CCNA安全综合训练配置

pka文件原题下载地址：https://pan.baidu.com/s/1d4QMGnqsfzBfKuoNIDRPEw，密码：5fqq

配置路由器基本安全

· R1上配置如下内容:

o 密码最小长度为10个字符

R1(config)#security passwords min-length 10

o 加密所有的明文密码

R1(config)#service password-encryption

o 特权模式密码为ciscoenapa55

R1(config)#enable secret ciscoenapa55

o 控制台密码为ciscoconpa55,超时为15分钟.

R1(config)#line console 0

R1(config-line)#password ciscoconpa55

R1(config-line)#logging synchronous

R1(config-line)#exec-timeout 15

o 设置MOTD标语，标语中要包含单词“unauthorized”.

R1(config)#banner motd warning unauthorized, no login

 

·  R2上配置如下内容:

o 配置特权密码为ciscoenapa55.

R2(config)#enable secret ciscoenapa55

o VTY线路密码为ciscovtypa55, 超时为15分钟, and login is required.

R2(config)#line vty 0 4

R2(config-line)#password ciscovtypa55

R2(config-line)#exec-timeout 15

R2#copy running-config startup-config

 

配置交换机基本安全

·  S1上配置如下内容:

o 加密所以明文密码

S1(config)#service password-encryption

o 设置特权密码为 ciscoenapa55.

S1(config)#enable secret ciscoenapa55

o 控制台密码为 ciscoconpa55, 超时为5分钟,

S1(config)#line console 0

S1(config-line)#password ciscoconpa55

S1(config-line)#logging synchronous

S1(config-line)#exec-timeout 5

o VTY线路密码为 ciscovtypa55, 超时 5分钟,.

S1(config-line)#line vty 0 4

S1(config-line)#password ciscovtypa55

S1(config-line)#logging synchronous

S1(config-line)#exec-timeout 5

o 配置MOTD 标语，包含单词“unauthorized”.

S1(config)#banner motd warning unauthorized, no login

· S1和S2间的中继做如下配置

o 设定端口为中继，本征VLAN为99

o 禁用DTP协商.

o 启用广播风暴控制，广播占带宽50%时丢弃流量

S1(config)#int f0/1

S1(config-if)#switchport mode trunk

S1(config-if)#switchport trunk native vlan 99

S1(config-if)#switchport nonegotiat

S1(config-if)#storm-control broadcast level 50

 

S2(config)#int f0/1

S2(config-if)#switchport mode trunk

S2(config-if)#switchport trunk native vlan 99

S2(config-if)#switchport nonegotiate

S2(config-if)#storm-control broadcast level 50

 

· S1的端口做如下配置

o Fa0/6 端口设为接入模式，配置PortFast 属性并启用BPDU保护.

o Fa0/6 采用默认的端口安全性设置，自动学习MAC地址，并粘帖到运行配置文件

o 禁用所以其他未使用端口.

S1(config)#int f0/6

S1(config-if)#switchport mode access

S1(config-if)#switchport port-security

S1(config-if)#spanning-tree portfast

S1(config-if)#spanning-tree bpduguard enable

S1(config-if)#switchport port-security mac-address sticky

S1(config)#interface range fastEthernet 0/2-5

S1(config-if-range)#shutdown

S1(config-if-range)#interface range fastEthernet 0/7-24

S1(config-if-range)#shutdown

S1(config-if-range)#interface range g0/1-2

S1(config-if-range)#shutdown

 

配置AAA本地认证

·  R1做如下配置:

o 创建本地用户 Admin01, 密码为 Admin01pa55, 级别为 15.

R1(config)#username Admin01 secret Admin01pa55

R1(config)#username Admin01 privilege 15

o 启用AAA服务.

o 实施AAA服务，本地数据库验证为首要验证方法，enable密码作为备用的验证方法、

R1(config)#aaa new-model

R1(config)#aaa authentication login default local enable

· 在 R1上配置SSH:

o 域名为 ccnasecurity.com

R1(config)#ip domain-name ccnasecurity.com

o  RSA key 生成采用 1024 modulus bits.

R1(config)#crypto key generate rsa

o 使用SSH版本2.

R1(config)#ip ssh version 2

o 在VTY线路上只允许SSH.

R1(config)#line vty 0

R1(config-line)#transport input ssh

· 验证PC-C 通过SSH能否登录到R1 (209.165.200.233)

 

配置防止登录攻击

·  R1:

o 如果用户30秒内两次登录失败，1分钟后才能再尝试登录

R1(config)#login block-for 60 attempts 2 within 30

o 记录所有登录失败的信息.

R1(config)#login on-failure log

配置站点到站点IPSec VPN

·  R1上做如下配置:

o 在R1上创建ACL 101，表示感兴趣的数据量.

§  允许R1 Lo1 网络的数据可以到达  R3 的局域网.

§ 拒绝所以其他流量.

R1(config)#access-list 101 permit ip 172.20.1.0 0.0.0.255 172.30.3.0 0.0.0.255

o 创建 crypto isakmp policy 10，欲共享密钥为 ciscovpnpa55.其他阶段一参数如下:

R1(config-isakmp)#crypto isakmp policy 10

§ Key distribution method: ISAKMP

§ Encryption: aes 256

R1(config-isakmp)#encryption aes 256

§ Hash: sha-1

R1(config-isakmp)#hash sha

§ Authentication method: pre-shared

R1(config-isakmp)#authentication pre-share

§ Key exchange: DH Group 5

R1(config-isakmp)#group 5

§ IKE SA lifetime: 3600

R1(config-isakmp)#lifetime 3600

§ ISAKMP key: ciscovpnpa55

R1(config)#crypto isakmp key ciscovpnpa55 address 10.20.20.1

o 创建变换集 VPN-SET. 加密映射CMAP，并将转换集绑定到加密映射。加密映射的使用的序列号为 10 ，转换集实验的参数如下：

R1(config)#access-list 102 permit ahp host 10.20.20.1 host 10.10.10.1

R1(config)#access-list 102 permit esp host 10.20.20.1 host 10.10.10.1

R1(config)#access-list 102 permit udp host 10.20.20.1 host 10.10.10.1 eq isakmp

R1(config)#access-list 102 permit tcp 172.30.3.0 0.0.0.255 host 209.165.200.233 eq 22

R1(config)#interface serial0/0/0

R1(config-if)#ip access-group 102 in

§ Transform Set: VPN-SET

§ Transform Encryption: esp-aes 256

§ Transform Authentication: esp-sha-hmac

§ Perfect Forward Secrecy (PFS): group5

§ Crypto Map name: CMAP

§ SA Establishment: ipsec-isakmp

R1(config)#crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac

R1(config)#crypto map CMAP 10 ipsec-isakmp

R1(config-crypto-map)#set peer 10.20.20.1

R1(config-crypto-map)#set transform-set VPN-SET

R1(config-crypto-map)#set pfs group5

R1(config-crypto-map)#set security-association lifetime seconds 3600

R1(config-crypto-map)#match address 101

o 将加密映射CMAP 应用到合适的接口.

R1(config)#interface s0/0/0

R1(config-if)#crypto map CMAP

 

 

 

· 根据R1的配置，在R3上做相应的VPN配置

R3(config)#access-list 101 permit ip 172.30.3.0 0.0.0.255 172.20.1.0 0.0.0.255

R3(config)#crypto isakmp policy 10

R3(config-isakmp)#encryption aes 256

R3(config-isakmp)#hash sha

R3(config-isakmp)#authentication pre-share

R3(config-isakmp)#group 5

R3(config-isakmp)#lifetime 3600

R3(config-isakmp)#crypto isakmp key ciscovpnpa55 address 10.10.10.1

R3(config)#access-list 102 permit ahp host 10.10.10.1 host 10.20.20.1

R3(config)#access-list 102 permit esp host 10.10.10.1 host 10.20.20.1

R3(config)#access-list 102 permit udp host 10.10.10.1 host 10.20.20.1 eq isakmp

R3(config)#access-list 102 permit tcp host 209.165.200.233 eq 22 172.30.3.0 0.0.0.255

R3(config)#interface serial0/0/1

R3(config-if)#ip access-group 102 in

R3(config)#crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac

R3(config)#crypto map CMAP 10 ipsec-isakmp

R3(config-crypto-map)#set peer 10.10.10.1

R3(config-crypto-map)#set transform-set VPN-SET

R3(config-crypto-map)#set pfs group5

R3(config-crypto-map)#match address 101

R3(config-crypto-map)#set security-association lifetime seconds 3600

R3(config)#interface s0/0/1

R3(config-if)#crypto map CMAP

· 从PC-C Ping  Lo1 接口 (172.20.1.1) ，然后在R3上实验show crypto ipsec sa 命令验证VPN是否正常工作

 

 

配置防火墙和IPS

· 在R3上配置ZPF防火墙:

o 创建区域 IN-ZONE和OUT-ZONE.

R3(config)#zone security IN-ZONE

R3(config-sec-zone)#zone security OUT-ZONE

o 创建ACL110，允许172.30.3.0/24网络的IP流量可以到达任何目的网络，其他流量拒绝

R3(config)#access-list 110 permit ip 172.30.3.0 0.0.0.255 any

o 创建class map  INTERNAL-CLASS-MAP 

R3(config)#class-map type inspect match-any INTERNAL-CLASS-MAP

R3(config-cmap)#match protocol tcp

R3(config-cmap)#match protocol icmp

R3(config-cmap)#match protocol udp

R3(config-cmap)#match access-group 110

o 创建policy map 名字为 IN-2-OUT-PMAP 引用，class map INTERNAL-CLASS-MAP ，动作为 

R3(config)#policy-map type inspect IN-2-OUT-PMAP

R3(config-pmap)#class  INTERNAL-CLASS-MAP

R3(config-pmap-c)#inspect

o 创建 zone pair 名字为 IN-2-OUT-ZPAIR.

o 指定策略 IN-2-OUT-PMAP来对两个域的流量来进行检查.

R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE

R3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP

o 指定 Fa0/1 为 IN-ZONE 成员 ，指定 S0/0/1 为 OUT-ZONE 成员.

R3(config)#interface f0/1

R3(config-if)#zone-member security IN-ZONE

R3(config-if)#interface s0/0/1

R3(config-if)#zone-member security OUT-ZONE

· 在R3上配置IPS.

o 创建目录 ipsdir，并设定3作为存放IPS特征文件的目录.

R3#mkdir ipsdir

R3(config)#ip ips config location flash:ipsdir

o 创建 IPS rule  IPS-RULE.

R3(config)#ip ips name IPS-RULE

o 隐退signature category.

o 非隐退 IOS_IPS Basic category.

R3(config)#ip ips signature-category

R3(config-ips-category)#category all

R3(config-ips-category-action)#retired true

R3(config-ips-category)#category ios_ips Basic

R3(config-ips-category-action)#retired false

o 在接口S0/0/1 应用规则.

R3(config)#int s0/0/1

R3(config-if)#ip ips IPS-RULE in

 

配置 ASA基本安全和防火墙特性

· VLAN interfaces配置如下  

o VLAN 1 interface,地址 192.168.10.1/24.

o VLAN 2 interface, 地址 209.165.200.234/29.

ciscoasa(config)#int vlan 1

ciscoasa(config-if)#ip add 192.168.10.1 255.255.255.0

ciscoasa(config-if)#int vlan 2

ciscoasa(config-if)#ip add 209.165.200.234 255.255.255.248

· 配置主机名、域名、特权密码和telnet密码:

o 主机名 CCNAS-ASA.

ciscoasa(config)#hostname CCNAS-ASA

o 域名ccnasecurity.com.

CCNAS-ASA(config)#domain-name ccnasecurity.com

o 特权密码 ciscoenapa55.

CCNAS-ASA(config)#enable password ciscoenapa55

· 创建用户并做AAA配置.

o 创建本地用户Admin01 ，密码 Admin01pa55，级别 为 15.

CCNAS-ASA(config)#username Admin01 password Admin01pa55

o 创建本地用户admin ，密码 adminpa55.

CCNAS-ASA(config)#username admin password adminpa55

o 配置 AAA对telnet和SSH用户进行认证.

CCNAS-ASA(config)#aaa authentication telnet console lOCAL

CCNAS-ASA(config)#aaa authentication ssh console lOCAL

· 配置本地Telnet控制台接入访问和 SSH 远程访问.

o 允许内部网络192.168.10.0/24 telnet到ASA，超时时间设为10分钟.

CCNAS-ASA(config)#telnet timeout 10

CCNAS-ASA(config)#telnet 192.168.10.0 255.255.255.0 inside

o 允许外部网络主机 172.30.3.3通过SSH登录到ASA.

CCNAS-ASA(config)#ssh timeout 10

CCNAS-ASA(config)#ssh 172.30.3.3 255.255.255.255 outside

· 配置ASA作为 DHCP 服务器

o 为内部 网络分配地址范围192.168.10.5到192.168.10.30.

CCNAS-ASA(config)#dhcpd address 192.168.10.5-192.168.10.30 inside

o 启用DHCP .

CCNAS-ASA(config)#dhcpd enable inside

· 配置静态路由和 NAT.

o 配置静态默认路由，下一跳地址为R1的IP地址.

CCNAS-ASA(config)#route outside 0.0.0.0 0.0.0.0 209.165.200.233

o 创建网络对象inside-net 

o 创建动态 NAT 将内网地址转换 outside interface.

CCNAS-ASA(config)#object network inside-net

CCNAS-ASA(config)#subnet 192.168.10.0 255.255.255.0

CCNAS-ASA(config-network-object)#nat (inside,outside) dynamic interface

· 修改ASA默认安全策略，允许安全级别高的接口的网络ping安全级别低接口网络

   提示：class-map  policy-map  service-policy    

CCNAS-ASA(config)#class-map inspection_default

CCNAS-ASA(config-cmap)#match default-inspection-traffic

CCNAS-ASA(config)#policy-map global_policy

CCNAS-ASA(config-pmap)#class inspection_default

CCNAS-ASA(config-pmap-c)#inspect icmp

CCNAS-ASA(config)#service-policy global_policy global