Tylogix.com -> Cisco CCNA Notes - Security
Great CCNA Notes Site: http://computernetworkingnotes.com/
Subnets

| Network Notation (4th octet) | /25 | /26 | /27 | /28 | /29 | /30 | /31 | /32 |
| Network Notation (3rd octet) | /17 | /18 | /19 | /20 | /21 | /22 | /23 | /24 |
| Host Bits (block size)       | 128 |  64 |  32 |  16 |   8 |   4 |   2 |   1 |
| Mask Notation (octet value)  | 128 | 192 | 224 | 240 | 248 | 252 | 254 | 255 |
| OSPF Mask (wildcard octet)   | 127 |  63 |  31 |  15 |   7 |   3 |   1 |   0 |
Security Commands

Category: 001_Logging
Description: To prevent logins on the auxiliary line
Commands:
    R1(config)# line aux 0
    R1(config-line)# no password
    R1(config-line)# login

Category: 001_Logging
Description: To enable the vty lines to accept both Telnet and SSH
Commands:
    R1(config)# line vty 0 4
    R1(config-line)# no transport input
    R1(config-line)# transport input telnet ssh
    R1(config-line)# exit

Category: 001_Logging
Description: To enable the vty lines to accept SSH only
Note 1: SSH has replaced Telnet as the best practice for providing remote router administration.
Note 2: Not all Cisco IOS versions support SSH....
Commands:
    R1(config)# line vty 0 4
    R1(config-line)# no transport input
    R1(config-line)# transport input ssh
    R1(config-line)# exit
Category: 001_Securing SSH Router Access
Commands:
    R1(config)# hostname R1
    R1(config)# ip domain-name cisco.com
    R1(config)# crypto key generate rsa
    R1(config)# username student secret cisco
    R1(config)# line vty 0 4
    R1(config-line)# transport input ssh
    R1(config-line)# login local
    R1(config-line)# exit
    R1(config)# ip ssh time-out 15
    R1(config)# ip ssh authentication-retries 3

Category: 002_Securing Protocol RIPv2
Description: Securing the RIPv2 routing protocol (MD5 neighbor authentication)
Commands:
    R1(config)# key chain RIP_KEY
    R1(config-keychain)# key 1
    R1(config-keychain-key)# key-string cisco
    R1(config-keychain-key)# exit
    R1(config-keychain)# exit
    R1(config)# int s0/0/0
    R1(config-if)# ip rip authentication mode md5
    R1(config-if)# ip rip authentication key-chain RIP_KEY

Category: 002_Securing Protocol EIGRP
Description: Securing the EIGRP routing protocol (MD5 neighbor authentication)
Commands:
    R1(config)# key chain EIGRP_KEY
    R1(config-keychain)# key 1
    R1(config-keychain-key)# key-string cisco
    R1(config-keychain-key)# exit
    R1(config-keychain)# exit
    R1(config)# int s0/0/0
    ! 1 is the EIGRP autonomous-system number
    R1(config-if)# ip authentication mode eigrp 1 md5
    R1(config-if)# ip authentication key-chain eigrp 1 EIGRP_KEY

Category: 002_Securing Protocol OSPF
Description: Securing the OSPF routing protocol (MD5 neighbor authentication)
Commands:
    R1(config)# int s0/0/0
    R1(config-if)# ip ospf message-digest-key 1 md5 cisco
    R1(config-if)# ip ospf authentication message-digest
    R1(config-if)# exit
    R1(config)# router ospf 10
    R1(config-router)# area 0 authentication message-digest
Category: 003_Securing a router at a high level
Description: Cisco AutoSecure uses a single command to disable non-essential system processes and services, eliminating potential security threats.
Commands:
    R1# auto secure
The router will then ask a number of questions, such as "Is this router connected to the Internet?"

Category: 003_Cisco_Security_Device Manager
Description: A web interface for Cisco routers (only installed by default on newer Cisco routers)
Commands: Accessible from a browser at https://198.162.20.1
More on Cisco Security Device Manager (SDM) at http://www.cisco.com/en/US/products/sw/secursw/ps5318/
Category: 004_Copy_Cisco Configuration
Description: Copy the running configuration from RAM to the startup configuration in NVRAM
Commands:
    RouterX# copy running-config startup-config
    RouterX# copy system:running-config nvram:startup-config

Category: 004_Copy_Cisco Configuration
Description: Copy the running configuration from RAM to a remote (TFTP) server
Commands:
    RouterY# copy running-config tftp:
    RouterY# copy system:running-config tftp:

Category: 004_Copy_Cisco Configuration
Description: Copy a configuration from a remote (TFTP) server to the startup configuration in NVRAM
Commands:
    RouterZ# copy tftp: startup-config
    RouterZ# copy tftp: nvram:startup-config

Category: 004_Copy_Cisco Configuration
Description: To back up a copy of the IOS image
Commands:
    1) show flash  -> shows the IOS image present (something like C1841-ipbase-mz.123-14.T7.bin)
    2) copy flash: tftp:  -> asks for the source filename: enter the C1841... image name
                          -> asks for the address of the remote host: type the TFTP server IP address

Category: 004_Router_Password Recovery
Description: To recover a lost password (note this requires physical access to the console)
Commands:
    1) show version  -> note the "configuration register" value (something like 0x2102)
    2) rommon 1 > confreg 0x2142   ! boot ignoring the startup-config in NVRAM
    3) rommon 2 > reset
    4) Router> enable
    5) Router# copy startup-config running-config
    6) pick a new password with: Router(config)# enable secret new_password
    7) Router(config)# config-register 0x2102   ! restore the value noted in step 1
    8) Router# copy running-config startup-config
Category: 005_Auto_Secure Cisco Command
Description: To manually auto-secure a router
Commands:
    R1# auto secure
    Is this router connected to internet [no]: y
    Enter the number of interfaces facing internet [1]: 1
    Enter the interface name that is facing internet: Serial0/0/0
    Securing Management plane services...
    .... Many more messages

Category: 006_Configure Cisco SDM
Description: To enable Cisco Router and Security Device Manager (SDM)
Commands:
First, enable the HTTP or HTTPS server on the router:
    Router# configure terminal
    Router(config)# ip http server
    Router(config)# ip http secure-server
    Router(config)# ip http authentication local
    Router(config)# ip http timeout-policy idle 600 life 86400 requests 10000
Next, create a user who has enable privileges:
    Router(config)# username username privilege 15 secret 0 password
Finally, configure the vty lines to support telnet / ssh local login and privilege level 15 users:
    Router(config)# line vty 0 4
    Router(config-line)# privilege level 15
    Router(config-line)# login local
    Router(config-line)# transport input telnet ssh
Download at
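The vty, aux and HTTP entries above are the checks an auditor runs against a saved running-config. The following script is an added example (not from the original notes or from Cisco): it parses the `line` blocks of a constructed IOS config excerpt and flags vty lines that still accept Telnet, an aux line with a password, and `ip http server` without `ip http secure-server`.

```python
# Constructed running-config excerpt (not from the page) with the weaknesses the notes above address
SAMPLE_CONFIG = """\
hostname R1
ip domain-name cisco.com
ip http server
username student secret cisco
line aux 0
 password letmein
 login
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
"""

def parse_line_blocks(config):
    """Return {'aux 0': [...], 'vty 0 4': [...], ...}: the sub-commands under each 'line' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # any unindented command ends the block
    return blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    global_cmds = {line.strip() for line in config.splitlines() if line and not line.startswith(" ")}
    for name, cmds in parse_line_blocks(config).items():
        if name.startswith("vty"):
            transports = [c for c in cmds if c.startswith("transport input")]
            if transports != ["transport input ssh"]:        # absent, 'all', or telnet allowed
                findings.append(f"line {name}: not SSH-only, set 'transport input ssh'")
            if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
                findings.append(f"line {name}: no 'login local' (or AAA login) configured")
        elif name.startswith("aux") and any(c.startswith("password") for c in cmds):
            findings.append(f"line {name}: password set; use 'no password' + 'login' to block aux logins")
    if "ip http server" in global_cmds and "ip http secure-server" not in global_cmds:
        findings.append("ip http server without ip http secure-server: SDM reachable over plaintext HTTP")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports aux 0, vty 0 4 and the HTTP server; vty 5 15 passes because it is SSH-only with `login local`.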
Category: Managing Running Configurations
Description: Commands to manage configurations
Commands:
Copy the running configuration from RAM to the startup configuration in NVRAM:
    R2# copy running-config startup-config
    R2# copy system:running-config nvram:startup-config
Copy the running configuration from RAM to a remote location:
    R2# copy running-config tftp:
    R2# copy system:running-config tftp:
Copy a configuration from a remote source to the running configuration:
    R2# copy tftp: running-config
    R2# copy tftp: system:running-config
Copy a configuration from a remote source to the startup configuration:
    R2# copy tftp: startup-config
    R2# copy tftp: nvram:startup-config
Access Control Lists

Great Access List Pages:
http://computernetworkingnotes.com/ccna_certifications/standard_access_lists.htm
http://computernetworkingnotes.com/ccna_certifications/extended_access_list.htm

Category: Access Control List
Description: ACL Golden Rules
· ACL entries are evaluated in order, so list the specific rules first and the generic rules last.
· Note: every access list ends with an implied deny any (e.g. access-list 99 deny any) unless an explicit counter-acting access-list 99 permit any is specified.
· Simple (standard) ACLs (1 to 99) should be placed closest to the packet destination.
· Complex (extended) ACLs (100 to 199) should be placed closest to the packet source.
· A simple ACL (1 to 99) can match only a source host or network.
· A complex ACL (100 to 199) can match a source, a destination and a protocol/port, e.g. 80 or http (the two are interchangeable).
Category: Access Control List
Description: Rules Summary
Commands:
IP:
    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log|log-input] [time-range time-range-name]
ICMP:
    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log|log-input] [time-range time-range-name]
TCP:
    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log|log-input] [time-range time-range-name]
UDP:
    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny|permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log|log-input] [time-range time-range-name]
In all software releases, the access-list-number can be 101 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs begin to use additional numbers (2000 to 2699). These additional numbers are referred to as expanded IP ACLs. Cisco IOS Software Release 11.2 added the ability to use a list name in extended ACLs. The value 0.0.0.0/255.255.255.255 can be specified as any. After the ACL is defined, it must be applied to the interface (inbound or outbound). In early software releases, out was the default when neither the keyword out nor in was specified. The direction must be specified in later software releases.
Apply an Access Control List to an interface:
    interface <interface>
     ip access-group {number|name} {in|out}
This extended ACL is used to permit traffic on the 10.1.1.x network (inside) and to receive ping responses from the outside while it prevents unsolicited pings from people outside, permitting all other traffic:
    interface Ethernet0/1
     ip address 172.16.1.2 255.255.255.0
     ip access-group 101 in
    !
    access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo
    access-list 101 permit ip any 10.1.1.0 0.0.0.255
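To see the golden rules (first match wins, wildcard masks, implicit deny) act on the ACL 101 just shown, here is an added example (not from the original notes or from Cisco IOS) that parses the two access-list lines and evaluates constructed packets against them the way the router would. It handles `any`, `host` and `address wildcard` sources and destinations and, for ICMP entries, the message type (`echo`, `echo-reply`); port operators such as `eq 80` are not modelled.

```python
import ipaddress

# ACL 101 from the rules summary above (constructed input for this example)
ACL_101 = """
access-list 101 deny icmp any 10.1.1.0 0.0.0.255 echo
access-list 101 permit ip any 10.1.1.0 0.0.0.255
"""

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _addr_spec(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (remaining tokens, (addr, wildcard))."""
    if tokens[0] == "any":                       # same as 0.0.0.0 255.255.255.255
        return tokens[1:], (0, 0xFFFFFFFF)
    if tokens[0] == "host":                      # same as A.B.C.D 0.0.0.0
        return tokens[2:], (_to_int(tokens[1]), 0)
    return tokens[2:], (_to_int(tokens[0]), _to_int(tokens[1]))

def parse_acl(text):
    """Parse 'access-list N {permit|deny} proto src dst [icmp-type]' lines into entries, in order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        rest, src = _addr_spec(t[4:])
        rest, dst = _addr_spec(rest)
        entries.append({"action": t[2], "proto": t[3], "src": src, "dst": dst,
                        "qual": " ".join(rest)})   # e.g. 'echo' or 'echo-reply', '' if none
    return entries

def _wild_match(spec, ip):
    """Wildcard bit 1 = don't care, so only the bits where the wildcard is 0 must be equal."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_to_int(ip) & care) == (addr & care)

def evaluate(entries, proto, src, dst, qual=""):
    """Return (action, index) of the first matching entry, or ('deny', None) for the implicit deny."""
    for i, e in enumerate(entries):
        if e["proto"] not in ("ip", proto):      # 'ip' covers every IP protocol
            continue
        if not (_wild_match(e["src"], src) and _wild_match(e["dst"], dst)):
            continue
        if e["qual"] and e["qual"] != qual:      # ICMP message type, if the entry names one
            continue
        return e["action"], i
    return "deny", None
```

An inbound echo to 10.1.1.5 hits entry 0 (deny), an echo-reply falls through to entry 1 (permit), and anything to 10.1.2.5 matches nothing and is dropped by the implicit deny; evaluating the same entries in reversed order permits the echo, which is the ordering rule in practice.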
Category: Access Control List
Description: Example 1: Block the 10.1.10.0 network from accessing the 10.1.40.0 network. All other access to 10.1.40.0 is allowed.
Commands:
    no access-list 10
    access-list 10 deny 10.1.10.0 0.0.0.255
    access-list 10 permit any
    ! the permit any is required: without it the implicit deny blocks all other access
    ! standard ACL, so apply it outbound on the interface facing 10.1.40.0 (closest to the destination)

Category: Access Control List
Description: Example 2: Hosts 10.1.50.1 through 10.1.50.63 are not allowed web access to the Intranet server at 10.1.80.16. All other access is allowed.
Commands:
    no access-list 101
    ! a port match (eq 80) needs a tcp entry, not ip
    access-list 101 deny tcp 10.1.50.0 0.0.0.63 host 10.1.80.16 eq 80
    access-list 101 permit ip any any

Category: Access Control List
Description: Example 3: Host 10.1.10.5 must not reach host 10.1.50.7. Because this is a precise host-to-host ACL, one that covers one host and one host only, the wildcard mask is 0.0.0.0.
Commands:
    no access-list 115
    ! (more specific, closest to source)
    access-list 115 deny ip 10.1.10.5 0.0.0.0 10.1.50.7 0.0.0.0
    access-list 115 permit ip any any
    interface fa0/0
     ip access-group 115 in
    exit
    !

Category: Access Control List
Description: Example 4: Use the named ACL NO_FTP to block the 10.1.70.0/24 network from accessing FTP services (port 21) on the file server (single host) located at 10.1.10.2. All other access should be allowed.
Commands:
    no ip access-list extended NO_FTP
    ip access-list extended NO_FTP
     deny tcp 10.1.70.0 0.0.0.255 host 10.1.10.2 eq ftp
     permit ip any any
    interface fa0/1
     ip access-group NO_FTP in
    exit
    !

Category: Access Control List
Description: Example 5: "Firewall" ACL
· Allow only inbound ping replies from the ISP and any source beyond the ISP.
· Allow only established TCP sessions from the ISP and any source beyond the ISP.
· Explicitly block all other inbound access from the ISP and any source beyond the ISP.
Commands:
    no ip access-list extended FIREWALL
    ip access-list extended FIREWALL
     permit icmp any any echo-reply
     permit tcp any any established
     deny ip any any
    interface s0/1/0
     ip access-group FIREWALL in
    exit
    !

Category: Access Control List
Description: Example 6: Allow
· hosts on the 192.168.30.0/24 network web access to any destination,
· hosts on the 192.168.30.0/24 network ICMP access to any destination, and
· explicitly deny any other access originating from the network.
Commands:
    interface FastEthernet0/1
     ip access-group 101 in
    !
    access-list 101 permit tcp 192.168.30.0 0.0.0.255 any eq www
    access-list 101 permit icmp 192.168.30.0 0.0.0.255 any
    access-list 101 deny ip any any
Category: Access Control List
Description: Example 7: Another FIREWALL variation
· Allow TW-DSL web access to the Intranet server.
· Allow TW-Cable web access to the Intranet server.
· Allow only inbound ping replies from the ISP and any source beyond the ISP.
· Allow only established TCP sessions from the ISP and any source beyond the ISP.
· Explicitly block all other inbound access from the ISP and any source beyond the ISP.
Commands:
    no ip access-list extended FIREWALL
    ip access-list extended FIREWALL
     permit tcp host 192.168.1.10 host 192.168.20.254 eq www
     permit tcp host 192.168.2.10 host 192.168.20.254 eq www
     permit icmp any any echo-reply
     permit tcp any any established
     deny ip any any
    interface Serial0/1/0
     ip address 209.165.200.225 255.255.255.224
     ip access-group FIREWALL in
    exit
    !

Category: Access Control List
Description: Example 8: Deny ping from a single host to 3 specific addresses.
Commands:
    !!! Deny ping from 101.1.1.9
    enable
    config t
    access-list 101 deny icmp host 101.1.1.9 host 103.3.3.3
    access-list 101 deny icmp host 101.1.1.9 host 113.13.13.3
    access-list 101 deny icmp host 101.1.1.9 host 123.23.23.3
    access-list 101 permit ip any any
    interface FastEthernet0/1
     ip access-group 101 in

Category: Access Control List
Description: Example 9: Deny Telnet access to the router from every source except a given host (the ACL is applied to the VTY lines with access-class, not to an interface).
Commands:
    !!! deny telnet with a standard access list
    !!! Note that the telnet deny does not care about the interface, since it
    !!! is using the VTY line (no ip access-group on an interface is needed).
    access-list 10 permit host 101.1.1.9
    line vty 0 15
     access-class 10 in