CCNA Security Commands: Configuration and Best Practices
Chapter 2: CCNA Security
******** MD5 Authentication Configuration ********
-
Configure OSPF MD5 Authentication for all routers in area 0:
R1(config)# router ospf 1
R1(config-router)# area 0 authentication message-digest
R1(config)# interface s0/0/0
R1(config-if)# ip ospf message-digest-key 1 md5 MD5pa55
(Password)
-
Configure NTP:
R1(config)# ntp server 192.168.0.1
R1(config)# ntp authenticate
R1(config)# ntp trusted-key 1
R1(config)# ntp authentication-key 1 md5 NTPpa55
(Password)
-
Configure routers to log messages to the Syslog server:
-
Configure to support SSH connections:
R3(config)# username SSHadmin privilege 15 secret ciscosshpa55
R3(config)# ip domain-name ccnasecurity.com
R3(config)# crypto key generate rsa
Chapter 3: CCNA Security
-
AAA Activation:
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
(Local method)
R1(config)# line console 0
R1(config-line)# login authentication default
-
Create local lists for VTY:
R1(config)# aaa authentication login TELNET-LOGIN local
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
-
TACACS+ Based Configuration:
R2(config)# username Admin2 privilege 15 secret admin2pa55
On the TACACS+ server, add the same username and password. ****1812***
Configure the TACACS server, then add it to the router:
R2(config)# tacacs-server host 192.168.2.2
(Server IP)
R2(config)# tacacs-server key tacacspa55
(Server key)
R2(config)# aaa new-model
R2(config)# aaa authentication login default group tacacs+
(Use the TACACS+ group as the default login method)
-
AAA Authentication Method for Console:
R2(config)# line console 0
R2(config-line)# login authentication default
-
RADIUS Server Configuration (Port 1645):
Client Name = Router Name
Client IP = Gateway IP
Server Type = RADIUS
Secret = the key configured on the router (radius-server key)
Username = Username
Password = Password of my username
R3(config)# username Admin3 secret admin3pa55
R3(config)# radius-server host 192.168.3.2
(RADIUS IP)
R3(config)# radius-server key radiuspa55
-
Console RADIUS Authentication:
R1(config)# aaa new-model
R1(config)# aaa authentication login default group radius local
R1(config)# line console 0
R1(config-line)# login authentication default
Chapter 4: CCNA Security
-
Create Zones:
R3(config)# license boot module c1900 technology-package securityk9
R3(config)# zone security IN-ZONE
(Internal Zone)
R3(config-sec-zone)# exit
R3(config)# zone security OUT-ZONE
R3(config-sec-zone)# exit
-
Identify traffic using a Class-Map:
R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any
(Access list of my LAN)
R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP
(Name of the Class-Map)
R3(config-cmap)# match access-group 101
(Same number as my ACL)
R3(config-cmap)# exit
-
Create a Policy-Map to determine what to do with matching traffic:
R3(config)# policy-map type inspect IN-2-OUT-PMAP
(Name of the Policy)
-
Specify an inspect class type and reference class-map:
R3(config-pmap)# class type inspect IN-NET-CLASS-MAP
(Name of the Class-Map)
R3(config-pmap-c)# inspect
R3(config-pmap-c)# exit
R3(config-pmap)# exit
-
Apply Firewall Policies:
R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
(Name of the Zone Pair; source and destination zones go on the same line)
R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
(Name of the Policy)
R3(config-sec-zone-pair)# exit
-
Assign interfaces to the appropriate security zones:
R3(config)# interface g0/1
R3(config-if)# zone-member security IN-ZONE
(Towards my LAN)
R3(config-if)# exit
R3(config)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE
(Towards the Internet)
R3(config-if)# exit
Chapter 5: CCNA Security
****** Basic Router Configuration ******
-
Disable DNS Lookup:
RT(config)# no ip domain-lookup
-
Set Minimum Password Length:
RT(config)# security passwords min-length 10
-
Set Domain Name:
RT(config)# ip domain-name ccnasecurity.com
-
Create User:
RT(config)# username admin1 algorithm-type scrypt secret cisco12345
-
Generate the RSA key pair (required for SSH):
RT(config)# crypto key generate rsa
****** Console and VTY Line Configuration ******
-
Console Line:
RT(config)# line console 0
RT(config-line)# login local
RT(config-line)# exec-timeout 5 0
RT(config-line)# logging synchronous
-
VTY Lines:
RT(config)# line vty 0 4
RT(config-line)# login local
RT(config-line)# transport input ssh
RT(config-line)# exec-timeout 5 0
-
Auxiliary Line:
RT(config)# line aux 0
RT(config-line)# login local
RT(config-line)# exec-timeout 5 0
****** Other Configurations ******
-
Enable Secret:
R1(config)# enable algorithm-type scrypt secret class12345
-
License:
R1(config)# license boot module c1900 technology-package securityk9
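The hardening items above (minimum password length, a login method and exec-timeout on every line, SSH-only VTY access, secrets instead of reversible passwords) are easier to verify from a saved running-config than by reading it line by line. The Python audit below is an added example, not part of this cheat sheet or of any Cisco tool; the two configurations it scans are constructed samples, and the finding strings are my own wording, not IOS output.

```python
"""Audit an IOS running-config for the basic hardening items above.
Added example, not from the cheat sheet or any Cisco tool; the two configs
are constructed samples and the finding strings are my own wording."""
import re

# Constructed sample: one reversible password, no timeout on aux,
# no idle timeout and telnet still allowed on the VTY lines.
WEAK_CONFIG = """\
hostname RT
ip domain-name ccnasecurity.com
security passwords min-length 10
username admin1 algorithm-type scrypt secret cisco12345
username backup privilege 15 password plain123
enable secret class12345
!
line con 0
 login local
 exec-timeout 5 0
 logging synchronous
line aux 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
 exec-timeout 0 0
"""

# Constructed sample that follows the Chapter 5 commands as written.
HARDENED_CONFIG = """\
hostname RT
no ip domain-lookup
ip domain-name ccnasecurity.com
security passwords min-length 10
username admin1 algorithm-type scrypt secret cisco12345
enable algorithm-type scrypt secret class12345
!
line con 0
 login local
 exec-timeout 5 0
 logging synchronous
line aux 0
 login local
 exec-timeout 5 0
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
"""


def parse_config(text):
    """Return (global_lines, {'line con 0': [sub-commands], ...})."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())   # sub-command of a line block
            continue
        line = raw.strip()
        if line.startswith("line "):
            current = line
            sections[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit(text):
    """List the hardening items that are missing or weakened in the config."""
    findings = []
    global_lines, sections = parse_config(text)

    min_len, has_enable_secret = 0, False
    for g in global_lines:
        if m := re.match(r"security passwords min-length (\d+)$", g):
            min_len = int(m.group(1))
        if re.match(r"enable (algorithm-type \S+ )?secret ", g):
            has_enable_secret = True
        if m := re.match(r"username (\S+)(?: privilege \d+)? password ", g):
            findings.append(f"user {m.group(1)}: reversible 'password' used instead of 'secret'")
    if min_len < 10:
        findings.append("security passwords min-length missing or below 10")
    if not has_enable_secret:
        findings.append("no enable secret configured")

    for header, body in sections.items():
        if not any(b.startswith("login") for b in body):
            findings.append(f"{header}: no login method (login local / login authentication)")
        timeout = next((b.split()[1:] for b in body if b.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{header}: exec-timeout not set (IOS default is 10 minutes)")
        elif timeout == ["0", "0"]:
            findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
        if header.startswith("line vty"):
            transport = next((b.split()[2:] for b in body if b.startswith("transport input")), None)
            if transport != ["ssh"]:
                findings.append(f"{header}: transport input must be 'ssh' only, found {transport}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

The parser keys line blocks by their header (`line vty 0 4`) so the checks can be stricter for VTY than for the console; on a real device the text would come from `show running-config` saved to a file.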
****** IPS Configuration ******
-
Create the Directory:
R1# mkdir ipsdir
-
Configure the IPS Crypto Key:
R1(config)# crypto key pubkey-chain rsa
R1(config-pubkey-chain)# named-key realm-cisco.pub signature
R1(config-pubkey-key)# key-string
-
Create IPS Rules:
R1(config)# ip ips name iosips
R1(config)# ip ips name ips list ?
R1(config)# ip ips config location flash:ipsdir
-
Activate HTTP Notifications:
R1(config)# ip http server
R1(config)# ip ips notify sdee
-
Syslog Notifications:
R1(config)# ip ips notify log
R1# clock set 01:20:00 8 march 2015
R1(config)# service timestamps log datetime msec
R1(config)# logging 192.168.1.3
-
Configure IPS Signatures:
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
-
Apply Rules to Interfaces:
R1(config)# interface g0/1
R1(config-if)# ip ips iosips in
Chapter 6: CCNA Security
-
Basic Configuration:
S1(config)# line console 0
S1(config-line)# password ciscoconpass
S1(config-line)# exec-timeout 5 0
S1(config-line)# login
S1(config-line)# logging synchronous
S1(config)# ip domain-name ccnasecurity.com
S1(config)# username admin privilege 15 algorithm-type scrypt secret cisco12345
S1(config)# crypto key generate rsa general-keys modulus 1024
S1(config)# ip ssh time-out 90
S1(config)# ip ssh authentication-retries 2
S1(config)# line vty 0 4
S1(config-line)# privilege level 15
S1(config-line)# exec-timeout 5 0
S1(config-line)# login local
S1(config-line)# transport input ssh
S1(config-line)# exit
S1(config)# enable algorithm-type scrypt secret cisco12345
-
Switch Port Security:
S1(config)# interface f0/1
S1(config-if)# switchport mode access
(Port security is rejected on a dynamic port, so set access mode first)
S1(config-if)# switchport port-security
S1(config-if)# end
S1# show port-security interface f0/1
-
MAC Configurations:
Maximum number of MAC addresses per port:
S1(config-if)# switchport port-security maximum (number)
Dynamic MAC Learning:
S1(config-if)# switchport port-security mac-address sticky
Manually configure a MAC address for an interface:
S1(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx [vlan (access | voice)]
Enable MAC address notification function on a switch:
S1(config)# mac address-table notification
-
Port Violations:
S1(config-if)# switchport port-security violation (protect | restrict | shutdown | shutdown vlan)
Configuration for IP Phone Connection:
S1(config)# interface f0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 3
(Maximum number of MAC addresses for that port)
S1(config-if)# switchport port-security violation shutdown
S1(config-if)# switchport port-security aging time 120
-
Trunk and DHCP Configurations:
Set trunks to non-negotiation mode and change the native VLAN on trunk ports:
S1(config-if)# switchport nonegotiate
S1(config-if)# switchport trunk native vlan 999
Protected Ports: Protected ports do not send unicast, broadcast, or multicast traffic to other protected ports:
S1(config-if)# switchport protected
Trusted and Untrusted Ports: Trusted ports for DHCP are only from switch to router and from switch to switch, not from switch to users:
S1(config)# ip dhcp snooping
(Enable DHCP protection)
S1(config)# interface f0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)# interface range f0/5-24
S1(config-if-range)# ip dhcp snooping limit rate 6
(Limit the others)
S1(config)# ip dhcp snooping vlan 5,10,50,2
(Allowed only on these VLANs)
Configure Global Snooping:
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
(DHCP snooping for a VLAN)
S1(config)# ip arp inspection vlan 10
(Dynamic ARP inspection)
S1(config)# interface f0/24
S1(config-if)# ip dhcp snooping trust
(Port from switch to router)
S1(config-if)# ip arp inspection trust
(Port from switch to router)
S1(config)# interface range f0/1-5
S1(config-if-range)# ip verify source
(Configure IP Source Guard; it relies on the DHCP snooping binding table)
-
Root Bridge Assignment:
S1(config)# spanning-tree vlan 1 root primary
(On the switch that should be the root)
S1(config)# spanning-tree vlan 1 root secondary
(On the backup root)
S1(config-if)# spanning-tree portfast
(For faster connections from switch to PCs on the interfaces)
S1(config-if)# spanning-tree bpduguard enable
(Enable BPDU Guard on ports connected to PCs)
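To make the difference between the port-security violation modes concrete, the Python model below replays a sequence of frames through a port configured with `maximum 2` under protect, restrict and shutdown. It is an added example, not IOS code and not part of the original notes; the MAC addresses and the syslog text are constructed approximations. The behaviour it encodes is the documented one: protect drops the offending frames silently, restrict drops them and counts and logs the violation, and shutdown additionally err-disables the port so that even the secure addresses stop passing traffic until an operator recovers it.

```python
"""Model of switchport port-security violation modes (protect, restrict,
shutdown). Added illustration, not IOS code; MAC addresses and the log
text are constructed approximations."""


class SecuredPort:
    """One access port with 'switchport port-security' enabled."""

    def __init__(self, name="FastEthernet0/1", maximum=1,
                 violation="shutdown", sticky=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.name = name
        self.maximum = maximum           # switchport port-security maximum N
        self.violation = violation       # switchport port-security violation MODE
        self.sticky = sticky             # switchport port-security mac-address sticky
        self.secure_macs = []            # secure addresses in learning order
        self.violation_count = 0         # "Security Violation Count" in show port-security
        self.err_disabled = False
        self.syslog = []

    def receive(self, src_mac):
        """Process one ingress frame; return 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"                # an err-disabled port passes nothing
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # dynamically learned secure MAC
            return "forward"
        # Secure table is full and the source is unknown: a security violation.
        if self.violation == "protect":
            return "drop"                # silently dropped: no counter, no log
        self.violation_count += 1
        self.syslog.append(              # approximation of the IOS message
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True     # port stays err-disabled until recovered
        return "drop"

    def recover(self):
        """Operator issues shutdown / no shutdown (or errdisable recovery fires)."""
        self.err_disabled = False

    def sticky_config_lines(self):
        """Lines the switch would write to running-config with sticky learning."""
        if not self.sticky:
            return []
        return [f"switchport port-security mac-address sticky {m}" for m in self.secure_macs]


def simulate(violation, frames, maximum=2):
    """Run a frame sequence through a fresh port and summarise the result."""
    port = SecuredPort(maximum=maximum, violation=violation, sticky=True)
    decisions = [port.receive(mac) for mac in frames]
    return {"decisions": decisions, "violations": port.violation_count,
            "err_disabled": port.err_disabled, "syslog": len(port.syslog),
            "sticky": port.sticky_config_lines()}


if __name__ == "__main__":
    # Constructed sample: two legitimate hosts, one intruder, then host 1 again.
    FRAMES = ["000c.29aa.0001", "000c.29aa.0002", "000c.29bb.0003", "000c.29aa.0001"]
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, simulate(mode, FRAMES))
```

The fourth frame is the interesting one: under protect and restrict the already-secured host keeps working, while under shutdown it is cut off along with the intruder, which is why shutdown is the mode that gets noticed (and why the violation counter and syslog matter for restrict).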
Chapter 8: CCNA Security
****** IKE Policy Configuration ******
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# hash sha
(Integrity Definition)
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 24
R1(config-isakmp)# lifetime 3600
R1(config-isakmp)# encryption aes
R1(config-isakmp)# end
****** Show Commands ******
R1# show crypto isakmp policy
(View created policies)
R1# show crypto isakmp sa
(See if the tunnel is created)
****** Shared Key Configuration (On Both Sides) ******
R1(config)# crypto isakmp key cisco12345 address 172.30.3.2
(IP of the other side’s router)
****** Interesting Traffic (What the Tunnel Encrypts) ******
R1(config)# access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
(Source = my internal LAN, destination = other side's LAN)
(On both sides, mirrored)
R2(config)# access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
****** Transform Set Configuration (Same on Both Sides) ******
R1(config)# crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac
R2(config)# crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac
****** Configure a Crypto Map (Same on Both Sides) ******
R1(config)# crypto map R1-R2_MAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# set transform-set R1-R2
R1(config-crypto-map)# set peer 172.30.2.2
(Other router’s IP)
R1(config-crypto-map)# set pfs group24
R1(config-crypto-map)# set security-association lifetime seconds 900
R2(config)# crypto map R1-R2_MAP 10 ipsec-isakmp
R2(config-crypto-map)# match address 102
R2(config-crypto-map)# set transform-set R1-R2
R2(config-crypto-map)# set peer 172.30.2.1
(Other router’s IP)
R2(config-crypto-map)# set pfs group24
R2(config-crypto-map)# set security-association lifetime seconds 900
****** Apply Crypto Maps ******
R1(config)# interface s0/0/0
(My serial interface towards the peer router)
R1(config-if)# crypto map R1-R2_MAP
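The chapter repeats "same on both sides" for a reason: most tunnels that fail to come up in this lab do so because one parameter was not mirrored. The Python checker below is an added example, not part of the original notes or of any Cisco tool. It parses the relevant lines from both routers' configs and reports mismatches in the ISAKMP policy, the pre-shared key, the `set peer` versus the address on the `crypto isakmp key` line, the transform-set algorithms, the PFS group, and whether every crypto ACL entry has its mirror image on the other router. The three configs are constructed samples reusing this chapter's addresses, with the second R2 config deliberately broken. Run against the chapter's values exactly as written, it would flag that the shared key's address (172.30.3.2) does not match R1's `set peer` (172.30.2.2).

```python
"""Consistency check for a crypto-map style site-to-site IPsec VPN.
Added example, not part of the original notes or of any Cisco tool; the
configs are constructed samples that reuse this chapter's addresses."""
import re

R1_CONFIG = """\
crypto isakmp policy 1
 hash sha
 authentication pre-share
 group 24
 lifetime 3600
 encryption aes
crypto isakmp key cisco12345 address 172.30.2.2
crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map R1-R2_MAP 10 ipsec-isakmp
 match address 101
 set transform-set R1-R2
 set peer 172.30.2.2
 set pfs group24
"""

R2_GOOD = """\
crypto isakmp policy 1
 hash sha
 authentication pre-share
 group 24
 lifetime 3600
 encryption aes
crypto isakmp key cisco12345 address 172.30.2.1
crypto ipsec transform-set R1-R2 esp-aes esp-sha-hmac
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto map R1-R2_MAP 10 ipsec-isakmp
 match address 102
 set transform-set R1-R2
 set peer 172.30.2.1
 set pfs group24
"""

# Deliberately broken copy: different hash and a crypto ACL that names the wrong remote LAN.
R2_BAD = R2_GOOD.replace(" hash sha", " hash md5").replace(
    "10.0.1.0 0.0.0.255\n", "10.0.2.0 0.0.0.255\n")


def parse_side(text):
    """Pull the IKE/IPsec parameters out of one router's config text."""
    side = {"isakmp": {}, "key": None, "transform": None, "acl": [], "map": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            section = None                        # back at the global level
        if section == "isakmp":                   # "hash sha" -> {"hash": "sha"}
            key, *val = line.split()
            side["isakmp"][key] = " ".join(val)
        elif section == "map":                    # "set peer X" -> {"peer": "X"}
            if line.startswith("match address"):
                side["map"]["acl"] = line.split()[2]
            elif line.startswith("set "):
                _, key, *val = line.split()
                side["map"][key] = " ".join(val)
        elif line.startswith("crypto isakmp policy"):
            section = "isakmp"
        elif line.startswith("crypto map") and line.endswith("ipsec-isakmp"):
            section = "map"
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            side["key"] = (m.group(1), m.group(2))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            side["transform"] = (m.group(1), tuple(m.group(2).split()))
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            side["acl"].append(m.groups())        # (acl, src, smask, dst, dmask)
    return side


def crypto_acl(side):
    """Entries of the ACL named by 'match address', as (src, smask, dst, dmask)."""
    return [e[1:] for e in side["acl"] if e[0] == side["map"].get("acl")]


def check_pair(r1_text, r2_text):
    """Return the list of mismatches; an empty list means both sides agree."""
    sides = {"R1": parse_side(r1_text), "R2": parse_side(r2_text)}
    a, b = sides["R1"], sides["R2"]
    problems = []
    for param in ("encryption", "hash", "authentication", "group"):
        if a["isakmp"].get(param) != b["isakmp"].get(param):
            problems.append(f"isakmp {param} differs: R1={a['isakmp'].get(param)} "
                            f"R2={b['isakmp'].get(param)}")
    if not (a["key"] and b["key"]) or a["key"][0] != b["key"][0]:
        problems.append("pre-shared key missing or different on the two sides")
    for name, s in sides.items():
        if s["key"] and s["map"].get("peer") != s["key"][1]:
            problems.append(f"{name}: set peer {s['map'].get('peer')} != "
                            f"isakmp key address {s['key'][1]}")
        if not s["transform"] or s["map"].get("transform-set") != s["transform"][0]:
            problems.append(f"{name}: crypto map references an undefined transform-set")
    if a["transform"] and b["transform"] and a["transform"][1] != b["transform"][1]:
        problems.append("transform-set algorithms differ")
    if a["map"].get("pfs") != b["map"].get("pfs"):
        problems.append("pfs group differs")
    acl_a, acl_b = crypto_acl(a), crypto_acl(b)
    mirror_of_b = {(d, dm, s, sm) for (s, sm, d, dm) in acl_b}
    mirror_of_a = {(d, dm, s, sm) for (s, sm, d, dm) in acl_a}
    problems += [f"R1 crypto ACL entry {e} has no mirror on R2" for e in acl_a if e not in mirror_of_b]
    problems += [f"R2 crypto ACL entry {e} has no mirror on R1" for e in acl_b if e not in mirror_of_a]
    return problems


if __name__ == "__main__":
    print("good pair:", check_pair(R1_CONFIG, R2_GOOD) or "consistent")
    print("bad pair:", check_pair(R1_CONFIG, R2_BAD))
```

The mirror test is the one `show crypto isakmp sa` cannot tell you about: with a one-sided ACL the IKE SA may still form, but the IPsec proxy identities will not match and traffic will not be encrypted.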
Chapter 9: CCNA Security
Configure a logical VLAN 1 interface for the inside network (192.168.1.0/24) and set the security level to the highest setting of 100.
CCNAS-ASA(config)# interface vlan 1
CCNAS-ASA(config-if)# nameif inside
CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
(Internal LAN, do not take DMZ)
CCNAS-ASA(config-if)# security-level 100
CCNAS-ASA(config-if)# interface vlan 2
CCNAS-ASA(config-if)# nameif outside
CCNAS-ASA(config-if)# ip address 209.165.200.226 255.255.255.248
(Connected from ASA to outside)
CCNAS-ASA(config-if)# security-level 0
Create a default "quad zero" route using the route command, associate it with the outside interface of the ASA, and point to the IP address of R1 G0/0 (209.165.200.225) as the gateway of last resort.
CCNAS-ASA(config)# route outside 0.0.0.0 0.0.0.0 209.165.200.225
(IP of the external network to connect)
Create a network object inside-net and assign attributes to it using the subnet and nat commands.
CCNAS-ASA(config)# object network inside-net
CCNAS-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
(Portion of my internal network)
CCNAS-ASA(config-network-object)# nat (inside,outside) dynamic interface
CCNAS-ASA(config-network-object)# end
Create the class-map, policy-map, and service-policy. Add ICMP traffic inspection to the policy-map list using the following commands:
CCNAS-ASA(config)# class-map inspection_default
CCNAS-ASA(config-cmap)# match default-inspection-traffic
CCNAS-ASA(config-cmap)# exit
CCNAS-ASA(config)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
CCNAS-ASA(config-pmap-c)# exit
CCNAS-ASA(config)# service-policy global_policy global
Part 4: Configure DHCP, AAA, and SSH
Step 1: Configure the ASA as a DHCP server for the inside network.
CCNAS-ASA(config)# dhcpd address 192.168.1.5-192.168.1.36 inside
CCNAS-ASA(config)# dhcpd dns 209.165.201.2 interface inside
CCNAS-ASA(config)# dhcpd enable inside
Step 2: Configure AAA to use the local database for authentication.
CCNAS-ASA(config)# username admin password adminpa55
CCNAS-ASA(config)# aaa authentication ssh console LOCAL
Step 3: Configure remote access to the ASA.
CCNAS-ASA(config)# crypto key generate rsa modulus 1024
CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# ssh 172.16.3.3 255.255.255.255 outside
(Outside network)
CCNAS-ASA(config)# ssh timeout 10
Part 5: Configure a DMZ, Static NAT, and ACLs
a. Configure DMZ VLAN 3, which is where the publicly accessible web server will reside. Assign it the IP address 192.168.2.1/24, the name dmz, and a security level of 70. Because the server does not need to initiate communication with the inside users, disable forwarding to interface VLAN 1.
CCNAS-ASA(config)# interface vlan 3
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# no forward interface vlan 1
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for “dmz” set to 0 by default.
CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# interface Ethernet0/2
CCNAS-ASA(config-if)# switchport access vlan 3
CCNAS-ASA(config)# object network dmz-server
CCNAS-ASA(config-network-object)# host 192.168.2.3
(IP of the DMZ server)
CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.227
(It is given a public IP from the ASA's outside range)
CCNAS-ASA(config-network-object)# exit
CCNAS-ASA(config)# access-list OUTSIDE-DMZ permit icmp any host 192.168.2.3
(Allow traffic to the DMZ server)
CCNAS-ASA(config)# access-list OUTSIDE-DMZ permit tcp any host 192.168.2.3 eq 80
CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside
Cisco Class 3: Assigning Privilege Levels to Users
(A double-edged sword, since it is only practical with a few devices)
Configurable levels: 2-14. Not configurable (defaults): 0, 1 and 15.
-
Option through the user account:
R1(config)# username level10 privilege 10 secret level10
R1(config)# username cristobal secret cisco
(By default it comes with all the privileges)
R1(config)# do show run | include privilege
R1(config)# username RICARDO privilege 15 secret c15co
R1(config)# username FABIAN privilege 5 secret c15co
R1(config)# username JUAN privilege 10 secret c15co
R1(config)# enable secret level 15 c15co
R1(config)# enable secret level 5 c15co
R1(config)# enable secret level 10 c15co
R1(config)# line vty 0 15
R1(config-line)# no privilege level 15
(The line takes the privilege level of the user)
R1(config)# enable secret level 10 cisco
R1# show privilege
(Shows the privilege level the current user is using)
R1> enable
(Enter privileged EXEC mode)
R1# conf ter
R1(config)# privilege exec level 10 configure
(EXEC is the mode in which commands run; the configure command runs in privileged mode. This means a user with a level below 10, e.g. 9, cannot run "configure", but a user with level 10-15 can)
R1(config)# privilege configure level 11 interface description
(Does this work?)
R1(config)# privilege interface level 11 description
(interface = mode, description = command)
R1(config)# privilege exec level 5 ping
R1(config)# privilege exec level 5 show ip route
R1(config)# privilege exec level 10 configure terminal
(Same as above, this time with the command conf terminal)
R1(config)# privilege configure level 10 interface
(Here the user is granted permission to use that command)
R1# show parser dump exec
(Shows all the commands that can be run in a mode and their privilege level)
R1# show parser dump configure | include (level number)
(Shows the commands that can be run at that level)
-
Creating Views (Templates):
R1> enable
R1# conf terminal
R1(config)# aaa new-model
(Entering this command disables local login; it enables views)
R1(config)# enable secret cisco
R1(config)# exit
R1# enable view root
(Now we create the views)
R1# conf ter
R1(config)# parser view vista1
R1(config-view)# secret vista1
R1(config-view)# commands exec ?
(Options: exclude, include, include-exclusive)
R1(config-view)# commands exec include all show
(Include all show commands)
R1(config-view)# commands exec exclude all show ip route
(Exclude all show ip route commands)
Assign a user to the view:
R1(config)# username (username) view (view name) secret (password)
R1(config)# exit
R1# enable view vista1
(Enables the view)
show ip route (not allowed), show (allowed)
-
Assigning a view to a user:
R1# enable view root
(Enter the root view)
R1(config)# username yasser view vista1 secret cisco
R1(config)# aaa authentication login REMOTO local
(aaa = local or remote; the remote one is used on the VTY lines)
R1(config)# aaa authorization exec VISTA1 local
R1(config)# line vty 0 4
R1(config-line)# login authentication REMOTO
R1(config-line)# authorization exec VISTA1
R1# show clock
(View time and date)
R1# clock set 20:55:30 14 march 2018
-
NTP Server: synchronizes the time on the devices (works over UDP port 23).
The router closest to the NTP server has the lowest value (1-15); the value is called stratum. The farther away, the higher the stratum.
R1(config)# ntp master 1
R2(config)# ntp server x.x.x.x
(Domain name or IP of the server. Note: R1 is configured as master, so R2 is given the IP of R1)
R1(config)# ntp authentication-key 1 md5 cisco
R1(config)# ntp authenticate
(Activate)
R1(config)# ntp trusted-key 1
(Tell it that key 1 will be used)
On the client, add the key: ntp server x.x.x.x key 1