Vous êtes sur la page 1sur 7

host R1

no ip domain-lookup

int g0/0
ip add 209.165.200.225 255.255.255.248
no shut

int s0/0/0
ip add 10.1.1.1 255.255.255.252
clock rate 128000
no shut

int lo1
ip add 172.20.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 s0/0/0

security passwords min-length 10


service password-encryption
banner motd $UNAUTHORISED ACCESS IS STRICTLY PROHIBITED AND PROSECUTED TO THE FULL
EXTENT OF THE LAW!$
enable algorithm-type scrypt secret cisco12345

username Admin01 privilege 15 algorithm-type scrypt secret Admin01pa55

aaa new-model
aaa authentication login default local-case enable

line con 0
privilege level 15
exec-timeout 15 0
logging synchronous
login authentication default
exi

line vty 0 4
privilege level 15
exec-timeout 15 0
logging synchronous
transport input ssh
login authentication default
exi

login on-success log


login on-failure log every 2
do show login

ip http server
ip http authentication local

ip domain-name ccnasecurity.com
crypto key generate rsa general-keys modulus 1024

ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2

login block-for 60 attempts 2 within 30


login on-failure log

secure boot-image
secure boot-config
do show secure bootset
no secure boot-image
no secure boot-config

ntp authenticate
ntp authentication-key 1 md5 NTPpassword
ntp trusted-key 1
ntp server 10.1.1.2
ntp update-calendar
do show ntp associations
do show ntp status

===============================================================================

host R2

no ip domain-lookup

int s0/0/0
ip add 10.1.1.2 255.255.255.252
no shut

int s0/0/1
ip add 10.2.2.2 255.255.255.252
clock rate 128000
no shut

ip route 209.165.200.224 255.255.255.248 s0/0/0


ip route 172.16.3.0 255.255.255.0 s0/0/1
ip route 172.20.1.0 255.255.255.0 s0/0/0

do show clock
do clock set 10:30:00 July 14 2017
do show clock

ntp authenticate
ntp authentication-key 1 md5 NTPpassword
ntp trusted-key 1
ntp master 3

===============================================================================

host R3

no ip domain-lookup

int f0/1
ip add 172.16.3.1 255.255.255.0
no shut

int s0/0/1
ip add 10.2.2.1 255.255.255.252
no shut

ip route 0.0.0.0 0.0.0.0 s0/0/1


security passwords min-length 10
service password-encryption
banner motd $UNAUTHORISED ACCESS IS STRICTLY PROHIBITED AND PROSECUTED TO THE FULL
EXTENT OF THE LAW!$
enable algorithm-type scrypt secret cisco12345

username Admin01 privilege 15 algorithm-type scrypt secret Admin01pa55

aaa new-model
aaa authentication login default local-case enable

line con 0
privilege level 15
exec-timeout 15 0
logging synchronous
login authentication default
exi

line vty 0 4
privilege level 15
exec-timeout 15 0
logging synchronous
transport input ssh
login authentication default
exi

login on-success log


login on-failure log every 2

ip http server
ip http authentication local

ip domain-name ccnasecurity.com
crypto key generate rsa general-keys modulus 1024

ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2

ntp authenticate
ntp authentication-key 1 md5 NTPpassword
ntp trusted-key 1
ntp server 10.2.2.2
ntp update-calendar
do show ntp associations
do show ntp status

service timestamps log datetime msec


logging 172.16.3.3

logging trap 4
do show logging

zone security INSIDE


zone security OUTSIDE

class-map type inspect match-any INSIDE_PROTOCOLS


match protocol tcp
match protocol udp
match protocol icmp
exi

policy-map type inspect INSIDE_TO_OUTSIDE


class type inspect INSIDE_PROTOCOLS
inspect
exi
exi

zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE


service-policy type inspect INSIDE_TO_OUTSIDE

int f0/1
zone-member security INSIDE

int s0/0/1
zone-member security OUTSIDE
exi
exi

show zone-pair security


show policy-map type inspect zone-pair
show zone security

conf t
crypto isakmp enable
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2

crypto isakmp key Site2SiteKEY1 address 209.165.200.226


do show crypto isakmp policy

crypto ipsec transform-set TRNSFRM-SET esp-aes 256 esp-sha-hmac

ip access-list extended 101


permit ip 172.16.3.0 0.0.0.255 192.168.1.0 0.0.0.255
exi

crypto map CMAP 1 ipsec-isakmp


match address 101
set transform-set TRNSFRM-SET
set peer 209.165.200.226

int s0/0/1
crypto map CMAP
end

show crypto map


show crypto ipsec sa

!delete flash:ipsdir/*
mkdir ipsdir

conf t
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
exit
exit

ip ips config location flash:/ipsdir/


ip ips notify SDEE
ip ips name IOSIPS

ip ips signature-category
category all
retired true
exi
category ios_ips basic
retired false
exi
exi

int s0/0/1
ip ips IOSIPS in
exi
exi

copy tftp://172.16.3.3/IOS-S988-CLI.pkg idconf

===============================================================================

host S1

no ip domain-lookup

int vlan1
ip add 192.168.2.11 255.255.255.0
no shut
ip default-gateway 192.168.2.1

no ip http server
no ip http secure-server

enable algorithm-type scrypt secret cisco12345


banner motd $UNAUTHORISED ACCESS IS STRICTLY PROHIBITED$

ip domain-name ccnasecurity.com
username Admin01 privilege 15 algorithm-type scrypt secret Admin01pa55
service password-encryption
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
ip ssh time-out 90
ip ssh authentication-retries 2

line con 0
privilege level 15
exec-timeout 5 0
logging synchronous
login local
exi

line vty 0 4
privilege level 15
exec-timeout 5 0
logging synchronous
transport input ssh
login local
exi

int f0/6
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security violation shutdown
spanning-tree portfast
spanning-tree portfast bpduguard default
int range f0/1-5
shut
spanning-tree guard loop
int range f0/7-23
shut
spanning-tree guard loop

===============================================================================

host S2

no ip domain-lookup

int vlan1
ip add 192.168.1.11 255.255.255.0
no shut
ip default-gateway 192.168.1.1

===============================================================================

host S3

no ip domain-lookup

int vlan1
ip add 172.16.3.11 255.255.255.0
no shut
ip default-gateway 172.16.3.1

===============================================================================
hostname ASA

int vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
no shut

int vlan2
nameif outside
ip address 209.165.200.226 255.255.255.248
security-level 0
no shut

int vlan3
no forward int vlan 1
nameif dmz
ip address 192.168.2.1 255.255.255.0
security-level 70
no shut

int e0/0
switchport access vlan 2
no shut

int e0/1
switchport access vlan 1
no shut

int e0/2
switchport access vlan 3
no shut

sh inter ip b
sh ip add
sh switch vlan

http server enable


http 192.168.1.0 255.255.255.0 inside