Cisco Network Security Configuration Commands
Basic Passwords
line con 0
password <password>
login
Config mode password: enable password <password> (enable secret <password> stores a hash instead of the plaintext and takes precedence if both are set)
OSPF MD5 Authentication
router ospf 1
area 0 authentication message-digest
MD5 Key Configuration
int <Serial Ports>
ip ospf message-digest-key 1 md5 <password>
show ip ospf
NTP Configuration
Configure NTP Settings in server under NTP Tab
ntp server <Server Address>
ntp update-calendar
NTP Authentication on Router
ntp authenticate
ntp trusted-key 1
ntp authentication-key 1 md5 <password>
Timestamp and Logging
service timestamps log datetime msec
logging host <syslog server address>
SSH Configuration
ip domain name <Domain Address>
username <username> privilege 15 secret <password>
SSH VTY Lines
line vty 0 4
login local
transport input ssh
SSH Generate RSA Keys
crypto key generate rsa
SSH Parameters
ip ssh version 2
ip ssh time-out <Seconds>
ip ssh authentication-retries <Number of Attempts>
do sh ip ssh
SSH FROM PC: ssh <username> <Ip Address>
SSH FROM Router: ssh -v 2 -l SSHadmin 10.2.2.1
Blocking IP Addresses
(wildcard mask: 0 bits must match, 1 bits are ignored; 0.0.0.254 keeps only the last bit of the host octet, which selects odd or even addresses in 192.168.0.0/24)
ODD: access-list 1 deny 192.168.0.1 0.0.0.254
EVEN: access-list 1 deny 192.168.0.0 0.0.0.254
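Added example (not part of the original notes): a small Python model of Cisco standard-ACL wildcard matching, used to check that the odd/even entries above deny exactly the intended hosts and to show why a 255.255.255.255 wildcard denies everything. The ACL tuples and the 192.168.0.0/24 range are constructed for the demonstration.

```python
import ipaddress


def wildcard_match(addr: str, entry_addr: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    e = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w  # bit positions the ACL actually compares
    return (a & care) == (e & care)


def acl_action(addr: str, acl) -> str:
    """Walk a standard ACL top-down; first match wins, implicit deny at the end."""
    for action, entry_addr, wildcard in acl:
        if wildcard_match(addr, entry_addr, wildcard):
            return action
    return "deny"


# Constructed ACLs, each ending in an explicit permit-any so only the
# first entry decides which hosts are dropped.
PERMIT_ANY = ("permit", "0.0.0.0", "255.255.255.255")
DENY_ODD = [("deny", "192.168.0.1", "0.0.0.254"), PERMIT_ANY]
DENY_EVEN = [("deny", "192.168.0.0", "0.0.0.254"), PERMIT_ANY]
# Common mistake: an all-ones wildcard ignores every bit, so the entry
# matches (and here denies) every source address.
DENY_ALL_BY_MISTAKE = [("deny", "192.168.0.1", "255.255.255.255"), PERMIT_ANY]


def denied_hosts(acl, network: str = "192.168.0.0/24"):
    """Return the hosts of `network` that the ACL denies."""
    return [str(h) for h in ipaddress.IPv4Network(network).hosts()
            if acl_action(str(h), acl) == "deny"]


if __name__ == "__main__":
    print("odd denied:", denied_hosts(DENY_ODD)[:4], "...", len(denied_hosts(DENY_ODD)))
    print("even denied:", denied_hosts(DENY_EVEN)[:4], "...", len(denied_hosts(DENY_EVEN)))
    print("all-ones wildcard denies", len(denied_hosts(DENY_ALL_BY_MISTAKE)), "hosts")
```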
Layer 2 Security
Root Switch Configs
spanning-tree vlan 1 root primary (on the intended root switch)
spanning-tree vlan 1 root secondary (on the backup root switch)
Portfast/BPDU/Rootguard/Storm
int range {range of pc connected ports}
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
(on all ports connected to non-root switches)
switchport port-security
(enables port security on the port; the following commands have no effect without it)
switchport port-security mac-address sticky
(learn dynamic MAC addresses and save them to the running config; static is the other option)
switchport port-security maximum 2
switchport port-security violation shutdown
storm-control broadcast level 50
Firewall SSH
username admin password cisco
aaa authentication ssh console local
aaa authentication telnet console local
crypto key generate rsa modulus <modulus size>
no (answer to the prompt asking whether to replace an existing key pair)
IOS IPS
mkdir ipsdir
(Creates directory)
ip ips config location flash:ipsdir
ip ips name <Rule name>
ip ips notify log
clock set <hh:mm:ss day month year>
service timestamps log datetime msec
logging host <logging server Address>
ip ips signature-category
category all
retired true
exit
category ios_ips basic
retired false
exit
exit
int <out Serial Interface>
ip ips <rule name> out
ip ips signature-definition
signature 2004 0
status
retired false
enable true
exit
engine
event-action produce-alert
event-action deny-packet-inline
exit
exit
Firewall Activity
route outside 0.0.0.0 0.0.0.0 <ip of the outside router connected to the firewall>
int vlan 1
no nameif inside
nameif inside
ip address <firewall inside address> <mask>
security-level 100
exit
int vlan 2
nameif outside
ip address <firewall outside address> <mask>
security-level 50
exit
int vlan 3
ip address <firewall dmz address> <mask>
no forward interface vlan 1
nameif dmz
security-level 70
int <physical port connected to the dmz server>
switchport access vlan 3
exit
object network <give a server name>
host <that server address>
nat (dmz,outside) static <public address for the server>
end
MPF Application (Modular Policy Framework)
class-map inspection_default
match default-inspection-traffic
exit
policy-map global_policy
class inspection_default
inspect icmp
exit
service-policy global_policy global
All AAA Tasks
AAA Console Authentication
username <username> secret <password>
aaa new-model
aaa authentication login default local
line console 0
login authentication default
end
AAA VTY Lines Authentication
aaa authentication login telnet-login local
(the named method list must then be applied to the VTY lines)
line vty 0 4
login authentication telnet-login
end
AAA Radius or TACACS Authentication (Different Router)
username <username> secret <password>
Configure radius OR tacacs server from config tab add key password
<radius-server OR tacacs-server> host <server address>
<radius-server OR tacacs-server> key <key>
aaa new-model
aaa authentication login default group <radius OR tacacs+> local
line console 0
login authentication default
end
exit
VPN – Extra
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key vpnuser address <ip address of the other router>
crypto ipsec transform-set myset esp-des esp-md5-hmac (lab values; DES and MD5 are deprecated for production use)
crypto map mymap 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set myset
match address 100
interface fa0/0
ip address 10.1.1.2 255.255.255.0
duplex half
interface Serial2/0
ip address 172.16.1.1 255.255.255.0
crypto map mymap
ip route 0.0.0.0 0.0.0.0 172.16.1.2
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255