Help with a CISCO SECURITY exercise
Posted: Sat 26 Jun 2010 8:09 pm
Hi everyone!
I'm new and have just registered.
Basically I need help writing all the commands
to configure a Cisco router so as to solve the points of the attached exercise. It is part of the exam for a course I have to take in a few days: "Network Security". Unfortunately, because of funding cuts to universities, the parallel Cisco course (CISCO SECURITY) was not held.
I tried to do this...
If you have a way to correct or add commands...
THANKS... I'm depending on you at this point!!
Regards...
PS: I'm using PACKET TRACER 5.3 (I have no way of getting access to real devices)
PPS: I uploaded the file here: http://www.megaupload.com/?d=FM86ZDYA
Since I can't attach the .doc file, I'm posting my configuration below:
// Basic router configuration //
Router(config)# hostname Router
Router(config)# no ip domain-lookup
Router(config)# enable secret class
Router(config)# line con 0
Router(config-line)# password cisco
Router(config-line)# login
Router(config-line)# exec-timeout 3 30 (CONSOLE 0 line timeout)
Router(config-line)# exit
Router(config)# line vty 0 4
Router(config-line)# password cisco
Router(config-line)# login
Router(config-line)# exec-timeout 3 30 (VTY 0...4 lines timeout)
Router(config-line)# exit
Router(config)# line aux 0
Router(config-line)# password cisco
Router(config-line)# login
Router(config-line)# exec-timeout 3 30 (AUX 0 line timeout)
Router(config-line)# exit
// Configure the router INTERFACES //
Router(config)# int e0/0
Router(config-if)# description INSIDE NETWORK
Router(config-if)# ip address 10.10.1.1 255.0.0.0
Router(config-if)# no shut
Router(config-if)# exit
Router(config)# int e0/1
Router(config-if)# description OUTSIDE NETWORK
Router(config-if)# ip address 88.52.101.193 255.255.255.192
Router(config-if)# no shut
Router(config-if)# exit
Router(config)# int e1/0
Router(config-if)# description DMZ NETWORK
Router(config-if)# ip address 172.16.0.1 255.255.0.0
Router(config-if)# no shut
Router(config-if)# exit
// Configure a static route //
Router(config)# ip route 0.0.0.0 0.0.0.0 e0/1
// Enable the syslog server and start logging //
Router(config)# logging on
Router(config)# logging 10.10.1.100
// Configure CBAC to inspect OUTBOUND TCP and UDP traffic //
Router(config)# ip inspect audit-trail
Router(config)# ip inspect name OUTBOUND tcp
Router(config)# ip inspect name OUTBOUND udp
// Create an ACL to permit traffic originating from the INSIDE network //
Router(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
Router(config)# access-list 101 deny ip any any
// Apply the ACL and the INSPECTION RULE to interface e0/0 //
Router(config)# interface e0/0
Router(config-if)# ip inspect OUTBOUND in
Router(config-if)# ip access-group 101 in
Router(config-if)# exit
// Configure CBAC to inspect INBOUND TCP traffic //
Router(config)# ip inspect name INBOUND tcp
// Create an ACL to permit traffic from the OUTSIDE network to the WebServer //
Router(config)# access-list 102 permit icmp any host 172.16.0.2
Router(config)# access-list 102 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 102 deny ip any any
// Apply the ACL and the INSPECTION RULE to interface e0/1 //
Router(config)# interface e0/1
Router(config-if)# ip inspect INBOUND in
Router(config-if)# ip access-group 102 in
Router(config-if)# exit
// Create an ACL for ICMP traffic originating from the WebServer in the DMZ //
Router(config)# access-list 103 permit icmp host 172.16.0.2 any
Router(config)# access-list 103 deny ip any any
// Create an ACL to permit traffic originating from the OUTSIDE and INSIDE networks to the WebServer //
Router(config)# access-list 104 permit icmp any host 172.16.0.2
Router(config)# access-list 104 permit tcp any host 172.16.0.2 eq www
Router(config)# access-list 104 deny ip any any
// Apply the ACLs to interface e1/0 (interface mode must be entered first) //
Router(config)# interface e1/0
Router(config-if)# ip access-group 103 in
Router(config-if)# ip access-group 104 out
Router(config-if)# exit
// Configure AAA with a RADIUS SERVER //
Router(config)# username pezzino privilege 15 password cisco
Router(config)# username guest privilege 1 password guest
Router(config)# aaa new-model
Router(config)# radius-server host 10.10.1.50 key ciscosecure
Router(config)# aaa authentication login default group radius local
// Configure the IDS service //
Router(config)# ip audit notify log
Router(config)# ip audit po remote hostid 16 orgid 1 rmtaddress 10.10.1.100 localaddress 10.10.1.1
Router(config)# ip audit name AUDIT1 info action alarm
Router(config)# ip audit name AUDIT1 attack action alarm drop reset
Router(config)# int e0/1
Router(config-if)# ip audit AUDIT1 in
Router(config-if)# exit
// Define the parameters for IKE policy 110 //
Router(config)# crypto isakmp policy 110
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# group 2
Router(config-isakmp)# hash sha
Router(config-isakmp)# lifetime 36000
Router(config-isakmp)# exit
Router(config)# crypto isakmp key cisco1234 address 80.27.110.13 // Peer address
Router(config)# crypto ipsec transform-set MYSET esp-des
// Define the ACL for the traffic to be encrypted //
// (note: the address/wildcard pairs below do not line up; the host bits covered by the 0.0.0.255 wildcard are ignored, so this entry matches 10.0.0.0/24 to 80.27.110.0/24) //
Router(config)# access-list 110 permit tcp 10.0.0.3 0.0.0.255 80.27.110.13 0.0.0.255
// Define the parameters for the Crypto MAP //
Router(config)# crypto map MYMAP 110 ipsec-isakmp
Router(config-crypto-map)# match address 110 // ACL 110 defines the "interesting" traffic //
Router(config-crypto-map)# set peer 80.27.110.13
Router(config-crypto-map)# set pfs group1
Router(config-crypto-map)# set transform-set MYSET
Router(config-crypto-map)# set security-association lifetime seconds 86400
Router(config-crypto-map)# exit
// Apply the Crypto MAP to the OUTSIDE egress interface (the name is case-sensitive and must match MYMAP above) //
Router(config)# int e0/1
Router(config-if)# crypto map MYMAP
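A small way to check what the ACLs in the post actually permit before loading them: the following is an added example (not part of the original post or of any Cisco tool) that models IOS access-list evaluation, wildcard masks included, with ACL 102 from the post as constructed input. It also shows why the address/wildcard pair in ACL 110 does not mean what it seems to.

```python
import ipaddress

# Constructed model of Cisco IOS extended-ACL matching. A 0 bit in the
# wildcard means "must match", a 1 bit means "don't care". Added example,
# not part of the poster's configuration or of IOS itself.
ALL = 0xFFFFFFFF


def wildcard_match(addr, base, wildcard):
    """True if addr matches base/wildcard the way IOS evaluates it."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & ALL) == (b & ~w & ALL)


def normalized_base(base, wildcard):
    """Base address with the 'don't care' bits cleared (what really matches)."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(b & ~w & ALL))


# Each entry: (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port)
# ACL 102 from the post: ICMP and HTTP from anywhere to the DMZ web server.
ACL_102 = [
    ("permit", "icmp", "0.0.0.0", "255.255.255.255", "172.16.0.2", "0.0.0.0", None),
    ("permit", "tcp", "0.0.0.0", "255.255.255.255", "172.16.0.2", "0.0.0.0", 80),
    ("deny", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, p, s, swc, d, dwc, port in acl:
        if p != "ip" and p != proto:
            continue
        if not wildcard_match(src, s, swc) or not wildcard_match(dst, d, dwc):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows arriving on e0/1 from the outside.
    print(evaluate(ACL_102, "tcp", "88.52.101.200", "172.16.0.2", 80))
    print(evaluate(ACL_102, "tcp", "88.52.101.200", "172.16.0.2", 22))
    # ACL 110's "10.0.0.3 0.0.0.255" is really the 10.0.0.0/24 network.
    print(normalized_base("10.0.0.3", "0.0.0.255"))
```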