Scribd Logo
Upload

Welcome to Scribd!

  • 11.3.1.2 CCNAS Configs

    Uploaded by

    eric
    1K views7 pages
    11.3.1.2 CCNA Security v2 Comprehensive Lab configs

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    11.3.1.2 CCNA Security v2 Comprehensive Lab configs

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    1K views7 pages

    11.3.1.2 CCNAS Configs

    Uploaded by

    eric
    11.3.1.2 CCNA Security v2 Comprehensive Lab configs

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 7

    host R1

    no ip domain-lookup

    int g0/0
    ip add 209.165.200.225 255.255.255.248
    no shut

    int s0/0/0
    ip add 10.1.1.1 255.255.255.252
    clock rate 128000
    no shut

    int lo1
    ip add 172.20.1.1 255.255.255.0

    ip route 0.0.0.0 0.0.0.0 s0/0/0

    security passwords min-length 10


    service password-encryption
    banner motd $UNAUTHORISED ACCESS IS STRICTLY PROHIBITED AND PROSECUTED TO THE FULL
    EXTENT OF THE LAW!$
    enable algorithm-type scrypt secret cisco12345

    username Admin01 privilege 15 algorithm-type scrypt secret Admin01pa55

    aaa new-model
    aaa authentication login default local-case enable

    line con 0
    privilege level 15
    exec-timeout 15 0
    logging synchronous
    login authentication default
    exi

    line vty 0 4
    privilege level 15
    exec-timeout 15 0
    logging synchronous
    transport input ssh
    login authentication default
    exi

    login on-success log


    login on-failure log every 2
    do show login

    ip http server
    ip http authentication local

    ip domain-name ccnasecurity.com
    crypto key generate rsa general-keys modulus 1024

    ip ssh version 2
    ip ssh time-out 90
    ip ssh authentication-retries 2

    login block-for 60 attempts 2 within 30


    login on-failure log

    secure boot-image
    secure boot-config
    do show secure bootset
    no secure boot-image
    no secure boot-config

    ntp authenticate
    ntp authentication-key 1 md5 NTPpassword
    ntp trusted-key 1
    ntp server 10.1.1.2
    ntp update-calendar
    do show ntp associations
    do show ntp status

    ===============================================================================

    host R2

    no ip domain-lookup

    int s0/0/0
    ip add 10.1.1.2 255.255.255.252
    no shut

    int s0/0/1
    ip add 10.2.2.2 255.255.255.252
    clock rate 128000
    no shut

    ip route 209.165.200.224 255.255.255.248 s0/0/0


    ip route 172.16.3.0 255.255.255.0 s0/0/1
    ip route 172.20.1.0 255.255.255.0 s0/0/0

    do show clock
    do clock set 10:30:00 July 14 2017
    do show clock

    ntp authenticate
    ntp authentication-key 1 md5 NTPpassword
    ntp trusted-key 1
    ntp master 3

    ===============================================================================

    host R3

    no ip domain-lookup

    int f0/1
    ip add 172.16.3.1 255.255.255.0
    no shut

    int s0/0/1
    ip add 10.2.2.1 255.255.255.252
    no shut

    ip route 0.0.0.0 0.0.0.0 s0/0/1


    security passwords min-length 10
    service password-encryption
    banner motd $UNAUTHORISED ACCESS IS STRICTLY PROHIBITED AND PROSECUTED TO THE FULL
    EXTENT OF THE LAW!$
    enable algorithm-type scrypt secret cisco12345

    username Admin01 privilege 15 algorithm-type scrypt secret Admin01pa55

    aaa new-model
    aaa authentication login default local-case enable

    line con 0
    privilege level 15
    exec-timeout 15 0
    logging synchronous
    login authentication default
    exi

    line vty 0 4
    privilege level 15
    exec-timeout 15 0
    logging synchronous
    transport input ssh
    login authentication default
    exi

    login on-success log


    login on-failure log every 2

    ip http server
    ip http authentication local

    ip domain-name ccnasecurity.com
    crypto key generate rsa general-keys modulus 1024

    ip ssh version 2
    ip ssh time-out 90
    ip ssh authentication-retries 2

    ntp authenticate
    ntp authentication-key 1 md5 NTPpassword
    ntp trusted-key 1
    ntp server 10.2.2.2
    ntp update-calendar
    do show ntp associations
    do show ntp status

    service timestamps log datetime msec


    logging 172.16.3.3

    logging trap 4
    do show logging

    zone security INSIDE


    zone security OUTSIDE

    class-map type inspect match-any INSIDE_PROTOCOLS


    match protocol tcp
    match protocol udp
    match protocol icmp
    exi

    policy-map type inspect INSIDE_TO_OUTSIDE


    class type inspect INSIDE_PROTOCOLS
    inspect
    exi
    exi

    zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE


    service-policy type inspect INSIDE_TO_OUTSIDE

    int f0/1
    zone-member security INSIDE

    int s0/0/1
    zone-member security OUTSIDE
    exi
    exi

    show zone-pair security


    show policy-map type inspect zone-pair
    show zone security

    conf t
    crypto isakmp enable
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2

    crypto isakmp key Site2SiteKEY1 address 209.165.200.226


    do show crypto isakmp policy

    crypto ipsec transform-set TRNSFRM-SET esp-aes 256 esp-sha-hmac

    ip access-list extended 101


    permit ip 172.16.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    exi

    crypto map CMAP 1 ipsec-isakmp


    match address 101
    set transform-set TRNSFRM-SET
    set peer 209.165.200.226

    int s0/0/1
    crypto map CMAP
    end

    show crypto map


    show crypto ipsec sa

    !delete flash:ipsdir/*
    mkdir ipsdir

    conf t
    crypto key pubkey-chain rsa
    named-key realm-cisco.pub signature
    key-string
    30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
    00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
    17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
    B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
    5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
    FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
    50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
    006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
    2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
    F3020301 0001
    quit
    exit
    exit

    ip ips config location flash:/ipsdir/


    ip ips notify SDEE
    ip ips name IOSIPS

    ip ips signature-category
    category all
    retired true
    exi
    category ios_ips basic
    retired false
    exi
    exi

    int s0/0/1
    ip ips IOSIPS in
    exi
    exi

    copy tftp://172.16.3.3/IOS-S988-CLI.pkg idconf

    ===============================================================================

    host S1

    no ip domain-lookup

    int vlan1
    ip add 192.168.2.11 255.255.255.0
    no shut
    ip default-gateway 192.168.2.1

    no ip http server
    no ip http secure-server

    enable algorithm-type scrypt secret cisco12345


    banner motd $UNAUTHORISED ACCESS IS STRICTLY PROHIBITED$

    ip domain-name ccnasecurity.com
    username Admin01 privilege 15 algorithm-type scrypt secret Admin01pa55
    service password-encryption
    crypto key generate rsa general-keys modulus 1024
    ip ssh version 2
    ip ssh time-out 90
    ip ssh authentication-retries 2

    line con 0
    privilege level 15
    exec-timeout 5 0
    logging synchronous
    login local
    exi

    line vty 0 4
    privilege level 15
    exec-timeout 5 0
    logging synchronous
    transport input ssh
    login local
    exi

    int f0/6
    switchport mode access
    switchport nonegotiate
    switchport port-security
    switchport port-security maximum 1
    switchport port-security mac-address sticky
    switchport port-security violation shutdown
    spanning-tree portfast
    spanning-tree portfast bpduguard default
    int range f0/1-5
    shut
    spanning-tree guard loop
    int range f0/7-23
    shut
    spanning-tree guard loop

    ===============================================================================

    host S2

    no ip domain-lookup

    int vlan1
    ip add 192.168.1.11 255.255.255.0
    no shut
    ip default-gateway 192.168.1.1

    ===============================================================================

    host S3

    no ip domain-lookup

    int vlan1
    ip add 172.16.3.11 255.255.255.0
    no shut
    ip default-gateway 172.16.3.1

    ===============================================================================
    hostname ASA

    int vlan1
    nameif inside
    ip address 192.168.1.1 255.255.255.0
    security-level 100
    no shut

    int vlan2
    nameif outside
    ip address 209.165.200.226 255.255.255.248
    security-level 0
    no shut

    int vlan3
    no forward int vlan 1
    nameif dmz
    ip address 192.168.2.1 255.255.255.0
    security-level 70
    no shut

    int e0/0
    switchport access vlan 2
    no shut

    int e0/1
    switchport access vlan 1
    no shut

    int e0/2
    switchport access vlan 3
    no shut

    sh inter ip b
    sh ip add
    sh switch vlan

    http server enable


    http 192.168.1.0 255.255.255.0 inside

    You might also like