Chapter 5 Protecting the Network Infrastructure Using CCP


Upload: dhananjayagamage

Post on 03-Jun-2018


8/12/2019 Chapter 5 Protecting the Network Infrastrucyure Using Ccp

http://slidepdf.com/reader/full/chapter-5-protecting-the-network-infrastrucyure-using-ccp 1/14

Chapter 5 Cisco Configuration Professional

Cisco Configuration Professional (CCP) is a Windows-based GUI application that is used to easily and reliably deploy, manage, and monitor Cisco Integrated Services Router (ISR) and ISR-G2 routers without requiring knowledge of the Cisco IOS command-line interface (CLI).

Advantages of CCP include the following:

There are two versions of CCP:

Cisco Configuration Professional Express

You can use Cisco CP Express for the initial router deployment. Routers shipped with CCP have CCP Express embedded in flash memory and a factory default router configuration.

NOTE: For example, on a Cisco 1841 router, the CCP Express filename in flash is cpexpress.tar, and the default factory router configuration is cpconfig-18xx.cfg.

The factory default preconfigures the following settings:


CAUTION: The default username and password can be used only once. Another privilege level 15 local database entry must be configured; otherwise, you will be locked out once you log out.

Connecting to Cisco CP Express Using the GUI

Follow these steps to connect to Cisco CP Express on a router with default factory settings.

NOTE: The default factory configuration enables the router Fast Ethernet 0/0 (or Gigabit Ethernet 0/0) interface with IP address 10.10.10.1/29. Smaller Cisco routers (Cisco 815–1812) are Dynamic Host Configuration Protocol (DHCP) clients and attempt to obtain IP addressing automatically from an upstream device.

1. Connect the PC to the Fast Ethernet 0/0 (or Gigabit Ethernet 0/0) interface.
2. Configure the PC IP address 10.10.10.2/29 on the host.
3. Open a browser window and enter the IP address 10.10.10.1 to connect to the router and start CCP Express.
4. When prompted for authentication, use the username cisco and password cisco.

Next, the Cisco CP Express Startup Wizard guides you through the remaining configuration (see Figure 5-1).


Figure 5-2 Cisco CP Express Startup Wizard Basic Configuration

After you configure the mandatory settings and click Next, the Startup Wizard guides you through the following:


Figure 5-3 shows an example of a main screen of Cisco CP Express after the router has been configured and reloaded.


Figure 5-3 Cisco Configuration Professional Express

NOTE: You should use CCP Express only if you have minimal security, simple routing needs, and no requirement for voice support.

NOTE: CCP Express is fairly intuitive and therefore is not explored any further here.

Cisco Configuration Professional

The preferred way to configure an ISR using a GUI is with the Windows-based CCP application. CCP is installed locally on a PC and provides rich configuration capabilities to configure security features for data and voice.

NOTE: Only CCP configuration options are explored throughout the remainder of this portable command guide.

Configuring an ISR for CCP Support

A router must be configured to support a CCP connection. An ISR with default factory settings is configured to do so.

If an ISR no longer has the factory default configuration, you must initially configure the following to support a CCP session:

Installing CCP on a Windows PC

You can download CCP for free from Cisco.com. Once downloaded, unzip the file and run the .exe file. The installation consists of accepting a license agreement and selecting the installation folder.

The host PC requires the following minimal settings:

Internet Explorer 6.0 or later
Java Runtime Environment Version 1.6.0_11 or later
Adobe Flash Player Version 10 or later, with Debug set to No
Memory 1GB DRAM, 2GB recommended
Screen resolution 1024 x 768

NOTE: When the installation is complete, you have the option to run CCP for the first time. To successfully connect to an ISR using CCP, your router must have a supporting configuration.

Connecting to an ISR Using CCP

Follow these steps to connect to an ISR from a Windows host using CCP. The following assumes that the router still has the default factory configuration.

NOTE: The default factory configuration enables the router Fast Ethernet 0/0 (or Gigabit Ethernet 0/0) interface with IP address 10.10.10.1/29. Smaller Cisco routers (Cisco 815–1812) are DHCP clients and attempt to obtain IP addressing automatically from an upstream device.

1. Connect the PC to the Fast Ethernet 0/0 (or Gigabit Ethernet 0/0) interface.
2. Configure the PC IP address 10.10.10.2/29 on the host.
3. Launch the preinstalled CCP application by choosing the Windows Start > All Programs > Cisco Configuration Professional > Cisco Configuration Professional. Otherwise, double-click the Cisco Configuration Professional icon on your desktop.
4. In the Manage Community dialog box, enter the IP address or hostname and the username and password information for the devices that you want to configure. In the Select / Manage Community window, enter the router IP address 10.10.10.1, username cisco, and password cisco. Check the Connect Securely box if the image supports crypto.

NOTE: If you enter the default username cisco and default password cisco, the Change Default Credentials dialog box opens. For security reasons, you must change the default credentials to new credentials.

CAUTION: If you do not change the default username and password, you cannot log back in to the router after you log out.

5. Click OK to continue. The Change Default Credentials window appears and you must enter a new local database entry.
6. Click OK to continue. The Community View page appears (see Figure 5-4).
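An offline check for the leftover factory-default access settings described in the notes and cautions above (default user cisco, the need for another privilege level 15 entry, the 10.10.10.1/29 address), as an added example that is not part of the original guide or of CCP. The sample running-config is constructed, the function names are hypothetical, and the plain-HTTP check is an added assumption tied to the Connect Securely option.

```python
import re

# Constructed sample of a saved running-config (assumption, not from a real device).
SAMPLE_CONFIG = """\
username cisco privilege 15 secret 0 cisco
ip http server
ip http authentication local
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.248
line vty 0 4
 login local
"""

USER_RE = re.compile(r"^username\s+(\S+)(.*)$", re.M)
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)")


def local_users(config):
    """Return {username: highest privilege level}; IOS uses level 1 when unset."""
    users = {}
    for name, rest in USER_RE.findall(config):
        m = PRIV_RE.search(rest)
        level = int(m.group(1)) if m else 1
        users[name] = max(level, users.get(name, 0))
    return users


def audit_factory_defaults(config):
    """Return findings about leftover factory-default access settings."""
    findings = []
    users = local_users(config)
    if "cisco" in users:
        findings.append("default-user: local user 'cisco' is still configured")
    # The CAUTION above: another privilege level 15 entry is needed to avoid lockout.
    if not any(lvl == 15 for name, lvl in users.items() if name != "cisco"):
        findings.append("lockout-risk: no privilege 15 user other than 'cisco'")
    if re.search(r"^\s*ip address 10\.10\.10\.1 255\.255\.255\.248\s*$", config, re.M):
        findings.append("default-address: interface still uses 10.10.10.1/29")
    # Assumption: HTTP enabled with no HTTPS means CCP cannot connect securely.
    has_http = re.search(r"^ip http server\s*$", config, re.M)
    has_https = re.search(r"^ip http secure-server\s*$", config, re.M)
    if has_http and not has_https:
        findings.append("plain-http: HTTP management enabled without HTTPS")
    return findings


if __name__ == "__main__":
    for finding in audit_factory_defaults(SAMPLE_CONFIG):
        print(finding)
```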


Figure 5-4 Community View Screen

On the Community View page, you have the following options:

CCP Features and User Interface

CCP provides a single GUI to configure and easily manage the networking features of up to 10 ISRs per community. Figure 5-5 shows the CCP GUI layout.


The CCP main screen contains the following components:


Application Menu Options

The Application menu options include the following:

Toolbar Menu Options

The toolbar provides the following options:

Toolbar Configure Options

Click Configure on the toolbar to display the following options:


Toolbar Monitor Options

Click Monitor on the toolbar to display the following options:

Using CCP to Configure IOS Device-Hardening Features

CCP Security Audit

Use the Security Audit Wizard to test a router configuration to determine whether any potential security problems exist in the configuration. The wizard also displays a screen that lets you determine which of those security problems you want to fix. Once determined, the Security Audit Wizard makes the necessary changes to the router configuration to fix those problems.

To perform the security audit, follow these steps:

1. On the toolbar, navigate to Configure > Security > Security Audit (see Figure 5-6).

Figure 5-6 Security Audit Screen

2. Click Perform Security Audit. The Welcome page of the Security Audit Wizard opens.
3. Click Next. The Security Audit Interface Configuration page appears.
4. Select the inside (trusted) and outside (untrusted) interfaces and click Next.
5. The Security Audit Wizard tests the router configuration against Cisco recommended best practices to determine whether possible security problems exist. A report screen appears and lists the test results. If you want to save this report to a file, click Save Report. Otherwise, click Close.
6. The Security Audit Wizard now lists each security problem identified and provides the option to fix it. As well, each problem is hyperlinked to an explanation. Select which problems to fix and click Next.
7. The Summary screen now displays which services will be altered. Click Finish.
8. Finally, the Deliver Configuration to Device window lists the commands that will be sent to the router. Click Deliver to apply the changes.

CCP One-Step Lockdown

The One-Step Lockdown option tests your router configuration against Cisco recommended best practices to determine whether possible security problems exist, and it automatically makes necessary configuration changes to correct problems it finds. Changes are made automatically and without prompting the user to select components to fix.

Navigate to Configure > Security > Security Audit > One-Step Lockdown.


Using the Cisco IOS AutoSecure CLI Feature

AutoSecure is a Cisco IOS CLI feature that, like CCP, lets you more easily configure security features on your router so that your network is better protected. CCP implements almost all the configurations that AutoSecure provides.

The following AutoSecure features are not implemented in this version of CCP One-Step Lockdown:

Configuring AutoSecure via the CLI

To configure AutoSecure via the CLI, follow these steps:

1. In privileged EXEC mode, enter auto secure. A banner explaining what AutoSecure does appears.
2. Answer if the device is connected to the Internet.
3. Answer how many interfaces are facing the Internet.
4. Identify which interface is facing the Internet.
5. Enter a security banner.
6. Enter the privileged EXEC password.
7. Enter the enhanced login features.
8. Answer if SSH should be configured.
9. Configure the context-based access control (CBAC) firewall feature.
10. Apply the configuration to the running configuration.