Requirements for the ISCW lab rack built with DynamipsGUI:
1. Unnecessary services on all three routers must be disabled; this is done by hand. Access to all routers uses SSH (the Telnet service is blocked). Only the network administrators (172.16.4.12, 172.16.4.13, 172.16.4.14 and 172.16.4.15) are allowed EXEC access.
2. Each administrator has an individual account for router access. Access to the routers is authenticated with AAA. All executed commands and system events should be logged. The AAA server is Cisco Secure ACS, with TACACS+ as the security protocol. AAA is configured even on the branch-office router.
3. Standard extended ACLs are used on the internal router to enforce the policy restrictions. Standard extended ACLs are also used on the branch-office router, Router C.
4. On the perimeter router, Router A, filtering is implemented with a combination of standard extended ACLs and Context-Based Access Control (CBAC). Inspection must be set up for e-mail and HTTP. The internal router also uses CBAC, to allow returning traffic from the outside and to inspect SMTP traffic.
5. Web traffic is filtered on the perimeter router through a Websense server.
6. Address translation is required on the perimeter router: static translation for the DMZ devices and dynamic translation for all other internal devices that access the Internet. Address translation must be disabled for VPN connections.
7. Because there are only a few subnets, static routes are used for routing; reverse-path forwarding (RPF) is used to prevent certain types of spoofing attacks.
8. IDS is deployed on the perimeter routers at headquarters and at the branch office for added protection. Every attack is logged to the syslog server, and TCP resets are used against TCP connection attacks.
9. CBAC is used to block connection attacks, including TCP SYN floods.
10. Because Internet access restricts the use of ICMP and UDP, the company is concerned about DoS attacks using these protocols and has decided to rate-limit them with NBAR.
11. NTP is used to synchronize device clocks. The internal syslog server also serves as the primary NTP time source, and authentication is used to verify the identity of the devices. All three routers send timestamped log messages to the syslog server. For the branch-office router, Router C, these messages must be encrypted.
12. A site-to-site IPsec VPN protects traffic between the branch office and headquarters. All branch traffic must pass through this connection, including traffic ultimately bound for the Internet. Device authentication uses pre-shared keys.
13. Easy VPN is implemented for remote-access users. There are three user groups: admin, accounting and user. The admin group contains the network administrators. The accounting group contains the remote-access finance staff, who must be subject to appropriate restrictions. The user group contains all other employees. If these users want Internet access they must install a software firewall; all traffic they send to headquarters must be protected.
This rack was built with DynamipsGUI; the IOS image is the 7200 Advanced Security build.
It has been tested to run stably with low memory use: 1 GB of RAM is enough to complete the lab.
The rack can be used directly after download; remember to adjust the idle-pc value.
Configuration starts here:
Basic configuration and IP addressing: follow the topology diagram.
Note: set the interfaces of every device to full duplex
(in interface configuration mode: duplex full),
otherwise duplex-mismatch errors are reported.
Disable unneeded services on all routers
RouterA, RouterB and RouterC
no cdp run
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip identd
no service finger
no ip source-route
no ftp-server enable
no ip http server
no ip http secure-server
no snmp-server community public RO
no snmp-server community private RW
no snmp-server enable traps
no snmp-server system-shutdown
no snmp-server trap-auth
no snmp-server
no ip domain-lookup
no ip bootp server
no service dhcp
no service pad
no boot network
no service config
On each interface:
no ip directed-broadcast
no ip unreachables
no ip redirects
no ip mask-reply
Drop timed-out and dead connections:
service tcp-keepalives-in
service tcp-keepalives-out
SSH configuration
! a hostname and a domain name must both be set before the RSA key pair can be generated
ip domain-name cisco.com
crypto key generate rsa
! 172.16.4.12 with wildcard 0.0.0.3 covers exactly the four administrator hosts .12 to .15
access-list 1 permit 172.16.4.12 0.0.0.3
access-list 1 deny any
line vty 0 4
login
access-class 1 in
transport input ssh
transport output ssh
AAA configuration
aaa new-model
tacacs-server host 172.16.3.7 single-connection key cisco
! local fallback account, used only by the console list when the TACACS+ server is unreachable
username backdoor secret cisco
aaa authentication login console_access group tacacs+ local
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+ enable none
aaa authentication username-prompt "Password:"
aaa authentication password-prompt "Password:"
aaa authentication fail-message C
Invalid authentication,Please re-enter
C
! number of login attempts allowed per session
aaa authentication attempts login 1
line con 0
login authentication console_access
Routing configuration
RouterA
ip route 0.0.0.0 0.0.0.0 192.1.1.254
ip route 172.16.3.0 255.255.255.0 172.16.2.254
ip route 172.16.4.0 255.255.255.0 172.16.2.254
ip route 172.16.5.0 255.255.255.0 172.16.2.254
interface tunnel0
ip add 172.16.99.1 255.255.255.0
tunnel source 192.1.1.1
tunnel destination 200.1.1.1
ip route 172.16.100.0 255.255.255.0 tunnel0
RouterB
ip route 0.0.0.0 0.0.0.0 172.16.2.1
RouterC
interface tunnel0
ip add 172.16.99.2 255.255.255.0
tunnel source 200.1.1.1
tunnel destination 192.1.1.1
ip route 192.1.1.0 255.255.255.0 200.1.1.254
ip route 0.0.0.0 0.0.0.0 tunnel0
ACL configuration
RouterA
ip access-list extended ingress-filter
remark Unassigned IANA addresses
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 7.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 41.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 58.0.0.0 0.255.255.255 any
deny ip 59.0.0.0 0.255.255.255 any
deny ip 60.0.0.0 0.255.255.255 any
deny ip 70.0.0.0 0.255.255.255 any
deny ip 71.0.0.0 0.255.255.255 any
deny ip 72.0.0.0 0.255.255.255 any
deny ip 73.0.0.0 0.255.255.255 any
deny ip 74.0.0.0 0.255.255.255 any
deny ip 75.0.0.0 0.255.255.255 any
deny ip 76.0.0.0 0.255.255.255 any
deny ip 77.0.0.0 0.255.255.255 any
deny ip 78.0.0.0 0.255.255.255 any
deny ip 79.0.0.0 0.255.255.255 any
deny ip 83.0.0.0 0.255.255.255 any
deny ip 84.0.0.0 0.255.255.255 any
deny ip 85.0.0.0 0.255.255.255 any
deny ip 86.0.0.0 0.255.255.255 any
deny ip 87.0.0.0 0.255.255.255 any
deny ip 88.0.0.0 0.255.255.255 any
deny ip 89.0.0.0 0.255.255.255 any
deny ip 90.0.0.0 0.255.255.255 any
deny ip 91.0.0.0 0.255.255.255 any
deny ip 92.0.0.0 0.255.255.255 any
deny ip 93.0.0.0 0.255.255.255 any
deny ip 94.0.0.0 0.255.255.255 any
deny ip 95.0.0.0 0.255.255.255 any
deny ip 96.0.0.0 0.255.255.255 any
deny ip 97.0.0.0 0.255.255.255 any
deny ip 99.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 108.0.0.0 0.255.255.255 any
deny ip 109.0.0.0 0.255.255.255 any
deny ip 110.0.0.0 0.255.255.255 any
deny ip 111.0.0.0 0.255.255.255 any
deny ip 112.0.0.0 0.255.255.255 any
deny ip 113.0.0.0 0.255.255.255 any
deny ip 114.0.0.0 0.255.255.255 any
deny ip 115.0.0.0 0.255.255.255 any
deny ip 116.0.0.0 0.255.255.255 any
deny ip 117.0.0.0 0.255.255.255 any
deny ip 118.0.0.0 0.255.255.255 any
deny ip 119.0.0.0 0.255.255.255 any
deny ip 120.0.0.0 0.255.255.255 any
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
remark RFC 1918 private addresses
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.0.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark Other bogons
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 127.0.0.0 0.255.255.255 any
remark Allow IPSec access for site-to-site connections
permit udp any host 192.1.1.1 eq isakmp
permit esp any host 192.1.1.1
permit udp any host 192.1.1.1 eq 4500
permit gre host 200.1.1.1 host 192.1.1.1
remark Allow access to DMZ servers
permit tcp any host 192.1.1.2 eq 25
permit udp any host 192.1.1.3 eq 53
permit tcp any host 192.1.1.4 eq 80
remark Deny all other traffic
deny ip any any
int f0/0
ip access-group ingress-filter in
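To check what the wildcard masks in access-list 1 (the SSH access class) and in ingress-filter actually admit, here is an added Python evaluator of IOS ACL semantics; it is not part of the original post, and the PORTS table and the short excerpt it loads are constructed for the example. The same evaluator can be pointed at the NAT and no-static-NAT lists later in the post.

```python
# Added example, not from the original post: an evaluator for Cisco IOS ACL
# semantics (top-down, first match wins, implicit deny at the end), run on the
# lab's vty access-list 1 and an excerpt of RouterA's ingress-filter.
import ipaddress

PROTOS = {"ip", "tcp", "udp", "icmp", "esp", "gre"}
PORTS = {"isakmp": 500, "smtp": 25, "domain": 53, "www": 80}  # constructed lookup

def wc_match(addr, base, wildcard):  # 0 bits must match, 1 bits are don't-care
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def _addr(t, i):  # consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' at t[i:]
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1  # standard ACL: bare address means host

def parse_acl(text):  # -> [(action, proto, src, swc, dst, dwc, port), ...]
    rules = []
    for line in text.strip().splitlines():
        t = line.lower().split()
        if not t or t[0] == "remark":
            continue
        if t[1] in PROTOS:  # extended entry: protocol, source, destination
            proto, (src, swc, i) = t[1], _addr(t, 2)
            dst, dwc, i = _addr(t, i)
        else:  # standard entry: source only, any protocol and destination
            proto, (src, swc, i) = "ip", _addr(t, 1)
            dst, dwc = "0.0.0.0", "255.255.255.255"
        port = PORTS.get(t[i + 1]) or int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((t[0], proto, src, swc, dst, dwc, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):  # unmatched packet => deny
    for action, rproto, rsrc, swc, rdst, dwc, rport in rules:
        if (rproto in ("ip", proto) and wc_match(src, rsrc, swc)
                and wc_match(dst, rdst, dwc) and rport in (None, dport)):
            return action
    return "deny"

VTY_ACL = parse_acl("permit 172.16.4.12 0.0.0.3\ndeny any")
INGRESS = parse_acl("""remark excerpt of RouterA's ingress-filter
deny ip 172.16.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
permit udp any host 192.1.1.1 eq isakmp
permit tcp any host 192.1.1.2 eq 25
permit udp any host 192.1.1.3 eq 53
deny ip any any""")
```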
Control internal users' access to the DMZ
ip access-list extended DMZ-filter
remark Allow access to DMZ Servers
permit tcp any host 172.16.1.2 eq 25
permit udp any host 172.16.1.3 eq 53
permit tcp any host 172.16.1.4 eq 80
remark Deny all other traffic
deny ip any any
int lo0
ip access-group DMZ-filter out
RouterB
ip access-list extended server-farm-filter
remark Restrict access to the email-server
permit tcp 172.16.0.0 0.0.255.255 host 172.16.3.1 eq 25
remark Restrict access to the DNS server
permit udp 172.16.0.0 0.0.255.255 host 172.16.3.2 eq 53
remark Restrict access to the application server
permit tcp 172.16.0.0 0.0.255.255 host 172.16.3.3 eq 443
remark Deny access to the database server
deny ip any host 172.16.3.4
remark Protect the accounting server
permit tcp 172.16.5.0 0.0.0.255 host 172.16.3.5 eq 2501
permit tcp 172.16.253.0 0.0.0.255 host 172.16.3.5 eq 2501
deny ip any host 172.16.3.5
remark Protect the scp server service
permit tcp host 172.16.3.254 host 172.16.3.6 eq 22
permit tcp host 172.16.2.1 host 172.16.3.6 eq 22
permit tcp host 172.16.99.2 host 172.16.3.6 eq 22
remark Protect Syslog server service
permit udp host 172.16.3.254 host 172.16.3.6 eq 514
permit udp host 172.16.2.1 host 172.16.3.6 eq 514
permit udp host 172.16.99.2 host 172.16.3.6 eq 514
remark Protect NTP server service
! NTP runs over UDP port 123; a TCP entry here would block every NTP client
permit udp any host 172.16.3.6 eq 123
remark Deny all other traffic to the Syslog/SCP/NTP server
deny ip any host 172.16.3.6
int lo2
ip access-group server-farm-filter out
ip access-list extended user-filter
remark Restrict access to the accounting segment, but allow everything else
deny ip any 172.16.5.0 0.0.0.255
permit ip any any
int lo0
ip access-group user-filter in
ip access-list extended other-filter
remark Deny all traffic--CBAC will allow returning traffic
permit tcp host 172.16.1.2 host 172.16.3.1 eq 25
permit ip host 172.16.99.2 172.16.3.6 0.0.0.254
permit ip host 172.16.2.1 172.16.3.6 0.0.0.254
permit ip 172.16.99.0 0.0.0.255 172.16.3.0 0.0.0.255
permit ip 172.16.100.0 0.0.0.255 172.16.3.0 0.0.0.255
permit ip 172.16.252.0 0.0.0.255 172.16.3.0 0.0.0.255
permit ip 172.16.253.0 0.0.0.255 172.16.3.0 0.0.0.255
permit ip 172.16.254.0 0.0.0.255 172.16.3.0 0.0.0.255
deny ip any any
int f0/0
ip access-group other-filter in
RouterC
ip access-list extended ingress-filter
remark Allow Site-to-Site IPSec access
permit udp host 192.1.1.1 host 200.1.1.1 eq 500
permit esp host 192.1.1.1 host 200.1.1.1
permit gre host 192.1.1.1 host 200.1.1.1
remark Deny all other traffic
deny ip any any
int f0/0
ip access-group ingress-filter in
CBAC configuration
RouterA
ip access-list extended ICMP-filter
remark Allow management ICMP, deny others
permit icmp 172.16.4.12 0.0.0.3 any
deny icmp any any
permit ip any any
int f0/0
ip access-group ICMP-filter out
ip inspect name CBAC-A1 smtp
ip inspect name CBAC-A1 ftp
ip inspect name CBAC-A1 tcp
ip inspect name CBAC-A1 udp
ip inspect name CBAC-A1 icmp
ip inspect name CBAC-A1 http urlfilter
ip inspect tcp synwait-time 15
ip inspect tcp idle-time 300
ip inspect udp idle-time 20
ip urlfilter server vendor websense 172.16.6.2
ip urlfilter cache 7000
ip urlfilter max-request 1500
ip urlfilter max-resp-pak 350
ip urlfilter alert
int f0/0
ip inspect CBAC-A1 out
ip inspect name CBAC-A2 smtp
ip inspect name CBAC-A2 ftp
ip inspect name CBAC-A2 tcp
int lo0
ip inspect CBAC-A2 in
RouterB
ip inspect name CBAC-B smtp
ip inspect name CBAC-B ftp
ip inspect name CBAC-B http
ip inspect name CBAC-B tcp
ip inspect name CBAC-B udp
ip inspect name CBAC-B icmp
ip inspect tcp synwait-time 15
ip inspect tcp idle-time 180
ip inspect udp idle-time 20
int f0/0
ip inspect CBAC-B out
! the ip inspect timers are global, so a second "ip inspect tcp idle-time" entered later would silently replace the 180 s above
NAT configuration
RouterA
ip nat inside source static 172.16.1.2 192.1.1.2
ip nat inside source static 172.16.1.3 192.1.1.3
ip nat inside source static 172.16.1.4 192.1.1.4
ip access-list extended dynamic-pat-addresses
remark Inside-to-inside (VPN) traffic is excluded from translation
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip 172.16.0.0 0.0.255.255 any
! the PAT pool must lie in the router's public block (192.1.1.0/24); a private range here would be unroutable from the Internet
ip nat pool dynamic-pat-pool 192.1.1.250 192.1.1.253 netmask 255.255.255.0
ip nat inside source list dynamic-pat-addresses pool dynamic-pat-pool overload
int lo0
ip nat inside
int f1/0
ip nat inside
int lo1
ip nat inside
int tunnel0
ip nat inside
int f0/0
ip nat outside
ip access-list extended no-static-NAT
! the VPN client pools are /24 networks, so the wildcard is 0.0.0.255
remark ** the email server to the vpn devices
permit ip host 172.16.1.2 172.16.252.0 0.0.0.255
permit ip host 172.16.1.2 172.16.253.0 0.0.0.255
permit ip host 172.16.1.2 172.16.254.0 0.0.0.255
remark ** the DNS server to the vpn devices
permit ip host 172.16.1.3 172.16.252.0 0.0.0.255
permit ip host 172.16.1.3 172.16.253.0 0.0.0.255
permit ip host 172.16.1.3 172.16.254.0 0.0.0.255
remark ** the web server to the vpn devices
permit ip host 172.16.1.4 172.16.252.0 0.0.0.255
permit ip host 172.16.1.4 172.16.253.0 0.0.0.255
permit ip host 172.16.1.4 172.16.254.0 0.0.0.255
int lo100
ip add 172.16.98.1 255.255.255.0
route-map NO-NAT permit 10
match ip address no-static-NAT
set interface lo100
route-map NO-NAT permit 20
int lo0
ip policy route-map NO-NAT
Enable unicast reverse-path forwarding
RouterA
ip cef
int lo1
ip verify unicast reverse-path
int lo0
ip verify unicast reverse-path
int f1/0
ip verify unicast reverse-path
RouterB
ip cef
int lo0
ip verify unicast reverse-path
int lo1
ip verify unicast reverse-path
int lo2
ip verify unicast reverse-path
int f0/0
ip verify unicast reverse-path
RouterC
ip cef
int f0/0
ip verify unicast reverse-path
int lo0
ip verify unicast reverse-path
IDS configuration
RouterA
ip audit notify log
ip audit name IDSRULE attack action alarm drop reset
ip audit name IDSRULE info action alarm
int f0/0
ip audit IDSRULE in
ip inspect max-incomplete high 700
ip inspect max-incomplete low 550
ip inspect one-minute high 800
ip inspect one-minute low 650
Rate limiting
RouterA
access-list 111 deny tcp any any eq 25
access-list 111 deny udp any any eq 53
access-list 111 deny esp any any
access-list 111 deny udp any any eq 500
access-list 111 deny udp any any eq 4500
access-list 111 deny tcp any any eq 80
access-list 111 permit ip any any
class-map match-any non-important-traffic
match access-group 111
policy-map mark-non-important-traffic
class non-important-traffic
set ip dscp 1
int lo1
service-policy input mark-non-important-traffic
int lo0
service-policy input mark-non-important-traffic
int f1/0
service-policy input mark-non-important-traffic
class-map match-any marked-traffic
match dscp 1
policy-map limit-traffic
class marked-traffic
police 256000 32000 32000
conform-action transmit
exceed-action drop
violate-action drop
int f0/0
service-policy output limit-traffic
NTP configuration
RouterA
ntp server 172.16.3.6 key 32 source f1/0
ntp authenticate
ntp authentication-key 32 md5 cisco
ntp trusted-key 32
ntp update-calendar
access-list 19 permit 172.16.3.6 0.0.0.0
ntp access-group peer 19
ntp source f1/0
int lo1
ntp disable
int lo0
ntp disable
int f0/0
ntp disable
Enable log timestamps
RouterA
service timestamps log datetime
logging on
logging host 172.16.3.6
logging trap informational
logging source-interface f1/0
logging origin-id string RouterA
RouterB
service timestamps log datetime
logging on
logging host 172.16.3.6
logging trap informational
logging source-interface lo2
logging origin-id string RouterB
VPN configuration
RouterA
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
crypto isakmp key cisco address 200.1.1.1
! the crypto ACL describes traffic in the outbound direction: local tunnel source to remote peer
access-list 119 permit gre host 192.1.1.1 host 200.1.1.1
crypto ipsec transform-set Routertransform esp-sha-hmac esp-3des
mode tunnel
crypto map ipsecmap 100 ipsec-isakmp
match address 119
set peer 200.1.1.1
set transform-set Routertransform
int f0/0
crypto map ipsecmap
RouterC
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
crypto isakmp key cisco address 192.1.1.1
! mirror image of RouterA's crypto ACL: local tunnel source to remote peer
access-list 119 permit gre host 200.1.1.1 host 192.1.1.1
crypto ipsec transform-set Routertransform esp-sha-hmac esp-3des
mode tunnel
crypto map ipsecmap 100 ipsec-isakmp
match address 119
set peer 192.1.1.1
set transform-set Routertransform
int f0/0
crypto map ipsecmap
Easy VPN configuration
RouterA
aaa authentication login vpnauthenticate group tacacs+
aaa authorization network admin group tacacs+
aaa authorization network accounting group tacacs+
aaa authorization network users group tacacs+
crypto isakmp policy 200
authentication pre-share
encryption 3des
hash md5
group 2
crypto isakmp keepalive 20 10
crypto isakmp xauth timeout 45
ip local pool admin_pool 172.16.252.1 172.16.252.254
ip local pool accounting_pool 172.16.253.1 172.16.253.254
ip local pool users_pool 172.16.254.1 172.16.254.254
crypto isakmp client configuration group admin
key adminkey123
pool admin_pool
domain cisco.com
dns 172.16.3.2
acl 131
firewall are-u-there
access-list 131 permit ip any 172.16.0.0 0.0.255.255
crypto isakmp client configuration group accounting
key accountingkey123
pool accounting_pool
domain cisco.com
dns 172.16.3.2
acl 131
firewall are-u-there
crypto isakmp client configuration group users
key userskey123
pool users_pool
domain cisco.com
dns 172.16.3.2
acl 131
firewall are-u-there
crypto ipsec transform-set easyvpn esp-3des esp-sha-hmac
crypto dynamic-map dynamic_map 100
set transform-set easyvpn
crypto map ipsecmap client authentication list vpnauthenticate
! a crypto map holds a single ISAKMP authorization list, so the last line entered (users) is the one in effect;
! that is harmless here because all three lists point to the same TACACS+ group, and the group name
! presented by the client selects the matching "crypto isakmp client configuration group" policy
crypto map ipsecmap isakmp authorization list admin
crypto map ipsecmap isakmp authorization list accounting
crypto map ipsecmap isakmp authorization list users
crypto map ipsecmap client configuration address respond
crypto map ipsecmap 999 ipsec-isakmp dynamic dynamic_map
Finally, save the configuration
copy running-config startup-config
Download the ISCW configuration document and lab rack: