Cisco CCNA Security Skills Based Challenge Lab

Collin College

CCNA Security Skills Based Challenge Lab

Lab Overview
This Skills Based Challenge Lab (SBCL) is divided into 7 parts. The parts should be completed
sequentially. In Part 1 you verify that the basic device settings have been preconfigured by the instructor.
In Part 2, you secure a network router using the CLI to configure various IOS features including AAA and
SSH. In Part 3 you configure a site-to-site VPN between R1 and R3 through the ISP router (R2). In Part 4
you configure a ZPF firewall and IPS on an ISR. Part 5 configures network switches using the CLI. In
Parts 6 and 7 you configure the ASA firewall functionality and clientless SSL VPN remote access.

Required Resources: 3 routers, 3 switches,1 ASA 5505, 3 PCs, and Serial and Ethernet cables
as shown in the topology

PC-A: Windows XP, Vista, or Windows 7 with CCP, PuTTy SSH client (Web and FTP server optional)
(flash drive optional)
PC-B: Windows XP, Vista, or Windows 7 with PuTTy SSH client and Java version 6.x or higher (ASDM
loaded on the PC is optional)
PC-C: Windows XP, Vista, or Windows 7 with CCP, PuTTy SSH client, TFTP server and IPS files. (flash
drive optional)

Cisco CCNA Security Skills Based Challenge Lab

Collin College

IP Addressing Table

Device
R1

R2

R3
S1
S2
ASA
ASA
PC-A
PC-B
PC-C

Interface
FA0/0
S0/0/0 (DCE)
Loopback 1
S0/0/0
S0/0/1 (DCE)
Loopback 1
FA0/1
S0/0/1
VLAN 1
VLAN 1
VLAN 1 (E0/1)
VLAN 2 (E0/0)
NIC
NIC
NIC

IP Address
69.15.20.33
10.100.1.1
172.21.10.1
10.100.1.2
10.200.2.2
192.168.200.2
172.31.30.1
10.200.2.1
192.168.100.11
192.168.100.12
192.168.100.1
69.15.20.34
192.168.100.2
192.168.100.3
172.31.30.3

Subnet Mask
255.255.255.248
255.255.255.252
255.255.255.0
255.255.255.252
255.255.255.252
255.255.255.252
255.255.255.0
255.255.255.252
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.248
255.255.255.0
255.255.255.0
255.255.255.0

Default
Gateway
N/A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
192.168.100.1
192.168.100.1
NA
NA
192.168.100.1
192.168.100.1
172.31.30.1

Objectives:
Part 1: Verify Basic Device Settings
Part 2: Configure Secure Router Administrative Access

Configure encrypted passwords and a login banner.

Configure EXEC timeout on console and VTY lines.

Configure login failure rates and VTY login enhancements.

Configure SSH access and disable Telnet.

Configure local AAA authentication.

NTP client to the NTP/Syslog server

Part 3: Configure a Site-to-Site VPN between ISRs

Configure an IPsec site-to-site VPN between R1 and R3 using CCP.

Part 4: Configure an ISR firewall and Intrusion Prevention System

Configure a zone-based policy (ZPF) firewall on an ISR using CCP.

Configure an Intrusion Prevention System (IPS) on an ISR using CCP.

Configure a CBAC firewall to implement security policies

Part 5: Secure Network Switches
Configure passwords and a login banner.
Configure management VLAN access.
Secure trunk ports.
Secure access ports.
Protect against STP attacks.
Configure port security and disable unused ports.

Part 6: Configure ASA Basic Settings and Firewall

Switch Port
ASA E0/0
N/A
N/.A
N/A
N/A
N/A
N/A
N/A
N/A
N/A
S2 FA0/24
R1 FA0/0
S1 FA0/6
S2 FA0/18
S3 FA0/18

Cisco CCNA Security Skills Based Challenge Lab

Collin College

Configure basic settings, passwords, date and time.

Configure the inside and outside VLAN interfaces.
Configure port address translation (PAT) for the inside network.
Configure a DHCP server for the inside network.
Configure administrative access via Telnet and SSH.
Configure a static default route for the ASA.
Configure Local AAA user authentication.
Verify address translation and firewall functionality

Part 7: Configure ASA Clientless SSL VPN Remote Access

Configure a remote access SSL VPN using ASDM.
Verify SSL VPN access to the portal.
Part 1: Verify Basic Device Settings
Important Note: Prior to starting the exam, verify that the basic test environment is built as described
below.

Network cabled as shown in the topology.

Basic settings for all routers configured.

o
Host names, interface IP addresses, serial interface DCE clock rate.
o
DNS lookup disabled on each router.

Static default routes on routers R1, R2 and R3 configured.

o
Static default route from R1 to R2 and from R3 to R2.
o
Static routes from R2 to the R1 simulated LAN (Loopback 1), the R1 Fa0/0-to-ASA
subnet and the R3 LAN.

Basic settings for each switch configured.

o
Host names, VLAN 1 management address, IP default gateway.
o
DNS lookup disabled on each switch.

PC host IP settings configured.

o
Static IP address, subnet mask, and default gateway for each PC.

Verify connectivity between PC-C and R1 Lo1 and Fa0/0.

Part 2: Configure Secure Router Administrative Access
Task 1: Configure Settings for R1 and R2.
Step 1: Configure a minimum password length of 10 characters on R1.
Step 2: Configure the enable secret password on R1.
Use an enable secret password of ciscoenapa55.
Step 3: Encrypt plaintext passwords on R1.
Step 4: Configure the console lines on R1.
Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to
log out after 15 minutes of inactivity. Prevent console messages from interrupting
command entry.
Step 5: Configure a login warning banner on R1.
Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner
that says: Unauthorized access strictly prohibited and prosecuted to the full extent of the
law!.
Step 6: Configure the vty lines and enable password on R2.
a. Configure the password for vty lines to be ciscovtypa55 and enable login. Set the
exec-timeout so a session is logged out after 15 minutes of inactivity.
b.Use an enable secret password of ciscoenapa55.
Step 7: Enable HTTP access on router R2.
Enable the HTTP server on R2 to simulate an Internet target for later testing.

Step 8. Enable the R1 router:

Cisco CCNA Security Skills Based Challenge Lab

Collin College

As an NTP client to the NTP/Syslog server

To timestamp log messages
To send logging messages to the NTP/Syslog server

Task 2: Configure Local Authentication with AAA on R1.

Step 1: Configure the local user database.
Create a local user account of Admin01 with a secret password of Admin01pa55 and a
privilege level of 15.
Step 2: Enable AAA services.
Step 3: Implement AAA services using the local database.
Create the default login authentication method list using case-sensitive local authentication as the
first option and the enable password as the backup option to use if an error occurs in relation to
local authentication.
Task 3: Configure the SSH Server on Router R1.
Step 1: Configure the domain name ccnasecurity.com.
Step 2: Configure the incoming vty lines.
Specify that the router vty lines will accept only SSH connections.
Step 3: Generate the RSA encryption key pair.
Configure the RSA keys with 1024 as the number of modulus bits.
Step 4: Configure the SSH version.
Specify that the router accept only SSH version 2 connections.
Step 5: Verify SSH connectivity to R1 from PC-C.
Launch the SSH client on PC-C and test SSH connectivity to R1 and login in as Admin01
with the password Admin01pa55.
Task 4: Secure against login attacks on R1.
Step 1: Configure enhanced login security on R1.
If a user fails to login twice within a 30 second time span, then disable logins for 1 minute.
Log all failed login attempts.
Part 3: Configure a Site-to-Site IPsec VPN between ISRs
In Part 3 of this SBCL, you use CCP or CLI to configure an IPsec VPN tunnel between R1 and R3 that
passes through R2.
If using CCP:
Task 1: Configure the site-to-site VPN between R1 and R3.
Step 1: Configure the enable secret password and HTTP access on R3 prior to starting CCP.
a.
From the CLI, configure an enable secret password of ciscoenapa55 for use with
CCP on R3.
b.
Enable the HTTP server on R3.
c.
Add user Admin01 to the local database with a privileged level of 15, and a
password of Admin01pa55.
d.
Configure local database authentication of HTTP sessions.
Step 2: Access CCP and discover R3.
From PC-C run CCP and access R3.
Step 3: Use the CCP VPN wizard to configure R3.
Use the Quick Setup option to configure the R3 side of the site-to-site VPN.
Step 4: Configure basic VPN connection information settings.
a.
Specify R3 S0/0/1 as the interface for the connection and R1 interface S0/0/0 as
the remote peer static IP address.
b.
Specify the pre-shared VPN key cisco12345.
c.
Encrypt traffic between the R3 LAN and the R1 Loopback 1 simulated LAN.
Step 5: Generate a mirror configuration from R3 and apply it to R1.

Cisco CCNA Security Skills Based Challenge Lab

a.
b.

Collin College

On R3, generate a mirror configuration for application to router R1 and save it to

the desktop or flash drive. Edit the file as necessary and apply the mirrored
commands to R1.
Apply the crypto map to the R1 VPN interface.

Task 2: Test the Site-to-Site IPsec VPN using CCP

a.
On R3 (PC-C), use CCP to test the IPsec VPN tunnel between the two routers.
b.
Ping from PC-C to the R1 Lo1 interface at 172.21.10.1 to generate some interesting
traffic.
c.
Issue the show crypto isakmp sa command on R3 to view the security association
created.
d.
Issue the show crypto ipsec sa command on R1 to verify packets are being received from
R3 and decrypted by R1.
If using CLI:
Configure a Site-to-Site IPsec VPN between the R1 and R3.
The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2
Policy:
ISAKMP Phase 1 Policy
ISAKMP Phase 2 Policy Parameters
Parameters
Key Distribution
ISAKMP
Parameters
R1 Router
R3 Router
Method
Encryption
AES
Transform Set
VPN-SET
VPN-SET
Algorithm
Name
esp-3des
esp-3des
Number of Bits
256
Transform Set
esp-sha-hmac
esp-sha-hmac
Hash Algorithm
SHA-1
Peer Host Name
R3
R1
Authentication
Pre-share
Peer IP Address
10.200.2.1
10.100.1.2
Method
Key Exchange
DH 2
Encrypted Network 172.21.10.0/24
172.31.30.0/24
IKE SA Lifetime
86400
Crypto Map Name VPN-MAP
VPN-MAP
ISAKMP Key
Vpnpass101
SA Establishment ipsec-isakmp
ipsec-isakmp
a.
b.
c.
d.
e.
f.
g.

Configure an ACL (ACL 120) on the R1 router to identify the interesting traffic. The
interesting traffic is all IP traffic between the two LANs (172.21.10.0/24 and 172.31.30.0/24).
Configure the ISAKMP Phase 1 properties on the R1 router. The crypto ISAKMP policy is 10.
Refer to the ISAKMP Phase 1 Policy Parameters Table for the specific details needed.
Configure the ISAKMP Phase 2 properties on the R1 router. Refer to the ISAKMP Phase 2
Policy Parameters Table for the specific details needed.
Bind the VPN-MAP crypto map to the outgoing interface.
Configure IPsec parameters on the R3 router using the same parameters as on the R1
router. Note that interesting traffic is defined as the IP traffic from the two LANs.
Save the running-config, then reload both R1 and R3 routers.
Verify the VPN configuration by conducting an FTP session with the username cisco and the
password cisco from the PC-C to the DMZ Web Svr. On the R3 router, check that the
packets are encrypted. To exit the FTP session, type quit.

Part 4: Configure an ISR Firewall and Intrusion Prevention System

In Part 4, you configure a zone-based policy firewall and IPS on R3 using CCP or CLI.
Task 1: Configure a ZPF Firewall on R3.
If using CCP:
Step 1: Use the CCP Firewall wizard to configure a zone-based firewall.

Cisco CCNA Security Skills Based Challenge Lab

Collin College

a.

Configure a Basic firewall with Fa0/1 interface as the Inside interface and S0/0/1
as the Outside interface.
b.
Use the Low Security setting, and complete the Firewall wizard.
Step 2: Verify Firewall functionality.
a.
From PC-C, ping external router R2. The pings should be successful.
b.
From external router R2, ping PC-C. The pings should NOT be successful.
If using CLI:
Step 1: Configure a ZPF Firewall on R3 using CLI.
a. Access the R3 router with username R1ADMIN, password ciscoccnas and the
enable secret password of ciscoclass.
b. On the R3 router, create the firewall zones.
Create an internal zone named BR-IN-ZONE.
Create an external zone named BR-OUT-ZONE.
c. Define a traffic class and access list.
Create an ACL (ACL 110) to permit all protocols from the 172.31.30.0/24 network to
any destination.
Create a class map using the option of class map type inspect with the match-all
keyword. Match the ACL 110 and name the class map BR-IN-CLASS-MAP.
d. Specify firewall policies.
Create a policy map named BR-IN-OUT-PMAP.
Use the BR-IN-CLASS-MAP class map.
Specify the action of inspect for this policy map.
e. Apply the firewall.
Create a pair of zones named IN-OUT-ZPAIR with the source as BR-IN-ZONE and
destination as BR-OUT-ZONE.
Specify the policy map BR-IN-OUT-PMAP for handling the traffic between the two
zones.
Assign interfaces to the appropriate security zones.
f. Verify the ZPF configuration.
The PC-C in the R3 office can ping the R2 Lo1 (192.168.200.2).
R2 Lo1 cannot ping the PC-C in the R3 office (172.31.30.3).
The PC-C in R3 office can establish an SSH connection to the R1 router with the
username SSHAccess and password ciscosshaccess. If you get the R1> prompt,
then your configuration is correct.
Task 2: Configure IPS on R3 Using CCP or CLI.
Step 1: Prepare router R3 and the TFTP server.
To configure Cisco IOS IPS 5.x, the IOS IPS signature package file and public crypto key files
must be available on the PC with the TFTP server installed. R3 uses PC-C as the TFTP server.
Check with your instructor if these files are not on the PC.
a.Verify that the IOS-Sxxx-CLI.pkg signature package file is in the default TFTP folder.
The xxx is the version number and varies depending on which file was downloaded from
Cisco.com.
b.Verify that the realm-cisco.pub.key.txt file is available and note its location on PC-C.
c.Verify or create the IPS directory, ipsdir, in router flash on R3.
Note: For router R3, the IPS signature (.xml) files in the flash:/ipsdir/ directory should have been deleted
and the directory removed prior to starting the SBCL. The files must be deleted from the directory in order
to remove it.
Note: If the ipsdir directory is listed and there are files in it, contact your instructor. This directory must be
empty before configuring IPS. If there are no files in it you may proceed to configure IPS.

Cisco CCNA Security Skills Based Challenge Lab

Collin College

If using CCP:
Step 2: Access CCP and discover R3 (if required).
Specify Admin01 as the username and Admin01pa55 as the password.
Step 3: Use the CCP IPS wizard to configure IPS.
a.
Launch the IPS wizard and apply the IPS rule in the inbound direction for
Serial0/0/1.
b.
Specify the signature file with a URL and use TFTP to retrieve the file from PC-C.
c.
Name the public key file realm-cisco.pub.
d.
Copy the text from the public key file to the CCP IPS wizard.
e.
Specify the flash:/ipsdir/ directory name as the location to store the signature
information.
f.
Choose the basic category.
g.
Complete the wizard.
If using CLI:
Step 2: Configure an IOS IPS on the R3 Router.
a. On the R3 router, create a directory in flash named ipsdir.
b. Configure the IPS signature storage location to be flash:ipsdir.
c. Create an IPS rule named R3ips.
d. Configure the IOS IPS to use the signature categories. Retire the all signature
category and unretire the ios_ips basic category.
e. Apply the IPS rule in the inbound direction for Serial0/0/1.
f. Modify the ios_ips basic category. Unretire the echo request signature (signature
2004, subsig 0); enable the signature; modify the signature event-action to produce an
alert and to deny packets that match the signature.
g. Verify that IPS is working properly. PC-C in the internal network can R2 Lo1.
However, R2 Lo1 can not ping PC-C.
Part 5: Secure Network Switches
Task 1: Configure Passwords and a Login Banner on S1.
Step 1: Configure the enable secret password of ciscoenapa55.
Step 2: Encrypt plaintext passwords.
Step 3: Configure the console and VTY lines.
a.
Configure a console password of ciscoconpa55 and set the exec-timeout to log
out after 5 minutes of inactivity. Prevent console messages from interrupting
command entry.
b.
Configure a vty lines password of ciscovtypa55 and set the exec-timeout to log
out after 5 minutes of inactivity.
Step 4: Configure a login warning banner.
Configure a warning to unauthorized users with a message-of-the-day (MOTD)
banner that says Unauthorized access strictly prohibited and prosecuted to the
full extent of the law!.
Step 5: Disable HTTP access.
Task 2: Secure Trunk and Access Ports on S1 and S2.
Step 1: Configure trunk ports on S1 and S2.
Step 2: Change the native VLAN to 99 for the trunk ports on S1 and S2.
Step 3: Prevent the use of DTP on S1 and S2 trunk ports.
Step 4: Verify the trunking configuration on S1 and S2.
Step 5: Enable storm control for broadcasts on S1 and S2 trunk ports.
Step 6: Disable trunking on S1 access ports that are in use.
Step 7: Enable PortFast on S1 access ports that are in use.
Step 8: Enable BPDU guard on S1 access ports that are in use.

Cisco CCNA Security Skills Based Challenge Lab

Collin College

Task 3: Configure Port Security and Disable Unused Ports.

Step 1: Configure basic port security for the S1 access port.
Use the default port security options (set maximum MAC addresses to 2 and violation
action to shutdown). Allow the secure MAC address that is dynamically learned on a port
be added to the switch running configuration.
Step 2: Disable unused ports on S1.
As a further security measure, disable any ports not being used.
Part 6: Configure ASA Basic Settings and Firewall
Task 1: Prepare the ASA for ASDM access.
Step 1: Clear the previous ASA configuration settings.
Step 2: Bypass Setup Mode and configure the VLAN interfaces using CLI.
a.
The VLAN 1 logical interface will be used by PC-B to access ASDM on ASA
physical interface E0/1. Configure interface VLAN 1 and name it inside. Specify
IP address 192.168.100.1 and subnet mask 255.255.255.0. Verify that the
security level is set to 100.
b.
Pre-configure interface VLAN 2 and name it outside, and add physical interface
E0/0 to VLAN 2. You will assign the IP address using ASDM. Verify that the
security level is set to 0.
c.
Test Connectivity to the ASA by pinging from PC-B to ASA interface VLAN 1 IP
address 192.168.100.1. The pings should be successful.
Step 3: Configure and verify access to the ASA from the inside network.
a.
Configure the ASA to accept HTTPS connections and to allow access to ASDM
from any host on the inside network 192.168.100.0/24.
b.
Open a browser on PC-B and test the HTTPS access to the ASA ASDM GUI.
Task 2: Configure basic ASA settings using the ASDM Startup Wizard.
Step 1: Access the Configuration menu and launch the Startup wizard.
Step 2: Configure hostname, domain name, and enable password.
Configure the ASA host name CCNAS-ASA and domain name of ccnasecurity.com.
Change the enable mode password to ciscoenapa55.
Step 3: Configure the outside VLAN interface.
Enter an outside IP address of 69.15.20.234 and mask 255.255.255.248.
Step 4: Configure DHCP, address translation and administrative access.
a.
Enable the DHCP server on the Inside Interface and specify a starting IP address
of 192.168.100.5 and ending IP address of 192.168.100.30. Enter the DNS
server 1 address of 10.3.3.3 and domain name ccnasecurity.com.
b.
Configure the ASA to use port address translation (PAT) using the IP address of
the outside interface.
c.
Add Telnet access to the ASA for the inside network 192.168.100.0 with a subnet
mask of 255.255.255.0. Add SSH access to the ASA from host 172.31.30.3 on
the outside network.
Step 5: Test Telnet access to the ASA.
a.
From a command prompt or GUI Telnet client on PC-B, Telnet to the ASA inside
interface at IP address 192.168.100.1.
Task 3: Configuring ASA Settings from the ASDM Configuration Menu.
Step 1: Set the ASA Date and Time.
Set the time zone, current date and time and apply the commands to the ASA.
Step 2: Configure a static default route for the ASA.
Add a static route for the outside interface and specify Any for the network object and a
Gateway IP of 69.15.20.33. Use Ping from the ASDM Tools menu to test connectivity to
the IP address of router R1 S0/0/0 (10.100.1.1). The ping should succeed.
Step 3: Test access to an external website from PC-B.
Open a browser on PC-B and enter the IP address of the R2 S0/0/0 interface
(10.100.1.2) to simulate access to an external website. The R2 HTTP server was

Cisco CCNA Security Skills Based Challenge Lab

Collin College

previously enabled so you should be prompted with a user authentication login dialog box
from the R2 GUI device manger. Exit the browser.
Step 4: Configure AAA for SSH client access.
a.
Create a new user named admin with a password of cisco123. Allow this user
Full access (ASDM, SSH, Telnet, and console) and set the privilege level to 15.
b.
Require authentication for HTTP/ASDM, SSH and Telnet connections and specify
the LOCAL server group for each connection type.
c.
From PC-C, open an SSH client such as PuTTY and attempt to access the ASA
outside interface at 69.15.20.34. You should be able to establish the connection.
Part 7: Configure ASA Clientless SSL VPN Remote Access
Step 1: Configure the SSL VPN user interface.
Configure VPN-Con-Prof as the Connection Profile Name, and specify outside as the
interface to which outside users will connect.
Step 2: Configure AAA user authentication.
Use the local user database to authenticate remote access users and create a new user
named VPNuser with a password of remote.
Step 3: Configure the VPN group policy.
Create a new group policy named VPN-Grp-Pol.
Step 4: Configure the bookmark list.
a.
Add a bookmark list and name it WebServer-XX (where XX is your initials).
b.
Add a new Bookmark with Web Mail as the Bookmark Title. Specify the server
destination IP address of PC-B 192.168.100.3 (simulating a web server).
Step 5: Verify VPN access from the remote host.
Open the browser on PC-C and enter the login URL for the SSL VPN into the address
field (https://69.15.20.34). The Logon window should appear. Enter the previously
configured user name VPNuser and password remote and click Logon to continue. The
Web Portal window should display.