SIC Practical Questions

This document outlines the steps to configure Cisco routers for syslog, NTP, and SSH operations, including configuring routers to log messages to a syslog server, configuring routers as NTP clients, and configuring SSH on routers for secure access.

Esplanade Education Society’s

NIRANJANA MAJITHIA COLLEGE OF COMMERCE AND SCIENCE


(NAAC Accredited ‘B’ Grade, ISO 9001: 2015 CERTIFIED)
(Affiliated to University of Mumbai)
DEPARTMENT OF INFORMATION TECHNOLOGY

CERTIFICATE

This is to certify that the work entered in this journal is as per the syllabus for the T.Y.BSc.IT class prescribed by the University
of Mumbai and was done in the IT laboratory of Niranjana Majithia College of Commerce by Mr/Mrs
______________________________ of TYBSc.IT, bearing Seat No:

Semester-VI during the academic year 2023-2024.

Internal Guide Coordinator

External Examiner

Date: College Seal


Practical 1: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Address Table:

Device  Interface  IP Address    Subnet Mask      Default Gateway
R1      G0/0       192.168.1.1   255.255.255.0    N/A
R1      S0/1/0     10.1.1.1      255.255.255.252  N/A
R2      S0/1/0     10.1.1.2      255.255.255.252  N/A
R2      S0/1/1     10.2.2.2      255.255.255.252  N/A
R3      G0/0       192.168.3.1   255.255.255.0    N/A
R3      S0/1/0     10.2.2.1      255.255.255.252  N/A
PC-A    NIC        192.168.1.5   255.255.255.0    192.168.1.1
PC-B    NIC        192.168.1.6   255.255.255.0    192.168.1.1
PC-C    NIC        192.168.3.5   255.255.255.0    192.168.3.1

Steps for Part 1: Configure OSPF MD5 Authentication

Step 1: Test connectivity. All devices should be able to ping all other IP addresses.
➔ PC and server configuration
➔ Router configuration
➔ RIP routing
➔ Checking ping between PCs and servers

Step 2: Configure OSPF MD5 authentication for all the routers in area 0.

Step 3: Configure the MD5 key for all the routers in area 0.

Step 4: Verify the configurations.

Steps for Part 2: Configure NTP

Step 1: Enable NTP authentication on both servers.

Step 2: Configure R1, R2, and R3 as NTP clients.

Step 3: Configure R1, R2, and R3 to periodically update the hardware clock.

Step 4: Configure NTP authentication on the routers.

Step 5: Configure the routers to timestamp log messages.

Steps for Part 3: Configure Routers to Log Messages to the Syslog Server

Step 1: Configure the routers (R1, R2, R3) to identify the remote host that will receive logging messages.

Step 2: Show syslog (check the messages received on the syslog server).

Part 4: Configure R3 to Support SSH Connections
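Added example (the journal's command screenshots are not reproduced here, so this is not the journal's own text): the R1 configuration for Parts 1 to 3 and the R3 configuration for Part 4, using the addresses from the table above. The journal does not name the syslog/NTP server, the NTP key, the OSPF key or the SSH account; the server at 192.168.1.5, the keys MD5pa55 and NTPpa55, the domain name and the user admin are assumptions.

```cisco
! Added example, not the journal's screenshots. Addresses follow the Practical 1
! table; the NTP/syslog server address (192.168.1.5), the key strings, the domain
! name and the SSH user are assumptions and should be replaced.

! ---- R1, Part 1: OSPF with MD5 authentication on every area 0 interface ----
R1(config)# router ospf 1
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# network 10.1.1.0 0.0.0.3 area 0
R1(config-router)# area 0 authentication message-digest
R1(config-router)# exit
R1(config)# interface s0/1/0
R1(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
R1(config-if)# exit
! R2 and R3 need the same key ID and key string on their area 0 links, or the
! adjacency drops; confirm with "show ip ospf neighbor".

! ---- R1, Part 2: authenticated NTP client, hardware clock, timestamped logs ----
R1(config)# ntp authentication-key 1 md5 NTPpa55
R1(config)# ntp trusted-key 1
R1(config)# ntp authenticate
R1(config)# ntp server 192.168.1.5 key 1
! Copy NTP time into the hardware clock so timestamps survive a reload.
R1(config)# ntp update-calendar
R1(config)# service timestamps log datetime msec

! ---- R1, Part 3: ship log messages to the syslog server ----
R1(config)# logging host 192.168.1.5
R1(config)# logging trap informational

! ---- R3, Part 4: SSH-only remote access ----
R3(config)# ip domain-name ccnasecurity.com
R3(config)# crypto key generate rsa general-keys modulus 2048
R3(config)# ip ssh version 2
R3(config)# ip ssh time-out 60
R3(config)# ip ssh authentication-retries 2
R3(config)# username admin privilege 15 secret adminpa55
R3(config)# line vty 0 4
R3(config-line)# login local
! Telnet is not in the list, so credentials never cross the network in clear text.
R3(config-line)# transport input ssh
R3(config-line)# exit

! ---- Verification ----
! show ntp status        : expect "Clock is synchronized"
! show ntp associations  : the server line is marked "*" and shows key 1
! show logging           : expect "Logging to 192.168.1.5"
! show ip ssh            : expect "SSH Enabled - version 2.0"
```

Two caveats a practitioner should keep in mind. MD5 on OSPF and NTP gives integrity and origin checking only, not confidentiality, and is what Packet Tracer supports; on real IOS prefer `ip ospf authentication key-chain` with SHA and `ntp authentication-key ... hmac-sha2-256`. Syslog over UDP/514 is cleartext and unauthenticated, so the server belongs on the trusted LAN, and log correlation across routers is only meaningful once `show ntp status` reports the clock as synchronized.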
Practical 2: Packet Tracer - Configure AAA Authentication on Cisco Routers

Address Table:

Device  Interface  IP Address    Subnet Mask
R1      G0/1       192.168.1.1   255.255.255.0
R1      S0/0/0     10.1.1.2      255.255.255.252
R2      G0/0       192.168.2.1   255.255.255.0
R2      S0/0/0     10.1.1.1      255.255.255.252
R2      S0/0/1     10.2.2.1      255.255.255.252
R3      G0/1       192.168.3.1   255.255.255.0
R3      S0/0/1     10.2.2.2      255.255.255.252
PC-A    NIC        192.168.1.3   255.255.255.0
PC-B    NIC        192.168.2.3   255.255.255.0
PC-C    NIC        192.168.3.3   255.255.255.0

Steps for Part 1: Configure Local AAA Authentication for Console Access on R1

Step 1: Test connectivity.
➔ PC configuration
➔ Router configuration

Console login after AAA is applied:
Username: touhid
Password: 1234
R1>

Part 2: Configure Local AAA Authentication for vty Lines on R1
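Added example (not the journal's screenshots): the local AAA configuration for both parts on R1. The console account matches the login shown above (touhid / 1234, far too weak outside a lab); the vty method-list name VTY-LOGIN is an assumption.

```cisco
! Added example, not the journal's screenshots. The account is the one the journal's
! login prompt shows; the method-list name VTY-LOGIN is an assumption.

! ---- Part 1: local AAA for the console ----
! Create the local user BEFORE "aaa new-model": that command immediately applies
! the default list to every line, and a router with no local user locks you out.
R1(config)# username touhid secret 1234
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# line console 0
R1(config-line)# login authentication default
R1(config-line)# exit

! ---- Part 2: local AAA for the vty lines ----
! local-case makes the username check case-sensitive, unlike plain "local".
R1(config)# aaa authentication login VTY-LOGIN local-case
R1(config)# line vty 0 4
R1(config-line)# login authentication VTY-LOGIN
! SSH only; requires the domain name / RSA key setup from Practical 1.
R1(config-line)# transport input ssh
R1(config-line)# exit
R1(config)# end

! ---- Verification ----
R1# show running-config | include aaa
R1# debug aaa authentication
! Open a second console/SSH session while the debug runs: it names the method
! list consulted and prints PASS or FAIL for each attempt. Keep the first session
! open until the second login succeeds.
```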
Practical 3:- Configure Extended ACLs – Scenario 1

Address Table:

Device  Interface  IP Address     Subnet Mask      Default Gateway
R1      G0/0       172.22.34.1    255.255.255.252  N/A
R1      S0/1       172.22.34.65   255.255.255.252  N/A
R1      S0/2       172.22.34.97   255.255.255.252  N/A
Server  NIC        172.22.34.62   255.255.255.0    172.22.34.1
PC1     NIC        172.22.34.66   255.255.255.0    172.22.34.68
PC2     NIC        172.22.34.98   255.255.255.0    172.22.34.97

Necessary step:
Step 1: Test connectivity. All devices should be able to ping all other IP addresses.
➔ PC and server configuration
➔ Router configuration
Note: Ping from the PCs to the server should succeed before any ACL is applied.

Part 1: Configure, Apply and Verify an Extended Numbered ACL
Step 1: Configure an ACL to permit FTP and ICMP.

Step 2: Verify the ACL implementation from PC1.

Note (FTP login): username = cisco, password = cisco

Part 2: Configure, Apply and Verify an Extended Named ACL

Step 1: Configure an ACL to permit HTTP access and ICMP.
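Added example (not the journal's screenshots): the numbered ACL for Part 1 and the named ACL for Part 2, applied inbound on the PC-facing interfaces from the table. The wildcards follow the /30 router-interface masks in the table; the ACL name HTTP-ONLY is an assumption.

```cisco
! Added example, not the journal's screenshots. Addresses follow the Practical 3
! table (PC subnets /30, hence wildcard 0.0.0.3); the name HTTP-ONLY is an
! assumption.

! ---- Part 1: numbered extended ACL, PC1 may FTP and ping the server, nothing else ----
R1(config)# access-list 100 permit tcp 172.22.34.64 0.0.0.3 host 172.22.34.62 eq ftp
R1(config)# access-list 100 permit icmp 172.22.34.64 0.0.0.3 host 172.22.34.62
! No explicit deny needed: every IOS ACL ends with an implicit "deny ip any any".
R1(config)# interface s0/1
R1(config-if)# ip access-group 100 in
R1(config-if)# exit

! ---- Part 2: named extended ACL, PC2 may browse and ping the server, nothing else ----
R1(config)# ip access-list extended HTTP-ONLY
R1(config-ext-nacl)# permit tcp 172.22.34.96 0.0.0.3 host 172.22.34.62 eq www
R1(config-ext-nacl)# permit icmp 172.22.34.96 0.0.0.3 host 172.22.34.62
R1(config-ext-nacl)# exit
R1(config)# interface s0/2
R1(config-if)# ip access-group HTTP-ONLY in
R1(config-if)# exit
R1(config)# end

! ---- Verification ----
R1# show access-lists
! Every entry carries a match counter. From PC1 run "ping 172.22.34.62" and
! "ftp 172.22.34.62" (cisco / cisco); from PC2 open http://172.22.34.62 in the
! browser. Re-run "show access-lists" and the matching entries' counters rise.
! The cross cases (web from PC1, ftp from PC2) time out: they hit the implicit deny.
```

Filtering inbound on the interface nearest the source drops unwanted traffic before it consumes a router hop, which is why the lab applies both ACLs `in` on the PC-facing ports. One caveat for real networks: `eq ftp` covers only the control channel (TCP/21); real FTP also opens a data channel (active mode from the server's port 20, passive mode to a high port on the server), which Packet Tracer's simplified FTP does not model, so on production IOS the data channel needs a stateful mechanism such as the zone-based firewall of Practical 5 rather than a static ACL.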
Practical 4:- Configure IP ACLs to Mitigate Attacks

Addressing Table:

Device  Interface  IP Address    Subnet Mask      Default Gateway
R1      Gig0/0     192.168.1.1   255.255.255.0    N/A
R1      Se0/1/0    10.1.1.1      255.255.255.252  N/A
R2      Se0/1/0    10.1.1.2      255.255.255.252  N/A
R2      Se0/1/1    10.2.2.2      255.255.255.252  N/A
R2      Lo0        192.168.2.1   255.255.255.0    N/A
R3      Gig0/0     192.168.3.1   255.255.255.0    N/A
R3      Se0/1/0    10.2.2.1      255.255.255.252  N/A
PC-A    Fa0        192.168.1.3   255.255.255.0    192.168.1.1
PC-C    Fa0        192.168.3.3   255.255.255.0    192.168.3.1

Step 1: Configure SSH login on all 3 routers (repeat the same steps on R1, R2 and R3).

Step 2: Configure a loopback address on Router 2.

Part 1: Verify Basic Network Connectivity

Step 1: From PC-A, verify connectivity to PC-C and R2.
➔ Checking SSH from the PC

Step 2: From PC-C, verify connectivity to PC-A and R2.
➔ Checking SSH via the loopback address

Part 2: Secure Access to Routers

Step 1: Configure ACL 10 to block all remote access to the routers except from PC-C.
Execute the commands on all routers (R1, R2, R3).
SSH from any host other than PC-C should now be unsuccessful.

Part 3: Create a Numbered IP ACL 120 on R1

Step 1: Verify that PC-C can access PC-A via HTTPS using the web browser.
Be sure to disable HTTP and enable HTTPS on server PC-A in the Services tab.

Step 2: Configure ACL 120 to specifically permit and deny the specified traffic to 192.168.1.3 (the PC-A IP address).

Step 3: Apply the ACL to the interface on Router 1.

Step 4: Verify that PC-C cannot access PC-A via HTTPS using the web browser.
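Added example (not the journal's screenshots): the management-plane ACL 10 for Part 2 and the data-plane ACL 120 for Part 3, with the addresses from the table. The journal states only which outcomes must hold (SSH from PC-C only; HTTPS to PC-A denied; earlier pings still working), so the remaining entries, and the assumption that OSPF runs over the serial link, are additions.

```cisco
! Added example, not the journal's screenshots. Addresses follow the Practical 4
! table. Beyond "SSH only from PC-C" and "no HTTPS to PC-A", the entries and the
! OSPF permit are assumptions.

! ---- Part 2: management-plane ACL on the vty lines of R1, R2 and R3 ----
! access-class filters the lines themselves, not an interface, so it covers every
! path to the router, including R2's loopback address.
R1(config)# access-list 10 permit host 192.168.3.3
R1(config)# access-list 10 deny any log
R1(config)# line vty 0 4
R1(config-line)# access-class 10 in
R1(config-line)# exit
! Repeat on R2 and R3. From PC-A "ssh -l admin 10.1.1.1" must now be refused and
! a %SEC-6-IPACCESSLOGNP message is logged; from PC-C it must still succeed.

! ---- Part 3: data-plane ACL 120 on R1, inbound on the WAN link ----
! Order matters: the HTTPS deny sits above anything broad, and the SSH permit is
! narrowed to PC-C's address and R1's own serial address.
R1(config)# access-list 120 deny tcp any host 192.168.1.3 eq 443 log
R1(config)# access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
! Keep the Part 1 pings from PC-A working: only the replies are let back in.
R1(config)# access-list 120 permit icmp any any echo-reply
R1(config)# access-list 120 permit icmp any any unreachable
! Keep the routing adjacency alive across the filtered link (assumes OSPF).
R1(config)# access-list 120 permit ospf any any
! implicit deny ip any any
R1(config)# interface s0/1/0
R1(config-if)# ip access-group 120 in
R1(config-if)# exit
R1(config)# end

! ---- Verification ----
R1# show ip interface s0/1/0
! Expect "Inbound access list is 120".
R1# show access-lists 120
! From PC-C, https://192.168.1.3 now times out and the deny entry's counter
! increments; "log" also produces a %SEC-6-IPACCESSLOGP line, the detection
! signal an operator would alert on. From PC-A, "ping 192.168.3.3" still works
! because echo-reply is permitted, while a ping started from PC-C is dropped.
```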
Practical 5 :- Configuring a Zone-Based Policy Firewall

Circuit Diagram :-

IP Configuration :- PC-A, PC-C, R1, R2, R3

Commands :- SSH

Verification :-
Practical 6 :- Configuring IOS Intrusion Prevention System Using CLI

Circuit Diagram :-

IP Configuration :- PC0, PC1, PC2, Server0

Commands :- R0, R1

Web Browser :- PC0 – Server0, PC1 – Server0, Server0 – PC0, Server0 – PC1

Verification :-
Practical 7:- Layer 2 Security

Part 1: Configure IOS Intrusion Prevention System (IPS) Using the CLI

Address Table:

Note: Enable authentication of NTP on PC-1.

Device  Interface  IP Address    Subnet Mask      Default Gateway
R1      Gig0/0     192.168.1.1   255.255.255.0    N/A
R1      Se0/0/0    10.1.1.1      255.255.255.252  N/A
R2      Se0/0/0    10.1.1.2      255.255.255.252  N/A
R2      Se0/0/1    10.2.2.2      255.255.255.252  N/A
R3      Gig0/0     192.168.3.1   255.255.255.0    N/A
R3      Se0/0/1    10.2.2.1      255.255.255.252  N/A
PC-1    Fa0        192.168.1.3   255.255.255.0    192.168.1.1
PC-2    Fa0        192.168.1.2   255.255.255.0    192.168.1.1
PC-3    Fa0        192.168.3.3   255.255.255.0    192.168.3.1

Part 1: Configuration of IPS
Verification

Part 2: Configure IPS to use a signature category.

Part 3: Modify an IPS signature.


Practical 8:-Layer 2 VLAN Security

● Creating a network --> adding IP addresses to the devices --> changing the display names.

Step 1:- Multilayer switch CLI (STP root placement)

Central(config)# spanning-tree vlan 1 root primary

SW-1(config)# spanning-tree vlan 1 root secondary

Step 2:- Protection against STP attacks

SW-A(config)# interface range f0/3-6
SW-A(config-if-range)# spanning-tree portfast
SW-A(config-if-range)# spanning-tree bpduguard enable
SW-A(config-if-range)# exit

SW-1(config)# interface range f0/23-24
SW-1(config-if-range)# spanning-tree guard root

SW-B(config)# interface range f0/3-6
SW-B(config-if-range)# spanning-tree portfast
SW-B(config-if-range)# spanning-tree bpduguard enable
SW-B(config-if-range)# exit

SW-2(config)# interface range f0/23-24
SW-2(config-if-range)# spanning-tree guard root

Step 3:- Configure port security and disable unused ports.

SW-A(config)# interface range f0/1-22
SW-A(config-if-range)# switchport mode access
SW-A(config-if-range)# switchport port-security
SW-A(config-if-range)# switchport port-security maximum 2
SW-A(config-if-range)# switchport port-security violation shutdown
SW-A(config-if-range)# switchport port-security mac-address sticky

● Verify port security

SW-A# show port-security interface f0/1

● Disable unused ports

SW-A(config)# interface range f0/5-22
SW-A(config-if-range)# shutdown

SW-B(config)# interface range f0/1-22
SW-B(config-if-range)# switchport mode access
SW-B(config-if-range)# switchport port-security
SW-B(config-if-range)# switchport port-security maximum 2
SW-B(config-if-range)# switchport port-security violation shutdown
SW-B(config-if-range)# switchport port-security mac-address sticky

● Verify port security

SW-B# show port-security interface f0/1

● Disable unused ports

SW-B(config)# interface range f0/5-22
SW-B(config-if-range)# shutdown

● Ports are now disabled.
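Added example (not the journal's screenshots): how to confirm the Layer 2 protections above actually took effect on SW-A, and how a port that BPDU guard or port security has err-disabled is brought back, automatically or by hand. The recovery interval is an assumption (the IOS default is 300 seconds).

```cisco
! Added example, not the journal's screenshots. Same switch names as the journal;
! the recovery interval is an assumption.

! Global shorthand: every PortFast edge port gets BPDU guard, so a newly added
! access port cannot be forgotten.
SW-A(config)# spanning-tree portfast bpduguard default

! Let the switch re-enable a tripped port itself after the interval, so one rogue
! switch plugged into f0/3 is an event in the log, not a permanent outage.
SW-A(config)# errdisable recovery cause bpduguard
SW-A(config)# errdisable recovery cause psecure-violation
SW-A(config)# errdisable recovery interval 120
SW-A(config)# end

! ---- What to check ----
SW-A# show spanning-tree summary
! "Portfast Default" and "PortFast BPDU Guard Default" should read "is enabled".
SW-A# show spanning-tree inconsistentports
! Root guard on f0/23-24 shows up here as "Root Inconsistent" if a superior BPDU
! ever arrives on an uplink.
SW-A# show port-security
! Per-port MaxSecureAddr, CurrentAddr, SecurityViolation count and the action.
SW-A# show port-security address
! The sticky MACs the switch learned; they survive a reload only after
! "copy running-config startup-config".
SW-A# show interfaces status err-disabled
! Any port shut down by BPDU guard or a port-security violation, with the reason.

! ---- Manual recovery, when automatic recovery is off or you cannot wait ----
SW-A(config)# interface f0/3
SW-A(config-if)# shutdown
SW-A(config-if)# no shutdown
! Find and remove the offending device first, or the port trips again at once.
```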
Practical 9: Configure and Verify a Site-to-Site IPsec VPN Using CLI
The routers have been pre-configured with the following:

· Password for console line: ciscoconpa55

· Password for vty lines: ciscovtypa55

· Enable password: ciscoenpa55

· SSH username and password: SSHadmin / ciscosshpa55

· OSPF 101

Part 1: Configure IPsec Parameters on R1

Step 1: Test connectivity.

Ping from PC-A to PC-C.

Step 2: Enable the Security Technology package.

a. On R1, issue the show version command to view the Security Technology package license
information.

b. If the Security Technology package has not been enabled, use the following command to enable
the package.

R1(config)# license boot module c1900 technology-package securityk9

c. Accept the end-user license agreement.

d. Save the running-config and reload the router to enable the security license.

e. Verify that the Security Technology package has been enabled by using the show version
command.

Step 3: Identify interesting traffic on R1.

Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R3 as interesting. This
interesting traffic will trigger the IPsec VPN to be implemented when there is traffic between the R1
to R3 LANs. All other traffic sourced from the LANs will not be encrypted. Because of the implicit
deny all, there is no need to configure a deny ip any any statement.

R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Step 4: Configure the IKE Phase 1 ISAKMP policy on R1.

Configure the crypto ISAKMP policy 10 properties on R1 along with the shared crypto key vpnpa55.
Refer to the ISAKMP Phase 1 table for the specific parameters to configure. Default values do not
have to be configured. Therefore, only the encryption method, key exchange method, and DH method
must be configured.

Note: The highest DH group currently supported by Packet Tracer is group 5. In a production
network, you would configure at least DH 14.

R1(config)# crypto isakmp policy 10

R1(config-isakmp)# encryption aes 256

R1(config-isakmp)# authentication pre-share

R1(config-isakmp)# group 5

R1(config-isakmp)# exit

R1(config)# crypto isakmp key vpnpa55 address 10.2.2.2

Step 5: Configure the IKE Phase 2 IPsec policy on R1.

a. Create the transform-set VPN-SET to use esp-aes and esp-sha-hmac.

R1(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

b. Create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence
number 10 and identify it as an ipsec-isakmp map.

R1(config)# crypto map VPN-MAP 10 ipsec-isakmp

R1(config-crypto-map)# description VPN connection to R3

R1(config-crypto-map)# set peer 10.2.2.2

R1(config-crypto-map)# set transform-set VPN-SET

R1(config-crypto-map)# match address 110

R1(config-crypto-map)# exit

Step 6: Configure the crypto map on the outgoing interface.

Bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface.

R1(config)# interface s0/0/0


R1(config-if)# crypto map VPN-MAP

Part 2: Configure IPsec Parameters on R3

Step 1: Enable the Security Technology package.

a. On R3, issue the show version command to verify that the Security Technology package license
information has been enabled.

b. If the Security Technology package has not been enabled, enable the package and reload R3.

Step 2: Configure router R3 to support a site-to-site VPN with R1.

Configure reciprocating parameters on R3. Configure ACL 110 identifying the traffic from the LAN
on R3 to the LAN on R1 as interesting.

R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 3: Configure the IKE Phase 1 ISAKMP properties on R3.

Configure the crypto ISAKMP policy 10 properties on R3 along with the shared crypto key vpnpa55.

R3(config)# crypto isakmp policy 10

R3(config-isakmp)# encryption aes 256

R3(config-isakmp)# authentication pre-share

R3(config-isakmp)# group 5

R3(config-isakmp)# exit

R3(config)# crypto isakmp key vpnpa55 address 10.1.1.2

Step 4: Configure the IKE Phase 2 IPsec policy on R3.

a. Create the transform-set VPN-SET to use esp-aes and esp-sha-hmac.

R3(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

b. Create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence
number 10 and identify it as an ipsec-isakmp map.

R3(config)# crypto map VPN-MAP 10 ipsec-isakmp

R3(config-crypto-map)# description VPN connection to R1

R3(config-crypto-map)# set peer 10.1.1.2

R3(config-crypto-map)# set transform-set VPN-SET

R3(config-crypto-map)# match address 110

R3(config-crypto-map)# exit
Step 5: Configure the crypto map on the outgoing interface.

Bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface. Note: This is not graded.

R3(config)# interface s0/0/1

R3(config-if)# crypto map VPN-MAP

Part 3: Verify the IPsec VPN

Step 1: Verify the tunnel prior to interesting traffic.

Issue the show crypto ipsec sa command on R1. Notice that the number of packets encapsulated,
encrypted, decapsulated, and decrypted are all set to 0.

Step 2: Create interesting traffic.

Ping PC-C from PC-A.

Step 3: Verify the tunnel after interesting traffic.

On R1, re-issue the show crypto ipsec sa command. Notice that the number of packets is more than 0,
which indicates that the IPsec VPN tunnel is working.

Step 4: Create uninteresting traffic.

Ping PC-B from PC-A. Note: Issuing a ping from router R1 to PC-C or R3 to PC-A is not interesting
traffic.

Step 5: Verify the tunnel.

On R1, re-issue the show crypto ipsec sa command. Notice that the number of packets has not
changed, which verifies that uninteresting traffic is not encrypted.

Step 6: Check results.


Your completion percentage should be 100%. Click Check Results to see feedback and verification of
which required components have been completed.
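Added example (not part of the lab): the same R1 tunnel with the parameters a production network would use, placed beside the lab's values. Peer addresses and ACL 110 are the lab's; the pre-shared key is a placeholder. Packet Tracer accepts only DH group 5 and no SHA-2 hashes, as the lab notes, so this block targets real IOS.

```cisco
! Added example, not part of the lab: production-grade values for the Practical 9
! tunnel. Peers and ACL 110 are the lab's; the PSK is a placeholder.
!
! Lab value                         Production value
! encryption aes 256                encryption aes 256 (keep)
! hash (default = SHA-1)            hash sha256
! group 5 (1536-bit MODP)           group 14 (2048-bit MODP) or stronger
! lifetime (default 86400 s)        lifetime 28800
! esp-aes esp-sha-hmac              esp-aes 256 esp-sha256-hmac, with PFS

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 14
R1(config-isakmp)# lifetime 28800
R1(config-isakmp)# exit
! Long, random PSK; never reuse the console/enable passwords for it.
R1(config)# crypto isakmp key <long-random-psk> address 10.2.2.2

R1(config)# crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha256-hmac
R1(cfg-crypto-trans)# mode tunnel
R1(cfg-crypto-trans)# exit

R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 10.2.2.2
R1(config-crypto-map)# set transform-set VPN-SET
! PFS: a fresh DH exchange on every Phase 2 rekey, so a key recovered later does
! not unlock earlier sessions.
R1(config-crypto-map)# set pfs group14
R1(config-crypto-map)# set security-association lifetime seconds 3600
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit
! R3 mirrors all of this with "set peer 10.1.1.2" and binds the map to s0/0/1.

! ---- Reading the verification commands from Part 3 ----
R1# show crypto isakmp sa
! State QM_IDLE = Phase 1 is up. MM_NO_STATE that never advances usually means the
! policies or PSKs differ; compare "show crypto isakmp policy" on both ends.
R1# show crypto ipsec sa
! #pkts encaps/encrypt AND decaps/decrypt must both rise after a PC-A -> PC-C ping.
! If only encaps rises, the far side is not decrypting: ACL 110 is not mirrored
! or the transform sets differ.
```

The lab's transform set `esp-aes esp-sha-hmac` is AES-128 with SHA-1 integrity; that is still acceptable for integrity (HMAC-SHA1 is not broken the way SHA-1 collisions are), but SHA-256 and DH 14 are the floor most current guidance sets, and PFS is cheap insurance on a long-lived site-to-site link.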
Practical 10: Configuring ASA Basic Settings Firewall Using CLI

Address Table:

Device      Interface      IP Address       Subnet Mask      Default Gateway
R1          G0/0           209.165.200.225  255.255.255.248  N/A
R1          S0/0/0 (DCE)   10.1.1.1         255.255.255.252  N/A
R2          S0/0/0         10.1.1.2         255.255.255.252  N/A
R2          S0/0/1 (DCE)   10.2.2.2         255.255.255.252  N/A
R3          G0/1           172.16.3.1       255.255.255.0    N/A
R3          S0/0/1         10.2.2.1         255.255.255.252  N/A
ASA         VLAN 1 (E0/1)  192.168.1.1      255.255.255.0    N/A
ASA         VLAN 2 (E0/0)  209.165.200.226  255.255.255.248  N/A
ASA         VLAN 3 (E0/2)  192.168.2.1      255.255.255.0    N/A
DMZ Server  NIC            192.168.2.3      255.255.255.0    192.168.2.1
PC-B        NIC            192.168.1.3      255.255.255.0    192.168.1.1
PC-C        NIC            172.16.3.3       255.255.255.0    172.16.3.1

Steps for Part 1: Verify Connectivity and Explore the ASA.


Step 1: Verify connectivity.
Step 2: Determine the ASA version, interfaces, and license.
Step 3: Determine the file system and contents of flash memory.

Steps for Part 2: Configure ASA Settings and Interface Security Using
the CLI.
Step 1: Configure the hostname and domain name.
Step 2: Configure the enable mode password.
Step 3: Set the date and time.
Step 4: Configure the inside and outside interfaces.
● Configure a logical VLAN 1 interface for the inside network (192.168.1.0/24) and set the security level to the highest setting of 100.

CCNAS-ASA(config)# interface vlan 1
CCNAS-ASA(config-if)# nameif inside
CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
CCNAS-ASA(config-if)# security-level 100

● Create a logical VLAN 2 interface for the outside network (209.165.200.224/29), set the security level to the lowest setting of 0, and enable the VLAN 2 interface.

CCNAS-ASA(config-if)# interface vlan 2
CCNAS-ASA(config-if)# nameif outside
CCNAS-ASA(config-if)# ip address 209.165.200.226 255.255.255.248
CCNAS-ASA(config-if)# security-level 0
CCNAS-ASA(config-if)# no shutdown

Step 5: Test connectivity to the ASA.

Steps for Part 3: Configure Routing, Address Translation, and


Inspection Policy Using the CLI
Step 1: Configure a static default route for the ASA.

Step 2: Configure address translation using PAT and network objects.


Step 3: Modify the default MPF application inspection global service policy
● a. Create the class-map, policy-map, and service-policy. Add the inspection
of ICMP traffic to the policy map list using the following commands:
CCNAS-ASA(config)# class-map inspection_default
CCNAS-ASA(config-cmap)# match default-inspection-traffic
CCNAS-ASA(config-cmap)# exit
CCNAS-ASA(config)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
CCNAS-ASA(config-pmap-c)# exit

CCNAS-ASA(config)# service-policy global_policy global


Steps for Part 4: Configure DHCP, AAA, and SSH
Step 1: Configure the ASA as a DHCP server.
Step 2: Configure AAA to use the local database for authentication.
Step 3: Configure remote access to the ASA.
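Added example (not the journal's screenshots) for the steps of Parts 2 to 4 that the journal lists without commands: hostname and domain, default route, PAT, ICMP inspection, DHCP, local AAA and SSH-restricted management. Addresses follow the Practical 10 table; the hostname, domain name, passwords, DHCP pool, DNS address and the single outside management host (PC-C) are assumptions.

```cisco
! Added example, not the journal's screenshots. Addresses follow the Practical 10
! table; names, passwords, DHCP pool, DNS address and the management host are
! assumptions.

! ---- Part 2: identity, privileged password, clock ----
ciscoasa(config)# hostname CCNAS-ASA
CCNAS-ASA(config)# domain-name ccnasecurity.com
CCNAS-ASA(config)# enable password ciscoenpa55
CCNAS-ASA(config)# clock set 12:00:00 Jan 1 2024

! ---- Part 3: default route, PAT for the inside LAN, ICMP inspection ----
CCNAS-ASA(config)# route outside 0.0.0.0 0.0.0.0 209.165.200.225
CCNAS-ASA(config)# object network inside-net
CCNAS-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CCNAS-ASA(config-network-object)# nat (inside,outside) dynamic interface
CCNAS-ASA(config-network-object)# exit
! Without "inspect icmp" the ASA keeps no state for echo/echo-reply, and replies
! to inside pings are dropped at the outside interface.
CCNAS-ASA(config)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
CCNAS-ASA(config-pmap-c)# exit
CCNAS-ASA(config-pmap)# exit

! ---- Part 4: DHCP for the inside LAN, local AAA, SSH-only management ----
CCNAS-ASA(config)# dhcpd address 192.168.1.5-192.168.1.36 inside
CCNAS-ASA(config)# dhcpd dns 209.165.201.2
CCNAS-ASA(config)# dhcpd enable inside
CCNAS-ASA(config)# username admin password adminpa55
CCNAS-ASA(config)# aaa authentication ssh console LOCAL
CCNAS-ASA(config)# crypto key generate rsa modulus 2048
! Only the inside LAN and one named outside host may even reach the SSH service;
! everything else is refused before a password is ever tried.
CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# ssh 172.16.3.3 255.255.255.255 outside
CCNAS-ASA(config)# ssh timeout 10
CCNAS-ASA(config)# ssh version 2

! ---- Verification ----
CCNAS-ASA# show interface ip brief
CCNAS-ASA# show nat
! "translate_hits" increments after PC-B pings or browses outward.
CCNAS-ASA# show xlate
CCNAS-ASA# show ssh sessions
! From PC-C, "ssh -l admin 209.165.200.226" must succeed; from any other outside
! address the connection is refused.
```

The `ssh <host> <mask> <interface>` lines are the ASA's equivalent of the `access-class` ACL from Practical 4: they bound the management plane by source before authentication happens, which is the control that actually limits brute-force exposure on an internet-facing firewall.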
