
LAN 301 - Cisco CCNA Security

LAN 301: Lab 04

Auto Secure

Estimated time: 30 minutes

Objective: Apply the auto secure configuration concepts.

File: \CCNA Security\Labs\Lab 04\Lan_301 - Lab 04.pkt

Topology:
- 2 routers
- 1 switch
- 1 Windows PC with a console connection

[Topology diagram: PC0 connected by console to rt-0; rt-0 Fa0/0 to sw-0 on the corporate network (labelled 192.168.1.0/30); rt-0 Se0/0/0 to the ISP router's Se0/0/0 over 200.1.1.0/30 (Internet).]

Exercises:
1. Configure router 0 through the console connection of PC0, using the information below:

Router0:
Hostname: rt-0
Interface f0/0:
IP address: 192.168.1.1/24
Description: Link_to_LAN
Interface s0/0/0:
IP address: 200.1.1.2/30
Description: Link_to_WAN
Encapsulation: HDLC
Bandwidth: 2 Mbps

Notes:

- Router0 is the DTE.

- Switch0 is pre-configured with the IP address 192.168.1.2/24.

- The ISP router is the DCE and is pre-configured as follows:

Hostname: rt-isp
Interface s0/0/0:
IP address: 200.1.1.1/30
Encapsulation: HDLC
Clock Rate: 2 Mbps
Bandwidth: 2 Mbps
Status: UP

2. Verify connectivity between router 0 and switch 0, and between router 0 and the ISP router (check that router 0 can ping these hosts).

3. Configure auto secure with the options below.

- Interface connected to the Internet: Serial0/0/0
- Banner: Acesso permitido apenas para pessoas autorizadas
- Enable secret password: cisco
- Enable password: ccna
- Local authentication for telnet, console and ssh.
- Username: admin
- Password: lansec
- Blocking period when a login attack is detected: 30 seconds
- Maximum number of login attempts: 3
- Maximum time period for the failed login attempts: 10 seconds
- Do not configure the SSH server
- Configure the CBAC firewall feature

4. Test the configuration for access via the console port.

5. Verify connectivity between router 0 and switch 0, and between router 0 and the ISP router (check that router 0 can ping these hosts).

Lab 04 solution:

File: \CCNA Security\Labs\Lab 04\LAN_301 - Lab 04-resolucao.pkt

1. Configure router 0 through the console connection of PC0, using the information below:

From PC0

- "Desktop" tab: click Terminal and configure the console access as follows:

Bits Per Second: 9600
Data Bits: 8
Parity: None
Stop Bits: 1
Flow Control: None

- Click the OK button

Router0:
Hostname: rt-0
Router(config)# hostname rt-0

Interface f0/0:
rt-0(config)# int f0/0
rt-0(config-if)# ip address 192.168.1.1 255.255.255.0
rt-0(config-if)# description Link_to_LAN
rt-0(config-if)# no shut

Interface s0/0/0:
rt-0(config)# int s0/0/0
rt-0(config-if)# ip address 200.1.1.2 255.255.255.252
rt-0(config-if)# description Link_to_WAN
rt-0(config-if)# encapsulation hdlc
rt-0(config-if)# bandwidth 2000
rt-0(config-if)# no shut

rt-0(config-if)# ^Z
rt-0# write memory

2. Verify connectivity between router 0 and switch 0, and between router 0 and the ISP router (check that router 0 can ping these hosts).

Router0:
rt-0# ping 192.168.1.2
rt-0# ping 200.1.1.1

3. Configure auto secure with the options below.

- Interface connected to the Internet: Serial0/0/0
- Banner: Acesso permitido apenas para pessoas autorizadas
- Enable secret password: cisco
- Enable password: ccna
- Local authentication for telnet, console and ssh.
- Username: admin
- Password: lansec
- Blocking period when a login attack is detected: 30 seconds
- Maximum number of login attempts: 3
- Maximum time period for the failed login attempts: 10 seconds
- Do not configure the SSH server
- Configure the CBAC firewall feature

rt-0# auto secure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1

Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.1.1     YES manual up                    up
FastEthernet0/1        unassigned      YES unset  administratively down down
Serial0/0/0            200.1.1.2       YES manual up                    up
Serial0/0/1            unassigned      YES unset  administratively down down
Vlan1                  unassigned      YES unset  administratively down down

Enter the interface name that is facing the internet: Serial0/0/0

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown at every access
to device. Modify it to suit your enterprise requirements.

Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device. All
activities performed on this device are logged.
Any violations of access policy will result in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}: k Acesso permitido apenas para pessoas autorizadas k

Enable secret is either not configured or
is the same as enable password
Enter the new enable secret: cisco
Confirm the enable secret: cisco
Enter the new enable password: ccna
Confirm the enable password: ccna

Configuration of local user database
Enter the username: admin
Enter the password: lansec
Confirm the passord: lansec

Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 30
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 10

Configure SSH server? [yes]: no

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected to internet

Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:

!
service password-encryption
no cdp run
access-list 100 permit udp any any eq bootpc
banner motd acesso permitido apenas para pessoas autorizadas
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 08224F4008
username admin password 7 082D4D401A1C06
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
service timestamps debug datetime msec
service timestamps log datetime msec
logging trap debugging
logging console
logging buffered
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface Serial0/0/0
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in

Apply this configuration to running-config? [yes]: yes

Applying the config generated to running-config
The name for the keys will be: test.test
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
*Mar 1 22:56:41.001: %SYS-3-CPUHOG: Task is running for (2007)msecs, more than
(2000)msecs (0/0),process = crypto sw pk proc.
-Traceback= 0x824198E0 0x82419FC4 0x8283C238 0x82866AD8 0x828667A8 0x82865D34 0x
828660F4 0x82866510 0x802335D4 0x80236D80 [OK]

rt-0# write memory
rt-0# exit

4. Test the configuration for access via the console port.

From PC0

Press RETURN to get started.

Acesso permitido apenas para pessoas autorizadas

User Access Verification

Username: admin
Password: lansec
rt-0> enable
Password: cisco
rt-0#

5. Verify connectivity between router 0 and switch 0, and between router 0 and the ISP router (check that router 0 can ping these hosts).

Router0:
rt-0# ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/28/32 ms

*** ICMP (ping) still works toward the internal network, which is considered secure.

rt-0# ping 200.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

*** ICMP (ping) no longer gets a reply through the serial interface connected to the Internet, which is considered untrusted. The echo replies from 200.1.1.1 are dropped by autosec_firewall_acl inbound on Serial0/0/0: ICMP is not one of the protocols (http, udp, tcp) that autosec_inspect tracks, so CBAC opens no return entry for them.
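As an added check (not part of the lab), a small Python audit of the configuration that auto secure generated in step 3: it lists the protocols the CBAC rule inspects, reads the policy applied to the Internet-facing interface, decides whether a ping's echo reply can return (which is why step 5 fails toward 200.1.1.1 but not toward the LAN), and flags the reversibly encoded type 7 passwords. The function names and the ICMP_FIX line are this example's own assumptions.

```python
import re
# Lines copied from the configuration auto secure generated above (only the
# parts the checks below examine); the lab's own output, not constructed.
AUTOSEC_CONFIG = """\
enable password 7 08224F4008
username admin password 7 082D4D401A1C06
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface Serial0/0/0
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
"""

# Defender's fix so outbound pings get replies: inspect icmp too (real IOS syntax; Packet Tracer support assumed).
ICMP_FIX = "ip inspect name autosec_inspect icmp\n"

def inspected_protocols(config, rule):
    """Protocols tracked by CBAC rule `rule`; only their return traffic is let in."""
    pat = re.compile(r"^ip inspect name %s (\S+)" % re.escape(rule), re.M)
    return set(pat.findall(config))

def interface_policy(config, iface):
    """Map 'inspect'/'access-group' -> (name, direction) applied under `iface`."""
    policy, in_block = {}, False
    for line in config.splitlines():
        if line.startswith("interface "):
            in_block = line.split()[1] == iface
        elif in_block:
            m = re.match(r"ip (inspect|access-group) (\S+) (in|out)$", line)
            if m:
                policy[m.group(1)] = (m.group(2), m.group(3))
    return policy

def echo_reply_returns(config, iface):
    """Does the reply to a ping sent out `iface` get past the inbound ACL?
    Assumes the ACL statically drops it (autosec_firewall_acl ends in deny ip
    any any), so it only passes if icmp was inspected outbound by CBAC."""
    pol = interface_policy(config, iface)
    if pol.get("access-group", ("", ""))[1] != "in":
        return True  # no inbound filter on this interface (the LAN side here)
    rule, direction = pol.get("inspect", ("", ""))
    return direction == "out" and "icmp" in inspected_protocols(config, rule)

def reversible_passwords(config):
    """Type 7 strings are reversibly encoded; only `enable secret` (type 5) hashes."""
    return re.findall(r"^(?:enable password|username \S+ password) 7 \S+", config, re.M)
```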
