
Security Training - Cisco Firewall

Course schedule

Five days; mornings from 9:00 to 11:30, afternoons from 14:00 to 16:30.

Day 1:
  Lesson 1: Overview of Cisco firewalls
  Lesson 2: Getting started with configuring the Cisco security appliance

Day 2:
  Lesson 2 (continued)
  Lesson 3: Managing the Cisco ASA security appliance
  Lesson 4: Access Control Lists

Day 3:
  Lesson 5: Cisco Adaptive Security Device Manager
  Lesson 6: Firewall Switch Modules (FWSM)

Mornings 8:30-11:30: theory
Afternoons 14:00-17:00: hands-on labs

  Lab 1: Connect to the firewall console
  Lab 2: Run some basic commands
  Lab 3: Configure the interfaces
  Lab 4: Configure NAT and routing
  Lab 5: Test connectivity to the Inside, Outside and DMZ ports
  Lab 6: Configure access-lists (ACLs) on the firewall
  Lab 7: Administer the Cisco firewall

Introductions

Presenter:
  1. Full name
  2. Current position
  3. Experience

Students introduce themselves:
  1. Full name
  2. Current position
  3. Experience with network security

Lesson 1: Overview of Cisco firewalls

What is a firewall?

[Diagram: the Internet, an Outside network zone, a DMZ network zone and an Inside network zone, separated by the firewall]

A firewall is a system, or a group of systems, that controls access between two or more network zones.

Firewall technologies

A firewall operates using one of three technologies:

  Packet filtering
  Proxy server
  Stateful packet filtering

Packet filtering

[Diagram: Host A on the Internet sends data to Server B in the DMZ and to Server C on the Inside; the filter's decision is A to B: Yes, A to C: No]

Access control is based on the source address and the destination address of the incoming packet.

Proxy server

[Diagram: Outside network, Internet, proxy server, Inside network]

Connections are made through an intermediate server that acts on behalf of the client.

Stateful packet filtering

[Diagram: Host A on the Internet sends HTTP data to Server B in the DMZ and to Server C on the Inside]

Access control is based not only on the source and destination addresses of the incoming packet but also on a state table.

State table:

  Source address  Destination address  Source port  Destination port  Initial sequence no.  Ack  Flag
  192.168.0.20    172.16.0.50          1026         80                49769                      Syn
  10.0.0.11       172.16.0.50          1026         80                49091                      Syn
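The state table above, as an added example (not from the slides): a minimal stateful filter that records outbound SYNs from a higher-security zone and permits return traffic only when it matches a recorded entry. The zone security levels are assumed from the later slides (inside 100, dmz 50, outside 0).

```python
from dataclasses import dataclass

# Security levels of the three zones used throughout the slides (assumed here).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int        # TCP sequence number carried by the packet
    flags: str      # "SYN", "SYN-ACK", "ACK", ...
    in_zone: str    # zone the packet arrives from
    out_zone: str   # zone it is heading to


class StatefulFilter:
    """State table keyed on the slide's columns: source, destination and ports."""

    def __init__(self):
        self.table = {}   # (src, dst, sport, dport) -> row dict

    def process(self, pkt):
        """Return 'permit' or 'deny', updating the state table on the way."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if key in self.table or reverse in self.table:
            # Part of a tracked connection: reply traffic passes in either
            # direction without needing a rule of its own.
            return "permit"
        if pkt.flags == "SYN" and SECURITY_LEVEL[pkt.in_zone] > SECURITY_LEVEL[pkt.out_zone]:
            # New connection from a higher to a lower security zone: permitted
            # by default and recorded so the returning SYN-ACK is recognised.
            self.table[key] = {"isn": pkt.seq, "flag": "Syn"}
            return "permit"
        # Everything else is dropped: a SYN from a lower zone, or a stray ACK /
        # SYN-ACK with no matching state. A plain packet filter judging only
        # addresses and ports could let such a stray ACK through.
        return "deny"

    def rows(self):
        """Rows in the order of the slide's state-table columns."""
        return [(s, d, sp, dp, r["isn"], r["flag"])
                for (s, d, sp, dp), r in self.table.items()]
```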

Cisco security appliances

Cisco security appliances provide security solutions aimed at a wide range of customers. Some of their features are:

  Proprietary operating system
  Stateful packet inspection
  User authentication
  Application and protocol inspection
  Modular policy framework
  Virtual private networks (VPN)
  Security contexts (virtual firewalls)
  Stateful failover
  Transparent firewalls
  Web-based management

Proprietary operating system

Using a dedicated operating system removes the security risks that come with sharing a general-purpose operating system.

Stateful packet inspection

The stateful packet inspection algorithm provides secure connections. By default it permits connections from hosts in the inside zone (higher security level) to zones with a lower security level, and by default it blocks connections from hosts in the outside zone (lower security level) to zones with a higher security level. The algorithm also supports authentication, authorization, and accounting.

Application awareness

[Diagram: FTP client and FTP server. The control connection uses server port 21 and the data connection server port 20; the client announces its data port (2010) over the control channel from port 2008, the server answers OK, and the firewall opens port 2010 for the data transfer]

Some protocols, such as FTP, HTTP, H.323, and SQL*Net, need connections on several different ports to carry data through the firewall. The security appliance tracks these connections and opens the ports each application needs in a controlled way, per application.

Modular policy

[Diagram: Headquarters connected to the Internet over a T1; traffic of the Systems Engineer (SE), of the Executives (exec) and of the site-to-site (S2S) tunnels to Site B and Site C is classified separately]

  Class Map:      traffic flows: Default, Internet, Systems Engineer, Executives, Site to Site
  Policy Map:     services: Inspect, IPS, Police, Priority
  Service Policy: applied per interface or globally: Global, Outside

Virtual private networks (VPN)

[Diagram: Headquarters connected over the Internet to a site-to-site peer and to remote-access users]

  Site to site
  Remote access
  IPsec VPN
  SSL VPN

Security contexts

[Diagram: four physical firewalls compared with one physical firewall hosting four virtual firewalls, each connected to the Internet]

Security contexts make it possible to create several virtual firewalls on a single physical firewall appliance.

Failover: Active/Standby, Active/Active, and Stateful Failover

[Diagram: Active/Standby failover with the primary failed and the secondary active; Active/Active failover with contexts 1 and 2 spread across the pair, the primary failed/standby and the secondary active/active]

Failover keeps network connectivity up when a device fails.

  Active/Standby: one device is the primary, the other is the standby.
  Active/Active: both devices run, sharing the load and backing each other up.
  Stateful failover: maintains connection state when the primary device fails.

Transparent firewall

[Diagram: hosts 192.168.1.5 and 192.168.1.2 on the same subnet, with the firewall between them and the Internet]

The security appliance can be deployed as a layer 2 device. It provides security from layer 2 to layer 7 while operating as a layer 2 device.

Web-based management

Adaptive Security Device Manager (ASDM)

Cisco firewall models and features

The ASA 5500 product line

[Chart: price versus function. From low to high: ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550. Target markets: ROBO offices, small business, large enterprise, SP. The upper models are marked Gigabit Ethernet]

SP = service provider

The PIX 500 product line

[Chart: price versus function. From low to high: PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535. Target markets: SOHO, ROBO offices, small business, large enterprise, SP. The upper models are marked Gigabit Ethernet]

The Cisco ASA 5510 security appliance

  Strengthens security and provides network services, including VPN services, for small businesses.
  Up to 130,000 concurrent connections.
  Throughput up to 300 Mbps.
  Supported interfaces: up to 5 10/100 Fast Ethernet ports; up to 25 VLANs.
  Up to 5 contexts.
  Active/standby failover.
  VPN support: site to site (250 peers), remote access, WebVPN.
  Supports additional SSM modules (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and the 4-port Gigabit Ethernet SSM).

The Cisco ASA 5520 security appliance

  Provides security services, including VPN, for medium-sized businesses.
  Up to 280,000 concurrent connections.
  Throughput up to 450 Mbps.
  Supported interfaces: 4 10/100/1000 Gigabit Ethernet interfaces; 1 10/100 Fast Ethernet interface; up to 100 VLANs.
  Up to 20 contexts.
  Failover: active/standby, active/active.
  VPN support: site to site (750 peers), remote access, WebVPN.
  Supports additional SSM modules (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and the 4-port Gigabit Ethernet SSM).

The Cisco ASA 5540 security appliance

  Provides high-performance security services, including VPN, for large enterprises and service providers.
  Up to 400,000 concurrent connections.
  Throughput up to 650 Mbps.
  Supported interfaces: 4 10/100/1000 Gigabit Ethernet interfaces; 1 10/100 Fast Ethernet interface; up to 200 VLANs.
  Up to 50 contexts.
  Failover: active/standby, active/active.
  VPN support: site to site (5,000 peers), remote access, WebVPN.
  Supports additional SSM modules (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and the four-port Gigabit Ethernet SSM).

Front panel of the ASA 5510, 5520 and 5540 security appliances

[Diagram: front-panel LEDs: Power, Status, Active, Flash, VPN]

Rear panel of the ASA 5510, 5520 and 5540 security appliances

[Diagram: flash memory, SSM module slot, fixed interfaces]

Connectors of the ASA 5510, 5520 and 5540 security appliances

  Flash memory
  Out-of-band management port
  Console port
  Power supply (AC or DC)
  4 10/100/1000 Gigabit Ethernet ports (* the ASA 5510 provides 10/100 ports)
  2 USB 2.0 ports
  AUX port

Cisco ASA Security Services Module (SSM)

  The module provides extended services for the security appliance.
  It uses flash memory for greater reliability.
  It has a Gigabit Ethernet port for out-of-band management.

SSM models

  SSM-10: 2.0 GHz processor, 1.0 GB RAM
  SSM-20: 2.4 GHz processor, 2.0 GB RAM

[Diagram: SSM LEDs: Link and activity, Speed, Power, Status]

4-port Gigabit Ethernet SSM

[Diagram: RJ-45 link LED, RJ-45 speed LED, SFP link LED, SFP speed LED, RJ-45 ports, SFP ports, Status LED, Power LED]

Summary

  A firewall is a device that controls access from one network zone to another.
  A stateful firewall is the most effective kind.
  Cisco security appliances include the PIX and the ASA.
  The ASA 5510 and 5520 security appliances target the small and medium business market.
  The functions of the security appliance can be extended with SSMs.

Lesson 2: Getting started with configuring the Cisco security appliance

The user interface

Access modes

The Cisco security appliance has four access modes:

  Unprivileged
  Privileged
  Configuration
  Monitor

Privileged mode

  ciscoasa> enable [priv_level]

This command enters privileged mode.

  ciscoasa> enable
  password:
  ciscoasa#

Configuration mode: the configure terminal command

  ciscoasa# configure terminal

Use this command to enter configuration mode.

  ciscoasa# exit

The exit command leaves the current mode and returns to the previous one.

  ciscoasa> enable
  password:
  ciscoasa# configure terminal
  ciscoasa(config)# exit
  ciscoasa# exit
  ciscoasa>

The help command (help or ?)

  ciscoasa> ?
    enable   Turn on privileged commands
    exit     Exit the current command mode
    login    Log in as a particular user
    logout   Exit from current user profile to unprivileged mode
    perfmon  Change or view performance monitoring options
    ping     Test connectivity from specified interface to an IP address
    quit     Exit the current command mode

  ciscoasa> help enable
  USAGE: enable [<priv_level>]

Managing and saving configuration files

Viewing and saving the configuration

The following commands display the configuration:

  show running-config
  show startup-config

[Diagram: startup-config (saved) and running-config (the configuration being changed); copy run start writes the changes to startup-config]

The following commands save the running configuration to the startup configuration:

  copy run start
  write memory

Clearing the running configuration (running-config)

  ciscoasa(config)# clear configure all

Clears the running configuration. [Diagram: running-config reset to the default; startup-config untouched]

  ciscoasa(config)# clear config all

Clearing the startup configuration (startup-config)

  ciscoasa# write erase

Erases the startup configuration. [Diagram: startup-config reset to the default; running-config untouched]

  ciscoasa# write erase

Restarting the appliance: the reload command

  ciscoasa# reload [at hh:mm [month day | day month]] [cancel] [in [hh:]mm] [max-hold-time [hh:]mm] [noconfirm] [quick] [reason text] [save-config]

On restart, the appliance automatically copies startup-config into running-config and runs it.

  ciscoasa# reload
  Proceed with reload? [confirm] y
  Rebooting...

System files

Release 7.0 and later:

  Software image
  Configuration file
  Private data
  ASDM image
  Backup image*
  Backup configuration file*

Displaying stored files: system files and configuration files

File systems: ASA: disk0:, disk1:; PIX: flash:

  ciscoasa# dir [/all] [/recursive] [all-filesystems] [disk0: | disk1: | flash: | system:]

Displays the contents of the disk.

  ciscoasa# dir
  Directory of disk0:/
  8     -rw-  8202240  13:37:33 Jul 28 2006  asa721-k8.bin
  1264  -rw-  5539756  13:21:13 Jul 28 2006  asdm-521.bin

  62947328 bytes total (49152000 bytes free)

Security levels

[Diagram: the appliance with three interfaces]

  GigabitEthernet0/0 (g0/0): Outside zone, security level 0, interface name = outside
  GigabitEthernet0/1 (g0/1): Inside zone, security level 100, interface name = inside
  GigabitEthernet0/2 (g0/2): DMZ zone, security level 50, interface name = DMZ

Checking the state of the security appliance

The show commands

  asa1# show run interface
  . . .
  interface GigabitEthernet0/0
   speed 1000
   duplex full
   nameif outside
   security-level 0
   ip address 192.168.1.2 255.255.255.0
  !
  interface GigabitEthernet0/1
   speed 1000
   duplex full
   nameif inside
   security-level 100
   ip address 10.0.1.1 255.255.255.0
  . . .

  asa1# show interface
  Interface GigabitEthernet0/0 "outside", is up, line protocol is up
    Detected: Speed 1000 Mbps, Full-duplex
    Requested: Auto
    MAC address 000b.fcf8.c538, MTU 1500
    IP address 192.168.1.2, subnet mask 255.255.255.0
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 packets output, 0 bytes, 0 underruns
    input queue (curr/max blocks): hardware (0/0) software (0/0)
    output queue (curr/max blocks): hardware (0/0) software (0/0)
    Received 0 VLAN untagged packets, 0 bytes
    Transmitted 0 VLAN untagged packets, 0 bytes
    Dropped 0 VLAN untagged packets

The show memory command

  ciscoasa# show memory

  asa1# show memory
  Free memory:       468962336 bytes (87%)
  Used memory:        67908576 bytes (13%)
  -------------     ----------------
  Total memory:      536870912 bytes (100%)

The show cpu usage command

[Diagram: the appliance between the Internet and inside hosts 10.0.1.11 and 10.0.1.4]

  ciscoasa# show cpu usage

  asa1# show cpu usage
  CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

The show version command

  asa1# show version
  Cisco Adaptive Security Appliance Software Version 7.2(1)
  Device Manager Version 5.2(1)
  Compiled on Wed 31-May-06 14:45 by root
  System image file is "disk0:/asa721-k8.bin"
  Config file at boot was "startup-config"
  ciscoasa up 2 mins 51 secs
  Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
  Internal ATA Compact Flash, 64MB
  BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
  . . .

The show ip address command

[Diagram: the appliance is .2 on 192.168.1.0 towards the Internet (gateway .1), .1 on 10.0.1.0, and .1 on 172.16.1.0; a further network 10.1.1.0 sits behind the inside]

  asa1# show ip address
  System IP Addresses:
  Interface           Name     IP address    Subnet mask    Method
  GigabitEthernet0/0  outside  192.168.1.2   255.255.255.0  CONFIG
  GigabitEthernet0/1  inside   10.0.1.1      255.255.255.0  CONFIG
  GigabitEthernet0/2  dmz      172.16.1.1    255.255.255.0  CONFIG
  Current IP Addresses:
  Interface           Name     IP address    Subnet mask    Method
  GigabitEthernet0/0  outside  192.168.1.2   255.255.255.0  CONFIG
  GigabitEthernet0/1  inside   10.0.1.1      255.255.255.0  CONFIG
  GigabitEthernet0/2  dmz      172.16.1.1    255.255.255.0  CONFIG

The show interface command

  asa1# show interface
  Interface GigabitEthernet0/0 "outside", is up, line protocol is up
    Hardware is i82546GB rev03, BW 1000 Mbps
          Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
          MAC address 0013.c482.2e4c, MTU 1500
          IP address 192.168.1.2, subnet mask 255.255.255.0
          8 packets input, 1078 bytes, 0 no buffer
          Received 8 broadcasts, 0 runts, 0 giants
          0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
          0 L2 decode drops
          0 packets output, 0 bytes, 0 underruns
          0 output errors, 0 collisions
          0 late collisions, 0 deferred
          input queue (curr/max blocks): hardware (8/0) software (0/0)
          output queue (curr/max blocks): hardware (0/0) software (0/0)
    Traffic Statistics for "outside":
          8 packets input, 934 bytes
          0 packets output, 0 bytes
          8 packets dropped
        1 minute input rate 0 pkts/sec, 0 bytes/sec
        1 minute output rate 0 pkts/sec, 0 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 0 pkts/sec, 0 bytes/sec
        5 minute output rate 0 pkts/sec, 0 bytes/sec
        5 minute drop rate, 0 pkts/sec

The show nameif command

[Diagram: GigabitEthernet0/0 (g0/0) name = outside, security level = 0; GigabitEthernet0/1 (g0/1) name = inside, security level = 100; GigabitEthernet0/2 (g0/2) name = dmz, security level = 50]

  asa1# show nameif
  Interface           Name     Security
  GigabitEthernet0/0  outside    0
  GigabitEthernet0/1  inside   100
  GigabitEthernet0/2  dmz       50

The show run nat command

[Diagram: inside hosts 10.0.1.11 and 10.0.1.4 on 10.0.1.X are translated to X.X.X.X towards the Internet]

  ciscoasa# show run nat

Displays the hosts or the address range that are translated by NAT.

  asa1# show run nat
  nat (inside) 1 10.0.1.0 255.255.255.0 0 0

The show run global command

[Diagram: inside hosts 10.0.1.11 and 10.0.1.4 on 10.0.1.X use the mapped pool 192.168.1.20-192.168.1.254 towards the Internet]

  ciscoasa# show run global

Displays the address range that will be mapped to the inside hosts.

  asa1# show run global
  global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0

The show xlate command

[Diagram: the xlate table maps inside local 10.0.1.11 to the outside mapped pool address 192.168.1.20; host 10.0.1.4 has no entry]

  ciscoasa# show xlate

Displays the contents of the translation slots.

  asa1# show xlate
  1 in use, 1 most used
  Global 192.168.1.20 Local 10.0.1.11

The show route command

[Diagram: g0/0 on 192.168.1.0 towards the Internet (gateway .1), g0/1 on 10.0.1.0, g0/2 on 172.16.1.0]

  ciscoasa# show route [interface_name [ip_address [netmask [static]]]]

Displays the routing table.

  asa1(config)# show route
  S    0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
  C    10.0.1.0 255.255.255.0 is directly connected, inside
  C*   127.0.0.0 255.255.0.0 is directly connected, cplane
  C    172.16.1.0 255.255.255.0 is directly connected, dmz
  C    192.168.1.0 255.255.255.0 is directly connected, outside

The ping command

[Diagram: the appliance between the Internet and inside hosts 10.0.1.11 and 10.0.1.4]

  ciscoasa# ping [if_name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]

Checks whether a host is reachable on the network.

  asa1# ping 10.0.1.11
  Sending 5, 100-byte ICMP Echos to 10.0.1.11, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

The traceroute command

[Diagram: the appliance tracing the path across the Internet to example.com]

  ciscoasa# traceroute {destination_ip | hostname} [source source_ip | source-interface] [numeric] [timeout timeout_value] [probe probe_num] [ttl min_ttl max_ttl] [port port_value] [use-icmp]

Traces the path packets take to the destination.

  asa1# traceroute 172.26.26.20

Basic configuration of the Cisco firewall

Basic configuration commands

  hostname
  interface
  nameif
  ip address
  security-level
  speed
  duplex
  no shutdown
  nat-control
  nat
  global
  route

[Diagram: the appliance with g0/0 towards the Internet, g0/1 and g0/2]

Changing the name (hostname)

[Diagram: three sites, each with a server and an appliance: New York (asa1), Boston (asa2), Dallas (asa3), connected over the Internet]

  ciscoasa(config)# hostname newname

Changes the hostname from the command line.

  ciscoasa(config)# hostname asa1
  asa1(config)#

Interface commands

[Diagram: GigabitEthernet0/0 (g0/0) towards the Internet, GigabitEthernet0/1 (g0/1), GigabitEthernet0/2 (g0/2)]

  ciscoasa(config)# interface {physical_interface[.subinterface] | mapped_name}

Enters the configuration mode of one interface.

  asa1(config)# interface GigabitEthernet0/0
  asa1(config-if)#

Naming an interface: the nameif command

[Diagram: GigabitEthernet0/0 (g0/0) interface name = outside; GigabitEthernet0/1 (g0/1) interface name = inside; GigabitEthernet0/2 (g0/2) interface name = dmz]

  ciscoasa(config-if)# nameif if_name

Names the interface outside.

  asa1(config)# interface GigabitEthernet0/0
  asa1(config-if)# nameif outside

Assigning an IP address to an interface: the ip address command

[Diagram: GigabitEthernet0/0 (g0/0) interface name = outside, IP address = 192.168.1.2; g0/1 and g0/2]

  ciscoasa(config-if)# ip address ip_address [mask] [standby ip_address]

Assigns an IP address to the interface.

  asa1(config)# interface GigabitEthernet0/0
  asa1(config-if)# nameif outside
  asa1(config-if)# ip address 192.168.1.2 255.255.255.0

Obtaining a dynamic IP address (DHCP)

[Diagram: GigabitEthernet0/0 (g0/0) interface name = outside, IP address = dhcp, obtained from the Internet side]

  ciscoasa(config-if)# ip address dhcp [setroute]

Lets the outside interface obtain a dynamic address.

  asa1(config)# interface GigabitEthernet0/0
  asa1(config-if)# nameif outside
  asa1(config-if)# ip address dhcp

Assigning a security level: the security-level command

[Diagram: GigabitEthernet0/0 (g0/0) interface name = outside, IP address = 192.168.1.2, security level = 0; g0/1 and g0/2]

  ciscoasa(config-if)# security-level number

Assigns a security level to the interface.

  asa1(config)# interface GigabitEthernet0/0
  asa1(config-if)# nameif outside
  asa1(config-if)# ip address 192.168.1.2
  asa1(config-if)# security-level 0

Allowing traffic between interfaces with the same security level: the same-security-traffic command

[Diagram: DMZ network on GigabitEthernet0/2 (g0/2), security level 100, interface name = dmz; Inside network on GigabitEthernet0/1 (g0/1), security level 100, interface name = inside; g0/0 towards the Internet]

  ciscoasa(config)# same-security-traffic permit {inter-interface | intra-interface}

Permits traffic between interfaces that have the same security level, or in and out of the same interface.

  asa1(config)# same-security-traffic permit inter-interface

Setting speed and duplex: the speed and duplex commands

[Diagram: GigabitEthernet0/0 (g0/0) towards the Internet with speed = 1000 and duplex = full; g0/1 and g0/2]

  ciscoasa(config-if)# speed {10 | 100 | 1000 | auto | nonegotiate}
  ciscoasa(config-if)# duplex {auto | full | half}

Sets the speed and duplex of the interface.

  asa1(config)# interface GigabitEthernet0/0
  asa1(config-if)# nameif outside
  asa1(config-if)# ip address 192.168.1.2
  asa1(config-if)# security-level 0
  asa1(config-if)# speed 1000
  asa1(config-if)# duplex full

The ASA management interface

[Diagram: Management0/0 (m0/0) with management only = no, beside g0/0 towards the Internet, g0/1 and g0/2]

  ciscoasa(config-if)# management-only

Configures the interface to accept management traffic only.

  ciscoasa(config-if)# no management-only

Turns off management-only mode.

  asa1(config)# interface management0/0
  asa1(config-if)# no management-only

Disables management-only mode (for the ASA 5520, 5540 and 5550).

Enabling or disabling interfaces: the shutdown command

[Diagram: GigabitEthernet0/0 (g0/0) towards the Internet, enabled; g0/1 and g0/2]

  ciscoasa(config-if)# shutdown

The shutdown command disables the interface; no shutdown enables the interface.

  asa1(config)# interface GigabitEthernet0/0
  asa1(config-if)# no shutdown

Network Address Translation (NAT)

[Diagram: inside host 10.0.0.11 sends to 192.168.10.11 on the Internet; the appliance rewrites the source to 192.168.0.20. Host 10.0.0.4 is also on the inside]

Address translation table:

  Outside mapped pool  Inside local
  192.168.0.20         10.0.0.11

Enabling NAT control

[Diagram: inside host 10.0.0.11 sends to 200.200.200.11 on the Internet; the appliance rewrites the source to 192.168.0.20]

Translation table:

  Outside mapped pool  Inside local
  192.168.0.20         10.0.0.11

To enable NAT control:

  asa1(config)# nat-control

The nat command

[Diagram: inside hosts 10.0.1.11 and 10.0.1.4; 10.0.1.11 is translated to X.X.X.X towards the Internet]

  ciscoasa(config)# nat (if_name) nat_id address [netmask] [dns]

Enables NAT for an address range.

  asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0

The global command

[Diagram: inside hosts 10.0.1.11 and 10.0.1.4; 10.0.1.11 is translated to 192.168.1.20 towards the Internet]

  ciscoasa(config)# global (if_name) nat_id {mapped_ip[-mapped_ip] [netmask mapped_mask]} | interface

Combined with the nat command, this command assigns a range of public IP addresses to be mapped to the inside hosts, for example 192.168.0.20-192.168.0.254.

  asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0
  asa1(config)# global (outside) 1 192.168.1.20-192.168.1.254

Configuring static routes: the route command

[Diagram: default route towards the Internet via 192.168.1.1; static route to 10.1.1.0 (hosts 10.1.1.11 and 10.1.1.4) via the inside router 10.0.1.102]

  ciscoasa(config)# route if_name ip_address netmask gateway_ip [metric]

Configures a static route or a default route on an interface.

  asa1(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
  asa1(config)# route inside 10.1.1.0 255.255.255.0 10.0.1.102 1

Mapping hostnames to IP addresses: the name command

[Diagram: bastionhost 172.16.1.2 on the 172.16.1.0 network (appliance .1); insidehost 10.0.1.11 on the 10.0.1.0 network (appliance .1)]

  ciscoasa(config)# name ip_address name

Associates server IP addresses with names.

  asa1(config)# names
  asa1(config)# name 172.16.1.2 bastionhost
  asa1(config)# name 10.0.1.11 insidehost

Sample configuration

[Diagram: GigabitEthernet0/0, interface name = outside, security level = 0, IP address = 192.168.1.2 on 192.168.1.0 towards the Internet; GigabitEthernet0/1, interface name = inside, security level = 100, IP address = 10.0.1.1 on 10.0.1.0, with 10.1.1.0 behind it; 172.16.1.0 on the third interface]

  asa1(config)# write terminal
  . . .
  interface GigabitEthernet0/0
   speed 1000
   duplex full
   nameif outside
   security-level 0
   ip address 192.168.1.2 255.255.255.0
  interface GigabitEthernet0/1
   speed 1000
   duplex full
   nameif inside
   security-level 100
   ip address 10.0.1.1 255.255.255.0
  . . .

Sample configuration (continued)

[Diagram: GigabitEthernet0/2, interface name = dmz, security level = 50, IP address = 172.16.1.1, with bastionhost 172.16.1.2 on 172.16.1.0; insidehost 10.1.1.11 on 10.1.1.0 behind the inside network 10.0.1.0]

  interface GigabitEthernet0/2
   nameif dmz
   security-level 50
   speed 1000
   duplex full
   ip address 172.16.1.1 255.255.255.0
  passwd 2KFQnbNIdI.2KYOU encrypted
  hostname asa1
  names
  name 172.16.1.2 bastionhost
  name 10.1.1.11 insidehost

Sample configuration (continued)

[Diagram: default route towards the Internet via 192.168.1.1; static route to 10.1.1.0 via 10.0.1.102; mapped pool 192.168.1.20-254 on the outside; bastionhost 172.16.1.2 in the DMZ; insidehost 10.1.1.11]

  nat-control
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  global (outside) 1 192.168.1.20-192.168.1.254
  route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
  route inside 10.1.1.0 255.255.255.0 10.0.1.102 1
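The nat, global and nat-control commands of the sample configuration, modelled as an added example (not from the slides): hosts matching the nat rule are given an address from the global pool with the same nat_id on the egress interface, the pairing is kept in an xlate table like the one show xlate displays, and with nat-control on, a host without a matching nat rule is dropped. The class and method names are this example's own.

```python
import ipaddress


class DynamicNat:
    """Model of the pre-8.3 nat/global pairing and the resulting xlate table."""

    def __init__(self, nat_control=True):
        self.nat_control = nat_control
        self.nat_rules = []    # (if_name, nat_id, network) from 'nat' commands
        self.pools = {}        # (if_name, nat_id) -> free mapped addresses
        self.xlate = {}        # local ip -> (mapped if_name, mapped ip)

    def nat(self, if_name, nat_id, address, netmask):
        # nat (inside) 1 0.0.0.0 0.0.0.0 makes every inside host eligible
        net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
        self.nat_rules.append((if_name, nat_id, net))

    def global_pool(self, if_name, nat_id, first, last):
        # global (outside) 1 192.168.1.20-192.168.1.254
        start, end = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.pools[(if_name, nat_id)] = [str(ipaddress.ip_address(i)) for i in range(start, end + 1)]

    def translate(self, in_if, out_if, local_ip):
        """Mapped address for local_ip leaving via out_if, or None if the packet is dropped."""
        if local_ip in self.xlate:
            return self.xlate[local_ip][1]          # existing translation slot is reused
        for if_name, nat_id, net in self.nat_rules:
            if if_name == in_if and ipaddress.ip_address(local_ip) in net:
                pool = self.pools.get((out_if, nat_id))
                if not pool:
                    # no global pool for this nat_id on the egress interface,
                    # or the pool is exhausted: no translation can be built
                    return None
                mapped = pool.pop(0)
                self.xlate[local_ip] = (out_if, mapped)
                return mapped
        # No nat rule matched. With nat-control the packet is dropped; without
        # it the packet passes untranslated.
        return None if self.nat_control else local_ip

    def show_xlate(self):
        """Lines in the style of 'show xlate'."""
        lines = [f"{len(self.xlate)} in use"]
        for local, (_, mapped) in self.xlate.items():
            lines.append(f"Global {mapped} Local {local}")
        return lines


if __name__ == "__main__":
    asa = DynamicNat(nat_control=True)
    asa.nat("inside", 1, "0.0.0.0", "0.0.0.0")
    asa.global_pool("outside", 1, "192.168.1.20", "192.168.1.254")
    asa.translate("inside", "outside", "10.0.1.11")
    print("\n".join(asa.show_xlate()))
```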

Summary

  The Cisco ASA security appliance has four main administrative modes: unprivileged, privileged, configuration, and monitor.
  Two memory areas hold configuration: the running configuration and the startup configuration.
  The show running-config command displays the configuration held in RAM.
  Use copy run start or write memory to save the configuration.
  An interface with a higher security level can reach an interface with a lower security level, but not the other way round unless an access-list permits it.
  The show commands display the appliance's management parameters.
  The basic commands for starting to configure a Cisco firewall are interface, nat, global, and route.
  The nat and global commands work together to translate IP addresses.

Lesson 3: Managing the Cisco ASA security appliance

Configuring remote management access

Configuring telnet

[Diagram: host 10.0.0.11 on the inside opens a telnet session to the appliance]

  ciscoasa(config)# telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}

Lets you configure which hosts are allowed to telnet to the Cisco firewall.

  ciscoasa(config)# passwd password [encrypted]

Configures the password used for telnet access to the Cisco firewall.

  asa1(config)# telnet 10.0.0.11 255.255.255.255 inside
  asa1(config)# telnet timeout 15
  asa1(config)# passwd telnetpass

Viewing and clearing the telnet configuration

  ciscoasa# show running-config telnet [timeout]

Displays the hosts that are allowed to telnet.

  ciscoasa(config)# clear configure telnet

Clears the telnet configuration.

  ciscoasa# who [local_ip]

Shows which users currently have a telnet session to the appliance.

  ciscoasa# kill telnet_id

Terminates a telnet session.

Configuring SSH access

SSH connections to the Cisco firewall:

  Provide a secure remote-access solution.
  Use strong authentication and encryption.
  Require an RSA key pair on the firewall.
  Require a 3DES/AES or DES activation key.
  Allow 5 concurrent SSH sessions.
  Use the telnet password for login.

Configuring SSH

  ciscoasa(config)# crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]

Removes the old RSA key pair.

  ciscoasa(config)# crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]

Generates a new RSA key pair.

  ciscoasa(config)# write memory

Saves the configuration.

  ciscoasa(config)# ssh {ip_address mask | ipv6_address/prefix} interface

Permits the specified hosts to connect to the appliance over ssh.

  ciscoasa(config)# domain-name name

Configures the domain name.

  ciscoasa(config)# ssh timeout number

Idle time allowed before the connection is dropped.

Sample configuration

[Diagram: host 172.26.26.50 on the Internet opens an SSH session to the appliance, logging in with username pix and the telnet password]

  asa1(config)# crypto key zeroize rsa
  asa1(config)# write memory
  asa1(config)# domain-name cisco.com
  asa1(config)# crypto key generate rsa modulus 1024
  asa1(config)# write memory
  asa1(config)# ssh 172.26.26.50 255.255.255.255 outside
  asa1(config)# ssh timeout 30
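An added example, not from the slides, that audits the telnet, ssh and passwd lines of a configuration for the weak settings this lesson touches on: cleartext telnet, a host mask of 0.0.0.0, long idle timeouts, and the default login password (the encrypted form 2KFQnbNIdI.2KYOU, which appears in the sample configuration of Lesson 2, is the well-known hash of the default password cisco). The sample configuration below is constructed for the example.

```python
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"   # encrypted form of the default password "cisco"


def audit_remote_mgmt(config_text, max_idle_minutes=30):
    """Return (severity, message) findings for the telnet/ssh/passwd lines of config_text."""
    findings = []
    telnet_hosts, ssh_hosts = [], []
    telnet_timeout, ssh_timeout = None, None
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "telnet" and len(tok) >= 3:
            if tok[1] == "timeout":
                telnet_timeout = int(tok[2])
            elif len(tok) >= 4:                       # telnet <ip> <mask> <interface>
                telnet_hosts.append((tok[1], tok[2], tok[3]))
        elif tok[0] == "ssh" and len(tok) >= 3:
            if tok[1] == "timeout":
                ssh_timeout = int(tok[2])
            elif len(tok) >= 4:                       # ssh <ip> <mask> <interface>
                ssh_hosts.append((tok[1], tok[2], tok[3]))
        elif tok[0] == "passwd" and len(tok) >= 2:
            if tok[1] in ("cisco", DEFAULT_PASSWD_HASH):
                findings.append(("high", "passwd: the default login password 'cisco' is still set"))
    for ip, mask, ifc in telnet_hosts:
        # telnet carries the login password in cleartext; ssh is the lesson's alternative
        findings.append(("high", f"telnet: cleartext management from {ip} {mask} on {ifc}; prefer ssh"))
        if mask == "0.0.0.0":
            findings.append(("high", f"telnet: mask 0.0.0.0 on {ifc} allows any host; restrict to admin hosts"))
    for ip, mask, ifc in ssh_hosts:
        if mask == "0.0.0.0":
            findings.append(("medium", f"ssh: mask 0.0.0.0 on {ifc} allows any host; restrict to admin hosts"))
    if telnet_hosts and not ssh_hosts:
        findings.append(("medium", "no ssh hosts configured: generate an RSA key pair and enable ssh"))
    for name, value in (("telnet", telnet_timeout), ("ssh", ssh_timeout)):
        if value is not None and value > max_idle_minutes:
            findings.append(("low", f"{name} timeout {value} min exceeds {max_idle_minutes} min"))
    return findings


# Constructed sample (not a real device configuration) built from this lesson's commands.
SAMPLE_CONFIG = """\
hostname asa1
passwd 2KFQnbNIdI.2KYOU encrypted
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 172.26.26.50 255.255.255.255 outside
ssh timeout 30
"""

if __name__ == "__main__":
    for severity, message in audit_remote_mgmt(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```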

Managing software, configuration, and licenses

Viewing the directory structure

[Diagram: the appliance between the Internet, the 192.168.0.0 network and inside hosts 10.0.0.11 and 10.0.0.3]

  ciscoasa# dir [/all] [/recursive] [all-filesystems | [disk0: | disk1: | flash: | system:] path]

Displays the contents of the directory or disk.

  asa1# dir
  Directory of disk0:/
  4346  -rw-  8202240  15:01:10 Oct 19 2006  asa721-k8.bin
  6349  -rw-  5539756  15:30:39 Oct 19 2006  asdm521.bin
  7705  -rw-  3334     07:03:57 Oct 22 2006  old_running.cfg

  62947328 bytes total (29495296 bytes free)

The pwd command shows the path of the current directory.

Copying files

[Diagram: the appliance between the Internet, the 192.168.0.0 network and inside hosts 10.0.0.11 and 10.0.0.3]

  ciscoasa# copy [/noconfirm | /pcap] {url | running-config | startup-config} {running-config | startup-config | url}

Copies a file from one location to another.

  asa1# copy disk0:MYCONTEXT.cfg startup-config

Copies the file MYCONTEXT.cfg from disk0 into the startup configuration.

Backing up and restoring the configuration file

[Diagram: the appliance exchanges its configuration with an FTP server at 10.0.0.3; host 10.0.0.11 is on the inside]

  ciscoasa# copy ftp: startup-config

Copies the configuration file from the FTP server.

  ciscoasa# copy running-config ftp:

Copies the running configuration to the FTP server.

Upgrading the operating system

Viewing version information

[Diagram: the appliance between the Internet and inside hosts 10.0.0.11 and 10.0.0.3]

  ciscoasa# show version

Displays version information, hardware configuration, license key, and device uptime.

  asa1# show version
  Cisco Adaptive Security Appliance Software Version 7.2(1)
  Device Manager Version 5.2(1)
  Compiled on Wed 31-May-06 14:45 by root
  System image file is disk0:/asa721-k8.bin
  Config file at boot was startup-config
  asa1 up 17 hours 40 mins
  . . .

Upgrading the software version

[Diagram: the appliance downloads an image from the TFTP server at 10.0.0.3; host 10.0.0.11 is on the inside]

  ciscoasa# copy tftp://server[/path]/filename flash:/filename

Copies the upgrade image from the TFTP server.

  asa1# copy tftp://10.0.0.3/asa721-k8.bin flash

When the TFTP server at 10.0.0.3 receives the download request from the Cisco ASA, it sends the image down to the ASA's flash.

Summary

  SSH provides secure remote management connections.
  TFTP is used to upgrade the Cisco firewall image.
  Telnet can be configured on all interfaces of the Cisco firewall.

Lesson 4: Access Control Lists (ACLs)

Configuring ACLs on the Cisco firewall

[Diagram: an ACL on the Outside interface for inbound access from the Internet; an ACL on the Inside interface for outbound access]

An ACL on an interface blocks or permits packets entering or leaving that interface.

An ACL only needs to describe the packets that initiate the application's connection; the return direction does not need to be in the ACL.

If no ACL is configured on an interface:
  By default, packets from inside to outside are permitted (outbound).
  By default, packets from outside to inside are blocked (inbound).

Inbound traffic to a DMZ web server

[Diagram: a public web server in the DMZ; inbound traffic from the Internet arrives on the Outside interface (192.168.1.0, appliance .2, gateway .1) and is blocked; the Inside network is 10.0.1.0]

Without an ACL, inbound traffic is blocked by default. To permit inbound traffic:

  1. Configure static NAT for the web server.
  2. Configure the inbound ACL.
  3. Apply the ACL to the Outside interface.

Configuring static NAT for the web server

[Diagram: the public web server 172.16.1.2 in the DMZ is reachable from the Internet as 192.168.1.9 on the 192.168.1.0 network (appliance .2, gateway .1); the Inside network is 10.0.1.0]

  asa1(config)# static (DMZ,outside) 192.168.1.9 172.16.1.2 0 0

Maps the internal address 172.16.1.2 (the DMZ web server) to the public address 192.168.1.9.

The access-list command

Permitting inbound HTTP

[Diagram: the public web server 172.16.1.2 in the DMZ, mapped to 192.168.1.9 on the 192.168.1.0 network; Inside network 10.0.1.0; Outside towards the Internet]

  ciscoasa(config)# access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id} {host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]

  asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq www

Permits hosts on the outside to reach the web server in the DMZ.

The access-group command

Applying the ACL to an interface

[Diagram: the public web server in the DMZ; Inside network 10.0.1.0; Outside on 192.168.1.0 (appliance .2, gateway .1) towards the Internet]

  ciscoasa(config)# access-group access-list {in | out} interface interface_name [per-user-override]

Applies the ACL to an interface.

  asa1(config)# access-group ACLOUT in interface outside

The show access-list command

[Diagram: ACLOUT applied towards the 192.168.1.0 network, ACLIN on the inside, ICMPDMZ on the DMZ; remote host 192.168.6.10 on the Internet]

  asa1(config)# show access-list
  access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
              alert-interval 300
  access-list ACLOUT; 4 elements
  access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=4) 0x984ebd70
  access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=1) 0x53490ecd
  access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=8) 0x83af39ca
  access-list ACLOUT line 4 extended deny ip any any (hitcnt=4) 0x2ca30385
  access-list ICMPDMZ; 1 elements
  access-list ICMPDMZ line 1 extended permit icmp host bastionhost any echo-reply

The clear access-list counters command

[Diagram: web server 172.16.1.2 mapped to 192.168.1.9; remote host 192.168.6.10 on the Internet; ACLIN and ACLOUT]

  asa1(config)# clear access-list ACLOUT counters
  asa1(config)# show access-list
  access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
              alert-interval 300
  access-list ACLOUT; 4 elements
  access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=0) 0x984ebd70
  access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=0) 0x53490ecd
  access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=0) 0x83af39ca
  access-list ACLOUT line 4 extended deny ip any any (hitcnt=0) 0x2ca30385

ACL logging

[Diagram: ACL syslog messages are sent from the appliance to a syslog server]

  ciscoasa(config)# access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id} {host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]

  asa1(config)# access-list OUTSIDE-ACL permit icmp any host 192.168.1.11 log 7 interval 600

Permits and logs ICMP packets to 192.168.1.11.

Ch thch cho ACL


ciscoasa(config)#

access-list id [line line-number] remark text


Chn vo li ch thch cho access-list

asa1(config)# access-list ACLOUT line 2 remark WebMailA access-list
asa1(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACLOUT; 6 elements
access-list ACLOUT line 1 extended permit tcp any host 192.168.1.7 eq www (hitcnt=0) 0x3df6ed1e
access-list ACLOUT line 2 remark WebMailA access-list
access-list ACLOUT line 3 extended permit tcp any host 192.168.1.8 eq www (hitcnt=0) 0xd5383eba
access-list ACLOUT line 4 extended permit tcp any host 192.168.1.9 eq www (hitcnt=0) 0x2c4288ad
access-list ACLOUT line 5 extended permit tcp any host 192.168.1.10 eq www (hitcnt=0) 0xb70c935b
access-list ACLOUT line 6 extended permit tcp any host 192.168.1.11 eq www (hitcnt=0) 0x8b43382e

Inserting the remark at line 2 renumbers everything after it: the ACE for 192.168.1.8 was line 2 and is now line 3. Later edits that use line n must take the new numbering into account.
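The hitcnt= counters and the ACE hash in the two show access-list listings above are what an auditor works from. As an added example, not code from the course, here is a Python script that parses that output and reports ACEs that have never been hit and ACEs that can never be hit because an earlier entry already covers them (for instance anything placed after deny ip any any). SAMPLE_SHOW is constructed: it reuses the deck's ACLOUT entries and adds two hypothetical lines (hashes 0x11111111 and 0x22222222) to show a shadowed rule. Only plain any/host/network-mask addresses and the eq port operator are parsed; object groups and the other operators are skipped.

```python
"""Audit Cisco ASA `show access-list` output for unused and shadowed ACEs.

Added example, not code from the original deck. Handles `extended` ACEs with
any / host A.B.C.D / A.B.C.D MASK addresses and the `eq` port operator;
header lines, remarks, object-group expansions and other operators are skipped.
"""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
HIT_RE = re.compile(r"\(hitcnt=(\d+)\)\s*(0x[0-9a-f]+)?")

# Constructed sample: the deck's ACLOUT list plus two hypothetical ACEs
# (hashes 0x11111111 and 0x22222222) that an earlier line already covers.
SAMPLE_SHOW = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACLOUT; 6 elements
access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=120) 0x984ebd70
access-list ACLOUT line 2 remark WebMailA access-list
access-list ACLOUT line 3 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=4) 0x53490ecd
access-list ACLOUT line 4 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq www (hitcnt=0) 0x11111111
access-list ACLOUT line 5 extended permit tcp any host 192.168.1.9 eq www (hitcnt=0) 0x83af39ca
access-list ACLOUT line 6 extended deny ip any any (hitcnt=17) 0x2ca30385
access-list ACLOUT line 7 extended permit tcp any host 192.168.1.9 eq ftp (hitcnt=0) 0x22222222
"""


def _addr(toks, i):
    """Consume one address spec: `any`, `host A.B.C.D` or `A.B.C.D MASK`."""
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(toks[i] + "/" + toks[i + 1], strict=False), i + 2


def _port(toks, i):
    """Consume an optional `eq PORT`; None means any port."""
    if i < len(toks) and toks[i] == "eq":
        return toks[i + 1], i + 2
    return None, i


def parse_ace(line):
    """Parse one `access-list NAME line N extended ...` line, else None."""
    toks = line.split()
    if len(toks) < 8 or toks[0] != "access-list" or toks[2] != "line" or toks[4] != "extended":
        return None  # header lines, remarks, object-group expansions
    try:
        src, i = _addr(toks, 7)
        sport, i = _port(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _port(toks, i)
        m = HIT_RE.match(" ".join(toks[i:]))
    except (IndexError, ValueError):
        return None
    if not m:
        return None
    return {"acl": toks[1], "line": int(toks[3]), "action": toks[5], "proto": toks[6],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "hits": int(m.group(1)), "hash": m.group(2)}


def parse_show(text):
    return [a for a in map(parse_ace, text.splitlines()) if a]


def unused(aces):
    """Line numbers of ACEs that have not matched since the counters were cleared."""
    return [a["line"] for a in aces if a["hits"] == 0]


def covers(a, b):
    """True if ACE a matches every packet ACE b matches (same list assumed)."""
    return (a["proto"] in ("ip", b["proto"])
            and a["src"].supernet_of(b["src"]) and a["dst"].supernet_of(b["dst"])
            and a["sport"] in (None, b["sport"]) and a["dport"] in (None, b["dport"]))


def shadowed(aces):
    """(line, shadowed_by) pairs; only the first covering ACE is reported."""
    out = []
    for n, b in enumerate(aces):
        for a in aces[:n]:
            if a["acl"] == b["acl"] and covers(a, b):
                out.append((b["line"], a["line"]))
                break
    return out


if __name__ == "__main__":
    aces = parse_show(SAMPLE_SHOW)
    print("never hit:", unused(aces))
    for line, by in shadowed(aces):
        print(f"line {line} can never match: covered by line {by}")
```

A zero counter alone is not proof that a rule is dead; it only says the rule has not matched since the last clear, so run the audit after a representative period. A shadowed entry, by contrast, is dead by construction and either indicates a misordered list or a rule that should be deleted.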

Configuring an ACL for inbound HTTP

Figure: public web server 172.16.1.2 on the DMZ, published to the outside network 192.168.1.0 as 192.168.1.9 (outside interface .1); inside network 10.0.1.0; inbound traffic arrives from the Internet on the outside interface.

asa1(config)# static (DMZ,outside) 192.168.1.9 172.16.1.2 0 0
asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq www
asa1(config)# access-group ACLOUT in interface outside

The static translation publishes the DMZ server 172.16.1.2 on the outside as 192.168.1.9 (the trailing 0 0 leave the maximum and embryonic connection limits unlimited). The ACL then permits TCP port 80 from any source to the server and is applied inbound on the outside interface, so outside hosts can reach the web site and nothing else: everything not matched is dropped by the implicit deny at the end of the list. On this software generation (7.x up to 8.2) an inbound ACL is written against the translated outside address, 192.168.1.9, not the real DMZ address.

Command: icmp

Figure: ICMP from the Internet arriving at the outside interface of the appliance.

ciscoasa(config)# icmp {permit | deny} {host sip | sip smask | any} [icmp-type] if_name

Permits or denies ICMP addressed to the appliance's own interface (for example pings of the interface address). It does not affect ICMP passing through the appliance, which is governed by the interface ACLs. With no icmp rules configured, ICMP to every interface is permitted; once a rule exists for an interface, the rules are checked in order and anything unmatched is denied.

asa1(config)# icmp permit any outside

Permits pings to the outside interface from any source. Because this also answers anyone scanning the address, restrict the rule to specific management sources and ICMP types (for example echo) where possible.

Summary
ACLs let the security appliance decide which connections are allowed through. ICMP rules on the interfaces (the icmp command) control whether the appliance answers probes of its own addresses, which helps keep it from being discovered.

Lesson 5

Cisco Adaptive Security Device Manager (ASDM)

ASDM overview

What is ASDM?

Figure: management workstation reaching the security appliance across the Internet through an SSL secure tunnel.

ASDM is a web-based tool for configuring and managing Cisco security appliances.

ASDM features

Runs on multiple platforms
Runs in a Java virtual machine
Uses SSL to secure the management connection
Preloaded in flash on Cisco ASA and Cisco PIX appliances running version 7.2 and later
ASDM sessions: 5 concurrent sessions per appliance in single mode, 32 in multiple-context mode
Supported PIX appliances: PIX 515E, 525 and 535*
Supported ASA appliances: Cisco ASA 5505, 5510, 5520, 5540 and 5550

Requirements for running ASDM on a Cisco firewall

The Cisco security appliance must meet the following requirements to run ASDM:
A DES or 3DES activation key (ASDM runs over SSL)
Java plug-in support on the client
A firewall operating system version compatible with the ASDM version being installed
Compatible hardware

* ASDM version 5.2 requires the security appliance to run operating system version 7.2.

Web browser requirements for ASDM. For a browser to run ASDM:
JavaScript and Java must be enabled in the browser.
SSL must be enabled in the browser.
Popup blockers can prevent ASDM from starting.

Supported client platforms

Windows
Sun Solaris
Linux

Running ASDM

ASDM can be run in two ways:
Installed on the workstation (the ASDM Launcher application)
As a Java applet in the browser

The Startup Wizard can be run from the initial screen.

Configuring the Cisco firewall to run ASDM

To use ASDM, the firewall needs the following settings:
Time (clock)
IP address and subnet mask of the inside interface
Host name
Domain name
The HTTP server enabled
A specific host permitted to reach ASDM over HTTPS

Initial configuration through the console

Pre-configure Firewall now through interactive prompts [yes]? <Enter>
Firewall Mode [Routed]:
Enable Password [<use current password>]: cisco123
Allow password recovery [yes]?
Clock (UTC)
  Year [2006]: <Enter>
  Month [Sep]: <Enter>
  Day [2]: <Enter>
  Time [10:21:49]: <Enter>
Inside IP address: 10.0.1.1
Inside network mask: 255.255.255.0
Host name: asa1
Domain name: ciscoasa.com
IP address of host running Device Manager: 10.0.1.11
Use this configuration and write to flash? Y

This interactive dialog (the setup command, also offered at first boot when there is no configuration) sets the inside address, enables the HTTP server and permits the Device Manager host 10.0.1.11 to connect to the inside interface, which is the minimum ASDM needs. Replace the example enable password with a strong one; it is stored in the configuration.

ASDM management interface

ASDM Home window

Menu bar
Main toolbar
Device information
License
VPN status
Traffic status
Interface status
System resources status
Latest syslog messages

ASDM Home window (cont.)

License tab

Startup Wizard

The Startup Wizard configures:
Interfaces
NAT and PAT
Hostname
Domain name
Enable password

VPN Wizard

The VPN Wizard builds:
Site-to-Site
Remote Access

Note: choose Configuration > VPN to edit existing VPN connections.

High Availability and Scalability Wizard

The wizard configures:
Active/Active Failover
Active/Standby Failover
VPN Cluster Load Balancing

Configuration window

Configuration pane items: Interface, Security Policy, NAT, VPN, IPS, CSD Manager, Routing, Global Objects, Properties

Interfaces

IP address: Static or DHCP
Same security level (enable traffic between interfaces configured with the same security level)

Security Policy

Access Rules
AAA Rules
Filter Rules
Service Policy Rules

NAT configuration

NAT configuration types: NAT, Policy NAT, NAT exemption (NAT 0), Maximum connections

VPN

Edit VPN connections (Edit VPN):
General
IKE
IPsec
IP Address Management
Load Balancing
NAC
WebVPN
E-Mail Proxy

Note: use the Remote Access or Site-to-Site VPN Wizard to create a new VPN connection.

Routing configuration

Routes: static and dynamic routing (OSPF, RIP)
Multicast: IGMP, MRoute, PIM
Proxy ARPs

Global Objects

Network Object Groups
IP Names
Service Groups
Class Maps
Inspect Maps
Regular Expressions
TCP Maps
Time Ranges

Options in the Monitoring section

Interfaces
VPN
IPS or Trend Micro Content Security
Routing
Properties
Logging

Interface status graph

The graph tracks the status (bytes, load, ...) of the interfaces over time.

Packet Tracer

Inputs: Interface, Source IP, Source port, Destination IP, Destination port

Phases shown in the trace:
Flow lookup
Route lookup
Access list

Options > Preferences

Options

Tools

Tools menu: Command Line Interface, Packet Tracer, Ping, Traceroute, File Management, Upgrade Software, Upload ASDM Assistant Guide, System Reload, ASDM Java Console

Help

Help menu: Help Topics, Help for Current Screen, Release Notes, Getting Started, VPN 3000 Migration Guide, Glossary

Online Help

Summary
ASDM is a web-based tool for configuring Cisco security appliances. Only a minimal configuration is needed before ASDM can be used. ASDM includes many tools that help with configuring the security appliance, and several wizards that simplify configuration:
Startup Wizard: step-by-step guidance through the initial configuration.
VPN Wizard: step-by-step guidance for configuring a site-to-site VPN or a remote access VPN.
High Availability and Scalability Wizard: step-by-step guidance for configuring active/active failover, active/standby failover and VPN cluster load balancing.

Lesson 6

Firewall Services Module (FWSM)

FWSM overview

The FWSM (Cisco Firewall Services Module) is based on Cisco PIX technology and therefore offers the same level of security and reliability. It is a service module that occupies a slot in a Cisco Catalyst 6500 switch or Cisco 7600 router.

Key FWSM features

Switch and firewall on the same hardware platform
Based on Cisco PIX technology
Supports transparent or routed mode
Up to 100 security contexts
Up to 256 VLANs per context, up to 1000 VLANs across all contexts
5 Gbps throughput
One million concurrent connections
100,000 connections per second
Multiple modules per chassis (up to 4)
Dynamic routing with RIP v1, v2 and OSPF
Failover

Comparison of FWSM and PIX features

Connection model

MSFC placement

Getting started with FWSM configuration

Before configuring the FWSM, perform these basic steps:
Verify the FWSM installation.
Check the VLAN configuration on the switch.
Configure the VLANs for the FWSM.

Verifying the FWSM installation

Checking the VLAN configuration on the switch

Creating VLANs

Define a management VLAN on the MSFC and assign it an IP address.

Firewall VLAN group

Create a VLAN group containing the VLANs the firewall is to control.

Assign the VLAN group to the firewall module in the slot where it is installed.

Configuring the FWSM interfaces

Open a console session to the FWSM from the switch; the processor parameter is always 1 (session slot slot_number processor 1).

Configuring the default route

Default route.

Configuring FWSM access lists

FWSM1(config)# access-list 200 permit ip 10.1.1.0 255.255.255.0 any
FWSM1(config)# access-group 200 in interface inside

By default the FWSM passes no traffic at all: unlike the PIX and ASA, it does not implicitly permit traffic from a higher-security interface to a lower-security one, so every interface that should forward traffic needs an inbound access list. Once traffic is permitted inbound on one interface it can be forwarded out any other interface according to the routing table.

Reloading the FWSM

Summary
The FWSM (Cisco Firewall Services Module) is based on Cisco PIX technology and therefore offers the same level of security and reliability. It is a service module for the Cisco Catalyst 6500 switch and Cisco 7600 router. It supports transparent or routed mode. FWSM commands are similar to those of the Cisco ASA and Cisco PIX.