Lch hc

Ngy 1 Ngy 2 Ni Dung Mc Tiu Bi 2: Bi 1 : Cc bc u lm quen v ng quan v Cisco T L ch Hc: Trong 5 ngy cu hnh thit b bo mt ca Firewall Cisco (continue) Sng t 9h-11h30 Bi 3: Bi 2: Chi u t 14h-16h30Qun l thit b bo mt Cc bc u lm quen
v cu hnh thit b bo mt ca Cisco cisco ASA Bi 4: Access Control Lists

Ngy 3
Bi 5: Cisco Adaptive Security Device Manager Bi 6: Firewall Switch Modules (FWSM)

O TO Bo mt - Cisco Firewall

Sng 8h30-11h30 L thuyt

Chiu 14h-17h00 Thc hnh

Bi 1 :Thit lp console n thit b firewall Bi 2: Thc hin mt s cu lnh c bn Bi 3: Cu hnh cc interface

Bi 4: Cu hnh NAT v cu hnh nh tuyn Bi 5: Kim tra kt ni ti cc cng Inside, Outside, v DMZ Bi 6 :Cu hnh Access-lists (ACLs) trn firewall Bi 7: Qun tr Cisco firewall

Gii thiu
Ngi trnh by: 1. H Tn 2. V tr cng tc 3. Kinh nghim

Hc vin gii thiu 1. H tn 2. V tr cng tc 3. Nhng kinh nghim v bo mt mng

Bi 1 Tng quan v Cisco Firewall

Firewall l g ?
DMZ Vng mng

Cc cng ngh v Firewall

Firewall hot ng c da trn mt trong ba cng ngh :

Packet filtering Proxy server Stateful packet filtering

Internet

Outside Vng mng

Inside Vng mng

Firewall l mt h thng hoc mt nhm cc h thng Kim sot quyn truy cp gia hai hoc nhiu vng mng. .

Packet Filtering

Proxy Server

DMZ: Server B

Proxy Server

Host A Internet

Data

Inside: Server C Internet

Data

C AB-Yes AC-No

Outside Network

Inside Network

Vic Kim sot truy nhp thng tin da vo a ch ngun V a ch ch ca gi tin gi n

Cc kt ni t c thng qua mt my ch i din trung gian.

Stateful Packet Filtering

DMZ: Server B

H thng bo mt ca Cisco
H thng bo mt ca cisco cung cp gii php an ninh , bo mt hng ti cc i tng khch hng. Mt s tnh nng ca thit b an ning bo mt ca cisco nh sau:

Host A

Data Internet

HTTP

Inside: Server C

Vic Kim sot truy nhp thng tin khng ch da vo a ch ngun V a ch ch ca gi tin gi n m cn da vo bng trng thi (state table)

State Table
Source address Destination address Source port Destination port Initial sequence no. Ack Flag
192.168.0.20 172.16.0.50 1026 80 49769 10.0.0.11 172.16.0.50 1026 80 49091

H iu hnh ring bit Stateful packet inspection Xc thc ngi dng Theo di, gim st cc ng dng v giao thc Modular policy framework Mng ring o (VPN) Cc ng cnh bo mt (cc firewall o) Stateful failover Transparent firewalls Qun tr da trn giao din web

Syn

Syn

H iu hnh ring bit

Stateful Packet Inspection

Vic s dng h iu hnh ring bit loi tr c cc nguy c bo mt khi s dng chung vi cc h iu hnh khc

Gii thut kim tra gi tin -statefull packet inspection cung cp cc kt ni bo mt . Mc nh, gii thut ny cho php kt ni t my vng trong (cp bo mt cao hn) sang cc vng c cp bo mt thp hn Mc nh, gii thut ny chn cc kt ni t my vng ngoi (cp bo mt thp hn ) sang cc vng c cp bo cao hn Gii thut ny h tr xc thc, y quyn v theo di.

Nhn din ng dng

FTP Server System Engineer Client Executives
Data Control Port Port 20 21 Data - Port 2010 Control Data Port Port 2008 2010

Modular Policy
Internet Headquarters T1
exec SE

Internet

S2S

S2S

Site C
Port 2010 OK Data

Site B

Class Map
C giao thc nh FTP, HTTP, H.323, and SQL*Net cn cc kt ni t Nhiu port khc nhau truyn d liu qua firewall . Thit b bo mt s theo di qu trnh kt ni ny. Cc port cn cho kt ni s c m mt cch an ton theo tng ng dng.
Traffic Flow Default Internet Systems Engineer Executives Site to Site

Policy Map
Services Inspect IPS Police Priority

Service Policy
Interface/Global Global Outside

Mng ring o (VPN)

Cc ng cnh bo mt
4 thit b firewall tht 1 thit b firewall tht 4 thit b firewall o

BA

NK

BA

NK

Site to Site Internet

IPsec VPN SSL VPN

Headquarters Remote Access

Internet

Internet

Cung cp kh nng to nhiu firewall o trn mt thit b firewall tht

Kh nng Failover : Active/Standby, Active/Active, v Stateful Failover

Failover: Active/Standby Failover: Active/Active

Transparent Firewall

Contexts

192.168.1.5

1 Primary: Failed Firewall Secondary: Active Firewall Primary: Failed/Standby

2 192.168.1.2 Secondary: Active/Active

Internet

Internet

Internet

Kh nng d phng (Failover) m bo kt ni mng c thng sut khi mt thit b hng.. Active/standby: mt thit b s chy chnh, mt thit b s d phng. Active/Active: C hai thit b u chy , chia ti v d phng ln nhau. Stateful failover: duy tr trng thi kt ni khi mt thit b kt ni chnh hng.

C kh nng trin khai thit b bo mt layer 2 Cho php bo mt t layer 2 n layer 7 v hot ng nh mt thit b layer 2

Gii php qun tr dng web

Cc loi firewall ca cisco v tnh nng

Adaptive Security Device Manager (ASDM)

Cc dng sn phm ASA 5500

ASA 5550

Cc dng sn phm PIX 500

PIX 535

PIX 525 ASA 5540 PIX 515E

Gi

ASA 5520

Gi

PIX 506E ASA 5510 ASA 5505 PIX 501

Gigabit Ethernet Cc vn phng ROO DN nh Doanh nghip ln SP Cc SOHO vn phng ROBO DN nh

Gigabit Ethernet Doanh nghip ln SP

Chc nng

SP = service provider ( nh cung cp dch v)

Chc nng

Thit b bo mt Cisco ASA 5510

Nng cao an ninh v cung cp dch v mng, bao gm c cc dch v VPN, cho cc doanh nghip nh.
Cung cp ln ti 130,000 kt ni ng thi. Thng lng c th p ng ti 300-Mbps Cc interface c h tr: Ln ti 5 cng 10/100 Fast Ethernet Ln ti 25 VLANs Ln ti 5 ng cnh (contexts) H tr failover Active/standby H tr VPNs Site to site (250 peers) Remote access WebVPN H tr thm cc module SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, v Gigabit Ethernet SSM loi 4 port)

Thit b bo mt Cisco ASA 5520

Cung cp cc dch v bo mt , k c vpn cho cc doanh nghip c va. Cung cp ln ti 280,000 kt ni ng thi. Thng lng c th p ng 450-Mbps Cc interface c h tr: 4 10/100/1000 Gigabit Ethernet interfaces 1 10/100 Fast Ethernet interface Ln ti 100 VLANs Ln ti 20 contexts H tr failover Active/standby Active/active H tr VPNs Site to site (750 peers) Remote access WebVPN H tr thm cc module SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, v Gigabit Ethernet SSM loi 4 port)

Thit b bo mt Cisco ASA 5540

Cung cp cc dch v cn hiu qu cao, cc loi dch v bo mt , k c vpn cho cc doanh nghip ln v cc nh cung cp dch v. Cung cp ln ti 400,000 kt ni ng thi Thng lng p ng 650-Mbps Cc interface h tr: 4 10/100/1000 Gigabit Ethernet interfaces 1 10/100 Fast Ethernet interface Ln ti 200 VLANs Ln ti 50 contexts H tr failover Active/standby Active/active H tr VPNs Site to site (5,000 peers) Remote access WebVPN H tr thm c module SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port Gigabit Ethernet SSM)

Cc thit b bo mt ASA 5510, 5520, v 5540 mt pha trc

CSI1

Status Power Active

Flash VPN

Slide 26 CSI1 note from graphics: the callout info does not match the photo
Cisco Systems, Inc., 27-Mar-07

Cc thit b bo mt ASA 5510, 5520, v 5540 mt pha sau

B nh flash

Cc module SSMs

Cc interface c nh

Cc thit b bo mt ASA 5510, 5520, v 5540 cng kt ni

B nh Flash Cng qun tr outband Cng Console Ngun in (AC hoc DC)

Cisco ASA Security Services Module

Module cung cp cc dch v m rng cho thit b bo mt S dng b nh flash tng cng tin cy C cng Gigabit ethernet cho php qun tr outband

4 cng 10/100/1000 Gigabit Ethernet 2 cng USB 2.0 *Vi thit b bo mt ASA 5510 h tr cng 10/100

Cng AUX

Cc kiu module SSM

SSM-10 B x l 2.0-GHz 1.0 GB RAM SSM-20 B x l 2.4-GHz 2.0 GB RAM
Link and activity Speed

SSM loi 4 port Gigabit ethernet

RJ-45 link LED RJ-45 speed LED SFP link LED SFP speed LED

power

Status

RJ-45 ports

Status LED Power LED

SFP ports

Tm tt

Firewall l thit b kim sot truy nhp t vng mng ny sang vng mng khch Statefull firewall l thit b hot ng hiu qu nht. Thit b bo mt ca cisco bao gm PIX v ASA . Cc thit b bo mt ASA 5510, 5520 nhm ti th trng cc doanh nghip va v nh. Cc chc nng ca thit b bo mt c th c m rng nh vo SSMs.

B i 2 Cc bc u lm quen v cu hnh thit b bo mt ca Cisco

Cc ch truy nhp
Giao din ngi s dng

Thit b bo mt Cisco c 4 ch truy nhp nh sau :

Unprivileged Privileged Configuration Monitor
ciscoasa> ciscoasa# ciscoasa(config)# monitor>

Ch Privileged
ciscoasa#
Internet

Ch Configuration : cu lnh configure terminal

configure terminal
Dng lnh ny ng nhp vo ch Configuation ciscoasa#

exit
Lnh exit dng thot khoi ch hin ti, tr v ch trc ciscoasa>

enable [priv_level]
Lnh ny cho php truy nhp vo ch Priviledged ciscoasa> enable password: ciscoasa#

ciscoasa> enable password: ciscoasa# configure terminal ciscoasa(config)# exit ciscoasa# exit ciscoasa>

Lnh help
ciscoasa > enable exit login logout perfmon ping quit help ? Turn on privileged commands Exit the current command mode Log in as a particular user Exit from current user profile to unprivileged mode Change or view performance monitoring options Test connectivity from specified interface to an IP address Exit the current command mode

Qun l v lu tr cc File cu hnh

ciscoasa > help enable USAGE: enable [<priv_level>]

Xem v lu li cu hnh

Xa cu hnh ang chy running-config

Xa cu hnh ang chy : clear config all

Cc lnh di y cho php xem cu hnh:

show running-config show startup-config lu li cu hnh thay i, dng lnh: copy run start
startupconfig (saved) runningconfig Cu hnh thay i

startupconfig

Cc lnh di y cho php lu cu hnh

copy run start write memory

runningconfig (default)

ciscoasa(config)#

clear configure all

Xa cu hnh ang chy

ciscoasa(config)# clear config all

Xa cu hnh lc khi ng startup-config

Xa cu hnh lc khi ng : write erase startupconfig (default) runningconfig ciscoasa#

Khi ng li thit b : lnh reload

reload [at hh:mm [month day | day month]] [cancel] [in [hh:]mm] [max-hold-time [hh:]mm] [noconfirm] [quick] [reason text] [save-config]
Khi ng li , thit b s t ng ly li cu hnh startup-config copy vo running-config chy.

ciscoasa#

write erase
Xa cu hnh lc khi ng

ciscoasa# reload Proceed with reload?[confirm] y Rebooting...

ciscoasa# write erase

File h thng

Hin th cc file lu tr : file h thng v file cu hnh

Internet

Release 7.0
and later
ciscoasa#

Software image Configuration file Private data ASDM image Backup image* Backup configuration file*

ASA disk0: disk1:

PIX flash:

dir [/all] [/recursive] [all-filesystems] [disk0: | disk1: | flash: | system:]

Hin th ni dung ca a .

ciscoasa# dir Directory of disk0:/ 8 -rw- 8202240 13:37:33 Jul 28 2006 1264 -rw- 5539756 13:21:13 Jul 28 2006 62947328 bytes total (49152000 bytes free)

asa721-k8.bin asdm-521.bin

Cc mc bo mt (security levels)
Kim tra trng thi ca thit b bo mt Vng DMZ
GigabitEthernet0/2 Security level 50 Interface name = DMZ
g0/2

Internet
g0/0 g0/1

Vng Outside
GigabitEthernet0/0 Security level 0 Interface name = outside

Vng Inside
GigabitEthernet0/1 Security level 100 Interface name = inside

Cu lnh show
asa1# show run interface . . . interface GigabitEthernet0/0 speed 1000 duplex full nameif outside security-level 0 ip address 192.168.1.2 255.255.255.0 ! interface GigabitEthernet0/1 speed 1000 duplex full nameif inside security-level 100 ip address 10.0.1.1 255.255.255.0 . . .

Lnh show memory

ciscoasa#

show memory
show run interface

asa1# show memory Free memory: Used memory: ------------Total memory: 468962336 bytes (87%) 67908576 bytes (13%) ---------------536870912 bytes (100%)

show interface

asa1# show interface Interface GigabitEthernet0/0 "outside", is up, line protocol is up Detected: Speed 1000 Mbps, Full-duplex Requested: Auto MAC address 000b.fcf8.c538, MTU 1500 IP address 192.168.1.2, subnet mask 255.255.255.0 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 packets output, 0 bytes, 0 underruns input queue (curr/max blocks): hardware (0/0) software (0/0) output queue (curr/max blocks): hardware (0/0) software (0/0) Received 0 VLAN untagged packets, 0 bytes Transmitted 0 VLAN untagged packets, 0 bytes Dropped 0 VLAN untagged packets

Lnh show cpu usage

Lnh show version

asa1# show version Cisco Adaptive Security Appliance Software Version 7.2(1) Device Manager Version 5.2(1)
10.0.1.11

Internet

10.0.1.4

Compiled on Wed 31-May-06 14:45 by root System image file is "disk0:/asa721-k8.bin" Config file at boot was "startup-config" ciscoasa up 2 mins 51 secs

ciscoasa#

show cpu usage

Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz Internal ATA Compact Flash, 64MB BIOS Flash AT49LW080 @ 0xffe00000, 1024KB . . .

asa1# show cpu usage CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

Lnh show ip address

Lnh show interface

asa1# show interface Interface GigabitEthernet0/0 "outside", is up, line protocol is up Hardware is i82546GB rev03, BW 1000 Mbps Full-Duplex(Full-duplex), 100 Mbps(100 Mbps) MAC address 0013.c482.2e4c, MTU 1500 IP address 192.168.1.2, subnet mask 255.255.255.0 8 packets input, 1078 bytes, 0 no buffer Received 8 broadcasts, 0 runts, 0 giants 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 L2 decode drops 0 packets output, 0 bytes, 0 underruns 0 output errors, 0 collisions 0 late collisions, 0 deferred input queue (curr/max blocks): hardware (8/0) software (0/0) output queue (curr/max blocks): hardware (0/0) software (0/0) Traffic Statistics for "outside": 8 packets input, 934 bytes 0 packets output, 0 bytes 8 packets dropped 1 minute input rate 0 pkts/sec, 0 bytes/sec 1 minute output rate 0 pkts/sec, 0 bytes/sec 1 minute drop rate, 0 pkts/sec 5 minute input rate 0 pkts/sec, 0 bytes/sec 5 minute output rate 0 pkts/sec, 0 bytes/sec 5 minute drop rate, 0 pkts/sec

172.16.1.0

.1 10.0.1.0 10.1.1.0 .1

Internet

192.168.1.0 .2 .1

asa1# show ip address System IP Addresses: Interface GigabitEthernet0/0 GigabitEthernet0/1 GigabitEthernet0/2 Current IP Addresses: Interface GigabitEthernet0/0 GigabitEthernet0/1 GigabitEthernet0/2

Name outside inside dmz

IP address 192.168.1.2 10.0.1.1 172.16.1.1

Subnet mask 255.255.255.0 255.255.255.0 255.255.255.0

Method CONFIG CONFIG CONFIG

Name outside inside dmz

IP address 192.168.1.2 10.0.1.1 172.16.1.1

Subnet mask 255.255.255.0 255.255.255.0 255.255.255.0

Method CONFIG CONFIG CONFIG

Lnh show nameif

GigabitEthernet0/2 Interface name = dmz Security level = 50

Lnh show run nat

g0/2
Internet

Internet X.X.X.X 10.0.1.X

10.0.1.11

g0/0
GigabitEthernet0/0 Interface name = outside Security level = 0

g0/1
GigabitEthernet0/1 Interface name = inside Security level = 100

NAT
10.0.1.4

ciscoasa#

show run nat

asa1# show nameif Interface GigabitEthernet0/0 GigabitEthernet0/1 GigabitEthernet0/2

Hin th host hoc c mt gii a ch c NAT

Name outside inside dmz 0 100 Security

50

asa1# show run nat nat (inside) 1 10.0.1.0 255.255.255.0 0 0

Lnh show run global

Lnh show xlate

Internet 10.0.1.X Mapped Pool 192.168.1.20-192.168.1.254

Internet
10.0.1.11

192.168.1.20
Outside mapped pool
192.168.1.20

10.0.1.11
Inside local
10.0.1.11

10.0.1.11

10.0.1.4

Xlate Table

10.0.1.4

ciscoasa#

ciscoasa#

show run global

Hin th gii a ch s c map cho cc host bn trong

show xlate
Displays the contents of the translation slots

asa1# show run global global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0

asa1# show xlate 1 in use, 1 most used Global 192.168.1.20 Local 10.0.1.11

Lnh show route

172.16.1.0

Lnh ping

g0/2 Internet
ciscoasa#
192.168.1.0 .1 10.0.1.0

Internet 10.0.1.11

g0/0

g0/1

show route [interface_name [ip_address [netmask [static]]]]

Hin th bng thng tin nh tuyn
ciscoasa#

10.0.1.4 ping [if_name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]
Kim tra s tn ti ca mt host trn mng

asa1(config)# show route S 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside C 10.0.1.0 255.255.255.0 is directly connected, inside C* 127.0.0.0 255.255.0.0 is directly connected, cplane C 172.16.1.0 255.255.255.0 is directly connected, dmz C 192.168.1.0 255.255.255.0 is directly connected, outside

asa1# ping 10.0.1.11 Sending 5, 100-byte ICMP Echos to 10.0.1.11, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

Lnh traceroute
Cu hnh c bn thit b Cisco firewall
Internet example.com

ciscoasa#

traceroute {destination_ip | hostname} [source source_ip | sourceinterface] [numeric] [timeout timeout_value] [probe probe_num] [ttl min_ttl max_ttl] [port port_value] [use-icmp]
Kim tra ng i ca gi tin n ch

asa1#traceroute 172.26.26.20

Cu hnh dng lnh c bn

Thay i tn (hostname)
New York ( asa1)

hostname interface nameif ip address security-level speed duplex no shutdown nat-control nat global route

Server Boston (asa2)

Internet

Server Dallas (asa3)

g0/2
Internet

Server

g0/0

g0/1 ciscoasa(config)#

hostname newname
Thay i hostname s dng dng lnh.

ciscoasa(config)# hostname asa1 asa1(config)#

Cc lnh vi interface
GigabitEthernet0/2
g0/2

Gn tn cho interface: lnh nameif

GigabitEthernet0/2 Interface name = dmz

Internet
g0/0 g0/1

g0/2
Internet GigabitEthernet0/1

GigabitEthernet0/0

g0/0
GigabitEthernet0/0 Interface name = outside

g0/1
GigabitEthernet0/1 Interface name = inside

ciscoasa(config)#

ciscoasa(config-if)# interface {physical_interface[.subinterface] | mapped_name}

nameif if_name
Vo ch cu hnh ring ca tng interface

Gn tn cho interface l outside. asa1(config)# interface GigabitEthernet0/0 asa1(config-if)#

asa1(config)# interface GigabitEthernet0/0 asa1(config-if)# nameif outside

Gn a ch IP cho interface: Lnh ip address

g0/2
Internet

Nhn a ch IP ng (DHCP)
Nhn DHCP

g0/0

g0/1

Internet

g0/0
GigabitEthernet0/0 Interface name = outside IP address = dhcp ciscoasa(config-if)#

ciscoasa(config-if)#

GigabitEthernet0/0 Interface name = outside IP address = 192.168.1.2

ip address ip_address [mask] [standby ip_address]

Gn a ch IP cho tng interface

ip address dhcp [setroute]

Cho php nhn a ch ng interface outside

asa1(config)# interface GigabitEthernet0/0 asa1(config-if)# nameif outside asa1(config-if)# ip address 192.168.1.2 255.255.255.0

asa1(config)# interface GigabitEthernet0/0 asa1(config-if)# nameif outside asa1(config-if)# ip address dhcp

Gn mc bo mt: lnh security-level

g0/2
Internet

Cho php cc interface cng mc bo mt :lnh same-security-traffic

DMZ Network
GigabitEthernet0/2 Security level 100 Interface name = dmz

g0/0
GigabitEthernet0/0 Interface name = outside IP address = 192.168.1.2 Security level = 0

g0/1
g0/2

Internet
g0/0

ciscoasa(config-if)#

g0/1

security-level number
Gn mc bo mt cho interface

Inside Network
GigabitEthernet0/1 Security level 100 Interface name = inside

asa1(config)# interface GigabitEthernet0/0 asa1(config-if)# nameif outside asa1(config-if)# ip address 192.168.1.2 asa1(config-if)# security-level 0

ciscoasa(config)#

same-security-traffic permit {inter-interface | intra-interface}

Cho php d liu gia cc interface cng mc bo mt hoc trn chnh interface .

asa1(config)# same-security-traffic permit inter-interface

Thit lp tc v duplex : lnh speed v duplex

GigabitEthernet0/0 Speed =1000 Duplex = full

Interface qun tr ca ASA

Management0/0 Management only = no

g0/2 Internet g0/1 ciscoasa(config-if)#

g0/2 m0/0 g0/0 g0/1

Internet g0/0
ciscoasa(config-if)# speed {10 | 100 | 1000 | auto | nonegotiate} duplex {auto | full | half} Thit lp tc v duplex cho interface asa1(config)# interface GigabitEthernet0/0 asa1(config-if)# nameif outside asa1(config-if)# ip address 192.168.1.2 asa1(config-if)# security-level 0 asa1(config-if)# speed 1000 asa1(config-if)# duplex full

management-only
Cu hnh interface ch chp nhn d liu qun tr

no management-only
Tt chc nng ch chp nhn d liu qun tr

asa1(config)# interface management0/0 Disables management-only mode (for ASA 5520, 5540 and 5550) asa1(config-if)# no management-only

Bt hoc tt Interfaces: lnh shutdown

g0/2 Internet g0/0
GigabitEthernet0/0 Enabled

Network Address Translation (NAT)

g0/1
192.168.0.20

NAT
10.0.0.11 10.0.0.11 192.168.10 .11

Internet

ciscoasa(config-if)#

shutdown
Lnh shutdown s tt (disabled) interface Lnh no shutdown = bt (enabled) interface Disables management-only modeGigabitEthernet0/0 (for ASA 5520, 5540 and 5550) asa1(config)# interface Bng dch chuyn a ch

Outside Mapped Pool 192.168.0.20

Inside Local 10.0.0.11

10.0.0.4

asa1(config-if)# no shutdown

Bt chc nng kim sot NAT

Cu lnh nat

NAT
Internet
192.168.0.20 10.0.0.11 10.0.0.11 200.200.200.11 X.X.X.X 10.0.1.11 10.0.1.11

Internet

NAT
10.0.1.4

Translation Table

Outside Mapped Pool 192.168.0.20

Inside Local 10.0.0.11

10.0.0.4

ciscoasa(config)#

nat (if_name) nat_id address [netmask] [dns]

Cho php NAT gii a ch

bt chc nng kim sot NAT

asa1(config)# nat-control

asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0

Cu lnh global

Cu hnh Route tnh: lnh route

Default Route Route tnh

Internet
10.0.1.11 192.168.1.20 10.0.1.11

Internet 192.168.1.1 10.0.1.102

10.1.1.11

NAT ciscoasa(config)#
10.0.1.4

ciscoasa(config)#
10.1.1.4

global(if_name) nat_id {mapped_ip[-mapped_ip] [netmask mapped_mask]} | interface

Cu lnh ny kt hp vi cu lnh nat gn mt gii a ch public IP map cho cc my vng inside , v d, 192.168.0.20-192.168.0.254 asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 asa1(config)# global (outside) 1 192.168.1.20-192.168.1.254

route if_name ip_address netmask gateway_ip [metric]

Cu hnh route tnh, default route cho mt interface asa1(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 asa1(config)# route inside 10.1.1.0 255.255.255.0 10.0.1.102 1

Cu hnh map hostname- IP: cu lnh name

bastionhost 172.16.1.2 172.16.1.0 .2 .1

Cu hnh mu
172.16.1.0

.1 10.0.1.0 10.1.1.0 .1 .1 GigabitEthernet0/1 Interface name = inside Security level = 100 IP address = 10.0.1.1

Internet

10.0.1.0 .1 .11

insidehost 10.0.1.11

Internet

192.168.1.0 .2 GigabitEthernet0/0 Interface name = outside Security level = 0 IP address = 192.168.1.2

ciscoasa(config)#

name ip_address name

Cu hnh cc a ch IP ca server tng ng vi cc tn

asa1(config)# names asa1(config)# name 172.16.1.2 bastionhost asa1(config)# name 10.0.1.11 insidehost

asa1(config)# write terminal . . . interface GigabitEthernet0/0 speed 1000 duplex full nameif outside security-level 0 ip address 192.168.1.2 255.255.255.0 interface GigabitEthernet0/1 speed 1000 duplex full nameif inside security-level 100 ip address 10.0.1.1 255.255.255.0 . . .

Cu hnh mu (tip.)
bastionhost 172.16.1.2 172.16.1.0 .1 .2 .1 GigabitEthernet0/2 Interface name = dmz Security level = 50 IP address = 172.16.1.1 10.0.1.0 10.1.1.0 .1

Cu hnh mu (Tip.)

insidehost 10.1.1.11

bastionhost 172.16.1.2

Internet

192.168.1.0

Default Route

172.16.1.0

.2 .1 10.0.1.0

Route tnh
10.1.1.0 .102 .1

insidehost 10.1.1.11

Internet
interface GigabitEthernet0/2 nameif dmz security-level 50 speed 1000 duplex full ip address 172.16.1.1 255.255.255.0 passwd 2KFQnbNIdI.2KYOU encrypted hostname asa1 names name 172.16.1.2 bastionhost name 10.1.1.11 insidehost

192.168.1.0 .1 .2

.1

Mapped Pool 192.168.1.20 - 254

10.0.0.0

nat-control nat (inside) 1 0.0.0.0 0.0.0.0 0 0 global (outside) 1 192.168.1.20-192.168.1.254 route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 route inside 10.1.1.0 255.255.255.0 10.0.1.102 1

Tm tt
Thit b bo mt cisco asa c 4 ch qun tr chnh l : unprivileged, privileged, configuration, v monitor. C hai b nh dng lu cu hnh bao gm : running configuration v startup configuration. Lnh show running-config hin th cu hnh ang lu b nh RAM ln mn hnh S dng lnh copy run start hoc write memory lu cu hnh . Interface vi mc bo mt cao hn c th truy nhp interface vi mc bo mt thp hn, nhng ngc li th khng c, tr khi c cu hnh access-list cho php. Lnh show gip hin th cc tham s qun l thit b. Cc lnh c bn u cu hnh cisco firewall bao gm : interface, nat, global, v route. Lnh nat v global hot ng ng thi dch chuyn a ch IP.

B i 3

Qun l thit b bo mt cisco ASA

Cu hnh telnet
Cu hnh qun l truy cp t xa
Internet

Telnet

10.0.0.11

ciscoasa(config)#

telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}

Cho php ta cu hnh nhng host c php telnet ti cisco firewall ciscoasa(config)#

passwd password [encrypted]

Cu hnh mt khu dng cho vic telnet ti cisco firewall

asa1(config)# telnet 10.0.0.11 255.255.255.255 inside asa1(config)# telnet timeout 15 asa1(config)# passwd telnetpass

Xem v xa cu hnh Telnet

ciscoasa#

Cu hnh cho php truy nhp SSH

Kt ni SSH ti cisco firewall:
Cung cp gii php truy nhp t xa an ton, bo mt Xc thc v m ha mnh i hi cp kha RSA trn firewall Yu cu kha kich hot 3DES/AES hoc DES Cho php 5 phin SSH kt ni cng lc. S dng mt khu ca telnet cho vic truy nhp

show running-config telnet [timeout]

Hin th cu hnh cc my c cho php telnet ciscoasa(config)#

clear configure telnet

Xa cu hnh telnet ciscoasa#

who [local_ip]
Cho php xem user no ang c phin telnet ti thit b ciscoasa#

kill telnet_id
Kick mt phin telnet

Cu hnh SSH
username: pix ciscoasa(config)# ciscoasa(config)#

Cu hnh mu

crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]

G b cp kha RSA c ciscoasa(config)#

crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]
To cp kha RSA mi ciscoasa(config)#

password: telnetpassword

SSH
Internet

172.26.26.50

write memory
Lu li cu hnh

ssh {ip_address mask | ipv6_address/prefix} interface

Cho php nhng host ch nh c php kt ni ssh ti. ciscoasa(config)#

asa1(config)# crypto key zeroize rsa asa1(config)# write memory asa1(config)# domain-name cisco.com asa1(config)# crypto key generate rsa modulus 1024 asa1(config)# write memory asa1(config)# ssh 172.26.26.50 255.255.255.255 outside asa1(config)# ssh timeout 30

ciscoasa(config)#

domain-name name
Cu hnh domain-name

ssh timeout number

Lng thi gian idle trc khi kt ni b ngt

Xem cu trc th mc
Qun l phn mm, cu hnh, license
Internet

dir 192.168.0.0 ciscoasa#

10.0.0.11

10.0.0.3

dir [/all] [/recursive] [all-filesystems | [disk0: | disk1: | flash: | system:] path]

Hin th ni dung ca th mc hay a cn xem
asa1# dir Directory of disk0:/ 4346 -rw- 8202240 15:01:10 Oct 19 2006 6349 -rw- 5539756 15:30:39 Oct 19 2006 7705 -rw- 3334 07:03:57 Oct 22 2006 asa721-k8.bin asdm521.bin old_running.cfg

62947328 bytes total (29495296 bytes free)

C th s dng lnh pwd xem ng dn ca th mc hin thi.

Copy files

Backup & restore file cu hnh

10.0.0.11

copy
Internet

10.0.0.11

Internet

192.168.0.0 192.168.0.0 10.0.0.3 ciscoasa#

config

10.0.0.3

FTP server

copy ftp: startup-config

ciscoasa#

copy [/noconfirm | /pcap] {url | running-config | startup-config} {running-config | startup-config | url}

Copy file t th mc ny sang th mc khc

Copy file cu hnh t ftp server ciscoasa#

copy running-config ftp: asa1# copy disk0:MYCONTEXT.cfg startup-config

Copy file MYCONTEXT.cfg t disk0 vo startup configuration Copy file cu hnh sang FTP server

Xem thng tin v phin bn

Nng cp h iu hnh
Internet

version?

10.0.0.11

10.0.0.3
ciscoasa#

show version
Hin th thng tin v phin bn, cu hnhphaanf cng, license key, v thi gian thit b chy.
asa1# show version Cisco Adaptive Security Appliance Software Version 7.2(1) Device Manager Version 5.2(1) Compiled on Wed 31-May-06 14:45 by root System image file is disk0:/asa721-k8.bin Config file at boot was startup-config asa1 up 17 hours 40 mins . . .

Nng cp phin bn
10.0.0.11
Internet

Summary
SSH cung cp kt ni qun tr t xa mt cch an ton, bo mt. TFTP c s dng nng cp image cho cisco firewall.. telnet c th c cu hnh trn tt c cc interface ca cisco firewall.

TFTP

10.0.0.3

ciscoasa#

copy tftp://server[/path]/filename flash:/filename

Copy file image nng cp t tftp server

asa1# copy tftp://10.0.0.3/asa721-k8.bin flash

TFTP server a ch 10.0.0.3 khi nhn c yu cu download ca cisco asa s t ng ti image xung flash ca cisco asa

Cu hnh ACLs trn cisco firewall

Internet
Outside ACL for Inbound Access Inside ACL for Outbound Access

B i 4
ACL trn interface chn hoc cho php cc gi tin n hoc i khi interface . Mt ACL ch cn m t c gi tin khi to ca ng dng, chiu tr v khng cn thit phi c trong ACL.

Access Control Lists (ACLs)

Nu khng c ACLs no c cu hnh trn interface th : Mc nh gi tin t inside Mc nh gi tin t outside outside c cho qua (outbound). inside b chn (inbound)

D liu Inbound ti DMZ Web Server

DMZ
Public Web Server

Cu hnh NAT tnh cho web server

DMZ
172.16.1.2 Public Web Server

Inbound
Internet

X
.2 10.0.1.0

Inside
Internet

192.168.1.9 192.168.1.0 .1 .2 10.0.1.0

Inside

192.168.1.0 .1

Outside

Outside

Khng c ACL, mc nh d liu inbound s b chn. cho php d liu inbound, lm theo nh sau:
Cu hnh NAT tnh cho Web server Cu hnh inbound ACL Gn ACL cho interface Outside asa1(config)# static (DMZ,outside) 192.168.1.9 172.16.1.2 0 0
nh x mt a ch trong vng inside 172.16.1.2 tng ng vi mt a ch public 192.168.1.9.

Cu lnh: access-list
Cho php d liu Inbound HTTP Internet
ciscoasa(config)#

Cu lnh: access-group
Gn ACL cho interface
Inside

DMZ
172.16.1.2 Public Web Server

DMZ
Public Web Server

192.168.1.9 192.168.1.0 .1 .2 10.0.1.0

Inside
Internet
192.168.1.0 .1 .2 10.0.1.0

Outside

access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id}{host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | objectgroup icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]

Outside
ciscoasa(config)#

access-group access-list {in | out} interface interface_name [per-user-override]

Gn ACL cho interface

asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq www

Cho php t bn ngoi c truy nhp web server DMZ server

asa1(config)# access-group ACLOUT in interface outside

Cu lnh: show access-list

ICMPDMZ
Internet

Cu lnh: clear access-list counters

Web Server 172.16.1.2

ACLOUT 192.168.1.0

ACLIN

192.168.6.10 Internet

192.168.1.9

ACLIN

192.168.6.10

ACLOUT

asa1(config)# show access-list access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300 access-list ACLOUT; 4 elements access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=4)0x984ebd70 access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=1) 0x53490ecd access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=8) 0x83af39ca access-list ACLOUT line 4 extended deny ip any any (hitcnt=4) 0x2ca30385 access-list ICMPDMZ; 1 elements access-list ICMPDMZ line 1 extended permit icmp host bastionhost any echo-reply

asa1(config)# clear access-list ACLOUT counters asa1(config)# show access-list access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300 access-list ACLOUT; 4 elements access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=0) 0x984ebd70 access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=0) 0x53490ecd access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=0) 0x83af39ca access-list ACLOUT line 4 extended deny ip any any (hitcnt=0) 0x2ca30385

ACL Logging
ciscoasa(config)#

Ch thch cho ACL

access-list id [line line-number] remark text

Internet

Chn vo li ch thch cho access-list

ACL Syslog Messages

ciscoasa(config)#

Syslog Server

asa1(config)# access-list ACLOUT line 2 remark WebMailA access-list

asa1(config)# show access-list access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alertinterval 300 access-list ACLOUT; 6 elements access-list ACLOUT line 1 extended permit tcp any host 192.168.1.7 eq www (hitcnt=0) 0x3df6ed1e access-list ACLOUT line 2 remark WebMailA access-list access-list ACLOUT line 3 extended permit tcp any host 192.168.1.8 eq www (hitcnt=0) 0xd5383eba access-list ACLOUT line 4 extended permit tcp any host 192.168.1.9 eq www (hitcnt=0)0x2c4288ad access-list ACLOUT line 5 extended permit tcp any host 192.168.1.10 eq www (hitcnt=0) 0xb70c935b access-list ACLOUT line 6 extended permit tcp any host 192.168.1.11 eq www (hitcnt=0) 0x8b43382e

access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id}{host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]

former line 2

asa1(config)# access-list OUTSIDE-ACL permit icmp any host 192.168.1.11 log 7 interval 600
Cho php log li cc gi tin icmp ti 192.168.1.11

Cu hnh ACL cho inbound http

DMZ
172.16.1.2 Public Web Server

Cu lnh : icmp

Internet
Inside ciscoasa(config)#

Outside ICMP

Inside

Inbound
192.168.1.9

Internet
.1

192.168.1.0 .2 10.0.1.0

Outside asa1(config)# static (DMZ,outside) 192.168.1.9 172.16.1.2 0 0 asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq www asa1(config)# access-group ACLOUT in interface outside
Cho php t bn ngoi truy nhp vo trang web ca DMZ server.

icmp {permit | deny} {host sip | sip smask | any} [icmp-type] if_name
Cho php hoc khng cho php ping n interface

asa1(config)# icmp permit any outside

Cho php ping t bn ngoi vo interface

Tm tt
ACLs cho php h thng xc nh kt ni no s c php i qua. Vi ICM ACLs , ta c th gip cho h thng khng b pht hin .

B i 5 Cisco Adaptive Security Device Manager (ASDM)

ASDM l g ?
Tng quan v ASDM

Internet SSL Secure Tunnel

ASDM l mt cng c cu hnh, qun l thit b bo mt ca cisco, c da trn giao din web.

Cc tnh nng ca ASDM

Cc yu cu i vi cisco firewall chy ASDM

Thit b bo mt ca Cisco cn p ng cc yu cu sau chy ASDM:
Kha kch hot DES hoc 3DES H tr java-plugin H iu hnh ca firewall phi tng thch vi ASDM s ci t. Phn cng tng thch.

Chy a nn Hot ng da trn my o java S dng SSL m bo kt ni an ton, bo mt c ti trc vo b nh flash vi cc dng cisco ASA v Cisco PIX version 7.2 v mi hn. Phin kt ni ASDM 5 phin kt ni ASDM i vi mt thit b (single mode) 32 phin ni nu ch multiple mode Hot ng trn cc thit b bo mt : PIX 515E, 525, v 535* Hot ng trn cc thit b bo mt :Cisco ASA 5505, 5510, 5520, 5540, v 5550

* ASDM phin bn 5.2 i hi thit b bo mt chy h iu hnh phin bn 7.2.

Yu cu v trnh duyt web vi ASDM trnh duyt web c th chy c ASDM, cn nhng yu cu sau :
JavaScript v Java c cho php chy trong trnh duyt. SSL c cho php chy trong trnh duyt. Popup blockers c th chn ASDM khi chy.

Phn cng h tr

Windows Sun Solaris Linux

Chy ASDM

Cu hnh cisco firewall chy ASDM

s dng c ASDM ,trn cisco firewall cn c cc thng s nh sau :
Thi gian a ch IP bn interface inside v subnet mask Host name Domain name M dch v http server Cho php mt a ch my ch nh c truy nhp vo ASDM

Chy ASDM di dng: Ci ASDM ln my tnh Java applet

Chy Startup Wizard

Cu hnh khi to qua console

Giao din qun tr ca ASDM
Pre-configure Firewall now through interactive prompts [yes]? <Enter> Firewall Mode [Routed]: Enable Password [<use current password>]: cisco123 Allow password recovery [yes] ? Clock (UTC) Year [2006]: <Enter> Month [Sep]: <Enter> Day [2]: <Enter> Time [10:21:49]: <Enter> Inside IP address: 10.0.1.1 Inside network mask: 255.255.255.0 Host name: asa1 Domain name: ciscoasa.com IP address of host running Device Manager: 10.0.1.11 Use this configuration and write to flash? Y

ASDM Home Window

Menu bar Main toolbar Thng tin thit b License Trng thi VPN Trng thi d liu

ASDM Home Window (tip.)

Trng thi Interface

License tab

Ti nguyen H thng

Thng ip c log

Startup Wizard

VPN Wizard

Startup Wizard
Interfaces NAT v PAT Hostname Domain name Enable password

VPN Wizard
Site-to-Site Remote Access

Ch : chn Configuration > VPN chnh sa cc kt ni VPN

High Availability and Scalability Wizard

Configuration Interface Security Policy NAT VPN IPS CSD Manager Routing Global Objects Properties

Configuration Window

High Availability and Scalability Wizard

Active/Active Failover Active/Standby Failover VPN Cluster Load Balancing

Interfaces

Cc chnh sch bo mt (Security Policy)

IP address Static DHCP Same security level

Access Rules AAA Rules Filter Rules Service Policy Rules

Cu hnh NAT
Chnh sa cc kt ni VPN (edit
VPN)
General IKE IPsec IP Address Management Load Balancing NAC WebVPN E-Mail Proxy

VPN

Cc cu hnh NAT NAT Policy NAT NAT exemption Maximum connections NAT0

Ch : s dng Remote Access hoc Site-to-Site VPN Wizard to kt ni VPN mi.

Cu hnh nh tuyn

Global Objects

Route Tnh nh tuyn ng OSPF RIP Multicast IGMP MRoute PIM Proxy ARPs

Network Object Groups IP Names Service Groups Class Maps Inspect Maps Regular Expressions TCP Maps Time Ranges

Cc la chn trong mc Monitoring

Biu trng thi interface

Interfaces VPN IPS or Trend Micro Content Security Routing Properties Logging

Biu ny cho php theo di trng thi (byte, load,..) ca cc interface

Packet Tracer
Options Interface Source IP Source port

Options > Preferences

Destination IP Destination port

Flow lookup

Route lookup

Access list

Cc cng c
Help Command Line Interface Packet Tracer Ping Traceroute File Management Ugrade Software Upload ASDM Assistant Guide System Reload ASDM Java Console Help Topics Help for Current Screen Release Notes Getting Started VPN 3000 Migration Guide Glossary .

Phn gip (Help)

Tools

Gip trc tuyn (online Help)

Summary
ASDM l mt cng c cu hnh thit b bo mt ca cisco da trn giao din web. Gim thiu cc cu hnh cn thit c th chy ASDM. ASDM cha nhiu cng c h tr gip cu hnh thit b bo mt. ASDM c mt s wizard sn c n gin ha vic cu hnh: Startup Wizard: Hng dn tng bc ta c th cu hnh khi t o . VPN Wizard: Hng dn tng bc ta cu hnh site-to-ste VPN hoc remote access VPN. High Availability and Scalability Wizard: Hng dn tng bc cu hnh active/active failover, active/standby failover, v VPN cluster load balancing

Tng quan v FWSM

B i 6

Firewall Switch Modules (FWSM)

FWSM (Cisco Firewall Services Module) c da trn cng ngh ca Cisco PiX, v th n cho cng mc bo mt v tin cy. FWSM l slot m rng trn Cisco switch 6500, router 7600

Cc tnh nng chnh ca FWSM

Cho php Switch v Firewall trn cng mt nn tng phn cng. Da trn cng ngh ca cisco PIX. H tr ch tranparent hoc ch routed. Ln ti 100 Ng cnh an ninh (security contexts) Ln ti 256 VLANs vi mi ng cnh ln ti 1000 VLANs vi tt c ng cnh Thng lng 5-Gbps Cho php Mt triu kt ni ng thi Cho php 100,000 kt ni trong mt giy Cho php nhiu firewall trong mt thit b phn cng (ti a 4) nh tuyn ng vi RIP v1 , v2 v OSPF Cu hnh d phng
<#>

So snh tnh nng ca FWSM v PIX

<#>

M hnh kt ni

V tr t MSFC

<#>

<#>

Bt u lm quen cu hnh FWSM

Kim tra vic ci t FWSM

Trc khi cu hnh FWSM cn thc hin cc bc c bn sau : Kim tra vic ci t FWSM.
Kim tra cu hnh VLANs trn switch. Cu hnh VLANs cho FWSM .

<#>

<#>

Kim tra cu hnh VLANs trn switch

Firewall VLAN-Group

To Vlan

nh ngha mt VLAN qun tr trn MSFC. Gn mt a ch IP .

To mt nhm Vlan-group nhm cc VLAN cn kim sot

Gn cc Vlan-group cho cc firewall tng ng vi slot cm vo

<#>

Cu hnh cc Interfaces ca FWSM

Cu hnh Default Route

Cu hnh phin console ti FWSM thng s v Processor lun l 1

Default route.

<#>

<#>

Cu hnh FWSM Access-List

Khi ng li FWSM

FWSM1(config)# access-list 200 permit ip 10.1.1.0 255.255.255.0 any FWSM1(config)# access-group 200 in interface inside

Mc nh, mi d liu khng truyn qua c FWSM D liu c cho php trn mt interface, c th c php i qua cc interface khc.

Khi ng li FWSM

<#>

<#>

Summary
FWSM (Cisco Firewall Services Module) c da trn cng ngh ca Cisco PiX, v th n cho cng mc bo mt v tin cy. FWSM l slot m rng trn Cisco switch 6500, router 7600 H tr ch tranparent hoc ch routed. Cu lnh ca FWSM tng t nh cisco asa hay cisco PIX.

<#>