Friday, November 9, 2012

INE Vol 2 Lab 5

IOS Firewall
  • 'ip options drop' (global config) drops every packet that carries IP options; the alternative 'ip options ignore' forwards the packet but ignores the options. Drop is the safer default when nothing on the network legitimately needs options such as source routing.
SSL VPN
  • Enable webvpn
    • webvpn
      • port 443
      • enable outside
      • tunnel-group-list enable
      • svc image flash:/anyconnect.img
      • svc enable
  • Set the tunnel protocol to svc under the group policy (vpn-tunnel-protocol svc) and point the tunnel group at that policy
  • Enable webvpn for the tunnel group
    • tunnel-group SSLVPN webvpn-attributes
      • group-alias SSLVPN enable
      • authentication aaa
  • If necessary, create a local user and lock it to the tunnel group so it cannot log in through any other group
    • username SSLUSER attributes
      • group-lock value SSLVPN
  • Set the SSL cipher suite (the lab asks for rc4-md5; it is a weak suite, so outside the lab prefer AES/SHA suites)
    • ssl encryption rc4-md5
  • Lastly, enable NAT exemption if required
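The steps above as one complete, ordered configuration, added here as an example rather than taken from the lab or the original notes. It assumes ASA 8.2-era syntax (svc keywords, nat 0 exemption), an outside interface named "outside", an inside subnet 10.1.1.0/24, a VPN pool 10.1.100.0/24 and a group policy named SSLGP; the AnyConnect image path and user name are the ones the notes use, and the password is a placeholder.

```text
! Added example, not part of the original notes. ASA 8.2 syntax assumed.
! Assumed values: outside interface, pool SSLPOOL 10.1.100.1-50, inside 10.1.1.0/24,
! group policy SSLGP. Tunnel group SSLVPN, user SSLUSER and the image path are from the notes.
ip local pool SSLPOOL 10.1.100.1-10.1.100.50 mask 255.255.255.0
!
webvpn
 port 443
 enable outside
 svc image flash:/anyconnect.img
 svc enable
 tunnel-group-list enable
!
! Group policy: only the SSL client (svc) protocol is allowed
group-policy SSLGP internal
group-policy SSLGP attributes
 vpn-tunnel-protocol svc
!
! Tunnel group: pool, default policy, alias shown in the client drop-down, AAA auth
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool SSLPOOL
 default-group-policy SSLGP
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
 authentication aaa
!
! Local user, locked to this tunnel group (password is a placeholder)
username SSLUSER password <password>
username SSLUSER attributes
 group-lock value SSLVPN
!
! NAT exemption (8.2 style): inside hosts talking to VPN clients are not translated
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.1.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! The lab calls for rc4-md5; this is the stronger choice for anything outside the lab
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
```

Verify with 'show webvpn svc' (image loaded) and 'show vpn-sessiondb svc' once a client connects; if the client connects but cannot reach inside hosts, the NAT exemption ACL is the first thing to check.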
DMVPN
  • Interesting point, I created my tunnel interfaces first, then I was going to protect them with IPSec, but my CA enrollment kept failing. If I shut down the tunnel interfaces and then enroll, it works just fine. Could be a code thing, I'm not sure.
  • Remember ISAKMP lifetimes are negotiated (the shorter of the two proposals wins), so if you already have an ISAKMP policy you will not need to create another one just for different timers.
AAA/Tacacs
  • Move a configuration-mode command down to a custom privilege level with 'privilege configure all level 7 snmp-server' ('all' covers every sub-keyword of snmp-server); the level-7 user also needs 'privilege exec level 7 configure terminal' to get into config mode at all
  • aaa authorization config-commands
    • Required to authorize config-mode commands, even if you have set 'aaa authorization commands 7 default group tacacs+' (note that 'start-stop' belongs to the matching 'aaa accounting commands' statement, not to authorization)
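The AAA and privilege-level pieces together, added here as an example and not copied from the lab or the notes. Assumed: a TACACS+ server at 10.1.1.5 with key "tacacskey", a local fallback user named "junior" with a placeholder password, and level 7 as the custom level the notes use.

```text
! Added example, not part of the original notes.
! Assumed: TACACS+ server 10.1.1.5 / key tacacskey, local user "junior", custom level 7.
aaa new-model
tacacs-server host 10.1.1.5 key tacacskey
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Command authorization for the custom level and for level 15
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Send configuration-mode commands for authorization as well
aaa authorization config-commands
!
! Accounting is a separate statement; this is where start-stop belongs
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Let a level-7 user enter config mode and run every snmp-server sub-command there
privilege exec level 7 configure terminal
privilege configure all level 7 snmp-server
!
! Local fallback for when the TACACS+ server is unreachable (password is a placeholder)
username junior privilege 7 secret <password>
```

With 'debug aaa authorization' you can watch each command (including the config-mode ones, once config-commands is on) being sent to the server; if the level-7 user can type 'configure terminal' but gets "Command authorization failed" on snmp-server, check the server-side command set before touching the router.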
Process Monitoring
  • You can alert on processor and memory usage
    • memory free low-watermark processor 5000
    • process cpu threshold type total rising 75 interval 60 falling 30 interval 60
    • snmp-server enable traps cpu threshold
    • snmp-server enable traps memory
    • logging host 162.1.38.100 transport tcp
Login Security
  • login quiet-mode access-class 1
    • Hosts permitted by ACL 1 are exempt from the quiet period set by 'login block-for'; they can still log in while everyone else is locked out, so this should be the management/NOC subnet
  • Login parameters are only supported with local password authentication or AAA
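A complete login-hardening block, added as an example rather than taken from the lab or the original notes. It assumes the management subnet is 10.1.1.0/24, a three-failures-in-sixty-seconds trigger, a 120-second quiet period, and a local user "admin" with a placeholder password (local auth satisfies the requirement in the previous bullet).

```text
! Added example, not part of the original notes.
! Assumed: management subnet 10.1.1.0/24, local user "admin", 3 failures / 60 s trigger.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Login parameters need local username auth or AAA; local shown here
username admin secret <password>
line vty 0 4
 login local
!
! After 3 failed attempts within 60 s, block all logins for 120 s
login block-for 120 attempts 3 within 60
! ... except from the hosts ACL 1 permits, which can still log in during the block
login quiet-mode access-class 1
! 2 s between successive attempts, and a syslog line for every success and failure
login delay 2
login on-failure log
login on-success log
```

'show login' reports whether the router is currently in quiet mode and what the thresholds are; 'show login failures' lists the source addresses that tripped it, which is the data you want when deciding whether the lockout was an attack or a mistyped password from the NOC.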
Source Tracking
  • ip source-track [address] - enables source tracking for the specified host (the destination being flooded), collecting per-interface counters for traffic to it
  • show ip source-track [address] - show results; 'show ip source-track summary' gives the per-host totals
IOS IPS
  • specify the IPS signature location
    • ip ips config location flash:ips
  • Enable the IOS basic signature set: retire everything first, then unretire the basic category (order matters, since the later category statement takes precedence where they overlap)
    • ip ips signature-category
      • category all
        • retired true
      • category ios_ips basic
        • retired false
  • Disable a specific signature
    • ip ips signature-definition
      • signature 3106 0
        • status
          • retired true
  • Tune Signature
    • ip ips signature-definition
      • signature 2000 0
        • alert-severity high
  • Enable SDEE event report
    • ip ips notify SDEE
  • Set TVR
    • ip ips event-action-rules
      • target-value high target-address 192.10.1.0/24
  • Enable IPS
    • ip ips name IPS list IPS
    • int s1/0
      • ip ips IPS in
  • Show ips configuration
    • show ip ips configuration
