Lab 3-1 Enhancing the Security of the Initial Configuration

Lab 3-1 Enhancing the Security of the Initial Configuration

Task 1: Add Password Protection Step 2: 

Enter this sequence of commands into t he Branch router:

Branch>enable Branch#configure terminal Enter configuration configuration commands, one one per line.

End with CNTL/Z. CNTL/Z.

Branch(config)#line console 0 password cisco Branch(config-line)#

Branch(config-line)#login 

Step 3: You will be asked for the password that you configured in the previous step.

Branch(config-line)#end Branch#exit

Branch con0 is now available

Press RETURN to get started.

1


User Access Verification

Password: cisco Branch>



Step 4:

Branch>enable Branch#show running-config | section line con line con 0 exec-timeout 60 0 password cisco logging synchronous login 

Step 5: Enter the following command sequence into the Branch router:

Branch#configure terminal Enter configuration commands, one per line.

2

End with CNTL/Z.


Branch(config)#username ccna secret cisco Branch(config)#line console 0 Branch(config-line)#login local 

Step 6: You will be asked for a username and password. Enter the credentials that you created in the previous step.

Branch(config-line)#end Branch#exit




Username: ccna Password: cisco Branch> 

Step 7: Note that the password is encrypted, not in cleartext. You could use the service password-encryption command to encode the cleartext password, but this encryption type is weak.

Branch#show running-config | section username

3


username ccna secret 5 $1$w0Z7$bHhgCAXtLexdTxFqk2Ufn1 

Step 8: Enter this sequence of commands into t he Branch router:

Branch#configure terminal Enter configuration commands, one per line.

End with CNTL/Z.

Branch(config)#line vty 0 4 Branch(config-line)#login local Branch(config-line)#exit Branch(config)# 

Step 9: Enter the appropriate credentials to log into the Branch router. Exit Telnet session.

PC1>telnet 10.1.1.1 Trying 10.1.1.1 ... Open


Username: ccna Password: cisco Branch>exit

4


[Connection to 10.1.1.1 closed by foreign host] PC1> 

Step 10: Enter this command on the Branch router:

Branch(config)#enable secret cisco Branch(config)#exit Branch# *Mar 20 17:16:24.300: %SYS-5-CONFIG_I: Configured from console by ccna on console Branch# 

Step 11:

Branch#disable Branch>enable Password:cisco Branch# 


Branch#copy running-config startup-config Destination filename [startup-config]? Building configuration...

5


[OK] 

Step 13:

Branch#show running-config | section enable enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY 

Step 14: Enter this sequence of commands on SW1:

SW1(config)#enable secret cisco SW1(config)#username ccna secret cisco SW1(config)#line console 0 SW1(config-line)#login local SW1(config-line)#line vty 0 4 SW1(config-line)#login local 

Step 15:

SW1(config-line)#end SW1#exit

SW1 con0 is now available


6



Username: ccna Password: cisco SW1> 

Step 16: Enter this command on the SW1 switch:

SW1#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK] 

Step 17:

SW1>enable Password: cisco SW1# 

Step 18: Enter the appropriate credentials to log into the switch. Exit Telnet session.

PC1>telnet 10.1.1.11 Trying 10.1.1.11 ... Open

7



Username: ccna Password: cisco SW1>exit

[Connection to 10.1.1.11 closed by foreign host] PC1> Task 2: Enable SSH Remote Access Step 1: 

Enter this sequence of commands on t he Branch router:

Branch(config)#ip domain-name cisco.com Branch(config)#crypto key generate rsa The name for the keys will be: Branch.cisco.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take few minutes.

How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

8


Branch(config)#line vty 0 4 Branch(config-line)#transport input ssh Branch(config-line)#exit Branch(config)#ip ssh version 2 


Branch#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK] 

Step 3: Enter this sequence of commands on t he SW1 switch:

SW1(config)#ip domain-name cisco.com SW1(config)#crypto key generate rsa The name for the keys will be: SW1.cisco.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take few minutes.

How many bits in the modulus [512]: 1024

9


% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

SW1(config)#line vty 0 4 SW1(config-line)#transport input ssh SW1(config-line)#ip ssh version 2 

Step 4:

PC1>telnet 10.1.1.1 Trying 10.1.1.1 ... % Connection refused by remote host

PC1> 

Step 5: Leave the connection open for the next step.

PC1#ssh -l ccna 10.1.1.1 Password: cisco Branch> 

Step 6:

Branch>show users

10

Line

User

Host(s)

Idle

0 con 0

ccna

idle

00:24:52

Location


*

2 vty 0

ccna

Interface

User

idle

00:00:00 10.1.1.100

Mode

Idle

Branch>exit PC1> 

Step 7:

PC1>ssh -l ccna 10.1.1.11 Password: cisco

SW1> 


SW1#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK] Task 3: Limit Remote Access to Selected Network Addresses Step 1: 

Enter this sequence of commands on t he SW1 switch:

SW1#configure terminal

11

Peer Address


Enter configuration commands, one per line.

End with CNTL/Z.

SW1(config)#access-list 1 permit host 10.1.1.1 SW1(config)#access-list 1 deny any log 

Step 2:

SW1(config)#line vty 0 4 SW1(config-line)#access-class 1 in 

Step 3: You should not be successful, because the ACL that you defined allows only the Branch router to establish sessions to switch SW1.

PC1>ssh -l ccna 10.1.1.11 % Connection refused by remote host

PC1> 

Step 4: You should be successful.

Branch#ssh -l ccna 10.1.1.11 Password: cisco

SW1>exit

[Connection to 10.1.1.11 closed by foreign host]

12


Branch# Exit SSH session from SW1 switch. 

Step 5: Notice that the counters for both the permit and deny statements increased. If you did not define an explicit deny statement, a remote session from PC1 would still be denied, but you would not be able to see cou for denied remote session attempts.

SW1#show access-lists Standard IP access list 1 10 permit 10.1.1.1 (2 matches) 20 deny

any log (1 match)

The number of matchs shown is typical. However, your values may be larger if you attempted the SSH connection more than once. 


SW1#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK] Task 4: Configure a Login Banner Step 1: 

Enter the following command on the Branch router:

banner login # Branch(config)#

Enter TEXT message.

13

End with the character '#'.


**********

Warning

*************

ccess to this device is restricted to authorized persons only! Un-authorized access is prohibited. Violators will be prosecuted. ***********************************************#

Branch(config)# 

Step 2: Notice the login banner that you were presented with as you logged in.

Branch#logout



**********

Warning

*************

Access to this device is restricted to authorized persons only!

14


Un-authorized access is prohibited. Violators will be prosecuted. ***********************************************


Username: ccna Password: cisco 


Branch#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK] 

Step 4: Enter the following command on the SW1 switch:

banner login # SW1(config)#

Enter TEXT message.

End with the character '#'.

**********

*************

Warning

ccess to this device is restricted to authorized persons only! Un-authorized access is prohibited. Violators will be prosecuted.

15


***********************************************#

SW1(config)# 

Step 5: Notice the login banner that you were presented with as you logged in.

SW1#logout

SW1 con0 is now available


**********

Warning

*************

Access to this device is restricted to authorized persons only! Un-authorized access is prohibited. Violators will be prosecuted. ***********************************************

16



Username: ccna Password: SW1> 


SW1>enable Password:cisco SW1#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK]

17

Lab 3-1 Enhancing the Security of the Initial Configuration

Recommend Documents