CCIE Security Advanced Lab Workbook Version 3.0 PDF

www.CareerCert.
info
www.CareerCert.info
CCBOOTCAMPs
CCIE Security Advanced Lab Workbook
Volume 1
for the CCIE Security Lab Exam version 3.0
For questions about this workbook please visit: www.securityie.com
CCBOOTCAMP
375 N. Stephanie Street
Building 21, Suite 2111
Henderson, NV 89014
1.877.654.2243 Toll Free
www.ccbootcamp.com
Cisco, the Cisco Logo, CCNA, CCNP, CCDP, CCDA, CCIE, Cisco Certified
Network Associate, Cisco Certified Design Professional, Cisco Certified Design
Associate, and Cisco Certified Network Professional, are registered trademarks of
Cisco Systems, Inc. The contents contained wherein, is not associated or endorsed by
Cisco Systems, Inc.
www.CareerCert.info
PLEASE READ THIS SUBSCRIPTION LICENSE AGREEMENT CAREFULLY BEFORE USING THIS PRODUCT.
THIS SUBSCRIPTION LICENSE AGREEMENT APPLIES TO CCBOOTCAMPs CCIE Security Advanced Lab
Workbook.
BY ORDERING THIS PRODUCT YOU ARE CONSENTING TO BE BOUND BY THIS LICENSING AGREEMENT.
IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS LICENSE, THEN DO NOT PURCHASE THIS
PRODUCT.
License Agreement
CCBOOTCAMPs CCIE Security Advanced Lab Workbook is copyrighted. In addition, this
product is at all times the property of CCBOOTCAMP, and the customer shall agree to
use this product only for themselves, the licensed user. The license for the specific
customer remains valid from the purchase date until they pass their CCIE Security lab
exam.
CCBOOTCAMPs CCIE Security Advanced Lab Workbook materials are licensed by individual
customer. This material cannot be resold, transferred, traded, sold, or have the price
shared in any way. Each specific individual customer must have a license to use this
product. The customer agrees that this product is always the property of CCBOOTCAMP,
and they are just purchasing a license to use it. A Customers license will be revoked
if they violate this licensing agreement in any way.
Copies of this material in any form or fashion are strictly prohibited. If for any
reason a licensed copy of this material is lost or damaged a new copy will be provided
free of charge, except for the cost of printing, shipping and handling.
Individuals or entities that knowingly violate the terms of this licensing agreement
may be subject to punitive damages that CCBOOTCAMP could seek in civil court. Damages
will be limited to a maximum of $500,000.00 per individual and $2,000,000.00 per
entity. In addition, individuals or entities that knowingly violate the terms of this
license agreement may be subject to criminal penalties as are allowed by law.
The venue of any dispute, controversy, litigation or proceeding (formal or informal)
arising out of or pertaining to this licensing agreement or the subject hereof shall
lie exclusively in the County of Clark, State of Nevada. Provided, however, that if
any such dispute, controversy, litigation or proceeding requires or permits
jurisdiction in a federal court or agency of the United States, then venue shall lie
in no federal court or agency other than those located in (or nearest to) the County
of Clark, State of Nevada.
Term and Termination of License Agreement
This License is effective until terminated. Customer may terminate this License at any
time by destroying all copies of written and electronic material of said product.
Customer's rights under this License will terminate immediately without notice from
CCBOOTCAMP, if Customer fails to comply with any provision of this License. Upon
termination, Customer must destroy all copies of material in its possession or
control. The license for the specific user remains valid from the purchase date until
the user passes their lab exam pertaining to the purchased subscription. Once the
customer passes the relevant lab exam the license is terminated and all material
written or electronic in their possession or control must be destroyed or returned to
CCBOOTCAMP.
Warranty
No warranty of any kind is provided with this product. There are no guarantees that
the use of this product will help a customer pass any exams, tests, or certifications,
or enhance their knowledge in any way. The product is provided on an AS IS basis.
In no event will CCBOOTCAMP, its suppliers, or licensed resellers be liable for any
incurred costs, lost revenue, lost profit, lost data, or any other damages regardless
of the theory of liability arising out of use or inability to use this product.
www.CareerCert.info
For questions: www.securityie.com

s.a.lab.01.09.05.kb.r04.09.05.doc
LAB 1
Instructions
Verify that all configurations have been cleared, before
you load initial configurations onto the lab routers,
backbone routers and switches. There are no initial
configurations for the ASA and IPS. You will be required
to configure these devices in the practice lab, just as you
will be required to do so in the actual lab exam.
ASDM and SDM are not available in the actual lab exam.
The ACS workstation is used in this lab as the candidate PC
as well as the ACS server. The IP address of the ACS
cannot be changed.
There is a test pc available in the practice labs as well
as the actual lab. The IP address of the rack interface
test PC may be changed through the desktop application. For
both PCs, you may add/remove static routes for connectivity
as described in the LAB.
Do not change the default route
on the ACS or the test PC, as you may lose connectivity.
Always remember to Apply changes and Save your configs
often!
Unless otherwise specified, use only the existing networks
within your lab. Additional networks, static and/or
default routes, may not be configured unless specified in a
task.
When creating passwords, use cisco unless indicated
otherwise in a specific task. Refer to the Remote Rack
Access FAQ PDF for cabling, ACS and IPS Access and other
commonly asked questions. The document is located here:
http://www.ccbootcamp.com/download
www.ccbootcamp.com
Toll Free 877.654.2243
sales@ccbootcamp.com
Copyright 2009, Network Learning, Incorporated
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Sections:
1.ASA Firewalls
2.IOS Firewalls
3.VPNs
4.IPS
5.Identity Management
6.Control/Management Plane Security
7.Advanced Security
8.Network Attack Mitigation
If you would like additional copies of the diagrams to use with
the labs, they can be downloaded from
http://www.ccbootcamp.com/download/!Security/
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
SW1
Fa0/1
Fa0/0
R1
Fa0/1
Fa0/1
SW2
SW1
Fa0/2
Fa0/0
R2
Fa0/1
Fa0/2
SW2
SW1
Fa0/3
Fa0/0
R3
Fa0/1
Fa0/3
SW2
SW1
Fa0/4
Fa0/0
R4
Fa0/1
Fa0/4
SW2
SW1
Fa0/5
Fa0/0
R5
Fa0/1
Fa0/5
SW2
SW1
Fa0/6
Fa0/0
R6
Fa0/1
Fa0/6
SW2
SW1
Fa0/9
Fa0/0
BB1
Fa0/1
Fa0/9
SW2
SW1
Fa0/10
Fa0/0
BB2
Fa0/1
Fa0/10
SW2
SW1
Fa0/12
E0/0
E0/2
Fa0/12
SW2
Fa0/14
SW2
E0/3
Fa0/17
SW2
E0/2
Fa0/18
SW2
E0/3
Fa0/23
SW2
ASA01
Gi0/0: sense
SW1
Fa0/14
SW1
Fa0/17
E0/1
SW1
Fa0/18
E0/0
IDS
IDS
Gi0/1: c&c
ASA01
ASA02
SW1
E0/1
Fa0/23
ASA02
SW1
SW2
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Sensor Int.
G0/0
Fa1/0
Fa1/1
Fa1/2
Fa1/3
Connected to:
SW1 Fa0/14
SW3 Fa0/4
SW3 Fa0/3
SW3 Fa0/2
SW3 Fa0/1
Fas0/0
2811
SW3
SW4
Fas0/17
SW3
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Fas0/1
R7
Fas0/17
SW4
ACS PC SW1 Fa0/24
192.168.2.101
Fas0/0
2811
Fas0/1
R8
SW3
XP Test PC SW2 Fa0/16

192.168.2.102
Fas0/18
SW4
Fas0/18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 1: ASA Firewalls

Task 1.1 4 Points
Configure the ASA as shown in the diagram. Use the default
gateway of 50.50.4.14 for both contexts. Context c1 should
use e0/0 for redundancy on the inside interface, with e0/2
being active. Configure c1 as the admin context.
Add a static route for the 192.168.0.0 network on c2.
Add a route on the ACS PC for 50.50.0.0/16 using R6.
Translate SW1 to the inside of c1 using 50.50.4.19
Translate the ACS PCs 192.168.2.101 address to the outside
address of 50.50.4.101 on c2.
Translate R6 Fa0/1 address to the global address of
50.50.4.6 on c2.
Task 1.2
4 Points
Allow SSH management on the inside interface of c1 from the

ACS PC. Use the username of user1 with password of
cisco. Authenticate this user with RADIUS.
On c1, permit ICMP echo requests inbound on the outside
interface. Verify that SW1 can ping R1 at 1.1.1.1. R1
should see these pings sourced from 50.50.4.19
On c1, deny TCP sessions from the R5 Loopback 0 and SW1, if
the TCP window size shrinks unexpectedly after
establishment, and limit formed TCP sessions to 101. Do
not use the static for this task.
On c1, do not allow non-initial fragments inbound on the
outside interface, and send a TCP reset to the initiator of
a packet if the firewall is not going to allow a packet to
or through the firewall on the outside interface.
6
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 1.3
4 Points
On c2, permit all ingress traffic on the inside interface

to be dynamically translated to the outside interface.
Configure both contexts to send syslog warnings to the ACS
PC.
Permit ICMP echo requests, FTP on ports 21 and 2121, HTTP,
and telnet inbound on the outside interface of c2 to the
ACS PC and R6.
Use a single access-list entry for this
task.
Reset and log any FTP PUT commands going through c2. Do
not use the keyword of PUT in any policy-map syntax for
this task.
On c2, allow VLAN 5 to have access to R6 using HTTP on
port 8000 and verify that any re-transmissions are
consistent with the originals.
Task 1.4
4 Points
Configure failover, using the system addresses +5 for the

failover addresses.
Use E0/3, 50.50.50.1 and VLAN 50 for
failover. Configure stateful failover for http. ASA1
should normally be active for c1 and ASA2 should be active
for c2. Monitor all interfaces except for the dmz. Use
a password to protect the failover.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 2:
Task 2.1
IOS Firewalls
4 Points
Configure R3 with CBAC. Provide RFC 1918 spoof protection

and permit TELNET, ICMP Echo, and NTP traffic inbound on
Fa0/1.
Inside clients accessing resources outside of Fa0/1 should
be allowed to use FTP, PING, HTTP, TELNET, SIP, SSH and
NFS.
Clients should not be allowed to retrieve HTTP java content
on any server in the 50.50.11.0/24 address space.
Set the embryonic limit for all CBAC TCP connections
through R3 to 10.
Task 2.2
4 Points
Log all denied packets, individually, along with CBAC

session information to the ACS PC using the source address
of loopback 0.
Globally set the TCP synwait timeout to be 5 seconds. Do
not allow ANY fragments through R3.
Do not place any inspection rules or access-lists to the
Fa0/0 interface. Make sure that R3 can ping the Loopback 0
on R8.
Task 2.3
4 Points
On R2, prevent the backbone from spoofing. Implement a

solution that will dynamically update, as new inside
networks are added.
Do not place an access-list on any
interface on R2 as part of this task.
Deny HTTP management connections to R2 except for hosts
coming from the 50.50.0.0/16 network.
8
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
On R5, explicitly deny ICMP from 50.50.4.101 to 50.50.235.2

inbound on Fa0/0.
Task 2.4
4 Points
Explicitly require HTTP authentication using ACS TACACS at

R5 for HTTP port 80 session from the ACS PC to R2 at
50.50.235.2
Create a user named ap-user with password of cisco on
the ACS server. After successful authentication, allow ICMP
from 50.50.4.101 to 50.50.235.2
Configure the ACS to maintain a history of successful login
requests.
Your solution should dynamically enter an ACE in the the
inbound ACL on R5 Fa0/0.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 3: VPN
Task 3.1
4 Points
Configure R1 as a CA and NTP server reachable at its

loopback 0 interface. Allow certificates to be
automatically issued to devices with at least a 1024 key
size. Configure a CN of R1-CA_Server.ccbootcamp.com with
a location of VEGAS. Use authentication for NTP.
Configure R2, R3 and R6 to get a certificate from R1 as
well as use R1 for NTP.
Task 3.2
4 Points
Configure DMVPN using the following:

o R6 as the hub.
o R2 and R3 as the spokes. Use the R6 global address of
50.50.4.6 to reach the hub.
o Use the 10.1.0.y/16 for the GRE network.
o Use 3DES, SHA, RSA and DH2 for IKE phase 1.
loopback 2 on each router using yy.0.0.y/8.
Create
o Only traffic between each Loopback 2, 24 bit network

space should be protected with IPsec. Use AES for
encryption of data. Shared keying material should be
regenerated every 30 minutes.
o You may overlay EIGRP in your configuration.
o Spoke to spoke traffic must take the optimal path.
o Integrate fault tolerance on each of the spokes.
10
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 3.3
4 Points
Create Loopback 3 interface on R7 using 10.3.0.7/24

Configure R6 as an EasyVPN server with R7 as an easy VPN
remote. R7s inside interface should be Loopback 3, and the
outside interface should be Fa0/1. Do not apply a crypto
map to any interface as part of this task.
Encrypt only traffic destined to 192.168.0.0/16 Use AES
and SHA for IKE phase 1 and 2 and a preshared key of
cisco.
Use client mode with the address pool of 192.168.0.51 to
192.168.0.55 and authenticate with a user named vpn_user,
and a group name vpn_group. Both passwords should be set
as cisco. The user should be authenticated via the ACS
server. Use a virtual template on R7 as part of this task.
You may add a single static route on R7.
Task 3.4
4 Points
Protect ICMP traffic between 192.168.0.0/16 and

50.50.6.0/24
Use AES and SHA for phase 1 and 2. Use preshared keys for authentication.
The termination points for the tunnel are R6 Fa0/1 and the
HSRP address on VLAN 4. Do not configure any static routes
for this task.
R1 should be the active router if available. Test by
issuing a ping from R6 Fa0/0 to 50.50.6.5 then reload R1
and test the ping again. R4 should be able to carry the
IPsec traffic within 20 seconds of R1 being down.
11
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 4:
Task 4.1
IPS
4 Points
Configure the Sensor per the diagram with the default

gateway of c2.
Configure the Sensor to be managed on port 6783. Connect
from the ACS PC using destination 50.50.3.15 and TCP port
5796.
Set the web server-id to sensor-1. Allow the sensor to be
managed only by the ACS PC. The username is cisco, with
password of ccie5796.
Task 4.2
4 Points
Configure the default virtual sensor and the following:

o Fa1/0 and Fa1/1 as an inline pair in VLAN 9 and 99.
o Place R2 Fa0/0 in VLAN 99
o Use default rules, sigs and ad.
Create
vs1 using the folling:
o Inline VLAN pair using G0/0 and VLAN 5 and 55

o Assign R5 Fa0/0 to vlan 55
o Use sig1, rules1 and ad1
12
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 4.3
4 Points
Configure the vs2 in promiscuous mode using the following:

o All VLAN 11 traffic will be seen on Fa1/2
o Resets will be sent from Fa 1/3
The 3rd packet in a set of PING requests with a payload of
500 bytes or greater should trigger an alert
The address of 1.1.1.1 will never be seen as an attacker.
SNMP traps to the ACS PC on UDP using port 185 with the
password cisco. Send an SNMP trap for all signatures
that generate a risk rating of 100.
13
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 4.4
4 Points
Configure the default virtual sensor so that when an ICMP

flood is seen, a dynamic rate limit of 1% is placed on R2
Fa0/0 inbound.
This rate limit should be removed after 2 minutes. Use a
fault tolerant address on R2.
Task 4.5
4 Points
Configure virtual sensor 1 to be capable of deep packet

inspection of HTTP and FTP. Include port 8080 for HTTP.
When non-http traffic is seen, send a TCP reset to the
attacker and log future packets from this attacker to
anyone for 3 minutes.
Configure virtual sensor 1 to recognize the 50.50.4.0/24
network as mission critical.
14
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 5:
Task 5.1
Identity Management
4 Points
Allow users on VLAN 2 to authenticate via 50.50.4.105 on c1

using telnet. Configure the username c-user with password
cisco. Use the ACS server with RADIUS to authenticate the
user.
Upon successful authentication, dynamically apply an
access-list that allows telnet traffic to 8.8.8.8 from the
authenticated user. Test by using telnet from SW1 to
Loopback 0 on R8.
Task 5.2
4 Points
On R7, allow a user named r7-user with a password of

cisco to connect via SSH. Use the local database for
authentication, and the ACS server for authorization. The
ACS server should see R7 as the IP address of 50.50.3.7 On
R7, use the source address of Loopback 0 for TACACS.
The only commands that the r7-user should be able to do
would allow entry into configuration mode, configure an IP
address in interface configuration mode, and the command of
exit.
All successful commands issued by this user should be
logged on the ACS server. This user should not be able to
log into any other ACS managed device.
Do not associate any privilege lever with the username of
r7-user on the local database of R7.
On R6, create a local user named user5 with a password of
g0Od?P@ss5. Allow any user to perform an extended ping
using privilege level 1. Do not use any AAA commands for
this task.
Configure R2 so that after local authentication via SSH, a
user named Mr.show is automatically placed in enable mode
with privilege level 10. When this user issues a show run
15
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
command, he should only view the available interfaces,

their assigned IP's, access-lists applied to the
interfaces, and access-lists configured globally. Do not
use ACS as part of this task.
Task 5.3
4 Points
Require 802.1x authentication on SW3, port FA0/18. Set up

an ACS user named 1xuser. Have the ACS provide the VLAN
assignment of VLAN 10 for successful authentication of this
user.
The ACS should see SW3 as 50.50.4.9.
Configure SW3 so that your output looks similar to the
following:
SW3#show dot1x interface fa0/18 details
Dot1x Info for FastEthernet0/18
----------------------------------PAE
= AUTHENTICATOR
PortControl
= AUTO
ControlDirection
= Both
HostMode
= MULTI_HOST
ReAuthentication
= Disabled
QuietPeriod
= 3
ServerTimeout
= 30
SuppTimeout
= 30
ReAuthPeriod
= 3600 (Locally configured)
ReAuthMax
= 2
MaxReq
= 2
TxPeriod
= 5
RateLimitPeriod
= 0
Auth-Fail-Vlan
= 6
Auth-Fail-Max-attempts
= 3
Guest-Vlan
= 11
Dot1x Authenticator Client List Empty
Port Status
Authorized By
Vlan Policy
= AUTHORIZED
= Guest-Vlan
= 11
16
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 6:
Task 6.1
Control/Management Plane Security
4 Points
On R4, apply a QoS policy for aggregate CP services for

Telnet and ICMP traffic received on the control plane. The
source address of 5.5.5.5 should not be restricted, while
all other inbound telnet and ICMP inbound traffic should be
restricted to 10Kbps, regardless of ingress interface.
On R8, use the control plane to deny outbound port
unreachable messages to anyone except devices within the
50.50.0.0/16 network space.
17
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 7:
Task 7.1
Advanced Security
4 Points
Allow the EBGP neighbors between BB1 and BB2. Add BGP
authentication between BB1 and BB2 using the password of
cisco. Verify the BGP sourced routes appear on routers 1-5,
7, and 8.
Prevent the ACS PC from being able to telnet to R6. Stop
this traffic before it reaches R6. Do not assign an access
list to any interface on the switch as part of your
solution for this task.
Configure R3 so that it cannot originate a telnet session.
Do not use any line or AAA commands for this task.
Configure R5 to do the following: Rate Limit FTP and ICMP
traffic destined to the 50.50.4.0/24 network to 10,000 bps.
Drop the traffic that exceeds this rate. Limit the burst to
8000 bps. Rate Limit telnet in the same fashion, with the
exception that if the rate limit is exceeded for telnet,
forward the packet with precedence of network control.
Apply this policy to Fa0/0 only.
On SW4 assign port Fa0/23 to VLAN 4. Only allow the host
with the MAC address of 0001.0002.0003 to be connected only
to port FA0/23. If there is a violation, shut down the
port.
The switch should automatically re-enable the port
after 30 seconds if there is no longer a violation.
Configure the SW1 to only allow the minimum number of MAC
addresses needed on the SW1 ports Fa0/1 and Fa0/4, and
store these in the running configuration. Create a syslog
message but do not shutdown the port if there is a
violation.
18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 7.2 (Firewall Based)
4 Points
On c2, do not permit MSN games or MSN webcam traffic to go

through the firewall. Other types of MSN P2P traffic should
be allowed. Apply this policy inbound on all interfaces.
19
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 8:
Task 8.1
Network Attack Mitigation
4 Points
Configure R2 to not follow any embedded routing information

that may be included in ingress traffic coming from BB2. In
addition, protect downstream routers from any malicious
options that may be included in packets sourced from BB2.
Do not allow R2 to disclose information to the VLAN 9
network that may be used to compromise R2.
Set any incoming http packets on R3 Fa0/0 interface to DSCP
value of 1 if they contain any of the following listed
below. Drop this traffic outbound on Fa0/1.
o default.ida
o ScoobySnack.exe
o root.exe
A rogue application somewhere on 50.50.5.0/24 and
50.50.11.0/24 is sending data embedded in ICMP to a
destination on or behind BB1.
The ICMP packet size ranges
from 285 and 325 bytes inclusively. Drop this traffic on
R1 and R4 outbound on Fa0/0.
Do not use an access-list to
drop this traffic.
On R6, stop syn-flood attacks against the ACS PC. R6
should be passive unless formed sessions reach 100, and
then R1 should not use FIFO to remove connection attempts.
Have R1 stop removing sessions when the level drops to 40.
Do not use CBAC for this task.
20
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 8.2
4 Points
On c1, prevent VLAN 2 hosts from spoofing source addresses

of 50.50.0.0/16
Do not use an access-list as part of this
task.
On c1, deny IP fragments on the outside interface. Do not
use the keyword fragment in any access-list.
Solutions Guide
(next page)
21
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

Task 1.1
4 Points
Configure the ASA as shown in the diagram. Use the default

gateway of 50.50.4.14 for both contexts. Context c1 should
use e0/0 for redundancy on the inside interface, with e0/2
being active. Configure c1 as the admin context.
SW1(config)#interface range fa0/12, fa0/18

SW1(config-if-range)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
SW1(config-if-range)#switchport access vlan 4
SW1(config-if-range)#int fa 0/17
% Command exited out of interface range and its sub-modes.
Not executing the command for second and later interfaces
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#int fa 0/23
SW2(config)#int range fa 0/12, fa 0/18

ciscoasa(config)# show mode

Security context mode: single
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
Security context mode: multiple
***
*** --- SHUTDOWN NOW --ciscoasa(config)# hostname ASA1
ASA1(config)# mac-address auto
ASA1(config)# interface Ethernet0/0
ASA1(config-if)# no shut
22
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
ASA1(config-if)# interface Ethernet0/1

ASA1(config-if)# interface Ethernet0/1.2
ASA1(config-subif)# vlan 2
ASA1(config-subif)# interface Ethernet0/1.3
ASA1(config-subif)# interface Ethernet0/2
ASA1(config-if)# interface Redundant1
ASA1(config-if)# member-interface Ethernet0/2
INFO: security-level and IP address are cleared on Ethernet0/2.
ASA1(config-if)# member-interface Ethernet0/0
ASA1(config-if)#
ASA1(config-if)# admin-context c1
Creating context 'c1'... Done. (1)
ASA1(config)# context c1
ASA1(config-ctx)#
allocate-interface Ethernet0/1.2
ASA1(config-ctx)#
allocate-interface Redundant1
ASA1(config-ctx)#
config-url disk0:/c1.cfg
WARNING: Could not fetch the URL disk0:/c1.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.
ASA1(config-ctx)#
ASA1(config-ctx)# context c2
ASA1(config-ctx)#
allocate-interface Ethernet0/1.3-Ethernet0/1.4
ASA1(config-ctx)#
allocate-interface Ethernet0/1.13
ASA1(config-ctx)#
ASA1(config-ctx)#
ASA1(config-ctx)# end
ASA1(config)# changeto context c1

ASA1/c1(config)# hostname c1
ASA1/c1(config)# interface Ethernet0/1.2
ASA1/c1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1/c1(config-if)# ip address 11.11.2.100 255.255.255.0
ASA1/c1(config-if)# interface Redundant1
ASA1/c1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1/c1(config-if)# security-level 100
ASA1/c1(config-if)# changeto context c2
ASA1/c2(config)# hostname c2
23
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

ASA1/c2(config-if)# interface Ethernet0/1.4
ASA1/c2(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ASA1/c2(config)# route outside 0 0 50.50.4.14
ASA1/c1(config)# route inside 0 0 50.50.4.14
Add a static route for the 192.168.0.0 network on c2.
ASA1/c2(config)# route inside 192.168.0.0 255.255.0.0 50.50.3.6
c:\ACS_PC>route add 50.50.0.0 mask 255.255.0.0 192.168.0.6 -p
Translate SW1 to the inside of c1 using 50.50.4.19

ASA1/c1(config)# static (outside,inside) 50.50.4.19 11.11.2.9 netmask
255.255.255.255
R1#telnet 50.50.4.19
Trying 50.50.4.19 ... Open
SW1#
Translate the ACS PCs 192.168.2.101 address to the outside

address of 50.50.4.101 on c2.
ASA1/c2(config)# static (inside,outside) 50.50.4.101 192.168.2.101 netmask
255.255.255.255
c:\ACS_PC>telnet 50.50.4.4
R4#who
Line
User
Host(s)
0 con 0
idle
*514 vty 0
idle
Idle
Location
00:02:20
00:00:00 50.50.4.101
24
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Translate R6 Fa0/1 address to the global address of

50.50.4.6 on c2.
ASA1/c2(config)# static (inside,outside) 50.50.4.6 50.50.3.6 netmask

255.255.255.255
R6#telnet 50.50.4.4
Trying 50.50.4.4 ... Open
R4#who
Line
*514 vty 0
User
Host(s)
idle
Idle
Location
00:00:00 50.50.4.6
25
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 1.2
4 Points
Allow SSH management on the inside interface of c1 from the

ACS PC. Use the username of user1 with password of
cisco. Authenticate this user with RADIUS.
ASA1/c1(config)# ssh 50.50.4.101 255.255.255.255 inside
ASA1/c1(config)# domain-name cisco.com
ASA1/c1(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA1/c1(config)#
ASA1/c1(config)# aaa-server RAD protocol radius
ASA1/c1(config-aaa-server-group)# aaa-server RAD (inside) host 50.50.4.101
ASA1/c1(config-aaa-server-host)# key cisco
26
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
ASA1/c2(config)# access-list outside permit udp host 50.50.4.100 host

50.50.4.101 eq radius
ASA1/c2(config)# access-group outside in interface outside
ASA1/c1(config)# test aaa authentication RAD host 50.50.4.101 username user1

password cisco
INFO: Attempting Authentication test to IP address <50.50.4.101> (timeout: 12
seconds)
INFO: Authentication Successful
(Note: If the authentication fails, verify that the redundant pair is UP!)
ASA1/c1(config)# aaa authentication ssh console RAD
27
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
28
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
On c1, permit ICMP echo requests inbound on the outside

interface. Verify that SW1 can ping R1 at 1.1.1.1. R1
should see these pings sourced from 50.50.4.19
ASA1/c1(config)# access-list outside permit icmp any any echo
SW1#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R1#debug ip icmp
ICMP packet debugging
*Apr 29 03:28:02.415:
*Apr 29 03:28:02.419:
*Apr 29 03:28:02.419:
*Apr 29 03:28:02.419:
*Apr 29 03:28:02.423:
is on
ICMP:
ICMP:
ICMP:
ICMP:
ICMP:
echo
echo
echo
echo
echo
reply
reply
reply
reply
reply
sent,
sent,
sent,
sent,
sent,
src
src
src
src
src
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1,
dst
dst
dst
dst
dst
50.50.4.19
50.50.4.19
50.50.4.19
50.50.4.19
50.50.4.19
On c1, deny TCP sessions from the R5 Loopback 0 and SW1, if

the TCP window size shrinks unexpectedly after
establishment, and limit formed TCP sessions to 101. Do
not use the static for this task.
ASA1/c1(config)# access-list global_mpc extended permit tcp host 5.5.5.5 host
50.50.4.19
ASA1/c1(config)# tcp-map TCP_MAP_R5_TO_SW1
ASA1/c1(config-tcp-map)# window-variation drop-connection
ASA1/c1(config-tcp-map)# exit
ASA1/c1(config)# class-map R5_TO_SW1
ASA1/c1(config-cmap)# match access-list global_mpc
ASA1/c1(config-cmap)# exit
ASA1/c1(config)# policy-map global_policy
ASA1/c1(config-pmap)# class R5_TO_SW1
ASA1/c1(config-pmap-c)# set connection embryonic-conn-max 101
ASA1/c1(config-pmap-c)# set connection advanced-options TCP_MAP_R5_TO_SW1
ASA1/c1(config-pmap-c)# exit
ASA1/c1(config-pmap)# exit
ASA1/c1(config)#
29
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

a packet if the firewall is not going to allow a packet to
or through the firewall on the outside interface.
ASA1/c1(config)# fragment chain 1
ASA1/c1(config)# service resetoutside
ASA1/c1(config)# service resetinbound
30
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 1.3
4 Points
On c2, permit all ingress traffic on the inside interface

to be dynamically translated to the outside interface.
ASA1/c2(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ASA1/c2(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
Configure both contexts to send syslog warnings to the ACS

PC.
ASA1/c1(config)# logging enable
ASA1/c1(config)# logging trap Warnings
ASA1/c1(config)# logging host inside 50.50.4.101
50.50.4.101 eq syslog
ASA1/c2(config)# logging trap Warnings
ASA1/c2(config)# logging host inside 192.168.2.101
31
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Permit ICMP echo requests, FTP on ports 21 and 2121, HTTP,

and telnet inbound on the outside interface of c2 to the
ACS PC and R6.
Use a single access-list entry for this
task.
ASA1/c2(config)# object-group network GLOBAL_R6_ACS
ASA1/c2(config-network)# network-object host 50.50.4.101
ASA1/c2(config-network)# network-object host 50.50.4.6
ASA1/c2(config-network)# object-group service SERVICES_R6_ACS_GLOBAL
ASA1/c2(config-service)# service-object icmp echo
ASA1/c2(config-service)# service-object tcp eq 2121
ASA1/c2(config-service)# service-object tcp eq ftp
ASA1/c2(config-service)# service-object tcp eq www
ASA1/c2(config-service)# service-object tcp eq telnet
ASA1/c2(config-service)# access-list outside permit object-group
SERVICES_R6_ACS_GLOBAL any object-group GLOBAL_R6_ACS
R4#telnet 50.50.4.6
R6#
Reset and log any FTP PUT commands going through c2. Do
not use the keyword of PUT in any policy-map syntax for
this task.
ASA1/c2(config)# class-map type inspect ftp match-any CMAP_INS_FTP_PUT
ASA1/c2(config-cmap)# match request-command put
ASA1/c2(config)# policy-map type inspect ftp PMAP_INS_FTP_PUT
ASA1/c2(config-pmap)# parameters
ASA1/c2(config-pmap-p)# class CMAP_INS_FTP_PUT
ASA1/c2(config-pmap-c)# reset log
ASA1/c2(config-pmap)# class inspection_default
ASA1/c2(config-pmap-c)# no inspect ftp
ASA1/c2(config-pmap-c)# inspect ftp strict PMAP_INS_FTP_PUT
R1#copy start ftp
Address or name of remote host []? 50.50.4.101
Destination filename [r1-confg]? test-put
Writing test-put
%Error writing ftp://50.50.4.101/test-put (Permission denied)
%ASA-5-303005: Strict FTP inspection matched Class 21: CMAP_INS_FTP_PUT in
policy-map PMAP_INS_FTP_PUT, Reset connection from outside:50.50.4.1/25724 to
inside:192.168.2.101/21
ASA1/c2(config)# show service-policy
32
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 16, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: ftp strict PMAP_INS_FTP_PUT, packet 13, drop 0, reset-drop 1
On c2, allow VLAN 5 to have access to R6 using HTTP on

port 8000 and verify that any re-transmissions are
consistent with the originals.
ASA1/c2(config)# access-list outside permit tcp 50.50.5.0 255.255.255.0 host
50.50.4.6 eq 8000
ASA1/c2(config)# access-list global_mpc extended permit tcp 50.50.5.0
255.255.255.0 host 50.50.4.6 eq 8000
ASA1/c2(config)# class-map TCP_PORT_8000
ASA1/c2(config-cmap)# match access-list global_mpc
ASA1/c2(config-cmap)# tcp-map TCP_MAP_SEQEUNTIAL
ASA1/c2(config-tcp-map)# check-retransmission
ASA1/c2(config-tcp-map)# exit
ASA1/c2(config-pmap)# class TCP_PORT_8000
ASA1/c2(config-pmap-c)# set connection advanced-options TCP_MAP_SEQEUNTIAL
33
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 1.4
4 Points
Configure failover, using the system addresses +5 for the

failover addresses.
Use E0/3, 50.50.50.1 and VLAN 50 for
failover. Configure stateful failover for http. ASA1
should normally be active for c1 and ASA2 should be active
for c2. Monitor all interfaces except for the dmz. Use
a password to protect the failover.
SW2(config)#interface range fa 0/17, fa0/23
% Access VLAN does not exist. Creating vlan 50
SW2(config-if-range)#end

ASA1/c1(config-if)# ip address 11.11.2.100 255.255.255.0 standby 11.11.2.105
ASA1/c1(config-if)# interface Redundant1
ASA1/c1(config-if)# exit
ASA1/c1(config)# monitor-interface inside
ASA1/c1(config)# monitor-interface outside
ASA1/c1(config)# changeto con c2
ASA1/c2(config-if)# ip address 172.17.33.200 255.255.255.0 standby
172.17.33.205
ASA1/c2(config-if)# exit
ASA1/c1(config)# changeto con c2
ASA1/c2(config)# monitor-interface inside
ASA1/c2(config)# monitor-interface outside
ASA1(config-if)# no shutdown
ASA1(config-if)# failover lan interface lanfail Ethernet0/3
ASA1(config)# failover interface ip lanfail 50.50.50.1 255.255.255.0 standby
50.50.50.6
ASA1(config)# failover key cisco
ASA1(config)# failover link lanfail
ERROR: No change to the stateful interface
ASA1(config)# failover replication http
WARNING: command has no effect for active/active failover
ASA1(config)# failover lan unit primary
34
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
ASA1(config)# failover group 1

ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt 30
ASA1(config-fover-group)# polltime interface 5 holdtime 25
ASA1(config-fover-group)# replication http
ASA1(config-fover-group)# exit
ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# preempt 30
ASA1(config-fover-group)# polltime interface 5 holdtime 25
ASA1(config-fover-group)# replication http
ASA1(config-fover-group)# exit
ASA1(config-ctx)# join-failover-group 1
ASA1(config-ctx)# exit
ASA1(config-ctx)# join-failover-group 2
ASA1(config)# failover
ASA1(config)# .
No Response from Mate
Group 1 No Response from Mate, Switch to Active
Group 2 No Response from Mate, Switch to Active
ASA1(config)# prompt hostname context state
ASA1/act(config)#
Note: ASA2
ciscoasa(config)# mode multiple
Convert the system configuration? [confirm]
ciscoasa>
ciscoasa> enable
Password:
ciscoasa# conf t
ciscoasa(config)# interface Ethernet0/3
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# failover lan interface lanfail Ethernet0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its subinterfaces
ciscoasa(config)# failover interface ip lanfail 50.50.50.1 255.255.255.0
standby 50.50.50.6
ciscoasa(config)# failover key cisco
ciscoasa(config)# failover link lanfail
ciscoasa(config)# failover replication http
35
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
ciscoasa(config)# failover lan unit secondary

ciscoasa(config)# failover
ciscoasa(config)# fail
ciscoasa(config)# .
Detected an Active mate
Beginning configuration replication from mate.
.
.
.
Group 1 Detected Active mate
Group 2 Detected Active mate
End configuration replication from mate.
Group 2 preempt mate
ASA1/stby(config)#
ASA1/act(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: lanfail Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
failover replication http
Version: Ours 8.0(4), Mate 8.0(4)
Group 1 last failover at: 22:11:30 UTC May 28 2009
Group 2 last failover at: 22:12:34 UTC May 28 2009
This host:
Group 1
Group 2
Primary
State:
Active time:
State:
Active time:
slot
c2
c2
c2
c1
c1
slot
Other host:
Group 1
Group 2
0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)

Interface inside (50.50.3.205): Normal
Interface outside (50.50.4.205): Normal
Interface dmz (172.17.33.205): Normal (Not-Monitored)
1: empty
Secondary
State:
Active time:
State:
Active time:
slot
c2
c2
c2
c1
Active
500 (sec)
Standby Ready
247 (sec)
Standby Ready
0 (sec)
Active
252 (sec)
0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)

Interface dmz (172.17.33.200): Normal (Not-Monitored)
36
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
c1 Interface inside (50.50.4.105): Normal

slot 1: empty
Stateful Failover Logical Update Statistics
Link : lanfail Ethernet0/3 (up)
Stateful Obj
xmit
xerr
General
47
0
sys cmd
40
0
up time
0
0
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
7
0
Xlate_Timeout
0
0
SIP Session
0
0
rcv
43
40
0
0
0
3
0
0
0
rerr
0
0
0
0
0
0
0
0
0
Logical Update Queue Information

Cur
Max
Total
Recv Q:
0
1
43
Xmit Q:
0
1
47
ASA1/act(config)#
37
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 2:
Task 2.1
IOS Firewalls
4 Points
Configure R3 with CBAC. Provide RFC 1918 spoof protection

and permit TELNET, ICMP Echo, and NTP traffic inbound on
Fa0/1.
R3(config)#ip access-list extended RFC1918
R3(config-ext-nacl)# deny
ip 10.0.0.0 0.255.255.255 any log
ip 172.16.0.0 0.15.255.255 any log
ip 192.168.0.0 0.0.255.255 any log
R3(config-ext-nacl)# permit tcp any any eq telnet
R3(config-ext-nacl)# permit icmp any any echo
R3(config-ext-nacl)# permit udp any any eq ntp
R3(config-ext-nacl)# permit ospf any any
R3(config-ext-nacl)#exit
R3(config)#interface FastEthernet0/1
R3(config-if)# ip access-group RFC1918 in
R3(config-if)#
Inside clients accessing resources outside of Fa0/1 should

be allowed to use FTP, PING, HTTP, TELNET, SIP, SSH and
NFS.
R3(config-if)#ip inspect name CBAC ftp
R3(config)#ip inspect name CBAC icmp
R3(config)#ip inspect name CBAC telnet
R3(config)#ip inspect name CBAC sip
R3(config)#ip inspect name CBAC ssh
R3(config)#ip inspect name CBAC nfs
R3(config)#interface fa0/1
R3(config-if)#ip ins
R3(config-if)#ip inspect CBAC out
Clients should not be allowed to retrieve HTTP java content

on any server in the 50.50.11.0/24 address space.
R3(config-if)#access-list 1 deny 50.50.11.0 0.0.0.255 log
R3(config)#access-list 1 permit any
R3(config)#ip inspect name CBAC http java-list 1
38
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Set the embryonic limit for all CBAC TCP connections

through R3 to 10.
R3(config)#ip inspect max-incomplete low 5
R3(config)#ip inspect max-incomplete high 10
Note: without filtering return telnet sourced from the outside, and doing an
inspection rule for it, we cant control ALL the formed sessions.
R3(config)#ip inspect name CBAC_4_TELNET telnet
R3(config)#ip access-list extended RETURN_TELNET
R3(config-ext-nacl)# deny tcp any eq telnet any log
R3(config-ext-nacl)# permit ip any any
R3(config-ext-nacl)#interface FastEthernet0/1
R3(config-if)# ip access-group RETURN_TELNET out
R3(config-if)# ip inspect CBAC_4_TELNET in
39
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 2.2
4 Points
Log all denied packets, individually, along with CBAC

session information to the ACS PC using the source address
of loopback 0.
R3(config)#ip access-list log-update threshold 1
Note: IF you dont set the threshold to 1, you wont see individual syslog
messages, they will be summarized at 5 minute intervals.
R3(config)#logging source-interface Loopback0
R3(config)#logging 50.50.4.101
R3(config)#ip inspect audit-trail
ASA1/c2/act(config)# access-list outside permit udp host 3.3.3.3 host
50.50.4.101 eq syslog
R7#8.8.8.8
R8#exit
[Connection to 8.8.8.8 closed by foreign host]
R7#
R3(config)#
*Apr 29 05:49:53.927: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session:
initiator (50.50.12.7:44035) -- responder (8.8.8.8:23)
R3(config)#
*Apr 29 05:49:54.927: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host
50.50.4.101 port 514 started - CLI initiated
R3(config)#
*Apr 29 05:50:08.303: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator
(50.50.12.7:44035) sent 36 bytes -- responder (8.8.8.8:23) sent 44 bytes
R3(config)#
40
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Globally set the TCP synwait timeout to be 5 seconds. Do

not allow ANY fragments through R3.
R3(config)#ip inspect tcp synwait-time 5
R3(config)#ip inspect name CBAC fragment maximum 0 timeout 1
Do not place any inspection rules or access-lists to the

Fa0/0 interface. Make sure that R3 can ping the Loopback 0
on R8.
R3(config)#ip access-list extended RFC1918
R3(config-ext-nacl)# permit icmp host 8.8.8.8 host 50.50.11.3 echo-reply
ip any any log-input
R3(config-ext-nacl)#end
R3#pign
R3#ping 8.8.8.8
!!!!!
41
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 2.3
4 Points
On R2, prevent the backbone from spoofing. Implement a

solution that will dynamically update, as new inside
networks are added.
Do not place an access-list on any
interface on R2 as part of this task.
R2(config)#access-list 110 deny
R2(config)#int fa 0/0
R2(config-if)# ip verify unicast source reachable-via rx 110
Deny HTTP management connections to R2 except for hosts

R2(config)#access-list 1 permit 50.50.0.0 0.0.255.255
R2(config)#ip http access-class 1
On R5, explicitly deny ICMP from 50.50.4.101 to 50.50.235.2

inbound on Fa0/0.
R5(config)#access-list 100 deny icmp host 50.50.4.101 host 50.50.235.2
R5(config)#access-list 100 permit ip any any
R5(config-if)#ip access-group 100 in
42
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 2.4
4 Points
Explicitly require HTTP authentication using ACS TACACS at

R5 for HTTP port 80 session from the ACS PC to R2 at
50.50.235.2
R5(config)#no ip cef
R5(config)#aaa new-model
R5(config)#aaa authentication login default group tacacs+
R5(config)#aaa authentication login FREE none
R5(config)#aaa authentication login AUTH_PROXY group tacacs+
R5(config)#aaa authorization auth-proxy default group tacacs+
R5(config)#ip auth-proxy auth-proxy-banner http #
Enter TEXT message. End with the character '#'.
Congratulations on Auth-Proxy
#
R5(config)#ip auth-proxy absolute-timer 1
R5(config)#$xy name AUTH_PROXY http inactivity-time 5 list AUTH_PROXY
R5(config)#ip admission absolute-timer 1
R5(config)#!
R5(config-if)# ip auth-proxy AUTH_PROXY
R5(config-if)# no ip route-cache
R5(config-if)#ip http server
R5(config)#ip http access-class 1
R5(config)#ip http authentication aaa login-authentication AUTH_PROXY
R5(config)#ip access-list extended AUTH_PROXY
R5(config-ext-nacl)# permit tcp host 50.50.4.101 host 50.50.235.2 eq www log
R5(config-ext-nacl)#ip access-list log-update threshold 1
any
R5(config)#tacacs-server host 50.50.4.101
R5(config)#tacacs-server key cisco
R5(config)#line con 0
R5(config-line)# login authentication FREE
R5(config-line)#line vty 0 4
R5(config-line)# privilege level 15
ASA1/c2/act(config)# access-list outside permit tcp host 50.50.5.5 host
50.50.4.101 eq tacacs
ASA1/c2/act(config)# fixup protocol icmp
INFO: converting 'fixup protocol icmp ' to MPF commands
ASA1/c2/act(config)#
43
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Create a user named ap-user with password of cisco on

the ACS server. After successful authentication, allow ICMP
from 50.50.4.101 to 50.50.235.2
44
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
45
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
46
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
R5#test aaa group tacacs+ ap-user cisco legacy

Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
47
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Configure the ACS to maintain a history of successful login

requests.
48
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Your solution should dynamically enter an ACE in the the

c:\ACS_PC>ping 50.50.235.2
Pinging 50.50.235.2 with 32 bytes of data:
Request
Request
Request
Request
timed
timed
timed
timed
out.
out.
out.
out.
Ping statistics for 50.50.235.2:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
49
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
c:\ACS_PC>ping 50.50.235.2
Reply
Reply
Reply
Reply
from
from
from
from
50.50.235.2:
50.50.235.2:
50.50.235.2:
50.50.235.2:
bytes=32
bytes=32
bytes=32
bytes=32
time=127ms TTL=252
time=141ms TTL=252
time=120ms TTL=252
time=82ms TTL=252

Approximate round trip times in milli-seconds:
Minimum = 82ms, Maximum = 141ms, Average = 117ms
c:\ACS_PC>
R5#show access-lists
Standard IP access list 1
10 deny
any
Extended IP access list 100
permit icmp host 50.50.4.101 any
10 deny icmp host 50.50.4.101 host 50.50.235.2 (12 matches)
20 permit ip any any (2065 matches)
Extended IP access list AUTH_PROXY
10 permit tcp host 50.50.4.101 host 50.50.235.2 eq www log (23 matches)
R5#
50
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points

a location of VEGAS. Use authentication for NTP.
R1(config)#clock timezone PST -8
R1(config)#clock summer-time PDT recurring
R1(config)#ntp authentication-key 1 md5 cisco
R1(config)#ntp authenticate
R1(config)#ntp trusted-key 1
R1(config)#ntp source Loopback0
R1(config)#ntp master 1
R1(config)#ntp update-calendar
R1(config)#crypto pki server R1-CA_Server
R1(cs-server)# issuer-name CN=R1-CA_Server.ccbootcamp.com L=VEGAS C=US
R1(cs-server)# grant auto
R1(cs-server)# cdp-url http://1.1.1.1/R1-CA_Servercdp.R1-CA_Server.crl
R1(cs-server)#no shut
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password: cisco123
Re-enter password: cisco123
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Apr 29 15:23:33.103: %SSH-5-ENABLED: SSH 1.99 has been enabled% Exporting
Certificate Server signing certificate and keys...
% Certificate Server enabled.
R1(cs-server)#
Apr 29 15:23:39.167: %PKI-6-CS_ENABLED: Certificate server now enabled.
R1(cs-server)#
51
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Configure R2, R3 and R6 to get a certificate from R1 as

well as use R1 for NTP.
R6(config)#ntp server 1.1.1.1
R6(config)#crypto key generate rsa general-keys
The name for the keys will be: R6.cisco.com
modulus 1024 exportable
% The key modulus size is 1024 bits

% Generating 1024 bit RSA keys, keys will be exportable...[OK]
R6(config)#crypto ca trustpoint R1-CA
R6(ca-trustpoint)# enrollment retry count 5
R6(ca-trustpoint)# enrollment retry period 3
R6(ca-trustpoint)# enrollment url http://1.1.1.1:80
R6(ca-trustpoint)# revocation-check none
R6(ca-trustpoint)#exit
R6(config)#cry pki authenticate R1-CA
Certificate has the following attributes:
Fingerprint MD5: 2D1DAFDA B64A3622 F13BC6E2 CCBFC5A3
Fingerprint SHA1: 1A5C1476 AC955FE1 A557396D B402D0E1 D849BF94
% Do you accept this certificate? [yes/no]: yes
.Apr 29 15:34:46.033: %SSH-5-ENABLED: SSH 1.99 has been enabled
yes
Trustpoint CA certificate accepted.
R6(config)#cryp pki enroll R1-CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: cisco123
% The subject name in the certificate will include: R6.cisco.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: FTX1113A3QQ
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate R1-CA verbose' command will show the
fingerprint.
R6(config)#
Apr 29 15:35:21.133: CRYPTO_PKI: Certificate Request Fingerprint MD5:
D1F9B7DC 09E50DB0 1B0DB2BA 3FA66E67
52
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Apr 29 15:35:21.137: CRYPTO_PKI: Certificate Request Fingerprint SHA1:

44DECE95 13604167 7267F53B 7F322E33 A654E808
R6(config)#
Apr 29 15:35:25.681: %PKI-6-CERTRET: Certificate received from Certificate
Authority
R6(config)#
R2(config)#ip domain-name cisco.com

R2(config)#ntp server

%
Password: cisco123
% Include the router serial number in the subject name? [yes/no]: no
% The 'show crypto ca certificate R1-CA verbose' command will show the
fingerprint.
R2(config)#
53
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

368733DA 81034295 2D409041 B2F4A499
A96A3512 A48DC068 51A5EE1C 390E9CBB 97E2BB83
R2(config)#
Authority
R2(config)#


*Apr 29 15:42:37.927: %SSH-5-ENABLED: SSH 1.99 has been enabled
%
Password: cisco123
54
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
% The 'show crypto ca certificate R1-CA verbose' commandwill show the

fingerprint.
R3(config)#
7C1BDB5D 8972E4E1 5554593E B5C8FD20
B5C85AAA 06D199D8 A489FA0B 8484FEE7 436B94E1
R3(config)#
Authority
R3(config)#
55
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 3.2
4 Points
Configure DMVPN using the following:

o R6 as the hub.
o R2 and R3 as the spokes. Use the R6 global address of
50.50.4.6 to reach the hub.
o Use the 10.1.0.y/16 for the GRE network.
o Use 3DES, SHA, RSA and DH2 for IKE phase 1.
loopback 2 on each router using yy.0.0.y/8.
Create
o Only traffic between each Loopback 2, 24 bit network

space should be protected with IPsec. Use AES for
encryption of data. Shared keying material should be
regenerated every 30 minutes.
o You may overlay EIGRP in your configuration.
o Spoke to spoke traffic must take the optimal path.
o Integrate fault tolerance on each of the spokes.
R6(config)#crypto isakmp policy 1
R6(config-isakmp)# encr 3des
R6(config-isakmp)# group 2
R6(config-isakmp)# lifetime 3600
R6(config-isakmp)#crypto isakmp invalid-spi-recovery
R6(config)#crypto isakmp keepalive 10
R6(config)#crypto isakmp nat keepalive 5
R6(config)#crypto ipsec transform-set AES_SHA_TRANSPORT_MODE esp-aes esp-shahmac
R6(cfg-crypto-trans)#mode transport
R6(cfg-crypto-trans)#exit
R6(config)#crypto ipsec profile DMVPN_PROF
R6(ipsec-profile)#set transform-set AES_SHA_TRANSPORT_MODE
R6(ipsec-profile)#set pfs group2
R6(ipsec-profile)#exit
R6(config)#interface Loopback2
R6(config-if)#ip address 66.0.0.6 255.0.0.0
R6(config-if)#ip ospf network point-to-point
R6(config-if)#exit
R6(config)#interface Tunnel0
R6(config-if)#bandwidth 1000
R6(config-if)#no ip redirects
R6(config-if)#ip mtu 1400
R6(config-if)#no ip next-hop-self ei
R6(config-if)#no ip next-hop-self eigrp 1
R6(config-if)#ip nhrp authentication DMVPN_NW
R6(config-if)#ip nhrp map multicast dynam
R6(config-if)#ip nhrp map multicast dynamic
R6(config-if)#ip nhrp network-id 100000
56
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
R6(config-if)#ip nhrp holdtime 360

R6(config-if)#ip tcp adjust-mss 1360
R6(config-if)#no ip split-horizon eigrp 1
R6(config-if)#delay 1000
R6(config-if)#tunnel source FastEthernet0/1
R6(config-if)#tunnel mode gre multipoint
R6(config-if)#tunnel key 100000
R6(config-if)#tunnel protection ipsec profile DMVPN_PROF
R6(config-if)#exit
R6(config)#router eigrp 1
R6(config-router)#network 10.1.0.0 0.0.255.255
R6(config-router)#network 66.0.0.0
R6(config-router)#no auto-summary
R6(config-router)#exit
50.50.4.6 eq isakmp
50.50.4.6 eq 4500
50.50.4.6 eq isakmp
50.50.4.6 eq 4500
access-list outside permit udp host 2.2.2.2 host


R2(config-isakmp)#encr 3des
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#crypto ipsec transform-set MY_SET_AES_SHA esp-aes esp-sha-hmac
R2(config)#crypto ipsec profile Profile1
R2(ipsec-profile)#set transform-set MY_SET_AES_SHA
R2(config-if)#interface Tunnel0
R2(config-if)#ip nhrp map multicast 50.50.4.6
R2(config-if)#ip nhrp map 10.1.0.6 50.50.4.6
R2(config-if)#ip nhrp networ
R2(config-if)#ip nhrp nhs 10.1.0.6
R2(config-if)#tunnel source Loopback0
57
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

R2(config-if)#tunnel protection ipsec profile Profile1
R2(config-if)#exit
R2(config-router)#network 2

R3(config)#crypto ipsec transform-set MY_SET_AES_SHA esp-aes esp-sha-hmac
R3(config)#crypto ipsec profile Profile1
R3(ipsec-profile)#set transform-set MY_SET_AES_SHA
R3(config-if)#exit
R3(config)#interface Tunnel0
R3(config-if)#ip
R3(config-if)#ip nhrp map multicast
R3(config-if)#tunnel source Loopback0
R3(config-if)#tunnel protection ipsec profile Profile1
R3(config-if)#exit
R3#show crypto ipsec sa
interface: Tunnel0
58
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Crypto map tag: Tunnel0-head-0, local addr 3.3.3.3

protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (50.50.4.6/255.255.255.255/47/0)
current_peer 50.50.4.6 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
#pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
R3#show ip route eigrp

D
66.0.0.0/8 [90/2944000] via 10.1.0.6, 00:02:00, Tunnel0
D
22.0.0.0/8 [90/3200000] via 10.1.0.2, 00:02:00, Tunnel0
R3#
R3#ping 22.0.0.2 repeat 10

!!!!.!!!!!
R3#
interface: Tunnel0
local ident (addr/mask/prot/port):
remote ident (addr/mask/prot/port):
#pkts encaps: 6, #pkts encrypt: 6,
#pkts decaps: 7, #pkts decrypt: 7,
(3.3.3.3/255.255.255.255/47/0)
(2.2.2.2/255.255.255.255/47/0)
#pkts digest: 6
#pkts verify: 7
R3#show crypto session

Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 2.2.2.2 port 500
IKE SA: local 3.3.3.3/500 remote 2.2.2.2/500 Active
IPSEC FLOW: permit 47 host 3.3.3.3 host 2.2.2.2
Active SAs: 2, origin: crypto map
Interface: Tunnel0
Peer: 50.50.4.6 port 4500
59
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
R3#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local
Lifetime Cap.
Remote
I-VRF
Status Encr Hash Auth DH
1001
3.3.3.3
50.50.4.6
ACTIVE 3des sha
rsig 2
1002
3.3.3.3
2.2.2.2
ACTIVE 3des sha
rsig 2
1003
3.3.3.3
2.2.2.2
ACTIVE 3des sha
rsig 2
60
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 3.3
4 Points
Configure EasyVPN using the following:

o R6 as an EasyVPN server. Do not apply a crypto map to
any interface as part of this task.
o R7 as an easy VPN remote. Create Loopback 3 interface on
R7 using 10.3.0.7/24 R7s inside interface should be
Loopback 3, and the outside interface should be Fa0/1.
Use a virtual template on R7 as part of this task. You
may add a single static route on R7.
o Encrypt only traffic destined to 192.168.0.0/16 Use AES
and SHA for IKE phase 1 and 2 and a preshared key of
cisco.
o Use client mode with the address pool of 192.168.0.51 to
192.168.0.55 and authenticate with a user named
vpn_user, and a group name vpn_group. Both passwords
should be set as cisco.
o Users should be authenticated via the ACS server.
R6(config)#aaa authentication login default none
R6(config)#aaa authentication login vpn_group group radius local
R6(config)#aaa authorization network vpn_group local
R6(config-isakmp)#encr aes
R6(config-isakmp)#authentication pre-share
R6(config)#crypto isakmp client configuration group vpn_group
R6(config-isakmp-group)#key cisco
R6(config-isakmp-group)#pool POOL_1
R6(config-isakmp-group)#acl 100
R6(config-isakmp-group)#save-password
R6(config-isakmp-group)#exit
R6(config)#crypto isakmp profile easy-IKE-profile-1
R6(conf-isa-prof)#match identity group vpn_group
R6(conf-isa-prof)#client authentication list vpn_group
R6(conf-isa-prof)#isakmp authorization list vpn_group
R6(conf-isa-prof)#client configuration address respond
R6(conf-isa-prof)#virtual-template 1
R6(conf-isa-prof)#exit
R6(config)#crypto ipsec transform-set EZ_TRANS_AES_SHA_Tunnel esp-aes espsha-hmac
R6(config)#crypto ipsec profile IPSEC-easyvpn-profile-1
R6(ipsec-profile)#set transform-set EZ_TRANS_AES_SHA_Tunnel
R6(ipsec-profile)#set isakmp-profile easy-IKE-profile-1
61
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
R6(config)#interface Virtual-Template1 type tunnel
R6(config-if)#ip unnumbered FastEthernet0/1
R6(config-if)#tunnel mode ipsec ipv4
R6(config-if)#tunnel protection ipsec profile IPSEC-easyvpn-profile-1
R6(config-if)#exit
R6(config)#ip local pool POOL_1 192.168.0.51 192.168.0.55
R6(config)#ip radiu
R6(config)#ip radius source-interface FastEthernet0/0
R6(config)#access-list 100 permit ip 192.168.0.0 0.0.255.255 any
R6(config)#radius-server host 192.168.2.101 auth-port 1645 acct-port 1646
R6(config)#radius-server key cisco
R6(config-line)#login authentication FREE
R6(config-line)#exit
50.50.4.6 eq 500
50.504.6 eq 4500
62
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
63
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
R6#test aaa group radius vpn_user cisco legacy

Attempting authentication test to server-group radius using radius
R6#
R7(config)#crypto ipsec client ezvpn EZ_CLIENT

R7(config-crypto-ezvpn)#connect auto
R7(config-crypto-ezvpn)#group vpn_group key cisco
R7(config-crypto-ezvpn)#mode client
R7(config-crypto-ezvpn)#peer 50.50.4.6
R7(config-crypto-ezvpn)#virtual-interface 1
Error: Virtual-template 1 does not exist
R7(config-crypto-ezvpn)#username vpn_user password cisco
R7(config-crypto-ezvpn)#xauth userid mode local
64
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
R7(config-crypto-ezvpn)#exit
R7(config-if)#crypto ipsec client ezvpn EZ_CLIENT inside
R7(config-if)#exit
R7(config-if)#crypto ipsec client ezvpn EZ_CLIENT outside
R7(config-if)#exit
R7(config-if)#no ip address
R7(config-if)#exit
R7(config)#
R7(config)#
*Apr 29 16:49:23.043: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R7(config)#
*Apr 29 16:49:24.755: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Virtual-Template1, changed state to down
R7(config)#
*Apr 29 16:49:26.007: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=vpn_user
Group=vpn_group Client_public_addr=50.50.12.7 Server_public_addr=50.50.4.6
Assigned_client_addr=192.168.0.51
R7(config)#
*Apr 29 16:49:26.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Loopback10000, changed state to up
*Apr 29 16:49:26.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0,
changed state to up
R7#show crypto ipsec client ezvpn

Easy VPN Remote Phase: 6
Tunnel name : EZ_CLIENT
Inside interface list: Loopback3
Outside interface: FastEthernet0/1
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 192.168.0.51 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
Address
: 192.168.0.0
Mask
: 255.255.0.0
Protocol
: 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 50.50.4.6
Interface: Tunnel0
Peer: 2.2.2.2 port 4500
65
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

Interface: Tunnel0
Peer: 3.3.3.3 port 4500
Interface: Virtual-Access2
Username: vpn_user
Profile: easy-IKE-profile-1
Group: vpn_group
Assigned address: 192.168.0.51
Peer: 50.50.12.7 port 4500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.0.51
R7(config)#ip route 192.168.0.0 255.255.0.0 50.50.4.6
R7#ping 192.168.0.6 source loopback 3
Packet sent with a source address of 10.3.0.7
!!!!!
R7#
66
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 3.4
4 Points
Configure High Availabilty IPSec using the following:

o Protect ICMP traffic between 192.168.0.0/16 and
50.50.6.0/24
o Use AES and SHA for phase 1 and 2.
o Use pre-shared keys for authentication.
o The termination points for the tunnel are R6 Fa0/1 and
the HSRP address on VLAN 4.
o Do not configure any static routes for this task.
o R1 should be the active router if available. Test by
issuing a ping from R6 Fa0/0 to 50.50.6.5 then reload R1
and test the ping again. R4 should be able to carry the
IPsec traffic within 20 seconds of R1 being down.
R6(config)#access-list 105 permit icmp 192.168.0.0 0.0.255.255 50.50.6.0
0.0.0.255
R6(config)#crypto isakmp key cisco address 50.50.4.14
R6(config)#crypto isakmp invalid-spi-recovery
R6(config)#$c transform-set HA_TRANSFORM_AES_SHA esp-aes esp-sha-hmac
R6(config)#crypto map MYMAP 1 ipsec-isakmp
R6(config-crypto-map)#set peer 50.50.4.14
R6(config-crypto-map)#set transform-set HA_TRANSFORM_AES_SHA
R6(config-crypto-map)#match address 105
R6(config-crypto-map)#interface FastEthernet0/1
R6(config-if)#crypto map MYMAP
R6(config-if)#exit
ASA1/c2/act(config)#access-list outside permit udp host 50.50.4.14 host

50.50.4.6 eq 500
ASA1/c2/act(config)#access-list outside permit udp host 50.50.4.14 host
50.50.4.6 eq 4500

0.0.255.255
67
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

R1(config)#crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
R1(config)#crypto map MY_HA_MAP 1 ipsec-isakmp
R1(config-crypto-map)#description Tunnel to50.50.4.6
R1(config-crypto-map)#set transform-set AES_SHA
R1(config-crypto-map)#reverse-route
R1(config-crypto-map)#exit
R1(config-if)#standby 1 priority 101
R1(config-if)#standby 1 preempt
R1(config-if)#standby 1 name HA
R1(config-if)#crypto map MY_HA_MAP redundancy HA
R1(config-if)#exit
R1(config)#
R1(config)#
Apr 29 17:52:33.763: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby
-> Active
R1(config)#
Apr 29 17:52:34.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config)#router ospf 1
R1(config-router)#redistribute static subnets
R1(config-router)#passive-interface fa 0/0
NOTE: IF OSPF is left on both routers on the 50.50.4.0 network, there will
be equal cost load balancing from R5 to the 192.168.0.0 network, so only of
the traffic will make it, (via the tunnel).

0.0.255.255
R4(config-if)#exit
68
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
R4(config-router)#passive fa0/0
R4(config-router)#redistribute static subnets
R6#ping 50.50.6.5 sour fa0/0
.!!!!
R6#
interface: FastEthernet0/0
Crypto map tag: MY_HA_MAP, local addr 50.50.4.14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
R1#wr
Building configuration...
[OK]
R1#reload
Proceed with reload? [confirm]
Apr 29 18:01:19.931: %SYS-5-RELOAD: Reload requested
Reason: Reload Command.
by console. Reload
R6#ping 50.50.6.5 sour fa0/0

.!!!!
R6#
69
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

70
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 4:
Task 4.1
IPS
4 Points
Configure the Sensor per the diagram and with the

following:
o Default gateway of c2.
o Configure the Sensor to be managed on port 6783. Connect
from the ACS PC using destination 50.50.3.15 and
destination TCP port 5796.
o Set the web server-id to sensor-1. Allow the sensor to
be managed only by the ACS PC. The username is cisco,
with password of ccie5796.
SW2(config)#int fa 0/14
SW2(config-if)#switchport host
SW2(config-if)#switchport access vlan 13
SW2(config-if)#end
sensor# erase current-config
Warning: Removing the current-config file will result in all configuration
being reset to default, including system information such as IP address.
User accounts will not be erased. They must be removed manually using the "no
username" command.
Continue? []: yes
sensor# setup
!
!
Enter host name[sensor]: Sensor
Enter IP interface[192.168.1.2/24,192.168.1.1]: 172.17.33.15/24,172.17.33.200
Enter telnet-server status[disabled]:
Enter web-server port[443]: 6783
Modify current access list?[no]: yes
Current access list entries:
No entries
Permit: 192.168.2.101/32
Permit:
Modify system clock settings?[no]:
Modify interface/virtual sensor configuration?[no]:
Modify default threat prevention settings?[no]:
!
!
!
[0] Go to the command prompt without saving this config.
71
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
[1] Return back to the setup without saving this config.

[2] Save this configuration and exit setup.
Enter your selection[2]:
Configuration Saved.
*18:46:02 UTC Wed Apr 29 2009
Modify system date and time?[no]:
sensor#
sensor# conf t
sensor(config)# service web-server
sensor(config-web)# server-id sensor-1
sensor(config-web)# exit
Apply Changes?[yes]:
sensor(config)# exit
sensor# exit
Sensor# ping 172.17.33.200

PING 172.17.33.200 (172.17.33.200): 56 data bytes
64 bytes from 172.17.33.200: icmp_seq=0 ttl=255 time=0.9
ms
ms
ms
ms
--- 172.17.33.200 ping statistics --4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.4/0.9 ms
Sensor#
ASA1/c2/act(config)# static (dmz,inside) tcp 50.50.3.15 5796 172.17.33.15
6783
(Note: it may take a reload of the ASA for this to take effect)
ASA1/c2/act(config)# static (inside,dmz) 192.168.2.101 192.168.2.101
72
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
73
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 4.2
4 Points
Configure vs0 using the following:

o Fa1/0 and Fa1/1 as an inline pair in VLAN 9 and 99.
o Place R2 Fa0/0 in VLAN 99
o Use default rules, sigs and ad.
SW3(config-if)#sw ho
SW3(config-if)#sw access vlan 9
SW3(config-if)#sw host
SW3(config-if)#exit
SW1#show run int fa 0/2
Current configuration : 133 bytes
interface FastEthernet0/2
description **R2 FA0/0**
switchport access vlan 9
switchport mode access
spanning-tree portfast
end
SW1#conf t
Enter configuration commands, one per line.
SW1(config-if)#sw a v 99
SW1(config-if)#end
End with CNTL/Z.
74
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
75
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
76
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Create
o Inline VLAN pair using G0/0 and VLAN 5 and 55

SW1(config)# int fa0/14
77
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
78
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
79
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 4.3
4 Points

o All VLAN 11 traffic forwarded to port Fa1/2
o Resets will be sent from Fa 1/3
o the 3rd packet in a set of PING requests with a payload
of 500 bytes or greater triggers an alert
o The address of 1.1.1.1 will never be seen as an attacker
o SNMP traps to the ACS PC on UDP using port 185 with the
password cisco.
o Send an SNMP trap for all signatures that generate a risk
rating of 100.
SW3(config)#vlan 999
SW3(config-vlan)#remote
SW3(config-vlan)#exit
SW3(config)#monitor session
1
1
2
2
source vlan 11 rx
destination remote vlan 999
destination interface Fa0/2
source remote vlan 999
SW1(config)#monitor session 1 source vlan 11 rx

SW1(config)#monitor session 1 destination remote vlan 999
SW3(config-if)#sw trun encap dot1
SW3(config-if)#end
80
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
81
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
82
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
83
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
84
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
85
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
ASA1/c2/act(config)# access-list dmz permit udp host 172.17.33.15 host

192.168.2.101 eq 185
ASA1/c2/act(config)# access-group dmz in int dmz
86
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 4.4
4 Points
Configure vs0 with the following:

o An ICMP flood should cause a dynamic rate limit of 1% to
be placed on R2 Fa0/0 inbound.
o This rate limit should be removed after 2 minutes. Use a
fault tolerant address to R2 for sensor access.
87
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
88
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
89
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
90
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
ASA1/c2/act(config)# access-list dmz permit tcp host 172.17.33.15 host

2.2.2.2 eq telnet
ASA1/c2/act(config)# static (dmz,outside) 50.50.4.15 172.17.33.15
R2#who
Line
* 0 con 0
515 vty 1
User
Host(s)
idle
idle
BB2#ping 7.7.7.7 repeat 75
Idle
Location
00:00:00
00:00:03 50.50.4.15
size 10000

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!
.!!!.
BB2#
R2#
R2#show policy-map int fa 0/0
FastEthernet0/0
Service-policy input: IDS_RL_POLICY_MAP_1
Class-map: IDS_RL_CLASS_MAP_icmp-xxBx-8-1_1 (match-any)
484 packets, 55176 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name IDS_RL_ACL_icmp-xxBx-8-1_1
5 minute rate 0 bps
police:
cir 1 %
91
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
cir 1000000 bps, bc 31250 bytes

conformed 484 packets, 55176 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0 bps, exceed 0 bps
Class-map: class-default (match-any)
1 packets, 94 bytes
Match: any
R2#
92
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 4.5
4 Points

o Deep packet inspection capability of HTTP and FTP.
Include port 8080 for HTTP.
o When non-http traffic is seen, send a TCP reset to the
attacker and log future packets from this attacker to
anyone for 3 minutes.
o Configure this sensor to recognize the 50.50.4.0/24
93
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
94
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
95
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
R2#telnet 1.1.1.1 80
Trying 1.1.1.1, 80 ... Open
test
R2#
96
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
97
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 5:
Task 5.1
Identity Management
4 Points
Allow users on VLAN 2 to authenticate via 50.50.4.105 on c1

using telnet. Configure the username c-user with password
cisco. Use the ACS server with RADIUS to authenticate the
user.
ASA1/c1/act(config)# virtual telnet 50.50.4.105
ASA1/c1/act(config)# access-list outside permit tcp 11.11.2.0 255.255.255.0
host 50.50.4.105 eq telnet
ASA1/c1/act(config)# static (inside,outside) 50.50.4.105 50.50.4.105 netmask
255.255.255.255
ASA1/c1/act(config)# access-list auth-tel permit tcp 11.11.2.0 255.255.255.0
host 50.50.4.105 eq telnet
aaa authentication match auth-tel outside RAD
98
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
SW1#
SW1#telnet 50.50.4.105
Trying 50.50.4.105 ... Open
LOGIN Authentication
Username: c-user
Password: cisco
Authentication Successful
SW1#
99
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Upon successful authentication, dynamically apply an

access-list that allows telnet traffic to 8.8.8.8 from the
authenticated user. Test by using telnet from SW1 to
Loopback 0 on R8.
ASA1/c1/act(config)# show uauth

Current
Most Seen
Authenticated Users
1
1
Authen In Progress
0
1
user 'c-user' at 11.11.2.9, authenticated
absolute
timeout: 0:05:00
inactivity timeout: 0:00:00
ASA1/c1/act(config)# clear uauth
ASA1/c1/act(config)# show run access-group
access-group outside in interface outside
ASA1/c1/act(config)# access-group outside in interface outside per-useroverride
100
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
SW1#telnet 8.8.8.8
Trying 8.8.8.8 ...
% Connection refused by remote host
SW1#telnet 50.50.4.105
Trying 50.50.4.105 ... Open
Username: c-user
Password: cisco
SW1#telnet 8.8.8.8
R8#exit
SW1#
ASA1/c1/act(config)# show uauth
Current
Most Seen
Authenticated Users
1
1
Authen In Progress
0
1
access-list #ACSACL#-IP-ACL1-49f8688e (*)
absolute
timeout: 0:05:00
ASA1/c1/act(config)# show acce
ASA1/c1/act(config)# show access-list #ACSACL#-IP-ACL1-49f8688e
access-list #ACSACL#-IP-ACL1-49f8688e; 2 elements (dynamic)
access-list #ACSACL#-IP-ACL1-49f8688e line 1 extended permit tcp any host
8.8.8.8 eq telnet (hitcnt=1) 0xed24bdfc
access-list #ACSACL#-IP-ACL1-49f8688e line 2 extended permit tcp any host
50.50.4.105 eq telnet (hitcnt=1) 0x8ac38cde
101
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 5.2
4 Points
On R7, allow a user named r7-user with a password of

authentication, and the ACS server for authorization. The
ACS server should see R7 as the IP address of 50.50.3.7 On
R7, use the source address of Loopback 0 for TACACS.
R7(config)#username admin privi 15 secret cisco
R7(config)#aaa authentication login R7-LOC local
R7(config)#aaa authorization config-commands
R7(config)#aaa authorization exec TAC group tacacs+ none
R7(config)#aaa authorization commands 0 TAC group tacacs+
R7(config)#aaa accounting commands 0 TAC start-stop group tacacs+
R7(config)#username r7-user password cisco
R7(config)#line vty 0 4
R7(config-line)#authorization commands 0 TAC
R7(config-line)#authorization exec TAC
R7(config-line)#accounting commands 0 TAC
R7(config-line)#login authentication R7-LOC
R7(config)#crypto key generate rsa modulus 1024
R7(config)#
*Apr 29 22:03:17.286: %SSH-5-ENABLED: SSH 1.99 has been enabled
R7(config)#
ASA1/c2/act(config)# static (outside,inside) 50.50.3.7 50.50.12.7
50.50.4.101 eq tacacs
102
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
103
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
R7#test aaa group tacacs+ r7-user cisco legacy

104
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
The only commands that the r7-user should be able to do

would allow entry into configuration mode, configure an IP
address in interface configuration mode, and the command of
exit.
All successful commands issued by this user should be
logged on the ACS server. This user should not be able to
log into any other ACS managed device.
Do not associate any privilege lever with the username of
r7-user on the local database of R7.
105
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
106
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
107
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
108
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
R2#ssh -l r7-user 7.7.7.7

Password: cisco
R7#conf t
R7(config)#router rip
Command authorization failed.
End with CNTL/Z.
R7(config)#int loop 99
R7(config-if)#exit
R7(config)#exit
R7#logout
R7#exit
109
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
On R6, create a local user named user5 with a password of

g0Od?P@ss5. Allow any user to perform an extended ping
using privilege level 1. Do not use any AAA commands for
this task.
R6(config)#username user5 secret g0Od?P@ss5
Note: to insert a ?, use the Ctrl+v, release, then the ?
R6(config)#privilege exec level 1 ping
R6(config)#exit
R6#disable
R6>ping
Protocol [ip]:
Target IP address: 50.50.3.200
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
!!!!!
R6>

user named Mr.show is automatically placed in enable mode
with privilege level 10. When this user issues a show run
command, he should only view the available interfaces,
their assigned IP's, access-lists applied to the
interfaces, and access-lists configured globally. Do not
use ACS as part of this task.
R2(config)#aaa authentication login ssh local
R2(config)#aaa authorization exec default none
R2(config)#aaa authorization exec ssh local
R2(config)#ip domain name cisco.com
R2(config)#username Mr.show privilege 10 secret cisco
R2(config)#username admin privilege 15 secret cisco
R2(config)#ip ssh version 2
R2(config)#privilege interface level 10 ip access-group
R2(config)#privilege interface level 10 ip address
R2(config)#privilege interface level 10 ip
R2(config)#privilege configure level 10 access-list
R2(config)#privilege configure level 10 ip access-list extended
R2(config)#privilege configure level 10 ip access-list standard
R2(config)#privilege configure level 10 ip access-list
R2(config)#privilege configure level 10 interface
R2(config)#privilege configure level 10 ip
R2(config)#privilege exec level 10 show running-config
110
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
R2(config)#privilege exec level 10 show

R2(config)#
R2(config-line)#privilege level 15
R2(config-line)#authorization exec ssh
R2(config-line)#login authentication ssh
R7#ssh -l Mr.Show 2.2.2.2
Password:
R2#show run
!
! Last configuration change at 14:14:35 PDT Wed Apr 29 2009
! NVRAM config last updated at 15:28:12 PDT Wed Apr 29 2009
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Loopback2
ip address 22.0.0.2 255.0.0.0
!
interface Tunnel0
ip address 10.1.0.2 255.255.0.0
!
ip address 11.11.9.2 255.255.255.0
!
no ip address
!
interface FastEthernet0/1.7
ip address 50.50.7.2 255.255.255.0
!
ip address 50.50.12.2 255.255.255.0
!
interface Serial0/0/0
ip address 50.50.235.2 255.255.255.248
!
no ip address
111
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
!
no ip address
!
no ip address
!
!
access-list 1 permit 50.50.0.0 0.0.255.255
access-list 110 deny
!
end
112
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 5.3
4 Points
Configure 802.1x with the following:

o Require 802.1x authentication on SW3, port FA0/18.
o Set up an ACS user named 1xuser. Have the ACS provide
the VLAN assignment of VLAN 10 for successful
authentication of this user.
o The ACS should see SW3 as 50.50.4.9.
o Configure SW3 so that your output looks similar to the
following:
----------------------------------PAE
= AUTHENTICATOR
PortControl
= AUTO
ControlDirection
= Both
HostMode
= MULTI_HOST
ReAuthentication
= Disabled
QuietPeriod
= 3
ServerTimeout
= 30
SuppTimeout
= 30
ReAuthPeriod
ReAuthMax
= 2
MaxReq
= 2
TxPeriod
= 5
RateLimitPeriod
= 0
Auth-Fail-Vlan
= 6
= 3
Guest-Vlan
= 11
Port Status
Authorized By
Vlan Policy
= AUTHORIZED
= Guest-Vlan
= 11

50.50.4.101 eq radius
113
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
114
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
115
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
116
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
117
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
SW3(config)#aaa new-model
SW3(config)#aaa authentication dot1x default group radius local
SW3(config)#aaa authorization network default group radius
SW3(config)#dot1x system-auth-control
SW3(config)#interface FastEthernet0/18
SW3(config-if)#switchport mode access
SW3(config-if)#dot1x pae authenticator
SW3(config-if)#dot1x port-control auto
SW3(config-if)#dot1x host-mode multi-host
SW3(config-if)#dot1x timeout quiet-period 3
SW3(config-if)#dot1x timeout tx-period 5
SW3(config-if)#dot1x guest-vlan 11
SW3(config-if)#dot1x auth-fail vlan 6
SW3(config-if)#spanning-tree portfast
SW3(config-if)#interface Vlan4
SW3(config-if)#ip address 50.50.4.9 255.255.255.0
SW3(config-if)#ip radius source-interface Vlan4
SW3(config)#radius-server host 50.50.4.101 auth-port 1645 acct-port 1646
SW3(config)#radius-server source-ports 1645-1646
SW3(config)#radius-server key cisco
SW3#test aaa group radius 1xuser cisco legacy
118
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
119
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 6:
Task 6.1
4 Points

R4(config)#class-map match-all CMAP_CONTROL_PLANE
R4(config-cmap)#match access-group 150
R4(config-cmap)#policy-map PMAP_CONTROL_PLANE
R4(config-pmap)#class CMAP_CONTROL_PLANE
R4(config-pmap-c)#police 10000 conform-action transmitexceed-action drop
violate-action drop
R4(config-pmap-c-police)#exit
R4(config-pmap-c)#
R4(config-pmap-c)#access-list 150 deny tcp host 5.5.5.5 any eq telnet
R4(config)#access-list 150 deny icmp host 5.5.5.5 any
R4(config)#access-list 150 permit tcp any any eq telnet
R4(config)#access-list 150 permit icmp any any
R4(config)#control-plane
R4(config-cp)#service-policy input PMAP_CONTROL_PLANE
R4(config-cp)#exit
R4#show policy-map
Policy Map PMAP_CONTROL_PLANE
Class CMAP_CONTROL_PLANE
police cir 10000 bc 1500 be 1500
conform-action transmit
exceed-action drop
violate-action drop
R5#ping 4.4.4.4 size 500 repeat 10
!!.!!.!!.!
R5#ping 4.4.4.4 size 500 repeat 10 source loop 0
!!!!!!!!!!
R5#
R4#show policy-map control-plane
Control Plane
120
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Service-policy input: PMAP_CONTROL_PLANE

Class-map: CMAP_CONTROL_PLANE (match-all)
Match: access-group 150
police:
cir 10000 bps, bc 1500 bytes, be 1500 bytes
transmit
drop
violated 92 packets, 139288 bytes; actions:
drop
conformed 0 bps, exceed 0 bps, violate 0 bps
Match: any
R4#
121
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

R8(config)#class-map match-all CMAP_ICMP_UNREACHABLE
R8(config-cmap)#policy-map PMAP_ICMP_UNREACHABLE
R8(config-pmap)#class CMAP_ICMP_UNREACHABLE
R8(config-pmap-c)#drop
R8(config-pmap-c)#exit
R8(config-pmap)#exit
icmp any 50.50.0.0 0.0.255.255 portunreachable
R8(config)#access-list 151 permit icmp any any port-unreachable
R8(config-cp)#service-policy output PMAP_ICMP_UNREACHABLE
R8(config-cp)#exit
Control Plane
Service-policy output: PMAP_ICMP_UNREACHABLE
Class-map: CMAP_ICMP_UNREACHABLE (match-all)
0 packets, 0 bytes
drop
Match: any
122
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 7:
Task 7.1
Advanced Security
4 Points
Allow the EBGP neighbors between BB1 and BB2. Add BGP
authentication between BB1 and BB2 using the password of
cisco. Verify the BGP sourced routes appear on routers 1-5,
7, and 8.
ASA1/c1/act(config)# static (outside,inside) 11.11.2.11 11.11.2.11 netmask
255.255.255.255 norandomseq
11.11.9.11 eq bgp
BB2#show ip bgp summary
BGP router identifier 11.11.9.11, local AS number 2
BGP table version is 16, main routing table version 16
15 network entries using 1800 bytes of memory
15 path entries using 780 bytes of memory
2/1 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2852 total bytes of memory
BGP activity 75/60 prefixes, 90/75 paths, scan interval 60 secs
Neighbor
11.11.2.11
V
4
AS MsgRcvd MsgSent
1
469
465
TblVer
16
InQ OutQ Up/Down state/pfx

0
0 00:00:14
15
BB1(config-router)#neighbor 11.11.9.11 password cisco

ASA1/c1/act(config)# access-list global_mpc_1 extended permit tcp host
11.11.2$
WARNING: <global_mpc_1> found duplicate element
ASA1/c1/act(config)# access-list global_mpc_2 extended permit tcp host
11.11.9$
WARNING: <global_mpc_2> found duplicate element
ASA1/c1/act(config)# tcp-map OPTION_19
ASA1/c1/act(config-tcp-map)# tcp-options range 19 19 allow
ASA1/c1/act(config-tcp-map)# exit
ASA1/c1/act(config)#access-list global_mpc_1 extended permit tcp host
11.11.2.11 host 11.11.9.11
ASA1/c1/act(config)#access-list global_mpc_2 extended permit tcp host
11.11.9.11 host 11.11.2.11
ASA1/c1/act(config)# class-map BGP_TRAFFIC
ASA1/c1/act(config-cmap)# match access-list global_mpc_1
ASA1/c1/act(config-cmap)# exit
ASA1/c1/act(config)# class-map MORE_BGP
ASA1/c1/act(config-cmap)# match access-list global_mpc_2
123
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
ASA1/c1/act(config)# policy-map global_policy
ASA1/c1/act(config-pmap)# class MORE_BGP
ASA1/c1/act(config-pmap-c)# set connection random-sequence-number disable
ASA1/c1/act(config-pmap-c)# set connection advanced-options OPTION_19
ASA1/c1/act(config-pmap-c)# exit
ASA1/c1/act(config-pmap)# class BGP_TRAFFIC
ASA1/c1/act(config-pmap-c)# set connection random-sequence-number disable
ASA1/c1/act(config-pmap-c)# set connection advanced-options OPTION_19
124
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

Neighbor
11.11.2.11
V
4
AS MsgRcvd MsgSent
1
484
483
TblVer
46
InQ OutQ Up/Down State/Pfx

0
0 00:07:30
15
Prevent the ACS PC from being able to telnet to R6. Stop this traffic before
it reaches R6. Do not assign an access list to any interface on the switch as
part of your solution for this task.
SW1(config)#ip access-list extended NO_TELNET_TO_R6

SW1(config-ext-nacl)#$ host 192.168.2.101 host 192.168.0.6 eq telnet
SW1(config-ext-nacl)# permit tcp host 192.168.2.101 host 6.6.6.6 eq telnet
SW1(config-ext-nacl)# permit tcp host 192.168.2.101 host 50.50.3.6 eq telnet
SW1(config-ext-nacl)#vlan access-map NO_TELNET_TO_R6 10
125
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
SW1(config-access-map)# action drop

SW1(config-access-map)# match ip address NO_TELNET_TO_R6
SW1(config-access-map)#vlan access-map NO_TELNET_TO_R6 20
SW1(config-access-map)# action forward
SW1(config-access-map)#vlan filter NO_TELNET_TO_R6 vlan-list 10
SW1(config)#exit
c:\ACS_PC>ping 192.168.0.6
Reply
Reply
Reply
Reply
from
from
from
from
192.168.0.6:
192.168.0.6:
192.168.0.6:
192.168.0.6:
bytes=32
bytes=32
bytes=32
bytes=32
time=2ms
time=1ms
time=1ms
time=1ms
TTL=255
TTL=255
TTL=255
TTL=255

c:\ACS_PC>telnet 192.168.0.6
Connecting To 192.168.0.6...Could not open connection to the host, on port
23:
Connect failed
c:\ACS_PC>
126
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

Do not use any line or AAA commands for this task.
R3#telnet 4.4.4.4
R4#exit
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip local policy route-map NO_OUTBOUND_TELNET
R3(config)#ip access-list extended NO_OUTBOUND_TELNET
R3(config-ext-nacl)#permit tcp any any eq telnet log
R3(config)#route-map NO_OUTBOUND_TELNET permit 10
R3(config-route-map)#match ip address NO_OUTBOUND_TELNET
R3(config-route-map)#set interface Null0
R3(config-route-map)#exit
R3(config)#exit
R3#telnet
Apr 29 23:53:07.192: %SYS-5-CONFIG_I: Configured from console by console
R3#telnet 4.4.4.4
Trying 4.4.4.4 ...
Apr 29 23:53:09.932: %SEC-6-IPACCESSLOGP: list NO_OUTBOUND_TELNET permitted
tcp 50.50.235.3(23533) -> 4.4.4.4(23), 1 packet
% Connection timed out; remote host not responding

Apply this policy to Fa0/0 only.
R5(config)#class-map match-all TELNET_TO_50.50.4.0
R5(config-cmap)# match access-group name TELNET_TO_50.50.4.0
R5(config-cmap)#exit
R5(config)#class-map match-all FTP_ICMP_TO_50.50.4.0
R5(config-cmap)# match access-group name FTP_ICMP_TO_50.50.4.0
R5(config)#policy-map R5_OUTBOUND_FA0/0
R5(config-pmap)# class FTP_ICMP_TO_50.50.4.0
R5(config-pmap-c)#
police rate 10000 burst 1000
R5(config-pmap-c-police)# conform-action transmit
R5(config-pmap-c-police)# exceed-action drop
R5(config-pmap-c-police)# violate-action drop
127
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
R5(config-pmap-c)# class TELNET_TO_50.50.4.0

R5(config-pmap-c)# police rate 10000 burst 1000
R5(config-pmap-c-police)# conform-action transmit
R5(config-pmap-c-police)# exceed-action set-prec-transmit 7
R5(config-pmap-c-police)# violate-action set-prec-transmit 7
R5(config-pmap-c-police)#interface FastEthernet0/0
R5(config-if)# service-policy output R5_OUTBOUND_FA0/0
R5(config-if)#ip access-list extended FTP_ICMP_TO_50.50.4.0
R5(config-ext-nacl)# permit tcp any 50.50.4.0 0.0.0.255 eq ftp
R5(config-ext-nacl)# permit icmp any 50.50.4.0 0.0.0.255
R5(config)#ip access-list extended TELNET_TO_50.50.4.0
R5(config-ext-nacl)# permit tcp any 50.50.4.0 0.0.0.255 eq telnet
!!!!!!!!!!
!.!.!.!.!.
R5#show poli
FastEthernet0/0
Service-policy output: R5_OUTBOUND_FA0/0
Class-map: FTP_ICMP_TO_50.50.4.0 (match-all)
Match: access-group name FTP_ICMP_TO_50.50.4.0
police:
rate 10000 bps, burst 1000 bytes, peak-burst 1500 bytes
transmit
drop
drop
Class-map: TELNET_TO_50.50.4.0 (match-all)
0 packets, 0 bytes
Match: access-group name TELNET_TO_50.50.4.0
police:
transmit
128
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

set-prec-transmit 7
set-prec-transmit 7
Match: any
R5#
129
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

with the MAC address of 0001.0002.0003 to be connected only
to port FA0/23. If there is a violation, shut down the
port.
The switch should automatically re-enable the port
after 30 seconds if there is no longer a violation.
SW4(config)#interface fa 0/23
SW4(config-if)#switchport port-security
SW4(config-if)#switchport port-security mac-address 0001.0002.0003
SW4(config-if)#switchport port-security violation restrict
SW4(config-if)#switchport port-security violation shutdown
SW4(config-if)#exit
SW4(config)#errdisable recovery interval 30
SW4(config)#errdisable recovery cause psecure-violation
SW4#show port-security
00:08:25: %SYS-5-CONFIG_I: Configured from console by console
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count)
(Count)
(Count)
--------------------------------------------------------------------------Fa0/23
1
0
0
Shutdown
--------------------------------------------------------------------------Total Addresses in System (excluding one mac per port)
: 0
Max Addresses limit in System (excluding one mac per port) : 6272
SW4#

store these in the running configuration. Create a syslog
message but do not shutdown the port if there is a
violation.
R1(config-if)#stand
R1(config-if)#standby us
R1(config-if)#standby use-bia
R4(config-if)#stand
R4(config-if)#standby us
SW1(config)#int range
SW1(config-if-range)#
fa 0/1, fa0/4
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security violation restrict
130
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
SW1(config-if-range)# switchport port-security

SW1(config-if-range)# end
SW1#show run
!
!
!
switchport port-security
switchport port-security mac-address sticky 001b.53b4.6ae8
!
!
!
switchport port-security mac-address sticky 001b.53e4.ea18
131
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 7.2
4 Points
On c2, do not permit MSN games or MSN webcam traffic to go

through the firewall. Other types of MSN P2P traffic should
be allowed. Apply this policy inbound on all interfaces.
ASA1/c2/act(config)# class-map type inspect im match-all
CMAP_INS_IM_MSN_GAMES$
ASA1/c2/act(config-cmap)# match protocol msn-im
ASA1/c2/act(config-cmap)# match service games webcam
ASA1/c2/act(config)# policy-map type inspect im PMAP_INS_IM_MSN_GAMES_WEBCAM
ASA1/c2/act(config-pmap)# parameters
ASA1/c2/act(config-pmap-p)# class CMAP_INS_IM_MSN_GAMES_WEBCAM
ASA1/c2/act(config-pmap-c)# drop-connection log
ASA1/c2/act(config-pmap)# exit
ASA1/c2/act(config)# policy-map global_policy
ASA1/c2/act(config-pmap)# class inspection_default
ASA1/c2/act(config-pmap-c)# inspect im PMAP_INS_IM_MSN_GAMES_WEBCAM
ASA1/c2/act(config-pmap)# exit
ASA1/c2/act(config)# show service-policy
Global policy:
Inspect: ftp strict PMAP_INS_FTP_PUT, packet 0, drop 0, reset-drop 0
Inspect: icmp, packet 0, drop 0, reset-drop 0
Inspect: im PMAP_INS_IM_MSN_GAMES_WEBCAM, packet 339, drop 0, resetdrop 0
Class-map: TCP_PORT_8000
Set connection policy:
drop 0
Set connection advanced-options: TCP_MAP_SEQEUNTIAL
Retransmission drops: 0
TCP checksum drops : 0
Exceeded MSS drops : 0
SYN with data drops: 0
Invalid ACK drops
: 0
SYN-ACK with data drops: 0
Out-of-order (OoO) packets : 0
OoO no buffer drops: 0
OoO buffer timeout drops : 0
SEQ past window drops: 0
Reserved bit cleared: 0
Reserved bit drops : 0
132
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
IP TTL modified
: 0
Window varied resets: 0
TCP-options:
Selective ACK cleared: 0
Window scale cleared : 0
Other options cleared: 0
Other options drops: 0
Urgent flag cleared: 0
Timestamp cleared
: 0
133
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Section 8: Network Attack Mitigation

Task 8.1
4 Points
Configure R2 to not follow any embedded routing information

that may be included in ingress traffic coming from BB2. In
addition, protect downstream routers from any malicious
options that may be included in packets sourced from BB2.
Do not allow R2 to disclose information to the VLAN 9
network that may be used to compromise R2.
R2(config)#no ip options
R2(config)#no ip source-route
R2(config-if)#no cdp enable
R2(config-if)#
134
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

o default.ida
o ScoobySnack.exe
o root.exe
R3(config)#class-map match-any CMAP_HTTP_URL
R3(config-cmap)#match protocol http url "*default.ida*"
R3(config-cmap)#match protocol http url "*ScoobySnack.exe*"
R3(config-cmap)#match protocol http url "*root.exe*"
R3(config)#policy-map PMAP_MARK_INBOUND
R3(config-pmap)#class CMAP_HTTP_URL
R3(config-pmap-c)#set ip dscp 1
R3(config-pmap)#int Fa0/0
R3(config-if)#service-policy input PMAP_MARK_INBOUND
R3(config-if)#exit
R3(config)#access-list 123 deny ip any any dscp 1 log
R3(config-if)#ip access-group 123 out
R3(config-if)#exit
R2#copy http://8.8.8.8/ScoobySnack.exe null:
R3#
Apr 30 16:02:18.213: %SEC-6-IPACCESSLOGP: list 123 denied tcp 50.50.7.2(0) ->
8.8.8.8(0), 1 packet
R3#
R3#show policy-map interface Fa0/0
FastEthernet0/0
Service-policy input: PMAP_MARK_INBOUND
Class-map: CMAP_HTTP_URL (match-any)
Match: protocol http url "*default.ida*"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*ScoobySnack.exe*"
5 minute rate 0 bps
Match: protocol http url "*root.exe*"
0 packets, 0 bytes
135
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
5 minute rate 0 bps

QoS Set
dscp 1
Packets marked 5
Match: any
A rogue application somewhere on 50.50.5.0/24 and

50.50.11.0/24 is sending data embedded in ICMP to a
destination on or behind BB1.
The ICMP packet size ranges
from 285 and 325 bytes inclusively. Drop this traffic on
R1 and R4 outbound on Fa0/0.
Do not use an access-list to
drop this traffic.
R1(config)#class-map match-all ICMP_CMAP
R1(config-cmap)#match packet length min 285 max 325
R1(config-cmap)#match protocol icmp
R1(config)#policy-map ICMP_PMAP
R1(config-pmap)#class ICMP_CMAP
R1(config-if)#service-policy output ICMP_PMAP
R1(config-if)#exit
R4(config)#class-map match-all ICMP_CMAP

R4(config-cmap)#match packet length min 285 max 325
R4(config)#policy-map ICMP_PMAP
R4(config-pmap)#class ICMP_CMAP
R4(config-if)#service-policy output ICMP_PMAP
R4(config-if)#exit
ASA1/c1/act(config)# fixup protocol icmp

136
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc

!!
..
Success rate is 0 percent (0/2)
!!

FastEthernet0/0
Service-policy output: ICMP_PMAP
Class-map: ICMP_CMAP (match-all)
Match: packet length min 285 max 325
Match: protocol icmp
drop
Match: any
R1#
On R6, stop syn-flood attacks against the ACS PC. R6

should be passive unless formed sessions reach 100, and
then R1 should not use FIFO to remove connection attempts.
Have R1 stop removing sessions when the level drops to 40.
Do not use CBAC for this task.
R6(config)#access-list 150 permit tcp any host 192.168.2.101 log
R6(config)#ip tcp intercept list 150
R6(config)#ip tcp intercept max-incomplete low 41
R6(config)#ip tcp intercept max-incomplete high 99
R6(config)#ip tcp intercept mode watch
R6(config)#ip tcp intercept drop-mode random
137
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.01.09.05.kb.r04.09.05.doc
Task 8.2
4 Points
On c1, prevent VLAN 2 hosts from spoofing source addresses

of 50.50.0.0/16
Do not use an access-list as part of this
task.
ASA1/c1/act(config)# ip verify reverse-path interface outside
On c1, deny IP fragments on the outside interface. Do not

use the keyword fragment in any access-list.
ASA1/c1/act(config)# fragment chain 1 outside
138
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
LAB 2
Instructions
cannot be changed.
often!
task.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Sections:
1.ASA Firewalls
2.IOS Firewalls
3.VPNs
4.IPS
7.Advanced Security
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
ACS PC
.101
R1
BB1
.99
VLAN 168
192.168.2.0
SW2
.11
Inside
E0/0.v
VLAN 77
G0/0
DMZ1
E0/0.v
172.16.77.0
IPS C&C
.50
ASA1
DMZ2
E0/0.v
OSPF
Area 0
VLAN 99
172.16.99.0
VLAN 44
172.16.44.0
R4
Outside
E0/0.v
R7
VLAN 22
24.234.22.0
VLAN 252
24.234.252.0
BB2
R2
.252
SW1
.11
EIGRP1
Frame Relay
24.234.100.0
Outside
E0/0.v
VLAN 111
24.234.111.0
R6
C1
Inside
E0/0.v
VLAN 121
24.234.121.0
R3
VLAN 222
24.234.222.0
Outside
E0/0.v
C2
Inside
E0/0.v
VLAN 88
172.16.88.0
VLAN 55
172.16.55.0
R8
R5
Routers use router number for last octet. Other devices

use IP addresses as shown in diagram, or indicated within
a task. Unless otherwise shown, all router interfaces are
fa0/0.v where v=vlan number. All networks are /24
unless otherwise noted
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
SW1
Fa0/1
Fa0/0
R1
Fa0/1
Fa0/1
SW2
SW1
Fa0/2
Fa0/0
R2
Fa0/1
Fa0/2
SW2
SW1
Fa0/3
Fa0/0
R3
Fa0/1
Fa0/3
SW2
SW1
Fa0/4
Fa0/0
R4
Fa0/1
Fa0/4
SW2
SW1
Fa0/5
Fa0/0
R5
Fa0/1
Fa0/5
SW2
SW1
Fa0/6
Fa0/0
R6
Fa0/1
Fa0/6
SW2
SW1
Fa0/9
Fa0/0
BB1
Fa0/1
Fa0/9
SW2
SW1
Fa0/10
Fa0/0
BB2
Fa0/1
Fa0/10
SW2
SW1
Fa0/12
E0/0
E0/2
Fa0/12
SW2
Fa0/14
SW2
E0/3
Fa0/17
SW2
E0/2
Fa0/18
SW2
E0/3
Fa0/23
SW2
ASA01
Gi0/0: sense
SW1
Fa0/14
SW1
Fa0/17
E0/1
SW1
Fa0/18
E0/0
IDS
IDS
Gi0/1: c&c
ASA01
ASA02
SW1
E0/1
Fa0/23
ASA02
SW1
SW2
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Sensor Int.
G0/0
Fa1/0
Fa1/1
Fa1/2
Fa1/3
Connected to:
SW1 Fa0/14
SW3 Fa0/4
SW3 Fa0/3
SW3 Fa0/2
SW3 Fa0/1
Fas0/0
2811
SW3
SW4
Fas0/17
SW3
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Fas0/1
R7
Fas0/17
SW4
ACS PC SW1 Fa0/24
192.168.2.101
Fas0/0
2811
Fas0/1
R8
SW3

192.168.2.102
Fas0/18
SW4
Fas0/18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 1:
Task 1.1
ASA Firewalls
4 Points
Set the hostname of ASA1 to ASA1.

Configure ASA1 with the following interface settings:
Name
Inside
Outside
DMZ1
DMZ2
Interface
E0/0.168
E0/0.22
E0/0.77
E0/0.44
Security level IP Address

Default
192.168.2.100/24
Default
24.234.22.100/24
50
172.16.77.100/24
50
172.16.44.100/24
VLAN
168
22
77
44
Configure EIGRP with AS 1, verify that all EIGRP networks

are reachable.
Configure OSPF 1 as part of area 0. Inject a default route
to the DMZ2 interface. You may not add any static routes as
part of this task.
Configure the ASA so that the OSPF area 0 networks are seen
in the routing tables of R2, R3 and R6.
Test connectivity from R1 to all currently reachable
network devices. You are allowed to inspect ICMP on ASA1 to
accomplish this.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 1.2
4 Points

Configure ASA2 with multiple contexts, c1 and c2. Use the
following interfaces settings:
Context
c1
c1
c2
c2
Name
Inside
Outside
Inside
Outside
Interface
E0/0.88
E0/0.111
E0/0.55
E0/0.222
Sec Level
Default
Default
Default
Default
IP Address
172.16.88.200/24
24.234.111.200/24
172.16.55.200/24
24.234.222.200/24
VLAN
88
111
55
222
The contexts should not know the interface numbers, only

the names provided in the table, EX: Inside, Outside.
Configure a default route on each context with R6 as the
next hop.
Verify connectivity from the inside networks to R2, R3 and
R6. You are allowed to inspect ICMP to accomplish this.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 1.3
4 Points
Context c1 should require a NAT translation to pass

traffic.
On ASA1, the ACS server should be reachable on the outside
interface at 24.234.22.101. It should be reachable on the
DMZ2 interface at 172.16.44.101.
When R7 telnets to 24.234.22.2 its source IP should appear
as 24.234.22.7 but when it telnets to 24.234.100.3 its
source address should appear as 24.234.22.77. Do not use
the static command to accomplish this.
The 192.168.2.0/24 network should be translated to the
outside interface address of ASA1, unless the traffic is
sourced from R1 and destined for BB2. For this traffic, the
source address should be translated to 24.234.22.99.
Task 1.4
4 Points
Configure ASA1 so that all allowed telnet traffic will be

inspected, but limited to no more than 50 half open
connections. You may not use any address translation
commands or ACLs to accomplish this
Inspect DNS traffic from the DMZ2 network and allow it as
long as long as the domain name bad_domain.com is not
included.
Task 1.5
4 Points
Configure ASA1 to detect scanning of hosts. If a scanning

threat is detected, the ASA should shun the scanner for 1
hour. R2 should never be shunned in this way.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 2:
Task 2.1
IOS Firewalls
4 Points
Setup a zone based firewall on R4. Configure an inside and

outside zone with fa0/0.44 as the inside and fa0/0.99 as
the outside. The policy for the firewall should be as
follows:
Policy direction
Inside->Outside
Permit
TCP
UDP
ICMP
Outside->Inside
ICMP
Telnet
Limits
Max TCP embryonic
connections per
host: 100
Max sessions: 200
One minute high: 100
One minute low: 50
Telnet timeout: 1
min
ICMP rate limited to
8000 bps burst 2000
Test the Inside->Outside policy with telnet from R1 to BB1.

Test the Outside->Inside policy with ICMP from BB1 to R2.
Your output should resemble the following:
!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 3: VPNs
Task 3.1
4 Points
Configure R8 as an NTP server. Use MD5 authentication. Set

the clock to use pacific standard time.
R2 and R3 should sync their time to R8. You are allowed to
configure any ACLs needed on context c1 to accomplish this.
R2 and R3 should be able to connect to R8 using its real
address.
Set R2 and R3 to use pacific standard time.
Task 3.2
4 Points
Configure R8 as a CA server called CA1. The server should

allow auto enrollment via http. Certificate lifetime should
be 30 days. The issuer name should be R8.ccbootcamp.com
with a location of LV and country of US.
R2 and R3 should enroll with R8 via http://172.16.88.8:80.
R8 should enroll with itself.
Task 3.3
4 Points
Configure GETVPN using the following settings:

o Key server: R8
o Member servers: R2 and R3
o Crypto policy on server: ICMP between BB2 and SW1
o IKE Phase 1: DH2, RSA-SIG, AES, SHA
o GDOI policy: 3DES, SHA
o Rekey policy: Unicast, 30 minute lifetime
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 4:
IPS
Task 4.1 4 Points

Configure the sensor with the following settings:
IP Address
Gateway
Managed by
172.16.77.50
172.16.77.100
172.16.77.101
Task 4.2
Mgmt. SSL
port
10443
4 Points
Create virtual sensor vs1.

Configure vs1 to use Fa1/0 as a promiscuous interface for
VLAN77. You can make any necessary changes to SW1 and SW3
to accomplish this. Vs1 should use sig1, rules1 and ad1.
Configure virtual sensor vs0 to use g0/0 with an inline
VLAN pair. It should protect traffic between R5 and context
c2. Make necessary changes to sw1 and R5 to accomplish
this.
Verify that R5 has connectivity to the rest of the network.
Task 4.3
4 Points
Modify an existing signature within sig0 that will send a

medium severity alert if R5 attempts to send ICMP echoes
that are 10000 bytes or larger.
Create a custom signature within sig1 that will send a high
severity alert if web traffic on VLAN 77 contains the
string virus.exe, case insensitive.
10
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 4.4
4 Points
If R5 attempts to send ICMP echoes to R6 that are 10000

bytes or greater, the packets should be denied inline. You
are not allowed to create or modify any signatures to
accomplish this.
If R7 triggers the virus.exe signature and alert should
not be generated. You may not edit the signature to
accomplish this.
11
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 5:
Task 5.1
Identity Management
4 Points
R2 should deny any

interface destined
via http. Create a
authenticate with.
changes to ASA1 to
Task 5.2
icmp traffic incoming on the fa0/0.22

for BB2 unless it is first authenticated
user named authp on the ACS server to
You are allowed to make necessary
accomplish this.
4 Points
Configure context c1 to require authentication via virtual

telnet at 24.234.111.250 before allowing icmp traffic from
R6 to R8. Create a user called r8user on the ACS server for
this authentication.
Task 5.3
4 Points
Configure SW4 for dot1x authentication. Port fa0/16 should

be configured so that if there is no 802.1x supplicant it
will be placed in VLAN 444. The port should also allow for
a cisco phone on voice vlan 555. If the supplicant passes
authentication it should be placed in VLAN 223.
12
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 6:
Task 6.1
4 Points
Configure R2 so that no more than 50 FTP packets destined

for the router will be allowed in the input queue.
Any incoming SSH connections to R2 should be dropped. You
may not use any ACL to accomplish this.
Telnet connections to R2 should be allowed from any address
except BB2s fa0/0.252 interface. Do not apply an ACL
directly to an interface to accomplish this.
Task 6.2
4 Points
Configure R3 so that telnet traffic from SW1 to R6 is given

priority and guaranteed 25% of interface s0/0/0s
bandwidth. All other telnet traffic should be policed to
8000 bps with a burst of 2000 bps.
ICMP traffic from SW1 to R6 should be guaranteed 25% of
interface s0/0/0s bandwidth.
Task 6.3
4 Points
Configure R3 to identify incoming protocols on any of its

interfaces
R3 should drop any incoming http traffic that contains a
URL of www.virus.com
13
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 7:
Task 7.1
Advanced Security
4 Points
On BB2, deny any incoming packets with the timestamp

option. You may not use the ip option drop command to
accomplish this.
Task 7.2
4 Points
BB1 and BB2 are pre-configured to be BGP peers. Determine

why they are not peering and correct the problem. You are
not allowed to make any changes to either BB1 or BB2 to
accomplish this. This task is complete when the 99.99.99.0
and 22.22.22.0 networks are in the ip routing tables on
both BB routers.
Task 7.3
4 Points
Configure R6 to protect against syn flood attacks from the

24.234.100.0/24 network. When the number of half open
connections exceeds 500 the router should start dropping
them. When the number of half open connections falls below
250 the router should stop dropping them. The half open
connections to be dropped should be chosen randomly.
14
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 8:
Task 8.1
4 Points
Configure R2 to prevent any IP Option based attack. You may

not use an ACL to accomplish this.
R2 should drop and log any non-initial fragments inbound on
its s0/0/0 interface.
Drop and log any incoming spoofed packets on the fa0/0.22
interface of R2. This protection must be dynamic and an ACL
may not be applied directly to an interface.
Task 8.2
4 Points
Do not allow fragmented traffic to traverse ASA1. Use only

a single command to accomplish this.
A recent internet worm uses the strings bad_traffic and
s1ck.ness in the URLs of http traffic. Configure ASA1 to
drop this traffic globally.
Task 8.3
4 Points
On SW3, configure port fa0/12 so that a CAM flood cannot

occur. If more than one mac address is seen on the port it
should be shut down. If a shutdown occurs, the port should
come back up in 30 seconds.
Configure SW3 to protect against DHCP starvation attacks on
VLAN 13. Only port fa0/13 should be allowed to respond to
DHCP requests.
Configure port fa0/15 on SW3 so that only an IP address in
the DHCP binding table will be allowed.
Configure SW3 to that unknown unicast or multicast traffic
will never be flooded out port fa0/16.
15
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Solutions Guide on Next Page
16
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 1:
Task 1.1
ASA Firewalls
4 Points

Name
Inside
Outside
DMZ1
DMZ2
Interface
E0/0.168
E0/0.22
E0/0.77
E0/0.44

Default
192.168.2.100/24
Default
24.234.22.100/24
50
172.16.77.100/24
50
172.16.44.100/24
VLAN
168
22
77
44

are reachable.
Configure OSPF 1 as part of area 0. Inject a default route
to the DMZ2 interface. You may not add any static routes as
part of this task.
Configure the ASA so that the OSPF area 0 networks are seen
in the routing tables of R2, R3 and R6.
accomplish this.
ciscoasa(config)#
hostname ASA1
ASA1(config)#
int e0/0.168
ASA1(config-subif)#
vlan 168
ASA1(config-subif)#
ip address 192.168.2.100 255.255.255.0
ASA1(config-subif)#
nameif Inside
INFO: Security level for "Inside" set to 100 by default.
ASA1(config-subif)#
ASA1(config-subif)#
int e0/0.22
ASA1(config-subif)#
vlan 22
ASA1(config-subif)#
nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA1(config-subif)#
ip address 24.234.22.100 255.255.255.0
ASA1(config-subif)#
ASA1(config-subif)#
int e0/0.77
ASA1(config-subif)#
vlan 77
ASA1(config-subif)#
ip address 172.16.77.100 255.255.255.0
ASA1(config-subif)#
nameif DMZ1
INFO: Security level for "DMZ1" set to 0 by default.
17
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
ASA1(config-subif)#
security-level 50
ASA1(config-subif)#
ASA1(config-subif)#
int e0/0.44
ASA1(config-subif)#
vlan 44
ASA1(config-subif)#
nameif DMZ2
ASA1(config-subif)#
security-level 50
ASA1(config-subif)#
ip address 172.16.44.100 255.255.255.0
ASA1(config-subif)#
ASA1(config-subif)#
int e0/0
ASA1(config-if)#
no shut
ASA1(config-if)#
ASA1(config-if)#
router eigrp 1
ASA1(config-router)#
no auto-summary
network 24.234.22.0 255.255.255.0
router ospf 1
network 172.16.44.0 255.255.255.0 area 0
default-information originate always
router eigrp 1
default-metric 100 100 255 255 1500
redistribute ospf 1
policy-map global_policy
ASA1(config-pmap)#
class inspection_default
ASA1(config-pmap-c)#
inspect icmp
Verification:
R2#sho ip route (Codes cut)
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 4 subnets
172.16.55.0 [170/2172416] via 24.234.100.6, 01:21:29, Serial0/0/0
172.16.44.0
[170/25628160] via 24.234.22.100, 01:09:07, FastEthernet0/0.22
D EX
172.16.99.0
D EX
172.16.88.0 [170/2172416] via 24.234.100.6, 01:21:29, Serial0/0/0
C
24.234.252.0 is directly connected, FastEthernet0/0.252
D
24.234.222.0 [90/2172416] via 24.234.100.6, 01:21:31, Serial0/0/0
D
24.234.121.0 [90/2172416] via 24.234.100.3, 01:21:31, Serial0/0/0
C
24.234.100.0 is directly connected, Serial0/0/0
D
24.234.111.0 [90/2172416] via 24.234.100.6, 01:21:31, Serial0/0/0
C
S
192.168.2.0/24 [1/0] via 24.234.22.100
D EX
D EX
R1#ping 24.234.100.6
.!!!!
18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx

R1#ping 24.234.121.11
!!!!!
R1#ping 172.16.99.99
!!!!!
R1#ping 172.16.77.7
!!!!!
R1#ping 172.16.77.11
19
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 1.2
4 Points

Context
c1
c1
c2
c2
Name
Inside
Outside
Inside
Outside
Interface
E0/0.88
E0/0.111
E0/0.55
E0/0.222
Sec Level
Default
Default
Default
Default
IP Address
172.16.88.200/24
24.234.111.200/24
172.16.55.200/24
24.234.222.200/24
VLAN
88
111
55
222

next hop.
Verify connectivity from the inside networks to R2, R3 and
R6. You are allowed to inspect ICMP to accomplish this.
ciscoasa(config)# hostname ASA2
ASA2(config)#
ASA2(config)#
interface e0/0
ASA2(config-if)#
no shut
ASA2(config-if)#
ASA2(config-if)#
interface Ethernet0/0.55
ASA2(config-subif)#
vlan 55
ASA2(config-subif)#
ASA2(config-subif)#
ASA2(config-subif)#
vlan 88
ASA2(config-subif)#
ASA2(config-subif)#
ASA2(config-subif)#
vlan 111
ASA2(config-subif)#
ASA2(config-subif)#
ASA2(config-subif)#
vlan 222
ASA2(config-subif)#
ASA2(config-subif)#
admin admin
Creating context 'admin'... Done. (1)
ASA2(config)#
context admin
ASA2(config-ctx)#
config-url disk0:admin.cfg
INFO: Converting disk0:admin.cfg to disk0:/admin.cfg
Cryptochecksum (changed): cf287bec dd6e8cf1 b96cbba9 ca2251ec
20
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
INFO: Context admin was created with URL disk0:/admin.cfg

ASA2(config-ctx)#
exit
ASA2(config)#
ASA2(config)#
context c1
ASA2(config-ctx)#
allocate-interface Ethernet0/0.88 Inside
ASA2(config-ctx)#
allocate-interface Ethernet0/0.111 Outside
ASA2(config-ctx)#
ASA2(config-ctx)#
ASA2(config-ctx)#
context c2
ASA2(config-ctx)#
allocate-interface Ethernet0/0.55 Inside
ASA2(config-ctx)#
allocate-interface Ethernet0/0.222 Outside
ASA2(config-ctx)#
ASA2(config-ctx)#
ASA2(config-ctx)#
changeto context c1
ASA2/c1(config)#
ASA2/c1(config)#
interface Inside
ASA2/c1(config-if)#
ip address 172.16.88.200 255.255.255.0
ASA2/c1(config-if)#
nameif Inside
ASA2/c1(config-if)#
ASA2/c1(config-if)#
interface Outside
ASA2/c1(config-if)#
ip address 24.234.111.200 255.255.255.0
ASA2/c1(config-if)#
nameif Outside
ASA2/c1(config-if)#
ASA2/c1(config-if)#
route outside 0 0 24.234.111.6
ASA2/c1(config)#
ASA2/c1(config)#
ASA2/c1(config-pmap)#
ASA2/c1(config-pmap-c)#
inspect icmp
changeto context c2
ASA2/c2(config)#
ASA2/c2(config)#
interface Inside
ASA2/c2(config-if)#
ip address 172.16.55.200 255.255.255.0
ASA2/c2(config-if)#
nameif Inside
ASA2/c2(config-if)#
ASA2/c2(config-if)#
interface Outside
ASA2/c2(config-if)#
ip address 24.234.222.200 255.255.255.0
ASA2/c2(config-if)#
nameif Outside
ASA2/c2(config-if)#
ASA2/c2(config-if)#
route outside 0 0 24.234.222.6
ASA2/c2(config)#
ASA2/c2(config)#
21
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
ASA2/c2(config-pmap)#
inspect icmp
Verification:
R8#ping 24.234.22.2
!!!!!
R8#ping 24.234.100.2
!!!!!
R8#ping 24.234.100.3
!!!!!
R8#ping 24.234.100.6
!!!!!
R5#ping 24.234.100.2
!!!!!
R5#ping 24.234.100.3
!!!!!
R5#ping 24.234.100.6
!!!!!
Task 1.3
4 Points
Context c1 should require a NAT translation to pass

traffic.
22
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
On ASA1, the ACS server should be reachable on the outside

interface at 24.234.22.101. It should be reachable on the
DMZ2 interface at 172.16.44.101.
When R7 telnets to 24.234.22.2 its source IP should appear
as 24.234.22.7 but when it telnets to 24.234.100.3 its
source address should appear as 24.234.22.77. Do not use
the static command to accomplish this.
The 192.168.2.0/24 network should be translated to the
outside interface address of ASA1, unless the traffic is
sourced from R1 and destined for BB2. For this traffic, the
source address should be translated to 24.234.22.99.
ASA2/c1(config)# nat-control
ASA1(config)#
ASA1(config)#
static (inside,outside) 24.234.22.101 192.168.2.101

static (inside,DMZ2) 172.16.44.101 192.168.2.101
ASA1(config)# access-list R7_R2 permit tcp host 172.16.77.7 host 24.234.22.2

eq telnet
ASA1(config)#
nat (DMZ1) 1 access-list R7_R2
ASA1(config)#
global (outside) 1 24.234.22.7
INFO: Global 24.234.22.7 will be Port Address Translated
ASA1(config)#
access-list R7_R3 permit tcp host 172.16.77.7 host
24.234.100.3 eq telnet
ASA1(config)#
nat (DMZ1) 2 access-list R7_R3
ASA1(config)#
ASA1(config)# nat (Inside) 3 192.168.2.0 255.255.255.0
ASA1(config)# global (Outside) 3 interface
INFO: Outside interface address added to PAT pool
ASA1(config)# access-list R1_BB2 permit ip host 192.168.2.1 host
24.234.252.252
ASA1(config)#
static (inside,outside) 24.234.22.99 access-list R1_BB2
23
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Verification:
NAT policies on Interface Inside:
match ip Inside host 192.168.2.101 Outside any
static translation to 24.234.22.101
translate_hits = 0, untranslate_hits = 0
match ip Inside host 192.168.2.101 DMZ2 any
static translation to 172.16.44.101
translate_hits = 0, untranslate_hits = 0
R7#telnet 24.234.22.2
Trying 24.234.22.2 ... Open
User Access Verification

Password:
R2>
ASA1# sho xlate
3 in use, 3 most used
Global 172.16.44.101 Local 192.168.2.101
Global 24.234.22.101 Local 192.168.2.101
PAT Global 24.234.22.7(63721) Local 172.16.77.7(21554)
R7#telnet 24.234.100.3
Trying 24.234.100.3 ... Open

Password:
R3>
ASA1# sho xlate
Global 172.16.44.101 Local 192.168.2.101
Global 24.234.22.101 Local 192.168.2.101
PAT Global 24.234.22.77(62439) Local 172.16.77.7(29964)
R1#telnet 24.234.22.2
Trying 24.234.22.2 ... Open

Password:
R2>
ASA1# sho xlate
Global 172.16.44.101 Local 192.168.2.101
24
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Global 24.234.22.101 Local 192.168.2.101

Global 24.234.22.99 Local 192.168.2.1
PAT Global 24.234.22.77(62439) Local 172.16.77.7(29964)
PAT Global 24.234.22.100(34682) Local 192.168.2.1(24223)
R1#telnet 24.234.252.252
Trying 24.234.252.252 ... Open

Password:
BB2>
ASA1# sho xlate
Global 172.16.44.101 Local 192.168.2.101
Global 24.234.22.101 Local 192.168.2.101
Global 24.234.22.99 Local 192.168.2.1
PAT Global 24.234.22.77(62439) Local 172.16.77.7(29964)
25
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 1.4
4 Points
Configure ASA1 so that all allowed telnet traffic will be

inspected, but limited to no more than 50 half open
connections. You may not use any address translation
commands or ACLs to accomplish this
Inspect DNS traffic from the DMZ2 network and allow it as
long as long as the domain name bad_domain.com is not
included.
ASA1(config)# class-map TELNET
ASA1(config-cmap)#
match port tcp eq telnet
ASA1(config-cmap)#
exit
ASA1(config)#
ASA1(config-pmap)#
class TELNET
set connection embryonic-conn-max 50
regex BAD_DOMAIN "bad\_domain\.com"
ASA1(config)#
class-map type inspect dns match-any BAD_DOMAIN
ASA1(config-cmap)#
match domain-name regex BAD_DOMAIN
ASA1(config-cmap)#
exit
ASA1(config)#
policy-map type inspect dns BAD_DOMAIN
ASA1(config-pmap)#
class BAD_DOMAIN
drop
exit
ASA1(config-pmap)#
class-map DNS
ASA1(config-cmap)#
exit
ASA1(config)#
access-list DMZ2_DNS permit tcp any any eq domain
ASA1(config)#
access-list DMZ2_DNS permit udp any any eq domain
ASA1(config)#
class-map DNS
ASA1(config-cmap)#
match access-list DMZ2_DNS
ASA1(config-cmap)#
exit
ASA1(config)#
policy-map DMZ2
ASA1(config-pmap)#
class DNS
inspect dns BAD_DOMAIN
exit
ASA1(config-pmap)#
exit
ASA1(config)#
service-policy DMZ2 interface DMZ2
Verification:
ASA1# sho service-policy global (inspection_default cut)
Class-map: TELNET
Set connection policy: embryonic-conn-max 50
current embryonic conns 0, drop 0
R2(config)#ip http server
26
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
R4#copy http://24.234.22.2:53/www.bad_domain.com null:

%Error opening http://24.234.22.2:53/www.bad_domain.com (I/O error)
ASA1# sho service-policy interface dmz2
Interface DMZ2:
Service-policy: DMZ2
Class-map: DNS
Inspect: dns BAD_DOMAIN, packet 3, drop 3, reset-drop 0
27
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 1.5
4 Points
Configure ASA1 to detect scanning of hosts. If a scanning

threat is detected, the ASA should shun the scanner for 1
hour. R2 should never be shunned in this way.
ASA1(config)# threat-detection scanning-threat shun duration 1800
ASA1(config)#
threat-detection scanning-threat shun except ip-address
24.234.22.2
Verification:
ASA1# sho threat-detection rate

Average(eps)
events
10-min ACL drop:
0
31
1-hour ACL drop:
0
31
10-min SYN attck:
0
36
1-hour SYN attck:
0
36
10-min Scanning:
0
103
1-hour Scanning:
0
103
10-min Firewall:
0
31
1-hour Firewall:
0
31
10-min Interface:
0
34
1-hour Interface:
0
Current(eps) Trigger
0
Total
28
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 2:
Task 2.1
IOS Firewalls
4 Points

follows:
Policy direction
Inside->Outside
Permit
TCP
UDP
ICMP
Outside->Inside
ICMP
Telnet
Limits
Max TCP embryonic
connections per
host: 100
Max sessions: 200
One minute low: 50
Telnet timeout: 1
min
8000 bps burst 2000

Your output should resemble the following:
!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!
R4(config)#zone security Inside
R4(config-sec-zone)# exit
R4(config)# zone security Outside
R4(config-sec-zone)# exit
R4(config)#
R4(config)#
int fa0/0.44
R4(config-subif)#
zone-member security Inside
R4(config-subif)#
int fa0/0.99
R4(config-subif)#
zone-member security Outside
R4(config-subif)#
R4(config-subif)# parameter-map type inspect INSIDE_OUTSIDE
R4(config-profile)# tcp max-incomplete host 50
29
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
R4(config-profile)# one-minute high 100

%Also resetting low threshold from [unlimited] to [100]
R4(config-profile)# one-minute low 50
R4(config-profile)# sessions maximum 200
R4(config-profile)#
R4(config-profile)# class-map type inspect match-any INSIDE_OUTSIDE
R4(config-cmap)# match protocol tcp
R4(config-cmap)# match protocol udp
R4(config-cmap)# match protocol icmp
R4(config-cmap)# exit
R4(config)# policy-map type inspect INSIDE_OUTSIDE
R4(config-pmap)# class INSIDE_OUTSIDE
R4(config-pmap-c)# inspect INSIDE_OUTSIDE
R4(config-pmap-c)# exit
R4(config-pmap)#$ security INSIDE_OUTSIDE source Inside destination Outside
R4(config-sec-zone-pair)# service-policy type inspect INSIDE_OUTSIDE
R4(config-sec-zone-pair)#
R4(config-sec-zone-pair)# parameter-map type inspect OUTSIDE_INSIDE_TELNET
R4(config-profile)# tcp idle-time 60
R4(config-profile)# exit
R4(config)# class-map type inspect OUTSIDE_INSIDE_TELNET
R4(config-cmap)# match protocol telnet
R4(config)# class-map type inspect OUTSIDE_INSIDE_ICMP
R4(config)# policy-map type inspect OUTSIDE_INSIDE
R4(config-pmap)# class OUTSIDE_INSIDE_TELNET
R4(config-pmap-c)# inspect OUTSIDE_INSIDE_TELNET
R4(config-pmap)# class OUTSIDE_INSIDE_ICMP
R4(config-pmap-c)# inspect
R4(config-pmap-c)#
R4(config-pmap-c)#$ security OUTSIDE_INSIDE source Outside destination Inside
R4(config-sec-zone-pair)# service-policy type inspect OUTSIDE_INSIDE
Verification:
!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!
30
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 3: VPNs
Task 3.1
4 Points

R2 and R3 should sync their time to R8. You are allowed to
configure any ACLs needed on context c1 to accomplish this.
R2 and R3 should be able to connect to R8 using its real
address.
R8#conf t
R8(config)#ntp master
R2#conf t
R3#conf t
ASA2/c1# conf t
ASA2/c1(config)# access-list R8_R2_R3 permit ip host 172.16.88.8 host
24.234.100.2
ASA2/c1(config)# access-list R8_R2_R3 permit ip host 172.16.88.8 host
24.234.100.3
ASA2/c1(config)# nat (inside) 0 access-list R8_R2_R3
ASA2/c1(config)#
172.16.88.8 eq ntp
ASA2/c1(config)#
172.16.88.8 eq ntp
31
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Verification:
R2#sho ntp status
Clock is synchronized, stratum 9, reference is 172.16.88.8
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CDA48EE7.182D1CE5 (12:56:07.094 PST Thu Apr 30 2009)
clock offset is 3.4612 msec, root delay is 46.69 msec
root dispersion is 6.47 msec, peer dispersion is 2.99 msec
R3#sho ntp status
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is CDA48EFD.389483F0 (12:56:29.221 PST Thu Apr 30 2009)
clock offset is 3.8323 msec, root delay is 46.89 msec
root dispersion is 7.13 msec, peer dispersion is 3.27 msec
32
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 3.2
4 Points
Configure R8 as a CA server called CA1. The server should

allow auto enrollment via http. Certificate lifetime should
be 30 days. The issuer name should be R8.ccbootcamp.com
with a location of LV and country of US.
R2 and R3 should enroll with R8 via http://172.16.88.8:80.
R8(config)#ip domain-name ccbootcamp.com
R8(config)#crypto key generate rsa mod 1024 exportable
The name for the keys will be: R8.ccbootcamp.com
R8(config)#
Apr 30 21:00:33.619: %SSH-5-ENABLED: SSH 1.99 has been enabled
R8(config)#crypto pki server CA1
R8(cs-server)#grant auto
R8(cs-server)#lifetime certificate 30
R8(cs-server)#issuer-name CN=R8.ccbootcamp.com L=LV C=US
Password:
Re-enter password:
% Exporting Certificate Server signing certificate and keys...
R8(cs-server)#exit
R8(config)#
Apr 30 21:05:17.283: %PKI-6-CS_ENABLED: Certificate server now enabled.
ASA2/c1(config)# access-list outside permit tcp host 24.234.100.2 host
172.16.88.8 eq www
172.16.88.8 eq www
R2(config)#crypto pki trustpoint CA1
R2(ca-trustpoint)#enrollment url http://172.16.88.8:80
R2(config)#crypto pki authenticate CA1
Fingerprint MD5: B9E03DB9 AF64E9D1 95DF3626 4E3C4AF9
33
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Fingerprint SHA1: E10732F4 F28DC5A1 AD28EBA5 335C02E7 75B957A3

% Do you accept this certificate? [yes/no]: y
R2(config)#crypto pki enroll CA1
%
Password:
Apr 30 21:06:45.188: RSA key size needs to be atleast 768 bits for ssh
version 2
Apr 30 21:06:45.192: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
% The subject name in the certificate will include: R2.ccbootcamp.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: y
% The 'show crypto ca certificate CA1 verbose' commandwill show the
fingerprint.
R2(config)#
CA60E458 028D34FD 9BD8EB84 30DFBE83
E0AF5772 DE531937 7DB7D363 6232BF60 C5BBFA6B
Authority
%
Password:
34
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Apr 30 21:08:00.075: RSA key size needs to be atleast 768 bits for ssh
version 2
Apr 30 21:08:00.079: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
fingerprint.
R3(config)#
277B8E80 35285201 492FB093 2628CCCB
E6D3C0B8 84227AB1 DC377070 185404C8 9902C77C
Authority
R8(config)#crypto pki trustpoint CA_SELF
R8(config)#crypto pki authenticate CA_SELF
R8(config)#crypto pki enroll CA_SELF
%
Password:
Re-enter password:
% The 'show crypto ca certificate CA_SELF verbose' commandwill show the
fingerprint.
R8(config)#
20D43D3E B7C72560 AAE2FE9D C7F33E9D
35
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx

F3698CB5 2AC0C8D4 758A164C C658AD03 A90B0FBC
Authority
36
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 3.3
4 Points

o Key server: R8
o Crypto policy on server: ICMP between BB2 and SW1
o IKE Phase 1: DH2, RSA-SIG, AES, SHA
R8(config-isakmp)#
encr aes
R8(config-isakmp)#
hash sha
R8(config-isakmp)#
authentication rsa-sig
R8(config-isakmp)#
group 2
R8(config-isakmp)#
exit
R8(config)#
crypto ipsec transform-set GET esp-3des esp-sha-hmac
R8(cfg-crypto-trans)#
exit
R8(config)#
crypto ipsec profile GET
R8(ipsec-profile)#
set transform-set GET
R8(ipsec-profile)#
exit
R8(config)# access-list 101 permit icmp host 24.234.252.252 host
24.234.121.11
R8(config)#access-list 101 permit icmp host 24.234.121.11 host 24.234.252.252
R8(config)#
crypto gdoi group GET
R8(config-gdoi-group)#
identity number 1
server local
R8(gdoi-local-server)#
address ipv4 172.16.88.8
rekey transport unicast
rekey authentication mypubkey rsa R8.ccbootcamp.com
rekey lifetime seconds 1800
sa ipsec 1
R8(gdoi-sa-ipsec)#
profile GET
R8(gdoi-sa-ipsec)#
match address ipv4 101
R8(gdoi-sa-ipsec)#
exit
Apr 30 21:10:36.399: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
Apr 30 21:10:36.459: %GDOI-5-KS_REKEY_TRANS_2_UNI: Group GET transitioned to
Unicast Rekey.
37
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx

172.16.88.8 eq 848
172.16.88.8 eq 848
R2(config-isakmp)#
encryption aes
R2(config-isakmp)#
hash sha
R2(config-isakmp)#
R2(config-isakmp)#
group 2
R2(config-isakmp)#
exit
R2(config)#
identity number 1
server address ipv4 172.16.88.8
exit
R2(config)#
crypto map map-group1 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
group has been configured.
R2(config-crypto-map)#
set group GET
interface s0/0/0
R2(config-if)#
crypto map map-group1
R2(config-if)#
Apr 30 21:12:47.480: %CRYPTO-5-GM_REGSTER: Start registration to KS
172.16.88.8 for group GET using address 24.234.100.2
Apr 30 21:12:52.708: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GET transitioned to
Unicast Rekey.
Apr 30 21:12:52.844: %GDOI-5-GM_REGS_COMPL: Registration to KS 172.16.88.8
complete for group GET using address 24.234.100.2
R3(config-isakmp)#
encryption aes
R3(config-isakmp)#
hash sha
R3(config-isakmp)#
R3(config-isakmp)#
group 2
R3(config-isakmp)#
exit
R3(config)#
identity number 1
server address ipv4 172.16.88.8
exit
R3(config)#
crypto map map-group1 10 gdoi
set group GET
interface s0/0/0
R3(config-if)#
crypto map map-group1
R3(config-if)#
Apr 30 21:13:57.320: %CRYPTO-5-GM_REGSTER: Start registration to KS
Apr 30 21:14:01.040: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GET transitioned to
Unicast Rekey.
Apr 30 21:14:01.176: %GDOI-5-GM_REGS_COMPL: Registration to KS 172.16.88.8
38
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Verification:
R8#sho crypto gdoi
GROUP INFORMATION
Group Name
:
Group Identity
:
Group Members
:
IPSec SA Direction
:
Active Group Server
:
Group Rekey Lifetime
:
Group Rekey
Remaining Lifetime
:
Rekey Retransmit Period :
Rekey Retransmit Attempts:
Group Retransmit
Remaining Lifetime
:
IPSec SA Number
:
IPSec SA Rekey Lifetime:
Profile Name
:
Replay method
:
Replay Window Size
:
SA Rekey
Remaining Lifetime :
ACL Configured
:
Group Server list
GET (Unicast)
1
2
Both
Local
1800 secs
1693 secs
10 secs
2
0 secs
1
3600 secs
GET
Count Based
64
3494 secs
access-list 101
: Local
BB2#ping 24.234.121.11
!!!!!
R2#sho crypto ipsec sa (output cut to pertinent SA)

interface: Serial0/0/0
Crypto map tag: map-group1, local addr 24.234.100.2
current_peer port 848
39
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 4:
IPS
Task 4.1 4 Points

IP Address
Gateway
Managed by
172.16.77.50
172.16.77.100
172.16.77.101
Mgmt. SSL
port
10443
Verify that you can connect to and manage the IPS from the ACS server. You
are allowed to make necessary changes to ASA1 and add a route to the ACS
server to accomplish this.
IPS# setup
--- System Configuration Dialog --At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
(output cut)
Continue with configuration dialog?[yes]:
Enter host name[IPS]:
Enter IP interface[192.168.2.100/24,192.168.2.101]:
172.16.77.50/24,172.16.77.100
No entries
Permit: 172.16.77.101/32
Permit:
The following configuration was entered.
(output cut)
Enter your selection[2]: 2
*15:35:21 UTC Thu Apr 30 2009
IPS#
40
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
ASA1(config)# static (inside,DMZ1) 172.16.77.101 192.168.2.101
Verification:
41
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 4.2
4 Points
Create virtual sensor vs1.

Configure vs1 to use Fa1/0 as a promiscuous interface for
VLAN77. You can make any necessary changes to SW1 and SW3
to accomplish this. Vs1 should use sig1, rules1 and ad1.
Configure virtual sensor vs0 to use g0/0 with an inline
VLAN pair. It should protect traffic between R5 and context
c2. Make necessary changes to sw1 and R5 to accomplish
this.
Verify that R5 has connectivity to the rest of the network.
SW1(config)# vlan 999

SW1(config-vlan)# remote-span
SW1(config-vlan)# exit
SW1(config)# monitor session 1 source vlan 77
SW1(config)# monitor session 1 destination remote vlan 999
SW3(config)#
SW3(config)#
monitor session 1 source remote vlan 999

monitor session 1 destination interface Fa0/4
42
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
SW1(config)# vlan 255

SW1(config-vlan)# exit
SW1(config)#int fa0/14
SW1(config-if)#sw trunk encapsulation dot1q
SW1(config-if)#sw mode trunk
R5(config)#int fa0/0.55
R5(config-subif)# encapsulation dot1Q 255
43
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
44
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Verification:
R5#ping 24.234.22.2
!!!!!
Task 4.3
4 Points
Modify an existing signature within sig0 that will send a

medium severity alert if R5 attempts to send ICMP echoes
that are 10000 bytes or larger.
Create a custom signature within sig1 that will send a high
severity alert if web traffic on VLAN 77 contains the
string virus.exe, case insensitive.
45
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
46
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Verification:
R5#ping 24.234.222.6 size 10000
!!!!!
47
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx

SW2#copy http://172.16.77.7/VirUs.eXe null:
%Error opening http://172.16.77.7/VirUs.eXe (No such file or directory)
48
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 4.4
4 Points
If R5 attempts to send ICMP echoes to R6 that are 10000

bytes or greater, the packets should be denied inline. You
are not allowed to create or modify any signatures to
accomplish this.
If R7 triggers the virus.exe signature and alert should
not be generated. You may not edit the signature to
accomplish this.
49
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
50
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Verification:
R5#ping 24.234.222.6 size 10000
.....
SW2(config)#ip http server

R7#copy http://172.16.77.11/virus.exe null:
%Error opening http://172.16.77.11/virus.exe (No such file or directory)
Only the previous virus.exe alert is shown. No sig fired for the R7 traffic.
51
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 5:
Task 5.1
Identity Management
4 Points
R2 should deny any

interface destined
via http. Create a
authenticate with.
changes to ASA1 to
icmp traffic incoming on the fa0/0.22

for BB2 unless it is first authenticated
user named authp on the ACS server to
You are allowed to make necessary
accomplish this.
R2(config)# aaa new-model

R2(config)# aaa authentication login default group tacacs+
R2(config)# aaa authorization auth-proxy default group tacacs+
R2(config)# tacacs-server host 24.234.22.101 key cisco
R2(config)# access-list 101 permit tcp any host 24.234.252.252 eq www
R2(config)# ip auth-proxy name AUTHP http list 101
R2(config)# ip http server
R2(config)# ip http authentication aaa
R2(config)# access-list 105 deny icmp any host 24.234.252.252
R2(config)# access-list 105 permit ip any any
R2(config)# int fa0/0.22
R2(config-subif)# ip access-group 105 in
R2(config-subif)# ip auth-proxy AUTHP
ASA1(config)# access-list outside permit tcp host 24.234.22.2 host
24.234.22.101 eq tacacs
ASA1(config)# access-group outside in interface outside
52
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
53
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
54
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
55
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Verification:
R2#sho ip auth-proxy cache

Authentication Proxy Cache
Client Name authp, Client IP 24.234.22.101, Port 4938, timeout 60, Time
Remaining 60, state ESTAB
56
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 5.2
4 Points
Configure context c1 to require authentication via virtual

telnet at 24.234.111.250 before allowing icmp traffic from
R6 to R8. Create a user called r8user on the ACS server for
this authentication.
ASA2/c1(config)# static (inside,outside) 24.234.111.8 172.16.88.8
ASA2/c1(config)# access-list outside extended permit icmp host 24.234.111.6
host 24.234.111.8
24.234.111.250 eq telnet
ASA2/c1(config)# virtual telnet 24.234.111.250
ASA2/c1(config)# aaa-server ACS protocol tacacs+
ASA2/c1(config-aaa-server-group)#
exit
ASA2/c1(config)# aaa-server ACS (outside) host 24.234.22.101 cisco
ASA2/c1(config-aaa-server-host)#
exit
ASA2/c1(config)# access-list VIR_TEL permit icmp host 24.234.111.6 host
24.234.111.8
ASA2/c1(config)# access-list VIR_TEL permit tcp host 24.234.111.6 host
24.234.111.250 eq telnet
ASA2/c1(config)# aaa authentication match VIR_TEL outside ACS
24.234.22.101 eq tacacs
57
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
58
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Verification:
R6#ping 24.234.111.8
.....
R6#telnet 24.234.111.250
Trying 24.234.111.250 ... Open
Username: r8user
Password:

R6#ping 24.234.111.8
!!!!!
59
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 5.3
4 Points
Configure SW4 for dot1x authentication. Port fa0/16 should

be configured so that if there is no 802.1x supplicant it
will be placed in VLAN 444. The port should also allow for
a cisco phone on voice vlan 555. If the supplicant passes
authentication it should be placed in VLAN 223.
SW1(config)# vlan
SW1(config-vlan)#
SW1(config)# vlan
SW1(config-vlan)#
SW1(config)# vlan
223
exit
555
exit
444
SW4(config)# dot1x system-auth-control

SW4(config-if)# switchport mode access
SW4(config-if)# switchport access vlan 223
SW4(config-if)# switchport voice vlan 555
SW4(config-if)# dot1x pae authenticator
SW4(config-if)# dot1x port-control auto
SW4(config-if)# dot1x guest-vlan 444
60
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Verification:
SW4#sho dot1x interface fastEthernet 0/16
----------------------------------PAE
= AUTHENTICATOR
PortControl
= AUTO
ControlDirection
= Both
HostMode
= SINGLE_HOST
QuietPeriod
= 60
ServerTimeout
= 0
SuppTimeout
= 30
ReAuthMax
= 2
MaxReq
= 2
TxPeriod
= 30
61
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 6:
Task 6.1
4 Points
Configure R2 so that no more than 50 FTP packets destined

for the router will be allowed in the input queue.
Any incoming SSH connections to R2 should be dropped. You
may not use any ACL to accomplish this.
Telnet connections to R2 should be allowed from any address
except BB2s fa0/0.252 interface. Do not apply an ACL
directly to an interface to accomplish this.
R2(config)# class-map type queue-threshold match-all FTP
R2(config-cmap)# match protocol ftp
R2(config)# policy-map type queue-threshold FTP
R2(config-pmap)# class FTP
R2(config-pmap-c)# queue-limit 50
R2(config-pmap)# exit
R2(config)# control-plane host
R2(config-cp-host)# service-policy type queue-threshold input FTP
R2(config-cp-host)# class-map type port-filter match-all SSH
R2(config-cmap)# match port tcp 22
R2(config)# policy-map type port-filter SSH
R2(config-pmap)# class SSH
R2(config-pmap-c)# drop
R2(config-cp-host)# service-policy type port-filter input SSH
R2(config-cp-host)# access-list 110 permit tcp host 24.234.252.252 any eq
telnet
R2(config)# class-map TELNET
R2(config-cmap)# match access-group 110
R2(config)# policy-map TELNET
R2(config-pmap)# class TELNET
R2(config-cp-host)# service-policy input TELNET
62
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Verification:
R2#sho policy-map type queue-threshold control-plane host
queue-limit 50
queue-count 0
packets allowed/dropped 0/0
Control Plane Host
Service-policy queue-threshold input: FTP
Class-map: FTP (match-all)
0 packets, 0 bytes
Match: protocol ftp
R3#ssh -l authp 24.234.100.2

R2#sho policy-map type port-filter control-plane host
Control Plane Host
Service-policy port-filter input: SSH
Class-map: SSH (match-all)
Match: port tcp 22
Drop
R3#telnet 24.234.100.2
Trying 24.234.100.2 ... Open
Username: authp
Password:
R2>
BB2#telnet 24.234.252.2
Trying 24.234.252.2 ...
R2#sho policy-map control-plane host

Control Plane Host
Service-policy input: TELNET
Class-map: TELNET (match-all)
drop
63
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 6.2
4 Points
Configure R3 so that telnet traffic from SW1 to R6 is given

priority and guaranteed 25% of interface s0/0/0s
bandwidth. All other telnet traffic should be policed to
8000 bps with a burst of 2000 bps.
ICMP traffic from SW1 to R6 should be guaranteed 25% of
interface s0/0/0s bandwidth.
R3(config)# access-list 101 permit tcp host 24.234.121.11 host 24.234.100.6
eq telnet
R3(config)# access-list 102 deny tcp host 24.234.121.11 host 24.234.100.6 eq
telnet
R3(config)# access-list 102 permit tcp any any eq telnet
R3(config)#
R3(config)# class-map match-all DEFAULT_TELNET
R3(config-cmap)# class-map match-all SW1_TELNET
R3(config-cmap)#
R3(config-cmap)# policy-map R3
R3(config-pmap)# class DEFAULT_TELNET
R3(config-pmap-c)# police 8000 2000
R3(config-pmap-c-police)# class SW1_TELNET
R3(config-pmap-c)# priority percent 25
R3(config)# int s0/0/0
R3(config-if)# service-policy out R3
R3(config-if)#
R3(config-if)#$st 103 permit icmp host 24.234.121.11 host 24.234.100.6
R3(config)# class-map ICMP_SW1
R3(config)# policy-map R3
R3(config-pmap)# class ICMP_SW1
R3(config-pmap-c)# bandwidth percent 25
64
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Verification:
SW1#telnet 24.234.100.6
Trying 24.234.100.6 ... Open

Password:
R6>
R6>exit
SW1#ping 24.234.100.6
!!!!!
R3#sho policy-map interface s0/0/0

Serial0/0/0
Service-policy output: R3
Class-map: DEFAULT_TELNET (match-all)
0 packets, 0 bytes
police:
transmit
drop
Class-map: SW1_TELNET (match-all)
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 25 (%)
Bandwidth 386 (kbps) Burst 9650 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0
Class-map: ICMP_SW1 (match-all)
65
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Queueing
Bandwidth 25 (%)
Bandwidth 386 (kbps)Max Threshold 64 (packets)
(depth/total drops/no-buffer drops) 0/0/0
Match: any
66
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 6.3
4 Points
Configure R3 to identify incoming protocols on any of its

interfaces
R3 should drop any incoming http traffic that contains a
URL of www.virus.com
R3(config-subif)# ip nbar protocol-discovery
R3(config-subif)# int s0/0/0
R3(config-if)# ip nbar protocol-discovery
R3(config)#class-map match-any HTTP
R3(config-cmap)#class-map match-any HTTP
R3(config-cmap)# match protocol http url "www.virus.com"
R3(config)# policy-map HTTP
R3(config-pmap)# class HTTP
R3(config-pmap)# interface fa0/0.121
R3(config-subif)# service-policy in HTTP
R3(config-subif)# interface s0/0/0
R3(config-if)# service-policy in HTTP
Verification:
R2#copy http://24.234.100.3/www.virus.com null:
%Error opening http://24.234.100.3/www.virus.com (I/O error)
R3#sho policy-map int
Serial0/0/0
Service-policy input: HTTP
Class-map: HTTP (match-any)
Match: protocol http url "www.virus.com"
5 minute rate 0 bps
drop
67
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 7:
Task 7.1
Advanced Security
4 Points
On BB2, deny any incoming packets with the timestamp

option. You may not use the ip option drop command to
accomplish this.
BB2(config)#ip access-list extended TIMESTAMP
BB2(config-ext-nacl)#deny ip any any option timestamp
BB2(config-ext-nacl)#permit ip any any
BB2(config-ext-nacl)#exit
BB2(config)#int fa0/0.252
BB2(config-subif)#ip access-group TIMESTAMP in
Verification:
R2#ping
Protocol [ip]:
Repeat count [5]:
Extended commands [n]: y
Source address or interface: 24.234.252.2
(unnecessary commands cut)
Loose, Strict, Record, Timestamp, Verbose[none]: timestamp
Number of timestamps [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[TV]:
Packet has IP options: Total option bytes= 40, padded length=40
Timestamp: Type 0. Overflows: 0 length 40, ptr 5
Request 4 timed out
68
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 7.2
4 Points
BB1 and BB2 are pre-configured to be BGP peers. Determine

why they are not peering and correct the problem. You are
not allowed to make any changes to either BB1 or BB2 to
accomplish this. This task is complete when the 99.99.99.0
and 22.22.22.0 networks are in the ip routing tables on
both BB routers.
172.16.99.99 eq bgp
ASA1(config)#
tcp-map BGP
ASA1(config-tcp-map)#
tcp-options range 19 19 allow
ASA1(config-tcp-map)#
exit
ASA1(config)#
access-list BGP permit tcp host 24.234.252.252 host
172.16.99.99 eq bgp
ASA1(config)#
access-list BGP permit tcp host 172.16.99.99 host
24.234.252.252 eq bgp
ASA1(config)#
class-map BGP
ASA1(config-cmap)#
match access-list BGP
ASA1(config-cmap)#
exit
ASA1(config)#
ASA1(config-pmap)#
class BGP
set connection random-sequence-number disable
set connection advanced-options BGP
Verification:
BB2#sho ip route (codes cut)
Gateway of last resort is 24.234.252.2 to network 0.0.0.0
B
S
C
C
S*

99.99.99.0 [20/0] via 172.16.99.99, 00:00:27
172.16.99.99 [1/0] via 24.234.252.2
22.22.22.0 is directly connected, Loopback0
0.0.0.0/0 [1/0] via 24.234.252.2
BB1#sho ip route (codes cut)
C
O
C

172.16.44.0 [110/2] via 172.16.99.4, 05:38:10, FastEthernet0/0.99
69
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx

22.22.22.0 [20/0] via 24.234.252.252, 00:01:14
S
24.234.252.252 [1/0] via 172.16.99.4
O*E2 0.0.0.0/0 [110/1] via 172.16.99.4, 05:27:53, FastEthernet0/0.99
B
70
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 7.3
4 Points
Configure R6 to protect against syn flood attacks from the

24.234.100.0/24 network. When the number of half open
connections exceeds 500 the router should start dropping
them. When the number of half open connections falls below
250 the router should stop dropping them. The half open
connections to be dropped should be chosen randomly.
R6(config)#
ip tcp intercept list 101
command accepted, interfaces with mls configured might cause inconsistent
behavior
R6(config)#
ip tcp intercept max-incomplete high 500
behavior
R6(config)#
ip tcp intercept max-incomplete low 250
behavior
R6(config)#
ip tcp intercept drop-mode random
behavior
71
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Section 8:
Task 8.1
4 Points
Configure R2 to prevent any IP Option based attack. You may

R2 should drop and log any non-initial fragments inbound on
its s0/0/0 interface.
Drop and log any incoming spoofed packets on the fa0/0.22
interface of R2. This protection must be dynamic and an ACL
may not be applied directly to an interface.
R2(config)#ip option drop

% Warning: RSVP and other protocols that use IP Options packets
may not function as expected.
R2(config)#
R2(config)#
access-list 102 deny ip any any fragments log
R2(config)#
access-list 102 permit ip any any
R2(config)#
int s0/0/0
R2(config-if)#
ip access-group 102 in
R2(config-if)#
R2(config-if)#
access-list 103 deny ip any any log-input
R2(config)#
int fa0/0.22
R2(config-subif)#
ip verify unicast source reachable-via rx 103
Verification:
R3#ping
Protocol [ip]: 24.234.22.100
% Unknown protocol - "24.234.22.100", type "ping ?" for help
R3#ping
Protocol [ip]:
Repeat count [5]:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: timestamp
72
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx

(Output cut)
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out
R3#ping 24.234.22.100
!!!!!
R3#ping 24.234.22.100 size 2000
.....
.....
May 1 00:33:15.576: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 24.234.100.3
-> 24.234.22.100 (0/0), 1 packet
May 1 00:35:11.837: %SEC-6-IPACCESSLOGDP: list 103 denied icmp 1.1.1.1
(FastEthernet0/0.22 0019.e8d9.6272) -> 24.234.100.6 (0/0), 1 packet
73
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 8.2
4 Points
Do not allow fragmented traffic to traverse ASA1. Use only

a single command to accomplish this.
A recent internet worm uses the strings bad_traffic and
s1ck.ness in the URLs of http traffic. Configure ASA1 to
drop this traffic globally.
ASA1(config)# fragment chain 1
ASA1(config)# regex sickness "s1ck\.ness"
ASA1(config)# regex bad "bad\_traffic"
ASA1(config)# class-map type regex match-any BAD_HTTP
ASA1(config-cmap)# match regex sickness
ASA1(config-cmap)# match regex bad
ASA1(config-cmap)# exit
ASA1(config)# class-map type inspect http BAD
ASA1(config-cmap)# match request uri regex class BAD_HTTP
ASA1(config)# policy-map type inspect http BAD
ASA1(config-pmap)# class BAD
ASA1(config-pmap-c)# drop
ERROR: % Incomplete command
ASA1(config-pmap-c)# exit
ASA1(config-pmap)# exit
ASA1(config)# policy-map global_policy
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# inspect http BAD
Verification:
R1#ping 24.234.22.2 size 3000
.....
R1#copy http://24.234.22.2/www.bad_traffic.com null:
%Error opening http://24.234.22.2/www.bad_traffic.com (I/O error)
%ASA-6-302013: Built outbound TCP connection 9 for Outside:24.234.22.2/80
(24.234.22.2/80) to Inside:192.168.2.1/65134 (24.234.22.100/1024)
%ASA-5-304001: 192.168.2.1 Accessed URL 24.234.22.2:/www.bad_traffic.com
%ASA-6-302014: Teardown TCP connection 9 for Outside:24.234.22.2/80 to
Inside:192.168.2.1/65134 duration 0:00:00 bytes 0 Flow closed by inspection
%ASA-6-106015: Deny TCP (no connection) from 192.168.2.1/65134 to
24.234.22.2/80 flags ACK on interface Inside
74
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Task 8.3
4 Points
On SW3, configure port fa0/12 so that a CAM flood cannot

occur. If more than one mac address is seen on the port it
should be shut down. If a shutdown occurs, the port should
come back up in 30 seconds.
Configure SW3 to protect against DHCP starvation attacks on
VLAN 13. Only port fa0/13 should be allowed to respond to
DHCP requests.
Configure port fa0/15 on SW3 so that only an IP address in
the DHCP binding table will be allowed.
Configure SW3 to that unknown unicast or multicast traffic
will never be flooded out port fa0/16.
SW3(config-if)# sw mode access
SW3(config-if)# sw port-security
SW3(config-if)# exit
SW3(config)# errdisable recovery cause psecure-violation
SW3(config)# errdisable recovery interval 30
SW3(config)#ip dhcp snooping
SW3(config)# ip dhcp snooping vlan 13
SW3(config-if)# ip dhcp snooping trust
SW3(config-if)# ip verify source
SW3(config-if)# sw block unicast
SW3(config-if)# sw block multicast
Verification:
SW3#sho port-security interface fa0/12
Port Security
: Enabled
Port Status
: Secure-down
Violation Mode
: Shutdown
Aging Time
: 0 mins
Aging Type
: Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses
: 1
Total MAC Addresses
: 0
Configured MAC Addresses
: 0
75
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.02.09.05.sm.r04.09.05.docx
Sticky MAC Addresses

Last Source Address:Vlan
Security Violation Count
: 0
: 0000.0000.0000:0
: 0
SW3#sho ip dhcp snooping

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
13
DHCP snooping is operational on following VLANs:
13
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 001b.2b78.9d80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface
----------------------FastEthernet0/13
Custom circuit-ids:
Trusted
------yes
Allow option
-----------yes
Rate limit (pps)

---------------unlimited
SW3#sho interfaces fa0/16 switchport | inc Unknown

Unknown unicast blocked: enabled
Unknown multicast blocked: enabled
76
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
LAB 3
Instructions
ASDM is NOT available for the ASA devices in the actual lab
exam.
cannot be changed.
often!
task.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Sections:
1.ASA Firewalls
2.IOS Firewalls
3.VPNs
4.IPS
7.Advanced Security
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
SW1
Fa0/1
Fa0/0
R1
Fa0/1
Fa0/1
SW2
SW1
Fa0/2
Fa0/0
R2
Fa0/1
Fa0/2
SW2
SW1
Fa0/3
Fa0/0
R3
Fa0/1
Fa0/3
SW2
SW1
Fa0/4
Fa0/0
R4
Fa0/1
Fa0/4
SW2
SW1
Fa0/5
Fa0/0
R5
Fa0/1
Fa0/5
SW2
SW1
Fa0/6
Fa0/0
R6
Fa0/1
Fa0/6
SW2
SW1
Fa0/9
Fa0/0
BB1
Fa0/1
Fa0/9
SW2
SW1
Fa0/10
Fa0/0
BB2
Fa0/1
Fa0/10
SW2
SW1
Fa0/12
E0/0
E0/2
Fa0/12
SW2
Fa0/14
SW2
E0/3
Fa0/17
SW2
E0/2
Fa0/18
SW2
E0/3
Fa0/23
SW2
ASA01
Gi0/0: sense
SW1
Fa0/14
SW1
Fa0/17
E0/1
SW1
Fa0/18
E0/0
IDS
IDS
Gi0/1: c&c
ASA01
ASA02
SW1
E0/1
Fa0/23
ASA02
SW1
SW2
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Sensor Int.
G0/0
Fa1/0
Fa1/1
Fa1/2
Fa1/3
Connected to:
SW1 Fa0/14
SW3 Fa0/4
SW3 Fa0/3
SW3 Fa0/2
SW3 Fa0/1
Fas0/0
2811
Fas0/1
R7
SW3
SW4
Fas0/17
SW3
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Fas0/17
SW4
ACS PC SW1 Fa0/24
192.168.2.101
Fas0/0
2811
Fas0/1
R8
SW3

192.168.2.102
Fas0/18
SW4
Fas0/18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

Task 1.1
4 Points
Configure the ASA as shown in the diagram using the

defaults and the information in the table below.
Configure/allow routing protocols on both ASA firewall.
Device
Name
c1
Real
Int.
E0/1
Mapped
Int.
E0/0
c1
ASA2
ASA2
E0/1
E0/1
E0/1
E0/0
E0/0.4
E0/0.4
Real
IP:TCP PORT #
50.50.4.15:432
1
50.50.4.0/24
192.168.2.101
6.6.6.6
Mapped
IP:TCP PORT#
50.50.4.25:1234
50.50.4.75
50.50.4.101
50.50.4.6
Permit BPDUs on both interfaces of c1.

Use the default gateway of 50.50.4.60 for c1.
Task 1.2
4 Points
Allow SSH management on the inside interface of ASA2 from

the ACS PC. Use the username of user-task-1.2 with
password of cisco. Use the local database to
authenticate this user.
Allow R6 to ping all other routers loopback 0 interface,
and BB1 and BB2 ethernet interfaces.
a packet if the firewall is not going to allow a packet
through the firewall on the outside interface.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 1.3
4 Points
Configure both c1 and ASA2 to send syslog warnings to the

ACS PC.
Summarize the following syslog message on c1, so that it
gives summary every 10 minutes at level 4
Deny udp src outside:50.50.4.1/1985 dst
inside:224.0.0.2/1985 by access-group "outside"
Permit ICMP echo requests, TFTP, FTP, HTTP, and telnet
inbound on the outside interface of ASA2 to the ACS PC and
R6.
Use a single access-list entry for this task.
Reset and log any FTP traffic with GET commands going
through ASA2. Use a L7 class-map type inspect as part of
your solution.
On ASA2, allow the 50.50.6.0/24 network to have access to
R6 loopback 0 using HTTP.
Verify that any retransmissions are consistent with the originals.
Task 1.4
4 Points
Configure failover on ASA2, in preparation or a second

firewall that will be added later.
Use the system
addresses +3 for the failover addresses.
Use E0/3,
50.50.50.1 and VLAN 50 for failover. Configure stateful
failover for http.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 2:
Task 2.1
IOS Firewalls
4 Points
Configure R3 as a Zone Based Firewall with the following:

o inside zone with S0/0/0 and Fa0/0
o outside zone with Fa0/1
o inspect all ip traffic outbound
o inspect icmp and telnet inbound
o max embryonic-connections inbound high 50 low 5
o max embryonic-connections outbound high 40 low 4
o Police inbound ICMP to 8000bps, burst of 1000bytes
o Send detailed session information to the ACS PC.
Task 2.2
4 Points
Configure auth-proxy including the following:

o Explicitly require HTTP authentication using ACS TACACS
at R6 for all HTTP port 80 sessions to BB2 at 50.50.9.11
o Create an access-list to deny icmp from any to 50.50.9.11
inbound on R6 Fa0/0.
o Create a user named user-2.2 with password of cisco
on the ACS server. After successful http authentication
on R6, allow ICMP echo from this user to 50.50.9.11
o Configure the ACS to maintain a history of successful and
failed login requests.
o Your solution should dynamically enter an ACE in the
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 2.3
4 Points
On R2, implement a spoofing mitigation solution that will

dynamically update, as new inside networks are added.
Log denied packets, including information regarding the
interface that denied the packet.
Do not place an access-list on any interface on R2 as part
of this task.
Test by creating loopback 66 on BB2, using 6.6.6.6/24 and
ping 2.2.2.2 using a source of loopback 66 from BB2.
On BB2, deny HTTP management connections except for hosts
Task 2.4
4 Points
On R2, deny inbound TCP traffic sourced from 50.50.12.7 on

source TCP port 80.
Allow clients who connect to 50.50.12.7 using HTTP to
establish a session.
Use CBAC for this task.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 3:
Task 3.1
VPNs
4 Points

loopback 0 interface.
Allow certificates to be automatically issued to devices
with at least a 1024 key size.
Configure a CN of R6-CA_Server.ccbootcamp.com with a
location of NV.
Use authentication for NTP.
Configure all routers that will use digital certificates to
use R6 as an NTP and CA server.
Task 3.2
4 Points
Configure GET VPN using the following information:

o R6 primary key server
o R8 secondary key server
o R5 member
o R7 member
o IKE phase 1: DH2, RSA-Sig, AES, SHA, Lifetime 400 sec
o IKE phase 2: AES SHA, Lifetime 1800 sec
o Protected traffic: ICMP between 7.7.7.7 and 5.5.5.5
Task 3.3
4 Points
Configure EASY VPN using the following:

o Server R6, using loop 0
o Client R7
o Client inside interface new loop 5, 100.5.0.7/24
o Client outside interface Fa 0/1
9
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
o Split tunnel to 192.168.0.0/16

o IKE 1: AES, SHA, PSK, DH2
o IKE 2: AES, SHA
o Client Mode
o Pool: 192.168.0.75-80
o Group name:
vpn_group password cisco
o Username: vpn_user password cisco

o RADIUS authentication
o Virtual templates used
You may add a single static route on R7, but it may not use
R2 as a next hop.
Task 3.4
4 Points
Create a High Availabilty IPSec tunnel using the following:

o R6 using Loop 0
o R4/R1 as HSRP VPN gateway
o IKE phase 1: AES, SHA, RSA-Sig
o IKE phase 2: AES, SHA
o New Loop 34 on R6 using 66.66.66.6/24
o Do not allow R6 to add to any routing protocol
o Protected traffic: ICMP 66.66.0.0/16<->50.50.6.0/24
o Do not configure any static routes
o R4 active router if available
Test by issuing a ping from R6 Fa0/0 to 50.50.6.5 then
reload R4 and test the ping again. R1 should be able to
carry the IPsec traffic within 20 seconds of R4 being down.
10
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 4:
Task 4.1
IPS
4 Points
Configure the Sensor per the diagram including the

following:
o Default gateway of 50.50.4.14
o Name the sensor IPS.
1234.
o Allow the sensor to be managed only by 50.50.4.0/24
network. The username on the sensor is cisco, with
Task 4.2
4 Points

o G0/0.1 with a VLAN pair of 9 and 99.
o Place R2 Fa0/0 in VLAN 99.
o Use sig1, rules1 and ad1.
o Alert on non-http traffic, and send a TCP reset.
Create vs2 using the folling:
o Assign R5 Fa0/0 to vlan 55.
o Deny HTTP connections if the URL has ATTACK.ME?
regardless of case.
11
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 4.3
4 Points

o All VLAN 11 traffic will be seen on Fa1/2.
o Allow the sensor to send resets on this port.
o ICMP floods on VLAN 11 should produce an alert.
o Place a block on R3 Fa0/0 inbound with the above attack
is seen.
o The address of 50.50.4.101 should never be seen as an
attacker.
Task 4.4
4 Points
Configure the sensor so that when an ICMP flood is seen on

VLAN 9, a dynamic rate limit of 5% is placed on R2 Fa0/0
inbound.
If R2 S0/0/0 should fail, sensor should still be able to
manage R2.
Configure virtual sensor 1 to recognize all 50.50.4.0/24
addresses as mission critical.
12
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 5:
Task 5.1
Identity Management
4 Points
Require users on VLAN 2 to authenticate at c1 before

allowing telnet. Configure the username c-user with
password cisco. Use the ACS server with RADIUS to
authenticate the user.
Task 5.2
4 Points
Configure command authorization using the following:

o On R7, allow a user named user5.2 with a password of
authentication, and the ACS server for authorization.
o The ACS server should see R7 as the IP address of
50.50.3.7 On R7, use the source address of Loopback 0
for TACACS.
o The only commands that the user5.2 should be able to do
would allow entry into configuration mode, configure an
IP address in interface configuration mode, and the
command of exit.
o All successful commands issued by this user should be
logged on the ACS server.
o Do not associate any privilege lever with the username of
user5.2 on the local database of R7.
On R6, create a local user named user5.2b with a password
of a?a. Allow all users perform an extended ping even if
they are at privilege level 1. Do not use any AAA commands
for this task.
user named user5.2c is automatically placed in privilege
mode level 10. When this user issues a show run command, he
should only view the available interfaces, their assigned
IP's, access-lists applied to the interfaces, and accesslists configured globally. Do not use ACS as part of this
task.
13
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 5.3
4 Points

o Set up an ACS user named user5.3. Have the ACS provide
following:
----------------------------------PAE
= AUTHENTICATOR
PortControl
= AUTO
ControlDirection
= Both
HostMode
= MULTI_HOST
ReAuthentication
= Disabled
QuietPeriod
= 3
ServerTimeout
= 30
SuppTimeout
= 30
ReAuthPeriod
ReAuthMax
= 2
MaxReq
= 2
TxPeriod
= 5
RateLimitPeriod
= 0
Auth-Fail-Vlan
= 6
= 3
Guest-Vlan
= 11
Port Status
Authorized By
Vlan Policy
= AUTHORIZED
= Guest-Vlan
= 11
14
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 6:
Task 6.1
4 Points

Successful results will look similar to the following:
!.!.!.!.!.

15
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 7:
Task 7.1
Advanced Security
4 Points
Prevent the BB1 from being able to ping 50.50.4.50

Stop
this traffic before it reaches c1. Do not assign an access
Do not use any line, AAA or control plane commands for this
task.
Apply this policy to Fa0/0 only. Successful results will
look similar to the following.
!!!!.!!!!.
R5#

with the MAC address of 1001.2002.3003 to be connected to
port FA0/23. If there is a violation, shut down the port.
The switch should automatically re-enable the port after 30
seconds if there is no longer a violation.
store these in the running configuration. Do not shutdown
the port, and do not create a syslog message if there is a
violation.
16
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 7.2
4 Points
On c1, do not permit MSN games or MSN file-transfer traffic

to go through the firewall. Other types of MSN P2P traffic
should be allowed. Apply this policy inbound on all
interfaces.
17
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 8:
Task 8.1
4 Points
On R2, configure the following:

o Do not allow any non-initial TCP, UDP or ICMP fragments
in from BB2.
o Deny this traffic and log it.
o Generate log messages for each and any unreachable
messages that R2 may receive from BB2, but do not drop
it.
o slippery?task
o root.exe
Configure R2 to drop all IP options, but do not use an
access-list for this task.
18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 8.2
4 Points
On ASA2, prevent VLAN 3 hosts from spoofing source

addresses owned by other devices in the 50.50.0.0/16 space.
Do not use an access-list as part of this task.
On c1, deny non initial IP fragments on the outside
interface. Do not use the keyword fragment in any accesslist.
SOLUTIONS GUIDE on next page.
19
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 1:
Task 1.1
ASA Firewalls
4 Points
Configure the ASA as shown in the diagram using the

defaults and the information in the table below.
Configure/allow routing protocols on both ASA firewall.
Device
Name
c1
Real
Int.
E0/1
Mapped
Int.
E0/0
c1
ASA2
ASA2
E0/1
E0/1
E0/1
E0/0
E0/0.4
E0/0.4
Real
IP:TCP PORT #
50.50.4.15:432
1
50.50.4.0/24
192.168.2.101
6.6.6.6
Mapped
IP:TCP PORT#
50.50.4.25:1234
50.50.4.75
50.50.4.101
50.50.4.6
ASA1(config)# interface e0/0
ASA1(config-if)# interface e 0/1
ASA1(config-if)# admin-context c1
ASA1(config-ctx)# allocate-interface e0/0
ASA1(config-ctx)# config-url c1.cfg
ASA1(config)# wr mem all
ASA1(config)# changeto context c1
ASA1/c1(config)# ip address 50.50.4.50 255.255.255.0
ASA1/c1(config)# interface e0/1
ASA1/c1(config-if)# int e 0/0
ASA1/c1(config)# static (inside,outside) tcp 50.50.4.25 1234 50.50.4.15 4321
20
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
ASA1/c1(config)# global (outside) 1 50.50.4.75

BB1#telnet 1.1.1.1
R1#who
Line
User
Host(s)
Idle
Location
*514 vty 0
idle
00:00:00 50.50.4.11
R1#exit
ASA1/c1(config)#
ASA1/c1(config)#
ASA1/c1(config)#
ASA1/c1(config)#
ASA1/c1(config)#
access-list outside permit ospf any any

access-list inside permit ospf any any
access-list inside permit ip any any
access-group inside in interface inside

ciscoasa# show mode
ciscoasa(config)# mode single
***
*** --- SHUTDOWN NOW --ciscoasa# conf t
ASA2(config)# interface e 0/1
ASA2(config-if)# nameif inside
ASA2(config-if)# ip add 50.50.3.60 255.255.255.0
ASA2(config-if)# interface e 0/0
ASA2(config-if)# interface e 0/0.4
ASA2(config-subif)# ip address 50.50.4.60 255.255.255.0
ASA2(config-subif)# nameif outside
ASA2(config-subif)# exit
ASA2(config)# ping 50.50.4.14
!!!!!
ASA2(config)# router ospf 1
ASA2(config-router)# net 50.50.4.60 255.255.255.255 area 0
ASA2(config-router)# redistribute eigrp 1
INFO: Only classful networks will be redistributed
ASA2(config-router)# redistribute eigrp 1 sub
ASA2(config-router)# redistribute eigrp 1 subnets
ASA2(config-router)# router eigrp 1
ASA2(config-router)# network 50.50.3.6 255.255.255.255
ASA2(config-router)# redistribute ospf 1 metric 1 1 1 1 1
ASA2(config-router)# exit
21
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
ASA2(config)# static (inside,outside) 50.50.4.101 192.168.2.101

R6#telnet 4.4.4.4 /source loop 0
R4#who
Line
User
Host(s)
Idle
Location
*514 vty 0
idle
00:00:00 50.50.4.6
R4#exit
R6#
Permit BPDUs on both interfaces of c1.

ASA1/c1(config)#
ASA1/c1(config)#
ASA1/c1(config)#
ASA1/c1(config)#
access-list inside-L2 ethertype permit bpdu

access-list outside-L2 ethertype permit bpdu
access-group inside-L2 in int inside
access-group outside-L2 in int outside
Use the default gateway of 50.50.4.60 for c1.

ASA2(config)# same-security-traffic permit intra-interface
ASA1/c1(config)# route outside 0 0 50.50.4.60
ASA1/c1(config)# ping 8.8.8.8
!!!!!

ASA2(config-pmap-c)# inspect icmp
c:\ACS_PC>ping 50.50.11.8
Reply from 50.50.11.8: bytes=32 time=23ms TTL=251
22
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 1.2
4 Points
Allow SSH management on the inside interface of ASA2 from

the ACS PC. Use the username of user-task-1.2 with
password of cisco. Use the local database to
authenticate this user.
ASA2(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
ASA2(config)# ssh 192.168.2.101 255.255.255.255 inside
ASA2(config)# ssh ver 2
ASA2(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local
users.
ASA2(config)# username user-task-1.2 password cisco
23
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Allow R6 to ping all other routers loopback 0 interface, and BB1

and BB2 ethernet interfaces.
ASA1/c1(config)# access-list outside permit icmp host 50.50.3.6 host
50.50.4.11 echo

a packet if the firewall is not going to allow a packet
through the firewall on the outside interface.
ASA1/c1(config)# fragment chain 1 outside

ASA1/c1(config)# service resetinbound
R6#ping 50.50.4.11 size 1500
!!!!!
R6#ping 50.50.4.11 size 1600
.....
R6#
24
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 1.3
4 Points
Configure both c1 and ASA2 to send syslog warnings to the

ACS PC.
ASA2(config)# access-list outside permit udp host 50.50.4.50 host 50.50.4.101

eq syslog
ASA1/c1(config)# logging trap warnings
ASA1/c1(config)# logging host outside 50.50.4.101
WARNING: interface Ethernet0/0 security level is 0.
ASA1/c1(config)#
Summarize the following syslog message on c1, so that it

gives summary every 10 minutes at level 4
o Deny udp src outside:50.50.4.1/1985 dst
inside:224.0.0.2/1985 by access-group "outside"
ASA1/c1(config)# access-list outside deny udp any host 224.0.0.2 eq 1985 1985
log warnings interval 600
25
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Permit ICMP echo requests, TFTP, FTP, HTTP, and telnet

inbound on the outside interface of ASA2 to the ACS PC and
R6.
Use a single access-list entry for this task.
ASA2(config)# object-group network R6_and_ACS_outside
ASA2(config-network)# network-object host 50.50.4.101
ASA2(config-network)# exit
ASA2(config)# object-group service R6_and_ACS_services
ASA2(config-service)# service-object icmp echo
ASA2(config-service)# service-object udp tftp
ASA2(config-service)# service-object tcp eq ftp
ASA2(config-service)# service-object tcp eq www
ASA2(config-service)# service-object tcp eq telnet
ASA2(config-service)# exit
ASA2(config)# access-list outside permit object-group R6_and_ACS_services any
object-group R6_and_ACS_outside
R4#ping 50.50.3.6
!!!!!
R4#
26
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Reset and log any FTP traffic with GET commands going
through ASA2. Use a L7 class-map type inspect as part of
your solution.
ASA2(config)# class-map type inspect ftp match-any CMAP_INS_FTP_GET
ASA2(config-cmap)# match request-command get
ASA2(config)# policy-map type inspect ftp PMAP_INS_FTP_GET
ASA2(config-pmap)# parameters
ASA2(config-pmap-p)# class CMAP_INS_FTP_GET
ASA2(config-pmap-c)# reset log
ASA2(config-pmap-c)# no inspect ftp
ASA2(config-pmap-c)# inspect ftp strict PMAP_INS_FTP_GET
R4#dir
Directory of flash:/
1 -rw52990552
Sep 4 2008 09:45:04 +00:00 c2800nmadventerprisek9-mz.124-15.T7.bin
2 -rw1038 Nov 11 2008 23:32:52 +00:00 home.shtml
256471040 bytes total (192409600 bytes free)
R4#copy home.shtml ftp
Destination filename [home.shtml]?
Writing home.shtml !
1038 bytes copied in 0.956 secs (1086 bytes/sec)
R4#copy ftp flash
Source filename []? home.shtml
Destination filename [home.shtml]? test.txt
Accessing ftp://50.50.4.101/home.shtml...
%Error opening ftp://50.50.4.101/home.shtml (Protocol error)
R4#
NOTE: On ASA2...
%ASA-5-303005: Strict FTP inspection matched Class 21: CMAP_INS_FTP_GET in
policy-map PMAP_INS_FTP_GET, Reset connection from outside:50.50.4.4/20780 to
inside:192.168.2.101/21
27
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
On ASA2, allow the 50.50.6.0/24 network to have access to

R6 loopback 0 using HTTP.
Verify that any retransmissions are consistent with the originals.
ASA2(config)# access-list ACL_2_R6 permit tcp 50.50.6.0 255.255.255.0 host
50.50.4.6 eq 80
ASA2(config)# access-list outside permit tcp 50.50.6.0 255.255.255.0 host
50.50.4.6 eq 80
ASA2(config)# tcp-map TCP_MAP_SEQEUNTIAL
ASA2(config-tcp-map)# check-retransmission
ASA2(config-tcp-map)# exit
ASA2(config)# class-map CMAP_2_R6
ASA2(config-cmap)# match access-list ACL_2_R6
ASA2(config-pmap)# class CMAP_2_R6
ASA2(config-pmap-c)# set connection advanced-options TCP_MAP_SEQEUNTIAL
ASA2(config)# show service-policy
Global policy:
Inspect: ftp strict PMAP_INS_FTP_GET, packet 61, drop 15, reset-drop 2
Class-map: CMAP_2_R6
drop 0
Set connection advanced-options: TCP_MAP_SEQEUNTIAL
Invalid ACK drops
: 0
IP TTL modified
: 0
TCP-options:
Timestamp cleared : 0
28
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

ASA2(config)#
Task 1.4
4 Points
Configure failover on ASA2, in preparation or a second

firewall that will be added later.
Use the system
addresses +3 for the failover addresses.
Use E0/3,
50.50.50.1 and VLAN 50 for failover. Configure stateful
failover for http.
SW2(config-if)#exit

ASA2(config-if)# exit
ASA2(config)# failover lan interface lanfail Ethernet0/3
ASA2(config)# failover link lanfail Ethernet0/3
50.50.50.4
ASA2(config)# interface Ethernet0/0.4
ASA2(config-subif)# ip address 50.50.4.60 255.255.255.0 standby 50.50.4.63
ASA2(config-if)# ip address 50.50.3.60 255.255.255.0 standby 50.50.3.63
ASA2(config)# .
No Response from Mate
ASA2(config)# monitor-interface outside
ASA2(config)# show failover
Failover On
Failover unit Secondary
Interface Policy 1
29
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

Version: Ours 8.0(4), Mate Unknown
Last Failover at: 04:24:39 UTC May 1 2009
This host: Secondary - Active
Active time: 55 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (50.50.4.60): Normal (Waiting)
Interface inside (50.50.3.60): Normal (Waiting)
slot 1: empty
Other host: Primary - Failed
slot 0: empty
Interface outside (50.50.4.63): Unknown (Waiting)
Interface inside (50.50.3.63): Unknown (Waiting)
slot 1: empty
Stateful Obj
xmit
xerr
General
0
0
sys cmd
0
0
up time
0
0
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
0
0
Xlate_Timeout
0
0
VPN IKE upd
0
0
VPN IPSEC upd
0
0
VPN CTCP upd
0
0
VPN SDI upd
0
0
VPN DHCP upd
0
0
SIP Session
0
0
rcv
0
0
0
0
0
0
0
0
0
0
0
0
0
0
rerr
0
0
0
0
0
0
0
0
0
0
0
0
0
0

Cur
Max
Total
Recv Q:
0
0
0
Xmit Q:
0
0
0
ASA2(config)#
30
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 2:
Task 2.1
IOS Firewalls
4 Points
Configure R3 as a Zone Based Firewall with the following:

o inside zone with S0/0/0 and Fa0/0
o outside zone with Fa0/1
o inspect all ip traffic outbound
o inspect icmp and telnet inbound
o max embryonic-connections inbound high 50 low 5
o max embryonic-connections outbound high 40 low 4
o Police inbound ICMP to 8000bps, burst of 1000bytes
o Send detailed session information to the ACS PC.
R3(config)#
R3(config)#class-map type inspect match-all CMAP-OUTBOUND
R3(config)#class-map type inspect match-any CMAP-INBOUND
R3(config-cmap)#match protocol telnet
R3(config)#policy-map type inspect PMAP-OUTBOUND
R3(config-pmap)#class type inspect CMAP-OUTBOUND
R3(config-pmap-c)#inspect Param-Map-OUTBOUND
R3(config)#policy-map type inspect PMAP-INBOUND
R3(config-pmap)#class type inspect CMAP-INBOUND
R3(config-pmap-c)#inspect Param-Map-INBOUND
R3(config-pmap-c)#police rate 8000 burst 1000
R3(config)#zone security inside
R3(config-sec-zone)#exit
R3(config)#zone security outside
R3(config)#zone-pair security OUTBOUND source inside destination outside
R3(config-sec-zone-pair)#service-policy type inspect PMAP-OUTBOUND
R3(config-sec-zone-pair)#exit
R3(config)#zone-pair security INBOUND source outside destination inside
R3(config-sec-zone-pair)#service-policy type inspect PMAP-INBOUND
R3(config-if)#zone-member security inside
31
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
R3(config-if)#exit
R3(config)#interface Serial 0/0/0
R3(config-if)#zone-member security inside
R3(config-if)#exit
R3(config-if)#zone-member security outside
R3(config-if)#exit
R3(config)#parameter-map type inspect Param-Map-OUTBOUND
R3(config-profile)# max-incomplete low 4
R3(config-profile)# max-incomplete high 40
R3(config-profile)# audit-trail on
R3(config)# parameter-map type inspect Param-Map-INBOUND
R3(config-profile)# max-incomplete low 5
R3(config-profile)# max-incomplete high 50
R3(config-profile)# audit-trail on
R3(config)#
R3(config)#
!!!!.!!!!.!!!!.!!!!.
R8#
R3#
*May 1 05:43:37.199: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)(INBOUND:CMAP-INBOUND):Start icmp session: initiator (50.50.11.8:8) -responder (2.2.2.2:0)
R3#show policy-map type inspect zone-pair INBOUND
Zone-pair: INBOUND
Police
rate 8000 bps,1000 limit
conformed 804 packets, 97414 bytes; actions: transmit
exceeded 455 packets, 72153 bytes; actions: drop
Service-policy inspect : PMAP-INBOUND
Class-map: CMAP-INBOUND (match-any)
30 second rate 0 bps
Match: protocol telnet
3 packets, 72 bytes
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:3195]
icmp packets: [0:121]
Session creations since subsystem startup or last reset 9
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:1]
32
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Last session created 00:00:30

Last statistic reset never
Last session creation rate 1
Maxever session creation rate 3
Last half-open session total 0
Match: any
Drop (default action)
0 packets, 0 bytes
R3#
33
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 2.2
4 Points
Configure auth-proxy including the following:

o Explicitly require HTTP authentication using ACS TACACS
at R6 for all HTTP port 80 sessions to BB2 at 50.50.9.11
o Create an access-list to deny icmp from any to 50.50.9.11
inbound on R6 Fa0/0.
o Create a user named user-2.2 with password of cisco
on the ACS server. After successful http authentication
on R6, allow ICMP echo from this user to 50.50.9.11
o Configure the ACS to maintain a history of successful and
failed login requests.
o Your solution should dynamically enter an ACE in the
34
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
35
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
R6(config)#
R6(config-ext-nacl)# permit tcp any host 50.50.9.11 eq www log
R6(config-ext-nacl)#
R6(config-ext-nacl)#ip access-list log-update threshold 1
36
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
R6(config)#access-list 128 deny icmp any host 50.50.9.11

R6(config)# ip auth-proxy name AUTH_PROXY http inactivity-time 5 list
AUTH_PROXY
R6(config-if)# ip auth-proxy AUTH_PROXY
R6(config-if)# ip access-group 128 in
R6(config-if)#ip http server
R6(config-if)#line con 0
R6(config-line)# privilege level 15
R6#test aaa group tacacs+ user-2.2 cisco legacy
37
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
R6#
*May 1 06:16:56.403: %SEC-6-IPACCESSLOGP: list AUTH_PROXY permitted tcp
192.168.2.101(4802) -> 50.50.9.11(80), 1 packet
R6#show ip auth-proxy cache
Authentication Proxy Cache
Client Name user-2.2, Client IP 192.168.2.101, Port 4802, timeout 5, Time
Remaining 1, state ESTAB
R6#
38
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 2.3
4 Points
On R2, implement a spoofing mitigation solution that will

dynamically update, as new inside networks are added. Log
denied packets, including information regarding the
interface that denied the packet. Do not place an accesslist on any interface on R2 as part of this task. Test by
creating loopback 66 on BB2, using 6.6.6.6/24 and ping
2.2.2.2 using a source of loopback 66 from BB2.
R2(config)# access-list 101 deny ip any any log-input
R2(config)# interface fa 0/0
R2(config-if)# ip verify unicast source reachable-via rx 101
R2(config-if)# exit
BB2(config)#int loopback 66
BB2(config-if)#ip address
BB2(config-if)#ip address 6.6.6.6 255.255.255.0
BB2(config-if)#end
BB2#ping 2.2.2.2 source loopback 66
.....
BB2#
R2#
*May 1 06:26:36.951: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 6.6.6.6
(FastEthernet0/0 0017.0eaf.d700) -> 2.2.2.2 (0/0), 1 packet
R2#
39
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
On BB2, deny HTTP management connections except for hosts

BB2(config)#access-list 1 permit 50.50.0.0 0.0.255.255 log
BB2(config)#ip http access-class 1
40
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 2.4
4 Points
On R2, deny inbound TCP traffic sourced from 50.50.12.7 on

source TCP port 80. Allow clients who connect to
50.50.12.7 using HTTP to establish a session.
Use CBAC
for this task.
R2(config)#access-list 100 deny tcp host 50.50.12.7 eq 80 any log
R2(config-subif)#ip access-group 100 in
R2(config)#ip inspect name CBAC http

R2(config)#interface fa0/1.12
R2(config-subif)#ip inspect CBAC out
41
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
42
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 3:
Task 3.1
VPNs
4 Points

a location of NV. Use authentication for NTP.
R6(config)#crypto key generate rsa general-keys modulus 1024 exportable
R6(cs-server)#database url nvram:
R6(cs-server)#database level minimum
R6(cs-server)#issuer-name CN=R6.ccbootcamp.com L=NV C=US
R6(cs-server)#cdp-url http://50.50.4.6/R1-CA_Servercdp.R1-CA_Server.crl
Password: cisco123
R6(cs-server)#
May 1 07:34:45.958: %PKI-6-CS_ENABLED: Certificate server now enabled.
43
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Configure any routers using digital certificates to use R6

as an NTP and CA server.
Note: These would support the ntp, CA registration and GET VPN in the next
tasks.
ASA2, configuration mode:
access-list outside permit tcp host 50.50.4.1 host 50.50.3.6 eq www
access-list outside permit udp host 50.50.4.1 host 50.50.4.6 eq ntp
access-list outside permit udp host 50.50.5.5 host 50.50.3.6 eq 848


R1(config)#crypto ca trustpoint R6-CA1
R1(ca-trustpoint)#enrollment retry count 5
R1(ca-trustpoint)#enrollment retry period 3
R1(ca-trustpoint)#revocation-check none
R1(config)#crypto pki authenticate R6-CA1
Fingerprint MD5: 6E05E243 24DE8FEF 2E04F274 B03B305E
Fingerprint SHA1: 6DE596B4 C8F7ECDA B366D49B A4F89A00 79214B27
R1(config)#crypto pki enroll R6-CA1
%
44
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Password:
Re-enter password:
% The 'show crypto ca certificate R6-CA1 verbose' commandwill show the
fingerprint.
R1(config)#
May 1 08:04:27.840: CRYPTO_PKI: Certificate Request Fingerprint MD5:
5CA16B6B E5289EDB 9D4782C0 9BA6CB88
May 1 08:04:27.844: CRYPTO_PKI: Certificate Request Fingerprint SHA1:
B51208DE 08586B0C D925CF8C 5C20DEC2 FB87B828
R1(config)#
May 1 08:04:32.436: %PKI-6-CERTRET: Certificate received from Certificate
Authority

R4(config)#cry pki authenticate R6-CA1
R4(config)#cry pki enroll R6-CA1
%
45
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

Password:
Re-enter password:
fingerprint.
R4(config)#
BEEDCD72 2D463151 CAF0DB0E 862EB76B
5F0C5AF1 023C3EA2 24273E45 9B18FEE1 B2506638
R4(config)#
Authority
R4(config)#

%
46
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

Password:
Re-enter password:
% Include the router serial number in the subject name? [yes/no]:
% Please answer 'yes' or 'no'.
fingerprint.
R5(config)#
212FE1BE 4FC3A7C3 C9300F8B 246310CC
EFAB4522 8412F1AA 4FCBDABB F2D4563D FFFF649B
R5(config)#
Authority
May 1 08:09:25.386: %SSH-5-ENABLED: SSH 1.99 has been enabled
47
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

%
Password:
Re-enter password:
fingerprint.
R7(config)#
124D541D 396D0088 FA7E03AE 4F5B0F30
5E366840 A2EA7666 C385CAB8 0CEDDEBC FCFDE798
R7(config)#
Authority
R7(config)#
Note: this allows R8 to invoke HTTP to R6
R3(config-cmap)#match protocol http
R8(config)#
*May 1 08:18:01.534: %SYS-6-CLOCKUPDATE: System clock has been updated from
08:18:01 UTC Fri May 1 2009 to 00:18:01 PST Fri May 1 2009, configured from
console by console.
*May 1 08:18:02.018: %SYS-6-CLOCKUPDATE: System clock has been updated from
00:18:02 PST Fri May 1 2009 to 01:18:02 PDT Fri May 1 2009, configured from
console by console.
48
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

%
Password:
Re-enter password:
fingerprint.
R8(config)#
*May 1 08:22:01.214: CRYPTO_PKI: Certificate Request Fingerprint MD5:
DEA02D98 EB087920 39DD0D47 E506F9D0
*May 1 08:22:01.214: CRYPTO_PKI: Certificate Request Fingerprint SHA1:
285B891C 67B486DE 96660A56 750350D2 DF9325BB
R8(config)#
*May 1 08:22:09.694: %PKI-6-CERTRET: Certificate received from Certificate
Authority
R8(config)#
R8(config)#end
R8#wr
*May
R8#
Note:
1 08:22:13.098: %SYS-5-CONFIG_I: Configured from console by console[OK]
R6 needs to enroll to itself!

49
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

%
Password:
Re-enter password:
fingerprint.
R6(config)#
4619D8CB E4E9E54E E447CB23 50639C0A
4EAB4A7A C95D3449 FFA6CD8D DA313FE2 218A6A4C
R6(config)#
Authority
R6(config)#end
50
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 3.2
4 Points
Configure GET VPN using the following information:

o R6 primary key server
o R8 secondary key server
o R5 member
o R7 member
o IKE phase 1: DH2, RSA-Sig, AES, SHA, Lifetime 400s
o IKE phase 2: AES SHA, Lifetime 1800s
o Protected traffic: ICMP between 7.7.7.7 and 5.5.5.5
R6(config-isakmp)#hash sha
R6(config-isakmp)#authentication rsa-sig
R6(config-isakmp)#lifetime 400
R6(config)#crypto ipsec transform-set Trans-GDOI-AES-SHA esp-aes esp-sha
R6(config)#crypto ipsec profile PROF-GDOI-Group1
R6(ipsec-profile)#set security-association lifetime seconds 1800
R6(ipsec-profile)#set transform-set Trans-GDOI-AES-SHA
R6(config)#crypto gdoi group group1
R6(config-gdoi-group)#identity number 1
R6(config-gdoi-group)#server local
R6(gdoi-local-server)#rekey lifetime seconds 86400
R6(gdoi-local-server)#rekey retransmit 10 number 2
R6(gdoi-local-server)#rekey authentication mypubkey rsa R6.ccbootcamp.com
R6(gdoi-local-server)#rekey transport unicast
R6(gdoi-local-server)#sa ipsec 1
R6(gdoi-sa-ipsec)#profile PROF-GDOI-Group1
R6(gdoi-sa-ipsec)#match address ipv4 199
R6(gdoi-sa-ipsec)#replay counter window-size 64
R6(gdoi-sa-ipsec)#address ipv4 50.50.3.6
R6(gdoi-local-server)#redundancy
R6(gdoi-coop-ks-config)#local priority 10
R6(gdoi-coop-ks-config)#peer address ipv4 50.50.11.8
R6(gdoi-coop-ks-config)#exit
R6(gdoi-local-server)#access-list 199 permit icmp host 7.7.7.7 host 5.5.5.5
R3(config)#access-list 102 permit udp any any eq 848
51
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc


R5(config-gdoi-group)#server address ipv4 50.50.3.6
R5(config-gdoi-group)#exit
R5(config)#crypto map map-group1 10 gdoi
R5(config-crypto-map)#set group group1
R5(config-if)# crypto map map-group1
R5(config-if)#interface serial0/0/0
R5(config-if)#exit
52
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

R7(config)#interface Fa0/1
R7(config-if)#exit
R7#
May 1 10:05:42.101: %CRYPTO-5-GM_REGSTER: Start registration to KS 50.50.3.6
for group group1 using address 50.50.12.7
May 1 10:05:42.905: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group group1 transitioned
to Unicast Rekey.
May 1 10:05:42.985: %GDOI-5-GM_REGS_COMPL: Registration to KS 50.50.3.6
complete for group group1 using address 50.50.12.7
R7#show crypto gdoi
GROUP INFORMATION
Group Name
Group Identity
Rekeys received
IPSec SA Direction
Active Group Server
Group Server list
:
:
:
:
:
:
group1
1
0
Both
50.50.3.6
50.50.3.6
50.50.11.8
GM Reregisters in
: 248 secs
Rekey Received(hh:mm:ss) : 00:24:34
Rekeys received
Cumulative
After registration
Rekey Acks sent
: 0
: 0
: 0
ACL Downloaded From KS 50.50.3.6:

access-list permit icmp host 7.7.7.7 host 5.5.5.5
R7#
.May 1 10:16:42.011: %CRYPTO-5-GM_REGSTER: Start registration to KS
50.50.3.6 for group group1 using address 50.50.12.7
53
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
.May 1 10:16:42.839: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group group1 transitioned

to Unicast Rekey.
.May 1 10:16:42.931: %GDOI-5-GM_REGS_COMPL: Registration to KS 50.50.3.6
R7#ping 5.5.5.5 source loop 0

!!!!!
R7#
54
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 3.3
4 Points
Configure EASY VPN using the following:

o Server R6, using loop 0
o Client R7
o Client inside interface new loop 5, 100.5.0.7/24
o Client outside interface Fa 0/1
o Split tunnel to 192.168.0.0/16
o IKE 1: AES, SHA, PSK, DH2
o IKE 2: AES, SHA
o Client Mode
o Pool: 192.168.0.75-80
o Group name:
vpn_group password cisco
o Username: vpn_user password cisco

o RADIUS authentication
o Virtual templates used
R6(config)#aaa authentication login vpn_group group radius local
R6(config)#$c transform-set EZ_TRANS_AES_SHA_Tunnel esp-aes esp-sha-hmac
55
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
R6(config-if)#ip unnumbered loop 0

R6(config-if)#exit
R6(config)#ip local pool
May 1 10:46:20.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface VirtualTemplate1, changed state to down
R6(config)#ip radius source-interface Fast
May 1 10:46:20.807: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R6(config)#ip radius source-interface FastEthernet0/0
R6(config)#radius-server host 192.168.2.101 auth-port 1645 acct-port 1646
R6(config)#radius-server key cisco
Note: ASA2 permissions
56
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
R6#test aaa group radius vpn_user cisco legacy

R7(config-if)#exit
R7(config-if)#crypto ipsec client ezvpn EZ_CLIENT outside
R7(config-if)#exit
R7(config)#interface Virtual-Template1 typ
R7(config-if)#exit
May 1 10:59:31.675: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=vpn_user
Group=vpn_group Client_public_addr=50.50.12.7 Server_public_addr=50.50.4.6
R7(config)#
May 1 10:59:32.299: %LINEPROTO-5-UPDOWN: Line protocol on Interface
May 1 10:59:32.355: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0,
changed state to up
57
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
You may add a single static route on R7, but it may not use
R2 as a next hop.
R7(config)#ip route 192.168.0.0 255.255.0.0 50.50.4.6

Outside interface: FastEthernet0/1
Mask: 255.255.255.255
Address
: 192.168.0.0
Mask
: 255.255.0.0
Protocol
: 0x0
Source Port: 0
Dest Port : 0
R7#
!!!!!
R7#
58
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 3.4
4 Points
Create a High Availabilty IPSec tunnel using the following:

o R6 using Loop 0
o R4/R1 as HSRP VPN gateway
o IKE phase 1: AES, SHA, RSA-Sig
o IKE phase 2: AES, SHA
o New Loop 34 on R6 using 66.66.66.6/24
o Do not allow R6 to add to any routing protocol
o Protected traffic: ICMP 66.66.0.0/16<->50.50.6.0/24
o Do not configure any static routes
o R4 active router if available
Test by issuing a ping from R6 Fa0/0 to 50.50.6.5 then
reload R4 and test the ping again. R1 should be able to
carry the IPsec traffic within 20 seconds of R4 being down.
R6(config)#int loopback 34
R6(config-if)#exit
0.0.0.255
R6(config)#$c transform-set HA_TRANSFORM_AES_SHA esp-aes esp-sha-hmac
R6(config)#crypto map MYMAP local-address loop 0
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R6(config-crypto-map)#set transform-set HA_TRANSFORM_AES_SHA
R6(config-if)#exit
ASA2:
59
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

0.0.255.255
R1(config-isakmp)#auth rsa-sig
R1(config-if)#exit
R1(config-router)#passive fa0/0
R1(config-router)#redist static sub
R1(config-if)#ip ospf cost 2
0.0.255.255
R4(config-if)#standby 1 priority 101
R4(config-if)#standby 1 preempt
60
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

R4(config-if)#exit
R4(config-router)#redist static subnets
...!!
!!!!!
Interface: FastEthernet0/1
Peer: 50.50.4.14 port 4500
IKE SA: local 6.6.6.6/4500 remote 50.50.4.14/4500 Inactive
IPSEC FLOW: permit 1 66.66.0.0/255.255.0.0 50.50.6.0/255.255.255.0

Peer: 50.50.4.6 port 4500
R4#
R4#wr
[OK]
R4#
R4#reload
May 1 17:26:18.636: %SYS-5-RELOAD: Reload requested
Reason: Reload Command.
by console. Reload
61
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

.!!!!
R6#
R1#show crypto sess
Peer: 50.50.4.6 port 4500
R1#show cryp
R1#show crypto ips
R5(config)#!NOTE:
R5(config)#crypto
R5(config)#crypto
R5(config)#crypto
adding
isakmp
isakmp
isakmp
to all the peers of R6

invalid-spi-recovery
keepalive 10
nat keepalive 5
R7(config)#!NOTE:
R7(config)#crypto
R7(config)#crypto
R7(config)#crypto
adding
isakmp
isakmp
isakmp

keepalive 10
nat keepalive 5
R8(config)#!NOTE:
R8(config)#crypto
R8(config)#crypto
R8(config)#crypto
adding
isakmp
isakmp
isakmp

keepalive 10
nat keepalive 5
62
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 4:
Task 4.1
IPS
4 Points
Configure the Sensor per the diagram including the

following:
o Default gateway of 50.50.4.14
o Name the sensor IPS.
1234.
o Allow the sensor to be managed only by 50.50.4.0/24
network. The username on the sensor is cisco, with
sensor login: cisco
Password: ccie5796
***NOTICE***
This product contains cryptographic features and is subject to United States
!
!
username" command.
Continue? []: yes
sensor#
sensor# setup
Enter host name[sensor]: IPS
No entries
Permit: 50.50.4.0/24
Permit:
63
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

!
!
exit
Enter your selection[2]:2
*17:56:27 UTC Fri May 01 2009
sensor# exit
IPS login: cisco
Password: ccie5796
IPS#
ASA1/C1 context:
access-list outside extended permit tcp 50.50.4.0 255.255.255.0 host
50.50.4.25 eq 1234
ASA1/c1(config)# show run static
Note: Created earlier in the labstatic (inside,outside) tcp 50.50.4.25 1234 50.50.4.15 4321 netmask
255.255.255.255
64
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
65
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
66
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 4.2
4 Points
Configure the vs1 with the following:

o Place R2 Fa0/0 in VLAN 99.
o Alert on non-http traffic, and send a TCP reset
Create
o G0/0.2 with a VLAN pair of 5 and 55

o Deny HTTP connections if the URL has ATTACK.ME?
o Detect the above regardless of case
67
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

68
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
69
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
70
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
SW1(config-if)#end
71
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
72
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
R2#ping 50.50.9.11
!!!!!
R2#telnet 50.50.9.11 80
Trying 50.50.9.11, 80 ... Open
testing
R2#
73
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
74
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
75
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
76
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
77
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
78
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
79
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
80
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
R1#copy http://5.5.5.5/AtTacK.Me?
http://5.5.5.5/AtTacK.Me A URL beginning with this prefix
R1#copy http://5.5.5.5/AtTacK.Me? null
R1#copy http://5.5.5.5/AtTacK.Me? null: ?
<cr>
NOTE: Use Ctrl+v, then the ? to get it into the command line as a character.
R1#copy http://5.5.5.5/AtTacK.Me? null:
%Error opening http://5.5.5.5/AtTacK.Me? (I/O error)
81
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
R1#
82
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 4.3 4 Points

o All VLAN 11 traffic will be seen on Fa1/2
o Allow the sensor to send resets on this port
o ICMP floods on VLAN 11 should produce an alert
o Place a block on R3 Fa0/0 inbound with the above attack
is seen
SW3(config-vlan)#remote
SW3(config)#exit
SW3#show vlan remote-span
1
1
2
2
source vlan 11 rx
destination remote vlan 999
destination interface Fa0/2
ingress vlan 11
Remote SPAN VLANs

----------------------------------------------------------------------------999
SW3#
SW1(config)#monitor
SW1(config)#monitor
SW2(config)#monitor
SW2(config)#monitor
SW4(config)#monitor
SW4(config)#monitor
session
session
session
session
session
session
1
1
1
1
1
1
source vlan
destination
source vlan
destination
source vlan
destination
11 rx
remote vlan 999
11 rx
remote vlan 999
11 rx
remote vlan 999
83
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
84
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
85
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
86
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
87
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
10 permit udp any any eq 848 (6 matches)
Extended IP access list IDS_Fa0/0_in_0
10 permit ip host 50.50.4.15 any
R3#show acce
R3#show run int fa0/0
!
88
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
ip address 50.50.7.3 255.255.255.0

ip access-group IDS_Fa0/0_in_0 in
zone-member security inside
duplex auto
speed auto
end

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!U.U.U.U.U.U.U.U.U. Note: etc... Use Ctrl+Shift and
while holding them, press 6 6 (to break out)
89
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
90
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
The address of 50.50.4.101 should never be seen as an

attacker This is a test of a wrap.
91
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
92
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 4.4
4 Points
Configure the sensor so that when an ICMP flood is seen on

VLAN 9, a dynamic rate limit of 5% is placed on R2 Fa0/0
inbound.
If R2 S0/0/0 should fail, sensor should still be able to
manage R2.
93
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
94
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
95
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
BB2#ping 2.2.2.2 size 10000 repeat 500

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!
96
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
97
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
R2#
*May 1 19:18:38.479: %SYS-5-CONFIG_I: Configured from console by vty0
(50.50.4.75)
FastEthernet0/0
Service-policy input: IDS_RL_POLICY_MAP_1
Class-map: IDS_RL_CLASS_MAP_icmp-xxBx-8-5_1 (match-any)
Match: access-group name IDS_RL_ACL_icmp-xxBx-8-5_1
5 minute rate 47000 bps
police:
cir 5 %
transmit
drop
Match: any
R2#
98
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 4.5
4 Points
Configure virtual sensor 1 to recognize the 50.50.4.0/24

99
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 5:
Task 5.1
Identity Management
4 Points
Require users on VLAN 2 to authenticate at c1 before

allowing telnet. Configure the username c-user with
password cisco. Use the ACS server with RADIUS to
authenticate the user.

eq radius
ASA1/c1(config)# access-list AUTH permit tcp 50.50.4.0 255.255.255.0 any eq
telnet
ASA1/c1(config)# aaa-server RAD protocol radius
ASA1/c1(config-aaa-server-group)# aaa-server RAD (outside) host 50.50.4.101
ASA1/c1(config-aaa-server-host)# exit
ASA1/c1(config)# aaa authentication match AUTH inside RAD
100
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
ASA1/c1(config)# test aaa authentication RAD username c-user password cisco

Server IP Address or name: 50.50.4.101
INFO: Attempting Authentication test to IP address <50.50.4.101> (timeout: 12
seconds)
INFO: Authentication Successful
ASA1/c1(config)#
BB1#telnet 8.8.8.8
Username: c-user
Password:
BB1#telnet 8.8.8.8
R8#
ASA1/c1(config)# show uauth
Current
Most Seen
Authenticated Users
1
1
Authen In Progress
0
1
absolute
timeout: 0:05:00
ASA1/c1(config)#
101
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 5.2
4 Points
Configure command authorization using the following:

o On R7, allow a user named user5.2 with a password of
authentication, and the ACS server for authorization.
o The ACS server should see R7 as the IP address of
50.50.3.7 On R7, use the source address of Loopback 0
for TACACS.
o The only commands that the user5.2 should be able to do
would allow entry into configuration mode, configure an
IP address in interface configuration mode, and the
command of exit.
o All successful commands issued by this user should be
logged on the ACS server.
o Do not associate any privilege lever with the username of
user5.2 on the local database of R7.
102
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
103
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
104
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
105
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
106
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
107
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
ASA2(config)# access-list outside permit tcp host 7.7.7.7 host 50.50.4.101 eq

tacacs
ASA2(config)# static (outside,inside) 50.50.3.7 7.7.7.7
R7(config)#ip tacacs source-interface loopback 0
R7(config)#username user5.2 password 0 cisco
R7#test aaa group tacacs+ user5.2 cisco legacy
R2#ssh -l user5.2 7.7.7.7
Password: cisco
R7#show ver
108
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
R7#show privi
R7#conf t
R7(config-if)#end
R7(config)#exit
R7#logout
R7#exit
R2#
109
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
On R6, create a local user named user5.2b with a password

of a?a. Allow all users perform an extended ping even if
they are at privilege level 1. Do not use any AAA commands
for this task.
R6(config)#username user5 password a?a
Note: use the Ctrl+v, release, and then press the ? character
R6(config)#privilege exec level 1 ping
R6(config)#exit
R6>ping
Protocol [ip]:
Repeat count [5]:
Extended commands [n]:
!!!!!
R6>
110
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

user named user5.2c is automatically placed in privilege
mode level 10. When this user issues a show run command, he
should only view the available interfaces, their assigned
IP's, access-lists applied to the interfaces, and accesslists configured globally. Do not use ACS as part of this
task.
R2(config)#aaa authentication login ssh local
R2(config)#aaa authorization exec default none
R2(config)#aaa authorization exec ssh local
R2(config)#username user5.2c privilege 10 secret cisco
R2(config)#privilege interface level 10 ip access-group
R2(config)#privilege interface level 10 ip address
R2(config)#privilege interface level 10 ip
R2(config)#privilege configure level 10 access-list
R2(config)#privilege configure level 10 ip access-list extended
R2(config)#privilege configure level 10 ip access-list standard
R2(config)#privilege configure level 10 ip access-list
R2(config)#privilege configure level 10 interface
R2(config)#privilege configure level 10 ip
R2(config)#privilege exec level 10 show running-config
R2(config)#privilege exec level 10 show
R2(config-line)#authorization exec ssh
R2(config-line)#login authentication ssh
R2#show run
!
boot-start-marker
boot-end-marker
!
!
interface Loopback0
111
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
ip address 2.2.2.2 255.255.255.0

!
ip address 50.50.9.2 255.255.255.0
!
ip address 50.50.7.2 255.255.255.0
!
ip address 50.50.12.2 255.255.255.0
ip access-group 100 in
!
ip address 50.50.235.2 255.255.255.248
!
!
access-list 1 permit 50.50.0.0 0.0.255.255
tcp host 50.50.12.7 eq www any log
access-list 100 permit ip any any
!
end
R2#exit
R7#
112
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 5.3
4 Points

o Set up an ACS user named user5.3. Have the ACS provide
following:
----------------------------------PAE
= AUTHENTICATOR
PortControl
= AUTO
ControlDirection
= Both
HostMode
= MULTI_HOST
ReAuthentication
= Disabled
QuietPeriod
= 3
ServerTimeout
= 30
SuppTimeout
= 30
ReAuthPeriod
ReAuthMax
= 2
MaxReq
= 2
TxPeriod
= 5
RateLimitPeriod
= 0
Auth-Fail-Vlan
= 6
= 3
Guest-Vlan
= 11
Port Status
Authorized By
Vlan Policy
= AUTHORIZED
= Guest-Vlan
= 11
113
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
114
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
115
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

eq radius
SW3(config-if)#dot1x host-mode multi-host
SW3(config-if)#spanning-tree portfast
SW3(config-if)#interface Vlan4
SW3(config-if)#ip radius source-interface Vlan4
SW3(config)#radius-server host 50.50.4.101 auth-port 1645 acct-port 1646
SW3(config)#radius-server source-ports 1645-1646
SW3(config)#exit
116
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
SW3#test aaa group radius user5.3 cisco legacy


----------------------------------PAE
= AUTHENTICATOR
PortControl
= AUTO
ControlDirection
= Both
HostMode
= MULTI_HOST
ReAuthentication
= Disabled
QuietPeriod
= 3
ServerTimeout
= 30
SuppTimeout
= 30
ReAuthPeriod
ReAuthMax
= 2
MaxReq
= 2
TxPeriod
= 5
RateLimitPeriod
= 0
Auth-Fail-Vlan
= 6
= 3
Guest-Vlan
= 11
Port Status
= UNAUTHORIZED
SW3#
03:59:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18,
changed state to up
----------------------------------PAE
= AUTHENTICATOR
PortControl
= AUTO
ControlDirection
= Both
HostMode
= MULTI_HOST
ReAuthentication
= Disabled
QuietPeriod
= 3
ServerTimeout
= 30
SuppTimeout
= 30
ReAuthPeriod
ReAuthMax
= 2
MaxReq
= 2
TxPeriod
= 5
RateLimitPeriod
= 0
Auth-Fail-Vlan
= 6
= 3
117
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Guest-Vlan
= 11

Port Status
= AUTHORIZED
Authorized By
Vlan Policy
= Guest-Vlan
= 11
SW3#
118
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 6:
Task 6.1
4 Points

Successful results will look similar to the following:
!.!.!.!.!.
R4#conf t
R4(config)#access-list 150 deny tcp host 1.1.1.1 any eq telnet
R4(config)#access-list 150 permit tcp any any eq telnet
R4(config)#class-map CMAP_CONTROL_PLANE
R4(config)#policy-map PMAP_CONTROL_PLANE
R4(config-pmap-c)# police 8000 conform transmit exceed drop
R4(config-pmap-c-police)# exit
R4(config-pmap)#control-plane
R4(config-cp)# service-policy input PMAP_CONTROL_PLANE
R4(config-cp)# exit
R4(config)#
May 1 20:53:30.425: %CP-5-FEATURE: Control-plane Policing feature enabled on
Control plane aggregate path
R4(config)#
!.!.!.!.!.
R1#ping 4.4.4.4 size 1000 repeat 10 source loopback 0
119
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

!!!!!!!!!!
R1#
Control Plane
police:
transmit
drop
drop
Match: any
R4#
120
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

R8(config)#class-map match-all CMAP_ICMP_UNREACHABLE
R8(config-cmap)#policy-map PMAP_ICMP_UNREACHABLE
R8(config-pmap)#class CMAP_ICMP_UNREACHABLE
R8(config-pmap)#access-list 151 deny icmp any 50.50.0.0 0.0.255.255 portunreachable
R8(config)#access-list 151 permit icmp any any port-unreachable
R8(config-cp)#service-policy output PMAP_ICMP_UNREACHABLE
R8(config-cp)#exit
121
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 7:
Task 7.1
Advanced Security
4 Points
Prevent the BB1 from being able to ping 50.50.4.50

Stop
this traffic before it reaches c1. Do not assign an access
BB1#ping 50.50.4.50
.!!!!
SW1(config)#ip access-list extended NO_PING_TO_C1_ACL
SW1(config-ext-nacl)# permit icmp host 50.50.4.11 host 50.50.4.50 echo
SW1(config-ext-nacl)#vlan access-map NO_PING_TO_C1_MAP 10
SW1(config-access-map)# action drop
SW1(config-access-map)# match ip address NO_PING_TO_C1_ACL
SW1(config-access-map)#vlan access-map NO_PING_TO_C1_MAP 20
SW1(config-access-map)# action forward
SW1(config-access-map)#vlan filter NO_PING_TO_C1_MAP vlan-list 2
SW1(config)#exit
BB1#ping 50.50.4.50
.....

Do not use any line, AAA or control plane commands for this
task.
R8#telnet 1.1.1.1
R1#exit
R8(config)#ip local policy route-map NO_OUTBOUND_TELNET
R8(config)#ip access-list extended NO_OUTBOUND_TELNET
R8(config-ext-nacl)#permit tcp any any eq telnet log
R8(config)#route-map NO_OUTBOUND_TELNET permit 10
R8(config-route-map)#match ip address NO_OUTBOUND_TELNET
R8(config)#end
R8#telnet 1.1.1.1
Trying 1.1.1.1 ...
122
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
*May 1 21:43:41.624: %SEC-6-IPACCESSLOGP: list NO_OUTBOUND_TELNET permitted

tcp 50.50.11.8(27244) -> 1.1.1.1(23), 1 packet
R8#ping 7.7.7.7
!!!!!
Configure R5 to do the following:

o Rate Limit FTP and ICMP traffic destined to the
50.50.4.0/24 network to 10,000 bps.
o Drop the traffic that exceeds this rate.
o Limit the burst to 8000 bps.
o Rate Limit telnet in the same fashion, with the exception
that if the rate limit is exceeded for telnet, forward
the packet with precedence of network control.
o Apply this policy to Fa0/0 only.
Successful results will look similar to the following.
!!!!.!!!!.
R5#
R5(config)#policy-map R5_OUTBOUND_FA0/0
R5(config-pmap)#class FTP_ICMP_TO_50.50.4.0
R5(config-pmap-c-police)#conform-action transmit
R5(config-pmap-c-police)#exceed-action drop
R5(config-pmap-c-police)#violate-action drop
R5(config-pmap-c)#class TELNET_TO_50.50.4.0
R5(config-pmap-c-police)#conform-action transmit
R5(config-pmap-c-police)#exceed-action set-prec-transmit 7
R5(config-pmap-c-police)#violate-action set-prec-transmit 7
R5(config-pmap)#interface FastEthernet0/0
R5(config-if)#service-policy output R5_OUTBOUND_FA0/0
R5(config-if)#exit
R5(config)#ip access-list extended FTP_ICMP_TO_50.50.4.0
R5(config-ext-nacl)#permit tcp any 50.50.4.0 0.0.0.255 eq ftp
123
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
R5(config-ext-nacl)#permit icmp any 50.50.4.0 0.0.0.255

R5(config)#ip access-list extended TELNET_TO_50.50.4.0
R5(config-ext-nacl)#permit tcp any 50.50.4.0 0.0.0.255 eq telnet
R5(config)#exit
!!!!.!!!!.
R5#
FastEthernet0/0
Service-policy output: R5_OUTBOUND_FA0/0
Class-map: FTP_ICMP_TO_50.50.4.0 (match-all)
Match: access-group name FTP_ICMP_TO_50.50.4.0
police:
transmit
drop
drop
Class-map: TELNET_TO_50.50.4.0 (match-all)
Match: access-group name TELNET_TO_50.50.4.0
police:
transmit
set-prec-transmit 7
set-prec-transmit 7
Match: any
124
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc

with the MAC address of 1001.2002.3003 to be connected to
port FA0/23. If there is a violation, shut down the port.
The switch should automatically re-enable the port after 30
seconds if there is no longer a violation.

SW3(config-if)#switchport port-security
SW3(config-if)#switchport port-security mac-address 0001.0002.0003

store these in the running configuration. Do not shutdown
the port, and do not create a syslog message if there is a
violation.
SW1(config)#interface range fa 0/1, fa0/4

SW1(config-if-range)# switchport port-security maximum 1
SW1(config-if-range)# switchport port-security mac-address sticky
SW1(config-if-range)# switchport port-security violation protect
125
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Task 7.2
4 Points
On c1, do not permit MSN games or MSN file-transfer traffic

to go through the firewall. Other types of MSN P2P traffic
should be allowed. Apply this policy inbound on all
interfaces.
ASA1/c1(config)# class-map type inspect im match-all

CMAP_INS_IM_MSN_GAMES_WEBCAM
ASA1/c1(config-cmap)# match protocol msn-im
ASA1/c1(config-cmap)# match service games webcam
ASA1/c1(config)# policy-map type inspect im PMAP_INS_IM_MSN_GAMES_WEBCAM
ASA1/c1(config-pmap)# parameters
ASA1/c1(config-pmap-p)# class CMAP_INS_IM_MSN_GAMES_WEBCAM
ASA1/c1(config-pmap-c)# drop-connection log
ASA1/c1(config-pmap-c)# inspect im PMAP_INS_IM_MSN_GAMES_WEBCAM
ASA1/c1(config)# show service-policy
Global policy:
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: im PMAP_INS_IM_MSN_GAMES_WEBCAM, packet 513, drop 0, resetdrop 0
126
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
Section 8:
Task 8.1
4 Points

o Do not allow any non-initial TCP, UDP or ICMP fragments
in from BB2.
o Deny this traffic and log it.
o Generate log messages for each and any unreachable
messages that R2 may receive from BB2, but do not drop
it.
R2(config)#access-list 150 deny tcp any any fragment log-input
R2(config)#access-list 150 deny udp any any fragment log-input
R2(config)#access-list 150 deny icmp any any fragment log-input
R2(config)#access-list 150 permit ICMP any any unreachable log-input
R2(config-if)#exit
BB2#ping 2.2.2.2
!!!!!
BB2#ping 2.2.2.2 size 1501
.....
BB2#
R2#
(FastEthernet0/0 0017.0eaf.d700) -> 2.2.2.2 (0/0), 1 packet
R2#
!
!
!
10 deny tcp any any log-input fragments
20 deny udp any any log-input fragments
30 deny icmp any any log-input fragments (5 matches)
127
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
40 permit icmp any any unreachable log-input

R2#

below.
o
slippery?task
o root.exe
Drop this traffic outbound on Fa0/1.
R3(config)#class-map match-any CMAP_HTTP_URL

R3(config-cmap)#match protocol http url "*slippery?task*"
R3(config)#policy-map PMAP_MARK_INBOUND
R3(config-pmap)#class CMAP_HTTP_URL
R3(config-pmap)#int Fa0/0
R3(config-if)#service-policy input PMAP_MARK_INBOUND
R3(config-if)#exit
R3(config)#access-list 123 deny ip any any dscp 5 log
R3(config-if)#exit
R3(config)#
R2#copy http://8.8.8.8/slippery?task null:
%Error opening http://8.8.8.8/slippery?task (I/O error)
R2#
R3#show policy-map int fa0/0
FastEthernet0/0
Service-policy input: PMAP_MARK_INBOUND
Class-map: CMAP_HTTP_URL (match-any)
Match: protocol http url "*slippery?task*"
5 minute rate 0 bps
0 packets, 0 bytes
5 minute rate 0 bps
QoS Set
128
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
dscp 5
Packets marked 5
Match: any
R3#show access-list 123

10 deny ip any any dscp 5 log (5 matches)
Configure R2 to drop all IP options, but do not use an accesslist for this task.
R2(config)#ip options drop
BB2#ping
Protocol [ip]:
Repeat count [5]:
Source address or interface:
Loose, Strict, Record, Timestamp, Verbose[none]: t
Number of timestamps [ 9 ]: 2
>>Current pointer<<
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Request
Request
Request
Request
Request
Success
BB2#
0 timed
1 timed
2 timed
3 timed
4 timed
rate is
Task 8.2
out
out
out
out
out
0 percent (0/5)
4 Points
129
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.03.09.05.kb.r04.09.05.doc
On ASA2, prevent VLAN 3 hosts from spoofing source

addresses owned by other devices in the 50.50.0.0/16 space.
Do not use an access-list as part of this task.
ASA2(config)# ip verify reverse-path interface inside
On c1, deny non initial IP fragments on the outside

interface. Do not use the keyword fragment in any accesslist.
ASA1/c1(config)# fragment chain 1 outside
ASA1/c1(config)# show fragment
Interface: outside
Size: 200, Chain: 1, Timeout: 5, Reassembly: virtual
Queue: 0, Assembled: 0, Fail: 0, Overflow: 0
Interface: inside
Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
Queue: 0, Assembled: 0, Fail: 0, Overflow: 0
130
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
LAB 4
Instructions
cannot be changed.
often!
task.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Sections:
1.ASA Firewalls
2.IOS Firewalls
3.VPNs
4.IPS
7.Advanced Security
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
ACS PC
.101
R1
BB1
.99
VLAN 168
192.168.2.0
SW2
.11
VLAN 77
G0/0
VLAN 99
172.16.99.0
Inside
E0/0.v
DMZ1
E0/0.v
172.16.77.0
IPS C&C
.50
ASA1
VLAN 44
172.16.44.0
DMZ2
E0/0.v
R4
Outside
E0/0.v
R7
VLAN 22
24.234.22.0
VLAN 252
24.234.252.0
BB2
R2
.252
SW1
.11
EIGRP1
Frame Relay
24.234.100.0
Outside
E0/0.v
VLAN 111
24.234.111.0
R6
C1
Inside
E0/0.v
VLAN 121
24.234.121.0
R3
VLAN 222
24.234.222.0
Outside
E0/0.v
C2
Inside
E0/0.v
VLAN 88
172.16.88.0
VLAN 55
172.16.55.0
R8
R5

www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
SW1
Fa0/1
Fa0/0
R1
Fa0/1
Fa0/1
SW2
SW1
Fa0/2
Fa0/0
R2
Fa0/1
Fa0/2
SW2
SW1
Fa0/3
Fa0/0
R3
Fa0/1
Fa0/3
SW2
SW1
Fa0/4
Fa0/0
R4
Fa0/1
Fa0/4
SW2
SW1
Fa0/5
Fa0/0
R5
Fa0/1
Fa0/5
SW2
SW1
Fa0/6
Fa0/0
R6
Fa0/1
Fa0/6
SW2
SW1
Fa0/9
Fa0/0
BB1
Fa0/1
Fa0/9
SW2
SW1
Fa0/10
Fa0/0
BB2
Fa0/1
Fa0/10
SW2
SW1
Fa0/12
E0/0
E0/2
Fa0/12
SW2
Fa0/14
SW2
E0/3
Fa0/17
SW2
E0/2
Fa0/18
SW2
E0/3
Fa0/23
SW2
ASA01
Gi0/0: sense
SW1
Fa0/14
SW1
Fa0/17
E0/1
SW1
Fa0/18
E0/0
IDS
IDS
Gi0/1: c&c
ASA01
ASA02
SW1
E0/1
Fa0/23
ASA02
SW1
SW2
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Sensor Int.
G0/0
Fa1/0
Fa1/1
Fa1/2
Fa1/3
Connected to:
SW1 Fa0/14
SW3 Fa0/4
SW3 Fa0/3
SW3 Fa0/2
SW3 Fa0/1
Fas0/0
2811
SW3
SW4
Fas0/17
SW3
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Fas0/1
R7
Fas0/17
SW4
ACS PC SW1 Fa0/24
192.168.2.101
Fas0/0
2811
Fas0/1
R8
SW3

192.168.2.102
Fas0/18
SW4
Fas0/18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 1:
Task 1.1
ASA Firewalls
4 Points

Name
Inside
Outside
DMZ1
DMZ2
Interface
E0/0.168
E0/0.22
E0/0.77
E0/0.44

Default
192.168.2.100/24
Default
24.234.22.100/24
50
172.16.77.100/24
50
172.16.44.100/24
VLAN
168
22
77
44

are reachable. You are allowed to inspect ICMP for this
task.
Create a static route to 172.16.99.0/24 network. Ensure
that this route is propagated throughout the EIGRP AS.
With a single command, allow all traffic between DMZ1 and
DMZ2.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 1.2
4 Points

Context
c1
c1
c2
c2
Name
Inside
Outside
Inside
Outside
Interface
E0/0.88
E0/0.111
E0/0.55
E0/0.222
Security Level
Default
Default
Default
Default
IP Address
172.16.88.200/24
24.234.111.200/24
172.16.55.200/24
24.234.222.200/24

next hop.
Configure ICMP inspection in the global policy, using only
a single command.
Verify that the inside networks can ping to the outside.
www.ccbootcamp.com
Toll Free 877.654.2243
VLAN
88
111
55
222
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 1.3
4 Points
Configure ASA1 so that hosts on the DMZ2 network can telnet

to R7 on port 2323 using address 172.16.44.7. Do not use an
ACL to accomplish this.
The ACS server should be reachable on the outside of ASA1
with an address of 24.234.22.101.
When ASA1 inside hosts attempt to connect to 192.168.2.200
they should be redirected to R4. You are not allowed to use
any static or nat commands to accomplish this.
Context c2 should require a translation for traffic to
traverse the firewall.
Outgoing traffic from the 172.16.55.0 network should be
translated to the outside interface address of context c2
unless it is destined for BB2. The BB2 traffic should be
translated to 24.234.222.5.
Task 1.4
4 Points
On c2, ensure that ftp traffic conforms to RFCs. If the

GET command is used, the connection should be logged and
dropped.
HTTP traffic from the inside network on c2 should be
allowed, but dropped and logged if the string attacker is
seen.
Ensure that R8 can only open one telnet connection at a
time to R2.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 2:
IOS Firewalls
Task 2.1 (4 Points

outside zone with fa0/0.121 as the inside and s0/0/0 as the
outside. The policy for the firewall should be as follows:
Policy direction
Inside->Outside
Permit
Telnet
HTTP
ICMP
Outside->Inside
ICMP
Telnet
Limits
All TCP connections
should time out if
idle for longer than
10 seconds
Only 1 telnet
connection should be
allowed at any time
Verify your policy when complete.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 2.2
4 Points
On R4, explicitly deny any incoming traffic on fa0/0.44.

The denied traffic should be logged.
Telnet, FTP, HTTP and ICMP from the VLAN99 network should
be dynamically allowed to return.
Telnet should time out after 30 seconds of inactivity.
HTTP session information should be logged.
The hashtable should be set to maximum size.
No more than 200 half open sessions should be allowed per
host.
Task 2.3
4 Points
Configure R8 to discover protocols on its fa0/0.88

interface
Drop any bitorrent traffic incoming on fa0/0.88
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points

R2 and R6 should sync their time to R1.
Task 3.2
4 Points
Configure R1 as a CA server called CA1.

The server should allow auto enrollment via http.
Certificates should be automatically granted.
Certificate lifetime should be 180 days.
The issuer name should be R1.ccbootcamp.com with a
location of LV and country of US.
Enroll R2 and R6 with the newly create CA
Task 3.3
4 Points

Key server: R1
Member servers: R2 and R6
Crypto policy on server: ICMP between ASA1 outside
interface and context c1 outside interface
10
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
IKE Phase 1: DH2, RSA-Sig, AES, SHA

GDOI policy: 3DES, SHA
Rekey policy: Unicast, 30 minute lifetime
Task 3.4
4 Points
Configure R7 as an ezvpn server with the following

settings:
o For IKE phase 1 use pre-shared keys, AES, SHA and group
2.
o For phase 2 use 3des and MD5.
o Clients should receive an IP from the pool 172.16.177.50150.
o Only traffic for the 7.7.7.0/24 network should go through
the tunnel.
o Password data should be saved on the client.
o A static route should be created for the client address.
Create loopback 44 on R4 with the IP 4.4.4.4/24.
Setup R4 as an ezvpn client and connect to R7.
11
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 4: IPS
Task 4.1
4 Points

IP Address
Gateway
Managed by
172.16.77.50
172.16.77.100
192.168.2.101
Mgmt. SSL
port
44443
Verify that you can connect to and manage the IPS from the
ACS server. You are allowed to make necessary changes to
ASA1 and add a route to the ACS server to accomplish this.
Enable telnet management.
Create sig1, rules1, and ad1 which should be clones of the
existing sig0, rules0 and ad0.
Create virtual sensor vs1 and assign sig1, rules1 and ad1
to it.
Task 4.2
4 Points
Setup interface fa1/0 to protect traffic between the

outside interface of context c1 and R6 fa0/0.111. You are
allowed to create an additional VLAN to accomplish this.
outside interface for context c2 and R6 fa0/0.222. You are
Assign the c1->R6 traffic to vs0 and the c2->R6 traffic to
vs1.
Verify that both context c1 and c2 have connectivity to r6.
12
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 4.3
4 Points
Modify an existing signature so that an alert will be

generated when R8 pings any host more than 100 times.
Task 4.4
4 Points
Create a single signature that will generate an alert and

deny the attacker for half an hour when any of the
following strings are detected in http traffic from the
VLAN 55 network:
o W0rm_
o Exploit.exe
o death (case insensitive)
Task 4.3
4 Points
If the ICMP echo signature tuned above is destined for

24.234.22.2 the action should be changed to deny the
packets inline. You cannot modify any signature to
accomplish this.
If the http string signature created above is triggered by
R5, it should not be denied. Only an alert should be
generated. You may not modify any signature to accomplish
this.
13
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 5:
Task 5.1
Identity Management
4 Points
Configure the ACS server to connect to a generic LDAP

database at 192.168.2.50. Use the following information:
o The organization is ccbootcamp.com
o The users to be authenticated are in the employees ou.
o The groups they are a part of are in the groups ou.
o Usernames are identified by the uid and are identified as
users by the Person attribute.
o Groups are identified by their cn and identified as
groups by the GroupName attribute.
o The list of users belonging to a group is stored in
GroupMembers record.
o The admin account is called admin and is found under
the it ou in users.ccbootcamp.com. The password is
cisco.
Task 5.2
4 Points
Authenticate access to R2 using the ACS server at

24.234.22.101. Create two users with the following
attributes:
User
R2Admin
R2Restricted
Access
All commands
All show commands
Can only ping 24.234.100.6
No other command access
Task 5.3 4 Points

Make R5 reachable on the outside of context c2 as
24.234.222.5.
Outside hosts should not be allowed to ping to R5 unless
they first telnet to an address of 24.234.222.150 and
authenticate. Create a user on the ACS server called
c2user to accomplish this.
14
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 6:
Task 6.1
4 Points
Configure R2 to generate an alert when the CPU utilization

exceeds 75% for a period of 10 seconds.
The alerts should be sent to the ACS server using a
community string of cisco
R2 should only allow incoming icmp or telnet traffic on the
fa0/0.252 interface. You may not use an access list to
accomplish this.
15
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 7.1
4 Points
If R6 attempts to telnet to ASA1, R2 should drop this

traffic. You are not allowed to apply an ACL to any
interface or use a policy map to accomplish this.
Task 7.3
4 Points
On R6, ensure that outgoing ICMP is guaranteed 25% of

interface bandwith.
Outgoing ssh traffic should be given priority and
guaranteed 50% of interface bandwith.
Outgoing telnet should be identified but not guaranteed
bandwidth.
16
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 8:
Task 8.1
4 Points
Using ASA1, protect the ACS server from SYN flood attacks
originating from the outside. Half open TCP connections
should be limited to no more than 200 total and no more
than 50 per host. You may not use a policy-map to
accomplish this.
R7 will be functioning as a DNS server. Allow it to be
reachable for DNS traffic at 24.234.22.7 but protect it
from attacks based on its weak DNS transaction ID. Also
only allow one DNS response per query.
Task 8.2
4 Points
Configure R2 to drop all TCP Option based attacks. You may

R2 should dynamically block IP spoofing on its s0/0/0
interface. Packets dropped by the protection should be
logged. Do not apply an ACL directly to an interface to
accomplish this.
A DoS attack is flooding UDP and ICMP traffic into the
24.234.100.0/24 network via R2. Configure R2 to rate limit
this traffic to no more than 10% of s0/0/0s bandwidth.
Solutions Guide on next page.
17
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 1:
Task 1.1
ASA Firewalls
4 Points

Name
Inside
Outside
DMZ1
DMZ2
Interface
E0/0.168
E0/0.22
E0/0.77
E0/0.44

Default
192.168.2.100/24
Default
24.234.22.100/24
50
172.16.77.100/24
50
172.16.44.100/24
VLAN
168
22
77
44

are reachable. You are allowed to inspect ICMP for this
task.
Create a static route to 172.16.99.0/24 network. Ensure
that this route is propagated throughout the EIGRP AS.
With a single command, allow all traffic between DMZ1 and
DMZ2.
ASA1(config)# int e0/0.168
ASA1(config-subif)# nameif Inside
ASA1(config-subif)#
ASA1(config-subif)# int e0/0.22
ASA1(config-subif)# nameif Outside
ASA1(config-subif)#
ASA1(config-subif)# nameif DMZ1
ASA1(config-subif)# security-level 50
ASA1(config-subif)#
18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc

ASA1(config-subif)#
ASA1(config-subif)# int e0/0
ASA1(config)# fixup protocol icmp
ASA1(config)# route DMZ2 172.16.99.0 255.255.255.0 172.16.44.4
ASA1(config)# router eigrp 1
ASA1(config-router)# redistribute static
ASA1(config)# same-security-traffic permit inter-interface
Verification:
ASA1# sho route (Codes cut)
D EX 172.16.55.0 255.255.255.0 [170/2172928] via 24.234.22.2, 0:07:41,
Outside
C
172.16.44.0 255.255.255.0 is directly connected, DMZ2
S
172.16.99.0 255.255.255.0 [1/0] via 172.16.44.4, DMZ2
D EX 172.16.88.0 255.255.255.0 [170/2172928] via 24.234.22.2, 0:07:41,
Outside
C
172.16.77.0 255.255.255.0 is directly connected, DMZ1
D
24.234.252.0 255.255.255.0 [90/28672] via 24.234.22.2, 0:07:54, Outside
D
24.234.222.0 255.255.255.0 [90/2172928] via 24.234.22.2, 0:07:41,
Outside
D
24.234.121.0 255.255.255.0 [90/2172928] via 24.234.22.2, 0:07:41,
Outside
D
24.234.100.0 255.255.255.0 [90/2170368] via 24.234.22.2, 0:07:54,
Outside
D
24.234.111.0 255.255.255.0 [90/2172928] via 24.234.22.2, 0:07:41,
Outside
C
24.234.22.0 255.255.255.0 is directly connected, Outside
C
192.168.2.0 255.255.255.0 is directly connected, Inside
ASA1# ping 24.234.100.6
!!!!!
ASA1# ping 24.234.100.3
!!!!!
ASA1# ping 24.234.100.2
!!!!!
19
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
R6#sho ip route (Codes cut)

172.16.55.0 [1/0] via 24.234.222.200
172.16.99.0 [170/2172672] via 24.234.100.2, 00:05:29, Serial0/0/0
172.16.88.0 [1/0] via 24.234.111.200
24.234.252.0 [90/2172416] via 24.234.100.2, 00:09:15, Serial0/0/0
24.234.121.0 [90/2172416] via 24.234.100.3, 00:17:33, Serial0/0/0
24.234.22.0 [90/2172416] via 24.234.100.2, 00:09:16, Serial0/0/0
EX 192.168.2.0/24 [170/2172416] via 24.234.100.2, 00:09:16, Serial0/0/0
S
D EX
S
D
C
D
C
C
D
D
R7#ping 172.16.44.4
!!!!!
20
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 1.2
4 Points

Context
c1
c1
c2
c2
Name
Inside
Outside
Inside
Outside
Interface
E0/0.88
E0/0.111
E0/0.55
E0/0.222
Security Level
Default
Default
Default
Default
IP Address
172.16.88.200/24
24.234.111.200/24
172.16.55.200/24
24.234.222.200/24

next hop.
Configure ICMP inspection in the global policy, using only
a single command.
Verify that the inside networks can ping to the outside.
ASA2(config-if)#
ASA2(config-subif)#
ASA2(config-subif)#
ASA2(config-subif)#
ASA2(config-subif)#
ASA2(config-subif)# admin admin
ASA2(config)#
ASA2(config)# context admin
ASA2(config-ctx)# config-url disk0:admin.cfg
WARNING: Could not fetch the URL disk0:/admin.cfg
21
www.ccbootcamp.com
Toll Free 877.654.2243
VLAN
88
111
55
222
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
ASA2(config)#
ASA2(config-ctx)# allocate-interface Ethernet0/0.88
ASA2(config-ctx)# config-url disk0:/c1.cfg
ASA2(config-ctx)#
ASA2(config-ctx)#
ASA2(config-ctx)# changeto context c1
ASA2/c1(config)#
ASA2/c1(config)# interface e0/0.88
ASA2/c1(config-if)# nameif Inside
ASA2/c1(config-if)#
ASA2/c1(config-if)# interface e0/0.111
ASA2/c1(config-if)# nameif Outside
ASA2/c1(config-if)#
ASA2/c1(config-if)# route outside 0 0 24.234.111.6
ASA2/c1(config)#
ASA2/c1(config)# fixup protocol icmp
ASA2/c1(config)#
ASA2/c1(config)# changeto context c2
ASA2/c2(config)#
ASA2/c2(config)# interface e0/0.55
ASA2/c2(config-if)#
ASA2/c2(config-if)# interface e0/0.222
ASA2/c2(config-if)#
ASA2/c2(config)#
Verification:
22
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
R5#ping 24.234.22.2
!!!!!
R8#ping 24.234.22.2
!!!!!
23
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 1.3
4 Points
Configure ASA1 so that hosts on the DMZ2 network can telnet

to R7 on port 2323 using address 172.16.44.7. Do not use an
ACL to accomplish this.
with an address of 24.234.22.101.
When ASA1 inside hosts attempt to connect to 192.168.2.200
they should be redirected to R4. You are not allowed to use
any static or nat commands to accomplish this.
Context c2 should require a translation for traffic to
traverse the firewall.
Outgoing traffic from the 172.16.55.0 network should be
translated to the outside interface address of context c2
unless it is destined for BB2. The BB2 traffic should be
translated to 24.234.222.5.
ASA1(config)# static (DMZ1,DMZ2) tcp 172.16.44.7 2323 172.16.77.7 telnet
ASA1(config)# alias (inside) 192.168.2.200 172.16.44.4 255.255.255.255
ASA2/c2(config)#
ASA2/c2(config)#
ASA2/c2(config)#
ASA2/c2(config)#
24.234.252.252
ASA2/c2(config)#
ASA2/c2(config)#
nat-control
nat (inside) 1 172.16.55.0 255.255.255.0
global (outside) 1 interface
access-list NAT permit ip 172.16.66.0 255.255.255.0 host
nat (inside) 2 access-list NAT
Verification:
R4#telnet 172.16.44.7 2323
Trying 172.16.44.7, 2323 ... Open

Password:
R7>
ASA1# sho xlate
PAT Global 172.16.44.7(2323) Local 172.16.77.7(23)
Global 24.234.22.101 Local 192.168.2.101
24
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Global 192.168.2.200 Local 172.16.44.4
R1#telnet 192.168.2.200
Trying 192.168.2.200 ... Open

Password:
R4>
R5#ping 24.234.22.2
!!!!!
R5#
ASA2/c2(config)# sho xlate detail
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
r - portmap, s - static
ICMP PAT from Inside:172.16.55.5/2 to Outside:24.234.222.200/12327 flags ri
R5#ping 24.234.252.252
.!!!!
ASA2/c2(config)# sho xlate
PAT Global 24.234.222.5(48105) Local 172.16.55.5 ICMP id 6
25
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 1.4
4 Points
On c2, ensure that ftp traffic conforms to RFCs. If the

GET command is used, the connection should be logged and
dropped.
HTTP traffic from the inside network on c2 should be
allowed, but dropped and logged if the string attacker is
seen.
Ensure that R8 can only open one telnet connection at a
time to R2.
ASA2/c2(config)# class-map type inspect ftp GET
ASA2/c2(config-cmap)# match request-command get
ASA2/c2(config)# policy-map type inspect ftp GET
ASA2/c2(config-pmap)# class GET
ASA2/c2(config-pmap-c)# reset log
ASA2/c2(config-pmap-c)# inspect ftp strict GET
ASA2/c2(config)# regex attacker "attacker"
ASA2/c2(config)# class-map type inspect http ATTACKER
ASA2/c2(config-cmap)# match request uri regex attacker
ASA2/c2(config)# policy-map type inspect http ATTACKER
ASA2/c2(config-pmap)# class ATTACKER
ASA2/c2(config-pmap-c)# inspect http ATTACKER
ASA2/c1(config)# access-list R8_TELNET permit tcp host 172.16.88.8 host
24.234.100.2
ASA2/c1(config)# class-map R8_TELNET
ASA2/c1(config-cmap)# match access-list R8_TELNET
ASA2/c1(config-pmap)# class R8_TELNET
ASA2/c1(config-pmap-c)# set connection per-client-max 1
Verification:
26
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
ASA2/c2# sho service-policy inspect ftp

Global policy:
Inspect: ftp strict GET, packet 0, drop 0, reset-drop 0
class GET
reset log, packet 0
R5#copy http://24.234.222.6/attacker null:

%Error opening http://24.234.222.6/attacker (I/O error)
%ASA-5-415006: HTTP - matched Class 20: ATTACKER in policy-map ATTACKER, URI
matched - Dropping connection from Inside:172.16.55.5/32171 to
Outside:24.234.222.6/80
R8#telnet 24.234.100.2
Trying 24.234.100.2 ... Open

Password:
R2>
R8#sho sessions
Conn Host
* 1 24.234.100.2
Address
24.234.100.2
Byte
0
Idle Conn Name

0 24.234.100.2
R8#telnet 24.234.100.2
Trying 24.234.100.2 ...
%ASA-3-201013: Per-client connection limit exceeded 1/1 for input packet from
172.16.88.8/27183 to 24.234.100.2/23 on interface Inside
27
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 2:
IOS Firewalls
Task 2.1 (4 Points

Policy direction
Inside->Outside
Permit
Telnet
HTTP
ICMP
Outside->Inside
ICMP
Telnet
Limits
All TCP connections
should time out if
idle for longer than
10 seconds
Only 1 telnet
connection should be
allowed at any time
Verify your policy when complete.

R3(config)#zone security Outside
R3(config)#
R3(config-subif)#zone-member security Inside
R3(config-subif)#int s0/0/0
R3(config-if)#zone-member security Outside
R3(config-if)#exit
R3(config)#parameter-map type inspect INSIDE_OUTSIDE
R3(config-profile)#tcp idle-time 10
R3(config-profile)#exit
R3(config)#
R3(config)#class-map type inspect match-any INSIDE_OUTSIDE
R3(config)#policy-map type inspect INSIDE_OUTSIDE
R3(config-pmap)#class INSIDE_OUTSIDE
R3(config-pmap-c)#inspect INSIDE_OUTSIDE
R3(config-pmap)#zone-pair security INSIDE_OUTSIDE source Inside destination
Outside
R3(config-sec-zone-pair)#service-policy type inspect INSIDE_OUTSIDE
28
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
R3(config-sec-zone-pair)#parameter-map type inspect OUTSIDE_INSIDE_TELNET

R3(config-profile)#sessions maximum 1
R3(config)#
R3(config)#class-map type inspect OUTSIDE_INSIDE_TELNET
R3(config)#class-map type inspect OUTSIDE_INSIDE_ICMP
R3(config)#policy-map type inspect OUTSIDE_INSIDE
R3(config-pmap)#class OUTSIDE_INSIDE_TELNET
R3(config-pmap-c)#inspect OUTSIDE_INSIDE_TELNET
R3(config-pmap)#class OUTSIDE_INSIDE_ICMP
R3(config-pmap-c)#inspect
R3(config-pmap-c)#
R3(config-pmap-c)#zone-pair security OUTSIDE_INSIDE source Outside
destination Inside
R3(config-sec-zone-pair)#service-policy type inspect OUTSIDE_INSIDE
Verification:
SW1#ping 24.234.100.6
!!!!!
SW1#telnet 24.234.100.6
Trying 24.234.100.6 ... Open

Password:
R6>
R6#telnet 24.234.121.11
Trying 24.234.121.11 ... Open
Password:
SW1>
R6#sho sessions
Conn Host
* 1 24.234.121.11
Address
24.234.121.11
Byte
0
Idle Conn Name

0 24.234.121.11
R6#telnet 24.234.121.11
Trying 24.234.121.11 ... Open
29
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 2.2
4 Points
On R4, explicitly deny any incoming traffic on fa0/0.44.

The denied traffic should be logged.
Telnet, FTP, HTTP and ICMP from the VLAN99 network should
be dynamically allowed to return.
Telnet should time out after 30 seconds of inactivity.
HTTP session information should be logged.
The hashtable should be set to maximum size.
No more than 200 half open sessions should be allowed per
host.
R4(config)#ip access-list extended CBAC
R4(config-ext-nacl)#deny ip any any log-input
R4(config-ext-nacl)#interface FastEthernet0/0.44
R4(config-subif)#ip access-group CBAC in
R4(config-subif)#exit
R4(config)#
R4(config)#logging buffered 6
R4(config)#ip inspect name CBAC telnet timeout 30
R4(config)#ip inspect name CBAC ftp
R4(config)#ip inspect name CBAC http audit-trail on
R4(config)#ip inspect hashtable-size 8192
CBAC: Changing Hashlen from 1024 to 8192
R4(config)#ip inspect tcp max-incomplete host 200
R4(config)#
R4(config-subif)#ip inspect CBAC in
Verification:
ASA1# ping 172.16.99.99
?????
*May 4 17:16:07.663: %SEC-6-IPACCESSLOGDP: list CBAC denied icmp
172.16.44.100 (FastEthernet0/0.44 0019.e8d9.624e) -> 172.16.99.99 (8/0), 1
packet
30
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
BB1#ping 24.234.22.2
!!!!!
BB1#telnet 24.234.22.2
Trying 24.234.22.2 ... Open

Password:
R2>
31
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 2.3
4 Points
Configure R8 to discover protocols on its fa0/0.88

interface
Drop any bitorrent traffic incoming on fa0/0.88
R8(config-subif)#ip nbar protocol-discovery
R8(config)#class-map match-any TORRENT
R8(config-cmap)#match protocol bittorrent
R8(config)#policy-map BITTORRENT
R8(config-pmap)#class TORRENT
R8(config-subif)#service-policy in BITTORRENT
Verification:
R8#ping 24.234.111.6
.!!!!
R8#sho ip nbar protocol-discovery protocol icmp
FastEthernet0/0.88
Input
----Protocol
Packet Count
Byte Count
5min Bit Rate (bps)
5min Max Bit Rate (bps)
------------------------ -----------------------icmp
8
928
0
0
unknown
0
0
0
0
Total
8
928
0
0
Output
-----Packet Count
Byte Count
5min Bit Rate (bps)
-----------------------4
472
0
0
0
0
0
0
4
472
0
0
32
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
R8#sho policy-map interface fa0/0.88

FastEthernet0/0.88
Service-policy input: BITTORRENT
Class-map: TORRENT (match-any)
0 packets, 0 bytes
Match: protocol bittorrent
0 packets, 0 bytes
5 minute rate 0 bps
drop
33
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points

R2 and R6 should sync their time to R1.
ASA1(config)# access-list outside permit udp host 24.234.22.2 host
192.168.2.1 eq ntp
192.168.2.1 eq ntp
Verification:
R2#sho ntp status (output cut)
R6#sho ntp status (output cut)
34
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 3.2
4 Points

The server should allow auto enrollment via http.
Certificates should be automatically granted.
Certificate lifetime should be 180 days.
Enroll R2 and R6 with the newly create CA
192.168.2.1 eq www
192.168.2.1 eq www

R1(config)#
R1(config)#crypto key generate rsa export mod 1024
R1(config)#
Password:
May 6 00:42:18.461: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be
automatically granted.
Re-enter password:
35
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc

R1(cs-server)#
R1(cs-server)#exit
R1(config)#crypto pki trustpoint SELF_CA
R1(config)#crypto pki authenticate SELF_CA
Fingerprint MD5: E4954D67 AD66F3CC 5B919B79 9E010D01
Fingerprint SHA1: 059453E9 58AD2A10 516243BE 874C7999 9E1CFE8B
R1(config)#crypto pki enroll SELF_CA
%
Password:
Re-enter password:
% Include an IP address in the subject name? [no]: n
% The 'show crypto ca certificate SELF_CA verbose' commandwill show the
fingerprint.
R1(config)#
D592A2C7 BD7661F1 E1B48373 36898537
5A2BC763 4728D101 15A643C0 BF6FCD48 38E84B78
Authority

36
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc

%
Password:
May 6 00:46:30.592: RSA key size needs to be atleast 768 bits for ssh
version 2
May 6 00:46:30.592: %CRYPTO-6-AUTOGEN: Generated new 512 bit key pair
Re-enter password:
fingerprint.
R2(config)#
56AEC89D FA68C943 17B3CAAC 9A020920
6734D21A 6422FCB7 874D54C0 CE25A557 41D75E59
Authority

%
Password:
May 6 00:47:27.722:
version 2
RSA key size needs to be atleast 768 bits for ssh

37
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc

Re-enter password:
fingerprint.
R6(config)#
72495856 1A23F71E 2B5147F8 5107A1AE
FA8EC19B B8D474D6 D6AEAFAC 7164B2DD 4F66A354
Authority
38
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 3.3
4 Points

Key server: R1
Member servers: R2 and R6
Crypto policy on server: ICMP between ASA1 outside
interface and context c1 outside interface
IKE Phase 1: DH2, RSA-Sig, AES, SHA
GDOI policy: 3DES, SHA
Rekey policy: Unicast, 30 minute lifetime
R1(config-isakmp)#
R1(config-isakmp)#crypto ipsec transform-set GET esp-3des esp-sha-hmac
R1(cfg-crypto-trans)#crypto ipsec profile GET
R1(ipsec-profile)#set transform-set GET
R1(config)#
R1(config)#crypto gdoi group GET
R1(gdoi-local-server)#address ipv4 192.168.2.1
R1(gdoi-sa-ipsec)#profile GET
R1(gdoi-sa-ipsec)#exit
May 6 00:57:20.425: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
May 6 00:57:20.497: %GDOI-5-KS_REKEY_TRANS_2_UNI: Group GET transitioned to
Unicast Rekey.
R1(gdoi-local-server)#exit
39
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc

R2(config)#
R2(config)#
R2(config-crypto-map)#set group GET
R2(config-crypto-map)#!
R2(config)#int s0/0/0
R2(config-if)#crypto map map-group1
R6(config)#
R6(config)#
R6(config-crypto-map)#interface s0/0/0

192.168.2.1 eq 848
192.168.2.1 eq 848
Verification:
R2#sho crypto gdoi
GROUP INFORMATION
Group Name
Group Identity
: GET
: 1
40
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Rekeys received
IPSec SA Direction
Active Group Server
Group Server list
:
:
:
:
0
Both
192.168.2.1
192.168.2.1
GM Reregisters in
Rekey Received
: 2621 secs
: never
Rekeys received
Cumulative
After registration
: 0
: 0

R6#sho crypto gdoi
GROUP INFORMATION
Group Name
Group Identity
Rekeys received
IPSec SA Direction
Active Group Server
Group Server list
:
:
:
:
:
:
GET
1
0
Both
192.168.2.1
192.168.2.1
GM Reregisters in
Rekey Received
: 2543 secs
: never
Rekeys received
Cumulative
After registration
: 0
: 0

ASA1# ping 24.234.111.200

!!!!!
R2#sho crypto ipsec sa (Output cut)

41
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
#pkts
#pkts
#pkts
#send
compressed: 0, #pkts decompressed: 0

not compressed: 0, #pkts compr. failed: 0
not decompressed: 0, #pkts decompress failed: 0
errors 0, #recv errors 0
42
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 3.4
4 Points

settings:
2.
the tunnel.
Create loopback 44 on R4 with the IP 4.4.4.4/24.
Setup R4 as an ezvpn client and connect to R7.
ASA1(config)#
ASA1(config)#
eq isakmp
ASA1(config)#
eq 4500
ASA1(config)#
ASA1(config)#
ASA1(config)#
eq isakmp
ASA1(config)#
eq 4500
ASA1(config)#
ASA1(config)#
ASA1(config)#
access-list DMZ1 permit esp host 172.16.77.7 host 172.16.44.4

access-list DMZ1 permit udp host 172.16.77.7 host 172.16.44.4
access-list DMZ2 permit esp host 172.16.44.4 host 172.16.77.7

access-group DMZ1 in interface DMZ1

access-group DMZ2 in interface DMZ2
R7(config)#aaa authentication login EZVPN local
R7(config)#aaa authorization network EZVPN local
R7(config)#
R7(config)#username ezvpn password 0 ezvpn
R7(config)#
R7(config)#ip local pool EZVPN 172.16.177.50 172.16.177.150
R7(config)#
43
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
R7(config-isakmp)#encryption aes
R7(config)#
R7(config)#crypto ipsec transform-set EZVPN esp-3des esp-md5-hmac
R7(config)#
R7(config)#crypto isakmp client configuration group EZVPN
R7(config-isakmp-group)#pool EZVPN
R7(config-isakmp-group)#key ezvpn
R7(config)#
R7(config)#crypto dynamic-map EZVPN 1
R7(config-crypto-map)#set transform-set EZVPN
R7(config)#
R7(config)#
R7(config)#crypto map EZVPN client authentication list EZVPN
R7(config)#crypto map EZVPN isakmp authorization list EZVPN
R7(config)#crypto map EZVPN client configuration address respond
R7(config)#crypto map EZVPN 1 ipsec-isakmp dynamic EZVPN
R7(config)#
R7(config-subif)#crypto map EZVPN

R4(config-ext-nacl)#16 permit esp host 172.16.77.7 host 172.16.44.4
R4(config-ext-nacl)#17 permit udp host 172.16.77.7 host 172.16.44.4 eq isakmp
R4(config-ext-nacl)#18 permit udp host 172.16.77.7 host 172.16.44.4 eq 4500
R4(config)#
R4(config)#
R4(config)#crypto ipsec client ezvpn EZVPN
R4(config-crypto-ezvpn)#group EZVPN key ezvpn
R4(config-crypto-ezvpn)#username ezvpn password ezvpn
R4(config)#
R4(config)#ip route 7.7.7.0 255.255.255.0 172.16.44.100
44
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
R4(config)#
R4(config)#interface loopback 4
R4(config-if)#crypto ipsec client ezvpn EZVPN inside
R4(config-if)#exit
R4(config)#
R4(config-subif)#crypto ipsec client ezvpn EZVPN
Verification:
R4#sho crypto ipsec client ezvpn
Tunnel name : EZVPN
Outside interface: FastEthernet0/0.44
Mask: 255.255.255.255
Address
: 7.7.7.0
Mask
: 255.255.255.0
Protocol
: 0x0
Source Port: 0
Dest Port : 0
R4#ping 7.7.7.7 so l4
!!!!!
R4#sho crypto ipsec sa
interface: FastEthernet0/0.44
Crypto map tag: FastEthernet0/0.44-head-0, local addr 172.16.44.4
45
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 4: IPS
Task 4.1
4 Points

IP Address
Gateway
Managed by
172.16.77.50
172.16.77.100
192.168.2.101
Mgmt. SSL
port
44443
Enable telnet management.
to it.
sensor# setup
Current Configuration:
(cut)
Current time: Mon May
4 21:24:15 2009
Setup Configuration last modified: Mon May 04 15:36:40 2009

Enter host name[sensor]:
Enter telnet-server status[disabled]: enable
46
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc

No entries
Permit: 192.168.2.101/32
Permit:
(cut)
47
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
48
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
49
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 4.2
4 Points

outside interface of context c1 and R6 fa0/0.111. You are
outside interface for context c2 and R6 fa0/0.222. You are
Assign the c1->R6 traffic to vs0 and the c2->R6 traffic to
vs1.
Verify that both context c1 and c2 have connectivity to r6.
SW3(config-if)#sw trunk encap dot1q
SW3(config-if)#int fa0/3
R6(config-subif)#encapsulation dot1Q 112
R6(config-subif)#int fa0/0.222
50
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
51
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
52
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
53
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
ASA2/c1# ping 24.234.111.6

!!!!!
ASA2/c1# changeto context c2
ASA2/c2# ping 24.234.222.6
!!!!!
54
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 4.3
4 Points
Modify an existing signature so that an alert will be

generated when R8 pings any host more than 100 times.
55
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Verification:
R8#ping 24.234.111.6 repeat 101
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
56
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
57
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 4.4
4 Points
Create a single signature that will generate an alert and

deny the attacker for half an hour when any of the
following strings are detected in http traffic from the
VLAN 55 network:
o W0rm_
o Exploit.exe
o death (case insensitive)
58
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Verification:
R5#copy http://24.234.222.6/DeaTH null:
%Error opening http://24.234.222.6/DeaTH (I/O error)
R5#ping 24.234.222.6
.....
59
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 4.3
4 Points
If the ICMP echo signature tuned above is destined for

24.234.22.2 the action should be changed to deny the
packets inline. You cannot modify any signature to
accomplish this.
If the http string signature created above is triggered by
R5, it should not be denied. Only an alert should be
generated. You may not modify any signature to accomplish
this.
60
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
61
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Verification:
R8#ping 24.234.22.2 repeat 102
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!
R5#copy http://24.234.222.6/DeaTH null:

%Error opening http://24.234.222.6/DeaTH (No such file or directory)
R5#
R5#ping 24.234.22.2
!!!!!
62
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
63
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 5:
Task 5.1
Identity Management
4 Points
Configure the ACS server to connect to a generic LDAP

database at 192.168.2.50. Use the following information:
o The organization is ccbootcamp.com
o The users to be authenticated are in the employees ou.
o The groups they are a part of are in the groups ou.
o Usernames are identified by the uid and are identified as
users by the Person attribute.
o Groups are identified by their cn and identified as
groups by the GroupName attribute.
o The list of users belonging to a group is stored in
GroupMembers record.
o The admin account is called admin and is found under
the it ou in users.ccbootcamp.com. The password is
cisco.
64
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
65
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
66
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 5.2 (Access Control)
4 Points
Authenticate access to R2 using the ACS server at

24.234.22.101. Create two users with the following
attributes:
User
R2Admin
R2Restricted
Access
All commands
All show commands
Can only ping 24.234.100.6
No other command access

24.234.22.101 eq tacacs
R2(config)#tacacs-server host 24.234.22.101 key cisco
R2(config)#aaa authentication login ACS group tacacs+
R2(config)#aaa authorization exec ACS group tacacs+
R2(config)#aaa authorization commands 15 ACS group tacacs+
R2(config)#aaa authentication login CONSOLE none
R2(config-line)#login authentication ACS
R2(config-line)#authorization exec ACS
R2(config-line)#authorization commands 15 ACS
67
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
68
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
69
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
70
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Verification:
R6#telnet 24.234.100.2
Trying 24.234.100.2 ... Open
Username: R2Admin
Password:
R2#conf t
R2(config)#int fa0/0
R2(config-if)#exit
R2(config)#exit
R2#exit
End with CNTL/Z.

R6#telnet 24.234.100.2
Trying 24.234.100.2 ... Open
Username: R2Restricted
Password:
R2#conf t
R2#sho ip int br
Interface
Protocol
IP-Address
OK? Method Status

71
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
FastEthernet0/0
up
FastEthernet0/0.22
up
FastEthernet0/0.252
up
FastEthernet0/1
down
Serial0/0/0
up
Serial0/0/1
down
Serial0/1/0
down
Serial0/1/1
down
unassigned
YES NVRAM
up
24.234.22.2
YES NVRAM
up
24.234.252.2
YES NVRAM
up
unassigned
YES NVRAM
administratively down
24.234.100.2
YES NVRAM
up
unassigned
YES NVRAM
unassigned
YES NVRAM
unassigned
YES NVRAM
R2#ping 24.234.100.3
R2#ping 24.234.100.6
!!!!!
72
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 5.3 4 Points

Make R5 reachable on the outside of context c2 as
24.234.222.5.
Outside hosts should not be allowed to ping to R5 unless
they first telnet to an address of 24.234.222.150 and
authenticate. Create a user on the ACS server called
c2user to accomplish this.
73
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc

24.234.22.101 eq tacacs

ASA2/c2(config)#
ASA2/c2(config-aaa-server-group)# exit
ASA2/c2(config)# aaa-server ACS (outside) host 24.234.22.101 cisco
ASA2/c2(config)# access-list VIR_TEL permit icmp any host 24.234.222.5
74
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
ASA2/c2(config)#
telnet
ASA2/c2(config)#
ASA2/c2(config)#
ASA2/c2(config)#
ASA2/c2(config)#
ASA2/c2(config)#
ASA2/c2(config)#
telnet
ASA2/c2(config)#
access-list VIR_TEL permit tcp any host 24.234.222.150 eq

aaa authentication match VIR_TEL outside ACS
virtual telnet 24.234.222.150
static (inside,outside) 24.234.222.150 24.234.222.150
access-list outside permit icmp any host 24.234.222.5
access-list outside permit tcp any host 24.234.222.150 eq
Verification:
R6#ping 24.234.222.5
.....
R6#telnet 24.234.222.150
Trying 24.234.222.150 ... Open
Username: c2user
Password:

R6#ping 24.234.222.5
!!!!!
ASA2/c2# sho uauth

Current
Most Seen
Authenticated Users
1
1
Authen In Progress
0
1
user 'c2user' at 24.234.222.6, authenticated
absolute
timeout: 0:05:00
75
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 6:
Task 6.1
4 Points
Configure R2 to generate an alert when the CPU utilization

exceeds 75% for a period of 10 seconds.
The alerts should be sent to the ACS server using a
community string of cisco
R2 should only allow incoming icmp or telnet traffic on the
fa0/0.252 interface. You may not use an access list to
accomplish this.
R2(config)#snmp-server enable traps cpu threshold
R2(config)#snmp-server host 24.234.22.101 traps cisco cpu
R2(config)#process cpu threshold type total rising 75 interval 10
24.234.222.101 eq snmp
R2(config)#class-map match-any BB2
R2(config)#class-map match-all DROP
R2(config-cmap)#match any
R2(config)#policy-map BB2
R2(config-pmap)#class BB2
R2(config-pmap)#class DROP
R2(config-subif)#service-policy in BB2
Verification:
R2#sho snmp host
Notification host: 24.234.22.101
user: cisco
security model: v1
udp-port: 162
type: trap
BB2#ping 24.234.22.2
76
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
!!!!!
BB2#telnet 24.234.22.2
Trying 24.234.22.2 ... Open
Username: R2Admin
Password:
R2#exit
BB2#ssh -l R2Admin 24.234.22.2
BB2#

FastEthernet0/0.252
Service-policy input: BB2
Class-map: BB2 (match-any)
5 minute offered rate 0 bps
5 minute rate 0 bps
5 minute rate 0 bps
Class-map: DROP (match-all)
Match: any
drop
77
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 7: Advanced Security

Task 7.1
4 Points
If R6 attempts to telnet to ASA1, R2 should drop this

traffic. You are not allowed to apply an ACL to any
interface or use a policy map to accomplish this.
R2(config)#access-list 101 permit tcp host 24.234.100.6 host 24.234.22.100 eq
telnet
R2(config)#
R2(config)#route-map BAD_TELNET permit 10
R2(config-route-map)#match ip address 101
R2(config-route-map)#set interface null0
Verification:
R5#telnet 24.234.22.100
Trying 24.234.22.100 ...
R2#sho route-map
route-map BAD_TELNET, permit, sequence 10
Match clauses:
ip address (access-lists): 101
Set clauses:
Policy routing matches: 4 packets, 192 bytes
78
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 7.2 (TCP Intercept)
4 Points
Configure R6 to protect ONLY R5 and R8 against syn flood attacks. You may not
use CBAC to accomplish this.
Protection should occur when more than 200 half open connections are
attempted.
Protection should cease when half open connections drop below 100.
If there are more than 50 half-open connections in a minute they should be
dropped starting with the oldest.
When the number of half open connections in a one minute period goes below 25
dropping should cease.
The router should stop managing a tcp session if it is idle for 60 seconds.
R6(config)#access-list 101 permit tcp any host 24.234.222.5
R6(config)#access-list 101 permit tcp any host 172.16.88.8
R6(config)#
behavior
behavior
behavior
R6(config)#ip tcp intercept one-minute high 50
behavior
R6(config)#ip tcp intercept one-minute low 25
behavior
R6(config)#ip tcp intercept connection-timeout 30
behavior
79
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 7.3
4 Points
On R6, ensure that outgoing ICMP is guaranteed 25% of

interface bandwith.
Outgoing ssh traffic should be given priority and
guaranteed 50% of interface bandwith.
Outgoing telnet should be identified but not guaranteed
bandwidth.
R6(config)#class-map match-all ICMP
R6(config)#class-map match-all SSH
R6(config-cmap)#match protocol ssh
R6(config)#class-map match-all TELNET
R6(config)#policy-map OUTGOING
R6(config-pmap)#class ICMP
R6(config-pmap-c)#bandwidth percent 25
R6(config-pmap)#class SSH
R6(config-pmap-c)#priority percent 50
R6(config-pmap)#class TELNET
R6(config-pmap)#int s0/0/0
R6(config-if)#service-policy out OUTGOING
Verification:
R6#ping 24.234.22.2
!!!!!
R6#ssh -l donotwork 24.234.22.2
R6#telnet 24.234.22.2
Trying 24.234.22.2 ... Open
Username: R2admin
Password:
R2#exit
80
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc

Serial0/0/0
Service-policy output: OUTGOING
Class-map: ICMP (match-all)
Queueing
Bandwidth 25 (%)
1 packets, 48 bytes
Match: protocol ssh
Queueing
Strict Priority
Bandwidth 50 (%)
Match: any
81
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Section 8:
Task 8.1
4 Points
Using ASA1, protect the ACS server from SYN flood attacks
originating from the outside. Half open TCP connections
should be limited to no more than 200 total and no more
than 50 per host. You may not use a policy-map to
accomplish this.
R7 will be functioning as a DNS server. Allow it to be
reachable for DNS traffic at 24.234.22.7 but protect it
from attacks based on its weak DNS transaction ID. Also
only allow one DNS response per query.
ASA1(config)# no static (Inside,Outside) 24.234.22.101 192.168.2.101 netmask
255.255.255.255
ASA1(config)# static (Inside,Outside) 24.234.22.101 192.168.2.101 netmask
255.255.255.255 tcp 200 50
ASA1(config)# static (DMZ1,outside) 24.234.22.7 172.16.77.7
ASA1(config)# access-list outside permit tcp any host 24.234.22.7 eq 53
ASA1(config)# access-list outside permit udp any host 24.234.22.7 eq 53
ASA1(config)# policy-map type inspect dns preset_dns_map
ASA1(config-pmap-p)# dns-guard
ASA1(config-pmap-p)# id-randomization
82
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Verification:
ASA1(config)# sho service-policy global inspect dns

Global policy:
message-length maximum 512, drop 0
dns-guard, count 0
protocol-enforcement, drop 0
nat-rewrite, count 0
id-randomization, count 0
83
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc
Task 8.2
4 Points
Configure R2 to drop all TCP Option based attacks. You may

R2 should dynamically block IP spoofing on its s0/0/0
interface. Packets dropped by the protection should be
logged. Do not apply an ACL directly to an interface to
accomplish this.
A DoS attack is flooding UDP and ICMP traffic into the
24.234.100.0/24 network via R2. Configure R2 to rate limit
this traffic to no more than 10% of s0/0/0s bandwidth.
R2(config)#ip option drop
R2(config)#access-list 150 deny ip any any log-input
R2(config-if)#ip verify unicast source reachable-via rx 150
R2(config)#access-list 155 permit udp any any
R2(config)#class-map match-any RATE
R2(config)#policy-map RATE
R2(config-pmap)#class RATE
R2(config-pmap-c)#police rate percent 10
R2(config-if)#service-policy output RATE
Verification:
R6#ping 24.234.22.100
!!!!!
R6#ping
Protocol [ip]:
Repeat count [5]:
84
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc

Source address or interface: serial0/0/0
>>Current pointer<<
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Request
Request
Request
Request
Request
Success
0 timed
1 timed
2 timed
3 timed
4 timed
rate is
out
out
out
out
out
0 percent (0/5)
R6#ping 24.234.22.100 so l6
.....
(Serial0/0/0 ) -> 24.234.22.100 (0/0), 1 packet
ASA1# ping 24.234.100.6

!!!!!
ASA1# ping 24.234.100.6 size 5000
?????
85
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.04.09.05.sm.r04.09.05.doc

Serial0/0/0
Service-policy output: RATE
Class-map: RATE (match-any)
5 minute rate 0 bps
police:
rate 10 %
rate 154000 bps, burst 4812 bytes
transmit
drop
86
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
LAB 5
Instructions
cannot be changed.
often!
task.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Sections:
1.ASA Firewalls
2.IOS Firewalls
3.VPNs
4.IPS
7.Advanced Security
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
SW1
Fa0/1
Fa0/0
R1
Fa0/1
Fa0/1
SW2
SW1
Fa0/2
Fa0/0
R2
Fa0/1
Fa0/2
SW2
SW1
Fa0/3
Fa0/0
R3
Fa0/1
Fa0/3
SW2
SW1
Fa0/4
Fa0/0
R4
Fa0/1
Fa0/4
SW2
SW1
Fa0/5
Fa0/0
R5
Fa0/1
Fa0/5
SW2
SW1
Fa0/6
Fa0/0
R6
Fa0/1
Fa0/6
SW2
SW1
Fa0/9
Fa0/0
BB1
Fa0/1
Fa0/9
SW2
SW1
Fa0/10
Fa0/0
BB2
Fa0/1
Fa0/10
SW2
SW1
Fa0/12
E0/0
E0/2
Fa0/12
SW2
Fa0/14
SW2
E0/3
Fa0/17
SW2
E0/2
Fa0/18
SW2
E0/3
Fa0/23
SW2
ASA01
Gi0/0: sense
SW1
Fa0/14
SW1
Fa0/17
E0/1
SW1
Fa0/18
E0/0
IDS
IDS
Gi0/1: c&c
ASA01
ASA02
SW1
E0/1
Fa0/23
ASA02
SW1
SW2
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Sensor Int.
G0/0
Fa1/0
Fa1/1
Fa1/2
Fa1/3
Connected to:
SW1 Fa0/14
SW3 Fa0/4
SW3 Fa0/3
SW3 Fa0/2
SW3 Fa0/1
Fas0/0
2811
SW3
SW4
Fas0/17
SW3
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Fas0/1
R7
Fas0/17
SW4
ACS PC SW1 Fa0/24
192.168.2.101
Fas0/0
2811
Fas0/1
R8
SW3

192.168.2.102
Fas0/18
SW4
Fas0/18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

Task 1.1
4 Points
Configure the ASAs per the diagram, including routing

protocols. On ASA1, use E0/2 as a redundant interface for
E0/1.
Task 1.2
4 Points
Configure the following translations. Use R2 Fa0/0 as the

inside interface. You may add 1 static host route on R2.
Device
Name
ASA1
ASA1
ASA2
ASA2
ASA2
ASA2
R2
R2
Real
Int.
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
Control
Fa0/0
Fa0/1
Mapped
Int.
OUTSIDE
OUTSIDE
OUTSIDE
OUTSIDE
OUTSIDE
OUTSIDE
Fa0/1
Fa0/0
Real
IP:PORT #
10.30.10.8
8.8.8.8:tcp/23
Any IP
2.2.2.2
2.2.2.2
172.26.60.0/24
192.168.2.101
10.40.10.200
Mapped
IP:PORT#
100.60.10.8
100.60.10.8:tcp/2323
100.60.10.201-210
100.60.10.2
100.60.10.22
100.60.10.211-215
10.40.10.101
192.168.2.200
On the ACS PC, do not add ANY host routes except for route
add 100.0.0.0 mask 255.0.0.0 192.168.2.2 -p. Do not add
any 192.0.0.0 networks to any routing protocols.
Permit
both firewalls to be managed via HTTPS from the ACS PC.
Task 1.3
4 Points
On ASA1, complete the following:

o Permit TELNET to R8 Loopback 0 on the outside interface,
as well as ICMP echo, HTTP and TELNET to R8 Fa0/0.30
Configure no more than a single line in your access-list
to accomplish this task.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 1.4
4 Points

o Filter spoofed addresses on the outside interface, if
sourced from the 10.40.10.0/24 address space.
Do not
use an access list as part of this task.
o On the outside interface, permit ICMP echo and TELNET to
100.60.10.2 and 100.60.10.22
Permit ICMP echo and FTP
to the ACS PC.
o Prioritize TELNET traffic destined to 100.60.10.2
o Deny and log FTP traffic that attempts to use the command
of DELE. Do not use a L7 class-map type inspect as
part of this task.
o Permit HTTP on port 80 and 8080 inbound on the outside
interface to the ACS PC. Send a reset to URL requests
that include an extension of .exe, .bat or .com.
Record
a syslog entry when this occurs.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Section 2: IOS Firewalls

Task 2.1
4 Points

o Use an access-list to deny any RFC 1918 sourced addresses
inbound on Fa0/1.
o Dynamically deny spoofed packets outside RFC 1918 inbound
on Fa0/1.
o Log ALL denied spoofed packets to the ACS PC syslog
server, including information the interface type and
number where the packet is denied. Source the logs from
Fa0/0.11
Task 2.2
4 Points
Configure R7 with the following:

o Transparent firewall based on the diagram.
o Allow R6 and R5 to become EIGRP neighbors.
o Assign the IP address of 100.120.10.7 to R7
o Deny ICMP echo-reply inbound on Fa0/1.
o Configure inspection of ICMP inbound on Fa0/0.
o Test by pinging to R6 from R5 through the R7.
o R7 should have complete IP routing table.
Task 2.3
4 Points
On R7, allow simple password protection for the 1st vty

line, and require ssh authentication on the 2-5th lines.
Create a local user named admin, with the password of
cisco. Use port 2000 to connect to the SSH lines.
Task 2.4
4 Points
On R7, permit TELNET sessions only from odd numbered hosts,

and SSH only from even numbered hosts.
7
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points
Configure R1 as a CA and authenticated NTP server using the

following:
o Sourced from Loopback 0
o Distribution point of http://1.1.1.1/R1-CA_Servercdp.R1CA_Server.crl
o CN=R1.ccbootcamp.com, L=NV, C=US
Configure any hosts that this lab requires to use RSA-Sig
as CA clients of R1. Include these clients as
authenticated NTP clients of R1 as well.
Task 3.2
4 Points
Configure IPSec based on the following information.

VPN Device
R2
ASA1
Source Interface
Fa0/1
E0/0.60
IP of PEER
100.60.10.100
100.60.10.2
o IKE Phase 1: DH1, RSA-Sig, AES 128, SHA

o IKE Phase 2: PFS 2, 3DES, SHA
o Interesting traffic: ICMP between 100.60.10.8 &
10.40.10.101
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 3.3
4 Points
Create Loopback 34 on R3 and R4 using yy.34.0.y/24

(y=router number).
Configure GETVPN using the following:
o Key server: R8 using Fa0/0.30
o Member servers: R3, R4 pointing to 10.30.10.8 for R8
o Crypto policy on server:
and R4.
ICMP between Loopback 34 on R3
o IKE Phase 1: DH2, PSK, AES 128, MD5

www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 3.4
4 Points
Configure ASA2 as an EasyVPN server using the following:

o IKE Phase 1: DH2, PSK, AES 128, SHA, XAUTH using ACS
o IKE Phase 2: PFS2, AES 256, SHA
o Pool: 10.40.10.201-205
o User: vpn_user password of cisco
o Group: vpn_group password of cisco
o Client R5 (see output below.
10.40.10.2 via the tunnel.
SW2 should be able to ping
o Client VPN Software Client, test from XP PC on VLAN 60.

The PC should be able to ping 10.40.10.2 once the tunnel
is established.
o Prioritize remote-access VPN traffic
o Output from R5 should look like the following:
Inside interface list: FastEthernet0/0.55
Outside interface: Virtual-Access2 (bound to FastEthernet0/0.70)
Mask: 255.255.255.255
NBMS/WINS Primary: 10.40.10.101
Using PFS Group: 2
Address
: 10.40.10.2
Mask
: 255.255.255.255
Protocol
: 0x0
Source Port: 0
Dest Port : 0
Move the XP PC outside of the firewall, and configure the

VPN software client to be able to connect.
The XP PC is
connected to SW2 port Fa0/16.
10
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Section 4: IPS
Task 4.1
4 Points
Erase the current-configuration first, then configure the

sensor per the diagram and the following:
o Use R1 as an authenticated NTP server.
o ASA2 as the default gateway.
o Allow management on port 5796 from 10.40.10.101
o Add a host route on the ACS PC for 172.26.60.0/24
Note: Username/Password for access are cisco/ccie5796
Task 4.2
4 Points
Create vs1, and configure the following:

o Use an inline VLAN pair, using G0/0.1
o Insert the sensor between R1 and vlan 110.
Fa0/1 to vlan 111.
Assign R1

o Create an alert when an ICMP flood is seen. Log the
attacker packets for 2 minutes, and implement a rate
limit inbound on R1 Fa0/1 to 1%.
o The sensor should log int to R1 via SSH, with local
authentication, as the user ips-user. Set the enable
secret on R1 to cisco.
attacker for any signatures.
11
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 4.3
4 Points

o Use an inline interface pair, using Fa1/3 and Fa1/2
(located on SW3, ports Fa0/1 and Fa0/2).
o Insert vs2 between R7 Fa0/0 and vlan 120.
VLAN 121 as part of this task.
You may create

o Create a custom signature that is watching for the string
cisco123! or !321ocsic in upper or lower case on TCP
port 23 or 80.
Set a severity of MEDIUM, and a fidelity
rating of 70 for this signature.
o Without including the action of Send TCP Reset, or
including the IP address of 6.6.6.6 in the signature,
send a TCP reset to the attacker if this attack is seen
against 6.6.6.6
12
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Section 5: Identity Management

Task 5.1
4 Points
Permit SSH to the outside interface of both firewalls from

5.5.5.5
Use ACS to authenticate the SSH login.
Create the user named user-5.1 and a password of cisco for
this task.
Record successful authentications.
Task 5.2
4 Points
When an outside user uses TELNET to 100.60.10.10, ASA2

should require authentication via RADIUS.
Create a user name of user-5.2, and dynamically permit TFTP
to the ACS PC for this authenticated user.
Time out the user after 10 minutes of inactivity.
Task 5.3
4 Points

o Deny ICMP from the ACS PC to 100.110.10.50
o Require authentication for HTTP traffic sourced from the
ACS PC to 100.110.10.50
o After successful authentication, the ACS PC should be
able to ping 100.110.10.50
o On BB1, restrict any HTTP sessions not sourced from the
ACS PC.
o On BB1, deny any inbound HTTP and TELNET management
connections if they are not received on Fa0/0.110
o Authenticate using ACS with a user named user-5.3.
13
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Section 6: Control/Management Plane Security

Task 6.1
4 Points
On R5 configure the following:

o When total CPU utilization exceeds 90 percent for 5
seconds, generate a syslog message. Then, when CPU
utilization falls below 10 percent for 5 seconds,
generate another syslog message.
o Rate limit all EIGRP packets processed by R5 to 50,000
bps.
o Rate limit TELNET and SSH to R5 to 10,000 bps.
o Rate limit any ICMP, TCP and UDP non-initial fragments
directed to R5 to 8,000 bps.
Your output should be similar to the following:
Control Plane
Service-policy input: RTR_CoPP
Class-map: CMAP_EIGRP (match-all)
Match: access-group name EIGRP_ACL
police:
transmit
drop
Class-map: CMAP_FRAGMENTS (match-all)
Match: access-group name FRAGMENTS_ACL
police:
transmit
drop
Class-map: CMAP_TELNET_SSH (match-all)
14
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Match: access-group name TELNET_SSH_ACL

police:
transmit
drop
Match: any
R5#
On SW3, configure ports Fa0/1 and Fa0/2 to provide traffic

suppression if broadcasts exceed 5% of the maximum
bandwidth.
Configure R6 to allow only only SSH, TELNET and HTTP as
management protocols. Restrict this access to Fa0/0.90
not use the IP address of R6 in your solution.
Task 6.2
Do
4 Points
Allow BB1 and R8 to be EGBP neighbors.

Verify that BGP
sourced routes can be seen in the routing table of all
routers.
Add authentication to the EBGP neighbors using
the password of cisco. R8 should be the initiator for the
BGP neighborship.
15
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

Task 7.1
4 Points
On R1, identify P2P network traffic sources from VLAN 70

only.
Drop this traffic outbound on Fa0/1 without using
an access-list.
Task 7.2
4 Points
Stop P2P and other malicious traffic being tunneled on TCP

port 80 on 100.110.10.0/24. Use the sensor to send TCP
resets when this traffic is seen, and capture only the
initial packet that triggers the alert.
Verify the integrity of TELNET sessions to and from R8
Loopback 0 through ASA1. Rate limit ingress TELNET traffic
on both interfaces to 10,000 bps.
16
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

Task 8.1
4 Points
On ASA1, globally protect the network by not allowing

fraggle attacks.
Do not use an access-list to accomplish
this.
Prevent MAC-address overload on SW1 ports fa 0/3-4.
Configure the minimum number of MAC addresses for these
ports, and save them in the configuration of the switch.
Generate a syslog message if exceeded, but do not shutdown
the port.
Task 8.2
4 Points
On R1, any inbound http packets on Fa0/0.90, destined for

the 100.110.10.0/24 network and containing any of the words
below within the URL, should be marked as DSCP 1, and then
dropped outbound on Fa0/0.11
o default.ida
o cmd.exe
o root.exe
On R5, prevent an outbound TELNET session sourced from r5.
Do not use AAA or line commands for this task.
On R5, protect neighboring routers from any crafted IP
option packets that may cause excessive CPU processing.
17
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

Task 1.1
4 Points
Configure the ASAs per the diagram, including routing

protocols. On ASA1, use E0/2 as a redundant interface for
E0/1.
SW1(config)#interface fastEthernet 0/12

SW2(config-if)#sw host
Note Verify the firewall is in the correct mode, and make changes if
necessary.
ciscoasa(config)# mode single
***
*** --- SHUTDOWN NOW --***
ciscoasa(config)# hostname ASA-1
ASA-1(config)# interface Ethernet0/0
ASA-1(config-if)# no shut
ASA-1(config-if)# exit
ASA-1(config)# interface Ethernet0/0.60
ASA-1(config-subif)# vlan 60
ASA-1(config-subif)# nameif outside
ASA-1(config-subif)# ip address 100.60.10.100 255.255.255.0
18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
ASA-1(config)# interface Redundant1
ASA-1(config-if)# member-interface Ethernet0/1
ASA-1(config-if)# member-interface Ethernet0/2
ASA-1(config-if)# nameif inside
ASA-1(config-if)# ip address 10.30.10.100 255.255.255.0
ASA-1(config)# router eigrp 1
ASA-1(config-router)# no auto-summary
ASA-1(config-router)# network 0.0.0.0 0.0.0.0
ASA-1(config-router)# exit
Verification
ASA-1(config)# ping 8.8.8.8
!!!!!
!!!!!
ASA-1(config)#
ciscoasa(config)# hostname ASA-2

ASA-2(config-subif)# nameif control
INFO: Security level for "control" set to 0 by default.
ASA-2(config-subif)# security-level 50
ASA-2(config-subif)# exit
ASA-2(config-subif)# nameif outside
ASA-2(config-subif)# exit
ASA-2(config-if)# nameif inside
ASA-2(config-if)# ip address 10.40.10.200 255.255.255.0
ASA-2(config)# router eigrp 1
ASA-2(config-router)# no auto-summary
19
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
ASA-2(config-router)# network 0.0.0.0 0.0.0.0

ASA-2(config-router)# exit
Verification
!!!!!
!!!!!
ASA-2(config)#
20
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 1.2
4 Points
Configure the following translations. Use R2 Fa0/0 as the

inside interface. You may add 1 static host route on R2.
Device
Name
ASA1
ASA1
ASA2
ASA2
ASA2
ASA2
R2
R2
Real
Int.
INSIDE
INSIDE
INSIDE
INSIDE
INSIDE
Control
Fa0/0
Fa0/1
Mapped
Int.
OUTSIDE
OUTSIDE
OUTSIDE
OUTSIDE
OUTSIDE
OUTSIDE
Fa0/1
Fa0/0
Real
IP:PORT #
10.30.10.8
8.8.8.8:tcp/23
Any IP
2.2.2.2
2.2.2.2
172.26.60.0/24
192.168.2.101
10.40.10.200
Mapped
IP:PORT#
100.60.10.8
100.60.10.8:tcp/2323
100.60.10.201-210
100.60.10.2
100.60.10.22
100.60.10.211-215
10.40.10.101
192.168.2.200
ASA-1(config)# static (inside,outside) tcp 100.60.10.8 2323 8.8.8.8 telnet

netmask 255.255.255.255
ASA-1(config)# static (inside,outside) 100.60.10.8 10.30.10.8 netmask
255.255.255.255
WARNING: mapped-address conflict with existing static
TCP inside:8.8.8.8/23 to outside:100.60.10.8/2323 netmask 255.255.255.255
ASA-1(config)#
ASA-2(config)# access-list inside_nat_static_1 extended permit ip host
2.2.2.2 any
ASA-2(config)# access-list inside_nat_static extended permit ip host 2.2.2.2
any
ASA-2(config)# static (inside,outside) 100.60.10.2 access-list
inside_nat_static
ASA-2(config)# static (inside,outside) 100.60.10.22 access-list
inside_nat_static_1
ASA-2(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ASA-2(config)# nat (control) 2 172.26.60.0 255.255.255.0
ASA-2(config)# global (outside) 1 100.60.10.201-100.60.10.210
ASA-2(config)# global (outside) 2 100.60.10.211-100.60.10.215
R2(config-if)#ip nat inside
R2(config-if)#interface fa0/1
R2(config-if)#ip nat outside
R2(config-if)#exit
R2(config)#ip nat inside source static 192.168.2.101 10.40.10.101
R2(config)#ip nat outside source static 10.40.10.200 192.168.2.200
R2(config)#ip route 192.168.2.200 255.255.255.255 10.40.10.200
21
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
On the ACS PC, do not add ANY host routes except for route
add 100.0.0.0 mask 255.0.0.0 192.168.2.2 -p. Do not add
any 192.0.0.0 networks to any routing protocols.
Permit
both firewalls to be managed via HTTPS from the ACS PC.

c:\ACS_PC>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination
Netmask
Gateway
Interface Metric
0.0.0.0
0.0.0.0
172.22.45.100
172.22.45.101
10
100.0.0.0
255.0.0.0
192.168.2.2
192.168.2.101
1
127.0.0.0
255.0.0.0
127.0.0.1
127.0.0.1
1
172.22.45.0
255.255.255.0
172.22.45.101
172.22.45.101
10
172.22.45.101 255.255.255.255
127.0.0.1
127.0.0.1
10
172.22.255.255 255.255.255.255
172.22.45.101
172.22.45.101
10
192.168.0.0
255.255.0.0
192.168.2.101
192.168.2.101
10
192.168.2.101 255.255.255.255
127.0.0.1
127.0.0.1
10
192.168.2.255 255.255.255.255
192.168.2.101
192.168.2.101
10
224.0.0.0
240.0.0.0
172.22.45.101
172.22.45.101
10
224.0.0.0
240.0.0.0
192.168.2.101
192.168.2.101
10
255.255.255.255 255.255.255.255
172.22.45.101
172.22.45.101
1
255.255.255.255 255.255.255.255
192.168.2.101
192.168.2.101
1
Default Gateway:
172.22.45.100
===========================================================================
Persistent Routes:
Network Address
Netmask Gateway Address Metric
100.0.0.0
255.0.0.0
192.168.2.2
1
c:\ACS_PC>
ASA-1(config)# domain-name ccbootcamp.com
ASA-1(config)# crypto key generate rsa modulus 1024
ASA-1(config)# http server enable
ASA-1(config)# http 10.40.10.101 255.255.255.255 outside
ASA-1(config)#
ASA-2(config)# crypto key generate rsa modulus 1024
ASA-2(config)# http server enable
ASA-2(config)# http 10.40.10.101 255.255.255.255 inside
22
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
23
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 1.3
4 Points

o Permit TELNET to R8 Loopback 0 on the outside interface,
as well as ICMP echo, HTTP and TELNET to R8 Fa0/0.30
Configure no more than a single line in your access-list
to accomplish this task.
ASA-1(config)# object-group service SERVICES_TO_R8
ASA-1(config-service)# service-object icmp echo
ASA-1(config-service)# service-object tcp eq 2323
ASA-1(config-service)# service-object tcp eq www
ASA-1(config-service)# service-object tcp eq telnet
ASA-1(config-service)# exit
ASA-1(config)# access-list outside extended permit object-group
SERVICES_TO_R8 any host 100.60.10.8
ASA-1(config)# access-group outside in interface outside
R3#telnet 100.60.10.8 2323
Trying 100.60.10.8, 2323 ... Open
R8#exit
R3#
24
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 1.4
4 Points

o Filter spoofed addresses on the outside interface, if
sourced from the 10.40.10.0/24 address space.
Do not
use an access list as part of this task.
o On the outside interface, permit ICMP echo and TELNET to
100.60.10.2 and 100.60.10.22
Permit ICMP echo and FTP
to the ACS PC.
o Prioritize TELNET traffic destined to 100.60.10.2
o Deny and log FTP traffic that attempts to use the command
of DELE. Do not use a L7 class-map type inspect as
part of this task.
o Permit HTTP on port 80 and 8080 inbound on the outside
interface to the ACS PC. Send a reset to URL requests
that include an extension of .exe, .bat or .com.
Record
a syslog entry when this occurs.
ASA-2(config)# static (inside,outside) 10.40.10.101 10.40.10.101 netmask
255.255.255.255
ASA-2(config)# regex REG_X_BAT "\.[Bb][Aa][Tt]"
ASA-2(config)# regex REG_X_COM "\.[Cc][Oo][Mm]"
ASA-2(config)# regex REG_X_EXE "\.[Ee][Xx][Ee]"
ASA-2(config)# object-group network R2_GLOBAL
ASA-2(config-network)# network-object host 100.60.10.22
ASA-2(config-network)# network-object host 100.60.10.2
ASA-2(config-network)# exit
ASA-2(config)# access-list outside permit tcp any object-group R2_GLOBAL eq
telnet
ASA-2(config)# access-list outside permit icmp any object-group R2_GLOBAL
echo
ASA-2(config)# access-list outside permit tcp any host 10.40.10.101 eq ftp
ASA-2(config)# access-list outside permit icmp any host 10.40.10.101 echo
ASA-2(config)# access-list outside permit tcp any host 10.40.10.101 eq www
ASA-2(config)# access-list outside permit tcp any host 10.40.10.101 eq 8080
ASA-2(config)# access-group outside in interface outside
ASA-2(config)# access-list PRIORITY_ACL permit tcp any host 2.2.2.2 eq telnet
ASA-2(config)# access-list HTTP_ACL permit tcp any host 10.40.10.101 eq www
ASA-2(config)# access-list HTTP_ACL permit tcp any host 10.40.10.101 eq 8080
ASA-2(config)# ip verify reverse-path interface outside
ASA-2(config)# priority-queue inside
ASA-2(config-priority-queue)# exit
ASA-2(config)# interface e 0/0
ASA-2(config-if)# nameif need-4-priority-on-sub
INFO: Security level for "need-4-priority-on-sub" set to 0 by default.
ASA-2(config)# priority-queue need-4-priority-on-sub
25
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
ASA-2(config-priority-queue)# exit
ASA-2(config)# !Note:Priority Queue on Major Int. cover all Sub Ints.
ASA-2(config)# !Note:will need priority queue on outside for VPN :Later.
ASA-2(config)# class-map type regex match-any CMAP_REG_EXP
ASA-2(config-cmap)# match regex REG_X_COM
ASA-2(config-cmap)# match regex REG_X_EXE
ASA-2(config-cmap)# match regex REG_X_BAT
ASA-2(config-cmap)# exit
ASA-2(config)# class-map type inspect http match-any CMAP_INS_HTTP
ASA-2(config-cmap)# match request uri regex class CMAP_REG_EXP
ASA-2(config)# class-map CMAP_80_8080_TO_ACS
ASA-2(config-cmap)# match access-list HTTP_ACL
ASA-2(config)# class-map TELNET_TO_R2
ASA-2(config-cmap)# match access-list PRIORITY_ACL
ASA-2(config-cmap)# policy-map type inspect http PMAP_INS_HTTP
ASA-2(config-pmap)# parameters
ASA-2(config-pmap-p)# class CMAP_INS_HTTP
ASA-2(config-pmap-c)# reset log
ASA-2(config-pmap-c)# exit
ASA-2(config-pmap)# exit
ASA-2(config)# policy-map type inspect ftp PMAP_INS_RMDIR
ASA-2(config-pmap)# parameters
ASA-2(config-pmap-p)# match request-command dele
ASA-2(config-pmap-c)# reset log
ASA-2(config)# policy-map global_policy
ASA-2(config-pmap)# class inspection_default
ASA-2(config-pmap-c)# no inspect ftp
ASA-2(config-pmap-c)# inspect ftp strict PMAP_INS_RMDIR
ASA-2(config-pmap)# class TELNET_TO_R2
ASA-2(config-pmap-c)# priority
ASA-2(config-pmap)# class CMAP_80_8080_TO_ACS
ASA-2(config-pmap-c)# inspect http PMAP_INS_HTTP
26
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
R4#ping 100.60.10.2
.!!!!
R4#ping 100.60.10.22
.!!!!
R4#telnet 100.60.10.2
Trying 100.60.10.2 ... Open
R2#exit
R4#telnet 100.60.10.22
27
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Trying 100.60.10.22 ... Open

R2#exit
R4#ping 10.40.10.101
!!!!!
R4#dir
1 -rw52990552
Sep 4 2008 10:45:04 +00:00
adventerprisek9-mz.124-15.T7.bin
c2800nm-
63883264 bytes total (10892288 bytes free)

R4#copy start ftp
Destination filename [r4-confg]? text.txt
Writing text.txt !
R4#copy http://10.40.10.101/root.exe null:
%Error opening http://10.40.10.101/root.exe (I/O error)
R4#
ASA-2(config)# %ASA-5-304001: 100.60.10.4 Accessed URL 10.40.10.101:/root.exe

%ASA-5-415006: HTTP - matched Class 21: CMAP_INS_HTTP in policy-map
PMAP_INS_HTTP, URI matched - Resetting connection from
outside:100.60.10.4/55837 to inside:10.40.10.101/80
ASA-2(config)#
ASA-2(config)# show service-policy
Global policy:
!
!
!
Class-map: TELNET_TO_R2
Priority:
Interface need-4-priority-on-sub: aggregate drop 0, aggregate
Priority:
Interface control: aggregate drop 0, aggregate transmit 0
Priority:
Interface outside: aggregate drop 0, aggregate transmit 0
Priority:
Interface inside: aggregate drop 0, aggregate transmit 0
Class-map: CMAP_80_8080_TO_ACS
Inspect: http PMAP_INS_HTTP, packet 4, drop 1, reset-drop 1
Class-map: CMAP_VPN_REMOTE_PRIORITY
Priority:
28
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

Priority:
Priority:
Priority:
Class-map: class-default
Default Queueing
ASA-2(config)# show priority-queue statistics
Priority-Queue Statistics interface need-4-priority-on-sub
Queue Type
Tail Drops
Reset Drops
Packets Transmit
Packets Enqueued
Current Q Length
Max Q Length
=
=
=
=
=
=
=
BE
0
0
1403
0
0
0
Queue Type
Tail Drops
Reset Drops
Packets Transmit
Packets Enqueued
Current Q Length
Max Q Length
=
=
=
=
=
=
=
LLQ
0
0
0
0
0
0
Priority-Queue Statistics interface inside

Queue Type
Tail Drops
Reset Drops
Packets Transmit
Packets Enqueued
Current Q Length
Max Q Length
=
=
=
=
=
=
=
BE
0
0
708
0
0
0
Queue Type
Tail Drops
Reset Drops
Packets Transmit
Packets Enqueued
Current Q Length
Max Q Length
=
=
=
=
=
=
=
LLQ
0
0
67
0
0
0
29
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

Task 2.1
4 Points

o Use an access-list to deny any RFC 1918 sourced addresses
inbound on Fa0/1.
o Dynamically deny spoofed packets outside RFC 1918 inbound
on Fa0/1.
o Log ALL denied spoofed packets to the ACS PC syslog
server, including information the interface type and
number where the packet is denied. Source the logs from
Fa0/0.11
R1(config)#access-list 100 deny ip 10.0.0.0 0.255.255.255 any log-input
R1(config)#access-list 101 deny ip any any log-input
R1(config-if)#exit
R1(config)#logging source-interface fa 0/0.11
R1(config)#logging trap 6
R1(config)#logging host 10.40.10.101
ASA-2(config)# access-list outside permit udp host 100.11.10.1 host

10.40.10.101 eq syslog
BB1#ping 4.4.4.4
!!!!!
BB1#conf t
BB1(config)#int loop 99
BB1(config-if)#ip address 10.40.10.99 255.255.255.0
BB1(config-if)#end
BB1#ping 4.4.4.4 source lo 99
.....
30
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
BB1(config)#no int loop 99

R1(config)#
%SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.40.10.99 (FastEthernet0/1
001b.53e4.f688) -> 4.4.4.4 (0/0), 1 packet
R1(config)#
%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.40.10.101 port 514 started CLI initiated
31
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 2.2
4 Points
Configure R7 with the following:

o Transparent firewall based on the diagram.
o Allow R6 and R5 to become EIGRP neighbors.
o Assign the IP address of 100.120.10.7 to R7
o Deny ICMP echo-reply inbound on Fa0/1.
o Configure inspection of ICMP inbound on Fa0/0.
o Test by pinging to R6 from R5 through the R7.
o R7 should have complete IP routing table.
R7(config)#ip inspect audit-trail
R7(config)#bridge irb
R7(config-if)#ip inspect CBAC in
R7(config-if)#bridge-group 1
R7(config-if)#exit
R7(config-if)#ip access-group NO_ICMP_REPLY in
R7(config-if)#bridge-group 1
R7(config-if)#exit
R7(config)#interface BVI1
R7(config-if)#exit
R7(config)#ip access-list extended NO_ICMP_REPLY
R7(config-ext-nacl)#deny
icmp any any echo-reply log-input
R7(config-ext-nacl)#permit ip any any
R7(config)#bridge 1 protocol ieee
R7(config)#bridge 1 route ip
R5#show ip route 6.6.6.6
Routing entry for 6.6.6.0/24
Known via "eigrp 1", distance 90, metric 156160, type internal
Redistributing via eigrp 1
Last update from 100.120.10.6 on FastEthernet0/0.120, 00:00:38 ago
Routing Descriptor Blocks:
* 100.120.10.6, from 100.120.10.6, 00:00:38 ago, via FastEthernet0/0.120
Route metric is 156160, traffic share count is 1
Total delay is 5100 microseconds, minimum bandwidth is 100000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
R5#show ip eigrp nei
R5#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
32
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Address
4
100.120.10.6
3
100.120.10.7
2
100.15.10.1
1
100.70.10.3
0
100.70.10.4
R5#ping 6.6.6.6
Interface
Hold Uptime
SRTT
(sec)
(ms)
11 00:01:00 523
10 00:01:00
4
160 03:12:16 125
11 03:12:38
34
14 03:12:38
1
Fa0/0.120
Fa0/0.120
Se0/0/0
Fa0/0.70
Fa0/0.70
RTO
3138
200
750
204
200
Q
Cnt
0
0
0
0
0
Seq
Num
21
7
47
57
61

!!!!!
33
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 2.3
4 Points
On R7, allow simple password protection for the 1st vty

line, and require ssh authentication on the 2-5th lines.
Create a local user named admin, with the password of
cisco. Use port 2000 to connect to the SSH lines.
R7(config)#line vty 0
R7(config-line)#login local
R7(config-line)#transport input telnet
R7(config-line)#line vty 1-4
R7(config-line)#transport input ssh
R7(config)#crypto key generate rsa
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
R7(config)#end
R7(config-line)# password cisco
R7(config-line)# login
R7(config-line)#rotary 1
R7(config)#ip ssh port 2000 rotary 1
R1#ssh -l admin -p 2000 7.7.7.7
Password: cisco
R7#who
Line
User
Host(s)
0 con 0
idle
*515 vty 1
admin
idle
Idle
Location
00:00:10
00:00:00 100.90.10.1
34
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 2.4
4 Points
On R7, permit TELNET sessions only from odd numbered hosts,

and SSH only from even numbered hosts.

R7(config-line)#access-class 1 in
R7(config-line)#access-class 2 in
R7(config-line)#end
R1#telnet 7.7.7.7
Username: admin
Password: cisco
R7#who
Line
User
0 con 0
*514 vty 0
admin
Host(s)
idle
idle
Idle
Location
00:01:13
00:00:00 100.90.10.1
R1#telnet 7.7.7.7
Username: admin
Password: cisco
R7#who
Line
User
Host(s)
Idle
Location
0 con 0
idle
00:01:13
*514 vty 0
admin
idle
00:00:00 100.90.10.1
R7#exit
R1#ssh -l admin -p 2000 7.7.7.7
R4#ssh -l admin -p 2000 7.7.7.7
Password: cisco
R7#who
Line
User
Host(s)
Idle
Location
0 con 0
idle
00:03:46
*515 vty 1
admin
idle
00:00:00 100.70.10.4
R7#exit
R4#telnet 7.7.7.7
Trying 7.7.7.7 ...
35
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points
Configure R1 as a CA and authenticated NTP server using the

following:
o Distribution point of http://1.1.1.1/R1-CA_Servercdp.R1CA_Server.crl
o CN=R1.ccbootcamp.com, L=NV, C=US
R1(cs-server)#cdp-url http://1.1.1.1/R1-CA_Servercdp.R1-CA_Server.crl
Password: cisco123
R1(cs-server)#exit
R1(config)#
36
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Configure any hosts that this lab requires to use RSA-Sig

as CA clients of R1. Include these clients as
authenticated NTP clients of R1 as well.
ASA-1(config)# clock timezone PST -8

ASA-1(config)# clock summer-time PDT recurring
ASA-1(config)# ntp authentication-key 1 md5 cisco
ASA-1(config)# ntp trusted-key 1
ASA-1(config)# ntp authenticate
ASA-1(config)# ntp server 1.1.1.1
ASA-1(config)# crypto ca trustpoint R1-CA1
ASA-1(config-ca-trustpoint)# enrollment url http://1.1.1.1:80
ASA-1(config-ca-trustpoint)# revocation-check none
ASA-1(config-ca-trustpoint)# exit
ASA-1(config)# crypto ca authenticate R1-CA1
INFO: Certificate has the following attributes:
Fingerprint:
fc114726 4439a7a9 e4145fd9 b36dfb7f
Do you accept this certificate? [yes/no]: yes
ASA-1(config)# crypto ca enroll R1-CA1
%
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be: ASA1.ccbootcamp.com
% Include the device serial number in the subject name? [yes/no]: no
ASA-1(config)# The certificate has been granted by CA!
ASA-1(config)#

% Generating 1024 bit RSA keys, keys will be exportable...
37
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

Fingerprint MD5: FC114726 4439A7A9 E4145FD9 B36DFB7F
Fingerprint SHA1: 1AE1100F A063279D 6652D81D 4A6C9BC2 81ED24D3
R2(config)#cry pki enroll R1-CA1
Password:
Re-enter password:
fingerprint.
3C98F5FF 8D4570B6 B4E47B72 60C77457
B88F067A CA14AE30 58718F51 2143166C A3687177
R2(config)#
Authority
38
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 3.2
4 Points
Configure IPSec based on the following information.

VPN Device
R2
ASA1
Source Interface
Fa0/1
E0/0.60
IP of PEER
100.60.10.100
100.60.10.2
o IKE Phase 1: DH1, RSA-Sig, AES 128, SHA

o IKE Phase 2: PFS 2, 3DES, SHA
o Interesting traffic: ICMP between 100.60.10.8 &
10.40.10.101
R2(config)#crypto ipsec transform-set TRANS_TO_ASA1 esp-3des esp-sha-hmac
R2(config)#crypto map MYMAP local-address Loopback0
R2(config-crypto-map)#description Tunnel to 100.60.10.100 (ASA1)
R2(config-crypto-map)#set transform-set TRANS_TO_ASA1
R2(config-crypto-map)#set pfs group2
R2(config-if)#exit
R2(config)#access-list 101 remark for crypto to ASA1
R2(config)#exit
R2#show crypto map
Crypto Map: "MYMAP" idb: Loopback0 local address: 2.2.2.2
Crypto Map "MYMAP" 1 ipsec-isakmp
Description: Tunnel to 100.60.10.100 (ASA1)
Peer = 100.60.10.100
access-list 101 permit icmp host 10.40.10.101 host 100.60.10.8
Current peer: 100.60.10.100
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
TRANS_TO_ASA1,
}
Interfaces using crypto map MYMAP:
FastEthernet0/1
39
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
R2#
ASA-2(config)#
100.60.10.2 eq
ASA-2(config)#
100.60.10.2 eq

500
4500
ASA-1(config)# access-list CRYPTO_ACL extended permit icmp host 100.60.10.8

host 10.40.10.101
ASA-1(config)#
ASA-1(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ASA-1(config)# crypto map outside_map 1 match address CRYPTO_ACL
ASA-1(config)# crypto map outside_map 1 set pfs group2
ASA-1(config)# crypto map outside_map 1 set peer 100.60.10.2
ASA-1(config)# crypto map outside_map 1 set transform-set ESP-3DES-SHA
ASA-1(config)# crypto map outside_map 1 set trustpoint R1-CA1
ASA-1(config)# crypto map outside_map interface outside
ASA-1(config)# ASA-1(config)# crypto isakmp enable outside
ASA-1(config)# tunnel-group 100.60.10.2 type ipsec-l2l
ASA-1(config)# tunnel-group 100.60.10.2 ipsec-attributes
ASA-1(config-tunnel-ipsec)# peer-id-validate nocheck
ASA-1(config-tunnel-ipsec)# trust-point R1-CA1
ASA-1(config-tunnel-ipsec)# exit
ASA-1(config)# crypto isakmp policy 10
ASA-1(config-isakmp-policy)# authentication rsa-sig
ASA-1(config-isakmp-policy)# encryption aes
ASA-1(config-isakmp-policy)# hash sha
ASA-1(config-isakmp-policy)# group 1
ASA-1(config-isakmp-policy)# exit
ASA-1(config)#
40
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
41
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 3.3
4 Points
Create Loopback 34 on R3 and R4 using yy.34.0.y/24

(y=router number).
Configure GETVPN using the following:
o Key server: R8 using Fa0/0.30
o Member servers: R3, R4 pointing to 10.30.10.8 for R8
o Crypto policy on server:
and R4.
ICMP between Loopback 34 on R3
o IKE Phase 1: DH2, PSK, AES 128, MD5

ASA-1(config)# access-list
10.30.10.8 eq 848
10.30.10.8 eq 848
10.30.10.8 eq 848
10.30.10.8 eq 848
ASA-1(config)#
ASA-1(config)#
ASA-1(config)#
ASA-1(config)#
ASA-1(config)#
outside extended permit udp host 100.60.10.4 host

access-list NO_NAT permit ip host

nat (inside) 0 access-list NO_NAT
10.30.10.8
10.30.10.8
10.30.10.8
10.30.10.8
host
host
host
host
100.60.10.3
100.60.10.4
100.70.10.3
100.70.10.4

R8(config)#crypto ipsec transform-set gdoi-trans-group1 esp-3des esp-sha-hmac
R8(config)#crypto ipsec profile gdoi-profile-group1
R8(ipsec-profile)#set transform-set gdoi-trans-group1
R8(gdoi-sa-ipsec)#profile gdoi-profile-group1
42
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

R8(gdoi-sa-ipsec)#exit
R8(gdoi-local-server)#address ipv4 10.30.10.8
R8(config)#exit
R4(config-if)#exit
R4(config-subif)# crypto map map-group1
R4(config-subif)#interface Fa0/0.70
R4(config-subif)#
*May 3 07:50:01.783: %CRYPTO-5-GM_REGSTER: Start registration to KS
10.30.10.8 for group group1 using address 100.60.10.4 crypto map map-group1
R3(config-if)#exit
43
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

R3(config-subif)#interface Fa0/0.70
R3(config-subif)#
R3#show crypto gdoi
GROUP INFORMATION
Group Name
Group Identity
Rekeys received
IPSec SA Direction
Active Group Server
Group Server list
:
:
:
:
:
:
group1
1
0
Both
10.30.10.8
10.30.10.8
GM Reregisters in
Rekey Received
: 1517 secs
: never
Rekeys received
Cumulative
After registration
: 0
: 0

TEK POLICY:
FastEthernet0/0.60:
FastEthernet0/0.70:
!!!!!
Interface: FastEthernet0/0.60
Peer: port 848
44
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

Task 3.4
4 Points
Configure ASA2 as an EasyVPN server using the following:

o IKE Phase 1: DH2, PSK, AES 128, SHA, XAUTH using ACS
o IKE Phase 2: PFS2, AES 256, SHA
o Pool: 10.40.10.201-205
o User: vpn_user password of cisco
o Group: vpn_group password of cisco
o Client R5 (see output below.
10.40.10.2 via the tunnel.
SW2 should be able to ping
o Client VPN Software Client, test from XP PC on VLAN 60.

The PC should be able to ping 10.40.10.2 once the tunnel
is established.
o Prioritize remote-access VPN traffic
o Output from R5 should look like the following:
Outside interface: Virtual-Access2 (bound to FastEthernet0/0.70)
Mask: 255.255.255.255
Using PFS Group: 2
Address
: 10.40.10.2
Mask
: 255.255.255.255
Protocol
: 0x0
Source Port: 0
Dest Port : 0
45
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
46
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
ASA-2(config)# access-list SPLIT_ACL standard permit host 10.40.10.2

ASA-2(config)# access-list NO_NAT_ACL extended permit ip host 10.40.10.2
10.40.10.200 255.255.255.248
ASA-2(config)# ip local pool VPN_POOL 10.40.10.201-10.40.10.205 mask
255.255.248
ASA-2(config)# nat (inside) 0 access-list NO_NAT_ACL
ASA-2(config)# aaa-server RAD protocol radius
ASA-2(config-aaa-server-group)# aaa-server RAD (inside) host 10.40.10.101
ASA-2(config-aaa-server-host)# key cisco
ASA-2(config-aaa-server-host)# exit
ASA-2(config) crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-shahmac
ASA-2(config)# crypto dynamic-map MY_DYNOMITE_DYN_MAP 65535 set pfs
ASA-2(config)# crypto dynamic-map MY_DYNOMITE_DYN_MAP 65535 set transform-set
ESP-AES-256-SHA
ASA-2(config)# crypto map MY_REAL_CRYPTO_MAP 65535 ipsec-isakmp dynamic
MY_DYNOMITE_DYN_MAP
ASA-2(config)# crypto map MY_REAL_CRYPTO_MAP interface outside
ASA-2(config)# crypto isakmp enable outside
ASA-2(config)# crypto isakmp policy 10
ASA-2(config-isakmp-policy)# authentication pre-share
ASA-2(config-isakmp-policy)# encryption aes
ASA-2(config-isakmp-policy)# hash sha
ASA-2(config-isakmp-policy)# group 2
ASA-2(config-isakmp-policy)# lifetime 86400
ASA-2(config-isakmp-policy)# exit
ASA-2(config)# group-policy vpn_group internal
ASA-2(config)# group-policy vpn_group attributes
ASA-2(config-group-policy)# wins-server value 10.40.10.101
ASA-2(config-group-policy)# vpn-tunnel-protocol IPSec
ASA-2(config-group-policy)# password-storage enable
ASA-2(config-group-policy)# pfs enable
ASA-2(config-group-policy)# ipsec-udp enable
ASA-2(config-group-policy)# split-tunnel-policy tunnelspecified
47
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
ASA-2(config-group-policy)# split-tunnel-network-list value SPLIT_ACL

ASA-2(config-group-policy)# exit
ASA-2(config)# tunnel-group vpn_group type remote-access
ASA-2(config)# tunnel-group vpn_group general-attributes
ASA-2(config-tunnel-general)# address-pool VPN_POOL
ASA-2(config-tunnel-general)# authentication-server-group RAD
ASA-2(config-tunnel-general)# default-group-policy vpn_group
ASA-2(config-tunnel-general)# exit
ASA-2(config)# tunnel-group vpn_group ipsec-attributes
ASA-2(config-tunnel-ipsec)# pre-shared-key cisco
ASA-2(config-tunnel-ipsec)# radius-sdi-xauth
ASA-2(config-tunnel-ipsec)# exit
R5(config)#interface FastEthernet0/0.55
R5(config-subif)#crypto ipsec client ezvpn EZ_CLIENT inside
R5(config-subif)#crypto ipsec client ezvpn EZ_CLIENT outside
Mask: 255.255.255.255
Using PFS Group: 2
Address
: 10.40.10.2
Mask
: 255.255.255.255
Protocol
: 0x0
Source Port: 0
Dest Port : 0
R5#
SW2#ping 10.40.10.2
!!!!!
48
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
SW2#traceroute 10.40.10.2
Tracing the route to 10.40.10.2
1 100.55.10.5 0 msec 0 msec 0 msec
2 10.40.10.2 8 msec * 0 msec
SW2#
ASA-2(config)# class-map CMAP_VPN_REMOTE_PRIORITY

ASA-2(config-cmap)# match tunnel-group vpn_group
ASA-2(config-pmap)# class CMAP_VPN_REMOTE_PRIORITY
ASA-2(config-pmap-c)# priority
priority
Global policy:
Class-map: TELNET_TO_R2
Priority:
transmit 43259
Priority:
Priority:
Priority:
Class-map: CMAP_VPN_REMOTE_PRIORITY
Priority:
transmit 43259
Priority:
Priority:
Priority:
ASA-2(config)#
Move the XP PC outside of the firewall, and configure the

VPN software client to be able to connect.
The XP PC is
connected to SW2 port Fa0/16.
49
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

50
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
51
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
52
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Section 4: IPS
Task 4.1
4 Points
Erase the current-configuration first, then configure the

sensor per the diagram and the following:
o Use R1 as an authenticated NTP server.
o ASA2 as the default gateway.
o Allow management on port 5796 from 10.40.10.101
o Add a host route on the ACS PC for 172.26.60.0/24
Note: Username/Password for access are cisco/ccie5796
SW2(config-if)#end
ASA-2(config)# static (inside,control) 10.40.10.101 10.40.10.101
username" command.
Continue? []: yes
sensor#
sensor# setup
!
!
!
172.26.60.250/24,172.26.60.200
53
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

No entries
Permit: 10.40.10.101/32
Permit:
!
!
!
*16:53:32 UTC Sun May 03 2009
sensor#
sensor# ping 172.26.60.200
PING 172.26.60.200 (172.26.60.200): 56 data bytes
ms
ms
ms
ms
sensor#
c:\ACS_PC>route add 172.26.60.0 mask 255.255.255.0 192.168.2.2 p
54
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
55
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
56
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 4.2
4 Points

o Use an inline VLAN pair, using G0/0.1
o Insert the sensor between R1 and vlan 110.
Fa0/1 to vlan 111.
Assign R1

o Create an alert when an ICMP flood is seen. Log the
attacker packets for 2 minutes, and implement a rate
limit inbound on R1 Fa0/1 to 1%.
o The sensor should log int to R1 via SSH, with local
authentication, as the user ips-user. Set the enable
secret on R1 to cisco.
attacker for any signatures.
ASA-2(config-pmap)# class inspection_default
ASA-2(config-pmap-c)# inspect icmp
ASA-2(config-pmap-c)# end
sensor# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=252
time=3.3
time=2.7
time=2.7
time=2.6
ms
ms
ms
ms
sensor#
57
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

!
end
SW2#conf t
SW2(config-if)#end
58
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
59
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
60
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
61
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
R1(config)#username ips-user secret cisco

R1(config)#enable secret cisco
R1(config-line)#end
R1#ssh -l ips-user 1.1.1.1
Password:
R1>exit
62
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
63
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
64
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
65
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
66
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
67
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
68
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
69
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
70
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
71
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
R1#
R1#who
Line
514 vty 0
R1#
User
ips-user
Host(s)
idle
Idle
Location
00:00:12 100.60.10.212
BB1#ping 5.5.5.5 repeat 500 size 1000

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!
.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!
!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!.!!!
.!!!.!!!.!
BB1#
72
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
73
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
74
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 4.3
4 Points

o Use an inline interface pair, using Fa1/3 and Fa1/2
(located on SW3, ports Fa0/1 and Fa0/2).
o Insert vs2 between R7 Fa0/0 and vlan 120.
VLAN 121 as part of this task.
You may create

o Create a custom signature that is watching for the string
cisco123! or !321ocsic in upper or lower case on TCP
port 23 or 80.
Set a severity of MEDIUM, and a fidelity
rating of 70 for this signature.
o Without including the action of Send TCP Reset, or
including the IP address of 6.6.6.6 in the signature,
send a TCP reset to the attacker if this attack is seen
against 6.6.6.6
SW3#show run int fa0/1
description **SENSOR FA1/3**
end
SW3#show run int fa0/2
description **SENSOR FA1/2**
end
SW3#conf t
SW3(config-if)#end
description ***R7 FA0/0***
end
SW3#conf t
75
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

SW3(config-if)#end
SW3#wr
76
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
77
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
78
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
79
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
80
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
81
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
82
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
83
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
84
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
85
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
86
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
87
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
R5#telnet 6.6.6.6
R6#cisco123
R5#
88
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
89
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
90
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

Task 5.1
4 Points
Permit SSH to the outside interface of both firewalls from

5.5.5.5
Use ACS to authenticate the SSH login.
Create the user named user-5.1 and a password of cisco for
this task.
Record successful authentications.
91
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
ASA-2(config)# access-list outside permit udp host 100.60.10.100 host

10.40.10.101 eq radius
ASA-1(config)# aaa-server RAD protocol radius
ASA-1(config-aaa-server-group)# aaa-server RAD (outside) host 10.40.10.101
ASA-1(config-aaa-server-host)# key cisco
ASA-1(config-aaa-server-host)# exit
ASA-1(config)#
ASA-1(config)# aaa authentication ssh console RAD
ASA-1(config)# ssh 5.5.5.5 255.255.255.255 outside
ASA-2(config)# aaa authentication ssh console RAD
ASA-2(config)# ssh 5.5.5.5 255.255.255.255 outside
92
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

R5(config)#ip ssh source-interface loop 0
R5(config)#end
R5#ssh -l user-5.1 100.60.10.100
Password: cisco
ASA-1> exit
R5#
R5#
R5#ssh -l user-5.1 100.60.10.200
Password: cisco
ASA-2> exit
R5#
93
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
94
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 5.2
4 Points
When an outside user uses TELNET to 100.60.10.10, ASA2

should require authentication via RADIUS.
Create a user name of user-5.2, and dynamically permit TFTP
to the ACS PC for this authenticated user.
Time out the user after 10 minutes of inactivity.
ASA-2(config)# static (inside,outside) 100.60.10.10 100.60.10.10

ASA-2(config)# virtual telnet 100.60.10.10
ASA-2(config)# access-list outside permit tcp any host 100.60.10.10 eq telnet
ASA-2(config)# access-list VIR_TELNET extended permit tcp any host
100.60.10.10 eq telnet
ASA-2(config)# aaa authentication match VIR_TELNET outside RAD
95
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
96
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
ASA-2(config)# access-group outside in interface outside per-user-override

R5#dir
1 -rw52990552
2 -rw1038 Nov 11 2008 23:38:42 +00:00 home.shtml
R5#ping 10.40.10.101
!!!!!
R5#copy home.shtml tftp://10.40.10.101
Address or name of remote host [10.40.10.101]?
.....
%Error opening tftp://10.40.10.101/home.shtml (Timed out)
R5#telnet 100.60.10.10
Trying 100.60.10.10 ... Open
Username: user-5.2
97
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Password: cisco
R5#copy home.shtml tftp://10.40.10.101
!!
R5#
ASA-2(config)# show uauth

Current
Most Seen
Authenticated Users
2
2
Authen In Progress
0
1
user 'user-5.2' at 100.70.10.5, authenticated
access-list #ACSACL#-IP-ACL_FOR_ASA2-49fd8926 (*)
absolute
timeout: 0:05:00
ipsec user 'vpn_user' at 10.40.10.201, authenticated
ASA-2(config)# show access-list #ACSACL#-IP-ACL_FOR_ASA2-49fd8926
access-list #ACSACL#-IP-ACL_FOR_ASA2-49fd8926; 2 elements (dynamic)
access-list #ACSACL#-IP-ACL_FOR_ASA2-49fd8926 line 1 extended permit udp any
host 10.40.10.101 eq tftp (hitcnt=1) 0x564a34e2
access-list #ACSACL#-IP-ACL_FOR_ASA2-49fd8926 line 2 extended permit tcp any
host 100.60.10.10 eq telnet (hitcnt=1) 0x3fbe1810
ASA-2(config)#
ASA-2(config)# timeout uauth 0:30:00 absolute
ASA-2(config)# timeout uauth 0:10:00 inactivity
98
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 5.3
4 Points

o Deny ICMP from the ACS PC to 100.110.10.50
o Require authentication for HTTP traffic sourced from the
ACS PC to 100.110.10.50
o After successful authentication, the ACS PC should be
able to ping 100.110.10.50
o On BB1, restrict any HTTP sessions not sourced from the
ACS PC.
o On BB1, deny any inbound HTTP and TELNET management
connections if they are not received on Fa0/0.110
o Authenticate using ACS with a user named user-5.3.
99
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
100
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
101
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
R2(config)#no ip cef
R2(config)#ip access-list extended NO_ICMP_TO_BB1
R2(config-ext-nacl)#deny icmp host 192.168.2.101 host 100.110.10.50 log-input
R2(config-ext-nacl)#permit tcp host 192.168.2.101 host 100.110.10.50 eq www
log-input
R2(config)#aaa authentication login AUTH_PROXY group tacacs+
R2(config)#ip auth-proxy name AUTH_PROXY http inactivity-time 60 list
AUTH_PROXY
R2(config)#!Note: this is just to test a 2nd time faster
R2(config-if)#ip access-group NO_ICMP_TO_BB1 in
R2(config-if)#ip auth-proxy AUTH_PROXY
R2(config-if)#no ip route-cache cef
R2(config-if)#no ip route-cache
R2(config-if)#exit
R2(config-if)#no ip route-cache cef
R2(config-if)#no ip route-cache
R2(config-if)#exit
102
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
R2(config)#
103
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
c:\ACS_PC>ping 100.110.10.50
Reply from 100.110.10.50: bytes=32 time=6ms TT
Packets: Sent = 4, Received = 4, Lost = 0
Minimum = 6ms, Maximum = 6ms, Average = 6m
c:\ACS_PC>
10 permit icmp host 10.40.10.101 host 100.60.10.8
Extended IP access list AUTH_PROXY
10 permit tcp host 192.168.2.101 host 100.110.10.50 eq www log-input (7
matches)
Extended IP access list NO_ICMP_TO_BB1
permit icmp host 192.168.2.101 host 100.110.10.50 (4 matches)
104
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
10 deny icmp host 192.168.2.101 host 100.110.10.50 log-input (17 matches)

R2#
BB1(config)#access-list 1 permit 10.40.10.101
BB1(config)#ip http access-class 1
BB1(config)#control-plane host
BB1(config-cp-host)# management-interface fastEthernet 0/0.110 allow http
telnet
105
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

Task 6.1
4 Points
On R5 configure the following:

o When total CPU utilization exceeds 90 percent for 5
seconds, generate a syslog message. Then, when CPU
utilization falls below 10 percent for 5 seconds,
generate another syslog message.
o Rate limit all EIGRP packets processed by R5 to 50,000
bps.
o Rate limit TELNET and SSH to R5 to 10,000 bps.
o Rate limit any ICMP, TCP and UDP non-initial fragments
directed to R5 to 8,000 bps.
Your output should be similar to the following:
Control Plane
police:
transmit
drop
police:
transmit
drop
106
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

police:
transmit
drop
Match: any
R5#
R5(config)#process cpu threshold type total rising 90 interval 5 falling 10

interval 5
R5#wr
[OK]
R5#wr
[OK]
R5#wr
*May 3 20:13:12.974: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU
Utilization(Total/Intr): 99%/0%, Top 3 processes(Pid/Util): 269/99%, 142/0%,
298/0%[OK]
R5#
R5#
*May 3 20:13:22.966: %SYS-1-CPUFALLINGTHRESHOLD: Threshold: Total CPU
Utilization(Total/Intr) 0%/0%.
R5#
R5(config)#ip access-list extended EIGRP_ACL

R5(config-ext-nacl)#permit eigrp any any
R5(config)#ip access-list extended FRAGMENTS_ACL
R5(config-ext-nacl)#permit icmp any any fragments
R5(config-ext-nacl)#permit udp any any fragments
R5(config-ext-nacl)#permit tcp any any fragments
R5(config)#ip access-list extended TELNET_SSH_ACL
R5(config-ext-nacl)#permit tcp any any eq telnet
R5(config-ext-nacl)#permit tcp any any eq 22
R5(config)#class-map match-all CMAP_EIGRP
R5(config-cmap)#match access-group name EIGRP_ACL
R5(config)#class-map match-all CMAP_FRAGMENTS
107
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
R5(config-cmap)#match access-group name FRAGMENTS_ACL

R5(config)#class-map match-all CMAP_TELNET_SSH
R5(config-cmap)#match access-group name TELNET_SSH_ACL
R5(config)#policy-map RTR_CoPP
R5(config-pmap)#class CMAP_EIGRP
R5(config-pmap-c)#police 50000
R5(config-pmap-c)#class CMAP_FRAGMENTS
R5(config-pmap-c)#class CMAP_TELNET_SSH
R5(config-pmap-c)#control-plane
R5(config-cp)#service-policy input RTR_CoPP
R5(config-cp)#exit

!!.!!.!!.!
R4#telnet 5.5.5.5
R5#exit
R4#
Control Plane
police:
transmit
drop
police:
108
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
transmit
drop
police:
transmit
drop
Match: any
R5#
109
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
On SW3, configure ports Fa0/1 and Fa0/2 to provide traffic

suppression if broadcasts exceed 5% of the maximum
bandwidth.
SW3(config)#interface range fastEthernet 0/1-2
SW3(config-if-range)#storm-control broadcast level 5
SW3#show storm-control fa0/1 broadcast
Interface Filter State
Upper
Lower
--------- ------------- ----------- ----------Fa0/1
Forwarding
5.00%
5.00%
SW3#
Current
---------0.00%
Configure R6 to allow only only SSH, TELNET and HTTP as

management protocols. Restrict this access to Fa0/0.90
not use the IP address of R6 in your solution.
Do

R6(config-line)#end
R6(config)#control-plane host
R6(config-cp-host)#management-interface Fa 0/0.90 allow ssh telnet http
R1#telnet 6.6.6.6
Username: admin
Password: cisco
R6#exit
R1#R1#
!Note: R5 is attempting access through Fa0/0.80 on R6

R5#6.6.6.6
Trying 6.6.6.6 ...
R5#
110
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 6.2
4 Points
Allow BB1 and R8 to be EGBP neighbors.

Verify that BGP
sourced routes can be seen in the routing table of all
routers.
Add authentication to the EBGP neighbors using
the password of cisco. R8 should be the initiator for the
BGP neighborship.
ASA-1(config)# show run nat
nat (inside) 0 access-list NO_NAT
ASA-1(config)# show run acc
ASA-1(config)# show run access-l
ASA-1(config)# show run access-list NO_NAT
access-list NO_NAT extended permit ip host 10.30.10.8 host 100.60.10.4
access-list NO_NAT extended permit ip host 10.30.10.8 host 100.60.10.3
ASA-1(config)# access-list NO_NAT permit ip host 10.30.10.8 host
100.110.10.50
R8#show ip bgp summary
Neighbor
100.110.10.50
R8#
V
4
AS MsgRcvd MsgSent
1
5
4
TblVer
16
InQ OutQ Up/Down

0
0 00:00:14
PfxRcd
15
R8(config)#router bgp 8
R8(config-router)# neighbor 100.110.10.50 password cisco
BB1(config-router)# neighbor 10.30.10.8 password cisco
BB1(config-router)#end
BB1#wr
*May 3 21:44:37.590: %SYS-5-CONFIG_I: Configured from console by console
*May 3 21:44:40.466: %TCP-6-BADAUTH: No MD5 digest from 10.30.10.8(65055) to
100.110.10.50(179)[OK]
BB1#
ASA-1(config)# access-list BGP_ACL extended permit tcp any any eq bgp

ASA-1(config)# access-list BGP_ACL extended permit tcp any eq bgp any
ASA-1(config)# tcp-map TCP_MAP_BGP
ASA-1(config-tcp-map)# tcp-options range 19 19 allow
ASA-1(config-tcp-map)# exit
111
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
ASA-1(config)# class-map CMAP_BGP

ASA-1(config-cmap)# match access-list BGP_ACL
ASA-1(config-pmap)# class CMAP_BGP
ASA-1(config-pmap-c)# set connection random-sequence-number disable
ASA-1(config-pmap-c)# set connection advanced-options TCP_MAP_BGP
ASA-1(config)#
BB1#
100.110.10.50(179)
BB1#
100.110.10.50(179)
112
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Note: The path from R8 to BB1 crosses BOTH vs1 and vs2. Disable or modify
the signature that is normalizing the TCP option 19. Both examples are
included.
113
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
BB1#
*May
BB1#
3 21:59:40.650: %BGP-5-ADJCHANGE: neighbor 10.30.10.8 Up

114
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

Task 7.1
4 Points
On R1, identify P2P network traffic sources from VLAN 70

only.
Drop this traffic outbound on Fa0/1 without using
an access-list.
R1(config)#class-map match-all CMAP_FASTTRACK
R1(config-cmap)#match protocol fasttrack
R1(config)#policy-map PMAP_FASTTRACK
R1(config-pmap)#class CMAP_FASTTRACK
R1(config-pmap)#int fa 0/1
R1(config-if)#service-policy output PMAP_FASTTRACK
R1(config-if)#exit
R1(config)#end
R1#show policy-map int fa0/1
FastEthernet0/1
Service-policy output: PMAP_FASTTRACK
Class-map: CMAP_FASTTRACK (match-all)
0 packets, 0 bytes
Match: protocol fasttrack
drop
Match: any
R1#
115
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 7.2
4 Points
Stop P2P and other malicious traffic being tunneled on TCP

port 80 on 100.110.10.0/24. Use the sensor to send TCP
resets when this traffic is seen, and capture only the
initial packet that triggers the alert.
116
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
117
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Verify the integrity of TELNET sessions to and from R8

Loopback 0 through ASA1. Rate limit ingress TELNET traffic
on both interfaces to 10,000 bps.
ASA-1(config)# access-list R8_ACL permit tcp host 8.8.8.8 eq telnet any
ASA-1(config)# access-list R8_ACL permit tcp any host 100.60.10.8 eq 2323
ASA-1(config)# tcp-map INT_CHECK
ASA-1(config-tcp-map)# checksum-verification
ASA-1(config-tcp-map)# exit
ASA-1(config)# class-map R8-TELNET
ASA-1(config-cmap)# match access-list R8_ACL
ASA-1(config-pmap)# class R8-TELNET
ASA-1(config-pmap-c)# set connection advanced-options INT_CHECK
ASA-1(config-pmap-c)# police input 10000 1500
ASA-1(config)#
R3#telnet 100.60.10.8 2323
Trying 100.60.10.8, 2323 ... Open
R8# show tech-support
!
!
!
R8#exit
R3#

Global policy:
Class-map: CMAP_BGP
Set connection policy: random-sequence-number disable
118
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
drop 0
Set connection advanced-options: TCP_MAP_BGP
Invalid ACK drops
: 0
IP TTL modified
: 0
TCP-options:
Class-map: R8-TELNET
drop 0
Set connection advanced-options: INT_CHECK
Invalid ACK drops
: 0
IP TTL modified
: 0
TCP-options:
Input police Interface outside:
Input police Interface inside:
ASA-1(config)#
119
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc

Task 8.1
4 Points
On ASA1, globally protect the network by not allowing

fraggle attacks.
Do not use an access-list to accomplish
this.
ASA-1(config)# class-map CMAP_FRAGGLE
ASA-1(config-cmap)# match port udp eq echo
ASA-1(config-pmap)# class CMAP_FRAGGLE
ASA-1(config-pmap-c)# set connection conn-max 1
120
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Prevent MAC-address overload on SW1 ports fa 0/3-4.

Configure the minimum number of MAC addresses for these
ports, and save them in the configuration of the switch.
Generate a syslog message if exceeded, but do not shutdown
the port.
SW1(config)# int range fa0/3-4
SW1(config-if-range)# switchport port-security violation restrict
SW1(config-if-range)# switchport port-security maximum 2
SW1(config-if-range)# switchport port-security mac-address sticky
SW1#
SW1#show
06:16:21: %SYS-5-CONFIG_I: Configured from console by console
SW1#show port
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count)
(Count)
(Count)
--------------------------------------------------------------------------Fa0/3
2
2
0
Restrict
Fa0/4
2
2
0
Restrict
--------------------------------------------------------------------------Total Addresses in System (excluding one mac per port)
: 2
Max Addresses limit in System (excluding one mac per port) : 6272
!
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 60,70
switchport mode trunk
switchport port-security mac-address sticky 001b.5350.1b70 vlan 60
switchport port-security mac-address sticky 001b.5350.1b70 vlan 70
end
!
121
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
switchport trunk allowed

end
vlan 60,70
maximum 2
violation restrict
mac-address sticky
mac-address sticky 001b.53e4.ea18 vlan 60
mac-address sticky 001b.53e4.ea18 vlan 70
SW1#
122
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Task 8.2
4 Points
On R1, any inbound http packets on Fa0/0.90, destined for

the 100.110.10.0/24 network and containing any of the words
below within the URL, should be marked as DSCP 1, and then
dropped outbound on Fa0/0.11
o default.ida
o cmd.exe
o root.exe
R1(config)#class-map match-any CMAP_ATTACK
R1(config-cmap)#match protocol http url "*default.ida*"
R1(config-cmap)#match protocol http url "*cmd.exe*"
R1(config-cmap)#policy-map PMAP_ATTACK_MARK
R1(config-pmap)#class CMAP_ATTACK
R1(config-subif)#service-policy input PMAP_ATTACK_MARK
R1(config-subif)#access-list 105 deny ip any any dscp 1 log
R1(config-if)#exit
R6#dir
1 -rw52990552
2 -rw1038 Nov 11 2008 23:28:50 +00:00 home.shtml
R6#copy home.shtml http://100.110.10.50/root.exe
Destination filename [root.exe]?
%Error writing http://100.110.10.50/root.exe (I/O error)
R6#
R1#show policy-map int fa 0/0.90
FastEthernet0/0.90
Service-policy input: PMAP_ATTACK_MARK
Class-map: CMAP_ATTACK (match-any)
Match: protocol http url "*default.ida*"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "*cmd.exe*"
123
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
0 packets, 0 bytes
5 minute rate 0 bps
5 minute rate 0 bps
QoS Set
dscp 1
Packets marked 4
Match: any
R1#show acce
R1#show access-li
R1#show access-lists 105
10 deny ip any any dscp 1 log
R1#
124
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
On R5, prevent an outbound TELNET session sourced from r5.

Do not use AAA or line commands for this task.
R5#telnet 1.1.1.1
Username: ips-user
Password: cisco
R1>exit
R5(config)#access-list 100 permit tcp any any eq telnet log-input

R5(config)#route-map KILL_OUTBOUND_TELNET permit 10
R5(config)#ip local policy route-map KILL_OUTBOUND_TELNET
R5(config)#end
R5#telnet 1.1.1.1
Trying 1.1.1.1 ...
*May 3 22:45:47.267: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
100.120.10.5(26636) -> 1.1.1.1(23), 1 packet
*May 3 22:45:49.267: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
100.120.10.5(26636) -> 1.1.1.1(23), 1 packet
125
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
On R5, protect neighboring routers from any crafted IP

option packets that may cause excessive CPU processing.
R1#ping
Protocol [ip]:
Repeat count [5]: 1
Timeout in seconds [2]: 1
Extended commands [n]: yes
Validate reply data? [no]: yes
Reply data will be validated
>>Current pointer<<
Time= 17:00:00.000 PDT (00000000)
Reply to request 0 (12 ms). Received packet has options
Total option bytes= 8, padded length=8
Time= 15:45:18.510 PDT (04E1FA2E)
>>Current pointer<<
R1#ping
Protocol [ip]:
Repeat count [5]: 1
Timeout in seconds [2]: 1
Extended commands [n]: yes
Validate reply data? [no]: yes
126
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
Reply data will be validated
>>Current pointer<<
Time= 17:00:00.000 PDT (00000000)
Request 0 timed out
R1#
127
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.05.09.05.kb.r04.09.05.doc
128
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
LAB 6
Instructions
cannot be changed.
often!
task.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Sections:
1.ASA Firewalls
2.IOS Firewalls
3.VPNs
4.IPS
7.Advanced Security
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
ACS PC
.101
R1
BB1
.99
VLAN 168
192.168.2.0
SW2
.11
Inside
E0/0.v
VLAN 77
G0/0
DMZ1
E0/0.v
172.16.77.0
IPS C&C
.50
ASA1
DMZ2
E0/0.v
OSPF
Area 0
VLAN 99
172.16.99.0
VLAN 44
172.16.44.0
R4
Outside
E0/0.v
R7
VLAN 22
24.234.22.0
VLAN 252
24.234.252.0
BB2
R2
.252
SW1
OSPF
Area 1
Frame Relay
24.234.100.0
Outside
E0/0.v
VLAN 111
24.234.111.0
R6
C1
Inside
E0/0.v
.11
VLAN 121
24.234.121.0
R3
VLAN 222
24.234.222.0
Outside
E0/0.v
C2
Inside
E0/0.v
VLAN 88
172.16.88.0
VLAN 55
172.16.55.0
R8
R5

www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
SW1
Fa0/1
Fa0/0
R1
Fa0/1
Fa0/1
SW2
SW1
Fa0/2
Fa0/0
R2
Fa0/1
Fa0/2
SW2
SW1
Fa0/3
Fa0/0
R3
Fa0/1
Fa0/3
SW2
SW1
Fa0/4
Fa0/0
R4
Fa0/1
Fa0/4
SW2
SW1
Fa0/5
Fa0/0
R5
Fa0/1
Fa0/5
SW2
SW1
Fa0/6
Fa0/0
R6
Fa0/1
Fa0/6
SW2
SW1
Fa0/9
Fa0/0
BB1
Fa0/1
Fa0/9
SW2
SW1
Fa0/10
Fa0/0
BB2
Fa0/1
Fa0/10
SW2
SW1
Fa0/12
E0/0
E0/2
Fa0/12
SW2
Fa0/14
SW2
E0/3
Fa0/17
SW2
E0/2
Fa0/18
SW2
E0/3
Fa0/23
SW2
ASA01
Gi0/0: sense
SW1
Fa0/14
SW1
Fa0/17
E0/1
SW1
Fa0/18
E0/0
IDS
IDS
Gi0/1: c&c
ASA01
ASA02
SW1
E0/1
Fa0/23
ASA02
SW1
SW2
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Sensor Int.
G0/0
Fa1/0
Fa1/1
Fa1/2
Fa1/3
Connected to:
SW1 Fa0/14
SW3 Fa0/4
SW3 Fa0/3
SW3 Fa0/2
SW3 Fa0/1
Fas0/0
2811
SW3
SW4
Fas0/17
SW3
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Fas0/1
R7
Fas0/17
SW4
ACS PC SW1 Fa0/24
192.168.2.101
Fas0/0
2811
Fas0/1
R8
SW3

192.168.2.102
Fas0/18
SW4
Fas0/18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 1:
Task 1.1
ASA Firewalls
4 Points

Name
Inside
Outside
DMZ1
DMZ2
Interface
E0/0.168
E0/0.22
E0/0.77
E0/0.44

Default
192.168.2.100/24
Default
24.234.22.100/24
50
172.16.77.100/24
75
172.16.44.100/24
VLAN
168
22
77
44
Configure ASA1 as an ABR. Interface DMZ2 is in area 0 and

interface outside is in area 1.
Ensure that a default route to ASA1 is sent into area 0.
You may not use a static route or default information
originate command to accomplish this. The area 1 routers
should only reach outside networks via the default route,
never by a specific route.
Verify that area 0 routers have routes to the area 1
networks.
Test connectivity from R4 to R2, R3 and R6. You are allowed
to inspect ICMP on ASA1 to accomplish this.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 1.2
4 Points

Context
c1
c1
c2
c2
Name
Inside
Outside
Inside
Outside
Interface
E0/0.88
E0/0.111
E0/0.55
E0/0.222
Sec. Level
50
50
Default
Default
IP Address
172.16.88.200/24
24.234.111.200/24
172.16.55.200/24
24.234.222.200/24
VLAN
88
111
55
222

Configure a default route on both contexts with R6 as the
next hop.
Task 1.3
4 Points
The ACS server should be reachable on the outside network

via the address 24.234.22.101.
Hosts on the outside of ASA1 should be able to telnet to
the outside interface address on port 2323 and reach R1.
Verify by allowing R2.
Require a translation for traffic traversing context c2.
If R5 telnets to R6 it should have its address translated
to 24.234.222.5. If it telnets to R3 its address should be
24.234.222.55.
Translate outgoing traffic from the inside network of c2 to
the address 24.234.222.100.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 1.4
4 Points
Configure ASA1 for a future failover pair with the

following settings:
o Use LAN based stateful failover with ASA1 as the primary
unit.
o Interface standby IPs should be the primary interface
+25.
o E0/1 will be the failover interface, use the
99.99.99.0/24 network.
o All interfaces except DMZ1 should be monitored.
o Use stateful HTTP replication.
o Set the unit polling time to 200 msec.
o Set the interface polling time to 500 msec.
o Enable failover but leave the link down.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 2:
Task 2.1
IOS Firewalls
4 Points

follows:
Policy direction
Inside->Outside
Permit
TCP
UDP
ICMP
Limits
Log all traffic
Outside->Inside
TCP
ICMP

One minute low: 50
8000 bps burst 2000

Task 2.2
4 Points
R3 should explicitly deny and log all traffic from the VLAN
121 network.
Telnet, ICMP and HTTP from the rest of the network should
be allowed to VLAN 121 with the following restrictions:
o All telnet sessions will be logged.
o A total maximum of 200 half forms sessions should be
allowed. If this is exceeded they should be dropped.
o When the number of half formed sessions falls below 100
the dropping behavior should stop.
o A maximum of 50 half formed TCP sessions per host are
allowed. If this is exceeded no more connections to that
host are to be allowed for 5 minutes.
8
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 2.3
4 Points
Configure R6 to protect the 24.234.100.0/24 network against

flooding attacks. You may not use CBAC to accomplish this.
Protection should occur when more than 100 half open
connections are attempted within a 1 minute period.
Protection should cease when half open connections drop
below 100 in a one minute period.
Protection should drop half open sessions in random order.
The router should stop managing a tcp session if it is idle
for 1 hour.
Task 2.4
4 Points
On R6, automatically discover protocols coming from the

VLAN111 and VLAN222 networks.
Drop and any HTTP traffic incoming to the s0/0/0 interface
regardless of the port it uses.
Allow skype traffic from the 24.234.222.0/24 network,
prioritize it and dedicate 10% of s0/0/0s bandwidth to it.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points

R2 and ASA1 should sync their time to R1.
Set R2 and ASA1 to use pacific standard time.
Task 3.2
4 Points

The server should allow enrollment via http.
Certificates should be valid for 180 days
The administrator must manually grant certificates.
Enroll R2 and ASA1 with the newly create CA. You are
allowed to make policy changes to devices to accomplish
this.
Task 3.3
4 Points
Create a site to site tunnel between R2 and ASA1 with the

following attributes:
Phase 1: RSA-Sig, DH group 2, AES, SHA.
Phase 2: AES, SHA
Protected traffic: ICMP between BB2 and R1.
10
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 3.4
4 Points
Create a loopback y interface on R2, R3 and R6. Use the IP

address y.y.y.y/24. Do not add these networks to OSPF or
make them reachable via a static route.
Create a DMVPN network with the following attributes:
o Hub: R2
o Spokes: R3 and R6
o Phase 1: Pre-Share, 3des, md5, default DH.
o Phase 2: 3des, md5, transport mode.
o Tunnel source: s0/0/0 interface of each router.
o Tunnel addresses: 10.10.10.y/24
o Routing protocol for DMVPN: EIGRP
o Set MTU to avoid fragmentation.
Verify that traffic between the loopback networks is
encrypted and is taking the optimal path.
11
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 4:
Task 4.1
IPS
4 Points

IP Address
Gateway
Managed by
172.16.77.50
172.16.77.100
192.168.2.101
Mgmt. SSL
port
10443
to it.
Task 4.2
4 Points
Setup interface fa1/0 to protect traffic inline between BB2

and R2. You are allowed to make changes to SW1 and R2 to
accomplish this.
Setup interface fa1/1 as promiscuous on VLAN 168.
Setup interface fa1/2 as an alternate TCP reset interface
for fa1/1.
Assign fa1/0 to vs0 and fa1/1 to vs1.
Verify that BB2 has connectivity to R2.
12
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 4.3
4 Points
Ping from R1 to the ACS server with a repeat count of 100.

Find out what signature fires when you do this.
Modify this signature with the following:
o Send a high severity alert
o Produce a verbose alert instead of a standard alert.
o Fire on 50 packets per second.
Task 4.4
4 Points
Create a custom signature that will detect ICMP packets of

10000 bytes or larger going to or from BB2.
If this traffic is detected the packets should be dropped
inline and an alert generated.
Task 4.5
4 Points
Large pings should never be denied between R2 and BB2. You

are not allowed to modify the custom signature to
accomplish this.
13
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 5:
Task 5.1
Identity Management
4 Points
Configure ACS to authenticate using the local windows

database.
If a username cannot be found in the ACS user database, the
windows database should be checked.
Task 5.2
4 Points
Before allowing an HTTP connections to BB2 from beyond its

fa0/0.22 interface, R2 should first authenticate the
traffic.
Authentication should occur using the windows username
enablemode with a password of enableme
14
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 6:
Task 6.1
4 Points
R2 should not allow any ssh connections to itself. You may

not use ANY access list to accomplish this.
R2 should not allow any TCP/UDP connections to itself for
ports that it is not using. Drop and log any attempts. You
may not use ANY access list to accomplish this.
No more than 10 BGP packets at a time should be allowed in
R2s input queue.
15
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 7:
Advanced Security
Task 7.1 (4 Points

On R2, http and ssh traffic should both be prioritized and
given 25% of interface bandwidth on s0/0/0.
ICMP traffic should be policed to 10% of interface s0/0/0s
bandwidth.
Telnet traffic outgoing on s0/0/0 should have DSCP set to
af43.
Task 7.2
4 Points
Drop telnet destined for any network beyond fa0/0.222 on R6

by matching the dscp set in the previous task.
Telnet from beyond the fa0/0.111 interface on R6 destined
should be matched and dropped by the same policy.
16
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 8:
Task 8.1
4 Points
TCP traffic coming from the outside of c1 should be limited

to 200 total half open connections. You may not use a
translation to accomplish this.
If an attacker attempts to scan hosts protected by ASA1 the
scanner should be shunned for 2 hours. R2 should never be
shunned in this manner.
Do not allow any fragmented packets to traverse ASA1. Use
only a single command to accomplish this.
Task 8.2
4 Points
Ensure that a host attached to port fa0/14 on switch 4 is

unable to launch a CAM flood attack. If one is attempted
the port should be disabled.
Once the attack stops the port should be enabled again
within 30 seconds.
Port fa0/12 on sw4 is attached to a DHCP server on VLAN
168. Only this port should be allowed to respond to DHCP
request for VLAN 168.
Configure sw4 so that ARP poisoning will be stopped on VLAN
168. Source mac addresses should be validated.
17
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 1:
Task 1.1
ASA Firewalls
4 Points

Name
Inside
Outside
DMZ1
DMZ2
Interface
E0/0.168
E0/0.22
E0/0.77
E0/0.44

Default
192.168.2.100/24
Default
24.234.22.100/24
50
172.16.77.100/24
75
172.16.44.100/24
VLAN
168
22
77
44
Configure ASA1 as an ABR. Interface DMZ2 is in area 0 and

interface outside is in area 1.
Ensure that a default route to ASA1 is sent into area 0.
You may not use a static route or default information
originate command to accomplish this. The area 1 routers
should only reach outside networks via the default route,
never by a specific route.
Verify that area 0 routers have routes to the area 1
networks.
Test connectivity from R4 to R2, R3 and R6. You are allowed
to inspect ICMP on ASA1 to accomplish this.
ASA1(config)#
ASA1(config-subif)#
ASA1(config-subif)#
18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc

ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-if)#
ASA1(config-if)# fixup protocol icmp
ASA1(config)#
ASA1(config-router)# network 24.234.22.0 255.255.255.0 area 0
ASA1(config-router)# area 1 stub no-summary
Verification:
R2#sho ip route (codes cut)

O IA
O IA
C
O
O
C
O
C
S

24.234.222.0 [110/65] via 24.234.100.6, 00:23:39, Serial0/0/0
24.234.121.0 [110/65] via 24.234.100.3, 00:23:39, Serial0/0/0
24.234.111.0 [110/65] via 24.234.100.6, 00:23:40, Serial0/0/0
192.168.2.0/24 [1/0] via 24.234.22.100

C
C
O*IA 0.0.0.0/0 [110/2] via 172.16.44.100, 00:05:45, FastEthernet0/0.44
R4#ping 24.234.100.2
19
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc

!!!!!
R4#ping 24.234.100.3
!!!!!
R4#ping 24.234.100.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =

56/57/60 ms
20
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 1.2
4 Points

Context
c1
c1
c2
c2
Name
Inside
Outside
Inside
Outside
Interface
E0/0.88
E0/0.111
E0/0.55
E0/0.222
Security Level
50
50
Default
Default
IP Address
172.16.88.200/24
24.234.111.200/24
172.16.55.200/24
24.234.222.200/24

next hop.
ASA2(config)#
ASA2(config-if)#
ASA2(config-subif)#
ASA2(config-subif)#
ASA2(config-subif)#
ASA2(config-subif)#
ASA2(config)#
21
www.ccbootcamp.com
Toll Free 877.654.2243
VLAN
88
111
55
222
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc

ASA2(config-ctx)# allocate-interface Ethernet0/0.88 Inside
ASA2(config-ctx)# allocate-interface Ethernet0/0.111 Outside
ASA2(config-ctx)#
ASA2(config-ctx)#
ASA2/c1(config)#
ASA2/c1(config)# interface Inside
ASA2/c1(config-if)#
ASA2/c1(config-if)# interface Outside
ASA2/c1(config-if)#
ASA2/c1(config)#
ASA2/c1(config)#
ASA2/c2(config)#
ASA2/c2(config-if)#
ASA2/c2(config-if)#
ASA2/c2(config)#
22
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 1.3
4 Points
The ACS server should be reachable on the outside network

via the address 24.234.22.101.
Hosts on the outside of ASA1 should be able to telnet to
the outside interface address on port 2323 and reach R1.
Verify by allowing R2.
Require a translation for traffic traversing context c2.
If R5 telnets to R6 it should have its address translated
to 24.234.222.5. If it telnets to R3 its address should be
24.234.222.55.
Translate outgoing traffic from the inside network of c2 to
the address 24.234.222.100.
ASA1(config)# static (inside,outside) tcp interface 2323 192.168.2.1 telnet
ASA2/c2(config)#
ASA2/c2(config)# access-list R5_R6 permit tcp host 172.16.55.5 host
24.234.100.6 eq telnet
ASA2/c2(config)# nat (inside) 1 access-list R5_R6
ASA2/c2(config)# access-list R5_R3 permit tcp host 172.16.55.5 host
24.234.100.3 eq telnet
ASA2/c2(config)# nat (inside) 2 access-list R5_R3
ASA2/c2(config)#
ASA2/c2(config)# global (outside) 3 interface
INFO: Outside interface address added to PAT pool
23
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Verification:
ASA1# sho xlate
Global 24.234.22.101 Local 192.168.2.101
PAT Global 24.234.22.100(2323) Local 192.168.2.1(23)
R2#telnet 24.234.22.100 2323
Trying 24.234.22.100, 2323 ... Open

Password:
R1>
R5#telnet 24.234.100.6
Trying 24.234.100.6 ... Open

Password:
R6>exit
R5#telnet 24.234.100.3
Trying 24.234.100.3 ... Open

Password:
R3>exit
ASA2/c2# sho xlate
PAT Global 24.234.222.55(18074) Local 172.16.55.5(49109)
PAT Global 24.234.222.5(53188) Local 172.16.55.5(50488)
R5#ping 24.234.100.6
!!!!!
ASA2/c2# sho xlate

24
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 1.4
4 Points
Configure ASA1 for a future failover pair with the

following settings:
o Use LAN based stateful failover with ASA1 as the primary
unit.
o Interface standby IPs should be the primary interface
+25.
o E0/1 will be the failover interface, use the
99.99.99.0/24 network.
o All interfaces except DMZ1 should be monitored.
o Use stateful HTTP replication.
o Set the unit polling time to 200 msec.
o Set the interface polling time to 500 msec.
o Enable failover but leave the link down.
ASA1(config-subif)# ip address 192.168.2.100 255.255.255.0 standby
192.168.2.125
ASA1(config-subif)#
24.234.22.125
ASA1(config-subif)#
172.16.77.125
ASA1(config-subif)#
172.16.44.125
ASA1(config-subif)#
ASA1(config-subif)# failover lan unit primary
ASA1(config)# failover lan interface FAIL e0/1
ASA1(config)# failover interface ip FAIL 99.99.99.99 255.255.255.0 standby
99.99.99.124
ASA1(config)# failover link FAIL
ASA1(config)# monitor-interface Inside
ASA1(config)# monitor-interface Outside
ASA1(config)# monitor-interface DMZ2
ASA1(config)# failover polltime msec 200
INFO: Failover unit holdtime is set to 800 milliseconds
ASA1(config)# failover polltime interface msec 500
INFO: Failover interface holdtime is set to 5 seconds
25
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Verification:
ASA1# sho failover
Failover On
Failover LAN Interface: FAIL Ethernet0/1 (Failed - No Switchover)
Unit Poll frequency 200 milliseconds, holdtime 800 milliseconds
Interface Poll frequency 500 milliseconds, holdtime 5 seconds
Interface Policy 1
Version: Ours 8.0(4), Mate Unknown
This host: Primary - Active
Interface Inside (192.168.2.100): Normal (Waiting)
Interface Outside (24.234.22.100): Normal (Waiting)
Interface DMZ1 (172.16.77.100): Normal (Not-Monitored)
Interface DMZ2 (172.16.44.100): Normal (Waiting)
slot 1: empty
Other host: Secondary - Failed
slot 0: empty
Interface Inside (192.168.2.125): Unknown (Waiting)
Interface Outside (24.234.22.125): Unknown (Waiting)
Interface DMZ1 (172.16.77.125): Unknown (Not-Monitored)
Interface DMZ2 (172.16.44.125): Unknown (Waiting)
slot 1: empty
Link : FAIL Ethernet0/1 (Failed)
Stateful Obj
xmit
xerr
General
0
0
sys cmd
0
0
up time
0
0
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
0
0
Xlate_Timeout
0
0
VPN IKE upd
0
0
VPN IPSEC upd
0
0
VPN CTCP upd
0
0
VPN SDI upd
0
0
VPN DHCP upd
0
0
SIP Session
0
0
rcv
0
0
0
0
0
0
0
0
0
0
0
0
0
0
rerr
0
0
0
0
0
0
0
0
0
0
0
0
0
0

Cur
Max
Total
Recv Q:
0
0
0
Xmit Q:
0
0
0
26
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 2:
Task 2.1
IOS Firewalls
4 Points

follows:
Policy direction
Inside->Outside
Permit
TCP
UDP
ICMP
Limits
Log all traffic
Outside->Inside
TCP
ICMP

One minute low: 50
8000 bps burst 2000

R4(config)#
R4(config-subif)#zone-member security Outside
R4(config)#parameter-map type inspect INSIDE_OUTSIDE
R4(config-profile)#audit-trail on
R4(config)#
R4(config-cmap)#match protocol tcp
R4(config-cmap)#match protocol udp
R4(config)#
R4(config-pmap-c)#inspect INSIDE_OUTSIDE
27
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
R4(config-pmap)#zone-pair security INSIDE_OUTSIDE source Inside destination
Outside
R4(config-sec-zone-pair)#parameter-map type inspect OUTSIDE_INSIDE_TCP
R4(config-profile)#one-minute high 100
R4(config-profile)#one-minute low 50
R4(config)#
R4(config)#class-map type inspect OUTSIDE_INSIDE_TCP
R4(config)#class-map type inspect OUTSIDE_INSIDE_ICMP
R4(config-pmap)#class OUTSIDE_INSIDE_TCP
R4(config-pmap-c)#inspect OUTSIDE_INSIDE_TCP
R4(config-pmap)#class OUTSIDE_INSIDE_ICMP
R4(config-pmap-c)#
R4(config-pmap-c)#zone-pair security OUTSIDE_INSIDE source Outside
destination Inside
Verification:
ASA1# ping 172.16.99.99
!!!!!
*May 7 17:10:45.907: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)(INSIDE_OUTSIDE:INSIDE_OUTSIDE):Start icmp session: initiator
(172.16.44.100:8) -- responder (172.16.99.99:0)
*May 7 17:10:56.099: %FW-6-SESS_AUDIT_TRAIL: (target:class)(INSIDE_OUTSIDE:INSIDE_OUTSIDE):Stop icmp session: initiator
(172.16.44.100:8) sent 360 bytes -- responder (172.16.99.99:0) sent 360 bytes
BB1#ping 24.234.100.2 repeat 20
!!!!!!!!.!!!!!!!!.!!
R4#sho policy-map type inspect zone-pair OUTSIDE_INSIDE
Zone-pair: OUTSIDE_INSIDE
Police
28
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 2.2
4 Points
R3 should explicitly deny and log all traffic from the VLAN
121 network.
Telnet, ICMP and HTTP from the rest of the network should
be allowed to VLAN 121 with the following restrictions:
o All telnet sessions will be logged.
o A total maximum of 200 half forms sessions should be
allowed. If this is exceeded they should be dropped.
o When the number of half formed sessions falls below 100
the dropping behavior should stop.
o A maximum of 50 half formed TCP sessions per host are
allowed. If this is exceeded no more connections to that
host are to be allowed for 5 minutes.
R3(config-ext-nacl)#deny ip any any log-input
R3(config-ext-nacl)#ip inspect name CBAC telnet audit-trail on
R3(config)#ip inspect name CBAC http
R3(config)#ip inspect tcp max-incomplete host 50 block-time 5
R3(config)#
R3(config-subif)#ip access-group CBAC in
Verification:
SW1#ping 24.234.100.2
U.U.U
*May 7 17:33:37.103: %SEC-6-IPACCESSLOGDP: list CBAC denied icmp
24.234.121.11 (FastEthernet0/0.121 001b.2b79.26c1) -> 24.234.100.2 (0/0), 1
packet
R2#telnet 24.234.121.11
29
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Trying 24.234.121.11 ... Open

Password:
SW1>
R3#
*May 7 17:35:14.123: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session:
R3#sho ip inspect sessions
Established Sessions
Session 47FAECDC (24.234.100.2:34731)=>(24.234.121.11:23) telnet SIS_OPEN
30
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 2.3
4 Points
Configure R6 to protect the 24.234.100.0/24 network against

flooding attacks. You may not use CBAC to accomplish this.
Protection should occur when more than 100 half open
connections are attempted within a 1 minute period.
Protection should cease when half open connections drop
below 100 in a one minute period.
Protection should drop half open sessions in random order.
The router should stop managing a tcp session if it is idle
for 1 hour.
R6(config)#access-list 101 permit ip any 24.234.100.0 0.0.0.255
behavior
behavior
behavior
R6(config)#ip tcp
command accepted,
behavior
R6(config)#ip tcp
command accepted,
behavior
intercept drop-mode random

interfaces with mls configured might cause inconsistent
intercept connection-timeout 3600
interfaces with mls configured might cause inconsistent
Verification:
R5#telnet 24.234.100.2
Trying 24.234.100.2 ... Open

Password:
R2>
31
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
R6#sho tcp intercept connections

Incomplete:
Client
Server
Established:
Client
Server
R6#sho tcp intercept connections
Incomplete:
Client
Server
Established:
Client
24.234.222.200:64145
Server
24.234.100.2:23
State
Create
Timeout
Mode
State
Create
Timeout
Mode
State
Create
Timeout
Mode
State
ESTAB
Create
Timeout Mode
00:00:05 00:59:56 I
R6#sho tcp intercept statistics

Intercepting new connections using access-list 101
0 incomplete, 1 established connections (total 1)
0 connection requests per minute
32
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 2.4
4 Points
On R6, automatically discover protocols coming from the

VLAN111 and VLAN222 networks.
Drop and any HTTP traffic incoming to the s0/0/0 interface
regardless of the port it uses.
Allow skype traffic from the 24.234.222.0/24 network,
prioritize it and dedicate 10% of s0/0/0s bandwidth to it.
R6(config-subif)#
R6(config-subif)#
R6(config-subif)#class-map match-any HTTP
R6(config)#
R6(config)#class-map match-all SKYPE
R6(config-cmap)#match protocol skype
R6(config-cmap)#
R6(config-cmap)#policy-map INCOMING
R6(config-pmap)#class HTTP
R6(config)#
R6(config-pmap)#class SKYPE
R6(config)#
R6(config-if)#service-policy in INCOMING
Verification:
R3#copy http://24.234.100.6/test null:
%Error opening http://24.234.100.6/test (I/O error)
R6#sho policy-map int s0/0/0

33
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Serial0/0/0
Service-policy input: INCOMING
Match: protocol http
5 minute rate 0 bps
drop
Match: any
Class-map: SKYPE (match-all)
0 packets, 0 bytes
Match: protocol skype
Queueing
Strict Priority
Bandwidth 10 (%)
Match: any
34
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points

R2 and ASA1 should sync their time to R1.
Set R2 and ASA1 to use pacific standard time.
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#
ntp authentication-key 1 md5 cisco

ntp trusted-key 1
ntp authenticate
ntp server 172.16.88.8
clock timezone PST -8
ASA2/c1(config)# same-security-traffic permit inter-interface

Verification:
R2#sho ntp associations
address
ref clock
st when poll reach delay offset
disp
*~172.16.88.8
127.127.7.1
8
37
64
3
46.7
-6.51
4.7
* master (synced), # master (unsynced), + selected, - candidate, ~
configured
ASA1(config)# sho ntp associations

address
ref clock
disp
*~172.16.88.8
127.127.7.1
8
10
64
1
46.3
-1.91
15890.
configured
35
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 3.2
4 Points

The administrator must manually grant certificates.
Enroll R2 and ASA1 with the newly create CA. You are
allowed to make policy changes to devices to accomplish
this.
R8(config)#
Password:
Re-enter password:
May 7 18:33:52.854: %SSH-5-ENABLED: SSH 1.99 has been enabled% Exporting
Certificate Server signing certificate and keys...
R8(cs-server)#exit
R6(config)#access-list 102 deny tcp host 24.234.22.100 host 172.16.88.8 eq
www
R6(config)#access-list 102 deny tcp host 24.234.100.2 host 172.16.88.8 eq www
R6(config)#access-list 102 permit tcp any any
36
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
R6(config)#class-map match-all NEW_HTTP

R6(config)#policy-map INCOMING
R6(config-pmap)#no class HTTP
R6(config-pmap)#class NEW_HTTP

Fingerprint MD5: AAF92A33 012177CC 657C2BE5 4160AE68
Fingerprint SHA1: 0327A349 106924D5 8BD3F1E8 D1702D16 8B7900BF
%
Password:
version 2
Re-enter password:
% Include an IP address in the subject name? [no]: n
fingerprint.
R2(config)#
2FED6D7C 06052672 C815AB32 6FC0DD4C
843E302A EAF2BF2F A2FFB9F3 2DBCDFAE FBC881ED
R8#crypto pki server CA1 info requests

Enrollment Request Database:
Subordinate CA certificate requests:
37
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
ReqID State
Fingerprint
SubjectName
-------------------------------------------------------------RA certificate requests:
ReqID State
Fingerprint
SubjectName
-------------------------------------------------------------Router certificates requests:
ReqID State
Fingerprint
SubjectName
-------------------------------------------------------------1
pending
2FED6D7C06052672C815AB326FC0DD4C hostname=R2.ccbootcamp.com
R8#crypto pki server CA1 grant 1

Authority
ASA1(config)# crypto ca trustpoint CA1

ASA1(config-ca-trustpoint)# enrollment url http://172.16.88.8:80
ASA1(config-ca-trustpoint)# revocation-check none
ASA1(config-ca-trustpoint)# exit
ASA1(config)# crypto ca authenticate CA1
Fingerprint:
aaf92a33 012177cc 657c2be5 4160ae68
Do you accept this certificate? [yes/no]: y
ASA1(config)# crypto ca enroll CA1
%
Password: ********
Re-enter password: ********
% The fully-qualified domain name in the certificate will be: ASA1

% Include the device serial number in the subject name? [yes/no]: n
R8#crypto pki server CA1 info requests

Enrollment Request Database:
Subordinate CA certificate requests:
ReqID State
Fingerprint
SubjectName
-------------------------------------------------------------38
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
RA certificate requests:
ReqID State
Fingerprint
SubjectName
-------------------------------------------------------------Router certificates requests:
ReqID State
Fingerprint
SubjectName
-------------------------------------------------------------2
pending
A23C671F7EAE36CB17174A6EB5E0EE09 hostname=ASA1
R8#crypto pki server CA1 grant 2
ASA1(config)# The certificate has been granted by CA!
39
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 3.3
4 Points
Create a site to site tunnel between R2 and ASA1 with the

following attributes:
Phase 1: RSA-Sig, DH group 2, AES, SHA.
Phase 2: AES, SHA
Protected traffic: ICMP between BB2 and R1.
R2(config)#
R2(config)#crypto ipsec transform-set ASA1 esp-aes esp-sha-hmac
R2(config)#
R2(config)#crypto map ASA1 10 ipsec-isakmp
R2(config-crypto-map)#set transform-set ASA1
R2(config)#
R2(config-subif)#crypto map ASA1
R2(config-subif)#
ASA1(config)# crypto isakmp enable outside

ASA1(config)#
ASA1(config)# crypto isakmp policy 10
ASA1(config-isakmp-policy)# authentication rsa-sig
ASA1(config-isakmp-policy)# group 2
ASA1(config-isakmp-policy)# encryption aes
ASA1(config-isakmp-policy)# hash sha
ASA1(config-isakmp-policy)# exit
ASA1(config)#
ASA1(config)# crypto ipsec transform-set R2_VPN esp-aes esp-sha-hmac
ASA1(config)#
ASA1(config)# access-list R2_VPN permit icmp host 192.168.2.1 host
24.234.252.252
ASA1(config)#
40
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
ASA1(config)# crypto map R2_VPN 10 set transform-set R2_VPN

ASA1(config)# crypto map R2_VPN 10 match address R2_VPN
ASA1(config)# crypto map R2_VPN 10 set peer 24.234.22.2
ASA1(config)#
ASA1(config)# crypto map R2_VPN interface Outside
ASA1(config)#
ASA1(config)# tunnel-group 24.234.22.2 type ipsec-l2l
ASA1(config)# tunnel-group 24.234.22.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# trust-point CA1
ASA1(config-tunnel-ipsec)# peer-id-validate nocheck
Verification:
BB2#ping 192.168.2.1
.!!!!
ASA1# sho crypto ipsec sa (output cut)
interface: Outside
Crypto map tag: R2_VPN, seq num: 10, local addr: 24.234.22.100
access-list R2_VPN permit icmp host 192.168.2.1 host 24.234.252.252
(24.234.252.252/255.255.255.255/1/0)
current_peer: 24.234.22.2
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
41
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 3.4
4 Points
Create a loopback y interface on R2, R3 and R6. Use the IP

address y.y.y.y/24. Do not add these networks to OSPF or
make them reachable via a static route.
Create a DMVPN network with the following attributes:
o Hub: R2
o Spokes: R3 and R6
o Phase 1: Pre-Share, 3des, md5, default DH.
o Phase 2: 3des, md5, transport mode.
o Tunnel source: s0/0/0 interface of each router.
o Tunnel addresses: 10.10.10.y/24
o Routing protocol for DMVPN: EIGRP
o Set MTU to avoid fragmentation.
Verify that traffic between the loopback networks is
encrypted and is taking the optimal path.
R2(config-isakmp)#encryption 3des
R2(config)#
R2(config)#crypto isakmp key cisco address 0.0.0.0 0.0.0.0
R2(config)#
R2(config)#crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
R2(config)#
R2(config)#crypto ipsec profile DMVPN
R2(ipsec-profile)#set transform-set DMVPN
R2(config)#
R2(config)#interface tunnel 0
R2(config-if)#ip nhrp map multicast dynamic
R2(config-if)#tunnel source s0/0/0
R2(config-if)#no ip split-horizon eigrp 1
42
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
R2(config-if)#tunnel protection ipsec profile DMVPN

R2(config-if)#exit
R2(config-router)#no auto
R3(config-if)#exit
R3(config)#
R3(config)#
R3(config)#
R3(config)#
R3(config)#
R3(config-if)#exit
R3(config)#
R3(config)#
*May 7 22:09:49.374: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*May 7 22:09:49.710: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Tunnel0, changed state to up
*May 7 22:09:51.150: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.10.10.2
(Tunnel0) is up: new adjacency
43
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
R6(config-if)#exit
R6(config)#
R6(config)#
R6(config)#
R6(config)#
R6(config)#
R6(config-if)#exit
R6(config)#
R6(config)#
Tunnel0, changed state to up
*May 7 22:08:45.549: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.10.10.2
(Tunnel0) is up: new adjacency
Verification:
R6#sho ip route
2.0.0.0/24
D
2.2.2.0
3.0.0.0/24
eigrp
is subnetted, 1 subnets
[90/15488000] via 10.10.10.2, 00:00:42, Tunnel0
is subnetted, 1 subnets
44
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
3.3.3.0 [90/28288000] via 10.10.10.2, 00:00:42, Tunnel0
R6#ping 2.2.2.2
!!!!!
R6#sho crypto isakmp sa
dst
src
state
conn-id slot status
24.234.100.2
24.234.100.6
QM_IDLE
1001
0 ACTIVE
interface: Tunnel0
R6#ping 3.3.3.3
!!!!!
R6#sho crypto isakmp sa
dst
src
state
conn-id slot status
24.234.100.3
24.234.100.6
QM_IDLE
1002
0 ACTIVE
24.234.100.2
24.234.100.6
QM_IDLE
1001
0 ACTIVE
R6#sho crypto ipsec sa (output cut)
local ident (addr/mask/prot/port):
#pkts encaps: 1, #pkts encrypt: 1,
#pkts decaps: 1, #pkts decrypt: 1,
(24.234.100.6/255.255.255.255/47/0)
(24.234.100.3/255.255.255.255/47/0)
#pkts digest: 1
#pkts verify: 1
45
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
#pkts
#pkts
#pkts
#send

local crypto endpt.: 24.234.100.6, remote crypto endpt.: 24.234.100.3

path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0
current outbound spi: 0x97A651F4(2544259572)
46
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 4:
Task 4.1
IPS
4 Points

IP Address
Gateway
Managed by
172.16.77.50
172.16.77.100
192.168.2.101
Mgmt. SSL
port
10443
to it.
sensor# setup
(cut)
4 21:24:15 2009

No entries
Permit: 192.168.2.101/32
47
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Permit:
(cut)
48
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
49
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
50
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 4.2
4 Points
Setup interface fa1/0 to protect traffic inline between BB2

and R2. You are allowed to make changes to SW1 and R2 to
accomplish this.
for fa1/1.
Verify that BB2 has connectivity to R2.
51
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
52
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
SW1(config-vlan)#remote-span
SW1(config)#monitor session 1 source VLAN 168
SW1(config)#monitor session 1 destination remote
SW1(config)#monitor session 1 destination remote VLAN 254
SW3(config)#monitor session 1 source remote vlan 254
SW3(config)#monitor session 1 destination interface fa0/3
SW3(config-if)#sw mode access
53
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
54
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Verification:
BB2#ping 24.234.252.2
!!!!!
55
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 4.3
4 Points
Ping from R1 to the ACS server with a repeat count of 100.

Find out what signature fires when you do this.
Modify this signature with the following:
o Send a high severity alert
o Produce a verbose alert instead of a standard alert.
o Fire on 50 packets per second.
R1#ping 192.168.2.101 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!
56
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Verification:
R1#ping 192.168.2.101 repeat 100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
57
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
58
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 4.4
4 Points
Create a custom signature that will detect ICMP packets of

10000 bytes or larger going to or from BB2.
If this traffic is detected the packets should be dropped
inline and an alert generated.
59
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
60
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
61
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Verification:
BB2#ping 24.234.252.2
!!!!!
BB2#ping 24.234.252.2 size 10000
.....
62
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 4.5
4 Points
Large pings should never be denied between R2 and BB2. You

are not allowed to modify the custom signature to
accomplish this.
Verification:
R2#ping 24.234.252.252 size 10000
!!!!!
63
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 5:
Identity Management
Task 5.1 (External Databases)
4 Points
Configure ACS to authenticate using the local windows

database.
If a username cannot be found in the ACS user database, the
windows database should be checked.
64
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
65
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
66
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
67
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 5.2
4 Points
Before allowing an HTTP connections to BB2 from beyond its

fa0/0.22 interface, R2 should first authenticate the
traffic.
Authentication should occur using the windows username
enablemode with a password of enableme
68
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
69
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
70
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc

24.234.22.101 eq tacacs
R2(config)#
R2(config)#
R2(config)#access-list 101 permit tcp any host 24.234.252.252 eq www
R2(config)#ip auth-proxy name AUTHP http list 101
R2(config)#
R2(config)#ip http authentication aaa
R2(config)#
R2(config)#access-list 105 deny tcp any host 24.234.252.252 eq www
R2(config)#
R2(config-subif)#ip auth-proxy AUTHP
71
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Verification:
72
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
(AAA)
When telneting to R8, authentication should occur using a username of r8user
with a password of cisco.
Authentication should occur locally and authorization should occur using the
ACS server.
The user should be placed into privileged exec mode automatically.
r8user should only be able to issue show commands and ping to any ip address.
The copy command should be available on R8 to any user without entering
privileged mode.
73
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
74
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc

24.234.22.101 eq tacacs
R8(config)#username r8user password cisco
R8(config)#privilege exec level 1 copy
R8(config)#tacacs-server host 24.234.22.101 key 0 cisco
R8(config)#
R8(config)#aaa authentication login VTY local
R8(config)#aaa authorization exec VTY group tacacs+
R8(config)#aaa authorization commands 15 VTY group tacacs+
R8(config)#
R8(config-line)#login authentication VTY
R8(config-line)#authorization exec VTY
R8(config-line)#authorization commands 15 VTY
75
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Verification:
R6#telnet 172.16.88.8
Trying 172.16.88.8 ... Open

Username: r8user
Password:
R8#show ip int br
Interface
Protocol
FastEthernet0/0
up
FastEthernet0/0.88
up
FastEthernet0/1
down
Serial0/0/0
down
Serial0/0/1
down
R8#ping 24.234.222.6
IP-Address
OK? Method Status
unassigned
YES NVRAM
up
172.16.88.8
YES NVRAM
up
unassigned
YES NVRAM
unassigned
YES NVRAM
unassigned
YES NVRAM

!!!!!
R8#conf t
From the console:
R8>copy http://24.234.111.6 null:
Source filename []?
?File name not specified
%Error parsing filename (Unknown error 0)
76
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 6:
Task 6.1
4 Points
R2 should not allow any ssh connections to itself. You may

not use ANY access list to accomplish this.
R2 should not allow any TCP/UDP connections to itself for
ports that it is not using. Drop and log any attempts. You
may not use ANY access list to accomplish this.
No more than 10 BGP packets at a time should be allowed in
R2s input queue.
R2(config)#class-map type port-filter match-all SSH
R2(config-cmap)#match port tcp 22
R2(config)#class-map type port-filter match-all CLOSED
R2(config-cmap)#match closed-ports
R2(config)#policy-map type port-filter PORTS
R2(config-pmap)#class CLOSED
R2(config-pmap-c)#log
R2(config-pmap)#control-plane host
R2(config-cp-host)#service-policy type port-filter input PORTS
R2(config)#class-map type queue-threshold match-all BGP
R2(config-cmap)#match protocol BGP
R2(config)#policy-map type queue-threshold BGP
R2(config-pmap)#class BGP
R2(config-pmap-c)#queue-limit 10
R2(config-cp-host)#service-policy type queue-threshold input BGP
R2(config-cp-host)#
May 8 17:44:16.523: %CP-5-FEATURE: Protocol Queue Thresholding feature
enabled on Control plane host path
Verification:
R6#ssh -l cisco 24.234.100.2
R6#
77
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
R2#sho policy-map type port-filter control-plane host (output cut)

Control Plane Host
Service-policy port-filter input: PORTS
Match: port tcp 22
drop
R2#sho control-plane host open-ports
Active internet connections (servers and established)
Prot
Local Address
Foreign Address
State
tcp
*:22
*:0
LISTEN
tcp
*:23
*:0
LISTEN
tcp
*:80
*:0
LISTEN
udp
*:49
24.234.22.101:0
LISTEN
udp
*:67
*:0
LISTEN
udp
*:123
*:0
LISTEN
Service
SSH-Server
Telnet
HTTP CORE
TACACS service
DHCPD Receive
NTP
R6#copy ftp://24.234.100.2/test.exe null:

Accessing ftp://24.234.100.2/test.exe...
%Error opening ftp://24.234.100.2/test.exe (Timed out)
May 8 17:50:50.320:
-> 24.234.100.2(21)
May 8 17:50:52.316:
-> 24.234.100.2(21)
May 8 17:50:56.316:
-> 24.234.100.2(21)
May 8 17:51:04.315:
-> 24.234.100.2(21)
%CP-6-TCP: DROP TCP/UDP Portfilter
24.234.100.6(18788)
24.234.100.6(18788)
24.234.100.6(18788)
24.234.100.6(18788)
R2#show policy-map type queue-threshold control-plane host

queue-limit 10
queue-count 0
Control Plane Host
Service-policy queue-threshold input: BGP
Class-map: BGP (match-all)
0 packets, 0 bytes
Match: protocol bgp
78
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc

Match: any
79
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 7:
Advanced Security
Task 7.1 (4 Points

On R2, http and ssh traffic should both be prioritized and
given 25% of interface bandwidth on s0/0/0.
ICMP traffic should be policed to 10% of interface s0/0/0s
bandwidth.
Telnet traffic outgoing on s0/0/0 should have DSCP set to
af43.
R2(config)#class-map match-any PRIORITY
R2(config)#class-map match-all ICMP
R2(config-pmap)#class PRIORITY
R2(config-pmap-c)#bandwidth percent 25
R2(config-pmap)#class ICMP
R2(config-pmap-c)#police rate percent 10
R2(config-pmap-c-police)#class TELNET
R2(config-pmap-c)#set dscp af43
R2(config-pmap)#int s0/0/0
Verification:
BB2#copy http://24.234.100.6/test.exe null:
%Error opening http://24.234.100.6/test.exe (I/O error)
BB2#ssh -l cisco 24.234.100.6
BB2#ping 24.234.100.6
!!!!!
BB2#telnet 24.234.100.6
Trying 24.234.100.6 ... Open
80
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc

Password:
R6>exit
Serial0/0/0
Class-map: PRIORITY (match-any)
Match: protocol ssh
1 packets, 48 bytes
5 minute rate 0 bps
5 minute rate 0 bps
Queueing
Bandwidth 25 (%)
Class-map: ICMP (match-all)
police:
rate 10 %
rate 154000 bps, burst 4812 bytes
transmit
drop
QoS Set
dscp af43
Packets marked 22
Match: any
81
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 7.2
4 Points
Drop telnet destined for any network beyond fa0/0.222 on R6

by matching the dscp set in the previous task.
Telnet from beyond the fa0/0.111 interface on R6 destined
should be matched and dropped by the same policy.
R6(config)#class-map match-all BAD_TELNET
R6(config-cmap)#match dscp af43
R6(config)#policy-map BAD_TELNET
R6(config-pmap)#class BAD_TELNET
R6(config-subif)#service-policy output BAD_TELNET
R6(config)#
R6(config)#policy-map MARK_TELNET
R6(config-pmap)#class TELNET
R6(config-pmap-c)#set dscp af43
R6(config-subif)#service-policy input MARK_TELNET
Verification:
BB2#telnet 24.234.222.5
Trying 24.234.222.5 ...
R8#telnet 24.234.222.5
Trying 24.234.222.5 ...

FastEthernet0/0.111
Service-policy input: MARK_TELNET
QoS Set
82
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
dscp af43
Packets marked 4
Match: any
FastEthernet0/0.222
Service-policy output: BAD_TELNET
Class-map: BAD_TELNET (match-all)
Match: dscp af43 (38)
drop
Match: any
83
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Section 8:
Task 8.1
4 Points
TCP traffic coming from the outside of c1 should be limited

to 200 total half open connections. You may not use a
translation to accomplish this.
If an attacker attempts to scan hosts protected by ASA1 the
scanner should be shunned for 2 hours. R2 should never be
shunned in this manner.
Do not allow any fragmented packets to traverse ASA1. Use
only a single command to accomplish this.
ASA2/c1(config)# access-list TCP permit tcp any any
ASA2/c1(config)# class-map TCP
ASA2/c1(config-cmap)# match access-list TCP
ASA2/c1(config)# policy-map OUTSIDE
ASA2/c1(config-pmap)# class TCP
ASA2/c1(config-pmap-c)# set connection embryonic-conn-max 200
ASA2/c1(config-pmap)# service-policy OUTSIDE interface outside
ASA1(config)# threat-detection scanning-threat shun except ip-address

24.234.22.2
ASA1(config)# threat-detection scanning-threat shun duration 7200
ASA1(config)# fragment chain 1
ASA2/c1# sho service-policy interface outside

Interface Outside:
Service-policy: OUTSIDE
Class-map: TCP
Set connection policy: embryonic-conn-max 200
current embryonic conns 0, drop 0
ASA1(config)# sho threat-detection rate

Average(eps)
events
10-min Scanning:
0
62
Current(eps) Trigger
0
Total
84
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
1-hour
383
10-min
62
1-hour
383
10-min
62
1-hour
383
10-min
71
1-hour
429
Scanning:
Bad
pkts:
Bad
pkts:
Firewall:
Firewall:
Interface:
Interface:
R1#ping 24.234.22.2
!!!!!
R1#ping 24.234.22.2 size 3000
.....
85
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
Task 8.2
4 Points
Ensure that a host attached to port fa0/14 on switch 4 is

unable to launch a CAM flood attack. If one is attempted
the port should be disabled.
Once the attack stops the port should be enabled again
within 30 seconds.
Port fa0/12 on sw4 is attached to a DHCP server on VLAN
168. Only this port should be allowed to respond to DHCP
request for VLAN 168.
Configure sw4 so that ARP poisoning will be stopped on VLAN
168. Source mac addresses should be validated.
SW4(config-if)#sw port-security
SW4(config)#ip dhcp snooping vlan 168
SW4(config-if)#ip dhcp snooping trust
SW4(config)#ip arp inspection vlan 168
SW4(config)#ip arp inspection validate src-mac
Verification:
SW4#sho port-security int fa0/14
Port Security
: Enabled
Port Status
: Secure-down
Violation Mode
: Shutdown
Aging Time
: 0 mins
Aging Type
: Absolute
: 1
Total MAC Addresses
: 0
: 0
: 0
: 0000.0000.0000:0
: 0
86
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
SW4#sho errdisable recovery

ErrDisable Reason
----------------arp-inspection
bpduguard
channel-misconfig
dhcp-rate-limit
dtp-flap
gbic-invalid
inline-power
l2ptguard
link-flap
mac-limit
loopback
pagp-flap
port-mode-failure
psecure-violation
security-violation
sfp-config-mismatch
small-frame
storm-control
udld
vmps
Timer Status
-------------Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Enabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Timer interval: 30 seconds

SW4#sho ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
168
DHCP snooping is operational on following VLANs:
168
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface
-----------------------FastEthernet0/12
Trusted
------yes
Rate limit (pps)

---------------unlimited
SW4#sho ip arp inspection

Source Mac Validation
: Enabled
Destination Mac Validation : Disabled
IP Address Validation
: Disabled
Vlan
----
Configuration
-------------
Operation
---------
ACL Match
---------
Static ACL
----------
87
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.06.09.05.sm.r04.09.05.doc
168
Enabled
Active
Vlan
---168
ACL Logging
----------Deny
DHCP Logging
-----------Deny
Vlan
---168
Forwarded
--------0
Dropped
------1
DHCP Drops
---------1
Vlan
---168
DHCP Permits
-----------0
ACL Permits
----------0
Probe Permits
------------0
Vlan
----
Dest MAC Failures

-----------------
IP Validation Failures
----------------------
Invalid Protocol Data

---------------------
Vlan
---168
Dest MAC Failures

----------------0
IP Validation Failures
---------------------0
Invalid Protocol Data

--------------------0
Probe Logging
------------Off
ACL Drops
--------0
Source MAC Failures
------------------0
88
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
LAB 7
Instructions
cannot be changed.
often!
task.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Sections:
1.ASA Firewalls
2.IOS Firewalls
3.VPNs
4.IPS
7.Advanced Security
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
SW1
Fa0/1
Fa0/0
R1
Fa0/1
Fa0/1
SW2
SW1
Fa0/2
Fa0/0
R2
Fa0/1
Fa0/2
SW2
SW1
Fa0/3
Fa0/0
R3
Fa0/1
Fa0/3
SW2
SW1
Fa0/4
Fa0/0
R4
Fa0/1
Fa0/4
SW2
SW1
Fa0/5
Fa0/0
R5
Fa0/1
Fa0/5
SW2
SW1
Fa0/6
Fa0/0
R6
Fa0/1
Fa0/6
SW2
SW1
Fa0/9
Fa0/0
BB1
Fa0/1
Fa0/9
SW2
SW1
Fa0/10
Fa0/0
BB2
Fa0/1
Fa0/10
SW2
SW1
Fa0/12
E0/0
E0/2
Fa0/12
SW2
Fa0/14
SW2
E0/3
Fa0/17
SW2
E0/2
Fa0/18
SW2
E0/3
Fa0/23
SW2
ASA01
Gi0/0: sense
SW1
Fa0/14
SW1
Fa0/17
E0/1
SW1
Fa0/18
E0/0
IDS
IDS
Gi0/1: c&c
ASA01
ASA02
SW1
E0/1
Fa0/23
ASA02
SW1
SW2
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Sensor Int.
G0/0
Fa1/0
Fa1/1
Fa1/2
Fa1/3
Connected to:
SW1 Fa0/14
SW3 Fa0/4
SW3 Fa0/3
SW3 Fa0/2
SW3 Fa0/1
Fas0/0
2811
SW3
SW4
Fas0/17
SW3
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Fas0/1
R7
Fas0/17
SW4
ACS PC SW1 Fa0/24
192.168.2.101
Fas0/0
2811
Fas0/1
R8
SW3

192.168.2.102
Fas0/18
SW4
Fas0/18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Routers use router

number for last octet.
Routers use Fa0/0.v
(v=VLAN #) for ethernet
connections.
R8
ACS PC
.101
VLAN 2
192.168.2.0 / 24
inside
e0/1
ASA1
.10
outside
e0/0
BB1
BB2
.9
.9
Int G0/1
.250
XP Test
PC .102
VLAN 100
172.19.100.0/24
VLAN 101
10.88.101.0/24
inside
e0/1.v
dmz
e0/1.v
VLAN 66
22.222.6.0/24
VLAN 77
22.222.7.0/24
IPS Inline
G0/0.1
IPS Inline
Fa1/0
ASA2
context
perim
.20
outside
e0/0
VLAN 10
22.222.10.0/24
VLAN 5
22.222.5.0/24
IPS Inline
G0/0.1
IPS Inline
Fa1/1
R1
VLAN 6
22.222.6.0/24
VLAN 7
22.222.7.0/24
VLAN 12
22.222.12.0/24
R6
R7
S0/0/0
S0/0/0
R5
VLAN 45
22.222.45.0/24
Frame Relay
22.222.67.0/24
R2
R4
VLAN 23
22.222.23.0/24
S0/0/0
VLAN 34
22.222.34.0/24
R3
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Task 1.1
4 Points
Configure ASA1 with the following:

o IP addresses as shown in the diagram.
o EIGRP AS 1 on the outside interface.
o OSPF area 0 on the inside interface.
o Allow R8 to have the EIGRP 1 routes in its routing table.
o Allow R8 to ping 5.5.5.5
Task 1.2
4 Points
Configure ASA2 in multi-context mode with the following:

o Context named admin as the admin context using
interface e0/2 in VLAN 2 and .20 for the last octet.
not configure e0/2 as a firewall routed interface.
Do
o Context named perim using information on the diagram,

and a security level of 50 for the dmz.
o Unique mac addresses for each interface.
o Default route for perim using R5.
o Permit all icmp inbound on the outside interface.
o Hide the interface hardware information from the context
perim.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 1.3
4 Points
Configure the following translation rules.

Device
Name
ASA1
ASA1
ASA1
perim
perim
Real
Int.
INSIDE
INSIDE
INSIDE
INSIDE
DMZ
Mapped
Int.
OUTSIDE
OUTSIDE
OUTSIDE
OUTSIDE
OUTSIDE
Real
IP:PORT #
ACS IP address
R8 Fa0/0.2
R8 Loopback 0
any
172.19.100.250:TCP
port 7000
Mapped
IP:PORT#
22.222.10.101
22.222.10.8
22.222.10.18
OUTSIDE Interface
22.222.5.250:TCP
port 8000
Configure the IP address of the XP test PC by using the

utility on the XP desktop. Change the IP address to
10.88.101.102 255.255.255.0
Add a static route on the XP PC for 22.222.0.0/16
Add a static route on the ACS PC for 22.222.0.0/16
Configure and verify that the XP test PC can ping
22.222.10.10
Task 1.4
4 Points
Enable SSH on R8
On ASA1, configure the following:
o Permit all ICMP and SSH to R8 Loopback 0, R8 Fa0/0.2 and
the ACS PC. Configure a 1 line access-list to accomplish
this.
o Prioritize SSH to R8 Loopback 0
o Rate limit ICMP to the ACS PC to 8,000 bps
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Task 2.1
4 Points
On R6 configure a Zone Based Firewall with the following:

o S0/0/0 in the INSIDE zone
o Fa0/0.6 in the OUTSIDE zone
o Allow ICMP, HTTP and SSH outbound
o Allow ICMP inbound
Task 2.2
4 Points
On R6, set the maximum connections to 50, and max embryonic

limit to 10 for outbound TCP based traffic. Create and
send audit trail information to the ACS PC for all outbound
sessions.
Police inbound ICMP traffic to 8,000 bps.
Task 2.3
4 Points
On R3, mark all P2P type traffic as DSCP 2, inbound on

Serial 0/0/0, if it was sourced from 22.222.6.0/24
Drop this traffic outbound on Fa0/0.23 without using an
access-list.
Task 2.4
4 Points
On R3, generate a syslog message when total CPU utilization

rises above 90% for at least 5 seconds.
Generate another
syslog message when CPU utilization goes below 10% for at
least 10 seconds.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points
Configure R8 as a CA Server with the following:

o CN R8-CA_Server
o database url nvram:
o L=NV
o C=US
o CN=R8.ccbootcamp.com
o cdp-url http://22.222.10.18/R8.cdp.crl
o automatically grant certificates
Configure R8 as an NTP server with authentication, sourced
from Loopback 0.
Configure R2, R3 and R5 as NTP and CA clients.
Task 3.2
4 Points
Configure GET VPN using the following:

o Key server priority 2 R8 using Fa0/0.2 and no NAT
o Key server priority 1 R5
o Member servers R2/R3
o No NAT between members and Key Servers
o IKE phase 1, RSA-Sig, DH5, AES, SHA
o IPSec traffic: AES, SHA
o Interesting traffic: ICMP between R2/R3 loopback 0
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 3.3
4 Points
Configure R1 as an EasyVPN server with the following:

o New loopback 11 of 11.11.11.1/24.
o Client mode, with pool of 11.11.11.51-60
o IKE Phase 1: aes, psk, dh 2, sha
o IKE Phase 2: aes, sha,
o Only tunnel traffic to the 11.11.11.0/24 network.
o Group name vpn_group
o User name user-3.3
o Authenticate this user locally.
o Allow a software client to store the XAUTH password in
their software client.
o Use Loopback 0 on R1 to terminate the tunnel
o Do not use a crypto map on R1 for this task.
Configure R4 as an easy vpn remote, with fa0/0.34 as the
outside interface, and Loopback 0 as the inside interface.
Task 3.4
4 Points
Configure ASA1 as a WEB VPN server with the following:

o Users connect to https://22.222.10.10/webusers
o Users are authenticated via the local database on the
firewall. Create a user named user-3.4 for this task.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Section 4: IPS
Task 4.1
4 Points
Use the erase current-config from them sensor command

line.
Username is cisco, password is ccie5796.
Configure the sensor per the diagram and the following:
o Default gateway using ASA2.
o Banner message saying Connected to IPS Sensor Console
o Management via port 7000
o Permit Telnet
o Permit only the ACS as a management device.
Verify that you can open a browser based management session
to the IPS from the ACS PC.
Task 4.2
4 Points

o sig1
o rules1
o ad1
o G0/0.1 as inline VLAN pair using VLANs 6 and 66
o sig2
o rules2
o ad2
o G0/0.2 as inline VLAN pair using VLANs 7 and 77.
10
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 4.3
4 Points
Configure vs1 as follows:

o Create new signature named Task4.3
o Generate an alert and deny the packet if ICMP echo
payload is 1000 bytes or greater.
o Trigger on the 8th packet in a series.
o Without including the address of 6.6.6.6 or an action
with the word log in the signature, log the source of
the attack for 60 seconds if it is directed at 6.6.6.6
The IP address of 6.6.6.6 should never be seen as an
attacker for any signatures on vs1.
Task 4.4
4 Points
On vs2, configure the following:

o Send a TCP reset for any malicious TCP port 80 traffic
that includes the string ATTACK!. Log only the entire
first packet that triggers the alarm.
o Deny any malicious traffic that is tunneled through on
TCP port 80 or 8080.
11
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Task 5.1
4 Points
Configure 802.1x on SW4 port Fa0/16 as follows:

o Configure the voice VLAN as 512
o Clients who fail authentication should be assigned to
VLAN 514
o Clients without a supplicant are assigned to VLAN 511
o Create a user on ACS named user-5.1 on ACS as part of
this task who will be assigned to VLAN 513 if
authenticated. Note: there is no deviced connected to
SW4 Fa0/16.
o The ACS should see SW4 at the IP address of
192.168.2.114/24.
o Set the violation mode to shutdown
Task 5.2
4 Points
Configure R5 to use ACS and perform command authorization

with the following:
o Locally authenticated user named admin-5.2 with
authoriztion via TACACS with full access.
o Locally authenticated user named user-5.2. Authorization
via TACACS with the ability to add network statements to
configure routing protocols, issue the show ip
protocols command and enter the command of exit only.
o Do not associate any privilege level with either of these
users in the local router database.
o Record all successful commands issued by these users to
the ACS server.
12
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 5.3
4 Points
Configure R5 with vty access as follows:

o Allow access via telnet on lines vty 0-2 using a password
of cisco.
o Allow ssh access on vty 3-4, using port 2000 to connect
to these specific lines. Use the local database and a
user named user-5.3
13
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Task 6.1
4 Points
Permit SSH and TELNET to R5 inbound only on Fa0/0.45

Permit SSH from only even IP addresses.
Permit TELNET from only odd IP addreses.
Rate limit all ICMP and TELNET traffic to R5 to 8,000bps.
Exempt 1.1.1.1 from this rate limiting. Do not apply any
configurations to any Ethernet interfaces to accomplish
this.
14
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Task 7.1
4 Points
On the ACS, if user is not found in the ACS database, query

an external LDAP database using the following as part of
your configuration:
o Generic LDAP database name of LDAP-7.1
o User and group directory organization object of ext-dir
o Primary LDAP server 22.222.10.105
LDAP v3
o admin common name of admin-7.2 with password of cisco and
orgrainzation name of ext-dir.
Task 7.2
4 Points
On R7, Fa0/0.7 configure the following:

o Disable CDP
o Disable proxy-arp
o Deny source-routed packets
o Explictly deny any packets sourced from RFC 1918 address
space
o Implement RPF checking, and log packets that fail this
check
15
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Task 8.1
4 Points
For VLAN 2, configure the following:

o Conigure DHCP snooping on VLAN 2.
Allow ASA1 to be a
DHCP server. Restrict DHCP traffic to 50 pps
o Save the DHCP binding database on flash as snoop.db
o You may configure VLAN interfaces and default routes as
part of this task.
Task 8.2
4 Points
Configure a default route on ASA1 using R1 as the next hop.

Confure ASA1 so that if a DoS attack removes R1 from
service, ASA1 will use R6 as a default gatway. You may use
interface E0/3 and an interface named emergency as part of
this task. Do not run any routing protocols on E0/3.
16
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Task 1.1
4 Points

o IP addresses as shown in the diagram.
o EIGRP AS 1 on the outside interface.
o OSPF area 0 on the inside interface.
o Allow R8 to have the EIGRP 1 routes in its routing table.
o Allow R8 to ping 5.5.5.5
SW1(config-if)#end
ciscoasa# show mode
ciscoasa# conf t
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# no shut
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip add 192.168.2.10 255.255.255.0
ciscoasa(config-if)# int e 0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip add 22.222.10.10 255.255.255.0
ciscoasa(config-if)# exit
ciscoasa(config)# router eigrp 1
ciscoasa(config-router)# net 22.0.0.0
ciscoasa(config-router)# no auto-summary
ciscoasa(config-router)# redistribute ospf 1 metric 1 1 1 1 1
ciscoasa(config-router)# router ospf 1
ciscoasa(config-router)# network 192.168.2.0 255.255.255.0 area 0
ciscoasa(config-router)# redistribute eigrp 1 subnets
ciscoasa(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
17
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
P - periodic downloaded static route

C
22.222.10.0 255.255.255.0 is directly connected, outside
C
192.168.2.0 255.255.255.0 is directly connected, inside
ciscoasa(config)# show route
area
D
1.1.1.0 255.255.255.0 [90/131072] via 22.222.10.1, 0:00:20, outside
D
2.0.0.0 255.0.0.0 [90/156672] via 22.222.10.1, 0:00:20, outside
D
3.3.3.0 255.255.255.0 [90/159232] via 22.222.10.1, 0:00:20, outside
D
4.4.4.0 255.255.255.0 [90/161792] via 22.222.10.1, 0:00:20, outside
D
5.5.5.0 255.255.255.0 [90/164352] via 22.222.10.1, 0:00:20, outside
D
6.6.6.0 255.255.255.0 [90/2303488] via 22.222.10.1, 0:00:20, outside
D
22.222.67.0 255.255.255.0 [90/2175488] via 22.222.10.1, 0:00:20, outside
C
D
22.222.12.0 255.255.255.0 [90/28672] via 22.222.10.1, 0:00:20, outside
D
22.222.5.0 255.255.255.0 [90/38912] via 22.222.10.1, 0:00:20, outside
D
22.222.6.0 255.255.255.0 [90/2178048] via 22.222.10.1, 0:00:20, outside
D
22.222.7.0 255.255.255.0 [90/2178048] via 22.222.10.1, 0:00:20, outside
D
22.222.23.0 255.255.255.0 [90/31232] via 22.222.10.1, 0:00:20, outside
D
22.222.45.0 255.255.255.0 [90/36352] via 22.222.10.1, 0:00:20, outside
D
22.222.34.0 255.255.255.0 [90/33792] via 22.222.10.1, 0:00:23, outside
D
7.7.7.0 255.255.255.0 [90/2303488] via 22.222.10.1, 0:00:23, outside
C
R8#
R8#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static
route
o - ODR, P - periodic downloaded static route
18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
O E2
O E2 2.0.0.0/8 [110/20] via 192.168.2.10, 00:02:30, FastEthernet0/0.2
O E2
O E2
O E2
O E2
O E2
O E2
O E2
O E2
O E2
O E2
O E2
O E2
O E2
O E2
C
C
192.168.2.0/24 is directly connected, FastEthernet0/0.2
R8#ping 5.5.5.5
!!!!!
R8#
19
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 1.2
4 Points
Configure ASA2 in multi-context mode with the following:

o Context named admin as the admin context using
interface e0/2 in VLAN 2 and .20 for the last octet.
not configure e0/2 as a firewall routed interface.
Do
o Context named perim using information on the diagram,

and a security level of 50 for the dmz.
o Unique mac addresses for each interface.
o Default route for perim using R5.
o Permit all icmp inbound on the outside interface.
o Hide the interface hardware information from the context
perim.
ASA2(config)# int e 0/0
ASA2(config-if)# int e 0/1
ASA2(config-if)# int e 0/2
ASA2(config-if)# admin-context admin
ASA2(config-ctx)# config-url admin.cfg
INFO: Converting admin.cfg to disk0:/admin.cfg
ASA2(config)# int e 0/1.100
ASA2(config-subif)# int e 0/1.101
20
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

ASA2(config)# context perim
Creating context 'perim'... Done. (4)
ASA2(config-ctx)# config-url perim.cfg
INFO: Converting perim.cfg to disk0:/perim.cfg
WARNING: Could not fetch the URL disk0:/perim.cfg
ASA2(config-ctx)# allocate-interface e0/0 outside
ASA2(config-ctx)# allocate-interface e0/1.100 dmz
ASA2(config-ctx)# allocate-interface e0/1.101 inside
ASA2(config)# mac-address auto
ASA2(config)# wr mem all
Saving context :
system : (000/002 Contexts saved)
Cryptochecksum: f041c3b7 91d2c09d 6a00fe59 b5795703
Saving context :
admin : (001/002 Contexts saved)
Cryptochecksum: 2a055ee2 89b313fc 10a26efd e653af09
1469 bytes copied in 0.230 secs
Saving context :
perim : (002/002 Contexts saved)
Cryptochecksum: 8eaefbea bcec5e19 23f30565 52201fce
[OK]
ASA2(config)# changeto context admin
ASA2/admin(config)# int e0/2
ASA2/admin(config-if)# nameif inside
ASA2/admin(config-if)# ip address 192.168.2.20 255.255.255.0
ASA2/admin(config-if)# management-only
ASA2/admin(config-if)# exit
ASA2/admin(config)# changeto context perim
ASA2/perim(config)# interface outside
ASA2/perim(config-if)# nameif outside
ASA2/perim(config-if)# ip address 22.222.5.20 255.255.255.0
ASA2/perim(config-if)# int dmz
ASA2/perim(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ASA2/perim(config-if)# security 50
ASA2/perim(config-if)# int inside
ASA2/perim(config-if)# nameif inside
ASA2/perim(config-if)# exit
ASA2/perim(config)# route outside 0.0.0.0 0.0.0.0.0 22.222.5.5
^
ERROR: % Invalid input detected at '^' marker.
ASA2/perim(config)# route outside 0.0.0.0 0.0.0.0 22.222.5.5
21
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
ASA2/perim(config)# ping 1.1.1.1

!!!!!
ASA2/perim(config)# wr mem
Cryptochecksum: 31bce720 8ff67726 13d16892 e440b15e
[OK]
ASA2/perim(config)# access-list outside permit icmp any any
ASA2/perim(config)# access-group outside in inter outside
ASA2/perim(config)#
22
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 1.3
4 Points

Device
Name
ASA1
ASA1
ASA1
perim
perim
Real
Int.
INSIDE
INSIDE
INSIDE
INSIDE
DMZ
Mapped
Int.
OUTSIDE
OUTSIDE
OUTSIDE
OUTSIDE
OUTSIDE
Real
IP:PORT #
ACS IP address
R8 Fa0/0.2
R8 Loopback 0
any
172.19.100.250:TCP
port 7000
Mapped
IP:PORT#
22.222.10.101
22.222.10.8
22.222.10.18
OUTSIDE Interface
22.222.5.250:TCP
port 8000

10.88.101.102 255.255.255.0
Add a static route on the XP PC for 22.222.0.0/16
Configure and verify that the XP test PC can ping
22.222.10.10
ASA2/perim(config)# nat (inside) 1 0 0
ASA2/perim(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ASA2/perim(config)# static (dmz,outside) tcp 22.222.5.250 8000 172.19.100.250
7000
23
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
c:\ACS_PC>route add 22.222.0.0 mask 255.255.0.0 192.168.2.10

c:\XP>route add 22.222.0.0 mask 255.255.0.0 10.88.101.20
24
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 1.4
4 Points
Enable SSH on R8
o Permit all ICMP and SSH to R8 Loopback 0, R8 Fa0/0.2 and
the ACS PC. Configure a 1 line access-list to accomplish
this.
o Prioritize SSH to R8 Loopback 0
o Rate limit ICMP to the ACS PC to 8,000 bps
R8(config)#
*May 12 03:47:35.471: %SSH-5-ENABLED: SSH 1.99 has been enabled
R8(config)#ip ssh ver 2
R8(config)#username user-1.4 password cisco
ASA1(config)# object-group network R8_ACS_GLOBAL
ASA1(config)# object-group service SERVICES
ASA1(config-service)# service-object icmp
ASA1(config-service)# service-object tcp eq ssh
ASA1(config-service)# exit
ASA1(config)# access-list outside line 1 extended permit object-group
SERVICES any object-group R8_ACS_GLOBAL
ASA1(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside; 6 elements
access-list outside line 1 extended permit object-group SERVICES any objectgroup R8_ACS_GLOBAL 0x1dc02b1c
access-list outside line 1 extended permit icmp any host 22.222.10.101
(hitcnt=0) 0xd09f23cb
(hitcnt=0) 0xd85414f7
(hitcnt=0) 0x182eac7f
25
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
access-list outside line 1 extended permit tcp any host 22.222.10.101 eq

ssh (hitcnt=0) 0x2250c265
access-list outside line 1 extended permit tcp any host 22.222.10.18 eq ssh
(hitcnt=0) 0x67edee9e
access-list outside line 1 extended permit tcp any host 22.222.10.8 eq ssh
(hitcnt=0) 0x02ad335e
ASA1(config)#
ASA1(config)# priority-queue inside
ASA1(config-priority-queue)# exit
ASA1(config)# access-list SSH_PRIORITY permit tcp any host 8.8.8.8 eq ssh
ASA1(config)# class-map CMAP_SSH_PRIORITY
ASA1(config-cmap)# match access-list SSH_PRIORITY
ASA1(config-cmap)# policy-map global_policy
ASA1(config-pmap)# class CMAP_SSH_PRIORITY
ASA1(config-pmap-c)# priority
ASA1(config)# access-list POLICE_ICMP_ACL permit icmp any host 192.168.2.101
ASA1(config)# class-map CMAP_ICMP_POLICE
ASA1(config-cmap)# match access-list POLICE_ICMP_ACL
ASA1(config-cmap)# policy-map global_policy
ASA1(config-pmap)# class CMAP_ICMP_POLICE
ASA1(config-pmap-c)# police output 8000 1500 conform-action transmit exceedaction drop
R1#
R1#ssh -l user-1.4 22.222.10.18
Password: cisco
R8>show ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version
12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Wed 13-Aug-08 17:09 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
R8 uptime is 2 hours, 1 minute
System returned to ROM by reload at 02:10:03 UTC Tue May 12 2009
System image file is "flash:c2800nm-adventerprisek9-mz.124-15.T7.bin"
This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
26
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found
at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1113A3JK
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
R8>exit
R1#ping 22.222.10.101 repeat 100
.!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!.!!!!!!!!!
!!!!!!!!!.!!!!!!!!!!!!!!!!!!.!
R1#
ASA1(config)# show priority statistics
Priority-Queue Statistics interface inside
Queue Type
Tail Drops
Reset Drops
Packets Transmit
Packets Enqueued
Current Q Length
Max Q Length
=
=
=
=
=
=
=
BE
0
0
1380
0
0
0
Queue Type
Tail Drops
Reset Drops
Packets Transmit
Packets Enqueued
Current Q Length
Max Q Length
ASA1(config)#
=
=
=
=
=
=
=
LLQ
0
0
46
0
0
0

27
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Global policy:
Class-map: CMAP_SSH_PRIORITY
Priority:
Priority:
Class-map: CMAP_ICMP_POLICE
Output police Interface inside:
Output police Interface outside:
Class-map: class-default
Default Queueing
ASA1(config)#
28
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Task 2.1
4 Points

o S0/0/0 in the INSIDE zone
o Fa0/0.6 in the OUTSIDE zone
o Allow ICMP, HTTP and SSH outbound
R6(config)#class-map type inspect match-any CMAP-OUTBOUND
R6(config)#zone security INSIDE
R6(config)#zone security OUTSIDE
R6(config)#zone-pair security OUTBOUND source INSIDE destination OUTSIDE
R6(config-sec-zone-pair)#service-policy type inspect PMAP-OUTBOUND
R6(config)#zone-pair security INBOUND source OUTSIDE destination INSIDE
R6(config-sec-zone-pair)#service-policy type inspect PMAP-INBOUND
R6(config)#interface S0/0/0
R6(config-if)#zone-member security INSIDE
R6(config-if)#exit
R6(config)#interface Fa0/0.6
R6(config-subif)#zone-member security OUTSIDE
R6(config)#
R6(config)# R6#show policy-map type inspect zone-pair PMAP_INBOUND
Zone-pair: INBOUND
29
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

0 packets, 0 bytes
Inspect
Last session created never
Match: any
0 packets, 0 bytes
R6(config-profile)#max-incomplete high 50
R6(config-pmap-c)#inspect Param-Map-OUTBOUND
R6(config)#
Zone-pair: INBOUND
Police
0 packets, 0 bytes
Inspect
30
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Match: any
0 packets, 0 bytes
R6#show policy-map type inspect zone-pair OUTBOUND
Zone-pair: OUTBOUND
Service-policy inspect : PMAP-OUTBOUND
Class-map: CMAP-OUTBOUND (match-any)
0 packets, 0 bytes
0 packets, 0 bytes
Match: protocol ssh
0 packets, 0 bytes
Inspect
Match: any
0 packets, 0 bytes
R6#
31
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 2.2
4 Points
On R6, set the maximum connections to 50, and max embryonic

limit to 10 for outbound TCP based traffic. Create and
send audit trail information to the ACS PC for all outbound
sessions.
R6(config-profile)#max-incomplete low 50
R6(config)#parameter-map type inspect Param-Map-INBOUND
R6(config-profile)#class-map type inspect match-any CMAP-OUTBOUND
R6(config-cmap)# match protocol http
R6(config-cmap)# match protocol ssh
R6(config)#
R6(config-pmap)# class type inspect CMAP-OUTBOUND
R6(config-pmap-c)# inspect Param-Map-OUTBOUND
R6(config-pmap)# class type inspect CMAP-INBOUND
R6(config)#
R6(config)#zone security INSIDE
R6(config)#zone security OUTSIDE
R6(config)# zone-pair security OUTBOUND source INSIDE destination OUTSIDE
R6(config-sec-zone-pair)# service-policy type inspect PMAP-OUTBOUND
R6(config)#zone-pair security INBOUND source OUTSIDE destination INSIDE
R6(config-sec-zone-pair)# service-policy type inspect PMAP-INBOUND
R6(config-subif)# zone-member security OUTSIDE
R6(config)#interface Serial0/0/0
32
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
R6(config-if)# zone-member security INSIDE

R6(config-if)#end
Zone-pair: INBOUND
Police
0 packets, 0 bytes
Inspect
Match: any
R6#show policy-map type inspect zone-pair OUTBOUND
Zone-pair: OUTBOUND
Service-policy inspect : PMAP-OUTBOUND
Class-map: CMAP-OUTBOUND (match-any)
0 packets, 0 bytes
0 packets, 0 bytes
Match: protocol ssh
0 packets, 0 bytes
Inspect
33
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Match: any
R6#
34
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 2.3
4 Points
On R3, mark all P2P type traffic as DSCP 2, inbound on

Serial 0/0/0, if it was sourced from 22.222.6.0/24
Drop this traffic outbound on Fa0/0.23 without using an
access-list.
R3(config)#class-map match-all CMAP_FASTTRACK
R3(config)#policy-map PMAP_MARK_FASTTRACK
R3(config-pmap)#class CMAP_FASTTRACK
R3(config)#int ser 0/0/0
R3(config-if)#service-policy input PMAP_MARK_FASTTRACK
R3(config-if)#exit
R3(config)#class-map match-all CMAP_DSCP_2
R3(config-cmap)#match ip dscp 2
R3(config)#policy-map PMAP_DROP_DSCP_2
R3(config-pmap)#class CMAP_DSCP_2
R3(config)#int fa 0/0.23
R3(config-subif)#service-policy output PMAP_DROP_DSCP_2
R3(config)#
R3#show policy-map
Policy Map PMAP_MARK_FASTTRACK
Class CMAP_FASTTRACK
set ip dscp 2
Policy Map PMAP_DROP_DSCP_2
Class CMAP_DSCP_2
drop
R3#show poli
R3#show policy-map int ser 0/0/0
Serial0/0/0
Service-policy input: PMAP_MARK_FASTTRACK
Class-map: CMAP_FASTTRACK (match-all)
0 packets, 0 bytes
35
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

QoS Set
dscp 2
Packets marked 0
Match: any
R3# show poli
R3# show policy-map int fa 0/0.23
FastEthernet0/0.23
Service-policy output: PMAP_DROP_DSCP_2
Class-map: CMAP_DSCP_2 (match-all)
0 packets, 0 bytes
Match: ip dscp 2
drop
Match: any
R3#
36
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 2.4
4 Points

Generate another
least 10 seconds.
R3(config)#process cpu threshold type total rising 90 interval 5 falling 10
interval 10
R3#wr
[OK]
R3#wr
[OK]
R3#wr
43/0%[OK]
R3#wr
[OK]
R3#
R3#
37
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points

o CN R8-CA_Server
o L=NV
o C=US
from Loopback 0.
Configure R2, R3 and R5 as NTP and CA clients.
R8(cs-server)#cdp-url http://22.222.10.18/R8.cdp.crl
Password: cisco123
Re-enter password:cisco123
% Generating 1024 bit RSA keys, keys will be non-exportable...
R8(cs-server)#

38
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
ASA1(config)# object-group network NTP_CA_CLIENTS

ASA1(config)# access-list outside permit udp object-group NTP_CA_CLIENTS host
22.222.10.18 eq ntp
ASA1(config)# access-list outside permit tcp object-group NTP_CA_CLIENTS host
22.222.10.18 eq http
ASA1(config)# clear xlate

R2(config)#
R2(config)#crypto key generate rsa general-keys modulus 1024
Fingerprint MD5: F7802BD7 D82BEF45 CBE8A3A6 132A3333
Fingerprint SHA1: 7933BECE AB234B38 56E54D58 D5F54EF0 8860051A
% Do you accept this certificate? [yes/no]:
yes
R2(config)#cry pki enroll R8-CA
%
Password:
Re-enter password:
39
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

fingerprint.
R2(config)#
18E6C36B DC6B7859 D52A664B C1A3B209
A2109AAD 22FF0A55 61D0E579 800DCADB D7BEFDBB
R2(config)#
Authority
R2(config)#

R3(config)#
R3(config)#
R3(config)#
%
Password:
Re-enter password:
40
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

fingerprint.
R3(config)#
R3(config)#
B05AACBA 289C3C53 F4A0C204 995206DA
6B00B329 EA217CE0 9F5A432A FCB2E36A AFB313D2
R3(config)#
Authority
R3(config)#

R5(config)#
R5(config)#
%
Password:
Re-enter password:
41
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

fingerprint.
R5(config)#
D3A33E05 06959F20 D65FC3B0 38D9A365
C20D2205 124076BB 2B305DF8 52DA6AC7 36119170
R5(config)#
R5(config)#
R5(config)#
Authority
R5(config)#
42
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 3.2
4 Points

o Key server priority 2 R8 using Fa0/0.2 and no NAT
o Key server priority 1 R5
o No NAT between members and Key Servers
o Interesting traffic: ICMP between R2/R3 loopback 0
ASA1(config)# object-group network GET_VPN_PEERS_FOR_NONAT
ASA1(config-network)# access-list NO_NAT permit ip host 192.168.2.8 objectgroup GET_VPN_PEERS_FOR_NONAT
ASA1(config)# nat (inside) 0 access-list NO_NAT
ASA1(config)# access-list outside permit udp object-group
GET_VPN_PEERS_FOR_NONAT host 192.168.2.8 eq 848
R8(gdoi-local-server)#rekey authent
43
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
R8(gdoi-sa-ipsec)#replay
May 12 05:46:32.307: %GDOI-5-KS_REKEY_TRANS_2_UNI: Group group1 transitioned
to Unicast Rekey.
R8(config)#access-list 199 permit ic
May 12 05:46:34.999: %GDOI-5-COOP_KS_ADD: 22.222.45.5 added as COOP Key
Server in group group1.
R8(config)#

%
Password:
Re-enter password:
fingerprint.
R8(config)#
8E5A7779 7FCD888A 6F4C7F16 A2BE4151
44
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

EB38C6BB 057A1E3C A315E629 EAD970E7 0889ABF1
R8(config)#
Authority
R8(config)#
R8(config)#

R5(gdoi-local-server)#rekey authentication mypubkey rsa R5.ccbootcamp.co
R5(gdoi-sa-ipsec)#replay counter window-size
May 12 05:55:36.077: %GDOI-5-KS_REKEY_TRANS_2_UNI: Group group1 transitioned
to Unicast Rekey.
R5(config)#access-list 199 permit icmp host 3.3.3
May 12 05:55:38.737: %GDOI-5-COOP_KS_ADD: 192.168.2.8 added as COOP Key
Server in group group1.
May 12 05:55:39.269: %GDOI-5-COOP_KS_ELECTION: KS entering election mode in
group group1 (Previous Primary = NONE)
R5(config)#
R5(config)#

45
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
R2(config-subif)#interface fa
May 12 05:59:02.889: %CRYPTO-5-GM_REGSTER: Start registration to KS
192.168.2.8 for group group1 using address 22.222.12.20/0.23
R2(config)#
R2(config)#
to Unicast Rekey.
R2(config)#
R3(config)#
R3(config)#
R3(config-subif)#interface Fa0
46
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

192.168.2.8 for group group1 using address 22.222.23.3/0.34
R3(config)#
R3(config)#
R3(config)#
R3(config)#
to Unicast Rekey.
R3(config)#
May 12 06:00:49.903: %CRYPTO-5-GM_CONN_NEXT_SER: GM is connecting to next key
server from the list
R3(config)#
R3#show crypto gdoi

GROUP INFORMATION
Group Name
Group Identity
Rekeys received
IPSec SA Direction
Active Group Server
Group Server list
:
:
:
:
:
:
group1
1
0
Both
22.222.45.5
192.168.2.8
22.222.45.5
GM Reregisters in
Rekey Received
: 921 secs
: never
Rekeys received
Cumulative
After registration
Rekey Acks sent
: 0
: 0
: 0

KEK POLICY:
Rekey Transport Type
Lifetime (secs)
Encrypt Algorithm
Key Size
Sig Hash Algorithm
:
:
:
:
:
Unicast
85614
3DES
192
HMAC_AUTH_SHA
47
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Sig Key Length (bits)
: 1024
TEK POLICY:
FastEthernet0/0.23:
FastEthernet0/0.34:
IPsec SA:
sa direction:inbound
spi: 0xE651F933(3864131891)
transform: esp-aes esp-sha-hmac
sa timing:remaining key lifetime (sec): (975)
Anti-Replay : Disabled
IPsec SA:
sa direction:outbound
spi: 0xE651F933(3864131891)
IPsec SA:
sa direction:inbound
spi: 0xE651F933(3864131891)
IPsec SA:
sa direction:outbound
spi: 0xE651F933(3864131891)
R3#
!!!!!
R3#show cryp
R3#show crypto engi
R3#show crypto engine conne
R3#show crypto engine connections ac
R3#show crypto engine connections active
Crypto Engine Connections
ID
1001
1002
1003
2001
Interface
Fa0/0.23
<none>
Fa0/0.34
Fa0/0.23
Type
IKE
IKE
IKE
IPsec
Algorithm
SHA+AES
SHA+3DES
SHA+AES
AES+SHA
Encrypt
0
0
0
0
Decrypt
0
0
0
0
IP-Address
22.222.23.3
22.222.34.3
2.2.2.2
48
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
2002
2003
2004
2005
2006
2007
2008
Fa0/0.23
Fa0/0.23
Fa0/0.23
Fa0/0.34
Fa0/0.34
Fa0/0.34
Fa0/0.34
IPsec
IPsec
IPsec
IPsec
IPsec
IPsec
IPsec
AES+SHA
AES+SHA
AES+SHA
AES+SHA
AES+SHA
AES+SHA
AES+SHA
0
0
5
0
0
0
0
0
5
0
0
0
0
0
2.2.2.2
3.3.3.3
3.3.3.3
2.2.2.2
2.2.2.2
3.3.3.3
3.3.3.3

C-id Local
Lifetime Cap.
1002
Remote
I-VRF
22.222.34.3
22.222.45.5
Engine-id:Conn-id = SW:2
ACTIVE 3des sha
psk
1001 22.222.23.3
192.168.2.8
23:57:04
ACTIVE aes
sha
rsig 5
1003 22.222.34.3
22.222.45.5
23:57:45
ACTIVE aes
sha
rsig 5

R3#
49
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 3.3
4 Points

o New loopback 11 of 11.11.11.1/24.
Configure R4 as an easy vpn remote, with fa0/0.34 as the
outside interface, and Loopback 0 as the inside interface.
R1(config-if)#ip add 11.11.11.1 255.255.255.0
R1(config-if)#exit
R1(config)#
R1(config)#aaa authentication login vp
R1(config)#aaa authentication login vpn_group local
R1(config)#username user-3.3 password cisco
R1(config)#
50
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
% A profile is deemed incomplete until it has match identity statements
R1(config-if)#ip unnumbered loop 0
R1(config-if)#exit
R1(config)#access-list 100 permit ip
R1(config)#

R4(config-crypto-ezvpn)#username user-3.3 password cisco
R4(config-if)#exit
R4(config-subif)#crypto ipsec client ezvpn EZ_CLIENT outside
R4(config-if)#exit
R4(config)#
51
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
*May 12 06:46:52.626: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of

Informational mode failed with peer at 1.1.1.1
R4(config)#
R4(config)#
Mask: 255.255.255.255
Address
: 11.11.11.0
Mask
: 255.255.255.0
Protocol
: 0x0
Source Port: 0
Dest Port : 0
!!!!!
R4#show crypto engine connections active
Crypto Engine Connections
ID
1001
2001
2002
Interface
Fa0/0.34
Fa0/0.34
Fa0/0.34
Type
IKE
IPsec
IPsec
Algorithm
SHA+AES
AES+SHA
AES+SHA
Encrypt
0
0
5
Decrypt
0
5
0
IP-Address
22.222.34.4
22.222.34.4
22.222.34.4
R4#
52
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 3.4
4 Points
Configure ASA1 as a WEB VPN server with the following:

o Users connect to https://22.222.10.10/webusers
o Users are authenticated via the local database on the
firewall. Create a user named user-3.4 for this task.
ASA1(config)# http server enable
ASA1(config)# webvpn
ASA1(config-webvpn)#
enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA1(config-webvpn)# exit
ASA1(config)# username user-3.4 password cisco
ASA1(config)# username user-3.4 attributes
ASA1(config-username)#
vpn-group-policy web_user_grp_policy
ASA1(config-username)# exit
ASA1(config)# group-policy web_user_grp_policy internal
ASA1(config)# group-policy web_user_grp_policy attributes
ASA1(config-group-policy)#
vpn-tunnel-protocol webvpn
ASA1(config-group-policy)# exit
ASA1(config)# tunnel-group web_vpn_connection type remote-access
ASA1(config)# tunnel-group web_vpn_connection general-attributes
ASA1(config-tunnel-general)#
default-group-policy web_user_grp_policy
ASA1(config-tunnel-general)# tunnel-group web_vpn_connection webvpnattributes
ASA1(config-tunnel-webvpn)#
group-alias webusers enable
ASA1(config-tunnel-webvpn)#
group-url https://22.222.10.10/webusers enable
53
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
54
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
55
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
56
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
57
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Section 4: IPS
Task 4.1
4 Points
Use the erase current-config from them sensor command

line.
o Default gateway using ASA2.
o Banner message saying Connected to IPS Sensor Console
o Management via port 7000
o Permit Telnet
to the IPS from the ACS PC.
sensor login: cisco

Password:ccie5796
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to
import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By
using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product
immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found
at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
***LICENSE NOTICE***
username" command.
Continue? []: yes
58
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
sensor#
sensor#
sensor#
sensor# setup
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option disabled
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
Current time: Tue May 12 08:25:37 2009

172.19.100.250/24,172.19.100.20
Enter telnet-server status[disabled]: enabled
59
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
No entries
Permit: 22.222.10.101/32
Permit:
service host
network-settings
host-ip 172.19.100.250/24,172.19.100.20
host-name sensor
telnet-option enabled
access-list 22.222.10.101/32
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 7000
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
*08:27:15 UTC Tue May 12 2009
sensor# conf t
sensor(config)# banner ?
login
Set login banner.
sensor(config)# banner login ?
<cr>
sensor(config)# banner login
Banner[]: Connected to IPS Sensor Console
sensor(config)#
ensor(config)# exit
sensor# exit
Connected to IPS Sensor Console
sensor login:
60
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
ASA2/perim(config)# access-list outside permit tcp host 22.222.10.101 host

22.222.5.250 eq 8000
SW2(config-if)#end
61
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 4.2
4 Points

o sig1
o rules1
o ad1
o sig2
o rules2
o ad2
o G0/0.2 as inline VLAN pair using VLANs 7 and 77.
62
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
63
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
64
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
65
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
66
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
SW1(config-if)#switchport trunk encap dot1q

67
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
68
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
69
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 4.3
4 Points

o Create new signature named Task4.3
o Generate an alert and deny the packet if ICMP echo
payload is 1000 bytes or greater.
o Trigger on the 8th packet in a series.
o Without including the address of 6.6.6.6 or an action
with the word log in the signature, log the source of
the attack for 60 seconds if it is directed at 6.6.6.6
The IP address of 6.6.6.6 should never be seen as an
attacker for any signatures on vs1.
70
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
71
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
72
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
73
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
74
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
75
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
76
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
77
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
78
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
79
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
80
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
81
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
82
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
83
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
84
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
85
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
86
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
87
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
88
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 4.4
4 Points
On vs2, configure the following:

o Send a TCP reset for any malicious TCP port 80 traffic
that includes the string ATTACK!. Log only the entire
first packet that triggers the alarm.
o Deny any malicious traffic that is tunneled through on
TCP port 80 or 8080.
89
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
90
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
91
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
92
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
93
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
94
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
95
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
96
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
97
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
BB2#copy http://3.3.3.3/ATTACK! null:

%Error opening http://3.3.3.3/ATTACK! (I/O error)
BB2#
98
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
BB2#telnet 3.3.3.3 80
Trying 3.3.3.3, 80 ... Open
this is not nice
99
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
100
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Task 5.1
4 Points

o Configure the voice VLAN as 512
VLAN 514
SW4 Fa0/16.
o The ACS should see SW4 at the IP address of
192.168.2.114/24.
SW4(config)#aaa authentication dot1x default group radius
SW4(config)#vlan 511,513,514
SW4(config-if)#dot1x host-mode multi-domain
SW4(config-if)#switchport voice vlan 512
% Voice VLAN does not exist. Creating vlan 512
SW4(config-if)#dot1x violation-mode shutdown
SW4(config-if)#interface Vlan 2
SW4(config-if)#ip radius source-interface Vlan 2
SW4(config)#radius-server host 192.168.2.101
SW4(config)#exit
101
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
102
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
103
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
104
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
105
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
106
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
107
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
SW4#ping 192.168.2.101
!!!!!
SW4#test aaa grou
SW4#test aaa group radius user-5.1 cisco le
SW4#test aaa group radius user-5.1 cisco legacy
SW4#
SW4#show dot1x int fa 0/16
----------------------------------PAE
= AUTHENTICATOR
PortControl
= AUTO
ControlDirection
= Both
HostMode
= MULTI_DOMAIN
Violation Mode
= SHUTDOWN
108
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
ReAuthentication
QuietPeriod
ServerTimeout
SuppTimeout
ReAuthPeriod
ReAuthMax
MaxReq
TxPeriod
RateLimitPeriod
Auth-Fail-Vlan
Guest-Vlan
=
=
=
=
=
=
=
=
=
=
=
=
Disabled
3
30
30
3600 (Locally configured)
2
2
5
0
514
3
511
109
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 5.2
4 Points
Configure R5 to use ACS and perform command authorization

with the following:
o Locally authenticated user named admin-5.2 with
authoriztion via TACACS with full access.
o Locally authenticated user named user-5.2. Authorization
via TACACS with the ability to add network statements to
configure routing protocols, issue the show ip
protocols command and enter the command of exit only.
o Do not associate any privilege level with either of these
users in the local router database.
o Record all successful commands issued by these users to
the ACS server.
22.222.10.101 eq tacacs
R5(config)#username admin-5.2 secret cisco
R5(config)#username user-5.2 secret cisco
110
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
111
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
112
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
113
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
114
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
115
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
116
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
117
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
118
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
119
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
120
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
121
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
R5#telnet 5.5.5.5
Username: admin-5.2
Password:
R5#conf t
R5(config-if)#exit
R5(config)#exit
R5#telnet 5.5.5.5
122
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Username: user-5.2
Password:
R5#conf t
End with CNTL/Z.
R5(config-router)#net 20.0.0.0
R5(config)#exit
R5#exit
May 13 11:39:10.626: %SYS-5-CONFIG_I: Configured from console by user-5.2 on
vty0 (5.5.5.5)
R5#
123
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
124
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 5.3
4 Points

o Allow access via telnet on lines vty 0-2 using a password
of cisco.
o Allow ssh access on vty 3-4, using port 2000 to connect
to these specific lines. Use the local database and a
user named user-5.3
125
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
126
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
R5(config-line)#no authorization commands 0 TAC
R5(config-line)#no authorization exec TAC
R5(config-line)#no accounting commands 0 TAC
R5(config-line)#password cisco
R5(config-line)#rotary 1
R5(config)#ip ssh port 2000 rotary 1
127
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
R4#telnet 5.5.5.5
R5#who
Line
0 con 0
*514 vty 0
Interface
User
User
Host(s)
idle
idle
Idle
Location
00:01:00
00:00:00 22.222.45.4
Mode
Idle
Peer Address
R5#exit
R4#ssh -l user-5.3 -p 2000 5.5.5.5
Password:
R5#show ssh
Connection Version Mode Encryption Hmac
State
Username
517
1.99
IN
aes128-cbc hmac-sha1
Session started
user5.3
517
1.99
OUT aes128-cbc hmac-sha1
Session started
user5.3
%No SSHv1 server connections running.
R5#show line
Tty Line Typ
Tx/Rx
A Modem Roty AccO AccI Uses Noise Overruns
*
0
0 CTY
5
0
0/0
1
1 AUX
9600/9600 0
0
0/0
514 514 VTY
7
0
0/0
515 515 VTY
0
0
0/0
516 516 VTY
0
0
0/0
*
517 517 VTY
1
3
0
0/0
518 518 VTY
1
0
0
0/0
Line(s) not in async mode -or- with no hardware support:
2-513
R5#
128
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Task 6.1
4 Points
Permit SSH and TELNET to R5 inbound only on Fa0/0.45

Permit SSH from only even IP addresses.
Permit TELNET from only odd IP addreses.
Rate limit all ICMP and TELNET traffic to R5 to 8,000bps.
Exempt 1.1.1.1 from this rate limiting. Do not apply any
configurations to any Ethernet interfaces to accomplish
this.
R5(config-cp-host)#management-interface FastEthernet 0/0.45 allow ssh telnet
R5(config-cp-host)#exit
R5(config)#ip access-list standard EVEN
R5(config-std-nacl)#permit 0.0.0.0 255.255.255.254
R5(config-std-nacl)#exit
R5(config)#ip access-list standard ODD
R5(config-std-nacl)#permit 0.0.0.1 255.255.255.254
R5(config-std-nacl)#line vty 0 2
R5(config-line)#access-class ODD in
R5(config-line)#access-class EVEN in
R5(config)#ip access-list extended CPP
R5(config-ext-nacl)#deny tcp host 1.1.1.1 any eq telnet
R5(config-ext-nacl)#deny icmp host 1.1.1.1 any
R5(config-ext-nacl)#permit tcp any any eq telnet
R5(config-ext-nacl)#permit icmp any any
R5(config)#class-map match-all CMAP_CONTROL_PLANE
R5(config-cmap)#match access-group name CPP
R5(config-pmap-c)#police 8000 conform-action transmit exceed-action drop
violate-action drop
R5(config-pmap-c)#control-plane
R1#telnet 5.5.5.5
R5#exit
129
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

R1#telnet 5.5.5.5 /source loop 0
R5#exit
R1#ping 5.5.5.5
!!!!!
!.!.!.!.!.
R1#ping 5.5.5.5 size 1000 repeat 10 source loop 0
!!!!!!!!!!
R1#

Control Plane
Match: access-group name CPP
police:
transmit
drop
drop
Match: any
R5#
show access-list
130
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Standard IP access list EVEN

10 permit 0.0.0.0, wildcard bits 255.255.255.254
Standard IP access list ODD
10 permit 0.0.0.1, wildcard bits 255.255.255.254 (6 matches)
Extended IP access list CPP
10 deny tcp host 1.1.1.1 any eq telnet (17 matches)
20 deny icmp host 1.1.1.1 any (10 matches)
30 permit tcp any any eq telnet (68 matches)
40 permit icmp any any (15 matches)
R5#
131
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Task 7.1
4 Points
On the ACS, if user is not found in the ACS database, query

an external LDAP database using the following as part of
your configuration:
o Generic LDAP database name of LDAP-7.1
o User and group directory organization object of ext-dir
o Primary LDAP server 22.222.10.105
LDAP v3
o admin common name of admin-7.2 with password of cisco and
orgrainzation name of ext-dir.
132
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
133
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
134
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
135
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
136
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
137
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
138
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 7.2
4 Points
On R7, Fa0/0.7 configure the following:

o Disable CDP
o Disable proxy-arp
o Deny source-routed packets
o Explictly deny any packets sourced from RFC 1918 address
space
o Implement RPF checking, and log packets that fail this
check
R7(config)#no ip source-route
R7(config)#ip access-list extended RFC_1918
R7(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any log
R7(config- ext-nacl)#exit
R7(config)#access-list 100 deny ip any any log
R7(config)#int fa 0/0.7
R7(config-subif)#ip access-group RFC_1918 in
R7(config-subif)#no cdp enable
R7(config-subif)#no ip proxy-arp
R7(config-subif)#ip verify unicast source reachable-via rx 100
R7(config)#end
R7#wr
*May 13 13:11:06.171: %SYS-5-CONFIG_I: Configured from console by console[OK]
R7#
139
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

Task 8.1
4 Points
For VLAN 2, configure the following:

o Conigure DHCP snooping on VLAN 2.
Allow ASA1 to be a
DHCP server. Restrict DHCP traffic to 50 pps
o Save the DHCP binding database on flash as snoop.db
o You may configure VLAN interfaces and default routes as
part of this task.
SW1(config)#int vlan 2
SW1(config-if)#ip add 192.168.2.111 255.255.255.0
SW1(config-if)#exit
SW1(config)#ip routing
SW1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.8
SW1(config)#clock timezone PST -8
SW1(config)#clock summer-time PDT recurring
SW1(config)#ntp authentication-key 1 md5 cisco
SW1(config)#ntp trusted-key 1
SW1(config)#ntp authenticate
SW1(config)#ntp server 8.8.8.8
SW1(config)#no ip dhcp snooping information option
SW1(config-if)#ip dhcp snooping limit rate 50
SW1(config-if)#exit
SW1(config)#ip dhcp snooping database flash:snoop.db
SW1(config)#end
SW1(config)#spanning-tree vlan 2 root primary
SW1(config)#end
SW1#show spanning-tree vlan 2
VLAN0002
Spanning tree enabled protocol ieee
Root ID
Priority
24578
Address
0019.067e.e200
This bridge is the root
Hello Time
2 sec Max Age 20 sec
Bridge ID
Interface
Forward Delay 15 sec
Priority
24578 (priority 24576 sys-id-ext 2)
Address
0019.067e.e200
Hello Time
2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Role Sts Cost
Prio.Nbr Type
140
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
--------------------Fa0/7
Fa0/8
Fa0/14
Fa0/17
Fa0/19
Fa0/20
Fa0/21
Fa0/22
---- --- --------- -------- ----------------------------Desg

Desg
Desg
Desg
Desg
Desg
Desg
Desg
FWD
FWD
FWD
FWD
FWD
FWD
FWD
FWD
19
19
19
19
19
19
19
19
128.9
128.10
128.16
128.19
128.21
128.22
128.23
128.24
P2p
P2p
P2p
P2p
P2p
P2p
P2p
P2p
Interface
Role Sts Cost
Prio.Nbr Type
------------------- ---- --- --------- -------- ------------------------------Fa0/23
Fa0/24
SW1#
Desg FWD 19
Desg FWD 19
128.25
128.26
P2p
P2p
SW3(config)#int vlan 2
SW3(config-if)#ip add 192.168.2.113 255.255.255.0
SW3(config-if)#exit
SW3(config)#ip routing
SW3(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.8
SW3(config)#clock timezone PST -8
SW3(config)#clock sum
SW3(config)#clock summer-time PDT recurring
SW3(config)#ntp trusted-key 1
SW3(config)#ntp authenticate
SW3(config)#ntp server 8.8.8.8
SW3(config)#no ip dhcp snooping information option
SW3(config)#ip dhcp snooping database flash:snoop.db
SW3(config)#end
SW3#show spanni
VLAN0002
Spanning tree enabled protocol ieee
Root ID
Priority
24578
Address
0019.067e.e200
Cost
19
Port
23 (FastEthernet0/21)
Hello Time
2 sec Max Age 20 sec
Bridge ID
Interface
Forward Delay 15 sec
Priority
32770 (priority 32768 sys-id-ext 2)
Address
0018.187c.3c00
Hello Time
2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Role Sts Cost
Prio.Nbr Type
141
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
--------------------Fa0/7
Fa0/8
Fa0/18
Fa0/19
Fa0/20
Fa0/21
Fa0/22
---- --- --------- -------- ----------------------------Desg

Desg
Desg
Altn
Altn
Root
Altn
FWD
FWD
FWD
BLK
BLK
FWD
BLK
19
19
19
19
19
19
19
128.9
128.10
128.20
128.21
128.22
128.23
128.24
P2p
P2p
P2p
P2p
P2p
P2p
P2p
SW3#SW3#SW3#conf t
SW3(config-if)#end
SW3#
May 13 13:38:31.849: %SYS-5-CONFIG_I: Configured from console by console
SW3#
142
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
Task 8.2
4 Points
Configure a default route on ASA1 using R1 as the next hop.

Confure ASA1 so that if a DoS attack removes R1 from
service, ASA1 will use R6 as a default gatway. You may use
interface E0/3 and an interface named emergency as part of
this task. Do not run any routing protocols on E0/3.

ASA1(config-router)# no network 22.0.0.0 255.0.0.0
ASA1(config)# int e 0/3

ASA1(config-if)# nameif emergency
ASA1(config-if)# security 0
ASA1(config-if)# ip address 22.222.6.10 255.255.255.0
ASA1(config)# route outside 0.0.0.0 0.0.0.0 22.222.10.1 track 1
ASA1(config)# route emergency 0.0.0.0 0.0.0.0 22.222.6.6 254
ASA1(config)# sla monitor 123
ASA1(config-sla-monitor)# type echo protocol ipIcmpEcho 1.1.1.1 interface
outside
ASA1(config-sla-monitor-echo)# num-packets 3
ASA1(config-sla-monitor-echo)# timeout 1000
ASA1(config-sla-monitor-echo)# frequency 3
ASA1(config-sla-monitor-echo)# sla monitor schedule 123 life forever starttime now
ASA1(config)# track 1 rtr 123 reachability
ASA1(config)# show route

area
D
D
D
1.1.1.0 255.255.255.0 [90/131072] via 22.222.10.1, 0:03:01, outside

2.0.0.0 255.0.0.0 [90/156672] via 22.222.10.1, 0:03:01, outside
3.3.3.0 255.255.255.0 [90/159232] via 22.222.10.1, 0:03:01, outside
143
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc
D
4.4.4.0 255.255.255.0 [90/161792] via 22.222.10.1, 0:03:01, outside
D
5.5.5.0 255.255.255.0 [90/164352] via 22.222.10.1, 0:03:01, outside
D
6.6.6.0 255.255.255.0 [90/2303488] via 22.222.10.1, 0:03:01, outside
D
22.222.67.0 255.255.255.0 [90/2175488] via 22.222.10.1, 0:03:01, outside
C
D
22.222.12.0 255.255.255.0 [90/28672] via 22.222.10.1, 0:03:01, outside
D
22.222.5.0 255.255.255.0 [90/38912] via 22.222.10.1, 0:03:01, outside
C
22.222.6.0 255.255.255.0 is directly connected, emergency
D
22.222.7.0 255.255.255.0 [90/2178048] via 22.222.10.1, 0:03:01, outside
D
22.222.23.0 255.255.255.0 [90/31232] via 22.222.10.1, 0:03:01, outside
D
22.222.45.0 255.255.255.0 [90/36352] via 22.222.10.1, 0:03:01, outside
D
22.222.34.0 255.255.255.0 [90/33792] via 22.222.10.1, 0:03:02, outside
D
7.7.7.0 255.255.255.0 [90/2303488] via 22.222.10.1, 0:03:02, outside
O
8.8.8.8 255.255.255.255 [110/11] via 192.168.2.8, 1:09:46, inside
D
11.11.11.0 255.255.255.0 [90/131072] via 22.222.10.1, 0:03:02, outside
C
S*
0.0.0.0 0.0.0.0 [1/0] via 22.222.10.1, outside
ASA1(config)#
R1#debug ip icmp
ICMP packet debugging is on
R1#
*May 14 04:34:52.551: ICMP: echo reply sent, src 1.1.1.1, dst 22.222.10.10
R1#reload
*May 14
*May 14
*May 14
*May 14
Reason:
*May 14
*May 14
*May 14
04:34:55.551: ICMP: echo reply sent, src 1.1.1.1,

04:34:56.751: %SYS-5-RELOAD: Reload requested by
Reload Command.
dst 22.222.10.10
dst 22.222.10.10
dst 22.222.10.10
console. Reload
dst 22.222.10.10
dst 22.222.10.10
dst 22.222.10.10
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Initializing memory for ECC
.
c2811 platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled
Upgrade ROMMON initialized

program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80

144
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.07.09.05.kb.r04.09.05.doc

area
C
C
22.222.6.0 255.255.255.0 is directly connected, emergency
O
8.8.8.8 255.255.255.255 [110/11] via 192.168.2.8, 1:11:44, inside
C
S*
0.0.0.0 0.0.0.0 [254/0] via 22.222.6.6, emergency
ASA1(config)#
ASA1(config)#
145
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
LAB 8
Instructions
cannot be changed.
often!
task.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Sections:
1.ASA Firewalls
2.IOS Firewalls
3.VPNs
4.IPS
7.Advanced Security
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
ACS PC
.101
R1
BB1
.99
VLAN 168
192.168.2.0
SW2
.11
Inside
E0/0.v
VLAN 77
G0/0
DMZ1
E0/0.v
172.16.77.0
IPS C&C
.50
ASA1
DMZ2
E0/0.v
OSPF
Area 0
VLAN 99
172.16.99.0
VLAN 44
172.16.44.0
R4
Outside
E0/0.v
R7
VLAN 22
24.234.22.0
VLAN 252
24.234.252.0
BB2
R2
.252
SW1
.11
EIGRP 1
Frame Relay
24.234.100.0
Outside
E0/0.v
172.16.88.0
R6
C1
Inside
E0/0.v
VLAN 121
24.234.121.0
R3
172.16.88.0
Outside
E0/0.v
C2
Inside
E0/0.v
VLAN 88
172.16.88.0
VLAN 55
172.16.55.0
R8
R5

www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
SW1
Fa0/1
Fa0/0
R1
Fa0/1
Fa0/1
SW2
SW1
Fa0/2
Fa0/0
R2
Fa0/1
Fa0/2
SW2
SW1
Fa0/3
Fa0/0
R3
Fa0/1
Fa0/3
SW2
SW1
Fa0/4
Fa0/0
R4
Fa0/1
Fa0/4
SW2
SW1
Fa0/5
Fa0/0
R5
Fa0/1
Fa0/5
SW2
SW1
Fa0/6
Fa0/0
R6
Fa0/1
Fa0/6
SW2
SW1
Fa0/9
Fa0/0
BB1
Fa0/1
Fa0/9
SW2
SW1
Fa0/10
Fa0/0
BB2
Fa0/1
Fa0/10
SW2
SW1
Fa0/12
E0/0
E0/2
Fa0/12
SW2
Fa0/14
SW2
E0/3
Fa0/17
SW2
E0/2
Fa0/18
SW2
E0/3
Fa0/23
SW2
ASA01
Gi0/0: sense
SW1
Fa0/14
SW1
Fa0/17
E0/1
SW1
Fa0/18
E0/0
IDS
IDS
Gi0/1: c&c
ASA01
ASA02
SW1
E0/1
Fa0/23
ASA02
SW1
SW2
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Sensor Int.
G0/0
Fa1/0
Fa1/1
Fa1/2
Fa1/3
Connected to:
SW1 Fa0/14
SW3 Fa0/4
SW3 Fa0/3
SW3 Fa0/2
SW3 Fa0/1
Fas0/0
2811
SW3
SW4
Fas0/17
SW3
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Fas0/1
R7
Fas0/17
SW4
ACS PC SW1 Fa0/24
192.168.2.101
Fas0/0
2811
Fas0/1
R8
SW3

192.168.2.102
Fas0/18
SW4
Fas0/18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

Task 1.1
4 Points

Name
Inside
Outside
DMZ1
DMZ2
Interface
E0/0.168
E0/0.22
E0/0.77
E0/0.44

Default
192.168.2.100/24
Default
24.234.22.100/24
50
172.16.77.100/24
50
172.16.44.100/24
VLAN
168
22
77
44
Configure EIGRP with Outside in AS1.

Configure OSPF 1 with the DMZ2 network in area 0.
The EIGRP routers should know of the specific DMZ2
networks.
The OSPf routers should know of all specific networks on
the outside of ASA1.
accomplish this.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 1.2
4 Points
Set the firewall mode to transparent.

Context
c1
c1
c2
c2
Name
Inside
Outside
Inside
Outside
Interface
E0/0.88
E0/0.111
E0/0.55
E0/0.222
Security Level
Default
Default
Default
Default
VLAN
88
111
55
222

Verify connectivity from the inside networks to R6.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 1.3
4 Points

as 24.234.22.101. The maximum number of total connections
to the server should be 100, with no more than 50 half-open
sessions per host.
The ACS server should be able to reach the 172.16.77.50
address on DMZ1 via the inside address of 192.168.2.50.
This task will affect later tasks.
Context c1 should verify that the TCP window size does not
change unexpectedly during any telnet sessions from R8 to
R6.
Context c2 should check HTTP traffic and drop it if the
URLs cracker.com or warez.net are found.
Task 1.4
4 Points
On context c1 permit R6 to freely initiate traffic of any

type to R8.
R8s real IP should be hidden from hosts on the outside
interface of c1. It should always appear as 172.16.88.88 to
these hosts.
A host on the inside of c2 has the IP of 172.16.55.55 and a
mac address of 001b.534f.5555. Configure context c2 so that
outside hosts are not able to respond to arp requests for
this IP.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

Task 2.1
4 Points

Policy direction
Inside->Outside
Permit
TCP
UDP
ICMP
Limits
Log all ICMP
traffic.
Outside->Inside
Telnet
SSH
HTTP
Log all traffic.

For telnet and SSH,
max embryonic high
25, low 10
HTTP policed to 8000
bps with a burst of
2000
Test the Inside->Outside policy with telnet from SW1 to R2

Test the Outside->Inside policy with http from R2 to SW1.
Task 2.2
4 Points
On R4, all tcp traffic from the VLAN 99 network should be

dropped if it is idle for 10 seconds.
All http traffic from the VLAN 99 network should be logged.
Half open connections from VLAN 99 should be limited to no
more than 100 before they are dropped.
When the number of half open connetions falls below 50 the
dropping behavior should cease.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 2.3
4 Points
On R2, enable int fa0/0.252 to detect incoming protocols.

Drop all http incoming on the fa0/0.25 interface regardless
of the TCP port.
Allow SSH incoming on the fa0/0.252 interface, but only if
it originates from BB1. You may not apply an ACL directly
to an interface to accomplish this.
ICMP traffic incoming to fa0/0.252 should be policed to
8000 bps with a burst of 2000.
Task 2.4
4 Points
On R7, limit the total number of half open TCP connections

coming from the 172.16.55.0/24 network to 100 before
dropping connections.
When half open connections drop below 50, the dropping
behavior should cease.
If more than 50 half open connection occur in a 1 minute
period, they should also be dropped.
All half open connections should be dropped starting with
the oldest.
You may not use CBAC to complete any of these tasks.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points

R2, R5 and R6 should sync their time to R1 at 24.234.22.1
and use pacific standard time.
Task 3.2
4 Points

Certificates should be granted automatically.
Enroll R2, R5 and R6 with the newly created CA.
Task 3.3
4 Points
Configure GET VPN using the following settings:

o Key server: R6
o Crypto policy on server: ICMP between 24.234.22.2 and
172.16.55.5
o IKE Phase 1: DH2, RSA-Sig, AES, SHA
o GDOI policy: AES, SHA
10
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 3.4
4 Points

settings:
2.
the tunnel.
o Create loopback 11 on R1 with the IP 1.1.1.1/24.
o Setup R1 as an ezvpn client with an inside network of
1.1.1.1 and connect to R7.
o Verify that you can ping from 1.1.1.1 to 7.7.7.7
11
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Section 4: IPS
Task 4.1
4 Points

IP Address
Gateway
Managed by
172.16.77.50
172.16.77.100
192.168.2.101
Mgmt. SSL
port
4443
ACS server. You may not add any routes or make changes to
ASA1 to accomplish this.
to it.
Task 4.2
4 Points
Setup interface fa1/0 to protect traffic between BB1 and

R4. You are allowed to create an additional VLAN to
accomplish this.
outside BB2 and R2. You are allowed to create an additional
VLAN to accomplish this.
Assign the BB1 traffic to vs0 and the BB2 traffic to vs1.
Verify that both BB1 and BB2 have connectivity to the rest
of the network.
Task 4.3
4 Points
Modify an existing signature so that any packets with the

timestamp option will be denied going from or to the vlan
99 network.
12
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

Task 5.1
4 Points
Add management IP addresses to both c1 and c2. Use .200 for

the IP address.
Allow SSH management only by devices on the inside of each
context.
Authenticate with the ACS server using tacacs. Create a
user called admin with a password of cisco to
accomplish this.
Verify that you are able to login from the inside of both
contexts.
Task 5.2
4 Points
Allow any host on the outside of ASA1 to ping the ACS

server but only after authenticating.
Authentication should occur by telneting to 24.234.22.150
Use the ACS server to authenticate with the previously
created username admin password cisco
Task 5.3
4 Points
Configure R2 so that HTTP requests from the ACS server to

R8 are denied.
Require authentication before allowing this traffic to
continue to R8.
Authenticate via the ACS server using the previously
13
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

Task 6.1
4 Points
On BB2 only allow 10 BGP packets at a time in the input

queue.
SSH should never be allowed to BB2. Denied attempts should
be logged. You may not use an access list to accomplish
this.
Incoming http to BB2 should only be allowed from R2. You
may not apply an ACL directly to an interface to accomplish
this.
14
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

Task 7.1
4 Points
BGP is preconfigured with BB1 and BB2 as neighbors. Add

authentication to this configuration with a password of
cisco.
Peering will not occur automatically. There are a number of
issues preventing the peering. Discover and correct these
issues.
Verify that the BGP networks are in the routing tables of
each backbone router.
Task 7.2
4 Points
Ensure that FTP traffic traversing ASA1 conforms to RFCs

and will drop and connection that uses the PUT command.
DNS should be allowed to R7 from the outside of ASA with
the following restrictions:
o Only one response per request should be allowed.
o Transaction IDs should be randomized.
o The DNS message format should be verified.
15
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

Task 8.1
4 Points
On R6, protect against spoofing on all interfaces. This

protection must be dynamic and denied packets must be
logged. You may not apply an ACL directly to an interface
to accomplish this.
R6 should drop all packets containing ip options.
R6 should drop all fragmented packets incoming on
fa0/0.111. The dropped traffic should be logged, including
mac address.
Task 8.2
4 Points
Configure SW4, port fa0/10 to detect CAM table flood

attacks. No more than 4 mac addresses should be seen on
this port. If more are seen an alert should be generated,
but should the port should remain up.
Set port fa0/11 to shutdown if broadcast frames reach 50
percent of interface bandwidth. It should also shutdown if
multicast traffic reaches 30 percent of interface
bandwidth.
Set port fa0/12 to shutdown if more than 500 pps of frames
under 67 bytes are received on the interface.
For both of the previous tasks, once the error condition is
resolved the port should automatically come back up within
30 seconds.
16
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

Task 1.1
4 Points

Name
Inside
Outside
DMZ1
DMZ2
Interface
E0/0.168
E0/0.22
E0/0.77
E0/0.44

Default
192.168.2.100/24
Default
24.234.22.100/24
50
172.16.77.100/24
50
172.16.44.100/24
VLAN
168
22
77
44

Configure OSPF 1 with the DMZ2 network in area 0.
The EIGRP routers should know of the specific DMZ2
networks.
The OSPf routers should know of all specific networks on
the outside of ASA1.
accomplish this.
ASA1(config)#
ASA1(config-subif)#
ASA1(config-subif)#
17
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-if)#
ASA1(config-if)# router eigrp 1
ASA1(config-router)# no auto-summary
ASA1(config)#
ASA1(config)#
Verification:
O E2
C
C
O E2
O
O
O
O
E2
E2
E2
E2


172.16.55.0 [90/2172416] via 24.234.100.6, 00:30:54, Serial0/0/0
172.16.44.0
D EX
172.16.99.0
D
172.16.88.0 [90/2172416] via 24.234.100.6, 00:30:54, Serial0/0/0
D
D EX
18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
C
D
C
C
S

24.234.121.0 [90/2172416] via 24.234.100.3, 00:30:57, Serial0/0/0
192.168.2.0/24 [1/0] via 24.234.22.100
R4#ping 24.234.100.6
!!!!!
19
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 1.2
4 Points
Set the firewall mode to transparent.

Context
c1
c1
c2
c2
Name
Inside
Outside
Inside
Outside
Interface
E0/0.88
E0/0.111
E0/0.55
E0/0.222
Security Level
Default
Default
Default
Default
VLAN
88
111
55
222

Verify connectivity from the inside networks to R6.
ASA2(config)#
ASA2(config)# firewall transparent
WARNING: Removing all contexts in the system
WARNING: Unable to delete admin context, because it doesn't exist.
ciscoasa(config)#
ciscoasa(config)# interface e0/0
ciscoasa(config-if)#
ciscoasa(config-if)# interface Ethernet0/0.55
ciscoasa(config-subif)# vlan 55
ciscoasa(config-subif)#
ciscoasa(config-subif)# interface Ethernet0/0.88
ciscoasa(config-subif)# admin admin
ciscoasa(config)# context admin
ciscoasa(config-ctx)# config-url disk0:admin.cfg
20
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
ciscoasa(config-ctx)# exit
ciscoasa(config)#
ciscoasa(config)# context c1
ciscoasa(config-ctx)# allocate-interface Ethernet0/0.88 Inside
ciscoasa(config-ctx)# allocate-interface Ethernet0/0.111 Outside
ciscoasa(config-ctx)# config-url disk0:/c1.cfg
ciscoasa(config-ctx)#
ciscoasa(config-ctx)# context c2
ciscoasa(config-ctx)# allocate-interface Ethernet0/0.55 Inside
ciscoasa(config-ctx)# allocate-interface Ethernet0/0.222 Outside
ciscoasa(config-ctx)# config-url disk0:/c2.cfg
ciscoasa(config-ctx)#
ciscoasa(config-ctx)# changeto context c1
ciscoasa/c1(config)# interface Outside
ciscoasa/c1(config-if)# nameif Outside
ciscoasa/c1(config-if)# interface Inside
ciscoasa/c1(config-if)# nameif Inside
ciscoasa/c1(config-if)#
ciscoasa/c1(config-if)# changeto context c2
ciscoasa/c2(config)#
ciscoasa/c2(config)# interface Inside
ciscoasa/c2(config-if)# nameif Inside
ciscoasa/c2(config-if)# interface Outside
ciscoasa/c2(config-if)# nameif Outside
ciscoasa/c2(config-if)# fixup protocol icmp
Verification:
R5#ping 172.16.55.5
!!!!!
R8#ping 172.16.88.6
!!!!!
21
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 1.3
4 Points

as 24.234.22.101. The maximum number of total connections
to the server should be 100, with no more than 50 half-open
sessions per host.
The ACS server should be able to reach the 172.16.77.50
address on DMZ1 via the inside address of 192.168.2.50.
This task will affect later tasks.
Context c1 should verify that the TCP window size does not
change unexpectedly during any telnet sessions from R8 to
R6.
Context c2 should check HTTP traffic and drop it if the
URLs cracker.com or warez.net are found.
ASA1(config)# static (inside,outside) 24.234.22.101 192.168.2.101 tcp 100 50
ASA1(config)# static (DMZ1,inside) 192.168.2.50 172.16.77.50
ciscoasa/c1(config)# tcp-map WINDOW
ciscoasa/c1(config-tcp-map)# window-variation drop-connection
ciscoasa/c1(config-tcp-map)# exit
ciscoasa/c1(config)# access-list WINDOW permit tcp host 172.168.88.8 host
172.16.88.6 eq 23
ciscoasa/c1(config)# class-map WINDOW
ciscoasa/c1(config-cmap)# match access-list WINDOW
ciscoasa/c1(config-cmap)# exit
ciscoasa/c1(config)# policy-map global_policy
ciscoasa/c1(config-pmap)# class WINDOW
ciscoasa/c1(config-pmap-c)# set connection advanced-options WINDOW
ciscoasa/c2(config)# regex CRACKER "cracker\.com"
ciscoasa/c2(config)# regex WAREZ "warez\.net"
ciscoasa/c2(config)# class-map type regex match-any BAD_URL
ciscoasa/c2(config-cmap)# match regex CRACKER
ciscoasa/c2(config-cmap)# match regex WAREZ
ciscoasa/c2(config)# class-map type inspect http BAD
ciscoasa/c2(config-cmap)# match request uri regex class BAD_URL
ciscoasa/c2(config)# policy-map type inspect http BAD
ciscoasa/c2(config-pmap)# class BAD
ciscoasa/c2(config-pmap-c)# drop-connection
ciscoasa/c2(config-pmap-c)# exit
ciscoasa/c2(config-pmap)# exit
ciscoasa/c2(config)# policy-map global_policy
ciscoasa/c2(config-pmap)# class inspection_default
22
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
ciscoasa/c2(config-pmap-c)# inspect http BAD

Verification:
ASA1# sho xlate
Global 24.234.2.101 Local 192.168.2.101
Global 192.168.2.50 Local 172.16.77.50
ciscoasa/c1# sho service-policy (output cut)

Global policy:
Class-map: WINDOW
drop 0
Set connection advanced-options: WINDOW
Invalid ACK drops
: 0
IP TTL modified
: 0
TCP-options:

Timestamp cleared
: 0
R5#copy http://172.16.55.6/www.warez.net null:

%Error opening http://172.16.55.6/www.warez.net (I/O error)
ciscoasa/c2(config)# sho service-policy inspect http
Global policy:
Inspect: http BAD, packet 1, drop 1, reset-drop 0
protocol violations
packet 0
class BAD
drop-connection, packet 1
23
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 1.4
4 Points
On context c1 permit R6 to freely initiate traffic of any

type to R8.
R8s real IP should be hidden from hosts on the outside
interface of c1. It should always appear as 172.16.88.88 to
these hosts.
A host on the inside of c2 has the IP of 172.16.55.55 and a
mac address of 001b.534f.5555. Configure context c2 so that
outside hosts are not able to respond to arp requests for
this IP.
ciscoasa/c1(config)# access-list outside permit ip host 172.16.88.6 any
ciscoasa/c1(config)# access-group outside in interface Outside
ciscoasa/c1(config)# static (inside,outside) 172.16.88.88 172.16.88.8
ciscoasa/c2(config)# arp inside 172.16.55.55 001b.534f.5555
ciscoasa/c2(config)# arp-inspection outside enable
Verification:
R6#ping 172.16.88.88
!!!!!
R6(config-subif)#ip address 172.16.55.55 255.255.255.0 secondary
R5#ping 172.16.55.55
.....
%ASA-3-322002: ARP inspection check failed for arp response received from
host 001b.533b.e950 on interface Outside. This host is advertising MAC
Address 001b.533b.e950 for IP Address 172.16.55.55, which is statically bound
to MAC Address 001b.534f.5555
24
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

Task 2.1
4 Points

Policy direction
Inside->Outside
Permit
TCP
UDP
ICMP
Limits
Log all ICMP
traffic.
Outside->Inside
Telnet
SSH
HTTP
Log all traffic.

For telnet and SSH,
max embryonic high
25, low 10
HTTP policed to 8000
bps with a burst of
2000
Test the Inside->Outside policy with telnet from SW1 to R2

Test the Outside->Inside policy with http from R2 to SW1.
R3(config)#
R3(config-subif)#int s0/0/0
R3(config-if)#zone-member security Outside
R3(config-if)#exit
R3(config)#parameter-map type inspect INSIDE_ICMP
R3(config)#
R3(config-cmap)#match protocol udp
R3(config-cmap)#class-map type inspect match-any INSIDE_ICMP
R3(config)#
25
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

R3(config-pmap)#class INSIDE_ICMP
R3(config-pmap-c)#inspect INSIDE_ICMP
R3(config-pmap)#zone-pair ecurity INSIDE_OUTSIDE source Inside destination
Outside
R3(config)#parameter-map type inspect OUTSIDE_INSIDE
R3(config-profile)#max-incomplete low 10
R3(config)#class-map type inspect OUTSIDE_HTTP
R3(config)#class-map type inspect OUTSIDE_INSIDE
R3(config-pmap)#class OUTSIDE_HTTP
R3(config-pmap-c)#inspect OUTSIDE_HTTP
R3(config-pmap)#
R3(config-pmap)#zone-pair security OUTSIDE_INSIDE source Outside destination
Inside
Verification:
SW1#telnet 24.234.22.2
Trying 24.234.22.2 ... Open

Password:
R2>
R3#sho policy-map type inspect zone-pair sessions (output cut)
Zone-pair: INSIDE_OUTSIDE
Service-policy inspect : INSIDE_OUTSIDE
Class-map: INSIDE_OUTSIDE (match-any)
Match: protocol tcp
1 packets, 24 bytes
26
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Match: protocol udp

0 packets, 0 bytes
Inspect
Established Sessions
Session 47F7E85C (24.234.121.11:42762)=>(24.234.22.2:23) tcp
SIS_OPEN
Created 00:00:52, Last heard 00:00:45
Bytes sent (initiator:responder) [38:79]
R2#copy http://24.234.121.11/test.exe null:

%Error opening http://24.234.121.11/test.exe (No such file or directory)
R3#sho policy-map type inspect zone-pair (Output cut)
Zone-pair: OUTSIDE_INSIDE
Police
27
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 2.2
4 Points
On R4, all tcp traffic from the VLAN 99 network should be

dropped if it is idle for 10 seconds.
All http traffic from the VLAN 99 network should be logged.
Half open connections from VLAN 99 should be limited to no
more than 100 before they are dropped.
When the number of half open connetions falls below 50 the
dropping behavior should cease.
R4(config)#ip inspect name CBAC http audit-trail on
R4(config)#ip inspect name CBAC tcp timeout 10
R4(config)#
R4(config-subif)#ip inspect CBAC in
Verification:
BB1#telnet 24.234.22.2
Trying 24.234.22.2 ... Open

Password:
R2>
(ten second wait)
%Error opening http://24.234.22.2/test.exe (No such file or directory)
*May 11 18:06:27.419: %FW-6-SESS_AUDIT_TRAIL_START: Start http session:
*May 11 18:06:32.323: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator
(172.16.99.99:31117) sent 129 bytes -- responder (24.234.22.2:80) sent 137
bytes
R4#sho ip inspect st
tcp packets: [0:75]
http packets: [0:2]
Interfaces configured for inspection 1
28
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

TCP reassembly statistics
received 0 packets out-of-order; dropped 0
peak memory usage 0 KB; current usage: 0 KB
peak queue length 0
29
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 2.3
4 Points
On R2, enable int fa0/0.252 to detect incoming protocols.

Drop all http incoming on the fa0/0.25 interface regardless
of the TCP port.
Allow SSH incoming on the fa0/0.252 interface, but only if
it originates from BB1. You may not apply an ACL directly
to an interface to accomplish this.
ICMP traffic incoming to fa0/0.252 should be policed to
8000 bps with a burst of 2000.
R2(config)#
R2(config)#access-list 101 permit tcp host 24.234.252.252 any
R2(config)#
R2(config)#class-map match-all SSH
R2(config)#
R2(config)#class-map match-any SSH_DROP
R2(config)#
R2(config)#class-map match-any ICMP
R2(config)#
R2(config)#policy-map INCOMING
R2(config-pmap)#class SSH_DROP
R2(config-pmap-c)#class ICMP
R2(config-pmap-c)#police 8000 2000
R2(config-pmap)#int fa0/0.252
R2(config-subif)#service-policy in INCOMING
Verification:
R2#sho ip nbar protocol-discovery (output cut)
30
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
FastEthernet0/0.252
Input
Output
---------Protocol
Packet Count
Packet Count
Byte Count
Byte Count
5min Bit Rate (bps)
5min Bit Rate (bps)
5min Max Bit Rate (bps) 5min Max Bit Rate (bps)
------------------------ ------------------------ ----------------------eigrp
0
60
0
4680
BB2#ssh -l cisco 24.234.3.100
% Destination unreachable; gateway or host down
BB2#ping 24.234.100.3 size 1000 repeat 10
!!.!!.!!.!
FastEthernet0/0.252
Service-policy input: INCOMING
5 minute rate 0 bps
drop
1 packets, 64 bytes
Match: protocol ssh
Class-map: SSH_DROP (match-any)
0 packets, 0 bytes
Match: protocol ssh
0 packets, 0 bytes
5 minute rate 0 bps
drop
Class-map: ICMP (match-any)
31
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
5 minute rate 0 bps

police:
transmit
drop
32
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 2.4
4 Points
On R7, limit the total number of half open TCP connections

coming from the 172.16.55.0/24 network to 100 before
dropping connections.
When half open connections drop below 50, the dropping
behavior should cease.
If more than 50 half open connection occur in a 1 minute
period, they should also be dropped.
All half open connections should be dropped starting with
the oldest.
You may not use CBAC to complete any of these tasks.
R7(config)#access-list 101 permit ip any 172.16.88.0 0.0.0.255
behavior
behavior
behavior
behavior
R7(config)#ip tcp intercept drop-mode oldest
behavior
33
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points

R2, R5 and R6 should sync their time to R1 at 24.234.22.1
and use pacific standard time.
24.234.22.1 eq ntp
24.234.22.1 eq ntp
24.234.22.1 eq ntp
34
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Verification:
address
ref clock
disp
*~24.234.22.1
127.127.7.1
8
15
64 377
2.2 -13.01
4.8
configured
R2#
address
ref clock
disp
*~24.234.22.1
127.127.7.1
8
42
64
3
47.9
0.48
0.3
configured
R6#sho ntp assoc
address
ref clock
disp
*~24.234.22.1
127.127.7.1
8
0
64
7
46.8
-4.69
3875.7
configured
35
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 3.2
4 Points

Certificates should be granted automatically.
Enroll R2, R5 and R6 with the newly created CA.

R1(config)#
R1(config)#
Password:
Re-enter password:
R1(cs-server)#
36
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

24.234.22.1 eq www
24.234.22.1 eq www
24.234.22.1 eq www
Fingerprint MD5: 63959C0F 6D6EE9DC 1A822923 B76E69EF
Fingerprint SHA1: 5F8C34EB 471892C7 5AA91D50 5B7C6D13 C2257087
%
Password:
version 2
Re-enter password:
fingerprint.
R2(config)#
570F2B5F 692A492E 8D5B60DC 6DAF8F1C
A729FE9F 0B9992FD 7860A0FB 15BCF9C0 F531A1F0
Authority
37
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

%
Password:
version 2
Re-enter password:
fingerprint.
R5(config)#
23FC757F 072063C5 C8CFF527 2F227869
C476DECE 84429EE6 F0D3229F 2F7FBD08 DCBBEEEC
Authority
%
Password:
38
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
version 2
Re-enter password:
fingerprint.
R6(config)#
4870EC71 3F418F40 2049F967 0C23BFEF
CD3C7E54 38E2E0A1 9D950F2A 0FF2D4E8 A2839318
Authority
39
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 3.3
4 Points
Configure GET VPN using the following settings:

o Key server: R6
o Crypto policy on server: ICMP between 24.234.22.2 and
172.16.55.5
o IKE Phase 1: DH2, RSA-Sig, AES, SHA
R6(config-isakmp)#
R6(config-isakmp)#crypto ipsec transform-set GET esp-aes esp-sha-hmac
R6(cfg-crypto-trans)#
R6(cfg-crypto-trans)#crypto ipsec profile GET
R6(config)#
R2(config)#
40
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
R2(config)#
R2(config-if)#
R5(config)#
R5(config)#
R5(config-crypto-map)#interface fa0/0.55
R5(config-subif)#crypto map map-group1
R5(config-subif)#
ciscoasa/c2(config)# access-list outside permit icmp host 172.16.55.6 host
172.16.55.5
ciscoasa/c2(config)# access-list outside permit esp host 24.234.22.2 host
172.16.55.5
ciscoasa/c2(config)# access-list outside permit udp host 24.234.22.2 host
172.16.55.5 eq isakmp
ciscoasa/c2(config)# access-group outside in interface outside
41
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Verification:
R2#ping 172.16.55.5 so fa0/0.22
!!!!!
42
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 3.4
4 Points

settings:
2.
the tunnel.
o Create loopback 11 on R1 with the IP 1.1.1.1/24.
o Setup R1 as an ezvpn client with an inside network of
1.1.1.1 and connect to R7.
o Verify that you can ping from 1.1.1.1 to 7.7.7.7
R7(config)#aaa authentication login EZVPN local
R7(config)#aaa authorization network EZVPN local
R7(config)#
R7(config)#username ezvpn password 0 ezvpn
R7(config)#
R7(config)#ip local pool EZVPN 172.16.177.50 172.16.177.150
R7(config)#
R7(config)#
R7(config)#crypto ipsec transform-set EZVPN esp-3des esp-md5-hmac
R7(config)#
R7(config)#crypto isakmp client configuration group EZVPN
R7(config-isakmp-group)#pool EZVPN
R7(config-isakmp-group)#key ezvpn
R7(config)#
R7(config)#crypto dynamic-map EZVPN 1
R7(config-crypto-map)#set transform-set EZVPN
43
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
R7(config)#
R7(config)#
R7(config)#crypto map EZVPN client authentication list EZVPN
R7(config)#crypto map EZVPN isakmp authorization list EZVPN
R7(config)#crypto map EZVPN client configuration address respond
R7(config)#crypto map EZVPN 1 ipsec-isakmp dynamic EZVPN
R7(config)#
R7(config-subif)#crypto map EZVPN
ASA1(config)# access-list DMZ1 permit esp host 172.16.77.7 host 192.168.2.1

ASA1(config)# access-list DMZ1 permit udp host 172.16.77.7 host 192.168.2.1
eq isakmp
ASA1(config)# access-group DMZ1 in interface DMZ1
R1(config)#
R1(config)#crypto ipsec client ezvpn EZVPN
R1(config-crypto-ezvpn)#group EZVPN key ezvpn
R1(config-crypto-ezvpn)#username ezvpn password ezvpn
R1(config)#
R1(config)#interface loopback 11
R1(config-if)#crypto ipsec client ezvpn EZVPN inside
R1(config-if)#exit
R1(config)#
R1(config-subif)#crypto ipsec client ezvpn EZVPN
R1(config-subif)#
*May 11 23:17:58.583: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=ezvpn
Group=EZVPN Client_public_addr=192.168.2.1 Server_public_addr=172.16.77.7
*May 11 23:17:59.535: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0,
changed state to up
Verification:
44
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
R1#ping 7.7.7.7 so l11

!!!!!
Crypto map tag: FastEthernet0/0.168-head-0, local addr 192.168.2.1
45
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Section 4: IPS
Task 4.1
4 Points

IP Address
Gateway
Managed by
172.16.77.50
172.16.77.100
192.168.2.101
Mgmt. SSL
port
4443
ACS server. You may not add any routes or make changes to
ASA1 to accomplish this.
to it.
sensor# setup (output cut)
Current time: Tue May 12 00:44:40 2009

172.16.77.50/24,172.16.77.100
Permit: 192.168.2.101/32
Permit:
46
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

*00:45:36 UTC Tue May 12 2009
47
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
48
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 4.2
4 Points
Setup interface fa1/0 to protect traffic between BB1 and

R4. You are allowed to create an additional VLAN to
accomplish this.
outside BB2 and R2. You are allowed to create an additional
VLAN to accomplish this.
Assign the BB1 traffic to vs0 and the BB2 traffic to vs1.
Verify that both BB1 and BB2 have connectivity to the rest
of the network.
R2(config-subif)#encapsulation dot1q 253
R4(config-subif)#encapsulation dot1q 100
49
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
50
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
51
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Verification:
BB1#ping 24.234.22.2
!!!!!
BB2#ping 24.234.22.2
!!!!!
52
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 4.3
4 Points
Modify an existing signature so that any packets with the

timestamp option will be denied going from or to the vlan
99 network.
53
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
R4#ping
Protocol [ip]:
Repeat count [5]:
>>Current pointer<<
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Request
Request
Request
Request
Request
Success
0 timed
1 timed
2 timed
3 timed
4 timed
rate is
out
out
out
out
out
0 percent (0/5)
54
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 4.4
4 Points
If the timestamp traffic from the previous task is between BB1 and R4, the
traffic should never be denied. You may not modify the signature to
accomplish this.
Verification:
BB1#ping (output cut)
Protocol [ip]:
55
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Repeat count [5]:

>>Current pointer<<
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Reply to request 0 (4 ms). Received packet has options
Total option bytes= 16, padded length=16
Time=*01:52:37.243 UTC (80671B7B)
Time=*01:41:20.044 UTC (805CC62C)
Time=*01:41:20.044 UTC (805CC62C)
>>Current pointer<<
56
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

Task 5.1
4 Points
Add management IP addresses to both c1 and c2. Use .200 for

the IP address.
Allow SSH management only by devices on the inside of each
context.
Authenticate with the ACS server using tacacs. Create a
user called admin with a password of cisco to
accomplish this.
Verify that you are able to login from the inside of both
contexts.
ciscoasa/c1(config)# crypto key generate rsa mod 1024
ciscoasa/c1(config)# ip address 172.16.88.200 255.255.255.0
ciscoasa/c1(config)# aaa-server ACS protocol tacacs+
ciscoasa/c1(config-aaa-server-group)# aaa-server ACS (Outside) host
24.234.22.101
ciscoasa/c1(config-aaa-server-host)# key cisco
ciscoasa/c1(config-aaa-server-host)# exit
ciscoasa/c1(config)# ssh 172.16.88.0 255.255.255.0 inside
ciscoasa/c1(config)# aaa authentication ssh console ACS
ciscoasa/c1(config)# changeto context c2
ciscoasa/c2(config)#
ciscoasa/c2(config)# crypto key generate rsa mod 1024
ciscoasa/c2(config)# ip address 172.16.55.200 255.255.255.0
ciscoasa/c2(config)# aaa-server ACS protocol tacacs+
ciscoasa/c2(config-aaa-server-group)# aaa-server ACS (Outside) host
24.234.22.101
ciscoasa/c2(config-aaa-server-host)# key cisco
ciscoasa/c2(config-aaa-server-host)# exit
ciscoasa/c2(config)# ssh 172.16.55.0 255.255.255.0 inside
ciscoasa/c2(config)# aaa authentication ssh console ACS
ASA1(config)#
24.234.22.101
ASA1(config)#
24.234.22.101
access-list outside permit tcp host 172.16.55.200 host

eq tacacs
access-list outside permit tcp host 172.16.88.200 host
eq tacacs
57
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
58
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Verification:
59
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
R8#ssh -l admin 172.16.88.200

Password:
Type help or '?' for a list of available commands.
ciscoasa/c1>
R5#ssh -l admin 172.16.55.200
Password:
ciscoasa/c2>
60
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 5.2
4 Points
Allow any host on the outside of ASA1 to ping the ACS

server but only after authenticating.
Authentication should occur by telneting to 24.234.22.150
Use the ACS server to authenticate with the previously
ASA1(config)# aaa-server ACS protocol tacacs+
ASA1(config-aaa-server-group)# exit
ASA1(config)# aaa-server ACS (inside) host 192.168.2.101
ASA1(config-aaa-server-host)# key cisco
ASA1(config-aaa-server-host)# exit
ASA1(config)# access-list VIR_TEL permit icmp any host 24.234.22.101
ASA1(config)# access-list VIR_TEL permit tcp any host 24.234.22.150 eq telnet
ASA1(config)# aaa authentication match VIR_TEL outside ACS
ASA1(config)#
ASA1(config)# virtual telnet 24.234.22.150
ASA1(config)# access-list outside permit icmp any host 24.234.22.101
ASA1(config)# access-list outside permit tcp any host 24.234.22.150 eq telnet
Verification:
61
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
R2#ping 24.234.22.101
.....
R2#telnet 24.234.22.150
Trying 24.234.22.150 ... Open
Username: admin
Password:

R2#ping 24.234.22.101
!!!!!
ASA1# sho uauth

Current
Most Seen
Authenticated Users
1
1
Authen In Progress
0
1
user 'admin' at 24.234.22.2, authenticated
absolute
timeout: 0:05:00
62
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 5.3
4 Points
Configure R2 so that HTTP requests from the ACS server to

R8 are denied.
Require authentication before allowing this traffic to
continue to R8.
Authenticate via the ACS server using the previously
63
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
64
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
R2(config)#
R2(config)#
www
R2(config)#ip auth-proxy name AUTHP http list 102
R2(config)#
R2(config)#ip http authentication aaa
R2(config)#
R2(config)#$ 105 deny tcp host 24.234.22.101 host 172.16.88.88 eq www
R2(config)#
R2(config-subif)#ip auth-proxy AUTHP
24.234.22.101 eq tacacs
ciscoasa/c1(config)# access-list outside permit tcp host 24.234.22.101 host
172.16.88.88 eq www
Verification:
65
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
66
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

Task 6.1
4 Points
On BB2 only allow 10 BGP packets at a time in the input

queue.
SSH should never be allowed to BB2. Denied attempts should
be logged. You may not use an access list to accomplish
this.
Incoming http to BB2 should only be allowed from R2. You
may not apply an ACL directly to an interface to accomplish
this.
BB2(config)#class-map type queue-threshold match-all BGP
BB2(config-cmap)#match protocol BGP
BB2(config-cmap)#exit
BB2(config)#policy-map type queue-threshold BGP
BB2(config-pmap)#class BGP
BB2(config-pmap-c)#queue-limit 10
BB2(config-pmap-c)#exit
BB2(config-pmap)#exit
BB2(config)#
BB2(config)#class-map type port-filter match-all SSH
BB2(config-cmap)#match port tcp 22
BB2(config)#policy-map type port-filter SSH
BB2(config-pmap)#class SSH
BB2(config-pmap-c)#drop
BB2(config-pmap-c)#log
BB2(config)#
BB2(config)#access-list 101 deny tcp host 24.234.252.2 any eq www
BB2(config)#access-list 101 permit tcp any any eq www
BB2(config)#
BB2(config)#class-map match-all HTTP
BB2(config-cmap)#match access-group 101
BB2(config)#policy-map HTTP
BB2(config-pmap)#class HTTP
BB2(config-pmap-c)#drop
BB2(config)#
BB2(config)#control-plane host
BB2(config-cp-host)#service-policy type queue-threshold input BGP
BB2(config-cp-host)#service-policy type port-filter input SSH
BB2(config-cp-host)#service-policy input HTTP
67
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Verification:
BB2#sho policy-map type queue-threshold control-plane all
queue-limit 10
queue-count 0
Control Plane Host
Service-policy queue-threshold input: BGP

Class-map: BGP (match-all)
Match: protocol bgp
R2#ssh -l admin 24.234.252.252
BB2#
*May 12 17:14:50.367:
-> 24.234.252.252(22)
*May 12 17:14:52.367:
-> 24.234.252.252(22)
*May 12 17:14:56.367:
-> 24.234.252.252(22)
*May 12 17:15:04.363:
-> 24.234.252.252(22)
24.234.252.2(48061)
24.234.252.2(48061)
24.234.252.2(48061)
24.234.252.2(48061)
R3#copy http://24.234.252.252/test.exe null:

BB2#sho policy-map control-plane all
Control Plane Host
Class-map: HTTP (match-all)
drop
68
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

Task 7.1
4 Points
BGP is preconfigured with BB1 and BB2 as neighbors. Add

authentication to this configuration with a password of
cisco.
Peering will not occur automatically. There are a number of
issues preventing the peering. Discover and correct these
issues.
Verify that the BGP networks are in the routing tables of
each backbone router.
BB2(config)#router bgp 65099
BB2(config-router)#neighbor 172.16.99.99 remote-as 65099
172.16.99.99 eq bgp
ASA1(config)# tcp-map BGP
ASA1(config-tcp-map)# tcp-options range 19 19 allow
ASA1(config)# access-list BGP permit tcp any any eq bgp
ASA1(config)# class-map BGP
ASA1(config-cmap)# match access-list BGP
ASA1(config-pmap)# class BGP
ASA1(config-pmap-c)# set connection random-sequence-number disable
ASA1(config-pmap-c)# set connection advanced-options BGP
69
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
70
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Verification:
BB1#sho ip bgp
BGP table version is 5, local router ID is 99.99.99.99
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network
*> 22.22.22.0/24
*> 99.99.99.0/24
Next Hop
24.234.252.252
0.0.0.0
Metric LocPrf Weight Path

0
0 65252 i
0
32768 i
BB2#sho ip bgp
BGP table version is 5, local router ID is 22.22.22.22
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network
*> 22.22.22.0/24
*> 99.99.99.0/24
Next Hop
0.0.0.0
172.16.99.99
Metric LocPrf Weight Path

0
32768 i
0
0 65099 i
71
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 7.2
4 Points
Ensure that FTP traffic traversing ASA1 conforms to RFCs

and will drop and connection that uses the PUT command.
DNS should be allowed to R7 from the outside of ASA with
the following restrictions:
o Only one response per request should be allowed.
o Transaction IDs should be randomized.
o The DNS message format should be verified.
ASA1(config)# class-map type inspect ftp FTP
ASA1(config-cmap)# match request-command put
ASA1(config)# policy-map type inspect ftp FTP
ASA1(config-pmap)# class FTP
ASA1(config-pmap-c)# reset
ASA1(config-pmap-c)# inspect ftp strict FTP
ASA1(config-pmap-c)# access-list outside permit tcp any host 172.16.77.7 eq
53
ASA1(config)# access-list outside permit udp any host 172.16.77.7 eq 53
ASA1(config)#
ASA1(config)# policy-map type inspect dns preset_dns_map
ASA1(config-pmap-p)# dns-guard
ASA1(config-pmap-p)# id-randomization
ASA1(config-pmap-p)# protocol-enforcement
ASA1(config-pmap-p)# exit
Verification:
ASA1# sho service-policy inspect ftp
Global policy:
Inspect: ftp strict FTP, packet 0, drop 0, reset-drop 0
class FTP
reset, packet 0
ASA1# sho service-policy inspect dns
Global policy:
72
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
message-length maximum 512, drop 0
dns-guard, count 0
protocol-enforcement, drop 0
nat-rewrite, count 0
id-randomization, count 0
73
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

Task 8.1
4 Points
On R6, protect against spoofing on all interfaces. This

protection must be dynamic and denied packets must be
logged. You may not apply an ACL directly to an interface
to accomplish this.
R6 should drop all packets containing ip options.
R6 should drop all fragmented packets incoming on
fa0/0.111. The dropped traffic should be logged, including
mac address.
R6(config)#
R6(config-if)#int fa0/0.111
R6(config)#access-list 103 deny ip any any fragments log-input
Verification:
R2(config)#int l2
R2(config-if)#exit
R2(config)#exit
R2#ping 24.234.100.6 so l2
.....
R6#
74
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
*May 12 21:05:55.197: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 2.2.2.2 ->

24.234.100.6 (0/0), 1 packet
R2#ping (output cut)

Protocol [ip]:
Repeat count [5]:
>>Current pointer<<
Time= 16:00:00.000 PST (00000000)
Request 4 timed out
R8#ping 172.16.88.6
!!!!!
R8#ping 172.16.88.6 size 3000
.....
(FastEthernet0/0.111 001a.a22d.0f14) -> 172.16.88.6 (0/0), 1 packet
75
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc
Task 8.2
4 Points
Configure SW4, port fa0/10 to detect CAM table flood

attacks. No more than 4 mac addresses should be seen on
this port. If more are seen an alert should be generated,
but should the port should remain up.
Set port fa0/11 to shutdown if broadcast frames reach 50
percent of interface bandwidth. It should also shutdown if
multicast traffic reaches 30 percent of interface
bandwidth.
Set port fa0/12 to shutdown if more than 500 pps of frames
under 67 bytes are received on the interface.
For both of the previous tasks, once the error condition is
resolved the port should automatically come back up within
30 seconds.
SW4(config-if)#sw port-security maximum 4
SW4(config-if)#sw port-security violation restrict
SW4(config-if)#sw port-security
SW4(config-if)#storm-control broadcast level 50
SW4(config-if)#storm-control multicast level 30
SW4(config-if)#storm-control action shutdown
SW4(config)#errdisable detect cause small-frame
SW4(config-if)#small-frame violation-rate 500
SW4(config)#errdisable recovery cause storm-control
SW4(config)#errdisable recovery cause small-frame
Verification:
SW4#sho port-security interface fa0/10
Port Security
: Disabled
Port Status
: Secure-down
Violation Mode
: Shutdown
Aging Time
: 0 mins
Aging Type
: Absolute
: 1
Total MAC Addresses
: 0
76
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.08.09.05.sm.r04.09.05.doc

:
:
:
:
0
0
0000.0000.0000:0
0
SW4#sho storm-control broadcast

Upper
--------- ------------- ----------Fa0/11
Link Down
50.00%
Lower
----------50.00%
Current
---------0.00%
SW4#sho storm-control multicast

Upper
--------- ------------- ----------Fa0/11
Link Down
30.00%
Lower
----------30.00%
Current
---------0.00%
SW4#sho errdisable detect | inc small

small-frame
Enabled
port
SW4#sho errdisable recovery
ErrDisable Reason
----------------arp-inspection
bpduguard
channel-misconfig
dhcp-rate-limit
dtp-flap
gbic-invalid
inline-power
l2ptguard
link-flap
mac-limit
loopback
pagp-flap
port-mode-failure
psecure-violation
security-violation
sfp-config-mismatch
small-frame
storm-control
udld
vmps
Timer Status
-------------Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Enabled
Enabled
Disabled
Disabled
77
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
LAB 9
Instructions
cannot be changed.
often!
task.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Sections:
1.ASA Firewalls
2.IOS Firewalls
3.VPNs
4.IPS
7.Advanced Security
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
SW1
Fa0/1
Fa0/0
R1
Fa0/1
Fa0/1
SW2
SW1
Fa0/2
Fa0/0
R2
Fa0/1
Fa0/2
SW2
SW1
Fa0/3
Fa0/0
R3
Fa0/1
Fa0/3
SW2
SW1
Fa0/4
Fa0/0
R4
Fa0/1
Fa0/4
SW2
SW1
Fa0/5
Fa0/0
R5
Fa0/1
Fa0/5
SW2
SW1
Fa0/6
Fa0/0
R6
Fa0/1
Fa0/6
SW2
SW1
Fa0/9
Fa0/0
BB1
Fa0/1
Fa0/9
SW2
SW1
Fa0/10
Fa0/0
BB2
Fa0/1
Fa0/10
SW2
SW1
Fa0/12
E0/0
E0/2
Fa0/12
SW2
Fa0/14
SW2
E0/3
Fa0/17
SW2
E0/2
Fa0/18
SW2
E0/3
Fa0/23
SW2
ASA01
Gi0/0: sense
SW1
Fa0/14
SW1
Fa0/17
E0/1
SW1
Fa0/18
E0/0
IDS
IDS
Gi0/1: c&c
ASA01
ASA02
SW1
E0/1
Fa0/23
ASA02
SW1
SW2
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Sensor Int.
G0/0
Fa1/0
Fa1/1
Fa1/2
Fa1/3
Connected to:
SW1 Fa0/14
SW3 Fa0/4
SW3 Fa0/3
SW3 Fa0/2
SW3 Fa0/1
Fas0/0
2811
SW3
SW4
Fas0/17
SW3
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Fas0/1
R7
Fas0/17
SW4
ACS PC SW1 Fa0/24
192.168.2.101
Fas0/0
2811
Fas0/1
R8
SW3

192.168.2.102
Fas0/18
SW4
Fas0/18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Routers use router number for last octet.

Routers use Fa0/0.v (v=VLAN #) for LAN
connections. Firewall uses FA0/0.v (v=VLAN #) for
LAN connections.
R8
R7
R1
VLAN 88
2.88.2.0 /24
Int G0/1
.250
VLAN 77
2.77.2.0 /24
VLAN 11
2.11.2.0 /24
VLAN 222
2.222.2.0 /24
ASA1
.10
VLAN 66
2.66.2.0 /24
R6
VLAN 55
2.55.2.0 /24
VLAN 22
2.22.2.0 /24
R2
VLAN 33
2.33.2.0 /24
VLAN 44
2.44.2.0 /24
R5
R3
VLAN 3
2.3.2.0 /24
VLAN 5
2.5.2.0 /24
R4
VLAN 4
192.168.2.0/24
VLAN 333
2.3.2.0 /24
ACS PC
.101
XP Test
PC .102
BB1
BB2
.9
.9
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Task 1.1
4 Points

o Use E0/0.v for each interface, v=VLAN number.
o Security levels should match the VLAN number.
o Names of the interface should match the VLAN number.
o Use .10 for the system IP address in the last octet.
o Enable RIP on E0/0.11-E0/0.33
o Enable OSPF area 0 on E0/0.44-66
o Enable EIGRP AS1 on E0/0.77-88
o Verify that routers R1 R8 have all the loopback 0
routes in their routing tables.
o Enable ICMP inspection.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 1.2
4 Points
Configure ASA2 as a failover unit for ASA1 with the

following:
o Use Fa0/3 and vlan 99 for failover.
o Configure statefull failover.
o Use the network of 10.0.0.0/8 and .11 for standby
addresses.
o Your output should look similar to the following:
ASA1(config)# show fail
Failover On
Interface Policy 1
Interface 11 (2.11.2.10): Normal
slot 1: empty
Other host: Secondary - Standby Ready
slot 1: empty
Stateful Obj
xmit
xerr
General
22
0
rcv
10
rerr
0
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
sys cmd
up time
RPC services
TCP conn
UDP conn
ARP tbl
Xlate_Timeout
VPN IKE upd
VPN IPSEC upd
VPN CTCP upd
VPN SDI upd
VPN DHCP upd
SIP Session
10
0
0
0
0
12
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
10
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0

Cur
Max
Total
Recv Q:
0
13
10
Xmit Q:
0
29
136
ASA1(config)#
Task 1.3
4 Points

Device
Name
ASA1
Real
Int.
22
Mapped
Int.
44
Real
IP:PORT #
2.222.2.250:TCP 443
Mapped
IP:PORT#
2.44.2.250:TCP 5796

2.3.2.102 255.255.255.0
Add a static route on the XP PC for 2.0.0.0 /8
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 1.4
4 Points

o Default route route to R5
o Backup default route to R3 that should go active if
connectivity to BB1 at 2.5.2.9 becomes unreachable.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Task 2.1
4 Points

o Fa0/0.55 in the inside zone
o Fa0/0.2 in the outside zone
o Allow ICMP, HTTP, TELNET and SSH outbound
Task 2.2
4 Points
On R5, set the maximum sessions to 100, and max embryonic

limit to 30 per host for outbound TCP based traffic.
Create and send audit trail information to the ACS PC for
all outbound sessions.
Task 2.3
4 Points
On R3, mark all Fasttrack traffic as DSCP 1, inbound on

Fa0/0.33
Drop this traffic outbound on Fa0/0.3
Task 2.4
4 Points

Generate another
least 30 seconds.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points

o CN R1-CA_Server
o L=NV
o C=US
from Loopback 0.
Configure Routers 4-8 and the ASA as NTP and CA clients.
Task 3.2
4 Points

o R4 as primary Key server using Loopback 0
o R5 as secondary Key server using Loopback 0
o Interesting traffic: ICMP Echo between R6/R7 loopback 0
10
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 3.3
4 Points

Configure the XP Test PC as an easy vpn remote. You will
need to complete the IPS inline VLAN pair (in section 4)
before you can test this configuration.
Task 3.4
4 Points
Configure ASA1 and R8 as IPSec Peers with the following:

o IKE Phase 1: aes, dh2, RSA-Sig
o IKE Phase 2: aes, sha
o Interesting traffic: ICMP between R8 loopback 0 and R4
loopback 0.
11
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Section 4: IPS
Task 4.1
4 Points
Use the erase current-config command from the sensor

command line.
o Default gateway using R2.
to the IPS from the ACS PC using port 5796.
Task 4.2
4 Points

o sig1
o rules1
o The IP address of the ACS PC should be seen as a mission
critical host.
Task 4.3
4 Points

o Create new signature named Clone ICMP Flood
o Generate an alert and deny the packet if ICMP flood is
seen.
o Trigger on the 90th packet in a series of echo requests.
o Deny the packet when the signature is triggered.
12
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 4.4
4 Points
Send a TCP reset for any telnet traffic that includes the
string gunna!getcha . Log any packets destined for the
victim for the next 35 seconds.
13
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Task 5.1
4 Points

VLAN 512
SW4 Fa0/16.
o The ACS should see SW4 as the IP address of
192.168.2.114/24.
Task 5.2
4 Points
Configure R1 to use ACS and perform authentication and

authorization on the vty lines with the following:
o Authenticate and authorize a user named admin-5.2
providing full system access.
o Authenticate and authorize a user named user-5.2.
Provide this one user the ability to add interfaces,
input ip addresses, issue the show ip interface brief
command and enter the command of exit.
o Record all successful commands issued by authenticated
users to the ACS server.
ASA1(config)#access-list 11 permit tcp host 2.11.2.1 host 192.168.2.101 eq
tacacs
ASA1(config)#access-group 11 in int 11
14
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 5.3
4 Points

o Allow only ssh access on vty 0-4. Use the local database
and a user named user-5.3. Only allow these sessions on
Fa 0/0.22.
o Do not use the command telnet or ssh in line vty 0 4,
as well as any access-lists as part of this task.
15
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Task 6.1
4 Points
Rate limit all ICMP traffic to R2 to 8,000bps, regardless

of which interface on R2 is the target. Exempt 8.8.8.8
from this rate limiting. Do not apply any policies or
configurations directly to any Ethernet interfaces as part
of task.
16
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Task 7.1
4 Points
Configure the ACS to use a RADIUS Token Server with the

following:
o IP address of 192.168.2.103
o Password of cisco
o The ACS should search here if a user is not found in the
ACS database.
Task 7.2
4 Points
o Allow BB1 and BB2 to become BGP neighbors. Add the

password of cisco for BGP authentication.
17
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Task 8.1
4 Points
On switchports used by the the ASA(s), save the mac

addresses in the configuration file of the switch. Your
output should resemble the following:
description **ASA-1 E0/0**
switchport port-security mac-address
interface FastEthernet 0/13
sticky
sticky
sticky
sticky
sticky
sticky
sticky
sticky
sticky
0018.199e.b5fe
0018.199e.b5fe
0018.199e.b5fe
0018.199e.b5fe
0018.199e.b5fe
0018.199e.b5fe
0018.199e.b5fe
0018.199e.b5fe
vlan
vlan
vlan
vlan
vlan
vlan
vlan
vlan
11
22
33
44
55
66
77
88
Allow a port shutdown by a security violation to be

restored automatically every 90 seconds if a security
violation is not present.
Task 8.2
4 Points
On the ASA, deny any non-initial fragments on the 77

interface.
Rate limit Fraggle and Smurf attack traffic if the the
network of 192.168.2.0/24 is a source or destination of the
attack. Rate limit to 10,000bps.
SOLUTIONS GUIDE begins on next page.
18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Task 1.1
4 Points

o Use E0/0.v for each interface, v=VLAN number.
o Security levels should match the VLAN number.
o Names of the interface should match the VLAN number.
o Use .10 for the system IP address in the last octet.
o Enable RIP on E0/0.11-E0/0.33
o Enable OSPF area 0 on E0/0.44-66
o Enable EIGRP AS1 on E0/0.77-88
o Verify that routers R1 R8 have all the loopback 0
routes in their routing tables.
o Enable ICMP inspection.
SW1(config-if)#exit
ASA1(config)# int e0/0
ASA1(config-if)# int e 0/0.11
ASA1(config-subif)# security 11
ASA1(config-subif)# nameif 11
ASA1(config-subif)# ip address 2.11.2.10
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
19
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
int e 0/0.55
vlan 55
security 55
nameif 55
ip address 2.55.2.10
int e 0/0.66
vlan 66
security 66
nameif 66
int e 0/0.77
vlan 77
security 77
nameif 77
int e 0/0.88
vlan 88
security 88
nameif 88
ciscoasa(config)#
ciscoasa(config)#
ASA1(config)# int e0/0
ASA1(config-if)# int e 0/0.11
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
20
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
ASA1(config)# router rip
ASA1(config-router)# ver 2
ASA1(config-router)# passive-interface default
ASA1(config-router)# no passive-interface 11
ASA1(config-router)# network 2.0.0.0
ASA1(config-router)# redistribute ospf 1 met
ASA1(config-router)# redistribute ospf 1 metric 2
ASA1(config-router)# redistribute eigrp 1 metric 2
ASA1(config-router)#exit
ASA1(config-router)# redistribute rip subnets
ASA1(config-router)# redistribute rip metric 1 1 1 1 1
ASA1(config)#
area
21
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
R
1.1.1.0 255.255.255.0 [120/1] via 2.11.2.1, 0:00:28, 11
R
2.2.2.0 255.255.255.0 [120/1] via 2.22.2.2, 0:00:00, 22
R
2.3.2.0 255.255.255.0 [120/1] via 2.33.2.3, 0:00:03, 33
O
2.5.2.0 255.255.255.0 [110/11] via 2.55.2.5, 0:29:29, 55
C
2.11.2.0 255.255.255.0 is directly connected, 11
C
C
C
C
C
C
C
R
2.222.2.0 255.255.255.0 [120/1] via 2.22.2.2, 0:00:00, 22
R
3.3.3.0 255.255.255.0 [120/1] via 2.33.2.3, 0:00:03, 33
O
4.4.4.4 255.255.255.255 [110/11] via 2.44.2.4, 0:29:30, 44
O
5.5.5.5 255.255.255.255 [110/11] via 2.55.2.5, 0:29:30, 55
O
6.6.6.6 255.255.255.255 [110/11] via 2.66.2.6, 0:29:30, 66
D
7.7.7.0 255.255.255.0 [90/131072] via 2.77.2.7, 0:13:39, 77
D
8.0.0.0 255.0.0.0 [90/131072] via 2.88.2.8, 0:35:39, 88
O
192.168.2.0 255.255.255.0 [110/11] via 2.44.2.4, 0:29:30, 44
ASA1(config)#
R1#show ip route
route
C
R
R
R
C
R
R
R
R
R
R
R
R
R
R
R

22
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

8.0.0.0/8 [120/2] via 2.11.2.10, 00:00:16, FastEthernet0/0.11
192.168.2.0/24 [120/2] via 2.11.2.10, 00:00:16, FastEthernet0/0.11
R
R
R
R1#
inspect icmp
23
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 1.2
4 Points
Configure ASA2 as a failover unit for ASA1 with the

following:
o Use Fa0/3 and vlan 99 for failover.
o Configure statefull failover.
o Use the network of 10.0.0.0/8 and .11 for standby
addresses.
o Your output should look similar to the following:
Failover On
Interface Policy 1
slot 1: empty
slot 1: empty
Stateful Obj
xmit
xerr
General
22
0
rcv
10
rerr
0
24
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
sys cmd
up time
RPC services
TCP conn
UDP conn
ARP tbl
Xlate_Timeout
VPN IKE upd
VPN IPSEC upd
VPN CTCP upd
VPN SDI upd
VPN DHCP upd
SIP Session
10
0
0
0
0
12
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
10
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0

Cur
Max
Total
Recv Q:
0
13
10
Xmit Q:
0
29
136
ASA1(config)#
SW3(config)#int range fa 0/17 , fa 0/23
ASA1(config)# failover lan unit primary
ASA1(config)# failover lan interface lanfail Ethernet0/3
ASA1(config)# failover link lanfail Ethernet0/3
10.0.0.11
ASA1(config)# int e 0/0.11
25
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

ciscoasa(config)# interface e0/3

ciscoasa(config-if)# exit
ciscoasa(config)# failiover lan unit secondary
ciscoasa(config)# failover lan interface lanfail Ethernet0/3
INFO: Non-failover interface config is cleared on Ethernet0/3 and its subinterfaces
ciscoasa(config)# failover key cisco
ciscoasa(config)# failover replication http
ciscoasa(config)# failover link lanfail Ethernet0/3
ciscoasa(config)# failover interface ip lanfail 10.0.0.10 255.255.255.0
standby 10.0.0.11
ciscoasa(config)# failover
Detected an Active mate
Beginning configuration replication from mate.
ASA1(config)# monitor-interface 11
Failover On
Interface Policy 1
26
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

slot 1: empty
slot 1: empty
Stateful Obj
xmit
xerr
General
48
0
sys cmd
29
0
up time
0
0
RPC services
0
0
TCP conn
0
0
UDP conn
0
0
ARP tbl
19
0
Xlate_Timeout
0
0
VPN IKE upd
0
0
VPN IPSEC upd
0
0
VPN CTCP upd
0
0
VPN SDI upd
0
0
VPN DHCP upd
0
0
SIP Session
0
0
rcv
29
29
0
0
0
0
0
0
0
0
0
0
0
0
rerr
0
0
0
0
0
0
0
0
0
0
0
0
0
0

Cur
Max
Total
Recv Q:
0
8
30
Xmit Q:
0
29
295
ASA1(config)#
27
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 1.3
4 Points

Device
Name
ASA1
Real
Int.
22
Mapped
Int.
44
Real
IP:PORT #
2.222.2.250:TCP 443
Mapped
IP:PORT#
2.44.2.250:TCP 5796

2.3.2.102 255.255.255.0
Add a static route on the XP PC for 2.0.0.0 /8
ASA1(config)# static (22,44) tcp 2.44.2.250 5796 2.222.2.250 443
28
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
29
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
30
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
31
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 1.4
4 Points

o Default route route to R5
o Backup default route to R3 that should go active if
connectivity to BB1 at 2.5.2.9 becomes unreachable.
ASA1(config)# route 55 0 0 2.55.2.5 track 1
ASA1(config)# route 33 0 0 2.33.2.3 254
ASA1(config)#
ASA1(config)#
ASA1(config)# sla monitor 123
ASA1(config-sla-monitor)# type echo protocol ipIcmpEcho 2.5.2.9 interface 55
ASA1(config-sla-monitor-echo)# num-packets 3
ASA1(config-sla-monitor-echo)# timeout 1000
ASA1(config-sla-monitor-echo)# frequency 3
ASA1(config-sla-monitor-echo)# sla monitor schedule 123 life forever starttim$
ASA1(config)# !
ASA1(config)# track 1 rtr 123 reachability
ASA1(config)#
area
R
R
R
O
C
C
C
C
C
C
C
C
R
R
O
O
O
D
1.1.1.0 255.255.255.0 [120/1] via 2.11.2.1, 0:00:18, 11

2.2.2.0 255.255.255.0 [120/1] via 2.22.2.2, 0:00:03, 22
2.3.2.0 255.255.255.0 [120/1] via 2.33.2.3, 0:00:25, 33
2.5.2.0 255.255.255.0 [110/11] via 2.55.2.5, 0:10:35, 55
2.222.2.0 255.255.255.0 [120/1] via 2.22.2.2, 0:00:03, 22
3.3.3.0 255.255.255.0 [120/1] via 2.33.2.3, 0:00:25, 33
4.4.4.4 255.255.255.255 [110/11] via 2.44.2.4, 0:10:39, 44
5.5.5.5 255.255.255.255 [110/11] via 2.55.2.5, 0:10:39, 55
6.6.6.6 255.255.255.255 [110/11] via 2.66.2.6, 0:10:39, 66
8.0.0.0 255.0.0.0 [90/131072] via 2.88.2.8, 0:52:34, 88
32
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
C
10.0.0.0 255.255.255.0 is directly connected, lanfail
O
192.168.2.0 255.255.255.0 [110/11] via 2.44.2.4, 0:10:39, 44
S*
0.0.0.0 0.0.0.0 [1/0] via 2.55.2.5, 55
ASA1(config)#
BB1#
BB1#reload
area
R
1.1.1.0 255.255.255.0 [120/1] via 2.11.2.1, 0:00:12, 11
R
2.2.2.0 255.255.255.0 [120/1] via 2.22.2.2, 0:00:01, 22
R
2.3.2.0 255.255.255.0 [120/1] via 2.33.2.3, 0:00:22, 33
O
2.5.2.0 255.255.255.0 [110/11] via 2.55.2.5, 0:00:15, 55
C
C
C
C
C
C
C
C
R
2.222.2.0 255.255.255.0 [120/1] via 2.22.2.2, 0:00:01, 22
R
3.3.3.0 255.255.255.0 [120/1] via 2.33.2.3, 0:00:22, 33
O
4.4.4.4 255.255.255.255 [110/11] via 2.44.2.4, 0:00:17, 44
O
5.5.5.5 255.255.255.255 [110/11] via 2.55.2.5, 0:00:17, 55
O
6.6.6.6 255.255.255.255 [110/11] via 2.66.2.6, 0:00:17, 66
D
8.0.0.0 255.0.0.0 [90/131072] via 2.88.2.8, 0:54:22, 88
C
10.0.0.0 255.255.255.0 is directly connected, lanfail
O
192.168.2.0 255.255.255.0 [110/11] via 2.44.2.4, 0:00:17, 44
S*
0.0.0.0 0.0.0.0 [254/0] via 2.33.2.3, 33
ASA1(config)#
33
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Task 2.1
4 Points

o Fa0/0.55 in the inside zone
o Fa0/0.2 in the outside zone
o Allow ICMP, HTTP, TELNET and SSH outbound
R5(config)# class-map type inspect match-any cmap_outbound
R5(config-cmap)# match protocol ssh
R5(config-cmap)# match protocol http
R5(config-cmap)# match protocol telnet
R5(config)# class-map type inspect match-any cmap_inbound
R5(config)# policy-map type inspect pmap_outbound
R5(config-pmap)# class type inspect cmap_outbound
R5(config-pmap-c)#
inspect
R5(config)# policy-map type inspect pmap_inbound
R5(config-pmap)# class type inspect cmap_inbound
R5(config)#zone security inside
R5(config-sec-zone)#zone security outside
R5(config-sec-zone)#int Fa0/0.55
R5(config-subif)#zone-member security inside
R5(config)#int Fa0/0.5
R5(config-subif)#zone-member security outside
R5(config)# zone-pair security inside-to-outside source inside destination
outside
R5(config-sec-zone-pair)# service-policy type inspect pmap_outbound
R5(config)# zone-pair security outside-to-inside source outside destination
inside
R5(config-sec-zone-pair)# service-policy type inspect pmap_inbound
R5(config-sec-zone-pair)# exit
R5(config)#do show policy-map type inspect zone-pair
Zone-pair: inside-to-outside
Service-policy inspect : pmap_outbound
34
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Class-map: cmap_outbound (match-any)

Match: protocol ssh
0 packets, 0 bytes
0 packets, 0 bytes
2 packets, 88 bytes
Inspect
icmp packets: [0:96]
Match: any
0 packets, 0 bytes
Zone-pair: outside-to-inside
Service-policy inspect : pmap_inbound
Class-map: cmap_inbound (match-any)
0 packets, 0 bytes
Inspect
Match: any
2 packets, 48 bytes
R5(config)#
35
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 2.2
4 Points
On R5, set the maximum sessions to 100, and max embryonic

limit to 30 per host for outbound TCP based traffic.
Create and send audit trail information to the ACS PC for
all outbound sessions.
R5(config)#policy-map type inspect pmap_inbound
R5(config-pmap)# class type inspect cmap_inbound
R5(config)# parameter-map type inspect my_param_map
R5(config-profile)# sessions maximum 100
R5(config-profile)# tcp max-incomplete host 30
R5(config)# policy-map type inspect pmap_outbound
R5(config-pmap)# class type inspect cmap_outbound
R5(config-pmap-c)#
inspect my_param_map
R5(config)#logging trap 6
R5(config)#logging host 192.168.2.101
R5(config)#exit
R6#telnet 2.5.2.9
BB1#exit
R6#
!!!!.!!!!.!!!!.
BB1#
36
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
37
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 2.3
4 Points
On R3, mark all Fasttrack traffic as DSCP 1, inbound on

Fa0/0.33
Drop this traffic outbound on Fa0/0.3
R3(config)#class-map match-any cmap_fasttrack
R3(config)#policy-map pmap_mark_fasttrack
R3(config-pmap)#class cmap_fasttrack
R3(config-pmap-c)#int Fa 0/0.33
R3(config-subif)#service-policy input pmap_mark_fasttrack
R3(config-subif)#
R3(config-subif)#access-list 100 deny ip any any dscp 1 log
R3(config)#int Fa0/0.3
R3(config-subif)#ip access-group 100 out
R3(config-subif)#end
R3#show policy-map interface fa 0/0.33
FastEthernet0/0.33
Service-policy input: pmap_mark_fasttrack
Class-map: cmap_fasttrack (match-any)
0 packets, 0 bytes
0 packets, 0 bytes
5 minute rate 0 bps
QoS Set
dscp 1
Packets marked 0
Match: any
R3#
38
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 2.4
4 Points

Generate another
least 30 seconds.
R7(config)# process cpu threshold type total rising 70 interval 10 falling 30
interval 30
R7#wr
Building
[OK]
R7#wr
Building
[OK]
R7#wr
Building
[OK]
R7#wr
Building
[OK]
R7#wr
Building
[OK]
R7#wr
Building
configuration...
configuration...
configuration...
configuration...
configuration...
configuration...

114/0%[OK]
R7#
R7#
R7#
39
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points

o CN R1-CA_Server
o L=NV
o C=US
from Loopback 0.
Configure Routers 4-8 and the ASA as NTP and CA clients.
R1(config)#ntp trusted-k
R1(cs-server)#cdp-url http://1.1.1.1/R1.cdp.crl
Password: cisco123
40
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

R1(cs-server)#
R1(cs-server)#end
R4(config)#ntp authentica
May 17 04:45:24.648: %SYS-6-CLOCKUPDATE: System clock has been updated from
21:45:24 PDT Sat May 16 2009 to 21:45:24 PDT Sat May 16 2009, configured from
console by console.
console by console.
% You already have RSA keys defined named R4.ccbootcamp.com.
% They will be replaced.
May 17 04:45:27.524: %SSH-5-DISABLED: SSH 1.99 has been disabled[OK]
R4(config)#
R4(config)#
R4(config)#crypto pki authenticate R1-CA
Fingerprint MD5: 6639F668 A7C539DA D444653F 0DD6A31B
Fingerprint SHA1: AB5C27EF 877C1C27 5A7CA12F 101777F4 86C0E64A
R4(config)#
R4(config)#crypto pki enroll R1-CA
%
Password:
41
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Re-enter password:
fingerprint.
R4(config)#
R4(config)#
FB009B1F F2A07B92 AF40F039 4DF72BFF
DAC3E1C5 3B790E81 14E92CBD FD1A4178 6FE88443
R4(config)#
Authority
R4(config)#
R5(config)#clock timezone
May 17 04:45:43.293: %SYS-5-CONFIG_I: Configured from console by console
console by console.
console by console.
R5(config)#
R5(config)#
42
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

R5(config)#
%
Password:
Re-enter password:
fingerprint.
R5(config)#
R5(config)#
DA9F3B36 94E1DB4D B58E3274 02538757
09FABAB9 97E0299C 74DA3518 BA1319DC 7C0E7EEC
R5(config)#
Authority
R5(config)#
R6(config)#ntp
console by console.
console by console.
43
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

R6(ca-trustpoint)#revoca
R6(config)#
R6(config)#
R6(config)#
%
Password:
Re-enter password:
fingerprint.
R6(config)#
R6(config)#
289B9219 1B81AB7E 25703B14 4DC41E4F
078BF93D CF36006A C00E529F 37B3B818 948DAED7
R6(config)#
Authority
R6(config)#
R7(config)#ntp au
console by console.
44
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
R7(config)#ntp authentication-key 1 md
console by console.
R7(config)#
R7(config)#
R7(config)#
May 17 04:46:06.939: %SSH-5-ENABLED: SSH 1.99 has been enabledcry
R7(config)#
%
Password:
Re-enter password:
Request certificate from CA? [yes/no]: ye
fingerprint.
R7(config)#
476E9C95 8C87815F AD1EE04A CE6AAB27
45
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

40CE81FC B08CB0F4 7302A70B EB5704D2 913FBCBD
R7(config)#
Authority
R7(config)#
R8(config)#ntp authen
console by console.
R8(config)#ntp authentication-key 1 md5 ci
console by console.
R8(config)#
R8(config)#
R8(config)#
%
Password:
46
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Re-enter password:
fingerprint.
R8(config)#
R8(config)#
55D6E2A8 0D7EE2D3 BCCCD2CA 8215989B
5CD8729E 49920665 3DCA194C E42F6B8A FE20FA50
R8(config)#
Authority
R8(config)#
ASA1(config)# clock timezone PST -8

ASA1(config)# clock summer-time PDT recurring
ASA1(config)# domain-name ccbootcamp.com
ASA1(config)# ntp authentication-key 1 md5 cisco
ASA1(config)# ntp trusted-key 1
ASA1(config)# ntp authenticate
ASA1(config)# ntp server 1.1.1.1
ASA1(config)# crypto key generate rsa general-keys modulus 1024
ASA1(config)# crypto ca trustpoint R1-CA
ASA1(config-ca-trustpoint)# enrollment url http://1.1.1.1:80
ASA1(config-ca-trustpoint)# revocation-check none
ASA1(config-ca-trustpoint)# exit
ASA1(config)# cry ca authenticate R1-CA
Fingerprint:
6639f668 a7c539da d444653f 0dd6a31b
Do you accept this certificate? [yes/no]: yes
ASA1(config)# cryp ca enroll R1-CA
%
Password:
Re-enter password:
% The fully-qualified domain name in the certificate will be:
ASA1.ccbootcamp.com
47
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
% Include the device serial number in the subject name? [yes/no]: no

ASA1(config)#
ASA1(config)# The certificate has been granted by CA!
48
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 3.2
4 Points

o R4 as primary Key server using Loopback 0
o R5 as secondary Key server using Loopback 0
o Interesting traffic: ICMP Echo between R6/R7 loopback 0
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#
access-list 44 permit udp host 2.44.2.4 host 1.1.1.1 eq ntp

access-list 44 permit udp host 4.4.4.4 host 5.5.5.5 eq 848
access-group 44 in interface 44

R4(gdoi-local-server)#rekey authentication my
R4(gdoi-sa-ipsec)#replay counter w
49
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

R5(gdoi-local-server)#rekey authentication myp
R5(gdoi-sa-ipsec)#replay counter wi
R5(config-gdoi-group)#access-list 123 permit icmp host 6.6.6.6 host 7.7.7.7
R5(config)#access-list 123 permit icmp host 7.7.7.7.7 host 6.6.6.6
R6(config-subif)#e
50
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

R6(config)#
R6(config)#
R6(config)#
R6(config)#
to Unicast Rekey.
R6(config)#
R7(config)#
R7(config)#
R7(config)#
R7(config)#
to Unicast Rekey.
R7(config)#
R7(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#

access-list 66 permit udp host 2.66.2.6 host 1.1.1.1 eq ntp
access-list 66 permit 50 host 6.6.6.6 host 7.7.7.7
access-group 66 in interface 66

51
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

!!!!!
local crypto endpt.: 2.66.2.6, remote crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.66
current outbound spi: 0x8A084196(2315796886)
inbound esp sas:
spi: 0x3FFC7B68(1073511272)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2023, flow_id: NETGX:23,
sa timing: remaining key lifetime
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x17F276B6(401766070)
IV size: 16 bytes
Status: ACTIVE
spi: 0x9909BC72(2567552114)
IV size: 16 bytes
Status: ACTIVE
spi: 0x8A084196(2315796886)
crypto map: map-group1

(sec): (405)

(sec): (441)

(sec): (985)
52
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
conn id: 2035, flow_id: NETGX:35, crypto map: map-group1

sa timing: remaining key lifetime (sec): (1090)
IV size: 16 bytes
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3FFC7B68(1073511272)
IV size: 16 bytes
Status: ACTIVE
spi: 0x17F276B6(401766070)
IV size: 16 bytes
Status: ACTIVE
spi: 0x9909BC72(2567552114)
IV size: 16 bytes
Status: ACTIVE
spi: 0x8A084196(2315796886)
IV size: 16 bytes
Status: ACTIVE

(sec): (402)

(sec): (439)

(sec): (983)

(sec): (1087)
outbound ah sas:
outbound pcp sas:
53
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
#pkts
#pkts
#pkts
#send

local crypto endpt.: 2.66.2.6, remote crypto endpt.:

current outbound spi: 0x8A084196(2315796886)
inbound esp sas:
spi: 0x3FFC7B68(1073511272)
IV size: 16 bytes
Status: ACTIVE
spi: 0x17F276B6(401766070)
IV size: 16 bytes
Status: ACTIVE
spi: 0x9909BC72(2567552114)
IV size: 16 bytes
Status: ACTIVE
spi: 0x8A084196(2315796886)
IV size: 16 bytes
Status: ACTIVE

(sec): (400)

(sec): (437)

(sec): (980)

(sec): (1085)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3FFC7B68(1073511272)
conn id: 2022, flow_id: NETGX:22, crypto map: map-group1
sa timing: remaining key lifetime (sec): (399)
IV size: 16 bytes
54
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Status: ACTIVE
spi: 0x17F276B6(401766070)
IV size: 16 bytes
Status: ACTIVE
spi: 0x9909BC72(2567552114)
IV size: 16 bytes
Status: ACTIVE
spi: 0x8A084196(2315796886)
IV size: 16 bytes
Status: ACTIVE

(sec): (435)

(sec): (978)

(sec): (1083)
outbound ah sas:
outbound pcp sas:
R6#
55
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 3.3
4 Points

Configure the XP Test PC as an easy vpn remote. You will
need to complete the IPS inline VLAN pair (in section 4)
before you can test this configuration.
R3(config-isakmp-group)#pool MY_VPN_POOL
% A profile is deemed incomplete until it has match identity statements
R3(config-if)#ip unnumbered Fa0/0.3
56
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
R3(config-if)#exit
R3(config)#ip local pool MY_VPN_POOL 2.33.2.51 2.33.2.60
R3(config)#exit
57
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 3.4
4 Points
Configure ASA1 and R8 as IPSec Peers with the following:

o IKE Phase 1: aes, dh2, RSA-Sig
o IKE Phase 2: aes, sha
o Interesting traffic: ICMP between R8 loopback 0 and R4
loopback 0.
ASA1(config)# crypto isakmp enable 88
ASA1(config)# access-list Crypto_ACL permit icmp host 4.4.4.4 host 8.8.8.8
ASA1(config)# tunnel-group 2.88.2.8 type ipsec-l2l
ASA1(config)# tunnel-group 2.88.2.8 ipsec-attributes
ASA1(config-tunnel-ipsec)# trust-point R1-CA
ASA1(config-tunnel-ipsec)# peer-id-validate nocheck
ASA1(config-tunnel-ipsec)# crypto isakmp policy 10 authen rsa-sig
ASA1(config)# crypto isakmp policy 10 encrypt aes
ASA1(config)# crypto isakmp policy 10 hash sha
ASA1(config)# crypto isakmp policy 10 group 2
ASA1(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
ASA1(config)# crypto map outside_map 1 set trustpoint R1-CA
ASA1(config)# crypto map outside_map 1 match address Crypto_ACL
ASA1(config)# crypto map outside_map 1 set peer 2.88.2.8
ASA1(config)# crypto map outside_map 1 set transform-set MYSET
ASA1(config)# crypto map outside_map interface 88
R8(config-isakmp)#encryp aes
R8(config)#crypto ipsec transform MYSET esp-aes esp-sha
R8(config-crypto-map)#set transform MYSET
R8(config-crypto-map)#interface fa0/0.88
R8(config-subif)#crypto map MYMAP
58
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
May 17 06:42:16.713: ISAKMP:(0): Support for IKE Fragmentation not enabled

May 17 06:42:16.717: ISAKMP:(0): Support for IKE Fragmentation not
enabled.!!!!
R8#show cryp
C-id Local
Lifetime Cap.
Remote
I-VRF
1015 2.88.2.8
2.88.2.10
23:59:44
ACTIVE aes
sha
rsig 2
1014
ACTIVE aes
sha
rsig 2
2.88.2.8
2.88.2.10
Engine-id:Conn-id = ???
(deleted)

Crypto map tag: MYMAP, local addr 2.88.2.8
local crypto endpt.: 2.88.2.8, remote crypto endpt.: 2.88.2.10
current outbound spi: 0x4B7B8195(1266385301)
inbound esp sas:
spi: 0xEB3DA2E5(3946685157)
conn id: 2003, flow_id: NETGX:3, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4578678/3575)
IV size: 16 bytes
59
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4B7B8195(1266385301)
conn id: 2004, flow_id: NETGX:4, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4578678/3574)
IV size: 16 bytes
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R8#
60
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Section 4: IPS
Task 4.1
4 Points
Use the erase current-config command from the sensor

command line.
o Default gateway using R2.
to the IPS from the ACS PC using port 5796.
SW2(config-if)#end
sensor# setup
!
!
!
!
Enter web-server port[443]:
No entries
Permit: 192.168.2.101/32
Permit:
!
!
!
!
61
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

*06:26:02 UTC Sun May 17 2009
sensor#
ASA1(config)# access-list 44 permit tcp host 192.168.2.101 host 2.44.2.250 eq
5796
62
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 4.2
4 Points

o sig1
o rules1
o The IP address of the ACS PC should be seen as a mission
critical host.
SW1(config-if)#end
63
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
64
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
65
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
66
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
67
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
68
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
69
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 4.3
4 Points

o Create new signature named Clone ICMP Flood
o Generate an alert and deny the packet if ICMP flood is
seen.
o Trigger on the 90th packet in a series of echo requests.
o Deny the packet when the signature is triggered.
70
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
71
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!.!
72
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
BB2#
73
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 4.4
4 Points
Send a TCP reset for any telnet traffic that includes the
string gunna!getcha . Log any packets destined for the
victim for the next 35 seconds.
74
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
75
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
76
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
77
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
78
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
79
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
80
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
81
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
82
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
83
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
84
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
85
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
86
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
87
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
88
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
BB2#telnet 1.1.1.1
R1#gunna!getcha
% Unknown command or computer name, or unable to find computer address
R1#
89
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
90
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
91
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Task 5.1
4 Points

VLAN 512
SW4 Fa0/16.
o The ACS should see SW4 as the IP address of
192.168.2.114/24.
92
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
93
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
94
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
95
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
SW4(config)#vlan 512,513,514
SW4(config)#interface vlan 4
SW4(config-if)#dot1x system-auth-control
SW4(config-if)#dot1x violation-mode shutdown
SW4(config-if)#exit
SW4(config)#ip radius source-interface VLAN4
SW4(config)#radius-server host 192.168.2.101
SW4(config)#end
SW4#test aaa group radius user-5.1 cisco legacy
SW4#
SW4#show dot1x interface fa0/16
----------------------------------PAE
= AUTHENTICATOR
PortControl
= AUTO
ControlDirection
= Both
HostMode
= SINGLE_HOST
Violation Mode
= SHUTDOWN
ReAuthentication
= Disabled
QuietPeriod
= 60
ServerTimeout
= 30
SuppTimeout
= 30
ReAuthPeriod
ReAuthMax
= 2
MaxReq
= 2
TxPeriod
= 30
RateLimitPeriod
= 0
Auth-Fail-Vlan
= 512
= 3
Guest-Vlan
= 513
SW4#
96
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 5.2
4 Points
Configure R1 to use ACS and perform authentication and

authorization on the vty lines with the following:
o Authenticate and authorize a user named admin-5.2
providing full system access.
o Authenticate and authorize a user named user-5.2.
Provide this one user the ability to add interfaces,
input ip addresses, issue the show ip interface brief
command and enter the command of exit.
o Record all successful commands issued by authenticated
users to the ACS server.
ASA1(config)#access-list 11 permit tcp host 2.11.2.1 host 192.168.2.101 eq

tacacs
ASA1(config)#access-group 11 in int 11
R1(config)#aaa authentication login TAC group tacacs+
R1(config-line)#login authentication TAC
R1(config)#
97
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
98
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
99
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
100
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
101
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
102
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
103
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
104
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
105
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
106
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
R1#telnet 1.1.1.1
Username: user-5.2
Password:
R1#show ver
R1#conf t
End with CNTL/Z.

107
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
May 17 08:46:55.538: %LINEPROTO-5-UPDOWN: Line protocol on Interface

R1(config-if)#exit
R1(config)#exit
R1#logi
May 17 08:47:25.702: %SYS-5-CONFIG_I: Configured from console by user-5.2 on
vty0 (1.1.1.1ut
R1#logout
R1#exit
R1#
108
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 5.3
4 Points

o Allow only ssh access on vty 0-4. Use the local database
and a user named user-5.3. Only allow these sessions on
Fa 0/0.22.
o Do not use the command telnet or ssh in line vty 0 4,
as well as any access-lists as part of this task.
R2(config)#
R2(config-cp-host)#management-interface fa0/0.22 allow ssh
R2(config-cp-host)#e
*May 17 08:35:30.850: %CP-5-FEATURE: Management-Interface feature enabled on
Control plane host path
R2(config-cp-host)#end
R2(config-line)#end
R2#
R2#telnet 2.2.2.2
Trying 2.2.2.2 ...
R2#
R2#ssh -l user-5.3 2.2.2.2
R2#ssh -l user-5.3 2.22.2.2
Password:
R2>who
Line
0 con 0
*514 vty 0
User
user-5.3
Host(s)
2.22.2.2
idle
Idle
Location
00:00:00
00:00:00 2.22.2.2
Interface
User
Mode
Idle
R2>exit
R2#
Peer Address
109
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Task 6.1
4 Points
Rate limit all ICMP traffic to R2 to 8,000bps, regardless

of which interface on R2 is the target. Exempt 8.8.8.8
from this rate limiting. Do not apply any policies or
configurations directly to any Ethernet interfaces as part
of task.
R2(config)#class-map CMAP_CONTROL_PLANE
R2(config-pmap-c)#police 8000 conform transmit exceed drop
R2(config-pmap)#control-plane
R2(config-cp)#exit
R2(config)#exit
!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!
!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!.!!!!!!!!!!!
R8#ping 2.22.2.2 repeat 50 source loopback 0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R8#
Control Plane
110
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

police:
transmit
drop
drop
Match: any
R2#
111
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Task 7.1
4 Points
Configure the ACS to use a RADIUS Token Server with the

following:
o IP address of 192.168.2.103
o Password of cisco
o The ACS should search here if a user is not found in the
ACS database.
112
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
113
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
114
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
115
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
116
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
Task 7.2
4 Points
o Allow BB1 and BB2 to become BGP neighbors. Add the

password of cisco for BGP authentication.
ASA1(config)# access-list 33 permit tcp host 2.3.2.9 host 2.5.2.9 eq 179
ASA1(config)# access-group 33 in interface 33
R5(config)#access-list 100 permit tcp host 2.5.2.9 host 2.3.2.9 eq 179
R5(config)#access-list 101 permit tcp host 2.3.2.9 host 2.5.2.9 eq 179
R5(config)#do show run class-map
!
class-map type inspect match-any cmap_inbound
match protocol icmp
class-map type inspect match-any cmap_outbound
match protocol ssh
match protocol http
match protocol icmp
match protocol telnet
!
end
R5(config)#class-map type inspect match-any cmap_inbound
R5(config)#class-map type inspect match-any cmap_outbound
R5(config-cmap)#end
Neighbor
V
AS MsgRcvd MsgSent
TblVer InQ OutQ Up/Down
State/PfxRcd
2.5.2.9
4
1
10
9
16
0
0 00:05:47
15
BB1(config-router)#
117
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

2.5.2.9(179)
ASA1(config)# access-list ACL_opt_19 extended permit tcp host 2.3.2.9 host
2.5.2.9
ASA1(config)# access-list ACL_opt_19 extended permit tcp host 2.5.2.9 host
2.3.2.9
ASA1(config)# tcp-map OPTION_19
ASA1(config-tcp-map)# tcp-options range 19 19 allow
ASA1(config)# class-map BGP_TRAFFIC
ASA1(config-cmap)# match access-list ACL_opt_19
ASA1(config-pmap)# class BGP_TRAFFIC
ASA1(config-pmap-c)# set connection random-sequence-number disable
ASA1(config-pmap-c)# set connection advanced-options OPTION_19
ASA1(config)#
118
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
119
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
BB2#
2.3.2.9(179)
BB2#
*May 17 09:28:47.790: %BGP-5-ADJCHANGE: neighbor 2.5.2.9 Up
BB2#show ip bgp summ
Neighbor
2.5.2.9
BB2#
V
4
AS MsgRcvd MsgSent
1
16
18
TblVer
46
InQ OutQ Up/Down PfxRcd

0
0 00:00:26
15
120
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Task 8.1
4 Points
On switchports used by the the ASA(s), save the mac

addresses in the configuration file of the switch. Your
output should resemble the following:
description **ASA-1 E0/0**
interface FastEthernet 0/13
sticky
sticky
sticky
sticky
sticky
sticky
sticky
sticky
sticky
0018.199e.b5fe
0018.199e.b5fe
0018.199e.b5fe
0018.199e.b5fe
0018.199e.b5fe
0018.199e.b5fe
0018.199e.b5fe
0018.199e.b5fe
vlan
vlan
vlan
vlan
vlan
vlan
vlan
vlan
11
22
33
44
55
66
77
88
Allow a port shutdown by a security violation to be

restored automatically every 90 seconds if a security
violation is not present.
SW1(config)#int range fa 0/12 , fa0/18

SW1(config-if-range)#switchport port-security maximum 8
SW1(config-if-range)#switchport port-security mac-address sticky
SW1(config-if-range)#switchport port-security
SW1(config-if-range)#no switchport port-security
NOTE: If switchport port-security is left active, failover will FAIL
SW2(config)#int range fa 0/17 , fa 0/23
SW2(config-if-range)#switchport port-security mac-address sticky
SW2(config-if-range)#switchport port-securi
SW2(config-if-range)#no switchport port-security
SW2(config-if-range)#exit
Task 8.2
4 Points
121
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
On the ASA, deny any non-initial fragments on the 77

interface.
Rate limit Fraggle and Smurf attack traffic if the the
network of 192.168.2.0/24 is a source or destination of the
attack. Rate limit to 10,000bps.
ASA1(config)# fragment chain 1 77

!!!!!
R7#ping 3.3.3.3 size 1500
!!!!!
R7#ping 3.3.3.3 size 1501
.....
R7#
ASA1(config)# %ASA-4-209005: Discard IP fragment set with more than 1
elements: src = 2.77.2.7, dest = 3.3.3.3, proto = ICMP, id = 104
ASA1(config)#
ASA1(config)#access-list
echo
echo-reply
echo
echo-reply
echo
255.255.255.0
SMUGGLE permit ICMP any 192.168.2.0 255.255.255.0

SMUGGLE permit ICMP any 192.168.2.0 255.255.255.0
SMUGGLE permit ICMP 192.168.2.0 255.255.255.0 any
SMUGGLE permit ICMP 192.168.2.0 255.255.255.0 any
SMUGGLE permit udp any 192.168.2.0 255.255.255.0 eq
SMUGGLE permit udp any eq echo 192.168.2.0
ASA1(config)# class-map CMAP_SMUGGLE

ASA1(config-cmap)# match access-list SMUGGLE
ASA1(config-pmap)# class CMAP_SMUGGLE
ASA1(config-pmap-c)# police input 10000
ASA1(config-pmap-c)# police output 10000
122
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc
R5#ping 192.168.2.4 repeat 100

!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!
!.!!!!!!!!!!!!!!!!!!!!!!.!!!!!
R5#
Global policy:
Class-map: BGP_TRAFFIC
Set connection policy: random-sequence-number disable
drop 0
Set connection advanced-options: OPTION_19
Invalid ACK drops
: 0
IP TTL modified
: 0
TCP-options:
Class-map: CMAP_SMUGGLE
Input police Interface 11:
123
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

Output police Interface 11:
124
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.09.09.05.kb.r04.09.05.doc

ASA1(config)#
125
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
LAB 10
Instructions
cannot be changed.
often!
task.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Sections:
1.ASA Firewalls
2.IOS Firewalls
3.VPNs
4.IPS
7.Advanced Security
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
ACS PC
.101
R1
BB1
.99
VLAN 168
192.168.2.0
SW2
.11
VLAN 77
G0/0
VLAN 99
172.16.99.0
Inside
E0/0.v
DMZ1
E0/0.v
172.16.77.0
IPS C&C
.50
ASA1
VLAN 44
172.16.44.0
DMZ2
E0/0.v
R4
Outside
E0/0.v
R7
VLAN 22
24.234.22.0
VLAN 252
24.234.252.0
BB2
R2
.252
SW1
.11
EIGRP1
Frame Relay
24.234.100.0
Outside
E0/0.v
VLAN 111
24.234.111.0
R6
C1
Inside
E0/0.v
VLAN 121
24.234.121.0
R3
VLAN 222
24.234.222.0
Outside
E0/0.v
C2
Inside
E0/0.v
VLAN 88
172.16.88.0
VLAN 55
172.16.55.0
R8
R5

www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
SW1
Fa0/1
Fa0/0
R1
Fa0/1
Fa0/1
SW2
SW1
Fa0/2
Fa0/0
R2
Fa0/1
Fa0/2
SW2
SW1
Fa0/3
Fa0/0
R3
Fa0/1
Fa0/3
SW2
SW1
Fa0/4
Fa0/0
R4
Fa0/1
Fa0/4
SW2
SW1
Fa0/5
Fa0/0
R5
Fa0/1
Fa0/5
SW2
SW1
Fa0/6
Fa0/0
R6
Fa0/1
Fa0/6
SW2
SW1
Fa0/9
Fa0/0
BB1
Fa0/1
Fa0/9
SW2
SW1
Fa0/10
Fa0/0
BB2
Fa0/1
Fa0/10
SW2
SW1
Fa0/12
E0/0
E0/2
Fa0/12
SW2
Fa0/14
SW2
E0/3
Fa0/17
SW2
E0/2
Fa0/18
SW2
E0/3
Fa0/23
SW2
ASA01
Gi0/0: sense
SW1
Fa0/14
SW1
Fa0/17
E0/1
SW1
Fa0/18
E0/0
IDS
IDS
Gi0/1: c&c
ASA01
ASA02
SW1
E0/1
Fa0/23
ASA02
SW1
SW2
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Sensor Int.
G0/0
Fa1/0
Fa1/1
Fa1/2
Fa1/3
Connected to:
SW1 Fa0/14
SW3 Fa0/4
SW3 Fa0/3
SW3 Fa0/2
SW3 Fa0/1
Fas0/0
2811
SW3
SW4
Fas0/17
SW3
Fas0/19
Fas0/19
Fas0/20
Fas0/20
Fas0/1
R7
Fas0/17
SW4
ACS PC SW1 Fa0/24
192.168.2.101
Fas0/0
2811
Fas0/1
R8
SW3

192.168.2.102
Fas0/18
SW4
Fas0/18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

Task 1.1
4 Points

Name
Inside
Outside
DMZ1
DMZ2
Interface
E0/0.168
E0/0.22
E0/0.77
E0/0.44

Default
192.168.2.100/24
Default
24.234.22.100/24
50
172.16.77.100/24
50
172.16.44.100/24
VLAN
168
22
77
44

The EIGRP routers should have specific routes to the DMZ
networks.
Create a static route to the 22.22.22.0/24 network via R2.
accomplish this.
Task 1.2
4 Points

Context
c1
c1
c2
c2
Name
Inside
Outside
Inside
Outside
Interface
E0/0.88
E0/0.111
E0/0.55
E0/0.222
Sec-Level
50
50
Default
Default
IP Address
172.16.88.200/24
24.234.111.200/24
172.16.55.200/24
24.234.222.200/24
VLAN
88
111
55
222

5
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

next hop.
On c1, all traffic should be allowed in either direction.
Use only a single command to accomplish this.
Verify that the devices on the inside networks have
connectivity to the outside. You may inspect icmp to
accomplish this.
Task 1.3
4 Points

as 24.234.22.101
Hosts on the Inside of ASA1 should be able to reach
172.16.77.50 port 443 at the address 192.168.2.50 port
10443. This task will be verified in a later task.
Context c2 should require a NAT translation for any traffic
traversing it.
R5 should be reachable on the outside of c2 as 24.234.222.5
R8 should be able to telnet to R5 at the address
172.16.88.5.
Task 1.4
4 Points
Context c1 should ensure that ftp traffic passing through

it conforms to RFCs.
The ftp PUT command should not function.
http traffic should be allowed, but any containing .exe
case insensitive, should be dropped and logged.
Telnet connections through context c1 should be limited to
1 per client and be closed if they are idle for 5 minutes.
6
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

Task 2.1
4 Points
On R3, deny RFC 1918 addresses inbound on the fa0/0.121

interface
On the s0/0/0 interface, dynamically deny any spoofed IP
addresses. The denied packets should be logged.
The s0/0/0 interface should also deny any incoming
fragmented packets.
Task 2.2
4 Points
On R2, explicitly deny all traffic from the VLAN 252

network.
Permit return traffic for TCP, UDP and ICMP sessions from
any other network, with the following restrictions:
TCP sessions should allow no more than 100 half-open
connections before dropping them. The dropping should stop
when half-open connections go below 50.
TCP sessions should timeout after 10 seconds of idle time.
All TCP sessions should be logged.
Task 2.3
4 Points
On R4, there should never be more than 50 half open TCP

connections allowed.
If this occurs the half open connections should be dropped
in random order.
The dropping behavior should stop when half open
connections drop below 25.
7
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
You may not use CBAC to complete this task.

Task 2.4
4 Points
R2 should discover incoming protocols on both the fa0/0.22

and s0/0/0 interfaces.
It should drop any bittorent traffic seen incoming on the
fa0/0.22 interface.
Incoming http traffic should be dropped incoming on the
s0/0/0 interface regardless of the port it is on.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points
Configure R5 as an NTP server

Set the clock to pacific standard time
R8 should sync its time with R5
Set the clock on R8 to pacific standard time
Task 3.2
4 Points
Configure R1 as a CA server called CA1 with the following

settings:
o The server should allow auto enrollment via http.
o Certificates should be automatically granted.
o Certificate lifetime should be 30 days.
o The issuer name should be R1.ccbootcamp.com with a
o R1 should enroll with itself.
o Enroll R5 with the newly create CA.
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 3.3
4 Points
Create loopback 55 on R5 and loopback 88 on R8. The ip

address should be 55.55.55.55/24 on R5 and 88.88.88.88/24
on R8.
Create a site to site tunnel between R5 and R8 with the
following settings:
o Phase 1: AES, SHA, Group2, RSA-sig authentication
o Phase 2: AES, SHA
o Endpoints: fa0/0.yy interface on each router.
o Protected traffic: ICMP between the newly created
loopback addresses.
Verify that the tunnel is built and the traffic is being
encrypted.
Task 3.4
4 Points

o Key server: R2
o Crypto policy on server: ICMP between R8 fa0/0.88 and
SW1.
o IKE Phase 1: 3DES, SHA, group 2, pre-share
10
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Section 4: IPS
Task 4.1
4 Points

IP Address
Gateway
Managed by
172.16.77.50
172.16.77.100
192.168.2.101
Mgmt. SSL
port
443
ACS server. You may add a route to the ACS server to
accomplish this.
to it.
Task 4.2
4 Points

for fa1/1.
Task 4.3
4 Points
Find and modify a signature that will fire when echo

requests of 10000 bytes or larger are seen on VLAN77.
The signature should generate a medium severity alert.
11
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
If the pings are directed towards R7 no alert should be

generated. You may not modify the signature to accomplish
this.
Task 4.4
4 Points
Create a custom signature that will generate an alert when

the string cisco is seen in http traffic on VLAN 168.
If the target is R2, the connection should be reset. You
may not modify the signature to accomplish this.
12
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

Task 5.1
4 Points
Configure R2 so that telnet is never allowed on any

interface. You may not use an ACL or the control plane to
accomplish this.
SSH should be allowed to R2. Authenticate a username
admin with a password cisco on the ACS server.
One successful authentication, the admin user should be
automatically placed in privileged exec mode with access to
all commands.
Task 5.2
4 Points
Pings to R5 from the outside are currently denied by

context c2. They should be allowed, but only after
authentication via telnet.
The telnet address should be 24.234.222.50.
Authentication should occur using the ACS server.
Test by authenticating with the previously created admin
user.
Task 5.3
4 Points
Context c1 should allow SSH conections from R3 only. You

may not use an ACL to accomplish this.
Authenticate the connection with a local username of
sshuser and a password of cisco. This user should have
access to all commands.
If the SSH connection is idle for 1 minute it should be
dropped. You may not use MPF to accomplish this.
13
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

Task 6.1
4 Points
R3 should only allow management via telnet on the s0/0/0

interface. All other management connections should be
dropped. You may not use an ACL or MQC commands to
accomplish this.
14
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

Task 7.1
4 Points
Limit the total number of connections for context c1 to 20

Limit the total number of xlates to 15
No more than 1 ssh session at a time should be allowed to
c1. You may not use MPF commands to accomplish this.
Task 7.2
4 Points
On R2, telnet traffic from R1 should be prioritized and

guaranteed 10% of interface bandwidth on s0/0/0.
On R6, if this traffic is destined for R8 it should be
dropped. You may not apply an ACL directly to an interface
or use MQC commands to accomplish this.
15
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

Task 8.1
4 Points
An external website at 24.234.22.2 is using java applets

and activex to attack hosts on the inside of ASA1. Allow
the HTTP traffic, but remove the applets and activex. This
should only affect traffic sourced from the inside network.
Task 8.2
4 Points
R1 is launching ICMP attacks against R6. Use R3 to limit

this traffic to 8000 bps with a max burst of 2000. You are
not allowed to use MQC commands to accomplish this.
R6 is using spoofed IPs to attack BB2. Use R2 to drop and
log this traffic regardless of the spoofed IP used.
An internet worm uses IP option based exploits. Configure
R2 to drop traffic containing IP options regardless of the
interface the traffic is received on.
Solutions Guide begins on next page.
16
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

Task 1.1
4 Points

Name
Inside
Outside
DMZ1
DMZ2
Interface
E0/0.168
E0/0.22
E0/0.77
E0/0.44

Default
192.168.2.100/24
Default
24.234.22.100/24
50
172.16.77.100/24
50
172.16.44.100/24
VLAN
168
22
77
44

The EIGRP routers should have specific routes to the DMZ
networks.
Create a static route to the 22.22.22.0/24 network via R2.
accomplish this.
ASA1(config)#
ASA1(config-subif)#
ASA1(config-subif)#
ASA1(config-subif)#
17
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

ASA1(config-subif)#
ASA1(config-if)#
ASA1(config-router)# redistribute static
ASA1(config)#
ASA1(config)# route outside 22.22.22.0 255.255.255.0 24.234.22.2
ASA1(config)# route DMZ2 172.16.99.0 255.255.255.0 172.16.44.4
ASA1(config)#
Verification:
R4#ping 24.234.100.6
!!!!!
R4#ping 22.22.22.22
!!!!!
R2#sho ip route
route

172.16.55.0 [90/2172416] via 24.234.100.6, 00:17:38, Serial0/0/0
18
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
D
172.16.44.0 [90/28416] via 24.234.22.100, 00:01:47,
FastEthernet0/0.22
D EX
172.16.99.0
D
172.16.88.0 [90/2172416] via 24.234.100.6, 00:17:38, Serial0/0/0
D
172.16.77.0 [90/28416] via 24.234.22.100, 00:01:47,
FastEthernet0/0.22
C
C
D
24.234.121.0 [90/2172416] via 24.234.100.3, 00:20:30, Serial0/0/0
C
C
S
192.168.2.0/24 [1/0] via 24.234.22.100
19
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 1.2
4 Points

Context
c1
c1
c2
c2
Name
Inside
Outside
Inside
Outside
Interface
E0/0.88
E0/0.111
E0/0.55
E0/0.222
Security Level
50
50
Default
Default
IP Address
172.16.88.200/24
24.234.111.200/24
172.16.55.200/24
24.234.222.200/24

next hop.
On c1, all traffic should be allowed in either direction.
Use only a single command to accomplish this.
Verify that the devices on the inside networks have
connectivity to the outside. You may inspect icmp to
accomplish this.
ASA2(config)#
ASA2(config-if)#
ASA2(config-subif)#
ASA2(config-subif)#
ASA2(config-subif)#
ASA2(config-subif)#
20
www.ccbootcamp.com
Toll Free 877.654.2243
VLAN
88
111
55
222
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

ASA2(config)#
ASA2(config-ctx)#
ASA2(config-ctx)#
ASA2/c1(config)#
ASA2/c1(config-if)#
ASA2/c1(config-if)#
ASA2/c1(config)#
ASA2/c1(config)#
ASA2/c1(config)# same-security-traffic permit inter-interface
ASA2/c2(config)#
ASA2/c2(config-if)#
21
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

ASA2/c2(config-if)#
ASA2/c2(config)#
Verification:
R8#ping 24.234.22.2
!!!!!
R5#ping 24.234.22.2
!!!!!
R6#ping 172.16.88.8
!!!!!
22
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 1.3
4 Points

as 24.234.22.101
Hosts on the Inside of ASA1 should be able to reach
172.16.77.50 port 443 at the address 192.168.2.50 port
10443. This task will be verified in a later task.
Context c2 should require a NAT translation for any traffic
traversing it.
R5 should be reachable on the outside of c2 as 24.234.222.5
R8 should be able to telnet to R5 at the address
172.16.88.5.
ASA1(config)# static (DMZ1,inside) tcp 192.168.2.50 10443 172.16.77.50 443
ASA2/c2(config)#
ASA2/c1(config)# static (outside,inside) tcp 172.16.88.5 23 24.234.222.5 23
24.234.222.5 eq telnet
Verification:
ASA1(config)# sho xlate
Global 24.234.22.101 Local 192.168.2.101
PAT Global 192.168.2.50(10443) Local 172.16.77.50(443)
R8#telnet 172.16.88.5
Trying 172.16.88.5 ... Open

Password:
R5>
23
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 1.4
4 Points
Context c1 should ensure that ftp traffic passing through

it conforms to RFCs.
The ftp PUT command should not function.
http traffic should be allowed, but any containing .exe
case insensitive, should be dropped and logged.
Telnet connections through context c1 should be limited to
1 per client and be closed if they are idle for 5 minutes.
ASA2/c1(config)# class-map type inspect ftp PUT
ASA2/c1(config-cmap)# match request-command put
ASA2/c1(config)# policy-map type inspect ftp PUT
ASA2/c1(config-pmap)# class PUT
ASA2/c1(config-pmap-c)# reset
ASA2/c1(config)#
ASA2/c1(config)#
ASA2/c1(config)# regex EXE ".*\.[Ee][Xx][Ee]"
ASA2/c1(config)#
ASA2/c1(config)# class-map type inspect http EXE
ASA2/c1(config-cmap)# match request uri regex EXE
ASA2/c1(config)# policy-map type inspect http EXE
ASA2/c1(config-pmap)# class EXE
ASA2/c1(config)#
ASA2/c1(config)# access-list TELNET permit tcp any any eq telnet
ASA2/c1(config)# class-map TELNET
ASA2/c1(config-cmap)# match access-list TELNET
ASA2/c1(config)#
ASA2/c1(config-pmap-c)# inspect ftp strict PUT
ASA2/c1(config-pmap-c)# inspect http EXE
ASA2/c1(config-pmap)# class TELNET
ASA2/c1(config-pmap-c)# set connection per-client-max 1
ASA2/c1(config-pmap-c)# set connection timeout tcp 0:5:0
24
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Verification:
ASA2/c1# sho service-policy inspect ftp
Global policy:
Inspect: ftp strict PUT, packet 0, drop 0, reset-drop 0
class PUT
reset, packet 0
R8#copy http://24.234.22.2/test.ExE null:

%Error opening http://24.234.22.2/test.ExE (I/O error)
ASA2/c1# sho service-policy inspect http
Global policy:
Inspect: http EXE, packet 14, drop 1, reset-drop 0
protocol violations
packet 0
class EXE
drop-connection log, packet 1
%ASA-5-415006: HTTP - matched Class 22: EXE in policy-map EXE, URI matched Dropping connection from Inside:172.16.88.8/64770 to Outside:24.234.22.2/80
ASA2/c1# sho service-policy (output cut)
Class-map: TELNET
Set connection policy: per-client-max 1
current conns 0, drop 0
Set connection timeout policy:
tcp 0:05:00
25
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

Task 2.1
4 Points
On R3, deny RFC 1918 addresses inbound on the fa0/0.121

interface
On the s0/0/0 interface, dynamically deny any spoofed IP
addresses. The denied packets should be logged.
The s0/0/0 interface should also deny any incoming
fragmented packets.
R3(config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any
R3(config)#
R3(config)#
R3(config)#
R3(config)#access-list 103 deny ip any any fragments
R3(config)#
Verification:
SW1(config)#int l0
SW1(config-if)#exit
SW1(config)#exit
SW1#ping 24.234.100.3 so l0
.....
R3#sho access-lists
10 deny ip 172.16.0.0 0.15.255.255 any
20 deny ip 10.0.0.0 0.255.255.255 any (15 matches)
26
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
30 deny ip 192.168.0.0 0.0.255.255 any

40 permit ip any any
R6(config)#int l0
R6(config-if)#exit
R6(config)#exit
R6#ping 24.234.100.3 so l0
.....
-> 24.234.100.3 (0/0), 1 packet
R6#ping 24.234.100.3
!!!!!
R6#ping 24.234.100.3 size 3000
.....
27
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 2.2
4 Points
On R2, explicitly deny all traffic from the VLAN 252

network.
Permit return traffic for TCP, UDP and ICMP sessions from
any other network, with the following restrictions:
TCP sessions should allow no more than 100 half-open
connections before dropping them. The dropping should stop
when half-open connections go below 50.
TCP sessions should timeout after 10 seconds of idle time.
All TCP sessions should be logged.
R2(config)#access-list 101 deny ip any any
R2(config)#
R2(config)#ip inspect name CBAC tcp audit-trail on
R2(config)#ip inspect name CBAC tcp timeout 10
R2(config)#ip inspect name CBAC udp
R2(config)#
Verification:
BB2#telnet 24.234.22.100
Trying 24.234.22.100 ...
% Destination unreachable; gateway or host down
R6#telnet 24.234.252.252
Trying 24.234.252.252 ... Open

Password:
BB2>
(WAIT 10 SECONDS)
28
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
*May 13 17:43:12.491: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session:

*May 13 17:43:24.967: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator
(24.234.100.6:47702) sent 37 bytes -- responder (24.234.252.252:23) sent 75
bytes
29
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 2.3
4 Points
On R4, there should never be more than 50 half open TCP

connections allowed.
If this occurs the half open connections should be dropped
in random order.
The dropping behavior should stop when half open
connections drop below 25.
You may not use CBAC to complete this task.
behavior
behavior
R4(config)#ip tcp intercept drop-mode random
behavior
30
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 2.4
4 Points
R2 should discover incoming protocols on both the fa0/0.22

and s0/0/0 interfaces.
It should drop any bittorent traffic seen incoming on the
fa0/0.22 interface.
Incoming http traffic should be dropped incoming on the
s0/0/0 interface regardless of the port it is on.
R2(config)#class-map match-any TORRENT
R2(config-cmap)#match protocol bittorrent
R2(config)#policy-map TORRENT
R2(config-pmap)#class TORRENT
R2(config)#
R2(config-subif)#service-policy in TORRENT
R2(config)#
R2(config)#policy-map HTTP
R2(config)#
R2(config-if)#ip nbar protocol-discovery
R2(config-if)#service-policy in HTTP
Verification:
R2#sho ip nbar protocol-discovery (output cut)
FastEthernet0/0.22
Input
----Protocol
Packet Count
Byte Count
5min Bit Rate (bps)
------------------------ -----------------------eigrp
60
Output
-----Packet Count
Byte Count
5min Bit Rate (bps)
-----------------------31
31
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
4560
2418

FastEthernet0/0.22
Service-policy input: TORRENT
Class-map: TORRENT (match-any)
0 packets, 0 bytes
Match: protocol bittorrent
0 packets, 0 bytes
5 minute rate 0 bps
Drop
R6#copy http://24.234.22.2/test.com null:
%Error opening http://24.234.22.2/test.com (I/O error)
Serial0/0/0
5 minute rate 0 bps
drop
32
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Section 3: VPNs
Task 3.1
4 Points
Configure R5 as an NTP server

Set the clock to pacific standard time
R8 should sync its time with R5
Set the clock on R8 to pacific standard time
24.234.55.5 eq ntp
Verification:
address
ref clock
disp
~24.234.222.5
0.0.0.0
16
64
0
0.0
0.00
16000.
configured
33
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 3.2
4 Points
Configure R1 as a CA server called CA1 with the following

settings:
o The server should allow auto enrollment via http.
o Certificates should be automatically granted.
o Certificate lifetime should be 30 days.
o The issuer name should be R1.ccbootcamp.com with a
o R1 should enroll with itself.
o Enroll R5 with the newly create CA.
R5(config)#
R5(config)#
Password:
Re-enter password:
R5(cs-server)#exit
R5(config)#crypto pki trustpoint SELFCA

R5(config)#crypto pki authenticate SELFCA
34
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Fingerprint MD5: 9389B915 7F129503 7F5E9021 98DB0F55

Fingerprint SHA1: AA01C8C1 A84052C4 6B4D2A1A 74A6172D 23C4B2D4
R5(config)#crypto pki enroll SELFCA
%
Password:
Re-enter password:
% The 'show crypto ca certificate SELFCA verbose' commandwill show the
fingerprint.
R5(config)#
08A887AD C6B54E06 3AF82B18 8FA535BE
EB01A7BE F790750F BBFB0B46 2F6FBD65 D3B20CCA
Authority

24.234.222.5 eq www
ASA2/c1(config)# access-list FOR_PKI permit tcp host 172.16.88.8 host
24.234.222.5 eq www
ASA2/c1(config)# class-map FOR_PKI
ASA2/c1(config-cmap)# match access-list FOR_PKI
ASA2/c1(config)# policy-map FOR_PKI
ASA2/c1(config-pmap)# class FOR_PKI
ASA2/c1(config-pmap-c)# inspect http
ASA2/c1(config)# service-policy FOR_PKI interface inside
Fingerprint MD5: 9389B915 7F129503 7F5E9021 98DB0F55
Fingerprint SHA1: AA01C8C1 A84052C4 6B4D2A1A 74A6172D 23C4B2D4
35
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

%
Password:
version 2
Re-enter password:
% The subject name in the certificate will include: R8
fingerprint.
R8(config)#
907A7018 FD63A0C0 FB375E28 A5EA44F3
8E3E4C19 D56C2D32 669E2DA6 B4ACB0A9 649CA311
Authority
36
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 3.3
4 Points
Create loopback 55 on R5 and loopback 88 on R8. The ip

address should be 55.55.55.55/24 on R5 and 88.88.88.88/24
on R8.
Create a site to site tunnel between R5 and R8 with the
following settings:
o Phase 1: AES, SHA, Group2, RSA-sig authentication
o Phase 2: AES, SHA
o Endpoints: fa0/0.yy interface on each router.
o Protected traffic: ICMP between the newly created
loopback addresses.
Verify that the tunnel is built and the traffic is being
encrypted.
R5(config-if)#exit
R5(config)#crypto ipsec transform-set VPN esp-aes esp-sha-hmac
R5(config)#crypto map VPN 10 ipsec-isakmp
R5(config-crypto-map)#set transform-set VPN
R5(config-subif)#crypto map VPN
ASA2/c2(config)# access-list outside permit esp host 172.16.88.8 host
24.234.222.5
24.234.222.5 eq isakmp
24.234.222.5 eq 4500
37
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
R8(config-if)#exit
R8(config)#crypto ipsec transform-set VPN esp-aes esp-sha-hmac
R8(config)#crypto map VPN 10 ipsec-isakmp
R8(config-crypto-map)#set transform-set VPN
R8(config-subif)#crypto map VPN
Verification:
R8#ping 55.55.55.55 so 88.88.88.88
...!!
R8#
Crypto map tag: VPN, local addr 172.16.88.8
38
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 3.4
4 Points

o Key server: R2
o Crypto policy on server: ICMP between R8 fa0/0.88 and
SW1.
o IKE Phase 1: 3DES, SHA, group 2, pre-share
R2(config)#crypto key generate rsa mod 1024
R2(config)#
R2(config)#
R2(config)#crypto ipsec transform-set GET esp-aes esp-sha-hmac
R2(config)#
R2(config)#crypto ipsec profile GET
R2(config)#
R2(config)#
39
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

R6(config)#
R6(config)#
R6(config)#
R6(config-if)#
*May 14 00:23:03.279: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*May 14 00:23:03.847: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GET transitioned to
Unicast Rekey.
*May 14 00:23:03.979: %GDOI-5-GM_REGS_COMPL: Registration to KS 24.234.100.2
R3(config)#
R3(config)#
R3(config)#
R3(config-if)#
*May 14 00:26:55.959: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON
*May 14 00:26:56.523: %GDOI-5-GM_REKEY_TRANS_2_UNI: Group GET transitioned to
Unicast Rekey.
*May 14 00:26:56.659: %GDOI-5-GM_REGS_COMPL: Registration to KS 24.234.100.2
40
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Verification:
R8#ping 24.234.121.11
.!!!!

41
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Section 4: IPS
Task 4.1
4 Points

IP Address
Gateway
Managed by
172.16.77.50
172.16.77.100
192.168.2.101
Mgmt. SSL
port
443
ACS server. You may add a route to the ACS server to
accomplish this.
to it.
sensor# setup
(cut)
4 21:24:15 2009

Enter web-server port[443]:443
No entries
Permit: 192.168.2.101/32
42
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Permit:
(cut)
43
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
44
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
45
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
46
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 4.2
4 Points

for fa1/1.
SW1(config)#
SW1(config)#monitor session 1
SW1(config)#
SW3(config)#
SW3(config)#
SW3(config-if)#sw access vlan
source VLAN 77
destination remote VLAN 253
source VLAN 168
destination remote VLAN 254

destination interface fa0/4
destination interface fa0/3
168
47
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
48
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 4.3
4 Points
49
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Find and modify a signature that will fire when echo

requests of 10000 bytes or larger are seen on VLAN77.
The signature should generate a medium severity alert.
If the pings are directed towards R7 no alert should be
generated. You may not modify the signature to accomplish
this.
50
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
51
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Verification:
52
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
ASA1# ping 172.16.77.11 size 10000

!!!!!
53
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
ASA1# ping 172.16.77.7 size 10000

!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/10/20 m
Note that event number 20 is still the last event, no new alerts were
generated by the large ping to 172.16.77.7.
54
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 4.4
4 Points
Create a custom signature that will generate an alert when

the string cisco is seen in http traffic on VLAN 168.
If the target is R2, the connection should be reset. You
may not modify the signature to accomplish this.
55
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
56
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Verification:
R1#copy http://24.234.100.6/cisco null:
%Error opening http://24.234.100.6/cisco (Unknown error -1)
R1#copy http://24.234.22.2/cisco null:
%Error opening http://24.234.22.2/cisco (I/O error)
57
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

Task 5.1
4 Points
Configure R2 so that telnet is never allowed on any

interface. You may not use an ACL or the control plane to
accomplish this.
SSH should be allowed to R2. Authenticate a username
admin with a password cisco on the ACS server.
One successful authentication, the admin user should be
automatically placed in privileged exec mode with access to
all commands.
R2(config)#aaa authentication login ACS group tacacs+
R2(config)#aaa authorization exec ACS group tacacs+
R2(config)#
R2(config)#
R2(config-line)#no transport input
R2(config-line)#login authentication ACS
R2(config-line)#authorization exec ACS
58
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

24.234.22.101 eq tacacs
Verification:
R6#telnet 24.234.100.2
Trying 24.234.100.2 ...
R6#ssh -l admin 24.234.100.2

Password: cisco
R2#
59
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 5.2
4 Points
Pings to R5 from the outside are currently denied by

context c2. They should be allowed, but only after
authentication via telnet.
The telnet address should be 24.234.222.50.
Authentication should occur using the ACS server.
Test by authenticating with the previously created admin
user.
ASA2/c2(config-aaa-server-group)# exit
ASA2/c2(config)# aaa-server ACS (outside) host 24.234.22.101
ASA2/c2(config)# access-list VIR_TEL permit icmp any host 24.234.222.5
ASA2/c2(config)# access-list VIR_TEL permit tcp any host 24.234.222.50 eq
telnet
ASA2/c2(config)# aaa authentication match VIR_TEL outside ACS
ASA2/c2(config)#
ASA2/c2(config)# virtual telnet 24.234.222.50
ASA2/c2(config)# access-list outside permit icmp any host 24.234.222.5
ASA2/c2(config)# access-list outside permit tcp any host 24.234.222.50 eq
telnet
24.234.22.101 eq tacacs
60
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Verification:
R6#ping 24.234.222.5
.....
R6#telnet 24.234.222.50
Trying 24.234.222.50 ... Open
Username: admin
Password:

R6#ping 24.234.222.5
!!!!!
61
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 5.3
4 Points
Context c1 should allow SSH conections from R3 only. You

may not use an ACL to accomplish this.
Authenticate the connection with a local username of
sshuser and a password of cisco. This user should have
access to all commands.
If the SSH connection is idle for 1 minute it should be
dropped. You may not use MPF to accomplish this.
ASA2/c1(config)# crypto key generate rsa mod 1024
ASA2/c1(config)# username sshuser password cisco privilege 15
ASA2/c1(config)# ssh 24.234.100.3 255.255.255.255 outside
ASA2/c1(config)# aaa authentication ssh console LOCAL
ASA2/c1(config)# ssh timeout 1
Verification:
R3#ssh -l sshuser 24.234.111.200
Password: cisco
ASA2/c1> en
Password:
ASA2/c1#
(leave idle for 1 minute)
62
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

Task 6.1
4 Points
R3 should only allow management via telnet on the s0/0/0

interface. All other management connections should be
dropped. You may not use an ACL or MQC commands to
accomplish this.
R3(config-cp-host)#management-interface s0/0/0 allow telnet
R3(config-cp-host)#
*May 14 23:30:05.003: %CP-5-FEATURE: Management-Interface feature enabled on
Control plane host path
Verification:
R2#telnet 24.234.100.3
Trying 24.234.100.3 ... Open

Password:
R3>
R3#sho control-plane host counters

Control plane host path counters :
Feature
Packets Processed/Dropped/Errors
63
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
-------------------------------------------------------Management-Interface
40/3/0
--------------------------------------------------------
64
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

Task 7.1
4 Points
Limit the total number of connections for context c1 to 20

Limit the total number of xlates to 15
No more than 1 ssh session at a time should be allowed to
c1. You may not use MPF commands to accomplish this.
ASA2(config)# class c1
ASA2(config-class)# limit-resource conns 20
ASA2(config-class)# limit-resource xlates 15
ASA2(config-class)# limit-resource ssh 1
ASA2(config-class)# context c1
ASA2(config-ctx)# member c1
65
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 7.2
4 Points
On R2, telnet traffic from R1 should be prioritized and

guaranteed 10% of interface bandwidth on s0/0/0.
On R6, if this traffic is destined for R8 it should be
dropped. You may not apply an ACL directly to an interface
or use MQC commands to accomplish this.
R2(config)#access-list 105 permit tcp host 192.168.2.1 any eq telnet
R2(config)#
R2(config)#class-map match-all R1_TELNET
R2(config)#policy-map R1_TELNET
R2(config-pmap)#class R1_TELNET
R2(config-if)#service-policy out R1_TELNET
telnet
R6(config)#
R6(config)#route-map BAD_TELNET permit 10
R6(config-route-map)#set interface null0
R6(config-route-map)#
R6(config-route-map)#int s0/0/0
R6(config-if)#ip policy route-map BAD_TELNET
Verification:
R1#telnet 24.234.100.3
Trying 24.234.100.3 ... Open

Password:
R3>
66
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
R2#sho policy-map interface s0/0/0 (output cut)

Serial0/0/0
Service-policy output: R1_TELNET
Class-map: R1_TELNET (match-all)
Queueing
Strict Priority
Bandwidth 10 (%)
R1#telnet 172.16.88.8
Trying 172.16.88.8 ...
R6#sho route-map
route-map BAD_TELNET, permit, sequence 10
Match clauses:
ip address (access-lists): 101
Set clauses:
interface Null0
Policy routing matches: 4 packets, 192 bytes
67
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc

Task 8.1
4 Points
An external website at 24.234.22.2 is using java applets

and activex to attack hosts on the inside of ASA1. Allow
the HTTP traffic, but remove the applets and activex. This
should only affect traffic sourced from the inside network.
ASA1(config)# filter activex 0 192.168.2.0 255.255.255.0 24.234.22.2
255.255.255
ASA1(config)# filter java 0 192.168.2.0 255.255.255.0 24.234.22.2
255.255.255.255
68
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Task 8.2
4 Points
R1 is launching ICMP attacks against R6. Use R3 to limit

this traffic to 8000 bps with a max burst of 2000. You are
not allowed to use MQC commands to accomplish this.
R6 is using spoofed IPs to attack BB2. Use R2 to drop and
log this traffic regardless of the spoofed IP used.
An internet worm uses IP option based exploits. Configure
R2 to drop traffic containing IP options regardless of the
interface the traffic is received on.
R2(config-if)#rate-limit output access-group 110 8000 2000 2000 conformaction transmit exceed-action drop
69
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Verification:
!!.!.!.!.!
R2#sho int rate-limit
Serial0/0/0
Output
matches: access-group 110
params: 8000 bps, 2000 limit, 2000 extended limit
conformed 16 packets, 15244 bytes; action: transmit
exceeded 4 packets, 5036 bytes; action: drop
last packet: 14960ms ago, current burst: 1276 bytes
last cleared 00:00:44 ago, conformed 2000 bps, exceeded 0 bps
R6#ping 24.234.22.2 so l0
.....
R2#
-> 24.234.22.2 (0/0), 1 packet
R1#ping
Protocol [ip]:
Repeat count [5]:
>>Current pointer<<
70
www.ccbootcamp.com
Toll Free 877.654.2243
www.CareerCert.info

s.a.lab.10.09.05.sm.r04.09.05.doc
Time= 00:00:00.000 UTC (00000000)

Time= 00:00:00.000 UTC (00000000)
Time= 00:00:00.000 UTC (00000000)
Request
Request
Request
Request
Request
Success
0 timed
1 timed
2 timed
3 timed
4 timed
rate is
out
out
out
out
out
0 percent (0/5)
71
www.ccbootcamp.com
Toll Free 877.654.2243

CCIE Security Advanced Lab Workbook Version 3.0 PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCIE Security Advanced Lab Workbook Version 3.0 PDF

Uploaded by

Copyright:

Available Formats

www.CareerCert.

For questions about this workbook please visit: www.securityie.com

For questions: www.securityie.com

For questions: www.securityie.com

For questions: www.securityie.com

XP Test PC SW2 Fa0/16

For questions: www.securityie.com

For questions: www.securityie.com

For questions: www.securityie.com

Section 1: ASA Firewalls

Allow SSH management on the inside interface of c1 from the

For questions: www.securityie.com

On c2, permit all ingress traffic on the inside interface

Configure failover, using the system addresses +5 for the

For questions: www.securityie.com

Configure R3 with CBAC. Provide RFC 1918 spoof protection

Log all denied packets, individually, along with CBAC

On R2, prevent the backbone from spoofing. Implement a

For questions: www.securityie.com

On R5, explicitly deny ICMP from 50.50.4.101 to 50.50.235.2

Explicitly require HTTP authentication using ACS TACACS at

For questions: www.securityie.com

Configure R1 as a CA and NTP server reachable at its

Configure DMVPN using the following:

o Only traffic between each Loopback 2, 24 bit network

For questions: www.securityie.com

Create Loopback 3 interface on R7 using 10.3.0.7/24

Protect ICMP traffic between 192.168.0.0/16 and

For questions: www.securityie.com

Configure the Sensor per the diagram with the default

Configure the default virtual sensor and the following:

vs1 using the folling:

o Inline VLAN pair using G0/0 and VLAN 5 and 55

For questions: www.securityie.com

Configure the vs2 in promiscuous mode using the following:

For questions: www.securityie.com

Configure the default virtual sensor so that when an ICMP

Configure virtual sensor 1 to be capable of deep packet

For questions: www.securityie.com

Allow users on VLAN 2 to authenticate via 50.50.4.105 on c1

On R7, allow a user named r7-user with a password of

For questions: www.securityie.com

command, he should only view the available interfaces,

Require 802.1x authentication on SW3, port FA0/18. Set up

For questions: www.securityie.com

Control/Management Plane Security

On R4, apply a QoS policy for aggregate CP services for

For questions: www.securityie.com

For questions: www.securityie.com

Task 7.2 (Firewall Based)

On c2, do not permit MSN games or MSN webcam traffic to go

For questions: www.securityie.com

Network Attack Mitigation

Configure R2 to not follow any embedded routing information

For questions: www.securityie.com

On c1, prevent VLAN 2 hosts from spoofing source addresses

For questions: www.securityie.com

Section 1: ASA Firewalls

Configure the ASA as shown in the diagram. Use the default

SW1(config)#interface range fa0/12, fa0/18

SW2(config)#int range fa 0/12, fa 0/18

ciscoasa(config)# show mode