
TRƯỜNG ĐẠI HỌC BÁCH KHOA (UNIVERSITY OF SCIENCE AND TECHNOLOGY)

FACULTY OF INFORMATION TECHNOLOGY

DEPARTMENT OF NETWORKS AND COMMUNICATIONS

COURSE REPORT

NETWORK INFORMATION SECURITY

Topic:
Exploring the functions of the ASA Firewall on GNS3

Students: Nguyễn Văn Hùng
          Nguyễn Phan Đình Phúc
          Đặng Minh Trí

Group: 10B

Supervisor: Dr. Nguyễn Tấn Khôi

Đà Nẵng, 2011

Nguyễn Phan Đình Phúc - Nguyễn Văn Hùng - Đặng Minh Trí

SUPERVISING LECTURER'S COMMENTS

Exploring the functions of the ASA firewall on GNS3

TABLE OF CONTENTS
I. OVERVIEW OF FIREWALLS .......... 8
   A. INTRODUCTION TO FIREWALLS .......... 8
   B. CLASSIFICATION .......... 8
   C. FUNCTIONS OF A FIREWALL .......... 9
   D. LIMITATIONS OF A FIREWALL .......... 10
II. THE CISCO ASA FIREWALL .......... 10
   1. INTRODUCTION .......... 10
   B. BASIC FUNCTIONS .......... 11
      i. Operating modes .......... 11
      ii. File management .......... 12
      iii. Security levels (Security Level) .......... 12
   C. NETWORK ACCESS TRANSLATION (NAT) .......... 14
      a. Concept .......... 14
      ii. NAT techniques .......... 14
      iii. NAT on ASA devices .......... 17
      Example .......... 18
   D. ACCESS CONTROL LISTS (ACL) .......... 18
   E. VPN .......... 21
      a. Introduction .......... 21
      Steps carried out by IPsec devices .......... 22
      ii. Site-to-site VPN .......... 23
      iii. Remote access VPN .......... 23
      iv. AnyConnect VPN .......... 24
      Provides full network connectivity to the remote user. The ASA firewall, acting as a WebVPN server, assigns an IP address to the remote user, who becomes a user of the network. Therefore all IP protocols and applications work through the VPN tunnel without any problem. For example, a remote user, after successfully authenticating to the AnyConnect VPN, can open a connection from the remote computer to a Windows Terminal Server inside the central network. Although a client must be installed on the user's computer, this client can be provided to the user automatically by the ASA. The user can connect with a browser to the ASA firewall and download the Java client on demand. The Java client can either remain installed or be removed from the user's computer on disconnection from the ASA device. This client is small (about 3 MB) and is stored in the ASA's flash memory .......... 24
      Figure 11. Network diagram of an AnyConnect VPN connection .......... 25
      There are two initial installation options for the AnyConnect client .......... 25
      AnyConnect VPN configuration steps .......... 25
   F. ROUTING PROTOCOL .......... 28
      a. Concept .......... 28
      ii. Routing techniques .......... 29
      Static routing .......... 29
      There are three types of static routes .......... 29
      Directly connected route: directly connected routes are created automatically in the ASA routing table when you configure an IP address on a device interface .......... 29
      Normal static route: provides a fixed path to a particular network .......... 29
      Default route: the default route is a statically configured route of the router; when the router receives a packet destined for a network that is not in its routing table, it sends it out via the default route .......... 29
      Figure 12. Network model illustrating static routing .......... 30
   G. LINK REDUNDANCY WITH SLA .......... 31
   H. FAILOVER .......... 31
      a. Introduction .......... 31
      ii. Failover types .......... 32
      iii. Deploying failover .......... 32
III. DEPLOYING ASA FEATURES ON GNS3 .......... 35
   1. DEPLOYMENT MODEL .......... 35
      a. Real-world model .......... 35
      ii. Model on GNS3 .......... 35
   B. CONFIGURATION ON THE ASA .......... 36
      a. Routing .......... 36
      ii. Access Control List .......... 36
      iii. NAT .......... 37
      iv. Link monitoring .......... 37
      v. DHCP .......... 38

I. Overview of firewalls

a. Introduction to firewalls

In computer networking, a firewall is a barrier that individuals, organisations, businesses and government agencies put in place to stop Internet users from reaching unwanted content and/or to stop outside users from reaching confidential information held on the internal network. A firewall is a hardware device and/or a piece of software operating in a networked computer environment to block communications forbidden by the security policy of an individual or organisation, much as fire walls in buildings block the spread of fire. A firewall is also known as a Border Protection Device (BPD), especially in NATO contexts, or as a packet filter in the BSD operating system, a Unix variant from the University of California, Berkeley.

The basic task of a firewall is to control data traffic between two zones of different trust. Typical zones of trust are the Internet (an untrusted zone) and the internal network (a highly trusted zone). The ultimate goal is to provide controlled connectivity between zones of differing trust by applying a security policy and a connectivity model based on the principle of least privilege.

Configuring a firewall correctly requires skill on the part of the system administrator. It demands a substantial understanding of network protocols and of computer security. Small mistakes can turn a firewall into a useless security tool. Building a firewall with features that resist hostile activity requires professional expertise and skill in security.
b. Classification

Firewalls are divided into two kinds: hardware firewalls (external) and software firewalls (internal). Each has its own strengths and weaknesses, so the decision of which kind to use is an important one.

Hardware firewalls:
Typically network firewalls, these are add-on devices placed between a computer or network and the cable or DSL modem. Many vendors and Internet service providers (ISPs) offer router devices that also include firewall features. Hardware firewalls are effective at protecting many computers while still providing a high level of security for a single computer. If you have only one computer behind the firewall, or if you are sure that every other computer on the network has been updated with the free patches for viruses, worms and other malicious code, you do not need the additional protection of a software firewall. Hardware firewalls have the advantage of being separate devices running their own operating system, so they offer resistance to attack. Some hardware firewalls are: ASA, PIX, Fortinet, Juniper...
Characteristics of hardware firewalls:
- Operate at the Network and Transport layers
- Processing speed
- High security
- Low flexibility
- Limited upgradeability
- Cannot inspect packet contents
Nowadays, however, many hardware firewalls integrate multiple functions. Besides acting as a security firewall they ship with other modules such as routing, VPN, and so on.

Figure 1. Hardware firewall model

Software firewalls:
Some operating systems come with a firewall; if yours does not, one is easy to obtain from computer shops, software vendors or Internet service providers. Some software firewalls are ISA Server, ZoneAlarm and Norton Firewall; antivirus products and operating systems also have firewall features.
Characteristics:
- Operate at the Application layer
- High flexibility: rules and functions can be added or removed
- Can inspect packet contents (by keyword)

Figure 2. Software firewall model.
c. Functions of a firewall

Controlling the flow of information between the intranet and the Internet:
Establishing a mechanism that controls the information flow between the internal network (intranet) and the Internet. Specifically:
- Allow or deny services for outbound access (from the intranet to the Internet).
- Allow or deny services for inbound access (from the Internet to the intranet).

Figure 3. Data flows in and out between the Internet and the intranet

- Monitor the network data flow between the Internet and the intranet.
- Control access by address; block addresses from accessing.
- Control users and their access.
- Control the content of information travelling across the network.

d. Limitations of a firewall

- A firewall is not as intelligent as a human; it cannot read and understand every kind of information and judge whether its content is good or bad.
- A firewall can only block intrusion from unwanted sources whose address parameters have been clearly specified.
- A firewall cannot protect against attacks that bypass it, for example via modems, trusted organisations or trusted services (SSL/SSH).
- A firewall also cannot stop data-driven attacks, where a program is carried in by e-mail, passes through the firewall into the protected network and starts to run there.
- A firewall cannot protect against the transfer of virus-infected programs or files.

II. The Cisco ASA firewall

1. Introduction

The Cisco ASA firewall is the latest technology among the firewall solutions offered by Cisco, and it is now replacing the very capable PIX firewalls. ASA stands for Adaptive Security Appliance; it serves both as a firewall and as an anti-malware appliance.

The Cisco ASA performs Stateful Packet Inspection: it tracks the state of connections passing through the security appliance (recording the state of each packet of a connection, identified by protocol or application). It allows outbound connections with very little configuration. An outbound connection is one from a device on an interface with a higher security level to a device on a network with a lower security level.

The recorded state is used to monitor and check the returning packets. The sequence numbers in TCP packets are randomised to reduce the risk of attack.

It operates on a port-based security zone architecture: trusted interfaces have a high security level and untrusted interfaces a low one. The main security-level rule is that devices in a trusted zone may access devices in an untrusted zone; this is called outbound. Conversely, the low-security zone cannot access the high-security zone unless an ACL permits it; this is called inbound.

Security Level 100: the highest security level, normally assigned to the interface of the internal network (inside).
Security Level 0: the lowest security level, normally assigned to the interface that connects to the Internet or another untrusted zone, also called the outside zone.
Security Levels 1-99: available for the remaining interfaces when further network zones are needed.

Therefore, when configuring the interfaces, make sure each one is assigned a security level according to your zoning policy, using the security-level command.
b. Basic functions

i. Operating modes

The ASA firewall has four main operating modes:

Monitor Mode: shows the monitor> prompt. This is a special mode that lets you update the image over the network or recover the password. While in monitor mode you can enter commands giving the location of a TFTP server and of the software image or password-recovery binary image file to download. You enter this mode by pressing the "Break" or "ESC" key immediately after powering on the device.

Unprivileged Mode: shows the > prompt. This mode gives a restricted view of the security appliance; you cannot configure anything from it. To begin configuring, the first command you need to know is enable. Type enable and press Enter. The initial password is empty, so press Enter again to move on to the next access mode (Privileged Mode).

Privileged Mode: shows the # prompt. It lets you change the current settings. Any command available in unprivileged mode also works here. From this mode you can view the current configuration with show running-config. However, you cannot configure anything until you enter Configuration Mode, which you reach with the configure terminal command from privileged mode.

Configuration Mode: shows the (config)# prompt. It lets you change every system configuration setting.

Use exit in any mode to return to the previous mode.

ii. File management

There are two kinds of configuration file on Cisco security appliances: the running-configuration and the startup-configuration.

The first, the running-configuration, is the one currently running on the device; it is held in the firewall's RAM. You can view it by typing show running-config from privileged mode. Any command you enter on the firewall is written directly into the running-config and takes effect immediately. Because the running configuration lives in RAM, if the device loses power, any configuration changes that were not saved beforehand are lost. To save the running configuration, use copy run start or write memory. Both commands copy the running-config into the startup-config, which is stored in flash memory.

The second, the startup-configuration, is the backup copy of the running-configuration. It is stored in flash memory, so it survives a reboot. It is also the configuration loaded when the device boots. To view the stored startup-configuration, type show startup-config.
iii. Security levels (Security Level)

A security level is assigned to each interface (physical or logical sub-interface) and is essentially a number from 0 to 100 that indicates how trusted the interface is relative to the other interfaces on the device. The higher the security level, the more trusted the interface (and therefore the networks behind it) is considered relative to the others. Since each firewall interface represents a specific network (or security zone), the security levels let us state how much we trust each of our security zones. The main rule is that an interface (or zone) with a higher security level can access an interface with a lower security level. On the other hand, an interface with a lower security level cannot access an interface with a higher security level without the explicit permission of a security rule (Access Control List, ACL).

Some typical security levels:

Security Level 0: the lowest security level, assigned by default to the firewall's outside interface. It is the least trusted level and must be assigned to the network (interface) that we do not want to have any access to our internal networks. It is normally assigned to the interface connected to the Internet, which means that no device on the Internet can reach any network behind the firewall unless an ACL rule explicitly allows it.

Security Levels 1 to 99: these levels can be used for perimeter security zones (for example a DMZ zone, a management zone, and so on).

Security Level 100: the highest security level, assigned by default to the firewall's inside interface. It is the most trusted level and must be assigned to the network (interface) that we want the security appliance to protect the most. It is normally assigned to the interface connecting the company's internal network behind it.

Figure 4. Security levels in a network

Access between security levels follows these rules:

Access from a higher security level to a lower one: all traffic originating from the higher security level is permitted unless specifically restricted by an Access Control List (ACL). If NAT-Control is enabled on the device, a nat/global translation pair must exist between the interfaces going from the higher to the lower security level.

Access from a lower security level to a higher one: all traffic is blocked unless permitted by an ACL. If NAT-Control is enabled on the device, a static NAT must exist between the interfaces going from the higher to the lower security level.

Access between interfaces with the same security level: not permitted by default, unless you configure the same-security-traffic permit command.


c. Network Access Translation (NAT)

a. Concept

The depletion of the public IPv4 address space forced the Internet community to think about alternative ways of addressing networked hosts. NAT was therefore created to solve the problems arising from the growth of the Internet.

Some of the advantages of using NAT in IP networks are:
- NAT helps reduce the global exhaustion of public IP addresses.
- Networks can use the RFC 1918 private address space internally.
- NAT strengthens security by hiding the network topology and addressing.

NAT behaves like a router: it forwards packets between different network segments of a larger network. NAT translates, that is changes, one or both addresses inside a packet as the packet passes through a router or some other device. Typically, NAT changes the (usually private) addresses used inside a network into public addresses.

NAT can also be regarded as a basic firewall. To do this, NAT keeps a table with information about every packet sent through it. When a PC on the network connects to a website on the Internet, the source IP address in the header is changed and replaced with the public address configured on the NAT server; when the reply packet comes back, NAT uses the records it kept about the packets to change the destination IP address to the address of the PC on the network and forwards it on. Through this mechanism the network administrator is able to filter packets sent to or from an IP address and to allow or deny access to a specific port.
ii. NAT techniques

Static NAT

With static NAT, IP addresses are mapped to each other statically through configuration commands. In static NAT, an Inside Local address is always mapped to the same Inside Global address. If used, each Outside Local address is always mapped to the same Outside Global address. Static NAT saves no real addresses. Although it does not save IP addresses, static NAT lets an internal server be reachable from the Internet, because the server always appears with the same real IP address.

Static NAT is easy to carry out, and the whole translation is performed by one simple formula:

Destination address = new network address OR (source address AND (NOT netmask))

Example:
A private address is mapped to a public address. For example, a host on the LAN with address 10.1.1.1 is translated to the public address 20.1.1.1 when it sends packets out to the Internet.

Start with a packet sent from a PC on the left of the figure to a server on the right with address 170.1.1.1. The private source address 10.1.1.1 is translated to the real address 200.1.1.1. The client sends a packet with source address 10.1.1.1, but the NAT router changes the source address to 200.1.1.1.

When the server receives a packet with source address 200.1.1.1, it believes it is talking to host 200.1.1.1, so it replies with a packet sent to destination address 200.1.1.1. The router then translates the destination address 200.1.1.1 back to 10.1.1.1.

Figure 5. Static NAT from a LAN out to the Internet
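The formula above, as an added example that is not part of the report: a small Python model of static NAT that applies the formula in both directions, following the walkthrough (10.1.1.1 leaves as 200.1.1.1 towards 170.1.1.1, and the reply to 200.1.1.1 is translated back to 10.1.1.1). The netmask 255.255.255.0 and the packet dictionaries are assumptions; the report gives neither.

```python
"""Static NAT modelled on the formula
    mapped = new_network OR (source AND (NOT netmask))
Added example; the report only states the formula and the 10.1.1.1 -> 200.1.1.1 walkthrough.
The /24 netmask and the packet layout are assumptions."""
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def translate(source: str, new_network: str, netmask: str) -> str:
    """Apply the static NAT formula: network bits come from new_network, host bits from source."""
    mask = _to_int(netmask)
    host_bits = _to_int(source) & (~mask & MASK32)      # source AND (NOT netmask)
    return str(ipaddress.IPv4Address(_to_int(new_network) | host_bits))


def in_network(addr: str, network: str, netmask: str) -> bool:
    """True when addr lies inside network/netmask."""
    mask = _to_int(netmask)
    return (_to_int(addr) & mask) == (_to_int(network) & mask)


class StaticNat:
    """One-to-one mapping between a real (inside) network and a mapped (outside) network.
    Because the mapping is a pure function of the address, no per-connection table is needed:
    the same formula, run with the networks swapped, undoes the translation on the reply."""

    def __init__(self, real_network: str, mapped_network: str, netmask: str):
        self.real = real_network
        self.mapped = mapped_network
        self.mask = netmask

    def outbound(self, pkt: dict) -> dict:
        """Inside -> outside: rewrite the source address if it belongs to the real network."""
        if in_network(pkt["src"], self.real, self.mask):
            return {**pkt, "src": translate(pkt["src"], self.mapped, self.mask)}
        return dict(pkt)

    def inbound(self, pkt: dict) -> dict:
        """Outside -> inside: rewrite the destination address if it is one of the mapped addresses."""
        if in_network(pkt["dst"], self.mapped, self.mask):
            return {**pkt, "dst": translate(pkt["dst"], self.real, self.mask)}
        return dict(pkt)


def demo() -> tuple:
    """The report's walkthrough: 10.1.1.1 -> 170.1.1.1 goes out as 200.1.1.1; the reply returns to 10.1.1.1."""
    nat = StaticNat("10.1.1.0", "200.1.1.0", "255.255.255.0")
    request = nat.outbound({"src": "10.1.1.1", "dst": "170.1.1.1"})
    reply = nat.inbound({"src": "170.1.1.1", "dst": request["src"]})
    return request["src"], reply["dst"]


if __name__ == "__main__":
    print(demo())   # ('200.1.1.1', '10.1.1.1')
```

Addresses outside the configured networks pass through unchanged, which is the behaviour the later ASA static command gives for hosts not covered by a static entry. The second translate call in the test shows the same formula on a /16, where two host octets are carried over.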


Dynamic NAT

With dynamic NAT the number of source IP addresses does not equal the number of destination (mapped) IP addresses, so the number of hosts that can share them is generally limited by the number of mapped addresses available. Dynamic NAT is more complex than static NAT, since the device must keep connection information and may even have to look at the TCP information in the packet. Some people use it instead of static NAT for security reasons: outsiders cannot find out which IP address is connected to a given host, because the next moment that host may be given a completely different IP.

Connections from outside are only possible while the inside host still holds an IP in the dynamic NAT table, where the NAT router keeps the binding between the inside IP (source IP) and the NAT-IP (mapped IP). Take a non-passive FTP session as an example. The server tries to open a data channel, so when it tries to send an IP packet to the FTP client there must be an entry for that client in the NAT table. The client IP must still be bound to the same NAT-IP it had when it opened the control channel, unless the FTP session has already timed out. Note that FTP has two modes, passive and non-passive, and always uses two ports (control and data). In passive mode the connecting host receives the data port from the server; in non-passive mode the connecting host specifies the data port and asks the server to connect to it.

Whenever an outsider wants to connect to a particular host inside the network at an arbitrary moment, there are only two cases:
- The inside host has no entry in the NAT table, in which case the outsider gets "host unreachable", or there is an entry but the NAT-IP is unknown.
- The outsider knows the IP of a connection because the inside host opened a connection outwards. But it is only the NAT-IP, not the host's real IP, and this information is lost once the entry times out in the NAT router's table.

Example:
A private address is mapped to a public address taken from a pool of public addresses. For example, a LAN with address 10.1.1.1/8 is translated to a public address in the range 200.1.1.1 to 200.1.1.100 when it sends packets out to the Internet.

Figure 6. Dynamic NAT table of a LAN


NAT overloading (PAT)

Used to map many private IP addresses to one public address, each private address being distinguished by port number. Up to 65,356 internal addresses can be translated to a single public address, although in practice it is around 4000 ports. PAT works by marking a number of TCP or UDP flows from many inside local hosts so that they appear to come from the same one or few Inside Global addresses. With PAT, instead of translating only the IP address, NAT also translates the ports when necessary. Because the port fields are 16 bits long, each Inside Global address can support up to 65000 simultaneous TCP and UDP connections. For example, in a network of 1000 hosts, one real IP address used as the single Inside Global address can handle on average six data flows to and from each host on the Internet.

Example:
PAT maps many private addresses to one public address, distinguishing the private addresses by port; for example IP address 10.1.1.1 is mapped to IP address 200.1.1.6:port_number.

* The relationship between NAT and PAT

PAT is closely related to NAT and is therefore still commonly called NAT. In NAT, generally only the IP address is changed, and there is a 1:1 correspondence between private and public addresses.

In PAT, both the sender's private address and the port are changed. The PAT device chooses the port number that hosts on the public network will see.

In NAT, packets entering from outside are routed to their destination IP on the private network by referring to the incoming source address.

In PAT, only one public IP address is visible from outside, and packets entering from the public network are routed to their destination on the private network by looking up the table of private/public port pairs held in the PAT device. This is usually called connection tracking.

Some devices that provide NAT, such as broadband routers, actually provide PAT. For this reason there is considerable confusion between the terms. In general people use "NAT" to include PAT devices.
iii. NAT on ASA devices

Cisco ASA firewalls support two main kinds of address translation.

Dynamic NAT translation:

Translates source addresses on a higher-security interface into a range (or pool) of IP addresses on a less secure interface, for outbound connections. The nat command specifies which internal hosts are translated, and the global command specifies the address pool on the outgoing interface.

Dynamic NAT translation configuration:
ciscoasa(config)# nat (internal_interface_name) nat-id internal_network_IP subnet
ciscoasa(config)# global (external_interface_name) nat-id external_IP_pool_range

Static NAT translation:

Provides a permanent one-to-one address mapping between an IP on a more secure interface and an IP on a less secure interface. Combined with a suitable Access Control List (ACL), static NAT lets hosts on a less secure interface (for example the Internet) reach a server on a higher-security interface (for example a web server in the DMZ) without exposing the real IP address of the server on the higher-security interface.

Static NAT translation configuration:
ciscoasa(config)# static (real_interface_name,mapped_interface_name) mapped_IP real_IP netmask subnet_mask

With PAT, many connections from different internal hosts can be multiplexed onto one public IP address, each using a different source port.

Example:

Figure 7. The PAT (NAT overload) mechanism

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0                <- inside subnet to use PAT
ciscoasa(config)# global (outside) 1 100.1.1.2 netmask 255.255.255.255    <- use a single global IP address for PAT

In the example above, all internal addresses (192.168.1.0/24) will use one public IP address (100.1.1.2) with different ports. That is, when host 192.168.1.1 connects to a server on the Internet, the firewall translates its address and port to 100.1.1.2 with port 1024. Likewise, host 192.168.1.2 is also translated to 100.1.1.2, but with a different port (1025). The source ports are automatically changed to a unique number above 1023. A single PAT address can support around 64,000 internal hosts.
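The two translation tables described above, the dynamic pool (one pool address borrowed per inside host, Figure 6) and PAT (one global address shared by port, Figure 7), as an added Python example that is not the report's code or Cisco's. The pool 200.1.1.1-200.1.1.100, the PAT address 100.1.1.2 and the first translated port 1024 are the report's values; the sequential port allocation, the timeout hook and the sample inside hosts and ports are assumptions.

```python
"""Dynamic NAT (address pool) and PAT (port overloading) translation tables.
Added example, not the report's code. The pool 200.1.1.1-200.1.1.100, the PAT address 100.1.1.2 and
the first translated port 1024 are the values in the report; sequential port allocation, the timeout
hook and the sample hosts are assumptions."""
import ipaddress
from typing import Optional, Tuple


class DynamicNatPool:
    """Each inside host borrows one pool address for as long as its entry lives (Figure 6).
    Return traffic is forwarded only while the entry exists, which is why an outsider can
    reach an inside host only through a mapping that host created itself."""

    def __init__(self, first: str, last: str):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.table: dict = {}          # inside IP -> mapped (pool) IP

    def outbound(self, inside_ip: str) -> Optional[str]:
        """Inside host opens a connection: reuse its entry or allocate a free pool address."""
        if inside_ip in self.table:
            return self.table[inside_ip]
        if not self.free:
            return None                # pool exhausted: the new connection cannot be translated
        mapped = self.free.pop(0)
        self.table[inside_ip] = mapped
        return mapped

    def inbound(self, mapped_ip: str) -> Optional[str]:
        """Packet arrives for a pool address: deliverable only if some entry owns it."""
        for inside, mapped in self.table.items():
            if mapped == mapped_ip:
                return inside
        return None                    # no entry: host unreachable

    def timeout(self, inside_ip: str) -> None:
        """Entry expires: the pool address is returned and the binding is forgotten."""
        mapped = self.table.pop(inside_ip, None)
        if mapped is not None:
            self.free.append(mapped)


class Pat:
    """Many inside (IP, port) pairs share one global IP; the translated port tells them apart.
    The report's example: 192.168.1.1 -> 100.1.1.2:1024, 192.168.1.2 -> 100.1.1.2:1025."""

    def __init__(self, global_ip: str, first_port: int = 1024):
        self.global_ip = global_ip
        self.next_port = first_port
        self.forward: dict = {}        # (inside IP, inside port, proto) -> translated port
        self.reverse: dict = {}        # (translated port, proto) -> (inside IP, inside port)

    def outbound(self, inside_ip: str, inside_port: int, proto: str = "tcp") -> Optional[Tuple[str, int]]:
        key = (inside_ip, inside_port, proto)
        if key not in self.forward:
            if self.next_port > 65535:
                return None            # every port above 1023 is in use
            self.forward[key] = self.next_port
            self.reverse[(self.next_port, proto)] = (inside_ip, inside_port)
            self.next_port += 1
        return self.global_ip, self.forward[key]

    def inbound(self, dst_port: int, proto: str = "tcp") -> Optional[Tuple[str, int]]:
        """Reply for global_ip:dst_port -> the inside host and port that own that entry (connection tracking)."""
        return self.reverse.get((dst_port, proto))


def demo() -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """The two PAT translations described in the report; inside source port 40000 is assumed."""
    pat = Pat("100.1.1.2")
    a = pat.outbound("192.168.1.1", 40000)
    b = pat.outbound("192.168.1.2", 40000)
    return a, b


if __name__ == "__main__":
    print(demo())   # (('100.1.1.2', 1024), ('100.1.1.2', 1025))
```

The two classes make the difference in the text concrete: the pool table is keyed by address alone and runs out after 100 hosts, while the PAT table is keyed by address and port and only the reverse lookup decides where an incoming packet goes, so a packet for a port nobody owns is dropped.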
d.

Access Control Lists(ACL).

Mt trong nhng yu t quan trng cn thit qun l giao tip lu lng


mng l c ch iu khin truy cp, cn c gi l Access Control List.

18

Khai thc cc chc nng ASA firewall trn GNS3

19

Hnh 8. S ACL iu khin truy cp mng


Access Control List(danh sch iu khin truy cp), nh tn ca n, l mt
danh sch cc bo co(c gi l mc kim sot truy cp) cho php hoc t chi
lu lng truy cp t mt ngun n mt ch n.Sau khi mt ACL c cu
hnh, n c p dng cho mt giao din vi mt lnh access-group. Nu khng c
ACL c p dng cho mt interface, lu lng truy cp ra bn ngoi(from inside
to outside) c php theo mc nh, v lu lng truy cp trong ni b(from
outside to inside) b t chi theo mc nh. ACL c th c p dng(bng cch s
dng lnh access-group) theo 2 hng "in" v"out" ca traffic i vi cc
interface. Chiu "in" ca ACL kim sot lu lng truy cp vo mt interface, v
theo hng "out"ca ACL kim sot traffic ra khi mt interface. Trong s trn,
c hai ACL th hin (cho Inbound v cho Outbound Access) c p dng cho
hng "in" interface ca outside v inside tng ng.
Sau y l nhng hng dn thit k v thc hin cc ACL:
i vi Outbound Traffic(T vng c security-level cao hn n thp
hn), tham s a ch ngun mt mc ACL l a ch thc s thc t
ca my ch hoc mng.
i vi Inbound Traffic(T vng c security-level thp hn n cao
hn), tham s a ch ch ACL l a ch IP ton cu chuyn dch.
ACL l lun lun kim tra trc khi chuyn dch a ch c thc
hin trn thit b bo mt.
ACL ngoi vic hn ch lu lng thng qua tng la, n c th c
s dng cng nh l mt ng truyn la chn c ch p dng mt
vi hnh ng khc lu lng truy cp c la chn, nh m ha,
dch thut, lp chnh sch, cht lng dch v, vv
Lnh cu hnh default ACL:
ciscoasa(config)# access-list access_list_name [line line_number] [extended]
{deny | permit} protocol source_address mask [operator source_port]
dest_address mask [operator dest_port]
Lnh cho php truy cp ca mt nhm s dng p dng cho ACL:
ciscoasa(config)#
interface_name

access-group

Cc tham s trong lnh:

access_list_name

[in|out]

interface

Nguyn Phan nh Phc Nguyn Vn Hng ng Minh Tr

access_list_name :mt tn m t ca ACLc th. Cng tn c s


dng trong lnh access-group.
lineline_number : Mi mc ACL c s dng ring ca mnh.
extended: S dng khi bn xc nh c hai ngun v a ch ch trong
ACL.
deny|permit :Xc nh liu lu lng truy cp c th c php hoc b
t chi.
protocol: Ch nhgiao thc giao thng(IP, TCP, UDP, vv).
source_address mask: Ch nh a ch IP ngun v subnet mask. Nu
l mt a ch IP duy nht, bn c th s dng t kho"host" m
khng c mt n. Bn cngc th s dng t kha "any" ch nh
bt k a ch.
[operator source_port]: Ch nh s cng ngun ca lu lng c
ngun gc. Cc t kha"operator" c th c "lt" (t hn), "gt" (ln
hn), "eq" (tng ng), "neq" (Khngbng), "phm vi" (phm vi
port). Nu source_port khng c quy nh c th, tng la ph hp
vi ttc cc port.
dest_address mask: y l a ch IP ch v subnet mask. Bn c th
s dng nhng t kha host hoc any.
[operator dest_port]: Ch nh s cng ch m cc ngun lu lng
yu
cu
truy cp vo. Cc t kha"operator" c th c"lt" (t hn), "gt" (ln
hn), "eq" (tng ng),"Neq" (khng bng), "range" (range of port).
Nu khng c dest-port c quy nh c th, cc bc tng la kt
hp tt c cc cng.
The following ACL examples give a better picture of the configuration commands:
ciscoasa(config)# access-list DMZ_IN extended permit ip any any
ciscoasa(config)# access-group DMZ_IN in interface DMZ
The configuration above lets all traffic entering the DMZ interface pass through the firewall. In practice an inbound DMZ ACL should permit only what the DMZ servers need and deny access to the inside network, because a compromised DMZ host would otherwise reach the LAN.
ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 200.1.1.0 255.255.255.0
ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 host 210.1.1.1 eq 80
ciscoasa(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa(config)# access-group INSIDE_IN in interface inside
The example above denies all TCP traffic from our internal network 192.168.1.0/24 to the external network 200.1.1.0/24. It also denies HTTP (port 80) connections from our internal network to the external server 210.1.1.1. All other connections from inside are permitted. Entries are evaluated in order and the first match decides, so the two deny entries must come before the final permit ip any any; every ACL also ends with an implicit deny, so without that final permit all remaining traffic would be dropped.
ciscoasa(config)# access-list OUTSIDE_IN extended permit tcp any host 100.1.1.1 eq 80
ciscoasa(config)# access-group OUTSIDE_IN in interface outside
The ACL configuration above lets any host on the Internet reach our web server (100.1.1.1).
Note that 100.1.1.1 is the global public address of our web server.
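The following is an added example, not code from the report: a first-match evaluator for the extended ACL syntax described above, run against the report's own INSIDE_IN entries. It parses lines of the form access-list NAME extended {permit|deny} PROTO SRC [op PORT] DST [op PORT], where an address is any, host A.B.C.D or A.B.C.D MASK and op is one of eq/neq/lt/gt/range, and it models what happens on an interface that has no inbound ACL bound with access-group: the ASA default policy then permits only traffic going from a higher security level to a lower one. The packets, the security levels and the function names are constructed for this example.

```python
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ftp-data": 20, "ssh": 22}
OPERATORS = ("eq", "neq", "lt", "gt", "range")


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(toks, i):
    """Return (network, next index) for `any`, `host X` or `X MASK`."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def _parse_ports(toks, i):
    """Return (port predicate, next index); no operator means every port matches."""
    if i >= len(toks) or toks[i] not in OPERATORS:
        return (lambda p: True), i
    op = toks[i]
    if op == "range":
        lo, hi = _port(toks[i + 1]), _port(toks[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    v = _port(toks[i + 1])
    preds = {"eq": lambda p: p == v, "neq": lambda p: p != v,
             "lt": lambda p: p < v, "gt": lambda p: p > v}
    return preds[op], i + 2


def parse_acls(config_text):
    """Map ACL name -> ordered entries (action, proto, src, sport_pred, dst, dport_pred)."""
    acls = {}
    for line in config_text.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list":
            continue
        name = toks[1]
        i = 3 if toks[2] == "extended" else 2
        action, proto = toks[i], toks[i + 1]
        src, i = _parse_addr(toks, i + 2)
        sport, i = _parse_ports(toks, i)
        dst, i = _parse_addr(toks, i)
        dport, i = _parse_ports(toks, i)
        acls.setdefault(name, []).append((action, proto, src, sport, dst, dport))
    return acls


def evaluate_acl(entries, pkt):
    """First matching entry decides; no match at all means the implicit deny."""
    for action, proto, src, sport, dst, dport in entries:
        if proto not in ("ip", pkt["proto"]):
            continue
        if (ipaddress.ip_address(pkt["src"]) in src and ipaddress.ip_address(pkt["dst"]) in dst
                and sport(pkt.get("sport", 0)) and dport(pkt.get("dport", 0))):
            return action
    return "deny"


def decide(pkt, in_if, out_if, acls, access_groups, security_levels):
    """Decision for a packet entering in_if and leaving out_if, as the ASA would make it."""
    if in_if in access_groups:                    # access-group NAME in interface in_if
        return evaluate_acl(acls[access_groups[in_if]], pkt)
    # no inbound ACL on this interface: only high -> low security level is allowed
    return "permit" if security_levels[in_if] > security_levels[out_if] else "deny"


# The report's INSIDE_IN entries, bound inbound on the inside interface.
INSIDE_IN_CONFIG = """
access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 200.1.1.0 255.255.255.0
access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 host 210.1.1.1 eq 80
access-list INSIDE_IN extended permit ip any any
"""
ACLS = parse_acls(INSIDE_IN_CONFIG)
ACCESS_GROUPS = {"inside": "INSIDE_IN"}
SECURITY_LEVELS = {"inside": 100, "DMZ": 50, "outside": 0}   # constructed for the example


def demo():
    """Constructed packets as (packet, ingress interface, egress interface); returns each decision."""
    cases = {
        "telnet_to_200_net": (dict(proto="tcp", src="192.168.1.10", dst="200.1.1.5", sport=40000, dport=23), "inside", "outside"),
        "dns_to_200_net": (dict(proto="udp", src="192.168.1.10", dst="200.1.1.5", sport=40001, dport=53), "inside", "outside"),
        "http_to_210": (dict(proto="tcp", src="192.168.1.10", dst="210.1.1.1", sport=40002, dport=80), "inside", "outside"),
        "https_to_210": (dict(proto="tcp", src="192.168.1.10", dst="210.1.1.1", sport=40003, dport=443), "inside", "outside"),
        "dmz_to_outside": (dict(proto="tcp", src="10.0.0.2", dst="8.8.8.8", sport=40004, dport=443), "DMZ", "outside"),
        "outside_to_dmz": (dict(proto="tcp", src="8.8.8.8", dst="10.0.0.2", sport=40005, dport=80), "outside", "DMZ"),
    }
    return {name: decide(pkt, i, o, ACLS, ACCESS_GROUPS, SECURITY_LEVELS)
            for name, (pkt, i, o) in cases.items()}
```

Note that the UDP flow to 200.1.1.0/24 is permitted: the first deny entry names tcp, so only TCP is blocked, and the final permit ip any any catches everything else. The outside-to-DMZ web request is dropped only because no ACL is bound on outside in this example; once an OUTSIDE_IN list is applied, the security levels no longer matter for that direction and the list alone decides.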
e. VPN
i. Introduction
VPN stands for Virtual Private Network; basically it is a connection from one location to another that forms a LAN-style network whose services (email, intranet and so on) can only be reached by users who present the correct pre-configured credentials.
Cisco ASA devices, besides their core firewall function, can be used to securely connect remote LANs (Site-to-Site VPN) or to let remote users/teleworkers communicate securely with their corporate network (Remote Access VPN).
Cisco supports several VPN types on the ASA, but they generally fall into two categories: "IPSec VPNs" and "SSL VPNs". The first category uses the IPSec protocol to secure the communication, while the second uses SSL. SSL VPN is also called WebVPN in Cisco terminology. The two general VPN categories supported by the Cisco ASA are further divided into the following VPN technologies.
IPSec Based VPNs:
Lan-to-Lan IPSec VPN: used to connect remote LANs over an insecure transport medium (e.g. the Internet). It runs ASA-to-ASA or ASA-to-Cisco Router.
Remote Access with IPSec VPN Client: VPN client software installed on the user's computer provides remote access to the central network. It uses the IPSec protocol and provides full network connectivity to the remote user, who runs applications against the central site just as if no VPN were in place.
SSL Based VPNs (WebVPN):
Clientless Mode WebVPN: this is the first WebVPN (SSL) implementation, supported from ASA version 7.0 onward. It lets users establish a secure remote-access VPN tunnel using only a web browser. No additional software or hardware is needed. However, only a limited set of applications can be accessed remotely.
AnyConnect WebVPN: a special Java-based client installed on the user's computer provides a secure SSL tunnel to the central site. It provides full network connectivity (similar to the IPSec remote access client). All applications at the central site can be accessed remotely.
IP Security (IPSec) is an open IETF standard that enables encrypted communication. It is a suite of protocols that provides data confidentiality, integrity and authentication. A Virtual Private Network (VPN) is a secure tunnel over an insecure path (for example over the Internet). IPSec is therefore ideal for building private networks over the Internet or any other untrusted network. IPSec operates at the network layer, encrypting and authenticating IP packets between a firewall security appliance and other IPSec-capable devices such as Cisco routers, other Cisco firewalls, VPN software and so on.
The following IPSec protocols and standards are used later in our discussion, so it is a good idea to briefly explain their function and use:
ESP (Encapsulating Security Payload): the first of the two main protocols in the IPSec standard. It provides data integrity, authentication, anti-replay and confidentiality services. ESP is used to encrypt the data payload of IP packets.
AH (Authentication Header): the second of the two main IPSec protocols. It provides data integrity, authentication and replay detection. It does not provide encryption; instead it acts as a digital signature over the packet, ensuring that the data is not tampered with.
Internet Key Exchange (IKE): the mechanism security devices use to securely exchange cryptographic keys, authenticate IPSec peers and negotiate IPSec security parameters. On the ASA firewall this is synonymous with ISAKMP, as we will see in the IPSec configuration.
DES, 3DES, AES: the encryption algorithms supported by the Cisco ASA firewall. DES is the weakest (56-bit key) and AES the strongest (128, 192 or 256-bit key). 3DES is a middle choice; it uses a 168-bit key (about 112 bits of effective strength). DES and 3DES are considered obsolete today; AES should be used.
Diffie-Hellman (DH): a public-key cryptographic protocol used by IKE to establish session keys.
MD5, SHA-1: hash algorithms used to authenticate packet data. SHA is stronger than MD5.
Security Association (SA): an SA is a connection between two IPSec peers. Each IPSec peer keeps an SA database in its memory containing the SA parameters. An SA is uniquely identified by the IPSec peer address, the security protocol and the Security Parameter Index (SPI).
The steps performed by IPSec devices:
Interesting Traffic: the IPSec devices recognise the traffic to be protected.
Phase 1 (ISAKMP): the IPSec devices negotiate an IKE security policy and establish a secure channel for communication.
Phase 2 (IPSec): the IPSec devices negotiate an IPSec security policy to protect the data.
Data Transfer: data is transferred securely between the IPSec peers based on the IPSec parameters and keys negotiated in the previous phases.
IPSec Tunnel Terminated: the IPSec SA terminates when a time limit or a data-volume limit is reached.
ii. Site-to-site VPN
Figure 9. Network diagram of a site-to-site IPSec VPN connection.
Site-to-Site IPSec VPN is sometimes called LAN-to-LAN VPN. As the name says, this type of VPN connects two remote LANs over the Internet. Usually the internal networks use private addressing, as shown in our diagram above. Without a VPN connection the two LANs (LAN-1 and LAN-2) would not be able to communicate. By configuring a Site-to-Site IPSec VPN between the two ASA firewalls we can establish a secure tunnel over the Internet and pass our private LAN traffic inside this tunnel. As a result, hosts in network 192.168.1.0/24 can directly reach hosts in network 192.168.2.0/24 (and vice versa) as if they were on the same LAN. The IPSec tunnel is established between the public IP addresses of the firewalls (100.100.100.1 and 200.200.200.1).
iii. Remote access VPN
The second type of IPSec VPN we describe is Remote Access VPN using the Cisco VPN client on the remote users. This type of VPN lets remote users/teleworkers with Internet access establish a secure IPSec VPN tunnel to their corporate network. The users must have the Cisco VPN client software installed on their computers, which lets them communicate securely with the ASA firewall in the central office. Once the VPN is established between the remote user and the ASA firewall, the user is assigned a private IP address from a predefined pool and is then attached to the corporate LAN.
Figure 10. Network diagram of a Remote Access VPN connection
The example topology above shows an ASA firewall protecting the corporate LAN and a remote user with VPN client software establishing a secure connection to the ASA. An IP address in the range 192.168.20.0/24 is assigned to the VPN client, which is then allowed to communicate with the corporate internal network 192.168.1.0/24. Once the remote access VPN is established, by default the remote user cannot access anything else on the Internet except the corporate LAN. This behaviour can be changed by configuring the "split tunnel" feature on the firewall, but it is not recommended for security reasons: the remote host would then be connected to the Internet and to the corporate network at the same time, and a compromise of the host could bridge the two.
iv. AnyConnect VPN
AnyConnect provides full network connectivity to the remote user. The ASA firewall, acting as a WebVPN server, assigns an IP address to the remote user and the user is attached to the network. Therefore all IP protocols and applications pass through the VPN tunnel without any problem. For example, a remote user, after successfully authenticating to the AnyConnect VPN, can open a connection from the remote computer to a Windows Terminal Server inside the central network. Although a client has to be installed on the user's computer, this client can be supplied automatically to the user by the ASA. The user connects with a browser to the ASA firewall and downloads the client on demand. The client can either remain installed or be removed from the user's computer when disconnecting from the ASA. The client is small (about 3 MB) and is stored in the ASA's flash memory.
Operation of AnyConnect VPN
The diagram below shows a network model with an ASA and a remote user connecting through AnyConnect VPN:
Figure 11. Network diagram of an AnyConnect VPN connection
In the diagram above, the ASA firewall is configured as an AnyConnect VPN server. A remote user accesses the Internet and the IP address of his computer is 10.1.1.1 (NIC IP). The user may be behind a router doing NAT/PAT, so his private IP address is translated to a public IP address by the NAT router. When the remote user connects and successfully authenticates to the ASA with the AnyConnect client, the ASA assigns an internal IP address to the user from a preconfigured range (192.168.5.1-20). In the diagram, the ASA assigns IP 192.168.5.1 to the remote user. This means the remote user is virtually attached to the corporate LAN behind the ASA firewall.
There are two options for the initial installation of the AnyConnect client:
Using the clientless WebVPN portal.
Manual installation by the user.
With the clientless web portal, the user first connects and authenticates to the ASA with a secure web browser, and the AnyConnect client is automatically downloaded and installed on the user's computer (the user can also click the AnyConnect tab on the WebVPN portal to download the client). This requires that the client package (.PKG extension) has been stored on the flash memory by the administrator. This method is preferred because it automatically distributes the client to remote users.
With the manual installation method, the network administrator must download the appropriate client (Microsoft MSI installation package or one of the other OS versions) from the Cisco website and supply the file to the users, who install it by hand on their laptops. With this method the user does not have to log in through clientless mode to start the SSL VPN tunnel. Instead, the user starts the AnyConnect client manually on his computer and supplies his credentials to the ASA.
AnyConnect VPN configuration steps
STEP 1: Copy the PKG file to the ASA flash
First, download one of the .pkg files from the Cisco website. A Windows client file is named, for example, anyconnect-win-x.x.xxxx-k9.pkg. Copy the .pkg file to flash with the command:
ASA# copy {tftp|ftp|scp}://[ip address]/anyconnect-win-x.x.xxxx-k9.pkg disk0:
STEP 2: Check that the .pkg file is in flash (dir disk0:). Then enable the AnyConnect web service on the outside interface of the ASA.
ASA# configure terminal
ASA(config)# webvpn
ASA(config-webvpn)# svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# svc enable
Note: the number 1 at the end of the file name is the file order. It is used when more than one image is stored on the ASA flash (for example an AnyConnect client image for Windows and one for Mac).
STEP 3: Exempt WebVPN SSL traffic from the Access List check on the outside interface. By default WebVPN traffic is not exempt from the Access List check when it terminates on the outside interface: once the traffic is decrypted it is checked against the inbound ACL applied on the outside interface. You must either include permit statements for the decrypted traffic in that ACL or use sysopt connection permit-vpn.
ASA(config)# sysopt connection permit-vpn
Be aware that sysopt connection permit-vpn bypasses the interface ACLs for all VPN traffic; if remote users must be restricted, apply a vpn-filter ACL in the group policy instead of relying on the interface ACL.
STEP 4: This step is optional but really useful. All SSL VPN communication between the remote user and the ASA uses HTTPS (port 443). This means the user must type https://[ASA public IP] in the browser. Because most users are used to http://, you can set up port redirection so that users can type http:// (port 80) and the ASA automatically redirects the browser to port 443.
ASA(config)# http redirect outside 80
STEP 5: Create an IP address pool from which the ASA assigns addresses to remote users. In the diagram above, after the user authenticates the ASA assigns the remote user an IP address in the range 192.168.5.1 to 192.168.5.20.
ASA(config)# ip local pool VPNpool 192.168.5.1-192.168.5.20 mask 255.255.255.0
STEP 6: Create a NAT exemption for traffic between the corporate LAN behind the ASA (192.168.1.0/24) and the remote users' address pool, so that this traffic is not translated.
ASA(config)# access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list NONAT
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ASA(config)# global (outside) 1 interface
The last two lines assume that normal Internet traffic is PATed on the outside interface.
STEP 7: Create a Group Policy for the AnyConnect WebVPN users
A Group Policy lets you separate remote access users into groups with different attributes. Group Policy attributes that can be configured include the DNS server address, split tunnelling settings, how the client is downloaded (automatically or after prompting the user) and whether the client software stays permanently on the user's computer.
ASA(config)# group-policy policy_name internal
ASA(config)# group-policy policy_name attributes
ASA(config-group-policy)# vpn-tunnel-protocol {[svc] [webvpn] [ipsec] [l2tp-ipsec]}
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# svc keep-installer {installed | none}
ASA(config-group-webvpn)# svc ask {none | enable [default {webvpn | svc} timeout value]}
Notes:
svc keep-installer {installed | none}: installed means the client stays permanently installed on the user's computer even after disconnecting. By default the client is uninstalled after the user disconnects from the AnyConnect session.
svc ask {none | enable [default {webvpn | svc} timeout value]}: this command controls how the AnyConnect client is downloaded to the user's computer.
STEP 8: Create a Tunnel Group.
The Tunnel Group must be associated with the Group Policy configured above. It also links the Group Policy with the IP address pool we configured for the remote users.
ASA(config)# tunnel-group tunnel_name type remote-access
ASA(config)# tunnel-group tunnel_name general-attributes
ASA(config-tunnel-general)# default-group-policy group_policy_name
Assigns the Group Policy configured in Step 7 above.
ASA(config-tunnel-general)# address-pool pool_name
Assigns the IP pool configured in Step 5 above.
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group tunnel_name webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias group_name_alias enable
Creates an alias name for the tunnel group that is listed on the login screen of the AnyConnect client.
ASA(config-tunnel-webvpn)# exit
ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable
Enables the list of alias names on the login screen of the AnyConnect client.
STEP 9: Create a local user on the ASA, which is used to authenticate AnyConnect
ASA(config)# username ssluser1 password secretpass
ASA(config)# username ssluser1 attributes
ASA(config-username)# service-type remote-access
The local user database is adequate for this lab; in production, authenticate remote users against a central AAA server (aaa-server with RADIUS or LDAP, referenced by authentication-server-group in the tunnel group's general-attributes) so that accounts are managed and revoked in one place.
f. Routing Protocol
i. Concept
First you need to know that the ASA is not a full-function router. It does, however, have a routing table that is used to choose the best path to reach a given destination network. After all, once a packet has passed the firewall rule checks, the firewall still has to route it to its destination.
Cisco ASA firewalls support both static and dynamic routing. Three dynamic routing protocols are supported, namely RIP, OSPF and EIGRP. It is highly recommended to configure static routing on the ASA firewall instead of dynamic routing, because a dynamic routing protocol can expose the structure of your internal network to outside networks. If you are not careful with the dynamic routing configuration, the ASA may start advertising your internal subnets to untrusted external networks.
There are, however, situations in which dynamic routing is necessary. One such case is a large network in which the ASA firewall sits inside the internal network or in the data centre. Here you benefit from a dynamic routing protocol on the ASA because you do not have to maintain static routes, and there is no risk of disclosing internal subnets to untrusted networks (because the ASA sits deep inside the campus network). Even then, use authenticated routing updates and do not run the protocol on the outside interface.
The following are some routing best practices for the ASA:
For small networks use only static routing. Use a static default route pointing to the gateway address connected to the outside interface (usually the Internet), and also use static routes for internal networks that are more than one hop away (i.e. not directly connected).
Any network directly connected to an ASA interface needs no static route configuration; the ASA firewall handles it.
If the ASA sits at the network perimeter (i.e. the border between trusted and untrusted networks), define a default route towards the untrusted external network and then configure specific static routes for the internal networks.
If the ASA sits inside a large network with many internal routes, configure a dynamic routing protocol.
ii. Routing techniques
Static routing
There are three kinds of static routes:
Directly Connected Route: directly connected routes are created automatically in the ASA routing table when you configure an IP address on a device interface.
Normal Static Route: provides a fixed path to a specific network.
Default Route: the default route is a statically configured route that the router uses when it receives a packet for a destination network that is not in its routing table; such packets are forwarded through the default route.
Use the route command to configure static routes:
ASA(config)# route [interface-name] [destination-network] [netmask] [gateway]
[interface-name]: the ASA interface through which the packet leaves.
[destination-network] [netmask]: the destination address and subnet mask.
[gateway]: the next hop to which the ASA sends the packet.
For the static routing configuration, refer to the diagram below; the result can be checked with show route.
Figure 12. Network model describing static routing
ASA(config)# route outside 0.0.0.0 0.0.0.0 100.1.1.1 (Default Route)
ASA(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1 (Static Route: to reach network 192.168.2.0 send the packets to 192.168.1.1)
Dynamic routing
- RIP:
RIP is one of the oldest dynamic routing protocols. Although it is not widely used in today's networks, you still find it in some cases. Cisco ASA version 7.x supports RIP in a limited way: an ASA running 7.x can only accept RIP routes and optionally advertise a static route. It cannot receive RIP advertisements from one neighbouring network and then advertise those routes to another neighbouring network. From ASA version 8.x onward the security appliance fully supports RIP. Both RIPv1 and RIPv2 are supported. However, RIPv1 is not recommended because it does not support authentication of routing updates.
- OSPF:
OSPF (Open Shortest Path First) is a dynamic routing protocol based on Link States rather than Distance Vectors (as RIP is) to select the optimal path. It is a better and more scalable routing protocol than RIP, which is why it is widely used in large enterprise networks. OSPF can be very complex and one could write a whole book about it.
- EIGRP
EIGRP is the enhanced version of the old IGRP. It is a Cisco proprietary protocol that only runs between Cisco devices. Support for EIGRP on the Cisco ASA exists from version 8.0 onward. Although EIGRP is very easy to use and flexible, network designers and administrators hesitate to use it widely since it only works with Cisco equipment, so you effectively depend on a single vendor. (Note: EIGRP on the ASA versions discussed here does not support IPv6.)
g. Backup link with SLA
When you configure a static route on the security appliance, the route stays permanently in the routing table. The only event that removes a static route from the routing table is the ASA interface going down. In every other case, such as the remote default gateway going down and interrupting the link, the ASA keeps sending packets to its gateway router without knowing that the path is actually broken.
From ASA version 7.2 onward the static route tracking feature is available. The ASA tracks a static route by sending ICMP echo requests through the primary static route and waiting for the replies. If the primary path is down, a secondary path is used. This feature is very useful when you want to implement Dual-ISP redundancy, as in the diagram below.
Figure 13. Backup link with SLA
In the network scenario above, interface eth0/0 (outside) is connected to the primary ISP and interface eth0/1 (backup) is connected to the backup ISP. Two static default routes are configured (one per ISP) using the "track" feature. The route to the primary ISP is tracked with ICMP echo requests. If no echo reply is received within a predefined time, the secondary static route is used. Note, however, that this approach only covers outbound traffic (i.e. from the internal network towards the Internet). Also choose the tracked target with care: probing only the ISP's next-hop router cannot detect a failure further upstream, so a stable address beyond the ISP's edge is a better target.
h. Failover
i. Introduction
Failover is a proprietary Cisco feature of the security appliances. Failover provides redundancy between ASA security appliances: one device acts as the backup of another. This redundancy mechanism provides resilience in your network, and depending on the failover type you use and how you implement it, the failover process can in most cases be transparent to users and hosts.
In this section you will learn about the failover feature. We discuss the two failover types, hardware and stateful, the requirements for setting up failover, the restrictions you will meet when implementing it, and how to handle software upgrades for an ASA pair in a failover configuration.
ii. Failover types
There are two failover types: hardware failover (in some cases called stateless failover) and stateful failover. When failover was first introduced, only hardware failover was available. Starting with version 6, stateful failover was implemented.
Hardware failover only provides redundancy of the hardware; in other words, it is the physical failover of a device. The configuration between the two ASA appliances is synchronised, but nothing else. So, for example, if a connection is handled by one ASA and that ASA fails, the other ASA can take over forwarding the failed device's traffic; but since the original connection was never replicated to the second device, that connection fails. This means all active connections are lost and must be re-established through the second device. For hardware failover, a failover link is required between the two ASA appliances; this is discussed in the Failover Cabling section.
Stateful failover provides both hardware and state redundancy. Besides synchronising the configuration of the ASA security appliances, other information is synchronised as well: the routing table, the xlate table, the current date and time, the layer 2 MAC address table (if the ASA is in transparent mode), SIP signalling sessions and VPN connections. When implementing stateful failover you need two links between the ASAs, a failover link and a stateful link.
iii. Failover deployment
Cisco supports two failover implementations. Through version 6 of the OS only active/standby was supported; active/active is supported from version 7. This section discusses both failover types and how the IP and MAC addressing of the devices is implemented in each.
Active/Standby Failover
An active/standby failover implementation has two devices: primary and secondary. By default the primary takes the active role and the secondary the standby role. Only the device in the active role processes traffic between the interfaces. Except for a few parameters, all configuration changes made on the active device are synchronised to the standby device. The standby device acts as a hot standby or backup for the active device. It does not forward traffic through its interfaces; its main function is to monitor the operation of the active device and promote itself to the active role if the active device stops working.
Figure 14. Active/standby failover model
Addressing and Failover
Each device (or context) participating in failover needs unique IP and MAC addresses on each subnet it connects to. If failover occurs, the device currently in the standby role is promoted to the active role and changes its IP and MAC addresses to those of the primary device. The new active device then sends frames (gratuitous ARP) out of every interface to update the MAC address tables of the directly connected switches. Note that the failed ASA does not become the standby device until the problem that caused the failover is resolved. Once the problem is cleared, the device that previously held the active role rejoins failover in the standby role and takes on the IP and MAC addresses of a normal standby device. In active/standby failover there is no preemption; in active/active failover, however, it is an option.
Figure 15. Failover and addressing model
Active/Active Failover
In an active/active failover implementation, both ASA devices in the failover pair process traffic. To accomplish this, two contexts are created: CTX1 takes the active role and forwards traffic for the LAN on the left while acting as standby for the LAN on the right, and vice versa for CTX2. Then static routes on the directly connected routers are used to load-balance traffic between the two contexts if they run in routed mode. If the contexts run in transparent mode, the directly connected routers can use a dynamic routing protocol and two equal-cost paths through the contexts to the routers on the other side.
Figure 15. Active/active failover model
III. Deploying the ASA features on GNS3
1. Deployment model
i. Real-world model
[Figure: network diagram. ASA interfaces: E0/0 Inside 192.168.10.0/24 (host 192.168.10.2/24); E0/1 DMZ 10.0.0.0/24 with the WEB Server and FTP Server at 10.0.0.2/24; E0/2 Outside 203.162.4.0/24 towards the Primary ISP (INTERNET); E0/3 123.0.0.0/24 towards the Backup ISP (INTERNET). A Remote PC at 200.200.200.2/24 sits on the 200.200.200.0/24 network on the Internet.]
ii. Model on GNS3
b. Configuration on the ASA
i. Routing
In the deployment model the ASA firewall is responsible for routing all internal networks out to the Internet. Depending on the requirements, routing can be static (static routes and a default route) or dynamic (RIP, EIGRP, OSPF). On routing devices of companies that are not large, however, static routing is preferred. In this model we use a default route that sends the internal networks to the external ISP.
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 203.162.4.2
ii. Access Control List
By default the ASA only allows traffic from an interface with a higher security level to one with a lower security level. To make network troubleshooting easier, we allow ICMP traffic from the DMZ (security-level 50) into the inside zone (security-level 100).
access-list DMZ_access_in extended permit icmp any any
Similarly, there is an access list on the outside interface that lets ICMP packets through:
access-list 101 extended permit icmp any any
Permitting all ICMP from the Internet is broader than troubleshooting needs; for production, restrict the entry to the ICMP types required (echo-reply, time-exceeded, unreachable) or enable inspect icmp, which only admits replies to pings originated from inside.
In the diagram above, the company builds a web server and an FTP server to support its operations. Here we build an IIS web server and an FTP server in the DMZ with address 10.0.0.2 (the running configuration in the appendix uses 10.10.10.2 on a 10.10.10.0/24 DMZ subnet), NATed to the outside address 203.162.4.100 so that any computer on the Internet can reach the company's web server. To let outside hosts in, we create an access control list that permits http and ftp to address 203.162.4.100.
access-list 101 extended permit tcp any host 203.162.4.100 eq www
access-list 101 extended permit tcp any host 203.162.4.100 eq ftp
access-list 101 extended permit tcp any host 203.162.4.100 eq ftp-data
Note that when FTP inspection is enabled (it is part of the ASA's default global policy) the data channel is opened dynamically from the control connection, so the ftp-data entry is not required.
iii. NAT
As in the model commonly applied in company networks today, all traffic from the internal networks to the outside uses address translation (PAT). All networks in the model, 192.168.10.0/24 and 10.0.0.0/24, are PATed to the outside interface address 203.162.4.1. This hides the internal addressing from the outside; it is not a substitute for the access lists above. The global entry on the backup interface is what allows PAT to keep working after the default route has switched to the backup ISP.
nat (inside) 1 192.168.10.0 255.255.255.0
nat (DMZ) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
global (backup) 1 interface
In addition, publishing the internal web and FTP servers to the outside requires static NAT. Here the web server and FTP server at 10.0.0.2 are published to the outside with the address 203.162.4.100 (the commands below and the appendix use 10.10.10.2, matching the 10.10.10.0/24 DMZ interface in the appendix).
static (DMZ,outside) tcp 203.162.4.100 ftp-data 10.10.10.2 ftp-data netmask 255.255.255.255
static (DMZ,outside) tcp 203.162.4.100 ftp 10.10.10.2 ftp netmask 255.255.255.255
static (DMZ,outside) tcp 203.162.4.100 www 10.10.10.2 www netmask 255.255.255.255
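The following is an added example, not the report's code: a model of the pre-8.3 translation rules configured above (the appendix runs ASA 8.0(2)). Outbound traffic from 192.168.10.0/24 and 10.10.10.0/24 is PATed to the address of the egress interface with a fresh source port per connection (nat ... 1 / global ... 1 interface); inside-to-DMZ traffic matching the NO_NAT list is exempt (nat (inside) 0); traffic arriving from the Internet is accepted only if it hits a static PAT entry (ftp, ftp-data, www on 203.162.4.100) or a dynamic xlate that an earlier outbound connection created. The addresses are the report's; the port allocator, the class and the flows in demo() are this model's own assumptions.

```python
import ipaddress

INTERFACE_IP = {"outside": "203.162.4.1", "backup": "123.0.0.1"}    # global (X) 1 interface
NAT_GROUP_1 = {"inside": ipaddress.ip_network("192.168.10.0/24"),
               "DMZ": ipaddress.ip_network("10.10.10.0/24")}        # nat (X) 1 ...
NO_NAT = (ipaddress.ip_network("192.168.10.0/24"),
          ipaddress.ip_network("10.10.10.0/24"))                   # nat (inside) 0 access-list NO_NAT
STATIC_PAT = {("203.162.4.100", 20): ("10.10.10.2", 20),            # ftp-data
              ("203.162.4.100", 21): ("10.10.10.2", 21),            # ftp
              ("203.162.4.100", 80): ("10.10.10.2", 80)}            # www


class XlateTable:
    """Translation table for this configuration: one dynamic entry per outbound flow."""

    def __init__(self, first_port=1024):
        self.next_port = first_port          # assumed allocator for PAT source ports
        self.dynamic = {}                    # (global ip, global port) -> (real ip, real port)

    def outbound(self, in_if, out_if, src, sport, dst):
        """Translate a flow entering in_if and leaving out_if.
        Returns the (ip, port) the far side sees, or None when no nat/global pair applies
        (with nat-control enabled such a flow is dropped)."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if in_if == "inside" and src_ip in NO_NAT[0] and dst_ip in NO_NAT[1]:
            return (src, sport)              # NAT exemption: the real address is kept
        if out_if in INTERFACE_IP and in_if in NAT_GROUP_1 and src_ip in NAT_GROUP_1[in_if]:
            mapped = (INTERFACE_IP[out_if], self.next_port)
            self.next_port += 1
            self.dynamic[mapped] = (src, sport)
            return mapped
        return None

    def inbound(self, dst, dport):
        """Where a packet from the Internet is delivered, or None if it matches no xlate."""
        return STATIC_PAT.get((dst, dport)) or self.dynamic.get((dst, dport))


def demo():
    """Constructed flows; returns what each one is translated to."""
    xl = XlateTable()
    out = {}
    out["lan_to_internet"] = xl.outbound("inside", "outside", "192.168.10.50", 51000, "8.8.8.8")
    out["lan_via_backup"] = xl.outbound("inside", "backup", "192.168.10.50", 51001, "8.8.8.8")
    out["dmz_to_internet"] = xl.outbound("DMZ", "outside", "10.10.10.2", 51002, "8.8.8.8")
    out["lan_to_dmz"] = xl.outbound("inside", "DMZ", "192.168.10.50", 51003, "10.10.10.2")
    out["web_in"] = xl.inbound("203.162.4.100", 80)        # published service
    out["rdp_in"] = xl.inbound("203.162.4.100", 3389)      # not published: no xlate
    out["reply_to_lan"] = xl.inbound(*out["lan_to_internet"])   # return traffic finds its xlate
    return out
```

The model shows the property that matters operationally: only the three statically published ports on 203.162.4.100 are reachable from outside, and everything else on that address has no translation and is discarded before any ACL is consulted. The outbound PAT entries are what let replies to inside-originated connections come back in.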
iv. Link monitoring
Loss of connectivity on a link happens often. For problems inside the internal network, the administrators handle the incident themselves. Problems whose cause lies with the ISP, however, are outside our control. Therefore, to keep the system available at all times, a backup link is usually leased and switched to when the primary link fails. The ASA supports a mechanism that monitors the link and switches to the backup link immediately. It works by having the ASA continuously ping the ISP's address; if no reply arrives within the configured timeout (3000 ms here, with a probe every 5 seconds), the ASA considers the link to the ISP down and switches to the backup link. While running on the backup link it keeps pinging the Primary ISP, and as soon as it receives a reply from the Primary it switches back to the link to the Primary ISP. The state can be checked with show track 10 and show route.
sla monitor 100
 type echo protocol ipIcmpEcho 203.162.4.2 interface outside
 timeout 3000
 frequency 5
sla monitor schedule 100 life forever start-time now
track 10 rtr 100 reachability
route outside 0.0.0.0 0.0.0.0 203.162.4.2 1 track 10
route backup 0.0.0.0 0.0.0.0 123.0.0.2 254
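The following is an added example, not the report's code: a model of the tracked default route configured above. sla monitor 100 sends an ICMP echo to 203.162.4.2 every frequency seconds and counts the probe as failed when no reply arrives within timeout milliseconds; track 10 follows the probe's reachability; the primary default route (metric 1) stays installed only while track 10 is up, so the floating backup route (metric 254) takes over otherwise and is withdrawn again once a probe succeeds. The probe outcomes are constructed inline; the class and function names are this model's own.

```python
class TrackedDefaultRoute:
    """Two candidate default routes, one of them tied to an SLA track object."""

    def __init__(self, timeout_ms=3000, frequency_s=5):
        self.timeout_ms = timeout_ms          # sla monitor 100: timeout 3000
        self.frequency_s = frequency_s        # sla monitor 100: frequency 5
        self.track_up = True                  # track 10 after a successful first probe
        self.candidates = [
            {"iface": "outside", "gw": "203.162.4.2", "metric": 1, "track": 10},
            {"iface": "backup", "gw": "123.0.0.2", "metric": 254, "track": None},
        ]

    def probe(self, reply_ms):
        """One sla monitor cycle; reply_ms is the echo-reply delay, None when nothing came back."""
        self.track_up = reply_ms is not None and reply_ms <= self.timeout_ms
        return self.track_up

    def installed_route(self):
        """A route whose track object is down is removed from the table; among the
        remaining candidates the lowest metric is the one the ASA forwards on."""
        usable = [r for r in self.candidates if r["track"] is None or self.track_up]
        return min(usable, key=lambda r: r["metric"])


def simulate(probe_results):
    """Feed a sequence of probe outcomes; returns the egress interface chosen after each."""
    tr = TrackedDefaultRoute()
    chosen = []
    for reply_ms in probe_results:
        tr.probe(reply_ms)
        chosen.append(tr.installed_route()["iface"])
    return chosen


def worst_case_detection_s(timeout_ms=3000, frequency_s=5):
    """Longest time the outage can go unnoticed: a failure just after a good probe is
    only seen when the next probe, one interval later, times out."""
    return frequency_s + timeout_ms / 1000
```

simulate([200, 150, None, 5000, 100]) yields outside, outside, backup, backup, outside: a lost reply and a late reply both pull the primary route, and the first good reply reinstalls it. Because the static PAT entries above bind the published server to 203.162.4.100 on the outside interface only, this mechanism keeps outbound traffic flowing through the backup ISP but does not make the server reachable from the Internet while the primary link is down.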
v. DHCP
We build a DHCP server on the ASA itself to hand out IP addresses to the internal network:
dhcpd address 192.168.10.50-192.168.10.100 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside

APPENDIX
ASA configuration
ciscoasa# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 203.162.4.1 255.255.255.0
!
interface Ethernet0/3
nameif backup
security-level 100
ip address 123.0.0.1 255.255.255.0
!
interface Ethernet0/4
shutdown

no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list icmp-in extended permit icmp any any
access-list 101 extended permit tcp any host 203.162.4.100 eq www
access-list 101 extended permit tcp any host 203.162.4.100 eq ftp
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any host 203.162.4.100 eq ftp-data
access-list NO_NAT extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
pager lines 24
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list NO_NAT

nat (inside) 1 192.168.10.0 255.255.255.0
nat (DMZ) 1 10.10.10.0 255.255.255.0
static (DMZ,outside) tcp 203.162.4.100 ftp-data 10.10.10.2 ftp-data netmask 255.255.255.255
static (DMZ,outside) tcp 203.162.4.100 ftp 10.10.10.2 ftp netmask 255.255.255.255
static (DMZ,outside) tcp 203.162.4.100 www 10.10.10.2 www netmask 255.255.255.255
access-group DMZ_access_in in interface DMZ
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 203.162.4.2 1 track 10
route backup 0.0.0.0 0.0.0.0 123.0.0.2 254
timeout xlate 3:00:00