Commands from lecture 25/1 2012
Passwords/login
enable password cisco
enable secret cisco (MD5)
line vty 0 4
password cisco
login (to require login)
passwords can be viewed through a sniffer…
exec-timeout
service password-encryption, can be cracked (Cisco's own reversible algorithm, weaker than secret)
username name secret cisco
line con 0
login local (local database)
login block-for 15 attempts 5 within 60
show login
show login failures
banner <type> c This equipment is privately owned and access is logged. Disconnect immediately if you are not an authorized user. Violators will be prosecuted to the fullest extent of the law. c (the text is wrapped in a delimiter character, here c)
SSH part
ip domain-name span.com
crypto key generate rsa
show crypto key mypubkey rsa
show ip ssh
ip ssh version 2 (diffie-hellman key exchange)
ip ssh time-out 60
ip ssh authentication-retries 2
show ip ssh
try with tera term or putty
line vty 0 4
transport input ssh
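As an added example (not part of the lecture notes), the following script audits an IOS-style running-config for the weak settings the Passwords/login and SSH parts above warn about: enable password instead of enable secret, line passwords (cleartext or type 7), telnet still allowed on the vty lines, SSH version 2 not enforced, no exec-timeout and no login block-for. The sample config and the finding codes are constructed for this example.

```python
# Added example, not from the lecture: audit an IOS-style running-config for
# the weak settings the Passwords/login and SSH sections warn about.
# SAMPLE_CONFIG is constructed here, not captured from a real device.
SAMPLE_CONFIG = """\
service password-encryption
enable password cisco
ip ssh version 1
line con 0
 login local
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet ssh
"""

def parse_sections(text):
    """Map each top-level line to its indented sub-lines; key "" lists every top-level line."""
    sections, current = {"": []}, ""
    for raw in filter(str.strip, text.splitlines()):   # skip blank lines
        if raw.startswith(" "):          # indented: belongs to the current block
            sections[current].append(raw.strip())
        else:                            # top level: start a (possibly empty) block
            current = raw.strip()
            sections.setdefault(current, [])
            sections[""].append(current)
    return sections

def audit_config(text):
    """Return sorted finding codes (names chosen for this example); [] means clean."""
    sections = parse_sections(text)
    top, findings = sections[""], set()
    # enable password is cleartext (type 7 under service password-encryption); only enable secret hashes (MD5)
    if any(ln.startswith("enable password") for ln in top) and \
            not any(ln.startswith("enable secret") for ln in top):
        findings.add("ENABLE_PASSWORD_NOT_SECRET")
    if "ip ssh version 2" not in top:    # v1 or unset: version 2 not enforced
        findings.add("SSH_V2_NOT_ENFORCED")
    if not any(ln.startswith("login block-for") for ln in top):
        findings.add("NO_LOGIN_BLOCK_FOR")   # no lockout after repeated failed logins
    for header, body in sections.items():
        if not header.startswith("line "):
            continue
        if any(ln.startswith("password") for ln in body):   # line password: cleartext or type 7
            findings.add("LINE_PASSWORD_REVERSIBLE")         # use login local + username ... secret
        if header.startswith("line vty"):
            transports = [ln for ln in body if ln.startswith("transport input")]
            if transports != ["transport input ssh"]:        # missing, or not ssh-only
                findings.add("VTY_ALLOWS_TELNET")
            if not any(ln.startswith("exec-timeout") for ln in body):
                findings.add("VTY_NO_EXEC_TIMEOUT")
    return sorted(findings)
```

Running `audit_config(SAMPLE_CONFIG)` lists all six finding codes for the sample above; a config using enable secret, login local, transport input ssh, ip ssh version 2, exec-timeout and login block-for returns an empty list.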
Privileges part
username USER privilege 1 secret cisco
username USER2 privilege 5 secret cisco5
username USER2 privilege 10 secret cisco10
username ADMIN privilege 15 secret cisco
login as USER..
show privilege
try ping
enable 5
show priv
try ping
enable 10
show priv
ping
show run
VIEWS part (role-based CLI)
aaa new-model (enable aaa on device)
parser view (view-name) creates a view
commands <mode> include <command> adds a command to the view
include-exclusive adds the command to this view only (no other views can include it)
exclude removes a command/interface from the view
all adds all the remaining subcommands of the command
interface
parser view VERIFY
secret cisco5
commands exec include ping
exit
show run
parser view ASD superview
view VERIFY (adds the view VERIFY to the superview)
show run
enable view ASD
?
Securing Image/Config-files part
secure boot-image
secure boot-config
show secure bootset
no service password-recovery ….
SYSLOG part
logging host
logging trap
logging source-interface
logging on
NTP part
clock set 10:38:00 jan 25 2012
ntp server <ip> key source
ntp broadcast client
ntp server ^
show clock
show ntp status
ntp authentication-key
ntp trusted-key
show ntp associations
Auto Secure
AAA radius server
Enable aaa services
aaa new-model
Set authentication methods for default login (radius)
aaa authentication login default group radius (none, local etc.) <- the authentication methods are tried in order from left to right
Specify the radius server, secret and ports
radius-server host 192.168.3.10 auth-port 1645 key WinRadius (ports may differ)
Apply added authentication to the virtual terminal connections
line vty 0 4
login authentication default
CBAC configuration (Stateful FW)
Create block for incoming traffic
ip access-list extended lockout
deny icmp any any
Apply to outer interface, inbound
interface fa0/1
ip access-group lockout in
Create inspection rule to allow ICMP requests from the inside
ip inspect name ICMP icmp alert on
Apply to inner interface, inbound
interface fa0/0
ip inspect ICMP in
Debug inspected ICMP traffic
debug ip inspect protocol icmp
Enable the built-in IPS and apply it to an interface
ip ips name MYIPS
interface fa0/0
ip ips MYIPS in
Confirm IPS
show ip ips configuration
Site-to-Site VPN
1. Create Internet Key Exchange (IKE) key policy.
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#hash md5
Router(config-isakmp)#authentication pre-share
2. Setup the shared key
Router(config)#crypto isakmp key VPNKEY address XXX.XXX.XXX.XXX (static public IP address of the other end)
3. Set lifetime for the IPSec security associations
Router(config)#crypto ipsec security-association lifetime seconds YYYYY
4. Configure an extended access-list to define the traffic that is allowed to be directed through the VPN link
Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK
5. Define the transform set that will be used for this VPN connection
Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC (BBBB and CCCCC are the transforms in the set)
6. After defining all the previous things, we need to create a crypto map that associates the access-list, the other site and the transform set.
Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp
Router(config-crypto-map)#set peer XXX.XXX.XXX.XXX (static public address of the other end)
Router(config-crypto-map)#set transform-set SETNAME
Router(config-crypto-map)#match address AAA (access-list)
7. The last step is to bind the crypto-map to the interface that connects the router to the other end.
Router(config)#interface s0/1/0
Router(config-if)#crypto map MAPNAME
Access layer port-security
Int fa0/x
switchport mode access
switchport port-security
switchport port-security mac-address sticky
Trunk port security
Int fa0/x
switchport mode trunk
storm-control broadcast level 50
switchport nonegotiate