13-F - W Config, VPN Config, IOS IPS Configuration, Hardware F - w-14-03-2024

The document describes configuring an IPS rule and signatures on a Cisco router to scan traffic entering a network. It also covers modifying a signature to change its action and verifying that IPS is working properly.

Uploaded by Mukund Keshan

Assessment -4

(Cisco Packet Tracer - Task 1)


Enable IOS Intrusion Prevention System

1. Create the network topology

The task is to enable IPS on Router0 to scan traffic entering the 192.168.1.0 network.

2. Configure the PCs and Routers with IPv4 address and Subnet Mask according to the table:

Device     IP             Mask
PC0        192.168.1.2    255.255.255.0
PC1        192.168.3.2    255.255.255.0
Router 0   192.168.1.1    255.255.255.0
           10.1.1.1       255.255.255.252
Router 1   192.168.3.1    255.255.255.0
           10.2.2.1       255.255.255.252
Router 2   10.1.1.2       255.255.255.252
           10.2.2.2       255.255.255.252
Server     192.168.1.3    255.255.255.0

SS-1: Paste the working network setup.


Configure static routing in the Routers as follows:
Router 0:
Router(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2

Router 1:
Router(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2

Router 2:
Router(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
Router(config)#ip route 192.168.3.0 255.255.255.0 10.2.2.1
Part 1: Enable IOS IPS
Within Packet Tracer, the routers already have the signature files imported and in place. They are
the default XML files in flash. For this reason, it is not necessary to configure the public crypto key
and complete a manual import of the signature files.

Step 1: Enable the Security Technology package.


Router(config)# license boot module c1900 technology-package securityk9


Router(config)#do reload

Step 2: Verify network connectivity.


a. Ping from PC-0 to PC-1.
b. Ping from PC-1 to PC-0.

SS-2: Paste the output of these commands.

Step 3: Create an IOS IPS configuration directory.


Router#mkdir iostest

Step 4: Store the IPS signature files in the above directory


Router#config t
Router(config)#ip ips config location iostest

Step 5: Create an IPS rule


On Router 0, create an IPS rule name using the ip ips name name command in global configuration
mode. Name the IPS rule iosexecute.

Router(config)#ip ips name iosexecute

Step 6: Configure IOS IPS to use the signature categories.


• Retiring a signature means IOS IPS will NOT compile that signature into memory for scanning.
• Unretiring a signature instructs IOS IPS to compile the signature into memory and use the
signature to scan traffic.
• Retire the all signature category with the retired true command (all signatures within the
signature release).
• Unretire the IOS_IPS Basic category with the retired false command.

Router(config)#ip ips signature-category


Router(config-ips-category)#category all
Router(config-ips-category-action)#retired true
Router(config-ips-category-action)#exit
Router(config-ips-category)#category ios_ips basic
Router(config-ips-category-action)#retired false
Router(config-ips-category-action)#exit
Router(config-ips-category)#exit
Do you want to accept these changes? [confirm]
Step 7: Apply the IPS rule to an interface.
Apply the IPS rule to an interface with the ip ips name direction command in interface configuration
mode.
Apply the rule outbound on the G0/0 interface of Router 0.
Note: The direction in means that IPS inspects only traffic going into the interface. Similarly, out
means that IPS inspects only traffic going out of the interface.

Router(config)#int g0/0
Router(config-if)#ip ips iosexecute out
Router(config-if)#exit
Router(config)#logging host 192.168.1.3
(192.168.1.3 is the server address in the design)
Router(config)#service timestamps log datetime msec

Part 2: Modify the signature


Step 1: Change the event-action of a signature

Unretire the echo request signature (signature 2004, subsig ID 0), enable it, and change the signature
action to alert and drop.

Router(config)#ip ips signature-definition


Router(config-sigdef)#signature 2004 0
Router(config-sigdef-sig)#status
Router(config-sigdef-sig-status)#retired false
Router(config-sigdef-sig-status)#enabled true
Router(config-sigdef-sig-status)#exit
Router(config-sigdef-sig)#engine
Router(config-sigdef-sig-engine)#event-action produce-alert
Router(config-sigdef-sig-engine)#event-action deny-packet-inline
Router(config-sigdef-sig-engine)#exit
Router(config-sigdef-sig)#exit
Router(config-sigdef)#exit

Step 2: Use show commands to verify IPS


Router(config)#do show ip ips all

Q1. To which interfaces and in which direction is the ios_ips rule applied?

Step 3: Verify that IPS is working properly.


a. From PC-C, attempt to ping PC-A.
b. From PC-A, attempt to ping PC-C.

Q2. Were the pings successful? Why or why not?
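As an added example (not part of the assignment or of Cisco's tooling), the following Python script parses the syslog messages that Router 0 sends to the server at 192.168.1.3 once the logging host is set and signature 2004 has been unretired with produce-alert, and counts the echo-request alerts per signature and per source against the protected 192.168.1.0/24 network. The log lines are constructed for this example, and parse_ips_events and summarize are this example's own functions.

```python
import ipaddress
import re
from collections import Counter

# Constructed syslog sample as the server at 192.168.1.3 would record it after Router 0 has
# "logging host 192.168.1.3" and "service timestamps log datetime msec" set. The lines follow
# the %IPS-4-SIGNATURE message layout but were written for this example, not captured.
SAMPLE_SYSLOG = """\
*Mar  1 00:12:03.115: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.2:0 -> 192.168.1.2:0] VRF:NONE RiskRating:25
*Mar  1 00:12:04.117: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.2:0 -> 192.168.1.2:0] VRF:NONE RiskRating:25
*Mar  1 00:12:09.501: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:12:15.300: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.3.2:0 -> 192.168.1.3:0] VRF:NONE RiskRating:25
"""

# One IPS alert: signature id, sub-signature, severity, signature name and the flow it fired on.
IPS_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.*?) \[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\]"
)

def parse_ips_events(text):
    """Return one dict per %IPS-4-SIGNATURE line; every other syslog message is skipped."""
    events = []
    for line in text.splitlines():
        m = IPS_RE.search(line)
        if m:
            event = m.groupdict()
            for key in ("sig", "subsig", "sev"):
                event[key] = int(event[key])
            events.append(event)
    return events

def summarize(events, protected="192.168.1.0/24"):
    """Count hits per (sig, subsig) and per source address, keeping only alerts whose
    destination lies in the network the IPS rule protects (192.168.1.0/24 in this lab)."""
    net = ipaddress.ip_network(protected)
    by_sig, by_src = Counter(), Counter()
    for event in events:
        if ipaddress.ip_address(event["dst"]) in net:
            by_sig[(event["sig"], event["subsig"])] += 1
            by_src[event["src"]] += 1
    return {"by_sig": by_sig, "by_src": by_src}

if __name__ == "__main__":
    report = summarize(parse_ips_events(SAMPLE_SYSLOG))
    for (sig, subsig), n in report["by_sig"].items():
        print(f"Sig {sig}/{subsig}: {n} alert(s)")
    for src, n in report["by_src"].most_common():
        print(f"{src}: {n} echo request(s) toward the protected network")
```

With the rule applied out on G0/0, only echo requests leaving the router toward 192.168.1.0/24 can trigger the signature, which is why the summary filters on the destination address.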


Assessment -4
(Cisco Packet Tracer - Task 2)
Hardware Firewall Cisco ASA 5505 configuration

A firewall is a network security device that monitors incoming and outgoing network traffic and
decides whether to allow or block specific traffic based on a defined set of security rules. A firewall
can be hardware, software, or both. The Cisco ASA 5505 is a full-featured firewall for small business,
branch, and enterprise teleworker environments.

Assign IP addresses on the Cisco ASA and the ISP router, and set the inside and outside interfaces on the Cisco ASA.
Security levels:
Inside = 100
Outside = 0
DMZ = 1-99

1. Go to PC2 -> Desktop -> Terminal and click OK. In the terminal, enter the commands:
ciscoasa>enable
ciscoasa#show running-config
SS-1: Paste the output of the running configuration (include vlan 1 and 2 settings, dhcp settings).
Q1. Answer the following from the output:
What are the current security levels at vlan 1 and vlan 2?
What is the IP address at vlan 1?
What is the IP address range available at the DHCP?

Now, remove the IP from interface vlan1, and remove the DHCP address range.

ciscoasa#configure terminal
ciscoasa(config)#int vlan1
ciscoasa(config-if)#no ip address
ciscoasa(config-if)#exit
ciscoasa(config)#no dhcpd address <the address range obtained from the show running-config output> inside
(e.g., no dhcpd address 192.168.1.5-192.168.1.36 inside)
ciscoasa(config)#exit
ciscoasa#show running-config

SS-2: Paste the output of the running configuration (include vlan 1 and 2 settings, dhcp settings).

ciscoasa#configure terminal
ciscoasa(config)#int vlan 1
ciscoasa(config-if)#ip address 172.16.1.1 255.255.255.0
ciscoasa(config-if)#nameif inside
ciscoasa(config-if)#security-level 100
ciscoasa(config-if)#exit

ciscoasa(config)#int e0/1
ciscoasa(config-if)#switchport access vlan 1
ciscoasa(config-if)#exit

ciscoasa(config)#int vlan 2
ciscoasa(config-if)#ip address 203.1.1.2 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif outside
ciscoasa(config-if)#security-level 0
ciscoasa(config-if)#exit

ciscoasa(config)#int e0/0
ciscoasa(config-if)#switchport access vlan 2
ciscoasa(config-if)#

SS-3: Paste the output of the running configuration (include vlan 1 and 2 settings).

Configure the gateway at Cisco ISP router:


Router>en
Router#conf t
Router(config)#hostname ISP
ISP(config)#int fa0/0
ISP(config-if)#ip address 203.1.1.1 255.255.255.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#

ISP(config)#int fa0/1
ISP(config-if)#ip address 8.8.8.1 255.0.0.0
ISP(config-if)#no shutdown
ISP(config-if)#exit
ISP(config)#exit
Set the IP address at the google.com server as 8.8.8.8. Now, ping the router addresses from
the google server.
Q2. Is the server able to ping the Router addresses?

2. Configure DHCP server and DNS server on Cisco ASA. The IP address range should be as
follows: 172.16.1.5 – 172.16.1.6

On PC0 and PC1, go to Desktop -> IP Configuration and turn DHCP on.

Now, in the PC2 terminal:


ciscoasa#configure terminal
ciscoasa(config)#dhcpd address 172.16.1.5-172.16.1.6 inside
ciscoasa(config)#dhcpd dns 8.8.8.8 interface inside
ciscoasa(config)#end
ciscoasa#show running-config

SS-4: Paste the output of the running configuration (include dhcp settings).

Go to PC0 and PC1 and check the IP address in the IP Configuration window.

SS-5: Paste the IP configuration screen that displays the addresses given to PC0 and PC1.

From PC0, ping PC1.


From PC1, ping PC0.
Q3. Are the PCs able to ping each other successfully?

3. Configure a default route on the Cisco ASA and dynamic routing on the Cisco ISP router (OSPF 1).
In the Cisco ASA terminal:
ciscoasa#configure terminal
ciscoasa(config)#route outside 0.0.0.0 0.0.0.0 203.1.1.1

On the ISP router:


ISP>en
ISP#conf t
ISP(config)#router ospf 1
ISP(config-router)#network 203.1.1.0 0.0.0.255 area 0
ISP(config-router)#network 8.8.8.0 0.0.0.255 area 0

4. Create Object Network and Enable NAT


On PC2, enter the commands:
ciscoasa(config)#object network LAN
ciscoasa(config-network-object)#subnet 172.16.1.0 255.255.255.0
ciscoasa(config-network-object)#nat (inside,outside) dynamic interface
ciscoasa(config-network-object)#exit

5. Create an access list


From PC0 and PC1, ping -t 8.8.8.8
Q4. Are these ping requests getting timed out?
In the PC2 terminal, in configuration mode:
ciscoasa(config)#access-list in_to_internet extended permit tcp any any
ciscoasa(config)#access-list in_to_internet extended permit icmp any any
ciscoasa(config)#access-group in_to_internet in interface outside

Ping google.com from PC0. Is it able to ping?

Ping google.com from PC1. Is it able to ping?
Q5. Are these ping requests getting timed out?
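As an added example that is not part of the assignment, the following Python checker reads an ASA running-config shaped like the one built in steps 1 to 5 and verifies two things the task depends on: that each DHCP pool sits inside its interface's subnet and excludes the interface address (the stale 192.168.1.x pool removed in step 1 would fail this after re-addressing to 172.16.1.0/24), and which permit-any-any entries the in_to_internet list exposes inbound on the security-level-0 outside interface. The config excerpt is constructed for the example, not captured device output.

```python
import ipaddress
import re
# Constructed excerpt of the ASA running-config after steps 1 to 5 (written for this example,
# not captured); the dhcpd, access-list and access-group lines are exactly those typed in the task.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.1.1.2 255.255.255.0
dhcpd address 172.16.1.5-172.16.1.6 inside
access-list in_to_internet extended permit tcp any any
access-list in_to_internet extended permit icmp any any
access-group in_to_internet in interface outside
"""

def parse_interfaces(cfg):
    """Map each nameif to its security level and ip_interface, read from the interface stanzas."""
    ifaces, cur = {}, {}
    for words in (line.split() for line in cfg.splitlines() if line.strip()):
        if words[0] == "nameif":
            cur = ifaces[words[1]] = {}
        elif words[0] == "security-level":
            cur["level"] = int(words[1])
        elif words[:2] == ["ip", "address"]:
            cur["addr"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    return ifaces

def check_dhcp_pools(cfg, ifaces):
    """Flag a pool outside its interface subnet or one that contains the interface's own address."""
    findings = []
    for lo, hi, name in re.findall(r"^dhcpd address (\S+)-(\S+) (\S+)$", cfg, re.M):
        lo, hi, iface = ipaddress.ip_address(lo), ipaddress.ip_address(hi), ifaces[name]["addr"]
        if lo not in iface.network or hi not in iface.network:
            findings.append(f"{name}: pool {lo}-{hi} is outside {iface.network}")
        elif lo <= iface.ip <= hi:
            findings.append(f"{name}: pool {lo}-{hi} contains the interface address {iface.ip}")
    return findings

def broad_inbound_permits(cfg, ifaces):
    """List 'permit <proto> any any' entries of ACLs bound inbound on a security-level-0 interface."""
    hits = []
    for acl, name in re.findall(r"^access-group (\S+) in interface (\S+)$", cfg, re.M):
        if ifaces[name]["level"] == 0:
            pattern = rf"^access-list {re.escape(acl)} extended permit (\S+) any any$"
            hits += [(name, acl, proto) for proto in re.findall(pattern, cfg, re.M)]
    return hits
```

The second check is there so the icmp entry that lets the lab's pings succeed is reviewed alongside the tcp entry, which the ping test itself never needs.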

6. Verify that NAT is working. On the Cisco ASA:


ciscoasa(config)#show xlate
ciscoasa(config)#show nat

SS-6: Paste the output of these commands.


Q6. Explain the output of these commands.
