This appendix consolidates many of the concepts presented in this book into example router configurations that can be used as templates for your Cisco routers. While these examples don't include all possible configurations, they do include the most common security configurations for both small and large organizations. The examples are written so you can type all commands directly into your router. They will differ slightly from the output of show running-config because of IOS version and command line differences.
This is a basic secure configuration that you might find at an organization with a small network, few routers, and few administrators. In addition to standard security settings, this configuration will:

- Disable all unneeded services. This configuration doesn't use HTTP, SNMP, TFTP, CDP, etc.
- Configure the router to use an external NTP server to set its time, while peering with two other routers, 10.10.2.1 and 10.10.4.1. NTP is configured to use authentication and to serve only clients on the internal network.
- Configure logging to log to the syslog server 10.10.4.6.
- Enable an external interface, Serial 0/0, that has an antispoofing ACL applied to it. This interface uses BGP, with authentication, as its routing protocol.
- Enable an internal interface, Fast Ethernet 0/0, that has been configured to use RIP v2, with authentication, as its routing protocol.
- Configure console access to use a line password for authentication.
- Disable AUX access.
- Restrict VTY access to the IP 10.10.4.10 and configure it to use only SSH:
!
! Enable password encryption
service password-encryption
!
! Set the privileged level password
enable secret SecretEnablePassword
!
! Disable Global services & protocols
no service udp-small-servers
no service tcp-small-servers
no service finger
no service pad
no service config
no boot network
no cdp run
no snmp-server
no ip bootp server
no ip source-route
no ip finger
no ip name-server
no ip classless
no ip http server
!
! Enable needed services
ip cef
service tcp-keepalives-in
!
! Configure the Loopback Address
int loopback 0
ip address 10.10.10.1 255.255.255.252
!
! Configure NTP
! Use External Server 192.5.5.250
ntp server 192.5.5.250 prefer
! Set our NTP source address to be our loopback interface
ntp source loopback 0
! Enable NTP Authentication
ntp authenticate
! Create & Trust our NTP authentication Key
ntp authentication-key 10 md5 SecretNtpKey
ntp trusted-key 10
! Now Peer with our other main routers (10.10.2.1 & 10.10.4.1)
! But use the authentication key we just created
ntp peer 10.10.2.1 key 10
ntp peer 10.10.4.1 key 10
! Configure NTP to only peer with our main routers (10.10.2.1 & 10.10.4.1)
! Create ACL & Log violations
access-list 20 permit host 10.10.2.1
access-list 20 permit host 10.10.4.1
access-list 20 deny any log
! Apply the ACL as our peer ACL
ntp access-group peer 20
! Configure NTP to only serve our internal networks 10.10.0.0/16
! Create an ACL & Log violations
access-list 21 permit 10.10.0.0 0.0.255.255
access-list 21 deny any log
! Apply the ACL as our serve-only ACL
ntp access-group serve-only 21
! Only serve 20 NTP clients maximum
ntp max-associations 20
! Set to Eastern Daylight Savings Time
clock summer-time EDT recurring
!
! Set up logging
! Turn logging on
logging on
! Configure logging to use millisecond time stamps and the timezone
service timestamps log datetime msec localtime show-timezone
! Enable sequence numbers and throttle messages below error level
service sequence-numbers
logging rate-limit all 10 except error
! Create our logging buffer
logging buffered 32000
! Set our logging buffer to see notification level messages & above
logging buffered notification
! Disable Console logging
no logging console
! Configure logging to go to our syslog server 10.10.4.6
logging 10.10.4.6
! Set our syslog facility to local6 and our level to informational & above
logging facility local6
logging trap informational
!
! NSA recommended command privilege changes
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show ip
!
! Configure the Login Banner
banner login ^C
WARNING!!! This system is solely for the use of authorized users for official purposes. You have no expectation of privacy in its use and, to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that, if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.
^C
!
! Configure the EXEC Banner
banner exec ^C
NOTICE!!! This system is solely for the use of authorized users for official purposes. You have no expectation of privacy in its use and, to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that, if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.
^C
!
! Configure BGP for our ISP link using authentication
router bgp 100
network 10.10.2.0
network 10.10.4.0
network 130.18.6.0
neighbor 130.18.6.2 remote-as 115
neighbor 130.18.6.2 password SecretBGPpassword
!
! Create an Ingress (incoming) ACL for our External Interface (Serial 0/0)
! Anti-spoofing (Internal Network is 10.10.0.0/16)
access-list 101 deny ip 10.10.0.0 0.0.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log-input
access-list 101 deny ip 240.0.0.0 7.255.255.255 any log-input
! Block all incoming Syslog packets (port 514)
access-list 101 deny udp any any eq 514 log-input
! Block all incoming ICMP packets except MTU discovery
! This won't allow us to ping or traceroute outside our network
access-list 101 permit icmp any any 3 4
access-list 101 deny icmp any any log-input
! Allow everything else
access-list 101 permit ip any any
!
! Create our Egress filter to not allow our network to send out spoofed packets
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
access-list 102 deny ip any any log-input
!
! External Interface (Directly connected to Internet)
interface Serial 0/0
ip address 130.18.6.1 255.255.255.252
! Disable unneeded protocols & services
no ip redirects
no ip directed-broadcast
no ip mask-reply
no ip unreachables
no ip proxy-arp
no cdp enable
! Enable uRPF anti-spoofing features
ip verify unicast reverse-path
! Make sure we don't serve as an NTP server
ntp disable
! Apply our ingress (incoming) ACL
ip access-group 101 in
! Apply our egress (outgoing) ACL
ip access-group 102 out
!
! Configure RIPv2 for our internal networking
router rip
version 2
network 10.0.0.0
!
! Define a Key Chain for our RIPv2 authentication
key chain 10
key 1
key-string SecretRipKey
!
! Internal Interface FastEthernet 0/0 (connected to our Internal network)
interface FastEthernet 0/0
ip address 10.10.2.2 255.255.255.0
! Disable unneeded protocols & services
no ip redirects
no ip directed-broadcast
no ip mask-reply
no ip unreachables
no ip proxy-arp
no cdp enable
! Enable uRPF anti-spoofing features
ip verify unicast reverse-path
! Enable & Configure RIP v2 authentication
ip rip authentication key-chain 10
ip rip authentication mode md5
!
! Securely Configure the Console
line con 0
! Enable logins
login
! Set the Console Login password
password SecretConsolePassword
! Disable all network access
transport input none
!
! Disable the AUX port
line aux 0
! Use the login and no password commands to disable access
login
no password
! Disable all network access
transport input none
! NSA's other recommended commands for disabling access
no exec
exec-timeout 0 1
!
! Enable SSH on the router
! Give the router a hostname
hostname RouterOne
! Configure our domain
ip domain-name Company.Com
! Configure our RSA keys
crypto key generate rsa
! Configure a local username for vty SSH access
username JohnDoe password PasswordForJohnDoe
! Configure SSH retries & Timeout
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Create ACL to restrict VTY access to the manager's IP only (10.10.4.10)
access-list 15 permit 10.10.4.10
access-list 15 deny any log
! Configure & Secure VTY access
line vty 0 4
! Enable login using the locally defined username and password
login local
! Make sure we only use SSH to access the router
transport input ssh
! Set the timeout to 5 minutes
exec-timeout 5 0
! Apply ACL to restrict VTY access
access-class 15 in
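As an added illustration that is not part of the book, the following Python evaluates the Serial 0/0 ingress ACL 101 above the way IOS does: wildcard-mask matching, first match wins, implicit deny at the end. Packet addresses in the checks are constructed; the ACL text is copied from the configuration.

```python
import ipaddress

# Ingress ACL 101 from the Serial 0/0 configuration above, used as parser input.
ACL_101 = """
access-list 101 deny ip 10.10.0.0 0.0.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log-input
access-list 101 deny ip 240.0.0.0 7.255.255.255 any log-input
access-list 101 deny udp any any eq 514 log-input
access-list 101 permit icmp any any 3 4
access-list 101 deny icmp any any log-input
access-list 101 permit ip any any
"""

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, care-mask) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(t))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr, ~wildcard & 0xFFFFFFFF      # 1-bits in the wildcard are "don't care"

def parse_acl(text):
    """Parse the numbered-ACL subset used on this page into ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = _take_addr(rest), _take_addr(rest)   # left-to-right, mutates rest
        dport = int(rest[rest.index("eq") + 1]) if "eq" in rest else None
        icmp = None
        if proto == "icmp" and rest and rest[0].isdigit():      # "<type> [<code>]"
            code = int(rest[1]) if len(rest) > 1 and rest[1].isdigit() else None
            icmp = (int(rest[0]), code)
        log = any(t.startswith("log") for t in rest)            # log / log-input
        entries.append((action, proto, src, dst, dport, icmp, log))
    return entries

def _match(spec, ip):
    addr, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(entries, proto, src, dst, dport=None, icmp=None):
    """First matching entry wins; a numbered ACL ends with an implicit, unlogged deny."""
    for action, eproto, esrc, edst, edport, eicmp, log in entries:
        if eproto not in ("ip", proto) or not (_match(esrc, src) and _match(edst, dst)):
            continue
        if edport is not None and edport != dport:
            continue
        if eicmp is not None and (icmp is None or icmp[0] != eicmp[0]
                                  or (eicmp[1] is not None and icmp[1] != eicmp[1])):
            continue
        return action, log
    return "deny", False

ACL = parse_acl(ACL_101)
```

A packet claiming an internal 10.10.0.0/16 source hits the first line and is logged, while ICMP type 3 code 4 from the Internet is the only ICMP that passes.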
This configuration is the same as the preceding one, except that instead of local and line authentication, it uses AAA authentication and a TACACS+ access control server. The TACACS+ server used in this example has the IP address 10.10.2.20.
!
! Enable password encryption
service password-encryption
!
! Set the privileged level password
enable secret UnGuessablePassword
!
! Disable Global services & protocols
no service udp-small-servers
no service tcp-small-servers
no service finger
no service pad
no service config
no boot network
no cdp run
no snmp-server
no ip bootp server
no ip source-route
no ip finger
no ip name-server
no ip classless
no ip http server
!
! Enable needed services
ip cef
service tcp-keepalives-in
!
! Configure the Loopback Address
int loopback 0
ip address 10.10.10.1 255.255.255.252
!
! Configure NTP
! Use External Server 192.5.5.250
ntp server 192.5.5.250 prefer
! Set our NTP source address to be our loopback interface
ntp source loopback 0
! Enable NTP Authentication
ntp authenticate
! Create & Trust our NTP authentication Key
ntp authentication-key 10 md5 SecretNtpKey
ntp trusted-key 10
! Now Peer with our other main routers (10.10.2.1 & 10.10.4.1)
! But use the authentication key we just created
ntp peer 10.10.2.1 key 10
ntp peer 10.10.4.1 key 10
! Configure NTP to only peer with our main routers (10.10.2.1 & 10.10.4.1)
! Create ACL & Log violations
access-list 20 permit host 10.10.2.1
access-list 20 permit host 10.10.4.1
access-list 20 deny any log
! Apply the ACL as our peer ACL
ntp access-group peer 20
! Configure NTP to only serve our internal networks 10.10.0.0/16
! Create an ACL & Log violations
access-list 21 permit 10.10.0.0 0.0.255.255
access-list 21 deny any log
! Apply the ACL as our serve-only ACL
ntp access-group serve-only 21
! Only serve 20 NTP clients maximum
ntp max-associations 20
! Set to Eastern Daylight Savings Time
clock summer-time EDT recurring
!
! Set up logging
! Turn logging on
logging on
! Configure logging to use millisecond time stamps and the timezone
service timestamps log datetime msec localtime show-timezone
! Enable sequence numbers and throttle messages below error level
service sequence-numbers
logging rate-limit all 10 except error
! Create our logging buffer
logging buffered 32000
! Set our logging buffer to see notification level messages & above
logging buffered notification
! Disable Console logging
no logging console
! Configure logging to go to our syslog server 10.10.4.6
logging 10.10.4.6
! Set our syslog facility to local6 and our level to informational & above
logging facility local6
logging trap informational
!
! NSA recommended command privilege changes
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 rlogin
privilege exec level 15 show ip access-lists
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 1 show ip
!
! Configure the Login Banner
banner login ^C
WARNING!!! This system is solely for the use of authorized users for official purposes. You have no expectation of privacy in its use and, to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that, if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.
^C
!
! Configure the EXEC Banner
banner exec ^C
NOTICE!!! This system is solely for the use of authorized users for official purposes. You have no expectation of privacy in its use and, to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that, if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.
^C
!
! Configure BGP for our ISP link using authentication
router bgp 100
network 10.10.2.0
network 10.10.4.0
network 130.18.6.0
neighbor 130.18.6.2 remote-as 115
neighbor 130.18.6.2 password SecretBGPpassword
!
! Create an Ingress (incoming) ACL for our External Interface (Serial 0/0)
! Anti-spoofing (Internal Network is 10.10.0.0/16)
access-list 101 deny ip 10.10.0.0 0.0.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log-input
access-list 101 deny ip 240.0.0.0 7.255.255.255 any log-input
! Block all incoming Syslog packets (port 514)
access-list 101 deny udp any any eq 514 log-input
! Block all incoming ICMP packets except MTU discovery
! This won't allow us to ping or traceroute outside our network
access-list 101 permit icmp any any 3 4
access-list 101 deny icmp any any log-input
! Allow everything else
access-list 101 permit ip any any
!
! Create our Egress filter to not allow our network to send out spoofed packets
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
access-list 102 deny ip any any log-input
!
! External Interface (Directly connected to Internet)
interface Serial 0/0
ip address 130.18.6.1 255.255.255.252
! Disable unneeded protocols & services
no ip redirects
no ip directed-broadcast
no ip mask-reply
no ip unreachables
no ip proxy-arp
no cdp enable
! Enable uRPF anti-spoofing features
ip verify unicast reverse-path
! Make sure we don't serve as an NTP server
ntp disable
! Apply our ingress (incoming) ACL
ip access-group 101 in
! Apply our egress (outgoing) ACL
ip access-group 102 out
!
! Configure RIPv2 for our internal networking
router rip
version 2
network 10.0.0.0
!
! Define a Key Chain for our RIPv2 authentication
key chain 10
key 1
key-string SecretRipKey
!
! Internal Interface FastEthernet 0/0 (connected to our Internal network)
interface FastEthernet 0/0
ip address 10.10.2.2 255.255.255.0
! Disable unneeded protocols & services
no ip redirects
no ip directed-broadcast
no ip mask-reply
no ip unreachables
no ip proxy-arp
no cdp enable
! Enable uRPF anti-spoofing features
ip verify unicast reverse-path
! Enable & Configure RIP v2 authentication
ip rip authentication key-chain 10
ip rip authentication mode md5
!
! THIS IS WHERE DIFFERENCES FROM PREVIOUS CONFIG START
! THIS CONFIG USES AAA INSTEAD OF LOCAL & LINE AUTHENTICATION
! IT ALSO USES AAA TO USE A TACACS+ SERVER FOR AUTHORIZATION.
!
! Enable AAA
! Define a new AAA model
aaa new-model
! Define where to find our TACACS+ server (10.10.2.20)
tacacs-server host 10.10.2.20
! Configure our TACACS+ server key
tacacs-server key TACACSserverKEY
! Define default AAA authentication methods for logins:
! First TACACS+ server, then local usernames if server is unreachable
aaa authentication login default group tacacs+ local
! Define default AAA authentication methods for enable password:
! First TACACS+ server, then local enable password if server is unreachable
aaa authentication enable default group tacacs+ enable
!
! Configure router to use AAA for authorization (Leave this part out if you
! only want to use AAA for authentication and keep standard authorization.)
!
! Configure AAA to use TACACS+ for EXEC (shell) authorization
aaa authorization exec default group tacacs+ if-authenticated
! Configure AAA to use TACACS+ for level 1 and level 15 command authorization
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Configure the router to use AAA to log to the TACACS+ server.
!
! Configure the router to perform EXEC, System, Network & Connection logging
! to the TACACS+ server
aaa accounting exec default start-stop group tacacs+
aaa accounting system default stop-only group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
! Now configure the router to log all level 1 (user) and level 15 (privilege)
! commands to the TACACS+ server
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
! Securely Configure the Console
line con 0
! Configure the console to use the AAA method 'default' for authentication
login authentication default
! Disable all network access
transport input none
!
! Disable the AUX port
line aux 0
! Use the login and no password commands to disable access
login
no password
! Disable all network access
transport input none
! NSA's other recommended commands for disabling access
no exec
exec-timeout 0 1
!
! Enable SSH on the router
! Give the router a hostname
hostname RouterOne
! Configure our domain
ip domain-name Company.Com
! Configure our RSA keys
crypto key generate rsa
! Configure a local username for vty SSH access
username JohnDoe password PasswordForJohnDoe
! Configure SSH retries & Timeout
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Create ACL to restrict VTY access to the manager's IP only (10.10.4.10)
access-list 15 permit 10.10.4.10
access-list 15 deny any log
! Configure & Secure VTY access
line vty 0 4
! Configure logins to use the AAA method 'default' for authentication.
login authentication default
! Make sure we only use SSH to access the router
transport input ssh
! Set the timeout to 5 minutes
exec-timeout 5 0
! Apply ACL to restrict VTY access
access-class 15 in
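As an added example that is not from the book, the following Python audits a saved running-config against the items the two templates above enforce: global services turned off, password encryption, NTP authentication and keyed peers, an SNMP community carrying an ACL number, ssh-only VTY access restricted by access-class, and a disabled AUX exec. The sample configuration it checks is constructed to be only partly hardened.

```python
import re

# Constructed running-config excerpt (not from the book): a router that is only partly hardened.
SAMPLE_CONFIG = """\
service password-encryption
ip http server
no ip source-route
cdp run
snmp-server community public RO
ntp authenticate
ntp peer 10.10.2.1 key 10
ntp peer 10.10.4.1
line aux 0
 login
 no password
 transport input none
line vty 0 4
 login local
 transport input telnet ssh
"""

# Global commands the templates above turn off, and the ones they require.
FORBIDDEN = ["ip http server", "cdp run", "ip source-route", "ip bootp server", "service finger",
             "ip finger", "service tcp-small-servers", "service udp-small-servers"]
REQUIRED = ["service password-encryption", "ntp authenticate", "service tcp-keepalives-in"]

def split_stanzas(config):
    """Return (global lines, {stanza header: [child lines]}) for 'line'/'interface' blocks."""
    glob, stanzas, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:   # indented child of a stanza
            stanzas[current].append(raw.strip())
            continue
        current = raw.strip() if raw.startswith(("line ", "interface ")) else None
        if current is not None:
            stanzas[current] = []
        else:
            glob.append(raw.strip())
    return glob, stanzas

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    glob, stanzas = split_stanzas(config)
    found = []
    for bad in FORBIDDEN:
        if any(l == bad or l.startswith(bad + " ") for l in glob):
            found.append(f"enabled: {bad}")
    found += [f"missing: {good}" for good in REQUIRED if good not in glob]
    for l in glob:
        # a community string without a trailing ACL number answers any source address
        if l.startswith("snmp-server community") and not re.search(r"\s(RO|RW)\s+\d+$", l):
            found.append(f"unrestricted: {l}")
        if l.startswith("ntp peer") and " key " not in l:
            found.append(f"unauthenticated: {l}")
    for hdr, body in stanzas.items():
        if hdr.startswith("line vty"):
            if "transport input ssh" not in body:
                found.append(f"{hdr}: transport input is not ssh-only")
            if not any(b.startswith("access-class") for b in body):
                found.append(f"{hdr}: no access-class restricting source IPs")
        if hdr.startswith("line aux") and "no exec" not in body:
            found.append(f"{hdr}: exec not disabled")
    return found
```

Run audit() over the text of show running-config; each finding names the line or stanza that departs from the template.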
The previous examples have SNMP turned off. If your organization requires SNMP, add the following configuration examples to the preceding ones: replace the no snmp-server command in the previous examples with the configurations below. The first example configures the router to provide SNMP v2c read-only access to the SNMP management system 10.10.4.10:
!
! Create an ACL that only allows 10.10.4.10 to use SNMP access
access-list 30 permit 10.10.4.10
access-list 30 deny any log
!
! Enable the SNMP read-only server
snmp-server community SNMPreadOnlyCommunityString RO 30
This example uses SNMP v3 authentication and encryption to protect SNMP traffic between the management server and the router, and allows only the SNMP management system 10.10.4.10 to access the router through SNMP:
!
! Create ACL that only allows 10.10.4.10 to use SNMP access
access-list 40 permit 10.10.4.10
access-list 40 deny any log
! Create an SNMP v3 group to use Authentication & Encryption
snmp-server group AuthPrivGroup v3 priv access 40
! Define an SNMPv3 user, authentication password, and encryption password.
snmp-server user MyUser3 AuthPrivGroup v3 auth md5 AuthPass priv des56 PrivPass
If you decide that HTTP's usefulness outweighs its security problems, replace the no ip http server command in the preceding examples with the following. This example configures HTTP access for the IP 10.10.4.10 only:
!
! Create an ACL to limit HTTP access to 10.10.4.10
access-list 45 permit 10.10.4.10
access-list 45 deny any log
! Configure HTTP access to use the ACL
ip http access-class 45
! Configure HTTP access to use local authentication
ip http authentication local
!