Sic Practical

Uploaded by Vaishnavi Awchar

PRACTICAL 1

Packet Tracer - Configure Cisco Routers for Syslog, NTP, and SSH Operations
Topology

Configuring PC0

Configuring PC1
Configuring NTP server/server0

Configuring Syslog server/server1

Part 1: Configure OSPF MD5 Authentication


CLI commands for Router0:
Router#en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router ospf 1
Router(config-router)#network 192.168.1.0 255.255.255.0 area 1
Router(config-router)#network 192.168.2.0 255.255.255.0 area 1
Router(config)#interface GigabitEthernet0/1
Router(config-if)#ip ospf authentication message-digest
Router(config-if)#ip ospf message-digest-key 1 md5 vaishnavi
Router(config-if)#exit
Router(config)#exit

CLI Commands for Router1:


Router#en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router ospf 1
Router(config-router)#network 192.168.2.0 255.255.255.0 area 1
Router(config-router)#network 192.168.3.0 255.255.255.0 area 1
Router(config)#interface GigabitEthernet0/1
Router(config-if)#ip ospf authentication message-digest
Router(config-if)#ip ospf message-digest-key 1 md5 vaishnavi
Router(config-if)#exit
Router(config)#exit
Part 2: Configure NTP
CLI Commands for router0:
Router#en
Router#show clock
*0:42:24.621 UTC Mon Mar 1 1993
Router#en
Router#show clock
9:6:27.627 UTC Mon Apr 3 2023
CLI Commands for router1:
Router#en
Router#show clock
*0:42:24.621 UTC Mon Mar 1 1993
Router#en
Router#show clock
9:6:27.627 UTC Mon Apr 3 2023

Part 3: Configure Routers to Log Messages to the Syslog Server


CLI commands for router0:
Router#en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging 192.168.1.2
Router(config)#exit

CLI commands for router1:


Router#en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#logging 192.168.1.2
Router(config)#exit
Part 4: Configuring SSH connections
CLI commands for Router1:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip domain-name vaishnavi.com
Router(config)#hostname R1
R1(config)#crypto key generate rsa
The name for the keys will be: R1.vaishnavi.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 512


% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#line vty 0 4
*Apr 3 9:19:58.401: RSA key size needs to be at least 768 bits for ssh version 2
*Apr 3 9:19:58.401: %SSH-5-ENABLED: SSH 1.5 has been enabled
R1(config-line)#transport input ssh
R1(config-line)#login local
R1(config-line)#exit
R1(config)#username vaishnavi privilege 15 password abc
Practical No. 3
Configure AAA Authentication on Cisco Routers
Topology :

Configuring PC0 :

Configuring PC1 :
Configuring Router0 :

Configuring Server0 (As TACACS) :


Configuring Server1 (As RADIUS) :
CLI mode of the Router0 :
Router>
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa new-model
Router(config)#tacacs-server host 192.168.2.3 key cisco
Router(config)#radius-server host 192.168.2.2 key cisco
Router(config)#aaa authentication login yash group tacacs+ group radius local
Router(config)#line vty 0 4
Router(config-line)#login authentication yash
Router(config-line)#exit
Router(config)#
Authentication can be tested by typing the command telnet 192.168.2.1 (the Router IP) on any
of the PCs.
We get a prompt to type the username and password; the username and password set in TACACS
are username: smile & password: smile, and we get the following:

In order to authenticate against the RADIUS server we need to turn OFF the TACACS service.
We again enter the command telnet 192.168.2.1 (the Router IP) and enter the username and
password of the RADIUS server, username: laugh & password: laugh, and we
get the following:
The local login can also be verified by turning OFF both the TACACS & RADIUS services. The
username & password are both cisco (by default).
Hence the authentication through both TACACS & RADIUS has been verified.
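The order in which the lab switches services OFF is the whole point of the method list: IOS moves on to the next method only when a server does not answer, so a rejection from TACACS+ never falls through to RADIUS. The following Python model is an added example, not part of the practical; the server and user names are the ones from the text, and the method-list logic is a simplification of IOS behaviour.

```python
from dataclasses import dataclass


@dataclass
class AuthServer:
    """One authentication method (TACACS+, RADIUS or the local database).
    Turning a Packet Tracer service OFF is modelled as reachable=False."""
    name: str
    users: dict
    reachable: bool = True

    def authenticate(self, user, password):
        # IOS distinguishes FAIL (server answered: bad credentials) from
        # ERROR (no answer at all); only ERROR moves on to the next method.
        if not self.reachable:
            return "ERROR"
        return "PASS" if self.users.get(user) == password else "FAIL"


def aaa_login(methods, user, password):
    """Walk a method list the way 'aaa authentication login <list>
    group tacacs+ group radius local' does: try each method in order and
    return (result, method name); an explicit FAIL ends the attempt."""
    for method in methods:
        result = method.authenticate(user, password)
        if result != "ERROR":
            return result, method.name
    return "FAIL", "none"  # every method was unreachable


def lab_login(user, password, tacacs_on=True, radius_on=True):
    """Lab credentials from the text: smile/smile on TACACS+ (192.168.2.3),
    laugh/laugh on RADIUS (192.168.2.2), cisco/cisco in the local database."""
    tacacs = AuthServer("tacacs+", {"smile": "smile"}, reachable=tacacs_on)
    radius = AuthServer("radius", {"laugh": "laugh"}, reachable=radius_on)
    local = AuthServer("local", {"cisco": "cisco"})
    return aaa_login([tacacs, radius, local], user, password)


if __name__ == "__main__":
    print(lab_login("smile", "smile"))                   # ('PASS', 'tacacs+')
    print(lab_login("laugh", "laugh"))                   # ('FAIL', 'tacacs+'): no fallback on reject
    print(lab_login("laugh", "laugh", tacacs_on=False))  # ('PASS', 'radius')
    print(lab_login("cisco", "cisco", tacacs_on=False, radius_on=False))  # ('PASS', 'local')
```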
Practical No. 2
Configure ACLs
Topology :

Configuring Server0 :

Configuring Server1 :
Configuring PC0 :

Configuring PC1 :
Configuring Router0:

Configuring Router1 :
Setting the RIP protocol on both the Routers :
Check the connectivity by using the ping command

Part 1 : Configure, apply and verify an extended numbered ACL


Type the following commands in Router1
Router#en
Router#conf t
Router(config)#access-list 100 permit tcp host 192.168.3.2 host 192.168.1.2 eq ftp
Router(config)#interface GigabitEthernet0/0
Router(config-if)#ip access-group 100 out
Router(config-if)#exit

Now verify FTP access (ftp 192.168.1.2) from both PCs: one (PC0) will be
successful and the other (PC1) will fail.
Part 2 : Configure, Apply and Verify an Extended Named ACL
We use the same topology for this case
Type the following command in the CLI mode of Router1
Router>en
Router#conf t
Router(config)#ip access-list extended yash
Router(config-ext-nacl)#permit tcp host 192.168.3.3 host 192.168.1.3 eq www
Router(config-ext-nacl)#exit
Router(config)#interface GigabitEthernet0/0
Router(config-if)#ip access-group yash out
Router(config-if)#exit
Now verify the WWW service (browse to 192.168.1.3) from the browser of both PCs: one (PC1)
will be successful and the other (PC0) will fail.

Hence both Extended Numbered ACLs and Extended Named ACLs have been verified.
Practical no. 4
Configure IP ACLs to Mitigate Attacks.
Topology:

Configuring PC0 :
Configuring PC1 :

Configuring Server0 :
To set the IPv6 addresses we need to use the CLI mode of each Router, as follows:
Configuring Router0:
Router>
Router>en
Router#conf t
Router(config)#ipv6 unicast-routing
Router(config)#interface GigabitEthernet0/0
Router(config-if)#ipv6 address 2001::1/64
Router(config-if)#ipv6 rip a enable
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#
Router(config)#interface GigabitEthernet0/1
Router(config-if)#ipv6 address 2002::1/64
Router(config-if)#ipv6 rip a enable
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#
Router(config)#interface Serial0/1/0
Router(config-if)#ipv6 address 2003::1/64
Router(config-if)#ipv6 rip a enable
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#
Configuring Router1:
Router>
Router>en
Router#conf t
Router(config)#ipv6 unicast-routing
Router(config)#interface Serial0/1/0
Router(config-if)#ipv6 address 2003::2/64
Router(config-if)#ipv6 rip a enable
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#
Router(config)#interface Serial0/1/1
Router(config-if)#ipv6 address 2004::1/64
Router(config-if)#ipv6 rip a enable
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#
Configuring Router2:
Router>
Router>en
Router#conf t
Router(config)#ipv6 unicast-routing
Router(config)#interface Serial0/1/0
Router(config-if)#ipv6 address 2004::2/64
Router(config-if)#ipv6 rip a enable
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#
Router(config)#interface GigabitEthernet0/0
Router(config-if)#ipv6 address 2005::1/64
Router(config-if)#ipv6 rip a enable
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Check the connectivity by pinging the Server from both PCs.
The connection between the PCs and the server is successful.
We configure the ACLs and apply them to Router1 with the following conditions:

1. No HTTP or HTTPS allowed on the server by any host
2. No WWW service accessible on the server by any host
3. Only IPv6 packets allowed towards the server

Enter the following commands in the CLI mode of the Router1 :


Router>
Router>en
Router#conf t
Router(config)#ipv6 access-list smile
Router(config-ipv6-acl)#deny tcp any host 2005::2 eq www
Router(config-ipv6-acl)#deny tcp any host 2005::2 eq 443
Router(config-ipv6-acl)#permit ipv6 any any
Router(config-ipv6-acl)#exit
Router(config)#
Router(config)#interface Serial0/1/0
Router(config-if)#ipv6 traffic-filter smile in
Router(config-if)#exit
Router(config)#

We verify the configuration by first accessing the WWW service from the browser of both
PCs, which fails.
Next we verify that the IPv6 protocol still works by pinging the server from any of the PCs (it
must be successful).
Hence the given ACLs have been applied and verified on hosts running the IPv6
protocol.
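As an added example covering both the extended ACL of Practical 2 (access-list 100) and the ipv6 access-list smile above (example code, not part of the practicals), this Python evaluator applies the IOS first-match rule with the implicit deny at the end of every list. It also shows why condition 3, the 'permit ipv6 any any' entry, is needed for the ping test to succeed; the PC address 2001::10 is a constructed value.

```python
import ipaddress


def ace(action, proto, src, dst, port=None):
    """One access-control entry. 'host X' is X/32 (or X/128) and 'any' is
    0.0.0.0/0 (or ::/0); port=None means no 'eq' clause, i.e. any port."""
    return (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), port)


def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet the way IOS does: the first
    matching entry wins and anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, port in acl:
        if p not in (proto, "ip", "ipv6"):   # 'ip'/'ipv6' entries match any protocol
            continue
        if s not in src_net or d not in dst_net:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"   # implicit 'deny any any' at the end of every IOS ACL


# Practical 2, Part 1: access-list 100 permit tcp host 192.168.3.2 host 192.168.1.2 eq ftp
ACL_100 = [ace("permit", "tcp", "192.168.3.2/32", "192.168.1.2/32", 21)]

# Practical 4: ipv6 access-list smile (www = 80, then 443, then permit ipv6 any any)
ACL_SMILE = [
    ace("deny", "tcp", "::/0", "2005::2/128", 80),
    ace("deny", "tcp", "::/0", "2005::2/128", 443),
    ace("permit", "ipv6", "::/0", "::/0"),
]

if __name__ == "__main__":
    # PC0's FTP passes and PC1's fails, as the text states; but PC0's ping is
    # also dropped, because the implicit deny blocks everything list 100 omits.
    print(evaluate(ACL_100, "tcp", "192.168.3.2", "192.168.1.2", 21))   # permit
    print(evaluate(ACL_100, "tcp", "192.168.3.3", "192.168.1.2", 21))   # deny
    print(evaluate(ACL_100, "icmp", "192.168.3.2", "192.168.1.2"))      # deny
    # 2001::10 is a constructed PC address on Router0's 2001::/64 segment.
    print(evaluate(ACL_SMILE, "tcp", "2001::10", "2005::2", 80))        # deny
    print(evaluate(ACL_SMILE, "icmpv6", "2001::10", "2005::2"))         # permit
    # Without 'permit ipv6 any any' the same ping would hit the implicit deny.
    print(evaluate(ACL_SMILE[:2], "icmpv6", "2001::10", "2005::2"))     # deny
```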
Practical no. 5
Configuring a Zone-Based policy Firewall (ZPF)

Topology :

Configuring Server0 :

Configuring PC0 :
Configuring Router0 :
Configuring Router1 :
Configuring Router2 :
Part 1 : Static routing on each router (to add the routing paths)

Router 0 : Add the following routes in the static mode


Router 1 : Add the following routes in the static mode
Router 2 : Add the following routes in the static mode
Now we check the connectivity by pinging the Server from the PC

Part 2 : Configuring SSH on Router 1

Type the following commands in the CLI mode of Router1


Router>en
Router#conf t
Router(config)#ip domain-name yash.com
Router(config)#hostname R1
R1(config)#crypto key generate rsa
How many bits in the modulus [512]: 512
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#
R1(config-line)#login local
R1(config-line)#exit
R1(config)#username yash privilege 15 password cisco

Now we verify the SSH using PC as follows


Next we access the web service of the Server using the web browser of the PC, as follows:

Part 3 : Create the Firewall Zones on Router 2, i.e. the router connected to PC0

Note : Before that, check the version of your router to see whether the security package is enabled.
If it is not enabled, type the following commands in Router 2 to enable the security feature:

Router>show version (press Enter until the end)

Router>en
Router#conf t
Router(config)#license boot module c1900 technology-package securityk9
ACCEPT? [yes/no]: yes
Router(config)#exit
Router#reload
Router>en
Router#show version

We will get a message informing us whether the security package is enabled or not.
As you can see above, the security package is not enabled.

Type the following commands in the CLI mode of Router2 which is connected with PC0
Router>
Router>en
Router#conf t
Router(config)#zone security in-zone
Router(config-sec-zone)#exit
Router(config)#zone security out-zone
Router(config-sec-zone)#exit
Router(config)#
Router(config)#access-list 101 permit ip 192.168.4.0 0.0.0.255 any
Router(config)#class-map type inspect match-all in-map
Router(config-cmap)#match access-group 101
Router(config-cmap)#exit
Router(config)#
Router(config)#policy-map type inspect in-out
Router(config-pmap)#class type inspect in-map
Router(config-pmap-c)#inspect
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#
Router(config)#zone-pair security in-out-zone source in-zone destination out-zone
Router(config-sec-zone-pair)#service-policy type inspect in-out
Router(config-sec-zone-pair)#exit
Router(config)#
Router(config)#interface GigabitEthernet0/0
Router(config-if)#zone-member security in-zone
Router(config-if)#exit
Router(config)#
Router(config)#interface Serial0/1/0
Router(config-if)#zone-member security out-zone
Router(config-if)#exit
Router(config)#exit
Router#
Router#copy running-config startup-config
Router#

Part 4 : Testing the Firewall Functionality (from in-zone to out-zone) by the following steps
Step 1: Pinging Server from the PC (it will succeed)

Step 2 : Start an SSH session from PC to Router1


As seen above, the session becomes active and we get access to Router 1 (do not exit the
session; continue to step 3).

Step 3 : Type the following commands in the CLI mode of Router 2


Router#show policy-map type inspect zone-pair sessions
We will get following output
Step 4 : We close the SSH connection and open the web browser and access the server
address (192.168.1.2) and get the following ( it will succeed)
Part 5 : Testing the Firewall Functionality (from out-zone to in-zone) by the following step
Step 1 : Ping PC0 from the Server (it will fail)
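An added model of what the zone-pair configuration of Part 3 does (example code, not from the practical): only the in-zone to out-zone pair carries an inspect policy, so sessions started from PC0 get their return traffic back through Router 2, while new traffic from the Server toward PC0 has no zone-pair and is dropped, which is the Part 5 result. The PC addresses 192.168.4.2 and 192.168.4.3 are constructed; the zone and interface names are the ones configured above.

```python
import ipaddress

# Router2 in Practical 5: in-zone = GigabitEthernet0/0 (PC side), out-zone =
# Serial0/1/0. The only zone-pair is in-zone -> out-zone, whose policy-map
# inspects traffic matched by access-list 101 (source 192.168.4.0/24).
ZONE_OF_IFACE = {"GigabitEthernet0/0": "in-zone", "Serial0/1/0": "out-zone"}
ZONE_PAIRS = {("in-zone", "out-zone"): "inspect"}   # nothing for out-zone -> in-zone
ACL_101 = ipaddress.ip_network("192.168.4.0/24")


class ZoneFirewall:
    def __init__(self):
        self.sessions = set()   # 5-tuples created by 'inspect'

    def forward(self, in_iface, out_iface, proto, src, sport, dst, dport):
        """Return 'pass' or 'drop' for one packet, mimicking ZPF semantics."""
        src_zone, dst_zone = ZONE_OF_IFACE[in_iface], ZONE_OF_IFACE[out_iface]
        if src_zone == dst_zone:
            return "pass"                 # intra-zone traffic is not policed
        # Return traffic of an inspected session is allowed even though no
        # out-zone -> in-zone zone-pair exists: that is what 'inspect' buys.
        if (proto, dst, dport, src, sport) in self.sessions:
            return "pass"
        action = ZONE_PAIRS.get((src_zone, dst_zone))
        if action == "inspect" and ipaddress.ip_address(src) in ACL_101:
            self.sessions.add((proto, src, sport, dst, dport))
            return "pass"
        return "drop"   # no zone-pair, or class-default: inter-zone traffic denied


if __name__ == "__main__":
    fw = ZoneFirewall()
    # Part 4, Step 1: PC0 (constructed address 192.168.4.2) pings the Server 192.168.1.2
    print(fw.forward("GigabitEthernet0/0", "Serial0/1/0", "icmp", "192.168.4.2", None, "192.168.1.2", None))  # pass
    print(fw.forward("Serial0/1/0", "GigabitEthernet0/0", "icmp", "192.168.1.2", None, "192.168.4.2", None))  # pass (reply)
    # Part 5, Step 1: the Server starts a new ping toward a PC with no session
    print(fw.forward("Serial0/1/0", "GigabitEthernet0/0", "icmp", "192.168.1.2", None, "192.168.4.3", None))  # drop
```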