WRITTEN BY
ASHISH HALDER
CCNA RnS, CCNA Sec, CCNP RnS, CCNP Sec, CCIE Sec (written)
Ashish Halder (CCNA RnS, CCNP RnS, CCNA Sec, CCNP Sec, CCIE Sec-written), All rights are reserved
CCNA SECURITY LAB GUIDE
Special thanks to Tariq Ibne Aziz vai & Murshid vai, who gave me help and support in
learning Cisco Security.
All rights reserved. No part of this book may be reproduced or transmitted in any form or by
any means, electronic or mechanical, including photocopying, recording, or by any
information storage and retrieval system, without written permission from the publisher,
except for the inclusion of brief quotations in a review.
Contents
LAB 6: Configure routers to use Cisco Access Control Server (ACS) and TACACS+ Authentication ........ 35
LAB 19: Static NAT to Multiple Services on the same Outside IP Address, such as HTTP, HTTPS, TELNET, SSH ........ 115
LAB 31: IPSec SITE-TO-SITE VPN BETWEEN TWO CISCO ROUTERS ........ 190
LAB 32: Clientless SSL VPN Remote Access (using a web browser) ........ 195
LAB 33: SSL or IPsec (IKEv2) VPN Remote Access (using Cisco AnyConnect client) ........ 211
The management plane: used to configure, monitor and manage the network device and its
protocols.
The management plane is secured using passwords, RBAC, NTP, AAA, SSH, HTTPS, VLANs,
ACLs and SNMPv3.
The control plane: handles the actual process of routing traffic through the device, so it
is used by control protocols such as ARP and by dynamic routing protocols such as BGP,
OSPF and EIGRP.
SNMP traps and syslog messages can be associated with high CPU utilisation or low memory
availability, both of which can affect control plane functionality.
The data plane: the end-user traffic. This is the traffic that passes through your network
rather than being addressed to a network device, for example the traffic generated when a
user in your network browses a website.
The data plane is secured using intrusion prevention systems (IPS), firewalls, and Layer 2
security on switches.
(Passwords, Privilege level, RBAC, NTP, AAA, SSH, HTTPS, VLANs, ACLs, and SNMPv3)
We should follow the rules below when we set a password on a Cisco device:
By default the minimum length is 6 characters, but we can change the default length.
Now we will try to configure a password shorter than 10 characters; with the minimum
length enforced, the router refuses it:
R1(config)#username ashish privilege 15 secret ashish
% Password too short - must be at least 10 characters. Password configuration
failed
R1(config)#username ashish privilege 15 secret ashish12345
R1(config)#
Encrypt Password
R1(config)#line console 0
R1(config-line)#password cisco123456
R1(config-line)#login
Here the password is stored in clear text. We will encrypt it using the following
command:
R1(config)#service password-encryption
R1(config)#exit
R1#conf t
*Mar 1 00:30:21.623: %SYS-5-CONFIG_I: Configured from console by console
R1#show running-config | include password
service password-encryption
security passwords min-length 10
password 7 02050D4808095E731F1A5C4F
R1#
Type 7 is the Cisco proprietary method (a Vigenère cipher) and is weak. It is a reversible,
exclusive-or style obfuscation rather than a hash, so a Type 7 password can be recovered
from the encoded text using publicly available tools.
Type 0 is a clear text password, visible to any user who has access to privileged mode on
the router.
Type 5 is hashed using MD5 and is considered fairly strong. The "enable secret" password is
stored using Type 5. Here is the example:
The username <name> secret <password> global command also generates a type 5 password.
A limited number of Cisco IOS and Cisco IOS XE releases based on the Cisco IOS 15 code base
include support for a new algorithm called Type 4, and a password hashed using this
algorithm is referred to as a Type 4 password. It is considered to be a stronger alternative
to the existing Type 5 and Type 7 algorithms against brute-force attacks.
The design called for Password-Based Key Derivation Function version 2 (PBKDF2) with
the following input values:
Type 8
This means the password is hashed with PBKDF2-SHA-256 when the router stores it in the
running/startup configuration, available starting from IOS 15.3(3).
Password-Based Key Derivation Function 2 (PBKDF2) with the Secure Hash Algorithm, 256-bit
(SHA-256), as the hashing algorithm.
Example 1 :
R1(config)#enable algorithm-type sha256 secret cisco
R1(config)#do sh run | i enable
enable secret 8 $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.
Example 2 :
R1(config)# username ashish algorithm-type sha256 secret cisco
R1# show running-config | inc username
username ashish secret 8 $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs
Type 9
This means the password is hashed with scrypt when the router stores it in the
running/startup configuration, available starting from IOS 15.3(3).
Example 1 :
R1(config)#ena algorithm-type scrypt secret cisco
R1(config)#do sh run | i enable
enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE
Example 2 :
N.B.
If we configure type 8 or type 9 passwords and then downgrade to a release that does not
support them, we must configure type 5 passwords before downgrading. Otherwise we are
locked out of the device and a password recovery is required.
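As an added example (not from the lab guide), the following Python script audits a running-config excerpt for the password storage types discussed above: it flags type 0 and type 7 credentials, marks type 4/5 hashes for migration, accepts type 8/9, and checks the `security passwords min-length` setting. The excerpt, its `username` lines and the type 5 placeholder hash are constructed for the demo; the type 7, 8 and 9 values are the ones shown in this chapter.

```python
import re
# Constructed "show running-config" excerpt for the demo: the type 7, 8 and 9
# values are the ones shown in this chapter, the type 5 hash is a placeholder.
SAMPLE_CONFIG = """\
security passwords min-length 10
username ashish privilege 15 secret 5 $1$SALT$PLACEHOLDER_TYPE5_HASH
username bob secret 8 $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.
username carol privilege 15 password cisco123
enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE
line con 0
 password 7 02050D4808095E731F1A5C4F
line vty 0 4
 login local
"""

# Storage type -> (severity, reason). Types 0 and 7 are reversible, 4 and 5
# are legacy hashes to migrate, 8 and 9 are the PBKDF2 and scrypt forms.
TYPE_RATING = {
    "0": ("high", "clear text (type 0)"),
    "7": ("high", "type 7 is reversible with public tools"),
    "4": ("medium", "type 4 is a legacy SHA-256 form, migrate to type 8/9"),
    "5": ("medium", "type 5 (MD5) should be migrated to type 8/9"),
    "8": ("ok", "type 8 PBKDF2-SHA-256"),
    "9": ("ok", "type 9 scrypt"),
}

# "<cmd> password|secret [<type digit>] <value>"; no digit means clear text
CRED_RE = re.compile(r"^\s*.*?\b(?:password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)")

def audit_config(text):
    """Return (stripped line, severity, reason) for every credential line."""
    findings = []
    for line in text.splitlines():
        if line.startswith(("service ", "security ")):
            continue      # "service password-encryption" etc. are not credentials
        m = CRED_RE.match(line)
        if m:
            sev, why = TYPE_RATING.get(m.group("type") or "0", ("unknown", "unknown type"))
            findings.append((line.strip(), sev, why))
    return findings

def min_length_ok(text, required=10):
    """True when 'security passwords min-length' is configured to at least required."""
    m = re.search(r"^security passwords min-length (\d+)$", text, re.M)
    return m is not None and int(m.group(1)) >= required

def worst_severity(findings):
    order = {"ok": 0, "unknown": 1, "medium": 2, "high": 3}
    return max((sev for _, sev, _ in findings), key=order.__getitem__, default="ok")
```

Run `audit_config` over the output of `show running-config` collected from a device; any "high" finding is a credential that should be re-entered with `secret` and `algorithm-type sha256` or `scrypt`.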
One of the easiest and most common methods of setting authorization for administrative
access is to use privilege levels. By default, the Cisco IOS has two privilege levels:
There are 16 privilege levels, from 0 to 15. A lower privilege level can run only a limited
set of Cisco commands; at privilege level 15 all Cisco commands are permitted.
We can create users, assign each a privilege level, and then assign commands to that
privilege level. Different users can then run only their specific commands, which increases
device security.
N.B. We never assign privilege level 15 to normal users; it is only for administrative
(root) users.
Router(config)#line vty 0 4
Router(config-line)#login local
Router(config-line)#exit
By default, all Cisco routers come with 5 VTY lines, numbered 0, 1, 2, 3 and 4.
Assign IP to Host
Verify Connectivity
Now we will create a privilege level and assign some commands to it:
Router(config)#privilege exec level 5 configure terminal
Router(config)#privilege exec level 5 show version
Router(config)#privilege exec level 5 show privilege
Router(config)#privilege configure all level 5 interface
Here the “all” option in the last command also covers the sub-options under interface. We
can verify our configuration by logging into the router and viewing the commands available
at each level.
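As an added example (not from the lab guide), this Python model shows how the four privilege lines above change which commands a level-5 user may run, including the difference the “all” keyword makes for sub-options. The default command levels in DEFAULT_LEVELS and the sub-option "interface loopback" are assumptions made for the demo, and the model is a simplified view of IOS command authorization.

```python
# Assumed default levels for the demo: user EXEC "show" commands at 1,
# anything that changes or reveals the configuration at 15.
DEFAULT_LEVELS = {
    ("exec", "show privilege"): 1,
    ("exec", "show version"): 1,
    ("exec", "show running-config"): 15,
    ("exec", "configure terminal"): 15,
    ("configure", "interface"): 15,
    ("configure", "interface loopback"): 15,   # a sub-option of "interface"
    ("configure", "hostname"): 15,
}

# The four lines configured in the lab above.
LAB_LINES = [
    "privilege exec level 5 configure terminal",
    "privilege exec level 5 show version",
    "privilege exec level 5 show privilege",
    "privilege configure all level 5 interface",
]

def apply_privilege_lines(levels, lines):
    """Apply 'privilege <mode> [all] level <n> <command>' lines to a copy of levels."""
    table = dict(levels)
    for line in lines:
        parts = line.split()
        if parts[0] != "privilege" or "level" not in parts:
            raise ValueError("not a privilege line: " + line)
        mode, cascade = parts[1], parts[2] == "all"
        idx = parts.index("level")
        level, command = int(parts[idx + 1]), " ".join(parts[idx + 2:])
        table[(mode, command)] = level
        if cascade:
            # "all" also moves every sub-option of the command in that mode
            for m, c in list(table):
                if m == mode and c.startswith(command + " "):
                    table[(m, c)] = level
    return table

def command_level(table, mode, command):
    """Longest matching prefix wins, so a sub-option can keep its own level."""
    best = None
    for (m, c), lvl in table.items():
        if m == mode and (command == c or command.startswith(c + " ")):
            if best is None or len(c) > len(best[0]):
                best = (c, lvl)
    return best[1] if best else 15   # unknown commands stay privileged

def can_run(table, user_level, mode, command):
    return user_level >= command_level(table, mode, command)
```

With the lab lines applied, a level-5 user can run `show version`, `show privilege` and `configure terminal` but still not `show running-config`, which matches the verification that follows.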
Verification
C:\>telnet 192.168.10.1
Trying 192.168.10.1 ...Open
Router#show privilege
Current privilege level is 5
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version
12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team
Not possible, right?
Router#show running-config
Building configuration...
Current configuration: 1021 bytes
!
version 12.4
Now it is possible.
Telnet was designed to work within a private network, not across a public network where
threats can appear. Because of this, all data is transmitted in plain text, including
passwords. This is a major security issue, and the developers of SSH used encryption to make
it harder for other people to sniff the password and other sensitive information.
Secure Shell (SSH) is a protocol that provides a secure remote access connection to network
devices. Communication between the client and server is encrypted in SSH; to do this, it uses
an RSA public/private keypair.
There are two versions: version 1 and version 2. Version 2 is more secure and commonly used.
The name of the RSA keypair will be the hostname and domain name of the router.
Switch(config)#hostname ASHISH-SW
ASHISH-SW(config)#ip domain-name ashish.com
Key sizes of 1024 bits or smaller should be avoided. Larger keys take longer to generate but
provide more security.
ASHISH-SW(config)#line console 0
ASHISH-SW(config-line)#logging synchronous
ASHISH-SW(config-line)#login local
Router#conf t
Router(config)#hostname Venus
Venus(config)#interface fastEthernet 0/0
Venus(config-if)#ip address 192.168.10.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
Venus(config)#ip domain-name cisco.com
Venus(config)#username ashish privilege 15 password cisco123
Venus(config)#crypto key generate rsa
Venus(config-line)#login local
Venus(config-line)#exit
Venus(config)#line vty 0 4
Venus(config-line)#transport input ssh
Venus(config-line)#login local
Venus#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Venus#
Step 2: Generate an RSA key to enable SSH; it is used to encrypt the traffic between the user and the ASA.
Step 3: Use the username previously created to connect to the ASA with SSH.
Local AAA means that we perform AAA without the use of an external database. When
performing local AAA, we authenticate with a username and password that are part of the
configuration of the security appliance.
Step 4: Define the IP addresses that are allowed to connect to the ASA.
Step 5: Specify the SSH version. There are two versions: version 1 and version 2. Version 2 is
more secure and commonly used.