CCIE SEC Study LAB1.docx

Uploaded by: b****8  Document ID: 30130518  Upload date: 2023-08-05  Format: DOCX  Pages: 87  Size: 36.25MB
CCIE SEC Study LAB1

Contents

1.1 Configure Routing and Basic Access on ASA1 (point 6)
  Requirements
  Solution
1.2 Configure Stateful Failover Between ASA1 and ASA2 (point 4)
  Requirements
  Solution
1.3 Configure ASA3 in Multi-Context Firewall Mode (point 4)
  Requirements
  Solution
1.4 Configure ASA4 in Transparent Mode with NAT Support (point 6)
  Requirements
  Solution
2.1 Initialize the Cisco IPS Sensor Appliance (point 4)
  Requirements
  Solution
2.2 Deploy the Cisco IPS Sensor Using an In-Line VLAN Pair (point ?)
  Requirements
  Solution
2.3 Implement a Custom Signature on the Cisco IPS Sensor (point 4)
  Requirements
  Solution
2.4 Initialize the Cisco WSA and Enable WCCP Support (point 6)
  Requirements
  Solution
2.5 Add a Custom URL Access Policy to the WSA (point 3)
  Requirements
  Solution
3.1 Troubleshoot IPsec Management of ASA4 (point 4)
  Requirements
  Solution
3.2 Troubleshoot IPsec Static VTI with IPv6 (point 5)
  Requirements
  Solution
3.3 Troubleshoot DMVPN Phase 3 with Dual Hubs (point 6)
  Requirements
  Solution
3.4 Configure Security Features on the Cisco WLC (point 4)
  Requirements
  Solution
4.1 Troubleshoot Secure Routing Using OSPFv3 in Cisco IOS (point 4)
  Requirements
  Solution
4.2 Troubleshoot IP Options Handling on the Cisco ASA (point 3)
  Requirements
  Solution
4.3 Configure Netflow on a Cisco IOS Router (point 3)
  Requirements
  Solution
5.1 Tuning Application Inspection on the ASA (point 4)
  Requirements
  Solution
5.2 Configure Dynamic-ARP Inspection in a DHCP environment (point ?)
  Requirements
  Solution
6.1 Configure the Cisco Access Point as an 802.1X Supplicant (point 6)
  Requirements
  Solution
6.2 Configure Support for MAB/802.1X for Voice and Data VLANs (point 6+6)
  Requirements
  Solution

1.1 Configure Routing and Basic Access on ASA1 (point 6)

Requirements:

This question has three tasks. Complete each task to provide basic connectivity and routing capabilities on ASA1.

1) ASA1 should be in single-context routed mode and configured using the information in the table below.

| Interface          | Nameif  | Switch VLANs | Sec-level | IP Address  |
|--------------------|---------|--------------|-----------|-------------|
| GigabitEthernet0/0 | Outside | 5            | 0         | 7.7.5.10/24 |
| GigabitEthernet0/2 | Inside  | 3            | 100       | 7.7.3.10/24 |
| GigabitEthernet0/3 | DMZ     | 8            | 50        | 7.7.8.10/24 |

Use exact names and numbers as shown in the table.

2) Add static routes as follows:

| Interface | Network                   | Next Hop |
|-----------|---------------------------|----------|
| Inside    | Configure a default route | 7.7.3.2  |

3) Configure OSPF process 1 with router-id 8.8.8.8

a. Assign network 7.7.5.0 to area 0

b. Assign network 7.7.8.0 to area 1

c. Ensure that networks 192.168.11.11 and 192.168.22.22 (loopbacks on R1 and R2) are added to the routing table on ASA1 but are not propagated into area 0. Verify by checking the routing table on R6.

Verify your solutions by successfully pinging the inside 150.1.YY.0 network from all the major YY.YY.0.0 subnets, as well as from outside subnets to DMZ subnets, for example:

    R3# ping 7.7.8.1
    R3# ping 150.1.7.20
    R3# ping 7.7.3.2

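Solution:

On SW2:

    ! Fa0/8 connects to ASA1 E0/0 (outside, VLAN 5)
    interface FastEthernet0/8
     switchport access vlan 5
     switchport mode access
     spanning-tree portfast
    !
    ! Fa0/11 connects to ASA1 E0/2 (inside, VLAN 3)
    interface FastEthernet0/11
     switchport access vlan 3
     switchport mode access
     spanning-tree portfast
    !
    ! Fa0/12 connects to ASA1 E0/3 (DMZ, VLAN 8)
    interface FastEthernet0/12
     switchport access vlan 8
     switchport mode access
     spanning-tree portfast
    end
    wr

On ASA1:

    hostname ASA1
    interface Ethernet0/0
     nameif Outside
     security-level 0
     ip address 7.7.5.10 255.255.255.0
     no shutdown
    !
    interface Ethernet0/2
     nameif Inside
     security-level 100
     ip address 7.7.3.10 255.255.255.0
     no shutdown
    !
    interface Ethernet0/3
     nameif DMZ
     security-level 50
     ip address 7.7.8.10 255.255.255.0
     no shutdown
    !
    ! Default route via the inside next hop
    route inside 0 0 7.7.3.2
    !
    ! Deny the R1 and R2 loopbacks, then permit everything else
    ! (a prefix-list ends with an implicit deny)
    prefix-list IPLab-Filter deny 192.168.11.11/32
    prefix-list IPLab-Filter deny 192.168.22.22/32
    prefix-list IPLab-Filter permit 0.0.0.0/0 le 32
    !
    router ospf 1
     router-id 8.8.8.8
     network 7.7.5.0 255.255.255.0 area 0
     network 7.7.8.0 255.255.255.0 area 1
     ! Filter what is advertised into area 0
     area 0 filter-list prefix IPLab-Filter in
    !
    ! Allow ICMP in through the outside interface for the ping tests
    access-list out extended permit icmp any any
    access-group out in interface outside

Test (ASA1):

    R3# ping 7.7.8.1
    R3# ping 150.1.7.20    (succeeds only after the IPS and ASA3 have been configured)
    R3# ping 7.7.3.2

Once the tests pass, save the configuration with wr.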
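The prefix-list in the ASA1 solution above depends on first-match ordering and on the implicit deny at the end of every prefix-list. The following Python is an added example, not part of the original lab document, that evaluates those three entries against a few constructed candidate routes; the candidate list and the function names are assumptions for illustration.

```python
import ipaddress

# The three IPLab-Filter entries from the ASA1 solution, in order:
# (action, prefix, ge, le); None means the keyword is absent.
IPLAB_FILTER = [
    ("deny", "192.168.11.11/32", None, None),
    ("deny", "192.168.22.22/32", None, None),
    ("permit", "0.0.0.0/0", None, 32),
]

def entry_matches(route, prefix, ge, le):
    """The route must fall inside `prefix`; its length must equal the
    entry's length unless ge/le widen the accepted range."""
    net = ipaddress.ip_network(prefix)
    if not route.subnet_of(net):
        return False
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else 32
    return low <= route.prefixlen <= high

def evaluate(prefix_list, route):
    """First matching entry wins; no match at all is the implicit deny."""
    route = ipaddress.ip_network(route)
    for action, prefix, ge, le in prefix_list:
        if entry_matches(route, prefix, ge, le):
            return action
    return "deny"

def filter_into_area0(prefix_list, routes):
    """Routes that 'area 0 filter-list prefix <list> in' lets into area 0."""
    return [r for r in routes if evaluate(prefix_list, r) == "permit"]

# Constructed sample: routes ASA1 could otherwise advertise into area 0.
CANDIDATES = ["192.168.11.11/32", "192.168.22.22/32",
              "7.7.8.0/24", "192.168.11.0/24"]

if __name__ == "__main__":
    for r in CANDIDATES:
        print(f"{r:20} {evaluate(IPLAB_FILTER, r)}")
    # Without the final permit line every route hits the implicit deny.
    print(filter_into_area0(IPLAB_FILTER[:2], CANDIDATES))
```

Note that 192.168.11.0/24 is permitted: the deny entries match only the exact /32 host routes named in the task.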

1.2 Configure Stateful Failover Between ASA1 and ASA2 (point 4)

Requirements:

- Configure LAN-based active-standby failover on ASA1 and ASA2.
- Use GigabitEthernet0/1 in VLAN 100 on SW2 for the failover LAN interface and name it fover.
- Use IP address 7.7.100.100/24 for active and 7.7.100.101/24 for standby.
- Enable stateful failover using fover interface GigabitEthernet0/1.
- Configure standby IP addresses as shown in the output below.
- Use all other parameters accordingly to achieve this task.

Your output must match all parameters highlighted below:

    ASA1(config-if)# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: fover Ethernet0/1 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 110 maximum
    Version: Ours 8.4(1), Mate 8.4(1)
    Last Failover at: 01:07:20 UTC Jan 3 2003
            This host: Primary - Active
                    Active time: 137 (sec)
                    slot 0: ASA5510 hw/sw rev (2.0/8.4(1)) status (Up Sys)
                      Interface outside (7.7.5.10): Normal (Monitored)
                      Interface inside (7.7.3.10): Normal (Monitored)
                      Interface DMZ (7.7.8.10): Normal (Monitored)
            Other host: Secondary - Standby Ready
                    Active time: 0 (sec)
                    slot 0: ASA5510 hw/sw rev (2.0/8.4(1)) status (Up Sys)
                      Interface outside (7.7.5.11): Normal (Monitored)
                      Interface inside (7.7.3.11): Normal (Monitored)
                      Interface DMZ (7.7.8.11): Normal (Monitored)

Solution:

On SW2:

    ! Failover link: Fa0/9 connects to ASA1 E0/1, Fa0/14 to ASA2 E0/1
    interface FastEthernet0/9
     switchport access vlan 100
     switchport mode access
     spanning-tree portfast
    interface FastEthernet0/14
     switchport access vlan 100
     switchport mode access
     spanning-tree portfast
    end
    wr

--------------------------------------------------------------------------------

    ! ASA2 data interfaces must sit in the same VLANs as ASA1's
    ! Fa0/13 connects to ASA2 E0/0
    interface FastEthernet0/13
     switchport access vlan 5
     switchport mode access
     spanning-tree portfast
    !
    ! Fa0/15 connects to ASA2 E0/2
    interface FastEthernet0/15
     switchport access vlan 3
     switchport mode access
     spanning-tree portfast
    !
    ! Fa0/16 connects to ASA2 E0/3
    interface FastEthernet0/16
     switchport access vlan 8
     switchport mode access
     spanning-tree portfast
    end
    wr

--------------------------------------------------------------------------------

On ASA1:

    ! Add a standby address to each data interface
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 7.7.5.10 255.255.255.0 standby 7.7.5.11
    !
    ! Failover interface: only needs to be brought up
    interface Ethernet0/1
     no shutdown
    !
    interface Ethernet0/2
     nameif inside
     security-level 100
     ip address 7.7.3.10 255.255.255.0 standby 7.7.3.11
    !
    interface Ethernet0/3
     nameif dmz
     security-level 50
     ip address 7.7.8.10 255.255.255.0 standby 7.7.8.11
    !
    failover lan unit primary
    failover lan interface fover Ethernet0/1
    ! Same interface carries the stateful link
    failover link fover Ethernet0/1
    failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
    failover
    wr

--------------------------------------------------------------------------------

On ASA2:

    interface Ethernet0/1
     no shutdown
    !
    failover lan unit secondary
    failover lan interface fover Ethernet0/1
    failover link fover Ethernet0/1
    failover interface ip fover 7.7.100.100 255.255.255.0 standby 7.7.100.101
    failover
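Because this task is graded on the show failover output, a scripted comparison is less error-prone than reading the output by eye. The following Python is an added example, not part of the original lab document; it parses an abridged, constructed copy of the expected output and lists any deviations. The function names are assumptions for illustration.

```python
import re

# Constructed sample: the task's expected output, spacing restored (abridged).
SAMPLE = """\
Failover On
Failover LAN Interface: fover Ethernet0/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
        This host: Primary - Active
                  Interface outside (7.7.5.10): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface outside (7.7.5.11): Normal (Monitored)
"""

def parse_show_failover(text):
    """Extract the graded fields from 'show failover' output."""
    state, host = {"hosts": {}}, None
    for line in map(str.strip, text.splitlines()):
        if line in ("Failover On", "Failover Off"):
            state["enabled"] = line.endswith("On")
        elif m := re.match(r"Failover LAN Interface: (\S+) (\S+) \((\w+)\)", line):
            state["lan_if"] = m.groups()
        elif m := re.match(r"(Unit|Interface) Poll frequency (\d+) seconds, holdtime (\d+)", line):
            state[m[1].lower() + "_poll"] = (int(m[2]), int(m[3]))
        elif m := re.match(r"(?:This|Other) host: (.+)", line):
            host = m[1]
            state["hosts"][host] = {}
        elif (m := re.match(r"Interface (\S+) \(([\d.]+)\): (.+)", line)) and host:
            state["hosts"][host][m[1]] = (m[2], m[3])
    return state

def failover_problems(state):
    """List deviations from the required state; an empty list means pass."""
    problems = []
    if not state.get("enabled"):
        problems.append("failover is not enabled")
    if state.get("lan_if") != ("fover", "Ethernet0/1", "up"):
        problems.append("failover LAN interface is not fover Ethernet0/1 (up)")
    if (state.get("unit_poll"), state.get("interface_poll")) != ((1, 15), (5, 25)):
        problems.append("poll timers differ from 1/15 and 5/25 seconds")
    if set(state["hosts"]) != {"Primary - Active", "Secondary - Standby Ready"}:
        problems.append("unexpected unit roles: %s" % sorted(state["hosts"]))
    for role, ifs in state["hosts"].items():
        for name, (ip, status) in ifs.items():
            if status != "Normal (Monitored)":
                problems.append(f"{role}: {name} {ip} is {status}")
    return problems

print(failover_problems(parse_show_failover(SAMPLE)))
```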

 

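1.3 Configure ASA3 in Multi-Context Firewall Mode (point 4)

Requirements:

1. Configured as a multi-context firewall, ASA3 requires a shared outside interface. Use the following outputs to complete the initial configuration.

| Name  | Config URL |
|-------|------------|
| C1    | C1.cfg     |
| C2    | C2.cfg     |
| Admin | Admin.cfg  |

2. Internet Control Message Protocol (ICMP) traffic from any to any in both contexts.

3. Modification Catalyst switch configuration to complete this task.

4. Completed, ensure that you are able to ping all major subnets within your network, including the ISE1 150.1.7.20

5. Interface numbers as shown in the tables:

c1:

| Interface   | Type       | Nameif  | Vlan | Sec-level | IP address  |
|-------------|------------|---------|------|-----------|-------------|
| Ethernet0/1 | Not shared | Inside  | 2    | 100       | 7.7.2.10/24 |
| Ethernet0/0 | Shared     | Outside | 33   | 0         | 7.7.3.8/24  |

| Interface | Network                   | Next Hop |
|-----------|---------------------------|----------|
| Outside   | Configure a default route | 7.7.3.2  |

c2:

| Interface   | Type       | Nameif  | Vlan | Sec-level | IP address  |
|-------------|------------|---------|------|-----------|-------------|
| Ethernet0/2 | Not shared | Inside  | 4    | 100       | 7.7.4.10/24 |
| Ethernet0/0 | Shared     | Outside | 33   | 0         | 7.7.3.12/24 |

| Interface | Network                                 | Next Hop |
|-----------|-----------------------------------------|----------|
| Outside   | Configure a static route for 7.7.0.0/16 | 7.7.3.2  |
| Inside    | Configure a default route               | 7.7.4.1  |

admin:

| Interface   | Nameif     | Vlan | Sec-level | IP address   |
|-------------|------------|------|-----------|--------------|
| Ethernet0/2 | Management | 4    | 100       | 7.7.4.200/24 |

| Interface  | Network       | Next Hop |
|------------|---------------|----------|
| Management | Default route | 7.7.4.1  |

6. Configure IP services on ASA3

Telnet Access --- Telnet must be allowed from VLAN 4 IP 7.7.4.1 on SW1 to the admin context of ASA3

a. Verify your solution

    SW1# telnet 7.7.4.200 /so vlan 4
    Trying 7.7.4.200 ..... Open

b. Object NAT and Port to Application Mapping -- Use object NAT to translate the VLAN 4 IP address of 7.7.4.1 on SW1 to a global address of 7.7.3.3. Devices on the outside of ASA3 must be able to Telnet to the global address using a non-standard port of 2300

    R6# telnet 7.7.3.3 2300
    Trying 7.7.3.3 2400 .... Open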

Solution:

On SW4:

    ! Fa0/11 connects to ASA3 E0/0 (shared outside, VLAN 33)
    interface FastEthernet0/11
     switchport access vlan 33
     switchport mode access
     spanning-tree portfast
    !
    ! Fa0/12 connects to ASA3 E0/1 (VLAN 2)
    interface FastEthernet0/12
     switchport access vlan 2
     switchport mode access
     spanning-tree portfast
    !
    ! Fa0/13 connects to ASA3 E0/2 (VLAN 4)
    interface FastEthernet0/13
     switchport access vlan 4
     switchport mode access
     spanning-tree portfast
    !
    wr

--------------------------------------------------------------------------------

On ASA3:

show mode: the unit is in multiple-context mode

show firewall: the unit is in routed mode

    hostname ASA3
    ! Bring up the physical interfaces in the system execution space
    interface Ethernet0/0
     no shutdown
    !
    interface Ethernet0/1
     no shutdown
    !
    interface Ethernet0/2
     no shutdown

--------------------------------------------------------------------------------

    admin-context admin
    context admin
     allocate-interface Ethernet0/2
     config-url disk0:/admin.cfg
    !
    context c1
     allocate-interface Ethernet0/0
     allocate-interface Ethernet0/
