Lab5-2.net file for Dynamips:
##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 5.2 Securing a Router with Cisco AutoSecure
# By Happy Peter http://blog.xuite.net/juilin77/happy
#
##################################################
autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab5-2/workingconfig
[[3725]]
# Specify 3725 IOS image on Linux here:
image = /opt/dynamips/images/c3725-ad.bin
ram = 256
idlepc =0x60bf8d58
mmap = true
ghostios = true
confreg = 0x2102
###########################
#
# Define router instances 1
#
###########################
[[Router R1]]
model = 3725
console = 2001
Scenario:
In this scenario, you will configure Cisco AutoSecure on a router.
Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
logging synchronous
exec-timeout 0 0
!
host R*
Step 1: Configure the Physical Interface
You can force the interface into an “always up” state using the interface-level "no keepalive" command. Then use the "no shutdown" command to bring the interface up.
R1:
interface fastEthernet 0/0
ip address 192.168.10.1 255.255.255.0
no keepalive
no shutdown
Step 2: Configure AutoSecure
At the privileged EXEC prompt, issue the auto secure command to start AutoSecure. You may notice that this command is hidden from the Cisco IOS in-line help system.
R1:
R1#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: no
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
! test !
Enable secret is either not configured or
is the same as enable password
Enter the new enable secret: 123456
Confirm the enable secret : 123456
Enter the new enable password: 1234567
Confirm the enable password: 1234567
Configuration of local user database
Enter the username: peter
Enter the password: 123456
Confirm the password: 123456
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 10
Maximum Login failures with the device: 5
Maximum time period for crossing the failed login attempts: 10
Configure SSH server? [yes]: yes
Enter the domain-name: cisco.com
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected
to internet
Configure CBAC Firewall feature? [yes/no]: no
Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed
Enable tcp intercept feature? [yes/no]: yes
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C test ^C
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$gQB6$jJlXmaxnMCUJTf5aJkVmE.
enable password 7 055A545C7519185E
username peter password 7 00554155500E5D
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
login block-for 10 attempts 5 within 10
ip domain-name cisco.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
ip cef
access-list 100 permit udp any any eq bootpc
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
!
end
Apply this configuration to running-config? [yes]: yes
Applying the config generated to running-config
The name for the keys will be: R1.cisco.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Final Configurations
R1:
hostname R1
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$gQB6$jJlXmaxnMCUJTf5aJkVmE.
enable password 7 055A545C7519185E
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
memory-size iomem 5
no ip source-route
no ip gratuitous-arps
ip cef
!
no ip bootp server
no ip domain lookup
ip domain name cisco.com
login block-for 10 attempts 5 within 10
!
multilink bundle-name authenticated
!
username peter password 7 00554155500E5D
archive
log config
logging enable
hidekeys
!
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept connection-timeout 3600
ip tcp intercept watch-timeout 15
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
ip tcp intercept drop-mode random
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no keepalive
no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
control-plane
!
banner motd ^C test ^C
!
line con 0
exec-timeout 5 0
logging synchronous
login authentication local_auth
transport output telnet
line aux 0
login authentication local_auth
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet ssh
!
end
Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html
CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual
最初發表 / 最後更新: 2008.10.02 / 2018.06.11
0 comments:
張貼留言