
19 thg 9, 2012

CÁC BÀI LAB XÂY DỰNG HỆ THỐNG AN NINH FIREWALL


LAB 9 : CCNAS_Chp9_PTActA_Secure-Network

PC_A
NTP server (192.168.1.5): bật Authentication, Key 1, Password ciscontppa55 — phải khớp đúng với `ntp authentication-key 1 md5 ciscontppa55` trên R1, nếu không R1 sẽ không đồng bộ được giờ.
======================
Admin01
Admin01pa55


! --- Lab 9, R1: AAA, classic (CBAC) firewall, authenticated NTP, syslog, management hardening ---
R1(config)#aaa new-model
! NOTE(review): "none" as the fallback method means that if the local database
! cannot be consulted at all (e.g. no usernames defined), logins are admitted
! without any authentication. Tolerable in a lab; drop "none" in production.
R1(config)#aaa authentication login default local none

! Inbound ACL for the outside interface: everything is denied statically; return
! traffic gets in only through the dynamic entries CBAC creates (see ip inspect).
R1(config)#ip access-list extended OUT-IN
R1(config-ext-nacl)#deny ip any any

R1(config)#banner motd "No Unauthorized Access!"

R1(config)#line console 0
R1(config-line)#password ciscoconpa55
R1(config-line)#logging synchronous
! exec-timeout <minutes> [seconds]: "05" is a 5-minute idle timeout.
R1(config-line)#exec-timeout 05

R1(config)#enable secret ciscoenpa55

! Stateful inspection for exactly three protocols. Anything else initiated from
! inside (DNS, HTTPS, ...) will have its replies dropped by OUT-IN.
R1(config)#ip inspect name IN-OUT-IN icmp
R1(config)#ip inspect name IN-OUT-IN http
R1(config)#ip inspect name IN-OUT-IN telnet

R1(config)#service timestamps log datetime msec

! Authenticated NTP: key 1 must match the server's key string byte for byte and
! must be listed as trusted. MD5 is what this lab uses; prefer sha1/sha2 key
! types where the platform offers them.
R1(config)#ntp authenticate
R1(config)#ntp authentication-key 1 md5 ciscontppa55
R1(config)#ntp server 192.168.1.5 key 1
R1(config)#ntp trusted-key 1
R1(config)#ntp update-calendar

! ACL inbound + inspection outbound on the WAN-facing interface.
R1(config)#in s0/0/0
R1(config-if)#ip access-group OUT-IN in
R1(config-if)#ip inspect IN-OUT-IN out

! service password-encryption only obfuscates the line passwords (type 7,
! trivially reversible); the "secret" values above are hashed instead.
! min-length is enforced on passwords set AFTER this command, not retroactively.
R1(config)#service password-encryption
R1(config)#security passwords min-length 10

! Remote syslog at level 7 (debugging) forwards everything, including debug
! output, over cleartext UDP. Informational (6) is the usual production setting.
R1(config)#logging host 192.168.1.6
R1(config)#logging trap debugging

R1(config)#username Admin01 privilege 15 secret Admin01pa55

! With aaa new-model, the line password is not what authenticates VTY users - the
! "default" AAA list (local) does. No "transport input ssh" is set on R1, so
! Telnet (cleartext) remains allowed here; compare R3.
R1(config)#line vty 0 4
R1(config-line)#password ciscovtypa55
R1(config-line)#exec-timeout 05
R1(config-line)# login authentication default
=============================

! --- Lab 9, R3: AAA, zone-based firewall, SSH-only management ---
R3(config)#aaa new-model
! NOTE(review): same caveat as R1 - "none" admits logins with no password when
! the local database is unavailable. Remove it outside the lab.
R3(config)#aaa authentication login default local none

! Only traffic sourced from the inside LAN is selected for inspection.
R3(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 any
R3(config)#banner motd "No Unauthorized Access!"

R3(config)#class-map type inspect match-all IN-NET-CLASS-MAP
R3(config-cmap)#match access-group 101

R3(config)#line console 0
R3(config-line)#password ciscoconpa55
R3(config-line)#logging synchronous
R3(config-line)#exec-timeout 05

R3(config)#enable secret ciscoenpa55

! Required before "crypto key generate rsa": the host key is named host.domain.
R3(config)#ip domain-name ccnasecurity.com

! Inspect (stateful) everything the class matches.
R3(config)#policy-map type inspect IN-2-OUT-PMAP
R3(config-pmap)#CLAss type inspect IN-NET-CLASS-MAP
R3(config-pmap-c)#inspect

! NOTE(review): on a real router the "zone security IN-ZONE / OUT-ZONE" commands
! listed further down must be entered BEFORE these zone-member lines - a zone
! cannot be referenced until it exists. The order here is note-taking order.
R3(config)#in f0/1
R3(config-if)#zone-member security IN-ZONE
R3(config)#in s0/0/1
R3(config-if)#zone-member security OUT-ZONE

R3(config)#service password-encryption
R3(config)#security passwords min-length 10

R3(config)#username Admin01 privilege 15 secret Admin01pa55

! NOTE(review): a 1024-bit RSA host key is below current guidance; use 2048 or
! larger. SSHv2 only, 2 login attempts, 90 s negotiation timeout.
R3(config)#crypto key generate rsa
1024
R3(config)#ip ssh authentication-retries 2
R3(config)#ip ssh time-out 90
R3(config)#ip ssh version 2

! "login" here is superseded by aaa new-model (the default list authenticates
! VTY users against the local database). "transport input ssh" disables Telnet.
R3(config)#line vty 0 4
R3(config-line)#password ciscovtypa55
R3(config-line)#login
R3(config-line)#exec-timeout 05
R3(config-line)#transport input ssh

! Only the IN->OUT zone pair exists, so anything initiated from OUT-ZONE toward
! IN-ZONE is dropped by default. Traffic to/from the router itself (self zone)
! is not governed by this policy.
R3(config)# zone security IN-ZONE
R3(config)# zone security OUT-ZONE
R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-sec-zone-pair)#SErvice-policy type inspect IN-2-OUT-PMAP

===========================
ciscoconpa55
ciscoenpa55
ciscovtypa55

! --- Lab 9, S1: management hardening and Layer 2 protections ---
S1(config)#line console 0
S1(config-line)#password ciscoconpa55
S1(config-line)#login
S1(config-line)#logging synchronous
S1(config-line)#exec-timeout 05

S1(config)#enable secret ciscoenpa55
! Obfuscates the line passwords (type 7, reversible) - not real encryption.
S1(config)#service password-encryption

! NOTE(review): only vty 0 is configured. Lines with no password are refused by
! IOS by default, but configuring "line vty 0 15" consistently (and, once SSH is
! set up, "transport input ssh") is the safer habit.
S1(config)#line vty 0
S1(config-line)#password ciscovtypa55
S1(config-line)#login
S1(config-line)#exec-timeout 05

! Trunk: DTP disabled (nonegotiate), broadcast storm limit, and VLAN 99 as the
! native VLAN so untagged frames do not land in VLAN 1. VLAN 99 should carry no
! users; consider also "switchport trunk allowed vlan ...".
S1(config)#in f0/1
S1(config-if)#switchport mode trunk
S1(config-if)#switchport nonegotiate
S1(config-if)#storm-control broadcast level 50
S1(config-if)#switchport trunk native vlan 99

! Access port: port security (defaults - max 1 MAC, violation shutdown), the
! PC's MAC pinned as sticky, PortFast + BPDU Guard so a rogue switch sending
! BPDUs err-disables the port.
S1(config)#in f0/5
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security
S1(config-if)# spanning-tree portfast
S1(config-if)# spanning-tree bpduguard enable
S1(config-if)# switchport port-security mac-address sticky
S1(config-if)#switchport port-security mac-address sticky 0001.42CB.A602

S1(config)#in f0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#switchport port-security mac-address sticky 0060.4714.358B
S1(config-if)# spanning-tree bpduguard enable
S1(config-if)# spanning-tree portfast

! Unused ports administratively down (consider also parking them in an unused VLAN).
S1(config)#interface range f0/7 -24
S1(config-if-range)#shutdown

S1(config)#in range f0/2-4
S1(config-if-range)#shutdown

S1(config)#interface range gigabitEthernet 1/1 -2
S1(config-if-range)#shutdown
==============================

! --- Lab 9, S2: same hardening pattern as S1 ---
! Unused ports administratively down.
S2(config)#interface range f0/19 -24
S2(config-if-range)#shutdown

S2(config)#interface range f0/2 -17
S2(config-if-range)#shutdown

S2(config)#interface range gigabitEthernet 1/1 -2
S2(config-if-range)#shutdown

S2(config)#line console 0
S2(config-line)#password ciscoconpa55
S2(config-line)#login
S2(config-line)#logging synchronous
S2(config-line)#exec-timeout 05
! "enable secret" is a global command typed here from line mode; IOS normally
! accepts that (the parser drops back to global config), but enter it at
! S2(config)# to be safe - TODO confirm in Packet Tracer.
S2(config-line)#enable secret ciscoenpa55

! NOTE(review): only vty 0 configured - see S1 note; prefer "line vty 0 15".
S2(config)#line vty 0
S2(config-line)#password ciscovtypa55
S2(config-line)#login
S2(config-line)#exec-timeout 05

! Type 7 obfuscation of line passwords only.
S2(config)#service password-encryption

! Trunk hardening: no DTP, broadcast storm limit, unused VLAN 99 as native.
S2(config)#in f0/1
S2(config-if)#
S2(config-if)#switchport mode trunk
S2(config-if)#switchport nonegotiate
S2(config-if)#storm-control broadcast level 50
S2(config-if)#switchport trunk native vlan 99

! Access port: port security with the host MAC pinned sticky, BPDU Guard + PortFast.
S2(config)#in f0/18
S2(config-if)#switchport mode access
S2(config-if)# switchport port-security
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#switchport port-security mac-address sticky 0001.435D.AAAA
S2(config-if)#spanning-tree bpduguard enable
S2(config-if)#spanning-tree portfast
============================
! --- Lab 9, S3: same hardening pattern as S1/S2 (abbreviated commands:
! --- "in ra" = interface range, "sh" = shutdown) ---
S3(config)#in ra gigabitEthernet 1/1 -2
S3(config-if-range)#sh

S3(config)# in range f0/7 -24
S3(config-if-range)#shutdown

! NOTE: f0/1-4 are all shut here, so S3 has no trunk configured in these notes;
! only f0/5 and f0/6 stay up.
S3(config)#in ra f0/1 -4
S3(config-if-range)#shutdown

! Access ports: port security with the host MAC pinned sticky, BPDU Guard + PortFast.
S3(config)#in f0/5
S3(config-if)#switchport mode access
S3(config-if)#switchport port-security
S3(config-if)#switchport port-security mac-address sticky
S3(config-if)#switchport port-security mac-address sticky 0030.F201.7802
S3(config-if)#spanning-tree bpduguard enable
S3(config-if)#spanning-tree portfast

S3(config)#in f0/6
S3(config-if)#switchport mode access
S3(config-if)# switchport port-security
S3(config-if)#switchport port-security mac-address sticky
S3(config-if)#switchport port-security mac-address sticky 00E0.8F17.C053
S3(config-if)#spanning-tree bpduguard enable
S3(config-if)#spanning-tree portfast

S3(config)#line console 0
S3(config-line)#password ciscoconpa55
S3(config-line)#login
S3(config-line)#logging synchronous
S3(config-line)#exec-timeout 05

! Type 7 obfuscation of line passwords only; the enable secret is hashed.
S3(config)#service password-encryption
S3(config)#enable secret ciscoenpa55

! NOTE(review): only vty 0 configured - see S1 note; prefer "line vty 0 15".
S3(config)#line vty 0
S3(config-line)#password ciscovtypa55
S3(config-line)#login
S3(config-line)#exec-timeout 05

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
LAB 8: CCNAS_Chp8_PTActA_Site-to-Site-IPsec-VPN
1. Trên file .pka (bài Packet Tracer) — mẫu cấu hình chung, nhập trên CẢ HAI router, đảo địa chỉ peer, chiều ACL và cổng ra.

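! --- Lab 8 (pka): site-to-site IPsec template. Enter on BOTH peers, swapping
! --- the peer address, the ACL direction and the outbound interface. ---
! IKE phase 1 (ISAKMP) policy.
Router(config)#crypto isakmp enable
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption aes 256
! NOTE(review): "hash sha" is SHA-1 and "group 2" is 1024-bit DH; both are below
! current guidance. Where the platform allows it prefer sha256 and group 14 or
! higher. The lab answer key is kept unchanged here.
Router(config-isakmp)#hash sha
Router(config-isakmp)#group 2
Router(config-isakmp)#lifetime 3600

! Pre-shared key; "address" is the REMOTE peer's WAN address. A dictionary word
! like cisco123 is only acceptable in a lab - use a long random PSK (or
! certificates) in production. The PSK must be identical on both peers.
Router(config)#crypto isakmp key cisco123 address 10.10.10.11
! IKE phase 2 (IPsec) transform set: ESP with AES-256 and SHA-1 HMAC.
Router(config)#crypto ipsec transform-set MYSEC esp-aes 256 esp-sha-hmac

Router(config)#crypto ipsec security-association lifetime seconds 1800
! "Interesting" traffic: local LAN -> remote LAN. The remote peer needs the
! mirror image (172.16.2.0 -> 172.16.1.0) or phase 2 will not negotiate.
Router(config)#access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

Router(config)#crypto map MYMAP 10 ipsec-isakmp
Router(config-crypto-map)#match address 101
Router(config-crypto-map)# set peer 10.10.10.11
! PFS forces a fresh DH exchange per IPsec SA; the group must match on both sides.
Router(config-crypto-map)#set pfs group2
Router(config-crypto-map)#set transform-set MYSEC
Router(config-crypto-map)#set security-association lifetime seconds 900

! Bind the crypto map to the outbound (WAN-facing) interface.
Router(config)#in s0/0/0
Router(config-if)#crypto map MYMAP

! Verification (exec mode).
Router#show crypto ipsec sa
Router#show crypto isakmp sa
Router#show crypto isakmp policy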
=======================================
2. Theo mô hình



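! --- Lab 8, topology variant: R1 side of the VPN. The "Far end:" notes give
! --- the values to use on the remote router. ---
! Interesting traffic; the far end mirrors it:
!   access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R1(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
! "encryption aes" with no key size is AES-128; no "hash" line is given, so the
! platform default (SHA-1) applies. Group 2 is 1024-bit DH - weak by current guidance.
R1(config-isakmp)#encryption aes
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400

! Far end: crypto isakmp key vpnpa55 address 10.1.1.2
! (the "address" is always the OTHER router's WAN address; same PSK on both.)
R1(config)#crypto isakmp key vpnpa55 address 10.2.2.2
! NOTE(review): 3DES is deprecated (64-bit block; Sweet32). The lab answer key
! uses it; esp-aes 256 is the safer choice where permitted.
R1(config)#crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac

R1(config)#crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)#match address 110
! Far end: set peer 10.1.1.2
R1(config-crypto-map)#set peer 10.2.2.2
R1(config-crypto-map)#set transform-set VPN-SET

! Far end applies its crypto map on s0/0/1 (its WAN interface).
R1(config)#in s0/0/0
R1(config-if)#crypto map VPN-MAP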

R2 (router đầu xa, phía mạng 192.168.3.0/24): cấu hình tương tự, thay bằng các giá trị ghi trong chú thích // ở trên — ACL đảo chiều (192.168.3.0 → 192.168.1.0), peer 10.1.1.2, cùng PSK vpnpa55 và cùng transform-set, áp crypto map lên cổng s0/0/1.




========================================================================
3. Theo mô hình Lab IPsec VPN site to site
Bước 1: Cấu hình địa chỉ
! --- Step 1: addressing. Loopbacks stand in for the two protected LANs
! --- (172.16.1.0/24 on R1, 172.16.3.0/24 on R3); R2 is the untrusted transit. ---
R1(config)# interface loopback0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface fastethernet0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config-if)# no shutdown

R2(config)# interface fastethernet0/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial0/0/1
R2(config-if)# ip address 192.168.23.2 255.255.255.0
! DCE side of the serial link provides the clock.
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown

R3(config)# interface loopback0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial0/0/1
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config-if)# no shutdown

Bước 2: Cấu hình định tuyến EIGRP
! --- Step 2: EIGRP so the peers and the loopback networks are reachable. ---
! NOTE(review): EIGRP runs unauthenticated here, so the transit router could
! inject routes; in a real deployment add MD5/SHA key-chain authentication
! (or, better, do not run a dynamic routing protocol with the untrusted side).
R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0
R1(config-router)# network 192.168.12.0

R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0

R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0
R3(config-router)# network 192.168.23.0

Bước 3: Tạo các IKE policy
! --- Step 3: IKE phase 1 policy, identical on both peers (AES-256, SHA-1,
! --- DH group 5 = 1536-bit, PSK auth, 1-hour lifetime). ---
! NOTE(review): SHA-1 and group 5 are the lab values; prefer sha256 and group 14+
! where the platform supports them.
R1(config)# crypto isakmp enable
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 3600

R3(config)# crypto isakmp enable
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 3600

Bước 4: Cấu hình các Pre-Shared Key
! --- Step 4: pre-shared key, bound to the OTHER peer's WAN address. ---
! NOTE(review): "cisco" is a 5-character dictionary word; an attacker capturing
! the IKE exchange can brute-force it offline. Use a long random PSK.
R1(config)# crypto isakmp key cisco address 192.168.23.3
R3(config)# crypto isakmp key cisco address 192.168.12.1

Bước 5: Cấu hình transform set IPsec và lifetime
! --- Step 5: IPsec transform set (named "50") and global SA lifetime. ---
! ESP-AES-256 + ESP-SHA-HMAC already gives confidentiality and integrity; adding
! AH (ah-sha-hmac) also authenticates the outer IP header, but AH cannot
! traverse NAT. Fine on this NAT-free topology.
R1(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
R1(config)# crypto ipsec security-association lifetime seconds 1800

R3(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
R3(config)# crypto ipsec security-association lifetime seconds 1800

Bước 6: Xác định lưu lượng cần quan tâm
! --- Step 6: interesting traffic - exact mirror images on the two peers. Only
! --- loopback-to-loopback traffic is encrypted; anything else (e.g. a Telnet
! --- to 192.168.23.3) leaves in cleartext. ---
R1(config)# access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
R3(config)# access-list 101 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255

Bước 7: Tạo và áp dụng các crypto map
! --- Step 7a: crypto maps. PFS group 5 must match on both sides; the per-map
! --- SA lifetime (900 s) overrides the global 1800 s set in step 5. ---
R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# set peer 192.168.23.3
R1(config-crypto-map)# set pfs group5
R1(config-crypto-map)# set transform-set 50
R1(config-crypto-map)# set security-association lifetime seconds 900

R3(config)# crypto map MYMAP 10 ipsec-isakmp
R3(config-crypto-map)# match address 101
R3(config-crypto-map)# set peer 192.168.12.1
R3(config-crypto-map)# set pfs group5
R3(config-crypto-map)# set transform-set 50
R3(config-crypto-map)# set security-association lifetime seconds 900

 Áp dụng các crypto map vào các cổng router

! --- Step 7b: bind the crypto map to the interface that faces the peer (the
! --- one whose address was given as "set peer" on the other side). ---
R1(config)# interface fastethernet0/0
R1(config-if)# crypto map MYMAP

R3(config)# interface serial0/0/1
R3(config-if)# crypto map MYMAP

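! Verification (exec mode). After interesting traffic is sent, the ISAKMP SA
! should be in state QM_IDLE and the "#pkts encaps/decaps" counters in
! "show crypto ipsec sa" should increase; before that the tunnel stays down.
show crypto ipsec transform-set
show crypto map
show crypto isakmp sa
show crypto ipsec sa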


Kiểm tra quá trình mã hoá gói tin
Từ R1 ta tiến hành telnet qua R3, đồng thời dùng Wireshark bắt gói tin trên đường truyền giữa hai router. Lưu ý: ACL 101 chỉ chọn lưu lượng giữa 172.16.1.0/24 và 172.16.3.0/24, nên phiên telnet phải xuất phát từ loopback của R1 tới loopback của R3 (ví dụ `telnet 172.16.3.1 /source-interface loopback0`); nếu telnet thẳng tới 192.168.23.3 thì lưu lượng không khớp crypto map và sẽ đi ở dạng rõ (cleartext). Khi đúng, bản bắt gói chỉ cho thấy các gói IPsec (AH/ESP) giữa 192.168.12.1 và 192.168.23.3, không thấy TCP cổng 23 hay nội dung phiên telnet.

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
LAB 5  : CCNAS_Chp5_PTActA_IPS

ciscoenpa55

! --- Lab 5, R1: IOS IPS ---
! Set the clock first so IPS alerts and syslog entries carry a usable timestamp.
R1#clock set 02:35:00 06 september 2012
! Flash directory that will hold the IPS configuration/signature files.
R1#mkdir ipsdir

R1(config)#ip ips name iosips
! Send IPS alerts through syslog to the host below (filtered by "logging trap").
R1(config)#ip ips notify log
R1(config)#logging host 192.168.1.50
R1(config)#service timestamps log datetime msec
R1(config)#ip ips config location flash:ipsdir
! The rule is applied OUTBOUND on f0/0: only traffic leaving via f0/0 is
! inspected; traffic arriving on f0/0 is not.
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ips iosips out

! Retire every signature, then un-retire only the small "ios_ips basic"
! category - loading the full set can exhaust memory on a small router.
R1(config)#ip ips signature-category
R1(config-ips-category)#category all
R1(config-ips-category-action)#retired true
R1(config-ips-category-action)#exit
R1(config-ips-category)#category ios_ips basic
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#exi
R1(config-ips-category)#exi

! Tune signature 2004 subsig 0 (ICMP echo request in Cisco's signature set) so
! it is active and both raises an alert and drops the matching packet.
R1(config)#ip ips signature-definition
R1(config-sigdef)#signature 2004 0
R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#enabled true
R1(config-sigdef-sig-status)#retired false
R1(config-sigdef-sig-status)#exit
R1(config-sigdef-sig)#engine
R1(config-sigdef-sig-engine)#event-action produce-alert
R1(config-sigdef-sig-engine)#event-action deny-packet-inline

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
LAB 3 : CCNAS_Chp3_PTActA _AAA

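! --- Lab 3, R1: local AAA for console and VTY ---
R1>en
Password: ciscoenpa55

! NOTE(review): "username ... password" stores the password reversibly (type 7
! once service password-encryption is on). Prefer
! "username Admin1 secret admin1pa55" so it is hashed.
R1(config)#username Admin1 password admin1pa55
R1(config)#aaa new-model
! No "none" fallback here: if the local database cannot be used, logins are
! refused rather than admitted.
R1(config)#aaa authentication login default local

R1(config)#line console 0
R1(config-line)#login authentication default

! Console test: prompted for the local account, then for the enable secret.
Username: Admin1
Password: admin1pa55
R1>
R1>en
Password: ciscoenpa55

! Named list for the VTYs: same local method, kept separate so the remote-access
! policy can later differ from the console policy.
R1(config)#aaa authentication login TELNET-LOGIN local
R1(config)#line vty 0 4
R1(config-line)#login authentication TELNET-LOGIN

! Test from PC_A. Telnet is cleartext: every credential below crosses the wire
! unencrypted (the SSH labs replace this).
PC _A
telnet 192.168.1.1
user Admin1
pass admin1pa55
en
pass ciscoenpa55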

! --- Lab 3, R2: TACACS+ with local fallback ---
R2>en
Password: ciscoenpa55

! Local account used only when the "local" method below is reached. Same
! reversible-password caveat as R1: prefer "username admin secret ...".
R2(config)#username admin password adminpa55
! Shared key with the TACACS+ server. It is stored in the running-config (type 7
! at best), so treat the config itself as sensitive.
R2(config)#tacacs-server host 192.168.2.2
R2(config)#tacacs-server key tacacspa55
R2(config)#aaa new-model
! Method order matters: "local" is consulted only if TACACS+ returns an error
! (server unreachable) - NOT when the server rejects the credentials.
R2(config)#aaa authentication login default group tacacs+ local
R2(config)#line console 0
R2(config-line)#login authentication default

! Admin2 is not defined locally on R2 (only "admin" is), so this successful
! login proves the request was answered by the TACACS+ server.
Username:Admin2
Password: admin2pa55
R2>
R2>en
Password: ciscoenpa55
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
BAI 2 : en_Security_Chp2_ PTActA_Syslog-SSH-NTP

! --- Lab 2, R1 running-config (Packet Tracer export) ---
hostname R1
!
! Type 5 is a salted MD5 hash. Publishing it (as in these notes) invites offline
! cracking; where the IOS release supports it prefer type 8/9
! ("enable algorithm-type scrypt secret ...").
enable secret 5 $1$mERr$TfFTxE.mmb5O5BVC56ndL0
!
! NOTE(review): SSH version 1 is broken and must not be used. R1 is not actually
! reachable over SSH here (no domain-name, no RSA key, VTYs accept Telnet); only
! R3 is. If SSH is ever enabled on R1, set "ip ssh version 2".
ip ssh version 1
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
! CDP disabled: stops leaking platform/IOS version and addressing to neighbours.
no cdp run
!
! Remote syslog at level 7 (debugging) over cleartext UDP; informational is the
! usual production level.
logging trap debugging
logging 192.168.1.6
! Console has no password or login configured: physical access = EXEC access.
line con 0
! Shared line password, "login" (not "login local"), and no "transport input
! ssh": management on R1 is cleartext Telnet with a shared secret. Compare R3.
line vty 0 4
 password ciscovtypa55
 login
!
!
! "key 0" is not a valid NTP key id (they start at 1), so this association is
! effectively unauthenticated - a rogue NTP source could skew the clock and with
! it every log timestamp. Contrast Lab 9, where key 1 is configured and trusted.
ntp server 192.168.1.5 key 0
ntp update-calendar
!
end

! --- Lab 2, R2 running-config (Packet Tracer export); same caveats as R1 ---
hostname R2
!
! Type 5 (salted MD5) - identical hash to R1, i.e. the same enable secret on
! every router; one compromised device exposes all of them.
enable secret 5 $1$mERr$TfFTxE.mmb5O5BVC56ndL0
!
! NOTE(review): SSHv1 is broken; set version 2 if SSH is ever enabled on R2
! (it is not set up here - no domain-name, no RSA key).
ip ssh version 1
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 clock rate 64000
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
! Static routes to the two LANs; R2 is the transit router between R1 and R3.
ip route 192.168.1.0 255.255.255.0 10.1.1.1
ip route 192.168.3.0 255.255.255.0 10.2.2.1

no cdp run
!
! Remote syslog at debugging level over cleartext UDP.
logging trap debugging
logging 192.168.1.6
! Console unprotected; VTYs accept cleartext Telnet with a shared password.
line con 0
line vty 0 4
 password ciscovtypa55
 login
!
!
! "key 0": unauthenticated NTP (see R1 note).
ntp server 192.168.1.5 key 0
ntp update-calendar
!
end

! --- Lab 2, R3 running-config (Packet Tracer export): the only SSH-hardened router ---
hostname R3

! Type 5 (salted MD5) hash, same value as R1/R2 - same secret everywhere.
enable secret 5 $1$mERr$TfFTxE.mmb5O5BVC56ndL0
!
! SSH admin account with a hashed secret and privilege 15.
username SSHadmin privilege 15 secret 5 $1$mERr$OBJ1/J.XbT5.JhwNHVc7p/
!
! SSHv2 only, 2 authentication attempts, 90 s negotiation timeout. The domain
! name is required for the RSA host key; the "crypto key generate rsa" step
! itself does not appear in a running-config, so its modulus cannot be checked
! here (2048 bits or larger is the recommendation).
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 90
ip domain-name ccnasecurity.com
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 clock rate 64000
 shutdown
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.2.2
!
no cdp run
!
! Remote syslog at debugging level over cleartext UDP.
logging trap debugging
logging 192.168.1.6
! Console still has no authentication configured.
line con 0
! VTYs: local accounts ("login local" makes the line password irrelevant), SSH
! only, and every session lands directly at privilege 15 - acceptable only
! because the single account is already priv 15; otherwise it bypasses enable.
line vty 0 4
 password ciscovtypa55
 login local
 transport input ssh
 privilege level 15
!
! "key 0": unauthenticated NTP (see R1 note).
ntp server 192.168.1.5 key 0
ntp update-calendar
!
end
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////