CCNA SECURITY 1.2 COMMANDS

CONFIGURE R1 AS AN NTP CLIENT (authenticated NTP).
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 ciscontppa55
R1(config)# ntp trusted-key 1
R1(config)# ntp server 192.168.1.5 key 1
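What the four NTP commands above actually buy you is a keyed MD5 check on every packet from the server: the packet carries a key id plus MD5(key || header), and the client accepts it only if that key id is both configured and listed as trusted. The following Python model is an added example, not code from the page or from Cisco; the header field values and the second (untrusted) key are constructed, and the MAC layout follows RFC 5905 (key id followed by a 16-byte MD5 digest over key concatenated with the 48-byte header).

```python
import hashlib
import hmac
import struct

# Constructed key table: key id 1 mirrors "ntp authentication-key 1 md5 ciscontppa55"
# from the page; key id 2 is a second configured key that is deliberately NOT trusted.
NTP_KEYS = {1: b"ciscontppa55", 2: b"spare-key-not-trusted"}
TRUSTED_KEY_IDS = {1}            # mirrors "ntp trusted-key 1"
HEADER_LEN = 48                  # NTP header; MAC = 4-byte key id + 16-byte MD5 digest
MAC_LEN = 20


def ntp_client_header(transmit_seconds):
    """Build a 48-byte NTPv4 client-mode header with constructed field values."""
    head = struct.pack("!BBbb", 0x23, 0, 6, -20)      # LI=0, VN=4, mode=3 (client); stratum; poll; precision
    head += struct.pack("!III", 0, 0, 0)               # root delay, root dispersion, reference id
    head += b"\x00" * 24                               # reference, origin and receive timestamps
    head += struct.pack("!II", transmit_seconds, 0)    # transmit timestamp (seconds, fraction)
    return head


def ntp_mac(key_id, header):
    """RFC 5905 style MAC: MD5 over (key || header), prefixed by the key id."""
    digest = hashlib.md5(NTP_KEYS[key_id] + header).digest()
    return struct.pack("!I", key_id) + digest


def authenticate_packet(key_id, header):
    """Server side: append key id + digest to the header."""
    return header + ntp_mac(key_id, header)


def verify_packet(packet):
    """Client side with 'ntp authenticate' on: returns (accepted, reason).

    A packet is accepted only if it carries a MAC, the key id is both configured
    and trusted, and the digest matches.
    """
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "unauthenticated or malformed"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = packet[HEADER_LEN + 4:]
    if key_id not in NTP_KEYS or key_id not in TRUSTED_KEY_IDS:
        return False, "untrusted key id %d" % key_id
    expected = hashlib.md5(NTP_KEYS[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):   # constant-time comparison
        return False, "bad digest"
    return True, "ok"


if __name__ == "__main__":
    hdr = ntp_client_header(3900000000)
    good = authenticate_packet(1, hdr)
    print(verify_packet(good))                          # (True, 'ok')
    tampered = bytearray(good)
    tampered[40] ^= 0x01                                # flip a bit in the transmit timestamp
    print(verify_packet(bytes(tampered)))               # (False, 'bad digest')
    print(verify_packet(authenticate_packet(2, hdr)))   # (False, 'untrusted key id 2')
    print(verify_packet(hdr))                           # (False, 'unauthenticated or malformed')
```

The point of the trusted-key check is the third case: a key that is merely configured but not trusted is rejected even though its digest would verify, which is exactly the distinction between ntp authentication-key and ntp trusted-key on the router.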
CONFIGURE THE ROUTERS TO UPDATE THEIR DATE AND TIME (HARDWARE CALENDAR) FROM NTP.
R1(config)# ntp update-calendar
CONFIGURE THE ROUTERS TO SHOW THE TIME IN THE LOGS.
R1(config)# service timestamps log datetime msec
CONFIGURE THE ROUTER TO GENERATE LOGS OF LOGIN ACTIVITY.
Configure the router to generate system logging messages for both successful and failed login attempts. The following commands log every successful login and log failed login attempts after every second failed login.
R1(config)# login on-success log
R1(config)# login on-failure log every 2
CONFIGURE A ROUTER TO IDENTIFY THE REMOTE HOST THAT WILL RECEIVE THE LOGGING MESSAGES.
R1(config)# logging host <hostname | ip-address>
R1(config)# logging trap informational          (severity level)
R1(config)# logging source-interface <type number>
R1(config)# logging on
CONFIGURE THE MINIMUM PASSWORD LENGTH ON A ROUTER.
R1(config)# security passwords min-length 10
CONFIGURE A ROUTER TO SUPPORT SSH CONNECTIONS.
Step 1. Configure a domain name.
R3(config)# ip domain-name ccnasecurity.com
Step 2. Create a user SSHadmin with the highest possible privilege level and a secret password of ciscosshpa55.
R3(config)# username SSHadmin privilege 15 secret ciscosshpa55
Step 3. Configure the incoming vty lines on R3. Use the local user accounts for mandatory login and validation. Accept only SSH connections.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh
Step 4. Erase existing key pairs on R3. Any existing RSA key pairs should be erased on the router.
R3(config)# crypto key zeroize rsa
Step 5. Generate the RSA encryption key pair for R3.
R3(config)# crypto key generate rsa
CONFIGURE THE SSH TIMEOUT AND AUTHENTICATION PARAMETERS.
Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
R3(config)# ip ssh time-out 90
R3(config)# ip ssh authentication-retries 2
R3(config)# ip ssh version 2
CONNECT TO R3 USING SSH FROM PC-C.
When prompted for the password, enter the password configured for the administrator, ciscosshpa55.
PC> ssh -l SSHadmin 192.168.3.1

CONNECT TO R3 USING SSH FROM R2 VIA SSH VERSION 2.
R2# ssh -v 2 -l SSHadmin 10.2.2.1
Password: ciscosshpa55

CONFIGURE A USER IN THE LOCAL DATABASE.
R3(config)# username Admin01 privilege 15 secret Admin01pass

CONFIGURE THE LOGIN BLOCK-FOR COMMAND.
To configure a 60 second login shutdown (quiet mode timer) if two failed login attempts are made within 30 seconds:
R1(config)# login block-for 60 attempts 2 within 30
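The login block-for command above is a sliding-window counter with a lockout timer: failures are counted over a 30-second window, and when the count reaches 2 the device enters quiet mode and refuses every login for 60 seconds. The following Python model is an added example (not code from the page or from Cisco IOS) that reproduces that behaviour so the window edges can be checked; event timestamps are constructed.

```python
from collections import deque


class LoginGuard:
    """Model of 'login block-for <block_for> attempts <attempts> within <within>'.

    Failed logins are counted in a sliding window of <within> seconds; when the
    count reaches <attempts>, the device enters quiet mode for <block_for> seconds
    and refuses further login attempts until the timer expires.  Only failures are
    counted in this model; successful logins are simply not counted.
    """

    def __init__(self, block_for=60, attempts=2, within=30):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.failures = deque()      # timestamps of recent failed attempts
        self.quiet_until = None      # absolute time at which quiet mode ends

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now, success):
        """Process one login attempt at time <now> (seconds).

        Returns 'refused' (quiet mode active), 'ok' (successful login),
        'failed' (counted failure) or 'quiet-mode' (this failure started the timer).
        """
        if self.in_quiet_mode(now):
            return "refused"
        if success:
            return "ok"
        self.failures.append(now)
        # Drop failures that fell out of the <within> window.
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return "quiet-mode"
        return "failed"


def replay(guard, events):
    """events: iterable of (time, success) in time order; returns the decision list."""
    return [guard.attempt(t, ok) for t, ok in events]


if __name__ == "__main__":
    # Constructed timeline: two failures 20 s apart trigger quiet mode at t=20,
    # a valid login at t=50 is still refused, and at t=80 the timer has expired.
    print(replay(LoginGuard(60, 2, 30), [(0, False), (20, False), (50, True), (80, True)]))
    # ['failed', 'quiet-mode', 'refused', 'ok']
```

The second scenario in the test (failures at t=0 and t=31) shows the window edge: the first failure has aged out, so the second one does not trigger quiet mode.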
CONFIGURE A LOCAL USER FOR AAA AUTHENTICATION.
R3(config)# username JR-ADMIN secret Str0ngPa55w0rd
R3(config)# aaa new-model
R3(config)# aaa authentication login default local local-case enable

IMPLEMENT AAA SERVICES FOR CONSOLE ACCESS USING A LOCAL DATABASE.
R3(config)# aaa authentication login default local none
R3(config)# line console 0
R3(config-line)# login authentication default
CREATE A PROFILE IN THE LOCAL DATABASE WITH AAA AUTHENTICATION FOR TELNET USE.
R3(config)# aaa authentication login TELNET_LOGIN local-case
R3(config)# line vty 0 4
R3(config-line)# login authentication TELNET_LOGIN

CONFIGURE A ROUTER TO AUTHENTICATE AGAINST TACACS+, THEN RADIUS SERVERS, AND FINALLY THE LOCAL DATABASE.
R1(config)# aaa new-model
R1(config)# tacacs-server host 192.168.1.1 single-connection
R1(config)# tacacs-server key TACACSPa55W0rd
R1(config)# radius-server host 192.168.1.2
R1(config)# radius-server key RADIUS-Pa55W0rd
R1(config)# aaa authentication login default group tacacs+ group radius local-case
(The method list defines the order of the servers used to authenticate: TACACS+, then RADIUS, and FINALLY a user from the local database.)
CONFIGURE COMMAND AUTHORIZATION TYPES THROUGH AAA.
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ngPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+

CONFIGURE ACCOUNTING (AUDITING) THROUGH AAA.
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ngPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting network default start-stop group tacacs+
LOCK AN ACCOUNT AFTER A NUMBER OF FAILED ATTEMPTS.
R3(config)# aaa local authentication attempts max-fail <number>

CREATE PRIVILEGE LEVELS.
R1(config)# username USER privilege 1 secret cisco
R1(config)# privilege exec level 5 ping
R1(config)# enable secret level 5 cisco5
R1(config)# username SUPPORT privilege 5 secret cisco5
R1(config)# privilege exec level 10 reload
R1(config)# enable secret level 10 cisco10
R1(config)# username JR-ADMIN privilege 10 secret cisco10
R1(config)# username ADMIN privilege 15 secret cisco123
CONFIGURE ROLE-BASED CLI VIEWS.
ENABLE THE ROOT VIEW.
R1(config)# aaa new-model
R1(config)# enable secret cisco12345
R1(config)# exit
R1# enable view
Password: cisco12345
R1(config)# parser view admin1
R1(config-view)# secret admin1pass
R1(config-view)# commands exec include all show
R1(config-view)# commands exec include all config terminal
R1(config-view)# commands exec include all debug
R1(config-view)# end

VERIFY THE ADMIN1 VIEW.
R1# enable view admin1
Password: admin1pass

Create a view called SHOWVIEW, assign a password to the view, and allow the view to use all EXEC commands that begin with show.
R1(config)# aaa new-model
R1(config)# parser view SHOWVIEW
R1(config-view)# secret cisco
R1(config-view)# commands exec include show
R1(config-view)# end

Create a view called VERIFIEDVIEW, assign a password to the view, and allow the view to use the ping command.
R1(config)# aaa new-model
R1(config)# parser view VERIFIEDVIEW
R1(config-view)# secret cisco
R1(config-view)# commands exec include ping
R1(config-view)# end
C%"$% n$ &is$ ll$$0$ RE)OOTVIE, Asign$% l$ /$ss>o%0 $ l$ &is$ P"%ii% $ "s$ &is$ s$% "l !o$n0o %"lo$0 R1(config)# $$$ n">-o0"l R1(config)# /$%s"% &i"> RE)OOTVIE, R1(config-vie%)# s"!%" !is!o15 R1(config-vie%)# !o$n0s ""! in!l0" %"lo$0 R1(config-vie%)# "n0 TO SECURE THE IOS IMAGE AND ENA)LE CISCO IOS IMAGE RESILIENCE R1(config)# s"!%" oo-i$g" TO SECURE THE )OOT CONFIG R1(config)# s"!%" oo-!on#ig CREAR ACLs E+EMPLOS DE ACLs permit udp any 192.16.1.& &.&.&.255 e domain permit tcp any 192.16.1.& &.&.&.255 e smtp permit tcp any 192.16.1.& &.&.&.255 e ftp deny tcp any host 192.16.1.' e ==' permit tcp any host 192.16.'.' e 22 permit icmp any any echo-rep!y permit icmp any any unreacha!e deny icmp any any permit ip any any
;ermite a cua!uier host acceder a DNS ;ermite a cua!uier host acceder a SMTP ;ermite a cua!uier host acceder a FTP 8iega a cua!uier host acceder a HTTPS ;ermite a cua!uier host acceder a SSH ;ermite a cua!uier host "!3o %"/li"s ;ermite a cua!uier host 0"s. n%"$!3$l" 8iega a cua!uier host acceder a ICMP ;ermite a cua!uier host a !$li"% l$0o
ACL TO PERMIT THE IPSEC PROTOCOLS: ESP (IP protocol 50), AH (IP protocol 51) AND ISAKMP (UDP PORT 500).
"rear una ACL NOM)RADA ETENDIDA !!amado /"-13 ap!icada entrante en !a interfa 7a&>&3 ue niega e! servidor %orkgroup server sa!ga3 pero permite ue e! resto de !os usuarios de /8 fuera de acceso usando !a pa!ara c!ave "s$lis3"0 R1(config)# ip access-list extended ACL-1 R1(config-ext-nacl)# remark LAN ACL R1(config-ext-nacl)# deny ip host 192.168.1.6 any R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any estalished R1(config-ext-nacl)# deny ip any any R1(config-ext-nacl)# exit R1(config)# inter!ace "a0#0 R1(config-if)# ip access-$ro%p ACL-1 in R1(config-if)# exit
CREATE A NAMED EXTENDED ACL called ACL-2, applied outbound on the DMZ interface Fa0/1, to permit access to the specified Web and Email servers.
The log parameter can be appended to the end of an ACE statement:
permit tcp any host 192.168.2.6 eq 80 log
NUMBERED ACL
R1(config)# ip access-list extended 150
R1(config-ext-nacl)# permit tcp host 192.168.1.100 any eq telnet
R1(config-ext-nacl)# permit tcp any any eq www
R1(config-ext-nacl)# permit tcp any any eq telnet
R1(config-ext-nacl)# permit tcp any any eq smtp
R1(config-ext-nacl)# permit tcp any any eq pop3
R1(config-ext-nacl)# permit tcp any any eq 21
R1(config-ext-nacl)# permit tcp any any eq 20
R1# show access-list 150
Extended IP access list 150
    10 permit tcp any any eq www
    20 permit tcp any any eq telnet
    30 permit tcp any any eq smtp
    40 permit tcp any any eq pop3
    50 permit tcp any any eq 21
    60 permit tcp any any eq 20
COMPLEX ACLs

TCP Established ACLs
R1(config)# access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
R1(config)# access-list 100 deny ip any any
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in

Reflexive ACLs
R1(config)# ip access-list extended INTERNAL_ACL
R1(config-ext-nacl)# permit tcp any any eq 80 reflect WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# permit udp any any eq 53 reflect DNS-ONLY-REFLEXIVE-ACL timeout 10
R1(config-ext-nacl)# exit
R1(config)# ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)# evaluate WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# evaluate DNS-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface s0/0/0
R1(config-if)# ip access-group INTERNAL_ACL out
R1(config-if)# ip access-group EXTERNAL_ACL in

Dynamic ACLs
R3(config)# username Student password cisco
R3(config)# access-list 101 permit tcp any host 10.2.2.2 eq telnet
R3(config)# access-list 101 dynamic TESTLIST timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
R3(config)# interface s0/0/1
R3(config-if)# ip access-group 101 in
R3(config-if)# exit
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# autocommand access-enable host timeout 15     (this does not work in the emulator; it is a hidden command)

Time-based ACLs
R1(config)# time-range EMPLOYEE-TIME
R1(config-time-range)# periodic weekdays 12:00 to 13:00
R1(config-time-range)# periodic weekdays 17:00 to 19:00
R1(config-time-range)# exit
R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range EMPLOYEE-TIME
R1(config)# access-list 100 deny ip any any
R1(config)# interface FastEthernet 0/1
R1(config-if)# ip access-group 100 in
R1(config-if)# exit

MITIGATING ATTACKS WITH ACLs
Permit only ping for the 192.168.30.0 network and deny everything else.
R1(config)# access-list 120 permit icmp any 192.168.20.0 0.0.0.255 echo
R1(config)# access-list 120 permit icmp any 192.168.20.0 0.0.0.255 echo-reply
R1(config)# access-list 120 deny ip any any
DO NOT ALLOW ADDRESSES TO BE SPOOFED
Deny all IP packets containing the following IP addresses in their source field:
• Any local host addresses (127.0.0.0/8)
• Any reserved private addresses (RFC 1918)
• Any addresses in the IP multicast address range (224.0.0.0/4)
• Inbound on S0/0/0:
R1(config)# access-list 150 deny ip 0.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 10.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any
R1(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any
R1(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any
R1(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any
R1(config)# access-list 150 deny ip host 255.255.255.255 any

Do not allow any outbound IP packets with a source address other than a valid IP address of the internal network.
• Create an ACL that permits only those packets that contain source addresses from inside the network and denies all others.
• Inbound on Fa0/1:
R1(config)# access-list 105 permit ip 192.168.1.0 0.0.0.255 any
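The ACL entries on this page (the example ACL with the per-line explanations, the established keyword in ACL-1 and ACL 100, and the anti-spoofing list just above) all depend on the same three mechanics: wildcard-mask matching, top-down first-match evaluation, and the implicit deny at the end. The following Python evaluator is an added example, not code from the page or from Cisco; it parses ACEs in the page's own syntax and runs constructed packets through the page's lists. Packets are dicts that I construct here; the established check models IOS behaviour (the ACE matches only TCP segments with ACK or RST set).

```python
import ipaddress

PORT_NAMES = {"domain": 53, "smtp": 25, "ftp": 21, "www": 80, "telnet": 23,
              "pop3": 110, "syslog": 514, "snmptrap": 162, "https": 443}
ICMP_TYPES = {"echo", "echo-reply", "unreachable", "source-quench", "packet-too-big",
              "time-exceeded", "administratively-prohibited"}


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care about this bit'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


def _addr_spec(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (network, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def _port_spec(tokens):
    """Consume an optional 'eq <port>' and return the port number or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None


def parse_ace(line):
    """Parse one ACE written either as 'access-list N ...' or in named-ACL form."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                      # drop the keyword and the list number
    ace = {"action": tokens.pop(0), "proto": tokens.pop(0)}
    ace["src"] = _addr_spec(tokens)
    ace["sport"] = _port_spec(tokens)
    ace["dst"] = _addr_spec(tokens)
    ace["dport"] = _port_spec(tokens)
    ace["established"] = "established" in tokens
    ace["icmp_type"] = next((t for t in tokens if t in ICMP_TYPES), None)
    return ace                                  # trailing 'log' / 'time-range' are ignored


def ace_matches(ace, pkt):
    """pkt keys: proto, src, dst; optional sport, dport, flags (set), icmp_type."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]) or not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    if ace["established"] and not ({"ACK", "RST"} & pkt.get("flags", set())):
        return False                             # 'established' needs ACK or RST set
    if ace["icmp_type"] is not None and pkt.get("icmp_type") != ace["icmp_type"]:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"


# The page's lists, with the "R1(config)# " prompt stripped.
ANTI_SPOOF_ACL = [
    "access-list 150 deny ip 0.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 150 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 150 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 150 deny ip 224.0.0.0 15.255.255.255 any",
    "access-list 150 deny ip host 255.255.255.255 any",
]
ESTABLISHED_ACL = [
    "access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established",
    "access-list 100 deny ip any any",
]
EXAMPLE_ACL = [
    "permit udp any 192.168.1.0 0.0.0.255 eq domain",
    "deny tcp any host 192.168.1.3 eq 443",
    "permit icmp any any echo-reply",
    "deny icmp any any",
    "permit ip any any",
]

if __name__ == "__main__":
    spoofed = {"proto": "tcp", "src": "10.1.2.3", "dst": "192.168.1.10"}     # constructed
    print(evaluate(ANTI_SPOOF_ACL, spoofed))
    legit = {"proto": "udp", "src": "203.0.113.7", "dst": "192.168.1.10"}   # constructed
    print(evaluate(ANTI_SPOOF_ACL, legit))      # ('deny', 'implicit deny')
```

Two things the run makes visible that the listings alone do not: a legitimate outside source hits the implicit deny when the anti-spoofing list stands alone (the deny entries only do their job when followed by the permits the page shows in other lists, such as permit ip any any), and a SYN from port 443 does not pass the established ACE, while an ACK from the same port does.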
P%o"! DNS SMTP $n0 FTP 8*3 *:$;3 and 7$; are common services that often must e a!!o%ed through a fire%a!!. B Oon0 on F$55 R1(config)# $!!"ss-lis 1=5 /"%i 0/ $n' 3os 192.1<=.25.2 " 0o$in R1(config)# $!!"ss-lis 1=5 /"%i !/ $n' 3os 192.1<=.25.2 " s/ R1(config)# $!!"ss-lis 1=5 /"%i !/ $n' 3os 192.1<=.25.2 " #/ R1(config)# $!!"ss-lis 1=5 /"%i !/ 3os 255... 3os 192.1<=.25.2 " "ln" R1(config)# $!!"ss-lis 1=5 /"%i !/ 3os 255... 3os 192.1<=.25.2 " 22 R1(config)# $!!"ss-lis 1=5 /"%i 0/ 3os 255... 3os 192.1<=.25.2 " s'slog R1(config)# $!!"ss-lis 1=5 /"%i 0/ 3os 255... 3os 192.1<=.25.2 " sn/%$/ •
Fil"% ICMP M"ss$g"s A
*evera! inound ":; messages are reuired for proper net%ork operation< B E!3o %"/l' - /!!o%s interna! users to ping eterna! hosts. B So%!" "n!3 - Reuests the sender to decrease the traffic rate. B Un%"$!3$l" - nreacha!e messages are generated for packets that are administrative!y denied y an /". B Inon0 on S555
R1(config)# $!!"ss-lis 15 /"%i i!/ $n' $n' "!3o-%"/l' R1(config)# $!!"ss-lis 15 /"%i i!/ $n' $n' so%!"-"n!3 R1(config)# $!!"ss-lis 15 /"%i i!/ $n' $n' n%"$!3$l" R1(config)# $!!"ss-lis 15 0"n' i!/ $n' $n' R1(config)# $!!"ss-lis 15 /"%i i/ $n' $n' A
*evera! outound ":; messages are reuired for proper net%ork operation< B E!3o - /!!o%s users to ping eterna! hosts. B P$%$""% /%ol" - nforms the host of packet header pro!ems. B P$!7" oo ig - Reuired for packet :$ discovery. B So%!" "n!3 - $hrott!es do%n traffic %hen necessary. B Inon0 on F$55
OBJECT GROUPS EXAMPLE
In this example topology, there are 3 servers, each requiring outside-to-inside access for 3 protocols. Without object groups, we have to configure a permit statement for each server, for each protocol:
R1(config)# ip access-list extended In
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq https
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq https
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq https

For the same topology, using object group configuration, first create the service object for the services:
R1(config)# object-group service Web-svcs tcp
R1(config-service-group)# tcp smtp
R1(config-service-group)# tcp www
R1(config-service-group)# tcp https

Next, create the network object for the servers. This example uses the range keyword; you can also use the host keyword or define a subnet.
R1(config)# object-group network Webservers
R1(config-network-group)# range 10.10.10.1 10.10.10.3
CLASSIC FIREWALL (CBAC) CONFIGURATION
An administrator needs to permit inside users to initiate TCP, UDP, and ICMP traffic with all external sources. Outside clients are allowed to communicate with the SMTP mail server (209.165.201.2) and HTTP server (209.165.201.1) that are located in the enterprise demilitarized zone (DMZ). It is also necessary to permit certain ICMP messages to all interfaces. All other traffic from the external network is denied.
Step 1. Choose an interface, either internal or external.
Step 2. Configure IP ACLs at the interface.
Step 3. Define inspection rules.
Step 4. Apply an inspection rule to an interface.

Create an ACL that allows TCP, UDP, and ICMP sessions and denies all other traffic.
R1(config)# access-list 101 permit tcp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 permit udp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 permit icmp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 deny ip any any
This ACL is applied to the internal interface in the inbound direction. The ACL processes traffic initiating from the internal network prior to leaving the network.
R1(config)# interface Fa0/0
R1(config-if)# ip access-group 101 in

Next, create an extended ACL in which SMTP and HTTP traffic is permitted from the external network to the DMZ network only, and all other traffic is denied.
R1(config)# access-list 102 permit tcp any 209.165.201.1 0.0.0.0 eq 80
R1(config)# access-list 102 permit tcp any 209.165.201.2 0.0.0.0 eq smtp
R1(config)# access-list 102 permit icmp any any echo-reply
R1(config)# access-list 102 permit icmp any any unreachable
R1(config)# access-list 102 permit icmp any any administratively-prohibited
R1(config)# access-list 102 permit icmp any any packet-too-big
R1(config)# access-list 102 permit icmp any any echo
R1(config)# access-list 102 permit icmp any any time-exceeded
R1(config)# access-list 102 deny ip any any
This ACL is applied to the interface connecting to the external network in the inbound direction.
R1(config)# interface S0/0/0
R1(config-if)# ip access-group 102 in

Next, create inspection rules for TCP inspection and UDP inspection.
R1(config)# ip inspect name MYSITE tcp
R1(config)# ip inspect name MYSITE udp
These inspection rules are applied to the internal interface in the inbound direction.
R1(config)# interface Fa0/0
R1(config-if)# ip inspect MYSITE in
CONFIGURING CONTEXT-BASED ACCESS CONTROL (CBAC)
1. Configure a named IP ACL on R3 to block all traffic originating from the outside network. Use the ip access-list extended command to create a named IP ACL.
R3(config)# ip access-list extended OUT-IN
R3(config-ext-nacl)# deny ip any any
R3(config-ext-nacl)# exit
2. Apply the ACL to interface Serial 0/0/1.
R3(config)# interface s0/0/1
R3(config-if)# ip access-group OUT-IN in
3. Confirm that traffic entering interface Serial 0/0/1 is dropped. From the PC-C command prompt, ping the PC-A server. The ICMP echo replies are blocked by the ACL.
4. Create a CBAC inspection rule. Create an inspection rule to inspect ICMP, Telnet, and HTTP traffic.
R3(config)# ip inspect name IN-OUT-IN icmp
R3(config)# ip inspect name IN-OUT-IN telnet
R3(config)# ip inspect name IN-OUT-IN http
5. Turn on time-stamped logging and CBAC audit trail messages. Use the ip inspect audit-trail command to turn on CBAC audit messages to provide a record of network access through the firewall, including illegitimate access attempts. Enable logging to the syslog server, 192.168.1.3, with the logging host command. Make sure that logged messages are timestamped.
R3(config)# ip inspect audit-trail
R3(config)# service timestamps debug datetime msec
R3(config)# logging host 192.168.1.3
6. Apply the inspection rule to egress traffic on interface S0/0/1.
R3(config-if)# ip inspect IN-OUT-IN out
7. Verify that audit trail messages are being logged on the syslog server. From PC-C, test connectivity to PC-A with ping, Telnet, and HTTP. Ping and HTTP should be successful. Note that PC-A will reject the Telnet session. From PC-A, test connectivity to PC-C with ping and Telnet. All should be blocked. Review the syslog messages on server PC-A: click the Config tab and then click the SYSLOG option.
8. Verify firewall functionality. Open a Telnet session from PC-C to R2. The Telnet should succeed. While the Telnet session is active, issue the command show ip inspect sessions on R3. This command displays the existing sessions that are currently being tracked and inspected by CBAC.
R3# show ip inspect sessions
R3# show ip inspect interfaces
R3# show ip inspect config
R3# debug ip inspect detailed
STEPS FOR CONFIGURING ZONE-BASED POLICY FIREWALLS WITH CLI
Step 1. Create the firewall zones with the zone security command.
R3(config)# zone security IN-ZONE
R3(config-sec-zone)# description Inside Network
R3(config)# zone security OUT-ZONE
R3(config-sec-zone)# description Outside Network
Step 2. Create an ACL that defines the internal traffic. Use the access-list command to create extended ACL 101, permitting all IP traffic from the 192.168.3.0/24 network to any destination.
R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any
Step 3. Define the traffic that will be subject to the firewall rules with the class-map type inspect command (here an ACL was used).
R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP     (class-map name)
R3(config-cmap)# match access-group 101
R3(config-cmap)# exit
Step 4. Create a policy-map to determine what is done with the traffic matched by the ACL, using the policy-map type inspect command.
R3(config)# policy-map type inspect IN-2-OUT-PMAP     (policy-map name)
R3(config-pmap)# class type inspect IN-NET-CLASS-MAP     (class-map name)
R3(config-pmap-c)# inspect     (the traffic will be inspected)
Step 5. Create the zone pair, internal versus external (source and destination zones), using the zone-pair security command and naming the zones.
R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
Step 6. Specify the policy map that handles the traffic between the zone pair. Attach the policy-map and its associated action (inspect) to the zone pair with the service-policy type inspect command, referencing the policy map created earlier, IN-2-OUT-PMAP.
R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)# exit
Step 7. Assign the router interfaces to the internal or external zone with the zone-member security command.
R3(config)# interface fa0/1
R3(config-if)# zone-member security IN-ZONE
R3(config-if)# exit
R3(config)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE
R3(config-if)# exit

ZPF SUMMARY
enable
configure terminal
hostname R3
zone security IN-ZONE
zone security OUT-ZONE
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
 exit
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
 exit
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
 exit
interface fa0/1
 zone-member security IN-ZONE
 exit
interface s0/0/1
 zone-member security OUT-ZONE
 exit
ZBF PRACTICAL EXAMPLE
1. CREATE ZONES
zone security NETWORK
zone security INTERNET
zone security DMZ

2. CLASSIFY TRAFFIC WITH CLASS MAPS.
class-map type inspect match-any NETtoOUT
 match protocol http
 match protocol smtp
 match protocol pop3
 match protocol icmp
class-map type inspect match-any NETtoDMZ
 match protocol http
 match protocol dns
 match protocol tftp
 match protocol icmp
 match access-group name DHCP
ip access-list extended DHCP
 permit udp any any eq bootps
 permit udp any any eq bootpc

3. DEFINE THE POLICY MAPS AND THE ACTION TO TAKE.
policy-map type inspect NETWORKtoOUTSIDE
 class type inspect NETtoOUT
  inspect
policy-map type inspect OUTSIDEtoNETWORK
 class type inspect OUTtoNET
  drop
policy-map type inspect NETWORKtoDMZ
 class type inspect NETtoDMZ
  inspect
policy-map type inspect DMZtoNETWORK
 class type inspect DMZtoNET
  inspect
policy-map type inspect OUTSIDEtoDMZ
 class type inspect OUTtoDMZ
  inspect
policy-map type inspect DMZtoOUTSIDE
 class type inspect DMZtoOUT
  inspect

4. CREATE THE ZONE PAIRS, WHICH APPLY THE POLICY BETWEEN ZONES.
zone-pair security NETtoOUT source NETWORK destination INTERNET
 service-policy type inspect NETWORKtoOUTSIDE

5. MAKE THE FW INTERFACES MEMBERS OF A ZONE.
FW(config)# int serial 0/0/0
FW(config-if)# zone-member security INTERNET
FW(config-if)# exit
FW(config)# int fa0/1
FW(config-if)# zone-member security DMZ
FW(config-if)# exit
FW(config)# int fa0/0
FW(config-if)# zone-member security NETWORK
FW(config-if)# exit
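Both the seven-step ZPF procedure and the practical example above build the same four objects (zones, class-maps, policy-maps, zone-pairs) and then rely on ZPF's default rules for everything not explicitly paired. The following Python model is an added example, not code from the page or from Cisco IOS; it encodes those defaults (intra-zone traffic passes, zone-to-zone traffic with no zone-pair is dropped, the self zone is open unless a pair names it, and a policy-map ends in a dropping class-default) and loads the practical example's configuration so the outcomes can be checked. It is a stateless model of the first packet of a flow; the flows, the interface names used as keys, and the CM_ACS-style match-all example (modelled on the teacher's assignment later on the page) are constructed.

```python
from dataclasses import dataclass, field


def acl_permits(entries, flow):
    """Toy permit-only ACL: each entry is (src, dst) with 'any' as wildcard."""
    return any(s in ("any", flow["src"]) and d in ("any", flow["dst"]) for s, d in entries)


@dataclass
class ClassMap:
    """class-map type inspect: match-any (any criterion) or match-all (every criterion)."""
    name: str
    match_any: bool
    protocols: set = field(default_factory=set)        # match protocol <p>
    access_groups: list = field(default_factory=list)  # match access-group <acl>

    def matches(self, flow, acls):
        criteria = []
        if self.protocols:
            criteria.append(flow["proto"] in self.protocols)
        for name in self.access_groups:
            criteria.append(acl_permits(acls.get(name, []), flow))
        if not criteria:
            return False
        return any(criteria) if self.match_any else all(criteria)


@dataclass
class PolicyMap:
    name: str
    classes: list = field(default_factory=list)   # ordered (ClassMap, action) pairs


class ZoneFirewall:
    SELF = "self"

    def __init__(self):
        self.zone_of = {self.SELF: self.SELF}   # interface -> zone; the router itself is zone 'self'
        self.pairs = {}                          # (source zone, destination zone) -> PolicyMap
        self.acls = {}                           # acl name -> permit entries

    def zone_member(self, interface, zone):
        self.zone_of[interface] = zone

    def zone_pair(self, src_zone, dst_zone, pmap):
        self.pairs[(src_zone, dst_zone)] = pmap

    def decide(self, in_if, out_if, flow):
        """Return 'pass', 'inspect' or 'drop' for the first packet of a flow."""
        src, dst = self.zone_of.get(in_if), self.zone_of.get(out_if)
        if src is None and dst is None:
            return "pass"                    # neither interface is in a zone: ZPF not involved
        if src is None or dst is None:
            return "drop"                    # zone member <-> non-member traffic is dropped
        if src == dst:
            return "pass"                    # intra-zone traffic is allowed by default
        pmap = self.pairs.get((src, dst))
        if pmap is None:                     # no zone-pair: self zone open, other pairs closed
            return "pass" if self.SELF in (src, dst) else "drop"
        for cmap, action in pmap.classes:    # first matching class wins
            if cmap.matches(flow, self.acls):
                return action
        return "drop"                        # class-default


NET_TO_OUT = ClassMap("NETtoOUT", match_any=True, protocols={"http", "smtp", "pop3", "icmp"})


def build_page_example():
    """The practical example's zones, class-map, policy-map, zone-pair and memberships."""
    fw = ZoneFirewall()
    fw.zone_pair("NETWORK", "INTERNET", PolicyMap("NETWORKtoOUTSIDE", [(NET_TO_OUT, "inspect")]))
    fw.zone_member("serial0/0/0", "INTERNET")
    fw.zone_member("fa0/1", "DMZ")
    fw.zone_member("fa0/0", "NETWORK")
    return fw


def build_match_all_example():
    """Same firewall plus a match-all class (ICMP from one host via ACL 100) passed before NETtoOUT."""
    fw = build_page_example()
    fw.acls["100"] = [("10.6.20.10", "any")]                      # constructed ACS host
    cm_acs = ClassMap("CM_ACS", match_any=False, protocols={"icmp"}, access_groups=["100"])
    fw.zone_pair("NETWORK", "INTERNET",
                 PolicyMap("PM_IN_TO_OUT", [(cm_acs, "pass"), (NET_TO_OUT, "inspect")]))
    return fw


if __name__ == "__main__":
    fw = build_page_example()
    http = {"proto": "http", "src": "192.168.10.5", "dst": "203.0.113.80"}   # constructed flow
    print(fw.decide("fa0/0", "serial0/0/0", http))                    # inspect
    print(fw.decide("fa0/0", "serial0/0/0", dict(http, proto="ssh")))  # drop (class-default)
    print(fw.decide("serial0/0/0", "fa0/0", http))                    # drop (no INTERNET->NETWORK pair)
    print(fw.decide("fa0/0", "fa0/1", http))                          # drop (no NETWORK->DMZ pair)
    print(fw.decide("fa0/0", "self", http))                           # pass (self zone default)
```

The drop for NETWORK to DMZ is the detail worth noticing: the practical example defines the NETtoDMZ class-map and the NETWORKtoDMZ policy-map but only one zone-pair, so until a NETWORK-to-DMZ zone-pair with a service-policy is added, that traffic is dropped by default. Return traffic for inspected flows is allowed by the state table on a real router, which this first-packet model does not represent.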
CONFIGURE IOS INTRUSION PREVENTION SYSTEM (IPS) USING CLI
1. CREATE AN IOS IPS CONFIGURATION DIRECTORY IN FLASH. On R1, create a directory in flash using the mkdir command. Name the directory ipsdir.
R1# mkdir ipsdir
Create directory filename [ipsdir]? <Enter>
Created dir flash:ipsdir
2. CONFIGURE THE IPS SIGNATURE STORAGE LOCATION. On R1, configure the IPS signature storage location to be the directory you just created.
R1(config)# ip ips config location flash:ipsdir
3. CREATE AN IPS RULE. On R1, create an IPS rule name using the ip ips name <name> command in global configuration mode. Name the IPS rule iosips.
R1(config)# ip ips name iosips
4. ENABLE LOGGING. IOS IPS supports the use of syslog to send event notification. Syslog notification is enabled by default. If logging console is enabled, you see IPS syslog messages. Enable syslog if it is not enabled.
R1(config)# ip ips notify log
Use the clock set command from privileged EXEC mode to reset the clock if necessary.
R1# clock set 01:20:00 6 january 2009
Enable the timestamp service if it is not enabled.
R1(config)# service timestamps log datetime msec
Send log messages to the syslog server at IP address 192.168.1.50.
R1(config)# logging host 192.168.1.50
5. CONFIGURE IOS IPS TO USE THE SIGNATURE CATEGORIES. Retire the all signature category with the retired true command (all signatures within the signature release). Unretire the IOS_IPS Basic category with the retired false command.
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Enter>
6. APPLY THE IPS RULE TO AN INTERFACE. Apply the IPS rule to an interface with the ip ips <name> <direction> command in interface configuration mode. Apply the rule outbound on the Fa0/0 interface of R1. After you enable IPS, some log messages will be sent to the console line indicating that the IPS engines are being initialized.
Note: The direction in means that IPS inspects only traffic going into the interface. Similarly, out means only traffic going out the interface.
R1(config)# interface fa0/0
R1(config-if)# ip ips iosips out
7. MODIFY THE SIGNATURE. CHANGE THE EVENT-ACTION OF A SIGNATURE. Un-retire the echo request signature (signature 2004, subsig 0), enable it and change the signature action to alert and drop.
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] <Enter>
8. USE SHOW COMMANDS TO VERIFY IPS. Use the show ip ips all command to see an IPS configuration status summary.
LAYER 2 SECURITY
1. CONFIGURE THE ROOT BRIDGE.
Assign Central as the primary root bridge.
Central(config)# spanning-tree vlan 1 root primary
Assign SW-1 as a secondary root bridge.
SW-1(config)# spanning-tree vlan 1 root secondary
2. PROTECT AGAINST STP ATTACKS.
SW-A(config)# interface range fastethernet 0/1 - 4
SW-A(config-if-range)# spanning-tree portfast
3. ENABLE BPDU GUARD ON ALL ACCESS PORTS. BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports.
SW-A(config)# interface range fastethernet 0/1 - 4
SW-A(config-if-range)# spanning-tree bpduguard enable
4. ENABLE ROOT GUARD ON ALL TRUNK PORTS.
SW-1(config)# interface fa0/24
SW-1(config-if)# spanning-tree guard root
5. ENABLE STORM CONTROL FOR BROADCASTS. Enable storm control for broadcasts on all ports connecting switches (trunk ports). Set a 50 percent rising suppression level using the storm-control broadcast command.
SW-1(config)# interface gi1/1
SW-1(config-if)# storm-control broadcast level 50
6. ENABLE TRUNKING INCLUDING ALL TRUNK SECURITY MECHANISMS ON THE TRUNK LINK. Set the port to trunk, assign native VLAN 15 to the trunk port, and disable auto-negotiation.
SW-1(config)# interface fa0/23
SW-1(config-if)# no shutdown
SW-1(config-if)# switchport mode trunk
SW-1(config-if)# switchport trunk native vlan 15
SW-1(config-if)# switchport nonegotiate     (agreed in class)
CONFIGURE AND VERIFY A SITE-TO-SITE IPSEC VPN USING CLI

ISAKMP Phase 1 parameters:
Parameter                                       | R1        | R3
Key distribution method (Manual or ISAKMP)      | ISAKMP    | ISAKMP
Encryption algorithm (DES, 3DES, or AES)        | AES       | AES
Hash algorithm (MD5 or SHA1)                    | SHA1      | SHA1
Authentication method (Pre-shared keys or RSA)  | pre-share | pre-share
Key exchange (DH Group 1, 2, or 5)              | DH 2      | DH 2
IKE SA lifetime (86400 seconds or less)         | 86400     | 86400
ISAKMP key                                      | vpnpa55   | vpnpa55

IPsec Phase 2 parameters:
Parameter               | R1             | R3
Transform set           | VPN-SET        | VPN-SET
Peer hostname           | R3             | R1
Peer IP address         | 10.2.2.2       | 10.1.1.2
Network to be encrypted | 192.168.1.0/24 | 192.168.3.0/24
Crypto map name         | VPN-MAP        | VPN-MAP
SA establishment        | ipsec-isakmp   | ipsec-isakmp
CONFIGURE IPSEC PARAMETERS ON R1
1. IDENTIFY INTERESTING TRAFFIC ON R1. Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R3 as interesting. Remember that due to the implicit deny all, there is no need to configure a deny any any statement.
R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
2. CONFIGURE THE ISAKMP PHASE 1 PROPERTIES ON R1. Configure the crypto ISAKMP policy 10 properties on R1 along with the shared crypto key vpnpa55. Refer to the ISAKMP Phase 1 table for the specific parameters to configure. Default values do not have to be configured, therefore only the encryption, key exchange method, and DH method must be configured.
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)# crypto isakmp key vpnpa55 address 10.2.2.2
3. CONFIGURE THE ISAKMP PHASE 2 PROPERTIES ON R1. Create the transform-set VPN-SET to use esp-3des and esp-sha-hmac. Then create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map.
R1(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to R3
R1(config-crypto-map)# set peer 10.2.2.2
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit
4. CONFIGURE THE CRYPTO MAP ON THE OUTGOING INTERFACE. Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface.
R1(config)# interface S0/0/0
R1(config-if)# crypto map VPN-MAP

CONFIGURE IPSEC PARAMETERS ON R3
1. CONFIGURE ROUTER R3 TO SUPPORT A SITE-TO-SITE VPN WITH R1. Now configure reciprocating parameters on R3. Configure ACL 110 identifying the traffic from the LAN on R3 to the LAN on R1 as interesting.
R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
2. CONFIGURE THE ISAKMP PHASE 1 PROPERTIES ON R3. Configure the crypto ISAKMP policy 10 properties on R3 along with the shared crypto key vpnpa55.
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# exit
R3(config)# crypto isakmp key vpnpa55 address 10.1.1.2
3. CONFIGURE THE ISAKMP PHASE 2 PROPERTIES ON R3. Like you did on R1, create the transform-set VPN-SET to use esp-3des and esp-sha-hmac. Then create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10 and identify it as an ipsec-isakmp map.
R3(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R3(config)# crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)# description VPN connection to R1
R3(config-crypto-map)# set peer 10.1.1.2
R3(config-crypto-map)# set transform-set VPN-SET
R3(config-crypto-map)# match address 110
R3(config-crypto-map)# exit
4. CONFIGURE THE CRYPTO MAP ON THE OUTGOING INTERFACE. Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface. Note: This is not graded.
R3(config)# interface S0/0/1
R3(config-if)# crypto map VPN-MAP
5. VERIFY THE IPSEC VPN. Verify the tunnel prior to interesting traffic. Issue the show crypto ipsec sa command on R1. Notice that the number of packets encapsulated, encrypted, decapsulated and decrypted are all set to 0.
TEACHER'S ASSIGNMENT
1. Define the zones as indicated in the topology.
zone security DMZ
zone security INSIDE
zone security OUTSIDE

2. Traffic must be permitted so that router R4 can authenticate through RADIUS against the WinRadius server (PC2).
class-map type inspect match-any CM_OUT_TO_IN
 match protocol radius
policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect
zone-pair security ZP_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN

3. Traffic from PC4 to the WEB and FTP servers (PC3) must be permitted.
class-map type inspect match-any CM_OUT_TO_DMZ
 match protocol http
 match protocol ftp
policy-map type inspect PM_OUT_TO_DMZ
 class type inspect CM_OUT_TO_DMZ
  inspect
zone-pair security ZP_OUT_TO_DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM_OUT_TO_DMZ

4. The internal network must also be able to reach the Web server (PC3). FTP is not permitted for this network.
class-map type inspect match-any CM_IN_TO_DMZ
 match protocol http
policy-map type inspect PM_IN_TO_DMZ
 class type inspect CM_IN_TO_DMZ
  inspect
zone-pair security ZP_IN_TO_DMZ source INSIDE destination DMZ
 service-policy type inspect PM_IN_TO_DMZ

5. The ACS server must be able to reach router R4 (loopback) and the 10.40.0/24 network with ping (generating a state table entry for it is not allowed).
access-list 100 permit ip host 10.6.20.10 any
class-map type inspect match-all CM_ACS
 match protocol icmp
 match access-group 100
policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_IN_TO_OUT
  inspect
 class type inspect CM_ACS
  pass
zone-pair security ZP_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT
access-list 101 permit ip any host 10.6.20.10
class-map type inspect match-all CM_ACS_R
 match access-group 101
 match protocol icmp
policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect
 class type inspect CM_ACS_R
  pass
zone-pair security ZP_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN

6. Users on the internal network are allowed to browse the Internet (HTTP and DNS only).
class-map type inspect match-any CM_IN_TO_OUT
 match protocol http
 match protocol dns
policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_IN_TO_OUT
  inspect
 class type inspect CM_ACS
  pass
zone-pair security ZP_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT

7. The FW must have permission to Telnet and SSH to routers R1 and R2 (loopback interfaces), and to send its logs to the syslog server (PC1). Using the firewall's default policies is not permitted.
access-list 102 permit tcp host 10.6.23.3 any eq telnet
access-list 102 permit tcp host 10.6.13.3 any eq telnet
access-list 102 permit tcp host 10.6.13.3 any eq 22
access-list 102 permit tcp host 10.6.23.3 any eq 22
access-list 102 permit tcp host 10.6.13.3 any eq syslog
access-list 102 permit tcp host 10.6.23.3 any eq syslog
class-map type inspect match-any CM_SELF_TO_IN
 match access-group 102
policy-map type inspect PM_SELF_TO_IN
 class type inspect CM_SELF_TO_IN
  inspect
zone-pair security ZP_SELF_TO_IN source self destination INSIDE
 service-policy type inspect PM_SELF_TO_IN

8. PC2 must be able to manage the FW device through CCP (enable whatever is needed to meet this requirement).
access-list 103 permit tcp host 10.6.20.10 host 10.6.23.3 eq www
access-list 103 permit tcp host 10.6.20.10 host 10.6.23.3 eq 443
access-list 103 permit tcp host 10.6.20.10 host 10.6.13.3 eq 443
access-list 103 permit tcp host 10.6.20.10 host 10.6.13.3 eq www
class-map type inspect match-any CM_IN_TO_SELF
 match access-group 103
policy-map type inspect PM_IN_TO_SELF
 class type inspect CM_IN_TO_SELF
  inspect
zone-pair security ZP_IN_TO_SELF source INSIDE destination self
 service-policy type inspect PM_IN_TO_SELF

9. Client PC4 must have sufficient permissions to establish a VPN session to router R1; for this the FW must generate a state table entry for the ESP and AH protocols.
access-list 104 permit ahp host 10.6.40.10 host 10.6.13.1
access-list 104 permit esp host 10.6.40.10 host 10.6.13.1
access-list 104 permit udp host 10.6.40.10 host 10.6.13.1 eq isakmp
class-map type inspect match-any CM_VPN
 match access-group 104
policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect
 class type inspect CM_ACS_R
  pass
 class type inspect CM_VPN
  inspect
zone-pair security ZP_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN

10. All EIGRP sessions must be maintained between the FW and routers R1 and R2, and between the FW and router R4.