Network Security 1.0 Final PT Skills Exam (PTSA) (Answer Key)
A few things to keep in mind while completing this activity:
- Do not use the browser Back button or close or reload any Exam windows during the exam.
- Do not close Packet Tracer when you are done. It will close automatically.
- Click the Submit Assessment button to submit your work.
In this practice Packet Tracer Skills Based Assessment, you will:
- Configure an ASA firewall to implement security policies.
- Configure Layer 2 security on a LAN switch.
- Configure a site-to-site IPsec VPN.
Background / Scenario
Your company has been hired by a used car dealership that has a corporate headquarters and multiple branch offices. The Car1 Company has become concerned about network security and has contracted you to implement Layer 2 security, an ASA device, and VPN services from HQ to the branches. Your job is to prototype the network in the lab prior to your company installing the equipment at the Car1 sites. In this case, you will only implement a VPN between headquarters and a single branch.
Note: Some values and approaches to configuring devices in this simulated assessment may not conform to current security best practices. In some cases, values have been simplified to streamline the assessment, and in other cases, values have been used by necessity in order to facilitate the assessment of certain skills in Packet Tracer.
| Device | Interface | IP Address | Subnet Mask | Gateway | DNS server |
|---|---|---|---|---|---|
| PC0, PC1, and PC2 | NIC | DHCP client | 255.255.255.0 | 192.168.10.1 | 192.168.10.10 |
Part 1: Configure the ASA 5506-X
Step 1: Configure Basic Settings on the ASA device.
HQ-ASA5506 is already configured with a password: Thecar1Admin.
Note: In order to receive full credit for your configuration, you must save the configuration file after making any changes to the device configuration.
- a. Configure the domain name as thecar1.com.
- b. Configure the hostname as HQ-ASA5506.
- c. Configure the INSIDE, OUTSIDE, and DMZ interfaces with the following:
- IP address 184.108.40.206/28, nameif OUTSIDE, security-level 1, assign to G1/1
- IP address 192.168.10.1/24, nameif INSIDE, security-level 100, assign to G1/2
- IP address 192.168.20.1/24, nameif DMZ, security-level 70, assign to G1/3
Step 2: Configure the DHCP service on the ASA device for the internal network.
- a. The DHCP pool is 192.168.10.25 – 192.168.10.35.
- b. The DHCP service should hand out the address of the AAA/NTP/syslog server as the DNS server.
- c. PC0, PC1, and PC2 should receive their addresses over DHCP.
Step 3: Configure routing on the ASA.
Configure a default route that will enable hosts on the HQ INSIDE and DMZ networks to communicate with outside hosts. Use the IP address of the HQ router interface that faces the ASA as the gateway address.
Step 4: Configure Secure Network Management for the ASA Device.
a. Configure the ASA with NTP:
- The ASA is an NTP client of the AAA/NTP/Syslog server.
- Enable NTP authentication on the ASA.
- The authentication key is key 1 with the password corpkey.
b. Configure AAA and SSH.
- Configure the ASA device with AAA authentication using the username of Car1Admin and password of adminpass01.
- Configure AAA to use the local database to authenticate SSH connections (the "console port" wording in the assessment refers to the ASA's SSH management-access method, not the physical console port).
- Generate an RSA key pair with a 1024-bit modulus to support SSH. (1024 bits is the assessment's value; a 2048-bit or larger modulus is the current minimum for production use.)
- Configure HQ-ASA5506 to accept SSH connections only from the Net Admin workstation.
- Configure SSH session timeout to be 20 minutes.
Step 5: Configure NAT Service for the ASA device for both INSIDE and DMZ networks.
- a. Create a network object called INSIDE-nat with subnet 192.168.10.0/24 and enable the IP addresses of the hosts in the internal network to be dynamically translated to access the external network via the outside interface.
- b. Create a network object DMZ-web-server to statically translate the DMZ web server internal IP address to the outside public IP address 220.127.116.11.
- c. Create a network object DMZ-dns-server to statically translate the DMZ DNS server internal IP address to the outside public IP address 18.104.22.168.
Step 6: Configure ACL on the ASA device to implement the Security Policy.
a. Configure a named extended ACL, NAT-IP-ALL, that permits the inside hosts that are translated to the pool of outside IP addresses.
b. Apply the NAT-IP-ALL ACL to the DMZ and OUTSIDE interfaces in the inbound direction.
c. Configure an ACL to allow access to the DMZ servers from the internet. Create an extended named ACL (named OUTSIDE-TO-DMZ) to filter traffic arriving at the HQ ASA. The ACL statements should be created in the order specified in the following guidelines:
(Note: The order of ACL statements is significant only because of the scoring requirements for this assessment.)
- The ACL should contain four access control entries (ACEs).
- HTTP traffic is allowed to the DMZ web server.
- DNS traffic (both TCP and UDP) is allowed to the DMZ DNS server (two separate ACEs).
- FTP traffic from the Branch administrator workstation is allowed to the DMZ web server.
Note: For the purposes of this assessment, do NOT apply this ACL.
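The full HQ-ASA5506 configuration for Steps 1 through 6, written out here as an added example; it is not part of the original answer key. Values taken from the page: hostname, domain name, interface addresses and security levels, DHCP pool, NTP key number and password, the Car1Admin credentials, the object names and their public addresses, the ACL names and the ACE order. Everything else is an assumption made so the fragment is complete: the AAA/NTP/syslog server at 192.168.10.10 (inferred from the DNS server column of the addressing table), the HQ router's ASA-facing interface at 184.108.40.193, the Net Admin workstation at 192.168.10.20 on INSIDE, the DMZ web and DNS servers at 192.168.20.2 and 192.168.20.3, the Branch administrator workstation at 192.168.30.20, and the body of NAT-IP-ALL, which the page describes only loosely.

```cisco
! HQ-ASA5506 -- ASA 9.x syntax. Lines marked ASSUMED use values the page does not give.
! Step 1: basic settings and interfaces
hostname HQ-ASA5506
domain-name thecar1.com
!
interface GigabitEthernet1/1
 nameif OUTSIDE
 security-level 1
 ip address 184.108.40.206 255.255.255.240
 no shutdown
!
interface GigabitEthernet1/2
 nameif INSIDE
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet1/3
 nameif DMZ
 security-level 70
 ip address 192.168.20.1 255.255.255.0
 no shutdown
!
! Step 2: DHCP for INSIDE; DNS option = AAA/NTP/syslog server (ASSUMED 192.168.10.10)
dhcpd address 192.168.10.25-192.168.10.35 INSIDE
dhcpd dns 192.168.10.10
dhcpd enable INSIDE
!
! Step 3: default route via the HQ router interface (ASSUMED 184.108.40.193)
route OUTSIDE 0.0.0.0 0.0.0.0 184.108.40.193
!
! Step 4a: authenticated NTP against the AAA/NTP/syslog server (ASSUMED 192.168.10.10)
ntp authenticate
ntp authentication-key 1 md5 corpkey
ntp trusted-key 1
ntp server 192.168.10.10 key 1
!
! Step 4b: local user, SSH authentication from the local database, RSA key,
!          SSH allowed only from the Net Admin workstation (ASSUMED 192.168.10.20), 20-minute timeout
username Car1Admin password adminpass01
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
ssh 192.168.10.20 255.255.255.255 INSIDE
ssh timeout 20
!
! Step 5: NAT objects (DMZ server real addresses ASSUMED)
object network INSIDE-nat
 subnet 192.168.10.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface
object network DMZ-web-server
 host 192.168.20.2
 nat (DMZ,OUTSIDE) static 220.127.116.11
object network DMZ-dns-server
 host 192.168.20.3
 nat (DMZ,OUTSIDE) static 18.104.22.168
!
! Step 6a/b: NAT-IP-ALL (ACE body ASSUMED) applied inbound on DMZ and OUTSIDE
access-list NAT-IP-ALL extended permit ip any any
access-group NAT-IP-ALL in interface DMZ
access-group NAT-IP-ALL in interface OUTSIDE
!
! Step 6c: OUTSIDE-TO-DMZ, four ACEs in the required order.
! ASA 8.3+ ACLs match the real (untranslated) DMZ addresses, not the static public ones.
access-list OUTSIDE-TO-DMZ extended permit tcp any host 192.168.20.2 eq www
access-list OUTSIDE-TO-DMZ extended permit tcp any host 192.168.20.3 eq domain
access-list OUTSIDE-TO-DMZ extended permit udp any host 192.168.20.3 eq domain
access-list OUTSIDE-TO-DMZ extended permit tcp host 192.168.30.20 host 192.168.20.2 eq ftp
! Deliberately NOT bound with access-group, per the assessment instructions.
!
write memory
```

Check the result with show nat (both static translations and the dynamic PAT should be listed), show ntp associations (the server line should show the key and a reachable peer) and show access-list (the ACE order and hit counts). Two caveats a practitioner should keep in mind outside the lab: a permit ip any any list bound inbound on OUTSIDE replaces the implicit deny for that interface, so everything that has a NAT path from the outside (here the two static translations) becomes reachable on every port; the real inbound policy is the specific OUTSIDE-TO-DMZ list. And the ASA only accepts MD5 for NTP key authentication, which guards against a spoofed time source but is not a confidentiality mechanism.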
Part 2: Configure Layer 2 Security on a Switch
For this part of the assessment, you will be configuring Switch1 in the internal network with Layer 2 attack mitigation measures.
Step 1: Disable Unused Switch Ports
- a. Disable all unused switch ports on Switch1.
- b. Configure all unused ports in static access mode so that they will not negotiate trunks.
Step 2: Implement Port Security
On Switch1, configure port security on all of the switch ports that are connected to hosts according to the following requirements:
- The ports should be configured as static access ports.
- The ports should learn a maximum of two MAC addresses.
- The ports should record the MAC addresses that have been learned in the device running configuration.
- If a violation occurs, the port should drop packets from host MAC addresses that have not been learned, increment the violation counter, and generate a syslog message.
Step 3: Implement STP Security
On Switch1, implement STP security measures on the active ports that are connected to hosts.
- a. Configure the switch to disable host ports that receive a BPDU.
- b. Configure the ports to quickly go into STP forwarding mode without going through the STP transitional modes. Do this on a port-by-port basis, not on the entire switch.
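Switch1 configuration for Steps 1 through 3, added here as an example rather than the original answer key. The page does not say which ports carry hosts or the uplink, so this assumes a 24-port 2960 with PC0, PC1 and PC2 on FastEthernet0/1-3, the uplink toward the ASA on GigabitEthernet0/1 (left untouched), and therefore FastEthernet0/4-24 plus GigabitEthernet0/2 as the unused set.

```cisco
! Switch1 -- Cisco IOS (2960). Port assignments are ASSUMED; see the lead-in.
!
! Step 1: unused ports -- static access (no DTP trunk negotiation), then shut down
interface range FastEthernet0/4 - 24 , GigabitEthernet0/2
 switchport mode access
 shutdown
!
! Step 2: port security on the host-facing ports.
! "switchport mode access" must come first; port security is refused on a dynamic port.
interface range FastEthernet0/1 - 3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Step 3: STP protection on the same host ports, set per interface, not globally.
! bpduguard err-disables the port if a BPDU arrives; portfast skips listening/learning.
 spanning-tree portfast
 spanning-tree bpduguard enable
!
end
copy running-config startup-config
```

Verify with show interfaces status (unused ports show disabled), show port-security interface FastEthernet0/1 (Violation Mode: Restrict, Maximum MAC Addresses: 2, Sticky MAC Addresses) and show spanning-tree interface FastEthernet0/1 detail (portfast and bpdu guard enabled). The violation mode follows from the requirements: restrict drops frames from unknown MAC addresses, increments the SecurityViolation counter and logs, while protect drops silently and shutdown err-disables the port. One caveat with sticky learning: the first two addresses seen on a port are written into the running configuration whatever they are, so apply it before, not after, an untrusted device can plug in, and check the learned addresses before saving.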
Part 3: Configure a Site-to-Site IPsec VPN between the HQ and the Branch Routers
Note: The Branch and HQ routers have already been configured with a username of CORPADMIN and a password of NetSec-Admin1. The enable secret password is [email protected].
Configure a site-to-site IPsec VPN between the HQ and Branch routers according to the requirements below.
The following tables list the parameters for the ISAKMP phase 1 and IPsec phase 2 policies:
ISAKMP Phase 1 Policy Parameters
| Parameter | Value |
|---|---|
| Key Distribution Method | ISAKMP |
IPsec Phase 2 Policy Parameters
| Parameters | HQ Router | Branch Router |
|---|---|---|
a. Configure ACL 120 on the HQ router to identify the interesting traffic to be sent across the VPN. The interesting traffic is all IP traffic from the HQ LAN to the Branch LAN.
b. Configure the ISAKMP Phase 1 properties on the HQ router. The crypto ISAKMP policy is 10. Refer to the ISAKMP Phase 1 Policy Parameters Table for the specific details needed.
c. Configure the IPsec Phase 2 properties on the HQ router, using VPN-MAP as the crypto map name and 10 as the sequence number. Refer to the IPsec Phase 2 Policy Parameters Table for the specific details needed.
d. Bind the VPN-MAP crypto map to the outgoing interface.
e. Configure IPsec parameters on the Branch router using the same parameters as on the HQ router. Note that the interesting traffic is defined as the IP traffic from the Branch LAN to the LAN that is attached to HQ.
f. Save the running-config, then reload both the HQ and Branch routers.
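Both routers' VPN configuration for Part 3, added here as an example; it is not the original answer key. The page supplies ACL 120, ISAKMP policy 10, the crypto map name VPN-MAP and sequence 10, but its parameter tables are empty, so the cipher, hash, DH group, lifetime, pre-shared key (Car1VPNkey), transform-set name (VPN-SET), the outgoing interfaces and peer addresses (203.0.113.1 for HQ, 198.51.100.1 for Branch, documentation ranges) and the Branch LAN (192.168.30.0/24) are all assumptions; the HQ LAN is taken to be the 192.168.10.0/24 INSIDE network from Part 1. Where the assessment's tables differ, their values govern.

```cisco
! ---------- HQ router (IOS 15.x syntax) ----------
! a. Interesting traffic: HQ LAN -> Branch LAN (Branch LAN ASSUMED)
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
! b. ISAKMP phase 1, policy 10 (algorithms, lifetime and key ASSUMED)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key Car1VPNkey address 198.51.100.1
!
! c. IPsec phase 2: transform set and crypto map VPN-MAP, sequence 10
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha256-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN to Branch
 set peer 198.51.100.1
 set transform-set VPN-SET
 match address 120
!
! d. Bind the map to the outgoing interface (interface name ASSUMED)
interface GigabitEthernet0/0
 crypto map VPN-MAP
!
! ---------- Branch router: same policy, mirrored ACL and peer ----------
access-list 120 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key Car1VPNkey address 203.0.113.1
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha256-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN to HQ
 set peer 203.0.113.1
 set transform-set VPN-SET
 match address 120
interface GigabitEthernet0/0
 crypto map VPN-MAP
!
! f. On both routers, from privileged EXEC: save, then reload
! copy running-config startup-config
! reload
```

After the reload, send traffic from an HQ LAN host to a Branch LAN host and check show crypto isakmp sa (state QM_IDLE once phase 1 completes) and show crypto ipsec sa (the #pkts encaps and #pkts decaps counters must rise on both sides). Two checks worth doing before calling it done: the two crypto ACLs must be exact mirrors, or one side will reject the proposal during phase 2; and ACL 120 must match the source addresses as they actually arrive at the HQ router, so if the ASA's dynamic PAT from Part 1 Step 5 translates INSIDE hosts before they reach the router, the ACL has to name the translated address or nothing will be encrypted.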