
ccie security V3.0 vd+

Created: 2011-03-10 22:41:18

Question one:

1. Set up an admin context plus two user contexts, c1 and c2.
2. Assign no interfaces to the admin context.
3. Assign interfaces e0/0 (outside) and e0/1 (inside) to c1.
4. Assign interfaces e0/0 (outside) and e0/2 (inside) to c2 (e0/0 is therefore shared by both contexts).
5. Do not manually assign a MAC address to any interface.
6. Allow ICMP in both contexts.
7. Default route to R1 (y.y.3.1) in both contexts.
8. c1: route 150.1.0.0/16 out the inside interface.
9. c2: route 192.168.2.0/24 out the inside interface, and route 150.1.0.0/16 out the outside interface to y.y.3.10 (c1's outside address).

Answer one:

 

SW1:

interface FastEthernet0/10
 switchport mode access
 switchport access vlan 3
interface FastEthernet0/11
 switchport mode access
 switchport access vlan 2
interface FastEthernet0/12
 switchport mode access
 switchport access vlan 4

ASA1 (system execution space)

STEP1: bring the physical interfaces up. Physical interface state is set in the system space; the IP configuration is done later inside each context.

interface Ethernet0/0
 no shutdown
!
interface Ethernet0/1
 no shutdown
!
interface Ethernet0/2
 no shutdown

STEP2: define the contexts. The admin context gets a config-url but no interfaces; Ethernet0/0 is allocated to both c1 and c2.

admin-context admin
context admin
 config-url disk0:/admin.cfg
!
context c1
 allocate-interface Ethernet0/0
 allocate-interface Ethernet0/1
 config-url disk0:/c1.cfg
!
context c2
 allocate-interface Ethernet0/0
 allocate-interface Ethernet0/2
 config-url disk0:/c2.cfg

STEP3: because Ethernet0/0 is shared, each context needs its own MAC address on it so that the ASA can classify an incoming frame to the right context by destination MAC. The task forbids setting MACs by hand, so let the ASA generate them:

mac-address auto

Check with show context in the system space (contexts and allocated interfaces) and with show interface inside each context (the auto-generated MAC on Ethernet0/0 differs between c1 and c2).

 

STEP4 (inside context c1, after changeto context c1):

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 45.45.3.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 45.45.2.10 255.255.255.0
!
access-list out extended permit icmp any any
!
access-group out in interface outside
!
route outside 0.0.0.0 0.0.0.0 45.45.3.1 1
route inside 150.1.0.0 255.255.0.0 45.45.2.1 1

STEP5 (inside context c2, after changeto context c2):

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 45.45.3.12 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 45.45.4.12 255.255.255.0
!
access-list out extended permit icmp any any
!
access-group out in interface outside
!
route outside 0.0.0.0 0.0.0.0 45.45.3.1 1
route outside 150.1.0.0 255.255.0.0 45.45.3.10 1
route inside 192.168.2.0 255.255.255.0 45.45.4.2 1

 

Question two:

1. e0/0 and e0/2 form redundant interface 1; e0/0 is the active member.
2. Redundant1 is the outside interface.
3. e0/1 is the inside interface.
4. Routing: OSPF process 1, area 0 (the ASA should learn a default route from R1).
5. Allow ICMP.

Answer two:

SW3

interface FastEthernet0/10
 switchport mode access
 switchport access vlan 6
interface FastEthernet0/11
 switchport mode access
 switchport access vlan 7
interface FastEthernet0/12
 switchport mode access
 switchport access vlan 6

ASA2

STEP1: interfaces. The member interfaces carry no nameif or IP address of their own; all logical configuration goes on Redundant1. The first member-interface added becomes the active interface, which is why Ethernet0/0 is listed first.

interface Ethernet0/0
 no shutdown
!
interface Ethernet0/2
 no shutdown
!
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 45.45.6.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 45.45.7.10 255.255.255.0
 no shutdown

STEP2: permit ICMP

access-list out extended permit icmp any any
access-group out in interface outside

STEP3: OSPF

router ospf 1
 network 45.45.6.0 255.255.255.0 area 0
 network 45.45.7.0 255.255.255.0 area 0

Verify with show interface Redundant1 (which member is active) and show route (the OSPF default route learned from R1).

Question three:

1. When R3's loopback2 address reaches R5's loopback2, its source address must be translated to y.y.7.30. When R1 (y.y.6.1) reaches R5's loopback2, its source address must be translated to y.y.7.31. Use packet-tracer to verify.
2. When the inside loopback addresses reach the other two loopback interfaces (on R1 and R4), they should be translated to y.y.6.x and y.y.6.NN respectively.

Answer three

ASA2

step1: policy static NAT (pre-8.3 syntax). The ACL selects the real source/destination pair, and the static maps that source to the given address as seen on the inside.

access-list R1.Lo2-R5.Lo2 extended permit ip host 45.45.51.1 host 45.45.52.5
access-list R4-R5.Lo2 extended permit ip host 45.45.6.1 host 45.45.52.5
static (outside,inside) 45.45.7.30 access-list R1.Lo2-R5.Lo2
static (outside,inside) 45.45.7.31 access-list R4-R5.Lo2
access-list out extended permit tcp host 45.45.51.1 host 45.45.52.5 eq 23
access-list out extended permit tcp host 45.45.6.1 host 45.45.52.5 eq 23

test:

packet-tracer input outside tcp 45.45.51.1 1024 45.45.52.5 23
packet-tracer input outside tcp 45.45.6.1 1024 45.45.52.5 23

step2: policy dynamic NAT. The more specific rule (VLAN8-64, nat id 1) is configured before the catch-all (VLAN8-Any, nat id 2), since policy nat statements are matched in configuration order.

access-list VLAN8-64 extended permit ip 45.45.8.0 255.255.255.0 64.102.51.0 255.255.255.0
access-list VLAN8-Any extended permit ip 45.45.8.0 255.255.255.0 any
nat (inside) 1 access-list VLAN8-64
nat (inside) 2 access-list VLAN8-Any
global (outside) 1 45.45.6.30
global (outside) 2 45.45.6.31

test:

packet-tracer input inside icmp 45.45.8.1 8 0 64.102.51.1
packet-tracer input inside icmp 45.45.8.1 8 0 45.45.2.1

Question four:

Configure zone-based firewall (ZBF) on R3:

interface       zone name
g0/0 (.6.0)     internal
g0/1 (.10.0)    external

Inbound (external to internal): inspect http, telnet and icmp.
  ICMP policed to 20000 bps with a burst of 2000 bytes.
  HTTP request/response headers larger than 4096 bytes: reset the connection.
Outbound (internal to external): inspect all traffic (match it with an extended ACL).

Answer four:

R3

STEP1: zones and zone membership

zone security internal
zone security external
interface FastEthernet0/0
 ip address 45.45.6.3 255.255.255.0
 zone-member security internal
!
interface FastEthernet0/1
 ip address 45.45.10.3 255.255.255.0
 zone-member security external

STEP2: layer-4 class maps, one per protocol so that each can receive its own action

class-map type inspect match-all inbound.http
 match protocol http
class-map type inspect match-all inbound.icmp
 match protocol icmp
class-map type inspect match-all inbound.telnet
 match protocol telnet

STEP3: layer-7 HTTP class and policy (a header block longer than 4096 bytes resets the session)

class-map type inspect http match-any match.http
 match req-resp header length gt 4096
policy-map type inspect http control.http
 class type inspect http match.http
  reset

STEP4: inbound layer-4 policy. police rate is in bits per second and burst in bytes; the HTTP class nests the layer-7 policy under inspect.

policy-map type inspect inbound.policy
 class type inspect inbound.icmp
  inspect
  police rate 20000 burst 2000
 class type inspect inbound.http
  inspect
  service-policy http control.http
 class type inspect inbound.telnet
  inspect

STEP5: outbound class matched by an extended ACL. The two match statements below are redundant (match-all requires both, and both ACLs permit ip any any); either the named or the numbered form alone is sufficient.

ip access-list extended alltraffic
 permit ip any any
access-list 101 permit ip any any
class-map type inspect match-all outbound.traffic
 match access-group name alltraffic
 match access-group 101

STEP6: outbound policy

policy-map type inspect outbound.policy
 class type inspect outbound.traffic
  inspect

STEP7: zone pairs. Traffic between two zones with no zone-pair is dropped, and a flow that matches none of the classes in a policy falls into class-default, whose default action is drop.

zone-pair security inbound source external destination internal
 service-policy type inspect inbound.policy
zone-pair security outbound source internal destination external
 service-policy type inspect outbound.policy

Verify with show policy-map type inspect zone-pair sessions.
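The inbound policy above combines a policer and a layer-7 header check. The following Python model, added here as an example and not part of the original page or of IOS, shows what those two parameters do to traffic: the ICMP policer as a single-rate token bucket (rate in bits per second and burst in bytes, the units of the police rate command) and the HTTP header-length test that triggers reset. The packet timings, the HTTP messages, and the way header length is measured (bytes of the request line plus header lines, up to but excluding the blank line) are constructed assumptions; the exact accounting inside IOS may differ.

```python
ICMP_RATE_BPS = 20000      # police rate 20000 (bits per second)
ICMP_BURST_BYTES = 2000    # burst 2000 (bytes)
HTTP_HEADER_MAX = 4096     # match req-resp header length gt 4096


class TokenBucket:
    """Single-rate, two-colour policer: a packet that fits in the bucket
    conforms and is forwarded; anything else exceeds and is dropped."""

    def __init__(self, rate_bps, burst_bytes):
        self.refill_bytes_per_s = rate_bps / 8.0
        self.depth = float(burst_bytes)
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last_ts = 0.0

    def conform(self, size_bytes, ts):
        elapsed = max(0.0, ts - self.last_ts)
        self.last_ts = ts
        self.tokens = min(self.depth, self.tokens + elapsed * self.refill_bytes_per_s)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


def police_icmp(packets, rate_bps=ICMP_RATE_BPS, burst_bytes=ICMP_BURST_BYTES):
    """packets: iterable of (timestamp_seconds, size_bytes). Returns (forwarded, dropped)."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    forwarded = dropped = 0
    for ts, size in packets:
        if bucket.conform(size, ts):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


def sample_icmp_burst():
    """Constructed input: ten 1000-byte echo requests at t=0 (a flood), then one per second."""
    return [(0.0, 1000)] * 10 + [(1.0, 1000), (2.0, 1000), (3.0, 1000)]


def http_header_length(message):
    """Bytes of the request/status line plus header lines, excluding the blank
    line that ends the header block. None if the block is not complete yet
    (a real inspector buffers until it sees CRLF CRLF or gives up at a limit)."""
    end = message.find(b"\r\n\r\n")
    if end < 0:
        return None
    return end + 2   # keep the CRLF of the last header line


def http_inspect(message, limit=HTTP_HEADER_MAX):
    """Verdict for one HTTP message under control.http: allow, reset, or incomplete."""
    length = http_header_length(message)
    if length is None:
        return "incomplete"
    return "reset" if length > limit else "allow"


def sample_http_messages():
    """Constructed requests: a normal GET and one padded with an oversized cookie."""
    normal = b"GET / HTTP/1.1\r\nHost: 45.45.52.5\r\nUser-Agent: lab\r\n\r\n"
    oversized = b"GET / HTTP/1.1\r\nHost: 45.45.52.5\r\nCookie: " + b"A" * 5000 + b"\r\n\r\n"
    return {"normal": normal, "oversized": oversized}


def run_demo():
    fwd, drop = police_icmp(sample_icmp_burst())
    verdicts = {name: http_inspect(msg) for name, msg in sample_http_messages().items()}
    return {"icmp": (fwd, drop), "http": verdicts}


if __name__ == "__main__":
    print(run_demo())
```

police_icmp(sample_icmp_burst()) returns (5, 8): the bucket starts full at 2000 bytes, so only the first two 1000-byte packets of the flood conform and the other eight are dropped; at 20000 bps the bucket refills 2500 bytes per second, so a single 1000-byte ping per second passes untouched. The oversized request is reset and the normal one allowed.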

Question five:

1. R1 loopback 192.168.1.1, R5 loopback 192.168.5.5.
2. GRE over IPsec is not allowed, an access-list may not be used to match interesting traffic, and no router may use a crypto map (which leaves a static virtual tunnel interface: tunnel mode ipsec ipv4 with tunnel protection).
3. The loopbacks must see each other through EIGRP 199:
   R1 ping 192.168.5.5
   R5 ping 192.168.1.1

Answer five:

ASA2: permit IKE and ESP between the tunnel endpoints through the outside interface

access-list out extended permit udp host 45.45.6.1 host 45.45.7.5 eq isakmp
access-list out extended permit esp host 45.45.6.1 host 45.45.7.5

R1:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 45.45.7.5
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto ipsec profile ipsecprof
 set transform-set cisco
!
interface Tunnel0
 ip address 172.16.15.1 255.255.255.0
 tunnel source 45.45.6.1
 tunnel destination 45.45.7.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprof
!
router eigrp 199
 network 172.16.15.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 no auto-summary

R5:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 45.45.6.1
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto ipsec profile ipsecprof
 set transform-set cisco
!
interface Tunnel0
 ip address 172.16.15.2 255.255.255.0
 tunnel source 45.45.7.5
 tunnel destination 45.45.6.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprof
!
router eigrp 199
 network 172.16.15.0 0.0.0.255
 network 192.168.5.0 0.0.0.255
 no auto-summary

Caveat: isakmp policy 10 only sets the authentication method, so the IOS defaults (DES, SHA-1, DH group 1) apply to phase 1, and the transform set is esp-des with esp-md5-hmac. That satisfies the lab task, which places no requirement on the ciphers, but DES, MD5 and group 1 are not acceptable outside a lab; a real deployment should use AES, SHA-2 and a 2048-bit or larger (or elliptic-curve) DH group.

Question six (DMVPN troubleshooting ticket; the planted faults found in the lab):

1. Wrong tunnel mode.
2. Wrong tunnel address (172.16.23.N versus 172.16.123.N).
3. Missing ip nhrp map multicast ...
4. access-list 101: deny esp any any, then permit ip any any (blocks the IPsec traffic).
5. SW1: RACL plus VACL.
6. 172.16.123.1 (R1).
7. ip nhrp map multicast (R3).
8. GRE mode.
9. Switch ACL (deny esp any any).
10. Hub: tunnel mode ipsec ipv4 (a DMVPN hub needs tunnel mode gre multipoint).
11. EIGRP network statement also covers the physical (tunnel source) interface.
12. GRE mode.
13. Interface shut down.

Answer six:

ASA1/c2: permit IKE and ESP from the spoke R3 (45.45.6.3) to the hub R2 (45.45.4.2)

access-list out extended permit udp host 45.45.6.3 host 45.45.4.2 eq isakmp
access-list out extended permit esp host 45.45.6.3 host 45.45.4.2

R2 (hub):

crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile ipsecprof
 set transform-set cisco
!
interface Tunnel0
 ip address 172.16.23.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 no ip split-horizon eigrp 123
 no ip next-hop-self eigrp 123
 tunnel source 45.45.4.2
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile ipsecprof
!
router eigrp 123
 network 172.16.23.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
 no auto-summary

R3 (spoke):

crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile ipsecprof
 set transform-set cisco
!
interface Tunnel0
 ip address 172.16.23.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco
 ip nhrp map 172.16.23.1 45.45.4.2
 ip nhrp map multicast 45.45.4.2
 ip nhrp network-id 10
 ip nhrp nhs 172.16.23.1
 tunnel source 45.45.6.3
 tunnel mode gre multipoint
 tunnel key 123
 tunnel protection ipsec profile ipsecprof
!
router eigrp 123
 network 172.16.23.0 0.0.0.255
 network 192.168.3.0 0.0.0.255
 no auto-summary

Notes: mode transport is the usual choice for DMVPN because the GRE header already carries the real endpoint addresses. The wildcard pre-shared key (address 0.0.0.0 0.0.0.0) lets the hub accept any spoke, but it means one shared secret for the whole cloud; in production use per-peer keys or certificates. ip nhrp authentication and tunnel key are cleartext tags that only keep mismatched tunnels apart and provide no security on their own.

 

Question seven:

traceroute through the ASA.

Answer seven:

ASA1 c2:

policy-map global_policy
 class class-default
  set connection decrement-ttl
access-list out extended permit udp any any gt 33434

By default the ASA does not decrement the IP TTL, so it never appears as a hop; decrement-ttl makes it expire the probe whose TTL reaches zero and answer with an ICMP time-exceeded message. The UDP line admits the traceroute probes (destination ports above 33434) through the outside ACL; the ICMP replies are already covered by the permit icmp any any entry in the same ACL.

 

Question eight:

SW1: ARP inspection (DAI) with an ARP ACL.

Answer eight:

SW1:

arp access-list arpacl
 permit ip host 1.1.1.1 mac host 0000.0000.1111
ip arp inspection filter arpacl vlan 13
ip arp inspection vlan 13
ip dhcp snooping
ip dhcp snooping vlan 13
interface FastEthernet0/15
 ip arp inspection trust
 ip dhcp snooping trust

Without the static keyword on ip arp inspection filter, an ARP packet that matches no entry in arpacl is not dropped by the ACL's implicit deny but is checked against the DHCP snooping binding table, which is why DHCP snooping is enabled on the same VLAN; with static, non-matching packets are dropped outright. FastEthernet0/15 is trusted for both features, so ARP packets arriving there skip inspection and DHCP server messages from it are accepted.
 

Question nine:

BGP authentication (TCP MD5) between peers on opposite sides of the ASA.

Answer nine:

ASA2

access-list out extended permit tcp host 45.45.6.3 host 45.45.7.5 eq bgp
tcp-map fbgp
 tcp-options range 19 19 allow
class-map bgp
 match port tcp eq bgp
policy-map global_policy
 class bgp
  set connection random-sequence-number disable
  set connection advanced-options fbgp

Two ASA defaults would otherwise break an MD5-authenticated BGP session. First, the TCP normalizer clears TCP options it does not recognize, and option 19 (the RFC 2385 MD5 signature) is one of them, so the tcp-map allows it through. Second, the MD5 digest covers the TCP header including the sequence number, so the ASA's initial sequence number randomization, which rewrites the sequence numbers of every segment on the connection, would make each digest fail verification at the far end. Both changes are scoped to the BGP class rather than applied globally.

R3

router bgp 103
 no synchronization
 bgp log-neighbor-changes
 neighbor 45.45.7.5 remote-as 105
 neighbor 45.45.7.5 password cisco
 neighbor 45.45.7.5 ebgp-multihop 255
 network 192.168.33.33 mask 255.255.255.255
 no auto-summary

R5

router bgp 105
 no synchronization
 bgp log-neighbor-changes
 neighbor 45.45.6.3 remote-as 103
 neighbor 45.45.6.3 password cisco
 neighbor 45.45.6.3 ebgp-multihop 255
 no auto-summary

ebgp-multihop is needed because the peers sit on different subnets with the ASA routing between them, so the eBGP default TTL of 1 would not reach the neighbor.

test

RackYYR5#show ip bgp
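To see why the two ASA settings above matter, here is a Python model, added as an example and not taken from the original page, of the RFC 2385 digest that the neighbor password puts into TCP option 19. It signs a BGP OPEN between the lab peers (45.45.6.3 and 45.45.7.5, AS 103 and router-id 192.168.33.33 as in the configuration above), verifies it the way the receiving router does, and then shows that shifting the sequence number, which is what the ASA's ISN randomization does to a connection, invalidates the digest. The OPEN bytes, the offset used for the shift and the function names are constructed for the example; the TCP wire checksum is not computed.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
BGP_PORT = 179
OPT_NOP = 1
OPT_MD5_SIG = 19          # RFC 2385 TCP MD5 Signature Option
OPT_MD5_LEN = 18          # kind + length + 16-byte digest
HEADER_LEN = 40           # 20-byte base header + 18-byte option + 2 NOPs of padding


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window, urg,
                   header_len, payload, key):
    """RFC 2385 digest: pseudo-header, TCP header with checksum zeroed and options
    excluded, the payload, then the key. Segment length counts header+options+data."""
    seg_len = header_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    base = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       (header_len // 4) << 4, flags, window, 0, urg)
    h = hashlib.md5()
    for part in (pseudo, base, payload, key):
        h.update(part)
    return h.digest()


def build_segment(src_ip, dst_ip, seq, ack, flags, payload, key, window=16384):
    """BGP TCP segment (179 -> 179) carrying option 19. The wire checksum stays
    zero here because the digest is defined over a zeroed checksum anyway;
    a real stack fills it in after signing."""
    digest = tcp_md5_digest(src_ip, dst_ip, BGP_PORT, BGP_PORT, seq, ack, flags,
                            window, 0, HEADER_LEN, payload, key)
    options = bytes([OPT_MD5_SIG, OPT_MD5_LEN]) + digest + bytes([OPT_NOP, OPT_NOP])
    header = struct.pack("!HHIIBBHHH", BGP_PORT, BGP_PORT, seq, ack,
                         (HEADER_LEN // 4) << 4, flags, window, 0, 0)
    return header + options + payload


def find_md5_option(options):
    """Walk the TCP options list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of options list
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = options[i + 1]
        if kind == OPT_MD5_SIG and length == OPT_MD5_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """What the receiving BGP speaker does: recompute the digest over the segment
    exactly as it arrived and compare it in constant time with option 19."""
    sport, dport, seq, ack, off, flags, window, _csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off >> 4) * 4
    sig = find_md5_option(segment[20:header_len])
    if sig is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags,
                              window, urg, header_len, segment[header_len:], key)
    return hmac.compare_digest(sig, expected)


def randomize_isn(segment, delta):
    """Model of ASA sequence-number randomization: the sequence number of every
    segment on the connection is shifted by a per-connection offset."""
    seq = struct.unpack("!I", segment[4:8])[0]
    return segment[:4] + struct.pack("!I", (seq + delta) & 0xFFFFFFFF) + segment[8:]


def sample_bgp_open():
    """Constructed BGP OPEN from R3: version 4, AS 103, hold time 180, router-id 192.168.33.33."""
    return b"\xff" * 16 + struct.pack("!HBBHH4sB", 29, 1, 4, 103, 180,
                                      socket.inet_aton("192.168.33.33"), 0)


def run_demo(key=b"cisco"):
    r3, r5 = "45.45.6.3", "45.45.7.5"
    seg = build_segment(r3, r5, seq=0x1000, ack=0x2000, flags=0x18,
                        payload=sample_bgp_open(), key=key)
    return {
        "intact": verify_segment(r3, r5, seg, key),
        "after_isn_rewrite": verify_segment(r3, r5, randomize_isn(seg, 0x5A5A5A5A), key),
        "wrong_key": verify_segment(r3, r5, seg, b"not-cisco"),
    }


if __name__ == "__main__":
    print(run_demo())
```

run_demo() returns intact True and both after_isn_rewrite and wrong_key False: the peer cannot tell a rewritten sequence number from a forged segment, which is exactly why random-sequence-number must be disabled for this class. The same digest also covers the pseudo-header, so NAT of either peer address breaks the session in the same way.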

Question ten

Flood prevention: block AppleTalk frames from one host at layer 2.

Answer ten:

mac access-list extended AP
 deny host 0013.0013.0013 any appletalk
 permit any any
interface FastEthernet0/10
 mac access-group AP in

 

Question eleven:

Hardening features on R1.

Answer eleven:

R1

1. no ip source-route  (drop packets carrying IP source-routing options, which can be used to steer traffic around filtering)
2. no service dhcp  (disable the DHCP server/relay service the router does not need)
