
Implementing Cisco Network Security (IINS) v3.0
CCNA Security [210-260]

Day 1:
Lab 1: Enabling Services (Telnet, SSH, HTTP) for Remote Access
Lab 2: Application of ACL (Standard, Extended & Named)
Lab 3: Routing Protocol Authentication (RIPv2, EIGRP, OSPF, BGPv4)

Lab 1:
1. Enable Basic Routing between R1, R2 and R3
[Static/Default/RIP/EIGRP/OSPF].

2. Enabling Telnet in R3:

conf t
username cisco privilege 15 password cisco
line vty 0 4
login local
transport input telnet

From R1 & R2: telnet 10.2.2.1

Enter username and password
who [for checking who is accessing R3]

3. Enabling SSH in R3:
conf t
ip domain-name cisco.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh rsa key R3.cisco.com
line vty 0 4
transport input ssh

From R1 & R2: ssh -l cisco -v 2 10.2.2.1

Enter username and password
who [for checking who is accessing R3]

4. Enabling HTTP in R3:

conf t
ip http server
ip http authentication local
line vty 0 4
transport input all

From R1 & R2: telnet 10.2.2.1 80

The connection will open; use Ctrl+C to exit.

Now, we can remotely control R3 from R1 & R2, by Telnet, SSH & HTTP.

======================================================
Lab 2:
Task: Block R2 from accessing R3, but R1 will still be able to access R3.
Standard ACL [it can permit or deny traffic based only on the source
address(es)]:
access-list 10 deny host 10.2.2.2
access-list 10 deny host 10.1.1.2
access-list 10 permit any

Go to the specific interface: ip access-group 10 in

Extended ACL [It can permit/block (match) a specific source &
destination (individual port)]:
Remove the standard access-list along with access-group.

Create an extended access-list [Block R2 for telnet access & Block R1 for
SSH, allow all other services]
access-list 101 deny tcp host 10.1.1.2 host 10.2.2.1 eq 23
access-list 101 deny tcp host 10.2.2.1 host 10.2.2.1 eq 23
access-list 101 deny tcp host 10.1.1.1 host 10.2.2.1 eq 22
access-list 101 permit ip any any

Go to the specific interface: ip access-group 101 in

Drawback of a numbered extended ACL: if we try to delete any single rule or
make any kind of alteration, the entire ACL is removed.

Named ACL: We can edit the created rules at any time, as per
requirement.

Remove the extended access-list and associated access-group.

We are going to do the same task with a named extended ACL, i.e. block R2 for
Telnet access & block R1 for SSH, allow all other services.

ip access-list extended ABC
deny tcp host 10.1.1.2 host 10.2.2.1 eq 23
deny tcp host 10.2.2.1 host 10.2.2.1 eq 23
deny tcp host 10.1.1.1 host 10.2.2.1 eq 22
permit ip any any

Go to the specific interface: ip access-group ABC in

Now, we can check the created rules by "show access-list".
It will appear in the following way, with each rule carrying a sequence
number:
ip access-list extended ABC
10 deny tcp host 10.1.1.2 host 10.2.2.1 eq 23
20 deny tcp host 10.2.2.1 host 10.2.2.1 eq 23
30 deny tcp host 10.1.1.1 host 10.2.2.1 eq 22
40 permit ip any any
Verification: Check Telnet, SSH & HTTP connectivity from R1 & R2,
& check the hits in ACL (show access-list).

Changed requirement: Block R1 for telnet access & Block R2 for
SSH, allow all other services.
We can edit our previously created access-list.

conf t
ip access-list extended ABC
no 10
no 20
no 30
10 deny tcp host 10.1.1.2 host 10.2.2.1 eq 22
20 deny tcp host 10.2.2.1 host 10.2.2.1 eq 22
30 deny tcp host 10.1.1.1 host 10.2.2.1 eq 23

Now if we check the access-list, it will appear in the following manner:

ip access-list extended ABC
10 deny tcp host 10.1.1.2 host 10.2.2.1 eq 22
20 deny tcp host 10.2.2.1 host 10.2.2.1 eq 22
30 deny tcp host 10.1.1.1 host 10.2.2.1 eq 23
40 permit ip any any

Verification: Check Telnet, SSH & HTTP connectivity from R1 & R2, &
check the hits in ACL (show access-list).
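As an added example (not part of the lab), a small Python model of the named extended ACL ABC above: entries keyed by sequence number, evaluated in ascending order, first match wins, implicit deny at the end, and per-entry hit counters like the "matches" in "show access-list". The addresses and ports are the lab's own; the class and function names are mine.

```python
class Entry:
    def __init__(self, seq, action, proto, src, dst, dport=None):
        self.seq, self.action, self.proto = seq, action, proto
        self.src, self.dst, self.dport = src, dst, dport  # dport None = any port
        self.hits = 0                                     # "matches" counter

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and self.src in ("any", src) and self.dst in ("any", dst)
                and (self.dport is None or self.dport == dport))

    def __str__(self):   # one line of "show access-list"
        port = f" eq {self.dport}" if self.dport is not None else ""
        return f"{self.seq} {self.action} {self.proto} {self.src} {self.dst}{port} ({self.hits} matches)"

class NamedAcl:
    # Entries keyed by sequence number and evaluated in ascending order:
    # first match wins, and anything unmatched hits the implicit deny.
    def __init__(self, name):
        self.name, self.entries = name, {}

    def add(self, seq, action, proto, src, dst, dport=None):
        self.entries[seq] = Entry(seq, action, proto, src, dst, dport)

    def remove(self, seq):       # the lab's "no 10", "no 20", "no 30"
        del self.entries[seq]

    def evaluate(self, proto, src, dst, dport):
        for e in sorted(self.entries.values(), key=lambda e: e.seq):
            if e.matches(proto, src, dst, dport):
                e.hits += 1
                return e.action
        return "deny"            # implicit "deny ip any any"

    def show(self):
        return [str(e) for e in sorted(self.entries.values(), key=lambda e: e.seq)]

def lab_acl():
    # First version of ACL ABC from the lab: R2 no Telnet, R1 no SSH.
    acl = NamedAcl("ABC")
    acl.add(10, "deny", "tcp", "10.1.1.2", "10.2.2.1", 23)
    acl.add(20, "deny", "tcp", "10.2.2.1", "10.2.2.1", 23)
    acl.add(30, "deny", "tcp", "10.1.1.1", "10.2.2.1", 22)
    acl.add(40, "permit", "ip", "any", "any")
    return acl
```

The changed requirement is reproduced by calling remove(10), remove(20), remove(30) and re-adding the three entries with the ports swapped; entry 40 keeps its place, as in the lab's second "show access-list" output.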
======================================================
Lab 3: Routing Protocol Authentication
Lab 3.1: RIPv2 [Clear-Text Authentication]
Enable RIPv2 between R1, R2 & R3.

R1:
key chain RIPkey
key 1
key-string cisco123
interface GigabitEthernet0/0
ip rip authentication key-chain RIPkey

R2:
key chain RIPkey
key 1
key-string cisco123
interface GigabitEthernet0/0
ip rip authentication key-chain RIPkey
interface GigabitEthernet0/1
ip rip authentication key-chain RIPkey

R3:
key chain RIPkey
key 1
key-string cisco123
interface GigabitEthernet0/0
ip rip authentication key-chain RIPkey

Verification: show ip route

Verification: debug ip rip
Example:
Oct 18:09:44.984: RIP: received packet with text authentication
cisco123

Lab 3.2: RIPv2 [MD5 Authentication]

R1, R2 & R3: In the specific interfaces: ip rip authentication mode md5

Verification: debug ip rip

Example:
Oct 8 18:54:31.388: RIP: received packet with MD5 authentication

Lab 3.3: Routing Protocol Authentication with OSPF [Plain-text
Authentication]:
Remove RIP from R1, R2 & R3 ["no router rip", and remove the RIP
authentication commands from the associated interfaces]
Enable OSPF in all three routers and verify by "show ip route".
In the specific interfaces:
(config-subif)#ip ospf authentication
(config-subif)#ip ospf authentication-key cisco123

OSPF neighborship will come up.

Verification: debug ip ospf packet
Output (example):
OSPF packet debugging is on
R1#
Oct 8 19:04:31.336: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:136.1.23.3
aid:0.0.0.0 chk:8C8B aut:1 auk: from GigabitEthernet0/0
Oct 8 19:04:40.540: OSPF-1 PAK : rcv. v:2 t:1 l:48 rid:136.1.23.3
aid:0.0.0.0 chk:8C8B aut:1 auk: from GigabitEthernet0/

In this case, the aut value of 1 indicates plain-text authentication, whereas
an aut value of 0 would indicate no authentication.

Lab 3.4: Routing Protocol Authentication with OSPF [Strong MD5
Authentication]:
Remove the configurations related to OSPF authentication from the specific
interfaces.
Then configure as follows:
(config-subif)#ip ospf authentication message-digest
(config-subif)#ip ospf message-digest-key 1 md5 cisco123

Verification: show ip route
Verification: show ip ospf neighbor
Verification: debug ip ospf packet
OSPF packet debugging is on
R2#
Oct 8 20:12:42.332: OSPF: rcv. v:2 t:1 l:48 rid:136.1.23.3 aid:0.0.0.0
chk:0 aut:2 keyid:1 seq:0x50EC6E88 from GigabitEthernet0/0
Oct 8 20:12:52.004: OSPF: rcv. v:2 t:1 l:48 rid:136.1.23.3 aid:0.0.0.0
chk:0 aut:2 keyid:1 seq:0x50EC6E91 from GigabitEthernet0/0
Oct 8 20:13:01.868: OSPF: rcv. v:2 t:1 l:48 rid:136.1.23.3 aid:0.0.0.0
chk:0 aut:2 keyid:1 seq:0x50EC6E9B from GigabitEthernet0/0
Oct 8 20:13:10.916: OSPF: rcv. v:2 t:1 l:48 rid:136.1.23.3 aid:0.0.0.0
chk:0 aut:2 keyid:1 seq:0x50EC6EA4 from GigabitEthernet0/0

In the above output you can now see the aut value set to 2 indicating
MD5 authentication, followed by the keyid of 1.
Take special note of this value as it will be important in the next step.
You can use different keys in between R1 & R2; and R2 & R3.

Lab 3.5: Routing Protocol Authentication with EIGRP

Remove OSPF from all three routers [no router ospf 1] along with the
authentication commands from the associated interfaces.
Implement EIGRP, and verify by "show ip route" and "show ip eigrp
neighbor".

Enable EIGRP Authentication:

key chain EIGRP
key 1
key-string cisco123key
end
conf t
interface GigabitEthernet0/0
ip authentication mode eigrp 100 md5
ip authentication key-chain eigrp 100 EIGRP
end

Verification:
R1#debug eigrp packet

Output (example):
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK,
STUB, SIAQUERY, SIAREPLY)
EIGRP Packet debugging is on
R1#
Feb 1 12:35:20.583: EIGRP: Sending HELLO on Gi0/0 - paklen 60
Feb 1 12:35:20.583: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
Feb 1 12:35:20.583: {type = 2, length = 40}
Feb 1 12:35:20.583: {vector = {
Feb 1 12:35:20.583: {00020010 00000001 00000000 00000000 00000000 E9DDCD9F F0D68CAF 5A4CEBD4}
Feb 1 12:35:20.583: {12C14427}
Feb 1 12:35:20.583: }
Feb 1 12:35:20.583: {type = 1, length = 12}
Feb 1 12:35:20.583: {vector = {
Feb 1 12:35:20.583: {01000100 0000000F}
Feb 1 12:35:20.583: }
Feb 1 12:35:20.583: {type = 4, length = 8}
Feb 1 12:35:20.583: {vector = {
Feb 1 12:35:20.583: {08000200}
Feb 1 12:35:20.583: }
Feb 1 12:35:21.535: EIGRP: received packet with MD5 authentication, key id = 1
Feb 1 12:35:21.535: EIGRP: Received HELLO on Gi0/0 - paklen 60 nbr 136.1.13.3
Feb 1 12:35:21.535: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
Feb 1 12:35:21.535: {type = 2, length = 40}
Feb 1 12:35:21.535: {vector = {
Feb 1 12:35:21.535: {00020010 00000001 00000000 00000000 00000000 63697363 6F313233 6B657900}
Feb 1 12:35:21.535: {00000000}
Feb 1 12:35:21.535: }
Feb 1 12:35:21.535: {type = 1, length = 12}
Feb 1 12:35:21.535: {vector = {
Feb 1 12:35:21.535: {01000100 0000000F}
Feb 1 12:35:21.539: }
Feb 1 12:35:21.539: {type = 4, length = 8}
Feb 1 12:35:21.539: {vector = {
Feb 1 12:35:21.539: {05020300}
Feb 1 12:35:21.539: }
Feb 1 12:35:24.947: EIGRP: Sending HELLO on Gi0/0 - paklen 60
Feb 1 12:35:24.947: AS 100, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
Feb 1 12:35:24.947: {type = 2, length = 40}
Feb 1 12:35:24.947: {vector = {
Feb 1 12:35:24.947: {00020010 00000001 00000000 00000000 00000000 E9DDCD9F F0D68CAF 5A4CEBD4}
Feb 1 12:35:24.947: {12C14427}
Feb 1 12:35:24.947: }
Feb 1 12:35:24.947: {type = 1, length = 12}
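As an added example (not part of the lab), a Python decoder for the {type = 2, length = 40} authentication TLV printed above, so the key id and the 16-byte MD5 field can be read out of the hex words instead of eyeballed. The hex words are copied from the lab's debug output; the field layout (auth type, auth length, key id, key sequence, padding, then the digest as the last auth-length bytes) is my reading of those bytes plus the EIGRP authentication TLV format, and the function names are mine.

```python
import struct

# Hex words copied from the lab's "debug eigrp packet" output: the HELLO that
# R1 sent, and the HELLO it received from neighbor 136.1.13.3.
SENT_AUTH_TLV = ("00020010 00000001 00000000 00000000 00000000 "
                 "E9DDCD9F F0D68CAF 5A4CEBD4 12C14427")
RECV_AUTH_TLV = ("00020010 00000001 00000000 00000000 00000000 "
                 "63697363 6F313233 6B657900 00000000")

AUTH_TYPES = {2: "MD5"}   # 2 is the only auth type the lab output shows

def decode_auth_tlv(words, tlv_length=40):
    """Decode the body of an EIGRP authentication TLV (the words after the
    4-byte TLV type/length header): auth type(2) auth length(2) key id(4)
    key sequence(4), padding, and the digest field as the last auth-length
    bytes."""
    body = bytes.fromhex(words.replace(" ", ""))
    if len(body) != tlv_length - 4:
        raise ValueError(f"expected {tlv_length - 4} body bytes, got {len(body)}")
    auth_type, auth_len, key_id, key_seq = struct.unpack("!HHII", body[:12])
    digest = body[-auth_len:]
    return {"auth_type": AUTH_TYPES.get(auth_type, f"unknown({auth_type})"),
            "auth_len": auth_len, "key_id": key_id, "key_seq": key_seq,
            "digest_hex": digest.hex()}

def digest_looks_like_key(digest_hex):
    """True when the digest field holds printable ASCII padded with NULs
    rather than hash output. For the lab's received HELLO it decodes to the
    configured key-string: keyed-MD5 verification copies the local key into
    the digest field before hashing, and IOS prints that buffer."""
    raw = bytes.fromhex(digest_hex).rstrip(b"\x00")
    return bool(raw) and all(32 <= b < 127 for b in raw)

def key_string_in_field(digest_hex):
    """Recover the ASCII key-string from a digest field that holds one."""
    return bytes.fromhex(digest_hex).rstrip(b"\x00").decode("ascii")
```

Running decode_auth_tlv on the sent HELLO gives key id 1 and the 16-byte digest E9DDCD9F...; on the received HELLO the same field decodes to "cisco123key", the key-string from the key chain, which is why a "debug eigrp packet" capture should be treated as sensitive as the running-config.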

Lab 3.6: Routing Protocol Authentication with BGP4

Remove EIGRP related commands.
Establish Routing between R1 & R3.
Configure BGP Peering on R1 and R3:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router bgp 65539
R1(config-router)#neigh 10.2.2.1 remote-as 65539
R1(config-router)#neigh 10.2.2.1 update-source loo0 [create loopback address 1.1.1.1]

R2>en
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router bgp 65539
R3(config-router)#neighbor 10.1.1.1 remote-as 65539
R3(config-router)#neigh 10.1.1.1 update-source loo0 [create loopback address 3.3.3.3]

Verification: show ip bgp summary [State will be 0]

BGP Authentication:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router bgp 65539
R1(config-router)#neighbor 10.2.2.1 password ciscoBGP

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router bgp 65539
R3(config-router)#neighbor 10.1.1.1 password ciscoBGP
R3(config-router)#end

Verification:
Now clear the BGP process to reset the neighbor and negotiate
authentication.
R3#clear ip bgp *
Feb 1 12:53:34.743: %BGP-5-ADJCHANGE: neighbor 10.1.1.1 Down User reset
Feb 1 12:53:34.743: %BGP_SESSION-5-ADJCHANGE: neighbor 10.1.1.1 IPv4 Unicast topology base removed from session User reset
Feb 1 12:53:35.663: %BGP-5-ADJCHANGE: neighbor 150.1.1.1 Up

As you can see, the neighbor came back up. Now let's verify that
authentication is in use.
R1#sh ip bgp neighbors | in BGP
BGP neighbor is 10.2.2.1, remote AS 65539, internal link
BGP version 4, remote router ID 10.2.2.1
BGP state = Established, up for 00:06:23
BGP table version 1, neighbor version 1/0
