CCNA Security Chapter 2 Lab A: Securing the Router for Administrative Access (Instructor Version)
Router R1 (after SDM Security Audit lockdown)
Building configuration...
Current configuration : 6591 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
no logging buffered
logging console critical
enable secret 5 $1$qiT9$TsdzaYNSjevWaC1VDKYgF0
!
aaa new-model
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
dot11 syslog
no ip source-route
!
ip cef
no ip bootp server
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1301487169
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1301487169
 revocation-check none
 rsakeypair TP-self-signed-1301487169
!
!
crypto pki certificate chain TP-self-signed-1301487169
 certificate self-signed 01
  quit
!
username admin privilege 15 secret 5 $1$uKGH$dq8qkvBLt5L4nED5bNTK4.
archive
 log config
  hidekeys
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security in-zone
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 description $FW_OUTSIDE$
 ip address 10.1.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security out-zone
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
logging trap debugging
logging 192.168.1.3
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.3 any
access-list 101 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip any any
no cdp run
!
control-plane
!
banner login ^CUnauthorized access prohibited^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 101 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
R1#


All contents are Copyright © 1992–2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.