Lab - Ccna Security

CCNA SECURITY LAB GUIDE
LAB SECURITY_2: NTP SERVER CONFIGURATION AND VERIFICATION
Network Devices need to be accurately synchronized with a reliable time source such as an
NTP server. It is very important as we want to be confirmed that logging information and
timestamps have the accurate time and date.
The router can be updated and synchronized with a public NTP server. This will ensure the
router's time is constantly synchronized, however it will not act as an NTP server for internal
hosts. The Internal hosts can be synchronized with the router.
Be noted that, here loopback adapter is accessible to Internet through our Ethernet LAN Card
of Local host. So that NTP Server can be updated with the server located in the Internet.
Follow this step before go to the GNS3 –
Find your host Ethernet Adapter > Right click on it > Properties
Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved
FULL VIRTUALIZED LAB………

YOU WILL GET THE REAL FLAVOUR
Just 15 USD……Payment Method is PayPal
PDF Copy is Available
Go to the sharing tab
Check as follows, select your Loopback Adapter. Here I have renamed it to Virtual Adapter. At
the end I will show you how to add Loopback Adapter in your PC.
The final window as following. Now OK.
Finally mark the IP Address of your Loopback Adapter. It will be the default Gateway for your
Routers stated as below figure on GNS3 !
Now I will describe how to add Loopback Adapter on Windows 7 Host
1. Go to Computer > Right click on computer > Properties
Device Manager > right Click on your PC (Here Ashish-PC) > Add legacy Hardware
Click Next
Click next (nothing change to here)
Click Next
Select Network Adapters > Next
Wait for a bit. A window will comes, from here select Microsoft from left Pannel and select
Microsoft loopback Adapter from the right panel as shown in figure
Click next
clikc next > then finish
After reboot you can now use your Loopback Adapter
Configuration of Router R1 (For Internet Access through Loopback Adapter)

R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.137.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.137.1
R1(config)#ip domain-lookup
R1(config)#ip name-server 8.8.8.8
R1(config)#exit
A brief discussion:
Domain-lookup will allow the Cisco to resolve domains, ip domain-lookup command to enable
DNS host name-to-IP address translation.
Here 8.8.8.8 takes care of internet resolving. Name server is to define the DNS to query for
unknown host.
At this state any DNS request will be forwarded to 8.8.8.8 and the Cisco will act as the
"middle man" between the client and the DNS.
There is a nice way to use a Cisco as a DNS server. This is the way to save some money
without the need for additional devices.
Verification
Apply ping to Google to ensure that the R1 is connected to the Internet
Configuration on R2
R2#conf t
R2(config-if)#ip address 172.16.10.2 255.255.255.0
R2(config-if)#no shutdown
OSPF Configuration (as a dynamic Routing)

R2(config)#router ospf 1
R2(config-router)#network 172.16.10.0 0.0.0.255 area 0
R2(config-router)#end
R2(config)#ip domain-lookup
R2(config)#ip name-server 8.8.8.8
OSPF Configuration on R1
R1(config)#router ospf 1
R1(config-router)#network 172.16.10.0 0.0.0.255 area 0
R1(config-router)#default-information originate
R1(config-router)#end
Here, the OSPF router does not, by default, generate a default route into the OSPF domain. In
order for OSPF to generate a default route, you must use the default-information originate
command.
Configure NAT on R1 Router so that R2 Router can be connected with the Internet

R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#access-list 1 permit 172.16.10.0 0.0.0.255
R1(config)#ip nat inside source list 1 interface fastEthernet 0/0 overload
Verification
Apply ping to Google to ensure that the R2 is connected to the Internet
NTP Configuration
First we will check the time on R1 Router
R1#show clock detail
*00:18:45.843 UTC Fri Mar 1 2002
No time source
Now we will call NTP Server from global Internet Source

R1#conf t
R1(config)#ntp source fastEthernet 0/1
R1(config)#ntp master 2
A stratum 2 device because it’s one NTP hop further away from the source.
R1(config)#ntp server pool.ntp.org
Translating "pool.ntp.org"...domain server (8.8.8.8) [OK]
Check the time again

11:46:54.831 UTC Thu Jan 4 2018
Time source is NTP
We can see that R1 time is synchronized with the Internet NTP Server
Apply show ntp associations on R1 and verify
Configuration on R2
Here we call the R1 as a NTP Server which will synchronized with Local Router (R2)
R2(config)#ntp server 172.16.10.1
R2(config)#exit
Verify if the time of R2 is updated with R1

.11:47:08.935 UTC Thu Jan 4 2018
Time source is NTP
.......................................................Fine!!! Updated!!!
AUTHENTICATION
Authentication is used to prevent tampering with the timestamps on the logs generated by
devices. To implement an attack on NTP, a hacker would make their rogue host appear to be
a valid NTP server.
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 cisco123
R1(config)# ntp trusted-key 1
R2(config)# ntp authenticate

R2(config)# ntp authentication-key 1 md5 cisco123
R2(config)# ntp trusted-key 1
R2(config)# ntp server 172.16.10.1 key 1
Parameters
Key-id
Specifies an ID for an authentication key. The range is from 1 through 65535.
Md5 md5-string
Specifies a string for the MD5 message-digest algorithm. The string can be a maximum of 15
ASCII characters.
Ntp trusted-key: An additional subset of trusted keys which can be used for NTP authentication.
LAB 4: How to Configure ASA on GNS3
I have used
 Cisco ASA 8.4.2
 GNS3 Version 1.3.3
 asa842-initrd.gz and asa842-vmlinuz
 JavaJDK 6
First Right click on GNS3
 Run as an Administrator
 Edit
 Preferences
Click on QEMU > Check mark on Use the local server > OK
Now Click on QEMU VMs > New
Now select Type – ASA 8.4(2)
Name field give a name as follows > Next
Keep it default and click next
Browse the Image File (Keep the image file other than C Drive)
Select as following
Click must be on ‘No’
Repeat this for 2nd image file as follows
Click on “No”
Finally this will be as follows
Now click on Apply > Ok
Drag and drop the ASA in the right panel > clikc on Start button (green arrow)
Now click on Console
The following will appear after booting the ASA
Now we need to activate the ASA. So follow the commands and Enter Activation Key as
following steps
After Reload the following will appear. Now ASA is ready for working!!
Add ASDM and connect your ASA
Follow the steps below to do this:
 Add a Loop-back to your computer, Assign IP : 192.168.10.1/24

 Drag and drop ‘Cloud’ to the GNS3 work-space and connect it with an Ethernet Switch.
 Right click on ‘Cloud’ and add the Loop-back adapter

 Open a console on ASA and run the following command:
ciscoasa #config terminal

ciscoasa(config)# interface GigabitEthernet1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.10.5 255.255.255.0
ciscoasa(config-if)# no shut
 Now try to ping your computers Loopback IP from the ASA and also from your PC to
ASA to verify if it is successful
 Download ASDM ( asdm-649.bin)
 Install a TFTP server in your local PC and keep the above file in its root directory.
Now upload the asdm-649.bin to the ASA flash using the below commands:
ciscoasa# copy tftp: flash:
Address or name of remote host? 192.168.10.1
Source filename? asdm-649.bin
Destination filename [asdm-649.bin]? press Enter
Accessing tftp://192.168.10.1/asdm-
649.bin…!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
18927088 bytes copied in 143.10 secs (132357 bytes/sec)
Enter the commands to load ASDM on the ASA and enable http server:
ciscoasa(config)# asdm image flash:asdm-649.bin
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.10.5 255.255.255.0 inside
ciscoasa(config)# username admin password admin123 privilege 15
ciscoasa(config)# write memory
At our local PC, open a browser and type https://192.168.10.5
Click on ‘Run ASDM’ and enter with the username and password.
LAB 5: ASA Basic Security-level Configuration
Security Levels are applied to an interface to describe a level of trust.
The following are the security levels used on the Cisco ASA:
Security level 100
The highest possible level and most trusted, it is used by the inside interface by default.
Security level 0
The lowest possible level, most untrusted, it’s used by the outside interface by default.
Security levels 1–99
Can be assigned to any other interface on the ASA. The inside is typically 100, the outside is
0, and the dmz interface is 50.
We can create as many security levels as we want!
An interface with a high security level can access an interface with a low security level but
the other way around is not possible unless we configure an access-list.
ciscoasa# conf t
ciscoasa(config)# hostname Venus
Venus(config)# interface gigabitEthernet 1

Venus(config-if)# description INSIDE INTERFACE_ INTERNAL NETWORK
Venus(config-if)# nameif inside
Venus(config-if)# security-level 100
Venus(config-if)# ip address 192.168.10.1 255.255.255.0

Venus(config-if)# no shutdown
Venus(config-if)# exit
Venus(config-if)# description OUTSIDE Interface
Venus(config-if)# nameif outside

Venus(config-if)# exit
Venus(config-if)# description DMZ Interface
Venus(config-if)# nameif dmz
Venus(config-if)#
Router Configuration
R1#conf t
R1(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0

ISP(config-if)#description ISP>Firewall ASA Interface
ISP(config-if)#ip address 103.13.148.2 255.255.255.252

ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 10.10.10.1 255.255.255.0

ISP(config-if)#description Global Internet
ISP(config-if)#no shutdown
ISP(config-if)#exit
ASA static routes
1. Default Static route for Internet access, and

2. Normal static route
It's configuration is simply difference than the Cisco Router.

The format of the static route command is:
ASA(config)# route [interface name] [destination address] [netmask] [gateway]
 A static route is created manually by a network administrator.

 A Default Route (also known as the gateway of last resort) is a special type of static
route. It specifies a path where the router doesn’t know how to reach the destination.
Configure Default Route on ASA going to Internet
Venus(config)# route outside 0.0.0.0 0.0.0.0 103.13.148.2
Configure Static Routes on ISP Router to inside Network and DMZ
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1
ISP(config)#ip route 172.16.10.0 255.255.255.0 103.13.148.1
Now we will assign IP to all PCs and apply ping from ASA to all Hosts as follows :
Venus(config)# ping 10.10.10.10
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/90/120 ms

!!!!!

!!!!!
By default ping is disabled from Inside to Outside, we will create an ACL to permit ICMP
from Inside to outside
Venus(config)# access-list inside-in permit icmp any any

Venus(config)# access-list inside-in permit tcp any any
Venus(config)# access-list inside-in permit ip any any
Venus(config)# access-list outside-in permit icmp any any echo-reply
Apply these to ASA Interface
Venus(config)# access-group inside-in in interface inside
Venus(config)# access-group outside-in in interface outside
C:\> ping 172.16.10.2 (Inside to Outside)
Reply from 10.10.10.10: bytes=32 time<1ms TTL=128


Now we apply ping from outside host to inside host...
Not Successful..right? Actually we never allow outside users to allow ICMP to inside hosts
N.B. Same Security Level

What if the interfaces have the same security level? The default behavior is to deny traffic
between interfaces with the same security level. But it can be changed by using the same-
security-traffic permit inter-interface command. This will allow traffic between all
interfaces of the same level.
LAB 6. ASA Management (with the Previous Figure and Configuration)
The ASA supports remote administration trough SSH and Telnet. Telnet was designed to work
within a private network and not across a public network where threats can appear. Because
of this, all the data is transmitted in plain text, including passwords. This is a major security
issue and the developers of SSH used encryptions to make it harder for other people to sniff
the password and other relevant information.
Secure Shell (SSH) is a protocol which provides a secure remote access connection to network
devices. Communication between the client and server is encrypted in SSH.
SSH uses cryptographic technology for privacy (encryption), origin authentication

(public/private key pairs), and data integrity (hash algorithms). The same thing is applied
using HTTPS instead of HTTP for GUI access to the device.
There are two versions: version 1 and 2. Version 2 is more secure and commonly used.
Step 1: Create a username and password to manage the ASA with SSH/Telnet/ASDM
Venus(config)# username ashish password cisco123 privilege 15
Step2: Enable SSH to generate a key, it will encrypt the traffic between the user and the ASA
Ashish(config)# crypto key generate rsa modulus 1024

INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
Step 3:Use the username previously created to connect to the ASA with SSH
Ashish(config)# aaa authentication ssh console LOCAL

Local AAA means that we are performing AAA without the use of an external database. When
performing local AAA, we can authenticate with a username and password that is part of the
configuration of the security appliance.
Step 4: We will Define the IP addresses which are allowed to connect to the ASA
Ashish(config)# ssh 10.10.10.10 255.255.255.255 outside

Ashish(config)# ssh 192.168.10.2 255.255.255.255 inside
Step 5: Enable ASDM for GUI and define the IP addresses that are allowed to connect to the
ASA with ASDM
Ashish(config)# http server enable
Ashish(config)# aaa authentication http console LOCAL

Ashish(config)# http 192.168.10.0 255.255.255.0 inside
Verification:
1. Verifying the LOCAL database
2. Verify SSH Access from Outside Host, So we will open putty from our Desktop
Configure SSH Access on ISP Router
Step 1: Configure hostname and domain name
The name of the RSA keypair will be the hostname and domain name of the router.
ISP(config)#hostname ISPRouter
ISPRouter(config)#ip domain-name ashish.com
Step 2: Create the username password
ISPRouter(config)#username ashish privilege 15 secret cisco123
Step 2 :Generate the RSA Keys
ISPRouter(config)#crypto key generate rsa
The name for the keys will be: ISPRouter.ashish.com

Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Key sizes of 1024 or smaller should be avoided. Larger key sizes take longer time to calculate
and enhance more security
Step 3: SSH version 1 is the default version. So change it to version 2
ISPRouter(config)#ip ssh version 2
Step 4 : Setup the Line VTY configurations
ISPRouter(config)#aaa new-model
ISPRouter(config)#aaa authentication login default local
ISPRouter(config)#line vty 0 5
ISPRouter(config-line)#transport input ssh

ISPRouter(config-line)#login authentication default
Here AAA uses the local username database for authentication
Step 5: Create enable password
ISPRouter(config)#enable secret cisco123
Step 6: Verify SSH access
AND MANY MORE LABS: WITH EASY EXPANATION
Contents
LAB 1: Securing Passwords ------------------------------------------------------------------------------------------------- 6
LAB 2: Secure Device Access with configuring privilege levels ------------------------------------------------------10
LAB 3: CONFIGURING SSH ON CISCO Devices --------------------------------------------------------------------------13
LAB 4: Configuring SNMPV3 ------------------------------------------------------------------------------------------------18
LAB 5: NTP SERVER CONFIGURATION AND VERIFICATION -----------------------------------------------------------24
LAB 6: Configure routers to use Cisco Access Control Server (ACS) and TACACs+ Authentication ---------35
LAB 7: Configure ACL and Block Web Sites ------------------------------------------------------------------------------57
LAB 8: Role-based access control (RBAC) --------------------------------------------------------------------------------62
LAB 9: Configure RIP Authentication ------------------------------------------------------------------------------------ 66
LAB 10: EIGRP Authentication ----------------------------------------------------------------------------------------------71
LAB 11: OSPF Authentication -----------------------------------------------------------------------------------------------73
LAB 12: How to Configure ASA on GNS3 ---------------------------------------------------------------------------------77
LAB 13: ASA Basic Security-level Configuration ----------------------------------------------------------------------- 90
LAB 14. ASA Management ---------------------------------------------------------- -------------------------------------- 94
LAB 15 : ASA Access Control List ------------------------------------------------------------------------------------------98
LAB 16 : ASA Object Groups -----------------------------------------------------------------------------------------------103
LAB 17: Static NAT Configuration on ASA -----------------------------------------------------------------------------108
LAB 18: Static NAT with multiple outside IP addresses -------------------------------------------------------------110
LAB 19: Static NAT to Multiple Service on same Outside IP Address such as HTTP, HTTPS, TELNET, SSH ...-
----------------------------------------------------------------------------------------------------------------------------------..115
LAB 20: Dynamic NAT-Many-to-one NAT ------------------------------------------------------------------------------120
LAB 21: Dynamic NAT (Many to Many) ---------------------------------------------------------------------------------122
LAB 22: PAT Configuration -----------------------------------------------------------------------------------------------124
LAB 23: Static NAT Port Forwarding on ASA ---------------------------------------------------------------------------126
LAB 24: ASA Active/Standby Failover Configuration -----------------------------------------------------------------131
LAB 25: ASA Security Contexts:(Virtualization) ------------------------------------------------------------------------137
LAB 26 : Port Security of Switch -------------------------------------------------------------------------------------------148
LAB 27 : Configure BPDU Guard on Cisco Switch ----------------------------------------------------------------------155
LAB 28: Configure Root Guard on Cisco Switch ------------------------------------------------------------------------156
LAB 29 : DHCP Snooping--------------------------------------------------------------------------------------------------- 159
LAB 30: Configuration of IPSEC VPN between two ASA --------------------------------------------------------------166
LAB 31: IPSec SITE-TO-SITE VPN BETWEEN TWO CISCO ROUTER ------------------------------------------------- 190
LAB 32: Clientless SSL VPN Remote Access (using a web browser) -----------------------------------------------195
LAB 33: SSL or IPsec (IKEv2) VPN Remote Access (using Cisco AnyConnect client)--------------------------- 211
LAB 34 : Configure GRE Tunnel ------------------------------------------------------------------------------------------- 229
LAB 35 : IPS/IDS ---------------------------------------------------------------------------------------------------------------232
LAB 36: PRIVATE VLAN ------------------------------------------------------------------------------------------------------250
-----------------------------------------------255 Pages---------- ----------------------------------------------

Lab - Ccna Security

Uploaded by

Copyright:

Available Formats

Lab - Ccna Security

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lab - Ccna Security

Uploaded by

Copyright:

Available Formats

CCNA SECURITY LAB GUIDE

LAB SECURITY_2: NTP SERVER CONFIGURATION AND VERIFICATION

FULL VIRTUALIZED LAB………

Go to the sharing tab

The final window as following. Now OK.

Now I will describe how to add Loopback Adapter on Windows 7 Host

1. Go to Computer > Right click on computer > Properties

Click next (nothing change to here)

Select Network Adapters > Next

clikc next > then finish

After reboot you can now use your Loopback Adapter

Configuration of Router R1 (For Internet Access through Loopback Adapter)

Apply ping to Google to ensure that the R1 is connected to the Internet

OSPF Configuration (as a dynamic Routing)

R1(config)#interface fastEthernet 0/1

Now we will call NTP Server from global Internet Source

Check the time again

Verify if the time of R2 is updated with R1

R2#show clock detail

R2(config)# ntp authenticate

Specifies an ID for an authentication key. The range is from 1 through 65535.

LAB 4: How to Configure ASA on GNS3

 Cisco ASA 8.4.2

 GNS3 Version 1.3.3

 asa842-initrd.gz and asa842-vmlinuz

First Right click on GNS3

Now Click on QEMU VMs > New

Now select Type – ASA 8.4(2)

Name field give a name as follows > Next

Keep it default and click next

Click must be on ‘No’

Repeat this for 2nd image file as follows

Finally this will be as follows

Now click on Apply > Ok

Now click on Console

The following will appear after booting the ASA

Add ASDM and connect your ASA

Follow the steps below to do this:

 Add a Loop-back to your computer, Assign IP : 192.168.10.1/24

 Right click on ‘Cloud’ and add the Loop-back adapter

ciscoasa #config terminal

ciscoasa# copy tftp: flash:

Address or name of remote host? 192.168.10.1

Source filename? asdm-649.bin

Destination filename [asdm-649.bin]? press Enter

18927088 bytes copied in 143.10 secs (132357 bytes/sec)

ciscoasa(config)# asdm image flash:asdm-649.bin

ciscoasa(config)# http server enable

ciscoasa(config)# http 192.168.10.5 255.255.255.0 inside

ciscoasa(config)# username admin password admin123 privilege 15

ciscoasa(config)# write memory

At our local PC, open a browser and type https://192.168.10.5

LAB 5: ASA Basic Security-level Configuration

Security Levels are applied to an interface to describe a level of trust.

Security level 100

Security levels 1–99

We can create as many security levels as we want!

ciscoasa(config)# hostname Venus

Venus(config)# interface gigabitEthernet 1