Cisco Firewall Basic Configuration

Lesson 3
© 2023 Cisco Systems, Inc. All rights reserved. SNPA v4.0—3-1

Getting Started with the Cisco Security Appliance

User Interface

Firewall Access Modes
    firewall>
    firewall#
    firewall(config)#
    monitor>
The Cisco firewall has four secure management access modes: Unprivileged, Privileged, Configuration and Monitor.

Access Privileged Mode: the enable Command
    pixfirewall> enable
    password:
    pixfirewall#
    firewall> enable [priv_level]
Used to control access to the privileged mode; from there you can reach the other modes.

Access Configuration Mode: the configure terminal Command
    firewall# configure terminal
Used to start configuration mode to enter configuration commands from a terminal.
    pixfirewall> enable
    password:
    pixfirewall# configure terminal
    pixfirewall(config)# exit
    pixfirewall# exit
    pixfirewall>

The exit Command
    firewall# exit
Used to exit from an access mode.

The help Command
    pixfirewall> help ?
    enable   Turn on privileged commands
    exit     Exit the current command mode
    login    Log in as a particular user
    logout   Exit from current command mode, and to unprivileged mode
    quit     Exit the current command mode
    pixfirewall> help enable
    USAGE: enable [<priv_level>]
    DESCRIPTION: enable  Turn on privileged commands

File Management

View and Save Your Configuration
The following commands enable you to view or save your configuration:
    copy run start
    show running-config
    show startup-config
    write memory
    write terminal
To save configuration changes: copy run start (running-config -> startup-config, saved).

Clearing the Running Configuration
    firewall(config)# clear configure all
Clears the running configuration.
    fw1(config)# clear config all
Clear the running configuration: clear config all (the running-config is reset to its defaults; the startup-config is untouched).

Clearing the Startup Configuration
    firewall# write erase
Clears the startup configuration.
    fw1# write erase
Clear the startup configuration: write erase (the startup-config is reset to its defaults).

Reload the Configuration: the reload Command
Reboots the security appliance and reloads the configuration. Reboots can be scheduled.
    fw1# reload
    Proceed with reload? [confirm] y
    Rebooting...
Syntax: reload [noconfirm] [cancel] [quick] [save-config] [max-hold-time [hh:]mm] [{in [hh:]mm | at hh:mm [{month day} | {day month}]}] [reason text]

File System
Release 6.x and earlier: software image, configuration file, private data file, PDM image, crash information.
Release 7.x and later: software image, configuration file, private data, PDM image, backup image*, backup configuration file*, virtual firewall configuration file**, space available.

Displaying Stored Files: System and Configuration
Display the directory contents (PIX Firewall: flash:; ASA: disk0:, disk1:).
    firewall# dir
    Directory of flash:/
    3  -rw-  4902912  13:37:33 Jul 27 2023  pix-701.bin
    4  -rw-  6748932  13:21:13 Jul 28 2023  asdm-501.bin
    16128000 bytes total (4472832 bytes free)
Syntax: dir [/recursive] [[{disk0: | disk1: | flash:}] [<path>]]

Selecting the Boot System File
The appliance can store more than one system image and configuration file; the boot command designates which system image and startup configuration file to boot.
    fw1(config)# boot system flash:/pix-701.bin
Syntax: boot {system | config} <url>

Verifying the Startup System Image
Display the system boot image.
    fw1# show bootvar
    BOOT variable = flash:/pix-701.bin
    Current BOOT variable = flash:/pix-701.bin
    CONFIG_FILE variable =
    Current CONFIG_FILE variable =
Boot image flash:/pix-701.bin is both configured and running.

Security Appliance Security Levels

Functions of the Security Appliance: the Security Algorithm
- Implements stateful connection control through the security appliance.
- Allows one-way (outbound) connections with a minimum number of configuration changes. An outbound connection is a connection originating from a host on a more-protected interface and destined for a host on a less-protected network.
- Monitors return packets to ensure that they are valid.
- Randomizes the first TCP sequence number to minimize the risk of attack.

Security Level Example
    Outside network: Ethernet0 (e0), security level 0,   interface name = outside
    DMZ network:     Ethernet2 (e2), security level 50,  interface name = dmz
    Inside network:  Ethernet1 (e1), security level 100, interface name = inside

Basic Security Appliance Configuration

Assigning a Hostname to the Security Appliance: Changing the CLI Prompt
    pixfirewall(config)# hostname Boston
    Boston(config)#
    firewall(config)# hostname newname
Changes the hostname in the PIX Firewall CLI prompt. (Figure: sites Boston, New_York and Dallas.)

Basic CLI Commands for Security Appliances
    hostname, interface, nameif, ip address, security-level, speed, duplex, no shutdown, nat-control, nat, global, route

The interface Command and Subcommands
    firewall(config)# interface hardware_id
    fw1(config)# interface ethernet0 (GigabitEthernet0/0)
    fw1(config-if)#
Specifies a perimeter interface and its slot location on the firewall (Ethernet0 = e0, Ethernet1 = e1, Ethernet2 = e2).

Assign an Interface Name: the nameif Subcommand
    firewall(config-if)# nameif hardware_id if_name
    fw1(config)# interface ethernet0 (GigabitEthernet0/0)
    fw1(config-if)# nameif outside
Assigns a name to each perimeter interface on the PIX Firewall Security Appliance: Ethernet0 = outside, Ethernet2 = dmz, Ethernet1 = inside.

Assign an Interface IP Address: the ip address Subcommand
    firewall(config-if)# ip address ip_address [netmask]
    fw1(config)# interface ethernet0 (GigabitEthernet0/0)
    fw1(config-if)# nameif outside
Assigns an IP address to each interface (Ethernet0, interface name = outside).

DHCP-Assigned Address
    fw1(config)# interface ethernet0 (GigabitEthernet0/0)
    fw1(config-if)# nameif outside
    fw1(config-if)# ip address dhcp
    firewall(config-if)# ip address if_name dhcp [setroute] [retry retry_cnt]
Enables the DHCP client feature on the outside interface (Ethernet0, interface name = outside, IP address = DHCP).

Assign a Security Level: the security-level Subcommand
    firewall(config-if)# security-level number
    fw1(config)# interface ethernet0 (GigabitEthernet0/0)
    fw1(config-if)# nameif outside
    fw1(config-if)# security-level 0
Assigns a security level to the interface (Ethernet0, interface name = outside, security level = 0).

Assign an Interface Speed and Duplex: the speed and duplex Subcommands
    firewall(config-if)# speed [hardware_speed]
    firewall(config-if)# duplex [duplex_operation]
    fw1(config)# interface ethernet0 (GigabitEthernet0/0)
    fw1(config-if)# nameif outside
    fw1(config-if)# security-level 0
    fw1(config-if)# speed 100
    fw1(config-if)# duplex full
Sets the interface speed and duplex (Ethernet0: speed = 100, duplex = full).

ASA Management Interface
    firewall(config-if)# management-only
    firewall(config-if)# no management-only
To set an interface to accept management traffic only:
    fw1(config)# interface management0/0
    fw1(config-if)# nameif outside
    fw1(config-if)# security-level 0
(Ethernet0: management only.)

Network Address Translation
(Figure: inside local addresses, translation table, outside mapped pool, Internet.)

Enable NAT Control
    fw1(config)# nat-control
Enables or disables the NAT configuration requirement.

The nat Command
    firewall(config)# nat [(if_name)] nat_id address [netmask] [dns] [[tcp] tcp_max_conns [emb_limit] [norandomseq]] [udp udp_max_conns]
    fw1(config)# nat (inside) 1 0 0
Enables IP address translation.

The global Command
    firewall(config)# global [(if_name)] nat_id {mapped_ip[-mapped_ip] [netmask mapped_mask]} | interface
    fw1(config)# nat (inside) 1 [...]
    fw1(config)# global (outside) 1 [...]
Works together with the nat command.

Configure a Static Route: the route Command
    firewall(config)# route if_name ip_address netmask gateway_ip [metric]
    fw1(config)# route outside [...] 1
    fw1(config)# route inside [...] 1
Defines a static or default route for an interface (figure: default route via outside, static route via inside).

Host Name-to-IP-Address Mapping: the name Command
    firewall(config)# name ip_address name
    fw1(config)# names
    fw1(config)# name [...] bastionhost
    fw1(config)# name [...] insidehost
Configures a list of name-to-IP-address mappings on the security appliance.

Configuration Example
    write terminal
    interface ethernet0
     nameif outside
     security-level 0
     speed 100
     duplex full
    interface ethernet1
     nameif inside
     security-level 100
     speed 100
     duplex full
    interface ethernet2
     nameif dmz
     security-level 50
     speed 100
     duplex full
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname fw1
    names
    name [...] bastionhost
    name [...] insidehost
    nat-control
    nat (inside) 1 0 0
    route outside [...] 1
    route inside [...] 1
(Figure: Ethernet0 = outside, security level 0; Ethernet1 = inside, security level 100; Ethernet2 = dmz, security level 50; mapped pool [...]0-254; default route via outside, static route via inside; hosts "insidehost" and "bastionhost".)

Examining Security Appliance Status
    fw1# show interface
    Interface GigabitEthernet0/0 "outside", is up, line protocol is up
      Detected: Speed 100 Mbps, Full-duplex
      Requested: Auto
      MAC address 000b.fcf8.c538, MTU 1500
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 packets output, 0 bytes, 0 underruns
      input queue (curr/max blocks): hardware (0/0) software (0/0)
      output queue (curr/max blocks): hardware (0/0) software (0/0)
      Received 0 VLAN untagged packets, 0 bytes
      Transmitted 0 VLAN untagged packets, 0 bytes
      Dropped 0 VLAN untagged packets

show Commands
    fw1# show run interface
    !
    interface Ethernet0
     speed 100
     duplex full
     nameif outside
     security-level 0
    !
    interface Ethernet1
     speed 100
     duplex full
     nameif inside
     security-level 100
Related commands: show run interface, show interface.

The show memory Command
    fw1# show memory
    Free memory:   49046552 bytes
    Used memory:   18062312 bytes
    -----------------------------
    Total memory:  67108864 bytes
Displays system memory usage information.

The show cpu usage Command
    fw1# show cpu usage
    CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
Displays CPU use.

The show version Command
Displays the security appliance's software version, operating time since its last reboot, processor type, Flash memory type, interface boards, serial number (BIOS identification), and activation key value.
    fw1# show version
    Cisco PIX Security Appliance Software Version 7.0(1)
    Compiled on Thu 31-Mar-05 14:37 by builders
    System image file is "flash:/pix-701.bin"
    Config file at boot was "startup-config"
    pixfirewall up 12 mins 24 secs
    Hardware: PIX-515, 128 MB RAM, CPU Pentium 200 MHz
    Flash i28F640J5 @ 0x300, 16MB
    ...

The show ip address Command
    fw1# show ip address
    System IP Addresses:
    Interface  Name  IP address  Subnet mask
    [...]  CONFIG
    [...]  CONFIG
    [...]  CONFIG
    Current IP Addresses:
    Interface  Name  IP address  Subnet mask
    [...]  CONFIG
    [...]  CONFIG
    [...]  CONFIG

The show interface Command
    fw1# show interface
    interface ethernet0 "outside" is up, line protocol is up
      MTU 1500 bytes, BW 100000 Kbit full duplex
      4 packets input, 282 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      20 packets output, 1242 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      input queue (curr/max blocks): hardware (128/128) software (0
      output queue (curr/max blocks): hardware (0/1) software (0/1)

The show nameif Command
    fw1# show nameif
    Interface  Name     Security
    Ethernet0  outside  0
    Ethernet1  inside   100
    Ethernet2  dmz      50
(Figure: Ethernet0 = outside, security level 0; Ethernet2 = dmz, security level 50; Ethernet1 = inside, security level 100.)

The show run nat Command
    fw1# show run nat
    nat (inside) 1 0 0
Displays a single host or range of hosts to be translated.

The show run global Command
    fw1# show run global
Displays the pool of mapped addresses.

The show xlate Command
    fw1# show xlate
    1 in use, 1 most used
Displays the contents of the translation slots (figure: inside local address, outside mapped pool, xlate table).

The ping Command
    firewall# ping host
    Sending 5, 100-byte ICMP Echos to [...], timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
Determines whether other IP addresses are visible from the security appliance.

The show route Command
    fw1(config)# sh route
    S    [...] [1/0] via [...], outside
    C    [...] is directly connected, inside
    C*   [...] is directly connected, cplane
    C    [...] is directly connected, dmz
    C    [...] is directly connected, outside
* ASA 55X0 only: works only with the ASA 5500 Series Adaptive Security Appliances.

Setting Time and Using NTP Support

The clock Command
    firewall# clock set hh:mm:ss {day month | month day} year
    fw1# clock set 21:0:0 jul 23 2023
Sets the security appliance clock (figure: Wed 23-Jul-03 21:00).

Setting Daylight Saving Time and Time Zones
    fw1(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
    firewall(config)# clock summer-time zone recurring [week weekday month hh:mm week weekday month hh:mm] [offset]
    firewall(config)# clock timezone zone hours [minutes]
The example specifies that summer time starts on the first Sunday in April at 2 a.m. and ends on the last Sunday in October at 2 a.m. clock timezone sets the clock display to the time zone specified; clock summer-time displays summer time hours during the specified summer time date range.

The ntp Command
    fw1(config)# ntp authentication-key 1234 md5 cisco123
    fw1(config)# ntp trusted-key 1234
    fw1(config)# ntp server [...] key 1234 source inside prefer
    fw1(config)# ntp authenticate
    firewall(config)# ntp server ip_address [key number] source if_name [prefer]
Synchronizes the security appliance with an NTP server.

Syslog Configuration

Configure Syslog Output to a Syslog Server
The security appliance sends its syslog messages to a syslog server (network logging).

Logging Options
    Console  – output to the console
    Buffered – output to the internal buffer
    Monitor  – output to Telnet sessions
    Host     – output to a syslog server
    SNMP     – output to an SNMP server

Logging Levels
    0 – Emergencies
    1 – Alerts
    2 – Critical
    3 – Errors
    4 – Warnings
    5 – Notifications
    6 – Informational
    7 – Debugging

Configure Message Output to a Syslog Server
1. Designate the syslog host server.
2. Set the logging level.
3. Enable logging timestamps on syslog messages.
4. Specify the logging device identifier.
5. Enable logging.
    fw1(config)# logging trap warnings
    fw1(config)# logging timestamp
    fw1(config)# logging device-id pix6
    fw1(config)# logging on

Syslog Output Example
Fields of a syslog message: message identifier, logging device identifier, logging date and time stamp, logging device IP address, logging level.

Customize Syslog Output
    firewall(config)# logging message syslog_id level level
    fw1(config)# logging trap warnings
    fw1(config)# logging message 302023 level 4
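As an added example, not part of the course material or any Cisco code, a simplified Python model of the security-level rule from the Security Appliance Security Levels section: interface levels are read from the show nameif output reproduced above, new connections are admitted only from a higher security level to a lower one, and only the return traffic of an admitted connection is allowed back. The Flow tuple, the SecurityAlgorithm class and the sample addresses are this example's own constructs.

```python
"""Added example (not from the course): simplified model of the Cisco
security-level rule, fed from constructed `show nameif` output."""
import re
from typing import NamedTuple

# Constructed sample: the `show nameif` output shown in this lesson.
SHOW_NAMEIF = """\
Interface  Name     Security
Ethernet0  outside  0
Ethernet1  inside   100
Ethernet2  dmz      50
"""


def parse_nameif(text: str) -> dict:
    """Return {interface_name: security_level} from `show nameif` output."""
    levels = {}
    for line in text.splitlines()[1:]:  # skip the column header
        m = re.match(r"\S+\s+(\S+)\s+(\d+)\s*$", line)
        if m:
            levels[m.group(1)] = int(m.group(2))
    return levels


class Flow(NamedTuple):
    src_if: str  # interface the packet arrives on
    dst_if: str  # interface it would leave through
    src: str     # "ip:port" of the sender
    dst: str     # "ip:port" of the receiver


class SecurityAlgorithm:
    """Stateful decision: a new connection is admitted only from a higher
    security level to a lower one; a packet in the reverse direction is
    admitted only if it belongs to a connection admitted earlier."""

    def __init__(self, levels: dict):
        self.levels = levels
        self.connections = set()

    def allow(self, pkt: Flow) -> bool:
        # Return traffic of an established connection is valid.
        reverse = Flow(pkt.dst_if, pkt.src_if, pkt.dst, pkt.src)
        if reverse in self.connections:
            return True
        # Outbound (more protected -> less protected) creates a connection;
        # equal levels and inbound are denied without an explicit rule.
        if self.levels[pkt.src_if] > self.levels[pkt.dst_if]:
            self.connections.add(pkt)
            return True
        return False
```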
