Chapter 11 - Comprehensive Lab.txt-1

June 21, 2018 | Author: Arwin Ilagan | Category: Secure Shell, Security Technology, Network Architecture, Security Engineering, Information Age


Short Description

Description: Case Study - CCNA Security Comprehensive Lab...

Description

=========================================================
R1
#no ip domain-lookup
#int g0/0
#ip add 209.165.200.225 255.255.255.248
#no shut
#int s0/0/0
#ip add 10.1.1.1 255.255.255.252
#clock rate 128000
#no shut
#int lo1
#ip add 172.20.1.1 255.255.255.0
#ip route 0.0.0.0 0.0.0.0 10.1.1.2
#security passwords min-length 10
#service password-encryption
#banner motd $UNAUTHORISED ACCESS IS STRICTLY PROHIBITED AND PROSECUTED TO THE FULL EXTENT OF THE LAW!$
#enable algorithm-type scrypt secret cisco12345
#username Admin01 privilege 15 secret Admin01pa55
#line con 0
#privilege level 15
#exec-timeout 15 0
#logging synchronous
#login
#exi
#line vty 0 4
#privilege level 15
#exec-timeout 15 0
#logging synchronous
#transport input ssh
#login
#exi
#aaa new-model
#aaa authentication login default local
#login on-success log
#login on-failure log every 2
#exi
#ip http server
#ip http authentication local
#ip domain-name ccnasecurity.com
#crypto key generate rsa general-keys modulus 1024
#ip ssh version 2
#ip ssh time-out 90
#ip ssh authentication-retries 2
#login block-for 60 attempts 2 within 30
#login on-failure log every 2
#secure boot-image
#secure boot-config
#copy running-config startup-config
#no secure boot-image
#no secure boot-config
#ntp authenticate
#ntp authentication-key 1 md5 NTPpassword
#ntp trusted-key 1
#ntp server 10.1.1.2
#ntp update-calendar
#do show ntp associations
#do show ntp status
#copy running-config startup-config
=========================================================
R2
#no ip domain-lookup
#int s0/0/0
#ip add 10.1.1.2 255.255.255.252
#no shut
#int s0/0/1
#ip add 10.2.2.2 255.255.255.252
#clock rate 128000
#no shut
#ip route 209.165.200.224 255.255.255.248 10.1.1.1
#ip route 172.16.3.0 255.255.255.0 10.2.2.1
#show clock
#clock set 19:30:00 Jan 26 2017
#show clock
#ntp authenticate
#ntp authentication-key 1 md5 NTPpassword
#ntp trusted-key 1
#ntp master 3
#copy running-config startup-config
=========================================================
R3
#no ip domain-lookup
#int g0/1
#ip add 172.16.3.1 255.255.255.0
#no shut
#int s0/0/1
#ip add 10.2.2.1 255.255.255.252
#no shut
#ip route 0.0.0.0 0.0.0.0 10.2.2.2
#security passwords min-length 10
#service password-encryption
#banner motd $UNAUTHORISED ACCESS IS STRICTLY PROHIBITED AND PROSECUTED TO THE FULL EXTENT OF THE LAW!$
#enable algorithm-type scrypt secret cisco12345
#username Admin01 privilege 15 secret Admin01pa55
#line con 0
#privilege level 15
#exec-timeout 15 0
#logging synchronous
#login
#exi
#line vty 0 4
#privilege level 15
#exec-timeout 15 0
#logging synchronous
#transport input ssh
#login
#exi
#aaa new-model
#aaa authentication login default local
#login on-success log
#login on-failure log every 2
#exi
#ip http server
#ip http authentication local
#ip domain-name ccnasecurity.com
#crypto key generate rsa general-keys modulus 1024
#ip ssh version 2
#ip ssh time-out 90
#ip ssh authentication-retries 2
#ntp authenticate
#ntp authentication-key 1 md5 NTPpassword
#ntp trusted-key 1
#ntp server 10.2.2.2
#ntp update-calendar
#do show ntp associations
#do show ntp status
#service timestamps log datetime msec
#logging 172.16.3.3
#logging trap 4
#show logging
#zone security INSIDE
#zone security OUTSIDE
#class-map type inspect match-any INSIDE_PROTOCOLS
#match protocol tcp
#match protocol udp
#match protocol icmp
#policy-map type inspect INSIDE_TO_OUTSIDE
#class type inspect INSIDE_PROTOCOLS
#inspect
#zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
#service-policy type inspect INSIDE_TO_OUTSIDE
#int g0/1
#zone-member security INSIDE
#int s0/0/1
#zone-member security OUTSIDE
#do show zone-pair security
#do show policy-map type inspect zone-pair
#do show zone security
#crypto isakmp enable
#crypto isakmp policy 1
#authentication pre-share
#encryption 3des
#hash sha
#group 2
#end
#crypto isakmp key Site2SiteKEY1 address 209.165.200.226
#do show crypto isakmp policy
#crypto ipsec transform-set TRNSFRM-SET esp-aes 256 esp-sha-hmac
#ip access-list extended 101
#permit ip 172.16.3.0 0.0.0.255 192.168.1.0 0.0.0.255
#exi
#crypto map CMAP 1 ipsec-isakmp
#match address 101
#set peer 209.165.200.226
#set transform-set TRNSFRM-SET
#int s0/0/1
#crypto map CMAP
#end
#do show crypto map
#do show crypto ipsec sa
#copy running-config startup-config
=========================================================
S1
#no ip domain-lookup
#int vlan1
#ip add 192.168.2.11 255.255.255.0
#ip default-gateway 192.168.2.1
#no shut
#no ip http server
#no ip http secure-server
#enable algorithm-type scrypt secret cisco12345
#banner motd $UNAUTHORISED ACCESS IS STRICTLY PROHIBITED$
#ip domain-name ccnasecurity.com
#username Admin01 privilege 15 secret Admin01pa55
#crypto key generate rsa general-keys modulus 1024
#ip ssh version 2
#ip ssh time-out 90
#ip ssh authentication-retries 2
#line con 0
#privilege level 15
#exec-timeout 5 0
#logging synchronous
#login
#exi
#line vty 0 4
#privilege level 15
#exec-timeout 5 0
#logging synchronous
#transport input ssh
#login
#exi
#int f0/6
#switchport mode access
#switchport nonegotiate
#switchport port-security
#switchport port-security maximum 1
#switchport port-security mac-address sticky
#switchport port-security violation shutdown
#spanning-tree portfast
#spanning-tree portfast bpduguard default
#int range f0/1-5
#shut
#spanning-tree guard loop
#int range f0/7-23
#shut
#spanning-tree guard loop
#copy running-config startup-config
=========================================================
S2
#no ip domain-lookup
#int vlan1
#ip add 192.168.1.11 255.255.255.0
#ip default-gateway 192.168.1.1
#no shut
#copy running-config startup-config
=========================================================
S3
#no ip domain-lookup
#int vlan1
#ip add 172.16.1.11 255.255.255.0
#ip default-gateway 172.30.3.1
#no shut
#copy running-config startup-config
=========================================================
ASA
#write erase
#reload
#int vlan1
#nameif inside
#ip address 192.168.1.1 255.255.255.0
#security-level 100
#no shut
#int vlan2
#nameif outside
#ip address 209.165.200.226 255.255.255.248
#security-level 0
#no shut
#int vlan3
#nameif dmz
#ip address 192.168.2.1 255.255.255.0
#security-level 70
#no shut
#int e0/0
#switchport access vlan 2
#no shut
#int e0/1
#switchport access vlan 1
#no shut
#int e0/2
#switchport access vlan 3
#no shut
#do sh int ip br
#do sh ip add
#do sh switch vlan
#http server enable
#http 192.168.1.0 255.255.255.0
=========================================================
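Added example, not part of the original lab file: a Python check that reads configuration in this page's notation (commands prefixed with `#`, one per line or run together) and reports legacy crypto and management settings plus missing login controls. The rule lists, the 2048-bit and DH group 14 thresholds, and the function names are assumptions of this example; the sample string is constructed from commands in the R3 section.

```python
import re

# Constructed sample in this page's notation, built from commands in the R3 section.
SAMPLE = ("#security passwords min-length 10 #line vty 0 4 #transport input ssh "
          "#ip http server #crypto key generate rsa general-keys modulus 1024 "
          "#ip ssh version 2 #crypto isakmp policy 1 #encryption 3des #group 2")

# (pattern, is_weak(match), finding). Thresholds are assumptions of this example.
WEAK = [
    (r"crypto key generate rsa .*modulus (\d+)", lambda m: int(m[1]) < 2048,
     "RSA host key below 2048 bits"),
    (r"encryption (des|3des)", lambda m: True, "IKE policy uses DES/3DES"),
    (r"group (\d+)", lambda m: int(m[1]) < 14, "IKE DH group below 14"),
    (r"ip http server", lambda m: True, "cleartext HTTP management enabled"),
    (r"transport input (.+)", lambda m: m[1] != "ssh", "vty accepts more than SSH"),
]
# Login controls that the R1 section applies; a config lacking one is reported.
REQUIRED = [
    (r"ip ssh version 2", "SSH not pinned to version 2"),
    (r"login block-for \d+ attempts \d+ within \d+", "no login block-for throttle"),
    (r"security passwords min-length \d+", "no minimum password length"),
]

def split_commands(text):
    """Split '#'-prefixed commands, whether one per line or run together."""
    parts = re.split(r"(?:^|\s)#", text, flags=re.M)
    return [p.strip() for p in parts if p.strip()]

def audit(text):
    """Return findings for one device's configuration text."""
    cmds = split_commands(text)
    findings = []
    for cmd in cmds:
        for pattern, is_weak, message in WEAK:
            m = re.fullmatch(pattern, cmd)
            if m and is_weak(m):
                findings.append(f"{message}: {cmd}")
    for pattern, message in REQUIRED:
        if not any(re.fullmatch(pattern, c) for c in cmds):
            findings.append(message)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against one device's section at a time, since the REQUIRED checks are per device.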
