Cisco IOS

Initial Checklist:
1. Reconfigure Passwords
2. Encrypt Passwords
3. Change Banner/motd
4. Backup Config
5. Turn off HTTP/HTTPS/SNMP
6. Turn off default usernames
7. Turn off finger
8. Turn off DNS Lookup
9. Turn off CDP
10. Turn off Bootp
11. Create ACL
12. Backup Config

Defaults to Change

Encrypt the Password on Config:

service password-encryption

Change Default username:

router# conf t
router(config)# username YOUR_NEW_USER password YOUR_NEW_PASSWORD
router(config)# enable secret YOUR_NEW_SECRET_PASSWORD
router(config)# no username OLD_USER
#"username ... secret" stores a one-way hash; "password" only gets the reversible type 7 encoding from service password-encryption

Disable telnet:

CiscoDevice(config)# line vty 0 15 
CiscoDevice(config-line)# transport input none 

Disable DNS Lookup:

no ip domain-lookup

Disable CDP:

no cdp run

Show line numbers on configs:

service linenumber

Turn off default servers:

no snmp-server
no ip http server
no ip http secure-server
no ip bootp server
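As an added example (not part of the original checklist), a small Python audit that reads a saved running-config and reports which of the items above are still missing or still enabled. It assumes the command spellings used on this page; IOS releases differ (some print `no ip domain lookup` without a hyphen), so extend the lists for your platform. A VTY line with no `transport input` at all keeps the platform default, which may include telnet, so that also counts as a finding.

```python
# Constructed running-config excerpt for the example (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
ip domain-lookup
ip http server
cdp run
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
line aux 0
 transport input none
"""

# Expected commands, spelled as on this page (IOS releases vary; extend as needed).
REQUIRED_GLOBAL = ["service password-encryption", "no ip domain-lookup",
                   "no cdp run", "no ip http server", "no ip http secure-server"]
# A line starting with one of these means the service is still enabled.
FORBIDDEN_PREFIX = ["snmp-server", "ip http server", "cdp run", "ip domain-lookup"]

def parse_lines(config):
    """Map each 'line ...' block (vty, aux, con) to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    stripped = [l.strip() for l in config.splitlines()]
    for cmd in REQUIRED_GLOBAL:
        if cmd not in stripped:
            findings.append(f"missing global command: {cmd}")
    for cmd in stripped:
        if any(cmd.startswith(p) for p in FORBIDDEN_PREFIX):
            findings.append(f"service still enabled: {cmd}")
    for name, cmds in parse_lines(config).items():
        transport = [c for c in cmds if c.startswith("transport input")]
        if name.startswith("line vty") and transport[:1] not in (["transport input ssh"], ["transport input none"]):
            findings.append(f"{name}: telnet not disabled")
        if name.startswith("line aux") and "transport input none" not in cmds:
            findings.append(f"{name}: not disabled")
    return findings
```

Run it against the output of `show running-config` saved to a file; each finding maps back to one item of the checklist above.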

Logging Changes

Default Logging Changes:

no logging console
no logging monitor
logging trap 6
logging buffered 4096 6
clock timezone EST -5
service timestamps log datetime msec localtime show-timezone

Send logs to a syslog server:

logging <IP>
logging source-interface <INTERFACE>

Monitoring SPAN Port

Setting up a monitoring (SPAN) port:

#Set the source (both directions, or tx/rx only)
monitor session 1 source interface <INTERFACE> both
monitor session 2 source interface <INTERFACE> tx
monitor session 3 source interface <INTERFACE> rx
#Set the destination
monitor session 1 destination interface <INTERFACE>

SSH

Enable secure SSH (the domain name must exist before the key is generated):

ip domain-name mycompany.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3

#Set SSH ACL
ip access-list extended ssh-inbound
permit tcp 172.24.X.0 0.0.0.255 any eq 22
permit tcp 192.168.14.0 0.0.0.255 any eq 22
permit tcp 192.168.32.0 0.0.0.255 any eq 22
deny ip any any log

#Allow SSH only from the ACL on the first two VTY lines, and disable the rest
line vty 0 1
access-class ssh-inbound in
session-limit 2
login authentication default
transport input ssh
transport output ssh
transport preferred none
line vty 2 4
login authentication default
transport input none
transport output none
transport preferred none

Hardened Security

Disable AUX port:

line aux 0
transport input none
transport output none
no exec
exec-timeout 0 1
login authentication default

Require Console port login:

line con 0 
login authentication default

BGP

Enable BGP:

router bgp <64496|autonomous-system-number>
address-family ipv4 unicast
network 192.0.2.0

Configure BGP Neighbors:

neighbor <192.0.2.1|IP|Group Name> remote-as 64497

Reset BGP Connections:

clear ip bgp <address>
clear ip bgp *

Disable BGP:

no router bgp <64496|autonomous-system-number>

DHCP

Setup DHCPv4:

ip dhcp pool <NAME>
network 10.1.1.0 /24
default-router 10.4.4.1
dns-server 4.2.2.2
lease infinite

Setup DHCPv6:

ipv6 dhcp pool <NAME>
dns-server <fe80::1ff:fe23:4567:890a>
domain-name <domain>
interface <TYPE/NUMBER>
ipv6 dhcp server <NAME>
ipv6 nd other-config-flag
exit
ip name-server <fe80::1ff:fe23:4567:890a>

ACL for IPv6:

interface <Interface>
ipv6 traffic-filter <access-list-name> {in|out}

Setup Dual Stack:

conf t
ipv6 unicast-routing
int <fa0/0>
ip address <192.168.10.1|IP> <255.255.255.0|Subnet>
ipv6 address 3ffe:b00:c18:1::3/127

VLANs

VLANs Setup:

#Group Physical Interfaces (access ports: skip STP listening/learning, shut the port if a BPDU arrives)
int range fastEthernet 0/1-10
spanning-tree portfast
spanning-tree bpduguard enable

Create Vlans:

vlan 14
name 192.168.14.0/24_SERVERS
vlan 32
name 192.168.32.0/24_WORKSTATIONS
vlan 500
name bogus_native

Add Servers to VLAN:

interface <fastEthernet 0/1>
switchport mode access
switchport access vlan 14

Add Workstations to VLAN:

interface <fastEthernet 0/5>
switchport mode access
switchport access vlan 32

Add Connection to router:

interface <fastEthernet 0/1>
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 500
switchport trunk allowed vlan remove 500

Setup Router for VLANs:

interface <fastEthernet 0/1>
no ip address
exit
#Setup VLAN 14
int <fa0/1.14>
encapsulation dot1q 14
ip address 192.168.14.1 255.255.255.0
#Setup VLAN 32
int <fa0/1.32>
encapsulation dot1q 32
ip address 192.168.32.1 255.255.255.0
exit
#Setup Default VLAN
int <fa0/1.1>
encapsulation dot1q 1 native
ip address 192.168.1.1 255.255.255.0
exit

Finalize the Settings:

ip default-gateway 192.168.32.1
int vlan 32
ip address 192.168.32.2 255.255.255.0
no shut

NAT/PAT

Define the inside networks (both VLANs) that are allowed to be translated:

ip access-list standard NAT-ACL
permit 192.168.14.0 0.0.0.255
permit 192.168.32.0 0.0.0.255

#Create External NAT
ip nat pool NET-POOL 172.24.X.1 172.24.X.254 prefix-length 24
ip nat inside source list NAT-ACL pool NET-POOL

#Connect Internal and External NAT
ip nat inside source static tcp 192.168.14.10 25 172.24.X.7 25
ip nat inside source static tcp 192.168.14.10 110 172.24.X.7 110
ip nat inside source static tcp 192.168.14.10 53 172.24.X.7 53
#Second Server
ip nat inside source static tcp 192.168.14.12 80 172.24.X.25 80
ip nat inside source static tcp 192.168.14.12 443 172.24.X.25 443
#Third Server
ip nat inside source static tcp 192.168.14.13 80 172.24.X.15 80
ip nat inside source static tcp 192.168.14.13 443 172.24.X.15 443

#Set interfaces to NATs
interface <WAN>
ip nat outside
interface <SUBINTERFACE>
ip nat inside

Recovery

Send a Break (Alt+B in some terminal emulators) during boot to enter ROMMON mode.

Reset Router Password:

confreg 0x2142
reset
copy start run
conf t
enable secret <NEW_PASSWORD>
config-register 0x2102
end
copy run start
reload

Reset Switch Password:

flash_init
load_helper
dir flash:
rename flash:config.text flash:config.old
boot 
write memory

Restore from TFTP:

IP_ADDRESS=192.168.20.1
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=192.168.20.254
TFTP_SERVER=192.168.20.254
TFTP_FILE=c1841-ipbase-mz.123-14.T7.bin
tftpdnld

ACL Examples

Default ACL:

ip access-list extended NET-IN-ACL

#Bogon, loopback, documentation, multicast and broadcast sources
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny ip host 255.255.255.255 any log
deny ip host 0.0.0.0 any log

#Our own external and internal ranges must never arrive from outside
deny ip 172.24.X.0 0.0.0.255 any log
deny ip 192.168.0.0 0.0.255.255 any log

deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
deny ip any any fragments

permit tcp host <BGP Peer IP> host <WAN IP> eq bgp
permit tcp host <BGP Peer IP> eq bgp host <WAN IP>
deny ip any host <WAN IP> log

deny ip 192.168.14.0 0.0.0.255 any log
deny ip 192.168.32.0 0.0.0.255 any log

deny icmp any any

#Introspection on Packets
permit udp any eq domain host 172.24.X.7 gt 1023
permit udp any eq domain host 172.24.X.7 eq domain
permit tcp any 172.24.X.0 0.0.0.255 established
permit udp any range 1 1023 172.24.X.0 0.0.0.255 gt 1023
evaluate EGRESS-REF

#External Services
#DNS
permit udp any gt 1023 host 172.24.X.7 eq domain
deny udp any any eq domain
deny tcp any any eq domain

#Mail
permit tcp any host 172.24.X.7 eq smtp
permit tcp any host 172.24.X.7 eq pop3

#HTTP
permit tcp any host 172.24.X.15 eq www
permit tcp any host 172.24.X.15 eq 443
permit tcp any host 172.24.X.25 eq www
permit tcp any host 172.24.X.25 eq 443

deny ip any any
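The ACL above is evaluated top down, first match wins, and every address is compared through a wildcard mask (1 bits are ignored, 0 bits must match). The Python below, added here and not part of the original page, parses a constructed subset of NET-IN-ACL (with the 172.24.X.0 placeholder filled in as 172.24.24.0) and reports which entry a given packet hits, so an ordering or mask mistake can be checked before it goes on a device.

```python
import ipaddress

PORT_NAMES = {"domain": 53, "smtp": 25, "pop3": 110, "www": 80, "bgp": 179}
# Constructed subset of NET-IN-ACL above; the page's 172.24.X.0 placeholder is filled in as 172.24.24.0.
NET_IN_ACL = [
    "deny ip 127.0.0.0 0.255.255.255 any log",
    "deny ip 224.0.0.0 31.255.255.255 any log",
    "deny ip 172.24.24.0 0.0.0.255 any log",
    "deny ip 192.168.0.0 0.0.255.255 any log",
    "permit udp any gt 1023 host 172.24.24.7 eq domain",
    "permit tcp any host 172.24.24.7 eq smtp",
    "permit tcp any host 172.24.24.15 eq www",
    "deny ip any any",
]

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' from tokens; return (base, wildcard) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _port(tokens):
    """Consume an optional eq/gt/lt/range operator; return a predicate over a port number."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "range"):
        return lambda p: True
    op = tokens.pop(0)
    n = 2 if op == "range" else 1
    args = [int(PORT_NAMES.get(a, a)) for a in tokens[:n]]  # names like 'domain' become numbers
    del tokens[:n]
    return {"eq": lambda p: p == args[0], "gt": lambda p: p > args[0],
            "lt": lambda p: p < args[0], "range": lambda p: args[0] <= p <= args[1]}[op]

def parse_ace(line):
    """Split one ACE into (action, proto, src, sport_pred, dst, dport_pred)."""
    action, proto, *rest = line.split()
    return action, proto, _addr(rest), _port(rest), _addr(rest), _port(rest)

def _match(spec, addr):
    # Wildcard-mask match: 1 bits in the mask are "don't care", 0 bits must be equal.
    return ((int(ipaddress.IPv4Address(addr)) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0

def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, ace) from the first matching entry; IOS stops at the first match."""
    for line in acl:
        action, p, s, sp, d, dp = parse_ace(line)
        if p in ("ip", proto) and _match(s, src) and sp(sport) and _match(d, dst) and dp(dport):
            return action, line
    return "deny", "implicit deny"
```

Trailing keywords such as `log` and `established` are ignored by the parser, so TCP state is not modelled; the point is address and port matching order.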

Add a site to a blocklist:

access-list 101 deny tcp any host www.badsite.com eq www

IOS resolves the hostname once, when the line is entered (DNS lookup must be enabled at that moment), and stores the resulting IP address in the ACL, so the entry does not follow later DNS changes.