Comandos CCNA Security

Academic year: 2021

CCNA SECURITY 1.2 COMMANDS

CONFIGURE R1 AS AN NTP CLIENT.

R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 ciscontppa55
R1(config)# ntp trusted-key 1
R1(config)# ntp server 192.168.1.5 key 1

CONFIGURE THE ROUTERS TO UPDATE THEIR DATE AND TIME.

R1(config)# ntp update-calendar

CONFIGURE THE ROUTERS TO SHOW THE TIME IN THE LOGS.

R1(config)# service timestamps log datetime msec

CONFIGURE THE ROUTER TO GENERATE ACTIVITY LOGS.

Configure the router to generate system logging messages for both successful and failed login attempts. The following commands log every successful login and log failed login attempts after every second failed login.

R1(config)# login on-success log
R1(config)# login on-failure log every 2

CONFIGURE A ROUTER TO IDENTIFY THE REMOTE HOST THAT WILL RECEIVE THE LOGGING MESSAGES.

R1(config)# logging host {hostname | ip-address}
R1(config)# logging trap informational (level)
R1(config)# logging source-interface (type and number)
R1(config)# logging on

CONFIGURE THE MINIMUM PASSWORD LENGTH ON A ROUTER.

R1(config)# security passwords min-length 10

CONFIGURE A ROUTER TO SUPPORT SSH CONNECTIONS.

Step 1. Configure a domain name.

R3(config)# ip domain-name ccnasecurity.com

Step 2. Create a user ID of SSHadmin with the highest possible privilege level and a secret password of ciscosshpa55.

R3(config)# username SSHadmin privilege 15 secret ciscosshpa55

Step 3. Configure the incoming VTY lines on R3. Use the local user accounts for mandatory login and validation. Accept only SSH connections.

R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)#

Step 4. Erase existing key pairs on R3. Any existing RSA key pairs should be erased on the router.

R3(config)# crypto key zeroize rsa

Step 5. Generate the RSA encryption key pair for R3.

R3(config)# crypto key generate rsa

CONFIGURE THE SSH TIMEOUT AND AUTHENTICATION PARAMETERS.

Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.

R3(config)# ip ssh time-out 90
R3(config)# ip ssh authentication-retries 2
R3(config)# ip ssh version 2

CONNECT TO R3 USING SSH FROM PC-C.

When prompted for the password, enter the password configured for the administrator, ciscosshpa55.

PC: ssh -l SSHadmin 192.168.3.1

CONNECT TO R3 USING SSH FROM R2 VIA SSH VERSION 2.

R2# ssh -v 2 -l SSHadmin 10.2.2.1
Password: ciscosshpa55
R3#

CONFIGURE A USER IN THE LOCAL DATABASE.

R3(config)# username Admin01 privilege 15 secret Admin01pass

CONFIGURE THE LOGIN BLOCK-FOR COMMAND.

To configure a 60 second login shutdown (quiet mode timer) if two failed login attempts are made within 30 seconds:

R1(config)# login block-for 60 attempts 2 within 30

CONFIGURE A LOCAL USER FOR AAA AUTHENTICATION

R3(config)# username JR-ADMIN secret Str0ngPa55w0rd
R3(config)# aaa new-model
R3(config)# aaa authentication login default local local-case enable

IMPLEMENT AAA SERVICES FOR CONSOLE ACCESS USING A LOCAL DATABASE

R3(config)# aaa authentication login default local none
R3(config)# line console 0
R3(config-line)#

CREATE A PROFILE IN A LOCAL DATABASE WITH AAA AUTHENTICATION FOR TELNET ACCESS.

R3(config)# aaa authentication login TELNET_LOGIN local-case
R3(config)# line vty 0 4
R3(config-line)# login authentication TELNET_LOGIN

CONFIGURE A ROUTER TO AUTHENTICATE AGAINST TACACS+, THEN RADIUS SERVERS, AND FINALLY A LOCAL DATABASE

R1(config)# aaa new-model
R1(config)# tacacs-server host 192.168.1.1 single-connection
R1(config)# tacacs-server key TACACSPa55w0rd
R1(config)# radius-server host 192.168.1.2
R1(config)# radius-server key RADIUS-Pa55w0rd
R1(config)# aaa authentication login default group tacacs+ group radius local-case
(defines the order of the sources used to authenticate: TACACS+, RADIUS and finally a user from the local database)

CONFIGURE COMMAND AUTHORIZATION TYPES THROUGH AAA

R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ngPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+

CONFIGURE ACCOUNTING (AUDITING) THROUGH AAA

R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ngPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting network default start-stop group tacacs+

LOCK AN ACCOUNT AFTER A NUMBER OF FAILED ATTEMPTS

R3(config)# aaa local authentication attempts max-fail number

R1(config)#s"%n$" USER /%i&il"g" 1 s"!%" !is!o R1(config)#/%i&il"g" ""! l"&"l  /ing

R1(config)#"n$l" s"!%" l"&"l  !is!o

(4)

R1(config)#/%i&il"g" ""! l"&"l 15 %"lo$0 R1(config)#"n$l" s"!%" l"&"l 15 !is!o15

R1(config)#s"%n$" +R-ADMIN /%i&il"g" 15 s"!%" !is!o15 R1(config)#s"%n$" ADMIN /%i&il"g" 1 s"!%" !is!o124

CONFIGURE ROLE-BASED VIEWS. ENABLE THE ROOT VIEW

R1(config)# aaa new-model
R1(config)# exit
R1(config)# enable secret cisco12345
R1# enable view
Password: cisco12345

R1(config)# parser view admin1
R1(config-view)# secret admin1pass
R1(config-view)# commands exec include all show
R1(config-view)# commands exec include all config terminal
R1(config-view)# commands exec include all debug
R1(config-view)# end

VERIFY THE ADMIN1 VIEW.

R1# enable view admin1
Password: admin1pass

C%"$% n$ &is$ ll$$0$ SHO,VIE, Asign$% l$ /$ss>o%0 $ l$ &is$

P"%ii% $ "s$ &is$ s$% o0os los !o$n0os EEC " !oi"n!"n !on s3o> R1(config)#$$$ n">-o0"l

R1(config)#/$%s"% &i"> SHO,VIE, R1(config-vie%)#s"!%" !is!o

R1(config-vie%)#!o$n0s ""! in!l0" s3o> R1(config-vie%)#"n0

C%"$% n$ &is$ ll$$0$ VERIFIEDVIE, Asign$% l$ /$ss>o%0 $ l$ &is$

P"%ii% $ "s$ &is$ s$% "l !o$n0o /ing R1(config)#$$$ n">-o0"l

R1(config)#/$%s"% &i"> VERIFIEDVIE, R1(config-vie%)#s"!%" !is!o

(5)

R1(config-vie%)#"n0

C%"$% n$ &is$ ll$$0$ RE)OOTVIE, Asign$% l$ /$ss>o%0 $ l$ &is$

P"%ii% $ "s$ &is$ s$% "l !o$n0o %"lo$0 R1(config)#$$$ n">-o0"l

R1(config)#/$%s"% &i"> RE)OOTVIE, R1(config-vie%)#s"!%" !is!o15

R1(config-vie%)#!o$n0s ""! in!l0" %"lo$0 R1(config-vie%)#"n0

TO SECURE THE IOS IMAGE AND ENABLE CISCO IOS IMAGE RESILIENCE

R1(config)# secure boot-image

TO SECURE THE BOOT CONFIG

R1(config)# secure boot-config

CREATE ACLs

ACL EXAMPLES

permit udp any 192.168.1.0 0.0.0.255 eq domain     Allows any host to reach DNS
permit tcp any 192.168.1.0 0.0.0.255 eq smtp       Allows any host to reach SMTP
permit tcp any 192.168.1.0 0.0.0.255 eq ftp        Allows any host to reach FTP
deny tcp any host 192.168.1.3 eq 443               Denies any host access to HTTPS
permit tcp any host 192.168.3.3 eq 22              Allows any host to reach SSH
permit icmp any any echo-reply                     Allows echo replies to any host
permit icmp any any unreachable                    Allows destination unreachable to any host
deny icmp any any                                  Denies any host ICMP

ACL TO PERMIT THE PROTOCOLS FOR ESP (50), AH (51) AND ISAKMP (UDP PORT 500)

Create an EXTENDED NAMED ACL called ACL-1, applied inbound on interface Fa0/0, that denies the workgroup server from going out but allows the rest of the LAN users outside access using the established keyword.

Create an extended named ACL called ACL-2, applied outbound on the DMZ interface Fa0/1, to permit access to the specified Web and Email servers.

R1(config)# ip access-list extended ACL-1
R1(config-ext-nacl)# remark LAN ACL
R1(config-ext-nacl)# deny ip host 192.168.1.6 any
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any established
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface Fa0/0
R1(config-if)# ip access-group ACL-1 in

NUMBERED ACL

R1(config)# ip access-list extended 150
R1(config-ext-nacl)# permit tcp host 192.168.1.100 any eq telnet
R1(config-ext-nacl)# permit tcp any any eq www
R1(config-ext-nacl)# permit tcp any any eq telnet
R1(config-ext-nacl)# permit tcp any any eq smtp
R1(config-ext-nacl)# permit tcp any any eq pop3
R1(config-ext-nacl)# permit tcp any any eq 21
R1(config-ext-nacl)# permit tcp any any eq 20

The log parameter can be appended to the end of an ACL statement.

permit tcp any host 192.168.2.6 eq 80 log

R1# show access-list 150
Extended IP access list 150
    10 permit tcp any any eq www
    20 permit tcp any any eq telnet
    30 permit tcp any any eq smtp
    40 permit tcp any any eq pop3
    50 permit tcp any any eq 21
    60 permit tcp any any eq 20

COMPLEX ACLs

TCP Established ACLs

R1(config)# access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
R1(config)# access-list 100 deny ip any any
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in

Reflexive ACLs

R1(config)# ip access-list extended INTERNAL_ACL
R1(config-ext-nacl)# permit tcp any any eq 80 reflect WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# permit udp any any eq 53 reflect DNS-ONLY-REFLEXIVE-ACL timeout 10
R1(config-ext-nacl)# exit
R1(config)# ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)# evaluate WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# evaluate DNS-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface s0/0/0
R1(config-if)# ip access-group INTERNAL_ACL out
R1(config-if)# ip access-group EXTERNAL_ACL in

Dynamic ACLs

R3(config)# username Student password cisco
R3(config)# access-list 101 permit tcp any host 10.2.2.2 eq telnet
R3(config)# access-list 101 dynamic TESTLIST timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
R3(config)# interface s0/0/1
R3(config-if)# ip access-group 101 in
R3(config-if)# exit
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# autocommand access-enable host timeout 15
(This does not work here, and it is a hidden command.)

Ti"-$s"0 ACLs

R1(config)# i"-%$ng" EMPLOYEE-TIME

R1(config-time-range)# /"%io0i! >""70$'s 12?55 o 14?55 R1(config-time-range)# /"%io0i! >""70$'s 1?55 o 19?55 R1(config-time-range)# "i

R1(config)# $!!"ss-lis 155 /"%i i/ 192.1<=.1.5 5.5.5.2 $n' i"-%$ng" EMPLOYEE-TIME R1(config)# $!!"ss-lis 155 0"n' i/ $n' $n'

R1(config)# in"%#$!" F$sE3"%n" 51 R1(config-if)# i/ $!!"ss-g%o/ 155 in R1(config-if)# "i

MITIGATING ATTACKS WITH ACLS

Permit only ping from the 192.168.30.0 network and deny everything else:

R1(config)# access-list 120 permit icmp any 192.168.20.0 0.0.0.255 echo
R1(config)# access-list 120 permit icmp any 192.168.20.0 0.0.0.255 echo-reply
R1(config)# access-list 120 deny ip any any

Do Not Allow Addresses to Be Spoofed

• Deny all IP packets containing the following IP addresses in their source field:
  - Any local host addresses (127.0.0.0/8)
  - Any reserved private addresses (RFC 1918)
  - Any addresses in the IP multicast address range (224.0.0.0/4)
  - Inbound on S0/0/0

R1(config)# access-list 150 deny ip 0.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 10.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any
R1(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any
R1(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any
R1(config)# access-list 150 deny ip host 255.255.255.255 any

• Do not allow any outbound IP packets with a source address other than a valid IP address of the internal network.
  - Create an ACL that permits only those packets that contain source addresses from inside the network and denies all others.
  - Inbound on Fa0/1

Protect DNS, SMTP, and FTP

• DNS, SMTP, and FTP are common services that often must be allowed through a firewall.
  - Outbound on Fa0/0

R1(config)# access-list 180 permit udp any host 192.168.20.2 eq domain
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq smtp
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq ftp
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq telnet
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq 22
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq syslog
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq snmptrap

Filter ICMP Messages

• Several inbound ICMP messages are required for proper network operation:
  - Echo reply - Allows internal users to ping external hosts.
  - Source quench - Requests the sender to decrease the traffic rate.
  - Unreachable - Unreachable messages are generated for packets that are administratively denied by an ACL.
  - Inbound on S0/0/0

R1(config)# access-list 150 permit icmp any any echo-reply
R1(config)# access-list 150 permit icmp any any source-quench
R1(config)# access-list 150 permit icmp any any unreachable
R1(config)# access-list 150 deny icmp any any
R1(config)# access-list 150 permit ip any any

• Several outbound ICMP messages are required for proper network operation:
  - Echo - Allows users to ping external hosts.
  - Parameter problem - Informs the host of packet header problems.
  - Packet too big - Required for packet MTU discovery.
  - Source quench - Throttles down traffic when necessary.
  - Inbound on Fa0/0

OBJECT GROUPS EXAMPLE

In this example topology, there are 3 servers, each requiring outside to inside access for 3 protocols. Without object groups, we have to configure a permit statement for each server, for each protocol.

R1(config)# ip access-list extended In
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq https
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq https
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq https

For the same topology, using object group configuration, first create the service object for the services.

R1(config)# object-group service Web-svcs tcp
R1(config-service-group)# tcp smtp
R1(config-service-group)# tcp www
R1(config-service-group)# tcp https

• Next, create the network object for the servers. This example uses the range keyword; you can also use the host keyword or define a subnet.

R1(config)# object-group network Webservers
R1(config-network-group)# range 10.10.10.1 10.10.10.3

CLASSIC FIREWALL CONFIGURATION

An administrator needs to permit inside users to initiate TCP, UDP, and ICMP traffic with all external sources. Outside clients are allowed to communicate with the SMTP Mail server (209.165.201.2) and HTTP server (209.165.201.1) that are located in the enterprise demilitarized zone (DMZ). It is also necessary to permit certain ICMP messages to all interfaces. All other traffic from the external network is denied.

Step 1. Choose an interface, either internal or external.
Step 2. Configure IP ACLs at the interface.
Step 3. Define inspection rules.

Create an ACL that allows TCP, UDP, and ICMP sessions and denies all other traffic.

R1(config)# access-list 101 permit tcp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 permit udp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 permit icmp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 deny ip any any

This ACL is applied to the internal interface in the inbound direction. The ACL processes traffic initiating from the internal network prior to leaving the network.

R1(config)# interface Fa0/0
R1(config-if)# ip access-group 101 in

Next, create an extended ACL in which SMTP and HTTP traffic is permitted from the external network to the DMZ network only, and all other traffic is denied.

R1(config)# access-list 102 permit tcp any 209.165.201.1 0.0.0.0 eq 80
R1(config)# access-list 102 permit tcp any 209.165.201.2 0.0.0.0 eq smtp
R1(config)# access-list 102 permit icmp any any echo-reply
R1(config)# access-list 102 permit icmp any any administratively-prohibited
R1(config)# access-list 102 permit icmp any any packet-too-big
R1(config)# access-list 102 permit icmp any any echo
R1(config)# access-list 102 permit icmp any any time-exceeded
R1(config)# access-list 102 deny ip any any

This ACL is applied to the interface connecting to the external network in the inbound direction.

R1(config)# interface S0/0/0
R1(config-if)# ip access-group 102 in

Next, create inspection rules for TCP inspection and UDP inspection.

R1(config)# ip inspect name MYSITE tcp
R1(config)# ip inspect name MYSITE udp

These inspection rules are applied to the internal interface in the inbound direction.

R1(config)# interface Fa0/0
R1(config-if)# ip inspect MYSITE in

CONFIGURING CONTET-)ASED ACCESS CONTROL JC)ACK

1.- Con#ig%" $ n$"0 IP ACL on R4 o lo!7 $ll %$##i! o%igin$ing #%o 3" osi0" n">o%7. se the i/ $!!"ss-lis ""n0"0 command to create a named ; /".

R'(config)# i/ $!!"ss-lis ""n0"0 OUT-IN R'(config-et-nac!)# 0"n' i/ $n' $n'

R'(config-et-nac!)# "i

(14)

R'(config)# in"%#$!" s551

R'(config-if)# i/ $!!"ss-g%o/ OUT-IN in

4.- Con#i% 3$ %$##i! "n"%ing in"%#$!" S"%i$l 551 is 0%o//"0.

7rom the ;"-" command prompt3 ping the ;"-/ server. $he ":; echo rep!ies are !ocked y the /".

6.- C%"$" $ C)AC Ins/"!ion Rl"

"reate an inspection ru!e to inspect ":;3 $e!net3 and +$$; traffic. R'(config)# i/ ins/"! n$" IN-OUT-IN i!/

R'(config)# i/ ins/"! n$" IN-OUT-IN "ln" R'(config)# i/ ins/"! n$" IN-OUT-IN 3/

.- T%n on i"-s$/"0 logging $n0 C)AC $0i %$il "ss$g"s.

se the i/ ins/"! $0i-%$il  command to turn on "F/" audit messages to provide a record of net%ork access through the fire%a!!3 inc!uding i!!egitimate access attempts. 0na!e !ogging to the sys!og server3 192.16.1.'3 %ith the logging 3os command. :ake sure that !ogged messages are timestamped.

R'(config)# i/ ins/"! $0i-%$il

R'(config)# s"%&i!" i"s$/s 0"g 0$"i" s"! R'(config)# logging 3os 192.1<=.1.4

<.- A//l' 3" ins/"!ion %l" o "g%"ss %$##i! on in"%#$!" S551. R'(config-if)# i/ ins/"! IN-OUT-IN o

.- V"%i#' 3$ $0i %$il "ss$g"s $%" "ing logg"0 on 3" s'slog s"%&"%.

7rom ;"-"3 test connectivity to ;"-/ %ith ping3 $e!net3 and +$$;. ;ing and +$$; shou!d e successfu!. 8ote that ;"-/ %i!! reDect the $e!net session.

7rom ;"-/3 test connectivity to ;"-" %ith ping and $e!net. /!! shou!d e !ocked.

Revie% the sys!og messages on server ;"-/< c!ick the Con#ig ta and then c!ick the SYSLOG option.

=.- V"%i#' Fi%">$ll Fn!ion$li'

Epen a $e!net session from ;"-" to R2. $he $e!net shou!d succeed. 4hi!e the $e!net session is active3 issue the command s3o> i/ ins/"! s"ssions on R'. $his command.

R4 s3o> i/ ins/"! s"ssions disp!ays the eisting sessions that are current!y eing tracked and inspected y "F/"

R4 s3o> i/ ins/"! in"%#$!"s R4 s3o> i/ ins/"! !on#ig R4 0"g i/ ins/"! 0"$il"0

STEPS FOR CONFIGURING ZONE-BASED POLICY FIREWALLS WITH CLI

Step 1. Create the firewall zones with the zone security command.

R3(config)# zone security IN-ZONE
R3(config-sec-zone)# description Inside Network
R3(config)# zone security OUT-ZONE
R3(config-sec-zone)# description Outside Network

Step 2. Create an ACL that defines the internal traffic. Use the access-list command to create extended ACL 101, permitting all IP traffic from the 192.168.3.0/24 network to any destination.

R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any

Step 3. Define the traffic that will be subject to the firewall rules with the class-map type inspect command. (An ACL is used here.)

R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP     (class-map name)
R3(config-cmap)# match access-group 101

Step 4. Create a policy-map to determine what will be done when the traffic matches the ACL, using the policy-map type inspect command.

R3(config)# policy-map type inspect IN-2-OUT-PMAP      (policy-map name)
R3(config-pmap)# class type inspect IN-NET-CLASS-MAP    (class-map name)
R3(config-pmap-c)# inspect                              (the traffic will be inspected)

Step 5. Create the inside-to-outside zone pair (source and destination zones) using the zone-pair security command and naming the zones.

R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE

Step 6. Specify the policy map that handles the traffic between the zone pair. Attach the policy-map and its associated action (inspect) to the zone pair with the service-policy type inspect command, referencing the previously created policy map IN-2-OUT-PMAP.

R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)# exit

Step 7. Assign the router interfaces to the inside or outside zone using the zone-member security command.

R3(config)# interface fa0/1
R3(config-if)# zone-member security IN-ZONE
R3(config-if)# exit
R3(config)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE
R3(config-if)# exit

ZPF SUMMARY (TXT)

enable
configure terminal
hostname R3
zone security IN-ZONE
zone security OUT-ZONE
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
class-map type inspect match-all IN-NET-CLASS-MAP
match access-group 101
exit
policy-map type inspect IN-2-OUT-PMAP
class type inspect IN-NET-CLASS-MAP
inspect
exit
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
service-policy type inspect IN-2-OUT-PMAP
exit
interface fa0/1
zone-member security IN-ZONE
exit
interface s0/0/1
zone-member security OUT-ZONE
exit

ZBF PRACTICAL EXAMPLE

1 CREATE THE ZONES

zone security NETWORK
zone security INTERNET
zone security DMZ

2 CLASSIFY TRAFFIC WITH CLASS MAPS.

class-map type inspect match-any NETtoOUT
 match protocol http
 match protocol smtp
 match protocol pop3
 match protocol icmp
class-map type inspect match-any NETtoDMZ
 match protocol http
 match protocol dns
 match protocol tftp
 match protocol icmp
 match access-group name DHCP
ip access-list extended DHCP
 permit udp any any eq bootps
 permit udp any any eq bootpc

3 DEFINE THE POLICY-MAPS AND THE ACTION TO TAKE.

policy-map type inspect NETWORKtoOUTSIDE
 class type inspect NETtoOUT
  inspect
policy-map type inspect OUTSIDEtoNETWORK
 class type inspect OUTtoNET
  drop
 class type inspect NETtoDMZ
  inspect
policy-map type inspect DMZtoNETWORK
 class type inspect DMZtoNET
  inspect
policy-map type inspect OUTSIDEtoDMZ
 class type inspect OUTtoDMZ
  inspect
policy-map type inspect DMZtoOUTSIDE
 class type inspect DMZtoOUT
  inspect

4 CREATE THE ZONE PAIRS, WHICH APPLY THE POLICY BETWEEN ZONES.

zone-pair security NETtoOUT source NETWORK destination INTERNET
 service-policy type inspect NETWORKtoOUTSIDE

5 MAKE THE FW INTERFACES MEMBERS OF A ZONE.

FW(config-if)#int serial 0/0/0
FW(config-if)#zone-member security INTERNET
FW(config-if)#exit
FW(config-if)#int fa0/1
FW(config-if)#zone-member security DMZ
FW(config-if)#exit
FW(config)#int fa0/0
FW(config-if)#zone-member security NETWORK
FW(config-if)#exit

CONFIGURE IOS INTRUSION PREVENTION SYSTEM (IPS) USING CLI

1.- CREATE AN IOS IPS CONFIGURATION DIRECTORY IN FLASH.

On R1, create a directory in flash using the mkdir command. Name the directory ipsdir.

R1# mkdir ipsdir
Create directory filename [ipsdir]? <Enter>
Created dir flash:ipsdir

2.- CONFIGURE THE IPS SIGNATURE STORAGE LOCATION.

On R1, configure the IPS signature storage location to be the directory you just created.

R1(config)# ip ips config location flash:ipsdir

3.- CREATE AN IPS RULE.

On R1, create an IPS rule name using the ip ips name name command in global configuration mode. Name the IPS rule iosips.

4.- ENABLE LOGGING.

IOS IPS supports the use of syslog to send event notification. Syslog notification is enabled by default. If logging console is enabled, you see IPS syslog messages.

Enable syslog if it is not enabled.

R1(config)# ip ips notify log

Use the clock set command from privileged EXEC mode to reset the clock if necessary.

R1# clock set 01:20:00 6 January 2009

Enable the timestamp service if it is not enabled.

R1(config)# service timestamps log datetime msec

Send log messages to the syslog server at IP address 192.168.1.50.

R1(config)# logging host 192.168.1.50

5.- CONFIGURE IOS IPS TO USE THE SIGNATURE CATEGORIES.

Retire the all signature category with the retired true command (all signatures within the signature release). Unretire the IOS_IPS Basic category with the retired false command.

R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Enter>

6.- APPLY THE IPS RULE TO AN INTERFACE.

Apply the IPS rule to an interface with the ip ips name direction command in interface configuration mode. Apply the rule outbound on the Fa0/0 interface of R1. After you enable IPS, some log messages will be sent to the console line indicating that the IPS engines are being initialized.

Note: The direction in means that IPS inspects only traffic going into the interface. Similarly, out means only traffic going out the interface.

R1(config)# interface fa0/0
R1(config-if)# ip ips iosips out

7.- MODIFY THE SIGNATURE. CHANGE THE EVENT-ACTION OF A SIGNATURE.

Un-retire the echo request signature (signature 2004, subsig ID 0), enable it and change the signature action to alert and drop.

R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] <Enter>

8.- USE SHOW COMMANDS TO VERIFY IPS.

Use the show ip ips all command to see an IPS configuration status summary.

LAYER 2 SECURITY

1.- CONFIGURE THE ROOT BRIDGE

Assign Central as the primary root bridge.

Central(config)# spanning-tree vlan 1 root primary

Assign SW-1 as a secondary root bridge.

SW-1(config)# spanning-tree vlan 1 root secondary

2.- PROTECT AGAINST STP ATTACKS

SW-A(config)# interface range fastethernet 0/1 - 4
SW-A(config-if-range)# spanning-tree portfast

3.- ENABLE BPDU GUARD ON ALL ACCESS PORTS.

BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports.

SW-A(config)# interface range fastethernet 0/1 - 4
SW-A(config-if-range)# spanning-tree bpduguard enable

4.- ENABLE ROOT GUARD ON ALL TRUNK PORTS.

SW-1(config-if)# interface fa0/24
SW-1(config-if)# spanning-tree guard root

5.- ENABLE STORM CONTROL FOR BROADCASTS.

Enable storm control for broadcasts on all ports connecting switches (trunk ports). Set a 50 percent rising suppression level using the storm-control broadcast command.

SW-1(config)# interface gi1/1
SW-1(config-if)# storm-control broadcast level 50

6.- ENABLE TRUNKING INCLUDING ALL TRUNK SECURITY MECHANISMS ON THE TRUNK LINK.

Set the port to trunk, assign native VLAN 15 to the trunk port, and disable auto-negotiation.

SW-1(config)# interface fa0/23
SW-1(config-if)# no shutdown
SW-1(config-if)# switchport mode trunk
SW-1(config-if)# switchport nonegotiate

CONFIGURE AND VERIFY A SITE-TO-SITE IPSEC VPN USING CLI

Parameters                                          R1               R3
Key distribution method (Manual or ISAKMP)          ISAKMP           ISAKMP
Encryption algorithm (DES, 3DES, or AES)            AES              AES
Hash algorithm (MD5 or SHA1)                        SHA1             SHA1
Authentication method (Pre-shared keys or RSA)      pre-share        pre-share
Key exchange (DH Group 1, 2, or 5)                  DH 2             DH 2
IKE SA lifetime (86400 seconds or less)             86400            86400
ISAKMP key                                          vpnpa55          vpnpa55

Parameters                                          R1               R3
Transform set                                       VPN-SET          VPN-SET
Peer hostname                                       R3               R1
Peer IP address                                     10.2.2.2         10.1.1.2
Network to be encrypted                             192.168.1.0/24   192.168.3.0/24
Crypto map name                                     VPN-MAP          VPN-MAP
SA establishment                                    ipsec-isakmp     ipsec-isakmp

CONFIGURE IPSEC PARAMETERS ON R1

1.- IDENTIFY INTERESTING TRAFFIC ON R1.

Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R3 as interesting. Remember that due to the implicit deny all, there is no need to configure a deny any any statement.

R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

2.- CONFIGURE THE ISAKMP PHASE 1 PROPERTIES ON R1.

Configure the crypto ISAKMP policy 10 properties on R1 along with the shared crypto key vpnpa55. Refer to the ISAKMP Phase 1 table for the specific parameters to configure. Default values do not have to be configured, therefore only the encryption, key exchange method, and DH group must be configured.

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)# crypto isakmp key vpnpa55 address 10.2.2.2

3.- CONFIGURE THE ISAKMP PHASE 2 PROPERTIES ON R1.

Create the transform-set VPN-SET to use esp-3des and esp-sha-hmac. Then create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map.

R1(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to R3
R1(config-crypto-map)# set peer 10.2.2.2
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit

4.- CONFIGURE THE CRYPTO MAP ON THE OUTGOING INTERFACE.

Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface.

R1(config)# interface S0/0/0
R1(config-if)# crypto map VPN-MAP

CONFIGURE IPSEC PARAMETERS ON R3

1.- CONFIGURE ROUTER R3 TO SUPPORT A SITE-TO-SITE VPN WITH R1.

Now configure the reciprocating parameters on R3. Configure ACL 110 identifying the traffic from the LAN on R3 to the LAN on R1 as interesting.

R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

2.- CONFIGURE THE ISAKMP PHASE 1 PROPERTIES ON R3.

Configure the crypto ISAKMP policy 10 properties on R3 along with the shared crypto key vpnpa55.

R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# exit
R3(config)# crypto isakmp key vpnpa55 address 10.1.1.2

3.- CONFIGURE THE ISAKMP PHASE 2 PROPERTIES ON R3.

Like you did on R1, create the transform-set VPN-SET to use esp-3des and esp-sha-hmac. Then create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map.

R3(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R3(config)# crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)# description VPN connection to R1
R3(config-crypto-map)# set peer 10.1.1.2
R3(config-crypto-map)# set transform-set VPN-SET
R3(config-crypto-map)# match address 110
R3(config-crypto-map)# exit

4.- CONFIGURE THE CRYPTO MAP ON THE OUTGOING INTERFACE.

Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface. Note: This is not graded.

R3(config)# interface S0/0/1
R3(config-if)# crypto map VPN-MAP

5.- VERIFY THE IPSEC VPN

Verify the tunnel prior to interesting traffic. Issue the show crypto ipsec sa command on R1. Notice that the number of packets encapsulated, encrypted, decapsulated and decrypted are all set to 0.
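The Phase 1 table and the note that default values need not be configured together explain the most common site-to-site failure: one peer keeps an IOS default that the other overrode. The following added Python check (not part of the original page) parses the R1 and R3 commands shown above, fills in the IOS ISAKMP defaults, reports attributes that differ between the peers, and confirms that the two crypto ACLs mirror each other.

```python
"""Compare two IOS peers' ISAKMP policies and crypto ACLs for mismatches.

Added example, not part of the original cheat sheet. The R1/R3 config text
is constructed from the commands the page shows; attributes left unset are
filled from the IOS ISAKMP defaults, since the page notes that defaults need
not be configured but a peer that keeps default group 1 will not negotiate
with a peer configured for group 2."""
import re

# IOS defaults for crypto isakmp policy attributes that are not configured.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

R1_CONFIG = """\
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
# R3 mirrors R1, with the crypto ACL's source and destination networks swapped.
R3_CONFIG = R1_CONFIG.replace("192.168.1.0 0.0.0.255 192.168.3.0",
                              "192.168.3.0 0.0.0.255 192.168.1.0")

def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} with IOS defaults applied."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(m.group(1), dict(ISAKMP_DEFAULTS))
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current["encryption" if key == "encr" else key] = value  # show run abbreviates
        else:
            current = None  # any unindented line ends the policy sub-mode
    return policies

def phase1_mismatches(cfg_a, cfg_b):
    """Attributes that differ between the highest-priority policy of each peer."""
    pa, pb = parse_isakmp_policies(cfg_a), parse_isakmp_policies(cfg_b)
    a, b = pa[min(pa, key=int)], pb[min(pb, key=int)]
    return {k: (a[k], b[k]) for k in ISAKMP_DEFAULTS if a[k] != b[k]}

def crypto_acls_mirror(cfg_a, cfg_b, number="110"):
    """True when every permit entry of the crypto ACL on A is reversed on B."""
    pat = re.compile(rf"access-list {number} permit ip (\S+ \S+) (\S+ \S+)")
    a = [m.groups() for m in pat.finditer(cfg_a)]
    b = [m.groups() for m in pat.finditer(cfg_b)]
    return bool(a) and all((dst, src) in b for src, dst in a)
```

Dropping the `group 2` line from one side makes phase1_mismatches report `{"group": ("2", "1")}`, which is exactly the silent-default mismatch that a show crypto isakmp sa with no entries would otherwise leave you guessing about.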

TEACHER'S ASSIGNMENT

1. Define the zones as indicated in the topology.

zone security DMZ
zone security INSIDE
zone security OUTSIDE

2. Traffic must be permitted so that Router R4 can authenticate through RADIUS against the WinRadius server (PC2).

class-map type inspect match-any CM_OUT_TO_IN
 match protocol radius

policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect

zone-pair security ZP_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN

3. Traffic from PC4 to the WEB and FTP servers (PC3) must be permitted.

class-map type inspect match-any CM_OUT_TO_DMZ
 match protocol http

policy-map type inspect PM_OUT_TO_DMZ
 class type inspect CM_OUT_TO_DMZ
  inspect

zone-pair security ZP_OUT_TO_DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM_OUT_TO_DMZ

4. The internal network must also be able to reach the Web server (PC3); FTP is not permitted for this network.

class-map type inspect match-any CM_IN_TO_DMZ
 match protocol http

policy-map type inspect PM_IN_TO_DMZ
 class type inspect CM_IN_TO_DMZ
  inspect

zone-pair security ZP_IN_TO_DMZ source INSIDE destination DMZ
 service-policy type inspect PM_IN_TO_DMZ

5. The ACS server must be able to ping Router R4 (loopback) and the 10.40.0/24 network (it must not be allowed to create a state table).

access-list 100 permit ip host 10.6.20.10 any
class-map type inspect match-all CM_ACS
 match protocol icmp
 match access-group 100

policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_IN_TO_OUT
  inspect
 class type inspect CM_ACS
  pass

zone-pair security ZP_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT

access-list 101 permit ip any host 10.6.20.10
class-map type inspect match-all CM_ACS_R
 match access-group 101
 match protocol icmp

policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect
 class type inspect CM_ACS_R
  pass

zone-pair security ZP_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN

6. Users on the Internal network are allowed to browse the Internet (HTTP and DNS only).

class-map type inspect match-any CM_IN_TO_OUT
 match protocol http
 match protocol dns

policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_IN_TO_OUT
  inspect
 class type inspect CM_ACS
  pass

zone-pair security ZP_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT

7. The FW must have permission to Telnet and SSH to Routers R1 and R2 (loopback interfaces), as well as to send its logs to the syslog server (PC1); using the firewall's default policies is not permitted.

access-list 102 permit tcp host 10.6.23.3 any eq telnet
access-list 102 permit tcp host 10.6.13.3 any eq telnet
access-list 102 permit tcp host 10.6.13.3 any eq 22
access-list 102 permit tcp host 10.6.23.3 any eq 22
access-list 102 permit udp host 10.6.13.3 any eq syslog
access-list 102 permit udp host 10.6.23.3 any eq syslog
class-map type inspect match-any CM_SELF_TO_IN
 match access-group 102

policy-map type inspect PM_SELF_TO_IN
 class type inspect CM_SELF_TO_IN
  inspect

zone-pair security ZP_SELF_TO_IN source self destination INSIDE
 service-policy type inspect PM_SELF_TO_IN

8. PC2 must be allowed to manage the FW device through CCP (enable whatever is needed to meet this requirement).

access-list 103 permit tcp host 10.6.20.10 host 10.6.23.3 eq www
access-list 103 permit tcp host 10.6.20.10 host 10.6.23.3 eq 443
access-list 103 permit tcp host 10.6.20.10 host 10.6.13.3 eq 443
access-list 103 permit tcp host 10.6.20.10 host 10.6.13.3 eq www
class-map type inspect match-any CM_IN_TO_SELF
 match access-group 103

policy-map type inspect PM_IN_TO_SELF
 class type inspect CM_IN_TO_SELF
  inspect

zone-pair security ZP_IN_TO_SELF source INSIDE destination self
 service-policy type inspect PM_IN_TO_SELF

9. Client PC4 must have sufficient permissions to establish a VPN session to Router R1; for this the FW must create a state table for the ESP and AH protocols.

access-list 108 permit ahp host 10.6.40.10 host 10.6.13.1
access-list 108 permit esp host 10.6.40.10 host 10.6.13.1
class-map type inspect match-any CM_VPN
 match access-group 108

policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect
 class type inspect CM_ACS_R
  pass
 class type inspect CM_VPN
  inspect

zone-pair security ZP_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN

10. All EIGRP sessions must be maintained between the FW and Routers R1 and R2, and between the FW and Router R4.
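Because the tasks above build the firewall policy piece by piece, it is easy to lose track of what a given flow ends up hitting. The following added Python model (not part of the assignment or its solution) applies the IOS zone-based firewall matching rules to the zone-pairs, class-maps and ACLs from the tasks above, so a flow such as FTP from INSIDE to DMZ or EIGRP from the firewall's self zone to INSIDE can be checked against the intended outcome. It assumes the host addresses used in the ACLs above and ignores TCP/UDP port matching.

```python
"""Model how the page's zone-based firewall policies treat a flow.

Added example, not part of the original assignment. It encodes the IOS ZBF rules
the page's configs rely on: traffic between different zones is dropped unless a
zone-pair with a service-policy exists; the first matching class of that
policy-map decides (inspect/pass/drop) and class-default drops; traffic to or
from the router's own 'self' zone is allowed only while no zone-pair covers it.
Zone, class and host values come from the page; ACL port matches are omitted."""
# ACL entries as (protocol, source host, destination host); "any" is a wildcard.
ACLS = {"100": [("ip", "10.6.20.10", "any")], "101": [("ip", "any", "10.6.20.10")],
        "102": [("tcp", "10.6.23.3", "any"), ("tcp", "10.6.13.3", "any")],
        "103": [("tcp", "10.6.20.10", "10.6.23.3"), ("tcp", "10.6.20.10", "10.6.13.3")],
        "108": [("ahp", "10.6.40.10", "10.6.13.1"), ("esp", "10.6.40.10", "10.6.13.1")]}
# class-map -> (match-any | match-all, protocols matched, ACL number or None)
CLASS_MAPS = {"CM_OUT_TO_IN": ("any", {"radius"}, None), "CM_IN_TO_DMZ": ("any", {"http"}, None),
              "CM_OUT_TO_DMZ": ("any", {"http"}, None), "CM_IN_TO_OUT": ("any", {"http", "dns"}, None),
              "CM_ACS": ("all", {"icmp"}, "100"), "CM_ACS_R": ("all", {"icmp"}, "101"),
              "CM_VPN": ("any", set(), "108"), "CM_SELF_TO_IN": ("any", set(), "102"),
              "CM_IN_TO_SELF": ("any", set(), "103")}
# zone-pair (source, destination) -> classes of its policy-map, in order
ZONE_PAIRS = {
    ("OUTSIDE", "INSIDE"): [("CM_OUT_TO_IN", "inspect"), ("CM_ACS_R", "pass"), ("CM_VPN", "inspect")],
    ("OUTSIDE", "DMZ"): [("CM_OUT_TO_DMZ", "inspect")], ("INSIDE", "DMZ"): [("CM_IN_TO_DMZ", "inspect")],
    ("INSIDE", "OUTSIDE"): [("CM_IN_TO_OUT", "inspect"), ("CM_ACS", "pass")],
    ("self", "INSIDE"): [("CM_SELF_TO_IN", "inspect")], ("INSIDE", "self"): [("CM_IN_TO_SELF", "inspect")]}

def acl_permits(number, proto, src, dst):
    return any(p in ("ip", proto) and s in ("any", src) and d in ("any", dst)
               for p, s, d in ACLS[number])

def class_matches(name, proto, src, dst):
    mode, protocols, acl = CLASS_MAPS[name]
    checks = []
    if protocols:
        checks.append(proto in protocols)
    if acl:
        checks.append(acl_permits(acl, proto, src, dst))
    return any(checks) if mode == "any" else all(checks)

def flow_action(src_zone, dst_zone, proto, src, dst):
    """Return inspect, pass or drop for the first packet of a flow."""
    if src_zone == dst_zone:
        return "pass"  # intra-zone traffic is not policed
    classes = ZONE_PAIRS.get((src_zone, dst_zone))
    if classes is None:  # no zone-pair: only the self zone stays open
        return "pass" if "self" in (src_zone, dst_zone) else "drop"
    for name, action in classes:
        if class_matches(name, proto, src, dst):
            return action
    return "drop"  # class-default
```

Running EIGRP from the self zone shows why task 10 still needs work: the self/INSIDE zone-pairs created in tasks 7 and 8 drop everything their ACLs do not list, so EIGRP to R1 and R2 falls into class-default, while EIGRP to R4 in OUTSIDE still passes only because no zone-pair covers that direction.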
