Cisco Security Configs Switch and Firewall Cisco ACS AAA templates

1. 802.1X configuration, switch side, including Multi-Domain Authentication (MDA) and MAC Authentication Bypass (MAB).

aaa new-model
dot1x system-auth-control
aaa group server radius dot1x
server-private 10.10.10.10 auth-port 1645 acct-port 1646 key cisco123

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group dot1x
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

aaa authorization network default group radius

interface Vlan217
ip address 172.24.117.20 255.255.255.0

tacacs-server host 172.22.138.150
tacacs-server directed-request
tacacs-server key cisco123
radius-server host 172.22.138.150 auth-port 1812 acct-port 1813 key cisco123
radius-server key cisco123


!
aaa session-id common

line con 0
line vty 0 4
password a
line vty 5 15

Interface configuration for wired 802.1X access

interface FastEthernet1/0/1
switchport access vlan 110
switchport mode access
switchport voice vlan 217
speed 100
duplex full
authentication host-mode multi-domain
authentication priority mab dot1x
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
spanning-tree portfast

2. Cisco TACACS+ switch template configuration example

The configuration below works on any Cisco switch running an IOS release higher than 11.x. It configures a TACACS+ server for user authentication on the console and for the SSH and Telnet protocols.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
tacacs-server host 172.24.10.250
tacacs-server directed-request
tacacs-server key test
ip access-list standard VTY-ACCESS
remark VTY ACCESS
permit 172.24.0.0 0.0.255.255
deny any log
line con 0
exec-timeout 5 0
transport output telnet
stopbits 1
line vty 0 4
access-class VTY-ACCESS in
exec-timeout 5 0
transport input telnet
transport output telnet
line vty 5 15
transport input none
transport output none
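Both templates above (the 802.1X/MAB interface in section 1 and the TACACS+ and VTY settings in section 2) are easy to get subtly wrong, so here is an added Python audit, not code from the page or from Cisco, that parses an IOS-style running configuration and reports the gaps a reviewer would flag: missing `aaa new-model` or `dot1x system-auth-control`, no local fallback in the login method list, no command accounting, 802.1X ports without `authentication port-control auto`, voice VLANs without multi-domain host mode, and VTY lines that lack an access-class or exec-timeout or still accept Telnet. `SAMPLE_CONFIG`, `parse_config` and `audit` are names chosen for this example; the sample is constructed from the page's own lines, with a second interface (FastEthernet1/0/2) added that deliberately omits port control.

```python
"""Audit of the IOS 802.1X and TACACS+ templates from sections 1 and 2.

Added example, not part of the original page or of any Cisco tool: it
splits an IOS running configuration into global commands and indented
blocks, then applies the checks a reviewer would run against these
templates.  SAMPLE_CONFIG is constructed from the page's own lines (with
the usual show-run indentation); FastEthernet1/0/2 is an added interface
that is missing 'authentication port-control auto' on purpose, and the
page's own omissions are left in place so the checks have output."""

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group dot1x
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
interface FastEthernet1/0/1
 switchport mode access
 switchport voice vlan 217
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
interface FastEthernet1/0/2
 switchport mode access
 dot1x pae authenticator
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class VTY-ACCESS in
 exec-timeout 5 0
 transport input telnet
line vty 5 15
 transport input none
"""


def parse_config(text):
    """Return (global_commands, {block_header: [sub-commands]})."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and comments
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            globals_.append(current)
            blocks[current] = []
    return globals_, blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    globals_, blocks = parse_config(text)
    findings = []
    if "aaa new-model" not in globals_:
        findings.append("global: 'aaa new-model' missing, AAA method lists are ignored")
    login = [g for g in globals_ if g.startswith("aaa authentication login default")]
    if not login:
        findings.append("global: no default login authentication method list")
    elif "group tacacs+" in login[0] and not login[0].endswith(" local"):
        findings.append("global: login list has no 'local' fallback for when TACACS+ is unreachable")
    if not any(g.startswith("aaa accounting commands 15") for g in globals_):
        findings.append("global: no accounting for privilege-15 commands")
    dot1x_ifaces = [h for h, body in blocks.items()
                    if h.startswith("interface") and "dot1x pae authenticator" in body]
    if dot1x_ifaces and "dot1x system-auth-control" not in globals_:
        findings.append("global: 'dot1x system-auth-control' missing, 802.1X is not enforced on "
                        + ", ".join(h.split()[1] for h in dot1x_ifaces))
    for h in dot1x_ifaces:
        body, name = blocks[h], h.split()[1]
        if "authentication port-control auto" not in body:
            findings.append(f"{name}: no 'authentication port-control auto', port is not authenticated")
        if any(b.startswith("switchport voice vlan") for b in body) \
                and "authentication host-mode multi-domain" not in body:
            findings.append(f"{name}: voice VLAN configured without multi-domain host mode")
    for h, body in blocks.items():
        if not h.startswith("line vty"):
            continue
        transport = [b for b in body if b.startswith("transport input")]
        if transport and transport[0].endswith(" none"):
            continue  # line accepts no connections, nothing to check
        if not any(b.startswith("access-class") and b.endswith(" in") for b in body):
            findings.append(f"{h}: no inbound access-class restricting management sources")
        if not any(b.startswith("exec-timeout") for b in body):
            findings.append(f"{h}: no exec-timeout, idle sessions stay open")
        if any("telnet" in b for b in transport):
            findings.append(f"{h}: telnet accepted, credentials cross the network in clear text")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports three findings: the missing global `dot1x system-auth-control` (without it the `dot1x pae authenticator` interfaces never actually challenge the host), the second interface without `authentication port-control auto`, and `line vty 0 4` accepting Telnet. The parser keys blocks by their full header line, so the same checks can be pointed at a `show running-config` capture of a real switch.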

 

 

3. Cisco TACACS+ firewall template configuration example

The configuration below applies to the whole Cisco ASA family of products, on any version. It configures an AAA server on the inside of the network and TACACS+ authentication for the SSH and HTTPS protocols, with fallback to the locally configured users in the Cisco ASA database.

aaa-server TACACS+ protocol tacacs+
reactivation-mode depletion deadtime 1
aaa-server TACACS+ (inside) host 192.168.1.1
timeout 2
key test
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authorization command LOCAL
aaa accounting enable console TACACS+
aaa accounting serial console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+
aaa accounting command privilege 15 TACACS+

4. Cisco ACS appliance default BIOS passwords

The reason anybody would need to get into the BIOS of the ACS appliance is to change the boot sequence order so that the device can be reimaged, or the administrator password recovered, by booting from the default CD provided by Cisco.

The default BIOS password is usually the appliance model number, so:

Cisco ACS 1111 appliance: acs1111

Cisco ACS 1112 appliance: acs1112

Cisco ACS 1113 appliance: acs1113

If that fails you can always remove the CMOS battery, switch the appliance on and then off again after 10 seconds; that usually resets the password to the factory default, which is usually blank.

Cisco ASA and Related Configs

 

 

Cisco NAT examples prior to version 8.3

The section below describes the NAT order of operation in more detail. Cisco ASA NAT is considered one of the most complicated and challenging subjects; if it looks intimidating, that is because it is. If you require some assistance with it, you can always contact us for more information.

Order of NAT Commands Used to Match Real Addresses
The security appliance matches real addresses to NAT commands in the following order:

1. NAT exemption (nat 0 access-list): in order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and Static PAT (regular and policy) (static): in order, until the first match. Static identity NAT is included in this category.

3. Policy dynamic NAT (nat access-list): in order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT (nat): best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the security appliance.

Static translation, or one-to-one translation

static (inside,outside1) 196.38.244.1 10.10.10.1 netmask 255.255.255.255

 

NAT exemption, usually used to allow access for VPN users or to establish site-to-site VPN tunnels

access-list inside_nat0_outbound extended permit ip host 192.168.1.2 194.168.100.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Inside-to-outside NAT, usually used to allow traffic from inside to outside while hiding the local networks from the outside world
nat (inside) 1 192.168.0.0 255.255.0.0

global (outside) 1 interface
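To make the four-step lookup order above concrete, the following added Python model (not code from the page or from Cisco) loads the three pre-8.3 examples just shown (the static one-to-one translation, the nat 0 exemption for host 192.168.1.2 to 194.168.100.0/24, and the nat (inside) 1 dynamic rule) plus a constructed 0.0.0.0/0 catch-all of the kind the text mentions, and resolves a real address through exemption, static and policy dynamic NAT in first-match order and regular dynamic NAT by best (longest-prefix) match. The names `Rule`, `RULES`, `ORDER`, `lookup` and `translate` are chosen for this example, and interface names are ignored since only the ordering is being demonstrated.

```python
"""Simulation of the pre-8.3 ASA NAT lookup order described above.

Added example (not code from the original page or from Cisco): it models
the four categories in the order the page lists them and feeds in the
page's own static, nat 0 access-list and nat (inside) 1 rules.  The rule
format and matching are a simplified model; interfaces are not modelled."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    category: str           # "exempt", "static", "policy_dyn" or "regular_dyn"
    real: str               # real (local) address or network in CIDR form
    mapped: str             # mapped address, or "interface" for PAT to the interface
    dest: str = "0.0.0.0/0"  # destination match, meaningful for ACL-based rules only


# Constructed rule table built from the pre-8.3 examples on this page.
RULES = [
    # nat (inside) 0 access-list inside_nat0_outbound  (host 192.168.1.2 -> 194.168.100.0/24)
    Rule("exempt", "192.168.1.2/32", "192.168.1.2/32", "194.168.100.0/24"),
    # static (inside,outside1) 196.38.244.1 10.10.10.1 netmask 255.255.255.255
    Rule("static", "10.10.10.1/32", "196.38.244.1/32"),
    # nat (inside) 1 192.168.0.0 255.255.0.0 / global (outside) 1 interface
    Rule("regular_dyn", "192.168.0.0/16", "interface"),
    # constructed catch-all, the "general statement" the text describes
    Rule("regular_dyn", "0.0.0.0/0", "interface"),
]

# Categories in the order the security appliance consults them.
ORDER = ["exempt", "static", "policy_dyn", "regular_dyn"]


def _matches(rule, src, dst):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.real)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dest))


def lookup(src, dst, rules=RULES):
    """Return the rule that applies to src->dst.

    Exemption, static and policy dynamic NAT are first-match in
    configuration order; regular dynamic NAT is best match, i.e. the
    statement whose real-address prefix is the most specific."""
    for category in ORDER:
        candidates = [r for r in rules if r.category == category and _matches(r, src, dst)]
        if not candidates:
            continue
        if category == "regular_dyn":
            return max(candidates, key=lambda r: ipaddress.ip_network(r.real).prefixlen)
        return candidates[0]
    return None


def translate(src, dst, rules=RULES):
    """Human-readable result of the lookup for one connection."""
    rule = lookup(src, dst, rules)
    if rule is None:
        return "no translation (dropped when nat-control is enabled)"
    if rule.category == "exempt":
        return f"{src} exempt (unchanged) to {dst}"
    if rule.mapped == "interface":
        return f"{src} PAT to outside interface address (matched real prefix {rule.real})"
    return f"{src} -> {rule.mapped.split('/')[0]}"


if __name__ == "__main__":
    for s, d in [("192.168.1.2", "194.168.100.7"), ("192.168.1.2", "8.8.8.8"),
                 ("10.10.10.1", "8.8.8.8"), ("192.168.50.9", "8.8.8.8"),
                 ("10.9.9.9", "8.8.8.8")]:
        print(f"{s:>13} -> {d:<15}: {translate(s, d)}")
```

The two runs for 192.168.1.2 show the point of the ordering: to 194.168.100.7 the exemption wins before any other category is consulted, while to 8.8.8.8 the same host falls through to regular dynamic NAT, where the /16 statement beats the /0 catch-all regardless of the order they were entered.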

Cisco NAT examples after version 8.3

! object NAT: static translation of the host to the mapped object outsidenat (defined elsewhere)
object network 192.168.1.119
 host 192.168.1.119
 nat (any,any) static outsidenat
! twice NAT: identity rule for the same object, evaluated before object NAT
nat (any,any) source static 192.168.1.119 192.168.1.119
! object NAT: dynamic PAT of the inside subnet to the outside interface address
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

 

For a complete guide on how to configure NAT on Cisco ASA devices after version 8.3, see the separate guide.

 

VPN tunnel password recovery, and site-to-site shared-secret (pre-shared key) recovery

The normal show running-config output masks pre-shared keys; either of the following shows or exports the configuration with the keys in clear text:

more system:running-config

or

write net 10.27.16.20:running

(the second copies the running configuration to the TFTP server 10.27.16.20)

 

 

 

Cisco FWSM and Related Configs

FWSM initial configuration: switch-side and firewall-side configuration examples

Primary and secondary switch side

vlan 2
name test1

firewall module 7 vlan-group 1
firewall vlan-group 1 2,3,100

Firewall side

interface Vlan2
nameif test1
security-level 100
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2

 

 

FWSM failover configuration example: typical firewall failover configuration

Switch side, primary and secondary. It is important to note that outside of VSS mode the configuration must be done on the individual switches to duplicate the same environment; otherwise the FWSM will report synchronization mismatch errors.

vlan 800
name fwsm-failover

Primary FWSM

interface Vlan800
description LAN/STATE Failover Interface

failover
failover lan unit primary
failover lan interface failover Vlan800
failover polltime unit 2 holdtime 6
failover link failover Vlan800
failover interface ip failover 172.2.2.1 255.255.255.252 standby 172.2.2.2

 

Secondary FWSM

interface Vlan800
description LAN/STATE Failover Interface

failover
failover lan unit secondary
failover lan interface failover Vlan800
failover polltime unit 2 holdtime 6
failover link failover Vlan800
failover interface ip failover 172.2.2.1 255.255.255.252 standby 172.2.2.2

 

FWSM version upgrade configuration example

copy tftp://163.200.217.122/c6svc-fwm-k9.3-2-13.bin flash:image

copy tftp://163.200.217.122/c6svc-asdm-k9.3-2-13.bin flash:asdm

FWSM translation exception configuration example: bypass all NAT through the firewall

no nat-control

Firewall VSS mode configuration and configuration notes

The configuration of the Cisco FWSM in a VSS environment is quite simple. It is important to note that no special configuration is needed within the FWSM module to configure VSS. In fact, all the relevant configuration to achieve virtual switch mode is done on the Cisco 6509 switch and its Supervisor engines.

Firewall and asymmetric routing

This can be achieved on the FWSM using the asr-group command. The asr-group command causes incoming packets to be re-classified against the other interfaces of the same asymmetric routing group (asr-group) if a flow with the incoming interface cannot be found. If re-classification finds a flow with another interface, and the associated context is in standby state, the packet is forwarded to the active unit for processing.

A configuration example is shown below:

interface Vlan2
nameif test1
security-level 100
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
asr-group 1

interface Vlan3
nameif test2
security-level 100
ip address 172.16.2.1 255.255.255.0 standby 172.16.2.2
asr-group 1

 

 

Cisco IPS AIP and IDSM and Related Configs

Event action override configuration example: an event action filter used to override the default actions of specific signatures, e.g.:

configure terminal
service event-action-rules rules100
filters insert name100 begin
signature-id-range 1000-1004
subsignature-id-range 1-4
attacker-address-range 10.10.10.10-10.10.10.23
victim-address-range 192.56.10.1-192.56.10.255
victim-port-range 0-8443
risk-rating-range 85-100
actions-to-remove reset-tcp-connection
deny-attacker-percentage 90
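Whether a filter like name100 touches a given event depends on every one of its ranges matching at once, which is easy to misjudge when tuning. The following added Python model (not code from the page or from Cisco) holds the filter with the values shown above and evaluates constructed events against it, removing the actions listed under actions-to-remove from events that match. `Filter`, `Event`, `NAME100`, `filter_matches` and `apply_filters` are names chosen for this example; the deny-attacker-percentage value is carried but its sampling behaviour is not modelled (assumption: for this example it does not change which actions are removed).

```python
"""Evaluation of the event action filter shown above.

Added example, not code from the original page or from Cisco: it models
how a filter in an event-action-rules policy is applied.  A filter
matches an event only when every configured range matches, and a
matching filter removes the actions listed in actions-to-remove from
that event.  deny-attacker-percentage is stored but not modelled
(assumption: it does not change which actions are removed here)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Filter:
    name: str
    sig_ids: tuple            # (low, high), inclusive
    subsig_ids: tuple
    attacker: tuple           # (first, last) IPv4 address, inclusive
    victim: tuple
    victim_ports: tuple
    risk_rating: tuple
    actions_to_remove: set
    deny_attacker_percentage: int = 100


@dataclass
class Event:
    sig_id: int
    subsig_id: int
    attacker: str
    victim: str
    victim_port: int
    risk_rating: int
    actions: set = field(default_factory=set)   # actions the signature would take


# filters insert name100 begin ... with the values from the page's configuration
NAME100 = Filter(
    name="name100",
    sig_ids=(1000, 1004),
    subsig_ids=(1, 4),
    attacker=("10.10.10.10", "10.10.10.23"),
    victim=("192.56.10.1", "192.56.10.255"),
    victim_ports=(0, 8443),
    risk_rating=(85, 100),
    actions_to_remove={"reset-tcp-connection"},
    deny_attacker_percentage=90,
)


def _in_range(value, rng):
    return rng[0] <= value <= rng[1]


def _ip_in_range(addr, rng):
    a = ipaddress.IPv4Address(addr)
    return ipaddress.IPv4Address(rng[0]) <= a <= ipaddress.IPv4Address(rng[1])


def filter_matches(flt, ev):
    """True only when every criterion of the filter matches the event."""
    return (_in_range(ev.sig_id, flt.sig_ids)
            and _in_range(ev.subsig_id, flt.subsig_ids)
            and _ip_in_range(ev.attacker, flt.attacker)
            and _ip_in_range(ev.victim, flt.victim)
            and _in_range(ev.victim_port, flt.victim_ports)
            and _in_range(ev.risk_rating, flt.risk_rating))


def apply_filters(filters, ev):
    """Return (actions left on the event, names of the filters that matched).

    Filters are tried in the order they appear in the policy."""
    remaining, matched = set(ev.actions), []
    for flt in filters:
        if filter_matches(flt, ev):
            matched.append(flt.name)
            remaining -= flt.actions_to_remove
    return remaining, matched


if __name__ == "__main__":
    # Constructed events: one inside every range, one just below the risk-rating range.
    hit = Event(1002, 2, "10.10.10.15", "192.56.10.40", 443, 90,
                {"produce-alert", "reset-tcp-connection", "deny-attacker-inline"})
    miss = Event(1002, 2, "10.10.10.15", "192.56.10.40", 443, 70,
                 {"produce-alert", "reset-tcp-connection"})
    for ev in (hit, miss):
        print(f"risk rating {ev.risk_rating}:", apply_filters([NAME100], ev))
```

The run shows the asymmetry worth remembering when tuning: the event with risk rating 90 loses only reset-tcp-connection and keeps its alert and deny action, while the otherwise identical event at risk rating 70 is untouched because one range failed.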

 

Recommended Reading

  1. Cisco ACS Best Practices document
  2. Cisco ASA Best Practices and Security Hardening document
  3. Cisco-vpn-ipsec-configuration-examples
  4. Cisco-ids-ips-aip-idsm-configuration-examples
  5. Detailed Cisco ACS 5.2 installation and configuration example with print screens
