III Guía_CCNA_SecurityV4.docx

Guía CCNA Security v2

Contents
  Established ACLs
  Time-Based ACLs
  Dynamic ACLs
  IP/ICMP ACLs
  ACLs for OSPF and EIGRP
  IPv6 ACLs
  Reflexive ACLs

@ NMT 2013


Established ACLs

Configure the addressing shown. Configure OSPF as shown in the figure, advertising the directly connected interfaces. R3 is the ASBR router for this scenario. According to company policy, only traffic initiated locally from routers R1 and R2 is allowed. Use ACL 103. Enable telnet on all routers with the password cisco. Telnet sessions must never be closed. On R3, logs for both kinds of attempt (failed/successful) must be sent to the console.

R1
router ospf 1
 router-id 1.1.1.1

interface range fastEthernet 0/0 - 1
 ip ospf 1 area 0
 ip ospf network point-to-point

interface Loopback0
 ip ospf 1 area 0

line vty 0 4
 exec-timeout 0 0
 password cisco
 login

R2
router ospf 1
 router-id 2.2.2.2

interface range fastEthernet 0/0 - 1
 ip ospf 1 area 0
 ip ospf network point-to-point

interface Loopback0
 ip ospf 1 area 0

line vty 0 4
 exec-timeout 0 0
 password cisco
 login

R3
router ospf 1
 router-id 3.3.3.3

interface range fastEthernet 0/0 - 1
 ip ospf 1 area 0
 ip ospf network point-to-point

interface Serial1/0
 ip ospf 1 area 1

interface Loopback0
 ip ospf 1 area 0

line vty 0 4
 exec-timeout 0 0
 password cisco
 login

R4
router ospf 1
 router-id 4.4.4.4

interface Serial1/0
 ip ospf 1 area 1

interface Loopback0
 ip ospf 1 area 1

line vty 0 4
 exec-timeout 0 0
 password cisco
 login

R3#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/  -        00:00:37    10.1.13.1       FastEthernet0/0
2.2.2.2           0   FULL/  -        00:00:38    10.1.23.2       FastEthernet0/1
4.4.4.4           0   FULL/  -        00:00:33    10.1.34.4       Serial1/0

R1#sh ip route ospf
     10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O       10.1.23.0/24 [110/2] via 10.1.13.3, 00:24:17, FastEthernet0/1
                     [110/2] via 10.1.12.2, 00:24:27, FastEthernet0/0
O IA    10.1.34.0/24 [110/65] via 10.1.13.3, 00:05:27, FastEthernet0/1
O       10.2.2.2/32 [110/2] via 10.1.12.2, 00:05:55, FastEthernet0/0
O       10.3.3.3/32 [110/2] via 10.1.13.3, 00:05:55, FastEthernet0/1
O IA    10.4.4.4/32 [110/66] via 10.1.13.3, 00:04:59, FastEthernet0/1

We check whether R4 can reach the routers inside area 0 using telnet.

R4#telnet 10.2.2.2
Trying 10.2.2.2 ... Open

User Access Verification

Password: cisco
R2>

R4#telnet 10.1.1.1
Trying 10.1.1.1 ... Open

User Access Verification

Password: cisco
R1>

We configure ACL 103 and apply it inbound on R3's Serial1/0.

R3
access-list 103 permit ospf any any
access-list 103 permit tcp any any established log
access-list 103 deny ip any any log

interface Serial1/0
 ip access-group 103 in

R4#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Destination unreachable; gateway or host down

R1#telnet 10.4.4.4
Trying 10.4.4.4 ... Open

User Access Verification

Password: cisco
R4>

R3#show access-lists 103
Extended IP access list 103
    10 permit ospf any any (8 matches)
    20 permit tcp any any established log (11 matches)

R4#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Destination unreachable; gateway or host down

R3#
*Aug 29 13:27:47.747: %SEC-6-IPACCESSLOGP: list 103 denied tcp 10.1.34.4(46374) -> 10.1.1.1(23), 1 packet

R1#telnet 10.4.4.4
Trying 10.4.4.4 ... Open

User Access Verification

Password: cisco
R4>

R3#
*Aug 29 13:28:37.151: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 10.4.4.4(23) -> 10.1.13.1(45476), 1 packet

Note: the big limitation of using an ACL together with established is that it only applies to TCP and the layers above it; it does not work for UDP or ICMP.

Time-Based ACLs

Configure the addressing shown and enable EIGRP 1 so that the routers advertise all their directly connected interfaces. Configure R3 so that users from R4 can browse the Internet on weekdays only, and can run ICMP connectivity tests on weekends. We enable EIGRP:

R1
router eigrp 1
 network 10.0.0.0
 no auto-summary

R2
router eigrp 1
 network 10.0.0.0
 no auto-summary

R3
router eigrp 1
 network 10.0.0.0
 no auto-summary

R4
router eigrp 1
 network 10.0.0.0
 no auto-summary

R4#sh ip route eigrp
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D       10.1.1.0/24 [90/161280] via 10.1.34.3, 00:01:07, FastEthernet0/0
D       10.1.12.0/24 [90/33280] via 10.1.34.3, 00:01:07, FastEthernet0/0
D       10.1.23.0/24 [90/30720] via 10.1.34.3, 00:01:07, FastEthernet0/0
D       10.2.2.0/24 [90/158720] via 10.1.34.3, 00:01:07, FastEthernet0/0
D       10.3.3.0/24 [90/156160] via 10.1.34.3, 00:01:07, FastEthernet0/0

We define the permissions on R3 according to what was stated at the start.

R3
time-range SEMANA
 periodic weekdays 0:00 to 23:59

time-range FINDE
 periodic weekend 0:00 to 23:59

access-list 100 permit tcp any any eq www time-range SEMANA
access-list 100 permit icmp any any time-range FINDE
access-list 100 permit eigrp any any
access-list 100 deny ip any any log

interface FastEthernet0/0
 ip access-group 100 in

R3#clock set 10:00:00 20 sept 2011    // Tuesday

R4#ping 10.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

%SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.1.34.4 -> 10.3.3.3 (8/0), 1 packet

R3#show access-lists
Extended IP access list 100
    10 permit icmp any any time-range FINDE (inactive) (5 matches)
    20 permit tcp any any eq www time-range SEMANA (active)
    30 permit eigrp any any (64 matches)
    40 deny ip any any log (15 matches)

R4#telnet 10.2.2.2 80
Trying 10.2.2.2, 80 ...
% Connection refused by remote host

R3#show access-lists
Extended IP access list 100
    10 permit icmp any any time-range FINDE (inactive) (5 matches)
    20 permit tcp any any eq www time-range SEMANA (active) (1 match)
    30 permit eigrp any any (70 matches)
    40 deny ip any any log (15 matches)

R3#clock set 10:00:00 18 sept 2011    // weekend
R3#
%SYS-6-CLOCKUPDATE: System clock has been updated from 10:04:55 UTC Tue Sep 20 2011 to 10:00:00 UTC Sun Sep 18 2011, configured from console by console.
R3#clear access-list counters

R3#
%SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.1.34.4 -> 10.3.3.3 (8/0), 14 packets

R4#ping 10.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/76/116 ms

R3#show access-lists
Extended IP access list 100
    10 permit icmp any any time-range FINDE (active) (5 matches)
    20 permit tcp any any eq www time-range SEMANA (inactive)
    30 permit eigrp any any (6 matches)
    40 deny ip any any log

Dynamic ACLs

Configure EIGRP 1 on all routers and advertise their directly connected interfaces. EIGRP must not lose adjacencies. Enable Telnet on R1 and R2. To access R4 we must use the username admin4 with password cisco4. R4 requires authentication to be able to reach the routers inside company A; use telnet for the authentication. The routers inside company A can reach R4's services without authentication. On R3 (the border router) create the user u4 with password cisco.

R1
router eigrp 1
 network 10.0.0.0
 no auto-summary

line vty 0 4
 password cisco
 login

R2
router eigrp 1
 network 10.0.0.0
 no auto-summary

line vty 0 4
 password cisco
 login

R3
router eigrp 1
 network 10.0.0.0
 no auto-summary

line vty 0 4
 password cisco
 login

R4
router eigrp 1
 network 10.0.0.0
 no auto-summary

line vty 0 4
 password cisco
 login

We reach the routers with telnet before applying the configuration on R3.

R4#telnet 10.2.2.2
Trying 10.2.2.2 ... Open

User Access Verification

Password: cisco
R2>

R1#telnet 10.4.4.4
Trying 10.4.4.4 ... Open

Autentificacion AAA
Usuario: admin4
Password: cisco4

We configure R3:

R3
username u4 password cisco

access-list 100 permit tcp any host 10.1.34.3 eq telnet
access-list 100 permit eigrp any any
access-list 100 permit tcp any any established log
access-list 100 dynamic ACCESO permit ip any any

interface Serial1/0
 ip access-group 100 in

line vty 0 4
 autocommand access-enable host    // hidden command
 login local                       // Does not appear to be necessary if the server is down.

R4#telnet 10.1.34.3
Trying 10.1.34.3 ... Open

User Access Verification

Username: u4
Password:
[Connection to 10.1.34.3 closed by foreign host]

R4#telnet 10.2.2.2
Trying 10.2.2.2 ... Open

User Access Verification

Password:
R2>en
Password:
R2#

R4#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/82/132 ms

R3#show access-lists
Extended IP access list 100
    10 permit tcp any host 10.1.34.3 eq telnet (132 matches)
    20 permit eigrp any any (128 matches)
    30 permit tcp any any established log (18 matches)
    40 Dynamic ACCESO permit ip any any
       permit ip host 10.1.34.4 any (1 match)
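The three R3 access lists from the labs above (103 with established, 100 with the SEMANA/FINDE time ranges, and 100 with the ACCESO dynamic entry) evaluated against constructed packets in a small Python model. This is an added example, not code from the guide: the addresses and ACEs are the guide's, while the Packet/Ace/Acl names, the sample packets and the clock values fed to the model are assumptions made here; sequence numbers, logging and timeouts are left out.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Address

@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", "ospf", "eigrp"
    src: str
    dst: str
    dport: int = 0
    ack_or_rst: bool = False   # the TCP flags that 'established' tests

@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    dport: int = None          # 'eq <port>' on the destination port
    established: bool = False
    time_range: str = None     # "SEMANA" (periodic weekdays) or "FINDE" (weekend)
    dynamic: str = None        # lock-and-key template name (ACCESO)

def addr_matches(addr, spec):
    """IOS address specifier, including wildcard masks (1-bits are ignored)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec[5:]
    net, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return int(IPv4Address(addr)) & care == int(IPv4Address(net)) & care

@dataclass
class Acl:
    aces: list
    # sources that logged in to R3 ('autocommand access-enable host' adds them);
    # the lab sets no idle/absolute timeout, so an entry stays until cleared
    enabled: set = field(default_factory=set)

    def evaluate(self, pkt, now=None):
        now = now or datetime.now()
        for ace in self.aces:
            src = ace.src
            if ace.time_range and (now.weekday() < 5) != (ace.time_range == "SEMANA"):
                continue                     # shown as (inactive): matches nothing
            if ace.dynamic:
                if pkt.src not in self.enabled:
                    continue                 # the template alone matches nothing
                src = f"host {pkt.src}"      # temporary 'permit ip host X any'
            if ace.proto not in ("ip", pkt.proto):
                continue
            if not (addr_matches(pkt.src, src) and addr_matches(pkt.dst, ace.dst)):
                continue
            if ace.dport is not None and pkt.dport != ace.dport:
                continue
            if ace.established and not pkt.ack_or_rst:
                continue                     # a bare SYN is not 'established'
            return ace.action
        return "deny"                        # implicit deny ip any any

ACL103 = Acl([                                 # R3 Serial1/0 in (established lab)
    Ace("permit", "ospf", "any", "any"),
    Ace("permit", "tcp", "any", "any", established=True),
    Ace("deny", "ip", "any", "any")])
ACL100_TIME = Acl([                            # R3 FastEthernet0/0 in (time-range lab)
    Ace("permit", "tcp", "any", "any", dport=80, time_range="SEMANA"),
    Ace("permit", "icmp", "any", "any", time_range="FINDE"),
    Ace("permit", "eigrp", "any", "any"),
    Ace("deny", "ip", "any", "any")])
ACL100_LOCK = Acl([                            # R3 Serial1/0 in (dynamic lab)
    Ace("permit", "tcp", "any", "host 10.1.34.3", dport=23),
    Ace("permit", "eigrp", "any", "any"),
    Ace("permit", "tcp", "any", "any", established=True),
    Ace("permit", "ip", "any", "any", dynamic="ACCESO")])

def demo():
    """Re-runs the guide's tests with constructed packets; returns the verdicts."""
    r = {}
    # R4 opens telnet to R1 (SYN only): denied, as R3's console log showed
    r["r4_telnet_r1"] = ACL103.evaluate(Packet("tcp", "10.1.34.4", "10.1.1.1", 23))
    # R4 answering a telnet that R1 started: ACK set, so 'established' permits it
    r["r4_reply"] = ACL103.evaluate(Packet("tcp", "10.4.4.4", "10.1.13.1", 45476, True))
    # the limitation in the note above: a UDP reply has no flags and is dropped
    r["udp_reply"] = ACL103.evaluate(Packet("udp", "10.4.4.4", "10.1.1.1", 50000))
    tue, sun = datetime(2011, 9, 20, 10), datetime(2011, 9, 18, 10)
    ping = Packet("icmp", "10.1.34.4", "10.3.3.3")
    web = Packet("tcp", "10.1.34.4", "10.2.2.2", 80)
    r["ping_tue"], r["web_tue"] = ACL100_TIME.evaluate(ping, tue), ACL100_TIME.evaluate(web, tue)
    r["ping_sun"], r["web_sun"] = ACL100_TIME.evaluate(ping, sun), ACL100_TIME.evaluate(web, sun)
    lock = Acl(ACL100_LOCK.aces)                 # fresh copy: nobody authenticated yet
    telnet_r2 = Packet("tcp", "10.1.34.4", "10.2.2.2", 23)
    r["lock_before"] = lock.evaluate(telnet_r2)
    lock.enabled.add("10.1.34.4")                # R4 logged in to R3 as user u4
    r["lock_after"] = lock.evaluate(telnet_r2)
    # the temporary entry is tied to the address that authenticated, nothing else
    r["lock_other_src"] = lock.evaluate(Packet("icmp", "10.4.4.4", "10.2.2.2"))
    return r
```

The last case is worth noticing: after R4 authenticates from 10.1.34.4, packets it sources from its loopback 10.4.4.4 are still denied, because access-enable host binds the temporary entry to the address that logged in.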

IP/ICMP ACLs

Configure RIPv2 so that there is complete NLRI. Updates must be unicast (not multicast). On R2 we must deny traffic between 10.1.1.1 and 10.4.4.4. All other traffic must be permitted. If there is a match on this rule, we must see a console log on R2.

R1
router rip
 version 2
 passive-interface FastEthernet0/0
 network 10.0.0.0
 neighbor 10.1.12.2
 no auto-summary

R2
router rip
 version 2
 passive-interface FastEthernet0/0
 passive-interface FastEthernet0/1
 network 10.0.0.0
 neighbor 10.1.12.1
 neighbor 10.1.23.3
 no auto-summary

R3
router rip
 version 2
 passive-interface FastEthernet0/0
 passive-interface FastEthernet0/1
 network 10.0.0.0
 neighbor 10.1.34.4
 neighbor 10.1.23.2
 no auto-summary

R4
router rip
 version 2
 passive-interface FastEthernet0/0
 network 10.0.0.0
 neighbor 10.1.34.3
 no auto-summary

R1#sh ip route rip
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
R       10.1.23.0/24 [120/1] via 10.1.12.2, 00:00:12, FastEthernet0/0
R       10.1.34.0/24 [120/2] via 10.1.12.2, 00:00:12, FastEthernet0/0
R       10.2.2.0/24 [120/1] via 10.1.12.2, 00:00:12, FastEthernet0/0
R       10.3.3.0/24 [120/2] via 10.1.12.2, 00:00:12, FastEthernet0/0
R       10.4.4.0/24 [120/3] via 10.1.12.2, 00:00:12, FastEthernet0/0

R1#ping 10.4.4.4 source 10.1.1.1 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 80/106/132 ms

On R2 we create the ACLs that will filter the traffic between 10.1.1.1 and 10.4.4.4. As good practice we first check whether any ACL was configured earlier, using the show access-lists command. One ACL has R1 as source and R4 as destination; the other has R4 as source and R1 as destination. This means we will apply each ACL on a different interface.

R2#show access-lists
R2#

R2
access-list 102 deny ip host 10.4.4.4 host 10.1.1.1 log
access-list 102 permit ip any any

access-list 122 deny ip host 10.1.1.1 host 10.4.4.4 log
access-list 122 permit ip any any

interface FastEthernet0/0
 ip access-group 122 in
interface FastEthernet0/1
 ip access-group 102 in

R2#show access-lists
Extended IP access list 102
    10 deny ip host 10.4.4.4 host 10.1.1.1 log
    20 permit ip any any (3 matches)
Extended IP access list 122
    10 deny ip host 10.1.1.1 host 10.4.4.4 log
    20 permit ip any any (3 matches)

Connectivity test

R1#ping 10.2.2.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/56/88 ms

R1#ping 10.3.3.3 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/74/120 ms

R1#ping 10.4.4.4 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
U.U.U
Success rate is 0 percent (0/5)

R2#
*Sep 5 13:14:05.527: %SEC-6-IPACCESSLOGDP: list 122 denied icmp 10.1.1.1 -> 10.4.4.4 (0/0), 1 packet

R1#sh ip route rip
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
R       10.1.23.0/24 [120/1] via 10.1.12.2, 00:00:19, FastEthernet0/0
R       10.1.34.0/24 [120/2] via 10.1.12.2, 00:00:19, FastEthernet0/0
R       10.2.2.0/24 [120/1] via 10.1.12.2, 00:00:19, FastEthernet0/0
R       10.3.3.0/24 [120/2] via 10.1.12.2, 00:00:19, FastEthernet0/0
R       10.4.4.0/24 [120/3] via 10.1.12.2, 00:00:19, FastEthernet0/0

The following policies are required: R1 can ping R2 and receive the reply back. R2 cannot ping R1.

R1
access-list 101 deny icmp host 10.1.12.2 any echo
access-list 101 deny icmp host 10.2.2.2 any echo
access-list 101 deny icmp host 10.1.23.2 any echo
access-list 101 permit ip any any

interface FastEthernet0/0
 ip access-group 101 in

R1#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/64/88 ms

R1#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/64/96 ms

R1#ping 10.1.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/74/92 ms

R2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R2#ping 10.1.1.1 source 10.1.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.23.2
U.U.U
Success rate is 0 percent (0/5)

R2#ping 10.1.1.1 source 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
U.U.U
Success rate is 0 percent (0/5)

In the next example we configure R2 so that, when it has no route to a network, it uses R3 as its default gateway. We create a default route and then test connectivity to a non-existent IP (10.5.5.5).

R2
ip route 0.0.0.0 0.0.0.0 fastEthernet 0/1 10.1.23.3

R2#sh ip route static
Gateway of last resort is 10.1.23.3 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 10.1.23.3, FastEthernet0/1

R2#debug ip icmp
ICMP packet debugging is on

R2#ping 10.5.5.5 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
U
*Sep 5 13:35:50.603: ICMP: dst (10.1.23.2) host unreachable rcv from 10.1.23.3.
Success rate is 0 percent (0/2)

Configure R3 so that it does not send the ICMP message "dst (10.1.23.2) host unreachable".

R3
interface FastEthernet0/1
 no ip unreachables

R2#ping 10.5.5.5 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.5.5.5, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)

ACLs for OSPF and EIGRP

Configure EIGRP 1 on all routers and advertise their directly connected interfaces. Disable automatic summarization. Configure OSPF 1 area 0 on all routers and advertise their directly connected interfaces. DR/BDR election is not allowed. Advertise the loopbacks in OSPF with their correct masks. Do not use the network command to advertise the interfaces. Remove RIPv2 from the previous configuration, including the ACLs.

Rx (every router)
no router rip

R1
router eigrp 1
 network 10.0.0.0
 no auto-summary

router ospf 1
 router-id 1.1.1.1

interface Loopback0
 ip ospf network point-to-point
 ip ospf 1 area 0

interface FastEthernet0/0
 ip ospf network point-to-point
 ip ospf 1 area 0

R2
router eigrp 1
 network 10.0.0.0
 no auto-summary

router ospf 1
 router-id 2.2.2.2

interface Loopback0
 ip ospf network point-to-point
 ip ospf 1 area 0

interface FastEthernet0/0
 ip ospf network point-to-point
 ip ospf 1 area 0

interface FastEthernet0/1
 ip ospf network point-to-point
 ip ospf 1 area 0

R3
router eigrp 1
 network 10.0.0.0
 no auto-summary

router ospf 1
 router-id 3.3.3.3

interface Loopback0
 ip ospf network point-to-point
 ip ospf 1 area 0

interface FastEthernet0/0
 ip ospf network point-to-point
 ip ospf 1 area 0

interface FastEthernet0/1
 ip ospf network point-to-point
 ip ospf 1 area 0

R4
router eigrp 1
 network 10.0.0.0
 no auto-summary

router ospf 1
 router-id 4.4.4.4

interface Loopback0
 ip ospf network point-to-point
 ip ospf 1 area 0

interface FastEthernet0/0
 ip ospf network point-to-point
 ip ospf 1 area 0

R2#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:34    10.1.23.3       FastEthernet0/1
1.1.1.1           0   FULL/  -        00:00:36    10.1.12.1       FastEthernet0/0

R2#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.1.23.3               Fa0/1             13 00:04:21  110   660  0  6
0   10.1.12.1               Fa0/0             11 00:04:23  124   744  0  5

Configure an ACL on R1 that blocks EIGRP traffic and permits all other traffic. The result of this configuration can be seen in R1's routing table: instead of the networks learned through EIGRP (AD 90), the networks learned through OSPF (AD 110) will be installed.

Note: first we check the RIB. After the configuration we will see EIGRP lose its adjacency.

R1#sh ip route
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C       10.1.1.0/24 is directly connected, Loopback0
L       10.1.1.1/32 is directly connected, Loopback0
C       10.1.12.0/24 is directly connected, FastEthernet0/0
L       10.1.12.1/32 is directly connected, FastEthernet0/0
D       10.1.23.0/24 [90/30720] via 10.1.12.2, 00:10:41, FastEthernet0/0
D       10.1.34.0/24 [90/33280] via 10.1.12.2, 00:10:39, FastEthernet0/0
D       10.2.2.0/24 [90/156160] via 10.1.12.2, 00:10:41, FastEthernet0/0
D       10.3.3.0/24 [90/158720] via 10.1.12.2, 00:10:39, FastEthernet0/0
D       10.4.4.0/24 [90/161280] via 10.1.12.2, 00:10:38, FastEthernet0/0

R1#show access-lists
Extended IP access list 101
    10 deny icmp host 10.1.12.2 any echo (10 matches)
    20 deny icmp host 10.2.2.2 any echo (5 matches)
    30 deny icmp host 10.1.23.2 any echo (5 matches)
    40 permit ip any any (242 matches)

R1#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no access-list 101

R1
access-list 100 deny eigrp any any
access-list 100 permit ip any any

interface FastEthernet0/0
 ip access-group 100 in

R1#sh ip route | begin Gateway
Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C       10.1.1.0/24 is directly connected, Loopback0
L       10.1.1.1/32 is directly connected, Loopback0
C       10.1.12.0/24 is directly connected, FastEthernet0/0
L       10.1.12.1/32 is directly connected, FastEthernet0/0
O       10.1.23.0/24 [110/2] via 10.1.12.2, 00:00:13, FastEthernet0/0
O       10.1.34.0/24 [110/3] via 10.1.12.2, 00:00:13, FastEthernet0/0
O       10.2.2.0/24 [110/2] via 10.1.12.2, 00:00:13, FastEthernet0/0
O       10.3.3.0/24 [110/3] via 10.1.12.2, 00:00:13, FastEthernet0/0
O       10.4.4.0/24 [110/4] via 10.1.12.2, 00:00:13, FastEthernet0/0

IPv6 ACLs

Configure the addressing shown in the figure. Assign the link-local address on all physical interfaces with the following layout:

Router   Link-local   ID
R1       FE80::1      1.1.1.1
R2       FE80::2      2.2.2.2
R3       FE80::3      3.3.3.3
R4       FE80::4      4.4.4.4

Configure OSPFv3 as shown in the figure. R3's loopback0 must be advertised in the OSPF domain. Enable detailed OSPF logging and explain the OSPF states. There must be no DR/BDR election. Advertise the loopback0 interfaces with their correct masks.

R1
ipv6 router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes detail

interface FastEthernet0/0
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point

interface FastEthernet0/1
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point

interface Loopback0
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point

R2
ipv6 router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes detail

interface FastEthernet0/0
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point

interface FastEthernet0/1
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point

interface Loopback0
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point

R2#
*Sep 7 13:44:03.863: %OSPFv3-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from 2WAY to EXSTART, AdjOK?
*Sep 7 13:44:04.079: %OSPFv3-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from EXSTART to EXCHANGE, Negotiation Done
*Sep 7 13:44:04.235: %OSPFv3-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from EXCHANGE to LOADING, Exchange Done
*Sep 7 13:44:04.379: %OSPFv3-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/0 from LOADING to FULL, Loading Done

R3
ipv6 router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes detail

interface FastEthernet0/0
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point

interface FastEthernet0/1
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point

interface Loopback0
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point

R1#show ipv6 ospf neighbor

            OSPFv3 Router with ID (1.1.1.1) (Process ID 1)

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
3.3.3.3           0   FULL/  -        00:00:30    2               FastEthernet0/1
2.2.2.2           0   FULL/  -        00:00:35    2               FastEthernet0/0

R2#show ipv6 ospf neighbor

            OSPFv3 Router with ID (2.2.2.2) (Process ID 1)

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
3.3.3.3           0   FULL/  -        00:00:32    3               FastEthernet0/1
1.1.1.1           0   FULL/  -        00:00:38    2               FastEthernet0/0

R1#show ipv6 route ospf
IPv6 Routing Table - default - 10 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
       NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
       OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
O   2001:1:1:23::/64 [110/2]
     via FE80::2, FastEthernet0/0
     via FE80::3, FastEthernet0/1
O   2001:2:2:2::/64 [110/2]
     via FE80::2, FastEthernet0/0
O   2001:3:3:3::/64 [110/2]
     via FE80::3, FastEthernet0/1

R1#ping ipv6 2001:3:3:3::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/45/72 ms

Configure RIPng on R3 and R4 using the process identifier R34. R4 must advertise its loopback0 interface.

R3
ipv6 router rip R34

interface Serial1/0
 ipv6 rip R34 enable

R4
ipv6 router rip R34

interface Serial1/0
 ipv6 rip R34 enable

interface Loopback0
 ipv6 rip R34 enable

R3#show ipv6 route rip
IPv6 Routing Table - default - 13 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
       NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
       OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
R   2001:4:4:4::/64 [120/2]
     via FE80::4, Serial1/0

Mutually redistribute OSPFv3 and RIPng

R3
ipv6 router ospf 1
 redistribute rip R34 include-connected

ipv6 router rip R34
 redistribute ospf 1 metric 2 include-connected

R1#show ipv6 route ospf
IPv6 Routing Table - default - 12 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
       NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
       OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
O   2001:1:1:23::/64 [110/2]
     via FE80::2, FastEthernet0/0
     via FE80::3, FastEthernet0/1
OE2 2001:1:1:34::/64 [110/20]
     via FE80::3, FastEthernet0/1
O   2001:2:2:2::/64 [110/2]
     via FE80::2, FastEthernet0/0
O   2001:3:3:3::/64 [110/2]
     via FE80::3, FastEthernet0/1
OE2 2001:4:4:4::/64 [110/20]
     via FE80::3, FastEthernet0/1

R1#ping 2001:4:4:4::4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:4:4:4::4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/68/88 ms

Create and advertise loopback1 on R1 as shown in the figure.

R1
interface Loopback1
 ipv6 address 2000:1:1::1/64
 ipv6 address 2000:1:1:1::1/64
 ipv6 address 2000:1:1:2::1/64
 ipv6 address 2000:1:1:3::1/64
 ipv6 address 2000:1:1:4::1/64
 ipv6 address 2000:1:1:5::1/64
 ipv6 address 2000:1:1:6::1/64
 ipv6 address 2000:1:1:7::1/64
 ipv6 ospf 1 area 0
 ipv6 ospf network point-to-point

R4#show ipv6 route rip
IPv6 Routing Table - default - 19 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
       NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
       OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP
R   2000:1:1::/64 [120/3]
     via FE80::3, Serial1/0
R   2000:1:1:1::/64 [120/3]
     via FE80::3, Serial1/0
R   2000:1:1:2::/64 [120/3]
     via FE80::3, Serial1/0
R   2000:1:1:3::/64 [120/3]
     via FE80::3, Serial1/0
R   2000:1:1:4::/64 [120/3]
     via FE80::3, Serial1/0
R   2000:1:1:5::/64 [120/3]
     via FE80::3, Serial1/0
R   2000:1:1:6::/64 [120/3]
     via FE80::3, Serial1/0
R   2000:1:1:7::/64 [120/3]
     via FE80::3, Serial1/0
R   2001:1:1:1::/64 [120/3]
     via FE80::3, Serial1/0
R   2001:1:1:12::/64 [120/3]
     via FE80::3, Serial1/0
R   2001:1:1:13::/64 [120/3]
     via FE80::3, Serial1/0
R   2001:1:1:23::/64 [120/3]
     via FE80::3, Serial1/0
R   2001:2:2:2::/64 [120/3]
     via FE80::3, Serial1/0
R   2001:3:3:3::/64 [120/3]
     via FE80::3, Serial1/0

Configure R3 so that R1 cannot test connectivity with the ping command. This includes the loopback interfaces and the interface that connects to R2.

R3
ipv6 access-list TEST
 deny icmp 2001:1:1:13::/64 any
 permit ipv6 any any

interface FastEthernet0/0
 ipv6 traffic-filter TEST in

R1#debug ipv6 icmp
ICMP Packet debugging is on

R1#ping 2001:1:1:13::3 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:1:1:13::3, timeout is 2 seconds:

ICMPv6: Sent echo request, Src=2001:1:1:13::1, Dst=2001:1:1:13::3
ICMPv6: Received N-Solicit, Src=2001:1:1:13::3, Dst=FF02::1:FF00:1
ICMPv6: Sent N-Advert, Src=2001:1:1:13::1, Dst=2001:1:1:13::3
.
Success rate is 0 percent (0/1)
R1#
ICMPv6: Received N-Solicit, Src=2001:1:1:13::3, Dst=FF02::1:FF00:1
ICMPv6: Sent N-Advert, Src=2001:1:1:13::1, Dst=2001:1:1:13::3

R1#ping 2001:3:3:3::3 repeat 1 source 2001:1:1:12::1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
Packet sent with a source address of 2001:1:1:12::1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 52/52/52 ms

R1#ping 2001:3:3:3::3 repeat 1 source 2000:1:1:1::1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
Packet sent with a source address of 2000:1:1:1::1
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 60/60/60 ms

The first case only covers the source IPv6 address 2001:1:1:13::1 and not R1's other interfaces. We need a configuration that includes every IPv6 address belonging to R1.

R3
ipv6 access-list TEST
 deny icmp 2001:1:1:13::/64 any
 deny icmp 2000:1:1:0::/61 any
 deny icmp 2001:1:1:12::/64 any
 permit ipv6 any any

interface FastEthernet0/0
 ipv6 traffic-filter TEST in

R1#ping 2001:3:3:3::3 repeat 1 source 2000:1:1:1::1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
Packet sent with a source address of 2000:1:1:1::1
S
Success rate is 0 percent (0/1)

R1#ping 2001:3:3:3::3 repeat 1 source 2001:1:1:12::1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001:3:3:3::3, timeout is 2 seconds:
Packet sent with a source address of 2001:1:1:12::1
S
Success rate is 0 percent (0/1)

R3#traceroute 2001:1:1:13::3
Type escape sequence to abort.
Tracing the route to 2001:1:1:13::3

  1 *
*Sep 7 15:22:41.667: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
*Sep 7 15:22:44.671: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
*Sep 7 15:22:47.679: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
  2 *
*Sep 7 15:22:50.683: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
*Sep 7 15:22:53.691: ICMPv6: Sent Unreachable code 4, Src=2001:1:1:13::3, Dst=2001:1:1:13::3 *
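A check of the two versions of the TEST list above with Python's ipaddress module: which of the R1 source addresses used in the pings each version blocks, and whether the eight loopback1 /64s really collapse into the single 2000:1:1::/61 the corrected list uses. This is an added example, not the guide's code; the prefixes and source addresses are the guide's, the function names and the ACL tuple layout are assumptions made here.

```python
from ipaddress import IPv6Address, IPv6Network, collapse_addresses

# R1's loopback1 prefixes as configured above (2000:1:1::/64 .. 2000:1:1:7::/64)
R1_LOOPBACK1 = [IPv6Network(f"2000:1:1:{i}::/64") for i in range(8)]

# The two versions of the TEST traffic-filter as (action, protocol, source prefix);
# the destination is 'any' in every entry, and the first matching entry wins.
TEST_FIRST = [("deny", "icmp", "2001:1:1:13::/64"),
              ("permit", "ipv6", "::/0")]
TEST_FINAL = [("deny", "icmp", "2001:1:1:13::/64"),
              ("deny", "icmp", "2000:1:1::/61"),
              ("deny", "icmp", "2001:1:1:12::/64"),
              ("permit", "ipv6", "::/0")]

# Source addresses R1 pinged from in the lab (link to R3, link to R2, loopback1)
R1_SOURCES = ["2001:1:1:13::1", "2001:1:1:12::1", "2000:1:1:1::1"]


def covering_prefixes(networks):
    """Fewest prefixes that cover the given networks, e.g. eight /64s -> one /61."""
    return [str(n) for n in collapse_addresses(networks)]


def action_for(acl, proto, src):
    """First-match verdict of an IPv6 traffic-filter for one source address.
    IOS also inserts implicit permits for ND NS/NA ahead of the implicit deny;
    they play no role here because both lists end in 'permit ipv6 any any'."""
    addr = IPv6Address(src)
    for action, ace_proto, prefix in acl:
        if ace_proto not in ("ipv6", proto):
            continue                      # 'icmp' entries never match other protocols
        if addr in IPv6Network(prefix):
            return action
    return "deny"                         # implicit deny ipv6 any any


def blocked_sources(acl):
    """Which of R1's lab source addresses the list stops from pinging."""
    return [s for s in R1_SOURCES if action_for(acl, "icmp", s) == "deny"]
```

Beyond the lab's own pings, action_for also shows the two boundaries of the corrected list: a source such as 2000:1:1:8::1 falls outside 2000:1:1::/61 and is permitted, and non-ICMP traffic from any R1 address is permitted because every deny entry names icmp.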

Reflexive ACLs

Configure the addressing shown. The broadcast network and the R1-R3 link do not take part in this lab (the associated interfaces must be shut down). Enable EIGRP 1 and advertise the directly connected interfaces on all routers.

Reflexive ACLs have two uses:
- Permit outbound traffic from the internal network on an interface, and filter inbound traffic based on a session established from inside the internal network.
- Permit all inbound traffic on an interface facing the internal network, and permit outbound traffic based on an existing session originated inside the internal network.

R1
router eigrp 1
 network 1.0.0.0
 network 10.0.0.0
 no auto-summary

R2
router eigrp 1
 network 2.0.0.0
 network 10.0.0.0
 no auto-summary

R3
router eigrp 1
 network 3.0.0.0
 network 10.0.0.0
 no auto-summary

R4
router eigrp 1
 network 4.0.0.0
 network 10.0.0.0
 no auto-summary

R2#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.1.23.3               Se0/1             14 00:00:04  271  1626  0  16
0   10.1.12.1               Se0/0             10 00:05:56   40   240  0  14

R4#sh ip route eigrp
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/3321856] via 10.1.34.3, 00:00:23, Serial0/0
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/2809856] via 10.1.34.3, 00:00:23, Serial0/0
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/2297856] via 10.1.34.3, 00:05:22, Serial0/0
     10.0.0.0/24 is subnetted, 3 subnets
D       10.1.12.0 [90/3193856] via 10.1.34.3, 00:00:23, Serial0/0
D       10.1.23.0 [90/2681856] via 10.1.34.3, 00:00:34, Serial0/0

R1 and R2 belong to company ALFA; R3 and R4 belong to company BETA. R2 is the border router that connects both companies. R2 must be configured so that it permits return traffic for HTTP, TFTP and Telnet sessions that originated internally. The EIGRP adjacency between R2 and R3 must not be lost.

Step 1: Create an internal ACL that looks for new outbound sessions and creates a temporary access control entry (reflexive ACE).

R2
ip access-list extended DE-SALIDA
 permit tcp any any eq www reflect WEB
 permit tcp any any eq telnet reflect TELNET
 permit tcp any any eq 69 reflect TFTP
 permit eigrp any any

R2#show access-lists
Extended IP access list DE-SALIDA
    10 permit tcp any any eq www reflect WEB
    20 permit tcp any any eq telnet reflect TELNET
    30 permit udp any any eq 69 reflect TFTP
    40 permit eigrp any any
Reflexive IP access list TELNET
Reflexive IP access list TFTP
Reflexive IP access list WEB

Step 2: Create an external ACL that uses the reflexive lists (`evaluate`) to inspect the return traffic. Everything not matched by a static permit or by a live reflexive entry falls through to the implicit deny.

R2
ip access-list extended DE-ENTRADA
 permit eigrp any any
 evaluate WEB
 evaluate TELNET
 evaluate TFTP

R2#show access-lists
Extended IP access list DE-ENTRADA
    10 permit eigrp any any
    20 evaluate WEB
    30 evaluate TELNET
    40 evaluate TFTP
Extended IP access list DE-SALIDA
    10 permit tcp any any eq www reflect WEB
    20 permit tcp any any eq telnet reflect TELNET
    30 permit udp any any eq 69 reflect TFTP
    40 permit eigrp any any
Reflexive IP access list TELNET
Reflexive IP access list TFTP
Reflexive IP access list WEB

Step 3: Apply both ACLs to the appropriate interface. In our case that is R2's external interface, Serial0/1 toward R3: DE-SALIDA outbound (traffic leaving ALFA) and DE-ENTRADA inbound (traffic coming back from BETA).

R2
interface Serial0/1
 ip access-group DE-ENTRADA in
 ip access-group DE-SALIDA out

R4#sh ip route eigrp
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/3321856] via 10.1.34.3, 01:00:00, Serial0/0
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/2809856] via 10.1.34.3, 01:00:00, Serial0/0
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/2297856] via 10.1.34.3, 01:04:59, Serial0/0
     10.0.0.0/24 is subnetted, 3 subnets
D       10.1.12.0 [90/3193856] via 10.1.34.3, 01:00:00, Serial0/0
D       10.1.23.0 [90/2681856] via 10.1.34.3, 01:00:00, Serial0/0

R2#show ip eigrp neighbors serial 0/1
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
1   10.1.23.3       Se0/1         14 01:00:27  271  1626  0  16

The EIGRP adjacency and the routes learned through R3 survive the ACLs. Now test traffic initiated from the BETA side:

R4#debug ip icmp
ICMP packet debugging is on

R4#ping 1.1.1.1 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
U
Success rate is 0 percent (0/1)
R4#
ICMP: dst (10.1.34.4) administratively prohibited unreachable rcv from 10.1.23.2

R2
access-list 10 permit 10.1.34.4

(This standard ACL is not applied to any interface; it is only used to restrict the output of `debug ip packet` to packets sourced from R4.)

R2#debug ip packet 10 detail
IP packet debugging is on (detailed) for access list 10
R2#
IP: s=10.1.34.4 (Serial0/1), d=1.1.1.1, len 100, access denied
    ICMP type=8, code=0

As the output shows, traffic originated outside company ALFA cannot get in: the echo request is dropped by DE-ENTRADA on Serial0/1 inbound, and R2 answers R4 with an administratively-prohibited unreachable. Unlike ACLs built on the `established` keyword, which only check the ACK/RST bits of TCP segments, reflexive ACLs are not limited to TCP; they can also track UDP and other protocols by mirroring the full address/port tuple of the outbound packet.

R4#telnet 1.1.1.1
Trying 1.1.1.1 ...
% Destination unreachable; gateway or host down

R2#
IP: s=10.1.34.4 (Serial0/1), d=1.1.1.1, len 44, access denied
    TCP src=49732, dst=23, seq=2499314714, ack=0, win=4128 SYN

R4
line vty 0 4
 password cisco
 login

R2
access-list 11 permit 1.1.1.1

(Again a debug filter only, this time matching packets sourced from R1's Loopback0.)

R2#debug ip packet 11 detail
IP packet debugging is on (detailed) for access list 11

R1#telnet 4.4.4.4 /source-interface loopback 0
Trying 4.4.4.4 ... Open
User Access Verification
Password: cisco
R4>

R2#
IP: tableid=0, s=1.1.1.1 (Serial0/0), d=4.4.4.4 (Serial0/1), routed via FIB
IP: s=1.1.1.1 (Serial0/0), d=4.4.4.4 (Serial0/1), g=10.1.23.3, len 44, forward
    TCP src=12060, dst=23, seq=198473953, ack=0, win=4128 SYN

R2#show access-lists TELNET
Reflexive IP access list TELNET
     permit tcp host 4.4.4.4 eq telnet host 1.1.1.1 eq 12060 (50 matches) (time left 230)

R2 has created a temporary entry, as `show access-lists TELNET` shows. It is the mirror image of the outbound SYN: the reflexive ACE permits TCP from host 4.4.4.4 port 23 (telnet) to host 1.1.1.1 port 12060, the ephemeral port R1 chose for the session. Only replies matching that exact address/port tuple are admitted by `evaluate TELNET` in DE-ENTRADA; a new connection from R4 to port 23 on R1 still fails. The entry lives until the session closes (RST, or FIN from both ends) or until the idle timer expires; the default global reflexive timeout is 300 seconds, which is why the entry shows time left 230 after some inactivity.

Explain why ICMP connectivity cannot be tested from the protected zone toward the external zone.

R1#ping 4.4.4.4 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)

The ping fails in the outbound direction, not on the return path: DE-SALIDA only permits TCP to www and telnet, UDP to 69 and EIGRP, so the echo request hits the implicit deny on Serial0/1 outbound and R2 sends R1 an administratively-prohibited unreachable (the U characters). Because no ICMP packet ever leaves, no reflexive entry is created either. To allow ICMP tests, DE-SALIDA would need a `permit icmp any any` line (optionally with `reflect`, and a matching `evaluate` in DE-ENTRADA) so that the echo replies can come back.

If there is no activity on the Telnet session (R1 to R4) for 30 seconds, R2 must remove the temporary entry. The `timeout` keyword on the `reflect` line sets a per-entry idle timer that overrides the global default.

R2
ip access-list extended DE-SALIDA
 permit tcp any any eq telnet reflect TELNET timeout 30

After entering this, confirm with `show access-lists DE-SALIDA` that line 20 now carries `timeout 30`. If the router appended a new entry at the end of the list instead of replacing line 20, remove the original `permit tcp any any eq telnet reflect TELNET` first, otherwise the old line keeps matching and the default timeout stays in effect.

R1#telnet 4.4.4.4 /source-interface loopback 0
Trying 4.4.4.4 ... Open
User Access Verification
Password:
R4>

R2#show access-lists TELNET
Reflexive IP access list TELNET
     permit tcp host 4.4.4.4 eq telnet host 1.1.1.1 eq 55727 (13 matches) (time left 29)

(with the session left idle, the timer counts down)

R2#show access-lists TELNET
Reflexive IP access list TELNET
     permit tcp host 4.4.4.4 eq telnet host 1.1.1.1 eq 55727 (13 matches) (time left 2)

R2#show access-lists TELNET
Reflexive IP access list TELNET
     permit tcp host 4.4.4.4 eq telnet host 1.1.1.1 eq 55727 (13 matches) (time left 1)

R2#show access-lists TELNET
Reflexive IP access list TELNET
     permit tcp host 4.4.4.4 eq telnet host 1.1.1.1 eq 55727 (13 matches) (time left 0)

R2#show access-lists TELNET
Reflexive IP access list TELNET

(the entry has been removed; any further reply from R4 on that session is dropped by DE-ENTRADA)
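The following is an added illustration, not code from this guide or from Cisco IOS: a small Python model of what R2 does in Steps 1 to 3 and in the timeout exercise above. The rule lists mirror DE-SALIDA and DE-ENTRADA (with TFTP as UDP/69 and `timeout 30` on the Telnet line), every packet is a constructed sample, and time is an explicit counter in seconds rather than a real clock. It replays the guide's tests: EIGRP passes, R4's ping and telnet toward R1 are denied, R1's telnet to R4 creates the mirrored entry that admits the SYN-ACK, R1's ping is refused outbound because DE-SALIDA has no ICMP line, the entry disappears after 30 idle seconds, and a TFTP data block from a fresh server port never matches the mirrored entry.

```python
"""Toy model of how a Cisco IOS reflexive ACL tracks sessions. Added illustration,
not code from the lab guide or from Cisco IOS: the rule lists mirror DE-SALIDA and
DE-ENTRADA on R2, packets are constructed samples, time is a counter in seconds."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp", "icmp" or "eigrp"
    src: str
    dst: str
    sport: int = 0                      # 0 for protocols without ports
    dport: int = 0
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"}, {"FIN"}, {"RST"}

@dataclass(frozen=True)
class Ace:
    """One 'permit ...' or 'evaluate NAME' line of a named extended ACL."""
    proto: str = ""
    dport: Optional[int] = None         # None = any destination port
    reflect: Optional[str] = None       # 'reflect NAME [timeout N]'
    timeout: Optional[int] = None
    evaluate: Optional[str] = None      # 'evaluate NAME'

    def matches(self, pkt):
        return self.proto == pkt.proto and self.dport in (None, pkt.dport)

@dataclass
class Session:
    """Dynamic mirrored ACE; key is (proto, src, sport, dst, dport) of the reply."""
    key: tuple
    ttl: int
    expires: int
    fins: int = 0

class ReflexiveFirewall:
    DEFAULT_TIMEOUT = 300               # IOS default 'ip reflexive-list timeout'

    def __init__(self, outbound, inbound):
        self.outbound_acl, self.inbound_acl = outbound, inbound
        self.sessions = {}              # reflexive list name -> [Session, ...]

    def _purge(self, now):
        for name in self.sessions:
            self.sessions[name] = [s for s in self.sessions[name] if s.expires > now]

    def _track(self, s, pkt, now):
        """Refresh the idle timer; tear a TCP session down on RST or after two FINs."""
        s.fins += "FIN" in pkt.flags
        s.expires = now if ("RST" in pkt.flags or s.fins >= 2) else now + s.ttl

    def outbound(self, pkt, now):
        """DE-SALIDA: static permits; a 'reflect' line also records the mirrored entry."""
        self._purge(now)
        for ace in self.outbound_acl:
            if ace.evaluate or not ace.matches(pkt):
                continue
            if ace.reflect:
                key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
                lst = self.sessions.setdefault(ace.reflect, [])
                s = next((x for x in lst if x.key == key), None)
                if s is None:
                    ttl = ace.timeout or self.DEFAULT_TIMEOUT
                    s = Session(key, ttl, now + ttl)
                    lst.append(s)
                self._track(s, pkt, now)
            return True
        return False                    # implicit deny at the end of the ACL

    def inbound(self, pkt, now):
        """DE-ENTRADA: static permits, then 'evaluate' lines consult the sessions."""
        self._purge(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for ace in self.inbound_acl:
            if ace.evaluate:
                hit = next((s for s in self.sessions.get(ace.evaluate, []) if s.key == key), None)
                if hit:
                    self._track(hit, pkt, now)
                    return True
            elif ace.matches(pkt):
                return True
        return False                    # implicit deny at the end of the ACL

def r2_firewall():
    """R2's lab policy (TFTP as UDP/69; Telnet entries with 'timeout 30')."""
    de_salida = [Ace("tcp", 80, reflect="WEB"), Ace("tcp", 23, reflect="TELNET", timeout=30),
                 Ace("udp", 69, reflect="TFTP"), Ace("eigrp")]
    de_entrada = [Ace("eigrp"), Ace(evaluate="WEB"), Ace(evaluate="TELNET"), Ace(evaluate="TFTP")]
    return ReflexiveFirewall(de_salida, de_entrada)

def lab_scenario():
    """Replays the guide's tests through R2 and returns each verdict (True = forwarded)."""
    fw, r1, r4, syn = r2_firewall(), "1.1.1.1", "4.4.4.4", frozenset({"SYN"})
    out = {"eigrp_in": fw.inbound(Packet("eigrp", "10.1.23.3", "224.0.0.10"), 0),
           "r4_ping_r1": fw.inbound(Packet("icmp", r4, r1), 1),
           "r4_telnet_r1": fw.inbound(Packet("tcp", r4, r1, 49732, 23, syn), 2),
           "r1_telnet_r4": fw.outbound(Packet("tcp", r1, r4, 12060, 23, syn), 3),
           "r4_synack": fw.inbound(Packet("tcp", r4, r1, 23, 12060, frozenset({"SYN", "ACK"})), 4)}
    out["telnet_entry"] = [s.key for s in fw.sessions["TELNET"]]   # mirrored 4.4.4.4:23 -> 1.1.1.1:12060
    out["r1_ping_r4"] = fw.outbound(Packet("icmp", r1, r4), 5)    # no ICMP line in DE-SALIDA
    out["reply_after_idle"] = fw.inbound(Packet("tcp", r4, r1, 23, 12060), 4 + 31)
    # TFTP: the request reflects 4.4.4.4:69, but the server answers from a fresh
    # port (RFC 1350), so the data packets never match the mirrored entry.
    fw.outbound(Packet("udp", r1, r4, 40000, 69), 40)
    out["tftp_data"] = fw.inbound(Packet("udp", r4, r1, 50001, 40000), 41)
    return out
```

Run `lab_scenario()` to see the verdicts; `r2_firewall()` can be reused to feed other packet sequences, for example a server RST, which closes the entry immediately rather than waiting for the idle timer. The model deliberately keys the dynamic entry on the full mirrored tuple, which is exactly why the TFTP data and any new connection from the BETA side are refused while the Telnet replies pass.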

