6.2.7 Lab - Configure Automated Security Features
Addressing Table

Device  Interface  IP Address   Subnet Mask      Default Gateway  Switch Port
R2      G0/0/1     10.2.2.2     255.255.255.252  N/A              N/A
R3      G0/0/0     10.2.2.1     255.255.255.252  N/A              N/A
R3      G0/0/1     192.168.3.1  255.255.255.0    N/A              S3 F0/5
© 2015 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public. Page 1 of 11 www.netacad.com
Lab - Securing the Router for Administrative Access
Objectives
Part 1: Configure Basic Device Settings
Cable the network as shown in the topology.
Configure basic IP addressing for routers and PCs.
Configure OSPF routing.
Configure PC hosts.
Verify connectivity between hosts and routers.
Part 2: Configure Automated Security Features
Lock down a router using AutoSecure and verify the configuration.
Contrast using AutoSecure with manually securing a router using the command line.
Background / Scenario
The router is a critical component in any network. It controls the movement of data into and out of the network
and between devices within the network. It is particularly important to protect network routers because the
failure of a routing device could make sections of the network, or the entire network, inaccessible. Controlling
access to routers and enabling reporting on routers is critical to network security and should be part of a
comprehensive security policy.
In this lab, you will build a multi-router network and configure the routers and hosts. You will use automated
security features on router R3.
Note: The routers used with hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.6 (universalk9
image). The switches used in the labs are Cisco Catalyst 2960+ with Cisco IOS Release 15.2(7) (lanbasek9
image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco
IOS version, the commands available and the output produced might vary from what is shown in the labs.
Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers.
Note: Before you begin, ensure that the routers and the switches have been erased and have no startup
configurations.
Required Resources
3 Routers (Cisco 4221 with Cisco XE Release 16.9.6 universal image or comparable with a Security
Technology Package license)
2 Switches (Cisco 2960+ with Cisco IOS Release 15.2(7) lanbasek9 image or comparable)
2 PCs (Windows OS with a terminal emulation program, such as PuTTY or Tera Term installed)
Console cables to configure Cisco networking devices
Ethernet cables as shown in the topology
Instructions
b. Issue the show ip route command to verify that all networks display in the routing table on all routers.
R1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
show run, show ip ospf neighbor, and show ip route commands to help identify routing protocol-related
problems.
Close configuration window
enable
configure terminal
service password-encryption
security passwords min-length 10
enable algorithm-type scrypt secret cisco12345
ip domain name netsec.com
username user01 algorithm-type scrypt secret user01pass
username admin privilege 15 algorithm-type scrypt secret adminpasswd
banner motd " Unauthorized access is strictly prohibited! "
line con 0
exec-timeout 5 0
login local
logging synchronous
line aux 0
exec-timeout 5 0
login local
line vty 0 4
exec-timeout 5 0
privilege level 15
transport input ssh
login local
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
Close configuration window
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
banner motd ^C Unauthorized Access Prohibited ^C
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$lubv$Rdx4gHUcijbxV7p2z76/71
enable password 7 110A1016141D5D5B5C737B
username admin password 7 02050D4808095E731F1A5C
aaa new-model
aaa authentication login local_auth local
line console 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
R3#
Note: The questions asked and the output may vary depending on the features of the IOS image and
device.
1. What security-related configuration changes were performed on R3 by AutoSecure that were not performed in
previous sections of the lab on R1?
Type your answers here.
2. What security-related configuration changes were performed in previous sections of the lab that were not
performed by AutoSecure?
Type your answers here.
3. Identify at least five unneeded services that were locked down by AutoSecure and at least three security
measures applied to each interface.
Note: Some of the services listed as being disabled in the AutoSecure output above might not appear in the
show running-config output because they are already disabled by default for this router and Cisco IOS
version.
Services disabled include:
Type your answers here.
For each interface, the following were disabled:
Type your answers here.
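As an added worked example (not part of the Cisco lab), the following Python script compares abbreviated excerpts of the R1 manual hardening configuration and the R3 AutoSecure output shown above: it lists commands present in one but not the other (the substance of questions 1 and 2) and flags settings an auditor would question. The configuration lines are copied from the lab; the audit rules and thresholds (minimum password length 10, RSA modulus 2048) are this example's assumptions.

```python
import re
# Constructed, abbreviated excerpts of the two configs shown in the lab.
MANUAL_R1 = """\
service password-encryption
security passwords min-length 10
enable algorithm-type scrypt secret cisco12345
line vty 0 4
 transport input ssh
crypto key generate rsa general-keys modulus 1024
"""
AUTOSECURE_R3 = """\
no cdp run
security passwords min-length 6
enable secret 5 $1$lubv$Rdx4gHUcijbxV7p2z76/71
enable password 7 110A1016141D5D5B5C737B
username admin password 7 02050D4808095E731F1A5C
line con 0
 transport output telnet
"""

def commands(cfg):
    """Non-empty command lines with indentation stripped, as a set."""
    return {ln.strip() for ln in cfg.splitlines() if ln.strip()}

def only_in(cfg_a, cfg_b):
    """Commands in cfg_a that cfg_b lacks (answers questions 1 and 2 mechanically)."""
    return sorted(commands(cfg_a) - commands(cfg_b))

# Audit rules are this example's assumptions, not guidance quoted from the lab.
RULES = [  # (regex over one command line, finding)
    (r"^(enable|username \S+) password 7 ", "type 7 is reversible encoding; use a scrypt secret"),
    (r"^enable secret 5 ", "type 5 is salted MD5; prefer algorithm-type scrypt"),
    (r"^transport output telnet", "cleartext Telnet permitted; restrict transport to ssh"),
]
LIMITS = [  # (regex capturing a number, minimum acceptable value, finding)
    (r"^security passwords min-length (\d+)", 10, "minimum password length below 10"),
    (r"^crypto key generate rsa .*modulus (\d+)", 2048, "RSA modulus below 2048 bits"),
]

def audit(cfg):
    """Return one finding string per command that trips a rule or a limit."""
    findings = []
    for cmd in sorted(commands(cfg)):
        for pattern, msg in RULES:
            if re.match(pattern, cmd):
                findings.append(f"{cmd}: {msg}")
        for pattern, floor, msg in LIMITS:
            m = re.match(pattern, cmd)
            if m and int(m.group(1)) < floor:
                findings.append(f"{cmd}: {msg}")
    return findings
```

Running `only_in` in both directions reproduces the comparison the questions ask for; `audit` shows that AutoSecure's defaults (6-character minimum, type 7 passwords, Telnet output) and the manual config's 1024-bit key both deserve follow-up.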
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many
interfaces the router has. There is no way to effectively list all the combinations of configurations for each router
class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one. An
example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be
used in Cisco IOS commands to represent the interface.
End of document