CONFIGURE R1 AS AN NTP CLIENT.
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 ciscontppa55
R1(config)# ntp trusted-key 1
R1(config)# ntp server 192.168.1.5 key 1
Step 2. Create a user ID of SSHadmin with the highest possible privilege level and a secret password of ciscosshpa55.
R3(config)# username SSHadmin privilege 15 secret ciscosshpa55
Step 3. Configure the incoming VTY lines on R3. Use the local user accounts for mandatory login and validation. Accept only SSH connections.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh
Step 4. Erase existing key pairs on R3. Any existing RSA key pairs should be erased on the router.
R3(config)# crypto key zeroize rsa
TO SECURE THE IOS IMAGE AND ENABLE CISCO IOS IMAGE RESILIENCE
R1(config)# secure boot-image
CREATE ACLs
ACL EXAMPLES
permit udp any 192.168.1.0 0.0.0.255 eq domain      Allows any host to reach DNS
permit tcp any 192.168.1.0 0.0.0.255 eq smtp        Allows any host to reach SMTP
permit tcp any 192.168.1.0 0.0.0.255 eq ftp         Allows any host to reach FTP
deny tcp any host 192.168.1.3 eq 443                Denies any host access to HTTPS on 192.168.1.3
permit tcp any host 192.168.3.3 eq 22               Allows any host to reach SSH on 192.168.3.3
permit icmp any any echo-reply                      Allows echo replies from any host
permit icmp any any unreachable                     Allows destination unreachable from any host
deny icmp any any                                   Denies ICMP from any host (all other ICMP types)
permit ip any any                                   Allows any host to reach anywhere
ACL TO PERMIT THE PROTOCOLS NEEDED FOR ESP (50) - AH (51) - ISAKMP (UDP PORT 500)
Create an EXTENDED NAMED ACL called ACL-1, applied inbound on interface Fa0/0, that denies the workgroup server from going out but allows the rest of the LAN users outside access using the established keyword.
R1(config)# ip access-list extended ACL-1
R1(config-ext-nacl)# remark LAN ACL
R1(config-ext-nacl)# deny ip host 192.168.1.6 any
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any established
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface Fa0/0
R1(config-if)# ip access-group ACL-1 in
R1(config-if)# exit
CREATE AN EXTENDED NAMED ACL called ACL-2, applied outbound on the DMZ interface Fa0/1, to permit access to the specified Web and Email servers.
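The commands for ACL-2 are not on the page. The following is an added example (not the original lab's configuration) that implements the description above; the DMZ server addresses 192.168.2.3 (web) and 192.168.2.4 (mail) are assumed placeholders.

```cisco
! Added example: extended named ACL for the DMZ, applied outbound on Fa0/1.
! The server addresses below are assumed placeholders, not from the original lab.
R1(config)# ip access-list extended ACL-2
R1(config-ext-nacl)# remark DMZ ACL
R1(config-ext-nacl)# permit tcp any host 192.168.2.3 eq www
R1(config-ext-nacl)# permit tcp any host 192.168.2.3 eq 443
R1(config-ext-nacl)# permit tcp any host 192.168.2.4 eq smtp
! Explicit deny with log so that dropped packets show up in syslog
R1(config-ext-nacl)# deny ip any any log
R1(config-ext-nacl)# exit
R1(config)# interface Fa0/1
R1(config-if)# ip access-group ACL-2 out
R1(config-if)# exit
! Verify the entries and the hit counters
R1# show access-lists ACL-2
```

Because the ACL is applied outbound toward the DMZ, the `any` source covers both the LAN and the Internet; everything not explicitly permitted, including Telnet or SSH to the servers, is dropped and logged by the final entry.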
NUMBERED ACL
R1(config)# ip access-list extended 150
R1(config-ext-nacl)# permit tcp host 192.168.1.100 any eq telnet
R1(config-ext-nacl)# permit tcp any any eq www
R1(config-ext-nacl)# permit tcp any any eq telnet
R1(config-ext-nacl)# permit tcp any any eq smtp
R1(config-ext-nacl)# permit tcp any any eq pop3
R1(config-ext-nacl)# permit tcp any any eq 21
R1(config-ext-nacl)# permit tcp any any eq 20
R1# show access-list 150
Extended IP access list 150
10 permit tcp any any eq www
20 permit tcp any any eq telnet
30 permit tcp any any eq smtp
40 permit tcp any any eq pop3
50 permit tcp any any eq 21
60 permit tcp any any eq 20
COMPLEX ACLs
Reflexive ACLs
R1(config)# ip access-list extended INTERNAL_ACL
R1(config-ext-nacl)# permit tcp any any eq 80 reflect WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# permit udp any any eq 53 reflect DNS-ONLY-REFLEXIVE-ACL timeout 10
R1(config-ext-nacl)# exit
R1(config)# ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)# evaluate WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# evaluate DNS-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface s0/0/0
R1(config-if)# ip access-group INTERNAL_ACL out
R1(config-if)# ip access-group EXTERNAL_ACL in
Dynamic ACLs
R3(config)# username Student password cisco
R3(config)# access-list 101 permit tcp any host 10.2.2.2 eq telnet
R3(config)# access-list 101 dynamic TESTLIST timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
R3(config)# interface s0/0/1
R3(config-if)# ip access-group 101 in
R3(config-if)# exit
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# autocommand access-enable host timeout 15 (tab completion does not work here; it is a hidden command)
Time-based ACLs
R1(config)# time-range EMPLOYEE-TIME
R1(config-time-range)# periodic weekdays 12:00 to 13:00
R1(config-time-range)# periodic weekdays 17:00 to 19:00
R1(config-time-range)# exit
R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range EMPLOYEE-TIME
R1(config)# access-list 100 deny ip any any
R1(config)# interface FastEthernet 0/1
R1(config-if)# ip access-group 100 in
R1(config-if)# exit
MITIGATING ATTACKS WITH ACLS
Do not allow any outbound IP packets with a source address other than a valid IP address of the internal network.
Create an ACL that permits only those packets that contain source addresses from inside the network and denies all others.
Inbound on Fa0/1
R1(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any
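As an added example (not the page's own commands), the anti-spoofing rule above completed in both directions: the egress filter on the inside interface, and the matching ingress filter on the outside interface that drops packets arriving from the Internet with an internal, private, loopback or broadcast source. Fa0/1 is taken to be the LAN interface and Fa0/0 the outside interface, as in the surrounding sections; the ACL name ANTI-SPOOF-IN is assumed.

```cisco
! Added example. Interface roles (Fa0/1 inside, Fa0/0 outside) and the name
! ANTI-SPOOF-IN are assumptions, not from the original page.
!
! Egress filter, inbound on Fa0/1: only packets sourced from the LAN may leave.
R1(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any
R1(config)# access-list 105 deny ip any any log
R1(config)# interface Fa0/1
R1(config-if)# ip access-group 105 in
R1(config-if)# exit
!
! Ingress filter, inbound on Fa0/0: drop packets from the outside that claim an
! internal, RFC 1918, loopback or broadcast source address, and log each drop.
R1(config)# ip access-list extended ANTI-SPOOF-IN
R1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 any log
R1(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any log
R1(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any log
R1(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any log
R1(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any log
R1(config-ext-nacl)# deny ip host 255.255.255.255 any log
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
R1(config)# interface Fa0/0
R1(config-if)# ip access-group ANTI-SPOOF-IN in
R1(config-if)# exit
!
! Hit counters on the deny entries show whether spoofed packets are arriving
R1# show ip access-lists ANTI-SPOOF-IN
```

The trailing `permit ip any any` on the ingress side only stands in for the rest of the inbound policy; in a real deployment the remaining inbound rules follow the spoofing denies in the same ACL, because only one ACL can be applied per interface and direction.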
Protect DNS, SMTP, and FTP
DNS, SMTP, and FTP are common services that often must be allowed through a firewall.
Outbound on Fa0/0
R1(config)# access-list 180 permit udp any host 192.168.20.2 eq domain
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq smtp
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq ftp
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq telnet
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq 22
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq syslog
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq snmptrap
Several outbound ICMP messages are required for proper network operation:
Echo - Allows users to ping external hosts.
Parameter problem - Informs the host of packet header problems.
Packet too big - Required for packet MTU discovery.
Source quench - Throttles down traffic when necessary.
Inbound on Fa0/0
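The page lists the required ICMP types but not the ACL lines. As an added example (not the original commands), the following outbound ACL permits exactly the four message types named above from the 192.168.1.0/24 LAN, and the inbound ACL on the same interface admits only replies and error messages, never echo requests from outside. The ACL numbers 112 and 114 and the interface role of Fa0/0 as the outside interface are assumptions.

```cisco
! Added example: ACL numbers 112/114 and Fa0/0 as the outside interface are assumed.
! Outbound on Fa0/0: only the ICMP types needed for normal operation may leave.
R1(config)# access-list 112 permit icmp 192.168.1.0 0.0.0.255 any echo
R1(config)# access-list 112 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
R1(config)# access-list 112 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
R1(config)# access-list 112 permit icmp 192.168.1.0 0.0.0.255 any source-quench
! Order matters: the ICMP deny must precede the general permit
R1(config)# access-list 112 deny icmp any any
R1(config)# access-list 112 permit ip any any
!
! Inbound on Fa0/0: replies and error messages toward the LAN, nothing else (no echo).
R1(config)# access-list 114 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
R1(config)# access-list 114 permit icmp any 192.168.1.0 0.0.0.255 source-quench
R1(config)# access-list 114 permit icmp any 192.168.1.0 0.0.0.255 unreachable
R1(config)# access-list 114 permit icmp any 192.168.1.0 0.0.0.255 parameter-problem
R1(config)# access-list 114 permit icmp any 192.168.1.0 0.0.0.255 packet-too-big
R1(config)# access-list 114 deny icmp any any
R1(config)# access-list 114 permit ip any any
!
R1(config)# interface Fa0/0
R1(config-if)# ip access-group 112 out
R1(config-if)# ip access-group 114 in
R1(config-if)# exit
```

Only one ACL can be applied per interface and direction, so in practice the inbound ICMP entries and the anti-spoofing entries for Fa0/0 go into a single ACL, with the denies placed before the permits.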
In this example topology, there are 3 servers, each requiring outside-to-inside access for 3 protocols.
Without object groups, we have to configure a permit statement for each server, for each protocol.
R1(config)# ip access-list extended In
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq https
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq https
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq https
For the same topology, using object group configuration, first create the service object for the services.
R1(config)# object-group service Web-svcs tcp
R1(config-service-group)# tcp smtp
R1(config-service-group)# tcp www
R1(config-service-group)# tcp https
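The page stops after the service object. As an added example (not the original commands), the configuration is completed with a network object group for the three servers and an ACL entry that references both groups, replacing the nine explicit permit statements above. The server addresses come from the page; the network group name DMZ-SERVERS, the interface Fa0/0 and the later fourth server 10.10.10.4 are assumptions.

```cisco
! Added example. DMZ-SERVERS, Fa0/0 and the address 10.10.10.4 are assumed.
! Service group, re-entered here so the block stands alone
R1(config)# object-group service Web-svcs
R1(config-service-group)# tcp eq smtp
R1(config-service-group)# tcp eq www
R1(config-service-group)# tcp eq https
R1(config-service-group)# exit
! Network group holding the three servers
R1(config)# object-group network DMZ-SERVERS
R1(config-network-group)# host 10.10.10.1
R1(config-network-group)# host 10.10.10.2
R1(config-network-group)# host 10.10.10.3
R1(config-network-group)# exit
! One ACE replaces the nine explicit permit statements
R1(config)# ip access-list extended In
R1(config-ext-nacl)# permit object-group Web-svcs any object-group DMZ-SERVERS
R1(config-ext-nacl)# deny ip any any log
R1(config-ext-nacl)# exit
R1(config)# interface Fa0/0
R1(config-if)# ip access-group In in
R1(config-if)# exit
! Adding a server later is a single line; the ACL picks it up without being edited
R1(config)# object-group network DMZ-SERVERS
R1(config-network-group)# host 10.10.10.4
R1(config-network-group)# exit
! Verification
R1# show object-group
R1# show ip access-lists In
```

Besides being shorter, the object-group form keeps the intent reviewable: a change in which hosts are exposed is a change to DMZ-SERVERS, not a search through the ACL for every line that mentions an address.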
This ACL is applied to the internal interface in the inbound direction. The ACL processes traffic
initiating from the internal network prior to leaving the network.
Next, create an extended ACL in which SMTP and HTTP traffic is permitted from the external
network to the DMZ network only, and all other traffic is denied.
This ACL is applied to the interface connecting to the external network in the inbound direction.
Next, create inspection rules for TCP inspection and UDP inspection.
These inspection rules are applied to the internal interface in the inbound direction.
1.- Configure a named IP ACL on R3 to block all traffic originating from the outside network.
Use the ip access-list extended command to create a named IP ACL.
R3(config)# ip access-list extended OUT-IN
R3(config-ext-nacl)# deny ip any any
R3(config-ext-nacl)# exit
7.- Verify that audit trail messages are being logged on the syslog server.
From PC-C, test connectivity to PC-A with ping, Telnet, and HTTP. Ping and HTTP should be
successful. Note that PC-A will reject the Telnet session.
From PC-A, test connectivity to PC-C with ping and Telnet. All should be blocked.
Review the syslog messages on server PC-A: click the Config tab and then click the SYSLOG
option.
R3# show ip inspect sessions displays the existing sessions that are currently being tracked and inspected by CBAC
Step 1. Create the zones for the firewall with the zone security command.
Step 2. Create an ACL that defines the internal traffic. Use the access-list command to create extended ACL 101 to permit all IP traffic from the 192.168.3.0/24 network to any destination.
R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any
Step 3. Define the traffic that will be subject to the firewall rules with the class-map type inspect command. (Here an ACL was used.)
Step 5. Create the inside-to-outside zone pair (source and destination zones) using the zone-pair security command and naming the zones.
R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
Step 6. Specify the policy map for handling the traffic between the zone pair. Attach the policy map and its associated action (inspect) to the zone pair using the service-policy type inspect command, referencing the previously created policy map, IN-2-OUT-PMAP.
R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)# exit
Step 7. Assign the router interfaces to the inside or outside zones using the zone-member security command.
R3(config)# interface fa0/1
R3(config-if)# zone-member security IN-ZONE
R3(config-if)# exit
1 CREATE ZONES
zone security NETWORK
zone security INTERNET
zone security DMZ
LAYER 2 SECURITY
1.- CONFIGURE ROOT BRIDGE
Parameters               R1               R3
Peer Hostname            R3               R1
Network to be encrypted  192.168.1.0/24   192.168.3.0/24
2. Traffic must be permitted so that router R4 can authenticate via RADIUS to the WinRadius server (PC2).
class-map type inspect match-any CM_OUT_TO_IN
match protocol radius
3. Traffic from PC4 to the WEB and FTP servers (PC3) must be permitted.
class-map type inspect match-any CM_OUT_TO_DMZ
match protocol http
match protocol ftp
policy-map type inspect PM_OUT_TO_DMZ
class type inspect CM_OUT_TO_DMZ
inspect
4. The internal network must also be able to reach the Web server (PC3); FTP will not be permitted for this network.
class-map type inspect match-any CM_IN_TO_DMZ
match protocol http
5. The ACS server must be able to ping router R4 (loopback) and the 10.X40.0/24 network (a state table must not be generated).
access-list 100 permit ip host 10.6.20.10 any
class-map type inspect match-all CM_ACS
match protocol icmp
match access-group 100
6. Users on the Internal network are permitted to browse the Internet (HTTP and DNS only).
class-map type inspect match-any CM_IN_TO_OUT
match protocol http
match protocol dns
7. The FW must have permission to Telnet and SSH to routers R1 and R2 (loopback interfaces), and must also be allowed to send its logs to the syslog server (PC1). Using the firewall's default policies is not permitted.
access-list 102 permit tcp host 10.6.23.3 any eq telnet
access-list 102 permit tcp host 10.6.13.3 any eq telnet
access-list 102 permit tcp host 10.6.13.3 any eq 22
access-list 102 permit tcp host 10.6.23.3 any eq 22
access-list 102 permit udp host 10.6.13.3 any eq syslog
access-list 102 permit udp host 10.6.23.3 any eq syslog
class-map type inspect match-any CM_SELF_TO_IN
match access-group 102
8. PC2 must be allowed to manage the FW device through CCP (enable whatever is necessary to meet this requirement).
access-list 103 permit tcp host 10.6.20.10 host 10.6.23.3 eq www
access-list 103 permit tcp host 10.6.20.10 host 10.6.23.3 eq 443
access-list 103 permit tcp host 10.6.20.10 host 10.6.13.3 eq 443
access-list 103 permit tcp host 10.6.20.10 host 10.6.13.3 eq www
class-map type inspect match-any CM_IN_TO_SELF
match access-group 103
9. Client PC4 must have sufficient permissions to establish a VPN session to router R1; for this the FW must generate a state table for the ESP and AH protocols.
access-list 104 permit ahp host 10.6.40.10 host 10.6.13.1
access-list 104 permit esp host 10.6.40.10 host 10.6.13.1
access-list 104 permit udp host 10.6.40.10 host 10.6.13.1 eq isakmp
class-map type inspect match-any CM_VPN
match access-group 104
10. All EIGRP sessions must be maintained between the FW and routers R1 and R2, and between the FW and router R4.
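The list above gives the class maps but not the policy maps and zone pairs that make them effective. As an added example, not the original lab's configuration, the following covers the parts a practitioner most often gets wrong: the `pass` action for requirement 5 (no state table, so the echo replies need their own pass in the reverse direction), and the `self` zone pairs for requirements 7, 8 and 10. Zone names NETWORK and INTERNET and the class-map names are from the page. Assumptions: the policy-map and zone-pair names, ACL 105 for EIGRP, ACL 106 for the ICMP replies to the ACS server, and that R1 and R2 sit in NETWORK while R4 sits in INTERNET.

```cisco
! Added example. Policy-map/zone-pair names, ACL 105, ACL 106 and the zone
! placement of R1, R2 and R4 are assumptions, not from the original lab.
!
! Requirement 5: ICMP from the ACS server is passed, not inspected, so no state
! table is created; the replies therefore need an explicit pass coming back.
access-list 106 permit icmp any host 10.6.20.10 echo-reply
class-map type inspect match-all CM_ACS_REPLY
 match access-group 106
!
policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_ACS
  pass
 class type inspect CM_IN_TO_OUT
  inspect
 class class-default
  drop log
!
policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect
 class type inspect CM_ACS_REPLY
  pass
 class class-default
  drop log
!
zone-pair security ZP_IN_TO_OUT source NETWORK destination INTERNET
 service-policy type inspect PM_IN_TO_OUT
zone-pair security ZP_OUT_TO_IN source INTERNET destination NETWORK
 service-policy type inspect PM_OUT_TO_IN
!
! Requirements 7, 8 and 10: the router's own traffic. Once a zone pair involves
! "self", router traffic is no longer allowed by default, so EIGRP must be passed
! explicitly in both directions or the adjacencies drop.
access-list 105 permit eigrp any any
class-map type inspect match-all CM_EIGRP
 match access-group 105
!
policy-map type inspect PM_SELF_TO_IN
 class type inspect CM_SELF_TO_IN
  inspect
 class type inspect CM_EIGRP
  pass
 class class-default
  drop log
!
policy-map type inspect PM_IN_TO_SELF
 class type inspect CM_IN_TO_SELF
  inspect
 class type inspect CM_EIGRP
  pass
 class class-default
  drop log
!
zone-pair security ZP_SELF_TO_IN source self destination NETWORK
 service-policy type inspect PM_SELF_TO_IN
zone-pair security ZP_IN_TO_SELF source NETWORK destination self
 service-policy type inspect PM_IN_TO_SELF
!
! Same EIGRP pass toward R4 (assumed to be in INTERNET)
policy-map type inspect PM_SELF_TO_OUT
 class type inspect CM_EIGRP
  pass
 class class-default
  drop log
policy-map type inspect PM_OUT_TO_SELF
 class type inspect CM_EIGRP
  pass
 class class-default
  drop log
zone-pair security ZP_SELF_TO_OUT source self destination INTERNET
 service-policy type inspect PM_SELF_TO_OUT
zone-pair security ZP_OUT_TO_SELF source INTERNET destination self
 service-policy type inspect PM_OUT_TO_SELF
```

`drop log` in every class-default is what "no default policies" means in practice: anything not matched by a class map is dropped and recorded, which is also how a missing rule (a second syslog destination, a new management host) shows up during testing, as log lines rather than silent failures. Verify with `show policy-map type inspect zone-pair sessions` for the inspected classes and `show zone-pair security` for the pairings.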