CCNASv1.1 Chp09 Lab-A Sec-Pol Student

CCNA Security
Chapter 9 Lab A: Security Policy Development and

Implementation
Topology
Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet Interfaces.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 1 of (2
CCNA Security
IP Addressing Table
Device Interace IP Address Subnet !as" Deault #ate$ay S$itch Port
R1 FA")1 12.1*+.1.1 2,,.2,,.2,,." -)A S1 FA"),
S")")" ./CE0 1".1.1.1 2,,.2,,.2,,.2,2 -)A -)A
R2 S")")" 1".1.1.2 2,,.2,,.2,,.2,2 -)A -)A
S")")1 ./CE0 1".2.2.2 2,,.2,,.2,,.2,2 -)A -)A
R( FA")1 12.1*+.(.1 2,,.2,,.2,,." -)A S( FA"),
S")")1 1".2.2.1 2,,.2,,.2,,.2,2 -)A -)A
S1 12A- 1 12.1*+.1.11 2,,.2,,.2,,." 12.1*+.1.1 -)A
S2 12A- 1 12.1*+.1.12 2,,.2,,.2,,." 12.1*+.1.1 -)A
S( 12A- 1 12.1*+.(.11 2,,.2,,.2,,." 12.1*+.(.1 -)A
'C3A -IC 12.1*+.1.( 2,,.2,,.2,,." 12.1*+.1.1 S1 FA")*
'C34 -IC 12.1*+.1.2 2,,.2,,.2,,." 12.1*+.1.1 S2 FA")1+
'C3C -IC 12.1*+.(.( 2,,.2,,.2,,." 12.1*+.(.1 S( FA")1+
%b&ectives
Part ': Create a (asic Technical Security Policy
/evelop a -et5or6 /evice Sec&rity G&idelines doc&#ent.
Part ): (asic Net$or" Device Coniguration
Config&re hostna#es$ interface I' addresses$ and pass5ords.
Config&re static ro&ting.
Part *: Secure Net$or" +outers
Config&re pass5ords and a login banner.
Config&re SS7 access and disable %elnet.
Config&re 7%%' sec&re server access.
Config&re a synchroni8ed ti#e so&rce &sing -%'.
Config&re ro&ter syslog s&pport.
Config&re centrali8ed a&thentication &sing AAA and RA/I9S.
9se Cisco I:S to disable &nneeded services and sec&re against login attac6s.
9se CC' to disable &nneeded services.
Config&re a C4AC fire5all.
Config&re a ;4F fire5all.
Config&re intr&sion prevention syste# .I'S0 &sing Cisco I:S and CC'.
4ac6 &p and sec&re the Cisco I:S i#age and config&ration files.
Part ,: Secure Net$or" S$itches
Config&re pass5ords$ and a login banner.
CCNA Security
Config&re #anage#ent 12A- access.
Config&re a synchroni8ed ti#e so&rce &sing -%'.
Config&re syslog s&pport.
Config&re SS7 access.
Config&re AAA and RA/I9S.
Sec&re tr&n6 ports.
Sec&re access ports.
'rotect against S%' attac6s.
Config&re port sec&rity and disable &n&sed ports.
Part -: Conigure .PN remote access
9se CC' to config&re Easy 1'- Server.
9se the Cisco 1'- Client to test the re#ote access 1'-.
(ac"ground
A co#prehensive sec&rity policy covers three #ain areas< governing policies$ end3&ser policies$ and technical
policies. %echnical policies can incl&de e3#ail$ re#ote access$ telephony$ applications$ and net5or6 policies$
s&ch as device access controls and logging. %he foc&s of this lab is the creation of a technical net5or6 policy
that specifies sec&rity #eas&res to be config&red for net5or6 devices and i#ple#entation of those #eas&res.
In 'art 1 of this lab$ yo& create a basic -et5or6 /evice Sec&rity G&idelines doc&#ent that can serve as part
of a co#prehensive policy. %his doc&#ent addresses specific ro&ter and s5itch sec&rity #eas&res and
describes the sec&rity re=&ire#ents to be i#ple#ented on the infrastr&ct&re e=&ip#ent. %he -et5or6 /evice
Sec&rity G&idelines doc&#ent is presented to yo&r instr&ctor for revie5 prior to starting 'art 2 of the lab.
In 'art 2$ yo& b&ild the net5or6 and config&re basic device settings. In 'arts ( and >$ yo& sec&re ro&ters and
s5itches. In 'art ,$ yo& config&re a ro&ter for 1'- re#ote access. %he -et5or6 /evice Sec&rity G&idelines
policy is &sed as the g&iding doc&#ent.
%he co#pany yo& are 5or6ing for has t5o locations connected by an IS'. Ro&ter R1 represents a re#ote site$
and R( represents the corporate head=&arters. Ro&ter R2 represents the IS'.
Note: %he ro&ter co##ands and o&tp&t in this lab are fro# a Cisco 1+>1 5ith Cisco I:S Release 12.>.2"0%
.Advanced I' i#age0. %he s5itch co##ands and o&tp&t are fro# a Cisco ?S3C2*"32>%%32 5ith Cisco I:S
Release 12.2.>*0SE .C2*"32A-4ASE@3A i#age0. :ther ro&ters$ s5itches$ and Cisco I:S versions can be
&sed. See the Ro&ter Interface S&##ary table at the end of the lab to deter#ine 5hich interface identifiers to
&se based on the e=&ip#ent in the lab. /epending on the ro&ter or s5itch #odel and Cisco I:S version$ the
co##ands available and o&tp&t prod&ced #ight vary fro# 5hat is sho5n in this lab.
Note: Aa6e s&re that the ro&ters and s5itches have been erased and have no start&p config&rations.
+e/uired +esources
2 ro&ters .Cisco 1+>1 5ith Cisco I:S Release 12.>.2"0%1 Advanced I' Service or co#parable0
1 ro&ter .Cisco 1+>1 5ith Cisco I:S Release 12.>.2"0%1 I' 4ase or co#parable0
( s5itches .Cisco 2*" 5ith Cisco I:S Release 12.2.>*0SE C2*"32A-4ASE@3A i#age or
co#parable0
'C3A< ?indo5s B'$ 1ista$ or ?indo5s C 5ith CC' 2.,$ RA/I9S$ %F%'$ and syslog servers pl&s
'&%%D and Cisco 1'- Client soft5are available
'C34< ?indo5s B'$ 1ista$ or ?indo5s C
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age ( of (2
CCNA Security
'C3C< ?indo5s B'$ 1ista$ or ?indo5s C 5ith CC' 2.,$ RA/I9S$ %F%'$ and syslog servers pl&s
'&%%D soft5are available and S&perScan .optional0
Serial and Ethernet cables as sho5n in the topology
Rollover cables to config&re the ro&ters via the console
CCP Notes:
Refer to Chp "" 2ab A for instr&ctions on ho5 to install and r&n CC'. 7ard5are)soft5are
reco##endations for CC' incl&de ?indo5s B'$ 1ista$ or ?indo5s C 5ith Eava version 1.*."F11 &p to
1.*."F21$ Internet EGplorer *." or above and Flash 'layer 1ersion 1".".12.(* and later.
If the 'C on 5hich CC' is installed is r&nning ?indo5s 1ista or ?indo5s C$ it #ay be necessary to
right3clic6 on the CC' icon or #en& ite#$ and choose +un as administrator.
In order to r&n CC'$ it #ay be necessary to te#porarily disable antivir&s progra#s and :)S fire5alls.
Aa6e s&re that all pop3&p bloc6ers are t&rned off in the bro5ser.
Part ': Create a (asic Technical Security Policy
In 'art 1$ yo& create a -et5or6 /evice Sec&rity G&idelines doc&#ent that can serve as part of a
co#prehensive net5or6 sec&rity policy. %his doc&#ent addresses specific ro&ter and s5itch sec&rity
#eas&res and describes the sec&rity re=&ire#ents to be i#ple#ented on the infrastr&ct&re e=&ip#ent.
Tas" ': Identiy potential sections o a basic net$or" security policy 0Chapter 91
A net5or6 sec&rity policy sho&ld incl&de several 6ey sections that can address potential iss&es for &sers$
net5or6 access$ device access and other areas. 2ist so#e 6ey sections yo& thin6 co&ld be part of good
basic sec&rity policy.
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Tas" ): Create Net$or" 2/uipment Security #uidelines as a Supplement to a
(asic Security Policy 0Chapter 91
Step ': +evie$ the ob&ectives rom previous CCNA Security labs3
a. :pen each of the previo&s labs co#pleted fro# chapters one thro&gh eight and revie5 the obHectives
listed for each one.
b. Copy the obHectives to a separate doc&#ent for &se as a starting point. Foc&s #ainly on those
obHectives that involve sec&rity practices and device config&ration.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age > of (2
CCNA Security
Step ): Create a Net$or" Device Security #uidelines document or router and s$itch security3
Create a high3level list of tas6s to incl&de for net5or6 access and device sec&rity. %his doc&#ent sho&ld
reinforce and s&pple#ent the infor#ation presented in a basic Sec&rity 'olicy. It is based on the content
of previo&s CC-A Sec&rity labs and on the net5or6ing devices present in the co&rse lab topology.
Note: %he -et5or6 /evice Sec&rity G&idelines doc&#ent sho&ld be no #ore than t5o pages and is the
basis for the e=&ip#ent config&ration in the re#aining parts of the lab.
Step *: Submit the Net$or" Device Security #uidelines to your instructor3
'rovide the -et5or6 /evice Sec&rity G&idelines doc&#ents to yo&r instr&ctor for revie5 before starting
'art 2 of the lab. Do& can send the# as e3#ail attach#ents or p&t the# on re#ovable storage #edia$
s&ch as a flash drive.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age , of (2
CCNA Security
Part ): (asic Net$or" Device Coniguration 0Chapters ) and 41
In 'art 2$ yo& set &p the net5or6 topology and config&re basic settings$ s&ch as the interface I' addresses
and static ro&ting. 'erfor# steps on ro&ters and s5itches as indicated.
Step ': Cable the net$or" as sho$n in the topology3
Attach the devices sho5n in the topology diagra#$ and cable as necessary.
Step ): Conigure basic settings or all routers3
a. Config&re hostna#es as sho5n in the topology.
b. Config&re the interface I' addresses as sho5n in the I' addressing table.
c. Config&re a cloc6 rate for the ro&ters 5ith a /CE serial cable attached to their serial interface.
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
d. /isable /-S loo6&p to prevent the ro&ter fro# atte#pting to translate incorrectly entered co##ands
as tho&gh they 5ere hostna#es.
Step *: Conigure static deault routes on +' and +*3
Config&re a static defa&lt ro&te fro# R1 to R2 and fro# R( to R2.
Step ,: Conigure static routes on +)3
Config&re a static ro&te fro# R2 to the R1 2A- and fro# R2 to the R( 2A-.
Step -: Conigure basic settings or each s$itch3
a. Config&re hostna#es as sho5n in the topology.
b. Config&re the 12A- 1 #anage#ent addresses as sho5n in the I' Addressing table.
c. Config&re the I' defa&lt gate5ay for each of the three s5itches. %he gate5ay for the S1 and S2
s5itches is the R1 Fa")1 interface I' address. %he gate5ay for the S( s5itch is the R( Fa")1
interface I' address.
d. /isable /-S loo6&p to prevent the s5itches fro# atte#pting to translate incorrectly entered
co##ands as tho&gh they 5ere hostna#es.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age * of (2
CCNA Security
Step 4: Conigure PC host IP settings3
Config&re a static I' address$ s&bnet #as6$ and defa&lt gate5ay for 'C3A$ 'C34$ and 'C3C$ as sho5n in
the I' addressing table.
Step 5: .eriy connectivity bet$een PC6A and PC6C3
_____________________________________________________________________________
Step 7: Save the basic running coniguration or each router3
Part *: Secure Net$or" +outers
In 'art ($ yo& config&re device access$ pass5ords$ fire5alls$ and intr&sion prevention. 'erfor# steps on
ro&ters as indicated.
Tas" ': Conigure Pass$ords and a Login (anner 0Chapter )1
Step ': Conigure a minimum pass$ord length o '8 characters on all routers3
_____________________________________________________________________________
Step ): Conigure the enable secret pass$ord on all routers3
9se an enable secret pass5ord of cisco')*,-.
_____________________________________________________________________________
Step *: 2ncrypt plainte9t pass$ords3
_____________________________________________________________________________
Step ,: Conigure the console lines on all routers3
Config&re a console pass5ord of ciscoconpass and enable login. Set the eGec3ti#eo&t to log o&t after ,
#in&tes of inactivity. 'revent console #essages fro# interr&pting co##and entry.
_____________________________________________________________________________
Step -: Conigure the vty lines on +)3
Config&re a vty lines pass5ord of ciscovtypass and enable login. Set the eGec3ti#eo&t to log o&t after ,
#in&tes of inactivity.
_____________________________________________________________________________
Note: %he vty lines for R1 and R( are config&red for SS7 in %as6 2.
Step 4: Conigure a login $arning banner on routers +' and +*3
Config&re a 5arning to &na&thori8ed &sers 5ith a #essage3of3the3day .A:%/0 banner that says
I9na&thori8ed access strictly prohibited and prosec&ted to the f&ll eGtent of the la5J.
_____________________________________________________________________________
Tas" ): Conigure the SS: Server on +outers +' and +* 0Chapter )1
Step ': Conigure a privileged user or login rom the SS: client3
Create the &ser Ad#in"1 acco&nt 5ith a privilege level of 1, and a secret pass5ord of Ad#in"1pa,,.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age C of (2
CCNA Security
_____________________________________________________________________________
Step ): Conigure the domain name ccnasecurity3com3
_____________________________________________________________________________
Step *: Conigure the incoming vty lines3
Specify a privilege level of 1, so that a &ser 5ith the highest privilege level .1,0 5ill defa&lt to privileged
EBEC #ode 5hen accessing the vty lines. :ther &sers 5ill defa&lt to &ser EBEC #ode. Specify local &ser
acco&nts for #andatory login and validation$ and accept only SS7 connections.
_____________________________________________________________________________
Step ,: #enerate the +SA encryption "ey pair or the router3
Config&re the RSA 6eys 5ith 1"2> for the n&#ber of #od&l&s bits.
_____________________________________________________________________________
Step -: .eriy SS: connectivity to +' rom PC6A3
a. If the SS7 client is not already installed$ do5nload either %era%er# or '&%%D.
b. 2a&nch the SS7 client$ enter the Fa")1 I' address$ and enter the Admin8' &serna#e and pass5ord
Admin8'pa--.
%as6 (< Config&re a Synchroni8ed %i#e So&rce 9sing -%' 0Chapter )1
Step ': Set up the NTP master using Cisco I%S commands3
R2 5ill be the #aster -%' server. All other ro&ters and s5itches learn their ti#e fro# it$ either directly or
indirectly.
a. Ens&re that R2 has the correct coordinated &niversal ti#e. Set the ti#e if it is not correct.
b. Config&re R2 as the -%' #aster 5ith a strat&# n&#ber of (.
Step ): Conigure +' and +* as NTP clients3
a. Config&re R1 and R( to beco#e -%' clients of R2.
b. 1erify that R1 and R( have #ade an association 5ith R2 &sing the show ntp associations
co##and.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age + of (2
CCNA Security
Tas" ,: Conigure +outer Syslog Support 0Chapter )1
Step ': 0%ptional1 Install the syslog server on PC6A and PC6C3
If a syslog server is not c&rrently installed on the host$ do5nload the latest version of @i5i fro#
http<))555.6i5isyslog.co# or %ftpd(2 fro# http<))tftpd(2.Ho&nin.net and install it on yo&r des6top. If it is already
installed$ go to Step 2.
Step ): Conigure +' to log messages to the PC6A syslog server3
a. 1erify that yo& have connectivity bet5een R1 and host 'C3A by pinging the R1 Fa")1 interface I'
address 12.1*+.1.1 fro# 'C3A. If the pings are not s&ccessf&l$ tro&bleshoot as necessary before
contin&ing.
b. Config&re logging on the ro&ter to send syslog #essages to the syslog server.
Step *: Conigure +* to log messages to the PC6C syslog server3
a. 1erify that yo& have connectivity bet5een R( and the host 'C3C by pinging the R( Fa")1 interface I'
address 12.1*+.(.1 fro# 'C3C. If the pings are not s&ccessf&l$ tro&bleshoot as necessary before
contin&ing.
b. Config&re logging on the ro&ter to send syslog #essages to the syslog server.
Tas" -: Conigure Authentication ;sing AAA and +ADI;S 0Chapter *1
'C3A 5ill serve as the local RA/I9S server for the re#ote site and R1 accesses the eGternal RA/I9S server
for &ser a&thentication. %he free5are RA/I9S server ?inRadi&s is &sed for this section of the lab.
Step ': 0%ptional1 Do$nload and conigure the <in+adius sot$are3
a. If ?inRadi&s is not c&rrently installed on 'C3A$ do5nload the latest version fro#
http<))555.s&ggestsoft.co#)soft)itcons&lt2""")5inradi&s)$ http<))5inradi&s.soft(2.co#$
http<))555.brothersoft.co#)5inradi&s32"1>.ht#l. %here is no installation set&p. %he eGtracted
?inRadi&s.eGe file is eGec&table.
b. Start the ?inRadi&s.eGe application. If the application is being started for the first ti#e$ follo5 the
instr&ctions to config&re the ?inRadi&s server database.
Note: If ?inRadi&s is &sed on a 'C that &ses the Aicrosoft ?indo5s 1ista operating syste# or the
Aicrosoft ?indo5s C operating syste#$ :/4C #ay fail to create s&ccessf&lly beca&se it cannot 5rite to
the registry.
Possible solutions:
1. Co#patibility settings<
a. Right clic6 on the ?inRadi&s.eGe icon and select Properties.
b. ?hile in the Properties dialog boG$ select the Compatibility tab. In this tab$ select the
chec6boG for +un this program in compatibility mode or. %hen in the drop do5n #en&
belo5$ choose <indo$s =P 0Service Pac" *1 for eGa#ple$ if it is appropriate for yo&r
syste#.
c. Clic6 %>.
2. +un as Administrator settings<
a. Right clic6 on the ?inRadi&s.eGe icon and select Properties.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age of (2
CCNA Security
b. ?hile in the Properties dialog boG$ select the Compatibility tab. In this tab$ select the
chec6boG for +un this program as administrator in the 'rivilege 2evel section.
c. Clic6 %>.
(. +un as Administration for each la&nch<
a. Right clic6 on the ?inRadi&s.eGe icon and select +un as administrator.
b. ?hen ?inRadi&s la&nches$ clic6 ?es in the 9ser Acco&nt Control dialog boG.
Step ): Conigure users and pass$ords on the <in+adius server3
a. Add &serna#e +adAdmin 5ith a pass5ord of +adAdminpa--.
b. Add &serna#e +ad;ser 5ith a pass5ord of +ad;serpa--.
Step *: 2nable AAA on +'3
9se the aaa new-model co##and to enable AAA.
Step ,: Conigure the deault login authentication list3
Config&re the list to first &se radius for the a&thentication service and then local to allo5 access based
on the local ro&ter database if a RA/I9S server cannot be reached.
Step -: .eriy connectivity bet$een +' and the PC6A +ADI;S server3
'ing fro# R1 to 'C3A.
If the pings are not s&ccessf&l$ tro&bleshoot the 'C and ro&ter config&ration before contin&ing.
Step 4: Speciy a +ADI;S server on +'3
Config&re the ro&ter to access the RA/I9S server at the 'C3A I' address. Specify port n&#bers '7')
and '7'*$ along 5ith the defa&lt secret 6ey of <in+adius for the RA/I9S server.
_____________________________________________________________________________
Step 5: Test your coniguration by logging into the console on +'3
a. EGit to the initial ro&ter screen that displays the follo5ing<
R1 con0 is now available.
b. 2og in 5ith the &serna#e +adAdmin and pass5ord +adAdminpa--. Are yo& able to login 5ith
#ini#al delayK
Note: If yo& close the ?inRadi&s server and restart it$ yo& #&st recreate the &ser acco&nts fro# Step 2.
Step 7: Test your coniguration by connecting to +' $ith SS:3
a. Clear the log display for the ?inRadi&s server by choosing Log @ Clear.
b. 9se '&%%D or another ter#inal e#&lation client to open an SS7 session fro# 'C3A to R1.
c. At the login pro#pt$ enter the &serna#e +adAdmin defined on the RA/I9S server and the pass5ord
+adAdminpa--.
Are yo& able to login to R1K FFFFFFF
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 1" of (2
CCNA Security
d. EGit the SS7 session.
e. Stop the ?inRadi&s server on 'C3A by choosing %peration @ 29it.
f. :pen an SS7 session and atte#pt to log in again as +adAdmin.
Are yo& able to login to R1K FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
g. Close the SS7 client and open another SS7 session to R1 and atte#pt to log in as Admin8' 5ith a
pass5ord of Admin8'pa--.
?ith the ?inRadi&s server &navailable$ are yo& able to log in to R1K ?hy or 5hy notK
Step 9: Conigure +ADI;S support on +*3
Repeat steps 1 thro&gh * to config&re R( to access 'C3C as a RA/I9S server.
Tas" 4: ;se CLI to Disable ;nneeded Services on +' and Secure Against Login
Attac"s 0Chapter )1
Step ': ;se CLI to disable common IP services that can be e9ploited or net$or" attac"s3
Tip: Do& can iss&e the auto secure management co##and to see the #anage#ent related co##ands
that 5o&ld be generated. ?hen pro#pted 5ith IApply this configuration to running-config?
[yes]:J respond N% and then selectively copy the desired co##ands to a teGt file for editing and application
to the ro&ter.
a. /isable the follo5ing global services on the ro&ter.
service finger
service pad
service udp-sall-servers
service tcp-sall-servers
cdp run
ip bootp server
ip http server
ip finger
ip source-route
ip gratuitous-arps
ip identd
___________________________________________________________________________
_________________________________________________________________________
Note: /isabling the 7%%' server prevents 5eb3based access to the ro&ter via CC'. If yo& 5ant sec&re
access to the ro&ter via CC'$ yo& can enable it &sing the co##and ip http secure-server.
b. For each serial interface$ disable the follo5ing interface services.
ip redirects
ip pro!y-arp
ip unreachables
ip directed-broadcast
ip as"-reply
___________________________________________________________________________
_________________________________________________________________________
c. For each Fast Ethernet interface$ disable the follo5ing interface services.
CCNA Security
ip redirects
ip pro!y-arp
ip unreachables
ip directed-broadcast
ip as"-reply
op enabled
___________________________________________________________________________
_________________________________________________________________________
Step ): Secure against login attac"s on +' and +*3
Config&re the follo5ing para#eters<
4loc6ing period 5hen login attac6 detected< *"
AaGi#&# login fail&res 5ith the device< 2
AaGi#&# ti#e period for crossing the failed login atte#pts< ("
Step *: Save the running coniguration to the startup coniguration or +' and +*3
Tas" 5: ;se CCP to Disable ;nneeded Services on +* 0Chapter )1
Step ': Conigure user credentials or :TTP router access prior to starting CCP3
a. Enable the 7%%' server on R(.
:r enable the 7%%' sec&re server to connect sec&rely.
b. Create an ad#in acco&nt on R( 5ith privilege level 1, and pass5ord cisco')*,- for &se 5ith AAA
and CC'.
c. 7ave CC' &se the local database to a&thenticate 5eb sessions.
Step ): Access CCP and discover +*3
a. R&n the CC' application on 'C3C. In the Select)Aanage Co##&nity 5indo5$ inp&t the R( I' address
'9)3'473*3' in the first I' Address)7ostna#e field. Enter admin in the 9serna#e field$ and
cisco')*,- in the 'ass5ord field. Clic6 on the %> b&tton.
b. At the CC' /ashboard$ clic6 the Discovery b&tton to discover and connect to R(. If the discovery
process fails$ &se the Discover Details b&tton to deter#ine the proble# in order to resolve the iss&e.
Step *: (egin the security audit3
a. Choose Conigure @ Security @ Security Audit and clic6 the Perorm Security Audit b&tton. Clic6
Ne9t at the 5elco#e screen
b. Choose Aast2thernet 8B' as the Inside %r&sted interface and Serial 8B8B' as the :&tside 9ntr&sted
interface.
CCNA Security
c. 1ie5 the Sec&rity A&dit report and note 5hich services did not pass. Clic6 Close.
d. In the FiG It 5indo5$ clic6 Ai9 it to disable the follo5ing global and interface services<
#lobal services to disable:
service pad
cdp run
ip bootp server
ip source-route
$er-interface service to disable:
ip redirects
ip unreachables
op enabled
Note: /o not fiG .disable0 'roGy AR' beca&se this disables AR' on all R( interfaces and ca&ses a
proble#$ specifically 5ith interface Fa")1$ and pings to the R( 1'- server 2A-. %he 1'- server is
config&red in 'art , of the lab.
e. Clic6 Ne9t to vie5 a s&##ary of the proble#s that 5ill be fiGed. Clic6 Ainish and deliver the
co##ands to the ro&ter.
Tas" 7: Conigure a C(AC Aire$all on +' 0Chapter ,1
Step ': ;se the Cisco I%S AutoSecure eature to enable a C(AC ire$all on +'3
a. %o config&re only the ConteGt 4ased Access Control .C4AC0 fire5all on R1$ &se the auto secure
co##and and specify the firewall option. Respond as sho5n in the follo5ing A&toSec&re o&tp&t
to the A&toSec&re =&estions and pro#pts. %he responses are in bold.
R1% auto secure firewall
--- Auto&ecure 'onfiguration ---
((( Auto&ecure configuration enhances the security of the router) but it will
not a"e it absolutely resistant to all security attac"s (((
Auto&ecure will odify the configuration of your device* All configuration
changes will be shown* +or a detailed e!planation of how the configuration
changes enhance security and any possible side effects) please refer to
'isco*co for
Autosecure docuentation*
At any propt you ay enter ,?, for help*
-se ctrl-c to abort this session at any propt*
#athering inforation about the router for Auto&ecure
.s this router connected to internet? [no]: yes
/nter the nuber of interfaces facing the internet [1]: 1
.nterface .$-Address 01? 2ethod &tatus $rotocol
+ast/thernet030 unassigned 4/& unset adinistratively down down
+ast/thernet031 156*178*1*1 4/& anual up up
&erial03030 10*1*1*1 4/& &9AR$ up up
&erial03031 unassigned 4/& unset adinistratively down down
/nter the interface nae that is facing the internet: serial0/0/0
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 1( of (2
CCNA Security
'onfigure ':A' +irewall feature? [yes3no]: yes
;his is the configuration generated:
ip inspect audit-trail
ip inspect dns-tieout <
ip inspect tcp idle-tie 1==00
ip inspect udp idle-tie 1800
ip inspect nae autosec_inspect cuseee tieout >700
ip inspect nae autosec_inspect ftp tieout >700
ip inspect nae autosec_inspect http tieout >700
ip inspect nae autosec_inspect rcd tieout >700
ip inspect nae autosec_inspect realaudio tieout >700
ip inspect nae autosec_inspect stp tieout >700
ip inspect nae autosec_inspect tftp tieout >0
ip inspect nae autosec_inspect udp tieout 1?
ip inspect nae autosec_inspect tcp tieout >700
ip access-list e!tended autosec_firewall_acl
perit udp any any e@ bootpc
deny ip any any
interface &erial03030
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
A
end
Apply this configuration to running-config? [yes]: yes
Applying the config generated to running-config
R1%
+eb 16 18:>=:?8*0=0: BA-;0&/'-?-/CA:9/D: Auto&ecure is configured on the
device
Step ): +evie$ the AutoSecure C(AC coniguration3
a. %o 5hich interface is the a&tosecFinspect na#e applied and in 5hat directionK
b. %o 5hich interface is the AC2 a&tosecFfire5allFacl applied and in 5hich directionK
c. ?hat is the p&rpose of the AC2 a&tosecFfire5allFaclK
Step *: Arom PC6AC ping the +) e9ternal <AN interace3
a. Fro# 'C3A$ ping the R2 interface S")")" at I' address 1".1.1.2.
b. Are the pings s&ccessf&lK ?hy or 5hy notK
Step ,: Add IC!P to the autosecDinspect list3
Config&re R1 to inspect ICA' and allo5 ICA' echo replies fro# o&tside hosts 5ith a ti#eo&t of *"
seconds.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 1> of (2
CCNA Security
Step -: Arom PC6AC ping the +) e9ternal <AN interace3
a. Fro# 'C3A$ ping the R2 interface S")")" at I' address 1".1.1.2.
b. Are the pings s&ccessf&lK ?hy or 5hy notK
Step 4: Arom +)C ping PC6A3
Fro# R2 ping 'C3A. FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Are the pings s&ccessf&lK ?hy or 5hy notK FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Step 5: Test SS: access rom PC6C to +'3
Fro# eGternal host 'C3C$ start a '&%%D session to R1.
Is the SS7 session connection s&ccessf&lK ?hy or 5hy notK
Step 7: Conigure the +' ire$all to allo$ SS: access rom e9ternal hosts on the '9)3'473*38B),
net$or"3
a. /isplay the eGtended AC2 na#ed a&tosecFfire5allFacl that is applied to S")")" inbo&nd.
R1% show access-list autosec_firewall_acl
/!tended .$ access list autosec_firewall_acl
10 perit udp any any e@ bootpc
60 deny ip any any E?< atchesF
b. Config&re R1 to allo5 SS7 access by adding a state#ent to the eGtended AC2 a&tosecFfire5allFacl
that per#its the SS7 %C' port 22.
R1EconfigF% ip access-list extended autosec_firewall_acl
R1Econfig-e!t-naclF% 13 permit tcp 192.1!.3.0 0.0.0.2"" any e# 22
R1Econfig-e!t-naclF% end
c. Fro# eGternal host 'C3C$ start a '&%%D SS7 session to R1 at I' address 1".1.1.1 and log in as
RA/I9S &ser RadAd#in 5ith a pass5ord of RadAd#inpa,,.
d. Fro# the SS7 session on R1$ display the #odified eGtended AC2 a&tosecFfire5allFacl.
1> perit tcp 156*178*>*0 0*0*0*6?? any e@ 66 E17 atchesF
60 deny ip any any E70 atchesF
Step 9: Conigure the +' ire$all to allo$ NTP and .PN traic3
a. Config&re R1 to allo5 -et5or6 %i#e 'rotocol .-%'0 &pdates fro# R2 by adding a state#ent to the
eGtended AC2 a&tosecFfire5allFacl that per#its the -%' .9/' port 12(0.
R1EconfigF% ip access-list extended autosec_firewall_acl
R1Econfig-e!t-naclF% 1" permit udp host 10.1.1.2 host 10.1.1.1 e# ntp
b. Config&re R1 to allo5 I'sec 1'- traffic bet5een 'C3A and R( by adding a state#ent to the eGtended
AC2 a&tosecFfire5allFacl that per#its the I'sec Encaps&lating Sec&rity 'rotocol .ES'0.
Note: In 'art , of the lab$ R( 5ill be config&red as a 1'- server$ and 'C3A 5ill be the re#ote client.
R1Econfig-e!t-naclF% 1! permit esp any any
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 1, of (2
CCNA Security
R1Econfig-e!t-naclF% end
c. /isplay the #odified eGtended AC2 a&tosecFfire5allFacl.
1> perit tcp 156*178*>*0 0*0*0*6?? any e@ 66 E7< atchesF
1? perit udp host 10*1*1*6 host 10*1*1*1 e@ ntp E> atchesF
18 perit esp any any
60 deny ip any any E61 atchesF
Step '8: Test Telnet access rom internal PC6A to e9ternal router +)3
a. Fro# 'C3A$ %elnet to R2 at I' address '83'3'3) &sing the vty line pass5ord ciscovtypass.
':GH telnet 10.1.1.2
Is the %elnet atte#pt s&ccessf&lK ?hy or 5hy notK
b. 2eave the %elnet session open.
Step '': Display C(AC inspection sessions3
/isplay the I' inspect session to see the active %elnet session fro# 'C3A to R2.

Tas" 9: Conigure a E(A Aire$all on +* 0Chapter ,1
Step ': ;se CCP to discover +*3
a. R&n the CC' application on 'C3C. In the Select)Aanage Co##&nity 5indo5$ inp&t the R( I' address
b. At the CC' /ashboard$ clic6 on the Discovery b&tton to discover and connect to R(. If the discovery
Step ): ;se the CCP Aire$all $iFard to conigure a E(A on +*3
a. Clic6 the Conigure b&tton at the top of the CC' screen$ and then clic6 Security @ Aire$all @
Aire$all.
b. Select (asic Aire$all and clic6 the Launch the selected tas" b&tton. :n the 4asic Fire5all
Config&ration 5i8ard screen$ clic6 Ne9t.
c. Chec6 the Inside 0trusted1 chec6 boG for Aast 2thernet8B' and the %utside 0untrusted1 chec6 boG
for Serial8B8B'. Clic6 Ne9t. Clic6 %> 5hen the CC' access 5arning is displayed.
d. Choose Lo$ Security and clic6 Ne9t. In the S&##ary 5indo5$ clic6 Ainish and deliver the
co##ands to the ro&ter.
e. Clic6 %> in the Co##ands /elivery Stat&s 5indo5.
Step *: .eriy E(A unctionality3
a. Fro# 'C3C$ ping the R2 interface S")")1 at I' address 1".2.2.2. FFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Are the pings s&ccessf&lK ?hy or 5hy notK FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
b. Fro# eGternal ro&ter R2$ ping 'C3C at I' address 12.1*+.(.(. FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 1* of (2
CCNA Security
Are the pings s&ccessf&lK ?hy or 5hy notK FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
c. Fro# ro&ter R2$ %elnet to R( at I' address 1".2.2.1. FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Is the %elnet atte#pt s&ccessf&lK ?hy or 5hy notK FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
d. Fro# 'C3C on the R( internal 2A-$ %elnet to R2 at I' address '83)3)3) and &se pass5ord
ciscovtypass. FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
e. ?ith the %elnet session open fro# 'C3C to R2$ iss&e the co##and show policy-map type
inspect $one-pair session on R(. Contin&e pressing 2nter &ntil yo& see an Inspect
Established session section to5ard the end.
Step ,: Save the running coniguration to the startup coniguration3
Tas" '8: Conigure Intrusion Prevention System 0IPS1 on +' ;sing Cisco I%S
0Chapter -1
Step ': 0%ptional1 Install the TATP server on PC6A3
If a %F%' server is not c&rrently installed on 'C3A$ do5nload %ftpd(2 fro# http<))tftpd(2.Ho&nin.net and install
it on yo&r des6top. If it is already installed$ go to Step 2.
Step ): Prepare the router and TATP server3
%o config&re Cisco I:S I'S ,.G$ the I:S I'S Signat&re pac6age file and p&blic crypto 6ey files #&st be
available on 'C3A. Chec6 5ith yo&r instr&ctor if these files are not on the 'C. %hese files can be do5nloaded
fro# Cisco.co# 5ith a valid &ser acco&nt that has proper a&thori8ation.
a. 1erify that the I%S6Sxxx6CLI3p"g signat&re pac6age file is in a %F%' folder. %he xxx is the version
n&#ber and varies depending on 5hich file 5as do5nloaded.
b. 1erify that the realm6cisco3pub3"ey3t9t file is available and note its location on 'C3A. %his is the
p&blic crypto 6ey &sed by I:S I'S.
c. 1erify or create the I'S directory in ro&ter flash on R1. Fro# the R1 C2I$ display the content of flash
#e#ory &sing the show flash co##and. Chec6 5hether the ipsdir directory eGists and if it has files
in it. FFFFFFFFFFFFFFFFFFFFFFFFFF
d. If the ipsdir directory is not listed$ create it.
R1% m%dir ipsdir
'reate directory filenae [ipsdir]? &ress 'nter
'reated dir flash:ipsdir
e. If the ipsdir directory eGists and the signat&re files are in it$ yo& #&st re#ove the files to perfor# this
part of the lab. S5itch to the ipsdir directory and verify that yo& are in the directory. Re#ove the files
fro# the directory$ and then ret&rn to the flash root directory 5hen yo& are finished.
R1% cd ipsdir
R1% pwd
flash:3ipsdir3
R1% delete (1)
Delete filenae [3ipsdir3R1(]?
Delete flash:3ipsdir3R1-sigdef-typedef*!l? [confir]
Delete flash:3ipsdir3R1-sigdef-category*!l? [confir]
Delete flash:3ipsdir3R1-sigdef-default*!l? [confir]
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 1C of (2
CCNA Security
Delete flash:3ipsdir3R1-sigdef-delta*!l? [confir]
Delete flash:3ipsdir3R1-seap-delta*!l? [confir]
Delete flash:3ipsdir3R1-seap-typedef*!l? [confir]
R1% cd flash*/
R1% pwd
flash:3
Step *: %pen the IPS crypto "ey ile and copy the contents to the router3
:n 'C3A$ locate the crypto 6ey file na#ed real#3cisco.p&b.6ey.tGt and open it &sing -otepad or another
teGt editor. :n R1$ enter global config #ode$ copy the contents of the file$ and paste the contents to the
ro&ter.
%he contents sho&ld loo6 si#ilar to the follo5ing<
crypto "ey pub"ey-chain rsa
naed-"ey real-cisco*pub signature
"ey-string
>0860166 >00D0705 6A87=887 +<0D0101 010?000> 86010+00 >086010A 06860101
00'15/5> A8A+16=A D7''<A6= ?05<A5<? 607:/>A6 07+:A1>+ 7+16':?: =/==1+17
1</7>0D? '06A'6?6 516:/6<+ ><+DD5'8 11+'<A+< D'DD81D5 =>'DA:'> 700<D168
:155A:': D>=/D0+5 08?+AD'1 >?5'185/ +>0A+10A '0/+:76= </0<7=:+ >/?>0?>/
?:61=7A5 D<A?/D/> 0658A+0> D/D<A?:8 5=<50>5D 60+>077> 5A'7=:5> '0116A>?
+/>+0'8< 85:':<:: 55=A/<=' +A5/=81D +7?8<?D7 8?/A+5<= 7D5''8/> +0:08:8?
?0=><<66 ++:/8?:5 ?/=185++ ''185':5 75'=7+5' A8=D+:A? <A0A+55/ AD<78'>7
007'+=58 0<5+88+8 A>:>+:1+ 5+:<:>': ??>5/1D1 575>'':: ??1+<8D6 856>?7A/
6+?7D867 8518/+>' 80'A=+=D 8<:+'A>: :++778/5 785<86A? '+>1':7/ :=:05=D>
+>060>01 0001
@uit
Step ,: Create an IPS rule3
:n R1$ create an I'S r&le na#ed iosips. %his r&le 5ill be &sed later on an interface to enable I'S.
Step -: Conigure the IPS signature storage location in router lash memory3
Specify the location lash:ipsdir 5here the signat&re files 5ill be stored.
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Step 4: Conigure Cisco I%S IPS to use a pre6deined signature category3
Retire all signat&res in the IallJ category and then &nretire the iosDips basic category.
Step 5: Apply the IPS rule to interaces S8B8B8 and Aa8B'3
a. Apply the iosips r&le that yo& created on the S8B8B8 interface in the inbound direction.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 1+ of (2
CCNA Security

b. Apply the I'S r&le to the R1 Aa8B' interface in the inbound direction.
Step 7: .eriy the I%S IPS signature pac"age location and TATP server setup
a. 1erify connectivity bet5een R1 and 'C3A$ the %F%' server.
b. 1erify that the 'C has the I'S signat&re pac6age file in a directory on the %F%' server. %his file is
typically na#ed I:S3Sxxx3C2I.p6g$ 5here xxx is the signat&re file version.
Note: 9se the ne5est signat&re file available if the ro&ter #e#ory can s&pport it. If a signat&re file is
not present$ contact yo&r instr&ctor before contin&ing.
c. Start the %F%' server and set the defa&lt directory to the one that contains the I'S signat&re
pac6age.
Step 9: Copy the signature pac"age rom the TATP server to the router3
a. 9se the copy tftp co##and to retrieve the signat&re file. 4e s&re to &se the idconf 6ey5ord at
the end of the copy co##and.
Note: I##ediately after the signat&re pac6age is loaded to the ro&ter$ signat&re co#piling begins.
Allo5 ti#e for this process to co#plete. It can ta6e several #in&tes.
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
b. /isplay the contents of the ipsdir directory created earlier.
c. 9se the show ip ips all co##and to see an I'S config&ration stat&s s&##ary. %o 5hich
interfaces and in 5hich direction is the iosips r&le appliedK
Step '8: Save the running coniguration to the startup coniguration3
Tas" '': Conigure IPS on +* ;sing CCP 0Chapter -1
Step ': 0%ptional1 Install the TATP server on PC6C3
If a %F%' server is not c&rrently installed on 'C3C$ do5nload %ftpd(2 fro# http<))tftpd(2.Ho&nin.net and install
it on yo&r des6top. If it is already installed$ go to Step 2.
Step ): Prepare the router and TATP server3
%o config&re Cisco I:S I'S ,.G$ the I:S I'S signat&re pac6age file and p&blic crypto 6ey files #&st be
available on 'C3C. Chec6 5ith yo&r instr&ctor if these files are not on the 'C. %hese files can be do5nloaded
fro# Cisco.co# 5ith a valid &ser acco&nt that has proper a&thori8ation.
a. 1erify that the I%S6Sxxx6CLI3p"g signat&re pac6age file is in a %F%' folder. %he xxx is the version
n&#ber and varies depending on 5hich file 5as do5nloaded.
Note: 9se the ne5est signat&re file available if the ro&ter #e#ory can s&pport it. If a signat&re file is
not present$ contact yo&r instr&ctor before contin&ing.
CCNA Security
b. 1erify that the realm6cisco3pub3"ey3t9t file is available and note its location on 'C3C. %his is the
p&blic crypto 6ey &sed by Cisco I:S I'S.
c. 1erify or create the I'S directory in ro&ter flash on R1. Fro# the R1 C2I$ display the content of flash
#e#ory and chec6 to see if the ipsdir directory eGists.
d. If the ipsdir directory is not listed$ create it in privileged EBEC #ode.
Step *: .eriy the I%S IPS signature pac"age and TATP server setup3
a. 1erify connectivity bet5een R( and 'C3C$ the %F%' server$ &sing the ping co##and.
b. 1erify that the 'C has the I'S signat&re pac6age file in a directory on the %F%' server. %his file is
typically na#ed I:S3Sxxx3C2I.p6g$ 5here xxx is the signat&re file version n&#ber.
Note: If this file is not present$ contact yo&r instr&ctor before contin&ing.
c. Start %ftpd(2 or another %F%' server and set the defa&lt directory to the one 5ith the I'S signat&re
pac6age in it. %a6e note of the filena#e for &se in the neGt step.
Step ,: Conigure +* to allo$ CCP Access and Discovery3
a. R&n the CC' application on 'C3C. In the Select)Aanage Co##&nity 5indo5$ inp&t R( I' address
b. At the CC' /ashboard$ clic6 on the Discovery b&tton to discover and connect to R(. If the discovery
Step -: ;se the CCP IPS $iFard to conigure IPS3
a. Clic6 the Conigure b&tton at the top of the CC' screen and then choose Security @ Intrusion
Prevention @ Create IPS. Clic6 the Launch IPS +ule <iFard b&tton to begin the I'S config&ration. If
pro#pted regarding S/EE notification$ clic6 %>. Clic6 Ne9t at the 5elco#e screen.
b. Apply the I'S r&le in the inbo&nd direction for FastEthernet")1 and Serial")")1. Clic6 Ne9t.
c. In the Signat&re File and '&blic @ey 5indo5$ specify the signat&re file 5ith a 9R2 and &se %F%' to
retrieve the file fro# 'C3C. Enter the I' address of the 'C3C %F%' server and the filena#e. Clic6 %>.
d. In the Signat&re File and '&blic @ey 5indo5$ enter the na#e of the p&blic 6ey file realm6cisco3pub.
e. :pen the p&blic 6ey file and copy the teGt that is bet5een the phrase I6ey3stringJ and the 5ord I=&it.J
'aste the teGt into the >ey field in the Config&re '&blic @ey section. Clic6 Ne9t.
f. In the Config 2ocation and Category 5indo5$ specify lash:Bipsdir as the location to store the
signat&re infor#ation. Clic6 %>.
g. In the Choose Category field of the Config 2ocation and Category 5indo5$ choose basic.
h. Clic6 Ne9t to display the S&##ary 5indo5$ and clic6 Ainish and deliver the co##ands to the ro&ter.
Clic6 %>.
Note: Allo5 the signat&re config&ration process to co#plete. %his can ta6e several #in&tes.
Step 4: 0%ptional1 .eriy IPS unctionality $ith CCP !onitor and SuperScan3
a. If S&perScan is not on 'C3C$ do5nload the S&perScan >." tool fro# the Scanning %ools gro&p at
http<))555.fo&ndstone.co#.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 2" of (2
CCNA Security
b. Start S&perScan on 'C3C. Clic6 the :ost and Service Discovery tab. Chec6 the Timestamp
+e/uest chec6 boG$ and &nchec6 the 2cho +e/uest chec6 boG. Scroll the 9/' and %C' port
selection lists and notice the range of ports that 5ill be scanned.
c. Clic6 the Scan tab and enter the I' address of R2 S")")1 .'83)3)3)0 in the :ostnameBIP field.
Note: Do& can also specify an address range$ s&ch as 1".1.1.1 to 1".1.1.2,>$ by entering an address
in the Start IP and 2nd IP fields. %he progra# scans all hosts 5ith addresses in the range specified.
d. Clic6 the b&tton 5ith the bl&e arro5 in the lo5er left corner of the screen to start the scan.
Step 5: Chec" the results $ith CCP logging3
a. Enter the logging +uffered co##and in config #ode on R(.
b. Fro# Cisco CC'$ choose !onitor @ +outer @ Logging.
c. Clic6 the ;pdate b&tton. Do& 5ill see that Cisco I:S I'S has been logging the port scans generated
by S&perScan.
d. ?hat syslog #essages did yo& seeK
Step 7: Save the running coniguration to the startup coniguration3
Tas" '): (ac" ;p and Secure the Cisco +outer I%S Image and Coniguration
Ailes 0Chapter )1
Note: %he proced&res described here can also be &sed to bac6 &p the s5itch I:S i#ages and config&ration
files.
Step ': (ac" up the I%S Image rom +' and +* to a TATP server3
a. Create a directory for the I:S i#ages on 'C3A and 'C3C.
b. Start the %F%' server on 'C3A and choose the I:S i#ages directory as the defa&lt directory.
c. Copy the R1 I:S i#age to the 'C3A %F%' server as a bac6&p in case the c&rrent i#age beco#es
corr&pted. FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
d. Start the %F%' server on 'C3C and choose the I:S i#ages directory as the defa&lt directory.
e. Copy the R( I:S i#age to the %F%' server as a bac6&p in case the c&rrent i#age beco#es
corr&pted.
Note: %he I:S i#age on R1 sho&ld be the sa#e as the one for R($ so a single bac6&p co&ld s&ffice for
both ro&ters.
Step ): (ac" up the coniguration iles rom +' and +* to a TATP server3
a. Create a directory for config&rations on 'C3A and 'C3C.
b. Start the %F%' server on 'C3A and choose the Configs directory as the defa&lt directory.
c. Copy the R1 start&p3config file to the 'C3A %F%' server as a bac6&p.
Note: If changes have been #ade to the r&nning config$ yo& can save the# to the start&p config
before bac6ing &p the config file.
d. Start the %F%' server on 'C3C and choose the Configs directory as the defa&lt directory.
e. Copy the R( start&p3config file to the 'C3C %F%' server as a bac6&p.
CCNA Security
Step *: Secure the Cisco I%S image and archive a copy o the running coniguration or +' and
+*3
a. Sec&re the I:S boot i#age to enable Cisco I:S i#age resilience and hide the file fro# dir and
show co##ands. FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
b. Sec&re the ro&ter r&nning config&ration and sec&rely archive it in persistent storage .flash0.
Step ,: .eriy that the image and coniguration are secured3
/isplay the stat&s of config&ration resilience and the pri#ary bootset filena#e.
Part ,: Secure Net$or" S$itches 0Chapter 41
Tas" ': Conigure Pass$ords and a Login (anner on All S$itches 0Chapter )1
Step ': Conigure the enable secret pass$ord3
9se an enable secret pass5ord of cisco')*,-. FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Step ): 2ncrypt a plainte9t pass$ord3
Step *: Conigure the console line3
Config&re a console pass5ord of ciscoconpass and enable login. Set the eGec3ti#eo&t to log o&t after -
#in&tes of inactivity. 'revent console #essages fro# interr&pting co##and entry.
Note: %he vty lines for the s5itches are config&red for SS7 in %as6 2.
Step ,: Conigure a login $arning banner3
Config&re a 5arning to &na&thori8ed &sers 5ith a #essage3of3the3day .A:%/0 banner that says
I9na&thori8ed access strictly prohibited and prosec&ted to the f&ll eGtent of the la5J.
Step -: Disable :TTP access3
7%%' access to the s5itch is enabled by defa&lt. %o prevent 7%%' access$ disable the 7%%' server and
7%%' sec&re server.
CCNA Security
Tas" ): Conigure S$itches as NTP Clients 0Chapter )1
Note: Ro&ter R2 is the #aster -%' server. All other ro&ters and s5itches learn their ti#e fro# it$ either
directly or indirectly.
Step ': Conigure S'C S)C and S* to become NTP clients o +)3
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Step ): .eriy that S' has made an association $ith +)3 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Tas" *: Conigure Syslog Support on All S$itches 0Chapter )1
Step ': 0%ptional1 Install the syslog server on PC6A and PC6C3
If a syslog server is not c&rrently installed on the host$ do5nload the latest version of @i5i fro#
http<))555.6i5isyslog.co# or %ftpd(2 fro# http<))tftpd(2.Ho&nin.net and install it on yo&r des6top. If it is already
installed$ go to Step 2.
Step ): Conigure S' to log messages to the PC6A syslog server3
a. 1erify that yo& have connectivity bet5een S1 and host 'C3A by pinging the S1 12A- 1 interface I'
address 12.1*+.1.11 fro# 'C3A. If the pings are not s&ccessf&l$ tro&bleshoot as necessary before
contin&ing.
b. Config&re the syslog service on the s5itch to send syslog #essages to the syslog server.
Tas" ,: Conigure the SS: Server on All S$itches 0Chapter )1
Step ': Conigure a domain name3
Enter global config&ration #ode and set the do#ain na#e.
Step ): Conigure a privileged user or login rom the SS: client3
9se the username co##and to create the &ser I/ 5ith the highest possible privilege level and a secret
pass5ord.
Step *: Conigure the incoming vty lines3
Config&re vty access on lines " thro&gh 1,. Specify that a privilege level of 1, is re=&ired to access the
vty lines$ &se the local &ser acco&nts for #andatory login and validation$ and accept only SS7
connections.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 2( of (2
CCNA Security
Step ,: #enerate the +SA encryption "ey pair3
%he s5itch &ses the RSA 6ey pair for a&thentication and encryption of trans#itted SS7 data. Config&re
the RSA 6eys 5ith 1"2> for the n&#ber of #od&l&s bits.
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Step -: .eriy SS: connectivity to S' rom the SS: client PC6A3
a. If the SS7 client is not already installed$ do5nload either %era%er# or '&%%D.
b. 2a&nch the client$ enter the 12A- 1 I' address$ and enter the Admin8' &serna#e and pass5ord.
c. Close the '&%%D SS7 session 5indo5 5ith the exit or #uit co##and.
d. %ry to open a %elnet session to s5itch S1 fro# 'C3A. Are yo& able to open the %elnet sessionK ?hy
or 5hy notK
Tas" -: Conigure Authentication ;sing AAA and +ADI;S on All S$itches
0Chapter *1
Step ': 0%ptional1 Do$nload and conigure the <in+adius sot$are3
a. If ?inRadi&s is not c&rrently installed on 'C3A and 'C3C$ do5nload the latest version fro#
http<))555.s&ggestsoft.co#)soft)itcons&lt2""")5inradi&s)$ http<))5inradi&s.soft(2.co#$
http<))555.brothersoft.co#)5inradi&s32"1>.ht#l. %here is no installation set&p. %he eGtracted
?inRadi&s.eGe file is eGec&table.
b. Start the ?inRadi&s.eGe application. If the application is being started for the first ti#e$ follo5 the
instr&ctions to config&re the ?inRadi&s server database.
Step ): Conigure users and pass$ords on the <in+adius server3
Note: If the RA/I9S &ser acco&nts 5ere previo&sly config&red$ yo& can s6ip this step. If the RA/I9S
server has been sh&t do5n and restarted$ yo& #&st recreate the &ser acco&nts.
a. Add &serna#e +adAdmin 5ith a pass5ord of +adAdminpa--.
b. Add &serna#e +ad;ser 5ith a pass5ord of +ad;serpa--.
Step *: 2nable AAA3
Create a AAA ne5 #odel to enable AAA.
Step ,: Conigure the deault login authentication list3
Config&re the list to first &se RA/I9S for the a&thentication service and then localC to allo5 access based
on the local s5itch database if a RA/I9S server cannot be reached.
Step -: .eriy connectivity bet$een S' and the PC6A +ADI;S server3
'ing fro# S1 to 'C3A. FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
If the pings are not s&ccessf&l$ tro&bleshoot the 'C and s5itch config&ration before contin&ing.
Step 4: Speciy a +ADI;S server3
Config&re the s5itch to access the RA/I9S server at 'C3A. Specify auth6port '7') and acct6port '7'*$
along 5ith the I' address and secret 6ey of ?inRadi&s for the RA/I9S server.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 2> of (2
CCNA Security
Step 5: Test the +ADI;S coniguration by logging in to the console on S'3
a. EGit to the initial s5itch screen that displays the follo5ing< &1 con0 is now available* $ress
R/;-RC to get started.
b. 2og in 5ith the &serna#e +adAdmin and pass5ord +adAdminpa--. Can yo& log in 5ith #ini#al
delayK FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Note: If yo& eGit the ?inRadi&s server and restart it$ yo& #&st recreate the &ser acco&nts fro# Step 2.
Step 7: Test your coniguration by connecting to S' $ith SS:3
a. Clear the log on the ?inRadi&s server by choosing Log @ Clear.
b. 9se '&%%D or another ter#inal e#&lation client to open an SS7 session fro# 'C3A to S1.
c. At the login pro#pt$ enter the &serna#e +adAdmin defined on the RA/I9S server and a pass5ord
of +adAdminpa--.
Are yo& able to login to S1K FFFFFFFFFFF
Tas" 4: Secure Trun" Ports 0Chapter 41
Step ': Conigure trun" ports on S' and S)3
a. Config&re port Fa")1 on S1 as a tr&n6 port.
b. Config&re port Fa")1 on S2 as a tr&n6 port.
c. 1erify that S1 port Fa")1 is in tr&n6ing #ode.
Step ): Change the native .LAN or the trun" ports on S' and S)3
Changing the native 12A- for tr&n6 ports to an &n&sed 12A- helps prevent 12A- hopping attac6s.
a. Set the native 12A- on the S1 Fa")1 tr&n6 interface to an &n&sed .LAN 99.
b. Set the native 12A- on the S2 Fa")1 tr&n6 interface to .LAN 99.
Step *: Prevent the use o DTP on S' and S)3
Set the tr&n6 ports on S1 and S2 so that they do not negotiate by t&rning off the generation of /%'
fra#es.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 2, of (2
CCNA Security
Step ,: .eriy the trun"ing coniguration on port Aa8B'3
______________________________________________________________________________
____________________________________________________________________________
Step -: 2nable storm control or broadcasts3
Enable stor# control for broadcasts on the tr&n6 port 5ith a ," percent rising s&ppression level &sing the
storm-control +roadcast co##and.
Step 4: .eriy the coniguration $ith the sho$ run command3
Tas" 5: Secure Access Ports 0Chapter 41
4y #anip&lating the S%' root bridge para#eters$ net5or6 attac6ers hope to spoof his or her syste# as the
root bridge in the topology. Alternatively$ they can spoof a rog&e s5itch that they added to the net5or6 as the
root bridge. If a port that is config&red 5ith 'ortFast receives a 4'/9$ S%' can p&t the port into the bloc6ing
state by &sing a feat&re called 4'/9 g&ard.
Step ': Disable trun"ing on S'C S)C and S* access ports3
a. :n S1$ config&re ports Fa"), and F")* as access #ode only.
b. :n S2$ config&re Fa")1+ as access #ode only.
c. :n S($ config&re ports Fa"), and Fa")1+ as access #ode only.
Tas" 7: Protect Against STP Attac"s 0Chapter 41
%he topology has only t5o s5itches and no red&ndant paths$ b&t S%' is still active. In this step$ yo& enable
so#e s5itch sec&rity feat&res that can help red&ce the possibility of an attac6er #anip&lating s5itches via
S%'3related #ethods.
Step ': 2nable PortAast on S'C S)C and S* access ports3
'ortFast is config&red on access ports that connect to a single 5or6station or server to enable the# to
beco#e active #ore =&ic6ly.
a. Enable 'ortFast on the S1 Fa"), and Fa")* access ports.
b. Enable 'ortFast on the S2 Fa")1+ access port.
c. Enable 'ortFast on the S( Fa"), and Fa")1+ access port.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 2* of (2
CCNA Security
Step ): 2nable (PD; guard on the S'C S)C and S* access ports3
4'/9 g&ard is a feat&re that can help prevent rog&e s5itches and spoofing on access ports. Enable 4'/9
g&ard on the s5itch ports previo&sly config&red as access only.
Tas" 9: Conigure Port Security and Disable ;nused Ports 0Chapter 41
Step ': Conigure basic port security3
Sh&t do5n all end3&ser access ports that are in &se and enable basic defa&lt port sec&rity. %his sets the
#aGi#&# AAC addresses to 1 and the violation action to sh&tdo5n. Reiss&e the port sec&rity co##and
&sing the stic%y option to allo5 the sec&re AAC address that is dyna#ically learned on a port$ to be added
to the s5itch r&nning config&ration. Re3enable each access port to 5hich port sec&rity 5as applied.
Step ): Disable unused ports on S' and S)3
As a f&rther sec&rity #eas&re$ disable any ports not being &sed on the s5itch.
a. 'orts Fa")1$ Fa"),$ and Fa")* are &sed on s5itch S1. Sh&t do5n the re#aining Fast Ethernet ports
and the t5o Gigabit Ethernet ports.
b. 'orts Fa"1) and Fa")1+ are &sed on s5itch S2. Sh&t do5n the re#aining Fast Ethernet ports and the
t5o Gigabit Ethernet ports.
c. 'orts Fa"), and Fa")1+ are &sed on s5itch S(. Sh&t do5n the re#aining Fast Ethernet ports and the
t5o Gigabit Ethernet ports.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 2C of (2
CCNA Security
Step *: 0%ptional1 !ove active ports to another .LAN and change the management .LAN3
As a f&rther sec&rity #eas&re$ yo& can #ove all active end3&ser and ro&ter ports to a 12A- other than the
defa&lt 12A- 1 on the s5itches. Do& can also change the #anage#ent 12A- fro# 12A- 1 to another 12A-$
b&t yo& #&st have at least one end3&ser host port in that 12A- to #anage the s5itch re#otely &sing %elnet$
SS7$ or 7%%'.
Note: %he follo5ing config&ration allo5s yo& to #anage either s5itch re#otely fro# either 'C3A or 'C34. Do&
can only access the s5itches re#otely &sing SS7$ beca&se %elnet and 7%%' have been disabled. %he
proced&re for s5itch S( is also sho5n.
a. Config&re a ne5 12A- for &sers on each s5itch &sing the follo5ing co##ands.
Note: Do& co&ld also config&re 12A- 1" on s5itch S($ b&t it 5o&ld not co##&nicate 5ith 12A- 1" on
s5itches S1 and S2.
b. Add the c&rrent active access .non3tr&n60 ports to the ne5 12A-.
c. :n each s5itch$ re#ove the #anage#ent 12A- I' address fro# 12A- 1 .config&red in 'art 1 of the
lab0 and sh&t it do5n.
d. Config&re a #anage#ent 12A- I' address for the 12A- 1" interface on S1 and S2 and enable it.
e. Config&re a #anage#ent 12A- I' address for the 12A- (" interface on S( and enable it.
Step ,: Save the running6conig to the startup6conig3
Part -: Coniguring .PN +emote Access
In 'art ,$ config&re a re#ote access I'sec 1'-. R( is config&red via CC' as an Easy 1'- server$ and the Cisco
1'- Client is config&red on 'C3A. %he 'C3A host si#&lates an e#ployee connecting fro# ho#e or a re#ote
office over the Internet. Ro&ter R2 si#&lates an Internet IS' ro&ter.
Tas" ': ;se the CCP .PN <iFard to Conigure the 2asy .PN Server 0Chapter 71
Step ': Conigure +* to allo$ CCP Access and Discovery3
a. Enable the 7%%' server on R(.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age 2+ of (2
CCNA Security
:r enable the 7%%' sec&re server to connect sec&rely.
b. Create an ad#in acco&nt on R( 5ith privilege level 1, for &se 5ith AAA and CC'.
c. 7ave CC' &se the local database to a&thenticate 5eb sessions.
d. R&n the CC' application on 'C3C. In the Select)Aanage Co##&nity 5indo5$ inp&t the R( I' address
12.1*+.(.1 in the first I' Address)7ostna#e field. Enter admin in the 9serna#e field$ and
e. At the CC' /ashboard$ clic6 on the Discovery b&tton to discover and connect to R(. If the discovery
process fails$ clic6 the Discover Details b&tton to deter#ine the proble# in order to resolve the
iss&e.
Step ): Launch the 2asy .PN Server $iFard3
Clic6 the Conigure b&tton at the top of the CC' ho#e screen and choose Security @ .PN @ 2asy .PN
Server$ and then clic6 Launch 2asy .PN Server <iFard. Clic6 Ne9t on the ?elco#e Screen to
contin&e.
Note: %he Easy 1'- Server ?i8ard chec6s the ro&ter config&ration to see if AAA is enabled. If AAA is not
enabled$ the Enable AAA 5indo5 displays. AAA 5as enabled on the ro&ter previo&sly.
Step *: Conigure the virtual tunnel interace and authentication3
a. Choose the interface on 5hich the client connections ter#inate. Clic6 the ;nnumbered to radio
b&tton$ and choose the Serial8B8B' interface fro# the drop3do5n #en&.
b. Choose Pre6shared >eys for the a&thentication type and clic6 Ne9t to contin&e.
Step ,: Select an I>2 proposal3
In the Internet @ey EGchange .I@E0 'roposals 5indo5$ the defa&lt I@E proposal is &sed for R(. Clic6 Ne9t
to accept the defa&lt I@E policy.
Step -: Select the transorm set3
In the %ransfor# Sets 5indo5$ the defa&lt CC' transfor# set is &sed. Clic6 Ne9t to accept the defa&lt
transfor# set.
Step 4: Speciy the group authoriFation and group policy loo"up3
a. In the Gro&p A&thori8ation and Gro&p 'olicy 2oo6&p 5indo5$ choose the Local option.
b. Clic6 Ne9t to create a ne5 AAA #ethod list for gro&p policy loo6&p that &ses the local ro&ter
database.
Step 5: Conigure user authentication 0=Auth13
a. In the 9ser A&thentication .BA&th0 5indo5$ chec6 the 2nable ;ser Authentication chec6 boG and
choose Local %nly.
b. Clic6 the Add ;ser Credentials b&tton. In the 9ser Acco&nts 5indo5$ yo& can vie5 c&rrently defined
local &sers or add ne5 &sers. ?hich &ser acco&nt is c&rrently defined locallyK FFFFFFFFFFFFFFFFFF
c. Add the ne5 &ser .PN;ser' 5ith a pass5ord of .PN;ser'pa-- and clic6 %>.
d. Clic6 %> to close the 9ser Acco&nts 5indo5. Clic6 Ne9t.
CCNA Security
Step 7: Speciy group authoriFation and user group policies3
In the Gro&p A&thori8ation and 9ser Gro&p 'olicies 5indo5$ yo& #&st create at least one gro&p policy for the
1'- server.
a. Clic6 Add to create a gro&p policy.
b. In the Add Gro&p 'olicy 5indo5$ enter .PN6Access in the Name o This #roup field. Enter a ne5
pre3shared 6ey of cisco')*,- and then re3enter it. 2eave the Pool Inormation boG chec6ed. Enter a
starting address of '9)3'473*3)88$ an ending address of '9)3'473*3)-8$ and a s&bnet #as6 of
)--3)--3)--38.
c. Clic6 %> to accept the entries.
d. A CC' 5arning #essage displays indicating that the I' address pool and the Fast Ethernet ")1
address are in the sa#e s&bnet. Clic6 ?es to contin&e.
e. Chec6 the Conigure Idle Timer chec6 boG and enter 1 ho&r$ " #in&tes$ and " seconds.
f. ?hen the Cisco %&nneling Control 'rotocol .c%C'0 5indo5 displays$ do not enable c%C'. Clic6 %> if
a fire5all 5arning #essage displays. Clic6 Ne9t to contin&e.
g. ?hen the Easy 1'- Server 'ass3thro&gh Config&ration 5indo5 displays$ #a6e s&re that the Action
!odiy chec6 boG is chec6ed. %his option allo5s CC' to #odify the fire5all on S")")1 to allo5 I'sec
1'- traffic to reach the internal 2A-.
Step 9: +evie$ the coniguration summary and deliver the commands3
Scroll thro&gh the co##ands that CC' 5ill send to the ro&ter. Clic6 Ainish.
Step '8: Test the .PN Server
Do& are ret&rned to the #ain 1'- 5indo5 5ith the Edit 1'- Server tab selected. Clic6 the Test .PN Server
b&tton in the lo5er right corner of the screen. In the 1'- %ro&bleshooting 5indo5$ clic6 the Start b&tton. Clic6
Close to eGit the 1'- %ro&bleshooting 5indo5.
Tas" ): ;se the Cisco .PN Client to Test the +emote Access .PN 0Chapter 71
Step ': 0%ptional1 Install the Cisco .PN client3
If the Cisco 1'- Client soft5are is not already installed on host 'C3A$ install it no5. If yo& do not have the
Cisco 1'- Client soft5are or are &ns&re of the process$ contact yo&r instr&ctor.
Step ): Conigure PC6A as a .PN client to access the +* .PN server
a. Start the Cisco 1'- Client. Select Connection 2ntries @ Ne$ or clic6 the Ne$ icon 5ith the pl&s
sign .L0 on it.
b. Enter the follo5ing infor#ation to define the ne5 connection entry. Clic6 Save 5hen yo& are finished.
Connection Entry< .PN6Corp
/escription< Connection to +* corporate net$or"
7ost< '83)3)3' .I' address of the R( S")")1 interface0
Gro&p A&thentication -a#e< .PN6Access .specifies the address pool config&red in %as6 20
'ass5ord< cisco')*,- .pre3shared 6ey config&red in %as6 20
Confir# 'ass5ord< cisco')*,-
Note: %he gro&p a&thentication na#e and pass5ord are case3sensitive and #&st #atch the ones created
on the 1'- Server.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age (" of (2
CCNA Security
Step *: Test access rom PC6A $ithout a .PN connection3
Note: In the previo&s step$ yo& created a 1'- connection entry on the 1'- client co#p&ter 'C3A$ b&t
have not activated it yet.
:pen a co##and pro#pt on 'C3A and ping the 'C3C I' address at 12.1*+.(.( on the R( 2A-. Are the
pings s&ccessf&lK ?hy or 5hy notK
Step ,: 2stablish a .PN connection and login3
a. Choose the ne5ly created connection .PN6Corp and clic6 the Connect icon. Do& can also do&ble3
clic6 the connection entry.
b. ?hen the 1'- Client 9ser A&thentication dialog boG displays$ enter the &serna#e .PN;ser'
created previo&sly on the 1'- ro&ter R($ and enter the pass5ord of .PN;ser'pa--. Clic6 %> to
contin&e. %he 1'- Client 5indo5 #ini#i8es to a loc6 icon in the tools tray of the tas6bar. ?hen the
loc6 is closed$ the 1'- t&nnel is &p. ?hen it is open$ the 1'- connection is do5n.
Step -: Test access rom the client $ith the .PN connection3
?ith the 1'- connection fro# co#p&ter 'C3A to ro&ter R( activated$ open a co##and pro#pt on 'C3A
and ping the R( defa&lt gate5ay at 12.1*+.(.1. %hen ping the 'C3C I' address at 12.1*+.(.( on the R(
2A-. Are the pings s&ccessf&lK ?hy or 5hy notK
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age (1 of (2
CCNA Security
+outer Interace Summary Table
+outer Interace Summary
Ro&ter
Aodel
Ethernet Interface
M1
Ethernet Interface
M2
Serial Interface
M1
Serial Interface
M2
1+""
Fast Ethernet ")"
.Fa")"0
Fast Ethernet ")1
.Fa")10
Serial ")")"
.S")")"0
Serial ")")1
.S")")10
1""
Gigabit Ethernet ")"
.G")"0
Gigabit Ethernet ")1
.G")10
Serial ")")"
.S")")"0
Serial ")")1
.S")")10
2+""
Fast Ethernet ")"
.Fa")"0
Fast Ethernet ")1
.Fa")10
Serial ")")"
.S")")"0
Serial ")")1
.S")")10
2""
Gigabit Ethernet ")"
.G")"0
Gigabit Ethernet ")1
.G")10
Serial ")")"
.S")")"0
Serial ")")1
.S")")10
Note: %o find o&t ho5 the ro&ter is config&red$ loo6 at the interfaces to identify the type of ro&ter
and ho5 #any interfaces the ro&ter has. %here is no 5ay to effectively list all the co#binations of
config&rations for each ro&ter class. %his table incl&des identifiers for the possible co#binations of
Ethernet and Serial interfaces in the device. %he table does not incl&de any other type of interface$
even tho&gh a specific ro&ter #ay contain one. An eGa#ple of this #ight be an IS/- 4RI interface.
%he string in parenthesis is the legal abbreviation that can be &sed in Cisco I:S co##ands to
represent the interface.
All contents are Copyright 12!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation. 'age (2 of (2

CCNASv1.1 Chp09 Lab-A Sec-Pol Student

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

CCNASv1.1 Chp09 Lab-A Sec-Pol Student

Transféré par

Droits d'auteur :

Formats disponibles

CCNA Security

Chapter 9 Lab A: Security Policy Development and

Vous aimerez peut-être aussi