
ISCW LAB P1

Jun 04, 2018


Brian Vu

8/13/2019 UTF-8''ISCW LAB P1

http://slidepdf.com/reader/full/utf-8iscw-lab-p1 1/145

ISCW Lab Book: hands-on practice material for students

VSIC Education Corporation

ISCW LAB

Table of Contents

Lab 3.1 Configuring SDM on a Router
Lab 3.2 Configuring a Basic GRE Tunnel
Lab 3.3 Configuring Wireshark and SPAN
Lab 3.4 Configuring Site-to-Site IPsec VPNs with SDM
Lab 3.5 Configuring Site-to-Site IPsec VPNs with the IOS CLI
Lab 3.6 Configuring a Secure GRE Tunnel with SDM
Lab 3.7 Configuring a Secure GRE Tunnel with the IOS CLI
Lab 3.8 Configuring IPsec VTIs
Lab 3.9 Configuring Easy VPN with SDM
Lab 3.10 Configuring Easy VPN with the IOS CLI
Lab 4.1 Configuring Frame Mode MPLS
Lab 5.1 Using SDM One-Step Lockdown
Lab 5.2 Securing a Router with Cisco AutoSecure
Lab 5.3 Disabling Unneeded Services
Lab 5.4 Enhancing Router Security
Lab 5.5 Configuring Logging
Lab 5.6a Configuring AAA and TACACS+
Lab 5.6b Configuring AAA and RADIUS
Lab 5.6c Configuring AAA Using Local Authentication
Lab 5.7 Configuring Role-Based CLI Views
Lab 5.8 Configuring NTP
Lab 6.1 Configuring a Cisco IOS Firewall Using SDM
Lab 6.2 Configuring CBAC
Lab 6.3 Configuring IPS with SDM
Lab 6.4 Configuring IPS with CLI


Lab 3.1 Configuring SDM on a Router 

1. OBJECTIVES:
- Prepare the router for SDM installation
- Install SDM on the PC
- Install SDM on the router

2. CONFIGURATION:

Step 1: Erase the old configuration on the router and the switch. Reload the devices.

Step 2: Configure the router to support SDM:

R1(config)# username ciscosdm privilege 15 password 0 ciscosdm
R1(config)# ip http server
R1(config)# ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*Jan 14 20:19:45.310: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Jan 14 20:19:46.406: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
R1(config)# ip http authentication local
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input telnet ssh

Step 3: Assign IP addresses as shown in the figure:

Assign the router's IP address:

R1(config)# interface fastethernet0/0
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# no shutdown

Assign the PC's IP address:


C:\Documents and Settings\Administrator> ping 192.168.10.1
Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.10.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

Step 4: Extract SDM on the PC:


Step 5: Install SDM on the PC: select setup.exe


Step 6: Run SDM on the PC:


Step 7: Install SDM on the router:


Jan 14 16:15:26.367: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:15:30.943: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:15:36.227: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:15:39.211: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:15:44.583: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)


Jan 14 16:19:40.795: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:19:43.855: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:19:49.483: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:25:57.823: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:26:02.331: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:27:42.279: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:27:46.767: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:28:11.403: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:28:15.795: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)
Jan 14 16:29:04.391: %SYS-5-CONFIG_I: Configured from console by ciscosdm on vty0 (192.168.10.50)

R1# show flash:
CompactFlash directory:
File Length Name/status
1 38523272 c2800nm-advipservicesk9-mz.124-9.T1.bin
2 1038 home.shtml
3 1823 sdmconfig-2811.cfg
4 102400 home.tar
5 491213 128MB.sdf
6 1053184 common.tar
7 4753408 sdm.tar
8 1684577 securedesktop-ios-3.1.1.27-k9.pkg
9 398305 sslclient-win-1.1.0.154.pkg
10 839680 es.tar
[47849552 bytes used, 16375724 available, 64225276 total]
62720K bytes of ATA CompactFlash (Read/Write)

Step 8: Run SDM on the router:


Step 9: Monitor the interfaces in SDM:


Lab 3.2 Configuring a Basic GRE Tunnel 

1. OBJECTIVES:
- Configure a GRE tunnel
- Configure EIGRP on the routers
- Configure and verify routing over the GRE tunnel

2. CONFIGURATION:

Step 1: Configure IP addresses as shown in the figure:

R1(config)# interface loopback 0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface serial 0/0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config-if)# clockrate 64000
R1(config-if)# no shutdown

R2(config)# interface serial 0/0/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial 0/0/1
R2(config-if)# ip address 192.168.23.2 255.255.255.0
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown

R3(config)# interface loopback 0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial 0/0/1
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config-if)# no shutdown

Configure EIGRP AS 1:

R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 192.168.12.0

R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0

R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 192.168.23.0

Step 3: Configure the GRE tunnel:

R1(config)# int tunnel0
R1(config-if)# tunnel source serial0/0/0
R1(config-if)# tunnel destination 192.168.23.3
R1(config-if)# ip address 172.16.13.1 255.255.255.0

R3(config)# int tunnel0
R3(config-if)# tunnel source serial0/0/1
R3(config-if)# tunnel destination 192.168.12.1
R3(config-if)# ip address 172.16.13.3 255.255.255.0

Step 4: Configure routing with EIGRP over the tunnel:

R1(config)# router eigrp 2
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0

R3(config)# router eigrp 2
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0


Final Configurations

R1# show run
hostname R1
!
interface Tunnel0
 ip address 172.16.13.1 255.255.255.0
 tunnel source Serial0/0/0
 tunnel destination 192.168.23.3
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/0/0
 ip address 192.168.12.1 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 no auto-summary
!
router eigrp 2
 network 172.16.0.0
 no auto-summary
!
end

R2# show run
hostname R2
!
interface Serial0/0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 network 192.168.23.0
 no auto-summary
!
end

R3# show run
hostname R3
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.13.3 255.255.255.0
 tunnel source Serial0/0/1
 tunnel destination 192.168.12.1
!
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 no shutdown
!
router eigrp 1
 network 192.168.23.0
 no auto-summary
!
router eigrp 2
 network 172.16.0.0
 no auto-summary
!
end


Lab 3.3 Configuring Wireshark and SPAN

1. OBJECTIVES:
- Install Wireshark on the PC
- Configure SPAN on the switch

2. CONFIGURATION:

Step 1: Configure the router:

R1(config)# interface fastethernet0/0
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# router eigrp 1
R1(config-router)# network 192.168.10.0

Step 2: Install Wireshark on the PC.

Step 3: Configure SPAN on the switch:

ALS1(config)# monitor session 1 source interface fastethernet0/1
ALS1(config)# monitor session 1 destination interface fastethernet0/6

Step 4: Sniff packets using Wireshark:


Final Configurations

R1# show run
!
hostname R1
!
interface fastethernet0/0
 ip address 192.168.10.1 255.255.255.0
!
router eigrp 1
 network 192.168.10.0
!
end

ALS1# show run
!
hostname ALS1
!
monitor session 1 source interface fastethernet0/1
monitor session 1 destination interface fastethernet0/6
!
end


Lab 3.4 Configuring Site-to-Site IPsec VPNs with SDM 

1. OBJECTIVES:
- Configure EIGRP on the routers
- Use SDM to configure a site-to-site IPsec VPN
- Verify IPsec operation

2. CONFIGURATION:

Step 1: Configure IP addresses as shown in the figure:

R1(config)# interface loopback0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface fastethernet0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config-if)# no shutdown

R2(config)# interface fastethernet0/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial0/0/1
R2(config-if)# ip address 192.168.23.2 255.255.255.0
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown

R3(config)# interface loopback0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial0/0/1
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config-if)# no shutdown

Step 2: Configure EIGRP:

R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0
R1(config-router)# network 192.168.12.0

R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0

R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0
R3(config-router)# network 192.168.23.0

Step 3: Connect to the router using SDM:

Step 4: Configure the site-to-site IPsec VPN:


Step 5: Create the Generate Mirror... configuration on R3:


R3# configure terminal
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr aes 256
R3(config-isakmp)# hash md5
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 28800
R3(config-isakmp)# exit
R3(config)# crypto isakmp policy 1
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr 3des
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 2
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit
R3(config)# crypto isakmp key cisco address 192.168.12.1
R3(config)# crypto ipsec transform-set cisco_lab_transform esp-sha-hmac esp-aes 256
R3(cfg-crypto-trans)# mode tunnel
R3(cfg-crypto-trans)# exit
R3(config)# ip access-list extended SDM_1
R3(config-ext-nacl)# remark SDM_ACL Category=4
R3(config-ext-nacl)# remark IPsec Rule
R3(config-ext-nacl)# permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
R3(config-ext-nacl)# exit
R3(config)# crypto map SDM_CMAP_1 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R3(config-crypto-map)# description Apply the crypto map on the peer router's interface having IP address 192.168.23.3 that connects to this router.
R3(config-crypto-map)# set transform-set cisco_lab_transform
R3(config-crypto-map)# set peer 192.168.12.1
R3(config-crypto-map)# match address SDM_1
R3(config-crypto-map)# set security-association lifetime seconds 3600
R3(config-crypto-map)# set security-association lifetime kilobytes 4608000
R3(config-crypto-map)# exit
R3(config)# interface serial 0/0/1
R3(config-if)# crypto map SDM_CMAP_1
*Jan 15 22:00:38.184: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 6: Verify the VPN using SDM:


Step 7: Verify the VPN configuration using the CLI:


Final Configurations

R1# show run
!
hostname R1
!
crypto pki trustpoint TP-self-signed-1455051929
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1455051929
 revocation-check none
 rsakeypair TP-self-signed-1455051929
!
crypto pki certificate chain TP-self-signed-1455051929
 certificate self-signed 01
<OUTPUT OMITTED>
 8EAF0758 8E56E4F8 68C2872C 1BA64531 80ED01B7 84EB790C 43312206 575C
 quit
username ciscosdm privilege 15 password 0 ciscosdm
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec transform-set cisco_lab_transform esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to192.168.23.3
 set peer 192.168.23.3
 set transform-set cisco_lab_transform
 match address 101
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map SDM_CMAP_1
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 network 192.168.12.0
 no auto-summary
!
!
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPsec Rule
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPsec Rule
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
!
line vty 0 4
 login local
 transport input telnet ssh
!
end

R2# show run
!
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 network 192.168.23.0
 no auto-summary
!
end

R3# show run
!
hostname R3
!
enable secret 5 $1$gJqP$HsL/xMjpFvacHs7bWGvIK.
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key cisco address 192.168.12.1
!
crypto ipsec transform-set cisco_lab_transform esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description # Apply the crypto map on the peer router's interface having IP address 192.168.23.3 that connects to this router.
 set peer 192.168.12.1
 set transform-set cisco_lab_transform
 match address SDM_1
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 crypto map SDM_CMAP_1
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 network 192.168.23.0
 no auto-summary
!
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 remark IPsec Rule
 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
!
line vty 0 4
 password cisco
 login
!
end
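The following Python script is an added example, not part of the lab book. It reads the IPsec-relevant lines of the R1 and R3 final configurations above (re-typed inline) and checks what the two ends of the site-to-site tunnel must agree on: a common ISAKMP policy, equal pre-shared keys for each other's peer address, and mirrored crypto ACLs. The function names, the IOS 12.4 defaults table, the weak-parameter list and the simplified policy matching (lifetime not compared) are assumptions of the example.

```python
import re

# Constructed input: IPsec-relevant lines of the Lab 3.4 final configurations,
# re-typed with the one-space sub-mode indentation that "show run" prints.
IKE_BLOCK = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
"""
R1_CFG = IKE_BLOCK + """\
crypto isakmp key cisco address 192.168.23.3
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 192.168.23.3
 match address 101
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
"""
R3_CFG = IKE_BLOCK + """\
crypto isakmp key cisco address 192.168.12.1
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 192.168.12.1
 match address SDM_1
ip access-list extended SDM_1
 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
"""

# Assumption: IOS 12.4 defaults, which "show run" omits (R1 policy 1 has no hash line).
IKE_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
# Assumption: values this example reports as legacy.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
PERMIT = re.compile(r"permit ip (\S+ \S+) (\S+ \S+)$", re.I)  # network/wildcard pairs only


def parse(cfg):
    """Collect ISAKMP policies, PSKs by peer, crypto-map peer/ACL name and ACL permits."""
    out = {"policies": {}, "keys": {}, "peer": None, "acl_ref": None, "acls": {}}
    kind = name = None                      # sub-mode the indented lines belong to
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):         # a top-level command ends any sub-mode
            kind = name = None
            if m := re.match(r"crypto isakmp policy (\d+)$", line, re.I):
                kind, name = "policy", int(m[1])
                out["policies"][name] = dict(IKE_DEFAULTS)
            elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line, re.I):
                out["keys"][m[2]] = m[1]
            elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line, re.I):
                kind = "map"
            elif m := re.match(r"ip access-list extended (\S+)", line, re.I):
                kind, name = "acl", m[1]
            elif m := re.match(r"access-list (\d+) (.+)", line, re.I):
                if p := PERMIT.match(m[2]):
                    out["acls"].setdefault(m[1], []).append((p[1], p[2]))
        elif kind == "policy":
            key, _, val = line.lower().partition(" ")
            key = "encr" if key == "encryption" else key
            if key in IKE_DEFAULTS:         # lifetime is not compared in this example
                out["policies"][name][key] = val
        elif kind == "map":
            if m := re.match(r"set peer (\S+)", line, re.I):
                out["peer"] = m[1]
            elif m := re.match(r"match address (\S+)", line, re.I):
                out["acl_ref"] = m[1]
        elif kind == "acl" and (p := PERMIT.match(line)):
            out["acls"].setdefault(name, []).append((p[1], p[2]))
    return out


def negotiated_policy(initiator, responder):
    """Model: the responder takes its lowest-numbered policy that equals any proposal."""
    for num in sorted(responder["policies"]):
        if responder["policies"][num] in initiator["policies"].values():
            return num, responder["policies"][num]
    return None


def check_tunnel(a, b):
    """Compare both ends: negotiated ISAKMP policy, PSK agreement, mirrored crypto ACLs."""
    num, pol = negotiated_policy(a, b) or (None, {})
    acl_a, acl_b = a["acls"].get(a["acl_ref"], []), b["acls"].get(b["acl_ref"], [])
    key_a, key_b = a["keys"].get(a["peer"]), b["keys"].get(b["peer"])
    return {
        "isakmp_policy": num,
        "weak": [f"{k} {pol[k]}" for k in WEAK if pol.get(k) in WEAK[k]],
        "psk_match": key_a is not None and key_a == key_b,
        "acl_mirrored": bool(acl_a) and sorted(acl_a) == sorted((d, s) for s, d in acl_b),
    }


if __name__ == "__main__":
    print(check_tunnel(parse(R1_CFG), parse(R3_CFG)))
```

With both policies present on both routers, the model selects policy 1 (3DES, SHA, group 2) rather than the AES-256 policy 10, because policy 1 has the lower number and also matches.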


Lab 3.5 Configuring Site-to-Site IPsec VPNs with the IOS CLI 

1. MUÏC TIEÂU:Caáu hình EIGRP treân routerCaáu hình VPN ipsec site-to-site dung CLIKieåm tra IPSEC.

2. CAÁU HÌNH:Step 1 : caáu hình IP nhö hình veõ:

R1(config)# interface loopback0R1(config-if)# ip address 172.16.1.1 255.255.255.0R1(config-if)# interface fastethernet0/0R1(config-if)# ip address 192.168.12.1 255.255.255.0R1(config-if)# no shutdownR2(config)# interface fastethernet0/0R2(config-if)# ip address 192.168.12.2 255.255.255.0R2(config-if)# no shutdownR2(config-if)# interface serial0/0/1R2(config-if)# ip address 192.168.23.2 255.255.255.0R2(config-if)# clockrate 64000R2(config-if)# no shutdownR3(config)# interface loopback0R3(config-if)# ip address 172.16.3.1 255.255.255.0R3(config-if)# interface serial0/0/1R3(config-if)# ip address 192.168.23.3 255.255.255.0R3(config-if)# no shutdown 

Step 2: Configure EIGRP:

R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0
R1(config-router)# network 192.168.12.0

R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0

R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0
R3(config-router)# network 192.168.23.0

Step 3: Create the IKE policy:

R1(config)# crypto isakmp enable
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 3600

R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 3600

Step 4: Configure the PSK:

R1(config)# crypto isakmp key cisco address 192.168.23.3
R3(config)# crypto isakmp key cisco address 192.168.12.1

Step 5: Configure the IPsec transform set and lifetime:

R1(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
R1(cfg-crypto-trans)# exit
R1(config)#

R3(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
R3(cfg-crypto-trans)# exit
R3(config)#

R1(config)# crypto ipsec security-association lifetime seconds 1800

R3(config)# crypto ipsec security-association lifetime seconds 1800

Step 6: Define the interesting traffic:

R1(config)# access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
R3(config)# access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255

Step 7: Create and apply the crypto map:

R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# set peer 192.168.23.3
R1(config-crypto-map)# set pfs group5
R1(config-crypto-map)# set transform-set 50
R1(config-crypto-map)# set security-association lifetime seconds 900

R3(config)# crypto map MYMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# set peer 192.168.12.1
R3(config-crypto-map)# set pfs group5
R3(config-crypto-map)# set transform-set 50
R3(config-crypto-map)# set security-association lifetime seconds 900

R1(config)# interface fastethernet0/0
R1(config-if)# crypto map MYMAP
*Jan 17 04:09:09.150: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3(config)# interface serial0/0/1
R3(config-if)# crypto map MYMAP
*Jan 17 04:10:54.138: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 8: Verify that IPsec is working:


Step 9: Verify IPsec operation:


Step 10: Debug IPsec:

R1# debug crypto isakmp
Crypto ISAKMP debugging is on

R1# debug crypto ipsec
Crypto IPSEC debugging is on


R1# undebug all
All possible debugging has been turned off


Final Configurations:

R1# show run
!
hostname R1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map MYMAP
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 network 192.168.12.0
 no auto-summary
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
!
end

R2# show run
!
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 network 192.168.23.0
 no auto-summary
!
end

R3# show run
!
hostname R3
!
enable secret 5 $1$LT7i$MY2NhpGjl5uL1zNAoR2tf.
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.12.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.12.1
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 crypto map MYMAP
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 network 192.168.23.0
 no auto-summary
!
access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
!
line vty 0 4
 password cisco
 login
!
end
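The R1 and R3 configurations of Lab 3.5 only work as a pair: the IKE policy, pre-shared key and transforms must agree, each `set peer` must point at the other router, and the crypto ACLs must be mirror images. The Python check below is an added example, not part of the original lab book; its function names and the faulty `R3_BAD` variant are constructed here, and the ISAKMP defaults it fills in are an assumption about the IOS release.

```python
import re

# Phase 1 values `show run` omits because they are defaults on the classic
# IOS releases this lab targets (an assumption for any other release).
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
# Indented sub-commands worth keeping -> key they are stored under.
SUBCOMMANDS = {
    r"encr (.+)": "encr", r"hash (\S+)": "hash", r"group (\d+)": "group",
    r"authentication (\S+)": "authentication", r"set peer (\S+)": "peer",
    r"set transform-set (\S+)": "tset", r"set pfs (\S+)": "pfs",
    r"match address (\S+)": "acl", r"ip address (\S+) \S+": "ip",
    r"crypto map (\S+)": "cmap",
}

def parse(cfg):
    """Pull the IPsec-relevant statements out of `show run` text."""
    c = {"policies": {}, "keys": {}, "tsets": {}, "maps": {}, "acls": {}, "ifaces": {}}
    sect = None  # dict that receives the indented sub-commands
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():  # sub-command of the section opened above
            for pat, key in SUBCOMMANDS.items():
                if sect is not None and (m := re.fullmatch(pat, line)):
                    sect[key] = m[1]
            continue
        sect = None
        if m := re.fullmatch(r"crypto isakmp policy (\d+)", line):
            sect = c["policies"].setdefault(m[1], dict(ISAKMP_DEFAULTS))
        elif m := re.fullmatch(r"crypto isakmp key (\S+) address (\S+)", line):
            c["keys"][m[2]] = m[1]  # peer address -> pre-shared key
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            c["tsets"][m[1]] = frozenset(re.findall(r"(?:esp|ah)-\S+(?: \d+)?", m[2]))
        elif m := re.fullmatch(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            sect = c["maps"].setdefault(m[1], {})
        elif m := re.fullmatch(r"interface (\S+)", line):
            sect = c["ifaces"].setdefault(m[1], {})
        elif m := re.fullmatch(r"access-list (\d+) permit (\S+) (\S+ \S+) (\S+ \S+)", line):
            c["acls"].setdefault(m[1], set()).add((m[2], m[3], m[4]))
    return c

def applied(c):
    """(address, crypto-map entry) of the first interface with a crypto map."""
    for iface in c["ifaces"].values():
        if "cmap" in iface:
            return iface.get("ip"), c["maps"].get(iface["cmap"], {})
    return None, {}

def check_peers(cfg_a, cfg_b):
    """Return the mismatches between two peers' IPsec settings (empty = consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    (ip_a, map_a), (ip_b, map_b) = applied(a), applied(b)
    proposals = lambda c: {tuple(sorted(p.items())) for p in c["policies"].values()}
    acl_a = a["acls"].get(map_a.get("acl"), set())
    acl_b = b["acls"].get(map_b.get("acl"), set())
    ts_a, ts_b = a["tsets"].get(map_a.get("tset")), b["tsets"].get(map_b.get("tset"))
    checks = [
        (proposals(a) & proposals(b), "no ISAKMP policy agrees on encr/hash/authentication/group"),
        (ip_a and map_a.get("peer") == ip_b and map_b.get("peer") == ip_a,
         "set peer does not point at the other router's crypto-map interface"),
        (a["keys"].get(ip_b) and a["keys"].get(ip_b) == b["keys"].get(ip_a),
         "pre-shared key for the peer address is missing or differs"),
        (ts_a and ts_a == ts_b, "transform sets differ"),
        (map_a.get("pfs") == map_b.get("pfs"), "PFS group differs"),
        (acl_a and acl_a == {(p, dst, src) for p, src, dst in acl_b},
         "crypto ACLs are not mirror images"),
    ]
    return [msg for ok, msg in checks if not ok]

def lab35(local, peer, iface, lan, remote_lan):
    """Lines of the Lab 3.5 final configurations that the checker reads, per router."""
    return f"""\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address {peer}
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer {peer}
 set transform-set 50
 set pfs group5
 match address 101
interface {iface}
 ip address {local} 255.255.255.0
 crypto map MYMAP
access-list 101 permit ip {lan} 0.0.0.255 {remote_lan} 0.0.0.255
"""

R1 = lab35("192.168.12.1", "192.168.23.3", "FastEthernet0/0", "172.16.1.0", "172.16.3.0")
R3 = lab35("192.168.23.3", "192.168.12.1", "Serial0/0/1", "172.16.3.0", "172.16.1.0")
# Constructed faulty variant of R3: weaker DH group and a non-mirrored ACL.
R3_BAD = R3.replace(" group 5", " group 2").replace(
    "172.16.1.0 0.0.0.255", "172.16.0.0 0.0.255.255")

if __name__ == "__main__":
    print(check_peers(R1, R3))
    print(check_peers(R1, R3_BAD))
```

The ACL pattern also accepts the `host a.b.c.d` form, so the same check applies to the `permit gre host ...` crypto ACLs used in the GRE labs that follow.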


Lab 3.6 Configuring a Secure GRE Tunnel with SDM 

1. OBJECTIVES:
- Configure EIGRP on the routers
- Use SDM to secure a GRE tunnel

2. CONFIGURATION:
Step 1: Configure the IP addresses as shown in the diagram:

R1# configure terminal
R1(config)# interface loopback 0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface fastethernet 0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config-if)# no shutdown

R2# configure terminal
R2(config)# interface fastethernet 0/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial0/0/1
R2(config-if)# ip address 192.168.23.2 255.255.255.0
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown

R3# configure terminal
R3(config)# interface loopback 0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial0/0/1
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config-if)# no shutdown

Step 2: Configure EIGRP AS 1:

R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 192.168.12.0

R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0

R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 192.168.23.0

Step 3: Connect to the router using SDM:

Step 4: Configure the IPsec VTI using SDM:


Step 5: Generate a mirror configuration on R3:


R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr aes 256
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 28800
R3(config-isakmp)# exit
R3(config)# crypto isakmp policy 1
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encr 3des
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 2
R3(config-isakmp)# lifetime 86400
R3(config-isakmp)# exit
R3(config)# crypto isakmp key cisco address 192.168.12.1
R3(config)# crypto ipsec transform-set mytrans esp-sha-hmac esp-aes 256
R3(cfg-crypto-trans)# mode tunnel
R3(cfg-crypto-trans)# exit
R3(config)# ip access-list extended SDM_1
R3(config-ext-nacl)# remark SDM_ACL Category=4
R3(config-ext-nacl)# permit gre host 192.168.23.3 host 192.168.12.1
R3(config-ext-nacl)# exit
R3(config)# crypto map SDM_CMAP_1 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)# description Apply the crypto map on the peer router's interface having IP address 192.168.23.3 that connects to this router.
R3(config-crypto-map)# set transform-set mytrans
R3(config-crypto-map)# set peer 192.168.12.1
R3(config-crypto-map)# match address SDM_1
R3(config-crypto-map)# set security-association lifetime seconds 3600
R3(config-crypto-map)# set security-association lifetime kilobytes 4608000
R3(config-crypto-map)# exit

R1# show run interface tunnel 0
Building configuration...

Current configuration : 190 bytes
!
interface Tunnel0
 ip address 172.16.13.1 255.255.255.0
 ip mtu 1420
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
end

R3(config)# interface Tunnel 0
R3(config-if)# ip address 172.16.13.3 255.255.255.0
R3(config-if)# ip mtu 1420
R3(config-if)# tunnel source Serial0/0/1
R3(config-if)# tunnel destination 192.168.12.1
R3(config-if)# tunnel path-mtu-discovery
R3(config-if)# crypto map SDM_CMAP_1

R3(config)# interface serial 0/0/1
R3(config-if)# crypto map SDM_CMAP_1

R3(config)# router eigrp 2
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0

Step 6: Verify the tunnel configuration using SDM:


Final Configurations

R1# show run
hostname R1
!
crypto pki trustpoint TP-self-signed-1455051929
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1455051929
 revocation-check none
 rsakeypair TP-self-signed-1455051929
!
crypto pki certificate chain TP-self-signed-1455051929
 certificate self-signed 01
  quit
username ciscosdm privilege 15 password 0 ciscosdm
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key cisco address 192.168.23.3
!
!
crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to192.168.23.3
 set peer 192.168.23.3
 set transform-set mytrans
 match address 100
!
interface Tunnel0
 ip address 172.16.13.1 255.255.255.0
 ip mtu 1420
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map SDM_CMAP_1
 no shut
!
router eigrp 1
 network 192.168.12.0
 no auto-summary
!
router eigrp 2
 network 172.16.13.0 0.0.0.255
 network 172.16.0.0
 no auto-summary
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit gre host 192.168.12.1 host 192.168.23.3
!
line vty 0 4
 login local
 transport input telnet ssh
end

R2# show run
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 no shut
!
interface Serial0/0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shut
!
router eigrp 1
 network 192.168.12.0
 network 192.168.23.0
 no auto-summary
!
end

R3# show run
hostname R3
!
enable secret 5 $1$xbvr$6YNBOCZFuWyM3UTmlHK03.
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key cisco address 192.168.12.1
!
!
crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address 192.168.23.3 that connects to this router.
 set peer 192.168.12.1
 set transform-set mytrans
 match address SDM_1
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.13.3 255.255.255.0
 ip mtu 1420
 tunnel source Serial0/0/1
 tunnel destination 192.168.12.1
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 crypto map SDM_CMAP_1
 no shut
!
router eigrp 1
 network 192.168.23.0
 no auto-summary
!
router eigrp 2
 network 172.16.0.0
 no auto-summary
!
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 permit gre host 192.168.23.3 host 192.168.12.1
!
line vty 0 4
 password ccie
 login
end


Lab 3.7 Configuring a Secure GRE Tunnel with the IOS CLI 

1. OBJECTIVES:
- Configure EIGRP on the routers
- Create a GRE tunnel between the two routers
- Use IPsec to secure the GRE tunnel

2. CONFIGURATION:
Step 1: Configure the IP addresses as shown in the diagram:

R1# configure terminal
R1(config)# interface loopback0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface fastethernet0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config-if)# no shutdown

R2# configure terminal
R2(config)# interface fastethernet0/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial0/0/1
R2(config-if)# ip address 192.168.23.2 255.255.255.0
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown

R3# configure terminal
R3(config)# interface loopback0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial0/0/1
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config-if)# no shutdown

Step 2: Configure EIGRP AS 1:

R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 192.168.12.0

R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0

R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 192.168.23.0

Verify that R1 and R3 can see the remote transit network with show ip route.

Step 3: Configure the GRE tunnel:

R1(config)# interface tunnel 0
R1(config-if)# ip address 172.16.13.1 255.255.255.0
R1(config-if)# tunnel source fastethernet0/0
R1(config-if)# tunnel destination 192.168.23.3

R3(config)# interface tunnel0
R3(config-if)# ip address 172.16.13.3 255.255.255.0
R3(config-if)# tunnel source serial0/0/1
R3(config-if)# tunnel destination 192.168.12.1

Step 4: Configure EIGRP AS 2 over the tunnel interface:

R1(config)# router eigrp 2
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0

R3(config)# router eigrp 2
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0

Step 5: Configure the IKE policy and peer:

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 3600

R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 3600

Step 6: Create the PSK:

R1(config)# crypto isakmp key cisco address 192.168.23.3
R3(config)# crypto isakmp key cisco address 192.168.12.1

Step 7: Create the transform set:

R1(config)# crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac ah-sha-hmac
R1(cfg-crypto-trans)# exit
R1(config)#

R3(config)# crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac ah-sha-hmac
R3(cfg-crypto-trans)# exit
R3(config)#

Step 8: Define the traffic for IPsec:

R1(config)# access-list 101 permit gre host 192.168.12.1 host 192.168.23.3

R3(config)# access-list 101 permit gre host 192.168.23.3 host 192.168.12.1

Step 9: Create the crypto map:

R1(config)# crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# set peer 192.168.23.3
R1(config-crypto-map)# set transform-set mytrans
R1(config-crypto-map)# exit
R1(config)# interface fastethernet 0/0
R1(config-if)# crypto map mymap
*Jan 22 07:01:30.147: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3(config)# crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# set peer 192.168.12.1
R3(config-crypto-map)# set transform-set mytrans
R3(config-crypto-map)# interface serial 0/0/1
R3(config-if)# crypto map mymap
*Jan 22 07:02:47.726: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Step 10: Verify IPsec:

Final Configurations

R1# show run
!
hostname R1
!
crypto isakmp policy 10
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set mytrans
 match address 101
!
interface Tunnel0
 ip address 172.16.13.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.23.3
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 crypto map mymap
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 no auto-summary
!
router eigrp 2
 network 172.16.0.0
 no auto-summary
!
access-list 101 permit gre host 192.168.12.1 host 192.168.23.3
end

R2# show run
hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 192.168.12.0
 network 192.168.23.0
 no auto-summary
!
end

R3# show run
hostname R3
!
enable secret 5 $1$kkTj$cIYDuP2yz3vA1ARGVwxd11
!
crypto isakmp policy 10
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.12.1
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.12.1
 set transform-set mytrans
 match address 101
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.13.3 255.255.255.0
 tunnel source Serial0/0/1
 tunnel destination 192.168.12.1
!
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 crypto map mymap
 no shutdown
!
router eigrp 1
 network 192.168.23.0
 no auto-summary
!
router eigrp 2
 network 172.16.0.0
 no auto-summary
!
access-list 101 permit gre host 192.168.23.3 host 192.168.12.1
!
line vty 0 4
 password cisco
 login
end


Lab 3.8 Configuring IPsec VTIs 

1. OBJECTIVES:
- Configure EIGRP on the routers
- Configure the IPsec virtual interface
- Configure the VTI for backup

2. CONFIGURATION:
Step 1: Configure the IP addresses as shown in the diagram:

HQ# configure terminal
HQ(config)# interface loopback 0
HQ(config-if)# ip address 172.16.1.1 255.255.255.0
HQ(config-if)# interface fastethernet 0/0
HQ(config-if)# ip address 172.16.13.1 255.255.255.0
HQ(config-if)# no shutdown
HQ(config-if)# interface serial 0/0/0
HQ(config-if)# ip address 192.168.12.1 255.255.255.0
HQ(config-if)# clockrate 64000
HQ(config-if)# no shutdown

ISP# configure terminal
ISP(config)# interface serial 0/0/0
ISP(config-if)# ip address 192.168.12.2 255.255.255.0
ISP(config-if)# no shutdown
ISP(config-if)# interface serial 0/0/1
ISP(config-if)# ip address 192.168.23.2 255.255.255.0
ISP(config-if)# clockrate 64000
ISP(config-if)# no shutdown

BRANCH# configure terminal
BRANCH(config)# interface loopback 0
BRANCH(config-if)# ip address 172.16.3.1 255.255.255.0
BRANCH(config-if)# interface fastethernet 0/0
BRANCH(config-if)# ip address 172.16.13.3 255.255.255.0
BRANCH(config-if)# no shutdown
BRANCH(config-if)# interface serial 0/0/1
BRANCH(config-if)# ip address 192.168.23.3 255.255.255.0
BRANCH(config-if)# no shutdown

Step 2: Configure EIGRP AS 1:

HQ(config)# router eigrp 1
HQ(config-router)# no auto-summary
HQ(config-router)# network 172.16.0.0

BRANCH(config)# router eigrp 1
BRANCH(config-router)# no auto-summary
BRANCH(config-router)# network 172.16.0.0

Step 3: Configure static routing:

HQ(config)# ip route 0.0.0.0 0.0.0.0 192.168.12.2
BRANCH(config)# ip route 0.0.0.0 0.0.0.0 192.168.23.2


Step 4: Create the IKE policy and peers:

HQ(config)# crypto isakmp policy 10
HQ(config-isakmp)# authentication pre-share
HQ(config-isakmp)# encryption aes 256
HQ(config-isakmp)# hash sha
HQ(config-isakmp)# group 5
HQ(config-isakmp)# lifetime 3600

BRANCH(config)# crypto isakmp policy 10
BRANCH(config-isakmp)# authentication pre-share
BRANCH(config-isakmp)# encryption aes 256
BRANCH(config-isakmp)# hash sha
BRANCH(config-isakmp)# group 5
BRANCH(config-isakmp)# lifetime 3600

Step 5: Create the transform set:

HQ(config)# crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac ah-sha-hmac
HQ(cfg-crypto-trans)# exit
HQ(config)#

BRANCH(config)# crypto ipsec transform-set mytrans esp-aes 256 esp-sha-hmac ah-sha-hmac
BRANCH(cfg-crypto-trans)# exit
BRANCH(config)#

Step 6: Create the IPsec profile:

HQ(config)# crypto ipsec profile myprof
HQ(ipsec-profile)# set transform-set mytrans

BRANCH(config)# crypto ipsec profile myprof
BRANCH(ipsec-profile)# set transform-set mytrans


Step 7: Create the IPsec VTI:

HQ(config)# interface tunnel 0
HQ(config-if)# ip address 172.16.113.1 255.255.255.0
HQ(config-if)# tunnel source serial 0/0/0
HQ(config-if)# tunnel destination 192.168.23.3
HQ(config-if)# tunnel mode ipsec ipv4
HQ(config-if)# tunnel protection ipsec profile myprof

BRANCH(config)# interface tunnel 0
BRANCH(config-if)# ip address 172.16.113.3 255.255.255.0
BRANCH(config-if)# tunnel source serial 0/0/1
BRANCH(config-if)# tunnel destination 192.168.12.1
BRANCH(config-if)# tunnel mode ipsec ipv4
BRANCH(config-if)# tunnel protection ipsec profile myprof


Step 8: Verify EIGRP:


Final Configurations

HQ# show run
!
hostname HQ
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile myprof
 set transform-set mytrans
!
interface Tunnel0
 ip address 172.16.113.1 255.255.255.0
 tunnel source Serial0/0/0
 tunnel destination 192.168.23.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile myprof
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.13.1 255.255.255.0
 no shutdown
!
interface Serial0/0/0
 ip address 192.168.12.1 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.12.2
!
end

ISP# show run
!
hostname ISP
!
interface Serial0/0/0
 ip address 192.168.12.2 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
end

BRANCH# show run
hostname BRANCH
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.12.1
!
crypto ipsec transform-set mytrans ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile myprof
 set transform-set mytrans
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Tunnel0
 ip address 172.16.113.3 255.255.255.0
 tunnel source Serial0/0/1
 tunnel destination 192.168.12.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile myprof
!
interface FastEthernet0/0
 ip address 172.16.13.3 255.255.255.0
 no shutdown
!
interface Serial0/0/1
 ip address 192.168.23.3 255.255.255.0
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 192.168.23.2
!
end


Lab 3.9 Configuring Easy VPN with SDM 

1. OBJECTIVES:
Configure EIGRP on the routers.
Configure Easy VPN using SDM.
Install Cisco VPN Client on the PC.
Verify VPN operation using SDM.

2. CONFIGURATION:
Step 1: Configure IP addresses:

ISP# configure terminal
ISP(config)# interface fastethernet0/0
ISP(config-if)# ip address 192.168.10.1 255.255.255.0
ISP(config-if)# no shutdown
ISP(config-if)# interface serial 0/0/0
ISP(config-if)# ip address 192.168.12.1 255.255.255.0
ISP(config-if)# clockrate 64000
ISP(config-if)# no shutdown

HQ# configure terminal
HQ(config)# interface loopback 0
HQ(config-if)# ip address 172.16.2.1 255.255.255.0
HQ(config-if)# interface serial0/0/0
HQ(config-if)# ip address 192.168.12.2 255.255.255.0
HQ(config-if)# no shutdown
HQ(config-if)# interface serial 0/0/1
HQ(config-if)# ip address 172.16.23.2 255.255.255.0
HQ(config-if)# clockrate 64000
HQ(config-if)# no shutdown

HQ2# configure terminal
HQ2(config)# interface loopback 0
HQ2(config-if)# ip address 172.16.3.1 255.255.255.0
HQ2(config-if)# interface serial 0/0/1


HQ2(config-if)# ip address 172.16.23.3 255.255.255.0
HQ2(config-if)# no shutdown

Step 2: Configure EIGRP AS 1:

HQ(config)# router eigrp 1
HQ(config-router)# no auto-summary
HQ(config-router)# network 172.16.0.0

HQ2(config)# router eigrp 1
HQ2(config-router)# no auto-summary
HQ2(config-router)# network 172.16.0.0

Step 3: Configure a static default route:

HQ(config)# ip route 0.0.0.0 0.0.0.0 192.168.12.1
HQ(config)# router eigrp 1
HQ(config-router)# redistribute static

Step 4: Connect to the HQ router using SDM:

Step 5: Configure the Easy VPN Server using SDM.


Step 6: Install Cisco VPN Client.

Step 7: Test the client's connectivity before the VPN connection is established.


Step 8: Connect using the VPN Client:


Step 9: Test connectivity after the VPN connection succeeds:

Step 10: Verify Easy VPN using SDM:


Step 11: Disconnect the VPN Client:

Final Configurations

ISP# show run
hostname ISP
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
interface Serial0/0/0
 ip address 192.168.12.1 255.255.255.0
 clock rate 64000
 no shutdown


end

HQ# show run
hostname HQ
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3043721146
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3043721146
 revocation-check none
 rsakeypair TP-self-signed-3043721146
!
crypto pki certificate chain TP-self-signed-3043721146
 certificate self-signed 01
  quit
username ciscosdm privilege 15 password 0 ciscosdm
username ciscouser password 0 ciscouser
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ciscogroup
 key ciscogroup
 pool SDM_POOL_1
 acl 100
 netmask 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 28800
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface Serial0/0/0
 ip address 192.168.12.2 255.255.255.0
 crypto map SDM_CMAP_1
 no shutdown
!


interface Serial0/0/1
 ip address 172.16.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 redistribute static
 network 172.16.0.0
 no auto-summary
!
ip local pool SDM_POOL_1 172.16.1.100 172.16.1.200
ip route 0.0.0.0 0.0.0.0 192.168.12.1
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
!
line vty 0 4
 transport input telnet ssh
end

HQ2# show run
hostname HQ2
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0/1
 ip address 172.16.23.3 255.255.255.0
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
end


Lab 3.10 Configuring Easy VPN with the IOS CLI 

1. OBJECTIVES:
Configure EIGRP on the routers.
Configure the Easy VPN Server.
Install the VPN client on the PC.
Establish a VPN connection between the VPN client and the VPN server.
Verify VPN operation.

2. CONFIGURATION:
Step 1: Configure IP addresses:

ISP# configure terminal
ISP(config)# interface fastethernet 0/0
ISP(config-if)# ip address 192.168.10.1 255.255.255.0
ISP(config-if)# no shutdown
ISP(config-if)# interface serial 0/0/0
ISP(config-if)# ip address 192.168.12.1 255.255.255.0
ISP(config-if)# clockrate 64000
ISP(config-if)# no shutdown

HQ# configure terminal
HQ(config)# interface loopback 0
HQ(config-if)# ip address 172.16.2.1 255.255.255.0
HQ(config-if)# interface serial0/0/0
HQ(config-if)# ip address 192.168.12.2 255.255.255.0
HQ(config-if)# no shutdown
HQ(config-if)# interface serial 0/0/1
HQ(config-if)# ip address 172.16.23.2 255.255.255.0
HQ(config-if)# clockrate 64000
HQ(config-if)# no shutdown

HQ2# configure terminal


HQ2(config)# interface loopback 0
HQ2(config-if)# ip address 172.16.3.1 255.255.255.0
HQ2(config-if)# interface serial 0/0/1
HQ2(config-if)# ip address 172.16.23.3 255.255.255.0
HQ2(config-if)# no shutdown

Step 2: Configure EIGRP AS 1:

HQ(config)# router eigrp 1
HQ(config-router)# no auto-summary
HQ(config-router)# network 172.16.0.0

HQ2(config)# router eigrp 1
HQ2(config-router)# no auto-summary
HQ2(config-router)# network 172.16.0.0

Step 3: Configure a static route:

HQ(config)# ip route 0.0.0.0 0.0.0.0 192.168.12.1
HQ(config)# router eigrp 1
HQ(config-router)# redistribute static

Step 4: Enable AAA on the HQ router:

HQ(config)# username cisco password cisco
HQ(config)# aaa new-model
HQ(config)# aaa authentication login default local none

Step 5: Create the IP pool:

HQ(config)# ip local pool VPNCLIENTS 172.16.2.100 172.16.2.200

Step 6: Configure group authorization:

HQ(config)# aaa authorization network VPNAUTH local

Step 7: Create the IKE policy and group:

HQ(config)# crypto isakmp policy 10
HQ(config-isakmp)# authentication pre-share
HQ(config-isakmp)# encryption aes 256
HQ(config-isakmp)# group 2

HQ(config)# crypto isakmp client configuration group ciscogroup
HQ(config-isakmp-group)# key ciscogroup
HQ(config-isakmp-group)# pool VPNCLIENTS
HQ(config-isakmp-group)# acl 100
HQ(config-isakmp-group)# netmask 255.255.255.0
HQ(config)# access-list 100 permit ip 172.16.0.0 0.0.255.255 any

Step 9: Create the dynamic map:

HQ(config)# crypto dynamic-map mymap 10
HQ(config-crypto-map)# set transform-set mytrans
HQ(config-crypto-map)# reverse-route

HQ(config)# crypto map mymap client configuration address respond
HQ(config)# crypto map mymap isakmp authorization list VPNAUTH
HQ(config)# crypto map mymap 10 ipsec-isakmp dynamic mymap
HQ(config)# int serial0/0/0


HQ(config-if)# crypto map mymap

Step 10: Enable IKE DPD and user authentication:

HQ(config)# crypto isakmp keepalive 30 5

HQ(config)# aaa authentication login VPNAUTH local

HQ(config)# username ciscouser password ciscouser

HQ(config)# crypto isakmp xauth timeout 60
HQ(config)# crypto map mymap client authentication list VPNAUTH

Step 11: Install the VPN Client:

Step 12: Test connectivity before the VPN connection is established:

Step 13: Create the VPN connection:


Step 14: Test connectivity to the internal hosts:

Step 15: Verify VPN operation using the CLI:


Final Configurations

ISP# show run
hostname ISP
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown


!
interface Serial0/0/0
 ip address 192.168.12.1 255.255.255.0
 clock rate 64000
 no shutdown
end

HQ# show run
hostname HQ
!
aaa new-model
!
aaa authentication login default local none
aaa authentication login VPNAUTH local
aaa authorization network VPNAUTH local
!
username cisco password 0 cisco
username ciscouser password 0 ciscouser
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 30 5
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group ciscogroup
 key ciscogroup
 pool VPNCLIENTS
 acl 100
 netmask 255.255.255.0
!
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
!
crypto dynamic-map mymap 10
 set transform-set mytrans
 reverse-route
!
crypto map mymap client authentication list VPNAUTH
crypto map mymap isakmp authorization list VPNAUTH
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic mymap
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface Serial0/0/0
 ip address 192.168.12.2 255.255.255.0
 crypto map mymap
 no shutdown
!
interface Serial0/0/1
 ip address 172.16.23.2 255.255.255.0
 clock rate 64000
 no shutdown
!
router eigrp 1
 redistribute static
 network 172.16.0.0
 no auto-summary
!
ip local pool VPNCLIENTS 172.16.2.100 172.16.2.200
ip route 0.0.0.0 0.0.0.0 192.168.12.1
!
access-list 100 permit ip 172.16.0.0 0.0.255.255 any
end

HQ2# show run
hostname HQ2
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0/1
 ip address 172.16.23.3 255.255.255.0
 no shutdown


!
router eigrp 1
 network 172.16.0.0
 no auto-summary
end
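The following Python check is an added example, not part of the lab book: it audits an excerpt of the Lab 3.10 HQ final configuration (the same rules apply to the SDM-generated HQ configuration in Lab 3.9) and reports the lab-grade settings that should be changed before the configuration is reused outside a lab. The rule names, the `audit` function and the choice of which settings to flag are assumptions of this example.

```python
import re

# Excerpt of the HQ final configuration from Lab 3.10, one command per line.
HQ_CONFIG = """\
aaa authentication login default local none
aaa authentication login VPNAUTH local
username cisco password 0 cisco
username ciscouser password 0 ciscouser
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration group ciscogroup
 key ciscogroup
 pool VPNCLIENTS
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
"""

WEAK_DH = {"1", "2", "5"}  # MODP groups of 1536 bits or fewer


def audit(config):
    """Return a sorted list of (rule, detail) findings for an IOS config."""
    findings = set()
    section = ""  # most recent top-level (unindented) command
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            section = line
        words = line.split()
        # Type 0 passwords are stored and displayed in clear text.
        m = re.match(r"username (\S+) password 0 (\S+)", line)
        if m:
            findings.add(("cleartext-password", m.group(1)))
            if m.group(1) == m.group(2):
                findings.add(("password-equals-username", m.group(1)))
        # A trailing "none" method ends the list with no authentication.
        if line.startswith("aaa authentication login") and words[-1] == "none":
            findings.add(("aaa-fallback-none", words[3]))
        # Sub-commands only count inside the section they belong to.
        if section.startswith("crypto isakmp policy"):
            if words[0] == "group" and words[-1] in WEAK_DH:
                findings.add(("weak-dh-group", words[-1]))
            if words == ["encr", "3des"]:
                findings.add(("3des", section))
        if section.startswith("crypto isakmp client configuration group"):
            if words[0] == "key" and words[-1] == section.split()[-1]:
                findings.add(("group-key-equals-group-name", words[-1]))
        if line.startswith("crypto ipsec transform-set") and "esp-3des" in words:
            findings.add(("3des", words[3]))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in audit(HQ_CONFIG):
        print(f"{rule}: {detail}")
```

Typical fixes are `username ... secret` instead of `password`, removing `none` from the login method list, a larger DH group where the IOS release supports one, and an AES transform set such as the `esp-aes 256` used in Lab 3.8.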


Lab 4.1 Configuring Frame Mode MPLS 

1. OBJECTIVES:
Configure EIGRP on the routers.
Configure LDP on the routers.
Change the MTU size.
Verify MPLS.

2. CONFIGURATION:
Step 1: Configure IP addresses as shown in the diagram:

R1(config)# interface loopback 0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface fastethernet 0/0
R1(config-if)# ip address 172.16.12.1 255.255.255.0
R1(config-if)# no shutdown

R2(config)# interface loopback 0
R2(config-if)# ip address 172.16.2.1 255.255.255.0
R2(config-if)# interface fastethernet 0/0
R2(config-if)# ip address 172.16.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial 0/0/1
R2(config-if)# ip address 172.16.23.2 255.255.255.0
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown

R3(config)# interface loopback 0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial 0/0/1
R3(config-if)# ip address 172.16.23.3 255.255.255.0
R3(config-if)# no shutdown

Step 2: Configure EIGRP AS 1:

R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0

R2(config)# router eigrp 1
R2(config-router)# no auto-summary


R2(config-router)# network 172.16.0.0

R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0

Step 3: Verify CEF operation:


Step 4: Enable MPLS on all physical interfaces:

Step 5: Verify MPLS operation:


Step 6: Change the MTU size:

R1(config)# interface fastethernet 0/0
R1(config-if)# mpls mtu 1508

R2(config)# interface fastethernet0/0
R2(config-if)# mpls mtu 1508


Final Configurations

R1# show run
!
hostname R1
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.12.1 255.255.255.0
 mpls ip
 mpls mtu 1508
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
end

R2# show run
!
hostname R2
!
interface Loopback0
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.12.2 255.255.255.0
 mpls ip
 mpls mtu 1508
 no shutdown
!
interface Serial0/0/1
 ip address 172.16.23.2 255.255.255.0
 mpls ip
 clock rate 64000
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
end

R3# show run
!
hostname R3


!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Serial0/0/1
 ip address 172.16.23.3 255.255.255.0
 mpls ip
 no shutdown
!
router eigrp 1
 network 172.16.0.0
 no auto-summary
!
end