CCNA Security 2.0 PT Practice SA – Part 2


This post covers CCNA Security 2.0 PT Practice SA – Part 2. The question and the configuration answer are given together so that you can understand this Packet Tracer Practice Skills Assessment and pass the exam. The answer shown below has been tested and scores 100%. If you find a mistake, or a way to do it better, please leave a comment below.

CCNA Security PT Practice SA – Part 2

A few things to keep in mind while completing this activity:

  • Do not use the browser Back button or close or reload any Exam windows during the exam.
  • Do not close Packet Tracer when you are done. It will close automatically.
  • Click the Submit Assessment button to submit your work.


In this practice Packet Tracer Skills Based Assessment, you will:

  • Configure basic ASA device hardening and secure network management
  • Configure DHCP and NAT on the ASA device
  • Configure the ASA firewall to implement security policies
  • Configure a site-to-site IPsec VPN

Addressing Table

Device | Interface | IP Address | Subnet Mask | Gateway | DNS server
Internet | S0/0/0 | | | n/a |
Internet | S0/0/1 | | | n/a |
Internet | S0/1/0 | | | n/a |
Internet | G0/0 | | | n/a |
HQ | S0/0/0 | | | n/a |
HQ | G0/0 | | | n/a |
HQ-ASA | E0/0 | | | n/a |
HQ-ASA | E0/1 | | | n/a |
HQ-ASA | E0/2 | | | n/a |
Branch | S0/0/0 | | | n/a |
Branch | G0/0 | | | n/a |
External Web Svr | NIC | | | |
External PC | NIC | | | |
AAA/NTP/Syslog Svr | NIC | | | |
PC0 and PC1 | NIC | DHCP client | | |
Branch Admin | NIC | | | |
Net Admin PC | NIC | | | |

Note: Appropriate verification procedures should be taken after each configuration task to ensure that the task has been properly implemented.

Step 1: Configure Basic Device Hardening for the ASA device.

Note: HQ-ASA is already configured with a password Thecar1Admin.

  1. Access HQ-ASA and enter the privileged mode with the enable password of Thecar1Admin.
  2. Configure the domain name as
  3. Configure the inside, outside, and dmz interfaces with the following information:
  • VLAN 1 – IP address, nameif inside, security-level 100, assign to E0/1
  • VLAN 2 – IP address, nameif outside, security-level 0, assign to E0/0
  • VLAN 3 – IP address, nameif dmz, security-level 70, assign to E0/2
  • Enable interfaces.

Step 2: Configure DHCP service on the ASA device for the internal network.

  1. The DHCP pool is –
  2. DHCP service should provide DNS server (AAA/NTP/syslog server) information.
  3. Verify that the internal users (PC0 and PC1) obtain the dynamic addressing information correctly.

Step 3: Configure Secure Network Management for the ASA Device.

  1. Enable the ASA device:
    • as an NTP client of the AAA/NTP/Syslog server
    • Enable authentication to the NTP server.
    • The authentication key is key 1 with the password corpkey.
  2. Configure the ASA device with AAA authentication and verify its functionality. Note: HQ-ASA is preconfigured with the username Car1Admin and the password adminpass01.
    • Configure AAA to use the local database for SSH connections (the ASA command uses the keyword console, which refers to management access to the ASA, not to the physical console port).
    • Generate an RSA key pair with a modulus size of 1024 bits to support SSH. (1024 bits is what this assessment specifies; on a production ASA use 2048 bits or more.)
    • Configure HQ-ASA to accept SSH connections only from the Net Admin workstation.
    • Configure the SSH session timeout to be 20 minutes.
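Steps 1 to 3 above as one HQ-ASA configuration. This is an added example, not the page's answer key and not Cisco's reference configuration. The page does not give the addresses, the domain name or the DHCP range, so every value below is an assumption: inside 192.168.1.0/24 with the ASA at .1, outside 209.165.200.226/29, dmz 192.168.2.0/24, the AAA/NTP/Syslog server at 192.168.2.3, the Net Admin PC at 192.168.1.3, a DHCP range of .5 to .30 and the domain name ccnasecurity.com. Substitute the values from your own addressing table.

```cisco
! Added example: HQ-ASA steps 1-3 (ASA 5505-style VLAN interfaces, as in Packet Tracer).
! All IP addresses, the domain name and the DHCP range are ASSUMED; the page omits them.
enable
! (enable password: Thecar1Admin)
configure terminal
domain-name ccnasecurity.com
!
! Step 1: interfaces. On an ASA 5505 with the base license the third VLAN must be
! restricted with "no forward interface" before it can be given a name.
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface vlan 2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
 no shutdown
interface vlan 3
 no forward interface vlan 1
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
 no shutdown
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! Step 2: DHCP for the inside network, handing out the DMZ server as the DNS server.
dhcpd address 192.168.1.5-192.168.1.30 inside
dhcpd dns 192.168.2.3
dhcpd enable inside
!
! Step 3a: authenticated NTP (key 1 / corpkey from the task text). Without
! "ntp trusted-key" the key exists but is never used to validate the server.
ntp authenticate
ntp authentication-key 1 md5 corpkey
ntp trusted-key 1
ntp server 192.168.2.3 key 1
!
! Step 3b: SSH with local AAA. "console" means management access to the ASA,
! not the serial port. 1024-bit RSA is the exam's figure; use 2048+ on a real device.
! The ssh line restricts logins to the single Net Admin host (ASSUMED 192.168.1.3).
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
ssh 192.168.1.3 255.255.255.255 inside
ssh timeout 20
!
! Verification for each step
show interface ip brief
show dhcpd binding
show ntp associations
show ssh
```

With this in place, PC0 and PC1 should pick up addresses from the .5-.30 range, `show ntp associations` should list 192.168.2.3 with authentication enabled, and an SSH attempt from any host other than the Net Admin PC should be refused before a login prompt is shown.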

Step 4: Configure NAT Service for the ASA device for both inside and DMZ networks.

  1. Create a network object named inside-nat for the internal subnet and enable the hosts in the internal network to be dynamically translated, via the outside interface, so that they can reach the external network.
  2. Create a network object named dmz-dns-server to statically translate the DNS server in the DMZ to its public IP address.
  3. Create a network object named dmz-web-server to statically translate the web server in the DMZ to its public IP address.

Step 5: Configure ACL and firewall on the ASA device to implement the Security Policy.

  1. Modify the default MPF application inspection global service policy to enable hosts in the internal network to access the web servers on the Internet.
    • Create a class map inspection_default that matches default-inspection-traffic.
    • Create a policy map global_policy and specify inspection for dns, ftp, http, and icmp.
    • Attach the policy map globally to all interfaces.
  2. Configure an ACL to allow access to the DMZ servers from the Internet.
    • Create, apply, and verify an extended named ACL (named OUTSIDE-TO-DMZ) that filters traffic arriving on the outside interface of HQ-ASA. The ACL should be created in the order specified in the following guidelines (the order of the ACL statements matters only because of how Packet Tracer scores the activity). Note that on ASA 8.3 and later, ACEs reference the real (pre-NAT) addresses of the DMZ servers, not the public addresses they are translated to.
    • HTTP traffic is allowed to DMZ Web Svr.
    • DNS traffic (both TCP and UDP) is allowed to the DMZ DNS server (two separate ACEs).
    • FTP traffic from the branch administrator workstation is allowed to the DMZ web server.
    • The ACL should contain four ACEs.
    • Verify the HQ-ASA configuration. Both Net Admin and DMZ Web Svr can access the website. Branch Admin can access the website. Branch Admin can also establish an FTP connection to the web server, using the username cisco and the password cisco.
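Steps 4 and 5 above as one configuration block. This is an added example, not the page's answer key; the page does not give the addresses, so the following are assumptions: inside 192.168.1.0/24, DMZ web server 192.168.2.2 translated to 209.165.200.228, DMZ DNS/AAA server 192.168.2.3 translated to 209.165.200.227, and the Branch Admin workstation at 172.16.3.3.

```cisco
! Added example: HQ-ASA steps 4-5. Addresses are ASSUMED (the page omits them):
!   inside 192.168.1.0/24, DMZ web server 192.168.2.2 -> 209.165.200.228,
!   DMZ DNS/AAA server 192.168.2.3 -> 209.165.200.227, Branch Admin 172.16.3.3.
!
! Step 4: NAT. Inside hosts are PAT'd to the outside interface address;
! each DMZ server gets a one-to-one static translation to a public address.
object network inside-nat
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network dmz-dns-server
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.227
object network dmz-web-server
 host 192.168.2.2
 nat (dmz,outside) static 209.165.200.228
!
! Step 5a: default inspection policy. Stateful inspection is what lets return
! traffic for inside->Internet sessions back in; "inspect ftp" is also what opens
! the FTP data channel for Branch Admin when the ACL below only permits port 21.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
  inspect icmp
service-policy global_policy global
!
! Step 5b: inbound ACL on outside. Since ASA 8.3 the ACEs use the REAL (pre-NAT)
! server addresses, not the public addresses the Internet sends to. ACEs are in
! the task's order; the implicit deny at the end drops everything else.
access-list OUTSIDE-TO-DMZ extended permit tcp any host 192.168.2.2 eq 80
access-list OUTSIDE-TO-DMZ extended permit tcp any host 192.168.2.3 eq 53
access-list OUTSIDE-TO-DMZ extended permit udp any host 192.168.2.3 eq 53
access-list OUTSIDE-TO-DMZ extended permit tcp host 172.16.3.3 host 192.168.2.2 eq 21
access-group OUTSIDE-TO-DMZ in interface outside
!
! Verification: translation table, per-ACE hit counts, and the active inspections.
show nat
show xlate
show access-list OUTSIDE-TO-DMZ
show service-policy
```

After browsing from Net Admin and Branch Admin and opening the FTP session, `show access-list OUTSIDE-TO-DMZ` should show a non-zero hit count on the HTTP ACE and on the FTP ACE, while `show xlate` should list the inside PAT entries alongside the two static DMZ translations.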

Step 6: Configure a Site-to-Site IPsec VPN between the HQ Router and the Branch Router.

Note: The Branch and HQ routers have already been configured with a username of CORPADMIN and a password of Ciscoccnas. The enable secret password is ciscoclass.

The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2 Policy:

ISAKMP Phase 1 Policy Parameters
Key Distribution Method | ISAKMP
Encryption Algorithm | AES
Number of Bits | 256
Hash Algorithm | SHA-1
Authentication Method | Pre-share
Key Exchange | DH 2
IKE SA Lifetime | 86400
ISAKMP Key | Vpnpass101
Peer IP Address | See the Phase 2 table

IPsec Phase 2 Policy Parameters | HQ Router | Branch Router
Transform Set Name | VPN-SET | VPN-SET
Transform Set | esp-3des | esp-3des
Peer Host Name | Branch | HQ
Peer IP Address | |
Encrypted Network | |
Crypto Map Name | VPN-MAP | VPN-MAP
SA Establishment | ipsec-isakmp | ipsec-isakmp

  1. Configure an ACL (ACL 120) on the HQ router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs ( and
  2. Configure the ISAKMP Phase 1 properties on the HQ router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters Table for the specific details needed.
  3. Configure the IPsec Phase 2 properties on the HQ router. Refer to the IPsec Phase 2 Policy Parameters table for the specific details needed.
  4. Bind the VPN-MAP crypto map to the outgoing interface.
  5. Configure the IPsec parameters on the Branch router using the same parameters as on the HQ router. Note that interesting traffic is defined as the IP traffic between the two LANs, so the Branch router's ACL is the mirror image of the HQ router's.
  6. Save the running-config, then reload both the HQ and Branch routers.
  7. Verify the VPN configuration by conducting an FTP session with the username cisco and the password cisco from the Branch Admin PC to the DMZ Web Svr. On the Branch router, check that the packets are encrypted. To exit the FTP session, type quit.
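Step 6 above written out for both routers. This is an added example, not the page's answer key or Cisco's reference configuration. The page does not give the addresses, so these are assumptions: HQ S0/0/0 10.1.1.2, Branch S0/0/0 10.2.2.2, the HQ-side LAN 209.165.200.224/29 (the network between HQ G0/0 and the ASA outside interface, where the DMZ servers' public addresses live), and the Branch LAN 172.16.3.0/24. The transform set is exactly what the page's table lists (esp-3des, with no ESP authentication transform).

```cisco
! Added example: site-to-site IPsec VPN, step 6. ASSUMED addresses (not on the page):
!   HQ S0/0/0 10.1.1.2, Branch S0/0/0 10.2.2.2,
!   HQ-side LAN 209.165.200.224/29, Branch LAN 172.16.3.0/24.
! 3DES, SHA-1 and DH group 2 are what the assessment specifies; they are legacy
! choices and would not be picked for a new deployment.
!
! ----- HQ router -----
! ACL 120: interesting traffic, HQ LAN as source and Branch LAN as destination.
! The Branch ACL must be the exact mirror; swapping the two networks is the
! error reader comments 4 and 5 point out.
access-list 120 permit ip 209.165.200.224 0.0.0.7 172.16.3.0 0.0.0.255
!
! ISAKMP (IKE phase 1) policy 10. "hash sha" is SHA-1 in IOS.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key Vpnpass101 address 10.2.2.2
!
! IPsec (phase 2): transform set and crypto map, then bind the map to the WAN link.
crypto ipsec transform-set VPN-SET esp-3des
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.2.2.2
 set transform-set VPN-SET
 match address 120
interface Serial0/0/0
 crypto map VPN-MAP
!
! ----- Branch router (same policy; peer address and ACL direction reversed) -----
access-list 120 permit ip 172.16.3.0 0.0.0.255 209.165.200.224 0.0.0.7
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key Vpnpass101 address 10.1.1.2
crypto ipsec transform-set VPN-SET esp-3des
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set VPN-SET
 match address 120
interface Serial0/0/0
 crypto map VPN-MAP
!
! Save and reload on both routers, then verify. The IKE SA should be QM_IDLE,
! and after the FTP session from Branch Admin the "pkts encaps/encrypt" and
! "pkts decaps/decrypt" counters in "show crypto ipsec sa" should be non-zero.
copy running-config startup-config
reload
show crypto isakmp sa
show crypto ipsec sa
```

Until the first packet matches ACL 120, `show crypto isakmp sa` is empty; the tunnel is built on demand, so run the FTP session from Branch Admin first and then check the counters on the Branch router.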

**** End of Question ****


CCNAS 2.0 PT SA Part 2


The configuration above was tested and found 100% correct by our contributor. If you find any mistake in this configuration, please comment below or email to

Thanks to our contributor

Question Contributor: Sham

Answer Contributor: Marcinbar

15 thoughts on “CCNA Security 2.0 PT Practice SA – Part 2”

  1. Hi,

    I am preparing for the CCNA Security practise exam on packet tracer.

    Will this practice test part 1 and 2 be the same as the final practice exam for CCNA Security?


  2. Hi.
    NAT—>Routing =>

    access-list OUTSIDE-TO-DMZ extended permit tcp any host eq 80
    access-list OUTSIDE-TO-DMZ extended permit tcp any host eq 53
    access-list OUTSIDE-TO-DMZ extended permit udp any host eq 53

  3. Hi everybody, I hope you are doing well.
    Can someone provide me the CCNA Security 2.0 practical exam with questions and answers?

    Best regards,

  4. On the VPN HQ config there is an error.

    The correct access list is:

    access-list 120 permit ip

  5. There are some errors on this, for instance in the HQ access list the addresses are flipped. It should be access-list 120 permit ip

  6. Typo error under HQ-ASA where you enter switchport access vlan for interface e0/1, e0/0, e0/2.

    The word Access is missing an S
    interface e0/1
    switchport access vlan 1
    no shutdown
    interface e0/0
    switchport access vlan 2
    no shutdown
    int e0/2
    switchport access vlan 3
    no shutdown
