If your router has a connection to the Internet, AutoSecure performs a few additional tasks for the Internet-facing interface. Below we configure a router with two interfaces using the AutoSecure feature. The first interface, F0/0, connects to the internal network. The second, F0/1, connects to the outside environment, the Internet.
First we assign a private address to F0/0, the interface that connects to the enterprise's internal LAN.
Demo#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Demo(config)#int f0/0
Demo(config-if)#ip add 192.168.1.1 255.255.255.0
Demo(config-if)#no shut
Demo(config-if)#exit
Demo(config)#
*Dec 2 04:13:59.103: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 2 04:14:00.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Next we configure F0/1. Assume this interface connects out to the Internet and obtains its IP address from DHCP. Note the form of the ip address command used on this interface.
Demo#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Demo(config)#int f0/1
Demo(config-if)#ip add
Demo(config-if)#ip address ?
A.B.C.D IP address
dhcp IP Address negotiated via DHCP
pool IP Address autoconfigured from a local DHCP pool
Demo(config-if)#ip address dhcp
Demo(config-if)#no shut
Demo(config-if)#exit
So besides the familiar option of assigning a specific address, the ip address command also offers options for obtaining an address from a DHCP server. We now check the state of the interfaces and their IP addresses.
Demo#sh ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.1 YES manual up up
FastEthernet0/1 10.215.219.32 YES DHCP up up
Serial0/1/0 unassigned YES unset administratively down down
Serial0/2/0 unassigned YES unset administratively down down
Sometimes, when configuring routers that connect to the Internet, you also need to specify the DNS server the router will use for name resolution. The DNS server is configured as shown below. In this example the DNS server address of VNN is used.
Demo#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Demo(config)#ip name-server 203.162.4.191
Demo(config)#exit
At this point the router's routing table looks like the following. Note that the gateway of last resort was handed down by the DHCP server.
Demo#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.215.219.254 to network 0.0.0.0
10.0.0.0/24 is subnetted, 1 subnets
C 10.215.219.0 is directly connected, FastEthernet0/1
C 192.168.1.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [254/0] via 10.215.219.254
Now we use AutoSecure to harden the device. This example differs from the previous one in that this router has a connection to the Internet.
Demo#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
The router begins gathering information from the administrator. AutoSecure first asks whether this router is connected to the Internet and, if so, how many interfaces face the Internet. By default the router assumes one Internet-facing interface.
Is this router connected to internet? [no]: yes
*Dec 2 04:21:16.671: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Enter the number of interfaces facing the internet [1]:
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.1 YES manual up up
FastEthernet0/1 10.215.219.32 YES DHCP up up
Serial0/1/0 unassigned YES unset administratively down down
Serial0/2/0 unassigned YES unset administratively down down
The router then asks which of the interfaces listed above face the Internet. Note that the abbreviated name F0/1 is rejected here; the full interface name must be entered.
Enter the interface name that is facing the internet: F0/1
Invalid interface name
Enter the interface name that is facing the internet: FastEthernet0/1
Once we enter the Internet-facing interface, the router automatically disables a number of management-plane services and enables a few protective ones.
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
The router asks for a security banner.
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
$This config is for user VnPro$
The router asks you to set the passwords. Entries shorter than six characters are rejected, matching the security passwords min-length 6 line that AutoSecure generates.
Enable secret is either not configured or
is the same as enable password
Enter the new enable secret:
Confirm the enable secret :
passwords do not match
Enter the new enable secret:
Confirm the enable secret :
passwords do not match
Enter the new enable secret:
Confirm the enable secret :
Enter the new enable password:
% Password too short - must be at least 6 characters. Password configuration failed
Enter the new enable password:
Confirm the enable password:
Configuration of local user database
Enter the username: vnpro
Enter the password:
% Password too short - must be at least 6 characters. Password configuration failed
Enter the password:
Confirm the password:
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 3
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 3
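To make the three login-attack parameters concrete, here is an added Python model (editor's code, not Cisco's and not from the page) of how `login block-for 3 attempts 3 within 3` moves the device into quiet mode. The timing rules (failures counted inside a sliding window, attempts during quiet mode refused and not counted, a successful login not clearing the window) are modelling assumptions, not verified against IOS internals.

```python
"""Model of IOS 'login block-for B attempts N within W' (the page uses 3/3/3).

Editor's own simulation, not Cisco code. Assumption: a successful login does not
clear the failure window, and attempts during quiet mode are refused uncounted.
"""
from collections import deque


class LoginBlock:
    def __init__(self, block_for, attempts, within):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.failures = deque()  # timestamps of failed logins inside the window
        self.quiet_until = None  # end of quiet mode, None while in normal mode

    def quiet(self, now):
        """True while the device is in quiet mode (login connections refused)."""
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now, success):
        """Record one login attempt at time `now`; return 'ok', 'fail' or 'blocked'."""
        if self.quiet(now):
            return "blocked"
        self.quiet_until = None
        if success:
            return "ok"
        self.failures.append(now)
        # Drop failures older than the 'within' window before counting.
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for  # enter quiet mode
            self.failures.clear()
        return "fail"


def simulate(events, block_for=3, attempts=3, within=3):
    """Run constructed (time, success) events through one LoginBlock; return outcomes."""
    lb = LoginBlock(block_for, attempts, within)
    return [lb.attempt(t, ok) for t, ok in events]


if __name__ == "__main__":
    # Constructed sample: three bad passwords in three seconds, then the admin
    # tries with the right password at t=4 (still quiet) and again at t=6.
    print(simulate([(0, False), (1, False), (2, False), (4, True), (6, True)]))
    # ['fail', 'fail', 'fail', 'blocked', 'ok']
```

Quiet mode refuses the administrator's own sessions for the block period as well; the sl_def_acl that appears in the show ip access-lists output later on this page is the ACL IOS applies during that window.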
The router asks you to configure SSH.
Configure SSH server? [yes]:
Enter the domain-name: vnpro.org
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling CEF (This might impact the memory requirements for your platform)
Configuring the named ACLs for Ingress Filtering
autosec_iana_reserved_block: This block is subjected to
change by IANA. For an updated list, visit
www.iana.org/assignments/ipv4-address-space.
1/8, 2/8, 5/8, 7/8, 23/8, 27/8, 31/8, 36/8, 37/8, 39/8,
41/8, 42/8, 49/8, 50/8, 58/8, 59/8, 60/8, 70/8, 71/8,
72/8, 73/8, 74/8, 75/8, 76/8, 77/8, 78/8, 79/8, 83/8,
84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8,
94/8, 95/8, 96/8, 97/8, 98/8, 99/8, 100/8, 101/8, 102/8,
103/8, 104/8, 105/8, 106/8, 107/8, 108/8, 109/8, 110/8,
111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8,
119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8,
197/8, 201/8
autosec_private_block:
10/8, 172.16/12, 192.168/16
autosec_complete_block: This block is a combination of the
autosec_iana_reserved_block, autosec_private_block, and
any packet with a source address of multicast (224/4),
class E (240/4), 0/8, 169.254/16, 192.0.2/24, and 127/8.
Next, the router asks you to configure the ACLs that filter packets on the external interface.
Configuring Ingress Filtering replaces the existing
acl on external interfaces, if any, with Ingress
Filtering acl.
Configure Ingress Filtering on edge interfaces? [yes]:
[1] Apply autosec_iana_reserved_block acl on all edge interfaces
[2] Apply autosec_private_block acl on all edge interfaces
[3] Apply autosec_complete_bogon acl on all edge interfaces
Enter your selection [3]:
Enabling unicast rpf on all interfaces connected
to internet
Configure CBAC Firewall feature? [yes/no]: y
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^CThis config is for user VnPro^C
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$nEyq$HlTuZIiDeOChLt4arodSI0
enable password 7 075E731F1A5C4F52
username vnpro password 7 025756085F5359
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
line tty 1
login authentication local_auth
exec-timeout 15 0
login block-for 3 attempts 3 within 3
ip domain-name vnpro.org
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface Serial0/1/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/2/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
ip cef
access-list compiled
ip access-list extended autosec_iana_reserved_block
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 7.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 41.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 58.0.0.0 0.255.255.255 any
deny ip 59.0.0.0 0.255.255.255 any
deny ip 60.0.0.0 0.255.255.255 any
deny ip 70.0.0.0 0.255.255.255 any
deny ip 71.0.0.0 0.255.255.255 any
deny ip 72.0.0.0 0.255.255.255 any
deny ip 73.0.0.0 0.255.255.255 any
deny ip 74.0.0.0 0.255.255.255 any
deny ip 75.0.0.0 0.255.255.255 any
deny ip 76.0.0.0 0.255.255.255 any
deny ip 77.0.0.0 0.255.255.255 any
deny ip 78.0.0.0 0.255.255.255 any
deny ip 79.0.0.0 0.255.255.255 any
deny ip 83.0.0.0 0.255.255.255 any
deny ip 84.0.0.0 0.255.255.255 any
deny ip 85.0.0.0 0.255.255.255 any
deny ip 86.0.0.0 0.255.255.255 any
deny ip 87.0.0.0 0.255.255.255 any
deny ip 88.0.0.0 0.255.255.255 any
deny ip 89.0.0.0 0.255.255.255 any
deny ip 90.0.0.0 0.255.255.255 any
deny ip 91.0.0.0 0.255.255.255 any
deny ip 92.0.0.0 0.255.255.255 any
deny ip 93.0.0.0 0.255.255.255 any
deny ip 94.0.0.0 0.255.255.255 any
deny ip 95.0.0.0 0.255.255.255 any
deny ip 96.0.0.0 0.255.255.255 any
deny ip 97.0.0.0 0.255.255.255 any
deny ip 98.0.0.0 0.255.255.255 any
deny ip 99.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 108.0.0.0 0.255.255.255 any
deny ip 109.0.0.0 0.255.255.255 any
deny ip 110.0.0.0 0.255.255.255 any
deny ip 111.0.0.0 0.255.255.255 any
deny ip 112.0.0.0 0.255.255.255 any
deny ip 113.0.0.0 0.255.255.255 any
deny ip 114.0.0.0 0.255.255.255 any
deny ip 115.0.0.0 0.255.255.255 any
deny ip 116.0.0.0 0.255.255.255 any
deny ip 117.0.0.0 0.255.255.255 any
deny ip 118.0.0.0 0.255.255.255 any
deny ip 119.0.0.0 0.255.255.255 any
deny ip 120.0.0.0 0.255.255.255 any
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
permit ip any any
remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
exit
ip access-list extended autosec_private_block
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
exit
ip access-list extended autosec_complete_bogon
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 7.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 41.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 58.0.0.0 0.255.255.255 any
deny ip 59.0.0.0 0.255.255.255 any
deny ip 60.0.0.0 0.255.255.255 any
deny ip 70.0.0.0 0.255.255.255 any
deny ip 71.0.0.0 0.255.255.255 any
deny ip 72.0.0.0 0.255.255.255 any
deny ip 73.0.0.0 0.255.255.255 any
deny ip 74.0.0.0 0.255.255.255 any
deny ip 75.0.0.0 0.255.255.255 any
deny ip 76.0.0.0 0.255.255.255 any
deny ip 77.0.0.0 0.255.255.255 any
deny ip 78.0.0.0 0.255.255.255 any
deny ip 79.0.0.0 0.255.255.255 any
deny ip 83.0.0.0 0.255.255.255 any
deny ip 84.0.0.0 0.255.255.255 any
deny ip 85.0.0.0 0.255.255.255 any
deny ip 86.0.0.0 0.255.255.255 any
deny ip 87.0.0.0 0.255.255.255 any
deny ip 88.0.0.0 0.255.255.255 any
deny ip 89.0.0.0 0.255.255.255 any
deny ip 90.0.0.0 0.255.255.255 any
deny ip 91.0.0.0 0.255.255.255 any
deny ip 92.0.0.0 0.255.255.255 any
deny ip 93.0.0.0 0.255.255.255 any
deny ip 94.0.0.0 0.255.255.255 any
deny ip 95.0.0.0 0.255.255.255 any
deny ip 96.0.0.0 0.255.255.255 any
deny ip 97.0.0.0 0.255.255.255 any
deny ip 98.0.0.0 0.255.255.255 any
deny ip 99.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 108.0.0.0 0.255.255.255 any
deny ip 109.0.0.0 0.255.255.255 any
deny ip 110.0.0.0 0.255.255.255 any
deny ip 111.0.0.0 0.255.255.255 any
deny ip 112.0.0.0 0.255.255.255 any
deny ip 113.0.0.0 0.255.255.255 any
deny ip 114.0.0.0 0.255.255.255 any
deny ip 115.0.0.0 0.255.255.255 any
deny ip 116.0.0.0 0.255.255.255 any
deny ip 117.0.0.0 0.255.255.255 any
deny ip 118.0.0.0 0.255.255.255 any
deny ip 119.0.0.0 0.255.255.255 any
deny ip 120.0.0.0 0.255.255.255 any
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
exit
interface FastEthernet0/1
ip access-group autosec_complete_bogon in
exit
access-list 100 permit udp any any eq bootpc
interface FastEthernet0/1
ip verify unicast source reachable-via rx allow-default 100
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface FastEthernet0/1
ip inspect autosec_inspect out
!
end
The router asks whether you want to apply this configuration.
Apply this configuration to running-config? [yes]:
Applying the config generated to running-config
The name for the keys will be: Demo.vnpro.org
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys ...[OK]
Demo#sh run
Building configuration...
Current configuration : 9519 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Demo
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$nEyq$HlTuZIiDeOChLt4arodSI0
enable password 7 075E731F1A5C4F52
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip bootp server
ip domain name vnpro.org
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
no ip ips deny-action ips-interface
login block-for 3 attempts 3 within 3
!
no ftp-server write-enable
!
username vnpro password 7 025756085F5359
archive
log config
logging enable
!
!
no crypto isakmp ccm
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address dhcp
ip access-group autosec_complete_bogon in
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect autosec_inspect out
duplex auto
speed auto
no mop enabled
!
ip classless
!
!
no ip http server
no ip http secure-server
!
ip access-list extended autosec_complete_bogon
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 7.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 41.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 58.0.0.0 0.255.255.255 any
deny ip 59.0.0.0 0.255.255.255 any
deny ip 60.0.0.0 0.255.255.255 any
deny ip 70.0.0.0 0.255.255.255 any
deny ip 71.0.0.0 0.255.255.255 any
deny ip 72.0.0.0 0.255.255.255 any
deny ip 73.0.0.0 0.255.255.255 any
deny ip 74.0.0.0 0.255.255.255 any
deny ip 75.0.0.0 0.255.255.255 any
deny ip 76.0.0.0 0.255.255.255 any
deny ip 77.0.0.0 0.255.255.255 any
deny ip 78.0.0.0 0.255.255.255 any
deny ip 79.0.0.0 0.255.255.255 any
deny ip 83.0.0.0 0.255.255.255 any
deny ip 84.0.0.0 0.255.255.255 any
deny ip 85.0.0.0 0.255.255.255 any
deny ip 86.0.0.0 0.255.255.255 any
deny ip 87.0.0.0 0.255.255.255 any
deny ip 88.0.0.0 0.255.255.255 any
deny ip 89.0.0.0 0.255.255.255 any
deny ip 90.0.0.0 0.255.255.255 any
deny ip 91.0.0.0 0.255.255.255 any
deny ip 92.0.0.0 0.255.255.255 any
deny ip 93.0.0.0 0.255.255.255 any
deny ip 94.0.0.0 0.255.255.255 any
deny ip 95.0.0.0 0.255.255.255 any
deny ip 96.0.0.0 0.255.255.255 any
deny ip 97.0.0.0 0.255.255.255 any
deny ip 98.0.0.0 0.255.255.255 any
deny ip 99.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 108.0.0.0 0.255.255.255 any
deny ip 109.0.0.0 0.255.255.255 any
deny ip 110.0.0.0 0.255.255.255 any
deny ip 111.0.0.0 0.255.255.255 any
deny ip 112.0.0.0 0.255.255.255 any
deny ip 113.0.0.0 0.255.255.255 any
deny ip 114.0.0.0 0.255.255.255 any
deny ip 115.0.0.0 0.255.255.255 any
deny ip 116.0.0.0 0.255.255.255 any
deny ip 117.0.0.0 0.255.255.255 any
deny ip 118.0.0.0 0.255.255.255 any
deny ip 119.0.0.0 0.255.255.255 any
deny ip 120.0.0.0 0.255.255.255 any
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
ip access-list extended autosec_iana_reserved_block
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 7.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 41.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 58.0.0.0 0.255.255.255 any
deny ip 59.0.0.0 0.255.255.255 any
deny ip 60.0.0.0 0.255.255.255 any
deny ip 70.0.0.0 0.255.255.255 any
deny ip 71.0.0.0 0.255.255.255 any
deny ip 72.0.0.0 0.255.255.255 any
deny ip 73.0.0.0 0.255.255.255 any
deny ip 74.0.0.0 0.255.255.255 any
deny ip 75.0.0.0 0.255.255.255 any
deny ip 76.0.0.0 0.255.255.255 any
deny ip 77.0.0.0 0.255.255.255 any
deny ip 78.0.0.0 0.255.255.255 any
deny ip 79.0.0.0 0.255.255.255 any
deny ip 83.0.0.0 0.255.255.255 any
deny ip 84.0.0.0 0.255.255.255 any
deny ip 85.0.0.0 0.255.255.255 any
deny ip 86.0.0.0 0.255.255.255 any
deny ip 87.0.0.0 0.255.255.255 any
deny ip 88.0.0.0 0.255.255.255 any
deny ip 89.0.0.0 0.255.255.255 any
deny ip 90.0.0.0 0.255.255.255 any
deny ip 91.0.0.0 0.255.255.255 any
deny ip 92.0.0.0 0.255.255.255 any
deny ip 93.0.0.0 0.255.255.255 any
deny ip 94.0.0.0 0.255.255.255 any
deny ip 95.0.0.0 0.255.255.255 any
deny ip 96.0.0.0 0.255.255.255 any
deny ip 97.0.0.0 0.255.255.255 any
deny ip 98.0.0.0 0.255.255.255 any
deny ip 99.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 108.0.0.0 0.255.255.255 any
deny ip 109.0.0.0 0.255.255.255 any
deny ip 110.0.0.0 0.255.255.255 any
deny ip 111.0.0.0 0.255.255.255 any
deny ip 112.0.0.0 0.255.255.255 any
deny ip 113.0.0.0 0.255.255.255 any
deny ip 114.0.0.0 0.255.255.255 any
deny ip 115.0.0.0 0.255.255.255 any
deny ip 116.0.0.0 0.255.255.255 any
deny ip 117.0.0.0 0.255.255.255 any
deny ip 118.0.0.0 0.255.255.255 any
deny ip 119.0.0.0 0.255.255.255 any
deny ip 120.0.0.0 0.255.255.255 any
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
permit ip any any
remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list
ip access-list extended autosec_private_block
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
access-list compiled
no cdp run
!
control-plane
!
banner motd ^CThis config is for user VnPro^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet ssh
!
warm-reboot
end
Demo#
Demo#sh ip access-lists
Extended IP access list 100 (Compiled)
10 permit udp any any eq bootpc
Extended IP access list autosec_complete_bogon (Compiled)
10 deny ip 1.0.0.0 0.255.255.255 any
20 deny ip 2.0.0.0 0.255.255.255 any
30 deny ip 5.0.0.0 0.255.255.255 any
40 deny ip 7.0.0.0 0.255.255.255 any
50 deny ip 23.0.0.0 0.255.255.255 any
60 deny ip 27.0.0.0 0.255.255.255 any
70 deny ip 31.0.0.0 0.255.255.255 any
80 deny ip 36.0.0.0 0.255.255.255 any
90 deny ip 37.0.0.0 0.255.255.255 any
100 deny ip 39.0.0.0 0.255.255.255 any
110 deny ip 41.0.0.0 0.255.255.255 any
120 deny ip 42.0.0.0 0.255.255.255 any
130 deny ip 49.0.0.0 0.255.255.255 any
140 deny ip 50.0.0.0 0.255.255.255 any
150 deny ip 58.0.0.0 0.255.255.255 any
160 deny ip 59.0.0.0 0.255.255.255 any
170 deny ip 60.0.0.0 0.255.255.255 any
180 deny ip 70.0.0.0 0.255.255.255 any
190 deny ip 71.0.0.0 0.255.255.255 any
200 deny ip 72.0.0.0 0.255.255.255 any
210 deny ip 73.0.0.0 0.255.255.255 any
220 deny ip 74.0.0.0 0.255.255.255 any
230 deny ip 75.0.0.0 0.255.255.255 any
240 deny ip 76.0.0.0 0.255.255.255 any
250 deny ip 77.0.0.0 0.255.255.255 any
260 deny ip 78.0.0.0 0.255.255.255 any
270 deny ip 79.0.0.0 0.255.255.255 any
280 deny ip 83.0.0.0 0.255.255.255 any
290 deny ip 84.0.0.0 0.255.255.255 any
300 deny ip 85.0.0.0 0.255.255.255 any
310 deny ip 86.0.0.0 0.255.255.255 any
320 deny ip 87.0.0.0 0.255.255.255 any
330 deny ip 88.0.0.0 0.255.255.255 any
340 deny ip 89.0.0.0 0.255.255.255 any
350 deny ip 90.0.0.0 0.255.255.255 any
360 deny ip 91.0.0.0 0.255.255.255 any
370 deny ip 92.0.0.0 0.255.255.255 any
380 deny ip 93.0.0.0 0.255.255.255 any
390 deny ip 94.0.0.0 0.255.255.255 any
400 deny ip 95.0.0.0 0.255.255.255 any
410 deny ip 96.0.0.0 0.255.255.255 any
420 deny ip 97.0.0.0 0.255.255.255 any
430 deny ip 98.0.0.0 0.255.255.255 any
440 deny ip 99.0.0.0 0.255.255.255 any
450 deny ip 100.0.0.0 0.255.255.255 any
460 deny ip 101.0.0.0 0.255.255.255 any
470 deny ip 102.0.0.0 0.255.255.255 any
480 deny ip 103.0.0.0 0.255.255.255 any
490 deny ip 104.0.0.0 0.255.255.255 any
500 deny ip 105.0.0.0 0.255.255.255 any
510 deny ip 106.0.0.0 0.255.255.255 any
520 deny ip 107.0.0.0 0.255.255.255 any
530 deny ip 108.0.0.0 0.255.255.255 any
540 deny ip 109.0.0.0 0.255.255.255 any
550 deny ip 110.0.0.0 0.255.255.255 any
560 deny ip 111.0.0.0 0.255.255.255 any
570 deny ip 112.0.0.0 0.255.255.255 any
580 deny ip 113.0.0.0 0.255.255.255 any
590 deny ip 114.0.0.0 0.255.255.255 any
600 deny ip 115.0.0.0 0.255.255.255 any
610 deny ip 116.0.0.0 0.255.255.255 any
620 deny ip 117.0.0.0 0.255.255.255 any
630 deny ip 118.0.0.0 0.255.255.255 any
640 deny ip 119.0.0.0 0.255.255.255 any
650 deny ip 120.0.0.0 0.255.255.255 any
660 deny ip 121.0.0.0 0.255.255.255 any
670 deny ip 122.0.0.0 0.255.255.255 any
680 deny ip 123.0.0.0 0.255.255.255 any
690 deny ip 124.0.0.0 0.255.255.255 any
700 deny ip 125.0.0.0 0.255.255.255 any
710 deny ip 126.0.0.0 0.255.255.255 any
720 deny ip 197.0.0.0 0.255.255.255 any
730 deny ip 201.0.0.0 0.255.255.255 any
740 deny ip 10.0.0.0 0.255.255.255 any (279 matches)
750 deny ip 172.16.0.0 0.15.255.255 any
760 deny ip 192.168.0.0 0.0.255.255 any
770 deny ip 224.0.0.0 15.255.255.255 any
780 deny ip 240.0.0.0 15.255.255.255 any
790 deny ip 0.0.0.0 0.255.255.255 any (3 matches)
800 deny ip 169.254.0.0 0.0.255.255 any
810 deny ip 192.0.2.0 0.0.0.255 any
820 deny ip 127.0.0.0 0.255.255.255 any
830 permit ip any any
Extended IP access list autosec_firewall_acl (Compiled)
10 permit udp any any eq bootpc
20 deny ip any any
Extended IP access list autosec_iana_reserved_block (Compiled)
10 deny ip 1.0.0.0 0.255.255.255 any
20 deny ip 2.0.0.0 0.255.255.255 any
30 deny ip 5.0.0.0 0.255.255.255 any
40 deny ip 7.0.0.0 0.255.255.255 any
50 deny ip 23.0.0.0 0.255.255.255 any
60 deny ip 27.0.0.0 0.255.255.255 any
70 deny ip 31.0.0.0 0.255.255.255 any
80 deny ip 36.0.0.0 0.255.255.255 any
90 deny ip 37.0.0.0 0.255.255.255 any
100 deny ip 39.0.0.0 0.255.255.255 any
110 deny ip 41.0.0.0 0.255.255.255 any
120 deny ip 42.0.0.0 0.255.255.255 any
130 deny ip 49.0.0.0 0.255.255.255 any
140 deny ip 50.0.0.0 0.255.255.255 any
150 deny ip 58.0.0.0 0.255.255.255 any
160 deny ip 59.0.0.0 0.255.255.255 any
170 deny ip 60.0.0.0 0.255.255.255 any
180 deny ip 70.0.0.0 0.255.255.255 any
190 deny ip 71.0.0.0 0.255.255.255 any
200 deny ip 72.0.0.0 0.255.255.255 any
210 deny ip 73.0.0.0 0.255.255.255 any
220 deny ip 74.0.0.0 0.255.255.255 any
230 deny ip 75.0.0.0 0.255.255.255 any
240 deny ip 76.0.0.0 0.255.255.255 any
250 deny ip 77.0.0.0 0.255.255.255 any
260 deny ip 78.0.0.0 0.255.255.255 any
270 deny ip 79.0.0.0 0.255.255.255 any
280 deny ip 83.0.0.0 0.255.255.255 any
290 deny ip 84.0.0.0 0.255.255.255 any
300 deny ip 85.0.0.0 0.255.255.255 any
310 deny ip 86.0.0.0 0.255.255.255 any
320 deny ip 87.0.0.0 0.255.255.255 any
330 deny ip 88.0.0.0 0.255.255.255 any
340 deny ip 89.0.0.0 0.255.255.255 any
350 deny ip 90.0.0.0 0.255.255.255 any
360 deny ip 91.0.0.0 0.255.255.255 any
370 deny ip 92.0.0.0 0.255.255.255 any
380 deny ip 93.0.0.0 0.255.255.255 any
390 deny ip 94.0.0.0 0.255.255.255 any
400 deny ip 95.0.0.0 0.255.255.255 any
410 deny ip 96.0.0.0 0.255.255.255 any
420 deny ip 97.0.0.0 0.255.255.255 any
430 deny ip 98.0.0.0 0.255.255.255 any
440 deny ip 99.0.0.0 0.255.255.255 any
450 deny ip 100.0.0.0 0.255.255.255 any
460 deny ip 101.0.0.0 0.255.255.255 any
470 deny ip 102.0.0.0 0.255.255.255 any
480 deny ip 103.0.0.0 0.255.255.255 any
490 deny ip 104.0.0.0 0.255.255.255 any
500 deny ip 105.0.0.0 0.255.255.255 any
510 deny ip 106.0.0.0 0.255.255.255 any
520 deny ip 107.0.0.0 0.255.255.255 any
530 deny ip 108.0.0.0 0.255.255.255 any
540 deny ip 109.0.0.0 0.255.255.255 any
550 deny ip 110.0.0.0 0.255.255.255 any
560 deny ip 111.0.0.0 0.255.255.255 any
570 deny ip 112.0.0.0 0.255.255.255 any
580 deny ip 113.0.0.0 0.255.255.255 any
590 deny ip 114.0.0.0 0.255.255.255 any
600 deny ip 115.0.0.0 0.255.255.255 any
610 deny ip 116.0.0.0 0.255.255.255 any
620 deny ip 117.0.0.0 0.255.255.255 any
630 deny ip 118.0.0.0 0.255.255.255 any
640 deny ip 119.0.0.0 0.255.255.255 any
650 deny ip 120.0.0.0 0.255.255.255 any
660 deny ip 121.0.0.0 0.255.255.255 any
670 deny ip 122.0.0.0 0.255.255.255 any
680 deny ip 123.0.0.0 0.255.255.255 any
690 deny ip 124.0.0.0 0.255.255.255 any
700 deny ip 125.0.0.0 0.255.255.255 any
710 deny ip 126.0.0.0 0.255.255.255 any
720 deny ip 197.0.0.0 0.255.255.255 any
730 deny ip 201.0.0.0 0.255.255.255 any
740 permit ip any any
Extended IP access list autosec_private_block (Compiled)
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 172.16.0.0 0.15.255.255 any
30 deny ip 192.168.0.0 0.0.255.255 any
40 permit ip any any
Extended IP access list sl_def_acl (Compiled)
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit ip any any log
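To check what the ACLs that Auto Secure generated above actually match, here is an added example (not part of the original page or of Cisco IOS) that parses a constructed excerpt of the `show access-lists` output and evaluates packets against it with Cisco's wildcard-mask and first-match semantics, including the implicit deny at the end of every ACL and the `log` flag on the sl_def_acl entries.

```python
import ipaddress
# Constructed excerpt of two of the ACLs listed in the `show access-lists` output above.
ACL_TEXT = """\
Extended IP access list autosec_private_block (Compiled)
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 172.16.0.0 0.15.255.255 any
30 deny ip 192.168.0.0 0.0.255.255 any
40 permit ip any any
Extended IP access list sl_def_acl (Compiled)
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit ip any any log
"""
PORT_NAMES = {"telnet": 23, "www": 80, "bootpc": 68}   # IOS port keywords seen above

def _addr(t, i):
    """Consume 'any' or 'A.B.C.D wildcard' at t[i]; return ((net, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def parse_acls(text):
    """Parse show-access-lists text into {name: [(seq, action, proto, src, dst, dport, log)]}."""
    acls, cur = {}, None
    for line in text.splitlines():
        t = line.split()
        if t and t[0] == "Extended":      # header: "Extended IP access list <name> (Compiled)"
            cur = acls.setdefault(t[4], [])
        elif t:
            src, i = _addr(t, 3)
            dst, i = _addr(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":   # destination port, by keyword or number
                dport, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
            cur.append((int(t[0]), t[1], t[2], src, dst, dport, "log" in t[i:]))
    return acls

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First-match lookup ending in Cisco's implicit 'deny ip any any'; returns (action, seq, logs)."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for seq, action, eproto, (sn, sw), (dn, dw), eport, log in acl:
        if eproto not in ("ip", proto) or (eport is not None and eport != dport):
            continue
        # Wildcard semantics: a 1 bit in the mask means "don't care" for that address bit.
        if (s & ~sw) != (sn & ~sw) or (d & ~dw) != (dn & ~dw):
            continue
        return action, seq, log
    return "deny", None, False            # no entry matched: implicit deny, nothing logged
```

The same parser accepts the full autosec_iana_reserved_block listing above; that list is a static snapshot of unallocated address space at the time of the IOS release, so compare it against current IANA allocations before relying on it.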
Demo#sh tcp ?
<0-198> Line number
aux Auxiliary line
brief Brief display
console Primary terminal line
intercept Intercept display
statistics TCP protocol statistics
tcb TCB address
tty Terminal controller
vty Virtual terminal
x/y Slot/Port for Modems
x/y/z Slot/Subslot/Port for Modems
| Output modifiers
Demo#sh tcp tty
% Incomplete command.
Demo#sh tcp tty ?
<1-192> Line number
Demo#sh tcp tty 1
Demo#sh tcp sta
Demo#sh tcp statistics
Rcvd: 0 Total, 0 no port
0 checksum error, 0 bad offset, 0 too short
0 packets (0 bytes) in sequence
0 dup packets (0 bytes)
0 partially dup packets (0 bytes)
0 out-of-order packets (0 bytes)
0 packets (0 bytes) with data after window
0 packets after close
0 window probe packets, 0 window update packets
0 dup ack packets, 0 ack packets with unsend data
0 ack packets (0 bytes)
Sent: 0 Total, 0 urgent packets
0 control packets (including 0 retransmitted)
0 data packets (0 bytes)
0 data packets (0 bytes) retransmitted
0 data packets (0 bytes) fastretransmitted
0 ack only packets (0 delayed)
0 window probe packets, 0 window update packets
0 Connections initiated, 0 connections accepted, 0 connections established
1 Connections closed (including 0 dropped, 1 embryonic dropped)
0 Total rxmt timeout, 0 connections dropped in rxmt timeout
0 Keepalive timeout, 0 keepalive probe, 0 Connections dropped in keepalive
Demo#sh tcp ?
<0-198> Line number
aux Auxiliary line
brief Brief display
console Primary terminal line
intercept Intercept display
statistics TCP protocol statistics
tcb TCB address
tty Terminal controller
vty Virtual terminal
x/y Slot/Port for Modems
x/y/z Slot/Subslot/Port for Modems
| Output modifiers
Demo#sh tcp
Demo#sh cdp ?
entry Information for specific neighbor entry
interface CDP interface status and configuration
neighbors CDP neighbor entries
traffic CDP statistics
| Output modifiers
Demo#sh cdp
% CDP is not enabled
Demo#
Demo#sh ip ?
access-lists List IP access lists
accounting The active IP accounting database
admission Network Admission Control information
aliases IP alias table
arp IP ARP table
as-path-access-list List AS path access lists
auth-proxy Authentication Proxy information
bgp BGP information
cache IP fast-switching route cache
casa display casa information
cef Cisco Express Forwarding
community-list List community-list
ddns Dynamic DNS
dfp DFP information
dhcp Show items in the DHCP database
director Director agent
dns Show DNS zone information
drp Director response protocol
dvmrp DVMRP information
eigrp IP-EIGRP show commands
extcommunity-list List extended-community list
flow NetFlow switching
helper-address helper-address table
host-list Host list
http HTTP information
igmp IGMP information
inspect CBAC (Context Based Access Control) information
interface IP interface status and configuration
ips IPS (Intrusion Prevention System) information
irdp ICMP Router Discovery Protocol
local IP local options
masks Masks associated with a network
mcache IP multicast fast-switching cache
mobile IP Mobility information
mpacket Display possible duplicate multicast packets
mrm IP Multicast Routing Monitor information
mroute IP multicast routing table
msdp Multicast Source Discovery Protocol (MSDP)
mtag IP Multicast Tagswitching TIB
multicast Multicast global information
nat IP NAT information
nbar Network-Based Application Recognition
nhrp NHRP information
ospf