
Thursday, 28 November 2013

How to Configure EXEC and Absolute Timeouts

Configuring EXEC and absolute timeouts is a common requirement of corporate security policy. Put simply, the exec timeout terminates an EXEC session after it has been idle for the configured period. The default value is 10 minutes.

An absolute timeout, on the other hand, is the maximum amount of time a single session can remain established, whether or not the user is active. So if you configure an absolute timeout of 12 minutes, the session will be disconnected after 12 minutes even if the user is still active.

Absolute timeouts are sometimes used to force EXEC sessions on a terminal server to terminate after a specified period, regardless of whether they are idle.

  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start device R1.
  • Establish a console session with R1 and configure the device with its respective hostname.
  • Create a loopback interface on R1 and assign it the IP address 10.1.1.1/32.
  • Create a privilege level 15 user name and password and configure the VTY lines to authenticate against the local database.

Configure a 1-minute exec timeout on vty lines 0 through 4 on R1 and verify it by establishing a Telnet session to the Loopback0 interface IP address. Once authenticated, idle for one minute.
Remove the exec timeout previously configured on R1's vty lines and configure a 2-minute absolute timeout on them. Verify the configuration by establishing a Telnet session to the Loopback0 interface IP address and waiting two minutes. If configured correctly you will be disconnected automatically after 120 seconds.

Lab Instruction:

Step 1. Configure a 1-minute exec timeout on vty lines 0 through 4 and verify your configuration by telnetting to the Loopback0 IP address, authenticating, and then idling for 1 minute.

R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line vty 0 4
R1(config-line)#exec-timeout 2
R1(config-line)#end
R1#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Username: 
Password: 
R1#
[Connection to 10.1.1.1 closed by foreign host]
R1#

Step 2. Remove the exec timeout previously configured on R1's vty lines and configure a 2-minute absolute timeout on them. Verify the configuration by establishing a Telnet session to the Loopback0 interface IP address and waiting two minutes. If configured correctly you will be disconnected automatically after 120 seconds.

R1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#line vty 0 4
R1(config-line)#no exec-timeout
R1(config-line)#absolute-timeout 2
R1(config-line)#end
R1#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Username: tom
Password: 
R1#
* Line timeout expired
[Connection to 10.1.1.1 closed by foreign host]
R1#
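The exec-timeout and absolute-timeout semantics above (an idle timer that defaults to 10 minutes, an absolute limit given in whole minutes) can be checked across an entire configuration rather than one line at a time. The following Python script is an added example, not part of the original post or the Free CCNA Workbook: it parses the line stanzas of a running configuration, works out the effective idle and absolute limits in seconds, and reports any line that falls outside a policy. It also treats `exec-timeout 0 0` as disabling the idle timer, which is standard IOS behaviour. The sample configuration excerpt and the policy limits are constructed for the example.

```python
"""Audit exec-timeout and absolute-timeout on Cisco IOS line stanzas.
Added example, not the lab author's code; config and policy are constructed."""
import re

# Constructed sample running-config excerpt (not captured from R1).
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 2 0
 absolute-timeout 2
 login local
line vty 5 15
 login local
"""

DEFAULT_EXEC_TIMEOUT_SEC = 10 * 60  # IOS default when exec-timeout is absent


def parse_line_stanzas(config):
    """Return {line_name: [sub-commands]} for every 'line ...' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            # A top-level command starts a new stanza (or ends the current one).
            current = raw.strip() if raw.startswith("line ") else None
            if current:
                stanzas[current] = []
        elif current:
            stanzas[current].append(raw.strip())
    return stanzas


def effective_timeouts(subcommands):
    """Return (idle_seconds, absolute_seconds); None means no limit at all."""
    idle = DEFAULT_EXEC_TIMEOUT_SEC
    absolute = None  # no absolute limit unless absolute-timeout is configured
    for cmd in subcommands:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            total = int(m.group(1)) * 60 + int(m.group(2) or 0)
            idle = None if total == 0 else total  # 'exec-timeout 0 0' disables the idle timer
            continue
        m = re.match(r"absolute-timeout (\d+)$", cmd)
        if m:
            absolute = int(m.group(1)) * 60  # absolute-timeout takes minutes only
    return idle, absolute


def audit(config, max_idle_sec=600, max_session_sec=8 * 3600):
    """Return (line, finding) tuples for every line outside the policy."""
    findings = []
    for name, cmds in parse_line_stanzas(config).items():
        idle, absolute = effective_timeouts(cmds)
        if idle is None:
            findings.append((name, "idle timeout disabled (exec-timeout 0 0)"))
        elif idle > max_idle_sec:
            findings.append((name, f"idle timeout {idle}s exceeds policy {max_idle_sec}s"))
        if absolute is None:
            findings.append((name, "no absolute-timeout configured"))
        elif absolute > max_session_sec:
            findings.append((name, f"absolute timeout {absolute}s exceeds policy {max_session_sec}s"))
    return findings


if __name__ == "__main__":
    for line, finding in audit(SAMPLE_CONFIG, max_idle_sec=300):
        print(f"{line}: {finding}")
```

With a 300-second idle policy the constructed excerpt produces four findings: the console line has its idle timer disabled and no absolute limit, and vty 5 15 is still at the 10-minute default with no absolute limit, while vty 0 4 (the lab's 2-minute settings) passes.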

How to Configure Cisco IOS Web Server Authentication

Configuring Cisco IOS web server authentication (HTTP and HTTPS) is a common configuration on production network equipment, such as Cisco routers that host the web-based device management interface of Cisco Security Device Manager (SDM) and Cisco Catalyst switches that host a web management interface, so that only authenticated users can use the web interface.

  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start device R1.
  • Establish a console session with R1 and configure the device with its respective hostname.
  • If you are using GNS3 to complete this lab, an Ethernet NIO cloud needs to be connected to R1's FastEthernet1/0 interface. Refer to Lab 1-8 for configuring a GNS3 Ethernet NIO cloud.
  • Configure a privilege level 15 local user account, which will be used for web authentication in this lab.
  • Configure the FastEthernet0/0 interface with a static or DHCP IP address on your local LAN so that you can reach it with a web browser (Internet Explorer or Firefox) through the switch.
Lab Objectives:

  • Configure R1 to use the domain name "stubarea.NET".
  • Enable the Cisco IOS secure web server using the ip http secure-server global configuration command.
  • Configure Cisco IOS web services to authenticate against the local user database.
  • Verify your configuration by connecting to the FastEthernet0/0 IP address of the device with Internet Explorer or Firefox and logging in with the credentials configured in the prerequisites section.
Lab Instruction:

R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip domain-name stubarea.NET

Step 1. Enable the Cisco IOS secure web server by executing the ip http secure-server global configuration command, as shown below;

R1(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
%SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#

Step 2. Configure Cisco IOS web services to authenticate against the local user database, as shown below;

R1(config)#ip http authentication local

Step 3. Verify your configuration by connecting to the FastEthernet0/0 IP address of the device with Internet Explorer or Firefox and logging in with the credentials configured in the prerequisites section.



As shown in the image above, you will be prompted for a user name and password. Provide the user name and password created in the prerequisites. Once you are authenticated successfully you will see the following page;


How to Configure the Password Encryption Service

By today's standards, type 7 encryption on Cisco devices is considered extremely weak. There are many websites that provide a decoder script: you copy and paste the hash value produced by the service password-encryption command and it returns the cleartext password.

This lab will teach you how to configure the password encryption service, which uses type 7 encryption to encrypt plaintext passwords on a Cisco router or switch.

This encryption is very easy to reverse; its purpose is only to prevent a peeping Tom looking over your shoulder from reading plaintext passwords when the configuration is displayed on the screen.

Delete type 7 encrypted passwords from a configuration before posting it online, because anyone can easily crack them. Type 5 passwords use an MD5 hash value, a one-way (non-reversible) 128-bit algorithm. These passwords cannot be "decrypted" due to the nature of the algorithm. When you authenticate to a Cisco device with an MD5-format password, the device hashes the password you enter and matches it against the string stored in the configuration. If there is a match, authentication is successful; if not, your password is rejected.

In short, type 7 passwords are regarded as weak, and type 5 passwords are considered "uncrackable" per se.

Type 5 password hashes cannot be decrypted with a rainbow table. A type 5 password hash is divided into three separate sections. Using the type 5 password hash found in this lab, $1 identifies a Cisco type 5 password, $ID2R is the "salt", and $2AKUK4US6yUQVkggSMkLV0 is the MD5 hash value calculated with the "salt". Cisco does not publish how the "salt" is technically used in the MD5 hashing, so it is "unknown".

The salt is used to ensure that the resulting MD5 string is unique, which adds extra security to the hash. For example, say the actual password is Hello123 and Cisco inserts the randomly generated salt after the second character of the password before hashing, giving He$SALT$llo123; hashing this gives you a unique MD5 string. Ultimately the point I am trying to make is that how Cisco uses the salt is proprietary. Keep in mind that the salt is randomly generated and stored together with the password hash. This makes it almost impossible to build a standard MD5 rainbow table that covers every possible value, because you do not know how the salt is used in the function and cannot prepare a table for each randomly generated salt used by the "enable secret xxxx" command on Cisco equipment.

So when someone tells you that you can crack type 5 passwords with rainbow tables, that is not correct, because a standard rainbow table does not contain every possible salted MD5 hash value that Cisco IOS can generate.

Step 1. Configure a local user account with the user name tom and the secret Cisco;

R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username tom secret Cisco

Step 2. Configure a local user account with the user name john and the password Cisco;

R1(config)#username john password Cisco

Step 3. Verify that the user accounts tom and john were created by viewing the running configuration. Tip: you can display only the username lines of the running configuration by using a regular expression, as follows;

R1(config)#do show run | inc username
username tom privilege 15 secret 5 $1$ID2R$2AKUK4US6yUQVkggSMkLV0
username john privilege 15 password 0 Cisco
R1(config)#

Step 4. Enable the password encryption service by executing the service password-encryption command in global configuration mode, as shown below;

R1(config)#service password-encryption

Step 5. Verify that john's password is now encrypted by viewing the username lines of the running configuration, as shown below;

R1(config)#do show run | inc username
username tom privilege 15 secret 5 $1$ID2R$2AKUK4US6yUQVkggSMkLV0
username john privilege 15 password 7 106D000A0618
R1(config)#
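The two username lines above show the storage types this post discusses side by side: type 5 (the secret keyword, a salted MD5 hash) and type 7 (a password after service password-encryption), with type 0 (plaintext) being what john had before Step 4. The following Python script is an added example, not the lab's own code: it parses username lines from a configuration, classifies each entry by storage type, splits a type 5 value into the three $-delimited sections described above, and recommends replacing password-based entries with secret. The input lines are the two entries from the lab output above; the malformed-value check is an added sanity test of the type 7 format (a two-digit seed followed by hex bytes).

```python
"""Classify how each local username in a Cisco IOS configuration stores its
credential. Added example, not the lab's own code."""
import re

# The two username entries from the lab's 'show run | inc username' output.
SAMPLE_USERNAMES = """\
username tom privilege 15 secret 5 $1$ID2R$2AKUK4US6yUQVkggSMkLV0
username john privilege 15 password 7 106D000A0618
"""

USERNAME_RE = re.compile(
    r"^username (?P<user>\S+)(?: privilege (?P<priv>\d+))? "
    r"(?P<keyword>password|secret) (?P<type>\d+) (?P<value>\S+)$"
)

# Storage types discussed in this post: 0 is plaintext, 7 is the reversible
# encoding applied by service password-encryption, 5 is the salted MD5 hash
# produced by the secret keyword.
STORAGE = {
    "0": ("plaintext", "weak"),
    "7": ("type 7 reversible encryption", "weak"),
    "5": ("type 5 salted MD5", "acceptable"),
}
TYPE7_RE = re.compile(r"^\d{2}(?:[0-9A-F]{2})+$")  # two-digit seed, then hex bytes


def split_type5(value):
    """Split '$1$<salt>$<hash>' into the three sections described in the post."""
    parts = value.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError(f"not a type 5 hash: {value!r}")
    return {"id": "$1", "salt": parts[2], "hash": parts[3]}


def classify(line):
    """Return a finding dict for one username line, or None if it is not one."""
    m = USERNAME_RE.match(line.strip())
    if not m:
        return None
    storage, strength = STORAGE.get(m.group("type"), ("unknown storage type", "review"))
    finding = {
        "user": m.group("user"),
        "privilege": int(m.group("priv") or 1),  # IOS default privilege is 1
        "type": m.group("type"),
        "storage": storage,
        "strength": strength,
    }
    if m.group("type") == "5":
        finding["sections"] = split_type5(m.group("value"))
    elif m.group("type") == "7" and not TYPE7_RE.match(m.group("value")):
        finding["strength"] = "malformed"
    if strength == "weak":
        finding["remediation"] = (
            f"replace with 'username {finding['user']} secret <password>' "
            "so that a type 5 salted hash is stored instead"
        )
    return finding


def audit(config):
    """Classify every username line in a configuration excerpt, in order."""
    return [f for f in map(classify, config.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in audit(SAMPLE_USERNAMES):
        print(finding)
```

Run against the lab output, tom is reported as acceptable with the salt ID2R and the hash split out, while john is flagged as weak with a recommendation to re-create the account with the secret keyword; service password-encryption only converts type 0 to type 7, it never upgrades an entry to type 5.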

How to Configure a VTY Lines ACL

It is a common security policy in production networks to use an access control list to specify that only a specific management subnet and/or host can establish a remote management session to a network device.

This lab will teach you how to configure an ACL that controls which networks and/or hosts can establish an EXEC session through a VTY line for remote management.


  • If you are using GNS3, load the Free CCNA Workbook GNS3 topology and start devices R1, R2, R3 and SW1.
  • Establish a console session with R1, R2, R3 and SW1 and configure each device with its respective hostname.
  • Configure the IP address 10.1.1.1/24 on the FastEthernet0/0 interface of R1.
  • Configure the IP address 10.1.1.2/24 on the FastEthernet0/0 interface of R2.
  • Configure the IP address 10.1.1.3/24 on the FastEthernet0/0 interface of R3.
  • Configure a privilege level 15 local user name and password on R1 that will be used to authenticate VTY EXEC sessions.
  • Configure R1 to accept Telnet and SSH sessions.


Lab Objectives:

  • Create a named extended access list called VTY_ACCESS.
  • Deny host 10.1.1.3 access to the vty lines via Telnet.
  • Allow the network 10.1.1.0/24 to use Telnet or SSH.
  • Deny all other traffic and log the rejected connection attempts.
  • Apply the access list to the vty lines with the access-class command.
  • Verify your configuration and connectivity using R2 and R3.

One of the biggest new features in the 12.3T and mainline releases is the ability to use an extended access list to permit only specific traffic to connect to the vty lines of a Cisco device using a specific protocol, i.e. Telnet or SSH EXEC sessions.

Step 1. Configure a named access list called VTY_ACCESS on R1;


R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip access-list extended VTY_ACCESS
R1(config-ext-nacl)#

Step 2. Deny host 10.1.1.3 access to the vty lines via Telnet. To accomplish this, specify host 10.1.1.3 as the source and any eq telnet as the destination, as shown below;

R1(config-ext-nacl)#10 deny tcp host 10.1.1.3 any eq telnet

Traffic destined to the device's control plane is represented in the ACL as 0.0.0.0/0, a.k.a. any.

Step 3. Allow the network 10.1.1.0/24 to use Telnet or SSH. This objective requires two access list entries, one for Telnet (TCP port 23) and another for SSH (TCP port 22), as shown below;

R1(config-ext-nacl)#20 permit tcp 10.1.1.0 0.0.0.255 any eq 22
R1(config-ext-nacl)#30 permit tcp 10.1.1.0 0.0.0.255 any eq 23

Step 4. Deny all other traffic and log the denied connection attempts.

R1(config-ext-nacl)#500 deny ip any any log

Step 5. Apply the access list to the vty lines with the access-class command.

R1(config-ext-nacl)#line vty 0 4
R1(config-line)#access-class VTY_ACCESS in
R1(config-line)#end
R1#

Step 6. Verify your configuration and connectivity using R2 and R3.

Before verifying connectivity using R2 and R3, first display the IP access list on R1 with the show access-list command;

R1#show access-list
Extended IP access list VTY_ACCESS
10 deny tcp host 10.1.1.3 any eq telnet
20 permit tcp 10.1.1.0 0.0.0.255 any eq 22
30 permit tcp 10.1.1.0 0.0.0.255 any eq telnet
500 deny ip any any log
R1#

You can verify that Telnet from R3 is rejected by executing the show access-list command in privileged mode on R1 after attempting to connect to the vty lines. This displays each access control list entry with its hit count next to it;

R1#show access-list
Extended IP access list VTY_ACCESS
10 deny tcp host 10.1.1.3 any eq telnet (1 match)
20 permit tcp 10.1.1.0 0.0.0.255 any eq 22 (4 matches)
30 permit tcp 10.1.1.0 0.0.0.255 any eq telnet (6 matches)
500 deny ip any any log
R1#
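The hit counts above reflect how IOS evaluates an access-class list: entries are tried in sequence order, the first match decides, and a connection that matches nothing hits the implicit deny. The following Python script is an added example, not part of the original post or the lab: it parses the VTY_ACCESS entries exactly as show access-list displayed them, evaluates a set of constructed connection attempts from R2, R3 and an outside host against them (including wildcard-mask matching and named ports), and tallies per-entry matches the way the show command does. The outside host address 192.168.1.9 and the attempt list are constructed for the example.

```python
"""Evaluate connection attempts against the lab's VTY_ACCESS extended ACL the
way IOS does: first matching entry wins, anything unmatched is implicitly
denied. Added example, not the lab's own code."""
import ipaddress
import re

# The access list exactly as 'show access-list' displayed it above.
ACL_TEXT = """\
10 deny tcp host 10.1.1.3 any eq telnet
20 permit tcp 10.1.1.0 0.0.0.255 any eq 22
30 permit tcp 10.1.1.0 0.0.0.255 any eq telnet
500 deny ip any any log
"""

PORT_NAMES = {"telnet": 23, "ssh": 22}  # IOS shows well-known ports by name

ACE_RE = re.compile(
    r"^(?P<seq>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+|any|\S+ \S+) (?P<dst>host \S+|any|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?(?P<log> log)?$"
)


def parse_address(spec):
    """Turn 'host A', 'any' or 'A WILDCARD' into a (network, mask) int pair."""
    if spec == "any":
        return 0, 0
    if spec.startswith("host "):
        return int(ipaddress.IPv4Address(spec[5:])), 0xFFFFFFFF
    addr, wildcard = spec.split()
    # In a wildcard mask a set bit means "don't care", the inverse of a netmask.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & mask, mask


def address_matches(ip, pair):
    network, mask = pair
    return int(ipaddress.IPv4Address(ip)) & mask == network


def parse_acl(text):
    """Parse displayed entries into dicts, ordered by sequence number."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACE: {line!r}")
        port = m.group("port")
        entries.append({
            "seq": int(m.group("seq")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src": parse_address(m.group("src")),
            "dst": parse_address(m.group("dst")),
            "port": None if port is None else int(PORT_NAMES.get(port, port)),
            "log": m.group("log") is not None,
        })
    return sorted(entries, key=lambda e: e["seq"])


def evaluate(acl, src_ip, dst_ip, proto, dst_port):
    """Return (seq, action, log) of the first match; (None, 'deny', False) is the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):  # 'ip' covers every protocol
            continue
        if not (address_matches(src_ip, ace["src"]) and address_matches(dst_ip, ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        return ace["seq"], ace["action"], ace["log"]
    return None, "deny", False


def hit_counts(acl, attempts):
    """Tally matches per entry for (src, dst, proto, port) attempts, like show access-list."""
    counts = {ace["seq"]: 0 for ace in acl}
    for src, dst, proto, port in attempts:
        seq, _, _ = evaluate(acl, src, dst, proto, port)
        if seq is not None:
            counts[seq] += 1
    return counts


# Constructed attempts: R2 and R3 are the lab hosts, 192.168.1.9 is an outsider.
SAMPLE_ATTEMPTS = [
    ("10.1.1.3", "10.1.1.1", "tcp", 23),     # R3 Telnet -> entry 10 (deny)
    ("10.1.1.3", "10.1.1.1", "tcp", 22),     # R3 SSH -> entry 20 (entry 10 only covers Telnet)
    ("10.1.1.2", "10.1.1.1", "tcp", 22),     # R2 SSH -> entry 20
    ("10.1.1.2", "10.1.1.1", "tcp", 23),     # R2 Telnet -> entry 30
    ("192.168.1.9", "10.1.1.1", "tcp", 22),  # outsider -> entry 500 (deny, logged)
]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for attempt in SAMPLE_ATTEMPTS:
        print(attempt, "->", evaluate(acl, *attempt))
    print(hit_counts(acl, SAMPLE_ATTEMPTS))
```

Note that R3 is only blocked from Telnet: entry 10 matches on port 23, so an SSH attempt from 10.1.1.3 falls through to entry 20 and is permitted. If the intent is to keep R3 off the vty lines entirely, the deny entry needs to cover both protocols.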
