Cisco Network Security Configuration

Scenario

This culminating activity draws on many of the skills you have acquired during this course. You will secure routers by using the CLI to configure various IOS features, including AAA, SSH, and Zone-Based Policy Firewall (ZPF). You will configure a site-to-site VPN between R1 and R3 (you are only required to configure R1). You will also secure the switches on the network.

Note: Not all security features will be configured on all devices here; in a production network, however, they would be.

Configure Basic Router Security (7 marks) 

Configure the following on R1: 

Minimum password length is 10 characters. Encrypt plaintext passwords. Privileged EXEC mode secret password is cisco12345. Console line password is cisco12345, timeout is 15 minutes, and console messages should not interrupt command entry. A message-of-the-day (MOTD) banner should include the word unauthorized. 


Configure Basic Switch Security (10 marks) 

Configure trunking on S1 only (it is your responsibility to identify the trunk link and appropriate port on S1): 

Set the mode to trunk and assign VLAN 99 as the native VLAN. Disable the generation of DTP frames. 


Configure the S1 with the following port settings: 
F0/6 should be an access-mode port with PortFast and BPDU guard enabled. F0/6 uses basic default port security, with dynamically learned MAC addresses added to the running configuration. All other ports should be disabled.


Note: Although not all ports are checked, your instructor may want to verify that all unused ports are disabled. 

Configure AAA Local Authentication (4 marks) 

Configure the following on R1: 
 
Create a local user account Admin01 with the secret password Admin01pass and privilege level 15. Enable AAA services.

Implement AAA services using the local database as the first option and then the enable password as the backup option. 


Configure SSH (4 marks) 

Configure the following on R1: 

The domain name is ccnasecurity.com. The RSA key should be generated with a 1024-bit modulus. Only SSH version 2 is allowed. Only SSH is allowed on the VTY lines.


Configure Site-to-Site IPsec VPN on R1 only (15 marks) 

Configure the following on R1: 

Create an access list to identify interesting traffic on R1. Configure ACL 101 to allow traffic from the R1 Lo1 network to the R3 G0/1 LAN. 

Configure the crypto isakmp policy 10 Phase 1 properties on R1 and the shared crypto key ciscovpnpa55. Use the following parameters: 

1. Key distribution method: ISAKMP 
2. Encryption: aes 256 
3. Hash: sha 
4. Authentication method: pre-shared 
5. Key exchange: DH Group 5 
6. IKE SA lifetime: 3600 
7. ISAKMP key: ciscovpnpa55 

Create the transform set VPN-SET to use esp-aes 256 and esp-sha-hmac. Then create the crypto map CMAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map. Use the following parameters:

1. Transform set: VPN-SET 
2. Transform encryption: esp-aes 256 
3. Transform authentication: esp-sha-hmac 
4. Perfect Forward Secrecy (PFS): group5 
5. Crypto map name: CMAP 
6. SA establishment: ipsec-isakmp 
7. Bind the crypto map (CMAP) to the outgoing interface. 
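The R1 side of the VPN described above, as an added example of the corresponding IOS configuration (not part of the original assignment text). The Lo1 network, the R3 peer address and R1's outgoing interface are placeholders because the task sheet does not state them; the R3 G0/1 LAN is assumed to be 172.30.3.0/24, inferred from the ZPF task.

```cisco
! R1 site-to-site IPsec VPN (added example). Values in <angle brackets>
! are placeholders the assignment does not supply.
!
! Interesting traffic: R1 Lo1 network -> R3 G0/1 LAN (172.30.3.0/24 assumed)
access-list 101 permit ip <R1-LO1-NETWORK> <WILDCARD> 172.30.3.0 0.0.0.255
!
! Phase 1 (ISAKMP / IKEv1) policy 10
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
!
! Pre-shared key bound to the R3 peer address
crypto isakmp key ciscovpnpa55 address <R3-PEER-IP>
!
! Phase 2 transform set: AES-256 for confidentiality, SHA-HMAC for integrity
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
!
! Crypto map CMAP, sequence 10, binding the Phase 2 parameters
crypto map CMAP 10 ipsec-isakmp
 set peer <R3-PEER-IP>
 set pfs group5
 set transform-set VPN-SET
 match address 101
!
! Bind the crypto map to R1's outgoing (WAN) interface
interface <R1-WAN-INTERFACE>
 crypto map CMAP
!
! Verification once traffic matching ACL 101 has crossed the tunnel:
!   show crypto isakmp sa   -> state QM_IDLE / ACTIVE means Phase 1 is up
!   show crypto ipsec sa    -> pkts encaps/decaps counters should increment
```

Note that SHA-1 hashing and DH group 5 are what the lab specifies; a production deployment would choose a SHA-2 hash and a stronger DH group.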


Configure Firewall (10 marks) 

Configure a ZPF on R3 using the following requirements:

1. Create zones named IN-ZONE and OUT-ZONE.

2. Create ACL 110 to define internal traffic: it permits all IP protocols from the 172.30.3.0/24 source network to any destination.

3. Create a class map named INTERNAL-CLASS-MAP that uses the match-all option and ACL 110.

4. Create a policy map named IN-2-OUT-PMAP that uses the class map INTERNAL-CLASS-MAP to inspect all matched traffic.

5. Create a zone pair named IN-2-OUT-ZPAIR that identifies IN-ZONE as the source zone and OUT-ZONE as the destination zone.

6. Specify that the IN-2-OUT-PMAP policy map is to be used to inspect traffic between the two zones.

7. Assign G0/1 as an IN-ZONE member and S0/0/1 as an OUT-ZONE member.
