CCNP Implementing Secured Converged Wide-Area Networks (ISCW 642-825) Lab Portfolio David Kotfila / Joshua Moorhouse / Ross G. Wolfson, CCIE(R) No. 16696 CCNP Implementing Secured Converged Wide-Area Networks (ISCW 642-825) Lab Portfolio provides you with opportunities for hands-on practice to secure and expand the reach of an enterprise-class network to teleworkers and branch sites. The labs reinforce your understanding of how to secure and expand the reach of an enterprise network with a focus on VPN configuration and securing network access to remote sites. The book's primary focus includes teleworker configuration and access, Frame Mode MPLS, site-to-site IPsec VPN, Cisco(R) EZVPN, strategies used to mitigate network attacks, Cisco device hardening, and Cisco IOS(R) firewall features. Those preparing for the Implementing Secured Converged Wide-Area Networks (ISCW 642-825) certification exam should work through this book cover to cover. If you need to quickly review configuration examples, you can go directly to the relevant chapter. CCNP Implementing Secured Converged Wide-Area Networks (ISCW 642-825) Lab Portfolio includes *27 Labs built to support v5 of the Implementing Secured Converged Wide-Area Networks course within the Cisco Networking Academy(R) curriculum providing ample opportunity for practice. *2 Challenge and Troubleshooting Labs added to the core curriculum labs to test your mastery of the topics. *2 Case Studies to give you a taste of what is involved in a fully functioning network covering all the technologies taught in this course. Even if you do not have the actual equipment to configure these more complex topologies, it is worth reading through these labs to expand your thinking into more complex networking solutions. David Kotfila, CCNP(R), CCAI, is the director of the Cisco Networking Academy at Rensselaer Polytechnic Institute (RPI), Troy, New York. Joshua Moorhouse, CCNP, recently graduated from Rensselaer Polytechnic Institute with a bachelor of science degree in computer science, where he also worked as a teaching assistant in the Cisco Networking Academy. He currently works as a network engineer at Factset Research Systems. Ross Wolfson, CCIE(R) No. 16696, recently graduated from Rensselaer Polytechnic Institute with a bachelor of science degree in computer science. He currently works as a network engineer at Factset Research Systems. Use this Lab Portfolio with: CCNP ISCW Official Exam Certification Guide ISBN-10: 1-58720-150-X ISBN-13: 978-1-58720-150-9 CCNP ISCW Portable Command Guide ISBN-10: 1-58720-186-0 ISBN-13: 978-1-58720-186-8 This book is part of the Cisco Networking Academy Series from Cisco Press(R). Books in this series support and complement the Cisco Networking Academy curriculum.

Introduction Chapter 1 Remote Network Connectivity Requirements Lab 1-1: Lab Configuration Guide Chapter 2 Teleworker Connectivity Scenario: Configuring the CPE as the PPPoE Client Scenario: Configuring the CPE as the PPPoE Client over the ATM Interface Chapter 3 IPsec VPNs Lab 3-1: Configuring SDM on a Router (3.10.1) Scenario 7 Step 1: Lab Preparation 7 Step 2: Prepare the Router for SDM 7 Step 3: Configure Addressing 8 Step 4: Extract SDM on the Host 10 Step 5: Install SDM on the PC 13 Step 6: Run SDM from the PC 16 Step 7: Install SDM to the Router 19 Step 8: Run SDM from the Router 23 Step 9: Monitor an Interface in SDM 24 Lab 3-2: Configuring a Basic GRE Tunnel (3.10.2) 26 Scenario 26 Step 1: Configure Loopbacks and Physical Interfaces 26 Step 2: Configure EIGRP AS 1 27 Step 3: Configure a GRE Tunnel 28 Step 4: Routing EIGRP AS 2 over the Tunnel 30 Lab 3-3: Configuring Wireshark and SPAN (3.10.3) 33 Scenario 33 Step 1: Configure the Router 33 Step 2: Install Wireshark and WinPcap 33 Step 3: Configure SPAN on a Switch 39 Step 4: Sniff Packets Using Wireshark 40 Lab 3-4: Configuring Site-to-Site IPsec VPNs with SDM (3.10.4) 43 Scenario 43 Step 1: Configure Addressing 43 Step 2: Configure EIGRP 44 Step 3: Connect to the Routers via SDM 45 Step 4: Configure Site-to-Site IPsec VPN via SDM 45 Step 5: Generate a Mirror Configuration for R3 53 Step 6: Verify the VPN Configuration Using SDM 56 Step 7: Verify the VPN Configuration Using the IOS CLI 59 Challenge: Use Wireshark to Monitor Encryption of Traffic 65 TCL Script Output 70 Lab 3-5: Configuring Site-to-Site IPsec VPNs with the IOS CLI (3.10.5) 74 Scenario 74 Step 1: Configure Addressing 74 Step 2: Configure EIGRP 75 Step 3: Create IKE Policies 76 Step 4: Configure Preshared Keys 78 Step 5: Configure the IPsec Transform Set and Lifetimes 78 Step 6: Define Interesting Traffic 80 Step 7: Create and Apply Crypto Maps 81 Step 8: Verify IPsec Configuration 82 Step 9: Verify IPsec Operation 83 Step 10: Interpret IPsec Event Debugging 85 Challenge: Use Wireshark to Monitor Encryption of Traffic 97 TCL Script Output 103 Lab 3-6: Configuring a Secure GRE Tunnel with SDM (3.10.6) 106 Scenario 106 Step 1: Configure Addressing 106 Step 2: Configure EIGRP AS 1 107 Step 3: Connect to the Router Using SDM 108 Step 4: Configure an IPsec VTI Using SDM 108 Step 5: Generate a Mirror Configuration for R3 117 Step 6: Verify Tunnel Configuration Through SDM 120 Challenge: Use Wireshark to Monitor Encryption of Traffic 124 TCL Script Output 128 Lab 3-7: Configuring a Secure GRE Tunnel with the IOS CLI (3.10.7) 133 Scenario 133 Step 1: Configure Addressing 133 Step 2: Configure EIGRP AS 1 134 Step 3: Configure the GRE Tunnel 134 Step 4: Configure EIGRP AS 2 over the Tunnel 135 Step 5: Create IKE Policies and Peers 136 Step 6: Create IPsec Transform Sets 136 Step 7: Define the Traffic to Be Encrypted 137 Step 8: Create and Apply Crypto Maps 137 Step 9: Verify Crypto Operation 138 Challenge: Use Wireshark to Monitor Encryption of Traffic 139 Lab 3-8: Configuring IPsec VTIs (3.10.8) 144 Scenario 144 Step 1: Configure Addressing 144 Step 2: Configure EIGRP AS 1 145 Step 3: Configure Static Routing 145 Step 4: Create IKE Policies and Peers 147 Step 5: Create IPsec Transform Sets 148 Step 6: Create an IPsec Profile 148 Step 7: Create the IPsec VTI 149 Step 8: Verify Proper EIGRP Behavior 151 Lab 3-9: Configuring Easy VPN with SDM (3.10.9) 154 Scenario 154 Step 1: Configure Addressing 154 Step 2: Configure EIGRP AS 1 155 Step 3: Configure a Static Default Route 156 Step 4: Connect to HQ Through SDM 156 Step 5: Configure Easy VPN Server Through SDM 156 Step 6: Install the Cisco VPN Client 166 Step 7: Test Access from Client Without VPN Connection 169 Step 8: Connect to the VPN 169 Step 9: Test Network Access with VPN Connectivity 175 Step 10: Verify Easy VPN Functionality with SDM 176 Step 11: Disconnect the VPN Client 178 Lab 3-10: Configuring Easy VPN with the IOS CLI 180 Scenario 180 Step 1: Configure Addressing 180 Step 2: Configure EIGRP AS 1 181 Step 3: Configure a Static Default Route 181 Step 4: Enable AAA on HQ 182 Step 5: Create the IP Pool 182 Step 6: Configure the Group Authorization 182 Step 7: Create an IKE Policy and Group 182 Step 8: Configure the IPsec Transform Set 184 Step 9: Create a Dynamic Crypto Map 184 Step 10: Enable IKE DPD and User Authentication 184 Step 11: Install the Cisco VPN Client 185 Step 12: Test Access from Client Without VPN Connection 187 Step 13: Connect to the VPN 188 Step 14: Test Inside VPN Connectivity 193 Step 15: Verify VPN Operation Using the CLI 194 Step 16: Disconnect the VPN Client 195 Lab 3-11: IPsec Challenge Lab 196 Lab 3-12: IPsec Troubleshooting Lab 198 Initial Configurations 199 Chapter 4 Frame Mode MPLS Implementation 205 Lab 4-1: Configuring Frame Mode MPLS (4.5.1) 205 Scenario 205 Step 1: Configure Addressing 206 Step 2: Configure EIGRP AS 1 206 Step 3: Observe CEF Operation 207 Step 4: Enable MPLS on All Physical Interfaces 209 Step 5: Verify MPLS Configuration 210 Step 6: Change MPLS MTU 215 Lab 4-2: Challenge Lab: Implementing MPLS VPNs (4.5.2) 217 Scenario 218 Step 1: Configure Addressing 219 Step 2: Configure Routing in the Service-Provider Domain 219 Step 3: Configure MPLS in the SP Domain 220 Step 4: Configure a VRF 221 Step 5: Configure EIGRP AS 1 225 Step 6: Configure BGP 227 Step 7: Investigate Control Plane Operation 229 Step 8: Investigate Forwarding Plane Operation 235 Conclusion 238 Chapter 5 Cisco Device Hardening 241 Lab 5-1: Using SDM One-Step Lockdown (5.12.1) 241 Scenario 241 Step 1: Configure Addressing 241 Step 2: Install Nmap on the Host 242 Step 3: Run a Port Scan with Nmap 245 Step 4: Prepare a Router for SDM 245 Step 5: Use SDM One-Step Lockdown 246 Step 6: Use Nmap to See Changes 249 Conclusion 250 Lab 5-2: Securing a Router with Cisco AutoSecure (5.12.2) 251 Scenario 251 Step 1: Configure the Physical Interface 251 Step 2: Configure AutoSecure 251 Lab 5-3: Disabling Unneeded Services (5.12.3) 259 Scenario 259 Step 1: Configure the Physical Interface 259 Step 2: Ensure Services Are Disabled 259 Step 3: Manage Router Access 260 Step 4: Disable CDP 261 Step 5: Disable Other Unused Services 261 Step 6: Disabling Unneeded Interface Services 262 Lab 5-4: Enhancing Router Security (5.12.4) 263 Scenario 263 Step 1: Configure the Physical Interfaces 263 Step 2: Telnet to R1 264 Step 3: Configure Cisco IOS Login Enhancements 265 Step 4: Enforce a Minimum Password Length 269 Step 5: Modify Command Privilege Levels 270 Step 6: Create a Banner 273 Step 7: Enable SSH 273 Step 8: Encrypt Passwords 275 Lab 5-5: Configuring Logging (5.12.5) 276 Scenario 276 Step 1: Configure the Interface 276 Step 2: Install the Kiwi Syslog Daemon 276 Step 3: Run the Kiwi Syslog Service Manager 277 Step 4: Configure the Router for Logging 277 Step 5: Verify Logging 279 Step 6: Configure Buffered Logging 280 Lab 5-6a: Configuring AAA and TACACS+ (5.12.6a) 283 Scenario 283 Step 1: Configure the Interface 283 Step 2: Install CiscoSecure ACS 283 Step 3: Configure Users in CiscoSecure ACS 288 Step 4: Configure AAA Services on R1 292 Lab 5-6b: Configuring AAA and RADIUS (5.12.6b) 294 Scenario 294 Step 1: Configure the Interface 294 Step 2: Install CiscoSecure ACS 294 Step 3: Configure Users in CiscoSecure ACS 299 Step 4: Configure AAA Services on R1 303 Lab 5-6c: Configuring AAA Using Local Authentication (5.12.6c) 305 Step 1: Configure the Interface 305 Step 2: Configure the Local User Database 305 Step 3: Implement AAA Services 305 Lab 5-7: Configuring Role-Based CLI Views (5.12.7) 307 Scenario 307 Step 1: Configure an Enable Secret Password 307 Step 2: Enable AAA 307 Step 3: Change to the Root View 308 Step 4: Create Views 309 Step 5: Create a Superview 312 Lab 5-8: Configuring NTP (5.12.8) 313 Scenario 313 Step 1: Configure the Physical Interfaces 313 Step 2: Set Up the NTP Master 314 Step 3: Configure an NTP Client 314 Step 4: Configure NTP Peers with MD5 Authentication 315 Chapter 6 Cisco IOS Threat Defense Features 319 Lab 6-1: Configuring a Cisco IOS Firewall Using SDM (6.6.1) 319 Scenario 319 Step 1: Configure Loopbacks and Physical Interfaces 320 Step 2: Configure Routing Protocols 320 Step 3: Configure Static Routes to Reach the Internet 321 Step 4: Connect to FW Using SDM 322 Step 5: Use the SDM Advanced Firewall Wizard 323 Step 6: Modify the Firewall Configuration 331 Step 7: Monitor Firewall Activity 334 Conclusion 337 Lab 6-2: Configuring CBAC (6.6.2) 338 Scenario 338 Step 1: Configure the Physical Interfaces 338 Step 2: Configure Static Default Routes 339 Step 3: Enable Telnet Access 339 Step 4: Create IP Inspect Rules 339 Step 5: Block Unwanted Outside Traffic 341 Step 6: Verify CBAC Operation 341 Lab 6-3: Configuring IPS with SDM (6.6.3) 344 Scenario 344 Step 1: Configure the Physical Interfaces 344 Step 2: Configure Static Default Routes 345 Step 3: Enable Telnet Access 345 Step 4: Connect to FW Using SDM 345 Step 5: Use the SDM IPS Rule Wizard 346 Step 6: Verify and Modify IPS Behavior 353 Challenge: Add a Signature 358 Lab 6-4: Configuring IPS with CLI (6.6.4) 364 Scenario 364 Step 1: Configure Addressing 364 Step 2: Configure Static Default Routes 365 Step 3: Create and Apply an IPS Rule 365 Step 4: Modify Default IPS Behavior 366 Chapter 7 Case Studies 371 Case Study 1: CLI IPsec and Frame-Mode MPLS 371 Questions 372 Case Study 2: Device Hardening and VPNs 373 158713215x TOC 2/28/2008