
PART 1

Step 1: Cable the network as shown in the topology.

Set up the routers as shown in the diagram.


Step 2: Configure basic settings for all routers.

router>enable
router#config t
router(config)#hostname (router name - router1/2/3)

router1(config)#no ip domain-lookup
router1(config)#interface s0/0/0
router1(config-if)#ip address 10.10.10.1 255.255.255.252
router1(config-if)#clock rate 64000
router1(config-if)#no shutdown
router1(config-if)#exit

router2(config)#no ip domain-lookup
router2(config)#interface s0/0/1
router2(config-if)#ip address 10.20.20.2 255.255.255.252
router2(config-if)#clock rate 64000
router2(config-if)#no shutdown
router2(config-if)#exit

router3(config)#no ip domain-lookup
router3(config)#interface s0/0/1
router3(config-if)#ip address 10.20.20.1 255.255.255.252
router3(config-if)#clock rate 64000
router3(config-if)#no shutdown
router3(config-if)#exit

Step 3: Configure static default routes on edge routers (R1 and R3).
Configure a static default route from R1 to R2 and from R3 to R2.

R1(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.2
R3(config)#ip route 0.0.0.0 0.0.0.0 10.20.20.2

Step 4: Configure static routes on the ISP router (R2).


Configure a static route from R2 to the R1 LAN and from R2 to the R3 LAN.

R2(config)#ip route 172.16.1.0 255.255.255.0 10.10.10.1
R2(config)#ip route 172.16.3.0 255.255.255.0 10.20.20.1

Step 5: Configure basic settings for each switch.


(Connect the switch console to the relevant PC.)

a. Configure host names as shown in the topology.

S1>enable
S1#config t
S1(config)#hostname (name)

S2>enable
S2#config t
S2(config)#hostname (name)

S3>enable
S3#config t
S3(config)#hostname (name)

b. Configure the VLAN 1 management address on each switch as shown in the IP Addressing table.

S1(config)#interface vlan1
S1(config-if)#ip address 172.16.1.11 255.255.255.0
S1(config-if)#no shutdown

S2(config)#interface vlan1
S2(config-if)#ip address 172.16.1.12 255.255.255.0
S2(config-if)#no shutdown

S3(config)#interface vlan1
S3(config-if)#ip address 172.16.3.11 255.255.255.0
S3(config-if)#no shutdown

c. Configure the IP default gateway for each of the three switches. The gateway for the S1 and S2 switches is the R1 Fa0/1 interface IP address. The gateway for the S3 switch is the R3 Fa0/1 interface IP address.

S1(config)#ip default-gateway 172.16.1.1

S2(config)#ip default-gateway 172.16.1.1

S3(config)#ip default-gateway 172.16.3.1

d. Disable DNS lookup to prevent the switches from attempting to translate incorrectly entered commands as though they were host names.

S1(config)#no ip domain-lookup

S2(config)#no ip domain-lookup

S3(config)#no ip domain-lookup

Step 6: Configure PC host IP settings.


Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C, as shown in the IP addressing table.
Set the network back to the original topology.
Control Panel - Network Connections - disable green and wireless - right-click red - Properties - Internet Protocol - Use the following IP address - use the IP addressing table

Step 7: Verify connectivity between PC-A and PC-C.
Command prompt - ping the IP addresses

Step 8: Save the basic running configuration for each router and switch.
R1#copy running-config startup-config
R2#copy running-config startup-config
R3#copy running-config startup-config
S1#copy running-config startup-config
S2#copy running-config startup-config
S3#copy running-config startup-config

Part 2
Step 1: Configure a minimum password length of 10 characters on all routers.
R1(config)#security passwords min-length 10
R2(config)#security passwords min-length 10
R3(config)#security passwords min-length 10

Step 2: Configure the enable secret password on all routers.
R1(config)#enable secret ciscoenapa55
R2(config)#enable secret ciscoenapa55
R3(config)#enable secret ciscoenapa55

Step 3: Encrypt plaintext passwords.
R1(config)#service password-encryption
R2(config)#service password-encryption
R3(config)#service password-encryption

Step 4: Configure the console lines on all routers.
R1(config)#line console 0
R1(config-line)#password ciscoenapa55
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous

R2(config)#line console 0
R2(config-line)#password ciscoenapa55
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R2(config-line)#logging synchronous

R3(config)#line console 0
R3(config-line)#password ciscoenapa55
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#logging synchronous

Step 5: Configure the vty lines on R2.
R2(config)#line vty 0 4
R2(config-line)#password ciscoenapa55
R2(config-line)#exec-timeout 5 0
R2(config-line)#login

Step 6: Configure a login warning banner on routers R1 and R3.
R1(config)#banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$
R1(config)#exit
R3(config)#banner motd $Unauthorized access strictly prohibited and prosecuted to the full extent of the law$
R3(config)#exit

Task 2: Configure Local Authentication Using AAA on R1 and R3.

Step 1: Configure the local user database on R1.
R1(config)#username Admin01 secret Admin01pa55

Step 2: Enable AAA services on R1.
R1(config)#aaa new-model

Step 3: Implement AAA services using the local database on R1 and R3.
a. Create the default login authentication method list using local authentication as the first option and the enable password as the backup option.
R1(config)#aaa authentication login default local enable
R3(config)#aaa authentication login default local enable
b. Verify that AAA with local authentication is functioning correctly.

Task 3: Configure the SSH Server on Routers R1 and R3.

Step 1: Configure the domain name ccnasecurity.com on R1.
R1(config)#ip domain name ccnasecurity.com

Step 2: Configure the incoming vty lines on R1.
R1(config)#username Admin01 privilege 15 secret Admin01pa55

Step 3: Generate the RSA encryption key pair for router R1.
R1(config)#crypto key zeroize rsa
R1(config)#crypto key generate rsa modulus 1024

Step 4: Verify SSH connectivity to R1 from PC-A.

Task 4: Secure against login attacks on R1 and R3.
R1#show login
R1(config)#login block-for 60 attempts within 30
R3#show login
R3(config)#login block-for 60 attempts within 30

Task 5: Configure a Zone-Based Policy Firewall (ZPF) on R1 and R3.

Step 1: Enable the HTTP server on R1.
R1(config)#ip http server

Step 2: Access SDM and set command delivery preferences on R1.
a. Run the SDM application, or open a browser on PC-A and start SDM.
b. Log in as Admin01 with a password of Admin01pa55. Enter the same username and password for subsequent login dialog boxes, if prompted.
c. Select Edit > Preferences to configure SDM to allow you to preview the commands before sending them to the router.

Step 3: Use the SDM Firewall wizard to configure a ZPF on R1 and R3.
a. Click the Configure button at the top of the SDM screen, and then click Firewall and ACL.
b. Select Basic Firewall and click the Launch the selected task button. On the Basic Firewall Configuration wizard screen, click Next.
c. Check the Inside (trusted) check box for FastEthernet0/1 and the Outside (untrusted) check box for Serial0/0/0. Click Next.
d. Select Low Security and click Next. In the Summary window, click Finish.
e. Click OK in the Commands Delivery Status window.

Task 6: Configure IPS on R1 and R3 Using SDM.

Step 1: Prepare router R1 and the TFTP server.
To configure Cisco IOS IPS 5.x, the IOS IPS signature package file and public crypto key files must be available on the PC with the TFTP server installed (R1 uses PC-A as the TFTP server and R3 uses PC-C).
a. Verify that the IOS-Sxxx-CLI.pkg signature package file is in the default TFTP folder. The xxx is the version number and varies depending on which file was downloaded from CCO.
b. Verify that the realm-cisco.pub.key.txt file is available and note its location on PC-A or PC-C. This is the public crypto key used by Cisco IOS IPS.
c. Verify or create the IPS directory, ipsdir, in router flash on R1. From the R1 CLI, display the content of flash memory and check to see if the ipsdir directory exists.
d. If the ipsdir directory is not listed, create it in privileged EXEC mode, using the mkdir command.
Note: If the ipsdir directory is listed and there are files in it, the files must be deleted. This directory must be empty before configuring IPS. If there are no files in it, you may proceed to configure IPS.

Step 2: Verify the IOS IPS signature package location and TFTP server setup.

Step 3: Access SDM on R1.

Step 4: Use the SDM IPS wizard to configure IPS.

Step 5: Save the running configuration to the startup configuration.

Step 6: Repeat Steps 1 through 5 to configure IPS on R3.
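
Added example (not part of the original lab notes): a Python check that reads a saved running-config and reports which of the Part 2 settings (minimum password length, enable secret, password encryption, line exec-timeout, login block-for, and an AAA login list that falls back to none) are missing or weakened. The sample configuration, the helper names and the finding texts are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from the page): it follows Part 2 but
# keeps a "none" fallback, disables the vty timeout and omits login block-for.
SAMPLE_CONFIG = """\
service password-encryption
security passwords min-length 10
enable secret 5 $1$CONSTRUCTED$placeholder
aaa new-model
aaa authentication login default local none
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 0 0
"""

def line_blocks(config):
    """Map each 'line ...' header to the indented sub-commands beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit(config):
    """Return sorted findings for the Part 2 settings (hypothetical helper)."""
    findings = []
    top = [l for l in config.splitlines() if l and not l.startswith(" ")]
    m = re.search(r"^security passwords min-length (\d+)", config, re.M)
    if not m or int(m.group(1)) < 10:
        findings.append("password min-length below 10 or unset")
    for prefix in ("enable secret ", "service password-encryption", "login block-for "):
        if not any(l.startswith(prefix) for l in top):
            findings.append(prefix.strip() + " missing")
    for l in top:
        if l.startswith("aaa authentication login ") and l.split()[-1] == "none":
            findings.append("aaa login list ends in none")
    for header, cmds in line_blocks(config).items():
        # IOS applies exec-timeout 10 0 when the command is absent from the config.
        t = re.search(r"exec-timeout (\d+)(?: (\d+))?", "\n".join(cmds))
        idle = int(t.group(1)) * 60 + int(t.group(2) or 0) if t else 600
        if not 0 < idle <= 300:
            findings.append(header + ": idle timeout disabled or above 5 min")
    return sorted(findings)
```

Run audit() over the output of show running-config saved from each router; an empty list means every checked setting matches the lab values.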

PART 3
TO ENABLE SDM
router3>en
router3#config t
Enter configuration commands, one per line. End with CNTL/Z.
router3(config)#hostname R3
R3(config)#ip http server
R3(config)#interface fa 0/1
R3(config-if)#ip address 172.16.3.1 255.255.255.0
R3(config-if)#no shut
R3(config-if)#enable password ciscoenapa55

Task 1: Configure the site-to-site VPN on R1 and R3.


Step 1: Access SDM on R1.
If you can't access it, Java 5 isn't installed correctly or the firewall is blocking it. Do the firewall configuration as the last step.
Enter the IP address into Internet Explorer: username - blank, password - ciscoenapa55

Step 2: Start the SDM VPN wizard to configure R1.

Step 3: Configure basic VPN connection information settings.


a. The interface for the connection on R1 is Serial0/0/0.
b. In the Peer Identity section, select Peer with static address and enter the IP address of the remote peer (R3 S0/0/1).
R1 - 10.20.20.1
R3 - 10.10.10.1
c. The authentication pre-shared key is ciscovpnpa55.
d. For the traffic to encrypt, specify FastEthernet 0/1 of R1 as the source interface. Specify the IP address and subnet mask of the R3 FastEthernet 0/1 interface as the destination. These settings will be mirrored when configuring R3.
R1 - 172.16.3.1 255.255.255.0
R3 - 172.16.1.1 255.255.255.0

Step 4: Review the summary configuration and deliver commands to the router.

Step 5: Save the running-config to the startup-config.

Step 6: Repeat Steps 1 through 5 to configure the site-to-site VPN on R3. Be sure to account for differences in interfaces and other variables.
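
Added example (not part of the original lab notes): a Python check that the two ends of the tunnel from Step 3 mirror each other, meaning the same pre-shared key, each peer address equal to the other router's serial address, and source and destination networks swapped. The IOS excerpts are constructed; the crypto map name and ACL number are assumptions, not SDM output.

```python
import re

# Constructed excerpts in IOS syntax (not from the page). Addresses and the
# pre-shared key are the lab's; crypto map name and ACL number are assumed.
R1_CFG = """\
crypto isakmp key ciscovpnpa55 address 10.20.20.1
crypto map VPN_MAP 1 ipsec-isakmp
 set peer 10.20.20.1
 match address 100
interface Serial0/0/0
 ip address 10.10.10.1 255.255.255.252
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
"""
R3_CFG = """\
crypto isakmp key ciscovpnpa55 address 10.10.10.1
crypto map VPN_MAP 1 ipsec-isakmp
 set peer 10.10.10.1
 match address 100
interface Serial0/0/1
 ip address 10.20.20.1 255.255.255.252
access-list 100 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
"""

def vpn_view(cfg):
    """Extract the tunnel-relevant fields from one router's config text."""
    key, key_peer = re.search(r"^crypto isakmp key (\S+) address (\S+)", cfg, re.M).groups()
    peer = re.search(r"^ set peer (\S+)", cfg, re.M).group(1)
    acl = re.search(r"^ match address (\d+)", cfg, re.M).group(1)
    local = re.search(r"^ ip address (\S+)", cfg, re.M).group(1)
    src, dst = re.search(rf"^access-list {acl} permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M).groups()
    return dict(key=key, key_peer=key_peer, peer=peer, local=local, src=src, dst=dst)

def mirror_errors(cfg_a, cfg_b):
    """Return the ways the two peers' site-to-site settings fail to mirror."""
    a, b = vpn_view(cfg_a), vpn_view(cfg_b)
    errs = []
    if a["key"] != b["key"]:
        errs.append("pre-shared keys differ")
    for x, y in ((a, b), (b, a)):
        if x["peer"] != y["local"] or x["key_peer"] != y["local"]:
            errs.append(f"peer {x['peer']} is not the other side's address {y['local']}")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        errs.append("crypto ACLs are not mirror images")
    return errs
```
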

Task 2: Test the VPN between R1 and R3 Using SDM.

Part 4
