Practical work for the CCNA Security option module: Configuration of CBAC and Zone-Based Firewalls. Engineering cycle, Department of Telecommunications / ENSA
CCNA Security
IP Addressing Table
Academic year 2013-2014
Device  Interface      IP Address        Subnet Mask       Default Gateway  Switch Port
R1      FA0/1          192.168.1.1       255.255.255.0     N/A              S1 FA0/5
R1      S0/0/0 (DCE)   10.1.1.1          255.255.255.252   N/A              N/A
R2      S0/0/0         10.1.1.2          255.255.255.252   N/A              N/A
R2      S0/0/1 (DCE)   10.2.2.2          255.255.255.252   N/A              N/A
R3      FA0/1          192.168.3.1       255.255.255.0     N/A              S3 FA0/5
R3      S0/0/1         10.2.2.1          255.255.255.252   N/A              N/A
PC-A    NIC            192.168.1.3       255.255.255.0     192.168.1.1      S1 FA0/6
PC-C    NIC            (not recovered)   255.255.255.0     192.168.3.1      S3 FA0/18

(The Device and IP Address columns were lost in the scan and are filled in from the addresses used elsewhere in this lab.)
Objectives

Part 1: Basic Router Configuration
Configure host names, interface IP addresses, and access passwords.
Configure the EIGRP dynamic routing protocol.
Use the Nmap port scanner to test for router vulnerabilities.

Part 2: Configuring a Context-Based Access Control (CBAC) Firewall
Configure CBAC using AutoSecure.
Examine the resulting CBAC configuration.
Verify the firewall functionality.

Part 3: Configuring a Zone-Based Policy Firewall (ZBF, ZPF or ZFW)
Configure a Zone-Based Policy Firewall using SDM.
Examine the resulting CBAC configuration.
Use SDM Monitor to verify configuration.
Background

The most basic form of a Cisco IOS firewall uses access control lists (ACLs) to filter IP traffic and monitor established traffic patterns. This is referred to as a traditional Cisco IOS firewall. In more recent Cisco IOS versions, this approach has evolved into a method called context-based access control (CBAC) or Inspect/CBAC, which is based on Stateful Packet Inspection (SPI). CBAC makes creating firewalls easier and gives the administrator greater control over various types of application traffic originating from inside and outside of the protected network. When Cisco IOS AutoSecure is run, it prompts to create a CBAC firewall and generates a basic configuration. For simple networks with a single inside and outside interface, CBAC is easier to configure than traditional Cisco IOS firewalls. Configurations with multiple interfaces and DMZ requirements can become complex and difficult to manage using CBAC. The current method used with SDM for securing routers is called a zone-based policy firewall (may be abbreviated as ZBF, ZPF or ZFW). A zone-based policy firewall provides the same type of functionality as CBAC, but is better suited for multiple interfaces that have similar or varying security requirements. While AutoSecure generates a CBAC firewall, SDM generates a ZBF firewall by default.
In this lab, you build a multi-router network and configure the routers and hosts. You use AutoSecure to configure a CBAC firewall and SDM to configure a zone-based policy firewall.

Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T (Advanced IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the router model and Cisco IOS version, the commands available and output produced might vary from what is shown in this lab.

Note: Make sure that the routers and the switches have been erased and have no startup configurations.

Required Resources

3 routers with SDM 2.5 installed (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
2 switches (Cisco 2960 or comparable)
PC-A (Windows XP or Vista)
PC-C (Windows XP or Vista)
Serial and Ethernet cables as shown in the topology
Rollover cables to configure the routers via the console
R1(config-line)#exec-timeout 5 0
R1(config-line)#login

c. Configure the password on the vty lines for router R1.

R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login

d. Repeat these configurations on both R2 and R3.

R1(config)#service password-encryption

b. Issue the show run command. Can you read the console, aux, and vty passwords? Why or why not?
Answer: No, we cannot read them; the passwords are encrypted.

c. Repeat this configuration on both R2 and R3.
Step 10: Save the basic running configuration for all three routers.

Save the running configuration to the startup configuration from the privileged EXEC prompt.

R1#copy running-config startup-config

Step 1: (Optional) Download and install Nmap and the Zenmap GUI front-end.

Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing.

a. If Nmap is already installed on PC-A and PC-C, go to Step 2. Otherwise, download the latest Windows version from http://nmap.org/download.html.

b. On PC-A and PC-C, run the Nmap setup utility and install all components listed, including the Zenmap GUI front-end. Click Next to accept the defaults when prompted.
Step 2: Scan for open ports on R1 using Nmap from internal host PC-A.

a. From internal host PC-A, start the Nmap-Zenmap application and enter the IP address of the default gateway, R1 Fa0/1 (192.168.1.1), as the Target. Accept the default Nmap command entered for you in the Command window and use the Intense scan profile.

Note: If the PC is running a personal firewall it may be necessary to turn it off temporarily to obtain accurate test results.
b. Click the Scan button to begin the scan of R1 from internal host PC-A. Allow some time for the scan to complete. The next two screens show the entire output of the scan after scrolling.
c. Click the Services button in the upper left side of the screen. What ports are open on R1 Fa0/1 from the perspective of internal host PC-A?
Answer: We note that from PC-A, Nmap detects two ports: Telnet (23) and HTTP (80).

What is the MAC address of the R1 Fa0/1 interface?
Answer: For this router the MAC address is cc00.141c.0000.

For R1, what type of device and what OS version does Nmap detect?
Answer: R1 is detected as a router with the OS Cisco IOS version 12.4.
Step 3: Scan for open ports on R1 using Nmap from external host PC-C.

a. From external host PC-C, start the Nmap-Zenmap application and enter the IP address of R1 S0/0/0 (10.1.1.1) as the Target. Accept the default Nmap command entered for you in the Command window and use the Intense scan profile.

b. Click the Scan button. Allow some time for the scan to complete. The next two screens show the entire output of the scan after scrolling.
c. Click the Services button below the Command entry field. What services are running and available on R1 from the perspective of PC-C?
Answer: The services that are running are Telnet and HTTP.

d. In the Nmap scan output, refer to the TRACEROUTE information. How many hops are between PC-C and R1 and through what IP addresses did the scan have to go to reach R1?
Answer: The number of hops the scan passes through to reach R1 is 3; the scan starts from PC-C, goes to R3 via interface Fa0/1 192.168.3.1, then to R2 S0/0/1 10.2.2.2, and finally to R1 S0/0/0 10.1.1.1.

Note: In Part 2 of this lab you will configure a CBAC firewall on R1 and then run Nmap again to test access from external host PC-C to R1.
Enter the number of interfaces facing the internet [1]: 1

Interface                  IP-Address      OK? Method Status                Protocol
(the interface name and address columns were not recovered from the scan; the visible columns read
                                           YES unset  administratively down down
                                           YES manual up                    up)

Enter the interface name that is facing the internet: serial0/0/0

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged. Any violations of access policy will result
  in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:
@ Unauthorized Access Prohibited @

Enable secret is either not configured or
 is the same as enable password
Enter the new enable secret: cisco12345
Confirm the enable secret : cisco12345
Enter the new enable password: cisco67890
Confirm the enable password: cisco67890

Configuration of local user database
Enter the username: admin
Enter the password: cisco12345
Confirm the password: cisco12345
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 60

Maximum Login failures with the device: 2

Maximum time period for crossing the failed login attempts: 30
Configure SSH server? [yes]: no

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected
to internet

Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C Unauthorized Access Prohibited ^C
security authentication failure rate 10 log
enable secret 5 $1$[hash not recoverable from the scan]
enable password 7 [string not recoverable from the scan]
username admin password 7 [string not recoverable from the scan]
aaa new-model
aaa authentication login local_auth local
line con 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
line tty 1
 login authentication local_auth
 exec-timeout 15 0
login block-for 60 attempts 2 within 30
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial0/0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial0/0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Vlan1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
access-list 100 permit udp any any eq bootpc
interface Serial0/0/0
 ip verify unicast source reachable-via rx allow-default 100
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
interface Serial0/0/0
 ip inspect autosec_inspect out
 ip access-group autosec_firewall_acl in
!
end

Apply this configuration to running-config? [yes]: yes

Applying the config generated to running-config
R1#
000043: *Dec 29 21:28:59.223 UTC: %AUTOSEC-1-MODIFIED: AutoSecure configuration has been Modified on this device

R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#15 permit eigrp any any
R1(config-ext-nacl)#end

d. Display the Extended ACL autosec_firewall_acl again.

R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
    10 permit udp any any eq bootpc
    15 permit eigrp any any (5 matches)
    20 deny ip any any (10 matches)

Notice that there is now some EIGRP packet activity for ACL statement 15.
Step 4: Scan for open ports on R1 using Nmap from external host PC-C.

a. From external host PC-C, use Nmap-Zenmap to scan R1 at Target IP address 10.1.1.1. Accept the default Nmap command entered for you in the Command window. Use the Intense scan profile.

b. Click the Scan button to begin scanning R1.

Now that the R1 CBAC firewall is in place, what services are available on R1 and what is the status of R1 from the perspective of external PC-C?
Answer: No service is detected. Only the status of R1 10.1.1.1 is reported as down by Nmap on PC-C.
b. What is the most common command issued that is related to CBAC?
Answer: The command is: ip inspect name autosec_inspect.

c. CBAC creates rules to track TCP and UDP flows using the ip inspect name name protocol command. To what interface is the autosec_inspect name applied and in what direction?
Answer: Outbound.

d. To which interface is the ACL autosec_firewall_acl applied and in which direction?
Answer: The interface is S0/0/0 and the direction is outbound.

e. What is the purpose of the ACL autosec_firewall_acl?
Answer: autosec_firewall_acl allows bootp traffic to enter the S0/0/0 interface and blocks the remaining non-established connections coming from outside R1.
Answer: The ping works because the IP address of PC-A and that of R1's Fa0/1 interface are in the same network (PC-A's gateway), and also the firewall has no effect on this traffic.
b. Notice the 27 matches on ACL line 20. What is this a result of?
Answer: They are the results of the earlier connection attempts that were blocked.

c. Configure R1 to allow Telnet access by adding a statement to the Extended ACL autosec_firewall_acl that permits TCP port 23 (Telnet).

R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#18 permit tcp any any eq 23
R1(config-ext-nacl)#end

d. From external router R2, telnet again to R1 at IP address 10.1.1.1.

R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open

Unauthorized Access Prohibited

User Access Verification

Username: admin
Password: cisco12345
R1#

e. From the Telnet session on R1, display the modified Extended ACL autosec_firewall_acl.

R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
    10 permit udp any any eq bootpc
    15 permit eigrp any any (25 matches)
    18 permit tcp any any eq telnet (12 matches)
    20 deny ip any any (57 matches)

f. Notice the new line 18 in the ACL and the 12 matches. What is this a result of?
Answer: It is the result of the connection attempt that has just been accepted.

g. Remove Telnet external access from the R1 firewall ACL.
R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#no 18 permit tcp any any eq telnet
R1(config-ext-nacl)#end

Note: SSH is recommended instead of Telnet, because it provides a more secure way to allow remote administration access to a router or other networking device. SSH provides encrypted communication; however, some additional configuration is required to support the SSH connection. Refer to Chapter 2 Lab A for the procedure to enable SSH. For added security, configure SSH as the only input transport on the vty lines and remove Telnet as an input transport. Allowing SSH access to R1 from external hosts also requires adding a statement to the Extended ACL autosec_firewall_acl that permits TCP port 22 (SSH).

Step 7: Test Telnet access from internal PC-A to external router R2.

a. From PC-A, telnet to R2 at IP address 10.1.1.2.

C:\>telnet 10.1.1.2
b. Was the telnet attempt successful? Why or why not?
Answer: The Telnet connection attempt was carried out successfully, because it was launched from R1's LAN and was authorized.

c. Log in to R2 by providing the vty password of ciscovtypass.

d. Leave the Telnet session open.
Outgoing access list is not set
Established Sessions
 Session 6556C128 (192.168.1.3:1185)=>(10.1.1.2:23) tcp SIS_OPEN

b. In the Established Sessions section, what is the source IP address and port number for Session 6556C128?
Answer: The source IP is 192.168.1.3, and the port number for this session is 1185.

c. What is the destination IP address and port number for Session 6556C128?
Answer (partly lost in the scan): ... session is 23.

R1#show ip inspect sessions detail
Established Sessions
 Session 6556C128 (192.168.1.3:1185)=>(10.1.1.2:23) tcp SIS_OPEN
  Created 00:00:09, Last heard 00:00:02
  Bytes sent (initiator:responder) [45:154]
  In SID 10.1.1.2[23:23]=>192.168.1.3[1185:1185] on ACL autosec_firewall_acl (19 matches)

b. Close the Telnet connection when you are finished verifying CBAC operation.
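The two mechanisms the lab has just exercised on R1's Serial0/0/0, the static inbound ACL autosec_firewall_acl (questions b-e above) and the CBAC session table created by ip inspect autosec_inspect out (the show ip inspect sessions output), can be replayed in a small model. The following Python is an added example written for this page; it is not Cisco IOS code and not part of the lab. The ACL lines, sequence numbers and addresses are those of the lab; the packets (port numbers, the bootp reply) are constructed, and the model simplifies CBAC to "an outbound TCP/UDP flow opens a return-traffic entry that is checked before the inbound ACL".

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "eigrp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


# One ACL entry: (sequence number, action, protocol, destination port or None for any)
AclLine = Tuple[int, str, str, Optional[int]]


@dataclass
class CbacRouter:
    """R1 with 'ip access-group autosec_firewall_acl in' and 'ip inspect autosec_inspect out'
    on Serial0/0/0, as generated by AutoSecure in the lab."""
    acl: List[AclLine] = field(default_factory=lambda: [
        (10, "permit", "udp", 68),   # 10 permit udp any any eq bootpc
        (20, "deny", "ip", None),    # 20 deny ip any any
    ])
    sessions: Dict[tuple, str] = field(default_factory=dict)   # CBAC session table
    matches: Dict[int, int] = field(default_factory=dict)      # per-line hit counters

    def add_acl_line(self, seq: int, action: str, proto: str, dport: Optional[int] = None) -> None:
        self.acl = sorted(self.acl + [(seq, action, proto, dport)], key=lambda line: line[0])

    def remove_acl_line(self, seq: int) -> None:
        self.acl = [line for line in self.acl if line[0] != seq]

    def outbound(self, pkt: Packet) -> str:
        # autosec_inspect covers generic tcp and udp, so every outbound TCP/UDP flow
        # gets a session entry (shown as SIS_OPEN by 'show ip inspect sessions').
        if pkt.proto in ("tcp", "udp"):
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "SIS_OPEN"
        return "forwarded"

    def inbound(self, pkt: Packet) -> str:
        # Return traffic of an inspected session is admitted before the static ACL is
        # consulted; that is why PC-A's Telnet reply gets back in although the ACL
        # ends in 'deny ip any any'.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permit (CBAC session return traffic)"
        for seq, action, proto, dport in self.acl:
            if proto in ("ip", pkt.proto) and (dport is None or dport == pkt.dport):
                self.matches[seq] = self.matches.get(seq, 0) + 1
                return f"{action} (ACL line {seq})"
        return "deny (implicit)"


def run_lab_scenario() -> Dict[str, str]:
    """Replay the lab's steps with constructed packets; addresses come from the lab topology."""
    r1 = CbacRouter()
    result: Dict[str, str] = {}
    telnet_from_r2 = Packet("tcp", "10.1.1.2", "10.1.1.1", sport=1024, dport=23)      # unsolicited
    eigrp_hello = Packet("eigrp", "10.1.1.2", "224.0.0.10")
    bootp_reply = Packet("udp", "10.1.1.2", "255.255.255.255", sport=67, dport=68)     # constructed
    pca_telnet = Packet("tcp", "192.168.1.3", "10.1.1.2", sport=1185, dport=23)       # PC-A -> R2
    r2_reply = Packet("tcp", "10.1.1.2", "192.168.1.3", sport=23, dport=1185)

    result["telnet from R2"] = r1.inbound(telnet_from_r2)
    result["eigrp before line 15"] = r1.inbound(eigrp_hello)
    r1.add_acl_line(15, "permit", "eigrp")        # R1(config-ext-nacl)#15 permit eigrp any any
    result["eigrp after line 15"] = r1.inbound(eigrp_hello)
    result["bootp reply"] = r1.inbound(bootp_reply)
    r1.outbound(pca_telnet)                       # PC-A opens Telnet to R2 through S0/0/0
    result["reply to PC-A"] = r1.inbound(r2_reply)
    r1.add_acl_line(18, "permit", "tcp", 23)      # 18 permit tcp any any eq 23
    result["telnet with line 18"] = r1.inbound(telnet_from_r2)
    r1.remove_acl_line(18)                        # no 18 permit tcp any any eq telnet
    result["telnet after removal"] = r1.inbound(telnet_from_r2)
    result["line 20 matches"] = str(r1.matches.get(20, 0))
    return result


if __name__ == "__main__":
    for step, verdict in run_lab_scenario().items():
        print(f"{step:24s} -> {verdict}")
```

The point the model makes is the one behind question e: the ACL alone would cut R1 off from everything (including the EIGRP neighbor, until line 15 is added), and it is the inspect entry, not an ACL line, that admits the reply to PC-A's session; the match counter on line 20 grows only for unsolicited inbound packets.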
Answer: Yes, successfully.

If the pings are not successful, troubleshoot the basic device configurations before continuing.

Step 1: Configure the enable secret password and HTTP router access prior to starting SDM.

a. From the CLI, configure the enable secret password for use with SDM on R3.

R3(config)#enable secret cisco12345

b. Enable the HTTP server on R3.

R3(config)#ip http server
c. Select Basic Firewall and click the Launch the selected task button.

d. In the Basic Firewall Configuration Wizard window, familiarize yourself with what the Basic Firewall does. What does the Basic Firewall do with traffic from outside zones to inside zones?
Answer: The Basic Firewall blocks traffic from the outside to the inside.

e. Click Next to continue.

f. Check the Inside (trusted) check box for FastEthernet0/1 and the Outside (untrusted) check box for Serial0/0/1. Click Next.
g. Click OK when the warning is displayed telling you that you cannot launch SDM from the S0/0/1 interface after the Firewall wizard completes.

h. Move the slider between High, Medium, and Low security to familiarize yourself with what each provides. What is the main difference between High security and Medium or Low security?
Answer: The difference is: High security: detects incoming and outgoing traffic (IM, P2P) and blocks it. Medium security: detects incoming and outgoing traffic (IM, P2P) and lets it pass while tracking it. Low security: does not detect any traffic for specific applications such as IM and P2P, but still inspects all of it to check the origin of the connection; if it came from the internal network it is fine, otherwise it is refused.

i. Move the slider to Low Security and click the Preview Commands button to preview the commands that are delivered to the router. When you are finished reviewing the commands, click Close and then click Next.

j. Review the Firewall Configuration Summary. What does this display provide?
Answer: The Firewall Configuration Summary displays a summary of the configuration that we have already made with the Firewall wizard utility.

k. Click Finish to complete the Firewall wizard.

l. When the Routing traffic configuration window displays, ensure that the check box Allow EIGRP updates to come through the firewall is checked and click OK.

Note: This screen only displays if a dynamic routing protocol is configured.

m. What would happen if this box was not checked?
Answer: EIGRP routing would be blocked by the firewall and consequently the routing table updates would not take place; as a result R3 would not be aware of the existence of the 10.1.1.0/30 or 192.168.1.0/24 segments.
n. In addition to EIGRP, for what other routing protocols does the firewall allow updates?
Answer: Routing protocols such as OSPF and RIP.

o. In the Deliver Configuration to Router window, make sure that the Save running config to router's startup config check box is checked and click Deliver.

p. Click OK in the Commands Delivery Status window. How many commands were generated by the Firewall wizard?
Answer: The number of commands generated by the Firewall wizard is 115 commands.

q. Click OK to display the message that you have successfully configured a firewall on the router. Click OK to close the message window.

r. The Edit Firewall Policy window displays with the Rule Diagram.

s. In the Rule Diagram, locate access list 100 (folder icon). What action is taken and what rule options are applied for traffic with an invalid source address in the 127.0.0.0/8 address range?
In ACL 100, notice that the source addresses listed are permitted. The ACL uses permit statements to identify these addresses as a group so that they can be matched with the class-map type inspect match-all sdm-invalid-src command and then dropped and logged by the class type inspect sdm-invalid-src command, which is one of the class types specified for the sdm-inspect policy-map.

d. Issue the command show run | beg EIGRP to display the running configuration beginning with the line that contains the first occurrence of the text "EIGRP". Continue to press Enter until you see all the commands in the firewall configuration that are related to EIGRP routing protocol updates on R3. You should see the following commands:

class-map type inspect match-any SDM_EIGRP
 match access-group name SDM_EIGRP
class-map type inspect match-any SDM_EIGRP_TRAFFIC
 match class-map SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT
 match class-map SDM_EIGRP_TRAFFIC
policy-map type inspect sdm-permit
 class type inspect SDM_EIGRP_PT
  pass
 class class-default
  drop
Zone pair information

c. Click the Configure button and select Additional Tasks > ACL Editor > Firewall Rules. There should be an ACL that lists fake source addresses, such as the broadcast address of 255.255.255.255 and the 127.0.0.0/8 network. These were identified in the running configuration output in Task 3, Step 1b.

d. Click the Configure button and select Additional Tasks > Zones to verify the zones configuration. What interfaces are listed and in what zone is each?
Answer: out-zone: Serial 0/0/1; in-zone: FastEthernet 0/1.

e. Click Configure and select Additional Tasks > Zones Pairs to verify the zone pairs configuration. Fill in the following information.
Answer: Zone Pair: sdm-zp-self-out, sdm-zp-out-self, sdm-zp-self-out.

f.

g. What is C3PL short for?
Answer: Cisco Common Classification Policy Language.

h. Expand the C3PL menu and select Class Map > Inspection. How many class maps were created by the SDM Firewall wizard?
Answer: The SDM Firewall wizard created 10 class maps.

i. Select C3PL > Policy Map > Protocol Inspection. How many policy maps were created by the SDM Firewall wizard? Examine the details for the policy map sdm-permit that is applied to the sdm-zp-out-self zone pair. Fill in the information below. List the action for the traffic matching each of the class maps referenced within the sdm-permit policy map.
Answer: Name: SDM_EIGRP_PT, Action: Pass. Name: class-default, Action: Drop.
C    10.2.2.0 is directly connected, Serial0/0/1
D    10.1.1.0 [90/21024000] via 10.2.2.2, 00:34:12, Serial0/0/1
D    192.168.1.0/24 [90/21026560] via 10.2.2.2, 00:32:16, Serial0/0/1
C    192.168.3.0/24 is directly connected, FastEthernet0/1

b. Which networks has R3 learned via the EIGRP routing protocol?
Answer: The networks 10.1.1.0/30 and 192.168.1.0/24.
d. From the R2 CLI, ping the R3 S0/0/1 interface at IP address 10.2.2.1. The pings should fail.

e. From the R2 CLI, telnet to the R3 S0/0/1 interface at IP address 10.2.2.1. The telnet attempt should fail.

f. Click the Dropped Packets option and observe the graph showing the number of dropped packets resulting from the failed ping and telnet attempts. Your screen should look similar to the one below.
g. Click the Allowed Packets option and observe the graph showing the number of EIGRP packets received from router R3. This number will continue to grow at a steady pace as EIGRP updates are received from R2.
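Steps d through g above, the zone pair list and the class-map/policy-map configuration shown earlier, all follow from how a zone-based policy firewall evaluates a packet: find the source zone from the ingress interface, the destination zone from where the packet is going, look up the zone pair, and walk the policy map's classes in order. The following Python is an added example written for this page, not SDM's or Cisco's code. The zones, the sdm-permit policy on sdm-zp-out-self, the SDM_EIGRP_PT class and the sdm-invalid-src drop/log class are taken from the lab; the name of the inside-to-outside zone pair and its inspection class, the inside host address 192.168.3.3 and the sample packets are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", "icmp" or "eigrp"
    src: str
    dst: str
    in_iface: str     # interface the packet arrived on
    dport: int = 0


# Zone membership as listed under Additional Tasks > Zones on R3
IFACE_ZONE = {"FastEthernet0/1": "in-zone", "Serial0/0/1": "out-zone"}
INSIDE_NET = ip_network("192.168.3.0/24")
R3_SELF = {"192.168.3.1", "10.2.2.1", "224.0.0.10"}   # R3's addresses plus the EIGRP multicast group
# Two of the bogus sources that ACL 100 groups for the sdm-invalid-src class map
INVALID_SOURCES = [ip_network("127.0.0.0/8"), ip_network("255.255.255.255/32")]

ClassMap = Callable[[Packet], bool]


def cm_sdm_eigrp_pt(pkt: Packet) -> bool:
    # SDM_EIGRP_PT -> SDM_EIGRP_TRAFFIC -> SDM_EIGRP -> access-group SDM_EIGRP: EIGRP only
    return pkt.proto == "eigrp"


def cm_sdm_invalid_src(pkt: Packet) -> bool:
    return any(ip_address(pkt.src) in net for net in INVALID_SOURCES)


def cm_inspectable(pkt: Packet) -> bool:
    # Stand-in (assumed name) for the wizard's TCP/UDP/ICMP inspection class
    return pkt.proto in ("tcp", "udp", "icmp")


def cm_default(pkt: Packet) -> bool:
    return True


# Zone pair -> (policy-map name, ordered classes). sdm-zp-out-self/sdm-permit is from the lab;
# the in->out pair name and its inspection class are assumptions.
POLICIES: Dict[Tuple[str, str], Tuple[str, List[Tuple[str, ClassMap, str]]]] = {
    ("out-zone", "self"): ("sdm-permit", [
        ("SDM_EIGRP_PT", cm_sdm_eigrp_pt, "pass"),
        ("class-default", cm_default, "drop"),
    ]),
    ("in-zone", "out-zone"): ("sdm-inspect", [
        ("sdm-invalid-src", cm_sdm_invalid_src, "drop log"),
        ("inspect-traffic (assumed)", cm_inspectable, "inspect"),
        ("class-default", cm_default, "drop"),
    ]),
}


def destination_zone(dst: str) -> str:
    if dst in R3_SELF:
        return "self"
    return "in-zone" if ip_address(dst) in INSIDE_NET else "out-zone"


def evaluate(pkt: Packet) -> str:
    src_zone = IFACE_ZONE[pkt.in_iface]
    dst_zone = destination_zone(pkt.dst)
    if src_zone == dst_zone:
        return "pass (same zone)"
    policy = POLICIES.get((src_zone, dst_zone))
    if policy is None:
        # ZBF defaults: no zone pair means drop, except that traffic to or from the
        # router's own self zone is allowed when no policy exists for it.
        if "self" in (src_zone, dst_zone):
            return "pass (self zone, no zone pair)"
        return "drop (no zone pair)"
    name, classes = policy
    for cls_name, match, action in classes:
        if match(pkt):
            return f"{action} ({name}/{cls_name})"
    return "drop (class-default)"


def run_lab_scenario() -> Dict[str, str]:
    """Constructed packets replaying Part 3; 192.168.3.3 stands in for the inside host."""
    s, f = "Serial0/0/1", "FastEthernet0/1"
    return {
        "EIGRP hello from R2": evaluate(Packet("eigrp", "10.2.2.2", "224.0.0.10", s)),
        "ping from R2 to R3 S0/0/1": evaluate(Packet("icmp", "10.2.2.2", "10.2.2.1", s)),
        "telnet from R2 to R3 S0/0/1": evaluate(Packet("tcp", "10.2.2.2", "10.2.2.1", s, 23)),
        "R2 to inside host": evaluate(Packet("tcp", "10.2.2.2", "192.168.3.3", s, 80)),
        "inside host to R1": evaluate(Packet("tcp", "192.168.3.3", "10.1.1.1", f, 80)),
        "spoofed loopback source": evaluate(Packet("tcp", "127.0.0.1", "10.1.1.1", f, 80)),
    }


if __name__ == "__main__":
    for step, verdict in run_lab_scenario().items():
        print(f"{step:28s} -> {verdict}")
```

Run stand-alone, the model reproduces what SDM Monitor shows: the EIGRP hellos from R2 are the only packets counted as allowed on the out-zone to self pair, the ping and telnet from R2 to 10.2.2.1 land in class-default and are counted as dropped, outside-to-inside traffic is dropped for lack of any zone pair (the Basic Firewall's default), and a packet with a 127.0.0.0/8 source is dropped and logged by sdm-invalid-src before any inspection happens.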
Task 6: Reflection

What are some factors to consider when configuring firewalls using traditional manual CLI methods compared to using the automated AutoSecure CBAC and the SDM Firewall wizard GUI methods?
Answer: Traditional CLI methods: they require advanced know-how of ACLs and of handling Cisco IOS security commands. These methods also consume an enormous amount of time during their handling and, given their complexity, cause syntax errors. AutoSecure CBAC: it can cause problems, for example at the routing level, as already mentioned in the lab for the EIGRP and OSPF routing protocols, and the difficulty of configuring the internal CBAC interfaces makes the task somewhat hard. Finally, as far as command handling goes, AutoSecure CBAC makes the procedure easy with automated processes and gives the administrator an alternative to the syntactic complexity of handling Cisco IOS commands.
SDM: it is the best method; it offers flexibility together with simplicity for configuring the firewall on several routers with multiple interfaces and a DMZ.
Router Interface Summary Table

Router Model  Ethernet Interface #1       Ethernet Interface #2       Serial Interface #1      Serial Interface #2
1700          Fast Ethernet 0 (FA0)       Fast Ethernet 1 (FA1)       Serial 0 (S0)            Serial 1 (S1)
1800          Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2600          Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0 (S0/0)        Serial 0/1 (S0/1)
2800          Fast Ethernet 0/0 (FA0/0)   Fast Ethernet 0/1 (FA0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
Router configurations

Router R1
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 no fair-queue
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 14141918060929242-38322631
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 045802150,2<4?591109040401
 login
line vty 0 4
 exec-timeout 5 0
 password 7 0508061,2243581?0015160118
 login
!
scheduler allocate 20000 1000
end
Router R2 configuration
R2# sh run
Building configuration...

Current configuration : 1369 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 no fair-queue
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 clock rate 64000
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 10.2.2.0 0.0.0.3
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 0508061,22434?061J15160118
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 104?000-0618131<141429383J
 login
line vty 0 4
 exec-timeout 5 0
Router R3 configuration
R3# sh run
Building configuration...

Current configuration : 1347 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.2.2.0 0.0.0.3
 network 192.168.3.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 0110061J58040500265,461-0
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 09464J1-1-0-160J131,053938
 login
line vty 0 4
 exec-timeout 5 0
 password 7 1414191806093,363?38322631
 login
!
scheduler allocate 20000 1000
end
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
login block-for 60 attempts 2 within 30
!
no ipv6 cef
multilink bundle-name authenticated
!
username admin password 7 151102160J25J-J6J96J60
archive
 log config
  logging enable
  hidekeys
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 ip access-group autosec_firewall_acl in
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect autosec_inspect out
 snmp trap ip verify drop-rate
 no fair-queue
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no mop enabled
!
router eigrp 101
 network 10.1.1.0 0.0.0.3
 network 192.168.1.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
control-plane
!
banner motd ^C Unauthorized Access Prohibited ^C
!
line con 0
 exec-timeout 5 0
 password 7 121-0,04110406092439253920
 logging synchronous
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 password 7 0508061,2243461,0115160118
 login authentication local_auth
 transport output telnet
line vty 0 4
 exec-timeout 5 0
 password 7 104?000-06180416151429383J
 login authentication local_auth
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_EIGRP
 match access-group name SDM_EIGRP
class-map type inspect match-any SDM_EIGRP_TRAFFIC
 match class-map SDM_EIGRP
class-map type inspect match-all SDM_EIGRP_PT
 match class-map SDM_EIGRP_TRAFFIC
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_EIGRP_PT
  pass
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.3.1 255.255.255.0
 zone-member security in-zone
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 description $FW_OUTSIDE$
 ip address 10.2.2.1 255.255.255.252
 zone-member security out-zone
!
interface Vlan1
 no ip address
!
router eigrp 101
 network 10.2.2.0 0.0.0.3
 network 192.168.3.0
 no auto-summary
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip access-list extended SDM_EIGRP
 remark SDM_ACL Category=1
 permit eigrp any any
!
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.2.2.0 0.0.0.3 any
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 0110061J58040500265,461-0
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 13061<01080305363334292026
 login
line vty 0 4
 exec-timeout 5 0
 password 7 030J521805003J585J19181604
 login
!
scheduler allocate 20000 1000
end
R3#
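Examining an SDM-generated zone-based firewall by eye is error-prone once it spans several pages, so the following Python script is an added example (not part of the lab, and not an SDM or Cisco tool) that audits a running-config like the R3 one above. It parses the config into top-level commands with their indented sub-commands and then checks that every zone-pair names defined zones and a defined policy-map, that every class in those policy-maps is a defined class-map with an action, that an inter-zone policy whose class-default action is pass is flagged, and that every interface carrying an IP address belongs to a zone. The embedded sample is a constructed, trimmed copy of the R3 excerpt (the full class-map list is omitted); the function names and the wording of the findings are my own.

```python
import re

# Constructed sample: a trimmed copy of the R3 zone-based firewall config in this appendix.
R3_ZBF_SAMPLE = """\
class-map type inspect match-all sdm-icmp-access
 match protocol icmp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect
 class class-default
  pass
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 zone-member security in-zone
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
 zone-member security out-zone
"""


def parse_ios(text):
    """Group an IOS config into (top-level command, [indented sub-commands]) pairs.
    Indented lines attach to the most recent top-level line; '!' separators are dropped."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] == " " and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_zbf(text):
    """Return a list of findings (strings) for a zone-based policy firewall config."""
    zones, class_maps, policy_maps, zone_pairs, interfaces = set(), set(), {}, [], {}
    for head, body in parse_ios(text):
        words = head.split()
        if head.startswith("zone security "):
            zones.add(words[2])
        elif head.startswith("class-map type inspect "):
            class_maps.add(words[-1])
        elif head.startswith("policy-map type inspect "):
            classes, cur = {}, None
            for line in body:
                if line.startswith("class "):          # 'class type inspect X' or 'class class-default'
                    cur = line.split()[-1]
                    classes[cur] = None
                elif cur is not None:                  # first keyword of the action: inspect/pass/drop
                    classes[cur] = line.split()[0]
            policy_maps[words[-1]] = classes
        elif head.startswith("zone-pair security "):
            m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", head)
            policy = next((l.split()[-1] for l in body if l.startswith("service-policy ")), None)
            zone_pairs.append((m.group(1), m.group(2), m.group(3), policy))
        elif head.startswith("interface "):
            interfaces[words[1]] = body

    findings = []
    for pair, src, dst, policy in zone_pairs:
        for z in (src, dst):
            if z != "self" and z not in zones:
                findings.append(f"zone-pair {pair}: zone '{z}' is not defined")
        if policy not in policy_maps:
            findings.append(f"zone-pair {pair}: service-policy '{policy}' is not a defined policy-map")
            continue
        for cls, action in policy_maps[policy].items():
            if cls != "class-default" and cls not in class_maps:
                findings.append(f"policy-map {policy}: class-map '{cls}' is not defined")
            if action is None:
                findings.append(f"policy-map {policy}: class '{cls}' has no action")
        # 'pass' forwards unmatched packets one-way with no session state; only 'inspect' is stateful
        if "self" not in (src, dst) and policy_maps[policy].get("class-default") == "pass":
            findings.append(f"zone-pair {pair}: class-default is 'pass', so unmatched {src}->{dst} "
                            "traffic is forwarded without stateful inspection")
    for name, body in interfaces.items():
        has_ip = any(l.startswith("ip address ") for l in body)
        zoned = any(l.startswith("zone-member security ") for l in body)
        if has_ip and "shutdown" not in body and not zoned:
            findings.append(f"interface {name}: has an IP address but belongs to no zone; "
                            "traffic between it and any zone member is dropped")
    return findings


if __name__ == "__main__":
    for finding in audit_zbf(R3_ZBF_SAMPLE):
        print(finding)
```

Run against the sample, the only finding is the permissive class-default on sdm-zp-in-out, which mirrors what the SDM wizard generated for R3 above: inside-to-outside traffic that matches none of the inspect classes is passed rather than dropped. Appending an interface with an address but no zone-member line, or deleting one of the class-maps a policy-map references, produces the corresponding findings.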