Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How to read syntax of a cisco IOS .config file?

I am new to auditing cisco device (firewall,router, switch) configurations.  I need to validate if the device settings comply with my company's Information Security hardening guidelines (NIST, CIS, DISA).  I requested .config files from selected firewalls, routers, and switches.  Is there something (an example) that translates the syntax in the .config files to compare to hardening guidelines, such as,  "RSA Key Pair must be 2048 bits", or "SSH Access Control is enabled"?

Some of the syntax is intuitative such as trying to validate that "SSH must be version 2" which can be matched with the string "ssh version 2" in the .config file.

Here is a cleaned snippet of a firewall device .config file and where I found the version for SSH.

ASA Version X.X(X)
!
hostname AA-AAA-AA-A
domain-name AAA.org
enable password AAXXXXX7 encrypted
passwd AAXXXXX7 encrypted
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface TYPE0/0
nameif management
security-level 100
ip address 00.00.255.000 255.255.255.0
TYPE-only
!

.
.
.
.
.
.
service resetoutside
telnet timeout 10
ssh 00.00.0.0 255.255.255.0 TRUST-XXXX
ssh 00.00.000.0 255.255.255.0 TRUST-XXX
ssh 00.00.00.0 255.255.255.0 TRUST-XXX
ssh timeout 10
ssh version 2
console timeout 10

 

 

Everyone's tags (1)
2 REPLIES
VIP Gold

Unfortunately, there's no

Unfortunately, there's no magic translator that can convert language used in Cisco's configuration into unknown language used in hardening guidelines used in your's organization.

Note that compliance verification is not only about content of current configuration, but also about the default values not expresses in configuration. They are model/firmware version specific.

Also, there may not be 1:1 mapping between a requirement and a configuration statement.

You need to understand the particular device to be able to analyze their's compliance with particular requirement in full.

 

 

 

New Member

This discussion has been

This discussion has been reposted from Additional Communities to the Other Network Infrastructure Subjects community.

132
Views
0
Helpful
2
Replies