CCNA Security 2.0 PT Practice SA – Part 2

CCNAS 2.0 PT SA Part 2

CCNA Security 2.0 PT Practice SA – Part 2 will be revealed in this post. I hope Question and Configuration Answer will help you to understand this CCNA Security 2.0 Packet Tracer Practice SA Part 2 more clearly in order to pass the exam. The answer shown below tested 100% correct. However, if you find any mistake or any way to improve better, please do leave your comment below.

CCNA Security PT Practice SA – Part 2

A few things to keep in mind while completing this activity:

  • Do not use the browser Back button or close or reload any Exam windows during the exam.
  • Do not close Packet Tracer when you are done. It will close automatically.
  • Click the Submit Assessment button to submit your work.

Introduction

In this practice Packet Tracer Skills Based Assessment, you will:

  • Configure basic ASA device hardening and secure network management
  • Configure DHCP and NAT on the ASA device
  • Configure the ASA firewall to implement security policies
  • Configure a site-to-site IPsec VPN

Addressing Table

Device Interface IP Address Subnet Mask Gateway DNS server
Internet S0/0/0 209.165.200.225 255.255.255.252 n/a
S0/0/1 192.31.7.1 255.255.255.252 n/a
S0/1/0 198.133.219.1 255.255.255.252 n/a
G0/0 192.135.250.1 255.255.255.0 n/a
HQ S0/0/0 209.165.200.226 255.255.255.252 n/a
G0/0 209.165.200.254 255.255.255.240 n/a
HQ-ASA E0/0 209.165.200.253 255.255.255.240 n/a
E0/1 192.168.10.1 255.255.255.0 n/a
E0/2 192.168.20.1 255.255.255.0 n/a
Branch S0/0/0 198.133.219.2 255.255.255.252 n/a
G0/0 198.133.219.62 255.255.255.224 n/a
External Web Svr NIC 192.31.7.35 255.255.255.224 192.31.7.62
External PC NIC 192.31.7.33 255.255.255.224 192.31.7.62 192.135.250.5
AAA/NTP/Syslog Svr NIC 192.168.10.10 255.255.255.0 192.168.10.1
DMZ DNS Svr NIC 192.168.20.5 255.255.255.0 192.168.20.1
DMZ Web Svr NIC 192.168.20.2 255.255.255.0 192.168.20.1 192.168.20.5
PC0 and PC1 NIC DHCP client 255.255.255.0 192.168.10.1 192.168.10.10
Branch Admin NIC 198.133.219.35 255.255.255.224 198.133.219.62 192.135.250.5
Net Admin PC NIC 192.168.10.5 255.255.255.0 192.168.10.1 192.168.10.10

Note: Appropriate verification procedures should be taken after each configuration task to ensure that the task has been properly implemented.

Step 1: Configure Basic Device Hardening for the ASA device.

Note: HQ-ASA is already configured with a password Thecar1Admin.

  1. Access HQ-ASA and enter the privileged mode with the enable password of Thecar1Admin.
  2. Configure the domain name as thecar1.com.
  3. Configure the inside, outside, and dmz interfaces with the following information:
  • VLAN 1 – IP address 192.168.10.1/24, nameif inside, security-level 100, assign to E0/1
  • VLAN 2 – IP address 209.165.200.253/28, nameif outside, security-level 0, assign to E0/0
  • VLAN 3 – IP address 192.168.20.1/24, nameif dmz, security-level 70, assign to E0/2
  • Enable interfaces.

Step 2: Configure DHCP service on the ASA device for the internal network.

  1. The DHCP pool is 192.168.10.25 – 192.168.10.35.
  2. DHCP service should provide DNS server (AAA/NTP/syslog server) information.
  3. Verify that the internal users (PC0 and PC1) obtain the dynamic addressing information correctly.

Step 3: Configure Secure Network Management for the ASA Device.

  1. Enable the ASA device:
    • as an NTP client to the AAA/NTP/Syslog server
    • Enable the authentication to the NTP server.
    • The authentication key is key 1 with the password corpkey.
  2. Configure the ASA device with AAA authentication and verify its functionality:Note: the HQ-ASA is preconfigured with a username Car1Admin with password adminpass01
    • Configure AAA to use the local database for SSH connections to the console port.
    • Generate a RSA key pair to support with modulus size of 1024 bits.
    • Configure HQ-ASA to accept SSH connections only from the Net Admin workstation.
    • Configure SSH session timeout to be 20 minutes.

Step 4: Configure NAT Service for the ASA device for both inside and DMZ networks.

  1. Create an object inside-nat with subnet 192.168.10.0/24 and enable the IP addresses of the hosts in the internal network to be dynamically translated to access the external network via the outside interface.
  2. Create an object dmz-dns-server to statically translate the DNS server in the DMZ to the public IP address.
  3. Create an object dmz-web-server to statically translate the web server in the DMZ to the public IP address.

Step 5: Configure ACL and firewall on the ASA device to implement the Security Policy.

  1. Modify the default MPF application inspection global service policy to enable hosts in the Internal network to access the web servers on the Internet
    • Create a class inspection_default that matches default-inspection-traffic.
    • Create a policy-map global_policy and specify the inspect with dns, ftp, http, and icmp.
    • Attach the policy map globally to all interfaces.
  2. Configure an ACL to allow access to the DMZ servers from the Internet.
    • Create, apply, and verify an extended named ACL (named OUTSIDE-TO-DMZ) to filter incoming traffic to the HQ-ASA. The ACL should be created in the order specified in the following guidelines (Please note, the order of ACL statements is significant only because of the scoring need in Packet Tracer.):
    • HTTP traffic is allowed to DMZ Web Svr.
    • DNS traffic (both TCP and UDP) is allowed to the DMZ DNS server (two separate ACEs).
    • FTP traffic from the branch administrator workstation is allowed to the DMZ web server.
    • The ACL should contain four ACEs.
    • Verify HQ-ASA configurations. Both Net Admin and DMZ Web Svr can access the website www.externalone.com. Branch Admin can access the website www.thecar1.com. Branch Admin can also establish an FTP connection to the web server www.thecar1.com, using the username cisco and the password cisco.

Step 6: Configure a Site-to-Site IPsec VPN between the HQ Router and the Branch Router.

Note: The Branch and HQ routers have already been configured with a username of CORPADMIN and a password of Ciscoccnas. The enable secret password is ciscoclass.

The following tables list the parameters for the ISAKMP Phase 1 Policy and IPsec Phase 2 Policy:

ISAKMP Phase 1 Policy Parameters ISAKMP Phase 2 Policy Parameters
Key Distribution Method ISAKMP Parameters HQ Router Branch Router
Encryption Algorithm AES Transform Set Name VPN-SET VPN-SET
Number of Bits 256 Transform Set esp-3des
esp-sha-hmac
esp-3des
esp-sha-hmac
Hash Algorithm SHA-1 Peer Host Name Branch HQ
Authentication Method Pre-share Peer IP Address 198.133.219.2 209.165.200.226
Key Exchange DH 2 Encrypted Network 209.165.200.240/28 198.133.219.32/27
IKE SA Lifetime 86400 Crypto Map Name VPN-MAP VPN-MAP
ISAKMP Key Vpnpass101 SA Establishment ipsec-isakmp ipsec-isakmp
Peer IP Address See Phase 2 Table on the right.  
  1. Configure an ACL (ACL 120) on the HQ router to identify the interesting traffic. The interesting traffic is all IP traffic between the two LANs (209.165.200.240/28 and 198.133.219.32/27).
  2. Configure the ISAKMP Phase 1 properties on the HQ router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters Table for the specific details needed.
  3. Configure the ISAKMP Phase 2 properties on the HQ router. Refer to the ISAKMP Phase 2 Policy Parameters Table for the specific details needed.
  4. Bind the VPN-MAP crypto map to the outgoing interface.
  5. Configure IPsec parameters on the Branch router using the same parameters as on the HQ router. Note that interesting traffic is defined as the IP traffic from the two LANs.
  6. Save the running-config, then reload both the HQ and Branch routers.
  7. Verify the VPN configuration by conducting an FTP session with the username cisco and the password cisco from the Branch Admin PC to the DMZ Web Svr. On the Branch router, check that the packets are encrypted. To exit the FTP session, type quit.

**** End of Question ****

 

CCNAS 2.0 PT SA Part 2

 

domain-name thecar1.com
interface vlan 1
ip address 192.168.10.1 255.255.255.0
nameif inside
Security-level 100
no shutdown
exit
interface vlan 2
ip add 209.165.200.253 255.255.255.240
nameif outside
security-level 0
no shutdown
exit
interface vlan 3
No forward int vlan 1
ip add 192.168.20.1 255.255.255.0
nameif  dmz
security-level 70
no shutdown
exit
interface e0/1
switchport access vlan 1
no shutdown
exit
interface e0/0
switchport access vlan 2
no shutdown
exit
int e0/2
switchport access vlan 3
no shutdown
exit
dhcpd add 192.168.10.25-192.168.10.35 inside
dhcpd dns 192.168.10.10 interface inside
dhcpd enable inside
ntp server 192.168.10.10
ntp authenticate
ntp authentication-key 1 md5 corpkey
ntp trusted-key 1
aaa authentication ssh console LOCAL
ssh 192.168.10.5 255.255.255.255 inside 
ssh timeout 20
object network inside-nat
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic interface
exit
configure terminal 
object network dmz-dns-server
host 192.168.20.5
nat (dmz,outside) static 209.165.200.242
exit
configure terminal 
object network dmz-web-server
host 192.168.20.2
nat (dmz,outside) static 209.165.200.241
exit
configure terminal 
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns
inspect ftp 
inspect http 
inspect icmp
exit
service-policy global_policy global
access-list OUTSIDE-TO-DMZ extended permit tcp any host 209.165.200.241 eq 80
access-list OUTSIDE-TO-DMZ extended permit tcp any host 209.165.200.242 eq 53
access-list OUTSIDE-TO-DMZ extended permit udp any host 209.165.200.242 eq 53
access-list OUTSIDE-TO-DMZ extended permit tcp host 198.133.219.35 host 209.165.200.241 eq ftp
access-group OUTSIDE-TO-DMZ in interface outside
access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
crypto isakmp policy 10
encryption aes 256
authentication pre-share 
group 2
lifetime 86400
hash sha
exit
crypto isakmp key Vpnpass101 address 209.165.200.226 
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac 
crypto map VPN-MAP 10 ipsec-isakmp
set peer 209.165.200.226 
set transform-set VPN-SET 
match address 120 
exit
interface s0/0/0 
crypto map VPN-MAP
end   
copy running-config startup-config
access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
crypto isakmp policy 10
encryption aes 256
authentication pre-share 
group 2
lifetime 86400
hash sha
exit
crypto isakmp key Vpnpass101 address 198.133.219.2
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac 
crypto map VPN-MAP 10 ipsec-isakmp
set peer 198.133.219.2 
set transform-set VPN-SET 
match address 120 
exit
interface s0/0/0 
crypto map VPN-MAP
end   
copy running-config startup-config

Configuration above tested 100% correct by our contributor. If you find any mistake with this configuration, please comment below or email to [email protected].

Thanks to our contributor

Question Contributor: Sham

Answer Contributor: Marcinbar

Sharing is Caring

18 thoughts on “CCNA Security 2.0 PT Practice SA – Part 2”

  1. Hi,

    I am preparing for the CCNA Security practise exam on packet tracer.

    Will this practice test part 1 and 2 be the same as the final practice exam for CCNA Security?

    Cheers,

  2. HI.
    NAT—>Routing =>

    access-list OUTSIDE-TO-DMZ extended permit tcp any host 192.168.20.2 eq 80
    access-list OUTSIDE-TO-DMZ extended permit tcp any host 192.168.20.5 eq 53
    access-list OUTSIDE-TO-DMZ extended permit udp any host 192.168.20.5 eq 53

  3. Hi everybody, I hope you are doing well.
    Can someone provide me cnna security 2.0 pratical exam with questions and answers?

    Best regards,
    Sammy

  4. On VPN HQ config are there a error

    The correct access list is:

    access-list 120 permit ip 209.165.200.240 255.255.255.240 198.133.219.32 255.255.255.224

  5. There are some errors on this for instance the HQ access list the addresees are flipped. it shoud be access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31

    1. The below access list is also missing.

      access-list OUTSIDE-TO-DMZ extended permit tcp host 198.133.219.35 host 209.165.200.241 eq www

  6. Typo error under HQ-ASA where you enter switchport access vlan for interface e0/1, e0/0, e0/2.

    The word Access is missing an S
    interface e0/1
    switchport access vlan 1
    no shutdown
    exit
    interface e0/0
    switchport access vlan 2
    no shutdown
    exit
    int e0/2
    switchport access vlan 3
    no shutdown
    exit

Leave a Reply

Your email address will not be published. Required fields are marked *