Configure IP ACLs to Mitigate Attacks.
On all routers:
enable secret enpa55
line console 0
password conpa55
login
ip domain-name ccnasecurity.com
username admin secret adminpa55
line vty 0 4
login local
crypto key generate rsa
On R2 only (loopback used as the SSH/ping target):
int loopback 0
ip address 192.168.2.1 255.255.255.0
no shut
Static routes, grouped by router (the next hop identifies which router each route belongs to). R1:
ip route 192.168.3.0 255.255.255.0 10.1.1.2
ip route 10.2.2.0 255.255.255.252 10.1.1.2
ip route 192.168.2.0 255.255.255.0 10.1.1.2
R2:
ip route 192.168.1.0 255.255.255.0 10.1.1.1
ip route 192.168.3.0 255.255.255.0 10.2.2.1
R3:
ip route 192.168.1.0 255.255.255.0 10.2.2.2
ip route 10.1.1.0 255.255.255.252 10.2.2.2
ip route 192.168.2.0 255.255.255.0 10.2.2.2
PCA> ping 192.168.3.3
PCA> ping 192.168.2.1
PCA> ssh -l admin 192.168.2.1
PCC> ping 192.168.1.3
PCC> ping 192.168.2.1
PCC> ssh -l admin 192.168.2.1
Execute the following on all routers (restricts vty access to the management station PC-C):
access-list 10 permit host 192.168.3.3
line vty 0 4
access-class 10 in
Verify exclusive access from management station PC-C.
PCC> ssh -l admin 192.168.2.1
PCA> ssh -l admin 192.168.2.1
Be sure to disable HTTP and enable HTTPS on server PC-A in the Services tab.
R1:
access-list 120 permit udp any host 192.168.1.3 eq domain
access-list 120 permit tcp any host 192.168.1.3 eq smtp
access-list 120 permit tcp any host 192.168.1.3 eq ftp
access-list 120 permit tcp any host 192.168.1.3 eq 443
access-list 120 permit tcp host 192.168.3.3 host 10.1.1.1 eq 22
int se0/1/0
ip access-group 120 in
Verify that PC-C cannot access PC-A via HTTPS using the web browser.
Desktop->Web Browser->192.168.1.3
PCA> ping 192.168.2.1
R1:
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any unreachable
access-list 120 deny icmp any any
access-list 120 permit ip any any
Verify that PC-A can successfully ping the loopback interface on R2.
PCA> ping 192.168.2.1
R3:
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
int gig0/0
ip access-group 110 in
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.3.3 eq 22
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 permit ip any any
int se0/1/0
ip access-group 100 in
Confirm that the specified traffic entering the Serial interface is handled correctly.
PCC> ping 192.168.1.3
PCC> ssh -l admin 192.168.2.1
Part 2
line vty 0 4
password vtypa55
login
enable secret enpa55
router ospf 1
network 192.168.1.0 0.0.0.255 area 0
router ospf 1
area 0 authentication message-digest
int gig0/0
ip ospf message-digest-key 1 md5 MD5pa55
Part 1: Configure Local AAA Authentication for Console Access on R1
Test connectivity
PC0> ping 192.168.1.3
PC1> ping 192.168.1.2
show ip ospf interface
username admin secret adminpa55
aaa new-model
aaa authentication login default local
end
exit
admin
adminpa55
ip domain-name ccnasecurity.com
crypto key generate rsa
aaa authentication login SSH-LOGIN local
line vty 0 4
login authentication SSH-LOGIN
transport input ssh
end
Verify the AAA authentication method
PC0> ssh -l admin 192.168.1.1
adminpa55
PC1> ssh -l admin 192.168.1.1
adminpa55
