
CCNA Security Commands

This document provides instructions for configuring AAA authentication, authorization, and accounting on a router. Some of the key steps include: - Configuring NTP to synchronize time and log timestamps - Creating local and remote users for authentication using the AAA protocol - Configuring authentication methods including TACACS+, RADIUS, and local database - Setting privilege levels and command authorization based on user roles - Enabling accounting and auditing of user activities - Restricting user access through views based on assigned roles

Uploaded by

Marcelo Nuñez

CCNA SECURITY COMMANDS

CONFIGURE R1 AS AN NTP CLIENT.
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 ciscontppa55
R1(config)# ntp trusted-key 1
R1(config)# ntp server 192.168.1.5 key 1

CONFIGURE THE ROUTERS TO UPDATE THEIR DATE AND TIME (HARDWARE CALENDAR) FROM NTP.
R1(config)# ntp update-calendar

CONFIGURE THE ROUTERS TO SHOW THE TIME IN THE LOGS.
R1(config)# service timestamps log datetime msec

CONFIGURE THE ROUTER TO GENERATE ACTIVITY LOGS.
Configure the router to generate system logging messages for both successful and failed
login attempts. The following commands log every successful login and log failed login attempts
after every second failed login.
R1(config)# login on-success log
R1(config)# login on-failure log every 2

CONFIGURE A ROUTER TO IDENTIFY THE REMOTE HOST THAT WILL RECEIVE THE LOGGING MESSAGES.
R1(config)# logging host (hostname | ip address)
R1(config)# logging trap informational (level)
R1(config)# logging source-interface (type and number)
R1(config)# logging on

CONFIGURE THE MINIMUM PASSWORD LENGTH ON A ROUTER.
R1(config)# security passwords min-length 10

CONFIGURE A ROUTER TO SUPPORT SSH CONNECTIONS.
Step 1. Configure a domain name.
R3(config)# ip domain-name ccnasecurity.com

Step 2. Create a user ID of SSHadmin with the highest possible privilege level and a secret
password of ciscosshpa55.
R3(config)# username SSHadmin privilege 15 secret ciscosshpa55

Step 3. Configure the incoming VTY lines on R3. Use the local user accounts for mandatory
login and validation. Accept only SSH connections.
R3(config)# line vty 0 4
R3(config-line)# login local
R3(config-line)# transport input ssh

Step 4. Erase existing key pairs on R3. Any existing RSA key pairs should be erased on the
router.
R3(config)# crypto key zeroize rsa

Step 5. Generate the RSA encryption key pair for R3.
R3(config)# crypto key generate rsa

CONFIGURE THE SSH TIMEOUT AND AUTHENTICATION PARAMETERS.
Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2.
R3(config)# ip ssh time-out 90
R3(config)# ip ssh authentication-retries 2
R3(config)# ip ssh version 2

CONNECT TO R3 USING SSH FROM PC-C.
When prompted for the password, enter the password configured for the administrator,
ciscosshpa55.
PC> ssh -l SSHadmin 192.168.3.1

CONNECT TO R3 USING SSH FROM R2 VIA SSH VERSION 2.
R2# ssh -v 2 -l SSHadmin 10.2.2.1
Password: ciscosshpa55

CONFIGURE A USER IN THE LOCAL DATABASE.
R3(config)# username Admin01 privilege 15 secret Admin01pass

CONFIGURE THE LOGIN BLOCK-FOR COMMAND.
To configure a 60-second login shutdown (quiet-mode timer) if two failed login attempts are
made within 30 seconds:
R1(config)# login block-for 60 attempts 2 within 30

CONFIGURE A LOCAL USER FOR AAA AUTHENTICATION
R3(config)# username JR-ADMIN secret Str0ngPa55w0rd
R3(config)# aaa new-model
R3(config)# aaa authentication login default local local-case enable

IMPLEMENT AAA SERVICES FOR CONSOLE ACCESS USING A LOCAL DATABASE
R3(config)# aaa authentication login default local none
R3(config)# line console 0
R3(config-line)# login authentication default

CREATE A PROFILE IN A LOCAL DATABASE WITH AAA AUTHENTICATION FOR TELNET USE.
R3(config)# aaa authentication login TELNET_LOGIN local-case
R3(config)# line vty 0 4
R3(config-line)# login authentication TELNET_LOGIN

CONFIGURE A ROUTER TO AUTHENTICATE AGAINST TACACS+, THEN RADIUS SERVERS, AND FINALLY A LOCAL DATABASE
R1(config)# aaa new-model
R1(config)# tacacs-server host 192.168.1.1 single-connection
R1(config)# tacacs-server key TACACSPa55W0rd
R1(config)# radius-server host 192.168.1.2
R1(config)# radius-server key RADIUS-Pa55W0rd
R1(config)# aaa authentication login default group tacacs+ group radius local-case
(defines the order of the sources used to authenticate: TACACS+, RADIUS, and FINALLY a user
from the local database)

CONFIGURE COMMAND AUTHORIZATION TYPES THROUGH AAA
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ngPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+

CONFIGURE AUDITING (ACCOUNTING) THROUGH AAA
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ngPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting network default start-stop group tacacs+

LOCK AN ACCOUNT AFTER A NUMBER OF FAILED ATTEMPTS
R3(config)# aaa local authentication attempts max-fail <number>

CREATE PRIVILEGE LEVELS
R1(config)# username USER privilege 1 secret cisco
R1(config)# privilege exec level 5 ping
R1(config)# enable secret level 5 cisco5
R1(config)# username SUPPORT privilege 5 secret cisco5
R1(config)# privilege exec level 10 reload
R1(config)# enable secret level 10 cisco10
R1(config)# username JR-ADMIN privilege 10 secret cisco10
R1(config)# username ADMIN privilege 15 secret cisco123

CONFIGURE ROLE-BASED VIEWS

ENABLE THE ROOT VIEW
R1(config)# aaa new-model
R1(config)# enable secret cisco12345
R1(config)# exit
R1# enable view
Password: cisco12345

R1(config)# parser view admin1
R1(config-view)# secret admin1pass
R1(config-view)# commands exec include all show
R1(config-view)# commands exec include all config terminal
R1(config-view)# commands exec include all debug
R1(config-view)# end

VERIFY THE ADMIN1 VIEW.
R1# enable view admin1
Password: admin1pass

Create a view called SHOWVIEW
Assign the password to the view
Allow this view to use all the EXEC commands that begin with show
R1(config)# aaa new-model
R1(config)# parser view SHOWVIEW
R1(config-view)# secret cisco
R1(config-view)# commands exec include show
R1(config-view)# end

Create a view called VERIFIEDVIEW
Assign the password to the view
Allow this view to use the ping command
R1(config)# aaa new-model
R1(config)# parser view VERIFIEDVIEW
R1(config-view)# secret cisco
R1(config-view)# commands exec include ping
R1(config-view)# end

Create a view called REBOOTVIEW
Assign the password to the view
Allow this view to use the reload command
R1(config)# aaa new-model
R1(config)# parser view REBOOTVIEW
R1(config-view)# secret cisco10
R1(config-view)# commands exec include reload
R1(config-view)# end

TO SECURE THE IOS IMAGE AND ENABLE CISCO IOS IMAGE RESILIENCE
R1(config)# secure boot-image

TO SECURE THE BOOT CONFIG
R1(config)# secure boot-config

CREATE ACLs

ACL EXAMPLES
permit udp any 192.168.1.0 0.0.0.255 eq domain   Allows any host to reach DNS
permit tcp any 192.168.1.0 0.0.0.255 eq smtp     Allows any host to reach SMTP
permit tcp any 192.168.1.0 0.0.0.255 eq ftp      Allows any host to reach FTP
deny tcp any host 192.168.1.3 eq 443             Denies any host access to HTTPS
permit tcp any host 192.168.3.3 eq 22            Allows any host to reach SSH
permit icmp any any echo-reply                   Allows echo replies to any host
permit icmp any any unreachable                  Allows destination unreachable to any host
deny icmp any any                                Denies any host ICMP
permit ip any any                                Allows any host anything else
ACL TO PERMIT THE PROTOCOLS FOR ESP (50), AH (51), ISAKMP (UDP PORT 500)

Create a NAMED EXTENDED ACL called ACL-1, applied inbound on interface Fa0/0, that denies
the workgroup server from leaving but allows the rest of the LAN users outside access using
the keyword established.
R1(config)# ip access-list extended ACL-1
R1(config-ext-nacl)# remark LAN ACL
R1(config-ext-nacl)# deny ip host 192.168.1.6 any
R1(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any established
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface fa0/0
R1(config-if)# ip access-group ACL-1 in
R1(config-if)# exit

Create a NAMED EXTENDED ACL called ACL-2, applied in the outbound direction on the DMZ
interface Fa0/1, to permit access to the specified Web and Email servers.
The log parameter can be appended to the end of an ACE statement.
permit tcp any host 192.168.2.6 eq 80 log

NUMBERED ACL
R1(config)# ip access-list extended 150
R1(config-ext-nacl)# permit tcp host 192.168.1.100 any eq telnet
R1(config-ext-nacl)# permit tcp any any eq www
R1(config-ext-nacl)# permit tcp any any eq telnet
R1(config-ext-nacl)# permit tcp any any eq smtp
R1(config-ext-nacl)# permit tcp any any eq pop3
R1(config-ext-nacl)# permit tcp any any eq 21
R1(config-ext-nacl)# permit tcp any any eq 20
R1# show access-list 150
Extended IP access list 150
10 permit tcp any any eq www
20 permit tcp any any eq telnet
30 permit tcp any any eq smtp
40 permit tcp any any eq pop3
50 permit tcp any any eq 21
60 permit tcp any any eq 20

COMPLEX ACLs

TCP Established ACLs
R1(config)# access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
R1(config)# access-list 100 deny ip any any
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 100 in

Reflexive ACLs
R1(config)# ip access-list extended INTERNAL_ACL
R1(config-ext-nacl)# permit tcp any any eq 80 reflect WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# permit udp any any eq 53 reflect DNS-ONLY-REFLEXIVE-ACL timeout 10
R1(config-ext-nacl)# exit
R1(config)# ip access-list extended EXTERNAL_ACL
R1(config-ext-nacl)# evaluate WEB-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# evaluate DNS-ONLY-REFLEXIVE-ACL
R1(config-ext-nacl)# deny ip any any
R1(config-ext-nacl)# exit
R1(config)# interface s0/0/0
R1(config-if)# ip access-group INTERNAL_ACL out
R1(config-if)# ip access-group EXTERNAL_ACL in
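The reflexive pair above is easiest to understand as a small state table: an outgoing flow that hits a reflect entry installs a mirrored temporary entry, and the evaluate lines on the inbound ACL admit only packets that match one of those entries before it times out. The same idea (return traffic admitted because the outbound session was seen) is what CBAC ip inspect and the zone-based inspect action do later on this sheet. The following Python model is an added example, not the lab's own code; the flows and addresses are constructed, the 300-second default is the ip reflexive-list timeout default, and the early removal of TCP entries on FIN/RST is not modelled.

```python
"""Stateful return-traffic model of the INTERNAL_ACL / EXTERNAL_ACL pair.
Added example, not the lab's own code: the flow records below are
constructed and only the reflect/evaluate behaviour is modelled
(IOS additionally closes a TCP entry early when it sees FIN/RST)."""


class ReflexiveFirewall:
    """INTERNAL_ACL applied out (permit ... reflect NAME [timeout T]) and
    EXTERNAL_ACL applied in (evaluate NAME ... ; deny ip any any)."""

    def __init__(self, reflect_rules, default_timeout=300):
        # reflect_rules: (proto, dport, reflexive-list name, timeout or None);
        # 300 s is the 'ip reflexive-list timeout' default when none is given
        self.rules = reflect_rules
        self.default_timeout = default_timeout
        self.state = {}   # (name, proto, src, sport, dst, dport) -> [expiry, timeout]

    def outbound(self, pkt, now):
        """Outgoing packet on the INTERNAL_ACL: permit and reflect, else deny."""
        for proto, dport, name, timeout in self.rules:
            if pkt["proto"] == proto and pkt["dport"] == dport:
                # Mirrored entry: the reply comes from dst:dport back to src:sport
                key = (name, proto, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
                idle = timeout or self.default_timeout
                self.state[key] = [now + idle, idle]
                return "permit"
        return "deny"   # implicit deny at the end of INTERNAL_ACL

    def inbound(self, pkt, now):
        """Incoming packet on the EXTERNAL_ACL: evaluate every reflexive list."""
        self.expire(now)
        for name in {rule[2] for rule in self.rules}:
            key = (name, pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if key in self.state:
                # Matching traffic refreshes the idle timer of the temporary entry
                self.state[key][0] = now + self.state[key][1]
                return "permit"
        return "deny"   # unsolicited traffic hits 'deny ip any any'

    def expire(self, now):
        """Remove temporary entries whose idle timeout has elapsed."""
        for key in [k for k, (expiry, _) in self.state.items() if expiry <= now]:
            del self.state[key]


# Constructed flows: inside host 192.168.1.10, outside DNS server 203.0.113.53
RULES = [("tcp", 80, "WEB-ONLY-REFLEXIVE-ACL", None),
         ("udp", 53, "DNS-ONLY-REFLEXIVE-ACL", 10)]
DNS_QUERY = {"proto": "udp", "src": "192.168.1.10", "sport": 40000,
             "dst": "203.0.113.53", "dport": 53}
DNS_REPLY = {"proto": "udp", "src": "203.0.113.53", "sport": 53,
             "dst": "192.168.1.10", "dport": 40000}
UNSOLICITED_WEB = {"proto": "tcp", "src": "203.0.113.9", "sport": 51000,
                   "dst": "192.168.1.10", "dport": 80}


def demo():
    """Verdicts in order: query out (t=0), reply in (t=5, refreshes the entry to t=15),
    reply after the 10 s idle timeout (t=15), unsolicited inbound web (t=16)."""
    fw = ReflexiveFirewall(RULES)
    return (fw.outbound(DNS_QUERY, now=0),
            fw.inbound(DNS_REPLY, now=5),
            fw.inbound(DNS_REPLY, now=15),
            fw.inbound(UNSOLICITED_WEB, now=16))


if __name__ == "__main__":
    print(demo())   # ('permit', 'permit', 'deny', 'deny')
```

An outbound SSH session (port 22) is denied by this model just as it is by the real INTERNAL_ACL, because only the two reflect entries permit anything; that is worth remembering when a reflexive ACL is introduced on a link that already carries other traffic.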

D'n$i! ACLs
R'(config)#  s"%n$" S0"n /$ss>o%0 !is!o
R'(config)#  $!!"ss-lis 151 /"%i !/ $n' 3os 15.2.2.2 " "ln"
R'(config)#  $!!"ss-lis 151 0'n$i! TESTLIST i"o 1 /"%i i/ 192.1<=.15.5 5.5.5.2
192.1<=.4.5 5.5.5.2
R'(config)#  in"%#$!" s551
R'(config-if)#  i/ $!!"ss-g%o/ 151 in
R'(config-if)#  "i
R'(config)#  lin" &' 5 6
R'(config-!ine)#  login lo!$l
R'(config-!ine)#  $o!o$n0 $!!"ss-"n$l" 3os i"o 1 J$i no #n!ion$ $l$0o% '
"s n !o$n0o o!loK

Time-based ACLs
R1(config)# time-range EMPLOYEE-TIME
R1(config-time-range)# periodic weekdays 12:00 to 13:00
R1(config-time-range)# periodic weekdays 17:00 to 19:00
R1(config-time-range)# exit
R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range EMPLOYEE-TIME
R1(config)# access-list 100 deny ip any any
R1(config)# interface FastEthernet 0/1
R1(config-if)# ip access-group 100 in
R1(config-if)# exit
MITIGATING ATTACKS WITH ACLS

Permit only ping from the 192.168.40.0 network and deny everything else

R1(config)# access-list 120 permit icmp any 192.168.20.0 0.0.0.255 echo
R1(config)# access-list 120 permit icmp any 192.168.20.0 0.0.0.255 echo-reply
R1(config)# access-list 120 deny ip any any

Do No Allo> A00%"ss"s o " S/oo#"0


A eny a!! ; packets containing the fo!!o%ing ; addresses in their source fie!d<
 B /ny !oca! host addresses (12C.&.&.&>)
 B /ny reserved private addresses (R7" 191)
 B /ny addresses in the ; mu!ticast address range (22=.&.&.&>=)
 B Inon0 on S555

R1(config)#  $!!"ss-lis 15 0"n' i/ 5.5.5.5 5.2.2.2 $n'


R1(config)#  $!!"ss-lis 15 0"n' i/ 15.5.5.5 5.2.2.2 $n'
R1(config)#  $!!"ss-lis 15 0"n' i/ 12.5.5.5 5.2.2.2 $n'
R1(config)#  $!!"ss-lis 15 0"n' i/ 12.1<.5.5 5.1.2.2 $n'
R1(config)#  $!!"ss-lis 15 0"n' i/ 192.1<=.5.5 5.5.2.2 $n'
R1(config)#  $!!"ss-lis 15 0"n' i/ 226.5.5.5 1.2.2.2 $n'
R1(config)#  $!!"ss-lis 15 0"n' i/ 3os 2.2.2.2 $n'

A o not a!!o% any outound ; packets %ith a source address other than a va!id ; address of
the interna! net%ork.
 B "reate an /" that permits on!y those packets that contain source addresses from
inside the net%ork and denies a!! others.
 B Inon0 on F$51
A R1J!on#igK $!!"ss-lis 15 /"%i i/ 192.1<=.1.5 5.5.5.2 $n'
Permit DNS, SMTP, and FTP
- DNS, SMTP, and FTP are common services that often must be allowed through a firewall.
  - Outbound on Fa0/0
R1(config)# access-list 180 permit udp any host 192.168.20.2 eq domain
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq smtp
R1(config)# access-list 180 permit tcp any host 192.168.20.2 eq ftp
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq telnet
R1(config)# access-list 180 permit tcp host 200.5.5.5 host 192.168.20.2 eq 22
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq syslog
R1(config)# access-list 180 permit udp host 200.5.5.5 host 192.168.20.2 eq snmptrap

Filter ICMP Messages

- Several inbound ICMP messages are required for proper network operation:
  - Echo reply - Allows internal users to ping external hosts.
  - Source quench - Requests the sender to decrease the traffic rate.
  - Unreachable - Unreachable messages are generated for packets that are
    administratively denied by an ACL.
  - Inbound on S0/0/0

R1(config)# access-list 150 permit icmp any any echo-reply
R1(config)# access-list 150 permit icmp any any source-quench
R1(config)# access-list 150 permit icmp any any unreachable
R1(config)# access-list 150 deny icmp any any
R1(config)# access-list 150 permit ip any any

- Several outbound ICMP messages are required for proper network operation:
  - Echo - Allows users to ping external hosts.
  - Parameter problem - Informs the host of packet header problems.
  - Packet too big - Required for packet MTU discovery.
  - Source quench - Throttles down traffic when necessary.
  - Inbound on Fa0/0

OBJECT GROUPS EXAMPLE

In this example topology, there are 3 servers, each requiring outside-to-inside access for
3 protocols. Without object groups, we have to configure a permit statement for each server, for
each protocol.
R1(config)# ip access-list extended In
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.1 eq https
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.2 eq https
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq smtp
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq www
R1(config-ext-nacl)# permit tcp any host 10.10.10.3 eq https

For the same topology, using object-group configuration, first create the service object for
the services.
R1(config)# object-group service Web-svcs tcp
R1(config-service-group)# tcp smtp
R1(config-service-group)# tcp www
R1(config-service-group)# tcp https

- Next, create the network object for the servers:
This example uses the range keyword; you can also use the host keyword or define a
subnet.
R1(config)# object-group network Webservers
R1(config-network-group)# range 10.10.10.1 10.10.10.3

CLASSIC FIREWALL CONFIGURATION

An administrator needs to permit inside users to initiate TCP, UDP, and ICMP traffic with all
external sources. Outside clients are allowed to communicate with the SMTP mail server
(209.165.201.2) and HTTP server (209.165.201.1) that are located in the enterprise demilitarized
zone (DMZ). It is also necessary to permit certain ICMP messages to all interfaces. All other traffic
from the external network is denied.

Step 1. Choose an interface, either internal or external.
Step 2. Configure IP ACLs at the interface.
Step 3. Define inspection rules.
Step 4. Apply an inspection rule to an interface.

Create an ACL that allows TCP, UDP, and ICMP sessions and denies all other traffic.
R1(config)# access-list 101 permit tcp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 permit udp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 permit icmp 10.10.10.0 0.0.0.255 any
R1(config)# access-list 101 deny ip any any

This ACL is applied to the internal interface in the inbound direction. The ACL processes traffic
initiating from the internal network prior to leaving the network.
R1(config)# interface Fa0/0
R1(config-if)# ip access-group 101 in

Next, create an extended ACL in which SMTP and HTTP traffic is permitted from the external
network to the DMZ network only, and all other traffic is denied.
R1(config)# access-list 102 permit tcp any 209.165.201.1 0.0.0.0 eq 80
R1(config)# access-list 102 permit tcp any 209.165.201.2 0.0.0.0 eq smtp
R1(config)# access-list 102 permit icmp any any echo-reply
R1(config)# access-list 102 permit icmp any any unreachable
R1(config)# access-list 102 permit icmp any any administratively-prohibited
R1(config)# access-list 102 permit icmp any any packet-too-big
R1(config)# access-list 102 permit icmp any any echo
R1(config)# access-list 102 permit icmp any any time-exceeded
R1(config)# access-list 102 deny ip any any

This ACL is applied to the interface connecting to the external network in the inbound direction.
R1(config)# interface S0/0/0
R1(config-if)# ip access-group 102 in

Next, create inspection rules for TCP inspection and UDP inspection.
R1(config)# ip inspect name MYSITE tcp
R1(config)# ip inspect name MYSITE udp

These inspection rules are applied to the internal interface in the inbound direction.
R1(config)# interface Fa0/0
R1(config-if)# ip inspect MYSITE in

CONFIGURING CONTEXT-BASED ACCESS CONTROL (CBAC)

1.- Configure a named IP ACL on R3 to block all traffic originating from the outside network.
Use the ip access-list extended command to create a named IP ACL.
R3(config)# ip access-list extended OUT-IN
R3(config-ext-nacl)# deny ip any any
R3(config-ext-nacl)# exit

2.- Apply the ACL to interface Serial 0/0/1.
R3(config)# interface s0/0/1
R3(config-if)# ip access-group OUT-IN in

3.- Confirm that traffic entering interface Serial 0/0/1 is dropped.
From the PC-C command prompt, ping the PC-A server. The ICMP echo replies are blocked
by the ACL.

4.- Create a CBAC Inspection Rule
Create an inspection rule to inspect ICMP, Telnet, and HTTP traffic.
R3(config)# ip inspect name IN-OUT-IN icmp
R3(config)# ip inspect name IN-OUT-IN telnet
R3(config)# ip inspect name IN-OUT-IN http

5.- Turn on time-stamped logging and CBAC audit trail messages.
Use the ip inspect audit-trail command to turn on CBAC audit messages to provide a
record of network access through the firewall, including illegitimate access attempts. Enable logging
to the syslog server, 192.168.1.3, with the logging host command. Make sure that logged
messages are timestamped.
R3(config)# ip inspect audit-trail
R3(config)# service timestamps debug datetime msec
R3(config)# logging host 192.168.1.3

6.- Apply the inspection rule to egress traffic on interface S0/0/1.
R3(config-if)# ip inspect IN-OUT-IN out

7.- Verify that audit trail messages are being logged on the syslog server.
From PC-C, test connectivity to PC-A with ping, Telnet, and HTTP. Ping and HTTP should be
successful. Note that PC-A will reject the Telnet session.
From PC-A, test connectivity to PC-C with ping and Telnet. All should be blocked.
Review the syslog messages on server PC-A: click the Config tab and then click the SYSLOG
option.

8.- Verify Firewall Functionality
Open a Telnet session from PC-C to R2. The Telnet should succeed. While the Telnet session is
active, issue the command show ip inspect sessions on R3. This command displays the existing
sessions that are currently being tracked and inspected by CBAC.

R3# show ip inspect sessions
R3# show ip inspect interfaces
R3# show ip inspect config
R3# debug ip inspect detailed
STEPS FOR CONFIGURING ZONE-BASED POLICY FIREWALLS WITH CLI

Step 1. Create the firewall zones with the zone security command.
R3(config)# zone security IN-ZONE
R3(config-sec-zone)# description Inside Network
R3(config)# zone security OUT-ZONE
R3(config-sec-zone)# description Outside Network

Step 2. Create an ACL that defines the internal traffic. Use the access-list command to create
extended ACL 101 to permit all IP traffic from the 192.168.3.0/24 network to any
destination.
R3(config)# access-list 101 permit ip 192.168.3.0 0.0.0.255 any

Step 3. Define the traffic that will be subject to the firewall rules with the class-map type
inspect command. (Here an ACL was used.)
R3(config)# class-map type inspect match-all IN-NET-CLASS-MAP   (name of the class-map)
R3(config-cmap)# match access-group 101
R3(config-cmap)# exit

Step 4. Create a policy-map to determine what will be done when traffic matches the ACL,
using the policy-map type inspect command.
R3(config)# policy-map type inspect IN-2-OUT-PMAP   (name of the policy-map)
R3(config-pmap)# class type inspect IN-NET-CLASS-MAP   (name of the class-map)
R3(config-pmap-c)# inspect   (the traffic will be inspected)

Step 5. Create the internal-versus-external zone pair (source and destination zones) using the
zone-pair security command and naming the zones.
R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE

Step 6. Specify the policy map to handle the traffic between the zone pair. Assign the policy-
map and its associated action (inspect) to the zone pair, using the service-policy type
inspect command and referencing the previously created policy map, IN-2-OUT-PMAP.
R3(config-sec-zone-pair)# service-policy type inspect IN-2-OUT-PMAP
R3(config-sec-zone-pair)# exit

Step 7. Assign the router interfaces to the internal or external zone using the zone-member
security command.
R3(config)# interface fa0/1
R3(config-if)# zone-member security IN-ZONE
R3(config-if)# exit
R3(config)# interface s0/0/1
R3(config-if)# zone-member security OUT-ZONE
R3(config-if)# exit

ZPF SUMMARY

enable
configure terminal
hostname R3
zone security IN-ZONE
zone security OUT-ZONE
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
class-map type inspect match-all IN-NET-CLASS-MAP
match access-group 101
exit
policy-map type inspect IN-2-OUT-PMAP
class type inspect IN-NET-CLASS-MAP
inspect
exit
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
service-policy type inspect IN-2-OUT-PMAP
exit
interface fa0/1
zone-member security IN-ZONE
exit
interface s0/0/1
zone-member security OUT-ZONE
exit

ZBF PRACTICAL EXAMPLE

1 CREATE THE ZONES
zone security NETWORK
zone security INTERNET
zone security DMZ

2 CLASSIFY TRAFFIC USING CLASS MAPS.
class-map type inspect match-any NETtoOUT
 match protocol http
 match protocol smtp
 match protocol pop3
 match protocol icmp

class-map type inspect match-any NETtoDMZ
 match protocol http
 match protocol dns
 match protocol tftp
 match protocol icmp
 match access-group name DHCP

ip access-list extended DHCP
 permit udp any any eq bootps
 permit udp any any eq bootpc

3 DEFINE THE POLICY-MAPS AND THE ACTION TO TAKE.
policy-map type inspect NETWORKtoOUTSIDE
 class type inspect NETtoOUT
  inspect
policy-map type inspect OUTSIDEtoNETWORK
 class type inspect OUTtoNET
  drop
policy-map type inspect NETWORKtoDMZ
 class type inspect NETtoDMZ
  inspect
policy-map type inspect DMZtoNETWORK
 class type inspect DMZtoNET
  inspect
policy-map type inspect OUTSIDEtoDMZ
 class type inspect OUTtoDMZ
  inspect
policy-map type inspect DMZtoOUTSIDE
 class type inspect DMZtoOUT
  inspect

4 CREATE THE ZONE PAIRS, WHICH ARE WHERE THE POLICY IS APPLIED BETWEEN ZONES.
zone-pair security NETtoOUT source NETWORK destination INTERNET
 service-policy type inspect NETWORKtoOUTSIDE

5 MAKE THE FW INTERFACES MEMBERS OF A ZONE.
FW(config)# int serial 0/0/0
FW(config-if)# zone-member security INTERNET
FW(config-if)# exit
FW(config)# int fa0/1
FW(config-if)# zone-member security DMZ
FW(config-if)# exit
FW(config)# int fa0/0
FW(config-if)# zone-member security NETWORK
FW(config-if)# exit

CONFIGURE IOS INTRUSION PREVENTION SYSTEM (IPS) USING CLI

1.- CREATE AN IOS IPS CONFIGURATION DIRECTORY IN FLASH.
On R1, create a directory in flash using the mkdir command. Name the directory ipsdir.
R1# mkdir ipsdir
Create directory filename [ipsdir]? <Enter>
Created dir flash:ipsdir

2.- CONFIGURE THE IPS SIGNATURE STORAGE LOCATION.
On R1, configure the IPS signature storage location to be the directory you just created.
R1(config)# ip ips config location flash:ipsdir

3.- CREATE AN IPS RULE.
On R1, create an IPS rule name using the ip ips name name command in global configuration
mode. Name the IPS rule iosips.
R1(config)# ip ips name iosips

4.- ENABLE LOGGING.
IOS IPS supports the use of syslog to send event notification. Syslog notification is enabled
by default. If logging console is enabled, you see IPS syslog messages.
Enable syslog if it is not enabled.
R1(config)# ip ips notify log

Use the clock set command from privileged EXEC mode to reset the clock if necessary.
R1# clock set 01:20:00 6 January 2009

Enable the timestamp service if it is not enabled.
R1(config)# service timestamps log datetime msec

Send log messages to the syslog server at IP address 192.168.1.50.
R1(config)# logging host 192.168.1.50

5.- CONFIGURE IOS IPS TO USE THE SIGNATURE CATEGORIES.
Retire the all signature category with the retired true command (all signatures within the
signature release). Unretire the IOS_IPS Basic category with the retired false command.
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Enter>

6.- APPLY THE IPS RULE TO AN INTERFACE.
Apply the IPS rule to an interface with the ip ips name direction command in interface
configuration mode. Apply the rule outbound on the Fa0/0 interface of R1. After you enable IPS,
some log messages will be sent to the console line indicating that the IPS engines are being
initialized.
Note: The direction in means that IPS inspects only traffic going into the interface. Similarly, out
means only traffic going out of the interface.
R1(config)# interface fa0/0
R1(config-if)# ip ips iosips out

7.- MODIFY THE SIGNATURE. CHANGE THE EVENT-ACTION OF A SIGNATURE.
Un-retire the echo request signature (signature 2004, subsig ID 0), enable it, and change the
signature action to alert and drop.
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] <Enter>

8.- USE SHOW COMMANDS TO VERIFY IPS.
Use the show ip ips all command to see an IPS configuration status summary.

LAYER 2 SECURITY
1.- CONFIGURE ROOT BRIDGE

Assign Central as the primary root bridge.
Central(config)# spanning-tree vlan 1 root primary

Assign SW-1 as a secondary root bridge.
SW-1(config)# spanning-tree vlan 1 root secondary

2.- PROTECT AGAINST STP ATTACKS
SW-A(config)# interface range fastethernet 0/1 - 4
SW-A(config-if-range)# spanning-tree portfast

3.- ENABLE BPDU GUARD ON ALL ACCESS PORTS.
BPDU guard is a feature that can help prevent rogue switches and spoofing on access ports.
SW-A(config)# interface range fastethernet 0/1 - 4
SW-A(config-if-range)# spanning-tree bpduguard enable

4.- ENABLE ROOT GUARD ON ALL TRUNK PORTS.
SW-1(config)# interface fa0/24
SW-1(config-if)# spanning-tree guard root

5.- ENABLE STORM CONTROL FOR BROADCASTS.
Enable storm control for broadcasts on all ports connecting switches (trunk ports). Set a 50
percent rising suppression level using the storm-control broadcast command.
SW-1(config)# interface gi1/1
SW-1(config-if)# storm-control broadcast level 50

6.- ENABLE TRUNKING INCLUDING ALL TRUNK SECURITY MECHANISMS ON THE TRUNK LINK.
Set the port to trunk, assign native VLAN 15 to the trunk port, and disable auto-negotiation.
SW-1(config)# interface fa0/23
SW-1(config-if)# no shutdown
SW-1(config-if)# switchport mode trunk
SW-1(config-if)# switchport trunk native vlan 15
SW-1(config-if)# switchport nonegotiate   (as agreed in the meeting)

CONFIGURE AND VERIFY A SITE-TO-SITE IPSEC VPN USING CLI

Parameter                  Options                       R1               R3
Key distribution method    Manual or ISAKMP              ISAKMP           ISAKMP
Encryption algorithm       DES, 3DES, or AES             AES              AES
Hash algorithm             MD5 or SHA1                   SHA1             SHA1
Authentication method      Pre-shared keys or RSA        pre-share        pre-share
Key exchange               DH Group 1, 2, or 5           DH 2             DH 2
IKE SA lifetime            86400 seconds or less         86400            86400
ISAKMP key                                               vpnpa55          vpnpa55
Transform set                                            VPN-SET          VPN-SET
Peer hostname                                            R3               R1
Peer IP address                                          10.2.2.2         10.1.1.2
Network to be encrypted                                  192.168.1.0/24   192.168.3.0/24
Crypto map name                                          VPN-MAP          VPN-MAP
SA establishment                                         ipsec-isakmp     ipsec-isakmp

CONFIGURE IPSEC PARAMETERS ON R1

1.- IDENTIFY INTERESTING TRAFFIC ON R1.

Configure ACL 110 to identify the traffic from the LAN on R1 to the LAN on R3 as interesting.
Remember that due to the implicit deny all, there is no need to configure a deny any any
statement.
R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

2.- CONFIGURE THE ISAKMP PHASE 1 PROPERTIES ON R1.

Configure the crypto ISAKMP policy 10 properties on R1 along with the shared crypto key
vpnpa55. Refer to the ISAKMP Phase 1 table for the specific parameters to configure. Default
values (SHA1 hash, 86400 second lifetime) do not have to be configured; therefore only the
encryption, authentication method, and DH group must be configured. The pre-shared key is bound
to the peer's address, so a mismatched key or address shows up as a Phase 1 failure.
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)# crypto isakmp key vpnpa55 address 10.2.2.2

3.- CONFIGURE THE ISAKMP PHASE 2 PROPERTIES ON R1.

Create the transform-set VPN-SET to use esp-3des and esp-sha-hmac. Then create the
crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use sequence number 10
and identify it as an ipsec-isakmp map.
R1(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to R3
R1(config-crypto-map)# set peer 10.2.2.2
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit

4.- CONFIGURE THE CRYPTO MAP ON THE OUTGOING INTERFACE.

Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface.
R1(config)# interface S0/0/0
R1(config-if)# crypto map VPN-MAP

CONFIGURE IPSEC PARAMETERS ON R3

1.- CONFIGURE ROUTER R3 TO SUPPORT A SITE-TO-SITE VPN WITH R1.

Now configure the reciprocating parameters on R3. Configure ACL 110 identifying the traffic from
the LAN on R3 to the LAN on R1 as interesting. It must be the exact mirror image of the ACL on
R1; otherwise the proxy identities do not match and Phase 2 fails.
R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

2.- CONFIGURE THE ISAKMP PHASE 1 PROPERTIES ON R3.

Configure the crypto ISAKMP policy 10 properties on R3 along with the shared crypto key
vpnpa55.
R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# exit
R3(config)# crypto isakmp key vpnpa55 address 10.1.1.2
3.- CONFIGURE THE ISAKMP PHASE 2 PROPERTIES ON R3.

Like you did on R1, create the transform-set VPN-SET to use esp-3des and esp-sha-hmac.
Then create the crypto map VPN-MAP that binds all of the Phase 2 parameters together. Use
sequence number 10 and identify it as an ipsec-isakmp map.
R3(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R3(config)# crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)# description VPN connection to R1
R3(config-crypto-map)# set peer 10.1.1.2
R3(config-crypto-map)# set transform-set VPN-SET
R3(config-crypto-map)# match address 110
R3(config-crypto-map)# exit

4.- CONFIGURE THE CRYPTO MAP ON THE OUTGOING INTERFACE.

Finally, bind the VPN-MAP crypto map to the outgoing Serial 0/0/1 interface. Note: this is not
graded.
R3(config)# interface S0/0/1
R3(config-if)# crypto map VPN-MAP

5.- VERIFY THE IPSEC VPN

Verify the tunnel prior to interesting traffic. Issue the show crypto ipsec sa command on
R1. Notice that the number of packets encapsulated, encrypted, decapsulated and decrypted are
all set to 0. The SAs are only negotiated once traffic matching ACL 110 leaves the interface;
after sending such traffic, re-issue the command and confirm that the counters increase and
that show crypto isakmp sa lists the peer in state QM_IDLE.
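Most site-to-site failures in this lab come from the two sides not mirroring each other (a typo in the key, a different DH group, a crypto ACL that is not the exact reverse). The script below is an added example, not part of the cheat sheet: it parses the R1 and R3 command sets from above (embedded as constructed config strings), fills in the IOS ISAKMP defaults for anything not typed, and reports every mismatch that would stop the peers from building SAs. It only understands the handful of commands used on this page.

```python
"""Mirror check for a site-to-site IPsec configuration (added example; not part of the
cheat sheet). The two config strings are constructed from the R1/R3 commands above, so the
parser only understands the IOS commands that appear there."""
import re

# IOS defaults for an ISAKMP policy: anything not typed on the router takes these values.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

R1_CONFIG = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
exit
crypto isakmp key vpnpa55 address 10.2.2.2
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to R3
 set peer 10.2.2.2
 set transform-set VPN-SET
 match address 110
exit
"""

R3_CONFIG = """
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
exit
crypto isakmp key vpnpa55 address 10.1.1.2
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to R1
 set peer 10.1.1.2
 set transform-set VPN-SET
 match address 110
exit
"""


def parse_vpn(config):
    """Pull the crypto ACL, ISAKMP policy, PSK, transform set and crypto map out of a config."""
    info = {"acl": {}, "isakmp": {}, "keys": {}, "transform": {}, "map": {}}
    ctx = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "exit":
            ctx = None
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            info["acl"].setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := re.match(r"crypto isakmp policy (\d+)$", line):
            ctx = ("isakmp", m.group(1))
            info["isakmp"][m.group(1)] = dict(ISAKMP_DEFAULTS)
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            info["keys"][m.group(2)] = m.group(1)      # keyed by the peer's address
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            info["transform"][m.group(1)] = sorted(m.group(2).split())
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            ctx = ("map", m.group(1))
            info["map"][m.group(1)] = {"seq": m.group(2)}
        elif ctx and ctx[0] == "isakmp":
            attr, _, value = line.partition(" ")        # e.g. "group 2"
            info["isakmp"][ctx[1]][attr] = value
        elif ctx and ctx[0] == "map":
            if m := re.match(r"set peer (\S+)$", line):
                info["map"][ctx[1]]["peer"] = m.group(1)
            elif m := re.match(r"set transform-set (\S+)$", line):
                info["map"][ctx[1]]["transform"] = m.group(1)
            elif m := re.match(r"match address (\d+)$", line):
                info["map"][ctx[1]]["acl"] = m.group(1)
    return info


def mirror_problems(a, b):
    """Return the mismatches that would stop the two peers from building SAs (empty = OK)."""
    problems = []
    [map_a] = a["map"].values()
    [map_b] = b["map"].values()
    [pol_a] = a["isakmp"].values()
    [pol_b] = b["isakmp"].values()
    # Phase 1: every attribute must agree once the IOS defaults are filled in.
    for attr in ISAKMP_DEFAULTS:
        if pol_a[attr] != pol_b[attr]:
            problems.append(f"isakmp {attr}: {pol_a[attr]} vs {pol_b[attr]}")
    # The PSK on each side is bound to the other side's address and must be the same secret.
    key_a, key_b = a["keys"].get(map_a["peer"]), b["keys"].get(map_b["peer"])
    if key_a is None or key_b is None:
        problems.append("isakmp key missing for the configured peer")
    elif key_a != key_b:
        problems.append("pre-shared keys differ")
    # Phase 2: identical proposal on both sides.
    if a["transform"][map_a["transform"]] != b["transform"][map_b["transform"]]:
        problems.append("transform sets differ")
    # Crypto ACLs must be exact mirrors, or the proxy identities will not match.
    mirrored_b = {(dst, dw, src, sw) for (src, sw, dst, dw) in b["acl"][map_b["acl"]]}
    if set(a["acl"][map_a["acl"]]) != mirrored_b:
        problems.append("crypto ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    issues = mirror_problems(parse_vpn(R1_CONFIG), parse_vpn(R3_CONFIG))
    print("consistent" if not issues else "\n".join(issues))
```

Run it against the two configs as written and it reports them consistent; change `group 2` to `group 5` on one side, or alter one address in the R3 ACL, and the corresponding mismatch is printed. Pasting the real `show running-config` output of both routers in place of the constructed strings works as long as only these commands are present.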

INSTRUCTOR'S ASSIGNMENT

1. Define the zones as indicated in the topology.
zone security DMZ
zone security INSIDE
zone security OUTSIDE

2. S" 0"" /"%ii% %#i!o /$%$ " "l Ro"% R6 /"0$ $"ni#i!$%s" $ %$&s 0" R$0is "n "l
s"%&i0o% ,inR$0is JPC2K
c!ass-map type inspect match-any ":OE$O$EO8
 match protoco! radius

po!icy-map type inspect ;:OE$O$EO8


 c!ass type inspect ":OE$O$EO8
  inspect

one-pair security @;OE$O$EO8 source E$*0 destination 8*0


 service-po!icy type inspect ;:OE$O$EO8

4. El %$#i!o 0"s0" "l PC6 3$!i$ los s"%&i0o%"s ,E) ' FTP JPC4K 0"" s"% /"%ii0o.
c!ass-map type inspect match-any ":OE$O$EO:@
 match protoco! http
 match protoco! ftp
po!icy-map type inspect ;:OE$O$EO:@
 c!ass type inspect ":OE$O$EO:@
  inspect

one-pair security @;OE$O$EO:@ source E$*0 destination :@


 service-po!icy type inspect ;:OE$O$EO:@

4. The internal network must also be able to reach the Web server (PC3); FTP is not permitted
for this network. FTP needs no explicit drop: anything the policy does not match falls into the
implicit class-default of the zone pair, which drops it.
class-map type inspect match-any CM_IN_TO_DMZ
 match protocol http
policy-map type inspect PM_IN_TO_DMZ
 class type inspect CM_IN_TO_DMZ
  inspect
zone-pair security ZP_IN_TO_DMZ source INSIDE destination DMZ
 service-policy type inspect PM_IN_TO_DMZ

5. The ACS server must be able to ping router R4 (loopback) and the 10.5.40.0/24 network
(no state table is to be generated, so the action is pass rather than inspect). Because pass is
stateless, the echo replies need their own pass class in the opposite direction. CM_IN_TO_OUT,
referenced below, is the class-map defined in item 6; IOS rejects the class line if that
class-map does not exist yet.
access-list 100 permit ip host 10.5.20.10 any
class-map type inspect match-all CM_ACS
 match protocol icmp
 match access-group 100
policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_IN_TO_OUT
  inspect
 class type inspect CM_ACS
  pass
zone-pair security ZP_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT

access-list 101 permit ip any host 10.5.20.10
class-map type inspect match-all CM_ACS_R
 match access-group 101
 match protocol icmp
policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_OUT_TO_IN
  inspect
 class type inspect CM_ACS_R
  pass
zone-pair security ZP_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_TO_IN

<. Los s$%ios 0" l$ %"0 In"%n$ s" l"s /"%i" n$&"g$% "n In"%n" Jsolo HTTP ' DNSK
c!ass-map type inspect match-any ":O8O$EOE$
 match protoco! http
 match protoco! dns

po!icy-map type inspect ;:O8O$EOE$


 !l$ss '/" ins/"! CMBINBTOBOUT
  ins/"!
 c!ass type inspect ":O/"*
  pass

one-pair security @;O8O$EOE$ source 8*0 destination E$*0


 service-po!icy type inspect ;:O8O$EOE$

. El F, 0"" "n"% los /"%isos /$%$ /o0"% %"$li8$% T"ln" ' SSH 3$!i$ "l Ro"% R1 ' R2 JIn"%#$!"s
loo/$!7sK $0"s 0" /"%ii% "l "n&o 0" los Logs 3$!i$ "l s"%&i0o% s'slog JPC1K ; No "s
/"%ii0o ili8$% l$s /oli!$s /o% 0"#"!o 0"l Fi%">$ll.
access-!ist 1&2 permit tcp host 1&.6.2'.' any e te!net
access-!ist 1&2 permit tcp host 1&.6.1'.' any e te!net
access-!ist 1&2 permit tcp host 1&.6.1'.' any e 22
access-!ist 1&2 permit tcp host 1&.6.2'.' any e 22
access-!ist 1&2 permit tcp host 1&.6.1'.' any e sys!og
access-!ist 1&2 permit tcp host 1&.6.2'.' any e sys!og
c!ass-map type inspect match-any ":O*07O$EO8
 match access-group 1&2

po!icy-map type inspect ;:O*07O$EO8


 c!ass type inspect ":O*07O$EO8
  inspect

one-pair security @;O*07O$EO8 source se!f destination 8*0


 service-po!icy type inspect ;:O*07O$EO8

8. PC2 must be able to manage the FW device through CCP (enable whatever is needed to meet this
requirement). The policy below only opens HTTP/HTTPS from PC2 to the FW's own addresses; CCP
additionally needs the router's HTTP/HTTPS server and a privilege 15 user, which sit outside
the zone-based policy.
access-list 103 permit tcp host 10.5.20.10 host 10.5.23.3 eq www
access-list 103 permit tcp host 10.5.20.10 host 10.5.23.3 eq 443
access-list 103 permit tcp host 10.5.20.10 host 10.5.13.3 eq 443
access-list 103 permit tcp host 10.5.20.10 host 10.5.13.3 eq www
class-map type inspect match-any CM_IN_TO_SELF
 match access-group 103
policy-map type inspect PM_IN_TO_SELF
 class type inspect CM_IN_TO_SELF
  inspect
zone-pair security ZP_IN_TO_SELF source INSIDE destination self
 service-policy type inspect PM_IN_TO_SELF

9. El !li"n" PC6 0"" "n"% los /"%isos s#i!i"n"s /$%$ "s$l"!"% n$ s"sin VPN 3$!i$ "l Ro"% 
R1 /$%$ "s" "s n"!"s$%io " "l F, g"n"%" n$ $l$ 0" "s$0$ /$%$ los /%oo!olos ESP ' AH.
access-!ist 1&= permit ahp host 1&.6.=&.1& host 1&.6.1'.1
access-!ist 1&= permit esp host 1&.6.=&.1& host 1&.6.1'.1
access-!ist 1&= permit udp host 1&.6.=&.1& host 1&.6.1'.1 e isakmp
c!ass-map type inspect match-any ":O,;8
 match access-group 1&=

po!icy-map type inspect ;:OE$O$EO8


 c!ass type inspect ":OE$O$EO8
  inspect
 c!ass type inspect ":O/"*OR
  pass
 c!ass type inspect ":O,;8
  inspect

one-pair security @;OE$O$EO8 source E$*0 destination 8*0


 service-po!icy type inspect ;:OE$O$EO8

10. All EIGRP sessions must be maintained between the FW and routers R1 and R2, and between the
FW and router R4.
