!************************************************
!*                                              *
!*    Lab 1 Final Solutions for all Devices     *
!*                                              *
!************************************************
!********************************
!*                              *
!*   R1 Final Solution Config   *
!*                              *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
no logging console
enable password cisco
no aaa new-model
ip source-route
ip cef
no ip domain lookup
ip domain name cisco.com
no ipv6 cef
!
crypto key generate rsa exportable label gdoikeys modulus 1024
crypto key generate rsa exportable label myCA modulus 1024
!
crypto pki server myCA
 database level complete
 issuer-name CN=myCA.cisco.com
 grant auto
 lifetime ca-certificate 365
 database url flash:
 no shutdown
!
crypto pki trustpoint myCA
 revocation-check crl
 rsakeypair myCA
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set gdoitrans esp-aes esp-sha-hmac
!
crypto ipsec profile dmvpn
 set transform-set cisco
!
crypto ipsec profile gdoi_profile
 set security-association lifetime seconds 36000
 set transform-set gdoitrans
!
crypto gdoi group lab1getvpn
 identity number 123
 server local
  rekey retransmit 30 number 2
  rekey authentication mypubkey rsa gdoikeys
  rekey transport unicast
  sa ipsec 1
   profile gdoi_profile
   match address ipv4 101
   replay time window-size 10
  address ipv4 192.168.3.11
!
load protocol flash:ip.phdf
load protocol flash:tcp.phdf
!
ip tcp synwait-time 5
!
class-map type access-control match-all TCP23classmap
 match field TCP dest-port eq 23
 match field IP dest-addr eq 10.1.1.1
class-map type stack match-all matchTCPstack
 match field IP protocol eq 6 next TCP
!
policy-map type access-control dropTCP23
 class TCP23classmap
  drop
policy-map type access-control blockTCP23
 class matchTCPstack
  service-policy dropTCP23
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback1
 ip address 11.11.11.11 255.255.255.255
!
interface Tunnel1
 bandwidth 1000
 ip address 172.1.0.1 255.255.255.0
 no ip redirects
 ip mtu 1360
 no ip next-hop-self eigrp 100
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 11
 ip nhrp holdtime 300
 no ip split-horizon eigrp 100
 delay 1100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 11
 tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
 ip address 192.168.3.11 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.2.11 255.255.255.0
 no shutdown
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 100
 network 11.11.11.0 0.0.0.255
 network 172.1.0.0 0.0.0.255
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 10.0.0.0 255.0.0.0 192.168.3.10
ip route 172.17.0.0 255.255.0.0 192.168.3.10
ip route 192.168.0.0 255.255.0.0 192.168.3.10
ip http server
no ip http secure-server
!
access-list 1 permit 10.5.5.5
access-list 1 permit 192.168.2.12
access-list 1 permit 192.168.9.10
access-list 101 permit ip 172.17.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 120 permit ip host 192.168.64.6 any
access-list 120 permit ip any host 192.168.64.6
!
control-plane
 service-policy type access-control input blockTCP23
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp access-group peer 1
ntp master 5
end
!********************************
!*                              *
!*   R2 Final Solution Config   *
!*                              *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
enable password cisco
!
aaa new-model
aaa authentication login vtyauthen group tacacs+
aaa authentication login conauthen none
aaa authorization exec vtyexec group tacacs+
ip source-route
ip cef
no ip domain lookup
ip domain name cisco.com
no ipv6 cef
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile dmvpn
 set transform-set cisco
!
ip tcp synwait-time 5
!
class-map match-all copp
 match access-group 101
 match not access-group 102
!
policy-map copp
 class copp
  drop
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
!
interface Loopback1
 ip address 22.22.22.22 255.255.255.0
!
interface Tunnel1
 bandwidth 1000
 ip address 172.1.0.2 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp authentication cisco
 ip nhrp map multicast 192.168.3.11
 ip nhrp map 172.1.0.1 192.168.3.11
 ip nhrp network-id 11
 ip nhrp holdtime 300
 ip nhrp nhs 172.1.0.1
 delay 1100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 11
 tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
 ip address 192.168.4.11 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.5.11 255.255.255.0
 no shutdown
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Serial0/0/1
 no ip address
 shutdown
!
router eigrp 100
 network 22.22.22.0 0.0.0.255
 network 172.1.0.0 0.0.0.255
 no auto-summary
!
router ospf 1
 log-adjacency-changes
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.4.10
ip http server
no ip http secure-server
!
access-list 101 permit icmp any any
access-list 102 permit icmp 10.0.0.0 0.255.255.255 any
access-list 102 permit icmp 172.16.0.0 0.15.255.255 any
access-list 102 permit icmp 192.168.0.0 0.0.255.255 any
!
tacacs-server host 192.168.2.14
tacacs-server key cisco
!
control-plane
 service-policy input copp
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login authentication conauthen
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 authorization exec vtyexec
 logging synchronous
 login authentication vtyauthen
 transport input telnet
!
parser view netop
 secret 5 $1$.SqL$qcRMtupOtbjMledzQJwp20
 commands configure include all ip route
 commands configure include all router
 commands configure include all interface
 commands configure include ip
 commands exec include configure terminal
 commands exec include configure
 commands exec include all show
!
parser view secop
 secret 5 $1$o6m5$CtYHwt2EPE4/iKqHCTvEn.
 commands configure include all radius-server
 commands configure include all tacacs-server
 commands configure include all interface
 commands configure include all zone-pair
 commands configure include all zone
 commands configure include all policy-map
 commands configure include all class-map
 commands configure include all crypto
 commands configure include all aaa
 commands exec include configure terminal
 commands exec include configure
 commands exec include all show
!
end
!********************************
!*                              *
!*   R3 Final Solution Config   *
!*                              *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
enable password cisco
no aaa new-model
ip source-route
ip cef
no ip domain lookup
ip domain name cisco.com
no ipv6 cef
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto gdoi group lab1getvpn
 identity number 123
 server address ipv4 192.168.3.11
!
crypto map gdoi 10 gdoi
 set group lab1getvpn
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.0
!
interface Loopback10
 ip address 172.17.3.3 255.255.255.0
!
interface GigabitEthernet0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.9.3 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 crypto map gdoi
 no shutdown
!
interface Serial0/0/0
 ip address 192.168.35.3 255.255.255.0
 encapsulation ppp
 ip ospf network point-to-point
 no fair-queue
 no shutdown
!
interface Serial0/0/1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.3.3.0 0.0.0.255 area 0
 network 172.17.3.0 0.0.0.255 area 0
 network 192.168.9.0 0.0.0.255 area 0
 network 192.168.35.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
end
!********************************
!*                              *
!*   R4 Final Solution Config   *
!*                              *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R4
enable password cisco
no aaa new-model
ip source-route
ip cef
!
no ip domain lookup
ip domain name cisco.com
no ipv6 cef
!
frame-relay switching
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile dmvpn
 set transform-set cisco
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 10.4.4.4 255.255.255.0
!
interface Loopback1
 ip address 44.44.44.44 255.255.255.0
!
interface Tunnel1
 bandwidth 1000
 ip address 172.1.0.4 255.255.255.0
 no ip redirects
 ip mtu 1360
 ip nhrp authentication cisco
 ip nhrp map multicast 192.168.3.11
 ip nhrp map 172.1.0.1 192.168.3.11
 ip nhrp network-id 11
 ip nhrp nhs 172.1.0.1
 delay 1100
 tunnel source Serial0/0/0
 tunnel mode gre multipoint
 tunnel key 11
 tunnel protection ipsec profile dmvpn
!
interface GigabitEthernet0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.9.4 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 cisco
 no shutdown
!
interface Serial0/0/0
 ip address 192.168.64.4 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-point
 clock rate 2000000
 frame-relay map ip 192.168.64.6 64 broadcast
 frame-relay intf-type dce
 no shutdown
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 100
 network 44.44.44.0 0.0.0.255
 network 172.1.0.0 0.0.0.255
 no auto-summary
!
router ospf 1
 log-adjacency-changes
 network 10.4.4.0 0.0.0.255 area 0
 network 192.168.9.0 0.0.0.255 area 0
 network 192.168.64.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
!
control-plane host
 management-interface GigabitEthernet0/1 allow http telnet
 management-interface Serial0/0/0 allow telnet
!
control-plane
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
end
!********************************
!*                              *
!*   R5 Final Solution Config   *
!*                              *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname R5
logging buffered 4096
no logging console
enable password cisco
no aaa new-model
ip source-route
ip cef
no ip bootp server
no ip domain lookup
ip domain name cisco.com
no ipv6 cef
!
frame-relay switching
!
parameter-map type regex emailid
 pattern joe@myemail.com
!
crypto pki trustpoint cisco
 enrollment url http://10.1.1.1:80
 serial-number
 revocation-check none
!
crypto pki certificate map mycert 10
 issuer-name co myca
 subject-name co asa2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp identity dn
crypto isakmp profile isakmpprofile
 ca trust-point cisco
 match certificate mycert
!
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
!
crypto map cisco local-address Loopback1
crypto map cisco 10 ipsec-isakmp
 set peer 192.168.9.10
 set transform-set cisco
 set isakmp-profile isakmpprofile
 match address 109
!
ip finger
ip tcp synwait-time 5
ip ssh version 1
!
class-map type inspect match-all icmp
 match protocol icmp
class-map type inspect http match-any webtunneling
 match request port-misuse tunneling
class-map type inspect match-all smtp
 match protocol smtp
class-map type inspect match-any central_remote
 match access-group 101
class-map type inspect match-any other
 match protocol telnet
 match protocol ssh
class-map type inspect match-any web
 match protocol http
class-map type inspect smtp match-all largemail
 match sender address regex emailid
 match data-length gt 10000000
!
policy-map type inspect http dropwebtunneling
 class type inspect http webtunneling
  reset
policy-map type inspect central_remote
 class type inspect central_remote
  inspect
 class class-default
  drop
policy-map type inspect smtp droplargemail
 class type inspect smtp largemail
  reset
policy-map type inspect remote_central
 class type inspect web
  inspect
  service-policy http dropwebtunneling
 class type inspect icmp
  inspect
  police rate 20000 burst 2000
 class type inspect other
  inspect
 class type inspect smtp
  inspect
  service-policy smtp droplargemail
 class class-default
  drop
!
zone security REMOTE
zone security CENTRAL
zone-pair security central_remote source CENTRAL destination REMOTE
 service-policy type inspect central_remote
zone-pair security remote_central source REMOTE destination CENTRAL
 service-policy type inspect remote_central
!
interface Loopback0
 ip address 10.5.5.5 255.255.255.0
!
interface Loopback1
 ip address 192.168.55.5 255.255.255.0
!
interface Loopback5
 ip address 10.55.55.55 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.11.10 255.255.255.0
 ntp broadcast
 no shutdown
!
interface Serial0/0/0
 ip address 192.168.35.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security REMOTE
 encapsulation ppp
 ip ospf network point-to-point
 no fair-queue
 clock rate 2000000
 crypto map cisco
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.65.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security CENTRAL
 encapsulation frame-relay
 ip ospf network point-to-point
 clock rate 2000000
 frame-relay map ip 192.168.65.6 65 broadcast
 frame-relay intf-type dce
 crypto map cisco
 no shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.5.5.0 0.0.0.255 area 0
 network 10.55.55.0 0.0.0.255 area 0
 network 192.168.35.0 0.0.0.255 area 0
 network 192.168.55.0 0.0.0.255 area 0
 network 192.168.65.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip nat inside source route-map s0 interface Serial0/0/0 overload
ip nat inside source route-map s1 interface Serial0/0/1 overload
!
access-list 101 permit ip any any
access-list 102 permit ip host 10.55.55.55 any
access-list 109 permit ip host 10.5.5.5 host 10.8.8.8
!
route-map s1 permit 10
 match ip address 102
 match interface Serial0/0/1
!
route-map s0 permit 10
 match ip address 102
 match interface Serial0/0/0
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
process cpu threshold type total rising 75 interval 5
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.1 key 1 source Loopback0
end
! The following steps enroll R5 with the CA and install the CA certificate once the CA server on R1 is up
!
crypto key generate rsa exportable modulus 1024
!
crypto pki authenticate cisco
!
crypto pki enroll cisco
!
end
!********************************
!*                              *
!*   R6 Final Solution Config   *
!*                              *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R6
logging buffered 4096
enable password cisco
no aaa new-model
ip source-route
ip cef
no ip domain lookup
ip domain name cisco.com
no ipv6 cef
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto gdoi group lab1getvpn
 identity number 123
 server address ipv4 192.168.3.11
!
crypto map gdoi 10 gdoi
 set group lab1getvpn
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 10.6.6.6 255.255.255.0
!
interface Loopback10
 ip address 172.17.6.6 255.255.255.0
!
interface Loopback20
 ip address 50.50.50.50 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.168.7.11 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.6.11 255.255.255.0
 no shutdown
!
interface Serial0/0/0
 ip address 192.168.64.6 255.255.255.0
 ip verify unicast source reachable-via any
 encapsulation frame-relay
 ip ospf network point-to-point
 snmp trap ip verify drop-rate
 no fair-queue
 frame-relay map ip 192.168.64.4 64 broadcast
 crypto map gdoi
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.65.6 255.255.255.0
 ip verify unicast source reachable-via any
 encapsulation frame-relay
 ip ospf network point-to-point
 snmp trap ip verify drop-rate
 frame-relay map ip 192.168.65.5 65 broadcast
 no shutdown
!
router ospf 1
 log-adjacency-changes
 redistribute connected metric 1 subnets
 redistribute static metric 1 subnets
 network 10.6.6.0 0.0.0.255 area 0
 network 172.17.6.0 0.0.0.255 area 0
 network 192.168.64.0 0.0.0.255 area 0
 network 192.168.65.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 10.1.1.0 255.255.255.0 192.168.6.10
ip route 10.2.2.0 255.255.255.0 192.168.6.10
ip route 10.7.7.0 255.255.255.0 192.168.7.10
ip route 172.16.1.0 255.255.255.0 192.168.7.10
ip route 192.168.2.0 255.255.255.0 192.168.6.10
ip route 192.168.3.0 255.255.255.0 192.168.6.10
ip route 192.168.4.0 255.255.255.0 192.168.6.10
ip route 192.168.5.0 255.255.255.0 192.168.6.10
ip route 192.168.8.0 255.255.255.0 192.168.7.10
no ip http server
no ip http secure-server
!
access-list 101 deny icmp host 10.55.55.55 any
access-list 101 deny icmp host 192.168.65.5 any
access-list 101 deny icmp host 192.168.35.5 any
access-list 101 permit ip any any
access-list 120 permit ip any host 192.168.3.11
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
end
!********************************
!*                              *
!*   Sw1 Final Solution Config  *
!*                              *
!********************************
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Sw1
enable password cisco
!
aaa new-model
aaa authentication login vtyauthen group tacacs+
aaa authentication login conauthen none
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name cisco.com
!
errdisable recovery cause bpduguard
errdisable recovery interval 60
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
vlan access-map abc 10
 action drop
 match ip address 101
vlan access-map abc 20
 action forward
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 10.7.7.7 255.255.255.0
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/1
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
 switchport access vlan 102
 switchport mode access
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
 switchport access vlan 101
 switchport mode access
!
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/12
 switchport access vlan 201
 switchport mode access
!
interface FastEthernet0/13
 no switchport
 ip address 192.168.8.11 255.255.255.0
 storm-control broadcast level 80.00 60.00
!
interface FastEthernet0/14
!
interface FastEthernet0/15
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/16
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102
 switchport mode trunk
!
interface FastEthernet0/17
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 201,202
 switchport mode trunk
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/21
!
interface FastEthernet0/22
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/23
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.8.10
ip http server
ip http secure-server
!
access-list 101 permit ip host 192.168.4.11 host 192.168.3.11
access-list 101 permit ip host 192.168.4.11 host 192.168.64.4
tacacs-server host 192.168.2.14
tacacs-server directed-request
tacacs-server key cisco
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login authentication conauthen
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login authentication vtyauthen
 transport input telnet
line vty 5 15
!
end

Sw1# show vtp status
VTP Version                     : running VTP2
Configuration Revision          : 15
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 15
VTP Operating Mode              : Server
VTP Domain Name                 : ccie
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7C 0x7F 0x19 0xCB 0xF0 0xB7 0x9A 0xB6
Configuration last modified by 192.168.11.11 at 6-18-09 13:06:36
Local updater ID is 192.168.8.11 on interface Fa0/13 (first layer3 interface found)
Sw1#
Sw1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/14, Fa0/18
                                                Fa0/19, Fa0/21, Gi0/1, Gi0/2
2    VLAN0002                         active    Fa0/15, Fa0/20, Fa0/22, Fa0/23
3    VLAN0003                         active    Fa0/1
4    VLAN0004                         active    Fa0/2
5    VLAN0005                         active
9    VLAN0009                         active
50   VLAN0050                         active
101  VLAN0101                         active    Fa0/10
102  VLAN0102                         active    Fa0/6
201  VLAN0201                         active    Fa0/12
202  VLAN0202                         active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
!********************************
!*                              *
!*   Sw2 Final Solution Config  *
!*                              *
!********************************
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Sw2
no logging console
enable password cisco
no aaa new-model
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name cisco.com
!
ip dhcp snooping vlan 50
ip dhcp snooping
ip arp inspection vlan 50
ip arp inspection validate src-mac ip
!
key chain cisco
 key 1
  key-string cisco
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 10.8.8.8 255.255.255.0
!
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 9
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 9
 switchport mode access
!
interface FastEthernet0/5
 no switchport
 ip address 192.168.11.11 255.255.255.0
 ntp broadcast client
!
interface FastEthernet0/6
 switchport access vlan 202
 switchport mode access
!
interface FastEthernet0/7
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x violation-mode shutdown
 dot1x max-req 3
 dot1x reauthentication
 dot1x guest-vlan 5
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
 switchport access vlan 9
 switchport mode access
!
interface FastEthernet0/11
 no switchport
 ip address 192.168.10.11 255.255.255.0
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 cisco
!
interface FastEthernet0/12
 switchport access vlan 9
 switchport mode access
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
 switchport access vlan 50
 switchport mode access
 ip arp inspection trust
 ip arp inspection limit rate 10
 ip dhcp snooping trust
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 10
 no auto-summary
 network 10.8.8.0 0.0.0.255
 network 192.168.10.0
!
ip classless
ip http server
ip http secure-server
control-plane
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 5 15
 login
!
ntp clock-period 36028956
end

Sw2# show vtp status
VTP Version                     : running VTP2
Configuration Revision          : 15
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 15
VTP Operating Mode              : Server
VTP Domain Name                 : ccie
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7C 0x7F 0x19 0xCB 0xF0 0xB7 0x9A 0xB6
Configuration last modified by 192.168.11.11 at 6-18-09 13:06:36
Local updater ID is 192.168.11.11 on interface Fa0/5 (first layer3 interface found)
Sw2#
Sw2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/7, Fa0/8, Fa0/9, Fa0/13
                                                Fa0/14, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Gi0/1, Gi0/2
2    VLAN0002                         active    Fa0/1
3    VLAN0003                         active
4    VLAN0004                         active
5    VLAN0005                         active    Fa0/2
9    VLAN0009                         active    Fa0/3, Fa0/4, Fa0/10, Fa0/12
50   VLAN0050                         active    Fa0/15
101  VLAN0101                         active
102  VLAN0102                         active
201  VLAN0201                         active
202  VLAN0202                         active    Fa0/6
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
Sw2#
!********************************
!*                              *
!*   ASA1 System Context        *
!*   Final Solution Configuration *
!*                              *
!********************************
mode multiple
!*****************************************************
! Convert to Multi-mode, ASA will reboot at this point
!*****************************************************
!
hostname ASA1
enable password cisco
no mac-address auto
!
interface Ethernet0/0
 no shutdown
!
interface Ethernet0/1
 no shutdown
!
interface Ethernet0/1.1
 vlan 3
!
interface Ethernet0/1.2
 vlan 4
!
interface Ethernet0/2
 no shutdown
!
interface Ethernet0/3
 no shutdown
!
interface Management0/0
 no shutdown
!
no failover
!
admin-context admin
context admin
 allocate-interface Management0/0 mgmt
 config-url disk0:/admin
!
context abc1
 allocate-interface Ethernet0/0 outside
 allocate-interface Ethernet0/3 inside
 config-url disk0:/abc1
!
context abc2
 allocate-interface Ethernet0/1.1 inside
 allocate-interface Ethernet0/1.2 dmz2
 allocate-interface Ethernet0/2 outside
 config-url disk0:/abc2
!
prompt hostname context
: end
!********************************
!*                              *
!*   ASA1 abc1 Context          *
!*   Final Solution Configuration *
!*                              *
!********************************
changeto context abc1
!
hostname abc1
enable password cisco
passwd cisco
names
!
interface outside
 nameif outside
 security-level 0
 ip address 192.168.7.10 255.255.255.0
!
interface inside
 nameif inside
 security-level 100
 ip address 192.168.8.10 255.255.255.0
!
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any host 172.16.1.1 eq www
access-list 100 extended permit tcp any host 172.16.1.1 eq https
access-list 100 extended permit tcp any host 192.168.8.11 eq telnet
icmp unreachable rate-limit 1 burst-size 1
static (inside,outside) 172.16.1.1 172.16.1.1 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.7.11 1
route inside 10.7.7.0 255.255.255.0 192.168.8.11 1
route inside 172.16.1.0 255.255.255.0 192.168.8.11 1
sysopt noproxyarp outside
service resetinbound
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map webserver443
 match port tcp eq https
class-map inspection_default
 match default-inspection-traffic
class-map webserver80
 match port tcp eq www
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map webserver
 class webserver443
  set connection embryonic-conn-max 50 per-client-embryonic-max 5
 class webserver80
  set connection embryonic-conn-max 50 per-client-embryonic-max 5
!
service-policy global_policy global
service-policy webserver interface outside
: end
!********************************
!*                              *
!*   ASA1 abc2 Context          *
!*   Final Solution Configuration *
!*                              *
!********************************
changeto context abc2
!
hostname abc2
enable password cisco
passwd cisco
names
!
interface inside
 nameif inside
 security-level 100
 ip address 192.168.3.10 255.255.255.0
!
interface dmz2
 nameif dmz2
 security-level 50
 ip address 192.168.4.10 255.255.255.0
!
interface outside
 nameif outside
 security-level 0
 ip address 192.168.6.10 255.255.255.0
!
regex filterIMregex "yusuf@hotmail.com"
access-list 100 extended permit icmp any any
access-list 100 extended permit udp host 10.5.5.5 host 10.1.1.1 eq ntp
access-list 100 extended permit udp host 192.168.9.10 host 10.1.1.1 eq ntp
access-list 100 extended permit tcp any host 10.1.1.1 eq www
access-list 100 extended permit esp any any
access-list 100 extended permit udp any any eq isakmp
access-list 100 extended permit udp host 192.168.9.3 host 192.168.3.11 eq 848
access-list 100 extended permit udp host 192.168.6.11 host 192.168.3.11 eq 848
access-list 100 extended permit udp host 192.168.64.6 host 192.168.3.11 eq 848
access-list 100 extended permit tcp host 192.168.4.11 host 192.168.2.14 eq tacacs
access-list 100 extended permit tcp any host 192.168.4.11 eq telnet
access-list 100 extended permit tcp host 192.168.8.11 host 192.168.2.14 eq tacacs
access-list 100 extended permit tcp any any eq telnet
access-list 101 extended permit tcp host 10.1.1.1 host 10.6.6.6 eq telnet
access-list 102 extended permit tcp any host 10.6.6.6 eq telnet
icmp unreachable rate-limit 1 burst-size 1
global (outside) 1 192.168.6.61
global (outside) 2 192.168.6.62
nat (inside) 1 access-list 101
nat (inside) 2 access-list 102
access-group 100 in interface dmz2
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.6.11 1
route inside 10.1.1.0 255.255.255.0 192.168.3.11 1
route dmz2 10.2.2.0 255.255.255.0 192.168.4.11 1
route inside 192.168.2.0 255.255.255.0 192.168.3.11 1
route dmz2 192.168.5.0 255.255.255.0 192.168.4.11 1
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no threat-detection statistics tcp-intercept
!
class-map type inspect im match-all filterIMclassmap
 match protocol msn-im
 match login-name regex filterIMregex
 match service file-transfer
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect im filterIMpolicy
 parameters
 class filterIMclassmap
  drop-connection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect im filterIMpolicy
!
service-policy global_policy global
: end
[OK]

!********************************
!*                              *
!* ASA2 Final Solution Config   *
!*                              *
!********************************
hostname ASA2
domain-name cisco.com
enable password cisco
passwd cisco
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.10 255.255.255.0
 authentication key eigrp 10 key-id 1
 authentication mode eigrp 10 md5
 no shutdown
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 192.168.9.10 255.255.255.0
 ospf message-digest-key 1 md5
 ospf authentication message-digest
 no shutdown
!
dns server-group DefaultDNS
 domain-name cisco.com
access-list 100 extended permit icmp any any
access-list 101 extended permit ip host 10.8.8.8 host 10.5.5.5
ip local pool SSLpool 192.168.111.1-192.168.111.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
static (outside,inside) 192.168.10.6 10.6.6.6 netmask 255.255.255.255
access-group 100 in interface outside
!
router eigrp 10
 no auto-summary
 network 192.168.10.0 255.255.255.0
 redistribute ospf 1 metric 1 1 1 1 1
!
router ospf 1
 network 192.168.9.0 255.255.255.0 area 0
 log-adj-changes
 redistribute eigrp 10 metric 1 subnets
!
route outside 0.0.0.0 0.0.0.0 192.168.9.4 1 track 1
route outside 0.0.0.0 0.0.0.0 192.168.9.3 2
dynamic-access-policy-record DfltAccessPolicy
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 444
 type echo protocol ipIcmpEcho 10.4.4.4 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 444 life forever start-time now
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cisco 10 match address 101
crypto map cisco 10 set peer 192.168.55.5
crypto map cisco 10 set transform-set cisco
crypto map cisco 10 set security-association lifetime seconds 28800
crypto map cisco 10 set security-association lifetime kilobytes 4608000
crypto map cisco 10 set trustpoint cisco
crypto map cisco interface outside
crypto ca trustpoint cisco
 enrollment url http://10.1.1.1:80
 serial-number
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
track 1 rtr 444 reachability
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.1 key 1
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLclient internal
group-policy SSLclient attributes
 dns-server value 192.168.2.14
 vpn-tunnel-protocol svc
 default-domain value cisco.com
 address-pools value SSLpool
username lab1user password cisco
username lab1user attributes
 service-type remote-access
tunnel-group 192.168.55.5 type ipsec-l2l
tunnel-group 192.168.55.5 ipsec-attributes
 trust-point cisco
tunnel-group svc type remote-access
tunnel-group svc general-attributes
 default-group-policy SSLclient
tunnel-group svc webvpn-attributes
 group-alias lab1 enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
! The following steps enroll with the CA and install the CA certificate once the CA server is up:
!
! crypto key generate rsa modulus 1024
! crypto ca authenticate cisco
! crypto ca enroll cisco
!
end
: end
[OK]

!********************************
!*                              *
!* IPS Final Solution Config    *
!*                              *
!********************************
service interface
  physical-interfaces GigabitEthernet0/0
    admin-state enabled
    subinterface-type inline-vlan-pair
      subinterface 1
        vlan1 101
        vlan2 102
        exit
      exit
    exit
  physical-interfaces GigabitEthernet0/1
    admin-state enabled
    subinterface-type inline-vlan-pair
      subinterface 1
        vlan1 201
        vlan2 202
        exit
      exit
    exit
  exit
! ------------------------------
service host
  network-settings
    host-ip 192.168.2.12/24,192.168.2.11
    host-name IPS
    telnet-option enabled
    access-list 10.1.1.0/24
    access-list 192.168.2.0/24
    exit
  time-zone-settings
    offset 0
    standard-time-zone-name UTC
    exit
  ntp-option enabled
    ntp-keys 1 md5-key cisco
    ntp-servers 10.1.1.1 key-id 1
    exit
  exit
! ------------------------------
service signature-definition sig0
  signatures 2000 0
    alert-severity medium
    engine atomic-ip
      event-action produce-alert
      exit
    status
      enabled true
      exit
    exit
  signatures 2004 0
    alert-severity medium
    engine atomic-ip
      event-action produce-alert
      exit
    status
      enabled true
      exit
    exit
  signatures 60000 0
    alert-severity high
    sig-fidelity-rating 100
    sig-description
      sig-name kazaa
      exit
    engine string-udp
      event-action produce-alert|deny-attacker-inline
      regex-string [Kk][Aa][Zz][Aa][Aa]
      service-ports 1214
      direction to-service
      exit
    status
      enabled true
      exit
    exit
  exit
! ------------------------------
service signature-definition sig2
  application-policy
    http-policy
      http-enable true
      max-outstanding-http-requests-per-connection 5
      exit
    exit
  signatures 2000 0
    alert-severity medium
    engine atomic-ip
      event-action produce-alert
      exit
    status
      enabled true
      exit
    exit
  signatures 2004 0
    alert-severity medium
    engine atomic-ip
      event-action produce-alert
      exit
    status
      enabled true
      exit
    exit
  exit
! ------------------------------
service web-server
  enable-tls true
  port 8000
  exit
!
! ------------------------------
service analysis-engine
  virtual-sensor vs0
    physical-interface GigabitEthernet0/0 subinterface-number 1
    exit
  virtual-sensor vs2
    signature-definition sig2
    physical-interface GigabitEthernet0/1 subinterface-number 1
    exit
  exit