© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
Objectives
Scenario
This culminating activity includes many of the skills that you have acquired during this course. The routers
and switches are preconfigured with the basic device settings, such as IP addressing and routing. You will
secure routers using the CLI to configure various IOS features, including AAA, SSH, and Zone-Based Policy
Firewall (ZPF). You will configure a site-to-site VPN between R1 and R3. You will secure the switches on the
network. In addition, you will also configure firewall functionality on the ASA.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
Requirements
Note: Not all security features will be configured on all devices, however, they would be in a production network.
o Defina en el line cConsole el: line password : is ciscoconpa55, y un timeout de is 15 minutoes, and
console messages should not interrupt command entry.
o
o A message-of-the-day (MOTD) bBanner (MOTD) should include the word: Acceso Restringido.
unauthorized.
Configure the following on R2:
o Privileged EXEC mode secret password is ciscoenapa55.
o Password for the VTY lines is ciscovtypa55, timeout is 15 minutes, and login is required.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
Configure SSH
Configure lo siguiente en R1Configure the following on R1:
o The El domain name : is ccnasecurity.com
o The RSA key should be generatedGenere with las llaves RSA con 1024 modulus bits.
o Only Habilite SSH versionversión 2 is allowed2.
o Only Habilite únicamente el acceso por SSH eis allowed on el VTY lines.
VerifyVerifique that que PC-C can pueda acceder remotely remotamente a access R1 (209.165.200.233)
using usando SSH.
Secure AgainstAsegure el dispositivo contra Login Attacks Formatted: Spanish (Costa Rica)
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
o
o ISAKMP key: ciscovpnpa55
Create
Cree the el transform set VPN-SET to use esp-aes 256 yand esp-sha-hmac.
Then cCreeate the el crypto map CMAP 10:
that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-
isakmp map. Use the following parameters:
o Transform set: VPN-SET
o Transform encryption: Defina la IP del peeresp-aes 25.6
o Transform authentication: esp-sha-hmacAsocie el trafico interesante definido en la lista de acceso
101.
Perfect Forward Secrecy (PFS): group5
o Crypto map name: CMAP
o SA establishment: ipsec-isakmp
Bind the crypto map (CMAP) to the outgoing interface.
Asocie el crypto map a la interface de salida.
Realice la configuración a modo espejo en R3Verify that the Security Technology package license is
enabled. Repeat the site-to-site VPN configurations on R3 so that they mirror all configurations from R1.
Ping the Lo1 interface (172.20.1.1) on R1 from PC-C. On R3, use the show crypto ipsec sa command
to verify that the number of packets is more than 0, which indicates that the IPsec VPN tunnel is working.
Verifique que el tunnel IPSec sea funcional.
Configure como Firewall R3 and IPS Settings Formatted: Spanish (Costa Rica)
Configure a ZPF eon R3 using the following requirements: Formatted: Spanish (Costa Rica)
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
o Create a directory in flash named ipsdir and set it as the location for IPS signature storage.
o Create an IPS rule named IPS-RULE.
o Retire the all signature category with the retired true command (all signatures within the signature
release).
o Unretire the IOS_IPS Basic category with the retired false command.
o Apply the rule inbound on the S0/0/1 interface.
Configure ASA Basic Security and y Firewall Settings Formatted: English (United States)
Modifiquey thel class-map Cisco Modular Policy Framework (MPF) inspection_default eon thel
ASA using the following settings:
o Configure class-map inspection_default to match default-inspection-traffic, and then exit to
global configuration mode.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 6 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
o Configure en the el policy-map list global_policy. Enter theen la clases inspection_default and
enter the con el commando to inspect icmp.
o Then exit to global config mode.
o Configure the MPF service-policy to make the global_policy apply globally.
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 7 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
Step-by-Step Scripts
!-------------------------------
!-------------------------------
!R1
conf t
service password-encryption
line console 0
password ciscoconpa55
exec-timeout 15 0
login
logging synchronous
banner motd $Unauthorized access strictly prohibited and prosecuted to the full
extent of the law!$
end
!R2
conf t
line vty 0 4
password ciscovtypa55
exec-timeout 15 0
login
end
!-------------------------
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 8 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
!-------------------------
!S1
conf t
service password-encryption
line console 0
password ciscoconpa55
exec-timeout 5 0
login
logging synchronous
line vty 0 15
password ciscovtypa55
exec-timeout 5 0
login
banner motd $Unauthorized access strictly prohibited and prosecuted to the full
extent of the law!$
end
!Trunking
!S1 and S2
conf t
switchport nonegotiate
end
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 9 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
conf t
spanning-tree portfast
shutdown
switchport port-security
no shutdown
shutdown
end
!----------------------------------
!----------------------------------
!R1
conf t
aaa new-model
end
!-------------------------
!Configure SSH
!-------------------------
!R1
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 10 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
conf t
ip domain-name ccnasecurity.com
1024
ip ssh version 2
line vty 0 4
end
!----------------------------
!----------------------------
!R1
conf t
!---------------------------------
!---------------------------------
!R1
conf t
authentication pre-share
hash sha
group 5
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 11 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
lifetime 3600
exit
exit
interface S0/0/0
end
!R3
conf t
authentication pre-share
hash sha
group 5
lifetime 3600
exit
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 12 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
exit
interface S0/0/1
end
!-----------------------------------
!-----------------------------------
!R3
conf t
!Firewall configs
exit
inspect
exit
interface g0/1
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 13 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
exit
interface s0/0/1
end
!IPS configs
mkdir ipsdir
conf t
ip ips signature-category
category all
retired true
exit
retired false
exit
exit
<Enter>
interface s0/0/1
ip ips IPS-RULE in
!--------------------------------------------------
!--------------------------------------------------
!CCNAS-ASA
enable
<Enter>
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 14 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
conf t
interface vlan 1
nameif inside
security-level 100
interface vlan 2
nameif outside
security-level 0
no ip address dhcp
exit
hostname CCNAS-ASA
domain-name ccnasecurity.com
ssh timeout 10
exit
conf t
class-map inspection_default
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 15 of 16
Packet Tracer -– Skills Integration ChallengeExamen Final
match default-inspection-traffic
exit
policy-map global_policy
class inspection_default
inspect icmp
exit
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 16 of 16