Cisco Ccie Lab Security Demo V8

Published: September 30, 2012
Cisco CCIE LAB Security

Cisco CCIE LAB Security Demo
V8
Update September, 2011

1.1

ASA1 Initialization

• Configure ASA1 initialization; use the exact names.
Details to be used:

Interface name   Interface        Security Level   IP Address
outside          Ethernet0/0      0                2YY.YY.4.10/24
inside           Ethernet0/1      100              2YY.YY.1.10/24
DMZ2             Ethernet0/2.2    20               2YY.YY.2.10/24
DMZ3             Ethernet0/2.3    30               2YY.YY.3.10/24

• Configure a default route pointing to the R4 IP address 2YY.YY.4.4
• Configure IP routing on ASA1

Interface   Protocol   Details   Redistribution
outside     OSPF       Area0     n/a
inside      RIPv2      --        RIP into OSPF only
DMZ2        OSPF       Area2     n/a
DMZ3        n/a        n/a       n/a

• You may allow any ICMP traffic in your ACL.
• Do NOT enable NAT control.
Important Note:
• You must finish the configuration of Q3.1, Sensor Initialization, in the IPS section, configuring an inline VLAN pair between ASA1 outside (vlan 100) and R4 Ethernet0/0 (vlan 4).
• When the inline VLAN pair is configured correctly, traffic can pass between the ASA outside interface and R4.
• Modify the switch parameters as appropriate to achieve this task.

1.2

Cisco ASA Failover

• Configure LAN-based active/standby failover on ASA1 and ASA2.
• ASA1 is the primary, and ASA2 is the secondary.
• Use Ethernet0/3 for the failover LAN interface, named 'failover', with the IP address 2YY.YY.5.10 for active and 2YY.YY.5.20 for standby.
• Use the failover password cisco.
• Use standby IP addresses as shown in the output below.
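
The following is an added configuration example for sections 1.1 and 1.2 together, written for the ASA 8.2-era CLI this workbook targets; it is not the workbook's own solution. The subinterface VLAN IDs (2 and 3), the standby addresses (.11 on each data subnet, since the referenced output is not on the page) and the ACL name OUTSIDE_IN are assumptions; every address and interface name that is not marked as assumed comes from the task tables.

```cisco
! ASA1 (primary unit). Assumed: VLAN IDs 2/3 on the Ethernet0/2 subinterfaces,
! .11 standby addresses, ACL name OUTSIDE_IN. Everything else is from the tables.
hostname ASA1
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2YY.YY.4.10 255.255.255.0 standby 2YY.YY.4.11
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 2YY.YY.1.10 255.255.255.0 standby 2YY.YY.1.11
 no shutdown
!
! The physical Ethernet0/2 only carries the two 802.1Q subinterfaces,
! so it gets no nameif, security level or address of its own.
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/2.2
 vlan 2
 nameif DMZ2
 security-level 20
 ip address 2YY.YY.2.10 255.255.255.0 standby 2YY.YY.2.11
!
interface Ethernet0/2.3
 vlan 3
 nameif DMZ3
 security-level 30
 ip address 2YY.YY.3.10 255.255.255.0 standby 2YY.YY.3.11
!
! Default route toward R4.
route outside 0.0.0.0 0.0.0.0 2YY.YY.4.4
!
! OSPF on outside (area 0) and DMZ2 (area 2); RIP learned on inside is
! redistributed into OSPF. Nothing is redistributed back ("RIP into OSPF only").
router ospf 1
 network 2YY.YY.4.0 255.255.255.0 area 0
 network 2YY.YY.2.0 255.255.255.0 area 2
 redistribute rip subnets
!
! RIPv2 spoken on inside only; every other interface stays passive.
router rip
 version 2
 no auto-summary
 network 2YY.YY.1.0
 passive-interface default
 no passive-interface inside
!
! NAT control stays at its default (off). The ACL permits only the ICMP the task allows.
no nat-control
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside
!
! LAN-based active/standby failover over Ethernet0/3. ASA2 gets the same lines
! with "failover lan unit secondary"; it learns the rest from the primary.
interface Ethernet0/3
 no shutdown
failover lan unit primary
failover lan interface failover Ethernet0/3
failover interface ip failover 2YY.YY.5.10 255.255.255.0 standby 2YY.YY.5.20
failover key cisco
failover
```

Check the result with "show failover" (both units listed, the primary Active and the secondary Standby Ready) and "show route" on the active unit, where the RIP routes from inside should appear alongside the OSPF routes and the static default. Because "no nat-control" is the default, the RIP-into-OSPF redistribution carries real inside prefixes and no translation is required for traffic to flow.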
1.3

PIX Initialization

Configure the admin, c1, and c2 contexts on the PIX as shown, using the information given in the tables here. The context names are case-sensitive.

Admin Context Name 'admin'

Interface nameif   Allocate   Security Level   IP address
None               None       n/a              n/a

Context1 Name 'c1'

Interface nameif   Allocate    Security Level   IP address
outside            Ethernet0   0                2YY.YY.7.1/24
inside             Ethernet1   100              2YY.YY.77.1/24

Context2 Name 'c2'

Interface nameif   Allocate    Security Level   IP address
outside            Ethernet2   0                2YY.YY.8.1/21
inside             Ethernet3   100              2YY.YY.88.1/24

• Configure a default route in the c1 context pointing to R3 with the IP address 2YY.YY.7.3
• Configure a default route in the c2 context pointing to R3 with the IP address 2YY.YY.8.3
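
An added example for the multiple-context task above (not the workbook's own solution): the system execution space creates the three contexts and hands out the physical interfaces, then each context is configured from inside. The config-url file names, the ACL name OUTSIDE_IN and the ICMP permit are assumptions; the interface allocation, addresses and default routes are the ones in the tables.

```cisco
! PIX, system execution space. "mode multiple" reboots the unit, so enter it first
! and on its own. Assumed: config-url file names, ACL name OUTSIDE_IN.
mode multiple
!
! Physical interfaces are enabled from the system space; a context only addresses them.
interface Ethernet0
 no shutdown
interface Ethernet1
 no shutdown
interface Ethernet2
 no shutdown
interface Ethernet3
 no shutdown
!
! The admin context must exist before any other context can be created.
! Per the table it gets no interfaces (Allocate: None).
admin-context admin
context admin
 config-url flash:/admin.cfg
!
context c1
 allocate-interface Ethernet0
 allocate-interface Ethernet1
 config-url flash:/c1.cfg
!
context c2
 allocate-interface Ethernet2
 allocate-interface Ethernet3
 config-url flash:/c2.cfg
!
! --- entered after "changeto context c1" ---
interface Ethernet0
 nameif outside
 security-level 0
 ip address 2YY.YY.7.1 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 2YY.YY.77.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 2YY.YY.7.3
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside
!
! --- entered after "changeto context c2" ---
! The table prints the c2 outside prefix as /21 (255.255.248.0) while every other
! prefix is /24; confirm it against the lab diagram before committing it.
interface Ethernet2
 nameif outside
 security-level 0
 ip address 2YY.YY.8.1 255.255.248.0
interface Ethernet3
 nameif inside
 security-level 100
 ip address 2YY.YY.88.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 2YY.YY.8.3
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside
```

"show context" in the system space lists each context with its allocated interfaces and config-url, and "show mode" confirms multiple mode after the reboot. NAT control is off by default in every context, so no nat or static statements are needed for the default routes to be usable.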

• You may allow any ICMP traffic in your ACL.
• Do NOT enable NAT control in any security context (the default is no nat-control).

1.4

Address Translations on ASA

• Configure static NAT on ASA1 for the following conditions (do NOT enable NAT control):
• Telnet requests to the ASA outside IP address 2YY.YY.4.10 on port 1123 should be redirected to the R1 Loopback0 IP address 10.YY.1.1
• Telnet requests to the ASA outside IP address 2YY.YY.4.10 on port 2223 should be redirected to the R2 Loopback0 IP address 10.YY.2.2
Verify Telnet from R4:
RackYYR4#telnet 2YY.YY.4.10 1123 (will connect to R1)
RackYYR4#telnet 2YY.YY.4.10 2223 (will connect to R2)

• Configure policy static NAT using the static command
• IP traffic destined for R4 Serial0/0, sourced from R1 Ethernet0/0 (170.1.1.1), is translated as 2YY.YY.4.50
Verify the configuration with an extended ping from R1:
RackYYR1#ping 2YY.YY.100.4 source Ethernet0/0 (170.1.1.1)
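
An added example for both NAT tasks above, in the pre-8.3 "static" syntax the task names (not the workbook's own solution). It assumes R1 and R2 are reached through ASA1's inside interface, an interface ACL named OUTSIDE_IN, and the policy-NAT ACL name R1_TO_R4_S0; the ports, loopbacks, mapped address and the R4 Serial0/0 address (2YY.YY.100.4, the ping target in the task) are the page's.

```cisco
! ASA1, pre-8.3 NAT. Assumed: R1/R2 sit behind "inside", ACL names OUTSIDE_IN
! and R1_TO_R4_S0. NAT control stays off.
!
! Port redirection: TCP 1123 and 2223 on the outside interface address
! (2YY.YY.4.10) are forwarded to telnet (23) on the R1 and R2 loopbacks.
static (inside,outside) tcp interface 1123 10.YY.1.1 23 netmask 255.255.255.255
static (inside,outside) tcp interface 2223 10.YY.2.2 23 netmask 255.255.255.255
!
! Pre-8.3 interface ACLs match the mapped (translated) address, so the permits
! name the outside address and the redirected ports only; nothing else reaches
! the loopbacks from outside.
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp any host 2YY.YY.4.10 eq 1123
access-list OUTSIDE_IN extended permit tcp any host 2YY.YY.4.10 eq 2223
access-group OUTSIDE_IN in interface outside
!
! Policy static NAT: only packets from R1 Ethernet0/0 (170.1.1.1) to R4 Serial0/0
! (2YY.YY.100.4) leave as 2YY.YY.4.50; the same source to any other destination
! is untranslated because nat-control is off.
access-list R1_TO_R4_S0 extended permit ip host 170.1.1.1 host 2YY.YY.100.4
static (inside,outside) 2YY.YY.4.50 access-list R1_TO_R4_S0
!
! Verification from privileged exec:
!   show nat    - lists both static port redirections and the policy static
!   show xlate  - shows the 170.1.1.1 -> 2YY.YY.4.50 entry once R1 has pinged R4
```

Run the two telnet checks from R4 and the extended ping from R1 exactly as the task states, then read "show xlate" on ASA1: the port-redirect entries are static and present immediately, while the policy-NAT xlate only exists after R1 has sent matching traffic.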

1.5

Cisco IOS Firewall (CBAC)

• Configure CBAC on R6 and keep the following points under consideration:
• Configure firewall outbound inspection on R6 Ethernet0/0 to protect your internal users from HTTP-based attacks coming from BB2.
• Allow Java from a friendly site at 198.133.219.25 (www.cisco.com) while implicitly denying Java from all other sites.
• Configure an antispoofing ACL on the Ethernet0/0 ingress to prevent spoofing for the major net...
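
An added IOS example for the CBAC task (not the workbook's own solution). The inspection name OUTBOUND, the ACL names, and the inside network placeholder INSIDE_NET / INSIDE_WILDCARD are assumptions; the task's antispoofing bullet is cut off on the page, so the example shows only the principle of dropping inbound packets that carry an inside source. The friendly Java host 198.133.219.25 and the interface Ethernet0/0 are the page's.

```cisco
! R6, Cisco IOS Classic Firewall (CBAC). Ethernet0/0 faces BB2.
! Assumed: names OUTBOUND, E0_0_IN, ACL 10; INSIDE_NET/INSIDE_WILDCARD is a
! placeholder for the network behind R6, which the page does not state.
!
! Standard ACL 10 is the java-list: applets from 198.133.219.25 are allowed,
! every other source falls to the ACL's implicit deny and its applets are blocked.
access-list 10 permit 198.133.219.25
!
! Outbound inspection: sessions opened by inside users are tracked and their
! return traffic is admitted through the inbound ACL by dynamic entries that
! CBAC inserts at the top of that ACL.
ip inspect name OUTBOUND http java-list 10
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Inbound ACL on the BB2-facing interface: drop spoofed packets that claim an
! inside or loopback source, keep the ICMP the task allows, deny everything else.
ip access-list extended E0_0_IN
 deny   ip INSIDE_NET INSIDE_WILDCARD any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit icmp any any
 deny   ip any any log
!
interface Ethernet0/0
 ip inspect OUTBOUND out
 ip access-group E0_0_IN in
!
! Verification: "show ip inspect config" lists the rule set, and
! "show ip inspect sessions" shows the half-open/established sessions
! whose return traffic is currently allowed through E0_0_IN.
```

Two points worth checking on a live box: the java-list must be a standard ACL (1-99), and the inbound ACL has to end in a deny, because without one CBAC's dynamic openings add nothing and the HTTP protection the task asks for does not exist.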