
CCNA SECURITY LAB GUIDE

(PRACTICAL STUDIES GUIDE)

WRITTEN BY

ASHISH HALDER
CCNA RnS, CCNA Sec, CCNP RnS, CCNP Sec, CCIE Sec (written)

Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved
CCNA SECURITY LAB GUIDE

I have dedicated this book


to my Parents

And I have been encouraged to write this book by my beloved Eva

Special thanks to Tariq Ibne Aziz vai & Murshid Vai, who gave me help and support to
learn Cisco Security

All rights reserved. No part of this book may be reproduced or transmitted in any form or by
any means, electronic or mechanical, including photocopying, recording, or by any
information storage and retrieval system, without written permission from the publisher,
except for the inclusion of brief quotations in a review.

Published in Bangladesh


First Edition February 2017
Copyright © 2017 akhtechnologypark ltd.
Published by:
ATech Press
42, Kawran Bazar
Dhaka-1215
Cell:+88-01830618474


Contents

LAB 1: Securing Passwords
LAB 2: Secure Device Access with configuring privilege levels
LAB 3: Configuring SSH on Cisco Devices
LAB 4: Configuring SNMPv3
LAB 5: NTP Server Configuration and Verification
LAB 6: Configure routers to use Cisco Access Control Server (ACS) and TACACS+ Authentication
LAB 7: Configure ACL and Block Web Sites
LAB 8: Role-based access control (RBAC)
LAB 9: Configure RIP Authentication
LAB 10: EIGRP Authentication
LAB 11: OSPF Authentication
LAB 12: How to Configure ASA on GNS3
LAB 13: ASA Basic Security-level Configuration
LAB 14: ASA Management
LAB 15: ASA Access Control List
LAB 16: ASA Object Groups
LAB 17: Static NAT Configuration on ASA
LAB 18: Static NAT with multiple outside IP addresses
LAB 19: Static NAT to Multiple Services on the same Outside IP Address such as HTTP, HTTPS, TELNET, SSH
LAB 20: Dynamic NAT (Many-to-one NAT)
LAB 21: Dynamic NAT (Many to Many)
LAB 22: PAT Configuration


LAB 23: Static NAT Port Forwarding on ASA
LAB 24: ASA Active/Standby Failover Configuration
LAB 25: ASA Security Contexts (Virtualization)
LAB 26: Port Security of Switch
LAB 27: Configure BPDU Guard on Cisco Switch
LAB 28: Configure Root Guard on Cisco Switch
LAB 29: DHCP Snooping
LAB 30: Configuration of IPsec VPN between two ASAs
LAB 31: IPsec Site-to-Site VPN between two Cisco Routers
LAB 32: Clientless SSL VPN Remote Access (using a web browser)
LAB 33: SSL or IPsec (IKEv2) VPN Remote Access (using Cisco AnyConnect client)
LAB 34: Configure GRE Tunnel
LAB 35: IPS/IDS
LAB 36: Private VLAN

(255 pages in total)


Cisco NFP framework

The Network Foundation Protection (NFP) framework combines a number of security
techniques to protect routers and switches. It divides a device into three planes:

 The management plane
 The control plane
 The data plane

The management plane: used to configure, monitor and manage the network device and its
protocols. It is secured using passwords, RBAC, NTP, AAA, SSH, HTTPS, VLANs, ACLs and
SNMPv3.

The control plane: handles the protocols that decide how traffic is routed and switched
through the device, such as the packets of the dynamic routing protocols (BGP, OSPF, EIGRP)
and of neighbour and discovery protocols such as ARP. Attacks on the control plane typically
target the device's CPU and memory, so SNMP traps and syslog messages reporting high CPU
usage or low memory availability are a sign that control-plane functionality is under stress.

The data plane: end-user traffic. This is traffic that passes through the network device
rather than being addressed to it, for example the traffic generated when a user on your
network browses a website. It is secured using intrusion prevention systems (IPS), firewalls
and Layer 2 security features on switches.


Ability to route   -> secure the control plane
Ability to manage  -> secure the management plane
Ability to forward -> secure the data plane

Securing the Management Plane

(Passwords, privilege levels, RBAC, NTP, AAA, SSH, HTTPS, VLANs, ACLs and SNMPv3)

LAB 1: Securing Passwords

Follow these rules when setting passwords on Cisco devices:

 Change passwords often.
 Include alphanumeric characters, uppercase and lowercase characters, symbols and spaces.
 Leading spaces are ignored, but every space after the first character is part of the
password.
 Do not use dictionary words.
 Encrypt all passwords (prefer the secret forms over password; see below).
 Use a minimum of 10 characters.

security passwords min-length

By default the minimum length is 6 characters, but we can raise it. The limit applies only to
passwords configured after the command is entered, not to passwords already in the configuration.

R1(config)#security passwords min-length ?
<0-16> Minimum length of all user/enable passwords
R1(config)#security passwords min-length 10


Now we try to configure a password shorter than 10 characters; IOS refuses it:
R1(config)#username ashish privilege 15 secret ashish
% Password too short - must be at least 10 characters. Password configuration
failed
R1(config)#username ashish privilege 15 secret ashish12345
R1(config)#

Encrypt Password

R1(config)#line console 0
R1(config-line)#password cisco123456
R1(config-line)#login

R1#show running-config | include password


no service password-encryption
security passwords min-length 10
password cisco123456
R1#

Here the password is in clear text. We encrypt it with the following command:

R1(config)#service password-encryption
R1(config)#exit
R1#conf t
*Mar 1 00:30:21.623: %SYS-5-CONFIG_I: Configured from console by console
R1#show running-config | include password
service password-encryption
security passwords min-length 10
password 7 02050D4808095E731F1A5C4F
R1#

Type 7 is Cisco's proprietary reversible encoding: a Vigenère-style cipher that XORs each
character of the password with a fixed, publicly known key. It only hides the password from
someone glancing at the screen; the plaintext can be recovered instantly from the stored value
with freely available tools, so service password-encryption is no substitute for the secret
forms described below.

Type 0 is a clear-text password, visible to any user who can view the configuration (anyone
with privileged mode on the router).
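The following Python script is an added example, not part of the lab guide: it implements the Type 7 algorithm in both directions and recovers the password from the exact value shown in the running-config above. The key string is the well-known constant that every IOS device uses; the seed parameter of the encoder is an assumption for illustration, since IOS chooses the seed itself.

```python
"""Decode and encode Cisco IOS type 7 passwords.

Added example, not from the lab guide. Type 7 is a fixed-key cipher: each
plaintext byte is XORed with a byte of a constant key string, starting at
an offset given by the first two decimal digits of the stored value.
"""

# The constant key stream used by every IOS device (publicly known for decades).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decrypt_type7(encoded: str) -> str:
    """Recover the plaintext from a 'password 7 <hex>' value."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type 7 value must be an even number of hex digits, at least 4")
    seed = int(encoded[:2], 10)          # starting offset into XLAT (decimal, 0..15)
    body = bytes.fromhex(encoded[2:])    # one hex pair per plaintext byte
    out = bytearray()
    for i, byte in enumerate(body):
        out.append(byte ^ XLAT[(seed + i) % len(XLAT)])
    return out.decode("ascii")


def encrypt_type7(plaintext: str, seed: int = 2) -> str:
    """Produce the value IOS stores for 'password <plaintext>' under
    service password-encryption. IOS picks the seed itself; here it is a
    parameter (assumption for illustration) so the result is reproducible."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = f"{seed:02d}"
    for i, byte in enumerate(plaintext.encode("ascii")):
        out += f"{byte ^ XLAT[(seed + i) % len(XLAT)]:02X}"
    return out


# Value taken from the lab's running-config above (password cisco123456)
LAB_TYPE7 = "02050D4808095E731F1A5C4F"

if __name__ == "__main__":
    print(decrypt_type7(LAB_TYPE7))            # cisco123456
    print(encrypt_type7("cisco123456", 2))     # 02050D4808095E731F1A5C4F
```

Because the key is constant and the operation is a plain XOR, the "encryption" can be undone by anyone who can read the configuration, which is exactly the audience service password-encryption was supposed to protect against.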


Type 5 is a salted, iterated MD5 hash (md5crypt). It cannot be reversed and is far stronger
than Type 7, but MD5 is fast to brute-force on modern GPUs, so prefer Type 8 or Type 9 where
the IOS release supports them. The "enable secret" password is stored as Type 5. Here is the
example:

Router(config)#enable secret cisco12345678


Router(config)#exit

Router#show running-config | include enable


enable secret 5 $1$mERr$SaFBywzxj7k3obl3OyaaC.
Router#

The username <name> secret <password> global command also generates a Type 5 hash.

Router(config)#username ashish privilege 15 secret ashish@12345#

Router#show running-config | include username

username ashish privilege 15 secret 5 $1$mERr$kcu8m/BSLWLLgvOOJmgqx0

A limited number of Cisco IOS and Cisco IOS XE releases based on the Cisco IOS 15 code base
introduced a new algorithm called Type 4; a password hashed with it is referred to as a Type 4
password. It was intended to be a stronger alternative to the existing Type 5 and Type 7
algorithms against brute-force attacks.

The design called for Password-Based Key Derivation Function 2 (PBKDF2) with the following
input values:

 Hash algorithm = SHA-256
 Password = the user-provided plaintext password
 Salt = 80 bits (generated by calling a cryptographically secure random number
generator)
 Iteration count = 1,000 (one thousand)

The shipped implementation did not follow this design: a Type 4 secret is a single, unsalted
SHA-256 hash of the password, which is faster to brute-force than Type 5. Cisco deprecated
Type 4; on IOS 15.3(3) and later use Type 8 or Type 9 (described below) instead.

Router#configure terminal
Router(config)#enable secret ?
0 Specifies an UNENCRYPTED password will follow
4 Specifies an SHA256 ENCRYPTED secret will follow
5 Specifies a MD5 ENCRYPTED secret will follow
LINE The UNENCRYPTED (cleartext) 'enable' secret
level Set exec level password
Router(config)#


Type 8

The password is stored in the running and startup configuration as a PBKDF2-SHA-256 hash,
starting from IOS 15.3(3): Password-Based Key Derivation Function 2 (PBKDF2) with the 256-bit
Secure Hash Algorithm (SHA-256) as the hash function, a random salt and many iterations, which
makes each guess in a brute-force attack expensive.

Example 1 :
R1(config)#enable algorithm-type sha256 secret cisco
R1(config)#do sh run | i enable
enable secret 8 $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.

Example 2 :
R1(config)# username ashish algorithm-type sha256 secret cisco
R1# show running-config | inc username
username ashish secret 8 $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs

Type 9

The password is stored in the running and startup configuration using scrypt as the hashing
algorithm, starting from IOS 15.3(3). scrypt is deliberately memory-hard, so GPU and ASIC
brute-force attacks are far less effective than against MD5 or plain SHA-256; Type 9 is the
preferred choice where the release supports it.

Example 1 :
R1(config)#ena algorithm-type scrypt secret cisco
R1(config)#do sh run | i enable
enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE

Example 2 :

R1(config)# username demo9 algorithm-type scrypt secret cisco


R1# show running-config | inc username
username demo9 secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM

N.B.

If we configure Type 8 or Type 9 passwords and then downgrade to a release that does not
support them, we must configure Type 5 passwords before downgrading. Otherwise we are locked
out of the device and password recovery is required.


LAB 2: Secure Device Access with configuring privilege levels

One of the easiest and most common methods of authorizing administrative access is privilege
levels. By default, Cisco IOS uses two privilege levels:

 User EXEC mode - privilege level 1
 Privileged EXEC mode - privilege level 15 (comparable to root)

There are 16 privilege levels, 0 to 15. A lower level is limited in the commands it may run;
level 15 permits every command. (Level 0 also exists and allows only disable, enable, exit,
help and logout.)

We can create users, assign each a privilege level, and then assign commands to that level.
Different users can then run only the commands their level allows, which improves device
security.

N.B. Never assign privilege level 15 to normal users; it is for administrators (root users)
only.

Basic Configuration of Router


Router#conf t
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#enable secret cisco@123456#

Telnet Configuration for remote Access


Router(config)#username user1 privilege 5 secret user1
Router(config)#username admin privilege 15 secret admin@312312#


Router(config)#line vty 0 4
Router(config-line)#login local
Router(config-line)#exit

By default, Cisco routers come with five VTY lines, numbered 0 to 4.

Assign IP to Host

Verify Connectivity

Now we create a privilege level and assign some commands to it:
Router(config)#privilege exec level 5 configure terminal
Router(config)#privilege exec level 5 show version
Router(config)#privilege exec level 5 show privilege
Router(config)#privilege configure all level 5 interface

Here the “all” option in the last command also allows the sub-commands under interface, so a
level 5 user can change interface settings, including shutting an interface down; grant it
only if that is intended. We can verify the configuration by logging in to the router and
viewing the commands available at each level.


Verification

C:\>telnet 192.168.10.1
Trying 192.168.10.1 ...Open

User Access Verification


Username: user1
Password:

Router#show privilege
Current privilege level is 5

Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version
12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team

ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)

System returned to ROM by power-on

System image file is "flash:c1841-advipservicesk9-mz.124-15.T1.bin"


--------------------------------------------------------------------
Router#configure terminal
Router(config)#interface fastEthernet 0/0
Router(config-if)#exit

Now we try to run show running-config:

Router#show running-config

Not possible: the command has not been assigned to level 5.

Login as admin user and then type the following command..........

Router (config) #privilege exec level 5 show running-config

Again login as user1.......

Router#show running-config
Building configuration...
Current configuration: 1021 bytes
!
version 12.4


no service timestamps log datetime msec


no service password-encryption
!
hostname Router
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
--More--

Now it is possible. Note that the running configuration contains the enable secret and
username hashes, so granting show running-config to a lower level also exposes those hashes
to offline cracking; grant it only where it is really needed.

LAB 3: CONFIGURING SSH ON CISCO Devices

Telnet was designed to work within a private network and not across a public network where
threats can appear. Because of this, all the data is transmitted in plain text, including
passwords. This is a major security issue and the developers of SSH used encryptions to make
it harder for other people to sniff the password and other relevant information.

Secure Shell (SSH) is a protocol which provides a secure remote access connection to network
devices. Communication between the client and server is encrypted in SSH. To do this, it uses
a RSA public/private keypair.

There are two versions: version 1 and 2. Version 2 is more secure and commonly used.

Enable SSH on Cisco Switch


Step 1: Configure Management IP
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface vlan 1


Switch(config-if)#ip address 192.168.10.10 255.255.255.0


Switch(config-if)#no shutdown

Step 2 : Configure default gateway points to the router


Switch(config)#ip default-gateway 192.168.10.1

Step 3: Configure hostname and domain name

The name of the RSA keypair will be the hostname and domain name of the router.
Switch(config)#hostname ASHISH-SW
ASHISH-SW(config)#ip domain-name ashish.com

Step 4 :Generate the RSA Keys

ASHISH-SW(config)#crypto key generate rsa


The name for the keys will be: ASHISH-SW.ashish.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
ASHISH-SW(config)#

Key sizes of 1024 bits or smaller should be avoided; 2048 bits is the practical minimum.
Larger keys take longer to generate and to use, but provide more security.

Step 5: Once an RSA key exists, IOS enables SSH with both protocol versions (reported as
"SSH 1.99"). Restrict it to version 2:

ASHISH-SW(config)#ip ssh version 2

Step 6 : Setup the Line VTY configurations


ASHISH-SW(config)#line vty 0 4
ASHISH-SW(config-line)#transport input ssh
ASHISH-SW(config-line)#login local
Step 7: Create the username and password (use secret rather than password, so a Type 5 hash is stored instead of cleartext or Type 7)
ASHISH-SW(config)#username ashish privilege 15 secret cisco123

Step 8: Create enable password

ASHISH-SW(config)#enable secret cisco123

Step 9: create console password

ASHISH-SW(config)#line console 0


ASHISH-SW(config-line)#logging synchronous
ASHISH-SW(config-line)#login local

Step 10: Verify SSH


C:\>ssh -l ashish 192.168.10.10 Open
Password:
ASHISH-SW#conf t
ASHISH-SW(config)#

Enable SSH on Router

Router#conf t
Router(config)#hostname Venus
Venus(config)#interface fastEthernet 0/0
Venus(config-if)#ip address 192.168.10.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
Venus(config)#ip domain-name cisco.com
Venus(config)#username ashish privilege 15 secret cisco123
Venus(config)#crypto key generate rsa

The name for the keys will be: Venus.cisco.com


Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
Venus(config)#
*Mar 1 0:34:31.790: %SSH-5-ENABLED: SSH 1.99 has been enabled
Venus(config)#ip ssh version 2
Venus(config)#enable secret cisco
Venus(config)#line console 0
Venus(config-line)#logging synchronous


Venus(config-line)#login local
Venus(config-line)#exit
Venus(config)#line vty 0 4
Venus(config-line)#transport input ssh
Venus(config-line)#login local

Venus#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Venus#

C:\>ssh -l ashish 192.168.10.1 Open


Password:
Venus#conf t

RSA is an asymmetric (public-key) cryptographic algorithm used to encrypt, decrypt and sign
messages. Asymmetric means there are two different keys: the public key can be given to
everyone, while the private key stays on the device and must never leave it (which is why IOS
marks the generated keys non-exportable).
===========================================================================

ENABLE SSH ON CISCO ASA

Basic Configuration of ASA

ciscoasa(config)# hostname ASHISH-ASA


ASHISH-ASA(config)# interface gigabitEthernet 0
ASHISH-ASA(config-if)# nameif inside
ASHISH-ASA(config-if)# security-level 100
ASHISH-ASA(config-if)# ip address 172.16.10.1 255.255.255.0
ASHISH-ASA(config-if)# no shutdown

Step 1: Create a username and password to manage the ASA with SSH

ASHISH-ASA(config)# username ashish password ashish123 privilege 15


Step 2: Generate an RSA key pair. It becomes the ASA's SSH host key and must exist before SSH sessions can be established

ASHISH-ASA(config)# crypto key generate rsa modulus 2048

INFO: The name for the keys will be: <Default-RSA-Key>

Keypair generation process begin. Please wait...

Step 3:Use the username previously created to connect to the ASA with SSH

ASHISH-ASA(config)# aaa authentication ssh console LOCAL

Local AAA means that we are performing AAA without the use of an external database. When
performing local AAA, we can authenticate with a username and password that is part of the
configuration of the security appliance.

Step 4: We will Define the IP addresses which are allowed to connect to the ASA

ASHISH-ASA(config)# ssh 172.16.10.2 255.255.255.255 inside

step 5: Specify ssh version; There are two versions: version 1 and 2. Version 2 is more secure
and commonly used.

ASHISH-ASA(config)# ssh version 2

Verification: open PuTTY on the laptop (172.16.10.2), connect to 172.16.10.1 with SSH and log in as ashish.
