-day. "ssh -l <username> <IP address>"
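Worked example (added here, not part of the original assignment): the SSH, local-login and banner configuration for one production router, typed from privileged EXEC. The hostname AFA-HQ-R1 and the management address 192.168.50.1 are placeholders chosen for the example, not values from the page; the same commands apply to the switches, which are assumed to already have a management SVI and default gateway.

```cisco
! Added example: one production device's SSH/banner configuration.
! IOS refuses "crypto key generate rsa" while the hostname is still the
! default "Router", so the hostname (assumed: AFA-HQ-R1) is set first.
configure terminal
 hostname AFA-HQ-R1
 enable secret C1sc0R0cks
 ip domain-name afa.com
 ! the lab requires a 1024-bit modulus; outside the lab use 2048 or larger
 crypto key generate rsa general-keys modulus 1024
 ip ssh version 2
 ! local account consulted by "login local" on the VTY lines
 username admin secret C1sc0R0cks
 ! "#" is the delimiter; everything between the two "#" is the banner,
 ! including the leading and trailing space the assignment specifies
 banner motd # KEEP OUT ----- AUTHORIZED USERS ONLY #
 line vty 0 4
  transport input ssh
  login local
 exit
end
! verification on the device: expect "SSH Enabled - version 2.0"
show ip ssh
show crypto key mypubkey rsa
! verification from the Network Admin PC command prompt (address assumed):
! ssh -l admin 192.168.50.1
```

Order matters: the RSA key pair exists before `ip ssh version 2` is enabled (SSHv2 needs a key of at least 768 bits), and the local user exists before the VTY lines are switched to `login local`, so there is never a window in which remote login is impossible. `transport input ssh` also drops Telnet on those lines, which is the point of the exercise: credentials for the production devices no longer cross the network in the clear.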

- A new firewall has been installed at the new Warehouse. Configure the ASA as follows.
  - Hostname = afa-remote-asa
  - Interface E0/0 = vlan 2
  - Interface E0/1 = vlan 1
  - Interface vlan 1:
    - Nameif = inside
    - Security level = 100
    - IP address = 192.168.1.1/24
  - Interface vlan 2:
    - Nameif = outside
    - Security level = 0
    - IP address = 64.102.174.20/24
  - Configure NAT (aka PAT or NAT overload)
    - Network object name = "nat"
    - Subnet = allow only the inside network.
    - NAT should translate hosts from the inside to the outside dynamically, using the outside interface address.
  - Routing
    - Configure a default route pointing to 64.102.174.1
  - MPF configuration. Ensure that HTTP and DNS are inspected.
    - Class map name = inspection_default
      - Class map needs to match "default-inspection-traffic"
    - Policy map name = global_policy
      - Class = inspection_default
        - Inspect HTTP and DNS
    - Service policy = "global_policy global"
  - The ASA needs to give out IP addresses through DHCP
    - DNS server = 64.102.174.10 on the inside interface
    - Lease time = 2 hours on the inside interface
    - Domain = afa.com on the inside interface
    - Enable on the inside interface
    - DHCP address pool should be from .5 to .36 on the inside interface
  - Configure an access-list for return ICMP traffic
    - Access-list name = out_in
    - Permit any source and any destination
    - Limit it to icmp echo-reply
    - Apply it inbound on the outside interface
  - Does it work?
    - See if you can browse from a Maintenance PC to the web server (IP = 64.102.174.10 or www.afa.com). Troubleshoot as needed if it doesn't work.
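Worked example (added here, not part of the original assignment): the complete afa-remote-asa configuration from the list above. The `switchport access vlan` and `interface Vlan` syntax assumes an ASA 5505, which is the model that has E0/x switch ports; adapt the interface lines if the model differs.

```cisco
! Added example: afa-remote-asa (ASA 5505 assumed), typed from privileged EXEC.
configure terminal
 hostname afa-remote-asa
 interface Ethernet0/0
  switchport access vlan 2
  no shutdown
 interface Ethernet0/1
  switchport access vlan 1
  no shutdown
 interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  no shutdown
 interface Vlan2
  nameif outside
  security-level 0
  ip address 64.102.174.20 255.255.255.0
  no shutdown
 ! PAT: only the inside subnet is translated, to the outside interface address
 object network nat
  subnet 192.168.1.0 255.255.255.0
  nat (inside,outside) dynamic interface
 route outside 0.0.0.0 0.0.0.0 64.102.174.1
 ! MPF: application-layer inspection of HTTP and DNS for all default ports
 class-map inspection_default
  match default-inspection-traffic
 policy-map global_policy
  class inspection_default
   inspect http
   inspect dns
 service-policy global_policy global
 ! DHCP for the Maintenance PCs; 2 hours = 7200 seconds
 dhcpd address 192.168.1.5-192.168.1.36 inside
 dhcpd dns 64.102.174.10 interface inside
 dhcpd lease 7200 interface inside
 dhcpd domain afa.com interface inside
 dhcpd enable inside
 ! the ASA drops traffic arriving unsolicited on the security-level 0 interface,
 ! which includes echo-replies to pings from inside; permit only that ICMP type
 access-list out_in extended permit icmp any any echo-reply
 access-group out_in in interface outside
end
! verification
show nat
show service-policy
show dhcpd binding
show xlate
```

Two points worth checking when it does not work. First, a Maintenance PC must actually have pulled a lease (`show dhcpd binding`); if it still has a static address it will not use the ASA as its gateway or 64.102.174.10 as its DNS server. Second, the echo-reply ACL is needed only because ICMP is not stateful on the ASA by default; the alternative is `inspect icmp` in `global_policy`, which tracks each echo and admits only its matching reply, but the assignment asks for the ACL. TCP return traffic to the Maintenance PC's browser needs no ACL at all, because the connection is tracked from the inside.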

- Testing security solutions in the lab
NOTE: Basic IP connectivity on the lab network devices was previously configured by a high school intern. It is recommended that you check it before starting.
NOTE: All passwords used in the lab are "cisco12345" unless otherwise stated.
  - Configure a LAN-to-LAN tunnel between Lab Router 1 and Lab Router 2

Parameter                                        IPSEC Lab Router 1              IPSEC Lab Router 2
------------------------------------------------ ------------------------------- -------------------------------
Crypto ISAKMP policy number                      10                              10
Crypto ISAKMP policy: encryption                 AES 256                         AES 256
Crypto ISAKMP policy: authentication             pre-share                       pre-share
Crypto ISAKMP policy: group                      5                               5
Crypto ISAKMP policy: lifetime                   3600                            3600
Crypto ISAKMP key and address                    key cisco123, IP 20.1.1.253     key cisco123, IP 10.1.1.253
Crypto IPsec security-association lifetime (sec) 1800                            1800
Crypto IPsec transform-set                       50 esp-aes 256 esp-sha-hmac     50 esp-aes 256 esp-sha-hmac
Crypto map: name                                 CMAP 10 ipsec-isakmp            CMAP 10 ipsec-isakmp
Crypto map CMAP: peer                            20.1.1.253                      10.1.1.253
Crypto map CMAP: pfs                             group 5                         group 5
Crypto map CMAP: security-association lifetime   900                             900
Crypto map CMAP: transform-set                   50                              50
Crypto map CMAP: match address                   101                             101
Access-list number                               101                             101
Access-list 101 permit: source                   192.168.1.0 0.0.0.255           15.1.1.0 0.0.0.255
Access-list 101 permit: destination              15.1.1.0 0.0.0.255              192.168.1.0 0.0.0.255
Access-list 101 permit: protocol                 ip                              ip
Apply crypto map "CMAP" to interface             GigabitEthernet 0               GigabitEthernet 0

    - Does it work?
      - Use ping to test from IPSEC Lab Server 2 to IPSEC Lab Server 1. Remember, basic IP connectivity was already working, so you need to determine whether the traffic is going over the encrypted tunnel or in the clear. Hint: in "show crypto ipsec sa", look at the "encaps" and "decaps" counters; do they increase as you send traffic? Or in "show crypto isakmp sa", do you see a connection with the ACTIVE status?
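Worked example (added here, not part of the original assignment): both ends of the LAN-to-LAN tunnel from the table above. "GigabitEthernet 0" is the interface name the table gives; what matters is that the crypto map goes on the interface that holds 10.1.1.253 on Router 1 and 20.1.1.253 on Router 2, which the example assumes are the routers' own WAN addresses because each is listed as the other's peer. The securityk9 licence note is an assumption about the Packet Tracer router model in use.

```cisco
! Added example: IPsec LAN-to-LAN tunnel, both routers. On Packet Tracer ISR
! models the crypto commands are rejected until the security package is enabled,
! e.g. on a 1941: "license boot module c1900 technology-package securityk9",
! then reload (assumption about the lab's router model).

! ----- IPSEC Lab Router 1 -----
configure terminal
 crypto isakmp policy 10
  encryption aes 256
  authentication pre-share
  group 5
  lifetime 3600
 crypto isakmp key cisco123 address 20.1.1.253
 crypto ipsec security-association lifetime seconds 1800
 crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
 ! interesting traffic: Router 1's LAN to Router 2's LAN
 access-list 101 permit ip 192.168.1.0 0.0.0.255 15.1.1.0 0.0.0.255
 crypto map CMAP 10 ipsec-isakmp
  set peer 20.1.1.253
  set pfs group5
  set security-association lifetime seconds 900
  set transform-set 50
  match address 101
 interface GigabitEthernet 0
  crypto map CMAP
end

! ----- IPSEC Lab Router 2 (mirror image: peer and ACL are reversed) -----
configure terminal
 crypto isakmp policy 10
  encryption aes 256
  authentication pre-share
  group 5
  lifetime 3600
 crypto isakmp key cisco123 address 10.1.1.253
 crypto ipsec security-association lifetime seconds 1800
 crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
 access-list 101 permit ip 15.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 crypto map CMAP 10 ipsec-isakmp
  set peer 10.1.1.253
  set pfs group5
  set security-association lifetime seconds 900
  set transform-set 50
  match address 101
 interface GigabitEthernet 0
  crypto map CMAP
end

! verification, after pinging IPSEC Lab Server 1 from IPSEC Lab Server 2
show crypto isakmp sa
show crypto ipsec sa
```

The first ping or two usually time out while IKE phase 1 and 2 negotiate; after that `show crypto isakmp sa` shows the peer as QM_IDLE / ACTIVE and the `#pkts encaps` and `#pkts decaps` counters in `show crypto ipsec sa` climb with every echo. The crypto ACLs must be exact mirrors of each other, otherwise phase 2 fails on a proxy-identity mismatch even though phase 1 is up. The per-map lifetime of 900 seconds overrides the global 1800 for this SA, and `set pfs group5` forces a fresh Diffie-Hellman exchange at each of those rekeys. The table leaves the ISAKMP hash at its default (SHA-1) on both sides, so the policies still match. Group 5 and a short pre-shared key are acceptable for the lab; for a real deployment prefer at least DH group 14 and a long random key.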

  - Configure Authentication and Accounting.
    - Configure AAA-Lab-Router1 & AAA-Lab-Switch1 to allow remote access using Telnet, authenticating the user using TACACS+. HINT: Don't lock yourself out. Wait to save the configuration until after you verify that you can access the device remotely with AAA configured. That way you can simply reload the router to recover CLI access if needed.
      - Enable AAA
      - AAA authentication = Configure logins to use a default method of the group TACACS+. Also use local login as a fallback.
      - TACACS server host and key = 30.1.1.254, key cisco123 (use the command that combines the host and key on the same line)
      - Configure VTY lines 0 to 4 to use transport input telnet, and login authentication should be default.
      - Configure a local username and encrypted password.
        - Username = localadmin
        - Encrypted password = cisco12345
        This should only be used if the TACACS server is not reachable.
    - Configure AAA-Lab-Router1 & AAA-Lab-Switch1 to use accounting services
      - Accounting for exec sessions should have a default method for start and stop messages that uses the group tacacs+
    - Configure Lab Server1 as a TACACS server.
      - Enable the AAA service under the "Services" tab
      - Configure the AAA server to allow both AAA Lab Router1 and AAA Lab Switch1 to use it for authentication. There will be two entries.
        - Client Name = hostname of AAA Lab Router1 and AAA Lab Switch1
        - Client IP = IP address of AAA Lab Router1 and AAA Lab Switch1
        - Secret = cisco123
        - ServerType = TACACS
      - Add a user:
        - Username = admin
        - Password = cisco12345
    - Configure logging on AAA-Lab-Router1 & AAA-Lab-Switch1
      - Enable logging and log to 30.1.1.254.
      - Trap debug-level logs and enable userinfo logging
    - Configure Lab Server1 as a syslog server
      - Enable the syslog service under the "Services" tab
      - Return here to see if AAA accounting is working.

    - Does it work?
      - From Lab Server1, see if you can telnet to AAA-Lab-Router1 & AAA-Lab-Switch1. You should be prompted to log in with a username and then a password. Use the username and password that you set in the AAA server (admin:cisco12345).
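Worked example (added here, not part of the original assignment): AAA-Lab-Router1 configured for TACACS+ login with local fallback, EXEC accounting, and syslog to Lab Server1; the same commands apply to AAA-Lab-Switch1. The example assumes the device already has an addressed interface that reaches 30.1.1.254 (the page says basic IP connectivity exists) and that the debug commands at the end are available on the Packet Tracer image in use.

```cisco
! Added example: AAA-Lab-Router1. Do NOT "write memory" until the Telnet login
! from Lab Server1 has been verified; an unsaved lockout is undone by a reload.
configure terminal
 ! local fallback account first, so the VTYs are never without a valid login
 username localadmin secret cisco12345
 aaa new-model
 ! combined host-and-key form requested by the lab (single line)
 tacacs-server host 30.1.1.254 key cisco123
 ! method list: TACACS+ first; "local" is consulted only when no TACACS+
 ! server answers, not when the server rejects the credentials
 aaa authentication login default group tacacs+ local
 ! start/stop records for every EXEC session, sent to the TACACS+ server
 aaa accounting exec default start-stop group tacacs+
 ! syslog to Lab Server1 at debugging level, plus privilege-change messages
 logging host 30.1.1.254
 logging trap debugging
 logging userinfo
 line vty 0 4
  transport input telnet
  login authentication default
 exit
end
! watch the exchange while logging in as admin from Lab Server1
debug aaa authentication
debug tacacs
```

The order above is deliberate: the local account exists before `aaa new-model` is enabled, because that command immediately changes the VTY lines to use the default login method list and, until the list is defined, they would fall back to the local database with no users in it. Confirm from the console that `show running-config` has not been saved, telnet in from Lab Server1 as admin/cisco12345, then check the Lab Server1 syslog and AAA service tabs for the accounting start record before saving. Telnet is what this lab asks for, but it carries the username, password and the whole session in the clear; the production devices in the first section use SSH for exactly that reason.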

- Troubleshooting
  - Users at East Lake are complaining that they can't get to www.afa.com or www.afainternal.com. Troubleshoot and fix the problem.
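Worked example (added here, not part of the original assignment): a top-down isolation sequence for the East Lake complaint. The page does not say what the fault is, so this sequence locates it rather than fixes it; the PC-side commands are from the Packet Tracer PC command prompt, the rest run on the East Lake router, whose hostname and interfaces are not named on the page.

```cisco
! Added example: isolate the East Lake web failure. Step 1 runs on an East Lake
! PC (Packet Tracer command prompt); steps 2 and 3 on the East Lake router and
! access switch. Whether the site uses NAT is not stated; skip those lines if not.
!
! 1. PC: separate a name-resolution failure from a reachability failure.
!    ipconfig /all                 is the gateway right, is DNS 192.168.50.2?
!    ping 192.168.50.2             internal DNS/web server by address
!    ping 64.102.174.10            external web server by address
!    nslookup www.afainternal.com  answered by 192.168.50.2?
!    nslookup www.afa.com          forwarded/answered at all?
!    (by-IP works but by-name fails => DNS; both fail => path or filtering)
!
! 2. Router: path, addressing and filtering toward both servers
show ip interface brief
show ip route 192.168.50.0
show ip route 64.102.174.0
show access-lists
show ip nat translations
show ip nat statistics
!
! 3. Access switch: is the users' VLAN carried toward the router?
show vlan brief
show interfaces trunk
```

Read the results in that order. A failing `ping 64.102.174.10` with a working `ping 192.168.50.2` points at the default route or the edge, not at East Lake; the reverse points at the internal path. A name that fails while the address works is a DNS setting on the PC, on the DHCP scope that hands it out, or a filter blocking UDP/53 to 192.168.50.2. In `show access-lists`, look for a deny entry whose hit counter increases while a user retries.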


Submit Packet Tracer Activity

Submit your Packet Tracer file using the instructions found on the Netacad CP-IX Regional Round assignment.

1. Save the Packet Tracer file to your desktop following this naming convention: "PT-Round2_<team number>.pka". Example: PT-Round2_09-9758.pka
2. Complete the assignment by clicking on the "Submit Assignment" button on the right side of this page. You will then have the option to upload the Packet Tracer file and submit the assignment.
If you upload the wrong file you will get zero points for the exercise.