10.8.1.1 Lab - CCNA Security Comprehensive Lab - Instructor

Uploaded by

Salem Trabelsi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
282 views75 pages

10.8.1.1 Lab - CCNA Security Comprehensive Lab - Instructor

Uploaded by

Salem Trabelsi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 75

CCNA Security

Lab - CCNA Security Comprehensive Lab (Instructor Version)


Topology

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 75
Lab - CCNA Security Comprehensive Lab

IP Addressing Table

Device  Interface        IP Address       Subnet Mask       Default Gateway  Switch Port
R1      Fa0/0            209.165.200.9    255.255.255.248   N/A              ASA E0/0
R1      S0/0/0 (DCE)     10.10.10.1       255.255.255.252   N/A              N/A
R1      Loopback 1       172.20.1.1       255.255.255.0     N/A              N/A
R2      S0/0/0           10.10.10.2       255.255.255.252   N/A              N/A
R2      S0/0/1 (DCE)     10.20.20.2       255.255.255.252   N/A              N/A
R3      Fa0/1            172.16.1.1       255.255.255.0     N/A              S3 Fa0/5
R3      S0/0/1           10.20.20.1       255.255.255.252   N/A              N/A
S1      VLAN 1           192.168.2.11     255.255.255.0     192.168.2.1      N/A
S2      VLAN 1           192.168.1.11     255.255.255.0     192.168.1.1      N/A
S3      VLAN 1           172.16.1.11      255.255.255.0     172.30.3.1       N/A
ASA     VLAN 1 (E0/1)    192.168.1.1      255.255.255.0     N/A              S2 Fa0/24
ASA     VLAN 2 (E0/0)    209.165.200.10   255.255.255.248   N/A              R1 Fa0/0
ASA     VLAN 2 (E0/2)    192.168.2.1      255.255.255.0     N/A              S1 Fa0/24
PC-A    NIC              192.168.2.3      255.255.255.0     192.168.2.1      S1 Fa0/6
PC-B    NIC              192.168.1.3      255.255.255.0     192.168.1.1      S2 Fa0/18
PC-C    NIC              172.16.1.3       255.255.255.0     172.16.1.1       S3 Fa0/18

Objectives
Part 1: Create a Basic Technical Security Policy
Part 2: Configure Basic Device Settings
Part 3: Configure Secure Router Administrative Access
- Configure encrypted passwords and a login banner.
- Configure the EXEC timeout value on console and vty lines.
- Configure login failure rates and vty login enhancements.
- Configure Secure Shell (SSH) access and disable Telnet.
- Configure local authentication, authorization, and accounting (AAA) user authentication.
- Secure the router against login attacks, and secure the IOS image and configuration file.
- Configure a router NTP server and router NTP clients.
- Configure router syslog reporting and a syslog server on a local host.
Part 4: Configure a Site-to-Site VPN between ISRs
- Configure an IPsec site-to-site VPN between R1 and R3 using the Cisco Configuration Professional (CCP).
Part 5: Configure a Zone-Based Policy Firewall and Intrusion Prevention System
- Configure a Zone-Based Policy Firewall (ZBF) on an ISR using CCP.
- Configure an intrusion prevention system (IPS) on an ISR using CCP.
Part 6: Secure Network Switches
- Configure passwords and a login banner.
- Configure management VLAN access.
- Secure access ports.
- Protect against Spanning Tree Protocol (STP) attacks.
- Configure port security and disable unused ports.
Part 7: Configure ASA Basic Settings and Firewall
- Configure basic settings, passwords, date, and time.
- Configure the inside and outside VLAN interfaces.
- Configure port address translation (PAT) for the inside network.
- Configure a Dynamic Host Configuration Protocol (DHCP) server for the inside network.
- Configure administrative access via Telnet and SSH.
- Configure a static default route for the Adaptive Security Appliance (ASA).
- Configure Local AAA user authentication.
- Configure a DMZ with a static NAT and ACL.
- Verify address translation and firewall functionality.
Part 8: Configure a DMZ, Static NAT, and ACLs
Part 9: Configure ASA Clientless SSL VPN Remote Access
- Configure a remote access SSL VPN using the Cisco Adaptive Security Device Manager (ASDM).
- Verify SSL VPN access to the portal.

Background / Scenario
This comprehensive lab is divided into nine parts. The parts should be completed sequentially. In Part 1, you
will create a basic technical security policy. In Part 2, you configure the basic device settings. In Part 3, you
will secure a network router using the command-line interface (CLI) to configure various IOS features,
including AAA and SSH. In Part 4, you will configure a site-to-site VPN between R1 and R3 through the ISP
router (R2). In Part 5, you will configure a ZBF and IPS on an ISR. In Part 6, you will configure a network
switch using the CLI. In Parts 7 to 9, you will configure the ASA firewall functionality and clientless SSL VPN
remote access.
Note: The router commands and output in this lab are from a Cisco 1841 router using Cisco IOS software,
release 15.1(4)M8 (Advanced IP Services image). The switch commands and output are from Cisco
WS-C2960-24TT-L switches with Cisco IOS Release 15.0(2)SE4 (C2960-LANBASEK9-M image). Other routers,
switches, and Cisco IOS versions can be used. See the Router Interface Summary Table at the end of the lab
to determine which interface identifiers to use based on the equipment in the lab. Depending on the router, or
switch model and Cisco IOS version, the commands available and output produced might vary from what is
shown in this lab.
The ASA used with this lab is a Cisco model 5505 with an 8-port integrated switch, running OS version 8.4(2)
and the Adaptive Security Device Manager (ASDM) version 7.2(1) and comes with a Base license that allows
a maximum of three VLANs.
Note: Ensure that the routers and switches have been erased and have no startup configurations.
Instructor Note: Instructions for initializing the network devices are provided in Lab 0.0.0.0. Instructions for
erasing the ASA and accessing the console are provided in this lab.

Required Resources
- 3 Routers (Cisco 1841 with Cisco IOS Release 15.1(4)M8 Advanced IP Services image or comparable)
- 3 Switches (Cisco 2960 with cryptography IOS image for SSH support – Release 15.0(2)SE4 or comparable)
- 1 ASA 5505 (OS version 8.4(2) and ASDM version 7.2(1) and Base license or comparable)
- 3 PCs (Windows Vista or Windows 7 with CCP 2.5, Cisco VPN Client, latest version of Java, Internet Explorer, and Flash Player)
- Serial and Ethernet cables as shown in the topology
- Console cables to configure Cisco networking devices
CCP Notes:
- Refer to Lab 0.0.0.0 for instructions on how to install and run CCP.
- If the PC on which CCP is installed is running Windows Vista or Windows 7, it may be necessary to right-click on the CCP icon or menu item, and choose Run as administrator.
- In order to run CCP, it may be necessary to temporarily disable antivirus programs and O/S firewalls. Make sure that all pop-up blockers are turned off in the browser.

Part 1: Create a Basic Technical Security Policy (Chapters 1 and 10)


In Part 1, you will create a Network Device Security Guidelines document that can serve as part of a
comprehensive network security policy. This document addresses specific router and switch security
measures and describes the security requirements to be implemented on the infrastructure equipment.

Task 1: Identify Potential Sections of a Basic Network Security Policy.


A network security policy should include several key sections that address potential issues for users,
network access, device access, and other areas. List some key sections you think could be part of a good
basic security policy.
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary but could include the following:
- Introduction
- Acceptable Use Policy
- E-mail and Communications Activities
- Antivirus Policy
- Identity Policy
- Password Policy
- Encryption Policy
- Remote Access Policy
- Virtual Private Network (VPN) Policy
- Extranet Policy
- Device management policy
- Physical device security policy

Task 2: Create a “Network Equipment Security Guidelines” Document As a Supplement to a Basic Security Policy

Step 1: Review the objectives from previous CCNA Security labs.


a. Open each of the previous labs completed from chapters 1 to 9, and review the objectives listed for each
one.
b. Copy the objectives to a separate document for use as a starting point. Focus mainly on those objectives
that involve security practices and device configuration.

Step 2: Create a “Network Device Security Guidelines” document for router and switch security.
Create a high-level list of tasks to include for network access and device security. This document should
reinforce and supplement the information presented in a basic Security Policy. It is based on the content of
previous CCNA Security labs and on the networking devices present in the course lab topology.
Note: The “Network Device Security Guidelines” document should be no more than two pages, and is the
basis for the equipment configuration in the remaining parts of the lab.

Step 3: Submit the Network Device Security Guidelines to your instructor.


Provide the “Network Device Security Guidelines” documents to your instructor for review before starting Part
2 of this lab. You can send them as e-mail attachments or put them on removable storage media, such as a
flash drive.
Instructor Note: The following is an example of how the Network Device Security Guidelines document might
look. Be sure the students have addressed the categories and steps shown here.
Technical Policies Supplement to Security Policies
Network Device Security Guidelines
Unless otherwise indicated, these policy guidelines apply to all primary network devices such as switches and
routers.
Router Administrative Access
The following steps must be taken to secure and harden routers:
1) Configure the enable secret, console, and vty passwords.
2) Encrypt all passwords, which should be a minimum of 10 characters. Passwords should include a
combination of uppercase, lowercase, numbers, and special characters.
3) Configure a login banner warning unauthorized users of the penalties of accessing this device.
4) Configure an administrative user with privilege level 15 and a secret password.
5) Configure an SSH server and disable Telnet access.
6) Configure a centralized synchronized time source using NTP.
7) Configure syslog support on edge routers.
8) Enable HTTP secure server for web-based access.
9) Configure centralized authentication for each site using AAA and RADIUS.
10) Disable unneeded services.
11) Configure static routing between edge routers and the ISP.
Router Firewalls and Intrusion Prevention

Configure a firewall on edge routers using CCP zone-based firewall tools. The firewall must allow external
SSH connections, VPN traffic, and NTP.
Configure a Cisco IOS Intrusion Prevention System (IPS) on the internal and external interfaces of the
edge router.
Switch Security Measures
The following steps should be taken to secure and harden switches:
1) Configure the enable secret, console, and vty passwords.
2) Encrypt all passwords, which should be a minimum of 10 characters. Passwords should include a
combination of uppercase, lowercase, numbers, and special characters.
3) Configure a login banner warning unauthorized users of the penalties of accessing this device.
4) Configure an administrative user with privilege level 15 and a secret password.
5) Configure NTP to access a centralized synchronized time source.
6) Configure an SSH server and disable Telnet access.
7) Disable the HTTP server.
8) Configure centralized authentication using AAA and RADIUS.
9) Configure forced trunking mode on trunk ports.
10) Change the native VLAN for trunk ports to an unused VLAN.
11) Enable storm control for broadcasts.
12) Configure all active non-trunk ports as access ports.
13) Enable PortFast and BPDU guard on all active ports.
14) Configure port security.
15) Disable unused ports.
Device Operating System and Configuration File Security
1) Back up device Cisco IOS images to a TFTP server.
2) Back up device running configs to a TFTP server.
3) Secure the Cisco IOS image and configuration files.
VPN Remote Access
1) Configure corporate router support for remote access IPsec VPN connections.
2) Provide the Cisco VPN Client on external hosts.

Part 2: Configure Basic Device Settings (Chapters 2 and 6)


Step 1: Cable the network as shown in the topology.
Attach the devices as shown in the topology diagram, and cable as necessary.

Step 2: Configure basic settings for all routers.


a. Configure hostnames as shown in the topology.
b. Configure the interface IP addresses as shown in the IP addressing table.
c. Configure a serial interface DCE clock rate of 128000 for the routers, if using routers other than those
specified with this lab.

Instructor Note: The Cisco ISR 1841 IOS and WICs used in this lab will auto configure the clock rate on
serial DCE interfaces and set it to 2000000.
d. Disable DNS lookup on each router.
R1(config)# no ip domain-lookup

Step 3: Configure static default routes on routers R1 and R3.


a. Configure a static default route from R1 to R2 and from R3 to R2.
R1(config)# ip route 0.0.0.0 0.0.0.0 s0/0/0

R3(config)# ip route 0.0.0.0 0.0.0.0 s0/0/1


b. Configure static routes from R2 to the R1 simulated LAN (Loopback 1), the R1 Fa0/0-to-ASA subnet, and
the R3 LAN.
R2(config)# ip route 172.20.1.0 255.255.255.0 s0/0/0
R2(config)# ip route 172.16.1.0 255.255.255.0 s0/0/1
R2(config)# ip route 209.165.200.8 255.255.255.248 s0/0/0

Step 4: Configure basic settings for each switch.


a. Configure hostnames, as shown in the topology.
b. Configure the VLAN 1 management address on each switch, as shown in the IP Addressing table.
S1(config)# interface vlan 1
S1(config-if)# ip address 192.168.2.11 255.255.255.0
S1(config-if)# no shutdown

S2(config)# interface vlan 1
S2(config-if)# ip address 192.168.1.11 255.255.255.0
S2(config-if)# no shutdown

S3(config)# interface vlan 1
S3(config-if)# ip address 172.16.1.11 255.255.255.0
S3(config-if)# no shutdown
c. Configure the IP default gateway for each of the three switches.
S1(config)# ip default-gateway 192.168.2.1

S2(config)# ip default-gateway 192.168.1.1

S3(config)# ip default-gateway 172.16.1.1


d. Disable DNS lookup on each switch.
S1(config)# no ip domain-lookup

Step 5: Configure PC host IP settings.


Configure a static IP address, subnet mask, and default gateway for each PC, as shown in the IP Addressing
table.

Step 6: Verify connectivity between PC-C and R1 Lo1 and Fa0/0.


PC-C:\> ping 172.20.1.1
PC-C:\> ping 209.165.200.9

Step 7: Save the basic running configuration for each router and switch.

Part 3: Configure Secure Router Administrative Access (Chapters 2 and 3)


You use the CLI to configure passwords and device access restrictions.

Task 1: Configure Access Passwords on All the Routers

Step 1: Configure the enable secret password.


Use ciscoenapa55 as the enable secret password.
R1(config)# enable secret ciscoenapa55

Step 2: Configure the console line.


Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout value to log out after
15 minutes of inactivity. Prevent console messages from interrupting command entry.
R1(config)# line console 0
R1(config-line)# password ciscoconpa55
R1(config-line)# exec-timeout 15 0
R1(config-line)# login
R1(config-line)# logging synchronous

Step 3: Configure the vty lines.


Configure the password for vty lines to be ciscovtypa55 and enable login. Set the exec-timeout value to log
out a session after 15 minutes of inactivity.
R1(config)# line vty 0 4
R1(config-line)# password ciscovtypa55
R1(config-line)# exec-timeout 15 0
R1(config-line)# login

Task 2: Configure Settings for R1 and R3

Step 1: Configure a minimum password length of 10 characters.


R1(config)# security passwords min-length 10

Step 2: Encrypt plaintext passwords.


R1(config)# service password-encryption
Note: This command applies the reversible type 7 encoding to the line passwords. It hides them from casual
viewing of the configuration but is not strong protection, which is why the enable and user passwords in this
lab are configured with the secret keyword, which stores a hash instead.

Step 3: Configure a login warning banner.


Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that says:
Unauthorized access strictly prohibited and prosecuted to the full extent of the law!
R1(config)# banner motd $Unauthorized access strictly prohibited!$

Step 4: Configure the router to log login activity.


a. Configure the router to generate system logging messages for both successful and failed login attempts.
Configure the router to log every successful login and log failed login attempts after every second failed
login.
R1(config)# login on-success log
R1(config)# login on-failure log every 2
R1(config)# exit
b. Issue the show login command. What additional information is displayed?
____________________________________________________________________________________
____________________________________________________________________________________
No login delay has been applied.
No Quiet-Mode access list has been configured.
All successful login is logged.
Every 2 failed login is logged.

Router NOT enabled to watch for login Attacks

Step 5: Enable HTTP access.


a. Enable the HTTP server on R1 to simulate an Internet target for later testing.
R1(config)# ip http server
b. Enable the secure HTTP server on R3 for secure CCP access.
R3(config)# ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

Step 6: Configure the local user database.


Create a local user account of Admin01 with a secret password of Admin01pa55 and a privilege level of 15,
and configure the local database to authenticate and access the HTTP sessions.
R3(config)# username Admin01 privilege 15 secret Admin01pa55
R3(config)# ip http authentication local

Task 3: Configure Local Authentication with AAA on R1 and R3

Step 1: Configure the local user database.


Create a local user account of Admin01 with a secret password of Admin01pa55 and a privilege level of 15.
R1(config)# username Admin01 privilege 15 secret Admin01pa55

Step 2: Enable AAA services.


R1(config)# aaa new-model

Step 3: Implement AAA services using the local database.


Create the default login authentication method list using case-sensitive local authentication as the first option,
and the enable password as the backup option to use if an error occurs in relation to local authentication.
R1(config)# aaa authentication login default local-case enable

Task 4: Configure the SSH Server on R1 and R3

Step 1: Configure the domain name.


Configure a domain name of ccnasecurity.com.
R1(config)# ip domain-name ccnasecurity.com

Step 2: Change the vty lines to accept SSH connections only.


Specify that the router vty lines accept only SSH connections. Because AAA was enabled in Task 3, logins on
these lines are authenticated against the local database through the default method list, so no separate
login command is needed on the lines.
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# exit

Step 3: Generate the RSA encryption key pair.


Configure the RSA keys with 1024 as the number of modulus bits.
R1(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R1.ccnasecurity.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
*Nov 29 19:08:58.215: %SSH-5-ENABLED: SSH 1.99 has been enabled

Step 4: Configure the SSH version.


Specify that the router accept only SSH version 2 connections.
R1(config)# ip ssh version 2

Step 5: Configure SSH timeouts and authentication parameters.


The default SSH timeouts and authentication parameters can be altered to be more restrictive. Configure the
SSH timeout to 90 seconds and the number of authentication attempts to 2.
R1(config)# ip ssh time-out 90
R1(config)# ip ssh authentication-retries 2

Step 6: Verify SSH connectivity to R1 from PC-C.


Launch the SSH client on PC-C, enter the R1 S0/0/0 IP address (10.10.10.1) and log in as Admin01 with the
password Admin01pa55. If prompted by the SSH client with a security alert regarding the server’s host key,
click Yes.

Task 5: Secure against Login Attacks and Secure the IOS and Configuration File on R1
and R3

Step 1: Configure enhanced login security.


If a user fails to log in twice within a 30-second time span, then disable logins for 1 minute. Log all failed login
attempts.
R1(config)# login block-for 60 attempts 2 within 30
R1(config)# login on-failure log

Step 2: Secure the Cisco IOS image and archive a copy of the running configuration.
a. The secure boot-image command enables Cisco IOS image resilience, which hides the file from the dir
and show commands. The file cannot be viewed, copied, modified, or removed using EXEC mode
commands. (It can be viewed in ROMMON mode.)
R1(config)# secure boot-image
.Dec 17 25:40:13.170: %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully
secured running image
b. The secure boot-config command takes a snapshot of the router running configuration and securely
archives it in persistent storage (flash).
R1(config)# secure boot-config
*Apr 25 05:08:39.247: %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured
config archive [flash:.runcfg-20140425-050838.ar]

Step 3: Verify that your image and configuration are secured.


a. You can use only the show secure bootset command to display the archived filename. Display the
status of configuration resilience and the primary bootset filename.
R1# show secure bootset
IOS resilience router id FTX1205Y0PT

IOS image resilience version 15.1 activated at 05:08:30 UTC Fri Apr 25 2014
Secure archive flash:c1841-advipservicesk9-mz.151-4.M8.bin type is image (elf) []
file size is 45756600 bytes, run size is 45922284 bytes
Runnable image, entry point 0x8000F000, run from ram

IOS configuration resilience version 15.1 activated at 05:08:38 UTC Fri Apr 25 2014
Secure archive flash:.runcfg-20140425-050838.ar type is config
configuration archive size 3272 bytes
What is the name of the archived running config file and on what is the name based?
____________________________________________________________________________________
____________________________________________________________________________________
Answers will vary, but will be in the following format: runcfg-20140425-050838.ar. The name is based on the
date and time at which the secure boot-config command archived the configuration.
b. Save the running configuration to the startup configuration from the privileged EXEC mode prompt.

Task 6: Configure a Synchronized Time Source Using NTP


R2 will be the master NTP clock source for R1 and R3.

Step 1: Set up the NTP master using Cisco IOS commands.


R2 is the master NTP server in this lab. All other routers and switches learn the time from it, either directly or
indirectly. For this reason, you must ensure that R2 has the correct Coordinated Universal Time (UTC) set.
a. Use the show clock command to display the current time set on the router.
R2# show clock
*01:19:02.331 UTC Mon Dec 15 2008
b. Use the clock set time command to set the time on the router.

R2# clock set 20:12:00 May 15 2014


*Dec 17 20:12:18.000: %SYS-6-CLOCKUPDATE: System clock has been updated from
01:20:26 UTC Thu Apr 24 2014 to 20:12:00 UTC Wed May 15 2014, configured from
console by admin on console.
c. Configure R2 as the NTP master using the ntp master stratum-number command in global configuration
mode. The stratum number indicates the distance from the original source. For this lab, use a stratum
number of 3 on R2. When a device learns the time from an NTP source, its stratum number becomes one
greater than the stratum number of its source.
R2(config)# ntp master 3

Step 2: Configure R1 and R3 as NTP clients using the CLI.


a. R1 and R3 will become NTP clients of R2. To configure R1, use the ntp server hostname global
configuration mode command. The hostname can also be an IP address. The ntp update-calendar
command periodically updates the calendar with the NTP time.
R1(config)# ntp server 10.10.10.2
R1(config)# ntp update-calendar
b. Verify that R1 has made an association with R2 with the show ntp associations command. You can also
use the more verbose version of the command by adding the detail argument. It might take some time for
the NTP association to form.
R1# show ntp associations

  address         ref clock       st   when   poll reach  delay  offset    disp
 ~10.10.10.2      127.127.1.1      3     14     64     3  0.000 -280073  3939.7
 *sys.peer, # selected, +candidate, -outlyer, x falseticker, ~ configured
c. Verify the time on R1 and R3 after they have made NTP associations with R2.
R1# show clock
*20:34:50.270 UTC Thu May 15 2014*20:12:24.859 UTC Wed Dec 17 2008

Task 7: Configure Syslog Support on R3 and PC-C

Step 1: Install the syslog server on PC-C.


a. The Tftpd32 software from jounin.net is free to download and install, and it includes a TFTP server, TFTP
client, and a syslog server and viewer. If not already installed, download Tftpd32 at
http://tftpd32.jounin.net and install it on PC-C.
b. Run the Tftpd32.exe file, click Settings, and ensure that the syslog server check box is checked. In the
SYSLOG tab, you can configure a file for saving syslog messages. Close the settings and in the main
Tftpd32 interface window, note the server interface IP address, and select the Syslog server tab to bring
it to the foreground.

Step 2: Configure R3 to log messages to the syslog server using the CLI.
a. Verify that you have connectivity between R3 and PC-C by pinging the R1 Fa0/1 interface IP address
172.16.1.3. If it is unsuccessful, troubleshoot as necessary before continuing.
b. NTP was configured in Task 2 to synchronize the time on the network. Displaying the correct time and
date in syslog messages is vital when using syslog to monitor a network. If the correct time and date of a
message is not known, it can be difficult to determine what network event caused the message.
Verify that the timestamp service for logging is enabled on the router using the show run command. Use
the service timestamps log datetime msec command if the timestamp service is not enabled.

R3(config)# service timestamps log datetime msec


c. Configure the syslog service on the router to send syslog messages to the syslog server.
R3(config)# logging host 172.16.1.3

Step 3: Configure the logging severity level on R3.


Logging traps can be set to support the logging function. A trap is a threshold that, when reached, triggers a
log message. The logging level can be adjusted to let the administrator determine what kinds of messages
are sent to the syslog server. Routers support eight levels of logging, ranging from 0 (emergencies),
indicating that the system is unstable, to 7 (debugging), which sends messages that include router
information.
Note: The default level for syslog is 6, informational logging. The default for console and monitor logging is 7,
debugging.
a. Use the logging trap command to set the severity level for R3 to level 4, warnings.
R3(config)# logging trap warnings
b. Use the show logging command to see the type and level of logging enabled.
R3# show logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 271 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  disabled, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

    Trap logging: level warnings, 0 message lines logged
        Logging to 172.16.1.3  (udp port 514, audit disabled,
              authentication disabled, encryption disabled, link up),
              0 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled
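The login watch from Task 5 Step 1 (login block-for 60 attempts 2 within 30) and the trap level set in this step together decide what the syslog server on PC-C ends up seeing. The following Python script is an added example, not part of the lab: it parses constructed IOS syslog lines of the kind R3 would send to 172.16.1.3, applies the logging trap severity filter and replays the block-for rule over the LOGIN_FAILED messages. The sample lines, their message counters and the assumed year 2014 are constructed for the example.

```python
"""Parse Cisco IOS syslog lines, apply the 'logging trap' severity filter and replay
the 'login block-for' watch logic over the LOGIN_FAILED messages (constructed example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Severity keywords accepted by "logging trap <level>" (0 = most severe).
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# <PRI>, optional IOS message counter, optional "service timestamps log datetime msec"
# stamp ('*' = clock not authoritative, '.' = NTP sync lost), then %FACILITY-SEVERITY-MNEMONIC.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:\d+:\s+)?"
    r"(?:(?P<auth>[*.]?)(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d{1,6})?)"
    r"(?:\s+[A-Z]{3,4})?:\s+)?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$")


@dataclass
class IosMessage:
    severity: int
    facility: str                    # IOS facility, e.g. SEC_LOGIN
    mnemonic: str                    # e.g. LOGIN_FAILED
    text: str
    timestamp: Optional[datetime]
    clock_authoritative: bool        # False while the '*' prefix is present (no NTP sync)
    syslog_facility: Optional[int]   # from <PRI>; IOS sends local7 (23) by default


def parse_line(line: str, year: int = 2014) -> IosMessage:
    """Parse one line as received by the syslog host. IOS timestamps carry no year,
    so the caller supplies it (2014 here is an assumption)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an IOS syslog line: {line!r}")
    ts = None
    if m.group("ts"):
        raw = re.sub(r"\s+", " ", m.group("ts"))
        fmt = "%b %d %H:%M:%S.%f" if "." in raw else "%b %d %H:%M:%S"
        ts = datetime.strptime(raw, fmt).replace(year=year)
    pri = m.group("pri")
    return IosMessage(severity=int(m.group("sev")), facility=m.group("fac"),
                      mnemonic=m.group("mnem"), text=m.group("text"), timestamp=ts,
                      clock_authoritative=(ts is not None and m.group("auth") == ""),
                      syslog_facility=(int(pri) >> 3) if pri is not None else None)


def forwarded_to_syslog(msgs: List[IosMessage], trap_level: int) -> List[IosMessage]:
    """Messages that pass 'logging trap <level>': severity number <= level."""
    return [m for m in msgs if m.severity <= trap_level]


def quiet_mode_windows(msgs: List[IosMessage], attempts: int = 2, within: int = 30,
                       block_for: int = 60) -> List[Tuple[datetime, datetime]]:
    """Replay the failures through the rule behind 'login block-for <block_for>
    attempts <attempts> within <within>' and return the quiet-mode windows entered."""
    failures = sorted((m for m in msgs if m.timestamp is not None
                       and (m.facility, m.mnemonic) == ("SEC_LOGIN", "LOGIN_FAILED")),
                      key=lambda m: m.timestamp)
    windows: List[Tuple[datetime, datetime]] = []
    recent: List[datetime] = []
    quiet_until: Optional[datetime] = None
    for m in failures:
        t = m.timestamp
        if quiet_until is not None and t < quiet_until:
            continue                                   # in quiet mode: not counted
        recent = [f for f in recent if t - f <= timedelta(seconds=within)]
        recent.append(t)
        if len(recent) >= attempts:
            quiet_until = t + timedelta(seconds=block_for)
            windows.append((t, quiet_until))
            recent = []                                # counter resets after blocking
    return windows


# Constructed sample of what R3 could send to 172.16.1.3:514 (PRI = 23*8 + severity).
FAIL = ("%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.16.1.3] "
        "[localport: 22] [Reason: Login Authentication Failed]")
SAMPLE_LINES = [
    "<189>45: *May 15 20:40:01.100: %SYS-5-CONFIG_I: Configured from console by admin on console",
    "<190>46: *May 15 20:40:05.300: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.1.3 "
    "port 514 started - CLI initiated",
    "<188>47: *May 15 20:40:12.223: " + FAIL,
    "<188>48: *May 15 20:40:25.510: " + FAIL,   # second failure within 30 s -> quiet mode
    "<188>49: *May 15 20:43:00.000: " + FAIL,
    "<188>50: *May 15 20:43:45.000: " + FAIL,   # 45 s later: outside the window, count restarts
    "<188>51: *May 15 20:44:05.000: " + FAIL,   # 20 s later -> second quiet-mode window
    "<189>52: *May 15 20:46:03.917: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: Admin01] "
    "[Source: 172.16.1.3] [localport: 22]",
]

if __name__ == "__main__":
    msgs = [parse_line(line) for line in SAMPLE_LINES]
    print(f"{len(forwarded_to_syslog(msgs, 4))} of {len(msgs)} messages reach the host "
          f"at level {SEVERITY_NAMES[4]}")
    for start, end in quiet_mode_windows(msgs):
        print(f"quiet mode {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

At logging trap warnings the SEC_LOGIN-5-LOGIN_SUCCESS messages generated by login on-success log are severity 5 and never reach the host, so the trap level must be raised to notifications if the syslog server is meant to record successful logins as well.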

Part 4: Configure a Zone-Based Policy Firewall and Intrusion Prevention System (Chapters 4 and 5)

In Part 4, you will configure a ZBF and IPS on R3 using CCP.

Task 1: Configure a ZBF on R3 Using CCP

Step 1: Access CCP and discover R3.


a. Start CCP on PC-C. In the Manage Devices window, add R3 IP address (172.16.1.1) in the first IP
address field. In the Username field, enter Admin01, and in the Password field, Admin01pa55. Ensure
that the Connect Securely check box is selected.
b. At the CCP Dashboard, click Discover to discover and connect to R3.

Step 2: Use the CCP Firewall wizard to configure ZBF.


a. On the CCP menu bar, click Configure > Security > Firewall > Firewall.
b. Select Basic Firewall and click Launch the selected task.
c. Specify Fa0/1 interface as the Inside (trusted) interface and S0/0/1 as the Outside (untrusted)
interface.
d. Click OK when the warning displays, informing you that you cannot launch CCP from the S0/0/1 interface
after the Firewall wizard completes.
e. Select Low Security, and complete the Firewall wizard.
f. Deliver the configuration to the router.

Step 3: Verify firewall functionality.


a. From PC-C, ping external router R2 interface S0/0/1 at IP address 10.20.20.2. The pings should be
successful.
b. From external router R2, ping PC-C at IP address 172.16.1.3. The pings should NOT be successful.
c. From PC-C on the R3 internal LAN, Telnet to R2 at IP address 10.20.20.2 and use password
ciscovtypa55.
C:\> telnet 10.20.20.2
User Access verification
Password: ciscovtypa55
d. With the Telnet session open from PC-C to R2, issue the show policy-map type inspect zone-pair
sessions command on R3 from the privileged EXEC mode prompt. Continue pressing Enter until you
see an Established Sessions section toward the end.
R3# show policy-map type inspect zone-pair sessions
<output omitted>
Inspect
Number of Established Sessions = 1
Established Sessions
Session 65F40040 (172.30.3.3:3035)=>(10.20.20.2:23) tacacs:tcp SIS_OPEN
Created 00:03:49, Last heard 00:01:14
Bytes sent (initiator:responder) [49:75]
<output omitted>

Task 2: Configure IPS on R3 Using CCP

Step 1: Prepare router R3 and the TFTP server.


To configure Cisco IOS IPS 5.x, the IOS IPS signature package file and public crypto key files must be
available on the PC with the TFTP server installed. R3 uses PC-C as the TFTP server. Check with your
instructor if these files are not on the PC.
a. Verify that the IOS-Sxxx-CLI.pkg signature package file is in the default TFTP folder. The xxx is the
version number and varies depending on which file was downloaded from Cisco.com.
b. Verify that the realm-cisco.pub.key.txt file is available and note its location on PC-C. This is the public
crypto key used by Cisco IOS IPS.
c. Verify or create the IPS directory (ipsdir) in router flash on R3. From the R3 CLI, display the content of
flash memory and check to see if the ipsdir directory exists.
Note: For router R3, the IPS signature (.xml) files in the flash:/ipsdir/ directory should have been deleted
and the directory removed prior to starting the SBA. The files must be deleted from the directory to
remove it.
R3# show flash
d. If the ipsdir directory is not listed, create it in privileged EXEC mode, using the mkdir command.
R3# mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir
Note: If the ipsdir directory is listed and there are files in it, contact your instructor. This directory must be
empty before configuring IPS. If there are no files in it, you may proceed to configure IPS.

Step 2: Verify the IOS IPS signature package location and TFTP server setup.
a. Verify connectivity between R3 and PC-C, the TFTP server, using the ping command.
b. Start Tftpd32 (or other TFTP server) and set the default directory to the one with the IPS signature
package in it. Note the filename for use in the next step.

Step 3: Access CCP and discover R3 (if required).


a. Start CCP on PC-C. In the Manage Devices window, add R3 IP address (172.16.1.1) in the first IP
address field.
b. In the Username field, enter Admin01, and in the Password field, Admin01pa55. Ensure that the
Connect Securely check box is selected. Enter the same username and password for subsequent login
dialog boxes, if prompted. Click OK > Discover (on the next screen).

Step 4: Use the CCP IPS wizard to configure IPS.


NETLAB+ Users: It may be necessary to copy the text from the public key file before starting the IPS
configuration process with CCP. If you are not using NETLAB+ to perform the SBA go to Step 4a.
a. On the CCP menu bar, click Configure > Security > Intrusion Prevention > Create IPS.
b. Click Launch IPS Rule Wizard to open the Welcome to the IPS Policies Wizard window.
c. Apply the IPS rule in the inbound direction for Serial0/0/1.
d. In the Signature File and Public Key window, specify the signature file with a URL and use TFTP to
retrieve the file from PC-C. Enter the IP address of the PC-C TFTP server and the filename.
e. In the Signature File and Public Key window, enter the name of the public key file, realm-cisco.pub.


f. On PC-C, open the public key file and copy the text that is between the phrase “key-string” and the word
“quit”. In the Configure Public Key section, paste the text into the Key field.
g. In the Config Location and Category window, specify the flash:/ipsdir/ directory name as the location to
store the signature information.
h. In the Config Location and Category window > Choose Category field, select basic.
i. Click Next to display the Summary window, and click Finish.
j. On the Deliver Configuration to Device screen, click Deliver to deliver the commands to the router.
Note: Allow the signature configuration process to complete. This can take several minutes.

Part 5: Configure a Site-to-Site IPsec VPN between ISRs (Chapter 8)


In Part 5, you will use CCP to configure an IPsec VPN tunnel between R1 and R3 that passes through R2.

Task 1: Configure the Site-to-Site VPN between R1 and R3

Step 1: Use the CCP VPN wizard to configure R3.


a. On the CCP menu bar, click Configure > Security > VPN > Site-to-Site VPN.
b. Select the Create a Site to Site VPN option to configure the R3 side of the site-to-site VPN. Click
Launch the selected task.
c. Verify that Quick setup option is selected, and click Next.

Step 2: Configure basic VPN connection information settings.


a. On the VPN Connection Information screen, select R3 S0/0/1 as the interface for the connection.
b. In the Peer Identity section, specify R1 interface S0/0/0 (10.10.10.1) as the remote peer static IP
address.
c. In the Authentication section, specify the pre-shared VPN key cisco12345.
d. In the Traffic to encrypt section, specify the R3 source interface FastEthernet0/1 and the destination IP
address of the R1 Loopback 1 network (172.20.1.0/24). Click Next.
e. Click Finish on the Summary of the Configuration screen.

Step 3: Generate a mirror configuration from R3 and apply it to R1.


a. When returned to the CCP VPN Edit Site-to-Site VPN screen on R3, click Generate mirror to create the
IOS commands for application to router R1.
b. Click Save and save the generated configuration CLI commands to a text file on the desktop or flash
drive on PC-C.
c. Edit the file as necessary to remove notes and non-essential components.
d. From PC-C, SSH to R1 using SSH client. Log in to R1 using Admin01 and Admin01pa55 for the
password. The enable password on R1 is ciscoenapa55.
e. Copy the mirrored commands from the text file that you saved on PC-C to the R1 command prompt in
global configuration mode.
f. Apply the crypto map named in the configuration to the R1 S0/0/0 interface.
R1(config)# interface s0/0/0
R1(config-if)# crypto map SDM_CMAP_1


Task 2: Test the Site-to-Site IPsec VPN Using CCP

Step 1: On R3 (PC-C), use CCP to test the IPsec VPN tunnel between the two routers.
a. On the CCP menu bar, click Configure > Security > VPN > Site-to-Site VPN and select the Edit Site-
to-Site VPN tab.
b. In the Edit Site to Site VPN tab, select the VPN you just configured, and click Test Tunnel.
c. When the VPN Troubleshooting window displays, click Start to have CCP troubleshoot the tunnel.
d. When the CCP Warning window displays, indicating that CCP will enable router debugs and generate
some tunnel traffic, click Yes to continue.
e. In the next VPN Troubleshooting window, the IP address of the R3 Fa0/1 interface in the source network
is displayed by default (172.16.1.1). Enter the IP address of the R1 Loopback 1 interface in the
Destination Network field (172.20.1.1), and click Continue to begin the debugging process.
If the debug is successful, you should see an Information window indicating that troubleshooting was
successful and the tunnel is up.

Step 2: Ping from PC-C to the R1 Lo1 interface at 172.20.1.1 to generate some interesting traffic.

Step 3: Issue the show crypto isakmp sa command on R3 to view the security association
created.
R3# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.10.10.1 10.20.20.1 QM_IDLE 1001 0 ACTIVE

Step 4: Issue the show crypto ipsec sa command on R1 to see how many packets have been
received from R3 and decrypted by R1.
R1# show crypto ipsec sa

interface: Serial0/0/0
Crypto map tag: SDM_CMAP_1, local addr 10.10.10.1

protected vrf: (none)


local ident (addr/mask/prot/port): (172.20.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer 10.20.20.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
#pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.20.20.1


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x4B434C19(1262701593)


inbound esp sas:


spi: 0x425D0AA3(1113393827)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: FPGA:1, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4413304/3479)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
<output omitted>
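Reading this output by hand is error-prone, so the following script, an added example that is not part of the lab, parses the fields shown above and grades the SA: it confirms traffic is being encapsulated and decapsulated in both directions with no errors and anti-replay enabled, and it flags weak transforms. Note that the CCP Quick setup default seen above, esp-3des, is disallowed for new encryption by NIST SP 800-131A; prefer AES-256 (esp-aes 256 in the transform-set command) with esp-sha256-hmac where the IOS image supports them. SAMPLE_SA is constructed from the R1 output in this step.

```python
"""Grade an IPsec SA from `show crypto ipsec sa` output (added example, not part of the lab)."""
import re

# Constructed from the R1 output shown in the lab.
SAMPLE_SA = """\
interface: Serial0/0/0
    Crypto map tag: SDM_CMAP_1, local addr 10.10.10.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.20.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 10.20.20.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
    #pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x425D0AA3(1113393827)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        replay detection support: Y
        Status: ACTIVE
"""

# Transforms that should not be used for new tunnels.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def _field(pattern, text):
    """Return the first regex group of `pattern`, failing loudly if the field is absent."""
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1)


def parse_ipsec_sa(text):
    """Pull the fields worth checking out of one SA block."""
    return {
        "peer": _field(r"current_peer (\S+)", text),
        "encaps": int(_field(r"#pkts encaps: (\d+)", text)),
        "decaps": int(_field(r"#pkts decaps: (\d+)", text)),
        "send_errors": int(_field(r"#send errors (\d+)", text)),
        "recv_errors": int(_field(r"#recv errors (\d+)", text)),
        "transforms": _field(r"transform: ([^,]+)", text).split(),
        "replay": _field(r"replay detection support: (\w)", text) == "Y",
        "status": _field(r"Status: (\w+)", text),
    }


def assess_tunnel(text):
    """Return (parsed fields, list of issues); an empty list means the SA looks healthy."""
    info = parse_ipsec_sa(text)
    issues = []
    if info["status"] != "ACTIVE":
        issues.append("SA is not ACTIVE")
    if info["encaps"] == 0 or info["decaps"] == 0:
        issues.append("no traffic in at least one direction; check the crypto ACL on both peers")
    if info["send_errors"] or info["recv_errors"]:
        issues.append("send/recv errors present; check MTU and peer transform match")
    if not info["replay"]:
        issues.append("anti-replay is disabled")
    for t in info["transforms"]:
        if t in WEAK_TRANSFORMS:
            issues.append(f"weak transform {t}; prefer esp-aes 256 with esp-sha256-hmac")
    return info, issues


if __name__ == "__main__":
    info, issues = assess_tunnel(SAMPLE_SA)
    print(f'peer {info["peer"]}: encaps={info["encaps"]} decaps={info["decaps"]}')
    for issue in issues:
        print("  -", issue)
```

Run it against the lab output and the only finding is the 3DES transform; a matching encaps/decaps count after the PC-C ping is the evidence that the crypto ACLs on R1 and R3 mirror each other.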

Part 6: Secure Network Switches (Chapter 6)


Note: Not all security features in this part of the lab will be configured on all switches, although they normally
would be in a production network.
Instructor Note: In the interest of time, the security features are configured on just S1, except where noted.

Task 1: Configure Passwords and a Login Banner on S1

Step 1: Configure the enable secret password.


Use an enable secret password of ciscoenapa55.
S1(config)# enable secret ciscoenapa55

Step 2: Encrypt plaintext passwords.


S1(config)# service password-encryption

Step 3: Configure the console and vty lines.


a. Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout value to log out
after five (5) minutes of inactivity. Prevent console messages from interrupting command entry.
S1(config)# line console 0
S1(config-line)# password ciscoconpa55
S1(config-line)# exec-timeout 5 0
S1(config-line)# login
S1(config-line)# logging synchronous
b. Configure a vty lines password of ciscovtypa55 and enable login. Set the exec-timeout value to log out
after five (5) minutes of inactivity.
S1(config)# line vty 0 4
S1(config-line)# password ciscovtypa55
S1(config-line)# exec-timeout 5 0
S1(config-line)# login

Step 4: Configure a login warning banner.


Configure a warning to unauthorized users with a MOTD banner that says “Unauthorized access strictly
prohibited!”.
S1(config)# banner motd $Unauthorized access strictly prohibited!$
S1(config)# exit


Step 5: Disable HTTP access.


HTTP access to the switch is enabled by default. To prevent HTTP access, disable the HTTP server and
HTTP secure server.
S1(config)# no ip http server
S1(config)# no ip http secure-server

Task 2: Secure Access Ports on S1

Step 1: Disable trunking on access ports that are in use.


On S1, configure port F0/6 as access mode only.
S1(config)# interface FastEthernet 0/6
S1(config-if)# switchport mode access

Step 2: Enable PortFast on access ports that are in use.


PortFast is configured on access ports that connect to a workstation or server to enable the port to forward
traffic more quickly.
Enable PortFast on the S1 Fa0/6 access port.
S1(config)# interface FastEthernet 0/6
S1(config-if)# spanning-tree portfast

Step 3: Enable BPDU guard on access ports that are in use.


Enable BPDU guard on the F0/6 access port.
S1(config)# interface FastEthernet 0/6
S1(config-if)# spanning-tree bpduguard enable

Task 3: Configure Port Security and Disable Unused Ports

Step 1: Configure basic port security for the S1 access port.


Shut down the user access port that is in use on S1 and enable basic default port security. This sets the
maximum number of secure MAC addresses to 1 and the violation action to shutdown. Use the sticky option so
that the secure MAC address dynamically learned on the port is added to the switch running configuration.
Re-enable the access port to which port security was applied.
S1(config)# interface FastEthernet 0/6
S1(config-if)# shutdown
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)# no shutdown

Step 2: Disable unused ports on S1.


As a further security measure, disable any ports not being used on each switch.
According to the addressing table, only ports Fa0/6 (PC-A) and Fa0/24 (ASA E0/2) are in use on switch S1.
Shut down the remaining Fast Ethernet ports and the two Gigabit Ethernet ports.
S1(config)# interface range Fa0/1 - 5
S1(config-if-range)# shutdown
S1(config-if-range)# interface range Fa0/7 - 23


S1(config-if-range)# shutdown
S1(config-if-range)# interface range gigabitethernet0/1 - 2
S1(config-if-range)# shutdown

Step 3: Save the running configuration to the startup configuration for each switch.
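Before saving, it is worth checking the running configuration against every control in Part 6 rather than eyeballing it. The script below is an added example, not part of the lab: it parses a saved `show running-config` from a Catalyst switch and reports which of the lab's controls are missing (enable secret, password encryption, MOTD banner, HTTP/HTTPS server disabled, login and a non-zero exec-timeout on console and vty lines, and access mode, port security, PortFast and BPDU guard on every Ethernet port that is not shut down). SAMPLE_CONFIG is constructed to resemble S1 after Part 6, with two deliberate gaps (Fa0/7 left active and unsecured, and no exec-timeout on the vty lines) so the checks have something to find.

```python
"""Audit a Cisco IOS switch running-config for the Part 6 hardening items (added example)."""

# Constructed sample: S1 after Part 6, except that Fa0/7 was left active and
# unsecured and the vty lines have no exec-timeout (deliberate gaps).
SAMPLE_CONFIG = """\
hostname S1
!
enable secret 5 $1$abcd$EXAMPLEHASHONLY
service password-encryption
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 switchport mode access
!
no ip http server
no ip http secure-server
!
banner motd ^CUnauthorized access strictly prohibited!^C
!
line con 0
 exec-timeout 5 0
 password 7 0822455D0A16
 logging synchronous
 login
line vty 0 4
 password 7 0822455D0A16
 login
!
end
"""

# Per-port controls the lab applies to every access port left enabled.
PORT_CONTROLS = {
    "access mode": "switchport mode access",
    "port-security": "switchport port-security",
    "portfast": "spanning-tree portfast",
    "bpduguard": "spanning-tree bpduguard enable",
}


def parse_sections(config):
    """Split a running-config into {header: [body lines]}.

    Top-level commands go under the "" header; indented lines belong to the
    preceding 'interface ...' or 'line ...' command. A multi-line MOTD banner
    still matches because its first line begins with 'banner motd'.
    """
    sections = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = ""
            sections[""].append(line)
    return sections


def audit_config(config):
    """Return a sorted list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    top = sections[""]
    findings = []

    # Global controls from Task 1.
    if not any(l.startswith("enable secret") for l in top):
        findings.append("global: no enable secret")
    if "service password-encryption" not in top:
        findings.append("global: service password-encryption missing")
    if not any(l.startswith("banner motd") for l in top):
        findings.append("global: no MOTD banner")
    if "no ip http server" not in top:
        findings.append("global: HTTP server not disabled")
    if "no ip http secure-server" not in top:
        findings.append("global: HTTPS server not disabled")

    for header, body in sections.items():
        if header.startswith("line "):
            # Console and vty lines: require login plus a non-zero exec-timeout.
            if not any(l.startswith("login") for l in body):
                findings.append(f"{header}: login not required")
            timeout = next((l for l in body if l.startswith("exec-timeout")), None)
            if timeout is None:
                findings.append(f"{header}: exec-timeout not set (default 10 min)")
            elif timeout.split()[1:3] == ["0", "0"]:
                findings.append(f"{header}: exec-timeout disabled")
        elif header.startswith("interface ") and "Ethernet" in header:
            if "shutdown" in body:
                continue  # an unused port that was disabled as Task 3 requires
            for name, cmd in PORT_CONTROLS.items():
                if cmd not in body:
                    findings.append(f"{header}: missing {name}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Running it on the sample reports the three missing port controls on Fa0/7 and the missing vty exec-timeout; on a switch that follows Part 6 exactly, the list is empty.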

Part 7: Configure ASA Basic Settings and Firewall (Chapter 9)


Task 1: Prepare the ASA for ASDM Access

Step 1: Clear the previous ASA configuration settings.


a. Use the write erase command to remove the startup-config file from flash memory.
ciscoasa# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa#
b. Use the reload command to restart the ASA.
ciscoasa# reload
Proceed with reload? [confirm] <enter>
ciscoasa#

Step 2: Bypass Setup Mode and configure the ASDM VLAN interfaces using the CLI.
a. When prompted to preconfigure the firewall through interactive prompts (Setup mode), respond with no.
Pre-configure Firewall now through interactive prompts [yes]? no
b. Enter privileged EXEC mode. The password should be blank (no password) at this point.
c. Enter global configuration mode. Respond with no to the prompt to enable anonymous reporting.
d. The VLAN 1 logical interface will be used by PC-B to access ASDM on ASA physical interface E0/1.
Configure interface VLAN 1 and name it inside. The Security Level should be automatically set to the
highest level of 100. Specify IP address 192.168.1.1 and subnet mask 255.255.255.0.
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# exit
e. Enable physical interface E0/1 and verify the E0/1 and VLAN 1 interface status. The status and protocol
for interface E0/1 and VLAN 1 should be up/up.
ciscoasa(config)# interface e0/1
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit

ciscoasa(config)# show interface ip brief


Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset administratively down up
Ethernet0/1 unassigned YES unset up up


Ethernet0/2 unassigned YES unset administratively down down


Ethernet0/3 unassigned YES unset administratively down down
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES manual up up
Virtual0 127.0.0.1 YES unset up up
f. Preconfigure interface VLAN 2 and name it outside, add physical interface E0/0 to VLAN 2, and bring up
the E0/0 interface. You will assign the IP address using ASDM.
ciscoasa(config)# interface vlan 2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)# interface e0/0


ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shut
g. Test connectivity to the ASA by pinging from PC-B to ASA interface VLAN 1 IP address 192.168.1.1. The
pings should be successful.

Step 3: Configure and verify access to the ASA from the inside network.
a. Use the http command to configure the ASA to accept HTTPS connections and to allow access to ASDM
from any host on the inside network 192.168.1.0/24.
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
b. Open a browser on PC-B and test the HTTPS access to the ASA by entering https://192.168.1.1.
c. From the ASDM Welcome page, click Run ASDM. When prompted for a username and password, leave
them blank and click OK.

Task 2: Configure Basic ASA Settings Using the ASDM Startup Wizard

Step 1: Access the Configuration menu and launch the Startup wizard.
At the top left of the screen, click Configuration > Launch Startup wizard.

Step 2: Configure the hostname, domain name, and the enable password.
a. On the first Startup wizard screen, select the Modify Existing Configuration option.
b. On the Startup Wizard Step 2 screen, configure the ASA hostname CCNAS-ASA and domain name
ccnasecurity.com. Change the enable mode password from blank (no password) to ciscoenapa55.

Step 3: Configure the outside VLAN interfaces.


a. On the Startup Wizard Step 3 screen – Interface Selection, do not change the current settings; these
were previously defined using the CLI.
b. On the Startup Wizard Step 4 screen – Switch Port Allocation, verify that port Ethernet1 is in Inside VLAN
1 and that port Ethernet0 is in Outside VLAN 2.


c. On the Startup Wizard Step 5 screen – Interface IP Address Configuration, enter an Outside IP address
of 209.165.200.10 and Mask 255.255.255.248.

Step 4: Configure DHCP, address translation, and administrative access.


a. On the Startup Wizard Step 6 screen – DHCP Server, select Enable DHCP server on the Inside
Interface and specify a starting IP address of 192.168.1.5 and ending IP address of 192.168.1.30. Enter
the DNS Server 1 address of 10.3.3.3 and ccnasecurity.com for the domain name. Do NOT check the
box to enable Autoconfiguration from Interface.
b. On the Startup Wizard Step 7 screen – Address Translation (NAT/PAT), configure the ASA to Use Port
Address Translation (PAT) and select the Use the IP address of the outside interface option.
c. On the Startup Wizard Step 8 screen – Administrative Access, HTTPS/ASDM access is currently
configured for hosts on inside network 192.168.1.0/24. Add Telnet access to the ASA for the inside
network 192.168.1.0 with a subnet mask of 255.255.255.0. Add SSH access to the ASA from host
172.16.1.3 on the outside network.
d. Finish the wizard and deliver the commands to the ASA.
Note: ASDM may hang after delivering the configuration changes to the ASA. If this happens, close
ASDM and, on the PC Desktop, double-click the ASDM on 192.168.1.1 icon to restart ASDM. When
prompted, leave Username blank and enter ciscoenapa55 as the password.

Step 5: Test Telnet access to the ASA.


a. From a command prompt or GUI Telnet client on PC-B, Telnet to the ASA inside interface at IP address
192.168.1.1.
b. Log in to the ASA using the default login password of cisco. Enter privileged EXEC mode and provide the
password ciscoenapa55. Exit the Telnet session by using the quit command.

Task 3: Configuring ASA Settings From the ASDM Configuration Menu

Step 1: Set the ASA date and time.


At the Configuration > Device Setup screen, click System Time > Clock, set the time zone, current date
and time, and apply the commands to the ASA.

Step 2: Configure a static default route for the ASA.


a. At the Configuration > Device Setup screen, click Routing > Static Routes. Add a static route for the
outside interface, specify Any for the network object and a Gateway IP of 209.165.200.9 (R1 Fa0/0).
Apply the commands to the ASA.
b. On the ASDM Tools menu, select Ping, and enter the IP address of router R1 S0/0/0 (10.10.10.1). The
ping should succeed.

Step 3: Test access to an external website from PC-B.


Open a browser on PC-B and enter the IP address of the R1 S0/0/0 interface (10.10.10.1) to simulate access
to an external website. The R1 HTTP server was enabled in Part 2. You should be prompted with a user
authentication login dialog box from the R1 GUI device manager. Exit the browser.
Note: You will be unable to ping from PC-B to R1 S0/0/0, because the default ASA global inspection policy
does not inspect ICMP, so the echo replies returning to the higher-security inside interface are dropped.


Step 4: Configure AAA for SSH client access.


a. At the Configuration > Device Management screen, click Users/AAA > User Accounts > Add. Create
a new user named admin with a password of cisco123. Allow this user Full access (ASDM, SSH,
Telnet, and console) and set the privilege level to 15. Apply the command to the ASA.
b. At the Configuration > Device Management screen, click Users/AAA > AAA Access. On the
Authentication tab, require authentication for HTTP/ASDM, SSH, and Telnet connections, and specify the
LOCAL server group for each connection type. Click Apply to send the commands to the ASA.
Note: The next action you attempt within ASDM will require you to log in as admin with password
cisco123.
c. From PC-C, open an SSH client and attempt to access the ASA outside interface at 209.165.200.10. You
should be able to establish the connection. When prompted to log in, enter username admin and
password cisco123.
d. After logging in to the ASA using SSH, enter the enable command and provide the password
ciscoenapa55. Issue the show run command to display the current configuration you have created using
ASDM.
e. From PC-B, Telnet to the ASA inside interface at IP address 192.168.1.1. Because Telnet authentication
now uses the LOCAL database, log in with username admin and password cisco123 rather than the default
login password.

Part 8: Configuring a DMZ, Static NAT, and ACLs (Chapter 9)


In Part 7, you configured address translation using PAT for the inside network. In this part, you will create a
DMZ on the ASA, configure static NAT to a DMZ server, and apply ACLs to control access to the server.
To accommodate the addition of a DMZ and a web server, you will use another address from the ISP range
assigned, 209.165.200.8/29 (.8-.15). Router R1 Fa0/0 and the ASA outside interface already use
209.165.200.9 and .10, respectively. You will use public address 209.165.200.11 and static NAT to provide
address translation access to the server.

Step 1: Configure the DMZ interface VLAN 3 on the ASA.


a. Configure DMZ VLAN 3, which is where the public access web server will reside. Assign it IP address
192.168.2.1/24, name it dmz, and assign it a security level of 70.
Note: If you are working with the ASA 5505 base license, you will see the error message shown in the
output below. The ASA 5505 Base license allows for the creation of up to three named VLAN interfaces.
However, you must disable communication between the third interface and one of the other interfaces
using the no forward command. This is not an issue if the ASA has a Security Plus license, which allows
20 named VLANs.
Because the server does not need to initiate communication with the inside users, disable forwarding to
interface VLAN 1.
CCNAS-ASA(config)# interface vlan 3
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1
interface(s) with nameif already configured.

CCNAS-ASA(config-if)# no forward interface vlan 1


CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.


CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# no shut
b. Assign ASA physical interface E0/2 to DMZ VLAN 3 and enable the interface.
CCNAS-ASA(config-if)# interface Ethernet0/2
CCNAS-ASA(config-if)# switchport access vlan 3
CCNAS-ASA(config-if)# no shut
c. Display the status for all ASA interfaces using the show interface ip brief command.
CCNAS-ASA# show interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset up up
Ethernet0/3 unassigned YES unset down down
Ethernet0/4 unassigned YES unset down down
Ethernet0/5 unassigned YES unset down down
Ethernet0/6 unassigned YES unset down down
Ethernet0/7 unassigned YES unset down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES manual up up
Vlan2 209.165.200.10 YES manual up up
Vlan3 192.168.2.1 YES manual up up
Virtual0 127.0.0.1 YES unset up up
d. Display the information for the Layer 3 VLAN interfaces using the show ip address command.
CCNAS-ASA# show ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.1.1 255.255.255.0 manual
Vlan2 outside 209.165.200.10 255.255.255.248 manual
Vlan3 dmz 192.168.2.1 255.255.255.0 manual
<output omitted>
e. Display the VLANs and port assignments on the ASA using the show switch vlan command.
CCNAS-ASA(config)# show switch vlan
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------
1 inside up Et0/1, Et0/3, Et0/4, Et0/5
Et0/6, Et0/7
2 outside up Et0/0
3 dmz up Et0/2

Step 2: Configure static NAT to the DMZ server using a network object.
Configure a network object named dmz-server and assign it the static IP address of the DMZ server
(192.168.2.3). While in object definition mode, use the nat command to specify that this object is used to


translate a DMZ address to an outside address using static NAT and specify a public translated address of
209.165.200.11.
CCNAS-ASA(config)# object network dmz-server
CCNAS-ASA(config-network-object)# host 192.168.2.3
CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.11

Step 3: Configure an ACL to allow access to the DMZ server from the Internet.
Configure a named access list OUTSIDE-DMZ that permits any IP protocol from any external host to the
internal IP address of the DMZ server. Apply the access list to the ASA outside interface in the in direction.
CCNAS-ASA(config)# access-list OUTSIDE-DMZ permit ip any host 192.168.2.3
CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside
Note: Unlike IOS ACLs, and unlike ASA releases before 8.3, the ASA ACL permit statement must permit access
to the internal (real) private DMZ address. External hosts access the server using its public static NAT
address; the ASA untranslates it to the internal host IP address and then applies the ACL.
In production, restrict this ACL to only the services you intend to expose to external hosts, such as web
(HTTP) or file transfer (FTP), rather than permitting every IP protocol.
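The two mistakes this step warns about, an ACL that names the mapped (public) address on an 8.3+ ASA and an ACL that opens every IP protocol to the server, are easy to catch mechanically. The script below is an added example, not part of the lab: it parses the object-NAT and access-list lines from a saved ASA configuration and flags both. The three configurations are constructed; LAB_CONFIG is Steps 2 and 3 as written (the `extended` keyword is what `show run` adds, and the parser accepts the line with or without it), WRONG_CONFIG is the pre-8.3 habit of permitting the mapped address, and HARDENED_CONFIG narrows the ACL to TCP port 80 on the real address.

```python
"""Check an ASA (8.3+) DMZ publication for mapped-address and over-broad ACEs (added example)."""
import re

# Constructed: the lab's Step 2 and Step 3 as written (broad permit ip).
LAB_CONFIG = """\
object network dmz-server
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.11
access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
access-group OUTSIDE-DMZ in interface outside
"""

# Constructed: a common wrong version that permits the mapped address.
WRONG_CONFIG = """\
object network dmz-server
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.11
access-list OUTSIDE-DMZ extended permit tcp any host 209.165.200.11 eq www
access-group OUTSIDE-DMZ in interface outside
"""

# Constructed: narrowed to the web service only, against the real address.
HARDENED_CONFIG = """\
object network dmz-server
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.11
access-list OUTSIDE-DMZ extended permit tcp any host 192.168.2.3 eq www
access-group OUTSIDE-DMZ in interface outside
"""

NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+)")


def _parse_addr(tokens, i):
    """Return (address spec, next index) for the ASA ACE forms any | host X | net mask."""
    if tokens[i] in ("any", "any4", "any6"):
        return tokens[i], i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_asa(config):
    """Extract static object NATs and permit ACEs from an ASA config."""
    nats = {}   # real address -> (real interface, mapped interface, mapped address)
    aces = []   # (acl name, protocol, source, destination, port or None)
    obj_host = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network"):
            obj_host = None
        elif line.startswith("host ") and obj_host is None:
            obj_host = line.split()[1]
        elif line.startswith("nat (") and obj_host:
            m = NAT_RE.match(line)
            if m:
                nats[obj_host] = (m.group(1), m.group(2), m.group(3))
        elif line.startswith("access-list ") and " permit " in line:
            t = line.split()
            i = t.index("permit") + 1
            proto, i = t[i], i + 1
            src, i = _parse_addr(t, i)
            dst, i = _parse_addr(t, i)
            port = t[i + 1] if i < len(t) and t[i] == "eq" else None
            aces.append((t[1], proto, src, dst, port))
    return nats, aces


def check_dmz_publication(config):
    """Return findings for ACEs that target a statically translated DMZ host."""
    nats, aces = parse_asa(config)
    mapped_to_real = {mapped: real for real, (_, _, mapped) in nats.items()}
    findings = []
    for name, proto, src, dst, port in aces:
        if dst in mapped_to_real:
            findings.append(
                f"{name}: destination {dst} is the mapped address; "
                f"on ASA 8.3+ use the real address {mapped_to_real[dst]}")
        elif dst in nats and (proto == "ip" or port is None):
            findings.append(
                f"{name}: {proto} {src} -> {dst} exposes every service; "
                f"restrict to the published port")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("wrong", WRONG_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_dmz_publication(cfg) or "ok")
```

The lab configuration is reported only for breadth (it works, but exposes every protocol to the DMZ host); the mapped-address version passes `show run` without complaint yet never matches traffic, which is the failure the note above describes.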

Step 4: Test access to the DMZ server.


a. Create a loopback 0 interface on Internet router R2 representing an external host. Assign Lo0 IP address
172.30.1.1 and a mask of 255.255.255.0. Ping the DMZ server public address from R2 using the
loopback interface as the source of the ping. The pings should be successful.
R2(config)# interface Lo0
R2(config-if)# ip address 172.30.1.1 255.255.255.0

R2# ping 209.165.200.11 source lo0

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 209.165.200.11, timeout is 2 seconds:
Packet sent with a source address of 172.30.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
b. Clear the NAT counters using the clear nat counters command.
CCNAS-ASA# clear nat counters
c. Ping from PC-C to the DMZ server at the public address 209.165.200.11. The pings should be
successful.
d. Issue the show nat and show xlate commands on the ASA to see the effect of the pings. Both the PAT
(inside to outside) and static NAT (dmz to outside) policies are shown.
CCNAS-ASA# show nat

Auto NAT Policies (Section 2)


1 (dmz) to (outside) source static dmz-server 209.165.200.11
translate_hits = 0, untranslate_hits = 4

2 (inside) to (outside) source dynamic inside-net interface


translate_hits = 4, untranslate_hits = 0


Note: Pings from inside to outside are translated hits. Pings from outside host PC-C to the DMZ are
considered untranslated hits.
CCNAS-ASA# show xlate
1 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:192.168.2.3 to outside:209.165.200.11 flags s idle 0:22:58
timeout 0:00:00
Note: The flag is "s" indicating a static translation.
e. Because the ASA inside interface (VLAN 1) is set to a security level of 100 (the highest) and the DMZ
interface (VLAN 3) is set to 70, you can also access the DMZ server from a host on the inside network.
The ASA acts like a router between the two networks. Ping the DMZ server (PC-A) internal address
(192.168.2.3) from inside network host PC-B (192.168.1.3). The pings should be successful because of the
interface security levels, provided ICMP is being inspected by the global inspection policy; if the echo
replies are dropped instead (the same behavior the Part 7 note describes toward R1), add ICMP
inspection (inspect icmp) to the global service policy. The pings from PC-B to PC-A do not affect the
NAT translation counts, because both PC-B and PC-A are behind the firewall and no translation takes place.
f. The DMZ server cannot ping PC-B on the inside network, because the DMZ interface VLAN 3 has a lower
security level and because, when the VLAN 3 interface was created, it was necessary to specify the
no forward command. Try to ping from the DMZ server PC-A to PC-B at IP address 192.168.1.3. The
pings should be unsuccessful.
g. Use the show run command to display the configuration for VLAN 3.
CCNAS-ASA# show run interface vlan 3
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 70
ip address 192.168.2.1 255.255.255.0
Note: An access list can be applied to the inside interface to control the type of access to be permitted or
denied to the DMZ server from inside hosts.

Part 9: Configure ASA Clientless SSL VPN Remote Access (Chapter 9)


Step 1: Start the VPN wizard.
On PC-B, on the ASDM main menu, click Wizards > VPN Wizards > Clientless SSL VPN wizard. The SSL
VPN wizard Clientless SSL VPN Connection screen displays.

Step 2: Configure the SSL VPN user interface.


On the SSL VPN Interface screen, configure VPN-Con-Prof as the Connection Profile Name, and specify
outside as the interface to which outside users will connect.

Step 3: Configure AAA user authentication.


On the User Authentication screen, click Authenticate Using the Local User Database, enter the username
VPNuser with a password of remote. Click Add to create the new user.

Step 4: Configure the VPN group policy.


On the Group Policy screen, create a new group policy named VPN-Grp-Pol.


Step 5: Configure the bookmark list.


a. From the Clientless Connections Only – Bookmark List screen, click Manage to create an HTTP server
bookmark in the bookmark list. In the Configure GUI Customization Objects window, click Add to open
the Add Bookmark List window. Name the list WebServer-XX, where XX is your initials.
b. Add a new Bookmark with Web Mail as the Bookmark Title. Enter the server destination IP address of
PC-B 192.168.1.3 (simulating a web server).

Step 6: Verify VPN access from the remote host.


a. Open the browser on PC-C and enter the login URL for the SSL VPN into the address field
(https://209.165.200.10). Use secure HTTP (HTTPS) as SSL is required to connect to the ASA.
b. The Login window should appear. Enter the previously configured username VPNuser and password
remote, and click Logon to continue.

Step 7: Access the web portal window.


After the user authenticates, the ASA SSL web portal webpage will be displayed, listing the various
bookmarks previously assigned to the profile. If the Bookmark points to a valid server IP address or hostname
that has HTTP web services installed and functional, the outside user can access the server from the ASA
portal.
Note: In this lab, the web mail server is not installed on PC-B.

Router Interface Summary Table

Router Interface Summary

Router Model   Ethernet Interface #1          Ethernet Interface #2          Serial Interface #1      Serial Interface #2
1700           Fast Ethernet 0 (Fa0)          Fast Ethernet 1 (Fa1)          Serial 0 (S0)            Serial 1 (S1)
1800           Fast Ethernet 0/0 (Fa0/0)      Fast Ethernet 0/1 (Fa0/1)      Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
1900           Gigabit Ethernet 0/0 (G0/0)    Gigabit Ethernet 0/1 (G0/1)    Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2801           Fast Ethernet 0/0 (Fa0/0)      Fast Ethernet 0/1 (Fa0/1)      Serial 0/1/0 (S0/1/0)    Serial 0/1/1 (S0/1/1)
2811           Fast Ethernet 0/0 (Fa0/0)      Fast Ethernet 0/1 (Fa0/1)      Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2900           Gigabit Ethernet 0/0 (G0/0)    Gigabit Ethernet 0/1 (G0/1)    Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many
interfaces it has. There is no way to effectively list all the combinations of configurations for each router
class. This table includes identifiers for the possible combinations of Ethernet and serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one; an ISDN BRI
interface is one example. The string in parentheses is the legal abbreviation that can be used in Cisco IOS
commands to represent the interface.

Device Configs

Router R1 – After Part 2


R1# show run
Building configuration...

Current configuration : 1257 bytes


!
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
redundancy
!
interface Loopback0
ip address 172.20.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 209.165.200.9 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.10.10.1 255.255.255.252
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

Router R2 – After Part 2


R2# show run
Building configuration...

Current configuration : 1376 bytes


!
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
redundancy
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.10.10.2 255.255.255.252
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
ip address 10.20.20.2 255.255.255.252
!
interface FastEthernet0/1/0
no ip address
!
interface FastEthernet0/1/1
no ip address
!
interface FastEthernet0/1/2
no ip address
!
interface FastEthernet0/1/3
no ip address
!
interface Vlan1
no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 172.16.1.0 255.255.255.0 Serial0/0/1
ip route 172.20.1.0 255.255.255.0 Serial0/0/0
ip route 209.165.200.8 255.255.255.248 Serial0/0/0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

Router R3 – After Part 2


R1# show run
Building configuration...

Current configuration : 1257 bytes


!
! Last configuration change at 17:58:56 UTC Thu Apr 24 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
redundancy
!
interface Loopback0
ip address 172.20.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 209.165.200.9 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.10.10.1 255.255.255.252
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

Router R1 – After Part 3


R1# show run
Building configuration...

Current configuration : 3520 bytes


!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
enable secret 5 $1$761A$4RVk4ALzPiWnu.FZf4XZi.
!
aaa new-model
!
aaa authentication login default local-case enable
!
aaa session-id common
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name ccnasecurity.com
login block-for 60 attempts 2 within 30
login on-failure log every 2
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1561489156
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1561489156
revocation-check none
rsakeypair TP-self-signed-1561489156
!
crypto pki certificate chain TP-self-signed-1561489156
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353631 34383931 3536301E 170D3134 30343234 31383239
31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35363134
38393135 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A32F D25B5F1A 0AA1DC21 A30D20CF 78870AEF E39A9211 7383BE36 E97BA33E
232075A3 40846325 EBA6CCE0 72C0F09C 5D0A9511 D3128EFF F93E0BDD 8903B16F
A554F288 8ADDAA3F 53625582 33D57E1F A144B666 17E74921 3C2DA006 7DFA39D7
0E5E066C C0924AB8 60609F58 F1397A9D 72549099 97FEF11F 83B52612 9EE50849
244B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1430BE1E ADBA5BCA 09FDBDB5 7F1CE0A5 F45D3A1E 57301D06
03551D0E 04160414 30BE1EAD BA5BCA09 FDBDB57F 1CE0A5F4 5D3A1E57 300D0609
2A864886 F70D0101 05050003 81810054 71C62DC4 5F30B15B AC392827 8CFE2CDB
597BD437 47CAA12E EB2E793D A1069231 6F19614F E4CDB3C3 D9A22318 897CE867
018982E0 B9DA06AE 85999C3E E4BE6DCC 3B93132E EE46AD57 FAD0651D FF40CDFB
C704DA13 C3AA19FD 24C8A81F 3E5F5CB9 3E89B294 D1F008A3 A3F9E0E3 C1F96A42
9AFC98BD AC0D5274 34C646C8 1FD3CA
quit
!
username Admin01 privilege 15 secret 5 $1$8HMu$MkznX4g9Prbkkkw7jTSWV1
secure boot-image
secure boot-config
!
redundancy
!
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
interface Loopback0
ip address 172.20.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 209.165.200.9 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.10.10.1 255.255.255.252
no fair-queue
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
control-plane
!
banner motd ^CUnauthorized access strictly prohibited!
^C
!
line con 0
exec-timeout 15 0
password 7 110A1016141D08030A3A2A717D
logging synchronous
line aux 0
line vty 0 4
exec-timeout 15 0
password 7 14141B180F0B3C3F3D38326077
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.10.10.2
end
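The R1 listings for Part 2 and Part 3 above differ in exactly the settings Part 3 hardens: password encryption, an enable secret and a minimum password length, AAA with login blocking, SSH version 2 as the only vty transport, and exec timeouts on the lines. The following Python script is an added example (it is not part of the lab) that parses a show run listing into top-level commands and their indented sub-commands and reports which of those settings a config lacks. The two excerpts it runs on are constructed from the R1 listings above, shortened, with the secret hashes replaced by placeholders; IOS indents sub-commands such as those under line vty 0 4 by one space, which the parser relies on (the extracted listings on this page have lost that indentation). The check treats exec-timeout 0 0, as seen on the console lines in the Part 4 listings, as a failure, because it disables the idle timeout rather than setting one.

```python
"""Audit an IOS running-config for the hardening applied in Part 3 of the lab.
Added example, not part of the lab: the excerpts are constructed from the R1
"After Part 2" and "After Part 3" listings, shortened, with hashes replaced."""
import re

R1_AFTER_PART2 = """\
no service password-encryption
!
no aaa new-model
!
no ip http server
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end
"""

R1_AFTER_PART3 = """\
service password-encryption
!
security passwords min-length 10
enable secret 5 <HASH-PLACEHOLDER>
!
aaa new-model
login block-for 60 attempts 2 within 30
!
ip ssh version 2
!
ip http server
!
line con 0
 exec-timeout 15 0
line aux 0
line vty 0 4
 exec-timeout 15 0
 transport input ssh
!
end
"""


def parse_config(text):
    """Split a show run listing into top-level commands and their indented sub-commands."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' or a blank line closes the current section
        elif raw.startswith(" "):  # IOS indents sub-commands by one space
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def has_idle_timeout(line_cmds):
    """True if an exec-timeout is set and is not 'exec-timeout 0 0', which disables it."""
    for cmd in line_cmds:
        m = re.fullmatch(r"exec-timeout (\d+) (\d+)", cmd)
        if m:
            return (int(m.group(1)), int(m.group(2))) != (0, 0)
    return False


def audit(text):
    """Return {check_name: passed} for the settings Part 3 of the lab changes."""
    top, sections = parse_config(text)
    present = set(top)
    vty = sections.get("line vty 0 4", [])
    con = sections.get("line con 0", [])
    return {
        "password_encryption": "service password-encryption" in present,
        "enable_secret": any(c.startswith("enable secret") for c in top),
        "min_password_length": any(c.startswith("security passwords min-length") for c in top),
        "aaa_new_model": "aaa new-model" in present,
        "login_block": any(c.startswith("login block-for") for c in top),
        "ssh_v2": "ip ssh version 2" in present,
        "vty_ssh_only": "transport input ssh" in vty,
        "vty_exec_timeout": has_idle_timeout(vty),
        "console_exec_timeout": has_idle_timeout(con),
        # The lab enables the HTTP(S) server for CCP; a production baseline wants it off.
        "http_server_disabled": "no ip http server" in present,
    }


def failed_checks(text):
    """Names of the checks a config fails, sorted for stable output."""
    return sorted(name for name, ok in audit(text).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("After Part 2", R1_AFTER_PART2), ("After Part 3", R1_AFTER_PART3)):
        print(f"R1 {label}: failing {failed_checks(cfg)}")
```

Run the file directly to print the failing checks for both excerpts. The Part 3 excerpt still fails http_server_disabled because the lab turns ip http server on for CCP management; whether that is acceptable depends on the environment, which is why the check reports it rather than hiding it.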

Router R2 – After Part 3


R2# show run
Building configuration...

Current configuration : 1509 bytes


!
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
redundancy
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.10.10.2 255.255.255.252
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
ip address 10.20.20.2 255.255.255.252
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 172.16.1.0 255.255.255.0 Serial0/0/1
ip route 172.20.1.0 255.255.255.0 Serial0/0/0
ip route 209.165.200.8 255.255.255.248 Serial0/0/0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
ntp master 3
end

Router R3 – After Part 3


R3# show run
Building configuration...

Current configuration : 3391 bytes


!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
enable secret 5 $1$Ara0$pzjFPbfyyh2yvfN0cAp3g/
!
aaa new-model
!
aaa authentication login default local-case enable
!
aaa session-id common
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
login block-for 60 attempts 2 within 30
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1221570205
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1221570205
revocation-check none
rsakeypair TP-self-signed-1221570205
!
crypto pki certificate chain TP-self-signed-1221570205
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323231 35373032 3035301E 170D3134 30343235 30353031
33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32323135
37303230 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A857 27D5B581 64C07B1F BC05B79A CF816F2C 1615CE4A 0AC9949A E096AAF1
E483C086 CA00722C CB168E01 BCF54883 9BD342B0 2995D721 F0825C7C 596DC70F
C634954B 75EEE6CF BBA04F30 12569A7C AAAE7BF7 58574324 CDA34C08 91F9B165
5D76F93D 949F66F9 2987DB6A 9C4AC914 322A47A3 4ED49B61 023B6DDB 9C19A638
EDFF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 142113F5 6356CDED 73D30C0E A601F3AD 27113602 3C301D06
03551D0E 04160414 2113F563 56CDED73 D30C0EA6 01F3AD27 1136023C 300D0609
2A864886 F70D0101 05050003 8181006A EDB598D2 86BEA74B 4DDD2D37 9DACAF95
81396EDD 3DB7A3FE F9754232 5BCEB6B7 C7CD5A04 7F457673 83D8D032 E11EADF5
799AB5A3 6AD35F53 84DF1B20 2313E679 142F9001 F1E29530 3362D41B 13B8A6BC
6325D39B 4EF39AD4 7C1D806C 3E445F0F E80D24B2 9C0A289D 9BF0D991 85C47464
8F30F5C1 B4F67C34 A82669BD A62EBA
quit
!
username Admin01 privilege 15 secret 5 $1$PRGN$yXu.Rjr8KrXYz.GeP7n/K/
secure boot-image
secure boot-config
!
redundancy
!
!
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
ip address 10.20.20.1 255.255.255.252
clock rate 2000000
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
!
logging trap warnings
logging 172.16.1.3
!
control-plane
!
banner motd ^CUnathorized access is strictly prohibited!^C
!
line con 0
exec-timeout 15 0
password 7 060506324F410A160B07135E59
logging synchronous
line aux 0
line vty 0 4
exec-timeout 15 0
password 7 05080F1C2243581D001516475E
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.10.10.2
end

Router R1 – After Part 4


R1# show run
Building configuration...

Current configuration : 4262 bytes


!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
enable secret 5 $1$761A$4RVk4ALzPiWnu.FZf4XZi.
!
aaa new-model
!
aaa authentication login default local-case enable
!
aaa session-id common
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name ccnasecurity.com
login block-for 60 attempts 2 within 30
login on-failure log every 2
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1561489156
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1561489156
revocation-check none
rsakeypair TP-self-signed-1561489156
!
!
crypto pki certificate chain TP-self-signed-1561489156
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353631 34383931 3536301E 170D3134 30343234 31383239
31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35363134
38393135 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A32F D25B5F1A 0AA1DC21 A30D20CF 78870AEF E39A9211 7383BE36 E97BA33E
232075A3 40846325 EBA6CCE0 72C0F09C 5D0A9511 D3128EFF F93E0BDD 8903B16F
A554F288 8ADDAA3F 53625582 33D57E1F A144B666 17E74921 3C2DA006 7DFA39D7
0E5E066C C0924AB8 60609F58 F1397A9D 72549099 97FEF11F 83B52612 9EE50849
244B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1430BE1E ADBA5BCA 09FDBDB5 7F1CE0A5 F45D3A1E 57301D06
03551D0E 04160414 30BE1EAD BA5BCA09 FDBDB57F 1CE0A5F4 5D3A1E57 300D0609
2A864886 F70D0101 05050003 81810054 71C62DC4 5F30B15B AC392827 8CFE2CDB
597BD437 47CAA12E EB2E793D A1069231 6F19614F E4CDB3C3 D9A22318 897CE867
018982E0 B9DA06AE 85999C3E E4BE6DCC 3B93132E EE46AD57 FAD0651D FF40CDFB
C704DA13 C3AA19FD 24C8A81F 3E5F5CB9 3E89B294 D1F008A3 A3F9E0E3 C1F96A42
9AFC98BD AC0D5274 34C646C8 1FD3CA
quit
!
username Admin01 privilege 15 secret 5 $1$8HMu$MkznX4g9Prbkkkw7jTSWV1
secure boot-image
secure boot-config
!
redundancy
!
!
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco12345 address 10.20.20.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address
10.10.10.1 that connects to this router.
set peer 10.20.20.1
set transform-set ESP-3DES-SHA
match address SDM_1
!
interface Loopback0
ip address 172.20.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 209.165.200.9 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.10.10.1 255.255.255.252
no fair-queue
crypto map SDM_CMAP_1
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip access-list extended SDM_1
remark CCP_ACL Category=4
remark IPSec Rule
permit ip 172.20.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
control-plane
!
banner motd ^CUnauthorized access strictly prohibited!
^C
!
line con 0
exec-timeout 0 0
password 7 110A1016141D08030A3A2A717D
logging synchronous
line aux 0
line vty 0 4
exec-timeout 15 0
password 7 14141B180F0B3C3F3D38326077
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.10.10.2
end

Router R2 – After Part 4


R2# show run
Building configuration...

Current configuration : 1509 bytes


!
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
redundancy
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.10.10.2 255.255.255.252
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
ip address 10.20.20.2 255.255.255.252
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 172.16.1.0 255.255.255.0 Serial0/0/1
ip route 172.20.1.0 255.255.255.0 Serial0/0/0
ip route 209.165.200.8 255.255.255.248 Serial0/0/0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
ntp master 3
end

Router R3 – After Part 4


R3# show run
Building configuration...

Current configuration : 3937 bytes


!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
no logging buffered
enable secret 5 $1$Ara0$pzjFPbfyyh2yvfN0cAp3g/
!
aaa new-model
!
aaa authentication login default local-case enable
!
aaa session-id common
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
login block-for 60 attempts 2 within 30
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1221570205
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1221570205
revocation-check none
rsakeypair TP-self-signed-1221570205
!
crypto pki certificate chain TP-self-signed-1221570205
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323231 35373032 3035301E 170D3134 30343235 30353031
33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32323135
37303230 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A857 27D5B581 64C07B1F BC05B79A CF816F2C 1615CE4A 0AC9949A E096AAF1
E483C086 CA00722C CB168E01 BCF54883 9BD342B0 2995D721 F0825C7C 596DC70F
C634954B 75EEE6CF BBA04F30 12569A7C AAAE7BF7 58574324 CDA34C08 91F9B165
5D76F93D 949F66F9 2987DB6A 9C4AC914 322A47A3 4ED49B61 023B6DDB 9C19A638
EDFF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 142113F5 6356CDED 73D30C0E A601F3AD 27113602 3C301D06
03551D0E 04160414 2113F563 56CDED73 D30C0EA6 01F3AD27 1136023C 300D0609
2A864886 F70D0101 05050003 8181006A EDB598D2 86BEA74B 4DDD2D37 9DACAF95
81396EDD 3DB7A3FE F9754232 5BCEB6B7 C7CD5A04 7F457673 83D8D032 E11EADF5
799AB5A3 6AD35F53 84DF1B20 2313E679 142F9001 F1E29530 3362D41B 13B8A6BC
6325D39B 4EF39AD4 7C1D806C 3E445F0F E80D24B2 9C0A289D 9BF0D991 85C47464
8F30F5C1 B4F67C34 A82669BD A62EBA
quit
!
license udi pid CISCO1841 sn FTX1205Y0PT
username Admin01 privilege 15 secret 5 $1$tTTB$LqYVD3oolgaUQeHSl4cgw1
secure boot-image
secure boot-config
!
redundancy
!
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco12345 address 10.10.10.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to10.10.10.1
set peer 10.10.10.1
set transform-set ESP-3DES-SHA
match address 100
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
ip address 10.20.20.1 255.255.255.252
clock rate 2000000
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
!
logging trap warnings
logging 172.16.1.3
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.20.1.0 0.0.0.255
!
control-plane
!
banner motd ^CUnathorized access is strictly prohibited!^C
!
line con 0
exec-timeout 0 0
password 7 060506324F410A160B07135E59
logging synchronous
line aux 0
line vty 0 4
exec-timeout 15 0
password 7 05080F1C2243581D001516475E
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.10.10.2
end

Router R3 – After Part 6


R3# show run
Building configuration...

Current configuration : 8841 bytes

!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
no logging buffered
enable secret 5 $1$Ara0$pzjFPbfyyh2yvfN0cAp3g/
!
aaa new-model
!
aaa authentication login default local-case enable
!
aaa session-id common
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip ips config location flash:/ipsdir retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
login block-for 60 attempts 2 within 30
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1221570205
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1221570205
revocation-check none
rsakeypair TP-self-signed-1221570205
!
crypto pki certificate chain TP-self-signed-1221570205
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323231 35373032 3035301E 170D3134 30343235 30353031
33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32323135
37303230 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A857 27D5B581 64C07B1F BC05B79A CF816F2C 1615CE4A 0AC9949A E096AAF1
E483C086 CA00722C CB168E01 BCF54883 9BD342B0 2995D721 F0825C7C 596DC70F
C634954B 75EEE6CF BBA04F30 12569A7C AAAE7BF7 58574324 CDA34C08 91F9B165
5D76F93D 949F66F9 2987DB6A 9C4AC914 322A47A3 4ED49B61 023B6DDB 9C19A638
EDFF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 142113F5 6356CDED 73D30C0E A601F3AD 27113602 3C301D06
03551D0E 04160414 2113F563 56CDED73 D30C0EA6 01F3AD27 1136023C 300D0609
2A864886 F70D0101 05050003 8181006A EDB598D2 86BEA74B 4DDD2D37 9DACAF95
81396EDD 3DB7A3FE F9754232 5BCEB6B7 C7CD5A04 7F457673 83D8D032 E11EADF5
799AB5A3 6AD35F53 84DF1B20 2313E679 142F9001 F1E29530 3362D41B 13B8A6BC
6325D39B 4EF39AD4 7C1D806C 3E445F0F E80D24B2 9C0A289D 9BF0D991 85C47464
8F30F5C1 B4F67C34 A82669BD A62EBA
quit
!
username Admin01 privilege 15 secret 5 $1$tTTB$LqYVD3oolgaUQeHSl4cgw1
secure boot-image
secure boot-config
!
redundancy
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco12345 address 10.10.10.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to10.10.10.1
set peer 10.10.10.1
set transform-set ESP-3DES-SHA
match address 100
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
description $FW_OUTSIDE$
ip address 10.20.20.1 255.255.255.252
ip ips sdm_ips_rule in
ip virtual-reassembly in
zone-member security out-zone
clock rate 2000000
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
!
logging trap warnings
logging 172.16.1.3
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 10.20.20.0 0.0.0.3 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 10.10.10.1 any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip 172.20.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
control-plane
!
!
banner motd ^CUnathorized access is strictly prohibited!^C
!
line con 0
exec-timeout 0 0
password 7 060506324F410A160B07135E59
logging synchronous
line aux 0
line vty 0 4
exec-timeout 15 0
password 7 05080F1C2243581D001516475E
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.10.10.2
end
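The zone-based firewall in the R3 configuration above is spread across class-maps, policy-maps and zone-pairs, and the effective action for a given zone pair has to be traced through all three. The following Python script is an added example, not part of the Cisco lab or its CCP-generated configuration; it parses that structure out of running-config text and builds one rule table per zone pair. The sample input is a constructed subset of the R3 dump, indented as IOS prints it. The script does not evaluate the referenced access-lists and it flattens match-all/match-any semantics, so it documents the policy rather than simulating it.

```python
"""Resolve a Cisco IOS zone-based firewall config into a per-zone-pair rule table.
Added example (not the lab's code). Links class-map -> policy-map -> zone-pair so the
effective action per zone pair can be read in one place. ACLs are not evaluated and
match-all/match-any is flattened: this documents the policy, it does not simulate it.
"""
from typing import Dict, List, Tuple


def parse_zbf(cfg: str):
    """Collect class-maps, policy-maps and zone-pairs; relies on IOS sub-command indentation."""
    class_maps: Dict[str, List[str]] = {}
    policy_maps: Dict[str, List[Tuple[str, str]]] = {}
    zone_pairs: Dict[str, Dict[str, object]] = {}
    ctx = None         # (kind, name) of the block being read
    cur_class = None   # class opened inside the current policy-map
    for raw in cfg.splitlines():
        ln = raw.strip()
        if not ln or ln.startswith("!"):
            continue
        if not raw.startswith(" "):          # top-level command: opens a block or ends one
            cur_class, parts = None, ln.split()
            if ln.startswith("class-map type inspect "):
                class_maps[parts[-1]] = []
                ctx = ("class", parts[-1])
            elif ln.startswith("policy-map type inspect "):
                policy_maps[parts[-1]] = []
                ctx = ("policy", parts[-1])
            elif ln.startswith("zone-pair security "):
                # zone-pair security NAME source SRC destination DST
                zone_pairs[parts[2]] = {"source": parts[4], "destination": parts[6]}
                ctx = ("zp", parts[2])
            else:
                ctx = None
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "class" and ln.startswith("match "):
            class_maps[name].append(ln)
        elif kind == "policy" and ln.startswith("class "):   # class type inspect X / class class-default
            cur_class = ln.split()[-1]
        elif kind == "policy" and cur_class is not None:      # action line: inspect / pass / drop / drop log
            policy_maps[name].append((cur_class, ln))
            cur_class = None
        elif kind == "zp" and ln.startswith("service-policy type inspect "):
            zone_pairs[name]["policy"] = ln.split()[-1]
    return class_maps, policy_maps, zone_pairs


def resolve_matches(class_maps: Dict[str, List[str]], name: str, seen=None) -> List[str]:
    """Expand nested 'match class-map' references into the concrete match lines."""
    seen = set() if seen is None else seen
    if name in seen:                          # guard against reference loops
        return []
    seen.add(name)
    out: List[str] = []
    for m in class_maps.get(name, []):
        if m.startswith("match class-map "):
            out.extend(resolve_matches(class_maps, m.split()[-1], seen))
        else:
            out.append(m)
    return out


def zone_pair_table(cfg: str) -> Dict[str, Dict[str, object]]:
    """Per zone pair: its zones, policy and the ordered (class, action, matches) rules."""
    class_maps, policy_maps, zone_pairs = parse_zbf(cfg)
    table = {}
    for zp, info in zone_pairs.items():
        rules = [(cls, action, resolve_matches(class_maps, cls))
                 for cls, action in policy_maps.get(info.get("policy"), [])]
        table[zp] = {**info, "rules": rules}
    return table


# Constructed subset of the R3 dump above, indented as IOS prints it.
R3_ZBF_SAMPLE = """\
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class class-default
  drop
!
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
"""

if __name__ == "__main__":
    for zp, info in zone_pair_table(R3_ZBF_SAMPLE).items():
        print(f"{zp}: {info['source']} -> {info['destination']} via {info.get('policy')}")
        for cls, action, matches in info["rules"]:
            print(f"   {cls:32} {action:10} {matches}")
```

Reading the resulting table for the R3 configuration makes the intent of the CCP-generated policy visible: traffic from out-zone to in-zone is inspected only when it matches access-list 103 (the VPN subnet pair), and everything else in that direction falls to class-default and is dropped; replies to the router's own ICMP, TCP and UDP traffic are inspected on the self-to-out-zone pair, with class-default passed.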

ASA Firewall – After Part 7
CCNAS-ASA# show run
: Saved
:
ASA Version 8.4(2)
!
hostname CCNAS-ASA
domain-name ccnasecurity.com
enable password ghF9EgNuXj9mQTfb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.165.200.10 255.255.255.248
!
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
domain-name ccnasecurity.com
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 209.165.200.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 172.16.1.3 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.30 inside
dhcpd dns 10.3.3.3 interface inside
dhcpd domain ccnasecurity.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password e1z89R3cZe9Kt6Ib encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:aca1346b36de25269d1a951d1f03d7f0
: end

Router R1 – Final
R1# show run
Building configuration...

Current configuration : 4262 bytes
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
enable secret 5 $1$761A$4RVk4ALzPiWnu.FZf4XZi.
!
aaa new-model
!
aaa authentication login default local-case enable
!
aaa session-id common
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip domain name ccnasecurity.com
login block-for 60 attempts 2 within 30
login on-failure log every 2
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1561489156
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1561489156
revocation-check none
rsakeypair TP-self-signed-1561489156
!
crypto pki certificate chain TP-self-signed-1561489156
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353631 34383931 3536301E 170D3134 30343234 31383239
31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35363134
38393135 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A32F D25B5F1A 0AA1DC21 A30D20CF 78870AEF E39A9211 7383BE36 E97BA33E
232075A3 40846325 EBA6CCE0 72C0F09C 5D0A9511 D3128EFF F93E0BDD 8903B16F
A554F288 8ADDAA3F 53625582 33D57E1F A144B666 17E74921 3C2DA006 7DFA39D7
0E5E066C C0924AB8 60609F58 F1397A9D 72549099 97FEF11F 83B52612 9EE50849
244B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1430BE1E ADBA5BCA 09FDBDB5 7F1CE0A5 F45D3A1E 57301D06
03551D0E 04160414 30BE1EAD BA5BCA09 FDBDB57F 1CE0A5F4 5D3A1E57 300D0609
2A864886 F70D0101 05050003 81810054 71C62DC4 5F30B15B AC392827 8CFE2CDB
597BD437 47CAA12E EB2E793D A1069231 6F19614F E4CDB3C3 D9A22318 897CE867
018982E0 B9DA06AE 85999C3E E4BE6DCC 3B93132E EE46AD57 FAD0651D FF40CDFB
C704DA13 C3AA19FD 24C8A81F 3E5F5CB9 3E89B294 D1F008A3 A3F9E0E3 C1F96A42
9AFC98BD AC0D5274 34C646C8 1FD3CA
quit
!
username Admin01 privilege 15 secret 5 $1$8HMu$MkznX4g9Prbkkkw7jTSWV1
secure boot-image
secure boot-config
!
redundancy
!
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco12345 address 10.20.20.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address
10.10.10.1 that connects to this router.
set peer 10.20.20.1
set transform-set ESP-3DES-SHA
match address SDM_1
!
interface Loopback0
ip address 172.20.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 209.165.200.9 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.10.10.1 255.255.255.252
no fair-queue
crypto map SDM_CMAP_1
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip access-list extended SDM_1
remark CCP_ACL Category=4
remark IPSec Rule
permit ip 172.20.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
control-plane
!
banner motd ^CUnauthorized access strictly prohibited!
^C
!
line con 0
exec-timeout 15 0
password 7 110A1016141D08030A3A2A717D
logging synchronous
line aux 0
line vty 0 4
exec-timeout 15 0
password 7 14141B180F0B3C3F3D38326077
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.10.10.2
end

Router R2 – Final
R2# show run
Building configuration...

Current configuration : 1638 bytes
!
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$ScW3$LN6IJi/1R4uiv5/ZW1kpA.
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
redundancy
!
interface Loopback0
ip address 172.30.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.10.10.2 255.255.255.252
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
ip address 10.20.20.2 255.255.255.252
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 172.16.1.0 255.255.255.0 Serial0/0/1
ip route 172.20.1.0 255.255.255.0 Serial0/0/0
ip route 209.165.200.8 255.255.255.248 Serial0/0/0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
password ciscovtypa55
login
transport input all
!
scheduler allocate 20000 1000
ntp master 3
end

Router R3 – Final
R3# show run
Building configuration...

Current configuration : 8841 bytes
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
no logging buffered
enable secret 5 $1$Ara0$pzjFPbfyyh2yvfN0cAp3g/
!
aaa new-model
!
aaa authentication login default local-case enable
!
aaa session-id common
!
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
ip ips config location flash:/ipsdir retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
login block-for 60 attempts 2 within 30
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1221570205
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1221570205
revocation-check none
rsakeypair TP-self-signed-1221570205
!
crypto pki certificate chain TP-self-signed-1221570205
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323231 35373032 3035301E 170D3134 30343235 30353031
33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32323135
37303230 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A857 27D5B581 64C07B1F BC05B79A CF816F2C 1615CE4A 0AC9949A E096AAF1
E483C086 CA00722C CB168E01 BCF54883 9BD342B0 2995D721 F0825C7C 596DC70F
C634954B 75EEE6CF BBA04F30 12569A7C AAAE7BF7 58574324 CDA34C08 91F9B165
5D76F93D 949F66F9 2987DB6A 9C4AC914 322A47A3 4ED49B61 023B6DDB 9C19A638
EDFF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 142113F5 6356CDED 73D30C0E A601F3AD 27113602 3C301D06
03551D0E 04160414 2113F563 56CDED73 D30C0EA6 01F3AD27 1136023C 300D0609
2A864886 F70D0101 05050003 8181006A EDB598D2 86BEA74B 4DDD2D37 9DACAF95
81396EDD 3DB7A3FE F9754232 5BCEB6B7 C7CD5A04 7F457673 83D8D032 E11EADF5
799AB5A3 6AD35F53 84DF1B20 2313E679 142F9001 F1E29530 3362D41B 13B8A6BC
6325D39B 4EF39AD4 7C1D806C 3E445F0F E80D24B2 9C0A289D 9BF0D991 85C47464
8F30F5C1 B4F67C34 A82669BD A62EBA
quit
!
username Admin01 privilege 15 secret 5 $1$tTTB$LqYVD3oolgaUQeHSl4cgw1
secure boot-image
secure boot-config
!
redundancy
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco12345 address 10.10.10.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to10.10.10.1
set peer 10.10.10.1
set transform-set ESP-3DES-SHA
match address 100
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
description $FW_OUTSIDE$
ip address 10.20.20.1 255.255.255.252
ip ips sdm_ips_rule in
ip virtual-reassembly in
zone-member security out-zone
clock rate 2000000
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
!
logging trap warnings
logging 172.16.1.3
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 10.20.20.0 0.0.0.3 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 10.10.10.1 any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip 172.20.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
control-plane
!
banner motd ^CUnathorized access is strictly prohibited!^C
!
line con 0
exec-timeout 15 0
password 7 060506324F410A160B07135E59
logging synchronous
line aux 0
line vty 0 4
exec-timeout 15 0
password 7 05080F1C2243581D001516475E
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.10.10.2
end
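The three router dumps above show the contrast the lab is built around: R1 and R3 carry the hardening applied earlier in the lab (service password-encryption, AAA, login block-for, SSH version 2, exec-timeouts, SSH-only vty lines, a minimum password length), while R2 keeps the defaults (no service password-encryption, no AAA, a clear-text vty password and transport input all). The following Python audit is an added example, not part of the Cisco lab and not a Cisco tool; it reads a running-config and lists which of those settings are missing. The check list is drawn from the settings visible in the dumps, and both sample configs are constructed to mirror them (the type 7 strings are placeholders).

```python
"""Audit an IOS running-config for the hardening settings exercised in this lab.
Added example, not part of the Cisco lab. The two sample configs are constructed:
one mirrors the hardened R1/R3 settings, the other the unhardened R2 settings,
with sub-commands indented as IOS prints them.
"""
import re
from typing import Dict, List


def config_lines(cfg: str) -> List[str]:
    """Config lines with indentation trimmed; blanks and '!' separators dropped."""
    return [ln.strip() for ln in cfg.splitlines() if ln.strip() and not ln.strip().startswith("!")]


def line_blocks(cfg: str) -> Dict[str, List[str]]:
    """Map each 'line con 0' / 'line vty 0 4' block to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None   # any other top-level command ends the line block
    return blocks


def audit_ios_config(cfg: str) -> List[str]:
    """Return findings for settings the lab hardens; an empty list means all checks passed."""
    lines = config_lines(cfg)

    def has(pattern: str) -> bool:
        return any(re.fullmatch(pattern, ln) for ln in lines)

    findings: List[str] = []
    if "no service password-encryption" in lines:
        findings.append("service password-encryption disabled: line passwords stored in clear text")
    if not has(r"aaa new-model"):
        findings.append("AAA not enabled (no 'aaa new-model')")
    if not has(r"security passwords min-length \d+"):
        findings.append("no minimum password length enforced")
    if not has(r"login block-for \d+ attempts \d+ within \d+"):
        findings.append("no login block-for: repeated failed logins are not throttled")
    if not has(r"ip ssh version 2"):
        findings.append("SSH version 2 not enforced")
    if has(r"ip http server"):
        findings.append("clear-text HTTP management server enabled")
    if not has(r"banner motd .*"):
        findings.append("no MOTD banner")

    for name, sub in line_blocks(cfg).items():
        if not name.startswith(("line con", "line vty")):
            continue
        if name.startswith("line vty") and "transport input ssh" not in sub:
            findings.append(f"{name}: transport input not restricted to SSH")
        if any(s.startswith("password ") and not s.startswith("password 7 ") for s in sub):
            findings.append(f"{name}: clear-text line password")
        timeout = next((s for s in sub if s.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{name}: no exec-timeout set (IOS default is 10 minutes)")
        elif timeout == "exec-timeout 0 0":
            findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
    return findings


# Constructed samples; the 'password 7' values are placeholders, not real type 7 strings.
HARDENED_SAMPLE = """\
service password-encryption
security passwords min-length 10
aaa new-model
login block-for 60 attempts 2 within 30
ip ssh version 2
ip http secure-server
banner motd ^CUnauthorized access strictly prohibited!^C
line con 0
 exec-timeout 15 0
 password 7 00000000000000000000
 logging synchronous
line vty 0 4
 exec-timeout 15 0
 password 7 00000000000000000000
 transport input ssh
"""

WEAK_SAMPLE = """\
no service password-encryption
no aaa new-model
ip http server
line con 0
line vty 0 4
 password ciscovtypa55
 login
 transport input all
"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_SAMPLE), ("weak", WEAK_SAMPLE)):
        print(label, audit_ios_config(cfg) or ["all checks passed"])
```

Call audit_ios_config() on the text of a saved show run to get the same report for a real device. The line-block parser relies on IOS printing sub-commands indented by one space, as in the dumps above; a config pasted with the indentation stripped will report every line block as missing its settings. The exec-timeout 0 0 check matches the console setting visible in the R3 "After Part 7" dump, which the final R3 configuration corrects to 15 0.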

ASA 5505 – Final
ASA Version 8.4(2)
!
hostname CCNAS-ASA
domain-name ccnasecurity.com
enable password ghF9EgNuXj9mQTfb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.165.200.10 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 70
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
domain-name ccnasecurity.com
object network dmz-server
host 192.168.2.3
access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network dmz-server
nat (dmz,outside) static 209.165.200.11
!
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE-DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.200.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 172.16.1.3 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.30 inside
dhcpd dns 10.3.3.3 interface inside
dhcpd domain ccnasecurity.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy VPN-Grp-Pol internal
group-policy VPN-Grp-Pol attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list none
username admin password e1z89R3cZe9Kt6Ib encrypted privilege 15
username VPNuser password L/4HaWObNIjDRINS encrypted privilege 0
username VPNuser attributes
vpn-group-policy VPN-Grp-Pol
tunnel-group VPN-Con-Prof type remote-access
tunnel-group VPN-Con-Prof general-attributes
default-group-policy VPN-Grp-Pol
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3df558c4b921ff4505d707c72c657657
: end

Switch S1
S1# show run
Building configuration...

Current configuration : 1967 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
enable secret 4 RUvYYU43ox4ij3OGZk5X2bDsq27Bs7wfcwrxjRg5L.M
!
no aaa new-model
system mtu routing 1500
!
no ip domain-lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
shutdown
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
shutdown
!
interface FastEthernet0/6
switchport mode access
switchport port-security
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface FastEthernet0/13
shutdown
!
interface FastEthernet0/14
shutdown
!
interface FastEthernet0/15
shutdown
!
interface FastEthernet0/16
shutdown
!
interface FastEthernet0/17
shutdown
!
interface FastEthernet0/18
shutdown
!
interface FastEthernet0/19
shutdown
!
interface FastEthernet0/20
shutdown
!
interface FastEthernet0/21
shutdown
!
interface FastEthernet0/22
shutdown
!
interface FastEthernet0/23
shutdown
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.2.11 255.255.255.0
!
ip default-gateway 192.168.2.1
no ip http server
no ip http secure-server
!
banner motd ^C Unauthorized accesss strictly prohibited!^C
!
line con 0
exec-timeout 5 0
password 7 05080F1C22434D06171516475E
logging synchronous
login
line vty 0 4
login
line vty 5 15
login
!
end

Switch S2
S2# show run

Current configuration : 1394 bytes
!
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname S2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
!
!
no ip domain-lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
shutdown
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.1.11 255.255.255.0
!
ip default-gateway 192.168.1.1
ip http server
ip http secure-server
!
!
line con 0
line vty 5 15
!
end

Switch S3
S3#sh run
Building configuration...

Current configuration : 1392 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname S3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
!
no ip domain-lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
shutdown
!
interface FastEthernet0/2
shutdown
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 172.16.1.11 255.255.255.0
!
ip default-gateway 172.16.1.1
ip http server
ip http secure-server
!
line con 0
line vty 5 15
!
end
