CCNA Security v1.1

NETLAB+ support materials for CCNA Security have been revised to provide compatibility with the release of CCNA Security version 1.1. A new topology, MAP with ASA, has been created to provide added functionality.

Several labs have been added to the lab list below:

  • Ch. 0, Lab A, in which devices are configured for use with Cisco Configuration Professional (CCP) 2.5.
  • Ch. 10, labs A, B, C and D, which are only supported on a MAP with ASA, with an ASA 5505.
  • Ch. 10, labs E, F, G and H, which are only supported on a MAP with ASA, with an ASA 5510.
  • Skills Based Assessment (SBA), which is only supported on a MAP with ASA, with an ASA 5505.

CCNA Security labs require different console and enable secret password settings from other courses. Please review the information on enabling CCNA Security labs.

Supported Labs

| Lab | Description | Pod Required | Comments |
| --- | --- | --- | --- |
| Ch. 0 A | Configuring Devices for Use with Cisco Configuration Professional (CCP) 2.5 | MAP w/ASA or MAP or CRP or BRPv2 | |
| Ch. 1 A | Researching Network Attacks and Security Audit | | No equipment is required. |
| Ch. 2 A | Securing the Router for Administrative Access | MAP w/ASA or MAP or CRP or BRPv2 | |
| Ch. 3 A | Securing Administrative Access Using AAA and RADIUS | MAP w/ASA or MAP or CRP or BRPv2 | |
| Ch. 4 A | Configuring CBAC and Zone-Based Firewalls | MAP w/ASA or MAP or CRP or BRPv2 | |
| Ch. 5 A | Configuring an Intrusion Prevention System (IPS) Using the CLI and CCP | MAP w/ASA or MAP or CRP or BRPv2 | |
| Ch. 6 A | Securing Layer 2 Switches | MAP w/ASA or MAP or LSP | For part 4 (Configure SPAN and Monitor Traffic) please use task 2, option 2. |
| Ch. 7 A | Exploring Encryption Methods | MAP w/ASA or MAP or LSP | |
| Ch. 8 A | Configuring a Site-to-Site VPN Using IOS and CCP | MAP w/ASA or MAP or CRP or BRPv2 | |
| Ch. 8 B | Configuring a Remote Access VPN Server and Client | MAP w/ASA or MAP or CRP or BRPv2 | |
| Ch. 9 A | Security Policy Development and Implementation | MAP w/ASA or MAP | |
| Ch. 9 A Part 1 | Security Policy Development and Implementation Part 1 | CRP or BRPv2 | Security with routers. |
| Ch. 9 A Part 2 | Security Policy Development and Implementation Part 2 | LSP | Security with switches. |
| Ch. 10 A | Configuring ASA Basic Settings and Firewall Using CLI | MAP w/ASA¹ | |
| Ch. 10 B | Configuring ASA Basic Settings and Firewall Using ASDM | MAP w/ASA¹ | |
| Ch. 10 C | Configuring Clientless and AnyConnect Remote Access SSL VPNs Using ASDM | MAP w/ASA¹ | |
| Ch. 10 D | Configuring a Site-to-Site IPsec VPN Using CCP and ASDM | MAP w/ASA¹ | |
| Ch. 10 E | Configuring ASA Basic Settings and Firewall Using CLI | MAP w/ASA² | |
| Ch. 10 F | Configuring ASA Basic Settings and Firewall Using ASDM | MAP w/ASA² | |
| Ch. 10 G | Configuring Clientless and AnyConnect Remote Access SSL VPNs Using ASDM | MAP w/ASA² | |
| Ch. 10 H | Configuring a Site-to-Site IPsec VPN Using CCP and ASDM | MAP w/ASA² | |
| SBA | Skills Based Assessment | MAP w/ASA¹ | |

Pod Compatibility Quick Reference Table

NDG has worked closely with the Cisco CCNA Security lab team to develop these labs and to ensure compatibility with NETLAB+ topologies. This table indicates the NETLAB+ topologies that may be used for each lab.

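| CCNA Security Lab | Multi-Purpose Academy Pod with ASA (MAP w/ASA) | Multi-Purpose Academy Pod (MAP) | Basic Router Pod (BRPv2) | Cuatro Router Pod (CRP) | LAN Switching Pod (LSP) |
| --- | --- | --- | --- | --- | --- |
| Ch. 0 Lab A | Yes | Yes | Yes | Yes | |
| Ch. 1 Lab A | Yes | Yes | Yes | Yes | |
| Ch. 2 Lab A | Yes | Yes | Yes | Yes | |
| Ch. 3 Lab A | Yes | Yes | Yes | Yes | |
| Ch. 4 Lab A | Yes | Yes | Yes | Yes | |
| Ch. 5 Lab A | Yes | Yes | Yes | Yes | |
| Ch. 6 Lab A | Yes | Yes | | | Yes |
| Ch. 7 Lab A | Yes | Yes | | | Yes |
| Ch. 8 Lab A | Yes | Yes | Yes | Yes | |
| Ch. 8 Lab B | Yes | Yes | Yes | Yes | |
| Ch. 9 Lab A | Yes | Yes | Part 1 | Part 1 | Part 2 |
| Ch. 10 Lab A | Yes¹ | | | | |
| Ch. 10 Lab B | Yes¹ | | | | |
| Ch. 10 Lab C | Yes¹ | | | | |
| Ch. 10 Lab D | Yes¹ | | | | |
| Ch. 10 Lab E | Yes² | | | | |
| Ch. 10 Lab F | Yes² | | | | |
| Ch. 10 Lab G | Yes² | | | | |
| Ch. 10 Lab H | Yes² | | | | |
| SBA | Yes¹ | | | | |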

¹ Supported using ASA 5505

² Supported using ASA 5510

Router, Switch, and IOS Requirements

The routers used must meet the minimum IOS requirements specified by the curriculum. The following recommendations are based on the CCNA Security Equipment List (available on Academy Connection). Other router and switch models may be used. Please consult Academy Connection NetAcad Maintenance - Image & Hardware Support Assistance with Legacy Equipment and Software.

| Router / Switch | Recommended Model(s) | Minimum DRAM | Minimum IOS | Feature Set |
| --- | --- | --- | --- | --- |
| R1 | Cisco 1841, Cisco 1941 | 192 MB | 12.4(20)T1 | Advanced IP Services |
| R2¹ | Cisco 1841, Cisco 1941 | 128 MB | 12.4(20)T1 | IP Base |
| R3¹ | Cisco 1841, Cisco 1941 | 192 MB | 12.4(20)T1 | Advanced IP Services |
| S1 | Cisco 2960 | | | LAN Base Image |
| S2 | Cisco 2960 | | | LAN Base Image |
| S3 | Cisco 2960 | | | LAN Base Image |

¹ Routers R2 and R3 do not apply to LAN Switching Pods (LSP).

Enabling the Labs

CCNA Security labs require different console and enable secret password settings from other courses. If CCNA Security and other courses are enabled in the same class, it is likely that the NETLAB+ automation will fail to save configuration files, since the default passwords, cisco and class, are not the correct passwords for CCNA Security.

To avoid configuration management problems, we recommend that the CCNA Security course be enabled in a separate class from other courses. Enabling this course within a separate class will allow you to set the appropriate console and enable secret passwords in the class settings required for CCNA Security.

Create a new class to be used for the CCNA Security Course using the following settings:

If your MAP with ASA pod has an ASA 5505:
  • In the Global Labs section of the class settings, select AE CCNA Security V1.1 ASA5505
    To enable the SBA, select AE CCNA Security V1.1 ASA5505 SBA
    Do not enable any other labs for this class.
  • Change the Console Password to ciscoconpass
  • Change the Enable Password to cisco12345
If your MAP with ASA pod has an ASA 5510:
  • In the Global Labs section of the class settings, select AE CCNA Security V1.1 ASA5510
    Do not enable any other labs for this class.
  • Change the Console Password to ciscoconpass
  • Change the Enable Password to cisco12345

The pod types listed are also available for "pod-only" reservations. To enable pod-only reservations, select the check boxes for the following options in the class settings that are appropriate for the pods available on your system:

  • "Multi-Purpose Academy Pod with ASA (no labs)" (provides access to the MAP pod with ASA only)
  • "Multi-Purpose Academy Pod (no labs)" (provides access to the MAP pod only)
  • "AE CCNA Pod Reservations (no labs)" (provides access to CRP, BRP2 and LSP pods)

"Pod-only" reservations are not tied to specific lab exercises. Therefore, the pod will be configured using the default network configuration and will not be properly configured to complete CCNA Security labs.

More information is available in the Enable Multi-Purpose Academy Pod Exercises section of the Multi-purpose Academy Pod Planning and Installation Guide.

Using the Labs

Always select the correct lab exercise for the lab being performed. Students or teams should schedule the correct lab exercise from the catalog. NETLAB+ will only show those labs for which the required pod type is available. A lab that works on different pod types may appear more than once if your system is so equipped. Instructors should select the correct lab from the Exercise tab during instructor-led lab reservations. This can be done as many times as needed during the reservation.

Importance of Choosing the Correct Lab Exercise

Several of the labs may differ from the standard pod topologies. This is handled by NETLAB+ Dynamic VLAN Mapping technology. Always select the correct lab exercise for the actual lab. This ensures that NETLAB+ will set up VLANs on the control switch such that lab devices and PCs are placed in the correct LAN segment for the exercise being performed. Selecting the correct exercise will also make the completed lab output easier to find in the archive.

NETLAB+ will configure the routers and switches with initial configuration files that include basic IP connectivity. Please verify this configuration by pinging the network interfaces before starting the lab exercise.

Requirements

Adaptive Security Appliance (ASA) Requirements

The ASA is required in order to complete 8 of the labs (Ch. 10, labs A, B, C, D, E, F, G and H) as noted in the pod compatibility table above. These 8 labs are the only CCNA Security labs that require the ASA. You will use either Labs A-D or Labs E-H, depending on the ASA model you install on your MAP w/ASA.

Four of the labs requiring the ASA, Ch.10 labs A, B, C and D are supported using the ASA 5505.

The other four labs requiring the ASA, Ch.10 labs E, F, G and H are supported using the ASA 5510.

Please refer to the Multi-purpose Academy Pod with ASA page for details on implementation.

| Device | Recommended Model(s) | Minimum DRAM | Minimum Flash | Recommended IOS Feature Set |
| --- | --- | --- | --- | --- |
| ASA | Cisco 5505 Adaptive Security Appliance (ASA) | 512 MB | 128 MB | Cisco (ASA) Software Version 8.4(2), Base License, Cisco ASDM Version 6.4(5) |
| ASA | Cisco 5510 Adaptive Security Appliance (ASA) | 1 GB | 256 MB | Cisco (ASA) Software Version 8.4(2), Base License, Cisco ASDM Version 6.4(5) |

Required Software List

Cisco Configuration Professional (CCP)
Purpose: CCP is installed in the PCs.
Supported Microsoft Windows O/S:
  • Windows 7
  • Windows Vista: Business Edition and Ultimate Edition
  • Windows XP with SP2 and higher
Minimum 1GB of RAM for all OSs.
When using CCP:
  • The web browser needs Sun JRE 1.5.0_11 up to 1.6.0_16 and Adobe Flash Player Version 10.0.12.36 and later.
  • The recommended screen size for the virtual PCs is 1024 x 768.
  • Visit www.cisco.com for more information.
Known working platform:
  • Windows XP Pro with SP2
  • 1GB of RAM
  • Java 6 Update 35 - jre-6u35-windows-i586.exe
  • Adobe Flash Player 10.3 - flashplayer10_3r183.23_winax.exe from fp_10.3.183.23_archive.zip
Known not to work with:
  • Java 7
  • Adobe Flash Player 11

Kiwi Syslog
Purpose: This software will be used as the syslog server.
Supported O/S:
  • Windows 98 or later
  • x86-based Linux distributions with GTK+ 2.0 (or higher) and glibc-2.3 (or higher)
Comments / Links: www.kiwisyslog.com

Wireshark
Purpose: This software will be used as the sniffer and packet analyzer.
Requirements: Windows/Linux
Comments / Links: www.wireshark.org

WinRadius
Purpose: WinRadius is a standard RADIUS server for network authentication and accounting.
Requirements: Windows/Linux
Comments / Links: http://winradius.eu

NMAP
Purpose: This software is used to test the lab configuration.
Requirements: Windows/Linux
Comments / Links: www.insecure.org

Cisco VPN Client
Purpose: This software is used to build a VPN.
Comments / Links: www.cisco.com

Tera Term Pro V2.3
Purpose: Software terminal emulator for Windows.
Comments / Links: www.ayera.com/teraterm/

TFTP32
Purpose: DHCP, TFTP, SMTP, Syslog servers, and TFTP client.
Comments / Links: tftpd32.jounin.net.com

IOS-Sxxx-CLI.pkg
Purpose: This file is used with the Chapter 5 lab.
Comments / Links: To obtain instructions on the file version and how to download, please read the Chapter 5 Lab.

realm-cisco.pub.key.txt
Purpose: This file is used with the Chapter 5 lab.
Comments / Links: To obtain instructions on the file version and how to download, please read the Chapter 5 Lab.

PuTTY SSH Client
Purpose: Used as an SSH Client
Requirements: Windows/Linux
Comments / Links: www.chiark.greenend.org.uk/~sgtatham/putty/