
!========= R1
enable
conf t
host R1
no ip domain-lookup
!**************************
security passwords min-length 10
enable secret ciscosecret
!

!3
banner motd #ROUTER R1#
!4
! 'password' is stored reversibly (plaintext or type 7); only 'secret' is hashed
username user01 privilege 0 password user01pass
username user02 privilege 0 password user02pass
username admin privilege 15 secret adminpassw
!5
line con 0
 logging synchronous
 login local
 exit
!6
login block-for 60 attempts 15 within 120
access-list 1 permit host ___ip host____
login quiet-mode access-class 1
!7
service timestamps log datetime msec
login on-success log
login on-failure log
logging host 192.168.33.12
logging trap warnings
logging trap critical   ! replaces the previous line: trap level is a single setting, so only critical (2) and above are sent
!8
ip domain-name ccna.cl
crypto key generate rsa modulus 1024
ip ssh version 2
ip ssh time-out 30
ip ssh authentication-retries 5
!*** VTY
line vty 0 4
 password _______
 login
 access-class 11 in   !! (this is for the ACL rule on SSH)
 exit
! Note: without 'transport input ssh' these VTYs still accept telnet, and 'login' with a line
! password gives a single shared credential rather than per-user accounts.
!*** ACL - SSH
! Permit only the ADMIN host
access-list 11 permit 192.168.33.4
access-list 11 deny any

!*** Console
line con 0
 password _______
 login
 logging synchronous
 exit
!*** Aux
line aux 0
 password lineauxcon
 login
!
ntp master 3
!ntp server 10.0.23.2
!ntp update-calendar
****************************************************************
aaa new-model
enable view   ! exec command; prompts for the enable secret (ciscosecret)
!!! VERIFICADOR
conf t
parser view VERIFICADOR
 secret verificador
 commands exec include show flash
 commands exec include show ram
 commands exec include show version
parser view INTERFACES
 secret interfaces
 commands exec include configure
 commands exec include show interfaces
 commands configure include interface   ! the configure-mode keyword is 'interface'
 commands exec include ping
parser view ENRURAMIENTO
 secret enrutamiento
 commands exec include configure
 commands exec include show interfaces
 commands configure include interface
 commands exec include ping
 commands configure include ip route   ! 'ip route' is a configure-mode command, not an exec command

!!!*** STATIC ROUTES
ip route 192.168.20.0 255.255.255.0 10.0.12.2
ip route 192.168.21.0 255.255.255.0 10.0.12.2
ip route 192.168.22.0 255.255.255.0 10.0.12.2
ip route 192.168.33.0 255.255.255.248 10.0.12.2

ip route 10.0.23.0 255.255.255.0 10.0.12.2
ip route 192.168.30.0 255.255.255.0 10.0.12.2
ip route 192.168.31.0 255.255.255.0 10.0.12.2
ip route 192.168.32.0 255.255.255.0 10.0.12.2
ip route 192.168.33.0 255.255.255.0 10.0.12.2

username administrador privilege 15 secret adminpassw
login block-for 45 attempts 10 within 180
access-list 1 permit host 192.168.33.10
login quiet-mode access-class 1
login on-success log
login on-failure log every 2   ! one syslog message per two failures
!*** SSH
ip domain-name pruebaccnp2.cl
crypto key generate rsa modulus 1024
ip ssh version 2
ip ssh time-out 110
ip ssh authentication-retries 5
!*** VTY
line vty 0 4
 !password ...
 !login
 privilege level 15   ! caution: every successful SSH login lands at level 15, whatever the user's own privilege
 exec-timeout 5 0
 transport input ssh
 exit
!*** Console
line console 0
 login local
 logging synchronous
 exec-timeout 5 0
 exit
!*** Aux
line aux 0
 password ciscoauxpass
 exec-timeout 5 0
 login
ntp server 10.0.23.2
ntp update-calendar
clock set 19:00:00 Oct 01 2012
!*** Users
aaa new-model
!enable view
!pac6501pas
parser view revisor
 secret revisorpass
!**************************

int lo0
 ip addr 192.168.10.1 255.255.255.0
 exit
int lo1
 ip addr 192.168.11.1 255.255.255.0
 exit
int lo2
 ip addr 192.168.12.1 255.255.255.0
 exit
int s0/0
 ip addr 10.0.12.1 255.255.255.0
 clock rate 128000
 no shut
 exit
exit
wr
!========= R2
enable
conf t
host R2
no ip domain-lookup
ip route 192.168.30.0 255.255.255.0 10.0.23.3
ip route 192.168.31.0 255.255.255.0 10.0.23.3
ip route 192.168.32.0 255.255.255.0 10.0.23.3
ip route 192.168.33.0 255.255.255.0 10.0.23.3

ip route 192.168.10.0 255.255.255.0 10.0.12.1
ip route 192.168.11.0 255.255.255.0 10.0.12.1
ip route 192.168.12.0 255.255.255.0 10.0.12.1
int lo0
 ip addr 192.168.20.2 255.255.255.0
 exit
int lo1
 ip addr 192.168.21.2 255.255.255.0
 exit
int lo2
 ip addr 192.168.22.2 255.255.255.0
 exit
int s0/0
 ip addr 10.0.12.2 255.255.255.0
 clock rate 128000
 no shut
 exit
int s0/1
 ip addr 10.0.23.2 255.255.255.0
 clock rate 128000
 no shut
 exit
exit
wr

!========= R3
enable
conf t
host R3
no ip domain-lookup
ip route 192.168.20.0 255.255.255.0 10.0.23.2
ip route 192.168.21.0 255.255.255.0 10.0.23.2
ip route 192.168.22.0 255.255.255.0 10.0.23.2
ip route 10.0.12.0 255.255.255.0 10.0.23.2
ip route 192.168.10.0 255.255.255.0 10.0.23.2
ip route 192.168.11.0 255.255.255.0 10.0.23.2
ip route 192.168.12.0 255.255.255.0 10.0.23.2
int lo0
 ip addr 192.168.30.3 255.255.255.0
 exit
int lo1
 ip addr 192.168.31.3 255.255.255.0
 exit
int lo2
 ip addr 192.168.32.3 255.255.255.0
 exit
int s0/1
 ip addr 10.0.23.3 255.255.255.0
 clock rate 128000
 no shut
 exit
int f0/0
 ip addr 192.168.33.3 255.255.255.0
 no shut
 exit
exit
wr

***** Operator View Sample
Router# enable view
Password: secretpswd
Router# configure terminal
Router(config)# parser view operator
Router(config-view)# secret Oper@torPswd   ! the view password is set with 'secret'; 'secret 5' expects an already-hashed value
Router(config-view)# commands exec include ping
Router(config-view)# commands exec include show hardware
Router(config-view)# commands exec include show interfaces
Router(config-view)# commands exec include show version
Router(config-view)# exit
***** Acme Company Network Administrator
Router(config)# parser view NetOps

Router(config-view)# secret NetOps@Pswd
Router(config-view)# commands exec include clear
Router(config-view)# commands exec include copy
Router(config-view)# commands exec include ping
Router(config-view)# commands exec include all show
Router(config-view)# commands exec include configure
Router(config-view)# commands configure include access-list
Router(config-view)# commands configure include clock
Router(config-view)# commands configure include hostname
Router(config-view)# commands configure include interface
Router(config-view)# commands configure include ip
Router(config-view)# commands configure include line
Router(config-view)# exit
***** Acme Company Security Administrator View Sample Configuration
Router(config)# parser view SecOps
Router(config-view)# secret SecOps@Pswd
Router(config-view)# commands exec include copy running-config
Router(config-view)# commands exec include login
Router(config-view)# commands exec include all show
Router(config-view)# commands exec include-exclusive show crypto
Router(config-view)# commands exec include-exclusive show key
Router(config-view)# commands exec include configure terminal
Router(config-view)# commands configure include access-list
Router(config-view)# commands configure include-exclusive crypto
Router(config-view)# commands configure include-exclusive key
Router(config-view)# commands configure include-exclusive li-view
Router(config-view)# exit
include-exclusive adds the command to this view and removes it from every other view, so once SecOps owns show crypto and show key, NetOps' "commands exec include all show" no longer reaches them.
***** Verification
show parser view [all]
show users
copy running-config startup-config
ntp master 3
clock set 20:12:00 Dec 17 2008
***** Login quiet mode
Use the login block-for command to configure a 60 second login shutdown (quiet mode timer) if two failed login attempts are made within 30 seconds.
R1(config)# login block-for 60 attempts 2 within 30
***** IOS resilient configuration (protects the boot image from deletion)
R1(config)# secure boot-image
***** Syslog
R1(config)# service timestamps log datetime msec
c. Configure the syslog service on the router to send syslog messages to the syslog server.
R1(config)# logging host 192.168.1.3
R1(config)# logging trap warnings
R1(config)# logging trap critical
logging trap is a single setting, so the second line replaces the first: only messages at severity critical (2) and above reach the server, and warnings (4) and errors (3) are not sent. Keep the one level you actually want.
***** Enabling HTTPS (HTTP Secure) on a Cisco router
To configure and monitor the router from a browser over an encrypted connection, enable HTTPS (Hypertext Transfer Protocol Secure) on the router. On a Cisco router HTTPS is enabled with the ip http secure-server command.

ip http secure-server
HTTPS gives a secure, encrypted way to reach the router from a web browser using Secure Sockets Layer (SSL) and Transport Layer Security (TLS). By default the router generates a self-signed digital certificate in the configuration, which you can inspect with:
show running-config | section crypto
By default the HTTPS server listens on port 443; to change the port, use the following commands:
Router# configure terminal
Router(config)# ip http secure-port 8080
Router(config)# end
Router# copy running-config startup-config
Once HTTPS is up, disable the plaintext ip http server so that web-management credentials are never sent in the clear. Browsers will warn about the self-signed certificate until it is replaced by one issued by a CA the clients trust.

Implement AAA services and HTTP router access prior to starting CCP.
a. From the CLI global config mode, enable a new AAA model.
R3(config)# aaa new-model
b. Enable the HTTP server on R3 for CCP access.
R3(config)# ip http server
c. Create a privilege 15 local user for CCP to log in with.
R3(config)# username admin privilege 15 secret cisco12345
d. Have CCP use the local database to authenticate web sessions.
R3(config)# ip http authentication local
Caveat: ip http server is plain HTTP, so the level-15 credentials from step c cross the network in the clear on every CCP session. Outside a lab, use ip http secure-server (previous section) instead and limit which hosts may reach the web server with ip http access-class, in the same way the VTY lines are limited with access-class.
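The configurations above are easy to get subtly wrong: a 'password' where a 'secret' was meant, a second logging trap line that silently replaces the first, VTYs that still accept telnet, plain HTTP for management. The following script is an added example (not from these notes and not Cisco code) that parses a running-config excerpt and flags those settings. It assumes the one-space sub-mode indentation IOS uses in show running-config, and the two sample configs are constructed from the R1 configuration above with the placeholder passwords filled in.

```python
"""Audit an IOS running-config excerpt for the weak settings discussed in these notes.

Added example, not IOS code and not from the original notes. Assumptions: sub-mode
commands are indented by one space (as in 'show running-config'); the sample inputs
are constructed from the R1 configuration above with placeholders filled in.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: R1 as written in the notes (weak settings included).
SAMPLE_CONFIG = """\
hostname R1
security passwords min-length 10
enable secret ciscosecret
username user01 privilege 0 password user01pass
username admin privilege 15 secret adminpassw
login block-for 60 attempts 15 within 120
logging host 192.168.33.12
logging trap warnings
logging trap critical
ip ssh version 2
ip http server
ip http authentication local
access-list 11 permit 192.168.33.4
access-list 11 deny any
line con 0
 logging synchronous
 login local
line vty 0 4
 password vtypass
 login
 access-class 11 in
"""

# Constructed hardened variant of the same router, expected to produce no findings.
HARDENED_CONFIG = """\
hostname R1
aaa new-model
enable secret ciscosecret
username admin privilege 15 secret adminpassw
login block-for 60 attempts 2 within 30
logging host 192.168.33.12
logging trap warnings
ip ssh version 2
ip http secure-server
ip http authentication local
access-list 11 permit 192.168.33.4
line vty 0 4
 access-class 11 in
 transport input ssh
 exec-timeout 5 0
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global commands, {mode header: its indented sub-commands})."""
    globals_: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and comments
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            globals_.append(current)
            sections.setdefault(current, [])
    return globals_, sections


def audit(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    globals_, sections = parse_config(text)
    findings: List[str] = []

    for cmd in globals_:
        # 'password' is stored reversibly (type 0 or 7); 'secret' is hashed.
        if re.match(r"username \S+ .*\bpassword\b", cmd):
            findings.append(f"reversible user password, use 'secret': {cmd}")
        if cmd.startswith("enable password"):
            findings.append("enable password is reversible, use 'enable secret'")

    # 'logging trap' is a single setting: a later line replaces an earlier one.
    traps = [c for c in globals_ if c.startswith("logging trap ")]
    if len(traps) > 1:
        findings.append(f"multiple 'logging trap' lines, only the last one applies: {traps[-1]}")

    if "ip http server" in globals_ and "ip http secure-server" not in globals_:
        findings.append("plaintext 'ip http server' without 'ip http secure-server'")
    if not any(c.startswith("login block-for") for c in globals_):
        findings.append("no 'login block-for' (no quiet mode against password guessing)")
    if "ip ssh version 2" not in globals_:
        findings.append("'ip ssh version 2' not set, SSHv1 still negotiable")

    for header, sub in sections.items():
        if not header.startswith("line vty"):
            continue
        if not any(c.startswith("transport input ssh") for c in sub):
            findings.append(f"{header}: no 'transport input ssh', telnet still accepted")
        if not any(c.startswith("access-class") and c.endswith(" in") for c in sub):
            findings.append(f"{header}: no inbound access-class restricting management sources")
        if "privilege level 15" in sub:
            findings.append(f"{header}: 'privilege level 15' gives every login full access")
        if "login" in sub and "aaa new-model" not in globals_:
            findings.append(f"{header}: shared line password instead of per-user accounts")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
    print("hardened:", audit(HARDENED_CONFIG))
```

Run it against the output of show running-config (saved to a file) to get the same list; the parser deliberately ignores parser view and interface sub-modes, so extend the vty loop if you want to check, for example, that no view includes configure without an include-exclusive on crypto.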

!!!!**** INTERNAL ACL THAT LETS HTTP AND DNS TRAFFIC OUT (and records each session for the return path)
R1(config)# ip access-list extended internal_ACL
R1(config-ext-nacl)# permit tcp any any eq 80 reflect web-only-reflexive-ACL
R1(config-ext-nacl)# permit udp any any eq 53 reflect dns-only-reflexive-ACL timeout 10
!!!!**** Continuing the HTTP and DNS example, this syntax creates an external ACL that denies all traffic originating outside the network but permits the returning HTTP and DNS traffic.
R1(config)# ip access-list extended external_ACL
R1(config-ext-nacl)# evaluate web-only-reflexive-ACL
R1(config-ext-nacl)# evaluate dns-only-reflexive-ACL
R1(config-ext-nacl)# deny ip any any
!!!**** The last step is to apply the ACLs.
R1(config)# interface s0/0/0
R1(config-if)# description connection to the ISP.
R1(config-if)# ip access-group internal_ACL out
R1(config-if)# ip access-group external_ACL in
Two things to keep in mind: each reflect line creates a temporary entry that mirrors the outbound session (addresses and ports swapped), and 'timeout 10' is in seconds, so the DNS entry disappears 10 seconds after the last matching packet. internal_ACL also ends with the usual implicit deny, so with only these two lines nothing except HTTP and DNS can leave through s0/0/0; add further permit lines (with or without reflect) for any other traffic the inside hosts need.
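To make the reflexive behaviour concrete, here is an added example (not IOS code and not from the notes) that models the internal_ACL / external_ACL pair above as a small stateful filter and runs a constructed packet sequence through it. Two assumptions are labelled in the code: entries without an explicit timeout get 300 seconds (the IOS global reflexive default), and an entry's expiry is fixed when it is created, whereas real IOS also refreshes it on matching traffic and removes TCP entries when it sees FIN or RST.

```python
"""Stateful model of the reflexive ACL pair above (internal_ACL out / external_ACL in).

Added example, not IOS code and not from the original notes. Assumptions: 300 s is
the IOS default for reflexive entries without an explicit 'timeout'; the expiry of an
entry is fixed at creation (real IOS refreshes it on matching traffic and drops TCP
entries on FIN/RST). All addresses and packets below are constructed test input.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_REFLEXIVE_TIMEOUT = 300  # assumed IOS default (ip reflexive-list timeout), seconds
DNS_REFLEXIVE_TIMEOUT = 10       # from 'reflect dns-only-reflexive-ACL timeout 10'


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveFirewall:
    def __init__(self) -> None:
        # reflected 5-tuple -> expiry timestamp (seconds)
        self.entries: Dict[Tuple[str, str, int, str, int], float] = {}

    def outbound(self, pkt: Packet, now: float) -> str:
        """internal_ACL applied 'out' on s0/0/0: the two reflect lines, then the implicit deny."""
        if pkt.proto == "tcp" and pkt.dport == 80:
            ttl = DEFAULT_REFLEXIVE_TIMEOUT
        elif pkt.proto == "udp" and pkt.dport == 53:
            ttl = DNS_REFLEXIVE_TIMEOUT
        else:
            return "deny"  # implicit deny: only HTTP and DNS leave through this interface
        # The reflected entry is the mirror image of the outbound packet.
        mirrored = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirrored] = now + ttl
        return "permit"

    def inbound(self, pkt: Packet, now: float) -> str:
        """external_ACL applied 'in': evaluate both reflexive lists, then deny ip any any."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is not None and now < expiry:
            return "permit"
        self.entries.pop(key, None)  # forget an expired entry
        return "deny"


def demo() -> List[str]:
    """Constructed traffic sequence; returns the decision for each packet in order."""
    fw = ReflexiveFirewall()
    inside, web, dns = "192.168.10.5", "203.0.113.80", "203.0.113.53"
    return [
        fw.outbound(Packet("tcp", inside, 40000, web, 80), now=0),   # permit, entry created
        fw.inbound(Packet("tcp", web, 80, inside, 40000), now=1),    # permit, matches reflected entry
        fw.inbound(Packet("tcp", web, 80, inside, 40001), now=1),    # deny, unsolicited (no entry)
        fw.outbound(Packet("udp", inside, 50000, dns, 53), now=0),   # permit, 10 s entry
        fw.inbound(Packet("udp", dns, 53, inside, 50000), now=5),    # permit, within 10 s
        fw.inbound(Packet("udp", dns, 53, inside, 50000), now=12),   # deny, entry expired
        fw.outbound(Packet("tcp", inside, 40002, web, 443), now=0),  # deny, HTTPS is not in internal_ACL
    ]


if __name__ == "__main__":
    print(demo())
```

The last packet is the one people trip over in practice: the pair of ACLs is a stateful filter only for the protocols you reflect, and everything else outbound is dropped by the implicit deny at the end of internal_ACL.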

!!!!***** TIME-RANGE ACL
R1(config)# time-range DIAPORMEDIO
R1(config-time-range)# periodic monday wednesday friday 8:00 to 17:00
R1(config-time-range)# exit
R1(config)# access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range DIAPORMEDIO
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 101 out
R1(config-if)# exit
Outside the time range the entry is simply inactive, and since access-list 101 has no other lines, the implicit deny then matches everything: not just telnet but all traffic leaving s0/0/0 is dropped on Tuesdays, Thursdays, weekends and after 17:00. If the intent is only to time-limit telnet, add the permit lines for the other traffic after it. The time range also depends on the router's clock, so pair it with NTP (ntp server, as configured above) rather than a manually set clock.
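An added example (not IOS code and not from the notes) that evaluates access-list 101 with its time range against a packet and a clock reading, using the entry and time range exactly as configured above. It assumes the 17:00 end time is inclusive; the source addresses and timestamps are constructed test input (1 October 2012, the date the notes set with clock set, is a Monday).

```python
"""Evaluate the time-range ACL above (access-list 101 / DIAPORMEDIO) for a packet at a given time.

Added example, not IOS code and not from the original notes. Assumptions: the
time-range end time is inclusive; packets and timestamps are constructed test input.
"""
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Dict, List

# time-range DIAPORMEDIO: periodic monday wednesday friday 8:00 to 17:00 (weekday(): Monday = 0)
TIME_RANGES: Dict[str, dict] = {
    "DIAPORMEDIO": {"weekdays": {0, 2, 4}, "start": time(8, 0), "end": time(17, 0)},
}

# access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range DIAPORMEDIO
ACL_101: List[dict] = [
    {"action": "permit", "proto": "tcp", "src": "192.168.10.0", "wildcard": "0.0.0.255",
     "dport": 23, "time_range": "DIAPORMEDIO"},
]


def time_range_active(name: str, when: datetime) -> bool:
    """True when the periodic time range is in effect at 'when'."""
    tr = TIME_RANGES[name]
    return when.weekday() in tr["weekdays"] and tr["start"] <= when.time() <= tr["end"]


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(ip)) ^ int(IPv4Address(network))) & care == 0


def acl_decision(acl: List[dict], proto: str, src: str, dport: int, when: datetime) -> str:
    """First matching active entry wins; an ACL with no match denies (implicit deny)."""
    for entry in acl:
        tr = entry.get("time_range")
        if tr and not time_range_active(tr, when):
            continue  # entry is inactive outside its time range
        if (entry["proto"] == proto and entry["dport"] == dport
                and wildcard_match(src, entry["src"], entry["wildcard"])):
            return entry["action"]
    return "deny"


def demo() -> List[str]:
    """Constructed packets against access-list 101 at three different clock readings."""
    lan_host = "192.168.10.5"
    mon_9 = datetime(2012, 10, 1, 9, 0)    # Monday, inside the window
    tue_9 = datetime(2012, 10, 2, 9, 0)    # Tuesday, not a listed day
    mon_18 = datetime(2012, 10, 1, 18, 0)  # Monday, after 17:00
    return [
        acl_decision(ACL_101, "tcp", lan_host, 23, mon_9),    # permit
        acl_decision(ACL_101, "tcp", lan_host, 23, tue_9),    # deny, wrong day
        acl_decision(ACL_101, "tcp", lan_host, 23, mon_18),   # deny, after hours
        acl_decision(ACL_101, "tcp", "10.9.9.9", 23, mon_9),  # deny, source outside 192.168.10.0/24
        acl_decision(ACL_101, "tcp", lan_host, 80, mon_9),    # deny, HTTP never matches (implicit deny)
    ]


if __name__ == "__main__":
    print(demo())
```

The fifth result is the point made above: because the ACL holds a single permit, HTTP from the LAN is dropped on s0/0/0 at every hour of every day, not just telnet outside the window.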