[Tutorial] Skill exam




Post #1, 2014-12-30 07:43 (IP location: Zhejiang)
Task 1: Test Connectivity and Verify Configurations
Step 1. Verify IP addresses.
Step 2. Verify routing tables.
Step 3. Test connectivity.
From PC-A, ping PC-C at IP address 192.168.3.5.


Post #2, 2014-12-30 07:44 (IP location: Zhejiang)
Task 2: Secure the Routers
Step 1. Set a minimum password length of 10 characters on routers R1 and R3.
Set a 10-character minimum password length on R1 and R3:
R1(config)#security passwords min-length 10
Step 2. Configure an enable secret password on routers R1 and R3.
Use an enable secret password of ciscoenpa55.
Set the secret password ciscoenpa55 on R1 and R3 (type it in plaintext; the "5" marker followed by a hash is only what the running config shows afterwards):
R1(config)#enable secret ciscoenpa55
Step 3. Encrypt plaintext passwords. Encrypt the plaintext passwords:
R1(config)#service password-encryption
Step 4. Configure the console lines on R1.
Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.
On R1, set the console password ciscoconpa55 and enable login, with an exec-timeout of 5 minutes, and stop console messages from interrupting command-line input:
line con 0
 exec-timeout 5 0
 password 7 0822455D0A1606181C1B0D517F   (ciscoconpa55, as shown after service password-encryption)
 login
 logging synchronous
Step 5. Configure vty lines on R1.
Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity.
On R1, set the VTY password with an exec-timeout of 5 minutes:
line vty 0 4
 exec-timeout 5 0
 password ciscovtypa55   (the task requires ciscovtypa55 here, not the console password)
 login
Step 6. Configure login banner on R1 and R3.
Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner that says: “No Unauthorized Access!”.
Configure the login banner on R1 and R3:
R1(config)#banner motd &No Unauthorized Access!&


Post #3, 2014-12-30 07:44 (IP location: Zhejiang)
Task 3: Configure Local Authentication on R1 and R3
Step 1. Configure the local user database.
Create a local user account of Admin01 with a secret password of Admin01pa55.
Step 2. Enable AAA services.
Step 3. Implement AAA services using the local database.
Create the default login authentication method list using local authentication with no backup method.
On R1 and R3, configure local AAA authentication with the account Admin01 and password Admin01pa55:
R1(config)#username Admin01 secret Admin01pa55
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
local is case-insensitive and local-case is case-sensitive, but our simulator does not seem to have local-case.


Post #4, 2014-12-30 07:45 (IP location: Zhejiang)
Task 4: Configure NTP
Step 1. Enable NTP authentication on PC-A.
On PC-A, choose the Config tab, and then the NTP button. Select On for NTP service. Enable authentication and enter a Key of 1 and a password of ciscontppa55.
Step 2. Configure R1 as an NTP client.
Reference: http://blog.sina.com.cn/s/blog_4607665901016jwb.html
Configure NTP authentication Key 1 with a password of ciscontppa55. Configure R1 to synchronize with the NTP server and authenticate using Key 1.
R1#ping 192.168.1.5
ntp authentication-key 1 md5 ciscontppa55   (enter the key in plaintext; the running config later shows it encrypted with a trailing 7)
ntp authenticate
ntp trusted-key 1
ntp server 192.168.1.5 key 1
ntp update-calendar
Step 3. Configure routers to update hardware clock.
Configure routers to periodically update the hardware clock with the time learned from NTP.
On PC-A, configure the NTP service with Key 1 and password ciscontppa55. On R1, configure the NTP client with Key 1 and password ciscontppa55. Configure the router to periodically update its hardware clock.


Post #5, 2014-12-30 07:45 (IP location: Zhejiang)
Task 5: Configure R1 as Syslog Client
Step 1. Configure R1 to timestamp log messages.
Configure timestamp service for logging on the routers.
Step 2. Configure R1 to log messages to the syslog server.
Configure the routers to identify the remote host (syslog server) that will receive logging messages.
On R1, configure the timestamp service and logging to the syslog server:
R1(config)#logging host 192.168.1.6   (PC-B, the syslog server; see Task 6)
R1(config)#service timestamps debug datetime msec
R1(config)#service timestamps log datetime msec


Post #6, 2014-12-30 07:45 (IP location: Zhejiang)
Task 6: Secure Router Against Login Attacks
Step 1. Log unsuccessful login attempts to R1.
Step 2. Telnet to R1 from PC-A.
Telnet from PC-A to R1. The Telnet should be successful.
Step 3. Telnet to R1 from PC-A and check syslog messages on the syslog server.
Exit from the current Telnet session and Telnet again to R1 using the wrong password. Check the syslog server on PC-B.
R1(config)#login on-failure log   (Step 1: log failed login attempts)
R1(config)#logging on
R1(config)#logging console
R1(config)#logging 192.168.1.6   (PC-B's IP address; already verified reachable with ping)


Post #7, 2014-12-30 07:46 (IP location: Zhejiang)
Task 7: Configure SSH on R3
Step 1. Configure a domain name.
Configure a domain name of ccnasecurity.com on R3.
R3(config)#ip domain name ccnasecurity.com
Step 2. Configure the incoming vty lines on R3.
Use the local user accounts for mandatory login and validation and accept only SSH connections.
Step 3. Configure RSA encryption key pair for R3.
Any existing RSA key pairs should be erased on the router. If there are no keys currently configured a message will be displayed indicating this. Configure the RSA keys with a modulus of 1024.
Step 4. Configure SSH timeouts and authentication parameters.
Set the SSH timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
On R3, configure the SSH service with an RSA key length of 1024 and the domain name ccnasecurity.com. Set the SSH timeout to 90 seconds, version 2, and 2 authentication retries.
Reference: http://blog.163.com/chunger_qin/blog/static/1332804922012216102252667/
R3(config)#username Admin01 secret Admin01pa55   (the local account from Task 3)
R3(config)#line vty 0 4
R3(config-line)#login local
R3(config-line)#transport input ssh
R3(config-line)#exit
R3(config)#crypto key generate rsa
The name for the keys will be: R3.ccnasecurity.com
Choose the size of the key modulus in the range of 360 to 2048 for your
 General Purpose Keys. Choosing a key modulus greater than 512 may take
 a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R3(config)#ip ssh time-out 90
R3(config)#ip ssh authentication-retries 2
R3(config)#ip ssh version 2


Post #8, 2014-12-30 07:46 (IP location: Zhejiang)
Task 8: Configure CBAC on R1
Reference: http://blog.chinaunix.net/uid-23829146-id-2656714.html
Step 1. Configure a named IP ACL.
Create an IP ACL named OUT-IN to block all traffic originating from the outside network.
Apply the access list to incoming traffic on interface Serial 0/0/0.
ip access-list standard OUT-IN
 deny any
interface Serial0/0/0
 ip access-group OUT-IN in
Step 2. Confirm that traffic entering interface Serial 0/0/0 is dropped.
From the PC-A command prompt, ping PC-C. The ICMP echo replies are blocked by the ACL.
Step 3. Create an inspection rule to inspect ICMP, Telnet and HTTP traffic.
Create an inspection rule named IN-OUT-IN to inspect ICMP, Telnet and HTTP traffic.
ip inspect name IN-OUT-IN icmp
ip inspect name IN-OUT-IN telnet
ip inspect name IN-OUT-IN http
Step 4. Apply the inspect rule to the outside interface.
Apply the IN-OUT-IN inspection rule to the interface where traffic exits to outside networks.
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 ip access-group OUT-IN in
 ip inspect IN-OUT-IN out
 clock rate 64000
Step 5. Test operation of the inspection rule.
From the PC-A command prompt, ping PC-C. The ICMP echo replies should be inspected and allowed through.
On R1, configure the CBAC firewall: a named ACL OUT-IN that blocks all outside traffic, applied inbound on Serial 0/0/0, and an inspection rule IN-OUT-IN that inspects ICMP, Telnet and HTTP traffic.
Finally, add:
R1(config)#ip inspect audit-trail
R1#debug ip inspect detailed
INSPECT Detailed Debug debugging is on


Post #9, 2014-12-30 07:46 (IP location: Zhejiang)
Task 9: Configure ZPF on R3
Reference: http://wenku.baidu.com/link?url=MzxNcQiVx3IqYVEt_odsanWTIMidC1NV-sNvQv1QauDCwrGZPeg_mQK2mvniJ_bz66Kgr8fq7941OoDnrxBGWV-lnHleTkqdPUfm7oA-f1e
Step 1. Test connectivity.
Verify that the internal host can access external resources.
From PC-C, test connectivity with ping and Telnet to R2; all should be successful.
From R2 ping to PC-C. The pings should be allowed.
Step 2. Create the firewall zones.
Create an internal zone named IN-ZONE.
Create an external zone named OUT-ZONE.
zone security IN-ZONE
 exit
zone security OUT-ZONE
 exit
Step 3. Create an ACL that defines internal traffic.
Create an extended, numbered ACL that permits all IP protocols from the 192.168.3.0/24 source network to any destination. Use 101 for the ACL number.
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
R3(config)#ip access-list extended 101
R3(config-ext-nacl)#10 permit ip 192.168.3.0 0.0.0.255 any
R3(config-ext-nacl)#exit
Step 4. Create a class map referencing the internal traffic ACL.
Create a class map named IN-NET-CLASS-MAP to match ACL 101.
Step 5. Specify firewall policies.
Create a policy map named IN-2-OUT-PMAP to determine what to do with matched traffic.
Specify a class type of inspect and reference class map IN-NET-CLASS-MAP.
Specify the action of inspect for this policy map.
Note for Steps 4 and 5: when configuring the class-map you must use type inspect directly, so that it can be referenced with class type inspect under the policy-map type inspect.
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
!
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
Step 6. Apply firewall policies.
Create a zone pair named IN-2-OUT-ZPAIR. Specify the source and destination zones that were created earlier.
Attach a policy map and actions to the zone pair referencing the policy map previously created, IN-2-OUT-PMAP.
Exit to the global config prompt and assign the internal and external interfaces to the security zones.
zone security IN-ZONE
zone security OUT-ZONE
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 zone-member security IN-ZONE

interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 zone-member security OUT-ZONE
Step 7. Test firewall functionality.
Verify that the internal host can still access external resources.
From PC-C, test connectivity with ping and Telnet to R2; all should be successful.
From R2 ping to PC-C. The pings should now be blocked.
Configure the ZBF firewall on R3 with the parameters above.


Post #10, 2014-12-30 07:47 (IP location: Zhejiang)
Task 10: Secure the Switches
Step 1. Configure an enable secret password on all switches. Configure the secret password.
Use an enable secret password of ciscoenpa55.
Step 2. Encrypt plaintext passwords. Encrypt the plaintext passwords.
Step 3. Configure the console lines on all switches. Configure the console password and parameters.
Configure a console password of ciscoconpa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Prevent console messages from interrupting command entry.
Step 4. Configure vty lines on all switches. Configure the vty password and parameters.
Configure a vty line password of ciscovtypa55 and enable login. Set the exec-timeout to log out after 5 minutes of inactivity. Set the basic login parameter.
Step 5. Secure trunk ports on S1 and S2.
Configure port Fa0/1 on S1 as a trunk port. Configure the trunk port.
Configure port Fa0/1 on S2 as a trunk port. Configure the trunk port.
Verify that S1 port Fa0/1 is in trunking mode.
Set the native VLAN on S1 and S2 trunk ports to an unused VLAN 99. Configure native VLAN 99.
Set the trunk ports on S1 and S2 so that they do not negotiate by turning off the generation of DTP frames. Disable auto-negotiation.
Enable storm control for broadcasts on the S1 and S2 trunk ports with a 50 percent rising suppression level. Enable broadcast storm control at 50%.
Step 6. Secure access ports.
Disable trunking on S1, S2 and S3 access ports. Disable trunking on the access ports.
Enable PortFast on S1, S2, and S3 access ports. Configure the access ports as PortFast.
Enable BPDU guard on the switch ports previously configured as access only. Enable BPDU guard.
Enable basic default port security on all access ports that are in use. Use the sticky option. Re-enable each access port to which port security was applied. Enable port security with sticky learning.
Disable any ports not being used on each switch. Shut down all unused ports.
For example:
S1(config)#interface range f0/1-24
S1(config-if-range)#switchport mode access
S1(config-if-range)#shutdown
S1(config-if-range)#switchport access vlan 1
S1(config)#interface f0/1
S1(config-if)#no shutdown
S1(config-if)#switchport mode trunk
S1(config-if)#switchport trunk native vlan 99
S1(config-if)#switchport trunk allowed vlan all
S1(config-if)#switchport nonegotiate
S1(config-if)#storm-control broadcast level ?
  <0.0 - 100.0>  Enter rising threshold
S1(config-if)#storm-control broadcast level 50.00
S1(config-if)#exit
S1(config)#spanning-tree portfast default
S1(config)#interface range f0/5-6
S1(config-if-range)#no shutdown
S1(config-if-range)#spanning-tree bpduguard enable
S1(config-if-range)#switchport port-security
S1(config-if-range)#switchport port-security maximum 1
S1(config-if-range)#switchport port-security mac-address sticky
S1(config-if-range)#end
Paste-ready version:
interface range f0/1-24
 switchport mode access
 shutdown
 switchport access vlan 1
interface f0/1
 no shutdown
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan all
 switchport nonegotiate
 storm-control broadcast level 50.00
 exit
spanning-tree portfast default
interface range f0/5-6
 no shutdown
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
end


Post #11, 2014-12-30 07:47 (IP location: Zhejiang)
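A way to check a saved running config against the hardening steps from Tasks 2, 3 and 7 (password length, enable secret, password encryption, local AAA, console and vty timeouts, SSH-only vty, SSH version 2, MOTD banner), added here as an example; it is not code from the thread or from the exam. The config it embeds is constructed: the hashes are placeholders and the vty lines deliberately omit exec-timeout so that one finding is reported.

```python
"""Audit an IOS running-config against the router hardening steps of this exam
(Tasks 2, 3 and 7). Added example, not from the original thread. The config
below is constructed: hashes are placeholders, and 'line vty 0 4' deliberately
omits exec-timeout so that one finding is reported."""
import re

SAMPLE_CONFIG = """\
service password-encryption
security passwords min-length 10
enable secret 5 $1$PLACEHOLDER$HASH
aaa new-model
aaa authentication login default local
ip ssh version 2
banner motd ^CNo Unauthorized Access!^C
line con 0
 exec-timeout 5 0
 password 7 0822455D0A1606181C1B0D517F
 login
line vty 0 4
 login local
 transport input ssh
"""


def parse_config(text):
    """Split a config into top-level commands and a dict mapping each
    'line ...' / 'interface ...' header to its indented sub-commands."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            top.append(raw.strip())
            current = raw.strip() if raw.startswith(("line ", "interface ")) else None
            if current:
                blocks[current] = []
    return top, blocks


def audit_router(text):
    """Return {check name: passed} for the exam's router hardening requirements."""
    top, blocks = parse_config(text)

    def has(prefix, section=None):
        cmds = top if section is None else blocks.get(section, [])
        return any(c.startswith(prefix) for c in cmds)

    m = re.search(r"^security passwords min-length (\d+)$", "\n".join(top), re.M)
    return {
        "password min-length >= 10": bool(m) and int(m.group(1)) >= 10,
        "enable secret configured": has("enable secret "),
        "service password-encryption": has("service password-encryption"),
        "aaa login uses local database": has("aaa authentication login default local"),
        "ssh version 2": has("ip ssh version 2"),
        "console: 5 min exec-timeout + login": has("exec-timeout 5 0", "line con 0")
            and has("login", "line con 0"),
        "vty: 5 min exec-timeout": has("exec-timeout 5 0", "line vty 0 4"),
        "vty: login local + ssh only": has("login local", "line vty 0 4")
            and has("transport input ssh", "line vty 0 4"),
        "motd banner set": has("banner motd"),
    }


def failed_checks(text):
    """Names of the checks that did not pass, for a compliance report."""
    return [name for name, ok in audit_router(text).items() if not ok]
```

Running it on a real `show running-config` capture works the same way; a `password 7` line is only the reversible type-7 form that service password-encryption produces, which is why the check looks for an enable secret rather than an enable password.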
Task 13: Verify the security configuration.
Step 1. Test SSH configuration.
Attempt to connect to R3 via Telnet from PC-C.
From PC-C, enter the command to connect to R3 via Telnet at IP address 192.168.3.1.
This connection should fail, since R3 has been configured to accept only SSH connections on the virtual terminal lines.
From PC-C, enter the ssh -l Admin01 192.168.3.1 command to connect to R3 via SSH.
When prompted for the password, enter the password Admin01pa55 configured for the local administrator.
Use the show ip ssh command to see the configured settings.
username Admin01 privilege 15 secret Admin01pa55
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 90
ip domain-name ccnasecurity.com
R3(config)#crypto key generate rsa
% You already have RSA keys defined named R3.ccnasecurity.com .
% Do you really want to replace them? [yes/no]: y
The name for the keys will be: R3.ccnasecurity.com
Choose the size of the key modulus in the range of 360 to 2048 for your
 General Purpose Keys. Choosing a key modulus greater than 512 may take
 a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R3(config)#
line vty 0 4
 login local
 transport input ssh
Step 2. Verify timestamps, NTP status for R1 and PC-A.
R1#show ntp status
Clock is synchronized, stratum 2, reference is 192.168.1.5
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**19
reference time is D82238BD.000000CD (23:56:45.205 UTC Mon Dec 29 2014)
clock offset is 0.00 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec.
Step 3. Test CBAC firewall on R1.
Ping from PC-A to R2 at 10.2.2.2 (should succeed)
Telnet from PC-A to R2 at 10.2.2.2 (should succeed)
Ping from R2 to PC-A at 192.168.1.5 (should fail)
Step 4. Test ZPF firewall on R3.
Ping from PC-C to R2 at 10.2.2.2 (should succeed)
Telnet from PC-C to R2 at 10.2.2.2 (should succeed)
Ping from R2 to PC-C at 192.168.3.5 (should fail)
Telnet from R2 to R3 at 10.2.2.1 (should fail; only SSH is allowed)
Step 5. Verify port security.
On S2, use the show run command to confirm that S2 has added a sticky MAC address for Fa0/18. This should be the MAC address of PC-B. Record the MAC address for later use.
Select PC-B. Go to the Config tab. Select FastEthernet under the Interface section. Edit the MAC address field.
Config page, interface settings, change the MAC address:
interface FastEthernet0/18
 switchport port-security mac-address sticky 0001.435D.3057
Interface MAC: 0001.435D.3057
Change it to: 0001.435D.4096
This should cause a port security violation and S2 should shut down port Fa0/18.
The default violation mode is shutdown; because it is the default, the command does not appear in the config.
%LINK-5-CHANGED: Interface FastEthernet0/18, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down
Use the show interface Fa0/18 command to view the status of the port. The port should be in the err-disabled state.
S2#show int f0/18
FastEthernet0/18 is down, line protocol is down (err-disabled)
On PC-B, go to the Config tab. Select FastEthernet under the Interface section. Change the MAC address to another address.
0001.435D.2048
From interface configuration mode on switch S2 for Fa0/18, use the no switchport port-security mac-address sticky address command to remove the original PC-B learned address. [This means delete the previously bound entry and add a new one: no switchport port-security mac-address sticky 0001.435D.3057]
Shutdown and then re-enable the Fa0/18 interface.
On S2, use the show run command to confirm that the port comes up and that the new MAC address has been learned.
interface FastEthernet0/18
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.435D.2048
 spanning-tree bpduguard enable
Note: If it is desired to reconnect the PC with the original MAC address, you can simply change the MAC address on the PC back to the original one and issue the shutdown and no shutdown commands on port Fa0/18. If the PC or a NIC is being replaced and will have a new MAC address, you must first remove the old learned address.


Post #14, 2014-12-30 07:48 (IP location: Zhejiang)
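The two events this lab makes the devices report to the syslog server on PC-B are the failed Telnet logins to R1 (Task 6; IOS emits %SEC_LOGIN-4-LOGIN_FAILED once login on-failure log is configured) and the port-security violation that err-disables S2 Fa0/18 (Task 13, Step 5). Added example, not from the thread: a small detector that runs over those messages and raises one alert per port-security event and one when a source repeats failed logins. The log lines are constructed in IOS message format; the hostnames and the syslog-server line layout are assumptions.

```python
"""Flag the events this exam makes the devices log: repeated failed logins to
R1 (Task 6) and the port-security violation that err-disables S2 Fa0/18
(Task 13, Step 5). Added example, not from the original thread. The syslog
lines below are constructed in IOS message format; hostnames are assumed."""
import re
from collections import Counter

SAMPLE_SYSLOG = """\
R1 *Dec 29 23:57:01.205: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin01] [Source: 192.168.1.5] [localport: 23] [Reason: Login Authentication Failed] at 23:57:01 UTC Mon Dec 29 2014
R1 *Dec 29 23:57:09.418: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin01] [Source: 192.168.1.5] [localport: 23] [Reason: Login Authentication Failed] at 23:57:09 UTC Mon Dec 29 2014
R1 *Dec 29 23:57:15.002: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin01] [Source: 192.168.1.5] [localport: 23] [Reason: Login Authentication Failed] at 23:57:15 UTC Mon Dec 29 2014
R1 *Dec 29 23:57:30.771: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: Admin01] [Source: 192.168.1.5] [localport: 23] at 23:57:30 UTC Mon Dec 29 2014
S2 *Dec 29 23:59:40.113: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.435d.4096 on port FastEthernet0/18.
S2 *Dec 29 23:59:41.120: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/18, putting Fa0/18 in err-disable state
"""

LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: .*\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]")
PSECURE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address (?P<mac>[0-9A-Fa-f.]+) on port (?P<port>\S+?)\.?$")
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),")


def analyse(text, fail_threshold=3):
    """Return alert dicts: one per port-security event in line order, then one
    per (device, source, user) whose failed-login count reaches the threshold."""
    alerts, failures = [], Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        device = line.split()[0]   # reporting host, as the syslog server records it
        m = LOGIN_FAILED.search(line)
        if m:
            failures[(device, m.group("src"), m.group("user"))] += 1
            continue
        m = PSECURE.search(line)
        if m:
            alerts.append({"type": "port-security-violation", "device": device,
                           "port": m.group("port"), "mac": m.group("mac").lower()})
            continue
        m = ERR_DISABLE.search(line)
        if m:
            alerts.append({"type": "port-err-disabled", "device": device,
                           "port": m.group("port"), "cause": m.group("cause")})
    for (device, src, user), count in failures.items():
        if count >= fail_threshold:
            alerts.append({"type": "repeated-login-failures", "device": device,
                           "source": src, "user": user, "count": count})
    return alerts
```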
Thank you very much! Because I put too much into other areas, I fell far behind in the Cisco configuration course and have been searching for material online.
A pka I am working on happens to have a lot in common with this tutorial; it helped me a great deal!


Post #16, 2017-05-30 11:28 (IP location: Guangdong)
Thank you so much, huge thanks to the OP!


Post #17, 2019-01-13 21:55 (IP location: Shanghai)