CCNA 4 Accessing the WAN: Lab Manual (Instructor Version)
To apply simple encryption to the passwords, enter the following command in global configuration mode:

R1(config)# service password-encryption

Verify this with the show run command:

R1# show run
service password-encryption
!

Step 2: Secure the console and VTY lines.

You can cause the router to log out a line that has been idle for a specified time. If a network engineer was logged into a networking device and was suddenly called away, this command automatically logs the user out after the specified time.

The following commands cause the line to log out after 5 minutes. The router blocks login attempts for 5 minutes if someone fails five attempts within 2 minutes.

This is set especially low for the purpose of this lab. An additional measure is to log each time this happens.

R1(config)# login block-for attempt 2 within
R1(config)# security authentication failure rate 5 log

To verify this, attempt to connect to R1 from R2 via Telnet with an incorrect username and password.

On R2:

R2# telnet

Is this the most desirable setup? This is not secure, because it gives away information about the network structure. The first step in hacking a network is network reconnaissance, in which the attacker tries to map out the existing network before deciding how to attack it.

The passive-interface command prevents routers from sending routing updates on all interfaces except those interfaces configured to participate in routing updates. This command is issued as part of the RIP configuration. The first command puts all interfaces into passive mode (the interface only receives RIP updates).

The second command returns specific interfaces from passive to active mode (both sending and receiving RIP updates). The next step is to password-protect RIP updates. To do this, you must first configure a key to use. These will be the same interfaces that were enabled using the no passive-interface command earlier. You can verify this on R1 using the show ip route command and confirming that no routes from R2 appear in the routing table.

Remember that each active interface must be configured. After all three routers have been configured to use routing authentication, the routing tables should repopulate with all RIP routes. R1 should now have all the routes via RIP. Confirm this with the show ip route command.

SNMP logging can be useful in monitoring network activity. The captured information can be sent to a syslog server on the network, where it can be analyzed and archived.

You should be careful when configuring syslog logging on the router. When choosing the designated log host, remember that the log host should be connected to a trusted or protected network, or to an isolated and dedicated router interface.

In this lab, you will configure PC1 as the syslog server for R1. In this example, the IP address of PC1 is used.

R1(config)# logging

In the next step, you will define the level of severity for messages to be sent to the syslog server.

The level of SNMP messages can be adjusted to allow the administrator to determine what kinds of messages are sent to the syslog device. Routers support different levels of logging. The eight levels range from 0 (emergencies), indicating that the system is unstable, to 7 (debugging), which sends messages that include router information. To configure the severity levels, use the keyword associated with the level, as shown in the table.

Severity Level   Keyword         Description
0                emergencies     System unusable
1                alerts          Immediate action required
2                critical        Critical conditions
3                errors          Error conditions
4                warnings        Warning conditions
5                notifications   Normal but significant condition
6                informational   Informational messages
7                debugging       Debugging messages

The logging trap command sets the severity level.

The severity level includes the level specified and anything below it severity-wise. Set R1 to level 4 to capture messages with severity level 4, 5, 6, and 7.

R1(config)# logging trap warnings

What is the danger of setting the level of severity too high or too low?

If the level is set too high, important messages are harder to find among less useful messages, and the volume of messages can cause network congestion. If the level is set too low, not enough information is provided when attempting to identify a problem.

Note: If you installed syslog software on PC1, generate some log messages and look at the syslog software to see them.

Why should you disable unused interfaces on network devices?

Disabling these interfaces prevents them from being used for man-in-the-middle attacks or DHCP spoofing. All other interfaces on R1 should be administratively shut down using the shutdown interface configuration command. Interfaces manually shut down are listed as administratively down.

Many services are not needed in most modern networks. Leaving unused services enabled leaves ports open that can be used to compromise a network.

Disable each of these services on R1. These commands are entered at the interface level and should be applied to every interface on R1.

R1(config-if)# no ip redirects
R1(config-if)# no ip proxy-arp
R1(config-if)# no ip unreachables
R1(config-if)# no ip directed-broadcast
R1(config-if)# no ip mask-reply
R1(config-if)# no mop enabled

What kind of attack does disabling IP redirects, IP unreachables, and IP directed broadcasts mitigate?

Disabling these services reduces the information received by such attempts.

Step 4: Use AutoSecure to secure a Cisco router.

By using a single command in CLI mode, the AutoSecure feature allows you to disable common IP services that can be exploited for network attacks, and to enable IP services and features that can aid in the defense of a network when it is under attack.

AutoSecure simplifies the security configuration of a router and hardens the router configuration. Using the AutoSecure feature, you can apply the same security features that you just applied (except for securing RIP) to a router much faster. Because you have already secured R1, use the auto secure command on R3. All configuration changes will be shown.

For a detailed explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.

At any prompt you may enter '?
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? Yes
Enter domain-name: cisco.

Enabling CEF
This might impact the memory requirements for your platform
Enabling unicast rpf on all interfaces connected to internet
Configure CBAC firewall feature: no
Tcp intercept feature is used prevent tcp syn attack
On the servers in the network.

However, there are advantages to doing it manually, as you will see in the troubleshooting lab. When you use AutoSecure, you may disable a service you need. Always use caution and think about the services that you require before using AutoSecure.

Cisco IOS is the software that routers use to operate. Your router may have enough memory to store multiple Cisco IOS images. It is important to know which files are stored on your router.

Issue the show flash command to view the contents of the flash memory of your router.

Caution: Be very careful when issuing commands that involve the flash memory. Mistyping a command could result in the deletion of the Cisco IOS image. You can use the dir all command to show all files on the router. In this lab, however, we do not use actual Cisco IOS files, because any mistakes made in entering the commands could lead to erasing the Cisco IOS image of the device.

Why is it important to have an updated version of Cisco IOS software?

Having an updated version ensures that the latest security fixes are included in the running Cisco IOS software.

One way to test this is to ping between these devices. This file can be a blank text file, because this step only serves to illustrate the steps involved. Each TFTP program differs in where files are stored.

Consult your TFTP server help file to determine the root folder. From R1, retrieve the file and save it to the flash memory.

R2# copy tftp flash
Address or name of remote host []?
Loading test from

This can be useful if there is a device that needs an image and you have one that is already using that image. Remember that Cisco IOS images are specific to router platforms and memory requirements. Use caution when transferring a Cisco IOS image from one router to another.

The command syntax is:

tftp-server nvram:[filename1 [alias filename2]]

The command below configures R2 as a TFTP server.

R2 supplies its startup config file to devices requesting it via TFTP (we are using the startup config for the sake of simplicity and ease). The alias keyword allows devices to request the file using the alias test instead of the full filename.

R2(config)# tftp-server nvram:startup-config alias test

Now we can request the file from R2 using R1.

R1# copy tftp flash
Address or name of remote host []?

Be very careful when doing this! Accidentally erasing flash memory will mean that you have to re-install the entire IOS image for the router. If the router prompts you to erase flash, something is very wrong. You rarely want to erase the entire flash. Do NOT hit Enter.

Erase flash:?
Delete flash:test?
Delete flash:test-router?

This is an example only. Do not complete this task. Do NOT complete it on your routers. Only read it.

Loading cipbase-mz.

If for some reason you can no longer access a device because you do not know, have lost, or have forgotten a password, you can still gain access by changing the configuration register. The configuration register tells the router which configuration to load on bootup. In the configuration register, you can instruct the router to boot from a blank configuration that is not password protected.

The first step in changing the configuration register is to view the current setting using the show version command.

These steps are performed on R3. The Break key is different on different computers. Frequently, it is in the upper right-hand corner of the keyboard. A break causes the device to enter a mode called ROMmon. This mode does not require the device to have access to a Cisco IOS image file.

R3# reload
Proceed with reload?
Reload Reason: Reload command.
System Bootstrap, Version

This configuration does not have a password configured, but supports Cisco IOS commands.

Change the value of the configuration register to 0x

Step 4: Restore the router.

Now we copy the startup configuration to the running configuration, restore the configuration, and then change the configuration register back to the default 0x

To copy the startup configuration from NVRAM to running memory, type copy startup-config running-config. Be careful! Do not type copy running-config startup-config, or you will erase your startup configuration.

Router# copy startup-config running-config
Destination filename [running-config]?

Most important, you can now see the passwords (enable password, enable secret, VTY, and console passwords) in either an encrypted or unencrypted format. You can reuse unencrypted passwords. You must change encrypted passwords to a new password.

R3# configure terminal
Enter configuration commands, one per line.
R3(config)# enable secret ciscoccna
R3(config)# username ccna password ciscoccna

Issue the no shutdown command on every interface that you want to use.

Every interface that you want to use should display up/up. The configuration register value to use is either the value you recorded in Step 3 or 0x

Save the running configuration.

R3(config)# config-register 0x
R3(config)# end
R3# copy running-config startup-config
Destination filename [startup-config]?

This is why you should always have a backup of all working configurations for devices in a production network. The second drawback is that anyone with physical access to a device can follow these steps and take control of it.

Therefore, physical security for network devices is essential.

Configs for Part 1

R1
!

These directions are not included in the student version of this lab. SDM is faster than typing each command and gives you more control than the AutoSecure feature. Please consult your instructor for directions. Create a username and password on R2.

A new window opens. Make sure that you have all popup blockers turned off in your browser. Also make sure that Java is installed and updated.

Step 2: Navigate to the Security Audit feature.

Click the Configure button in the top left side of the window.

Now navigate down the left panel to Security Audit and click on it.

Step 3: Perform a Security Audit.

This gives a brief explanation of what the Security Audit feature does. Click Next to open the Security Audit Interface configuration window. An interface should be classified as outside (untrusted) if you cannot be sure of the legitimacy of the traffic coming into the interface. After selecting outside and inside interfaces, click Next.

A new window opens indicating that SDM is conducting a security audit. As you can see, the default configuration is not secure. Click the Close button to continue. Click the Fix All button to make all the suggested security changes.

Then click the Next button. Enter a banner message to use as the message of the day for the router, and then click Next. Next, set the level of severity of log traps that you want the router to send to the syslog server. The severity level is set to debugging for this scenario.

Click Next to view a summary of the changes about to be made to the router. After reviewing the changes about to be committed, click Finish.

You will then install the SDM application locally on a host computer. Finally, you will install SDM onto the flash memory of a router.

Step 1: Preparation

Start this lab by erasing any previous configurations and reloading your devices. Once your devices are reloaded, set the appropriate hostnames.

Ensure that the switch is set up so that both the router and host are in the same VLAN. By default, all ports on the switch are assigned to VLAN 1.

This login will need to have a privilege level of 15 so that SDM can change configuration settings on the router. If your image supports it (you will need an IOS image that supports crypto functionality), you should also enable secure HTTPS access using the ip http secure-server command.

This is normal. Also, make sure the HTTP server uses the local database for authentication purposes.

Issue "write memory" to save new certificate
R1(config)# ip http authentication local

Finally, configure the virtual terminal lines of the router to authenticate using the local authentication database. Allow virtual terminal input through both Telnet and SSH.

R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input telnet ssh

Step 3: Configure Addressing

Configure the Fast Ethernet interface on the router with the IP address shown in the diagram.

If you have already configured the correct IP address, skip this step. If the PC already has an IP address in the same subnet as the router, you may skip this step. From the PC ping the R1 Ethernet interface. You should receive responses.

If you do not receive a response, troubleshoot by verifying the VLAN of the switchports and the IP address and subnet mask on each of the devices attached to the switch.

You should start by extracting the SDM zip file to a directory on your hard drive. You are almost ready to use SDM to configure the router.

Once the installation wizard screen opens, click Next. Accept the terms of the license agreement, and then click Next. The next screen prompts you to choose from three options for where you want to install SDM. Both installation types are very similar. If you do not want to install SDM to your computer, skip to Step 7.

For now, click This Computer, and then click Next. Use the default destination folder and click Next again. Click Install to begin the installation. The software installs, and then you are prompted with a final dialog box to launch SDM. The SDM Launcher dialog box will open. Then click the Launch button. Note that Internet Explorer may block SDM at first, and you will need to allow it or adjust your Internet Explorer security settings accordingly to use it.

Depending on the version of Internet Explorer you are running, one of these settings is especially important for running SDM locally. It is on the Tools menu, under Internet Options. Click the Advanced tab, and under the Security heading, check "Allow active content to be run in files on My Computer" if it is not already checked.

Enter in the username and password you created earlier. You may be prompted to accept a certificate from this router. Accept the certificate to proceed. After this, give the username and password for the router and click Yes.

If everything was configured correctly, you will be able to access the SDM dashboard. If your configuration here looks correct, it means you have successfully configured and connected to SDM. Your information may vary depending upon which version of SDM you are running. You may notice some messages being logged to the console.

Jan 14

Leave the default installation options checked and click Next. During the installation, more messages may be logged to the console. This installation process takes a little while; look at the timestamps in the console output below to estimate the duration. The time will vary by router model.

Before you do this, go onto the console and issue the show flash: command. Notice all the files that SDM installed to flash. Before the installation, the only file listed was the first file, the IOS image.

When you are prompted to accept the certificate, click Yes. Ignore the security warnings and click Run. Enter the username and password you configured in step 2. SDM will read the configuration off the router.

What you see may differ from what appears in the following figure depending upon router model number, IOS version, and so forth.

Scenario

In this lab, you will configure security using the network shown in the topology diagram.

If you need assistance, refer to the Basic Security lab. For this lab, do not use password protection or login on any console lines because they might cause accidental logout.

However, you should still secure the console line using other means. Create a secure password for router access. Create the username ccna to store locally on the router. Configure the router to use the local authentication database. Remember to use ciscoccna for all passwords in this lab. Configure the console and VTY lines to block a user who enters an incorrect username and password five times within 2 minutes.

Block additional login attempts for 2 minutes.

R2:
R2# telnet

Do not send RIP updates to non-network routers (any router not in this scenario). Authenticate RIP updates and encrypt them.

Step 2: Disable unused global services on R1.

However, R1 will not get the updates unless you set up RIP authentication.

Step 4: Choose settings to apply to the router.

Step 5: Commit the configuration to the router.

Your boss has asked you to correct the errors the new engineer has made configuring the routers. While correcting the problems, make sure that all the devices are secure but are still accessible by administrators, and that all networks are reachable. Verify that a device is secure by using tools such as Telnet and ping. Unauthorized use of these tools should be blocked, but also ensure that authorized use is permitted.

For this lab, do not use login or password protection on any console lines, to prevent accidental lockout. Use ciscoccna for all passwords in this scenario.

Task 1: Load Routers with the Supplied Scripts

Load the following configurations into the devices in the topology. Each line in red is included in the Instructor lab, but is not included in the student lab, and is not loaded into the router at the beginning of this lab.

Lines to be removed are highlighted in yellow. Lines to be added are in red. Use the annotations to assist students to correctly identify answers.

R1:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
Here the policy should!

no shutdown   ! It is a common mistake to forget a no shutdown command!
AutoSecure is used.
router rip    ! RIP interfaces should be set to passive unless otherwise configured.
CDP should be disabled unless needed.
Another case error.

Note: When troubleshooting a production network that is not working, many very small mistakes can prevent everything from working correctly. The first item to check is the spelling and case of all passwords, keychain names and keys, and authentication list names.

It is often a mismatch in case or spelling that causes total failure. The best practice is to start with the most basic and work upward. First ask whether all the names and keys match up. Next, if the configuration uses a list or keychain and so on, check if the item referenced actually exists and is the same on all devices.

Configuring something once on one device and then copying and pasting into the other device is the best way to ensure that the configuration is exactly the same. Next, when thinking about disabling or restricting services, ask what the services are used for and if they are needed. Also ask what information the router should be sending out.

Who should and should not receive that information? Finally, ask what the services enable the users to do, and whether you want them to be able to do that. Generally, if you can think of a way that a service can be abused, you should take steps to prevent that.

Task 3: Document the Corrected Network

R1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service finger
no service udp-small-servers
no service tcp-small-servers
!
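As an added example that is not part of the lab manual, the troubleshooting advice above (names and key chains must match exactly, including case; unneeded services disabled; RIP interfaces passive by default) can be automated over a running-config dump. The config below and the three mistakes planted in it are constructed for illustration, and the audit is Python written for this page, not a Cisco tool.

```python
import re
from typing import Dict, List

# Global hardening lines from the lab (AutoSecure applies a superset of these).
REQUIRED_GLOBAL = ["service password-encryption", "no service tcp-small-servers",
                   "no service udp-small-servers", "no service finger", "no cdp run"]
# Per-interface services the lab disables on every active interface.
REQUIRED_PER_INTERFACE = ["no ip redirects", "no ip proxy-arp",
                          "no ip unreachables", "no ip directed-broadcast"]
SECTION = re.compile(r"^(interface|router|key chain|line) ")

def parse_config(text: str) -> Dict[str, List[str]]:
    """Key "" holds global commands; every other key is a section header with its indented lines."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" "):              # indented: belongs to the open section
            sections[current].append(line)
        elif SECTION.match(line):            # a new section header
            current = line
            sections.setdefault(current, [])
        else:                                # unindented command: back to global scope
            current = ""
            sections[""].append(line)
    return sections

def audit(text: str) -> List[str]:
    """Return one finding per hardening gap or name mismatch; an empty list is clean."""
    cfg = parse_config(text)
    findings = [f"global: missing '{l}'" for l in REQUIRED_GLOBAL if l not in cfg[""]]
    rip = cfg.get("router rip", [])
    if rip and "passive-interface default" not in rip:
        findings.append("router rip: interfaces are not passive by default")
    chains = {h.split(" ", 2)[2] for h in cfg if h.startswith("key chain ")}
    for header, lines in cfg.items():
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        if "shutdown" in lines:
            if any(l.startswith("ip address ") for l in lines):
                findings.append(f"{name}: addressed but shut down (forgotten 'no shutdown'?)")
            continue                         # hardening applies to active interfaces only
        if not name.lower().startswith("loopback"):
            findings += [f"{name}: missing '{l}'" for l in REQUIRED_PER_INTERFACE if l not in lines]
        for line in lines:                   # referenced key chains must exist, case-sensitively
            m = re.match(r"ip rip authentication key-chain (\S+)", line)
            if m and m.group(1) not in chains:
                near = [c for c in chains if c.lower() == m.group(1).lower()]
                why = f"case mismatch with '{near[0]}'" if near else "no such key chain"
                findings.append(f"{name}: key chain '{m.group(1)}' not defined ({why})")
    return findings

# Constructed sample config with three deliberate mistakes (not from the lab manual):
# no "no cdp run", RIP not passive by default, key chain referenced in the wrong case.
SAMPLE_CONFIG = """\
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no service finger
key chain RIP_KEY
 key 1
  key-string ciscoccna
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 ip rip authentication key-chain rip_key
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 shutdown
router rip
 network 10.0.0.0
 no passive-interface Serial0/0/0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```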

You will apply both standard and extended ACLs. On older routers, or versions of the IOS before

R1
hostname R1
!

A typical best practice is to configure a standard ACL as close to the destination as possible. In this task, you are configuring a standard ACL.

The ACL is designed to block traffic from the This ACL will be applied inbound on the R3 serial interface. For this reason, add the permit any statement to the end of the ACL. Connectivity tests should be successful before applying the ACL.

R3(config-std-nacl)# deny

This will allow you to see the access list log messages when the packet is denied. Since the ACL is designed to block traffic with source addresses from the

R1# ping ip
Target IP address:

You see output similar to the following.

Each line of an ACL has an associated counter showing how many packets have matched the rule. Any other hosts, such as those on the Conduct another test from PC1 to PC3 to ensure that this traffic is not blocked. Extended ACLs can filter traffic based on more than just source address.

Extended ACLs can filter on protocol, source, and destination IP addresses, and source and destination port numbers. An additional policy for this network states that devices from the Computers on this LAN are not permitted to access the Internet. Therefore, these users must be blocked from reaching the IP address Because this requirement needs to enforce both source and destination, an extended ACL is needed.

In this task, you are configuring an extended ACL on R1 that blocks traffic originating from any device on the A typical best practice for applying extended ACLs is to place them as close to the source as possible.

Before beginning, verify that you can ping

Step 1: Configure a named extended ACL.

From this prompt, add the necessary statements to block traffic from the Use the host keyword when defining the destination.

R1(config-ext-nacl)# deny ip

Add the permit statement to ensure that other traffic is not blocked. Extended ACLs are typically placed close to the source.

From PC1, ping the loopback interface on R2. These pings should fail, because all traffic from the If the destination is any other address, the pings should succeed. Confirm this by pinging R3 from the Note: The extended ping feature on R1 cannot be used to test this ACL, since the traffic will originate within R1 and will never be tested against the ACL applied to the R1 serial interface.

All other hosts are denied. Verify that you can telnet to R2 from both R1 and R3.

Step 1: Configure the ACL.

Configure a named standard ACL on R2 that permits traffic from Deny all other traffic. Enter line configuration mode for VTY lines 0-4.

R2(config)# line vty 0 4

Use the access-class command to apply the ACL to the VTY lines in the inbound direction. Note that this differs from the command used to apply ACLs to other interfaces. Connection attempts should fail.

R1# telnet

You will be presented with a prompt for the VTY line password.

R3# telnet
User Access Verification
Password:

Why do connection attempts from other networks fail even though they are not specifically listed in the ACL? Any traffic not explicitly permitted is dropped.

Task 6: Troubleshooting ACLs

When an ACL is improperly configured or applied to the wrong interface or in the wrong direction, network traffic may be affected in an undesirable manner.

In an earlier task, you created and applied a named standard ACL on R3. Use the show running-config command to view the ACL and its placement. Recall that this ACL was designed to block all network traffic with a source address from the This time the ACL will be filtering outbound traffic, rather than inbound traffic.

Remember to use the out keyword when applying the ACL. As an alternative, use an extended ping from R1. Notice that this time pings succeed, and the ACL counters are not incremented. Confirm this by issuing the show ip access-list command on R3.

Step 4: Restore the ACL to its original configuration.

Remove the ACL from the outbound direction and reapply it to the inbound direction. Attempt to communicate to any device connected to R2 or R3 from R1 or its attached networks.

Notice that all communication is blocked; however, ACL counters are not incremented. Essentially, this will cause routes from R1 to be removed from the routing table.

Router 2
hostname R2
!

Router 3
hostname R3
!

Note: If you use a , , or router, the router outputs and interface descriptions may appear different.

Task 2: Perform Basic Router Configurations.

R1
hostname R1
no ip domain-lookup
enable secret class
!

R2
hostname R2
enable secret class
no ip domain lookup
!

Deny and log all other connection attempts. Document your testing procedures. These tests should fail. Attempt to telnet to R1 from PC1.

Test should pass. Attempt to telnet to R3 from PC3. Test should pass. The network administrator has noticed that students in these labs are playing games across the WAN with the remote students. Any other traffic should be denied and logged. Note: This may require multiple access lists. Verify your configuration and document your testing procedure. Why is the order of access list statements so important?

If a packet matches a line, the matched action is performed and the lines after it are ignored. Ping from PC1 to PC3. Ping from PC3 to PC1. Both should fail.

Step 2: Test port 80 access. This should be successful. No routes should be lost. Confirm with show ip route.

Step 4: Test ping to R2. Ping to R2 from R1 and PC1.
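As an added example that is not part of the lab manual, a small Python model of how the router walks an ACL: the first matching line decides and its counter is incremented, anything that reaches the end is dropped by the implicit deny (which explains the VTY question above and why a permit any placed first shadows every deny below it). The standard and extended entries, networks and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = (0, 0xFFFFFFFF)               # network 0.0.0.0 with wildcard 255.255.255.255

@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches every protocol (standard ACLs use it)
    src: Tuple[int, int]            # (network, wildcard): a set wildcard bit means "don't care"
    dst: Tuple[int, int]            # ANY for a standard ACL, which only looks at the source
    dst_port: Optional[int] = None  # set only by an "eq <port>" clause
    log: bool = False               # trailing "log" keyword, as in the lab's deny statements
    matches: int = 0                # the per-line counter that "show ip access-list" displays

def _addr_spec(tokens: List[str]) -> Tuple[Tuple[int, int], List[str]]:
    """Consume "any", "host A" or "A WILDCARD" and return the spec plus the remaining tokens."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def parse_entry(line: str) -> AclEntry:
    """Parse one line in standard ("deny A W [log]") or extended ("deny ip A W host B") form."""
    action, *rest = line.split()
    if rest[0] in PROTOCOLS:                 # extended: protocol, source, destination
        protocol, rest = rest[0], rest[1:]
        src, rest = _addr_spec(rest)
        dst, rest = _addr_spec(rest)
    else:                                    # standard: source only
        protocol, dst = "ip", ANY
        src, rest = _addr_spec(rest)
    port = None
    if rest[:1] == ["eq"]:
        port, rest = int(rest[1]), rest[2:]
    return AclEntry(action, protocol, src, dst, port, log="log" in rest)

def _in_range(addr: str, spec: Tuple[int, int]) -> bool:
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF            # bits that must match exactly
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

class AccessList:
    def __init__(self, lines: List[str]):
        self.entries = [parse_entry(l) for l in lines]

    def evaluate(self, src: str, dst: str, protocol: str = "ip",
                 dst_port: Optional[int] = None) -> Tuple[str, bool]:
        """Walk the list top to bottom; the first matching line decides and is counted."""
        for e in self.entries:
            if e.protocol != "ip" and e.protocol != protocol:
                continue
            if not (_in_range(src, e.src) and _in_range(dst, e.dst)):
                continue
            if e.dst_port is not None and e.dst_port != dst_port:
                continue
            e.matches += 1
            return e.action, e.log
        return "deny", False                 # implicit deny any: nothing is counted

    def counters(self) -> List[int]:
        return [e.matches for e in self.entries]

def order_matters() -> Tuple[str, str]:
    """Same two lines in both orders; a permit any placed first shadows the deny."""
    pkt = ("192.168.10.10", "209.165.200.225", "icmp")
    deny_first = AccessList(["deny ip 192.168.10.0 0.0.0.255 host 209.165.200.225 log",
                             "permit ip any any"])
    permit_first = AccessList(["permit ip any any",
                               "deny ip 192.168.10.0 0.0.0.255 host 209.165.200.225 log"])
    return deny_first.evaluate(*pkt)[0], permit_first.evaluate(*pkt)[0]
```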

Ping to R2 from R3 and PC3. Both should succeed.

Step 5: Perform other ping tests to confirm that all other traffic is denied.

R3
hostname R3
!

Task 7: Clean Up

Erase the configurations and reload the routers.

Your department has been asked to examine the configuration, conduct tests, and change the configuration as necessary to secure the customer routers.

Log any attempts by other devices to access the VTY lines. All other traffic should be allowed to and from R1 and R3. A minimum of ACL statements should be used and applied inbound on the R2 serial interfaces. OSPF is used to distribute routing information. All passwords, except the enable secret password, are set to cisco. The enable secret password is set to class.

Task 1: Load Routers with the Supplied Scripts

[Instructor note: These commands can be loaded into the router by the instructor or by the students.

They are not included in the student version of the lab.]

Document the steps you used to troubleshoot the network and note each error found.

R2
hostname R2
enable secret class
!

R3
hostname R3
enable secret class
no ip domain lookup
!

One router is the DHCP server.

The other router forwards DHCP requests to the server. When you have completed the configurations, verify the connectivity between the inside and outside addresses.

Note: If you use a , , or series router, the router outputs and interface descriptions may look different. On older routers some commands may be different, or may not exist.

Step 2: Clear all existing configurations on the routers.

Do not advertise the

Note: Instead of attaching a server to R2, you can configure a loopback interface on R2 to use the IP address If you do this, you do not need to configure the Fast Ethernet interface.

You may also allow the class to make "pod-only" reservations using the pod types listed above. To enable pod-only reservations, check the box in the class settings for the appropriate pod type. Options include:. These reservations are not tied to specific lab exercises. Therefore, the pod will be configured using the default network configuration.

Please note, however, that not all CCNA labs use the default network configuration; those must be completed by selecting the correct lab exercise (see the following discussion). Always select the correct lab exercise for the lab being performed. Students or teams should schedule the correct lab exercise from the catalog. A lab that works on different pod types may appear more than once if your system is so equipped.

Instructors should select the correct lab from the Exercise tab during instructor-led lab reservations. This can be done as many times as needed during the reservation. Importance of Choosing the Correct Lab Exercise.