1. Please Use 1941 series routers, and as you put them in your design, go to Physical tab, power off the switch and add HWIC-2T module in the empty slot.
B. AAA configuration in ROUTER 1
Commands to setup AAA in router
Setup AAA authorization
Server 1 AAA tab.
Server side setup is complete .
Issue telnet command from the server CLI.
Telnet from pc to check its working , use the radius server username and password.
C. Configuration OF Access control Lists
Configuring Router 3
Please use the router 3 ip addresses, this is demo only. EIGRP needs to be configured for all 3 routers. Please follow up to step from ch8 lab.
Ping from PC- A to PC -3 should be successful.
Configuration of Access Control List in R1:
Ping from PC- C to the server- A it wouldn’t be successful.
Enabling ssh in router1
D. Configure syslog in server A
Syslog output in server
E. Implement Zone based Firewall
Create the topology again . do the router EIGRP and make sure everything pings.
Zone based: Day 2
Configure ssh in R2
Apply ssh for line vty 0 4
Now ssh from PC-C to R2 using the local username and password
From pc-c make sure you can access the http server0 : 192.168.1.3
Make sure to check the security package
Need to activate security
Reeboot router 3
Reload the router
Use show ver command to check
Create an internal zone.
Use the zone security command to create a zone named IN-ZONE.
R3(config)# zone security IN-ZONE
Create an external zone.
Use the zone security command to create a zone named OUT-ZONE.
R3(config-sec-zone)# zone security OUT-ZONE
Identify Traffic Using a Class-Map
Step 1: Create an ACL that defines internal traffic.
Use the access-list command to create extended ACL 101 to permit all IP protocols from the 192.168.3.0/24 source network to any destination.
R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any
Step 2: Create a class map referencing the internal traffic ACL.
Use the class-map type inspect command with the match-all option to create a class map named IN-NET-CLASS-MAP. Use the match access-group command to match ACL 101.
R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP
R3(config-cmap)# match access-group 101
Part 4: Specify Firewall Policies
Step 1: Create a policy map to determine what to do with matched traffic.
Use the policy-map type inspect command and create a policy map named IN-2-OUT-PMAP.
R3(config)# policy-map type inspect IN-2-OUT-PMAP
Step 2: Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.
R3(config-pmap)# class type inspect IN-NET-CLASS-MAP
Step 3: Specify the action of inspect for this policy map.
The use of the inspect command invokes context-based access control (other options include pass and drop).
%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected.
Issue the exit command twice to leave config-pmap-c mode and return to config mode.
Part 5: Apply Firewall Policies
Step 1: Create a pair of zones.
Using the zone-pair security command, create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created in Task 1.
R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
Step 2: Specify the policy map for handling the traffic between the two zones.
Attach a policy-map and its associated actions to the zone pair using the service-policy type inspectcommand and reference the policy map previously created, IN-2-OUT-PMAP.
R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
Step 3: Assign interfaces to the appropriate security zones.
Use the zone-member security command in interface configuration mode to assign G0/1 to IN-ZONEand S0/0/1 to OUT-ZONE.
R3(config)# interface g0/1
R3(config-if)# zone-member security IN-ZONE
R3(config)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE
Step 4: Copy the running configuration to the startup configuration.
Part 6: Test Firewall Functionality from IN-ZONE to OUT-ZONE
Verify that internal hosts can still access external resources after configuring the ZPF.
Step 1: From internal PC-C, ping the external PC-A server.
From the PC-C command prompt, ping server at 192.168.1.3. The ping should succeed.
Step 2: From internal PC-C, SSH to the R2 S0/0/1 interface.
a. From the PC-C command prompt, SSH to R2 at 10.2.2.2. Use the username Admin and the password Adminpa55 to access R2. The SSH session should succeed.
b. While the SSH session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions.
What is the source IP address and port number?
What is the destination IP address and port number?
Step 3: From PC-C, exit the SSH session on R2 and close the command prompt window.
Step 4: From internal PC-4, open a web browser to the server web page.
Enter the server IP address 192.168.1.3 in the browser URL field, and click Go. The HTTP session should succeed. While the HTTP session is active, issue the command show policy-map type inspect zone-pair sessions on R3 to view established sessions.
Note: If the HTTP session times out before you execute the command on R3, you will have to click the Go button on PC-4to generate a session between PC-4and Server
Step 5: Close the browser on PC-C.
Part 7: Test Firewall Functionality from OUT-ZONE to IN-ZONE
Verify that external hosts CANNOT access internal resources after configuring the ZPF.
Step 1: From the server command prompt, ping PC-4.
From the PC-A command prompt, ping PC-4 at 192.168.3.3. The ping should fail.
Step 2: From R2, ping PC-4.
From R2, ping PC-C at 192.168.3.3. The ping should fail.
F. Configure IPS
Follow the Chapter 5 lab.
Part 1: Enable IOS IPS
Note: Within Packet Tracer, the routers already have the signature files imported and in place. They are the default xml files in flash. For this reason, it is not necessary to configure the public crypto key and complete a manual import of the signature files.
Step 1: Enable the Security Technology package.
a. On R1, issue the show version command to view the Technology Package license information.
b. If the Security Technology package has not been enabled, use the following command to enable the package.
R1(config)# license boot module c1900 technology-package securityk9
c. Accept the end user license agreement.
d. Save the running-config and reload the router to enable the security license.
e. Verify that the Security Technology package has been enabled by using the show version command.
f. Reload the router using reload command
Step 2: Verify network connectivity.
a. Ping from PC-C to PC-1. The ping should be successful.
b. Ping from PC-1 to PC-C. The ping should be successful.
Step 3: Create an IOS IPS configuration directory in flash.
On R1, create a directory in flash using the mkdir command. Name the directory ipsdir.
Step 4: Configure the IPS signature storage location.
On R1, configure the IPS signature storage location to be the directory you just created.
Step 5: Create an IPS rule.
On R1, create an IPS rule name using the ip ips name name command in global configuration mode. Name the IPS rule iosips.
Step 6: Enable logging.
IOS IPS supports the use of syslog to send event notification. Syslog notification is enabled by default. If logging console is enabled, IPS syslog messages display.
a. Enable syslog if it is not enabled.
b. If necessary, use the clock set command from privileged EXEC mode to reset the clock.
c. Verify that the timestamp service for logging is enabled on the router using the show run command. Enable the timestamp service if it is not enabled.
d. Send log messages to the syslog server at IP address of the server
Step 7: Configure IOS IPS to use the signature categories.
Retire the all signature category with the retired true command (all signatures within the signature release). Unretire the IOS_IPS Basic category with the retired false command.
Step 8: Apply the IPS rule to an interface.
Apply the IPS rule to an interface with the ip ips name direction command in interface configuration mode. Apply the rule outbound on the G0/0 interface of R1. After you enable IPS, some log messages will be sent to the console line indicating that the IPS engines are being initialized.
Note: The direction in means that IPS inspects only traffic going into the interface. Similarly, out means that IPS inspects only traffic going out of the interface.
Part 2: Modify the Signature
Step 1: Change the event-action of a signature.
Un-retire the echo request signature (signature 2004, subsig ID 0), enable it, and change the signature action to alert and drop.
Step 2: Use show commands to verify IPS.
Use the show ip ips all command to view the IPS configuration status summary.
Step 3: Verify that IPS is working properly.
a. From PC-C attempt to ping server.
b. From server, attempt to ping PC-C.
Step 4: View the syslog messages.
a. Click the Syslog server.
b. Select the Services tab.
c. In the left navigation menu, select SYSLOG to view the log file.
G. Configure VPN
Follow the ch8 lab for the VPN.
H. Configure Switched to mitigate Layer 2 Attacks.
Follow the chapter 6 lab for switch.