Configure Basic Router Security
Configure the following on R1:
Minimum password length is 10 characters.
R1(config)# security passwords min-length 10
Encrypt plaintext passwords.
R1(config)# service password-encryption
Privileged EXEC mode secret password is ciscoenapa55.
R1(config)# enable secret ciscoenapa55
Console line password is ciscoconpa55, timeout is 15 minutes, and console messages
should not interrupt command entry.
R1(config)# line console 0
R1(config-line)# password ciscoconpa55
R1(config-line)# login
R1(config-line)# exec-timeout 15 0
R1(config-line)# logging synchronous
A message-of-the-day (MOTD) banner should include the word unauthorized.
R1(config)# banner motd #Unauthorized access to this device is prohibited!#
Configure the following on R2:
Privileged EXEC mode secret password is ciscoenapa55.
R2(config)# enable secret ciscoenapa55
Password for the VTY lines is ciscovtypa55, timeout is 15 minutes, and login is required.
R2(config)# line vty 0 4
R2(config-line)# password ciscovtypa55
R2(config-line)# login
R2(config-line)# exec-timeout 15 0
Configure Basic Switch Security
Configure the following on S1:
Encrypt plaintext passwords.
S1(config)# service password-encryption
Privileged EXEC mode secret password is ciscoenapa55.
S1(config)# enable secret ciscoenapa55
Console line password is ciscoconpa55, timeout is 5 minutes, and console messages should not
interrupt command entry.
S1(config)# line console 0
S1(config-line)# password ciscoconpa55
S1(config-line)# exec-timeout 5 0
S1(config-line)# logging synchronous
S1(config-line)# login
Password for the VTY lines is ciscovtypa55, timeout is 5 minutes, and login is required.
S1(config)# line vty 0 15
S1(config-line)# password ciscovtypa55
S1(config-line)# exec-timeout 5 0
S1(config-line)# login
An MOTD banner should include the word unauthorized.
S1(config)# banner motd #Unauthorized access is prohibited#
Configure trunking between S1 and S2 with the following settings:
Set the mode to trunk and assign VLAN 99 as the native VLAN.
S1(config)# interface f0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
Disable the generation of DTP frames.
S1(config-if)# switchport nonegotiate
Configure the S1 with the following port settings:
F0/6 should only allow access mode, set to PortFast, and enable BPDU guard.
S1(config)# interface f0/6
S1(config-if)# switchport mode access
S1(config-if)# spanning-tree portfast
S1(config-if)# spanning-tree bpduguard enable
F0/6 uses basic default port security with dynamically learned MAC addresses added to the running
configuration.
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security mac-address sticky
All other ports should be disabled.
S1(config)# interface range f0/2 - 5, f0/7 - 24
S1(config-if-range)# shutdown
Configure AAA Local Authentication
Configure the following on R1:
Create a local user account of Admin01, a secret password of Admin01pa55, and a privilege
level of 15.
R1(config)# username Admin01 privilege 15 secret Admin01pa55
Enable AAA services.
R1(config)# aaa new-model
Implement AAA services using the local database as the first option and then the enable
password as the backup option.
R1(config)# aaa authentication login default local enable
Configure SSH
Configure the following on R1:
The domain name is [Link]
R1(config)# ip domain-name [Link]
The RSA key should be generated with 1024 modulus bits.
R1(config)# crypto key generate rsa general-keys modulus 1024
Only SSH version 2 is allowed.
R1(config)# ip ssh version 2
Only SSH is allowed on VTY lines.
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
Verify that PC-C can remotely access R1 ([Link]) using SSH.
ssh -l Admin01 [Link]
Secure Against Login Attacks
Configure the following on R1:
If a user fails to log in twice within a 30-second time span, disable logins for one minute.
R1(config)# login block-for 60 attempts 2 within 30
Log all failed login attempts.
R1(config)# login on-failure log
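Added example (not part of the lab answer key): a Python audit that parses a saved IOS running-config and checks the requirements from the basic router security, SSH and login-attack sections above, the way you would verify a device before grading it or before putting it in production. The sample config, the example.com domain name and the placeholder secrets are constructed for the example; the lab's [Link] values are not known here.

```python
import re

# Constructed running-config excerpt in the shape the lab's R1 ends up with;
# secrets are placeholders and the lab's [Link] domain is replaced by example.com.
SAMPLE_CONFIG = """\
hostname R1
security passwords min-length 10
service password-encryption
enable secret 5 $1$PLACEHOLDER
username Admin01 privilege 15 secret 5 $1$PLACEHOLDER
aaa new-model
aaa authentication login default local enable
ip domain-name example.com
ip ssh version 2
login block-for 60 attempts 2 within 30
login on-failure log
banner motd #Unauthorized access to this device is prohibited!#
line con 0
 password 7 PLACEHOLDER
 exec-timeout 15 0
 logging synchronous
line vty 0 4
 exec-timeout 15 0
 transport input ssh
"""


def parse_sections(config):
    """Split an IOS config into top-level commands and the indented child
    commands of each 'line ...' / 'interface ...' block."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        global_lines.append(line)
        if line.startswith(("line ", "interface ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
    return global_lines, sections


def audit_hardening(config, min_length=10):
    """Return the list of lab requirements the config fails; [] means all pass."""
    global_lines, sections = parse_sections(config)
    joined = "\n".join(global_lines)
    findings = []

    def has(pattern):
        return re.search(pattern, joined, re.MULTILINE) is not None

    if not has(r"^service password-encryption$"):
        findings.append("plaintext passwords not encrypted (service password-encryption)")
    m = re.search(r"^security passwords min-length (\d+)$", joined, re.MULTILINE)
    if m is None or int(m.group(1)) < min_length:
        findings.append(f"minimum password length below {min_length}")
    if not has(r"^enable secret "):
        findings.append("no enable secret for privileged EXEC")
    if has(r"^enable password "):
        findings.append("weak 'enable password' present; use enable secret only")
    if not has(r"^ip ssh version 2$"):
        findings.append("SSH not restricted to version 2")
    if not has(r"^login block-for \d+ attempts \d+ within \d+$"):
        findings.append("no login block-for quiet period against password guessing")
    if not has(r"^login on-failure log$"):
        findings.append("failed logins not logged")
    banner = re.search(r"^banner motd (.+)$", joined, re.MULTILINE)
    if banner is None or "unauthorized" not in banner.group(1).lower():
        findings.append("MOTD banner missing or lacks the word 'unauthorized'")

    for header, body in sections.items():
        if not header.startswith("line "):
            continue
        # 'exec-timeout 0 0' disables the idle timeout entirely
        if not any(c.startswith("exec-timeout ") and c != "exec-timeout 0 0" for c in body):
            findings.append(f"{header}: no idle timeout (exec-timeout)")
        if header.startswith("line con") and "logging synchronous" not in body:
            findings.append(f"{header}: console messages will interrupt command entry")
        if header.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{header}: remote access not limited to SSH")
    return findings


if __name__ == "__main__":
    for finding in audit_hardening(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```

Run it against the output of show running-config saved to a file; each finding names the line mode it applies to, so a failed VTY check points at the exact line block to fix.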
Configure Site-to-Site IPsec VPNs
Enable the Security Technology package license on R1.
Save the running configuration before reloading.
R1(config)# license boot module c1900 technology-package securityk9
R1# wr mem
R1# reload
Configure the following on R1:
Create an access list to identify interesting traffic on R1.
Configure ACL 101 to allow traffic from the R1 Lo1 network to the R3 G0/1 LAN.
R1(config)# access-list 101 permit ip [Link] [Link] [Link] [Link]
(Take the address from interface Lo1, set the last octet to 0, and invert the subnet mask to get the wildcard mask.)
Configure the crypto isakmp policy 10 Phase 1 properties on R1 and the shared crypto key
ciscovpnpa55. Use the following parameters:
Key distribution method: ISAKMP
Encryption: aes 256
Hash: sha
Authentication method: pre-shared
Key exchange: DH Group 5
IKE SA lifetime: 3600
ISAKMP key: ciscovpnpa55
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 3600
R1(config)# crypto isakmp key ciscovpnpa55 address <R3’s Public IP>
(R3's public IP: follow the path from router to router and read the full address of the specified interface, without changing anything.)
Create the transform set VPN-SET to use esp-aes 256 and esp-sha-hmac.
R1(config)# crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
Then create the crypto map CMAP that binds all of the Phase 2 parameters together. Use
sequence number 10 and identify it as an ipsec-isakmp map. Use the following parameters:
Transform set: VPN-SET
Transform encryption: esp-aes 256
Transform authentication: esp-sha-hmac
Perfect Forward Secrecy (PFS): group5
Crypto map name: CMAP
SA establishment: ipsec-isakmp
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer <R3’s Public IP>
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# set pfs group5
R1(config-crypto-map)# match address 101
Bind the crypto map (CMAP) to the outgoing interface.
R1(config)# interface g0/0 (Outgoing Interface)
R1(config-if)# crypto map CMAP
Verify that the Security Technology package license is enabled.
R1# show version
Repeat the site-to-site VPN configurations on R3 so that they mirror all configurations from
R1.
Ping the Lo1 interface ([Link]) on R1 from PC-C. On R3, use the show crypto ipsec sa
command to verify that the number of packets is more than 0, which indicates that the IPsec
VPN tunnel is working.
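Added example (not from the lab): a Python check that R3's VPN configuration really mirrors R1's, the failure mode behind most "packets still 0 in show crypto ipsec sa" results. It compares the Phase 1 policy (filling in the defaults that show run omits, such as hash sha), the transform set, the PFS group, the peer and pre-shared key addresses, and whether the two crypto ACLs are mirror images; it also shows the subnet-mask inversion that produces the wildcard mask for the crypto ACL. The R1/R3 config excerpts, the public addresses 203.0.113.1 and 198.51.100.1 and the LAN prefixes 172.16.1.0/24 (R1 Lo1) and 192.168.3.0/24 (R3 G0/1) are made up, since the lab shows [Link] placeholders.

```python
import ipaddress
import re

# Constructed 'show run' excerpts for R1 and R3; addresses are documentation ranges.
R1_PUBLIC, R3_PUBLIC = "203.0.113.1", "198.51.100.1"

R1_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key ciscovpnpa55 address 198.51.100.1
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VPN-SET
 set pfs group5
 match address 101
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""

R3_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key ciscovpnpa55 address 203.0.113.1
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set VPN-SET
 set pfs group5
 match address 101
access-list 101 permit ip 192.168.3.0 0.0.0.255 172.16.1.0 0.0.0.255
"""

# IOS leaves defaults out of 'show run', so a missing 'hash' line means sha.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.MULTILINE)


def wildcard_for_prefix(cidr):
    """Network address and IOS wildcard mask (the inverted subnet mask) for a CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def block_body(config, header):
    """Indented child commands that follow an exact mode header line."""
    m = re.search(rf"^{re.escape(header)}\n((?:[ \t].*\n?)*)", config, re.MULTILINE)
    return [l.strip() for l in m.group(1).splitlines()] if m else []


def isakmp_policy(config, number):
    params = dict(ISAKMP_DEFAULTS)
    for line in block_body(config, f"crypto isakmp policy {number}"):
        key, _, value = line.partition(" ")
        key = "encryption" if key.startswith("encr") else key  # shown as 'encr'
        if key in params:
            params[key] = value
    return params


def crypto_map(config, name, seq):
    params = {}
    for line in block_body(config, f"crypto map {name} {seq} ipsec-isakmp"):
        key, _, value = line.partition(" ")
        if key == "set":                        # 'set peer X' -> peer: X
            key, _, value = value.partition(" ")
        params[key] = value
    return params


def crypto_acl(config, number):
    for m in ACL_RE.finditer(config):
        if int(m.group(1)) == number:
            return m.groups()[1:]               # (src, src_wc, dst, dst_wc)
    return None


def check_peer_mirror(local, remote, local_public, remote_public,
                      acl=101, policy=10, ts="VPN-SET", cmap="CMAP", seq=10):
    """List every way the remote peer fails to mirror the local VPN config."""
    findings = []
    pl, pr = isakmp_policy(local, policy), isakmp_policy(remote, policy)
    for k in ISAKMP_DEFAULTS:
        if pl[k] != pr[k]:
            findings.append(f"ISAKMP {k} mismatch: {pl[k]} vs {pr[k]}")
    tsets = [re.search(rf"^crypto ipsec transform-set {ts} (.+)$", c, re.MULTILINE)
             for c in (local, remote)]
    if None in tsets or tsets[0].group(1) != tsets[1].group(1):
        findings.append(f"transform set {ts} missing or different")
    cl, cr = crypto_map(local, cmap, seq), crypto_map(remote, cmap, seq)
    if cl.get("pfs") != cr.get("pfs"):
        findings.append("PFS group mismatch")
    keys = [re.search(r"^crypto isakmp key \S+ address (\S+)", c, re.MULTILINE)
            for c in (local, remote)]
    peer_ok = cl.get("peer") == remote_public and cr.get("peer") == local_public
    key_ok = all(m and m.group(1) == want
                 for m, want in zip(keys, (remote_public, local_public)))
    if not (peer_ok and key_ok):
        findings.append("set peer / isakmp key address do not point at the other router")
    al, ar = crypto_acl(local, acl), crypto_acl(remote, acl)
    if al is None or ar is None:
        findings.append(f"crypto ACL {acl} missing on one side")
    elif al != ar[2:] + ar[:2]:
        findings.append(f"crypto ACL {acl} is not the mirror image of the peer's")
    return findings
```

The defaults table is the part worth remembering: two policies that look different in show run (one prints hash sha, the other does not) are identical, while a policy that differs only in the DH group will negotiate nothing and leave the SA counters at 0.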
Configure Firewall and IPS Settings
Configure a ZPF on R3 using the following requirements:
Create zones named IN-ZONE and OUT-ZONE.
R3(config)# zone security IN-ZONE
R3(config)# zone security OUT-ZONE
Create an ACL number 110 that defines internal traffic, which permits all IP protocols from
the [Link]/24 source network to any destination.
R3(config)# access-list 110 permit ip [Link] [Link] any
Create a class map named INTERNAL-CLASS-MAP that uses the match-all option and ACL
110.
R3(config)# class-map type inspect match-all INTERNAL-CLASS-MAP
R3(config-cmap)# match access-group 110
R3(config-cmap)# exit
Create a policy map named IN-2-OUT-PMAP that uses the class map INTERNAL-CLASS-
MAP to inspect all matched traffic.
R3(config)# policy-map type inspect IN-2-OUT-PMAP
R3(config-pmap)# class type inspect INTERNAL-CLASS-MAP
R3(config-pmap-c)# inspect
Create a zone pair named IN-2-OUT-ZPAIR that identifies IN-ZONE as the source zone and
OUT-ZONE as the destination zone.
Specify that the IN-2-OUT-PMAP policy map is to be used to inspect traffic between the two
zones.
R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
Assign G0/1 as an IN-ZONE member and S0/0/1 as an OUT-ZONE member.
R3(config)# interface g0/1
R3(config-if)# zone-member security IN-ZONE
R3(config)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE
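Added example (not from the lab): a small Python model of how the zone pair configured above behaves, to make the security-relevant point explicit. Traffic from IN-ZONE to OUT-ZONE that matches ACL 110 is inspected and its replies are let back in from the session state; anything between two zones with no zone pair in that direction (unsolicited OUT-ZONE to IN-ZONE) is dropped; traffic that reaches the zone pair but misses the class map falls into class-default and is dropped. The 192.168.3.0/24 LAN and the sample addresses are constructed, and the class is a simplified model, not IOS code.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self):
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class ZoneFirewall:
    """Toy model of IOS zone-based policy: interface zone membership, zone pairs
    whose inspect class is an ACL of permitted source networks, and the session
    table that 'inspect' builds so return traffic is allowed back."""
    zone_of_interface: dict
    zone_pairs: dict            # (src_zone, dst_zone) -> permitted source networks
    sessions: set = field(default_factory=set)

    def forward(self, flow, in_if, out_if):
        src_zone = self.zone_of_interface.get(in_if)
        dst_zone = self.zone_of_interface.get(out_if)
        if src_zone == dst_zone:
            return "pass"                       # same zone (or both unzoned): allowed
        if flow in self.sessions:
            return "pass"                       # return traffic of an inspected session
        permitted = self.zone_pairs.get((src_zone, dst_zone))
        if permitted is None:
            return "drop"                       # no zone pair: inter-zone default deny
        if any(ipaddress.ip_address(flow.src) in net for net in permitted):
            self.sessions.add(flow.reverse())   # inspect: remember the reply flow
            return "inspect"
        return "drop"                           # class-default of the policy map


def lab_zpf():
    """R3's policy from the lab, with the [Link]/24 LAN made up as 192.168.3.0/24."""
    return ZoneFirewall(
        zone_of_interface={"g0/1": "IN-ZONE", "s0/0/1": "OUT-ZONE"},
        zone_pairs={("IN-ZONE", "OUT-ZONE"): [ipaddress.ip_network("192.168.3.0/24")]},
    )


if __name__ == "__main__":
    fw = lab_zpf()
    web = Flow("192.168.3.3", "203.0.113.10", "tcp", 40000, 80)
    print("LAN -> outside:", fw.forward(web, "g0/1", "s0/0/1"))
    print("reply -> LAN:", fw.forward(web.reverse(), "s0/0/1", "g0/1"))
    print("unsolicited -> LAN:",
          fw.forward(Flow("203.0.113.10", "192.168.3.3", "tcp", 40000, 22), "s0/0/1", "g0/1"))
```

The model deliberately has no (OUT-ZONE, IN-ZONE) entry, which is exactly why the lab needs no explicit deny rule: a zone pair only exists for the direction you configure.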
Configure an IPS on R3 using the following requirements:
Create a directory in flash named ipsdir and set it as the location for IPS signature storage.
R3# mkdir ipsdir
R3# conf t
R3(config)# ip ips config location flash:ipsdir
Create an IPS rule named IPS-RULE.
R3(config)# ip ips name IPS-RULE
Retire the all signature category with the retired true command (all signatures within the
signature release).
R3(config)# ip ips signature-category
R3(config-ips-category)# category all
R3(config-ips-category-action)# retired true
R3(config-ips-category-action)# exit
Unretire the IOS_IPS Basic category with the retired false command.
R3(config-ips-category)# category ios_ips basic
R3(config-ips-category-action)# retired false
R3(config-ips-category-action)# exit
Apply the rule inbound on the S0/0/1 interface.
R3(config)# interface s0/0/1
R3(config-if)# ip ips IPS-RULE in
Configure ASA Basic Security and Firewall Settings
Configure VLAN interfaces with the following settings:
For the VLAN 1 interface, configure the addressing to use [Link]/24.
(Check which addresses are inside and which are outside to tell the inside and outside interfaces apart, and which is VLAN 1 and which is VLAN 2.)
ciscoasa#conf t
ciscoasa(config)#interface vlan 1
ciscoasa(config-if)#nameif inside
ciscoasa(config-if)#security-level 100 (100 because this is the inside interface)
ciscoasa(config-if)#ip address [Link] [Link]
For the VLAN 2 interface, remove the default DHCP setting and configure the addressing to
use [Link]/29.
ciscoasa(config-if)#interface vlan 2
ciscoasa(config-if)#nameif outside
ciscoasa(config-if)#security-level 0 (0 because this is the outside interface)
ciscoasa(config-if)#no ip address dhcp
ciscoasa(config-if)#ip address [Link] [Link]
Configure hostname, domain name, enable password, and console password using the
following settings:
The ASA hostname is CCNAS-ASA.
The domain name is [Link].
The enable mode password is ciscoenapa55.
ciscoasa(config)#hostname CCNAS-ASA
CCNAS-ASA(config)#domain-name [Link]
CCNAS-ASA(config)#enable password ciscoenapa55
Create a user and configure AAA to use the local database for remote authentication.
Configure a local user account named admin with the password adminpa55. Do not use the
encrypted attribute.
CCNAS-ASA(config)#username admin password adminpa55
Configure AAA to use the local ASA database for SSH user authentication.
CCNAS-ASA(config)#aaa authentication ssh console LOCAL
Allow SSH access from the outside host [Link] with a timeout of 10 minutes.
CCNAS-ASA(config)#ssh [Link] [Link] outside
CCNAS-ASA(config)#ssh timeout 10
Configure the ASA as a DHCP server using the following settings:
Assign IP addresses to inside DHCP clients from [Link] to [Link].
CCNAS-ASA(config)#dhcpd address [Link]-[Link] inside
Enable DHCP to listen for DHCP client requests.
CCNAS-ASA(config)#dhcpd enable inside
Configure static routing and NAT:
Create a static default route to the next hop router (R1) IP address.
CCNAS-ASA(config)#route outside [Link] [Link] [Link]
Create a network object named inside-net and assign attributes to it using the subnet and
nat commands.
CCNAS-ASA(config)#object network inside-net
CCNAS-ASA(config-network-object)#subnet [Link] [Link]
Create a dynamic NAT translation to the outside interface.
CCNAS-ASA(config-network-object)#nat (inside,outside) dynamic interface
Modify the Cisco Modular Policy Framework (MPF) on the ASA using the following settings:
Configure class-map inspection_default to match default-inspection-traffic, and then exit to
global configuration mode.
CCNAS-ASA(config)#class-map inspection_default
CCNAS-ASA(config-cmap)#match default-inspection-traffic
Configure the policy-map list global_policy. Enter the class inspection_default and enter the
command to inspect icmp. Then exit to global config mode.
CCNAS-ASA(config)#policy-map global_policy
CCNAS-ASA(config-pmap)#class inspection_default
CCNAS-ASA(config-pmap-c)#inspect icmp
Configure the MPF service-policy to make the global_policy apply globally.
CCNAS-ASA(config)#service-policy global_policy global