I finished the CCNA Security course, and now I'm studying hard for the exams. Here you can look at the router config on which I practiced (configured): AAA, Views, Superview, SSH, NTP, antispoofing, ACLs, Zone-Based Firewall, VPN, IPS
!
! Review notes are "!" comment lines; the IOS parser drops them, so the configuration
! itself is unchanged. Points worth confirming, each detailed near the relevant section:
! reversible "password 7" credentials (enable, usernames, lines, tacacs key); zone-pair
! service policies that look swapped; telnet passed to the router from OUTSIDE with no
! vty transport restriction; a VPN transform set with no integrity transform; and
! "show running-config" granted to privilege level 5.
!
version 12.4
! Role-based CLI view: hostname (config mode), ping and every "show" command.
! Assigned to the "helpdesk" user below; the view secret is an MD5 "secret 5" hash.
parser view HELPDESK
secret 5 $1$nsI5$iD3AeQD78Nyj.5DoApLeT1
commands configure include hostname
commands exec include ping
commands exec include show
!
service timestamps debug datetime msec
service timestamps log datetime msec
! Produces the "password 7" strings below: type-7 is reversible obfuscation, not a hash.
service password-encryption
!
hostname R_B
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
! "enable secret" (MD5) takes precedence over "enable password" when both are set, so the
! type-7 enable password is redundant and only adds a reversible copy of a credential.
enable secret 5 $1$V/n6$Ex3DGVJPrOjs/IAlJ90qe0
enable password 7 14141B180F0B
!
aaa new-model
!
!
! Login authentication is the "default" list (local only). LISTA (tacacs+, then local) is
! referenced by the vty lines only for exec authorization and accounting; no line carries
! "login authentication LISTA", so tacacs+ is never consulted for logins.
aaa authentication login default local
aaa authentication login LISTA group tacacs+ local
aaa authorization exec default local
aaa authorization exec LISTA group tacacs+ local
aaa accounting exec LISTA
action-type start-stop
group tacacs+
!
!
!
aaa session-id common
memory-size iomem 15
clock timezone Buc 2
clock summer-time Buc recurring last Sun Mar 3:00 last Sun Oct 4:00
!
dot11 syslog
! IP source routing is left enabled; hardening baselines usually turn it off
! ("no ip source-route") so a sender cannot dictate the forwarding path.
ip source-route
!
!
ip cef
!
!
no ip domain lookup
ip domain name download1024.com
! IOS IPS: signature files under flash:/IPS/, SDEE event notification, rule name IOSIPS.
ip ips config location flash:/IPS/ retries 1
ip ips notify SDEE
ip ips name IOSIPS
!
! All signatures retired first, then "ios_ips advanced" and "reconnaissance" re-enabled at
! high severity with inline packet/attacker deny plus alert.
ip ips signature-category
category all
retired true
category ios_ips advanced
alert-severity high
retired false
event-action deny-packet-inline deny-attacker-inline produce-alert
category reconnaissance
alert-severity high
retired false
event-action deny-packet-inline deny-attacker-inline produce-alert
!
no ipv6 cef
! Time source is the WAN peer (also the BGP neighbor). No "ntp authenticate" or NTP key
! commands appear here, so time is unauthenticated; time feeds certificate validity
! checks, log timestamps and IPS/SDEE event ordering.
ntp server 192.168.152.1
!
multilink bundle-name authenticated
!
!
!
!
voice-card 0
!
!
! Self-signed trustpoint; presumably auto-generated for "ip http secure-server" below.
! Clients get a certificate warning unless they trust it explicitly.
crypto pki trustpoint TP-self-signed-3211923374
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3211923374
revocation-check none
rsakeypair TP-self-signed-3211923374
!
!
! Certificate body (DER, hex). Left unchanged; a certificate holds no secret material.
crypto pki certificate chain TP-self-signed-3211923374
certificate self-signed 01
30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323131 39323333 3734301E 170D3131 30393131 30393530
35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32313139
32333337 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AD68 81D00FEB 360C249E 19F07BBE 7BE8A5E4 068D486E 5B4918B5 6DAB82FC
6F101C50 7094F3FB A4349049 3DE94925 771539FF 7B9E05B0 1D90363A A570F978
70965796 25FC855A CEA4D281 2A766D7C 17A9F60C 1AD2716B 588B3362 C8F67060
B0095583 1A2B680F 2479065F 6A65A8E4 C50A806C 4E5FB88E B35B392C 91697A26
C9170203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
551D1104 11300F82 0D525F42 2E637265 6469732E 726F301F 0603551D 23041830
168014A8 1BC7CE7A 411E1004 CBA8671A 664E048F 59F0E830 1D060355 1D0E0416
0414A81B C7CE7A41 1E1004CB A8671A66 4E048F59 F0E8300D 06092A86 4886F70D
01010405 00038181 001A7EC1 49C08095 195AFFB8 5ABD3E1C FA24283F CA2EBF76
AA7ED965 AB11007B AA583399 9DBFA9A4 1D455DB3 FC297B38 3843868E A719F253
A12EEF80 E1384290 DC9C5E71 6944283B 4A7535EB 6C12CCBB 8A8C2D48 0F9F1ACC
47CFD99F 2A8BB2B5 316B8BBF 20728C36 4D959C5F 55A5E362 E63544B6 0D9CF7C2
F8F589BD DC452046 EC
quit
!
!
! Local users. "cisco" and "http" are privilege 15 with reversible type-7 passwords.
! "level5" (privilege 5) can read the running config through the privilege commands near
! the end of this file, which exposes every type-7 string here. "helpdesk" is confined to
! the HELPDESK view and uses an MD5 secret.
username cisco privilege 15 password 7 030752180500
username level5 privilege 5 password 7 082D49580C1550
username helpdesk view HELPDESK secret 5 $1$P53B$c1fVrRpdDvEzhGkYtl2vi.
username http privilege 15 password 7 070C285F4D061A0C041104
! Configuration-change logging with keys and passwords hidden in the log entries.
archive
log config
hidekeys
!
!
! IKEv1 phase 1: 3DES, pre-shared key, DH group 2, 12-hour lifetime. The pre-shared key
! is stored in cleartext — "service password-encryption" evidently does not cover it —
! and is a trivial value.
crypto isakmp policy 110
encr 3des
authentication pre-share
group 2
lifetime 43200
crypto isakmp key cisco address 192.168.151.2
!
!
! Phase 2 transform set is esp-aes only: encryption with no ESP integrity transform
! (e.g. esp-sha-hmac), so tunnel packets are not authenticated.
crypto ipsec transform-set MYSET esp-aes
!
! Crypto map: peer 192.168.151.2, 24-hour SA lifetime, PFS with DH group 1 (weaker than
! the group 2 used in phase 1); interesting traffic is ACL 110 (10.0.152.0/24 -> 10.0.151.0/24).
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.151.2
set security-association lifetime seconds 86400
set transform-set MYSET
set pfs group1
match address 110
!
!
! Public key "realm-cisco.pub" (signature) — presumably the Cisco key used to verify IPS
! signature packages. Hex blob left unchanged.
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
!
! SSHv2 is required for SSH sessions, but the vty lines below carry no "transport input"
! restriction in this config and the OUT-SELF policy passes telnet from OUTSIDE. Adding
! "transport input ssh" on the vty lines and removing telnet from TRAFIC_ROUTER would
! make SSH the only remote CLI path.
ip ssh version 2
!
! Zone-based firewall classes. TRAFIC_INTRARE (inbound): tftp/http/https that also
! passes the TRAFIC_OUT_IN anti-spoofing ACL (i.e. destined to host 10.0.152.11).
! TRAFIC_IESIRE (outbound): packets matching the TRAFIC_IESIRE ACL (sourced from
! 10.0.152.0/24). TRAFIC_ROUTER: bgp, telnet and icmp toward the router itself.
class-map type inspect match-all TFTP_TRAFFIC
match access-group name TRAFIC_OUT_IN
match protocol tftp
class-map type inspect match-all HTTP_TRAFFIC
match access-group name TRAFIC_OUT_IN
match protocol http
class-map type inspect match-all HTTPS_TRAFFIC
match access-group name TRAFIC_OUT_IN
match protocol https
class-map type inspect match-any TRAFIC_INTRARE
match class-map TFTP_TRAFFIC
match class-map HTTP_TRAFFIC
match class-map HTTPS_TRAFFIC
class-map type inspect match-all TRAFIC_IESIRE
match access-group name TRAFIC_IESIRE
class-map type inspect match-any TRAFIC_ROUTER
match protocol bgp
match protocol telnet
match protocol icmp
!
!
! Policies. "pass" on TRAFIC_ROUTER forwards without stateful inspection; in every
! policy anything not matched is dropped by class-default.
policy-map type inspect POL_OUT_SELF
class type inspect TRAFIC_ROUTER
pass
class class-default
drop
policy-map type inspect POL_IN_OUT
class type inspect TRAFIC_IESIRE
inspect
class class-default
drop
policy-map type inspect POL_OUT_IN
class type inspect TRAFIC_INTRARE
inspect
class class-default
drop
!
! NOTE(review): the service policies look swapped. IN-OUT (INSIDE -> OUTSIDE) applies
! POL_OUT_IN, whose class matches the inbound ACL (destination host 10.0.152.11), while
! OUT-IN (OUTSIDE -> INSIDE) applies POL_IN_OUT, whose class matches sources in
! 10.0.152.0/24. As written, ordinary LAN-to-WAN traffic falls to class-default drop and
! no legitimate OUTSIDE traffic matches TRAFIC_IESIRE. Expected pairing: IN-OUT ->
! POL_IN_OUT, OUT-IN -> POL_OUT_IN; verify with "show policy-map type inspect zone-pair".
! No INSIDE->self or self->OUTSIDE pair exists; with no zone-pair the self zone's default
! (permit) applies in those directions — confirm that is intended.
zone security INSIDE
description Zona_Inside
zone security OUTSIDE
description Zona_Outside
zone-pair security IN-OUT source INSIDE destination OUTSIDE
service-policy type inspect POL_OUT_IN
zone-pair security OUT-IN source OUTSIDE destination INSIDE
service-policy type inspect POL_IN_OUT
zone-pair security OUT-SELF source OUTSIDE destination self
service-policy type inspect POL_OUT_SELF
!
!
!
!
! LAN interface: INSIDE zone, IPS applied in both directions, virtual reassembly for
! the inspect/IPS features.
interface FastEthernet0/0
description LAN
ip address 10.0.152.1 255.255.255.0
ip ips IOSIPS in
ip ips IOSIPS out
ip virtual-reassembly
zone-member security INSIDE
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
! WAN interface: OUTSIDE zone, IPsec crypto map applied. IPS is not applied here, so
! traffic from the WAN is only inspected by IPS once it reaches Fa0/0.
interface Serial0/1/0
description WAN
ip address 192.168.152.2 255.255.255.0
ip virtual-reassembly
zone-member security OUTSIDE
clock rate 2000000
crypto map MYMAP
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
! eBGP to 192.168.152.1 (AS 1) with no "neighbor ... password", so the session has no
! TCP MD5 authentication; the OUT-SELF policy passes bgp from OUTSIDE to the router.
router bgp 200
no synchronization
bgp log-neighbor-changes
network 10.0.152.0 mask 255.255.255.0
network 192.168.152.0
neighbor 192.168.152.1 remote-as 1
no auto-summary
!
ip forward-protocol nd
! Both cleartext HTTP and HTTPS management are enabled with local authentication; the
! cleartext server sends credentials unencrypted. POL_OUT_SELF does not pass http/https,
! so from OUTSIDE these are dropped; from INSIDE they are reachable (no INSIDE->self pair).
ip http server
ip http authentication local
ip http secure-server
!
!
!
! Outbound (TRAFIC_IESIRE): only LAN sources. Inbound anti-spoofing (TRAFIC_OUT_IN):
! denies 0/8, 10/8, 172.16/12, 127/8, limited broadcast and 224/8 — the wildcard
! 0.255.255.255 on 224.0.0.0 covers only 224/8, not the whole multicast range 224/4
! (wildcard 15.255.255.255). 192.168/16 is not denied, presumably because the WAN link
! itself is 192.168.152.0/24; 169.254/16 is not covered either. Everything else is
! permitted only toward host 10.0.152.11.
ip access-list standard TRAFIC_IESIRE
permit 10.0.152.0 0.0.0.255
deny any
!
ip access-list extended TRAFIC_OUT_IN
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
permit ip any host 10.0.152.11
!
! Syslog to two collectors; 10.0.152.11 is also the host the inbound policy exposes for
! tftp/http/https. 192.168.20.2 is not on any connected subnet shown in this config.
logging 192.168.20.2
logging 10.0.152.11
! Crypto ACL referenced by MYMAP ("match address 110"): LAN to the remote 10.0.151.0/24.
access-list 110 permit ip 10.0.152.0 0.0.0.255 10.0.151.0 0.0.0.255
!
!
! TACACS+ server on the LAN; the shared key is stored type-7 (reversible).
tacacs-server host 10.0.152.10 single-connection key 7 05080F1C2243
!
control-plane
!
!
!
!
mgcp fax t38 ecm
!
!
!
! Level 5 gets hostname config, ping and all "show" commands, explicitly including
! running-config and startup-config (normally level 15). This hands the full config,
! with every type-7 credential in it, to the "level5" user.
privilege configure level 5 hostname
privilege exec level 5 ping
privilege exec level 5 show startup-config
privilege exec level 5 show running-config
privilege exec level 5 show
!
! "exec-timeout 0 0" disables idle logout on console and vty. Under "aaa new-model" with
! the default login list set to local, the line "password 7" values are not used for
! login. vty: no "transport input ssh" in this config (telnet is not excluded); login
! uses the default (local) list since no "login authentication LISTA" is applied, while
! exec authorization and accounting go to tacacs+ via LISTA. aux 0 is left at defaults.
line con 0
exec-timeout 0 0
password 7 030752180500
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 045802150C2E
authorization exec LISTA
accounting exec LISTA
logging synchronous
!
scheduler allocate 20000 1000
end