Showing posts with label CCNA SECURITY. Show all posts

Tuesday 18 June 2024

What is Cisco IOS Zone Based Firewall on router? How to configure ZBF on Cisco Routers?

Zone Based Firewall

ZBF (Zone Based Firewall) is the stateful firewall available on Cisco IOS routers, introduced in 2006. ZBF supports deep packet inspection, just like an ASA. ZBF works on the concept of security zones, and you can name the zones whatever you want. In ZBF we don't assign an access-list to the interface; we create zones, assign each interface to a zone (one interface can only be a member of one zone), and apply security policies between the zones. The default policy is to block all traffic between zones unless we explicitly allow it.

 

  • Zone-Based Model: Interfaces are assigned to zones, and inspection policy is applied to traffic moving between these zones.
  • Flexible Configuration: Allows for more granular control of traffic based on zones rather than just interfaces.
  • Stateful Inspection: Maintains the state of active sessions and inspects traffic accordingly.
  • Successor to CBAC: ZBF is considered the successor to Context-Based Access Control (CBAC), offering enhanced security features.


Let's see the configuration of ZBF:

Topology:-




Goal:

  • Build the topology as shown in the diagram
  • Assign IP addresses as per the topology
  • Configure EIGRP 100 and advertise all the interfaces
  • Configure router-2 for ZBF
  • Configure zone INSIDE for the LAN and zone OUTSIDE for the internet
  • Configure an extended ACL
  • Allow PC-2 to ping server 30.1.1.11
  • Allow telnet from INSIDE
  • Leave the rest at the default
  • Verify the configuration with telnet, ping, and show commands



(First, configure the IP addresses on PC-1 and PC-2 in the INSIDE zone.)

PC1> ip 10.1.1.10 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.10 255.0.0.0 gateway 10.1.1.1

PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1

DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10026
RHOST:PORT  : 127.0.0.1:10027
MTU:        : 1500

PC2> ip 10.1.1.11 255.0.0.0 10.1.1.1
Checking for duplicate address...
PC1 : 10.1.1.11 255.0.0.0 gateway 10.1.1.1

PC2> show ip
NAME        : PC2[1]
IP/MASK     : 10.1.1.11/8
GATEWAY     : 10.1.1.1

DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10028
RHOST:PORT  : 127.0.0.1:10029
MTU:        : 1500

PC1> ping 10.1.1.11
84 bytes from 10.1.1.11 icmp_seq=1 ttl=64 time=0.583 ms
84 bytes from 10.1.1.11 icmp_seq=2 ttl=64 time=0.495 ms
84 bytes from 10.1.1.11 icmp_seq=3 ttl=64 time=0.511 ms
84 bytes from 10.1.1.11 icmp_seq=4 ttl=64 time=0.780 ms
84 bytes from 10.1.1.11 icmp_seq=5 ttl=64 time=0.759 ms

Configure the IP addresses between the routers and LAN interfaces


R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface serial 4/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R2(config)#interface serial 4/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R3(config)#interface serial 4/1
R3(config-if)#ip address 192.168.2.2 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.1.1.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

Configure the IP addresses on server-1 and server-2 in the OUTSIDE zone


server2> ip 30.1.1.10 255.0.0.0 30.1.1.1
Checking for duplicate address...
PC1 : 30.1.1.10 255.0.0.0 gateway 30.1.1.1

server2> show ip
NAME        : server2[1]
IP/MASK     : 30.1.1.10/8
GATEWAY     : 30.1.1.1

DNS         :
MAC         : 00:50:79:66:68:04
LPORT       : 10034
RHOST:PORT  : 127.0.0.1:10035
MTU:        : 1500

server> ip 30.1.1.11 255.0.0.0 30.1.1.1
Checking for duplicate address...
PC1 : 30.1.1.11 255.0.0.0 gateway 30.1.1.1

server> show ip
NAME        : server[1]
IP/MASK     : 30.1.1.11/8
GATEWAY     : 30.1.1.1

DNS         :
MAC         : 00:50:79:66:68:05
LPORT       : 10036
RHOST:PORT  : 127.0.0.1:10037
MTU:        : 1500


Configure routing between the routers and advertise the directly connected interfaces


R1(config)#router eigrp 100
R1(config-router)#network 192.168.1.0
R1(config-router)#network 10.0.0.0
R1(config-router)#no auto-summary
R1(config-router)#exit

R2(config)#router eigrp 100
R2(config-router)#network 192.168.1.0
R2(config-router)#network 192.168.2.1
R2(config-router)#no auto-summary
R2(config-router)#exit

R3(config)#router eigrp 100
R3(config-router)#network 192.168.2.0
R3(config-router)#network 30.0.0.0
R3(config-router)#no auto-summary
R3(config-router)#exit


Verify connectivity with a ping from PC-1 to server-1 (30.1.1.10)


PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1


PC1> ping 30.1.1.10
84 bytes from 30.1.1.10 icmp_seq=1 ttl=61 time=115.597 ms
84 bytes from 30.1.1.10 icmp_seq=2 ttl=61 time=94.468 ms
84 bytes from 30.1.1.10 icmp_seq=3 ttl=61 time=94.519 ms
84 bytes from 30.1.1.10 icmp_seq=4 ttl=61 time=78.793 ms
84 bytes from 30.1.1.10 icmp_seq=5 ttl=61 time=78.209 ms


As you can see, the connectivity is good. Now configure telnet on router-1 and router-2; for testing, do not configure a login password.



R1(config)#line vty 0 4
R1(config-line)#no login
R1(config-line)#exit

*Jun 17 11:54:55.771: %SYS-5-CONFIG_I: Configured from console by console
R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

R3>
R3>
R3>
R3>


Our inside router-1 can telnet to router-3. In the same way, configure telnet on router-3.



R3(config)#line vty 0 4
R3(config-line)#lo
R3(config-line)#no login
R3(config-line)#exit
R3(config)#end
R3#
R3#
R3#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
R1>
R1>
R1>
R1>


Now configure a zone named INSIDE for our LAN traffic and a zone named OUTSIDE for the internet side.

R2(config)#zone security INSIDE
R2(config-sec-zone)#exit
R2(config)#zone security OUTSIDE
R2(config-sec-zone)#exit

R2(config)#interface serial 4/0
R2(config-if)#zone-member security INSIDE
R2(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#zone-member security OUTSIDE
R2(config-if)#exit

The default policy is to block all traffic unless we explicitly allow it, so now configure an ACL that permits 10.1.1.11 to ping and permits 10.1.1.1 to telnet.


R2(config)#ip access-list extended 150
R2(config-ext-nacl)#permit icmp host 10.1.1.11 any echo
R2(config-ext-nacl)#permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet
R2(config-ext-nacl)#exit

R2#show access-lists 150
Extended IP access list 150
    10 permit icmp host 10.1.1.11 any echo (3 matches)
    30 permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet (1 match)


Configure a class map to classify the traffic that will be inspected


R2(config)#class-map type inspect INSIDE-OUTSIDE-CLASS
R2(config-cmap)#match access-group 150
R2(config-cmap)#exit

Configure a policy map to define the ZBF action (inspect) for the classified traffic


R2(config)#policy-map type inspect INSIDE-OUTSIDE-POLICY
R2(config-pmap)#class type inspect INSIDE-OUTSIDE-CLASS
R2(config-pmap-c)#inspect
R2(config-pmap-c)#exit
R2(config-pmap)#exit

Configure the zone pair (INSIDE as source, OUTSIDE as destination) and attach the policy to it

R2(config)#zone-pair security INSIDE-OUTSIDE-PAIR source INSIDE destination OUTSIDE
R2(config-sec-zone-pair)#service-policy type inspect INSIDE-OUTSIDE-POLICY
R2(config-sec-zone-pair)#exit
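To make the interaction of the four pieces just configured (ACL, class map, policy map, zone pair) concrete, here is a small Python model of the ZBF decision logic. It is an added example, not Cisco's implementation and not code from this post. The zone names, interface names, ACL 150 and the addresses are those of the lab above; the `Flow` type, the `ZoneBasedFirewall` class and `lab_scenarios()` are my own constructions.

```python
"""Toy model of the Cisco IOS zone-based firewall (ZBF) decision logic
from the lab above (added illustrative code, not Cisco's implementation).
It models the behaviour the post describes:
  * each interface belongs to exactly one zone;
  * a zone-pair (source -> destination) carries an inspect policy whose
    class is matched by an extended ACL;
  * 'inspect' is stateful, so return traffic of a session that was allowed
    INSIDE->OUTSIDE is permitted back without a second zone-pair;
  * everything else between zones is dropped (the default policy).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str          # "icmp" or "tcp"
    dst_port: int = 0   # 0 for icmp
    src_port: int = 0


def acl_150_permits(f: Flow) -> bool:
    """ACL 150 from the lab:
    permit icmp host 10.1.1.11 any echo
    permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet
    """
    if f.proto == "icmp" and f.src_ip == "10.1.1.11":
        return True
    if (f.proto == "tcp" and f.src_ip == "10.1.1.1"
            and f.dst_ip == "30.1.1.1" and f.dst_port == 23):
        return True
    return False


@dataclass
class ZoneBasedFirewall:
    zone_of: dict        # interface name -> zone name
    zone_pairs: dict     # (src_zone, dst_zone) -> class-match callable
    sessions: set = field(default_factory=set)  # flows created by 'inspect'

    def forward(self, in_if: str, out_if: str, f: Flow) -> str:
        src_zone = self.zone_of.get(in_if)
        dst_zone = self.zone_of.get(out_if)
        # Traffic that stays inside one zone is not subject to zone-pair policy.
        if src_zone == dst_zone:
            return "permit (same zone)"
        # Return traffic of an inspected session is allowed back through,
        # even though no OUTSIDE->INSIDE zone-pair exists.
        reverse = Flow(f.dst_ip, f.src_ip, f.proto, f.src_port, f.dst_port)
        if reverse in self.sessions:
            return "permit (return traffic of inspected session)"
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is not None and policy(f):
            self.sessions.add(f)
            return "inspect (session created)"
        return "drop (default policy)"


def lab_scenarios() -> dict:
    """Replays the tests the post performs and returns the firewall verdicts."""
    fw = ZoneBasedFirewall(
        zone_of={"Serial4/0": "INSIDE", "Serial4/1": "OUTSIDE"},
        zone_pairs={("INSIDE", "OUTSIDE"): acl_150_permits},
    )
    r = {}
    # PC-2 pings server 30.1.1.11: matched by ACL 150, inspected
    r["pc2_ping"] = fw.forward("Serial4/0", "Serial4/1", Flow("10.1.1.11", "30.1.1.11", "icmp"))
    # the echo reply arrives OUTSIDE->INSIDE: no zone-pair, but the session exists
    r["pc2_ping_reply"] = fw.forward("Serial4/1", "Serial4/0", Flow("30.1.1.11", "10.1.1.11", "icmp"))
    # PC-1 is not in ACL 150, so its ping is dropped
    r["pc1_ping"] = fw.forward("Serial4/0", "Serial4/1", Flow("10.1.1.10", "30.1.1.11", "icmp"))
    # R1 telnets to R3 sourced from 10.1.1.1 (ephemeral source port is constructed)
    r["r1_telnet"] = fw.forward("Serial4/0", "Serial4/1", Flow("10.1.1.1", "30.1.1.1", "tcp", 23, 40000))
    r["r1_telnet_reply"] = fw.forward("Serial4/1", "Serial4/0", Flow("30.1.1.1", "10.1.1.1", "tcp", 40000, 23))
    # R3 telnets to R1: initiated from OUTSIDE, no zone-pair in that direction
    r["r3_telnet"] = fw.forward("Serial4/1", "Serial4/0", Flow("30.1.1.1", "10.1.1.1", "tcp", 23, 50000))
    return r


if __name__ == "__main__":
    for name, verdict in lab_scenarios().items():
        print(f"{name:16s} -> {verdict}")
```

Note the asymmetry the model makes visible: only an INSIDE to OUTSIDE zone pair exists, so anything initiated from OUTSIDE (such as R3's telnet attempt toward R1) hits the default drop, while echo replies and telnet responses get back in only because `inspect` recorded the session. That one-way zone pair is what shields R1's VTY lines, which the lab left with `no login` for testing, from the outside.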


From router-1, try to access router-3 with telnet


R1#telnet 30.1.1.1 telnet /source-interface fastEthernet 0/0
Trying 30.1.1.1 ... Open
R3>
R3>
R3>

R3>show ip interface br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            30.1.1.1        YES manual up                    up
Serial4/1                  192.168.2.2     YES manual up                    up


As you can see, router-1 can access router-3 remotely with telnet because we allowed it.


R3#telnet 10.1.1.1 /source-interface fastEthernet 0/0
Trying 10.1.1.1 ...
% Connection timed out; remote host not responding


But router-3 cannot access router-1 with telnet because we didn't allow it; by default, all traffic is blocked.


PC1> show ip
NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1




PC1> ping 30.1.1.11
30.1.1.11 icmp_seq=1 timeout
30.1.1.11 icmp_seq=2 timeout
30.1.1.11 icmp_seq=3 timeout
30.1.1.11 icmp_seq=4 timeout
30.1.1.11 icmp_seq=5 timeout

From the above output you can see that PC-1 cannot ping the servers because we didn't allow it. We allowed PC-2 (10.1.1.11) to ping any network.

PC2> show ip
NAME        : PC2[1]
IP/MASK     : 10.1.1.11/8
GATEWAY     : 10.1.1.1


PC2> ping 30.1.1.11
84 bytes from 30.1.1.11 icmp_seq=1 ttl=61 time=127.289 ms
84 bytes from 30.1.1.11 icmp_seq=2 ttl=61 time=94.466 ms
84 bytes from 30.1.1.11 icmp_seq=3 ttl=61 time=94.540 ms
84 bytes from 30.1.1.11 icmp_seq=4 ttl=61 time=93.967 ms
84 bytes from 30.1.1.11 icmp_seq=5 ttl=61 time=94.784 ms



R2#show zone-pair security
Zone-pair name INSIDE-OUTSIDE-PAIR
    Source-Zone INSIDE  Destination-Zone OUTSIDE
    service-policy INSIDE-OUTSIDE-POLICY



R2#show access-lists 150
Extended IP access list 150
    10 permit icmp host 10.1.1.11 any echo (3 matches)
    30 permit tcp host 10.1.1.1 host 30.1.1.1 eq telnet (1 match)


R2#show zone security INSIDE
zone INSIDE
  Member Interfaces:
    Serial4/0


R2#show zone security OUTSIDE
zone OUTSIDE
  Member Interfaces:
    Serial4/1


If you like this blog, please visit our YouTube channel https://www.youtube.com/@internetworkss


Saturday 15 June 2024

What are TACACS+ RADIUS and Diameter protocols? How to configure TACACS+ RADIUS in cisco packet tracer? CCNA security

What are the TACACS+, RADIUS and Diameter protocols?


TACACS+, RADIUS, and Diameter are protocols that provide a centralized management system for AAA (Authentication, Authorization, and Accounting). An ACS (Access Control Server) supports the RADIUS and TACACS+ protocols and is commonly used in enterprise environments. TACACS+, RADIUS, and Diameter have some key differences. (If you are not familiar with AAA, please click here.)


Types of AAA Protocols

  • Terminal access controller access-control system plus (TACACS+)
  • Remote authentication dial-in user service (RADIUS)
  • Diameter

TACACS+ (Terminal Access Controller Access Control System Plus) is an enhancement to TACACS developed by Cisco, which means TACACS+ is Cisco's proprietary protocol. TACACS+ is mainly used for device administration using ACS (Access Control Server), and it carries the communication between the client and the Cisco ACS server. TACACS+ is a reliable protocol because it uses TCP port 49 for communication, and the TACACS+ communication is encrypted, meaning the entire packet body is encrypted. TACACS+ provides more control over accounting and authorization. TACACS+ combines authentication and authorization in one step.


Remote Authentication Dial-In User Service (RADIUS) is the IETF standard protocol. The RADIUS protocol is used for communication between any vendor's (Cisco or non-Cisco) AAA client and the ACS server, so if you are using devices from multiple vendors you can use RADIUS. RADIUS communication is faster but a bit less reliable because it uses UDP: port 1645/1812 for authentication and 1646/1813 for accounting. Authentication and authorization can be done in a single process. The RADIUS key with MD5 is used to hide the user password.
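To show what "the RADIUS key with MD5 is used to hide the user password" means in practice, here is a worked Python implementation of the User-Password hiding from RFC 2865 section 5.2. It is an added example, not code from this post or from any RADIUS product. The shared secret `cisco123`, the fixed Request Authenticator and the password `user2` are constructed sample values.

```python
"""RADIUS User-Password hiding, RFC 2865 section 5.2 (added example).

The client never sends the password itself. It pads the password with
NUL bytes to a multiple of 16, then XORs each 16-byte block with a
keystream block b_i, where
    b_1 = MD5(secret + RequestAuthenticator)
    b_i = MD5(secret + c_(i-1))     (c = previous ciphertext block)
The server, which knows the secret and sees the Request Authenticator in
the packet header, reverses the XOR to recover the password.
"""
import hashlib
import os


def new_request_authenticator() -> bytes:
    """A real client generates a fresh, unpredictable 16-byte value per request."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the hidden User-Password attribute value (multiple of 16 bytes)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: next keystream depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the password and strip the NUL padding."""
    if len(hidden) % 16 != 0 or len(authenticator) != 16:
        raise ValueError("malformed hidden password or authenticator")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def demo() -> dict:
    """Round-trips a constructed sample through hide/reveal."""
    secret = b"cisco123"                 # constructed shared key
    authenticator = bytes(range(16))     # constructed; use new_request_authenticator() for real
    password = b"user2"
    hidden = hide_password(password, secret, authenticator)
    return {
        "hidden_len": len(hidden),
        "hidden_differs": hidden != password + b"\x00" * 11,
        "round_trip_ok": reveal_password(hidden, secret, authenticator) == password,
        "wrong_secret_fails": reveal_password(hidden, b"wrong", authenticator) != password,
    }


if __name__ == "__main__":
    print(demo())
```

Only the User-Password attribute is obscured in this way; the rest of the RADIUS packet travels in the clear, which is the contrast with the encrypted TACACS+ packet body drawn above. The Request Authenticator has to be fresh and unpredictable for every request, since the keystream for the first block is just MD5(secret + authenticator).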

The Diameter protocol is an AAA protocol that works with Long-Term Evolution (LTE) and multimedia networks. Diameter is an advanced Authentication, Authorization, and Accounting (AAA) protocol that evolved from the earlier RADIUS protocol. It is part of the application layer protocols in the Internet protocol suite.


Let's see the configuration of the AAA TACACS+ and RADIUS server:

Topology:-




Goal: TACACS+

  • Configure the topology as per the diagram
  • Configure the IP addresses as per the topology
  • Configure dynamic routing between the networks
  • Configure AAA authentication, with the key (internet) the same on both the router and the server
  • Verify with telnet from PC-1 192.168.10.30
  • Configure the RADIUS server
  • Verify with telnet from the remote PC 192.168.30.10


ROUTER-1(config)#interface gigabitEthernet 0/1
ROUTER-1(config-if)#ip address 192.168.10.1 255.255.255.0
ROUTER-1(config-if)#no shutdown
ROUTER-1(config-if)#exit

ROUTER-1(config)#interface gigabitEthernet 0/0
ROUTER-1(config-if)#ip address 192.168.20.1 255.255.255.0
ROUTER-1(config-if)#no shutdown
ROUTER-1(config-if)#exit
 
ROUTER-2(config)#interface gigabitEthernet 0/0
ROUTER-2(config-if)#ip address 192.168.20.2 255.255.255.0
ROUTER-2(config-if)#no shutdown
ROUTER-2(config-if)#exit

ROUTER-2(config)#interface gigabitEthernet 0/1
ROUTER-2(config-if)#ip address 192.168.30.1 255.255.255.0
ROUTER-2(config-if)#no shutdown
ROUTER-2(config-if)#exit

ROUTER-1(config)#router eigrp 100
ROUTER-1(config-router)#network 192.168.10.0
ROUTER-1(config-router)#network 192.168.20.0
ROUTER-1(config-router)#no auto-summary
ROUTER-1(config-router)#exit

%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.20.1 (GigabitEthernet0/0) is up: new adjacency

ROUTER-2(config)#router eigrp 100
ROUTER-2(config-router)#network 192.168.20.0
ROUTER-2(config-router)#network 192.168.30.0
ROUTER-2(config-router)#no auto-summary
ROUTER-2(config-router)#exit

%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.20.1 (GigabitEthernet0/0) is up: new adjacency




ROUTER-1(config)#username admin password internet
ROUTER-1(config)#tacacs-server host 192.168.10.10
ROUTER-1(config)#tacacs-server key cisco123

ROUTER-1(config)#aaa new-model
ROUTER-1(config)#aaa authentication login cisco123 group tacacs+ local

ROUTER-1(config)#line console 0
ROUTER-1(config-line)#login authentication cisco123
ROUTER-1(config-line)#exit
ROUTER-1(config)#end

User Access Verification

Username: user1
Password:

ROUTER-1>
ROUTER-1>
ROUTER-1>password is user1


C:\>ipconfig

FastEthernet0 Connection:(default port)

Link-local IPv6 Address.........: FE80::2D0:D3FF:FEBA:44B2
IP Address......................: 192.168.10.30
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.10.1





(Let's create another user with the name user2 and password user2.)

(Now verify with telnet from PC 192.168.10.30.)









ROUTER-1#show aaa sessions
Total sessions since last reload: 3
Session Id:4
Unique Id:4
User Name:user2
IP Address:192.168.10.30
Idle Time: 0
CT Call Handle: 0


Tuesday 11 June 2024

What is Cisco intrusion detection systems (IDS) and intrusion prevention systems (IPS)? | What is the difference between IPS and IDS? | How to configure Cisco intrusion prevention systems (IPS)? cyber security | intrusion prevention

An intrusion prevention system (IPS) is a network security tool, also known as an Intrusion Detection and Prevention System, which can be a hardware device or software. An IPS continuously monitors a network for malicious activity and takes action to prevent it when it does occur, including reporting, blocking, or dropping it. An IPS is placed inline in the network traffic flow between the source and destination; it analyzes all traffic flows that enter the network and can detect or prevent network security attacks.




What do IPS and IDS sensors do?

An IPS/IDS sensor is a device that continuously monitors the traffic on the network and then decides, based on a set of rules, whether that traffic is okay or whether it is malicious in some way.


An intrusion prevention system (IPS) is placed directly inline with the flow of network traffic, and each packet goes through the IPS sensor on its way. If malicious traffic is found by the IPS, it can drop the packet and deny it reaching the destination, based on the configured rules; this concept is called IPS. The IPS adds a small amount of delay before forwarding packets. Because the IPS is inline, it can manipulate traffic inline based on the current set of rules.

What is the inline sensor?

A sensor is placed inline with the traffic, which means whatever network traffic goes through the network is forced to go in one physical port on the sensor, and the sensor analyzes the traffic. Let's take a look at the inline topology.




The intrusion detection system also continuously monitors the network traffic, analyzes it, identifies malicious packets, and generates alerts, but an IDS cannot prevent the attack by dropping the packets, because it is an intrusion detection system, not a prevention system. The original packet is already on its way to the destination, so the IDS cannot drop it. An IDS is not inline with the flow of network traffic; the IDS is sent copies of the original packets. An IPS adds a small amount of delay, but an IDS does not add any delay to the original network traffic, and an IDS cannot manipulate any original inline traffic. Let's take a look at the IDS, which is not inline.



IPS/IDS sensor platform

We must use IPS/IDS sensors in our network to enhance network protection. Cisco has several IPS/IDS sensor platforms that enable us to implement network protection, as follows:

  • A dedicated IPS appliance
  • Software-based IPS running on the router
  • A module in an IOS router, such as AIM-IPS or NME-IPS
  • A blade for a 6500 series multilayer switch
  • Cisco Firepower 7000/8000 series appliance
  • ASA with FirePOWER services


Malicious traffic on the network identification

IPS/IDS sensors can identify malicious packets on the network in many different ways, based on the rules placed in the sensors; some of the rules are default and some we can create or modify. There are several different methods by which IPS/IDS sensors can be configured to identify malicious traffic:

  • Signature-based IPS/IDS
  • Policy-based IPS/IDS
  • Anomaly-based IPS/IDS
  • Reputation-based IPS/IDS

(In the next post we will look more deeply into these methods and actions.)


Let's see how to configure the IOS Intrusion Prevention System (IPS).

Topology:-configure IOS Intrusion Prevention System (IPS)




Goal: The task is to enable IPS on R1 to scan traffic entering the 192.168.10.0 network. The syslog server 192.168.10.20 is used to log IPS messages. From the PC in the red zone, attempting to ping the PC in the green zone should fail, and from the PC in the green zone, attempting to ping the PC in the red zone should pass.

  • Enable IOS IPS
  • Enable the security technology package
  • Verify network connectivity
  • Create an IOS IPS configuration directory in flash
  • Configure the IPS signature location
  • Create an IPS rule
  • Enable logging
  • Configure IOS IPS to use the signature categories
  • Apply the IPS rule to an interface
  • Modify the signature
  • Change the event action of the signature
  • Verify that IPS is working properly
  • From the PC in the red zone, an attempt to ping the PC in the green zone should fail
  • From the PC in the green zone, an attempt to ping the PC in the red zone should pass
  • View the syslog messages





Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 192.168.20.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
 
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
 
Router(config)#ip route 192.168.40.0 255.255.255.0 192.168.20.2
Router(config)#exit
 
Router2(config)#interface gigabitEthernet 0/1
Router2(config-if)#ip address 192.168.20.2 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
 
Router2(config)#interface gigabitEthernet 0/0
Router2(config-if)#ip address 192.168.30.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
 
Router2(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1
Router2(config)#ip route 192.168.40.0 255.255.255.0 192.168.30.2
Router2(config)#exit
Router3(config)#interface gigabitEthernet 0/0
Router3(config-if)#ip address 192.168.30.2 255.255.255.0
Router3(config-if)#no shutdown
Router3(config-if)#exit
 
Router3(config)#interface gigabitEthernet 0/1
Router3(config-if)#ip address 192.168.40.1 255.255.255.0
Router3(config-if)#no shutdown
Router3(config-if)#exit
 
Router3(config)#ip route 192.168.10.0 255.255.255.0 192.168.30.1
Router3(config)#exit
 
 
 
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
 
Gateway of last resort is not set
 
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
L 192.168.10.1/32 is directly connected, GigabitEthernet0/1
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, GigabitEthernet0/0
L 192.168.20.1/32 is directly connected, GigabitEthernet0/0
S 192.168.40.0/24 [1/0] via 192.168.20.2
 
 
 
 
 
 
 
Router#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc2)
 
 
License Info:
 
License UDI:
 
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO1941/K9 FTX1524UTQ7-
 
 
Technology Package License Information for Module:'c1900'
 
----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
-----------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security None None None
data None None None
 
Configuration register is 0x2102
 
 
Router(config)#license boot module c1900 technology-package securityk9
 
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE
 
ACCEPT? [yes/no]: yes
% use 'write' command to make license boot config take effect on next boot
 
Router(config)#: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C1900 Next reboot level = securityk9 and License = securityk9
 
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
 
Router#reload
Proceed with reload? [confirm]

Router#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir

Router(config)#ip ips config location flash:ipsdir

Router(config)#ip ips ?
config Location of IPS configuration files
fail Specify what to do during any failures
name Specify an IPS rule
notify Specify the notification mechanisms (SDEE or log) for
the alarms
signature-category Signature Category
signature-definition Signature Definition

Router(config)#ip ips name iosips
Router(config)#ip ips notify log
Router(config)#service timestamps log datetime msec
Router(config)#logging host 192.168.10.20
Router(config)#ip ips signature-category


Router(config-ips-category)#?
category Category keyword
exit Exit from Category Mode
no Negate or set default values of a command

Router(config-ips-category)#category all
Router(config-ips-category-action)#?
exit Exit from Category Actions Mode
no Negate or set default values of a command
retired Retire Category Signatures

Router(config-ips-category-action)#retired true
Router(config-ips-category-action)#exit

Router(config-ips-category)#category ?
all All Categories
ios_ips IOS IPS (more sub-categories

Router(config-ips-category)#category ios_ips basic
Router(config-ips-category-action)#retired false
Router(config-ips-category-action)#exit
Router(config-ips-category)#exit

Do you want to accept these changes? [confirm]
Applying Category configuration to signatures ...
%IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 6 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 30 ms - packets for this engine will be scanned

Router(config)#interface gigabitEthernet 0/1
Router(config-if)#ip ips iosips out
Router(config-if)#exit

*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_BUILDS_STARTED: 00:16:37 UTC Mar 01 1993
*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*Mar 01, 00:16:37.1616: %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
*Mar 01, 00:16:37.1616: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms
*Mar 01, 00:16:53.1616: %SYS-5-CONFIG_I: Configured from console by console
*Mar 01, 00:16:53.1616: *Mar 01, 00:16:53.1616: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.10.20 port 514 started - CLI initiated



Router(config)#ip ips signature-definition
Router(config-sigdef)#signature 2004 0
Router(config-sigdef-sig)#status
Router(config-sigdef-sig-status)#retired false
Router(config-sigdef-sig-status)#enable true
Router(config-sigdef-sig-status)#exit

Router(config-sigdef-sig)#?
engine Engine
exit Exit from Signature Definition Mode
status Status

Router(config-sigdef-sig)#engin
Router(config-sigdef-sig-engine)#event-action ?
deny-packet-inline Deny Packet
produce-alert Produce Alert
Router(config-sigdef-sig-engine)#event-action produce-alert
Router(config-sigdef-sig-engine)#event-action deny-packet-inline
Router(config-sigdef-sig-engine)#exit
Router(config-sigdef-sig)#exit
Router(config-sigdef)#exit

Do you want to accept these changes? [confirm]
%IPS-6-ENGINE_BUILDS_STARTED:
%IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms




Router#show ip ips all

IPS Signature File Configuration Status
Configured Config Locations: flash:ipsdir
Last signature default load time:
Last signature delta load time:
Last event action (SEAP) load time: -none-

General SEAP Config:
Global Deny Timeout: 3600 seconds
Global Overrides Status: Enabled
Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is enabled

IPS Signature Status
Total Active Signatures: 1
Total Inactive Signatures: 0

IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name iosips
IPS fail closed is disabled
IPS deny-action ips-interface is false
Fastpath ips is enabled
Quick run mode is enabled
Interface Configuration
Interface GigabitEthernet0/1
Inbound IPS rule is not set
Outgoing IPS rule is iosips

IPS Category CLI Configuration:
Category all
Retire: True
Category ios_ips basic
Retire: False


C:\>ipconfig

FastEthernet0 Connection:(default port)

Link-local IPv6 Address.........: FE80::202:16FF:FE76:76AD
IP Address......................: 192.168.10.10
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.10.1

Bluetooth Connection:

Link-local IPv6 Address.........: ::
IP Address......................: 0.0.0.0
Subnet Mask.....................: 0.0.0.0
Default Gateway.................: 0.0.0.0

C:\>ping 192.168.40.10

Pinging 192.168.40.10 with 32 bytes of data:

Reply from 192.168.40.10: bytes=32 time<1ms TTL=125
Reply from 192.168.40.10: bytes=32 time<1ms TTL=125
Reply from 192.168.40.10: bytes=32 time<1ms TTL=125
Reply from 192.168.40.10: bytes=32 time=2ms TTL=125

Ping statistics for 192.168.40.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 0ms

C:\>ipconfig

FastEthernet0 Connection:(default port)

Link-local IPv6 Address.........: FE80::201:43FF:FEBA:6555
IP Address......................: 192.168.40.10
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.40.1

Bluetooth Connection:

Link-local IPv6 Address.........: ::
IP Address......................: 0.0.0.0
Subnet Mask.....................: 0.0.0.0
Default Gateway.................: 0.0.0.0

C:\>ping 192.168.10.10

Pinging 192.168.10.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.10.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>ping 192.168.10.10

Pinging 192.168.10.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.10.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>







Router#
*Mar 01, 00:25:49.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:25:55.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:26:01.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:26:07.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:35.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:41.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:47.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
*Mar 01, 00:27:53.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25
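The eight `%IPS-4-SIGNATURE` lines above are what the syslog server 192.168.10.20 receives, one per blocked echo request (signature 2004 0 is the ICMP echo request signature of the IOS IPS basic category). The following Python script is an added example, not part of the post or of Cisco IOS, that parses such lines and counts hits per source, destination and signature, so that a burst of repeated events becomes one alert. The regular expression follows the message format visible in the post; the sample list reuses the post's own lines and adds one constructed line from a second source plus one non-IPS line to show what gets ignored.

```python
"""Parse and summarise Cisco IOS IPS syslog events (added example).

Message format, as seen in the post:
  %IPS-4-SIGNATURE: Sig:<id> Subsig:<n> Sev:<n> [<src> -> <dst>:<port>] RiskRating:<n>
"""
import re
from collections import Counter

IPS_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"\[(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)\] RiskRating:(?P<rr>\d+)"
)


def parse_ips_event(line: str):
    """Return a dict of the event's fields, or None for lines that are not IPS events."""
    m = IPS_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    for key in ("sig", "subsig", "sev", "port", "rr"):
        event[key] = int(event[key])
    return event


def summarise(lines, min_risk: int = 25, threshold: int = 3) -> dict:
    """Aggregate events with RiskRating >= min_risk by (src, dst, sig) and
    raise one alert per tuple that reached `threshold` hits."""
    events = [e for e in (parse_ips_event(line) for line in lines) if e]
    hits = Counter(
        (e["src"], e["dst"], e["sig"]) for e in events if e["rr"] >= min_risk
    )
    alerts = [
        {"src": src, "dst": dst, "sig": sig, "count": count}
        for (src, dst, sig), count in hits.items()
        if count >= threshold
    ]
    alerts.sort(key=lambda a: a["count"], reverse=True)
    return {"parsed": len(events), "ignored": len(lines) - len(events), "alerts": alerts}


# Sample input: the eight lines from the lab, one non-IPS line from the same
# router log, and one constructed event from a second source (192.168.40.11).
SAMPLE_LOG = [
    "*Mar 01, 00:16:53.1616: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar 01, 00:25:49.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    "*Mar 01, 00:25:55.2525: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    "*Mar 01, 00:26:01.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    "*Mar 01, 00:26:07.2626: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    "*Mar 01, 00:27:35.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    "*Mar 01, 00:27:41.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    "*Mar 01, 00:27:47.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    "*Mar 01, 00:27:53.2727: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.10 -> 192.168.10.10:0] RiskRating:25",
    # constructed line, not from the post:
    "*Mar 01, 00:28:10.2828: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.168.40.11 -> 192.168.10.10:0] RiskRating:25",
]


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(f"parsed {report['parsed']} IPS events, ignored {report['ignored']} other lines")
    for alert in report["alerts"]:
        print(f"ALERT sig {alert['sig']}: {alert['src']} -> {alert['dst']} x{alert['count']}")
```

The `threshold` keeps a single probe from paging anyone while still surfacing the two ping runs from 192.168.40.10 as one alert; the non-IPS `%SYS-5-CONFIG_I` line is counted as ignored rather than failing the parse, which is the behaviour you want when the same syslog host receives everything the router emits.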








