
Chapitre 2 :

R1(config) #no ip domain-lookup R1(config) #service password-encryption R1(config)#security passwords min-length 10 R1(config)#banner motd $ Unauthorized access strictly prohibited and prosecuted to the full extent of the law $ R1(config)#login block-for 60 attempts 2 within 30 R1(config)#login on-success log R1(config)#login on-failure log every 2 R1(config)#login quiet-mode access-class 2 R1(config)#login delay 5 R1(config) #security authentication failure rate 2 log R1#show login

R1(config)#line console 0 R1(config-line)#login local R1(config-line)#exec-timeout 5 0 R1(config-line)#login (login alone uses the line password; login local uses the local username database, so only one of the two applies) R1(config-line)#logging synchronous

R1(config)#ip domain-name ccnasecurity.com R1(config)#username admin privilege 15 secret cisco12345 R1(config)#line vty 0 4 R1(config-line)#privilege level 15 R1(config-line)#login local R1(config-line)#transport input ssh R1(config)#crypto key generate rsa general-keys modulus 1024 R1(config)#crypto key zeroize rsa (deletes the RSA key pair) R1(config)#ip ssh time-out 90 R1(config)#ip ssh authentication-retries 2 R1#show ip ssh R1#show crypto key mypubkey rsa

R1(config)#secure boot-image (enable Cisco IOS resilience) R1(config)#secure boot-config (take a snapshot of the router running configuration and securely archive it in persistent storage) R1#show secure bootset ROMmon>dir flash: ROMmon>boot nom-d-image R1(config)#secure boot-config restore nom-fichier R1(config)#no service password-recovery (désactiver l'accès au mode ROMmon)

R1(config)#(no) logging on R1(config)#logging host ip/name R1(config)#logging source-interface int/number R1(config)#logging trap level (0-7)

NTP R1(config)#clock set 10:00:00 aug 13 2013 R1(config)#ntp master R1(config)#ntp server 192.168.1.1 (client) R1(config)#ntp authenticate R1(config)#ntp authentication-key 1 md5 cisco123 R1(config)#ntp trusted-key 1 R1(config-if)#ntp broadcast (server) R1(config-if)#ntp broadcast client R1#show clock R1#show ntp status R1#show ntp associations detail

Chapitre 3: R1(config)#username Admin secret P@555w0rd R1(config)#aaa new-model R1(config)#aaa authentication login default local local-case enable group radius none (max 4 methods) R1(config)#aaa authentication login TELNET-LOGIN local-case R1(config)#aaa local authentication attempts max-fail 4 R1(config)#login delay 3 (1-10 s) R1(config)#line vty 0 4 R1(config-line)#login authentication TELNET-LOGIN R1(config)#tacacs-server host ip-server single-connection R1(config)#tacacs-server key chalaka123 R1(config)#radius-server host 192.168.1.20 (ip-server) R1(config)#radius-server key the-key R1(config)#aaa authentication login default group tacacs+/group radius local-case R1(config)#aaa authorization exec network/default group tacacs+ R1(config)#aaa authorization console R1(config)#aaa authorization exec default local R1(config)#aaa authorization exec default if-authenticated (les utilisateurs auront priv 15) R1(config)#aaa authorization config-commands R1(config)#aaa accounting exec default start-stop group tacacs+ R1(config)#aaa accounting network default start-stop group tacacs+

R1#debug aaa ? R1#show aaa sessions R1#show aaa local user lockout R1#clear aaa local user lockout all/username name R1#show aaa user all/name R1#debug tacacs ? R1#debug radius ? R1#debug radius/tacacs events

Time based-ACL: R1(config)# time-range employee-time R1(config-time-range)#absolute [start_time start_date] [end_time end_date] R1(config-time-range) #periodic weekdays 12:00 to 13:00 R1(config-time-range)#periodic weekdays 17:00 to 19:00 R1(config-time-range)#exit R1(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time R1(config)#access-list 100 deny ip any any R1(config)#interface FastEthernet 0/0 R1(config-if)#ip access-group 100 in R1(config-if)#exit

Dynamic ACL: R1(config)#username student secret cisco123 R1(config)#access-list 100 permit tcp any (ou un réseau) host 10.2.2.2 (router address) eq 23 R1(config)#access-list 100 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 R1(config)#interface FastEthernet 0/0 R1(config-if)#ip access-group 100 in R1(config)#line vty 0 4 R1(config-line)#autocommand access-enable host timeout minutes 5 R1(config-line)#login local

Reflexive ACL: R1(config)# ip access-list extended internal_ACL R1(config-ext-nacl)#permit tcp any any eq 80 reflect web-only-reflexive-ACL R1(config-ext-nacl)#permit udp any any eq 53 reflect dns-only-reflexive-ACL timeout 10 R1(config)# ip access-list extended external_ACL R1(config-ext-nacl)#evaluate web-only-reflexive-ACL R1(config-ext-nacl)#evaluate dns-only-reflexive-ACL R1(config-ext-nacl)#deny ip any any R1(config)#interface s0/0/0 R1(config-if)#description connection to the ISP. R1(config-if)#ip access-group internal_ACL out R1(config-if)#ip access-group external_ACL in

Object groups : R1(config)#object-group network name-group R1(config-network-group)#host ip-add R1(config-network-group)#network-address net-id mask R1(config-network-group)#range ip1 ip2 R1(config-network-group)#group-object name (ajouter un object-group à un autre) R1(config)#object-group service name-service (protocols) R1(config-service-group)#tcp http/telnet/ssh/ftp R1(config-service-group)#udp tftp/dns R1(config)#ip access-list extended name R1(config-ext-nacl)#permit/deny tcp/udp object-group name-service/object-group name-group ip-destination

ZBFW: R1(config)#zone security zone1 R1(config)#int f0/0 R1(config-if)#zone-member security zone1 R1(config)#class-map type inspect telnet-traffic R1(config-cmap)#match protocol telnet / match access-group 100 (access-list précise) R1(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.1.66 eq 23 R1(config)#policy-map type inspect allow-telnet R1(config-pmap)#class type inspect telnet-traffic R1(config-pmap-c)#inspect R1(config)#zone-pair security zone1-zone2 source zone1 destination zone2 R1(config-sec-zone-pair)#service-policy type inspect allow-telnet R1#show policy-map type inspect zone-pair session

CBAC: R1(config)#access-list 100 permit tcp 192.168.1.0 0.0.0.255 any R1(config)#access-list 100 permit udp 192.168.1.0 0.0.0.255 any R1(config)#access-list 100 permit icmp 192.168.1.0 0.0.0.255 any R1(config)#int f0/0 R1(config-if)#ip access-group 100 in R1(config)#access-list 150 deny ip any any R1(config)#int s0/0 R1(config-if)#ip access-group 150 in R1(config)#ip inspect name traffic-return tcp R1(config)#ip inspect name traffic-return udp R1(config)#int fa0/0 R1(config-if)#ip inspect traffic-return in R1#show ip inspect all

Chapitre 5:

R1#format disk0: R1#mkdir ips R1#dir disk0: R1#copy ftp://10.0.0.2/IOS-S636-CLI.pkg disk0:/ips R1(config)#crypto key pubkey-chain rsa R1(config-pubkey-chain)#named-key realm-cisco.pub signature R1(config-pubkey-chain)#key-string 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 F3020301 0001 R1(config-pubkey-chain)#quit R1(config)#ip ips name ios-ips R1(config)#ip ips config location disk0:/ips (ip ips sdf location disk0:/ips) R1(config)#ip ftp username chalaka R1(config)#ip ftp password qwerty123 R1(config)#ip http server R1(config)#ip http secure-server R1(config)#ip ips notify sdee R1(config)#ip ips notify log R1(config)#logging 192.168.1.100 R1(config)# logging on R1(config)#ip ips signature-category R1(config-ips-category)#category all R1(config-ips-category-action)#retired true R1(config-ips-category-action)#exit R1(config-ips-category)#category ios_ips basic R1(config-ips-category-action)#retired false R1(config-ips-category-action)#exit R1(config) #int fa0/0 R1(config-if)#ip ips ios-ips in

R1#show ip ips all R1#show ip ips configuration R1#show ip ips interfaces R1#show ip ips signatures R1#show ip ips statistics

Chapitre 6: SW1(config)#int fa0/12 SW1(config-if)#switchport mode access/trunk SW1(config-if)#switchport port-security/nonegotiate SW1(config-if)#switchport port-security maximum 2/trunk native vlan vlan-num SW1(config-if)#switchport port-security mac-address sticky SW1(config-if)#switchport port-security violation shutdown/restrict/protect (violation vlan) SW1(config-if)#switchport port-security mac-address 00-0A-EF-B5-32-89 (exemple) SW1(config-if)#switchport port-security aging static/time 0-1440 min/type (absolute/inactivity) SW1(config-if)#switchport access vlan 10 SW1(config)#spanning-tree portfast default SW1(config)#int fa0/12 SW1(config-if)#spanning-tree portfast (spanning-tree bpdufilter enable) SW1(config)#spanning-tree portfast bpduguard default SW1(config)#spanning-tree portfast bpdufilter default SW1(config-if)#spanning-tree guard root SW1(config)#int fa0/1 SW1(config-if)#storm-control broadcast level 75.5 SW1(config-if)#storm-control multicast level pps 2k 1k SW1(config-if)#storm-control action shutdown

SW1(config)#monitor session 1 source interface fa0/5 rx/tx/both SW1(config)#monitor session 1 destination interface fa0/1 rx/tx/both (IDS port) SW1(config)#monitor session 1 source vlan 10 rx SW1(config)#monitor session 1 source vlan 20 tx SW1(config)#monitor session 1 destination interface f0/1

SW1#show interfaces trunk/show interface fa0/1 trunk/ show interface fa0/1 switchport SW1#show port-security SW1#show port-security int f0/12 SW1#show port-security address SW1#show spanning-tree summary totals/show spanning-tree interface fa0/5 detail SW1#show spanning-tree inconsistent-ports SW1#show storm-control SW1#show monitor session 1

Chapitre 8: GRE VPN: R1(config)#int tunnel 0 R1(config-if)#ip address 20.0.0.1 255.0.0.0 R1(config-if)#tunnel source f0/0 R1(config-if)#tunnel destination 1.1.1.2 R1(config-if)#tunnel mode gre ip R1(config)#ip route 172.16.0.0 255.255.0.0 tunnel 0

VPN Site-To-Site 1-Ensure that IP protocols ESP (50) and AH (51) and UDP port 500 (IKE) are not blocked. 2-IKE phase 1 R1(config)#crypto isakmp policy 10 R1(config-isakmp)#authentication pre-share R1(config-isakmp)#encryption des/3des/aes 128/192 R1(config-isakmp)#group 1/2/5 R1(config-isakmp)#hash md5/sha R1(config-isakmp)#lifetime 86400 (secondes) R1(config)#crypto isakmp key CHAlaka123@ address 192.168.1.2 (next router tunnel 0) 3-IKE phase 2 (transform-set) R1(config)#crypto ipsec transform-set chicago-set esp-des/3des/aes esp-md5/sha

4-create map R1(config)#crypto map vers-chicago 10 ipsec-isakmp (map-name seq-num) R1(config-crypto-map)#match address 100 (ACL number) R1(config-crypto-map)#set peer 192.168.1.2 (next hop, tunnel) R1(config-crypto-map)#set pfs group1 (DH group 1/2/5) R1(config-crypto-map)#set transform-set chicago-set R1(config-crypto-map)#set security-association lifetime seconds 86400 R1(config)#int s0/0/0 R1(config-if)#crypto map vers-chicago

R1#show crypto map R1#show crypto isakmp policy

R1#show crypto ipsec sa R1#show crypto ipsec transform-set R1#show crypto isakmp R1#show crypto ipsec
