Pete's Packet

Limitless


Archive for the ‘Security’ Category

Netflow tools

Posted by Peter Kurdziel on October 27, 2009

Stager is a system for aggregating and presenting network statistics.
Stager is generic and can be customized to present and process any kind
of network statistics. The backend collects data and stores reports in
a database, automatically handling the aggregation of hourly statistics
into days, weeks, and months. The Web frontend presents data in tables,
matrices, or plots. The reports are fully customizable, and their
definitions are stored in an XML file.

http://software.uninett.no/stager/

The nfdump tools collect and process NetFlow data on the command line:
http://nfdump.sourceforge.net/

NfSen is a graphical web-based front end for the nfdump NetFlow tools:
http://nfsen.sourceforge.net/

Posted in Other, Real World, Security

CCIE Security Home Lab with dynamips

Posted by Peter Kurdziel on October 22, 2009

http://inetpro.org/wiki/CCIE_Security_Home_Lab_with_dynamips_&_Co

This page contains configuration examples and information on dynamips.

The examples on this page are intended for use with dynamips, the Cisco router emulator. This information is not intended for use on hardware routers, and is primarily used for troubleshooting, testing, and certification lab study.
Support for Dynamips is found on Hackis_Forum. For other dynamips pages see Category:Dynamips.

Posted in Security

CSS/ASA: can users on the inside access the VIP by its public IP address?

Posted by Peter Kurdziel on October 19, 2009

I’ve an ASA with a DMZ on which the CSS is connected.

Outside users connect to a public IP address which is statically NAT'd to the VIP on the CSS.
All is working well, but the customer wants to be able to use the public IP address (or its public DNS name) from the inside network of the ASA.

If your existing static looks something like this for access from the outside (pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip, so 1.1.1.1 is the public address and 2.2.2.2 is the VIP in the DMZ)...

static (dmz,outside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255

all you have to do is add a second static for the inside interface:

static (dmz,inside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255

Then anyone on the inside going to 1.1.1.1 will be sent to 2.2.2.2 in the DMZ. Because the translation is done on the inside interface, inside hosts can use the same public address (and the same public DNS record) as outside users without the traffic ever touching the outside interface. Note that this is the pre-8.3 NAT syntax; ASA 8.3 and later replaced it with object-based NAT.

Posted in Real World, Security

Day 88 – security

Posted by Peter Kurdziel on June 18, 2009

ACLs

Deny only 100.0.0.2, 100.0.0.4 and 100.0.0.6. Do not drop OSPF adjacencies.
access-list 1 deny 100.0.0.0 0.0.0.6 (wildcard 0.0.0.6 frees bits 2 and 4, so this matches .0, .2, .4 and .6: it denies 100.0.0.0 as well)
access-list 1 permit any

Permit web/ftp/ospf traffic for all users on the 10.1.1.0/24 network (there are web/ftp clients on the 10.1.1.0/24 network (destination)).

ip access-list extended test
remark permits web/ftp/ospf traffic for all users on the 10.1.1.0/24 network
remark these three lines cover user-generated traffic
permit tcp 10.1.1.0 0.0.0.255 any eq www
permit tcp 10.1.1.0 0.0.0.255 any eq ftp
permit tcp 10.1.1.0 0.0.0.255 any eq ftp-data
remark this line covers replies from the web servers on the inside
permit tcp 10.1.1.0 0.0.0.255 eq www any
remark this line is necessary for the FTP server responses since the data ports vary (established matches only packets with ACK or RST set)
permit tcp 10.1.1.0 0.0.0.255 any established
remark permits ospf traffic
permit ospf 10.1.1.0 0.0.0.255 any


Timed ACLs

I couldn't find this one on the doc CD under router configuration. I did, however, find it under the switching section here: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swacl.html

*** The time range relies on the switch system clock; therefore, you need a reliable clock source. Use Network Time Protocol (NTP).


Command / Purpose

Step 1: configure terminal
Enter global configuration mode.

Step 2: time-range time-range-name
Assign a meaningful name (for example, workhours) to the time range to be created, and enter time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter.

Step 3: absolute [start time date] [end time date]
or periodic day-of-the-week hh:mm to [day-of-the-week] hh:mm
or periodic {weekdays | weekend | daily} hh:mm to hh:mm
Specify when the function it will be applied to is operational.
You can use only one absolute statement in the time range. If you configure more than one absolute statement, only the one configured last is executed.
You can enter multiple periodic statements. For example, you could configure different hours for weekdays and weekends.
See the example configurations.

Step 4: end
Return to privileged EXEC mode.

Step 5: show time-range
Verify the time-range configuration.

Step 6: copy running-config startup-config
(Optional) Save your entries in the configuration file.

Repeat the steps if you have multiple items that you want in effect at different times.

To remove a configured time-range limitation, use the no time-range time-range-name global configuration command.

This example shows how to configure time ranges for workhours and to configure January 1, 2006, as a company holiday and to verify your configuration.

Switch(config)# time-range workhours
Switch(config-time-range)# periodic weekdays 8:00 to 12:00
Switch(config-time-range)# periodic weekdays 13:00 to 17:00
Switch(config-time-range)# exit
Switch(config)# time-range new_year_day_2006
Switch(config-time-range)# absolute start 00:00 1 Jan 2006 end 23:59 1 Jan 2006
Switch(config-time-range)# end
Switch# show time-range
time-range entry: new_year_day_2006 (inactive)
absolute start 00:00 01 January 2006 end 23:59 01 January 2006
time-range entry: workhours (inactive)
periodic weekdays 8:00 to 12:00
periodic weekdays 13:00 to 17:00

Another example:

time-range AFTERHOURS
periodic daily 0:00 to 6:59
!
time-range HOLIDAY
absolute start 00:00 4 July 2009 end 23:59 4 July 2009
!
time-range WEB
periodic weekdays 0:00 to 23:59

ip access-list extended AFTERHOURS
deny   udp 150.50.7.0 0.0.0.255 150.50.4.0 0.0.0.255 eq domain time-range AFTERHOURS
deny   tcp 150.50.7.0 0.0.0.255 150.50.4.0 0.0.0.255 eq domain time-range AFTERHOURS
deny   tcp 150.50.7.0 0.0.0.255 150.50.4.0 0.0.0.255 eq smtp time-range AFTERHOURS
deny   tcp 150.50.7.0 0.0.0.255 150.50.4.0 0.0.0.255 eq www time-range AFTERHOURS
permit ip any any

ip access-list extended FILTEROUT
deny   tcp host 150.50.4.100 any eq www time-range WEB
deny   ip 150.50.4.0 0.0.0.255 any time-range HOLIDAY
permit ip any any
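To see what the time-range statements above actually decide, here is an added evaluator (example code, not from the original post or from the Cisco guide it quotes). It parses the periodic and absolute forms shown in the steps table, reports whether a named range is active at a given clock value, and from that whether an ACE carrying time-range NAME is consulted. The sample config is constructed from the ranges on this page plus one range, NIGHTSHIFT, added to show a window that spans midnight and several days; the treatment of a range with no statements as always active is an assumption.

```python
"""Evaluate IOS time-range statements against a clock value.

Added example, not from the original post or the Cisco guide it quotes.
The device decides this with its own clock, hence the NTP note above.
"""
from datetime import datetime, time

DAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
        "friday": 4, "saturday": 5, "sunday": 6}
GROUPS = {"weekdays": range(0, 5), "weekend": (5, 6), "daily": range(7)}

# Constructed sample: the ranges from this page plus NIGHTSHIFT (added here)
CONFIG = """\
time-range workhours
 periodic weekdays 8:00 to 12:00
 periodic weekdays 13:00 to 17:00
time-range new_year_day_2006
 absolute start 00:00 1 Jan 2006 end 23:59 1 Jan 2006
time-range AFTERHOURS
 periodic daily 0:00 to 6:59
time-range HOLIDAY
 absolute start 00:00 4 July 2009 end 23:59 4 July 2009
time-range NIGHTSHIFT
 periodic friday 22:00 to monday 06:00
"""

def _hhmm(s):
    h, m = s.split(":")
    return time(int(h), int(m))

def _segments(day_from, start, day_to, end):
    """Expand `periodic friday 22:00 to monday 06:00` into per-weekday windows."""
    if day_from == day_to:
        return [(day_from, start, end)]
    segs, d = [(day_from, start, time(23, 59))], (day_from + 1) % 7
    while d != day_to:
        segs.append((d, time(0, 0), time(23, 59)))
        d = (d + 1) % 7
    return segs + [(day_to, time(0, 0), end)]

def _absolute(words):
    """'hh:mm d Month yyyy' -> datetime; IOS prints short or full month names."""
    for fmt in ("%H:%M %d %b %Y", "%H:%M %d %B %Y"):
        try:
            return datetime.strptime(" ".join(words), fmt)
        except ValueError:
            pass
    raise ValueError("bad absolute time: " + " ".join(words))

def parse_time_ranges(config):
    """{name: {'periodic': [(weekday, start, end)], 'absolute': (start, end) or None}}"""
    ranges, cur = {}, None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "time-range":
            cur = ranges.setdefault(tok[1], {"periodic": [], "absolute": None})
        elif tok[0] == "periodic" and cur is not None:
            rest, days = tok[1:], []
            while rest[0] in DAYS or rest[0] in GROUPS:      # day names or a group keyword
                days += list(GROUPS.get(rest[0], [DAYS.get(rest[0])]))
                rest.pop(0)
            start, rest = _hhmm(rest[0]), rest[2:]            # rest[1] is the literal 'to'
            if rest[0] in DAYS:                                # window ends on another weekday
                for d in days:
                    cur["periodic"] += _segments(d, start, DAYS[rest[0]], _hhmm(rest[1]))
            else:
                cur["periodic"] += [(d, start, _hhmm(rest[0])) for d in days]
        elif tok[0] == "absolute" and cur is not None:
            s = _absolute(tok[tok.index("start") + 1:tok.index("start") + 5]) if "start" in tok else None
            e = _absolute(tok[tok.index("end") + 1:tok.index("end") + 5]) if "end" in tok else None
            cur["absolute"] = (s, e)                           # last absolute wins, as on IOS
    return ranges

def is_active(ranges, name, when):
    """True when `when` (datetime or 'YYYY-MM-DD HH:MM') lies inside range `name`."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    r = ranges[name]
    if r["absolute"] is not None:                 # periodic windows only count inside the absolute span
        start, end = r["absolute"]
        if (start is not None and when < start) or (end is not None and when > end):
            return False
    if not r["periodic"]:                         # absolute-only (or empty: assumed always active)
        return True
    wd, t = when.weekday(), when.time().replace(second=0, microsecond=0)
    return any(wd == d and s <= t <= e for d, s, e in r["periodic"])

def ace_consulted(ranges, ace, when):
    """An ACE without time-range is always consulted; with one, only while it is active."""
    tok = ace.split()
    return is_active(ranges, tok[tok.index("time-range") + 1], when) if "time-range" in tok else True

if __name__ == "__main__":
    R = parse_time_ranges(CONFIG)
    for name in R:
        print(name, "active" if is_active(R, name, "2009-06-18 09:30") else "inactive")
```

An ACE whose range is inactive is skipped, not inverted, so a packet then falls through to whatever comes next in the list, which is often the implicit deny.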

=============================

Extended IP access list OSPFPIM1023
10 permit ospf host 150.50.7.5 any log
15 deny ospf any any
20 deny pim host 150.50.7.6 any
30 deny tcp 150.50.7.32 0.0.0.31 any gt 1023
40 permit ip any any
=================
R1 <> R2 <> R3
Restrict traffic from R1 to R2 and beyond.

ip access-list extended Trusted
permit ip any any reflect TrustMe
remark this is all we need to establish a peer state.
ip access-list extended Untrusted
permit ospf any any
evaluate Trustme
deny   ip any any log
remark the log keyword lets us monitor what is being denied

Check the names before trusting this: reflexive list names are case-sensitive, and the config above reflects into TrustMe but evaluates Trustme. The show output below lists two reflexive lists, TrustMe (with entries) and Trustme (empty), so the evaluate line matches nothing and return traffic falls through to the deny. Make both lines use the same name.

Reflexive ACL in action after pinging/telnetting from R1 to R5 (untrusted) and a successful telnet from R5 to R1:

R2(config-if)#do sho access-list

Reflexive IP access list TrustMe
permit udp host 150.50.100.2 eq ntp host 200.0.0.8 eq ntp (13 matches) (time left 267)
permit icmp host 150.50.24.2 host 150.50.24.4  (7 matches) (time left 243)
permit udp host 150.50.17.1 eq ntp host 200.0.0.8 eq ntp (3 matches) (time left 121)
permit ospf host 150.50.100.2  host 150.50.100.5  (12 matches) (time left 277)
permit ospf host 224.0.0.5  host 150.50.9.5  (34 matches) (time left 297)
permit ospf host 150.50.100.2  host 150.50.100.6  (13 matches) (time left 295)

Extended IP access list Trusted
10 permit ip any any reflect TrustMe (88 matches)

Reflexive IP access list Trustme
Extended IP access list Untrusted
10 permit ospf any any (14 matches)
20 evaluate Trustme
30 deny ip any any log (8 matches)

——————————
HTTP / SNMP ACL

access-list 2 remark this is for http and snmp ro
access-list 2 permit 150.50.17.0 0.0.0.255
access-list 3 remark this is for SNMP rw
access-list 3 permit 150.50.200.200

snmp-server community ipexpert RO 2
snmp-server community IpExPeRt RW 3

ip http access-class 2

———————
Block the following networks with the fewest ACL lines:
97.150.81.0/24
129.150.17.0/24
129.150.81.0/24
161.150.17.0/24
161.150.81.0/24
193.150.17.0/24
193.150.81.0/24

First octet:
97 =  01100001
129 = 10000001
161 = 10100001
193 = 11000001
^^^ only the three high bits differ; the options are worked out below

Third octet:
17 = 00010001
81 = 01010001
^ only bit 64 differs, so every line can use a wildcard of X.X.64.255 to cover both .17 and .81

2^x, where x is the number of 1 bits in the wildcard mask, is the number of addresses the line matches, so every bit you free doubles what the line catches.

97 needs its own line: it differs from each of the others in more than one bit.
129 and 161 differ in one bit (32): one line with wildcard 32.0.64.255 covers both.
129 and 193 differ in one bit (64): one line with wildcard 64.0.64.255 covers both.
161 and 193 differ in two bits (32 and 64), so freeing both bits also pulls in 129 and 225.

So you have three choices:

Standard IP access list 1
10 deny   129.150.17.0, wildcard bits 32.0.64.255
20 deny   193.150.17.0, wildcard bits 0.0.64.255
30 deny   97.150.81.0, wildcard bits 0.0.0.255
40 permit any

or

Standard IP access list 2
10 deny   129.150.17.0, wildcard bits 64.0.64.255
20 deny   161.150.17.0, wildcard bits 0.0.64.255
30 deny   97.150.81.0, wildcard bits 0.0.0.255
40 permit any

or

Standard IP access list 3
10 deny   129.150.17.0, wildcard bits 96.0.64.255
20 deny   97.150.81.0, wildcard bits 0.0.0.255
30 permit any

Lists 1 and 2 match exactly the seven networks. List 3 is one line shorter because wildcard 96 frees bits 32 and 64 in the first octet, but 2^2 = 4 first-octet values then match (129, 161, 193 and 225), so it also denies 225.150.17.0/24 and 225.150.81.0/24. That is only acceptable if those networks are not in use; check before picking the shortest list.
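The bit arithmetic above can be checked mechanically. The following is an added example (not from the original post) that, given a group of prefixes, computes the single base/wildcard pair covering them all (a 1 bit wherever any two prefixes disagree, plus the host bits), counts how many addresses the line matches (2^x), and enumerates every /24 the line would actually catch, so the over-match of the three-line list is shown rather than guessed at. TARGETS is the list of seven networks from the puzzle.

```python
"""Wildcard-mask aggregation for the ACL puzzle above (added example)."""
import ipaddress
from itertools import product

# The seven /24s the puzzle wants to block.
TARGETS = ["97.150.81.0/24", "129.150.17.0/24", "129.150.81.0/24",
           "161.150.17.0/24", "161.150.81.0/24", "193.150.17.0/24", "193.150.81.0/24"]

def ace_wildcard(prefixes):
    """(base, wildcard) as dotted strings: one ACE line covering every prefix."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    ints = [int(n.network_address) for n in nets]
    differ = 0
    for a in ints:
        differ |= a ^ ints[0]                      # bits on which some prefix disagrees with the first
    host = (1 << (32 - min(n.prefixlen for n in nets))) - 1
    wildcard = differ | host                       # free the differing bits plus the host bits
    base = ints[0] & (~wildcard & 0xFFFFFFFF)      # IOS stores the base with wildcard bits zeroed
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))

def addresses_matched(wildcard):
    """2^x for x one-bits in the wildcard: how many addresses one ACE matches."""
    return 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")

def covered(base, wildcard, prefixlen=24):
    """Every /prefixlen network matched by base/wildcard, as sorted strings."""
    shift = 32 - prefixlen
    b = int(ipaddress.IPv4Address(base)) >> shift
    wc = int(ipaddress.IPv4Address(wildcard)) >> shift
    free = [bit for bit in range(prefixlen) if wc >> bit & 1]
    nets = []
    for combo in product((0, 1), repeat=len(free)):   # every value of the free bits
        v = b & ~wc
        for bit, on in zip(free, combo):
            v |= on << bit
        nets.append(ipaddress.IPv4Network((v << shift, prefixlen)))
    return [str(n) for n in sorted(nets)]

def extra_matches(prefixes, wanted=TARGETS):
    """Networks an ACE covering `prefixes` would also match that are not in `wanted`."""
    base, wc = ace_wildcard(prefixes)
    return [n for n in covered(base, wc) if n not in wanted]

if __name__ == "__main__":
    groups = {
        "list 1, line 10": ["129.150.17.0/24", "161.150.17.0/24", "129.150.81.0/24", "161.150.81.0/24"],
        "list 2, line 10": ["129.150.17.0/24", "193.150.17.0/24", "129.150.81.0/24", "193.150.81.0/24"],
        "list 3, line 10": ["129.150.17.0/24", "161.150.17.0/24", "193.150.17.0/24",
                            "129.150.81.0/24", "161.150.81.0/24", "193.150.81.0/24"],
    }
    for label, group in groups.items():
        base, wc = ace_wildcard(group)
        print(f"{label}: deny {base} {wc} matches {addresses_matched(wc)} addresses,"
              f" extra networks: {extra_matches(group) or 'none'}")
```

The same routine works for any set of prefixes: a non-empty extra_matches result is the sign that a "shorter" ACL is quietly blocking address space nobody asked for.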

———-
**Traffic that is generated by the router is not subject to outbound acl’s.

access-list 166 permit ip any any precedence critical
access-list 166 deny   ip any any

interface Ethernet0/0
ip access-group 166 out

Testing the ACL:
R2(config)#do trace 150.50.7.7

Type escape sequence to abort.
Tracing the route to 150.50.7.7

1 150.50.100.6 28 msec
150.50.100.5 32 msec
150.50.9.5 24 msec
2 150.50.100.6 !A
150.50.7.7 28 msec *

!A means administratively prohibited.

————-

  1. When you apply an ACL outbound on an interface, the ACL acts on traffic flowing through the router. It does not act on traffic that originates in the router.
  2. Every ACL must have at least one permit statement; otherwise the implicit deny at the end blocks all traffic.
  3. Add log to a deny line: the match counters in show access-lists tell you how many times the line was hit, and the log messages tell you who hit it.
  4. Don't forget to account for routing protocols when building ACLs.
  5. When deciding between in and out, use the interface as the point of reference.
  6. A 1 bit in an ACL wildcard mask means you don't care what the value of that bit is.
  7. A 0 bit in an ACL wildcard mask means the bit must match exactly.

Posted in Routing & Switching Lab, Security

site to site vpn

Posted by Peter Kurdziel on April 9, 2009

R1

crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key VPNKEY address 192.168.2.2
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set TS_MD5_TUNNEL esp-3des esp-md5-hmac
crypto ipsec transform-set TS_E3S_TUNNEL esp-3des esp-sha-hmac
!
crypto map CM_VPN 10 ipsec-isakmp
description to R2
set peer 192.168.2.2
set transform-set TS_E3S_TUNNEL
match address VPNACL
qos pre-classify
!
interface Loopback1
ip address 100.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source Loopback1
tunnel destination 10.1.1.1
!
interface Tunnel99
description vpn tunnel to r2
ip unnumbered Loopback1
tunnel source 192.168.10.2
tunnel destination 192.168.2.2
crypto map CM_VPN
!
interface Serial1/0
ip address 192.168.10.2 255.255.255.0
serial restart-delay 0
crypto map CM_VPN
!
router eigrp 10
network 100.1.1.1 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.10.0
no auto-summary
!
ip access-list extended VPNACL
permit gre host 192.168.10.2 host 192.168.2.2
!

==================================

R2

crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key VPNKEY address 192.168.10.2
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set TS_MD5_TUNNEL esp-3des esp-md5-hmac
crypto ipsec transform-set TS_E3S_TUNNEL esp-3des esp-sha-hmac
!
crypto map CM_VPN 10 ipsec-isakmp
description to R1
set peer 192.168.10.2
set transform-set TS_E3S_TUNNEL
match address VPNACL
qos pre-classify
!
interface Loopback1
ip address 200.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.3 255.255.255.0
tunnel source Loopback1
tunnel destination 10.1.1.1
!
interface Tunnel99
description vpn to r1
ip unnumbered Loopback1
tunnel source 192.168.2.2
tunnel destination 192.168.10.2
crypto map CM_VPN
!
interface Serial1/0
ip address 192.168.2.2 255.255.255.0
serial restart-delay 0
crypto map CM_VPN
!
router eigrp 10
network 172.16.1.3 0.0.0.0
network 192.168.2.0
network 200.1.1.1 0.0.0.0
no auto-summary
!
ip access-list extended VPNACL
permit gre host 192.168.2.2 host 192.168.10.2

Notes: VPNACL matches only the GRE traffic between the two serial addresses, so whatever is routed into Tunnel99 is what gets encrypted, and the two VPNACLs are mirror images of each other, as they must be for the SAs to negotiate. The crypto map is applied to both the tunnel and the physical interface, which IOS releases before 12.2(13)T required for GRE over IPsec; on later releases applying it to the physical interface alone is enough. Only TS_E3S_TUNNEL is referenced by the crypto map; TS_MD5_TUNNEL is defined but unused.

Posted in Real World, Security

clear the counters on the ACL

Posted by Peter Kurdziel on March 10, 2009

When troubleshooting a problem with access control lists, one of the things you will want to do is clear the match counters on the ACL.

In Cisco IOS, you can clear the ACL match counters as follows:

Clear Counters on All ACLs

ciscorouter# clear access-list counters

This clears the matches on all the ACLs on the Cisco router or switch.

Clear Counters on Specific ACLs

ciscorouter# clear access-list counters 60

This clears the matches on ACL number 60. You can also use the name of the ACL instead of the ACL number.

To verify the counters are cleared:

ciscorouter# show access-lists

This should show the access list(s) with the counters cleared.

Posted in Routing & Switching Lab, Security

Posted by Peter Kurdziel on January 24, 2009

no service password-recovery (disables the ROMMON break-key recovery; if the enable secret is lost, the only way back in is to erase the startup config)
security passwords min-length 7

enable secret cisco
% Password too short - must be at least 7 characters. Password configuration failed

————————————

service password-encryption

———————————————–

line aux 0
login local
password cisco

——————-

3 failed login attempts, then generate a syslog message:

security authentication failure rate 3 log
———————————————-

Log out the console session after 4 min 30 sec of inactivity:

line con 0
exec-timeout 4 30

might need a wr mem & reload
—————————–

username U2 privilege 2 password 7 070C285F4D06
username U3 privilege 3 password 7 01100F17580455
username admin password 7 094F471A1A0A

privilege interface level 3 shutdown
privilege interface level 3 ip address
privilege interface level 3 ip
privilege configure level 3 interface
privilege exec level 2 traceroute
privilege exec level 2 ping
privilege exec level 3 configure terminal
privilege exec level 3 configure
privilege exec level 2 show ip interface brief
privilege exec level 2 show ip interface
privilege exec level 2 show ip
privilege exec level 2 show interfaces
privilege exec level 2 show

line con 0
login local
———————-
not done on line….

banner motd #
You are connected to $(hostname) on line $(line) on domain $(domain)
#
ip domain-name ccie2be.4me

*Mar  1 00:48:50.483: %SYS-5-CONFIG_I: Configured from console by console
You are connected to R1 on line 0 on domain ccie2be.4me
————————————————————–
Menus (the autocommand drops user U2 straight into the menu at login)

username U2 privilege 15 password 7 030752180500731C1E50
username U2 autocommand menu U2
username admin password 7 060506324F415B49554E

menu U2 title ^C CCIE MENU ^C
menu U2 prompt ^C Please choose an option and press enter^C
menu U2 text 1 Display interfaces and IPs
menu U2 command 1 show ip interface brief
menu U2 options 1 pause
menu U2 text 2 Display ethernet 0/0
menu U2 command 2 show running-config interface e0/0
menu U2 text 3 Logout
menu U2 command 3 logout
menu U2 text 4 Exit out of menu
menu U2 command 4 menu-exit
menu U2 clear-screen
menu U2 line-mode

CCIE MENU

1          Display interfaces and ip’s

2          Display ethernet 0/0

3          Logout

4          Exit out of menu

Please choose an option and press enter
————————————————–

access-list 1 permit host 1.1.1.1
line vty 0
access-class 1 in

Test from R1 (1.1.1.1 is R1's Loopback0):
telnet 10.1.12.2 <- does not work (the session is sourced from the egress interface address, not 1.1.1.1)
telnet 10.1.12.2 /source-interface Loopback0 <- works

Note that the access-class is on vty 0 only. Incoming sessions take the lowest free vty, so a second concurrent session lands on vty 1 with no filter at all; apply the access-class to the whole range (line vty 0 4) unless the task says otherwise.
—————————-

Allow telnet from R1 to R2 and then from R2 on to R4 (4.4.4.4), but nowhere else. On R2, an outbound access-class filters telnet sessions started from R2's own vty lines by destination address:

R2
access-list 2 permit host 4.4.4.4
line vty 0 871
access-class 2 out

R1(config-if)#do telnet 10.1.12.2 /source lo0
Trying 10.1.12.2 … Open

User Access Verification

Password:
R2>telnet 4.4.4.4
Trying 4.4.4.4 … Open

User Access Verification

Password:
R4>ex
——————————-
SSH
crypto key generate rsa usage-keys <- automatically enables SSH (hostname and ip domain-name must be set first, since the key is named after them)

then

aaa new-model
!
aaa authentication login NO-AUTH none
aaa authentication login LOCAL-AUTH local
!
username user1 password 0 cisco

line con 0
exec-timeout 0 0
logging synchronous
login authentication NO-AUTH
line aux 0
login authentication NO-AUTH
line vty 0 4
password cisco
login authentication LOCAL-AUTH
transport input ssh
line vty 5 181
login authentication LOCAL-AUTH
transport input ssh

The NO-AUTH list on con and aux keeps aaa new-model from locking you out of the console. Once LOCAL-AUTH is on the vty lines the line password is ignored and the local username database is used.
——————————————

deny communications between 1.1.1.1 and 4.4.4.4.

r2
access-list 100 deny   ip host 4.4.4.4 host 1.1.1.1
access-list 100 permit ip any any
access-list 101 deny   ip host 1.1.1.1 host 4.4.4.4
access-list 101 permit ip any any

interface Ethernet0/0
ip access-group 101 in

interface Serial1/0.23 point-to-point
ip access-group 100 in
———————————————–

r1 can ping and receive replies from r2. R2 can not ping r1.

access-list 100 deny   icmp host 10.1.12.2 any echo
access-list 100 deny   icmp host 2.2.2.2 any echo
access-list 100 deny   icmp host 10.1.23.2 any echo
access-list 100 permit ip any any
!
interface Ethernet0/0
ip access-group 100 in
—————————————

Suppress ICMP unreachables on s1/0.32:
interface s1/0.32
no ip unreachables
———————–

—————————–

Filter EIGRP (deny it and log the hits, permit everything else)

access-list 101 deny eigrp any any log
access-list 101 permit ip any any

interface Ethernet0/0
ip access-group 101 in

The deny has to come before the permit ip any any: ACLs are evaluated top-down and the first match wins, so with the permit first the deny line is never reached and EIGRP passes unfiltered. The interface must also reference the list that actually holds the filter (101 here).
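The ordering rule is easy to get wrong when typing fast, so here is an added first-match evaluator (example code, not from the original post). It parses numbered standard and extended ACL lines in the form used on this page, walks them top-down the way IOS does with the implicit deny at the end, and keeps per-line counters like show access-lists. Ports are parsed past but not matched, and the packets are (protocol, source, destination) triples constructed for the demo; the EIGRP filter is run in both orders to show why the deny must come first.

```python
"""First-match ACL evaluation, simulated (added example, not from the post)."""
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "ospf", "eigrp", "gre", "pim"}
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}   # keyword -> operand count

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):
    """Parse an address spec at tok[i]: any | host A | A wildcard | A (standard-ACL host)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return (_ip(tok[i]), _ip(tok[i + 1])), i + 2
    return (_ip(tok[i]), 0), i + 1

def _skip_ports(tok, i):
    """Step over `eq www`, `gt 1023`, `range 20 21` after an address (not matched here)."""
    while i < len(tok) and tok[i] in PORT_OPS:
        i += 1 + PORT_OPS[tok[i]]
    return i

def parse_acl(text):
    """Return the ACEs of a numbered ACL, in order, as dicts with a hit counter."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, i = tok[2], 3
        if tok[i] in PROTOCOLS:                      # extended: proto src [ports] dst [ports]
            proto, i = tok[i], i + 1
            src, i = _addr(tok, i)
            dst, i = _addr(tok, _skip_ports(tok, i))
            i = _skip_ports(tok, i)
        else:                                        # standard: source only
            proto = "ip"
            src, i = _addr(tok, i)
            dst = (0, 0xFFFFFFFF)
        aces.append({"action": action, "proto": proto, "src": src, "dst": dst,
                     "log": "log" in tok[i:], "text": " ".join(tok), "hits": 0})
    return aces

def _match(addr, spec):
    base, wc = spec
    return (addr & ~wc) == (base & ~wc)            # 1 bits in the wildcard are "don't care"

def evaluate(aces, proto, src, dst):
    """(action, index of the matching line); index None means the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for idx, ace in enumerate(aces):
        if ace["proto"] in ("ip", proto) and _match(s, ace["src"]) and _match(d, ace["dst"]):
            ace["hits"] += 1                        # first match wins, so we stop here
            return ace["action"], idx
    return "deny", None

def show(aces):
    """Lines in the spirit of `show access-lists`, with match counters."""
    return [f"{a['text']} ({a['hits']} matches)" for a in aces]

if __name__ == "__main__":
    buggy = "access-list 101 permit ip any any\naccess-list 101 deny eigrp any any log"
    fixed = "access-list 101 deny eigrp any any log\naccess-list 101 permit ip any any"
    for label, cfg in (("permit first", buggy), ("deny first", fixed)):
        acl = parse_acl(cfg)
        print(label, evaluate(acl, "eigrp", "10.1.12.2", "224.0.0.10"))   # constructed EIGRP hello
        print("\n".join(show(acl)))
```

Run it and the "permit first" list reports the EIGRP packet permitted by line 0 with the deny at 0 matches, which is exactly what show access-lists would have shown on the router.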
————————————

Filter with MQC (class-map > policy-map > service-policy)

access-list 100 permit tcp any any eq telnet

class-map match-all TELNET
match access-group 100

policy-map TST
class TELNET
set ip precedence 1

interface Ethernet0/0
ip address 10.1.12.1 255.255.255.0
full-duplex
service-policy output TST

——————————–

block precedence 1 on r3 s1/0.32

class-map match-all IP_PREC
match ip precedence 1
!
!
policy-map TEST
class IP_PREC
drop

int s1/0.32
service-policy input TEST
——————————-

access-list 100 permit ospf any any
access-list 100 permit tcp any any established

interface Serial1/0.23 point-to-point
ip access-group 100 in
————————————————

Lock-and-key (dynamic ACL): a user telnets to the router (10.1.23.2), authenticates against the local database, and the autocommand creates a temporary entry for that user's source host; the entry is removed after 2 minutes without traffic (idle timeout).

access-list 100 permit tcp any host 10.1.23.2 eq telnet
access-list 100 permit ospf any any
access-list 100 permit tcp any any established
access-list 100 dynamic TEST permit ip any any

line vty 0 4
password cisco
login local
autocommand access-enable host timeout 2

show access-lists
Extended IP access list 100
10 permit tcp any host 10.1.23.2 eq telnet (171 matches)
20 permit ospf any any (10 matches)
30 permit tcp any any established
40 Dynamic TEST permit ip any any
50 permit ip host 10.1.34.4 any (5 matches) (time left 115)

Line 50 is the temporary entry created for host 10.1.34.4 after it authenticated; time left counts down the idle timeout.
——————————————————————–

The same thing with an absolute timeout of 3 minutes on the dynamic entry (timeout 3 on the dynamic line), plus a rotary group so users can authenticate on TCP port 3005 (3000 + rotary 5) instead of the normal telnet port, which ACL 100 therefore has to permit:

access-list 100 permit tcp any host 10.1.23.2 eq telnet
access-list 100 permit ospf any any
access-list 100 permit tcp any any established
access-list 100 dynamic TEST timeout 3 permit ip any any
access-list 100 permit tcp any any eq 3005

line vty 0 4
password cisco
login local
autocommand access-enable host
line vty 5 870
login local
autocommand access-enable host
line vty 871
login local
rotary 5
autocommand access-enable host
———————————————–

ip access-list extended inbound
permit ospf any any
evaluate TEST

ip access-list extended outbound
permit tcp any any eq www reflect TEST
permit tcp any any eq telnet reflect TEST
permit tcp any any eq 69 reflect TEST
permit ospf any any

interface Serial1/0.23 point-to-point
ip address 10.1.23.2 255.255.255.0
ip access-group inbound in
ip access-group outbound out

————————————-

ip access-list extended outbound
permit tcp any any eq www reflect TEST timeout 120
permit tcp any any eq telnet reflect TEST timeout 60
permit tcp any any eq 69 reflect TEST timeout 30
permit icmp any any reflect TEST timeout 10
permit udp any any eq 53 reflect TEST timeout 10
permit ospf any any

interface Serial1/0.23 point-to-point
ip address 10.1.23.2 255.255.255.0
ip access-group inbound in
ip access-group outbound out
——————————-

All reflexive ACLs idle out after 120 seconds (the IOS global default is 300 seconds; a timeout on an individual reflect line overrides this global value):
ip reflexive-list timeout 120
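What the reflect and evaluate keywords do, in the Day 88 Trusted/Untrusted example further up and in the inbound/outbound pair above, is simulated in the following added example (not from the original post). An outbound packet that hits a reflect line creates a mirrored temporary entry (addresses and ports swapped) in the named list; inbound packets match evaluate only if such an entry exists and has not idled out, and each match restarts the idle timer. Times are seconds on a hand-stepped clock so expiry can be watched; the sample flows are constructed from addresses on this page. FIN/RST-triggered removal of TCP entries is not modelled.

```python
"""Reflexive ACL behaviour, simulated (added example, not from the post)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: Optional[int]      # None for protocols without ports (icmp, ospf)
    dst: str
    dport: Optional[int]

    def mirror(self):
        """The entry IOS reflects: addresses and ports swapped, same protocol."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

    def ace(self):
        def end(addr, port):
            return f"host {addr}" + (f" eq {port}" if port is not None else "")
        return f"permit {self.proto} {end(self.src, self.sport)} {end(self.dst, self.dport)}"

class ReflexiveList:
    """One named reflexive list, e.g. `reflect TEST` / `evaluate TEST`."""

    def __init__(self, name, default_timeout=300):     # 300 s is the IOS global default
        self.name = name
        self.default_timeout = default_timeout
        self.entries = {}                               # mirrored Flow -> [expiry, idle timeout]

    def _purge(self, now):
        self.entries = {f: e for f, e in self.entries.items() if e[0] > now}

    def reflect(self, flow, now, timeout=None):
        """An outbound packet matched `permit ... reflect NAME [timeout N]`."""
        self._purge(now)
        idle = timeout if timeout is not None else self.default_timeout
        self.entries[flow.mirror()] = [now + idle, idle]

    def evaluate(self, flow, now):
        """`evaluate NAME` on the inbound ACL: a match also restarts the idle timer."""
        self._purge(now)
        entry = self.entries.get(flow)
        if entry is None:
            return False
        entry[0] = now + entry[1]
        return True

    def show(self, now):
        """`show access-lists` style lines for the list, including the time left."""
        self._purge(now)
        return [f"{f.ace()} (time left {int(exp - now)})" for f, (exp, _) in self.entries.items()]

if __name__ == "__main__":
    rl = ReflexiveList("TEST", default_timeout=120)
    telnet = Flow("tcp", "10.1.23.2", 11001, "10.1.34.4", 23)      # constructed outbound session
    rl.reflect(telnet, now=0, timeout=60)                          # matched the telnet reflect line
    print(rl.evaluate(telnet.mirror(), now=10))                     # reply comes back: True
    print(rl.evaluate(Flow("tcp", "10.1.34.4", 1025, "10.1.23.2", 23), now=10))   # new inbound: False
    print("\n".join(rl.show(now=10)))
    print(rl.evaluate(telnet.mirror(), now=100))                    # idled out: False
```

The unsolicited inbound telnet in the demo is the case the Untrusted ACL is there to stop: no outbound packet ever created a matching entry, so evaluate finds nothing and the packet falls to deny ip any any log.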
——————————–

time-range WEEKDAYS
periodic weekdays 0:00 to 23:59
!
interface Ethernet0/0
ip address 10.1.12.1 255.255.255.0
ip access-group 100 out

access-list 100 permit tcp any any eq www time-range WEEKDAYS

While the time range is inactive the ACE is skipped, not turned into a deny: the packet falls through to whatever follows, here the implicit deny. So this ACL passes only www, and only on weekdays; everything else, and everything on the weekend, is dropped (router-originated traffic excepted, as always for an outbound ACL).
——————-

Internet (www) on weekends only

time-range WEEKENDS
periodic weekend 0:00 to 23:59

access-list 100 permit tcp any any eq www time-range WEEKENDS

interface Ethernet0/0
ip access-group 100 out
—————————————
CBAC
TCP, UDP and ICMP inspection. Traffic initiated from the inside is allowed back in: e0/1 faces the outside, ACL 100 inbound on it permits only RIP and logs everything else, and inspecting the traffic going out e0/1 punches temporary openings in that ACL for the return traffic of each inspected session.

access-list 100 permit udp any any eq rip
access-list 100 deny   ip any any log

ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw icmp

interface Ethernet0/1
ip access-group 100 in
ip inspect fw out
————————————-

access-list 100 permit ip 10.1.123.0 0.0.0.255 any
access-list 101 permit icmp any host 10.1.123.3
access-list 101 permit tcp any host 10.1.123.3 eq telnet

ip inspect name OUT tcp
ip inspect name OUT udp
ip inspect name OUT icmp

interface Ethernet0/0
ip access-group 100 in
ip inspect OUT in

!
interface Ethernet0/1
ip access-group 101 in

show ip inspect sessions
—————————

ip inspect log drop-pkt
ip inspect max-incomplete high 800
ip inspect max-incomplete low 600
ip inspect one-minute high 800
ip inspect one-minute low 600
ip inspect tcp idle-time 8
ip inspect tcp finwait-time 8
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 80 block-time 8
ip inspect name OUT udp
ip inspect name OUT icmp
no ip ips deny-action ips-interface

do show ip inspect config
Dropped packet logging is enabled
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [600:800] connections
max-incomplete sessions thresholds are [600:800]
max-incomplete tcp connections per host is 80. Block-time 8 minutes.
tcp synwait-time is 20 sec — tcp finwait-time is 8 sec
tcp idle-time is 8 sec — udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name OUT
udp alert is on audit-trail is off timeout 30
icmp alert is on audit-trail is off timeout 10

—————————

CBAC & Java blocking

ip inspect name FW http java-list 1 alert on audit-trail on
ip inspect name FW smtp
ip inspect name FW h323

java-list 1 names the standard ACL of "friendly" sites (4.4.4.0/24 below) whose Java applets are allowed through; applets in HTTP responses from any other server are blocked.

!
interface Ethernet0/1
ip address 10.1.14.1 255.255.255.0
ip access-group 100 in
ip inspect FW out

access-list 1 permit 4.4.4.0 0.0.0.255
access-list 100 permit icmp any any
access-list 100 permit udp any any eq rip
————————————————-

Router with 3 interfaces: inside, outside and DMZ

ip inspect name OUT tcp
ip inspect name OUT udp
ip inspect name OUT icmp
ip inspect name OUT-DMZ tcp

interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
ip inspect OUT in

access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any 10.2.2.0 0.0.0.255
access-list 101 permit tcp any 10.2.2.0 0.0.0.255 eq www
access-list 102 permit icmp 10.1.2.0 0.0.0.255 any
access-list 103 permit icmp any 10.1.2.0 0.0.0.255
access-list 103 permit tcp any 10.2.2.0 0.0.0.255 eq www

int e0/1
ip access-group 102 in
ip access-group 103 out
—————————————————————–
R1(config)# do sho ip port-map http
Default mapping:  http                 tcp port 80                         system defined

ip port-map http port tcp 8000 list 1
ip port-map http port tcp 8080 list 2
access-list 1 permit 10.1.1.3
access-list 2 permit 10.1.1.4

do show ip port-map http
Default mapping:  http                 tcp port 80                         system defined
Host specific:    http                 tcp port 8000           in list 1   user defined
Host specific:    http                 tcp port 8080           in list 2   user defined

————————————————

Code Red (NBAR URL matching)

class-map match-any CODERED
match protocol http url "*cmd.exe*"
match protocol http url "*.ida*"
match protocol http url "*root.exe*"
match protocol http url "*readme.eml*"

policy-map NOCODERED
class CODERED
set ip precedence 4

interface Ethernet0/0
ip address 10.6.6.6 255.255.255.0
ip access-group 100 out

interface Serial1/0.64 point-to-point
ip address 10.1.46.6 255.255.255.0
frame-relay interface-dlci 604
service-policy input NOCODERED

access-list 100 deny   ip any any precedence flash-override
access-list 100 permit ip any any

Matching requests are marked with precedence 4 (flash-override) as they come in on the frame relay subinterface, and ACL 100 then drops anything carrying that precedence on the way out e0/0. This only works if nothing legitimate already arrives with precedence 4 on that path, since the ACL cannot tell the two apart.

Posted in Routing & Switching Lab, Security

 