Introduction
In this practice Packet Tracer Skills Based Assessment, you will do as follows:
Configure devices to protect against STP attacks and to enable broadcast storm control
Addressing Table

Device            Interface  IP Address       Subnet Mask      Gateway          DNS server
Internet          S0/0/0     209.165.200.225  255.255.255.252  n/a              n/a
Internet          S0/0/1     192.31.7.1       255.255.255.252  n/a              n/a
Internet          S0/1/0     198.133.219.1    255.255.255.252  n/a              n/a
Internet          Gi0/0      192.135.250.1    255.255.255.0    n/a              n/a
CORP              S0/0/0     209.165.200.226  255.255.255.252  n/a              n/a
CORP              Gi0/0      209.165.200.254  255.255.255.240  n/a              n/a
CORP-ASA          VLAN 1     192.168.1.1      255.255.255.0    n/a
CORP-ASA          VLAN 2     209.165.200.253  255.255.255.240  n/a
CORP-ASA          VLAN 3     10.1.1.254       255.255.255.0    n/a
Internal          Gi0/0      192.168.1.2      255.255.255.0    n/a
Internal          Gi0/1.10   172.16.10.254    255.255.255.0    n/a
Internal          Gi0/1.25   172.16.25.254    255.255.255.0    n/a
Internal          Gi0/1.99   172.16.99.254    255.255.255.0    n/a
Branch            S0/0/0     198.133.219.2    255.255.255.252  n/a              n/a
Branch            Gi0/0      198.133.219.62   255.255.255.224  n/a              n/a
External          S0/0/0     192.31.7.2       255.255.255.252  n/a              n/a
External          Gi0/0      192.31.7.62      255.255.255.224  n/a              n/a
Public Svr        NIC        192.135.250.5    255.255.255.0    192.135.250.1    n/a
External Web Svr  NIC        192.31.7.35      255.255.255.224  192.31.7.62      192.135.250.5
External PC       NIC        192.31.7.33      255.255.255.224  192.31.7.62      192.135.250.5
Internal-DNS Svr  NIC        172.16.25.2      255.255.255.0    172.16.25.254    10.1.1.5
NTP/Syslog Svr    NIC        209.165.200.252  255.255.255.240  209.165.200.254
(unnamed)         NIC        10.1.1.5         255.255.255.0    10.1.1.254       192.135.250.5
(unnamed)         NIC        10.1.1.2         255.255.255.0    10.1.1.254       10.1.1.5
PC0               NIC        172.16.10.5      255.255.255.0    172.16.10.254    172.16.25.2
PC1               NIC        172.16.10.10     255.255.255.0    172.16.10.254    172.16.25.2
Net Admin         NIC        172.16.25.5      255.255.255.0    172.16.25.254    172.16.25.2
Admin PC          NIC        198.133.219.35   255.255.255.224  198.133.219.62   192.135.250.5

Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.
Step 6: Configure ACLs on the CORP Router to Implement the Security Policy.
a. Create ACL 12 to implement the security policy regarding access to the vty lines, so that only users connecting from Net Admin and Admin PC are allowed access to the vty lines.
b. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router. Create the ACL in the order specified in the following guidelines. (Note that the order of the ACL statements is significant only because of how Packet Tracer scores the assessment.)
1. Allow HTTP traffic to the DMZ Web Server.
2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Server (two separate ACEs).
3. Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on the CORP router.
4. Allow IP traffic from the Branch router serial interface into the CORP router serial interface.
5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP site (209.165.200.240/28).
6. Allow echo-reply and host-unreachable traffic from the Internet.
7. Allow return TCP traffic from the Internet with the destination of 209.165.200.240/28.
c. To verify the INCORP ACL, complete the following tests:
Net Admin PC in the Internal network can access the URL http://www.externalone.com.
Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the username CORPSYS and password LetSysIn. If the password does not work, you may try the backup username SSHAccess and password ciscosshaccess defined in the local database.
External User cannot establish an SSH connection to the CORP router (209.165.200.226).
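The following IOS configuration is an added worked example of Step 6, not the assessment's answer key. The host and network addresses come from the addressing table and the ACE list above; it assumes the Internet-facing interface is Serial0/0/0 (209.165.200.226) and that the router uses vty lines 0 to 4. The page does not give the public addresses of the DMZ Web and DNS servers, so <DMZ-WEB-PUBLIC> and <DMZ-DNS-PUBLIC> are placeholders that must be replaced with the addresses the router actually sees for those servers.

```cisco
! Added example (not the assessment's answer key). Assumes the Internet-facing
! interface is Serial0/0/0 (209.165.200.226 per the addressing table) and vty
! lines 0-4. <DMZ-WEB-PUBLIC> and <DMZ-DNS-PUBLIC> are placeholders: the page
! does not give the public addresses of the DMZ servers. If address
! translation sits between the Internet and a host, the ACE must match the
! translated address, because that is what the router sees on this interface.
!
! --- Task a: standard ACL 12 restricts the vty lines to two management hosts ---
access-list 12 remark Management access: Net Admin and Admin PC only
access-list 12 permit host 172.16.25.5
access-list 12 permit host 198.133.219.35
! every ACL ends with an implicit "deny any", so no other source reaches the vty lines
line vty 0 4
 access-class 12 in
!
! --- Task b: extended named ACL INCORP, ACEs in the order the guidelines give ---
ip access-list extended INCORP
 remark 1. HTTP to the DMZ web server
 permit tcp any host <DMZ-WEB-PUBLIC> eq www
 remark 2. DNS to the DMZ DNS server, TCP and UDP as two separate ACEs
 permit tcp any host <DMZ-DNS-PUBLIC> eq domain
 permit udp any host <DMZ-DNS-PUBLIC> eq domain
 remark 3. SSH from the Branch admin workstation to CORP Serial0/0/0
 permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
 remark 4. Branch serial interface to CORP serial interface (carries ISAKMP and ESP for the VPN)
 permit ip host 198.133.219.2 host 209.165.200.226
 remark 5. Branch LAN to the CORP public range
 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
 remark 6. ICMP echo-reply and host-unreachable from the Internet
 permit icmp any any echo-reply
 permit icmp any any host-unreachable
 remark 7. Return TCP only: "established" matches segments with ACK or RST set,
 remark    so new inbound connection attempts (bare SYN) fall through to the implicit deny
 permit tcp any 209.165.200.240 0.0.0.15 established
!
interface Serial0/0/0
 ip access-group INCORP in
!
! Task c verification: run the three tests and watch the per-ACE hit counters
! show access-lists INCORP
! show ip interface Serial0/0/0 | include access list
! show running-config | section line vty
```

When running the task c tests, the hit counter on ACE 3 should increase for the Admin PC SSH session while the External User's attempt matches nothing and is dropped by the implicit deny; "show access-lists INCORP" makes both visible without any packet capture.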
Step 8: Configure a Site-to-Site IPsec VPN between the CORP router and the Branch Router.
The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2 Policy:

ISAKMP Phase 1 Policy Parameters

Parameters               CORP Router  Branch Router
Key Distribution Method  ISAKMP       ISAKMP
Encryption Algorithm     AES          AES
Number of Bits           256          256
Hash Algorithm           SHA-1        SHA-1
Authentication Method    Pre-share    Pre-share
Key Exchange             DH 2         DH 2
IKE SA Lifetime          86400        86400
ISAKMP Key               Vpnpass101   Vpnpass101

ISAKMP Phase 2 Policy Parameters

Parameters          CORP Router             Branch Router
Transform Set Name  VPN-SET                 VPN-SET
Transform Set       esp-3des esp-sha-hmac   esp-3des esp-sha-hmac
Peer IP Address     Branch 198.133.219.2    CORP 209.165.200.226
Encrypted Network   209.165.200.240/28      198.133.219.32/27
Crypto Map Name     VPN-MAP                 VPN-MAP
SA Establishment    ipsec-isakmp            ipsec-isakmp
a. Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).
b. Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy number is 10. Refer to the ISAKMP Phase 1 Policy Parameters table for the specific details needed.
c. Configure the ISAKMP Phase 2 properties on the CORP router. Refer to the ISAKMP Phase 2 Policy Parameters table for the specific details needed.
d. Bind the VPN-MAP crypto map to the outgoing interface.
e. Configure the IPsec parameters on the Branch router using the same parameters as on the CORP router. Note that the interesting traffic is defined as the IP traffic from the two LANs.
f. Verify the VPN configuration. From the Admin PC, establish an FTP session to www.theccnas.com using the username cisco and password cisco. Also from the Admin PC, visit the website www.theccnas.com. On the Branch or CORP router, check that the packets are encrypted.
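The following IOS configuration is an added worked example of Step 8 for both routers, not the assessment's answer key. Every parameter value is taken from the Phase 1 and Phase 2 tables and the addressing table above. It assumes the VPN terminates on each router's Serial0/0/0 (the interfaces that hold the peer addresses 209.165.200.226 and 198.133.219.2) and that the Branch router reuses ACL number 120 for its interesting traffic, which the page does not specify.

```cisco
! Added example (not the assessment's answer key). Values come from the Phase 1,
! Phase 2 and addressing tables; the outgoing interface (Serial0/0/0 on both
! routers) and the Branch ACL number (120) are assumptions.
!
! ===== CORP router =====
! Task a: interesting traffic = all IP traffic between the two LANs
access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
!
! Task b: ISAKMP Phase 1 policy 10 (AES-256, SHA-1, pre-shared key, DH group 2, 86400 s)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! the pre-shared key is bound to the Branch peer address
crypto isakmp key Vpnpass101 address 198.133.219.2
!
! Task c: Phase 2 transform set and crypto map VPN-MAP
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.133.219.2
 set transform-set VPN-SET
 match address 120
!
! Task d: bind the crypto map to the outgoing interface
interface Serial0/0/0
 crypto map VPN-MAP
!
! ===== Branch router (task e): mirror image, peer and ACL direction swapped =====
access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key Vpnpass101 address 209.165.200.226
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 209.165.200.226
 set transform-set VPN-SET
 match address 120
interface Serial0/0/0
 crypto map VPN-MAP
!
! Task f verification (on either router, after generating traffic from Admin PC):
! show crypto isakmp sa    -> a Phase 1 SA in state QM_IDLE means IKE negotiated
! show crypto ipsec sa     -> #pkts encaps/encrypt and decaps/decrypt should increase
! show crypto map          -> confirms peer, transform set and the ACL 120 binding
```

Two points worth checking when the tunnel does not come up: the two ACL 120 definitions must be exact mirrors (source and destination swapped) or Phase 2 proxy-identity negotiation fails, and the INCORP ACL from Step 6 must already permit traffic from 198.133.219.2 to 209.165.200.226 (its ACE 4), since ISAKMP (UDP 500) and ESP arrive on the same interface that filters inbound Internet traffic. The assessment prescribes esp-3des and SHA-1 because that is what Packet Tracer scores; on production equipment AES and a SHA-2 HMAC would be the defensible choice.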