Configuring ASA-5506X, Final
then I will secure the network router using the CLI to configure various IOS
features, including AAA and SSH; then I will configure a Zone-Based
Policy Firewall (ZPF) and Intrusion Prevention using the Cisco IOS
Intrusion Prevention System (IPS) on a router using the CLI; then I will
configure and secure the switches; and finally I will configure the ASA
management and firewall settings using the CLI.
I hope my videos are helpful for those who are seeking to be certified
for the Cisco exams. If you like my videos, please subscribe to my
channel, share it on your Facebook page, and give me a thumbs up. Please
let me know if you have any suggestions, comments or questions; I will
gladly answer you back.
On my Facebook page, I created a group where I post all of my labs;
the name of the group is “CCNA Free Practice labs, Walk through”.
You need to install Packet Tracer. I posted a video that shows you step by
step how to download and install Packet Tracer, in either English or
Arabic; see my video channel or my group on Facebook and please
follow along.
In the description of this video, you will find two files: the
Packet Tracer source files, and the document that walks you through
the lab step by step until you are finally able to verify the
configurations you made during this lab.
I will start the configuration on Router1.
On Router1:
# enable
# conf t
# hostname Router1
# int G0/0/0
# ip address 10.1.1.2 255.255.255.252
# no shutdown
# int S0/1/0
# ip address 10.2.2.1 255.255.255.252
# no shutdown
NEXT:
I will create a static route to reach the inside network on
192.168.10.0/24, and the next hop would be on 10.1.1.1
# conf t
# ip route 192.168.10.0 255.255.255.0 10.1.1.1
And another static route to reach the remote office.
# conf t
# ip route 172.16.30.0 255.255.255.0 10.2.2.2
NEXT:
I will configure Router1 as the NTP server with authentication.
On Router1:
# conf t
# ntp authentication-key 1 md5 cisco
# ntp server 10.2.2.1 key 1
# ntp trusted-key 1
To enable NTP authentication:
# ntp authenticate
# ntp master 3
NEXT:
I will configure Router3:
On Router3:
# enable
# conf t
# hostname Router3
# int G0/0/0
# ip address 172.16.30.1 255.255.255.0
# no shut
# int S0/1/1
# ip address 10.2.2.2 255.255.255.252
# no shut
Next,
I will create a default static route to reach the other networks; the next
hop is Router1's S0/1/0 interface, 10.2.2.1.
On Router3:
# conf t
# ip route 0.0.0.0 0.0.0.0 10.2.2.1
NEXT:
I will configure SW-1:
On SW-1:
# enable
# conf t
# hostname SW-1
Next,
I will make SW-1 the root primary for VLAN 1.
# conf t
# spanning-tree vlan 1 root primary
On SW-2:
# enable
# conf t
# hostname SW-2
# spanning-tree vlan 1 root secondary
NEXT,
I will verify network connectivity.
Let us see if PC-3 can ping its gateway on Router3 G0/0/0.
On PC-3:
# ping 172.16.30.1
It should be successful.
From Router3, I will ping the S0/1/0 interface on Router1.
On Router3:
# ping 10.2.2.1
It should be successful.
NEXT:
I will configure secure router administrative access: I will secure the
administrative access on Router3 using the CLI.
I will set the minimum password length to 5 characters on Router3.
On Router3:
# conf t
# security passwords min-length 5
I will assign and encrypt a privileged EXEC password of “cisco”.
# enable secret cisco
I will add a user to the local database for administrator access:
username Admin1, privilege 15 and password Admin1.
On Router3:
# conf t
# username Admin1 privilege 15 secret Admin1
NEXT,
I will configure SSH on the router with the domain name ccnasecurity.com,
an RSA key size of 1024 bits, SSH version 2, a timeout of 90 seconds and
2 authentication retries.
On Router3:
# conf t
# ip domain-name ccnasecurity.com
# crypto key generate rsa general-keys modulus 1024
# ip ssh version 2
# ip ssh time-out 90
# ip ssh authentication-retries 2
NEXT,
I will configure syslog: I will enable the timestamp service to log the
date and time in milliseconds, send the syslog messages to
PC-3 on 172.16.30.3, and set the message logging severity level to
“debugging”.
On Router3:
# conf t
# service timestamps log datetime msec
# logging host 172.16.30.3
# logging trap debugging
I will configure VTY lines to allow only SSH access.
On Router3:
# conf t
# line vty 0 15
# transport input ssh
NEXT,
I will configure AAA authentication and authorization settings: I will
enable AAA and use the local database as the default method.
On Router3:
# conf t
# aaa new-model
# aaa authentication login default local
# aaa authorization exec default local
NEXT,
I will configure Router3 as the NTP client, using authentication key 1
with the MD5 key “cisco”; our NTP server is 10.2.2.1, and I will also
configure periodic calendar updates.
On Router3:
# conf t
# ntp authentication-key 1 md5 cisco
# ntp authenticate
# ntp server 10.2.2.1 key 1
# ntp update-calendar
NEXT:
I will verify what we did so far by connecting to Router3 via SSH from
PC-3.
On PC-3:
# ssh -l Admin1 172.16.30.1
It should be successful.
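To check a router's running configuration against the hardening settings applied above, here is an added Python example (not part of this lab or of Cisco's tooling) that audits a constructed IOS config dump for the items from the Router3 steps: minimum password length, enable secret, AAA, SSH version 2, millisecond timestamps, syslog host, NTP authentication and SSH-only VTY lines. The sample config and the finding texts are my own.

```python
# Added example (not from the lab): audit an IOS running-config against the
# Router3 hardening settings used above. The config text is constructed for
# illustration, not captured from a device.
import re

SAMPLE_CONFIG = """\
hostname Router3
security passwords min-length 5
enable secret 5 $1$placeholder
aaa new-model
aaa authentication login default local
ip ssh version 2
service timestamps log datetime msec
logging host 172.16.30.3
ntp authenticate
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Settings that must appear in the global config: (finding text, regex).
GLOBAL_CHECKS = [
    ("no enable secret configured", r"^enable secret "),
    ("AAA not enabled (aaa new-model)", r"^aaa new-model$"),
    ("SSH version 2 not forced", r"^ip ssh version 2$"),
    ("millisecond log timestamps missing", r"^service timestamps log datetime msec$"),
    ("syslog host not configured", r"^logging host \S+"),
    ("NTP authentication not enabled", r"^ntp authenticate$"),
]

def audit_ios_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = [msg for msg, pat in GLOBAL_CHECKS
                if not re.search(pat, config, re.MULTILINE)]
    m = re.search(r"^security passwords min-length (\d+)$", config, re.MULTILINE)
    if m is None or int(m.group(1)) < 5:
        findings.append("password min-length not set to at least 5")
    # Every 'line vty' block must restrict transport input to SSH only; the
    # lab applies this to vty 0 15, so a block still allowing telnet is a gap.
    for blk in re.finditer(r"^line vty (\S+ \S+)\n((?: .*\n)*)", config, re.MULTILINE):
        t = re.search(r"^ transport input (.+)$", blk.group(2), re.MULTILINE)
        if t is None or t.group(1).strip() != "ssh":
            findings.append(f"line vty {blk.group(1)}: transport input is not ssh-only")
    return findings
```

Run it against the output of show running-config copied from the device; the constructed sample deliberately leaves telnet on vty 0 4 so that one finding is reported.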
NEXT:
I will enable the Security Technology Package on Router3.
I will issue the show version command to view the technology package
license information and verify that the security technology package
has been enabled.
On Router3:
# show version
I will configure a Zone-Based Policy Firewall on Router3 using the CLI. I
will create two security zones: the inside zone named INSIDE and the
outside zone named INTERNET.
On Router3:
# conf t
# zone security INSIDE
# exit
# zone security INTERNET
# exit
NEXT:
I will create an inspection class map named INSIDE_PROTOCOLS with the
inspection type match-any, matching the allowed protocols tcp, udp and
icmp.
On Router3:
# conf t
# class-map type inspect match-any INSIDE_PROTOCOLS
# match protocol tcp
# match protocol udp
# match protocol icmp
# exit
NEXT:
I will create an inspect policy map named INSIDE_TO_INTERNET, bind the
class map to it, and have the matched packets inspected.
On Router3:
# conf t
# policy-map type inspect INSIDE_TO_INTERNET
# class type inspect INSIDE_PROTOCOLS
# inspect
# exit
# exit
NEXT:
I will create a zone pair named IN_TO_OUT_ZONE, with source zone INSIDE
and destination zone INTERNET.
On Router3:
# conf t
# zone-pair security IN_TO_OUT_ZONE source INSIDE destination INTERNET
NEXT:
I will apply the policy map INSIDE_TO_INTERNET to the zone pair
IN_TO_OUT_ZONE (still in zone-pair configuration mode).
On Router3:
# service-policy type inspect INSIDE_TO_INTERNET
# exit
NEXT:
I will assign the interfaces to the proper security zones: G0/0/0 to
INSIDE and S0/1/1 to INTERNET.
On Router3:
# conf t
# int G0/0/0
# zone-member security INSIDE
# int S0/1/1
# zone-member security INTERNET
Time to verify the configuration.
What we did allows PC-3 to connect to the Internet via TCP, UDP and
ICMP, but not the other way around.
I will ping from PC-3 to the Internet.
On PC-3:
# ping 10.2.2.1
It should be successful.
I will ping from Router1 to PC-3.
On Router1:
# ping 172.16.30.3
It should fail because of the firewall we configured on Router3.
NEXT:
I will configure an Intrusion Prevention System (IPS) on Router3.
I will create an IOS IPS configuration directory in flash using the
“mkdir” command, and I will name the directory “ipsdir”.
On Router3:
# mkdir ipsdir
(press Enter to confirm the directory name)
Next,
I will configure the IPS signature storage location to the directory I
have just created.
On Router3:
# conf t
# ip ips config location flash:ipsdir
Next,
I will create an IPS rule named “iosips” using the “ip ips name” command.
# ip ips name iosips
I will enable logging
# ip ips notify log
NEXT:
I will configure the IOS IPS to use the signature categories: I will retire
the “all” signature category with the “retired true” command, which
covers every signature in the signature release, then unretire the
IOS_IPS Basic category with the “retired false” command.
On Router3:
# conf t
# ip ips signature-category
# category all
# retired true
# exit
# category ios_ips basic
# retired false
# exit
# exit
(press Enter to confirm the changes)
NEXT:
I will apply the IPS rule to the S0/1/1 interface in the inbound direction.
The direction “in” means that IPS inspects only traffic going into the
interface; similarly, “out” means that IPS inspects traffic going out
of the interface.
On Router3:
# conf t
# int S0/1/1
# ip ips iosips in
NEXT:
I will modify a signature by changing its event-action: I will unretire
the echo request signature (signature 2004, subsig ID 0), enable it,
then change the signature action to alert and drop.
On Router3:
# conf t
# ip ips signature-definition
# signature 2004 0
# status
# retired false
# enabled true
# exit
# engine
# event-action produce-alert
# event-action deny-packet-inline
# exit
# exit
# exit
(press Enter to confirm)
I will run the show command:
# show ip ips all
Have a thorough look at the table and study it.
Notice the interface and the direction in which the “iosips” rule is
applied.
NEXT:
I will configure SW-1 and SW-2.
On SW-1:
# enable
I will create VLANs on the switch
# conf t
# vlan 2
# name NewNative
# vlan 10
# name LAN
# vlan 99
# name Blackhole
On SW-2:
# enable
I will create VLANs on the switch
# conf t
# vlan 2
# name NewNative
# vlan 10
# name LAN
# vlan 99
# name Blackhole
NEXT:
I will configure the trunk ports on SW-1 and SW-2.
On SW-1:
# conf t
# int range F0/1-2
# switchport mode trunk
# switchport trunk native vlan 2
Next, I will prevent DTP (Dynamic Trunking Protocol) negotiation on the trunk ports
# switchport nonegotiate
I will assign F0/6 access port vlan 10
# int F0/6
# switchport mode access
# switchport access vlan 10
I will do the same on SW-2
On SW-2:
# conf t
# int range F0/1-2
# switchport mode trunk
# switchport trunk native vlan 2
Next, I will prevent DTP (Dynamic Trunking Protocol) negotiation on the trunk ports
# switchport nonegotiate
I will disable trunking on F0/18 and F0/24 on SW-2 and assign them to
VLAN 10.
On SW-2:
# conf t
# int range F0/18, F0/24
# switchport mode access
# switchport access vlan 10
I will enable PortFast and BPDU guard on F0/18, and F0/24.
# spanning-tree portfast
# spanning-tree bpduguard enable
# exit
Next, I will configure basic port security on F0/18 on SW-2, the port
connecting PC-2.
# conf t
# int f0/18
# switchport port-security
# switchport port-security maximum 2
# switchport port-security mac-address sticky
# switchport port-security violation shutdown
NEXT, I will disable the unused ports on SW-2 and assign them to VLAN 99.
On SW-2:
# conf t
# int range F0/3-17, F0/19-23, G0/1-2
# switchport mode access
# switchport access vlan 99
# shutdown
NEXT:
I will configure DHCP snooping: I will enable DHCP snooping globally,
enable it for VLAN 10, and make F0/24, the port connected to the ASA,
the DHCP trusted interface.
On SW-2:
# conf t
# ip dhcp snooping
# ip dhcp snooping vlan 10
# int F0/24
# ip dhcp snooping trust
# exit
I will run some show commands:
# show vlan brief
# show int trunk
Here, PC-1 should be able to ping PC-2, and PC-2 should be able to
ping PC-1.
NEXT:
I will configure ASA Basic Management and firewall settings.
On the ASA device, the privileged EXEC password is blank by default, so I
will press Enter at the password prompt.
I will configure the ASA hostname as “ASA”.
On ASA-5506:
# enable
(press Enter at the password prompt)
# conf t
# hostname ASA
I will configure the domain name as ccnasecurity.com
# domain-name ccnasecurity.com
I will configure the privileged EXEC password of “ cisco”
# enable password cisco
I will add a user in the local database with administrator console
access of Admin1 and the password of Admin1
# username Admin1 password Admin1
I will configure interface G1/2 (inside) with the name inside, the
IP address 192.168.10.1/24 and a security level of 100.
# int G1/2
# nameif inside
# ip address 192.168.10.1 255.255.255.0
# security-level 100
# no shut
NEXT,
I will configure interface G1/1 (outside) with the IP address
10.1.1.1/30 and a security level of 0.
# int G1/1
# nameif outside
# ip address 10.1.1.1 255.255.255.252
# security-level 0
# no shut
NEXT:
I will configure the AAA to use the local database for SSH user
authentication
# aaa authentication ssh console LOCAL
Next, I will generate an RSA key pair to support the SSH connection.
# crypto key generate rsa modulus 1024
(type yes at the confirmation prompt)
I will configure the ASA to accept SSH connections from hosts on the
inside LAN
# ssh 192.168.10.0 255.255.255.0 inside
# ssh timeout 10
NEXT,
I will configure the default route with the next hop IP address 10.1.1.2
# route outside 0.0.0.0 0.0.0.0 10.1.1.2
NEXT
I will create a network object to identify the internal addresses for PAT,
and translate them dynamically using the outside interface address as
the mapped IP address.
# conf t
# object network INSIDE-NET
# subnet 192.168.10.0 255.255.255.0
# nat (inside,outside) dynamic interface
NEXT,
I will modify the default global policy to allow returning ICMP traffic
through the firewall: the policy map is global_policy, the class is
inspection_default, and the protocol to inspect is icmp.
# conf t
# class-map inspection_default
# match default-inspection-traffic
# exit
# policy-map type inspect dns preset_dns_map
# parameters
# message-length maximum 512
# exit
# exit
# policy-map global_policy
# class inspection_default
# inspect icmp
# exit
# service-policy global_policy global
I will ping from the PCs to their default gateway.
We configured the firewall to permit pings.
I will ping the Router1 interface from the PCs.
I will try to ping from Router1 to PC-1 and PC-2.
Next, we will configure a Site-to-Site VPN between Router3 and
the ASA.
We will create an ISAKMP policy:
ISAKMP policy priority: 10
Authentication type: pre-share
Encryption: aes 256
Hash algorithm: sha
Diffie-Hellman group for key exchange: 5
Lifetime: 70000
On Router3:
# crypto isakmp enable
# crypto isakmp policy 10
# authentication pre-share
# encryption aes 256
# hash sha
# group 5
# lifetime 70000
Next, we will configure the pre-shared key “cisco” for the peer
address 10.1.1.1.
# exit
# crypto isakmp key cisco address 10.1.1.1
Next, we will configure the IPsec transform set:
Tag: VPN-SET
ESP transform: esp-aes 256
Hash function: esp-sha-hmac
# crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
Next, we will define interesting traffic
ACL: VPN-ACL
Source Network : 172.16.30.0 0.0.0.255
Destination Network 192.168.10.0 0.0.0.255
# ip access-list extended VPN-ACL
# permit ip 172.16.30.0 0.0.0.255 192.168.10.0 0.0.0.255
Next, we will create a crypto map:
Crypto map name: VPN-MAP
Sequence number: 10
Type: ipsec-isakmp
ACL to match: VPN-ACL
Peer: 10.1.1.1
Transform set: VPN-SET
# crypto map VPN-MAP 10 ipsec-isakmp
# match address VPN-ACL
# set peer 10.1.1.1
# set transform-set VPN-SET
Next, we will apply the crypto map VPN-MAP to the interface S0/1/1.
# int s0/1/1
# crypto map VPN-MAP
Now, we will do the same on the ASA: we will configure the Site-to-Site
VPN between the ASA and Router3.
We will create an ISAKMP (IKEv1) policy:
ISAKMP policy priority: 10
Authentication type: pre-share
Encryption: aes-256
Hash algorithm: sha
Diffie-Hellman group for key exchange: 5
Lifetime: 70000
On the ASA:
# crypto ikev1 policy 10
# authentication pre-share
# encryption aes-256
# hash sha
# group 5
# lifetime 70000
# exit
# crypto ikev1 enable outside
# tunnel-group 10.2.2.2 type ipsec-l2l
Next, we will set the pre-shared key in the tunnel group's IPsec attributes.
# tunnel-group 10.2.2.2 ipsec-attributes
# ikev1 pre-shared-key cisco
# exit
Now, it is time to configure the transform-set
# crypto ipsec ikev1 transform-set VPN-SET esp-aes-256 esp-sha-hmac
Next, we will create the crypto map.
Set the peer (destination):
# crypto map VPN-MAP 10 set peer 10.2.2.2
Bind the transform set to the map:
# crypto map VPN-MAP 10 set ikev1 transform-set VPN-SET
Next, we will create two network objects to identify the internal network
and the remote network.
On the ASA:
# object network LOCAL-NET
# subnet 192.168.10.0 255.255.255.0
Next for the remote network
# exit
# conf t
# object network REMOTE-NET
# subnet 172.16.30.0 255.255.255.0
# exit
Next, we will set the access list:
# conf t
# access-list VPN-ACL extended permit ip object LOCAL-NET object REMOTE-NET
Time to match the ACL in the crypto map:
# crypto map VPN-MAP 10 match address VPN-ACL
Next, we will apply the crypto map to the outside interface:
# crypto map VPN-MAP interface outside
# exit
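A mismatch in the proxy identities (the crypto ACLs) or in the phase-1 parameters between the two peers is the usual reason a site-to-site tunnel never negotiates. Here is an added Python example, not part of the lab, that compares constructed snippets of the Router3 and ASA VPN configuration above and reports any mismatch; resolving the ASA object names to subnets and normalising IOS “aes 256” to the ASA's “aes-256” are my own assumptions about the two syntaxes.

```python
# Added example (not from the lab): check Router3 and the ASA hold mirror-image
# site-to-site VPN settings. Snippets are constructed from the walkthrough's commands.
import ipaddress, re

ROUTER3_CFG = """\
crypto isakmp policy 10
 encryption aes 256
 group 5
ip access-list extended VPN-ACL
 permit ip 172.16.30.0 0.0.0.255 192.168.10.0 0.0.0.255
"""

ASA_CFG = """\
crypto ikev1 policy 10
 encryption aes-256
 group 5
object network LOCAL-NET
 subnet 192.168.10.0 255.255.255.0
object network REMOTE-NET
 subnet 172.16.30.0 255.255.255.0
access-list VPN-ACL extended permit ip object LOCAL-NET object REMOTE-NET
"""

def phase1_params(cfg):
    # IOS writes 'aes 256' where the ASA writes 'aes-256'; normalise for comparison.
    p = dict(re.findall(r"^ (encryption|hash|group|lifetime) (.+)$", cfg, re.M))
    p["encryption"] = p["encryption"].replace(" ", "-")
    return p

def ios_crypto_acl(cfg):
    # ipaddress accepts the IOS wildcard (host) mask in place of a netmask.
    m = re.search(r"^ permit ip (\S+) (\S+) (\S+) (\S+)$", cfg, re.M)
    return ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_network(f"{m[3]}/{m[4]}")

def asa_crypto_acl(cfg):
    # Resolve 'object network' names to the subnets they define.
    objs = {n: ipaddress.ip_network(f"{net}/{mask}") for n, net, mask in
            re.findall(r"^object network (\S+)\n subnet (\S+) (\S+)$", cfg, re.M)}
    m = re.search(r"^access-list \S+ extended permit ip object (\S+) object (\S+)$", cfg, re.M)
    return objs[m[1]], objs[m[2]]

def vpn_mismatches(router_cfg, asa_cfg):
    """Return the differences that would stop the tunnel from negotiating."""
    r, a = phase1_params(router_cfg), phase1_params(asa_cfg)
    problems = [f"phase-1 {k}: router {r[k]} vs asa {a.get(k)}" for k in r if r[k] != a.get(k)]
    r_src, r_dst = ios_crypto_acl(router_cfg)
    a_src, a_dst = asa_crypto_acl(asa_cfg)
    if (r_src, r_dst) != (a_dst, a_src):  # proxy identities must be mirrored
        problems.append(f"crypto ACLs not mirrored: router {r_src}->{r_dst}, asa {a_src}->{a_dst}")
    return problems
```

With the two snippets as written the function returns an empty list; change the DH group or swap the source and destination networks on one side and it names the mismatch.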