
ISCW

Implementing Secure Converged Wide Area Networks Version 1.0

Lab Guide

Editorial, Production, and Graphic Services: 07.21.06


Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100

European Headquarters Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cisco.com Tel: 31 0 20 357 1000 Fax: 31 0 20 357 1100

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-7660 Fax: 408 527-0883

Asia Pacific Headquarters Cisco Systems, Inc. 168 Robinson Road #28-01 Capital Tower Singapore 068912 www.cisco.com Tel: +65 6317 7777 Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Website at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Cyprus • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

© 2006 Cisco Systems, Inc. All rights reserved. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access

Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED “AS IS.” CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.


ISCW

Lab Guide

Overview

This guide presents the instructions and other information concerning the lab activities for this course. You can find the solutions in the lab activity Answer Key.

Outline

This guide includes these activities:

Lab 2-1: E-Lab: Configuring DSL

Lab 3-1: Configuring Frame Mode MPLS

Lab 4-1: Configuring Site-to-Site IPsec VPNs

Lab 4-2: Configuring GRE Tunnels over IPsec Using SDM

Lab 4-3: Configuring IPsec VPN to Back Up a WAN Connection

Lab 4-4: Configuring Cisco Easy VPN Server Using SDM

Lab 5-1: Securing Cisco Routers

Lab 5-2: Securing Cisco Router Management

Lab 5-3: Configuring AAA Login Authentication and Exec Authorization on Cisco Routers

Lab 6-1: Configuring a Cisco IOS Firewall

Lab 6-2: Configuring Cisco IOS IPS

Lab 6-3: Troubleshooting Security

Answer Key


Lab 2-1: E-Lab: Configuring DSL

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will configure the Cisco 837 router as the PPPoE client for end users connected behind its Ethernet 0 interface. After completing this activity, you will be able to meet these objectives:

Perform a simulated install procedure

Perform a simulated configuration of a Cisco 837 router for NAT with PPPoE

Visual Objective

The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 2-1: E-Lab: Configuring DSL

Scenario

This simulation provides practice configuring a Cisco ADSL router for connectivity to an ISP using PPPoE. In addition, you must configure DHCP services for IP addressing of the local PCs at the teleworker's location, and basic PAT must be configured. Use this information to complete the simulation:

Use the PVC number provided in the simulation.

A dynamic IP address is assigned by the ISP.

2 Implementing Secure Converged Wide Area Networks (ISCW) v1.0 © 2006 Cisco Systems, Inc.


Use the network provided in the simulation for the private network. Use CHAP authentication with these credentials:

— Hostname: provided in the simulation

— Password: provided in the simulation

Import to the local PC devices all DHCP parameters provided by the ISP.

Required Resources

This is the resource that is required to complete this activity:

The DSL Standalone.zip archive containing all the files for the simulation

Command List

The table describes the commands that are used in this activity.

Cisco IOS Commands

Command
    Description

configure terminal
    Enters global configuration mode.

ip dhcp pool name
    Configures a DHCP address pool on a DHCP server and enters DHCP pool configuration mode.

network network-number [mask | prefix-length]
    Configures the subnet number and mask for a DHCP address pool on a Cisco IOS DHCP server.

default-router address [address2...address8]
    Specifies the default router list for a DHCP client.

import all
    Imports DHCP option parameters into the DHCP server database.

interface type number [name-tag]
    Configures an interface type and enters interface configuration mode.

ip address negotiated [previous]
    Specifies that the IP address for a particular interface is obtained via PPP/IPCP address negotiation.

encapsulation encapsulation-type
    Sets the encapsulation method used by the interface.

ppp chap hostname hostname
    Creates a pool of dialup routers that all appear to be the same host when authenticating with CHAP.

ppp chap password secret
    Enables a router calling a collection of routers that do not support this command (such as routers running older Cisco IOS software images) to configure a common CHAP secret password to use in response to challenges from an unknown peer.

mtu bytes
    Adjusts the maximum packet size or MTU size.

dialer pool number
    Specifies, for a dialer interface, which dialing pool to use to connect to a specific destination subnetwork.

pvc [name] vpi/vci
    Creates or assigns a name to an ATM permanent virtual circuit (PVC) and enters ATM VC configuration mode.

pppoe-client dial-pool-number number
    Configures a PPPoE client and specifies DDR functionality.


access-list access-list-number {deny | permit} source [source-wildcard] [log]
    Defines a standard IP ACL.

ip nat inside source {list {access-list-number | access-list-name} | route-map name} {interface type number | pool name} [mapping-id map-id | overload | reversible | vrf name]
    Enables NAT of the inside source address.

ip nat outside source {list {access-list-number | access-list-name} | route-map name} pool pool-name [add-route | mapping-id map-id | vrf name]
    Enables NAT of the outside source address.

ip tcp adjust-mss max-segment-size
    Adjusts the maximum segment size (MSS) value of TCP synchronize (SYN) packets going through a router.

ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [dhcp] [distance] [name] [permanent | track number] [tag tag]
    Establishes static routes.

Job Aids

No job aids are needed to complete the lab activity.


Task 1: Configure PPPoE over DSL

Step 1 Configure the ATM interface.

Step 2 Configure a PVC using the assigned VPI/VCI under the ATM 0 interface.

Step 3 Configure the PVC for PPPoE client operation.

Step 4 Enable the ATM0 interface (no shutdown).

Step 5 Configure the Dialer0 interface.

Step 6 Configure IP address negotiation.

Step 7 Configure PPP encapsulation.

Step 8 Configure the CHAP username.

Step 9 Configure the CHAP hostname.

Step 10 Configure the MTU.

Step 11 Assign the Dialer0 interface to the proper dialer pool.

Step 12 Configure the 827 as the DHCP server for the end users connected behind its Ethernet0 interface.

Step 13 Configure the DHCP pool with the proper network range.

Step 14 Configure the default router.

Step 15 Import all DHCP parameters.

Step 16 Configure PAT.

Step 17 The Ethernet0 interface is the inside interface.

Step 18 The Dialer0 interface is the outside interface.

Step 19 Configure the proper ip nat inside source statement.

Step 20 Configure an ACL to permit all traffic sourced from the Ethernet0 network.

Step 21 Adjust the TCP maximum segment size of the Ethernet0 interface to 1452.

Step 22 Configure a static default route pointing toward the Dialer0 interface.

Step 23 Use the show ip route command to examine the IP address assigned to the Dialer0 interface and the IP address of the aggregation router.
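The 23 steps above, collected into one Cisco 837 configuration as an added example (this is not the simulation's answer key). The PVC 8/35, the private network 192.168.1.0/24, the CHAP credentials and the 1492-byte dialer MTU are constructed placeholders, chosen because they are the usual PPPoE values; in the simulation, use the PVC, network and credentials it provides.

```cisco
! Added example: Cisco 837 as PPPoE client with DHCP server and PAT.
! PVC 8/35, the 192.168.1.0/24 LAN and the CHAP credentials are
! constructed placeholders; substitute the values the simulation provides.
!
! Steps 1-4: ATM0 carries the PVC; the PVC hands PPPoE to dialer pool 1.
interface ATM0
 no ip address
 no shutdown
 pvc 8/35
  pppoe-client dial-pool-number 1
!
! Steps 5-11: Dialer0 terminates PPP, learns its address through IPCP,
! authenticates with CHAP and uses an MTU of 1492 (1500 minus the
! 8-byte PPPoE header), so the ISP never sees oversized PPP frames.
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname ISP-USERNAME
 ppp chap password ISP-PASSWORD
 mtu 1492
!
! Steps 12-15: DHCP for the LAN; import all copies the options the ISP
! supplied over IPCP (DNS servers, for example) into this pool.
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 import all
!
! Steps 16-18, 21: Ethernet0 is the inside interface. Clamping the MSS to
! 1452 keeps end-host TCP segments inside the 1492-byte PPPoE path
! (1452 + 20 IP + 20 TCP = 1492), so they are never fragmented or dropped.
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
!
! Steps 19-20: ACL 1 selects only the LAN as translation candidates;
! overload gives PAT on whatever address Dialer0 negotiated.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Step 22: default route out of the dialer interface.
ip route 0.0.0.0 0.0.0.0 Dialer0
```

For Step 23, once the PPP session is up, show ip route lists the negotiated address of Dialer0 and the aggregation router's address as directly connected /32 routes on Dialer0. The ACL deliberately permits only the LAN prefix: a permit any here would translate and forward traffic that arrives on the outside with a private source, which the ISP link should never carry.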


Lab 3-1: Configuring Frame Mode MPLS

Complete this lab activity to practice what you learned in the related module.

Visual Objective

This section contains information about your laboratory setup, details of the physical and logical connectivity in the laboratory, and information about the addressing scheme and IGP routing. Each pod will contain the router types defined in the table. Each pod is independent of other pods (that is, pods do not interact). Two learners are usually assigned to one pod. The addressing scheme of the pods differs, which is indicated with an x. The x should always be replaced by the pod number.

The names of all routers in your pod follow the naming convention detailed in this table.

Router Naming Convention

Router Name
    Description

HQ
    Provider access router, which in a real network connects to customer routers. This router represents access to the provider network.

Branch
    Provider core router, which in a real network has no connection to customer routers.

ISP
    Provider router, which connects different sites. Learners have no access to this router.

The first serial interface of the branch router is connected back-to-back to the ISP router. The DCE side is on the ISP router. The second FastEthernet interface of the HQ router is connected to the second FastEthernet interface of the branch router.

Visual Objective for Lab 3-1: Configuring Frame Mode MPLS


The IP addressing of the routers has been performed using the allocation scheme detailed in the IP host address table.

IP Host Address (Where x Is the Pod Number)

Router Interface IP Address

HQ (Loopback0) 10.0.x.1/32

HQ (Fa0/0) Public IP address (172.31.1.1 was used as an example in this document)

HQ (Fa0/1) 10.2.x.1/24

Branch (Loopback0) 10.0.x.2/32

Branch (Fa0/1) 10.2.x.2/24

Branch (S0/0/0) 10.5.x.2/24

ISP (Loopback) 10.10.10.10/24

ISP (Serial) 10.5.x.10/24

Workstation Public IP address

Note This addressing scheme has been selected for ease of use in the labs; it does not optimize the use of the address space.

EIGRP is used as the routing protocol between routers. The EIGRP routing configuration on the HQ router is shown in this printout:

router eigrp 1
 redistribute connected
 passive-interface Loopback0
 network 10.0.0.0
 no auto-summary

The EIGRP routing configuration on the branch router is shown in this printout:

router eigrp 1
 passive-interface FastEthernet0/0
 passive-interface Loopback0
 network 10.0.0.0
 no auto-summary

Activity Objective

MPLS can be enabled in service provider core networks to prepare the network core for MPLS services such as MPLS VPNs and MPLS-TE. Enabling basic MPLS functionality within the service provider environment involves enabling CEF and a label distribution protocol: LDP, TDP or, in certain cases, both.

In this activity, your network has become an extension of an existing ISP’s MPLS network. You will configure and verify Frame Mode MPLS on your IOS routers to link your network into the ISP’s network. After completing this activity, you will be able to meet these objectives:

Enable IP CEF

Enable MPLS on a Frame Mode interface

Configure the MTU size

The figure illustrates what you will accomplish in this activity.

Visual Objective for Lab 3-1: Configuring Frame Mode MPLS

Required Resources

This is the resource required to complete this activity:

Cisco IOS documentation

Command List

The table describes the commands that are used in this activity.

MPLS Commands

Command
    Description

ip cef
    Enables CEF switching on all interfaces with CEF capability.

mpls ip
    Enables MPLS forwarding of IPv4 packets along normally routed paths.

mpls mtu size
    Sets the per-interface MPLS MTU for labeled packets.

mpls label protocol {ldp | tdp | both}
    Specifies the label distribution protocol to be used on a given interface.

show mpls interfaces [interface] [detail]
    Displays information about one or more interfaces that have been configured for label switching.

show mpls ldp discovery
    Displays the status of the LDP discovery process. This command generates a list of interfaces over which the LDP discovery process is running.

show mpls ldp neighbor [address | interface] [detail]
    Displays the status of LDP sessions.


show mpls ldp bindings [network {mask | length} [longer-prefixes]] [local-label label [- label]] [remote-label label [- label]] [neighbor address] [local]
    Displays the contents of the LIB.

Job Aid

This job aid is available to help you complete the lab activity.

The instructor will allocate a pod that you will configure. Use this table to write down the pod assigned to you.

Pod Assigned

Parameter Value (Provided by Instructor)

pod

Page 12: Ccnp iscw lab guide

10 Implementing Secure Converged Wide Area Networks (ISCW) v1.0 © 2006 Cisco Systems, Inc.

Task 1: Enable LDP on the Provider Routers

In this task, you will configure basic label switching functionality in the provider core network.

Activity Procedure

Complete these steps:

Step 1 On the HQ router in your pod, perform these tasks:

Enable CEF.

Enable LDP on the interface that is connected to the branch router.

Note The mpls label protocol ldp command can be issued at the global configuration level.

Step 2 On the branch router, perform these tasks:

Enable CEF.

Enable LDP on the interface that is connected to the HQ router.

Enable LDP on the interface that is connected to the ISP router.

Activity Verification

You have completed this task when you attain these results:

On each of your routers, verify that the interfaces in question have been configured to use LDP.

Branch#show mpls interfaces
Interface              IP            Tunnel   Operational
FastEthernet0/1        Yes (ldp)     No       Yes
Serial0/0/0            Yes (ldp)     No       Yes

On each of your routers, verify that LDP Hello messages are transmitted and received over the appropriate interfaces and LDP neighbor relationships are established over them.

Branch#show mpls ldp discovery
 Local LDP Identifier:
    10.0.1.2:0
    Discovery Sources:
    Interfaces:
        FastEthernet0/1 (ldp): xmit/recv
            LDP Id: 10.0.1.1:0
        Serial0/0/0 (ldp): xmit/recv
            LDP Id: 10.10.10.10:0; no host route

Branch#show mpls ldp neighbor
    Peer LDP Ident: 10.0.1.1:0; Local LDP Ident 10.0.1.2:0
        TCP connection: 10.0.1.1.646 - 10.0.1.2.31740
        State: Oper; Msgs sent/rcvd: 30/31; Downstream
        Up time: 00:15:11
        LDP discovery sources:
          FastEthernet0/1, Src IP addr: 10.2.1.1
        Addresses bound to peer LDP Ident:
          172.31.1.1      10.2.1.1        10.0.1.1
    Peer LDP Ident: 10.10.10.10:0; Local LDP Ident 10.0.1.2:0
        TCP connection: 10.10.10.10.15637 - 10.0.1.2.646
        State: Oper; Msgs sent/rcvd: 26/19; Downstream
        Up time: 00:14:20
        LDP discovery sources:
          Serial0/0/0, Src IP addr: 10.5.1.10
        Addresses bound to peer LDP Ident:
          10.10.10.10     10.5.1.10

On each of your routers, verify that LDP has allocated a label for each prefix in its IP routing table:

HQ#show mpls ldp bindings
  tib entry: 0.0.0.0 0.0.0.0, rev 16
        local binding:  tag: imp-null
  tib entry: 10.0.1.1 255.255.255.255, rev 12
        local binding:  tag: imp-null
        remote binding: tsr: 10.0.1.2:0, tag: 18
  tib entry: 10.0.1.2 255.255.255.255, rev 6
        local binding:  tag: 16
        remote binding: tsr: 10.0.1.2:0, tag: imp-null
  tib entry: 10.2.1.0 255.255.255.0, rev 4
        local binding:  tag: imp-null
        remote binding: tsr: 10.0.1.2:0, tag: imp-null
  tib entry: 10.5.1.0 255.255.255.0, rev 14
        local binding:  tag: 19
        remote binding: tsr: 10.0.1.2:0, tag: imp-null
  tib entry: 10.6.6.0 255.255.255.0, rev 10
        local binding:  tag: 18
        remote binding: tsr: 10.0.1.2:0, tag: imp-null
  tib entry: 10.10.10.0 255.255.255.0, rev 8
        local binding:  tag: 17
        remote binding: tsr: 10.0.1.2:0, tag: 17
  tib entry: 172.31.1.0 255.255.255.0, rev 2
        local binding:  tag: imp-null
        remote binding: tsr: 10.0.1.2:0, tag: 16

Perform a traceroute from the HQ router to the loopback address of the ISP router (10.10.10.10) and verify that the results display the associated labels:

HQ#traceroute 10.10.10.10
Type escape sequence to abort.
Tracing the route to ISP (10.10.10.10)
  1 10.2.1.2 [MPLS: Label 17 Exp 0] 0 msec 0 msec 0 msec
  2 10.5.1.10 8 msec *  4 msec

Task 2: Configure the MTU Size

Labeling a packet makes it larger because of the label stack. To prevent fragmentation of labeled packets in the MPLS backbone, you will configure the MPLS MTU on the link between the HQ and branch routers.

Activity Procedure

The maximum frame size can be the MTU of the Ethernet interface increased by a label stack of up to three labels. Complete these steps:

Step 1 On the interface that is connected to the branch router, change MPLS MTU on the HQ router.

Step 2 On the interface that is connected to the HQ router, change MPLS MTU on the branch router.
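Task 1 and Task 2 of this lab on the CLI, as an added example that is not the lab's answer key. The pod 1 addresses from the verification printouts are used (replace them with your pod's x values), and the 1512-byte MPLS MTU is the 1500-byte Ethernet MTU plus three 4-byte labels, as the Activity Procedure describes.

```cisco
! Added example: Lab 3-1 Tasks 1 and 2 for pod 1 (not the lab's answer key).
!
! --- HQ ---
! CEF is a prerequisite for label switching; LDP is chosen globally so
! every interface that gets mpls ip uses it rather than TDP.
ip cef
mpls label protocol ldp
!
interface FastEthernet0/1
 description *** Link to Branch ***
 ip address 10.2.1.1 255.255.255.0
 mpls ip
 ! 1500-byte IP MTU + 3 labels x 4 bytes = 1512 bytes
 mpls mtu 1512
!
! --- Branch ---
ip cef
mpls label protocol ldp
!
interface FastEthernet0/1
 description *** Link to HQ ***
 ip address 10.2.1.2 255.255.255.0
 mpls ip
 mpls mtu 1512
!
! Toward the ISP the lab changes no MTU; LDP alone is enabled.
interface Serial0/0/0
 description *** Link to ISP ***
 ip address 10.5.1.2 255.255.255.0
 mpls ip
```

The LDP sessions that show mpls ldp neighbor then reports (TCP port 646) carry no authentication unless both peers are configured with mpls ldp neighbor <address> password <string>; the lab leaves this off, but a production core should not, because an unauthenticated LDP peer can inject label bindings.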


Activity Verification

You have completed this task when you attain these results:

Verify the MPLS MTU size on the interface of the access router (HQ).

HQ#show mpls interfaces FastEthernet0/1 detail
Interface FastEthernet0/1:
        IP labeling enabled (ldp):
          Interface config
        LSP Tunnel labeling not enabled
        BGP tagging not enabled
        Tagging operational
        Fast Switching Vectors:
          IP to MPLS Fast Switching Vector
          MPLS Turbo Vector
        MTU = 1512

Task 3: Remove MPLS Configuration

In this task, you will remove the MPLS configuration from the HQ and branch routers.

Activity Procedure

Complete these steps:

Step 1 On the HQ router in your pod, perform these tasks:

Disable CEF.

Disable LDP on the interface that is connected to the branch router.

Remove MPLS MTU configuration on the interface that is connected to the branch router.

Step 2 On the branch router, perform these tasks:

Disable CEF.

Disable LDP on the interface that is connected to the HQ router.

Disable LDP on the interface that is connected to the ISP router.

Remove MPLS MTU configuration on the interface that is connected to the HQ router.

Activity Verification

You have completed this task when you attain these results:

Verify the interface configuration on the HQ router.

HQ#show running-config interface FastEthernet 0/1
Building configuration...

Current configuration : 129 bytes
!
interface FastEthernet0/1
 description *** Link to Branch ***
 ip address 10.2.1.1 255.255.255.0
 duplex auto
 speed auto
end


Verify the interface configuration on the branch router.

Branch#show running-config interface FastEthernet 0/1
Building configuration...

Current configuration : 125 bytes
!
interface FastEthernet0/1
 description *** Link to HQ ***
 ip address 10.2.1.2 255.255.255.0
 duplex auto
 speed auto
end

Branch#show running-config interface Serial 0/0/0
Building configuration...

Current configuration : 97 bytes
!
interface Serial0/0/0
 description *** Link to ISP ***
 ip address 10.5.1.2 255.255.255.0
end


Lab 4-1: Configuring Site-to-Site IPsec VPNs

Complete this lab activity to practice what you learned in the related module.

Visual Objective

This section contains information about your laboratory setup, details of the physical and logical connectivity in the laboratory, and information about the addressing scheme and IGP routing. Each pod is independent of other pods (that is, pods do not interact). Two learners are usually assigned to one pod. The addressing scheme of the pods differs, which is indicated with an x. The x should always be replaced by the pod number. Each pod will contain the router types defined in the table and one PC.

The names of all devices in your pod follow the naming convention detailed in this table.

Device Naming Convention

Device Name
    Description

Workstation
    PC used for accessing the router via the SDM interface.

Server
    PC used as a TFTP server for downloading files.

HQ, Branch
    Routers between which you will establish the IPsec tunnel.

ISP
    Router in the service provider network. This router is not accessible by learners.

The first serial interface of the branch router is connected back-to-back to the ISP. The DCE side is on the ISP router. The first FastEthernet interface of the branch router is connected to the server. The second FastEthernet interface of the branch router is connected to the second FastEthernet interface of the HQ router. The first FastEthernet interface of the HQ router is connected to the Internet, where the workstation is connected.

Visual Objective for Lab 4-1: Configuring Site-to-Site IPsec VPNs


The IP addressing of the devices has been performed using the allocation scheme detailed in the IP host address table.

IP Host Address (Where x Is the Pod Number)

Device Interface IP Address

Workstation Public IP address (see on the device)

Server 10.6.6.254/24

HQ (Loopback0) 10.0.x.1/32

HQ (Fa0/0) Public IP address (provided by instructor)

HQ (Fa0/1) 10.2.x.1/24

HQ (S0/0/0) Shutdown

Branch (Loopback0) 10.0.x.2/32

Branch (Fa0/0) 10.6.6.x/24

Branch (Fa0/1) 10.2.x.2/24

Branch (S0/0/0) 10.5.x.2/24

ISP (Loopback) 10.10.10.10/24

ISP (Serial) 10.5.x.10/24

Note This addressing scheme has been selected for ease of use in the labs; it does not optimize the use of the address space.

Routing in the Network

EIGRP is used as the routing protocol between routers. The EIGRP routing configuration on the routers is shown in these printouts:

HQ router:

router eigrp 1
 redistribute connected
 passive-interface Loopback0
 network 10.0.0.0
 no auto-summary

Branch router:

router eigrp 1
 passive-interface FastEthernet0/0
 passive-interface Loopback0
 network 10.0.0.0
 no auto-summary

Activity Objective

In this exercise, you will configure two routers to establish a secure path between two networks over an untrusted network (as shown in the Visual Objective figure). The path will be secured using IPsec protocols, assisted by the IKE key-exchange protocol, which will also enforce the required traffic protection policy.


In the activity, you will configure a site-to-site IPsec VPN with preshared keys authentication, using SDM and CLI. After completing this activity, you will be able to meet these objectives:

Launch the Site-to-Site VPN Wizard and accept the default IKE policy, transform set, and IPsec rules

Use the VPN Connection Information window to identify the IP address or host name of the remote site that will terminate the VPN tunnel that you are configuring, to specify the router interface to use, and to enter the preshared key that both routers will use to authenticate each other

Use the VPN Connection Information window to examine and select the IKE policy, priority, and encryption type

Use the Transform Set window to examine and select the transform set for your VPN

Use the Traffic to Protect window to define the traffic that this VPN will protect per the given requirements

Use the Summary window to confirm that your VPN values match those provided in the exercise

Visual Objective

The figure illustrates what you will accomplish in this activity. You will configure an IPsec tunnel between the HQ and branch routers to secure traffic between the HQ Fa0/0 network and network 10.10.10.0/24. (IP address 10.10.10.10/24 is the loopback on the ISP router.)

Visual Objective for Lab 4-1: Configuring Site-to-Site IPsec VPNs

Required Resources

This resource is required to complete this activity:

Cisco IOS documentation


Command List

The table describes the commands that are used in this activity.

SDM Preparation Commands

Command
    Description

copy
    Copies files between file systems.

ip http server
    Starts the HTTP server.

ip http secure-server
    Starts the HTTPS server.

ip http authentication
    Defines the authentication method of the local HTTP server.

username username password password
    Creates local users.

show crypto key mypubkey rsa
    Displays the public RSA keys.

show flash
    Displays the contents of the flash.

show running-config
    Displays the running configuration.

show crypto isakmp policy
    Displays the IKE proposals.

show ip interface brief
    Displays brief interface status.

Job Aid

This job aid is available to help you complete the lab activity.

The instructor will allocate a pod that you will configure. Use this table to write down the pod assigned to you.

Pod Assigned

Parameter Value (Provided by Instructor)

pod


Task 1: Prepare the Routers for SDM-Based Provisioning

In this task, you will configure the HQ router in your pod for SDM provisioning. Routers in the lab have preconfigured IP addresses and routing.

Activity Procedure

Complete these steps:

Step 1 Check whether the files sdm.tar, home.tar, 256MB.sdf, home.shtml, sdmconfig-28xx.cfg and common.tar exist in the flash memory of the HQ router. If the files are already in the flash, proceed with Step 3.

Step 2 Copy the files from the server to the HQ router flash memory:

Copy the file sdm.tar from the server to the HQ router's flash memory, using the copy tftp flash: command.

Use the same command to copy other files needed: home.tar, 256MB.sdf, home.shtml, sdmconfig-28xx.cfg, and common.tar.

Step 3 Configure the HQ router to support SDM management:

Start the HTTP server.

Start the HTTPS server.

Configure a local authentication method for access to the HTTP server.

Create a local user with privilege level 15 and MD5-based password protection. Use the username sdm and the password sdmpassword.

Note In actual implementations, do not use simple, easy-to-guess usernames and passwords. Use long (at least 8 characters) random strings with a mixture of numeric and lowercase and uppercase alphabetical characters.
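The three configuration steps of this task as Cisco IOS CLI, added here as an example that is not the lab's answer key. The server address 10.6.6.254 is the one listed in the IP host address table, and the user is created with secret rather than password because the step asks for MD5-based password protection.

```cisco
! Added example: Lab 4-1 Task 1 on the HQ router (not the lab's answer key).
!
! Step 2 (privileged EXEC): fetch the SDM files from the lab TFTP server
! at 10.6.6.254 into flash. Repeat for home.tar, 256MB.sdf, home.shtml,
! sdmconfig-28xx.cfg and common.tar; show flash confirms they arrived.
copy tftp://10.6.6.254/sdm.tar flash:
!
! Step 3: HTTP and HTTPS servers, authenticated against the local user
! database. Enabling the HTTPS server generates the RSA key pair and
! self-signed certificate that the workstation is later asked to accept
! (show crypto key mypubkey rsa lists the key).
configure terminal
 ip http server
 ip http secure-server
 ip http authentication local
 ! privilege 15 because SDM needs full configuration rights;
 ! secret stores an MD5 hash, password would store reversible type 7
 username sdm privilege 15 secret sdmpassword
end
```

The lab's login flow starts over HTTP and then moves to HTTPS. Outside the lab, leave only ip http secure-server enabled, so that the sdm credentials are never sent in the clear, and apply the Note above about the username and password.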

Activity Verification

You have completed this task when you start SDM from the workstation in your pod, following these steps:

Step 1 On the workstation, open Internet Explorer and access the HQ router via HTTP (http://<Public-IP-address-on-the-Fa0/0-interface-of-HQ-router>).

Step 2 Log in as user sdm with the password sdmpassword.

Click OK. A new window appears, asking you if you want to use HTTPS.

Click OK. A Security Alert window appears, asking you if you want to accept the certificate from the router.

Click Yes to accept the certificate. Now the session becomes HTTPS, so you need to enter the username and password again. Use the username sdm and the password sdmpassword.

Click OK. When the SDM starts, you will first see a security warning.

Click More Details to view the self-signed certificate.


View the certificate. Click Close and then Yes to proceed at the security warning. If any additional warning appears, click Yes.

Click Yes to proceed at the security warning window that appears.

SDM on the HQ router will start.


Task 2: Access the Site-to-Site VPN Wizard

In this task, you will launch the Site-to-Site VPN Wizard.

Activity Procedure

Complete these steps:

Step 1 Configure the HQ router using SDM. Click the Configure tab.

Step 2 Choose VPN from the category bar.

Step 3 Choose the VPN Site-to-Site VPN option.

Step 4 Leave the default selection of Create a Site to Site VPN and click Launch the selected task.

Step 5 At this point, you can choose one of two options. You may choose to use the Quick Setup mode or the Step by Step Wizard. In this lab exercise, you will use the Step by Step Wizard mode.


Activity Verification

Complete these steps to verify the activity:

Step 1 From the SDM, you can see output similar to this:

Step 2 Click Next to proceed.

Task 3: Define VPN Connection

In this task, you will use the VPN Connection Information window to identify the IP address or host name of the remote site that will terminate the VPN tunnel that you are configuring. You will specify the router interface to use and enter the preshared key that both routers will use to authenticate each other.

Activity Procedure

Complete these steps:

Step 1 Configure the HQ router. Select FastEthernet0/1 as the interface for this VPN connection.

Step 2 Select static peer identity, and configure the peer address 10.2.x.2 (where x is the pod number).

Step 3 Set the preshared key to secretkey.


Activity Verification

Complete these steps to verify the activity:

Step 1 From the SDM, you can see output similar to this:

Step 2 Click Next to proceed.

Task 4: Select an IKE Proposal

In this task, you will configure the IKE parameters (also known as the ISAKMP policy, because ISAKMP, the Internet Security Association and Key Management Protocol, is the foundation of IKE) on both IPsec/IKE peers. These parameters let the two peers handshake securely, authenticate each other, and agree on IPsec parameters when the IPsec policy is configured later in this lab.

In this task, you will use the VPN Connection Information window to examine and select the IKE policy, priority, and encryption type.


Activity Procedure

Complete these steps:

Step 1 Configure the HQ router. From the next window, determine what the default IKE policy is.

Step 2 Add a new IKE proposal by clicking Add.

Step 3 Configure these parameters:

Priority: 2

Encryption: 3DES

Hash: SHA-1

Authentication: Preshared

D-H Group: 2

Lifetime: 1 hour

Step 4 Click OK.


Activity Verification

Complete these steps to verify the activity:

Step 1 From the SDM, you can see output similar to this.

Step 2 Make sure the new IKE proposal appears in the window, and click Next to proceed.

Your IKE parameters are now set, and the two peers should agree on their IKE parameters (ISAKMP policies) when they handshake at the beginning of the IKE session. Next, you will configure rules that specify which traffic needs to be protected and how it is protected.

Task 5: Select the Transform Set

In this task, you will use the Transform Set window to examine and select the transform set for your VPN.

Activity Procedure

Complete these steps:

Step 1 Configure the HQ router. From the next window, determine what the default transform set is.


Step 2 Click Add to add a new transform set with the name my_transform_set.

Step 3 Create a transform set, which represents the set of protection algorithms used inside IPsec to protect traffic. The transform set should use the ESP encapsulation only, with 3DES as the traffic encryption algorithm, and SHA-1 as the traffic authentication/integrity algorithm. Click Show Advanced to configure IPsec tunnel mode for this transform set, although this is the default setting.

Step 4 Click OK.


Activity Verification

Complete these steps to verify the activity:

Step 1 From the SDM, you can see output similar to this.

Step 2 Choose the new transform set from the drop-down list, and click Next to proceed.


Task 6: Select Traffic to Protect

In this task, you will use the Traffic to Protect window to create and apply the traffic protection rules that define which traffic this VPN will protect, per the given requirements.

Activity Procedure

Complete this step:

Step 1 Protect all traffic between these subnets: subnet of the FA0/0 HQ interface and 10.10.10.0/24.

Activity Verification

Complete these steps to verify the activity:

Step 1 From the SDM, you can see output similar to this:

Step 2 Click Next to proceed.


Task 7: Complete the Setup

In this task, you will use the Summary window to confirm that your VPN values match those provided in the previous tasks.

Activity Procedure

Complete these steps:

Step 1 Configure the HQ router. From the next window, examine the summary of the configuration, which will be sent to the router.

Step 2 Click Finish to apply the configuration to the router.


Step 3 When the configuration is applied, click OK.

Activity Verification

Complete these steps to verify the activity:

Step 1 From the VPN window, you can see the new connection (IPsec tunnel). Because one side of the tunnel is not configured, the current status of the connection is Down.


Task 8: Generate Mirror Configuration

In this task, you will generate a mirror configuration to paste into the branch router.

Activity Procedure

Complete these steps:

Step 1 From the SDM window on the HQ router, click the Generate Mirror button.


Step 2 Click Save to save the mirror configuration. Name the file Branch.txt.

Step 3 Click Save and then OK to close the Generate Mirror window.


Activity Verification

You have completed this task when you attain this result:

From the workstation desktop, open the Branch.txt file and verify the configuration. Note the crypto map name.

crypto isakmp policy 2
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 3600
exit
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 86400
exit
crypto isakmp key secretkey address 10.2.1.1
crypto ipsec transform-set my_transform_set esp-sha-hmac esp-3des
 mode tunnel
exit
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 10.10.10.0 0.0.0.255 172.31.1.0 0.0.0.255
exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address 10.2.1.2 that connects to this router.
 set transform-set my_transform_set
 set peer 10.2.1.1
 match address SDM_1
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
exit

Printout: HQ Router Mirrored IPsec Configuration

Task 9: Use Mirrored IPsec Configuration

In this task, you will use the mirrored IPsec configuration to configure the branch router.

Activity Procedure

Complete these steps:

Step 1 Connect to the branch router using the console. Copy the mirrored configuration generated in the Generate Mirror Configuration task and paste it into the branch router.

Step 2 The mirrored configuration alone is not enough to establish the IPsec tunnel, so add these lines:

Apply crypto map to the FastEthernet0/1 interface on the branch router, using the crypto map name as generated by the Generate Mirror feature:

interface FastEthernet 0/1
 crypto map SDM_CMAP_1

Printout: Branch Router Additional IPsec Configuration


Activity Verification

Complete these steps to verify the activity:

Step 1 From the VPN window, you can see the connection (IPsec tunnel). The status of the connection is still Down.

Step 2 Click Test Tunnel and then Start.

Step 3 Click Yes in the SDM Warning window.


Step 4 In the next window, enter 10.10.10.10 in the Enter the IP address of a host in the destination network field.


Step 5 Click Continue. The test should be successful.

Note If the workstation is not on the same subnet as the FA0/0 interface of the HQ router, its packets will not go through the IPsec VPN tunnel.

Step 6 Click OK and then Close. The status of the tunnel should now be Up.


Step 7 Examine the HQ router configuration, using the show running-config command to see the VPN setup.

HQ#show running-config
<...part of the output omitted...>
username sdm privilege 15 secret 5 $1$yGtx$5rU6rTEHAkTVAJMyIaJob1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key secretkey address 10.2.1.2
!
crypto ipsec transform-set my_transform_set esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to10.2.1.2
 set peer 10.2.1.2
 set transform-set my_transform_set
 match address 100
!
interface FastEthernet0/1
 description *** Link to Branch ***
 ip address 10.2.1.1 255.255.255.0
 crypto map SDM_CMAP_1
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.31.1.0 0.0.0.255 10.10.10.0 0.0.0.255

Printout: HQ Router Running Configuration

Step 8 Open the console connection to the HQ router and examine the IPsec VPN statistics, using the show crypto ipsec sa command. Check the number of encrypted packets.

HQ#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: SDM_CMAP_1, local addr 10.2.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 10.2.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
<...part of the output omitted...>

Printout: HQ Router crypto ipsec sa Command

Step 9 From the HQ router, ping IP address 10.10.10.10. Use the standard ping command.

HQ#ping 10.10.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

Printout: Ping from HQ to 10.10.10.10

Step 10 Examine the IPsec VPN statistics again, using the show crypto ipsec sa command, and check the number of encrypted packets. The number of encrypted packets is unchanged because the standard ping uses a source IP address that the crypto ACL does not select for encryption.

HQ#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: SDM_CMAP_1, local addr 10.2.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 10.2.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
<...part of the output omitted...>

Printout: HQ Router crypto ipsec sa Command

Step 11 From the HQ router, ping IP address 10.10.10.10. Now, use the extended ping command with the source IP address from the HQ FA0/0 interface.

HQ#ping
Protocol [ip]:
Target IP address: 10.10.10.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: FastEthernet0/0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 172.31.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms

Printout: Ping from HQ FA0/0 Interface to 10.10.10.10


Step 12 Examine the IPsec VPN statistics again, using the show crypto ipsec sa command, and check the number of encrypted packets. The number of encrypted packets should have increased by 5, because the extended ping uses the source IP address of the FA0/0 interface, which the crypto ACL selects for encryption.

HQ#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: SDM_CMAP_1, local addr 10.2.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 10.2.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
    #pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
<...part of the output omitted...>

Printout: HQ Router crypto ipsec sa Command
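Steps 8 through 12 turn on one point that is easy to miss: the encaps counter moves only for traffic that the crypto ACL (the local/remote ident lines) selects. The following Python script is an added example, not part of the lab guide: it parses two show crypto ipsec sa snapshots (constructed from the printouts above) and checks whether the counter change matches what the ACL predicts for a given ping source. It assumes the standard ping is sourced from the Fa0/1 address 10.2.1.1, which the printout shows as the local addr of the SA.

```python
"""Parse 'show crypto ipsec sa' snapshots taken before and after a test ping and
decide whether the change in the encaps counter is what the crypto ACL predicts.
Constructed example, not from the lab guide; the snapshot below is typed from the
printout in this lab and the 'after' snapshot differs only in the counters."""
import ipaddress
import re

# Constructed from the "HQ Router crypto ipsec sa Command" printout (before the
# extended ping). Only the lines the parser uses are kept.
SA_BEFORE = """\
interface: FastEthernet0/1
    Crypto map tag: SDM_CMAP_1, local addr 10.2.1.1
   local  ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 10.2.1.2 port 500
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #send errors 1, #recv errors 0
"""
# After five echoes sourced from Fa0/0 (172.31.1.1) the lab shows 34 on both sides.
SA_AFTER = SA_BEFORE.replace(": 29", ": 34")

IDENT_RE = re.compile(r"(local|remote)\s+ident.*?:\s*\((\S+?)/(\S+?)/(\d+)/(\d+)\)")
# IOS writes "#pkts encaps: 29" but "#send errors 1", so allow any separator.
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors)\D+(\d+)")


def parse_sa(text):
    """Return one dict per SA with its peer, traffic selectors and packet counters."""
    sas, sa = [], None
    for line in text.splitlines():
        if "Crypto map tag" in line:          # start of a new SA entry
            sa = {"counters": {}}
            sas.append(sa)
            continue
        if sa is None:                        # header lines before the first SA
            continue
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask, proto, _port = m.groups()
            sa[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            sa[side + "_proto"] = int(proto)  # 0 means any protocol
        elif "current_peer" in line:
            sa["peer"] = line.split()[1]
        for name, value in COUNTER_RE.findall(line):
            sa["counters"][name] = int(value)
    return sas


def protects(sa, src, dst):
    """True if a src->dst flow falls inside this SA's selectors, i.e. the crypto ACL."""
    return ipaddress.ip_address(src) in sa["local"] and ipaddress.ip_address(dst) in sa["remote"]


def explain_ping(before, after, src, dst, count=5):
    """Return (encaps delta, expected delta, verdict) for a ping of `count` echoes."""
    b, a = parse_sa(before)[0], parse_sa(after)[0]
    delta = a["counters"]["pkts encaps"] - b["counters"]["pkts encaps"]
    expected = count if protects(b, src, dst) else 0
    verdict = (f"{src}->{dst}: encaps +{delta}, crypto ACL {b['local']} -> {b['remote']} "
               f"predicts +{expected}: " + ("as expected" if delta == expected else "UNEXPECTED"))
    return delta, expected, verdict


if __name__ == "__main__":
    # Standard ping: assumed sourced from the exit interface 10.2.1.1, outside the crypto ACL.
    print(explain_ping(SA_BEFORE, SA_BEFORE, "10.2.1.1", "10.10.10.10")[2])
    # Extended ping sourced from Fa0/0: inside the protected subnet, so five more encaps.
    print(explain_ping(SA_BEFORE, SA_AFTER, "172.31.1.1", "10.10.10.10")[2])
```

A counter that moves for a flow the ACL does not select (the UNEXPECTED verdict) means some other protected traffic was flowing during the test, so the ping alone proves nothing about the tunnel.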

Task 10: Remove IPsec Tunnel Configuration

In this task, you will remove the IPsec tunnel configuration from both routers.

Activity Procedure

Complete these steps:

Step 1 First configure the HQ router. From the Edit Site to Site VPN window, delete the existing IPsec tunnel by clicking Delete in the upper-right corner of the window.


Step 2 SDM does not delete all of the IPsec configuration lines, so use these commands to remove the rest:

no crypto isakmp policy 1
no crypto isakmp policy 2
no crypto isakmp key secretkey address 10.2.1.2
no crypto ipsec transform-set my_transform_set
no access-list 100

Printout: Deleting IPsec Configuration on the HQ Router

Step 3 Delete the existing IPsec tunnel configuration on the branch router, using these commands:

interface FastEthernet0/1
 no crypto map SDM_CMAP_1
 exit
!
no crypto map SDM_CMAP_1
no crypto ipsec transform-set my_transform_set
no crypto isakmp policy 1
no crypto isakmp policy 2
no crypto isakmp key secretkey address 10.2.1.1
no ip access-list extended SDM_1

Printout: Deleting IPsec Configuration on the Branch Router

Activity Verification

You have completed this task when you attain this result:

Examine the HQ router configuration, using the show running-config command, to see that the crypto map is no longer on the FastEthernet0/1 interface.

HQ#show running-config interface FastEthernet 0/1
Building configuration...

Current configuration : 133 bytes
!
interface FastEthernet0/1
 description *** Link to Branch ***
 ip address 10.2.1.1 255.255.255.0
 duplex auto
 speed auto
end

Printout: HQ Router Interface Configuration


Lab 4-2: Configuring GRE Tunnels over IPsec Using SDM

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this exercise, you will configure two routers to establish a secure path between two networks over an untrusted network (as shown in the figure). The path will be secured with GRE over IPsec. You will create a secure GRE tunnel (GRE over IPsec) using SDM. After completing this activity, you will be able to meet this objective:

Launch SDM v2.2a from the learner’s workstation and follow the steps on the Create Site to Site VPN tab of the SDM VPN Wizard

Visual Objective

The figure illustrates what you will accomplish in this activity.


Visual Objective for Lab 4-2: Configuring GRE Tunnels over IPsec Using SDM

Required Resources

This resource is required to complete this activity:

Cisco IOS documentation

Command List

The table describes the command that is used in this activity.


Show Command

Command Description

show running-config Displays the running configuration

Job Aid

This job aid is available to help you complete the lab activity.

The instructor will allocate a pod that you will configure. Use this table to write down the pod assigned to you.

Pod Assigned

Parameter Value (Provided by Instructor)

pod


Task 1: Create a Secure GRE Tunnel (GRE over IPsec) Using SDM

In this task, you will configure a secure GRE tunnel between the HQ and branch routers in your pod by using SDM. This tool enables you to create a GRE tunnel with IPsec encryption. When you create a GRE tunnel configuration, you also create an IPsec rule that describes the endpoints of the tunnel. Routers in the lab have preconfigured IP addresses and routing.

Activity Procedure

Complete these steps:

Step 1 On the workstation, open the Internet Explorer and access the HQ router via HTTP (http://<Public-IP-address-on-the-Fa0/0-interface-of-HQ-router>).

Step 2 Log in as user sdm with the password sdmpassword, and click OK.

Step 3 A new window appears, asking you if you want to use HTTPS. Click OK.


Step 4 The Security Alert window appears, asking you if you want to accept the certificate from the router. Click Yes to accept the certificate.

Step 5 Now the session becomes HTTPS, so you need to enter the username and password again. Use the username sdm and the password sdmpassword, and click OK.


Step 6 When the SDM starts, you will first see a security warning. Click Yes to proceed at the security warning. If any additional warning appears, click Yes.

Step 7 If any other warning appears, click Yes.

Step 8 Click Yes to proceed at the security warning window.


Step 9 Wait for a few seconds while SDM is loading the current configuration from your router. Refresh SDM by clicking the Refresh button.

Step 10 In the SDM, click Configure.

Step 11 Choose VPN from the category bar.

Step 12 Choose the Site-to-Site VPN option.


Step 13 Select the Create a secure GRE tunnel (GRE over IPsec) option and click Launch the selected task.

Step 14 From SDM, you can see the Secure GRE Wizard window. Click Next.


Step 15 In the Tunnel Source area, select the interface FastEthernet0/1.

Tunnel Source: Select the interface name or the IP address of the interface that the tunnel will use. The IP address of the interface must be reachable from the other end of the tunnel; therefore it must be a public, routable IP address. An error will be generated if you enter an IP address that is not associated with any configured interface.

Note SDM lists interfaces with static IP addresses and interfaces configured as unnumbered in the Interface list. Loopback interfaces are not included in the list.

Details button: Click to obtain details about the interface that you selected. The details window shows any HQ rules, IPsec policies, NAT rules, or Inspection rules associated with the interface. If a NAT rule that has been applied to this interface causes the address to be unroutable, the tunnel will not operate properly. To examine any of these rules in more detail, go to Additional Tasks/ACL Editor.

Step 16 In the Tunnel Destination area, type the IP address 10.2.x.2 (where x is the pod number).

Tunnel Destination: Enter the IP address of the interface on the remote router at the other end of the tunnel. This is the source interface from the point of view of the other end of the tunnel.

Make sure that this address is reachable by using the ping command. The ping command is available from the Tools menu. If the destination address cannot be reached, the tunnel will not be created properly.

Step 17 Configure the IP address of the GRE tunnel 10.1.x.1/24.

IP Address of the GRE tunnel: Enter the IP address of the tunnel. The IP addresses of both ends of the tunnel must be in the same subnet. The tunnel is given a separate IP address so that it can be a private address, if necessary.

IP Address: Enter the IP address of the tunnel in dotted decimal format.

Subnet Mask: Enter the subnet mask for the tunnel address in dotted decimal format.


Step 18 From SDM, you can see the GRE Tunnel Information window. Click Next.

Step 19 Do not select the Create a backup secure GRE tunnel for resilience option. Click Next.

Step 20 Set the preshared key to secretkey and click Next.


Step 21 From the IKE Proposal window, determine what the default IKE policy is, and click Next.

Step 22 From the Transform Set window, determine what the default transform set is. Click Next.


Step 23 Select Static Routing to support the GRE over IPsec VPN. Click Next.

Step 24 From the Static Routing Information window, select the Do split tunneling option. Enter the destination network 10.0.0.0 255.0.0.0 to route traffic through this GRE tunnel. Click Next.


Step 25 From the Summary window, examine the summary of the configuration, which will be sent to the router.

Step 26 Click Finish to apply the configuration to the router.

Step 27 When the configuration is applied, click OK.


Activity Verification

You have completed this task when you attain this result:

From the VPN window, you can see the new connection (GRE tunnel). Because one side of the tunnel is not configured, the current status of the connection is Down.


Task 2: Generate Mirror Configuration

In this task, you will generate a mirror configuration to paste into the branch router.

Activity Procedure

Complete these steps:

Step 1 From the SDM window on the HQ router, click the Generate Mirror button.

Step 2 Click Save to save the mirror configuration. Name the file Branch_GRE.txt.


Step 3 Click Save and then OK to close the Generate Mirror window.

Activity Verification

You have completed this task when you attain this result:

From the workstation desktop, open the Branch_GRE.txt file and verify the configuration. Note the crypto map name.

crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 86400
exit
crypto isakmp key secretkey address 10.2.1.1
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
 mode tunnel
exit
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 permit gre host 10.2.1.2 host 10.2.1.1
exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address 10.2.1.2 that connects to this router.
 set transform-set ESP-3DES-SHA
 set peer 10.2.1.1
 match address SDM_1
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
exit

Printout: HQ Router Mirrored IPsec and Partial GRE Configuration
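A Generate Mirror file is only useful if it really is the reverse of the HQ side: the same ISAKMP policies (with the defaults that show running-config leaves out), the same preshared key bound to the right peer address, the same transform set, and a crypto ACL with source and destination swapped. The Python script below is an added example, not code from the lab guide or from SDM; its inputs are constructed from this lab's HQ running configuration and Branch_GRE.txt printouts, and it handles both the permit gre host ... host ... entry used here and the permit ip network wildcard entries of the Branch.txt file in the preceding lab.

```python
"""Check that an SDM 'Generate Mirror' file really mirrors the HQ crypto configuration.
Constructed example, not from the lab guide; both inputs are typed from this lab's printouts."""

# 'show running-config' omits ISAKMP defaults that the mirror file spells out; fill them in.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

# Constructed from the "HQ Router Running Configuration" printout (crypto lines only).
HQ_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key secretkey address 10.2.1.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 10.2.1.2
 set transform-set ESP-3DES-SHA
 match address 100
access-list 100 permit gre host 10.2.1.1 host 10.2.1.2
"""

# Constructed from the Branch_GRE.txt ("Mirrored IPsec and Partial GRE Configuration") printout.
BRANCH_MIRROR = """\
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 86400
exit
crypto isakmp key secretkey address 10.2.1.1
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
 mode tunnel
exit
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 permit gre host 10.2.1.2 host 10.2.1.1
exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 set peer 10.2.1.1
 match address SDM_1
exit
"""


def parse_crypto(text):
    """Pull ISAKMP policies, preshared keys, transform sets, peers and crypto ACL entries."""
    cfg = {"policies": {}, "keys": {}, "transforms": {}, "peers": [], "acl": []}
    block = None                      # ISAKMP policy dict or crypto-map peer list
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] in ("!", "exit"):
            block = None
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            block = cfg["policies"].setdefault(t[3], dict(ISAKMP_DEFAULTS))
        elif t[:3] == ["crypto", "isakmp", "key"]:
            cfg["keys"][t[5]] = t[3]  # peer address -> preshared key
            block = None
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transforms"][t[3]] = frozenset(t[4:])  # SDM reorders the transforms
            block = None
        elif t[:2] == ["crypto", "map"] and t[-1] == "ipsec-isakmp":
            block = cfg["peers"]
        elif t[:2] == ["set", "peer"] and block is cfg["peers"]:
            block.append(t[2])
        elif "permit" in t:           # numbered or named crypto ACL entry
            cfg["acl"].append(tuple(t[t.index("permit") + 1:]))
        elif isinstance(block, dict) and t[0] in ISAKMP_DEFAULTS:
            block[t[0]] = t[1]
    return cfg


def endpoints(rule):
    """Split 'proto src dst' into (proto, src, dst); an end is 'any', 'host A' or 'A wildcard'."""
    proto, rest, ends = rule[0], list(rule[1:]), []
    while len(ends) < 2:
        n = 1 if rest[0] == "any" else 2       # 'any' is one token, the others are two
        ends.append(tuple(rest[:n]))
        del rest[:n]
    return proto, ends[0], ends[1]


def check_mirror(hq_text, mirror_text):
    """Return the list of mismatches; an empty list means the mirror is consistent."""
    hq, br = parse_crypto(hq_text), parse_crypto(mirror_text)
    problems = []
    if hq["policies"] != br["policies"]:
        problems.append(f"isakmp policies differ: {hq['policies']} vs {br['policies']}")
    if set(hq["keys"].values()) != set(br["keys"].values()):
        problems.append("preshared keys differ")
    for name, side in (("HQ", hq), ("branch", br)):  # the key must be bound to the peer address
        if set(side["keys"]) != set(side["peers"]):
            problems.append(f"{name}: key address {sorted(side['keys'])} != set peer {side['peers']}")
    if hq["transforms"] != br["transforms"]:
        problems.append(f"transform sets differ: {hq['transforms']} vs {br['transforms']}")
    expected = {(p, d, s) for p, s, d in map(endpoints, hq["acl"])}  # src/dst swapped
    actual = set(map(endpoints, br["acl"]))
    if expected != actual:
        problems.append(f"crypto ACL is not a mirror: expected {expected}, got {actual}")
    return problems
```

check_mirror(HQ_CONFIG, BRANCH_MIRROR) returns an empty list for the two printouts; a swapped-back ACL, a different key or a changed lifetime each produce one entry naming the mismatch.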

Task 3: Use Mirrored Configuration

In this task, you will use the mirrored IPsec configuration to configure the branch router.


Activity Procedure

Complete these steps:

Step 1 Connect to the branch router, using the console. Copy the mirrored configuration generated in the previous task and paste it to the branch router.

Step 2 The mirrored configuration alone is not enough to establish the GRE over IPsec tunnel, so add these lines:

Apply crypto map to the FastEthernet0/1 interface on the branch router, using the crypto map name as generated by the Generate Mirror feature:

interface FastEthernet 0/1
 crypto map SDM_CMAP_1

Printout: Branch Router Additional IPsec Configuration

Configure the tunnel interface, set the IP MTU to 1420, and use IP address 10.1.1.2/24. The tunnel source should be Fa0/1, and the tunnel destination should be 10.2.x.1 (where x is the pod number). Apply the crypto map to the tunnel interface on the branch router, using the crypto map name as generated by the Generate Mirror feature. Enable path MTU discovery on the tunnel. Use this example:

interface Tunnel0
 ip address 10.1.x.2 255.255.255.0
 ip mtu 1420
 tunnel source FastEthernet0/1
 tunnel destination 10.2.x.1
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1

Printout: Branch Router Tunnel Configuration

On the branch router, configure a static default route to the tunnel interface configured in the previous bullet, and configure a static route for host IP address 10.2.x.1 (where x is the pod number) to the Fa0/1 interface:

ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 10.2.x.1 255.255.255.255 FastEthernet0/1

Printout: Branch Router Additional GRE over IPsec Configuration


Activity Verification

Complete these steps to verify the activity:

Step 1 From the VPN window, you can see the connection (GRE over IPsec tunnel). The status of the connection is still Down.


Step 2 Click Test Tunnel and then Start.

Step 3 Click OK and then Close. The status of the tunnel should now be Up.

Step 4 Examine the HQ router configuration, using the show running-config command to see the tunnel interface configuration.

HQ#show running-config
<...part of output omitted...>
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key secretkey address 10.2.1.2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to10.2.1.2
 set peer 10.2.1.2
 set transform-set ESP-3DES-SHA
 match address 100
!
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 ip mtu 1420
 tunnel source FastEthernet0/1
 tunnel destination 10.2.1.2
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface FastEthernet0/0
 description *** Link to Workstation ***
 ip address 172.31.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description *** Link to Branch ***
 ip address 10.2.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 10.2.1.2 255.255.255.255 FastEthernet0/1
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit gre host 10.2.1.1 host 10.2.1.2

Printout: HQ Router Running Configuration


Task 4: Remove GRE Tunnel Configuration

In this task, you will remove the GRE tunnel configuration from both routers.

Activity Procedure

Complete these steps:

Step 1 Configure the HQ router. From the Edit Site to Site VPN window, delete the existing GRE tunnel by clicking Delete in the upper-right corner of the window.

Step 2 SDM does not delete all of the GRE over IPsec configuration lines, so use these commands to remove the rest:

no crypto isakmp policy 1
no crypto isakmp key secretkey address 10.2.1.2
no crypto ipsec transform-set ESP-3DES-SHA
no access-list 100
no ip route 10.0.0.0 255.0.0.0 Tunnel0
no ip route 10.2.1.2 255.255.255.255 FastEthernet0/1
no interface Tunnel0

Printout: Deleting IPsec Configuration on the HQ Router

Step 3 Delete the existing GRE over IPsec tunnel configuration on the branch router, using these commands:

interface FastEthernet0/1
 no crypto map SDM_CMAP_1
 exit
!
no crypto map SDM_CMAP_1
no crypto ipsec transform-set ESP-3DES-SHA
no crypto isakmp policy 1
no crypto isakmp key secretkey address 10.2.1.1
no ip access-list extended SDM_1
no ip route 0.0.0.0 0.0.0.0 Tunnel0
no ip route 10.2.1.1 255.255.255.255 FastEthernet0/1
no interface Tunnel0

Printout: Deleting GRE over IPsec Configuration on the Branch Router

Activity Verification

You have completed this task when you attain these results:

Examine the HQ router configuration, using the show running-config command to verify that the crypto map is no longer on the FastEthernet0/1 interface.

HQ#show running-config interface FastEthernet 0/1
Building configuration...

Current configuration : 129 bytes
!
interface FastEthernet0/1
 description *** Link to Branch ***
 ip address 10.2.1.1 255.255.255.0
 duplex auto
 speed auto
end

Printout: HQ Router Interface Configuration

Examine the branch router configuration, using the show running-config command to verify that the crypto map is no longer on the FastEthernet0/1 interface.

Branch#show running-config interface FastEthernet 0/1
Building configuration...

Current configuration : 125 bytes
!
interface FastEthernet0/1
 description *** Link to HQ ***
 ip address 10.2.1.2 255.255.255.0
 duplex auto
 speed auto
end

Printout: Branch Router Interface Configuration


Lab 4-3: Configuring IPsec VPN to Back Up a WAN Connection

Complete this lab activity to practice what you learned in the related module.

Visual Objective

This section contains information about your laboratory setup, details of the physical and logical connectivity in the laboratory, and information about the addressing scheme and IGP routing. Each pod is independent of the other pods (that is, pods do not interact). Two learners are usually assigned to a pod. The addressing scheme of the pods differs, which is indicated with x; x should always be replaced by the pod number. Each pod contains the router types defined in the table and one PC.

The names of all devices in your pod follow the naming convention detailed in this table.

Device Naming Convention

Device Name Description

Workstation PC used for accessing router via SDM interface.

Server PC used as TFTP server for downloading files.

HQ, branch Routers between which you will establish IPsec tunnel.

ISP Router in the Service Provider network. Router is not accessible by learners.

The first serial interface of the HQ and branch routers is connected back-to-back to the ISP. The DCE side is on the ISP router. The first FastEthernet interface of the branch router is connected to the server. The second FastEthernet interface of the branch router is connected to the second FastEthernet interface of the HQ router. The first FastEthernet interface of the HQ router is connected to the Internet, where the workstation is connected.


ISCW 1.0 Lab IP Addressing

The IP addressing of the devices follows the allocation scheme detailed in the IP host address table.

IP Host Address (Where x Is the Pod Number)

Device Interface IP Address

Workstation Public IP address (see on the device)

Server 10.6.6.254/24

HQ (Loopback0) 10.0.x.1/32

HQ (Fa0/0) Public IP address (provided by instructor)

HQ (Fa0/1) 10.2.x.1/24

HQ (S0/0/0) 10.4.x.1/24

Branch (Loopback0) 10.0.x.2/32

Branch (Fa0/0) 10.6.6.x/24

Branch (Fa0/1) 10.2.x.2/24

Branch (S0/0/0) 10.5.x.2/24

ISP (Loopback) 10.10.10.10/24

ISP (Serial to HQ) 10.4.x.10/24

ISP (Serial to Branch) 10.5.x.10/24


Note This addressing scheme has been selected for ease of use in the labs; it does not optimize the use of the address space.

Routing in the Network EIGRP is used as the routing protocol between routers. The EIGRP routing configuration on routers is shown in these printouts:

HQ router:

router eigrp 1
 redistribute connected
 passive-interface Loopback0
 network 10.0.0.0
 no auto-summary

Branch router:

router eigrp 1
 passive-interface FastEthernet0/0
 passive-interface Loopback0
 network 10.0.0.0
 no auto-summary

Activity Objective Two sites are connected over a dedicated link (an Ethernet interface in the exercise) to exchange business-critical data. At the same time, both sites are connected to the Internet (serial interfaces in the exercise). If the link between the sites fails, business-critical data can be exchanged only via the Internet connection (serial links). In this exercise, you will configure two Cisco routers to establish a secure backup path between the two networks over an untrusted network (as shown in the figure). The path will be secured using IPsec protocols, assisted by the Internet Key Exchange (IKE) protocol, which will also enforce the required traffic protection policy. The backup IPsec VPN connection will be used only for exchanging data between the sites; other Internet traffic will be sent unencrypted.

In this activity, you will configure an IPsec VPN to back up a WAN connection. You will use a preshared key (a secret, a password) to authenticate the two IPsec/IKE peers to each other. After completing this activity, you will be able to meet these objectives:

Configure IKE parameters

Create and apply traffic protection (IPsec) rules

Establish the backup IPsec tunnel


Visual Objective The figure illustrates what you will accomplish in this activity.


Visual Objective for Lab 4-3: Configuring IPsec VPN to Back Up a WAN Connection

Required Resources This resource is required to complete this activity:

Cisco IOS documentation

Command List The table describes the commands that are used in this activity.

IPsec Configuration and Troubleshooting Commands

Command Description

authentication {rsa-sig | rsa-encr | pre-share}

Specifies the authentication method within an IKE policy.

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

Defines a transform set—an acceptable combination of security protocols and algorithms.

crypto isakmp key keystring address peer-address [mask]

Configures a preshared authentication key. You must configure this key whenever you specify preshared keys in an IKE policy.

crypto isakmp policy priority Defines an IKE policy. IKE policies define a set of parameters to be used during the IKE negotiation.

crypto map map-name seq-num ipsec-isakmp

Creates or modifies a crypto map entry and enters the crypto map configuration mode.


encryption {des | 3des} Specifies the encryption algorithm within an IKE policy.

group {1 | 2} Specifies the Diffie-Hellman group identifier within an IKE policy.

hash {sha | md5} Specifies the hash algorithm within an IKE policy.

match address [access-list-id | name]

Specifies an extended ACL for a crypto map entry.

set peer {hostname | ip-address}

Specifies an IPsec peer in a crypto map entry.

set transform-set transform-set-name [transform-set-name2...transform-set-name6]

Specifies which transform sets can be used with the crypto map entry.

show crypto ipsec sa Shows the settings used by current security associations.

show crypto isakmp policy Shows the parameters for each IKE policy.

show crypto isakmp sa Shows all current IKE security associations (SAs).

show crypto map Shows the crypto map configuration.

Job Aid This job aid is available to help you complete the lab activity.

The instructor will allocate a pod that you will configure. Use this table to write down the pod assigned to you.

Pod Assigned

Parameter Value (Provided by Instructor)

pod


Task 1: Configure IKE Parameters on Both Peers In this task, you will configure IKE parameters (also known as the ISAKMP policy because ISAKMP, the Internet Security Association and Key Management Protocol, is the foundation of IKE) on both IPsec/IKE peers. This will enable the two peers to securely handshake, authenticate each other, and be able to agree on IPsec parameters when the IPsec policy is configured later in this lab.

Activity Procedure Complete these steps:

Step 1 Configure the HQ router with these parameters (ISAKMP policy):

A policy priority that is less than 65535 (use, for example, 100)

Preshared keys as the peer authentication mechanism

3DES as the encryption algorithm for the IKE session (this is to protect the management session’s privacy only)

SHA-1 as the hashing algorithm for the IKE session (this is to protect the management session’s integrity only)

Group 2 as the strength of Diffie-Hellman key exchange algorithm.

Note These settings for encryption, hashing, and Diffie-Hellman are the recommended settings for most real-life deployments. For even higher security, you might consider using Diffie-Hellman group 5.

Step 2 On the HQ router, configure the preshared key SeCrEtKeY and assign it to the IP address of the outside interface of the peer router (branch). Use IP addresses from the Serial0/0/0 interface.

Step 3 Configure the branch router with exactly the same IKE parameters (ISAKMP policy) as you have in the HQ router.

Step 4 On the branch router, configure the preshared key SeCrEtKeY and assign it to the IP address of the outside interface of the peer router (HQ). Use IP addresses from the Serial0/0/0 interface.

Activity Verification You have completed this task when you attain these results:

Use the show crypto isakmp policy command to verify the current IKE parameters (ISAKMP policy) on both peers. The command output should resemble these printouts:

HQ#show crypto isakmp policy
Global IKE policy
Protection suite of priority 100
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Printout: HQ Router IKE Parameters

Branch#show crypto isakmp policy
Global IKE policy
Protection suite of priority 100
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Printout: Branch Router IKE Parameters

The ISAKMP policy with priority 65535 is the default policy, which is not secure enough for most applications.

Your IKE parameters are now set, and the two peers should agree in their IKE parameters (ISAKMP policies) when they handshake at the beginning of the IKE session. Now, you will configure rules, specifying which traffic needs to be protected, and specify the methods for its protection.

Task 2: Create and Apply Traffic Protection (IPsec) Rules In this task, you will create and apply traffic protection rules (crypto maps) to specify which traffic must be protected (using an ACL), using various protection methods (transform sets).

Activity Procedure Complete these steps:

Step 1 On the HQ router, create a transform set, which represents the set of protection algorithms used inside IPsec to protect traffic. The transform set should use the ESP encapsulation only, with 3DES as the traffic encryption algorithm, and SHA-1 as the traffic authentication/integrity algorithm. Use keywords esp-3des and esp-sha-hmac. Configure IPsec tunnel mode for this transform set, although this is the default setting.

Step 2 On the HQ router, configure a crypto ACL, which should describe traffic to be protected inside the IPsec tunnel. The ACL should permit all IP traffic from the workstation (IP subnet on the FastEthernet0/0 interface of the HQ router) to the site behind the other IPsec peer (host IP address of the server 10.6.6.254). Permit inside the crypto ACL means “protect,” whereas deny means “route normally.”

Step 3 On the HQ router, configure a crypto map to tie all configured parameters together in a single rule. The crypto map should specify the traffic to be protected (the ACL using the match address command), the protection bundle to use (the set transform-set command), and the peer to send traffic to (the set peer command).


Step 4 On the HQ router, apply the configured crypto map to the outside, “dirty” (untrusted) interface (Serial0/0/0).

Step 5 Repeat all steps in this task for the branch router. All IPsec parameters should match between peers, and the crypto ACLs should mirror each other (that is, on the branch router, the crypto ACL should permit traffic from the host 10.6.6.254 to the IP subnet used on the FastEthernet0/0 interface of the HQ router).
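Tasks 1 and 2 have you type the same IKE policy, key and IPsec parameters on both routers by hand, and a mismatch (a different policy, a key bound to the wrong address, or a crypto ACL that is not an exact mirror of the other side) is the usual reason the negotiation fails later. The following Python script is an added example, not part of the Cisco lab guide: it derives both peers' configuration from the pod number x so the two sides cannot drift apart, and checks that the two crypto ACLs mirror each other. The names MYMAP, MYSET and ACL 100 and the key SeCrEtKeY are the ones the lab uses; the workstation subnet 172.31.x.0/24 on HQ FastEthernet0/0 is assumed from the lab printouts. The 3DES, SHA-1 and Diffie-Hellman group 2 settings are what this 2006 lab specifies; current guidance treats them as legacy, with AES, SHA-2 and larger DH groups preferred.

```python
"""Derive the IPsec/IKE configuration for both lab peers from the pod number.

Added example (not Cisco's code). Names MYMAP, MYSET, ACL 100 and the key
SeCrEtKeY come from the lab; the 172.31.x.0/24 workstation subnet on HQ
FastEthernet0/0 is assumed from the lab printouts.
"""

from ipaddress import IPv4Network

POLICY_PRIORITY = 100       # any value below the default 65535 works
MAP_NAME = "MYMAP"
TRANSFORM_SET = "MYSET"
ACL_NUMBER = 100
SERVER_HOST = "10.6.6.254"  # host behind the branch that must be protected


def pod_addresses(pod: int) -> dict:
    """Addresses the lab derives from the pod number x."""
    if not 1 <= pod <= 254:
        raise ValueError("pod number must be between 1 and 254")
    return {
        "hq_serial": f"10.4.{pod}.1",       # HQ Serial0/0/0 (outside)
        "branch_serial": f"10.5.{pod}.2",   # branch Serial0/0/0 (outside)
        "workstation_net": IPv4Network(f"172.31.{pod}.0/24"),  # assumed HQ Fa0/0
    }


def crypto_acl(role: str, net: IPv4Network) -> str:
    """Crypto ACL entry; the branch entry is the HQ entry with src/dst swapped.

    IOS ACLs take a wildcard mask (net.hostmask), not a prefix length.
    """
    subnet = f"{net.network_address} {net.hostmask}"
    host = f"host {SERVER_HOST}"
    src, dst = (subnet, host) if role == "hq" else (host, subnet)
    return f"access-list {ACL_NUMBER} permit ip {src} {dst}"


def build_config(pod: int, role: str, psk: str) -> list:
    """IOS configuration lines for one peer, role 'hq' or 'branch'."""
    if role not in ("hq", "branch"):
        raise ValueError("role must be 'hq' or 'branch'")
    addr = pod_addresses(pod)
    peer = addr["branch_serial"] if role == "hq" else addr["hq_serial"]
    return [
        # Task 1: IKE phase 1 (ISAKMP) policy, identical on both peers
        f"crypto isakmp policy {POLICY_PRIORITY}",
        " encryption 3des",
        " hash sha",
        " authentication pre-share",
        " group 2",
        # preshared key bound to the peer's outside address only
        f"crypto isakmp key {psk} address {peer}",
        # Task 2: ESP with 3DES and SHA-1 HMAC, tunnel mode (the default)
        f"crypto ipsec transform-set {TRANSFORM_SET} esp-3des esp-sha-hmac",
        " mode tunnel",
        crypto_acl(role, addr["workstation_net"]),
        f"crypto map {MAP_NAME} 10 ipsec-isakmp",
        f" set peer {peer}",
        f" set transform-set {TRANSFORM_SET}",
        f" match address {ACL_NUMBER}",
        # apply the map to the untrusted interface
        "interface Serial0/0/0",
        f" crypto map {MAP_NAME}",
    ]


def _acl_endpoints(line: str) -> tuple:
    """Split 'access-list N permit ip <src> <dst>' into its two address specs."""
    toks = line.split()[4:]            # drop 'access-list N permit ip'
    specs = []
    while toks:
        n = 1 if toks[0] == "any" else 2   # 'any' | 'host A' | 'A wildcard'
        specs.append(" ".join(toks[:n]))
        toks = toks[n:]
    return tuple(specs)


def acls_mirror(hq_cfg: list, branch_cfg: list) -> bool:
    """True when the branch crypto ACL is the exact reverse of the HQ one."""
    hq = _acl_endpoints(next(l for l in hq_cfg if l.startswith("access-list")))
    br = _acl_endpoints(next(l for l in branch_cfg if l.startswith("access-list")))
    return hq == br[::-1]


if __name__ == "__main__":
    for role in ("hq", "branch"):
        print(f"! {role} router, pod 1")
        print("\n".join(build_config(1, role, "SeCrEtKeY")))
    print("! crypto ACLs mirror:",
          acls_mirror(build_config(1, "hq", "k"), build_config(1, "branch", "k")))
```

Run it with the pod number and paste each router's block into configuration mode; the mirror check is the same test you would otherwise do by eye when comparing the two show crypto map printouts below.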

Activity Verification You have completed this task when you attain these results:

On both peers, use the show crypto ipsec transform-set command to verify the current bundles of protection algorithms (transform sets). The command output should resemble these printouts:

HQ#show crypto ipsec transform-set
Transform set MYSET: { esp-3des esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Printout: Transform Set on the HQ Router

Branch#show crypto ipsec transform-set
Transform set MYSET: { esp-3des esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Printout: Transform Set on the Branch Router

On both peers, use the show crypto map command to verify the current traffic protection rules. The output should resemble these printouts:

HQ#show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 10.5.1.2
        Extended IP access list 100
            access-list 100 permit ip 172.31.1.0 0.0.0.255 host 10.6.6.254
        Current peer: 10.5.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MYSET, }
        Interfaces using crypto map MYMAP:
                Serial0/0/0

Printout: HQ Traffic Protection Rules (Crypto Map)

Branch#show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 10.4.1.1
        Extended IP access list 100
            access-list 100 permit ip host 10.6.6.254 172.31.1.0 0.0.0.255
        Current peer: 10.4.1.1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MYSET, }
        Interfaces using crypto map MYMAP:
                Serial0/0/0

Printout: Branch Traffic Protection Rules (Crypto Map)


Task 3: Establish the Backup IPsec Tunnel In this task, you will generate traffic to establish the backup IPsec tunnel and verify its operation.

Activity Procedure Complete these steps:

Step 1 Enable the Serial0/0/0 interface link on HQ router.

Step 2 On both routers, verify the routing table.

HQ#show ip route
<...part of output omitted...>
Gateway of last resort is not set

     172.31.0.0 255.255.255.0 is subnetted, 1 subnets
C       172.31.1.0 is directly connected, FastEthernet0/0
     10.0.0.0 255.0.0.0 is variably subnetted, 7 subnets, 2 masks
C       10.2.1.0 255.255.255.0 is directly connected, FastEthernet0/1
D       10.0.1.2 255.255.255.255 [90/156160] via 10.2.1.2, 00:01:29, FastEthernet0/1
D       10.10.10.0 255.255.255.0 [90/2297856] via 10.4.1.10, 00:01:29, Serial0/0/0
D       10.6.6.0 255.255.255.0 [90/30720] via 10.2.1.2, 00:01:29, FastEthernet0/1
C       10.0.1.1 255.255.255.255 is directly connected, Loopback0
D       10.5.1.0 255.255.255.0 [90/2172416] via 10.2.1.2, 00:01:30, FastEthernet0/1
C       10.4.1.0 255.255.255.0 is directly connected, Serial0/0/0

Printout: HQ Router Routing Table

Step 3 Perform a traceroute from the HQ FastEthernet0/0 interface (172.31.x.1/24) to the server (10.6.6.254).

HQ#traceroute
Protocol [ip]:
Target IP address: 10.6.6.254
Source address: 172.31.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.6.6.254

  1 10.2.1.2 0 msec 4 msec 0 msec
  2 10.6.6.254 4 msec 0 msec 0 msec

Printout: Traceroute from HQ FastEthernet0/0 to the Server

Step 4 Disable the FastEthernet0/1 interface on the HQ router (the link to the branch router).

Step 5 Perform the traceroute again from the HQ FastEthernet0/0 interface to the server (10.6.6.254). Now the traceroute should show the path through the Internet (Serial0/0/0), and the backup IPsec VPN connection via the Internet should be established.

HQ#traceroute
Protocol [ip]:
Target IP address: 10.6.6.254
Source address: 172.31.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.6.6.254

  1 * 10.5.1.2 20 msec 24 msec
  2 10.6.6.254 32 msec 28 msec 32 msec

Printout: Traceroute from HQ FastEthernet0/0 to the Server

Activity Verification You have completed this task when you attain these results:

On the HQ router, use the show crypto isakmp sa command to display the current IKE sessions of this peer. The state of QM_IDLE indicates an idle IKE (ISAKMP) session after all negotiation has been completed. The output should resemble this printout:

HQ#show crypto isakmp sa
dst             src             state          conn-id slot status
10.5.1.2        10.4.1.1        QM_IDLE              1    0 ACTIVE

Printout: ISAKMP Connections (IKE SAs) in the HQ

On the HQ router, use the show crypto ipsec sa command to display the current (created) IPsec SAs. IPsec can only protect traffic if SAs for that traffic specification are established. Examine the statistics (counters) indicating encrypted and authenticated packets. They should steadily increase as you send more traffic through the IPsec tunnel.

HQ#show crypto ipsec sa

interface: Serial0/0/0
    Crypto map tag: MYMAP, local addr 10.4.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.6.6.254/255.255.255.255/0/0)
   current_peer 10.5.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
<...part of output omitted...>

Printout: IPsec SAs in the HQ

On the branch router, use the show crypto isakmp sa command to display the current IKE sessions of this peer. The state of QM_IDLE indicates an idle IKE (ISAKMP) session after all negotiation has been completed. The output should resemble this printout:

Branch#show crypto isakmp sa
dst             src             state          conn-id slot status
10.5.1.2        10.4.1.1        QM_IDLE              1    0 ACTIVE

Printout: ISAKMP Connections (IKE SAs) in the Branch


On the branch router, use the show crypto ipsec sa command to display the current (created) IPsec SAs. IPsec can only protect traffic if SAs for that traffic specification are established. Examine the statistics (counters) indicating encrypted and authenticated packets. They should steadily increase as you send more traffic through the IPsec tunnel.

Branch#show crypto ipsec sa

interface: Serial0/0/0
    Crypto map tag: MYMAP, local addr 10.5.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.6.6.254/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
   current_peer 10.4.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
<...part of output omitted...>

Printout: IPsec SAs in the Branch
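The verification above is done by reading two printouts and watching the counters by eye. The Python script below is an added example, not from the lab guide, that parses the show crypto isakmp sa and show crypto ipsec sa output into data and applies the same checks: the IKE SA with the expected peer must be in state QM_IDLE and status ACTIVE, and between two snapshots of the IPsec SA the encrypt and decrypt counters must rise while the send and receive error counters do not. The sample text is the HQ printout from this task, trimmed to the lines the parser needs; the second snapshot is constructed to represent the same SA after more traffic has crossed the tunnel. Note in the lab printout that HQ has encapsulated more packets than it decapsulated and shows one send error; together with the asterisk on the first probe of the second traceroute, that is consistent with the packet that triggered the IKE negotiation being dropped while the SAs were still being built.

```python
"""Parse 'show crypto isakmp sa' / 'show crypto ipsec sa' and judge tunnel health.

Added example, not from the lab guide. The sample texts are the HQ printouts
from this task; the second IPsec snapshot is constructed to show counters
that have advanced after more traffic crossed the tunnel.
"""

import re

ISAKMP_SA_SAMPLE = """\
HQ#show crypto isakmp sa
dst             src             state          conn-id slot status
10.5.1.2        10.4.1.1        QM_IDLE              1    0 ACTIVE
"""

IPSEC_SA_BEFORE = """\
HQ#show crypto ipsec sa
interface: Serial0/0/0
    Crypto map tag: MYMAP, local addr 10.4.1.1
   local  ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.6.6.254/255.255.255.255/0/0)
   current_peer 10.5.1.2 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #send errors 1, #recv errors 0
"""

# Constructed: the same SA after four more echo request/reply pairs.
IPSEC_SA_AFTER = """\
HQ#show crypto ipsec sa
interface: Serial0/0/0
    Crypto map tag: MYMAP, local addr 10.4.1.1
   local  ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.6.6.254/255.255.255.255/0/0)
   current_peer 10.5.1.2 port 500
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #send errors 1, #recv errors 0
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ISAKMP_ROW = re.compile(
    rf"^(?P<dst>{IP})\s+(?P<src>{IP})\s+(?P<state>\S+)\s+(?P<conn_id>\d+)"
    r"\s+(?P<slot>\d+)\s+(?P<status>\S+)\s*$", re.M)
IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)")
PEER = re.compile(r"current_peer (\S+) port (\d+)")
COUNTER = re.compile(r"#pkts ([a-z]+): (\d+)")
ERRORS = re.compile(r"#(send|recv) errors (\d+)")


def parse_isakmp_sa(text: str) -> list:
    """One dict per IKE SA row (dst, src, state, conn_id, slot, status)."""
    return [m.groupdict() for m in ISAKMP_ROW.finditer(text)]


def parse_ipsec_sa(text: str) -> dict:
    """Idents, peer and packet counters of the (single) crypto map entry."""
    sa = {}
    for side, ident in IDENT.findall(text):
        sa[side] = ident
    peer = PEER.search(text)
    if peer:
        sa["peer"] = peer.group(1)
    sa["counters"] = {name: int(n) for name, n in COUNTER.findall(text)}
    sa["errors"] = {name: int(n) for name, n in ERRORS.findall(text)}
    return sa


def ike_established(isakmp_text: str, peer: str) -> bool:
    """True when an IKE SA involving `peer` has finished negotiating."""
    return any(peer in (r["dst"], r["src"]) and r["state"] == "QM_IDLE"
               and r["status"] == "ACTIVE" for r in parse_isakmp_sa(isakmp_text))


def tunnel_health(before: str, after: str) -> dict:
    """Compare two IPsec SA snapshots: counters must rise, errors must not."""
    b, a = parse_ipsec_sa(before), parse_ipsec_sa(after)
    delta = {k: a["counters"].get(k, 0) - v for k, v in b["counters"].items()}
    findings = []
    if delta.get("encrypt", 0) <= 0:
        findings.append("no packets encrypted since last snapshot")
    if delta.get("decrypt", 0) <= 0:
        findings.append("no packets decrypted since last snapshot")
    for kind in ("send", "recv"):
        if a["errors"].get(kind, 0) > b["errors"].get(kind, 0):
            findings.append(f"{kind} errors increased")
    return {"peer": a.get("peer"), "delta": delta, "findings": findings}


if __name__ == "__main__":
    print("IKE up with 10.5.1.2:", ike_established(ISAKMP_SA_SAMPLE, "10.5.1.2"))
    print(tunnel_health(IPSEC_SA_BEFORE, IPSEC_SA_AFTER))
```

A tunnel whose IKE SA is QM_IDLE but whose encrypt counter never moves usually means the crypto ACL does not match the traffic you are sending (traffic is routed in the clear), which is why both checks are needed.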

Task 4: Remove Backup Configuration In this task, you will remove IPsec configuration from the HQ and branch routers.

Activity Procedure Complete these steps:

Step 1 Enable the FastEthernet0/1 interface on the HQ router.

Step 2 Delete the crypto map configuration from the Serial0/0/0 interface on the HQ and branch routers.

interface Serial0/0/0
 no crypto map MYMAP

Printout: Deleting IPsec Configuration on the HQ and Branch Routers

Step 3 Delete the crypto map, transform set, ISAKMP policy, preshared key, and ACL configuration on the HQ and branch routers.

no crypto map MYMAP
no crypto ipsec transform-set MYSET
no crypto isakmp policy 100
no crypto isakmp key SeCrEtKeY address 10.5.x.2   ! x is pod number
no access-list 100

Printout: Deleting IPsec Configuration on the HQ Router

no crypto map MYMAP
no crypto ipsec transform-set MYSET
no crypto isakmp policy 100
no crypto isakmp key SeCrEtKeY address 10.4.x.1   ! x is pod number
no access-list 100

Printout: Deleting IPsec Configuration on the Branch Router


Activity Verification You have completed this task when you attain this result:

On the HQ router, verify the routing table: network 10.6.6.0/24 should again be reachable via the FastEthernet0/1 interface.

HQ#show ip route
Gateway of last resort is not set

     172.31.0.0 255.255.255.0 is subnetted, 1 subnets
C       172.31.1.0 is directly connected, FastEthernet0/0
     10.0.0.0 255.0.0.0 is variably subnetted, 7 subnets, 2 masks
C       10.2.1.0 255.255.255.0 is directly connected, FastEthernet0/1
D       10.0.1.2 255.255.255.255 [90/156160] via 10.2.1.2, 00:01:31, FastEthernet0/1
D       10.10.10.0 255.255.255.0 [90/2297856] via 10.4.1.10, 00:01:31, Serial0/0/0
D       10.6.6.0 255.255.255.0 [90/30720] via 10.2.1.2, 00:01:31, FastEthernet0/1
C       10.0.1.1 255.255.255.255 is directly connected, Loopback0
D       10.5.1.0 255.255.255.0 [90/2172416] via 10.2.1.2, 00:01:32, FastEthernet0/1
C       10.4.1.0 255.255.255.0 is directly connected, Serial0/0/0

Printout: Routing Table on the HQ Router


Lab 4-4: Configuring Cisco Easy VPN Server Using SDM

Complete this lab activity to practice what you learned in the related module.

Visual Objective This section contains information about your laboratory setup, details of the physical and logical connectivity in the laboratory, and information about the addressing scheme and IGP routing. Each pod is independent of other pods (that is, pods do not interact). Two learners are usually assigned to the pod. The addressing scheme of the pods differs, which is indicated with x. The x should always be replaced by the pod number. Each pod will contain the router types defined in the table and one PC.

The names of all devices in your pod follow the naming convention detailed in this table.

Device Naming Convention

Device Name: Description

Workstation: PC used for SDM access to the HQ router and for running the VPN Client.

Server: PC used as a TFTP server for downloading files and as an ACS server.

HQ: Router that will be configured as the Easy VPN Server.

Branch: Router in your pod.

ISP: Router in the service provider network. The router is not accessible by learners and is configured by the instructor.

The first serial interface of the HQ and branch routers is connected back-to-back to the ISP. The DCE side is on the ISP router. The first FastEthernet interface of the branch router is connected to the server. The second FastEthernet interface of the branch is connected to the second FastEthernet interface of the HQ router. The first FastEthernet interface of the HQ router is connected to the Internet, where the workstation is connected.


ISCW 1.0 Lab IP Addressing

The IP addressing of the devices has been performed using the allocation scheme detailed in the IP host address table.

IP Host Address (Where x Is the Pod Number)

Device Interface IP Address

Workstation Public IP address (see on the device)

Server 10.6.6.254/24

HQ (Loopback0) 10.0.x.1/32

HQ (Fa0/0) Public IP address (provided by instructor)

HQ (Fa0/1) 10.2.x.1/24

HQ (S0/0/0) 10.4.x.1/24

Branch (Loopback0) 10.0.x.2/32

Branch (Fa0/0) 10.6.6.x/24

Branch (Fa0/1) 10.2.x.2/24

Branch (S0/0/0) 10.5.x.2/24

ISP (Loopback) 10.10.10.10/24

ISP (Serial to HQ) 10.4.x.10/24

ISP (Serial to Branch) 10.5.x.10/24


Note This addressing scheme has been selected for ease of use in the labs; it does not optimize the use of the address space.

Routing in the Network EIGRP is used as the routing protocol between routers. The EIGRP routing configuration on routers is shown in these printouts:

HQ router:

router eigrp 1
 redistribute connected
 passive-interface Loopback0
 network 10.0.0.0
 no auto-summary

Branch router:

router eigrp 1
 passive-interface FastEthernet0/0
 passive-interface Loopback0
 network 10.0.0.0
 no auto-summary

Activity Objective In this exercise, you will configure Easy VPN Server on the HQ router using SDM, and you will install Cisco VPN Client on your workstation (learner PC) to connect to the Easy VPN Server. The path will be secured using IPsec protocols, assisted by the Internet Key Exchange (IKE) protocol, which will also enforce the required traffic protection policy. After completing this activity, you will be able to meet these objectives:

Configure Cisco Easy VPN Server using SDM per given requirements

Configure Cisco VPN Client

Verify RA VPN operations using SDM

Visual Objective The figure illustrates what you will accomplish in this activity.


Visual Objective for Lab 4-4: Configuring Cisco Easy VPN Server Using SDM

Required Resources This resource is required to complete this activity:

Cisco IOS documentation

Command List The table describes the commands that are used in this activity.

SDM Preparation Commands

Command Description

copy Copies files between file systems

ip http server Starts the http server

ip http secure-server Starts the https server

ip http authentication Defines the authentication method of the local http server

username username privilege {level} secret password

Creates local users

show crypto key mypubkey rsa

Displays the public RSA keys

show flash Displays the contents of the flash

show running-config Displays the running configuration

show crypto isakmp policy Displays the IKE proposals

show ip interface brief Displays brief interface status


Job Aid This job aid is available to help you complete the lab activity.

The instructor will allocate a pod that you will configure. Use this table to write down the pod assigned to you.

Pod Assigned

Parameter Value (Provided by Instructor)

pod


Task 1: Configure Easy VPN Server In this task, you will configure Easy VPN Server on the HQ router in your pod by using SDM. Routers in the lab have preconfigured IP addresses and routing.

Activity Procedure Complete these steps:

Step 1 Start the SDM on the HQ router.


Step 2 Click the Configure tab. Choose VPN from the category bar. Choose the Easy VPN Server option.

Step 3 Select Create Easy VPN Server. If you can click the Launch Easy VPN Server Wizard button, proceed with Step 17.

Step 4 If AAA is not enabled on the router, you will not be able to launch the Easy VPN Server Wizard. SDM will display a prerequisite task of enabling AAA. Before configuring an Easy VPN Server, you have to enable AAA on the router. Click the Enable AAA link.

Step 5 To enable AAA on the router, click Yes. AAA commands will be delivered to the router, and a new window, Command Delivery Status, will appear. Click OK.


Step 6 Click OK on the Information window.


Step 7 Click the Launch Easy VPN Server Wizard button on the Create Easy VPN Server window to create an Easy VPN Server.

Step 8 The VPN Wizard will guide you through the configuration of an Easy VPN Server on the router. Click Next.


Step 9 Select the interface for the Easy VPN Server; this is the interface connecting router to the Internet. In the lab, you will select the FastEthernet0/0 interface. Select Pre-shared keys as the method used for authenticating VPN clients connecting to the Easy VPN Server. Click Next.

Step 10 Examine the IKE proposals on the Easy VPN Server. If you will connect many Easy VPN Clients with different IKE policies, you should add new IKE policies. Click Next.


Step 11 Examine the transform set used by the Easy VPN Server. Click Next.

Step 12 The local database will be used for group authentication. Select the Local method and click Next.


Step 13 The local database will be used for user authentication. Select Enable User Authentication, select the Local Only method, and click Next.

Step 14 There is no group configured yet. Add a new group by clicking Add.


Step 15 A new window, Add Group Policy, will appear. On the General tab, enter a group name (VPN_Group), enter a preshared key (secret key) in the Pre-shared Key section, select Pool Information, and create a new pool of IP addresses in the range from 10.0.x.10 to 10.0.x.20.


Step 16 Click the Split Tunneling tab, and configure usage of VPN tunnel for only those networks used in the lab (10.0.0.0 0.255.255.255). Click OK.

Step 17 Examine the newly created group and click Next.


Activity Verification Complete these steps to verify the activity:

Step 1 In SDM, you should see similar output.


Step 2 Examine the summary of the configuration and click Finish.

Step 3 The Easy VPN Server Wizard will prepare the commands and deliver them to the router. Click OK.

Step 4 To inform the branch router about the new network on the HQ router, you have to redistribute static routes, which will appear when VPN clients connect to the Easy VPN Server. Redistribute static routes into the EIGRP process, using these commands:

HQ(config)#router eigrp 1
HQ(config-router)#redistribute static


Task 2: Configure the Cisco VPN Client on a Workstation In this task, you will prepare the workstation for remote access connectivity. You will install, configure, and test the Cisco VPN Client software.

Activity Procedure Complete these steps:

Step 1 Connect to the workstation.

Step 2 On the workstation in your pod, start the Cisco VPN Client software (Start > All Programs > Cisco Systems VPN Client).


Step 3 The VPN Client window opens. Click the New button and create a new connection entry using the parameters listed in the table.

Cisco VPN Client Configuration Parameters

Parameter Value

Connection Entry HQ

Host Public IP address on the Fa0/0 provided by instructor

Group name VPN_Group

Password secretkey


Activity Verification Complete these steps to verify the activity:

Step 1 Click Save and then Connect in the main VPN Client window. After you enter the username sdm and the password sdmpassword, the VPN Client should successfully connect to the Easy VPN Server.

Step 2 Double-click the VPN Client icon in the taskbar.


Step 3 A VPN Client window will open. Examine the operation of the IPsec tunnel to the HQ router.

Task 3: Verify VPN Operations In this task, you will verify VPN operation.

Activity Procedure Complete these steps:

Step 1 On the workstation, open Internet Explorer and access the HQ router via HTTP (http://<Public-IP-address-on-the-Fa0/0-interface-of-HQ-router>). Log in as user sdm with the password sdmpassword.

Note Split tunneling is enabled, and only traffic from the workstation to 10.x.x.x will be tunneled. All other traffic will not be tunneled.

SDM will open. For detailed instructions, see the Configuring Easy VPN Server task.


Step 2 Click the Configure tab. Choose VPN from the category bar. Choose the Easy VPN Server option.

Step 3 Click the Edit Easy VPN Server tab.


Step 4 On the Edit Easy VPN Server tab, you can see the name of the crypto map attached to the FastEthernet0/0 interface. Test the Easy VPN Server configuration by clicking Test VPN Server and then Start.

Step 5 The test should be successful. Click OK and then Close.


Step 6 Choose Monitor > VPN Status > Easy VPN Server to verify that the client is connected.

Activity Verification Complete these steps to verify the activity:

Step 1 On the workstation, disconnect the VPN tunnel to the HQ router: right-click the VPN Client icon and choose the Disconnect option.


Step 2 In the Cisco VPN Client’s Connection Manager, enable logging by choosing Log > Enable.

Step 3 Choose Log > Log Settings and set these areas to High level logging: IKE, User Authentication, and IPsec.

Step 4 Click OK in the Log Settings window.


Step 5 Double-click the connection entry that you created in the Cisco VPN Client software. Wait for the IKE negotiation to complete. Use the username sdm and the password sdmpassword. When the negotiation is complete, the VPN Client window should disappear, and a padlock icon should appear in the system tray.

Step 6 Double-click the padlock icon to reopen the Connection Manager. Click the Log tab, and click the Log Window icon at the top to check the IKE negotiation process. A sample output is shown in the figure.


Step 7 Right-click the padlock icon in the system tray and choose Statistics from the menu. The default page will display the details about the connection. From this screen, you can verify the IP address assigned to the VPN client.

Step 8 If you click the Route Details tab, you will see the split tunneling configuration. Only traffic to the network 10.0.0.0/8 is sent via the secured connection.

Step 9 Disable the VPN Client connection. Right-click the padlock icon in the system tray and choose Disconnect from the menu.


Lab 5-1: Securing Cisco Routers Complete this lab activity to practice what you learned in the related module.

Activity Objective In this activity, you will secure Cisco router administrative access with SDM one-step lockdown. After completing this activity, you will be able to meet these objectives:

Configure one-step lockdown

Configure IOS login enhancement

Visual Objective The figure illustrates what you will accomplish in this activity.


Visual Objective for Lab 5-1:Securing Cisco Routers

Required Resources These are the resources and equipment that are required to complete this activity:

Kiwi Syslog Daemon and PuTTY on the workstation desktop

Routers preconfigured for IP connectivity

Command List The table describes the commands that are used in this activity.


Cisco IOS Commands

Command Description

login block-for Sets quiet mode active time period.

login delay Sets delay between successive failed logins.

login quiet-mode Sets quiet mode options.

login on-failure Sets options for a failed login attempt.

ssh -l userid ip-address Starts an encrypted session with a remote networking device. The -l option specifies the user ID to use when logging in to the remote device running the SSH server, and ip-address is the address of that device.

show login Verifies the login enhancement status.

Job Aids There are no additional job aids for this activity.


Task 1: Configure One-Step Lockdown In this task, you will use SDM to perform a one-step lockdown of your HQ router.

Activity Procedure Complete these steps:

Step 1 Start Internet Explorer on your workstation and launch SDM by connecting to your HQ router via HTTPS (https://HQ-Fa0/0-public-IP-address). Accept the security warnings about opening a secure connection, and accept the self-signed certificate offered by SDM.

Note If the SDM files are not installed in the router flash memory, install them according to the procedure described in the previous lab exercises.

Step 2 Log in as user sdm with the password sdmpassword. Accept all security warnings and log in again as user sdm with the password sdmpassword. Wait for SDM to read the router configuration and load the modules.

Step 3 In SDM, from the Edit menu, choose Preferences.

Step 4 Check the Preview commands before delivering to router check box and click OK.

Step 5 In SDM, click the Configure icon in the toolbar at the top of the SDM window and click the Security Audit icon in the Tasks pane on the left.

Step 6 Click the One-step lockdown button.


Step 7 An SDM warning will appear. Click Yes.


Step 8 Wait until the SDM scans the current router vulnerabilities. A one-step lockdown page will appear, listing services that will be secured. Click the Deliver button.

Step 9 A Deliver Configuration to Router page will appear, listing the commands that will be sent to the router by the one-step lockdown function.

Step 10 Examine the commands and remember a few for later verification on the router. Do not check the Save running config to router’s startup config check box. Click the Deliver button. Click OK after the configuration has been delivered to the router.

Activity Verification Complete these steps to verify the activity:

Step 1 Connect to your HQ router through the console and examine the running configuration, using the show running-config command. Compare it with the commands displayed by the SDM before delivery.

Step 2 Open a command prompt on your workstation and telnet to your HQ router’s Fa0/0 public IP address. The connection should be denied.


Q1) Why did the HQ router deny the Telnet connection after executing the one-step lockdown?

Step 3 Start the PuTTY program on the workstation desktop. Enter your HQ router’s Fa0/0 public IP address in the address field, select the SSH radio button, and click Open.


Step 4 Save the public key provided by your HQ router in the registry by clicking Yes in the PuTTY Security Alert window. Log in as user sdm with the password sdmpassword. You should now have access to your HQ router vty port via SSH.

Task 2: Configure IOS Login Enhancement In this task, you will configure your HQ router with IOS login security features, including blocking the access after an excessive number of failed login attempts.

Activity Procedure Complete this step on your workstation:

Step 1 Use the Cisco VPN Client on your workstation to VPN into your HQ router. After you VPN in, your VPN client should be assigned an internal IP address in the range of 10.0.x.10/24 to 10.0.x.20/24. From the Cisco VPN Client Statistics screens, determine the internal IP address assigned to your VPN client. Split tunneling is enabled, so only traffic destined to network 10.0.0.0 will be tunneled.

Complete these steps from your HQ router console:

Step 2 Configure syslog logging to your Cisco VPN Client internal IP address determined from Step 1 at the debugging level.

Step 3 Block the login access for 300 seconds after three failed login attempts within 60 seconds.

Step 4 Create a named standard ACL called quiet that permits access from the addresses of your branch router.

Step 5 Allow access to your HQ router during the quiet mode from your branch router. Use the ACL that you created in previous step.

Step 6 Log every failed login attempt to the workstation.

Step 7 Limit the login rate to protect your HQ router from dictionary attacks by setting the delay between two consecutive login attempts to five seconds.
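Steps 2 through 7 written out as Cisco IOS CLI commands for the HQ router console. This is an added example, not part of the lab guide; the syslog destination 10.0.1.10 (the VPN client internal address from Step 1) and the branch router address 10.0.1.2 are placeholders for your pod's values.

```cisco
! Added example (not from the lab guide): IOS login enhancement on the HQ router.
! 10.0.1.10 = VPN client internal address (placeholder, use the value from Step 1)
! 10.0.1.2  = branch router address (placeholder, use your pod's value)
configure terminal
!
! Step 2: send syslog messages, up to the debugging level, to the workstation
! over the VPN tunnel
logging host 10.0.1.10
logging trap debugging
!
! Step 3: after 3 failed logins within 60 seconds, enter quiet mode for 300 seconds
login block-for 300 attempts 3 within 60
!
! Step 4: named standard ACL listing the hosts that stay allowed during quiet mode
ip access-list standard quiet
 permit host 10.0.1.2
 exit
!
! Step 5: exempt the branch router from the quiet-mode block
login quiet-mode access-class quiet
!
! Step 6: generate a syslog message for every failed login
login on-failure log
!
! Step 7: enforce at least 5 seconds between successive login attempts
login delay 5
end
!
! Verification (Activity Verification Steps 4 and 7)
show login
show login failures
```

The show login output reports whether the router is currently in quiet mode and how many seconds remain; show login failures lists the source addresses and usernames of the failed attempts that triggered it, which is what you will correlate with the messages received by the syslog daemon.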


Activity Verification Complete these steps to verify the activity:

Step 1 Start the Kiwi Syslog Daemon on your workstation by clicking its desktop icon.

Step 2 Start the PuTTY program located on the workstation desktop. Connect via SSH to your HQ router’s Fa0/0 public IP address, and provide the wrong password three times. Notice that the router uses a login rate of one attempt per 5 seconds. After three failed attempts, the session should be disconnected.

Q1) Why does the router limit the rate of login attempts?

Step 3 View the logged messages in the syslog server on your workstation.

Step 4 Verify the current mode of the login feature, using the show login command. The HQ router should be in quiet mode.

Step 5 Attempt to SSH to your HQ router for the fourth time. The connection should be refused.

Q2) Why did the login attempt fail?


Step 6 SSH to your HQ router from the branch router. Provide correct credentials. The login attempt should succeed.

Q3) Why did the login attempt succeed?

Step 7 Use the show login failures and show login commands on your HQ router to examine the login status and determine how much longer your HQ router will remain in quiet mode.


Lab 5-2: Securing Cisco Router Management Complete this lab activity to practice what you learned in the related module.

Activity Objective In this activity, you will secure Cisco router administrative access and configure authenticated NTP communications. After completing this activity, you will be able to meet these objectives:

Configure a role-based CLI view

Configure a Cisco router as an NTP server

Configure a Cisco router as an NTP client

Secure the IOS image and configuration file

Visual Objective The figure illustrates what you will accomplish in this activity.


Visual Objective for Lab 5-2:Securing Cisco Router Management

Required Resources These are the resources and equipment that are required to complete this activity:

Routers preconfigured for IP connectivity

Command List The table describes the commands that are used in this activity.


Cisco IOS Commands

Command Description

enable view view_name Accesses a CLI view

parser view view_name Creates a CLI view

parser view view_name superview Creates a superview

secret Sets a password in view configuration mode

commands Specifies accessible commands in view configuration mode

view Adds a view to a superview in superview configuration mode

username name view viewpassword password Creates a username and associates it with a CLI view

clock set Configures the system clock

ntp master Configures an NTP stratum

ntp authentication-key Defines an NTP authentication key

ntp trusted-key Declares a trusted NTP key

ntp peer Configures an NTP peer

ntp server Configures an NTP server

ntp source Sources NTP packets from a specified interface

secure boot-config Secures the running configuration file

secure boot-image Secures the primary image file

Dir Displays the file system (rommon mode)

Boot Boots from an image (rommon mode)

secure boot-config restore Restores the secured configuration file to a location

show login Verifies the login enhancement status

show parser view Displays the current view

show secure-bootset Verifies the secured startup configuration and primary image

show ntp associations Displays NTP associations

show ntp status Displays NTP status

show clock Displays current system clock

Job Aids There are no additional job aids for this activity.


Task 1: Configure a Role-Based CLI View In this task, you will configure the role-based CLI access on your branch router.

Activity Procedure Complete these steps on your branch router:

Step 1 Access the router through the console port. Configure AAA new-model.

Step 2 Remove the privilege level 15 setting from the console line and the vty lines.

Step 3 Exit from the CLI session and connect through the CLI again.

Step 4 Enter the root view. Verify that you are in the root view, using the show parser view command.

Step 5 Create a view named vpn that will be used to manage IPsec VPN. Secure access to the vpn view with the password vpnpassword.

Tip The CLI may not provide syntax help for the parser view command. In that case, you cannot use question marks to display command options.

Step 6 Add all exec commands, starting with show crypto, to the vpn view.

Step 7 Add all exec commands, starting with debug crypto, to the vpn view.

Step 8 Add the exec command configure terminal to the vpn view.

Step 9 Add all configuration commands, starting with crypto, to the vpn view. Exclude these commands from all other views.

Step 10 Add the interface configuration command to the vpn view.

Step 11 Add all interface FastEthernet0/1 configuration commands to the vpn view. This should allow the vpn view to apply crypto maps to this interface.

In these steps, you will examine the vpn view:

Step 12 Enter the vpn view. Type the show parser view command to verify that you are in the vpn view.

Step 13 Type a question mark to display commands available in exec mode.

Note When accessing the router through the console port, you are not prompted for CLI view passwords. If you connected through a vty line, you would have to provide the CLI view password. In this activity, however, you access through the console port.

Q1) Which commands do you see in the exec mode?


Step 14 Enter the show command followed by a question mark to see the available options.

Q2) Which options of the show command do you see?

Step 15 Enter the debug command followed by a question mark to see the available options.

Q3) Which options of the debug command do you see?

Step 16 Enter the configure command followed by a question mark to see available options.

Q4) Which options of the configure command do you see?

Step 17 Enter the configuration mode and type a question mark to see available commands.

Q5) Which configuration commands do you see?

Step 18 Enter the crypto command followed by a question mark to see the available options.

Q6) Which options of the crypto command do you see?

Step 19 Enter the interface command followed by a question mark to see the available options.

Q7) Which options of the interface command do you see?

Step 20 Attempt to enter interface FastEthernet0/0 configuration mode.

Q8) Did you succeed? Why?

Step 21 Attempt to enter interface FastEthernet0/1 configuration mode.

Q9) Did it work?

Step 22 List all commands available in interface FastEthernet0/1 configuration mode.

Q10) Which interface commands do you see?


In these steps, you will configure and test the oper view:

Step 23 Enter the root view and create a view named oper. Secure access to the oper view with the secret operpassword.

Step 24 Add all exec commands, starting with show ip and show interface, to the oper view.

Step 25 Add the exec command configure terminal to the oper view.

Step 26 Add all configuration commands, starting with username, to the oper view.

Step 27 Enter the oper view. Type the show parser view command to verify that you are in the oper view.

Step 28 Check the commands and options available in exec mode.

Q11) Which commands and options are available in exec mode?

Step 29 Enter the configuration mode. Check the commands and options available in the configuration mode.

Q12) Which commands and options are available in the configuration mode?

In these steps, you will configure and test the admin superview:

Step 30 Enter the root view and create a superview named admin with password adminpassword that encompasses both the vpn and oper views.

Step 31 Enter the admin view and type the show parser view command to verify that you are in the admin view.

Step 32 Verify the available commands.

Q13) How did the admin view create its command set?
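The role-based CLI configuration that Steps 1 through 11, 23 through 26, and 30 describe, collected into one CLI sequence for the branch router. This is an added example, not part of the lab guide; it assumes an enable secret is already configured (the root view requires one), and the local user vpnadmin at the end is a placeholder that illustrates the username ... view command from the command list rather than a lab step.

```cisco
! Added example (not from the lab guide): role-based CLI views on the branch router.
! Assumes an enable secret is already set; it is required to enter the root view.
configure terminal
aaa new-model                     ! Step 1: CLI views require AAA
line console 0
 no privilege level 15            ! Step 2: remove the automatic level 15 from the console...
line vty 0 4
 no privilege level 15            ! ...and from the vty lines
end
!
enable view                       ! Step 4: enter the root view (prompts for the enable secret)
show parser view                  ! reports the view you are currently in
!
configure terminal
! Steps 5-11: the vpn view, limited to IPsec-related commands
parser view vpn
 secret vpnpassword
 commands exec include all show crypto
 commands exec include all debug crypto
 commands exec include configure terminal
 commands configure include-exclusive all crypto    ! Step 9: crypto config only from this view
 commands configure include interface               ! Step 10
 commands configure include all interface FastEthernet0/1   ! Step 11
 exit
! If commands inside interface configuration mode are also needed, they are
! added with "commands interface include ..." (not one of the lab steps).
!
! Steps 23-26: the oper view, limited to read-only IP/interface commands
! and user management
parser view oper
 secret operpassword
 commands exec include all show ip
 commands exec include all show interfaces
 commands exec include configure terminal
 commands configure include all username
 exit
!
! Step 30: a superview whose command set is the union of the views it contains
parser view admin superview
 secret adminpassword
 view vpn
 view oper
 exit
!
! Placeholder user bound to a view, so a vty login lands in that view directly
username vpnadmin view vpn password vpnpassword
end
!
! Steps 12, 27 and 31: switch between views and confirm where you are
enable view vpn
show parser view
```

Two points worth keeping in mind when you compare this with your own output in Steps 13 through 22: include-exclusive in the vpn view removes the crypto configuration commands from every other view, including the root view's peers such as oper, and a superview never gets commands of its own, only those inherited from the views added with the view command.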

Activity Verification You have completed this task when you have correctly answered the questions within the steps.

Task 2: Configure Cisco Routers for NTP In this task, you will configure your branch router as the NTP server and the HQ router as the NTP client.

Activity Procedure Complete these steps on the routers in your pod:

In these steps, you will configure the NTP server on your branch router:

Step 1 Set the system clock on your branch router to the current value.

Step 2 Configure your branch router as the NTP server with NTP stratum 4.


Step 3 Define an NTP authentication password. Use key number 1, message digest md5, and password ntpsecret.

Note The key number is locally significant. It is not transmitted in NTP messages.

Step 4 Set the Loopback0 address to be the source IP address of the NTP server messages.

Step 5 Define your HQ router loopback address as an NTP peer, and authenticate NTP server messages to that peer with the key number 1.

In these steps, you will configure the NTP client on your HQ router:

Step 6 Verify the system clock on the HQ router and compare it with the clock on the branch router.

Note The time on both routers should be unsynchronized at this point. If the time on the HQ router is the same as on the branch router, set the time on the HQ router to an incorrect value.

Step 7 Define an NTP authentication password on your HQ router. Use key number 2, message digest md5, and password ntpsecret.

Step 8 Configure your HQ router as the NTP client of the branch router.

Step 9 Declare the authentication key number 2 as trusted.

Step 10 Source the NTP packets from the Loopback0 interface.
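Steps 1 through 10 as CLI commands on both routers. This is an added example, not part of the lab guide; the Loopback0 addresses 10.0.1.1 (branch) and 10.0.1.3 (HQ) and the clock value are placeholders, and the ntp authenticate command on the HQ router is an addition that is not one of the lab steps.

```cisco
! Added example (not from the lab guide): authenticated NTP between the pod routers.
! Loopback0 addresses are placeholders: 10.0.1.1 = branch router, 10.0.1.3 = HQ router.
!
! ---- Branch router: NTP server (Steps 1-5) ----
clock set 14:30:00 15 June 2006                ! Step 1 (privileged exec; use the real time)
configure terminal
ntp master 4                                   ! Step 2: act as a stratum-4 reference clock
ntp authentication-key 1 md5 ntpsecret         ! Step 3: key number 1, MD5, password ntpsecret
ntp source Loopback0                           ! Step 4
ntp peer 10.0.1.3 key 1                        ! Step 5: peer with HQ, sign packets with key 1
end
!
! ---- HQ router: NTP client (Steps 7-10) ----
configure terminal
ntp authentication-key 2 md5 ntpsecret         ! Step 7: key number 2, same password
ntp server 10.0.1.1 key 2                      ! Step 8: branch router is the server
ntp trusted-key 2                              ! Step 9: accept time only if it is signed with key 2
ntp authenticate                               ! not a lab step: without it, IOS does not
                                               ! enforce the check that trusted-key describes
ntp source Loopback0                           ! Step 10
end
!
! ---- Verification (Activity Verification Steps 1-2) ----
show ntp associations
show ntp status
show clock
```

On the client, ntp trusted-key alone only declares which key ids are acceptable; it is ntp authenticate that makes the router refuse to synchronize to a source whose packets do not carry a valid MAC with one of those keys. In show ntp associations, the reference the router has actually chosen is marked with an asterisk, and show ntp status moves from "Clock is unsynchronized" to "Clock is synchronized, stratum 5" once the exchange with the stratum-4 branch router succeeds.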

Activity Verification Complete these steps to verify this activity:

Step 1 Verify NTP associations and status on the routers in your pod.

Note If the status has not yet reached the synchronized state, wait and observe the synchronization process. The synchronization process may take up to 5 minutes. You may use the debug ntp events command or other NTP debugging commands to gain more insight into the communications.

Step 2 Verify the system clock on the routers in your pod. The time on the HQ router should be synchronized to the clock on the branch router.

Step 3 Save the running configuration on your routers.

Task 3 (Optional): Secure the IOS Image and Configuration File In this task, you will implement Cisco IOS resilient configuration on your branch router.

Activity Procedure Complete these steps on your branch router:

Step 1 Secure the boot image.

Step 2 Secure the configuration file.


Activity Verification You have completed this task when you attain these results:

Step 1 Verify the secure bootset configuration, using the show secure bootset command. Identify the name of the secure archive of the running configuration (runcfg-…).

Step 2 Verify that neither the image file nor the archived running configuration is visible in the flash memory, using the dir flash: command.

Step 3 Attempt to delete the image file from flash, using the delete command. This operation should fail.

Step 4 Attempt to delete the secure archived running configuration file, using the delete command. This operation should fail.

Step 5 Simulate a router compromise by erasing the startup configuration, using the erase startup-config command and reloading the branch router with the reload command without saving the running configuration.

Step 6 Break the boot process by sending the Break sequence (that is, by holding down the Ctrl and the Break keys a few seconds after the router starts the boot process). You will enter the rommon mode.

Step 7 Verify the existence of the secure bootset, using the dir flash: command.

Step 8 Start the boot process with the boot command pointing to the secure image file location.

Step 9 Decline to enter the initial configuration dialog.

Step 10 Restore the secured running configuration to a file on flash, for example flash:restored-cfg, using the secure boot-config restore flash:restored-cfg command.

Step 11 Verify that the restored configuration file is visible in the flash memory.

Step 12 Copy the restored file to the running configuration.

Step 13 Activate the FastEthernet interfaces that have been shut down.

Step 14 Return the router to the default state by disabling the IOS resilient configuration.
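The resilient configuration procedure and its verification, Steps 1 and 2 of the procedure and Steps 1 through 14 of the verification, as a console transcript. This is an added example, not part of the lab guide; the image file name c2800nm-image.bin is a placeholder for whatever show secure bootset reports on your router.

```cisco
! Added example (not from the lab guide): Cisco IOS Resilient Configuration.
! The image name c2800nm-image.bin is a placeholder; read the real name from
! 'show secure bootset'.
!
! ---- Procedure Steps 1-2: secure the image and the running configuration ----
Router# configure terminal
Router(config)# secure boot-image          ! hides the image from 'dir' and blocks deletion
Router(config)# secure boot-config         ! archives the running config in the secure bootset
Router(config)# end
!
! ---- Verification Steps 1-4 ----
Router# show secure bootset                ! note the runcfg-... archive name
Router# dir flash:                         ! neither the image nor the archive is listed
Router# delete flash:c2800nm-image.bin     ! fails: the image is secured
!
! ---- Step 5: simulate a compromise ----
Router# erase startup-config
Router# reload                             ! answer no when asked to save the running config
!
! ---- Steps 6-9: recover from ROMMON (send the Break sequence during boot) ----
rommon 1 > dir flash:                      ! the secure bootset is visible from ROMMON
rommon 2 > boot flash:c2800nm-image.bin    ! boot the secured image
! When the image comes up, decline the initial configuration dialog.
!
! ---- Steps 10-14: restore the archived configuration ----
Router> enable
Router# configure terminal
Router(config)# secure boot-config restore flash:restored-cfg
Router(config)# end
Router# dir flash:                         ! restored-cfg is now a visible file
Router# copy flash:restored-cfg running-config
Router# configure terminal
Router(config)# interface range FastEthernet0/0 - 1
Router(config-if-range)# no shutdown       ! Step 13: interfaces come up shut down after reload
Router(config-if-range)# exit
Router(config)# no secure boot-image       ! Step 14: disable resilient configuration
Router(config)# no secure boot-config
Router(config)# end
```

The point of the exercise is that erase startup-config and the reload destroy only the normal copies: the secure bootset is not reachable through the IOS file system commands, so it survives an attacker who has obtained privileged EXEC, and it can only be disabled from a console session, never over a remote one.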


Lab 5-3: Configuring AAA Login Authentication and Exec Authorization on Cisco Routers

Complete this lab activity to practice what you learned in the related module.

Activity Objective In this activity, you will configure the perimeter router to work with the local database and enable a password and line authentication to provide authentication, authorization, and accounting services. After completing this activity, you will be able to meet these objectives:

Configure local database authentication using AAA for the enable, line, and local methods so that you can experience the differences between the methods

Configure exec authorization against the local user database

Test authentication and authorization using debug

Configure the router to authenticate to the Cisco Secure ACS database

Visual Objective This figure displays the configuration that you will complete in this lab exercise.


Visual Objective for Lab 5-3: Configuring AAA Login Authentication and Exec Authorization

Required Resources No resources are required to complete this activity.


Command List The table describes the commands used in this activity.

Command Description

aaa new-model Enables AAA features.

username Creates a local user account and configures the password.

aaa authentication login default enable Configures login authentication to use the enable password.

aaa authentication login {default | list-name} method1 [method2...] Configures login authentication to use methods from the list.

aaa authorization exec Configures exec authorization to use methods from the list.

show clock Displays the time in the router clock.

service timestamps debug datetime msec Adds the date and time to debug messages.

logging console Enables router console logging. Arguments control which messages are logged to the console, based on severity.

login authentication Specifies the authentication method in line configuration mode.

tacacs-server Configures the TACACS+ server parameters.

debug aaa authentication Enables AAA authentication debugging.

debug aaa authorization Enables AAA authorization debugging.

show privilege Displays your current level of privilege.

Job Aids There are no additional job aids for this activity.


Task 1: Configure Local Database Authentication Using AAA In this task, you will configure local database authentication using authentication, authorization, and accounting (AAA) for the enable, line, and local methods, so that you can experience the differences between the methods.

Activity Procedure Complete these steps on your branch router:

Step 1 Make sure that on your branch router, the AAA features are turned on.

Step 2 Create the local username localuser and the password localpassword.

Step 3 Configure the enable password training.

Step 4 Configure login authentication to use the enable password (or enable secret if it exists) as the default method.

Step 5 Log out of the branch router.

Step 6 Access the router through the console port again. You should be prompted for a password.

Q1) Which password should you use? Why?

Step 7 Create a login authentication method named local_method to authenticate users against the local database. Apply this authentication method to the vty lines.

Step 8 From your HQ router, telnet to your branch router address (10.0.x.2). Test the vty line authentication method that you just configured.

Q2) How did you authenticate to the router when connecting via a Telnet session?

Step 9 Save the running configuration on your branch router.

Activity Verification You have completed this task when you have correctly answered the questions within the steps.

Task 2: Configure AAA Exec Authorization Using Local User Database

In this task, you will configure AAA exec authorization, using the local user database.

Activity Procedure Complete these steps on your branch router:

Step 1 Create the local username localadmin and the password adminpassword and assign this user to the privilege level 15.


Step 2 From your HQ router, telnet to your branch router (10.0.x.2). Authenticate as user localadmin with the password adminpassword.

Step 3 Verify the privilege level that you accessed. Do not enter the privilege mode using the enable command.

Q1) Which privilege level have you been placed at? Why?

Step 4 Disconnect the Telnet session from the HQ router to the branch router.

Step 5 Create an exec authorization method named local_author to authorize users against the local database. Apply this authorization method to the vty lines.

Step 6 From your HQ router, telnet to your branch router (10.0.x.2). Log in using the username localadmin with the password adminpassword again.

Step 7 Verify the privilege level.

Q2) Which privilege level have you been placed at? Why?

Step 8 Disconnect the Telnet session from the HQ router to the branch router and save the running configuration on your branch router.
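Task 1 and Task 2 as CLI commands on the branch router, so that the three authentication methods (enable, line default, local) and the effect of exec authorization can be compared side by side. This is an added example, not part of the lab guide; 10.0.x.2 is the branch router address as the lab writes it.

```cisco
! Added example (not from the lab guide): AAA login authentication and exec
! authorization against the local database on the branch router (Tasks 1 and 2).
configure terminal
aaa new-model                                   ! Task 1 Step 1: turn AAA on
username localuser password localpassword       ! Step 2: local account
enable password training                        ! Step 3
!
! Step 4: the default login method list uses the enable password (or enable
! secret if one exists); it applies to every line that has no named list
aaa authentication login default enable
!
! Step 7: a named method list that uses the local user database, applied to the
! vty lines only; the console keeps using the default list
aaa authentication login local_method local
line vty 0 4
 login authentication local_method
 exit
!
! Task 2 Step 1: a user whose configured privilege level is 15
username localadmin privilege 15 password adminpassword
!
! Step 5: exec authorization against the local database; the configured
! privilege level is only applied to the exec session when this is in place
aaa authorization exec local_author local
line vty 0 4
 authorization exec local_author
end
copy running-config startup-config               ! Step 8 (and Task 1 Step 9)
!
! From the HQ router (Task 1 Step 8, Task 2 Steps 2 and 6):
!   telnet 10.0.x.2
!   show privilege        ! compare the level reported before and after Step 5
```

Use show privilege in the Telnet session both before and after the authorization exec line is applied; the difference is the answer to Q1 and Q2 of Task 2. Note that a method list applied to a line overrides the default list only for that line, which is why the console still asks for the enable password after Step 7.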

Activity Verification You have completed this task when you have correctly answered the questions within the steps.

Task 3: Test Authentication and Authorization Using Debug In this task, you will look at the indicators for successful and unsuccessful authentication and authorization attempts.

Activity Procedure Complete these steps on your branch router:

Step 1 Check the system clock and, if needed, set it to the current value.

Step 2 Enter global configuration mode and ensure that you have detailed time stamp information for your debug output in the console session.

Step 3 Enable logging to the console at the debugging level.

Step 4 Turn on debugging for AAA authentication and authorization.

Step 5 Trigger an AAA authentication event by connecting via Telnet to your branch router (10.0.x.2) and authenticating against the local user database.

Step 6 Examine the information presented by the debug command.

Step 7 Exit from the Telnet session and connect again, but this time enter an incorrect password.

Step 8 Examine the information presented by the debug command.


Step 9 Turn off all debugging to the console, using the no debug all command. You will need to enter the enable mode to turn off debugging.

Activity Verification You have completed this task when you attain this result:

You examined authentication and authorization debugging information for both successful and failed login attempts.

Task 4: Configure the Router to Authenticate to the Cisco Secure ACS Database

In this task, you will configure your HQ router for authentication using a Cisco Secure ACS database. Cisco Secure ACS runs on the server that has been preconfigured with credentials listed in the table.

Cisco Secure ACS Credentials

Credential Value

TACACS+ server address 10.6.6.254

TACACS+ secret training

Username in ACS cisco

User password cisco123

User-specific enable password ciscoenable

Activity Procedure Complete these steps on your HQ router:

Step 1 Log in to the HQ router as user sdm with the password sdmpassword.

Step 2 Configure the IP address of the TACACS+ server to 10.6.6.254. Encrypt and authenticate TACACS+ communications, using the password training.

Step 3 Create an authentication method named aaa_login that authenticates against the TACACS+ server and, as a backup, against the local user database.

Step 4 Create an exec authorization method named aaa_exec that authorizes exec sessions against the TACACS+ server and, as a backup, against the local user database.

Step 5 Apply the methods aaa_login and aaa_exec to the vty lines.

Step 6 Offload the authentication of the privilege mode (enable authentication) to the TACACS+ server, and as a backup, using the local enable password.

Step 7 Activate AAA authentication and authorization debugging. Set the console logging to the debugging level (level 7).
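The TACACS+ configuration of Task 4, together with the debug setup from Task 3, as CLI commands on the HQ router. This is an added example, not part of the lab guide; the server address 10.6.6.254 and the secret training come from the credentials table above, and the aaa new-model line is included only so the block is complete on a router that does not already have it.

```cisco
! Added example (not from the lab guide): HQ router authenticating to Cisco Secure
! ACS over TACACS+ with local fallback (Task 4), plus the debug setup of Task 3.
configure terminal
aaa new-model                               ! harmless if already present
!
! Task 3 Steps 2-3: millisecond timestamps on debug output, shown on the console
service timestamps debug datetime msec
logging console debugging
!
! Task 4 Step 2: TACACS+ server and the shared secret from the credentials table
tacacs-server host 10.6.6.254
tacacs-server key training
!
! Steps 3-4: ask the ACS first; use the local database only if the ACS is unreachable
aaa authentication login aaa_login group tacacs+ local
aaa authorization exec aaa_exec group tacacs+ local
!
! Step 5: apply both method lists to the vty lines
line vty 0 4
 login authentication aaa_login
 authorization exec aaa_exec
 exit
!
! Step 6: enable-mode authentication via the ACS, local enable password as backup
aaa authentication enable default group tacacs+ enable
end
!
! Step 7 (and Task 3 Step 4): watch the exchanges while a vty user logs in
debug aaa authentication
debug aaa authorization
!
! Verification Step 4: return the vty lines to the local method lists
configure terminal
line vty 0 4
 authorization exec local_author
 login authentication local_authen
end
undebug all                                 ! same effect as 'no debug all'
```

The fallback in a method list is taken only when a method returns an error, that is, when no TACACS+ server answers; a server that answers and rejects the credentials is a failure, and IOS does not go on to try the local database. That is the distinction behind Q1 and Q2 of the verification: with the ACS reachable, the cisco/cisco123 and ciscoenable credentials from the table are the ones that work, and the local accounts only apply when the server is down.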


Activity Verification Complete these steps to verify this activity:

Step 1 Launch the PuTTY program on your workstation desktop and open an SSH session to your HQ router (Fa0/0 IP address).

Step 2 Log in, using credentials listed at the beginning of this task.

Q1) What credentials did you use to access the HQ router and why?

Q2) Which credentials would you need to use if the ACS server failed?

Step 3 Enter privileged-exec mode using the appropriate enable password.

Q3) What enable password did you use and why?

Q4) Can multiple enable passwords exist in the system?

Step 4 Return the authentication and authorization settings of the vty lines to initial local authentication, using the authorization exec local_author and login authentication local_authen commands.

Step 5 Log out of the SSH session and save the configuration on your HQ router.


Lab 6-1: Configuring a Cisco IOS Firewall Complete this lab activity to practice what you learned in the related module.

Activity Objective In this activity, you will configure an advanced firewall. After completing this activity, you will be able to meet these objectives:

Select and configure the basic firewall option

Select and configure the advanced firewall option

Configure advanced inspection rules

Confirm your configuration

Verify the firewall for proper operations

Review the firewall log

Visual Objective The figure illustrates what you will accomplish in this activity.


ISCW 1.0 Lab Topology

Required Resources These are the resources and equipment that are required to complete this activity:

Routers preconfigured with IP addresses and routing

SDM files installed in the flash memory of your HQ and branch routers


Command List The table describes the commands that are used in this activity. You use the SDM to configure the Cisco IOS firewall.

Cisco IOS Commands

Command Description

show running-config Displays the running configuration

show ip inspect session Displays the IOS firewall state table

show ip inspect config Displays the IOS firewall settings

ssh -l username Opens an SSH session with a username login

Job Aids No job aids are needed to complete the lab activity.


Task 1: Configure the Basic Firewall In this task, you will use the SDM Basic Firewall wizard to configure your branch router.

Note In this task, you will configure the SDM on the branch router, not the HQ router as you did previously.

Activity Procedure Complete these steps:

Step 1 Ensure that the Cisco VPN Client on your workstation has a VPN tunnel established to your HQ router public address. If not, connect using group name VPN_Group and group password secretkey. Authenticate as user sdm with the password sdmpassword.

Step 2 Open a web browser on your workstation and launch the SDM by connecting via HTTPS to your branch router (10.0.x.2).

Note If you cannot connect to your branch router via HTTPS, delete the currently configured crypto PKI trustpoint, if one exists, and re-enable ip http secure-server. This will create a new self-signed certificate.

Step 3 Authenticate as user sdm with the password sdmpassword as many times as prompted and accept all security warnings.

Step 4 From the Edit menu, choose Preferences.


Step 5 Check the Preview commands before delivering to router check box and click OK.

Step 6 Click the Configure tab, and select the Firewall and ACL icon from the Tasks pane.

Step 7 Choose Basic Firewall and click the Launch the selected task button.

Step 8 Click Next when the Basic Firewall Configuration Wizard presents a configuration overview.

Step 9 Select Serial0/0/0 as the outside interface in the Outside(untrusted) interface drop-down menu. Do not check the Allow secure SDM access from outside interfaces check box.

Note Allowing secure SDM access from outside interfaces would permit HTTPS management traffic to the router arriving on the outside (untrusted) interface.


Step 10 Check the FastEthernet0/0 and FastEthernet0/1 check boxes in the Inside(trusted) interface section. Click Next.

Step 11 Click OK when an alert indicates that you cannot launch the SDM from the outside interface.


Step 12 View the Internet Firewall Configuration Summary and click Finish.

Step 13 Permit EIGRP updates to come through the firewall by clicking the OK button when the Routing traffic configuration window appears.

Step 14 Examine the commands in the Deliver Configuration to Router window and click the Deliver button. Click OK twice to accept the command delivery.


Activity Verification Complete these steps to verify the activity:

Step 1 View the ACLs and inspection rules in the outbound and inbound directions in the SDM, under the Edit Firewall Policy/ACL tab.

Step 2 Open a terminal session to the branch router through the console port. Authenticate with the enable password training. Access the enable mode using the same password.

Note Login authentication on the console port has been configured to use the enable method in the previous activity. Login authentication on vty lines uses the local user database.

Step 3 View the configuration of the branch router. Verify that the commands generated by the Basic Firewall wizard have been deployed successfully.

Step 4 Close the SDM window and all browsers on your workstation.

Step 5 Shut the S0/0/0 interface on your HQ router so that the ISP router has only one path to your pod—via your branch router.

Step 6 From your HQ router, telnet to the ISP router (10.10.10.10).

Step 7 With the HQ Telnet session still active to ISP, display the firewall state table on your branch router, using the show ip inspect session command. You should see an open outbound Telnet session to 10.10.10.10.

Step 8 Verify the branch firewall settings, using the show ip inspect config command.

Step 9 From the ISP router, attempt to SSH to your HQ router (10.0.x.1), using the ssh -l command. The attempt should fail.


Task 2: Configure the Advanced Firewall

In this task, you will launch the Advanced Firewall wizard available in SDM to configure the Cisco IOS firewall on your HQ router.

Activity Procedure Complete these steps:

Step 1 Open a web browser on your workstation and launch the SDM by connecting via HTTPS to your HQ router (Fa0/0 public IP address).

Step 2 Authenticate as user sdm with the password sdmpassword as many times as prompted and accept all security warnings.

Step 3 From the Edit menu, choose Preferences, and check the Preview commands before delivering to router check box.

Step 4 Click the Configure tab in the SDM, and select the Firewall and ACL icon from the Tasks pane.

Step 5 Choose Advanced Firewall and click the Launch the selected task button.

Step 6 Click Next when the Advanced Firewall Configuration Wizard presents a configuration overview.

Step 7 Select FastEthernet0/1 as the outside interface by checking its box in the Outside (untrusted) column.

Step 8 Select FastEthernet0/0 as the inside interface by checking its box in the Inside (trusted) column.


Step 9 Choose the Loopback0 interface from the DMZ Interface (Optional) drop-down menu. Do not check the Allow secure SDM access from outside interfaces check box. Click Next.

Step 10 Click OK when an alert indicates that you cannot launch the SDM from the outside interface. The Advanced Firewall DMZ Service Configuration window appears.


Step 11 Click Add and create an entry for the SSH service running on your HQ router. Enter the HQ router Loopback0 address (10.0.x.1) in the Start IP Address and End IP Address fields. Choose the TCP radio button, enter 22 in the Service section, and click OK.

Note In the lab environment, there is no server attached to the HQ router DMZ. The SSH server running on the HQ router Loopback0 will be used to simulate a server for testing purposes.

Step 12 Click Add and create an entry for a nonexistent TFTP service running on your HQ router. Enter the HQ router Loopback0 address in the Start IP Address and End IP Address fields. Choose the UDP radio button and select tftp(69) in the Service section.

Step 13 Click OK.


Step 14 Click Next. The Advanced Firewall Security Configuration window appears.

Note You could select the default SDM Application Security Policy for generic TCP and UDP inspection.

Step 15 Choose the Use a custom Application Security Policy radio button.

Step 16 Click the Policy Name selection button and choose the Create a new policy option.


Step 17 Click the Application/Protocols group in the Application Security window. Check the tcp and udp check boxes in the Root > General menu.

Step 18 Check the tftp check box in the Root > Applications > File Transfer menu.


Step 19 Click OK. You return to the Advanced Firewall Security Configuration window. A new custom policy (appfw_100) appears in the custom Application Security Policy field.

Step 20 Click Next to accept the new custom application security policy.

Step 21 View the Internet Firewall Configuration Summary and click Finish.


Step 22 Permit EIGRP updates to come through the firewall by clicking the OK button when the Routing traffic configuration window appears.

Step 23 Examine the commands in the Deliver Configuration to Router window and click the Deliver button. Click OK twice to accept the delivery.

Activity Verification Complete this step to verify the activity:

Step 1 Open a terminal session to the console port of your HQ router. Log in as user sdm with the password sdmpassword. View the router configuration and verify that the firewall commands have been deployed successfully.


Task 3: View and Test the Advanced Firewall

In this task, you will use the SDM to view the security policy deployed by the Advanced Firewall wizard on your HQ router and test its operations.

Activity Procedure Complete these steps:

Step 1 Select the Edit Firewall Policy/ACL within the Firewall and ACL task under the Configuration tab in the SDM of your HQ router.

Step 2 Use the Select a direction section and the Originating traffic and Returning traffic radio buttons to specify all possible flows between the interfaces FastEthernet0/0, FastEthernet0/1, and Loopback0. Investigate the ACLs and the applications inspected by the firewall rules applied to each interface of the HQ router.

Step 3 Open a terminal session to the console port of your branch router. Log in with the enable password training.

Step 4 From the branch router, start an SSH session to the HQ router Loopback0 address (10.0.x.1), using the ssh -l username IP_address command, where username is cisco. The password is cisco123. The connection should succeed. Disconnect the SSH session.

Q1) Why could you connect to the router SSH server?

Step 5 From the branch router, telnet to the Loopback0 address of the HQ router (10.0.x.1). The connection should fail.

Q2) Why did the Telnet session fail?


Step 6 Open a command prompt window on your workstation and telnet to the branch router (10.0.x.2). The connection should succeed. Log in as user sdm with the password sdmpassword.

Q3) Why did the Telnet connection work?

Activity Verification You have completed this task when you have correctly answered the questions within the steps.

Task 4: View the Firewall Log

In this task, you will use the SDM to view the firewall log of your HQ router.

Activity Procedure Complete these steps:

Step 1 Click the Additional Tasks button and choose Router Properties > Logging. Double-click Logging Level in the right pane, or select Edit, and verify that logging has been enabled at the debugging level (level 7).

Step 2 Maximize the SDM window on your workstation and click the Monitor tab in the SDM of your HQ router.


Step 3 Click the Firewall Status task and click the Firewall Log tab.

Step 4 View the log to find any packets that have been denied by the filter on the outside interface, such as the previous Telnet attempt. You should not find any packets.

Step 5 Select the Firewall and ACL configuration task under the Configure button in the SDM. Examine the ACL applied to the outside interface in the inbound direction to determine why no packet drops have been logged under the Firewall Log tab.

Q1) Why are no packet drops logged under the Firewall Log tab?


Step 6 Delete the statement from that ACL that denies all traffic from the private range 10.0.0.0/8 without logging it. Click the Cut button to remove it from the list and then click the Apply Changes button.

Note This statement prevented logging of any denied packets because the packets in this lab are sourced from the private range 10.0.0.0/8. Do not delete such statements in a real-life scenario.
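The reason behind Q1 is the first-match order of the ACL: the silent deny for 10.0.0.0/8 is hit before the logged catch-all deny. The following Python model of IOS extended-ACL evaluation is an added example (not the guide's text or anything SDM generated); the ACL, the pod number (x taken as 1) and the packets are constructed for illustration.

```python
"""Toy first-match model of a Cisco IOS extended ACL, showing why the
'deny ... 10.0.0.0 0.255.255.255 any' entry without the log keyword hides
the branch router's Telnet attempt from the firewall log, and why deleting
it (Step 6) makes the drop appear.  Added example, not the guide's or SDM's
code; the ACL below is constructed and pod number x is taken as 1."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry of an extended ACL."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D wildcard"
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp entries
    log: bool = False            # the 'log' keyword


def match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard-mask comparison: a 1 bit in the mask means don't care."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def ace_matches(ace: Ace, pkt: Dict) -> bool:
    """True when the packet fits every field of the entry."""
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not (match_addr(ace.src, pkt["src"]) and match_addr(ace.dst, pkt["dst"])):
        return False
    return ace.dport is None or ace.dport == pkt.get("dport")


def evaluate(acl: List[Ace], pkt: Dict) -> Tuple[str, bool]:
    """Return (action, logged) for the first matching entry.
    The implicit deny at the end of every IOS ACL never logs."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.log
    return "deny", False


# Constructed inbound ACL on the HQ outside interface, in the spirit of what
# the Advanced Firewall wizard produced: DMZ services first, then the
# anti-spoofing deny for 10.0.0.0/8 (no log), then a logged catch-all.
OUTSIDE_IN_BEFORE = [
    Ace("permit", "tcp", "any", "host 10.0.1.1", dport=22),   # DMZ SSH service
    Ace("permit", "udp", "any", "host 10.0.1.1", dport=69),   # DMZ TFTP service
    Ace("deny", "ip", "10.0.0.0 0.255.255.255", "any"),       # private range, NO log
    Ace("deny", "ip", "any", "any", log=True),                # everything else, logged
]
# The same ACL after Step 6 removed the silent 10.0.0.0/8 entry.
OUTSIDE_IN_AFTER = [a for a in OUTSIDE_IN_BEFORE if a.src != "10.0.0.0 0.255.255.255"]

# Constructed packets: branch router (10.0.1.2) to HQ Loopback0 (10.0.1.1).
TELNET_FROM_BRANCH = {"proto": "tcp", "src": "10.0.1.2", "dst": "10.0.1.1", "dport": 23}
SSH_FROM_BRANCH = {"proto": "tcp", "src": "10.0.1.2", "dst": "10.0.1.1", "dport": 22}


def explain(acl: List[Ace], pkt: Dict) -> str:
    """Human-readable verdict for one packet against one ACL."""
    action, logged = evaluate(acl, pkt)
    return f"{action}, {'logged' if logged else 'not logged'}"


if __name__ == "__main__":
    print("Telnet before Step 6:", explain(OUTSIDE_IN_BEFORE, TELNET_FROM_BRANCH))
    print("Telnet after Step 6: ", explain(OUTSIDE_IN_AFTER, TELNET_FROM_BRANCH))
    print("SSH to DMZ service:  ", explain(OUTSIDE_IN_AFTER, SSH_FROM_BRANCH))
```

Both ACLs drop the Telnet packet; only the second one produces a log entry, which is exactly what the Firewall Log tab shows before and after Step 6.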

Step 7 A Deliver Configuration to Router page appears. Click the Deliver button and then the OK button.

Step 8 Maximize the terminal window of your branch router. From the branch router, telnet to the HQ router Loopback0 address (10.0.x.1). The connection should fail.

Step 9 Maximize the SDM window on your workstation and click the Monitor tab.


Step 10 Click the Firewall Status task and click the Firewall Log tab.

Q2) Why were the Telnet packets denied?

Step 11 Close all windows on your workstation and save the running configuration of your routers.

Activity Verification You have completed this task when you have correctly answered the questions within the steps.


Lab 6-2: Configuring Cisco IOS IPS

Complete this lab activity to practice what you learned in the related module.

Activity Objective In this activity, you will configure Cisco IOS IPS using SDM. After completing this activity, you will be able to meet these objectives:

Enable Cisco IOS IPS on the router

Configure IPS to scan all traffic

Configure IPS to use default signatures

Verify default global settings

Deliver the configuration to the router

Monitor IPS events using the SDEE view

Visual Objective The figure illustrates what you will accomplish in this activity.


Visual Objective for Lab 6-2: Configuring Cisco IOS IPS

Required Resources These are the resources and equipment that are required to complete this activity:

Routers in your pod preconfigured with IP addresses and routing

SDM and appropriate SDF files installed in the flash memory of your HQ and branch routers


Command List No commands are needed because you will perform all operations using the SDM.

Job Aids No job aids are needed to complete the lab activity.


Task 1: Configure Cisco IOS IPS Using the IPS Rule Wizard

In this task, you will enable Cisco IOS IPS on your HQ router.

Activity Procedure Complete these steps on your workstation:

Step 1 Make sure that the Cisco VPN Client is connected via an IPsec tunnel to the HQ router public address (group name VPN_Group and group password secretkey, user name sdm and password sdmpassword).

Step 2 Open a web browser and launch the SDM by connecting to your HQ router public address using HTTPS.

Step 3 Authenticate as user sdm with the password sdmpassword as many times as prompted, and accept all security warnings.

Step 4 From the Edit menu, choose Preferences, and check the Preview commands before delivering to router check box.

Step 5 Click the Configuration tab and click the Intrusion Prevention icon in the task pane.

Step 6 Click the Create IPS tab and click the Launch IPS Rule Wizard button.


Step 7 An information page about SDEE notifications appears. Click OK to activate SDEE notifications.

Step 8 A Deliver Configuration to Router page appears, listing the command that will be sent to the HQ router.

Step 9 Click Deliver and then OK. A page informing you about opening an SDEE subscription appears. Click OK.


Step 10 A welcome page summarizing the configuration tasks appears.

Step 11 Click Next. The Select Interfaces page appears.

Step 12 Apply the IPS rules in the inbound direction to the FastEthernet0/1 interface by checking the appropriate check box in the table.

Note The incoming direction on the untrusted interfaces is the most likely place to check for intrusion attempts.

Step 13 Click Next. The SDF Locations page appears.


Step 14 Click the Add button. The Add a Signature Location page appears.

Step 15 Select the Specify SDF on flash radio button and select 256MB.sdf or 128MB.sdf from the File Name on flash drop-down menu.


Step 16 Click OK to return to the SDF Locations page. Leave the Use Built-In Signatures (as backup) check box checked.

Step 17 Click Next. View the configuration summary.


Step 18 Click Finish. The Deliver Configuration to Router page appears.

Step 19 Examine the commands that will be sent to the router. Click the Deliver button and the OK button.

Step 20 Wait until the IPS engines are loaded. The Signature Compilation Status window appears. Click Close.

Activity Verification You have completed this task when you have examined the commands in an appropriate SDM window.

Task 2: Configure IPS to Scan All Traffic

In this task, you will customize the IPS policy to scan traffic arriving on all interfaces of your HQ router.


Activity Procedure Complete these steps in the SDM running on the workstation PC:

Step 1 Verify that the wizard has placed you under the Edit IPS tab of the Intrusion Prevention task, in IPS Policies.

Step 2 In the IPS Policies section, highlight the FastEthernet0/0 interface and click the Enable button. The Enable IPS on an Interface – FastEthernet0/0 window appears.

Step 3 Select the Inbound radio button. Leave the Enable fragment checking on this interface check box checked. Click OK.

Note Fragment checking is the recommended default setting because it provides detection capabilities for attacks that use fragmented packets.

Step 4 The Deliver Configuration to Router page appears. Examine the commands that will be sent to the router.


Step 5 Click Deliver and OK.

Activity Verification You have completed this task when you have examined the commands in an appropriate SDM window.

Task 3: Configure Global Settings

In this task, you will verify the global logging settings and configure the fail-closed feature on your HQ router.

Activity Procedure Complete these steps in the SDM running on the workstation PC:

Step 1 Choose the Global Settings section under the Edit IPS tab.

Step 2 Double-click any line in the item list. The Edit Global settings page appears.


Step 3 Make sure that Enable Syslog Notification is checked under the Syslog and SDEE tab. Leave the SDEE parameters unchanged.

Step 4 Click the Global Engine tab and check the Enable Engine Fail Closed check box.


Step 5 Click OK. The Deliver Configuration to Router page appears.

Step 6 Examine the command that will be sent to the router. Click Deliver and then OK.

Activity Verification You have completed this task when you have examined the commands in an appropriate SDM window.


Task 4: Tune the Signatures

In this task, you will disable UNIX signatures, lower the severity of the NetBIOS signature with ID 3300, and create your own signature on your HQ router.

Activity Procedure Complete these steps in the SDM of the HQ router running on the workstation PC:

Step 1 Choose the Signatures section under Edit IPS tab.

Step 2 Choose All Categories > OS > UNIX. Click the Select All icon.

Step 3 Click the Disable button and then the Apply Changes button at the bottom of the right pane.


Step 4 The Deliver Configuration to Router page appears.

Step 5 Examine the commands that will be sent to the router. Click Deliver and OK.

Step 6 Wait until the signatures are compiled and click Close.


Step 7 Choose All Categories > Service > NETBIOS/SMB. Highlight the signature with the ID 3300.

Step 8 Click Edit to open the Edit Signature window. Click the Alarm severity green box. The box will turn red, and the configuration drop-down menu will be activated. Select Medium from the drop-down menu.

Step 9 Click OK at the bottom of the window, and then click the Apply Changes button. Wait until the signatures are compiled and click Close.


Step 10 List all STRING.TCP signatures by choosing Engine from the Select By drop-down menu and STRING.TCP from the Engine drop-down menu.

Step 11 Click the Add button and choose the Add new option.

Step 12 An Add signature window appears with parameters for a new custom signature with ID 20000.

Step 13 Click the SigName green box. The box will turn red, and the configuration field will be activated. Enter telnet_attack as the signature name.

Step 14 Scroll down and click the Event action green box. The box will turn red, and the configuration field will be activated. Select alarm and reset as the signature actions. Hold the Ctrl button to make multiple selections.

Step 15 Enter the string [aA][tT][tT][aA][cC][kK] in the RegexString field.

Note The RegexString defines which string seen in a TCP session will trigger an alarm. The syntax shown above will trigger for any combination of lowercase and uppercase characters in the string attack.


Step 16 Enter 23 in the ServicePorts field.

Note Port 23 specifies that Telnet sessions will be inspected for the string attack.

Step 17 Click OK and Apply Changes. Wait until the signatures are compiled and click Close.
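To make the effect of the RegexString, ServicePorts and Event action fields concrete, here is an added Python model of the custom STRING.TCP signature from Steps 10 through 17 (not Cisco IOS IPS code and not from the guide); the TCP sessions it inspects are constructed, pod number x is taken as 1, and it assumes that only client-to-server bytes are matched, that the session's bytes are reassembled before matching, and that each signature fires once per session.

```python
"""Toy STRING.TCP inspector for the telnet_attack signature (ID 20000).
Added example, not Cisco IOS IPS code; the sessions are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class StringTcpSignature:
    """The fields filled in the SDM Add Signature window, under their names."""
    sig_id: int
    sig_name: str
    regex_string: str              # Cisco regex; this toy evaluates it with Python's re
    service_ports: Tuple[int, ...] # server ports whose sessions are inspected
    event_actions: Tuple[str, ...]


# The custom signature created in Task 4 (Steps 12 to 16).
TELNET_ATTACK = StringTcpSignature(
    sig_id=20000,
    sig_name="telnet_attack",
    regex_string=r"[aA][tT][tT][aA][cC][kK]",
    service_ports=(23,),
    event_actions=("alarm", "reset"),
)

Session = Tuple[str, int, str, int]   # (client addr, client port, server addr, server port)


@dataclass(frozen=True)
class Segment:
    """One client-to-server TCP segment as the inspector sees it (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Event:
    """What an SDEE alert for the signature would carry in this toy model."""
    sig_id: int
    sig_name: str
    actions: Tuple[str, ...]
    session: Session


def inspect(segments: Sequence[Segment], signatures: Sequence[StringTcpSignature]) -> List[Event]:
    """Run STRING.TCP-style inspection over client-to-server segments.

    Assumptions of this toy model: a signature is only consulted when the
    server port is listed in ServicePorts; bytes are reassembled per session,
    so a string typed one keystroke per segment (as Telnet does) still
    matches; a signature fires at most once per session; and the 'reset'
    action drops the rest of that session's data.
    """
    streams: Dict[Session, bytes] = {}
    reset: Set[Session] = set()
    fired: Set[Tuple[int, Session]] = set()
    events: List[Event] = []
    for seg in segments:
        session = (seg.src, seg.sport, seg.dst, seg.dport)
        if session in reset:
            continue                      # connection was torn down by 'reset'
        streams[session] = streams.get(session, b"") + seg.payload
        for sig in signatures:
            if seg.dport not in sig.service_ports or (sig.sig_id, session) in fired:
                continue
            if re.search(sig.regex_string.encode(), streams[session]):
                fired.add((sig.sig_id, session))
                events.append(Event(sig.sig_id, sig.sig_name, sig.event_actions, session))
                if "reset" in sig.event_actions:
                    reset.add(session)
    return events


def telnet_keystrokes(text: str, dport: int = 23) -> List[Segment]:
    """Constructed session: workstation to branch router, one character per segment."""
    return [Segment("10.0.1.100", 40000, "10.0.1.2", dport, ch.encode()) for ch in text]


if __name__ == "__main__":
    for ev in inspect(telnet_keystrokes("show ATTack run"), [TELNET_ATTACK]):
        print(f"alert: {ev.sig_name} (ID {ev.sig_id}) actions={ev.actions} session={ev.session}")
```

The mixed-case string still matches because every character class covers both cases, and the same bytes sent to port 80 produce nothing because 80 is not in ServicePorts.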

Activity Verification This activity will be verified in Task 5.


Task 5: Monitor IPS

In this task, you will use the SDM to monitor the IPS events generated by your HQ router.

Activity Procedure Complete these steps in the SDM running on the workstation PC:

Step 1 Choose the SDEE Messages section under Edit IPS tab. Wait until all messages are loaded from the router. You should see many status messages about engine states.

Step 2 Choose Status from the SDEE Messages drop-down menu in the upper-right corner of the window, and then click Refresh. You should still see the status messages.

Step 3 Choose Alerts from the SDEE Messages drop-down menu in the upper-right corner of the window, and then click Refresh. You may see some alerts.

Step 4 Open a web browser on your workstation and launch a Unicode attack against the branch router by accessing http://10.0.x.2/scripts/..%c0%af,. where x is your pod number. The page cannot be displayed.

Step 5 Click the Refresh button in the upper-right corner of the SDM message viewer. After the alerts have been loaded, scroll down to the bottom of the list to see new attacks (WWW IIS Unicode [ID 5114], IIS DOT DOT Execute Attack [ID 3215], and WWW Directory Traversal [ID 3216]). Examine the alerts.

Note If the alarm does not trigger immediately, connect to the main server page http://10.0.x.2, do not authenticate, and then attack the server again.

Step 6 Open a command prompt on your workstation and telnet to your branch router Loopback0 address (10.0.x.2). Log in as user sdm with the password sdmpassword.


Step 7 Simulate an attack against the Telnet service by typing attack at the router prompt. The Cisco IOS IPS on the HQ router should reset the session.

Note The session is dropped because you configured a custom signature that triggers when such a string is detected in a Telnet session.

Step 8 Click the Refresh button in the upper-right corner of the SDM message viewer. After the alerts have been loaded, you should see an alert for your custom signature (telnet_attack, ID 20000).

Step 9 Close all windows on your workstation and save the configuration on your HQ and branch routers.


Lab 6-3: Troubleshooting Security

Complete this lab activity to practice what you learned in the related module.

Activity Objective In this activity, you will, given a network with security holes, determine where the holes are and secure the network. After completing this activity, you will be able to meet these objectives:

Troubleshoot secure management

Mitigate system vulnerabilities

Troubleshoot IPsec VPN

Troubleshoot availability

Visual Objective The figure illustrates what you will accomplish in this activity.


Visual Objective for Lab 6-3: Troubleshooting Security

Required Resources These are the resources and equipment that are required to complete this activity:

Trouble tickets, which should be loaded on your pod routers

Workstation PC with SSH client (such as Putty), syslog server application, and Blue’s Port Scanner


Command List The table describes the commands that are used in this activity.

Cisco IOS Commands

Command                          Description
show clock                       Displays the system clock
clock set                        Sets the system clock
transport input                  Defines which protocols can be used to connect to the terminal line (line configuration mode)
access-class                     Controls access to the terminal line with an ACL (line configuration mode)
aaa authentication login         Sets authentication lists for logins
aaa authorization exec           Sets authorization lists for starting an exec (shell)
debug aaa authentication         Debugs the AAA authentication process
debug aaa authorization          Debugs the AAA authorization process
logging on                       Enables logging to all enabled destinations
logging host                     Sets the syslog server IP address and parameters
logging trap                     Sets the syslog server logging level
show logging                     Displays the logging configuration
auto secure                      Launches the AutoSecure feature
show crypto map                  Displays crypto map settings
show crypto isakmp policy        Displays ISAKMP policy settings
show crypto isakmp key           Displays ISAKMP preshared keys
show crypto ipsec transform-set  Displays IPsec transform set parameters
show crypto isakmp sa            Displays established ISAKMP SAs
show crypto ipsec sa             Displays established IPsec SAs
debug crypto isakmp              Debugs ISAKMP protocol negotiation
debug crypto ipsec               Debugs IPsec SA negotiation
crypto isakmp policy             Defines an ISAKMP policy
crypto isakmp key                Sets a preshared key for ISAKMP
crypto ipsec transform-set       Defines an IPsec transform set
crypto map                       Configures a crypto map
set peer                         Sets the peer address in crypto map configuration mode
set ip access-group              Defines interesting traffic in crypto map configuration mode
set transform-set                Sets the transform set in crypto map configuration mode
show ip inspect config           Displays the Cisco IOS firewall configuration
ip inspect name                  Defines a firewall inspection rule
ip inspect                       Applies a firewall inspection rule to an interface

Job Aids No job aids are needed to complete the lab activity.


Task 1: Troubleshoot Secure Management

In this task, you will troubleshoot problems in a secure management solution.

Activity Procedure Complete these steps:

Step 1 Start the Cisco VPN Client on your workstation and establish a VPN tunnel to your HQ router Fa0/0 public address. Use group name VPN_Group and group password secretkey. Authenticate as user sdm with the password sdmpassword.

Step 2 Make sure that the time on your HQ router is set.

Step 3 Start the Syslog application on your workstation.

Step 4 Start Putty on your workstation and connect via SSH to your HQ router private address 10.0.x.1. The session should fail.

Step 5 Resolve the problem with the remote management of your HQ router by accessing the console port to fix the configuration. You are permitted to use only SSH for remote access. Log in as user sdm with the password sdmpassword.

Note When you SSH to the HQ private address (10.0.x.1), the session is sourced from the internal VPN address. When you connect to HQ Fa0/0 public address, the connection is sourced from the workstation public address. The ACL configuration on the VTY lines should reflect this fact.

Step 6 Fix syslog reporting between your HQ router and workstation.

Step 7 Test remote management connectivity from the workstation to your branch router (10.0.x.2). Use Telnet or SSH. It should not work.

Step 8 Resolve the problem with the remote management connectivity to your branch router by accessing the console port to fix the configuration.

Step 9 Attempt to telnet to your HQ router from your branch router. This connection should be blocked by an ACL on the HQ router and reported to the syslog server running on your workstation. Verify that the syslog server running on your workstation displays the events.

Activity Verification You have completed this task when you attain these results:

You can manage your pod routers.

Syslog server running on the workstation logs denied packets.


Task 2: Mitigate System Vulnerabilities

In this task, you will use the Blue’s Port Scanner installed on the workstation to identify system vulnerabilities. Then you will remove them or block access to them.

Activity Procedure Complete these steps:

Step 1 Launch the Blue’s Port Scanner on your workstation.

Note In real life, the hackers need to scan a large range of addresses to identify vulnerabilities. To save time, you will scan only individual addresses.

Step 2 Scan your HQ router for any open TCP services.

Step 3 Take a note of all open services.

Step 4 Block access to the unneeded services, using an automated method available in the router CLI, and enhance it with manual configuration where needed. You must at least leave SSH activated to be able to manage the router.

Step 5 Scan the HQ router again to verify that the access to the services has been blocked. Take a note of all services that should remain open.

Activity Verification You have completed this task when you attain this result:

After hardening, Blue’s Port Scanner identifies only a few selected services running on the HQ router.

Task 3: Troubleshoot IPsec VPN

In this task, you will troubleshoot an IPsec VPN tunnel configuration.

Activity Procedure Complete these steps:

Step 1 Open a web browser on your workstation and connect via HTTP to the loopback address of your branch router (10.0.x.2). This data is supposed to traverse the preconfigured IPsec tunnel between your HQ and branch routers, but the connection should fail.

Step 2 Fix the VPN problem.

Note Clear ISAKMP and IPsec SAs after reconfiguring crypto parameters.


Step 3 Connect via HTTP to the loopback address of your branch router again to verify that the VPN tunnel works. Log in as user sdm with the password sdmpassword.

Step 4 Check the ISAKMP and IPsec SAs on your routers to verify that they are established.

Activity Verification You have completed this task when you attain this result:

Connectivity through the VPN tunnel works.

Task 4: Troubleshoot Availability

In this task, you will troubleshoot availability issues in a secured network.

Activity Procedure Complete these steps:

Step 1 Open a command prompt on your workstation and ping your branch router (10.0.x.2). The ping will fail.

Step 2 Allow the workstation to ping the branch router. You must not modify any ACLs to achieve this goal.

Step 3 Use a command prompt on the workstation to open an FTP connection to your branch router. Log in as user sdm with the password sdmpassword. List the server directory, using the dir command. The listing will fail, and you should see a message about the failure to build a data connection.

Step 4 Fix the FTP issue. You must not reconfigure any ACLs to achieve this goal.

Step 5 Use the get command to download the file startup-config from the branch router.

Activity Verification
You have completed this task when you attain this result:

You can reach the branch router from the workstation with both ping and FTP, and you can download files from the branch router via FTP.

Answer Key

The correct answers and expected solutions for the activities that are described in this guide appear here.

Lab 3-1 Answer Key: Configuring Frame Mode MPLS

When you complete this activity, your solution will be similar to the results here, with differences that are specific to your device or pod.

Task 1: Enable LDP on the Provider Routers

Configuration commands issued on the HQ router:
HQ(config)#ip cef
HQ(config)#interface FastEthernet0/1
HQ(config-if)#mpls label protocol ldp
HQ(config-if)#mpls ip

Configuration commands issued on the branch router:
Branch(config)#ip cef
Branch(config)#interface FastEthernet0/1
Branch(config-if)#mpls label protocol ldp
Branch(config-if)#mpls ip
Branch(config)#interface Serial0/0/0
Branch(config-if)#mpls label protocol ldp
Branch(config-if)#mpls ip

Task 2: Configure the MTU Size

Configuration commands issued on the HQ router:
HQ(config)#interface FastEthernet0/1
HQ(config-if)#mpls mtu 1512

Configuration commands issued on the branch router:
Branch(config)#interface FastEthernet0/1
Branch(config-if)#mpls mtu 1512

Task 3: Remove MPLS Configuration

Configuration commands issued on the HQ router:
HQ(config)#no ip cef
HQ(config)#interface FastEthernet0/1
HQ(config-if)#no mpls label protocol ldp
HQ(config-if)#no mpls ip
HQ(config-if)#no mpls mtu 1512

Configuration commands issued on the branch router:
Branch(config)#no ip cef
Branch(config)#interface FastEthernet0/1
Branch(config-if)#no mpls label protocol ldp
Branch(config-if)#no mpls ip
Branch(config-if)#no mpls mtu 1512
Branch(config)#interface Serial0/0/0
Branch(config-if)#no mpls label protocol ldp
Branch(config-if)#no mpls ip

Lab 4-1 Answer Key: Configuring Site-to-Site IPsec VPNs

When you complete this activity, your solution will be similar to the results here, with differences that are specific to your device or workgroup.

Task 1: Prepare the Routers for SDM-Based Provisioning

To complete Steps 1 and 2, use these commands on the HQ router:
HQ#show flash
HQ#copy tftp flash

Configuration steps on the HQ router:
HQ(config)#ip http server
HQ(config)#ip http secure-server
HQ(config)#ip http authentication local
HQ(config)#username sdm privilege 15 secret sdmpassword

All subsequent tasks are performed within the graphical user interface of the SDM and are described in the lab task and verification section instructions.

Lab 4-2 Answer Key: Configuring GRE Tunnels over IPsec Using SDM

All tasks are performed within the graphical user interface of the SDM and are described in the lab task and verification section instructions.

Lab 4-3 Answer Key: Configuring IPsec VPN to Back Up a WAN Connection

When you complete this activity, your solution will be similar to the results here, with differences that are specific to your device or pod.

Task 1: Configure IKE Parameters on Both Peers

Configuration steps on the HQ router:
HQ(config)# crypto isakmp policy 100
 encr 3des
 authentication pre-share
 hash sha
 group 2
crypto isakmp key SeCrEtKeY address 10.5.1.2

Configuration steps on the branch router:
Branch(config)# crypto isakmp policy 100
 encr 3des
 authentication pre-share
 hash sha
 group 2
crypto isakmp key SeCrEtKeY address 10.4.1.1

Task 2: Create and Apply Traffic Protection (IPsec) Rules

Configuration steps on the HQ router:
HQ(config)# crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
 mode tunnel
access-list 100 permit ip 172.31.1.0 0.0.0.255 host 10.6.6.254
crypto map MYMAP 10 ipsec-isakmp
 set peer 10.5.1.2
 set transform-set MYSET
 match address 100
interface Serial0/0/0
 crypto map MYMAP

Configuration steps on the branch router:
Branch(config)# crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
 mode tunnel
access-list 100 permit ip host 10.6.6.254 172.31.1.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 set peer 10.4.1.1
 set transform-set MYSET
 match address 100
interface Serial0/0/0
 crypto map MYMAP

Task 3: Establish the Backup IPsec Tunnel

In Step 1, use these commands on the HQ router:
HQ(config)# interface Serial 0/0/0
 no shutdown

In Step 4, use these commands on the HQ router:
HQ(config)# interface FastEthernet 0/1
 shutdown

Task 4: Remove Backup Configuration

Configuration steps on the HQ router:
HQ(config)# interface FastEthernet0/1
 no shutdown
!
interface Serial0/0/0
 no crypto map MYMAP
 exit
no crypto map MYMAP
no crypto ipsec transform-set MYSET
no crypto isakmp policy 100
no crypto isakmp key SeCrEtKeY address 10.5.1.2
no access-list 100

Configuration steps on the branch router:
Branch(config)# interface Serial0/0/0
 no crypto map MYMAP
 exit
no crypto map MYMAP
no crypto ipsec transform-set MYSET
no crypto isakmp policy 100
no crypto isakmp key SeCrEtKeY address 10.4.1.1
no access-list 100

Lab 4-4 Answer Key: Configuring Cisco Easy VPN Server Using SDM

When you complete this activity, your solution will be similar to the results here, with differences that are specific to your device or pod:

Task 1: Configure Easy VPN Server

To complete Step 2, use these commands on the HQ router:
HQ#show flash
HQ#copy tftp flash

Configuration steps on the HQ router:
HQ(config)#ip http server
HQ(config)#ip http secure-server
HQ(config)#ip http authentication local
HQ(config)#username sdm privilege 15 secret sdmpassword

All subsequent tasks are performed within the graphical user interface of the SDM and are described in the lab task and verification section instructions.

Lab 5-1 Answer Key: Securing Cisco Routers

When you complete this activity, your answers will be similar to those that follow.

Task 1: Configure One-Step Lockdown

In this task, you will use the SDM.

Q1) One-step lockdown activated SSH and disabled Telnet as the line access method.

Task 2: Configure IOS Login Enhancement

These commands need to be entered on your HQ router. The IP addresses may differ, depending on your pod.
login block-for 300 attempts 3 within 60
ip access-list standard quiet
 permit host 10.2.1.2
 exit
!
login quiet-mode access-class quiet
login delay 5
!
logging host your-workstation’s-VPN-client-internal-IP-address
logging trap debugging
login on-failure log

Q1) The login delay command that you entered earlier enforces a delay between successive login attempts on the router; here it is set to 5 seconds.

Q2) The third login attempt triggered the quiet period that denied access to the router.

Q3) The configured access class creates an exception to the quiet period block. It permits access from the branch router.
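The block-for, attempts and within semantics that Q1 to Q3 describe, replayed as an added Python model. This is not code from the lab guide or from Cisco: it models only the block-for / attempts / within / quiet-mode access-class behaviour, assumes 192.0.2.10 as the workstation address, and assumes that a successful login does not reset the failure count. The exempt host 10.2.1.2 is the one the quiet ACL above permits.

```python
"""Model of the login-blocking behaviour configured in this task:

    login block-for 300 attempts 3 within 60
    login quiet-mode access-class quiet   (ACL "quiet" permits host 10.2.1.2)

Added illustration; not code from the lab guide or from Cisco. It models the
block-for / attempts / within / quiet-mode access-class semantics only. The
workstation address 192.0.2.10 is an assumed placeholder, and a successful
login is not treated as resetting the failure count (an assumption).
"""
from collections import deque
from dataclasses import dataclass, field

BRANCH_ROUTER = "10.2.1.2"    # permitted by the quiet-mode access class (from the lab)
WORKSTATION = "192.0.2.10"    # assumed placeholder for the lab workstation


@dataclass
class LoginBlocker:
    block_for: int = 300                 # length of the quiet period, seconds
    attempts: int = 3                    # failures that trigger quiet mode ...
    within: int = 60                     # ... when they fall inside this window, seconds
    quiet_acl: frozenset = frozenset({BRANCH_ROUTER})   # hosts exempt from quiet mode
    _failures: deque = field(default_factory=deque)     # timestamps of recent failures
    _quiet_until: float = 0.0            # end of the current quiet period (0 = none)

    def in_quiet_mode(self, now: float) -> bool:
        return now < self._quiet_until

    def attempt(self, now: float, src: str, password_ok: bool) -> str:
        """Process one login attempt; return 'denied', 'failed' or 'ok'."""
        if self.in_quiet_mode(now) and src not in self.quiet_acl:
            return "denied"                  # quiet mode: no prompt at all
        if password_ok:
            return "ok"
        # Record the failure and forget failures older than the window.
        self._failures.append(now)
        while self._failures and now - self._failures[0] > self.within:
            self._failures.popleft()
        if len(self._failures) >= self.attempts:
            self._quiet_until = now + self.block_for   # enter quiet mode
            self._failures.clear()
        return "failed"


def lab_scenario() -> list:
    """Replay the lab: three bad passwords, then the exception and the timeout."""
    blocker = LoginBlocker()
    results = [blocker.attempt(t, WORKSTATION, False) for t in (0, 10, 20)]
    results.append(blocker.attempt(30, WORKSTATION, True))      # right password, still denied
    results.append(blocker.attempt(30, BRANCH_ROUTER, True))    # access-class exception
    results.append(blocker.attempt(321, WORKSTATION, True))     # quiet period over
    return results


def slow_scenario() -> list:
    """Three failures spread over more than 60 s never reach the threshold."""
    blocker = LoginBlocker()
    results = [blocker.attempt(t, WORKSTATION, False) for t in (0, 61, 122)]
    results.append(blocker.attempt(123, WORKSTATION, True))
    return results


if __name__ == "__main__":
    print(lab_scenario())    # ['failed', 'failed', 'failed', 'denied', 'ok', 'ok']
    print(slow_scenario())   # ['failed', 'failed', 'failed', 'ok']
```

The third failure inside the 60-second window is what flips the router into quiet mode; during the 300 seconds that follow even a correct password from the workstation is refused, while the host listed in the quiet access class still gets a prompt.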

Lab 5-2 Answer Key: Securing Cisco Router Management

When you complete this activity, your answers will be similar to those that follow.

Task 1: Configure a Role-Based CLI View

These commands need to be entered on your branch router (Steps 1–2):
aaa new-model
line con 0
 no privilege level 15
line vty 0 4
 no privilege level 15
 exit
exit

These commands need to be entered on your branch router (Steps 4–10):
enable view
configure terminal
parser view vpn
 secret vpnpassword
 commands exec include all show crypto
 commands exec include all debug crypto
 commands exec include configure terminal
 commands configure include-exclusive all crypto
 commands configure include interface
 commands configure include all interface FastEthernet0/1
 exit

These commands need to be entered on your branch router (Steps 22–25):
parser view oper
 secret operpassword
 commands exec include all show ip
 commands exec include all show interface
 commands exec include configure terminal
 commands configure include all username
 exit
!

These commands need to be entered on your branch router (Step 29):
parser view admin superview
 secret adminpassword
 view vpn
 view oper
end

Q1) Exec mode of the vpn view includes the configure, debug, enable, exit, and show commands.

Q2) Show command in vpn view has these options: crypto, flash, and parser.

Q3) Debug command in vpn view has the option crypto.

Q4) Configure command in vpn view has the option terminal.

Q5) Configuration mode in vpn view has the crypto, do, exit, and interface commands.

Q6) The crypto configuration command in vpn view has all options available.

Q7) The interface configuration command in vpn view has all interface options available.

Q8) No, vpn view blocks access to the FastEthernet0/0 interface configuration mode.

Q9) Yes, vpn view permits access to the FastEthernet0/1 interface configuration mode.

Q10) All commands are available in the interface FastEthernet0/1 configuration mode.

Q11) Exec mode of the oper view has these options: configure, enable, exit, and show. The show command has these options: ip and interface, including all suboptions.

Q12) Configuration mode of the oper view has the do, exit, and username commands. The username command has all available options.

Q13) The commands in the admin superview are a superset of the commands in the individual vpn and oper views.

Task 2: Configure Cisco Routers for NTP

These commands need to be entered on your branch router (NTP server):
clock set 17:13:00 21 march 2006
configure terminal
ntp master 4
ntp authentication-key 1 md5 ntpsecret
ntp source loopback 0
ntp peer 10.0.x.1 key 1

Note Configuration of the source interface can also be included as an option of the ntp server command.

Configuration of the HQ router (NTP client):
ntp authentication-key 2 md5 ntpsecret
ntp server 10.0.x.2 key 2
ntp trusted-key 2
ntp source loopback 0

Task 3: Secure the IOS Image and Configuration File

These commands need to be entered on your branch router:
secure boot-config
secure boot-image

Lab 5-3 Answer Key: Configuring AAA Login Authentication and Exec Authorization on Cisco Routers

When you complete this activity, your answers will be the same as those that follow.

Task 1: Configure Local Database Authentication Using AAA

These commands need to be entered on your branch router in Steps 1–4:
aaa new-model
!
username localuser password localpassword
enable password training
aaa authentication login default enable

Q1) Access to the lines is protected with the enable password, or enable secret, if configured. This behavior is caused by the configured default login method.

These commands need to be entered on your branch router in Step 7:
aaa authentication login local_method local
!
line vty 0 4
 login authentication local_method

Q2) Telnet sessions now have to be authenticated against the local user database, with username localuser and password localpassword.

Task 2: Configure AAA Exec Authorization Using Local User Database

These commands need to be entered on your branch router in Step 1:
username localadmin privilege 15 password adminpassword

Q1) You have been placed at privilege level 1, which is the default for user EXEC mode, that is, the level a user receives on connecting to a router line.

These commands need to be entered on your branch router in Step 5:
aaa authorization exec local_author local
!
line vty 0 4
 authorization exec local_author

Q2) You have been placed at privilege level 15 because the exec authorization uses the local user database, and the user localadmin has been configured with that privilege level.

Task 3: Test Authentication and Authorization Using Debug

These commands need to be entered on your branch router:
service timestamps debug datetime msec
logging console debugging
exit
!
debug aaa authentication
debug aaa authorization

Sample debugging output after a failed login attempt:
Mar 21 17:46:09.023: AAA/BIND(0000000B): Bind i/f
Mar 21 17:46:09.027: AAA/AUTHEN/LOGIN (0000000B): Pick method list 'local_method'
Mar 21 17:46:19.275: AAA/AUTHEN/LOGIN (0000000B): Pick method list 'local_method'

Sample debugging output after a successful login attempt:
Mar 21 17:46:09.023: AAA/BIND(0000000B): Bind i/f
Mar 21 17:46:09.027: AAA/AUTHEN/LOGIN (0000000B): Pick method list 'local_method'
Mar 21 17:46:19.275: AAA/AUTHEN/LOGIN (0000000B): Pick method list 'local_method'
Mar 21 17:47:36.111: AAA/BIND(0000000C): Bind i/f
Mar 21 17:47:36.115: AAA/AUTHEN/LOGIN (0000000C): Pick method list 'local_method'
Mar 21 17:47:48.047: AAA/AUTHOR (0xC): Pick method list 'local_author'
Mar 21 17:47:48.047: AAA/AUTHOR/EXEC(0000000C): processing AV cmd=
Mar 21 17:47:48.047: AAA/AUTHOR/EXEC(0000000C): processing AV priv-lvl=15
Mar 21 17:47:48.047: AAA/AUTHOR/EXEC(0000000C): Authorization successful
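An added Python parser for the debug lines above, not code from the lab guide or from Cisco. It groups the records by AAA session ID (printed as 0000000C in most lines and as 0xC in the AAA/AUTHOR line) and reports, per session, which method lists were picked, whether the line prompted more than once, and whether exec authorization succeeded and at which privilege level. The sample lines embedded in the block are the ones printed in this answer key.

```python
"""Parser for the `debug aaa authentication` / `debug aaa authorization` lines
shown above: groups records by AAA session ID and reports, per session, the
method lists picked, whether the line re-prompted, and the exec authorization
result. Added example; not code from the lab guide or from Cisco. The sample
lines are the ones printed in this answer key.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<src>AAA/[A-Z/]+) ?\((?P<sid>0x[0-9A-Fa-f]+|[0-9A-Fa-f]{8})\): (?P<msg>.*)$"
)

SUCCESS_SAMPLE = """\
Mar 21 17:46:09.023: AAA/BIND(0000000B): Bind i/f
Mar 21 17:46:09.027: AAA/AUTHEN/LOGIN (0000000B): Pick method list 'local_method'
Mar 21 17:46:19.275: AAA/AUTHEN/LOGIN (0000000B): Pick method list 'local_method'
Mar 21 17:47:36.111: AAA/BIND(0000000C): Bind i/f
Mar 21 17:47:36.115: AAA/AUTHEN/LOGIN (0000000C): Pick method list 'local_method'
Mar 21 17:47:48.047: AAA/AUTHOR (0xC): Pick method list 'local_author'
Mar 21 17:47:48.047: AAA/AUTHOR/EXEC(0000000C): processing AV cmd=
Mar 21 17:47:48.047: AAA/AUTHOR/EXEC(0000000C): processing AV priv-lvl=15
Mar 21 17:47:48.047: AAA/AUTHOR/EXEC(0000000C): Authorization successful
""".splitlines()


def parse_line(line: str):
    """Split one debug line into timestamp, subsystem, session ID (int) and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The session ID appears as 0000000C in most records and as 0xC in AAA/AUTHOR.
    return {"ts": m["ts"], "src": m["src"], "sid": int(m["sid"], 16), "msg": m["msg"]}


def _new_session():
    return {"prompts": 0, "authen_list": None, "author_list": None,
            "priv_lvl": None, "authorized": False}


def summarize_sessions(lines) -> dict:
    """Fold the debug records into one summary per AAA session ID."""
    sessions = defaultdict(_new_session)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s, msg = sessions[rec["sid"]], rec["msg"]
        if rec["src"] == "AAA/AUTHEN/LOGIN" and msg.startswith("Pick method list"):
            s["prompts"] += 1                    # one per login prompt on the line
            s["authen_list"] = msg.split("'")[1]
        elif rec["src"] == "AAA/AUTHOR" and msg.startswith("Pick method list"):
            s["author_list"] = msg.split("'")[1]
        elif rec["src"] == "AAA/AUTHOR/EXEC":
            if msg.startswith("processing AV priv-lvl="):
                s["priv_lvl"] = int(msg.split("=", 1)[1])
            elif msg == "Authorization successful":
                s["authorized"] = True
    return dict(sessions)


def verdict(session: dict) -> str:
    """One-line reading of a session summary."""
    if session["authorized"]:
        return "login ok, exec priv %s" % session["priv_lvl"]
    if session["prompts"] > 1:
        return "login failed (line re-prompted)"
    return "no exec authorization recorded"


if __name__ == "__main__":
    for sid, s in sorted(summarize_sessions(SUCCESS_SAMPLE).items()):
        print("%08X %-25s %s" % (sid, s["authen_list"], verdict(s)))
```

In these samples a rejected password shows up as a second "Pick method list" for the same session ID with no authorization records after it, while the successful session picks local_method once, then local_author, and ends with priv-lvl=15 and "Authorization successful".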

Task 4: Configure the Router to Authenticate to the Cisco Secure ACS Database

These commands need to be entered on your HQ router:
tacacs-server host 10.6.6.254 key training
aaa authentication login aaa_login group tacacs+ local
aaa authorization exec aaa_exec group tacacs+ local
aaa authentication enable default group tacacs+ enable
logging console debugging
!
line vty 0 4
 login authentication aaa_login
 authorization exec aaa_exec
!
! after verification, return to the initial values:
line vty 0 4
 authorization exec local_author
 login authentication local_authen

Q1) You should use the username cisco with password cisco123 that has been preconfigured in the ACS database because the authentication list includes TACACS+ as the first method.

Q2) If the ACS server failed, the local user database would be used to authenticate the connections. Local was configured as the second authentication method.

Q3) You should use the enable password ciscoenable that has been configured in ACS for the username cisco because the enable authentication listed TACACS+ as the first method.

Q4) AAA allows you to use a separate enable password for each individual user. An external AAA server such as ACS is needed for such an implementation.

Lab 6-1 Answer Key: Configuring a Cisco IOS Firewall

When you complete this activity, your answers will be similar to those that follow.

Task 3: View and Test the Advanced Firewall

Q1) The SSH connection was successful because the ACL on the outside interface permits inbound SSH sessions to the HQ router Loopback0 address. The generic TCP inspection would permit return traffic from a host that would be connected to the DMZ in a real-life scenario.

Q2) The session failed because the ACL on the outside interface denies all traffic to the HQ router Loopback0 address except SSH and TFTP.

Q3) The initial Telnet session is permitted to go through the HQ router. The inspection rule applied to the inside interface in the inbound direction inspects generic TCP and permits return traffic to existing sessions. Therefore, the ACL on the outside interface does not block the return traffic.

Task 4: View the Firewall Log

Q1) No packet drops are logged under the Firewall Log tab because the ACL applied by the wizard to the outside interface in the inbound direction drops all packets from RFC 1918 address ranges without logging them. The lab network uses addressing from the 10.0.0.0/8 network. In a real-life scenario, you would see denied packets in the firewall log because they would use public address ranges.

Q2) The firewall wizard created an ACL that denies all inbound traffic except to the configured DMZ services (SSH and TFTP). A few exceptions to this rule exist, such as permitting routing updates, NTP packets, and some ICMP messages.

Lab 6-2 Answer Key: Configuring Cisco IOS IPS The tasks were verified in the verification sections of the respective activities.

Lab 6-3 Answer Key: Troubleshooting Security

When you complete this activity, your solution will be similar to the results here, with differences that are specific to your device or workgroup.

Task 1: Troubleshoot Secure Management

These commands need to be entered on your HQ router.

RSA keys must be generated if they do not exist:
ip domain-name training.com
crypto key generate rsa

The ACL for the vty access class must be fixed (the branch address in this example is from pod 1):
no ip access-list standard Wstation_Branch
ip access-list standard Wstation_Branch
 permit your-workstation’s-VPN-client-internal-IP-address
 permit 10.2.1.2

Fix syslog:
logging on
no logging 172.31.1.1
logging your-workstation’s-VPN-client-internal-IP-address
logging trap 6
!

These commands need to be entered on your branch router.

If SSH should be used, generate RSA keys:
ip domain-name training.com
crypto key generate rsa

Fix the transport input settings:
line vty 0 4
 transport input telnet ssh

Fix the authorization method to use the local database:
no aaa authorization exec author_local
aaa authorization exec author_local local

Caution The method must be reapplied to the line to take effect.

line vty 0 4
 authorization exec author_local

Task 2: Mitigate System Vulnerabilities

These commands need to be entered on your HQ router:
auto secure no-interact
no ftp-server enable

Task 3: Troubleshoot IPsec VPN

These commands need to be entered on your branch router.

Fix the preshared key (the address is for pod 1). The configured key vpsecret does not match the key on the HQ side; both peers must use the same key for this peer address:
no crypto isakmp key vpsecret address 10.2.1.1
crypto isakmp key vpnsecret address 10.2.1.1

Make sure the crypto map uses the address of the dirty (outside) interface, not Loopback0. Removing the local-address setting lets the crypto map use the address of the interface it is applied to:
no crypto map vpnmap local-address loopback 0

The crypto ACLs must be symmetric (the address is for pod 1): the branch entry must be the mirror image of the HQ entry, with the branch loopback HTTP service as the source:
no ip access-list extended vpnacl
ip access-list extended vpnacl
 permit tcp host 10.0.1.2 eq 80 any
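An added pre-flight check in Python for the two mismatches fixed in this task, a preshared key that differs between peers and a crypto ACL that is not the mirror image of the other side's; it is not code from the lab guide or from Cisco. The Lab 4-3 ACL pair and the branch-side Lab 6-3 entry come from the answer keys; the HQ-side Lab 6-3 entry, the deliberately broken branch entry and the IKE attribute dictionaries are constructed for illustration. Comparing a single ISAKMP policy per peer attribute by attribute is sufficient here because each router has only one policy.

```python
"""Pre-flight check for a site-to-site IPsec pair: are the crypto ACLs mirror
images, and do the single ISAKMP policy and preshared key agree?

Added example; not code from the lab guide or from Cisco. Lab 4-3's ACLs are
taken from the answer key; the HQ-side ACE for Lab 6-3, the broken branch ACE
and the IKE dictionaries are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    proto: str
    src: str                  # "A.B.C.D WILDCARD" or "any"
    sport: Optional[str]
    dst: str
    dport: Optional[str]

    def mirror(self) -> "Ace":
        """The entry the other peer needs: source and destination swapped."""
        return Ace(self.proto, self.dst, self.dport, self.src, self.sport)


def _take_addr(tokens: List[str]):
    """Consume 'any' | 'host A' | 'A WILDCARD', plus an optional 'eq PORT'."""
    tok = tokens.pop(0)
    if tok == "any":
        addr = "any"
    elif tok == "host":
        addr = tokens.pop(0) + " 0.0.0.0"   # normalise so host X == X 0.0.0.0
    else:
        addr = tok + " " + tokens.pop(0)
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
    return addr, port


def parse_ace(line: str) -> Ace:
    """Parse one permit entry in numbered or named extended-ACL syntax."""
    tokens = line.split()
    if tokens[0] == "access-list":          # "access-list 100 permit ..." form
        tokens = tokens[2:]
    if tokens[0] != "permit":
        raise ValueError("only permit entries select IPsec traffic: " + line)
    proto, rest = tokens[1], tokens[2:]
    src, sport = _take_addr(rest)
    dst, dport = _take_addr(rest)
    return Ace(proto, src, sport, dst, dport)


def acl_mismatches(hq_lines, branch_lines) -> dict:
    """Entries on either peer whose mirror image is missing on the other."""
    hq = {parse_ace(l) for l in hq_lines}
    br = {parse_ace(l) for l in branch_lines}
    return {
        "hq_without_mirror": [a for a in hq if a.mirror() not in br],
        "branch_without_mirror": [a for a in br if a.mirror() not in hq],
    }


def ike_mismatches(hq: dict, branch: dict) -> list:
    """Attributes of a single ISAKMP policy (plus the PSK) that differ."""
    keys = sorted(set(hq) | set(branch))
    return [k for k in keys if hq.get(k) != branch.get(k)]


# Lab 4-3 (from the answer key): a symmetric pair.
HQ_LAB43 = ["access-list 100 permit ip 172.31.1.0 0.0.0.255 host 10.6.6.254"]
BRANCH_LAB43 = ["access-list 100 permit ip host 10.6.6.254 172.31.1.0 0.0.0.255"]

# Lab 6-3 Task 3, pod 1: branch entry from the answer key; HQ entry assumed.
HQ_LAB63 = ["permit tcp any host 10.0.1.2 eq 80"]          # assumed HQ side
BRANCH_LAB63_FIXED = ["permit tcp host 10.0.1.2 eq 80 any"]
BRANCH_LAB63_BROKEN = ["permit tcp host 10.0.1.2 any"]     # constructed: port missing

# Constructed IKE attributes; the branch copy carries the Lab 6-3 key typo.
HQ_IKE = {"encr": "3des", "hash": "sha", "auth": "pre-share", "group": 2, "psk": "vpnsecret"}
BRANCH_IKE = dict(HQ_IKE, psk="vpsecret")

if __name__ == "__main__":
    print(acl_mismatches(HQ_LAB43, BRANCH_LAB43))          # both lists empty
    print(acl_mismatches(HQ_LAB63, BRANCH_LAB63_BROKEN))   # one orphan on each side
    print(ike_mismatches(HQ_IKE, BRANCH_IKE))              # ['psk']
```

The mirror test is on the normalised entry, so "host 10.6.6.254" and "10.6.6.254 0.0.0.0" compare equal, and a port that is present on one side but missing on the other is reported as an orphan on both peers, which is the symptom the lab has you fix.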

Task 4: Troubleshoot Availability

These commands need to be entered on your HQ router:
ip inspect name outbound icmp
ip inspect name outbound ftp
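Why `ip inspect name outbound ftp` is needed on top of generic TCP inspection, shown as an added Python example that is not code from the lab guide or from Cisco. FTP transfers data over a second TCP connection whose endpoints are announced inside the control channel: a PORT command from the client (active mode, which the command-line ftp client in the lab uses by default) or a 227 reply from the server (passive mode). Generic TCP inspection only tracks the control connection it saw the workstation open, so the server-initiated data connection is a new inbound session that the outside ACL drops, which is the "cannot build data connection" failure in Step 3 of Task 4. FTP-aware inspection reads those messages and opens exactly the announced pinhole; the function below does that bookkeeping and also rejects an announced address that is not the control-channel peer. The workstation address 192.0.2.10 is an assumed placeholder, 10.0.1.2 is the pod-1 branch loopback from this answer key, and the FTP messages are constructed.

```python
"""Why generic TCP inspection is not enough for FTP: the data transfer is a
second TCP connection whose endpoints are announced inside the control
channel (PORT from the client, 227 reply from the server). An FTP-aware
inspection engine reads those messages and opens exactly that pinhole; the
functions below do the same bookkeeping. Added example; not code from the
lab guide or from Cisco. The workstation address 192.0.2.10 is an assumed
placeholder, 10.0.1.2 is the pod-1 branch loopback from the answer key, and
the FTP messages are constructed.
"""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(h1, h2, h3, h4, p1, p2):
    """Turn the six comma-separated decimal fields into (address, port)."""
    fields = (h1, h2, h3, h4, p1, p2)
    if not all(0 <= f <= 255 for f in fields):
        raise ValueError("field out of range in FTP address encoding")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 in FTP address encoding")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def data_pinhole(client_ip: str, server_ip: str, msg: str, direction: str):
    """
    Return (src_ip, src_port, dst_ip, dst_port) for the data connection that
    one control-channel message sets up, or None if the message sets up none.
    direction is 'c2s' for a client command or 's2c' for a server reply.
    src_port is None when the opener uses an ephemeral port.
    Raises ValueError if the announced address is not the control-channel
    peer (the classic FTP bounce).
    """
    if direction == "c2s":
        m = PORT_RE.match(msg)
        if not m:
            return None
        addr, port = _decode(*map(int, m.groups()))
        if addr != client_ip:
            raise ValueError("PORT names %s, control peer is %s" % (addr, client_ip))
        # Active mode: the server connects back from port 20 to the client.
        return (server_ip, 20, client_ip, port)
    if direction == "s2c":
        m = PASV_RE.match(msg)
        if not m:
            return None
        addr, port = _decode(*map(int, m.groups()))
        if addr != server_ip:
            raise ValueError("227 names %s, control peer is %s" % (addr, server_ip))
        # Passive mode: the client connects to the port the server announced.
        return (client_ip, None, server_ip, port)
    raise ValueError("direction must be 'c2s' or 's2c'")


def is_bounce(client_ip: str, server_ip: str, msg: str, direction: str) -> bool:
    """True when the message announces a third-party address or is malformed."""
    try:
        data_pinhole(client_ip, server_ip, msg, direction)
    except ValueError:
        return True
    return False


WORKSTATION, BRANCH = "192.0.2.10", "10.0.1.2"   # assumed placeholder, pod-1 loopback

if __name__ == "__main__":
    # Active mode: the branch router would open 10.0.1.2:20 -> 192.0.2.10:1025,
    # a new inbound connection the outside ACL drops unless FTP inspection added it.
    print(data_pinhole(WORKSTATION, BRANCH, "PORT 192,0,2,10,4,1", "c2s"))
    print(data_pinhole(WORKSTATION, BRANCH,
                       "227 Entering Passive Mode (10,0,1,2,195,80)", "s2c"))
    print(is_bounce(WORKSTATION, BRANCH, "PORT 10,0,1,2,4,1", "c2s"))  # True
```

The returned tuple is the single flow that the inspection engine has to admit through the outside ACL; nothing else on the FTP control channel (LIST, 150, 226 and so on) opens anything, which is why the function returns None for those messages.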