L03 - Introduction to Network Security For Classroom Use Only!

Page 1: For Classroom Use Only! - TRCAutomation.Solutions...Cisco ASDM-IDM Launcher v7.6.2 Firefox About this lab This lab is written to introduce the different features and benefits that
Important User Information

This documentation, whether illustrative, printed, “online” or electronic (hereinafter “Documentation”) is intended for use only as a learning aid when using Rockwell Automation approved demonstration hardware, software and firmware. The Documentation should only be used as a learning tool by qualified professionals. The variety of uses for the hardware, software and firmware (hereinafter “Products”) described in this Documentation, mandates that those responsible for the application and use of those Products must satisfy themselves that all necessary steps have been taken to ensure that each application and actual use meets all performance and safety requirements, including any applicable laws, regulations, codes and standards in addition to any applicable technical documents. In no event will Rockwell Automation, Inc., or any of its affiliate or subsidiary companies (hereinafter “Rockwell Automation”) be responsible or liable for any indirect or consequential damages resulting from the use or application of the Products described in this Documentation. Rockwell Automation does not assume responsibility or liability for damages of any kind based on the alleged use of, or reliance on, this Documentation. No patent liability is assumed by Rockwell Automation with respect to use of information, circuits, equipment, or software described in the Documentation.

Except as specifically agreed in writing as part of a maintenance or support contract, equipment users are responsible for:

• properly using, calibrating, operating, monitoring and maintaining all Products consistent with all Rockwell Automation or third-party provided instructions, warnings, recommendations and documentation;

• ensuring that only properly trained personnel use, operate and maintain the Products at all times;

• staying informed of all Product updates and alerts and implementing all updates and fixes; and

• all other factors affecting the Products that are outside of the direct control of Rockwell Automation.

Reproduction of the contents of the Documentation, in whole or in part, without written permission of Rockwell Automation is prohibited. Throughout this manual we use the following notes to make you aware of safety considerations:

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which may lead to personal injury or death, property damage, or economic loss.

IMPORTANT: Identifies information that is critical for successful application and understanding of the product.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property damage, or economic loss. Attentions help you:

• identify a hazard

• avoid a hazard

• recognize the consequence

SHOCK HAZARD: Labels may be located on or inside the drive to alert people that dangerous voltage may be present.

BURN HAZARD: Labels may be located on or inside the drive to alert people that surfaces may be dangerous temperatures.


Introduction to Network Security

Contents

Before you begin ........................................................................................................................................... 5

Lab Network Hardware ..................................................................................................................................................................... 5

About this lab .................................................................................................................................................................................... 5

Lab 1 ............................................................................................................................................................. 6

Lab 1 Network Layout ....................................................................................................................................................................... 6

About this lab .................................................................................................................................................................................... 7

Lab 1 Steps ....................................................................................................................................................................................... 7

Certificates and encryption, benefits of cryptographic firmware (5 Minutes) .................................................................................... 7

Lab 2 ........................................................................................................................................................... 15

Lab 2 Network Layout ..................................................................................................................................................................... 15

About this lab .................................................................................................................................................................................. 15

Lab 2 Steps ..................................................................................................................................................................................... 16

Port Security (10 Minutes) .............................................................................................................................................................. 16

Lab 3 ........................................................................................................................................................... 24

Lab 3 Network Layout ..................................................................................................................................................................... 24

About this lab .................................................................................................................................................................................. 25

Lab 3 Steps ..................................................................................................................................................................................... 25

Stratix 5950 Access Control Lists (ACL) (15 Minutes) .................................................................................................................... 25

Lab 4 ........................................................................................................................................................... 31

About this lab .................................................................................................................................................................................. 32

Lab 4 Steps ..................................................................................................................................................................................... 32

Lab 5 ........................................................................................................................................................... 38

Lab 5 Network Layout – Same as Lab 4 ......................................................................................................................................... 38

About this lab .................................................................................................................................................................................. 39

Lab 5 Steps ..................................................................................................................................................................................... 39

Following “Policy 1.a” (5 Minutes) ................................................................................................................................................... 39


Instructor only – Lab Reset ......................................................................................................................... 43

Network Layout – Start of lab .......................................................................................................................................................... 43

Device IP address assignment ....................................................................................................................................................... 44

README ......................................................................................................................................................................................... 44

Restore Stratix 5950 Access Rules ................................................................................................................................................ 44

Reset Port Security Settings on Stratix 5400 .................................................................................................................................. 47

Restart the VM ................................................................................................................................................................................ 50

Instructor Only – Lab Setup ........................................................................................................................ 50

Tools & prerequisites ...................................................................................................................................................................... 50

Network Layout – Start of lab (Wait to connect cables till end of setup) ........................................................................... 51

Device IP address assignment ....................................................................................................................................................... 51

README ......................................................................................................................................................................................... 52

Prepare Stratix 5400 for the lab ...................................................................................................................................................... 52

Prepare Stratix 5700 for the lab ...................................................................................................................................................... 55

Prepare Stratix 5950 for the lab ...................................................................................................................................................... 57

5950 FirePOWER Restore .............................................................................................................................................................. 62

Prepare 1756-L73 for the lab .......................................................................................................................................................... 65

Prepare 1769-L24ER for the lab ..................................................................................................................................................... 65


Before you begin

Lab Network Hardware

The lab network consists of the following hardware:

• Stratix 5700

• Stratix 5400

• Stratix 5950

• Stratix 5900

• Stratix 2000

• 1756 ControlLogix Chassis

• 1756-L73 v30.012

• 1756-EN2T

• 1769-L24ER-QB1B v30.012

The lab employs the following software:

• Windows 10

• RSLinx Classic v3.90

• Studio 5000 v30

• FactoryTalk View Site Edition Client v9.00

• Cisco ASDM-IDM Launcher v7.6.2

• Firefox

About this lab

This lab is written to introduce the different features and benefits that Rockwell Automation EtherNet/IP products offer to harden EtherNet/IP networks. This lab will focus on managed Stratix switches along with the Stratix 5950 Security Appliance to provide network security to the lab network. There will be 5 labs to complete and accompanying each lab will be a short discussion by the lab proctor.


Lab 1

Lab 1 Network Layout

(Network diagram. Addresses shown: 192.168.1.254, 192.168.1.69 (1769-L24), 192.168.1.149, 192.168.1.1 (Stratix 5400), 192.168.1.2 (Stratix 5700), 192.168.1.56 (1756-EN2T).)


About this lab

In this lab we will be exploring a standard security feature offered by Stratix managed switches: certificates. Some people may notice that when using the Stratix Device Manager a warning appears stating that the site is not secure. That warning comes from the certificate the switch presents when its web page is opened over HTTPS. The lab will explore what a certificate is, how to view it and why Firefox considers the Stratix web page not secure.

Lab 1 Steps

Certificates and encryption, benefits of cryptographic firmware (5 Minutes)

1. From the Desktop, double click the Firefox icon

2. On the top toolbar click the Stratix 5400 bookmark. This attempts to connect to the secure (HTTPS) address of the Stratix 5400 switch at 192.168.1.1

3. Read the message that is shown stating that the connection is not secure

Each web browser presents this information differently but all relay the same important message


4. In the top left corner near the URL, click on the Information button as shown

5. Click on the arrow next to the message 192.168.1.1 Connection is Not Secure

6. Read the message that is displayed, this defines what the Connection is Not Secure warning actually means

7. Click the Advanced button below the Your connection is not secure warning


8. Review the items that are presented in the Advanced section

The three items of interest are:

• 192.168.1.1 uses an invalid security certificate

• The certificate is not trusted because it is self-signed

• The certificate is not valid for the name 192.168.1.1

The last two are independent failures. A self-signed certificate has no issuer the browser trusts, so nothing vouches for the identity of the switch. The name failure means the certificate does not list 192.168.1.1 in its Subject Alternative Name; even a CA-issued certificate would fail this check unless it had been issued for that address.

9. Click Add Exception…


10. Click View

11. Under the General tab review the basic information of the certificate provided by the switch

The certificate information is provided when accessing web sites and URLs that begin with HTTPS (Hyper Text Transfer Protocol Secure). We will be discussing the differences between traditional HTTP and HTTPS after this lab as well as the items we see on this screen. If desired, review the Details tab; this is an optional step.


12. Click Close

13. Click Confirm Security Exception at the bottom

This adds an exception to gain access to the Device Manager. This should only be done for trusted devices: the exception tells Firefox to accept this particular certificate for 192.168.1.1, so compare the fingerprint shown under the Details tab with the one obtained from the switch itself by another route (for example its console) before confirming. If the switch later presents a different certificate, the warning returns.


14. You will now be presented with the Stratix 5400 switch login page. Notice now at the top near the URL there is a lock with a yellow warning sign

This indicates that you have added an exception for this site. The connection to the Device Manager is encrypted, but the identity of the switch has not been verified by a trusted Certificate Authority; Firefox is relying on the exception you just confirmed.

15. Click on the Proper HTTPS bookmark at the top of the page

This navigates to https://rockwellautomation.custhelp.com

16. Notice the green lock located next to the URL then click on the information icon

17. Notice that this web page indicates there is a Secure Connection, click on the Arrow


18. Click More Information

19. Click View Certificate


20. Review the information provided from this certificate

This certificate is issued by a trusted Certificate Authority, in this case Symantec Corporation. Firefox trusts it because the certificate chains to a root CA in its trust store and the name in the certificate matches the site; this is why the connection is considered secure, safe, or trusted

21. Close the windows using the X in the top right of the window and leave Firefox open for the next lab (you can minimize Firefox).

22. This concludes lab 1; Please stop here and await the lab 1 discussion prior to moving to lab 2
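The checks Firefox performs in steps 8 and 20 can be reproduced outside the browser. The following Python is an added example for this lab and is not code from the manual or from Rockwell Automation. It uses two constructed certificates in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns: a stand-in for the IOS self-signed certificate on the Stratix 5400 (the IOS-Self-Signed-Certificate common name, the dates and the absence of a Subject Alternative Name are illustrative) and a stand-in for the CA-issued support-site certificate (the "Example Issuing CA" issuer and the dates are assumptions). The trust store is a set of issuer names rather than a real chain verification, and LAB_TIME is an assumed clock.

```python
"""The checks behind Firefox's "Your connection is not secure" page.

Added example for this lab (not the manual's or Rockwell Automation's code).
Both certificates below are constructed in the getpeercert() dict layout.
"""
import ipaddress
import ssl
import time


def is_self_signed(cert):
    # A self-signed certificate names itself as its own issuer.
    return cert["subject"] == cert["issuer"]


def issuer_is_trusted(cert, trust_store):
    # A browser verifies the signature chain up to a root in its store; this
    # toy store only records which issuer names we are willing to trust.
    return cert["issuer"] in trust_store


def name_matches(cert, host):
    """True if the certificate covers `host`.

    An IP literal must appear as an iPAddress entry in the Subject Alternative
    Name; a DNS name must match a dNSName entry, with a single-label wildcard
    allowed (RFC 6125). There is deliberately no fallback to the Common Name.
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    host = host.lower()
    for kind, value in san:
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        if (value.startswith("*.") and value.count(".") == host.count(".")
                and host.endswith(value[1:])):
            return True
    return False


def validity_problem(cert, now):
    # getpeercert() dates look like "Mar 10 00:00:00 2017 GMT".
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return None


def browser_warnings(cert, host, trust_store, now=None):
    """Return the reasons a browser would warn about `cert` for `host`.

    An empty list means a plain lock icon. Each entry is an independent
    failure, which is why the Stratix page lists several at once.
    """
    now = time.time() if now is None else now
    problems = []
    if is_self_signed(cert):
        problems.append("The certificate is not trusted because it is self-signed")
    elif not issuer_is_trusted(cert, trust_store):
        problems.append("The certificate issuer is not in the trust store")
    if not name_matches(cert, host):
        problems.append(f"The certificate is not valid for the name {host}")
    problem = validity_problem(cert, now)
    if problem:
        problems.append(f"The certificate is {problem}")
    return problems


# Constructed stand-in for the switch's IOS self-signed certificate: issuer
# equals subject and there is no Subject Alternative Name at all.
STRATIX_SELF_SIGNED = {
    "subject": ((("commonName", "IOS-Self-Signed-Certificate-0000000001"),),),
    "issuer": ((("commonName", "IOS-Self-Signed-Certificate-0000000001"),),),
    "notBefore": "Mar 10 00:00:00 2017 GMT",
    "notAfter": "Jan 10 00:00:00 2030 GMT",
}

# Constructed stand-in for the CA-issued support-site certificate.
SUPPORT_SITE_CERT = {
    "subject": ((("commonName", "rockwellautomation.custhelp.com"),),),
    "issuer": ((("organizationName", "Symantec Corporation"),),
               (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "rockwellautomation.custhelp.com"),),
    "notBefore": "Mar 10 00:00:00 2017 GMT",
    "notAfter": "Jan 10 00:00:00 2030 GMT",
}

TRUST_STORE = {SUPPORT_SITE_CERT["issuer"]}
LAB_TIME = ssl.cert_time_to_seconds("Jun 15 12:00:00 2018 GMT")  # assumed clock

if __name__ == "__main__":
    for host, cert in (("192.168.1.1", STRATIX_SELF_SIGNED),
                       ("rockwellautomation.custhelp.com", SUPPORT_SITE_CERT)):
        print(host, "->", browser_warnings(cert, host, TRUST_STORE, LAB_TIME) or ["secure"])
```

Run against the switch stand-in, browser_warnings() returns exactly the two messages from step 8 (self-signed, and not valid for 192.168.1.1); against the support-site stand-in it returns nothing, matching the green lock of step 16. Swapping the host shows that a CA-issued certificate for the wrong name still fails, which is the point of the name check.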


Lab 2

Lab 2 Network Layout

(Network diagram, same addresses as Lab 1: 192.168.1.254, 192.168.1.1 (Stratix 5400), 192.168.1.2 (Stratix 5700), 192.168.1.69 (1769-L24), 192.168.1.149, 192.168.1.56 (1756-EN2T).)

About this lab

In this lab we will be connecting our newly purchased 1769-L24 as part of our machine commissioning process. During this connection process we will be exploring a security feature in the Stratix managed switches called port security. This is just one of the many network security features that the Stratix managed switches offer to secure the network and increase the overall security posture of the network.


Lab 2 Steps

Port Security (10 Minutes)

1. Open RSLinx Classic from the desktop

2. Click on the RSWho button

3. Click the ( + ) next to the driver named NETSEC-Lab

4. RSLinx Classic should see the following devices:

• 192.168.1.1 – Stratix 5400

• 192.168.1.2 – Stratix 5700

• 192.168.1.56 – 1756-EN2T

Devices not seen should appear with a Red X or Yellow ?

5. From the taskbar maximize the NETSEC_HMI by clicking on the shown graphic:

We’ve already opened the NETSEC_HMI from the desktop, you just need to bring it to focus in Windows

6. Login to the HMI with the following credentials:

• Username: labuser

• Password: rockwell


The initial HMI screen monitors the status of the network from the 1756-L73 controller. Any network issues are indicated with a flashing Black/Red connection and a graphic over the device that is not connecting to the 1756-L73

7. The HMI screen indicates a connection issue between the 1769-L24 and the 1756-L73

Since the device is still disconnected, the connection cannot establish

8. Connect the cable from the 1769-L24 to the Stratix 2000 unmanaged switch using any port (shown below)


9. Return to the HMI with the network monitoring display. Take note that a connection issue is still present but there is also an additional message on the display.

This message comes from the Stratix Add-On Instruction running in the controller, which reads the switch's status and reports that an unauthorized device is connected to the switch. We need to confirm whether this is a true security concern or just the device we are commissioning.

10. Move the mouse over the picture of the Stratix 5400 and click on it

This launches the Stratix 5400 diagnostic faceplate


11. From the display of the faceplate we can see that there is a fault or alarm on port 4

12. Click on the Alarms tab at the top


13. Click on Page 2 at the top then click the right or left arrows shown in the red box below to select Gi 1/4 as shown below

The bottom of the faceplate indicates which ports are currently reporting faults; you may not see the Link Fault alarm

14. Review the list of Port Alarms to confirm that Port 4 is causing the alarm; note that you may not see the Link Fault alarm

The faceplate tells us exactly what we suspected: port 4 has an unauthorized device connected to it, reported as a port security violation. We know that we just connected our 1769-L24 to the Stratix 2000, which is connected to port 4 of the Stratix 5400. Port 4 of the Stratix 5400 must not be allowing enough MAC addresses for the devices behind the unmanaged switch.


15. Maximize Firefox from the taskbar

16. Click the Stratix 5400 bookmark at the top in the bookmark bar

17. Log into the switch using rockwell for the username and password

18. From the top menu go to Monitor > Syslog

The Syslog logs a variety of messages from the switch, ranging from critical alarms to informational and debugging messages. The switch only keeps a limited buffer of these, so outside the lab they should also be forwarded to a central syslog server.


19. Take note of the current messages that are appearing at the bottom of the syslog; if needed resize the Description column

Your message will read similarly; the MAC address displayed will vary:

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address ABCD.ABCD.ABCD on port GigabitEthernet1/4

Because we are using the Automation Device smartport we are limiting the number of MAC addresses allowed through this particular port. We didn't consider that we would be using an unmanaged switch on this port with multiple devices behind it, so the 1769-L24 is one MAC address more than the port allows

20. On the Stratix Device Manager go to Configure > Port Security


21. Select port Gi1/4 and select Edit

22. Change the Maximum MAC Count Allowed from 2 to 3 then click OK

Raise the limit only to the number of devices you expect behind the port. The value of port security is that an unexpected device trips a violation instead of quietly joining the network; a generous limit gives that away.

23. Maximize the HMI from the task bar

24. Verify that the !!!!Unauthorized device detected!!!! message is no longer present and the alarms page lists no Port Alarms (this may take a moment)

You will also notice that the HMI is reporting that a connection problem still persists for the 1769-L24

25. This concludes lab 2; Please stop here and await the lab 2 discussion prior to moving to lab 3
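The behaviour seen in steps 9 through 22 (two devices already behind the Stratix 2000, a third MAC address arriving on Gi1/4, the violation being logged, and the alarm clearing once the limit is raised) is modelled in the following Python. This is an added example for this lab, not code from the manual, Rockwell Automation or Cisco. The MAC addresses are made up; the syslog text follows the %PORT_SECURITY-2-PSECURE_VIOLATION message quoted in step 19. The violation mode defaults to "restrict" (drop the extra frames and log), an assumption consistent with the lab's outcome of the alarm clearing after the limit change without the port being re-enabled; "shutdown" mode, which err-disables the port, is also modelled so the difference is visible.

```python
"""Port security on Gi1/4 of the Stratix 5400 and the syslog line it produces.

Added example for this lab (not the manual's, Rockwell Automation's or Cisco's
code). MAC addresses are constructed; the violation mode is an assumption.
"""
import re

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+)",
    re.IGNORECASE,
)


def parse_violation(line):
    """Return {'mac': ..., 'port': ...} for a PSECURE_VIOLATION line, else None."""
    match = VIOLATION_RE.search(line)
    return match.groupdict() if match else None


class SecurePort:
    """A port-security-enabled access port with a maximum MAC count."""

    def __init__(self, name, max_macs, mode="restrict"):
        self.name = name
        self.max_macs = max_macs
        self.mode = mode            # "restrict" (drop and log) or "shutdown"
        self.learned = []           # dynamically learned secure addresses
        self.err_disabled = False
        self.syslog = []

    def frame_from(self, mac):
        """Handle one ingress frame; returns 'forwarded' or 'dropped'."""
        mac = mac.lower()
        if self.err_disabled:
            return "dropped"
        if mac in self.learned:
            return "forwarded"
        if len(self.learned) < self.max_macs:
            self.learned.append(mac)      # room left: learn it as a secure MAC
            return "forwarded"
        # One address too many: log the violation, then act according to the mode.
        self.syslog.append(
            "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {mac} on port {self.name}")
        if self.mode == "shutdown":
            self.err_disabled = True      # port stays down until an operator recovers it
        return "dropped"


# Constructed addresses: two devices already behind the Stratix 2000 on Gi1/4
# plus the 1769-L24 being commissioned. The unmanaged switch itself adds no MAC.
EXISTING_MACS = ["0001.0000.0a01", "0001.0000.0a02"]
NEW_L24_MAC = "0001.0000.0a45"


def commission_l24(max_macs):
    """Replay Lab 2 with a given limit: returns (verdict for the L24 frame, syslog)."""
    port = SecurePort("GigabitEthernet1/4", max_macs)
    for mac in EXISTING_MACS:
        port.frame_from(mac)
    verdict = port.frame_from(NEW_L24_MAC)
    return verdict, port.syslog


def triage(violation, inventory):
    """Is the offending MAC the device we are installing, or an unknown one?"""
    return "expected" if violation["mac"] in inventory else "unknown"


if __name__ == "__main__":
    verdict, log = commission_l24(2)
    print("max 2:", verdict, log)
    print("triage:", triage(parse_violation(log[0]), {NEW_L24_MAC}))
    print("max 3:", commission_l24(3))
```

With the limit at 2 the third address is dropped and one violation line is logged; with the limit at 3 it is learned and nothing is logged. triage() is the check step 9 asks for: the MAC from the syslog line is compared against the commissioning inventory before the limit is raised, so an address that is not the new 1769-L24 is treated as a real concern rather than silently allowed.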


Lab 3

Lab 3 Network Layout

(Network diagram, same addresses as Lab 1: 192.168.1.254, 192.168.1.69 (1769-L24), 192.168.1.149, 192.168.1.1 (Stratix 5400), 192.168.1.2 (Stratix 5700), 192.168.1.56 (1756-EN2T).)


About this lab

In this lab we will be reviewing the firewall portion of the Stratix 5950 configuration. The firewall can be configured to block many types of traffic and provide a strong security boundary between the inside and outside networks. We will be ensuring that the proper traffic flows are permitted through the firewall to complete the commissioning of our new machine.

Lab 3 Steps

Stratix 5950 Access Control Lists (ACL) (15 Minutes)

1. Maximize RSLinx Classic from the task bar

2. Verify that RSLinx Classic can now see all four devices

Recall that in Lab 2 RSLinx Classic could not connect to the 1769-L24

The Engineering PC now has good communication to both the 1756-EN2T (1756-L73) and the 1769-L24. However, if we review the HMI screen, a connection issue is still reported between the 1769-L24 and the 1756-L73 controller. We verified this at the end of the last lab, but if you would like to, return to the HMI and verify the communication issue again.

3. From the desktop, double click the Cisco ASDM-IDM Launcher

4. On the login screen for the Cisco ASDM-IDM Launcher enter rockwell for the password


5. Click Continue for both of the certificate warnings that appear (this may take a few moments). These are the same kind of warning seen in Lab 1: the management interface of the Stratix 5950 presents a certificate that the ASDM launcher cannot verify against a trusted Certificate Authority.

6. At the bottom right of the Home page, click on the maximize button for the latest ASDM Syslog Messages


7. Review the log messages, specifically the messages that appear in yellow. If needed click the red Stop button on the right to stop messages from scrolling

Look for messages with a Source IP of 192.168.1.56 and a Destination IP of 192.168.1.69

The firewall log is informing us that a connection from 192.168.1.56 to 192.168.1.69 is being blocked. These addresses correspond to our 1756-L73 and our 1769-L24 controllers. This is likely why our HMI is still reporting a connection problem: the controller-to-controller traffic is being dropped by the firewall.

8. Click Configuration at the top of the Cisco ASDM

9. In the bottom left, click Firewall

10. Click on the second rule on the inside1 interface and click Edit


11. Click the button to the right of Destination under Destination Criteria

12. Double click on the 1769-L24 network object as highlighted below, verify that the entry was added to the Destination -> section then click OK


13. Click OK on the Edit Access Rule page

14. Click Apply at the bottom of the Firewall Access Rules page

15. Maximize the HMI from the taskbar

16. The HMI should no longer indicate that the 1769-L24 is experiencing connection issues

That's great! But what did we do? The Stratix 5950 was pre-configured for our lab to have Network Objects (logical names for IP addresses) and Service Objects (logical names for protocol and source/destination port pairs). We added our 1769-L24 controller to the destination of a pre-existing rule in the Firewall. This pre-existing rule allows TCP CIP connections from the inside to pass through the Firewall to whatever devices we specify in the destination field; traffic that matches no rule is dropped by the implicit deny at the end of the rule list. We will discuss this more at the end of the lab.


17. From the desktop open the Command Prompt

18. In the Command Prompt enter the following command:

• ping 192.168.1.56

19. Take note of the results. If time permits, review the Stratix 5950 Firewall rules to determine why the ping failed: look for a rule that would permit ICMP from the Engineering PC to the 1756-L73, and compare it with the TCP CIP rule we just edited. You can also spend time trying other methods to access the 1756-L73, such as HTTP.

20. This concludes lab 3; Please stop here and await the lab 3 discussion prior to moving to lab 4
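The rule mechanics behind steps 7 through 19 (network objects, service objects, first-match evaluation and the implicit deny that also explains the failed ping) are shown in the following Python. This is an added example for this lab; it is not the manual's, Rockwell Automation's or Cisco's code. The object names 1756-L73 and 1769-L24 and their addresses come from the lab. Everything else is assumed for illustration: the Engineering PC at 192.168.1.149, the contents and order of the two rules on inside1, and TCP 44818 (EtherNet/IP explicit messaging) as the port behind the lab's "TCP CIP" service object.

```python
"""First-match evaluation of the Stratix 5950 (ASA) access rules from Lab 3.

Added example for this lab (not the manual's, Rockwell Automation's or Cisco's
code). Rule contents, the PC address and the CIP port are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network objects: logical names for addresses.
NETWORK_OBJECTS = {
    "1756-L73": ipaddress.ip_network("192.168.1.56/32"),
    "1769-L24": ipaddress.ip_network("192.168.1.69/32"),
    "Engineering-PC": ipaddress.ip_network("192.168.1.149/32"),   # assumed
    "inside-net": ipaddress.ip_network("192.168.1.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}

# Service objects: logical names for protocol/port pairs.
SERVICE_OBJECTS = {
    "cip-tcp": ("tcp", 44818),   # assumed port for the lab's "TCP CIP" object
    "http": ("tcp", 80),
    "icmp-echo": ("icmp", None),
}


@dataclass
class Rule:
    action: str             # "permit" or "deny"
    sources: list
    destinations: list
    services: list
    hits: int = 0           # ASDM shows a hit count per rule


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _matches(rule, flow):
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if not any(src in NETWORK_OBJECTS[name] for name in rule.sources):
        return False
    if not any(dst in NETWORK_OBJECTS[name] for name in rule.destinations):
        return False
    for name in rule.services:
        proto, port = SERVICE_OBJECTS[name]
        if proto == flow.proto and (port is None or port == flow.dport):
            return True
    return False


def evaluate(rules, flow):
    """Return (action, index of the matching rule or None).

    ASA semantics: the first matching rule wins, and a flow that matches no
    rule hits the implicit deny at the end of the list. Replies to a permitted
    connection need no rule of their own because the ASA is stateful.
    """
    for index, rule in enumerate(rules):
        if _matches(rule, flow):
            rule.hits += 1
            return rule.action, index
    return "deny", None


def inside1_rules(l24_added):
    """The two inside1 rules before and after step 12 of Lab 3 (constructed)."""
    cip_destinations = ["Engineering-PC"] + (["1769-L24"] if l24_added else [])
    return [
        Rule("permit", ["Engineering-PC"], ["any"], ["cip-tcp"]),
        Rule("permit", ["inside-net"], cip_destinations, ["cip-tcp"]),
    ]


L73_TO_L24 = Flow("192.168.1.56", "192.168.1.69", "tcp", 44818)   # the blocked flow in step 7
PC_PING_L73 = Flow("192.168.1.149", "192.168.1.56", "icmp")       # the ping in step 18
PC_HTTP_L73 = Flow("192.168.1.149", "192.168.1.56", "tcp", 80)    # "try HTTP" in step 19

if __name__ == "__main__":
    for added in (False, True):
        rules = inside1_rules(added)
        print("1769-L24 in destination:", added)
        for flow in (L73_TO_L24, PC_PING_L73, PC_HTTP_L73):
            print("  ", flow, "->", evaluate(rules, flow))
```

Before the edit the controller-to-controller flow matches nothing and falls through to the implicit deny, which is what the yellow syslog lines in step 7 reported; after the 1769-L24 object is added it is permitted by the second rule. The ping and the HTTP attempt are denied in both cases because no rule covers ICMP or TCP 80 to the 1756-L73, which is the kind of reasoning step 19 asks for.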


Lab 4

Lab 4 Network Layout (Same as Lab 3)

(Network diagram, same addresses as Lab 3: 192.168.1.254, 192.168.1.69 (1769-L24), 192.168.1.149, 192.168.1.1 (Stratix 5400), 192.168.1.2 (Stratix 5700), 192.168.1.56 (1756-EN2T).)


About this lab

In this lab we will continue our commissioning process and make edits to our 1769-L24 controller that we are installing. We will be exploring the Deep Packet Inspection (DPI) configuration of the Stratix 5950 and what effect it is having on our CIP traffic. We will be using a combination of Studio 5000 and Cisco ASDM to complete the lab.

Lab 4 Steps

Deep Packet Inspection (DPI) using the Stratix 5950 (15 Minutes)

1. From the desktop, open Studio 5000

2. Under the Recent Projects click on NETSEC_L73_v30

As part of our commissioning process we need to download a new program to our 1756-L73 ControlLogix controller


3. At the top, click on the Communications menu then select Download

You’ll notice an error message appear stating that Studio 5000 can no longer communicate with RSLinx and that Logix Designer has been taken offline.

All we did is download to the controller… why would we lose connection with our controller? Let’s investigate...

4. Click OK for both errors

5. Maximize ASDM from the task bar

6. In the top of ASDM click on Monitoring

7. In the bottom left of the ASDM window click on ASA FirePOWER Monitoring

8. On the left side click on Real Time Eventing


9. In the center of the ASDM window, events should be shown; move your mouse over one and select View Details

10. Review the items on the page; the details of this event contain a wealth of information. For our purposes of commissioning this machine we want to look under the Policy details. These details inform us as to what Policy and Rule blocked us from downloading to the controller

We now know what Policy and Rule blocked us; now we need to go ahead and review how this is configured to ensure it is correct

11. At the top of the ASDM window click on Configuration

12. In the bottom left of the ASDM window click on ASA FirePOWER Configuration


13. On the left, expand Policies using the ( + ) button and click Access Control Policy

14. Under the Access Control Policy (ACP) list, click on the pencil on the right hand side for the Block PAC Changes ACP

15. Under the Standard Rules heading click the pencil on the right side for Rule Policy 1.a to 1756-L73

16. Click on the Networks tab and review the options presented

This is where the Source and Destination networks are defined for our DPI policies and rules. Notice we are using this rule for any source network and just the 1756-L73 as the destination network


17. Once done reviewing the Networks tab, click on the Applications tab

18. On the Applications tab we configure specific applications that we want to block

Note: It may take a moment to load the Application Filters

19. In the Application Filters search box, type cip, which will return the results that are specific to the Common Industrial Protocol (CIP).

The below screenshot calls out the available application filters for CIP on the left side of the ASDM window. On the right side of the ASDM window we can review what filter we currently have selected, and at the top, for the action, we define what we want to happen for that specific application.


20. Click the checkbox next to CIP RA Admin and review the items that are included in the filter

To summarize what these items have shown, we are blocking all CIP RA Admin traffic from any outside network with a destination of the 1756-L73. Based on the name of the rule, Policy 1.a, we can assume there are rules and procedures in place to prevent remote downloading.
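The rule reviewed in steps 13 through 20 can be written down as a small policy evaluator, which makes the decision the Stratix 5950 took in step 3 easy to reason about. The following is an added example and is not code from the lab, from Rockwell or from Cisco. Only the policy name, the rule name, the network conditions (any source, destination 1756-L73), the application filter CIP RA Admin and the Block action are taken from the text above; the default action, the host-to-segment map (built from the cabling list in the lab reset section), the application name "CIP Read" and the sample flows are constructed. The example also models why the same download succeeds in Lab 5: traffic between two hosts that both sit behind the Stratix 5700 never passes through the Stratix 5950, so the policy is never applied to it.

```python
"""Model of the Lab 4 access-control decision on the Stratix 5950 (ASA FirePOWER).

Added example, not Rockwell or Cisco code. The rule shape comes from the lab
text: policy "Block PAC Changes", rule "Policy 1.a to 1756-L73", any source
network, destination 1756-L73 only, application filter "CIP RA Admin",
action Block. Everything else (the default action, the segment map, the
second application name and the sample flows) is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: str           # source IP address
    dst: str           # destination IP address
    application: str   # what DPI classifies the session as, e.g. "CIP RA Admin"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "Block" or "Allow"
    src_networks: tuple = (ANY,)
    dst_networks: tuple = (ANY,)
    applications: frozenset = frozenset()  # empty set = any application

    def matches(self, flow: Flow) -> bool:
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        return (any(src in net for net in self.src_networks)
                and any(dst in net for net in self.dst_networks)
                and (not self.applications or flow.application in self.applications))


@dataclass(frozen=True)
class AccessControlPolicy:
    name: str
    rules: tuple
    default_action: str = "Allow"   # constructed: the lab does not state the default

    def evaluate(self, flow: Flow) -> tuple:
        """First matching rule wins, as in an ordered rule list."""
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action, rule.name
        return self.default_action, "default action"


# The lab's policy. 192.168.1.56 is the 1756-EN2T that fronts the 1756-L73.
BLOCK_PAC_CHANGES = AccessControlPolicy(
    name="Block PAC Changes",
    rules=(
        Rule(name="Policy 1.a to 1756-L73", action="Block",
             dst_networks=(ip_network("192.168.1.56/32"),),
             applications=frozenset({"CIP RA Admin"})),
    ),
)

# Which side of the 5950 each host sits on, constructed from the cabling list
# in the lab-reset section: the PC hangs off the Stratix 2000/5400, the
# 1756-EN2T off the Stratix 5700, and the 5950 sits between the two switches.
LAB4_SEGMENTS = {
    "192.168.1.149": "enterprise",  # Computer
    "192.168.1.69": "enterprise",   # 1769-L24ER on the Stratix 2000
    "192.168.1.56": "cell",         # 1756-EN2T / 1756-L73
    "192.168.1.2": "cell",          # Stratix 5700
}
# Lab 5 moves the PC to port 16 of the Stratix 5700, i.e. into the cell.
LAB5_SEGMENTS = {**LAB4_SEGMENTS, "192.168.1.149": "cell"}


def decide(policy: AccessControlPolicy, flow: Flow, segments: dict) -> tuple:
    """Return (action, reason) for a flow.

    A DPI appliance can only enforce its policy on traffic that actually
    passes through it; a flow between two hosts in the same segment never
    reaches the 5950 and is therefore never inspected.
    """
    if segments[flow.src] == segments[flow.dst]:
        return "Allow", "not inspected: Stratix 5950 is not in the path"
    return policy.evaluate(flow)


if __name__ == "__main__":
    pc, l73 = "192.168.1.149", "192.168.1.56"
    # Lab 4: the download from the enterprise side is a CIP RA Admin session
    print(decide(BLOCK_PAC_CHANGES, Flow(pc, l73, "CIP RA Admin"), LAB4_SEGMENTS))
    # Same path, ordinary read traffic ("CIP Read" is a constructed name)
    print(decide(BLOCK_PAC_CHANGES, Flow(pc, l73, "CIP Read"), LAB4_SEGMENTS))
    # Lab 5: the PC is on the maintenance port of the Stratix 5700
    print(decide(BLOCK_PAC_CHANGES, Flow(pc, l73, "CIP RA Admin"), LAB5_SEGMENTS))
```

The point a reviewer of the real policy would take from this: the rule's "any source" condition is what makes it effective against remote downloads, but the appliance's position in the topology limits its reach to traffic that crosses it, which is exactly the gap that Policy 1.a closes with a procedural control (line of sight, local maintenance port) rather than another firewall rule.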

21. If time permits, explore the FirePOWER configuration using ASDM; otherwise close ASDM and, if prompted to save, click Save

22. This concludes lab 4; Please stop here and await the lab 4 discussion prior to moving to lab 5


Lab 5

Lab 5 Network Layout – Same as Lab 4

[Network diagram: devices at 192.168.1.254, 192.168.1.69, 192.168.1.149, 192.168.1.1, 192.168.1.2 and 192.168.1.56]


About this lab

In this lab we will be following a made-up policy called “Policy 1.a”. This policy was defined by your company’s security staff and is a part of the Policies and Procedures portion of the Defense-in-Depth strategy. “Policy 1.a” defines that in order to perform any administrative maintenance on a PLC program, the maintenance engineer must be connected to the local switch and have line of sight of the PLC in question. This policy was put in place to avoid remotely performing administrative actions on a PLC through the entirety of the enterprise or industrial network. We will be following the policy by opening a maintenance port on the local Stratix 5700 switch so that we can connect closer to the PLC by accessing the switch in the same cell.

Lab 5 Steps

Following “Policy 1.a” (5 Minutes)

1. Maximize the HMI from the task bar and login if needed

Username: labuser

Password: rockwell

2. Hover the mouse over the Stratix 5700, you will notice that it highlights. This is because the Stratix 5700

contains a button to open a new display

3. Attempt to click the button (click on the Stratix 5700)

Nothing should happen, we need to login prior to using this display. This display is reserved only for maintenance and we do not want all users to have access to it.


4. In the bottom right of the display click the Login button

5. In the login field, enter the following credentials

• User name: maint
• Password: rockwell

6. Once the Login/Logout process is completed, click the Stratix 5700 button again

The Maint display is opened, which will allow us to programmatically enable a port so we can download our new program to the 1756-L73

7. Click the Enable Maintenance Port button


8. Notice that two items change on the display:

The Stratix 5700 now has a green port with an M labeled on top of it, indicating it is now a maintenance port, and the button has changed status to Maintenance Port Enabled

9. We need to connect the PC into port 16 of the Stratix 5700 switch. Move the PC, connected to port 3 of the Stratix 2000, to port 16 of the Stratix 5700.

10. Maximize Studio 5000


11. At the top, click on the Communications menu then select Download

You’ll notice that this time we did not lose communication with the controller. This is because we are connected locally to the cell and have direct access to the controller via the Stratix 5700

12. Maximize RSLinx Classic and browse the NETSEC-Lab, Ethernet driver

Take note that two devices now appear with Red Xs. Why is that? Be prepared to answer this question in the following discussion.

15. This concludes lab 5; Please stop here and await the lab 5 discussion


Instructor only – Lab Reset

Network Layout – Start of lab

Stratix 5400 Port 1 Connects to Stratix 5950 Port 1

Stratix 5400 Port 3 Connects to Stratix 5950 Management (Mgmt)

Stratix 5400 Port 4 Connects to Stratix 2000

Stratix 2000 Port 3 Connects to Computer

Stratix 2000 Port 2 Is disconnected from 1769-L24

Stratix 5700 Port 1 Connects to 1756-EN2T

Stratix 5700 Port Gigabit 1 Connects to Stratix 5950 Port 2

[Network diagram: Stratix 5400, Stratix 5950, Stratix 5700, 1756-L73, Stratix 2000 and 1769-L24; addresses 192.168.1.254, 192.168.1.69, 192.168.1.149, 192.168.1.1, 192.168.1.2 and 192.168.1.56]


Device IP address assignment

Device              Assignment method         IP address
1756-EN2T           DHCP persistence          192.168.1.56
Stratix 5700        Static via config file    192.168.1.2
Stratix 5950 BVI    Static via config file    192.168.1.254
Stratix 5950 Mgmt   Static via lab setup      192.168.1.253
Stratix 5400        Static via config         192.168.1.1
Computer            Static via VM             192.168.1.149
1769-L24ER          Static via lab setup      192.168.1.69

README

For the beginning of each event and after each lab please perform the lab reset procedure. Only use the lab setup procedure IF AND ONLY IF a device does not respond at its configured IP address or other unforeseen issues occur. Prior to starting the below steps ensure that the cables are connected as shown above.

Disconnect Devices

1. Disconnect the 1769-L24 controller from the Stratix 2000

2. Move the PC’s Ethernet cable from the Stratix 5700 port 16 back to the Stratix 2000

Restore Stratix 5950 Access Rules

1. Open Cisco ASDM-IDM Launcher from the desktop

2. On the login screen for the Cisco ASDM-IDM Launcher enter rockwell for the password


3. Click Continue for both of the certificate warnings that may appear (This may take a few moments)

4. Click Tools → Restore Configurations

5. On the Restore Configurations menu click the Browse Local… button

6. Navigate to C:\Users\Labuser\Documents\Lab Files\Stratix 5950\Firewall Config, select NETSEC_5950_FW and click Select file


7. Click Next

8. On the next Restore Configurations screen, check the boxes for Running Configuration and Start-up configuration and click Restore

9. If an error appears relating to failover pair click Yes

10. Click Replace on the Running Configuration Restore screen


11. After a short time the Restore Progress will be complete. Sometimes this step gets stuck at 98%. If this happens it is OK to close the window; the restore should be successful

Reset Port Security Settings on Stratix 5400

1. Open Firefox from the desktop

2. On the top toolbar click the Stratix 5400 bookmark. This connects to the secure address of the Stratix 5400 switch at 192.168.1.1


3. Log into the switch using rockwell as the username and password

4. On the Stratix Device Manager go to Configure → Port Security

5. Select port Gi1/4 and select Edit

6. Uncheck the box for Enable and change the Maximum MAC Count Allowed from 3 to 2 then click OK


7. Select port Gi1/4 and select Edit

8. Click the Enable check box and click OK

9. Close Firefox

10. Disconnect the cable in port Gi1/4, wait a moment and reconnect the cable
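To show what the Maximum MAC Count Allowed setting enforces and why the reset above lowers it from 3 back to 2, here is an added example that models a port-security-enabled switch port. It is not code from the lab, from Rockwell or from the Stratix firmware. The port name Gi1/4 and the two limits come from the steps above; the MAC addresses are constructed, and the violation behaviour (the port stops forwarding until it is reset) and the assumption that disabling port security clears the learned addresses are this model's simplifications rather than documented switch behaviour.

```python
"""Model of a port-security-enabled switch port, as reset in the steps above.

Added example, not Rockwell or Cisco code. The only values taken from the lab
are the port name (Gi1/4) and the Maximum MAC Count Allowed of 3 before and 2
after the reset. The violation behaviour (the port stops forwarding until it
is reset) and the assumption that disabling port security clears the learned
address table are this model's simplifications, not documented switch behaviour.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_mac_count: int
    enabled: bool = True
    learned: list = field(default_factory=list)  # secure source MACs seen so far
    shut_down: bool = False                       # set after a violation
    violations: int = 0

    def ingress(self, mac: str) -> str:
        """Handle a frame with source address `mac`; return what the port did."""
        if self.shut_down:
            return "dropped: port shut down by an earlier violation"
        if not self.enabled or mac in self.learned:
            return "forwarded"
        if len(self.learned) < self.max_mac_count:
            self.learned.append(mac)
            return "forwarded: learned as secure address %d of %d" % (
                len(self.learned), self.max_mac_count)
        # One more source address than the port is allowed to carry.
        self.violations += 1
        self.shut_down = True
        return "violation: %s exceeds the %d allowed addresses" % (mac, self.max_mac_count)

    def reset(self, new_max_mac_count: int) -> None:
        """The lab-reset sequence: disable, change the limit, re-enable, flap the link."""
        self.enabled = False
        self.learned.clear()        # model assumption: disabling clears learned addresses
        self.max_mac_count = new_max_mac_count
        self.enabled = True
        self.shut_down = False      # model assumption: the cable pull/reconnect restores the port


def demo() -> dict:
    """Three constructed devices on Gi1/4 before and after the reset."""
    port = SecurePort("Gi1/4", max_mac_count=3)
    macs = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"]  # constructed
    before = [port.ingress(m) for m in macs]       # limit 3: all three are accepted
    port.reset(new_max_mac_count=2)
    after = [port.ingress(m) for m in macs]        # limit 2: the third device trips a violation
    return {"before": before, "after": after,
            "violations": port.violations, "shut_down": port.shut_down}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Read the "after" list against the "before" list: the same three devices are accepted with a limit of 3 and the third one is refused with a limit of 2, which is the state the lab expects the port to be in at the start of the next event.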


Restart the VM

Instructor Only – Lab Setup

Tools & prerequisites

• Software programs required
  • RSLinx Classic v3.90
  • Studio 5000 Logix Designer v30
  • Firefox
  • FactoryTalk View Site Edition Client
  • Cisco Adaptive Security Device Manager (ASDM)

• Hardware devices required
  • NET-SEC Demo Box
  • Stratix 5950 demo stand

• Files required
  • Stratix_5950_Lab Files
    • Config - NETSEC_5950_FW
    • FirePOWER - NETSEC_FP-2017-08-31T11-09-42.tgz
  • Stratix5700: Config.text
  • Stratix5400: Config.text


Network Layout – Start of lab (wait to connect cables until the end of setup)

Stratix 5400 Port 1 Connects to Stratix 5950 Port 1

Stratix 5400 Port 3 Connects to Stratix 5950 Management

Stratix 5400 Port 4 Connects to Stratix 2000

Stratix 2000 Port 3 Connects to Computer

Stratix 2000 Port 2 Is disconnected from 1769-L24

Stratix 5700 Port 1 Connects to 1756-EN2T

Stratix 5700 Port Gigabit 1 Connects to Stratix 5950 Port 2

Device IP address assignment

Device              Assignment method         IP address
1756-EN2T           DHCP persistence          192.168.1.56
Stratix 5700        Static via config file    192.168.1.2
Stratix 5950 BVI    Static via config file    192.168.1.254
Stratix 5950 Mgmt   Static via lab setup      192.168.1.253
Stratix 5400        Static via config         192.168.1.1
Computer            Static via VM             192.168.1.149
1769-L24ER          Static via lab setup      192.168.1.69

README

The lab setup should not need to be completed for each lab/event. The lab setup is ONLY for an event where the hardware cannot be accessed at its configured IP address. At the start of each event the lab reset procedure should be completed, which will leave the hardware in a lab-ready state.

Prepare Stratix 5400 for the lab

Only perform this setup if the RESET procedure did not work

1. Factory reset the switch by pressing and holding the Express Setup button with a paper clip until the Setup status indicator flashes alternating green and red during seconds 16...20, and then release.

2. While the Stratix 5400 is resetting, right click the Change to 169 address.bat located in C:\Users\Labuser\Documents\Lab Files\Stratix\Setup\IP Address batch files and select Run as Administrator

3. Disconnect all cables from the Stratix 5400

4. Once the Stratix 5400 is fully booted, press the express setup button with a paper clip and release

5. Connect the computer to the port that is flashing green

6. Open Firefox from the desktop

7. In the URL web bar type in 169.254.0.1

8. Click Advanced then click Add Exception

9. Uncheck the check box for Permanently store this exception

10. Click Confirm Security Exception

11. Login with the default credentials

• Username: blank (Leave field empty)
• Password: switch


12. On the express setup page fill in the parameters below and click Submit

• For the password enter rockwell

13. Enter the below credentials when prompted

• User Name: rockwell
• Password: rockwell

14. Go to Admin → Load/Save

15. Click Browse and navigate to C:\Users\Labuser\Documents\Lab Files\Stratix\Stratix Configs\Stratix 5400


16. Select config.text and click Open

17. Click Upload

18. The following message should appear in the top right

19. Disconnect from the Stratix 5400. The initial lab setup should be complete. We will verify the configuration after all devices are loaded.

Prepare Stratix 5700 for the lab

Only perform this setup if the RESET procedure did not work

1. Factory reset the switch by pressing and holding the Express Setup button with a paper clip until the Setup status indicator flashes alternating green and red during seconds 16...20, and then release.

2. (Skip if this was done for the Stratix 5400 setup) While the Stratix 5700 is resetting, right click the Change to 169 address.bat located in C:\Users\Labuser\Documents\Lab Files\Stratix\Setup\IP Address batch files and select Run as Administrator

3. Disconnect all cables from the Stratix 5700

4. Once the Stratix 5700 is fully booted, press the express setup button with a paper clip and release

5. Connect the computer to the port that is flashing green

6. Open Firefox from the desktop

7. In the URL web bar type in 169.254.0.1

8. Click Advanced then click Add Exception

9. Uncheck the check box for Permanently store this exception

10. Click Confirm Security Exception

11. Login with the default credentials

• Username: blank
• Password: switch

12. On the express setup page fill in the parameters below and click Submit

• For the password enter rockwell


13. Enter the below credentials when prompted

• User Name: rockwell
• Password: rockwell

14. Go to Admin → Load/Save

15. Click Browse and navigate to C:\Users\Labuser\Documents\Lab Files\Stratix\Stratix Configs\Stratix 5700

16. Select config.text and click Open


17. Click Upload

18. The following messages should appear in the top right

19. Once both the Stratix 5400 (above) and the Stratix 5700 have had their configuration files loaded, cycle power to the demo box. Do not cycle power to the Stratix 5950.

Prepare Stratix 5950 for the lab

Only perform this setup if the RESET procedure did not work

1. Factory reset the Stratix 5950 by using a paperclip or small screwdriver to hold the express setup button for 4 seconds and then releasing it. Please wait at least 30 seconds after releasing to confirm the success of the reset. The Stratix 5950 should begin a reboot cycle; you should hear the hardware bypass enable and the port LEDs will begin flashing. Please allow 5 minutes or more for the Stratix 5950 to fully boot. The Stratix 5950 is fully booted when the port LEDs stop flashing.

2. Disconnect all cables from the Stratix 5950 if any are present

3. Connect the PC to the Management port of the Stratix 5950

4. Open Cisco ASDM-IDM Launcher from the desktop

5. For the login details enter 169.254.0.1 for the IP address, leave the username and password blank, then click OK

6. Click Continue for any security exception warnings (There may be two)

7. If the following error occurs click Cancel


8. Once ASDM finishes loading, run through the Device Setup; it should start automatically

• Step 1: Click Next
• Step 2: Enter rockwell for the New Password: and Confirm New Password: fields, then click Next
• Step 3: Enter 192.168.1.254 for the Management IP Address: and select 255.255.255.0 for the Subnet Mask:, then click Next
• Steps 4-8: Click Next
• Step 9: If prompted, accept the agreement and click Next; otherwise just click Next
• Step 10: Under IPv4 enter 192.168.1.253 for IP Address:, select 255.255.255.0 for Subnet Mask:, enter 192.168.1.1 for Gateway:, then click Next
• Step 11: Click Finish

9. The following page may appear for at least 30 seconds, be patient and it will finish

10. When prompted enter the Password: of rockwell while leaving the username field empty

11. Click the Tools menu at the top and select Restore Configurations


12. On the Restore Configurations menu click the Browse Local… button

13. Navigate to C:\Users\Labuser\Documents\Lab Files\Stratix 5950\Firewall Config, select NETSEC_5950_FW and click Select file

14. Click Next


15. On the next Restore Configurations screen, check the boxes for Running Configuration and Start-up configuration and click Restore

16. If an error appears relating to failover pair click Yes

17. Click Replace on the Running Configuration Restore screen

18. After a short time the Restore Progress will be complete. Sometimes this step gets stuck at 98%. If this happens it is OK to close the window; the restore should be successful


19. The Stratix 5950 will no longer be accessible from the 169.254.0.1 address. This should conclude the usage of this address range. Navigate to C:\Users\Labuser\Documents\Lab Files\Stratix\Setup\IP Address batch files, right click the Change to 192 address.bat and select Run as Administrator

20. Connect all cables as shown from the beginning of this setup section

5950 FirePOWER Restore

Only perform this setup if the RESET procedure did not work

1. Once the Stratix 5950 is fully booted and all cables are connected open Cisco ASDM-IDM Launcher

2. Connect using the following credentials:

• Device IP Address / Name: 192.168.1.254
• Username: rockwell
• Password: rockwell


3. Click Continue for the two Security Warnings

4. Click Configuration

5. Click ASA FirePOWER Configuration

6. Expand Tools then click Backup Restore

7. Click Upload Backup in the top right of the window

8. Click Choose File

9. Navigate to C:\Users\Labuser\Documents\Lab Files\Stratix\Stratix 5950\FirePOWER Backup, select the file NETSEC_FP-2017-08-31T11-09-42.tgz, then click Open

10. Click Upload Backup


11. The following display will appear indicating completion

12. Click the Backup Management tab

13. Allow 1-3 minutes for the backup to appear here, it should appear as follows once complete

14. Click the checkbox next to the backup with the file name starting with NETSEC and click Restore

15. Click Restore on the next prompt

16. Allow at least 15 minutes for this process to complete. It is crucial that power is not lost to the device during this process. During the process ASDM may appear to lose communication with the Stratix 5950. It may be best to continue with the lab setup and return here to finish the Stratix 5950 setup

17. Refresh ASDM after waiting and another Security Warning may appear, click Continue

18. Expand Policies then click Access Control Policy

19. Verify that the Block PAC Changes policy is present and Applied to Device

20. The Stratix 5950 setup is complete, close ASDM


Prepare 1756-L73 for the lab

Only perform this setup if the RESET procedure did not work

1. Connect the PC directly to the 1756-EN2T

2. Navigate to C:\Users\Labuser\Documents\Lab Files\PACs\ACD and double click the NETSEC_L73_v30.acd file

3. Click Communications → Download

Prepare 1769-L24ER for the lab

Only perform this setup if the RESET procedure did not work

1. Connect the Ethernet cable from the 1769-L24ER to the Stratix 2000 switch

2. Assign an address to the 1769-L24 module using either a USB cable or the BOOTP/DHCP Utility

3. Navigate to C:\Users\Labuser\Documents\Lab Files\PACs\ACD and double click the NETSEC_L24_v30.acd file

4. Click Communications → Download


5. Once complete disconnect the cable from the 1769-L24ER to the Stratix 2000 switch

Publication XXXX-XX###X-EN-P — Month Year Copyright© 2017 Rockwell Automation, Inc. All rights reserved.

Supersedes Publication XXXX-XX###X-EN-P — Month Year