CCNA Security Commands

Summary of CCNA Security commands: an IOS CLI reference collected from the CCNA Security 1.2 labs (NTP, logging, SSH, AAA, role-based CLI views, ACLs, classic and zone-based firewalls, IOS IPS, and a site-to-site IPsec VPN).

CCNA SECURITY COMMANDS 1.2

CONFIGURE R1 AS AN NTP CLIENT (authenticated NTP).
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 ciscontppa55
R1(config)# ntp trusted-key 1
R1(config)# ntp server 192.168.1.5 key 1
(The key authenticates the server's replies; the server must carry the same key number and string, and the router only accepts time from servers whose key is listed as trusted. This gives integrity, not confidentiality.)

CONFIGURE THE ROUTER TO UPDATE ITS HARDWARE CLOCK (CALENDAR) FROM NTP.
R1(config)# ntp update-calendar

CONFIGURE THE ROUTER TO TIMESTAMP ITS LOG MESSAGES.
R1(config)# service timestamps log datetime msec

CONFIGURE THE ROUTER TO LOG LOGIN ACTIVITY.
Configure the router to generate system logging messages for both successful and failed login attempts. The following commands log every successful login, and log failed login attempts after every second failed login.
R1(config)# login on-success log
R1(config)# login on-failure log every 2

CONFIGURE A ROUTER TO IDENTIFY THE REMOTE HOST THAT WILL RECEIVE THE LOGGING MESSAGES.
R1(config)# logging host {hostname | ip-address}
R1(config)# logging trap informational          (level: severities 0 through 6 are forwarded)
R1(config)# logging source-interface {type number}
R1(config)# logging on
(Plain syslog is UDP/514 and unauthenticated; where the path is untrusted use "logging host <address> transport tcp" or a management VPN, and keep "service timestamps log datetime msec" enabled so events can be correlated.)

CONFIGURE THE MINIMUM PASSWORD LENGTH ON A ROUTER.
R1(config)# security passwords min-length 10

CONFIGURE A ROUTER TO SUPPORT SSH CONNECTIONS.
Step 1. Configure a domain name.
R3(config)# ip domain-name ccnasecurity.com

Step 2. Create a user SSHadmin with the highest possible privilege level and a secret password of ciscosshpa55.
R3(config)# username SSHadmin privilege 15 secret ciscosshpa55

Step 3. Configure the incoming VTY lines on R3. Use the local user accounts for mandatory login and validation. Accept only SSH connections.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh

Step 4. Erase existing key pairs on R3. Any existing RSA key pairs should be erased on the router.
R3(config)# crypto key zeroize rsa

Step 5. Generate the RSA encryption key pair for R3.
R3(config)# crypto key generate rsa
(The hostname and domain name must be set first because they name the key. SSH version 2 requires a modulus of at least 768 bits; 2048 is the current recommendation, e.g. "crypto key generate rsa modulus 2048".)

CONFIGURE THE SSH TIMEOUT AND AUTHENTICATION PARAMETERS.
Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
R3(config)# ip ssh time-out 90
R3(config)# ip ssh authentication-retries 2
R3(config)# ip ssh version 2

CONNECT TO R3 USING SSH FROM PC-C.
When prompted for the password, enter the password configured for the administrator SSHadmin (ciscosshpa55).
PC> ssh -l SSHadmin <R3 address>
(The address on the page is unreadable.)

IMPLEMENT AAA SERVICES FOR CONSOLE ACCESS USING THE LOCAL DATABASE.
R3(config)# aaa new-model
R3(config)# aaa authentication login default local none
(Other method keywords the page lists for this method list: local-case, enable. "none" as a fallback is dangerous on a real device: the local method only returns an error, and therefore falls through to "none", when the local user database is empty, in which case the console login is accepted without any authentication.)
R3(config)# line console 0
R3(config-line)# login authentication default

CREATE A PROFILE IN THE LOCAL DATABASE WITH AAA AUTHENTICATION FOR TELNET ACCESS.
R3(config)# aaa authentication login TELNET_LOGIN local-case
R3(config)# line vty 0 4
R3(config-line)# login authentication TELNET_LOGIN
(local-case makes the username case-sensitive. Telnet sends the credentials in cleartext; prefer "transport input ssh" on these lines.)

CONFIGURE A ROUTER TO AUTHENTICATE AGAINST TACACS+, THEN RADIUS SERVERS, AND FINALLY THE LOCAL DATABASE.
R1(config)# aaa new-model
R1(config)# tacacs-server host 192.1[…] key cisco1234
[… the radius-server line and the "aaa authentication login" method list did not survive extraction …]
(In such a method list the next method is tried only when a server does not answer, never when a server rejects the user.)

CREATE A CLI VIEW NAMED admin1 WITH ACCESS TO show, configure terminal AND debug.
R1(config)# parser view admin1
R1(config-view)# secret admin1pass
R1(config-view)# commands exec include all show
R1(config-view)# commands exec include all configure terminal
R1(config-view)# commands exec include all debug
R1(config-view)# end
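The SSH, VTY and AAA fragments above are pieces of one hardened management plane. The following is an added example, not configuration from the page or from the Cisco lab, that assembles them in the order IOS requires and fills in the parts the page leaves out (server definition, method lists, login throttling, VTY access class). Assumed values: a TACACS+ server at 192.168.1.3 with key tacacspa55, an enable secret ciscoenpa55, and the management subnet 192.168.1.0/24; the other names are the page's.

```cisco
! Added example, not from the original page. Assumed: TACACS+ 192.168.1.3 / key tacacspa55,
! enable secret ciscoenpa55, management subnet 192.168.1.0/24.
hostname R3
ip domain-name ccnasecurity.com
enable secret ciscoenpa55
security passwords min-length 10
! local fallback account, used only when no TACACS+ server answers
username SSHadmin privilege 15 secret ciscosshpa55
! the key pair must exist before "ip ssh version 2" is accepted; 2048 bits is today's floor
crypto key zeroize rsa
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
! AAA: TACACS+ first, local database only on server error, never "none"
aaa new-model
tacacs server TACACS-SRV
 address ipv4 192.168.1.3
 key tacacspa55
aaa group server tacacs+ MGMT-TACACS
 server name TACACS-SRV
aaa authentication login MGMT-LOGIN group MGMT-TACACS local
aaa authorization exec MGMT-EXEC group MGMT-TACACS local if-authenticated
aaa accounting exec default start-stop group MGMT-TACACS
! brute-force throttling: 3 failures within 60 s block new Telnet/SSH logins for 120 s
login block-for 120 attempts 3 within 60
login on-success log
login on-failure log every 2
! only management hosts may open the VTYs, SSH only, idle sessions closed after 5 minutes
ip access-list standard MGMT-HOSTS
 permit 192.168.1.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
 login authentication MGMT-LOGIN
 authorization exec MGMT-EXEC
line console 0
 exec-timeout 5 0
 login authentication MGMT-LOGIN
```

Verify with "show ip ssh", "show login" and "test aaa group MGMT-TACACS SSHadmin ciscosshpa55 legacy" before closing the session you configured from; changing the login method list on a live device with a typo in the server key locks every new session out until the local fallback is reached.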

VERIFY THE admin1 VIEW.
R1# enable view admin1
Password: admin1pass

CREATE A VIEW NAMED SHOWVIEW, ASSIGN IT A PASSWORD, AND ALLOW IT TO USE ALL EXEC COMMANDS THAT BEGIN WITH show.
R1(config)# aaa new-model
R1(config)# parser view SHOWVIEW
R1(config-view)# secret cisco
R1(config-view)# commands exec include show
R1(config-view)# end

CREATE A VIEW NAMED VERIFIEDVIEW, ASSIGN IT A PASSWORD, AND ALLOW IT TO USE THE ping COMMAND.
R1(config)# aaa new-model
R1(config)# parser view VERIFIEDVIEW
R1(config-view)# secret cisco
R1(config-view)# commands exec include ping
R1(config-view)# end

CREATE A VIEW NAMED REBOOTVIEW, ASSIGN IT A PASSWORD, AND ALLOW IT TO USE THE reload COMMAND.
R1(config)# aaa new-model
R1(config)# parser view REBOOTVIEW
R1(config-view)# secret cisco10
R1(config-view)# commands exec include reload
R1(config-view)# end
(Views can only be created from the root view, so "enable view" with the enable secret must precede "parser view". "commands exec include show" grants every show command, including "show running-config"; list specific commands where the view must be narrower. A view that can "reload" is a denial-of-service capability and deserves the same protection as privilege 15.)

SECURE THE IOS IMAGE AND ENABLE CISCO IOS IMAGE RESILIENCE.
R1(config)# secure boot-image
SECURE THE BOOT CONFIGURATION.
R1(config)# secure boot-config
(The secured files are hidden from "dir" and the feature can only be disabled from the console; verify with "show secure bootset".)

CREATE ACLs. ACL EXAMPLES (each line followed by what it does):
permit udp any 192.168.1.0 0.0.0.255 eq domain     Allow any host to reach DNS
permit tcp any 192.168.1.0 0.0.0.255 eq smtp       Allow any host to reach SMTP
permit tcp any 192.168.1.0 0.0.0.255 eq ftp        Allow any host to reach FTP
deny tcp any host 192.168.1.3 eq 443               Deny any host access to HTTPS
permit tcp any host 192.168.3.3 eq 22              Allow any host to reach SSH
permit icmp any any echo-reply                     Allow echo replies
permit icmp any any unreachable                    Allow destination-unreachable messages
deny icmp any any                                  Deny all other ICMP
permit ip any any                                  Allow any host to reach anything else
(ACL entries are evaluated top down and the first match wins. Because the list ends in "permit ip any any", it only blocks HTTPS to 192.168.1.3 and the ICMP types not listed; the deny lines must stay above that final permit to have any effect.)

ACL ENTRIES TO PERMIT THE IPSEC PROTOCOLS: ESP (IP protocol 50), AH (IP protocol 51) and ISAKMP (UDP port 500). In IOS extended ACLs these are written with the keywords esp, ahp and "udp … eq isakmp"; see the VPN task at the end of the page for an example.

Create an extended named ACL called ACL-1, applied inbound on interface Fa0/0, that denies the workgroup server from going out but allows the rest of the LAN users out, using the established keyword.
R1(config)# ip access-list extended ACL-1
R1(config-ext-nacl)# remark LAN ACL
R1(config-ext-nacl)# deny ip host 192.168.1.6 any
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any established
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface Fa0/0
R1(config-if)# ip access-group ACL-1 in
R1(config-if)# exit
(established only matches TCP segments with the ACK or RST bit set, so from Fa0/0 the LAN can answer connections but cannot open new ones; it offers no protection against crafted packets that simply set ACK, which is why stateful inspection is preferred.)

Create an extended named ACL called ACL-2, applied outbound on the DMZ interface Fa0/1, to permit access to the specified web and email servers.
[… the ACL-2 commands are not on the page; the text that followed was a verbatim repeat of ACL-1 and has been dropped …]

The log parameter can be appended to the end of an ACL statement. It generates a syslog message for matching packets (rate-limited by the router), which is useful for spotting denied traffic but costly on busy interfaces.
permit tcp any host 192.168.2.6 eq 80 log

NUMBERED ACL WITH A TIME RANGE (the page's lines are only partly readable)
R1(config)# ip access-list extended 1[…]
R1(config-ext-nacl)# permit tcp host 192.1[…] time-range […]
R1(config)# time-range […]
R1(config-time-range)# periodic weekdays […]:00 to 19:00
R1(config-time-range)# exit
R1(config)# access-list 100 permit ip 192.1[…]

ANTI-SPOOFING ACL, INBOUND ON S0/0/0. Deny the following as source addresses arriving from the outside:
 - any reserved private address (RFC 1918)
 - any address in the IP multicast address range (224.0.0.0/4)
 - […]
R1(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any
R1(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
R1(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
R1(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
[… further deny lines (192.168.0.0/16, 224.0.0.0/4) lost …]
R1(config)# access-list 100 permit tcp any host 10.10.10.2 eq https
R1(config)# access-list 100 permit tcp any host 10.10.10.3 eq smtp
R1(config)# access-list 100 permit tcp any host 10.10.10.3 eq www
R1(config)# access-list 100 permit tcp any host 10.10.10.3 eq https
(The ACL number is only partly legible on the page; 100 is used to match the line above it. The deny lines must precede the permits, since entries are evaluated top down and the first match wins.)

For the same topology, using object-group configuration, first create the service object for the services:
R1(config)# object-group service Web-svcs
R1(config-service-group)# tcp smtp
R1(config-service-group)# tcp www
R1(config-service-group)# tcp https

Next, create the network object for the servers. This example uses the range keyword; you can also use the host keyword or define a subnet.
R1(config)# object-group network Webservers
R1(config-network-group)# range 10.10.10.1 10.10.10.3

CLASSIC (CBAC) FIREWALL CONFIGURATION
An administrator needs to permit inside users to initiate TCP, UDP, and ICMP traffic with all external sources. Outside clients are allowed to communicate with the SMTP mail server (209.165.201.2) and the HTTP server (209.165.201.1) that are located in the enterprise demilitarized zone (DMZ). It is also necessary to permit certain ICMP messages to all interfaces. All other traffic from the external network is denied.

Step 1. Choose an interface, either internal or external.
Step 2. Configure IP ACLs at the interface.
Step 3. Define inspection rules.
Step 4. Apply an inspection rule to an interface.

Create an ACL that allows TCP, UDP, and ICMP sessions and denies all other traffic.
R1(config)# access-list 101 permit tcp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 permit udp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 permit icmp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 deny ip any any
This ACL is applied to the internal interface in the inbound direction. The ACL processes traffic initiated from the internal network before it leaves the network.
R1(config)# interface Fa0/0
R1(config-if)# ip access-group 101 in
Next, create an extended ACL in which SMTP and HTTP traffic is permitted from the external network to the DMZ network only, and all other traffic is denied.
R1(config)# access-list 102 permit tcp any 209.1[…]
[… the remaining ACL 102 entries and the ip inspect rule lines did not survive extraction …]
Verification:
R1# show ip inspect config
R3# debug ip inspect detailed
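The CBAC scenario above is completed end to end below, as an added example rather than the page's own configuration. From the page: the inside network 10.10.10.0/24 on Fa0/0 and the DMZ hosts 209.165.201.1 (HTTP) and 209.165.201.2 (SMTP). Assumed: the DMZ hangs off Fa0/1 and the outside link is Serial0/0/0; the inspection rule name FW-INSPECT is chosen here.

```cisco
! Added example, not from the original page. Assumed: DMZ on Fa0/1, outside on Serial0/0/0,
! inspection rule name FW-INSPECT.
! Step 2 (inside, inbound): what inside users may start
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any
access-list 101 permit udp 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp 10.10.10.0 0.0.0.255 any
access-list 101 deny ip any any log
! Step 2 (outside, inbound): only the published DMZ services plus the ICMP messages inside
! hosts need. Return traffic of inspected sessions is admitted by the temporary openings CBAC
! inserts ahead of this ACL, so no "established" or reply entries are needed here.
access-list 102 permit tcp any host 209.165.201.2 eq smtp
access-list 102 permit tcp any host 209.165.201.1 eq www
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 deny ip any any log
! Step 3: inspection rules. tcp/udp/icmp give generic session tracking; http is listed
! separately because CBAC then also applies its HTTP-specific checks to port 80
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
ip inspect name FW-INSPECT http
ip inspect audit-trail
! Step 4: apply ACL 101 and the inspection rule where inside sessions enter the router,
! and ACL 102 where outside traffic enters
interface FastEthernet0/0
 ip access-group 101 in
 ip inspect FW-INSPECT in
interface Serial0/0/0
 ip access-group 102 in
```

Open a session from an inside host and confirm it with "show ip inspect sessions"; "show ip inspect config" lists the rule set. Sessions that the DMZ servers themselves initiate (DNS lookups, updates) are not covered by this example and would need an inspection rule on Fa0/1.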

STEPS FOR CONFIGURING ZONE-BASED POLICY FIREWALLS WITH THE CLI

Step 1. Create the firewall zones with the zone security command.
R3(config)# zone security IN-ZONE
R3(config-sec-zone)# description Inside Network
R3(config)# zone security OUT-ZONE
R3(config-sec-zone)# description Outside Network

Step 2. Create an ACL that defines the internal traffic. Use the access-list command to create extended ACL 101, permitting all IP traffic from the 192.168.1[…] network.
[… the class-map, policy-map and zone-pair steps did not survive extraction …]
Assign the interfaces to their zones:
R3(config)# interface […]
R3(config-if)# zone-member security IN-ZONE
R3(config-if)# exit
R3(config)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE
R3(config-if)# exit
(An interface that belongs to no zone cannot exchange traffic with an interface that does; the moment an interface joins a zone, traffic between it and other zones is dropped until a zone pair with a policy exists.)

PRACTICAL ZBF EXAMPLE

1. CREATE THE ZONES.
zone security NETWORK
zone security INTERNET
zone security DMZ

2. CLASSIFY TRAFFIC WITH CLASS MAPS.
class-map type inspect match-any NETtoOUT
 match protocol http
 match protocol smtp
 match protocol pop3
 match protocol icmp
class-map type inspect match-any NETtoDMZ
 match protocol http
 match protocol dns
 match protocol tftp
 match protocol icmp
 match access-group name DHCP
ip access-list extended DHCP
 permit udp any any eq bootps
 permit udp any any eq bootpc
(The class maps OUTtoNET, DMZtoNET, OUTtoDMZ and DMZtoOUT referenced by the policy maps below are not defined on the page; each must exist before its policy map can be attached to a zone pair.)

3. DEFINE THE POLICY MAPS AND THE ACTION TO TAKE.
policy-map type inspect NETWORKtoOUTSIDE
 class type inspect NETtoOUT
  inspect
policy-map type inspect OUTSIDEtoNETWORK
 class type inspect OUTtoNET
  drop
policy-map type inspect NETWORKtoDMZ
 class type inspect NETtoDMZ
  inspect
policy-map type inspect DMZtoNETWORK
 class type inspect DMZtoNET
  inspect
policy-map type inspect OUTSIDEtoDMZ
 class type inspect OUTtoDMZ
  inspect
policy-map type inspect DMZtoOUTSIDE
 class type inspect DMZtoOUT
  inspect
(Traffic matched by no class falls into class-default, whose action is drop, so the explicit "drop" on OUTtoNET documents intent rather than changing behaviour. "inspect" creates a session that lets the return traffic back through without a rule in the opposite direction.)

4. CREATE THE ZONE PAIRS, WHICH APPLY A POLICY BETWEEN TWO ZONES.
zone-pair security NETtoOUT source NETWORK destination INTERNET
 service-policy type inspect NETWORKtoOUTSIDE
(Only this zone pair appears on the page; the other five policy maps each need their own zone pair, one per direction, to take effect.)

5. MAKE THE FIREWALL INTERFACES MEMBERS OF A ZONE.
FW(config)# interface Serial0/0/0
FW(config-if)# zone-member security INTERNET
FW(config-if)# exit
FW(config)# interface FastEthernet0/1
FW(config-if)# zone-member security DMZ
FW(config-if)# exit
FW(config)# interface FastEthernet0/0
FW(config-if)# zone-member security NETWORK
FW(config-if)# exit

CONFIGURE THE IOS INTRUSION PREVENTION SYSTEM (IPS) USING THE CLI
1. CREATE AN IOS IPS CONFIGURATION DIRECTORY IN FLASH.
On R1, create a directory in flash using the mkdir command. Name the directory ipsdir.
R1# mkdir ipsdir
Create directory filename [ipsdir]? <Enter>
Created dir flash:ipsdir
[… the remaining IPS steps (configuration location, IPS rule name, signature categories, interface application) did not survive extraction …]

SWITCH TRUNK PORT HARDENING (fragment)
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 1[…]
S1(config-if)# switchport nonegotiate
(The VLAN number on the page is partly unreadable. The hardening intent is an unused VLAN as the native VLAN, not VLAN 1, so that untagged frames cannot reach a user VLAN; "switchport nonegotiate" disables DTP so an attached host cannot negotiate a trunk.)

CONFIGURE AND VERIFY A SITE-TO-SITE IPSEC VPN USING THE CLI

ISAKMP (IKE phase 1) policy parameters
  Parameter                 Options                    R1           R3
  Key distribution method   Manual or ISAKMP           ISAKMP       ISAKMP
  Encryption algorithm      DES, 3DES, or AES          AES          AES
  Hash algorithm            MD5 or SHA1                SHA1         SHA1
  Authentication method     Pre-shared keys or RSA     pre-share    pre-share
  Key exchange              DH Group 1, 2, or 5        DH 2         DH 2
  IKE SA lifetime           86400 seconds or less      86400        86400
  ISAKMP key                                           vpnpa55      vpnpa55

IPsec (phase 2) parameters
  Parameter                 R1                R3
  Transform set             VPN-SET           VPN-SET
  Peer hostname             R3                R1
  Peer IP address           10.2.2.2          10.1.1.2
  Network to be encrypted   192.168.1.0/24    192.168.3.0/24
  Crypto map name           VPN-MAP           VPN-MAP
  SA establishment          ipsec-isakmp      ipsec-isakmp

CONFIGURE IPSEC PARAMETERS ON R1
1. IDENTIFY INTERESTING TRAFFIC ON R1. Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R3 as interesting. Remember that due to the implicit deny all, there is no need to configure a deny any any statement.
R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
[… the ISAKMP policy, pre-shared key, transform set and crypto map steps did not survive extraction; the crypto map is then bound to the WAN interface …]
Note: This is not graded.
R3(config)# interface S0/0/1
R3(config-if)# crypto map VPN-MAP

VERIFY THE IPSEC VPN
Step 2. Verify the tunnel prior to interesting traffic. Issue the show crypto ipsec sa command on R1. Notice that the number of packets encapsulated, encrypted, decapsulated and decrypted are all set to 0.
R1# show crypto ipsec sa
Once traffic matching ACL 110 is sent (for example a ping from a host on 192.168.1.0/24 to a host on 192.168.3.0/24) those counters increase, and "show crypto isakmp sa" shows the phase 1 SA in state QM_IDLE.
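The parameter table and the fragment above describe the whole tunnel but only one ACL and one crypto map binding survive. The following is an added example, not the page's or the lab's configuration, that writes out both peers from the table's values. Assumed: R1's WAN interface is Serial0/0/0 (the page only names S0/0/1 on R3); the ACL number 110, the names VPN-SET and VPN-MAP, the key vpnpa55 and the peer addresses are the page's.

```cisco
! Added example, not from the original page. Assumed: R1 WAN interface Serial0/0/0.
! ---------------- R1 ----------------
! Step 1: interesting traffic, R1 LAN -> R3 LAN; the implicit deny covers everything else
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
! Step 2: ISAKMP (IKE phase 1) policy, one line per table row
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key vpnpa55 address 10.2.2.2
! Step 3: IPsec (phase 2) transform set and the crypto map that ties ACL, peer and set together
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
 mode tunnel
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to R3
 set peer 10.2.2.2
 set transform-set VPN-SET
 match address 110
! Step 4: bind the crypto map to the WAN interface
interface Serial0/0/0
 crypto map VPN-MAP
!
! ---------------- R3: the mirror image ----------------
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key vpnpa55 address 10.1.1.2
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
 mode tunnel
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to R1
 set peer 10.1.1.2
 set transform-set VPN-SET
 match address 110
interface Serial0/0/1
 crypto map VPN-MAP
```

The two crypto ACLs must be exact mirror images or phase 2 fails with a proxy-identity mismatch; check with "show crypto isakmp sa" and "show crypto ipsec sa" after a ping between the LANs. If the same WAN interface also does NAT overload, add a deny for the LAN-to-LAN traffic at the top of the NAT ACL, otherwise the packets are translated before the crypto map sees them and never match ACL 110. DH group 2, SHA1 and a short pre-shared key are the lab's values; for production use group 14 or higher, sha256, AES-256 and, where both sides support it, IKEv2.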

INSTRUCTOR'S ASSIGNMENT (zone-based firewall on router FW)

1. Define the zones as indicated in the topology.
zone security DMZ
zone security INSIDE
zone security OUTSIDE

2. Traffic must be permitted so that router R4 can authenticate through RADIUS against the WinRadius server (PC2).
class-map type inspect match-any CM_OUT_TO_IN
 match protocol radius
policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect
zone-pair security ZP_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN

3. Traffic from PC4 to the WEB and FTP servers (PC3) must be permitted.
class-map type inspect match-any CM_OUT_TO_DMZ
 match protocol http
 match protocol ftp
policy-map type inspect PM_OUT_TO_DMZ
 class type inspect CM_OUT_TO_DMZ
  inspect
zone-pair security ZP_OUT_TO_DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM_OUT_TO_DMZ
("match protocol ftp" makes the firewall follow the control channel and open the data connection dynamically; without it the data channel would be dropped.)

4. The internal network must also be able to reach the web server (PC3); FTP must not be permitted for that network.
class-map type inspect match-any CM_IN_TO_DMZ
 match protocol http
policy-map type inspect PM_IN_TO_DMZ
 class type inspect CM_IN_TO_DMZ
  inspect
zone-pair security ZP_IN_TO_DMZ source INSIDE destination DMZ
 service-policy type inspect PM_IN_TO_DMZ
(FTP is denied simply by not matching it: anything not matched falls into class-default and is dropped.)

5. The ACS server must be able to reach router R4 (loopback) and the 10.[…]/24 network with ping, without a state-table entry being generated.
access-list 100 permit ip host 10.6.20.10 any
class-map type inspect match-all CM_ACS
 match protocol icmp
 match access-group 100
policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_IN_TO_OUT
  inspect
 class type inspect CM_ACS
  pass
zone-pair security ZP_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT
access-list 101 permit ip any host 10.6.20.10
class-map type inspect match-all CM_ACS_R
 match access-group 101
 match protocol icmp
policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect
 class type inspect CM_ACS_R
  pass
zone-pair security ZP_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN
("pass" forwards the packet without creating a session, so the echo replies need their own "pass" class in the opposite direction (CM_ACS_R). A match-all class combining an ACL with "match protocol icmp" restricts the pass to ICMP from and to the ACS host only. The class map CM_IN_TO_OUT used in PM_IN_TO_OUT is not defined on the page. Re-entering an existing policy map appends the new class, so PM_OUT_TO_IN grows through the assignment; its final form is the one shown at task 8.)

6. [task statement lost; only its last word, "all.", survives on the page] Management traffic originated by the firewall itself (zone self) toward INSIDE:
access-list 102 permit tcp host 10.6.23.3 any eq telnet
access-list 102 permit tcp host 10.6.13.3 any eq telnet
access-list 102 permit tcp host 10.6.13.3 any eq 22
access-list 102 permit tcp host 10.6.23.3 any eq 22
access-list 102 permit udp host 10.6.13.3 any eq syslog
access-list 102 permit udp host 10.6.23.3 any eq syslog
class-map type inspect match-any CM_SELF_TO_IN
 match access-group 102
policy-map type inspect PM_SELF_TO_IN
 class type inspect CM_SELF_TO_IN
  inspect
zone-pair security ZP_SELF_TO_IN source self destination INSIDE
 service-policy type inspect PM_SELF_TO_IN
(The page writes the syslog lines as "permit tcp … eq syslog"; IOS only knows syslog as a UDP port name (514), so those two lines are corrected to udp here. Once a zone pair involving self exists, anything else the router sends toward INSIDE that the policy does not match is dropped; see task 10.)

7. It must be possible for PC2 to administer the FW device through CCP (use whatever is necessary to meet this requirement).
access-list 103 permit tcp host 10.6.20.10 host 10.6.23.3 eq www
access-list 103 permit tcp host 10.6.20.10 host 10.6.23.3 eq 443
access-list 103 permit tcp host 10.6.20.10 host 10.6.13.3 eq 443
access-list 103 permit tcp host 10.6.20.10 host 10.6.13.3 eq www
class-map type inspect match-any CM_IN_TO_SELF
 match access-group 103
policy-map type inspect PM_IN_TO_SELF
 class type inspect CM_IN_TO_SELF
  inspect
zone-pair security ZP_IN_TO_SELF source INSIDE destination self
 service-policy type inspect PM_IN_TO_SELF
(CCP talks to the router over HTTP/HTTPS, so "ip http server" / "ip http secure-server" must be enabled on FW; the ACL restricts that access to PC2's address.)

8. The PC4 client must have sufficient permissions to establish a VPN session to router R1; for this the FW must generate a state-table entry for the ESP and AH protocols.
access-list 104 permit ahp host 10.6.40.10 host 10.6.13.1
access-list 104 permit esp host 10.6.40.10 host 10.6.13.1
access-list 104 permit udp host 10.6.40.10 host 10.6.13.1 eq isakmp
class-map type inspect match-any CM_VPN
 match access-group 104
policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect
 class type inspect CM_ACS_R
  pass
 class type inspect CM_VPN
  inspect
zone-pair security ZP_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN
(ESP and AH carry no port numbers, so "inspect" only builds a generic session keyed on the addresses and protocol. Cisco's usual guidance for IPsec transiting a zone-based firewall is to "pass" ESP, AH and ISAKMP in both directions; the assignment asks for inspect, which works here because the client always initiates from OUTSIDE. Add "eq non500-isakmp" (UDP 4500) if the client sits behind NAT. Task numbering is as far as it could be recovered; one task appears to be missing from the page.)

10. All EIGRP sessions must be maintained between the FW and routers R1 and R2, and between the FW and router R4.
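Task 10 has no configuration on the page. The following is an added example, not the assignment's solution, showing what the INSIDE-side self zone pairs from tasks 6 and 7 require for EIGRP to survive: once the self zone is part of a zone pair, traffic in that direction that the policy does not match is dropped, and EIGRP (IP protocol 88, hellos to 224.0.0.10) matches none of the classes above. Assumed: R1 and R2 are in zone INSIDE as the task text implies; the ACL name ACL-EIGRP and the class name CM_EIGRP are chosen here. The policy and class names reused from the page are CM_SELF_TO_IN, CM_IN_TO_SELF, PM_SELF_TO_IN and PM_IN_TO_SELF.

```cisco
! Added example, not from the original page. Assumed: R1/R2 in zone INSIDE;
! ACL-EIGRP and CM_EIGRP are new names.
ip access-list extended ACL-EIGRP
 permit eigrp any any
class-map type inspect match-any CM_EIGRP
 match access-group name ACL-EIGRP
! A routing protocol is stateless from the firewall's point of view: use "pass" in both
! directions rather than "inspect", which would try to build a session per hello.
! The class is added to the existing self policies; the explicit class-default makes the
! drop visible in the configuration and logs what still gets blocked.
policy-map type inspect PM_SELF_TO_IN
 class type inspect CM_EIGRP
  pass
 class type inspect CM_SELF_TO_IN
  inspect
 class class-default
  drop log
policy-map type inspect PM_IN_TO_SELF
 class type inspect CM_EIGRP
  pass
 class type inspect CM_IN_TO_SELF
  inspect
 class class-default
  drop log
```

Class order does not matter here because CM_EIGRP (protocol 88) and the TCP/UDP classes cannot both match one packet. Toward R4 in zone OUTSIDE no self zone pair exists on the page, so EIGRP there is still allowed by the self zone's default behaviour; if a self/OUTSIDE pair is ever added, it needs the same CM_EIGRP pass class. Confirm with "show ip eigrp neighbors" on FW and "show policy-map type inspect zone-pair ZP_SELF_TO_IN" for the pass counters.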
