Cisco Firewall Basic Configuration
Lesson 3: Getting Started with Cisco Security Appliances
© 2023 Cisco Systems, Inc. All rights reserved. SNPA v4.0

User Interface

Firewall access modes
The Cisco firewall has four administrative access modes, each with its own prompt:
    Unprivileged     firewall>
    Privileged       firewall#
    Configuration    firewall(config)#
    Monitor          monitor>

Access privileged mode: enable command
    enable [priv_level]                                     firewall>
Used to control access to the privileged mode; from privileged mode you can reach the other modes.
    pixfirewall> enable
    password:
    pixfirewall#

Access configuration mode: configure terminal command
    configure terminal                                      firewall#
Used to start configuration mode to enter configuration commands from a terminal.
    pixfirewall> enable
    password:
    pixfirewall# configure terminal
    pixfirewall(config)#

exit command
    exit                                                    firewall#
Used to exit from an access mode.
    pixfirewall(config)# exit
    pixfirewall# exit
    pixfirewall>

help command
    pixfirewall> help ?
    enable   Turn on privileged commands
    exit     Exit the current command mode
    login    Log in as a particular user
    logout   Exit from current command mode, and to unprivileged mode
    quit     Exit the current command mode
    pixfirewall> help enable
    USAGE: enable [<priv_level>]
    DESCRIPTION: enable   Turn on privileged commands

File Management

Viewing and saving your configuration
The following commands enable you to view or save your configuration:
    copy run start
    show running-config
    show startup-config
    write memory
    write terminal
To save configuration changes: copy run start (copies the running-config to the startup-config, which is saved).

Clearing the running configuration
    clear configure all                                     firewall(config)#
Clears the running configuration (it returns to the default).
    fw1(config)# clear config all

Clearing the startup configuration
    write erase                                             firewall#
Clears the startup configuration (it returns to the default).
    fw1# write erase

Reloading the configuration: reload command
Reboots the security appliance and reloads the configuration. Reboots can be scheduled.
    reload [noconfirm] [cancel] [quick] [save-config] [max-hold-time [hh:]mm] [{in [hh:]mm | at hh:mm [{month day} | {day month}]}] [reason text]
    fw1# reload
    Proceed with reload? [confirm] y
    Rebooting...

File system
Release 6 and earlier holds: software image, configuration file, private data file, PDM image, crash information.
Release 7 and later holds: software image, configuration file, private data, PDM image, backup image*, backup configuration file*, virtual firewall configuration file**, space available.

Displaying stored files: system and configuration
Display the directory contents. The PIX Firewall uses flash:; the ASA uses disk0: and disk1:.
    dir [/recursive] [[{disk0: | disk1: | flash:}][<path>]]
    firewall# dir
    Directory of flash:/
    3   -rw-  4902912   13:37:33 Jul 27 2023   pix-701.bin
    4   -rw-  6748932   13:21:13 Jul 28 2023   asdm-501.bin
    16128000 bytes total (4472832 bytes free)

Selecting the boot system file
The appliance can store more than one system image and configuration file; boot designates which system image and startup configuration file to boot.
    boot {system | config} <url>                            firewall(config)#
    fw1(config)# boot system flash:/pix-701.bin

Verifying the startup system image
Display the system boot image:
    show bootvar
    fw1# show bootvar
    BOOT variable = flash:/pix-701.bin
    Current BOOT variable = flash:/pix-701.bin
    CONFIG_FILE variable =
    Current CONFIG_FILE variable =
The boot image flash:/pix-701.bin is both the configured and the running image.

Security Appliance Security Levels

Functions of the security appliance: the Security Algorithm
    Implements stateful connection control through the security appliance.
    Allows one-way (outbound) connections with a minimum number of configuration changes. An outbound connection is a connection originating from a host on a more-protected interface and destined for a host on a less-protected network.
    Monitors return packets to ensure that they are valid.
    Randomizes the first TCP sequence number to minimize the risk of attack.

Security level example
    Outside network   Ethernet0 (e0)   security level 0     interface name = outside
    DMZ network       Ethernet2 (e2)   security level 50    interface name = DMZ
    Inside network    Ethernet1 (e1)   security level 100   interface name = inside

Basic Security Appliance Configuration

Assigning a hostname to the security appliance: changing the CLI prompt
    hostname newname                                        pixfirewall(config)#
Changes the hostname in the PIX Firewall CLI prompt (the example topology has servers in Boston, New_York and Dallas).
    pixfirewall(config)# hostname Boston
    Boston(config)#

Basic CLI commands for security appliances
    hostname, interface, nameif, ip address, security-level, speed, duplex, no shutdown, nat-control, nat, global, route

interface command and subcommands
    interface hardware_id                                   firewall(config)#
Specifies a perimeter interface and its slot location on the firewall (Ethernet0 = e0, Ethernet1 = e1, Ethernet2 = e2).
    fw1(config)# interface ethernet0        (on the ASA: GigabitEthernet0/0)
    fw1(config-if)#

Assign an interface name: nameif subcommand
    nameif hardware_id if_name                              firewall(config-if)#
Assigns a name to each perimeter interface on the PIX Firewall security appliance.
    fw1(config)# interface ethernet0
    fw1(config-if)# nameif outside
    Ethernet0 interface name = outside; Ethernet2 interface name = dmz; Ethernet1 interface name = inside

Assign an interface IP address: ip address subcommand
    ip address ip_address [netmask]                         firewall(config-if)#
Assigns an IP address to each interface.
    fw1(config)# interface ethernet0
    fw1(config-if)# nameif outside

DHCP-assigned address
    ip address if_name dhcp [setroute] [retry retry_cnt]    firewall(config-if)#
Enables the DHCP client feature on the outside interface.
    fw1(config)# interface ethernet0
    fw1(config-if)# nameif outside
    fw1(config-if)# ip address dhcp
    Ethernet0 interface name = outside, IP address = DHCP

Assign a security level: security-level subcommand
    security-level number                                   firewall(config-if)#
Assigns a security level to the interface.
    fw1(config)# interface ethernet0
    fw1(config-if)# nameif outside
    fw1(config-if)# security-level 0
    Ethernet0 interface name = outside, security level = 0

Assign an interface speed and duplex: speed and duplex subcommands
    speed [hardware_speed]                                  firewall(config-if)#
    duplex [duplex_operation]                               firewall(config-if)#
Enables an interface speed and duplex.
    fw1(config)# interface ethernet0
    fw1(config-if)# nameif outside
    fw1(config-if)# security-level 0
    fw1(config-if)# speed 100
    fw1(config-if)# duplex full
    Ethernet0 speed = 100, duplex = full

ASA management interface
    management-only                                         firewall(config-if)#
    no management-only                                      firewall(config-if)#
To set an interface to accept management traffic only:
    fw1(config)# interface management0/0
    fw1(config-if)# nameif outside
    fw1(config-if)# security-level 0

Network Address Translation
An inside local address is mapped through the translation table to an address from the outside mapped pool (the diagram shows local address 192.168.10.11 being translated on its way to the Internet).

Enable NAT control
    nat-control                                             firewall(config)#
Enables or disables the NAT configuration requirement.
    fw1(config)# nat-control

nat command
    nat [(if_name)] nat_id address [netmask] [dns] [[tcp] tcp_max_conns [emb_limit] [norandomseq]] [udp udp_max_conns]     firewall(config)#
Enables IP address translation.
    fw1(config)# nat (inside) 1 0 0

global command
    global [(if_name)] nat_id {mapped_ip[-mapped_ip] [netmask mapped_mask]} | interface     firewall(config)#
Works with the nat command: the shared nat_id ties the inside hosts to the mapped pool.
    fw1(config)# nat (inside) 1
    fw1(config)# global (outside) 1

Configure a static route: route command
    route if_name ip_address netmask gateway_ip [metric]    firewall(config)#
Defines a static or default route for an interface.
    fw1(config)# route outside 1          (default route)
    fw1(config)# route inside 021         (static route)

Host name-to-IP-address mapping: name command
    name ip_address name                                    firewall(config)#
Configures a list of name-to-IP-address mappings on the security appliance.
    fw1(config)# names
    fw1(config)# name bastionhost
    fw1(config)# name 1 insidehost

Configuration example
    write terminal
    interface ethernet0
      nameif outside
      security-level 0
      speed 100
      duplex full
    interface ethernet1
      nameif inside
      security-level 100
      speed 100
      duplex full
    interface ethernet2
      nameif dmz
      security-level 50
      speed 100
      duplex full
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname fw1
    names
    name bastionhost
    name 1 insidehost
    nat-control
    nat (inside) 1 0 0
    route outside 1
    route inside 021
Ethernet0 interface name = outside, security level 0; Ethernet1 interface name = inside, security level 100; Ethernet2 interface name = dmz, security level 50. The mapped pool for outbound translation and the default and static routes point toward the Internet.

Examining Security Appliance Status

show interface command (ASA)
    fw1# show interface
    Interface GigabitEthernet0/0 "outside", is up, line protocol is up
      Detected: Speed 100 Mbps, Full-duplex
      Requested: Auto
      MAC address 000b.fcf8.c538, MTU 1500
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 packets output, 0 bytes, 0 underruns
      input queue (curr/max blocks): hardware (0/0) software (0/0)
      output queue (curr/max blocks): hardware (0/0) software (0/0)
      Received 0 VLAN untagged packets, 0 bytes
      Transmitted 0 VLAN untagged packets, 0 bytes
      Dropped 0 VLAN untagged packets

show run interface command
    fw1# show run interface
    !
    interface Ethernet0
     speed 100
     duplex full
     nameif outside
     security-level 0
    !
    interface Ethernet1
     speed 100
     duplex full
     nameif inside
     security-level 100

show memory command: displays system memory usage information
    fw1# show memory
    Free memory:   49046552 bytes
    Used memory:   18062312 bytes
    -----------------------------
    Total memory:  67108864 bytes

show cpu usage command: displays CPU use
    fw1# show cpu usage
    CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

show version command
Displays the security appliance's software version, operating time since its last reboot, processor type, Flash memory type, interface boards, serial number (BIOS identification), and activation key value.
    firewall# show version
    Cisco PIX Security Appliance Software Version 7.0(1)
    Compiled on Thu 31-Mar-05 14:37 by builders
    System image file is "flash:/pix-701.bin"
    Config file at boot was "startup-config"
    pixfirewall up 12 mins 24 secs
    Hardware: PIX-515, 128 MB RAM, CPU Pentium 200 MHz
    Flash i28F640J5 @ 0x300, 16MB
    ...

show ip address command
    fw1# show ip address
    System IP Addresses:
    Interface   Name   IP address   Subnet mask
    CONFIG
    CONFIG
    CONFIG
    Current IP Addresses:
    Interface   Name   IP address   Subnet mask
    CONFIG
    CONFIG
    CONFIG

show interface command (PIX)
    fw1# show interface
    interface ethernet0 "outside" is up, line protocol is up
      MTU 1500 bytes, BW 100000 Kbit full duplex
      4 packets input, 282 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      20 packets output, 1242 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      input queue (curr/max blocks): hardware (128/128) software (0
      output queue (curr/max blocks): hardware (0/1) software (0/1)

show nameif command
    fw1# show nameif
    Interface   Name      Security
    Ethernet0   outside   0
    Ethernet1   inside    100
    Ethernet2   dmz       50

show run nat command: displays a single host or range of hosts to be translated
    fw1# show run nat
    nat (inside) 1 0 0

show run global command: displays the pool of mapped addresses
    fw1# show run global

show xlate command: displays the contents of the translation slots (inside local address to outside mapped pool address)
    fw1# show xlate
    1 in use, 1 most used

ping command: determines whether other IP addresses are visible from the security appliance
    ping host                                               firewall#
    Sending 5, 100-byte ICMP Echos to 1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

show route command
    fw1(config)# sh route
    S    [1/0] via , outside
    C    is directly connected, inside
    C*   is directly connected, cplane
    C    is directly connected, dmz
    C    is directly connected, outside
    * ASA 55X0 only: this entry works only with the ASA 5500 Series Adaptive Security Appliances.

Setting Time and Using NTP Support

clock command: sets the security appliance clock
    clock set hh:mm:ss {day month | month day} year         firewall#
    fw1# clock set 21:0:0 jul 23 2023
    (the clock then reads Wed 23-Jul-03 21:00)

Setting daylight saving time and time zones
    clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]     firewall(config)#
    clock timezone zone hours [minutes]                     firewall(config)#
clock timezone sets the clock display to the time zone specified; clock summer-time displays summertime hours during the specified summertime date range. The following example specifies that summertime starts on the first Sunday in April at 2 a.m. and ends on the last Sunday in October at 2 a.m.:
    fw1(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00

ntp command: synchronizes the security appliance with an NTP server
    ntp server ip_address [key number] source if_name [prefer]     firewall(config)#
    fw1(config)# ntp authentication-key 1234 md5 cisco123
    fw1(config)# ntp trusted-key 1234
    fw1(config)# ntp server 2 key 1234 source inside prefer
    fw1(config)# ntp authenticate

Syslog Configuration

Configure syslog output to a syslog server (network logging)
The security appliance sends its syslog messages across the network to a syslog server.

Logging options
    Console    output to the console
    Buffered   output to the internal buffer
    Monitor    output to Telnet sessions
    Host       output to a syslog server
    SNMP       output to an SNMP server

Logging levels
    0   Emergencies
    1   Alerts
    2   Critical
    3   Errors
    4   Warnings
    5   Notifications
    6   Informational
    7   Debugging

Configure message output to a syslog server
    1. Designate the syslog host server.
    2. Set the logging level.
    3. Enable the logging timestamp on syslog messages.
    4. Specify the logging device identifier.
    5. Enable logging.
    fw1(config)# logging trap warnings
    fw1(config)# logging timestamp
    fw1(config)# logging device-id pix6
    fw1(config)# logging on

Syslog output example
Each message carries a message identifier, the logging device identifier, the logging date and time stamp, the logging device IP address and the logging level.

Customize syslog output
    logging message syslog_id level level                   firewall(config)#
    fw1(config)# logging trap warnings
    fw1(config)# logging message 302023 level 4
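The security-level rule from the Security Algorithm slide (outbound = higher to lower security, return packets checked against existing connections) and the nat/global translation table can be modelled in a few lines. The following Python is an added example written for this page, not Cisco code: it assumes the three-interface topology of the security level example (outside 0, dmz 50, inside 100), a constructed mapped pool standing in for global (outside) 1, and constructed host addresses. A packet moving from a higher to a lower security level is translated and its connection recorded; a packet arriving on a lower-security interface is permitted only when it is the return of a recorded connection; nat-control decides what happens to traffic that has no nat/global pair.

```python
from dataclasses import dataclass, field

# Constructed topology, matching the slide's security-level example
INTERFACES = {"outside": 0, "dmz": 50, "inside": 100}

# nat (inside) 1 0 0          -> every inside host is covered by nat_id 1
NAT_RULES = {"inside": 1}
# global (outside) 1 <pool>   -> constructed mapped pool for nat_id 1 on outside
GLOBAL_POOLS = {("outside", 1): ["192.168.1.10", "192.168.1.11"]}


@dataclass
class Appliance:
    """Minimal model of the Security Algorithm's default policy (added example)."""
    nat_control: bool = True                      # the nat-control command
    xlate: dict = field(default_factory=dict)     # (local_if, local_ip) -> mapped_ip
    conns: set = field(default_factory=set)       # (mapped_src, sport, dst, dport)
    _next: dict = field(default_factory=dict)     # pool cursor per (if_name, nat_id)

    def is_outbound(self, src_if, dst_if):
        """Outbound = from a more-protected to a less-protected interface."""
        return INTERFACES[src_if] > INTERFACES[dst_if]

    def translate(self, src_if, src_ip, dst_if):
        """Allocate (or reuse) a translation slot; None means 'no translation'."""
        key = (src_if, src_ip)
        if key in self.xlate:
            return self.xlate[key]
        nat_id = NAT_RULES.get(src_if)
        pool = GLOBAL_POOLS.get((dst_if, nat_id))
        if pool is None:
            # With nat-control, traffic that has no nat/global pair is dropped;
            # without it the packet passes untranslated.
            return None if self.nat_control else src_ip
        cursor = self._next.get((dst_if, nat_id), 0)
        if cursor >= len(pool):
            return None                           # mapped pool exhausted
        self._next[(dst_if, nat_id)] = cursor + 1
        self.xlate[key] = pool[cursor]
        return pool[cursor]

    def packet(self, src_if, src_ip, sport, dst_if, dst_ip, dport):
        """Return ('permit' | 'deny', reason) for one packet."""
        if self.is_outbound(src_if, dst_if):
            mapped = self.translate(src_if, src_ip, dst_if)
            if mapped is None:
                return "deny", "no translation available (nat-control)"
            self.conns.add((mapped, sport, dst_ip, dport))
            return "permit", f"outbound, {src_ip} translated to {mapped}"
        # Lower-to-higher (or equal) security: only valid return traffic passes.
        if (dst_ip, dport, src_ip, sport) in self.conns:
            return "permit", "return traffic for an existing connection"
        return "deny", "no matching connection"

    def show_xlate(self):
        """Lines in the spirit of 'show xlate'."""
        return [f"Global {m} Local {l}" for (_, l), m in self.xlate.items()]


if __name__ == "__main__":
    fw = Appliance()
    print(fw.packet("inside", "10.0.1.11", 40000, "outside", "203.0.113.5", 80))
    print(fw.packet("outside", "203.0.113.5", 80, "inside", "192.168.1.10", 40000))
    print(fw.packet("outside", "203.0.113.9", 1234, "inside", "192.168.1.10", 22))
    print(fw.show_xlate())
```

Running the block shows the three cases a practitioner cares about: the inside host's first outbound packet consumes a pool address and creates a connection entry, the server's reply to the mapped address is let back in, and an unsolicited outside packet to the same mapped address is dropped because no connection matches it.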
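The syslog slides describe the message format produced by logging timestamp and logging device-id, the eight severity levels behind logging trap, and the logging message syslog_id level command that reassigns one message's severity. The Python below is an added example for this page, not Cisco code: it parses lines in that format and reproduces the appliance's decision about which messages reach the syslog host. The four sample lines are constructed (the device identifier pix6 and message ID 302023 come from the slides; the other IDs, the addresses and the message texts are illustrative), and the override table models logging message 302023 level 4.

```python
import re
from dataclasses import dataclass

# Severity names exactly as the 'logging trap' keyword takes them
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# <timestamp> <device-id> : %PIX-<level>-<id>: <text>
# (what 'logging timestamp' and 'logging device-id' add in front of the message)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<dev>\S+) : "
    r"%(?P<fac>PIX|ASA)-(?P<level>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")

# Constructed sample lines; only the format and the severity digit matter here.
SAMPLE_LINES = [
    "Jul 23 2023 21:00:05 pix6 : %PIX-6-302013: Built outbound TCP connection 1 "
    "for outside:203.0.113.5/80 to inside:10.0.1.11/40000",
    "Jul 23 2023 21:00:07 pix6 : %PIX-6-302023: Teardown stub TCP connection "
    "for inside:10.0.1.11/40000 to outside:203.0.113.5/80",
    "Jul 23 2023 21:00:09 pix6 : %PIX-4-106023: Deny tcp src outside:203.0.113.9/1234 "
    "dst inside:192.168.1.10/22",
    "Jul 23 2023 21:00:11 pix6 : %PIX-5-111008: User 'enable_15' executed the "
    "'logging on' command.",
]


@dataclass
class SyslogMessage:
    timestamp: str
    device_id: str
    level: int
    msg_id: str
    text: str


def parse(line):
    """Parse one appliance syslog line; None when the line is not in that format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return SyslogMessage(m["ts"], m["dev"], int(m["level"]), m["id"], m["text"])


def effective_level(msg, overrides):
    """'logging message <id> level <n>' reassigns the severity of one message ID."""
    return overrides.get(msg.msg_id, msg.level)


def trap_filter(lines, trap="warnings", overrides=None):
    """Messages the appliance would send to the syslog host under 'logging trap <trap>'.

    A message is sent when its (possibly overridden) severity is numerically
    less than or equal to the trap level: 'warnings' passes levels 0 through 4.
    """
    overrides = overrides or {}
    sent = []
    for line in lines:
        msg = parse(line)
        if msg is None:
            continue                      # not an appliance message, skip it
        if effective_level(msg, overrides) <= LEVELS[trap]:
            sent.append(msg)
    return sent


if __name__ == "__main__":
    for msg in trap_filter(SAMPLE_LINES, "warnings", {"302023": 4}):
        print(msg.timestamp, msg.device_id, msg.msg_id, msg.level, msg.text)
```

With logging trap warnings alone only the level-4 deny message is sent; adding the override for 302023 lets that connection-teardown message through as well, which is exactly the effect the customize slide is after (on the appliance itself the emitted line would then show the new severity digit, while this model applies the override to the default severity carried in the captured line).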
