Security Training - Cisco Firewall

Schedule: 5 days; mornings 9:00-11:30, afternoons 14:00-16:30.

Content and objectives by day:

Day 1
  Lesson 1: Getting started and an overview of Cisco firewalls
  Lesson 2: Getting started with and configuring the Cisco ASA security appliance
Day 2
  Lesson 2 (continued): Configuring the Cisco security appliance
  Lesson 3: Managing the security appliance
  Lesson 4: Access Control Lists
Day 3
  Lesson 5: Cisco Adaptive Security Device Manager
  Lesson 6: Firewall Switch Modules (FWSM)

A second outline slide lists:
  Lesson 4: Configuring NAT and routing
  Lesson 5: Testing connectivity to the Inside, Outside and DMZ interfaces
  Lesson 6: Configuring access-lists (ACLs) on the firewall
  Lesson 7: Administering the Cisco firewall
Introduction

Presenter: 1. Full name 2. Position 3. Experience
What is a firewall?
A firewall is a system, or a group of systems, that controls access between two or more network zones.
Figure: two firewall types, packet filtering and proxy server. Host A on the Internet sends data toward DMZ Server B and Inside Server C; the firewall passes A to B ("AB - Yes") and blocks A to C ("AC - No"), with the Outside network and the Inside network on either side of it.
Cisco security appliances

Cisco's security appliances provide security solutions aimed at its customers. Some features of the Cisco security appliances are:
- A dedicated operating system
- Stateful packet inspection
- User authentication
- Application and protocol tracking and inspection
- Modular policy framework
- Virtual private networks (VPN)
- Security contexts (virtual firewalls)
- Stateful failover
- Transparent firewalls
- Web-based management

Figure: Host A sends HTTP data through the firewall to Inside Server C.

Access control is based not only on the source and destination addresses of the incoming packet, but also on a state table.

State Table

  Source address   Destination address   Source port   Destination port   Initial sequence no.   Ack   Flag
  192.168.0.20     172.16.0.50           1026          80                 49769                        Syn
  10.0.0.11        172.16.0.50           1026          80                 49091                        Syn
Using a dedicated operating system removes the security risks that come with sharing a general-purpose operating system.
The stateful packet inspection algorithm provides secure connections. By default it permits connections from hosts in the inside zone (higher security level) to zones with a lower security level, and blocks connections from hosts in outside zones (lower security level) to zones with a higher security level. The algorithm also supports authentication, authorization and tracking of connections.
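As an added illustration (not from the slides), the following Python model combines the default security-level policy with the state table shown above. The interface levels and the first state-table row are the slides' own; that 192.168.0.20 sits on the inside interface and 172.16.0.50 in the DMZ, the packet sequence, and the outside host 203.0.113.7 are assumptions.

```python
# Added example (not from the slides): a minimal model of the ASA default
# policy ("a higher security level may open connections to a lower one, not
# the reverse") plus the state table that lets replies back through.
# Interface levels and the first state-table row come from the slides; the
# packet sequence and the outside address 203.0.113.7 are constructed.
from dataclasses import dataclass

SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}   # from the slides


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flag: str        # "SYN", "SYN-ACK", "ACK"
    in_iface: str    # interface the packet arrives on
    out_iface: str   # interface it would leave on


class StatefulFirewall:
    def __init__(self):
        # state table rows: (src, dst, sport, dport) -> initial sequence number
        self.state_table = {}

    def process(self, p):
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)   # a reply swaps both ends
        if fwd in self.state_table or rev in self.state_table:
            return "permit: existing connection"
        if p.flag != "SYN":
            return "deny: no state for this packet"
        # New connection: only allowed from a higher to a lower security level
        # unless an access-list says otherwise (ACLs are not modelled here).
        if SECURITY_LEVELS[p.in_iface] > SECURITY_LEVELS[p.out_iface]:
            self.state_table[fwd] = p.seq
            return "permit: new connection, state created"
        return "deny: lower -> higher security level without an ACL"


def run_demo():
    """Constructed flow: the inside host opens HTTP to the DMZ server, the
    server replies, then an outside host tries to reach the DMZ server."""
    fw = StatefulFirewall()
    packets = [
        Packet("192.168.0.20", "172.16.0.50", 1026, 80, 49769, "SYN", "inside", "dmz"),
        Packet("172.16.0.50", "192.168.0.20", 80, 1026, 90001, "SYN-ACK", "dmz", "inside"),
        Packet("192.168.0.20", "172.16.0.50", 1026, 80, 49770, "ACK", "inside", "dmz"),
        Packet("203.0.113.7", "172.16.0.50", 40000, 80, 1, "SYN", "outside", "dmz"),
        Packet("203.0.113.7", "172.16.0.50", 40001, 80, 2, "ACK", "outside", "dmz"),
    ]
    return [fw.process(p) for p in packets], fw.state_table


if __name__ == "__main__":
    decisions, table = run_demo()
    for d in decisions:
        print(d)
    print("state table:", table)
```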
Modular Policy Framework

Some protocols, such as FTP, HTTP, H.323 and SQL*Net, need connections on several different ports to carry data through the firewall. The security appliance tracks this connection setup, and the ports the connection needs are opened safely for each application.

Figure: modular policy flow. A class map selects a traffic flow (default, Internet, systems engineers, executives, site to site); a policy map applies services to it (inspect, IPS, police, priority); a service policy attaches the policy map to an interface or globally (here: global, outside). The topology shows headquarters behind a T1 with site-to-site links to Site B and Site C, and application data on port 2010 being admitted ("Port 2010 OK").
Security contexts

Four physical firewalls can be replaced by one physical firewall running four virtual firewalls (security contexts).

Figure: four physical firewalls versus one physical firewall with four contexts, each reaching the Internet; a transparent-firewall context is shown with the address 192.168.1.5.
Failover

Failover ensures that network connectivity continues when a device fails. Active/standby: one device is active and the other stands by. Active/active: both devices are active, sharing the load and backing each other up. Stateful failover: connection state is preserved when the active device fails.
Transparent firewall

The security appliance can be deployed as a layer 2 device: it provides security from layer 2 up to layer 7 while operating as a layer 2 device.
ASA 5520 hardware

Cisco Systems, Inc., 27-Mar-07

Figure: ASA 5520 chassis callouts and their functions: flash memory, VPN, SSM modules, fixed interfaces (4 x 10/100/1000 Gigabit Ethernet ports and 2 x USB 2.0 ports; *the ASA 5510 supports 10/100 ports), the AUX port, power and status LEDs, RJ-45 ports and SFP ports.
Summary

- A firewall is a device that controls access from one network zone to another.
- A stateful firewall is the most effective type.
- Cisco's security appliances include the PIX and the ASA.
- The ASA 5510 and 5520 security appliances are aimed at the small and medium business market.
- The appliance's functions can be extended with SSMs.
Access modes

User interface

Privileged mode prompt: ciscoasa#

    exit

The exit command leaves the current mode and returns to the previous one (for example back to ciscoasa>).

    enable [priv_level]

This command enters privileged mode:

    ciscoasa> enable
    password:
    ciscoasa#

Moving between modes:

    ciscoasa> enable
    password:
    ciscoasa# configure terminal
    ciscoasa(config)# exit
    ciscoasa# exit
    ciscoasa>

The help command

    ciscoasa> ?
    enable   Turn on privileged commands
    exit     Exit the current command mode
    login    Log in as a particular user
    logout   Exit from current user profile to unprivileged mode
    perfmon  Change or view performance monitoring options
    ping     Test connectivity from specified interface to an IP address
    quit     Exit the current command mode
Viewing and saving the configuration

Two configurations are kept: the startup-config and the running-config (the default).

    ciscoasa(config)#
    reload [at hh:mm [month day | day month]] [cancel] [in [hh:]mm] [max-hold-time [hh:]mm] [noconfirm] [quick] [reason text] [save-config]

On restart, the appliance automatically copies the startup-config into the running-config and runs it.

    ciscoasa# write erase

Erases the startup configuration.

File system (Release 7.0 and later)

The flash file system holds the software image, the configuration file, private data, the ASDM image, a backup image* and a backup configuration file*. The PIX names its flash file system flash:, the ASA shows disk0:.

    ciscoasa# dir
    Directory of disk0:/
    8      -rw-  8202240    13:37:33 Jul 28 2006  asa721-k8.bin
    1264   -rw-  5539756    13:21:13 Jul 28 2006  asdm-521.bin

    62947328 bytes total (49152000 bytes free)
Security levels

  Interface             Interface name   Security level
  GigabitEthernet0/0    outside          0
  GigabitEthernet0/1    inside           100
  GigabitEthernet0/2    DMZ              50

Figure: the Outside zone toward the Internet on g0/0, the Inside zone on g0/1 and the DMZ zone on g0/2, all around the firewall.

Checking the status of the security appliance
The show commands

    show run interface

    asa1# show run interface
    . . .
    interface GigabitEthernet0/0
     speed 1000
     duplex full
     nameif outside
     security-level 0
     ip address 192.168.1.2 255.255.255.0
    !
    interface GigabitEthernet0/1
     speed 1000
     duplex full
     nameif inside
     security-level 100
     ip address 10.0.1.1 255.255.255.0
    . . .

    show memory

    asa1# show memory
    Free memory:       468962336 bytes (87%)
    Used memory:        67908576 bytes (13%)
    -------------     ----------------
    Total memory:      536870912 bytes (100%)

    show interface

    asa1# show interface
    Interface GigabitEthernet0/0 "outside", is up, line protocol is up
      Detected: Speed 1000 Mbps, Full-duplex
      Requested: Auto
      MAC address 000b.fcf8.c538, MTU 1500
      IP address 192.168.1.2, subnet mask 255.255.255.0
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 packets output, 0 bytes, 0 underruns
      input queue (curr/max blocks): hardware (0/0) software (0/0)
      output queue (curr/max blocks): hardware (0/0) software (0/0)
      Received 0 VLAN untagged packets, 0 bytes
      Transmitted 0 VLAN untagged packets, 0 bytes
      Dropped 0 VLAN untagged packets
    show version (excerpt)

    Compiled on Wed 31-May-06 14:45 by root
    System image file is "disk0:/asa721-k8.bin"
    Config file at boot was "startup-config"
    ciscoasa up 2 mins 51 secs

    show cpu usage

    asa1# show cpu usage
    CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

    show ip address

    asa1# show ip address
    System IP Addresses:
    Interface
    GigabitEthernet0/0
    GigabitEthernet0/1
    GigabitEthernet0/2
    Current IP Addresses:
    Interface
    GigabitEthernet0/0
    GigabitEthernet0/1
    GigabitEthernet0/2

(The address columns of the show ip address output were not captured on the slide.)

Figure: the lab topology: outside network 192.168.1.0 (firewall .2, router .1) toward the Internet; inside network 10.0.1.0 (firewall .1, hosts 10.0.1.4 and 10.0.1.11); DMZ network 172.16.1.0 (firewall .1); and a second inside network 10.1.1.0 behind the inside network.
NAT

Figure: the inside local address 10.0.1.11 is translated to the address 192.168.1.20 from the outside mapped pool; the xlate table records the pair. Host 10.0.1.4 is also on the inside network.

    ciscoasa# show xlate

Displays the contents of the translation slots.

    asa1# show xlate
    1 in use, 1 most used
    Global 192.168.1.20 Local 10.0.1.11
The ping command

    ciscoasa#
    ping [if_name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]

Checks whether a host exists (is reachable) on the network.

    asa1# ping 10.0.1.11
    Sending 5, 100-byte ICMP Echos to 10.0.1.11, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

The show route command lists the routing table:

    asa1(config)# show route
    S    0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
    C    10.0.1.0 255.255.255.0 is directly connected, inside
    C*   127.0.0.0 255.255.0.0 is directly connected, cplane
    C    172.16.1.0 255.255.255.0 is directly connected, dmz
    C    192.168.1.0 255.255.255.0 is directly connected, outside
The traceroute command

    ciscoasa#
    traceroute {destination_ip | hostname} [source source_ip | source-interface] [numeric] [timeout timeout_value] [probe probe_num] [ttl min_ttl max_ttl] [port port_value] [use-icmp]

Shows the path a packet takes to its destination (the figure traces to example.com on the Internet).

    asa1# traceroute 172.26.26.20

Basic configuration of the Cisco firewall
Changing the hostname

The basic configuration commands are: hostname, interface, nameif, ip address, security-level, speed, duplex, no shutdown, nat-control, nat, global and route.

    ciscoasa(config)#
    hostname newname

Changes the hostname from the command line (the figure names the New York firewall asa1).
Interface commands

Figure: GigabitEthernet0/0 (g0/0) is named outside, GigabitEthernet0/1 (g0/1) is named inside, and GigabitEthernet0/2 (g0/2) connects the DMZ.

    ciscoasa(config)# interface GigabitEthernet0/0

Enters the configuration mode of that interface.

    ciscoasa(config-if)# nameif if_name

Assigns the interface its name.
Obtaining a dynamic IP address (DHCP)

    ciscoasa(config-if)# ip address dhcp

GigabitEthernet0/0 (interface name = outside) obtains its IP address from DHCP.

Assigning a static IP address:

    asa1(config)# interface GigabitEthernet0/0
    asa1(config-if)# nameif outside
    asa1(config-if)# ip address 192.168.1.2 255.255.255.0

GigabitEthernet0/0: interface name = outside, IP address = 192.168.1.2, security level = 0.
    ciscoasa(config-if)# security-level number

Assigns the security level to the interface (in the figure, GigabitEthernet0/1 = inside, security level 100, on the Inside network).

    asa1(config)# interface GigabitEthernet0/0
    asa1(config-if)# nameif outside
    asa1(config-if)# ip address 192.168.1.2 255.255.255.0
    asa1(config-if)# security-level 0

    ciscoasa(config-if)# speed {10 | 100 | 1000 | auto | nonegotiate}
    ciscoasa(config-if)# duplex {auto | full | half}

Sets the speed and duplex of the interface:

    asa1(config)# interface GigabitEthernet0/0
    asa1(config-if)# nameif outside
    asa1(config-if)# ip address 192.168.1.2 255.255.255.0
    asa1(config-if)# security-level 0
    asa1(config-if)# speed 1000
    asa1(config-if)# duplex full

    ciscoasa(config-if)# management-only

Configures the interface to accept management traffic only.

    ciscoasa(config-if)# no management-only

Turns off management-only mode (for the ASA 5520, 5540 and 5550):

    asa1(config)# interface management0/0
    asa1(config-if)# no management-only
    ciscoasa(config-if)# shutdown

The shutdown command disables the interface; no shutdown enables it:

    asa1(config)# interface GigabitEthernet0/0
    asa1(config-if)# no shutdown

Address translation table

Figure: inside hosts 192.168.0.20, 10.0.0.11 and 10.0.0.4 are translated by NAT on their way to the Internet.
The nat command

Figure: inside addresses (10.0.0.11, 10.0.1.11) are translated to outside addresses (200.200.200.11, X.X.X.X) in the translation table on the way to the Internet; hosts 10.0.0.4 and 10.0.1.4 are on the inside.

    ciscoasa(config)#
    asa1(config)# nat-control

The global command

Figure: inside local address 10.0.1.11 is mapped to the global address 192.168.1.20 from the outside pool; hosts 10.0.1.4 and 10.1.1.4 are on the inside networks.
Sample configuration

Figure: inside network 10.0.1.0 (firewall .1, insidehost 10.0.1.11), a second inside network 10.1.1.0 reached through the router at 10.0.1.102, DMZ network 172.16.1.0 (firewall .1, bastionhost .2) and outside network 192.168.1.0 (firewall .2, default gateway .1). GigabitEthernet0/1: interface name = inside, security level = 100, IP address = 10.0.1.1.

    asa1(config)# names
    asa1(config)# name 172.16.1.2 bastionhost
    asa1(config)# name 10.0.1.11 insidehost

    asa1(config)# write terminal
    . . .
    interface GigabitEthernet0/0
     speed 1000
     duplex full
     nameif outside
     security-level 0
     ip address 192.168.1.2 255.255.255.0
    interface GigabitEthernet0/1
     speed 1000
     duplex full
     nameif inside
     security-level 100
     ip address 10.0.1.1 255.255.255.0
    . . .

Sample configuration (continued)

GigabitEthernet0/2: interface name = dmz, security level = 50, IP address = 172.16.1.1; bastionhost 172.16.1.2.

    interface GigabitEthernet0/2
     nameif dmz
     security-level 50
     speed 1000
     duplex full
     ip address 172.16.1.1 255.255.255.0
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname asa1
    names
    name 172.16.1.2 bastionhost
    name 10.1.1.11 insidehost

Sample configuration (continued): NAT, default route and static route

Figure: the default route points to 192.168.1.1 on the outside; the static route to 10.1.1.0 (insidehost 10.1.1.11) points to 10.0.1.102 on the inside.

    nat-control
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    global (outside) 1 192.168.1.20-192.168.1.254
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    route inside 10.1.1.0 255.255.255.0 10.0.1.102 1
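Added example, not from the slides: a Python model of the nat (inside) 1 / global (outside) 1 pair in the sample configuration above, producing the translation slots that show xlate lists. It assumes the pool is handed out lowest address first; insidehost 10.0.1.11 and the pool are the slides' own, while the second host 10.0.1.12 and the one-address pool used to show exhaustion are constructed.

```python
# Added example (not from the slides): a model of the dynamic NAT pair
# "nat (inside) 1 0.0.0.0 0.0.0.0" + "global (outside) 1
# 192.168.1.20-192.168.1.254" from the sample configuration, producing the
# slots that "show xlate" lists. The pool and insidehost 10.0.1.11 come from
# the slides; lowest-address-first allocation, host 10.0.1.12 and the tiny
# pool used to show exhaustion are assumptions/constructed.
import ipaddress


class DynamicNat:
    """One nat/global pair: inside hosts matching inside_net are mapped to
    the next free address of the outside pool, lowest address first."""

    def __init__(self, inside_net, pool_first, pool_last):
        self.inside_net = ipaddress.ip_network(inside_net)
        first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
        self.free = [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]
        self.xlate = {}          # local address -> global (mapped) address
        self.most_used = 0

    def translate(self, local):
        local = ipaddress.ip_address(local)
        if local not in self.inside_net:
            return None          # matches no nat rule: with nat-control it is not passed
        if local in self.xlate:
            return str(self.xlate[local])     # reuse the existing slot
        if not self.free:
            return None          # pool exhausted: new hosts cannot be translated
        mapped = self.free.pop(0)
        self.xlate[local] = mapped
        self.most_used = max(self.most_used, len(self.xlate))
        return str(mapped)

    def clear_xlate(self, local):
        """Clear one host's slot: its global address returns to the pool."""
        mapped = self.xlate.pop(ipaddress.ip_address(local), None)
        if mapped is not None:
            self.free.append(mapped)
            self.free.sort()

    def show_xlate(self):
        lines = [f"{len(self.xlate)} in use, {self.most_used} most used"]
        lines += [f"Global {g} Local {l}" for l, g in self.xlate.items()]
        return "\n".join(lines)


def run_demo():
    nat = DynamicNat("0.0.0.0/0", "192.168.1.20", "192.168.1.254")   # slide config
    first = nat.translate("10.0.1.11")      # insidehost gets 192.168.1.20
    again = nat.translate("10.0.1.11")      # same slot reused
    second = nat.translate("10.0.1.12")     # next host, next pool address
    tiny = DynamicNat("10.0.1.0/24", "198.51.100.1", "198.51.100.1")   # constructed
    tiny.translate("10.0.1.11")
    exhausted = tiny.translate("10.0.1.12")  # None: the one-address pool is full
    return first, again, second, exhausted, nat.show_xlate()


if __name__ == "__main__":
    print(run_demo()[-1])
```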
Summary

- The Cisco ASA security appliance has four main administrative modes: unprivileged, privileged, configuration and monitor.
- Two memory areas hold configuration: the running configuration and the startup configuration.
- The show running-config command displays the configuration held in RAM.
- Use copy run start or write memory to save the configuration.
- An interface with a higher security level can reach an interface with a lower security level, but not the reverse, unless an access-list permits it.
- The show commands display the appliance's management parameters.
- The basic commands for configuring a Cisco firewall are interface, nat, global and route.
- The nat and global commands work together to translate IP addresses.
Lesson 3

Configuring remote management access

Configuring Telnet

Figure: a Telnet session from the inside host 10.0.0.11.

    asa1(config)# telnet 10.0.0.11 255.255.255.255 inside
    asa1(config)# telnet timeout 15
    asa1(config)# passwd telnetpass

    ciscoasa# who [local_ip]

Shows which users have Telnet sessions to the appliance.

    ciscoasa# kill telnet_id

Terminates a Telnet session.

Configuring SSH

    ciscoasa(config)#
    crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]

Generates a new RSA key pair.

    ciscoasa(config)# domain-name name

Configures the domain name.

    ciscoasa(config)# write memory

Saves the configuration.

Sample configuration (SSH from the outside host 172.26.26.50; the figure shows the client logging in with username pix and the Telnet password, here telnetpassword):

    asa1(config)# crypto key zeroize rsa
    asa1(config)# write memory
    asa1(config)# domain-name cisco.com
    asa1(config)# crypto key generate rsa modulus 1024
    asa1(config)# write memory
    asa1(config)# ssh 172.26.26.50 255.255.255.255 outside
    asa1(config)# ssh timeout 30
Managing software, configuration and licenses

Viewing the directory structure

Copying files

Figure: the appliance copies files (configuration, software image) to and from the FTP/TFTP server 10.0.0.3, administered from the host 10.0.0.11.

    ciscoasa# copy

    ciscoasa# show version

Displays the software version, hardware configuration, license key and the time the appliance has been running.

    asa1# show version
    Cisco Adaptive Security Appliance Software Version 7.2(1)
    Device Manager Version 5.2(1)
    Compiled on Wed 31-May-06 14:45 by root
    System image file is disk0:/asa721-k8.bin
    Config file at boot was startup-config
    asa1 up 17 hours 40 mins
    . . .

Upgrading the software version

Figure: the new image is loaded from the TFTP server 10.0.0.3.

Summary

- SSH provides a secure remote management connection.
- TFTP is used to upgrade the Cisco firewall's image.
- Telnet can be configured on all interfaces of the Cisco firewall.
Lesson 4

An ACL on an interface blocks or permits packets arriving at or leaving that interface. An ACL only needs to describe the application's initiating packet; the return direction does not need to be in the ACL.

If no ACL is configured on an interface:
- by default, packets from inside to outside are passed (outbound);
- by default, packets from outside to inside are blocked (inbound).

Figure: the public Web server 172.16.1.2 in the DMZ; the inbound connection from the Internet is blocked (X); outside network 192.168.1.0 (firewall .2, router .1); inside network 10.0.1.0.

With no ACL, inbound traffic is blocked by default. To allow inbound traffic:
1. Configure static NAT for the Web server.
2. Configure an inbound ACL.
3. Apply the ACL to the Outside interface.

    asa1(config)# static (DMZ,outside) 192.168.1.9 172.16.1.2 0 0

Maps the internal address 172.16.1.2 to the public address 192.168.1.9.
Command: access-list

Allows inbound HTTP from the Internet.

    ciscoasa(config)#
    access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id} {host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]

Command: access-group

Applies the ACL to an interface.

Figure: the public Web server 172.16.1.2 in the DMZ, reached from the Internet through the outside network 192.168.1.0 (firewall .2, router .1); inside network 10.0.1.0.
Figure: ACLOUT is applied on the outside interface (network 192.168.1.0) and ACLIN on the inside; the Internet client 192.168.6.10 reaches the server's public address 192.168.1.9.
    asa1(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list ACLOUT; 4 elements
    access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=4) 0x984ebd70
    access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=1) 0x53490ecd
    access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=8) 0x83af39ca
    access-list ACLOUT line 4 extended deny ip any any (hitcnt=4) 0x2ca30385
    access-list ICMPDMZ; 1 elements
    access-list ICMPDMZ line 1 extended permit icmp host bastionhost any echo-reply

Clearing the hit counters:

    asa1(config)# clear access-list ACLOUT counters
    asa1(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list ACLOUT; 4 elements
    access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=0) 0x984ebd70
    access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=0) 0x53490ecd
    access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=0) 0x83af39ca
    access-list ACLOUT line 4 extended deny ip any any (hitcnt=0) 0x2ca30385
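Added example, not from the slides: a Python first-match evaluator for the ACLOUT entries in the output above, keeping a hitcnt per line, supporting the counter clear, and applying the implicit deny that ends every ASA ACL. The four entries are the slides' own; the test packets and the address 203.0.113.7 are constructed.

```python
# Added example (not from the slides): first-match evaluation of the ACLOUT
# list from the "show access-list" output above, keeping a hitcnt per line
# and applying the implicit deny that ends every ASA ACL. The four entries
# are the slides' own; the test packets and 203.0.113.7 are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORTS = {"www": 80, "ftp": 21}
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None = any destination port
    hitcnt: int = 0

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto) and src in self.src
                and dst in self.dst and self.dport in (None, dport))

def parse_ace(text):
    """Parse e.g. 'permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www'."""
    tok = text.split()
    def addr(i):                 # -> (network, number of tokens consumed)
        if tok[i] == "any":
            return ANY, 1
        if tok[i] == "host":
            return ipaddress.ip_network(tok[i + 1]), 2
        return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), 2
    src, n = addr(2)
    dst, m = addr(2 + n)
    rest = tok[2 + n + m:]
    dport = PORTS[rest[1]] if rest[:1] == ["eq"] else None
    return Ace(tok[0], tok[1], src, dst, dport)

class AccessList:
    def __init__(self, entries):
        self.aces = [parse_ace(e) for e in entries]

    def evaluate(self, proto, src, dst, dport=None):
        # (action, line) of the first match; line len+1 is the implicit deny
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for line, ace in enumerate(self.aces, start=1):
            if ace.matches(proto, s, d, dport):
                ace.hitcnt += 1
                return ace.action, line
        return "deny", len(self.aces) + 1

    def hitcnts(self):           # the (hitcnt=N) values of show access-list
        return [a.hitcnt for a in self.aces]

    def clear_counters(self):    # clear access-list ACLOUT counters
        for a in self.aces:
            a.hitcnt = 0

ACLOUT = AccessList([
    "permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www",
    "permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp",
    "permit tcp any host 192.168.1.9 eq www",
    "deny ip any any",
])
```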
ACL logging

Figure: log messages for matching packets are sent to a syslog server.

The log option of the access-list command, [log [[level] [interval secs] | disable | default]], records packets that match the entry. Example:

    asa1(config)# access-list OUTSIDE-ACL permit icmp any host 192.168.1.11 log 7 interval 600

Logs the ICMP packets to 192.168.1.11 at syslog level 7, summarised every 600 seconds.
Figure: inbound HTTP from the Internet to 192.168.1.9, the public address of the DMZ Web server; outside network 192.168.1.0 (router .1, firewall .2); inside network 10.0.1.0.

    asa1(config)# static (DMZ,outside) 192.168.1.9 172.16.1.2 0 0
    asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq www
    asa1(config)# access-group ACLOUT in interface outside

Allows outside users to reach the Web page on the DMZ server.

Command: icmp

    ciscoasa(config)#
    icmp {permit | deny} {host sip | sip smask | any} [icmp-type] if_name

Permits or denies ping to the interface itself.
Summary

- ACLs let the appliance decide which connections are allowed through.
- With ICMP ACLs, the appliance can be kept from being discovered.
What is ASDM?

ASDM overview

ASDM is a web-based tool for configuring and managing Cisco security appliances.

- Cross-platform; runs on the Java virtual machine.
- Uses SSL to secure the connection.
- Preloaded in flash memory on Cisco ASA and Cisco PIX version 7.2 and later.
- ASDM sessions: 5 ASDM sessions per appliance in single mode; 32 sessions in multiple mode.
- Runs on the PIX 515E, 525 and 535* security appliances.
- Runs on the Cisco ASA 5505, 5510, 5520, 5540 and 5550.

Web browser requirements for ASDM. For a browser to run ASDM, it needs:
- JavaScript and Java enabled in the browser.
- SSL enabled in the browser.
- Popup blockers may prevent ASDM from running.
Supported hardware

Running ASDM

Home window: License tab, system resources, logged messages.

Startup Wizard: interfaces, NAT and PAT, hostname, domain name, enable password.

VPN Wizard: site-to-site and remote access VPNs.

Configuration window:
- Interfaces
- NAT: NAT policy, NAT exemption, maximum connections, NAT0
- Routing: static routes; dynamic routing (OSPF, RIP); multicast (IGMP, MRoute, PIM); proxy ARPs
- VPN (editing VPN connections): General, IKE, IPsec, IP address management, load balancing, NAC, WebVPN, e-mail proxy
- Global Objects: network object groups, IP names, service groups, class maps, inspect maps, regular expressions, TCP maps, time ranges
- IPS or Trend Micro Content Security
- Properties
- Logging

Packet Tracer: options (interface, source IP, source port), then flow lookup, route lookup and access-list lookup.

Tools: Command Line Interface, Packet Tracer, Ping, Traceroute, File Management, Upgrade Software, Upload ASDM Assistant Guide, System Reload, ASDM Java Console.

Help: Help Topics, Help for Current Screen, Release Notes, Getting Started, VPN 3000 Migration Guide, Glossary.
Summary

- ASDM is a web-based tool for configuring Cisco security appliances.
- Only minimal configuration is needed before ASDM can run.
- ASDM contains many tools that help configure the security appliance.
- ASDM has several built-in wizards that simplify configuration:
  - Startup Wizard: step-by-step initial configuration.
  - VPN Wizard: step-by-step configuration of a site-to-site or remote access VPN.
  - High Availability and Scalability Wizard: step-by-step configuration of active/active failover, active/standby failover and VPN cluster load balancing.
Lesson 6

The FWSM (Cisco Firewall Services Module) is based on Cisco PIX technology and therefore offers the same level of security and reliability. The FWSM is a module for an expansion slot in the Cisco 6500 switch and 7600 router.

Connection model

Placement of the MSFC

Before configuring the FWSM, carry out these basic steps:
1. Verify the FWSM installation.
2. Check the VLAN configuration on the switch.
3. Configure VLANs for the FWSM (create the VLANs and the firewall vlan-group).
4. Configure the default route.
5. Restart the FWSM.

    FWSM1(config)# access-list 200 permit ip 10.1.1.0 255.255.255.0 any
    FWSM1(config)# access-group 200 in interface inside

By default, no traffic passes through the FWSM. Traffic permitted on one interface may then pass to the other interfaces.

Summary

- The FWSM (Cisco Firewall Services Module) is based on Cisco PIX technology and therefore offers the same level of security and reliability.
- The FWSM is a module for an expansion slot in the Cisco 6500 switch and 7600 router.
- It supports transparent or routed mode.
- FWSM commands are similar to those of the Cisco ASA and Cisco PIX.