This post is about the CCNA Security Packet Tracer Skills Based Assessment Practice. I would like to share with all of you the answers, or solution, for this CCNA Security SBA. This CCNA Security SBA Practice was contributed by Viktorcsn with a 100% solution. I hope that, with the answers for the CCNA Security SBA provided, it will be a guideline for all of us to understand this CCNA Security practice better. Below are the questions and answers for the CCNA Security Packet Tracer SBA Practice.
In this practice Packet Tracer Skills Based Assessment, you will:
- configure basic device hardening and secure network management
- configure a CBAC firewall to implement security policies
- configure devices to protect against STP attacks and to enable broadcast storm control
- configure port security and disable unused switch ports
- configure an IOS IPS
- configure a ZPF to implement security policies
- configure a site-to-site IPsec VPN
Addressing Table
Device | Interface | IP Address | Subnet Mask | Gateway | DNS server
Internet | S0/0/0 | 209.165.200.225 | 255.255.255.252 | n/a | n/a
Internet | S0/0/1 | 192.31.7.1 | 255.255.255.252 | n/a | n/a
Internet | S0/1/0 | 198.133.219.1 | 255.255.255.252 | n/a | n/a
Internet | Fa0/0 | 192.135.250.1 | 255.255.255.0 | n/a | n/a
CORP | S0/0/0 | 209.165.200.226 | 255.255.255.252 | n/a | n/a
CORP | Fa0/0 | 10.1.1.254 | 255.255.255.0 | n/a | n/a
CORP | Fa0/1.10 | 172.16.10.254 | 255.255.255.0 | n/a | n/a
CORP | Fa0/1.25 | 172.16.25.254 | 255.255.255.0 | n/a | n/a
CORP | Fa0/1.99 | 172.16.99.254 | 255.255.255.0 | n/a | n/a
Branch | S0/0/0 | 198.133.219.2 | 255.255.255.252 | n/a | n/a
Branch | Fa0/0 | 198.133.219.62 | 255.255.255.224 | n/a | n/a
External | S0/0/0 | 192.31.7.2 | 255.255.255.252 | n/a | n/a
External | Fa0/0 | 192.31.7.62 | 255.255.255.224 | n/a | n/a
Public Svr | NIC | 192.135.250.5 | 255.255.255.0 | 192.135.250.1 | n/a
External Web Svr | NIC | 192.31.7.35 | 255.255.255.224 | 192.31.7.62 | 192.135.250.5
External PC | NIC | 192.31.7.33 | 255.255.255.224 | 192.31.7.62 | 192.135.250.5
NTP/Syslog Svr | NIC | 172.16.25.2 | 255.255.255.0 | 172.16.25.254 | 10.1.1.5
DMZ DNS Svr | NIC | 10.1.1.5 | 255.255.255.0 | 10.1.1.254 | 192.135.250.5
DMZ Web Svr | NIC | 10.1.1.2 | 255.255.255.0 | 10.1.1.254 | 10.1.1.5
PC0 | NIC | 172.16.10.5 | 255.255.255.0 | 172.16.10.254 | 10.1.1.5
PC1 | NIC | 172.16.10.10 | 255.255.255.0 | 172.16.10.254 | 10.1.1.5
Net Admin | NIC | 172.16.25.5 | 255.255.255.0 | 172.16.25.254 | 10.1.1.5
Admin PC | NIC | 198.133.219.35 | 255.255.255.224 | 198.133.219.62 | 192.135.250.5
PCB1 | NIC | 198.133.219.40 | 255.255.255.224 | 198.133.219.62 | 192.135.250.5
Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.
Step 1: Configure Basic Device Hardening for the CORP Router.
a. Configure the CORP router to only accept passwords with a minimum length of 10 characters.
CORP(config)# security passwords min-length 10
b. Configure an encrypted privileged level password of ciscoclass.
CORP(config)# enable secret ciscoclass
c. Enable password encryption for all clear text passwords in the configuration file.
CORP(config)# service password-encryption
d. Configure the console port and all vty lines with the following requirements:
Note: CORP is already configured with the username CORPADMIN and the secret password ciscoccnas.
- use the local database for login
- disconnect after being idle for 20 minutes.
CORP(config)# line console 0
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 0 4
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 5 15
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
e. Disable the CDP protocol only on the link to the Internet router.
CORP(config)# interface s0/0/0
CORP(config-if)# no cdp enable
Step 2: Configure Secure Network Management for the CORP Router.
a. Enable the CORP router:
- as an NTP client to the NTP/Syslog server
- to update the router calendar (hardware clock) from the NTP time source
- to timestamp log messages
- to send logging messages to the NTP/Syslog server
CORP(config)# ntp server 172.16.25.2
CORP(config)# ntp update-calendar
CORP(config)# service timestamps log datetime msec
CORP(config)# logging host 172.16.25.2
b. Configure the CORP router to accept SSH connections. Use the following guidelines:
- Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess.
- domain name is theccnas.com
- RSA encryption key pair using a modulus of 1024
- SSH version 2, timeout of 90 seconds, and 2 authentication retries
- all vty lines accept only SSH connections
CORP(config)# ip domain-name theccnas.com
CORP(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
CORP(config)# ip ssh version 2
CORP(config)# ip ssh time-out 90
CORP(config)# ip ssh authentication-retries 2
CORP(config)# line vty 0 4
CORP(config-line)# transport input ssh
CORP(config-line)# line vty 5 15
CORP(config-line)# transport input ssh
CORP(config-line)# exit
c. Configure the CORP router with AAA authentication and verify its functionality:
- AAA authentication using the local database as the default for console line and vty lines access
CORP(config)# aaa new-model
CORP(config)# aaa authentication login default local
CORP(config)# aaa authorization exec default local
CORP(config)# line vty 0 4
CORP(config-line)# login authentication default
CORP(config-line)# line vty 5 15
CORP(config-line)# login authentication default
CORP(config-line)# line con 0
CORP(config-line)# login authentication default
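The hardening and SSH settings from Steps 1 and 2 can be checked offline against a saved running-config. The following Python audit is an added example, not part of the SBA or of Packet Tracer; its embedded config is constructed to resemble CORP after these steps (values taken from the steps, interface and line names assumed) and deliberately leaves vty 5 15 accepting Telnet so the audit has something to report.

```python
"""Offline audit of a CORP running-config against Steps 1 and 2.

Added example, not part of the SBA. SAMPLE_CONFIG is constructed: the
values come from the steps (min-length 10, 20-minute timeout, SSHv2,
no CDP on S0/0/0); vty 5 15 is left accepting Telnet on purpose.
"""
import re

SAMPLE_CONFIG = """\
hostname CORP
security passwords min-length 10
service password-encryption
service timestamps log datetime msec
aaa new-model
aaa authentication login default local
ip domain-name theccnas.com
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
ntp server 172.16.25.2
logging host 172.16.25.2
interface Serial0/0/0
 ip address 209.165.200.226 255.255.255.252
 no cdp enable
line con 0
 exec-timeout 20 0
 login authentication default
line vty 0 4
 exec-timeout 20 0
 login authentication default
 transport input ssh
line vty 5 15
 exec-timeout 20 0
 login authentication default
 transport input telnet ssh
"""

# Global commands required by Steps 1c, 2a, 2b and 2c.
REQUIRED_GLOBALS = (
    "service password-encryption",
    "service timestamps log datetime msec",
    "aaa new-model",
    "aaa authentication login default local",
    "ip ssh version 2",
)


def parse_sections(config):
    """Split an IOS config into top-level commands and a map of
    section header (interface/line) -> its indented sub-commands."""
    top_level, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top_level.append(current)
            sections[current] = []
    return top_level, sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    top_level, sections = parse_sections(config)
    findings = []

    # Step 1a: minimum password length of 10 characters.
    min_len = 0
    for cmd in top_level:
        m = re.fullmatch(r"security passwords min-length (\d+)", cmd)
        if m:
            min_len = int(m.group(1))
    if min_len < 10:
        findings.append("password min-length is below 10")

    for required in REQUIRED_GLOBALS:
        if required not in top_level:
            findings.append(f"missing global command: {required}")

    # Steps 1d and 2b: every console/vty line needs local or AAA login,
    # an idle timeout of at most 20 minutes, and SSH-only vty transport.
    for header, cmds in sections.items():
        if not header.startswith("line "):
            continue
        if not any(c in ("login local", "login authentication default") for c in cmds):
            findings.append(f"{header}: no local/AAA login")
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        minutes = int(timeout.split()[1]) if timeout else None
        # 'exec-timeout 0 0' disables the idle timeout, so 0 is also a finding.
        if minutes is None or minutes == 0 or minutes > 20:
            findings.append(f"{header}: exec-timeout is not 1-20 minutes")
        if header.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{header}: vty accepts a transport other than SSH")

    # Step 1e: CDP disabled on the Internet-facing link.
    if "no cdp enable" not in sections.get("interface Serial0/0/0", []):
        findings.append("interface Serial0/0/0: CDP still enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```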
Step 3: Configure Device Hardening for Switch1.
a. Access Switch1 with username CORPADMIN, password ciscoccnas, and the enable secret password of ciscoclass.
b. Enable storm control for broadcasts on FastEthernet 0/24 with a 50 percent rising suppression level.
SW1(config)# interface fa0/24
SW1(config-if)# storm-control broadcast level 50
c. Configure Switch1 to protect against STP attacks.
- Configure PortFast on FastEthernet ports 0/1 to 0/23.
- Enable BPDU guard on FastEthernet ports 0/1 to 0/23.
SW1(config)# interface range fa0/1-23
SW1(config-if-range)# spanning-tree portfast
SW1(config-if-range)# spanning-tree bpduguard enable
d. Configure port security and disable unused ports.
- Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/23. Allow the MAC addresses to be learned dynamically and shut down the port if a violation occurs.
SW1(config)# interface range fa0/1-23
SW1(config-if-range)# switchport port-security
SW1(config-if-range)# switchport port-security maximum 2
SW1(config-if-range)# switchport port-security violation shutdown
SW1(config-if-range)# switchport port-security mac-address sticky
- Disable unused ports (Fa0/2-5, Fa0/7-10, Fa0/13-23).
SW1(config)# interface range fa0/2-5
SW1(config-if-range)# shutdown
SW1(config)# interface range fa0/7-10
SW1(config-if-range)# shutdown
SW1(config)# interface range fa0/13-23
SW1(config-if-range)# shutdown
SW1(config-if-range)# end
SW1# copy running-config startup-config
Step 4: Configure an IOS IPS on the CORP Router.
a. On the CORP router, create a directory in flash named ipsdir.
CORP# mkdir ipsdir
b. Configure the IPS signature storage location to be flash:ipsdir.
CORP(config)# ip ips config location flash:ipsdir/ retries 1
c. Create an IPS rule named corpips.
CORP(config)# ip ips name corpips
d. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.
CORP(config)# ip ips signature-category
CORP(config-ips-category)# category all
CORP(config-ips-category-action)# retired true
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# category ios_ips basic
CORP(config-ips-category-action)# retired false
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# exit
Do you want to accept these changes? [confirm] [Enter]
e. Apply the IPS rule to the Fa0/0 interface.
CORP(config)# interface fa0/0
CORP(config-if)# ip ips corpips out
f. Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0); enable the signature; modify the signature event-action to produce an alert and to deny packets that match the signature.
CORP(config)# ip ips signature-definition
CORP(config-sigdef)# signature 2004 0
CORP(config-sigdef-sig)# status
CORP(config-sigdef-sig-status)# retired false
CORP(config-sigdef-sig-status)# enable true
CORP(config-sigdef-sig-status)# exit
CORP(config-sigdef-sig)# engine
CORP(config-sigdef-sig-engine)# event-action produce-alert
CORP(config-sigdef-sig-engine)# event-action deny-packet-inline
CORP(config-sigdef-sig-engine)# exit
CORP(config-sigdef-sig)# exit
CORP(config-sigdef)# exit
CORP(config)# exit
Do you want to accept these changes? [confirm] [Enter]
g. Verify that IPS is working properly. Net Admin in the internal network cannot ping DMZ Web Svr, because the echo request signature (2004/0) now denies ICMP echo requests as they leave Fa0/0 toward the DMZ. DMZ Web Svr, however, can ping Net Admin: its echo requests enter Fa0/0, and the echo replies that leave Fa0/0 do not match the signature.
Step 5: Configure ACLs and CBAC on the CORP Router to Implement the Security Policy.
a. Create ACL 12 to implement the security policy regarding the access to the vty lines:
- Only users connecting from Net Admin and Admin PC are allowed access to the vty lines.
CORP(config)# access-list 12 permit host 172.16.25.5
CORP(config)# access-list 12 permit host 198.133.219.35
CORP(config)# line vty 0 4
CORP(config-line)# access-class 12 in
CORP(config-line)# line vty 5 15
CORP(config-line)# access-class 12 in
b. Create, apply, and verify an extended named ACL (named DMZFIREWALL) to filter incoming traffic to the DMZ. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.):
1. HTTP traffic is allowed to DMZ Web Svr.
2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Svr.
3. All traffic from 172.16.25.0/24 is allowed to enter the DMZ.
4. FTP traffic from the Branch administrator workstation is allowed to DMZ Web Svr.
CORP(config)# ip access-list extended DMZFIREWALL
CORP(config-ext-nacl)# permit tcp any host 10.1.1.2 eq www
CORP(config-ext-nacl)# permit tcp any host 10.1.1.5 eq domain
CORP(config-ext-nacl)# permit udp any host 10.1.1.5 eq domain
CORP(config-ext-nacl)# permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255
CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp
CORP(config-ext-nacl)# exit
CORP(config)# interface fa0/0
CORP(config-if)# ip access-group DMZFIREWALL out
c. To verify the DMZFIREWALL ACL, complete the following tests:
- Admin PC in the branch office can access the URL http://www.theccnas.com;
- Admin PC can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco;
- PCB1 cannot open an FTP session to the DMZ Web Svr.
- Net Admin can open an FTP session to the DMZ Web Svr with the username cisco and the password cisco; and
- PC1 cannot open an FTP session to the DMZ Web Svr.
d. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.):
1. Allow HTTP traffic to the DMZ Web Svr.
2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Svr.
3. Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on the CORP router.
4. Allow IP traffic from the Branch router serial interface into the CORP router serial interface.
5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP site (209.165.200.240/28).
CORP(config)# ip access-list extended INCORP
CORP(config-ext-nacl)# permit tcp any host 209.165.200.241 eq www
CORP(config-ext-nacl)# permit tcp any host 209.165.200.242 eq domain
CORP(config-ext-nacl)# permit udp any host 209.165.200.242 eq domain
CORP(config-ext-nacl)# permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
CORP(config-ext-nacl)# permit ip host 198.133.219.2 host 209.165.200.226
CORP(config-ext-nacl)# permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
CORP(config-ext-nacl)# exit
CORP(config)# interface s0/0/0
CORP(config-if)# ip access-group INCORP in
e. To verify the INCORP ACL, complete the following tests:
- Admin PC in the branch office can access the URL http://www.theccnas.com;
- Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the username SSHAccess and password ciscosshaccess;
- PCB1 cannot establish an SSH connection to the CORP router (209.165.200.226); and
- External PC cannot establish an SSH connection to the CORP router (209.165.200.226).
f. Create and apply a CBAC inspection rule (named INTOCORP) to inspect ICMP, TCP, and UDP traffic between the CORP internal network and any other network.
CORP(config)# ip inspect name INTOCORP icmp
CORP(config)# ip inspect name INTOCORP tcp
CORP(config)# ip inspect name INTOCORP udp
g. Enable CBAC audit messages to be sent to the syslog server.
CORP(config)# ip inspect audit-trail
CORP(config)# interface s0/0/0
CORP(config-if)# ip inspect INTOCORP out
h. Verify the CBAC firewall configuration.
- PC1 can access the External Web Svr (www.externalone.com).
- PC1 can establish an SSH connection to the External router with username SSHadmin and password ciscosshpa55.
- Admin PC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess.
Step 6: Configure a Zone-Based Policy Firewall on the Branch Router.
a. Access the Branch router with username CORPADMIN, password ciscoccnas and the enable secret password of ciscoclass.
b. On the Branch router, create the firewall zones.
- Create an internal zone named BR-IN-ZONE.
- Create an external zone named BR-OUT-ZONE.
Branch(config)# zone security BR-IN-ZONE
Branch(config-sec-zone)# exit
Branch(config)# zone security BR-OUT-ZONE
Branch(config-sec-zone)# exit
c. Define a traffic class and access list.
- Create an ACL (ACL 110) to permit all protocols from the 198.133.219.32/27 network to any destination.
Branch(config)# access-list 110 permit ip 198.133.219.32 0.0.0.31 any
- Create a class map using the option of class map type inspect with the match-all keyword. Match the ACL 110 and name the class map BR-IN-CLASS-MAP.
Branch(config)# class-map type inspect match-all BR-IN-CLASS-MAP
Branch(config-cmap)# match access-group 110
d. Specify firewall policies.
- Create a policy map named BR-IN-OUT-PMAP.
- Use the BR-IN-CLASS-MAP class map.
- Specify the action of inspect for this policy map.
Branch(config)# policy-map type inspect BR-IN-OUT-PMAP
Branch(config-pmap)# class type inspect BR-IN-CLASS-MAP
Branch(config-pmap-c)# inspect
e. Apply the firewall.
- Create a pair of zones named IN-OUT-ZPAIR with the source as BR-IN-ZONE and destination as BR-OUT-ZONE.
Branch(config)# zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE
- Specify the policy map BR-IN-OUT-PMAP for handling the traffic between the two zones.
Branch(config-sec-zone-pair)# service-policy type inspect BR-IN-OUT-PMAP
- Assign interfaces to the appropriate security zones.
Branch(config)# interface fa0/0
Branch(config-if)# zone-member security BR-IN-ZONE
Branch(config-if)# interface s0/0/0
Branch(config-if)# zone-member security BR-OUT-ZONE
f. Verify the ZPF configuration.
- The Admin PC in the Branch office can access the URLs http://www.theccnas.com and http://www.externalone.com.
- The Admin PC in the Branch office can ping the External PC (192.31.7.33).
- External PC cannot ping the Admin PC in the Branch office (198.133.219.35).
- The Admin PC in the Branch office can establish an SSH connection to the CORP router with the username SSHAccess and password ciscosshaccess. If you get the Corp> prompt, then your configuration is correct.
Step 7: Configure a Site-to-Site IPsec VPN between the CORP router and the Branch Router.
The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2 Policy:
ISAKMP Phase 1 Policy Parameters
Parameter | Value
Key Distribution Method | ISAKMP
Encryption Algorithm | AES
Number of Bits | 256
Hash Algorithm | SHA-1
Authentication Method | Pre-share
Key Exchange | DH 2
IKE SA Lifetime | 86400
ISAKMP Key | Vpnpass101

ISAKMP Phase 2 Policy Parameters
Parameters | CORP Router | Branch Router
Transform Set Name | VPN-SET | VPN-SET
Transform Set | esp-3des esp-sha-hmac | esp-3des esp-sha-hmac
Peer Host Name | Branch | CORP
Peer IP Address | 198.133.219.2 | 209.165.200.226
Encrypted Network | 209.165.200.240/28 | 198.133.219.32/27
Crypto Map Name | VPN-MAP | VPN-MAP
SA Establishment | ipsec-isakmp | ipsec-isakmp
a. Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).
CORP(config)# access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
b. Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters Table for the specific details needed.
CORP(config)# crypto isakmp policy 10
CORP(config-isakmp)# encryption aes 256
CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)# group 2
CORP(config-isakmp)# lifetime 86400 (default, optional)
CORP(config-isakmp)# hash sha (default, optional)
CORP(config-isakmp)# exit
CORP(config)# crypto isakmp key Vpnpass101 address 198.133.219.2
c. Configure the ISAKMP Phase 2 properties on the CORP router. Refer to the ISAKMP Phase 2 Policy Parameters Table for the specific details needed.
CORP(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
CORP(config)# crypto map VPN-MAP 10 ipsec-isakmp
CORP(config-crypto-map)# set peer 198.133.219.2
CORP(config-crypto-map)# set transform-set VPN-SET
CORP(config-crypto-map)# match address 120
d. Bind the VPN-MAP crypto map to the outgoing interface.
CORP(config)# interface s0/0/0
CORP(config-if)# crypto map VPN-MAP
CORP(config-if)# end
e. Configure IPsec parameters on the Branch router using the same parameters as on the CORP router. Note that the interesting traffic is the same IP traffic between the two LANs, written from the Branch side, so the source and destination in ACL 120 are reversed relative to the CORP router.
Branch(config)# access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
Branch(config)# crypto isakmp policy 10
Branch(config-isakmp)# encryption aes 256
Branch(config-isakmp)# authentication pre-share
Branch(config-isakmp)# group 2
Branch(config-isakmp)# lifetime 86400 (default, optional)
Branch(config-isakmp)# hash sha (default, optional)
Branch(config-isakmp)# exit
Branch(config)# crypto isakmp key Vpnpass101 address 209.165.200.226
Branch(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
Branch(config)# crypto map VPN-MAP 10 ipsec-isakmp
Branch(config-crypto-map)# set peer 209.165.200.226
Branch(config-crypto-map)# set transform-set VPN-SET
Branch(config-crypto-map)# match address 120
Branch(config-crypto-map)# exit
Branch(config)# interface s0/0/0
Branch(config-if)# crypto map VPN-MAP
Branch(config-if)# end
f. Save the running-config, then reload both CORP and Branch routers.
CORP# copy running-config startup-config
Branch# copy running-config startup-config
g. Verify the VPN configuration by conducting an FTP session with the username cisco and the password cisco from the Admin PC to the DMZ Web Svr. On the Branch router, check that the packets are encrypted. To exit the FTP session, type quit.
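The ACLs written in Step 5 (DMZFIREWALL, INCORP) and Step 7 (the two crypto ACLs 120) can be checked before anything is pushed to a router. The following Python evaluator is an added example, not part of the SBA or of Packet Tracer: it parses the ACE lines exactly as they appear above, applies first-match wildcard semantics with the implicit deny, replays the Step 5c and 5e verification tests using the Addressing Table hosts, and checks that the two crypto ACLs are mirror images (the first thing to verify when Phase 2 never comes up).

```python
"""First-match evaluator for the IOS ACLs written in Steps 5 and 7.

Added example, not part of the SBA. ACE lines are copied from the answer;
host addresses come from the Addressing Table.
"""
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "ssh": 22}


def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def _address_spec(tokens):
    """Consume one spec (any | host A | A WILDCARD); return
    (network, wildcard) as integers plus the remaining tokens."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    return (_to_int(tokens[0]), _to_int(tokens[1])), tokens[2:]


def parse_ace(line):
    """Parse e.g. 'permit tcp any host 10.1.1.2 eq www' into a dict."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _address_spec(rest)
    dst, rest = _address_spec(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_acl(lines):
    return [parse_ace(line) for line in lines]


def _matches(spec, ip):
    """Wildcard match: a 1 bit in the wildcard means 'don't care'."""
    network, wildcard = spec
    return (_to_int(ip) | wildcard) == (network | wildcard)


def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny'; first matching ACE wins, implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_matches(ace["src"], src) and _matches(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


DMZFIREWALL = parse_acl([
    "permit tcp any host 10.1.1.2 eq www",
    "permit tcp any host 10.1.1.5 eq domain",
    "permit udp any host 10.1.1.5 eq domain",
    "permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp",
])
INCORP = parse_acl([
    "permit tcp any host 209.165.200.241 eq www",
    "permit tcp any host 209.165.200.242 eq domain",
    "permit udp any host 209.165.200.242 eq domain",
    "permit tcp host 198.133.219.35 host 209.165.200.226 eq 22",
    "permit ip host 198.133.219.2 host 209.165.200.226",
    "permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15",
])
CORP_ACL120 = parse_acl(["permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31"])
BRANCH_ACL120 = parse_acl(["permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15"])


def dmzfirewall_tests():
    """Step 5c FTP tests (TCP/21) toward DMZ Web Svr 10.1.1.2."""
    return {
        "admin_pc": evaluate(DMZFIREWALL, "tcp", "198.133.219.35", "10.1.1.2", 21),
        "pcb1": evaluate(DMZFIREWALL, "tcp", "198.133.219.40", "10.1.1.2", 21),
        "net_admin": evaluate(DMZFIREWALL, "tcp", "172.16.25.5", "10.1.1.2", 21),
        "pc1": evaluate(DMZFIREWALL, "tcp", "172.16.10.10", "10.1.1.2", 21),
    }


def incorp_tests():
    """Step 5e SSH tests (TCP/22) toward CORP S0/0/0 209.165.200.226."""
    return {
        "admin_pc": evaluate(INCORP, "tcp", "198.133.219.35", "209.165.200.226", 22),
        "pcb1": evaluate(INCORP, "tcp", "198.133.219.40", "209.165.200.226", 22),
        "external_pc": evaluate(INCORP, "tcp", "192.31.7.33", "209.165.200.226", 22),
    }


def is_mirror(acl_a, acl_b):
    """True when every ACE of acl_a appears in acl_b with source and
    destination swapped, which the two peers' crypto ACLs must satisfy."""
    swapped = {(a["proto"], a["dst"], a["src"], a["dport"]) for a in acl_a}
    return swapped == {(b["proto"], b["src"], b["dst"], b["dport"]) for b in acl_b}
```

Note that PCB1 is denied by INCORP even though it sits in 198.133.219.32/27: the last ACE only permits that range to 209.165.200.240/28, and the router's serial address 209.165.200.226 is outside it.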
That's all. I'm not sure which version this Packet Tracer activity is, since it's not mine. This CCNA Security SBA was contributed by Viktorcsn. It is either version 1.0 or version 1.1. However, I noticed that this SBA practice has been published and shared on some websites. I'm not sure if this practice will be helpful to all of you guys, but I am just trying to spread it so that someone in need may get this resource more easily.
So finally, thank you to Viktorcsn for the contribution. If you guys have the latest version of CCNA Security or anything to share that will benefit all of us, please do not hesitate to drop me an email. I hope it will bring success to all of us.
Thank You
I need the pka file!!
Send me an email and I will send you pkt file.
saadraaz at gmail . com
Hi can i get the pkt file for the skill based assessment. my email to your given address was received back as failed. Sorry about that.
([email protected])
Thanks
Thanx for the posting.
Kindly forward copy of the pka (and/or pkt) file to
chessyrealman {/at/}gmail.com
Thanks in advance
can I get a pkt file please?
email: [email protected]
Please, send me .pkt file: [email protected]
I have CCNAS Exam after 20 days
Could you send me pkt file
Thank you
Sorry
email: [email protected]
Could you please send me the .pkt or .pka Packet Tracer activity file to [email protected]
Thanks
Please send the SBA pkt file.
Thank you.
can someone send me the pkt file plz [email protected]
thank u so much
Please send me the pka at [email protected]
Please send me the pka at
[email protected]
send the pka please! and if you have the skills exam pka also 🙂
Hello!
Can you send me the pkt file please? my email address is [email protected]
Thanks!!
Hi, could you pls send me copy of pkt file too? Thanks Rose
Hi, could you pls send me copy of pkt file too?
[email protected]
Thanks Rose
Hi, could somebody please send me copy of pkt file too?
[email protected]
Thanks
Jon
Can you send me this lab? thanks
CCNA Security Packet Tracer Practice SBA << plz can you send the PKT file, thank you
can you please send the PT
I do not have this file anymore, please do not email me for this. Thanks and wish you best of luck.
can I get a pkt file please?
How can i get the .pka File for this test? Thanks a lot!
100% true. Pass yesterday!
Please send me the pka at
[email protected]
verrygood
60%
72%
is it the final skill exam answer?
Please, send me .pkt file: [email protected]
I have CCNAS Exam
Hi, this is rose, could you please send me copy of exam? My final is this Thursday. Thanks Rose
I got 100%! Thanks!
thanks 92%
damn, I got 66%
Please send me this pkt file. Do you have Cisco Network academy ccna security Skill Based Assesment Lab v1.1 ?
Please send me that question along with answer to my email.
Thanks
Can you upload a copy of the CCNA Security 1.1 Hands-on SBA Answer Key as well
hi friends,
i used the inter-vlan in CORP router and trunk with SW1,and i followed the whole steps still no access to DMZ.
plz help
Could you send me the pka/pkt file ?
thanks in advance,
Marcelo
thanks to u,,,
Could you plz send me a pkt file.
Thanks to u,
92%
There are two things wrong
ACL12 line vty must be out
ACL 120 IPsec VPN Configuration INCORRECT
Could you please send me a pkt/pka file copy
of CCNA Security Packet Tracer Practice SBA
Thank you so much ^_^
Regards
can i have the pka file….
~thanx in Advance~
Could you plz send me a pkt file.
thanks
Can I get the pka files for this lab?
Thanks
Can i please get the solution for CCNA Security SBA final solution ?
Please send me the SBA pkt file.
Thank you.
Could you send me the pka or pkt file?
Thanks!
I need the pka file!! please send me [email protected]
Could you send me the pkt or pka file ?
Thanks
where can get the pka file ?
Could you send me the pkt file ? – thanks! 🙂
Please send me this pkt file.
Thank you.
Hi,
Could you send me the pka/pkt file ?
thanks
Hello!
Can you send me the pkt file, pls?
Thanks in advance 🙂
Please, I need to pka.
Hi!
Please send me this pkt file.
Thanks
Could someone please send me this pka file. Would be very much appreciated!
Thanks in advance 🙂
Missing Items
Configure ZPF
IOS IPS Configuration
Line Timeout
Could you plz send me a pkt file.
fapofa at mail dot com
Any chance I could be sent the PKT please?
yes u may. send to [email protected]
Could you please send the .pka activity to me also?
[email protected]
93%
Thanks, bro!!
Can you send the pka file? I would really appreciate it
[email protected]
Thanks
CORP(config)# aaa new model (false)
CORP(config)# aaa new-model (true)
Hello guys,
You’re awesome! is it possible somebody to send me .pkt or .pka file.
Thanks in advance
[email protected]
Could you send me the file .pka and .pkt for this test?
Hi guys,
Could you send me the .pkt or .pka files too?
crazy_stoyan4o[at]abv.bg
Thanks a lot 🙂
Hi!
Please send me this pkt file. [email protected]
Thanks
Hi,
please, I need your PKA file to train for my CCNA Security certification.
Thx
WOw… 100%….
Thanks a lot, thanks
could you please send em ccna security final .pkt to my email thanks
Please send me the pkt file! I have an exam at school and I need the pkt! Thanks in advance
[email protected]
Please send me the .pkt or .pka as well!
Thanks
[email protected]
Can you please send me the .pkt file
Thanks!
Thanks for this!
Could someone please be so kind as to send me a copy of the .pkt file?
[email protected]
Please, send me .pkt file: [email protected]
thanks
Hi,
please send me your pka file.
My e_mail:[email protected]
Could you please send the pkt file to me?
[email protected]
Thanks a lot!
Could you please send the pkt file to me also?
[email protected]
Thanks
Can you please send me the .pka file. .thanks.
Guys, you don’t need .pka file – if you have access to this site you can just follow the instructions. 😉
100%
it is important to test everything, if you dont test it, PKT wont score it!
Do all the tests, you have to do them for the PKT to score them!
No need to test anything, 100% without any testing.
Hi,
can u send me the both SBA1 and SBA2? .pkt ???
big help.
please email both to [email protected]
thank you, waiting for someone to send
May I have the pkt or pka file file, please ?
Thanks a lot
Here is my email address for the file:
[email protected]
send me the pkt file plzzzzz
[email protected]
Can I get the packet tracer file please. [email protected]
Thanks
can i get the pkt file = [email protected]
Could you please send me the Packet Tracer activity to [email protected]
I have been waiting for more than a week for the Packet Tracer file. Is anyone going to send me that? Is there any admin of this website?
[email protected]
Can I please have a copy of the pka/pkt file? [email protected]. thanks
Could you plz send me a pkt file? bsorin111 at gmail.com
Please send completed .pka to [email protected]
Can you please send me the pkt or pka file?
Thank you. Sam
Could you plz send me a pkt file? [email protected]
Please send completed .pka to
[email protected]
Hi,
Can anyone send the packet tracer file to me plz.
[email protected]
send me the .pkt file pls
[email protected]
thank u
Guys could you please send me the packet tracer activity for the finals. Cheers! 🙂
Please send me the the packet trace file at
[email protected]
thanks a lot.
can someone send me the pkt file plz to [email protected]
thank u so much
send me the pkt file plzzzzz
[email protected]
Hello!!
this is awesome!!
could you send me the pkt file as well??
email: [email protected]
thanks!!!
Can you please send me the .pkt file plz : [email protected]
Thanks for your explanation.
Please, send me the .pkt file: [email protected]
I'll take the CCNAS Exam
Regards
How do you do this one???
Modify the ZPF on R2 to allow incoming isakmp traffic
Step 1. Create an ACL that defines the incoming isakmp and esp traffic
Create an extended, numbered ACL 102 that permit all UDP protocol of isakmp type,
and esp protocol from source 10.0.43.1 to destination 10.0.42.1.
Step 2. Create a class map referencing the isakmp traffic
Create a class map named VPN-OUT-CMAP to match ACL 102.
Step 3. Specify firewall policies
Create a policy map named VPN-2-NET-PMAP to determine what to do with the
matched traffic. Specify a class type of inspect and reference class map VPN-OUT-CMAP.
Specify the action of inspect for this policy map.
Thanks a lot
Can anyone send me the Pka file please.
[email protected]
Someone can send the packet tracer file to me?
[email protected]
please, would you be so kind as to send me the .pka file? thanks a lot 🙂
Hello. I appreciate your useful learning site.
Can you please send me the packet tracer files as needed? Thank you.
hello , can I have the pkt or pka please.I need it for exam 🙂
Can you please send me the Packet Tracer version of the above exam questions?
Thanking you much in advance.
[email protected]
Could you please send me the .pka file for the CCNA Security practical final.
Kindly appreciated, my email is:
[email protected]
thanks
Send my .pka pleased
[email protected]
Thanks
please, would you be so kind as to send me the .pka file? thanks a lot
Could you please send me the .pka file for the CCNA Security practical final.
[email protected]
Can you please send me the Packet Tracer version of the above exam questions?
Thanking you much in advance.
please, would you be so kind as to send me the .pka file? thanks a lot
[email protected]
Could you please send me the pkt files?
Thanks in advance.
Thank you for posting this. I was given 100%.
please, sending practice sba.
thanks
mattcataldi@hotmail. com
Can someone please send me either the PKA or PKT file for the CCNA Security Skills Based Assessment?
venompsx @ softhome .net
Thank you!
Please send me the pka file too.
Thanks!!
[email protected]
Hi Please send me PT for the practical exam. Is there any second version as in CCNA practical or just one version what you show here ?
Thanks a lot and appreciate
Chris
Please send me the pka file, thanks
[email protected]
Can you please send the packet tracer final v1.2? and the theory exam final v1.2?
my email [email protected]
thank you for responding
sent the pka
Can you please send the SBA final v1.2?
thank you for responding
Can you send the pka?
Regards and many thanks.
Can you please send the SBA final v1.2?
Please send me the CCNA Security PTA file.
Can you please send the SBA final v1.2?
thank you for responding
[email protected]
please if you have pkt for 1.1 can you please send it to me
Could you please send me the pkt files?
thank you for responding
Thanks for uploading this! It has been a great help =)
There doesn't seem to be any SBA 1.2 anywhere. Any ideas? I just need step 5 answering, I've done the rest.
Step 5: Configure CORP-ASA to Implement the Security Policy.
a. Access CORP-ASA and enter the privileged mode with the enable password of Ciscoccnas.
b. Configure the domain name as theccnas.com.
c. Configure the inside, outside, and dmz interfaces with the following information
– VLAN 1 – IP address 192.168.1.1/24, nameif inside, security-level 100, assign to E0/1
– VLAN 2 – IP address 209.165.200.253/28, nameif outside, security-level 0, assign to E0/0
– VLAN 3 – IP address 10.1.1.254/24, nameif dmz, security-level 70, assign to E0/2
– Enable interfaces
d. Configure a static default route with the next hop address of the CORP router
e. Configure NAT for both inside and dmz network
– Create an object inside-nat with subnet 192.168.1.0/24 and enable the IP addresses of the hosts in the Internal network to be dynamically translated to access the External network using the outside interface
– Create an object dmz-dns-server to statically translate the DNS server in DMZ to the public IP
– Create an object dmz-web-server to statically translate the web server in DMZ to the public IP
f. Modify the default MPF application inspection global service policy to enable hosts in the Internal network to access the web servers on the Internet
– Create a class inspection_default that matches default-inspection-traffic
– Create a policy-map global_policy and specify the inspect http
– Attach the policy map globally to all interfaces
g. Configure an ACL to allow access to the DMZ servers from the Internet. The ACL will also allow icmp echo-reply traffic from the Internet to enter the CORP-ASA
– Create, apply, and verify an extended named ACL (named OUTSIDE-TO-DMZ) to filter incoming traffic to the CORP-ASA. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.):
1. HTTP traffic is allowed to DMZ Web Svr.
2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Server (two separate ACEs)
3. ICMP Echo-reply traffic is allowed to DMZ
4. FTP traffic from the Branch administrator workstation is allowed to DMZ Web Server.
5. The ACL should contain five ACEs
6. Verify ASA configurations. Both Net Admin PC and DMZ Web Svr can access the website www.externalone.com. Admin PC can access the website www.theccnas.com. Admin PC can also establish an FTP connection to www.theccnas.com, with the username cisco and the password cisco.
Could you please write the exact commands for every step that needs to be changed?
Thank you, that would be appreciated.
Please send me the v1.2 sba! thanks
If anyone has the CCNA Security SBA v1.2, please send it.
Hi,
I have an exam next week. I need a final SBA PT exam for 1.2. Please send me
Thank you in advance
No one is monitoring this site. I’ve been trying to get help with the SBA for v1.2 since Nov 13 and haven’t received any kind of response.
Can anyone help with this?
CCNA Security v1.2 PT Practice SA
A few things to keep in mind while completing this activity:
1. Do not use the browser Back button or close or reload any Exam windows during the exam.
2. Do not close Packet Tracer when you are done. It will close automatically.
3. Click the Submit Assessment button to submit your work.
Introduction
In this practice Packet Tracer Skills Based Assessment, you will do as follows:
• Configure basic device hardening and secure network management
• Configure an ASA firewall to implement security policies
• Configure ACLs to filter network traffic
• Configure devices to protect against STP attacks and to enable broadcast storm control
• Configure port security and disable unused switch ports
• Configure an IOS IPS
• Configure a ZBF to implement security policies
• Configure a site-to-site IPsec VPN
Addressing Table
Device | Interface | IP Address | Subnet Mask | Gateway | DNS server |
Internet | S0/0/0 | 209.165.200.225 | 255.255.255.252 | n/a | n/a |
Internet | S0/0/1 | 192.31.7.1 | 255.255.255.252 | n/a | n/a |
Internet | S0/1/0 | 198.133.219.1 | 255.255.255.252 | n/a | n/a |
Internet | Gi0/0 | 192.135.250.1 | 255.255.255.0 | n/a | n/a |
CORP | S0/0/0 | 209.165.200.226 | 255.255.255.252 | n/a | n/a |
CORP | Gi0/0 | 209.165.200.254 | 255.255.255.240 | n/a | n/a |
CORP-ASA | VLAN 1 | 192.168.1.1 | 255.255.255.0 | n/a | |
CORP-ASA | VLAN 2 | 209.165.200.253 | 255.255.255.240 | n/a | |
CORP-ASA | VLAN 3 | 10.1.1.254 | 255.255.255.0 | n/a | |
Internal | Gi0/0 | 192.168.1.2 | 255.255.255.0 | n/a | |
Internal | Gi0/1.10 | 172.16.10.254 | 255.255.255.0 | n/a | |
Internal | Gi0/1.25 | 172.16.25.254 | 255.255.255.0 | n/a | |
Internal | Gi0/1.99 | 172.16.99.254 | 255.255.255.0 | n/a | |
Branch | S0/0/0 | 198.133.219.2 | 255.255.255.252 | n/a | n/a |
Branch | Gi0/0 | 198.133.219.62 | 255.255.255.224 | n/a | n/a |
External | S0/0/0 | 192.31.7.2 | 255.255.255.252 | n/a | n/a |
External | Gi0/0 | 192.31.7.62 | 255.255.255.224 | n/a | n/a |
Public Svr | NIC | 192.135.250.5 | 255.255.255.0 | 192.135.250.1 | n/a |
External Web Svr | NIC | 192.31.7.35 | 255.255.255.224 | 192.31.7.62 | 192.135.250.5 |
External PC | NIC | 192.31.7.33 | 255.255.255.224 | 192.31.7.62 | 192.135.250.5 |
Internal-DNS Svr | NIC | 172.16.25.2 | 255.255.255.0 | 172.16.25.254 | 10.1.1.5 |
NTP/Syslog Svr | NIC | 209.165.200.252 | 255.255.255.240 | 209.165.200.254 | |
DMZ DNS Svr | NIC | 10.1.1.5 | 255.255.255.0 | 10.1.1.254 | 192.135.250.5 |
DMZ Web Svr | NIC | 10.1.1.2 | 255.255.255.0 | 10.1.1.254 | 10.1.1.5 |
PC0 | NIC | 172.16.10.5 | 255.255.255.0 | 172.16.10.254 | 172.16.25.2 |
PC1 | NIC | 172.16.10.10 | 255.255.255.0 | 172.16.10.254 | 172.16.25.2 |
Net Admin | NIC | 172.16.25.5 | 255.255.255.0 | 172.16.25.254 | 172.16.25.2 |
Admin PC | NIC | 198.133.219.35 | 255.255.255.224 | 198.133.219.62 | 192.135.250.5 |
Note: Appropriate verification procedures should be taken after each configuration task to ensure that it has been properly implemented.
Step 1: Configure Basic Device Hardening for the CORP Router.
a. Configure the CORP router to accept only passwords with a minimum length of 10 characters.
security password min-length 10
b. Configure an encrypted privileged level password of ciscoclass.
enable secret ciscoclass
c. Enable password encryption for all clear text passwords in the configuration file.
service password-encryption
d. Configure the console line and all vty lines 0 to 15 with the following requirements:
Note: CORP is already configured with the username CORPADMIN and the secret password Ciscoccnas.
use the local database for login
disconnect after being idle for 20 minutes
line con 0
login local
exec-timeout 20 0
exit
line vty 0 15
login local
exec-timeout 20 0
exit
e. Disable the CDP protocol only on the link to the Internet router.
interface s0/0/0
no cdp enable
Step 2: Configure Secure Network Management for the CORP Router.
a. Enable the CORP router as follows:
as an NTP client to the NTP/Syslog server
ntp server 209.165.200.252 key 0
to update the router calendar (hardware clock) from the NTP time source
ntp update-calendar
to timestamp log messages
service timestamps log datetime msec
to send logging messages to the NTP/Syslog server
logging host 209.165.200.252
b. Configure the CORP router to accept SSH connections. Use the following guidelines:
Note: CORP is already configured with the username SSHAccess and the secret password ciscosshaccess.
domain name is theccnas.com
ip domain-name theccnas.com
RSA encryption key pair using a modulus of 1024
crypto key generate rsa general-keys modulus 1024
SSH version 2, timeout of 90 seconds, and 2 authentication retries
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
all vty lines accept only SSH connections
line vty 0 15
transport input ssh
c. Configure the CORP router with AAA server-based authentication and verify its functionality:
Note: The AAA server is already configured with RADIUS service, a username CORPSYS and the password LetSysIn. The key for the client to access the AAA server is corpradius.
AAA authentication using the AAA server as the default for console line and vty lines 0 to 4 access. The local database is used as a backup method in case the AAA server cannot be connected.
aaa new-model
! The AAA server address is not given on this page; substitute the address from your topology.
radius-server host <AAA-SERVER-IP> key corpradius
aaa authentication login default group radius local
line con 0
login authentication default
line vty 0 4
login authentication default
exit
Step 3: Configure Device Hardening for Switch1.
a. Access Switch1 with username CORPADMIN, password Ciscoccnas, and the enable secret password of ciscoclass.
b. Enable storm control for broadcasts on GigabitEthernet0/1 with a 50 percent rising suppression level.
interface g0/1
storm-control broadcast level 50
c. Configure Switch1 to protect against STP attacks.
Configure PortFast on Fast Ethernet ports 0/1 to 0/24.
Enable BPDU guard on Fast Ethernet ports 0/1 to 0/24.
interface range fa0/1 - 24
spanning-tree portfast
spanning-tree bpduguard enable
d. Configure port security and disable unused ports.
Set the maximum number of learned MAC addresses to 2 on Fast Ethernet ports 0/1 to 0/24. Allow the MAC address to be learned dynamically and then stored in the running config. Shutdown the port if a violation occurs.
interface range fa0/1 - 24
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
switchport port-security mac-address sticky
Disable unused ports (Fa0/2-4, Fa0/6-10, Fa0/13-24).
interface range fa0/2 - 4
shutdown
interface range fa0/6 - 10
shutdown
interface range fa0/13 - 24
shutdown
end
copy running-config startup-config
Step 4: Configure an IOS IPS on the CORP Router.
Note: On the CORP router, a directory in flash named ipsdir has already been created.
a. Configure the IPS signature storage location to be flash:ipsdir.
mkdir ipsdir
b. Create an IPS rule named corpips.
ip ips config location flash:ipsdir/ retries 1
c. Configure the IOS IPS to use the signature categories. Retire the all signature category and unretire the ios_ips basic category.
ip ips name corpips
ip ips signature-category
category all
retired true
exit
category ios_ips basic
retired false
exit
exit
d. Apply the IPS rule to the Gi0/0 interface outbound.
interface g0/0
ip ips corpips out
exit
e. Modify the ios_ips basic category. Unretire the echo request signature (signature 2004, subsig 0); enable the signature; modify the signature event-action to produce an alert and to deny packets that match the signature.
ip ips signature-definition
signature 2004 0
status
retired false
enabled true
exit
engine
event-action produce-alert
event-action deny-packet-inline
exit
exit
exit
exit
f. Verify that IPS is working properly: the Public DNS/WEB/FTP Svr in the External network cannot ping the AAA server, but the AAA server can ping the Public DNS/WEB/FTP Svr.
Step 5: Configure CORP-ASA to Implement the Security Policy.
a. Access CORP-ASA and enter the privileged mode with the enable password of Ciscoccnas.
b. Configure the domain name as theccnas.com.
c. Configure the inside, outside, and dmz interfaces with the following information
VLAN 1 – IP address 192.168.1.1/24, nameif inside, security-level 100, assign to E0/1
interface vlan 1
ip address 192.168.1.1 255.255.255.0
nameif inside
security-level 100
no shutdown
exit
VLAN 2 – IP address 209.165.200.253/28, nameif outside, security-level 0, assign to E0/0
interface vlan 2
ip address 209.165.200.253 255.255.255.240
nameif outside
security-level 0
no shutdown
exit
VLAN 3 – IP address 10.1.1.254/24, nameif dmz, security-level 70, assign to E0/2
interface vlan 3
no forward interface vlan 1
ip address 10.1.1.254 255.255.255.0
nameif dmz
security-level 70
no shutdown
exit
Enable interfaces
interface e0/1
switchport access vlan 1
no shutdown
exit
interface e0/0
switchport access vlan 2
no shutdown
exit
interface e0/2
switchport access vlan 3
no shutdown
exit
d. Configure a static default route with the next hop address of the CORP router
route outside 0.0.0.0 0.0.0.0 209.165.200.254
e. Configure NAT for both inside and dmz network
Create an object inside-nat with subnet 192.168.1.0/24 and enable the IP addresses of the hosts in the Internal network to be dynamically translated to access the External network using the outside interface
object network inside-nat
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
exit
Create an object dmz-dns-server to statically translate the DNS server in DMZ to the public IP
object network dmz-dns-server
host 10.1.1.5
nat (dmz,outside) static 209.165.200.242
exit
Create an object dmz-web-server to statically translate the web server in DMZ to the public IP
object network dmz-web-server
host 10.1.1.2
nat (dmz,outside) static 209.165.200.241
exit
f. Modify the default MPF application inspection global service policy to enable hosts in the Internal network to access the web servers on the Internet
Create a class inspection_default that matches default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
exit
Create a policy-map global_policy and specify the inspect http
policy-map global_policy
class inspection_default
inspect http
exit
exit
Attach the policy map globally to all interfaces
service-policy global_policy global
g. Configure an ACL to allow access to the DMZ servers from the Internet. The ACL will also allow icmp echo-reply traffic from the Internet to enter the CORP-ASA
Create, apply, and verify an extended named ACL (named OUTSIDE-TO-DMZ) to filter incoming traffic to the CORP-ASA. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.):
1. HTTP traffic is allowed to DMZ Web Svr.
2. DNS traffic (both TCP and UDP) is allowed to DMZ DNS Server (two separate ACEs)
3. ICMP Echo-reply traffic is allowed to DMZ
4. FTP traffic from the Branch administrator workstation is allowed to DMZ Web Server.
5. The ACL should contain five ACEs
6. Verify ASA configurations. Both Net Admin PC and DMZ Web Svr can access the website http://www.externalone.com. Admin PC can access the website http://www.theccnas.com. Admin PC can also establish an FTP connection to http://www.theccnas.com, with the username cisco and the password cisco.
access-list OUTSIDE-TO-DMZ permit tcp any host 10.1.1.2 eq www
access-list OUTSIDE-TO-DMZ permit tcp any host 10.1.1.5 eq domain
access-list OUTSIDE-TO-DMZ permit udp any host 10.1.1.5 eq domain
access-list OUTSIDE-TO-DMZ permit icmp any any echo-reply
access-list OUTSIDE-TO-DMZ permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp
access-group OUTSIDE-TO-DMZ in interface outside
Step 6: Configure ACLs on the CORP Router to Implement the Security Policy.
a. Create ACL 12 to implement the security policy regarding the access to the vty lines so that only users connecting from Net Admin and Admin PC are allowed access to the vty lines.
access-list 12 permit host 172.16.25.5
access-list 12 permit host 198.133.219.35
line vty 0 4
access-class 12 in
line vty 5 15
access-class 12 in
b. Create, apply, and verify an extended named ACL (named INCORP) to control access from the Internet into the CORP router. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.):
1. Allow HTTP traffic to the DMZ Web Server.
2. Allow DNS traffic (both TCP and UDP) to the DMZ DNS Server (two separate ACEs).
3. Allow SSH traffic from the Branch Office administrator workstation to the Serial 0/0/0 interface on the CORP router.
4. Allow IP traffic from the Branch router serial interface into the CORP router serial interface.
5. Allow IP traffic from the Branch Office LAN to the public IP address range that is assigned to the CORP site (209.165.200.240/28).
6. Allow echo-reply and host-unreachable traffic from the Internet
7. Allow return TCP traffic from the Internet with the destination of 209.165.200.240/28
ip access-list extended INCORP
permit tcp any host 209.165.200.241 eq www
permit tcp any host 209.165.200.242 eq domain
permit udp any host 209.165.200.242 eq domain
permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
permit ip host 198.133.219.2 host 209.165.200.226
permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
! items 6 and 7: replies from the Internet (ICMP echo-reply / host-unreachable, return TCP)
permit icmp any any echo-reply
permit icmp any any host-unreachable
permit tcp any 209.165.200.240 0.0.0.15 established
exit
interface s0/0/0
ip access-group INCORP in
exit
! CBAC inspection of sessions leaving S0/0/0, so that their replies are admitted through the inbound ACL
ip inspect name INTOCORP icmp
ip inspect name INTOCORP tcp
ip inspect name INTOCORP udp
ip inspect audit-trail
interface s0/0/0
ip inspect INTOCORP out
c. To verify the INCORP ACL, complete the following tests:
Net Admin PC in the Internal network can access the URL http://www.externalone.com;
Admin PC can establish an SSH connection to the CORP router (209.165.200.226) with the username CORPSYS and password LetSysIn. If the password does not work, you may try the backup username SSHAccess and password ciscosshaccess defined in the local database.
External User cannot establish an SSH connection to the CORP router (209.165.200.226).
Step 7: Configure a Zone-Based Policy Firewall on the Branch Router.
a. Access the Branch router with username CORPADMIN, password Ciscoccnas and the enable secret password of ciscoclass.
b. On the Branch router, create the firewall zones.
Create an internal zone named BR-IN-ZONE.
Zone security BR-IN-ZONE
exit
Create an external zone named BR-OUT-ZONE.
Zone security BR-OUT-ZONE
exit
c. Define a traffic class and access list.
Create an ACL 110 to permit all protocols from the 198.133.219.32/27 network to any destination.
access-list 110 permit ip 198.133.219.32 0.0.0.31 any
Create a class map using the option of class map type inspect with the match-all keyword. Match the ACL 110 and name the class map BR-IN-CLASS-MAP.
class-map type inspect match-all BR-IN-CLASS-MAP
match access-group 110
d. Specify firewall policies.
Create a policy map named BR-IN-OUT-PMAP.
policy-map type inspect BR-IN-OUT-PMAP
Use the BR-IN-CLASS-MAP class map.
class type inspect BR-IN-CLASS-MAP
Specify the action of inspect for this policy map.
inspect
e. Apply the firewall.
Create a pair of zones named IN-OUT-ZPAIR with the source as BR-IN-ZONE and destination as BR-OUT-ZONE.
zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE
Specify the policy map BR-IN-OUT-PMAP for handling the traffic between the two zones.
service-policy type inspect BR-IN-OUT-PMAP
Assign interfaces to the appropriate security zones.
interface g0/0
zone-member security BR-IN-ZONE
interface s0/0/0
zone-member security BR-OUT-ZONE
f. Verify the ZBF configuration.
The Admin PC in the Branch office can access the URLs http://www.theccnas.com and http://www.externalone.com.
The Admin PC in the Branch office can ping the External PC (192.31.7.33).
External User cannot ping the Admin PC in the Branch office (198.133.219.35).
The Admin PC in Branch office can establish an SSH connection to the CORP router with the username CORPSYS and password LetSysIn. If the password does not work, you may try the backup username SSHAccess and password ciscosshaccess defined in the local database.
Step 8: Configure a Site-to-Site IPsec VPN between the CORP router and the Branch Router.
The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2 Policy:
ISAKMP Phase 1 Policy Parameters
Parameter | Value |
Key Distribution Method | ISAKMP |
Encryption Algorithm | AES |
Number of Bits | 256 |
Hash Algorithm | SHA-1 |
Authentication Method | Pre-share |
Key Exchange | DH 2 |
IKE SA Lifetime | 86400 |
ISAKMP Key | Vpnpass101 |
ISAKMP Phase 2 Policy Parameters
Parameter | CORP Router | Branch Router |
Transform Set Name | VPN-SET | VPN-SET |
Transform Set | esp-3des esp-sha-hmac | esp-3des esp-sha-hmac |
Peer Host Name | Branch | CORP |
Peer IP Address | 198.133.219.2 | 209.165.200.226 |
Encrypted Network | 209.165.200.240/28 | 198.133.219.32/27 |
Crypto Map Name | VPN-MAP | VPN-MAP |
SA Establishment | ipsec-isakmp | ipsec-isakmp |
a. Configure an ACL (ACL 120) on the CORP router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).
b. Configure the ISAKMP Phase 1 properties on the CORP router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters Table for the specific details needed.
c. Configure the ISAKMP Phase 2 properties on the CORP router. Refer to the ISAKMP Phase 2 Policy Parameters Table for the specific details needed.
d. Bind the VPN-MAP crypto map to the outgoing interface.
e. Configure IPsec parameters on the Branch router using the same parameters as on the CORP router. Note that interesting traffic is defined as the IP traffic from the two LANs.
f. Verify the VPN configuration. From the Admin PC, establish an FTP session to http://www.theccnas.com, using the username cisco and password cisco. Also on Admin PC, visit the website http://www.theccnas.com. On the Branch or CORP router, check that the packets are encrypted.
CORP:
access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 2
! lifetime 86400 and hash sha are the defaults, so the next two lines are optional
lifetime 86400
hash sha
exit
crypto isakmp key Vpnpass101 address 198.133.219.2
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
set peer 198.133.219.2
set transform-set VPN-SET
match address 120
interface s0/0/0
crypto map VPN-MAP
end
BRANCH:
access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 2
! lifetime 86400 and hash sha are the defaults, so the next two lines are optional
lifetime 86400
hash sha
exit
crypto isakmp key Vpnpass101 address 209.165.200.226
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
set peer 209.165.200.226
set transform-set VPN-SET
match address 120
interface s0/0/0
crypto map VPN-MAP
end
CORP# copy running-config startup-config
Branch# copy running-config startup-config
Send me the email address, I have the solution, it took me three weeks.
Hi DMB, if you would like to share your answer for the new practice with us, you may send it to [email protected]. Thank you
Just sent it to you guys
The addressing you have in the above solution is incorrect, be careful.
Hey there, can I get the pkt file please? Thanks, greatly appreciate it.
Please, I want the .pka file for this assessment, I have an exam tomorrow.
hi DMB
Please send me the solution on my email
I would be thankful to you.
Here is the solution which I did… I got 85%, there is still some error in it.
CORP(config)# security password min-length 10
CORP(config)# enable secret ciscoclass
CORP(config)# service password-encryption
CORP(config)# line console 0
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 0 4
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config-line)# line vty 5 15
CORP(config-line)# login local
CORP(config-line)# exec-timeout 20 0
CORP(config)# interface s0/0/0
CORP(config-if)# no cdp enable
CORP(config)# ntp server 209.165.200.252 key 0
CORP(config)# ntp update-calendar
CORP(config)# service timestamps log datetime msec
CORP(config)# logging host 209.165.200.252
CORP(config)# ip domain-name theccnas.com
CORP(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
CORP(config)# ip ssh version 2
CORP(config)# ip ssh time-out 90
CORP(config)# ip ssh authentication-retries 2
CORP(config)# line vty 0 4
CORP(config-line)# transport input ssh
CORP(config)# line vty 5 15
CORP(config-line)# transport input ssh
CORP(config-line)# exit
CORP(config)# aaa new-model
CORP(config)# radius-server key corpradius
CORP(config)# aaa authentication login default group radius local
CORP(config)# line vty 0 4
CORP(config-line)# login authentication default
CORP(config-line)# line vty 5 15
CORP(config-line)# login authentication default
CORP(config-line)# line con 0
CORP(config-line)# login authentication default
SW1(config)#Int g0/1
SW1(config-if)# storm-control broadcast level 50
SW1(config)# interface range fa0/1-24
SW1(config-if-range)# spanning-tree portfast
SW1(config-if-range)# spanning-tree bpduguard enable
SW1(config)# interface range fa0/1-24
SW1(config-if-range)# switchport port-security
SW1(config-if-range)# switchport port-security maximum 2
SW1(config-if-range)# switchport port-security violation shutdown
SW1(config-if-range)# switchport port-security mac-address sticky
SW1(config)# interface range f0/2-4
SW1(config-if-range)# shutdown
SW1(config)# interface range f0/6-10
SW1(config-if-range)# shutdown
SW1(config)# interface range f0/13-24
SW1(config-if-range)# shutdown
SW1# copy run start
CORP# mkdir ipsdir
CORP(config)# ip ips config location flash:ipsdir/ retries 1
CORP(config)# ip ips name corpips
CORP(config)# ip ips signature-category
CORP(config-ips-category)# category all
CORP(config-ips-category-action)# retired true
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# category ios_ips basic
CORP(config-ips-category-action)# retired false
CORP(config-ips-category-action)# exit
CORP(config-ips-category)# exit
Do you want to accept these changes? [confirm] [Enter]
CORP(config)# interface g0/0
CORP(config-if)# ip ips corpips out
CORP(config)#ip ips signature-definition
CORP(config-sigdef)# signature 2004 0
CORP(config-sigdef-sig)# status
CORP(config-sigdef-sig-status)# retired false
CORP(config-sigdef-sig-status)# enable true
CORP(config-sigdef-sig-status)# exit
CORP(config-sigdef-sig)# engine
CORP(config-sigdef-sig-engine)# event-action produce-alert
CORP(config-sigdef-sig-engine)# event-action deny-packet-inline
CORP(config-sigdef-sig-engine)# exit
CORP(config-sigdef-sig)# exit
CORP(config-sigdef)# exit
CORP(config)# exit
Do you want to accept these changes? [confirm] [Enter]
CORP-ASA(config)# domain-name theccnas.com
CORP-ASA(config)# int vlan 1
CORP-ASA(config-if)#ip add 192.168.1.1 255.255.255.0
CORP-ASA(config-if)#nameif inside
CORP-ASA(config-if)#Security-level 100
CORP-ASA(config-if)# no shut
CORP-ASA(config)# int vlan 2
CORP-ASA(config-if)#Ip add 209.165.200.253 255.255.255.240
CORP-ASA(config-if)#nameif outside
CORP-ASA(config-if)#Security-level 0
CORP-ASA(config-if)# no shut
CORP-ASA(config)# int vlan 3
CORP-ASA(config-if)#no forward int vlan 1
CORP-ASA(config-if)#ip add 10.1.1.254 255.255.255.0
CORP-ASA(config-if)#nameif dmz
CORP-ASA(config-if)#Security-level 70
CORP-ASA(config-if)# no shut
CORP-ASA(config)# int e0/1
CORP-ASA(config-if)# switchport access vlan 1
CORP-ASA(config-if)# no shutdown
CORP-ASA(config)# int e0/0
CORP-ASA(config-if)# switchport access vlan 2
CORP-ASA(config-if)# no shutdown
CORP-ASA(config)# int e0/2
CORP-ASA(config-if)# switchport access vlan 3
CORP-ASA(config-if)# no shutdown
CORP-ASA(config)# route outside 0.0.0.0 0.0.0.0 209.165.200.254
CORP-ASA(config)# object network inside-nat
CORP-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CORP-ASA(config-network-object)#nat (inside,outside) dynamic interface
CORP-ASA(config)# object network dmz-dns-server
CORP-ASA(config-network-object)# host 10.1.1.5
CORP-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.242
CORP-ASA(config)# object network dmz-web-server
CORP-ASA(config-network-object)# host 10.1.1.2
CORP-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.241
CORP-ASA(config)# class-map inspection_default
CORP-ASA(config-cmap)# match default-inspection-traffic
CORP-ASA(config-cmap)# exit
CORP-ASA(config)# policy-map global_policy
CORP-ASA(config-pmap)# class inspection_default
CORP-ASA(config-pmap-c)# inspect http
CORP-ASA(config)# service-policy global_policy global
CORP-ASA(config)#access-list OUTSIDE-TO-DMZ permit tcp any host 10.1.1.2 eq www
CORP-ASA(config)#access-list OUTSIDE-TO-DMZ permit tcp any host 10.1.1.5 eq domain
CORP-ASA(config)#access-list OUTSIDE-TO-DMZ permit udp any host 10.1.1.5 eq domain
CORP-ASA(config)#access-list OUTSIDE-TO-DMZ permit icmp any any echo-reply
CORP-ASA(config)#access-list OUTSIDE-TO-DMZ permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp
CORP-ASA(config)# access-group OUTSIDE-TO-DMZ in interface outside
CORP(config)# access-list 12 permit host 172.16.25.5
CORP(config)# access-list 12 permit host 198.133.219.35
CORP(config)# line vty 0 4
CORP(config-line)# access-class 12 in
CORP(config-line)# line vty 5 15
CORP(config-line)# access-class 12 in
CORP(config)#ip access-list extended INCORP
CORP(config-ext-nacl)#permit tcp any host 209.165.200.241 eq www
CORP(config-ext-nacl)#permit tcp any host 209.165.200.242 eq domain
CORP(config-ext-nacl)#permit udp any host 209.165.200.242 eq domain
CORP(config-ext-nacl)#permit tcp host 198.133.219.35 host 209.165.200.226 eq 22
CORP(config-ext-nacl)#permit ip host 198.133.219.2 host 209.165.200.226
CORP(config-ext-nacl)#permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
CORP(config)# interface s0/0/0
CORP(config-if)# ip access-group INCORP in
Branch(config)# zone security BR-IN-ZONE
Branch(config-sec-zone)# exit
Branch(config)# zone security BR-OUT-ZONE
Branch(config-sec-zone)# exit
Branch(config)# access-list 110 permit ip 198.133.219.32 0.0.0.31 any
Branch(config)# class-map type inspect match-all BR-IN-CLASS-MAP
Branch(config-cmap)# match access-group 110
Branch(config)# policy-map type inspect BR-IN-OUT-PMAP
Branch(config-pmap)# class type inspect BR-IN-CLASS-MAP
Branch(config-pmap-c)# inspect
Branch(config)# zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE
Branch(config-sec-zone-pair)# service-policy type inspect BR-IN-OUT-PMAP
Branch(config)# interface g0/0
Branch(config-if)# zone-member security BR-IN-ZONE
Branch(config-if)# interface s0/0/0
Branch(config-if)# zone-member security BR-OUT-ZONE
CORP(config)# access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
CORP(config)# crypto isakmp policy 10
CORP(config-isakmp)# encryption aes 256
CORP(config-isakmp)# authentication pre-share
CORP(config-isakmp)#group 2
CORP(config-isakmp)# lifetime 86400
CORP(config-isakmp)# hash sha
CORP(config-isakmp)# exit
CORP(config)# crypto isakmp key Vpnpass101 address 198.133.219.2
CORP(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
CORP(config)# crypto map VPN-MAP 10 ipsec-isakmp
CORP(config-crypto-map)# set peer 198.133.219.2
CORP(config-crypto-map)# set transform-set VPN-SET
CORP(config-crypto-map)# match address 120
CORP(config)# interface s0/0/0
CORP(config-if)# crypto map VPN-MAP
CORP(config-if)# end
Branch(config)# access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
Branch(config)# crypto isakmp policy 10
Branch(config-isakmp)# encryption aes 256
Branch(config-isakmp)# authentication pre-share
Branch(config-isakmp)# group 2
Branch(config-isakmp)# lifetime 86400
Branch(config-isakmp)# hash sha
Branch(config-isakmp)# exit
Branch(config)# crypto isakmp key Vpnpass101 address 209.165.200.226
Branch(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
Branch(config)# crypto map VPN-MAP 10 ipsec-isakmp
Branch(config-crypto-map)# set peer 209.165.200.226
Branch(config-crypto-map)# set transform-set VPN-SET
Branch(config-crypto-map)# match address 120
Branch(config-crypto-map)# exit
Branch(config)# interface s0/0/0
Branch(config-if)# crypto map VPN-MAP
Branch(config-if)# end
CORP# copy running-config startup-config
Branch# copy running-config startup-config
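As an added example (my own, not part of the SBA or of either poster's answer): a small first-match evaluator for the extended ACLs posted above, replaying the Step 5g and 6c verification tests. It untranslates the ASA's static NAT before checking OUTSIDE-TO-DMZ (ASA 8.3+ applies access rules to real addresses), and contrasts the INCORP ACL as posted with the same ACL plus task items 6 and 7. Assumed: the 209.165.200.241/.242 static mappings and the outside PAT address 209.165.200.253 from the solution above, the host addresses from the addressing table, and a constructed high port 1025 for the returning TCP segment.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:  # one IPv4 flow as an ACL sees it (constructed sample input)
    proto: str                        # "tcp", "udp" or "icmp"
    src: str                          # source address
    dst: str                          # destination address before any NAT
    dport: Optional[int] = None       # tcp/udp destination port
    icmp_type: Optional[str] = None   # e.g. "echo-reply"
    ack: bool = False                 # True for a returning TCP segment

PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21}  # port keywords used on this page


def _addr_match(t: List[str], i: int, ip: str):
    """Match 'any', 'host A' or 'A WILDCARD' starting at t[i]; return (hit, next_i)."""
    if t[i] == "any":
        return True, i + 1
    if t[i] == "host":
        return ip == t[i + 1], i + 2
    addr, net, wild = (int(ipaddress.IPv4Address(x)) for x in (ip, t[i], t[i + 1]))
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0, i + 2  # wildcard bit 0 = must match


def ace_matches(ace: str, pkt: Packet) -> Optional[str]:
    """Return the ACE action when the packet matches it, otherwise None."""
    t = ace.split()
    if t[0] == "access-list":  # ASA form: access-list NAME permit ...
        t = t[2:]
    action, proto = t[0], t[1]
    if proto != "ip" and proto != pkt.proto:
        return None
    src_ok, i = _addr_match(t, 2, pkt.src)
    dst_ok, i = _addr_match(t, i, pkt.dst)
    if not (src_ok and dst_ok):
        return None
    rest = t[i:]
    if proto in ("tcp", "udp") and rest[:1] == ["eq"]:  # destination port only
        if pkt.dport != (PORT_NAMES.get(rest[1]) or int(rest[1])):
            return None
    if proto == "tcp" and "established" in rest and not pkt.ack:
        return None
    if proto == "icmp" and rest and pkt.icmp_type != rest[0]:
        return None
    return action


def evaluate(acl: List[str], pkt: Packet) -> str:
    for ace in acl:  # first match wins
        action = ace_matches(ace, pkt)
        if action:
            return action
    return "deny"  # implicit deny at the end of every ACL


# INCORP exactly as posted for CORP S0/0/0 inbound (Step 6b, items 1-5).
INCORP_POSTED = [
    "permit tcp any host 209.165.200.241 eq www",
    "permit tcp any host 209.165.200.242 eq domain",
    "permit udp any host 209.165.200.242 eq domain",
    "permit tcp host 198.133.219.35 host 209.165.200.226 eq 22",
    "permit ip host 198.133.219.2 host 209.165.200.226",
    "permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15",
]
# The same ACL with task items 6 and 7 added (return ICMP and return TCP).
INCORP_FULL = INCORP_POSTED + [
    "permit icmp any any echo-reply",
    "permit icmp any any host-unreachable",
    "permit tcp any 209.165.200.240 0.0.0.15 established",
]
# OUTSIDE-TO-DMZ as posted for CORP-ASA (Step 5g), written with the real DMZ addresses.
OUTSIDE_TO_DMZ = [
    "access-list OUTSIDE-TO-DMZ permit tcp any host 10.1.1.2 eq www",
    "access-list OUTSIDE-TO-DMZ permit tcp any host 10.1.1.5 eq domain",
    "access-list OUTSIDE-TO-DMZ permit udp any host 10.1.1.5 eq domain",
    "access-list OUTSIDE-TO-DMZ permit icmp any any echo-reply",
    "access-list OUTSIDE-TO-DMZ permit tcp host 198.133.219.35 host 10.1.1.2 eq ftp",
]
STATIC_NAT = {"209.165.200.241": "10.1.1.2", "209.165.200.242": "10.1.1.5"}  # mapped -> real


def through_to_dmz(pkt: Packet, incorp: List[str] = INCORP_POSTED):
    """Verdict at CORP (INCORP in on S0/0/0), then at CORP-ASA (OUTSIDE-TO-DMZ in on outside).
    ASA 8.3+ checks the interface ACL against the real (untranslated) address, which is
    why OUTSIDE-TO-DMZ names 10.1.1.x while INCORP on the router names 209.165.200.24x."""
    real = replace(pkt, dst=STATIC_NAT.get(pkt.dst, pkt.dst))
    return evaluate(incorp, pkt), evaluate(OUTSIDE_TO_DMZ, real)


def verification_tests() -> dict:
    """Step 5g/6c checks replayed as constructed packets; DMZ results are (CORP, ASA)."""
    admin_pc, external_pc = "198.133.219.35", "192.31.7.33"
    corp_s0, web_pub, outside_pat = "209.165.200.226", "209.165.200.241", "209.165.200.253"
    echo_reply = Packet("icmp", external_pc, web_pub, icmp_type="echo-reply")
    return_tcp = Packet("tcp", external_pc, outside_pat, dport=1025, ack=True)
    return {
        "admin_ssh_to_corp": evaluate(INCORP_POSTED, Packet("tcp", admin_pc, corp_s0, 22)),
        "external_ssh_to_corp": evaluate(INCORP_POSTED, Packet("tcp", external_pc, corp_s0, 22)),
        "external_http_to_dmz_web": through_to_dmz(Packet("tcp", external_pc, web_pub, 80)),
        "admin_ftp_to_dmz_web": through_to_dmz(Packet("tcp", admin_pc, web_pub, 21)),
        "external_ftp_to_dmz_web": through_to_dmz(Packet("tcp", external_pc, web_pub, 21)),
        "echo_reply_posted": through_to_dmz(echo_reply),
        "echo_reply_full": through_to_dmz(echo_reply, INCORP_FULL),
        "return_tcp_posted_vs_full": (evaluate(INCORP_POSTED, return_tcp), evaluate(INCORP_FULL, return_tcp)),
    }
```

The two "posted" results show why the posted INCORP needs either items 6 and 7 or CBAC inspection: the ASA would admit the echo-reply, but the router ACL as posted drops it and every returning TCP segment first.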
Thank you Ali
CORP(config)# ip ssh authentication-retries 2
should be
CORP(config)# ip ssh authentication-retries 1
Merry Xmas everyone. I did think that admin would have had the 1.2 version up by now?
yes sir. v1.2 has been published
hi
Is this version the actual SBA or just a practice SBA? Thanks
Hello everyone.
Can someone send me the .pkt file PLEASE
Thanks in advance……
steve33
Hello!
Can you send me the pkt file please?
I don't have the .pka file, sorry.
Hello, would you please send me the PT file ?
Can you send me the file? Thanks.
Hi guys
Can someone send me the .pkt file PLEASE
I would appreciate it.
Thank you
Can I be sent the .pkt file please.
Thanks
Could you please send me the .pkt or .pka Packet Tracer activity file to
Please can you send me the Packet Tracer file for SBA 1.1.
Many Thanks
Dan
Please can you send me the Packet Tracer file for SBA 1.1, 1.2.
Many Thanks
Hello!
Can you send me the pkt file please?
Hello!
Can you send me the pkt file please?
Hello everyone.
Can someone send me the .pkt file PLEASE….
Could you please send me the .pka file? Thank you
May i have the copy of .pka file?
Could you please send me the .pka file? Thank you
Hi. Could somebody send me pka file please 🙂 Thanks
May I please have the copy of .pka file?
Please and thank you….
Can someone explain where 209.165.200.241 and 209.165.200.242 came from, as they are not in the addressing table? And why are they in the ACL and not 10.1.1.2 and 10.1.1.5?
thanks
Would you kindly send me a copy of the .pka file?
HI,
Could you please send me the .pka file? Thank you
Hi,
Could you please send me the .pka file for :
chap 4
Packet Tracer activity, Configuring Context-Based Access Control (CBAC)
Configuring a Zone-Based Policy Firewall (ZPF)
chap 5
Configure IOS Intrusion Prevention System (IPS) using CLI
chap 6
Layer 2 Security
Layer 2 VLAN Security
chap 8
Configure and Verify a Site-to-Site IPsec VPN Using CLI
chap 9
Configure a Network for Secure Operation
Thank you
Joe
HI,
Could you please send me the .pka file? Thank you