CCNA Security Commands

The document provides instructions for configuring various security features on routers including NTP, logging, passwords, SSH, AAA authentication, authorization and accounting, user roles and views, ACLs, and securing the IOS image. Key steps include configuring NTP on R1, enabling logging on routers, setting strong passwords, enabling SSH on R3, implementing AAA services for console and Telnet access using local database authentication, and creating user roles and views with associated privilege levels and command permissions. ACL examples are also provided to permit or deny traffic for various protocols.

Uploaded by

Robtech ops

CONFIGURE R1 AS AN NTP CLIENT.
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 ciscontppa55
R1(config)# ntp trusted-key 1
R1(config)# ntp server 192.168.1.5 key 1

CONFIGURE THE ROUTERS TO UPDATE THEIR DATE AND TIME.

R1(config)# ntp update-calendar

CONFIGURE THE ROUTERS TO SHOW THE TIME IN THE LOGS.

R1(config)# service timestamps log datetime msec

CONFIGURE THE ROUTER TO GENERATE ACTIVITY LOGS.

Configure the router to generate system logging messages for both successful and failed login attempts. The following commands log every successful login and log failed login attempts after every second failed login.
R1(config)# login on-success log
R1(config)# login on-failure log every 2

CONFIGURE A ROUTER TO IDENTIFY THE REMOTE HOST THAT WILL RECEIVE THE LOGGING MESSAGES.
R1(config)# logging host (hostname | ip-address)
R1(config)# logging trap informational (level)
R1(config)# logging source-interface (type and number)
R1(config)# logging on

CONFIGURE THE MINIMUM PASSWORD LENGTH ON A ROUTER.

R1(config)# security passwords min-length 10

CONFIGURE A ROUTER TO SUPPORT SSH CONNECTIONS.

Step 1. Configure a domain name.
R3(config)# ip domain-name ccnasecurity.com

Step 2. Create a user ID of SSHadmin with the highest possible privilege level and a secret password of ciscosshpa55.
R3(config)# username SSHadmin privilege 15 secret ciscosshpa55

Step 3. Configure the incoming VTY lines on R3. Use the local user accounts for mandatory login and validation. Accept only SSH connections.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh

Step 4. Erase existing key pairs on R3. Any existing RSA key pairs should be erased on the router.
R3(config)# crypto key zeroize rsa

Step 5. Generate the RSA encryption key pair for R3.
R3(config)# crypto key generate rsa

CONFIGURE THE SSH TIMEOUT AND AUTHENTICATION PARAMETERS.

Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
R3(config)# ip ssh time-out 90
R3(config)# ip ssh authentication-retries 2
R3(config)# ip ssh version 2

CONNECT TO R3 USING SSH FROM PC-C.

When prompted for the password, enter the password configured for the administrator: ciscosshpa55.
PC> ssh -l SSHadmin 192.168.3.1

CONNECT TO R3 USING SSH FROM R2 VIA SSH VERSION 2.

R2# ssh -v 2 -l SSHadmin 10.2.2.1
Password: ciscosshpa55

CONFIGURE A USER IN THE LOCAL DATABASE.


R3(config)# username Admin01 privilege 15 secret Admin01pass

CONFIGURE THE LOGIN BLOCK-FOR COMMAND.


To configure a 60-second login shutdown (quiet-mode timer) if two failed login attempts are made within 30 seconds:
R1(config)# login block-for 60 attempts 2 within 30
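As an added illustration of the two login-protection features above (example code written for this page, not IOS output and not part of the original document), the following Python parses a few constructed %SEC_LOGIN syslog lines of the kind that login on-failure log and login on-success log produce, counts failures per source address, and replays the failures through a simplified model of login block-for 60 attempts 2 within 30 to show when the router would enter quiet mode. The log lines, hosts, users, the assumed year and the simplified quiet-mode rules (only failures count, attempts during quiet mode are refused and not counted) are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines in the shape that 'login on-success log' and
# 'login on-failure log' produce (%SEC_LOGIN messages). Hosts, users and
# timestamps are made up for this example.
SAMPLE_LOG = """\
Mar  1 10:00:01.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:00:12.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:00:40.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: SSHadmin] [Source: 192.168.1.10] [localport: 22]
Mar  1 10:02:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+: "
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_FAILED|LOGIN_SUCCESS): "
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]"
)

# IOS timestamps carry no year; the year is assumed for the example.
ASSUMED_YEAR = 2021


def parse_syslog(text):
    """Return a list of (timestamp, kind, user, source) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
        events.append((ts, m["kind"], m["user"], m["src"]))
    return sorted(events)


def failures_by_source(events):
    """Count LOGIN_FAILED events per source address (what a SOC would alert on)."""
    counts = {}
    for _, kind, _, src in events:
        if kind == "LOGIN_FAILED":
            counts[src] = counts.get(src, 0) + 1
    return counts


def quiet_mode_windows(events, attempts=2, within=30, block_for=60):
    """Replay failures through 'login block-for <block_for> attempts <attempts> within <within>'.

    Simplified model (assumption): only failures are counted, an attempt that
    arrives during quiet mode is refused and not counted, and a new watch
    period starts after quiet mode ends. Returns (start, end) per quiet window.
    """
    windows = []
    recent = []            # failure timestamps inside the current watch period
    blocked_until = None
    for ts, kind, _, _ in events:
        if blocked_until is not None and ts < blocked_until:
            continue       # router is in quiet mode: attempt refused
        if kind != "LOGIN_FAILED":
            continue
        recent = [t for t in recent if ts - t <= timedelta(seconds=within)]
        recent.append(ts)
        if len(recent) >= attempts:
            blocked_until = ts + timedelta(seconds=block_for)
            windows.append((ts, blocked_until))
            recent = []
    return windows


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG)
    print(failures_by_source(evs))
    for start, end in quiet_mode_windows(evs):
        print(f"quiet mode from {start:%H:%M:%S} to {end:%H:%M:%S}")
```

With the sample above, the two failures from 10.0.0.5 eleven seconds apart trigger one 60-second quiet window starting at 10:00:12; the later single failure from 10.0.0.9 does not, because the watch period has expired.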

CONFIGURE A LOCAL USER FOR AAA AUTHENTICATION


R3(config)# username JR-ADMIN secret str0ngPa55w0rd
R3(config)# aaa new-model
R3(config)# aaa authentication login default local local-case enable

IMPLEMENT AAA SERVICES FOR CONSOLE ACCESS USING A LOCAL DATABASE

R3(config)# aaa authentication login default local none
R3(config)# line console 0
R3(config-line)# login authentication default

CREATE A PROFILE IN THE LOCAL DATABASE WITH AAA AUTHENTICATION FOR TELNET ACCESS.
R3(config)# aaa authentication login TELNET_LOGIN local-case
R3(config)# line vty 0 4
R3(config-line)# login authentication TELNET_LOGIN

CONFIGURE A ROUTER TO AUTHENTICATE AGAINST TACACS+, THEN RADIUS SERVERS, AND FINALLY A LOCAL DATABASE

R1(config)# aaa new-model
R1(config)# tacacs-server host 192.168.1.1 single-connection
R1(config)# tacacs-server key TACACS+Pa55W0rd
R1(config)# radius-server host 192.168.1.2
R1(config)# radius-server key RADIUS-Pa55W0rd
R1(config)# aaa authentication login default group tacacs+ group radius local-case
(defines the order of the servers used for authentication: TACACS+, RADIUS and FINALLY a user from the local database)

CONFIGURE COMMAND AUTHORIZATION TYPES THROUGH AAA


R1(config)# username JR-ADMIN secret str0ngPa55w0rd
R1(config)# username ADMIN secret str0ngPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+

CONFIGURE ACCOUNTING (AUDITING) THROUGH AAA

R1(config)# username JR-ADMIN secret str0ngPa55w0rd


R1(config)# username ADMIN secret str0ngPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting network default start-stop group tacacs+

LOCK AN ACCOUNT AFTER X FAILED ATTEMPTS

R3(config)# aaa local authentication attempts max-fail <number>

CREATE PRIVILEGE LEVELS

R1(config)# username USER privilege 1 secret cisco
R1(config)# privilege exec level 5 ping
R1(config)# enable secret level 5 cisco5
R1(config)# username SUPPORT privilege 5 secret cisco5
R1(config)# privilege exec level 10 reload
R1(config)# enable secret level 10 cisco10
R1(config)# username JR-ADMIN privilege 10 secret cisco10
R1(config)# username ADMIN privilege 15 secret cisco123

CONFIGURE ROLE-BASED VIEWS

ENABLE THE ROOT VIEW

R1(config)# aaa new-model
R1(config)# enable secret cisco12345
R1(config)# exit
R1# enable view
Password: cisco12345

R1(config)# parser view admin1
R1(config-view)# secret admin1pass
R1(config-view)# commands exec include all show
R1(config-view)# commands exec include all config terminal
R1(config-view)# commands exec include all debug
R1(config-view)# end

VERIFY THE ADMIN1 VIEW.

R1# enable view admin1
Password: admin1pass

* Create a view called SHOWVIEW
* Assign the password to the view
* Allow this view to use all EXEC commands that begin with "show"
R1(config)# aaa new-model
R1(config)# parser view SHOWVIEW
R1(config-view)# secret cisco
R1(config-view)# commands exec include show
R1(config-view)# end

* Create a view called VERIFIEDVIEW
* Assign the password to the view
* Allow this view to use the ping command
R1(config)# aaa new-model
R1(config)# parser view VERIFIEDVIEW
R1(config-view)# secret cisco5
R1(config-view)# commands exec include ping
R1(config-view)# end

* Create a view called REBOOTVIEW
* Assign the password to the view
* Allow this view to use the reload command
R1(config)# aaa new-model
R1(config)# parser view REBOOTVIEW
R1(config-view)# secret cisco10
R1(config-view)# commands exec include reload
R1(config-view)# end
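To make the difference between the two authorization mechanisms concrete, here is an added Python model (not IOS code and not from the page) of the privilege levels and parser views configured above: a privilege level is hierarchical (a user runs every command at or below their level), while a view is an explicit allow-list that ignores the level. The command-to-level table and the view rules are taken from the page's commands; the default levels assumed for configure terminal and show version, and the modelling of the all keyword (subcommands allowed only when all is given), are assumptions noted in the comments.

```python
# Added model of the two IOS authorization mechanisms configured above. This
# is illustration code, not IOS: command levels, user levels and view rules
# are taken from the commands on the page.

# 'privilege exec level N <command>' moves <command> to level N. Only the
# commands the page touches are modelled, plus two at their assumed IOS
# defaults: 'configure terminal' at 15 and 'show version' at 1.
COMMAND_LEVELS = {
    "ping": 5,                  # privilege exec level 5 ping
    "reload": 10,               # privilege exec level 10 reload
    "configure terminal": 15,   # assumed IOS default for global configuration
    "show version": 1,          # assumed IOS default user-EXEC command
}

# 'username <name> privilege <N> secret ...'
USER_LEVELS = {"USER": 1, "SUPPORT": 5, "JR-ADMIN": 10, "ADMIN": 15}


def level_allows(user_level, command, command_levels=COMMAND_LEVELS):
    """Privilege levels are hierarchical: a user may run every command whose
    level is less than or equal to the user's own level."""
    return user_level >= command_levels.get(command, 1)


class View:
    """A parser view is an explicit allow-list, independent of privilege level.

    Each rule is (command, include_all). With 'commands exec include all X'
    every command beginning with X is allowed; without 'all', only the exact
    command X is allowed and subcommands must be listed individually
    (modelled as an assumption about the 'all' keyword).
    """

    def __init__(self, name, rules):
        self.name = name
        self.rules = rules

    def allows(self, command):
        for prefix, include_all in self.rules:
            if command == prefix:
                return True
            if include_all and command.startswith(prefix + " "):
                return True
        return False


# Views as configured on the page ('config terminal' is the abbreviated form
# of 'configure terminal', so the full command is used here).
ADMIN1 = View("admin1", [("show", True), ("configure terminal", True), ("debug", True)])
SHOWVIEW = View("SHOWVIEW", [("show", False)])
VERIFIEDVIEW = View("VERIFIEDVIEW", [("ping", False)])
REBOOTVIEW = View("REBOOTVIEW", [("reload", False)])


def access_matrix(commands=("show version", "ping", "reload", "configure terminal")):
    """Which of the page's users and views may run which command."""
    matrix = {}
    for user, lvl in USER_LEVELS.items():
        matrix[user] = {c: level_allows(lvl, c) for c in commands}
    for view in (ADMIN1, SHOWVIEW, VERIFIEDVIEW, REBOOTVIEW):
        matrix[view.name] = {c: view.allows(c) for c in commands}
    return matrix


if __name__ == "__main__":
    for who, allowed in access_matrix().items():
        print(f"{who:13s}", {c: ("yes" if ok else "no") for c, ok in allowed.items()})
```

Running it shows SUPPORT (level 5) can ping but not reload, JR-ADMIN (level 10) can reload but not enter configuration mode, and REBOOTVIEW can run reload and nothing else regardless of any level; it also shows that SHOWVIEW, configured without the all keyword, admits only the bare show command.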

TO SECURE THE IOS IMAGE AND ENABLE CISCO IOS IMAGE RESILIENCE
R1(config)# secure boot-image

TO SECURE THE BOOT CONFIG

R1(config)# secure boot-config

CREATE ACLs
ACL EXAMPLES
permit udp any 192.168.1.0 0.0.0.255 eq domain     Allows any host to reach DNS
permit tcp any 192.168.1.0 0.0.0.255 eq smtp       Allows any host to reach SMTP
permit tcp any 192.168.1.0 0.0.0.255 eq ftp        Allows any host to reach FTP
deny tcp any host 192.168.1.3 eq 443               Denies any host access to HTTPS
permit tcp any host 192.168.3.3 eq 22              Allows any host to reach SSH
permit icmp any any echo-reply                     Allows echo replies from any host
permit icmp any any unreachable                    Allows destination unreachable from any host
deny icmp any any                                  Denies any host access via ICMP
permit ip any any                                  Allows any host to reach anywhere
ACL TO PERMIT THE PROTOCOLS FOR ESP (50), AH (51) AND ISAKMP (UDP PORT 500)

Create an extended named ACL called ACL-1, applied inbound on interface Fa0/0, that denies the workgroup server from going out but allows the rest of the LAN users outside access using the established keyword.
R1(config)# ip access-list extended ACL-1
R1(config-ext-nacl)# remark LAN ACL
R1(config-ext-nacl)# deny ip host 192.168.1.6 any
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any established
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface Fa0/0
R1(config-if)# ip access-group ACL-1 in
R1(config-if)# exit

Create an extended named ACL called ACL-2, applied outbound on the DMZ interface Fa0/1, to permit access to the specified web and e-mail servers.

The log parameter can be appended to the end of an ACL statement.

permit tcp any host 192.168.2.6 eq 80 log

NUMBERED ACL

R1(config)# ip access-list extended 150
R1(config-ext-nacl)# permit tcp host 192.168.1.100 any eq telnet
R1(config-ext-nacl)# permit tcp any any eq www
R1(config-ext-nacl)# permit tcp any any eq telnet
R1(config-ext-nacl)# permit tcp any any eq smtp
R1(config-ext-nacl)# permit tcp any any eq pop3
R1(config-ext-nacl)# permit tcp any any eq 21
R1(config-ext-nacl)# permit tcp any any eq 20
R1# show access-list 150
Extended IP access list 150
    10 permit tcp any any eq www
    20 permit tcp any any eq telnet
    30 permit tcp any any eq smtp
    40 permit tcp any any eq pop3
    50 permit tcp any any eq 21
    60 permit tcp any any eq 20

COMPLEX ACLs

TCP Established ACLs


R1(config)# access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
R1(config)# access-list 100 deny ip any any
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in

Reflexive ACLs
R1(config)# ip access-list extended INTERNAL_ACL
R1(config-ext-nacl)# permit tcp any any eq 80 reflect WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# permit udp any any eq 53 reflect DNS-ONLY-REFLEXIVE-ACL timeout 10
R1(config-ext-nacl)# exit
R1(config)# ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)# evaluate WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# evaluate DNS-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface s0/0/0
R1(config-if)# ip access-group INTERNAL_ACL out
R1(config-if)# ip access-group EXTERNAL_ACL in
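The stateful behaviour of a reflexive ACL is easier to see in a small simulation. The Python below is an added example (not IOS code and not from the page): it models INTERNAL_ACL applied outbound with reflect and EXTERNAL_ACL applied inbound with evaluate, creates the temporary mirrored entry for each outbound web or DNS flow, and shows an unsolicited inbound connection and a DNS reply arriving after the 10-second idle timeout both being denied. The traffic, the 300-second default timeout assumed for the web list and the idle-refresh behaviour are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def mirrored(self):
        """The reply direction: source and destination swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveList:
    """Temporary entries created by 'reflect', removed after the idle timeout."""

    def __init__(self, name, timeout):
        self.name = name
        self.timeout = timeout
        self.entries = {}       # reply Flow -> expiry time (seconds)

    def reflect(self, flow, now):
        self.entries[flow.mirrored()] = now + self.timeout

    def evaluate(self, flow, now):
        """'evaluate <name>': permit only a flow that mirrors a recent outbound one."""
        expiry = self.entries.get(flow)
        if expiry is None:
            return False
        if now > expiry:
            del self.entries[flow]                  # idle timeout expired
            return False
        self.entries[flow] = now + self.timeout     # traffic refreshes the idle timer (assumption)
        return True


class ReflexiveFirewall:
    """INTERNAL_ACL applied 'out' and EXTERNAL_ACL applied 'in' on S0/0/0, as on the page.

    WEB-ONLY uses an assumed global default reflexive timeout of 300 s;
    DNS-ONLY overrides it with 'timeout 10'.
    """

    def __init__(self):
        self.web = ReflexiveList("WEB-ONLY-REFLEXIVE-ACL", timeout=300)
        self.dns = ReflexiveList("DNS-ONLY-REFLEXIVE-ACL", timeout=10)

    def outbound(self, flow, now):
        if flow.proto == "tcp" and flow.dport == 80:
            self.web.reflect(flow, now)
            return "permit"
        if flow.proto == "udp" and flow.dport == 53:
            self.dns.reflect(flow, now)
            return "permit"
        return "deny"                      # implicit deny at the end of INTERNAL_ACL

    def inbound(self, flow, now):
        if self.web.evaluate(flow, now) or self.dns.evaluate(flow, now):
            return "permit"
        return "deny"                      # 'deny ip any any' in EXTERNAL_ACL


def demo():
    """Constructed traffic: one web session and one DNS lookup from an inside host."""
    fw = ReflexiveFirewall()
    web_out = Flow("tcp", "192.168.1.10", 40000, "203.0.113.5", 80)
    dns_out = Flow("udp", "192.168.1.10", 5353, "203.0.113.53", 53)
    return {
        "web_out": fw.outbound(web_out, now=0),
        "web_reply": fw.inbound(web_out.mirrored(), now=1),
        "unsolicited_from_web_server": fw.inbound(Flow("tcp", "203.0.113.5", 80, "192.168.1.10", 40001), now=1),
        "dns_out": fw.outbound(dns_out, now=0),
        "dns_reply_in_time": fw.inbound(dns_out.mirrored(), now=5),
        "dns_reply_after_idle_timeout": fw.inbound(dns_out.mirrored(), now=20),
        "ssh_out_not_reflected": fw.outbound(Flow("tcp", "192.168.1.10", 40002, "203.0.113.5", 22), now=0),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

The point the simulation makes is that EXTERNAL_ACL never contains a static permit for return traffic: an inbound packet is allowed only while a matching mirrored entry exists, so a server-initiated connection to a different client port, or a reply that arrives after the idle timer has expired, falls through to deny ip any any.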

Dynamic ACLs
R3(config)# username student password cisco
R3(config)# access-list 101 permit tcp any host 10.2.2.2 eq telnet
R3(config)# access-list 101 dynamic TESTLIST timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
R3(config)# interface s0/0/1
R3(config-if)# ip access-group 101 in
R3(config-if)# exit
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# autocommand access-enable host timeout 15 (tab completion does not work here; it is a hidden command)

Time-based ACLs
R1(config)# time-range EMPLOYEE-TIME
R1(config-time-range)# periodic weekdays 12:00 to 13:00
R1(config-time-range)# periodic weekdays 17:00 to 19:00
R1(config-time-range)# exit
R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range EMPLOYEE-TIME
R1(config)# access-list 100 deny ip any any
R1(config)# interface FastEthernet 0/1
R1(config-if)# ip access-group 100 in
R1(config-if)# exit
MITIGATING ATTACKS WITH ACLs

Allows only ping from the 192.168.30.0 network and denies everything else

R1(config)# access-list 120 permit icmp any 192.168.20.0 0.0.0.255 echo


R1(config)# access-list 120 permit icmp any 192.168.20.0 0.0.0.255 echo-reply
R1(config)# access-list 120 deny ip any any

Do Not Allow Addresses to be Spoofed

• Deny all IP packets containing the following IP addresses in their source field:
  - Any local host addresses (127.0.0.0/8)
  - Any reserved private addresses (RFC 1918)
  - Any addresses in the IP multicast address range (224.0.0.0/4)
• Inbound on S0/0/0

R1(config)# access-list 150 deny ip 0.0.0.0 0.255.255.255 any


R1(config)# access-list 150 deny ip 10.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any
R1(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any
R1(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any
R1(config)# access-list 150 deny ip host 255.255.255.255 any
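To check ACLs like the ones above without a router, the following added Python (not IOS code, not from the page) parses ACEs written in the page's syntax, implements wildcard-mask matching, first-match evaluation and the implicit deny, and runs constructed packets through access list 150 as the page assembles it (the anti-spoofing denies, followed by the ICMP filter and final permit ip any any that the Filter ICMP Messages section adds to the same list). It also handles the eq and established keywords from the earlier examples, so it generalises beyond this one list. The packet addresses and the port-name table are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Service names used in the page's ACLs, mapped to port numbers (assumed table).
PORT_NAMES = {"domain": 53, "smtp": 25, "ftp": 21, "www": 80, "telnet": 23, "pop3": 110}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class ACE:
    action: str              # permit / deny
    proto: str               # ip, tcp, udp or icmp
    src: tuple = None        # (base, wildcard)
    dst: tuple = None
    sport: int = None
    dport: int = None
    established: bool = False   # only TCP replies (ACK or RST set) match
    icmp_type: str = None       # e.g. echo-reply, unreachable


def _addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tok[i]; return it and the next index."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_ace(line):
    """Parse one ACE in the page's syntax, e.g. 'access-list 150 deny ip 10.0.0.0 0.255.255.255 any'."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]                     # drop 'access-list <number>'
    ace = ACE(action=tok[0], proto=tok[1])
    ace.src, i = _addr(tok, 2)
    if i < len(tok) and tok[i] == "eq":   # source port, as in 'any eq 443 ...'
        ace.sport, i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    ace.dst, i = _addr(tok, i)
    while i < len(tok):                   # trailing qualifiers
        if tok[i] == "eq":
            ace.dport, i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
            continue
        if tok[i] == "established":
            ace.established = True
        elif tok[i] != "log":             # 'log' changes logging, not matching
            ace.icmp_type = tok[i]
        i += 1
    return ace


def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace.src) or not wildcard_match(pkt["dst"], *ace.dst):
        return False
    if ace.sport is not None and pkt.get("sport") != ace.sport:
        return False
    if ace.dport is not None and pkt.get("dport") != ace.dport:
        return False
    if ace.established and not pkt.get("ack", False):
        return False
    return ace.icmp_type is None or pkt.get("icmp_type") == ace.icmp_type


def evaluate(acl, pkt):
    """First matching ACE wins; returns (action, index) or ('deny', None) for the implicit deny."""
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, i
    return "deny", None


# Access list 150 as the page builds it: anti-spoofing denies, ICMP filter, final permit.
ACL150 = [parse_ace(l) for l in """
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip host 255.255.255.255 any
permit icmp any any echo-reply
permit icmp any any source-quench
permit icmp any any unreachable
deny icmp any any
permit ip any any""".strip().splitlines()]

# Constructed packets arriving inbound on S0/0/0 (the outside interface).
SAMPLE_PACKETS = {
    "spoofed-inside-src": {"proto": "tcp", "src": "192.168.1.77", "dst": "192.168.1.3", "dport": 443},
    "web-from-outside": {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.1.3", "dport": 443},
    "ping-reply": {"proto": "icmp", "src": "203.0.113.5", "dst": "192.168.1.3", "icmp_type": "echo-reply"},
    "ping-request": {"proto": "icmp", "src": "203.0.113.5", "dst": "192.168.1.3", "icmp_type": "echo"},
    "multicast-src": {"proto": "udp", "src": "224.0.0.5", "dst": "192.168.1.3", "dport": 53},
}

if __name__ == "__main__":
    print({name: evaluate(ACL150, pkt) for name, pkt in SAMPLE_PACKETS.items()})
```

The returned index tells you which line caught the packet, which is the quickest way to see ordering problems: a packet with an inside source address arriving from outside is stopped by the RFC 1918 line before anything else is consulted, an echo request is stopped by deny icmp any any even though permit ip any any follows it, and an ACL with no permit at all denies everything through the implicit deny.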

• Do not allow any outbound IP packets with a source address other than a valid IP address of the internal network.
  - Create an ACL that permits only those packets that contain source addresses from inside the network and denies all others.
  - Inbound on Fa0/1
R1(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any

Protect DNS, SMTP, and FTP
• DNS, SMTP, and FTP are common services that often must be allowed through a firewall.
  - Outbound on Fa0/0
R1(config)# access-list 180 permit udp any host 192.168.20.2 eq domain
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq smtp
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq ftp
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq telnet
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq 22
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq syslog
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq snmptrap

Filter ICMP Messages

• Several inbound ICMP messages are required for proper network operation:
  - Echo reply - Allows internal users to ping external hosts.
  - Source quench - Requests the sender to decrease the traffic rate.
  - Unreachable - Unreachable messages are generated for packets that are administratively denied by an ACL.
  - Inbound on S0/0/0

R1(config)# access-list 150 permit icmp any any echo-reply
R1(config)# access-list 150 permit icmp any any source-quench
R1(config)# access-list 150 permit icmp any any unreachable
R1(config)# access-list 150 deny icmp any any
R1(config)# access-list 150 permit ip any any

• Several outbound ICMP messages are required for proper network operation:
  - Echo - Allows users to ping external hosts.
  - Parameter problem - Informs the host of packet header problems.
  - Packet too big - Required for packet MTU discovery.
  - Source quench - Throttles down traffic when necessary.
  - Inbound on Fa0/0

OBJECT GROUPS EXAMPLE

In this example topology, there are 3 servers, each requiring outside-to-inside access for 3 protocols.
Without object groups, we have to configure a permit statement for each server, for each protocol.
R1(config)# ip access-list extended In
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq https
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq https
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq https

For the same topology, using object group configuration, first create the service object for the services.
R1(config)# object-group service Web-svcs tcp
R1(config-service-group)# tcp smtp
R1(config-service-group)# tcp www
R1(config-service-group)# tcp https

• Next, create the network object for the servers:

This example uses the range keyword; you can also use the host keyword or define a subnet.
R1(config)# object-group network Webservers
R1(config-network-group)# range 10.10.10.1 10.10.10.3

CLASSIC FIREWALL CONFIGURATION

An administrator needs to permit inside users to initiate TCP, UDP, and ICMP traffic with all external sources. Outside clients are allowed to communicate with the SMTP mail server (209.165.201.2) and HTTP server (209.165.201.1) that are located in the enterprise demilitarized zone (DMZ). It is also necessary to permit certain ICMP messages to all interfaces. All other traffic from the external network is denied.

Step 1. Choose an interface, either internal or external.

Step 2. Configure IP ACLs at the interface.

Step 3. Define inspection rules.

Step 4. Apply an inspection rule to an interface.

Create an ACL that allows TCP, UDP, and ICMP sessions and denies all other traffic.

R1(config)# access-list 101 permit tcp 10.10.10.0 0.0.0.255 any

R1(config)# access-list 101 permit udp 10.10.10.0 0.0.0.255 any

R1(config)# access-list 101 permit icmp 10.10.10.0 0.0.0.255 any

R1(config)# access-list 101 deny ip any any

This ACL is applied to the internal interface in the inbound direction. The ACL processes traffic initiating from the internal network prior to leaving the network.

R1(config)# interface Fa0/0

R1(config-if)# ip access-group 101 in

Next, create an extended ACL in which SMTP and HTTP traffic is permitted from the external network to the DMZ network only, and all other traffic is denied.

R1(config)# access-list 102 permit tcp any 209.165.201.1 0.0.0.0 eq 80

R1(config)# access-list 102 permit tcp any 209.165.201.2 0.0.0.0 eq smtp

R1(config)# access-list 102 permit icmp any any echo-reply

R1(config)# access-list 102 permit icmp any any unreachable


R1(config)# access-list 102 permit icmp any any administratively-prohibited

R1(config)# access-list 102 permit icmp any any packet-too-big

R1(config)# access-list 102 permit icmp any any echo

R1(config)# access-list 102 permit icmp any any time-exceeded

R1(config)# access-list 102 deny ip any any

This ACL is applied to the interface connecting to the external network in the inbound direction.

R1(config)# interface S0/0/0

R1(config-if)# ip access-group 102 in

Next, create inspection rules for TCP inspection and UDP inspection.

R1(config)# ip inspect name MYSITE tcp

R1(config)# ip inspect name MYSITE udp

These inspection rules are applied to the internal interface in the inbound direction.

R1(config)# interface Fa0/0

R1(config-if)# ip inspect MYSITE in

CONFIGURING CONTEXT-BASED ACCESS CONTROL (CBAC)

1.- Configure a named IP ACL on R3 to block all traffic originating from the outside network.
Use the ip access-list extended command to create a named IP ACL.
R3(config)# ip access-list extended OUT-IN
R3(config-ext-nacl)# deny ip any any
R3(config-ext-nacl)# exit

2.- Apply the ACL to interface Serial 0/0/1.


R3(config)# interface s0/0/1
R3(config-if)# ip access-group OUT-IN in

3.- Confirm that traffic entering interface Serial 0/0/1 is dropped.


From the PC-C command prompt, ping the PC-A server. The ICMP echo replies are blocked by the
ACL.

4.- Create a CBAC Inspection Rule


Create an inspection rule to inspect ICMP, Telnet, and HTTP traffic.
R3(config)# ip inspect name IN-OUT-IN icmp
R3(config)# ip inspect name IN-OUT-IN telnet
R3(config)# ip inspect name IN-OUT-IN http

5.- Turn on time-stamped logging and CBAC audit trail messages.


Use the ip inspect audit-trail command to turn on CBAC audit messages to provide a record of
network access through the firewall, including illegitimate access attempts. Enable logging to the syslog
server, 192.168.1.3, with the logging host command. Make sure that logged
messages are timestamped.
R3(config)# ip inspect audit-trail
R3(config)# service timestamps debug datetime msec
R3(config)# logging host 192.168.1.3

6.- Apply the inspection rule to egress traffic on interface S0/0/1.


R3(config-if)# ip inspect IN-OUT-IN out

7.- Verify that audit trail messages are being logged on the syslog server.
From PC-C, test connectivity to PC-A with ping, Telnet, and HTTP. Ping and HTTP should be successful.
Note that PC-A will reject the Telnet session.
From PC-A, test connectivity to PC-C with ping and Telnet. All should be blocked.
Review the syslog messages on server PC-A: click the Config tab and then click the SYSLOG
option.

8.- Verify Firewall Functionality


Open a Telnet session from PC-C to R2. The Telnet should succeed. While the Telnet session is active, issue the command show ip inspect sessions on R3. This command displays the existing sessions that are currently being tracked and inspected by CBAC.

R3# show ip inspect sessions

R3# show ip inspect interfaces
R3# show ip inspect config
R3# debug ip inspect detailed
STEPS FOR CONFIGURING ZONE-BASED POLICY FIREWALLS WITH THE CLI

Step 1. Create the zones for the firewall with the zone security command.

R3(config)# zone security IN-ZONE
R3(config-sec-zone)# description Inside Network
R3(config)# zone security OUT-ZONE
R3(config-sec-zone)# description Outside Network

Step 2. Create an ACL that defines the internal traffic. Use the access-list command to create extended ACL 101 to permit all IP traffic from the 192.168.3.0/24 network to any destination.
R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any

Step 3. Define the traffic that will be subject to the firewall rules with the class-map type inspect command. (Here an ACL was used.)

R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP (class-map name)
R3(config-cmap)# match access-group 101
R3(config-cmap)# exit
Step 4. Create a policy map to determine what will be done with traffic that matches the ACL, using the policy-map type inspect command.
R3(config)# policy-map type inspect IN-2-OUT-PMAP (policy-map name)
R3(config-pmap)# class type inspect IN-NET-CLASS-MAP (class-map name)
R3(config-pmap-c)# inspect (the traffic will be inspected)

Step 5. Create the inside-to-outside zone pair (source and destination zones) using the zone-pair security command and naming the zones.
R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE

Step 6. Specify the policy map that handles traffic between the zone pair. Attach the policy map and its associated action (inspect) to the zone pair using the service-policy type inspect command, referencing the previously created policy map IN-2-OUT-PMAP.
R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)# exit

Step 7. Assign the router interfaces to the inside or outside zone using the zone-member security command.
R3(config)# interface fa0/1
R3(config-if)# zone-member security IN-ZONE
R3(config-if)# exit
R3(config)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE
R3(config-if)# exit

ZPF TEXT SUMMARY

enable
configure terminal
hostname R3
zone security IN-ZONE
zone security OUT-ZONE
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
class-map type inspect match-all IN-NET-CLASS-MAP
match access-group 101
exit
policy-map type inspect IN-2-OUT-PMAP
class type inspect IN-NET-CLASS-MAP
inspect
exit
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
service-policy type inspect IN-2-OUT-PMAP
exit
interface fa0/1
zone-member security IN-ZONE
exit
interface s0/0/1
zone-member security OUT-ZONE
exit

PRACTICAL ZBF EXAMPLE

1. CREATE ZONES
zone security NETWORK
zone security INTERNET
zone security DMZ

2. CLASSIFY TRAFFIC USING CLASS MAPS.


class-map type inspect match-any NETtoOUT
match protocol http
match protocol smtp
match protocol pop3
match protocol icmp

class-map type inspect match-any NETtoDMZ


match protocol http
match protocol dns
match protocol tftp
match protocol icmp
match access-group name DHCP

ip access-list extended DHCP


permit udp any any eq bootps
permit udp any any eq bootpc

4. DEFINE THE POLICY MAPS AND THE ACTION TO PERFORM.

policy-map type inspect NETWORKtoOUTSIDE
class type inspect NETtoOUT
inspect
policy-map type inspect OUTSIDEtoNETWORK
class type inspect OUTtoNET
drop
policy-map type inspect NETWORKtoDMZ
class type inspect NETtoDMZ
inspect
policy-map type inspect DMZtoNETWORK
class type inspect DMZtoNET
inspect
policy-map type inspect OUTSIDEtoDMZ
class type inspect OUTtoDMZ
inspect
policy-map type inspect DMZtoOUTSIDE
class type inspect DMZtoOUT
inspect

6. CREATE THE ZONE PAIRS, WHICH ARE THE APPLICATION OF POLICY BETWEEN ZONES.

zone-pair security NETtoOUT source NETWORK destination INTERNET
service-policy type inspect NETWORKtoOUTSIDE

5. MAKE THE INTERFACES ON FW MEMBERS OF A ZONE.

FW(config)# int serial 0/0/0
FW(config-if)# zone-member security INTERNET
FW(config-if)# exit
FW(config)# int fa0/1
FW(config-if)# zone-member security DMZ
FW(config-if)# exit
FW(config)# int fa0/0
FW(config-if)# zone-member security NETWORK
FW(config-if)# exit
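An added Python model (not IOS code and not from the page) of how the zone-based firewall in the two sections above reaches a decision: interfaces map to zones, a zone pair carries a policy map whose class maps combine match protocol and match access-group criteria with match-any, and the ZPF defaults apply when no zone pair or no class matches (same-zone traffic passes, traffic between a zone and a non-zone interface drops, and class-default drops). It uses the zones, class maps and the NETtoOUT zone pair from the practical example; the NETWORK-to-DMZ zone pair is an assumption, since the page defines the NETWORKtoDMZ policy map but shows no zone pair for it. The interface names and packets are constructed.

```python
# Added model of zone-based policy firewall decisions, built from the zones,
# class maps, policy maps and zone pair in the practical example above. It is
# not IOS code; packets are constructed dicts.

class ClassMap:
    """'class-map type inspect match-any|match-all' with 'match protocol' and
    'match access-group name' criteria, each modelled as a predicate."""

    def __init__(self, name, match_any, criteria):
        self.name, self.match_any, self.criteria = name, match_any, criteria

    def matches(self, pkt):
        results = [c(pkt) for c in self.criteria]
        return any(results) if self.match_any else all(results)


def protocol(name):
    """'match protocol <name>' (application protocol as identified by inspection)."""
    return lambda pkt: pkt["protocol"] == name


def acl_dhcp(pkt):
    """'match access-group name DHCP': ip access-list extended DHCP permits udp bootps (67) and bootpc (68)."""
    return pkt["protocol"] == "udp" and pkt.get("dport") in (67, 68)


class ZoneFirewall:
    def __init__(self):
        self.iface_zone = {}    # zone-member security
        self.zone_pairs = {}    # (source zone, destination zone) -> [(class map, action)]

    def zone_member(self, iface, zone):
        self.iface_zone[iface] = zone

    def zone_pair(self, src, dst, policy):
        self.zone_pairs[(src, dst)] = policy

    def decide(self, in_iface, out_iface, pkt):
        """ZPF default behaviour: same zone passes, zone to non-zone drops,
        no zone pair drops, class-default of a policy drops."""
        src, dst = self.iface_zone.get(in_iface), self.iface_zone.get(out_iface)
        if src is None and dst is None:
            return "pass"       # neither interface is in a zone: ZPF not involved
        if src is None or dst is None:
            return "drop"       # one side in a zone, the other not
        if src == dst:
            return "pass"       # intra-zone traffic
        policy = self.zone_pairs.get((src, dst))
        if policy is None:
            return "drop"       # no zone-pair for this direction
        for cmap, action in policy:
            if cmap.matches(pkt):
                return action
        return "drop"           # class class-default


def build_fw():
    """The page's zones, class maps and the single zone pair it configures.
    The NETWORK->DMZ zone pair is assumed (its policy map is defined on the
    page but no zone-pair is shown)."""
    net_to_out = ClassMap("NETtoOUT", True, [protocol(p) for p in ("http", "smtp", "pop3", "icmp")])
    net_to_dmz = ClassMap("NETtoDMZ", True,
                          [protocol(p) for p in ("http", "dns", "tftp", "icmp")] + [acl_dhcp])
    fw = ZoneFirewall()
    fw.zone_member("serial0/0/0", "INTERNET")
    fw.zone_member("fa0/1", "DMZ")
    fw.zone_member("fa0/0", "NETWORK")
    fw.zone_pair("NETWORK", "INTERNET", [(net_to_out, "inspect")])   # policy-map NETWORKtoOUTSIDE
    fw.zone_pair("NETWORK", "DMZ", [(net_to_dmz, "inspect")])        # policy-map NETWORKtoDMZ (assumed pair)
    return fw


if __name__ == "__main__":
    fw = build_fw()
    print(fw.decide("fa0/0", "serial0/0/0", {"protocol": "http"}))        # inspect
    print(fw.decide("serial0/0/0", "fa0/0", {"protocol": "http"}))        # drop: no zone pair
    print(fw.decide("fa0/0", "fa0/1", {"protocol": "udp", "dport": 67}))  # inspect via the DHCP ACL
```

Note the asymmetry the model makes visible: the OUTSIDEtoNETWORK policy map with its drop action is never consulted, because no zone pair from INTERNET to NETWORK exists, and the result is the same drop that the ZPF default already gives. Return traffic for inspected sessions is allowed by the inspection state, not by a reverse zone pair.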

CONFIGURE IOS INTRUSION PREVENTION SYSTEM (IPS) USING THE CLI

1.- CREATE AN IOS IPS CONFIGURATION DIRECTORY IN FLASH.

On R1, create a directory in flash using the mkdir command. Name the directory ipsdir.
R1# mkdir ipsdir
Create directory filename [ipsdir]? <Enter>
Created dir flash:ipsdir

2.- CONFIGURE THE IPS SIGNATURE STORAGE LOCATION.

On R1, configure the IPS signature storage location to be the directory you just created.
R1(config)# ip ips config location flash:ipsdir

3.- CREATE AN IPS RULE.

On R1, create an IPS rule name using the ip ips name name command in global configuration mode. Name the IPS rule iosips.
R1(config)# ip ips name iosips
4.- ENABLE LOGGING.
IOS IPS supports the use of syslog to send event notification. Syslog notification is enabled by default. If logging console is enabled, you see IPS syslog messages.
Enable syslog if it is not enabled.

R1(config)# ip ips notify log


Use the clock set command from privileged EXEC mode to reset the clock if necessary.
R1# clock set 01:20:00 6 january 2009

Enable the timestamp service if it is not enabled.

R1(config)# service timestamps log datetime msec

Send log messages to the syslog server at IP address 192.168.1.50.


R1(config)# logging host 192.168.1.50

5.- CONFIGURE IOS IPS TO USE THE SIGNATURE CATEGORIES.

Retire the all signature category with the retired true command (all signatures within the signature release). Unretire the IOS_IPS Basic category with the retired false command.
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Enter>

6.- APPLY THE IPS RULE TO AN INTERFACE.

Apply the IPS rule to an interface with the ip ips name direction command in interface configuration mode. Apply the rule outbound on the Fa0/0 interface of R1. After you enable IPS, some log messages will be sent to the console line indicating that the IPS engines are being initialized.
Note: The direction in means that IPS inspects only traffic going into the interface. Similarly, out means only traffic going out the interface.
R1(config)# interface fa0/0
R1(config-if)# ip ips iosips out

7.- MODIFY THE SIGNATURE. CHANGE THE EVENT-ACTION OF A SIGNATURE.

Un-retire the echo request signature (signature 2004, subsig ID 0), enable it and change the signature action to alert and drop.
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] <Enter>

8.- USE SHOW COMMANDS TO VERIFY IPS.

Use the show ip ips all command to see an IPS configuration status summary.

LAYER 2 SECURITY
1.- CONFIGURE THE ROOT BRIDGE
Assign Central as the primary root bridge.
Central(config)# spanning-tree vlan 1 root primary

Assign SW-1 as the secondary root bridge.

SW-1(config)# spanning-tree vlan 1 root secondary

2.- PROTECT AGAINST STP ATTACKS

SW-A(config)# interface range fastethernet 0/1 - 4
SW-A(config-if-range)# spanning-tree portfast

3.- ENABLE BPDU GUARD ON ALL ACCESS PORTS.

BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports.
SW-A(config)# interface range fastethernet 0/1 - 4
SW-A(config-if-range)# spanning-tree bpduguard enable

4.- ENABLE ROOT GUARD ON ALL TRUNK PORTS.

SW-1(config)# interface fa0/24
SW-1(config-if)# spanning-tree guard root

5.- ENABLE STORM CONTROL FOR BROADCASTS.

Enable storm control for broadcasts on all ports connecting switches (trunk ports). Set a 50 percent rising suppression level using the storm-control broadcast command.
SW-1(config)# interface gi1/1
SW-1(config-if)# storm-control broadcast level 50

6.- ENABLE TRUNKING, INCLUDING ALL TRUNK SECURITY MECHANISMS ON THE TRUNK LINK.
Set the port to trunk, assign native VLAN 15 to the trunk port, and disable auto-negotiation.
SW-1(config)# interface fa0/23
SW-1(config-if)# no shutdown
SW-1(config-if)# switchport mode trunk
SW-1(config-if)# switchport trunk native vlan 15
SW-1(config-if)# switchport nonegotiate (no negotiation)

CONFIGURE AND VERIFY A SITE-TO-SITE IPSEC VPN USING THE CLI

ISAKMP Phase 1 and Phase 2 parameters:

Parameter                 Options                      R1              R3
Key distribution method   Manual or ISAKMP             ISAKMP          ISAKMP
Encryption algorithm      DES, 3DES, or AES            AES             AES
Hash algorithm            MD5 or SHA-1                 SHA-1           SHA-1
Authentication method     Pre-shared keys or RSA       pre-share       pre-share
Key exchange              DH Group 1, 2, or 5          DH 2            DH 2
IKE SA Lifetime           86400 seconds or less        86400           86400
ISAKMP Key                                             vpnpa55         vpnpa55
Transform Set                                          VPN-SET         VPN-SET
Peer Hostname                                          R3              R1
Peer IP Address                                        10.2.2.2        10.1.1.2
Network to be encrypted                                192.168.1.0/24  192.168.3.0/24
Crypto Map name                                        VPN-MAP         VPN-MAP
SA Establishment                                       ipsec-isakmp    ipsec-isakmp

CONFIGURE IPSEC PARAMETERS ON R1

1.- IDENTIFY INTERESTING TRAFFIC ON R1.
Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R3 as interesting.
Remember that due to the implicit deny all, there is no need to configure a deny any any
statement.
R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

2.- CONFIGURE THE ISAKMP PHASE 1 PROPERTIES ON R1.

Configure the crypto ISAKMP policy 10 properties on R1 along with the shared crypto key
vpnpa55. Refer to the ISAKMP Phase 1 table for the specific parameters to configure. Default values do
not have to be configured, therefore only the encryption, key exchange method, and DH method must be
configured.

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)# crypto isakmp key vpnpa55 address 10.2.2.2

3.- CONFIGURE THE ISAKMP PHASE 2 PROPERTIES ON R1.

Create the transform-set VPN-SET to use esp-3des and esp-sha-hmac. Then create the crypto map
VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an
ipsec-isakmp map.
R1(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to R3
R1(config-crypto-map)# set peer 10.2.2.2
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit

4.- CONFIGURE THE CRYPTO MAP ON THE OUTGOING INTERFACE.

Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface.

R1(config)# interface s0/0/0
R1(config-if)# crypto map VPN-MAP

CONFIGURE IPSEC PARAMETERS ON R3

1.- CONFIGURE ROUTER R3 TO SUPPORT A SITE-TO-SITE VPN WITH R1.
Now configure reciprocating parameters on R3. Configure ACL 110 identifying the traffic from the
LAN on R3 to the LAN on R1 as interesting.

R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

2.- CONFIGURE THE ISAKMP PHASE 1 PROPERTIES ON R3.

Configure the crypto ISAKMP policy 10 properties on R3 along with the shared crypto key
vpnpa55.
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# exit
R3(config)# crypto isakmp key vpnpa55 address 10.1.1.2

3.- CONFIGURE THE ISAKMP PHASE 2 PROPERTIES ON R3.
Like you did on R1, create the transform-set VPN-SET to use esp-3des and esp-sha-hmac. Then
create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10
and identify it as an ipsec-isakmp map.

R3(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R3(config)# crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)# description VPN connection to R1
R3(config-crypto-map)# set peer 10.1.1.2
R3(config-crypto-map)# set transform-set VPN-SET
R3(config-crypto-map)# match address 110
R3(config-crypto-map)# exit

4.- CONFIGURE THE CRYPTO MAP ON THE OUTGOING INTERFACE.

Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface. Note: This is not
graded.

R3(config)# interface s0/0/1
R3(config-if)# crypto map VPN-MAP

5.- VERIFY THE IPSEC VPN

Verify the tunnel prior to interesting traffic. Issue the show crypto ipsec sa command on R1.
Notice that the number of packets encapsulated, encrypted, decapsulated and decrypted are all set to 0.
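The R1 and R3 configurations above only work because they are exact mirrors of each other: the crypto ACLs are reversed, each pre-shared key is bound to the address given in set peer, and the ISAKMP policy and transform set are identical. The following script is an added example (not part of the lab or of Cisco's tooling) that encodes the values from the two tables for both peers, checks those invariants, and then reads the encaps/decaps counters out of a constructed show crypto ipsec sa excerpt, which is what the verification step inspects. The show output is constructed to follow the IOS layout; the counter values in it are sample data.

```python
"""Consistency check for the R1/R3 site-to-site IPsec parameters.

Added example, not part of the lab: it encodes the values from the Phase 1
and Phase 2 tables for both peers and verifies the invariants that must hold
for the tunnel to negotiate, then parses a constructed `show crypto ipsec sa`
excerpt for the counters that the verification step looks at."""
import re

# Page values for both peers (the tables above); the ISAKMP policy and the
# transform set are tuples so that each can be compared as a whole.
PEERS = {
    "R1": {"local_net": "192.168.1.0/24", "remote_net": "192.168.3.0/24",
           "peer_ip": "10.2.2.2", "psk_address": "10.2.2.2", "psk": "vpnpa55",
           "ike": ("aes", "pre-share", 2, 86400),
           "transform_set": ("esp-3des", "esp-sha-hmac"), "crypto_map": "VPN-MAP"},
    "R3": {"local_net": "192.168.3.0/24", "remote_net": "192.168.1.0/24",
           "peer_ip": "10.1.1.2", "psk_address": "10.1.1.2", "psk": "vpnpa55",
           "ike": ("aes", "pre-share", 2, 86400),
           "transform_set": ("esp-3des", "esp-sha-hmac"), "crypto_map": "VPN-MAP"},
}


def check_peer_symmetry(peers):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    a, b = peers["R1"], peers["R3"]
    # The crypto ACLs must be mirror images, otherwise the proxy identities
    # exchanged in Phase 2 do not match and quick mode fails.
    if a["local_net"] != b["remote_net"] or a["remote_net"] != b["local_net"]:
        findings.append("crypto ACLs (access-list 110) are not mirror images")
    # The pre-shared key has to be bound to the address the peer really uses.
    for name, p in peers.items():
        if p["psk_address"] != p["peer_ip"]:
            findings.append(f"{name}: isakmp key bound to {p['psk_address']} "
                            f"but set peer is {p['peer_ip']}")
    # Key, ISAKMP policy and transform set must be identical on both sides.
    for field in ("psk", "ike", "transform_set"):
        if a[field] != b[field]:
            findings.append(f"{field} differs between R1 and R3")
    return findings


# Constructed excerpt of `show crypto ipsec sa` on R1 before any interesting
# traffic has crossed the tunnel; the field names follow the IOS layout.
SHOW_CRYPTO_IPSEC_SA = """\
interface: Serial0/0/0
    Crypto map tag: VPN-MAP, local addr 10.1.1.2
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa_counters(output):
    """Extract the encaps/decaps packet counters from show crypto ipsec sa."""
    return {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(output)}


def tunnel_state(counters):
    """Classify the SA from its counters: encaps without decaps means the
    far end is not sending back (return traffic not matched or blocked)."""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle"
    if enc > 0 and dec == 0:
        return "one-way"
    return "bidirectional"


if __name__ == "__main__":
    print(check_peer_symmetry(PEERS) or "R1/R3 parameters are consistent")
    print(tunnel_state(parse_sa_counters(SHOW_CRYPTO_IPSEC_SA)))
```

After sending interesting traffic (a ping from the R1 LAN to the R3 LAN), both counters should rise together; encaps growing while decaps stays at 0 is the usual symptom of a mismatched crypto ACL or key on the far side.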

TEACHER'S ASSIGNMENT

1. Define the zones as indicated in the topology.
zone security DMZ
zone security INSIDE
zone security OUTSIDE

2. Traffic must be allowed so that router R4 can authenticate via RADIUS against the WinRadius server (PC2).
class-map type inspect match-any CM_OUT_TO_IN
 match protocol radius

policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect

zone-pair security ZP_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN
3. Traffic from PC4 to the WEB and FTP servers (PC3) must be allowed.
class-map type inspect match-any CM_OUT_TO_DMZ
 match protocol http
 match protocol ftp

policy-map type inspect PM_OUT_TO_DMZ
 class type inspect CM_OUT_TO_DMZ
  inspect

zone-pair security ZP_OUT_TO_DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM_OUT_TO_DMZ

4. The internal network must also be able to reach the Web server (PC3); FTP will not be allowed for this network.
class-map type inspect match-any CM_IN_TO_DMZ
 match protocol http

policy-map type inspect PM_IN_TO_DMZ
 class type inspect CM_IN_TO_DMZ
  inspect

zone-pair security ZP_IN_TO_DMZ source INSIDE destination DMZ
 service-policy type inspect PM_IN_TO_DMZ

5. The ACS server must be able to ping router R4 (loopback) and the 10.X40.0/24 network (generating a
state table is not allowed).
access-list 100 permit ip host 10.6.20.10 any
class-map type inspect match-all CM_ACS
 match protocol icmp
 match access-group 100

policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_IN_TO_OUT
  inspect
 class type inspect CM_ACS
  pass

zone-pair security ZP_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT

Because pass is stateless, the echo replies are not matched to the outgoing requests; they need their own pass
class in the OUTSIDE-to-INSIDE policy:
access-list 101 permit ip any host 10.6.20.10

class-map type inspect match-all CM_ACS_R
 match access-group 101
 match protocol icmp

policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect
 class type inspect CM_ACS_R
  pass

zone-pair security ZP_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN

6. Users on the internal network are allowed to browse the Internet (HTTP and DNS only).
class-map type inspect match-any CM_IN_TO_OUT
 match protocol http
 match protocol dns

policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_IN_TO_OUT
  inspect
 class type inspect CM_ACS
  pass

zone-pair security ZP_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT

7. The FW must have permission to Telnet and SSH to routers R1 and R2 (loopback interfaces), and to send
its logs to the syslog server (PC1). Using the firewall's default policies is not allowed.
access-list 102 permit tcp host 10.6.23.3 any eq telnet
access-list 102 permit tcp host 10.6.13.3 any eq telnet
access-list 102 permit tcp host 10.6.13.3 any eq 22
access-list 102 permit tcp host 10.6.23.3 any eq 22
access-list 102 permit udp host 10.6.13.3 any eq syslog
access-list 102 permit udp host 10.6.23.3 any eq syslog
(Syslog runs over UDP/514, so the syslog entries are udp; IOS only accepts the syslog port keyword in a udp
entry.)
class-map type inspect match-any CM_SELF_TO_IN
 match access-group 102

policy-map type inspect PM_SELF_TO_IN
 class type inspect CM_SELF_TO_IN
  inspect

zone-pair security ZP_SELF_TO_IN source self destination INSIDE
 service-policy type inspect PM_SELF_TO_IN

8. PC2 must be able to manage the FW device through CCP (enable whatever is needed to meet this
requirement).
access-list 103 permit tcp host 10.6.20.10 host 10.6.23.3 eq www
access-list 103 permit tcp host 10.6.20.10 host 10.6.23.3 eq 443
access-list 103 permit tcp host 10.6.20.10 host 10.6.13.3 eq 443
access-list 103 permit tcp host 10.6.20.10 host 10.6.13.3 eq www
class-map type inspect match-any CM_IN_TO_SELF
 match access-group 103

policy-map type inspect PM_IN_TO_SELF
 class type inspect CM_IN_TO_SELF
  inspect

zone-pair security ZP_IN_TO_SELF source INSIDE destination self
 service-policy type inspect PM_IN_TO_SELF

9. Client PC4 must have sufficient permissions to establish a VPN session to router R1; for this the FW must
generate a state table for the ESP and AH protocols.
access-list 104 permit ahp host 10.6.40.10 host 10.6.13.1
access-list 104 permit esp host 10.6.40.10 host 10.6.13.1
access-list 104 permit udp host 10.6.40.10 host 10.6.13.1 eq isakmp
class-map type inspect match-any CM_VPN
 match access-group 104

policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect
 class type inspect CM_ACS_R
  pass
 class type inspect CM_VPN
  inspect

zone-pair security ZP_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN

10. All EIGRP sessions must be maintained between the FW and routers R1 and R2, and between the FW and
router R4.
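The zone-based firewall policy in steps 1 to 9 is resolved by IOS in a fixed order: the zone-pair for the (source zone, destination zone) selects a service-policy, the classes of that policy-map are tried in order, the first match decides (inspect, pass or drop), class-default drops, and inter-zone traffic with no zone-pair is dropped while traffic to or from the self zone is allowed by default (the reason step 7 forbids relying on the default policies). The script below is an added example, not part of the assignment or of IOS, that encodes the ACLs, class-maps, policy-maps and zone-pairs from the steps above and answers "what happens to this flow" without a router. The self-zone policies of steps 7 and 8 are left out to keep the model short, and any endpoint address not on the page (for example the DMZ server address used in the demo) is constructed.

```python
"""Evaluator for the zone-based firewall policy built in steps 1-9.

Added example, not part of the assignment or of IOS: it encodes the
zone-pairs, class-maps, policy-maps and ACLs from the steps above and
resolves a flow the way IOS ZBF does: walk the zone-pair's service-policy
in order, the first matching class decides, class-default drops, inter-zone
traffic with no zone-pair is dropped, and the self zone is allowed by
default. Self-zone policies (steps 7 and 8) are left out for brevity."""

# Extended ACLs: (protocol, source host or "any", destination host or "any", port name or None)
ACLS = {
    100: [("ip", "10.6.20.10", "any", None)],
    101: [("ip", "any", "10.6.20.10", None)],
    104: [("ahp", "10.6.40.10", "10.6.13.1", None),
          ("esp", "10.6.40.10", "10.6.13.1", None),
          ("udp", "10.6.40.10", "10.6.13.1", "isakmp")],
}

# class-map type inspect: (match-any | match-all, [("protocol", app) | ("access-group", acl)])
CLASS_MAPS = {
    "CM_OUT_TO_IN": ("match-any", [("protocol", "radius")]),
    "CM_OUT_TO_DMZ": ("match-any", [("protocol", "http"), ("protocol", "ftp")]),
    "CM_IN_TO_DMZ": ("match-any", [("protocol", "http")]),
    "CM_IN_TO_OUT": ("match-any", [("protocol", "http"), ("protocol", "dns")]),
    "CM_ACS": ("match-all", [("protocol", "icmp"), ("access-group", 100)]),
    "CM_ACS_R": ("match-all", [("access-group", 101), ("protocol", "icmp")]),
    "CM_VPN": ("match-any", [("access-group", 104)]),
}

# policy-map type inspect: ordered (class, action); class-default is an implicit drop
POLICY_MAPS = {
    "PM_OUT_TO_IN": [("CM_OUT_TO_IN", "inspect"), ("CM_ACS_R", "pass"), ("CM_VPN", "inspect")],
    "PM_OUT_TO_DMZ": [("CM_OUT_TO_DMZ", "inspect")],
    "PM_IN_TO_DMZ": [("CM_IN_TO_DMZ", "inspect")],
    "PM_IN_TO_OUT": [("CM_IN_TO_OUT", "inspect"), ("CM_ACS", "pass")],
}

# zone-pair security: (source zone, destination zone) -> service-policy
ZONE_PAIRS = {
    ("OUTSIDE", "INSIDE"): "PM_OUT_TO_IN",
    ("OUTSIDE", "DMZ"): "PM_OUT_TO_DMZ",
    ("INSIDE", "DMZ"): "PM_IN_TO_DMZ",
    ("INSIDE", "OUTSIDE"): "PM_IN_TO_OUT",
}


def make_flow(src_zone, dst_zone, app, l4, src="any", dst="any", dport=None):
    """A flow as the firewall classifies it: the application protocol (what
    `match protocol` sees) plus the IP protocol, endpoints and destination
    port (what the ACL sees)."""
    return {"src_zone": src_zone, "dst_zone": dst_zone, "app": app, "l4": l4,
            "src": src, "dst": dst, "dport": dport}


def acl_permits(acl_id, flow):
    """First matching entry wins; every entry above is a permit and the
    list ends with the implicit deny."""
    for proto, src, dst, dport in ACLS[acl_id]:
        if proto != "ip" and proto != flow["l4"]:
            continue
        if src != "any" and src != flow["src"]:
            continue
        if dst != "any" and dst != flow["dst"]:
            continue
        if dport is not None and dport != flow["dport"]:
            continue
        return True
    return False


def class_matches(name, flow):
    """match-any needs one criterion to hit, match-all needs every one."""
    mode, criteria = CLASS_MAPS[name]
    hits = [value == flow["app"] if kind == "protocol" else acl_permits(value, flow)
            for kind, value in criteria]
    return any(hits) if mode == "match-any" else all(hits)


def zbf_action(flow):
    """Return inspect, pass or drop for the flow under the configured policy."""
    pair = (flow["src_zone"], flow["dst_zone"])
    if pair[0] == pair[1]:
        return "pass"                       # traffic inside one zone is not policed
    policy = ZONE_PAIRS.get(pair)
    if policy is None:
        return "pass" if "self" in pair else "drop"  # defaults: self allowed, others dropped
    for class_name, action in POLICY_MAPS[policy]:
        if class_matches(class_name, flow):
            return action
    return "drop"                           # class-default


if __name__ == "__main__":
    # 10.6.30.10 (DMZ server) and 10.6.40.1 are constructed sample addresses.
    for f in (make_flow("INSIDE", "DMZ", "ftp", "tcp", "10.6.20.20", "10.6.30.10"),
              make_flow("INSIDE", "OUTSIDE", "icmp", "icmp", "10.6.20.10", "10.6.40.1")):
        print(f["src_zone"], "->", f["dst_zone"], f["app"], "=>", zbf_action(f))
```

Two things the model makes visible that the CLI does not: FTP from INSIDE to the DMZ falls through to class-default and is dropped even though OUTSIDE may use it (step 4), and the ACS ping only works because both directions carry a pass class (step 5), since pass creates no session entry for the replies.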
