www.CareerCert.info
CCBOOTCAMP's
CCIE Security Advanced Lab Workbook
Volume 1
for the CCIE Security Lab Exam version 3.0
CCBOOTCAMP
375 N. Stephanie Street
Building 21, Suite 2111
Henderson, NV 89014
1.877.654.2243 Toll Free
www.ccbootcamp.com
Cisco, the Cisco Logo, CCNA, CCNP, CCDP, CCDA, CCIE, Cisco Certified
Network Associate, Cisco Certified Design Professional, Cisco Certified Design
Associate, and Cisco Certified Network Professional are registered trademarks of
Cisco Systems, Inc. The contents contained herein are not associated with or endorsed by
Cisco Systems, Inc.
PLEASE READ THIS SUBSCRIPTION LICENSE AGREEMENT CAREFULLY BEFORE USING THIS PRODUCT.
THIS SUBSCRIPTION LICENSE AGREEMENT APPLIES TO CCBOOTCAMP's CCIE Security Advanced Lab
Workbook.
BY ORDERING THIS PRODUCT YOU ARE CONSENTING TO BE BOUND BY THIS LICENSING AGREEMENT.
IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS LICENSE, THEN DO NOT PURCHASE THIS
PRODUCT.
License Agreement
CCBOOTCAMP's CCIE Security Advanced Lab Workbook is copyrighted. In addition, this
product is at all times the property of CCBOOTCAMP, and the customer shall agree to
use this product only for themselves, the licensed user. The license for the specific
customer remains valid from the purchase date until they pass their CCIE Security lab
exam.
CCBOOTCAMP's CCIE Security Advanced Lab Workbook materials are licensed by individual
customer. This material cannot be resold, transferred, traded, sold, or have the price
shared in any way. Each specific individual customer must have a license to use this
product. The customer agrees that this product is always the property of CCBOOTCAMP,
and they are just purchasing a license to use it. A customer's license will be revoked
if they violate this licensing agreement in any way.
Copies of this material in any form or fashion are strictly prohibited. If for any
reason a licensed copy of this material is lost or damaged a new copy will be provided
free of charge, except for the cost of printing, shipping and handling.
Individuals or entities that knowingly violate the terms of this licensing agreement
may be subject to punitive damages that CCBOOTCAMP could seek in civil court. Damages
will be limited to a maximum of $500,000.00 per individual and $2,000,000.00 per
entity. In addition, individuals or entities that knowingly violate the terms of this
license agreement may be subject to criminal penalties as are allowed by law.
The venue of any dispute, controversy, litigation or proceeding (formal or informal)
arising out of or pertaining to this licensing agreement or the subject hereof shall
lie exclusively in the County of Clark, State of Nevada. Provided, however, that if
any such dispute, controversy, litigation or proceeding requires or permits
jurisdiction in a federal court or agency of the United States, then venue shall lie
in no federal court or agency other than those located in (or nearest to) the County
of Clark, State of Nevada.
Term and Termination of License Agreement
This License is effective until terminated. Customer may terminate this License at any
time by destroying all copies of written and electronic material of said product.
Customer's rights under this License will terminate immediately without notice from
CCBOOTCAMP, if Customer fails to comply with any provision of this License. Upon
termination, Customer must destroy all copies of material in its possession or
control. The license for the specific user remains valid from the purchase date until
the user passes their lab exam pertaining to the purchased subscription. Once the
customer passes the relevant lab exam the license is terminated and all material
written or electronic in their possession or control must be destroyed or returned to
CCBOOTCAMP.
Warranty
No warranty of any kind is provided with this product. There are no guarantees that
the use of this product will help a customer pass any exams, tests, or certifications,
or enhance their knowledge in any way. The product is provided on an AS IS basis.
In no event will CCBOOTCAMP, its suppliers, or licensed resellers be liable for any
incurred costs, lost revenue, lost profit, lost data, or any other damages regardless
of the theory of liability arising out of use or inability to use this product.
LAB 1
Instructions
Verify that all configurations have been cleared before
you load initial configurations onto the lab routers,
backbone routers and switches. There are no initial
configurations for the ASA and IPS. You will be required
to configure these devices in the practice lab, just as you
will be required to do in the actual lab exam.
ASDM and SDM are not available in the actual lab exam.
The ACS workstation is used in this lab as the candidate PC
as well as the ACS server. The IP address of the ACS
cannot be changed.
There is a test PC available in the practice labs as well
as in the actual lab. The IP address of the rack interface
test PC may be changed through the desktop application. For
both PCs, you may add/remove static routes for connectivity
as described in the lab.
Do not change the default route
on the ACS or the test PC, as you may lose connectivity.
Always remember to Apply changes and Save your configs
often!
Unless otherwise specified, use only the existing networks
within your lab. Additional networks, static and/or
default routes, may not be configured unless specified in a
task.
When creating passwords, use cisco unless indicated
otherwise in a specific task. Refer to the Remote Rack
Access FAQ PDF for cabling, ACS and IPS Access and other
commonly asked questions. The document is located here:
http://www.ccbootcamp.com/download
www.ccbootcamp.com
Toll Free 877.654.2243
sales@ccbootcamp.com
Copyright 2009, Network Learning, Incorporated
Sections:
1. ASA Firewalls
2. IOS Firewalls
3. VPNs
4. IPS
5. Identity Management
6. Control/Management Plane Security
7. Advanced Security
8. Network Attack Mitigation
If you would like additional copies of the diagrams to use with
the labs, they can be downloaded from
http://www.ccbootcamp.com/download/!Security/
[Lab topology diagram; cabling recovered from the figure:]
R1 to R6: Fa0/0 to SW1 Fa0/1 to Fa0/6 respectively; Fa0/1 to SW2 Fa0/1 to Fa0/6 respectively
BB1: Fa0/0 to SW1 Fa0/9; Fa0/1 to SW2 Fa0/9
BB2: Fa0/0 to SW1 Fa0/10; Fa0/1 to SW2 Fa0/10
ASA01 and ASA02 (E0/0 to E0/3) and the IDS (Gi0/0: sense, Gi0/1: c&c) cable to SW1/SW2 ports Fa0/12, Fa0/14, Fa0/17, Fa0/18 and Fa0/23
SW1 to SW2: Fas0/19 and Fas0/20
Sensor Int.   Connected to:
G0/0          SW1 Fa0/14
Fa1/0         SW3 Fa0/4
Fa1/1         SW3 Fa0/3
Fa1/2         SW3 Fa0/2
Fa1/3         SW3 Fa0/1
R7 (2811): Fas0/0 to SW3 Fas0/17; Fas0/1 to SW4 Fas0/17
R8 (2811): Fas0/0 to SW3 Fas0/18; Fas0/1 to SW4 Fas0/18
SW3 to SW4: Fas0/19 and Fas0/20
ACS PC: SW1 Fa0/24, 192.168.2.101
Task 1.2
4 Points
Task 1.3
4 Points
Task 1.4
4 Points
Section 2: IOS Firewalls
Task 2.1
4 Points
4 Points
4 Points
4 Points
Section 3: VPN
Task 3.1
4 Points
4 Points
Task 3.3
4 Points
4 Points
Section 4: IPS
Task 4.1
4 Points
4 Points
Task 4.3
4 Points
Task 4.4
4 Points
4 Points
Section 5: Identity Management
Task 5.1
4 Points
4 Points
4 Points
= AUTHORIZED
= Guest-Vlan
= 11
Section 6:
Task 6.1
4 Points
Section 7: Advanced Security
Task 7.1
4 Points
Allow the EBGP neighbors between BB1 and BB2. Add BGP
authentication between BB1 and BB2 using the password of
cisco. Verify the BGP sourced routes appear on routers 1-5,
7, and 8.
Prevent the ACS PC from being able to telnet to R6. Stop
this traffic before it reaches R6. Do not assign an access
list to any interface on the switch as part of your
solution for this task.
Configure R3 so that it cannot originate a telnet session.
Do not use any line or AAA commands for this task.
Configure R5 to do the following: Rate Limit FTP and ICMP
traffic destined to the 50.50.4.0/24 network to 10,000 bps.
Drop the traffic that exceeds this rate. Limit the burst to
8000 bps. Rate Limit telnet in the same fashion, with the
exception that if the rate limit is exceeded for telnet,
forward the packet with precedence of network control.
Apply this policy to Fa0/0 only.
On SW4 assign port Fa0/23 to VLAN 4. Only allow the host
with the MAC address 0001.0002.0003 to be connected to
port Fa0/23. If there is a violation, shut down the port.
The switch should automatically re-enable the port
after 30 seconds if there is no longer a violation.
Configure SW1 to allow only the minimum number of MAC
addresses needed on the SW1 ports Fa0/1 and Fa0/4, and
store these in the running configuration. Create a syslog
message but do not shut down the port if there is a
violation.
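The two port-security sub-tasks above ask for different violation behaviours (shut the port and auto-recover after 30 seconds versus log-and-keep-forwarding with sticky addresses in the running configuration). The following Python model is an added example, not the workbook's solution and not Cisco code: it simulates how an IOS access port enforces a maximum MAC count, how the shutdown mode puts the port in err-disable and errdisable recovery brings it back after the interval, and how restrict mode logs but keeps the port up. Port names and MAC addresses other than 0001.0002.0003 are constructed, and the syslog strings are modelled on the IOS message formats, not captured from a switch.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SecurePort:
    """Port-security state for one access port (model of IOS behaviour)."""
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # shutdown | restrict | protect
    sticky: bool = False             # learned addresses are written to running-config
    static_macs: Set[str] = field(default_factory=set)
    learned_macs: Set[str] = field(default_factory=set)
    errdisabled_at: Optional[float] = None
    violations: int = 0
    syslog: List[str] = field(default_factory=list)

    def secure_macs(self) -> Set[str]:
        return self.static_macs | self.learned_macs


@dataclass
class Switch:
    # errdisable recovery cause psecure-violation / errdisable recovery interval N
    recovery_interval: Optional[int] = None
    ports: Dict[str, SecurePort] = field(default_factory=dict)

    def frame(self, port_name: str, mac: str, now: float) -> str:
        """Process one ingress frame; returns what the switch did with it."""
        port = self.ports[port_name]
        if port.errdisabled_at is not None:
            elapsed = now - port.errdisabled_at
            if self.recovery_interval is None or elapsed < self.recovery_interval:
                return "dropped:errdisabled"
            # recovery timer expired: port comes back up (a repeat violation re-disables it)
            port.errdisabled_at = None
            port.syslog.append(f"%PM-4-ERR_RECOVER: Attempting to recover from "
                               f"psecure-violation err-disable state on {port.name}")
        if mac in port.secure_macs():
            return "forwarded"
        if len(port.secure_macs()) < port.maximum:
            port.learned_macs.add(mac)        # dynamic (or sticky) learning
            return "forwarded"
        return self._violate(port, mac, now)

    def _violate(self, port: SecurePort, mac: str, now: float) -> str:
        if port.violation == "protect":
            return "dropped:violation-protect"  # silent drop, no log, no counter
        port.violations += 1
        port.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {mac} on port {port.name}.")
        if port.violation == "shutdown":
            port.errdisabled_at = now
            port.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                               f"{port.name}, putting {port.name} in err-disable state")
        return f"dropped:violation-{port.violation}"

    def running_config(self, port_name: str) -> str:
        """Render the port-security lines the model would show in running-config."""
        port = self.ports[port_name]
        lines = [f"interface {port.name}",
                 " switchport port-security",
                 f" switchport port-security maximum {port.maximum}",
                 f" switchport port-security violation {port.violation}"]
        lines += [f" switchport port-security mac-address {m}" for m in sorted(port.static_macs)]
        if port.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in sorted(port.learned_macs)]
        return "\n".join(lines)


def build_lab_switches():
    """SW4 Fa0/23 (static MAC, shutdown, 30 s recovery) and SW1 Fa0/1, Fa0/4 (sticky, restrict)."""
    sw4 = Switch(recovery_interval=30)
    sw4.ports["Fa0/23"] = SecurePort("Fa0/23", maximum=1, violation="shutdown",
                                     static_macs={"0001.0002.0003"})
    sw1 = Switch()
    for name in ("Fa0/1", "Fa0/4"):
        sw1.ports[name] = SecurePort(name, maximum=1, violation="restrict", sticky=True)
    return sw4, sw1


if __name__ == "__main__":
    sw4, sw1 = build_lab_switches()
    for t, mac in ((0, "0001.0002.0003"), (1, "0001.0002.0004"), (10, "0001.0002.0003"),
                   (31, "0001.0002.0003")):          # constructed frame sequence
        print(t, mac, sw4.frame("Fa0/23", mac, t))
    print("\n".join(sw4.ports["Fa0/23"].syslog))
    sw1.frame("Fa0/1", "aaaa.bbbb.0001", 0)            # constructed MACs
    sw1.frame("Fa0/1", "aaaa.bbbb.0002", 1)
    print(sw1.running_config("Fa0/1"))
```

The model reproduces the point the task is testing: with shutdown mode the offending frame takes the whole port down and legitimate traffic is lost until the recovery interval elapses, whereas restrict mode keeps the authorised host forwarding and leaves a syslog trail for the violation.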
4 Points
Section 8:
Task 8.1
4 Points
Task 8.2
4 Points
Solutions Guide
(next page)
4 Points
                Idle       Location
  00:02:20
  00:00:00   50.50.4.101
   User       Host(s)              Idle       Location
              idle                 00:00:00   50.50.4.6
Task 1.2
4 Points
ICMP packet debugging is on
ICMP: echo reply sent, src 1.1.1.1, dst 50.50.4.19
ICMP: echo reply sent, src 1.1.1.1, dst 50.50.4.19
ICMP: echo reply sent, src 1.1.1.1, dst 50.50.4.19
ICMP: echo reply sent, src 1.1.1.1, dst 50.50.4.19
ICMP: echo reply sent, src 1.1.1.1, dst 50.50.4.19
Task 1.3
4 Points
Reset and log any FTP PUT commands going through c2. Do
not use the keyword of PUT in any policy-map syntax for
this task.
ASA1/c2(config)# class-map type inspect ftp match-any CMAP_INS_FTP_PUT
ASA1/c2(config-cmap)# match request-command put
ASA1/c2(config-cmap)# exit
ASA1/c2(config)# policy-map type inspect ftp PMAP_INS_FTP_PUT
ASA1/c2(config-pmap)# parameters
ASA1/c2(config-pmap-p)# class CMAP_INS_FTP_PUT
ASA1/c2(config-pmap-c)# reset log
ASA1/c2(config-pmap-c)# exit
ASA1/c2(config-pmap)# exit
ASA1/c2(config)# policy-map global_policy
ASA1/c2(config-pmap)# class inspection_default
ASA1/c2(config-pmap-c)# no inspect ftp
ASA1/c2(config-pmap-c)# inspect ftp strict PMAP_INS_FTP_PUT
ASA1/c2(config-pmap-c)# exit
ASA1/c2(config-pmap)# exit
R1#copy start ftp
Address or name of remote host []? 50.50.4.101
Destination filename [r1-confg]? test-put
Writing test-put
%Error writing ftp://50.50.4.101/test-put (Permission denied)
%ASA-5-303005: Strict FTP inspection matched Class 21: CMAP_INS_FTP_PUT in
policy-map PMAP_INS_FTP_PUT, Reset connection from outside:50.50.4.1/25724 to
inside:192.168.2.101/21
ASA1/c2(config)# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 16, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: ftp strict PMAP_INS_FTP_PUT, packet 13, drop 0, reset-drop 1
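The %ASA-5-303005 message and the reset-drop counter in show service-policy are the two artefacts that prove the FTP inspection policy fired. The following Python is an added example, not part of the workbook and not Cisco code: it parses those two outputs so a syslog pipeline or verification script can pick out which class-map and policy-map matched, which connection was reset, and which inspections on the global policy have actually dropped or reset anything. The sample lines are the ones printed on this page (re-joined onto single lines) plus one constructed %ASA-6-302013 connection-built message to show that unrelated lines are ignored.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the workbook's 303005 message (re-joined) and one
# unrelated connection-built message that the parser must skip.
SAMPLE_SYSLOG = [
    "%ASA-5-303005: Strict FTP inspection matched Class 21: CMAP_INS_FTP_PUT in "
    "policy-map PMAP_INS_FTP_PUT, Reset connection from outside:50.50.4.1/25724 to "
    "inside:192.168.2.101/21",
    "%ASA-6-302013: Built inbound TCP connection 45 for outside:50.50.4.1/25725 "
    "(50.50.4.1/25725) to inside:192.168.2.101/21 (192.168.2.101/21)",
]

# Constructed sample: a subset of the "show service-policy" lines on this page.
SAMPLE_SERVICE_POLICY = [
    "Global policy:",
    "  Service-policy: global_policy",
    "    Class-map: inspection_default",
    "      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0",
    "      Inspect: netbios, packet 16, drop 0, reset-drop 0",
    "      Inspect: skinny , packet 0, drop 0, reset-drop 0",
    "      Inspect: ftp strict PMAP_INS_FTP_PUT, packet 13, drop 0, reset-drop 1",
]


@dataclass
class FtpInspectEvent:
    class_id: int
    class_map: str
    policy_map: str
    action: str          # e.g. "Reset"
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int


FTP_INSPECT_RE = re.compile(
    r"%ASA-\d-303005: Strict FTP inspection matched Class (?P<class_id>\d+): "
    r"(?P<class_map>\S+) in policy-map (?P<policy_map>\S+), "
    r"(?P<action>\w+) \w+ from (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# "Inspect: <name>, packet N, drop N, reset-drop N"; the name may contain spaces
# (e.g. "ftp strict PMAP_INS_FTP_PUT") or a stray trailing space ("skinny ").
INSPECT_RE = re.compile(
    r"Inspect:\s+(?P<name>.+?)\s*,\s+packet (?P<packet>\d+), drop (?P<drop>\d+), "
    r"reset-drop (?P<reset_drop>\d+)"
)


def parse_ftp_inspection_events(lines: List[str]) -> List[FtpInspectEvent]:
    """Extract structured events from every 303005 message in the input."""
    events = []
    for line in lines:
        m = FTP_INSPECT_RE.search(line)
        if not m:
            continue
        events.append(FtpInspectEvent(
            class_id=int(m["class_id"]), class_map=m["class_map"],
            policy_map=m["policy_map"], action=m["action"],
            src_if=m["src_if"], src_ip=m["src_ip"], src_port=int(m["src_port"]),
            dst_if=m["dst_if"], dst_ip=m["dst_ip"], dst_port=int(m["dst_port"])))
    return events


def parse_inspect_counters(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Map each inspection engine on the policy to its packet/drop/reset-drop counters."""
    counters: Dict[str, Dict[str, int]] = {}
    for line in lines:
        m = INSPECT_RE.search(line)
        if m:
            counters[m["name"]] = {k: int(m[k]) for k in ("packet", "drop", "reset_drop")}
    return counters


def inspections_that_enforced(lines: List[str]) -> List[str]:
    """Names of inspections whose drop or reset-drop counter is non-zero."""
    return [name for name, c in parse_inspect_counters(lines).items()
            if c["drop"] or c["reset_drop"]]


if __name__ == "__main__":
    for ev in parse_ftp_inspection_events(SAMPLE_SYSLOG):
        print(f"{ev.action} {ev.src_if}:{ev.src_ip}:{ev.src_port} -> "
              f"{ev.dst_if}:{ev.dst_ip}:{ev.dst_port} ({ev.class_map}/{ev.policy_map})")
    print(inspections_that_enforced(SAMPLE_SERVICE_POLICY))
```

Comparing the event's dst_port (21) and policy-map name against the non-zero reset-drop counter for "ftp strict PMAP_INS_FTP_PUT" is the same check the workbook does by eye with the copy start ftp failure: the PUT was refused by the firewall's inspection, not by the FTP server.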
Task 1.4
4 Points
Note: ASA2
ciscoasa(config)# show mode
Security context mode: single
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
Security context mode: multiple
ciscoasa>
ciscoasa> enable
Password:
ciscoasa# conf t
ciscoasa(config)# show mode
Security context mode: multiple
ciscoasa(config)# interface Ethernet0/3
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# failover lan interface lanfail Ethernet0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its subinterfaces
ciscoasa(config)# failover interface ip lanfail 50.50.50.1 255.255.255.0
standby 50.50.50.6
ciscoasa(config)# failover key cisco
ciscoasa(config)# failover link lanfail
ciscoasa(config)# failover replication http
Primary
    Group 1       State:          Active
                  Active time:    500 (sec)
    Group 2       State:          Standby Ready
                  Active time:    247 (sec)
    slot: c2 c2 c2 c1 c1
Other host: Secondary
    Group 1       State:          Standby Ready
                  Active time:    0 (sec)
    Group 2       State:          Active
                  Active time:    252 (sec)
    slot: c2 c2 c2 c1
        rcv   rerr
        43    0
        40    0
        0     0
        0     0
        0     0
        3     0
        0     0
        0     0
        0     0
Section 2: IOS Firewalls
Task 2.1
4 Points
Task 2.2
4 Points
Task 2.3
4 Points
Task 2.4
4 Points
timed out.
timed out.
timed out.
timed out.
c:\ACS_PC>ping 50.50.235.2
Pinging 50.50.235.2 with 32 bytes of data:
Reply from 50.50.235.2: bytes=32 time=127ms TTL=252
Reply from 50.50.235.2: bytes=32 time=141ms TTL=252
Reply from 50.50.235.2: bytes=32 time=120ms TTL=252
Reply from 50.50.235.2: bytes=32 time=82ms TTL=252
Section 3: VPNs
Task 3.1
4 Points
Task 3.2
4 Points
(3.3.3.3/255.255.255.255/47/0)
(2.2.2.2/255.255.255.255/47/0)
#pkts digest: 6
#pkts verify: 7
               Remote       I-VRF
1001  3.3.3.3  50.50.4.6           rsig 2
1002  3.3.3.3  2.2.2.2             rsig 2
1003  3.3.3.3  2.2.2.2             rsig 2
Task 3.3
4 Points
R6(ipsec-profile)#exit
R6(config)#interface Virtual-Template1 type tunnel
R6(config-if)#ip unnumbered FastEthernet0/1
R6(config-if)#tunnel mode ipsec ipv4
R6(config-if)#tunnel protection ipsec profile IPSEC-easyvpn-profile-1
R6(config-if)#exit
R6(config)#ip local pool POOL_1 192.168.0.51 192.168.0.55
R6(config)#ip radiu
R6(config)#ip radius source-interface FastEthernet0/0
R6(config)#access-list 100 permit ip 192.168.0.0 0.0.255.255 any
R6(config)#radius-server host 192.168.2.101 auth-port 1645 acct-port 1646
R6(config)#radius-server key cisco
R6(config)#line con 0
R6(config-line)#login authentication FREE
R6(config-line)#exit
ASA1/c2/act(config)# access-list outside permit udp host 50.50.12.7 host 50.50.4.6 eq 500
ASA1/c2/act(config)# access-list outside permit udp host 50.50.12.7 host 50.50.4.6 eq 4500
R7(config-crypto-ezvpn)#exit
R7(config)#interface Loopback3
R7(config-if)#ip address 10.3.0.7 255.255.255.0
R7(config-if)#crypto ipsec client ezvpn EZ_CLIENT inside
R7(config-if)#exit
R7(config)#interface FastEthernet0/1
R7(config-if)#crypto ipsec client ezvpn EZ_CLIENT outside
R7(config-if)#exit
R7(config)#interface Virtual-Template1 type tunnel
R7(config-if)#no ip address
R7(config-if)#tunnel mode ipsec ipv4
R7(config-if)#exit
R7(config)#
R7(config)#
*Apr 29 16:49:23.043: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R7(config)#
*Apr 29 16:49:24.755: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Virtual-Template1, changed state to down
R7(config)#
*Apr 29 16:49:26.007: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=vpn_user
Group=vpn_group Client_public_addr=50.50.12.7 Server_public_addr=50.50.4.6
Assigned_client_addr=192.168.0.51
R7(config)#
*Apr 29 16:49:26.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Loopback10000, changed state to up
*Apr 29 16:49:26.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0,
changed state to up
Task 3.4
4 Points
R4(config)#router ospf 1
R4(config-router)#passive fa0/0
R4(config-router)#redistribute static subnets
R4(config-router)#exit
R6#ping 50.50.6.5 sour fa0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.50.6.5, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.6
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms
R6#
R1#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: MY_HA_MAP, local addr 50.50.4.14
protected vrf: (none)
local ident (addr/mask/prot/port): (50.50.6.0/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/1/0)
current_peer 50.50.4.6 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
R1#wr
Building configuration...
[OK]
R1#reload
Proceed with reload? [confirm]
Apr 29 18:01:19.931: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
Section 4: IPS
Task 4.1
4 Points
--- 172.17.33.200 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.4/0.9 ms
Sensor#
ASA1/c2/act(config)# static (dmz,inside) tcp 50.50.3.15 5796 172.17.33.15
6783
(Note: it may take a reload of the ASA for this to take effect)
ASA1/c2/act(config)# static (inside,dmz) 192.168.2.101 192.168.2.101
Task 4.2
4 Points
Task 4.3
4 Points
1  source vlan 11 rx
1  destination remote vlan 999
2  destination interface Fa0/2
2  source remote vlan 999
SW3(config)#int fa 0/1
SW3(config-if)#sw trun encap dot1
SW3(config-if)#switchport mode trunk
SW3(config-if)#end
Task 4.4
4 Points
R2#who
    Line       User       Host(s)              Idle       Location
*    0 con 0              idle                 00:00:00
   515 vty 1              idle                 00:00:03   50.50.4.15
size 10000
R2#
R2#show policy-map int fa 0/0
FastEthernet0/0
Service-policy input: IDS_RL_POLICY_MAP_1
Class-map: IDS_RL_CLASS_MAP_icmp-xxBx-8-1_1 (match-any)
484 packets, 55176 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name IDS_RL_ACL_icmp-xxBx-8-1_1
484 packets, 55176 bytes
5 minute rate 0 bps
police:
cir 1 %
Task 4.5
4 Points
R2#telnet 1.1.1.1 80
Trying 1.1.1.1, 80 ... Open
test
[Connection to 1.1.1.1 closed by foreign host]
R2#
Section 5: Identity Management
Task 5.1
4 Points
SW1#
SW1#telnet 50.50.4.105
Trying 50.50.4.105 ... Open
LOGIN Authentication
Username: c-user
Password: cisco
Authentication Successful
[Connection to 50.50.4.105 closed by foreign host]
SW1#
SW1#telnet 8.8.8.8
Trying 8.8.8.8 ...
% Connection refused by remote host
SW1#telnet 50.50.4.105
Trying 50.50.4.105 ... Open
LOGIN Authentication
Username: c-user
Password: cisco
Authentication Successful
[Connection to 50.50.4.105 closed by foreign host]
SW1#telnet 8.8.8.8
Trying 8.8.8.8 ... Open
R8#exit
[Connection to 8.8.8.8 closed by foreign host]
SW1#
ASA1/c1/act(config)# show uauth
Current
Most Seen
Authenticated Users
1
1
Authen In Progress
0
1
user 'c-user' at 11.11.2.9, authenticated
access-list #ACSACL#-IP-ACL1-49f8688e (*)
absolute
timeout: 0:05:00
inactivity timeout: 0:00:00
ASA1/c1/act(config)#
ASA1/c1/act(config)# show acce
ASA1/c1/act(config)# show access-list #ACSACL#-IP-ACL1-49f8688e
access-list #ACSACL#-IP-ACL1-49f8688e; 2 elements (dynamic)
access-list #ACSACL#-IP-ACL1-49f8688e line 1 extended permit tcp any host
8.8.8.8 eq telnet (hitcnt=1) 0xed24bdfc
access-list #ACSACL#-IP-ACL1-49f8688e line 2 extended permit tcp any host
50.50.4.105 eq telnet (hitcnt=1) 0x8ac38cde
ASA1/c1/act(config)#
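The telnet tests and the show uauth / show access-list output above show the three states of ASA cut-through proxy: the first telnet to 8.8.8.8 is refused because the source has no uauth entry, the virtual-telnet login to 50.50.4.105 creates one, and after that the per-user downloadable ACL decides what the entry permits. The following Python is an added model of that behaviour, not the workbook's configuration and not Cisco code: it parses the two downloadable-ACL entries exactly as show access-list prints them on this page (re-joined onto single lines), keeps a uauth cache keyed by source IP with the page's absolute timeout of 0:05:00, and evaluates flows against it. The flow to port 80 and the timestamps are constructed; the port-name table covers only a few common names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the downloadable ACL lines from "show access-list" on this page.
DACL_LINES = [
    "access-list #ACSACL#-IP-ACL1-49f8688e line 1 extended permit tcp any host "
    "8.8.8.8 eq telnet (hitcnt=1) 0xed24bdfc",
    "access-list #ACSACL#-IP-ACL1-49f8688e line 2 extended permit tcp any host "
    "50.50.4.105 eq telnet (hitcnt=1) 0x8ac38cde",
]
PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80, "ssh": 22}  # small subset of ASA names

ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\w+) (?P<src>any|host [\d.]+) (?P<dst>any|host [\d.]+)"
    r"(?: eq (?P<port>\w+))?(?: \(hitcnt=(?P<hits>\d+)\))?"
)


@dataclass
class Ace:
    action: str
    proto: str
    src: Optional[str]      # None means "any"
    dst: Optional[str]
    dport: Optional[int]    # None means any port
    hits: int

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (self.proto in (proto, "ip")
                and self.src in (None, src_ip)
                and self.dst in (None, dst_ip)
                and self.dport in (None, dport))


def parse_dacl(lines: List[str]) -> List[Ace]:
    """Parse 'show access-list' entries (host/any sources and destinations, optional eq port)."""
    aces = []
    for line in lines:
        m = ACE_RE.search(line)
        if not m:
            continue
        host = lambda s: None if s == "any" else s.split()[1]
        port = m["port"]
        dport = None if port is None else (PORT_NAMES.get(port) or int(port))
        aces.append(Ace(m["action"], m["proto"], host(m["src"]), host(m["dst"]),
                        dport, int(m["hits"] or 0)))
    return aces


@dataclass
class UauthEntry:
    user: str
    ip: str
    acl: List[Ace]
    authenticated_at: float


class CutThroughProxy:
    """Model of the ASA uauth cache plus a per-user downloadable ACL."""

    def __init__(self, absolute_timeout: int = 300):   # 0:05:00 as shown on this page
        self.absolute_timeout = absolute_timeout
        self.uauth: Dict[str, UauthEntry] = {}

    def authenticate(self, ip: str, user: str, now: float, dacl_lines: List[str]) -> None:
        """Successful virtual-telnet login: cache the user and its downloaded ACL."""
        self.uauth[ip] = UauthEntry(user, ip, parse_dacl(dacl_lines), now)

    def check(self, src_ip: str, dst_ip: str, proto: str, dport: int, now: float) -> str:
        entry = self.uauth.get(src_ip)
        if entry is None:
            return "deny:unauthenticated"          # the "Connection refused" case
        if now - entry.authenticated_at >= self.absolute_timeout:
            del self.uauth[src_ip]                  # absolute timer expired, re-auth needed
            return "deny:uauth-expired"
        for ace in entry.acl:
            if ace.matches(src_ip, dst_ip, proto, dport):
                ace.hits += 1                       # mirrors the hitcnt counter
                return ace.action
        return "deny:implicit"


if __name__ == "__main__":
    proxy = CutThroughProxy()
    print(proxy.check("11.11.2.9", "8.8.8.8", "tcp", 23, 0))       # before login
    proxy.authenticate("11.11.2.9", "c-user", 10, DACL_LINES)      # virtual telnet succeeds
    print(proxy.check("11.11.2.9", "8.8.8.8", "tcp", 23, 12))      # R8 telnet now permitted
    print(proxy.check("11.11.2.9", "8.8.8.8", "tcp", 80, 13))      # constructed: not in the DACL
```

The per-entry hit counter is what makes the show access-list output useful as verification: a permit line with hitcnt=1 for 8.8.8.8 after the second telnet is direct evidence that the downloaded ACL, not the interface ACL, allowed the session.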
Task 5.2
4 Points
R7(config)#int loop 99
R7(config-if)#ip address 99.99.99.9 255.255.255.0
R7(config-if)#exit
R7(config)#exit
R7#logout
Command authorization failed.
R7#exit
[Connection to 7.7.7.7 closed by foreign host]
!
interface Serial0/1/0
no ip address
!
interface Serial0/1/1
no ip address
!
!
access-list 1 permit 50.50.0.0 0.0.255.255
access-list 110 deny ip any any log-input
!
end
Task 5.3
4 Points
= AUTHORIZED
= Guest-Vlan
= 11
SW3(config)#aaa new-model
SW3(config)#aaa authentication dot1x default group radius local
SW3(config)#aaa authorization network default group radius
SW3(config)#dot1x system-auth-control
SW3(config)#interface FastEthernet0/18
SW3(config-if)#switchport access vlan 11
SW3(config-if)#switchport mode access
SW3(config-if)#dot1x pae authenticator
SW3(config-if)#dot1x port-control auto
SW3(config-if)#dot1x host-mode multi-host
SW3(config-if)#dot1x timeout quiet-period 3
SW3(config-if)#dot1x timeout tx-period 5
SW3(config-if)#dot1x guest-vlan 11
SW3(config-if)#dot1x auth-fail vlan 6
SW3(config-if)#spanning-tree portfast
SW3(config-if)#interface Vlan4
SW3(config-if)#ip address 50.50.4.9 255.255.255.0
SW3(config-if)#ip radius source-interface Vlan4
SW3(config)#radius-server host 50.50.4.101 auth-port 1645 acct-port 1646
SW3(config)#radius-server source-ports 1645-1646
SW3(config)#radius-server key cisco
SW3#test aaa group radius 1xuser cisco legacy
Attempting authentication test to server-group radius using radius
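What the radius-server key in the SW3 configuration above actually protects (the same mechanism sits behind the ASA cut-through proxy of Task 5.1, which authenticates against the same ACS): the shared secret encrypts the User-Password attribute of the Access-Request and is folded into the Response Authenticator of every reply, so a NAS that does not recompute that authenticator would accept an Access-Accept from anyone able to spoof the server's address. The following Python is an added example, not code from the workbook or from Cisco. The NAS address 50.50.4.9, the secret cisco and the test user 1xuser/cisco are taken from the configuration above; the packet identifier and the Request Authenticator used in the demonstration are fixed only so the run is reproducible.

```python
"""RADIUS Access-Request / Access-Accept with the shared secret (RFC 2865).

Added example, not code from the workbook or from Cisco. NAS 50.50.4.9,
secret 'cisco' and user 1xuser/cisco come from the SW3 configuration;
identifier and Request Authenticator values are assumed for the demo.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def get_attr(packet, attr_type):
    """Return the first attribute of the given type, or None (RFC 2865 TLV walk)."""
    i = 20
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2:
            break
        if t == attr_type:
            return packet[i + 2:i + length]
        i += length
    return None


def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def decrypt_user_password(ciphertext, secret, request_auth):
    """Inverse of encrypt_user_password; only the holder of the secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], pad))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """What the NAS sends. The Request Authenticator must be unpredictable per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, identifier, 20 + len(attrs))
                       + request_auth + attrs + secret).digest()


def server_reply(request, secret, users):
    """What the server does: decrypt the password with ITS copy of the secret and decide."""
    username = get_attr(request, ATTR_USER_NAME)
    password = decrypt_user_password(get_attr(request, ATTR_USER_PASSWORD), secret, request[4:20])
    code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    attrs = b""
    auth = response_authenticator(code, request[1], attrs, request[4:20], secret)
    return struct.pack("!BBH", code, request[1], 20 + len(attrs)) + auth + attrs


def verify_reply(request, reply, secret):
    """What the NAS must check before trusting a reply: identifier, length and the
    Response Authenticator recomputed over the Request Authenticator it sent.
    Returns the reply code when the check passes, None otherwise."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if identifier != request[1] or length != len(reply):
        return None
    expected = response_authenticator(code, identifier, reply[20:], request[4:20], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None


if __name__ == "__main__":
    SECRET = b"cisco"
    req = build_access_request(7, b"1xuser", b"cisco", SECRET, "50.50.4.9")
    rep = server_reply(req, SECRET, {b"1xuser": b"cisco"})
    print(verify_reply(req, rep, SECRET) == ACCESS_ACCEPT)          # True
    forged = server_reply(req, b"guessed", {b"1xuser": b"cisco"})   # wrong secret on the "server"
    print(verify_reply(req, forged, SECRET))                         # None: the NAS rejects the reply
```

The run with a mismatched secret shows both failure modes at once: the server decrypts the password to garbage and rejects, and the NAS discards the reply because the Response Authenticator does not verify, which is what a key mismatch between switch and ACS looks like in practice (the test aaa command above simply reports a failure). The MD5-based constructions are what RFC 2865 specifies; they are not a modern MAC, which is one reason the RADIUS exchange is normally kept on a management VLAN or inside IPsec.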
Section 6:
Task 6.1
4 Points
Section 7: Advanced Security
Task 7.1
4 Points
Allow the EBGP neighbors between BB1 and BB2. Add BGP
authentication between BB1 and BB2 using the password of
cisco. Verify the BGP sourced routes appear on routers 1-5,
7, and 8.
ASA1/c1/act(config)# static (outside,inside) 11.11.2.11 11.11.2.11 netmask 255.255.255.255 norandomseq
ASA1/c1/act(config)# access-list outside permit tcp host 11.11.2.11 host 11.11.9.11 eq bgp
BB2#show ip bgp summary
BGP router identifier 11.11.9.11, local AS number 2
BGP table version is 16, main routing table version 16
15 network entries using 1800 bytes of memory
15 path entries using 780 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2852 total bytes of memory
BGP activity 75/60 prefixes, 90/75 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  (remaining columns cut)
11.11.2.11      4     1     469     465       16
ASA1/c1/act(config-cmap)# exit
ASA1/c1/act(config)# policy-map global_policy
ASA1/c1/act(config-pmap)# class MORE_BGP
ASA1/c1/act(config-pmap-c)# set connection random-sequence-number disable
ASA1/c1/act(config-pmap-c)# set connection advanced-options OPTION_19
ASA1/c1/act(config-pmap-c)# exit
ASA1/c1/act(config-pmap)# class BGP_TRAFFIC
ASA1/c1/act(config-pmap-c)# set connection random-sequence-number disable
ASA1/c1/act(config-pmap-c)# set connection advanced-options OPTION_19
ASA1/c1/act(config-pmap-c)# exit
BB2#show ip bgp summary (neighbor line after the change; remaining columns cut)
V    AS MsgRcvd MsgSent   TblVer
4     1     484     483       46
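Why Task 7.1 needs both the norandomseq / random-sequence-number disable setting and a tcp-map that lets option 19 through: the BGP MD5 signature of RFC 2385 is computed over the TCP pseudo-header, the fixed TCP header including the sequence number, the segment data and the password. A firewall that rewrites the sequence number, or strips an option it does not know, makes every segment fail verification at the far end and the session never comes up. The following Python is an added example, not code from the workbook or from Cisco; it uses the BB1/BB2 addresses and the password cisco from the task, while the source port and sequence numbers are invented for the demonstration.

```python
"""RFC 2385 TCP MD5 signature (TCP option 19) on a constructed BGP segment.

Added example, not code from the workbook or from Cisco. The addresses,
port and password follow Task 7.1 (BB1 11.11.2.11, BB2 11.11.9.11,
password cisco); the source port and sequence numbers are invented.
"""
import hashlib
import hmac
import socket
import struct

TCP_MD5_OPT_KIND = 19   # the option the ASA must pass untouched (Task 7.1's OPTION_19 tcp-map)
TCP_MD5_OPT_LEN = 18    # kind(1) + length(1) + 16-byte digest
BGP_PORT = 179
SYN = 0x02


def _pseudo_header(src_ip, dst_ip, seg_len):
    # IPv4 pseudo-header: source, destination, zero, protocol 6, TCP segment length
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, options, payload, password):
    """RFC 2385 section 2: MD5 over the pseudo-header, the 20-byte TCP header with
    its checksum zeroed (options are excluded), the segment data, then the password."""
    seg_len = len(fixed_hdr) + len(options) + len(payload)
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    return hashlib.md5(_pseudo_header(src_ip, dst_ip, seg_len)
                       + hdr + payload + password).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, password):
    """TCP segment with a valid option-19 signature; two NOPs pad the 18-byte option
    to a 4-byte boundary, as real stacks do."""
    opt_prefix = b"\x01\x01" + bytes([TCP_MD5_OPT_KIND, TCP_MD5_OPT_LEN])
    data_offset = (20 + len(opt_prefix) + 16) // 4
    fixed_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                            data_offset << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed_hdr,
                            opt_prefix + b"\x00" * 16, payload, password)
    return fixed_hdr + opt_prefix + digest + payload


def verify_signed_segment(src_ip, dst_ip, segment, password):
    """What the receiving BGP speaker does: locate option 19, recompute, compare."""
    data_offset = (segment[12] >> 4) * 4
    fixed_hdr, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    received, i = None, 0
    while i + 1 < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        length = options[i + 1]
        if length < 2:
            break
        if kind == TCP_MD5_OPT_KIND and length == TCP_MD5_OPT_LEN:
            received = options[i + 2:i + TCP_MD5_OPT_LEN]
            break
        i += length
    if received is None or len(received) != 16:   # unsigned segment: RFC 2385 says drop it
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, options, payload, password)
    return hmac.compare_digest(received, expected)


def rewrite_seq(segment, new_seq):
    """Model what ASA sequence-number randomization does to a segment in flight."""
    return segment[:4] + struct.pack("!I", new_seq) + segment[8:]


if __name__ == "__main__":
    syn = build_signed_segment("11.11.2.11", "11.11.9.11", 40000, BGP_PORT,
                               0x1234ABCD, 0, SYN, b"", b"cisco")
    print(verify_signed_segment("11.11.2.11", "11.11.9.11", syn, b"cisco"))                          # True
    print(verify_signed_segment("11.11.2.11", "11.11.9.11", rewrite_seq(syn, 0x0BAD5EED), b"cisco"))  # False
    print(verify_signed_segment("11.11.2.11", "11.11.9.11", syn, b"wrong"))                          # False
```

The second call is the failure the ASA settings prevent: the digest was computed by BB1 over its own sequence number, so a segment whose sequence number was rewritten in transit verifies as if it had been forged. The same check also shows why the option itself must reach the far end; without it the receiver has nothing to compare and, per RFC 2385, drops the segment.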
Prevent the ACS PC from being able to telnet to R6. Stop this traffic before
it reaches R6. Do not assign an access list to any interface on the switch as
part of your solution for this task.
Reply from 192.168.0.6: bytes=32 time=2ms TTL=255
Reply from 192.168.0.6: bytes=32 time=1ms TTL=255
Reply from 192.168.0.6: bytes=32 time=1ms TTL=255
Reply from 192.168.0.6: bytes=32 time=1ms TTL=255
R3#telnet 4.4.4.4
Trying 4.4.4.4 ... Open
R4#exit
[Connection to 4.4.4.4 closed by foreign host]
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip local policy route-map NO_OUTBOUND_TELNET
R3(config)#ip access-list extended NO_OUTBOUND_TELNET
R3(config-ext-nacl)#permit tcp any any eq telnet log
R3(config-ext-nacl)#exit
R3(config)#route-map NO_OUTBOUND_TELNET permit 10
R3(config-route-map)#match ip address NO_OUTBOUND_TELNET
R3(config-route-map)#set interface Null0
R3(config-route-map)#exit
R3(config)#exit
R3#telnet
Apr 29 23:53:07.192: %SYS-5-CONFIG_I: Configured from console by console
R3#telnet 4.4.4.4
Trying 4.4.4.4 ...
Apr 29 23:53:09.932: %SEC-6-IPACCESSLOGP: list NO_OUTBOUND_TELNET permitted tcp 50.50.235.3(23533) -> 4.4.4.4(23), 1 packet
% Connection timed out; remote host not responding
Note that the log entry says "permitted": the ACL only selects traffic for the route-map, and the drop comes from set interface Null0, so the router-originated telnet never leaves R3.
SW4#show port-security
00:08:25: %SYS-5-CONFIG_I: Configured from console by console
SW4#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
      Fa0/23            1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6272
SW4#

fa0/1, fa0/4:
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
Task 7.2
4 Points
  IP TTL modified      : 0
  Window varied resets : 0
  TCP-options:
    Selective ACK cleared: 0
    Timestamp cleared    : 0
    Window scale cleared : 0
    Other options cleared: 0
    Other options drops  : 0
ASA1/c2/act(config)#
4 Points
R3#
Apr 30 16:02:18.213: %SEC-6-IPACCESSLOGP: list 123 denied tcp 50.50.7.2(0) -> 8.8.8.8(0), 1 packet
R3#
R3#show policy-map interface Fa0/0
FastEthernet0/0
Service-policy input: PMAP_MARK_INBOUND
Class-map: CMAP_HTTP_URL (match-any)
5 packets, 804 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*default.ida*"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*ScoobySnack.exe*"
5 packets, 804 bytes
5 minute rate 0 bps
Match: protocol http url "*root.exe*"
0 packets, 0 bytes
Task 8.2
4 Points
LAB 2
Instructions
Verify that all configurations have been cleared before you load initial configurations onto the lab routers, backbone routers and switches. There are no initial configurations for the ASA and IPS. You will be required to configure these devices in the practice lab, just as you will be required to do so in the actual lab exam. ASDM and SDM are not available in the actual lab exam.

The ACS workstation is used in this lab as the candidate PC as well as the ACS server. The IP address of the ACS cannot be changed.

There is a test PC available in the practice labs as well as the actual lab. The IP address of the rack interface test PC may be changed through the desktop application. For both PCs, you may add/remove static routes for connectivity as described in the LAB. Do not change the default route on the ACS or the test PC, as you may lose connectivity.

Always remember to Apply changes and Save your configs often!

Unless otherwise specified, use only the existing networks within your lab. Additional networks, static and/or default routes may not be configured unless specified in a task.

When creating passwords, use cisco unless indicated otherwise in a specific task. Refer to the Remote Rack Access FAQ PDF for cabling, ACS and IPS access and other commonly asked questions. The document is located here: http://www.ccbootcamp.com/download
Sections:
1. ASA Firewalls
2. IOS Firewalls
3. VPNs
4. IPS
5. Identity Management
6. Control/Management Plane Security
7. Advanced Security
8. Network Attack Mitigation
[Lab 2 topology diagram; the image did not survive extraction. Labels that appear on it:]
Devices: ACS PC (.101), R1, R2 (.252), R3, R4, R5, R6, R7, R8, BB1 (.99), BB2, SW1 (.11), SW2 (.11), IPS C&C (.50),
ASA1 with Inside, DMZ1, DMZ2 and Outside on E0/0 sub-interfaces (E0/0.v), ASA2 contexts C1 and C2, each with Inside and Outside on E0/0 sub-interfaces.
Segments: VLAN 168 192.168.2.0; VLAN 77 172.16.77.0; VLAN 99 172.16.99.0; VLAN 44 172.16.44.0; VLAN 22 24.234.22.0;
VLAN 252 24.234.252.0; Frame Relay 24.234.100.0; VLAN 111 24.234.111.0; VLAN 121 24.234.121.0; VLAN 222 24.234.222.0;
VLAN 88 172.16.88.0; VLAN 55 172.16.55.0.
Routing domains: OSPF Area 0, EIGRP 1.
Lab 2 cabling (table rebuilt from the flattened extraction)

Device  Interface  Connected to     Device  Interface  Connected to
R1      Fa0/0      SW1 Fa0/1        R1      Fa0/1      SW2 Fa0/1
R2      Fa0/0      SW1 Fa0/2        R2      Fa0/1      SW2 Fa0/2
R3      Fa0/0      SW1 Fa0/3        R3      Fa0/1      SW2 Fa0/3
R4      Fa0/0      SW1 Fa0/4        R4      Fa0/1      SW2 Fa0/4
R5      Fa0/0      SW1 Fa0/5        R5      Fa0/1      SW2 Fa0/5
R6      Fa0/0      SW1 Fa0/6        R6      Fa0/1      SW2 Fa0/6
BB1     Fa0/0      SW1 Fa0/9        BB1     Fa0/1      SW2 Fa0/9
BB2     Fa0/0      SW1 Fa0/10       BB2     Fa0/1      SW2 Fa0/10

ASA01, ASA02 and the IDS (Gi0/0: sense, Gi0/1: c&c): E0/0 through E0/3 of the two ASAs and the IDS ports
are cabled to SW1 Fa0/12, Fa0/14, Fa0/17, Fa0/18, Fa0/23 and SW2 Fa0/12, Fa0/14, Fa0/17, Fa0/18, Fa0/23;
the per-port pairing did not survive extraction.

Switch-to-switch links: SW1 Fas0/19 - SW2 Fas0/19, SW1 Fas0/20 - SW2 Fas0/20,
                        SW3 Fas0/19 - SW4 Fas0/19, SW3 Fas0/20 - SW4 Fas0/20

Sensor Int.   Connected to:
G0/0          SW1 Fa0/14
Fa1/0         SW3 Fa0/4
Fa1/1         SW3 Fa0/3
Fa1/2         SW3 Fa0/2
Fa1/3         SW3 Fa0/1

R7 (2811): Fas0/0 - SW3 Fas0/17, Fas0/1 - SW4 Fas0/17
R8 (2811): Fas0/0 - SW3 Fas0/18, Fas0/1 - SW4 Fas0/18
ACS PC (192.168.2.101): SW1 Fa0/24
Section 1: ASA Firewalls
Task 1.1
4 Points
Interface   VLAN
E0/0.168    168
E0/0.22     22
E0/0.77     77
E0/0.44     44
Task 1.2
4 Points
Context  Name     Interface  Sec Level  IP Address          VLAN
c1       Inside   E0/0.88    Default    172.16.88.200/24    88
c1       Outside  E0/0.111   Default    24.234.111.200/24   111
c2       Inside   E0/0.55    Default    172.16.55.200/24    55
c2       Outside  E0/0.222   Default    24.234.222.200/24   222
Task 1.3
4 Points
4 Points
4 Points
Section 2: IOS Firewalls
Task 2.1
4 Points
Permit:           TCP, UDP, ICMP
Outside->Inside:  ICMP, Telnet
Limits:           Max TCP embryonic connections per host: 100
                  Max sessions: 200
                  One minute high: 100
                  One minute low: 50
                  Telnet timeout: 1 min
                  ICMP rate limited to 8000 bps, burst 2000
Section 3: VPNs
Task 3.1
4 Points
4 Points
4 Points
Section 4: IPS

IP address      Gateway         Managed by      Mgmt. SSL port
172.16.77.50    172.16.77.100   172.16.77.101   10443

Task 4.2
4 Points
4 Points
Task 4.4
4 Points
Section 5: Identity Management
Task 5.1
4 Points
4 Points
4 Points
Section 6:
Task 6.1
4 Points
4 Points
4 Points
Section 7: Advanced Security
Task 7.1
4 Points
4 Points
4 Points
Section 8:
Task 8.1
4 Points
4 Points
4 Points
Section 1: ASA Firewalls
Task 1.1
4 Points
Interface   VLAN
E0/0.168    168
E0/0.22     22
E0/0.77     77
E0/0.44     44
ASA1(config-subif)# security-level 50
ASA1(config-subif)# int e0/0.44
ASA1(config-subif)# vlan 44
ASA1(config-subif)# nameif DMZ2
INFO: Security level for "DMZ2" set to 0 by default.
ASA1(config-subif)# security-level 50
ASA1(config-subif)# ip address 172.16.44.100 255.255.255.0
ASA1(config-subif)# int e0/0
ASA1(config-if)# no shut
ASA1(config-if)# router eigrp 1
ASA1(config-router)# no auto-summary
ASA1(config-router)# network 24.234.22.0 255.255.255.0
ASA1(config-router)# router ospf 1
ASA1(config-router)# network 172.16.44.0 255.255.255.0 area 0
ASA1(config-router)# default-information originate always
ASA1(config-router)# router eigrp 1
ASA1(config-router)# default-metric 100 100 255 255 1500
ASA1(config-router)# redistribute ospf 1
ASA1(config-router)# policy-map global_policy
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# inspect icmp
Verification:
R2#sho ip route (Codes cut)
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 4 subnets
D EX    172.16.55.0 [170/2172416] via 24.234.100.6, 01:21:29, Serial0/0/0
D EX    172.16.44.0 [170/25628160] via 24.234.22.100, 01:09:07, FastEthernet0/0.22
D EX    172.16.99.0 [170/25628160] via 24.234.22.100, 01:08:52, FastEthernet0/0.22
D EX    172.16.88.0 [170/2172416] via 24.234.100.6, 01:21:29, Serial0/0/0
     24.0.0.0/24 is subnetted, 6 subnets
C       24.234.252.0 is directly connected, FastEthernet0/0.252
D       24.234.222.0 [90/2172416] via 24.234.100.6, 01:21:31, Serial0/0/0
D       24.234.121.0 [90/2172416] via 24.234.100.3, 01:21:31, Serial0/0/0
C       24.234.100.0 is directly connected, Serial0/0/0
D       24.234.111.0 [90/2172416] via 24.234.100.6, 01:21:31, Serial0/0/0
C       24.234.22.0 is directly connected, FastEthernet0/0.22
S    192.168.2.0/24 [1/0] via 24.234.22.100
R1#ping 24.234.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.6, timeout is 2 seconds:
.!!!!
Task 1.2
4 Points
Context  Name     Interface  Sec Level  IP Address          VLAN
c1       Inside   E0/0.88    Default    172.16.88.200/24    88
c1       Outside  E0/0.111   Default    24.234.111.200/24   111
c2       Inside   E0/0.55    Default    172.16.55.200/24    55
c2       Outside  E0/0.222   Default    24.234.222.200/24   222
ASA2/c2(config-pmap)# class inspection_default
ASA2/c2(config-pmap-c)# inspect icmp
Verification:
R8#ping 24.234.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms
R8#ping 24.234.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
R8#ping 24.234.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
R8#ping 24.234.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#ping 24.234.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms
R5#ping 24.234.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
R5#ping 24.234.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Task 1.3
4 Points
Verification:
NAT policies on Interface Inside:
match ip Inside host 192.168.2.101 Outside any
static translation to 24.234.22.101
translate_hits = 0, untranslate_hits = 0
match ip Inside host 192.168.2.101 DMZ2 any
static translation to 172.16.44.101
translate_hits = 0, untranslate_hits = 0
R7#telnet 24.234.22.2
Trying 24.234.22.2 ... Open
R1#telnet 24.234.22.2
Trying 24.234.22.2 ... Open
Task 1.4
4 Points
Verification:
ASA1# sho service-policy global (inspection_default cut)
Class-map: TELNET
Set connection policy: embryonic-conn-max 50
current embryonic conns 0, drop 0
R2(config)#ip http server
Task 1.5
4 Points
Current(eps) Trigger
0
Total
Section 2: IOS Firewalls
Task 2.1
4 Points
Permit:           TCP, UDP, ICMP
Outside->Inside:  ICMP, Telnet
Limits:           Max TCP embryonic connections per host: 100
                  Max sessions: 200
                  One minute high: 100
                  One minute low: 50
                  Telnet timeout: 1 min
                  ICMP rate limited to 8000 bps, burst 2000
Verification:
BB1#ping 24.234.22.2 repeat 50
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!
Success rate is 90 percent (45/50), round-trip min/avg/max = 1/2/4 ms
Section 3: VPNs
Task 3.1
4 Points
R8#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R8(config)#clock timezone PST -8
R8(config)#ntp master
R8(config)#ntp authentication-key 1 md5 cisco
R8(config)#ntp trusted-key 1
R8(config)#ntp authenticate
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ntp authentication-key 1 md5 cisco
R2(config)#ntp trusted-key 1
R2(config)#ntp authenticate
R2(config)#ntp server 172.16.88.8
R2(config)#clock timezone PST -8
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp authentication-key 1 md5 cisco
R3(config)#ntp trusted-key 1
R3(config)#ntp authenticate
R3(config)#ntp server 172.16.88.8
R3(config)#clock timezone PST -8
ASA2/c1# conf t
ASA2/c1(config)# access-list R8_R2_R3 permit ip host 172.16.88.8 host 24.234.100.2
ASA2/c1(config)# access-list R8_R2_R3 permit ip host 172.16.88.8 host 24.234.100.3
ASA2/c1(config)# nat (inside) 0 access-list R8_R2_R3
ASA2/c1(config)# access-list outside permit udp host 24.234.100.2 host 172.16.88.8 eq ntp
ASA2/c1(config)# access-list outside permit udp host 24.234.100.3 host 172.16.88.8 eq ntp
ASA2/c1(config)# access-group outside in interface outside
Verification:
R2#sho ntp status
Clock is synchronized, stratum 9, reference is 172.16.88.8
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CDA48EE7.182D1CE5 (12:56:07.094 PST Thu Apr 30 2009)
clock offset is 3.4612 msec, root delay is 46.69 msec
root dispersion is 6.47 msec, peer dispersion is 2.99 msec
R3#sho ntp status
Clock is synchronized, stratum 9, reference is 172.16.88.8
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CDA48EFD.389483F0 (12:56:29.221 PST Thu Apr 30 2009)
clock offset is 3.8323 msec, root delay is 46.89 msec
root dispersion is 7.13 msec, peer dispersion is 3.27 msec
Task 3.2
4 Points
Apr 30 21:08:00.075: RSA key size needs to be atleast 768 bits for ssh
version 2
Apr 30 21:08:00.079: %SSH-5-ENABLED: SSH 1.5 has been enabled
Apr 30 21:08:00.079: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
% The subject name in the certificate will include: R3.ccbootcamp.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate CA1 verbose' commandwill show the
fingerprint.
R3(config)#
Apr 30 21:08:11.727: CRYPTO_PKI: Certificate Request Fingerprint MD5:
277B8E80 35285201 492FB093 2628CCCB
Apr 30 21:08:11.727: CRYPTO_PKI: Certificate Request Fingerprint SHA1:
E6D3C0B8 84227AB1 DC377070 185404C8 9902C77C
Apr 30 21:08:16.280: %PKI-6-CERTRET: Certificate received from Certificate
Authority
R8(config)#crypto pki trustpoint CA_SELF
R8(ca-trustpoint)#enrollment url http://172.16.88.8:80
R8(ca-trustpoint)#exit
R8(config)#crypto pki authenticate CA_SELF
Certificate has the following attributes:
Fingerprint MD5: B9E03DB9 AF64E9D1 95DF3626 4E3C4AF9
Fingerprint SHA1: E10732F4 F28DC5A1 AD28EBA5 335C02E7 75B957A3
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
R8(config)#crypto pki enroll CA_SELF
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: R8.ccbootcamp.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate CA_SELF verbose' commandwill show the
fingerprint.
R8(config)#
Apr 30 21:09:18.863: CRYPTO_PKI: Certificate Request Fingerprint MD5:
20D43D3E B7C72560 AAE2FE9D C7F33E9D
Task 3.3
4 Points
Verification:
R8#sho crypto gdoi
GROUP INFORMATION
    Group Name               : GET (Unicast)
    Group Identity           : 1
    Group Members            : 2
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Group Rekey Lifetime     : 1800 secs
    Group Rekey
       Remaining Lifetime    : 1693 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
       Remaining Lifetime    : 0 secs
    IPSec SA Number          : 1
    IPSec SA Rekey Lifetime  : 3600 secs
    Profile Name             : GET
    Replay method            : Count Based
    Replay Window Size       : 64
    SA Rekey
       Remaining Lifetime    : 3494 secs
    ACL Configured           : access-list 101
    Group Server list        : Local
BB2#ping 24.234.121.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.121.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/85/88 ms
Section 4: IPS

IP address      Gateway         Managed by      Mgmt. SSL port
172.16.77.50    172.16.77.100   172.16.77.101   10443
Verify that you can connect to and manage the IPS from the ACS server. You
are allowed to make necessary changes to ASA1 and add a route to the ACS
server to accomplish this.
IPS# setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
(output cut)
Continue with configuration dialog?[yes]:
Enter host name[IPS]:
Enter IP interface[192.168.2.100/24,192.168.2.101]:
172.16.77.50/24,172.16.77.100
Enter telnet-server status[disabled]:
Enter web-server port[443]: 10443
Modify current access list?[no]: yes
Current access list entries:
No entries
Permit: 172.16.77.101/32
Permit:
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:
The following configuration was entered.
(output cut)
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Enter your selection[2]: 2
Configuration Saved.
*15:35:21 UTC Thu Apr 30 2009
Modify system date and time?[no]:
IPS#
Verification:
Task 4.2
4 Points
Verification:
R5#ping 24.234.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
Task 4.3
4 Points
Verification:
R5#ping 24.234.222.6 size 10000
Type escape sequence to abort.
Sending 5, 10000-byte ICMP Echos to 24.234.222.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/16/24 ms
Task 4.4
4 Points
Verification:
R5#ping 24.234.222.6 size 10000
Type escape sequence to abort.
Sending 5, 10000-byte ICMP Echos to 24.234.222.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Only the previous virus.exe alert is shown. No sig fired for the R7 traffic.
Section 5:
Task 5.1
Identity Management
4 Points
Verification:
Task 5.2
4 Points
Verification:
R6#ping 24.234.111.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.111.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6#telnet 24.234.111.250
Trying 24.234.111.250 ... Open
LOGIN Authentication
Username: r8user
Password:
Authentication Successful
Task 5.3
4 Points
Verification:
SW4#sho dot1x interface fastEthernet 0/16
Dot1x Info for FastEthernet0/16
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
QuietPeriod               = 60
ServerTimeout             = 0
SuppTimeout               = 30
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
Section 6:
Task 6.1
4 Points
Verification:
R2#sho policy-map type queue-threshold control-plane host
Control Plane Host
Service-policy queue-threshold input: FTP
Class-map: FTP (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol ftp
queue-limit 50
queue-count 0
packets allowed/dropped 0/0
R3#telnet 24.234.100.2
Trying 24.234.100.2 ... Open
Username: authp
Password:
R2>
BB2#telnet 24.234.252.2
Trying 24.234.252.2 ...
% Connection timed out; remote host not responding
Task 6.2
4 Points
Verification:
SW1#telnet 24.234.100.6
Trying 24.234.100.6 ... Open
Queueing
Output Queue: Conversation 265
Bandwidth 25 (%)
Bandwidth 386 (kbps)Max Threshold 64 (packets)
(pkts matched/bytes matched) 0/0
(depth/total drops/no-buffer drops) 0/0/0
Class-map: class-default (match-any)
39 packets, 1304 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Task 6.3
4 Points
Verification:
R3(config)#ip http server
R2#copy http://24.234.100.3/www.virus.com null:
%Error opening http://24.234.100.3/www.virus.com (I/O error)
R3#sho policy-map int
R3#sho policy-map interface s0/0/0
Serial0/0/0
Service-policy input: HTTP
Class-map: HTTP (match-any)
7 packets, 1118 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "www.virus.com"
7 packets, 1118 bytes
5 minute rate 0 bps
drop
Section 7:
Task 7.1
Advanced Security
4 Points
Verification:
R2#ping
Protocol [ip]:
Target IP address: 24.234.252.252
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 24.234.252.2
(unnecessary commands cut)
Loose, Strict, Record, Timestamp, Verbose[none]: timestamp
Number of timestamps [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[TV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.252.252, timeout is 2 seconds:
Packet sent with a source address of 24.234.252.2
Packet has IP options: Total option bytes= 40, padded length=40
Timestamp: Type 0. Overflows: 0 length 40, ptr 5
Request 4 timed out
Success rate is 0 percent (0/5)
Task 7.2
4 Points
Verification:
BB2#sho ip route (codes cut)
Gateway of last resort is 24.234.252.2 to network 0.0.0.0
Task 7.3
4 Points
Section 8:
Task 8.1
4 Points
Verification:
R3#ping
Protocol [ip]: 24.234.22.100
% Unknown protocol - "24.234.22.100", type "ping ?" for help
R3#ping
Protocol [ip]:
Target IP address: 24.234.22.100
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 24.234.100.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: timestamp
Number of timestamps [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[TV]:
R3#ping 24.234.22.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
R3#ping 24.234.22.100 size 2000
Type escape sequence to abort.
Sending 5, 2000-byte ICMP Echos to 24.234.22.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 24.234.100.6 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.6, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)
May 1 00:33:15.576: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 24.234.100.3
-> 24.234.22.100 (0/0), 1 packet
May 1 00:35:11.837: %SEC-6-IPACCESSLOGDP: list 103 denied icmp 1.1.1.1
(FastEthernet0/0.22 0019.e8d9.6272) -> 24.234.100.6 (0/0), 1 packet
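The extended pings in Task 7.1 and Task 8.1 carry an IP timestamp option ("Total option bytes= 40", "Timestamp: Type 0. Overflows: 0 length 40, ptr 5"), and the filters in those tasks have to recognise that option in the IPv4 header to drop it. The following Python is an added example, not part of the workbook: it builds such a header, decodes the options field the way an option-aware ACL or IPS signature must, and reports the same values the ping output prints. The packet is constructed here for illustration (addresses taken from the Task 7.1 ping); the function and constant names are this example's own.

```python
import struct
import ipaddress

# IPv4 option type codes (RFC 791).  Type 68 = 0x44: copied flag 0,
# class 2 (debugging/measurement), number 4 = Internet Timestamp.
IPOPT_EOL, IPOPT_NOP, IPOPT_RR, IPOPT_TS = 0, 1, 7, 68
IPOPT_LSRR, IPOPT_SSRR = 131, 137
OPTION_NAMES = {IPOPT_NOP: "nop", IPOPT_RR: "record-route", IPOPT_TS: "timestamp",
                IPOPT_LSRR: "loose-source-route", IPOPT_SSRR: "strict-source-route"}


def build_timestamp_option(slots=9, flag=0):
    """Timestamp option as the IOS extended ping builds it for
    'Number of timestamps [9]': type 0x44, length 4 + 4*slots, pointer 5
    (first free slot), overflow/flag byte, then empty 32-bit slots.
    flag 0 = timestamps only; 9 slots give the 40-byte maximum."""
    length = 4 + 4 * slots
    if length > 40:
        raise ValueError("options field is at most 40 bytes")
    return bytes([IPOPT_TS, length, 5, flag & 0x0F]) + b"\x00" * (4 * slots)


def build_ipv4_header(src, dst, options=b"", proto=1, payload_len=100):
    """Minimal IPv4 header (checksum left 0) with options padded to 4 bytes."""
    options = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                        0, 0, 64, proto, 0,
                        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return fixed + options


def option_bytes(packet):
    """'Total option bytes' as the ping output reports it: IHL*4 - 20."""
    return (packet[0] & 0x0F) * 4 - 20


def parse_options(packet):
    """Walk the options field and return one dict per option.  Raises on
    malformed lengths, which is itself a condition worth alerting on."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, i, out = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            out.append({"type": kind, "name": "nop", "length": 1})
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d" % length)
        entry = {"type": kind, "name": OPTION_NAMES.get(kind, "unknown"), "length": length}
        if kind == IPOPT_TS and length >= 4:
            entry["pointer"] = opts[i + 2]       # 5 = first slot still empty
            entry["overflow"] = opts[i + 3] >> 4  # hops that could not record
            entry["flag"] = opts[i + 3] & 0x0F    # 0 = timestamps only
        out.append(entry)
        i += length
    return out


def matches_option(packet, name):
    """The decision an option-aware filter makes: does this packet carry
    the named option (for example 'timestamp' or 'record-route')?"""
    return any(o["name"] == name for o in parse_options(packet))


# Constructed packets mirroring the page's extended ping: one with the
# timestamp option (40 option bytes, pointer 5, overflow 0) and one without.
SAMPLE = build_ipv4_header("24.234.252.2", "24.234.252.252", build_timestamp_option())
PLAIN = build_ipv4_header("24.234.252.2", "24.234.252.252")
```

A filter that only checks IHL > 5 catches every option-bearing packet (which is what blocking all IP options amounts to); parsing the option type is what lets you permit record-route while dropping timestamp and source-route options.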
Task 8.2
4 Points
Verification:
R1#ping 24.234.22.2 size 3000
Type escape sequence to abort.
Sending 5, 3000-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#copy http://24.234.22.2/www.bad_traffic.com null:
%Error opening http://24.234.22.2/www.bad_traffic.com (I/O error)
%ASA-6-302013: Built outbound TCP connection 9 for Outside:24.234.22.2/80
(24.234.22.2/80) to Inside:192.168.2.1/65134 (24.234.22.100/1024)
%ASA-5-304001: 192.168.2.1 Accessed URL 24.234.22.2:/www.bad_traffic.com
%ASA-6-302014: Teardown TCP connection 9 for Outside:24.234.22.2/80 to
Inside:192.168.2.1/65134 duration 0:00:00 bytes 0 Flow closed by inspection
%ASA-6-106015: Deny TCP (no connection) from 192.168.2.1/65134 to
24.234.22.2/80 flags ACK on interface Inside
Task 8.3
4 Points
SW3(config)#int fa0/12
SW3(config-if)# sw mode access
SW3(config-if)# sw port-security
SW3(config-if)# exit
SW3(config)# errdisable recovery cause psecure-violation
SW3(config)# errdisable recovery interval 30
SW3(config)#ip dhcp snooping
SW3(config)# ip dhcp snooping vlan 13
SW3(config)# int fa0/13
SW3(config-if)# ip dhcp snooping trust
SW3(config)# int fa0/15
SW3(config-if)# ip verify source
SW3(config)#int fa0/16
SW3(config-if)# sw block unicast
SW3(config-if)# sw block multicast
Verification:
SW3#sho port-security interface fa0/12
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
(show ip dhcp snooping interface table, other columns cut)
Trusted     Allow option
------      -----------
yes         yes
LAB 3
Instructions
Verify that all configurations have been cleared, before
you load initial configurations onto the lab routers,
backbone routers and switches. There are no initial
configurations for the ASA and IPS. You will be required
to configure these devices in the practice lab, just as you
will be required to do so in the actual lab exam.
ASDM is NOT available for the ASA devices in the actual lab
exam.
The ACS workstation is used in this lab as the candidate PC
as well as the ACS server. The IP address of the ACS
cannot be changed.
There is a test pc available in the practice labs as well
as the actual lab. The IP address of the rack interface
test PC may be changed through the desktop application. For
both PCs, you may add/remove static routes for connectivity
as described in the LAB.
Do not change the default route
on the ACS or the test PC, as you may lose connectivity.
Always remember to Apply changes and Save your configs
often!
Unless otherwise specified, use only the existing networks
within your lab. Additional networks, static and/or
default routes, may not be configured unless specified in a
task.
When creating passwords, use cisco unless indicated
otherwise in a specific task. Refer to the Remote Rack
Access FAQ PDF for cabling, ACS and IPS Access and other
commonly asked questions. The document is located here:
http://www.ccbootcamp.com/download
Sections:
1.ASA Firewalls
2.IOS Firewalls
3.VPNs
4.IPS
5.Identity Management
6.Control/Management Plane Security
7.Advanced Security
8.Network Attack Mitigation
Lab 3 cabling (reconstructed from the flattened topology diagram):

Device      Interface      Connected to
R1          Fa0/0          SW1 Fa0/1
R1          Fa0/1          SW2 Fa0/1
R2          Fa0/0          SW1 Fa0/2
R2          Fa0/1          SW2 Fa0/2
R3          Fa0/0          SW1 Fa0/3
R3          Fa0/1          SW2 Fa0/3
R4          Fa0/0          SW1 Fa0/4
R4          Fa0/1          SW2 Fa0/4
R5          Fa0/0          SW1 Fa0/5
R5          Fa0/1          SW2 Fa0/5
R6          Fa0/0          SW1 Fa0/6
R6          Fa0/1          SW2 Fa0/6
BB1         Fa0/0          SW1 Fa0/9
BB1         Fa0/1          SW2 Fa0/9
BB2         Fa0/0          SW1 Fa0/10
BB2         Fa0/1          SW2 Fa0/10
ASA01       E0/0           SW1 Fa0/12
ASA01       E0/1           SW1 Fa0/17
ASA01       E0/2           SW2 Fa0/12
ASA01       E0/3           SW2 Fa0/17
ASA02       E0/0           SW1 Fa0/18
ASA02       E0/1           SW1 Fa0/23
ASA02       E0/2           SW2 Fa0/18
ASA02       E0/3           SW2 Fa0/23
IDS         Gi0/0 (sense)  SW1 Fa0/14
IDS         Gi0/1 (c&c)    SW2 Fa0/14
SW1         Fas0/19        SW2 Fas0/19
SW1         Fas0/20        SW2 Fas0/20
SW3         Fas0/19        SW4 Fas0/19
SW3         Fas0/20        SW4 Fas0/20
R7 (2811)   Fas0/0         SW3 Fas0/17
R7 (2811)   Fas0/1         SW4 Fas0/17
R8 (2811)   Fas0/0         SW3 Fas0/18
R8 (2811)   Fas0/1         SW4 Fas0/18
ACS PC (192.168.2.101)     SW1 Fa0/24

Sensor Int.  Connected to:
G0/0         SW1 Fa0/14
Fa1/0        SW3 Fa0/4
Fa1/1        SW3 Fa0/3
Fa1/2        SW3 Fa0/2
Fa1/3        SW3 Fa0/1
Section 1:
Task 1.1
ASA Firewalls
4 Points

Device Name  Real Int.  Mapped Int.  Real IP:TCP PORT #  Mapped IP:TCP PORT #
c1           E0/1       E0/0         50.50.4.15:4321     50.50.4.25:1234
c1           E0/1       E0/0         50.50.4.0/24        50.50.4.75
ASA2         E0/1       E0/0.4       192.168.2.101       50.50.4.101
ASA2         E0/1       E0/0.4       6.6.6.6             50.50.4.6
Task 1.2
4 Points
Task 1.3
4 Points
Task 1.4
4 Points
Section 2:
Task 2.1
IOS Firewalls
4 Points
Task 2.2
4 Points
Task 2.3
4 Points
Task 2.4
4 Points
Section 3:
Task 3.1
VPNs
4 Points
Task 3.2
4 Points
Task 3.3
4 Points
Task 3.4
4 Points
Section 4:
Task 4.1
IPS
4 Points
Task 4.2
4 Points
Task 4.3
4 Points
Task 4.4
4 Points
Section 5:
Task 5.1
Identity Management
4 Points
Task 5.2
4 Points
Task 5.3
4 Points
Section 6:
Task 6.1
4 Points
Section 7:
Task 7.1
Advanced Security
4 Points
Task 7.2
4 Points
Section 8:
Task 8.1
4 Points
Task 8.2
4 Points
Section 1:
Task 1.1
ASA Firewalls
4 Points
Device Name  Real Int.  Mapped Int.  Real IP:TCP PORT #  Mapped IP:TCP PORT #
c1           E0/1       E0/0         50.50.4.15:4321     50.50.4.25:1234
c1           E0/1       E0/0         50.50.4.0/24        50.50.4.75
ASA2         E0/1       E0/0.4       192.168.2.101       50.50.4.101
ASA2         E0/1       E0/0.4       6.6.6.6             50.50.4.6
SW1(config)#int fa 0/12
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 4
SW1(config-if)#int fa 0/17
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 2
SW1(config-if)#int fa 0/18
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#int fa 0/23
SW1(config-if)#switchport host
SW1(config-if)#switchport access vlan 3
ciscoasa(config)# hostname ASA1
ASA1(config)# interface e0/0
ASA1(config-if)# no shut
ASA1(config-if)# interface e 0/1
ASA1(config-if)# no shut
ASA1(config-if)# admin-context c1
ASA1(config)# context c1
ASA1(config-ctx)# allocate-interface e0/0
ASA1(config-ctx)# allocate-interface e0/1
ASA1(config-ctx)# config-url c1.cfg
ASA1(config-ctx)# exit
ASA1(config)# wr mem all
ASA1(config)# changeto context c1
ASA1/c1(config)# ip address 50.50.4.50 255.255.255.0
ASA1/c1(config)# interface e0/1
ASA1/c1(config-if)# nameif inside
ASA1/c1(config-if)# int e 0/0
ASA1/c1(config-if)# nameif outside
ASA1/c1(config)# static (inside,outside) tcp 50.50.4.25 1234 50.50.4.15 4321
ASA1/c1(config)# nat (inside) 1 50.50.4.0 255.255.255.0
Task 1.2
4 Points
Task 1.3
4 Points
Reset and log any FTP traffic with GET commands going
through ASA2. Use a L7 class-map type inspect as part of
your solution.
ASA2(config)# class-map type inspect ftp match-any CMAP_INS_FTP_GET
ASA2(config-cmap)# match request-command get
ASA2(config-cmap)# exit
ASA2(config)# policy-map type inspect ftp PMAP_INS_FTP_GET
ASA2(config-pmap)# parameters
ASA2(config-pmap-p)# class CMAP_INS_FTP_GET
ASA2(config-pmap-c)# reset log
ASA2(config-pmap-c)# exit
ASA2(config-pmap)# exit
ASA2(config)# policy-map global_policy
ASA2(config-pmap)# class inspection_default
ASA2(config-pmap-c)# no inspect ftp
ASA2(config-pmap-c)# inspect ftp strict PMAP_INS_FTP_GET
ASA2(config-pmap-c)# exit
ASA2(config-pmap)# exit
R4#dir
Directory of flash:/
    1  -rw-    52990552   Sep 4 2008 09:45:04 +00:00  c2800nmadventerprisek9-mz.124-15.T7.bin
    2  -rw-        1038  Nov 11 2008 23:32:52 +00:00  home.shtml
256471040 bytes total (192409600 bytes free)
R4#copy home.shtml ftp
Address or name of remote host []? 50.50.4.101
Destination filename [home.shtml]?
Writing home.shtml !
1038 bytes copied in 0.956 secs (1086 bytes/sec)
R4#copy ftp flash
Address or name of remote host []? 50.50.4.101
Source filename []? home.shtml
Destination filename [home.shtml]? test.txt
Accessing ftp://50.50.4.101/home.shtml...
%Error opening ftp://50.50.4.101/home.shtml (Protocol error)
R4#
NOTE: On ASA2...
%ASA-5-303005: Strict FTP inspection matched Class 21: CMAP_INS_FTP_GET in
policy-map PMAP_INS_FTP_GET, Reset connection from outside:50.50.4.4/20780 to
inside:192.168.2.101/21
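The verification above, and the Task 8.2 verification earlier on this page, rely on reading ASA syslog by eye: a 302013 build, a 304001 URL access, a 302014 teardown with "Flow closed by inspection", a 106015 deny for the stray ACK, and here a 303005 strict-FTP reset. The following Python is an added example, not part of the workbook: it parses those message types into records and joins build and teardown by connection id so that inspection-closed flows, and the URL the client asked for, come out as one event. The sample lines are the ones printed on this page, copied into a constructed list with the line wraps removed; the record field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed from the verification output on this page (wrapped lines joined).
SAMPLE_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 9 for Outside:24.234.22.2/80 "
    "(24.234.22.2/80) to Inside:192.168.2.1/65134 (24.234.22.100/1024)",
    "%ASA-5-304001: 192.168.2.1 Accessed URL 24.234.22.2:/www.bad_traffic.com",
    "%ASA-6-302014: Teardown TCP connection 9 for Outside:24.234.22.2/80 to "
    "Inside:192.168.2.1/65134 duration 0:00:00 bytes 0 Flow closed by inspection",
    "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.1/65134 to "
    "24.234.22.2/80 flags ACK on interface Inside",
    "%ASA-5-303005: Strict FTP inspection matched Class 21: CMAP_INS_FTP_GET in "
    "policy-map PMAP_INS_FTP_GET, Reset connection from outside:50.50.4.4/20780 "
    "to inside:192.168.2.101/21",
]

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)")
BUILT = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"(?P<if1>\w+):(?P<a1>[\d.]+)/(?P<p1>\d+) \([\d.]+/\d+\) to "
    r"(?P<if2>\w+):(?P<a2>[\d.]+)/(?P<p2>\d+) \((?P<nat2>[\d.]+)/(?P<natp2>\d+)\)")
TEARDOWN = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+) for .* duration "
    r"(?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)")
URL = re.compile(r"(?P<client>[\d.]+) Accessed URL (?P<server>[\d.]+):(?P<url>\S+)")
FTP_RESET = re.compile(
    r"Strict FTP inspection matched Class \d+: (?P<cmap>\S+) in policy-map "
    r"(?P<pmap>\S+), Reset connection from (?P<if1>\w+):(?P<a1>[\d.]+)/(?P<p1>\d+) "
    r"to (?P<if2>\w+):(?P<a2>[\d.]+)/(?P<p2>\d+)")
PARSERS = {"302013": (BUILT, "built"), "302014": (TEARDOWN, "teardown"),
           "304001": (URL, "url"), "303005": (FTP_RESET, "ftp_reset")}


def parse_line(line):
    """One syslog line -> dict with severity, message id, event type and fields.
    Returns None for lines that are not ASA syslog at all."""
    h = HEADER.match(line)
    if h is None:
        return None
    rec = {"severity": int(h["sev"]), "id": h["id"]}
    pattern, event = PARSERS.get(rec["id"], (None, "other"))
    m = pattern.match(h["msg"]) if pattern else None
    if m is None:
        rec["event"] = event if pattern is None else "unparsed"
        rec["text"] = h["msg"]
    else:
        rec.update(m.groupdict())
        rec["event"] = event
    return rec


def inspection_closures(lines):
    """Join 302013 with the 302014 carrying the same connection id and return
    the flows inspection closed, with any URL (304001) seen from that client."""
    built, urls, closed = {}, defaultdict(list), []
    for rec in filter(None, map(parse_line, lines)):
        if rec["event"] == "built":
            built[rec["conn"]] = rec
        elif rec["event"] == "url":
            urls[rec["client"]].append(rec["url"])
        elif rec["event"] == "teardown" and "inspection" in rec["reason"]:
            b = built.get(rec["conn"], {})
            closed.append({"conn": rec["conn"], "client": b.get("a2"),
                           "server": b.get("a1"), "urls": urls.get(b.get("a2"), []),
                           "reason": rec["reason"]})
    return closed


def ftp_resets(lines):
    """Every strict-FTP reset, with the class map and policy map that fired."""
    return [r for r in filter(None, map(parse_line, lines)) if r["event"] == "ftp_reset"]
```

The 106015 that follows an inspection teardown is expected noise (the client's ACK arrives after the ASA has already dropped the connection); correlating on the connection id keeps it from being raised as a separate finding.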
Task 1.4
4 Points
Section 2:
Task 2.1
IOS Firewalls
4 Points
R3(config-if)#exit
R3(config)#interface Serial 0/0/0
R3(config-if)#zone-member security inside
R3(config-if)#exit
R3(config)#interface FastEthernet0/1
R3(config-if)#zone-member security outside
R3(config-if)#exit
R3(config)#parameter-map type inspect Param-Map-OUTBOUND
R3(config-profile)# max-incomplete low 4
R3(config-profile)# max-incomplete high 40
R3(config-profile)# audit-trail on
R3(config-profile)# exit
R3(config)# parameter-map type inspect Param-Map-INBOUND
R3(config-profile)# max-incomplete low 5
R3(config-profile)# max-incomplete high 50
R3(config-profile)# audit-trail on
R3(config-profile)# exit
R3(config)#
R3(config)#
R8#ping 2.2.2.2 repeat 20
Sending 20, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!.!!!!.!!!!.!!!!.
Success rate is 80 percent (16/20), round-trip min/avg/max = 1/1/4 ms
R8#
R3#
*May 1 05:43:37.199: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)(INBOUND:CMAP-INBOUND):Start icmp session: initiator (50.50.11.8:8) -responder (2.2.2.2:0)
R3#show policy-map type inspect zone-pair INBOUND
Zone-pair: INBOUND
Police
rate 8000 bps,1000 limit
conformed 804 packets, 97414 bytes; actions: transmit
exceeded 455 packets, 72153 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Service-policy inspect : PMAP-INBOUND
Class-map: CMAP-INBOUND (match-any)
Match: protocol icmp
6 packets, 1780 bytes
30 second rate 0 bps
Match: protocol telnet
3 packets, 72 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:3195]
icmp packets: [0:121]
Session creations since subsystem startup or last reset 9
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:1]
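The two parameter maps in this task set half-open session watermarks (max-incomplete high 40 / low 4 outbound, high 50 / low 5 inbound). The Python below is an added example, not part of the workbook: it models the documented behaviour those two numbers control, namely that once the count of half-open (embryonic) sessions reaches the high watermark the firewall deletes the oldest half-open session for each new connection request, and keeps doing so until the count falls below the low watermark, where the gap between the two values stops the mechanism flapping. The class, its method names and the event sequence are this example's own.

```python
from collections import OrderedDict


class HalfOpenWatermark:
    """Half-open session table with max-incomplete high/low behaviour."""

    def __init__(self, low, high):
        if not 0 < low <= high:
            raise ValueError("need 0 < low <= high")
        self.low, self.high = low, high
        self.half_open = OrderedDict()   # key -> True; insertion order = age
        self.aggressive = False          # True while deleting half-open sessions
        self.deleted = 0

    def _update_mode(self):
        n = len(self.half_open)
        if n >= self.high:
            self.aggressive = True       # crossed the high watermark
        elif n < self.low:
            self.aggressive = False      # dropped back below the low watermark

    def syn(self, key):
        """A new connection request (SYN seen, no handshake yet).  In
        aggressive mode the oldest half-open session is deleted to make room;
        returns the key that was deleted, or None."""
        self._update_mode()
        evicted = None
        if self.aggressive and self.half_open:
            evicted, _ = self.half_open.popitem(last=False)
            self.deleted += 1
        self.half_open[key] = True
        return evicted

    def established(self, key):
        """Handshake completed (or session torn down): no longer half-open."""
        self.half_open.pop(key, None)
        self._update_mode()

    def count(self):
        return len(self.half_open)


def syn_flood(guard, n, prefix="s"):
    """Drive n connection requests that never complete, as a SYN flood does;
    returns the number of half-open sessions the guard deleted."""
    for i in range(n):
        guard.syn("%s%d" % (prefix, i))
    return guard.deleted
```

With the outbound values from the task (low 4, high 40), 45 requests that never complete leave exactly 40 half-open entries and 5 deletions, so a flood cannot grow the table beyond the high watermark; only sessions completing or timing out bring the count below 4 and end aggressive mode.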
Task 2.2
4 Points
R6(config)#
R6(config)#ip access-list extended AUTH_PROXY
R6(config-ext-nacl)# permit tcp any host 50.50.9.11 eq www log
R6(config-ext-nacl)#
R6(config-ext-nacl)#ip access-list log-update threshold 1
R6#
*May 1 06:16:56.403: %SEC-6-IPACCESSLOGP: list AUTH_PROXY permitted tcp
192.168.2.101(4802) -> 50.50.9.11(80), 1 packet
R6#show ip auth-proxy cache
Authentication Proxy Cache
Client Name user-2.2, Client IP 192.168.2.101, Port 4802, timeout 5, Time
Remaining 1, state ESTAB
R6#
Task 2.3
4 Points
Task 2.4
4 Points
Section 3:
Task 3.1
VPNs
4 Points
Note: these ASA2 access-list entries permit the NTP, CA enrollment (HTTP to the CA) and GET VPN (GDOI, UDP 848) traffic that the following tasks depend on.
ASA2, configuration mode:
access-list outside permit tcp host 50.50.4.1 host 50.50.3.6 eq www
access-list outside permit tcp host 50.50.4.4 host 50.50.3.6 eq www
access-list outside permit tcp host 50.50.5.5 host 50.50.3.6 eq www
access-list outside permit tcp host 50.50.12.7 host 50.50.3.6 eq www
access-list outside permit tcp host 50.50.11.8 host 50.50.3.6 eq www
access-list outside permit udp host 50.50.4.1 host 50.50.4.6 eq ntp
access-list outside permit udp host 50.50.4.4 host 50.50.4.6 eq ntp
access-list outside permit udp host 50.50.5.5 host 50.50.4.6 eq ntp
access-list outside permit udp host 50.50.12.7 host 50.50.4.6 eq ntp
access-list outside permit udp host 50.50.11.8 host 50.50.4.6 eq ntp
access-list outside permit udp host 50.50.5.5 host 50.50.3.6 eq 848
access-list outside permit udp host 50.50.12.7 host 50.50.3.6 eq 848
access-list outside permit udp host 50.50.11.8 host 50.50.3.6 eq 848
access-list outside permit udp host 50.50.235.5 host 50.50.3.6 eq 848
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: R1.ccbootcamp.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R6-CA1 verbose' command will show the
fingerprint.
R1(config)#
May 1 08:04:27.840: CRYPTO_PKI: Certificate Request Fingerprint MD5:
5CA16B6B E5289EDB 9D4782C0 9BA6CB88
May 1 08:04:27.844: CRYPTO_PKI: Certificate Request Fingerprint SHA1:
B51208DE 08586B0C D925CF8C 5C20DEC2 FB87B828
R1(config)#
May 1 08:04:32.436: %PKI-6-CERTRET: Certificate received from Certificate
Authority
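IOS prints the enrollment request fingerprint as MD5 and SHA1 in groups of eight hex digits (the SHA1 above is "B51208DE 08586B0C D925CF8C 5C20DEC2 FB87B828"); the CA operator is meant to compare that value, read from the router out of band, with the hash of the request the CA actually received before granting it, which is what defeats a request swapped in transit. The Python below is an added example, not part of the workbook: it reproduces the IOS formatting and does the comparison. The request bytes are constructed for illustration and the helper names are this example's own.

```python
import hashlib
import hmac

# Constructed stand-in for the DER-encoded PKCS#10 request the CA received.
SAMPLE_REQUEST = b"constructed PKCS#10 request bytes for illustration only"


def ios_fingerprint(data, algo):
    """Hex digest formatted the way IOS prints it: upper case, a space
    after every eight hex digits (MD5 -> 4 groups, SHA1 -> 5 groups)."""
    digest = hashlib.new(algo, data).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize(fp):
    """Strip the grouping spaces and case so transcribed values compare."""
    return "".join(fp.split()).upper()


def fingerprint_matches(received_request, displayed_fp, algo="sha1"):
    """True when the hash of the request the CA holds equals the fingerprint
    the router displayed.  Uses a constant-time comparison, and defaults to
    SHA1 because MD5 collisions are practical and the MD5 line should only
    be a secondary check."""
    expected = normalize(ios_fingerprint(received_request, algo))
    return hmac.compare_digest(expected, normalize(displayed_fp))


def verify_both(received_request, md5_fp, sha1_fp):
    """Check both lines the router prints; a mismatch on either is a reason
    to reject the request rather than grant it."""
    return (fingerprint_matches(received_request, md5_fp, "md5")
            and fingerprint_matches(received_request, sha1_fp, "sha1"))
```

The comparison should be run against the request the CA stores, not against a value pasted from the same session that delivered the request; otherwise the check proves nothing.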
Task 3.2
4 Points
    Group Name               : group1
    Group Identity           : 1
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 50.50.3.6
    Group Server list        : 50.50.3.6
    Group member             : 50.50.11.8
    GM Reregisters in        : 248 secs
    Rekey Received(hh:mm:ss) : 00:24:34
    Rekeys received
         Cumulative          : 0
         After registration  : 0
    Rekey Acks sent          : 0
R7#
.May 1 10:16:42.011: %CRYPTO-5-GM_REGSTER: Start registration to KS
50.50.3.6 for group group1 using address 50.50.12.7
Task 3.3
4 Points
You may add a single static route on R7, but it may not use
R2 as a next hop.
Task 3.4
4 Points
R6(config)#int loopback 34
R6(config-if)#ip address 66.66.66.6 255.255.255.0
R6(config-if)#exit
R6(config)#access-list 145 permit icmp 66.66.0.0 0.0.255.255 50.50.6.0
0.0.0.255
R6(config)#crypto isakmp invalid-spi-recovery
R6(config)#crypto isakmp keepalive 10
R6(config)#crypto isakmp nat keepalive 5
R6(config)#crypto ipsec transform-set HA_TRANSFORM_AES_SHA esp-aes esp-sha-hmac
R6(cfg-crypto-trans)#exit
R6(config)#crypto map MYMAP local-address loop 0
R6(config)#crypto map MYMAP 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R6(config-crypto-map)#set peer 50.50.4.14
R6(config-crypto-map)#set transform-set HA_TRANSFORM_AES_SHA
R6(config-crypto-map)#match address 145
R6(config-crypto-map)#exit
R6(config)#interface FastEthernet0/1
R6(config-if)#crypto map MYMAP
R6(config-if)#exit
ASA2:
access-list outside permit udp host 50.50.4.14 host 50.50.4.6 eq 500
access-list outside permit udp host 50.50.4.14 host 50.50.4.6 eq 4500
by console. Reload
R7(config)#!NOTE: adding
R7(config)#crypto isakmp (three crypto isakmp lines, arguments cut)
R8(config)#!NOTE: adding
R8(config)#crypto isakmp (three crypto isakmp lines, arguments cut)
Section 4:
Task 4.1
IPS
4 Points
Task 4.2
4 Points
SW1(config)#int fa 0/2
SW1(config-if)#switchport access vlan 99
% Access VLAN does not exist. Creating vlan 99
SW1(config-if)#int fa 0/5
SW1(config-if)#switchport access vlan 55
% Access VLAN does not exist. Creating vlan 55
SW1(config-if)#end
R2#ping 50.50.9.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 50.50.9.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#telnet 50.50.9.11 80
Trying 50.50.9.11, 80 ... Open
testing
[Connection to 50.50.9.11 closed by foreign host]
R2#
R1#copy http://5.5.5.5/AtTacK.Me?
http://5.5.5.5/AtTacK.Me A URL beginning with this prefix
R1#copy http://5.5.5.5/AtTacK.Me? null
R1#copy http://5.5.5.5/AtTacK.Me? null: ?
<cr>
NOTE: Use Ctrl+v, then the ? to get it into the command line as a character.
R1#copy http://5.5.5.5/AtTacK.Me? null:
%Error opening http://5.5.5.5/AtTacK.Me? (I/O error)
R1#
session 1 source vlan 11 rx
session 1 destination remote vlan 999
session 2 source remote vlan 999
session 2 destination interface Fa0/2 ingress vlan 11
session 1 source vlan 11 rx
session 1 destination remote vlan 999
session 1 source vlan 11 rx
session 1 destination remote vlan 999
session 1 source vlan 11 rx
session 1 destination remote vlan 999
R3#show access-lists
Extended IP access list 101
10 permit ip any any (3 matches)
Extended IP access list 102
10 permit udp any any eq 848 (6 matches)
Extended IP access list IDS_Fa0/0_in_0
10 permit ip host 50.50.4.15 any
20 permit ip any any (17 matches)
R3#show acce
R3#show run int fa0/0
Building configuration...
Current configuration : 158 bytes
!
interface FastEthernet0/0
Task 4.4
4 Points
R2#
*May 1 19:18:38.479: %SYS-5-CONFIG_I: Configured from console by vty0
(50.50.4.75)
R2#show policy-map int fa 0/0
FastEthernet0/0
Service-policy input: IDS_RL_POLICY_MAP_1
Class-map: IDS_RL_CLASS_MAP_icmp-xxBx-8-5_1 (match-any)
2191 packets, 3198234 bytes
5 minute offered rate 47000 bps, drop rate 0 bps
Match: access-group name IDS_RL_ACL_icmp-xxBx-8-5_1
2191 packets, 3198234 bytes
5 minute rate 47000 bps
police:
cir 5 %
cir 5000000 bps, bc 156250 bytes
conformed 2188 packets, 3194452 bytes; actions:
transmit
exceeded 3 packets, 3782 bytes; actions:
drop
conformed 10000 bps, exceed 0 bps
Class-map: class-default (match-any)
23 packets, 1882 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R2#
Task 4.5
4 Points
Section 5: Identity Management
Task 5.1
4 Points
Task 5.2
4 Points
R7(config)#aaa new-model
R7(config)#tacacs-server host 50.50.4.101
R7(config)#tacacs-server key cisco
R7(config)#ip tacacs source-interface loopback 0
R7(config)#aaa authentication login default none
R7(config)#aaa authentication login R7-LOC local
R7(config)#aaa authorization config-commands
R7(config)#aaa authorization exec TAC group tacacs+ none
R7(config)#aaa authorization commands 0 TAC group tacacs+
R7(config)#aaa authorization commands 1 TAC group tacacs+
R7(config)#aaa authorization commands 15 TAC group tacacs+
R7(config)#aaa accounting commands 0 TAC start-stop group tacacs+
R7(config)#aaa accounting commands 1 TAC start-stop group tacacs+
R7(config)#aaa accounting commands 15 TAC start-stop group tacacs+
R7(config)#username admin privilege 15 secret cisco
R7(config)#username user5.2 password 0 cisco
R7(config)#line vty 0 4
R7(config-line)#privilege level 15
R7(config-line)#authorization commands 0 TAC
R7(config-line)#authorization commands 1 TAC
R7(config-line)#authorization commands 15 TAC
R7(config-line)#authorization exec TAC
R7(config-line)#accounting commands 0 TAC
R7(config-line)#accounting commands 1 TAC
R7(config-line)#accounting commands 15 TAC
R7(config-line)#login authentication R7-LOC
R7(config-line)#exit
R7#test aaa group tacacs+ user5.2 cisco legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
R2#ssh -l user5.2 7.7.7.7
Password: cisco
R7#show ver
Command authorization failed.
R7#show privi
Command authorization failed.
R7#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R7(config)#router rip
Command authorization failed.
R7(config)#int loop 6783
R7(config-if)#ip address 99.99.99.99 255.255.255.255
R7(config-if)#end
Command authorization failed.
R7(config)#exit
R7#logout
Command authorization failed.
R7#exit
[Connection to 7.7.7.7 closed by foreign host]
R2#
R2(config)#aaa new-model
R2(config)#ip domain-name ccbootcamp.com
R2(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R2.ccbootcamp.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R2(config)#aaa authentication login default none
R2(config)#aaa authentication login ssh local
R2(config)#aaa authorization exec default none
R2(config)#aaa authorization exec ssh local
R2(config)#username user5.2c privilege 10 secret cisco
R2(config)#username admin privilege 15 secret cisco
R2(config)#ip ssh version 2
R2(config)#access-list 1 permit 50.50.0.0 0.0.255.255
R2(config)#privilege interface level 10 ip access-group
R2(config)#privilege interface level 10 ip address
R2(config)#privilege interface level 10 ip
R2(config)#privilege configure level 10 access-list
R2(config)#privilege configure level 10 ip access-list extended
R2(config)#privilege configure level 10 ip access-list standard
R2(config)#privilege configure level 10 ip access-list
R2(config)#privilege configure level 10 interface
R2(config)#privilege configure level 10 ip
R2(config)#privilege exec level 10 show running-config
R2(config)#privilege exec level 10 show
R2(config)#line vty 0 4
R2(config-line)#privilege level 15
R2(config-line)#authorization exec ssh
R2(config-line)#login authentication ssh
R2(config-line)#exit
R2#show run
Building configuration...
Current configuration : 784 bytes
!
boot-start-marker
boot-end-marker
!
!
interface Loopback0
Task 5.3
4 Points
= AUTHORIZED
= Guest-Vlan
= 11
= UNAUTHORIZED
SW3#
03:59:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up
SW3#show dot1x interface fa0/18 details
Dot1x Info for FastEthernet0/18
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_HOST
ReAuthentication          = Disabled
QuietPeriod               = 3
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 5
RateLimitPeriod           = 0
Auth-Fail-Vlan            = 6
Auth-Fail-Max-attempts    = 3
Guest-Vlan                = 11
= AUTHORIZED
Authorized By             = Guest-Vlan
Vlan Policy               = 11
SW3#
Section 6:
Task 6.1
4 Points
Section 7: Advanced Security
Task 7.1
4 Points
R8#telnet 1.1.1.1
Trying 1.1.1.1 ... Open
R1#exit
R8(config)#ip local policy route-map NO_OUTBOUND_TELNET
R8(config)#ip access-list extended NO_OUTBOUND_TELNET
R8(config-ext-nacl)#permit tcp any any eq telnet log
R8(config-ext-nacl)#exit
R8(config)#route-map NO_OUTBOUND_TELNET permit 10
R8(config-route-map)#match ip address NO_OUTBOUND_TELNET
R8(config-route-map)#set interface Null0
R8(config-route-map)#exit
R8(config)#end
R8#telnet 1.1.1.1
Trying 1.1.1.1 ...
Task 7.2
4 Points
Section 8:
Task 8.1
4 Points
slippery?task
o root.exe
Drop this traffic outbound on Fa0/1.
dscp 5
Packets marked 5
Class-map: class-default (match-any)
50 packets, 5063 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Configure R2 to drop all IP options, but do not use an accesslist for this task.
R2(config)#ip options drop
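As an added illustration (not part of the workbook, and not Cisco code): the Python below parses an IPv4 header, lists the options it carries, and applies the same decision `ip options drop` makes on R2, forwarding only packets whose header length is the bare 20 bytes. The packets are constructed inline; the 12-byte Timestamp option is the one the extended ping in the verification sends when two timestamps are requested, and the source address 192.0.2.2 is a made-up placeholder.

```python
"""IPv4 option inspection (added example, not from the workbook).

A router running 'ip options drop' discards any IPv4 packet whose IHL is
greater than 5, i.e. whose header carries options after the fixed 20-byte
part.  This module builds such packets and shows both what the options are
and which packets the drop policy would discard.
"""
import struct

IPV4_MIN_HEADER = 20

# Option type values from RFC 791 (the type byte is copy|class|number).
OPTION_NAMES = {
    0: "EOOL",      # End of Option List
    1: "NOP",       # No Operation
    7: "RR",        # Record Route
    68: "TS",       # Internet Timestamp
    131: "LSRR",    # Loose Source and Record Route
    137: "SSRR",    # Strict Source and Record Route
}


def parse_ipv4_options(packet: bytes) -> list:
    """Return [(type, name, length)] for every option in the IPv4 header."""
    if len(packet) < IPV4_MIN_HEADER:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4
    if ihl < IPV4_MIN_HEADER or ihl > len(packet):
        raise ValueError("invalid IHL")
    opts = packet[IPV4_MIN_HEADER:ihl]
    found = []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                      # EOOL: single byte, ends the list
            found.append((0, "EOOL", 1))
            break
        if t == 1:                      # NOP: single byte, no length field
            found.append((1, "NOP", 1))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            raise ValueError("bad option length")
        found.append((t, OPTION_NAMES.get(t, "UNKNOWN"), ln))
        i += ln
    return found


def ip_options_drop(packet: bytes) -> bool:
    """Mimic 'ip options drop': True means the packet is discarded.

    The decision is keyed purely on the header length, so even a header
    padded with NOP/EOOL bytes is dropped, just as on the router.
    """
    parse_ipv4_options(packet)          # validate the header first
    return (packet[0] & 0x0F) * 4 > IPV4_MIN_HEADER


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build an IPv4 header (checksum left zero) with options padded to 4 bytes."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = (IPV4_MIN_HEADER + len(options)) // 4
    total = IPV4_MIN_HEADER + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, total, 0, 0, 64, 1, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + options + payload


# Constructed sample packets (source address is a placeholder, not from the lab).
# Timestamp option as sent by 'Timestamp, Number of timestamps: 2':
# type 68, length 12, pointer 5, overflow/flags 0, then two empty 4-byte slots.
TS_OPTION = bytes([68, 12, 5, 0]) + b"\x00" * 8
# Loose source route option with one hop: type 131, length 7, pointer 4, one address.
LSRR_OPTION = bytes([131, 7, 4]) + bytes([3, 3, 3, 3])

PLAIN = build_ipv4("192.0.2.2", "3.3.3.3")
WITH_TS = build_ipv4("192.0.2.2", "3.3.3.3", options=TS_OPTION)
WITH_LSRR = build_ipv4("192.0.2.2", "3.3.3.3", options=LSRR_OPTION)


def classify(packets) -> dict:
    """Count how many of the given packets the drop policy forwards vs. drops."""
    result = {"forwarded": 0, "dropped": 0}
    for p in packets:
        result["dropped" if ip_options_drop(p) else "forwarded"] += 1
    return result


if __name__ == "__main__":
    for name, p in (("plain", PLAIN), ("timestamp", WITH_TS), ("lsrr", WITH_LSRR)):
        print(name, parse_ipv4_options(p), "drop" if ip_options_drop(p) else "forward")
    print(classify([PLAIN, WITH_TS, WITH_LSRR]))
```

Only the timestamp and source-routed packets are dropped; the plain echo request passes, which is the behaviour the BB2 ping in the verification demonstrates (the plain pings of earlier tasks still succeed while the timestamp ping times out).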
BB2#ping
Protocol [ip]:
Target IP address: 3.3.3.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: t
Number of timestamps [ 9 ]: 2
Loose, Strict, Record, Timestamp, Verbose[TV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet has IP options: Total option bytes= 12, padded length=12
Timestamp: Type 0. Overflows: 0 length 12, ptr 5
>>Current pointer<<
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out
Success rate is 0 percent (0/5)
BB2#
Task 8.2
4 Points
LAB 4
Instructions
Verify that all configurations have been cleared before you load initial configurations onto the lab routers, backbone routers and switches. There are no initial configurations for the ASA and IPS. You will be required to configure these devices in the practice lab, just as you will be required to do so in the actual lab exam. ASDM and SDM are not available in the actual lab exam.
The ACS workstation is used in this lab as the candidate PC as well as the ACS server. The IP address of the ACS cannot be changed.
There is a test PC available in the practice labs as well as the actual lab. The IP address of the rack interface test PC may be changed through the desktop application. For both PCs, you may add/remove static routes for connectivity as described in the LAB. Do not change the default route on the ACS or the test PC, as you may lose connectivity.
Always remember to Apply changes and Save your configs often!
Unless otherwise specified, use only the existing networks within your lab. Additional networks, static and/or default routes, may not be configured unless specified in a task.
When creating passwords, use cisco unless indicated otherwise in a specific task. Refer to the Remote Rack Access FAQ PDF for cabling, ACS and IPS Access and other commonly asked questions. The document is located here:
http://www.ccbootcamp.com/download
Sections:
1. ASA Firewalls
2. IOS Firewalls
3. VPNs
4. IPS
5. Identity Management
6. Control/Management Plane Security
7. Advanced Security
8. Network Attack Mitigation
[Topology diagram; only the labels survive extraction. Devices: ACS PC (.101), R1, R2, R3, R4, R5, R6, R7, R8, BB1, BB2, SW1 (.11), SW2 (.11), ASA1 (Inside, DMZ1, DMZ2 and Outside on E0/0.v subinterfaces), ASA2 contexts C1 and C2 (each with Inside and Outside on E0/0.v), IPS C&C (.50). Segments: VLAN 168 192.168.2.0; VLAN 99 172.16.99.0; VLAN 77 172.16.77.0; VLAN 44 172.16.44.0; VLAN 22 24.234.22.0; VLAN 252 24.234.252.0; Frame Relay 24.234.100.0 (EIGRP1); VLAN 111 24.234.111.0; VLAN 121 24.234.121.0; VLAN 222 24.234.222.0; VLAN 88 172.16.88.0; VLAN 55 172.16.55.0. Other host labels in the figure: .99, .252.]
SW1 Fa0/1   <-> R1 Fa0/0       R1 Fa0/1   <-> SW2 Fa0/1
SW1 Fa0/2   <-> R2 Fa0/0       R2 Fa0/1   <-> SW2 Fa0/2
SW1 Fa0/3   <-> R3 Fa0/0       R3 Fa0/1   <-> SW2 Fa0/3
SW1 Fa0/4   <-> R4 Fa0/0       R4 Fa0/1   <-> SW2 Fa0/4
SW1 Fa0/5   <-> R5 Fa0/0       R5 Fa0/1   <-> SW2 Fa0/5
SW1 Fa0/6   <-> R6 Fa0/0       R6 Fa0/1   <-> SW2 Fa0/6
SW1 Fa0/9   <-> BB1 Fa0/0      BB1 Fa0/1  <-> SW2 Fa0/9
SW1 Fa0/10  <-> BB2 Fa0/0      BB2 Fa0/1  <-> SW2 Fa0/10
SW1
Fa0/12
E0/0
E0/2
Fa0/12
SW2
Fa0/14
SW2
E0/3
Fa0/17
SW2
E0/2
Fa0/18
SW2
E0/3
Fa0/23
SW2
ASA01
Gi0/0: sense
SW1
Fa0/14
SW1
Fa0/17
E0/1
SW1
Fa0/18
E0/0
IDS
IDS
Gi0/1: c&c
ASA01
ASA02
SW1
E0/1
Fa0/23
ASA02
SW1 Fas0/19 <-> SW2 Fas0/19
SW1 Fas0/20 <-> SW2 Fas0/20
Sensor Int.   Connected to:
G0/0          SW1 Fa0/14
Fa1/0         SW3 Fa0/4
Fa1/1         SW3 Fa0/3
Fa1/2         SW3 Fa0/2
Fa1/3         SW3 Fa0/1
R7 (2811) Fas0/0 <-> SW3 Fas0/17
R7 (2811) Fas0/1 <-> SW4 Fas0/17
SW3 Fas0/19 <-> SW4 Fas0/19
SW3 Fas0/20 <-> SW4 Fas0/20
ACS PC (192.168.2.101) <-> SW1 Fa0/24
R8 (2811) Fas0/0 <-> SW3 Fas0/18
R8 (2811) Fas0/1 <-> SW4 Fas0/18
Section 1: ASA Firewalls
Task 1.1
4 Points
Interface   VLAN
E0/0.168    168
E0/0.22     22
E0/0.77     77
E0/0.44     44
Task 1.2
4 Points
Name      Interface   Security Level   IP Address           VLAN
Inside    E0/0.88     Default          172.16.88.200/24     88
Outside   E0/0.111    Default          24.234.111.200/24    111
Inside    E0/0.55     Default          172.16.55.200/24     55
Outside   E0/0.222    Default          24.234.222.200/24    222
Task 1.3
4 Points
4 Points
Section 2: IOS Firewalls
Permit:
  Telnet
  HTTP
  ICMP
Outside->Inside:
  ICMP
  Telnet
Limits:
  All TCP connections should time out if idle for longer than 10 seconds.
  Only 1 telnet connection should be allowed at any time.
Task 2.2
4 Points
4 Points
Section 3: VPNs
Task 3.1
4 Points
4 Points
4 Points
4 Points
Section 4: IPS
Task 4.1
4 Points
IPS C&C:         172.16.77.50
Gateway:         172.16.77.100
Managed by:      192.168.2.101
Mgmt. SSL port:  44443
Verify that you can connect to and manage the IPS from the
ACS server. You are allowed to make necessary changes to
ASA1 and add a route to the ACS server to accomplish this.
Enable telnet management.
Create sig1, rules1, and ad1 which should be clones of the
existing sig0, rules0 and ad0.
Create virtual sensor vs1 and assign sig1, rules1 and ad1
to it.
Task 4.2
4 Points
Task 4.3
4 Points
4 Points
4 Points
Section 5: Identity Management
Task 5.1
4 Points
4 Points
Access:
  All commands
  All show commands
  Can only ping 24.234.100.6
  No other command access
Section 6:
Task 6.1
4 Points
Task 7.1
4 Points
4 Points
Section 8:
Task 8.1
4 Points
Using ASA1, protect the ACS server from SYN flood attacks
originating from the outside. Half open TCP connections
should be limited to no more than 200 total and no more
than 50 per host. You may not use a policy-map to
accomplish this.
R7 will be functioning as a DNS server. Allow it to be
reachable for DNS traffic at 24.234.22.7 but protect it
from attacks based on its weak DNS transaction ID. Also
only allow one DNS response per query.
Task 8.2
4 Points
Section 1: ASA Firewalls
Task 1.1
4 Points
Interface   VLAN
E0/0.168    168
E0/0.22     22
E0/0.77     77
E0/0.44     44
R7#ping 172.16.44.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.44.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Task 1.2
4 Points
Name      Interface   Security Level   IP Address           VLAN
Inside    E0/0.88     Default          172.16.88.200/24     88
Outside   E0/0.111    Default          24.234.111.200/24    111
Inside    E0/0.55     Default          172.16.55.200/24     55
Outside   E0/0.222    Default          24.234.222.200/24    222
ASA2(config-ctx)# exit
ASA2(config)#
ASA2(config)# context c1
Creating context 'c1'... Done. (2)
ASA2(config-ctx)# allocate-interface Ethernet0/0.88
ASA2(config-ctx)# allocate-interface Ethernet0/0.111
ASA2(config-ctx)# config-url disk0:/c1.cfg
WARNING: Could not fetch the URL disk0:/c1.cfg
INFO: Creating context with default config
ASA2(config-ctx)#
ASA2(config-ctx)# context c2
Creating context 'c2'... Done. (3)
ASA2(config-ctx)# allocate-interface Ethernet0/0.55
ASA2(config-ctx)# allocate-interface Ethernet0/0.222
ASA2(config-ctx)# config-url disk0:/c2.cfg
WARNING: Could not fetch the URL disk0:/c2.cfg
INFO: Creating context with default config
ASA2(config-ctx)#
ASA2(config-ctx)# changeto context c1
ASA2/c1(config)#
ASA2/c1(config)# interface e0/0.88
ASA2/c1(config-if)# ip address 172.16.88.200 255.255.255.0
ASA2/c1(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ASA2/c1(config-if)#
ASA2/c1(config-if)# interface e0/0.111
ASA2/c1(config-if)# ip address 24.234.111.200 255.255.255.0
ASA2/c1(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA2/c1(config-if)#
ASA2/c1(config-if)# route outside 0 0 24.234.111.6
ASA2/c1(config)#
ASA2/c1(config)# fixup protocol icmp
INFO: converting 'fixup protocol icmp ' to MPF commands
ASA2/c1(config)#
ASA2/c1(config)# changeto context c2
ASA2/c2(config)#
ASA2/c2(config)# interface e0/0.55
ASA2/c2(config-if)# ip address 172.16.55.200 255.255.255.0
ASA2/c2(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ASA2/c2(config-if)#
ASA2/c2(config-if)# interface e0/0.222
ASA2/c2(config-if)# ip address 24.234.222.200 255.255.255.0
ASA2/c2(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA2/c2(config-if)#
ASA2/c2(config-if)# route outside 0 0 24.234.222.6
ASA2/c2(config)#
ASA2/c2(config)# fixup protocol icmp
INFO: converting 'fixup protocol icmp ' to MPF commands
Verification:
R5#ping 24.234.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms
R8#ping 24.234.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
Task 1.3
4 Points
nat-control
nat (inside) 1 172.16.55.0 255.255.255.0
global (outside) 1 interface
access-list NAT permit ip 172.16.66.0 255.255.255.0 host
nat (inside) 2 access-list NAT
global (outside) 2 24.234.222.5
Verification:
R4#telnet 172.16.44.7 2323
Trying 172.16.44.7, 2323 ... Open
R1#telnet 192.168.2.200
Trying 192.168.2.200 ... Open
R5#ping 24.234.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
R5#
ASA2/c2(config)# sho xlate detail
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
ICMP PAT from Inside:172.16.55.5/2 to Outside:24.234.222.200/12327 flags ri
R5#ping 24.234.252.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.252.252, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 56/58/60 ms
ASA2/c2(config)# sho xlate
2 in use, 2 most used
PAT Global 24.234.222.5(48105) Local 172.16.55.5 ICMP id 6
PAT Global 24.234.222.200(26805) Local 172.16.55.5 ICMP id 5
Task 1.4
4 Points
Verification:
R8#telnet 24.234.100.2
Trying 24.234.100.2 ... Open
Address
24.234.100.2
Byte
0
R8#telnet 24.234.100.2
Trying 24.234.100.2 ...
% Connection timed out; remote host not responding
%ASA-3-201013: Per-client connection limit exceeded 1/1 for input packet from
172.16.88.8/27183 to 24.234.100.2/23 on interface Inside
Section 2: IOS Firewalls
Permit:
  Telnet
  HTTP
  ICMP
Outside->Inside:
  ICMP
  Telnet
Limits:
  All TCP connections should time out if idle for longer than 10 seconds.
  Only 1 telnet connection should be allowed at any time.
Verification:
SW1#ping 24.234.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 58/60/67 ms
SW1#telnet 24.234.100.6
Trying 24.234.100.6 ... Open
Address
24.234.121.11
Byte
0
R6#telnet 24.234.121.11
Trying 24.234.121.11 ... Open
[Connection to 24.234.121.11 closed by foreign host]
Task 2.2
4 Points
Verification:
ASA1# ping 172.16.99.99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.99, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
*May 4 17:16:07.663: %SEC-6-IPACCESSLOGDP: list CBAC denied icmp
172.16.44.100 (FastEthernet0/0.44 0019.e8d9.624e) -> 172.16.99.99 (8/0), 1
packet
BB1#ping 24.234.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
BB1#telnet 24.234.22.2
Trying 24.234.22.2 ... Open
Task 2.3
4 Points
Verification:
R8#ping 24.234.111.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.111.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/6/12 ms
R8#sho ip nbar protocol-discovery protocol icmp
FastEthernet0/0.88
                          Input                                                  Output
Protocol    Packet Count  Byte Count  5min Bit Rate (bps)  5min Max Bit Rate (bps)   Packet Count  Byte Count  5min Bit Rate (bps)  5min Max Bit Rate (bps)
---------------------------------------------------------------------------------------------------------------------------------------------------------
icmp        8             928         0                    0                         4             472         0                    0
unknown     0             0           0                    0                         0             0           0                    0
Total       8             928         0                    0                         4             472         0                    0
Section 3: VPNs
Task 3.1
4 Points
Verification:
R2#sho ntp status (output cut)
Clock is synchronized, stratum 9, reference is 192.168.2.1
R6#sho ntp status (output cut)
Clock is synchronized, stratum 9, reference is 192.168.2.1
Task 3.2
4 Points
Task 3.3
4 Points
Verification (show crypto gdoi on the two group members; prompts cut in extraction):

GROUP INFORMATION

    Group Name               : GET
    Group Identity           : 1
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 192.168.2.1
    Group Server list        : 192.168.2.1

    GM Reregisters in        : 2621 secs
    Rekey Received           : never

    Rekeys received
         Cumulative          : 0
         After registration  : 0

GROUP INFORMATION

    Group Name               : GET
    Group Identity           : 1
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 192.168.2.1
    Group Server list        : 192.168.2.1

    GM Reregisters in        : 2543 secs
    Rekey Received           : never

    Rekeys received
         Cumulative          : 0
         After registration  : 0
Task 3.4
4 Points
ASA1(config)# commands for this task (text cut in extraction; only the port qualifiers "eq isakmp" and "eq 4500", i.e. UDP/500 for IKE and UDP/4500 for NAT-T, survive, each appearing twice)
R7(config)#aaa new-model
R7(config)#aaa authentication login EZVPN local
R7(config)#aaa authorization network EZVPN local
R7(config)#
R7(config)#username ezvpn password 0 ezvpn
R7(config)#
R7(config)#ip local pool EZVPN 172.16.177.50 172.16.177.150
R7(config)#
R7(config)#crypto isakmp policy 5
R7(config-isakmp)#authentication pre-share
R7(config-isakmp)#hash sha
R7(config-isakmp)#encryption aes
R7(config-isakmp)#group 2
R7(config-isakmp)#exit
R7(config)#
R7(config)#crypto ipsec transform-set EZVPN esp-3des esp-md5-hmac
R7(cfg-crypto-trans)#exit
R7(config)#
R7(config)#crypto isakmp client configuration group EZVPN
R7(config-isakmp-group)#pool EZVPN
R7(config-isakmp-group)#key ezvpn
R7(config-isakmp-group)#save-password
R7(config-isakmp-group)#acl 150
R7(config-isakmp-group)#exit
R7(config)#
R7(config)#crypto dynamic-map EZVPN 1
R7(config-crypto-map)#set transform-set EZVPN
R7(config-crypto-map)#reverse-route
R7(config-crypto-map)#exit
R7(config)#
R7(config)#access-list 150 permit ip 7.7.7.0 0.0.0.255 any
R7(config)#
R7(config)#crypto map EZVPN client authentication list EZVPN
R7(config)#crypto map EZVPN isakmp authorization list EZVPN
R7(config)#crypto map EZVPN client configuration address respond
R7(config)#crypto map EZVPN 1 ipsec-isakmp dynamic EZVPN
R7(config)#
R7(config)#int fa0/0.77
R7(config-subif)#crypto map EZVPN
R7(config-subif)#exit
R4(config)#
R4(config)#interface loopback 4
R4(config-if)#ip address 4.4.4.4 255.255.255.0
R4(config-if)#crypto ipsec client ezvpn EZVPN inside
R4(config-if)#exit
R4(config)#
R4(config)#interface fa0/0.44
R4(config-subif)#crypto ipsec client ezvpn EZVPN
Verification:
R4#sho crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : EZVPN
Inside interface list: Loopback4
Outside interface: FastEthernet0/0.44
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 172.16.177.61 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
       Address    : 7.7.7.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 172.16.77.7
R4#ping 7.7.7.7 so l4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R4#sho crypto ipsec sa
interface: FastEthernet0/0.44
Crypto map tag: FastEthernet0/0.44-head-0, local addr 172.16.44.4
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.177.61/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 172.16.77.7 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
Section 4: IPS
Task 4.1
4 Points
IPS management settings (first column header cut in extraction):
  IP address       172.16.77.50
  Gateway          172.16.77.100
  Managed by       192.168.2.101
  Mgmt. SSL port   44443

Verify that you can connect to and manage the IPS from the ACS server. You are allowed to make necessary changes to ASA1 and add a route to the ACS server to accomplish this. Enable telnet management.

Create sig1, rules1, and ad1 which should be clones of the existing sig0, rules0 and ad0. Create virtual sensor vs1 and assign sig1, rules1 and ad1 to it.
sensor# setup

--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:
(cut)
Task 4.2
4 Points
Task 4.3
4 Points
Verification:
R8#ping 24.234.111.6 repeat 101
Type escape sequence to abort.
Sending 101, 100-byte ICMP Echos to 24.234.111.6, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (101/101), round-trip min/avg/max = 1/3/4 ms
Task 4.4
4 Points
Verification:
R6(config)#ip http server
R5#copy http://24.234.222.6/DeaTH null:
%Error opening http://24.234.222.6/DeaTH (I/O error)
R5#ping 24.234.222.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.222.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Task 4.3
4 Points
Verification:
R8#ping 24.234.22.2 repeat 102
Type escape sequence to abort.
Sending 102, 100-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!
Success rate is 99 percent (101/102), round-trip min/avg/max = 56/60/64 ms
Section 5: Identity Management
Task 5.1
4 Points
4 Points
Access (user column cut in extraction):
  All commands
  All show commands
  Can only ping 24.234.100.6; no other command access
Verification:
R6#telnet 24.234.100.2
Trying 24.234.100.2 ... Open
Username: R2Admin
Password:
R2#conf t
Enter configuration commands, one per line.
R2(config)#int fa0/0
R2(config-if)#exit
R2(config)#exit
R2#exit
R2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES NVRAM  up                    up
FastEthernet0/0.22     24.234.22.2     YES NVRAM  up                    up
FastEthernet0/0.252    24.234.252.2    YES NVRAM  up                    up
FastEthernet0/1        unassigned      YES NVRAM  administratively down down
Serial0/0/0            24.234.100.2    YES NVRAM  up                    up
Serial0/0/1            unassigned      YES NVRAM  administratively down down
Serial0/1/0            unassigned      YES NVRAM  administratively down down
Serial0/1/1            unassigned      YES NVRAM  administratively down down
R2#ping 24.234.100.3
Command authorization failed.
R2#ping 24.234.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/68/88 ms
ASA2/c2(config)# commands for this task (text cut in extraction; only the keyword "telnet" survives, appearing twice)
Verification:
R6#ping 24.234.222.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.222.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6#telnet 24.234.222.150
Trying 24.234.222.150 ... Open
LOGIN Authentication
Username: c2user
Password:
Authentication Successful
Section 6:
Task 6.1
4 Points
udp-port: 162, type: trap (remaining task text cut in extraction)
BB2#ping 24.234.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
BB2#telnet 24.234.22.2
Trying 24.234.22.2 ... Open
Username: R2Admin
Password:
R2#exit
[Connection to 24.234.22.2 closed by foreign host]
BB2#ssh -l R2Admin 24.234.22.2
BB2#
4 Points
4 Points
Configure R6 to protect ONLY R5 and R8 against SYN flood attacks. You may not use CBAC to accomplish this. Protection should occur when more than 200 half-open connections are attempted, and should cease when half-open connections drop below 100. If there are more than 50 half-open connections in a minute they should be dropped starting with the oldest; when the number of half-open connections in a one-minute period goes below 25, dropping should cease. The router should stop managing a TCP session if it is idle for 60 seconds.
R6(config)#access-list 101 permit tcp any host 24.234.222.5
R6(config)#access-list 101 permit tcp any host 172.16.88.8
R6(config)#
R6(config)#ip tcp intercept list 101
command accepted, interfaces with mls configured might cause inconsistent
behavior
R6(config)#ip tcp intercept max-incomplete high 200
command accepted, interfaces with mls configured might cause inconsistent
behavior
R6(config)#ip tcp intercept max-incomplete low 100
command accepted, interfaces with mls configured might cause inconsistent
behavior
R6(config)#ip tcp intercept one-minute high 50
command accepted, interfaces with mls configured might cause inconsistent
behavior
R6(config)#ip tcp intercept one-minute low 25
command accepted, interfaces with mls configured might cause inconsistent
behavior
R6(config)#ip tcp intercept connection-timeout 60
command accepted, interfaces with mls configured might cause inconsistent
behavior

The oldest-first drop is the default (ip tcp intercept drop-mode oldest), so it needs no extra command; the 60-second idle requirement is met by connection-timeout 60, which governs established connections that intercept is still tracking.
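The four thresholds interact in a way that is easy to get wrong on the exam: there are two independent triggers (half-open count and attempts per minute), each with hysteresis between its high and low mark, and the oldest-first drop only happens while aggressive mode is on. The Python model below is an added illustration written for this page, not IOS code and not from the workbook; it replays a SYN flood against the values configured on R6 so the transitions can be observed. The attacker and server addresses, the 30-second watch-timeout default and the event bookkeeping are assumptions of the model.

```python
"""Model of the IOS TCP intercept thresholds (added illustration, not IOS code).

Behaviour modelled, as documented for 'ip tcp intercept': aggressive mode starts
when the half-open count exceeds max-incomplete high OR the one-minute attempt
count exceeds one-minute high; while aggressive, every new SYN deletes the
oldest half-open entry (the default drop-mode); aggressive mode ends only when
both counters are below their low marks.  Watch-timeout default: assumption.
"""
from collections import OrderedDict, deque


class TcpIntercept:
    def __init__(self, max_high=200, max_low=100, min_high=50, min_low=25,
                 watch_timeout=30.0):
        self.max_high, self.max_low = max_high, max_low   # max-incomplete high / low
        self.min_high, self.min_low = min_high, min_low   # one-minute high / low
        self.watch_timeout = watch_timeout                # assumed 30 s (IOS default)
        self.half_open = OrderedDict()   # flow -> time of SYN; insertion order == age
        self.attempts = deque()          # SYN timestamps inside the last 60 s
        self.aggressive = False
        self.events = []                 # ("aggressive"|"timeout", flow) per dropped entry

    def _expire(self, now):
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()
        # entries are in age order, so stop at the first one that is still young
        for flow, t in list(self.half_open.items()):
            if now - t < self.watch_timeout:
                break
            del self.half_open[flow]
            self.events.append(("timeout", flow))

    def _update_mode(self):
        incomplete, per_minute = len(self.half_open), len(self.attempts)
        if not self.aggressive and (incomplete > self.max_high or per_minute > self.min_high):
            self.aggressive = True
        elif self.aggressive and incomplete < self.max_low and per_minute < self.min_low:
            self.aggressive = False

    def syn(self, now, src, sport, dst, dport):
        """A client SYN for a protected server arrives; returns whether aggressive mode is on."""
        self._expire(now)
        self.attempts.append(now)
        self._update_mode()
        if self.aggressive and self.half_open:
            oldest, _ = self.half_open.popitem(last=False)   # drop-mode oldest
            self.events.append(("aggressive", oldest))
        self.half_open[(src, sport, dst, dport)] = now
        return self.aggressive

    def established(self, src, sport, dst, dport):
        """Handshake completed with the real server: the flow leaves the half-open table."""
        self.half_open.pop((src, sport, dst, dport), None)


def syn_flood(count, interval, **thresholds):
    """Send `count` SYNs `interval` seconds apart from distinct ports; report the outcome."""
    ti = TcpIntercept(**thresholds)
    for i in range(count):
        # constructed attacker -> R5 (24.234.222.5), one SYN per source port
        ti.syn(i * interval, "198.51.100.9", 40000 + i, "24.234.222.5", 80)
    drops = sum(1 for kind, _ in ti.events if kind == "aggressive")
    return {"aggressive": ti.aggressive, "half_open": len(ti.half_open), "dropped_oldest": drops}
```

syn_flood(60, 0.001) trips the one-minute trigger (the 51st attempt in the window) and reports ten oldest-first drops; syn_flood(202, 0.1, min_high=10**9, min_low=10**9) isolates the max-incomplete trigger, which fires on the 202nd SYN. The connection-timeout value applies to established sessions that intercept is still watching and is not part of this model.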
Task 7.3
4 Points
Section 8:
Task 8.1
4 Points
Using ASA1, protect the ACS server from SYN flood attacks originating from the outside. Half-open TCP connections should be limited to no more than 200 total and no more than 50 per host. You may not use a policy-map to accomplish this.

R7 will be functioning as a DNS server. Allow it to be reachable for DNS traffic at 24.234.22.7 but protect it from attacks based on its weak DNS transaction ID. Also only allow one DNS response per query.

ASA1(config)# no static (Inside,Outside) 24.234.22.101 192.168.2.101 netmask 255.255.255.255
ASA1(config)# static (Inside,Outside) 24.234.22.101 192.168.2.101 netmask 255.255.255.255 tcp 200 50
ASA1(config)# static (DMZ1,outside) 24.234.22.7 172.16.77.7
ASA1(config)# access-list outside permit tcp any host 24.234.22.7 eq 53
ASA1(config)# access-list outside permit udp any host 24.234.22.7 eq 53
ASA1(config)# policy-map type inspect dns preset_dns_map
ASA1(config-pmap)# parameters
ASA1(config-pmap-p)# dns-guard
ASA1(config-pmap-p)# id-randomization

Note on the static command: the two values after tcp are the maximum TCP connections and the embryonic (half-open) limit for that translation, so tcp 200 50 caps the ACS at 200 connections with at most 50 half-open in total. A per-host half-open limit exists only as set connection per-client-embryonic-max under a policy-map, which this task rules out, so the static limits are the closest the constraint allows.
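What id-randomization and dns-guard actually do on the wire is worth seeing once. The Python below is an added model written for this page, not Cisco's implementation and not from the workbook: it parses the RFC 1035 header, rewrites the transaction ID of a query leaving R7 (whose own IDs are predictable), and then lets exactly one matching response through with the original ID restored, so a forged reply that guesses R7's weak ID and a second copy of the genuine reply are both dropped. The resolver and server addresses, the flow key and SequenceRng (a fixed stand-in for the ASA's random source, used so the run is reproducible) are assumptions.

```python
"""Model of ASA DNS inspection 'id-randomization' + 'dns-guard' (added illustration)."""
import random
import struct

HDR = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035)
QR = 0x8000                      # FLAGS bit: 1 = response


def txid(msg):
    return HDR.unpack_from(msg)[0]


def is_response(msg):
    return bool(HDR.unpack_from(msg)[1] & QR)


def set_txid(msg, new_id):
    return struct.pack("!H", new_id) + msg[2:]


def build_message(tid, name, response=False, answer_ip=None):
    """Minimal A query or response for `name` (constructed test data)."""
    flags = 0x8180 if response else 0x0100        # QR+RD+RA for a response, RD for a query
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = HDR.pack(tid, flags, 1, 1 if response else 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    if response:
        # one answer RR: pointer to the question name, type A, class IN, TTL 60, 4-byte rdata
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(o) for o in answer_ip.split("."))
    return msg


class SequenceRng:
    """Deterministic stand-in for the random source (assumption, for the demo only)."""
    def __init__(self, values):
        self.values = list(values)

    def getrandbits(self, bits):
        return self.values.pop(0) & ((1 << bits) - 1)


class DnsInspector:
    def __init__(self, rng=None):
        self.rng = rng if rng is not None else random.SystemRandom()
        self.pending = {}   # (server, client, client_port, randomised_id) -> original_id
        self.dropped = []   # (server, id) for every response thrown away

    def forward_query(self, client, cport, server, msg):
        """Query leaving the inside server: rewrite the ID and remember the mapping."""
        new_id = self.rng.getrandbits(16)
        while (server, client, cport, new_id) in self.pending:   # avoid an in-flight collision
            new_id = self.rng.getrandbits(16)
        self.pending[(server, client, cport, new_id)] = txid(msg)
        return set_txid(msg, new_id)

    def forward_response(self, server, client, cport, msg):
        """Response from outside: pass it once with the original ID, otherwise drop it."""
        key = (server, client, cport, txid(msg))
        if not is_response(msg) or key not in self.pending:
            self.dropped.append((server, txid(msg)))   # forged ID, duplicate, or nothing outstanding
            return None
        return set_txid(msg, self.pending.pop(key))    # dns-guard: first match closes the entry


def demo():
    """One query with the weak ID 1, then a forged, a genuine and a duplicate response."""
    insp = DnsInspector(rng=SequenceRng([0x4A3B]))
    server, client, port = "198.51.100.53", "172.16.77.7", 40000   # assumed addresses
    name = "www.ccbootcamp.com"
    sent = insp.forward_query(client, port, server, build_message(1, name))
    forged = insp.forward_response(server, client, port, build_message(1, name, True, "203.0.113.9"))
    real = insp.forward_response(server, client, port, build_message(txid(sent), name, True, "192.0.2.10"))
    dup = insp.forward_response(server, client, port, build_message(txid(sent), name, True, "192.0.2.10"))
    return {"sent_id": txid(sent), "forged_passed": forged is not None,
            "real_id": None if real is None else txid(real), "dup_passed": dup is not None,
            "dropped": len(insp.dropped)}
```

Running demo() shows the query leaving with ID 0x4A3B instead of 1, the forged reply carrying ID 1 being discarded, the genuine reply returned to R7 with ID 1 restored, and the duplicate discarded because the pending entry was consumed by the first match.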
Verification:
Task 8.2
4 Points
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out
Success rate is 0 percent (0/5)
R6#ping 24.234.22.100 so l6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.100, timeout is 2 seconds:
Packet sent with a source address of 6.6.6.6
.....
Success rate is 0 percent (0/5)
*May 5 21:58:11.098: %SEC-6-IPACCESSLOGDP: list 150 denied icmp 6.6.6.6 (Serial0/0/0 ) -> 24.234.22.100 (0/0), 1 packet
LAB 5
Instructions
Verify that all configurations have been cleared, before you load initial configurations onto the lab routers, backbone routers and switches. There are no initial configurations for the ASA and IPS. You will be required to configure these devices in the practice lab, just as you will be required to do so in the actual lab exam. ASDM and SDM are not available in the actual lab exam.

The ACS workstation is used in this lab as the candidate PC as well as the ACS server. The IP address of the ACS cannot be changed. There is a test PC available in the practice labs as well as the actual lab. The IP address of the rack interface test PC may be changed through the desktop application. For both PCs, you may add/remove static routes for connectivity as described in the LAB. Do not change the default route on the ACS or the test PC, as you may lose connectivity.

Always remember to Apply changes and Save your configs often!

Unless otherwise specified, use only the existing networks within your lab. Additional networks, static and/or default routes, may not be configured unless specified in a task.

When creating passwords, use cisco unless indicated otherwise in a specific task. Refer to the Remote Rack Access FAQ PDF for cabling, ACS and IPS Access and other commonly asked questions. The document is located here: http://www.ccbootcamp.com/download
Sections:
1.ASA Firewalls
2.IOS Firewalls
3.VPNs
4.IPS
5.Identity Management
6.Control/Management Plane Security
7.Advanced Security
8.Network Attack Mitigation
Lab 5 cabling (reconstructed from the topology diagram; only links that are unambiguous in the extracted text are listed):

Router       Fa0/0 to      Fa0/1 to
R1           SW1 Fa0/1     SW2 Fa0/1
R2           SW1 Fa0/2     SW2 Fa0/2
R3           SW1 Fa0/3     SW2 Fa0/3
R4           SW1 Fa0/4     SW2 Fa0/4
R5           SW1 Fa0/5     SW2 Fa0/5
R6           SW1 Fa0/6     SW2 Fa0/6
BB1          SW1 Fa0/9     SW2 Fa0/9
BB2          SW1 Fa0/10    SW2 Fa0/10
R7 (2811)    SW3 Fa0/17    SW4 Fa0/17
R8 (2811)    SW3 Fa0/18    SW4 Fa0/18

Switch-to-switch links: SW1 to SW2 on Fa0/19 and Fa0/20; SW3 to SW4 on Fa0/19 and Fa0/20.
ACS PC (192.168.2.101): SW1 Fa0/24.

IPS sensor interfaces:
Sensor Int.   Connected to
G0/0          SW1 Fa0/14
Fa1/0         SW3 Fa0/4
Fa1/1         SW3 Fa0/3
Fa1/2         SW3 Fa0/2
Fa1/3         SW3 Fa0/1

ASA01 and ASA02 (E0/0 to E0/3) connect to SW1 and SW2 on ports Fa0/12, Fa0/14, Fa0/17, Fa0/18 and Fa0/23; the IDS is labelled Gi0/0 "sense" and Gi0/1 "c&c". The exact ASA and IDS port pairings did not survive extraction.
4 Points
4 Points
Real Int.   Real IP:PORT #      Mapped Int.   Mapped IP:PORT #
INSIDE      10.30.10.8          OUTSIDE       100.60.10.8
INSIDE      8.8.8.8:tcp/23      OUTSIDE       100.60.10.8:tcp/2323
INSIDE      Any IP              OUTSIDE       100.60.10.201-210
INSIDE      2.2.2.2             OUTSIDE       100.60.10.2
INSIDE      2.2.2.2             OUTSIDE       100.60.10.22
Control     172.26.60.0/24      OUTSIDE       100.60.10.211-215
Fa0/0       192.168.2.101       Fa0/1         10.40.10.101
Fa0/1       10.40.10.200        Fa0/0         192.168.2.200

On the ACS PC, do not add ANY host routes except for route add 100.0.0.0 mask 255.0.0.0 192.168.2.2 -p. Do not add any 192.0.0.0 networks to any routing protocols. Permit both firewalls to be managed via HTTPS from the ACS PC.
Task 1.3
4 Points
Task 1.4
4 Points
4 Points
4 Points
4 Points
4 Points
Section 3: VPNs
Task 3.1
4 Points
4 Points
Source Interface   IP of PEER
Fa0/1              100.60.10.100
E0/0.60            100.60.10.2
Task 3.3
4 Points
Task 3.4
4 Points
Section 4: IPS
Task 4.1
4 Points
4 Points
Assign R1
Task 4.3
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
ASA-1(config-if)# exit
ASA-1(config)# interface Redundant1
ASA-1(config-if)# member-interface Ethernet0/1
INFO: security-level and IP address are cleared on Ethernet0/1.
ASA-1(config-if)# member-interface Ethernet0/2
INFO: security-level and IP address are cleared on Ethernet0/2.
ASA-1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA-1(config-if)# ip address 10.30.10.100 255.255.255.0
ASA-1(config-if)# exit
ASA-1(config)# router eigrp 1
ASA-1(config-router)# no auto-summary
ASA-1(config-router)# network 0.0.0.0 0.0.0.0
ASA-1(config-router)# exit
Verification
ASA-1(config)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA-1(config)# ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/32/40 ms
ASA-1(config)#
Verification
ASA-2(config)# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA-2(config)# ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/30/30 ms
ASA-2(config)#
Task 1.2
4 Points
Real Int.   Real IP:PORT #      Mapped Int.   Mapped IP:PORT #
INSIDE      10.30.10.8          OUTSIDE       100.60.10.8
INSIDE      8.8.8.8:tcp/23      OUTSIDE       100.60.10.8:tcp/2323
INSIDE      Any IP              OUTSIDE       100.60.10.201-210
INSIDE      2.2.2.2             OUTSIDE       100.60.10.2
INSIDE      2.2.2.2             OUTSIDE       100.60.10.22
Control     172.26.60.0/24      OUTSIDE       100.60.10.211-215
Fa0/0       192.168.2.101       Fa0/1         10.40.10.101
Fa0/1       10.40.10.200        Fa0/0         192.168.2.200

On the ACS PC, do not add ANY host routes except for route add 100.0.0.0 mask 255.0.0.0 192.168.2.2 -p. Do not add any 192.0.0.0 networks to any routing protocols. Permit both firewalls to be managed via HTTPS from the ACS PC.
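Before typing the static and nat/global commands it helps to check the table against a few packets. The following Python model is an added example written for this page, not ASA code and not from the workbook. It applies the ASA rows of the table with the precedence the firewall uses: a port-specific static (static PAT) beats a plain static for the same real address, statics beat the dynamic pool, and a dynamic translation is reachable from the outside only after an inside host has created the xlate. The two IOS rows (Fa0/0 and Fa0/1) are not modelled, and the pool allocation (one mapped address per real host, lowest free address first) is a simplification.

```python
"""Model of the Task 1.2 translation table (added illustration, not ASA code)."""
import ipaddress


class NatTable:
    def __init__(self):
        self.static = []   # dicts: real_if, real_ip, real_port, mapped_if, mapped_ip, mapped_port
        self.pools = []    # dicts: real_if, real_net, mapped_if, free, used
        self.xlate = {}    # (mapped_if, mapped_ip, port) -> (real_if, real_ip, port); dynamic only

    def add_static(self, real_if, real, mapped_if, mapped):
        """real / mapped are 'ip' or 'ip:tcp/port'; a port makes the entry static PAT."""
        rip, rport = _split(real)
        mip, mport = _split(mapped)
        self.static.append(dict(real_if=real_if, real_ip=rip, real_port=rport,
                                mapped_if=mapped_if, mapped_ip=mip, mapped_port=mport))

    def add_pool(self, real_if, real_net, mapped_if, first, last):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.pools.append(dict(real_if=real_if, real_net=ipaddress.ip_network(real_net),
                               mapped_if=mapped_if,
                               free=[str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)],
                               used={}))

    def outbound(self, real_if, src_ip, src_port, dst_if):
        """New connection from real_if towards dst_if: (mapped_ip, mapped_port) or None."""
        # Statics win over pools; a port-specific (PAT) entry wins over a plain one.
        for s in sorted(self.static, key=lambda e: e["real_port"] is None):
            if (s["real_if"], s["mapped_if"], s["real_ip"]) != (real_if, dst_if, src_ip):
                continue
            if s["real_port"] is None:
                return s["mapped_ip"], src_port
            if s["real_port"] == src_port:
                return s["mapped_ip"], s["mapped_port"]
        for p in self.pools:
            if p["real_if"] != real_if or p["mapped_if"] != dst_if:
                continue
            if ipaddress.ip_address(src_ip) not in p["real_net"]:
                continue
            mip = p["used"].get(src_ip)
            if mip is None:
                if not p["free"]:
                    return None             # pool exhausted: the connection is dropped
                mip = p["free"].pop(0)
                p["used"][src_ip] = mip
            self.xlate[(dst_if, mip, src_port)] = (real_if, src_ip, src_port)
            return mip, src_port
        return None

    def inbound(self, mapped_if, dst_ip, dst_port):
        """Packet arriving on mapped_if for a mapped address: (real_if, real_ip, real_port) or None."""
        for s in sorted(self.static, key=lambda e: e["mapped_port"] is None):
            if s["mapped_if"] != mapped_if or s["mapped_ip"] != dst_ip:
                continue
            if s["mapped_port"] is None:
                return s["real_if"], s["real_ip"], dst_port
            if s["mapped_port"] == dst_port:
                return s["real_if"], s["real_ip"], s["real_port"]
        # Dynamic translations exist only once an inside host has opened the xlate.
        return self.xlate.get((mapped_if, dst_ip, dst_port))


def _split(addr):
    if ":" in addr:
        ip, port = addr.split(":")
        return ip, int(port.replace("tcp/", "").replace("udp/", ""))
    return addr, None


def task_table():
    """The ASA rows of the Task 1.2 table, in the order they are listed."""
    t = NatTable()
    t.add_static("INSIDE", "10.30.10.8", "OUTSIDE", "100.60.10.8")
    t.add_static("INSIDE", "8.8.8.8:tcp/23", "OUTSIDE", "100.60.10.8:tcp/2323")
    t.add_pool("INSIDE", "0.0.0.0/0", "OUTSIDE", "100.60.10.201", "100.60.10.210")
    t.add_static("INSIDE", "2.2.2.2", "OUTSIDE", "100.60.10.2")
    t.add_static("INSIDE", "2.2.2.2", "OUTSIDE", "100.60.10.22")
    t.add_pool("Control", "172.26.60.0/24", "OUTSIDE", "100.60.10.211", "100.60.10.215")
    return t
```

With task_table(), a telnet from 8.8.8.8 leaves as 100.60.10.8:2323 while other traffic from 8.8.8.8 falls through to the pool, an outside host reaching 100.60.10.8 on any other port lands on 10.30.10.8, both 100.60.10.2 and 100.60.10.22 lead to 2.2.2.2, and a packet to an unused pool address is dropped because no xlate exists for it.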
Task 1.3
4 Points
Task 1.4
4 Points
ASA-2(config-priority-queue)# exit
ASA-2(config)# !Note:Priority Queue on Major Int. cover all Sub Ints.
ASA-2(config)# !Note:will need priority queue on outside for VPN :Later.
ASA-2(config)# class-map type regex match-any CMAP_REG_EXP
ASA-2(config-cmap)# match regex REG_X_COM
ASA-2(config-cmap)# match regex REG_X_EXE
ASA-2(config-cmap)# match regex REG_X_BAT
ASA-2(config-cmap)# exit
ASA-2(config)# class-map type inspect http match-any CMAP_INS_HTTP
ASA-2(config-cmap)# match request uri regex class CMAP_REG_EXP
ASA-2(config-cmap)# exit
ASA-2(config)# class-map CMAP_80_8080_TO_ACS
ASA-2(config-cmap)# match access-list HTTP_ACL
ASA-2(config-cmap)# exit
ASA-2(config)# class-map TELNET_TO_R2
ASA-2(config-cmap)# match access-list PRIORITY_ACL
ASA-2(config-cmap)# policy-map type inspect http PMAP_INS_HTTP
ASA-2(config-pmap)# parameters
ASA-2(config-pmap-p)# class CMAP_INS_HTTP
ASA-2(config-pmap-c)# reset log
ASA-2(config-pmap-c)# exit
ASA-2(config-pmap)# exit
ASA-2(config)# policy-map type inspect ftp PMAP_INS_RMDIR
ASA-2(config-pmap)# parameters
ASA-2(config-pmap-p)# match request-command dele
ASA-2(config-pmap-c)# reset log
ASA-2(config-pmap-c)# exit
ASA-2(config-pmap)# exit
ASA-2(config)# policy-map global_policy
ASA-2(config-pmap)# class inspection_default
ASA-2(config-pmap-c)# no inspect ftp
ASA-2(config-pmap-c)# inspect ftp strict PMAP_INS_RMDIR
ASA-2(config-pmap-c)# exit
ASA-2(config-pmap)# class TELNET_TO_R2
ASA-2(config-pmap-c)# priority
ASA-2(config-pmap-c)# exit
ASA-2(config-pmap)# class CMAP_80_8080_TO_ACS
ASA-2(config-pmap-c)# inspect http PMAP_INS_HTTP
ASA-2(config-pmap-c)# exit
ASA-2(config-pmap)# exit
R4#ping 100.60.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.60.10.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R4#ping 100.60.10.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.60.10.22, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R4#telnet 100.60.10.2
Trying 100.60.10.2 ... Open
R2#exit
[Connection to 100.60.10.2 closed by foreign host]
R4#telnet 100.60.10.22
show priority-queue statistics (prompt and interface names cut in extraction):

Queue Type         = BE
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 1403
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

Queue Type         = LLQ
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 0
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

Queue Type         = BE
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 708
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

Queue Type         = LLQ
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 67
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0
4 Points
Task 2.2
4 Points
show ip eigrp neighbors (prompt cut in extraction):
H   Address          Interface    Hold Uptime    SRTT   RTO   Q    Seq
                                  (sec)          (ms)         Cnt  Num
4   100.120.10.6     Fa0/0.120      11 00:01:00   523  3138   0    21
3   100.120.10.7     Fa0/0.120      10 00:01:00     4   200   0     7
2   100.15.10.1      Se0/0/0       160 03:12:16   125   750   0    47
1   100.70.10.3      Fa0/0.70       11 03:12:38    34   204   0    57
0   100.70.10.4      Fa0/0.70       14 03:12:38     1   200   0    61
R5#ping 6.6.6.6
Task 2.3
4 Points
R7(config)#line vty 0
R7(config-line)#login local
R7(config-line)#transport input telnet
R7(config-line)#line vty 1 4
R7(config-line)#transport input ssh
R7(config-line)#exit
R7(config)#ip domain-name ccbootcamp.com
R7(config)#crypto key generate rsa
The name for the keys will be: R7.ccbootcamp.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R7(config)#ip ssh version 2
R7(config)#username admin privilege 15 secret cisco
R7(config)#end
R7(config)#line vty 0
R7(config-line)# password cisco
R7(config-line)# login
R7(config-line)#transport input telnet
R7(config-line)#exit
R7(config)#line vty 1 4
R7(config-line)#transport input ssh
R7(config-line)#login local
R7(config-line)#rotary 1
R7(config-line)#exit
R7(config)#ip ssh port 2000 rotary 1
R7(config)#ip ssh version 2
R7(config)#username admin privilege 15 secret cisco
R1#ssh -l admin -p 2000 7.7.7.7
Password: cisco
R7#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:10
*515 vty 1     admin      idle                 00:00:00   100.90.10.1
Task 2.4
4 Points
R1#telnet 7.7.7.7
Trying 7.7.7.7 ... Open
User Access Verification
Username: admin
Password: cisco
R7#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:13
*514 vty 0     admin      idle                 00:00:00   100.90.10.1
R7#exit
[Connection to 7.7.7.7 closed by foreign host]
R1#ssh -l admin -p 2000 7.7.7.7
% Connection refused by remote host
R4#ssh -l admin -p 2000 7.7.7.7
Password: cisco
R7#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:03:46
*515 vty 1     admin      idle                 00:00:00   100.70.10.4
R7#exit
[Connection to 7.7.7.7 closed by foreign host]
R4#telnet 7.7.7.7
Trying 7.7.7.7 ...
% Connection refused by remote host
Section 3: VPNs
Task 3.1
4 Points
Task 3.2
4 Points
Source Interface   IP of PEER
Fa0/1              100.60.10.100
E0/0.60            100.60.10.2
R2#
ASA-2(config)#
100.60.10.2 eq
ASA-2(config)#
100.60.10.2 eq
Task 3.3
4 Points
10.30.10.8   host   100.60.10.3
10.30.10.8   host   100.60.10.4
10.30.10.8   host   100.70.10.3
10.30.10.8   host   100.70.10.4
:
:
:
:
:
:
group1
1
0
Both
10.30.10.8
10.30.10.8
    GM Reregisters in          : 1517 secs
    Rekey Received             : never
    Rekeys received
        Cumulative             : 0
        After registration     : 0
Task 3.4
4 Points
SW2#traceroute 10.40.10.2
Type escape sequence to abort.
Tracing the route to 10.40.10.2
1 100.55.10.5 0 msec 0 msec 0 msec
2 10.40.10.2 8 msec * 0 msec
SW2#
priority
Global policy:
  Service-policy: global_policy
    Class-map: TELNET_TO_R2
      Priority:
        Interface need-4-priority-on-sub: aggregate drop 0, aggregate transmit 43259
      Priority:
        Interface control: aggregate drop 0, aggregate transmit 43259
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 43259
      Priority:
        Interface inside: aggregate drop 0, aggregate transmit 0
    Class-map: CMAP_VPN_REMOTE_PRIORITY
      Priority:
        Interface need-4-priority-on-sub: aggregate drop 0, aggregate transmit 43259
      Priority:
        Interface control: aggregate drop 0, aggregate transmit 43259
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 43259
      Priority:
        Interface inside: aggregate drop 0, aggregate transmit 0
ASA-2(config)#
SW2(config)#int fa 0/16
SW2(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
Section 4: IPS
Task 4.1
4 Points
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
!
!
!
Continue with configuration dialog?[yes]:
Enter host name[sensor]:
Enter IP interface[192.168.1.2/24,192.168.1.1]:
172.26.60.250/24,172.26.60.200
Enter telnet-server status[disabled]:
Enter web-server port[443]: 5796
--- 172.26.60.200 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.3/0.4 ms
sensor#
c:\ACS_PC>route add 172.26.60.0 mask 255.255.255.0 192.168.2.2 p
Task 4.2
4 Points
Assign R1
time=3.3 ms
time=2.7 ms
time=2.7 ms
time=2.6 ms
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 2.6/2.8/3.3 ms
sensor#
R1#
R1#who
    Line       User       Host(s)              Idle       Location
 514 vty 0     ips-user   idle                 00:00:12 100.60.10.212
R1#
Task 4.3
4 Points
R5#telnet 6.6.6.6
Trying 6.6.6.6 ... Open
R6#cisco123
[Connection to 6.6.6.6 closed by foreign host]
R5#
4 Points
Task 5.2
4 Points
Password: cisco
Authentication Successful
[Connection to 100.60.10.10 closed by foreign host]
R5#copy home.shtml tftp://10.40.10.101
Address or name of remote host [10.40.10.101]?
Destination filename [home.shtml]?
!!
1038 bytes copied in 0.048 secs (21625 bytes/sec)
R5#
Task 5.3
4 Points
R2(config)#no ip cef
R2(config)#ip access-list extended NO_ICMP_TO_BB1
R2(config-ext-nacl)#deny icmp host 192.168.2.101 host 100.110.10.50 log-input
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#exit
R2(config)#ip access-list extended AUTH_PROXY
R2(config-ext-nacl)#permit tcp host 192.168.2.101 host 100.110.10.50 eq www log-input
R2(config-ext-nacl)#exit
R2(config)#aaa new-model
R2(config)#aaa authentication login default group tacacs+
R2(config)#aaa authentication login AUTH_PROXY group tacacs+
R2(config)#aaa authentication login FREE none
R2(config)#aaa authorization auth-proxy default group tacacs+
R2(config)#ip auth-proxy name AUTH_PROXY http inactivity-time 60 list AUTH_PROXY
R2(config)#!Note: this is just to test a 2nd time faster
R2(config)#ip admission absolute-timer 1
R2(config)#ip auth-proxy absolute-timer 1
R2(config)#interface FastEthernet0/0
R2(config-if)#ip access-group NO_ICMP_TO_BB1 in
R2(config-if)#ip auth-proxy AUTH_PROXY
R2(config-if)#no ip route-cache cef
R2(config-if)#no ip route-cache
R2(config-if)#exit
R2(config)#interface FastEthernet0/1
R2(config-if)#no ip route-cache cef
R2(config-if)#no ip route-cache
R2(config-if)#exit
R2(config)#ip http server
R2(config)#ip http authentication aaa login-authentication AUTH_PROXY
R2(config)#ip access-list log-update threshold 1
R2(config)#tacacs-server host 192.168.2.101
R2(config)#tacacs-server key cisco
R2(config)#line con 0
R2(config-line)#login authentication FREE
R2(config-line)#exit
R2(config)#line vty 0 4
R2(config-line)#login authentication FREE
R2(config-line)#exit
R2(config)#
c:\ACS_PC>ping 100.110.10.50
Pinging 100.110.10.50 with 32 bytes of data:
Reply from 100.110.10.50: bytes=32 time=6ms TT
Reply from 100.110.10.50: bytes=32 time=6ms TT
Reply from 100.110.10.50: bytes=32 time=6ms TT
Reply from 100.110.10.50: bytes=32 time=6ms TT
Ping statistics for 100.110.10.50:
Packets: Sent = 4, Received = 4, Lost = 0
Approximate round trip times in milli-seconds:
Minimum = 6ms, Maximum = 6ms, Average = 6m
c:\ACS_PC>
R2#show access-lists
Extended IP access list 101
10 permit icmp host 10.40.10.101 host 100.60.10.8
Extended IP access list AUTH_PROXY
10 permit tcp host 192.168.2.101 host 100.110.10.50 eq www log-input (7
matches)
Extended IP access list NO_ICMP_TO_BB1
permit icmp host 192.168.2.101 host 100.110.10.50 (4 matches)
4 Points
transmit
exceeded 9 packets, 4842 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: CMAP_TELNET_SSH (match-all)
43 packets, 2770 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name TELNET_SSH_ACL
police:
cir 10000 bps, bc 1500 bytes
conformed 43 packets, 2770 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
60 packets, 49272 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R5#
Current
---------0.00%
Do
Task 6.2
4 Points
V    AS MsgRcvd MsgSent   TblVer  PfxRcd
4     1       5       4       16      15
R8(config)#router bgp 8
R8(config-router)# neighbor 100.110.10.50 password cisco
BB1(config-router)# neighbor 10.30.10.8 password cisco
BB1(config-router)#end
BB1#wr
Building configuration...
*May 3 21:44:37.590: %SYS-5-CONFIG_I: Configured from console by console
*May 3 21:44:40.466: %TCP-6-BADAUTH: No MD5 digest from 10.30.10.8(65055) to
100.110.10.50(179)[OK]
BB1#
Note: The path from R8 to BB1 crosses BOTH vs1 and vs2. Disable or modify
the signature that is normalizing the TCP option 19. Both examples are
included.
BB1#
*May
BB1#
4 Points
Task 7.2
4 Points
        drop 0
      Set connection advanced-options: TCP_MAP_BGP
        Retransmission drops: 0             TCP checksum drops : 0
        Exceeded MSS drops : 0              SYN with data drops: 0
        Invalid ACK drops : 0               SYN-ACK with data drops: 0
        Out-of-order (OoO) packets : 0      OoO no buffer drops: 0
        OoO buffer timeout drops : 0        SEQ past window drops: 0
        Reserved bit cleared: 0             Reserved bit drops : 0
        IP TTL modified : 0                 Urgent flag cleared: 0
        Window varied resets: 0
        TCP-options:
          Selective ACK cleared: 0          Timestamp cleared : 0
          Window scale cleared : 0          Other options cleared: 0
          Other options drops: 0
    Class-map: R8-TELNET
      Set connection policy:
        drop 0
      Set connection advanced-options: INT_CHECK
        Retransmission drops: 0             TCP checksum drops : 0
        Exceeded MSS drops : 0              SYN with data drops: 0
        Invalid ACK drops : 0               SYN-ACK with data drops: 0
        Out-of-order (OoO) packets : 0      OoO no buffer drops: 0
        OoO buffer timeout drops : 0        SEQ past window drops: 0
        Reserved bit cleared: 0             Reserved bit drops : 0
        IP TTL modified : 0                 Urgent flag cleared: 0
        Window varied resets: 0
        TCP-options:
          Selective ACK cleared: 0          Timestamp cleared : 0
          Window scale cleared : 0          Other options cleared: 0
          Other options drops: 0
      Input police Interface outside:
        cir 10000 bps, bc 1500 bytes
        conformed 263 packets, 14279 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
      Input police Interface inside:
        cir 10000 bps, bc 1500 bytes
        conformed 199 packets, 55005 bytes; actions: transmit
        exceeded 19 packets, 11209 bytes; actions: drop
        conformed 16 bps, exceed 0 bps
ASA-1(config)#
4 Points
vlan 60,70
maximum 2
violation restrict
mac-address sticky
mac-address sticky 001b.53e4.ea18 vlan 60
mac-address sticky 001b.53e4.ea18 vlan 70
SW1#
Task 8.2
4 Points
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*root.exe*"
4 packets, 375 bytes
5 minute rate 0 bps
QoS Set
dscp 1
Packets marked 4
Class-map: class-default (match-any)
239 packets, 19766 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R1#show acce
R1#show access-li
R1#show access-lists 105
Extended IP access list 105
10 deny ip any any dscp 1 log
20 permit ip any any (15 matches)
R1#
R5#telnet 1.1.1.1
Trying 1.1.1.1 ... Open
Username: ips-user
Password: cisco
R1>exit
[Connection to 1.1.1.1 closed by foreign host]
R1#ping
Protocol [ip]:
Target IP address: 4.4.4.4
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]: 1
Extended commands [n]: yes
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]: yes
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: t
Number of timestamps [ 9 ]: 1
Loose, Strict, Record, Timestamp, Verbose[TV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4.4.4.4, timeout is 1 seconds:
Reply data will be validated
Packet has IP options: Total option bytes= 8, padded length=8
Timestamp: Type 0. Overflows: 0 length 8, ptr 5
>>Current pointer<<
Time= 17:00:00.000 PDT (00000000)
Reply to request 0 (12 ms). Received packet has options
Total option bytes= 8, padded length=8
Timestamp: Type 0. Overflows: 7 length 8, ptr 9
Time= 15:45:18.510 PDT (04E1FA2E)
>>Current pointer<<
Success rate is 100 percent (1/1), round-trip min/avg/max = 12/12/12 ms
R1#ping
Protocol [ip]:
Target IP address: 4.4.4.4
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]: 1
Extended commands [n]: yes
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]: yes
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: t
Number of timestamps [ 9 ]: 1
Loose, Strict, Record, Timestamp, Verbose[TV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 4.4.4.4, timeout is 1 seconds:
Reply data will be validated
Packet has IP options: Total option bytes= 8, padded length=8
Timestamp: Type 0. Overflows: 0 length 8, ptr 5
>>Current pointer<<
Time= 17:00:00.000 PDT (00000000)
Request 0 timed out
Success rate is 0 percent (0/1)
R1#
LAB 6
Instructions
Verify that all configurations have been cleared, before
you load initial configurations onto the lab routers,
backbone routers and switches. There are no initial
configurations for the ASA and IPS. You will be required
to configure these devices in the practice lab, just as you
will be required to do so in the actual lab exam.
ASDM and SDM are not available in the actual lab exam.
The ACS workstation is used in this lab as the candidate PC
as well as the ACS server. The IP address of the ACS
cannot be changed.
There is a test PC available in the practice labs as well
as the actual lab. The IP address of the rack interface
test PC may be changed through the desktop application. For
both PCs, you may add/remove static routes for connectivity
as described in the lab. Do not change the default route
on the ACS or the test PC, as you may lose connectivity.
Always remember to Apply changes and Save your configs
often!
Unless otherwise specified, use only the existing networks
within your lab. Additional networks, static and/or
default routes, may not be configured unless specified in a
task.
When creating passwords, use cisco unless indicated
otherwise in a specific task. Refer to the Remote Rack
Access FAQ PDF for cabling, ACS and IPS Access and other
commonly asked questions. The document is located here:
http://www.ccbootcamp.com/download
Sections:
1. ASA Firewalls
2. IOS Firewalls
3. VPNs
4. IPS
5. Identity Management
6. Control/Management Plane Security
7. Advanced Security
8. Network Attack Mitigation
[Topology diagram (image not extracted); labels recovered from the figure:]
  Devices: ACS PC (.101), R1 through R8, SW1, SW2, BB1 (.99), BB2 (.252),
  ASA1 (Inside, DMZ1, DMZ2, Outside), ASA2 contexts C1 and C2 (Inside, Outside),
  IPS C&C (.50). ASA interfaces are E0/0 subinterfaces (E0/0.v).
  VLAN 168 192.168.2.0    VLAN 77 172.16.77.0     VLAN 99 172.16.99.0
  VLAN 44 172.16.44.0     VLAN 22 24.234.22.0     VLAN 252 24.234.252.0
  VLAN 111 24.234.111.0   VLAN 121 24.234.121.0   VLAN 222 24.234.222.0
  VLAN 88 172.16.88.0     VLAN 55 172.16.55.0
  Frame Relay 24.234.100.0; OSPF Area 0 and OSPF Area 1.
Router   Fa0/0 to     Fa0/1 to
R1       SW1 Fa0/1    SW2 Fa0/1
R2       SW1 Fa0/2    SW2 Fa0/2
R3       SW1 Fa0/3    SW2 Fa0/3
R4       SW1 Fa0/4    SW2 Fa0/4
R5       SW1 Fa0/5    SW2 Fa0/5
R6       SW1 Fa0/6    SW2 Fa0/6
BB1      SW1 Fa0/9    SW2 Fa0/9
BB2      SW1 Fa0/10   SW2 Fa0/10

ASA01, ASA02 (E0/0 through E0/3) and the IDS (Gi0/0: sense, Gi0/1: c&c)
connect to SW1/SW2 ports Fa0/12, Fa0/14, Fa0/17, Fa0/18 and Fa0/23; the
exact port pairings are not recoverable from the extracted table.

Sensor Int.   Connected to:
G0/0          SW1 Fa0/14
Fa1/0         SW3 Fa0/4
Fa1/1         SW3 Fa0/3
Fa1/2         SW3 Fa0/2
Fa1/3         SW3 Fa0/1

2811 routers: R7 Fas0/0 to SW3 Fas0/17, R7 Fas0/1 to SW4 Fas0/17;
              R8 Fas0/0 to SW3 Fas0/18, R8 Fas0/1 to SW4 Fas0/18
Switch links: SW1 Fas0/19 and Fas0/20 to SW2 Fas0/19 and Fas0/20;
              SW3 Fas0/19 and Fas0/20 to SW4 Fas0/19 and Fas0/20
ACS PC (192.168.2.101) to SW1 Fa0/24
Section 1: ASA Firewalls
Task 1.1
4 Points
Interface   VLAN
E0/0.168    168
E0/0.22     22
E0/0.77     77
E0/0.44     44
Task 1.2
4 Points
Name      Interface   Sec. Level   IP Address            VLAN
Inside    E0/0.88     50           172.16.88.200/24      88
Outside   E0/0.111    50           24.234.111.200/24     111
Inside    E0/0.55     Default      172.16.55.200/24      55
Outside   E0/0.222    Default      24.234.222.200/24     222
4 Points
Task 1.4
4 Points
Section 2: IOS Firewalls
Task 2.1
4 Points
Direction          Permit            Limits
(not shown)        TCP, UDP, ICMP    Log all traffic
Outside->Inside    TCP, ICMP
4 Points
R3 should explicitly deny and log all traffic from the VLAN
121 network.
Telnet, ICMP and HTTP from the rest of the network should
be allowed to VLAN 121 with the following restrictions:
o All telnet sessions will be logged.
o A total maximum of 200 half-formed sessions should be
allowed. If this is exceeded, new half-formed sessions should be dropped.
o When the number of half-formed sessions falls below 100
the dropping behavior should stop.
o A maximum of 50 half-formed TCP sessions per host are
allowed. If this is exceeded, no more connections to that
host are to be allowed for 5 minutes.
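The half-open session limits above map onto the IOS zone-based firewall's inspect parameter-map: max-incomplete high/low give the aggregate start-dropping and stop-dropping thresholds, and tcp max-incomplete host with block-time gives the per-host limit and its block period. The configuration below is an added example for this task, not the workbook's own solution; the zone, class-map, policy-map and ACL names and which R3 interface faces VLAN 121 are assumptions.

```ios
! Added example (not the workbook's answer key). Zone, class-map,
! policy-map and ACL names and the interface assignments are assumed.
!
! Explicitly deny and log every packet sourced from VLAN 121 (24.234.121.0/24)
ip access-list extended DENY_FROM_VLAN121
 deny   ip 24.234.121.0 0.0.0.255 any log
 permit ip any any
!
! Aggregate half-open limits: drop new half-open sessions above 200,
! stop dropping once the count falls below 100; per host, more than
! 50 half-open TCP sessions blocks new connections to that host for
! 5 minutes (block-time is in minutes).
parameter-map type inspect VLAN121_LIMITS
 max-incomplete high 200
 max-incomplete low 100
 tcp max-incomplete host 50 block-time 5
!
! Same limits for telnet, plus an audit trail so every session is logged
parameter-map type inspect VLAN121_TELNET_LIMITS
 max-incomplete high 200
 max-incomplete low 100
 tcp max-incomplete host 50 block-time 5
 audit-trail on
!
class-map type inspect match-any TO_VLAN121_TELNET
 match protocol telnet
class-map type inspect match-any TO_VLAN121_OTHER
 match protocol icmp
 match protocol http
!
policy-map type inspect TO_VLAN121
 class type inspect TO_VLAN121_TELNET
  inspect VLAN121_TELNET_LIMITS
 class type inspect TO_VLAN121_OTHER
  inspect VLAN121_LIMITS
 class class-default
  drop log
!
zone security VLAN121
zone security NETWORK
zone-pair security NETWORK_TO_VLAN121 source NETWORK destination VLAN121
 service-policy type inspect TO_VLAN121
!
! Assumed: FastEthernet0/0 faces VLAN 121, FastEthernet0/1 the rest of the network
interface FastEthernet0/0
 zone-member security VLAN121
 ip access-group DENY_FROM_VLAN121 in
interface FastEthernet0/1
 zone-member security NETWORK
```

No zone-pair exists from VLAN121 to NETWORK, so traffic initiated from VLAN 121 is dropped by the firewall as well as logged by the ACL; return traffic for inspected sessions is still allowed. The counters can be checked with show policy-map type inspect zone-pair NETWORK_TO_VLAN121 and show ip access-lists DENY_FROM_VLAN121.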
Task 2.3
4 Points
4 Points
Section 3: VPNs
Task 3.1
4 Points
4 Points
4 Points
Task 3.4
4 Points
Section 4: IPS
Task 4.1
4 Points
IPS (C&C)       Gateway          Managed by       Mgmt. SSL port
172.16.77.50    172.16.77.100    192.168.2.101    10443
Verify that you can connect to and manage the IPS from the
ACS server. You are allowed to make necessary changes to
ASA1 and add a route to the ACS server to accomplish this.
Create sig1, rules1, and ad1 which should be clones of the
existing sig0, rules0 and ad0.
Create virtual sensor vs1 and assign sig1, rules1 and ad1
to it.
Task 4.2
4 Points
Task 4.3
4 Points
4 Points
4 Points
Section 5: Identity Management
Task 5.1
4 Points
4 Points
Section 6:
Task 6.1
4 Points
Section 7: Advanced Security
4 Points
Section 8:
Task 8.1
4 Points
4 Points
Section 1: ASA Firewalls
Task 1.1
4 Points
Interface   VLAN
E0/0.168    168
E0/0.22     22
E0/0.77     77
E0/0.44     44
Task 1.2
4 Points
Name      Interface   Security Level   IP Address            VLAN
Inside    E0/0.88     50               172.16.88.200/24      88
Outside   E0/0.111    50               24.234.111.200/24     111
Inside    E0/0.55     Default          172.16.55.200/24      55
Outside   E0/0.222    Default          24.234.222.200/24     222
Task 1.3
4 Points
ASA2/c2(config)# nat-control
ASA2/c2(config)#
ASA2/c2(config)# access-list R5_R6 permit tcp host 172.16.55.5 host 24.234.100.6 eq telnet
ASA2/c2(config)# nat (inside) 1 access-list R5_R6
ASA2/c2(config)# global (outside) 1 24.234.222.5
INFO: Global 24.234.222.5 will be Port Address Translated
ASA2/c2(config)# access-list R5_R3 permit tcp host 172.16.55.5 host 24.234.100.3 eq telnet
ASA2/c2(config)# nat (inside) 2 access-list R5_R3
ASA2/c2(config)# global (outside) 2 24.234.222.55
INFO: Global 24.234.222.77 will be Port Address Translated
ASA2/c2(config)#
ASA2/c2(config)# nat (inside) 3 172.16.55.0 255.255.255.0
ASA2/c2(config)# global (outside) 3 interface
INFO: Outside interface address added to PAT pool
Verification:
ASA1# sho xlate
2 in use, 2 most used
Global 24.234.22.101 Local 192.168.2.101
PAT Global 24.234.22.100(2323) Local 192.168.2.1(23)
R2#telnet 24.234.22.100 2323
Trying 24.234.22.100, 2323 ... Open
R5#telnet 24.234.100.6
Trying 24.234.100.6 ... Open
Task 1.4
4 Points
Verification:
ASA1# sho failover
Failover On
Failover unit Primary
Failover LAN Interface: FAIL Ethernet0/1 (Failed - No Switchover)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 8.0(4), Mate Unknown
Last Failover at: 08:19:07 UTC May 7 2009
This host: Primary - Active
Active time: 44 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface Inside (192.168.2.100): Normal (Waiting)
Interface Outside (24.234.22.100): Normal (Waiting)
Interface DMZ1 (172.16.77.100): Normal (Not-Monitored)
Interface DMZ2 (172.16.44.100): Normal (Waiting)
slot 1: empty
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: empty
Interface Inside (192.168.2.125): Unknown (Waiting)
Interface Outside (24.234.22.125): Unknown (Waiting)
Interface DMZ1 (172.16.77.125): Unknown (Not-Monitored)
Interface DMZ2 (172.16.44.125): Unknown (Waiting)
slot 1: empty
Stateful Failover Logical Update Statistics
        Link : FAIL Ethernet0/1 (Failed)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         0          0          0          0
        sys cmd         0          0          0          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
Section 2: IOS Firewalls
Task 2.1
4 Points
(task table residue; recoverable entries only) Permit: TCP, UDP, ICMP. Limits: log all traffic. Outside->Inside: TCP, ICMP.
R4(config-pmap-c)#exit
R4(config-pmap)#zone-pair security INSIDE_OUTSIDE source Inside destination Outside
R4(config-sec-zone-pair)#service-policy type inspect INSIDE_OUTSIDE
R4(config-sec-zone-pair)#
R4(config-sec-zone-pair)#parameter-map type inspect OUTSIDE_INSIDE_TCP
R4(config-profile)#one-minute high 100
%Also resetting low threshold from [unlimited] to [100]
R4(config-profile)#one-minute low 50
R4(config-profile)#exit
R4(config)#
R4(config)#class-map type inspect OUTSIDE_INSIDE_TCP
R4(config-cmap)#match protocol tcp
R4(config-cmap)#exit
R4(config)#class-map type inspect OUTSIDE_INSIDE_ICMP
R4(config-cmap)#match protocol icmp
R4(config-cmap)#exit
R4(config)#policy-map type inspect OUTSIDE_INSIDE
R4(config-pmap)#class OUTSIDE_INSIDE_TCP
R4(config-pmap-c)#inspect OUTSIDE_INSIDE_TCP
R4(config-pmap-c)#exit
R4(config-pmap)#class OUTSIDE_INSIDE_ICMP
R4(config-pmap-c)#inspect
R4(config-pmap-c)#police rate 8000 burst 2000
R4(config-pmap-c)#
R4(config-pmap-c)#zone-pair security OUTSIDE_INSIDE source Outside destination Inside
R4(config-sec-zone-pair)#service-policy type inspect OUTSIDE_INSIDE
Verification:
ASA1# ping 172.16.99.99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.99, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
*May 7 17:10:45.907: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)(INSIDE_OUTSIDE:INSIDE_OUTSIDE):Start icmp session: initiator (172.16.44.100:8) -- responder (172.16.99.99:0)
*May 7 17:10:56.099: %FW-6-SESS_AUDIT_TRAIL: (target:class)(INSIDE_OUTSIDE:INSIDE_OUTSIDE):Stop icmp session: initiator (172.16.44.100:8) sent 360 bytes -- responder (172.16.99.99:0) sent 360 bytes
BB1#ping 24.234.100.2 repeat 20
Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 24.234.100.2, timeout is 2 seconds:
!!!!!!!!.!!!!!!!!.!!
Success rate is 90 percent (18/20), round-trip min/avg/max = 1/2/4 ms
R4#sho policy-map type inspect zone-pair OUTSIDE_INSIDE
Zone-pair: OUTSIDE_INSIDE
Police
rate 8000 bps,2000 limit
conformed 86 packets, 10148 bytes; actions: transmit
exceeded 4 packets, 472 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Task 2.2
4 Points
R3 should explicitly deny and log all traffic from the VLAN 121 network.
Telnet, ICMP and HTTP from the rest of the network should be allowed to VLAN 121 with the following restrictions:
o All telnet sessions will be logged.
o A total maximum of 200 half-open sessions should be allowed. If this is exceeded they should be dropped.
o When the number of half-open sessions falls below 100 the dropping behavior should stop.
o A maximum of 50 half-open TCP sessions per host are allowed. If this is exceeded no more connections to that host are to be allowed for 5 minutes.
R3(config)#ip access-list extended CBAC
R3(config-ext-nacl)#deny ip any any log-input
R3(config-ext-nacl)#
R3(config-ext-nacl)#ip inspect name CBAC telnet audit-trail on
R3(config)#ip inspect name CBAC http
R3(config)#ip inspect name CBAC icmp
R3(config)#ip inspect max-incomplete high 200
%Also resetting low threshold from [unlimited] to [200]
R3(config)#ip inspect max-incomplete low 100
R3(config)#ip inspect tcp max-incomplete host 50 block-time 5
R3(config)#
R3(config)#int fa0/0.121
R3(config-subif)#ip access-group CBAC in
R3(config-subif)#ip inspect CBAC out
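Added example, not part of the workbook: a Python model of the half-open session limits the task above has R3 enforce (200/100 aggregate thresholds with hysteresis, 50 per destination host with a 5-minute block), run over constructed traffic so the interaction of the two limits can be traced. The HalfOpenMonitor class, the host addresses and the timings are constructed for illustration, and the drop-on-exceed reading follows the task's wording rather than the exact IOS deletion behaviour.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class HalfOpenMonitor:
    """Constructed model of the half-open (embryonic) TCP session limits
    the task sets on R3 with `ip inspect max-incomplete high/low` and
    `ip inspect tcp max-incomplete host ... block-time`."""
    high: int = 200             # start dropping new half-open sessions above this total
    low: int = 100              # stop dropping once the total has fallen below this
    host_max: int = 50          # half-open sessions allowed per destination host
    block_time_s: int = 5 * 60  # the task's block-time of 5 minutes, in seconds
    total: int = 0
    per_host: Counter = field(default_factory=Counter)
    blocked_until: dict = field(default_factory=dict)
    aggressive: bool = False    # True while the aggregate limit is being enforced
    log: list = field(default_factory=list)

    def syn(self, host: str, now: float) -> bool:
        """A new connection attempt toward `host` at time `now` (seconds).
        Returns True if it may open a half-open session, False if dropped."""
        if self.blocked_until.get(host, 0.0) > now:
            return self._drop(now, f"SYN to {host}: host is blocked")
        if self.aggressive:
            return self._drop(now, f"SYN to {host}: aggregate limit active")
        if self.per_host[host] >= self.host_max:
            # The attempt that would exceed host_max trips the block; every
            # further attempt toward this host is dropped until it expires.
            self.blocked_until[host] = now + self.block_time_s
            return self._drop(now, f"SYN to {host}: per-host limit, blocked "
                                   f"for {self.block_time_s}s")
        if self.total >= self.high:
            # Admitting this one would exceed `high`: drop it and keep dropping
            # until the total has fallen below `low` (hysteresis).
            self.aggressive = True
            return self._drop(now, "aggregate limit exceeded, aggressive mode on")
        self.total += 1
        self.per_host[host] += 1
        return True

    def close(self, host: str, now: float) -> None:
        """A half-open session toward `host` completed the handshake or timed out."""
        if self.per_host[host] == 0:
            raise ValueError(f"no half-open session toward {host}")
        self.per_host[host] -= 1
        self.total -= 1
        if self.aggressive and self.total < self.low:
            self.aggressive = False
            self.log.append(f"t={now:.0f}s total {self.total} < low, aggressive mode off")

    def _drop(self, now: float, why: str) -> bool:
        self.log.append(f"t={now:.0f}s drop {why}")
        return False


def run_task_scenario() -> dict:
    """Constructed traffic toward VLAN 121 hosts: a SYN sweep over 250
    destinations, then a burst of 60 SYNs at one destination."""
    mon = HalfOpenMonitor()
    sweep_allowed = sum(mon.syn(f"24.234.121.{i + 1}", now=i * 0.01) for i in range(250))
    # 101 of the embryonic sessions time out, taking the total from 200 to 99
    for i in range(101):
        mon.close(f"24.234.121.{i + 1}", now=30.0)
    recovered = mon.syn("24.234.121.251", now=31.0)

    burst = HalfOpenMonitor()   # fresh counters so only the per-host limit applies
    burst_allowed = sum(burst.syn("24.234.121.11", now=40.0 + i * 0.01) for i in range(60))
    for _ in range(50):
        burst.close("24.234.121.11", now=70.0)  # they time out, but the block stays
    during_block = burst.syn("24.234.121.11", now=340.0)
    after_block = burst.syn("24.234.121.11", now=341.0)
    return {
        "sweep_allowed": sweep_allowed, "sweep_dropped": 250 - sweep_allowed,
        "recovered": recovered, "burst_allowed": burst_allowed,
        "during_block": during_block, "after_block": after_block,
        "log": mon.log + burst.log,
    }


if __name__ == "__main__":
    result = run_task_scenario()
    for line in result.pop("log"):
        print(line)
    print(result)
```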
Verification:
SW1#ping 24.234.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
*May 7 17:33:37.103: %SEC-6-IPACCESSLOGDP: list CBAC denied icmp 24.234.121.11 (FastEthernet0/0.121 001b.2b79.26c1) -> 24.234.100.2 (0/0), 1 packet
R2#telnet 24.234.121.11
Task 2.3
4 Points
Verification:
R5#telnet 24.234.100.2
Trying 24.234.100.2 ... Open
(session table residue; only one populated row survived extraction)
Server           State  Create    Timeout   Mode
24.234.100.2:23  ESTAB  00:00:05  00:59:56  I
Task 2.4
4 Points
Serial0/0/0
Service-policy input: INCOMING
Class-map: HTTP (match-any)
7 packets, 1064 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
7 packets, 1064 bytes
5 minute rate 0 bps
drop
Class-map: class-default (match-any)
59 packets, 5036 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Service-policy output: OUTGOING
Class-map: SKYPE (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 10
Match: protocol skype
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 10 (%)
Bandwidth 154 (kbps) Burst 3850 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0
Class-map: class-default (match-any)
85 packets, 5530 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Section 3: VPNs
Task 3.1
4 Points
Task 3.2
4 Points
ReqID  State    Fingerprint                       SubjectName
--------------------------------------------------------------
RA certificate requests:
ReqID  State    Fingerprint                       SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID  State    Fingerprint                       SubjectName
--------------------------------------------------------------
1      pending  2FED6D7C06052672C815AB326FC0DD4C  hostname=R2.ccbootcamp.com
R8#crypto pki server CA1 grant 1
RA certificate requests:
ReqID  State    Fingerprint                       SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID  State    Fingerprint                       SubjectName
--------------------------------------------------------------
2      pending  A23C671F7EAE36CB17174A6EB5E0EE09  hostname=ASA1
R8#crypto pki server CA1 grant 2
Task 3.3
4 Points
Task 3.4
4 Points
R3(config)#int loopback 3
R3(config-if)#ip address 3.3.3.3 255.255.255.0
R3(config-if)#exit
R3(config)#
R3(config)#crypto isakmp policy 20
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#hash sha
R3(config-isakmp)#exit
R3(config)#
R3(config)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0
R3(config)#
R3(config)#crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
R3(cfg-crypto-trans)#mode transport
R3(cfg-crypto-trans)#exit
R3(config)#
R3(config)#crypto ipsec profile DMVPN
R3(ipsec-profile)#set transform-set DMVPN
R3(ipsec-profile)#exit
R3(config)#
R3(config)#interface tunnel 0
R3(config-if)#bandwidth 1000
R3(config-if)#ip address 10.10.10.3 255.255.255.0
R3(config-if)#ip mtu 1400
R3(config-if)#ip nhrp map multicast 24.234.100.2
R3(config-if)#ip nhrp map 10.10.10.2 24.234.100.2
R3(config-if)#ip nhrp network-id 1
R3(config-if)#ip nhrp nhs 10.10.10.2
R3(config-if)#tunnel source s0/0/0
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#tunnel protection ipsec profile DMVPN
R3(config-if)#exit
R3(config)#
R3(config)#router eigrp 1
R3(config-router)#no auto
R3(config-router)#network 10.10.10.0 0.0.0.255
R3(config-router)#network 3.3.3.0 0.0.0.255
R3(config-router)#exit
R3(config)#
*May 7 22:09:49.374: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*May 7 22:09:49.710: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback3, changed state to up
*May 7 22:09:50.090: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*May 7 22:09:51.150: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.10.10.2 (Tunnel0) is up: new adjacency
R6(config)#int loopback 6
R6(config-if)#ip address 6.6.6.6 255.255.255.0
R6(config-if)#exit
R6(config)#
R6(config)#crypto isakmp policy 20
R6(config-isakmp)#authentication pre-share
R6(config-isakmp)#encryption 3des
R6(config-isakmp)#hash sha
R6(config-isakmp)#exit
R6(config)#
R6(config)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0
R6(config)#
R6(config)#crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
R6(cfg-crypto-trans)#mode transport
R6(cfg-crypto-trans)#exit
R6(config)#
R6(config)#crypto ipsec profile DMVPN
R6(ipsec-profile)#set transform-set DMVPN
R6(ipsec-profile)#exit
R6(config)#
R6(config)#interface tunnel 0
R6(config-if)#bandwidth 1000
R6(config-if)#ip address 10.10.10.6 255.255.255.0
R6(config-if)#ip mtu 1400
R6(config-if)#ip nhrp map multicast 24.234.100.2
R6(config-if)#ip nhrp map 10.10.10.2 24.234.100.2
R6(config-if)#ip nhrp network-id 1
R6(config-if)#ip nhrp nhs 10.10.10.2
R6(config-if)#tunnel source s0/0/0
R6(config-if)#tunnel mode gre multipoint
R6(config-if)#tunnel protection ipsec profile DMVPN
R6(config-if)#exit
R6(config)#
R6(config)#router eigrp 1
R6(config-router)#no auto
R6(config-router)#network 10.10.10.0 0.0.0.255
R6(config-router)#network 6.6.6.0 0.0.0.255
R6(config-router)#exit
R6(config)#
*May 7 22:08:41.393: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*May 7 22:08:41.733: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback6, changed state to up
*May 7 22:08:42.109: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*May 7 22:08:45.549: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.10.10.2 (Tunnel0) is up: new adjacency
Verification:
R6#sho ip route eigrp
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/15488000] via 10.10.10.2, 00:00:42, Tunnel0
     3.0.0.0/24 is subnetted, 1 subnets
R6#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/92/92 ms
R6#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
24.234.100.2    24.234.100.6    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
R6#sho crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 24.234.100.6
protected vrf: (none)
local ident (addr/mask/prot/port): (24.234.100.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (24.234.100.2/255.255.255.255/47/0)
current_peer 24.234.100.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
#pkts decaps: 32, #pkts decrypt: 32, #pkts verify: 32
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
R6#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/179/196 ms
R6#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
24.234.100.3    24.234.100.6    QM_IDLE           1002    0 ACTIVE
24.234.100.2    24.234.100.6    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
R6#sho crypto ipsec sa (output cut)
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (24.234.100.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (24.234.100.3/255.255.255.255/47/0)
   current_peer 24.234.100.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
Section 4: IPS
Task 4.1
4 Points
(IPS management table; the header of the first column was lost in extraction) 172.16.77.50 | Gateway: 172.16.77.100 | Managed by: 192.168.2.101 | Mgmt. SSL port: 10443
Verify that you can connect to and manage the IPS from the ACS server. You are allowed to make necessary changes to ASA1 and add a route to the ACS server to accomplish this.
Create sig1, rules1, and ad1 which should be clones of the existing sig0, rules0 and ad0.
Create virtual sensor vs1 and assign sig1, rules1 and ad1 to it.
sensor# setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current Configuration:
(cut)
4 21:24:15 2009
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:
The following configuration was entered.
(cut)
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Enter your selection[2]: 2
Configuration Saved.
Task 4.2
4 Points
SW1(config)#vlan 254
SW1(config-vlan)#remote-span
SW1(config-vlan)#exit
SW1(config)#monitor session 1 source VLAN 168
SW1(config)#monitor session 1 destination remote
SW1(config)#monitor session 1 destination remote VLAN 254
SW3(config)#monitor session 1 source remote vlan 254
SW3(config)#monitor session 1 destination interface fa0/3
SW3(config)#int fa0/2
SW3(config-if)#sw mode access
SW3(config-if)#sw access vlan 168
Verification:
BB2#ping 24.234.252.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.252.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Task 4.3
4 Points
Verification:
R1#ping 192.168.2.101 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.2.101, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms
Task 4.4
4 Points
Verification:
BB2#ping 24.234.252.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.252.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
BB2#ping 24.234.252.2 size 10000
Type escape sequence to abort.
Sending 5, 10000-byte ICMP Echos to 24.234.252.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Task 4.5
4 Points
Verification:
R2#ping 24.234.252.252 size 10000
Type escape sequence to abort.
Sending 5, 10000-byte ICMP Echos to 24.234.252.252, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
Section 5: Identity Management
4 Points
Task 5.2
4 Points
R2(config)#aaa new-model
R2(config)#aaa authentication login default group tacacs+
R2(config)#aaa authorization auth-proxy default group tacacs+
R2(config)#
R2(config)#tacacs-server host 24.234.22.101 key cisco
R2(config)#
R2(config)#access-list 101 permit tcp any host 24.234.252.252 eq www
R2(config)#ip auth-proxy name AUTHP http list 101
R2(config)#
R2(config)#ip http server
R2(config)#ip http authentication aaa
R2(config)#
R2(config)#access-list 105 deny tcp any host 24.234.252.252 eq www
R2(config)#access-list 105 permit ip any any
R2(config)#
R2(config)#int fa0/0.22
R2(config-subif)#ip access-group 105 in
R2(config-subif)#ip auth-proxy AUTHP
Verification:
(AAA)
When telnetting to R8, authentication should occur using a username of r8user with a password of cisco.
Authentication should occur locally and authorization should occur using the ACS server.
The user should be placed into privileged exec mode automatically.
r8user should only be able to issue show commands and ping to any ip address.
The copy command should be available on R8 to any user without entering privileged mode.
Verification:
R6#telnet 172.16.88.8
Trying 172.16.88.8 ... Open
(show ip interface brief on R8; the Interface and Protocol columns were lost in extraction)
IP-Address     OK? Method Status
unassigned     YES NVRAM  up
172.16.88.8    YES NVRAM  up
unassigned     YES NVRAM  administratively down
unassigned     YES NVRAM  administratively down
unassigned     YES NVRAM  administratively down
Section 6: Control/Management Plane Security
Task 6.1
4 Points
(control-plane open-ports table residue; only the Service column and four foreign-address entries survived extraction) Services: SSH-Server, Telnet, HTTP CORE, TACACS service, DHCPD Receive, NTP. Foreign address entries: 24.234.100.6(18788), listed four times.
Section 7: Advanced Security
Task 7.2
4 Points
dscp af43
Packets marked 4
Class-map: class-default (match-any)
3 packets, 282 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R6#sho policy-map interface fa0/0.222
FastEthernet0/0.222
Service-policy output: BAD_TELNET
Class-map: BAD_TELNET (match-all)
8 packets, 496 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: dscp af43 (38)
drop
Class-map: class-default (match-any)
16 packets, 1504 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Section 8: Network Attack Mitigation
Task 8.1
4 Points
(statistics table residue; columns Current(eps), Trigger, Total, 10-min, 1-hour; row labels Scanning, Bad pkts, Firewall, Interface; counter values in extraction order: Current 0; 1-hour 383, 10-min 62, 1-hour 383, 10-min 62, 1-hour 383, 10-min 71, 1-hour 429)
R1#ping 24.234.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 24.234.22.2 size 3000
Type escape sequence to abort.
Sending 5, 3000-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Task 8.2
4 Points
(Timer Status column residue, probably from show errdisable recovery: 20 entries, 19 Disabled and 1 Enabled; the reason names were lost in extraction)
(interface table residue: Trusted column = yes)

(show ip arp inspection output for VLAN 168, reconstructed from extraction residue)
Vlan  Configuration  Operation  ACL Match  Static ACL
----  -------------  ---------  ---------  ----------
 168  Enabled        Active

Vlan  ACL Logging  DHCP Logging  Probe Logging
----  -----------  ------------  -------------
 168  Deny         Deny          Off

Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
 168          0        1           1          0

Vlan  DHCP Permits  ACL Permits  Probe Permits  Source MAC Failures
----  ------------  -----------  -------------  -------------------
 168             0            0              0                    0

Vlan  IP Validation Failures
----  ----------------------
 168                       0
LAB 7
Instructions
Verify that all configurations have been cleared, before you load initial configurations onto the lab routers, backbone routers and switches. There are no initial configurations for the ASA and IPS. You will be required to configure these devices in the practice lab, just as you will be required to do so in the actual lab exam.
ASDM and SDM are not available in the actual lab exam.
The ACS workstation is used in this lab as the candidate PC as well as the ACS server. The IP address of the ACS cannot be changed.
There is a test PC available in the practice labs as well as the actual lab. The IP address of the rack interface test PC may be changed through the desktop application. For both PCs, you may add/remove static routes for connectivity as described in the LAB. Do not change the default route on the ACS or the test PC, as you may lose connectivity.
Always remember to Apply changes and Save your configs often!
Unless otherwise specified, use only the existing networks within your lab. Additional networks, static and/or default routes, may not be configured unless specified in a task.
When creating passwords, use cisco unless indicated otherwise in a specific task. Refer to the Remote Rack Access FAQ PDF for cabling, ACS and IPS Access and other commonly asked questions. The document is located here:
http://www.ccbootcamp.com/download
Sections:
1. ASA Firewalls
2. IOS Firewalls
3. VPNs
4. IPS
5. Identity Management
6. Control/Management Plane Security
7. Advanced Security
8. Network Attack Mitigation
Cabling table (reconstructed from extraction residue)

Switch  Port    Router int.  Router  Router int.  Port    Switch
SW1     Fa0/1   Fa0/0        R1      Fa0/1        Fa0/1   SW2
SW1     Fa0/2   Fa0/0        R2      Fa0/1        Fa0/2   SW2
SW1     Fa0/3   Fa0/0        R3      Fa0/1        Fa0/3   SW2
SW1     Fa0/4   Fa0/0        R4      Fa0/1        Fa0/4   SW2
SW1     Fa0/5   Fa0/0        R5      Fa0/1        Fa0/5   SW2
SW1     Fa0/6   Fa0/0        R6      Fa0/1        Fa0/6   SW2
SW1     Fa0/9   Fa0/0        BB1     Fa0/1        Fa0/9   SW2
SW1     Fa0/10  Fa0/0        BB2     Fa0/1        Fa0/10  SW2

ASA1, ASA2 and IDS entries (column order lost in extraction): SW1 Fa0/12, E0/0, E0/2, Fa0/12 SW2, Fa0/14 SW2, E0/3, Fa0/17 SW2, E0/2, Fa0/18 SW2, E0/3, Fa0/23 SW2, ASA01 Gi0/0: sense, SW1 Fa0/14, SW1 Fa0/17 E0/1, SW1 Fa0/18 E0/0 IDS, IDS Gi0/1: c&c, ASA01, ASA02 SW1 E0/1 Fa0/23 ASA02

Inter-switch links (probable reading of the residue): SW1-SW2 Fas0/19-Fas0/19 and Fas0/20-Fas0/20; SW3-SW4 Fas0/19-Fas0/19 and Fas0/20-Fas0/20

Sensor Int.  Connected to:
G0/0         SW1 Fa0/14
Fa1/0        SW3 Fa0/4
Fa1/1        SW3 Fa0/3
Fa1/2        SW3 Fa0/2
Fa1/3        SW3 Fa0/1

R7 (2811), probable reading of the residue: Fas0/0 to SW3 Fas0/17, Fas0/1 to SW4 Fas0/17
R8 (2811), probable reading of the residue: Fas0/0 to SW3 Fas0/18, Fas0/1 to SW4 Fas0/18
ACS PC (192.168.2.101): SW1 Fa0/24
Topology diagram (image; only its labels survived extraction, listed in extraction order): R8; ACS PC .101; VLAN 2 192.168.2.0/24; ASA1 inside e0/1 (.10), outside e0/0; BB1, BB2 (.9, .9); Int G0/1 .250; XP Test PC .102; VLAN 100 172.19.100.0/24; VLAN 101 10.88.101.0/24; inside e0/1.v, dmz e0/1.v; VLAN 66 22.222.6.0/24; VLAN 77 22.222.7.0/24; IPS Inline G0/0.1, IPS Inline Fa1/0; ASA2 context perim (.20), outside e0/0; VLAN 10 22.222.10.0/24; VLAN 5 22.222.5.0/24; IPS Inline G0/0.1, IPS Inline Fa1/1; R1; VLAN 6 22.222.6.0/24; VLAN 7 22.222.7.0/24; VLAN 12 22.222.12.0/24; R6, R7 (S0/0/0, S0/0/0); R5; VLAN 45 22.222.45.0/24; Frame Relay 22.222.67.0/24; R2, R4; VLAN 23 22.222.23.0/24; S0/0/0; VLAN 34 22.222.34.0/24; R3.
Task 1.3
4 Points
Real Int.  Mapped Int.  Real IP:PORT #                Mapped IP:PORT#
INSIDE     OUTSIDE      ACS IP address                22.222.10.101
INSIDE     OUTSIDE      R8 Fa0/0.2                    22.222.10.8
INSIDE     OUTSIDE      R8 Loopback 0                 22.222.10.18
INSIDE     OUTSIDE      any                           OUTSIDE Interface
DMZ        OUTSIDE      172.19.100.250:TCP port 7000  22.222.5.250:TCP port 8000
4 Points
Enable SSH on R8
On ASA1, configure the following:
o Permit all ICMP and SSH to R8 Loopback 0, R8 Fa0/0.2 and the ACS PC. Configure a 1 line access-list to accomplish this.
o Prioritize SSH to R8 Loopback 0
o Rate limit ICMP to the ACS PC to 8,000 bps
Section 3: VPNs
Task 3.1
4 Points
Task 3.3
4 Points
Section 4: IPS
Task 4.1
4 Points
Task 4.3
4 Points
Task 5.3
4 Points
13
www.ccbootcamp.com
Toll Free 877.654.2243
sales@ccbootcamp.com
Copyright 2009, Network Learning, Incorporated
www.CareerCert.info
4 Points
14
www.ccbootcamp.com
Toll Free 877.654.2243
sales@ccbootcamp.com
Copyright 2009, Network Learning, Incorporated
www.CareerCert.info
4 Points
4 Points
4 Points
4 Points
4 Points
R8#
R8#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
O E2    1.1.1.0 [110/20] via 192.168.2.10, 00:02:30, FastEthernet0/0.2
O E2 2.0.0.0/8 [110/20] via 192.168.2.10, 00:02:30, FastEthernet0/0.2
     3.0.0.0/24 is subnetted, 1 subnets
O E2    3.3.3.0 [110/20] via 192.168.2.10, 00:02:30, FastEthernet0/0.2
     4.0.0.0/24 is subnetted, 1 subnets
O E2    4.4.4.0 [110/20] via 192.168.2.10, 00:02:30, FastEthernet0/0.2
     5.0.0.0/24 is subnetted, 1 subnets
O E2    5.5.5.0 [110/20] via 192.168.2.10, 00:02:30, FastEthernet0/0.2
     6.0.0.0/24 is subnetted, 1 subnets
O E2    6.6.6.0 [110/20] via 192.168.2.10, 00:02:31, FastEthernet0/0.2
     22.0.0.0/24 is subnetted, 9 subnets
O E2    22.222.67.0 [110/20] via 192.168.2.10, 00:02:31, FastEthernet0/0.2
O E2    22.222.10.0 [110/20] via 192.168.2.10, 00:02:33, FastEthernet0/0.2
O E2    22.222.12.0 [110/20] via 192.168.2.10, 00:02:33, FastEthernet0/0.2
O E2    22.222.5.0 [110/20] via 192.168.2.10, 00:02:33, FastEthernet0/0.2
O E2    22.222.6.0 [110/20] via 192.168.2.10, 00:02:33, FastEthernet0/0.2
O E2    22.222.7.0 [110/20] via 192.168.2.10, 00:02:33, FastEthernet0/0.2
O E2    22.222.23.0 [110/20] via 192.168.2.10, 00:02:33, FastEthernet0/0.2
O E2    22.222.45.0 [110/20] via 192.168.2.10, 00:02:33, FastEthernet0/0.2
O E2    22.222.34.0 [110/20] via 192.168.2.10, 00:02:33, FastEthernet0/0.2
     7.0.0.0/24 is subnetted, 1 subnets
O E2    7.7.7.0 [110/20] via 192.168.2.10, 00:02:33, FastEthernet0/0.2
     8.0.0.0/24 is subnetted, 1 subnets
C       8.8.8.0 is directly connected, Loopback0
C    192.168.2.0/24 is directly connected, FastEthernet0/0.2
R8#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R8#
Task 1.2
4 Points
Do
Task 1.3
4 Points
Real Int.   Mapped Int.   Real IP:PORT #                  Mapped IP:PORT#
INSIDE      OUTSIDE       ACS IP address                  22.222.10.101
INSIDE      OUTSIDE       R8 Fa0/0.2                      22.222.10.8
INSIDE      OUTSIDE       R8 Loopback 0                   22.222.10.18
INSIDE      OUTSIDE       any                             OUTSIDE Interface
DMZ         OUTSIDE       172.19.100.250:TCP port 7000    22.222.5.250:TCP port 8000
Task 1.4
4 Points
Enable SSH on R8
On ASA1, configure the following:
o Permit all ICMP and SSH to R8 Loopback 0, R8 Fa0/0.2 and
the ACS PC. Configure a 1 line access-list to accomplish
this.
o Prioritize SSH to R8 Loopback 0
o Rate limit ICMP to the ACS PC to 8,000 bps
R8(config)#ip domain-name ccbootcamp.com
R8(config)#crypto key generate rsa modulus 1024
The name for the keys will be: R8.ccbootcamp.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R8(config)#
*May 12 03:47:35.471: %SSH-5-ENABLED: SSH 1.99 has been enabled
R8(config)#ip ssh ver 2
R8(config)#username user-1.4 password cisco
R8(config)#line vty 0 4
R8(config-line)#login local
ASA1(config)# object-group network R8_ACS_GLOBAL
ASA1(config-network)# network-object host 22.222.10.101
ASA1(config-network)# network-object host 22.222.10.18
ASA1(config-network)# network-object host 22.222.10.8
ASA1(config-network)# exit
ASA1(config)# object-group service SERVICES
ASA1(config-service)# service-object icmp
ASA1(config-service)# service-object tcp eq ssh
ASA1(config-service)# exit
ASA1(config)# access-list outside line 1 extended permit object-group SERVICES any object-group R8_ACS_GLOBAL
ASA1(config)# access-group outside in interface outside
ASA1(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside; 6 elements
access-list outside line 1 extended permit object-group SERVICES any object-group R8_ACS_GLOBAL 0x1dc02b1c
access-list outside line 1 extended permit icmp any host 22.222.10.101 (hitcnt=0) 0xd09f23cb
access-list outside line 1 extended permit icmp any host 22.222.10.18 (hitcnt=0) 0xd85414f7
access-list outside line 1 extended permit icmp any host 22.222.10.8 (hitcnt=0) 0x182eac7f
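The single configured line satisfies the task because the ASA expands every combination of the two object-groups into its own access control entry, which is why show access-list reports 6 elements (3 hosts times 2 services) for one line. The Python model below is an added example, not part of the workbook and not Cisco tooling: it performs the same expansion, renders it in the shape of the show access-list output above, and evaluates sample flows against the expanded list with the implicit deny the ASA applies at the end. The object-group contents are taken from the configuration above; the sample flows are constructed.

```python
"""Expansion of an ASA object-group ACE into individual ACEs and first-match
evaluation with the implicit deny.

Added example modelled on the 'access-list outside' configuration in the
workbook; object-group members are the page's, sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from itertools import product
from typing import Optional

# object-group service SERVICES: protocol plus destination port (None = not applicable/any)
SERVICES = [("icmp", None), ("tcp", 22)]

# object-group network R8_ACS_GLOBAL: the three mapped addresses from the page
R8_ACS_GLOBAL = ["22.222.10.101", "22.222.10.18", "22.222.10.8"]


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "icmp", "tcp", "udp" or "ip"
    dst: Optional[str]     # destination host address, None means "any"
    dport: Optional[int]   # destination port, None means any port / not applicable

    def matches(self, proto: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst is not None and ip_address(self.dst) != ip_address(dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def render(self, name: str, line: int) -> str:
        """Render the ACE the way 'show access-list' prints expanded elements."""
        dst = "any" if self.dst is None else f"host {self.dst}"
        port = "" if self.dport is None else f" eq {self.dport}"
        return f"access-list {name} line {line} extended {self.action} {self.proto} any {dst}{port}"


def expand_object_group_ace(services, hosts, action="permit"):
    """One object-group ACE becomes the cross product of its members; the
    length of the result is the element count the ASA reports."""
    return [Ace(action, proto, host, port)
            for (proto, port), host in product(services, hosts)]


def evaluate(acl, proto, dst, dport=None):
    """First-match evaluation; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(proto, dst, dport):
            return ace.action
    return "deny"


def render_show_access_list(name, acl):
    lines = [f"access-list {name}; {len(acl)} elements"]
    lines += [ace.render(name, 1) for ace in acl]   # all elements belong to line 1
    return "\n".join(lines)


OUTSIDE_ACL = expand_object_group_ace(SERVICES, R8_ACS_GLOBAL)

if __name__ == "__main__":
    print(render_show_access_list("outside", OUTSIDE_ACL))
    # Constructed flows: SSH and ICMP to the permitted hosts, telnet to one of
    # them, and the DMZ static from the NAT table, which this line does not cover.
    for flow in [("tcp", "22.222.10.18", 22), ("icmp", "22.222.10.101", None),
                 ("tcp", "22.222.10.18", 23), ("tcp", "22.222.5.250", 8000)]:
        print(flow, "->", evaluate(OUTSIDE_ACL, *flow))
```

Note that the expansion only covers what the object-groups name: a connection from the outside to the DMZ static (22.222.5.250 on TCP port 8000 in the Task 1.3 table) falls through to the implicit deny of this access-list, so that translation needs its own permit if it is to be reachable.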
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found
at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1113A3JK
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
R8>exit
[Connection to 22.222.10.8 closed by foreign host]
R1#ping 22.222.10.101 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 22.222.10.101, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!.!
Success rate is 94 percent (94/100), round-trip min/avg/max = 1/1/4 ms
R1#
ASA1(config)# show priority statistics
Priority-Queue Statistics interface inside

Queue Type         = BE
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 1380
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0

Queue Type         = LLQ
Tail Drops         = 0
Reset Drops        = 0
Packets Transmit   = 46
Packets Enqueued   = 0
Current Q Length   = 0
Max Q Length       = 0
ASA1(config)#
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: icmp, packet 239, drop 0, reset-drop 0
Class-map: CMAP_SSH_PRIORITY
Priority:
Interface inside: aggregate drop 0, aggregate transmit 46
Priority:
Interface outside: aggregate drop 0, aggregate transmit 0
Class-map: CMAP_ICMP_POLICE
Output police Interface inside:
cir 8000 bps, bc 1500 bytes
conformed 94 packets, 10716 bytes; actions: transmit
exceeded 5 packets, 570 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Output police Interface outside:
cir 8000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
conformed 0 bps, exceed 0 bps
Class-map: class-default
Default Queueing
ASA1(config)#
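The CMAP_ICMP_POLICE counters above (cir 8000 bps, bc 1500 bytes; 94 packets conformed, 5 exceeded) are the result of a single-rate token bucket: each packet spends its size in bytes from a bucket that holds at most bc bytes and refills at cir, and a packet that finds too few tokens takes the exceed action. The Python simulation below is an added example, not the workbook's configuration and not a Cisco tool; it applies that algorithm to streams of 114-byte ICMP echoes (the per-packet size the counters imply, 10716 bytes over 94 packets) at constructed arrival spacings, so the effect of the 8,000 bps limit can be seen for a burst, for an offered rate above the limit, and at exactly the limit.

```python
"""Single-rate token-bucket policer with the parameters the workbook's
show service-policy output reports for CMAP_ICMP_POLICE: cir 8000 bps,
bc 1500 bytes.

Added example, not the workbook's configuration or a Cisco tool. Time is
kept in integer milliseconds so the arithmetic is exact; the arrival
timings of the sample streams are constructed.
"""


class TokenBucketPolicer:
    """Committed-rate policer: a bucket of bc_bytes refilled at cir_bps."""

    def __init__(self, cir_bps: int, bc_bytes: int):
        self.cir_bps = cir_bps
        self.bc_bytes = bc_bytes
        self.tokens = bc_bytes            # the bucket starts full
        self.last_ms = 0
        self.conformed = self.exceeded = 0
        self.conformed_bytes = self.exceeded_bytes = 0

    def offer(self, ts_ms: int, size: int) -> str:
        """Police one packet of `size` bytes arriving at `ts_ms` milliseconds."""
        elapsed = max(0, ts_ms - self.last_ms)
        refill = elapsed * self.cir_bps // 8000     # bytes earned since the last packet
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last_ms = ts_ms
        if size <= self.tokens:                     # conform action: transmit
            self.tokens -= size
            self.conformed += 1
            self.conformed_bytes += size
            return "transmit"
        self.exceeded += 1                          # exceed action: drop, no tokens spent
        self.exceeded_bytes += size
        return "drop"

    def summary(self) -> str:
        return (f"conformed {self.conformed} packets, {self.conformed_bytes} bytes; "
                f"exceeded {self.exceeded} packets, {self.exceeded_bytes} bytes")


# Per-echo size the page's counters imply: 10716 bytes / 94 packets = 114 bytes
# (a 100-byte IOS echo datagram plus its 14-byte Ethernet header).
ICMP_ECHO_BYTES = 114


def police_stream(cir_bps, bc_bytes, count, interval_ms, size=ICMP_ECHO_BYTES):
    """Offer `count` packets spaced `interval_ms` apart; return (policer, decisions)."""
    policer = TokenBucketPolicer(cir_bps, bc_bytes)
    decisions = [policer.offer(i * interval_ms, size) for i in range(count)]
    return policer, decisions


def conformed_count(cir_bps, bc_bytes, count, interval_ms, size=ICMP_ECHO_BYTES):
    """Number of packets the policer would transmit for such a stream."""
    return police_stream(cir_bps, bc_bytes, count, interval_ms, size)[0].conformed


if __name__ == "__main__":
    streams = [("100 echoes back to back", 0),
               ("100 echoes, one every 50 ms (about 18 kbps offered)", 50),
               ("100 echoes, one every 114 ms (exactly 8 kbps offered)", 114)]
    for label, interval in streams:
        policer, decisions = police_stream(8000, 1500, 100, interval)
        trace = "".join("!" if d == "transmit" else "." for d in decisions)
        print(f"{label}: {policer.summary()}")
        print("  " + trace)
```

Run stand-alone, the script prints a conform/exceed summary and a ping-style trace of "!" and "." for each stream. The page's 94/5 split is consistent with this model: IOS ping waits up to the 2-second timeout after each unanswered echo before sending the next, and in two seconds the bucket refills completely (2000 bytes against a 1500-byte depth), so each drop is followed by a fresh run of successes rather than a sustained loss.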
4 Points
Task 2.2
4 Points
Task 2.3
4 Points
Task 2.4
4 Points
Section 3: VPNs
Task 3.1
4 Points
Task 3.2
4 Points
R8(gdoi-sa-ipsec)#profile PROF-GDOI-Group1
R8(gdoi-sa-ipsec)#match address ipv4 199
R8(gdoi-sa-ipsec)#replay
May 12 05:46:32.307: %GDOI-5-KS_REKEY_TRANS_2_UNI: Group group1 transitioned
to Unicast Rekey.
R8(gdoi-sa-ipsec)#replay counter window-size 64
R8(gdoi-sa-ipsec)#address ipv4 192.168.2.8
R8(gdoi-local-server)#redundancy
R8(gdoi-coop-ks-config)#local priority 2
R8(gdoi-coop-ks-config)#peer address ipv4 22.222.45.5
R8(gdoi-coop-ks-config)#exit
R8(gdoi-local-server)#
R8(gdoi-local-server)#access-list 199 permit icmp host 2.2.2.2 host 3.3.3.3
R8(config)#access-list 199 permit ic
May 12 05:46:34.999: %GDOI-5-COOP_KS_ADD: 22.222.45.5 added as COOP Key
Server in group group1.
R8(config)#access-list 199 permit icmp host 3.3.3.3 host 2.2.2.2
R8(config)#
R2(config-isakmp)#encr aes
R2(config-isakmp)#hash sha
R2(config-isakmp)#authentication rsa-sig
R2(config-isakmp)#group 5
R2(config-isakmp)#exit
R2(config)#crypto gdoi group group1
R2(config-gdoi-group)#identity number 1
R2(config-gdoi-group)#server address ipv4 192.168.2.8
R2(config-gdoi-group)#server address ipv4 22.222.45.5
R2(config-gdoi-group)#exit
R2(config)#crypto map map-group1 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
group has been configured.
R2(config-crypto-map)#set group group1
R2(config-crypto-map)#exit
R2(config)#interface fa0/0.12
R2(config-subif)# crypto map map-group1
R2(config-subif)#interface fa0/0.23
May 12 05:59:02.889: %CRYPTO-5-GM_REGSTER: Start registration to KS
192.168.2.8 for group group1 using address 22.222.12.2
R2(config-subif)# crypto map map-group1
R2(config-subif)#exit
R2(config)#
May 12 05:59:02.893: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
R2(config)#
May 12 05:59:03.305: %CRYPTO-5-GM_REGSTER: Start registration to KS
192.168.2.8 for group group1 using address 22.222.23.2
May 12 05:59:03.437: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group group1 transitioned
to Unicast Rekey.
May 12 05:59:03.445: %GDOI-5-GM_REGS_COMPL: Registration to KS 192.168.2.8
complete for group group1 using address 22.222.12.2
R2(config)#
R3(config)#
R3(config)#
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#encr aes
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication rsa-sig
R3(config-isakmp)#group 5
R3(config-isakmp)#exit
R3(config)#crypto gdoi group group1
R3(config-gdoi-group)#identity number 1
R3(config-gdoi-group)#server address ipv4 192.168.2.8
R3(config-gdoi-group)#server address ipv4 22.222.45.5
R3(config-gdoi-group)#exit
R3(config)#crypto map map-group1 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
group has been configured.
R3(config-crypto-map)#set group group1
R3(config-crypto-map)#exit
R3(config)#interface Fa0/0.23
R3(config-subif)# crypto map map-group1
R3(config-subif)#interface Fa0
:
:
:
:
:
:
group1
1
0
Both
22.222.45.5
192.168.2.8
22.222.45.5
GM Reregisters in
Rekey Received
: 921 secs
: never
Rekeys received
Cumulative
After registration
Rekey Acks sent
: 0
: 0
: 0
:
:
:
:
:
Unicast
85614
3DES
192
HMAC_AUTH_SHA
: 1024
TEK POLICY:
FastEthernet0/0.23:
FastEthernet0/0.34:
IPsec SA:
sa direction:inbound
spi: 0xE651F933(3864131891)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (975)
Anti-Replay : Disabled
IPsec SA:
sa direction:outbound
spi: 0xE651F933(3864131891)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (975)
Anti-Replay : Disabled
IPsec SA:
sa direction:inbound
spi: 0xE651F933(3864131891)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (973)
Anti-Replay : Disabled
IPsec SA:
sa direction:outbound
spi: 0xE651F933(3864131891)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (973)
Anti-Replay : Disabled
R3#
R3#ping 2.2.2.2 source loop 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#show cryp
R3#show crypto engi
R3#show crypto engine conne
R3#show crypto engine connections ac
R3#show crypto engine connections active
Crypto Engine Connections

   ID  Interface  Type   Algorithm  Encrypt  Decrypt IP-Address
 1001  Fa0/0.23   IKE    SHA+AES          0        0 22.222.23.3
 1002  <none>     IKE    SHA+3DES         0        0
 1003  Fa0/0.34   IKE    SHA+AES          0        0 22.222.34.3
 2001  Fa0/0.23   IPsec  AES+SHA          0        0 2.2.2.2
 2002  Fa0/0.23   IPsec  AES+SHA          0        0 2.2.2.2
 2003  Fa0/0.23   IPsec  AES+SHA          0        5 3.3.3.3
 2004  Fa0/0.23   IPsec  AES+SHA          5        0 3.3.3.3
 2005  Fa0/0.34   IPsec  AES+SHA          0        0 2.2.2.2
 2006  Fa0/0.34   IPsec  AES+SHA          0        0 2.2.2.2
 2007  Fa0/0.34   IPsec  AES+SHA          0        0 3.3.3.3
 2008  Fa0/0.34   IPsec  AES+SHA          0        0 3.3.3.3
Remote
I-VRF
22.222.34.3
22.222.45.5
Engine-id:Conn-id = SW:2
psk
1001 22.222.23.3
192.168.2.8
23:57:04
Engine-id:Conn-id = SW:1
ACTIVE aes
sha
rsig 5
1003 22.222.34.3
22.222.45.5
23:57:45
Engine-id:Conn-id = SW:3
ACTIVE aes
sha
rsig 5
Task 3.3
4 Points
R1(config-isakmp-group)#pool POOL_1
R1(config-isakmp-group)#acl 100
R1(config-isakmp-group)#save-password
R1(config-isakmp-group)#exit
R1(config)#crypto isakmp profile easy-IKE-profile-1
% A profile is deemed incomplete until it has match identity statements
R1(conf-isa-prof)#match identity group vpn_group
R1(conf-isa-prof)#client authentication list vpn_group
R1(conf-isa-prof)#isakmp authorization list vpn_group
R1(conf-isa-prof)#client configuration address respond
R1(conf-isa-prof)#virtual-template 1
R1(conf-isa-prof)#exit
R1(config)#crypto ipsec transform-set EZ_TRANS_AES_SHA_Tunnel esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile IPSEC-easyvpn-profile-1
R1(ipsec-profile)#set transform-set EZ_TRANS_AES_SHA_Tunnel
R1(ipsec-profile)#set isakmp-profile easy-IKE-profile-1
R1(ipsec-profile)#exit
R1(config)#interface Virtual-Template1 type tunnel
R1(config-if)#ip unnumbered loop 0
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile IPSEC-easyvpn-profile-1
R1(config-if)#exit
R1(config)#ip local pool POOL_1 11.11.11.51 11.11.11.60
R1(config)#access-list 100 permit ip
*May 12 06:48:52.182: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Virtual-Template1, changed state to down
R1(config)#access-list 100 permit ip 11.11.11.0 0.0.0.255 any
*May 12 06:48:52.974: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)#
Interface  Type   Algorithm  Encrypt  Decrypt IP-Address
Fa0/0.34   IKE    SHA+AES          0        0 22.222.34.4
Fa0/0.34   IPsec  AES+SHA          0        5 22.222.34.4
Fa0/0.34   IPsec  AES+SHA          5        0 22.222.34.4
R4#
Task 3.4
4 Points
Section 4: IPS
Task 4.1
4 Points
sensor#
sensor#
sensor#
sensor# setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current Configuration:
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option disabled
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
Current time: Tue May 12 08:25:37 2009
No entries
Permit: 22.222.10.101/32
Permit:
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:
The following configuration was entered.
service host
network-settings
host-ip 172.19.100.250/24,172.19.100.20
host-name sensor
telnet-option enabled
access-list 22.222.10.101/32
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 7000
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Enter your selection[2]:
Configuration Saved.
*08:27:15 UTC Tue May 12 2009
Modify system date and time?[no]:
sensor# conf t
sensor(config)# banner ?
login
Set login banner.
sensor(config)# banner login ?
<cr>
sensor(config)# banner login
Banner[]: Connected to IPS Sensor Console
sensor(config)#
sensor(config)# exit
sensor# exit
Connected to IPS Sensor Console
sensor login:
Task 4.2
4 Points
Task 4.3
4 Points
Task 4.4
4 Points
BB2#telnet 3.3.3.3 80
Trying 3.3.3.3, 80 ... Open
this is not nice
4 Points
SW4#ping 192.168.2.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1007 ms
SW4#test aaa grou
SW4#test aaa group radius user-5.1 cisco le
SW4#test aaa group radius user-5.1 cisco legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.
SW4#
SW4#show dot1x int fa 0/16
Dot1x Info for FastEthernet0/16
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_DOMAIN
Violation Mode            = SHUTDOWN
ReAuthentication          = Disabled
QuietPeriod               = 3
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 5
RateLimitPeriod           = 0
Auth-Fail-Vlan            = 514
Auth-Fail-Max-attempts    = 3
Guest-Vlan                = 511
Task 5.2
4 Points
R5#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
User Access Verification
Username: admin-5.2
Password:
R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#int fa 0/0
R5(config-if)#exit
R5(config)#exit
[Connection to 5.5.5.5 closed by foreign host]
R5#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
R5(config)#router rip
R5(config-router)#net 20.0.0.0
R5(config-router)#exit
R5(config)#exit
R5#exit
May 13 11:39:10.626: %SYS-5-CONFIG_I: Configured from console by user-5.2 on
vty0 (5.5.5.5)
[Connection to 5.5.5.5 closed by foreign host]
R5#
Task 5.3
4 Points
R5(config)#line vty 0 2
R5(config-line)#no authorization commands 0 TAC
R5(config-line)#no authorization commands 1 TAC
R5(config-line)#no authorization commands 15 TAC
R5(config-line)#no authorization exec TAC
R5(config-line)#no accounting commands 0 TAC
R5(config-line)#no accounting commands 1 TAC
R5(config-line)#no accounting commands 15 TAC
R5(config-line)#password cisco
R5(config-line)#transport input telnet
R5(config-line)#line vty 3 4
R5(config-line)#transport input ssh
R5(config-line)#rotary 1
R5(config-line)#exit
R5(config)#ip ssh version 2
R5(config)#ip ssh port 2000 rotary 1
R5(config)#username user-5.3 secret cisco
R4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
R5#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:00
*514 vty 0                idle                 00:00:00 22.222.45.4

  Interface    User               Mode         Idle     Peer Address
R5#exit
[Connection to 5.5.5.5 closed by foreign host]
R4#ssh -l user-5.3 -p 2000 5.5.5.5
Password:
R5#show ssh
Connection Version Mode Encryption  Hmac         State             Username
517        1.99    IN   aes128-cbc  hmac-sha1    Session started   user5.3
517        1.99    OUT  aes128-cbc  hmac-sha1    Session started   user5.3
%No SSHv1 server connections running.
R5#show line
   Tty Line Typ     Tx/Rx      A Modem  Roty AccO AccI  Uses  Noise Overruns
*    0    0 CTY                                             5      0    0/0
     1    1 AUX   9600/9600                                 0      0    0/0
   514  514 VTY                                             7      0    0/0
   515  515 VTY                                             0      0    0/0
   516  516 VTY                                             0      0    0/0
*  517  517 VTY                             1               3      0    0/0
   518  518 VTY                             1               0      0    0/0
Line(s) not in async mode -or- with no hardware support:
2-513
R5#
4 Points
show access-list
4 Points
Task 7.2
4 Points
4 Points
SW1#show spanning-tree vlan 2 (output cut)
  Bridge ID  Priority    24578  (priority 24576 sys-id-ext 2)
             Address     0019.067e.e200
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/7            Desg FWD 19        128.9    P2p
Fa0/8            Desg FWD 19        128.10   P2p
Fa0/14           Desg FWD 19        128.16   P2p
Fa0/17           Desg FWD 19        128.19   P2p
Fa0/19           Desg FWD 19        128.21   P2p
Fa0/20           Desg FWD 19        128.22   P2p
Fa0/21           Desg FWD 19        128.23   P2p
Fa0/22           Desg FWD 19        128.24   P2p
Fa0/23           Desg FWD 19        128.25   P2p
Fa0/24           Desg FWD 19        128.26   P2p
SW1#
SW3(config)#int vlan 2
SW3(config-if)#ip add 192.168.2.113 255.255.255.0
SW3(config-if)#exit
SW3(config)#ip routing
SW3(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.8
SW3(config)#clock timezone PST -8
SW3(config)#clock sum
SW3(config)#clock summer-time PDT recurring
SW3(config)#ntp authentication-key 1 md5 cisco
SW3(config)#ntp trusted-key 1
SW3(config)#ntp authenticate
SW3(config)#ntp server 8.8.8.8
SW3(config)#ip dhcp snooping
SW3(config)#ip dhcp snooping vlan 2
SW3(config)#no ip dhcp snooping information option
SW3(config)#ip dhcp snooping database flash:snoop.db
SW3(config)#end
SW3#show spanning-tree vlan 2

VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    24578
             Address     0019.067e.e200
             Cost        19
             Port        23 (FastEthernet0/21)
             Hello Time   2 sec  Max Age 20 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0018.187c.3c00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/7            Desg FWD 19        128.9    P2p
Fa0/8            Desg FWD 19        128.10   P2p
Fa0/18           Desg FWD 19        128.20   P2p
Fa0/19           Altn BLK 19        128.21   P2p
Fa0/20           Altn BLK 19        128.22   P2p
Fa0/21           Root FWD 19        128.23   P2p
Fa0/22           Altn BLK 19        128.24   P2p
SW3#conf t
SW3(config)#int fa0/21
SW3(config-if)#ip dhcp snooping trust
SW3(config-if)#end
SW3#
May 13 13:38:31.849: %SYS-5-CONFIG_I: Configured from console by console
SW3#
Task 8.2
4 Points
D    4.4.4.0 255.255.255.0 [90/161792] via 22.222.10.1, 0:03:01, outside
D    5.5.5.0 255.255.255.0 [90/164352] via 22.222.10.1, 0:03:01, outside
D    6.6.6.0 255.255.255.0 [90/2303488] via 22.222.10.1, 0:03:01, outside
D    22.222.67.0 255.255.255.0 [90/2175488] via 22.222.10.1, 0:03:01, outside
C    22.222.10.0 255.255.255.0 is directly connected, outside
D    22.222.12.0 255.255.255.0 [90/28672] via 22.222.10.1, 0:03:01, outside
D    22.222.5.0 255.255.255.0 [90/38912] via 22.222.10.1, 0:03:01, outside
C    22.222.6.0 255.255.255.0 is directly connected, emergency
D    22.222.7.0 255.255.255.0 [90/2178048] via 22.222.10.1, 0:03:01, outside
D    22.222.23.0 255.255.255.0 [90/31232] via 22.222.10.1, 0:03:01, outside
D    22.222.45.0 255.255.255.0 [90/36352] via 22.222.10.1, 0:03:01, outside
D    22.222.34.0 255.255.255.0 [90/33792] via 22.222.10.1, 0:03:02, outside
D    7.7.7.0 255.255.255.0 [90/2303488] via 22.222.10.1, 0:03:02, outside
O    8.8.8.8 255.255.255.255 [110/11] via 192.168.2.8, 1:09:46, inside
D    11.11.11.0 255.255.255.0 [90/131072] via 22.222.10.1, 0:03:02, outside
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 22.222.10.1, outside
ASA1(config)#
R1#debug ip icmp
ICMP packet debugging is on
R1#
*May 14 04:34:52.551: ICMP: echo reply sent, src 1.1.1.1, dst 22.222.10.10
*May 14 04:34:52.571: ICMP: echo reply sent, src 1.1.1.1, dst 22.222.10.10
*May 14 04:34:52.591: ICMP: echo reply sent, src 1.1.1.1, dst 22.222.10.10
R1#reload
Proceed with reload? [confirm]
*May 14 ...: ICMP: echo reply sent, src 1.1.1.1, dst 22.222.10.10
*May 14 ...: ICMP: echo reply sent, src 1.1.1.1, dst 22.222.10.10
*May 14 ...: ICMP: echo reply sent, src 1.1.1.1, dst 22.222.10.10
*May 14 ...: %SYS-5-RELOAD: Reload requested by console. Reload Reason: ...
*May 14 ...: ICMP: echo reply sent, src 1.1.1.1, dst 22.222.10.10
*May 14 ...: ICMP: echo reply sent, src 1.1.1.1, dst 22.222.10.10
*May 14 ...: ICMP: echo reply sent, src 1.1.1.1, dst 22.222.10.10
LAB 8
Instructions
Verify that all configurations have been cleared before you load initial configurations onto the lab routers, backbone routers and switches. There are no initial configurations for the ASA and IPS. You will be required to configure these devices in the practice lab, just as you will be required to do so in the actual lab exam.

ASDM and SDM are not available in the actual lab exam.

The ACS workstation is used in this lab as the candidate PC as well as the ACS server. The IP address of the ACS cannot be changed.

There is a test PC available in the practice labs as well as the actual lab. The IP address of the rack interface test PC may be changed through the desktop application. For both PCs, you may add/remove static routes for connectivity as described in the LAB. Do not change the default route on the ACS or the test PC, as you may lose connectivity.

Always remember to Apply changes and Save your configs often!

Unless otherwise specified, use only the existing networks within your lab. Additional networks, static and/or default routes, may not be configured unless specified in a task.

When creating passwords, use cisco unless indicated otherwise in a specific task. Refer to the Remote Rack Access FAQ PDF for cabling, ACS and IPS Access and other commonly asked questions. The document is located here: http://www.ccbootcamp.com/download
Sections:
1. ASA Firewalls
2. IOS Firewalls
3. VPNs
4. IPS
5. Identity Management
6. Control/Management Plane Security
7. Advanced Security
8. Network Attack Mitigation
[Lab 8 topology diagram. ASA1 connects Inside (VLAN 168, 192.168.2.0; ACS PC .101), DMZ1 (VLAN 77, 172.16.77.0; IPS C&C .50), DMZ2 (VLAN 99, 172.16.99.0) and Outside (VLAN 22, 24.234.22.0), each on an E0/0 subinterface. Contexts C1 (Inside on 172.16.88.0, VLAN 88) and C2 (Inside on 172.16.55.0, VLAN 55) each also have an Outside E0/0 subinterface. Further networks: VLAN 44 172.16.44.0, VLAN 252 24.234.252.0 (BB2 .252), VLAN 121 24.234.121.0, Frame Relay 24.234.100.0 (EIGRP 1), OSPF Area 0 on the inside. Devices: R1-R8, BB1 (.99), BB2, SW1 (.11), SW2 (.11).]
Cabling:

Device         Port            Connected to
R1             Fa0/0           SW1 Fa0/1
R1             Fa0/1           SW2 Fa0/1
R2             Fa0/0           SW1 Fa0/2
R2             Fa0/1           SW2 Fa0/2
R3             Fa0/0           SW1 Fa0/3
R3             Fa0/1           SW2 Fa0/3
R4             Fa0/0           SW1 Fa0/4
R4             Fa0/1           SW2 Fa0/4
R5             Fa0/0           SW1 Fa0/5
R5             Fa0/1           SW2 Fa0/5
R6             Fa0/0           SW1 Fa0/6
R6             Fa0/1           SW2 Fa0/6
BB1            Fa0/0           SW1 Fa0/9
BB1            Fa0/1           SW2 Fa0/9
BB2            Fa0/0           SW1 Fa0/10
BB2            Fa0/1           SW2 Fa0/10
ASA01          E0/0            SW1 Fa0/12
ASA01          E0/1            SW1 Fa0/17
ASA01          E0/2            SW2 Fa0/12
ASA01          E0/3            SW2 Fa0/17
ASA02          E0/0            SW1 Fa0/18
ASA02          E0/1            SW1 Fa0/23
ASA02          E0/2            SW2 Fa0/18
ASA02          E0/3            SW2 Fa0/23
IDS            Gi0/0 (sense)   SW1 Fa0/14
IDS            Gi0/1 (c&c)     SW2 Fa0/14
SW1            Fas0/19         SW2 Fas0/19
SW1            Fas0/20         SW2 Fas0/20
ACS PC (192.168.2.101)         SW1 Fa0/24

Sensor Int.    Connected to:
G0/0           SW1 Fa0/14
Fa1/0          SW3 Fa0/4
Fa1/1          SW3 Fa0/3
Fa1/2          SW3 Fa0/2
Fa1/3          SW3 Fa0/1

R7 (2811)      Fas0/0          SW3 Fas0/17
R7 (2811)      Fas0/1          SW4 Fas0/17
R8 (2811)      Fas0/0          SW3 Fas0/18
R8 (2811)      Fas0/1          SW4 Fas0/18
SW3            Fas0/19         SW4 Fas0/19
SW3            Fas0/20         SW4 Fas0/20
4 Points
Interface   VLAN
E0/0.168    168
E0/0.22     22
E0/0.77     77
E0/0.44     44
Task 1.2
4 Points
Name      Interface   Security Level   VLAN
Inside    E0/0.88     Default          88
Outside   E0/0.111    Default          111
Inside    E0/0.55     Default          55
Outside   E0/0.222    Default          222
Task 1.3
4 Points
4 Points
4 Points
Permit            TCP                 UDP    ICMP    Limits
Outside->Inside   Telnet, SSH, HTTP                  Log all ICMP traffic.
4 Points
Task 2.3
4 Points
4 Points
Section 3: VPNs
Task 3.1
4 Points
4 Points
4 Points
Task 3.4
4 Points
Section 4: IPS
Task 4.1
4 Points
IP Address      Gateway          Managed by       Mgmt. SSL port
172.16.77.50    172.16.77.100    192.168.2.101    4443

Verify that you can connect to and manage the IPS from the ACS server. You may not add any routes or make changes to ASA1 to accomplish this.

Create sig1, rules1, and ad1 which should be clones of the existing sig0, rules0 and ad0.

Create virtual sensor vs1 and assign sig1, rules1 and ad1 to it.
Task 4.2
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
Interface   VLAN
E0/0.168    168
E0/0.22     22
E0/0.77     77
E0/0.44     44
R4#ping 24.234.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
Task 1.2
4 Points
Name      Interface   Security Level   VLAN
Inside    E0/0.88     Default          88
Outside   E0/0.111    Default          111
Inside    E0/0.55     Default          55
Outside   E0/0.222    Default          222
ciscoasa(config-ctx)# exit
ciscoasa(config)#
ciscoasa(config)# context c1
Creating context 'c1'... Done. (2)
ciscoasa(config-ctx)# allocate-interface Ethernet0/0.88 Inside
ciscoasa(config-ctx)# allocate-interface Ethernet0/0.111 Outside
ciscoasa(config-ctx)# config-url disk0:/c1.cfg
WARNING: Could not fetch the URL disk0:/c1.cfg
INFO: Creating context with default config
ciscoasa(config-ctx)#
ciscoasa(config-ctx)# context c2
Creating context 'c2'... Done. (3)
ciscoasa(config-ctx)# allocate-interface Ethernet0/0.55 Inside
ciscoasa(config-ctx)# allocate-interface Ethernet0/0.222 Outside
ciscoasa(config-ctx)# config-url disk0:/c2.cfg
WARNING: Could not fetch the URL disk0:/c2.cfg
INFO: Creating context with default config
ciscoasa(config-ctx)#
ciscoasa(config-ctx)# changeto context c1
ciscoasa/c1(config)# interface Outside
ciscoasa/c1(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ciscoasa/c1(config-if)# interface Inside
ciscoasa/c1(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ciscoasa/c1(config-if)#
ciscoasa/c1(config-if)# changeto context c2
ciscoasa/c2(config)#
ciscoasa/c2(config)# interface Inside
ciscoasa/c2(config-if)# nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ciscoasa/c2(config-if)#
ciscoasa/c2(config-if)# interface Outside
ciscoasa/c2(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ciscoasa/c2(config-if)#
ciscoasa/c2(config-if)# fixup protocol icmp
INFO: converting 'fixup protocol icmp ' to MPF commands
Verification:
R5#ping 172.16.55.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.55.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R8#ping 172.16.88.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.88.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Task 1.3
4 Points
Timestamp cleared : 0
Task 1.4
4 Points
R6(config)#int fa0/0.222
R6(config-subif)#ip address 172.16.55.55 255.255.255.0 secondary
R5#ping 172.16.55.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.55.55, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
%ASA-3-322002: ARP inspection check failed for arp response received from
host 001b.533b.e950 on interface Outside. This host is advertising MAC
Address 001b.533b.e950 for IP Address 172.16.55.55, which is statically bound
to MAC Address 001b.534f.5555
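Added example (not the workbook's code): a Python model of the ASA ARP inspection decision that produced the %ASA-3-322002 message above, plus a parser that tallies such messages per offending host. The static bindings other than 172.16.55.55 and the sample log lines are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Static ARP bindings that ARP inspection checks against, keyed by
# (interface name, IP). Equivalent to the ASA command `arp <ifname> <ip> <mac>`.
# The 172.16.55.55 entry is the binding quoted in the log message above;
# the other two entries are constructed for this example.
STATIC_ARP: Dict[Tuple[str, str], str] = {
    ("Outside", "172.16.55.55"): "001b.534f.5555",
    ("Outside", "172.16.55.6"): "001b.533b.e950",  # constructed
    ("Inside", "172.16.55.5"): "0019.0600.0005",   # constructed
}


def norm_mac(mac: str) -> str:
    """Normalise '00:1b:53:4f:55:55' or '001b.534f.5555' to ASA dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def inspect_arp(static_arp: Dict[Tuple[str, str], str], ifname: str,
                ip: str, advertised_mac: str, flood: bool = True) -> str:
    """Decide what ASA ARP inspection (transparent mode) does with one ARP
    packet. Assumption: this models the documented behaviour:
      - advertised MAC matches the static binding  -> "permit"
      - a binding exists but the MAC differs       -> "drop" (logs 322002)
      - no binding: "flood" by default, or "drop" when configured no-flood
    """
    bound = static_arp.get((ifname, ip))
    if bound is None:
        return "flood" if flood else "drop"
    return "permit" if norm_mac(bound) == norm_mac(advertised_mac) else "drop"


# Message format as seen in the lab output above.
ARP_FAIL_RE = re.compile(
    r"%ASA-3-322002: ARP inspection check failed for arp (?P<op>request|response) "
    r"received from host (?P<src_mac>[0-9a-f.]+) on interface (?P<ifname>\S+)\. "
    r"This host is advertising MAC Address (?P<adv_mac>[0-9a-f.]+) for IP Address "
    r"(?P<ip>[0-9.]+), which is statically bound to MAC Address (?P<bound_mac>[0-9a-f.]+)"
)


@dataclass(frozen=True)
class ArpViolation:
    op: str         # "request" or "response"
    src_mac: str    # sender hardware address of the frame
    ifname: str     # ASA interface the ARP packet arrived on
    adv_mac: str    # MAC the host claims for the IP
    ip: str         # IP address being claimed
    bound_mac: str  # MAC in the static ARP entry


def parse_violation(line: str) -> Optional[ArpViolation]:
    """Parse one syslog line; return None for any other message."""
    m = ARP_FAIL_RE.search(line)
    return ArpViolation(**m.groupdict()) if m else None


def offending_hosts(lines: List[str]) -> Dict[Tuple[str, str, str], int]:
    """Count 322002 violations per (interface, claimed IP, advertised MAC).
    One host repeatedly claiming a single bound IP (as here, where R6 was given
    172.16.55.55 as a secondary address) points to a stale or wrong binding;
    many MACs claiming the same IP would look like spoofing."""
    counts: Counter = Counter()
    for line in lines:
        v = parse_violation(line)
        if v is not None:
            counts[(v.ifname, v.ip, v.adv_mac)] += 1
    return dict(counts)


# Constructed sample: the message from the lab output (joined onto one line),
# a second occurrence of it, and an unrelated message that must be ignored.
SAMPLE_LOG = [
    "%ASA-3-322002: ARP inspection check failed for arp response received from host "
    "001b.533b.e950 on interface Outside. This host is advertising MAC Address "
    "001b.533b.e950 for IP Address 172.16.55.55, which is statically bound to MAC "
    "Address 001b.534f.5555",
    "%ASA-3-322002: ARP inspection check failed for arp request received from host "
    "001b.533b.e950 on interface Outside. This host is advertising MAC Address "
    "001b.533b.e950 for IP Address 172.16.55.55, which is statically bound to MAC "
    "Address 001b.534f.5555",
    "%ASA-6-302013: Built inbound TCP connection 12 for Outside:172.16.55.6/1024 "
    "(172.16.55.6/1024) to Inside:172.16.55.5/23 (172.16.55.5/23)",
]

if __name__ == "__main__":
    for key, n in offending_hosts(SAMPLE_LOG).items():
        print(f"{n} violation(s): {key}")
    # R6's MAC claiming the statically bound address is dropped ...
    print(inspect_arp(STATIC_ARP, "Outside", "172.16.55.55", "001b.533b.e950"))
    # ... while the bound MAC is permitted, whatever notation it arrives in.
    print(inspect_arp(STATIC_ARP, "Outside", "172.16.55.55", "00:1b:53:4f:55:55"))
```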
4 Points
Permit            TCP                 UDP    ICMP    Limits
Outside->Inside   Telnet, SSH, HTTP                  Log all ICMP traffic.
Task 2.2
4 Points
Task 2.3
4 Points
 FastEthernet0/0.252
                            Input                    Output
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   eigrp                    0                        60
                            0                        4680
BB2#copy http://24.234.100.3/test.exe null:
%Error opening http://24.234.100.3/test.exe (I/O error)
BB2#ssh -l cisco 24.234.3.100
% Destination unreachable; gateway or host down
BB2#ping 24.234.100.3 size 1000 repeat 10
Type escape sequence to abort.
Sending 10, 1000-byte ICMP Echos to 24.234.100.3, timeout is 2 seconds:
!!.!!.!!.!
Success rate is 70 percent (7/10), round-trip min/avg/max = 508/508/508 ms
R2#sho policy-map interface fa0/0.252
FastEthernet0/0.252
Service-policy input: INCOMING
Class-map: HTTP (match-any)
7 packets, 1192 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http
7 packets, 1192 bytes
5 minute rate 0 bps
drop
Class-map: SSH (match-all)
1 packets, 64 bytes
5 minute offered rate 0 bps
Match: protocol ssh
Match: access-group 101
Class-map: SSH_DROP (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
5 minute rate 0 bps
drop
Class-map: ICMP (match-any)
10 packets, 10180 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol icmp
10 packets, 10180 bytes
Task 2.4
4 Points
Section 3: VPNs
Task 3.1
4 Points
Verification:
R2#sho ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~24.234.22.1       127.127.7.1      8    15    64   377    2.2  -13.01     4.8
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R2#
R5#sho ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~24.234.22.1       127.127.7.1      8    42    64     3   47.9    0.48     0.3
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R6#sho ntp assoc
      address         ref clock     st  when  poll reach  delay  offset    disp
*~24.234.22.1       127.127.7.1      8     0    64     7   46.8   -4.69  3875.7
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
Task 3.2
4 Points
May 11 21:38:35.014: RSA key size needs to be atleast 768 bits for ssh
version 2
May 11 21:38:35.018: %SSH-5-ENABLED: SSH 1.5 has been enabled
May 11 21:38:35.018: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
% The subject name in the certificate will include: R6.ccbootcamp.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate CA1 verbose' commandwill show the
fingerprint.
R6(config)#
May 11 21:38:45.990: CRYPTO_PKI: Certificate Request Fingerprint MD5:
4870EC71 3F418F40 2049F967 0C23BFEF
May 11 21:38:45.990: CRYPTO_PKI: Certificate Request Fingerprint SHA1:
CD3C7E54 38E2E0A1 9D950F2A 0FF2D4E8 A2839318
May 11 21:38:51.401: %PKI-6-CERTRET: Certificate received from Certificate
Authority
Task 3.3
4 Points
R2(config)#
R2(config)#crypto map map-group1 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
group has been configured.
R2(config-crypto-map)#set group GET
R2(config-crypto-map)#!
R2(config-crypto-map)#interface s0/0/0
R2(config-if)#crypto map map-group1
R2(config-if)#
May 11 22:45:06.973: %CRYPTO-5-GM_REGSTER: Start registration to KS
24.234.100.6 for group GET using address 24.234.100.2
May 11 22:45:06.977: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
May 11 22:45:10.353: %GDOI-5-GM_REGS_COMPL: Registration to KS 24.234.100.6
complete for group GET using address 24.234.100.2
R5(config)#crypto isakmp policy 1
R5(config-isakmp)#encr aes
R5(config-isakmp)#hash sha
R5(config-isakmp)#authentication rsa-sig
R5(config-isakmp)#group 2
R5(config-isakmp)#exit
R5(config)#
R5(config)#crypto gdoi group GET
R5(config-gdoi-group)#identity number 1
R5(config-gdoi-group)#server address ipv4 24.234.100.6
R5(config-gdoi-group)#exit
R5(config)#
R5(config)#crypto map map-group1 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
group has been configured.
R5(config-crypto-map)#set group GET
R5(config-crypto-map)#!
R5(config-crypto-map)#interface fa0/0.55
R5(config-subif)#crypto map map-group1
R5(config-subif)#
May 11 21:48:41.911: %CRYPTO-5-GM_REGSTER: Start registration to KS
24.234.100.6 for group GET using address 172.16.55.5
May 11 21:48:41.915: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
ciscoasa/c2(config)# access-list outside permit icmp host 172.16.55.6 host
172.16.55.5
ciscoasa/c2(config)# access-list outside permit esp host 24.234.22.2 host
172.16.55.5
ciscoasa/c2(config)# access-list outside permit udp host 24.234.22.2 host
172.16.55.5 eq isakmp
ciscoasa/c2(config)# access-group outside in interface outside
Verification:
R2#ping 172.16.55.5 so fa0/0.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.55.5, timeout is 2 seconds:
Packet sent with a source address of 24.234.22.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/93/96 ms
R2#sho crypto ipsec sa (output cut)
interface: Serial0/0/0
Crypto map tag: map-group1, local addr 24.234.100.2
protected vrf: (none)
local ident (addr/mask/prot/port): (24.234.22.2/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (172.16.55.5/255.255.255.255/1/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
Task 3.4
4 Points
R7(config-crypto-map)#exit
R7(config)#
R7(config)#access-list 150 permit ip 7.7.7.0 0.0.0.255 any
R7(config)#
R7(config)#crypto map EZVPN client authentication list EZVPN
R7(config)#crypto map EZVPN isakmp authorization list EZVPN
R7(config)#crypto map EZVPN client configuration address respond
R7(config)#crypto map EZVPN 1 ipsec-isakmp dynamic EZVPN
R7(config)#
R7(config)#int fa0/0.77
R7(config-subif)#crypto map EZVPN
Section 4: IPS
Task 4.1
4 Points
IP Address      Gateway          Managed by       Mgmt. SSL port
172.16.77.50    172.16.77.100    192.168.2.101    4443

Verify that you can connect to and manage the IPS from the ACS server. You may not add any routes or make changes to ASA1 to accomplish this.

Create sig1, rules1, and ad1 which should be clones of the existing sig0, rules0 and ad0.

Create virtual sensor vs1 and assign sig1, rules1 and ad1 to it.
sensor# setup (output cut)
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Task 4.2
4 Points
Verification:
BB1#ping 24.234.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
BB2#ping 24.234.22.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Task 4.3
4 Points
R4#ping
Protocol [ip]:
Target IP address: 172.16.99.99
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.44.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: t
Number of timestamps [ 9 ]: 3
Loose, Strict, Record, Timestamp, Verbose[TV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.99, timeout is 2 seconds:
Packet sent with a source address of 172.16.44.4
Packet has IP options: Total option bytes= 16, padded length=16
Timestamp: Type 0. Overflows: 0 length 16, ptr 5
>>Current pointer<<
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out
Success rate is 0 percent (0/5)
Task 4.4
4 Points
If the timestamp traffic from the previous task is between BB1 and R4, the traffic should never be denied. You may not modify the signature to accomplish this.
Verification:
BB1#ping (output cut)
Protocol [ip]:
Target IP address: 172.16.99.4
4 Points
Verification:
Task 5.2
4 Points
Verification:
R2#ping 24.234.22.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.101, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#telnet 24.234.22.150
Trying 24.234.22.150 ... Open
LOGIN Authentication
Username: admin
Password:
Authentication Successful
Task 5.3
4 Points
R2(config)#aaa new-model
R2(config)#aaa authentication login default group tacacs+
R2(config)#aaa authorization auth-proxy default group tacacs+
R2(config)#tacacs-server host 24.234.22.101 key cisco
R2(config)#access-list 102 permit tcp host 24.234.22.101 host 172.16.88.88 eq www
R2(config)#ip auth-proxy name AUTHP http list 102
R2(config)#ip http server
R2(config)#ip http authentication aaa
R2(config)#access-list 105 deny tcp host 24.234.22.101 host 172.16.88.88 eq www
R2(config)#access-list 105 permit ip any any
R2(config)#int fa0/0.22
R2(config-subif)#ip access-group 105 in
R2(config-subif)#ip auth-proxy AUTHP
ASA1(config)# access-list outside permit tcp host 24.234.22.2 host 24.234.22.101 eq tacacs
ciscoasa/c1(config)# access-list outside permit tcp host 24.234.22.101 host 172.16.88.88 eq www
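The interplay between ACL 105, the auth-proxy trigger list 102 and the entries the TACACS+ server hands back is easy to get backwards, so here is a small model of it. This is an added example, not workbook or Cisco code: it reproduces IOS first-match ACL evaluation with wildcard masks and an implicit deny, and models auth-proxy the way it behaves on the router (HTTP that matches list 102 is intercepted; after a successful login the downloaded proxyacl entries are placed ahead of the static entries of the interface ACL with their source rewritten to the authenticated host). The proxyacl content and the packet tuples are constructed for the walkthrough.

```python
"""Model of the IOS ACL and auth-proxy behaviour configured on R2 above (added example)."""
import ipaddress
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple

ACS = "24.234.22.101"      # ACS / candidate PC, from the workbook config
WEB = "172.16.88.88"       # protected web server, from the workbook config

ANY = ("0.0.0.0", "255.255.255.255")


def host(addr: str) -> Tuple[str, str]:
    """IOS 'host A.B.C.D' is A.B.C.D with wildcard 0.0.0.0."""
    return (addr, "0.0.0.0")


def _wild_match(addr: str, net: str, wild: str) -> bool:
    """Wildcard-mask compare: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(net)) & care)


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[str, str]         # (network, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None  # None means any destination port
    dynamic: bool = False        # True for entries auth-proxy downloaded

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return (self.proto in ("ip", proto)
                and _wild_match(src, *self.src)
                and _wild_match(dst, *self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class Acl:
    number: int
    entries: List[Ace] = field(default_factory=list)

    def evaluate(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Tuple[str, int]:
        """Return (action, 1-based index of the matching entry); (deny, 0) is the implicit deny."""
        for i, e in enumerate(self.entries, 1):
            if e.matches(proto, src, dst, dport):
                return e.action, i
        return "deny", 0

    def auth_proxy_install(self, user_ip: str, proxyacl: List[Ace]) -> None:
        """Place the downloaded entries for an authenticated host ahead of the static entries."""
        dynamic = [replace(e, src=host(user_ip), dynamic=True) for e in proxyacl]
        self.entries = dynamic + [e for e in self.entries if not e.dynamic]


# access-list 102 permit tcp host 24.234.22.101 host 172.16.88.88 eq www  (auth-proxy trigger list)
ACL_102 = Acl(102, [Ace("permit", "tcp", host(ACS), host(WEB), 80)])


def build_acl_105() -> Acl:
    """access-list 105: deny tcp host ACS host WEB eq www, then permit ip any any (interface ACL)."""
    return Acl(105, [Ace("deny", "tcp", host(ACS), host(WEB), 80),
                     Ace("permit", "ip", ANY, ANY)])


# Constructed: what the TACACS+ server returns as proxyacl#1 on success (source must be 'any')
PROXYACL = [Ace("permit", "tcp", ANY, host(WEB), 80)]


def auth_proxy_intercepts(proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """auth-proxy only intercepts HTTP (tcp/80) that its own list permits."""
    return proto == "tcp" and dport == 80 and ACL_102.evaluate(proto, src, dst, dport)[0] == "permit"


def walkthrough():
    """Before login the HTTP SYN hits the deny (entry 1) and is intercepted; after login the dynamic entry permits it."""
    acl = build_acl_105()
    before = acl.evaluate("tcp", ACS, WEB, 80)
    intercepted = auth_proxy_intercepts("tcp", ACS, WEB, 80)
    acl.auth_proxy_install(ACS, PROXYACL)          # successful TACACS+ login for the ACS host
    after = acl.evaluate("tcp", ACS, WEB, 80)
    other_host = acl.evaluate("tcp", "24.234.22.5", WEB, 80)   # any other host still falls through to permit ip any any
    return before, intercepted, after, other_host


if __name__ == "__main__":
    print(walkthrough())
```

Note that the interface ACL must deny exactly the traffic you want authenticated: if entry 1 of ACL 105 were missing, the HTTP request would pass on the permit ip any any and auth-proxy would never be consulted.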
Verification:
4 Points
Verification:
BB2#sho policy-map type queue-threshold control-plane all
queue-limit 10
queue-count 0
Control Plane Host
24.234.252.2(48061)
24.234.252.2(48061)
24.234.252.2(48061)
24.234.252.2(48061)
4 Points
Verification:
BB1#sho ip bgp
BGP table version is 5, local router ID is 99.99.99.99
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop
*> 22.22.22.0/24    24.234.252.252
*> 99.99.99.0/24    0.0.0.0

BB2#sho ip bgp
BGP table version is 5, local router ID is 22.22.22.22
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop
*> 22.22.22.0/24    0.0.0.0
*> 99.99.99.0/24    172.16.99.99
Task 7.2
4 Points
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
message-length maximum 512, drop 0
dns-guard, count 0
protocol-enforcement, drop 0
nat-rewrite, count 0
id-randomization, count 0
4 Points
R8#ping 172.16.88.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.88.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R8#ping 172.16.88.6 size 3000
Type escape sequence to abort.
Sending 5, 3000-byte ICMP Echos to 172.16.88.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
*May 12 21:09:53.308: %SEC-6-IPACCESSLOGDP: list 103 denied icmp 172.16.88.88
(FastEthernet0/0.111 001a.a22d.0f14) -> 172.16.88.6 (0/0), 1 packet
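The %SEC-6-IPACCESSLOGDP line above is the evidence that ACL 103 did its job, and the (0/0) type/code on a denied echo is consistent with IOS logging a non-initial fragment of the 3000-byte ping, which carries no ICMP header. Lines like this are what a SIEM rule keys on, so here is a parser for the IOS ACL log message family, as an added example that is not part of the workbook. The first sample is the workbook's own line; the others are constructed to cover IPACCESSLOGP (tcp/udp with ports), IPACCESSLOGNP (other protocol numbers), the "(interface mac)" segment that log-input adds after the source, and the IPACCESSLOGRL rate-limit notice, which carries no tuple and is returned as None.

```python
"""Parser for IOS %SEC-6-IPACCESSLOG* ACL hit messages (added example, not workbook code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

_ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\))?"   # log-input only
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?"                                     # icmp type/code
    r", (?P<count>\d+) packets?"
)


@dataclass(frozen=True)
class AclLogRecord:
    kind: str            # "P" (tcp/udp), "DP" (icmp) or "NP" (other protocol)
    acl: str
    action: str          # "permitted" or "denied"
    proto: str           # "tcp", "udp", "icmp" or a protocol number
    src: str
    dst: str
    count: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    ifname: Optional[str] = None   # present only when the ACE uses log-input
    mac: Optional[str] = None      # present only when the ACE uses log-input


def parse_acl_log(line: str) -> Optional[AclLogRecord]:
    """Parse one syslog line (timestamp prefix allowed); None for lines that are not ACL hit records."""
    m = _ACL_LOG.search(line)
    if not m:
        return None

    def opt(name: str) -> Optional[int]:
        return int(m.group(name)) if m.group(name) is not None else None

    return AclLogRecord(kind=m["kind"], acl=m["acl"], action=m["action"], proto=m["proto"],
                        src=m["src"], dst=m["dst"], count=int(m["count"]),
                        sport=opt("sport"), dport=opt("dport"),
                        icmp_type=opt("itype"), icmp_code=opt("icode"),
                        ifname=m["ifname"], mac=m["mac"])


def denied_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Sum denied packets per source address: the usual first cut for a noisy-host alert."""
    totals: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_acl_log(line)
        if rec is not None and rec.action == "denied":
            totals[rec.src] += rec.count
    return dict(totals)


SAMPLES = [
    # from the workbook: ACL 103 with log-input, fragment of the 3000-byte ping
    "*May 12 21:09:53.308: %SEC-6-IPACCESSLOGDP: list 103 denied icmp 172.16.88.88 "
    "(FastEthernet0/0.111 001a.a22d.0f14) -> 172.16.88.6 (0/0), 1 packet",
    # constructed samples for the other message variants
    "*May 12 21:10:02.101: %SEC-6-IPACCESSLOGP: list 102 denied tcp 24.234.22.101(1234) -> 172.16.88.88(80), 1 packet",
    "*May 12 21:14:53.308: %SEC-6-IPACCESSLOGNP: list 103 denied 47 172.16.88.88 -> 172.16.88.6, 3 packets",
    "*May 12 21:15:00.000: %SEC-6-IPACCESSLOGP: list 105 permitted udp 2.44.2.4(53) "
    "(FastEthernet0/0 0018.199e.b5fe) -> 192.168.2.101(1025), 12 packets",
    "*May 12 21:15:01.000: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_acl_log(line))
    print(denied_by_source(SAMPLES))
```

Two operational caveats the samples illustrate: IOS logs the first match immediately and then a 5-minute summary ("N packets"), so the count field, not the number of lines, is the packet count; and an IPACCESSLOGRL line means the router dropped log messages, so a quiet log is not proof of quiet traffic.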
Task 8.2
4 Points
Verification output (table residue; only the headings and values below survived extraction):
  counters: 0, 0, 0000.0000.0000:0, 0
  storm-control style thresholds: Lower 50.00% / Current 0.00% and Lower 30.00% / Current 0.00%
  "Timer Status" column (errdisable-recovery style): 20 entries, 18 Disabled and 2 Enabled
LAB 9
Instructions
Verify that all configurations have been cleared, before
you load initial configurations onto the lab routers,
backbone routers and switches. There are no initial
configurations for the ASA and IPS. You will be required
to configure these devices in the practice lab, just as you
will be required to do so in the actual lab exam.
ASDM and SDM are not available in the actual lab exam.
The ACS workstation is used in this lab as the candidate PC
as well as the ACS server. The IP address of the ACS
cannot be changed.
There is a test pc available in the practice labs as well
as the actual lab. The IP address of the rack interface
test PC may be changed through the desktop application. For
both PCs, you may add/remove static routes for connectivity
as described in the LAB.
Do not change the default route
on the ACS or the test PC, as you may lose connectivity.
Always remember to Apply changes and Save your configs
often!
Unless otherwise specified, use only the existing networks
within your lab. Additional networks, static and/or
default routes, may not be configured unless specified in a
task.
When creating passwords, use cisco unless indicated
otherwise in a specific task. Refer to the Remote Rack
Access FAQ PDF for cabling, ACS and IPS Access and other
commonly asked questions. The document is located here:
http://www.ccbootcamp.com/download
Sections:
1.ASA Firewalls
2.IOS Firewalls
3.VPNs
4.IPS
5.Identity Management
6.Control/Management Plane Security
7.Advanced Security
8.Network Attack Mitigation
Physical cabling (reconstructed from the diagram residue; ASA and IPS links are listed only where the pairing is unambiguous)

Device      First port              Second port
R1          Fa0/0 -> SW1 Fa0/1      Fa0/1 -> SW2 Fa0/1
R2          Fa0/0 -> SW1 Fa0/2      Fa0/1 -> SW2 Fa0/2
R3          Fa0/0 -> SW1 Fa0/3      Fa0/1 -> SW2 Fa0/3
R4          Fa0/0 -> SW1 Fa0/4      Fa0/1 -> SW2 Fa0/4
R5          Fa0/0 -> SW1 Fa0/5      Fa0/1 -> SW2 Fa0/5
R6          Fa0/0 -> SW1 Fa0/6      Fa0/1 -> SW2 Fa0/6
BB1         Fa0/0 -> SW1 Fa0/9      Fa0/1 -> SW2 Fa0/9
BB2         Fa0/0 -> SW1 Fa0/10     Fa0/1 -> SW2 Fa0/10
R7 (2811)   Fas0/0 -> SW3 Fas0/17   Fas0/1 -> SW4 Fas0/17
R8 (2811)   Fas0/0 -> SW3 Fas0/18   Fas0/1 -> SW4 Fas0/18
ACS PC      SW1 Fa0/24 (192.168.2.101)

Inter-switch links: SW1-SW2 on Fas0/19 and Fas0/20; SW3-SW4 on Fas0/19 and Fas0/20.

Sensor Int.    Connected to:
G0/0           SW1 Fa0/14
Fa1/0          SW3 Fa0/4
Fa1/1          SW3 Fa0/3
Fa1/2          SW3 Fa0/2
Fa1/3          SW3 Fa0/1

ASA01 and ASA02 (E0/0 through E0/3) attach to SW1 and SW2 on ports Fa0/12, Fa0/14, Fa0/17, Fa0/18 and Fa0/23; the IDS uses Gi0/0 as its sensing interface and Gi0/1 for command and control.
Logical topology (reconstructed from the diagram residue)

VLAN 11    2.11.2.0/24      R1
VLAN 22    2.22.2.0/24      R2
VLAN 33    2.33.2.0/24      R3
VLAN 44    2.44.2.0/24      R4
VLAN 55    2.55.2.0/24      R5
VLAN 66    2.66.2.0/24      R6
VLAN 77    2.77.2.0/24      R7
VLAN 88    2.88.2.0/24      R8
VLAN 222   2.222.2.0/24
VLAN 3     2.3.2.0/24
VLAN 5     2.5.2.0/24
VLAN 333   2.3.2.0/24 (as printed)
VLAN 4     192.168.2.0/24   ACS PC .101, XP Test PC .102

ASA1 is host .10 on its VLANs; BB1 and BB2 are host .9 on theirs; an interface labelled "Int G0/1" is host .250.
4 Points
Task 1.2
4 Points
Stateful Failover Logical Update Statistics (reconstructed from the table residue; the General row kept only its rcv/rerr values)

Stateful Obj     xmit   xerr   rcv   rerr
General           -      -     10     0
sys cmd          10      0     10     0
up time           0      0      0     0
RPC services      0      0      0     0
TCP conn          0      0      0     0
UDP conn          0      0      0     0
ARP tbl          12      0      0     0
Xlate_Timeout     0      0      0     0
VPN IKE upd       0      0      0     0
VPN IPSEC upd     0      0      0     0
VPN CTCP upd      0      0      0     0
VPN SDI upd       0      0      0     0
VPN DHCP upd      0      0      0     0
SIP Session       0      0      0     0
Task 1.3
4 Points
Real Int.   Mapped Int.   Real IP:PORT           Mapped IP:PORT
22          44            2.222.2.250:TCP 443    2.44.2.250:TCP 5796
Task 1.4
4 Points
4 Points
4 Points
4 Points
4 Points
Section 3: VPNs
Task 3.1
4 Points
4 Points
Task 3.3
4 Points
4 Points
Section 4: IPS
Task 4.1
4 Points
4 Points
4 Points
Task 4.4
4 Points
Send a TCP reset for any telnet traffic that includes the
string gunna!getcha . Log any packets destined for the
victim for the next 35 seconds.
4 Points
4 Points
Task 5.3
4 Points
4 Points
4 Points
4 Points
4 Points
Port-security sticky entries (reconstructed from the table residue):
sticky   0018.199e.b5fe   vlan 11
sticky   0018.199e.b5fe   vlan 22
sticky   0018.199e.b5fe   vlan 33
sticky   0018.199e.b5fe   vlan 44
sticky   0018.199e.b5fe   vlan 55
sticky   0018.199e.b5fe   vlan 66
sticky   0018.199e.b5fe   vlan 77
sticky   0018.199e.b5fe   vlan 88
4 Points
4 Points
ciscoasa(config)# show mode
Security context mode: single
ciscoasa(config)# hostname ASA1
ASA1(config)# int e0/0
ASA1(config-if)# no shut
ASA1(config-if)# int e 0/0.11
ASA1(config-subif)# vlan 11
ASA1(config-subif)# security 11
ASA1(config-subif)# nameif 11
ASA1(config-subif)# ip address 2.11.2.10 255.255.255.0
ASA1(config-subif)# int e 0/0.22
ASA1(config-subif)# vlan 22
ASA1(config-subif)# security 22
ASA1(config-subif)# nameif 22
ASA1(config-subif)# ip address 2.22.2.10 255.255.255.0
ASA1(config-subif)# int e 0/0.33
ASA1(config-subif)# vlan 33
ASA1(config-subif)# security 33
ASA1(config-subif)# nameif 33
ASA1(config-subif)# ip address 2.33.2.10 255.255.255.0
ASA1(config-subif)# int e 0/0.44
ASA1(config-subif)# vlan 44
ASA1(config-subif)# security 44
ASA1(config-subif)# nameif 44
ASA1(config-subif)# ip address 2.44.2.10 255.255.255.0
ASA1(config-subif)# int e 0/0.55
ASA1(config-subif)# vlan 55
ASA1(config-subif)# security 55
ASA1(config-subif)# nameif 55
ASA1(config-subif)# ip address 2.55.2.10 255.255.255.0
ASA1(config-subif)# int e 0/0.66
ASA1(config-subif)# vlan 66
ASA1(config-subif)# security 66
ASA1(config-subif)# nameif 66
ASA1(config-subif)# ip address 2.66.2.10 255.255.255.0
ASA1(config-subif)# int e 0/0.77
ASA1(config-subif)# vlan 77
ASA1(config-subif)# security 77
ASA1(config-subif)# nameif 77
ASA1(config-subif)# ip address 2.77.2.10 255.255.255.0
ASA1(config-subif)# int e 0/0.88
ASA1(config-subif)# vlan 88
ASA1(config-subif)# security 88
ASA1(config-subif)# nameif 88
ASA1(config-subif)# ip address 2.88.2.10 255.255.255.0
ASA1(config-subif)# exit
ASA1(config)# router rip
ASA1(config-router)# ver 2
ASA1(config-router)# no auto-summary
ASA1(config-router)# passive-interface default
ASA1(config-router)# no passive-interface 11
ASA1(config-router)# no passive-interface 22
ASA1(config-router)# no passive-interface 33
ASA1(config-router)# network 2.0.0.0
ASA1(config-router)# redistribute ospf 1 metric 2
ASA1(config-router)# redistribute eigrp 1 metric 2
ASA1(config-router)#exit
ASA1(config)# router ospf 1
ASA1(config-router)# network 2.44.0.0 255.255.0.0 area 0
ASA1(config-router)# network 2.55.0.0 255.255.0.0 area 0
ASA1(config-router)# network 2.66.0.0 255.255.0.0 area 0
ASA1(config-router)# redistribute rip subnets
ASA1(config-router)# redistribute eigrp 1 subnets
ASA1(config-router)# exit
ASA1(config)# router eigrp 1
ASA1(config-router)# no auto-summary
ASA1(config-router)# network 2.77.0.0 255.255.0.0
ASA1(config-router)# network 2.88.0.0 255.255.0.0
ASA1(config-router)# redistribute ospf 1 metric 1 1 1 1 1
ASA1(config-router)# redistribute rip metric 1 1 1 1 1
ASA1(config-router)# exit
ASA1(config)#
ASA1(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
R    1.1.1.0 255.255.255.0 [120/1] via 2.11.2.1, 0:00:28, 11
R    2.2.2.0 255.255.255.0 [120/1] via 2.22.2.2, 0:00:00, 22
R    2.3.2.0 255.255.255.0 [120/1] via 2.33.2.3, 0:00:03, 33
O    2.5.2.0 255.255.255.0 [110/11] via 2.55.2.5, 0:29:29, 55
C    2.11.2.0 255.255.255.0 is directly connected, 11
C    2.22.2.0 255.255.255.0 is directly connected, 22
C    2.33.2.0 255.255.255.0 is directly connected, 33
C    2.44.2.0 255.255.255.0 is directly connected, 44
C    2.55.2.0 255.255.255.0 is directly connected, 55
C    2.66.2.0 255.255.255.0 is directly connected, 66
C    2.77.2.0 255.255.255.0 is directly connected, 77
C    2.88.2.0 255.255.255.0 is directly connected, 88
R    2.222.2.0 255.255.255.0 [120/1] via 2.22.2.2, 0:00:00, 22
R    3.3.3.0 255.255.255.0 [120/1] via 2.33.2.3, 0:00:03, 33
O    4.4.4.4 255.255.255.255 [110/11] via 2.44.2.4, 0:29:30, 44
O    5.5.5.5 255.255.255.255 [110/11] via 2.55.2.5, 0:29:30, 55
O    6.6.6.6 255.255.255.255 [110/11] via 2.66.2.6, 0:29:30, 66
D    7.7.7.0 255.255.255.0 [90/131072] via 2.77.2.7, 0:13:39, 77
D    8.0.0.0 255.0.0.0 [90/131072] via 2.88.2.8, 0:35:39, 88
O    192.168.2.0 255.255.255.0 [110/11] via 2.44.2.4, 0:29:30, 44
ASA1(config)#
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static
route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
(route entries cut in extraction: 2 connected and 17 RIP-learned routes)
R1#
ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# inspect icmp
ASA1(config-pmap-c)# exit
ASA1(config-pmap)# exit
Task 1.2
4 Points
Stateful Failover Logical Update Statistics (reconstructed from the table residue; the General row kept only its rcv/rerr values)

Stateful Obj     xmit   xerr   rcv   rerr
General           -      -     10     0
sys cmd          10      0     10     0
up time           0      0      0     0
RPC services      0      0      0     0
TCP conn          0      0      0     0
UDP conn          0      0      0     0
ARP tbl          12      0      0     0
Xlate_Timeout     0      0      0     0
VPN IKE upd       0      0      0     0
VPN IPSEC upd     0      0      0     0
VPN CTCP upd      0      0      0     0
VPN SDI upd       0      0      0     0
VPN DHCP upd      0      0      0     0
SIP Session       0      0      0     0
Stateful Failover Logical Update Statistics, later sample (only the rcv and rerr columns survived extraction)

Stateful Obj     rcv   rerr
General          29     0
sys cmd          29     0
up time           0     0
RPC services      0     0
TCP conn          0     0
UDP conn          0     0
ARP tbl           0     0
Xlate_Timeout     0     0
VPN IKE upd       0     0
VPN IPSEC upd     0     0
VPN CTCP upd      0     0
VPN SDI upd       0     0
VPN DHCP upd      0     0
SIP Session       0     0
Task 1.3
4 Points
Real Int.   Mapped Int.   Real IP:PORT           Mapped IP:PORT
22          44            2.222.2.250:TCP 443    2.44.2.250:TCP 5796
Task 1.4
4 Points
C    10.0.0.0 255.255.255.0 is directly connected, lanfail
O    192.168.2.0 255.255.255.0 [110/11] via 2.44.2.4, 0:10:39, 44
S*   0.0.0.0 0.0.0.0 [1/0] via 2.55.2.5, 55
ASA1(config)#
BB1#
BB1#reload
Proceed with reload? [confirm]
ASA1(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 2.33.2.3 to network 0.0.0.0
R    1.1.1.0 255.255.255.0 [120/1] via 2.11.2.1, 0:00:12, 11
R    2.2.2.0 255.255.255.0 [120/1] via 2.22.2.2, 0:00:01, 22
R    2.3.2.0 255.255.255.0 [120/1] via 2.33.2.3, 0:00:22, 33
O    2.5.2.0 255.255.255.0 [110/11] via 2.55.2.5, 0:00:15, 55
C    2.11.2.0 255.255.255.0 is directly connected, 11
C    2.22.2.0 255.255.255.0 is directly connected, 22
C    2.33.2.0 255.255.255.0 is directly connected, 33
C    2.44.2.0 255.255.255.0 is directly connected, 44
C    2.55.2.0 255.255.255.0 is directly connected, 55
C    2.66.2.0 255.255.255.0 is directly connected, 66
C    2.77.2.0 255.255.255.0 is directly connected, 77
C    2.88.2.0 255.255.255.0 is directly connected, 88
R    2.222.2.0 255.255.255.0 [120/1] via 2.22.2.2, 0:00:01, 22
R    3.3.3.0 255.255.255.0 [120/1] via 2.33.2.3, 0:00:22, 33
O    4.4.4.4 255.255.255.255 [110/11] via 2.44.2.4, 0:00:17, 44
O    5.5.5.5 255.255.255.255 [110/11] via 2.55.2.5, 0:00:17, 55
O    6.6.6.6 255.255.255.255 [110/11] via 2.66.2.6, 0:00:17, 66
D    8.0.0.0 255.0.0.0 [90/131072] via 2.88.2.8, 0:54:22, 88
C    10.0.0.0 255.255.255.0 is directly connected, lanfail
O    192.168.2.0 255.255.255.0 [110/11] via 2.44.2.4, 0:00:17, 44
S*   0.0.0.0 0.0.0.0 [254/0] via 2.33.2.3, 33
ASA1(config)#
4 Points
Task 2.2
4 Points
R6#telnet 2.5.2.9
Trying 2.5.2.9 ... Open
BB1#exit
[Connection to 2.5.2.9 closed by foreign host]
R6#
BB1#ping 2.55.2.10 repeat 15
Type escape sequence to abort.
Sending 15, 100-byte ICMP Echos to 2.55.2.10, timeout is 2 seconds:
!!!!.!!!!.!!!!.
Success rate is 80 percent (12/15), round-trip min/avg/max = 1/1/4 ms
BB1#
Task 2.3
4 Points
Task 2.4
4 Points
Section 3: VPNs
Task 3.1
4 Points
Re-enter password:
% The subject name in the certificate will include: R4.ccbootcamp.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1-CA verbose' command will show the fingerprint.
R4(config)#
R4(config)#
May 17 04:45:38.124: CRYPTO_PKI: Certificate Request Fingerprint MD5:
FB009B1F F2A07B92 AF40F039 4DF72BFF
May 17 04:45:38.128: CRYPTO_PKI: Certificate Request Fingerprint SHA1:
DAC3E1C5 3B790E81 14E92CBD FD1A4178 6FE88443
R4(config)#
May 17 04:45:42.380: %PKI-6-CERTRET: Certificate received from Certificate
Authority
R4(config)#
R5(config)#ip domain-name ccbootcamp.com
R5(config)#clock timezone
May 17 04:45:43.293: %SYS-5-CONFIG_I: Configured from console by console
R5(config)#clock timezone PST -8
R5(config)#clock summer-time PDT recurring
R5(config)#ntp authentication-key 1 md5 cisco
R5(config)#ntp trusted-key 1
R5(config)#ntp authenticate
R5(config)#ntp server 1.1.1.1
May 17 04:45:44.902: %SYS-6-CLOCKUPDATE: System clock has been updated from
21:45:44 PDT Sat May 16 2009 to 21:45:44 PDT Sat May 16 2009, configured from
console by console.
May 17 04:45:45.402: %SYS-6-CLOCKUPDATE: System clock has been updated from
21:45:45 PDT Sat May 16 2009 to 21:45:45 PDT Sat May 16 2009, configured from
console by console.
R5(config)#ntp server 1.1.1.1
R5(config)#crypto key generate rsa general-keys modulus 1024 exportable
% You already have RSA keys defined named R5.ccbootcamp.com.
% They will be replaced.
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
May 17 04:45:47.826: %SSH-5-DISABLED: SSH 1.99 has been disabled[OK]
R5(config)#crypto ca trustpoint R1-CA
R5(ca-trustpoint)#enrollment url http://1.1.1.1:80
R5(ca-trustpoint)#revocation-check none
R5(ca-trustpoint)#exit
R5(config)#
R5(config)#
R5(config)#crypto pki authenticate R1-CA
Certificate has the following attributes:
Fingerprint MD5: 6639F668 A7C539DA D444653F 0DD6A31B
Fingerprint SHA1: AB5C27EF 877C1C27 5A7CA12F 101777F4 86C0E64A
R7(config)#ntp authentication-key 1 md
May 17 04:45:57.578: %SYS-6-CLOCKUPDATE: System clock has been updated from
21:45:57 PDT Sat May 16 2009 to 21:45:57 PDT Sat May 16 2009, configured from
console by console.
R7(config)#ntp authentication-key 1 md5 cisco
R7(config)#ntp trusted-key 1
R7(config)#ntp authenticate
R7(config)#ntp server 1.1.1.1
R7(config)#crypto key generate rsa general-keys modulus 1024 exportable
% You already have RSA keys defined named R7.ccbootcamp.com.
% They will be replaced.
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
May 17 04:46:04.675: %SSH-5-DISABLED: SSH 1.99 has been disabled[OK]
R7(config)#crypto ca trustpoint R1-CA
R7(ca-trustpoint)#enrollment url http://1.1.1.1:80
R7(ca-trustpoint)#revocation-check none
R7(ca-trustpoint)#exit
R7(config)#
R7(config)#
R7(config)#
May 17 04:46:06.939: %SSH-5-ENABLED: SSH 1.99 has been enabled
R7(config)#crypto pki authenticate R1-CA
Certificate has the following attributes:
Fingerprint MD5: 6639F668 A7C539DA D444653F 0DD6A31B
Fingerprint SHA1: AB5C27EF 877C1C27 5A7CA12F 101777F4 86C0E64A
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R7(config)#
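R5 and R7 are both shown the same MD5 and SHA1 fingerprints for R1-CA before they accept it. That prompt is the only thing standing between the router and a rogue CA: SCEP enrollment over plain HTTP to 1.1.1.1 proves nothing about who answered, so the digits have to be compared with a value obtained out of band (for instance the CA's own certificate display) rather than just answered "yes". The following is an added example, not workbook or Cisco code: it derives a fingerprint the way IOS does (a digest over the DER-encoded certificate printed in 8-digit groups), normalises the IOS and OpenSSL display formats, and compares them in constant time. EXAMPLE_DER is a constructed byte string standing in for a certificate, not a real one.

```python
"""Fingerprint verification behind 'crypto pki authenticate' (added example, not workbook code)."""
import hashlib
import hmac
import re

# Fingerprints printed by R5 and R7 in the transcript above (same CA, so they must agree)
R1_CA_MD5 = "6639F668 A7C539DA D444653F 0DD6A31B"
R1_CA_SHA1 = "AB5C27EF 877C1C27 5A7CA12F 101777F4 86C0E64A"

# Constructed stand-in for DER-encoded certificate bytes; not a real certificate
EXAMPLE_DER = b"\x30\x82\x01\x00constructed-stand-in-for-a-DER-certificate"

_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digits -> algorithm


def normalize(fp: str) -> str:
    """Reduce 'AB5C27EF 877C1C27 ...' or 'ab:5c:27:ef:...' to bare lowercase hex."""
    digits = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(digits) not in _DIGEST_LENGTHS:
        raise ValueError(f"not an MD5/SHA1/SHA256 fingerprint: {fp!r}")
    return digits


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest over the DER encoding, formatted as IOS prints it (uppercase, 8-digit groups)."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))


def fingerprints_match(shown: str, expected: str) -> bool:
    """Compare two fingerprints in any display format without leaking where they differ."""
    a, b = normalize(shown), normalize(expected)
    return len(a) == len(b) and hmac.compare_digest(a.encode(), b.encode())


def accept_trustpoint(shown_sha1: str, expected_sha1: str,
                      shown_md5: str = "", expected_md5: str = "") -> bool:
    """Decide the '% Do you accept this certificate?' prompt.

    SHA1 must match. MD5 is checked only as a secondary value when both sides
    supplied one; it is collision-prone and must not be the sole basis for trust.
    """
    if not fingerprints_match(shown_sha1, expected_sha1):
        return False
    if shown_md5 and expected_md5 and not fingerprints_match(shown_md5, expected_md5):
        return False
    return True


def verify_fetched_certificate(der: bytes, expected_sha1: str) -> bool:
    """What the operator does by hand: hash what the router fetched and compare with the out-of-band value."""
    return fingerprints_match(fingerprint(der, "sha1"), expected_sha1)


if __name__ == "__main__":
    print(fingerprint(EXAMPLE_DER, "sha1"))
    print(accept_trustpoint(R1_CA_SHA1, R1_CA_SHA1, R1_CA_MD5, R1_CA_MD5))
```

The same comparison applies to the request fingerprints the routers print after crypto pki enroll: the CA administrator should match them against the pending request before granting it, otherwise anyone who can reach the enrollment URL can obtain a certificate in a router's name.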
R7(config)#crypto pki enroll R1-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: R7.ccbootcamp.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1-CA verbose' command will show the fingerprint.
R7(config)#
May 17 04:46:18.955: CRYPTO_PKI: Certificate Request Fingerprint MD5:
476E9C95 8C87815F AD1EE04A CE6AAB27
Re-enter password:
% The subject name in the certificate will include: R8.ccbootcamp.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1-CA verbose' command will show the fingerprint.
R8(config)#
R8(config)#
May 17 04:46:27.857: CRYPTO_PKI: Certificate Request Fingerprint MD5:
55D6E2A8 0D7EE2D3 BCCCD2CA 8215989B
May 17 04:46:27.857: CRYPTO_PKI: Certificate Request Fingerprint SHA1:
5CD8729E 49920665 3DCA194C E42F6B8A FE20FA50
R8(config)#
May 17 04:46:32.058: %PKI-6-CERTRET: Certificate received from Certificate
Authority
R8(config)#
Task 3.2
4 Points
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (7.7.7.7/255.255.255.255/1/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
(#pkts compressed/decompressed and #send/#recv error counters cut in extraction)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3FFC7B68(1073511272)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2022, flow_id: NETGX:22, crypto map: map-group1
sa timing: remaining key lifetime (sec): (399)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x17F276B6(401766070)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2026, flow_id: NETGX:26,
sa timing: remaining key lifetime
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x9909BC72(2567552114)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2030, flow_id: NETGX:30,
sa timing: remaining key lifetime
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x8A084196(2315796886)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2034, flow_id: NETGX:34,
sa timing: remaining key lifetime
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R6#
Task 3.3
4 Points
R3(config-if)#exit
R3(config)#ip local pool MY_VPN_POOL 2.33.2.51 2.33.2.60
R3(config)#access-list 101 permit ip 2.33.2.0 0.0.255.255 any
R3(config)#exit
Task 3.4
4 Points
ISAKMP SA detail (reconstructed from the table residue)

C-id  Local      Remote     I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1015  2.88.2.8   2.88.2.10         ACTIVE  aes   sha   rsig  2   23:59:44
      Engine-id:Conn-id = SW:15
1014  2.88.2.8   2.88.2.10         ACTIVE  aes   sha   rsig  2
      Engine-id:Conn-id = ???  (deleted)
Section 4: IPS
Task 4.1
4 Points
Task 4.2
4 Points
Task 4.3
4 Points
BB2#
Task 4.4
4 Points
Send a TCP reset for any telnet traffic that includes the string gunna!getcha. Log any packets destined for the victim for the next 35 seconds.
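The sensor matches this with a string.tcp signature on the reassembled telnet stream, not on individual segments: a telnet client in character mode sends each keystroke in its own segment, so a per-packet search for gunna!getcha never fires. The Python below is an added model of that engine behaviour and of the three actions the task asks for (alert, TCP reset towards both ends, 35-second victim IP log); it is not the workbook's solution and not Cisco IPS code. The client address 192.0.2.10, the ephemeral port and the timings are constructed; the server 1.1.1.1 is R1 from the verification that follows.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Segment:
    """One TCP segment (constructed for the example; no real capture behind it)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # sequence number of the first payload byte
    payload: bytes
    ts: float         # arrival time, seconds


@dataclass
class Signature:
    """The string.tcp parameters the task needs (field names mirror the engine's)."""
    regex: re.Pattern
    service_port: int = 23
    actions: tuple = ("produce-alert", "reset-tcp-connection", "log-victim-packets")
    log_seconds: int = 35          # duration of the victim IP log


@dataclass
class Alert:
    flow: tuple
    matched: bytes
    actions: tuple
    resets: list = field(default_factory=list)
    log_victim_until: Optional[float] = None


class StringTcpMatcher:
    """Reassemble the to-service byte stream per flow and scan it, as the engine does."""

    def __init__(self, sig: Signature, window: int = 4096):
        self.sig = sig
        self.window = window                 # bytes of stream kept for matching
        self.streams: dict = {}              # flow key -> reassembled client->server bytes
        self.alerts: list = []
        self.victim_log_until: dict = {}     # victim IP -> time until which packets are logged

    def feed(self, seg: Segment) -> Optional[Alert]:
        if seg.dport != self.sig.service_port:   # direction to-service: client->server only
            return None
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        # In-order append; a real engine also orders by seq and discards overlaps.
        buf = (self.streams.get(key, b"") + seg.payload)[-self.window:]
        self.streams[key] = buf
        m = self.sig.regex.search(buf)
        if m is None:
            return None
        alert = Alert(flow=key, matched=m.group(0), actions=self.sig.actions)
        if "reset-tcp-connection" in self.sig.actions:
            # The sensor forges an RST towards each endpoint from the matching segment's numbers.
            alert.resets = [(seg.dst, seg.dport, seg.seq + len(seg.payload)),
                            (seg.src, seg.sport, seg.seq)]
            del self.streams[key]                 # the flow is gone once the RSTs land
        if "log-victim-packets" in self.sig.actions:
            alert.log_victim_until = seg.ts + self.sig.log_seconds
            self.victim_log_until[seg.dst] = alert.log_victim_until
        self.alerts.append(alert)
        return alert

    def should_log(self, dst_ip: str, ts: float) -> bool:
        """IP-log decision for any later packet addressed to a victim."""
        return ts < self.victim_log_until.get(dst_ip, float("-inf"))


def telnet_keystrokes(client: str, server: str, text: bytes, t0: float = 0.0) -> list:
    """Constructed telnet character-mode traffic: one byte per segment."""
    return [Segment(client, 40001, server, 23, 1000 + i, bytes([b]), t0 + 0.05 * i)
            for i, b in enumerate(text)]


def per_packet_hits(sig: Signature, segs: list) -> int:
    """What a naive per-segment search would see."""
    return sum(1 for s in segs if sig.regex.search(s.payload))


def run_demo():
    sig = Signature(regex=re.compile(rb"gunna!getcha"))
    segs = telnet_keystrokes("192.0.2.10", "1.1.1.1", b"gunna!getcha\r\n")
    engine = StringTcpMatcher(sig)
    fired = [a for a in map(engine.feed, segs) if a is not None]
    return per_packet_hits(sig, segs), fired, engine
```

run_demo() returns zero per-packet hits but one stream-level alert, with the victim log window open for 35 seconds after the matching segment; the engine here never re-examines a flow after resetting it, which is also why the signature fires once rather than on every following keystroke.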
BB2#telnet 1.1.1.1
Trying 1.1.1.1 ... Open
R1#gunna!getcha
% Unknown command or computer name, or unable to find computer address
R1#
4 Points
SW4(config)#aaa new-model
SW4(config)#aaa authentication dot1x default group radius local
SW4(config)#aaa authorization network default group radius
SW4(config)#vlan 512,513,514
SW4(config-vlan)#exit
SW4(config)#interface vlan 4
SW4(config-if)#ip address 192.168.2.114 255.255.255.0
SW4(config-if)#exit
SW4(config)#dot1x system-auth-control
SW4(config)#interface FastEthernet0/16
SW4(config-if)#switchport mode access
SW4(config-if)#dot1x pae authenticator
SW4(config-if)#dot1x port-control auto
SW4(config-if)#dot1x guest-vlan 513
SW4(config-if)#dot1x auth-fail vlan 512
SW4(config-if)#dot1x violation-mode shutdown
SW4(config-if)#exit
SW4(config)#ip radius source-interface VLAN4
SW4(config)#radius-server host 192.168.2.101
SW4(config)#radius-server key cisco
SW4(config)#end
SW4#test aaa group radius user-5.1 cisco legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.
SW4#
SW4#show dot1x interface fa0/16
Dot1x Info for FastEthernet0/16
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = SHUTDOWN
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Auth-Fail-Vlan            = 512
Auth-Fail-Max-attempts    = 3
Guest-Vlan                = 513
SW4#
Task 5.2
4 Points
R1#telnet 1.1.1.1
Trying 1.1.1.1 ... Open
Username: user-5.2
Password:
R1#show ver
Command authorization failed.
R1#conf t
Enter configuration commands, one per line.
R1(config)#router rip
Command authorization failed.
Task 5.3
4 Points
    User       Host(s)              Idle       Location
               2.22.2.2             00:00:00
   user-5.3    idle                 00:00:00   2.22.2.2

  Interface    User               Mode         Idle     Peer Address

R2>exit
[Connection to 2.22.2.2 closed by foreign host]
R2#
4 Points
4 Points
Task 7.2
4 Points
BB1(config)#router bgp 1
BB1(config-router)#neighbor 2.3.2.9 password cisco
BB1(config-router)#
BB2#
*May 17 09:28:26.458: %TCP-6-BADAUTH: No MD5 digest from 2.5.2.9(22545) to 2.3.2.9(179)
BB2#
*May 17 09:28:47.790: %BGP-5-ADJCHANGE: neighbor 2.5.2.9 Up
BB2#show ip bgp summary
BGP router identifier 2.3.2.9, local AS number 2
BGP table version is 46, main routing table version 46
15 network entries using 1800 bytes of memory
15 path entries using 780 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2852 total bytes of memory
BGP activity 30/15 prefixes, 30/15 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer
2.5.2.9         4     1      16      18       46
BB2#
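neighbor ... password turns on the TCP MD5 signature option (RFC 2385, option kind 19, 18 bytes) for the BGP session. Every segment carries an MD5 digest over the IP pseudo-header, the fixed TCP header with the checksum zeroed and options excluded, the segment data and the shared key. A segment that arrives without the option is rejected and logged as "No MD5 digest" (what BB2 printed until BB1 was configured with the same password); one with the option but a different key is rejected as "Invalid MD5 digest". The Python below is an added illustration of that computation on a constructed SYN from BB1 (2.5.2.9, port 22545) to BB2 (2.3.2.9, port 179) with the key cisco from the task; it is not code from the workbook, and it leaves the TCP checksum at zero rather than computing it.

```python
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND = 19        # RFC 2385 option kind
TCP_MD5_LEN = 18         # kind + length + 16-byte digest
IPPROTO_TCP = 6


def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_hdr: bytes, options: bytes,
                   data: bytes, key: bytes) -> bytes:
    """RFC 2385: MD5 over pseudo-header, fixed TCP header with checksum zeroed, data, key.
    Options are excluded from the hash but counted in the pseudo-header segment length."""
    seg_len = len(tcp_hdr) + len(options) + len(data)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, IPPROTO_TCP, seg_len)
    hdr_no_csum = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:]
    return hashlib.md5(pseudo + hdr_no_csum + data + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, data=b"", key=None) -> bytes:
    """TCP segment without IP header. With a key, a 20-byte option block is appended:
    kind 19, length 18, digest, then two NOPs to keep the header on a 32-bit boundary.
    The TCP checksum is left at zero here (a real stack fills it in after signing)."""
    options = b""
    if key is not None:
        options = bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + b"\x00" * 16 + b"\x01\x01"
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags,
                      65535, 0, 0)
    if key is not None:
        digest = tcp_md5_digest(src_ip, dst_ip, hdr, options, data, key)
        options = options[:2] + digest + options[18:]
    return hdr + options + data


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> str:
    """Receiver side; the strings mirror the two %TCP-6-BADAUTH variants IOS logs."""
    hdr = segment[:20]
    hlen = (hdr[12] >> 4) * 4
    options, data = segment[20:hlen], segment[hlen:]
    received = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        length = options[i + 1]
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            received = options[i + 2:i + 18]
        i += length
    if received is None:
        return "No MD5 digest"
    expected = tcp_md5_digest(src_ip, dst_ip, hdr, options, data, key)
    if not hmac.compare_digest(received, expected):
        return "Invalid MD5 digest"
    return "OK"


def run_demo():
    key = b"cisco"                          # the password from the task
    bb1, bb2 = "2.5.2.9", "2.3.2.9"         # BB1 -> BB2, ports 22545 -> 179 as in the log
    syn = 0x02
    unsigned = build_segment(bb1, bb2, 22545, 179, 1000, 0, syn)
    signed = build_segment(bb1, bb2, 22545, 179, 1000, 0, syn, key=key)
    return (verify_segment(bb1, bb2, unsigned, key),
            verify_segment(bb1, bb2, signed, key),
            verify_segment(bb1, bb2, signed, b"wrong"),
            len(signed))
```

Because the digest covers the pseudo-header, the same key produces a different digest for each address pair, and because it is computed before the checksum the receiver must zero the checksum field again before recomputing. Note that this is a keyed hash rather than encryption: it proves possession of the shared key and protects against injected RSTs and spoofed updates, but the BGP payload itself remains in the clear.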
4 Points
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0018.199e.b5fe vlan 11
 switchport port-security mac-address sticky 0018.199e.b5fe vlan 22
 switchport port-security mac-address sticky 0018.199e.b5fe vlan 33
 switchport port-security mac-address sticky 0018.199e.b5fe vlan 44
 switchport port-security mac-address sticky 0018.199e.b5fe vlan 55
 switchport port-security mac-address sticky 0018.199e.b5fe vlan 66
 switchport port-security mac-address sticky 0018.199e.b5fe vlan 77
 switchport port-security mac-address sticky 0018.199e.b5fe vlan 88
Task 8.2
4 Points
ASA1(config-pmap-c)# exit
ASA1(config-pmap)# exit
LAB 10
Instructions
Verify that all configurations have been cleared before you load initial configurations onto the lab routers, backbone routers and switches. There are no initial configurations for the ASA and IPS. You will be required to configure these devices in the practice lab, just as you will be required to do so in the actual lab exam.

ASDM and SDM are not available in the actual lab exam.

The AC workstation is used in this lab as the candidate PC as well as the ACS server. The IP address of the ACS cannot be changed.

There is a test PC available in the practice labs as well as the actual lab. The IP address of the rack interface test PC may be changed through the desktop application. For both PCs, you may add/remove static routes for connectivity as described in the lab. Do not change the default route on the ACS or the test PC, as you may lose connectivity.

Always remember to apply changes and save your configs often!

Unless otherwise specified, use only the existing networks within your lab. Additional networks, static and/or default routes may not be configured unless specified in a task.

When creating passwords, use cisco unless indicated otherwise in a specific task. Refer to the Remote Rack Access FAQ PDF for cabling, ACS and IPS access and other commonly asked questions. The document is located here: http://www.ccbootcamp.com/download
Sections:
1. ASA Firewalls
2. IOS Firewalls
3. VPNs
4. IPS
5. Identity Management
6. Control/Management Plane Security
7. Advanced Security
8. Network Attack Mitigation
[Lab 10 topology diagram; only its labels survive extraction. Devices: ACS PC (.101), R1 to R8, BB1 (.99), BB2, SW1 (.11), SW2 (.11), ASA1, ASA2 contexts C1 and C2, IPS C&C (.50). Segments: VLAN 168 192.168.2.0, VLAN 22 24.234.22.0, VLAN 77 172.16.77.0, VLAN 44 172.16.44.0, VLAN 99 172.16.99.0, VLAN 252 24.234.252.0, Frame Relay 24.234.100.0 (EIGRP 1), VLAN 111 24.234.111.0, VLAN 121 24.234.121.0, VLAN 222 24.234.222.0, VLAN 88 172.16.88.0, VLAN 55 172.16.55.0. Firewall interfaces are E0/0 subinterfaces (E0/0.v) labelled Inside, Outside, DMZ1 and DMZ2.]
Cabling (as recovered from the rack diagram):
R1  Fa0/0 - SW1 Fa0/1      R1  Fa0/1 - SW2 Fa0/1
R2  Fa0/0 - SW1 Fa0/2      R2  Fa0/1 - SW2 Fa0/2
R3  Fa0/0 - SW1 Fa0/3      R3  Fa0/1 - SW2 Fa0/3
R4  Fa0/0 - SW1 Fa0/4      R4  Fa0/1 - SW2 Fa0/4
R5  Fa0/0 - SW1 Fa0/5      R5  Fa0/1 - SW2 Fa0/5
R6  Fa0/0 - SW1 Fa0/6      R6  Fa0/1 - SW2 Fa0/6
BB1 Fa0/0 - SW1 Fa0/9      BB1 Fa0/1 - SW2 Fa0/9
BB2 Fa0/0 - SW1 Fa0/10     BB2 Fa0/1 - SW2 Fa0/10
ASA01 E0/0 - SW1 Fa0/12    ASA01 E0/1 - SW1 Fa0/17    ASA01 E0/2 - SW2 Fa0/12    ASA01 E0/3 - SW2 Fa0/14
ASA02 E0/0 - SW1 Fa0/18    ASA02 E0/1 - SW1 Fa0/23    ASA02 E0/2 - SW2 Fa0/17    ASA02 E0/3 - SW2 Fa0/18
IDS Gi0/0 (sense) - SW1 Fa0/14    IDS Gi0/1 (c&c) - SW2 Fa0/23
SW1 Fas0/19 - SW2 Fas0/19    SW1 Fas0/20 - SW2 Fas0/20
ACS PC 192.168.2.101 - SW1 Fa0/24

Sensor Int.   Connected to:
G0/0          SW1 Fa0/14
Fa1/0         SW3 Fa0/4
Fa1/1         SW3 Fa0/3
Fa1/2         SW3 Fa0/2
Fa1/3         SW3 Fa0/1

R7 (2811) Fas0/0 - SW3 Fas0/17    R7 Fas0/1 - SW4 Fas0/17
R8 (2811) Fas0/0 - SW3 Fas0/18    R8 Fas0/1 - SW4 Fas0/18
SW3 Fas0/19 - SW4 Fas0/19    SW3 Fas0/20 - SW4 Fas0/20
4 Points
Interface  VLAN
E0/0.168   168
E0/0.22    22
E0/0.77    77
E0/0.44    44

4 Points
Name     Interface  Sec-Level  IP Address          VLAN
Inside   E0/0.88    50         172.16.88.200/24    88
Outside  E0/0.111   50         24.234.111.200/24   111
Inside   E0/0.55    Default    172.16.55.200/24    55
Outside  E0/0.222   Default    24.234.222.200/24   222
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
Section 3: VPNs
Task 3.1
4 Points
4 Points
Task 3.3
4 Points
4 Points
Section 4: IPS
Task 4.1
4 Points
IPS C&C address  Gateway        Managed by     Mgmt. SSL port
172.16.77.50     172.16.77.100  192.168.2.101  443

Verify that you can connect to and manage the IPS from the ACS server. You may add a route to the ACS server to accomplish this.
Create sig1, rules1 and ad1, which should be clones of the existing sig0, rules0 and ad0.
Create virtual sensor vs1 and assign sig1, rules1 and ad1 to it.
Task 4.2
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
4 Points
Interface  VLAN
E0/0.168   168
E0/0.22    22
E0/0.77    77
E0/0.44    44
R2#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

D       172.16.44.0 [90/28416] via 24.234.22.100, 00:01:47, FastEthernet0/0.22
D EX    172.16.99.0 [170/28416] via 24.234.22.100, 00:01:46, FastEthernet0/0.22
D       172.16.88.0 [90/2172416] via 24.234.100.6, 00:17:38, Serial0/0/0
D       172.16.77.0 [90/28416] via 24.234.22.100, 00:01:47, FastEthernet0/0.22
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     24.0.0.0/24 is subnetted, 4 subnets
C       24.234.252.0 is directly connected, FastEthernet0/0.252
D       24.234.121.0 [90/2172416] via 24.234.100.3, 00:20:30, Serial0/0/0
C       24.234.100.0 is directly connected, Serial0/0/0
C       24.234.22.0 is directly connected, FastEthernet0/0.22
S    192.168.2.0/24 [1/0] via 24.234.22.100
Task 1.2
4 Points
Name     Interface  Security Level  IP Address          VLAN
Inside   E0/0.88    50              172.16.88.200/24    88
Outside  E0/0.111   50              24.234.111.200/24   111
Inside   E0/0.55    Default         172.16.55.200/24    55
Outside  E0/0.222   Default         24.234.222.200/24   222
Task 1.3
4 Points
Task 1.4
4 Points
Verification:
ASA2/c1# sho service-policy inspect ftp
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp strict PUT, packet 0, drop 0, reset-drop 0
class PUT
reset, packet 0
4 Points
Verification:
SW1(config)#int l0
SW1(config-if)#ip address 10.1.1.1 255.255.255.0
SW1(config-if)#exit
SW1(config)#exit
SW1#ping 24.234.100.3 so l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.....
Success rate is 0 percent (0/5)
R3#sho access-lists
Extended IP access list 101
10 deny ip 172.16.0.0 0.15.255.255 any
20 deny ip 10.0.0.0 0.255.255.255 any (15 matches)
R6(config)#int l0
R6(config-if)#ip address 66.66.66.66 255.255.255.0
R6(config-if)#exit
R6(config)#exit
R6#ping 24.234.100.3 so l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.3, timeout is 2 seconds:
Packet sent with a source address of 66.66.66.66
.....
Success rate is 0 percent (0/5)
*May 13 17:15:33.791: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 66.66.66.66 -> 24.234.100.3 (0/0), 1 packet
R6#ping 24.234.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
R6#ping 24.234.100.3 size 3000
Type escape sequence to abort.
Sending 5, 3000-byte ICMP Echos to 24.234.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Task 2.2
4 Points
Task 2.3
4 Points
Task 2.4
4 Points
[show ip nbar protocol-discovery style output; only the Output column headers (Packet Count, Byte Count, 5min Bit Rate (bps), 5min Max Bit Rate (bps)) and two counter values, 4560 and 2418, survive extraction.]
Section 3: VPNs
Task 3.1
4 Points
Task 3.2
4 Points
Task 3.3
4 Points
R8(config)#int loopback 88
R8(config-if)#ip address 88.88.88.88 255.255.255.0
R8(config-if)#exit
R8(config)#crypto isakmp policy 5
R8(config-isakmp)#encryption aes
R8(config-isakmp)#hash sha
R8(config-isakmp)#group 2
R8(config-isakmp)#authentication rsa-sig
R8(config-isakmp)#exit
R8(config)#crypto ipsec transform-set VPN esp-aes esp-sha-hmac
R8(cfg-crypto-trans)#exit
R8(config)#access-list 150 permit icmp host 88.88.88.88 host 55.55.55.55
R8(config)#crypto map VPN 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R8(config-crypto-map)#set transform-set VPN
R8(config-crypto-map)#set peer 24.234.222.5
R8(config-crypto-map)#match address 150
R8(config-crypto-map)#exit
R8(config)#int fa0/0.88
R8(config-subif)#crypto map VPN
Verification:
R8#ping 55.55.55.55 so 88.88.88.88
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 55.55.55.55, timeout is 2 seconds:
Packet sent with a source address of 88.88.88.88
...!!
Success rate is 40 percent (2/5), round-trip min/avg/max = 1/2/4 ms
R8#
R8#sho crypto ipsec sa
interface: FastEthernet0/0.88
Crypto map tag: VPN, local addr 172.16.88.8
protected vrf: (none)
local ident (addr/mask/prot/port): (88.88.88.88/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (55.55.55.55/255.255.255.255/1/0)
current_peer 24.234.222.5 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 0
Task 3.4
4 Points
Verification:
R8#ping 24.234.121.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.121.11, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 92/93/96 ms
Section 4: IPS
Task 4.1
4 Points
IPS C&C address  Gateway        Managed by     Mgmt. SSL port
172.16.77.50     172.16.77.100  192.168.2.101  443

Verify that you can connect to and manage the IPS from the ACS server. You may add a route to the ACS server to accomplish this.
Create sig1, rules1 and ad1, which should be clones of the existing sig0, rules0 and ad0.
Create virtual sensor vs1 and assign sig1, rules1 and ad1 to it.
sensor# setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current Configuration:
(cut)
4 21:24:15 2009
Permit:
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:
The following configuration was entered.
(cut)
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Enter your selection[2]: 2
Configuration Saved.
Task 4.2
4 Points
SW3(config)#monitor session 1 source vlan 77
SW3(config)#monitor session 1 destination remote vlan 253
SW3(config)#
SW3(config)#monitor session 2 source vlan 168
SW3(config)#monitor session 2 destination remote vlan 254
SW3(config)#
SW3(config)#int fa0/2
SW3(config-if)#sw mode access
SW3(config-if)#sw access vlan 168
Task 4.3
4 Points
Verification:
Task 4.4
4 Points
Verification:
R1#copy http://24.234.100.6/cisco null:
%Error opening http://24.234.100.6/cisco (Unknown error -1)
R1#copy http://24.234.22.2/cisco null:
%Error opening http://24.234.22.2/cisco (I/O error)
4 Points
Task 5.2
4 Points
Verification:
R6#ping 24.234.222.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.222.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6#telnet 24.234.222.50
Trying 24.234.222.50 ... Open
LOGIN Authentication
Username: admin
Password:
Authentication Successful
Task 5.3
4 Points
4 Points
Verification:
R2#telnet 24.234.100.3
Trying 24.234.100.3 ... Open

                                Packets Processed/Dropped/Errors
--------------------------------------------------------
Management-Interface            40/3/0
--------------------------------------------------------
4 Points
Task 7.2
4 Points
R1#telnet 172.16.88.8
Trying 172.16.88.8 ...
% Connection timed out; remote host not responding
R6#sho route-map
route-map BAD_TELNET, permit, sequence 10
Match clauses:
ip address (access-lists): 101
Set clauses:
interface Null0
Policy routing matches: 4 packets, 192 bytes
4 Points
Task 8.2
4 Points
Verification:
R1#ping 24.234.100.6 size 2000 repeat 10
Type escape sequence to abort.
Sending 10, 2000-byte ICMP Echos to 24.234.100.6, timeout is 2 seconds:
!!.!.!.!.!
Success rate is 60 percent (6/10), round-trip min/avg/max = 892/892/896 ms
R2#sho int rate-limit
Serial0/0/0
Output
matches: access-group 110
params: 8000 bps, 2000 limit, 2000 extended limit
conformed 16 packets, 15244 bytes; action: transmit
exceeded 4 packets, 5036 bytes; action: drop
last packet: 14960ms ago, current burst: 1276 bytes
last cleared 00:00:44 ago, conformed 2000 bps, exceeded 0 bps
R6#ping 24.234.22.2 so l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.22.2, timeout is 2 seconds:
Packet sent with a source address of 66.66.66.66
.....
Success rate is 0 percent (0/5)
R2#
*May 15 15:53:48.991: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 66.66.66.66 -> 24.234.22.2 (0/0), 1 packet
R1#ping
Protocol [ip]:
Target IP address: 24.234.100.6
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.2.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: t
Number of timestamps [ 9 ]: 3
Loose, Strict, Record, Timestamp, Verbose[TV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.234.100.6, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
Packet has IP options: Total option bytes= 16, padded length=16
Timestamp: Type 0. Overflows: 0 length 16, ptr 5
>>Current pointer<<
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out
Success rate is 0 percent (0/5)
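The verbose timestamp ping above shows what the router built: an IP timestamp option of 16 bytes (type 68, length 4 plus 4 per slot, pointer 5, overflow 0, flag 0, which IOS prints as "Type 0" and means timestamps only), carried in a header whose IHL is 9 words instead of 5, and all five requests timed out. The Python below is an added example, not code from the workbook, that builds and parses that option and shows the header-length test a filter that drops packets carrying IP options keys on; the addresses are the ones from the ping, and the payload sizes follow the IOS convention that the datagram size includes the headers. It also shows why the IOS prompt defaults to 9 timestamps: a tenth slot would push the option past the 40-byte limit.

```python
import socket
import struct

IPOPT_TIMESTAMP = 68     # copied=0, class=2 (debugging), number=4 (RFC 791)
IPOPT_MAX = 40           # IHL is 4 bits: at most 15 words, i.e. 20 + 40 bytes


def build_timestamp_option(slots: int, flag: int = 0) -> bytes:
    """RFC 791 timestamp option: type, length, pointer, overflow/flag nibble, then the slots.
    flag 0 records timestamps only (4 bytes each, IOS 'Type 0'); 1 records address+timestamp
    pairs (8 bytes each); 3 is the prespecified-address form (also 8 bytes each)."""
    if flag not in (0, 1, 3):
        raise ValueError("flag must be 0, 1 or 3")
    length = 4 + slots * (4 if flag == 0 else 8)
    if length > IPOPT_MAX:
        raise ValueError("timestamp option exceeds the 40-byte option limit")
    return bytes([IPOPT_TIMESTAMP, length, 5, flag]) + b"\x00" * (length - 4)  # pointer starts at 5


def pad_options(options: bytes) -> bytes:
    """Pad with EOL (0x00) to a 32-bit boundary so IHL can express the length."""
    return options + b"\x00" * (-len(options) % 4)


def parse_timestamp_option(opt: bytes) -> dict:
    if len(opt) < 4 or opt[0] != IPOPT_TIMESTAMP or opt[1] > len(opt):
        raise ValueError("not a well-formed timestamp option")
    length, pointer, oflw_flag = opt[1], opt[2], opt[3]
    flag = oflw_flag & 0x0F
    slot = 4 if flag == 0 else 8
    return {"type": opt[0], "length": length, "pointer": pointer,
            "overflow": oflw_flag >> 4, "flag": flag,
            "filled_slots": (pointer - 5) // slot, "total_slots": (length - 4) // slot}


def build_ipv4_header(src: str, dst: str, datagram_len: int, options: bytes = b"",
                      proto: int = 1) -> bytes:
    """Minimal IPv4 header (checksum left zero) with the given option block; datagram_len is
    the whole-datagram size, which is how an IOS 'N-byte ICMP Echo' counts it."""
    opts = pad_options(options)
    ihl = 5 + len(opts) // 4
    if ihl > 15 or datagram_len < ihl * 4:
        raise ValueError("header does not fit")
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, datagram_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + opts


def has_ip_options(packet: bytes) -> bool:
    """The test an IP-options filter applies: any header longer than 20 bytes (IHL > 5)."""
    return (packet[0] & 0x0F) > 5


def run_demo() -> dict:
    src, dst = "192.168.2.1", "24.234.100.6"
    opt = build_timestamp_option(3)                        # 'Number of timestamps: 3'
    with_opt = build_ipv4_header(src, dst, 100, opt)       # 100-byte echo as in the ping
    plain = build_ipv4_header(src, dst, 100)
    return {"option_bytes": len(opt), "padded_bytes": len(pad_options(opt)),
            "parsed": parse_timestamp_option(opt),
            "ihl_with_opt": with_opt[0] & 0x0F, "ihl_plain": plain[0] & 0x0F,
            "dropped": has_ip_options(with_opt), "plain_dropped": has_ip_options(plain)}
```

Dropping on IHL alone is deliberately coarse: it catches timestamp, record-route and source-route options alike without parsing them, which is the property you want from a control-plane protection rather than a signature.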