Appendix D. Configuration Examples

This appendix consolidates many of the concepts presented in this book into example router configurations that can be used as templates for your Cisco routers. While these examples don’t include every possible configuration, they do include the most common security configurations for both small and large organizations. The examples are written so that you can type all commands directly into your router; the output of show running-config will differ slightly from these listings because of IOS version and command-line differences.

Basic Example Configuration

This is a basic secure configuration that you might find at an organization with a small network with few routers and few administrators. In addition to standard security settings, this configuration will:

  • Disable all unneeded services. This configuration doesn’t use HTTP, SNMP, TFTP, CDP, etc.

  • Configure the router to use an external NTP server to set its time, while peering with two other routers—10.10.2.1 and 10.10.4.1. NTP is configured to use authentication and to serve only clients on the internal network.

  • Configure logging to log to the syslog server 10.10.4.6.

  • Enable an external interface—Serial 0/0—that has an antispoofing ACL applied to it. This interface uses BGP, with authentication, as its routing protocol.

  • Enable an internal interface—Fast Ethernet 0/0—that has been configured to use RIP v2, with authentication, as its routing protocol.

  • Configure console access to use a line password for authentication.

  • Disable AUX access.

  • Restrict VTY access to the IP 10.10.4.10 and configure it to use only SSH:

!
! Enable password encryption
service password-encryption
!  
! Set the privileged level password
enable secret SecretEnablePassword
!
! Disable Global services & protocols
no service udp-small-servers
no service tcp-small-servers
no service finger
no service pad
no service config
no boot network
no cdp run
no snmp-server
no ip bootp server
no ip source-route
no ip finger
no ip name-server
no ip classless
no ip http server
!
! Enable needed services 
ip cef
service tcp-keepalives-in
!
! Configure the Loopback Address
int loopback 0
  ip address 10.10.10.1 255.255.255.252
!
! Configure NTP
  ! Use External Server 192.5.5.250
  ntp server 192.5.5.250  prefer
  ! Set our NTP source address to be our loopback interface
  ntp source loopback 0
  ! Enable NTP Authentication
  ntp authenticate
  ! Create & Trust our NTP authentication Key
  ntp authentication-key 10  md5 SecretNtpKey
  ntp trusted-key 10
  ! Now Peer with our other main routers (10.10.2.1 & 10.10.4.1)
  ! But use the authentication key we just created
  ntp peer 10.10.2.1 key 10
  ntp peer 10.10.4.1 key 10
  ! Configure NTP to only peer with our main routers (10.10.2.1 & 10.10.4.1)
    ! Create ACL & Log violations
    access-list 20  permit host 10.10.2.1
    access-list 20  permit host 10.10.4.1
    access-list 20  deny any log
    ! Apply the ACL as our peer ACL
    ntp access-group peer 20
  ! Configure NTP to only serve our internal networks 10.10.0.0/16
    ! Create an ACL & log violations
    access-list 21  permit 10.10.0.0 0.0.255.255
    access-list 21  deny any log
    ! Apply the ACL as our server-only ACL
    ntp access-group serve-only 21
  ! Serve at most 20 NTP clients
  ntp max-associations 20
  ! Set to Eastern Daylight Savings Time
  clock summer-time EDT  recurring
!
! Set up logging
  ! Turn logging on
  logging on
  ! Configure logging to use millisecond time stamps and the timezone
  service timestamps log datetime msec localtime show-timezone
  ! Enable sequence numbers and throttle messages below error level
  service sequence-numbers
  logging rate-limit all 10 except error
  ! Create our logging buffer
  logging buffer 32000
  ! Set our logging buffer to see notification level messages & above
  logging buffer notification
  ! Disable Console logging
  no logging console
  ! Configure logging to go to our syslog server 10.10.4.6
  logging 10.10.4.6
  ! Set our syslog facility to local6 and our level to informational & above
  logging facility local6
  logging trap informational
!
! NSA recommended command privilege changes
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show ip
!
! Configure the Login Banner
banner login ^C
WARNING!!!
This system is solely for the use of authorized users for official purposes
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.  Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials
^C
!
! Configure the EXEC Banner
banner exec ^C
NOTICE!!!
This system is solely for the use of authorized users for official purposes
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.  Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials
^C
!
! Configure BGP for our ISP link using authentication
router bgp 100
  network 10.10.2.0
  network 10.10.4.0
  network 130.18.6.0
  neighbor 130.18.6.2 remote-as 115
  neighbor 130.18.6.2 password SecretBGPpassword
!
! Create an Ingress (incoming) ACL for our External Interface (Serial 0/0)
  ! Anti-spoofing (internal network is 10.10.0.0/16)
  access-list 101  deny ip 10.10.0.0 0.0.255.255  any log-input
  access-list 101  deny ip 127.0.0.0 0.255.255.255 any log-input
  access-list 101  deny ip 10.0.0.0 0.255.255.255 any log-input
  access-list 101  deny ip 172.16.0.0 0.15.255.255 any log-input
  access-list 101  deny ip 192.168.0.0 0.0.255.255 any log-input
  access-list 101  deny ip 224.0.0.0 15.255.255.255 any log-input
  access-list 101  deny ip 240.0.0.0 7.255.255.255 any log-input
  ! Block all incoming Syslog packets (port 514)
  access-list 101  deny udp any any eq 514 log-input
  ! Block all incoming ICMP packets except "fragmentation needed" (type 3, code 4),
  ! which path MTU discovery relies on
  ! This won't allow us to ping or traceroute outside our network
  access-list 101  permit icmp any any 3 4
  access-list 101  deny icmp any any log-input
  ! Allow everything else 
  access-list 101  permit ip any any
!
! Create our egress filter so our network cannot send out spoofed packets
access-list 102  permit ip 10.10.0.0 0.0.255.255  any
access-list 102  deny ip any any log-input
!
! External Interface (Directly connected to Internet)
interface Serial 0/0
  ip address 130.18.6.1 255.255.255.252
  ! Disable unneeded protocols & services
  no ip redirects
  no ip directed-broadcast
  no ip mask-reply
  no ip unreachables
  no ip proxy-arp
  no cdp enable
  ! Enable uRPF anti-spoofing features
  ip verify unicast reverse-path
  ! Make sure we don't serve as a NTP server
  ntp disable
  ! Apply our ingress (incoming) ACL
  ip access-group 101 in
  ! Apply our egress (outgoing) ACL
  ip access-group 102 out
!
! Configure RIPv2 for our internal networking
router rip 
  version 2
  network 10.0.0.0
!  
! Define a Key Chain for our RIPv2 authentication
key chain 10
  key 1
    key-string SecretRipKey
!
! Internal Interface FastEthernet 0/0 (connected to our internal network)
interface FastEthernet 0/0
  ip address 10.10.2.2 255.255.255.0
  ! Disable unneeded protocols & services
  no ip redirects
  no ip directed-broadcast
  no ip mask-reply
  no ip unreachables
  no ip proxy-arp
  no cdp enable
  ! Enable uRPF anti-spoofing features
  ip verify unicast reverse-path
  ! Enable & Configure RIP v2 authentication
  ip rip authentication key-chain 10
  ip rip authentication mode md5
!
! Securely Configure the Console
line con 0
  ! Enable logins
  login
  ! Set the Console Login password
  password SecretConsolePassword
  ! Disable all network access
  transport input none
!
! Disable the AUX port
line aux 0
  ! Use the login and no password commands to disable access
  login
  no password
  ! Disable all network access
  transport input none
  ! NSA's other recommended commands for disabling access
  no exec
  exec-timeout 0 1
!
! Enable SSH on the router
  ! Give the router a hostname
  hostname RouterOne
  ! Configure our domain
  ip domain-name Company.Com
  !  Configure our RSA keys
  !crypto key generate rsa
  !  Configure a local username for vty SSH access
  username JohnDoe password PasswordForJohnDoe
  !  Configure SSH retries & Timeout
  ip ssh time-out 60
  ip ssh authentication-retries 2
!
! Create ACL to restrict VTY access to the manager's IP only (10.10.4.10)
access-list 15  permit 10.10.4.10
access-list 15  deny any log
! Configure & Secure VTY access
line vty 0 4
  ! Enable login using the locally defined username and password
  login local
  ! Make sure we only use SSH to access the router
  transport input ssh
  ! Set the timeout to 5 minutes
  exec-timeout 5 0
  ! Apply ACL to restrict VTY access
  access-class 15 in
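
The anti-spoofing ACL 101, the egress ACL 102 and the VTY ACL 15 above depend on two IOS behaviors that are easy to get wrong: wildcard masks are inverted netmasks (a 1 bit means "don't care"), and entries are evaluated top-down, the first match ends the search, and an implicit deny sits at the end of every list. The following Python model is added here as an example and is not code from the book. It copies those ACL lines verbatim and runs constructed sample packets through them so you can confirm which sources are dropped and logged on Serial 0/0 before committing the list to a router. The Packet and Entry classes, the helper names and the sample addresses are assumptions made for the demonstration.

```python
"""How IOS evaluates the numbered ACLs in the configuration above: entries are
checked top-down and the first match decides. Added example, not from the
book; the ACL lines are copied from the configuration, the packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACL_TEXT = """
access-list 15 permit 10.10.4.10
access-list 15 deny any log
access-list 101 deny ip 10.10.0.0 0.0.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log-input
access-list 101 deny ip 240.0.0.0 7.255.255.255 any log-input
access-list 101 deny udp any any eq 514 log-input
access-list 101 permit icmp any any 3 4
access-list 101 deny icmp any any log-input
access-list 101 permit ip any any
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
access-list 102 deny ip any any log-input
"""
MASK32 = 0xFFFFFFFF
AddrSpec = Tuple[int, int]          # (network, wildcard mask) as 32-bit ints

@dataclass
class Entry:
    action: str
    proto: str                      # "ip" matches every protocol
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    log: bool = False

@dataclass
class Packet:                       # constructed packet summary (assumption for the demo)
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def ip2int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def parse_addr(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    """'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]' at tok[i] -> (spec, next index)."""
    if tok[i] == "any":
        return (0, MASK32), i + 1
    if tok[i] == "host":
        return (ip2int(tok[i + 1]), 0), i + 2
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:     # explicit wildcard mask
        return (ip2int(tok[i]), ip2int(tok[i + 1])), i + 2
    return (ip2int(tok[i]), 0), i + 1                        # bare host (standard ACL)

def parse_acls(text: str) -> Dict[int, List[Entry]]:
    acls: Dict[int, List[Entry]] = {}
    for line in text.strip().splitlines():
        tok = line.split()
        num, action = int(tok[1]), tok[2]
        if num < 100:                                        # standard ACL: source only
            src, i = parse_addr(tok, 3)
            entry = Entry(action, "ip", src, (0, MASK32), log="log" in tok[i:])
        else:                                                # extended ACL
            src, i = parse_addr(tok, 4)
            dst, i = parse_addr(tok, i)
            rest = [t for t in tok[i:] if not t.startswith("log")]
            entry = Entry(action, tok[3], src, dst, log=len(rest) != len(tok[i:]))
            if rest[:1] == ["eq"]:                           # destination port
                entry.dport = int(rest[1])
            elif entry.proto == "icmp" and rest:             # ICMP type [code]
                entry.icmp_type = int(rest[0])
                entry.icmp_code = int(rest[1]) if len(rest) > 1 else None
        acls.setdefault(num, []).append(entry)
    return acls

def addr_match(addr: int, spec: AddrSpec) -> bool:
    net, wild = spec
    return (addr ^ net) & (~wild & MASK32) == 0               # wildcard 1-bits are don't-care

def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, bool, Optional[int]]:
    """Return (action, logged?, index of matching entry); implicit deny when nothing matches."""
    s, d = ip2int(pkt.src), ip2int(pkt.dst)
    for idx, e in enumerate(entries):
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (addr_match(s, e.src) and addr_match(d, e.dst)):
            continue
        if any(want is not None and want != got for want, got in
               ((e.dport, pkt.dport), (e.icmp_type, pkt.icmp_type), (e.icmp_code, pkt.icmp_code))):
            continue                                         # port or ICMP type/code qualifier failed
        return e.action, e.log, idx
    return "deny", False, None                                # implicit deny at the end of every ACL

ACLS = parse_acls(ACL_TEXT)
```

Call evaluate(ACLS[101], pkt) for a packet arriving on Serial 0/0; the returned index tells you which line matched, which is what you need when a log-input message appears and you want to know which deny fired. Note that the 10.10.0.0/16 entry is a subset of the 10.0.0.0/8 entry below it, so it exists only to log spoofs of your own prefix on a distinct line; the 10.0.0.0/8 entry still catches the rest of that private range.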

AAA Example Configuration

This configuration is the same as the preceding one, except that instead of local and line authentication, it uses AAA authentication and a TACACS+ access control server. The TACACS+ server used in this example has the IP address 10.10.2.20.

!
! Enable password encryption
service password-encryption
!  
! Set the privileged level password
enable secret UnGuessablePassword
!
! Disable Global services & protocols
no service udp-small-servers
no service tcp-small-servers
no service finger
no service pad
no service config
no boot network
no cdp run
no snmp-server
no ip bootp server
no ip source-route
no ip finger
no ip name-server
no ip classless
no ip http server
!
! Enable needed services 
ip cef
service tcp-keepalives-in
!
! Configure the Loopback Address
int loopback 0
  ip address 10.10.10.1 255.255.255.252
!
! Configure NTP
  ! Use External Server 192.5.5.250
  ntp server 192.5.5.250  prefer
  ! Set our NTP source address to be our loopback interface
  ntp source loopback 0
  ! Enable NTP Authentication
  ntp authenticate
  ! Create & Trust our NTP authentication Key
  ntp authentication-key 10  md5 SecretNtpKey
  ntp trusted-key 10
  ! Now Peer with our other main routers (10.10.2.1 & 10.10.4.1)
  ! But use the authentication key we just created
  ntp peer 10.10.2.1 key 10
  ntp peer 10.10.4.1 key 10
  ! Configure NTP to only peer with our main routers (10.10.2.1 & 10.10.4.1)
    ! Create ACL & Log violations
    access-list 20  permit host 10.10.2.1 
    access-list 20  permit host 10.10.4.1
    access-list 20  deny any log
    ! Apply the ACL as our peer ACL
    ntp access-group peer 20
  ! Configure NTP to only serve our internal networks 10.10.0.0/16
    ! Create an ACL & log violations
    access-list 21  permit 10.10.0.0 0.0.255.255
    access-list 21  deny any log
    ! Apply the ACL as our server-only ACL
    ntp access-group serve-only 21
  ! Serve at most 20 NTP clients
  ntp max-associations 20
  ! Set to Eastern Daylight Savings Time
  clock summer-time EDT  recurring
!
! Set up logging
  ! Turn logging on
  logging on
  ! Configure logging to use millisecond time stamps and the timezone
  service timestamps log datetime msec localtime show-timezone
  ! Enable sequence numbers and throttle messages below error level
  service sequence-numbers
  logging rate-limit all 10  except error
  ! Create our logging buffer
  logging buffer 32000
  ! Set our logging buffer to see notification level messages & above
  logging buffer notification
  ! Disable Console logging
  no logging console
  ! Configure logging to go to our syslog server 10.10.4.6
  logging 10.10.4.6
  ! Set our syslog facility to local6 and our level to informational & above
  logging facility local6
  logging trap informational
!
! NSA recommended command privilege changes
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show ip
!
! Configure the Login Banner
banner login ^C
WARNING!!!
This system is solely for the use of authorized users for official purposes
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.  Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials
^C
!
! Configure the EXEC Banner
banner exec ^C
NOTICE!!!
This system is solely for the use of authorized users for official purposes
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.  Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials
^C
!
! Configure BGP for our ISP link using authentication
router bgp 100
  network 10.10.2.0
  network 10.10.4.0
  network 130.18.6.0
  neighbor 130.18.6.2 remote-as 115
  neighbor 130.18.6.2 password SecretBGPpassword
!
! Create an Ingress (incoming) ACL for our External Interface (Serial 0/0)
  ! Anti-spoofing (internal network is 10.10.0.0/16)
  access-list 101  deny ip 10.10.0.0 0.0.255.255  any log-input
  access-list 101  deny ip 127.0.0.0 0.255.255.255 any log-input
  access-list 101  deny ip 10.0.0.0 0.255.255.255 any log-input
  access-list 101  deny ip 172.16.0.0 0.15.255.255 any log-input
  access-list 101  deny ip 192.168.0.0 0.0.255.255 any log-input
  access-list 101  deny ip 224.0.0.0 15.255.255.255 any log-input
  access-list 101  deny ip 240.0.0.0 7.255.255.255 any log-input
  ! Block all incoming Syslog packets (port 514)
  access-list 101  deny udp any any eq 514 log-input
  ! Block all incoming ICMP packets except "fragmentation needed" (type 3, code 4),
  ! which path MTU discovery relies on
  ! This won't allow us to ping or traceroute outside our network
  access-list 101  permit icmp any any 3 4
  access-list 101  deny icmp any any log-input
  ! Allow everything else 
  access-list 101  permit ip any any
!
! Create our egress filter so our network cannot send out spoofed packets
access-list 102  permit ip 10.10.0.0 0.0.255.255  any
access-list 102  deny ip any any log-input
!
! External Interface (Directly connected to Internet)
interface Serial 0/0
  ip address 130.18.6.1 255.255.255.252
  ! Disable unneeded protocols & services
  no ip redirects
  no ip directed-broadcast
  no ip mask-reply
  no ip unreachables
  no ip proxy-arp
  no cdp enable
  ! Enable uRPF anti-spoofing features
  ip verify unicast reverse-path
  ! Make sure we don't serve as a NTP server
  ntp disable
  ! Apply our ingress (incoming) ACL
  ip access-group 101 in
  ! Apply our egress (outgoing) ACL
  ip access-group 102 out
!
! Configure RIPv2 for our internal networking
router rip 
  version 2
  network 10.0.0.0
!  
! Define a Key Chain for our RIPv2 authentication
key chain 10
  key 1
    key-string SecretRipKey
!
! Internal Interface FastEthernet 0/0 (connected to our internal network)
interface FastEthernet 0/0
  ip address 10.10.2.2 255.255.255.0
  ! Disable unneeded protocols & services
  no ip redirects
  no ip directed-broadcast
  no ip mask-reply
  no ip unreachables
  no ip proxy-arp
  no cdp enable
  ! Enable uRPF anti-spoofing features
  ip verify unicast reverse-path
  ! Enable & Configure RIP v2 authentication
  ip rip authentication key-chain 10
  ip rip authentication mode md5
! 
! THIS IS WHERE DIFFERENCES FROM PREVIOUS CONFIG START
! THIS CONFIG USES AAA INSTEAD OF LOCAL & LINE AUTHENTICATION
! IT ALSO USES AAA TO USE A TACACS+ SERVER FOR AUTHORIZATION.
!
! Enable AAA
  ! Define a new AAA model
  aaa new-model
  ! Define where to find our TACACS+ server (10.10.2.20)
  tacacs-server host 10.10.2.20
  ! Configure our TACACS+ server key
  tacacs-server key TACACSserverKEY
  ! Define default AAA authentication methods for logins:
  ! First TACACS+ server, then local usernames if server is unreachable
  aaa authentication login default group tacacs+ local
  ! Define default AAA authentication methods for enable password:
  ! First TACACS+ server, then local enable password if server is unreachable
  aaa authentication enable default group tacacs+ enable
  !
  ! Configure router to use AAA for authorization (leave this part out if you
  ! only want to use AAA for authentication and keep standard authorization).
  !
  ! Configure AAA to use TACACS+ for EXEC (shell) authorization
  aaa authorization exec default group tacacs+ if-authenticated
  ! Configure AAA to use TACACS+ for level 1 and level 15 command authorization
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  !
  ! Configure the router to use AAA to log to the TACACS+ server. 
  !
  ! Configure the router to perform EXEC, System, Network & Connection logging
  ! to the TACACS+ server
  aaa accounting exec default start-stop  group tacacs+
  aaa accounting system default stop-only  group tacacs+
  aaa accounting connection default start-stop  group tacacs+
  aaa accounting network default start-stop  group tacacs+
  ! Now configure the router to log all level 1 (user) and level 15 (privileged)
  ! commands to the TACACS+ server
  aaa accounting commands 1  default stop-only  group tacacs+
  aaa accounting commands 15  default stop-only  group tacacs+
!
! Securely Configure the Console
line con 0
  ! Configure the console to use the AAA method 'default' for authentication
  login authentication default 
  ! Disable all network access
  transport input none
!
! Disable the AUX port
line aux 0
  ! Use the login and no password commands to disable access
  login
  no password
  ! Disable all network access
  transport input none
  ! NSA's other recommended commands for disabling access
  no exec
  exec-timeout 0 1
!
! Enable SSH on the router
  ! Give the router a hostname
  hostname RouterOne
  ! Configure our domain
  ip domain-name Company.Com
  !  Configure our RSA keys
  !crypto key generate rsa
  !  Configure a local username for vty SSH access
  username JohnDoe password PasswordForJohnDoe
  !  Configure SSH retries & Timeout
  ip ssh time-out 60
  ip ssh authentication-retries 2
!
! Create ACL to restrict VTY access to the manager's IP only (10.10.4.10)
access-list 15  permit 10.10.4.10
access-list 15  deny any log
! Configure & Secure VTY access
line vty 0 4
  ! Configure logins to use the AAA method 'default' for authentication
  login authentication default
  ! Make sure we only use SSH to access the router
  transport input ssh
  ! Set the timeout to 5 minutes
  exec-timeout 5 0
  ! Apply ACL to restrict VTY access
  access-class 15 in

SNMP Example Configuration

The previous examples have SNMP turned off. If your organization requires SNMP, add one of the following configurations to the preceding examples: to enable SNMP read-only access to the router, replace the no snmp-server command in the previous examples with the configuration below.

SNMP Version 2c

The following example configures the router to provide SNMP v2c read-only access to the SNMP management system 10.10.4.10:

!
! Create an ACL that only allows 10.10.4.10 to use SNMP access
access-list 30  permit 10.10.4.10
access-list 30  deny any log
!
! Enable the SNMP read only server
snmp-server community SNMPreadOnlyCommunityString RO 30

SNMP Version 3

This example uses SNMP v3 authentication and encryption to protect SNMP traffic between the management server and the router and allows only SNMP management system 10.10.4.10 to access the router through SNMP:

!
! Create ACL that only allows 10.10.4.10 to use SNMP access
access-list 40  permit 10.10.4.10
access-list 40  deny any log
! Create an SNMP v3 group to use Authentication & Encryption
snmp-server group AuthPrivGroup  v3 priv access 40
! Define an SNMPv3 user, authentication password, and encryption password.
snmp-server user MyUser3  AuthPrivGroup  v3 auth md5 AuthPass  priv des56 PrivPass

HTTP Configuration

If you decide that HTTP’s usefulness outweighs its security problems, replace the no ip http server command in the preceding examples with the following. This example configures HTTP access for the IP 10.10.4.10 only:

!
! Create an ACL to limit HTTP access to 10.10.4.10
access-list 45 permit 10.10.4.10
access-list 45 deny any log
! Enable the HTTP server and restrict it to the ACL
ip http server
ip http access-class 45
! Configure HTTP access to use local authentication
ip http authentication local
!
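
All the configurations in this appendix share one checklist: global services off, every physical interface with redirects, directed broadcasts, proxy ARP and CDP disabled, the AUX port shut, VTYs restricted to SSH behind an access-class, SNMP read-only behind an ACL, and HTTP (if enabled at all) behind an access-class. The Python script below is added here as an example and is not code from the book. It parses a configuration template in the form shown in this appendix and reports which of those settings are missing, so a template can be checked before it is pasted into a router. The parser, the finding messages and both sample templates (one hardened, one deliberately weak) are constructed for the demonstration.

```python
"""Audit an IOS configuration template against the hardening settings the
examples above share. Added example, not from the book: it checks template
text as typed (e.g. 'no cdp run'), not 'show running-config' output, and
both sample configurations below are constructed for the demonstration."""
import re
from typing import Dict, List, Tuple

REQUIRED_GLOBAL = ["service password-encryption", "no ip source-route", "no cdp run"]
REQUIRED_INTERFACE = ["no ip redirects", "no ip directed-broadcast", "no ip proxy-arp", "no cdp enable"]

def parse_sections(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split config into global commands and {'interface/line header': [sub-commands]}."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):     # blank or IOS comment
            continue
        if raw[0].isspace() and current is not None:            # indented: belongs to header
            sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith(("interface ", "line ")):
            current = cmd
            sections.setdefault(current, [])
        else:
            current = None
            globals_.append(cmd)
    return globals_, sections

def audit(text: str) -> List[str]:
    """Return one finding per hardening setting the template is missing."""
    findings = []
    globals_, sections = parse_sections(text)
    findings += [f"global: missing '{c}'" for c in REQUIRED_GLOBAL if c not in globals_]
    # HTTP is tolerable only when bound to an access-class, as in the HTTP example
    if "ip http server" in globals_ and not any(g.startswith("ip http access-class") for g in globals_):
        findings.append("global: 'ip http server' enabled without 'ip http access-class'")
    # SNMP communities must be read-only and bound to an ACL, as in the SNMP v2c example
    for g in globals_:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", g)
        if m and m.group(2) == "RW":
            findings.append(f"snmp: community '{m.group(1)}' grants read-write access")
        if m and m.group(3) is None:
            findings.append(f"snmp: community '{m.group(1)}' is not restricted by an access-list")
    for header, cmds in sections.items():
        if header.startswith("interface ") and "loopback" not in header.lower():
            findings += [f"{header}: missing '{c}'" for c in REQUIRED_INTERFACE if c not in cmds]
        elif header.startswith("line aux"):
            findings += [f"{header}: missing '{c}'" for c in ("no exec", "transport input none") if c not in cmds]
        elif header.startswith("line vty"):
            if [c for c in cmds if c.startswith("transport input")] != ["transport input ssh"]:
                findings.append(f"{header}: transport input is not SSH-only")
            if not any(re.fullmatch(r"access-class \d+ in", c) for c in cmds):
                findings.append(f"{header}: no 'access-class <acl> in' applied")
            if not any(c == "login local" or c.startswith("login authentication") for c in cmds):
                findings.append(f"{header}: authenticates with a line password rather than local users or AAA")
    return findings

# Constructed excerpt in the shape of the basic example above (hardened)
HARDENED_SAMPLE = """\
service password-encryption
no ip source-route
no cdp run
no ip http server
snmp-server community SNMPreadOnlyCommunityString RO 30
interface Serial 0/0
 ip address 130.18.6.1 255.255.255.252
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
line aux 0
 no exec
 transport input none
line vty 0 4
 login local
 transport input ssh
 access-class 15 in
"""

# Constructed counter-example with the weak settings the templates above remove
WEAK_SAMPLE = """\
ip http server
snmp-server community public RW
interface FastEthernet 0/0
 ip address 10.10.2.2 255.255.255.0
 no ip redirects
line aux 0
 transport input all
line vty 0 4
 login
 password cisco
 transport input telnet ssh
"""
```

audit(HARDENED_SAMPLE) returns an empty list, while audit(WEAK_SAMPLE) lists the read-write community, the unrestricted HTTP server, the telnet-capable VTY and the rest. The script checks the template as typed; a real show running-config omits defaults and may abbreviate commands, so extend REQUIRED_GLOBAL and parse_sections before pointing it at live output.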