0.0.0.0 Lab


  • 8/19/2019 0.0.0.0 Lab

    1/15

    CCNA Security

    Lab – Instructor Lab

    Topology

    Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces.

    © 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 15


    IP Addressing Table

    Device  Interface      IP Address       Subnet Mask      Default Gateway  Switch Port
    R1      G0/0           209.165.200.225  255.255.255.248  N/A              ASA E0/0
            S0/0/0 (DCE)   10.1.1.1         255.255.255.252  N/A              N/A
    R2      S0/0/0         10.1.1.2         255.255.255.252  N/A              N/A
            S0/0/1 (DCE)   10.2.2.2         255.255.255.252  N/A              N/A
    R3      G0/1           172.16.3.1       255.255.255.0    N/A              S3 F0/5
            S0/0/1         10.2.2.1         255.255.255.252  N/A              N/A
    ASA     VLAN 1 (E0/1)  192.168.1.1      255.255.255.0    N/A              S2 F0/24
            VLAN 2 (E0/0)  209.165.200.226  255.255.255.248  N/A              R1 G0/0
            VLAN 3 (E0/2)  192.168.2.1      255.255.255.0    N/A              S1 F0/24
    PC-A    NIC            192.168.2.3      255.255.255.0    192.168.2.1      S1 F0/6
    PC-B    NIC            192.168.1.3      255.255.255.0    192.168.1.1      S2 F0/18
    PC-C    NIC            172.16.3.3       255.255.255.0    172.16.3.1       S3 F0/18

    Objectives

    Part 1: Initialize and Reload Network Devices

    • Initialize the router and reload.

    • Enable the security technology package license.

    • Initialize the switch and reload.

    • Initialize the ASA.

    Part 2: Java Settings for PCs if Necessary

    • Enable a secure HTTP server.

    • Create a user account with privilege level 15.

    • Configure SSH and Telnet access for local login.

    Part 3: Access a Cisco Router Using a Mini-USB Console Cable

    • Set up the physical connection with a mini-USB cable.

    • Verify that the USB console is ready.

    • Enable the COM port.

    Part 4: Download and Install the AnyConnect Client Software Package

    • Download the AnyConnect Secure


    Background/Scenario

    Part 1 of this instructor lab provides the steps for initializing devices back to their default settings. Part 2 of this lab provides the steps necessary to set Java settings on the PC hosts. Part 3 of this lab provides optional information on how to download, install, and use the Cisco USB driver on a Windows PC.

    Required Resources

    • 1 ASA 5505 (OS version 9.2(3), ASDM version 7.4(1), and Base license or comparable)

    • 3 routers (Cisco 1941 with Cisco IOS Release 15.4(3) with SSH client software installed)

    • Serial and Ethernet cables, as shown in the topology

    • Console cables to configure Cisco networking devices

    Part 1: Initialize and Reload Network Devices

    Step 1: Initialize the Router and Reload.

    a. Connect to the router.

    Console into the router and enter privileged EXEC mode using the enable command.

    Router> enable

    Router#

    b. Erase the startup configuration file from NVRAM.

    Type the erase startup-config command to remove the startup configuration from NVRAM press Enter to confirm the reload. Pressing any other key will abort the reload.

    Router# reload

    Proceed with reload? [confirm]

    Nov 29 18:28:09.923: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

    You may receive a prompt to save the running configuration prior to reloading the router. Respond by typing no and press Enter.

    System configuration has been modified. Save? [yes/no]: no


    d. Bypass the initial configuration dialog.

    After the router reloads, you are prompted to enter the initial configuration dialog. Enter no and press Enter.

    Would you like to enter the initial configuration dialog? [yes/no]: no

    e. Terminate the autoinstall program.

    You will be prompted to terminate the autoinstall program. Respond yes and then press Enter.

    Would you like to terminate autoinstall? [yes]: yes

    Router>

    Step 2: Initialize the Switch and Reload.

    a. Connect to the switch.

    Console into the switch and enter privileged EXEC mode.

    Switch> enable

    Switch#

    b. Determine if there have been any VLANs created.

    Use the show flash command to determine if any VLANs have been created on the switch.

    Switch# show flash

    Directory of flash:/

      2  -rwx  1919  Mar 1 1993 00:06:33

    delete the file.

    Switch# delete vlan.dat

    Delete filename [vlan.dat]?

    b. You will be prompted to verify the file name. At this point, you can change the file name or press Enter if you have entered the name correctly.

    c. When you are prompted to delete this file, press Enter to confirm the deletion. Pressing any other key will abort the deletion.

    Delete flash:/vlan.dat? [confirm]

    Switch#


    d. Erase the startup configuration file.

    Use the erase startup-config command to erase the startup configuration file from NVRAM press Enter to confirm the removal. Pressing any other key will abort the operation.

    Switch# erase startup-config

    Erasing the nvram filesystem will remove all configuration files! Continue? [confirm][OK]

    Erase of nvram: complete

    Switch#

    e. Reload the switch.

    Reload the switch to remove old configuration information from memory. When prompted to reload the switch, press Enter to proceed with the reload. Pressing any other key will abort the reload.

    Switch# reload

    Proceed with reload? [confirm]

    Note: You may receive a prompt to save the running configuration prior to reloading the switch. Type no and press Enter.

    System configuration has been modified. Save? [yes/no]: no

    f. Bypass the initial configuration dialog.

    After the switch reloads, you should see a prompt to enter the initial configuration dialog. Type no at the prompt and press Enter.

    Would you like to enter the initial configuration dialog? [yes/no]: no

    Switch>

    Part 2: Java Settings on PCs

    The next-generation Java Plug-in must be enabled and the security setting must be set to medium for the CCP configuration of IPS. To support CCP configuration of IPS and set the Java heap to 256 MB, the PC should be running Java JRE version 6 or newer. This is done using the runtime parameter -Xmx256m. The latest JRE for Windows can be downloaded from Oracle Corporation at http://www.oracle.com/.

    Note: CCP is no longer used with CCNASv2 labs.

    g. Enable the next-generation Java Plug-in.

    a. Open the Control Panel, and select Java to access the Java Control Panel.

    b. In the Java Control Panel, click the Advanced tab.

    c. Locate the heading Java Plug-in. Select the checkbox to Enable the next-generation Plug-in. A browser restart is required.

    d. Click Apply.

    e. Click Yes to allow the changes. Click OK to acknowledge the changes.

    h. Change the Java security settings.

    f. Click the Security tab.

    g. Change the Security Level to Medium by moving the slider.

    h. Click Apply.


    i. Change the Java Applet Runtime settings.

    i. Click the Java tab and then the View button to change the Java Applet Runtime Settings.

    j. Double-click the Runtime Parameters box. Type -Xmx256m in the box.

    k. Click OK. Click OK again to exit the Java Control Panel.

    j. Restart all web browsers, including CCP if it opened, in order for the changes to take effect.

    Step 1: Access a Cisco Router Using a Mini-USB Console Cable

    If you are using a Cisco 1941 router or other Cisco IOS devices with a mini-USB console port, you can access the device console port using a mini-USB cable connected to the USB port on your computer.

    Note: The mini-USB console cable is the same type of mini-USB cable used with other electronics devices, such as USB hard drives, USB printers, or USB hubs. These mini-USB cables can be purchased through Cisco Systems, Inc. or other third-party vendors. Please verify that you are using a mini-USB cable, not a micro-USB cable, to connect to the mini-USB console port on a Cisco IOS device.

    Note: You must use either the USB port or the RJ-45 port. Do not use them simultaneously. When the USB port is used, it takes priority over the RJ-45 console port.

    k. Set up the physical connection with a mini-USB cable.

    l. Connect the mini-USB cable to the mini-USB console port of the router.

    m. Connect the other cable end to a USB port on the computer.


    n. Turn on the Cisco router and computer.

    l. Verify that the USB console is ready.

    If you are using a please install the Cisco USB console driver. A USB driver must be installed prior to being used on a the folder contains instructions for installation, removal, and the required drivers for different operating systems and architectures. Please choose the appropriate version for your system.

    When the LED indicator for the USB console port has turned green, the USB console port is ready for access.

    m. Enable the COM port for the Windows 7 PC.

    If you are using a you may need to perform the following steps to enable the COM port:


    o. Click the Windows Start icon to access the Control Panel.

    p. Open the Device Manager.

    q. Click the Ports (COM & LPT) tree link to expand it. Right-click the USB Serial Port icon and choose Update Driver Software.

    r. Choose Browse my computer for driver software.

    s. Choose Let me pick from a list of device drivers on my computer and click Next.


    t. Choose the Cisco Serial driver and click Next.


    u. The device driver is installed successfully. Take note of the assigned port number listed at the top of the window. In this sample, COM 5 is used for communication with the router. Click Close.

    v. Open Tera Term. Click the Serial radio button and choose Port COM5: Cisco Serial (COM 5). This port should now be available for communication with the router. Click OK.

    Part 2: Download and Install the AnyConnect Client Software Packages

    Updated versions of Cisco's AnyConnect Client software packages can be downloaded from Cisco.com. It is recommended that AnyConnect Secure

    ASA 5505 for CCNAS. This release of the AnyConnect Secure connect to the www.cisco.com and log in.

    x. Click Support > Security (VPN, Firewall > AnyConnect VPN Client.

    y. From the Cisco AnyConnect VPN Client screen, click Download Software.

    z. From the Download Software - Select a Product screen, click AnyConnect Secure Mobility Client.


    aa. Click AnyConnect Security Mobility Client v4.x.

    ab. Use the scroll bar in the Download Software - AnyConnect Secure


    b. Upload the AnyConnect Secure Mobility Client to the ASA 5505.

    ac. After the anyconnect-win-4.1.00028-k9.pkg has been downloaded, connect the PC to the ASA 5505 E0/1 interface and assign it a static IP address of 192.168.1.3 with a subnet mask of 255.255.255.0.

    Note: This PC will also need TFTP software installed. Tftpd32.exe is used for this example.

    ad. Configure the ASA's VLAN 1 with an IP address of 192.168.1.1, a subnet mask of 255.255.255.0, and the nameif to inside.

    ciscoasa(config)# int vlan 1

    ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

    ciscoasa(config-if)# nameif inside

    INFO: Security level for "inside" set to 100 by default.

    ciscoasa(config-if)# no shut

    ae. Activate interface E0/0.

    ciscoasa(config-if)# int e0/1

    ciscoasa(config-if)# no shut

    ciscoasa(config-if)# end

    af. Start the Tftpd32 software and verify that the anyconnect-win-4.1.00028-k9.pkg file is located in the default directory.

    ag. From the CLI on the ASA, issue the copy tftp://192.168.1.3/anyconnect-win-4.1.00028-k9.pkg flash: command.

    ciscoasa# copy tftp://192.168.1.3/anyconnect-win-4.1.00028-k9.pkg flash:

    Address or name of remote host [192.168.1.3]?


    Source filename [anyconnect-win-4.1.00028-k9.pkg]?

    Destination filename [anyconnect-win-4.1.00028-k9.pkg]?

    Accessing tftp://192.168.1.3/anyconnect-win-4.1.00028-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    <Output Omitted>

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Writing file disk0:/anyconnect-win-4.1.00028-k9.pkg...

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    <Output Omitted>

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    16932458 bytes copied in 60.160 secs (282207 bytes/sec)

    ciscoasa#

    ah. Issue the show flash command on the ASA to verify that the file has been uploaded to flash.

    ciscoasa# show flash

    --#--  --length--  -----date/time------  path

       54  30468096    Feb 13 2015 15:09:42  asa923-k8.bin

       19  2048        May 13 2015 18:42:24  crypto_archive

       20  2048        May 13 2015 18:42:54  coredumpinfo

       21  59          May 13 2015 18:42:54  coredumpinfo/coredump.cfg

       10  2048        Aug 29 2011 13:59:36  log

        5  26350916    Mar 26 2015 14:20:14  asdm-741.bin

       62  12998641    Aug 29 2011 14:04:10  csd_3.5.2008-k9.pkg

       63  2048        Aug 29 2011 14:04:12  sdesktop

       86  0           Aug 29 2011 14:04:12  sdesktop/data.xml

       64  4678691     Apr 16 2015 16:10:22  anyconnect-win-2.5.2014-k9.pkg

       65  6487517     Apr 16 2015 16:11:26  anyconnect-macosx-i386-2.5.2014-k9.pkg

       66  6689498     Apr 16 2015 16:12:18  anyconnect-linux-2.5.2014-k9.pkg

       68  16932458    May 21 2015 22:23:05  anyconnect-win-4.1.00028-k9.pkg

    128573440 bytes total (23339008 bytes free)

    ciscoasa#
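
    The check in steps ag and ah can be scripted against saved console output. The following is an added example, not part of the original lab: it parses a show flash listing and the copy summary line and confirms the uploaded package is present with the same byte count. The sample text is constructed in the shape of the output above, and the function names are hypothetical.

```python
import re

# Constructed sample: output shaped like the ASA "show flash" listing and the
# TFTP copy summary shown in this lab (trimmed to three entries).
SHOW_FLASH = """\
--#--  --length--  -----date/time------  path
   19  2048        May 13 2015 18:42:24  crypto_archive
   21  59          May 13 2015 18:42:54  coredumpinfo/coredump.cfg
   68  16932458    May 21 2015 22:23:05  anyconnect-win-4.1.00028-k9.pkg
"""
COPY_SUMMARY = "16932458 bytes copied in 60.160 secs (282207 bytes/sec)"

# One file row: index, length, "Mon DD YYYY HH:MM:SS", path.
ROW = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<length>\d+)\s+"
    r"(?P<date>\w{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s+(?P<path>\S+)\s*$"
)

def parse_show_flash(text):
    """Return {path: length_in_bytes} for every file row in the listing."""
    files = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, totals and blank lines do not match and are skipped
            files[m.group("path")] = int(m.group("length"))
    return files

def bytes_copied(summary):
    """Extract the byte count from the 'N bytes copied in ...' line."""
    m = re.search(r"(\d+)\s+bytes copied", summary)
    if not m:
        raise ValueError("no 'bytes copied' line found")
    return int(m.group(1))

def check_upload(flash_text, summary, filename, local_size=None):
    """Return a list of problems; an empty list means the sizes agree."""
    files = parse_show_flash(flash_text)
    if filename not in files:
        return [f"{filename} is not present in flash"]
    problems = []
    copied = bytes_copied(summary)
    if files[filename] != copied:
        problems.append(f"flash has {files[filename]} bytes, copy reported {copied}")
    if local_size is not None and files[filename] != local_size:
        problems.append(f"flash has {files[filename]} bytes, source file is {local_size}")
    return problems

if __name__ == "__main__":
    name = "anyconnect-win-4.1.00028-k9.pkg"
    print(check_upload(SHOW_FLASH, COPY_SUMMARY, name) or "OK")
```

    A matching size only shows that the transfer completed. TFTP provides no integrity protection or authentication, so comparing a cryptographic hash of the file in flash with the one published alongside the download is the stronger check.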


    Router Interface Summary Table

    Router Interface Summary

    Router Model  Ethernet Interface #1         Ethernet Interface #2         Serial Interface #1    Serial Interface #2
    1800          Fast Ethernet 0/0 (F0/0)      Fast Ethernet 0/1 (F0/1)      Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
    1900          Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
    2801          Fast Ethernet 0/0 (F0/0)      Fast Ethernet 0/1 (F0/1)      Serial 0/1/0 (S0/1/0)  Serial 0/1/1 (S0/1/1)
    2811          Fast Ethernet 0/0 (F0/0)      Fast Ethernet 0/1 (F0/1)      Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
    2900          Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)

    Note: To find out how the router is configured, look at the interfaces, identify the type of router used, and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
