!************************************************
!*                                              *
!*   Lab 2 Final Solutions for all Devices      *
!*                                              *
!************************************************
!********************************
!*                              *
!*   R1 Final Solution Config   *
!*                              *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
no logging console
enable password cisco
no aaa new-model
ip source-route
ip cef
no ip domain lookup
ip domain name cisco.com
ip multicast-routing
crypto key generate rsa exportable label dmvpn_gdoi
ip ips config location flash:ips5/ retries 1
ip ips notify SDEE
ip ips name myIOSipsV5
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto gdoi group dmvpn_gdoi
 identity number 2
 server address ipv4 10.6.6.6
!
!
crypto map dmvpn_using_gdoi local-address Loopback0
crypto map dmvpn_using_gdoi 10 gdoi
 set group dmvpn_gdoi
!
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit
!
load protocol ip.phdf
load protocol udp.phdf
!
ip tcp synwait-time 5
ip ssh version 1
!
class-map type access-control match-all W32-Blaster
 description "Match W32.Blaster worm packets"
 match field UDP dest-port eq 0x45
 match start l3-start offset 50 size 4 eq 0x20A29010
 match field IP length gt 0x192
class-map type stack match-all udp_protocol
 description "Match UDP over IP packets"
 match field IP protocol eq 0x11 next UDP
!
!
policy-map type access-control drop-W32-Blaster
 description "Policy for UDP based W32.Blaster worm attack"
 class W32-Blaster
  drop
policy-map type access-control fpm-policy
 description "drop W32.Blaster worm packets"
 class udp_protocol
  service-policy drop-W32-Blaster
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback11
 ip address 10.11.11.11 255.255.255.255
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 2
 ip pim dr-priority 10
 ip pim nbma-mode
 ip pim sparse-dense-mode
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp server-only
 no ip split-horizon eigrp 2
 no ip mroute-cache
 delay 1500
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 2
!
interface GigabitEthernet0/0
 ip address 192.168.3.11 255.255.255.0
 ip pim sparse-dense-mode
 ip ips myIOSipsV5 in
 ip ips myIOSipsV5 out
 rate-limit input access-group 101 32000 6000 12000 conform-action transmit exceed-action drop
 crypto map dmvpn_using_gdoi
!
interface GigabitEthernet0/1
 ip address 192.168.2.11 255.255.255.0
 service-policy type access-control input fpm-policy
 no shutdown
!
router eigrp 2
 network 10.11.11.11 0.0.0.0
 network 172.16.1.0 0.0.0.255
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 10.2.2.0 255.255.255.0 192.168.3.2
ip route 10.3.3.0 255.255.255.0 192.168.3.3
ip route 10.4.4.0 255.255.255.0 192.168.3.2
ip route 10.5.5.0 255.255.255.0 192.168.3.2
ip route 10.6.6.0 255.255.255.0 192.168.3.2
ip route 10.7.7.0 255.255.255.0 192.168.3.2
ip route 10.8.8.0 255.255.255.0 192.168.3.3
ip route 192.168.0.0 255.255.0.0 192.168.3.2
ip http server
no ip http secure-server
!
access-list 101 permit udp any host 10.1.1.1 eq isakmp
!
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
end
!********************************
!*                              *
!*   R2 Final Solution Config   *
!*                              *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
no logging console
enable password cisco
aaa new-model
aaa authentication login ezvpn local
aaa authorization network ezvpn local
!
ip source-route
ip cef
no ip domain lookup
ip domain name cisco.com
no ipv6 cef
!
username cisco privilege 15 password 0 cisco
secure boot-image
secure boot-config
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group cisco
 key cisco
 domain cisco.com
 pool mypool
crypto isakmp profile ezvpn_dvti
   match identity group cisco
   client authentication list ezvpn
   isakmp authorization list ezvpn
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ezvpn_trans esp-3des esp-sha-hmac
!
crypto ipsec profile ezvpn_dvti
 set transform-set ezvpn_trans
 set isakmp-profile ezvpn_dvti
!
!
ip tcp synwait-time 5
!
no policy-map drop23
no class-map match-any drop23
!
class-map match-all drop23
 match protocol telnet
 match ip dscp 1
!
!
policy-map drop23
 class drop23
  drop
!
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 192.168.3.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.4.2 255.255.255.0
 service-policy input drop23
 no service-policy output drop23
 no shutdown
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ezvpn_dvti
!
ip local pool mypool 10.20.20.1 10.20.20.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.4.10
ip route 10.1.1.0 255.255.255.0 192.168.3.11
ip route 192.168.2.0 255.255.255.0 192.168.3.11
no ip http server
no ip http secure-server
!
!
access-list 101 permit tcp any any eq telnet
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
!
end
!********************************
!*                              *
!*   R3 Final Solution Config   *
!*                              *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
enable password cisco
!
no aaa new-model
ip source-route
ip cef
no ip domain lookup
ip domain name cisco.com
ip multicast-routing
no ipv6 cef
!
crypto key generate rsa exportable label dmvpn_gdoi
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto gdoi group dmvpn_gdoi
 identity number 2
 server address ipv4 10.6.6.6
!
!
crypto map dmvpn_using_gdoi local-address Loopback0
crypto map dmvpn_using_gdoi 10 gdoi
 set group dmvpn_gdoi
!
ip tcp synwait-time 5
ip ssh version 1
!
class-map type port-filter match-all myclassmap
 match closed-ports
!
!
policy-map type port-filter mypolicymap
 class myclassmap
  drop
!
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.0
!
interface Loopback11
 ip address 10.33.33.33 255.255.255.255
!
interface Tunnel0
 ip address 172.16.1.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 2
 ip pim sparse-dense-mode
 ip nhrp authentication cisco
 ip nhrp map 172.16.1.1 10.1.1.1
 ip nhrp map multicast 10.1.1.1
 ip nhrp network-id 2
 ip nhrp nhs 172.16.1.1
 ip nhrp registration no-unique
 no ip split-horizon eigrp 2
 no ip mroute-cache
 load-interval 30
 delay 2000
 qos pre-classify
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 2
!
interface GigabitEthernet0/0
 ip address 192.168.3.3 255.255.255.0
 ip policy route-map drop4444-pbr
 crypto map dmvpn_using_gdoi
 no shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.5.3 255.255.255.0
 crypto map dmvpn_using_gdoi
 no shutdown
!
router eigrp 2
 network 10.33.33.33 0.0.0.0
 network 172.16.1.0 0.0.0.255
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.5.10
ip route 10.1.1.0 255.255.255.0 192.168.3.11
ip route 10.11.11.0 255.255.255.0 Tunnel0
ip route 10.33.33.0 255.255.255.0 Tunnel0
ip http server
no ip http secure-server
!
!
ip mroute 10.1.1.1 255.255.255.255 172.16.1.1
access-list 101 permit tcp any any eq 4444
!
!
route-map drop4444-pbr permit 10
 match ip address 101
 match length 100 100
 set interface Null0
!
route-map drop4444-pbr permit 20
!
!
control-plane host
 service-policy type port-filter input mypolicymap
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
end
!********************************
!*                              *
!*   R4 Final Solution Config   *
!*                              *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
no logging console
enable password cisco
!
no aaa new-model
ip source-route
ip cef
!
no ip domain lookup
ip domain name cisco.com
ip port-map http port tcp 8080
ip inspect max-incomplete low 200
ip inspect max-incomplete high 300
ip inspect tcp max-incomplete host 100 block-time 0
ip inspect name mycbac tcp
ip inspect name mycbac udp
ip inspect name mycbac icmp
ip inspect name mycbac http java-list 1
no ipv6 cef
!
frame-relay switching
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2L_trans esp-3des esp-sha-hmac
!
crypto ipsec profile L2L_VTI
 set transform-set L2L_trans
!
!
!
crypto ipsec client ezvpn ezvpn_dvti
 connect auto
 group cisco key cisco
 local-address Loopback0
 mode client
 no peer 192.168.4.2
 peer 10.2.2.2
 username cisco password cisco
 xauth userid mode interactive
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
 ip address 10.4.4.4 255.255.255.0
!
interface Loopback45
 ip address 45.45.4.1 255.255.255.0
!
interface Tunnel45
 ip address 100.1.1.1 255.255.255.0
 tunnel source GigabitEthernet0/1
 tunnel destination 192.168.45.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile L2L_VTI
!
interface GigabitEthernet0/0
 ip address 192.168.41.1 255.255.255.0
 ip access-group 101 in
 no ip unreachables
 ip inspect mycbac out
 crypto ipsec client ezvpn ezvpn_dvti inside
 no shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.45.4 255.255.255.0
 no ip access-group 102 in
 no shutdown
!
interface Serial0/0/0
 ip address 192.168.64.4 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-point
 no fair-queue
 clock rate 2000000
 frame-relay map ip 192.168.64.6 64 broadcast
 frame-relay intf-type dce
 crypto ipsec client ezvpn ezvpn_dvti outside
 no shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.4.4.0 0.0.0.255 area 0
 network 192.168.41.0 0.0.0.255 area 0
 network 192.168.45.0 0.0.0.255 area 0
 network 192.168.64.0 0.0.0.255 area 0
!
router rip
 version 2
 network 45.45.4.0
 network 100.0.0.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
access-list 1 permit 198.168.10.25
access-list 101 permit icmp any any
access-list 101 permit ospf any any
access-list 102 deny udp host 192.168.45.5 host 192.168.45.4 eq isakmp
access-list 102 permit ip any any
!
!
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
end
!********************************
!*                              *
!*   R5 Final Solution Config   *
!*                              *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
no logging buffered
enable password cisco
!
aaa new-model
aaa authentication login myauthen group tacacs+
aaa authentication login noauthen none
aaa authorization exec myexecauthor group tacacs+
aaa authorization commands 5 mycommandauthor group tacacs+
!
!
ip source-route
ip cef
!
!
no ip domain lookup
ip domain name cisco.com
ip multicast-routing
no ipv6 cef
!
frame-relay switching
!
!
crypto key generate rsa exportable label dmvpn_gdoi
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2L_trans esp-3des esp-sha-hmac
!
crypto ipsec profile L2L_VTI
 set transform-set L2L_trans
!
crypto gdoi group dmvpn_gdoi
 identity number 2
 server address ipv4 10.6.6.6
!
!
crypto map dmvpn_using_gdoi local-address Loopback0
crypto map dmvpn_using_gdoi 10 gdoi
 set group dmvpn_gdoi
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface Loopback0
 ip address 10.5.5.5 255.255.255.0
 no ip redirects
!
interface Loopback11
 ip address 10.55.55.55 255.255.255.255
!
interface Loopback45
 ip address 45.45.5.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.1.5 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 2
 ip pim sparse-dense-mode
 ip nhrp authentication cisco
 ip nhrp map 172.16.1.1 10.1.1.1
 ip nhrp map multicast 10.1.1.1
 ip nhrp network-id 2
 ip nhrp nhs 172.16.1.1
 ip nhrp registration no-unique
 no ip split-horizon eigrp 2
 no ip mroute-cache
 load-interval 30
 delay 2000
 qos pre-classify
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 2
!
interface Tunnel45
 ip address 100.1.1.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.45.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile L2L_VTI
!
interface GigabitEthernet0/0
 ip address 192.168.45.5 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.52.1 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.65.5 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-point
 clock rate 2000000
 frame-relay map ip 192.168.65.6 65 broadcast
 frame-relay intf-type dce
 crypto map dmvpn_using_gdoi
 no shutdown
!
router eigrp 2
 network 10.55.55.55 0.0.0.0
 network 172.16.1.0 0.0.0.255
 no auto-summary
!
router ospf 1
 log-adjacency-changes
 network 10.5.5.0 0.0.0.255 area 0
 network 192.168.45.0 0.0.0.255 area 0
 network 192.168.52.0 0.0.0.255 area 0
 network 192.168.65.0 0.0.0.255 area 0
!
router rip
 version 2
 network 45.45.5.0
 network 100.0.0.0
 no auto-summary
!
ip http server
no ip http secure-server
!
!
ip mroute 10.1.1.1 255.255.255.255 172.16.1.1
!
!
!
tacacs-server host 192.168.2.14 key cisco
!
!
privilege configure all level 5 router
privilege configure all level 5 interface
privilege configure level 15 crypto
privilege exec level 5 configure terminal
privilege exec level 5 configure
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login authentication noauthen
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 authorization commands 5 mycommandauthor
 authorization exec myexecauthor
 logging synchronous
 login authentication myauthen
 transport input telnet
!
end
!********************************
!*                              *
!*   R6 Final Solution Config   *
!*                              *
!********************************
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R6
!
enable password cisco
no aaa new-model
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name cisco.com
ip multicast-routing
no ipv6 cef
!
crypto key generate rsa exportable label dmvpn_gdoi
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set dmvpn_trans esp-3des esp-sha-hmac
 mode transport require
!
crypto ipsec profile dmvpn_using_gdoi
 set security-association lifetime seconds 36000
 set transform-set dmvpn_trans
!
crypto gdoi group dmvpn
 identity number 2
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa dmvpn_gdoi
  rekey transport unicast
  sa ipsec 1
   profile dmvpn_using_gdoi
   match address ipv4 101
   replay counter window-size 64
  address ipv4 10.6.6.6
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
class-map match-all mark23
 match protocol telnet
!
!
policy-map mark23
 class mark23
  set dscp 1
!
!
!
!
!
interface Loopback0
 ip address 10.6.6.6 255.255.255.0
 ip pim sparse-dense-mode
!
interface GigabitEthernet0/0
 ip address 192.168.6.6 255.255.255.0
 ip pim sparse-dense-mode
 no shutdown
!
interface Serial0/0/0
 ip address 192.168.64.6 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-point
 no fair-queue
 frame-relay map ip 192.168.64.4 64 broadcast
 no service-policy input mark23
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.65.6 255.255.255.0
 ip pim sparse-dense-mode
 encapsulation frame-relay
 ip ospf network point-to-point
 frame-relay map ip 192.168.65.5 65 broadcast
 service-policy input mark23
 no shutdown
!
router ospf 1
 log-adjacency-changes
 redistribute connected metric 1 subnets
 redistribute static metric 1 subnets
 network 10.6.6.0 0.0.0.255 area 0
 network 192.168.64.0 0.0.0.255 area 0
 network 192.168.65.0 0.0.0.255 area 0
!
ip route 10.1.1.0 255.255.255.0 192.168.6.10
ip route 10.2.2.0 255.255.255.0 192.168.6.10
ip route 10.3.3.0 255.255.255.0 192.168.6.11
ip route 192.168.2.0 255.255.255.0 192.168.6.10
ip route 192.168.3.0 255.255.255.0 192.168.6.10
ip route 192.168.4.0 255.255.255.0 192.168.6.10
ip route 192.168.5.0 255.255.255.0 192.168.6.11
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit gre any any
!
!
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
!
end
!********************************
!*                              *
!*   Sw1 Final Solution Config  *
!*                              *
!********************************
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Sw1
enable password cisco
!
vtp mode server
vtp domain ccie
vtp password cisco
!
!
vlan 2
vlan 3
vlan 4
vlan 5
vlan 6
vlan 7
vlan 8
vlan 10
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name cisco.com
!
!
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
!
!
ip tcp synwait-time 5
!
!
!
interface Loopback0
 ip address 10.7.7.7 255.255.255.0
!
interface FastEthernet0/1
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
!
interface FastEthernet0/4
 no switchport
 ip address 192.168.41.2 255.255.255.0
!
interface FastEthernet0/5
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 6
 switchport mode access
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
 switchport access vlan 6
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 7
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 10
 switchport mode access
 ip verify source
!
interface FastEthernet0/19
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping trust
!
interface FastEthernet0/20
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/21
!
interface FastEthernet0/22
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/23
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 10.7.7.0 0.0.0.255 area 0
 network 192.168.41.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.41.1
ip http server
ip http port 8080
ip http secure-server
!
!
ip source binding 0000.0000.0001 vlan 10 10.10.1.1 interface Fa0/18
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input telnet
line vty 5 15
 login
!
end

Sw1#show vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 15
VTP Operating Mode              : Server
VTP Domain Name                 : ccie
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x9A 0x7A 0xC6 0xAA 0x92 0x16 0xE8 0x51
Configuration last modified by 192.168.52.2 at 8-17-09 14:03:53
Local updater ID is 192.168.41.2 on interface Fa0/4 (first layer3 interface found)

Sw1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/7, Fa0/8, Fa0/9, Fa0/13
                                                Fa0/14, Fa0/21, Gi0/1, Gi0/2
2    VLAN0002                         active    Fa0/15, Fa0/20, Fa0/22, Fa0/23
3    VLAN0003                         active    Fa0/1, Fa0/2, Fa0/3
4    VLAN0004                         active    Fa0/11
5    VLAN0005                         active    Fa0/12
6    VLAN0006                         active    Fa0/6, Fa0/10
7    VLAN0007                         active    Fa0/16
8    VLAN0008                         active    Fa0/5, Fa0/17
10   VLAN0010                         active    Fa0/18, Fa0/19
101  VLAN0101                         active
102  VLAN0102                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

!********************************
!*                              *
!*   Sw2 Final Solution Config  *
!*                              *
!********************************
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Sw2
!
vtp mode server
vtp domain ccie
vtp password cisco
!
no logging console
enable password cisco
!
username cisco privilege 15 password 0 cisco
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip domain-name cisco.com
!
!
!
!
!
!
crypto key generate rsa exportable
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
ip ssh time-out 5
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
interface Loopback0
 ip address 10.8.8.8 255.255.255.0
!
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 4
 switchport mode access
 no ip access-group 101 in
!
interface FastEthernet0/3
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 7
 switchport mode access
!
interface FastEthernet0/5
 no switchport
 ip address 192.168.52.2 255.255.255.0
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
 switchport access vlan 6
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/12
 switchport access vlan 5
 switchport mode access
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 102
 switchport port-security maximum 10
 switchport port-security maximum 8 vlan access
 switchport port-security maximum 2 vlan voice
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
!
router ospf 1
 log-adjacency-changes
 network 10.8.8.0 0.0.0.255 area 0
 network 192.168.52.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.52.1
ip http server
ip http secure-server
!
!
access-list 101 deny udp any any eq isakmp
access-list 101 permit ip any any
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login local
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 password cisco
 logging synchronous
 login local
 transport input ssh
!
end

Sw2#show vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 15
VTP Operating Mode              : Server
VTP Domain Name                 : ccie
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x9A 0x7A 0xC6 0xAA 0x92 0x16 0xE8 0x51
Configuration last modified by 192.168.52.2 at 8-17-09 14:03:53
Local updater ID is 192.168.52.2 on interface Fa0/5 (first layer3 interface found)

Sw2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/21
                                                Fa0/22, Fa0/23, Gi0/1, Gi0/2
2    VLAN0002                         active    Fa0/1
3    VLAN0003                         active
4    VLAN0004                         active    Fa0/2, Fa0/11
5    VLAN0005                         active    Fa0/3, Fa0/12
6    VLAN0006                         active    Fa0/10
7    VLAN0007                         active    Fa0/4
8    VLAN0008                         active
10   VLAN0010                         active
101  VLAN0101                         active    Fa0/20
102  VLAN0102                         active    Fa0/20
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

!********************************
!*                              *
!*   ASA1 System Context        *
!*   Final Solution Configuration *
!*                              *
!********************************
mode multiple
!*****************************************************
! Convert to Multi-mode, ASA will reboot at this point
!*****************************************************
!
!
hostname ASA1
enable password cisco
mac-address auto
!
interface Ethernet0/0
 no shutdown
!
interface Ethernet0/1
 no shutdown
!
interface Ethernet0/2
 no shutdown
!
interface Ethernet0/3
 no shutdown
!
interface Management0/0
 shutdown
!
!
failover
failover lan unit primary
failover lan interface failint Ethernet0/3
failover key cisco
failover link failint Ethernet0/3
failover interface ip failint 192.168.50.10 255.255.255.0 standby 192.168.50.11
failover group 1
failover group 2
  secondary
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin
!
context c1
  allocate-interface Ethernet0/0
  allocate-interface Ethernet0/1
  config-url disk0:/c1
  join-failover-group 1
!
context c2
  allocate-interface Ethernet0/0
  allocate-interface Ethernet0/2
  config-url disk0:/c2
  join-failover-group 2
!
prompt hostname context
: end
[OK]
!********************************
!*                              *
!*   ASA1 c1 Context            *
!*   Final Solution Configuration *
!*                              *
!********************************
changeto context c1
!
hostname c1
enable password cisco
passwd cisco
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.6.10 255.255.255.0 standby 192.168.6.15
 asr-group 1
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.4.10 255.255.255.0 standby 192.168.4.15
!
regex emailaddress "joe@myemail.com"
!
time-range abc
 absolute start 21:00 01 August 2009 end 22:00 01 August 2009
!
access-list 100 extended permit icmp any any
access-list 100 extended permit udp any any eq 848
access-list 100 extended permit udp any any eq isakmp
access-list 100 extended permit esp any any
access-list 100 extended permit tcp host 10.5.5.5 host 10.1.1.1 eq telnet
access-list 100 extended permit tcp host 192.168.65.5 host 192.168.2.14 eq tacacs
access-list 100 extended permit tcp any any eq telnet
access-list policyNAT extended permit ip host 10.1.1.1 host 10.4.4.4
access-list 101 extended permit ip host 10.2.2.2 host 10.6.6.6 time-range abc
access-list 101 extended deny ip host 10.2.2.2 host 10.6.6.6
access-list 101 extended permit ip any any
access-list telnet extended permit tcp host 10.5.5.5 host 10.1.1.1 eq telnet
static (inside,outside) 192.168.6.61 access-list policyNAT
access-group 100 in interface outside
access-group 101 out interface outside
route outside 0.0.0.0 0.0.0.0 192.168.6.6 1
route inside 10.1.1.0 255.255.255.0 192.168.4.2 1
route inside 10.2.2.0 255.255.255.0 192.168.4.2 1
route inside 192.168.2.0 255.255.255.0 192.168.4.2 1
route inside 192.168.3.0 255.255.255.0 192.168.4.2 1
aaa-server myACSserver protocol tacacs+
 max-failed-attempts 2
aaa-server myACSserver (inside) host 192.168.2.14
 key cisco
aaa authentication match telnet outside myACSserver
aaa authorization match telnet outside myACSserver
!
class-map webport
 match port tcp eq www
!
policy-map type inspect esmtp blockBADemail
 parameters
  special-character action drop-connection
 match sender-address regex emailaddress
  drop-connection
 match header to-fields count gt 5
  drop-connection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect esmtp blockBADemail
policy-map embryonic_attack_protection
 class webport
  set connection embryonic-conn-max 100 per-client-embryonic-max 100
!
service-policy global_policy global
service-policy embryonic_attack_protection interface outside
: end
[OK]
!********************************
!*                              *
!*   ASA1 c2 Context            *
!*   Final Solution Configuration *
!*                              *
!********************************
changeto context c2
!
hostname c2
domain-name cisco.com
enable password cisco
passwd cisco
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.6.11 255.255.255.0 standby 192.168.6.15
 asr-group 1
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.5.10 255.255.255.0 standby 192.168.5.15
!
access-list 100 extended permit icmp any any
access-list 100 extended permit ip any any
nat-control
global (outside) 1 192.168.6.150-192.168.6.155
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.3.3.3 10.3.3.3 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.6.6 1
route inside 10.1.1.0 255.255.255.0 192.168.5.3 1
route inside 10.3.3.0 255.255.255.0 192.168.5.3 1
!
: end
[OK]
!********************************
!*                              *
!*   ASA2 Final Solution Config *
!*                              *
!********************************
mode multiple
!*****************************************************
! Convert to Multi-mode, ASA will reboot at this point
!*****************************************************
!
!
interface Ethernet0/3
 no shutdown
!
failover
failover lan unit secondary
failover lan interface failint Ethernet0/3
failover key cisco
failover link failint Ethernet0/3
failover interface ip failint 192.168.50.10 255.255.255.0 standby 192.168.50.11
failover group 1
failover group 2
  secondary
!********************************
!*                              *
!*   IPS Final Solution Config  *
!*                              *
!********************************
service interface
 physical-interfaces GigabitEthernet0/0
  admin-state enabled
 exit
 physical-interfaces GigabitEthernet0/1
  admin-state enabled
 exit
 inline-interfaces mypair
  interface1 GigabitEthernet0/0
  interface2 GigabitEthernet0/1
 exit
exit
!
------------------------------
service host
 network-settings
  host-ip 192.168.2.12/24,192.168.2.11
  host-name IPS
  telnet-option enabled
  access-list 192.168.2.0/24
 exit
exit
!
------------------------------
service signature-definition sig0
 signatures 2000 0
  alert-severity medium
  engine atomic-ip
   event-action produce-alert
  exit
  status
   enabled true
  exit
 exit
 signatures 2004 0
  alert-severity medium
  engine atomic-ip
   event-action produce-alert
  exit
  status
   enabled true
  exit
 exit
 signatures 65000 0
  sig-description
   sig-name Large ICMP attack
  exit
  engine atomic-ip
   event-action produce-alert
   specify-l4-protocol yes
    l4-protocol icmp
    exit
   exit
   specify-ip-payload-length yes
    ip-payload-length 5000-6000
   exit
   specify-ip-addr-options yes
    ip-addr-options rfc-1918-address
   exit
  exit
 exit
exit
!
------------------------------
service analysis-engine
 virtual-sensor vs0
  logical-interface mypair
  inline-TCP-evasion-protection-mode strict
 exit
exit