TYIT_603_RUGVED

Practical 1
Aim: Packet Tracer - Configure Cisco Routers for Syslog, NTP, and SSH Operations.

(Topology and configuration screenshots omitted: NTP Server, SYSLOG Server, R1, R2, R3, PC1, CLI)

Step 1: Test connectivity. All devices should be able to ping all other IP addresses.

Step 2: Configure OSPF MD5 authentication for all the routers in area 0.
R1
Router>en
Router#conf t
Router(config)#hostname r1
r1(config)#router ospf 1
r1(config-router)#network 192.168.1.0 0.0.0.255 area 0
r1(config-router)#network 10.1.1.0 0.0.0.3 area 0
r1(config-router)#area 0 authentication message-digest

R2
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname r2
r2(config)#router ospf 1
r2(config-router)#network 10.1.1.0 0.0.0.3 area 0
r2(config-router)#network 10.2.2.0 0.0.0.3 area 0
r2(config-router)#area 0 authentication message-digest

R3
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname r3
r3(config)#router ospf 1
r3(config-router)#network 192.168.3.0 0.0.0.255 area 0
r3(config-router)#network 10.2.2.0 0.0.0.3 area 0
r3(config-router)#area 0 authentication message-digest

Step 3: Configure the MD5 key for all the routers in area 0. The key is an interface command, so it must be set on every interface that forms an OSPF adjacency, with the same key ID and key string on both ends of each link.
r1
r1(config)#interface s0/0/0
r1(config-if)#ip ospf message-digest-key 1 md5 MD5pa55

r2
r2(config)#interface s0/0/0
r2(config-if)#ip ospf message-digest-key 1 md5 MD5pa55
r2(config-if)#interface s0/0/1
r2(config-if)#ip ospf message-digest-key 1 md5 MD5pa55

r3
r3(config)#interface s0/0/1
r3(config-if)#ip ospf message-digest-key 1 md5 MD5pa55

Check: once the key is present on both ends of each serial link the adjacencies re-form, and show ip ospf neighbor lists each peer in FULL state. A mismatched key ID or key string shows up as a neighbour that never reaches FULL or drops after the dead interval. MD5 authentication proves that a hello came from a holder of the shared key; it does not encrypt the routing updates.

Part 2: Configure NTP

Step 1: Enable NTP authentication on PC-A (the NTP Server, 192.168.1.5). Under the server's Services tab, turn NTP authentication on using the same key ID and password the routers are given below (key 1, NTPpa55).

Step 2: Configure R1, R2 and R3 as NTP clients (shown for R1; repeat on R2 and R3).
R1(config)#ntp server 192.168.1.5
Step 3: Configure the routers to update the hardware clock from NTP.
R1(config)#ntp update-calendar
Step 4: Configure NTP authentication on the routers (shown for R2; repeat on R1 and R3).
R2(config)#ntp authenticate
R2(config)#ntp trusted-key 1
R2(config)#ntp authentication-key 1 md5 NTPpa55
Step 5: Configure the routers to timestamp log messages.
R1(config)#service timestamps log datetime msec

Check with show ntp status and show ntp associations: once a router has synchronized, the server entry in the associations table is marked with an asterisk. With ntp authenticate and a trusted key configured, the router refuses to synchronize to any source whose packets do not carry a valid digest under one of its trusted keys.
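What the three NTP authentication commands actually check on a received packet, as an added example that is not part of the lab or of any Cisco code: RFC 5905 defines the NTP MAC as a 4-byte key identifier followed by MD5 computed over the key concatenated with the 48-byte packet. The key table, the trusted-key set and the packet contents below are constructed to mirror the lab's configuration (key 1, NTPpa55).

```python
import hashlib
import hmac
import struct

# Constructed key table mirroring the lab's router commands (example code, not IOS):
#   ntp authentication-key 1 md5 NTPpa55
#   ntp trusted-key 1
NTP_KEYS = {1: b"NTPpa55"}
TRUSTED_KEY_IDS = {1}
NTP_HEADER_LEN = 48


def build_ntp_client_packet(transmit_ts: int = 0x0123456789ABCDEF) -> bytes:
    """48-byte NTPv4 header with LI=0, VN=4, Mode=3 (client). A real client fills the
    transmit timestamp from its own clock; every other field is zero in a request."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    header = struct.pack("!BBBb", li_vn_mode, 0, 0, 0)   # LI/VN/Mode, stratum, poll, precision
    header += struct.pack("!II", 0, 0)                    # root delay, root dispersion
    header += b"\x00" * 4                                 # reference ID
    header += struct.pack("!QQQ", 0, 0, 0)                # reference, origin, receive timestamps
    header += struct.pack("!Q", transmit_ts)              # transmit timestamp
    return header


def append_mac(packet: bytes, key_id: int) -> bytes:
    """RFC 5905 MAC: a 4-byte key identifier followed by MD5(key || packet)."""
    digest = hashlib.md5(NTP_KEYS[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message: bytes) -> bool:
    """The check that 'ntp authenticate' plus 'ntp trusted-key 1' impose on a received packet:
    a MAC must be present, its key ID must be trusted and known, and the digest must match.
    A bare 48-byte packet without a MAC is rejected, which is what makes authentication
    mandatory rather than optional."""
    if len(message) != NTP_HEADER_LEN + 4 + 16:
        return False
    packet = message[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", message[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = message[NTP_HEADER_LEN + 4:]
    if key_id not in TRUSTED_KEY_IDS or key_id not in NTP_KEYS:
        return False
    expected = hashlib.md5(NTP_KEYS[key_id] + packet).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    request = append_mac(build_ntp_client_packet(), 1)
    print("authenticated request accepted:", verify_mac(request))
    print("unauthenticated request accepted:", verify_mac(request[:NTP_HEADER_LEN]))
```

The digest is a keyed MD5 over key-then-packet, the construction NTP specifies, not an HMAC; the key is a symmetric shared secret, so any party holding NTPpa55 can produce valid time packets. Authentication here protects the routers' clocks (and therefore the syslog timestamps) against an unauthenticated rogue NTP server, nothing more.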

Part 3: Configure Routers to Log Messages to the Syslog Server

Step 1: Configure the routers to identify the remote host (Syslog Server, 192.168.1.6) that will receive logging messages (shown for R1; repeat on R2 and R3).
R1(config)# logging host 192.168.1.6
Step 2: Examine the logs on the Syslog Server. From the Services tab of the Syslog Server's dialogue box, select the Syslog service button and observe the logging messages received from the routers. Syslog is carried over UDP without authentication or integrity protection, so the timestamps added by service timestamps log are only as trustworthy as the NTP source the routers synchronize to.

Part 4: Configure R3 to Support SSH Connections


Step 1: Configure a domain name.
R3(config)# ip domain-name ccnasecurity.com
Step 2: Configure users for login to the SSH server on R3.
Create a user ID of SSHadmin with the highest possible privilege level and a secret password of ciscosshpa55.
R3(config)#username SSHadmin privilege 15 secret ciscosshpa55
Step 3: Configure the incoming vty lines on R3.
Use the local user accounts for mandatory login and validation, and accept only SSH connections.
R3(config)#line vty 0 4
R3(config-line)#login local
R3(config-line)# transport input ssh

Step 4: Erase existing key pairs on R3.
Any existing RSA key pairs should be erased on the router.
R3(config)# crypto key zeroize rsa
% No Signature RSA Keys found in configuration.
Step 5: Generate the RSA key pair for R3.
R3(config)#crypto key generate rsa
The name for the keys will be: R3.ccnasecurity.com
Choose the size of the key modulus in the range of 360 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable... [OK]
*Mar 1 %SSH-5-ENABLED: SSH 1.99 has been enabled
A 1024-bit modulus is what the lab asks for; SSH version 2 needs at least 768 bits, and 2048 bits is the sensible choice outside Packet Tracer.
Step 6: Verify the SSH configuration.
R3#show ip ssh
Until Step 7 the output reports SSH version 1.99, meaning the server still accepts both version 1 and version 2 clients.
Step 7: Configure SSH timeouts and authentication parameters.
R3(config)# ip ssh time-out 90
R3(config)# ip ssh authentication-retries 2
R3(config)# ip ssh version 2
Step 8: Attempt to connect to R3 via Telnet from PC-C.
Open the Desktop of PC-C, select the Command Prompt icon and enter the command to connect to R3 via Telnet:
telnet 192.168.3.1
The connection is refused, because the vty lines accept only SSH (transport input ssh).
Step 9: Connect to R3 using SSH from PC-C.
From the same Command Prompt, enter the command to connect to R3 via SSH. When prompted for the password, enter the password configured for the administrator, ciscosshpa55.
ssh -l SSHadmin 192.168.3.1
Step 10: Connect to R3 using SSH from R2. To troubleshoot and maintain R3, the administrator at the ISP must use SSH to access the router CLI. From the CLI of R2, enter the command to connect to R3 via SSH version 2 using the SSHadmin user account. When prompted for the password, enter the password configured for the administrator, ciscosshpa55.
R2#ssh -v 2 -l SSHadmin 10.2.2.1

Verify the OSPF authentication settings on R1:

r1#show ip ospf interface
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.1/24, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 192.168.1.1, Interface address 192.168.1.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:08
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    No key configured, using default key id 0
Serial0/0/0 is up, line protocol is up
  Internet address is 10.1.1.1/30, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type POINT-TO-POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT-TO-POINT, Priority 0
  No designated router on this network
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:03
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

Check: "Message digest authentication enabled" on both interfaces comes from the area-level command, and "Youngest key id is 1" on Serial0/0/0 confirms the interface key. GigabitEthernet0/0 reports "No key configured, using default key id 0" because no message-digest-key was applied to the LAN interface. That is harmless while the LAN has no other OSPF routers (Neighbor Count is 0), but any router later attached there would need a matching key before it could form an adjacency.
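What the "message-digest" settings shown above put on the wire, as an added example that is not part of the lab or of any Cisco code. It follows RFC 2328 Appendix D: the packet's 64-bit authentication field carries the key ID, the digest length and a cryptographic sequence number, the checksum is zero, and MD5 is computed over the packet followed by the 16-byte (zero-padded) key; the digest is appended but not counted in the length field. The key table, router ID and hello contents are constructed from the lab's values (key 1, MD5pa55, Router ID 192.168.1.1, Hello 10, Dead 40).

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_CRYPTOGRAPHIC = 2      # AuType 2 = cryptographic (MD5) authentication
DIGEST_LEN = 16
HEADER_LEN = 24

# Constructed key table mirroring "ip ospf message-digest-key 1 md5 MD5pa55" (example, not IOS).
MD5_KEYS = {1: b"MD5pa55"}


def pad_key(key: bytes) -> bytes:
    """The digest is computed with a 16-byte key; IOS zero-pads shorter key strings."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 key strings are at most 16 bytes")
    return key.ljust(16, b"\x00")


def hello_body(mask: str, hello: int = 10, dead: int = 40, priority: int = 0) -> bytes:
    """Hello body with the timers the lab output shows (Hello 10, Dead 40), options 0x02,
    no DR/BDR (point-to-point link) and no neighbours listed."""
    return struct.pack("!IHBBIII", int(IPv4Address(mask)), hello, 0x02, priority, dead, 0, 0)


def build_packet(router_id: str, area_id: str, key_id: int, seq: int, body: bytes) -> bytes:
    """OSPFv2 header prepared for MD5 authentication. The 64-bit authentication field holds
    0x0000, the key ID, the auth data length (16) and a 32-bit cryptographic sequence number;
    the checksum stays 0 because the digest replaces it; the length field covers header and
    body only, never the digest appended by sign()."""
    header = struct.pack("!BBHIIHH", OSPF_VERSION, OSPF_HELLO, HEADER_LEN + len(body),
                         int(IPv4Address(router_id)), int(IPv4Address(area_id)),
                         0, AUTH_CRYPTOGRAPHIC)
    header += struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Sender side: append MD5(packet || padded key)."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(message: bytes, keys: dict, last_seq: int) -> bool:
    """Receiver side: the key ID named in the header must be configured locally, the sequence
    number must not go backwards (replay protection), and the recomputed digest must match."""
    if len(message) < HEADER_LEN + DIGEST_LEN:
        return False
    length = struct.unpack("!H", message[2:4])[0]
    autype = struct.unpack("!H", message[14:16])[0]
    if autype != AUTH_CRYPTOGRAPHIC or length + DIGEST_LEN != len(message):
        return False
    _, key_id, auth_len, seq = struct.unpack("!HBBI", message[16:24])
    if auth_len != DIGEST_LEN or key_id not in keys or seq < last_seq:
        return False
    packet, digest = message[:length], message[length:]
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    hello = build_packet("192.168.1.1", "0.0.0.0", key_id=1, seq=100,
                         body=hello_body("255.255.255.252"))
    on_the_wire = sign(hello, MD5_KEYS[1])
    print("accepted by a peer holding key 1:", verify(on_the_wire, MD5_KEYS, last_seq=99))
    print("accepted by a peer without key 1:", verify(on_the_wire, {}, last_seq=99))
```

The receiver looks the key up by the ID carried in the packet, which is why both ends must agree on the key ID and not only on the key string; a hello from the LAN interface above would be sent under key ID 0 and fail this lookup on a peer that has only key 1.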

Practical 2
Aim: Configure AAA Authentication

Step 1: Configure the hostnames of the routers as R1 and R2.

Step 2: Go to the R1 CLI.
(Configuration screenshots omitted.)

Practical 3
Aim: Configuring Extended ACLs

Table:

Device   Interface   IP Address      Subnet Mask        Default Gateway
R1       G0/0        172.22.34.65    255.255.255.224    N/A
         G0/1        172.22.34.97    255.255.255.240    N/A
         G0/2        172.22.34.1     255.255.255.192    N/A
Server   NIC         172.22.34.62    255.255.255.192    172.22.34.1
PC1      NIC         172.22.34.98    255.255.255.240    172.22.34.97
PC2      NIC         172.22.34.66    255.255.255.224    172.22.34.65

Configure the router using the following commands (type ? at any point to list the keywords accepted next).

Part 1: numbered extended ACL 100, applied inbound on G0/0, the interface facing PC2's network 172.22.34.64/27, so that PC2 can reach the server only with FTP and ping.
Router(config)#access-list 100 permit tcp 172.22.34.66 0.0.0.31 host 172.22.34.62 eq ftp
Router(config)#access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip access-group 100 in

Part 2: named extended ACL HTTP-ONLY, applied inbound on G0/1, the interface facing PC1's network 172.22.34.96/28 (wildcard 0.0.0.15 for mask 255.255.255.240), so that PC1 can reach the server only with HTTP and ping.
Router(config)#ip access-list extended HTTP-ONLY
Router(config-ext-nacl)#permit tcp 172.22.34.98 0.0.0.15 host 172.22.34.62 eq www
Router(config-ext-nacl)#permit icmp 172.22.34.98 0.0.0.15 host 172.22.34.62
Router(config-ext-nacl)#exit
Router(config)#interface gigabitEthernet 0/1
Router(config-if)#ip access-group HTTP-ONLY in

Notes. IOS stores 172.22.34.66 0.0.0.31 as 172.22.34.64 0.0.0.31 (host bits under the wildcard are cleared), so both entries of ACL 100 cover the whole /27. Each list is applied on the interface where the client's traffic enters the router; an inbound list on the server-facing G0/2 would only ever see the server's own packets. Every ACL ends with an implicit deny, so anything not listed (HTTP from PC2, FTP from PC1) is dropped.

Verify from the PC command prompts: PC>ping 172.22.34.62 succeeds from both PC1 and PC2; opening a web page on the server from PC2, or an FTP session from PC1, fails.
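To check what the two lists above permit before applying them, the following added example (not part of the lab or of any Cisco code) evaluates IOS extended-ACL entries the way the router does: first match wins, unmatched packets hit the implicit deny, and a wildcard mask selects which address bits must match. The FTP entry of ACL 100 and both HTTP-ONLY entries are copied from the page; the ICMP entry of ACL 100 is written with PC2's network 172.22.34.64/27 as source, an assumption of this example so that the list applied where PC2's traffic enters also permits PC2's pings. wildcard_for and normalize show why the /28 needs 0.0.0.15 and what IOS does with host bits in a source address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port keywords IOS accepts after "eq" (subset; numeric ports are accepted as well).
PORT_KEYWORDS = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80, "http": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; otherwise tcp/udp/icmp
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]   # None when the entry carries no "eq <port>"


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_for(mask: str) -> str:
    """Subnet mask -> wildcard mask (bitwise complement): 255.255.255.240 -> 0.0.0.15."""
    return str(ipaddress.IPv4Address(_ip(mask) ^ 0xFFFFFFFF))


def normalize(addr: str, wildcard: str) -> str:
    """What IOS stores: host bits under the wildcard are cleared, so '172.22.34.66 0.0.0.31'
    becomes '172.22.34.64 0.0.0.31' and covers the whole /27."""
    return f"{ipaddress.IPv4Address(_ip(addr) & ~_ip(wildcard) & 0xFFFFFFFF)} {wildcard}"


def _addr_spec(tok: List[str], i: int):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D wildcard') at tok[i]."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one entry in either 'access-list 100 permit ...' or named-ACL 'permit ...' form."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    action, proto = tok[0], tok[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported entry: {line}")
    src, src_wild, i = _addr_spec(tok, 2)
    dst, dst_wild, i = _addr_spec(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_KEYWORDS.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, src_wild, dst, dst_wild, dport)


def _matches(ace: Ace, proto: str, src: int, dst: int, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if (src & ~ace.src_wild) != (ace.src & ~ace.src_wild):   # wildcard bit set = don't care
        return False
    if (dst & ~ace.dst_wild) != (ace.dst & ~ace.dst_wild):
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if _matches(ace, proto, s, d, dport):
            return ace.action
    return "deny"


# ACL 100 as used in Part 1: FTP entry as on the page; ICMP entry assumed to use PC2's /27.
ACL_100 = [
    parse_ace("access-list 100 permit tcp 172.22.34.66 0.0.0.31 host 172.22.34.62 eq ftp"),
    parse_ace("access-list 100 permit icmp 172.22.34.64 0.0.0.31 host 172.22.34.62"),
]
# Named ACL HTTP-ONLY exactly as entered in Part 2.
HTTP_ONLY = [
    parse_ace("permit tcp 172.22.34.98 0.0.0.15 host 172.22.34.62 eq www"),
    parse_ace("permit icmp 172.22.34.98 0.0.0.15 host 172.22.34.62"),
]

if __name__ == "__main__":
    print("PC2 FTP to server:", evaluate(ACL_100, "tcp", "172.22.34.66", "172.22.34.62", 21))
    print("PC2 HTTP to server:", evaluate(ACL_100, "tcp", "172.22.34.66", "172.22.34.62", 80))
    print("PC1 HTTP to server:", evaluate(HTTP_ONLY, "tcp", "172.22.34.98", "172.22.34.62", 80))
```

The model covers only what the lab uses (protocol, source, destination, a single destination port); it has no notion of established flags, port ranges or ICMP types, and it evaluates a list in isolation, so it says nothing about which interface and direction the list is bound to.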

Practical 4
Aim: Configure IP ACLs to Mitigate Attacks.
Table:
Device   Interface      IP Address     Subnet Mask        Default Gateway   Switch Port
R1       G0/1           192.168.1.1    255.255.255.0      N/A               S1 F0/5
         S0/0/0 (DCE)   10.1.1.1       255.255.255.252    N/A               N/A
R2       S0/0/0         10.1.1.2       255.255.255.252    N/A               N/A
         S0/0/1 (DCE)   10.2.2.2       255.255.255.252    N/A               N/A
         Lo0            192.168.2.1    255.255.255.0      N/A               N/A
R3       G0/1           192.168.3.1    255.255.255.0      N/A               S3 F0/5
         S0/0/1         10.2.2.1       255.255.255.252    N/A               N/A
PC-A     NIC            192.168.1.3    255.255.255.0      192.168.1.1       S1 F0/6
PC-C     NIC            192.168.3.3    255.255.255.0      192.168.3.1       S3 F0/18

(Configuration screenshots omitted.) The SSH password used in this practical is ciscosshpa55.

Practical 5
Aim: Configuring a Zone-Based Policy Firewall

Table: (addressing table not reproduced)

Enable the security technology package on R3, save and reload, then build the zones, the class-map, the policy-map and the zone-pair:
r3(config)# license boot module c1900 technology-package securityk9
ACCEPT? [yes/no]: yes
r3#write
Building configuration... [OK]
r3#reload

r3(config)#zone security IN-ZONE
r3(config-sec-zone)#exit
r3(config)#zone security OUT-ZONE
r3(config-sec-zone)#exit
r3(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 any
r3(config)#class-map type inspect match-all IN-NET-CLASS-MAP
r3(config-cmap)#match access-group 101
r3(config-cmap)#exit
r3(config)#policy-map type inspect IN-2-OUT-PMAP
r3(config-pmap)#class type inspect IN-NET-CLASS-MAP
r3(config-pmap-c)#exit
r3(config-pmap)#exit
r3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
r3(config-sec-zone-pair)#

r2>ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/10 ms

Note on the ping: defining zones, a class-map and a zone-pair does not change forwarding by itself. Until the policy-map's class carries an inspect action, that policy is attached to the zone-pair as its service-policy, and G0/1 and S0/0/1 are made members of IN-ZONE and OUT-ZONE, R3 forwards exactly as before, which is why this ping from R2 (the outside) to PC-C succeeds. Once those pieces are in place, traffic initiated from IN-ZONE toward OUT-ZONE is inspected and its return traffic allowed back, while unsolicited traffic from OUT-ZONE to IN-ZONE, including this ping, is dropped because no zone-pair exists in that direction.
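The forwarding rules that make the zone-pair above a default-deny firewall, as an added example that is not part of the lab or of any Cisco code. The model assumes the steps the transcript does not show (an inspect action on class IN-NET-CLASS-MAP, that policy attached to IN-2-OUT-ZPAIR with service-policy, and G0/1 and S0/0/1 made members of IN-ZONE and OUT-ZONE); the interface-to-zone table, the class-map's network and the sample flows are constructed from the lab's addressing (PC-C 192.168.3.3, R2 10.2.2.2).

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of R3's zone-based firewall (example code, not IOS). Assumed to be
# applied after the transcript's last command: zone membership and an inspect policy.
ZONE_OF_INTERFACE = {"g0/1": "IN-ZONE", "s0/0/1": "OUT-ZONE"}
INSIDE_NET = ipaddress.ip_network("192.168.3.0/24")  # access-list 101 permit ip 192.168.3.0 0.0.0.255 any
ZONE_PAIRS = {("IN-ZONE", "OUT-ZONE"): "inspect"}     # no pair exists for OUT-ZONE -> IN-ZONE


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.src, self.dport, self.sport)


class ZoneFirewall:
    """Applies the ZBF forwarding rules to one packet at a time and keeps the session table
    that 'inspect' builds, so replies to sessions opened from inside are let back in."""

    def __init__(self) -> None:
        self.sessions = set()

    def forward(self, in_if: str, out_if: str, flow: Flow) -> str:
        src_zone = ZONE_OF_INTERFACE.get(in_if)
        dst_zone = ZONE_OF_INTERFACE.get(out_if)
        if src_zone == dst_zone:                      # same zone (or both unzoned): allowed
            return "pass"
        if src_zone is None or dst_zone is None:      # zoned <-> unzoned interface: dropped
            return "drop"
        if flow.reverse() in self.sessions:           # reply to an inspected session
            return "pass"
        action = ZONE_PAIRS.get((src_zone, dst_zone))
        if action == "inspect" and ipaddress.ip_address(flow.src) in INSIDE_NET:
            self.sessions.add(flow)                   # class-map matched: open a session
            return "inspect"
        return "drop"                                 # no zone-pair, or class-default


if __name__ == "__main__":
    fw = ZoneFirewall()
    r2_ping = Flow("icmp", "10.2.2.2", "192.168.3.3")
    print("R2 ping to PC-C from outside:", fw.forward("s0/0/1", "g0/1", r2_ping))
    web = Flow("tcp", "192.168.3.3", "10.2.2.2", 40000, 80)
    print("PC-C web request outbound:", fw.forward("g0/1", "s0/0/1", web))
    print("web reply inbound:", fw.forward("s0/0/1", "g0/1", web.reverse()))
```

The session table keys on protocol, addresses and ports only; for ICMP, which has no ports, IOS additionally tracks identifier and sequence and ages entries out, so an outside host cannot ride an inside host's earlier ping indefinitely as this simplified model would allow.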

Practical 6
Aim: Configure IOS Intrusion Prevention System (IPS) Using the CLI

P a g e 33
TYIT_603_RUGVED

P a g e 34
TYIT_603_RUGVED

P a g e 35
TYIT_603_RUGVED

P a g e 36
TYIT_603_RUGVED

P a g e 37
TYIT_603_RUGVED

Step 1: Verify network communication.
a. Ping from PC-C to PC-A; the ping should succeed.
b. Ping from PC-A to PC-C; the ping should succeed.

Step 2: Go to the R1 CLI and enable the security technology package.
R1(config)# license boot module c1900 technology-package securityk9
Accept the licence agreement with yes, exit configuration mode, save and reload.
R1#write
Building configuration...
[OK]
R1#reload
Proceed with reload? [confirm]
(press Enter)

Step 3: Make a directory.
On R1, make a directory in flash using the mkdir command and name it ipsdir.
R1#mkdir
Create directory filename [mkdir]?ipsdir
Created dir flash:ipsdir

Step 4: Configure the IPS signature storage location.
On R1, point the IPS signature storage location at the directory just created, name the IPS rule, send alerts to syslog, and retire every signature except the ios_ips basic category.
R1(config)#ip ips config location flash:ipsdir
R1(config)#ip ips name iosips
R1(config)#ip ips notify log
R1(config)#service timestamps log datetime msec
R1(config)#logging host 192.168.1.50
R1(config)#ip ips signature-category
R1(config-ips-category)#category all
R1(config-ips-category-action)#retired true
R1(config-ips-category-action)#exit
R1(config-ips-category)#category ios_ips basic
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#exit
R1(config-ips-category)#exit
Do you want to accept these changes? [confirm]
Applying Category configuration to signatures ...
%IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 6 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 30 ms - packets for this engine will be scanned

Step 5: Unretire and enable signature 2004 (subsignature 0, ICMP echo request) and give it two actions: raise an alert and drop the packet inline.
R1(config-if)#exit
R1(config)#ip ips signature-definition
R1(config-sigdef)#signature 2004 0
R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#retired false
R1(config-sigdef-sig-status)#enable true
R1(config-sigdef-sig-status)#exit
R1(config-sigdef-sig)#engine
R1(config-sigdef-sig-engine)#event-action produce-alert
R1(config-sigdef-sig-engine)#event-action deny-packet-inline
R1(config-sigdef-sig-engine)#exit
R1(config-sigdef-sig)#exit
R1(config-sigdef)#exit
Do you want to accept these changes? [confirm]
%IPS-6-ENGINE_BUILDS_STARTED:
%IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms
R1(config)#do show ip ips all
(output screenshot omitted)

With deny-packet-inline active, echo requests entering the interface the iosips rule is applied to are dropped, so the ping that succeeded in Step 1 now fails in that direction and an IPS alert for signature 2004 is sent to the syslog host at 192.168.1.50.

Practical 7
Aim: Layer 2 Security

A. Assign the central switch as the root bridge.
B. Secure the spanning-tree parameters to prevent STP manipulation attacks.

Step 1: On Central, make it the primary root for VLAN 1.
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#spanning-tree vlan 1 root primary
Switch(config)#end

Step 2: On SW-1, make it the secondary root and enable root guard on f0/23-24, so that a switch introduced on those ports cannot become root: a port that receives a superior BPDU goes into the root-inconsistent state until the BPDUs stop.
SW-1>en
SW-1#sh spanning-tree
SW-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW-1(config)#spanning-tree vlan 1 root secondary
SW-1(config)#interface range f0/23-24
SW-1(config-if-range)#spanning-tree guard root
SW-1(config-if-range)#end
SW-1#
%SYS-5-CONFIG_I: Configured from console by console
SW-1#show spanning-tree

Step 4: On SW-A and SW-B, enable PortFast on the PC-facing ports, enable port security on all access ports, and shut down the unused ports.
SW-A
SW-A(config)#interface range f0/1-4
SW-A(config-if-range)#spanning-tree portfast
SW-A(config-if-range)#interface range f0/1-22
SW-A(config-if-range)#switchport mode access
SW-A(config-if-range)#switchport port-security
SW-A(config-if-range)#switchport port-security maximum 2
SW-A(config-if-range)#switchport port-security violation shutdown
SW-A(config-if-range)#switchport port-security mac-address sticky
SW-A(config-if-range)#interface range f0/5-22
SW-A(config-if-range)#shutdown
SW-A#show port-security interface f0/1

SW-B (same commands)
SW-B(config)#interface range f0/1-4
SW-B(config-if-range)#spanning-tree portfast
SW-B(config-if-range)#interface range f0/1-22
SW-B(config-if-range)#switchport mode access
SW-B(config-if-range)#switchport port-security
SW-B(config-if-range)#switchport port-security maximum 2
SW-B(config-if-range)#switchport port-security violation shutdown
SW-B(config-if-range)#switchport port-security mac-address sticky
SW-B(config-if-range)#interface range f0/5-22
SW-B(config-if-range)#shutdown
SW-B#show port-security interface f0/1

Two caveats. PortFast only skips the listening and learning states; it does not stop a device plugged into an access port from sending BPDUs, so it is normally paired with BPDU guard. Sticky MAC addresses are learned into the running configuration, so save the configuration once the legitimate hosts have been learned; a violation with the shutdown mode puts the port into err-disabled, and it stays there until an administrator bounces it with shutdown and no shutdown.

Output: (screenshot omitted)

Practical 8
Aim: Implement Layer 2 VLAN Security.

Configure the switch using the following commands:

Switch(config)#vlan 10
Switch(config-vlan)#name arealToffice
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name arealTprod
Switch(config-vlan)#exit
Switch(config)#vlan 200
Switch(config-vlan)#name arealTmgmt
Switch(config-vlan)#exit
Switch(config)#exit
Switch#

Verify the VLANs (Name, Status, Ports) on the switch:
Switch#show vlan

Assign the management port and the trunk:
Switch(config)#int fa0/2
Switch(config-if)#switchport access vlan 200
Switch(config-if)#switchport mode access
Switch(config-if)#int fa0/1
Switch(config-if)#switchport trunk native vlan 30
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport nonegotiate

Setting the native VLAN to an otherwise unused VLAN (30 here, rather than the default VLAN 1) and disabling DTP with switchport nonegotiate are the two trunk settings that blunt VLAN hopping: untagged frames no longer land in a VLAN that carries hosts, and an attached host cannot negotiate the port into a trunk.

Go to the router and create the ACLs and the sub-interfaces:
Router(config)#access-list 101 deny ip 192.168.200.0 0.0.0.255 any
Router(config)#access-list 101 permit ip any any
Router(config)#access-list 102 permit ip host 192.168.200.10 any
Router(config)#int g0/0.10
Router(config-subif)#description arealToffice
Router(config-subif)#no ip address
Router(config-subif)#ip access-group 101 in
Router(config-subif)#int g0/0.20
Router(config-subif)#description arealTprod
Router(config-subif)#no ip address
Router(config-subif)#ip access-group 101 in
Router(config-subif)#int g0/0.200
Router(config-subif)#description arealTmgmt
Router(config-subif)#encapsulation dot1Q 200
Router(config-subif)#ip address 192.168.200.1 255.255.255.0

ACL 101 drops any packet that arrives on the office or production sub-interfaces claiming a source address in the management VLAN's 192.168.200.0/24, so a host on VLAN 10 or 20 cannot spoof a management address; everything else is permitted. ACL 102 permits only the management host 192.168.200.10 and, like any ACL, has no effect until it is applied to an interface with ip access-group.

Verify the configuration:
1) Check connectivity from PC0 to the router; it should succeed.
PC0>ping 192.168.200.1
2) Check connectivity from PC1 to the router; it should fail, i.e. be blocked.

P a g e 46

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy