Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

132 Chapter 4 Cisco Perimeter Router Problems and Solutions


You’re now familiar with the Cisco IOS Firewall software and some of its features, and you’re aware of the dangers lurking at the perimeter of your network. You also learned about ways to keep your network and its data safe using features built into the Cisco IOS Firewall.

By matching each problem with a specific solution, you’re now equipped with strategies that you can use against those attacks. Remember that the solution for eavesdropping and session replay is using encryption schemes such as IPSec. To stop unauthorized users from accessing your network, some simple access control lists work just fine. To provide relief from an IP address shortage, use NAT on the perimeter router to conserve subnets. The best solution for rerouting attacks is to configure MD5 authentication on your router. And finally, the solution for DoS attacks is to use the TCP Intercept feature.

If you brilliantly configure these features at the perimeter of your network, you’re good and safe to go. And a router running the Cisco IOS Firewall software can do all of this for you.

Exam Essentials

Know the solution to eavesdropping. To prevent eavesdropping, use IPSec encryption.

Know the commands to stop a chargen attack. The following two commands can stop a chargen attack:

Lab_B(config)#no service tcp-small-servers

Lab_B(config)#no service udp-small-servers

Know how to prevent unauthorized access, data manipulation, and malicious destruction. To prevent certain inbound and outbound packets, use ACLs.

Know the solution to the lack of legal IP addresses problem. If you do not have enough legal IP addresses, use NAT and PAT.

Know how to prevent rerouting attacks. To secure your network against rerouting attacks, enable MD5 authentication.

Know how to prevent DoS attacks. To prevent DoS attacks, enable TCP Intercept.
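The DoS essential above says only "enable TCP Intercept". The following Python model, added here as an illustration and not taken from the book or from Cisco, shows why intercept mode helps against a SYN flood: the router proxy-answers every inbound SYN and holds the half-open state itself, so the protected server only ever sees connections whose client actually completed the handshake. The half-open aging timeout, the server backlog size and the addresses are constructed assumptions, and the model ignores watch mode and the aggressive-mode thresholds.

```python
"""Toy model of TCP Intercept (intercept mode) versus an unprotected server.
Added example; timeout, backlog size and addresses are constructed values."""

from dataclasses import dataclass, field

HALF_OPEN_TIMEOUT = 30.0   # seconds an unanswered SYN-ACK is kept (assumed value)


@dataclass
class Server:
    """The protected host. Without intercept, every inbound SYN occupies a
    listen-backlog slot until the handshake completes or the entry ages out."""
    backlog_limit: int
    half_open: dict = field(default_factory=dict)     # client -> time of SYN
    established: list = field(default_factory=list)
    refused: int = 0

    def on_syn(self, client, now):
        self.expire(now)
        if len(self.half_open) >= self.backlog_limit:
            self.refused += 1            # backlog full: the SYN is dropped
            return False
        self.half_open[client] = now
        return True

    def on_ack(self, client, now):
        if client in self.half_open:
            del self.half_open[client]
            self.established.append(client)
            return True
        return False

    def expire(self, now):
        for c in [c for c, t in self.half_open.items() if now - t > HALF_OPEN_TIMEOUT]:
            del self.half_open[c]


@dataclass
class InterceptRouter:
    """Intercept mode: the router answers the SYN on the server's behalf and keeps
    the half-open state; the server only sees connections the client completed."""
    server: Server
    pending: dict = field(default_factory=dict)       # client -> time SYN-ACK sent
    aged_out: int = 0

    def on_syn(self, client, now):
        self.expire(now)
        self.pending[client] = now       # proxy SYN-ACK goes back to the client
        return True

    def on_ack(self, client, now):
        self.expire(now)
        if client not in self.pending:
            return False                 # ACK for a connection never proxied
        del self.pending[client]
        # Client proved reachable: router now completes a real handshake with
        # the server and splices the two halves together.
        self.server.on_syn(client, now)
        return self.server.on_ack(client, now)

    def expire(self, now):
        for c in [c for c, t in self.pending.items() if now - t > HALF_OPEN_TIMEOUT]:
            del self.pending[c]
            self.aged_out += 1


def run_scenario(n_bogus, use_intercept, backlog_limit=128):
    """Constructed scenario: n_bogus spoofed SYNs that never complete the
    handshake, then one legitimate client that does. Returns what the server saw."""
    server = Server(backlog_limit=backlog_limit)
    front = InterceptRouter(server) if use_intercept else server
    legit = ("198.51.100.7", 40000)                   # constructed client
    for i in range(n_bogus):
        # spoofed sources never answer the SYN-ACK (constructed addresses)
        front.on_syn(("203.0.113.%d" % (i % 250 + 1), 1024 + i), now=0.0)
    front.on_syn(legit, now=1.0)
    accepted = front.on_ack(legit, now=1.1)
    return {
        "legit_accepted": accepted,
        "server_established": len(server.established),
        "server_half_open": len(server.half_open),
        "server_refused": server.refused,
    }


if __name__ == "__main__":
    print("without intercept:", run_scenario(500, use_intercept=False))
    print("with intercept:   ", run_scenario(500, use_intercept=True))
```

Run as written, the unprotected server's 128-slot backlog fills with spoofed half-open entries and the legitimate client is refused, while behind the intercepting router the server's backlog stays empty and the legitimate client connects. The router's own table is still bounded in reality, which is what the aggressive-mode thresholds of TCP Intercept are for.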

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.



Key Terms

Before you take the exam, be certain you are familiar with the following terms:

Cisco IOS Firewall

perimeter routers

denial-of-service (DoS) attacks

rerouting attack

session replay

SYN flood attack

TCP Intercept

MD5 authentication


Commands Used in This Chapter

Here is the list of commands used in this chapter:

(config)#access-list number deny udp any any eq snmp

Denies SNMP packets.

(config-if)#ip access-group 110 in

Configures the specified access list inbound on your interface.



(config)#no service tcp-small-servers

Disables the default TCP diagnostic services.

(config)#no service udp-small-servers

Disables the default UDP diagnostic services.

(config)#no service finger

Disables the Finger service.

(config)#no ip bootp server

Disables the boot server service.

(config)#no service config

Disables the auto-config feature on a router.

(config)#no ip http server

Disables the HTTP service.

(config)#no ip source-route

Disables source-routed packets.

(config-if)#no ip proxy-arp

Disables proxy ARP on an interface.

(config-if)#no ip redirects

Disables IP redirects on an interface.

(config-if)#no ip unreachables

Disables IP unreachable messages from being sent out an interface.




(config-if)#no ip mroute-cache

Disables the multicast route cache.

(config-if)#no mop enabled

Disables the DECnet MOP service.

(config)#no service pad

Disables the X.25 PAD service.

(config)#service nagle

Enables the Nagle service.

(config)#logging trap debugging

Enables logging to a Syslog server.

(config)#logging ip_address

Logs messages to the specified Syslog server.

sh logging

Shows the logging buffer held in router memory.

(config)#no cdp run

Disables CDP on a Cisco device.

(config-if)#no cdp enable

Disables CDP on a Cisco device interface.

Lab_B(config-if)#ip helper-address

Forwards UDP packets to the specified IP address.

Lab_B(config)#no ip forward-protocol udp port

Disables forwarding a specific UDP port.


(config)#ip forward-protocol udp port

Forwards the specified UDP port.

(config)#access-list number deny ip ip_address wildcard any

Denies the specified source address to any destination.

(config)#access-list 110 deny tcp any any established

Sets up TCP Established on a router.

Lab_B(config)#access-list 110 permit tcp any any

Permits all TCP packets.

(config)#router eigrp AS

Chooses the specified EIGRP process.

(config-router)#network network_number

Configures EIGRP to advertise the specified network.

(config-if)#ip authentication mode eigrp AS md5

Enables MD5 authentication in IP EIGRP packets.

(config-if)#ip authentication key-chain eigrp AS key_name

Enables authentication of IP EIGRP packets.

(config)#key chain key_name

Identifies a key chain.


(config-key)#key key_number

In the key chain configuration mode, identifies the key number.

(config-key)#key-string number

In the key chain key configuration mode, identifies the key string.

(config)#access-list number permit tcp any host ip_address

Creates the designated access list to permit any source to the specified destination.

(config)#ip tcp intercept list list_

Creates TCP Intercept to use the specified list.

(config)#ip tcp intercept mode intercept

Sets the TCP Intercept mode to intercept.
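The command list above is exactly what a reviewer checks for in a perimeter router's saved configuration. The Python script below is an added example (not from the book, and not a Cisco tool) that parses a `show running-config` text and reports which of the chapter's hardening lines are absent: the global service shutdowns, the per-interface settings on the outside interface, EIGRP MD5 authentication with a key chain that actually defines a key-string, and a TCP Intercept list backed by a permit entry. The sample configuration, the interface name `Serial0/0`, the key chain name `EIGRP-KEYS` and the addresses are constructed placeholders. One caveat before trusting a "missing" result: IOS does not print settings that sit at their platform default, so on a version where a service is already off by default the `no` line can legitimately be absent; trim the lists to the platform you audit.

```python
"""Audit a saved `show running-config` for the perimeter hardening lines listed
in this chapter. Added example; the sample config is constructed. IOS omits
settings at their default, so a reported line may be a default, not a gap."""

import re

# Global-mode lines the chapter lists for a perimeter router.
GLOBAL_REQUIRED = [
    "no service tcp-small-servers", "no service udp-small-servers", "no service finger",
    "no ip bootp server", "no service config", "no ip http server",
    "no ip source-route", "no service pad", "no cdp run",
]
# Interface-mode lines the chapter lists for the outside interface.
INTERFACE_REQUIRED = [
    "no ip proxy-arp", "no ip redirects", "no ip unreachables",
    "no ip mroute-cache", "no mop enabled", "no cdp enable",
]

# Constructed sample: interface, addresses and key chain name are placeholders.
SAMPLE_CONFIG = """\
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip http server
no ip source-route
no cdp run
!
key chain EIGRP-KEYS
 key 1
  key-string placeholder-key-string
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ip access-group 110 in
 no ip redirects
 no ip proxy-arp
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
router eigrp 100
 network 203.0.113.0
!
access-list 110 deny udp any any eq snmp
access-list 110 permit tcp any any
access-list 120 permit tcp any host 192.0.2.10 eq www
ip tcp intercept list 120
ip tcp intercept mode intercept
"""


def parse_config(text):
    """Return (top_level_lines, blocks); blocks maps a section header such as
    'interface Serial0/0' to its indented child lines, whitespace stripped."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # blank line or IOS separator
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


def audit(text, outside_interface):
    """Check the chapter's hardening items; each list in the result is a finding."""
    top, blocks = parse_config(text)
    iface = blocks.get("interface " + outside_interface, [])
    findings = {"global_missing": [c for c in GLOBAL_REQUIRED if c not in top],
                "interface_missing": [c for c in INTERFACE_REQUIRED if c not in iface],
                "eigrp": [], "tcp_intercept": []}
    # Rerouting protection: md5 mode plus a bound key chain on the outside
    # interface for every EIGRP process, and the chain must define a key-string.
    for t in top:
        m = re.match(r"router eigrp (\d+)$", t)
        if not m:
            continue
        as_no = m.group(1)
        if "ip authentication mode eigrp %s md5" % as_no not in iface:
            findings["eigrp"].append("AS %s: md5 mode not set on %s" % (as_no, outside_interface))
        chain = None
        for line in iface:
            km = re.match(r"ip authentication key-chain eigrp %s (\S+)$" % as_no, line)
            if km:
                chain = km.group(1)
        if chain is None:
            findings["eigrp"].append("AS %s: no key chain bound on %s" % (as_no, outside_interface))
        elif not any(l.startswith("key-string ") for l in blocks.get("key chain " + chain, [])):
            findings["eigrp"].append("AS %s: key chain %s missing or has no key-string" % (as_no, chain))
    # DoS protection: TCP Intercept must reference an ACL with permit tcp entries.
    lists = [m.group(1) for m in (re.match(r"ip tcp intercept list (\S+)$", t) for t in top) if m]
    if not lists:
        findings["tcp_intercept"].append("ip tcp intercept list not configured")
    for acl in lists:
        if not any(t.startswith("access-list %s permit tcp " % acl) for t in top):
            findings["tcp_intercept"].append("access-list %s has no permit tcp entries" % acl)
    return findings


if __name__ == "__main__":
    for section, items in audit(SAMPLE_CONFIG, "Serial0/0").items():
        print("%-18s %s" % (section, items or "ok"))
```

On the constructed sample the script reports three global lines and four interface lines as missing while the EIGRP and TCP Intercept checks pass; feeding it a real configuration only requires pasting the `show running-config` output in place of the sample and naming the outside interface.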



Written Lab

This section asks you 10 write-in-the-answer questions to help you understand the technology that you need to know in order to pass the MCNS exam.

1. Which TCP Intercept mode will proxy-answer incoming SYN requests and not notify the server until the originating host is verified?

2. Which command would you configure on the perimeter router if you do not want it to announce to external hosts which subnets are not configured?

3. You want to disable Finger replies on a perimeter router. Which command do you want to use?

4. Which two commands would you use on your router to prevent a chargen attack?

5. ___________ can be used to encrypt data between two networks, which prevents eavesdropping.

6. In a rerouting attack, the ___________ table is modified or prevented from being updated.

7. Which command disables Cisco Discovery Protocol on a perimeter router?

8. What command is used to enable an HTTP server on a router for AAA?

9. Which command disables Cisco Discovery Protocol on a perimeter router interface?

10. What command will disable proxy ARP on a perimeter router?
