Thursday, October 1, 2015

Cisco ASA Firewall Allowing SSH Access


config term

### Step 1: Generate an RSA key pair, which is required for SSH ###
crypto key generate rsa modulus 1024

### Step 3 To identify the IP addresses from which the ASA accepts connections ###
### ssh source_IP_address mask source_interface ###
ssh 192.168.1.25 255.255.255.255 INT
ssh 192.168.90.27 255.255.255.255 INT

### Authenticate SSH logins against the LDAP server group, falling back to the LOCAL user database ###
aaa authentication ssh console LDAP_SRV_GRP LOCAL

Tuesday, September 15, 2015

Cisco password Type 7 encryption is insecure; switch to Type 5 (MD5 hash)


Per PwC's recommendation, Cisco password encryption Type 7 is an insecure method
(Type 7 is just an OR/XOR applied directly to the password and is very easy to crack).
Use Type 5 (MD5 hash) instead.

### 1. Log in with an AAA account ###

config term

### 2. Remove the local user account tcbnetadmin (Type 7 password) ###
no username tcbnetadmin

### 3. Re-add the local user account tcbnetadmin with a secret (Type 5) ###
username tcbnetadmin privilege 15 secret 5 $1$q7on$cHPb9N257ld8lmU0R4Npd.

### 4. Remove the enable password (Type 7) ###
no enable password

### 5. Add an enable secret (Type 5) ###
enable secret 5 $1$xCj8$5oqZn6GKMlTn4lOhOAVio.

Monday, August 31, 2015

Cisco: use secret 5 (MD5) password hashing

config term

no enable password

enable secret 5 $1$wF.a$fqKnnKbCWmevxYzmtpnLu1

### Remove the Cisco Type 7 encrypted password ###
no username tcbnetadmin privilege 15 password

### Add Cisco type 5 MD5 encryption password ###
username tcbnetadmin privilege 15 secret 5 $1$WGXm$iQYYb7vxgUt2.hYqDLm7q.


### Obfuscate any remaining cleartext (Type 0) passwords in the config (they are stored as Type 7) ###
service password-encryption
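An added example (not code from the original posts): a small Python auditor that applies the rule from the two posts above, flagging Type 7 and cleartext credentials and any remaining `enable password`, accepting `secret 5` md5crypt strings, and checking that `service password-encryption` is set. The config fragment, Type 7 strings and `$1$` hash inside it are constructed placeholders.

```python
import re

# Constructed sample IOS running-config fragment for the audit below.
# The Type 7 strings and the $1$ hash are made-up placeholders, not real
# credentials from any device.
SAMPLE_CONFIG = """\
enable password 7 0822455D0A16
username tcbnetadmin privilege 15 password 7 104D000A0618
username netops privilege 15 secret 5 $1$abcd$ABCDEFGHIJKLMNOPQRSTUV
line vty 0 4
 password 7 06070E344D
 transport input ssh
"""

# Type 5 is md5crypt: "$1$", a salt of up to 8 chars, "$", then 22 hash chars.
MD5CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
# "password|secret", an optional encryption-type digit, then the stored value.
CRED = re.compile(r"\b(password|secret)\s+(?:(\d)\s+)?(\S+)\s*$")


def audit_config(text):
    """Return (line_no, severity, message) for every weak credential setting."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = CRED.search(line)
        if not m:
            continue
        kind, ptype, value = m.groups()
        if kind == "password" and ptype == "7":
            findings.append((no, "HIGH",
                "Type 7 is reversible; replace with 'secret 5' (md5crypt)"))
        elif kind == "password" and ptype in (None, "0"):
            findings.append((no, "HIGH",
                "cleartext (Type 0) password; use 'secret' instead"))
        elif kind == "secret" and ptype == "5" and not MD5CRYPT.match(value):
            findings.append((no, "MEDIUM", "malformed Type 5 hash"))
        if line.lstrip().startswith("enable password"):
            findings.append((no, "HIGH",
                "'enable password' still set; run 'no enable password' "
                "and keep only 'enable secret'"))
    if "service password-encryption" not in text:
        findings.append((0, "LOW",
            "'service password-encryption' missing; Type 0 strings stay "
            "cleartext in the stored config"))
    return findings


if __name__ == "__main__":
    for no, sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {no}: {sev}: {msg}")
```

Feed it the output of `show running-config`; newer IOS releases also offer Type 8 (PBKDF2) and Type 9 (scrypt) secrets, which this check treats the same way as a well-formed Type 5.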




Thursday, July 30, 2015

Cisco 2811 IOS upgrade: ipbase-mz.124-24.T6.bin to advsecurityk9-mz.151-4.M10.bin (supports IP SLA)



# Define the FTP server username and password

config term
ip ftp username anonymous
ip ftp password tcbank
exit

# Delete the old IOS image c2800nm-ipbase-mz.124-15.T9.bin
del /force /recursive flash:c2800nm-ipbase-mz.124-15.T9.bin

# Delete the old IOS image c2800nm-ipbase-mz.124-24.T6.bin
del /force /recursive flash:c2800nm-ipbase-mz.124-24.T6.bin

# Transfer the new IOS image to flash over FTP
copy ftp://172.17.200.1/CiscoIOS/c2800nm-advsecurityk9-mz.151-4.M10.bin flash:

# Verify IOS file
verify /md5 flash:/c2800nm-advsecurityk9-mz.151-4.M10.bin 5f49dcc31ad30fb41b1deb4977cd34f0

# Set the router to boot from c2800nm-advsecurityk9-mz.151-4.M10.bin
config term
# Delete old boot config
no boot system flash c2800nm-ipbase-mz.124-24.T6.bin
# Add New boot config
boot system flash c2800nm-advsecurityk9-mz.151-4.M10.bin
exit
write


# After the reboot succeeds

# Verify IOS file MD5
c2800nm-advsecurityk9-mz.151-4.M10.bin ==> 5f49dcc31ad30fb41b1deb4977cd34f0

Thursday, July 2, 2015

Login credentials for Chunghwa Telecom's ZyXEL modem


The other day I was helping family install an IP cam and spent ages not knowing the login credentials for the Chunghwa Telecom ATU-R VDSL ZyXEL / D-Link modem. I found the details on Google and am posting them here for my own reference and for anyone who needs them:

Modem login interface IP: http://192.168.1.1, default username/password: user/user

VDSL login username/password
North region: cht / chtnvdsl
Central region: cht / chtcvdsl
South region: cht / chtsvdsl

ATU-R login username/password
North region: cht / chtnadsl
Central region: cht / chtcadsl
South region: cht / chtsadsl

Tuesday, April 14, 2015

Branch Cisco Router Policy-Based Routing(PBR)

Cisco Router 2811



config term

### Add access lists OA-Out-PBR and acl-RouteToDomain ###
ip access-list extended OA-Out-PBR
 permit ip 172.16.0.0 0.0.255.255 any
 permit ip 172.17.0.0 0.0.255.255 any

ip access-list extended acl-RouteToDomain
 permit ip any host 192.168.1.23
 permit ip any host 192.168.1.24
 permit ip any host 192.168.90.23
 permit ip any host 192.168.90.24

### Add IP SLA monitor FTTB-Lease (remove any old track and SLA entry first) ###
no track 1
no ip sla 10

ip sla 10
 icmp-echo 10.100.xxx.1 source-interface FastEthernet0/0
 frequency 5
exit

ip sla schedule 10 life forever start-time now

track 1 ip sla 10 reachability
exit

### Add route-map FC: sequence 9 sends domain traffic via 10.100.xxx.1 only while track 1 is up, otherwise via 10.70.xxx.2 ###
route-map FC permit 9
 match ip address acl-RouteToDomain
 set ip next-hop verify-availability 10.100.xxx.1 1 track 1
 set ip next-hop 10.70.xxx.2
!
route-map FC permit 10
 match ip address OA-Out-PBR
 set ip next-hop 10.200.xxx.1
!

### Apply the policy to the inside interface BVI1 ###
interface BVI1
 ip policy route-map FC

Thursday, February 5, 2015

Cisco 1841 Router Stock QoS


1. Access list matching the hosts to be policed (entries 10-12: antivirus, 20-22: file server)
ip access-list extended acl_BranchQos
 10 permit ip host 192.168.1.50 any
 11 permit ip host 192.168.1.52 any
 12 permit ip host 192.168.91.50 any
 20 permit ip host 192.168.1.166 any
 21 permit ip host 192.168.91.166 any
 22 permit ip host 172.16.127.166 any
 remark "(10-Antivirus),(20-FileServer)"

2. Class map that references the access list
class-map match-all classmap_BranchQos
 match access-group name acl_BranchQos

3. Policy map that polices the class to 256 kbit/s and drops the excess
policy-map policymap_BranchQos
 class classmap_BranchQos
  police cir 256000
   conform-action transmit
   exceed-action drop
   violate-action drop

4. Apply the policy inbound on the serial interface
interface serial0/1/0
 service-policy input policymap_BranchQos