LAB 3 update
Q1. The lab begins with the configuration of ASA3, which is a single-mode routed firewall. In the previous lab this firewall was in multiple mode, but now it is in single mode. Here router R1 is connected on the right, which is the DMZ of ASA3. R1 is connected to R4 and R5, which are also running MPLS.
So here you need to provide interface names and routes on the firewall. Be careful, as the routes have a /28 mask rather than the usual /16 or /24.
Then you need to provide time to the firewall from SW1 and open the access-list for ICMP on both DMZ and outside, and for UDP 123 on outside and DMZ.
Then they ask you to ping from R3, which right now can't be done, as ASA1 isn't configured yet; that is the next question.
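As an added example (not part of the original notes), this is the shape of the ASA3 routed-mode configuration the task asks for. Interface numbers, addresses, next hops and the SW1 address are placeholders I have assumed; only the /28 mask, the ICMP and UDP 123 openings and "time from SW1" come from the task.

```cisco
! ASA3, single-context routed mode (added example, placeholder values)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 7.7.3.1 255.255.255.240
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 7.7.1.1 255.255.255.240
 no shutdown
!
! The /28 routes: mask is 255.255.255.240, not 255.255.255.0
route outside 0.0.0.0 0.0.0.0 7.7.3.2
route dmz 7.7.2.0 255.255.255.240 7.7.1.2
!
! Time from SW1 (placeholder address on the inside)
ntp server 10.1.1.100 source inside
!
! Inbound on outside and dmz: only ICMP and NTP (udp/123) are opened
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit udp any any eq 123
access-group OUTSIDE_IN in interface outside
access-list DMZ_IN extended permit icmp any any
access-list DMZ_IN extended permit udp any any eq 123
access-group DMZ_IN in interface dmz
!
! Checks
! show route        -> the /28 entries must show 255.255.255.240
! show ntp status   -> "Clock is synchronized" once udp/123 is open
```

If "show ntp status" stays unsynchronized, check the ACL on the interface facing SW1 before touching the NTP line: a wrong mask on the route or a missing udp/123 permit gives exactly that symptom.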
Q2. Here ASA1 is in multiple mode. You have to configure contexts C1 and C2 and the admin context. Assign e0/0 and e0/2 to C1 and e0/1 and e0/3 to C2. Assign names, IP addresses and routing to them, and open ICMP for both contexts.
The next part of the question is ASA2, which is also in multiple mode. Between ASA1 and ASA2 you have to do active/active failover, with C1 active on the second firewall and C2 active on the primary firewall.
Assign IP addresses to the standby interfaces and match the given output.
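Added example of the active/active setup described above (not the lab's own configuration). Ethernet0/4 as the failover link, the Management0/0 admin interface, all IP addresses and the disk0: config names are placeholders; the context-to-interface assignment and the "C1 active on the secondary, C2 active on the primary" requirement come from the task.

```cisco
! ASA1 system execution space, primary unit (added example, placeholder values)
interface Ethernet0/0
 no shutdown
interface Ethernet0/1
 no shutdown
interface Ethernet0/2
 no shutdown
interface Ethernet0/3
 no shutdown
interface Ethernet0/4
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Ethernet0/4
failover link FOLINK Ethernet0/4
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
!
! Group 1 prefers the primary unit, group 2 prefers the secondary unit
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! C1 must be active on the second firewall -> join group 2
context C1
 allocate-interface Ethernet0/0
 allocate-interface Ethernet0/2
 join-failover-group 2
 config-url disk0:/C1.cfg
!
! C2 must be active on the primary firewall -> join group 1
context C2
 allocate-interface Ethernet0/1
 allocate-interface Ethernet0/3
 join-failover-group 1
 config-url disk0:/C2.cfg
!
failover
!
! Inside each context (changeto context C1) every interface gets an active
! and a standby address; the standby address is what the peer unit uses
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 7.7.20.1 255.255.255.0 standby 7.7.20.2
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.20.20.1 255.255.255.0 standby 10.20.20.2
access-list OUT_IN extended permit icmp any any
access-group OUT_IN in interface outside
!
! ASA2 only needs its unit role and the same failover link, then "failover";
! it replicates the rest from the primary:
! failover lan unit secondary
! failover lan interface FOLINK Ethernet0/4
! failover link FOLINK Ethernet0/4
! failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
! failover
!
! Verify from the system context: "show failover" should list group 1
! active on the primary and group 2 active on the secondary
```

Two things to watch when matching the expected output: the context must join its failover group before its configuration is loaded from the config-url, and "icmp permit" on an interface only covers pings to the ASA itself, so through-traffic ICMP needs the access-list as shown.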
Q3. Here you have ASA4, which is like the previous scenario of lab 1-2 but is in single mode. It has two links on the outside, primary and backup. Assign IP addresses to inside, outside and backup. Then run OSPF, specifying the area 1 and area 0 networks. They ask you to verify that the default route is redistributed and appears on R3. There are new networks, 10.10.110.10 and 10.10.120.10, which you have to prevent from coming into area 0. Then they ask you to begin SLA monitoring for the network 150.1.7.0 through R6 (you have to monitor the R6 interface, the time duration is 2 sec, and if the network goes down the backup link is to be used), as reachability is now available since the two firewalls are configured. Then they ask you to perform nat-control and translate the addresses 10.10.110.10 and 10.10.120.10 for the outside interface, while the other network, 7.7.0.0/16, going towards 7.7.0.0/16 and 150.1.0.0/16, should be left untranslated. Then they ask you to verify it using the packet-tracer command.
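Added example covering the OSPF filtering, the SLA-tracked route and the nat-control part of this question (not the lab's own configuration). Interface names, addresses, next hops and the R6 address are placeholders; the /32 masks on the two 10.10.x.10 networks are assumed, and "2 sec" is read as the probe frequency (the task does not say which timer it means). The NAT is the pre-8.3 style, since nat-control only exists there.

```cisco
! ASA4, single mode (added example, placeholder values)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 150.1.4.4 255.255.255.0
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 150.1.5.4 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.10.4.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 150.1.4.6
!
! OSPF: area 0 and area 1 networks, originate the default so R3 sees it,
! and keep the two new prefixes from being advertised out of area 1
router ospf 1
 network 10.10.4.0 255.255.255.0 area 1
 network 150.1.4.0 255.255.255.0 area 0
 default-information originate
 area 1 filter-list prefix NO_110_120 out
prefix-list NO_110_120 seq 5 deny 10.10.110.10/32
prefix-list NO_110_120 seq 10 deny 10.10.120.10/32
prefix-list NO_110_120 seq 15 permit 0.0.0.0/0 le 32
!
! SLA: probe the R6 interface every 2 seconds via "outside"; when the probe
! fails the tracked route is withdrawn and the higher-metric route via
! "backup" takes over for 150.1.7.0
sla monitor 10
 type echo protocol ipIcmpEcho 150.1.7.6 interface outside
 frequency 2
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 150.1.7.0 255.255.255.0 150.1.4.6 1 track 1
route backup 150.1.7.0 255.255.255.0 150.1.5.6 254
!
! nat-control: nothing crosses without a NAT rule. Translate the two hosts
! on the outside interface; exempt 7.7.0.0/16 -> 7.7.0.0/16 and 150.1.0.0/16
nat-control
global (outside) 1 interface
nat (inside) 1 10.10.110.10 255.255.255.255
nat (inside) 1 10.10.120.10 255.255.255.255
access-list NONAT extended permit ip 7.7.0.0 255.255.0.0 7.7.0.0 255.255.0.0
access-list NONAT extended permit ip 7.7.0.0 255.255.0.0 150.1.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! Verify: the first trace should show a dynamic translation to the outside
! address, the second should show "NAT exempt"
! packet-tracer input inside tcp 10.10.110.10 1025 150.1.7.6 23
! packet-tracer input inside icmp 7.7.4.10 8 0 150.1.7.6
! show track 1 / show route -> confirm which 150.1.7.0 route is installed
```

The order matters for the nat-control check: "nat (inside) 0 access-list" is evaluated before the numbered rules, so the exemption wins for 7.7.0.0/16 even if a broader "nat (inside) 1" line is later added.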
Q4. On ASA3 you have to do NAT, which is the 8.4 style. Here you have to translate 20.20.20.1 (loopback 1 on SW1) to 7.7.3.20 and 7.7.8.20 when the traffic is telnet and HTTP. Then it is to be verified using the packet-tracer command.
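Added example of the port-dependent translation in 8.4 twice-NAT syntax (not the lab's own configuration). The interface names and the far-end addresses in the packet-tracer checks are placeholders, and the pairing (telnet to 7.7.3.20, HTTP to 7.7.8.20) is assumed; swap the two mapped objects if the lab pairs them the other way.

```cisco
! ASA3, 8.4 twice NAT: the mapped source address depends on the destination
! port (added example, placeholder interface names)
object network SW1_LO1
 host 20.20.20.1
object network SW1_LO1_TELNET
 host 7.7.3.20
object network SW1_LO1_HTTP
 host 7.7.8.20
!
! "destination" in the service object is the far end's port
object service DST_TELNET
 service tcp destination eq 23
object service DST_HTTP
 service tcp destination eq 80
!
! Same service object as real and mapped service: only the address is
! translated, the ports stay as they are
nat (inside,outside) source static SW1_LO1 SW1_LO1_TELNET service DST_TELNET DST_TELNET
nat (inside,outside) source static SW1_LO1 SW1_LO1_HTTP service DST_HTTP DST_HTTP
!
! Verify each mapping with packet-tracer: the NAT phase must show the
! matching rule for 23 and 80, and the third trace (port 22) must not match
! either rule
! packet-tracer input inside tcp 20.20.20.1 1025 7.7.3.1 23
! packet-tracer input inside tcp 20.20.20.1 1025 7.7.8.1 80
! packet-tracer input inside tcp 20.20.20.1 1025 7.7.3.1 22
! show nat detail -> translate_hits / untranslate_hits per rule
```

Because the rules are static, they also work in the reverse direction: a telnet from the outside to 7.7.3.20 is untranslated to 20.20.20.1, which is what "show nat detail" counts under untranslate_hits.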
Q5. This is a zone-based firewall on R4 and R5, which are connected to R1 on the DMZ of ASA3. Here you have to create zones, and the set of conditions is:
1. The OSPF that is running should not be affected.
2. The outside interface is on 7.7.2.0, which is 7.7.2.4 on R4 and 7.7.2.5 on R5, merged as a single link going towards SW4 (which is in place of R5 according to lab 1-2).
3. Telnet and ICMP are to be allowed from the outside interface of both R4 and R5. Inspect this traffic and make sure that class-default has log and drop, to verify the traffic.
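Added example of the zone-based firewall for R4 (R5 is the same with 7.7.2.5), not the lab's own configuration. Interface numbers and the mask on the 7.7.2.0 link are placeholders; the outside addressing, the telnet/ICMP allowance and the "drop log" on class-default come from the task.

```cisco
! R4 zone-based firewall (added example, placeholder interface numbers)
zone security INSIDE
zone security OUTSIDE
!
! Only telnet and ICMP from the outside are inspected; anything else that
! tries to cross the zone pair lands in class-default and is dropped and logged
class-map type inspect match-any OUT_TO_IN_ALLOWED
 match protocol telnet
 match protocol icmp
policy-map type inspect OUT_TO_IN_POLICY
 class type inspect OUT_TO_IN_ALLOWED
  inspect
 class class-default
  drop log
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT_TO_IN_POLICY
!
interface FastEthernet0/0
 description merged R4/R5 link towards SW4 (7.7.2.0 network)
 ip address 7.7.2.4 255.255.255.0
 zone-member security OUTSIDE
interface FastEthernet0/1
 description towards R1 (DMZ of ASA3)
 zone-member security INSIDE
!
! Why OSPF is not affected: hellos terminate on the router itself, so they
! belong to the "self" zone, and there is no zone-pair involving self.
! Traffic to and from self is allowed by default; adding a self zone-pair
! would change that and would then need a class that passes OSPF.
!
! Checks
! show zone-pair security
! show policy-map type inspect zone-pair OUT-IN sessions
! show logging   -> the class-default drops appear here because of "drop log"
```

A telnet from SW4 towards R1 should show up under the inspect class in the sessions output; anything else from the outside (an SSH attempt, for instance) should produce a drop entry in the log, which is the evidence the task asks for.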
IPS
IPS management is similar to the previous lab, but now they have introduced an inline pair between interfaces g0/2 and g0/3, which are in VLANs 55 and 33, and this then needs to be assigned to vs2, which is already created. Ping, telnet and the management IP address are the same as in lab 1/2.
Then they ask you to enable g0/0 in promiscuous mode and assign it to vs0, for the promiscuous task which comes later in the lab.
Task 2
Then you have to ping SW1 from R6 and SW1 from the inside of ASA3, such that the ping from R6 to SW1 is visible on the sensor but is not visible if it comes from the inside of ASA3.
Task 3
Create a signature for TACACS from the 192.168.0.0 network as source, producing a verbose alert with high severity. Assign it to vs2.
Test from R6 using the command test aaa group tacas cisco cisco legacy.
WSA
Here the task is similar to the previous one, except that the redirection here is from SW1 VLAN 150.
VPN
Q1. Troubleshoot the IKEv2 VPN between ASA3 and R6. The interesting traffic is 192.168.6.0 (R6) to 20.20.20.1 on SW1. On the firewall you have to create the entire IKEv2 VPN configuration, and on R6 add the crypto map to the interface. Keep in mind there are two firewalls in the middle: ASA1 C2 and ASA3.
Q2. Here you have a VRF-aware GETVPN with R2 (now on top, with the WSA/IPS management VLAN 4) as key server and R1, R4 and R5 as group members. Some parameters are given, but the rekey for group 1 and group 2 on the key server is missing, and the lifetime parameters are also missing. R1, R4 and R5 all three have MPLS configuration on them, along with R2.
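Added example of the ASA3 side of this IKEv2 tunnel plus the two things that usually make it fail in this topology (not the lab's own configuration). The R6 peer address 150.1.6.6, the ASA3 outside address 7.7.3.1, the ciphers, the R6 interface name and the pre-shared key "cisco" are placeholders; the interesting traffic comes from the task.

```cisco
! ASA3: IKEv2 site-to-site to R6 (added example, placeholder values)
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal AES-SHA
 protocol esp encryption aes
 protocol esp integrity sha-1
!
! Interesting traffic: 20.20.20.1 (SW1 Lo1) <-> 192.168.6.0/24 (R6)
access-list VPN_TO_R6 extended permit ip host 20.20.20.1 192.168.6.0 255.255.255.0
!
crypto map OUTSIDE_MAP 10 match address VPN_TO_R6
crypto map OUTSIDE_MAP 10 set peer 150.1.6.6
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 150.1.6.6 type ipsec-l2l
tunnel-group 150.1.6.6 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
!
! Failure cause 1: ASA3's own NAT (Q4 above) rewrites 20.20.20.1 before the
! crypto map sees it. An identity twice-NAT rule placed before the other
! rules keeps the VPN traffic untranslated.
object network SW1_LO1
 host 20.20.20.1
object network R6_LAN
 subnet 192.168.6.0 255.255.255.0
nat (inside,outside) 1 source static SW1_LO1 SW1_LO1 destination static R6_LAN R6_LAN
!
! Failure cause 2: the other firewall in the path (ASA1 context C2) must let
! the tunnel itself through: IKE udp/500, NAT-T udp/4500 and ESP
! access-list OUT_IN extended permit udp host 150.1.6.6 host 7.7.3.1 eq 500
! access-list OUT_IN extended permit udp host 150.1.6.6 host 7.7.3.1 eq 4500
! access-list OUT_IN extended permit esp host 150.1.6.6 host 7.7.3.1
!
! R6 side: the crypto map already exists per the task; it only has to be
! applied to the interface facing ASA3
! interface GigabitEthernet0/0
!  crypto map R6_MAP
!
! Checks
! show crypto ikev2 sa   -> one SA to 150.1.6.6 in READY state
! show crypto ipsec sa   -> encaps/decaps counters increasing
! packet-tracer input inside icmp 20.20.20.1 8 0 192.168.6.1 -> VPN phase present
```

The packet-tracer output is the quickest way to tell the two failure causes apart: if the NAT phase shows a translation of 20.20.20.1, the identity rule is missing or ordered too late; if it reaches the VPN phase but no SA ever forms, look at the access-list on ASA1 C2.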
WLC
Here you have to create a dynamic interface, SSIDs and profiles for guest and admin. For guest you have to create web authentication on the WLC, and for admin just normal authentication. All parameters like VLAN and SSID are mentioned (the VLAN for admin is 110 and for guest 120).
System hardening
Q1. Here you have to run OSPFv2 in area 1 with MD5 authentication.
Q2. You have to secure SW3 ports f0/2 and f0/3, towards R4 and R5, from untrusted traffic without using DHCP snooping.
Q3. IPS promiscuous mode, with traffic from SW6 interfaces g1/0/1, 2 and 3 going to the g1/0/1 interface connected by trunk. Use VLAN 10 as the remote VLAN. Check by using packet display for interface g0/0.
Q4. On the WLC you have to shun a user by using the IPS, as the attack traffic reaches the IPS. There are parameters such as the IPS address and an index with the IP addresses of the clients. You have to put this information on the WLC.
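Added example for Q1 and Q2 (not the lab's own configuration). Interface numbers, the OSPF process number and the key string are placeholders. Reading Q2 as port security is my assumption: the task only says to secure the ports from untrusted traffic without DHCP snooping, and port security is the switch-side control that does not depend on a snooping binding table.

```cisco
! Q1: OSPFv2 area 1 with MD5 (added example, placeholder values). Every
! router in the area needs the same key id and key string, otherwise the
! adjacency drops as soon as authentication is enabled on one side.
router ospf 1
 area 1 authentication message-digest
interface FastEthernet0/0
 ip ospf message-digest-key 1 md5 LABKEY
!
! Q2 (SW3): tie f0/2 and f0/3 to the first MAC seen (R4 and R5) and
! err-disable the port on a violation. Unlike "ip verify source" this does
! not rely on DHCP snooping.
interface range FastEthernet0/2 - 3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Checks
! show ip ospf interface FastEthernet0/0 -> "Message digest authentication enabled"
! show ip ospf neighbor                   -> FULL once both sides carry the key
! show port-security interface FastEthernet0/2 -> Port Status: Secure-up, 1 sticky MAC
! show running-config interface FastEthernet0/2 -> the learned MAC is written as a
!                                                  sticky address
```

If the lab instead wants the ports to stay up after a violation so that a check can still run, "violation restrict" keeps the port up and only counts and logs the offending frames.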
ISE
Task 1: IP phone and PC (similar to the previous lab).
Task 2: Central web authentication, using the parameters specified, configured on the switch.