Mar 13, 2019, 04:18 AM
---Page 43 Securing Passwords---
Router(config)#service password-encryption
 Encrypt all plaintext passwords to level 7.
Router(config)#security passwords min-length length
 Enforce a minimum password length for all new passwords. Existing passwords are not affected.
Router(config)#enable algorithm-type {md5,sha256,scrypt} secret password
 Encrypt the privileged EXEC mode password using either type 8 (sha256) or type 9 (scrypt) passwords.


---Page 43 Securing the Console Line and Disabling the Aux Line---
Router(config)#username name algorithm-type {md5,sha256,scrypt} secret password
 Create a local user entry and encrypt the password using type 8 or type 9 passwords.
Router(config)#line console 0
 Enter line configuration mode for the console.
Router(config-line)#login local
 Authenticate using the local database.
Router(config-line)#exec-timeout minutes seconds
 Set the inactivity timer interval. Default is 10 minutes.
Router(config-line)#line aux 0
 Enter line configuration mode for the aux port.
Router(config-line)#no exec
 Disable the aux port.


---Page 44 Configure SSH access---
Router(config)#hostname name
 A hostname other than Router must be configured.
Router(config)#username name algorithm-type {md5,sha256,scrypt} secret password
 Create a local user entry and encrypt the password.
Router(config)#ip domain name name
 Configure a domain name. Required to implement SSH. The hyphenated command ip domain-name is also accepted.
Router(config)#crypto key generate rsa general-keys modulus modulus
 Generate the general-usage RSA keys that SSH requires. Required to implement SSH.
Router(config)#ip ssh version {1,2}
 Specify the version of SSH to enable. Default is both 1 and 2, which can be reactivated with no ip ssh version. SSHv2 is preferred.
Router(config)#ip ssh time-out seconds
 The number of seconds to wait for the SSH client to respond during the negotiation phase. Default is 120 seconds.
Router(config)#ip ssh authentication-retries integer
 Limit the number of login attempts. Default is 3.
Router(config)#login block-for seconds attempts tries within seconds
 Configure enhanced vty login: block logins for a period after the given number of failed attempts within a time window.
Router(config)#line vty 0 4
 Enter line vty mode.
Router(config-line)#login local
 Authenticate using the local database. This is only available if AAA is not enabled.
Router(config-line)#transport input ssh
 Only allow incoming SSH sessions.
Router(config-line)#access-class ACL-number
 Apply an access control list (ACL) to specify who can access the vty line.


---Page 46 Securing configuration and IOS files---
R1(config)#secure boot-image
 Secure the IOS image by hiding it in flash. It can be seen only when in ROMMON mode.
R1(config)#secure boot-config
 Take a snapshot of the router running configuration and securely archive it in flash. It can be seen only when in ROMMON mode.
R1#show secure bootset
 Display the status of Cisco IOS image and configuration resilience. This step is important to verify that the Cisco IOS image and configuration have been properly backed up and secured. Shows the location and filename.


---Page 46 Restoring configuration and IOS files---
Router#reload
 Reload the router.
rommon 1 >dir flash:
 Enter ROMMON and display the bootset files.
rommon 2 >boot c1900-universalk9-mz.SPA.154-3.M2.bin
 Boot the router using the listed image.
Router(config)#secure boot-config restore flash01.runcfg-20151025-180642.ar
 Restore the archived secure configuration found in flash to the specified file.


---Page 47 Implementing role based access control---
Router(config)#privilege mode {level level command, reset command}
 Assign commands to a custom privilege level between level 2 and 14. There are 16 levels. Level 0 is entry level, level 1 is user EXEC, and level 15 is privileged EXEC. Levels 2-14 are customizable.
Router(config)#enable algorithm-type {md5,sha256,scrypt} secret level level password
 Assign a password to the custom privilege level.
Router>enable level
 Enter a custom privilege level.
Router#show privilege
 Verify the privilege level.


---Page 49 Configuring RBAC---
Router(config)#aaa new-model
 Enable AAA.
Router#enable view
 Enter root view. Required to configure and alter views. Use the enable password when prompted. An enable secret must be configured.
Router(config)#parser view viewname
 Create a view in global configuration mode. There is a maximum limit of 15 views in total, excluding the root view.
Router(config-view)#secret password
 Assign a password to the view. This is a required step. scrypt and algorithm-type are not supported.
Router(config-view)#commands parsermode {include,include-exclusive,exclude} {all} {interface interfacename, command}
 Assign commands to the current view. Views contain commands.
Router#enable view viewname
 Enter and verify a view.


---Page 50 Configuring a superview---
Router(config)#parser view viewname superview
 Create a superview in global configuration mode. A superview can only contain other views. A superview cannot contain commands.
Router(config-view)#secret password
 Assign a password to the view. This is a required step.
Router(config-view)#view viewname
 Assign an existing view to the superview. Multiple views can be assigned to a superview.


---Page 51 Configure NTP Master Clock and Client---
Router(config)#ntp master stratum
 Configure the router to be the NTP master. The stratum number is optional and is the number of hops away from an authoritative time source, such as an atomic clock.
Router(config)#ntp authenticate
 Enable NTP authentication.
Router(config)#ntp authentication-key keynumber md5 keyvalue
 Define the NTP key and password and encrypt it using MD5.
Router(config)#ntp trusted-key keynumber
 Identify the trusted key on the master. To synchronize, an NTP client must provide the correct trusted key and password.

Client(config)#ntp server ntpserveraddress
 Point the client at the master clock to which it will synchronize.
Client(config)#ntp authentication-key keynumber md5 keyvalue
 Define the NTP key and password and encrypt it using MD5.
Client(config)#ntp trusted-key keynumber
 Identify the trusted key configured on the master.


---Page 54 Configuring Syslog---
Router(config)#service timestamps {debug,log} {uptime,datetime [msec]} [localtime] [show-timezone] [year]
 Enable time stamps on debug and logging messages.
Router(config)#logging host {ipaddress,hostname}
 Identify the syslog server address or hostname.
Router(config)#logging trap level
 Limit messages sent to the syslog servers based on severity. Default is levels 0-6.
Router(config)#logging source-interface interfacetype interfacenumber
 Specify that syslog packets contain the IP address of a specific interface, regardless of which interface the packet uses to exit the router.
Router(config)#logging on
 On by default; sends messages to the buffer, vty lines, and syslog server.


---Page 58 Configure local AAA authentication---
Router(config)#username name algorithm-type {md5,sha256,scrypt} secret password
 Add a username and password to the local security database.
Router(config)#aaa new-model
 Enable AAA.
Router(config)#aaa authentication login {default, listname} {method1, method2...}
 Define the login authentication method to use for console, vty, and aux lines. If a list name is defined, the login authentication list-name command must be applied to the line. Maximum of four methods.
Router(config)#aaa authentication username-prompt textstring
 Replace the default username prompt. If the string contains spaces it must be enclosed in double quotes.
Router(config)#aaa authentication password-prompt textstring
 Replace the default password prompt. If the string contains spaces it must be enclosed in double quotes.
Router(config)#aaa local authentication attempts max-fail number
 Secure AAA user accounts by locking out accounts that have exceeded the specified maximum number of failed attempts. The account stays locked until cleared by an admin with the clear aaa local user lockout {username username, all} command.


---Page 61 Configure server-based AAA authentication---
Router(config)#tacacs server servername
 Enter TACACS+ server configuration mode.
Router(config-server-tacacs)#address ipv4 ip-address
 Identify the IP address of the server.
Router(config-server-tacacs)#single-connection
 Enhance TCP performance by maintaining the TCP connection for the life of the session. The command makes the TCP session more efficient.
Router(config-server-tacacs)#key secretkey
 Configure the shared secret key used to encrypt the data transfer between the TACACS+ server and the AAA-enabled router.

Router(config)#radius server servername
 Enter RADIUS server configuration mode.
Router(config-radius-server)#address ipv4 ipaddress {auth-port port#, acct-port port#}
 Identify the IP address of the server and specify a RADIUS host. Port numbers and key are optional. Default auth port is 1645 and acct port is 1646.
Router(config-radius-server)#key secretkey
 Configure the shared secret key used to encrypt the data transfer between the RADIUS server and the AAA-enabled router.
Router(config)#aaa authentication login {default, listname} {method1, method2}
 Define the default login authentication method to use when accessing lines. Server-based method choices include group radius, group tacacs+, and group groupname. You should add local as a fallback.


---Page 64 Configure AAA authorization---
Router(config)#aaa authorization {exec, network, commands level} {default, listname} {method1, method2}
 Define the authorization policy to use when accessing lines: exec is used to authorize whether the user can run an EXEC shell. network is used to authorize network-related service requests such as PPP. commands is used to implement authorization for all commands at a specific privilege level.


---Page 65 Configure AAA accounting---
Router(config)#aaa accounting {system, network, exec, commands level} {default, listname} {start-stop, wait-start, stop-only, none} {method1, method2}
 Define the accounting method to use for a specific service. It keeps track of requested services for billing or security purposes.


---Page 65 Configure 802.1X port based authentication---
Switch(config)#aaa new-model
 Enable AAA.
Switch(config)#radius server server-name
 Enter RADIUS server configuration mode.
Switch(config-radius-server)#address ipv4 ip-address {auth-port port#, acct-port port#}
 Identify the IP address of the server and specify a RADIUS host. Default port numbers are 1645 and 1646.
Switch(config-radius-server)#key secret-key
 Configure the shared secret key used to encrypt the data transfer between the RADIUS server and the AAA-enabled switch.
Switch(config)#aaa authentication dot1x {default, listname} group radius
 Create an 802.1X port-based authentication method list.
Switch(config)#dot1x system-auth-control
 Globally enable 802.1X port-based authentication.
Switch(config-if)#switchport mode access
 Configure the port as an access port.
Switch(config-if)#authentication port-control auto
 Enable 802.1X port-based authentication on the port. The port begins in the unauthorized state, allowing only EAPOL frames to be sent and received. When the port transitions to up or an EAPOL-start frame is received, the switch requests the identity of the client and begins relaying authentication messages to the authentication server.
Switch(config-if)#dot1x pae authenticator
 Set the port to be a Port Access Entity (PAE) authenticator. This makes the interface act only as an authenticator and not respond to any messages meant for a supplicant.


---Page 72 Configure port security on a switch---
Switch(config-if)#switchport mode access
 A required step; this sets the interface to access mode. A port cannot be secured while in the default dynamic auto mode.
Switch(config-if)#switchport port-security
 Enable port security and assign the current MAC address to the port. Port-security defaults: 1 MAC address can be assigned, and the violation action is shutdown.
Switch(config-if)#switchport port-security maximum value
 Set the maximum number of secure MAC addresses for the interface. Default is one but the maximum is 132. Some switches connecting Cisco IP phones require 3 MAC addresses, others 2.
Switch(config-if)#switchport port-security violation {protect, restrict, shutdown, shutdown vlan}
 Configure the port action when the number of MAC addresses exceeds the defined maximum. Default is shutdown.
Switch(config-if)#switchport port-security mac-address macaddress
 Manually assign the MAC addresses connecting to the port. Repeat for each secure MAC address.
Switch(config-if)#switchport port-security mac-address sticky
 Enable the switch to dynamically learn the connected MAC addresses until the maximum is reached. Learned addresses are added to the running configuration.
Switch(config)#errdisable recovery cause psecure-violation
 Enable automatic recovery of a port error-disabled by a port-security violation. Default is 300 seconds.
Switch(config)#errdisable recovery interval seconds
 Specify how long a port will remain disabled before it is re-enabled.
Switch(config-if)#switchport port-security aging {static, time minutes, type {absolute, inactivity}}
 Remove secure MAC addresses on a secure port without manually deleting the existing addresses in the startup-config. absolute (the default) removes the address after the time expires. inactivity removes the address only if it has been inactive for the time period.


---Page 77 Mitigate VLAN attacks---
On trunk links:
Switch(config-if)#switchport mode trunk
 Explicitly enable trunking on the link.
Switch(config-if)#switchport nonegotiate
 Disable DTP and prevent DTP frames from being generated.
Switch(config-if)#switchport trunk native vlan vlan
 Change the native VLAN to a dedicated VLAN with no other traffic on it.

On the nontrunk links, disable trunking:
Switch(config-if)#switchport mode access
 Configure the port as an access port. This also disables trunking on the interface.

Assign all unused ports to a dedicated unused VLAN and disable the ports:
Switch(config-if)#switchport mode access
 Configure the port as an access port. This also disables trunking on the interface.
Switch(config-if)#switchport access vlan vlan
 Assign the port to an unused VLAN.
Switch(config-if)#shutdown
 Disable the port.


---Page 79 Configure DHCP snooping---
Switch(config)#ip dhcp snooping
 Globally enable DHCP snooping.
Switch(config-if)#ip dhcp snooping trust
 Identify trusted ports.
Switch(config-if)#ip dhcp snooping limit rate rate
 On untrusted ports, limit the number of DHCP messages an interface can receive per second. Range is 1 to 2048.
Switch(config)#ip dhcp snooping vlan vlannumber [vlannumber]
 Enable DHCP snooping for specific VLANs.


---Page 81 Mitigating ARP attacks with DAI---
Switch(config)#ip dhcp snooping
 Globally enable DHCP snooping. This allows DAI to determine the validity of an ARP packet based on the MAC-to-IP address bindings in the DHCP snooping database.
Switch(config-if)#ip dhcp snooping trust
 Identify trusted DHCP ports.
Switch(config-if)#ip arp inspection trust
 Identify trusted ARP ports.
Switch(config)#ip arp inspection vlan vlanrange
 Enable DAI on a per-VLAN basis.
Switch(config)#ip dhcp snooping vlan vlannumber
 Enable DHCP snooping for specific VLANs.
S1(config)#ip arp inspection validate {src-mac, dst-mac, ip}
 Enable DAI to perform additional validation based on the source MAC, destination MAC, or IP address.


---Page 83 Mitigate Address Spoofing attacks---
Switch(config)#ip dhcp snooping
 Globally enable DHCP snooping.
Switch(config-if)#ip verify source [port-security]
 Enable IP Source Guard with IP address filtering. Use the port-security keyword to enable IP Source Guard with IP and MAC address filtering.


---Page 84 Configure STP enhancement on a switch---
Switch(config)#spanning-tree portfast default
 Globally enable the PortFast feature on all access ports.
Switch(config-if)#spanning-tree portfast
 Enable PortFast on the specified port.
Switch(config)#spanning-tree portfast bpduguard default
 Globally enable BPDU guard on all PortFast-enabled ports.
Switch(config-if)#spanning-tree bpduguard enable
 Enable BPDU guard on the specified port.
Switch(config-if)#spanning-tree guard root
 Enable root guard on the specified port.
Switch(config)#errdisable recovery cause bpduguard
 Enable the timer to recover from the BPDU guard error-disabled state.
Switch(config)#spanning-tree loopguard default
 Globally enable loop guard on all point-to-point links.
Switch(config-if)#spanning-tree guard loop
 Enable loop guard on the specified port.


---Page 87 Configure storm control on a switch---
Switch(config-if)#storm-control {broadcast, multicast, unicast} level {level [levellow], bps bps [bpslow], pps pps [ppslow]}
Switch(config-if)#storm-control action {shutdown, trap}
 Enable storm control on layer 2 ports and EtherChannels to monitor the rate of received traffic. Broadcast, multicast, and unicast traffic can be monitored.
 level specifies the rising and falling suppression levels as a percentage. level bps specifies the rising and falling levels in bits per second. level pps specifies the rising and falling levels in packets per second.
 The action can either shut down the port or send an SNMP trap.


---Page 110 Configure IP ACLs---
Numbered Extended ACL
Router(config)#access-list accesslistnumber {permit, deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
 Define an extended ACL. Valid numbers are 100-199 and 2000-2699.
 Use the log keyword with caution, as it could negatively affect the performance of the device.
Router(config)#interface type number
 Specify the interface type and number and enter interface configuration mode.
Router(config-if)#ip access-group accesslistnumber {in, out}
 Apply the specified extended access list to the interface.

Named Extended ACLs
Router(config)#ip access-list extended {accesslistnumber, accesslistname}
 Define a named ACL. The command can also be used to edit a numbered ACL.
Router(config-ext-nacl)#permit protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
 Define the permit statement.
Router(config-ext-nacl)#deny protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [log]
 Define the deny statement.
Router(config)#interface type number
 Specify the interface type and number and enter interface configuration mode.
Router(config-if)#ip access-group accesslistname {in, out}
 Apply the specified ACL to the interface.


---Page 117 Configure IP ACLs with object groups---
Network Object Group
Router(config)#object-group network networkgroupid
 Create a network object group.
Router(config-network-group)#{description descriptiontext, host {hostaddress, hostname}, network-address {/nn, networkmask}, range hostaddress1 hostaddress2, any, group-object nestedobjectgroupname}
 From network object configuration mode, define the specifics of the network object.
Command breakdown
Router(config-network-group)#description descriptiontext
 Add a description of up to 200 characters.
Router(config-network-group)#host {hostaddress, hostname}
 Identify a host IP address or the name of the host.
Router(config-network-group)#network-address {/nn, networkmask}
 Identify a subnet object. The default network mask is /32.
Router(config-network-group)#range hostaddress1 hostaddress2
 Identify a range of host IP addresses.
Router(config-network-group)#any
 Identify any host IP address in the range 0.0.0.0-255.255.255.255.
Router(config-network-group)#group-object nestedobjectgroupname
 Specify a nested object group to be included in the current parent object group.

Service Object Group
Router(config)#object-group service servicegroupid
 Create a service object group.
Router(config-service-group)#{description descriptiontext, protocol, {tcp, udp, tcp-udp} [source {{eq, lt, gt} port1, range port1 port2}] [{eq, lt, gt} port1, range port1 port2], icmp icmptype, group-object nestedobjectgroupname}
 From service object configuration mode, define the specifics of the service object.
Command breakdown
Router(config-service-group)#description descriptiontext
 Add a description of up to 200 characters.
Router(config-service-group)#protocol {protocolnumber, protocol}
 Identify an IP protocol number or name.
Router(config-service-group)#{tcp, udp, tcp-udp} [source {{eq, lt, gt} port1, range port1 port2}] [{eq, lt, gt} port1, range port1 port2]
 Specify parameters for TCP, UDP, or both.
Router(config-service-group)#icmp icmptype
 Specify the decimal number or name of an ICMP type.
Router(config-service-group)#group-object nestedobjectgroupname
 Specify a nested object group to be included in the current object group.


---Page 119 Using Object Groups in Extended ACLs---
Router(config)#ip access-list extended {accesslistnumber, accesslistname}
 Define a named ACL. The command can also be used to edit a numbered ACL.
Router(config-ext-nacl)#permit {protocol, object-group serviceobjectgroupname} [object-group sourcenetworkobjectgroupname] [object-group destinationnetworkobjectgroupname]
 Define the permit statement.
Router(config-ext-nacl)#deny {protocol, object-group serviceobjectgroupname} [object-group sourcenetworkobjectgroupname] [object-group destinationnetworkobjectgroupname]
 Define the deny statement.


---Page 121 Configure IPv6 ACLs---
Router(config)#ipv6 access-list accesslistname
 Define an IPv6 ACL and enter IPv6 access list configuration mode. IPv6 ACL names cannot contain a space or quotation mark, or begin with a numeral.
Router(config-ipv6-acl)#permit protocol {sourceipv6prefix/nn, any, host sourceipv6address, auth} [operator portnumber] {destinationipv6prefix/nn, any, host destinationipv6address, auth} [operator portnumber] [dest-option-type {dohnumber, dohtype}] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type {mhnumber, mhtype}] [reflect name [timeout value]] [routing] [routing-type routingnumber] [sequence value] [time-range name]
 Specify the permit condition for an IPv6 ACL.
Router(config-ipv6-acl)#deny protocol {sourceipv6prefix/nn, any, host sourceipv6address, auth} [operator portnumber] {destinationipv6prefix/nn, any, host destinationipv6address, auth} [operator portnumber] [dest-option-type {dohnumber, dohtype}] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type {mhnumber, mhtype}] [routing] [routing-type routingnumber] [sequence value] [time-range name] [undetermined-transport]
 Specify the deny condition for an IPv6 ACL.
Router(config)#interface type number
 Specify the interface type and number and enter interface configuration mode.
Router(config-if)#ipv6 traffic-filter accesslistname {in, out}
 Apply the specified IPv6 access list to the interface.
Router(config)#line vty 0 4
 Enter line vty mode.
Router(config-line)#ipv6 access-class accesslistname {in, out}
 Apply the specified IPv6 access list to the vty lines.


---Page 131 Configure an IOS zone based firewall---
1.) Create the security zones
 Router(config)#zone security zonename
 Create a security zone.
2.) Create a layer 3/4 class map and match traffic.
 Router(config)#class-map type inspect {match-any, match-all} classmapname
 Create a layer 3 and layer 4 inspect type class map.
 Router(config-cmap)#match access-group {accessgroup, name accessgroupname}
 Configure the match criteria on the basis of a numbered or named access group.
 Router(config-cmap)#match protocol protocol
 Configure the match criteria on the basis of a specified protocol.
 Router(config-cmap)#match service {any, text-chat}
 Configure the match criteria for any supported instant messenger protocol.
 Router(config-cmap)#match class-map classmapname
 Nest traffic classes within one another.
Optionally, create a layer 7 inspect type class map
 Router(config)#class-map type inspect protocolname {match-any, match-all} classmapname
 Create a layer 7 (application-specific) inspect type class map.
 Router(config-cmap)#match protocolparameters
 Varies depending on the protocol parameters.
3.) Configure an action using a policy map
 Router(config)#policy-map type inspect policymapname
 Create a layer 3 and layer 4 inspect type policy map.
 Router(config-pmap)#class type inspect classmapname
 Identify the class map. You can also configure class class-default.
 Router(config-pmap-c)#{drop, inspect, pass}
 Assign an action. drop denies the traffic matching the class. inspect permits and statefully tracks the sessions of the traffic class. pass statelessly permits packets between zones.
4.) Identify zone pairs and assign a service policy
 Router(config)#zone-pair security zonepairname source {sourcezonename, self, default} destination {destinationzonename, self, default}
 Create a zone pair that permits a unidirectional firewall policy between a pair of zones. self specifies the system-defined zone and indicates whether traffic will be going to or from the router itself.
 default specifies the name of the default security zone. Interfaces without configured zones belong to the default zone.
 Router(config-sec-zone-pair)#service-policy type inspect policymapname
 Attach the inspect type policy map to the zone pair.
5.) Assign interfaces to zones
 Router(config)#interface type number
 Specify the interface type and number.
 Router(config-if)#zone-member security zonename
 Attach the interface to the specified zone.


---Page 142 Configure IOS IPS---
1.) Create an IOS IPS directory in flash
 Router#mkdir flash:dir-name
 Create a directory in flash. Other locations can be specified.
2.) Copy the Cisco IOS IPS signature package to flash using one of the following methods:
 Router#copy ftp://
 Router#copy tftp://
 Router#copy usbflash0:/
3.) Create the RSA crypto key
 Open the realm.cisco.pub.key.txt file and select the entire contents.
 Copy the text and paste it into global configuration mode.
 Router#show running-config | section crypto key pubkey-chain rsa
 Verify the configuration.


---Page 144 Creating an IOS IPS rule and specifying the IPS signature location---
Router(config)#ip ips name ipsname [list acl]
 Create an IPS rule name.
 list acl is optional and specifies an extended or standard ACL to filter the traffic that will be scanned. All traffic that is permitted by the ACL is subject to inspection by the IPS. Traffic that is denied by the ACL is not inspected by the IPS.
Router(config)#ip ips config location flash:dirname
 Specify the IPS signature file location.
 The IPS signature file location is used to restore the IPS configuration in cases such as router reboots or IPS becoming disabled or re-enabled.
 Files such as signature definitions, signature type definitions, and signature category information are written in XML format, compressed, and saved to the specified IPS location.
Enable SDEE and logging event notification:
Router(config)#ip http server
 Enable the HTTP server (required).
Router(config)#ip ips notify sdee
 Enable IPS SDEE event notification.
Router(config)#ip ips notify log
 Enable logging.


---Page 144 Tuning Signatures per Category---
Router(config)#ip ips signature-category
 Enter IPS category configuration mode to tune Cisco IOS IPS signature parameters on the basis of a signature category.
Router(config-ips-category)#category {all, ios_ips {basic, advanced}}
 Specify the signature category to change, and enter IPS category action mode.
 Many other categories and subcategories exist: attack, dos, ddos, email, p2p.
 IOS IPS processes category commands in the order listed in the configuration.
Router(config-ips-category-action)#retired {false, true}
 Specify whether a signature or category definition should be saved in router memory.
 false unretires all signatures within a given category.
 true retires all signatures within a given category.
Router(config-ips-category-action)#event-action action
 Change router actions for a specified signature category.
 Actions include: deny-attack-inline, deny-connection-inline, deny-packet-inline, produce-alert, reset-tcp-connection.
Router(config-ips-category-action)#alert-severity {high, medium, low, informational}
 Change the alert severity rating for a given signature or category. To return to the default action, use the no alert-severity command.
Router(config-ips-category-action)#fidelity-rating rating
 Change the signature fidelity rating for a given signature category.
Router(config-ips-category-action)#exit
 Return to IPS category mode.
Router(config-ips-category)#exit
 After signature-based changes are complete you are prompted to confirm whether the changes are acceptable.
 Confirming the changes instructs IOS IPS to compile the changes for the signature, modify memory structures to reflect the change, and save the changes to the specified IPS location.
Router(config-if)#ip ips ipsname {in, out}
 Apply the IPS rule to an interface. The router loads the signatures and builds the signature engines when IPS is applied to the first interface.

491 ---Page Configuring IOS site to site VPN---
4921.)Create an IKE policy
493 Router(config)#crypto isakmp policy priority
494 Define an IKE policy to specify the parameters to be used during an IKE negotiation to create the IKE SA.
 priority uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.
2.) Configure the IKE policy phase 1 parameters
Router(config-isakmp)#hash {md5,sha,sha256,sha384,sha512}
 Set the hashing algorithm for the IKE policy.
Router(config-isakmp)#authentication {pre-share,rsa-encr,rsa-sig}
 Set the authentication method for the IKE policy.
Router(config-isakmp)#group {1-24}
 Set the DH group to use for the IKE policy.
Router(config-isakmp)#lifetime seconds
 Configure the maximum time an IKE SA can exist before it expires. From 60 to 86400 seconds (1 minute to 24 hours).
Router(config-isakmp)#encryption {des,3des,aes aes-bit}
 Set the encryption algorithm for the IKE policy.
3.) Specify the PSK and identify the peer address or hostname
Router(config)#crypto isakmp key presharedkey {address address,hostname hostname}
 Set the PSK for the remote peer and identify the peer by IP address or hostname. DNS must be enabled.
4.) Create the IPsec policy required for Phase 2
Router(config)#crypto ipsec transform-set transformname transform1 [transform2] [transform3] [transform4]
 Define the IPsec transform set and settings. A transform set specifies one or two IPsec security protocols, either AH or ESP or both. It also specifies which algorithms to use with the selected security protocol.
 You may specify up to four transforms.
5.) Create the crypto map
Router(config)#crypto map mapname sequencenumber ipsec-isakmp
 Define the site-to-site IPsec VPN crypto map settings and enter crypto map configuration mode.
6.) Configure crypto map specifics
Router(config-crypto-map)#description description
 Add a description to the crypto map.
Router(config-crypto-map)#set peer peerid
 Specify an IPsec peer. You can identify multiple peers using commas.
Router(config-crypto-map)#set transform-set transformname1 [transformname2]... [transformname6]
 Specify which transform sets can be used with the crypto map entry. Up to six transform sets in one command.
Router(config-crypto-map)#match address cryptoacl
 Assign an extended access list to a crypto map entry. IPsec uses it to determine which traffic should be protected by crypto and which should not. Traffic that is permitted will be protected.
Router(config-crypto-map)#set security-association lifetime {days days,kilobytes bytes,seconds seconds}
 Identify how long the IPsec SA will remain in effect before having to renegotiate.
Router(config-crypto-map)#set pfs [group1-group24]
 Identify the DH group to use for perfect forward secrecy.
7.) Apply the crypto map to an interface
Router(config)#interface type number
 Specify the interface type and number.
Router(config-if)#crypto map cryptomapname
 Apply a previously defined crypto map set to an interface.
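The seven steps above carried through on one router (R1) as an added example; it is not part of the original reference. The interface name, all addresses (documentation ranges) and the PSK placeholder are assumed, and the peer runs the mirror-image configuration.

```cisco
! Added example (not from the original reference): the R1 side of a
! site-to-site IPsec VPN built from the seven steps above.
! Assumed: WAN interface GigabitEthernet0/0 203.0.113.1, peer WAN 198.51.100.1,
! local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24 (constructed addresses).
!
! 1-2.) IKE phase 1 policy, priority 10, strong choices from the tables above
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
!
! 3.) PSK bound to the peer address (replace the placeholder with a long random key)
crypto isakmp key REPLACE_WITH_STRONG_PSK address 198.51.100.1
!
! 4.) Phase 2 transform set: ESP with AES-256 encryption and SHA-256 integrity
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
!
! Crypto ACL: only LAN-to-LAN traffic is protected (permit = encrypt)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! 5-6.) Crypto map entry 10, negotiated by ISAKMP, with PFS
crypto map VPN-MAP 10 ipsec-isakmp
 description Tunnel to branch office
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA256
 set pfs group14
 set security-association lifetime seconds 3600
 match address VPN-TRAFFIC
!
! 7.) Apply the crypto map to the WAN interface
interface GigabitEthernet0/0
 crypto map VPN-MAP
!
! The peer mirrors this with the local/remote LANs and peer address swapped.
! Verify: show crypto isakmp sa (phase 1, state QM_IDLE when established)
!         show crypto ipsec sa  (phase 2 encaps/decaps counters)
```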


 ---Page 206 Configure basic settings on an ASA 5505---
IOS Router Command                  ASA command
enable secret                       enable password
line vty 0 4, password, login       passwd
ip route                            route outside
show ip interfaces brief            show interfaces ip brief
show ip route                       show route
show vlan                           show switch vlan
show ip nat translations            show xlate
copy running-config startup-config  write [memory]
erase startup-config                write erase


 ---Page 208 Configure interfaces on an ASA 5505---
 Configuring the Inside and Outside SVIs
ciscoasa(config)#interface vlan vlanid
 Create an SVI and enter interface configuration mode.
ciscoasa(config-if)#nameif {inside,outside,name}
 Assign a name to the SVI interface.
ciscoasa(config-if)#security-level level
 Assign or change the SVI security level. All SVIs must have a value; inside and outside are automatically assigned.
ciscoasa(config-if)#ip address ipaddress subnetmask
 Assign an IP address and mask to the SVI.

 Assigning Layer 2 Ports to VLANs
ciscoasa(config)#interface int/number
 Specify a layer 2 physical port.
ciscoasa(config-if)#switchport access vlan vlanid
 Change the VLAN assignment of the port from the default of VLAN 1.
ciscoasa(config-if)#no shutdown
 Enable the physical port.

 Configuring a Third SVI
ciscoasa(config)#interface vlan vlanid
 Create the third SVI and enter interface configuration mode.
ciscoasa(config-if)#no forward interface vlan vlanid
 Prevent this SVI from initiating contact with the specified VLAN. You must configure this command before the interface is named.


 ---Page 210 Configure the management plane on an ASA 5505---
 Enabling Telnet Access
ciscoasa(config)#passwd password
 Configure the telnet/SSH password.
ciscoasa(config)#telnet ipaddress subnetmask interfacename
 Identify which inside hosts can telnet to which ASA interface.
ciscoasa(config)#telnet timeout minutes
 Alter the default timeout of 5 minutes.
ciscoasa(config)#username name password password
 Create a local database entry.
ciscoasa(config)#aaa authentication telnet console LOCAL
 Configure telnet to refer to the local database for authentication.

 Enabling SSH Access
ciscoasa(config)#username name password password
 Create a local database entry.
ciscoasa(config)#aaa authentication ssh console LOCAL
 Configure SSH to refer to the local database for authentication.
ciscoasa(config)#crypto key generate rsa modulus modulus
 Generate the RSA key required for SSH encryption. Valid modulus values include 512, 768, 1024 and 2048.
ciscoasa(config)#ssh ipaddress subnetmask interfacename
 Identify which inside hosts can SSH to which ASA interface.
ciscoasa(config)#ssh version {1,2}
 Enable SSH version 1 or 2.
ciscoasa(config)#ssh timeout minutes
 Alter the default priv EXEC timeout of 5 minutes.

 Enable HTTPS Services on the ASA
ciscoasa(config)#http server enable
 Enable the ASA HTTP server.
ciscoasa(config)#http ipaddress networkmask interfacename
 Identify the host or hosts that can access the ASA HTTP server using ASDM.

 Configuring Time Services
ciscoasa(config)#clock set hh:mm:ss month day year
 Manually set the clock via the CLI.
 OR
ciscoasa(config)#ntp server ipaddress [key keynumber]
 Identify the NTP server address.
ciscoasa(config)#ntp authentication-key keynumber md5 password
 Configure the NTP key number and password.
ciscoasa(config)#ntp trusted-key keynumber
 Identify the trusted key.
ciscoasa(config)#ntp authenticate
 Enable NTP authentication.
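The management-plane commands above combined into one hardened ASA 5505 configuration, as an added example that is not part of the original reference: SSH version 2 from a single admin host, ASDM restricted to the same host, authenticated NTP, and no telnet statement at all so the cleartext path stays closed. Hostname, domain, addresses and the key placeholders are assumed.

```cisco
! Added example (not from the original reference): management-plane
! hardening on an ASA 5505. Names, addresses and keys are constructed.
! Assumed: inside SVI is 192.168.1.1/24, admin host 192.168.1.10,
! NTP server 192.168.1.5.
hostname ASA-BRANCH
domain-name example.com
!
! Local admin account used for SSH, ASDM and enable authentication
username admin password REPLACE_WITH_STRONG_PASSWORD privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
!
! SSH: 2048-bit key, version 2 only, one admin host, short idle timeout
crypto key generate rsa modulus 2048
ssh 192.168.1.10 255.255.255.255 inside
ssh version 2
ssh timeout 5
!
! ASDM over HTTPS, limited to the same admin host on the inside interface
http server enable
http 192.168.1.10 255.255.255.255 inside
!
! Telnet is cleartext: with no "telnet ... inside" statement, no host may telnet in
!
! Authenticated NTP so log timestamps can be trusted
ntp authentication-key 1 md5 REPLACE_WITH_NTP_KEY
ntp trusted-key 1
ntp authenticate
ntp server 192.168.1.5 key 1
!
! Verify: show ssh         (allowed hosts, version, timeout)
!         show ntp status  (synchronized to the configured server)
```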


 ---Page 212 Configure the control plane on an ASA 5505---
 Configuring a Default Route
ciscoasa(config)#route interfacename 0.0.0.0 0.0.0.0 nexthopipaddress
 Create a default static route.


 ---Page 230 Configure DHCP settings on an ASA 5505---
 DHCP Client
ciscoasa(config-if)#ip address dhcp [setroute]
 Request an IP address from the upstream device.
 The setroute keyword automatically installs a default route to the upstream device.
 DHCP Server Services
ciscoasa(config)#dhcpd address startofpool-endofpool inside
 Define the pool of IP addresses and assign the pool to inside users.
 The start-of-pool and end-of-pool IP addresses are separated by a required hyphen.
ciscoasa(config)#dhcpd enable interfacename
 Enable the DHCP server service (daemon) on the specified interface of the ASA.
 The inside interface is usually configured to provide DHCP services by using the dhcpd enable inside command.
 Manual DHCP Options
ciscoasa(config)#dhcpd domain domainname
 Configure the DNS domain name.
ciscoasa(config)#dhcpd dns dnsipaddress
 Configure the DNS server address.
ciscoasa(config)#dhcpd wins winsipaddress
 Configure a WINS server address.
ciscoasa(config)#dhcpd lease seconds
 Configure the lease time in seconds. The default is 3600 seconds.
ciscoasa(config)#dhcpd option value
 Configure the DHCP option code. Option code is in the range 0-255.


 ---Page 235 Configure objects and object groups on an ASA 5505---
 Create or edit a network object (contains a single IP address/mask pair, specified as a host, a subnet or a range of addresses)
ciscoasa(config)#object network objectname
 Create or edit a network object and enter network object config mode.
ciscoasa(config-network-object)#{host ipaddress,subnet networkaddress netmask,range ipaddress1 ipaddress2}
 Assign the IP address to the named object. You can configure a host address, a subnet, or a range of addresses.
 Create or edit a service object (contains a protocol and optional source and/or destination port)
ciscoasa(config)#object service objectname
 Create or edit a service object and enter service object configuration mode.
ciscoasa(config-service-object)#service {protocol,icmp icmptype,icmp6 icmp6type,{tcp,udp} [source operator port] [destination operator port]}
 Specify an IP protocol name or number.
 You can optionally configure specific source or destination ports.
 Create a network object group
ciscoasa(config)#object-group network groupname
 Create or edit a network object group and enter network object group config mode.
ciscoasa(config-network-object-group)#network-object host ipaddress
 Add a host IP address to the named object group.
ciscoasa(config-network-object-group)#group-object groupname
 Nest an existing object group inside the named object group. This allows for logical grouping of the same type of objects and construction of hierarchical object groups for structured configuration.
 Create a protocol object group (combines IP protocols into one object)
ciscoasa(config)#object-group protocol groupname
 Create or edit a protocol object group and enter protocol object group config mode.
ciscoasa(config-protocol-object-group)#protocol-object protocol
 Define the protocols in the group. The protocol parameter is the IP protocol numeric identifier or a keyword identifier.
ciscoasa(config-protocol-object-group)#group-object groupname
 Nest an existing object group inside the named object group.


 ---Page 243 Configure ACLs on an ASA 5505---
ciscoasa(config)#access-list id extended {deny,permit} protocol {sourceaddress sourcemask,any,host srchost,interface srcinterfacename} [operator port] {destinationaddress destmask,any,host dsthost,interface dstinterfacename} [operator port]
 Create an extended ACL.
 The interface keyword is used for to-the-box filtering.
ciscoasa(config)#access-group aclid {in,out} interface interfacename [per-user-override,control-plane]
 Apply the ACL to the interface.
 The control-plane keyword is used for to-the-box filtering.


 ---Page 250 Configure NAT services on an ASA 5505---
 Dynamic NAT configuration
1.) Create a network object to identify the pool of public IP addresses
 ciscoasa(config)#object network publicpoolobject
 Create a network object and enter network object config mode.
 ciscoasa(config-network-object)#{host ipaddress,subnet networkaddress networkmask,range ipaddress1 ipaddress2}
 Identify the public pool of IP addresses using a host address, a subnet or a range of addresses.
2.) Create the network object that identifies the inside hosts and enable dynamic NAT
 ciscoasa(config)#object network natobjectname
 Create a network object and enter network object config mode.
 ciscoasa(config-network-object)#{subnet networkaddress networkmask,range ipaddress1 ipaddress2}
 Identify the inside pool of IP addresses using a subnet or a range of addresses.
 ciscoasa(config-network-object)#nat (realifc,mappedifc) dynamic publicpoolobject
 Enable NAT to dynamically translate traffic from realifc to mappedifc using the public pool network object.
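The object, object-group, ACL and dynamic NAT commands from pages 235, 243 and 250 used together on one ASA 5505, as an added example that is not part of the original reference. All object names and addresses (documentation ranges) are assumed; the ACL is applied inbound on the inside interface so it filters what LAN hosts may reach before NAT takes place.

```cisco
! Added example (not from the original reference): objects, an outbound
! filter and dynamic NAT on an ASA 5505. Names and addresses are constructed.
! Assumed: inside LAN 192.168.1.0/24, public NAT pool 203.0.113.10-.20,
! external DNS resolver 198.51.100.53, admin hosts 192.168.1.10 and .11.
!
! Network objects (page 235)
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
object network PUBLIC-POOL
 range 203.0.113.10 203.0.113.20
object network DNS-RESOLVER
 host 198.51.100.53
!
! Object groups: admin hosts, and the protocols used for web browsing
object-group network ADMIN-HOSTS
 network-object host 192.168.1.10
 network-object host 192.168.1.11
object-group protocol WEB-PROTOCOLS
 protocol-object tcp
!
! Extended ACL applied in the "in" direction on inside (page 243):
! admins may reach anything, the LAN may resolve names and browse,
! everything else from the LAN is dropped and logged
access-list INSIDE-IN extended permit ip object-group ADMIN-HOSTS any
access-list INSIDE-IN extended permit udp object INSIDE-LAN object DNS-RESOLVER eq 53
access-list INSIDE-IN extended permit object-group WEB-PROTOCOLS object INSIDE-LAN any eq 80
access-list INSIDE-IN extended permit object-group WEB-PROTOCOLS object INSIDE-LAN any eq 443
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside
!
! Dynamic NAT (page 250): translate the LAN to the public pool on the way out
object network INSIDE-LAN
 nat (inside,outside) dynamic PUBLIC-POOL
!
! Verify: show xlate                 (active translations)
!         show access-list INSIDE-IN (per-line hit counts)
```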


 ---Page 260 Configure AAA access control on an ASA 5505---
 Local AAA Authentication
ciscoasa(config)#username name password password [privilege privlevel]
 Create a local user account.
ciscoasa(config)#aaa authentication enable console LOCAL
 Enable AAA authentication for privileged EXEC mode using the local database.
ciscoasa(config)#aaa authentication http console LOCAL
 Enable AAA authentication for HTTP access using the local database.
ciscoasa(config)#aaa authentication ssh console LOCAL
 Enable AAA authentication for SSH access using the local database.
ciscoasa(config)#aaa authentication telnet console LOCAL
 Enable AAA authentication for telnet access using the local database.
 Server-Based AAA Authentication
ciscoasa(config)#aaa-server servertag protocol {tacacs+,radius}
 Create a TACACS+ or RADIUS AAA server group and enter AAA server group config mode.
 Other protocols include http-form, kerberos, ldap, nt, and sdi.
ciscoasa(config-aaa-server-group)#aaa-server servertag [(interfacename)] host {serverip,name} [key]
 Add a server to the group, identified by IP address or name and optionally by the interface it is reached through, with the shared secret key.


 ---Page 267 Class maps, policy maps, and service policies---
1.) Create a class map to identify specific layer 3/4 traffic
 ciscoasa(config)#class-map classmapname
 Create a layer 3 or 4 class map and enter class map configuration mode.
 ciscoasa(config)#class-map type management classmapname
 Create a layer 3 or 4 class map for to-the-box traffic and enter class map configuration mode.
2.) Define the traffic to include in the class by matching a characteristic
 ciscoasa(config-cmap)#match any
 Match all traffic to which you want to apply actions.
 ciscoasa(config-cmap)#match access-list aclid
 Match packets specified by an extended ACL.
3.) Create a policy map to assign actions to traffic configured in layer 3/4 class maps
 ciscoasa(config)#policy-map pmapname
 Specify a name for this policy map (up to 40 characters in length) and enter policy map configuration mode.
 ciscoasa(config-pmap)#class classmapname
 Assign a class map to the policy map and enter policy map class configuration mode, where you assign actions to the class map traffic.
4.) Assign one of the following actions:
 ciscoasa(config-pmap-c)#set connection
 Configure connection parameters.
 ciscoasa(config-pmap-c)#police {input,output} ratebps
 Rate-limit traffic for this class.
 ciscoasa(config-pmap-c)#inspect protocol
 Configure protocol inspection services.
 Keywords include dns, ftp, http, icmp, ipv6, and more.
5.) The service policy enables the policy map globally on all interfaces or on a specific one.
 ciscoasa(config)#service-policy pmapname {global,interface interfacename}
 Enable a set of policies globally or apply them on an interface.
 OR
 ciscoasa(config)#service-policy global_policy global
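The five steps above carried through as one interface policy, as an added example that is not part of the original reference: a match-any class for inspection, an ACL-matched class for a guest subnet that is rate-limited, and a management class that caps connections to the ASA's own SSH service. Class, policy and ACL names, the guest subnet and the rate values are assumed.

```cisco
! Added example (not from the original reference): layer 3/4 class maps,
! a policy map and a service policy on an ASA 5505. Names, the guest
! subnet 192.168.50.0/24 and the policing values are constructed.
!
! 1-2.) Class maps: everything, a guest subnet matched by ACL,
! and to-the-box SSH matched by a management class
class-map ALL-TRAFFIC
 match any
!
access-list GUEST-TRAFFIC extended permit ip 192.168.50.0 255.255.255.0 any
class-map GUEST-CLASS
 match access-list GUEST-TRAFFIC
!
access-list TO-ASA-SSH extended permit tcp any any eq 22
class-map type management MGMT-SSH
 match access-list TO-ASA-SSH
!
! 3-4.) Policy map: inspect common protocols for all traffic, cap guests
! at 1 Mbps with a 50000-byte burst, allow at most 10 SSH connections
! to the ASA itself
policy-map INSIDE-POLICY
 class ALL-TRAFFIC
  inspect dns
  inspect http
  inspect icmp
 class GUEST-CLASS
  police input 1000000 50000
 class MGMT-SSH
  set connection conn-max 10
!
! 5.) Activate the policy on the inside interface; the default
! global_policy stays in effect for anything this policy does not cover
service-policy INSIDE-POLICY interface inside
!
! Verify: show service-policy interface inside  (packet and drop counters per class)
```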