配置路由器使用Cisco AutoSecure

配置路由器使用Cisco AutoSecure
配置路由器使用Cisco AutoSecure 实验过程:R1#auto secure                --- AutoSecure Configuration ---*** AutoSecure configuration enhances the security ofthe router, but it will not make it absolutely resistantto all security attacks ***AutoSecure will modify the configuration of your device.All configuration changes will be shown. For a detailedexplanation of how the configuration changes enhance securityand any possible side effects, please refer to Cisco.com forAutosecure documentation.At any prompt you may enter '?' for help.Use ctrl-c to abort this session at any prompt.Gathering information about the router for AutoSecureIs this router connected to internet? [no]: yesEnter the number of interfaces facing the internet [1]: Interface                  IP-Address      OK? Method Status                ProtocolFastEthernet0/0            unassigned      YES unset  administratively down down    Ethernet1/0                unassigned      YES unset  administratively down down    Ethernet1/1                unassigned      YES unset  administratively down down    Ethernet1/2                unassigned      YES unset  administratively down down    Ethernet1/3                unassigned      YES unset  administratively down down    Enter the interface name that is facing the internet: FastEthernet0/0Securing Management plane services...Disabling service fingerDisabling service padDisabling udp & tcp small serversEnabling service password encryptionEnabling service tcp-keepalives-inEnabling service tcp-keepalives-outDisabling the cdp protocolDisabling the bootp serverDisabling the http serverDisabling the finger serviceDisabling source routingDisabling gratuitous arpHere is a sample Security Banner to be shownat every access to device. Modify it to suit yourenterprise requirements.Authorized Access only  This system is the property of So-&-So-Enterprise.  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.  You must have explicit permission to access this  device. All activities performed on this device  are logged. Any violations of access policy will result  in disciplinary action.Enter the security banner {Put the banner betweenk and k, where k is any character}:k www.norvel.com.cn kEnable secret is either not configured or is the same as enable passwordEnter the new enable secret: Confirm the enable secret : Enter the new enable password: Choose a password that's different from secretEnter the new enable password: % Password too short - must be at least 6 characters. Password configuration failedEnter the new enable password: Confirm the enable password:Configuration of local user databaseEnter the username: suyajuncnEnter the password: Confirm the password: Configuring AAA local authenticationConfiguring Console, Aux and VTY lines forlocal authentication, exec-timeout, and transportSecuring device against Login AttacksConfigure the following parametersBlocking Period when Login Attack detected: Device not secured against 'login attacks'. Configure SSH server? [yes]: yesEnter the domain-name: blog.norvel.com.cnConfiguring interface specific AutoSecure servicesDisabling the following ip services on all interfaces: no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-replyDisabling mop on Ethernet interfacesSecuring Forwarding plane services...Enabling CEF (This might impact the memory requirements for your platform)Enabling unicast rpf on all interfaces connectedto internetConfigure CBAC Firewall feature? [yes/no]: yesThis is the configuration generated:no service fingerno service padno service udp-small-serversno service tcp-small-serversservice password-encryptionservice tcp-keepalives-inservice tcp-keepalives-outno cdp runno ip bootp serverno ip http serverno ip fingerno ip source-routeno ip gratuitous-arpsno ip identdbanner motd ^C www.norvel.com.cn ^Csecurity passwords min-length 6security authentication failure rate 10 logenable secret 5 $1$Bjbb$u54FP6qoSwpVXyBs6PBmY.enable password 7 095F5B10180F021C0802username suyajuncn password 7 0100131D5A0113012242aaa new-modelaaa authentication login local_auth localline con 0 login authentication local_auth exec-timeout 5 0 transport output telnetline aux 0 login authentication local_auth exec-timeout 10 0 transport output telnetline vty 0 4 login authentication local_auth transport input telnetip domain-name blog.norvel.com.cncrypto key generate rsa general-keys modulus 1024ip ssh time-out 60ip ssh authentication-retries 2line vty 0 4 transport input ssh telnetservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezonelogging facility local2logging trap debuggingservice sequence-numberslogging console criticallogging bufferedinterface FastEthernet0/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabledinterface Ethernet1/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabledinterface Ethernet1/1 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabledinterface Ethernet1/2 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabledinterface Ethernet1/3 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabledip cefaccess-list 100 permit udp any any eq bootpcinterface FastEthernet0/0 ip verify unicast source reachable-via rx allow-default 100ip inspect audit-trailip inspect dns-timeout 7ip inspect tcp idle-time 14400ip inspect udp idle-time 1800ip inspect name autosec_inspect cuseeme timeout 3600ip inspect name autosec_inspect ftp timeout 3600ip inspect name autosec_inspect http timeout 3600ip inspect name autosec_inspect rcmd timeout 3600ip inspect name autosec_inspect realaudio timeout 3600ip inspect name autosec_inspect smtp timeout 3600ip inspect name autosec_inspect tftp timeout 30ip inspect name autosec_inspect udp timeout 15ip inspect name autosec_inspect tcp timeout 3600ip access-list extended autosec_firewall_acl permit udp any any eq bootpc deny ip any anyinterface FastEthernet0/0 ip inspect autosec_inspect out ip access-group autosec_firewall_acl in!end Apply this configuration to running-config? [yes]: yesApplying the config generated to running-configThe name for the keys will be: R1.blog.norvel.com.cn% The key modulus size is 1024 bits% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]R1#R1#R1#R1#R1#R1#show runBuilding configuration...Current configuration : 3069 bytes!upgrade fpd autoversion 12.4no service padservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryptionservice sequence-numbers!hostname R1!boot-start-markerboot-end-marker!security authentication failure rate 10 logsecurity passwords min-length 6logging console criticalenable secret 5 $1$Bjbb$u54FP6qoSwpVXyBs6PBmY.enable password 7 095F5B10180F021C0802!         aaa new-model!!aaa authentication login local_auth local!!aaa session-id commonno ip source-routeno ip gratuitous-arpsip cef!!!!no ip bootp serverno ip domain lookupip domain name blog.norvel.com.cnip inspect audit-trailip inspect udp idle-time 1800ip inspect dns-timeout 7ip inspect tcp idle-time 14400ip inspect name autosec_inspect cuseeme timeout 3600ip inspect name autosec_inspect ftp timeout 3600ip inspect name autosec_inspect http timeout 3600ip inspect name autosec_inspect rcmd timeout 3600ip inspect name autosec_inspect realaudio timeout 3600ip inspect name autosec_inspect smtp timeout 3600ip inspect name autosec_inspect tftp timeout 30ip inspect name autosec_inspect udp timeout 15ip inspect name autosec_inspect tcp timeout 3600ip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3!multilink bundle-name authenticated!!       !!username suyajuncn password 7 0100131D5A0113012242archive log config  logging enable  hidekeys! !!!ip ssh time-out 60ip ssh authentication-retries 2!!!!interface FastEthernet0/0 no ip address ip access-group autosec_firewall_acl in ip verify unicast source reachable-via rx allow-default 100 no ip redirects no ip unreachables no ip proxy-arp ip inspect autosec_inspect out shutdown duplex half no mop enabled!interface Ethernet1/0 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex half no mop enabled!interface Ethernet1/1 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex half no mop enabled!interface Ethernet1/2 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex half no mop enabled!interface Ethernet1/3 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex half no mop enabled!ip forward-protocol ndno ip http serverno ip http secure-server!         !!ip access-list extended autosec_firewall_acl permit udp any any eq bootpc deny   ip any any!logging alarm informationallogging trap debugginglogging facility local2access-list 100 permit udp any any eq bootpcno cdp run!!!control-plane!!    !gatekeeper shutdown!banner motd ^C  ^C!line con 0 exec-timeout 5 0 logging synchronous login authentication local_auth transport output telnet stopbits 1line aux 0 login authentication local_auth transport output telnet stopbits 1line vty 0 4 login authentication local_auth transport input telnet ssh!!end          R1# 

推荐阅读

    学习写字楼新选择6000元主流配置

    学习写字楼新选择6000元主流配置,,这种配置需要考虑双核心的办公和娱乐平台,充分考虑办公室的办公需求和娱乐需求,以约6000元的预算和cost-e

    酷睿I7 配置

    酷睿I7 配置,配置,玩家国度啦华硕 Rampage II Extreme(3800元)如果米不够,也可以把Extreme改为Gene,不过是小板内存推荐金士顿6G DDR3 2000骇

    提高3A四核羿龙II游戏配置的性能

    提高3A四核羿龙II游戏配置的性能,,以节能环保为主题的IT产业,目前3A低端平台处理器、主板芯片组、独立开发卡性能突出,特别是在与AMD的处理

    opporeno8参数配置及价格

    opporeno8参数配置及价格,面部,亿元,Oppo的荣誉2020年1月4日,接近屏幕关闭传感器是否支持双卡:支持oppor11splus什么时候上市的Oppo R11S P

    查看配置:酷睿i3530集展示办公平台

    查看配置:酷睿i3530集展示办公平台,,由于时间和精力的关系,我们不可能对所有的配置进行评论,希望我们能理解,我希望我们的评论能在那些需要帮

    3500元超额值学生娱乐结构的优化配置

    3500元超额值学生娱乐结构的优化配置,,作为一个DIY的主流用户领域的学生,每个用户51学生攒机的高峰。因为学生用户没有稳定的收入来源,攒机