
QUESTIONS LAB 1 WORKBOOK

Real Labs V1

www.cciesecuritylabs.com
CCIE voicelabs.com

CCIESECURITYLABS.COM

15-June-2013

Initial Guidelines

1. Read all of the questions in a section before you start the configuration. It is even recommended that you read the entire lab exam before you proceed with any configuration.
2. Exam questions have dependencies on others. Read through the entire workbook to help identify these questions and the best order of configuration. Sections do not have to be completed in the order presented in the workbook.
3. Most questions include verification output that can be used to check your solutions. Highlighted sections in the verification output displays MUST be matched to ensure correctness.
4. If you need clarification of the meaning of a question, or if you suspect that there may be hardware issues in your equipment, contact the onsite lab proctor as soon as possible.
5. The equipment on the rack assigned to you is physically cabled, so do NOT tamper with it. Before starting the exam, confirm that all devices in your rack are in working order. During the exam, if any device is locked or inaccessible for any reason, you must recover it. When you finish the exam, ensure that all devices are accessible to the grading proctor. A device that is not accessible for grading cannot be marked and may cause you to lose substantial points.
6. Knowledge of implementation and troubleshooting techniques is part of the lab exam.
7. Points are awarded only for working configurations. Towards the end of the exam, you should test the functionality of all sections of the exam.
8. You will be presented with preconfigured routers and switches in your topology. The routers and switches are preconfigured with basic IP addressing, hostname, enable password (cisco), switching, VTP, VLANs, Frame Relay DLCI mapping, IP routing and console port configuration. Do NOT change any of the preconfiguration at any time, unless the change is specified in a question.
9. Throughout the exam, assume these values for variables if required:
   - YY is your two-digit rack number. For example, the YY value for Rack 01 is 01 and for Rack 11 is 11.
   - SS is your Site ID for the lab exam location. Read the next page for your location.
   - BB is the backbone number. For example, the BB value for Backbone 2 is 2. Backbone subnets use the following address convention: 150.BB.YY.0/24. Do NOT change backbone addresses unless you are instructed to do so.
   - X is your router number. For example, the value of X for Router 1 is 1; for Switch 1 and Switch 2 it is 7 and 8 respectively.
   - Z is any number.
10. You are allowed to add static and default routes (if required) on any device.
11. In any configuration where additional addressing is indicated in the Lab Topology Diagram, ensure that the additional addressing does not conflict with a network that is already used in your topology. The preconfigured routing protocols are shown in the Lab Routing Diagram.
12. Full access to the VMware ESXi server from your workstation is provided. Use the username admin and the password cisco to log in. You can add, modify or delete any settings on the Cisco Secure ACS, Test-PC and Cisco ISEs as required in the question.
13. All device names, access information and username/password combinations are summarized on the following pages. Do NOT change these settings.


CCIE Security Lab Equipment and Software v4.0


Hardware

- Cisco 3800 Series Integrated Services Routers (ISR)
- Cisco 1800 Series Integrated Services Routers (ISR)
- Cisco 2900 Series Integrated Services Routers (ISR G2)
- Cisco Catalyst 3560-24TS Series Switches
- Cisco Catalyst 3750-X Series Switches
- Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
- Cisco IPS 4200 Series Intrusion Prevention System sensors
- Cisco S-Series Web Security Appliance
- Cisco ISE 3300 Series Identity Services Engine
- Cisco WLC 2500 Series Wireless LAN Controller
- Cisco Aironet 1200 Series Wireless Access Point
- Cisco IP Phone 7900 Series*
- Cisco Secure Access Control System

Notes: The ASA appliances can be configured using the CLI or ASDM/Cisco Prime tools.
*Device authentication only; provisioning of IP phones is NOT required.

Software Versions

- Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
- Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
- Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
- Cisco IPS Software Release 7.x
- Cisco VPN Client Software for Windows, Release 5.x
- Cisco Secure ACS System software version 5.3x
- Cisco WLC 2500 Series software 7.2x
- Cisco Aironet 1200 Series AP Cisco IOS Software Release 12.4J(x)
- Cisco WSA S-Series software version 7.1x
- Cisco ISE 3300 Series software version 1.1x
- Cisco NAC Posture Agent v4.X
- Cisco AnyConnect Client v3.0X

Summary of usernames and passwords for all devices

Device        Username   Password
Router        cisco      Cisco
Switches      cisco      Cisco
IPS           cisco      123cisco123
WSA           admin      Ironport
WLC           cisco      Cisco123
AP            ciscoAP    CCie123
ESXi Server   admin      Cisco
ISE           admin      Ise@123
ACS           admin      Acs@123
ASA           admin      Asa@123
Test-PC       Test-PC    Cisco123


Topology 1: Test PC and VMware ESXi server

Topology 2: Local Candidate PC


Topology 3: Switch Cabling


Topology 4: Layer 2


Pre-Configuration
On R1
conf t
hostname R1
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip cef
!
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
license udi pid cisco3825 sn FTX1236A0D9
!
archive
 log config
  hidekeys
username cisco privilege 15 password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
ip ssh version 1
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set cisco1
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface Loopback2
 ip address 192.168.11.11 255.255.255.255
!
interface Loopback3
 no ip address
 ipv6 address 3001:0:1:3::/64 eui-64
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.23.1 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 23
 ip nhrp holdtime 300
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 7.7.8.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001:128:BAD:8::1/64
 ipv6 enable
 ipv6 ospf 2 area 0
!
interface GigabitEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router eigrp 123
 network 10.0.0.0
 network 172.16.0.0
!
router ospf 2
 router-id 11.11.11.11
 network 7.7.8.0 0.0.0.255 area 1
 network 192.168.11.11 0.0.0.0 area 1
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.8.10
!
logging esm config
ipv6 router ospf 2
 redistribute connected
!
control-plane
!
mgcp profile default
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
exit
scheduler allocate 20000 1000
ntp server 7.7.4.1
!
end

On R2
en
conf t
hostname R2
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip cef
!
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
license udi pid cisco3825 sn FTX123A0DN
!
archive
 log config
  hidekeys
username cisco privilege 15 password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
ip ssh version 1
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set cisco1
!
interface Loopback0
 ip address 192.168.2.2 255.255.255.255
!
interface Loopback1
 ip address 192.168.22.22 255.255.255.255
!
interface Loopback2
 no ip address
!
interface Loopback3
 no ip address
 ipv6 address 3001:0:2:1::/64 eui-64
 ipv6 enable
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.23.2 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 24
 ip nhrp holdtime 300
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 7.7.8.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001:128:BAD:8::2/64
 ipv6 enable
 ipv6 ospf 2 area 0
!
interface GigabitEthernet0/1
 ip address 10.2.2.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router eigrp 123
 network 10.0.0.0
 network 172.16.0.0
!
router ospf 2
 router-id 11.11.11.11
 network 7.7.8.0 0.0.0.255 area 1
 network 192.168.22.22 0.0.0.0 area 1
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.8.10
!
logging esm config
ipv6 router ospf 2
 redistribute connected
!
control-plane
!
mgcp profile default
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
exit
scheduler allocate 20000 1000
ntp server 7.7.4.1
!
end

On R3
en
conf t
hostname R3
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
!
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki token default removal timeout 0
!
license udi pid cisco3825 sn FTX123A0DL
!
archive
 log config
  hidekeys
username cisco password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
ip ssh version 1
!
crypto keyring ipv6keys
 pre-shared-key address ipv6 ::/0 key cisco123
crypto keyring ipv4keys
 pre-shared-key address 7.7.7.10 key cisco123
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile ipv6
 match identity address ipv6 2001:DB8:23::1/64
crypto isakmp profile secure-management
 match identity address 7.7.7.10 255.255.255.255
!
crypto ipsec transform-set 3des ah-sha-hmac esp-3des
crypto ipsec transform-set management esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile profile0
 set transform-set 3des
 set isakmp-profile ipv6
!
crypto map secure-management 1 ipsec-isakmp
 set peer 7.7.7.10
 set transform-set management
 set isakmp-profile secure-management
 match address 120
!
interface Loopback0
 ip address 7.7.53.3 255.255.255.255
!
interface Loopback1
 ip address 192.168.33.33 255.255.255.255
!
interface Loopback3
 no ip address
 ipv6 address 2010::/64 eui-64
!
interface Tunnel0
 no ip address
 ipv6 address 2001:DB8::1:2/64
 ipv6 enable
 ipv6 eigrp 1
 tunnel source GigabitEthernet0/1.2
 tunnel protection ipsec profile profile0
!
interface GigabitEthernet0/0
 ip address 7.7.7.3 255.255.255.0
 ip ospf priority 10
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 19
 ip address dhcp
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 13
 ip address 7.7.13.3 255.255.255.0
 ip ospf priority 0
 ipv6 address 2001:DB8:23::2/64
 ipv6 enable
!
router eigrp 123
 network 192.168.33.33 0.0.0.0
!
router ospf 1
 router-id 3.3.3.3
 redistribute connected metric 1 subnets
 redistribute static
 redistribute eigrp 100 metric 1 subnets
 network 7.7.13.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.8.10
!
logging esm config
access-list 120 permit ip host 7.7.7.3 host 7.7.7.10
ipv6 router eigrp 1
 router-id 10.10.10.10
 redistribute connected
!
control-plane
!
mgcp profile default
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
exit
scheduler allocate 20000 1000
ntp server 7.7.4.1
!
end

On R4
en
conf t
hostname R4
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
!
ip domain list cisco.com
no ip domain lookup
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license udi pid cisco1841 sn FTX12362013
!
archive
 log config
  hidekeys
username cisco password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set 3des ah-sha-hmac esp-3des
!
crypto ipsec profile DMVPN
 set transform-set cisco1
!
crypto ipsec profile profile0
 set transform-set 3des
!
interface Loopback0
 ip address 192.168.44.44 255.255.255.255
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
!
interface Loopback2
 ip address 7.7.54.5 255.255.255.0
!
interface Loopback3
 no ip address
 ipv6 address 1010::/64 eui-64
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.23.4 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp nhs 172.16.23.1
 ip nhrp nhs 172.16.23.2
 tunnel source FastEthernet0/1.1
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0/0
 ip address 7.7.11.4 255.255.255.0
 duplex auto
 speed auto
 ipv6 address FE80:: link-local
 ipv6 address autoconfig
 ipv6 enable
!
interface FastEthernet0/1
 no ip address
 ip ospf priority 10
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 6
 ip address 7.7.6.4 255.255.255.0
 ip ospf priority 10
 ipv6 address dhcp rapid-commit
 ipv6 enable
!
interface FastEthernet0/1.2
 encapsulation dot1Q 13
 ip address 7.7.13.4 255.255.255.0
 ipv6 address 2001:DB8:23::3/64
 ipv6 enable
!
router eigrp 123
 network 172.16.0.0
 network 192.168.44.0
!
router ospf 1
 router-id 4.4.4.4
 network 7.7.6.0 0.0.0.255 area 0
 network 7.7.13.0 0.0.0.255 area 0
 network 7.7.54.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
logging esm config
ipv6 router eigrp 1
 router-id 40.40.40.40
 redistribute connected
!
control-plane
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
exit
scheduler allocate 20000 1000
!
end

On R5
en
conf t
hostname R5
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
!
ip domain list cisco.com
no ip domain lookup
ip domain name cisco.com
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license udi pid cisco1841 sn FTX1236W022
!
archive
 log config
  hidekeys
username cisco password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
!
crypto keyring ipv6keys
 pre-shared-key address ipv6 ::/0 key cisco123
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp profile ipv6
 keyring ipv6keys
 match identity address ipv6 2001:DB8:23::2/64
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set 3des ah-sha-hmac esp-3des
!
crypto ipsec profile DMVPN
 set transform-set cisco1
!
crypto ipsec profile profile0
 set transform-set 3des
!
interface Loopback0
 ip address 192.168.55.55 255.255.255.255
!
interface Loopback2
 ip address 7.7.52.5 255.255.255.255
!
interface Loopback3
 no ip address
 ipv6 address 1010::/64 eui-64
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.23.5 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp authentication cisco
 ip nhrp network-id 23
 ip nhrp nhs 172.16.23.1
 ip nhrp nhs 172.16.23.2
 delay 1000
 tunnel source FastEthernet0/1.1
 tunnel key 123
 tunnel protection ipsec profile DMVPN
!
interface Tunnel2
 no ip address
 ipv6 address 2001:DB8::1:1/64
 ipv6 enable
 ipv6 eigrp 1
 tunnel source FastEthernet0/1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profile0
!
interface FastEthernet0/0
 ip address 7.7.11.5 255.255.255.0
 duplex auto
 speed auto
 ipv6 address FE80:: link-local
 ipv6 address autoconfig
 ipv6 enable
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 encapsulation dot1Q 6
 ip address 7.7.6.5 255.255.255.0
 ip ospf priority 10
 ipv6 address dhcp rapid-commit
 ipv6 enable
!
interface FastEthernet0/1.2
 encapsulation dot1Q 13
 ip address 7.7.13.5 255.255.255.0
 ipv6 address 2001:DB8:23::1/64
 ipv6 enable
!
router eigrp 123
 network 172.16.0.0
 network 192.168.55.0
!
router ospf 1
 router-id 5.5.5.5
 network 7.7.6.0 0.0.0.255 area 0
 network 7.7.13.0 0.0.0.255 area 0
 network 7.7.52.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
logging esm config
ipv6 router eigrp 1
 router-id 50.50.50.50
 redistribute connected
!
control-plane
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
exit
scheduler allocate 20000 1000
!
end

On R6
en
conf t
hostname R6
!
boot-start-marker
boot-end-marker
!
no logging console
enable password cisco
!
aaa new-model
!
aaa authentication login lkey1-list local
aaa authorization network lkey1-list local
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
ipv6 unicast-routing
ipv6 cef
no ip source-route
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
ip dhcp excluded-address 7.7.19.1 7.7.19.5
!
ip dhcp pool pool19
 network 7.7.19.0 255.255.255.0
 lease infinite
!
no ip domain lookup
ip cef
!
multilink bundle-name authenticated
!
voice-card 0
!
license udi pid cisco2951/k9 sn FTX1625AJRS
hw-module ism 0
!
hw-module sm 1
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
ip tcp synwait-time 5
ip ssh version 1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
!
crypto ipsec profile ikey1
 set transform-set cisco1
!
interface Loopback0
 ip address 192.168.6.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 7.7.5.3 255.255.255.0
 ip ospf priority 10
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 6
 ip address 7.7.6.3 255.255.255.0
 ipv6 address dhcp rapid-commit
 ipv6 enable
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 19
 ip address 7.7.19.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 7.7.20.3 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 no ip address
 shutdown
!
interface GigabitEthernet1/1
 description Internal switch interface connected to EtherSwitch Service Module
 no ip address
!
router ospf 1
 router-id 1.1.1.1
 redistribute static metric 1 subnets route-map exclude-nets
 network 7.7.5.0 0.0.0.255 area 0
 network 7.7.6.0 0.0.0.255 area 0
 default-information originate always
!
ip local pool pool2 13.1.1.1 13.1.1.10
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.5.10
ip route 7.7.9.0 255.255.255.0 7.7.20.1
ip route 7.7.10.0 255.255.255.0 7.7.20.1
!
access-list 10 deny 7.7.9.0
access-list 10 deny 7.7.10.0
access-list 20 permit 13.0.0.0
!
nls resp-timeout 1
cpd cr-id 1
route-map exclude-nets permit 10
 match ip address 10
route-map exclude-nets permit 20
 match ip address 20
!
control-plane
!
call admission limit 75000
!
mgcp profile default
!
gatekeeper
 shutdown
!
telephony-service
 max-ephones 10
 max-dn 144
 ip source-address 7.7.20.3 port 2000
 cnf-file perphone
 load 7960-7940 P0030702T023
 load 7965 P0030702T023
 max-conferences 8 gain -6
 transfer-system full-consult
 create cnf-files version-stamp Jan 01 2002 00:00:00
!
ephone-dn-template 1
 call-forward busy 4000
 call-forward noan 4000 timeout 20
 hold-alert 30 originator
!
ephone-dn 7
 number 007
 name CCIE-Security-Lab
 ephone-dn-template 1
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
 flowcontrol software
line 193
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/2
ntp master 2
!
end


On SW1
en
conf t
hostname SW1
!
no logging console
enable password cisco
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
 switchport access vlan 150
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 150
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 150
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 150
 switchport mode access
!
interface FastEthernet0/7
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/13
 shutdown
!
interface range FastEthernet0/17 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 7.7.2.1 255.255.255.0
!
interface Vlan4
 ip address 7.7.4.1 255.255.255.0
!
interface Vlan150
 ip address 150.1.7.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 150.1.7.254
ip route 7.7.0.0 255.255.0.0 7.7.4.10
no ip http server
no ip http secure-server
!
ntp clock-period 36028811
ntp server 150.1.7.254
!
end

On SW2
en
conf t
hostname SW2
!
no logging console
enable password cisco
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain lookup
!
crypto pki trustpoint TP-self-signed-87258368
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-87258368
 revocation-check none
 rsakeypair TP-self-signed-87258368
!
exit
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/8
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/9
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/13
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/14
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/15
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/17
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
end

On SW3
en
conf t
hostname SW3
!
no logging console
enable password cisco
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain lookup
!
ipv6 unicast-routing
ipv6 dhcp pool dhcp-pool
 dns-server 2001:DB8:A:B::1
 dns-server 2001:DB8:3000:3000::42
 domain-name cisco.com
!
crypto pki trustpoint TP-self-signed-87257344
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-87257344
 revocation-check none
 rsakeypair TP-self-signed-87257344
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
 switchport access vlan 77
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 11
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 11
 switchport mode access
!
interface range FastEthernet0/17 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 7.7.11.1 255.255.255.0
 ipv6 address 2001:DB8:1234:42::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server dhcp-pool
!
ipv6 router ospf 1
 log-adjacency-changes
!
end

On SW4
en
conf t
hostname SW4
!
no logging console
enable password cisco
!
no aaa new-model
system mtu routing 1500
ip routing
no ip domain lookup
!
crypto pki trustpoint TP-self-signed-87258368
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-87258368
 revocation-check none
 rsakeypair TP-self-signed-87258368
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/9
!
interface FastEthernet0/11
 switchport access vlan 33
 switchport mode access
!
interface FastEthernet0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface range FastEthernet0/17 - 24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
end

On SW5
en
conf t
hostname SW5
!
no logging console
enable password cisco
!
no aaa new-model
switch 1 provision ws-c3750x-12s
system mtu routing 1500
ip routing
!
no ip domain lookup
ipv6 unicast-routing
!
crypto pki trustpoint TP-self-signed-1457097984
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1457097984
 revocation-check none
 rsakeypair TP-self-signed-1457097984
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
interface Loopback1
 no ip address
 ipv6 address 3001:0:5:1::/64 eui-64
 ipv6 ospf 1 area 0
!
interface Loopback2
 no ip address
 ipv6 address 3001:0:5:2::/64 eui-64
 ipv6 ospf 1 area 0
!
interface FastEthernet0/0
 no ip address
 no ip route-cache
 shutdown
!
interface GigabitEthernet1/0/3
 switchport access vlan 3
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/5
 no switchport
 ip address 7.7.20.1 255.255.255.0
!
interface GigabitEthernet1/0/8
 no switchport
 ip address 7.7.10.2 255.255.255.0
 ipv6 address 2001:128:ABC:10::2/64
!
interface GigabitEthernet1/0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/12
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan3
 ip address 7.7.3.2 255.255.255.0
 no ip redirects
!
ip route 0.0.0.0 0.0.0.0 7.7.3.12
ip route 7.7.0.0 255.255.0.0 7.7.3.10
ip route 7.7.2.0 255.255.255.0 7.7.3.8
ip route 7.7.4.0 255.255.255.0 7.7.3.12
ip route 7.7.9.0 255.255.255.0 7.7.10.1
ip route 7.7.99.0 255.255.255.0 7.7.10.1
ip route 200.200.9.0 255.255.255.0 7.7.3.10
!
logging esm config
ipv6 router ospf 1
 router-id 35.35.35.35
 redistribute connected
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 5 15
 exec-timeout 0 0
 password cisco
 login
 transport input telnet
!
ntp server 7.7.20.3
!
end

On SW6
en
conf t
hostname SW6
!
no logging console
enable password cisco
!
username ciscoAP password 0 CCie123
username cisco password 0 cisco
aaa new-model
!
aaa session-id common
switch 1 provision ws-c3750x-12s
system mtu routing 1500
ip routing
!
ip dhcp excluded-address 7.7.7.1 7.7.7.15
ip dhcp excluded-address 7.7.9.1 7.7.9.5
ip dhcp excluded-address 7.7.99.1 7.7.99.5
ip dhcp excluded-address 10.10.110.1 10.10.110.5
ip dhcp excluded-address 10.10.120.1 10.10.120.5
!
ip dhcp pool pool7
 network 7.7.7.0 255.255.255.0
 default-router 7.7.7.2
 option 43 ip 7.7.7.11
 lease infinite
!
ip dhcp pool voice
 network 7.7.9.0 255.255.255.0
 option 150 ip 7.7.20.1
 default-router 7.7.9.2
!
ip dhcp pool data
 network 7.7.99.0 255.255.255.0
 default-router 7.7.99.1
 dns-server 150.1.7.10
!
ip domain-name cisco.com
ipv6 unicast-routing
!
crypto pki trustpoint TP-self-signed-1459336320
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1459336320
 revocation-check none
 rsakeypair TP-self-signed-1459336320
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
ip tcp synwait-time 5
!
interface Loopback0
 ip address 192.168.66.66 255.255.255.0
!
interface Loopback1
 no ip address
 ipv6 address 1001:0:6:1::/64 eui-64
 ipv6 ospf 1 area 0
!
interface Loopback2
 no ip address
 ipv6 address 3001:0:6:2::/64 eui-64
 ipv6 ospf 1 area 0
!
interface FastEthernet0/0
 no ip address
 no ip route-cache
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
 description WLC
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet1/0/6
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet1/0/7
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet1/0/8
 no switchport
 ip address 7.7.10.1 255.255.255.0
 ipv6 address 2001:128:ABC:10::1/64
 ipv6 ospf 1 area 0
!
interface GigabitEthernet1/0/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6,8-4094
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan7
 ip address 7.7.7.2 255.255.255.0
 ipv6 enable
!
interface Vlan9
 ip address 7.7.9.2 255.255.255.0
!
interface Vlan99
 ip address 7.7.99.1 255.255.255.0
!
ip classless
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 7.7.7.1
ip route 7.7.20.0 255.255.255.0 7.7.10.2
!
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE/TFTP
 permit udp any any eq tftp
 deny ip any any log
!
ip radius source-interface Vlan7
logging esm config
ipv6 router ospf 1
 router-id 36.36.36.36
 redistribute connected
 exit
!
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 150.1.7.20 auth-port 1812 acct-port 1813 key cisco
radius-server vsa send accounting
radius-server vsa send authentication
!
ntp server 7.7.20.3
!
Section I. Perimeter security


1.1 Configure routing and Basic Access on ASA1 (6 Points)

This question has three tasks. Complete each task to provide basic connectivity and routing capabilities on ASA1.

1) ASA1 should be in single-context routed mode and configured using the information in the table below:

Interface   Nameif    Switch Vlans   Sec Level   IP Address
Gi 0/0      Outside   5              0           7.7.5.10/24
Gi 0/2      Inside    3              100         7.7.3.10/24
Gi 0/3      Dmz       8              50          7.7.8.10/24

Use exact names and numbers as shown in the table.

2) Add static routes as follows:

Interface   Network                     Next Hop
Inside      Configure a Default Route   7.7.3.2

3) Configure a secured OSPF process 1:
- Router-id should be 8.8.8.8
- Assign network 7.7.5.0 to area 0
- Assign network 7.7.8.0 to area 1
- Ensure that networks 192.168.11.11 and 192.168.22.22 (loopbacks on R1 and R2) are added to the routing table on ASA1 but are not propagated into area 0.

Verify by checking the routing table on R6. Verify your solution by successfully pinging the inside 150.1.7.0 network from all major 7.7.0.0 subnets, as well as pinging from outside subnets to DMZ subnets. For example:
R6#ping 7.7.8.1
R6#ping 150.1.7.20
R6#ping 7.7.3.2

Note:
1) The key is already configured on R1 and R2
2) Check the VLAN assignment


1.2 Configure stateful failover between ASA1 and ASA2

(4 points)

- Configure LAN-based active/standby failover on ASA1 and ASA2
- Use GigabitEthernet 0/1 in VLAN 100 on SW2 for the failover LAN interface and name it fover.
- Use IP address 7.7.100.100/24 for active and 7.7.100.101/24 for standby
- Enable stateful failover using failover interface GigabitEthernet 0/1
- Use all other parameters accordingly to achieve this task
Your output must match all parameters highlighted below:
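The pair of configurations the bullets above describe, as an added example rather than the workbook's solution. It assumes ASA1 is the primary unit, that a single Gi0/1 carries both the LAN failover link and the stateful replication link (so the state link reuses the fover interface), and that the failover key value is a placeholder; the standby address on Gi0/2 is assumed, not given by the task:

```cisco
! ASA1 (primary). Gi0/1 is the failover link: it gets no nameif or
! security-level, only the failover-specific IP pair.
interface GigabitEthernet0/1
 no shutdown
!
failover lan unit primary
failover lan interface fover GigabitEthernet0/1
! Stateful replication rides the same interface as the failover link
failover link fover GigabitEthernet0/1
failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
! Key authenticates and encrypts failover/state messages (placeholder value)
failover key PLACEHOLDER-KEY
failover
!
! Each data interface needs a standby address so the secondary answers
! on that segment after a switchover (7.7.3.11 is an assumed value)
interface GigabitEthernet0/2
 ip address 7.7.3.10 255.255.255.0 standby 7.7.3.11
!
! ASA2 (secondary). Same failover block apart from the unit role; once
! "failover" is enabled it synchronises the rest of its config from ASA1.
interface GigabitEthernet0/1
 no shutdown
failover lan unit secondary
failover lan interface fover GigabitEthernet0/1
failover link fover GigabitEthernet0/1
failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
failover key PLACEHOLDER-KEY
failover
```

show failover on either unit should report "Failover On", the unit role, "Stateful Failover Logical Update Statistics" with the link named fover, and the peer in Standby Ready state. Both SW2 ports carrying Gi0/1 must be access ports in VLAN 100 for the failover hellos to reach each other.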

1.3 Configure ASA3 in Multi-Context Firewall Mode

Part A: Initialize ASA3

(4 points)

ASA3 must be configured as a multi-context firewall. ASA3 requires a shared outside interface. Use the following outputs to complete the initial configuration.

Context details:

Name    Config URL
C1      C1.cfg
C2      C2.cfg
Admin   Admin.cfg

(NOTE: The above files are already in flash and need to be deleted before configuring.) The config-url file should be saved on disk:0. You can permit ICMP traffic from any to any on both contexts. You can modify the Catalyst switch configuration to complete this task. When the task is completed, ensure that you are able to ping all major subnets within your network, including ISE1 at 150.1.7.20. Use exact names and numbers as shown in the table.

Context c1 initialization details:

Interface   Type         Nameif    Switch Vlans   Sec Level   IP Address
Gi 0/1      Not Shared   Inside    2              100         7.7.2.10/24
Gi 0/0      Shared       Outside   33             0           7.7.3.8/24

Context c1 routing configuration details:

Interface   Network     Next Hop
Outside     0.0.0.0/0   7.7.3.2

Context c2 initialization details:

Interface   Type     Nameif    Switch Vlans   Sec Level   IP Address
Gi 0/2      Shared   Inside    4              100         7.7.4.10/24
Gi 0/0      Shared   Outside   33             0           7.7.3.12/24

Context c2 routing configuration details:

Interface   Network      Next Hop
Inside      0.0.0.0/0    7.7.4.1
Outside     7.7.0.0/16   7.7.3.2

Context admin initialization details:

Interface   Type     Nameif       Switch Vlans   Sec Level   IP Address
Gi 0/2      Shared   Management   4              100         7.7.4.200/24

Context admin routing configuration details:

Interface    Network     Next Hop
Management   0.0.0.0/0   7.7.4.1

Part B: Configure IP Services on ASA3

(4 points)

Telnet access: Telnet must be allowed from the VLAN4 IP 7.7.4.1 on SW1 to the admin context of ASA3. To verify your solution:
SW1# telnet 7.7.4.200 /source-interface vlan4

Object NAT and Port-to-Application Mapping: Use object NAT to translate the VLAN4 IP address 7.7.4.1 on SW1 to a global address of 7.7.3.3. Devices on the outside of ASA3 must be able to Telnet to the global address using the non-standard port 2300. To verify your solution:
R6# telnet 7.7.3.3 2300
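A worked configuration covering both Part A (system space plus the three contexts from the tables) and Part B (telnet to the admin context, object NAT with port mapping in c2), added here as an example and not the workbook's own solution. It assumes an ASA release with object NAT (8.3 or later), that auto MAC generation is used to classify frames on the shared interfaces, and that the admin-context login password is a placeholder:

```cisco
! --- System execution space on ASA3 (Part A) ---
mode multiple
! Gi0/0 is shared by c1/c2 and Gi0/2 by c2/admin: with a unique MAC per
! context the ASA can classify inbound frames on a shared interface
mac-address auto
! The task notes the .cfg files already exist in flash; remove them so
! stale configurations are not loaded when the contexts are created
delete /noconfirm disk0:/Admin.cfg
delete /noconfirm disk0:/C1.cfg
delete /noconfirm disk0:/C2.cfg
admin-context admin
context admin
 allocate-interface GigabitEthernet0/2
 config-url disk0:/Admin.cfg
context c1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/C1.cfg
context c2
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2
 config-url disk0:/C2.cfg
!
! --- changeto context c1 ---
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 7.7.2.10 255.255.255.0
 no shutdown
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 7.7.3.8 255.255.255.0
 no shutdown
route Outside 0.0.0.0 0.0.0.0 7.7.3.2
! Task allows ICMP any-to-any on both contexts
access-list OUTSIDE-IN extended permit icmp any any
access-group OUTSIDE-IN in interface Outside
!
! --- changeto context c2 ---
interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 7.7.4.10 255.255.255.0
 no shutdown
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 7.7.3.12 255.255.255.0
 no shutdown
route Inside 0.0.0.0 0.0.0.0 7.7.4.1
route Outside 7.7.0.0 255.255.0.0 7.7.3.2
! Part B: SW1's VLAN4 address appears as 7.7.3.3, and TCP/2300 on the
! mapped address reaches TCP/23 on the real host
object network SW1-VLAN4
 host 7.7.4.1
 nat (Inside,Outside) static 7.7.3.3 service tcp telnet 2300
! Post-8.3 ACLs match the real (untranslated) address and real port
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit tcp any host 7.7.4.1 eq telnet
access-group OUTSIDE-IN in interface Outside
!
! --- changeto context admin ---
interface GigabitEthernet0/2
 nameif Management
 security-level 100
 ip address 7.7.4.200 255.255.255.0
 no shutdown
route Management 0.0.0.0 0.0.0.0 7.7.4.1
! Part B: telnet only from SW1's VLAN4 address (password is a placeholder)
passwd PLACEHOLDER-PASSWORD
telnet 7.7.4.1 255.255.255.255 Management
```

show nat detail in c2 should show the static entry with translate_hits climbing when R6 connects to 7.7.3.3 on port 2300, and show xlate should list the 7.7.4.1/23 to 7.7.3.3/2300 mapping. Because only 7.7.4.1 is permitted in the admin context's telnet statement, a telnet attempt from any other VLAN4 host is refused before authentication.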

1.4 Configure ASA4 in transparent mode with NAT support

(6 points)

Configure ASA4 as a transparent firewall to be deployed between R3 and SW6 by completing the three tasks outlined below

1. ASA4 will be assigned the IP address 7.7.7.10/24 and use the following interfaces:

Interface   Type       Nameif    Switch Vlans   Sec Level
Gi 0/3      Physical   Inside    7              100
Gi 0/0      Physical   Outside   77             0

Note: Do not configure management interface 0/0.

2. Add static routes on ASA4 to match the following output:
ASA# show route
0.0.0.0/0 via 7.7.7.3
7.7.9.0/24 via 7.7.7.2
Verify your solution by pinging from ASA4 as follows:
ASA4# ping inside 7.7.7.2
ASA4# ping outside 7.7.7.3

3. Configure NAT on the Cisco ASA4 firewall using the following information:
- NAT control is required
- Configure a rule where any traffic sourced from 7.7.9.0/24 and destined to 7.7.0.0/16 is mapped to a global address from 200.200.9.0/24. This NAT rule must allow bidirectional connection initiation.
- Ensure that traffic sourced from the 7.7.7.0/24 network and destined to 7.7.0.0/16 or 150.1.0.0/16 is not translated but is still able to transit ASA4.
Verify your solution by initiating a ping from SW6 to R3 using VLAN9 as the source interface. Enabling debug ip icmp on R3 should show that the translation has occurred:
R3# ICMP: echo reply sent, src 7.7.7.3, dst 200.200.9.2
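The three tasks of 1.4 in one configuration, added as an example (not the workbook's answer). Because the task requires NAT control, the block assumes the pre-8.3 NAT syntax (nat-control, static with an access-list, nat 0 exemption) and a release where the transparent-mode management address is set globally; the ACL and object names are my own:

```cisco
! ASA4 in transparent mode: both interfaces bridge VLAN 7 (R3 side, 77)
! to VLAN 7 (SW6 side) and share one management address
firewall transparent
interface GigabitEthernet0/3
 nameif Inside
 security-level 100
 no shutdown
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 no shutdown
ip address 7.7.7.10 255.255.255.0
!
! Task 2: a transparent ASA still needs routes when it performs NAT and
! for traffic it sources itself (the ping verification)
route Outside 0.0.0.0 0.0.0.0 7.7.7.3
route Inside 7.7.9.0 255.255.255.0 7.7.7.2
!
! Task 3
nat-control
! Policy static NAT: 7.7.9.0/24 -> 200.200.9.0/24 only when the
! destination is 7.7.0.0/16. Static NAT is bidirectional, so outside
! hosts may also initiate to the 200.200.9.x address.
access-list VOICE-TO-7 extended permit ip 7.7.9.0 255.255.255.0 7.7.0.0 255.255.0.0
static (Inside,Outside) 200.200.9.0 access-list VOICE-TO-7
! NAT exemption: with nat-control on, inside-to-outside traffic that has
! no translation is dropped, so 7.7.7.0/24 must be explicitly exempted
access-list NONAT extended permit ip 7.7.7.0 255.255.255.0 7.7.0.0 255.255.0.0
access-list NONAT extended permit ip 7.7.7.0 255.255.255.0 150.1.0.0 255.255.0.0
nat (Inside) 0 access-list NONAT
!
! R3's echo reply arrives on Outside, which denies traffic by default
access-list OUTSIDE-IN extended permit icmp any any
access-group OUTSIDE-IN in interface Outside
```

After the SW6 ping sourced from VLAN9, show xlate on ASA4 lists 7.7.9.2 mapped to 200.200.9.2 (the same last octet, since a static subnet mapping is one-to-one), and show nat reports hits on the exemption rule for the untranslated 7.7.7.0/24 flows.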

SECTION II. IPS and Context security


2.1 Initialize the Cisco IPS Sensor Appliance (4 points)

Initialize the Cisco IPS Sensor appliance as follows:

Parameters          Settings
Hostname            IPS
Management          Configure the command and control Management0/0 interface in VLAN 4
Sensor IP Address   7.7.4.100/24
Default Gateway     7.7.4.1
Sensor ACL          7.7.0.0/16, 150.100.7.0/24, 151.ss.1.0/24, 150.1.7.0/24
Telnet              Enable telnet Management
Auto IP Logging     Enable IP logging on sig0, log 200 pkts, log time 30 secs, log bytes 5024

Verify the Cisco IPS sensor configuration using the following: The username and password for the Cisco IPS console are cisco and 123cisco123. DO NOT CHANGE THEM. Use the console to initialize the Cisco IPS sensor appliance using the details in the table above. Ensure that the Management0/0 interface is up and functioning (refer to the Lab Topology diagram).

You can modify the Cisco Catalyst switch configuration if required. Ensure that the Cisco IPS sensor is able to ping the default gateway and the Test-PC:
IPS# ping 7.7.4.1
IPS# ping 150.1.7.100
Ensure that the following ping and telnet connection are successful from SW1:
SW1# ping 7.7.4.100
SW1# telnet 7.7.4.100

2.2 Deploy the Cisco IPS Sensor Using an In-line VLAN Pair

(4 points)

Configure the Cisco IPS appliance inline VLAN pair using these guidelines. Configure the Cisco IPS sensor appliance for the inline VLAN pair as shown in the Lab Topology diagram as follows:

Parameters         Settings
Interface          Gig 0/0
Inline VLAN Pair   VLAN 3 & VLAN 33

You are allowed to modify the switch parameters as appropriate to achieve this task. Refer to the lab diagram for the required information. You may access the IPS management GUI (IME) either from your Test-PC or your local Candidate PC to help with the task. The IME password is Cisc0123. You are allowed to adjust any firewall and/or routing configuration to ensure that this works. Ensure that the sensor is passing traffic successfully. For testing, ensure that this ping from SW6 is passing through the sensor with the packets being displayed on the sensor console:
IPS# packet display gigabitethernet0/0
R6#ping 7.7.4.1

2.3 Implement custom signatures on the Cisco IPS sensor

(4 points)

A custom signature 61000 is required on the Cisco IPS sensor as follows:
- Trigger: Users are allowed to telnet to SW1 via the translated address (see Q1.3); however, they must not be allowed to launch another telnet from SW1 to any device on the 150.1.0.0/16 network.
- Action: reset-tcp-connection when a telnet session is attempted from within an existing session to SW1
- Alert-severity: high
- Signature-definition: 0

Note: There is a dependency on the NAT object and Port-to-Application Mapping configuration from Q1.3. You can use any signature engine to complete this task that satisfies the question requirements. Verify your solution by connecting to SW1 from another device in the topology using the translated address specified in Q1.3 and thereafter launching a Telnet from SW1 to your Test-PC (150.1.7.100) as follows:
SW1>enable
SW1#telnet 150.1.7.

2.4 Initialize the Cisco WSA and Enable WCCP Support

(6 points)

The Cisco WSA has been initialized with the IP address 7.7.4.150 and is connected via SW1 in VLAN4. Using the Test-PC or Candidate PC, connect to the WSA and configure it as follows.
Connection Information: http://7.7.4.150:8080/ Username=admin Password=ironport
Initialize the Cisco WSA appliance as follows using the system setup wizard:

Security services:

Parameters                  Settings
Web Proxy                   Enabled
Web Proxy Mode              Transparent
IP Spoofing                 Not Enabled
HTTP/S Proxy                Enabled
Native FTP Proxy            Enabled
L4 Traffic Monitor          Enabled
L4 Traffic Monitor Action   Enabled
Acceptable User Controls    Enabled
Web Reputation Filters      Enabled
Ironport DVS Engine         Webroot: Enabled, McAfee: Enabled

Parameters              Settings
Hostname                Wsa.cisco.com
Interface               M1 to be used for Management
IP Address              7.7.4.150/24
Default Gateway         7.7.4.1
System Information      Admin:ironport, foobar@cisco.com, time:US/America/LA
NTP Server              7.7.4.1
DNS                     150.1.7.10
L4 Traffic Monitoring   Duplex: T1 (in/out)

Accept all other defaults. From ASA3/c2, verify that you can ping the M1 interface of the WSA:
ASA3/c2(config)# ping 7.7.4.150

Configure WCCP redirect from the inside interface of ASA3/c2 to the WSA using:
- Redirect-list: for all HTTP and HTTPS traffic
- Group-list to limit redirections to the WSA only
- Service-group must be in the appropriate range

Note: You can use any names for your redirect-list and group-list. Be sure to use a service-group; do NOT use the default web-cache. This question is dependent on the completion of Q1.3. You may have to reboot the WSA after configuring WCCP if the ASA reports the following event in the logs:
WCCP-EVNT: D90: Here_I_Am packet from 7.7.4.150 ignored: bad web-cache id.
Use the following to verify your solution from the Test-PC, and then check HTTP requests on R3 for the address of the WSA:
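The ASA side of the WCCP redirect, added as an example and not the workbook's own configuration. It assumes dynamic service group 90 (consistent with the "D90" in the event quoted above, but any non-reserved dynamic ID satisfies the task), that the WSA must also be configured with the same service ID and ASA3/c2's inside address as its WCCP router, and that the list names are my own:

```cisco
! ASA3, context c2 (changeto context c2)
!
! Redirect list: the WSA's own upstream fetches must not be redirected
! back to it (a loop), so the deny comes before the permits
access-list WCCP-REDIRECT extended deny tcp host 7.7.4.150 any
access-list WCCP-REDIRECT extended permit tcp any any eq www
access-list WCCP-REDIRECT extended permit tcp any any eq https
!
! Group list: only 7.7.4.150 may register as a cache for this service,
! so a rogue host cannot join the group and receive redirected traffic
access-list WCCP-WSA extended permit ip host 7.7.4.150 any
!
! Dynamic service 90 (not the well-known web-cache service 0) tied to
! both lists; redirection happens on packets entering Inside
wccp 90 redirect-list WCCP-REDIRECT group-list WCCP-WSA
wccp interface Inside 90 redirect in
```

show wccp 90 detail on the context reports the WSA as a member once it sends a Here_I_Am that the ASA accepts; the "bad web-cache id" event in the note above is what appears while the two sides still disagree on the service definition, which is why the WSA may need a restart after the ASA side changes. Clients and the WSA must both be reachable through Inside, since the ASA only redirects to a cache on the same interface where redirection is applied.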

2.5 Add a custom URL Access Policy to the WSA

(3 points)

Add a custom URL category called Restricted Site which will block the site 7.7.7.2. Add the custom URL filter to the Global access policy and ensure that the action taken will be to block the connection. Use the following to verify your solution from the Test-PC:

SECTION III. Secure Access


3.1 Troubleshooting IPsec Management of ASA4 (4 points)

Complete the configuration of an IPsec-secured management tunnel between R3 and ASA4. R3 has been partially configured and will indicate the IKE and IPsec policy parameters to use. Ensure that you are able to launch the IPsec-protected Telnet session from R3 to ASA4. There are faults on R3 that must be corrected to complete this question. Do not use wildcard (0.0.0.0) pre-shared keys. You can use any names for policies that have not been preconfigured. Verify your solution as follows:

3.2 Troubleshooting IPsec Static VTI with IPv6

(5 points)

An IPsec static virtual tunnel interface is required between R3 and R5. This interface supports IPv6 traffic, and EIGRPv6 routes (the networks from Loopback3) must be exchanged securely for AS1 via the tunnel. Complete and troubleshoot the configuration. Verify your solution as follows:

Ensure that the interface Loopback3 subnets on either router are being advertised via EIGRPv6.
R3# show ipv6 route
EX 1010::/64 [170/27008000]
   via FE80::21E:BEFF:FE80:B5C, Tunnel0
R5# show ipv6 route
EX 2010::/64 [170/27008000]
   via FE80::21E:4AFF:FE2F:CA50, Tunnel2

3.3 Troubleshooting DMVPN Phase 3 with Dual hubs

(6 points)

In this question, R1 and R2 are dual DMVPN hubs with R4 and R5 as the spokes that peer with both hubs for redundancy. The hubs are pre-configured. Complete the configuration of the spokes and troubleshoot the solution using the following information:
- 172.16.23.1/2: IP addresses of the dual hubs
- 172.16.23.4/5: IP addresses of the dual spokes
- Each spoke must peer with both hubs, and direct spoke-to-spoke communication should occur using NHRP shortcut capabilities
- EIGRP routing AS 123 is preconfigured and must be advertising the Lo0 of R4 & R5 and network 10.2.2.0/24 of R1 and R2
Verify your solution as follows:
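A phase 3 spoke configuration for R4 matching the bullets above, added as an example rather than the workbook's solution (R5 differs only in its tunnel address 172.16.23.5 and its Loopback0 network). The hubs' NBMA (physical) addresses, R4's WAN interface, the tunnel key, the NHRP authentication string and the ISAKMP key are not given in the task; every one of them is a labelled placeholder here and must match what is preconfigured on R1 and R2:

```cisco
! R4 (spoke). Placeholders: HUB1-NBMA-IP, HUB2-NBMA-IP, GigabitEthernet0/0
! (WAN interface), PLACEHOLDER-KEY, PLACEHOLDER-AUTH, tunnel key 123.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! One key per hub address: a 0.0.0.0 wildcard key would accept any peer
crypto isakmp key PLACEHOLDER-KEY address HUB1-NBMA-IP
crypto isakmp key PLACEHOLDER-KEY address HUB2-NBMA-IP
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 172.16.23.4 255.255.255.0
 no ip redirects
 ip nhrp authentication PLACEHOLDER-AUTH
 ip nhrp network-id 123
 ! Static map, multicast map and NHS entry for each hub, so EIGRP hellos
 ! reach both and the spoke stays registered if one hub fails
 ip nhrp map 172.16.23.1 HUB1-NBMA-IP
 ip nhrp map multicast HUB1-NBMA-IP
 ip nhrp nhs 172.16.23.1
 ip nhrp map 172.16.23.2 HUB2-NBMA-IP
 ip nhrp map multicast HUB2-NBMA-IP
 ip nhrp nhs 172.16.23.2
 ! Phase 3: act on NHRP redirects from the hubs and install shortcut
 ! routes so spoke-to-spoke traffic no longer transits a hub
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile DMVPN-PROF
!
! EIGRP AS 123 is preconfigured per the task; the tunnel subnet and
! Loopback0 must both be covered by its network statements
router eigrp 123
 network 172.16.23.0 0.0.0.255
```

After the first R4-to-R5 packet, show ip nhrp on R4 should show a dynamic entry for 172.16.23.5 flagged as a shortcut (router, nhop, rib) and show ip route should carry the R5 loopback via a next hop of 172.16.23.5 rather than a hub. If the hubs were preconfigured with ip nhrp redirect only, a missing ip nhrp shortcut on the spoke is the usual reason traffic keeps flowing hub-and-spoke.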

3.4 Configure Security Features on the Cisco WLC

(4 points)

The WLC manages the configuration and control of the Cisco AP 1242 (There is no need to change any settings on the AP itself)

To complete this question you can use the CLI on the WLC, or the web GUI via http://7.7.7.11/ (Username=cisco, Password=Cisco123).
1. Configure 802.1x support on the WLC. This information is pushed to the AP in the rack and will facilitate 802.1x authentication.
2. To protect the network from rogue APs associating with the WLC, configure the WLC with the following Rogue Rule:
- Rule Name: Rogue
- Type: Malicious
- SSID: Rogue
- Must be heard at an RSSI value of -60 or stronger
- Classify only if the rogue is not using encryption

SECTION IV. System Hardening and Availability


4.1 Troubleshoot Secure Routing Using OSPFv3 in Cisco IOS (4 points)

OSPFv3 has been partially pre-configured between R1 & R2 using the command ipv6 router ospf 2. Complete the configuration and troubleshooting as required to meet the following requirements:
1. Configure AH MD5 authentication for area 0 to protect routing information. You can define your own keys.
2. Ensure that the IPv6 addresses from interface Loopback3 on R1 and R2 are being advertised using OSPFv3 via Gig 0/0 on R1 and R2.
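The two requirements expressed in IOS, added as an example and not the workbook's answer. It assumes area 0 on both Gig 0/0 and Loopback3 and uses SPI 256 with a constructed 32-hex-digit MD5 key; the same SPI and key must be entered on R2, and any router-id already preconfigured is left untouched:

```cisco
! R1 (R2 takes the identical area authentication line)
ipv6 router ospf 2
 ! AH with MD5 for the whole area: every OSPFv3 packet in area 0 carries
 ! an AH header, and an unauthenticated neighbour never forms adjacency.
 ! SPI 256 and the key (32 hex digits, constructed example) must match
 ! on both routers; "0" marks the key as entered in clear text.
 area 0 authentication ipsec spi 256 md5 0 0123456789ABCDEF0123456789ABCDEF
!
! Requirement 2: Loopback3 joins the same process/area so its prefix is
! advertised over Gig 0/0 as an intra-area route
interface Loopback3
 ipv6 ospf 2 area 0
interface GigabitEthernet0/0
 ipv6 ospf 2 area 0
```

show ipv6 ospf interface GigabitEthernet0/0 should list "MD5 authentication SPI 256" under the area line, and show crypto ipsec sa shows the AH SA created for the interface. When the SPI or key differs between R1 and R2 the symptom is simply an empty show ipv6 ospf neighbor with no error in the OSPF process itself, so that is the first thing to compare when troubleshooting.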

4.2 Troubleshoot IP Options Handling on the Cisco ASA

(3 points)

The following information has appeared in an error message on ASA1 for IGMPv2 traffic transiting ASA1:
%ASA-6-106012: Deny IP from 7.7.5.15 to 225.17.1.1, IP options: Router Alert
Configure ASA1 to prevent this error message and allow IGMPv2 to function correctly on all interfaces.
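The inspection change that addresses that message, added as an example and not the workbook's solution. By default the ASA drops packets carrying any IP option, and IGMPv2 membership reports are sent with the Router Alert option set, which is exactly what the 106012 event records. The policy-map name is mine, and the block assumes the default global_policy is still in place on ASA1:

```cisco
! ASA1: permit only the Router Alert option; every other IP option still
! takes the default action (drop), so the relaxation is as narrow as the
! protocol needs
policy-map type inspect ip-options ALLOW-ROUTER-ALERT
 parameters
  router-alert action allow
!
! Attach it to the default inspection class of the global policy, which
! covers all interfaces as the task requires
policy-map global_policy
 class inspection_default
  inspect ip-options ALLOW-ROUTER-ALERT
service-policy global_policy global
!
! IGMP on the ASA's own interfaces is enabled by multicast routing
! (assumed not yet configured; harmless if it already is)
multicast-routing
```

show service-policy inspect ip-options on ASA1 shows the policy attached and the counters moving as reports pass, and the 106012 line stops appearing in the buffer for the 7.7.5.15 host. The alternative action "clear" strips the option and forwards the packet, but stripping Router Alert from an IGMP report defeats its purpose, which is why "allow" is the right choice here.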

4.3 Configure Netflow on a Cisco IOS Router

(3 points)

Configure Netflow version 9 on R6 using the following requirements:
1. Define an IP flow-top-talkers policy to be applied on Gig 0/1.1 as follows:
- Display the top 5 talkers for ICMP traffic
- Randomly sample traffic at a rate of one-out-of 10 packets
2. Verbose netflow output must display:
- IP Address
- MAC Address
- VLAN IDs
R6#show ip cache verbose flow
R6#show ip flow top-talkers
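The R6 configuration those requirements describe, added as an example and not the workbook's own answer. The sampler-map name is mine; ICMP is selected by its IP protocol number (1), and the top-talkers list is restricted to the sampled flows so that it reflects the one-in-ten sample rather than every packet:

```cisco
! R6
ip flow-export version 9
!
! Requirement 1: random 1-in-10 sampler bound to the sub-interface
flow-sampler-map SAMPLE-1-IN-10
 mode random one-out-of 10
interface GigabitEthernet0/1.1
 flow-sampler SAMPLE-1-IN-10
!
! Top talkers: top 5, ICMP only, only flows created by the sampler.
! sort-by is mandatory or the feature stays inactive.
ip flow-top-talkers
 top 5
 sort-by packets
 match protocol 1
 match flow-sampler SAMPLE-1-IN-10
!
! Requirement 2: add Layer-2 fields to the flow records so that
! "show ip cache verbose flow" prints source/destination MAC and VLAN
! alongside the IP addresses it shows by default
ip flow-capture mac-addresses
ip flow-capture vlan-id
```

With the sampler active, show ip flow top-talkers shows up to five entries whose protocol column reads 01 after some ICMP has crossed Gig 0/1.1; because only one packet in ten is sampled, small pings may not appear until enough packets have passed, which is expected rather than a misconfiguration.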

SECTION V. Threat Identification and Mitigation


5.1 Tuning Application Inspection on the Cisco ASA (4 points)

HTTP inspection must be configured to log GET operations with level 15 privilege made to Cisco IOS HTTP servers behind ASA1. The packet capture output below, which shows an HTTP session to 7.7.8.1 from the Test-PC, should be used to help define your match criteria.
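One way to express that match on ASA1, added as an example and not the workbook's answer. It assumes the capture shows the IOS privileged URL form (a GET whose URI begins with /level/15/, as in /level/15/exec/-/show/run), that the web servers sit in the DMZ 7.7.8.0/24 suggested by the 7.7.8.1 address, and that the regex, class-map, policy-map and ACL names are my own:

```cisco
! ASA1. Only requests that are both GETs and carry the level-15 path
! are matched (match-all); nothing is dropped, the task asks for a log.
regex IOS-LEVEL15 /level/15/
!
class-map type inspect http match-all IOS-PRIV-GET
 match request method get
 match request uri regex IOS-LEVEL15
!
policy-map type inspect http IOS-HTTP-POLICY
 class IOS-PRIV-GET
  log
!
! Apply the HTTP policy to TCP/80 toward the DMZ web servers only
access-list HTTP-TO-DMZ extended permit tcp any 7.7.8.0 255.255.255.0 eq www
class-map HTTP-DMZ
 match access-list HTTP-TO-DMZ
policy-map global_policy
 class HTTP-DMZ
  inspect http IOS-HTTP-POLICY
```

A GET for /level/15/exec/-/show/run from the Test-PC then produces a 415xxx-series HTTP inspection syslog on ASA1 naming the class, while ordinary GETs to the same server pass silently. If the capture shows a different URI shape, only the regex line changes; the rest of the structure stays the same.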

5.2 Configure Dynamic-ARP Inspection in a DHCP Environment

(4 points)

R3 receives an IP address for interface g0/1.1 from R6, which is considered a trusted DHCP server. Configure SW4 for DAI using DHCP snooping for the appropriate VLAN.
SW4# show ip dhcp snooping binding
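The SW4 configuration the task calls for, added as an example and not the workbook's answer. The VLAN number and the port facing R6 are not stated on this page and appear below as labelled placeholders; the block also includes the option-82 setting that usually has to be changed when the DHCP server is an IOS router:

```cisco
! SW4. Placeholders: VLAN-ID (the VLAN of R3's g0/1.1) and
! GigabitEthernet1/0/X (the port toward R6, the trusted DHCP server).
ip dhcp snooping
ip dhcp snooping vlan VLAN-ID
! By default snooping inserts option 82 with giaddr 0; an IOS DHCP
! server discards such requests, so no binding would ever be learned
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/X
 description Uplink toward R6 (trusted DHCP server)
 ! DHCP OFFER/ACK are only accepted from trusted ports
 ip dhcp snooping trust
 ! ARP from the router side is not validated against the binding table
 ip arp inspection trust
!
! DAI on the same VLAN: ARP on untrusted ports must match the
! IP/MAC/VLAN/port binding that R3's lease created
ip arp inspection vlan VLAN-ID
ip arp inspection validate src-mac dst-mac ip
```

After R3 renews its lease, show ip dhcp snooping binding on SW4 lists R3's MAC, the leased address, VLAN-ID and the port; show ip arp inspection vlan VLAN-ID then shows DAI enabled with the uplink as the only trusted port, and any ARP reply on an access port that disagrees with the binding is dropped and logged.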

5.3 LDAP (Outdated)


Microsoft Windows users utilize the msNPAllowDialin attribute to grant or withdraw permission to dial into the registration admission and status server (RASS). Configure the ASA admin context to map this MS attribute to the Cisco cVPN3000-IETF-Radius-Class attribute:
- A value of FALSE should be mapped to a value of ACCESS-DENY
- A value of TRUE should be mapped to a value of ACCESS-ALLOW

SECTION VI. Identity Management


6.1 Configure the Cisco Access Point as an 802.1X supplicant (6 points)

The Cisco Access Point 1242 is managed and controlled by the Cisco WLC, which should be allowed to communicate with 802.1X-authorized APs. In this question you are required to configure 802.1X support for the AP on SW6 (RADIUS source interface 7.7.7.2/VLAN7) and ISE1 (150.1.7.20). Use the information below to complete the question:
1. Create an identity for the AP on ISE1 using the credentials created in the 802.1x task in Q3.4 that will be used for authentication and mapped to an authorization policy.
2. Configure an Authorization Profile and Authorization Policy rule for the Cisco Access Point as follows:

Parameters      Settings
Name            Cisco_Access_Points
Description     Permit Cisco AP 1242
Access Type     Access_Accept
Common Tasks:
  DACL Name     AP_DACL
  DACL Policy   Permit CAPWAP (UDP 5246/5247) and DNS
  Vlan          9

3. Configure SW6 G1/0/5 for 802.1x support, which will enable the Cisco AP to authenticate via RADIUS to ISE1 and receive an authorization policy.

6.2 Configure Support for MAB/802.1X for Voice and Data VLANs

Part A: Authentication and Authorization of Cisco IP Phone with MAB (6 points)


The Cisco IP Phone is connected to interface g1/0/1 on SW6. It receives an IP address via DHCP from the 7.7.9.0/24 subnet and registers with CUCME on R6 (via 7.7.20.3). The requirement is to add security to this connection through authentication and authorization on SW6 using MAC Authentication Bypass (MAB) to assign the RADIUS attributes required to move the phone into the voice VLAN.

Use the following information to complete this task:
- Create an Endpoint Identity for the IP Phone in your rack on ISE1 (150.1.7.20)
- Verify that you have an authentication rule for MAB on the Cisco ISE.
- Verify that the standard authorization policy for Cisco IP Phones exists and is allowing a permit on all traffic on ISE1.
- Configure g1/0/1 on SW6 to support a voice VLAN (9) and data VLAN (99)
- Voice VLAN will support MAB for authentication
- Data VLAN will provide support for the Test-PC that must connect through the Phone using 802.1X.
- SW6 must attempt a MAB authentication first after learning the MAC address of an Endpoint. If MAB is not successful, 802.1X endpoints should be allowed to connect.
The following output should be used to verify your solution:
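The SW6 switch-side configuration for both Q6.1 step 3 (the AP port G1/0/5) and Q6.2 Part A (the phone and PC port G1/0/1), added as an example and not the workbook's solution. It builds on the RADIUS server, source interface and aaa new-model already present in the SW6 baseline shown earlier in this workbook, and assumes ISE returns the voice-domain attribute in its standard Cisco IP Phones profile so that the phone lands in VLAN 9:

```cisco
! SW6: global 802.1X/MAB plumbing on top of the existing RADIUS config
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! Q6.1 step 3: the AP is the 802.1X supplicant on G1/0/5
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 7
 authentication port-control auto
 dot1x pae authenticator
!
! Q6.2 Part A: phone in voice VLAN 9 via MAB, Test-PC behind it in data
! VLAN 99 via 802.1X. multi-domain permits exactly one voice and one
! data endpoint, so a second data MAC behind the phone is rejected.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 99
 switchport voice vlan 9
 authentication host-mode multi-domain
 ! MAB first; if ISE rejects the MAC, 802.1X is offered to the endpoint
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
```

show authentication sessions interface GigabitEthernet1/0/1 should then list two sessions: the phone's MAC with Method mab in the VOICE domain and the Test-PC with Method dot1x in the DATA domain, each showing the downloadable ACL and VLAN ISE returned. Without the voice-domain attribute from ISE, the phone is placed in the data domain and the PC's 802.1X session can never authorise, which is the first thing to check if only one session appears.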

Part B: Authentication and Authorization of 802.1X Client through a Cisco IP Phone

(6 points)


The Test-PC must be allowed to connect through the authenticated Cisco IP Phone.
1. SW6 G1/0/1 should have been configured to support a voice and data VLAN in Part A of this question.
2. Configure an Authorization Profile and Authorization Policy rule for the Test-PC on ISE1 using the following information:

Attribute           Value
Group Name          Test-PC_Group
Username/Password   test-PC/Cisc0123
Access Type         Access_Accept
Common Tasks:
  DACL Name         DATA_VLAN_DACL
  DACL Policy       Permit ip any any
  Vlan              99

The following output should be used for verification

Thank You for using cciesecuritylabs workbooks.