0.0.0.0 lab
8/19/2019 0.0.0.0 Lab
CCNA Security
Lab – Instructor Lab
Topology
Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces.
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
IP Addressing Table
Device  Interface       IP Address       Subnet Mask      Default Gateway  Switch Port
R1      G0/0            209.165.200.225  255.255.255.248  N/A              ASA E0/0
R1      S0/0/0 (DCE)    10.1.1.1         255.255.255.252  N/A              N/A
R2      S0/0/0          10.1.1.2         255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)    10.2.2.2         255.255.255.252  N/A              N/A
R3      G0/1            172.16.3.1       255.255.255.0    N/A              S3 F0/5
R3      S0/0/1          10.2.2.1         255.255.255.252  N/A              N/A
ASA     VLAN 1 (E0/1)   192.168.1.1      255.255.255.0    N/A              S2 F0/24
ASA     VLAN 2 (E0/0)   209.165.200.226  255.255.255.248  N/A              R1 G0/0
ASA     VLAN 3 (E0/2)   192.168.2.1      255.255.255.0    N/A              S1 F0/24
PC-A    NIC             192.168.2.3      255.255.255.0    192.168.2.1      S1 F0/6
PC-B    NIC             192.168.1.3      255.255.255.0    192.168.1.1      S2 F0/18
PC-C    NIC             172.16.3.3       255.255.255.0    172.16.3.1       S3 F0/18
Objectives
Part 1: Initialize and Reload Network Devices
• Initialize the router and reload.
• Enable the security technology package license.
• Initialize the switch and reload.
• Initialize the ASA.
Part 2: Java Settings for PCs if Necessary
• Enable a secure HTTP server.
• Create a user account with privilege level 15.
• Configure SSH and Telnet access for local login.
Part 3: Access a Cisco Router Using a mini-USB Console Cable
• Set up the physical connection with a mini-USB cable.
• Verify that the USB console is ready.
• Enable the COM port.
Part 4: Download and Install the AnyConnect Client Software Package
• Download the AnyConnect Secure
Background/Scenario
Part 1 of this instructor lab provides the steps for initializing devices back to their default settings. Part 2 of this lab provides the steps necessary to set Java settings on the PC hosts. Part 3 of this lab provides optional information on how to download, install, and use the Cisco USB driver on a Windows PC.
Required Resources
• 1 ASA 5505 (OS version 9.2(3), ASDM version 7.4(1), and Base license or comparable)
• 3 routers (Cisco 1941 with Cisco IOS Release 15.4(3) with SSH client software installed)
• Serial and Ethernet cables, as shown in the topology
• Console cables to configure Cisco networking devices
Part 1: Initialize and Reload Network Devices
Step 1: Initialize the Router and Reload.
a. Connect to the router.
Console into the router and enter privileged EXEC mode using the enable command.
Router> enable
Router#
b. Erase the startup configuration file from NVRAM.
Type the erase startup-config command to remove the startup configuration from NVRAM
press Enter to confirm the reload. Pressing any other key will abort the reload.
Router# reload
Proceed with reload? [confirm]
Nov 29 18:28:09.923: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
You may receive a prompt to save the running configuration prior to reloading the router. Respond by typing no and press Enter.
System configuration has been modified. Save? [yes/no]: no
d. Bypass the initial configuration dialog.
After the router reloads, you are prompted to enter the initial configuration dialog. Enter no and press Enter.
Would you like to enter the initial configuration dialog? [yes/no]: no
e. Terminate the autoinstall program.
You will be prompted to terminate the autoinstall program. Respond yes and then press Enter.
Would you like to terminate autoinstall? [yes]: yes
Router>
Step 2: Initialize the Switch and Reload.
a. Connect to the switch.
Console into the switch and enter privileged EXEC mode.
Switch> enable
Switch#
b. Determine if there have been any VLANs created.
Use the show flash command to determine if any VLANs have been created on the switch.
Switch# show flash
Directory of flash:/
2 -rwx 1919 Mar 1 1993 00:06:33
delete the file.
Switch# delete vlan.dat
Delete filename [vlan.dat]?
b. You will be prompted to verify the file name. At this point, you can change the file name or press Enter if you have entered the name correctly.
c. When you are prompted to delete this file, press Enter to confirm the deletion. Pressing any other key will abort the deletion.
Delete flash:/vlan.dat? [confirm]
Switch#
d. Erase the startup configuration file.
Use the erase startup-config command to erase the startup configuration file from NVRAM
press Enter to confirm the removal. Pressing any other key will abort the operation.
Switch# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm][OK]
Erase of nvram: complete
Switch#
e. Reload the switch.
Reload the switch to remove old configuration information from memory. When prompted to reload the switch, press Enter to proceed with the reload. Pressing any other key will abort the reload.
Switch# reload
Proceed with reload? [confirm]
Note: You may receive a prompt to save the running configuration prior to reloading the switch. Type no and press Enter.
System configuration has been modified. Save? [yes/no]: no
f. Bypass the initial configuration dialog.
After the switch reloads, you should see a prompt to enter the initial configuration dialog. Type no at the prompt and press Enter.
Would you like to enter the initial configuration dialog? [yes/no]: no
Switch>
Part 2: Java Settings on PCs
The next-generation Java Plug-in must be enabled and the security setting must be set to medium for the CCP configuration of IPS. To support CCP configuration of IPS and set the Java heap to 256 MB, the PC should be running Java JRE version 6 or newer. This is done using the runtime parameter -Xmx256m. The latest JRE for Windows can be downloaded from Oracle Corporation at http://www.oracle.com/.
Note: CCP is no longer used with CCNASv2 labs.
g. Enable the next-generation Java Plug-in.
a. Open the Control Panel, and select Java to access the Java Control Panel.
b. In the Java Control Panel, click the Advanced tab.
c. Locate the heading Java Plug-in. Select the checkbox to Enable the next-generation Plug-in. A browser restart is required.
d. Click Apply.
e. Click Yes to allow the changes. Click OK to acknowledge the changes.
h. Change the Java security settings.
f. Click the Security tab.
g. Change the Security Level to Medium by moving the slider.
h. Click Apply.
i. Change the Java Applet Runtime settings.
i. Click the Java tab and then the View button to change the Java Applet Runtime Settings.
j. Double-click the Runtime Parameters box. Type -Xmx256m in the box.
k. Click OK. Click OK again to exit the Java Control Panel.
j. Restart all web browsers, including CCP if it opened, in order for the changes to take effect.
Step 1: Access a Cisco Router Using a mini-USB Console Cable
If you are using a Cisco 1941 router or other Cisco IOS devices with a mini-USB console port, you can access the device console port using a mini-USB cable connected to the USB port on your computer.
Note: The mini-USB console cable is the same type of mini-USB cable used with other electronics devices, such as USB hard drives, USB printers, or USB hubs. These mini-USB cables can be purchased through Cisco Systems, Inc. or other third-party vendors. Please verify that you are using a mini-USB cable, not a micro-USB cable, to connect to the mini-USB console port on a Cisco IOS device.
Note: You must use either the USB port or the RJ-45 port. Do not use them simultaneously. When the USB port is used, it takes priority over the RJ-45 console port.
k. Set up the physical connection with a mini-USB cable.
l. Connect the mini-USB cable to the mini-USB console port of the router.
m. Connect the other cable end to a USB port on the computer.
n. Turn on the Cisco router and computer.
l. Verify that the USB console is ready.
If you are using a
please install the Cisco USB console driver. A USB driver must be installed prior to being used on a
the folder contains instructions for installation, removal, and the required drivers for different operating systems and architectures. Please choose the appropriate version for your system.
When the LED indicator for the USB console port has turned green, the USB console port is ready for access.
m. Enable the COM port for the Windows 7 PC.
If you are using a
you may need to perform the following steps to enable the COM port:
o. Click the Windows Start icon to access the Control Panel.
p. Open the Device Manager.
q. Click the Ports (COM & LPT) tree link to expand it. Right-click the USB Serial Port icon and choose Update Driver Software.
r. Choose Browse my computer for driver software.
s. Choose Let me pick from a list of device drivers on my computer and click Next.
t. Choose the Cisco Serial driver and click Next.
u. The device driver is installed successfully. Take note of the assigned port number listed at the top of the window. In this sample, COM 5 is used for communication with the router. Click Close.
v. Open Tera Term. Click the Serial radio button and choose Port COM5: Cisco Serial (COM 5). This port should now be available for communication with the router. Click OK.
Part 2: Download and Install the AnyConnect Client Software Packages
Updated versions of Cisco's AnyConnect Client software packages can be downloaded from Cisco.com. It is recommended that AnyConnect Secure
ASA 5505 for CCNAS. This release of the AnyConnect Secure
connect to the www.cisco.com and log in.
x. Click Support > Security (VPN, Firewall) > AnyConnect VPN Client.
y. From the Cisco AnyConnect VPN Client screen, click Download Software.
z. From the Download Software - Select a Product screen, click AnyConnect Secure Mobility Client.
aa. Click AnyConnect Security Mobility Client v4.x.
ab. Use the scroll bar in the Download Software - AnyConnect Secure
b. Upload the AnyConnect Secure Mobility Client to the ASA 5505.
ac. After the anyconnect-win-4.1.00028-k9.pkg has been downloaded, connect the PC to the ASA 5505 E0/1 interface and assign it a static IP address of 192.168.1.3, with a subnet mask of 255.255.255.0.
Note: This PC will also need TFTP software installed. Tftpd32.exe is used for this example.
ad. Configure the ASA's VLAN 1 with an IP address of 192.168.1.1, a subnet mask of 255.255.255.0, and the nameif to inside.
ciscoasa(config)# int vlan 1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no shut
ae. Activate interface E0/0.
ciscoasa(config-if)# int e0/1
ciscoasa(config-if)# no shut
ciscoasa(config-if)# end
af. Start the Tftpd32 software and verify that the anyconnect-win-4.1.00028-k9.pkg file is located in the default directory.
ag. From the CLI on the ASA, issue the copy tftp://192.168.1.3/anyconnect-win-4.1.00028-k9.pkg flash: command.
ciscoasa# copy tftp://192.168.1.3/anyconnect-win-4.1.00028-k9.pkg flash:
Address or name of remote host [192.168.1.3]?
Source filename [anyconnect-win-4.1.00028-k9.pkg]?
Destination filename [anyconnect-win-4.1.00028-k9.pkg]?
Accessing tftp://192.168.1.3/anyconnect-win-4.1.00028-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<Output Omitted>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.1.00028-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<Output Omitted>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
16932458 bytes copied in 60.160 secs (28220 bytes/sec)
ciscoasa#
ah. Issue the show flash command on the ASA to verify that the file has been uploaded to flash.
ciscoasa# show flash
--#--  --length--  -----date/time------  path
   54  30468096    Feb 13 2015 15:09:42  asa923-k8.bin
   19  2048        May 13 2015 18:42:24  crypto_archive
   20  2048        May 13 2015 18:42:54  coredumpinfo
   21  59          May 13 2015 18:42:54  coredumpinfo/coredump.cfg
   10  2048        Aug 29 2011 13:59:36  log
    5  26350916    Mar 26 2015 14:20:14  asdm-741.bin
   62  12998641    Aug 29 2011 14:04:10  csd_3.5.2008-k9.pkg
   63  2048        Aug 29 2011 14:04:12  sdesktop
   86  0           Aug 29 2011 14:04:12  sdesktop/data.xml
   64  468691      Apr 16 2015 16:10:22  anyconnect-win-2.5.2014-k9.pkg
   65  64851       Apr 16 2015 16:11:26  anyconnect-macosx-i386-2.5.2014-k9.pkg
   66  6689498     Apr 16 2015 16:12:18  anyconnect-linux-2.5.2014-k9.pkg
   68  16932458    May 21 2015 22:23:05  anyconnect-win-4.1.00028-k9.pkg
12853440 bytes total (23339008 bytes free)
ciscoasa#
Router Interface Summary Table
Router Interface Summary
Router Model  Ethernet Interface #1        Ethernet Interface #2        Serial Interface #1    Serial Interface #2
1800          Fast Ethernet 0/0 (F0/0)     Fast Ethernet 0/1 (F0/1)     Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
1900          Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2801          Fast Ethernet 0/0 (F0/0)     Fast Ethernet 0/1 (F0/1)     Serial 0/1/0 (S0/1/0)  Serial 0/1/1 (S0/1/1)
2811          Fast Ethernet 0/0 (F0/0)     Fast Ethernet 0/1 (F0/1)     Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2900          Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces, identify the type of router used, and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.