CCIE SEC Study LAB1
Contents
1.1 Configure Routing and Basic Access on ASA1 (point 6)
1.2 Configure Stateful Failover Between ASA1 and ASA2 (point 4)
1.3 Configure ASA3 in Multi-Context Firewall Mode (point 4)
1.4 Configure ASA4 in Transparent Mode with NAT Support (point 6)
2.1 Initialize the Cisco IPS Sensor Appliance (point 4)
2.2 Deploy the Cisco IPS Sensor Using an In-Line VLAN Pair (point ?)
2.3 Implement a Custom Signature on the Cisco IPS Sensor (point 4)
2.4 Initialize the Cisco WSA and Enable WCCP Support (point 6)
2.5 Add a Custom URL Access Policy to the WSA (point 3)
3.1 Troubleshoot IPsec Management of ASA4 (point 4)
3.2 Troubleshoot IPsec Static VTI with IPv6 (point 5)
3.3 Troubleshoot DMVPN Phase 3 with Dual Hubs (point 6)
3.4 Configure Security Features on the Cisco WLC (point 4)
4.1 Troubleshoot Secure Routing Using OSPFv3 in Cisco IOS (point 4)
4.2 Troubleshoot IP Options Handling on the Cisco ASA (point 3)
4.3 Configure Netflow on a Cisco IOS Router (point 3)
5.1 Tuning Application Inspection on the ASA (point 4)
5.2 Configure Dynamic ARP Inspection in a DHCP Environment (point ?)
6.1 Configure the Cisco Access Point as an 802.1X Supplicant (point 6)
6.2 Configure Support for MAB/802.1X for Voice and Data VLANs (point 6+6)
Each section has a Requirements part and a Solution part.
1.1 Configure Routing and Basic Access on ASA1 (point 6)
Requirements:
This question has three tasks. Complete each task to provide basic connectivity and routing capabilities on ASA1.
1) ASA1 should be in single-context routed mode and configured using the information in the table below.

Interface            Nameif    Switch VLANs   Sec-level   IP Address
GigabitEthernet0/0   Outside   5              0           7.7.5.10/24
GigabitEthernet0/2   Inside    3              100         7.7.3.10/24
GigabitEthernet0/3   DMZ       8              50          7.7.8.10/24

Use exact names and numbers as shown in the table.
2) Add static routes as follows:

Interface   Network                     Next Hop
Inside      Configure a default route   7.7.3.2

3) Configure OSPF process 1 with router-id 8.8.8.8
a. Assign network 7.7.5.0 to area 0
b. Assign network 7.7.8.0 to area 1
c. Ensure that networks 192.168.11.11 and 192.168.22.22 (loopbacks on R1 and R2) are added to the routing table of ASA1 but are not propagated into area 0. Verify by checking the routing table on R6.
Verify your solution by successfully pinging the inside 150.1.YY.0 network from all major YY.YY.0.0 subnets, as well as from outside subnets to DMZ subnets, for example:
R3#ping 7.7.8.1
R3#ping 150.1.7.20
R3#ping 7.7.3.2
Solution:
On SW2:
interface FastEthernet0/8  (ASA1 E0/0)
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/11  (ASA1 E0/2)
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/12  (ASA1 E0/3)
 switchport access vlan 8
 switchport mode access
 spanning-tree portfast
end
wr
On ASA1:
hostname ASA1
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 7.7.5.10 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 7.7.3.10 255.255.255.0
 no shutdown
!
interface Ethernet0/3
 nameif DMZ
 security-level 50
 ip address 7.7.8.10 255.255.255.0
 no shutdown
route inside 0 0 7.7.3.2
prefix-list IPLab-Filter deny 192.168.11.11/32
prefix-list IPLab-Filter deny 192.168.22.22/32
prefix-list IPLab-Filter permit 0.0.0.0/0 le 32
router ospf 1
 router-id 8.8.8.8
 network 7.7.5.0 255.255.255.0 area 0
 network 7.7.8.0 255.255.255.0 area 1
 area 0 filter-list prefix IPLab-Filter in
access-list out extended permit icmp any any
access-group out in interface outside
Test (ASA1):
R3#ping 7.7.8.1
R3#ping 150.1.7.20  (only reachable once the IPS and ASA3 are configured)
R3#ping 7.7.3.2
After the tests pass, wr
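Task 3c depends on how the ASA evaluates the prefix-list under "area 0 filter-list prefix IPLab-Filter in". The following Python model is an added example and not part of the lab workbook: it reproduces first-match prefix-list evaluation (including ge/le) over the three entries from the solution above and applies it to a constructed list of candidate inter-area prefixes, so you can see which ones area 0 would receive. The function names and the candidate list are the example's own.

```python
import ipaddress

# Added example (not from the lab workbook): a model of Cisco prefix-list
# matching, used to show why "area 0 filter-list prefix IPLab-Filter in"
# with the three entries from the solution keeps the R1/R2 loopbacks out
# of area 0 while still letting every other prefix through.

# Constructed copy of the prefix-list from the solution, as
# (action, prefix, ge, le) tuples; ge/le are None when not configured.
IPLAB_FILTER = [
    ("deny",   "192.168.11.11/32", None, None),
    ("deny",   "192.168.22.22/32", None, None),
    ("permit", "0.0.0.0/0",        None, 32),
]

def entry_matches(route, prefix, ge, le):
    """True if `route` (an ip_network) matches one prefix-list entry.

    Without ge/le the route must be exactly the entry prefix. With ge/le
    the route must lie inside the entry prefix and its length must fall in
    [ge, le]; ge defaults to the entry length, le to 32 for IPv4."""
    entry = ipaddress.ip_network(prefix, strict=False)
    if ge is None and le is None:
        return route == entry
    if route.version != entry.version or not route.subnet_of(entry):
        return False
    low = entry.prefixlen if ge is None else ge
    high = route.max_prefixlen if le is None else le
    return low <= route.prefixlen <= high

def prefix_list_action(route_str, plist=IPLAB_FILTER):
    """First matching entry wins; nothing matching means the implicit deny,
    which is how IOS and the ASA evaluate a prefix-list."""
    route = ipaddress.ip_network(route_str, strict=False)
    for action, prefix, ge, le in plist:
        if entry_matches(route, prefix, ge, le):
            return action
    return "deny"

def filter_area0(candidates, plist=IPLAB_FILTER):
    """Return the candidate inter-area prefixes the filter lets into area 0."""
    return [r for r in candidates if prefix_list_action(r, plist) == "permit"]

if __name__ == "__main__":
    # Constructed candidates: the area 1 subnet plus the two R1/R2 loopbacks.
    for r in ["7.7.8.0/24", "192.168.11.11/32", "192.168.22.22/32"]:
        print(r, prefix_list_action(r))
```

The third entry is the one people get wrong: "permit 0.0.0.0/0" on its own matches only the default route itself, so without "le 32" every other prefix would fall through to the implicit deny and area 0 would receive nothing from area 1 at all.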
1.2 Configure Stateful Failover Between ASA1 and ASA2 (point 4)
Requirements:
- Configure LAN-based active/standby failover on ASA1 and ASA2.
- Use GigabitEthernet0/1 in VLAN 100 on SW2 for the Failover LAN interface and name it fover.
- Use IP address 7.7.100.100/24 for active and 7.7.100.101/24 for standby.
- Enable stateful failover using the fover interface GigabitEthernet0/1.
- Configure standby IP addresses as shown in the output below.
- Use all other parameters accordingly to activate this task.
Your output must match all parameters highlighted below:
ASA1(config-if)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet0/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 01:07:20 UTC Jan 3 2003
        This host: Primary - Active
                Active time: 137 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.4(1)) status (Up Sys)
                  Interface outside (7.7.5.10): Normal (Monitored)
                  Interface inside (7.7.3.10): Normal (Monitored)
                  Interface DMZ (7.7.8.10): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.4(1)) status (Up Sys)
                  Interface outside (7.7.5.11): Normal (Monitored)
                  Interface inside (7.7.3.11): Normal (Monitored)
                  Interface DMZ (7.7.8.11): Normal (Monitored)
Solution:
On SW2:
interface FastEthernet0/9  (ASA1 E0/1)
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/14  (ASA2 E0/1)
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
end
wr
--------------------------------------------------------------------------------
interface FastEthernet0/13  (ASA2 E0/0)
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/15  (ASA2 E0/2)
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/16  (ASA2 E0/3)
 switchport access vlan 8
 switchport mode access
 spanning-tree portfast
end
wr
--------------------------------------------------------------------------------
On ASA1:
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 7.7.5.10 255.255.255.0 standby 7.7.5.11
!
interface Ethernet0/1
 no shutdown
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 7.7.3.10 255.255.255.0 standby 7.7.3.11
!
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address 7.7.8.10 255.255.255.0 standby 7.7.8.11
failover lan unit primary
failover lan interface fover Ethernet0/1
failover link fover Ethernet0/1
failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
failover
wr
--------------------------------------------------------------------------------
On ASA2:
interface Ethernet0/1
 no shutdown
!
failover lan unit secondary
failover lan interface fover Ethernet0/1
failover link fover Ethernet0/1
failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
failover
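The task is graded on the "show failover" output matching the highlighted parameters, and the same output is what you would check after any failover change in production. The following Python script is an added example and not part of the lab workbook: it parses a constructed copy of the expected output quoted in the requirements and lists every deviation from the required state (failover on, this unit Primary and Active, the peer Standby Ready, the fover link up, every monitored interface Normal on both units with a distinct standby address). The function names are the example's own.

```python
import re

# Added example, not from the lab workbook: parse "show failover" output and
# check it against the parameters this task says must match.

# Constructed copy of the expected output quoted in the task.
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: fover Ethernet0/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 01:07:20 UTC Jan 3 2003
        This host: Primary - Active
                Active time: 137 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.4(1)) status (Up Sys)
                  Interface outside (7.7.5.10): Normal (Monitored)
                  Interface inside (7.7.3.10): Normal (Monitored)
                  Interface DMZ (7.7.8.10): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.4(1)) status (Up Sys)
                  Interface outside (7.7.5.11): Normal (Monitored)
                  Interface inside (7.7.3.11): Normal (Monitored)
                  Interface DMZ (7.7.8.11): Normal (Monitored)
"""

# One pattern per line type the checker cares about.
PATTERNS = {
    "enabled":   re.compile(r"^Failover (On|Off)$"),
    "unit":      re.compile(r"^Failover unit (\w+)$"),
    "lan_if":    re.compile(r"^Failover LAN Interface: (\S+) \S+ \((\w+)\)$"),
    "monitored": re.compile(r"^Monitored Interfaces (\d+) of \d+ maximum$"),
    "host":      re.compile(r"^(This|Other) host: (\w+) - (.+)$"),
    "iface":     re.compile(r"^Interface (\S+) \(([\d.]+)\): (\w+) \((\w+)\)$"),
}

def parse_show_failover(text):
    """Return global settings plus, per host, its role/state and interface states."""
    info = {"hosts": {}}
    host = None  # which host block ("this"/"other") the interface lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        for key, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            if key == "enabled":
                info["enabled"] = m.group(1) == "On"
            elif key == "unit":
                info["unit"] = m.group(1)
            elif key == "lan_if":
                info["lan_if"] = {"name": m.group(1), "state": m.group(2)}
            elif key == "monitored":
                info["monitored"] = int(m.group(1))
            elif key == "host":
                host = m.group(1).lower()
                info["hosts"][host] = {"role": m.group(2), "state": m.group(3), "interfaces": {}}
            elif key == "iface" and host:
                info["hosts"][host]["interfaces"][m.group(1)] = {
                    "ip": m.group(2), "status": m.group(3), "monitor": m.group(4)}
            break
    return info

def failover_problems(info, expect_unit="Primary", expect_lan_if="fover"):
    """List every deviation from the state the task requires; [] means it matches."""
    problems = []
    if not info.get("enabled"):
        problems.append("failover is not enabled")
    if info.get("unit") != expect_unit:
        problems.append(f"unit is {info.get('unit')}, expected {expect_unit}")
    lan = info.get("lan_if", {})
    if lan.get("name") != expect_lan_if or lan.get("state") != "up":
        problems.append("failover LAN interface missing, misnamed or not up")
    this, other = info["hosts"].get("this", {}), info["hosts"].get("other", {})
    if this.get("state") != "Active":
        problems.append("this host is not Active")
    if other.get("state") != "Standby Ready":
        problems.append("other host is not Standby Ready")
    if len(this.get("interfaces", {})) != info.get("monitored"):
        problems.append("monitored interface count does not match the interface list")
    for name, ifc in this.get("interfaces", {}).items():
        peer = other.get("interfaces", {}).get(name)
        if ifc["status"] != "Normal" or not peer or peer["status"] != "Normal":
            problems.append(f"interface {name} is not Normal on both units")
        elif ifc["ip"] == peer["ip"]:
            problems.append(f"interface {name} has no distinct standby address")
    return problems

if __name__ == "__main__":
    print(failover_problems(parse_show_failover(SHOW_FAILOVER)) or "failover state matches")
```

Run it against the real output of "show failover" (copied from the ASA) rather than the constructed copy; a non-empty list points at exactly the parameter that still differs from the required output, which is quicker than reading the block by eye during the lab.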
1.3 Configure ASA3 in Multi-Context Firewall Mode (point 4)
Requirements:
1. Configured as a multi-context firewall, ASA3 requires a shared outside interface. Use the following outputs to complete the initial configuration.

Name    Config URL
C1      C1.cfg
C2      C2.cfg
Admin   Admin.cfg

2. Permit Internet Control Message Protocol (ICMP) traffic from any to any in both contexts.
3. Modify the Catalyst switch configuration to complete this task.
4. When completed, ensure that you are able to ping all major subnets within your network, including ISE1 at 150.1.7.20.
5. Interface numbers as shown in the tables:
c1:

Interface     Type         Nameif    Vlan   Sec-level   IP address
Ethernet0/1   Not shared   Inside    2      100         7.7.2.10/24
Ethernet0/0   Shared       Outside   33     0           7.7.3.8/24

Interface   Network                     Next Hop
Outside     Configure a default route   7.7.3.2

c2:

Interface     Type         Nameif    Vlan   Sec-level   IP address
Ethernet0/2   Not shared   Inside    4      100         7.7.4.10/24
Ethernet0/0   Shared       Outside   33     0           7.7.3.12/24

Interface   Network                                   Next Hop
Outside     Configure a static route for 7.7.0.0/16   7.7.3.2
Inside      Configure a default route                 7.7.4.1

admin:

Interface     Nameif       Vlan   Sec-level   IP address
Ethernet0/2   Management   4      100         7.7.4.200/24

Interface    Network         Next Hop
Management   Default route   7.7.4.1

6. Configure IP services on ASA3
Telnet Access --- Telnet must be allowed from VLAN 4 IP 7.7.4.1 on SW1 to the admin context of ASA3.
a. Verify your solution
SW1#telnet 7.7.4.200 /so vlan 4
Trying 7.7.4.200 ... Open
b. Object NAT and Port to Application Mapping --- Use object NAT to translate the VLAN 4 IP address of 7.7.4.1 on SW1 to a global address of 7.7.3.3. Devices on the outside of ASA3 must be able to Telnet to the global address using a non-standard port of 2300.
R6#telnet 7.7.3.3 2300
Trying 7.7.3.3, 2400 ... Open
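Task 6b asks for a static object NAT that also maps the service port, and the part that is easy to get backwards is which direction each rewrite applies in. The following Python model is an added example and not part of the lab workbook: it holds one constructed NAT rule mirroring the task (real 7.7.4.1 tcp/23 shown outside as 7.7.3.3 tcp/2300) and traces a Telnet request and its reply through both rewrites. The outside client address 7.7.3.6 is constructed (R6's address is not given in the task), the function names are the example's own, and the ASA-side configuration (which context holds the rule and which interface pair it uses) is left to the lab.

```python
from dataclasses import dataclass

# Added example (not from the lab workbook): a model of the static object NAT
# with port translation asked for in task 6b, tracing how an outside Telnet to
# 7.7.3.3 on port 2300 is delivered to SW1 at 7.7.4.1 on port 23 and how the
# reply is untranslated on the way back.

@dataclass(frozen=True)
class StaticNat:
    real_ip: str      # address on the inside of the firewall
    mapped_ip: str    # address seen on the outside
    real_port: int    # service on the real host (telnet is 23)
    mapped_port: int  # port exposed on the outside
    proto: str = "tcp"

# Constructed rule mirroring the task: 7.7.4.1 tcp/23 appears as 7.7.3.3 tcp/2300.
TASK_NAT = [StaticNat("7.7.4.1", "7.7.3.3", 23, 2300)]

def inbound(dst_ip, dst_port, proto="tcp", table=TASK_NAT):
    """Outside -> inside: rewrite a mapped destination to the real one.
    Anything the table does not cover is returned unchanged (no translation)."""
    for e in table:
        if e.proto == proto and (dst_ip, dst_port) == (e.mapped_ip, e.mapped_port):
            return (e.real_ip, e.real_port)
    return (dst_ip, dst_port)

def outbound(src_ip, src_port, proto="tcp", table=TASK_NAT):
    """Inside -> outside: rewrite a real source to its mapped identity so the
    reply carries the address and port the outside client connected to."""
    for e in table:
        if e.proto == proto and (src_ip, src_port) == (e.real_ip, e.real_port):
            return (e.mapped_ip, e.mapped_port)
    return (src_ip, src_port)

def trace_telnet(client_ip, client_port, mapped=("7.7.3.3", 2300)):
    """Return the (src, dst) pairs of the request and reply on each side of the ASA."""
    client = (client_ip, client_port)
    real = inbound(*mapped)
    return {
        "request_on_outside": (client, mapped),
        "request_on_inside":  (client, real),
        "reply_on_inside":    (real, client),
        "reply_on_outside":   (outbound(*real), client),
    }

if __name__ == "__main__":
    # Constructed outside client address; R6's real address is not given in the task.
    for step, pair in trace_telnet("7.7.3.6", 40000).items():
        print(f"{step:20s} {pair[0]} -> {pair[1]}")
```

Only the exact mapped address and port are rewritten: a connection to 7.7.3.3 on any other port is left untranslated, which is why the verification in the task has to use the non-standard port and not plain Telnet on port 23.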
Solution:
On SW4:
interface FastEthernet0/11  (ASA3 E0/0)
 switchport access vlan 33
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/12  (ASA3 E0/1)
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/13  (ASA3 E0/2)
 switchport access vlan 4
 switchport mode access
 spanning-tree portfast
!
wr
--------------------------------------------------------------------------------
On ASA3:
show mode      (confirm the unit is in multiple mode)
show firewall  (confirm it is in routed mode)
hostname ASA3
interface Ethernet0/0
 no shutdown
!
interface Ethernet0/1
 no shutdown
!
interface Ethernet0/2
 no shutdown
--------------------------------------------------------------------------------
admin-context admin
context admin
 allocate-interface Ethernet0/2
 config-url disk0:/admin.cfg
!
context c1
 allocate-interface Ethernet0/0
 allocate-interface Ethernet0/