I didn't have time for any of the security tasks in Mock Lab 1. There were 3 for a total of 9 points. Again, the lab sessions run 7:45 and I had to load initial configs and eat dinner! Had I been able to use the full 8 hours, I am sure I would have gotten 1 or 2 of these tasks.
Here is the gist of the first security task, 9.1:
R9 should accept telnet on port 3005.
It should not allow telnet on port 23.
Configure a local user cisco with password of cisco and privilege level 15.
Telnet should require a login, but console access should not.
I am going to use R5 as an example since I already have it up in Dynamips. First, to allow telnet on port 3005 use the rotary command:
R5(config)#username cisco privilege 15 password cisco
R5(config)#line vty 5
R5(config-line)#rotary 5
R5(config-line)#login local
Next we create an ACL to block telnet to port 23:
R5(config)#access-list 101 deny tcp any any eq telnet
R5(config)#access-list 101 permit ip any any
R5(config)#line vty 0 ?
<1-935> Last Line number
R5(config)#line vty 0 935
R5(config-line)#access-class 101 in
Let's try from R4:
R4#telnet 141.141.45.5
Trying 141.141.45.5 ...
% Connection refused by remote host
R4#telnet 141.141.45.5 3005
Trying 141.141.45.5, 3005 ... Open
User Access Verification
Username: cisco
Password:
R5#
Now we have already satisfied the last requirement, right? "Telnet should require a login, but console access should not." But for some reason the proctor guide goes a step further and creates an AAA login method list for the VTY while the console uses the default. Here's what they have:
R5(config)#aaa new-model
R5(config)#aaa authentication login VTY local
R5(config)#aaa authentication login default none
R5(config)#line vty 5
R5(config-line)#login authentication VTY
The first command enables the AAA command set on the router. The second command defines a login method list called VTY; note that this list is not used anywhere until it is applied to a line in the last command. The third command sets the default login method list to "none", meaning no authentication. The default list applies to the console, and also to every other line that does not name its own list with login authentication, so in this configuration only vty 5 (the line the rotary lands on) actually authenticates against the local database.
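To check a configuration like the one above without a router, here is a small audit script. It is an added example written for this post, not the author's lab code and not a Cisco tool: it parses a constructed show run style rendering of the final R5 configuration (IOS collapses vty lines with identical settings into ranges, which is why vty 0 4, vty 5 and vty 6 935 appear as separate blocks) and checks each task 9.1 requirement. It also resolves which login method list each line really ends up with, which surfaces the point that the "default none" list covers every vty line except the one explicitly given the VTY list. The ACL numbers, list names and line layout are taken from the post; the parsing rules and the assumption that an undefined referenced list yields no usable method are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the end state of the post's R5 configuration as 'show run' would
# render it. Not captured from a real device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTY local
aaa authentication login default none
username cisco privilege 15 password cisco
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
line con 0
line vty 0 4
 access-class 101 in
line vty 5
 access-class 101 in
 rotary 5
 login authentication VTY
line vty 6 935
 access-class 101 in
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global commands and 'line ...' blocks (name -> child commands)."""
    global_cmds: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        global_cmds.append(cmd)
        current = cmd[5:] if cmd.startswith("line ") else None
        if current is not None:
            blocks[current] = []
    return global_cmds, blocks


def aaa_login_lists(global_cmds: List[str]) -> Dict[str, List[str]]:
    """Collect 'aaa authentication login <name> <methods...>' into {name: [methods]}."""
    lists: Dict[str, List[str]] = {}
    for cmd in global_cmds:
        m = re.match(r"aaa authentication login (\S+) (.+)$", cmd)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def login_methods(cmds: List[str], aaa_enabled: bool, lists: Dict[str, List[str]]) -> List[str]:
    """Resolve the authentication methods a line really gets.

    With 'aaa new-model' the line's own 'login authentication <list>' wins, otherwise the
    'default' list applies (IOS falls back to the local database if none is defined).
    Without AAA the classic 'login' / 'login local' line commands decide."""
    if aaa_enabled:
        for cmd in cmds:
            m = re.match(r"login authentication (\S+)$", cmd)
            if m:
                return lists.get(m.group(1), [])   # [] = references an undefined list (assumption)
        return lists.get("default", ["local"])
    if "login local" in cmds:
        return ["local"]
    if "login" in cmds:
        return ["line"]                            # line password
    return ["none"]


def audit(text: str) -> Dict[str, object]:
    """Check the task 9.1 requirements and list any vty line left without authentication."""
    global_cmds, blocks = parse_config(text)
    aaa = "aaa new-model" in global_cmds
    lists = aaa_login_lists(global_cmds)
    blocking_acls = set()                          # numbered ACLs that deny TCP/23
    for cmd in global_cmds:
        m = re.match(r"access-list (\d+) deny tcp any any eq (telnet|23)$", cmd)
        if m:
            blocking_acls.add(m.group(1))
    vty = {name: cmds for name, cmds in blocks.items() if name.startswith("vty ")}

    def acl_applied(cmds: List[str]) -> bool:
        return any(re.match(r"access-class (\d+) in$", c) and c.split()[1] in blocking_acls for c in cmds)

    def requires_login(cmds: List[str]) -> bool:
        methods = login_methods(cmds, aaa, lists)
        return bool(methods) and "none" not in methods

    rotary_lines = [n for n, c in vty.items() if "rotary 5" in c]
    return {
        "user_priv15": any(re.match(r"username cisco privilege 15 (password|secret) ", c) for c in global_cmds),
        "rotary_3005": bool(rotary_lines),
        "port23_blocked": bool(vty) and all(acl_applied(c) for c in vty.values()),
        "rotary_login_required": bool(rotary_lines) and all(requires_login(vty[n]) for n in rotary_lines),
        "console_no_login": login_methods(blocks.get("con 0", []), aaa, lists) == ["none"],
        # Lines inheriting 'default none' answer without credentials if anything can reach them
        "unauthenticated_vty": sorted(n for n, c in vty.items() if not requires_login(c)),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key:>22}: {value}")
```

Run as-is it reports every requirement satisfied, and lists vty 0 4 and vty 6 935 as unauthenticated: the access-class keeps them unreachable over port 23 today, but anything that later opens another path to those lines (another rotary, SSH) would land on the "none" list, which is the reason to apply a real list to every vty range rather than just the rotary line.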