CCNA Security v2.0
Skills Assessment - A
Student Training

Topology

Assessment Objectives
Part 1: Verify Network Connectivity (1 points, 5 minutes)
Part 2: Configure Secure Router Administrative Access (17 points, 15 minutes)
Part 3: Configure a Zone-Based Policy Firewall (14 points, 10 minutes)
Part 4: Configure an Intrusion Prevention System (15 points, 10 minutes)
Part 5: Secure Layer 2 Switches (22 points, 20 minutes)
Part 6: Configure ASA Basic Management and Firewall Settings (17 points, 15 minutes)
Part 7: Configure the ASA for SSL VPN Remote Access Using ASDM (14 points, 15 minutes)

Scenario
This Skills Assessment (SA) is the final practical exam of student training for the CCNA Security course. The
exam is divided into seven parts. The parts should be completed sequentially, and signed off by your
instructor before moving on to the next part. In Part 1, you will verify that the basic device settings have been
preconfigured by the instructor. In Part 2, you will secure a network router using the command line interface
(CLI) to configure various IOS features including AAA and SSH. In Parts 3 and 4, you will configure a zone-
based policy firewall (ZPF) and intrusion prevention using the Cisco IOS intrusion prevention system (IPS) on
an integrated services router (ISR) using the CLI. In Part 5, you will configure and secure Layer 2 switches
using the CLI. In Parts 6 and 7, you will configure the ASA management and firewall settings using the CLI
and implement an SSL Remote Access VPN using ASDM.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 11

Required Resources
- 3 Routers (Cisco 1941 with Cisco IOS Release 15.2(4)M3 universal image or comparable)
- 3 Switches (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
- 1 ASA 5505 (OS version 9.2(3) and ASDM version 7.4(1) and Base license or comparable)
- 3 PCs (Windows 7 with a terminal emulation program, such as Tera Term)
- Console cable to configure the Cisco IOS devices via the console ports
- Ethernet and Serial cables as shown in the topology

Part 1: Verify Network Connectivity


Total points: 1
Time: 5 minutes
In the interest of time, your instructor has pre-configured basic settings on R1 and R3 and configured the
static IP address information for the PC hosts in the topology. In Part 1, you will verify that PC-C can ping the
G0/1 interface on R1 and that R3 can reach R1 over the serial link.

Configuration Task (Points), with Specification indented below:

Ping the G0/1 interface on R1 from PC-C. (1/2)
  See Topology for specific settings.
Ping interface S0/0/1 on R1 from R3. (1/2)
  See Topology for specific settings.

Instructor Sign-Off Part 1: ______________________
Points: _________ of 1
Note: Do not proceed to Part 2 until your instructor has signed off on Part 1.

Part 2: Configure Secure Router Administrative Access


Total points: 17
Time: 15 minutes
In Part 2, you will secure administrative access on R3 using the CLI. Configuration tasks include the following:

Configuration Item or Task (Points), with Specification indented below:

Set minimum password length. (1)
  Minimum length: 10 characters
Assign and encrypt a privileged EXEC password. (1)
  Password: cisco12345
  Encryption type: 9 (scrypt)
Add a user in the local database for administrator access. (1)
  Username: Admin01
  Privilege level: 15
  Encryption type: 9 (scrypt)
  Password: admin01pass
Configure an MOTD banner. (1/2)
  Banner: Unauthorized Access is Prohibited!
Disable HTTP server services. (1/2)
Configure SSH. (4)
  Domain name: ccnassecurity.com
  RSA key size: 1024
  Version: 2
  Timeout: 90 seconds
  Authentication retries: 2
Configure VTY lines to allow SSH access. (1)
  Allow only SSH access.
Configure the AAA authentication and authorization settings. (2)
  Enable AAA.
  Use local database as default setting.
Configure NTP. (4)
  Authentication key: NTPpassword
  Encryption: MD5
  Key: 1
  NTP server: 209.165.200.233
  Configure for periodic calendar updates.
Configure syslog. (2)
  Enable timestamp service to log the date and time in milliseconds.
  Send syslog messages to: 172.30.3.3
  Set message logging severity level to: Warnings.
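The following IOS configuration is an added worked example that satisfies every item in the Part 2 table on R3; it is not part of the Cisco assessment document. It assumes the router image supports type 9 (scrypt) secrets, which Cisco introduced in IOS 15.3(3)M; on an image such as the 15.2(4)M3 release listed under Required Resources the algorithm-type keyword is not available and enable secret produces a type 5 (MD5) hash instead. The local user is created before aaa new-model so that enabling AAA can never lock you out of the console; keep the console session open until an SSH login as Admin01 has been confirmed.

```cisco
! R3: secure administrative access (Part 2)
configure terminal
! Password policy and privileged EXEC secret (type 9 requires IOS 15.3(3)M or later)
security passwords min-length 10
enable algorithm-type scrypt secret cisco12345
! Create the local admin account BEFORE enabling AAA
username Admin01 privilege 15 algorithm-type scrypt secret admin01pass
banner motd #Unauthorized Access is Prohibited!#
no ip http server
! SSH: domain name and RSA keys must exist before the ip ssh commands are accepted
ip domain-name ccnassecurity.com
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
! AAA: local database as the default for login authentication and EXEC authorization
aaa new-model
aaa authentication login default local
aaa authorization exec default local
! VTY lines: SSH only. With aaa new-model the default login list applies to these lines
line vty 0 4
 transport input ssh
 exit
! Authenticated NTP, plus periodic updates of the hardware calendar
ntp authentication-key 1 md5 NTPpassword
ntp authenticate
ntp trusted-key 1
ntp server 209.165.200.233 key 1
ntp update-calendar
! Syslog: millisecond timestamps, severity warnings (4) and above to the syslog host
service timestamps log datetime msec
logging host 172.30.3.3
logging trap warnings
end
! Verification
show running-config | include secret
show ip ssh
show ntp associations
show logging
```

The `show running-config | include secret` line should show `secret 9` for both the enable secret and the Admin01 account; a `secret 5` indicates the image fell back to MD5 and the encryption-type item of the table is not met. `show ip ssh` must report version 2.0, a 90 second timeout and 2 retries, and a Telnet attempt to R3 should now be refused while SSH from PC-C succeeds.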

Note: Before proceeding to Part 3, ask your instructor to verify R3’s configuration and functionality.
Instructor Sign-Off Part 2: ______________________
Points: _________ of 17

Part 3: Configure a Zone-Based Policy Firewall


Total points: 14
Time: 10 minutes
In Part 3, you will configure a ZPF on R3 using the CLI. Configuration tasks include the following:

Configuration Item or Task (Points), with Specification indented below:

Create security zone names. (2)
  Inside zone name: INSIDE
  Outside zone name: INTERNET
Create an inspect class map. (3)
  Class map name: INSIDE_PROTOCOLS
  Inspection type: match-any
  Protocols allowed: tcp, udp, icmp
Create an inspect policy map. (3)
  Policy map name: INSIDE_TO_INTERNET
  Bind the class map to the policy map.
  Matched packets should be inspected.
Create a zone pair. (2)
  Zone pair name: IN_TO_OUT_ZONE
  Source zone: INSIDE
  Destination zone: INTERNET
Apply the policy map to the zone pair. (2)
  Zone pair name: IN_TO_OUT_ZONE
  Policy map name: INSIDE_TO_INTERNET
Assign interfaces to the proper security zones. (2)
  Interface G0/1: INSIDE
  Interface S0/0/0: INTERNET

Troubleshoot as necessary to correct any issues.
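The ZPF from the table above expressed as IOS commands, added here as a worked example rather than taken from the assessment. Interface names follow the table (G0/1 on the inside, S0/0/0 toward the Internet); the order matters, because as soon as an interface joins a zone, traffic between it and any other zone is dropped until a zone pair with a policy exists.

```cisco
! R3: zone-based policy firewall (Part 3)
configure terminal
zone security INSIDE
zone security INTERNET
! match-any: a flow matching any one of the listed protocols is classified
class-map type inspect match-any INSIDE_PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
 exit
! inspect = stateful: return traffic of these sessions is allowed back in automatically
policy-map type inspect INSIDE_TO_INTERNET
 class type inspect INSIDE_PROTOCOLS
  inspect
  exit
 exit
! Zone pair is unidirectional; there is deliberately no INTERNET -> INSIDE pair
zone-pair security IN_TO_OUT_ZONE source INSIDE destination INTERNET
 service-policy type inspect INSIDE_TO_INTERNET
 exit
! Assign interfaces last, after the policy is in place
interface g0/1
 zone-member security INSIDE
 exit
interface s0/0/0
 zone-member security INTERNET
end
! Verification: ping from PC-C out through S0/0/0, then
show zone-pair security
show policy-map type inspect zone-pair IN_TO_OUT_ZONE sessions
```

Two points worth checking when troubleshooting: anything not matched by INSIDE_PROTOCOLS falls into the implicit class-default of the policy map and is dropped, and sessions initiated from the INTERNET zone toward INSIDE are dropped because no zone pair covers that direction. Traffic to and from the router itself (the self zone) is not affected by this policy, so SSH to R3 from PC-C keeps working.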


Note: Before proceeding to Part 4, ask your instructor to verify your ZPF configuration and functionality.
Instructor Sign-Off Part 3: ______________________
Points: _________ of 14

Part 4: Configure an Intrusion Prevention System


Total points: 15
Time: 10 minutes
In Part 4, you will configure an IPS on R3 using the CLI. Configuration tasks include the following:

Configuration Item or Task (Points), with Specification indented below:

Create an IPS directory on flash. (1)
  Directory name: IPSDIR
  Note: If the directory already exists, delete the directory and recreate it.
Copy and paste the crypto key file into R3's running-configuration. (1)
  crypto key pubkey-chain rsa
  named-key realm-cisco.pub signature
  key-string
  30820122 300D0609 2A864886 F70D0101
  01050003 82010F00 3082010A 02820101
  00C19E93 A8AF124A D6CC7A24 5097A975
  206BE3A2 06FBA13F 6F12CB5B 4E441F16
  17E630D5 C02AC252 912BE27F 37FDD9C8
  11FC7AF7 DCDD81D9 43CDABC3 6007D128
  B199ABCB D34ED0F9 085FADC1 359C189E
  F30AF10A C0EFB624 7E0764BF 3E53053E
  5B2146A9 D7A5EDE3 0298AF03 DED7A5B8
  9479039D 20F30663 9AC64B93 C0112A35
  FE3F0C87 89BCB7BB 994AE74C FA9E481D
  F65875D6 85EAF974 6D9CC8E3 F0B08B85
  50437722 FFBE85B9 5E4189FF CC189CB9
  69C46F9C A84DFBA5 7A0AF99E AD768C36
  006CF498 079F88F8 A3B3FB1F 9FB7B3CB
  5539E1D1 9693CCBB 551F78D2 892356AE
  2F56D826 8918EF3C 80CA4F4D 87BFCA3B
  BFF668E9 689782A5 CF31CB6E B4B094D3
  F3020301 0001
  quit
Create an IPS rule. (1)
  IPS rule name: IOSIPS
Set the storage location for the IPS signatures. (1)
  Location: IPSDIR on flash
Enable SDEE notification services. (1)
  Enable HTTP server services.
  Enable IPS SDEE event notification.
Enable IPS syslog support. (1)
Retire all signatures in the all category. (2)
  Category: all
Un-retire the ios_ips basic category signatures. (2)
  Category: ios_ips basic
Apply the IPS rule to the interface. (2)
  Interface: S0/0/0
  Direction: in
Copy the S854 signature from PC-C. (3)
  Protocol: TFTP
  IP address of TFTP server: 172.30.3.3
  Signature: IOS-S854-CLI.pkg
  Compile signatures after they are loaded: idconf

Note: Before attempting the TFTP copy, the Tftpd32 software on PC-C needs to be running with the directory
set to the location of the file: IOS-S854-CLI.pkg.
Troubleshoot as necessary to correct any issues.
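The Part 4 items as an IOS command sequence, added as a worked example and not taken from the assessment. The crypto key block is not repeated here; paste it exactly as listed in the table above before loading the package, because the signature package is signed with that key and the load fails without it. The mkdir and delete commands and the exit from signature-category mode each prompt for confirmation.

```cisco
! R3: Cisco IOS IPS (Part 4)
! Start from a clean directory on flash (both commands prompt for confirmation)
delete /recursive /force flash:IPSDIR
mkdir flash:IPSDIR
configure terminal
! Paste the "crypto key pubkey-chain rsa" ... "quit" block from the table above here
ip ips name IOSIPS
ip ips config location flash:IPSDIR
! SDEE is served by the HTTP server, so it must be on again; syslog notification in addition
ip http server
ip ips notify sdee
ip ips notify log
! Retire everything, then un-retire only the basic category.
! Answer the "accept these changes" prompt on the final exit.
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit
! Inbound on the Internet-facing interface
interface s0/0/0
 ip ips IOSIPS in
end
! Load the signature package from the TFTP server on PC-C and compile it
copy tftp://172.30.3.3/IOS-S854-CLI.pkg idconf
! Verification
show ip ips configuration
show ip ips signatures count
show ip ips all
```

Note that this part re-enables the HTTP server that Part 2 disabled. The assessment accepts that; in a production configuration you would at least restrict it with an access class, or serve SDEE over `ip http secure-server` instead, so that the management plane hardening from Part 2 is not undone. `show ip ips signatures count` should report the compiled signatures of the ios_ips basic category after the copy completes; a count of zero usually means the key was not in the configuration when the package was loaded.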
Note: Before proceeding to Part 5, ask your instructor to verify your IPS configuration and functionality.
Instructor Sign-Off Part 4: ______________________
Points: _________ of 15

Part 5: Secure Layer 2 Switches


Total points: 22
Time: 20 minutes
Note: Not all security features in this part of the exam will be configured on all switches. In a production
network, however, all security features should be configured on all switches. In the interest of time, the
security features are configured on only S2, except where noted.
In Part 5, you will configure security settings on S2 using the CLI. Configuration tasks include the following:

Configuration Item or Task (Points), with Specification indented below:

Assign and encrypt a privileged EXEC password. (1/2)
  Switch: S2
  Password: cisco12345
  Encryption type: 9 (scrypt)
Add a user in the local database for administrator access. (1)
  Switch: S2
  Username: Admin01
  Privilege level: 15
  Encryption type: 9 (scrypt)
  Password: admin01pass
Configure an MOTD banner. (1/2)
  Switch: S2
  Banner: Unauthorized Access is Prohibited!
Disable HTTP and HTTP secure server. (1)
  Switch: S2
Configure SSH. (2)
  Switch: S2
  Domain name: ccnassecurity.com
  RSA key size: 1024
  Version: 2
  Timeout: 90 seconds
  Authentication retries: 2
Configure the VTY lines to allow SSH access. (1/2)
  Switch: S2
  Allow only SSH access.
Configure the AAA authentication and authorization settings. (2)
  Switch: S2
  Enable AAA.
  Use local database as default setting.
Create the VLAN list. (1/2)
  Switches: S1 & S2
  VLAN: 2, Name: NewNative
  VLAN: 10, Name: LAN
  VLAN: 99, Name: Blackhole
Configure the trunk ports. (2)
  Switches: S1 & S2
  Interfaces: F0/1, F0/2
  Native VLAN: 2
  Prevent DTP.
Disable trunking. (2)
  Switch: S2
  Ports: F0/18, F0/24
  VLAN assignment: 10
Enable PortFast and BPDU guard. (2)
  Switch: S2
  Ports: F0/18, F0/24
Configure basic port security. (3)
  Switch: S2
  Port: F0/18
  Maximum limit: 1
  Remember the MAC address.
  Violation action: Shutdown
Disable unused ports on S2, and assign ports to VLAN 99. (1)
  Switch: S2
  Ports: F0/3-17, F0/19-23, G0/1-2
Configure Loop guard. (1)
  Switch: S2
  Loop guard: Default
Configure DHCP snooping. (3)
  Switch: S2
  Enable DHCP snooping globally.
  Enable DHCP snooping for VLAN: 10
  DHCP trusted interface: F0/24

NETLAB+ Note: Use a Maximum limit of 2 when configuring basic port security. Otherwise, the hidden
Control Switch will cause a violation to occur and the port will be shut down.
Troubleshoot as necessary to correct any issues.
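The Part 5 table as a 2960 configuration, added as a worked example and not part of the assessment. Everything below goes on S2; the VLAN and trunk sections are also applied to S1. As in Part 2, the type 9 secrets assume an image that supports the algorithm-type keyword, and the local user is created before aaa new-model.

```cisco
! S2: Layer 2 security (Part 5). VLAN and trunk sections also go on S1.
configure terminal
enable algorithm-type scrypt secret cisco12345
username Admin01 privilege 15 algorithm-type scrypt secret admin01pass
banner motd #Unauthorized Access is Prohibited!#
no ip http server
no ip http secure-server
ip domain-name ccnassecurity.com
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2
aaa new-model
aaa authentication login default local
aaa authorization exec default local
line vty 0 15
 transport input ssh
 exit
! VLANs (S1 and S2)
vlan 2
 name NewNative
vlan 10
 name LAN
vlan 99
 name Blackhole
 exit
! Trunks (S1 and S2): unused native VLAN and no DTP, so a host cannot negotiate a trunk
interface range fastEthernet 0/1 - 2
 switchport mode trunk
 switchport trunk native vlan 2
 switchport nonegotiate
 exit
! Access ports: static access mode disables trunking; PortFast plus BPDU guard
interface range fastEthernet 0/18 , fastEthernet 0/24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 exit
! Port security on F0/18 (NETLAB+ environments: use maximum 2)
interface fastEthernet 0/18
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 exit
! Unused ports: black-hole VLAN and administratively down
interface range fastEthernet 0/3 - 17 , fastEthernet 0/19 - 23 , gigabitEthernet 0/1 - 2
 switchport mode access
 switchport access vlan 99
 shutdown
 exit
spanning-tree loopguard default
! DHCP snooping: only F0/24 is trusted to send DHCP server replies
ip dhcp snooping
ip dhcp snooping vlan 10
interface fastEthernet 0/24
 ip dhcp snooping trust
end
! Verification
show interfaces trunk
show port-security interface fastEthernet 0/18
show spanning-tree summary
show ip dhcp snooping
```

A port placed in err-disabled state by port security or BPDU guard stays down until `shutdown` / `no shutdown` is issued on it, which is the expected result of the NETLAB+ note. The assessment trusts only F0/24 for DHCP snooping; in a production deployment any uplink over which legitimate DHCP replies arrive (for example the trunks on F0/1 and F0/2) must also be trusted, otherwise snooping silently drops the offers.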
Note: Before proceeding to Part 6, ask your instructor to verify your switch configuration and functionality.
Instructor Sign-Off Part 5: ______________________
Points: _________ of 22

Part 6: Configure ASA Basic Management and Firewall Settings


Total points: 17
Time: 15 minutes
Note: By default, the privileged EXEC password is blank. Press Enter at the password prompt.
In Part 6, you will configure the ASA’s basic setting and firewall using the CLI. Configuration tasks include the
following:

Configuration Item or Task (Points), with Specification indented below:

Configure the ASA hostname. (1/2)
  Name: CCNAS-ASA
Configure the domain name. (1/2)
  Domain name: ccnasecurity.com
Configure the privileged EXEC password. (1/2)
  Password: cisco12345
Add a user in the local database with administrator console access. (1/2)
  User: Admin01
  Password: admin01pass
Configure VLAN 1. (2)
  VLAN: 1
  Name: inside
  IP address: 192.168.10.1
  Subnet mask: 255.255.255.0
  Security level: 100
Configure VLAN 2. (3)
  VLAN: 2
  Name: outside
  IP address: 209.165.200.226
  Subnet mask: 255.255.255.248
  Security level: 0
  Activate the VLAN.
Configure AAA to use the local database for SSH user authentication. (1)
Generate an RSA key pair to support the SSH connections. (1)
  Key: RSA
  Modulus size: 1024
Configure the ASA to accept SSH connections from hosts on the inside LAN. (1)
  Inside network: 192.168.10.0/24
  Timeout: 10 minutes
  Version: 2
Assign VLANs to interfaces and activate each interface. (2)
  VLAN 1 interface: E0/1
  VLAN 2 interface: E0/0
Configure the default route. (1)
  Default route IP address: 209.165.200.225
Configure the ASDM access to the ASA. (2)
  Enable HTTPS server services.
  Enable HTTPS on the inside network.
Create a network object to identify internal addresses for PAT. Dynamically bind interfaces by using the interface address as the mapped IP. (2)
  Object name: INSIDE-NET
  Subnet: 192.168.10.0/24
  Interfaces: inside, outside
Modify the default global policy to allow returning ICMP traffic through the firewall. (1)
  Policy-map: global_policy
  Class: inspection_default
  Inspect: icmp

Troubleshoot as necessary to correct any issues.
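The Part 6 table as an ASA 5505 configuration in ASA 9.2 syntax, added as a worked example and not part of the assessment. On the 5505 the logical interfaces are the VLAN interfaces; the physical Ethernet ports are switch ports assigned to those VLANs, which is why both must be brought up.

```cisco
! CCNAS-ASA: basic management and firewall settings (Part 6)
configure terminal
hostname CCNAS-ASA
domain-name ccnasecurity.com
enable password cisco12345
username Admin01 password admin01pass
! Logical interfaces: inside (level 100) and outside (level 0)
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 exit
interface vlan 2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
 no shutdown
 exit
! Physical switch ports: E0/1 -> VLAN 1 (inside), E0/0 -> VLAN 2 (outside)
interface ethernet 0/1
 switchport access vlan 1
 no shutdown
 exit
interface ethernet 0/0
 switchport access vlan 2
 no shutdown
 exit
! SSH only from the inside LAN, authenticated against the local database
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
route outside 0.0.0.0 0.0.0.0 209.165.200.225
! ASDM over HTTPS, reachable from the inside network only
http server enable
http 192.168.10.0 255.255.255.0 inside
! Interface PAT: inside hosts leave with the outside interface address
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
 exit
! Stateful ICMP inspection so echo replies are allowed back through
policy-map global_policy
 class inspection_default
  inspect icmp
end
! Verification
show interface ip brief
show nat
show run policy-map
```

Without `inspect icmp` a ping from an inside host leaves through the PAT translation but the echo reply is dropped at the outside interface, because ICMP is not tracked as a session by default; after the change `show nat` should show translate_hits incrementing and the ping succeeds. The ssh and http lines are the access control for the management plane: both are scoped to the inside network, so no management service is reachable from the outside interface.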


Note: Before proceeding to Part 7, ask your instructor to verify your ASA configuration and functionality.

Instructor Sign-Off Part 6: ______________________
Points: _________ of 17

Part 7: Configure the ASA for SSL VPN Remote Access Using ASDM
Total points: 14
Time: 15 minutes
In Part 7, you will configure an AnyConnect SSL remote access VPN on the ASA using ASDM. You will then
use a browser on PC-C to connect and download the Cisco AnyConnect Secure Mobility Client software
located on the ASA. After the software has downloaded, you will manually install the AnyConnect software to
PC-C and use it to establish a remote SSL VPN connection to the ASA.

Step 1: Configure SSL VPN settings on the ASA using the ASDM from PC-B.
Use a browser on PC-B to establish an ASDM session to the ASA. After the session is established, use the
AnyConnect VPN Wizard to configure the ASA to allow SSL VPN client connections. Configuration
parameters include the following:

Configuration Item or Task (Points), with Specification indented below:

Use a browser on PC-B, and connect to the ASA. (1)
  Connection: HTTPS
  IP address: 192.168.10.1
  Username: Admin01
  Password: admin01pass
  Note: You will need to accept all security messages.
Use the AnyConnect VPN Wizard to configure the ASA to accept SSL VPN connections from the Cisco AnyConnect Secure Mobility Client. (7)
  Connection profile name: ANYCONNECT-SSL-VPN
  VPN access interface: outside
  VPN protocols: SSL only
  Client images: anyconnect-win-4.1.00028-k9.pkg
  Username: VPNuser
  Password: VPNuserpa55
  IP address pool name: VPN-POOL
  IP address pool starting address: 192.168.10.201
  IP address pool ending address: 192.168.10.210
  IP address pool subnet mask: 255.255.255.0
  DNS server: 10.20.30.40
  Domain name: ccnasecurity.com
  Exempt VPN traffic from NAT: Enable
  Inside interface: inside
  Local network: any4

Step 2: Establish an SSL VPN connection to the ASA from PC-C


To establish an SSL VPN connection to the ASA, you will need to use a browser on PC-C to download the
Cisco AnyConnect Secure Mobility Client software from the ASA. After the software is downloaded, you will
install the AnyConnect software to PC-C and then establish an SSL VPN connection to the ASA. The steps
required are as follows:

Configuration Item or Task (Points), with Specification indented below:

Use a browser on PC-C. Connect to the ASA. Download the Cisco AnyConnect Secure Mobility Client software to the PC. (2)
  Connection: HTTPS
  IP address: 209.165.200.226
  Username: VPNuser
  Password: VPNuserpa55
  Accept all security warning messages.
Download and install the Cisco AnyConnect Secure Mobility Client. After installation is complete, the AnyConnect SSL VPN session should be established automatically. (2)
  If the "Untrusted Server Blocked!" window appears, click Change Setting to allow the connection to the ASA.
  When asked to change PC settings to allow the AnyConnect Client to be installed, click Yes.
Verify that an SSL VPN session has been established to the ASA using ASDM from PC-B. (2)

Troubleshoot as necessary to correct any issues.


Instructor Sign-Off Part 7: ______________________
Points: _________ of 14

Router Interface Summary

Router Model   Ethernet Interface #1        Ethernet Interface #2        Serial Interface #1     Serial Interface #2
1800           Fast Ethernet 0/0 (F0/0)     Fast Ethernet 0/1 (F0/1)     Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
1900           Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2801           Fast Ethernet 0/0 (F0/0)     Fast Ethernet 0/1 (F0/1)     Serial 0/1/0 (S0/1/0)   Serial 0/1/1 (S0/1/1)
2811           Fast Ethernet 0/0 (F0/0)     Fast Ethernet 0/1 (F0/1)     Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2900           Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces, identify the type of router, and how many
interfaces the router has. There is no way to effectively list all of the combinations of configurations for each
router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the
device. This table does not include any other type of interface, even though a specific router may contain one. An
example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be
used in Cisco IOS commands to represent the interface.
