Note: If you configured R3 AAA authentication using Cisco IOS commands in Tasks 1 and 2, you can skip
this task. If you performed Tasks 1 and 2 and you want to perform this task, you should restore R3 to its basic
configuration. See Part 4, Step 1 for the procedure to restore R3 to its basic configuration.

Even if you do not perform this task, read through the steps to become familiar with the SDM process.


Step 1: Implement AAA services and HTTP router access prior to starting SDM.

a. From the CLI global config mode, enable a new AAA model.
R3(config)#aaa new-model
b. Enable the HTTP server on R3 for SDM access.
R3(config)#ip http server
Note: For maximum security, enable the secure HTTP server instead, using the ip http secure-server command.


Step 2: Access SDM and set command delivery preferences.

a. Open a browser on PC-C and start SDM by entering the R3 IP address 192.168.3.1 in the address field.

b. Log in with no username and the enable secret password cisco12345.

c. In the Password Needed - Networking dialog box, enter cisco12345 in the Password field and click Yes.

d. Configure SDM to allow you to preview the commands before sending them to the router. Select Edit >
Preferences.

e. In the User Preferences window, check the Preview commands before delivering to router check box
and click OK.


Step 3: Create an administrative user with SDM.

a. Click the Configure button at the top of the screen.

b. Select Additional Tasks > Router Access > User Accounts/View.

c. In the User Accounts/View window, click Add.

d. In the Add an Account window, enter Admin01 in the Username field.

e. Enter the password Admin01pass in the New Password and Confirm New Password fields. (Remember,
passwords are case-sensitive.)

f. Confirm that the Encrypt Password using MD5 Hash Algorithm check box is checked.

g. Select 15 from the Privilege Level drop-down list and click OK.


h. In the Deliver Configuration to Router window, make sure that the Save running config to router's
startup config check box is checked, and click Deliver.

i. In the Commands Delivery Status window, click OK.


Step 4: Create a AAA method list for login.

a. Click the Configure button at the top of the screen.

b. Select Additional Tasks > AAA > Authentication Policies > Login.

c. In the Authentication Login window, click Add.

d. In the Add a Method List for Authentication Login window, verify that Default is in the Name field.

e. Click Add in the Methods section.

f. In the Select Method List(s) for Authentication Login window, choose local and click OK. Take note of the
other methods listed, which include RADIUS (group radius) and TACACS+ (group tacacs+).

g. Click OK to close the window.

h. Repeat steps 4f and 4g, and choose none as a second authentication method.

i. In the Deliver Configuration to Router window, make sure that the Save running config to router's startup
config checkbox is checked, and click Deliver. In the Commands Delivery Status window, click OK.

j. What command was delivered to the router?
________________________________________________________________________________


Step 5: Verify the AAA username and profile for console login.

a. Exit to the initial router screen that displays: R3 con0 is now available, Press RETURN to get started.

b. Log in to the console as Admin01 with a password of Admin01pass. Were you able to log in? Why or why
not? _________________________________________________________________________

c. Exit to the initial router screen that displays: R3 con0 is now available, Press RETURN to get started.

d. Attempt to log in to the console as baduser. Were you able to log in? Why or why not?
________________________________________________________________________________

e. If no user accounts are configured in the local database, which users are permitted to access the device?
__________________________________________________________________________

f. Log in to the console as Admin01 with a password of Admin01pass. Access privileged EXEC mode using
the enable secret password cisco12345 and then show the running config. What commands are associated
with the SDM session?

__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________


Task 4. Observe AAA Authentication Using Cisco IOS Debug
In this task, you use the debug command to observe successful and unsuccessful authentication attempts.


Step 1: Verify that the system clock and debug time stamps are configured correctly.

a. From the R3 user or privileged EXEC mode prompt, use the show clock command to determine
what the current time is for the router. If the time and date are incorrect, set the time from privileged
EXEC mode with the command clock set HH:MM:SS DD month YYYY. An example is provided
here for R3.
R3#clock set 14:15:00 26 December 2008
b. Verify that detailed time-stamp information is available for your debug output using the show run
command. This command displays all lines in the running config that include the text “timestamps”.
R3#show run | include timestamps

service timestamps debug datetime msec
service timestamps log datetime msec
c. If the service timestamps debug command is not present, enter it in global config mode.
R3(config)#service timestamps debug datetime msec
R3(config)#exit
d. Save the running configuration to the startup configuration from the privileged EXEC prompt.
R3#copy running-config startup-config

Step 2: Use debug to verify user access.

a. Activate debugging for AAA authentication.
R3#debug aaa authentication
AAA Authentication debugging is on
b. Start a Telnet session from PC-C to R3.

c. Log in with username Admin01 and password Admin01pass. Observe the AAA authentication events in
the console session window. Debug messages similar to the following should be displayed.
R3#
Dec 26 14:36:42.323: AAA/BIND(000000A5): Bind i/f
Dec 26 14:36:42.323: AAA/AUTHEN/LOGIN (000000A5): Pick method list 'default'
d. From the Telnet window, enter privileged EXEC mode. Use the enable secret password of cisco12345.
Debug messages similar to the following should be displayed. In the third entry, note the username
(Admin01), virtual port number (tty194), and remote Telnet client address (192.168.3.3). Also note that
the last status entry is “PASS.”
R3#
Dec 26 14:40:54.431: AAA: parse name=tty194 idb type=-1 tty=-1
Dec 26 14:40:54.431: AAA: name=tty194 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=194 channel=0
Dec 26 14:40:54.431: AAA/MEMORY: create_user (0x64BB5510) user='Admin01' ruser='NULL' ds0=0 port='tty194' rem_addr='192.168.3.3' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 26 14:40:54.431: AAA/AUTHEN/START (2467624222): port='tty194' list='' action=LOGIN service=ENABLE
Dec 26 14:40:54.431: AAA/AUTHEN/START (2467624222): non-console enable - default to enable password
Dec 26 14:40:54.431: AAA/AUTHEN/START (2467624222): Method=ENABLE
R3#
Dec 26 14:40:54.435: AAA/AUTHEN(2467624222): Status=GETPASS
R3#
Dec 26 14:40:59.275: AAA/AUTHEN/CONT (2467624222): continue_login (user='(undef)')
Dec 26 14:40:59.275: AAA/AUTHEN(2467624222): Status=GETPASS
Dec 26 14:40:59.275: AAA/AUTHEN/CONT (2467624222): Method=ENABLE
Dec 26 14:40:59.287: AAA/AUTHEN(2467624222): Status=PASS
Dec 26 14:40:59.287: AAA/MEMORY: free_user (0x64BB5510) user='NULL' ruser='NULL' port='tty194' rem_addr='192.168.3.3' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
e. From the Telnet window, exit privileged EXEC mode using the disable command. Try to enter
privileged EXEC mode again, but use a bad password this time. Observe the debug output on R3, noting
that the status is “FAIL” this time.
Dec 26 15:46:54.027: AAA/AUTHEN(2175919868): Status=GETPASS
Dec 26 15:46:54.027: AAA/AUTHEN/CONT (2175919868): Method=ENABLE
Dec 26 15:46:54.039: AAA/AUTHEN(2175919868): password incorrect
Dec 26 15:46:54.039: AAA/AUTHEN(2175919868): Status=FAIL
Dec 26 15:46:54.039: AAA/MEMORY: free_user (0x6615BFE4) user='NULL' ruser='NULL' port='tty194' rem_addr='192.168.3.3' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
f. From the Telnet window, exit the Telnet session to the router. Then try to open a Telnet session to the
router again, but this time try to log in with the username Admin01 and a bad password. From the console
window, the debug output should look similar to the following.
Dec 26 15:49:32.339: AAA/AUTHEN/LOGIN (000000AA): Pick method list 'default'
What message was displayed on the Telnet client screen? ________________________________

g. Turn off all debugging using the undebug all command at the privileged EXEC prompt.
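The debug records in this task lend themselves to automated review. The Python below is an added example, not part of the lab: it parses a constructed sample in the same format as the output above, joins each final Status=PASS/FAIL to the user, port and remote address seen in the preceding create_user and AUTHEN/START records (which carry no common session id, so the join is on the tty port), and counts failures per client address, which is the signal a defender would alert on.

```python
import re
from collections import Counter

# Constructed sample modelled on the debug output shown in this task: one
# successful enable (Status=PASS) and two failed ones (Status=FAIL) from the
# same Telnet client. Timestamps and the last session are invented.
SAMPLE_DEBUG = """\
Dec 26 14:40:54.431: AAA/MEMORY: create_user (0x64BB5510) user='Admin01' ruser='NULL' ds0=0 port='tty194' rem_addr='192.168.3.3' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 26 14:40:54.431: AAA/AUTHEN/START (2467624222): port='tty194' list='' action=LOGIN service=ENABLE
Dec 26 14:40:54.435: AAA/AUTHEN(2467624222): Status=GETPASS
Dec 26 14:40:59.287: AAA/AUTHEN(2467624222): Status=PASS
Dec 26 15:46:50.011: AAA/MEMORY: create_user (0x6615BFE4) user='Admin01' ruser='NULL' ds0=0 port='tty194' rem_addr='192.168.3.3' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 26 15:46:50.011: AAA/AUTHEN/START (2175919868): port='tty194' list='' action=LOGIN service=ENABLE
Dec 26 15:46:54.039: AAA/AUTHEN(2175919868): password incorrect
Dec 26 15:46:54.039: AAA/AUTHEN(2175919868): Status=FAIL
Dec 26 15:47:02.500: AAA/MEMORY: create_user (0x6615C0A0) user='Admin01' ruser='NULL' ds0=0 port='tty194' rem_addr='192.168.3.3' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Dec 26 15:47:02.500: AAA/AUTHEN/START (2175919901): port='tty194' list='' action=LOGIN service=ENABLE
Dec 26 15:47:05.120: AAA/AUTHEN(2175919901): Status=FAIL
"""

# "service timestamps debug datetime msec" gives the leading "Dec 26 14:40:54.431:";
# syslog-style lines may carry a leading "*", which is tolerated.
LINE_RE = re.compile(r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
CREATE_RE = re.compile(
    r"AAA/MEMORY: create_user \(0x[0-9A-Fa-f]+\) user='(?P<user>[^']*)' .*?"
    r"port='(?P<port>[^']*)' rem_addr='(?P<rem>[^']*)' .*?service=(?P<service>\S+) priv=(?P<priv>\d+)")
START_RE = re.compile(
    r"AAA/AUTHEN/START \((?P<sid>\d+)\): port='(?P<port>[^']*)' list='(?P<list>[^']*)' "
    r"action=(?P<action>\S+) service=(?P<service>\S+)")
STATUS_RE = re.compile(r"AAA/AUTHEN\((?P<sid>\d+)\): Status=(?P<status>PASS|FAIL)")


def parse_aaa_debug(text):
    """Return one event per finished authentication: who, from where, on which
    port, and the final PASS/FAIL. Intermediate states (GETPASS) are skipped."""
    pending_by_port, sessions, events = {}, {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (c := CREATE_RE.search(msg)):
            # create_user has user/address but no session id: remember it by port
            pending_by_port[c.group("port")] = c.groupdict()
        elif (s := START_RE.search(msg)):
            # AUTHEN/START introduces the session id for that port
            ctx = pending_by_port.pop(s.group("port"), {})
            sessions[s.group("sid")] = {**ctx, **s.groupdict()}
        elif (st := STATUS_RE.search(msg)):
            ctx = sessions.pop(st.group("sid"), {})
            events.append({"ts": ts, "sid": st.group("sid"), "status": st.group("status"),
                           "user": ctx.get("user", "?"), "port": ctx.get("port", "?"),
                           "rem_addr": ctx.get("rem", "?"), "service": ctx.get("service", "?")})
    return events


def failures_by_address(events, threshold=2):
    """Remote addresses with at least `threshold` failed authentications."""
    counts = Counter(e["rem_addr"] for e in events if e["status"] == "FAIL")
    return {addr: n for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_aaa_debug(SAMPLE_DEBUG)
    for e in evs:
        print(e["ts"], e["user"], e["port"], e["rem_addr"], e["service"], e["status"])
    print("repeat failures:", failures_by_address(evs))
```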


Part 4. Configure Centralized Authentication Using AAA and RADIUS.
In Part 4 of the lab, you install RADIUS server software on PC-A. You then configure router R1 to access the
external RADIUS server for user authentication. The freeware server WinRadius is used for this section of the
lab.


Task 1. Restore Router R1 to Its Basic Settings
To avoid confusion between what was already entered and the AAA RADIUS configuration, start by restoring
router R1 to its basic configuration as performed in Parts 1 and 2 of this lab.

Step 1: Erase and reload the router.

a. Connect to the R1 console, and log in with the username Admin01 and password Admin01pass.

b. Enter privileged EXEC mode with the password cisco12345.

c. Erase the startup config and then issue the reload command to restart the router.


Step 2: Restore the basic configuration.

a. When the router restarts, enter privileged EXEC mode with the enable command, and then enter
global config mode. Use the HyperTerminal Transfer > Send File function, cut and paste or use another
method to load the basic startup config for R1 that was created and saved in Part 2 of this lab.

b. Test connectivity by pinging from host PC-A to PC-C. If the pings are not successful, troubleshoot the
router and PC configurations until they are.

c. If you are logged out of the console, log in again as user01 with password user01pass, and access
privileged EXEC mode with the password cisco12345.

d. Save the running config to the startup config using the copy run start command.


Task 2. Download and Install a RADIUS Server on PC-A
There are a number of RADIUS servers available, both free and commercial. This lab uses WinRadius, a
freeware standards-based RADIUS server that runs on Windows XP and most other Windows operating
systems. The free version of the software can support only five usernames.


Step 1: Download the WinRadius software.

a. Create a folder named WinRadius on your desktop or other location in which to store the files.

b. Download the latest version from http://www.suggestsoft.com/soft/itconsult2000/winradius/.

The publisher asks that you provide your email address and send them feedback after you install and
try WinRadius. You may skip the survey if desired.

c. Save the downloaded zip file in the folder you created in Step 1a, and extract the zipped files to the
same folder. There is no installation setup. The extracted WinRadius.exe file is executable.

d. You may create a shortcut on your desktop for WinRadius.exe.


Step 2: Configure the WinRadius server database.

a. Start the WinRadius.exe application. WinRadius uses a local database in which it stores user
information. When the application is started for the first time, the following messages are displayed.

Please go to "Settings/Database" and create the ODBC for your RADIUS database.

Launch ODBC failed.

b. Select Settings > Database from the main menu and the following screen is displayed. Click the
Configure ODBC automatically button and then click OK. You should see a message that the ODBC
was created successfully. Exit WinRadius and restart the application for the changes to take effect.




c. When WinRadius starts again, you should see messages similar to the following displayed.




d. On which ports is WinRadius listening for authentication and accounting?
_______________________________________________________________________________
Step 3: Configure users and passwords on the WinRadius server.

Note: The free version of WinRadius can support only five usernames. The usernames are lost if you exit
the application and restart it. Any usernames created in previous sessions must be recreated. Note that
the first message in the previous screen shows that zero users were loaded. No users had been created
prior to this, but this message is displayed each time WinRadius is started, regardless of whether users
were created or not.

a. From the main menu, select Operation > Add User.

b. Enter the username RadUser with a password of RadUserpass. Remember that passwords are case-
sensitive.




c. Click OK. You should see a message on the log screen that the user was added successfully.


Step 4: Clear the log display.

From the main menu, select Log > Clear.


Step 5: Test the new user added using the WinRadius test utility.

a. A WinRadius testing utility is included in the downloaded zip file. Navigate to the folder where you
unzipped the WinRadius.zip file and locate the file named RadiusTest.exe.

b. Start the RadiusTest application, and enter the IP address of this RADIUS server (192.168.1.3),
username RadUser, and password RadUserpass as shown. Do not change the default RADIUS port
number of 1813 and the RADIUS password of WinRadius.
c. Click Send and you should see a Send Access_Request message indicating the server at 192.168.1.3,
port number 1813, received 44 hexadecimal characters. On the WinRadius log display, you should also
see a message indicating that user RadUser was authenticated successfully.




d. Close the RadiusTest application.


Task 3. Configure R1 AAA Services and Access the RADIUS Server Using Cisco IOS
Note: If you want to configure AAA using SDM, go to Task 5.

Step 1: Enable AAA on R1.
Use the aaa new-model command in global configuration mode to enable AAA.
R1(config)#aaa new-model
Step 2: Configure the default login authentication list.
a. Configure the list to first use RADIUS for the authentication service, and then none. If no RADIUS
server can be reached and authentication cannot be performed, the router globally allows access without
authentication. This is a safeguard measure in case the router starts up without connectivity to an active
RADIUS server.
R1(config)#aaa authentication login default group radius none
b. You could alternatively configure local authentication as the backup authentication method instead.

Note: If you do not set up a default login authentication list, you could get locked out of the router and need to
use the password recovery procedure for your specific router.

Step 3: Specify a RADIUS server.

Use the radius-server host hostname key key command to point to the RADIUS server. The
hostname parameter accepts either a host name or an IP address. Use the IP address of the RADIUS
server, PC-A (192.168.1.3). The key is a secret password shared between the RADIUS server and the
RADIUS client (R1 in this case) and used to authenticate the connection between the router and the
server before the user authentication process takes place. The RADIUS client may be a Network Access
Server (NAS), but router R1 plays that role in this lab. Use the default NAS secret password of WinRadius
specified on the RADIUS server (see Task 2, Step 5). Remember that passwords are case-sensitive.
R1(config)#radius-server host 192.168.1.3 key WinRadius
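To see what the shared key does on the wire, the Python below is an added example (not part of the lab and not WinRadius or Cisco IOS code) that models both sides of the RADIUS exchange from RFC 2865: the client builds an Access-Request whose User-Password attribute is hidden under the key, a minimal server recovers the password with its own copy of the key and answers Access-Accept or Access-Reject, and the client checks the Response Authenticator before trusting the reply. The username, password and key are the lab's values; the server's user table and the fixed Request Authenticator in the test are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR block i with
    MD5(secret + previous ciphertext block); block 0 is keyed by the
    Request Authenticator. Without the key the password cannot be recovered."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server applies it with its copy of the key."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident, username, password, secret, request_auth=None):
    """NAS (router) side: 20-byte header + User-Name + hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def parse_packet(pkt):
    """Split a RADIUS packet into code, identifier, authenticator and a {type: value} map."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2:  # malformed attribute; stop rather than loop forever
            break
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, pkt[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(pkt, secret, users):
    """Server side: recover the password and answer Access-Accept or Access-Reject."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        return None
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(user)
    ok = expected is not None and hmac.compare_digest(expected.encode(), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, request_auth, b"", secret)


def client_check_response(resp, request_auth, secret):
    """Client side: return the reply code, or None when the Response Authenticator
    does not verify under the client's key (a real client silently discards it,
    so a key mismatch looks like a server that never answers)."""
    code, ident, resp_auth, _ = parse_packet(resp)
    expected = response_authenticator(code, ident, request_auth, resp[20:], secret)
    return code if hmac.compare_digest(resp_auth, expected) else None


def run_exchange(username, password, client_secret, server_secret=b"WinRadius"):
    """One full request/response round trip against a constructed user table."""
    users = {"RadUser": "RadUserpass"}  # constructed: the lab's WinRadius test user
    req, request_auth = build_access_request(1, username, password, client_secret)
    resp = server_handle(req, server_secret, users)
    return client_check_response(resp, request_auth, client_secret)
```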

Task 4. Test the AAA RADIUS Configuration

Step 1: Verify connectivity between R1 and the computer running the RADIUS server.

Ping from R1 to PC-A.
R1#ping 192.168.1.3
If the pings were not successful, troubleshoot the PC and router configuration before continuing.


Step 2: Test your configuration.

a. If you restarted the WinRadius server, you must recreate the user RadUser with a password of
RadUserpass by selecting Operation > Add User.

b. Clear the log on the WinRadius server by selecting Log > Clear from the main menu.

c. On R1, exit to the initial router screen that displays: R1 con0 is now available, Press RETURN to get
started.

d. Test your configuration by logging in to the console on R1 using the username RadUser and the
password of RadUserpass. Were you able to gain access to the user EXEC prompt and, if so, was there
any delay? ________________________________________________________________

e. Exit to the initial router screen that displays: R1 con0 is now available, Press RETURN to get
started.

f. Test your configuration again by logging in to the console on R1 using the nonexistent username of
Userxxx and the password of Userxxxpass. Were you able to gain access to the user EXEC prompt?
Why or why not? ________________________________________________________________

g. Were any messages displayed on the RADIUS server log for either login? _____

h. Why was a nonexistent username able to access the router and no messages are displayed on the
RADIUS server log screen? ________________________________________________________

i. When the RADIUS server is unavailable, messages similar to the following are typically displayed after
attempted logins.
*Dec 26 16:46:54.039: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.3:1645,1646 is not responding.
*Dec 26 15:46:54.039: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.3:1645,1646 is being marked alive.

Step 3: Troubleshoot router-to-RADIUS server communication.

a. Check the default Cisco IOS RADIUS UDP port numbers used on R1 with the radius-server host
command and the Cisco IOS Help function.
R1(config)#radius-server host 192.168.1.3 ?
acct-port UDP port for RADIUS accounting server (default is 1646)
alias 1-8 aliases for this server (max. 8)
auth-port UDP port for RADIUS authentication server (default is 1645)
< Output omitted >

b. Check the R1 running configuration for lines containing the command radius. The following
command displays all running config lines that include the text “radius”.
R1#show run | incl radius
aaa authentication login default group radius none
radius-server host 192.168.1.3 auth-port 1645 acct-port 1646 key 7 097B47072B04131B1E1F
< Output omitted >

c. What are the default R1 Cisco IOS UDP port numbers for the RADIUS server?
________________________________________________________________________________


Step 4: Check the default port numbers on the WinRadius server on PC-A.

From the WinRadius main menu select Settings > System.




What are the default WinRadius UDP port numbers? _____________________________________

Note: The early deployment of RADIUS was done using UDP port number 1645 for authentication and 1646
for accounting, which conflicts with the datametrics service. Because of this conflict, RFC 2865 officially
assigned port numbers 1812 and 1813 for RADIUS.


Step 5: Change the RADIUS port numbers on R1 to match the WinRadius server.

Unless specified otherwise, the Cisco IOS RADIUS configuration defaults to UDP port numbers 1645 and
1646. Either the router Cisco IOS port numbers must be changed to match the port numbers of the RADIUS
server or the RADIUS server port numbers must be changed to match the port numbers of the Cisco IOS
router. In this step, you modify the IOS port numbers to those of the RADIUS server, which are specified in
RFC 2865.

Remove the previous configuration using the following command.
R1(config)#no radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
Issue the radius-server host command again, and this time specify port numbers 1812 and 1813,
along with the IP address and secret key for the RADIUS server.
R1(config)#radius-server host 192.168.1.3 auth-port 1812 acct-port 1813 key WinRadius
Step 6: Test your configuration by logging into the console on R1.

a. Exit to the initial router screen that displays: R1 con0 is now available, Press RETURN to get started.

b. Log in again with the username of RadUser and password of RadUserpass. Were you able to
log in? Was there any delay this time?
_______________________________________________________

c. The following message should display on the RADIUS server log.

User (RadUser) authenticate OK.

d. Exit to the initial router screen that displays: R1 con0 is now available, Press RETURN to get started.

e. Log in again using an invalid username of Userxxx and the password of Userxxxpass. Were you
able to log in?
_________________________________________________________________________

What message was displayed on the router? ___________________________________________

The following messages should display on the RADIUS server log.

Reason: Unknown username

User (Userxxx) authenticate failed

Step 7: Create an authentication method list for Telnet and test it.

a. Create a unique authentication method list for Telnet access to the router. This does not have the
fallback of no authentication, so if there is no access to the RADIUS server, Telnet access is
disabled. Name the authentication method list TELNET_LINES.
R1(config)#aaa authentication login TELNET_LINES group radius
b. Apply the list to the vty lines on the router using the login authentication command.
R1(config)#line vty 0 4
R1(config-line)#login authentication TELNET_LINES
c. Telnet from PC-A to R1, and log in with the username RadUser and the password of RadUserpass.
Were you able to gain access to log in? _______________________________________________

d. Exit the Telnet session, and telnet from PC-A to R1 again. Log in with the username Userxxx and the
password of Userxxxpass. Were you able to log in? ______________________________________


Task 5. (Optional) Configure R1 AAA Services and Access the RADIUS Server Using SDM
You can also use SDM to configure the router to access the external RADIUS server.

Note: If you configured R1 to access the external RADIUS server using Cisco IOS in Task 3, you can skip
this task. If you performed Task 3 and you want to perform this task, restore the router to its basic
configuration as described in Task 1 of this part, except log in initially as RadUser with the password
RadUserpass. If the RADIUS server is unavailable at this time, you will still be able to log in to the console.

If you do not perform this task, read through the steps to become familiar with the SDM process.


Step 1: Implement AAA services and HTTP router access prior to starting SDM.

a. From the CLI global config mode, enable a new AAA model.
R1(config)#aaa new-model
b. Enable the HTTP server on R1.
R1(config)#ip http server

Step 2: Access SDM and enable the command preview option.

a. Open a browser on PC-A. Start SDM by entering the R1 IP address 192.168.1.1 in the address field.

b. Log in with no username and the enable secret password cisco12345.

c. In the Password Needed - Networking dialog box, enter cisco12345 in the Password field and click Yes.

d. Configure SDM to allow you to preview commands before sending them to the router. Select Edit >
Preferences.

e. In the User Preferences window, check the Preview commands before delivering to router check box
and click OK.


Step 3: Configure R1 AAA to access the WinRadius server.

a. Click the Configure button at the top of the screen.

b. Select Additional Tasks > AAA > AAA Servers and Groups > AAA Servers.

c. In the AAA Servers window, click Add.

d. In the Add AAA Server window, verify that RADIUS is in the Server Type field.

e. In the Server IP or Host field, enter the IP address of PC-A, 192.168.1.3.

f. Change the Authorization Port from 1645 to 1812, and change the Accounting Port from 1646 to 1813 to
match the RADIUS server port number settings.

g. Check the Configure Key check box.

h. Enter WinRadius in both the New Key and Confirm Key fields.




i. In the Deliver Configuration to Router window, click Deliver, and in the Commands Delivery Status window,
click OK.

j. What command was delivered to the router?
________________________________________________________________________________


Step 4: Configure the R1 AAA login method list for RADIUS.

a. Click the Configure button at the top of the screen.

b. Select Additional Tasks > AAA > Authentication Policies > Login.

c. In the Authentication Login window, click Add.

d. In the Select Method List(s) for Authentication Login window, choose group radius and click OK.

e. In the Select Method List(s) for Authentication Login window, choose local as a second method
and click OK.




f. In the Deliver Configuration to Router window, click Deliver and in the Commands Delivery Status
window, click OK.

g. What command(s) were delivered to the router?
________________________________________________________________________________


Step 5: Test your configuration.

If you restarted the RADIUS server, you must recreate the user RadUser with a password of
RadUserpass by selecting Operation > Add User.

a. Clear the log on the WinRadius server by selecting Log > Clear.

b. Test your configuration by opening a Telnet session from PC-A to R1.
C:\>telnet 192.168.1.1
c. At the login prompt, enter the username RadUser defined on the RADIUS server and a password of
RadUserpass.

d. Were you able to log in to R1? _____


Task 6. Reflection
Why would an organization want to use a centralized authentication server rather than configuring users
and passwords on each individual router?
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________

Contrast local authentication and local authentication with AAA.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________

Based on the Academy online course content, web research, and the use of RADIUS in this lab, compare
and contrast RADIUS with TACACS+.
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________

Router Interface Summary Table

Router Interface Summary
Router Model  Ethernet Interface #1      Ethernet Interface #2      Serial Interface #1    Serial Interface #2
1700          Fast Ethernet 0 (FA0)      Fast Ethernet 1 (FA1)      Serial 0 (S0)          Serial 1 (S1)
1800          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2600          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0 (S0/0)      Serial 0/1 (S0/1)
2800          Fast Ethernet 0/0 (FA0/0)  Fast Ethernet 0/1 (FA0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router
and how many interfaces the router has. There is no way to effectively list all the combinations of
configurations for each router class. This table includes identifiers for the possible combinations of
Ethernet and Serial interfaces in the device. The table does not include any other type of interface,
even though a specific router may contain one. An example of this might be an ISDN BRI interface.
The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to
represent the interface.

Chapter 4: Lab A: Configuring CBAC and Zone-Based Firewalls

Topology




IP Addressing Table


Device  Interface      IP Address    Subnet Mask      Default Gateway  Switch Port
R1      FA0/1          192.168.1.1   255.255.255.0    N/A              S1 FA0/5
R1      S0/0/0 (DCE)   10.1.1.1      255.255.255.252  N/A              N/A
R2      S0/0/0         10.1.1.2      255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)   10.2.2.2      255.255.255.252  N/A              N/A
R3      FA0/1          192.168.3.1   255.255.255.0    N/A              S3 FA0/5
R3      S0/0/1         10.2.2.1      255.255.255.252  N/A              N/A
PC-A    NIC            192.168.1.3   255.255.255.0    192.168.1.1      S1 FA0/6
PC-C    NIC            192.168.3.3   255.255.255.0    192.168.3.1      S3 FA0/18

Objectives

Part 1: Basic Router Configuration

Configure host names, interface IP addresses, and access passwords.
Configure the EIGRP dynamic routing protocol.

Use the Nmap port scanner to test for router vulnerabilities.


Part 2: Configuring a Context-Based Access Control (CBAC) Firewall

Configure CBAC using AutoSecure.

Examine the resulting CBAC configuration.

Verify the firewall functionality.


Part 3: Configuring a Zone-Based Policy Firewall (ZBF, ZPF or ZFW)

Configure a Zone-Based Policy Firewall using SDM.

Examine the resulting CBAC configuration.

Use SDM Monitor to verify configuration.


Background
The most basic form of a Cisco IOS firewall uses access control lists (ACLs) to filter IP traffic and
monitor established traffic patterns. This is referred to as a traditional Cisco IOS firewall. In more recent
Cisco IOS versions, this approach has evolved into a method called context-based access control (CBAC) or
Inspect/CBAC, which is based on Stateful Packet Inspection (SPI). CBAC makes creating firewalls easier and
gives the administrator greater control over various types of application traffic originating from inside and
outside of the protected network. When Cisco IOS AutoSecure is run, it prompts to create a CBAC firewall
and generates a basic configuration. For simple networks with a single inside and outside interface, CBAC is
easier to configure than traditional Cisco IOS firewalls. Configurations with multiple interfaces and DMZ
requirements can become complex and difficult to manage using CBAC.

The current method used with SDM for securing a router is called a zone-based policy firewall (abbreviated
ZBF, ZPF or ZFW). A zone-based policy firewall provides the same type of functionality as CBAC, but is
better suited to multiple interfaces that have similar or varying security requirements. While AutoSecure
generates a CBAC firewall, SDM generates a ZBF firewall by default.

In this lab, you build a multi-router network and configure the routers and hosts. You use AutoSecure to
configure a CBAC firewall and SDM to configure a zone-based policy firewall.

Note: The router commands and output in this lab are from a Cisco 1841 with Cisco IOS Release 12.4(20)T
(Advanced IP image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary
table at the end of the lab to determine which interface identifiers to use based on the equipment in the lab.
Depending on the router model and Cisco IOS version, the commands available and output produced might
vary from what is shown in this lab.

Note: Make sure that the routers and the switches have been erased and have no startup configurations.


Required Resources

3 routers with SDM 2.5 installed (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)


2 switches (Cisco 2960 or comparable)


PC-A (Windows XP or Vista)


PC-C (Windows XP or Vista)


Serial and Ethernet cables as shown in the topology
Rollover cables to configure the routers via the console



Part 1. Basic Router Configuration
In Part 1 of this lab, you set up the network topology and configure basic settings, such as the interface IP
addresses, dynamic routing, device access, and passwords.

Note: All tasks should be performed on routers R1, R2 and R3. The procedure for R1 is shown here as an
example.


Task 1. Configure Basic Router Settings

Step 1: Cable the network as shown in the topology.

Attach the devices shown in the topology diagram, and cable as necessary.


Step 2: Configure basic settings for each router.

a. Configure host names as shown in the topology.

b. Configure the interface IP addresses as shown in the IP addressing table.

c. Configure a clock rate for the serial router interfaces with a DCE serial cable attached.
R1(config)#interface S0/0/0
R1(config-if)#clock rate 64000

Step 3: Disable DNS lookup.

To prevent the router from attempting to translate incorrectly entered commands, disable DNS lookup.
R1(config)#no ip domain-lookup

Step 4: Configure the EIGRP routing protocol on R1, R2, and R3.

On R1, use the following commands.
R1(config)#router eigrp 101
R1(config-router)#network 192.168.1.0 0.0.0.255
R1(config-router)#network 10.1.1.0 0.0.0.3
R1(config-router)#no auto-summary
On R2, use the following commands.
R2(config)#router eigrp 101
R2(config-router)#network 10.1.1.0 0.0.0.3
R2(config-router)#network 10.2.2.0 0.0.0.3
R2(config-router)#no auto-summary
On R3, use the following commands.
R3(config)#router eigrp 101
R3(config-router)#network 192.168.3.0 0.0.0.255
R3(config-router)#network 10.2.2.0 0.0.0.3
R3(config-router)#no auto-summary




Step 5: Configure PC host IP settings.

a. Configure a static IP address, subnet mask, and default gateway for PC-A, as shown in the IP
addressing table.

b. Configure a static IP address, subnet mask, and default gateway for PC-C, as shown in the IP
addressing table.


Step 6: Verify basic network connectivity.

a. Ping from R1 to R3.

Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.

b. Ping from PC-A on the R1 LAN to PC-C on the R3 LAN.

Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.

Note: If you can ping from PC-A to PC-C, you have demonstrated that the EIGRP routing protocol is
configured and functioning correctly. If you cannot ping but the device interfaces are up and IP addresses
are correct, use the show run and show ip route commands to help identify routing protocol-related
problems.


Step 7: Configure a minimum password length.
Note: Passwords in this lab are set to a minimum of 10 characters but are relatively simple for the benefit
of performing the lab. More complex passwords are recommended in a production network.
Use the security passwords min-length command to set a minimum password length of 10 characters.
R1(config)# security passwords min-length 10

Step 8: Configure basic console, auxiliary port, and vty lines.

a. Configure a console password and enable login for router R1. For additional security, the exec-
timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous
command prevents console messages from interrupting command entry.

Note: To avoid repetitive logins during this lab, the exec-timeout can be set to 0 0, which prevents
it from expiring. However, this is not considered a good security practice.
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
b. Configure a password for the aux port for router R1.
R1(config)#line aux 0
R1(config-line)#password ciscoauxpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login


c. Configure the password on the vty lines for router R1.
R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
d. Repeat these configurations on both R2 and R3.


Step 9: Enable the HTTP server.

Enabling this service allows the router to be managed with the SDM GUI from a web browser. Plain HTTP
carries the management login in clear text; where the IOS image supports it, enable the HTTPS server with
ip http secure-server instead of, or in addition to, the unencrypted server.
R1(config)#ip http server

Step 10: Encrypt clear text passwords.

a. Use the service password-encryption command to encrypt the console, aux, and vty passwords.

R1(config)# service password-encryption


b. Issue the show run command. Can you read the console, aux, and vty passwords? Why or why not?
__________________________________________________________________________

c. Repeat this configuration on both R2 and R3.
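Worked example (added here; it is not part of the original lab and not Cisco code): the strings that service password-encryption, enable password and username ... password store are Cisco "type 7", an XOR against a fixed and publicly known key, so anyone who can read the running configuration can recover them. The enable secret 5 string is a salted MD5 hash and cannot be reversed this way. The script below decodes the two type 7 strings that appear in the AutoSecure output in Part 2 (the enable password 7 and username admin password 7 lines) and classifies the enable secret 5 line from the same output; the sample lines are copied from that output, plus one clear-text line of the kind Step 10 converts.

```python
# Added example: audit password lines in a Cisco IOS configuration.
# Cisco "type 7" is XOR against this fixed, publicly known key, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext behind a type 7 string such as 05080F1C2243185E415C47."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])                  # first two digits: key offset, IOS uses 00..15
    if seed > 15:
        raise ValueError("type 7 seed out of range")
    body = bytes.fromhex(encoded[2:])        # remaining hex pairs: obfuscated bytes
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("latin-1")


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Inverse of type7_decode; handy to confirm a recovered password round-trips."""
    if not 0 <= seed <= 15:
        raise ValueError("type 7 seed out of range")
    data = plaintext.encode("latin-1")
    body = "".join(f"{c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}" for i, c in enumerate(data))
    return f"{seed:02d}{body}"


def audit_password_line(line: str) -> dict:
    """Classify one IOS line that carries a password and recover it if it is type 7."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in ("password", "secret") and i + 2 < len(tokens) and tokens[i + 1] in ("5", "7"):
            value = tokens[i + 2]
            if tokens[i + 1] == "7":
                return {"type": 7, "reversible": True, "plaintext": type7_decode(value)}
            # Type 5 is salted MD5-crypt ($1$<salt>$<hash>); only guessing recovers it.
            return {"type": 5, "reversible": False, "salt": value.split("$")[2]}
    # No type marker: the password sits in the configuration in clear text (type 0).
    return {"type": 0, "reversible": True, "plaintext": tokens[-1]}


# Sample lines: the first three are copied from the AutoSecure output in Part 2
# of this lab; the last is a clear-text line like those Step 10 encrypts.
SAMPLE_LINES = [
    "enable secret 5 $1$m.de$Mp5tQr/I8W5VhuQoG6AoA1",
    "enable password 7 05080F1C2243185E415C47",
    "username admin password 7 02050D4808095E731F1A5C",
    "password ciscoconpass",
]


def audit_config(lines) -> list:
    """Audit every supplied line; returns one result dict per line, in order."""
    return [audit_password_line(line) for line in lines]


if __name__ == "__main__":
    for line, info in zip(SAMPLE_LINES, audit_config(SAMPLE_LINES)):
        print(f"{line:55s} -> {info}")
```

Running it shows why the answer to Step 10b is "no, but only barely": the enable password and the admin user's password come back as the strings typed into AutoSecure, while the enable secret yields only its salt. Because AutoSecure was given the same string (cisco12345) for the admin user and for the enable secret, decoding the type 7 username line also hands over the enable secret, however strong the MD5 hash is. Use different passwords for local users and the enable secret, and store user passwords with username ... secret rather than username ... password.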


Step 11: Save the basic running configuration for all three routers.

Save the running configuration to the startup configuration from the privileged EXEC prompt.
R1#copy running-config startup-config

Task 2. Use the Nmap Port Scanner to Determine Router Vulnerabilities
In this task, you use Nmap to determine which ports are open and which services are reachable on R1 before a firewall is configured.


Step 1: (Optional) Download and install Nmap and the Zenmap GUI front-end.

Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing.

If Nmap is already installed on PC-A and PC-C, go to Step 2. Otherwise, download the latest Windows
version from http://nmap.org/download.html.

On PC-A and PC-C, run the Nmap setup utility and install all components listed, including the Zenmap
GUI front-end. Click Next to accept the defaults when prompted.




Step 2: Scan for open ports on R1 using Nmap from internal host PC-A.

From internal host PC-A, start the Nmap-Zenmap application and enter the IP address of the default
gateway, R1 Fa0/1 (192.168.1.1), as the Target. Select the Intense scan profile and accept the Nmap
command Zenmap fills in for you in the Command window (the Intense profile runs nmap -T4 -A -v, which
adds OS detection, version detection, script scanning and traceroute to the port scan).

Note: If the PC is running a personal firewall it may be necessary to turn it off temporarily to obtain
accurate test results.




a. Click the Scan button to begin the scan of R1 from internal host PC-A. Allow some time for the scan to
complete. The next two screens show the entire output of the scan after scrolling.



b. Click the Service button in the upper left side of the screen. What ports are open on R1 Fa0/1 from the
perspective of internal host PC-A? ________________________________________________

What is the MAC address of the R1 Fa0/1 interface? ________________________________________

For R1, what type of device and what OS version does Nmap detect?
__________________________________________________________________________________


Step 3: Scan for open ports on R1 using Nmap from external host PC-C.

From external host PC-C, start the Nmap-Zenmap application and enter the IP address of R1 S0/0/0
(10.1.1.1) as the Target. Accept the default Nmap command entered for you in the Command
window and use the Intense scan profile.



a. Click the Scan button. Allow some time for the scan to complete. The next two screens show the entire
output of the scan after scrolling.




b. Click the Services button below the Command entry field. What services are running and available on
R1 from the perspective of PC-C? __________________________________________________

c. In the Nmap scan output, refer to the TRACEROUTE information. How many hops are between PC-C
and R1, and through what IP addresses did the scan have to go to reach R1?
________________________________________________________________________________

Note: In Part 2 of this lab you will configure a CBAC firewall on R1 and then run Nmap again to test
access from external host PC-C to R1.




Part 2. Configuring a Context-Based Access Control (CBAC) Firewall
In Part 2 of this lab, you configure CBAC on R1 using AutoSecure. You then review and test the resulting
configuration.

Task 1. Verify Access to the R1 LAN from R2
In this task, you verify that with no firewall in place, the external router R2 can ping the R1 S0/0/0 interface
and PC-A on the R1 internal LAN.


Step 1: Ping from R2 to R1.

From R2, ping the R1 interface S0/0/0 at IP address 10.1.1.1.
R2#ping 10.1.1.1
Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.


Step 2: Ping from R2 to PC-A on the R1 LAN.

From R2, ping PC-A on the R1 LAN at IP address 192.168.1.3.
R2#ping 192.168.1.3
Were the results successful? _____

If the pings are not successful, troubleshoot the basic device configurations before continuing.


Step 3: Display the R1 running config prior to using AutoSecure.

a. Issue the show run command to review the current basic configuration on R1.

b. Are there any security commands related to access control?
_______________________________________________________________________________


Task 2. Use AutoSecure to Secure R1 and Enable CBAC
AutoSecure simplifies the security configuration of a router and hardens the router configuration. In this task,
you run AutoSecure and enable CBAC during the process.


Step 1: Use the AutoSecure IOS feature to enable CBAC.

a. Enter privileged EXEC mode using the enable command.

b. Issue the auto secure command on R1. Respond to the AutoSecure questions and prompts as shown in
the following output; the responses you type are shown after each prompt.

Note: The focus here is the commands generated by AutoSecure for CBAC, so you do not enable all the
potential security features that AutoSecure can provide, such as SSH access. Be sure to respond “yes” to
the prompt Configure CBAC Firewall feature?.
R1#auto secure
--- AutoSecure Configuration ---


*** AutoSecure configuration enhances the security of the router, but it will
not make it absolutely resistant to all security attacks ***

AutoSecure will modify the configuration of your device. All configuration
changes will be shown. For a detailed explanation of how the configuration
changes enhance security and any possible side effects, please refer to
Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down

FastEthernet0/1 192.168.1.1 YES manual up up

Serial0/0/0 10.1.1.1 YES SLARP up up

Serial0/0/1 unassigned YES unset administratively down down

Enter the interface name that is facing the internet: serial0/0/0

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:

$ Unauthorized Access Prohibited $

Enable secret is either not configured or
is the same as enable password
Enter the new enable secret: cisco12345
Confirm the enable secret : cisco12345
Enter the new enable password: cisco67890
Confirm the enable password: cisco67890

Configuration of local user database
Enter the username: admin
Enter the password: cisco12345
Confirm the password: cisco12345
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 60

Maximum Login failures with the device: 2

Maximum time period for crossing the failed login attempts: 30

Configure SSH server? [yes]: no

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected
to internet

Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server

no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C Unauthorized Access Prohibited ^C
security authentication failure rate 10 log
enable secret 5 $1$m.de$Mp5tQr/I8W5VhuQoG6AoA1
enable password 7 05080F1C2243185E415C47
username admin password 7 02050D4808095E731F1A5C
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
line tty 1
login authentication local_auth
exec-timeout 15 0
login block-for 60 attempts 2 within 30
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface Serial0/0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/0/1
no ip redirects
no ip proxy-arp
no ip unreachables

no ip directed-broadcast
no ip mask-reply
interface Vlan1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
access-list 100 permit udp any any eq bootpc
interface Serial0/0/0
ip verify unicast source reachable-via rx allow-default 100
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface Serial0/0/0
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
!
end

Apply this configuration to running-config? [yes]: yes

Applying the config generated to running-config

R1#
000043: *Dec 29 21:28:59.223 UTC: %AUTOSEC-1-MODIFIED: AutoSecure
configuration has been Modified on this device

Step 2: Configure the R1 firewall to allow EIGRP updates.

The AutoSecure CBAC firewall on R1 does not permit EIGRP hellos and neighbor associations to occur and,
therefore, no updates can be sent or received. Because EIGRP updates are blocked, R1 does not know of
the 10.2.2.0/30 or the 192.168.3.0/24 networks, and R2 does not know of the 192.168.1.0/24 network.

Note: When you configure the ZBF firewall on R3 in Part 3 of this lab, SDM gives the option of allowing
EIGRP routing updates to be received by R3.

Display the Extended ACL named autosec_firewall_acl, which is applied to S0/0/0 inbound.
R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
20 deny ip any any (10)


Notice the 10 matches on ACL line 20. What is this a result of?
___________________________________________________________________________

Configure R1 to allow EIGRP updates by adding a statement to the Extended ACL autosec_firewall_acl
that permits the EIGRP protocol.
R1(config)#ip access-list extended autosec_firewall_acl
R1(config-ext-nacl)#15 permit eigrp any any
R1(config-ext-nacl)#end
Display the Extended ACL autosec_firewall_acl again.
R1#show access-list autosec_firewall_acl
Extended IP access list autosec_firewall_acl
10 permit udp any any eq bootpc
15 permit eigrp any any (5)
20 deny ip any any (10)
Notice that there is now some EIGRP packet activity for ACL statement 15.


Step 3: Save the running configuration.

From privileged EXEC mode (enter it with the enable command and the enable secret cisco12345 if prompted), save the configuration.
R1#copy run start


Step 4: Scan for open ports on R1 using Nmap from external host PC-C.

From external host PC-C, use Nmap-Zenmap to scan R1 at Target IP address 10.1.1.1. Accept the
default Nmap command entered for you in the Command window. Use the Intense scan profile.

a. Click the Scan button to begin scanning R1.




Now that the R1 CBAC firewall is in place, what services are available on R1 and what is the status of R1
from the perspective of external PC-C? ____________________________________________________
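Zenmap's Intense scan profile runs nmap -T4 -A -v; saving a scan from Zenmap, or running nmap with -oX on the command line, produces XML that can be compared before and after the firewall is applied. The following Python is an added example (not part of the lab and not Nmap's own code) that reduces two such reports to the facts Task 2 and this step ask for, namely host state, open ports with their services, and the OS match, and then diffs them. The two XML documents are constructed samples in Nmap's output format, not captures from the lab routers; the ports and OS match in them are illustrative only.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap XML format (not a real capture): a plausible
# pre-firewall view of R1's WAN address given the lab configuration, where
# Telnet vty lines and the HTTP server are enabled. Illustrative only.
BEFORE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v 10.1.1.1">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.1.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Cisco IOS 12.X" accuracy="95"/></os>
  </host>
</nmaprun>
"""

# Constructed sample: with "deny ip any any" inbound on S0/0/0, nothing answers,
# so a default (ping-first) scan reports the host as down.
AFTER_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v 10.1.1.1">
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.1.1.1" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_scan(xml_text: str) -> dict:
    """Reduce one Nmap XML report (nmap -oX) to the facts this lab asks for."""
    host = ET.fromstring(xml_text).find("host")
    result = {"address": None, "state": "unknown", "open_ports": {}, "os": None}
    if host is None:
        return result
    addr = host.find("address[@addrtype='ipv4']")
    if addr is not None:
        result["address"] = addr.get("addr")
    status = host.find("status")
    if status is not None:
        result["state"] = status.get("state")
    for port in host.findall("ports/port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue                      # keep only ports that actually answered
        service = port.find("service")
        name = service.get("name") if service is not None else "unknown"
        result["open_ports"][(port.get("protocol"), int(port.get("portid")))] = name
    osmatch = host.find("os/osmatch")     # first (best) OS guess, if any
    if osmatch is not None:
        result["os"] = osmatch.get("name")
    return result


def diff_scans(before: dict, after: dict) -> dict:
    """Which services disappeared or appeared between two scans of the same host."""
    b, a = set(before["open_ports"]), set(after["open_ports"])
    return {
        "host_state": (before["state"], after["state"]),
        "closed": sorted(b - a),
        "newly_open": sorted(a - b),
        "still_open": sorted(a & b),
    }


if __name__ == "__main__":
    before, after = parse_scan(BEFORE_XML), parse_scan(AFTER_XML)
    print("before:", before)
    print("after: ", after)
    print("diff:  ", diff_scans(before, after))
```

A host reported as down is not the same as a host with no services: Nmap's default host discovery relies on ICMP and a few TCP probes, all of which the new ACL drops. Re-running the external scan with -Pn (skip host discovery) confirms whether the ports are filtered rather than the device being offline, and is the check to make before concluding the firewall is doing its job.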


Task 3. Review the AutoSecure CBAC Configuration

Step 1: Review the commands that were delivered to router R1.

Display the running configuration for R1. The AutoSecure output should look similar to that
shown in Task 2, Step 1.

a. What is the most common command issued that is related to CBAC?
____________________________________________________________________________

b. CBAC creates rules to track TCP and UDP flows using the ip inspect name name protocol
command. To what interface is the autosec_inspect name applied and in what direction?
________________________________________________________________________________


Step 2: Display the protocols available with the ip inspect command.

To see the protocols available, enter the ip inspect name name command in global config mode,
followed by a question mark (?).

Note: Most of the protocols listed are application layer protocols. Newer Cisco IOS versions have
more protocols listed.
R1(config)# ip inspect name autosec_inspect ?
802-11-iapp IEEE 802.11 WLANs WG IAPP
ace-svr ACE Server/Propagation
appfw Application Firewall
appleqtc Apple QuickTime
bgp Border Gateway Protocol
biff Bliff mail notification
bittorrent bittorrent
<Output Omitted>
a. How many protocols can be configured for inspection?
____________________________________

b. Refer to the running configuration output or the AutoSecure output in Task 2, Step 1. Which
protocols did AutoSecure configure to be inspected as they leave the S0/0/0 interface?
____________________________________________________________________________

c. To which interface is the ACL autosec_firewall_acl applied and in which direction? _______________

d. What is the purpose of the ACL autosec_firewall_acl?
________________________________________________________________________________


Task 4. Verify CBAC Functionality
For the protocols identified to be inspected, the CBAC firewall allows return traffic for connections initiated
from the inside, but blocks all other connections from the outside.
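To make this behaviour concrete, the following Python model is an added example (not IOS code and not part of the lab) of how the ip inspect autosec_inspect out statement and the inbound ACL autosec_firewall_acl interact on R1 S0/0/0, using the ACL lines and inspected protocols from the AutoSecure output in Task 2. Because the generic tcp and udp entries are in the inspect list, every outbound TCP or UDP flow opens a session whose return traffic is admitted; ICMP and EIGRP are not in the list, so their inbound packets fall through to the ACL, which is also why the EIGRP hellos in Step 2 were counted against line 20 until line 15 was added. Real CBAC inserts temporary ACL entries for each session; the session set here is a simplification. PC-C's address (192.168.3.3) and the port numbers are assumptions for the scenario.

```python
from dataclasses import dataclass
from typing import Optional

# Protocols from "ip inspect name autosec_inspect ..." in the AutoSecure output.
# Generic tcp and udp are present, so every outbound TCP/UDP flow is tracked; the
# named applications (ftp, http, smtp, ...) add application-layer handling that
# this toy model does not reproduce. ICMP and EIGRP are absent, so never inspected.
INSPECTED = {"tcp", "udp"}
BOOTPC = 68   # "eq bootpc" in the ACL is UDP destination port 68
EIGRP_HELLO_GROUP = "224.0.0.10"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp" or "eigrp"
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports
    dport: int = 0


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    hits: int = 0

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport

    def show(self) -> str:
        """Render the entry the way 'show access-list' prints it."""
        port = " eq bootpc" if self.dport == BOOTPC else ""
        count = f" ({self.hits})" if self.hits else ""
        return f"{self.seq} {self.action} {self.proto} any any{port}{count}"


class CbacInterface:
    """One interface carrying 'ip inspect ... out' and 'ip access-group ... in'."""

    def __init__(self, acl):
        self.acl = sorted(acl, key=lambda a: a.seq)
        self.sessions = set()    # (proto, src, sport, dst, dport) of inspected outbound flows

    def add_ace(self, ace: Ace) -> None:
        self.acl = sorted(self.acl + [ace], key=lambda a: a.seq)   # sequence number orders it

    def send_out(self, pkt: Packet) -> None:
        # No outbound ACL on S0/0/0; inspected protocols open a stateful session.
        if pkt.proto in INSPECTED:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def receive_in(self, pkt: Packet) -> str:
        # Return traffic of an inspected session bypasses the inbound ACL.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit (cbac session)"
        for ace in self.acl:     # first match wins, as in IOS
            if ace.matches(pkt):
                ace.hits += 1
                return f"{ace.action} (acl line {ace.seq})"
        return "deny (implicit)"

    def show_access_list(self) -> list:
        return [ace.show() for ace in self.acl]


def run_lab_scenario() -> dict:
    """Replay the Part 2 sequence against the model and return what happened."""
    s0 = CbacInterface([Ace(10, "permit", "udp", BOOTPC), Ace(20, "deny", "ip")])
    r1_wan, r2, pc_a = "10.1.1.1", "10.1.1.2", "192.168.1.3"
    pc_c = "192.168.3.3"                       # assumed address for PC-C
    hello = Packet("eigrp", r2, EIGRP_HELLO_GROUP)
    out = {}
    # 1. Before the fix, R2's EIGRP hellos hit "deny ip any any" (Step 2).
    out["hellos_before"] = [s0.receive_in(hello) for _ in range(10)]
    out["acl_before"] = s0.show_access_list()
    # 2. Add "15 permit eigrp any any"; the sequence number slots it between 10 and 20.
    s0.add_ace(Ace(15, "permit", "eigrp"))
    out["hellos_after"] = [s0.receive_in(hello) for _ in range(5)]
    # 3. PC-A opens HTTP to R2; the SYN-ACK is return traffic of an inspected flow.
    s0.send_out(Packet("tcp", pc_a, r2, 51000, 80))
    out["http_reply"] = s0.receive_in(Packet("tcp", r2, pc_a, 80, 51000))
    # 4. PC-A pings R2: ICMP is not inspected, so the echo reply is dropped (Task 4, Step 2).
    s0.send_out(Packet("icmp", pc_a, r2))
    out["ping_reply"] = s0.receive_in(Packet("icmp", r2, pc_a))
    # 5. PC-C (Nmap) probes Telnet on R1's WAN address from outside.
    out["nmap_syn"] = s0.receive_in(Packet("tcp", pc_c, r1_wan, 40000, 23))
    out["acl_after"] = s0.show_access_list()
    return out


if __name__ == "__main__":
    for key, value in run_lab_scenario().items():
        print(f"{key:14s} {value}")
```

The model reproduces the counters seen in Step 2 (10 denials on line 20 before the EIGRP entry, EIGRP hits on line 15 afterwards) and shows why an outbound ping from PC-A fails while an outbound TCP connection works: only protocols in the inspect rule get return traffic admitted. If LAN hosts need to ping outside, add icmp to the rule (ip inspect name autosec_inspect icmp, one of the protocols the ? listing in Task 3 offers on this IOS release) rather than punching a permit icmp any any hole in the ACL, which would also admit unsolicited inbound ICMP.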


Step 1: From PC-A, ping the R1 internal LAN interface.

From PC-A, ping R1 interface Fa0/1 at IP address 192.168.1.1.
C:\>ping 192.168.1.1
Were the pings successful? Why or why not? ____________________________________________


Step 2: From PC-A, ping the R2 external WAN interface.

From PC-A, ping the R2 interface S0/0/0 at IP address 10.1.1.2.
C:\>ping 10.1.1.2
Were the pings successful? Why or why not?
________________________________________________________________________________
