Adam Andersen TEC - 2016
NOTES
1 | P a g e
Table of contents
Basic security configuration
  User creation
  View user
  Authentication method
  AAA local database
  Administrative Roles
  AAA with RADIUS server
Securing layer 2
  Setting trunk or access mode
  Trunk VLAN: prevention of VLAN hopping and nonegotiate
  Spanning-tree security
  DHCP snooping
  PVLAN
  CDP
Line security
  Password security
  MOTD
  SSH security
  Secure Boot Resilience
Intrusion Prevention System (IPS)
  Basic IPS configuration
  Signatures
  Apply IPS rule to an interface
  Load signatures from download
  Modify signatures
Site-To-Site VPN
  Internet Key Exchange (IKE) with IPsec
ASA with ASDM
  Management interface
  Enable the HTTP service with access
  Configure the ASA with the ASDM GUI
OSPF
  Initiate OSPF configuration
  Securing OSPF with authentication
Zone-Based Policy Firewall (ZPF)
SNMP
Router services and configuration
  SCP service
  Copy
  Clock
  NTP with authentication
  Syslog server
  Logging
Show and debug commands
  Miscellaneous
  OSPF
  IKE IPsec CRYPTO
  Resilience
  SNMP
  Time and date NTP
  Syslog Logging
  Zone-Based Policy Firewall
  Switch
  ASA Firewall
  Reset the ASA
  Intrusion prevention system (IPS)
  Secure Boot
Basic security configuration

User creation
Create a user with a hashed password ("secret" stores a one-way hash; scrypt is available from IOS 15.3(3)M)
(config) username [name] algorithm-type scrypt secret [password]

View user
A parser view is a named set of permitted commands. It requires "aaa new-model" and is created from the root view
Router enable view
(config) parser view [view name]
(config-view) secret [password]
(config-view) commands exec include all [command]

Authentication method
AAA local database
AAA must be enabled before any authentication method list can be configured. The "default" lists apply to every line that has no list of its own
Enable AAA
(config) aaa new-model
Configure the authentication and authorization methods
(config) aaa authentication login default local
(config) aaa authorization exec default local

Administrative Roles
Enter the root view (the superuser view; it needs "aaa new-model" and an enable secret), then create restricted views
Router enable view
(config) parser view [view name]
(config-view) secret [password]
(config-view) commands [parser mode] [include | include-exclusive | exclude] all [command]

AAA with RADIUS server
(config) aaa new-model
(config) aaa authentication login default group radius local
(config) radius server [name]
(config-radius-server) address ipv4 [server address] auth-port 1812 acct-port 1813
(config-radius-server) key [shared secret]
"local" after "group radius" is only used as a fallback when no RADIUS server answers; a login rejected by RADIUS is not retried against the local database

AAA line authentication list
(config) aaa authentication login [LIST NAME] group radius local
(config) line vty 0 4
(config-line) login authentication [LIST NAME]
Securing layer 2
Make this switch the root bridge (priority 0 is the lowest possible value and wins the election)
(config) spanning-tree vlan 1 priority 0

Setting trunk or access mode
(config-if) switchport mode trunk
(config-if) switchport mode access

Trunk VLAN: prevention of VLAN hopping and nonegotiate
Use an otherwise unused VLAN as the native VLAN so an untagged, double-tagged frame cannot hop into a user VLAN, and turn DTP off so an attacker on an access port cannot negotiate a trunk
(config-if) switchport trunk native vlan [num]
(config-if) switchport nonegotiate

Spanning-tree security
(config-if) spanning-tree portfast (skips listening/learning on a host port; never use it on a port facing another switch)
(config-if) spanning-tree bpduguard enable (err-disables the port if a BPDU arrives on it)
(config-if) spanning-tree guard root (on designated ports towards other switches; blocks a superior BPDU so the root cannot be hijacked)
(config) spanning-tree loopguard default
Port security (the port must be set to access or trunk mode first; it is refused on a dynamic port)
(config-if) switchport port-security (enables port security)
(config-if) switchport port-security mac-address [mac]
(config-if) switchport port-security maximum [num]
(config-if) switchport port-security violation [protect | restrict | shutdown]
(config-if) switchport port-security aging time [minutes]

DHCP snooping
(config) ip dhcp snooping
(config) ip dhcp snooping vlan [vlan list] (snooping is only active on the VLANs listed here)
(config) ip dhcp snooping information option (option 82 insertion, on by default; turn it off with "no" if the DHCP server drops the relayed requests)
(config-if) ip dhcp snooping limit rate [packets per second]
Trust only the ports towards the DHCP server and the uplinks; every other port is untrusted and drops DHCP server replies
(config-if) ip dhcp snooping trust

PVLAN edge (protected port)
Create the VLAN and put the port in it before marking it protected; protected ports on the same switch cannot exchange traffic with each other
(config-if) switchport access vlan [num]
(config-if) switchport protected

CDP
Do not announce device details with Cisco Discovery Protocol on ports that do not need it
(config-if) no cdp enable
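Worked example for the layer 2 section above. It is added to these notes and is not from the original; the host name, VLAN numbers and interface names are made up for the example. S1 is meant to be the root bridge for VLAN 10, G0/1 is its trunk towards the other switches and the DHCP server, and F0/1 is a user-facing access port.

```cisco
! ---- S1: root bridge, hardened trunk, hardened access port, DHCP snooping ----
hostname S1
!
vlan 10
 name USERS
vlan 999
 name NATIVE-UNUSED
!
spanning-tree vlan 10 priority 0
spanning-tree loopguard default
!
interface GigabitEthernet0/1
 description Trunk to S2 (DHCP server behind it)
 ! encapsulation command is needed on 3560-class switches; a 2960 rejects it
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
 ip dhcp snooping trust
!
interface FastEthernet0/1
 description User port
 switchport mode access
 switchport access vlan 10
 switchport protected
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! aging time is in minutes, not seconds
 switchport port-security aging time 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 10
 no cdp enable
!
ip dhcp snooping
ip dhcp snooping vlan 10
! option 82 insertion without a relay makes some DHCP servers drop the request
no ip dhcp snooping information option
```

After applying it, "show spanning-tree vlan 10" should report "This bridge is the root", "show port-security interface f0/1" should show the violation mode and the current MAC count, and "show ip dhcp snooping" should list G0/1 as the only trusted port.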
Line security
(config-line) privilege level 15
(config-line) login local (authenticate against the local user database; plain "login" only checks the line password)
(config-line) exec-timeout [min] [sec]
(config-line) logging synchronous (not security, just convenient)

Password security
(config) service password-encryption (only type 7 obfuscation of line and other plain-text passwords; it is reversible)
(config) security passwords min-length [num]
(config) enable algorithm-type scrypt secret [password]
(config) username [name] algorithm-type scrypt secret [password]

MOTD
(config) banner [login | motd | exec] $ [TEXT] $

SSH security
SSH needs a host name and a domain name because the RSA host key pair is named after them. Generate the key pair before SSH can be used as a login shell, then restrict the VTY lines to SSH
(config) ip domain-name [domain]
(config) crypto key generate rsa general-keys modulus [key length, 2048 or more]
(config) ip ssh version 2
(config) ip ssh authentication-retries [num]
(config) ip ssh time-out [sec]
Restrict VTY line transport to SSH (this also drops Telnet)
(config-line) transport input ssh

Secure Boot Resilience
Archives a copy of the running IOS image and the running config in persistent storage. The secured files are not shown by "dir" and cannot be deleted from the CLI; they are only visible with "show secure bootset"
(config) secure boot-image
(config) secure boot-config
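Worked example that ties the user creation, AAA with RADIUS, line security, password security and SSH sections together on one router. It is added to these notes and is not from the original; the host name, domain, addresses, user names and secrets are made up for the example. RADIUS is tried first on the VTY lines with the local database as fallback, the console uses the local database, and only SSH version 2 is accepted.

```cisco
! ---- R1: local users, RADIUS with local fallback, SSH-only management ----
hostname R1
ip domain-name example.com
!
! set the minimum length before creating any secret
security passwords min-length 10
service password-encryption
enable algorithm-type scrypt secret Enab1eS3cretX
username admin privilege 15 algorithm-type scrypt secret Adm1nS3cretXY
!
! host key pair; the name is derived from hostname + domain-name
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
aaa new-model
radius server RAD1
 address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
 key R4diusSh4redKey
!
! default list: console and any line without its own list
aaa authentication login default local
! VTY list: RADIUS first, local only if no RADIUS server answers
aaa authentication login SSH-LOGIN group radius local
aaa authorization exec default local
!
login on-failure log
login on-success log
!
banner login $ Authorised access only. All activity is logged. $
!
line console 0
 exec-timeout 5 0
 logging synchronous
 login authentication default
line vty 0 4
 exec-timeout 5 0
 login authentication SSH-LOGIN
 transport input ssh
```

Check the result with "show ip ssh" (version 2.0, the configured timeout and retries) and "show running-config | include secret": every secret must appear as a type 9 hash, never as a type 7 string. A Telnet attempt to the router must now be refused by the VTY lines.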
Intrusion Prevention System (IPS)
Create a directory on flash for the signature package, and load Cisco's public key so the router can verify the digital signature of the package before it accepts it
Basic IPS configuration
Router mkdir [dir name]
Import the Cisco public key (the key-string is distributed together with the signature package)
(config) crypto key pubkey-chain rsa
(config-pubkey-chain) named-key realm-cisco.pub signature
(config-pubkey-key) key-string
(config-pubkey) [paste the key data]
(config-pubkey) quit
Create the rule with a name and point it at the signature location
(config) ip ips name [rule name] list [acl name or number] (the ACL is optional and limits which traffic the rule inspects)
(config) ip ips config location flash:[dir name]
Enable SDEE and syslog notifications (SDEE is delivered over HTTP, so the HTTP server must be running)
(config) ip http server
(config) ip ips notify sdee
(config) ip ips notify log
(config) service timestamps log datetime msec
(config) logging host [syslog server address]

Signatures
Depending on the RAM available on the router, all signatures may not be loadable at once. Retire every category first and then un-retire only the basic IOS category
(config) ip ips signature-category
(config-ips-category) category all
(config-ips-category-action) retired true
(config-ips-category-action) exit
(config-ips-category) category ios_ips basic
(config-ips-category-action) retired false

Apply IPS rule to an interface
(config) interface [interface]
(config-if) ip ips [rule name] [in | out]

Load signatures from download
Make sure a reachable FTP or TFTP server hosts the downloaded package file; "idconf" tells the router to compile and load it as the signature definition
Router copy [ftp | tftp]://[server]/[package file].pkg idconf

Modify signatures
Re-enable a specific retired signature and set its actions
(config) ip ips signature-definition
(config-sigdef) signature [signature id] [subsignature id]
(config-sigdef-sig) status
(config-sigdef-sig-status) retired false
(config-sigdef-sig-status) enabled true
(config-sigdef-sig-status) exit
(config-sigdef-sig) engine
(config-sigdef-sig-engine) event-action deny-packet-inline
(config-sigdef-sig-engine) event-action produce-alert
(config-sigdef-sig-engine) event-action reset-tcp-connection
Site-To-Site VPN

Internet Key Exchange (IKE) with IPsec
IKE negotiates the security protocols, algorithms and keys for the tunnel. ISAKMP is enabled by default on most IOS versions but can be enabled explicitly. An ISAKMP policy is needed to determine authentication, encryption and hashing, and both peers must have a matching policy
IKE Phase 1: the peers authenticate each other and set up the ISAKMP SA (Diffie-Hellman key exchange)
IKE Phase 2: the peers negotiate the IPsec SAs (transform set) that protect the data traffic
(config) crypto isakmp enable
(config) crypto isakmp policy [num (priority; the lowest number is tried first)]
(config-isakmp) hash [algorithm]
(config-isakmp) authentication pre-share
(config-isakmp) group [Diffie-Hellman group]
(config-isakmp) lifetime [sec]
(config-isakmp) encryption [algorithm] [key length]
Configure the pre-shared key. The key must match on both routers, and each side points at the other peer's address
(config) crypto isakmp key [key] address [peer address]
Set the IPsec transform set: one transform for encryption and one for integrity (HMAC)
(config) crypto ipsec transform-set [name] esp-aes 256 esp-sha-hmac
Optionally change the default IPsec SA lifetime of 3600 sec, after which the SA is re-keyed
(config) crypto ipsec security-association lifetime seconds [num]
Define the interesting traffic with an extended ACL; a packet matching it triggers IKE and is encrypted. Configure it on both sides and mirror source and destination on the other side
(config) access-list [extended num] permit ip [source] [wildcard] [destination] [wildcard]
Create a crypto map that references the ACL, the peer and the transform set. It tells the interface which traffic to protect and where to send it
(config) crypto map [name] [seq num] ipsec-isakmp
(config-crypto-map) match address [access-list num]
(config-crypto-map) set peer [peer address]
(config-crypto-map) set pfs [Diffie-Hellman group]
(config-crypto-map) set transform-set [name]
(config-crypto-map) set security-association lifetime seconds [num]
Now apply the crypto map to the outside interface (only one crypto map per interface)
(config-if) crypto map [crypto map name]
ASA with ASDM
Before the firewall can be configured with ASDM, the management (inside) interface and the HTTP server must be set up from the console. Out of the box the ASA accepts no ASDM connections

Management interface
(config) interface vlan [num]
(config-if) nameif inside
(config-if) ip address [address] [subnet mask]
(config-if) security-level 100
(config) interface [physical interface]
(config-if) no shutdown
Configure the outside (WAN) interface
(config) interface vlan [num]
(config-if) nameif outside
(config-if) ip address [address] [subnet mask]
(config-if) security-level 0
Assign the physical outside port to the outside VLAN
(config) interface [physical interface]
(config-if) switchport access vlan [num]
(config-if) no shutdown

Enable the HTTP service with access
Only hosts in the given network, arriving on the given interface, may open ASDM (HTTPS)
(config) http server enable
(config) http [network] [subnet mask] [interface name]
Configure the ASA with the ASDM GUI
Run the different wizards to configure the ASA
Configure basic settings: Configuration > Device Setup > Startup Wizard >
  Modify existing configuration >
  Configure hostname, domain name, privileged password >
  Configure inside/outside interfaces and VLANs >
  Configure DHCP >
  Configure PAT >
  Configure access types >
  Summary: read it before accepting the config
  Apply
Clock: Configuration > Device Setup > System Time > Clock
Static routes: Configuration > Device Setup > Routing > Static Routes >
  Add >
  Configure: select the interface; network 0.0.0.0 with mask 0.0.0.0 ("quad zero") plus the gateway is the default route
  Apply
AAA user authentication: Configuration > Device Management > Users/AAA > User Accounts >
  Configure: Add > username, password, privilege >
  Apply
AAA user access: Configuration > Device Management > Users/AAA > AAA Access > Authentication >
  Configure: authentication against a server group (LOCAL for the local user database)
  Apply
Firewall policy: Configuration > Firewall > Service Policy Rules >
  Configure: default inspection > Rule Actions, choose the protocols to inspect
DMZ with ACLs: Configuration > Device Setup > Interface Settings > Interfaces >
  Configure: Add > select interface > security level, VLAN, network
  Configure: edit the VLAN if the default (12) is set
  Configure: change the security level on the interface
  Configure: block traffic between VLANs in the Advanced tab
  Apply
Configuration > Firewall > Public Servers >
  Configure: Add > private interface, private network (pick with the ... button), private service (pick with the ... button), public network
  Apply
Verify rules: Configuration > Firewall > Access Rules
DMZ with static NAT
OSPF
Start an OSPF process with a process ID. The process ID is only locally significant and does not have to match between routers; the area number on the network statements does have to match between neighbours
Initiate OSPF configuration
(config) router ospf [process id]
Networks to advertise to neighbours, with the area number
(config-router) network [network] [wildcard mask] area [num]
(config-router) passive-interface [interface] (no hellos on LAN-facing interfaces, so a rogue router there cannot form an adjacency)

Securing OSPF with authentication
Authentication keeps a router that does not know the key from forming an adjacency and injecting routes into the control plane. Apply it on every interface that has neighbours; both neighbours must use the same key and algorithm
Configure a key chain
(config) key chain [name]
(config-keychain) key 1
Set the key string and the HMAC algorithm
(config-keychain-key) key-string [password]
(config-keychain-key) cryptographic-algorithm [hmac-sha-256 | hmac-sha-1 | md5 | ...]
Apply the key chain to the interface facing the neighbour
(config-if) ip ospf authentication key-chain [name]
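Worked example of OSPF with key-chain authentication on two neighbours. It is added to these notes and is not from the original; the addresses, interface names and key are made up for the example. R1 and R2 share the link 10.1.12.0/30 on G0/1, and R1 also has LAN 192.168.1.0/24 on G0/0. The two routers deliberately use different process IDs to show that the process ID is local, while the area and the key chain contents match.

```cisco
! ===================== R1 =====================
key chain OSPF-KEYS
 key 1
  key-string 0spfS3cretKey
  cryptographic-algorithm hmac-sha-256
!
router ospf 1
 network 10.1.12.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
 ! LAN side: advertise the prefix but send no hellos there
 passive-interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
 ip ospf authentication key-chain OSPF-KEYS
!
! ===================== R2 =====================
key chain OSPF-KEYS
 key 1
  key-string 0spfS3cretKey
  cryptographic-algorithm hmac-sha-256
!
! process ID 2 here, process ID 1 on R1: the adjacency still forms
router ospf 2
 network 10.1.12.0 0.0.0.3 area 0
!
interface GigabitEthernet0/1
 ip ospf authentication key-chain OSPF-KEYS
```

"show ip ospf interface g0/1" should report cryptographic authentication with the key chain, and "show ip ospf neighbor" should list the other router in FULL state. If the key strings or algorithms differ, the hellos are silently discarded and the neighbour never appears at all, which is the symptom to look for when an adjacency disappears right after authentication is turned on.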
Zone-Based Policy Firewall (ZPF)
Start by creating the zones to be used. Every interface the policy should apply to becomes a member of exactly one zone
Create a zone by giving it a name, then assign interfaces to it
(config) zone security [zone name]
(config-if) zone-member security [zone name]
Use class-maps to define what traffic to inspect. One class-map can match several protocols, and class-maps can be nested
(config) class-map type inspect match-any [class-map name]
(config-cmap) match protocol [protocol]
Use policy-maps to act on the traffic matched by the class-map. "inspect" allows the traffic and statefully allows the return traffic; "pass" allows one direction without keeping state and "drop" discards
(config) policy-map type inspect [policy-map name]
(config-pmap) class type inspect [class-map name]
(config-pmap-c) inspect
Now the policy must be tied to a zone-pair. Traffic between two zones that have no zone-pair (or a zone-pair without a policy) is dropped; traffic between interfaces in the same zone passes
(config) zone-pair security [zone-pair name] source [zone name] destination [zone name]
Apply the policy so it is actively used on this zone-pair
(config-sec-zone-pair) service-policy type inspect [policy-map name]
[Diagram: zone -> zone-pair -> policy-map -> class-map]
SNMP
To restrict SNMP, define an ACL with the management hosts that may connect and use SNMPv3 with authentication and privacy
(config) ip access-list standard [acl name]
(config-std-nacl) permit [network] [wildcard]
Configure the MIB view the group may read
(config) snmp-server view [view name] [MIB subtree] [included | excluded]
Configure the SNMP group for SNMPv3 with the security level, the view and the ACL
(config) snmp-server group [group name] v3 [auth | priv] read [view name] access [acl name]
Create the user and associate it with the group. The user is stored outside the running config and is not shown by "show running-config"; check it with "show snmp user"
(config) snmp-server user [username] [group name] v3 auth sha [auth password] priv [aes 128 | aes 192 | aes 256] [priv password]

Router services and configuration

SCP service
SCP runs over SSH and needs AAA login authentication and exec authorization plus a privilege 15 user
(config) ip scp server enable

Copy
Router copy [source] [destination] (e.g. running-config startup-config, or tftp://[server]/[file] flash:)

Clock
Router clock set HH:MM:SS DD MMM YYYY

NTP with authentication
Set up the NTP master
(config) ntp authentication-key [num] md5 [key]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp master [stratum number (e.g. 3; the default is 8)]
Configure NTP on the clients. They need the same key number and key as the master to authenticate the server, and the key must be referenced on the server statement
(config) ntp authentication-key [num] md5 [key]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp server [NTP master address] key [num]
(config) ntp update-calendar (keep the hardware calendar in sync with NTP)
Router clock update-calendar
Syslog server
Use a syslog server to collect the logs off the box. Turn on timestamps so entries can be correlated, then choose which severity level to send
Turn on timestamps for the log
(config) service timestamps log datetime msec
Point to the syslog server
(config) logging host [destination address]
Define the logging severity; the level given and everything more severe (lower number) is sent
(config) logging trap [severity]
Severity  Keyword         Meaning
0         emergencies     System is unusable
1         alerts          Immediate action required
2         critical        Critical conditions
3         errors          Error conditions
4         warnings        Warning conditions
5         notifications   Normal but significant condition
6         informational   Informational messages
7         debugging       Debugging messages

Logging
Log every failed and successful login so brute-force attempts are visible on the syslog server
(config) login on-failure log
(config) login on-success log
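Worked example of the management-plane services from the SNMP, NTP and syslog sections: an authenticated NTP master, a client that authenticates it, syslog export, and an SNMPv3 agent restricted by ACL. It is added to these notes and is not from the original; the addresses, names and keys are made up for the example. R1 (10.1.1.1) is the NTP master, R2 is the client, the syslog server is 10.1.1.100 and the only SNMP manager is 10.1.1.200.

```cisco
! ===================== R1: authenticated NTP master =====================
ntp authentication-key 1 md5 NtpK3y2016
ntp trusted-key 1
ntp authenticate
ntp master 3
!
! ===================== R2: NTP client, syslog, SNMPv3 =====================
! same key number and key as the master; "key 1" on the server line makes
! the client send authenticated requests and reject an unauthenticated reply
ntp authentication-key 1 md5 NtpK3y2016
ntp trusted-key 1
ntp authenticate
ntp server 10.1.1.1 key 1
ntp update-calendar
!
! timestamps first, then the collector and the severity ceiling (0-6 sent, 7 not)
service timestamps log datetime msec
logging host 10.1.1.100
logging trap informational
login on-failure log
login on-success log
!
! SNMPv3: read-only view, priv (auth + encryption) group, manager ACL
ip access-list standard SNMP-MGRS
 permit 10.1.1.200
!
snmp-server view SNMP-RO iso included
snmp-server group SNMP-ADMINS v3 priv read SNMP-RO access SNMP-MGRS
snmp-server user snmpadmin SNMP-ADMINS v3 auth sha SnmpAuthPw2016 priv aes 128 SnmpPrivPw2016
```

"show ntp associations" on R2 should show 10.1.1.1 with a * (synchronised) and "show ntp status" should report stratum 4. "show snmp group" shows SNMP-ADMINS with security model v3 priv and the ACL, and "show snmp user" shows snmpadmin; the user line itself will not appear in "show running-config", which is expected. A manager outside 10.1.1.200 gets no response at all, which is the point of the ACL.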
Show and debug commands

Miscellaneous
show flash (list the files on the flash drive)

OSPF
show ip ospf neighbor (check whether adjacencies have formed; a neighbour missing here right after authentication was enabled usually means a key mismatch)
show ip ospf neighbor summary (count of neighbours per state)
show ip ospf interface [interface] (detailed per-interface information, including the authentication in use)
show ip route (check that the routes learned by OSPF are present)
clear ip ospf process (restart the OSPF process and relearn the database)
debug ip ospf hello

IKE IPsec CRYPTO
show crypto isakmp policy (shows the configured IKE policies)
show crypto isakmp sa (shows the phase 1 SA; QM_IDLE means phase 1 is up)
show crypto ipsec transform-set (shows the transform sets and tunnel/transport mode)
show crypto map (shows the crypto maps on this router and the interfaces they are applied to)
show crypto ipsec sa (verify the phase 2 SAs and the packet counters through the tunnel)
debug crypto ipsec

Resilience
show secure bootset (shows the archived image and config)
show flash (show the flash directory; the secured files are not listed there)

SNMP
show snmp group (verify the SNMP groups)
show snmp user (view the SNMPv3 users created)

Time and date NTP
show clock (view clock and date settings)
show ntp associations
debug ntp all

Syslog Logging
show logging (view the logging settings, including the syslog host)

Zone-Based Policy Firewall
show zone-pair security (view the zone pairs that have been made)
show policy-map type inspect zone-pair (packet counters per class on each zone-pair)
show zone security (show all the interfaces that are members of a zone)

Switch
show spanning-tree (see whether this bridge is the root)
show running-config (look at the interface configuration)
show spanning-tree summary
show spanning-tree inconsistentports
show port-security
show port-security address

ASA Firewall
show interface ip brief (show basic interface states)
Tools > Packet Tracer
Reset the ASA
configure factory-default
write erase
reload

Intrusion prevention system (IPS)
show ip ips signature count (shows the signature counts loaded, enabled and retired)
Error message "%IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (key not found)": the Cisco public key is missing or was pasted wrongly; check the crypto key

Secure Boot
show secure bootset
1 | P a g e
Indholdsfortegnelse Basic security configuration 3
User creation 3
View user 3
Authentication method 3
AAA local database 3
Administrative Roles 3
AAA With RADIUS server 3
Securing layer 2 4
Setting trunk or access mode 4
Trunk VLAN prevention of VLAN hopping And nooegotiate 4
Spanning-tree security 4
DHCP snooping 4
PVLAN 4
CDP 4
Line security 5
Password security 5
MOTD 5
SSH security 5
Secure Boot Resilience 5
Intrusion Prevention System (IPS) 6
Basic IPS configuration 6
Signatures 6
Apply IPS Rule to interface 6
Load signatures from download 6
Modify signatures 7
Site-To-Site VPN 7
Internet Key Exchange (IKE) With IPsec 7
ASA with ASDM 8
Management interface 8
Enable the HTTP service with access 8
Configure the ASA with ASDM GUI interface 9
OSPF 10
Initiate OSPF configuration 10
Securing OSPF with authentication 10
Zone-Based Policy Firewall (ZPF) 11
2 | P a g e
SNMP 12
Router services and configuration 12
SCP service 12
Copy 12
Clock 12
NTP with authentication 12
Syslog server 13
Logging 13
Debug commands 14
Miscellanies 14
OSPF 14
IKE IPsec CRYPTO 14
Resilience 14
SNMP 14
Time and date NTP 14
Syslog Logging 14
Zone-Based Policy Firewall 14
Switch 15
ASA Firewall 15
Reset the ASA 15
Intrusion prevention system (IPS) 15
Secure Boot 15
3 | P a g e
Basic security configuration
User creation Create a user with encrypted password
(config-line) username [word] algorithm-type scrypt secret [word]
View user Router enable view
(config) parser view [username]
(config-view) secret [password]
(config-view) commands exec include all [type]
Authentication method AAA local database When using AAA as a authentication service then the service must be initiated first then the authentication
methods can be configured to use
Initiation of AAA
(config) aaa new-model
Configuration of authentication and autorization methods
(config) aaa authentication login default local
(config) aaa authorization exec default local
Administrative Roles Router enable view (the root user)
(config) parser view [word]
(config-view) secret [word]
(config-view) commands [config mode] [include ndash exclude] all [command]
AAA With RADIUS server (config) aaa new-model
(config) aaa authentication login default group radius local
(config) radius server [name]
(config) address ipv4 [network] auth-port 1812 acct-port 1813
(config) address [network]
(config) key [PSK]
AAA line authentication list (config) aaa authentication login [GROUPE NAME] group radius local
(config) line vty 0 4
(config) login authentication [GROUP NAME]
4 | P a g e
Securing layer 2 The bridge as root
(config) spanning-tree vlan 1 priority 0
Setting trunk or access mode (config-if) switchport mode trunk
(config-if) switchport mode access
Trunk VLAN prevention of VLAN hopping And nooegotiate (config-if) siwthport trunk navtive vlan [num]
(config-if) switchport nonegotiate
Spanning-tree security (config-if) spanning-tree portfast (this is to allow quick clients
package)
(config-it) spanning-tree bpdguard enable
(config-it) spanning-tree guard root (switch on none root ports)
(config) spanning-tree loopguard default
(config-if) switchport port-security (enables the port-security)
(config-if) switchport port-security mac-address [mac]
(config-if) switchport port-security maximum [num]
(config-if) switchport port-security violation [action]
(config-if) switchport port-security aging time [sec]
DHCP snooping (config) ip dhcp snooping
(config) ip dhcp snooping information option
(config-if) ip dhcp snooping limit rate [num]
Trust ports from DHCP server
(config-if) ip dhcp snooping trust
PVLAN Create vlan to use on the interface before applying
(config-if) switcport access vlan [num]
(config-if) switchport protected
CDP Do not broadcast unnessesary with Cisco Discovery Protocol
(config-if) no cdp enable
5 | P a g e
Line security (config-line) privilege level 15
(config-line) login local [set password if only login]
(config-line) exec-timeoute [min] [sec]
(config-line) logging synchronous (not security just nice)
Password security (config) service password-encryption
(config) security password min-length [num]
(config) enable algorithm-type scrypt secret [word]
(config) username [word] algorihm-type scrypt secret [word]
MOTD (config) banner [login ndash motd ndashexec] $ [TEXT] $
SSH security To setup SSH it needs to have a domain name for use in a certificate that needs to be generated Both needs to
be preformed before SSH can be used as a shell login Also line configuration needs to be made
(config) ip domain-name [domain]
(config) crypto key generate rsa general-key modulus [key length]
(config) ip ssh version [version num]
(config) ip ssh authentication-retries [num]
(config) ip ssh time-out [sec]
VTY lines transport to SSH
(config-line) transport input ssh
Secure Boot Resilience Creates a partition and secures the config and boot files
(config) secure boot-config
6 | P a g e
Intrusion Prevention System (IPS) Create the IPS folder to copy the IPS signature packages inside it Also
the digital certificate needs to be stored on the flash disk
Basic IPS configuration Router mkdir [word]
(config) [insert the crypto key]
(config) crypt key pubkey-chain rsa
(config-pubkey-chain) named-key realm-ciscopub signature
Create the rule with name and location
(config) ip ips name [word] list [wordnum]
(config) ip ips config location flash[dir name]
Enable SDEE notifications to syslog
(config) ip http server
(config) ip ips notify sdee
(config) ip ips notify log
(config) service timestamps log datetime msec
(config) logging [to host address]
Signatures Depending on the availliable RAM on the router the signatures might not be able to load them all at one Use
the retired function to not load these one
(config) ip ips signature-category
(config-ips-category) category all
(config-ips-category-action) retired true
(config-ips-category-action) exit
(config-ips-category) category ios_ips basic
(config-ips-category-action) retired false
Apply IPS Rule to interface
(config) interface [interface]
(config-if) ip ips iosips [in out]
Load signatures from download Make sure that a vaild tftp server is running and hosts the package file downloaded
Router copy ftp[tftpserver][packagefile]pkg idconf
7 | P a g e
Modify signatures Re enable retired specific signatures
(config) ip ips signature-definition
(config-sigdef) signature [num] [num]
(config-sigdef-sig) status
(config-sigdef-sig-status) enabled true
(config-sigdef-sig) engine
(config-sigdef-sig-engine) event-action deny-packet-inline
(config-sigdef-sig-engine) event-action produce-alert
(config-sigdef-sig-engine) event-action reset-tcp-connection
Site-To-Site VPN
Internet Key Exchange (IKE) With IPsec Allows exchange of security protocols and encryption algorithms IKE must be enabled as a service first by
issuing a command before it can be used Also and policy is needed to detriment the auth and encryption
Remember that this should be identical on both end to establish the communication
IKE Phase 1 ndash exchange keys
IKE Phase 2 ndash peers exchange IPsec policies for authentication and encryption of data traffic
(config) crypto isakmp enable
(config) crypto isakmp policy [num (priority)]
(config-isakmp) hash [algorithm]
(config-isakmp) authentication pre-share
(config-isakmp) group [Diffie-Hellman group]
(config-isakmp) lifetime [sec]
(config-isakmp) encryption [algorithm] [key-length]
Configure pre-shared keys to match each router These keys must math on both and point to each otherrsquos IP
address to make the authentication
(config) crypto isakmp [word] address [point to reach]
Set the IPsec negotiation of algorithm to use 2 types is used to hash
(config) crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
Change the default lifetime of 3600sec of the association to be renewed and
exchanged
(config) crypto ipsec security-association lifetime seconds [num]
Define what the interesting traffic is with an ACL this will initiate the
encryption between peers to start and send the traffic This is done on
both side Remember to invert on the other side
(config) access-list [extended num] permit ip [source] [wildcard]
[destination] [wildcard]
8 | P a g e
Create a and apply a crypto map to match the access-list This tells the interface to the peer witch traffic to
match from
(config) crypto map [word] [seq num] ipsec-isakmp
(config-crypto-map) match address [access-list num]
(config-crypto-map) set peer [destination of peer address]
(config-crypto-map) set pfs [Diffie-Hellman group]
(config-crypto-map) set transform-set [wordnum]
(config-crypto-map) set security-association lifetime seconds [num]
Now the crypto map is to be applied on the interface
(config-if) crypto map [crypto map name]
ASA with ASDM Before the firewall can be configured via the ASDM the management It must be imitated to be allow clients to
access ASDM via the console The ASA box is locked down doing so by default
Management interface (config) interface vlan [num]
(config-if) nameif insde
(config-if) ip address [network] [subnet]
(config-if) security-level 100
(config) interface [interface]
(config-if) no shutdown
Configure the outside interface The WAN interface
(config) interface vlan [num]
(config-if) nameif outside
(config-if) ip address [network] [subnet]
(config-if) security-level 0
(config) interface [interface]
(config-if) no shutdown
Apply the vlan to the interface of outside
(config) interface [interface]
(config-if) switchport access vlan [num
(config-if) no shutdown
Enable the HTTP service with access (config) http server enable
(config) http [network] [subnet] [interface]
9 | P a g e
Configure the ASA with ASDM GUI interface Running different wizards to configure the ASA
Configure basic settings Configuration gt Device Setup gt Startup Wizardgt
Modify exsting configurationgt
Configure hostname domain name privileged password gt
Configure inside outside interfaces and VLANs gt
Configure DHCP gt
Configure PAT gt
Configure Access types gt
Summary Read before accept of config
Apply
Clock
Configuration gt Device Setup gt System Time gt Clock
Static routes Configuration gt Device Setup gt Routing gt Static Routes gt
Addgt
Configure Select interface quad zero is any gateway
Apply
AAA user authentication Configuration gt Device Management gt UsersAAAgt User Accountsgt
Configure Add Username password privilegedgt
Apply
AAA user access
Configuration gt Device Management gt UsersAAA gt AAA Access gt Authenticationgt
Configure Authentication to server group
Apply
Firewall policy Configuration gt Firewall gt Service Policy Rulesgt
Configure default inspection gt Rule Action chose the protocol to inspect
DMZ with ACLs
Configuration gt Device Setup gt Interface Settings gt Interfacesgt
Configure Addgt Select interface gt Security-level vlan network
Configure Edit the vlan if default 12 is set
Configure console in change the security-level on interface
Configure block traffic between VLANs in advanced tab
Apply
Configuration gt Firewall gt Public Serversgt
Configure Add gt Private interface private network(elipe) private service (elipe) public network
Apply
Verify rules Configuration gt Firewall gt Access Rules
DMZ with static NAT
10 | P a g e
OSPF Initiate OSPF followed with the ID number to use this must be the same ID number around all machines
Initiate OSPF configuration (config) router ospf [num]
Networks to transfer to neighbors Remember area number
(config-router) network [network] [wildcard mask] area [num]
(config-router) passive-interface [interface]
Securing OSPF with authentication Securing OSPF protocol makes it more secure to not join routing tables in the control plane that might be
malicious This should be applied to every interface with neighbors to form authentication
Configure a key chain to use
(config) key chain [word]
(config-keychain) key 1
Set the authentication key-string to use
(config-keychain-key) key-string [password]
(config-keychain-key) cryptographic-algorithm [algorithm]
Apply the key chain to and interface with neighbor
(config-int) ip ospf authentication key-chain [word]
11 | P a g e
Zone-Based Policy Firewall (ZPF) Start creating the zoneacutes to be used This should be represented by the
interfaces that it should apply to
Create a zone by giving it a name
(config) zone security [zone name]
(config-int) zone-member security [zone name
Use class-mapacutes to define what kind of traffic to inspect Match multiple
protocols inside one class-map It is also possible to nest class-mapacutes
(config) class-map type inspect match-any [class-map name]
(config-cmap) match protocol [protocol]
Use policy-mapacutes to take action on the traffic that is match from the class-map Inspect is used to also allow
dynamic return of the traffic Drop and pass can also be used
(config) policy-map type inspect [policy-map name]
(config-pmap) class type inspect [class-map name]
(config-pmap-c) inspect
Now the policy is needed to be paired with the zone If the zone is not
paired there is no traffic coming through
(config) zone-pair security [zone-pair name] source [zone name]
destination [zone name]
Now apply the policy to actively be used on this zone-pair
(config-sec-zone-pair) service-policy type inspect [policy-map name]
zone (zone-pair)
zone (zone-pair)
Zone
Policy-map
Class-map
12 | P a g e
SNMP To configure SNMP an ACL must be used containing the hosts that are allowed to connect for more secure
SNMP
(config) ip access-list standard [word]
(config-std-nacl) permit [network] [wildcard]
Configure the SNMP server witch MIB view read
(config) snmp-server view [word] [MIB] [include ndash exclude]
Configure SNMP group with version SNMPv3
(config) snmp-server group [word] [version] [security-level] [view thatrsquos
created] access [ACL]
Create user and associate with the group
(config) snmp-server user [word (username)] [groupname] [snmp version]
auth sha [password] priv [algorithm] [key-length] [password]
Router services and configuration
SCP service (config) ip scp server enabled
Copy
Router copy [mode][source][file] [destination]
Clock Router clock set HHMMSS MMM DD YYYY
NTP with authentication
Set up the NTP master server.
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp master [stratum-number (master is 3)]
Configure NTP on the clients. They need to use the same key number and password as the
master NTP server to authenticate.
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp server [NTP master] key [num]
(config) ntp update-calendar
Router# clock update-calendar
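Both sides of the authenticated NTP setup above, as an added example (not from the notes). The addresses (R1 = 10.0.0.1), the key number and the key string are assumptions.

```cisco
! Added example: authenticated NTP. R1 is the master (stratum 3), R2 synchronizes to it.
! The key number and the key string must be identical on both ends.
!
! --- R1 (master) ---
ntp authentication-key 1 md5 NTP-KEY-CHANGE-ME
ntp trusted-key 1
ntp authenticate
ntp master 3
!
! --- R2 (client) ---
ntp authentication-key 1 md5 NTP-KEY-CHANGE-ME
ntp trusted-key 1
ntp authenticate
! "key 1" makes the client sign its requests with key 1 and accept only replies signed with it
ntp server 10.0.0.1 key 1
! Copy the synchronized time into the hardware calendar as well
ntp update-calendar
```

Verify on R2 with show ntp associations (the synchronized peer is marked with *) and show ntp associations detail, which reports "authenticated" once the key works. If the client stays unsynchronized with ntp authenticate enabled, the first thing to check is that the ntp server line carries the key option and that the key string matches the master.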
Syslog server
Use a syslog server to log everything. Set up timestamps to stamp the log. There are different logging
traps (severity levels) to use.
Turn on timestamps for the log
(config) service timestamps log datetime msec
Point to the syslog server
(config) logging host [destination address]
Define the logging severity level (messages with this severity or a lower number are sent)
(config) logging trap [severity]
Severity Level   Keyword         Meaning
0                emergencies     System is unusable
1                alerts          Immediate action required
2                critical        Critical conditions
3                errors          Error conditions
4                warnings        Warning conditions
5                notifications   Normal but significant condition
6                informational   Informational messages
7                debugging       Debugging messages
Logging
(config) login on-failure log
(config) login on-success log
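The syslog and login-logging commands above combined into one configuration, with a constructed sample of the messages the collector receives. This is an added example, not from the notes; the server address 10.10.10.60, the source interface and the sample messages are assumptions.

```cisco
! Added example: ship router logs to a syslog server and log login attempts
service timestamps log datetime msec
service timestamps debug datetime msec
! Keep a local copy too, for when the server is unreachable
logging buffered 16384 informational
logging host 10.10.10.60
! Stable source address, so the collector can match messages to this device
logging source-interface Loopback0
! Level 5: severities 0-5 are sent to the server, 6 and 7 are not
logging trap notifications
! Interactive login results (severity 4 for failures, 5 for successes)
login on-failure log
login on-success log
!
! Constructed sample of the resulting messages (IOS format, timestamps from "datetime msec"):
! *Jan  5 10:21:03.417: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.10.10.99] [localport: 22] [Reason: Login Authentication Failed] at 10:21:03 UTC Tue Jan 5 2016
! *Jan  5 10:21:10.002: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.10.10.50] [localport: 22] at 10:21:10 UTC Tue Jan 5 2016
```

The trap level has to be chosen against the severity table above: with logging trap warnings (4) the LOGIN_FAILED message still reaches the server but LOGIN_SUCCESS (severity 5) never does, which is why notifications (5) is the lowest level that gives a complete login audit trail on the collector. show logging shows the trap level and how many messages were sent to the host.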
Debug commands
Miscellanies
show flash (shows what is on the flash drive)
OSPF
show ip ospf neighbor (check whether adjacencies have formed between neighbors)
show ip ospf neighbor summary (shows the ospf processes)
show ip ospf interface [interface] (shows detailed information)
show ip route (check that the known routes are learned over OSPF paths)
clear ip ospf redistribution (clears out the learned database)
debug ip ospf hello
IKE IPsec CRYPTO
show crypto isakmp policy (shows the information on the exchange configuration)
show crypto ipsec transform-set (shows the tunnel and transport negotiation)
show crypto map (shows the crypto map that applies to the current router)
show crypto ipsec sa (verifies the associations and the packets through the tunnel)
debug crypto ipsec
Resilience
show secure bootset (shows the archived files)
show flash (shows the flash directory)
SNMP
show snmp group (verifies snmp)
show snmp user (views the snmp users created)
Time and date NTP
show clock (views the clock and date settings)
show ntp associations
debug ntp all
Syslog Logging
show logging (views the logging settings, this includes the logging to the server)
Zone-Based Policy Firewall
show zone-pair security (views the zone pairs that are made)
show policy-map type inspect zone-pair (detailed view of packets and the zone pairs the policy is applied to)
show zone security (shows all the interfaces that are members of a zone)
Switch
show spanning-tree (see if the bridge is root)
show running-config (look at the interface configuration)
show spanning-tree summary
show spanning-tree inconsistentports
show port-security
show port-security address
ASA Firewall
show interface ip brief (shows basic interface states)
Tools > Packet Tracer
Reset the ASA
configure factory-default
write erase
reload
Intrusion prevention system (IPS)
show ip ips signature count (shows the signature counts: loaded, enabled and retired)
If the error message "IPS-3-INVALID_DIGITAL_SIGNATURE Invalid Digital Signature found (key not found)" appears, check the crypto key.
Secure Boot
show secure bootset
2 | P a g e
SNMP 12
Router services and configuration 12
SCP service 12
Copy 12
Clock 12
NTP with authentication 12
Syslog server 13
Logging 13
Debug commands 14
Miscellanies 14
OSPF 14
IKE IPsec CRYPTO 14
Resilience 14
SNMP 14
Time and date NTP 14
Syslog Logging 14
Zone-Based Policy Firewall 14
Switch 15
ASA Firewall 15
Reset the ASA 15
Intrusion prevention system (IPS) 15
Secure Boot 15
3 | P a g e
Basic security configuration
User creation Create a user with encrypted password
(config-line) username [word] algorithm-type scrypt secret [word]
View user Router enable view
(config) parser view [username]
(config-view) secret [password]
(config-view) commands exec include all [type]
Authentication method AAA local database When using AAA as a authentication service then the service must be initiated first then the authentication
methods can be configured to use
Initiation of AAA
(config) aaa new-model
Configuration of authentication and autorization methods
(config) aaa authentication login default local
(config) aaa authorization exec default local
Administrative Roles Router enable view (the root user)
(config) parser view [word]
(config-view) secret [word]
(config-view) commands [config mode] [include ndash exclude] all [command]
AAA With RADIUS server (config) aaa new-model
(config) aaa authentication login default group radius local
(config) radius server [name]
(config) address ipv4 [network] auth-port 1812 acct-port 1813
(config) address [network]
(config) key [PSK]
AAA line authentication list (config) aaa authentication login [GROUPE NAME] group radius local
(config) line vty 0 4
(config) login authentication [GROUP NAME]
4 | P a g e
Securing layer 2 The bridge as root
(config) spanning-tree vlan 1 priority 0
Setting trunk or access mode (config-if) switchport mode trunk
(config-if) switchport mode access
Trunk VLAN prevention of VLAN hopping And nooegotiate (config-if) siwthport trunk navtive vlan [num]
(config-if) switchport nonegotiate
Spanning-tree security (config-if) spanning-tree portfast (this is to allow quick clients
package)
(config-it) spanning-tree bpdguard enable
(config-it) spanning-tree guard root (switch on none root ports)
(config) spanning-tree loopguard default
(config-if) switchport port-security (enables the port-security)
(config-if) switchport port-security mac-address [mac]
(config-if) switchport port-security maximum [num]
(config-if) switchport port-security violation [action]
(config-if) switchport port-security aging time [sec]
DHCP snooping (config) ip dhcp snooping
(config) ip dhcp snooping information option
(config-if) ip dhcp snooping limit rate [num]
Trust ports from DHCP server
(config-if) ip dhcp snooping trust
PVLAN Create vlan to use on the interface before applying
(config-if) switcport access vlan [num]
(config-if) switchport protected
CDP Do not broadcast unnessesary with Cisco Discovery Protocol
(config-if) no cdp enable
5 | P a g e
Line security (config-line) privilege level 15
(config-line) login local [set password if only login]
(config-line) exec-timeoute [min] [sec]
(config-line) logging synchronous (not security just nice)
Password security (config) service password-encryption
(config) security password min-length [num]
(config) enable algorithm-type scrypt secret [word]
(config) username [word] algorihm-type scrypt secret [word]
MOTD (config) banner [login ndash motd ndashexec] $ [TEXT] $
SSH security To setup SSH it needs to have a domain name for use in a certificate that needs to be generated Both needs to
be preformed before SSH can be used as a shell login Also line configuration needs to be made
(config) ip domain-name [domain]
(config) crypto key generate rsa general-key modulus [key length]
(config) ip ssh version [version num]
(config) ip ssh authentication-retries [num]
(config) ip ssh time-out [sec]
VTY lines transport to SSH
(config-line) transport input ssh
Secure Boot Resilience Creates a partition and secures the config and boot files
(config) secure boot-config
6 | P a g e
Intrusion Prevention System (IPS) Create the IPS folder to copy the IPS signature packages inside it Also
the digital certificate needs to be stored on the flash disk
Basic IPS configuration Router mkdir [word]
(config) [insert the crypto key]
(config) crypt key pubkey-chain rsa
(config-pubkey-chain) named-key realm-ciscopub signature
Create the rule with name and location
(config) ip ips name [word] list [wordnum]
(config) ip ips config location flash[dir name]
Enable SDEE notifications to syslog
(config) ip http server
(config) ip ips notify sdee
(config) ip ips notify log
(config) service timestamps log datetime msec
(config) logging [to host address]
Signatures Depending on the availliable RAM on the router the signatures might not be able to load them all at one Use
the retired function to not load these one
(config) ip ips signature-category
(config-ips-category) category all
(config-ips-category-action) retired true
(config-ips-category-action) exit
(config-ips-category) category ios_ips basic
(config-ips-category-action) retired false
Apply IPS Rule to interface
(config) interface [interface]
(config-if) ip ips iosips [in out]
Load signatures from download Make sure that a vaild tftp server is running and hosts the package file downloaded
Router copy ftp[tftpserver][packagefile]pkg idconf
7 | P a g e
Modify signatures Re enable retired specific signatures
(config) ip ips signature-definition
(config-sigdef) signature [num] [num]
(config-sigdef-sig) status
(config-sigdef-sig-status) enabled true
(config-sigdef-sig) engine
(config-sigdef-sig-engine) event-action deny-packet-inline
(config-sigdef-sig-engine) event-action produce-alert
(config-sigdef-sig-engine) event-action reset-tcp-connection
Site-To-Site VPN
Internet Key Exchange (IKE) With IPsec Allows exchange of security protocols and encryption algorithms IKE must be enabled as a service first by
issuing a command before it can be used Also and policy is needed to detriment the auth and encryption
Remember that this should be identical on both end to establish the communication
IKE Phase 1 ndash exchange keys
IKE Phase 2 ndash peers exchange IPsec policies for authentication and encryption of data traffic
(config) crypto isakmp enable
(config) crypto isakmp policy [num (priority)]
(config-isakmp) hash [algorithm]
(config-isakmp) authentication pre-share
(config-isakmp) group [Diffie-Hellman group]
(config-isakmp) lifetime [sec]
(config-isakmp) encryption [algorithm] [key-length]
Configure pre-shared keys to match each router These keys must math on both and point to each otherrsquos IP
address to make the authentication
(config) crypto isakmp [word] address [point to reach]
Set the IPsec negotiation of algorithm to use 2 types is used to hash
(config) crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
Change the default lifetime of 3600sec of the association to be renewed and
exchanged
(config) crypto ipsec security-association lifetime seconds [num]
Define what the interesting traffic is with an ACL this will initiate the
encryption between peers to start and send the traffic This is done on
both side Remember to invert on the other side
(config) access-list [extended num] permit ip [source] [wildcard]
[destination] [wildcard]
8 | P a g e
Create a and apply a crypto map to match the access-list This tells the interface to the peer witch traffic to
match from
(config) crypto map [word] [seq num] ipsec-isakmp
(config-crypto-map) match address [access-list num]
(config-crypto-map) set peer [destination of peer address]
(config-crypto-map) set pfs [Diffie-Hellman group]
(config-crypto-map) set transform-set [wordnum]
(config-crypto-map) set security-association lifetime seconds [num]
Now the crypto map is to be applied on the interface
(config-if) crypto map [crypto map name]
ASA with ASDM Before the firewall can be configured via the ASDM the management It must be imitated to be allow clients to
access ASDM via the console The ASA box is locked down doing so by default
Management interface (config) interface vlan [num]
(config-if) nameif insde
(config-if) ip address [network] [subnet]
(config-if) security-level 100
(config) interface [interface]
(config-if) no shutdown
Configure the outside interface The WAN interface
(config) interface vlan [num]
(config-if) nameif outside
(config-if) ip address [network] [subnet]
(config-if) security-level 0
(config) interface [interface]
(config-if) no shutdown
Apply the vlan to the interface of outside
(config) interface [interface]
(config-if) switchport access vlan [num
(config-if) no shutdown
Enable the HTTP service with access (config) http server enable
(config) http [network] [subnet] [interface]
9 | P a g e
Configure the ASA with ASDM GUI interface Running different wizards to configure the ASA
Configure basic settings Configuration gt Device Setup gt Startup Wizardgt
Modify exsting configurationgt
Configure hostname domain name privileged password gt
Configure inside outside interfaces and VLANs gt
Configure DHCP gt
Configure PAT gt
Configure Access types gt
Summary Read before accept of config
Apply
Clock
Configuration gt Device Setup gt System Time gt Clock
Static routes Configuration gt Device Setup gt Routing gt Static Routes gt
Addgt
Configure Select interface quad zero is any gateway
Apply
AAA user authentication Configuration gt Device Management gt UsersAAAgt User Accountsgt
Configure Add Username password privilegedgt
Apply
AAA user access
Configuration gt Device Management gt UsersAAA gt AAA Access gt Authenticationgt
Configure Authentication to server group
Apply
Firewall policy Configuration gt Firewall gt Service Policy Rulesgt
Configure default inspection gt Rule Action chose the protocol to inspect
DMZ with ACLs
Configuration gt Device Setup gt Interface Settings gt Interfacesgt
Configure Addgt Select interface gt Security-level vlan network
Configure Edit the vlan if default 12 is set
Configure console in change the security-level on interface
Configure block traffic between VLANs in advanced tab
Apply
Configuration gt Firewall gt Public Serversgt
Configure Add gt Private interface private network(elipe) private service (elipe) public network
Apply
Verify rules Configuration gt Firewall gt Access Rules
DMZ with static NAT
10 | P a g e
OSPF Initiate OSPF followed with the ID number to use this must be the same ID number around all machines
Initiate OSPF configuration (config) router ospf [num]
Networks to transfer to neighbors Remember area number
(config-router) network [network] [wildcard mask] area [num]
(config-router) passive-interface [interface]
Securing OSPF with authentication Securing OSPF protocol makes it more secure to not join routing tables in the control plane that might be
malicious This should be applied to every interface with neighbors to form authentication
Configure a key chain to use
(config) key chain [word]
(config-keychain) key 1
Set the authentication key-string to use
(config-keychain-key) key-string [password]
(config-keychain-key) cryptographic-algorithm [algorithm]
Apply the key chain to and interface with neighbor
(config-int) ip ospf authentication key-chain [word]
11 | P a g e
Zone-Based Policy Firewall (ZPF) Start creating the zoneacutes to be used This should be represented by the
interfaces that it should apply to
Create a zone by giving it a name
(config) zone security [zone name]
(config-int) zone-member security [zone name
Use class-mapacutes to define what kind of traffic to inspect Match multiple
protocols inside one class-map It is also possible to nest class-mapacutes
(config) class-map type inspect match-any [class-map name]
(config-cmap) match protocol [protocol]
Use policy-mapacutes to take action on the traffic that is match from the class-map Inspect is used to also allow
dynamic return of the traffic Drop and pass can also be used
(config) policy-map type inspect [policy-map name]
(config-pmap) class type inspect [class-map name]
(config-pmap-c) inspect
Now the policy is needed to be paired with the zone If the zone is not
paired there is no traffic coming through
(config) zone-pair security [zone-pair name] source [zone name]
destination [zone name]
Now apply the policy to actively be used on this zone-pair
(config-sec-zone-pair) service-policy type inspect [policy-map name]
zone (zone-pair)
zone (zone-pair)
Zone
Policy-map
Class-map
12 | P a g e
SNMP To configure SNMP an ACL must be used containing the hosts that are allowed to connect for more secure
SNMP
(config) ip access-list standard [word]
(config-std-nacl) permit [network] [wildcard]
Configure the SNMP server witch MIB view read
(config) snmp-server view [word] [MIB] [include ndash exclude]
Configure SNMP group with version SNMPv3
(config) snmp-server group [word] [version] [security-level] [view thatrsquos
created] access [ACL]
Create user and associate with the group
(config) snmp-server user [word (username)] [groupname] [snmp version]
auth sha [password] priv [algorithm] [key-length] [password]
Router services and configuration
SCP service (config) ip scp server enabled
Copy
Router copy [mode][source][file] [destination]
Clock Router clock set HHMMSS MMM DD YYYY
NTP with authentication Setup and NTP server master
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp master [stratum-number (master is 3)]
Configure NTP on clients it needs to use the same key and password from the
master NTP server to authenticate
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp server [NTP master]
(config) ntp update-calendar
Router clock update-calendar
13 | P a g e
Syslog server Use a syslog server to log everything Setup timestamps to stamp the log There are different logging traps to
use
Turn on timestamps for the log
(config) service timestamps log datetime msec
Point to the syslog server
(config) logging host [destination address]
Define the logging level severity
(config) logging trap [severity]
Severity Level Keyword Meaning
0 emergencies System is unusable
1 alerts Immediate action required
2 critical Critical conditions
3 errors Error conditions
4 warnings Warning conditions
5 notifications Normal but significant condition
6 informational Informational messages
7 debugging Debugging messages
Logging (config) login on-failure log
(config) login on-succeed log
14 | P a g e
Debug commands
Miscellanies Show flash (show whats on the flash drive)
OSPF show ip ospf neighbor (check to see if there is any adjacent between neighbors)
show ip ospf neighbor summary (show ospf processes)
show ip ospf interface [interface] (show detailed information )
show ip route (check known routes is learned by OSPF pathacutes)
clear ip ospf redistribution (clear out the learned database)
debug ip ospf hello
IKE IPsec CRYPTO show crypto isakmp policy (shows the information on exchange configuration)
show crypto ipsec transform-set (show the tunnel and transport negotiation)
show crypto map (show the crypto map that applies to the current router)
show crypto ipsec sa (verify the associations and packet through the tunnel)
debug crypto ipsec
Resilience show secure bootset (shows archived files)
show flash (show flash directory)
SNMP show snmp group (verify snmp)
show snmp user (view snmp users created)
Time and date NTP show clock (view clock and date settings)
show ntp associations
debug ntp all
Syslog Logging show logging (view the logging settings this includes the logging to server)
Zone-Based Policy Firewall show zone-pair security (view the zone pairs that are made)
show policy-map type inspect zone-pair (detail view ond packets and zone pairs applied)
show zone security (show all the interfaces that is member of a zone)
15 | P a g e
Switch show spanning-tree (see if bidge is root)
show running-config (look on interface configuration)
show spanning-tree summary
show spanning-tree inconsistentports
show port-security
show port-security address
ASA Firewall show interface ip brief (show basic interface states)
Tools gt Packet Tracer
Reset the ASA
configure factory-default
write erase
reload
Intrusion prevention system (IPS) show ip ips signature count (shows the signature counts loaded enabled and retired) error message ldquoIPS-3-INVALID_DIGITAL_SIGNATURE Invalid Digital Signature found (key not found)rdquo check the crypto key
Secure Boot show secure bootset
3 | P a g e
Basic security configuration
User creation Create a user with encrypted password
(config-line) username [word] algorithm-type scrypt secret [word]
View user Router enable view
(config) parser view [username]
(config-view) secret [password]
(config-view) commands exec include all [type]
Authentication method AAA local database When using AAA as a authentication service then the service must be initiated first then the authentication
methods can be configured to use
Initiation of AAA
(config) aaa new-model
Configuration of authentication and autorization methods
(config) aaa authentication login default local
(config) aaa authorization exec default local
Administrative Roles Router enable view (the root user)
(config) parser view [word]
(config-view) secret [word]
(config-view) commands [config mode] [include ndash exclude] all [command]
AAA With RADIUS server (config) aaa new-model
(config) aaa authentication login default group radius local
(config) radius server [name]
(config) address ipv4 [network] auth-port 1812 acct-port 1813
(config) address [network]
(config) key [PSK]
AAA line authentication list (config) aaa authentication login [GROUPE NAME] group radius local
(config) line vty 0 4
(config) login authentication [GROUP NAME]
4 | P a g e
Securing layer 2 The bridge as root
(config) spanning-tree vlan 1 priority 0
Setting trunk or access mode (config-if) switchport mode trunk
(config-if) switchport mode access
Trunk VLAN prevention of VLAN hopping And nooegotiate (config-if) siwthport trunk navtive vlan [num]
(config-if) switchport nonegotiate
Spanning-tree security (config-if) spanning-tree portfast (this is to allow quick clients
package)
(config-it) spanning-tree bpdguard enable
(config-it) spanning-tree guard root (switch on none root ports)
(config) spanning-tree loopguard default
(config-if) switchport port-security (enables the port-security)
(config-if) switchport port-security mac-address [mac]
(config-if) switchport port-security maximum [num]
(config-if) switchport port-security violation [action]
(config-if) switchport port-security aging time [sec]
DHCP snooping (config) ip dhcp snooping
(config) ip dhcp snooping information option
(config-if) ip dhcp snooping limit rate [num]
Trust ports from DHCP server
(config-if) ip dhcp snooping trust
PVLAN Create vlan to use on the interface before applying
(config-if) switcport access vlan [num]
(config-if) switchport protected
CDP Do not broadcast unnessesary with Cisco Discovery Protocol
(config-if) no cdp enable
5 | P a g e
Line security (config-line) privilege level 15
(config-line) login local [set password if only login]
(config-line) exec-timeoute [min] [sec]
(config-line) logging synchronous (not security just nice)
Password security (config) service password-encryption
(config) security password min-length [num]
(config) enable algorithm-type scrypt secret [word]
(config) username [word] algorihm-type scrypt secret [word]
MOTD (config) banner [login ndash motd ndashexec] $ [TEXT] $
SSH security To setup SSH it needs to have a domain name for use in a certificate that needs to be generated Both needs to
be preformed before SSH can be used as a shell login Also line configuration needs to be made
(config) ip domain-name [domain]
(config) crypto key generate rsa general-key modulus [key length]
(config) ip ssh version [version num]
(config) ip ssh authentication-retries [num]
(config) ip ssh time-out [sec]
VTY lines transport to SSH
(config-line) transport input ssh
Secure Boot Resilience Creates a partition and secures the config and boot files
(config) secure boot-config
6 | P a g e
Intrusion Prevention System (IPS) Create the IPS folder to copy the IPS signature packages inside it Also
the digital certificate needs to be stored on the flash disk
Basic IPS configuration Router mkdir [word]
(config) [insert the crypto key]
(config) crypt key pubkey-chain rsa
(config-pubkey-chain) named-key realm-ciscopub signature
Create the rule with name and location
(config) ip ips name [word] list [wordnum]
(config) ip ips config location flash[dir name]
Enable SDEE notifications to syslog
(config) ip http server
(config) ip ips notify sdee
(config) ip ips notify log
(config) service timestamps log datetime msec
(config) logging [to host address]
Signatures Depending on the availliable RAM on the router the signatures might not be able to load them all at one Use
the retired function to not load these one
(config) ip ips signature-category
(config-ips-category) category all
(config-ips-category-action) retired true
(config-ips-category-action) exit
(config-ips-category) category ios_ips basic
(config-ips-category-action) retired false
Apply IPS Rule to interface
(config) interface [interface]
(config-if) ip ips iosips [in out]
Load signatures from download Make sure that a vaild tftp server is running and hosts the package file downloaded
Router copy ftp[tftpserver][packagefile]pkg idconf
7 | P a g e
Modify signatures Re enable retired specific signatures
(config) ip ips signature-definition
(config-sigdef) signature [num] [num]
(config-sigdef-sig) status
(config-sigdef-sig-status) enabled true
(config-sigdef-sig) engine
(config-sigdef-sig-engine) event-action deny-packet-inline
(config-sigdef-sig-engine) event-action produce-alert
(config-sigdef-sig-engine) event-action reset-tcp-connection
Site-To-Site VPN
Internet Key Exchange (IKE) With IPsec Allows exchange of security protocols and encryption algorithms IKE must be enabled as a service first by
issuing a command before it can be used Also and policy is needed to detriment the auth and encryption
Remember that this should be identical on both end to establish the communication
IKE Phase 1 ndash exchange keys
IKE Phase 2 ndash peers exchange IPsec policies for authentication and encryption of data traffic
(config) crypto isakmp enable
(config) crypto isakmp policy [num (priority)]
(config-isakmp) hash [algorithm]
(config-isakmp) authentication pre-share
(config-isakmp) group [Diffie-Hellman group]
(config-isakmp) lifetime [sec]
(config-isakmp) encryption [algorithm] [key-length]
Configure pre-shared keys to match each router These keys must math on both and point to each otherrsquos IP
address to make the authentication
(config) crypto isakmp [word] address [point to reach]
Set the IPsec negotiation of algorithm to use 2 types is used to hash
(config) crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
Change the default lifetime of 3600sec of the association to be renewed and
exchanged
(config) crypto ipsec security-association lifetime seconds [num]
Define what the interesting traffic is with an ACL this will initiate the
encryption between peers to start and send the traffic This is done on
both side Remember to invert on the other side
(config) access-list [extended num] permit ip [source] [wildcard]
[destination] [wildcard]
8 | P a g e
Create a and apply a crypto map to match the access-list This tells the interface to the peer witch traffic to
match from
(config) crypto map [word] [seq num] ipsec-isakmp
(config-crypto-map) match address [access-list num]
(config-crypto-map) set peer [destination of peer address]
(config-crypto-map) set pfs [Diffie-Hellman group]
(config-crypto-map) set transform-set [wordnum]
(config-crypto-map) set security-association lifetime seconds [num]
Now the crypto map is to be applied on the interface
(config-if) crypto map [crypto map name]
ASA with ASDM Before the firewall can be configured via the ASDM the management It must be imitated to be allow clients to
access ASDM via the console The ASA box is locked down doing so by default
Management interface (config) interface vlan [num]
(config-if) nameif insde
(config-if) ip address [network] [subnet]
(config-if) security-level 100
(config) interface [interface]
(config-if) no shutdown
Configure the outside interface The WAN interface
(config) interface vlan [num]
(config-if) nameif outside
(config-if) ip address [network] [subnet]
(config-if) security-level 0
(config) interface [interface]
(config-if) no shutdown
Apply the vlan to the interface of outside
(config) interface [interface]
(config-if) switchport access vlan [num
(config-if) no shutdown
Enable the HTTP service with access (config) http server enable
(config) http [network] [subnet] [interface]
9 | P a g e
Configure the ASA with ASDM GUI interface Running different wizards to configure the ASA
Configure basic settings Configuration gt Device Setup gt Startup Wizardgt
Modify exsting configurationgt
Configure hostname domain name privileged password gt
Configure inside outside interfaces and VLANs gt
Configure DHCP gt
Configure PAT gt
Configure Access types gt
Summary Read before accept of config
Apply
Clock
Configuration gt Device Setup gt System Time gt Clock
Static routes Configuration gt Device Setup gt Routing gt Static Routes gt
Addgt
Configure Select interface quad zero is any gateway
Apply
AAA user authentication Configuration gt Device Management gt UsersAAAgt User Accountsgt
Configure Add Username password privilegedgt
Apply
AAA user access
Configuration gt Device Management gt UsersAAA gt AAA Access gt Authenticationgt
Configure Authentication to server group
Apply
Firewall policy Configuration gt Firewall gt Service Policy Rulesgt
Configure default inspection gt Rule Action chose the protocol to inspect
DMZ with ACLs
Configuration gt Device Setup gt Interface Settings gt Interfacesgt
Configure Addgt Select interface gt Security-level vlan network
Configure Edit the vlan if default 12 is set
Configure console in change the security-level on interface
Configure block traffic between VLANs in advanced tab
Apply
Configuration gt Firewall gt Public Serversgt
Configure Add gt Private interface private network(elipe) private service (elipe) public network
Apply
Verify rules Configuration gt Firewall gt Access Rules
DMZ with static NAT
10 | P a g e
OSPF Initiate OSPF followed with the ID number to use this must be the same ID number around all machines
Initiate OSPF configuration (config) router ospf [num]
Networks to transfer to neighbors Remember area number
(config-router) network [network] [wildcard mask] area [num]
(config-router) passive-interface [interface]
Securing OSPF with authentication Securing OSPF protocol makes it more secure to not join routing tables in the control plane that might be
malicious This should be applied to every interface with neighbors to form authentication
Configure a key chain to use
(config) key chain [word]
(config-keychain) key 1
Set the authentication key-string to use
(config-keychain-key) key-string [password]
(config-keychain-key) cryptographic-algorithm [algorithm]
Apply the key chain to and interface with neighbor
(config-int) ip ospf authentication key-chain [word]
11 | P a g e
Zone-Based Policy Firewall (ZPF) Start creating the zoneacutes to be used This should be represented by the
interfaces that it should apply to
Create a zone by giving it a name
(config) zone security [zone name]
(config-int) zone-member security [zone name
Use class-mapacutes to define what kind of traffic to inspect Match multiple
protocols inside one class-map It is also possible to nest class-mapacutes
(config) class-map type inspect match-any [class-map name]
(config-cmap) match protocol [protocol]
Use policy-mapacutes to take action on the traffic that is match from the class-map Inspect is used to also allow
dynamic return of the traffic Drop and pass can also be used
(config) policy-map type inspect [policy-map name]
(config-pmap) class type inspect [class-map name]
(config-pmap-c) inspect
Now the policy is needed to be paired with the zone If the zone is not
paired there is no traffic coming through
(config) zone-pair security [zone-pair name] source [zone name]
destination [zone name]
Now apply the policy to actively be used on this zone-pair
(config-sec-zone-pair) service-policy type inspect [policy-map name]
zone (zone-pair)
zone (zone-pair)
Zone
Policy-map
Class-map
12 | P a g e
SNMP
To configure SNMP more securely, use an ACL containing the hosts that are allowed to connect:
(config) ip access-list standard [word]
(config-std-nacl) permit [network] [wildcard]
Configure the SNMP view with the MIB subtree it may read:
(config) snmp-server view [word] [MIB] [include | exclude]
Configure an SNMP group with version SNMPv3:
(config) snmp-server group [word] [version] [security-level] read [view that was created] access [ACL]
Create a user and associate it with the group:
(config) snmp-server user [username] [group name] [snmp version] auth sha [password] priv [algorithm] [key-length] [password]
Router services and configuration
SCP service
(config) ip scp server enable
Copy
Router# copy [mode]:[source]/[file] [destination]
Clock
Router# clock set HH:MM:SS MMM DD YYYY
NTP with authentication
Set up the NTP master server:
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp master [stratum number (master is 3)]
Configure NTP on the clients; they need the same key number and password as the master NTP server to authenticate:
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp server [NTP master] key [num]
(config) ntp update-calendar
Router# clock update-calendar
Syslog server
Use a syslog server to log everything, and enable timestamps so each entry is stamped. There are different logging trap levels to use.
Turn on timestamps for the log:
(config) service timestamps log datetime msec
Point to the syslog server:
(config) logging host [destination address]
Define the logging trap severity level (messages at this severity and more severe are sent):
(config) logging trap [severity]
Severity Level   Keyword         Meaning
0                emergencies     System is unusable
1                alerts          Immediate action required
2                critical        Critical conditions
3                errors          Error conditions
4                warnings        Warning conditions
5                notifications   Normal but significant condition
6                informational   Informational messages
7                debugging       Debugging messages
Logging
Log failed and successful logins:
(config) login on-failure log
(config) login on-success log
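An added example, not from the original notes: a Python parser for IOS syslog lines that applies the trap-level filter from the table above and counts, per source address, the LOGIN_FAILED messages that "login on-failure log" produces. The log lines are constructed samples in the real %FACILITY-SEVERITY-MNEMONIC format.

```python
import re
from collections import Counter

# Severity table from the notes: number -> keyword used by 'logging trap'.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
KEYWORD_TO_LEVEL = {v: k for k, v in SEVERITY.items()}

# Constructed sample log, in the shape IOS emits with
# 'service timestamps log datetime msec' and 'login on-failure log' enabled.
SAMPLE_LOG = """\
*Mar  1 00:10:02.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 00:10:02 UTC Mon Mar 1 1993
*Mar  1 00:10:07.455: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 00:10:07 UTC Mon Mar 1 1993
*Mar  1 00:10:11.902: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 00:10:11 UTC Mon Mar 1 1993
*Mar  1 00:10:30.013: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.9] [localport: 22] at 00:10:30 UTC Mon Mar 1 1993
*Mar  1 00:11:00.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.100 port 514 started - CLI initiated
*Mar  1 00:11:05.777: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar  1 00:11:06.000: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
"""

# IOS message body: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
SRC_RE = re.compile(r"\[Source: ([\d.]+)\]")

def parse_line(line):
    """Return facility/severity/keyword/mnemonic/text for one IOS log line, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return {"facility": m.group("facility"), "severity": sev, "keyword": SEVERITY[sev],
            "mnemonic": m.group("mnemonic"), "text": m.group("text")}

def trap_filter(log, trap_level):
    """Messages the router forwards at 'logging trap <level>': severity <= level.
    trap_level may be the number or the keyword, exactly as on the CLI."""
    if isinstance(trap_level, str):
        trap_level = KEYWORD_TO_LEVEL[trap_level]
    kept = []
    for line in log.splitlines():
        msg = parse_line(line)
        if msg and msg["severity"] <= trap_level:
            kept.append(msg)
    return kept

def failed_logins_by_source(log, threshold=3):
    """Source addresses with at least `threshold` LOGIN_FAILED messages."""
    counts = Counter()
    for line in log.splitlines():
        msg = parse_line(line)
        if msg and msg["mnemonic"] == "LOGIN_FAILED":
            src = SRC_RE.search(msg["text"])
            if src:
                counts[src.group(1)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for msg in trap_filter(SAMPLE_LOG, "warnings"):
        print(msg["keyword"], msg["facility"], msg["mnemonic"])
    print("repeated login failures:", failed_logins_by_source(SAMPLE_LOG))
```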
Debug commands
Miscellaneous
show flash (show what is on the flash drive)
OSPF
show ip ospf neighbor (check whether adjacencies exist between neighbors)
show ip ospf neighbor summary (show OSPF processes)
show ip ospf interface [interface] (show detailed information)
show ip route (check that the known routes are learned via OSPF paths)
clear ip ospf redistribution (clear out the learned database)
debug ip ospf hello
IKE IPsec CRYPTO
show crypto isakmp policy (shows the key exchange configuration)
show crypto ipsec transform-set (show the tunnel and transport negotiation)
show crypto map (show the crypto map that applies to the current router)
show crypto ipsec sa (verify the associations and the packets through the tunnel)
debug crypto ipsec
Resilience
show secure bootset (shows archived files)
show flash (show flash directory)
SNMP
show snmp group (verify SNMP)
show snmp user (view the SNMP users created)
Time and date NTP
show clock (view clock and date settings)
show ntp associations
debug ntp all
Syslog Logging
show logging (view the logging settings, including logging to the server)
Zone-Based Policy Firewall
show zone-pair security (view the zone pairs that are made)
show policy-map type inspect zone-pair (detailed view of packets and the zone pairs applied)
show zone security (show all the interfaces that are members of a zone)
Switch
show spanning-tree (see if the bridge is root)
show running-config (look at the interface configuration)
show spanning-tree summary
show spanning-tree inconsistentports
show port-security
show port-security address
ASA Firewall
show interface ip brief (show basic interface states)
Tools > Packet Tracer
Reset the ASA
configure factory-default
write erase
reload
Intrusion prevention system (IPS)
show ip ips signature count (shows the signature counts: loaded, enabled and retired)
On the error message "IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (key not found)", check the crypto key.
Secure Boot
show secure bootset
Securing layer 2
Make the bridge root:
(config) spanning-tree vlan 1 priority 0
Setting trunk or access mode
(config-if) switchport mode trunk
(config-if) switchport mode access
Trunk VLAN, prevention of VLAN hopping and nonegotiate
(config-if) switchport trunk native vlan [num]
(config-if) switchport nonegotiate
Spanning-tree security
(config-if) spanning-tree portfast (lets client access ports forward quickly)
(config-if) spanning-tree bpduguard enable
(config-if) spanning-tree guard root (on non-root ports)
(config) spanning-tree loopguard default
(config-if) switchport port-security (enables port-security)
(config-if) switchport port-security mac-address [mac]
(config-if) switchport port-security maximum [num]
(config-if) switchport port-security violation [action]
(config-if) switchport port-security aging time [min]
DHCP snooping
(config) ip dhcp snooping
(config) ip dhcp snooping vlan [num]
(config) ip dhcp snooping information option
(config-if) ip dhcp snooping limit rate [num]
Trust the ports toward the DHCP server:
(config-if) ip dhcp snooping trust
PVLAN
Create the VLAN to use on the interface before applying it:
(config-if) switchport access vlan [num]
(config-if) switchport protected
CDP
Do not broadcast unnecessarily with Cisco Discovery Protocol:
(config-if) no cdp enable
Line security
(config-line) privilege level 15
(config-line) login local (set a line password instead if only "login" is used)
(config-line) exec-timeout [min] [sec]
(config-line) logging synchronous (not security, just nice)
Password security
(config) service password-encryption
(config) security passwords min-length [num]
(config) enable algorithm-type scrypt secret [word]
(config) username [word] algorithm-type scrypt secret [word]
MOTD
(config) banner [login | motd | exec] $ [TEXT] $
SSH security
To set up SSH, the router needs a domain name, which is used when the RSA key pair is generated. Both must be done before SSH can be used as the shell login. The line configuration also needs to be made.
(config) ip domain-name [domain]
(config) crypto key generate rsa general-keys modulus [key length]
(config) ip ssh version [version num]
(config) ip ssh authentication-retries [num]
(config) ip ssh time-out [sec]
Restrict the VTY line transport to SSH:
(config-line) transport input ssh
Secure Boot Resilience
Secures the boot image and the config file in an archive so they cannot be deleted or modified:
(config) secure boot-image
(config) secure boot-config
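An added Python audit (not the notes' own material) that checks an IOS running-config for the line, password, SSH and secure-boot hardening listed above and reports what is missing. The sample config is constructed, and the minimum password length of 10 is an assumed baseline rather than a value from the notes.

```python
import re

MIN_PASSWORD_LENGTH = 10  # assumed baseline for 'security passwords min-length'

# Constructed sample running-config with several weaknesses on purpose
# (the secret hashes are placeholders, not real hashes).
SAMPLE_CONFIG = """\
hostname R1
no service password-encryption
security passwords min-length 6
enable secret 9 $9$PLACEHOLDERHASH
username admin privilege 15 secret 9 $9$PLACEHOLDERHASH
ip domain-name lab.example
ip ssh version 1
login on-failure log
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet ssh
line vty 5 15
 exec-timeout 10 0
 login local
 transport input ssh
"""

def split_blocks(config):
    """Return (global lines, {block header: [indented lines]}) for IOS config text."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        current = None
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("line ", "interface ")):
            current = line
            blocks[current] = []
        else:
            global_lines.append(line)
    return global_lines, blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    g, blocks = split_blocks(config)
    findings = []
    if "service password-encryption" not in g:
        findings.append("service password-encryption is not enabled")
    lengths = [int(x) for l in g for x in re.findall(r"^security passwords min-length (\d+)$", l)]
    if not lengths or lengths[0] < MIN_PASSWORD_LENGTH:
        findings.append(f"security passwords min-length is missing or below {MIN_PASSWORD_LENGTH}")
    if not any(l.startswith("enable secret") for l in g):
        findings.append("no enable secret configured")
    if "ip ssh version 2" not in g:
        findings.append("ip ssh version 2 is not set")
    if "login on-failure log" not in g:
        findings.append("login on-failure log is not enabled")
    if "secure boot-config" not in g:
        findings.append("secure boot-config (resilient configuration) is not enabled")
    for header, lines in blocks.items():
        if not header.startswith("line vty"):
            continue
        transport = [l for l in lines if l.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(f"{header}: transport input is not restricted to ssh")
        if not any(l.startswith("login") for l in lines):
            findings.append(f"{header}: no login method configured")
        if "exec-timeout 0 0" in lines:
            findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```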
Intrusion Prevention System (IPS)
Create the IPS folder on flash to copy the IPS signature packages into. The public key used to verify the signatures must also be stored on the router.
Basic IPS configuration
Router# mkdir [word]
Insert the crypto key:
(config) crypto key pubkey-chain rsa
(config-pubkey-chain) named-key realm-cisco.pub signature
(config-pubkey-key) key-string
(config-pubkey) [paste the key]
Create the rule with a name and the config location:
(config) ip ips name [word] list [ACL name or num]
(config) ip ips config location flash:[dir name]
Enable SDEE notifications and logging to syslog:
(config) ip http server
(config) ip ips notify sdee
(config) ip ips notify log
(config) service timestamps log datetime msec
(config) logging host [address]
Signatures
Depending on the available RAM on the router, it may not be able to load all the signatures at once. Use the retired function to leave those out:
(config) ip ips signature-category
(config-ips-category) category all
(config-ips-category-action) retired true
(config-ips-category-action) exit
(config-ips-category) category ios_ips basic
(config-ips-category-action) retired false
Apply IPS rule to interface
(config) interface [interface]
(config-if) ip ips [rule name, e.g. iosips] [in | out]
Load signatures from download
Make sure that a valid TFTP server is running and hosts the downloaded package file:
Router# copy tftp://[tftp server]/[package file].pkg idconf
Modify signatures
Re-enable specific retired signatures:
(config) ip ips signature-definition
(config-sigdef) signature [signature id] [subsignature id]
(config-sigdef-sig) status
(config-sigdef-sig-status) retired false
(config-sigdef-sig-status) enabled true
(config-sigdef-sig-status) exit
(config-sigdef-sig) engine
(config-sigdef-sig-engine) event-action deny-packet-inline
(config-sigdef-sig-engine) event-action produce-alert
(config-sigdef-sig-engine) event-action reset-tcp-connection
Site-To-Site VPN
Internet Key Exchange (IKE) with IPsec
IKE negotiates the security protocols and encryption algorithms. IKE must first be enabled as a service with a command before it can be used, and a policy is needed to determine the authentication and encryption. Remember that this should be identical on both ends to establish the communication.
IKE Phase 1: exchange keys
IKE Phase 2: peers exchange IPsec policies for authentication and encryption of data traffic
(config) crypto isakmp enable
(config) crypto isakmp policy [num (priority)]
(config-isakmp) hash [algorithm]
(config-isakmp) authentication pre-share
(config-isakmp) group [Diffie-Hellman group]
(config-isakmp) lifetime [sec]
(config-isakmp) encryption [algorithm] [key-length]
Configure the pre-shared keys on each router. The keys must match on both sides, and each points to the other router's IP address for the authentication:
(config) crypto isakmp key [word] address [peer IP address]
Set the IPsec transform set, the algorithms to negotiate; two types are used, one for encryption and one for hashing:
(config) crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
Change the default lifetime of 3600 sec after which the security association is renewed and re-exchanged:
(config) crypto ipsec security-association lifetime seconds [num]
Define the interesting traffic with an ACL; traffic matching it starts the encryption between the peers. This is done on both sides; remember to invert source and destination on the other side:
(config) access-list [extended num] permit ip [source] [wildcard] [destination] [wildcard]
Create and apply a crypto map that matches the access-list. This tells the interface which traffic to match for the peer:
(config) crypto map [word] [seq num] ipsec-isakmp
(config-crypto-map) match address [access-list num]
(config-crypto-map) set peer [peer address]
(config-crypto-map) set pfs [Diffie-Hellman group]
(config-crypto-map) set transform-set [word or num]
(config-crypto-map) set security-association lifetime seconds [num]
Now the crypto map is applied on the interface:
(config-if) crypto map [crypto map name]
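An added example, not part of the original notes: Python that builds the mirrored crypto ACL the other peer needs and compares the two routers' phase-1 policy, transform set, pre-shared key and peer addresses, since the notes say these must match on both ends. The router settings R1 and R2 are constructed (placeholder key, documentation addresses), with two deliberate mismatches.

```python
import re

# Simple crypto ACL line of the form used in the notes:
# access-list <num> permit ip <src> <wildcard> <dst> <wildcard>
ACL_RE = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_crypto_acl(acl_line):
    """Return (number, src, src_wildcard, dst, dst_wildcard) for a simple permit ip ACL line."""
    m = ACL_RE.match(acl_line.strip())
    if not m:
        raise ValueError(f"not a simple 'permit ip' crypto ACL: {acl_line}")
    return m.groups()

def mirror_acl(acl_line):
    """Return the ACL line the other peer needs: source and destination swapped."""
    num, src, swc, dst, dwc = parse_crypto_acl(acl_line)
    return f"access-list {num} permit ip {dst} {dwc} {src} {swc}"

PHASE1_FIELDS = ("encryption", "hash", "authentication", "group", "lifetime")

def compare_peers(a, b):
    """Return a list of mismatches between two peers' tunnel settings (empty if consistent)."""
    issues = []
    for f in PHASE1_FIELDS:
        if a["isakmp"].get(f) != b["isakmp"].get(f):
            issues.append(f"isakmp {f} differs: {a['isakmp'].get(f)!r} vs {b['isakmp'].get(f)!r}")
    if a["transform_set"] != b["transform_set"]:
        issues.append(f"transform-set differs: {a['transform_set']} vs {b['transform_set']}")
    if a["psk"] != b["psk"]:
        issues.append("pre-shared keys differ")
    if a["peer"] != b["local_ip"] or b["peer"] != a["local_ip"]:
        issues.append("'set peer' / 'crypto isakmp key ... address' do not point at each other")
    # Compare the ACLs without their numbers: the number may differ per router.
    if parse_crypto_acl(b["crypto_acl"])[1:] != parse_crypto_acl(mirror_acl(a["crypto_acl"]))[1:]:
        issues.append("crypto ACLs are not mirror images of each other")
    return issues

# Constructed sample: R2 uses a different hash and copied R1's ACL without inverting it.
R1 = {
    "local_ip": "203.0.113.1", "peer": "203.0.113.2", "psk": "EXAMPLE-PSK-PLACEHOLDER",
    "isakmp": {"encryption": "aes 256", "hash": "sha256", "authentication": "pre-share",
               "group": "14", "lifetime": "3600"},
    "transform_set": ("esp-aes 256", "esp-sha-hmac"),
    "crypto_acl": "access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
}
R2 = {
    "local_ip": "203.0.113.2", "peer": "203.0.113.1", "psk": "EXAMPLE-PSK-PLACEHOLDER",
    "isakmp": {"encryption": "aes 256", "hash": "sha", "authentication": "pre-share",
               "group": "14", "lifetime": "3600"},
    "transform_set": ("esp-aes 256", "esp-sha-hmac"),
    "crypto_acl": "access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
}

if __name__ == "__main__":
    for issue in compare_peers(R1, R2):
        print("MISMATCH:", issue)
    print("ACL R2 needs (renumber as required):", mirror_acl(R1["crypto_acl"]))
```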
ASA with ASDM
Before the firewall can be configured via ASDM, the management interface must be initiated from the console to allow clients to access ASDM. The ASA box is locked down by default.
Management interface
(config) interface vlan [num]
(config-if) nameif inside
(config-if) ip address [network] [subnet]
(config-if) security-level 100
(config) interface [interface]
(config-if) no shutdown
Configure the outside interface (the WAN interface):
(config) interface vlan [num]
(config-if) nameif outside
(config-if) ip address [network] [subnet]
(config-if) security-level 0
(config) interface [interface]
(config-if) no shutdown
Apply the VLAN to the outside interface:
(config) interface [interface]
(config-if) switchport access vlan [num]
(config-if) no shutdown
Enable the HTTP service with access
(config) http server enable
(config) http [network] [subnet] [interface]
Configure the ASA with ASDM GUI interface
Run the different wizards to configure the ASA.
Configure basic settings: Configuration > Device Setup > Startup Wizard >
Modify existing configuration >
Configure hostname, domain name, privileged password >
Configure inside/outside interfaces and VLANs >
Configure DHCP >
Configure PAT >
Configure access types >
Summary: read before accepting the config
Apply
Clock
Configuration > Device Setup > System Time > Clock
Static routes: Configuration > Device Setup > Routing > Static Routes >
Add >
Configure: select interface; quad zero is any; gateway
Apply
AAA user authentication: Configuration > Device Management > Users/AAA > User Accounts >
Configure: Add username, password, privilege >
Apply
AAA user access
Configuration > Device Management > Users/AAA > AAA Access > Authentication >
Configure: authentication to server group
Apply
Firewall policy: Configuration > Firewall > Service Policy Rules >
Configure default inspection > Rule Action: choose the protocol to inspect
DMZ with ACLs
Configuration > Device Setup > Interface Settings > Interfaces >
Configure: Add > select interface > security-level, VLAN, network
Configure: edit the VLAN if the default 12 is set
Configure: from the console, change the security-level on the interface
Configure: block traffic between VLANs in the Advanced tab
Apply
Configuration > Firewall > Public Servers >
Configure: Add > private interface, private network (ellipsis button), private service (ellipsis button), public network
Apply
Verify rules: Configuration > Firewall > Access Rules
DMZ with static NAT
OSPF
Initiate OSPF followed by the process ID number to use; this must be the same ID number on all machines.
Initiate OSPF configuration
(config) router ospf [num]
Networks to advertise to neighbors; remember the area number:
(config-router) network [network] [wildcard mask] area [num]
(config-router) passive-interface [interface]
Securing OSPF with authentication
Authenticating OSPF makes it harder for a router that might be malicious to join the control plane and insert routes into the routing tables. This should be applied to every interface with neighbors so that they authenticate.
Configure a key chain to use:
(config) key chain [word]
(config-keychain) key 1
Set the authentication key-string to use:
(config-keychain-key) key-string [password]
(config-keychain-key) cryptographic-algorithm [algorithm]
Apply the key chain to an interface with a neighbor:
(config-if) ip ospf authentication key-chain [word]
Zone-Based Policy Firewall (ZPF) Start creating the zoneacutes to be used This should be represented by the
interfaces that it should apply to
Create a zone by giving it a name
(config) zone security [zone name]
(config-int) zone-member security [zone name
Use class-mapacutes to define what kind of traffic to inspect Match multiple
protocols inside one class-map It is also possible to nest class-mapacutes
(config) class-map type inspect match-any [class-map name]
(config-cmap) match protocol [protocol]
Use policy-mapacutes to take action on the traffic that is match from the class-map Inspect is used to also allow
dynamic return of the traffic Drop and pass can also be used
(config) policy-map type inspect [policy-map name]
(config-pmap) class type inspect [class-map name]
(config-pmap-c) inspect
Now the policy is needed to be paired with the zone If the zone is not
paired there is no traffic coming through
(config) zone-pair security [zone-pair name] source [zone name]
destination [zone name]
Now apply the policy to actively be used on this zone-pair
(config-sec-zone-pair) service-policy type inspect [policy-map name]
zone (zone-pair)
zone (zone-pair)
Zone
Policy-map
Class-map
12 | P a g e
SNMP To configure SNMP an ACL must be used containing the hosts that are allowed to connect for more secure
SNMP
(config) ip access-list standard [word]
(config-std-nacl) permit [network] [wildcard]
Configure the SNMP server witch MIB view read
(config) snmp-server view [word] [MIB] [include ndash exclude]
Configure SNMP group with version SNMPv3
(config) snmp-server group [word] [version] [security-level] [view thatrsquos
created] access [ACL]
Create user and associate with the group
(config) snmp-server user [word (username)] [groupname] [snmp version]
auth sha [password] priv [algorithm] [key-length] [password]
Router services and configuration
SCP service (config) ip scp server enabled
Copy
Router copy [mode][source][file] [destination]
Clock Router clock set HHMMSS MMM DD YYYY
NTP with authentication Setup and NTP server master
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp master [stratum-number (master is 3)]
Configure NTP on clients it needs to use the same key and password from the
master NTP server to authenticate
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp server [NTP master]
(config) ntp update-calendar
Router clock update-calendar
13 | P a g e
Syslog server Use a syslog server to log everything Setup timestamps to stamp the log There are different logging traps to
use
Turn on timestamps for the log
(config) service timestamps log datetime msec
Point to the syslog server
(config) logging host [destination address]
Define the logging level severity
(config) logging trap [severity]
Severity Level Keyword Meaning
0 emergencies System is unusable
1 alerts Immediate action required
2 critical Critical conditions
3 errors Error conditions
4 warnings Warning conditions
5 notifications Normal but significant condition
6 informational Informational messages
7 debugging Debugging messages
Logging (config) login on-failure log
(config) login on-succeed log
14 | P a g e
Debug commands
Miscellanies Show flash (show whats on the flash drive)
OSPF show ip ospf neighbor (check to see if there is any adjacent between neighbors)
show ip ospf neighbor summary (show ospf processes)
show ip ospf interface [interface] (show detailed information )
show ip route (check known routes is learned by OSPF pathacutes)
clear ip ospf redistribution (clear out the learned database)
debug ip ospf hello
IKE IPsec CRYPTO show crypto isakmp policy (shows the information on exchange configuration)
show crypto ipsec transform-set (show the tunnel and transport negotiation)
show crypto map (show the crypto map that applies to the current router)
show crypto ipsec sa (verify the associations and packet through the tunnel)
debug crypto ipsec
Resilience show secure bootset (shows archived files)
show flash (show flash directory)
SNMP show snmp group (verify snmp)
show snmp user (view snmp users created)
Time and date NTP show clock (view clock and date settings)
show ntp associations
debug ntp all
Syslog Logging show logging (view the logging settings this includes the logging to server)
Zone-Based Policy Firewall show zone-pair security (view the zone pairs that are made)
show policy-map type inspect zone-pair (detail view ond packets and zone pairs applied)
show zone security (show all the interfaces that is member of a zone)
15 | P a g e
Switch show spanning-tree (see if bidge is root)
show running-config (look on interface configuration)
show spanning-tree summary
show spanning-tree inconsistentports
show port-security
show port-security address
ASA Firewall show interface ip brief (show basic interface states)
Tools gt Packet Tracer
Reset the ASA
configure factory-default
write erase
reload
Intrusion prevention system (IPS) show ip ips signature count (shows the signature counts loaded enabled and retired) error message ldquoIPS-3-INVALID_DIGITAL_SIGNATURE Invalid Digital Signature found (key not found)rdquo check the crypto key
Secure Boot show secure bootset
5 | P a g e
Line security (config-line) privilege level 15
(config-line) login local [set password if only login]
(config-line) exec-timeoute [min] [sec]
(config-line) logging synchronous (not security just nice)
Password security (config) service password-encryption
(config) security password min-length [num]
(config) enable algorithm-type scrypt secret [word]
(config) username [word] algorihm-type scrypt secret [word]
MOTD (config) banner [login ndash motd ndashexec] $ [TEXT] $
SSH security To setup SSH it needs to have a domain name for use in a certificate that needs to be generated Both needs to
be preformed before SSH can be used as a shell login Also line configuration needs to be made
(config) ip domain-name [domain]
(config) crypto key generate rsa general-key modulus [key length]
(config) ip ssh version [version num]
(config) ip ssh authentication-retries [num]
(config) ip ssh time-out [sec]
VTY lines transport to SSH
(config-line) transport input ssh
Secure Boot Resilience Creates a partition and secures the config and boot files
(config) secure boot-config
6 | P a g e
Intrusion Prevention System (IPS) Create the IPS folder to copy the IPS signature packages inside it Also
the digital certificate needs to be stored on the flash disk
Basic IPS configuration Router mkdir [word]
(config) [insert the crypto key]
(config) crypt key pubkey-chain rsa
(config-pubkey-chain) named-key realm-ciscopub signature
Create the rule with name and location
(config) ip ips name [word] list [wordnum]
(config) ip ips config location flash[dir name]
Enable SDEE notifications to syslog
(config) ip http server
(config) ip ips notify sdee
(config) ip ips notify log
(config) service timestamps log datetime msec
(config) logging [to host address]
Signatures Depending on the availliable RAM on the router the signatures might not be able to load them all at one Use
the retired function to not load these one
(config) ip ips signature-category
(config-ips-category) category all
(config-ips-category-action) retired true
(config-ips-category-action) exit
(config-ips-category) category ios_ips basic
(config-ips-category-action) retired false
Apply IPS Rule to interface
(config) interface [interface]
(config-if) ip ips iosips [in out]
Load signatures from download Make sure that a vaild tftp server is running and hosts the package file downloaded
Router copy ftp[tftpserver][packagefile]pkg idconf
7 | P a g e
Modify signatures Re enable retired specific signatures
(config) ip ips signature-definition
(config-sigdef) signature [num] [num]
(config-sigdef-sig) status
(config-sigdef-sig-status) enabled true
(config-sigdef-sig) engine
(config-sigdef-sig-engine) event-action deny-packet-inline
(config-sigdef-sig-engine) event-action produce-alert
(config-sigdef-sig-engine) event-action reset-tcp-connection
Site-To-Site VPN
Internet Key Exchange (IKE) With IPsec Allows exchange of security protocols and encryption algorithms IKE must be enabled as a service first by
issuing a command before it can be used Also and policy is needed to detriment the auth and encryption
Remember that this should be identical on both end to establish the communication
IKE Phase 1 ndash exchange keys
IKE Phase 2 ndash peers exchange IPsec policies for authentication and encryption of data traffic
(config) crypto isakmp enable
(config) crypto isakmp policy [num (priority)]
(config-isakmp) hash [algorithm]
(config-isakmp) authentication pre-share
(config-isakmp) group [Diffie-Hellman group]
(config-isakmp) lifetime [sec]
(config-isakmp) encryption [algorithm] [key-length]
Configure pre-shared keys to match each router These keys must math on both and point to each otherrsquos IP
address to make the authentication
(config) crypto isakmp [word] address [point to reach]
Set the IPsec negotiation of algorithm to use 2 types is used to hash
(config) crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
Change the default lifetime of 3600sec of the association to be renewed and
exchanged
(config) crypto ipsec security-association lifetime seconds [num]
Define what the interesting traffic is with an ACL this will initiate the
encryption between peers to start and send the traffic This is done on
both side Remember to invert on the other side
(config) access-list [extended num] permit ip [source] [wildcard]
[destination] [wildcard]
8 | P a g e
Create a and apply a crypto map to match the access-list This tells the interface to the peer witch traffic to
match from
(config) crypto map [word] [seq num] ipsec-isakmp
(config-crypto-map) match address [access-list num]
(config-crypto-map) set peer [destination of peer address]
(config-crypto-map) set pfs [Diffie-Hellman group]
(config-crypto-map) set transform-set [wordnum]
(config-crypto-map) set security-association lifetime seconds [num]
Now the crypto map is to be applied on the interface
(config-if) crypto map [crypto map name]
ASA with ASDM Before the firewall can be configured via the ASDM the management It must be imitated to be allow clients to
access ASDM via the console The ASA box is locked down doing so by default
Management interface (config) interface vlan [num]
(config-if) nameif insde
(config-if) ip address [network] [subnet]
(config-if) security-level 100
(config) interface [interface]
(config-if) no shutdown
Configure the outside interface The WAN interface
(config) interface vlan [num]
(config-if) nameif outside
(config-if) ip address [network] [subnet]
(config-if) security-level 0
(config) interface [interface]
(config-if) no shutdown
Apply the vlan to the interface of outside
(config) interface [interface]
(config-if) switchport access vlan [num
(config-if) no shutdown
Enable the HTTP service with access (config) http server enable
(config) http [network] [subnet] [interface]
9 | P a g e
Configure the ASA with ASDM GUI interface Running different wizards to configure the ASA
Configure basic settings Configuration gt Device Setup gt Startup Wizardgt
Modify exsting configurationgt
Configure hostname domain name privileged password gt
Configure inside outside interfaces and VLANs gt
Configure DHCP gt
Configure PAT gt
Configure Access types gt
Summary Read before accept of config
Apply
Clock
Configuration gt Device Setup gt System Time gt Clock
Static routes Configuration gt Device Setup gt Routing gt Static Routes gt
Addgt
Configure Select interface quad zero is any gateway
Apply
AAA user authentication Configuration gt Device Management gt UsersAAAgt User Accountsgt
Configure Add Username password privilegedgt
Apply
AAA user access
Configuration gt Device Management gt UsersAAA gt AAA Access gt Authenticationgt
Configure Authentication to server group
Apply
Firewall policy Configuration gt Firewall gt Service Policy Rulesgt
Configure default inspection gt Rule Action chose the protocol to inspect
DMZ with ACLs
Configuration gt Device Setup gt Interface Settings gt Interfacesgt
Configure Addgt Select interface gt Security-level vlan network
Configure Edit the vlan if default 12 is set
Configure console in change the security-level on interface
Configure block traffic between VLANs in advanced tab
Apply
Configuration gt Firewall gt Public Serversgt
Configure Add gt Private interface private network(elipe) private service (elipe) public network
Apply
Verify rules Configuration gt Firewall gt Access Rules
DMZ with static NAT
10 | P a g e
OSPF Initiate OSPF followed with the ID number to use this must be the same ID number around all machines
Initiate OSPF configuration (config) router ospf [num]
Networks to transfer to neighbors Remember area number
(config-router) network [network] [wildcard mask] area [num]
(config-router) passive-interface [interface]
Securing OSPF with authentication Securing OSPF protocol makes it more secure to not join routing tables in the control plane that might be
malicious This should be applied to every interface with neighbors to form authentication
Configure a key chain to use
(config) key chain [word]
(config-keychain) key 1
Set the authentication key-string to use
(config-keychain-key) key-string [password]
(config-keychain-key) cryptographic-algorithm [algorithm]
Apply the key chain to and interface with neighbor
(config-int) ip ospf authentication key-chain [word]
11 | P a g e
Zone-Based Policy Firewall (ZPF) Start creating the zoneacutes to be used This should be represented by the
interfaces that it should apply to
Create a zone by giving it a name
(config) zone security [zone name]
(config-int) zone-member security [zone name
Use class-mapacutes to define what kind of traffic to inspect Match multiple
protocols inside one class-map It is also possible to nest class-mapacutes
(config) class-map type inspect match-any [class-map name]
(config-cmap) match protocol [protocol]
Use policy-mapacutes to take action on the traffic that is match from the class-map Inspect is used to also allow
dynamic return of the traffic Drop and pass can also be used
(config) policy-map type inspect [policy-map name]
(config-pmap) class type inspect [class-map name]
(config-pmap-c) inspect
Now the policy is needed to be paired with the zone If the zone is not
paired there is no traffic coming through
(config) zone-pair security [zone-pair name] source [zone name]
destination [zone name]
Now apply the policy to actively be used on this zone-pair
(config-sec-zone-pair) service-policy type inspect [policy-map name]
zone (zone-pair)
zone (zone-pair)
Zone
Policy-map
Class-map
12 | P a g e
SNMP To configure SNMP an ACL must be used containing the hosts that are allowed to connect for more secure
SNMP
(config) ip access-list standard [word]
(config-std-nacl) permit [network] [wildcard]
Configure the SNMP server witch MIB view read
(config) snmp-server view [word] [MIB] [include ndash exclude]
Configure SNMP group with version SNMPv3
(config) snmp-server group [word] [version] [security-level] [view thatrsquos
created] access [ACL]
Create user and associate with the group
(config) snmp-server user [word (username)] [groupname] [snmp version]
auth sha [password] priv [algorithm] [key-length] [password]
Router services and configuration
SCP service (config) ip scp server enabled
Copy
Router copy [mode][source][file] [destination]
Clock Router clock set HHMMSS MMM DD YYYY
NTP with authentication Setup and NTP server master
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp master [stratum-number (master is 3)]
Configure NTP on clients it needs to use the same key and password from the
master NTP server to authenticate
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp server [NTP master]
(config) ntp update-calendar
Router clock update-calendar
13 | P a g e
Syslog server Use a syslog server to log everything Setup timestamps to stamp the log There are different logging traps to
use
Turn on timestamps for the log
(config) service timestamps log datetime msec
Point to the syslog server
(config) logging host [destination address]
Define the logging level severity
(config) logging trap [severity]
Severity Level Keyword Meaning
0 emergencies System is unusable
1 alerts Immediate action required
2 critical Critical conditions
3 errors Error conditions
4 warnings Warning conditions
5 notifications Normal but significant condition
6 informational Informational messages
7 debugging Debugging messages
Logging (config) login on-failure log
(config) login on-succeed log
14 | P a g e
Debug commands
Miscellanies Show flash (show whats on the flash drive)
OSPF show ip ospf neighbor (check to see if there is any adjacent between neighbors)
show ip ospf neighbor summary (show ospf processes)
show ip ospf interface [interface] (show detailed information )
show ip route (check known routes is learned by OSPF pathacutes)
clear ip ospf redistribution (clear out the learned database)
debug ip ospf hello
IKE IPsec CRYPTO show crypto isakmp policy (shows the information on exchange configuration)
show crypto ipsec transform-set (show the tunnel and transport negotiation)
show crypto map (show the crypto map that applies to the current router)
show crypto ipsec sa (verify the associations and packet through the tunnel)
debug crypto ipsec
Resilience show secure bootset (shows archived files)
show flash (show flash directory)
SNMP show snmp group (verify snmp)
show snmp user (view snmp users created)
Time and date NTP show clock (view clock and date settings)
show ntp associations
debug ntp all
Syslog Logging show logging (view the logging settings this includes the logging to server)
Zone-Based Policy Firewall show zone-pair security (view the zone pairs that are made)
show policy-map type inspect zone-pair (detail view ond packets and zone pairs applied)
show zone security (show all the interfaces that is member of a zone)
15 | P a g e
Switch show spanning-tree (see if bidge is root)
show running-config (look on interface configuration)
show spanning-tree summary
show spanning-tree inconsistentports
show port-security
show port-security address
ASA Firewall show interface ip brief (show basic interface states)
Tools gt Packet Tracer
Reset the ASA
configure factory-default
write erase
reload
Intrusion prevention system (IPS) show ip ips signature count (shows the signature counts loaded enabled and retired) error message ldquoIPS-3-INVALID_DIGITAL_SIGNATURE Invalid Digital Signature found (key not found)rdquo check the crypto key
Secure Boot show secure bootset
6 | P a g e
Intrusion Prevention System (IPS)
Create the IPS folder that the IPS signature packages are copied into. The digital certificate (Cisco public key) also needs to be stored on the flash disk.
Basic IPS configuration
Router mkdir [word]
Insert the Cisco public key; it begins with the following commands
(config) crypto key pubkey-chain rsa
(config-pubkey-chain) named-key realm-cisco.pub signature
(config-pubkey-key) key-string
(config-pubkey) [paste the public key hex]
(config-pubkey) quit
Create the rule with a name and the signature location
(config) ip ips name [word] list [ACL name/num]
(config) ip ips config location flash:[dir name]
Enable SDEE notifications and logging to syslog
(config) ip http server
(config) ip ips notify sdee
(config) ip ips notify log
(config) service timestamps log datetime msec
(config) logging [host address]
Signatures
Depending on the available RAM on the router, the signatures might not all be able to load at once. Use the retired function so that those are not loaded.
(config) ip ips signature-category
(config-ips-category) category all
(config-ips-category-action) retired true
(config-ips-category-action) exit
(config-ips-category) category ios_ips basic
(config-ips-category-action) retired false
Apply IPS rule to interface
(config) interface [interface]
(config-if) ip ips [word (rule name)] [in | out]
Load signatures from download
Make sure that a valid TFTP server is running and hosts the downloaded package file.
Router copy tftp://[tftp server]/[package file].pkg idconf
7 | P a g e
Modify signatures
Re-enable specific retired signatures
(config) ip ips signature-definition
(config-sigdef) signature [signature id] [subsignature id]
(config-sigdef-sig) status
(config-sigdef-sig-status) enabled true
(config-sigdef-sig-status) retired false
(config-sigdef-sig-status) exit
(config-sigdef-sig) engine
(config-sigdef-sig-engine) event-action deny-packet-inline
(config-sigdef-sig-engine) event-action produce-alert
(config-sigdef-sig-engine) event-action reset-tcp-connection
Site-To-Site VPN
Internet Key Exchange (IKE) with IPsec
IKE lets the peers negotiate the security protocols and encryption algorithms. IKE must be enabled as a service first, by issuing a command, before it can be used. A policy is also needed to determine the authentication and encryption; remember that this must be identical on both ends to establish the communication.
IKE Phase 1 - exchange keys (the ISAKMP security association)
IKE Phase 2 - the peers exchange IPsec policies for authentication and encryption of the data traffic
(config) crypto isakmp enable
(config) crypto isakmp policy [num (priority)]
(config-isakmp) hash [algorithm]
(config-isakmp) authentication pre-share
(config-isakmp) group [Diffie-Hellman group]
(config-isakmp) lifetime [sec]
(config-isakmp) encryption [algorithm] [key-length]
Configure pre-shared keys on each router. These keys must match on both sides, and each must point to the other side's IP address for the authentication to succeed.
(config) crypto isakmp key [word] address [peer IP address]
Set the IPsec transform set, the algorithms to negotiate. Two transforms are used here: esp-aes 256 for encryption and esp-sha-hmac for the hash.
(config) crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
Change the default lifetime of 3600 sec after which the security association is renewed and keys are re-exchanged
(config) crypto ipsec security-association lifetime seconds [num]
Define what the interesting traffic is with an ACL; this traffic starts the encryption between the peers. This is done on both sides; remember to invert source and destination on the other side.
(config) access-list [extended num] permit ip [source] [wildcard] [destination] [wildcard]
8 | P a g e
Create and apply a crypto map that matches the access-list. This tells the interface which traffic is matched and sent to the peer.
(config) crypto map [word] [seq num] ipsec-isakmp
(config-crypto-map) match address [access-list num]
(config-crypto-map) set peer [peer address]
(config-crypto-map) set pfs [Diffie-Hellman group]
(config-crypto-map) set transform-set [word/num]
(config-crypto-map) set security-association lifetime seconds [num]
Now the crypto map is applied on the interface
(config) interface [interface]
(config-if) crypto map [crypto map name]
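As an added example (not part of the original notes), a small Python checker that reads two routers' running-configs and reports the things the section above says must agree: the ISAKMP policy, a pre-shared key for the peer address that is equal on both ends, the transform set, and a crypto ACL that is the inverse of the other side's. The configs, names, addresses and key below are constructed.

```python
"""Cross-check both ends of an IOS site-to-site IPsec VPN.

Added example, not from the original notes. It parses the relevant commands
from two (constructed) running-configs and reports what the notes say must
agree: the ISAKMP policy, a pre-shared key for the peer address that is equal
on both sides, the transform set, and a crypto ACL that is the mirror image
(source/destination inverted) of the other side's.
"""
import re

POLICY_PARAMS = ("encryption", "hash", "authentication", "group", "lifetime")


def parse_vpn(config: str) -> dict:
    """Pull the VPN-relevant commands out of an IOS running-config.
    Sub-mode commands are recognised by their leading space, as IOS prints them."""
    info = {"policy": {}, "psk": {}, "transform": None, "acl": [], "peer": None}
    mode = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):            # top-level command: leaves any sub-mode
            mode = None
            if line.startswith("crypto isakmp policy"):
                mode = "policy"
            elif line.startswith("crypto map ") and line.endswith("ipsec-isakmp"):
                mode = "map"
            elif (m := re.match(r"crypto isakmp key (\S+) address (\S+)", line)):
                info["psk"][m.group(2)] = m.group(1)
            elif (m := re.match(r"crypto ipsec transform-set \S+ (.+)", line)):
                info["transform"] = m.group(1)
            elif (m := re.match(r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", line)):
                info["acl"].append((m.group(1), m.group(2)))
            continue
        words = line.split()
        if mode == "policy" and words[0] in POLICY_PARAMS:
            info["policy"][words[0]] = " ".join(words[1:])
        elif mode == "map" and line.startswith("set peer "):
            info["peer"] = words[2]
    return info


def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Compare the two ends; returns a list of mismatches, empty when consistent."""
    a, b = parse_vpn(cfg_a), parse_vpn(cfg_b)
    findings = []
    for param in POLICY_PARAMS:
        if a["policy"].get(param) != b["policy"].get(param):
            findings.append(f"isakmp policy {param}: {a['policy'].get(param)} vs {b['policy'].get(param)}")
    # Each side must hold a key for the address it peers with, and both keys must be equal
    key_a, key_b = a["psk"].get(a["peer"]), b["psk"].get(b["peer"])
    if key_a is None or key_b is None or key_a != key_b:
        findings.append("pre-shared key missing for the peer address or not equal on both sides")
    if a["transform"] != b["transform"]:
        findings.append(f"transform-set: {a['transform']} vs {b['transform']}")
    # The other side's crypto ACL must be this side's with source and destination swapped
    mirrored = [(dst, src) for src, dst in a["acl"]]
    if mirrored != b["acl"]:
        findings.append(f"access-list not inverted on the other side: {b['acl']} vs expected {mirrored}")
    return findings


# Constructed configs (hypothetical router addresses, names and key)
R1_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key cisco123 address 10.2.2.2
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.2.2.2
 set transform-set 50
 match address 110
"""

# The correct other end: key and peer point back at R1, ACL inverted
R2_CONFIG = R1_CONFIG.replace("address 10.2.2.2", "address 10.1.1.1") \
    .replace("set peer 10.2.2.2", "set peer 10.1.1.1") \
    .replace("192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255",
             "192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255")

# A misconfigured other end: different DH group and the crypto ACL copied without inverting it
R2_BAD_CONFIG = R1_CONFIG.replace("address 10.2.2.2", "address 10.1.1.1") \
    .replace("set peer 10.2.2.2", "set peer 10.1.1.1") \
    .replace(" group 14", " group 5")

if __name__ == "__main__":
    print("R1 <-> R2:", check_pair(R1_CONFIG, R2_CONFIG) or "consistent")
    for finding in check_pair(R1_CONFIG, R2_BAD_CONFIG):
        print("R1 <-> R2 (bad):", finding)
```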
ASA with ASDM
Before the firewall can be configured via ASDM, the management interface must be initiated from the console so that clients are allowed to access ASDM. By default the ASA box is locked down.
Management interface
(config) interface vlan [num]
(config-if) nameif inside
(config-if) ip address [network] [subnet]
(config-if) security-level 100
(config) interface [interface]
(config-if) no shutdown
Configure the outside interface (the WAN interface)
(config) interface vlan [num]
(config-if) nameif outside
(config-if) ip address [network] [subnet]
(config-if) security-level 0
(config) interface [interface]
(config-if) no shutdown
Apply the outside VLAN to the physical interface
(config) interface [interface]
(config-if) switchport access vlan [num]
(config-if) no shutdown
Enable the HTTP service with access
(config) http server enable
(config) http [network] [subnet] [interface]
9 | P a g e
Configure the ASA with the ASDM GUI interface
Run the different wizards to configure the ASA.
Configure basic settings: Configuration > Device Setup > Startup Wizard >
Modify existing configuration >
Configure hostname, domain name, privileged password >
Configure inside/outside interfaces and VLANs >
Configure DHCP >
Configure PAT >
Configure access types >
Summary: read before accepting the config
Apply
Clock: Configuration > Device Setup > System Time > Clock
Static routes: Configuration > Device Setup > Routing > Static Routes >
Add >
Configure: select interface, quad zero (0.0.0.0) is any, gateway
Apply
AAA user authentication: Configuration > Device Management > Users/AAA > User Accounts >
Configure: Add > username, password, privilege >
Apply
AAA user access: Configuration > Device Management > Users/AAA > AAA Access > Authentication >
Configure: authentication to server group
Apply
Firewall policy: Configuration > Firewall > Service Policy Rules >
Configure default inspection > Rule Action: choose the protocol to inspect
DMZ with ACLs: Configuration > Device Setup > Interface Settings > Interfaces >
Configure: Add > select interface > security-level, VLAN, network
Configure: edit the VLAN if the default 12 is set
Configure: console in, change the security-level on the interface
Configure: block traffic between VLANs in the Advanced tab
Apply
Configuration > Firewall > Public Servers >
Configure: Add > private interface, private network (ellipsis button), private service (ellipsis button), public network
Apply
Verify rules: Configuration > Firewall > Access Rules
DMZ with static NAT
10 | P a g e
OSPF
Initiate OSPF followed by the ID number to use; this must be the same ID number on all machines.
Initiate OSPF configuration
(config) router ospf [num]
Networks to advertise to neighbors; remember the area number. passive-interface stops OSPF hellos on interfaces that have no neighbors.
(config-router) network [network] [wildcard mask] area [num]
(config-router) passive-interface [interface]
Securing OSPF with authentication
Authenticating OSPF makes it more secure: routes from control-plane neighbors that cannot authenticate, and might be malicious, are not joined into the routing table. This should be applied on every interface with neighbors so that they authenticate.
Configure a key chain to use
(config) key chain [word]
(config-keychain) key 1
Set the authentication key-string to use
(config-keychain-key) key-string [password]
(config-keychain-key) cryptographic-algorithm [algorithm]
Apply the key chain to an interface with a neighbor
(config) interface [interface]
(config-if) ip ospf authentication key-chain [word]
11 | P a g e
Zone-Based Policy Firewall (ZPF)
Start by creating the zones to be used. These should be represented by the interfaces they apply to.
Create a zone by giving it a name, then make interfaces members of it
(config) zone security [zone name]
(config) interface [interface]
(config-if) zone-member security [zone name]
Use class-maps to define what kind of traffic to inspect. Multiple protocols can be matched inside one class-map; it is also possible to nest class-maps.
(config) class-map type inspect match-any [class-map name]
(config-cmap) match protocol [protocol]
Use policy-maps to take action on the traffic matched by the class-map. Inspect is used to also allow the dynamic return traffic; drop and pass can also be used.
(config) policy-map type inspect [policy-map name]
(config-pmap) class type inspect [class-map name]
(config-pmap-c) inspect
Now the policy needs to be paired with the zones. If the zones are not paired, no traffic comes through.
(config) zone-pair security [zone-pair name] source [zone name] destination [zone name]
Now apply the policy so it is actively used on this zone-pair
(config-sec-zone-pair) service-policy type inspect [policy-map name]
[Diagram: two zones joined by a zone-pair; the zone-pair applies a policy-map, which references a class-map]
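To make the zone-pair, inspect/pass/drop and class-default rules above concrete, here is an added Python model of those ZPF semantics (not part of the original notes); the zone names, interfaces and addresses in it are made up.

```python
"""Toy evaluator for IOS Zone-Based Policy Firewall semantics.

Added example, not from the original notes; zone, interface and address
names are constructed. It models zone membership, zone-pairs carrying a
policy-map, match-any class-maps, and the difference between inspect
(return traffic allowed), pass (one direction only) and drop.
"""
from dataclasses import dataclass, field


@dataclass
class ClassMap:
    """class-map type inspect match-any NAME / match protocol ..."""
    name: str
    protocols: frozenset


@dataclass
class PolicyMap:
    """policy-map type inspect NAME: ordered (class-map, action) entries.
    Traffic matching no entry falls into class-default, which drops."""
    name: str
    entries: list


@dataclass
class ZPF:
    zone_of: dict = field(default_factory=dict)   # interface -> zone name
    pairs: dict = field(default_factory=dict)     # (source zone, destination zone) -> PolicyMap
    sessions: set = field(default_factory=set)    # (src zone, dst zone, src ip, dst ip) of inspected flows

    def zone_member(self, interface: str, zone: str) -> None:
        """interface X / zone-member security ZONE"""
        self.zone_of[interface] = zone

    def zone_pair(self, source: str, destination: str, policy: PolicyMap) -> None:
        """zone-pair security NAME source S destination D / service-policy type inspect P"""
        self.pairs[(source, destination)] = policy

    def evaluate(self, in_if: str, out_if: str, protocol: str, src_ip: str, dst_ip: str) -> str:
        """Return the action ('inspect', 'pass' or 'drop') taken for one packet."""
        src_zone, dst_zone = self.zone_of.get(in_if), self.zone_of.get(out_if)
        if src_zone is None and dst_zone is None:
            return "pass"          # neither interface is a zone member: ZPF does not apply
        if src_zone == dst_zone:
            return "pass"          # traffic within one zone is allowed by default
        if src_zone is None or dst_zone is None:
            return "drop"          # zone member to non-member (or back) is dropped
        if (dst_zone, src_zone, dst_ip, src_ip) in self.sessions:
            return "pass"          # return traffic of a session that was inspected
        policy = self.pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop"          # no zone-pair for this direction: nothing comes through
        for cmap, action in policy.entries:
            if protocol in cmap.protocols:
                if action == "inspect":
                    self.sessions.add((src_zone, dst_zone, src_ip, dst_ip))
                return action
        return "drop"              # implicit class-default


def build_demo() -> ZPF:
    """Constructed lab: INSIDE (g0/0) may start http/https/dns towards OUTSIDE (g0/1), inspected."""
    fw = ZPF()
    fw.zone_member("GigabitEthernet0/0", "INSIDE")
    fw.zone_member("GigabitEthernet0/1", "OUTSIDE")
    web = ClassMap("INSIDE-TO-OUTSIDE-CLASS", frozenset({"http", "https", "dns"}))
    fw.zone_pair("INSIDE", "OUTSIDE", PolicyMap("INSIDE-TO-OUTSIDE-POLICY", [(web, "inspect")]))
    return fw


if __name__ == "__main__":
    fw = build_demo()
    # outbound http is inspected, its reply passes, unsolicited inbound telnet has no zone-pair
    print(fw.evaluate("GigabitEthernet0/0", "GigabitEthernet0/1", "http", "192.168.1.10", "203.0.113.5"))
    print(fw.evaluate("GigabitEthernet0/1", "GigabitEthernet0/0", "http", "203.0.113.5", "192.168.1.10"))
    print(fw.evaluate("GigabitEthernet0/1", "GigabitEthernet0/0", "telnet", "203.0.113.9", "192.168.1.10"))
```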
12 | P a g e
SNMP
To configure SNMP more securely, an ACL must be used that contains the hosts allowed to connect.
(config) ip access-list standard [word]
(config-std-nacl) permit [network] [wildcard]
Configure the SNMP server with a MIB view to read
(config) snmp-server view [word] [MIB] [include | exclude]
Configure the SNMP group with version SNMPv3
(config) snmp-server group [word] v3 [security-level] read [view that's created] access [ACL]
Create a user and associate it with the group
(config) snmp-server user [word (username)] [groupname] v3 auth sha [password] priv [algorithm] [key-length] [password]
Router services and configuration
SCP service
(config) ip scp server enable
Copy
Router copy [mode]://[source]/[file] [destination]
Clock
Router clock set HH:MM:SS MMM DD YYYY
NTP with authentication
Set up the NTP server (master)
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp master [stratum number (master is 3)]
Configure NTP on the clients; they need to use the same key number and password as the master NTP server to authenticate
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp server [NTP master] key [num]
(config) ntp update-calendar
Router clock update-calendar
13 | P a g e
Syslog server
Use a syslog server to log everything. Set up timestamps to stamp the log. There are different logging trap levels to use.
Turn on timestamps for the log
(config) service timestamps log datetime msec
Point to the syslog server
(config) logging host [destination address]
Define the logging level (severity)
(config) logging trap [severity]
Severity level  Keyword        Meaning
0               emergencies    System is unusable
1               alerts         Immediate action required
2               critical       Critical conditions
3               errors         Error conditions
4               warnings       Warning conditions
5               notifications  Normal but significant condition
6               informational  Informational messages
7               debugging      Debugging messages
Logging
(config) login on-failure log
(config) login on-succeed log
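An added Python example (not from the original notes) that parses IOS syslog lines with the severity table above: it shows which messages a given logging trap level would forward to the server, and counts the failed-login messages produced by login on-failure log per source address. The log lines are constructed, not captured from a device.

```python
"""Parse IOS syslog lines the way a collector would, using the severity
table from these notes. Added example, not from the original notes; the
log lines below are constructed, not captured from a real device.

Shows which messages a given 'logging trap [severity]' level forwards, and
counts %SEC_LOGIN-4-LOGIN_FAILED messages (from 'login on-failure log')
per source address.
"""
import re
from collections import Counter

# Severity keywords as used by 'logging trap', from the table in the notes
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# IOS message format: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)")
SOURCE_RE = re.compile(r"\[Source:\s*([\d.]+)\]")

SAMPLE_LOG = [  # constructed lines, addresses are made up
    "*Mar  1 00:12:05.123: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 00:12:05 UTC Tue Mar 1 2016",
    "*Mar  1 00:12:09.456: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 00:12:09 UTC Tue Mar 1 2016",
    "*Mar  1 00:12:31.789: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.7] [localport: 22] at 00:12:31 UTC Tue Mar 1 2016",
    "*Mar  1 00:13:02.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.7)",
    "*Mar  1 00:14:10.222: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.100 port 514 started - CLI initiated",
    "*Mar  1 00:15:00.333: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
]


def parse_message(line: str):
    """Return (facility, severity, mnemonic, text), or None if the line is not an IOS message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), m.group(4)


def forwarded_to_server(lines, trap_keyword: str) -> list:
    """Lines that 'logging trap <keyword>' would send: severity numerically <= the trap level."""
    level = SEVERITY[trap_keyword]
    kept = []
    for line in lines:
        parsed = parse_message(line)
        if parsed and parsed[1] <= level:
            kept.append(line)
    return kept


def failed_logins_by_source(lines) -> Counter:
    """Count LOGIN_FAILED messages per source address (what 'login on-failure log' produces)."""
    counts = Counter()
    for line in lines:
        parsed = parse_message(line)
        if parsed and parsed[2] == "LOGIN_FAILED":
            src = SOURCE_RE.search(parsed[3])
            counts[src.group(1) if src else "unknown"] += 1
    return counts


if __name__ == "__main__":
    print(len(forwarded_to_server(SAMPLE_LOG, "warnings")), "lines forwarded at trap level warnings")
    print(dict(failed_logins_by_source(SAMPLE_LOG)))
```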
14 | P a g e
Debug commands
Miscellaneous
show flash (show what is on the flash drive)
OSPF
show ip ospf neighbor (check whether there is an adjacency between neighbors)
show ip ospf neighbor summary (show OSPF processes)
show ip ospf interface [interface] (show detailed information)
show ip route (check that the known routes are learned via OSPF paths)
clear ip ospf redistribution (clear out the learned database)
debug ip ospf hello
IKE IPsec CRYPTO
show crypto isakmp policy (shows the information on the exchange configuration)
show crypto ipsec transform-set (show the tunnel and transport negotiation)
show crypto map (show the crypto map that applies to the current router)
show crypto ipsec sa (verify the associations and the packets through the tunnel)
debug crypto ipsec
Resilience
show secure bootset (shows archived files)
show flash (show flash directory)
SNMP
show snmp group (verify SNMP)
show snmp user (view the SNMP users created)
Time and date NTP
show clock (view clock and date settings)
show ntp associations
debug ntp all
Syslog Logging
show logging (view the logging settings; this includes the logging to the server)
Zone-Based Policy Firewall
show zone-pair security (view the zone pairs that are made)
show policy-map type inspect zone-pair (detailed view of packets and the zone pairs applied)
show zone security (show all the interfaces that are members of a zone)
15 | P a g e
Switch
show spanning-tree (see if the bridge is root)
show running-config (look at the interface configuration)
show spanning-tree summary
show spanning-tree inconsistentports
show port-security
show port-security address
ASA Firewall
show interface ip brief (show basic interface states)
Tools > Packet Tracer
Reset the ASA
configure factory-default
write erase
reload
Intrusion prevention system (IPS)
show ip ips signature count (shows the signature counts: loaded, enabled and retired)
Error message "IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (key not found)": check the crypto key
Secure Boot
show secure bootset
7 | P a g e
Modify signatures Re enable retired specific signatures
(config) ip ips signature-definition
(config-sigdef) signature [num] [num]
(config-sigdef-sig) status
(config-sigdef-sig-status) enabled true
(config-sigdef-sig) engine
(config-sigdef-sig-engine) event-action deny-packet-inline
(config-sigdef-sig-engine) event-action produce-alert
(config-sigdef-sig-engine) event-action reset-tcp-connection
Site-To-Site VPN
Internet Key Exchange (IKE) With IPsec Allows exchange of security protocols and encryption algorithms IKE must be enabled as a service first by
issuing a command before it can be used Also and policy is needed to detriment the auth and encryption
Remember that this should be identical on both end to establish the communication
IKE Phase 1 ndash exchange keys
IKE Phase 2 ndash peers exchange IPsec policies for authentication and encryption of data traffic
(config) crypto isakmp enable
(config) crypto isakmp policy [num (priority)]
(config-isakmp) hash [algorithm]
(config-isakmp) authentication pre-share
(config-isakmp) group [Diffie-Hellman group]
(config-isakmp) lifetime [sec]
(config-isakmp) encryption [algorithm] [key-length]
Configure pre-shared keys to match each router These keys must math on both and point to each otherrsquos IP
address to make the authentication
(config) crypto isakmp [word] address [point to reach]
Set the IPsec negotiation of algorithm to use 2 types is used to hash
(config) crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
Change the default lifetime of 3600sec of the association to be renewed and
exchanged
(config) crypto ipsec security-association lifetime seconds [num]
Define what the interesting traffic is with an ACL this will initiate the
encryption between peers to start and send the traffic This is done on
both side Remember to invert on the other side
(config) access-list [extended num] permit ip [source] [wildcard]
[destination] [wildcard]
8 | P a g e
Create a and apply a crypto map to match the access-list This tells the interface to the peer witch traffic to
match from
(config) crypto map [word] [seq num] ipsec-isakmp
(config-crypto-map) match address [access-list num]
(config-crypto-map) set peer [destination of peer address]
(config-crypto-map) set pfs [Diffie-Hellman group]
(config-crypto-map) set transform-set [wordnum]
(config-crypto-map) set security-association lifetime seconds [num]
Now the crypto map is to be applied on the interface
(config-if) crypto map [crypto map name]
ASA with ASDM Before the firewall can be configured via the ASDM the management It must be imitated to be allow clients to
access ASDM via the console The ASA box is locked down doing so by default
Management interface (config) interface vlan [num]
(config-if) nameif insde
(config-if) ip address [network] [subnet]
(config-if) security-level 100
(config) interface [interface]
(config-if) no shutdown
Configure the outside interface The WAN interface
(config) interface vlan [num]
(config-if) nameif outside
(config-if) ip address [network] [subnet]
(config-if) security-level 0
(config) interface [interface]
(config-if) no shutdown
Apply the vlan to the interface of outside
(config) interface [interface]
(config-if) switchport access vlan [num
(config-if) no shutdown
Enable the HTTP service with access (config) http server enable
(config) http [network] [subnet] [interface]
9 | P a g e
Configure the ASA with ASDM GUI interface Running different wizards to configure the ASA
Configure basic settings Configuration gt Device Setup gt Startup Wizardgt
Modify exsting configurationgt
Configure hostname domain name privileged password gt
Configure inside outside interfaces and VLANs gt
Configure DHCP gt
Configure PAT gt
Configure Access types gt
Summary Read before accept of config
Apply
Clock
Configuration gt Device Setup gt System Time gt Clock
Static routes Configuration gt Device Setup gt Routing gt Static Routes gt
Addgt
Configure Select interface quad zero is any gateway
Apply
AAA user authentication Configuration gt Device Management gt UsersAAAgt User Accountsgt
Configure Add Username password privilegedgt
Apply
AAA user access
Configuration gt Device Management gt UsersAAA gt AAA Access gt Authenticationgt
Configure Authentication to server group
Apply
Firewall policy Configuration gt Firewall gt Service Policy Rulesgt
Configure default inspection gt Rule Action chose the protocol to inspect
DMZ with ACLs
Configuration gt Device Setup gt Interface Settings gt Interfacesgt
Configure Addgt Select interface gt Security-level vlan network
Configure Edit the vlan if default 12 is set
Configure console in change the security-level on interface
Configure block traffic between VLANs in advanced tab
Apply
Configuration gt Firewall gt Public Serversgt
Configure Add gt Private interface private network(elipe) private service (elipe) public network
Apply
Verify rules Configuration gt Firewall gt Access Rules
DMZ with static NAT
10 | P a g e
OSPF Initiate OSPF followed with the ID number to use this must be the same ID number around all machines
Initiate OSPF configuration (config) router ospf [num]
Networks to transfer to neighbors Remember area number
(config-router) network [network] [wildcard mask] area [num]
(config-router) passive-interface [interface]
Securing OSPF with authentication Securing OSPF protocol makes it more secure to not join routing tables in the control plane that might be
malicious This should be applied to every interface with neighbors to form authentication
Configure a key chain to use
(config) key chain [word]
(config-keychain) key 1
Set the authentication key-string to use
(config-keychain-key) key-string [password]
(config-keychain-key) cryptographic-algorithm [algorithm]
Apply the key chain to and interface with neighbor
(config-int) ip ospf authentication key-chain [word]
11 | P a g e
Zone-Based Policy Firewall (ZPF) Start creating the zoneacutes to be used This should be represented by the
interfaces that it should apply to
Create a zone by giving it a name
(config) zone security [zone name]
(config-int) zone-member security [zone name
Use class-mapacutes to define what kind of traffic to inspect Match multiple
protocols inside one class-map It is also possible to nest class-mapacutes
(config) class-map type inspect match-any [class-map name]
(config-cmap) match protocol [protocol]
Use policy-mapacutes to take action on the traffic that is match from the class-map Inspect is used to also allow
dynamic return of the traffic Drop and pass can also be used
(config) policy-map type inspect [policy-map name]
(config-pmap) class type inspect [class-map name]
(config-pmap-c) inspect
Now the policy is needed to be paired with the zone If the zone is not
paired there is no traffic coming through
(config) zone-pair security [zone-pair name] source [zone name]
destination [zone name]
Now apply the policy to actively be used on this zone-pair
(config-sec-zone-pair) service-policy type inspect [policy-map name]
zone (zone-pair)
zone (zone-pair)
Zone
Policy-map
Class-map
12 | P a g e
SNMP To configure SNMP an ACL must be used containing the hosts that are allowed to connect for more secure
SNMP
(config) ip access-list standard [word]
(config-std-nacl) permit [network] [wildcard]
Configure the SNMP server witch MIB view read
(config) snmp-server view [word] [MIB] [include ndash exclude]
Configure SNMP group with version SNMPv3
(config) snmp-server group [word] [version] [security-level] [view thatrsquos
created] access [ACL]
Create user and associate with the group
(config) snmp-server user [word (username)] [groupname] [snmp version]
auth sha [password] priv [algorithm] [key-length] [password]
Router services and configuration
SCP service (config) ip scp server enabled
Copy
Router copy [mode][source][file] [destination]
Clock Router clock set HHMMSS MMM DD YYYY
NTP with authentication Setup and NTP server master
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp master [stratum-number (master is 3)]
Configure NTP on clients it needs to use the same key and password from the
master NTP server to authenticate
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp server [NTP master]
(config) ntp update-calendar
Router clock update-calendar
13 | P a g e
Syslog server Use a syslog server to log everything Setup timestamps to stamp the log There are different logging traps to
use
Turn on timestamps for the log
(config) service timestamps log datetime msec
Point to the syslog server
(config) logging host [destination address]
Define the logging level severity
(config) logging trap [severity]
Severity Level Keyword Meaning
0 emergencies System is unusable
1 alerts Immediate action required
2 critical Critical conditions
3 errors Error conditions
4 warnings Warning conditions
5 notifications Normal but significant condition
6 informational Informational messages
7 debugging Debugging messages
Logging (config) login on-failure log
(config) login on-succeed log
14 | P a g e
Debug commands
Miscellanies Show flash (show whats on the flash drive)
OSPF show ip ospf neighbor (check to see if there is any adjacent between neighbors)
show ip ospf neighbor summary (show ospf processes)
show ip ospf interface [interface] (show detailed information )
show ip route (check known routes is learned by OSPF pathacutes)
clear ip ospf redistribution (clear out the learned database)
debug ip ospf hello
IKE IPsec CRYPTO show crypto isakmp policy (shows the information on exchange configuration)
show crypto ipsec transform-set (show the tunnel and transport negotiation)
show crypto map (show the crypto map that applies to the current router)
show crypto ipsec sa (verify the associations and packet through the tunnel)
debug crypto ipsec
Resilience show secure bootset (shows archived files)
show flash (show flash directory)
SNMP show snmp group (verify snmp)
show snmp user (view snmp users created)
Time and date NTP show clock (view clock and date settings)
show ntp associations
debug ntp all
Syslog Logging show logging (view the logging settings this includes the logging to server)
Zone-Based Policy Firewall show zone-pair security (view the zone pairs that are made)
show policy-map type inspect zone-pair (detail view ond packets and zone pairs applied)
show zone security (show all the interfaces that is member of a zone)
15 | P a g e
Switch show spanning-tree (see if bidge is root)
show running-config (look on interface configuration)
show spanning-tree summary
show spanning-tree inconsistentports
show port-security
show port-security address
ASA Firewall show interface ip brief (show basic interface states)
Tools gt Packet Tracer
Reset the ASA
configure factory-default
write erase
reload
Intrusion prevention system (IPS) show ip ips signature count (shows the signature counts loaded enabled and retired) error message ldquoIPS-3-INVALID_DIGITAL_SIGNATURE Invalid Digital Signature found (key not found)rdquo check the crypto key
Secure Boot show secure bootset
8 | P a g e
Create a and apply a crypto map to match the access-list This tells the interface to the peer witch traffic to
match from
(config) crypto map [word] [seq num] ipsec-isakmp
(config-crypto-map) match address [access-list num]
(config-crypto-map) set peer [destination of peer address]
(config-crypto-map) set pfs [Diffie-Hellman group]
(config-crypto-map) set transform-set [wordnum]
(config-crypto-map) set security-association lifetime seconds [num]
Now the crypto map is to be applied on the interface
(config-if) crypto map [crypto map name]
ASA with ASDM Before the firewall can be configured via the ASDM the management It must be imitated to be allow clients to
access ASDM via the console The ASA box is locked down doing so by default
Management interface (config) interface vlan [num]
(config-if) nameif insde
(config-if) ip address [network] [subnet]
(config-if) security-level 100
(config) interface [interface]
(config-if) no shutdown
Configure the outside interface The WAN interface
(config) interface vlan [num]
(config-if) nameif outside
(config-if) ip address [network] [subnet]
(config-if) security-level 0
(config) interface [interface]
(config-if) no shutdown
Apply the vlan to the interface of outside
(config) interface [interface]
(config-if) switchport access vlan [num
(config-if) no shutdown
Enable the HTTP service with access (config) http server enable
(config) http [network] [subnet] [interface]
9 | P a g e
Configure the ASA with ASDM GUI interface Running different wizards to configure the ASA
Configure basic settings Configuration gt Device Setup gt Startup Wizardgt
Modify exsting configurationgt
Configure hostname domain name privileged password gt
Configure inside outside interfaces and VLANs gt
Configure DHCP gt
Configure PAT gt
Configure Access types gt
Summary Read before accept of config
Apply
Clock
Configuration gt Device Setup gt System Time gt Clock
Static routes Configuration gt Device Setup gt Routing gt Static Routes gt
Addgt
Configure Select interface quad zero is any gateway
Apply
AAA user authentication Configuration gt Device Management gt UsersAAAgt User Accountsgt
Configure Add Username password privilegedgt
Apply
AAA user access
Configuration gt Device Management gt UsersAAA gt AAA Access gt Authenticationgt
Configure Authentication to server group
Apply
Firewall policy Configuration gt Firewall gt Service Policy Rulesgt
Configure default inspection gt Rule Action chose the protocol to inspect
DMZ with ACLs
Configuration gt Device Setup gt Interface Settings gt Interfacesgt
Configure Addgt Select interface gt Security-level vlan network
Configure Edit the vlan if default 12 is set
Configure console in change the security-level on interface
Configure block traffic between VLANs in advanced tab
Apply
Configuration gt Firewall gt Public Serversgt
Configure Add gt Private interface private network(elipe) private service (elipe) public network
Apply
Verify rules Configuration gt Firewall gt Access Rules
DMZ with static NAT
10 | P a g e
OSPF Initiate OSPF followed with the ID number to use this must be the same ID number around all machines
Initiate OSPF configuration (config) router ospf [num]
Networks to transfer to neighbors Remember area number
(config-router) network [network] [wildcard mask] area [num]
(config-router) passive-interface [interface]
Securing OSPF with authentication Securing OSPF protocol makes it more secure to not join routing tables in the control plane that might be
malicious This should be applied to every interface with neighbors to form authentication
Configure a key chain to use
(config) key chain [word]
(config-keychain) key 1
Set the authentication key-string to use
(config-keychain-key) key-string [password]
(config-keychain-key) cryptographic-algorithm [algorithm]
Apply the key chain to and interface with neighbor
(config-int) ip ospf authentication key-chain [word]
11 | P a g e
Zone-Based Policy Firewall (ZPF) Start creating the zoneacutes to be used This should be represented by the
interfaces that it should apply to
Create a zone by giving it a name
(config) zone security [zone name]
(config-int) zone-member security [zone name
Use class-mapacutes to define what kind of traffic to inspect Match multiple
protocols inside one class-map It is also possible to nest class-mapacutes
(config) class-map type inspect match-any [class-map name]
(config-cmap) match protocol [protocol]
Use policy-mapacutes to take action on the traffic that is match from the class-map Inspect is used to also allow
dynamic return of the traffic Drop and pass can also be used
(config) policy-map type inspect [policy-map name]
(config-pmap) class type inspect [class-map name]
(config-pmap-c) inspect
Now the policy is needed to be paired with the zone If the zone is not
paired there is no traffic coming through
(config) zone-pair security [zone-pair name] source [zone name]
destination [zone name]
Now apply the policy to actively be used on this zone-pair
(config-sec-zone-pair) service-policy type inspect [policy-map name]
zone (zone-pair)
zone (zone-pair)
Zone
Policy-map
Class-map
12 | P a g e
SNMP To configure SNMP an ACL must be used containing the hosts that are allowed to connect for more secure
SNMP
(config) ip access-list standard [word]
(config-std-nacl) permit [network] [wildcard]
Configure the SNMP server witch MIB view read
(config) snmp-server view [word] [MIB] [include ndash exclude]
Configure SNMP group with version SNMPv3
(config) snmp-server group [word] [version] [security-level] [view thatrsquos
created] access [ACL]
Create user and associate with the group
(config) snmp-server user [word (username)] [groupname] [snmp version]
auth sha [password] priv [algorithm] [key-length] [password]
Router services and configuration
SCP service (config) ip scp server enabled
Copy
Router copy [mode][source][file] [destination]
Clock Router clock set HHMMSS MMM DD YYYY
NTP with authentication Setup and NTP server master
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp master [stratum-number (master is 3)]
Configure NTP on clients it needs to use the same key and password from the
master NTP server to authenticate
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp server [NTP master]
(config) ntp update-calendar
Router clock update-calendar
13 | P a g e
Syslog server Use a syslog server to log everything Setup timestamps to stamp the log There are different logging traps to
use
Turn on timestamps for the log
(config) service timestamps log datetime msec
Point to the syslog server
(config) logging host [destination address]
Define the logging level severity
(config) logging trap [severity]
Severity Level Keyword Meaning
9 | P a g e
Configure the ASA with ASDM GUI interface
Run the different wizards to configure the ASA.
Configure basic settings
Configuration > Device Setup > Startup Wizard >
Modify existing configuration >
Configure hostname, domain name, privileged password >
Configure inside/outside interfaces and VLANs >
Configure DHCP >
Configure PAT >
Configure access types >
Summary: read it before accepting the configuration
Apply
Clock
Configuration > Device Setup > System Time > Clock
Static routes
Configuration > Device Setup > Routing > Static Routes >
Add >
Configure: select the interface; a quad-zero network (0.0.0.0) means any destination; set the gateway
Apply
AAA user authentication
Configuration > Device Management > Users/AAA > User Accounts >
Configure: Add > username, password, privilege >
Apply
AAA user access
Configuration > Device Management > Users/AAA > AAA Access > Authentication >
Configure: authentication to the server group
Apply
Firewall policy
Configuration > Firewall > Service Policy Rules >
Configure: default inspection > Rule Action: choose the protocols to inspect
DMZ with ACLs
Configuration > Device Setup > Interface Settings > Interfaces >
Configure: Add > select the interface > security-level, VLAN, network
Configure: edit the VLAN if the default 1/2 is set
Configure: change the security-level on the interface
Configure: block traffic between VLANs in the Advanced tab
Apply
Configuration > Firewall > Public Servers >
Configure: Add > private interface, private network (ellipsis button), private service (ellipsis button), public network
Apply
Verify rules
Configuration > Firewall > Access Rules
DMZ with static NAT
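What the DMZ steps above produce (a third interface with its own security level, traffic from it toward the inside blocked, a server published with static NAT and an access rule), written as the equivalent ASA CLI configuration. This is an added example and not the notes' own material: the 5505-style VLAN interfaces, the addresses, the object name and the ACL name are assumed values.

```cisco
! Added example, not from the original notes. Interface/VLAN layout,
! addresses, object and ACL names are assumed values.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
!
! Third VLAN = DMZ. "no forward interface Vlan1" is the CLI form of
! "block traffic between VLANs": the DMZ can never start a session
! toward the inside, whatever its security level.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
!
! Static NAT: the DMZ web server is reachable on one public address.
object network DMZ-WEB-SERVER
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.227
!
! Access rule on the outside interface. The ACL names the real (inside
! NAT) address via the object; only the published service is allowed,
! everything else from outside is dropped by the implicit deny.
access-list OUTSIDE-TO-DMZ extended permit tcp any object DMZ-WEB-SERVER eq www
access-list OUTSIDE-TO-DMZ extended permit icmp any object DMZ-WEB-SERVER echo
access-group OUTSIDE-TO-DMZ in interface outside
!
! Default route toward the ISP (quad zero = any destination).
route outside 0.0.0.0 0.0.0.0 209.165.200.225
```

The result can be checked with `show nat`, `show access-list OUTSIDE-TO-DMZ` (hit counts per line) and, as the notes suggest, Tools > Packet Tracer in ASDM with a packet from outside to the public address on port 80 and a second one from the DMZ toward an inside host, which should be dropped.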
10 | P a g e
OSPF
Start OSPF with the process ID number to use; this must be the same ID number on all machines.
Initiate OSPF configuration
(config) router ospf [num]
Networks to advertise to neighbors; remember the area number
(config-router) network [network] [wildcard mask] area [num]
(config-router) passive-interface [interface]
Securing OSPF with authentication
Authenticating OSPF makes it harder for untrusted, possibly malicious, routers to join the routing domain and inject routes into the control plane. Apply it on every interface that has OSPF neighbors, so that the neighbors authenticate each other.
Configure a key chain to use
(config) key chain [word]
(config-keychain) key 1
Set the authentication key-string to use
(config-keychain-key) key-string [password]
(config-keychain-key) cryptographic-algorithm [algorithm]
Apply the key chain to an interface with a neighbor
(config-int) ip ospf authentication key-chain [word]
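A worked instance of the two procedures above, added here as an example and not taken from the notes: OSPF process 10 in area 0 with the user LAN passive, and HMAC-SHA-256 authentication on the WAN link through a key chain. Interface names, addresses, the router ID, the key chain name and the key string are assumed values; the neighbor gets the same configuration with its own addresses.

```cisco
! Added example, not from the original notes. Interface names,
! addresses, router-id, key chain name and key string are assumed.
router ospf 10
 router-id 1.1.1.1
 network 192.168.1.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.3 area 0
 ! No hellos toward the user LAN: nobody there is a neighbor, so
 ! nobody there can try to become one.
 passive-interface GigabitEthernet0/0
!
! Key chain: the name is local, but key number, key-string and
! algorithm must match on both ends of the link.
key chain OSPF-KEYS
 key 1
  key-string OspfAuthKey2016
  cryptographic-algorithm hmac-sha-256
!
! Authentication is enabled per interface, on every link that
! carries OSPF neighbors.
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 ip ospf authentication key-chain OSPF-KEYS
```

Verify with `show ip ospf neighbor` (the adjacency must reach FULL on the authenticated link) and `show ip ospf interface Serial0/0/0`, which reports the authentication type and key chain in use. One caveat for the sentence about the process ID: on IOS the number after `router ospf` is only locally significant; what actually has to agree between two neighbors is the area, the subnet and mask, the timers and the authentication.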
11 | P a g e
Zone-Based Policy Firewall (ZPF)
Start by creating the zones to be used. A zone should represent the set of interfaces it applies to.
Create a zone by giving it a name, then make interfaces members of it
(config) zone security [zone name]
(config-int) zone-member security [zone name]
Use class-maps to define what kind of traffic to inspect. Multiple protocols can be matched inside one class-map, and class-maps can also be nested.
(config) class-map type inspect match-any [class-map name]
(config-cmap) match protocol [protocol]
Use policy-maps to take action on the traffic matched by the class-map. Inspect allows the traffic and also allows the return traffic dynamically (stateful); drop and pass can also be used.
(config) policy-map type inspect [policy-map name]
(config-pmap) class type inspect [class-map name]
(config-pmap-c) inspect
The policy must now be attached to a zone pair. If two zones are not paired, no traffic passes between them.
(config) zone-pair security [zone-pair name] source [zone name] destination [zone name]
Now apply the policy so it is actively used on this zone-pair
(config-sec-zone-pair) service-policy type inspect [policy-map name]
[Diagram: zone -> zone-pair -> zone; the zone-pair carries a policy-map, and the policy-map references a class-map]
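The whole ZPF procedure above as one working configuration, added here as an example (it is not from the notes): two zones, a class-map for the protocols inside users may start, a policy-map that inspects them and drops the rest, and a single one-directional zone-pair. Zone, class-map, policy-map and interface names are assumed values.

```cisco
! Added example, not from the original notes. Zone, class-map,
! policy-map and interface names are assumed values.
zone security INSIDE
zone security OUTSIDE
!
! Traffic that inside hosts may initiate toward the outside.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! inspect = permit and keep state, so the replies are let back in.
! class-default catches everything not matched above; dropping it
! with "log" gives a syslog line per blocked flow.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Direction matters: this pair is INSIDE -> OUTSIDE only. Because no
! OUTSIDE -> INSIDE pair exists, nothing from outside can open a
! session; only replies to inspected sessions return.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Membership last: an interface joins a zone only after the policy
! exists, so there is no window in which it is unprotected.
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

Check it with `show zone-pair security` (the pair and its policy) and `show policy-map type inspect zone-pair sessions` (the stateful sessions currently open). Two things the template lines do not make obvious: traffic between interfaces in the same zone is always permitted, and traffic to or from the router itself (the built-in `self` zone) is not affected unless a zone-pair involving `self` is configured.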
12 | P a g e
SNMP
To configure SNMP more securely, use an ACL containing the hosts that are allowed to connect.
(config) ip access-list standard [word]
(config-std-nacl) permit [network] [wildcard]
Configure the SNMP view with the MIB subtree that may be read
(config) snmp-server view [word] [MIB] [included | excluded]
Configure the SNMP group with version SNMPv3
(config) snmp-server group [word] [version] [security-level] read [view that's created] access [ACL]
Create a user and associate it with the group
(config) snmp-server user [word (username)] [groupname] [snmp version] auth sha [password] priv [algorithm] [key-length] [password]
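The SNMPv3 procedure above filled in, as an added example that is not from the notes: a management-only ACL, a read-only view, a group that requires both authentication and privacy, and one user with SHA authentication and AES-128 encryption. ACL, view, group and user names, the management subnet and the passwords are assumed values.

```cisco
! Added example, not from the original notes. Names, the management
! subnet and the passwords are assumed values.
!
! Only the management subnet may talk SNMP to this router.
ip access-list standard SNMP-MGMT
 permit 192.168.10.0 0.0.0.255
!
! Read-only view of the whole tree; restrict the subtree further if
! the NMS only needs system and interface data.
snmp-server view SNMP-RO iso included
!
! SNMPv3 group: "priv" means authentication AND encryption are required,
! "read" binds the view, "access" binds the ACL.
snmp-server group SNMP-ADMINS v3 priv read SNMP-RO access SNMP-MGMT
!
! User in that group: SHA for authentication, AES-128 for privacy.
snmp-server user snmp-operator SNMP-ADMINS v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
```

Two checks worth knowing: IOS does not show `snmp-server user` lines in the running-config (the credentials are kept in a separate store), so `show snmp user` is the only way to confirm the user exists, and `show snmp group` confirms which view and ACL the group carries. Make sure no `snmp-server community` line is left over, since a v1/v2c community string would sidestep the v3 protection entirely.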
Router services and configuration
SCP service
(config) ip scp server enable
Copy
Router copy [mode][source][file] [destination]
Clock
Router clock set HH:MM:SS MMM DD YYYY
NTP with authentication
Set up an NTP server (master)
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp master [stratum-number (master is 3)]
Configure NTP on the clients; they must use the same key number and password as the NTP master to authenticate
(config) ntp authentication-key [num] md5 [password]
(config) ntp trusted-key [num]
(config) ntp authenticate
(config) ntp server [NTP master] key [num]
(config) ntp update-calendar
Router clock update-calendar
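Both sides of the authenticated NTP setup above in one place, as an added example (not from the notes). The master's address, the key number and the key string are assumed values; the key number and string must be identical on master and clients.

```cisco
! Added example, not from the original notes. Address, key number and
! key string are assumed values.
!
! --- NTP master (the lab's time source) ---
ntp authentication-key 1 md5 NtpSharedSecret
ntp trusted-key 1
ntp authenticate
ntp master 3
!
! --- NTP client (every other router) ---
! Same key number and key string as the master. "key 1" on the server
! line makes the client sign its requests with key 1; together with
! "ntp authenticate" and "ntp trusted-key 1" it then rejects any reply
! that is not authenticated with a trusted key.
ntp authentication-key 1 md5 NtpSharedSecret
ntp trusted-key 1
ntp authenticate
ntp server 192.168.1.1 key 1
! Push the synced time into the hardware calendar so it survives a reload.
ntp update-calendar
```

`show ntp status` should say "Clock is synchronized", and in `show ntp associations` the master's line is marked with `*` once it is the selected source (it takes several polls; `#` or blank means not yet). Correct time matters beyond the clock itself: the syslog timestamps configured in the next section and the validity checks on certificates and signatures depend on it.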
13 | P a g e
Syslog server
Use a syslog server to log everything. Turn on timestamps so every log message is stamped. There are different logging trap levels (severities) to choose from.
Turn on timestamps for the log
(config) service timestamps log datetime msec
Point to the syslog server
(config) logging host [destination address]
Define the logging level (severity)
(config) logging trap [severity]
Severity Level Keyword Meaning
0 emergencies System is unusable
1 alerts Immediate action required
2 critical Critical conditions
3 errors Error conditions
4 warnings Warning conditions
5 notifications Normal but significant condition
6 informational Informational messages
7 debugging Debugging messages
Logging
(config) login on-failure log
(config) login on-success log
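The syslog and login-logging commands above combined into one working configuration, added here as an example that is not from the notes. It also shows what the severity table means in practice: the trap level is a threshold, and every message at that level or more urgent (a lower number) is exported. The server address, the source interface and the login-block values are assumed.

```cisco
! Added example, not from the original notes. Server address, source
! interface and login-block values are assumed.
service timestamps log datetime msec localtime show-timezone
!
! Keep a local copy too: if the server is unreachable during an
! incident, the buffer is all you have.
logging buffered 32768 informational
!
! Export to the syslog server at severity 6 (informational) and more
! urgent, i.e. levels 0..6 are sent; only 7 (debugging) stays off the
! wire. Sending from a fixed interface keeps the source address stable
! for the server's filters.
logging host 192.168.10.50
logging trap informational
logging source-interface GigabitEthernet0/0
!
! Record every failed and successful login (these messages are level 4
! and 5, so they pass the threshold above) and slow down guessing:
! after 3 failures within 30 s, block new login attempts for 60 s.
login on-failure log
login on-success log
login block-for 60 attempts 3 within 30
```

`show logging` confirms the trap level and the server, and `show login` shows whether the router is currently in quiet mode after too many failures. Choosing `debugging` as the trap level would also ship every `debug` line to the server, which is the usual way a syslog server gets flooded.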
14 | P a g e
Debug commands
Miscellanies
show flash (show what is on the flash drive)
OSPF
show ip ospf neighbor (check whether adjacencies have formed with neighbors)
show ip ospf neighbor summary (show OSPF processes)
show ip ospf interface [interface] (show detailed interface information)
show ip route (check that the known routes are learned via OSPF paths)
clear ip ospf redistribution (clear out the learned database)
debug ip ospf hello
IKE IPsec CRYPTO
show crypto isakmp policy (shows the IKE (key exchange) policy configuration)
show crypto ipsec transform-set (shows the transform sets, including tunnel or transport mode)
show crypto map (show the crypto map that applies on the current router)
show crypto ipsec sa (verify the security associations and the packet counters through the tunnel)
debug crypto ipsec
Resilience
show secure bootset (shows the archived files)
show flash (show the flash directory)
SNMP
show snmp group (verify the SNMP groups)
show snmp user (view the SNMP users created)
Time and date NTP
show clock (view clock and date settings)
show ntp associations
debug ntp all
Syslog Logging
show logging (view the logging settings, including logging to the server)
Zone-Based Policy Firewall
show zone-pair security (view the zone pairs that have been made)
show policy-map type inspect zone-pair (detailed view of packets and the zone pairs they apply to)
show zone security (show all interfaces that are members of a zone)
15 | P a g e
Switch
show spanning-tree (see whether this bridge is the root)
show running-config (look at the interface configuration)
show spanning-tree summary
show spanning-tree inconsistentports
show port-security
show port-security address
ASA Firewall
show interface ip brief (show basic interface states)
Tools > Packet Tracer
Reset the ASA
configure factory-default
write erase
reload
Intrusion prevention system (IPS)
show ip ips signature count (shows the signature counts: loaded, enabled and retired)
Error message "IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (key not found)": check the crypto key
Secure Boot
show secure bootset