CCNA SECURITY
LAB GUIDE
LAB SECURITY_2: NTP SERVER CONFIGURATION AND VERIFICATION
Network devices need to be accurately synchronized with a reliable time source such as an NTP server. This is very important because we want to be sure that logging information and timestamps carry the accurate time and date. The router can be updated and synchronized with a public NTP server. This will ensure the router's time is constantly synchronized; however, it will not act as an NTP server for internal hosts. The internal hosts can be synchronized with the router.
Note that the loopback adapter here is accessible to the Internet through the Ethernet LAN card of the local host, so that the NTP server can be updated from a server located on the Internet. Follow these steps before going to GNS3:
Find your host Ethernet Adapter > Right click on it > Properties
Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved
Go to the sharing tab
Check the options as follows and select your Loopback Adapter. Here I have renamed it to Virtual Adapter. At the end I will show you how to add a Loopback Adapter to your PC.
The final window is as follows. Now click OK.
Finally, note the IP address of your Loopback Adapter. It will be the default gateway for your routers, as shown in the figure below on GNS3!
Now I will describe how to add a Loopback Adapter on a Windows 7 host.
1. Go to Computer > Right click on Computer > Properties
Device Manager > right Click on your PC (Here Ashish-PC) > Add legacy Hardware
Click Next
Click Next (nothing to change here)
Click Next
Select Network Adapters > Next
Wait for a bit. A window will appear; from here select Microsoft from the left panel and select Microsoft Loopback Adapter from the right panel, as shown in the figure.
Click Next
Click Next > then Finish
After reboot you can now use your Loopback Adapter.
Configuration of Router R1 (For Internet Access through Loopback Adapter)
R1#conf t
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.137.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.137.1
R1(config)#ip domain-lookup
R1(config)#ip name-server 8.8.8.8
R1(config)#exit
A brief discussion: The ip domain-lookup command enables DNS host name-to-IP address translation, which allows the Cisco router to resolve domain names. The ip name-server command defines the DNS server to query for unknown hosts; here 8.8.8.8 takes care of Internet name resolution. At this stage any DNS request will be forwarded to 8.8.8.8, and the Cisco router will act as the "middle man" between the client and the DNS server.
There is a nice way to use a Cisco as a DNS server. This is the way to save some money without the need for additional devices.
Verification
Ping Google to ensure that R1 is connected to the Internet.
Configuration on R2
R2#conf t
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip address 172.16.10.2 255.255.255.0
R2(config-if)#no shutdown
OSPF Configuration (as a dynamic Routing)
R2(config)#router ospf 1
R2(config-router)#network 172.16.10.0 0.0.0.255 area 0
R2(config-router)#exit
R2(config)#ip domain-lookup
R2(config)#ip name-server 8.8.8.8
OSPF Configuration on R1
R1(config)#router ospf 1
R1(config-router)#network 172.16.10.0 0.0.0.255 area 0
R1(config-router)#default-information originate
R1(config-router)#end
Here, the OSPF router does not, by default, generate a default route into the OSPF domain. In order for OSPF to generate a default route, you must use the default-information originate command.
Configure NAT on the R1 router so that the R2 router can connect to the Internet
R1(config)#interface fastEthernet 0/1
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#access-list 1 permit 172.16.10.0 0.0.0.255
R1(config)#ip nat inside source list 1 interface fastEthernet 0/0 overload
Verification
Ping Google to ensure that R2 is connected to the Internet.
NTP Configuration
First we will check the time on the R1 router:
R1#show clock detail
*00:18:45.843 UTC Fri Mar 1 2002
No time source
Now we will call an NTP server from a global Internet source:
R1#conf t
R1(config)#ntp source fastEthernet 0/1
R1(config)#ntp master 2
This makes R1 a stratum 2 device, because it's one NTP hop further away from the source.
R1(config)#ntp server pool.ntp.org
Translating "pool.ntp.org"...domain server (8.8.8.8) [OK]
Check the time again:
R1#show clock detail
11:46:54.831 UTC Thu Jan 4 2018
Time source is NTP
We can see that R1's time is synchronized with the Internet NTP server. Run show ntp associations on R1 to verify.
Configuration on R2
Here we point R2 at R1 as its NTP server, so that the local router (R2) synchronizes with R1:
R2(config)#ntp server 172.16.10.1
R2(config)#exit
Verify that the time on R2 is updated from R1:
R2#show clock detail
.11:47:08.935 UTC Thu Jan 4 2018
Time source is NTP
Fine!!! Updated!!!
AUTHENTICATION
Authentication is used to prevent tampering with the timestamps on the logs generated by devices. To implement an attack on NTP, a hacker would make their rogue host appear to be a valid NTP server.
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 cisco123
R1(config)# ntp trusted-key 1
R2(config)# ntp authenticate
R2(config)# ntp authentication-key 1 md5 cisco123
R2(config)# ntp trusted-key 1
R2(config)# ntp server 172.16.10.1 key 1
Parameters
key-id: Specifies an ID for an authentication key. The range is from 1 through 65535.
md5 md5-string: Specifies a string for the MD5 message-digest algorithm. The string can be a maximum of 15 ASCII characters.
ntp trusted-key: An additional subset of trusted keys which can be used for NTP authentication.
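The check R2 applies once ntp authenticate is on, as an added Python example that is not part of the original lab guide. It assumes the standard NTP symmetric-key MAC (a 32-bit key ID followed by MD5 over the key string and the 48-byte header); the packet is constructed and the function names are illustrative.

```python
import hashlib
import hmac
import struct

# R2's key store as configured in the lab:
#   ntp authentication-key 1 md5 cisco123 / ntp trusted-key 1
R2_KEYS = {1: b"cisco123"}
R2_TRUSTED = {1}


def build_header(stratum, tx_seconds):
    """Minimal 48-byte NTPv4 server reply; unused fields are zeroed."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4           # LI=0, version 4, mode 4 (server)
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)
    header += b"\x00" * 36                         # root delay ... receive timestamp
    header += struct.pack("!II", tx_seconds, 0)    # transmit timestamp (sec, fraction)
    return header


def sign(header, key_id, key):
    """Append the MAC: 32-bit key ID followed by MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(packet, keys, trusted):
    """Return 'accepted' or the reason an authenticating client drops the packet."""
    if len(packet) != 48 + 4 + 16:
        return "rejected: no MAC"
    header, digest = packet[:48], packet[52:]
    key_id = struct.unpack("!I", packet[48:52])[0]
    if key_id not in keys or key_id not in trusted:
        return "rejected: key ID not trusted"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):
        return "rejected: digest mismatch"
    return "accepted"


def demo():
    # Constructed sample: 11:46:54 UTC 4 Jan 2018 expressed in NTP seconds (since 1900).
    header = build_header(stratum=3, tx_seconds=3_724_055_214)
    genuine = sign(header, 1, b"cisco123")
    # Same MAC, but the transmit timestamp was moved back one day in transit.
    tampered = genuine[:40] + struct.pack("!I", 3_724_055_214 - 86_400) + genuine[44:]
    return {
        "R1 with shared key": verify(genuine, R2_KEYS, R2_TRUSTED),
        "no MAC": verify(header, R2_KEYS, R2_TRUSTED),
        "wrong key string": verify(sign(header, 1, b"cisco321"), R2_KEYS, R2_TRUSTED),
        "unknown key ID": verify(sign(header, 7, b"cisco123"), R2_KEYS, R2_TRUSTED),
        "timestamp altered": verify(tampered, R2_KEYS, R2_TRUSTED),
        "key defined, not trusted": verify(genuine, R2_KEYS, set()),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} {result}")
```

The last case shows why ntp trusted-key is needed in addition to ntp authentication-key: a key that is defined but not trusted does not authenticate a server.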
LAB 4: How to Configure ASA on GNS3
I have used:
Cisco ASA 8.4.2
GNS3 Version 1.3.3
asa842-initrd.gz and asa842-vmlinuz
JavaJDK 6
First Right click on GNS3
Run as an Administrator
Edit
Preferences
Click on QEMU > Check mark on Use the local server > OK
Now Click on QEMU VMs > New
Now select Type – ASA 8.4(2)
Name field give a name as follows > Next
Keep it default and click next
Browse the Image File (Keep the image file other than C Drive)
Select as following
Be sure to click ‘No’
Repeat this for the 2nd image file as follows
Click on “No”
Finally this will be as follows
Now click on Apply > Ok
Drag and drop the ASA in the right panel > click on Start button (green arrow)
Now click on Console
The following will appear after booting the ASA
Now we need to activate the ASA. So follow the commands and Enter Activation Key as following steps
After Reload the following will appear. Now ASA is ready for working!!
Add ASDM and connect your ASA
Follow the steps below to do this:
Add a Loop-back to your computer, Assign IP : 192.168.10.1/24
Drag and drop ‘Cloud’ to the GNS3 work-space and connect it with an Ethernet Switch.
Right click on ‘Cloud’ and add the Loop-back adapter
Open a console on ASA and run the following command:
ciscoasa# config terminal
ciscoasa(config)# interface GigabitEthernet1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.10.5 255.255.255.0
ciscoasa(config-if)# no shut
Now try to ping your computer's Loopback IP from the ASA, and also ping the ASA from your PC, to verify that it is successful
Download ASDM ( asdm-649.bin)
Install a TFTP server in your local PC and keep the above file in its root directory.
Now upload asdm-649.bin to the ASA flash using the commands below:
ciscoasa# copy tftp: flash:
Address or name of remote host? 192.168.10.1
Source filename? asdm-649.bin
Destination filename [asdm-649.bin]? (press Enter)
Accessing tftp://192.168.10.1/asdm649.bin…!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 18927088 bytes copied in 143.10 secs (132357 bytes/sec)
Enter the commands to load ASDM on the ASA and enable the http server:
ciscoasa(config)# asdm image flash:asdm-649.bin
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.10.5 255.255.255.0 inside
ciscoasa(config)# username admin password admin123 privilege 15
ciscoasa(config)# write memory
At our local PC, open a browser and type https://192.168.10.5
Click on ‘Run ASDM’ and enter with the username and password.
LAB 5: ASA Basic Security-level Configuration
Security levels are applied to an interface to describe a level of trust. The following are the security levels used on the Cisco ASA:
Security level 100: The highest possible level and most trusted; it is used by the inside interface by default.
Security level 0: The lowest possible level, most untrusted; it's used by the outside interface by default.
Security levels 1–99: Can be assigned to any other interface on the ASA.
The inside is typically 100, the outside is 0, and the dmz interface is 50. We can create as many security levels as we want! An interface with a high security level can access an interface with a low security level, but the other way around is not possible unless we configure an access-list.
ciscoasa# conf t
ciscoasa(config)# hostname Venus
Venus(config)# interface gigabitEthernet 1
Venus(config-if)# description INSIDE INTERFACE_ INTERNAL NETWORK
Venus(config-if)# nameif inside
Venus(config-if)# security-level 100
Venus(config-if)# ip address 192.168.10.1 255.255.255.0
Venus(config-if)# no shutdown
Venus(config-if)# exit
Venus(config)# interface gigabitEthernet 0
Venus(config-if)# description OUTSIDE Interface
Venus(config-if)# nameif outside
Venus(config-if)# security-level 0
Venus(config-if)# ip address 103.13.148.1 255.255.255.252
Venus(config-if)# no shutdown
Venus(config-if)# exit
Venus(config)# interface gigabitEthernet 2
Venus(config-if)# description DMZ Interface
Venus(config-if)# nameif dmz
Venus(config-if)# security-level 50
Venus(config-if)# ip address 172.16.10.1 255.255.255.0
Venus(config-if)# no shutdown
Venus(config-if)#
Router Configuration
R1#conf t
R1(config)#hostname ISP
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#description ISP>Firewall ASA Interface
ISP(config-if)#ip address 103.13.148.2 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#interface fastEthernet 0/1
ISP(config-if)#ip address 10.10.10.1 255.255.255.0
ISP(config-if)#description Global Internet
ISP(config-if)#no shutdown
ISP(config-if)#exit
ASA static routes
1. Default static route for Internet access, and
2. Normal static route
Its configuration is slightly different from that of a Cisco router. The format of the static route command is:
ASA(config)# route [interface name] [destination address] [netmask] [gateway]
A static route is created manually by a network administrator.
A Default Route (also known as the gateway of last resort) is a special type of static route. It specifies the path to use when the router doesn’t know how to reach the destination.
Configure Default Route on ASA going to Internet
Venus(config)# route outside 0.0.0.0 0.0.0.0 103.13.148.2
Configure Static Routes on ISP Router to inside Network and DMZ
ISP(config)#ip route 192.168.10.0 255.255.255.0 103.13.148.1
ISP(config)#ip route 172.16.10.0 255.255.255.0 103.13.148.1
Now we will assign IP addresses to all PCs and ping all hosts from the ASA as follows:
Venus(config)# ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/90/120 ms
Venus(config)# ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Venus(config)# ping 172.16.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
By default ping is disabled from inside to outside, so we will create an ACL to permit ICMP from inside to outside:
Venus(config)# access-list inside-in permit icmp any any
Venus(config)# access-list inside-in permit tcp any any
Venus(config)# access-list inside-in permit ip any any
Venus(config)# access-list outside-in permit icmp any any echo-reply
Apply these to the ASA interfaces:
Venus(config)# access-group inside-in in interface inside
Venus(config)# access-group outside-in in interface outside
C:\> ping 172.16.10.2 (Inside to Outside)
Reply from 10.10.10.10: bytes=32 time<1ms TTL=128
Reply from 10.10.10.10: bytes=32 time<1ms TTL=128
Reply from 10.10.10.10: bytes=32 time<1ms TTL=128
Reply from 10.10.10.10: bytes=32 time<1ms TTL=128
Now we apply ping from outside host to inside host...
Not successful, right? That is because we never allowed outside users to send ICMP to inside hosts.
N.B. Same Security Level
What if the interfaces have the same security level? The default behavior is to deny traffic between interfaces with the same security level. This can be changed with the same-security-traffic permit inter-interface command, which allows traffic between all interfaces of the same level.
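The ping results in this lab follow from the security-level rule plus first-match ACL evaluation, modelled here in an added Python example that is not part of the original guide or of ASA software. It assumes ICMP inspection is off, so each echo and echo-reply is judged when it arrives on an interface; the dmz2 interface used in the test is a constructed addition for the same-level case.

```python
# Security levels and ACL bindings as configured in the lab.
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

# access-group <name> in interface <if>. Every lab ACE is "any any",
# so an ACE is modelled as (action, protocol, icmp_type or None).
LAB_ACLS = {
    "inside": [("permit", "icmp", None), ("permit", "tcp", None), ("permit", "ip", None)],
    "outside": [("permit", "icmp", "echo-reply")],
}


def ace_matches(ace, proto, icmp_type):
    _action, ace_proto, ace_icmp = ace
    if ace_proto not in ("ip", proto):          # "ip" matches every protocol
        return False
    return ace_icmp is None or ace_icmp == icmp_type


def decide(ingress, egress, proto, icmp_type=None, acls=None,
           same_security_permit=False, levels=LEVELS):
    """Verdict for a packet arriving on `ingress` and routed out of `egress`."""
    acls = acls or {}
    src, dst = levels[ingress], levels[egress]
    if src == dst and not same_security_permit:
        return "deny: same security level"
    if ingress in acls:                         # an inbound ACL replaces the level rule
        for ace in acls[ingress]:               # first match wins
            if ace_matches(ace, proto, icmp_type):
                return f"{ace[0]}: ACL on {ingress}"
        return f"deny: implicit deny, ACL on {ingress}"
    if src > dst:
        return "permit: higher to lower security level"
    if src == dst:
        return "permit: same-security-traffic"
    return "deny: lower to higher security level"


def lab_report():
    """The lab's ping tests, before and after the access-group commands."""
    return {
        "echo inside->outside, no ACLs": decide("inside", "outside", "icmp", "echo"),
        "echo-reply outside->inside, no ACLs": decide("outside", "inside", "icmp", "echo-reply"),
        "echo-reply outside->inside, lab ACLs":
            decide("outside", "inside", "icmp", "echo-reply", acls=LAB_ACLS),
        "echo outside->inside, lab ACLs":
            decide("outside", "inside", "icmp", "echo", acls=LAB_ACLS),
        "tcp dmz->outside, lab ACLs": decide("dmz", "outside", "tcp", acls=LAB_ACLS),
    }


if __name__ == "__main__":
    for case, verdict in lab_report().items():
        print(f"{case:40} {verdict}")
```

The second line of the report is why the inside host's ping fails until outside-in permits echo-reply, and the fourth is why a ping started from the outside host still fails afterwards.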
LAB 6. ASA Management (with the Previous Figure and Configuration)
The ASA supports remote administration through SSH and Telnet. Telnet was designed to work within a private network and not across a public network where threats can appear. Because of this, all the data is transmitted in plain text, including passwords. This is a major security issue, and the developers of SSH used encryption to make it harder for other people to sniff the password and other relevant information. Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices. Communication between the client and server is encrypted in SSH.
SSH uses cryptographic technology for privacy (encryption), origin authentication (public/private key pairs), and data integrity (hash algorithms). The same thing is applied using HTTPS instead of HTTP for GUI access to the device. There are two versions: version 1 and 2. Version 2 is more secure and commonly used.
Step 1: Create a username and password to manage the ASA with SSH/Telnet/ASDM
Venus(config)# username ashish password cisco123 privilege 15
Step 2: Enable SSH by generating a key; it will encrypt the traffic between the user and the ASA
Ashish(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be:
Keypair generation process begin. Please wait...
Step 3: Use the username previously created to connect to the ASA with SSH
Ashish(config)# aaa authentication ssh console LOCAL
Local AAA means that we are performing AAA without the use of an external database. When performing local AAA, we can authenticate with a username and password that is part of the configuration of the security appliance.
Step 4: We will define the IP addresses which are allowed to connect to the ASA
Ashish(config)# ssh 10.10.10.10 255.255.255.255 outside
Ashish(config)# ssh 192.168.10.2 255.255.255.255 inside
Step 5: Enable ASDM for GUI and define the IP addresses that are allowed to connect to the ASA with ASDM
Ashish(config)# http server enable
Ashish(config)# aaa authentication http console LOCAL
Ashish(config)# http 192.168.10.0 255.255.255.0 inside
Verification:
1. Verifying the LOCAL database
2. Verify SSH access from the outside host, so we will open PuTTY from our desktop
Configure SSH Access on ISP Router
Step 1: Configure hostname and domain name
The name of the RSA keypair will be the hostname and domain name of the router.
ISP(config)#hostname ISPRouter
ISPRouter(config)#ip domain-name ashish.com
Step 2: Create the username password
ISPRouter(config)#username ashish privilege 15 secret cisco123
Step 2: Generate the RSA Keys
ISPRouter(config)#crypto key generate rsa
The name for the keys will be: ISPRouter.ashish.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Key sizes of 1024 or smaller should be avoided. Larger key sizes take longer to generate but provide more security.
Step 3: SSH version 1 is the default version. So change it to version 2
ISPRouter(config)#ip ssh version 2
Step 4: Set up the line VTY configuration
ISPRouter(config)#aaa new-model
ISPRouter(config)#aaa authentication login default local
ISPRouter(config)#line vty 0 5
ISPRouter(config-line)#transport input ssh
ISPRouter(config-line)#login authentication default
Here AAA uses the local username database for authentication
Step 5: Create enable password
ISPRouter(config)#enable secret cisco123
Step 6: Verify SSH access
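A check of the SSH settings entered in the steps above, as an added Python example that is not part of the original guide. It reads a console transcript (the lines embedded below are taken from this lab); the 2048-bit threshold and all function names are assumptions of this example.

```python
import re

# Prompt lines and device output from the lab's ISP router steps.
LAB_TRANSCRIPT = """\
ISPRouter(config)#crypto key generate rsa
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
ISPRouter(config)#ip ssh version 2
ISPRouter(config)#aaa new-model
ISPRouter(config)#aaa authentication login default local
ISPRouter(config)#line vty 0 5
ISPRouter(config-line)#transport input ssh
ISPRouter(config-line)#login authentication default
"""

MIN_RSA_BITS = 2048  # assumption: audit threshold chosen for this example

# hostname(config...)# command
PROMPT = re.compile(r"^\S+\((config[\w-]*)\)#\s*(.+)$")


def audit(transcript, min_bits=MIN_RSA_BITS):
    """Return a list of findings for the SSH-related settings in a transcript."""
    rsa_bits, ssh_v2, vty = None, False, {}
    current_line = None
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:                                    # device output, not a command
            out = re.search(r"Generating (\d+) bit RSA keys", raw)
            if out:
                rsa_bits = int(out.group(1))
            continue
        mode, cmd = m.group(1), " ".join(m.group(2).split())
        if mode == "config":
            current_line = None
            if cmd == "ip ssh version 2":
                ssh_v2 = True
            elif cmd.startswith("line vty"):
                current_line = cmd
                vty[cmd] = None                      # no transport seen yet
            else:
                mod = re.match(r"crypto key generate rsa .*modulus (\d+)", cmd)
                if mod:
                    rsa_bits = int(mod.group(1))
        elif mode == "config-line" and current_line and cmd.startswith("transport input"):
            vty[current_line] = cmd.split()[2:]

    findings = []
    if rsa_bits is None:
        findings.append("no RSA key generation found")
    elif rsa_bits < min_bits:
        findings.append(f"RSA modulus {rsa_bits} is below {min_bits}")
    if not ssh_v2:
        findings.append("SSH version 2 is not enforced")
    for line, transports in vty.items():
        if transports is None:
            findings.append(f"{line}: no 'transport input' restriction")
        elif set(transports) != {"ssh"}:
            findings.append(f"{line}: allows {' '.join(transports)}, not SSH only")
    return findings


if __name__ == "__main__":
    for finding in audit(LAB_TRANSCRIPT) or ["no findings"]:
        print(finding)
```

Run against the lab's own steps, the only finding is the 1024-bit modulus, the size the guide itself says to avoid.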
AND MANY MORE LABS: WITH EASY EXPLANATION
Contents
LAB 1: Securing Passwords
LAB 2: Secure Device Access with configuring privilege levels
LAB 3: CONFIGURING SSH ON CISCO Devices
LAB 4: Configuring SNMPV3
LAB 5: NTP SERVER CONFIGURATION AND VERIFICATION
LAB 6: Configure routers to use Cisco Access Control Server (ACS) and TACACs+ Authentication
LAB 7: Configure ACL and Block Web Sites
LAB 8: Role-based access control (RBAC)
LAB 9: Configure RIP Authentication
LAB 10: EIGRP Authentication
LAB 11: OSPF Authentication
LAB 12: How to Configure ASA on GNS3
LAB 13: ASA Basic Security-level Configuration
LAB 14. ASA Management
LAB 15 : ASA Access Control List
LAB 16 : ASA Object Groups
LAB 17: Static NAT Configuration on ASA
LAB 18: Static NAT with multiple outside IP addresses
LAB 19: Static NAT to Multiple Service on same Outside IP Address such as HTTP, HTTPS, TELNET, SSH ...
LAB 20: Dynamic NAT-Many-to-one NAT
LAB 21: Dynamic NAT (Many to Many)
LAB 22: PAT Configuration
LAB 23: Static NAT Port Forwarding on ASA
LAB 24: ASA Active/Standby Failover Configuration
LAB 25: ASA Security Contexts:(Virtualization)
LAB 26 : Port Security of Switch