Issue the show users command to see connections to router R3. What connections are present? Use the service password-encryption command to encrypt the console, aux, and vty
CCNA Security
All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 25 of 33
c. Issue the show users command to see connections to router R3. What connections are present?
The console connection and the vty connection from PC-A by user admin01.
d. Close the Telnet connection using the quit or exit command.
Reflection
Why is VPN a good option for remote users? Answers will vary but should include the following: It is a flexible technology that is widely supported by
equipment vendors. Service is commonly available from ISPs. A VPN server can be set up independent of the ISP if desired. VPN provides easy and secure access to internal LAN resources for remote workers
and business partners. Any authorized persons with an Internet connection can access internal resources as if they were on the local LAN.
Router Interface Summary Table
Router Interface Summary
Router Model
Ethernet Interface 1
Ethernet Interface 2
Serial Interface 1
Serial Interface 2
1800 Fast Ethernet 00
Fa00 Fast Ethernet 01
Fa01 Serial 000
S000 Serial 001
S001 1900
Gigabit Ethernet 00 G00
Gigabit Ethernet 01 G01
Serial 000 S000
Serial 001 S001
2800 Fast Ethernet 00
Fa00 Fast Ethernet 01
Fa01 Serial 000
S000 Serial 001
S001 2900
Gigabit Ethernet 00 G00
Gigabit Ethernet 01 G01
Serial 000 S000
Serial 001 S001
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of
configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface,
even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to
represent the interface.
Router Configs
Note: ISR G2 devices have Gigabit Ethernet interfaces instead of FastEthernet Interfaces.
Router R1
R1sh run Building configuration...
Current configuration : 1472 bytes version 12.4
service timestamps debug datetime msec service timestamps log datetime msec
service password-encryption hostname R1
boot-start-marker boot-end-marker
CCNA Security
All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 26 of 33
security passwords min-length 10 logging message-counter syslog
enable secret 5 1AaIKBZ.jxgcYYqw0hU6fUjv5 no aaa new-model
dot11 syslog ip source-route
ip cef no ip domain lookup
no ipv6 cef multilink bundle-name authenticated
archive log config
hidekeys interface FastEthernet00
no ip address shutdown
duplex auto speed auto
interface FastEthernet01 ip address 192.168.1.1 255.255.255.0
duplex auto speed auto
interface FastEthernet010 interface FastEthernet011
interface FastEthernet012 interface FastEthernet013
interface Serial000 ip address 10.1.1.1 255.255.255.252
clock rate 64000 interface Serial001
no ip address shutdown
clock rate 2000000 interface Vlan1
no ip address ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.2 no ip http server
no ip http secure-server control-plane
banner motd CUnauthorized access strictly prohibited and
CCNA Security
All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 27 of 33
prosecuted to the full extent of the lawC line con 0
exec-timeout 0 0 password 7 02050D4808090C2E425E080A16
logging synchronous login
line aux 0 line vty 0 4
exec-timeout 5 0 password 7 060506324F411F0D1C0713181F
login scheduler allocate 20000 1000
end R1
Router R2
R2sh run Building configuration...
Current configuration : 1407 bytes version 12.4
service timestamps debug datetime msec service timestamps log datetime msec
service password-encryption hostname R2
boot-start-marker boot-end-marker
security passwords min-length 10 logging message-counter syslog
enable secret 5 1FNVc5HoYxMY0M3X15fdJH2h2V1 no aaa new-model
dot11 syslog ip source-route
ip cef no ip domain lookup
no ipv6 cef multilink bundle-name authenticated
archive log config
hidekeys interface FastEthernet00
no ip address shutdown
duplex auto
CCNA Security
All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 28 of 33
speed auto interface FastEthernet01
no ip address shutdown
duplex auto speed auto
interface FastEthernet010 interface FastEthernet011
interface FastEthernet012 interface FastEthernet013
interface Serial000 ip address 10.1.1.2 255.255.255.252
no fair-queue interface Serial001
ip address 10.2.2.2 255.255.255.252 clock rate 64000
interface Vlan1 no ip address
ip forward-protocol nd ip route 192.168.1.0 255.255.255.0 10.1.1.1
ip route 192.168.3.0 255.255.255.0 10.2.2.1 no ip http server
no ip http secure-server control-plane
banner motd CUnauthorized access strictly prohibited and prosecuted to the full extent of the lawC
line con 0 exec-timeout 0 0
password 7 1511021F0725282B2623343100 logging synchronous
login line aux 0
line vty 0 4 exec-timeout 5 0
password 7 070C285F4D060F110E020A1F17 login
scheduler allocate 20000 1000 end
R2
Router R3
R3sh run Building configuration...
CCNA Security
All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 29 of 33
Current configuration : 5999 bytes version 12.4
service timestamps debug datetime msec service timestamps log datetime msec
service password-encryption hostname R3
boot-start-marker boot-end-marker
security passwords min-length 10 logging message-counter syslog
no logging buffered enable secret 5 1RSyCWul3UddSy.qeKk1kWu6Cs
aaa new-model aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local aaa session-id common
dot11 syslog ip source-route
ip cef no ip domain lookup
no ipv6 cef multilink bundle-name authenticated
username admin01 privilege 15 secret 5 17RQv6.9C.LzorlQIncw7qa.32. username VPNuser1 secret 5 1iHZxreDaIu1D4ccOGRiRorycm0
archive log config
hidekeys crypto isakmp policy 1
encr 3des authentication pre-share
group 2 crypto isakmp client configuration group VPN-Access
key cisco12345 pool SDM_POOL_1
max-users 50 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1 match identity group VPN-Access
client authentication list ciscocp_vpn_xauth_ml_1 isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond virtual-template 1
CCNA Security
All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 30 of 33
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 3600 set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1 class-map type inspect match-any SDM_AH
match access-group name SDM_AH class-map type inspect match-any ccp-skinny-inspect
match protocol skinny class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme match protocol dns
match protocol ftp match protocol https
match protocol icmp match protocol imap
match protocol pop3 match protocol netshow
match protocol shell match protocol realmedia
match protocol rtsp match protocol smtp extended
match protocol sql-net match protocol streamworks
match protocol tftp match protocol vdolive
match protocol tcp match protocol udp
class-map type inspect match-all ccp-insp-traffic match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP match access-group name SDM_IP
class-map type inspect match-any SDM_ESP match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC match protocol isakmp
match protocol ipsec-msft match class-map SDM_AH
match class-map SDM_ESP class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe class-map type inspect match-any ccp-h323-inspect
match protocol h323 class-map type inspect match-all ccp-invalid-src
match access-group 100 class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access class-map type inspect match-any ccp-sip-inspect
CCNA Security
All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 31 of 33
match protocol sip class-map type inspect match-all ccp-protocol-http
match protocol http policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access inspect
class class-default pass
policy-map type inspect ccp-inspect class type inspect ccp-invalid-src
drop log class type inspect ccp-protocol-http
inspect class type inspect ccp-insp-traffic
inspect class type inspect ccp-sip-inspect
inspect class type inspect ccp-h323-inspect
inspect class type inspect ccp-h323annexe-inspect
inspect class type inspect ccp-h225ras-inspect
inspect class type inspect ccp-h323nxg-inspect
inspect class type inspect ccp-skinny-inspect
inspect class class-default
drop policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT pass
class class-default drop
policy-map type inspect sdm-permit-ip class type inspect SDM_IP
pass class class-default
drop log zone security in-zone
zone security out-zone zone security ezvpn-zone
zone-pair security ccp-zp-out-self source out-zone destination self service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
CCNA Security
All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 32 of 33
service-policy type inspect sdm-permit-ip interface FastEthernet00
no ip address shutdown
duplex auto speed auto
interface FastEthernet01 description FW_INSIDE
ip address 192.168.3.1 255.255.255.0 zone-member security in-zone
duplex auto speed auto
interface FastEthernet010 interface FastEthernet011
interface FastEthernet012 interface FastEthernet013
interface Serial000 no ip address
shutdown no fair-queue
clock rate 2000000 interface Serial001
description FW_OUTSIDE ip address 10.2.2.1 255.255.255.252
zone-member security out-zone interface Virtual-Template1 type tunnel
ip unnumbered Serial001 zone-member security ezvpn-zone
tunnel mode ipsec ipv4 tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1 no ip address
ip local pool SDM_POOL_1 192.168.3.100 192.168.3.150 ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.2.2.2 ip http server
ip http authentication local no ip http secure-server
ip access-list extended SDM_AH remark CCP_ACL Category=1
permit ahp any any ip access-list extended SDM_ESP
remark CCP_ACL Category=1 permit esp any any
ip access-list extended SDM_IP remark CCP_ACL Category=1
CCNA Security
All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 33 of 33
permit ip any any access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any control-plane
banner motd CUnauthorized access strictly prohibited and prosecuted to the full extent of the lawC
line con 0 exec-timeout 0 0
password 7 14141B180F0B29242A38322631 logging synchronous
line aux 0 line vty 0 4
exec-timeout 5 0 password 7 14141B180F0B3C3F3D38322631
scheduler allocate 20000 1000 end
R3
All contents are Copyright © 1992 –2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 26
CCNA Security