FREE CCNA Lab: CCNA Security – Sirius Cybernetics Part 2 – ASA Basic settings Labs – FreeLabFriday
Sirius Cybernetics Corporation have replaced the original Branch Router with an ASA 5505 Security Appliance. Scheduled downtime for the installation of the ASA 5505 was signed off, and the ASA was installed late on Friday evening after all employees had left for the weekend. It is now Saturday morning, you are the Security Engineer on duty today, and you are currently travelling to site.
The Senior Network Engineer has left an updated Network Diagram of the new setup. On arrival, you have a number of tasks to complete to ensure a functioning network is restored and that the following criteria have been met for the configuration of the ASA:
1. A hostname of Branch-ASA
2. Domain name of SiriusCybernetics.com
3. An encrypted privileged EXEC (enable) password of secret123
4. Set the correct date and time for certificates and logging
5. Configure 3 interfaces:
        VLAN   IP Address       Mask   Name      Security Level
   i.   1      10.1.1.1         /24    inside    100
   ii.  2      126.96.36.199    /27    outside   0
   iii. 3      192.168.1.1      /24    dmz       50
Disable forwarding of traffic from the DMZ network to VLAN1.
6. Configure a static default route pointing to the next hop IP address on the ISP Router.
7. Configure the ASA to provide Network Address Translation overloading on the outside interface using Object-based NAT. The object should be named inside-network. The Inside interface network should be translated. Ensure the entire subnet is referenced for the inside network.
8. Create the default policy map to allow all traffic initiated from the inside interface to the outside resources to be inspected. When the policy is correctly configured, modify the policy-map to allow ICMP, HTTP and DNS traffic to be inspected. Apply the global policy.
9. Configure the ASA to use the local database for authentication. The user to be authenticated must be admin with a password of cisco. SSH user authentication should be via the local database for remote access connections.
10. PC1 and the ISP Router outside interface should be configured as the only entities allowed for secure remote access. Set the SSH timeout to 12 minutes.
11. Configure the ASA to provide DHCP addresses for the Inside clients PC2, PC3 and PC4. Addresses leased should be in the range 10.1.1.5 – 10.1.1.15. DNS services should be provided by the ISP Public DNS server.
12. Configure the ASA to perform a static NAT using the highest available IP address from the allocated public range assigned by the ISP to the dmz WWW Server (192.168.1.3). This should be accomplished by Object-based NAT once more – the named object should be DMZ-SERVER.
Configure a named access-list OUTSIDE-DMZ to permit icmp from the outside to the dmz server only and secure web traffic to the dmz server only. Apply the access-list appropriately to the outside interface.
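The twelve requirements above, as one ASA 8.3+ CLI configuration. This is an added worked example, not part of the original lab or its answer key. Values the lab does not state (ISP next hop, the highest public address, PC1's address, the ISP router's outside address, the ISP DNS server, the current time) are angle-bracket placeholders, and the Ethernet0/x switchport-to-VLAN assignments are left out.

```cisco
hostname Branch-ASA
domain-name SiriusCybernetics.com
enable password secret123
! Placeholder date/time; set the real current time on site.
clock set 09:00:00 Jan 1 2022
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 126.96.36.199 255.255.255.224
interface Vlan3
! On the 5505 base license this must be entered before nameif.
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 <ISP_NEXT_HOP>
object network inside-network
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ-SERVER
 host 192.168.1.3
 nat (dmz,outside) static <HIGHEST_PUBLIC_IP>
! From 8.3 onward the ACL matches the real (untranslated) DMZ address.
access-list OUTSIDE-DMZ extended permit icmp any object DMZ-SERVER
access-list OUTSIDE-DMZ extended permit tcp any object DMZ-SERVER eq https
access-group OUTSIDE-DMZ in interface outside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect http
  inspect dns
service-policy global_policy global
username admin password cisco
aaa authentication ssh console LOCAL
ssh <PC1_IP> 255.255.255.255 inside
ssh <ISP_OUTSIDE_IP> 255.255.255.255 outside
ssh timeout 12
dhcpd address 10.1.1.5-10.1.1.15 inside
dhcpd dns <ISP_DNS_IP>
dhcpd enable inside
```

Verify with show nat, show access-list OUTSIDE-DMZ and show service-policy: the dynamic and static translations should both show hit counts once the connectivity tests run, and the ACL hit counters confirm only ICMP and HTTPS reach the DMZ server from outside.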
There are built-in connectivity tests to gain extra points in this assessment. If the connectivity tests do not complete, however, you will not receive the 100% score. You will be able to Check Results for your score and use this as hints and tips as to what to check to get the 100% score. Good luck everyone.
Get more at http://davidbombal.com