CCIE Security Advanced Lab Workbook Version 3.0 ... - CCBootcamp

LAB 1

For questions: www.securityie.com
s.a.lab.01.09.05.kb.r04.09.05.doc

Instructions

Verify that all configurations have been cleared before you load initial configurations onto the lab routers, backbone routers and switches. There are no initial configurations for the ASA and IPS. You will be required to configure these devices in the practice lab, just as you will be required to do so in the actual lab exam.

ASDM and SDM are not available in the actual lab exam.

The ACS workstation is used in this lab as the candidate PC as well as the ACS server. The IP address of the ACS cannot be changed.

There is a ‘test pc’ available in the practice labs as well as the actual lab. The IP address of the “rack” interface test PC may be changed through the desktop application. For both PCs, you may add/remove static routes for connectivity as described in the LAB. Do not change the default route on the ACS or the test PC, as you may lose connectivity.

Always remember to Apply changes and Save your configs often!

Unless otherwise specified, use only the existing networks within your lab. Additional networks, static and/or default routes, may not be configured unless specified in a task.

When creating passwords, use “cisco” unless indicated otherwise in a specific task. Refer to the “Remote Rack Access FAQ” PDF for cabling, ACS and IPS Access and other commonly asked questions. The document is located here: http://www.ccbootcamp.com/download

www.ccbootcamp.com Toll Free 877.654.2243 sales@ccbootcamp.com
Copyright ©2009, Network Learning, Incorporated


Sections:
1. ASA Firewalls
2. IOS Firewalls
3. VPNs
4. IPS
5. Identity Management
6. Control/Management Plane Security
7. Advanced Security
8. Network Attack Mitigation

If you would like additional copies of the diagrams to use with the labs, they can be downloaded from http://www.ccbootcamp.com/download/!Security/


[Physical cabling diagram; only the text labels survived extraction. Routers R1 through R6 connect Fa0/0 to SW1 and Fa0/1 to SW2, on the switch port whose number matches the router number (R1 on Fa0/1 ... R6 on Fa0/6); BB1 uses Fa0/9 and BB2 uses Fa0/10 on both switches. The 2811 routers R7 and R8 connect Fa0/0 to SW3 and Fa0/1 to SW4 on Fa0/17 and Fa0/18 respectively. ASA01 and ASA02 ports E0/0 through E0/3 and the IDS sense (Gi0/0) and c&c (Gi0/1) interfaces are also shown.
Sensor interfaces: G0/0 to SW1 Fa0/14; Fa1/0 to SW3 Fa0/4; Fa1/1 to SW3 Fa0/3; Fa1/2 to SW3 Fa0/2; Fa1/3 to SW3 Fa0/1.
ACS PC: SW1 Fa0/24, 192.168.2.101. XP Test PC: SW2 Fa0/16, 192.168.2.102.]




Section 1: ASA Firewalls

Task 1.1  4 Points

Configure the ASA as shown in the diagram. Use the default gateway of 50.50.4.14 for both contexts. Context c1 should use e0/0 for redundancy on the inside interface, with e0/2 being active. Configure c1 as the admin context.
Add a static route for the 192.168.0.0 network on c2.
Add a route on the ACS PC for 50.50.0.0/16 using R6.
Translate SW1 to the inside of c1 using 50.50.4.19.
Translate the ACS PC's 192.168.2.101 address to the outside address of 50.50.4.101 on c2.
Translate R6 Fa0/1 address to the global address of 50.50.4.6 on c2.

Task 1.2  4 Points

Allow SSH management on the inside interface of c1 from the ACS PC. Use the username of “user1” with password of “cisco”. Authenticate this user with RADIUS.
On c1, permit ICMP echo requests inbound on the outside interface. Verify that SW1 can ping R1 at 1.1.1.1. R1 should see these pings sourced from 50.50.4.19.
On c1, deny TCP sessions from the R5 Loopback 0 and SW1 if the TCP window size shrinks unexpectedly after establishment, and limit half-formed TCP sessions to 101. Do not use the static for this task.
On c1, do not allow non-initial fragments inbound on the outside interface, and send a TCP reset to the initiator of a packet if the firewall is not going to allow a packet to or through the firewall on the outside interface.
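One way to meet the SSH/RADIUS, TCP normalization, fragment and reset requirements of Task 1.2 on context c1, added here as an illustration and not the workbook's answer key. It assumes pre-8.3 ASA syntax, interfaces named inside/outside, a RADIUS key of "cisco", an assumed domain name, R5 Loopback 0 = 5.5.5.5 (the task does not give it) and SW1 matched on its Task 1.1 translated address 50.50.4.19.

```cisco
! Context c1 of the ASA, Task 1.2 items (added illustration, not the answer key).
! Assumptions: interfaces named inside/outside, pre-8.3 ASA syntax, RADIUS key
! "cisco", R5 Loopback 0 = 5.5.5.5 (not stated in the task), SW1 matched on its
! Task 1.1 translated address 50.50.4.19, domain name lab.local (assumed).
!
! SSH from the ACS PC only, with logins checked against RADIUS on the ACS server;
! user1/cisco is defined on the ACS, not locally.
domain-name lab.local
crypto key generate rsa modulus 2048
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.168.2.101
 key cisco
aaa authentication ssh console ACS-RADIUS
ssh 192.168.2.101 255.255.255.255 inside
!
! TCP sessions between R5 Lo0 and SW1: drop on an unexpected window shrink and
! cap half-open (embryonic) connections at 101 through MPF rather than the static.
access-list R5-SW1 extended permit tcp host 5.5.5.5 host 50.50.4.19
access-list R5-SW1 extended permit tcp host 50.50.4.19 host 5.5.5.5
tcp-map WINDOW-CHECK
 window-variation drop
class-map R5-SW1-TCP
 match access-list R5-SW1
policy-map global_policy
 class R5-SW1-TCP
  set connection embryonic-conn-max 101
  set connection advanced-options WINDOW-CHECK
service-policy global_policy global
!
! Fragment chain limit of 1 on outside: a packet that arrives in more than one
! fragment is discarded, so non-initial fragments never get in.
fragment chain 1 outside
!
! RST to the initiator for denied TCP packets terminating at the outside
! interface (resetoutside) and for denied sessions transiting it (resetinbound).
service resetoutside
service resetinbound interface outside
```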


CCBOOTCAMP’s CCIE Security Advanced Lab Workbook
Volume 1, Part 2 of 2
for the CCIE Security Lab Exam version 3.0

For questions about this workbook please visit: www.securityie.com

CCBOOTCAMP
375 N. Stephanie Street
Building 21, Suite 2111
Henderson, NV 89014
1.877.654.2243 Toll Free
www.ccbootcamp.com

“Cisco,” the “Cisco Logo,” “CCNA,” “CCNP,” “CCDP,” “CCDA,” “CCIE,” “Cisco Certified Network Associate,” “Cisco Certified Design Professional,” “Cisco Certified Design Associate,” and “Cisco Certified Network Professional” are registered trademarks of Cisco Systems, Inc. The contents contained herein are not associated with or endorsed by Cisco Systems, Inc.


PLEASE READ THIS SUBSCRIPTION LICENSE AGREEMENT CAREFULLY BEFORE USING THIS PRODUCT. THIS SUBSCRIPTION LICENSE AGREEMENT APPLIES TO CCBOOTCAMP’s CCIE Security Advanced Lab Workbook. BY ORDERING THIS PRODUCT YOU ARE CONSENTING TO BE BOUND BY THIS LICENSING AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS LICENSE, THEN DO NOT PURCHASE THIS PRODUCT.

License Agreement

CCBOOTCAMP’s CCIE Security Advanced Lab Workbook is copyrighted. In addition, this product is at all times the property of CCBOOTCAMP, and the customer shall agree to use this product only for themselves, the licensed user. The license for the specific customer remains valid from the purchase date until they pass their CCIE Security lab exam.

CCBOOTCAMP’s CCIE Security Advanced Lab Workbook materials are licensed by individual customer. This material cannot be resold, transferred, traded, sold, or have the price shared in any way. Each specific individual customer must have a license to use this product. The customer agrees that this product is always the property of CCBOOTCAMP, and they are just purchasing a license to use it. A Customer’s license will be revoked if they violate this licensing agreement in any way.

Copies of this material in any form or fashion are strictly prohibited. If for any reason a licensed copy of this material is lost or damaged a new copy will be provided free of charge, except for the cost of printing, shipping and handling.

Individuals or entities that knowingly violate the terms of this licensing agreement may be subject to punitive damages that CCBOOTCAMP could seek in civil court. Damages will be limited to a maximum of $500,000.00 per individual and $2,000,000.00 per entity. In addition, individuals or entities that knowingly violate the terms of this license agreement may be subject to criminal penalties as are allowed by law.

The venue of any dispute, controversy, litigation or proceeding (formal or informal) arising out of or pertaining to this licensing agreement or the subject hereof shall lie exclusively in the County of Clark, State of Nevada. Provided, however, that if any such dispute, controversy, litigation or proceeding requires or permits jurisdiction in a federal court or agency of the United States, then venue shall lie in no federal court or agency other than those located in (or nearest to) the County of Clark, State of Nevada.

Term and Termination of License Agreement

This License is effective until terminated. Customer may terminate this License at any time by destroying all copies of written and electronic material of said product. Customer's rights under this License will terminate immediately without notice from CCBOOTCAMP, if Customer fails to comply with any provision of this License. Upon termination, Customer must destroy all copies of material in its possession or control. The license for the specific user remains valid from the purchase date until the user passes their lab exam pertaining to the purchased subscription. Once the customer passes the relevant lab exam the license is terminated and all material written or electronic in their possession or control must be destroyed or returned to CCBOOTCAMP.

Warranty

No warranty of any kind is provided with this product. There are no guarantees that the use of this product will help a customer pass any exams, tests, or certifications, or enhance their knowledge in any way. The product is provided on an “AS IS” basis. In no event will CCBOOTCAMP, its suppliers, or licensed resellers be liable for any incurred costs, lost revenue, lost profit, lost data, or any other damages regardless of the theory of liability arising out of use or inability to use this product.


LAB 6

For questions: www.securityie.com
s.a.lab.06.09.05.sm.r04.09.05.doc

Instructions

The instructions for this lab are identical to those given above for LAB 1.


Sections:
1. ASA Firewalls
2. IOS Firewalls
3. VPNs
4. IPS
5. Identity Management
6. Control/Management Plane Security
7. Advanced Security
8. Network Attack Mitigation


[Logical topology diagram for LAB 6; only the labels survived extraction. VLANs and networks shown: VLAN 168 192.168.2.0; VLAN 99 172.16.99.0; VLAN 77 172.16.77.0; VLAN 44 172.16.44.0; VLAN 22 24.234.22.0; VLAN 252 24.234.252.0; VLAN 121 24.234.121.0; Frame Relay 24.234.100.0; VLAN 88 172.16.88.0; VLAN 111 24.234.111.0; VLAN 222 24.234.222.0; VLAN 55 172.16.55.0. Devices shown: R1 through R8, BB1, BB2, SW1, SW2, ASA1 (Inside, Outside, DMZ1, DMZ2), contexts C1 and C2 (Inside, Outside), the IPS C&C interface and the ACS PC; OSPF Area 0 and Area 1. Host labels visible: SW2 .11, ACS PC .101, BB1 .99, IPS C&C .50, BB2 .252, SW1 .11.]

Routers use router number for last octet. Other devices use IP addresses as shown in diagram, or indicated within a task. Unless otherwise shown, all router interfaces are fa0/0.v where “v” = vlan number. All networks are /24 unless otherwise noted.




Section 1: ASA Firewalls

Task 1.1  4 Points

Set the hostname of ASA1 to ASA1.
Configure ASA1 with the following interface settings:

Name     Interface  Security level  IP Address         VLAN
Inside   E0/0.168   Default         192.168.2.100/24   168
Outside  E0/0.22    Default         24.234.22.100/24   22
DMZ1     E0/0.77    50              172.16.77.100/24   77
DMZ2     E0/0.44    75              172.16.44.100/24   44

Configure ASA1 as an ABR. Interface DMZ2 is in area 0 and interface outside is in area 1.
Ensure that a default route to ASA1 is sent into area 0. You may not use a static route or default information originate command to accomplish this. The area 1 routers should only reach outside networks via the default route, never by a specific route.
Verify that area 0 routers have routes to the area 1 networks.
Test connectivity from R4 to R2, R3 and R6. You are allowed to inspect ICMP on ASA1 to accomplish this.


Task 1.2  4 Points

Set the hostname of ASA2 to ASA2.
Configure ASA2 with multiple contexts, c1 and c2. Use the following interface settings:

Context  Name     Interface  Sec. Level  IP Address          VLAN
c1       Inside   E0/0.88    50          172.16.88.200/24    88
c1       Outside  E0/0.111   50          24.234.111.200/24   111
c2       Inside   E0/0.55    Default     172.16.55.200/24    55
c2       Outside  E0/0.222   Default     24.234.222.200/24   222

The contexts should not know the interface numbers, only the names provided in the table, e.g. Inside, Outside.
Configure a default route on both contexts with R6 as the next hop.

Task 1.3  4 Points

The ACS server should be reachable on the outside network via the address 24.234.22.101.
Hosts on the outside of ASA1 should be able to telnet to the outside interface address on port 2323 and reach R1. Verify by allowing R2.
Require a translation for traffic traversing context c2.
If R5 telnets to R6 it should have its address translated to 24.234.222.5. If it telnets to R3 its address should be 24.234.222.55.
Translate outgoing traffic from the inside network of c2 to the address 24.234.222.100.
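An added illustration of the ASA2 multiple-context build of Task 1.2 (and the sub-interface/VLAN pattern Task 1.1 also relies on), not the workbook's answer key. It assumes "mode multiple" is already set, an admin context named "admin" stored on disk0: (the task names neither), and R6 at .6 on VLANs 111 and 222 per the diagram's "router number for last octet" rule.

```cisco
! ASA2 for Task 1.2 (added illustration, not the workbook's answer key).
! Assumptions: "mode multiple" is already set, the admin context is "admin" on
! disk0: (the task names neither), and R6 is .6 on VLANs 111 and 222 per the
! diagram's "router number for last octet" rule.
hostname ASA2
! VLAN sub-interfaces exist only in the system execution space.
interface Ethernet0/0
 no shutdown
interface Ethernet0/0.88
 vlan 88
interface Ethernet0/0.111
 vlan 111
interface Ethernet0/0.55
 vlan 55
interface Ethernet0/0.222
 vlan 222
admin-context admin
context admin
 config-url disk0:/admin.cfg
! Mapped names: each context sees only "Inside"/"Outside", never Ethernet0/0.x.
context c1
 allocate-interface Ethernet0/0.88 Inside
 allocate-interface Ethernet0/0.111 Outside
 config-url disk0:/c1.cfg
context c2
 allocate-interface Ethernet0/0.55 Inside
 allocate-interface Ethernet0/0.222 Outside
 config-url disk0:/c2.cfg
! --- after "changeto context c1" ---
interface Inside
 nameif Inside
 security-level 50
 ip address 172.16.88.200 255.255.255.0
interface Outside
 nameif Outside
 security-level 50
 ip address 24.234.111.200 255.255.255.0
! Equal security levels block traffic between c1's interfaces unless permitted.
same-security-traffic permit inter-interface
route Outside 0.0.0.0 0.0.0.0 24.234.111.6
! --- after "changeto context c2" (ASA default: 100 for inside, 0 otherwise) ---
interface Inside
 nameif Inside
 security-level 100
 ip address 172.16.55.200 255.255.255.0
interface Outside
 nameif Outside
 security-level 0
 ip address 24.234.222.200 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 24.234.222.6
```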
