03 思科防火墙基本配置.ppt

,Lesson3,2005CiscoSystems,Inc.Allrightsreserved.,SNPAv4.03-1,开始思科安全设备,2005CiscoSystems,Inc.Allrightsreserved.,SNPAv4.03-2,用户接口,防火墙访问模式,思科防火墙有4个安全管理访问模式:UnprivilegedPrivilegedConfigurationMonitor,Internet,pixfirewallenablepassword:pixfirewall#,enablepriv_level,firewall,Usedtocontrolaccesstotheprivilegedmode让你可以访问到其他模式,AccessPrivilegeMode,访问配置模式:configureterminal命令,configureterminal,firewall#,Usedtostartconfigurationmodetoenterconfigurationcommandsfromaterminal,pixfirewallenablepassword:pixfirewall#configureterminalpixfirewall(config)#exitpixfirewall#exitpixfirewall,exit,firewall#,Usedtoexitfromanaccessmode,pixfirewallhelp?enableTurnonprivilegedcommandsexitExitthecurrentcommandmodeloginLoginasaparticularuserlogoutExitfromcurrentcommandmode,andtounprivilegedmodequitExitthecurrentcommandmodepixfirewallhelpenableUSAGE:enableDESCRIPTION:enableTurnonprivilegedcommands,help命令,2005CiscoSystems,Inc.Allrightsreserved.,SNPAv4.03-7,文件管理,查看和保存你的配置,Thefollowingcommandsenableyoutovieworsaveyourconfiguration:copyrunstartshowrunning-configshowstartup-configwritememorywriteterminal,Tosaveconfigurationchanges:copyrunstart,running-config,startup-config(saved),ConfigurationChanges,ClearingRunningConfiguration,firewall(config)#,clearconfigureall,Clearstherunning-configuration,fw1(config)#clearconfigall,Cleartherunningconfiguration:clearconfigall,running-config,startup-config(default),ClearingStartupConfiguration,firewall#,writeerase,Clearsthestartupconfiguration,Fw1#writeerase,Clearthestartupconfiguration:Writeerase,running-config,startup-config(default),ReloadtheConfiguration:reloadCommand,RebootsthesecurityapplianceandreloadstheconfigurationRebootscanbescheduled,fw1#reloadProceedwithreload?confirmyRebooting.,reloadnoconfirmcancelquicksave-configmax-hold-timehh:mminhh:mm|athh:mmmonthday|daymonthreasontext,firewall(config)#,FileSystem,SoftwareImageConfigurationfilePrivatedatafilePDMimageCrashinformation,Release6.andearlier,Release7.andlater,SoftwareimageConfigurationfilePrivatedataPDMimageBackupimage*Backupconfigurationfile*VirtualfirewallConfigurationfile*,*Spaceavailable,10.0.0.11,DisplayingStoredFiles:SystemandConfiguration,Displaythedirectorycontents.,firewall(config)#,10.0.0.11,PIXFirewallFlash:,ASADisk0:Disk1:,firewall#dirDirectoryofflash:/3-rw-490291213:37:33Jul272005pix-701.bin4-rw-674893213:21:13Jul282005asdm-501.bin16128000bytestotal(4472832bytesfree),dir/recursivedisk0:|disk1:|flash:,SelectingBootSystemFile,CanstoremorethanonesystemimageandconfigurationfileDesignateswhichsystemimageandstartupconfigurationfiletoboot,fw1(config)#bootsystemflash:/pix-701.bin,Bootsystem|config,firewall(config)#,firewall#dirDirectoryofflash:/3-rw-490291213:37:33Jul272005pix-701.bin4-rw-674893213:21:13Jul282005asdm-501.bin16128000bytestotal(4472832bytesfree),VerifyingtheStartupSystemImage,Displaythesystembootimage.,fw1#showbootvarBOOTvariable=flash:/pix-701.binCurrentBOOTvariable=flash:/pix-701.binCONFIG_FILEvariable=CurrentCONFIG_FILEvariable=,showbootvar,firewall(config)#,10.0.0.11,BootImageflash:/pix-701.bin,Configured,Running,2005CiscoSystems,Inc.Allrightsreserved.,SNPAv4.03-16,SecurityApplianceSecurityLevels,FunctionsoftheSecurityAppliance:SecurityAlgorithm,Implementsstatefulconnectioncontrolthroughthesecurityappliance.Allowsone-way(outbound)connectionswithaminimumnumberofconfigurationchanges.Anoutboundconnectionisaconnectionoriginatingfromahostonamore-protectedinterfaceanddestinedforahostonaless-protectednetwork.Monitorsreturnpacketstoensurethattheyarevalid.RandomizesthefirstTCPsequencenumbertominimizetheriskofattack.,SecurityLevelExample,e0,e2,e1,Internet,2005CiscoSystems,Inc.Allrightsreserved.,SNPAv4.03-19,BasicSecurityApplianceConfiguration,AssigningHostnametoSecurityAppliance:ChangingtheCLIPrompt,pixfirewall(config)#hostnameBostonBoston(config)#,hostnamenewname,pixfirewall(config)#,ChangesthehostnameinthePIXFirewallCLIprompt,Server,Boston,Server,New_York,Server,Dallas,pixfirewall(config)#hostnameBostonBoston(config)#,hostnamenewname,BasicCLICommandsforSecurityAppliances,hostnameinterfacenameifipaddresssecurity-levelspeedduplexnoshutdownnat-controlnatglobalroute,e0,e2,e1,Internet,interfacehardware_id,firewall(config)#,fw1(config)#interfaceethernet0(GigabitEthernet0/0)fw1(config-if)#,interfaceCommandandSubcommands,Specifiesaperimeterinterfaceanditsslotlocationonthefirewall,Ethernet0,Ethernet2,Ethernet1,nameifhardware_idif_name,firewall(config-if)#,fw1(config)#interfaceethernet0(GigabitEthernet0/0)fw1(config-if)#nameifoutside,AssignanInterfaceName:nameifSubcommand,AssignsanametoeachperimeterinterfaceonthePIXFirewallSecurityAppliance.,Ethernet0Interfacename=outside,Ethernet2Interfacename=dmz,Ethernet1Interfacename=inside,ipaddressip_addressnetmask,firewall(config-if)#,AssignInterfaceIPAddress:ipaddressSubcommand,AssignsanIPaddresstoeachinterface,fw1(config)#interfaceethernet0(GigabitEthernet0/0)fw1(config-if)#nameifoutsidefw1(config-if)#ipaddress192.168.1.2255.255.255.0,Ethernet0Interfacename=outsideIPaddress=192.168.1.2,DHCP-AssignedAddress,fw1(config)#interfaceethernet0(GigabitEthernet0/0)fw1(config-if)#nameifoutsidefw1(config-if)#ipaddressdhcp,firewall(config-if)#,ipaddressif_namedhcpsetrouteretryretry_cnt,EnablestheDHCPclientfeatureontheoutsideinterface,e0,Internet,DHCPAssigned,Ethernet0Interfacename=outsideIPaddress=DHCP,security-levelnumber,firewall(config-if)#,AssignaSecurityLevel:security-levelSubCommands,Assignsasecurityleveltotheinterface,fw1(config)#interfaceethernet0(GigabitEthernet0/0)fw1(config-if)#nameifoutsidefw1(config-if)#ipaddress192.168.1.2fw1(config-if)#security-level0,Ethernet0Interfacename=outsideIPaddress=192.168.1.2Securitylevel=0,speedhardware_speedduplexduplex_operation,firewall(config-if)#,AssignanInterfaceSpeedandDuplex:speedandduplexSubCommands,Enablesaninterfacespeedandduplex,fw1(config)#interfaceethernet0(GigabitEthernet0/0)fw1(config-if)#nameifoutsidefw1(config-if)#ipaddress192.168.1.2fw1(config-if)#security-level0fw1(config-if)#speed100fw1(config-if)#duplexfull,Ethernet0Speed=100Duplex=full,management-onlynomanagement-only,firewall(config-if)#,ASAManagementInterface,Tosetaninterfacetoacceptmanagementtrafficonly,fw1(config)#interfacemanagement0/0fw1(config-if)#nameifoutsidefw1(config-if)#ipaddress192.168.1.2fw1(config-if)#security-level0,Ethernet0Management=only,NetworkAddressTranslation,10.0.0.11,10.0.0.4,TranslationTable,10.0.0.11,192.168.0.20,192.168.10.11,NAT,EnableNATControl,10.0.0.11,10.0.0.4,TranslationTable,10.0.0.11,192.168.0.20,200.200.200.11,NAT,fw1(config)#nat-control,EnableordisableNATconfigurationrequirement,nat(if_name)nat_idaddressnetmaskdnstcptcp_max_connsemb_limitnorandomsequdpudp_max_conns,firewall(config)#,natCommand,EnablesIPaddresstranslation,fw1(config)#nat(inside)10.0.0.00.0.0.000,10.0.0.11,10.0.0.4,10.0.0.11,X.X.X.X,NAT,globalCommand,WorkswiththenatcommandtoassignaregisteredorpublicIPaddresstoaninternalhostwhenaccessingtheoutsidenetworkthroughthefirewall,forexample,192.168.0.20-192.168.0.254,fw1(config)#nat(inside)10.0.0.00.0.0.0fw1(config)#global(outside)1192.168.0.20-192.168.0.254,firewall(config)#,global(if_name)nat_idmapped_ip-mapped_ipnetmaskmapped_mask|interface,10.0.0.11,10.0.0.4,10.0.0.11,192.168.0.20,NAT,routeif_nameip_addressnetmaskgateway_ipmetric,firewall(config)#,ConfigureaStaticRoute:routeCommand,Definesastaticordefaultrouteforaninterface,fw1(config)#routeoutside0.0.0.00.0.0.0192.168.0.11fw1(config)#routeinside10.0.1.0255.255.255.010.0.0.1021,192.168.0.1,10.0.1.11,10.0.1.4,DefaultRoute,10.0.0.102,StaticRoute,fw1(config)#namesfw1(config)#name172.16.0.2bastionhostfw1(config)#name10.0.0.11insidehost,HostName-to-IP-AddressMapping:nameCommand,Configuresalistofname-to-IP-addressmappingsonthesecurityappliance,nameip_addressname,firewall(config)#,“bastionhost”172.16.0.2,172.16.0.0,.2,.1,10.0.0.0,.1,.11,“insidehost”10.0.0.11,ConfigurationExample,writeterminalinterfaceethernet0nameifoutsidesecurity-level0speed100duplexfullipaddress192.168.2.2255.255.255.0interfaceethernet1nameifinsidesecurity-level100speed100duplexfullipaddress10.0.1.1255.255.255.0,172.16.6.0,.1,10.0.6.0,.1,192.168.6.0,.2,10.1.6.0,.1,Ethernet0Interfacename=outsideSecuritylevel=0IPaddress=192.168.6.2,Ethernet1Interfacename=insideSecuritylevel=100IPaddress=10.0.6.1,Internet,ConfigurationExample(Cont.),interfaceethernet2nameifdmzsecurity-level50speed100duplexfullipaddress172.16.2.2255.255.255.0passwd2KFQnbNIdI.2KYOUencryptedhostnamefw1namesname172.16.6.2bastionhostname10.1.6.11insidehost,172.16.6.0,.1,10.0.6.0,.1,192.168.6.0,.2,10.1.6.0,.1,Ethernet2Interfacename=dmzSecuritylevel=50IPaddress=172.16.6.1,Internet,“insidehost”10.1.6.11,“bastionhost”172.16.6.2,ConfigurationExample(Cont.),nat-controlnat(inside)10.0.0.00.0.0.000global(outside)1192.168.6.20-192.168.6.254routeoutside0.0.0.00.0.0.0192.168.6.11routeinside10.1.6.0255.255.255.010.0.6.1021,10.0.0.0,MappedPool192.168.6.20-254,172.16.6.0,.2,.1,.102,“insidehost”10.1.6.11,“bastionhost”172.16.6.2,10.0.6.0,.1,192.168.6.0,.2,.1,10.1.6.0,.1,DefaultRoute,StaticRoute,Internet,2005CiscoSystems,Inc.Allrightsreserved.,SNPAv4.03-38,ExaminingSecurityApplianceStatus,fw1#showinterfaceInterfaceGigabitEthernet0/0outside,isup,lineprotocolisupDetected:Speed100Mbps,Full-duplexRequested:AutoMACaddress000b.fcf8.c538,MTU1500IPaddress192.168.1.2,subnetmask255.255.255.00packetsinput,0bytes,0nobufferReceived0broadcasts,0runts,0giants0inputerrors,0CRC,0frame,0overrun,0ignored,0abort0packetsoutput,0bytes,0underrunsinputqueue(curr/maxblocks):hardware(0/0)software(0/0)outputqueue(curr/maxblocks):hardware(0/0)software(0/0)Received0VLANuntaggedpackets,0bytesTransmitted0VLANuntaggedpackets,0bytesDropped0VLANuntaggedpackets,showCommands,fw1#showruninterface!interfaceEthernet0speed100duplexfullnameifoutsidesecurity-level0ipaddress192.168.2.2255.255.255.0!interfaceEthernet1speed100duplexfullnameifinsidesecurity-level100ipaddress10.0.2.1255.255.255.0,showruninterface,showinterface,fw1#showmemoryFreememory:49046552bytesUsedmemory:18062312bytes-Totalmemory:67108864bytes,showmemoryCommand,Displayssystemmemoryusageinformation,firewall#,showmemory,fw1#showcpuusageCPUutilizationfor5seconds=0%;1minute:0%;5minutes:0%,showcpuusageCommand,DisplaysCPUuse,firewall#,showcpuusage,10.0.0.11,10.0.0.4,Internet,showversionCommand,Displaysthesecurityappliancessoftwareversion,operatingtimesinceitslastreboot,processortype,Flashmemorytype,interfaceboards,serialnumber(BIOSidentification),andactivationkeyvalue.,firewall#,showversion,CiscoPIXSecurityApplianceSoftwareVersion7.0(1)CompiledonThu31-Mar-0514:37bybuildersSystemimagefileisflash:/pix-701.binConfigfileatbootwasstartup-configpixfirewallup12mins24secsHardware:PIX-515,128MBRAM,CPUPentium200MHzFlashi28F640J50 x300,16MB,fw1#showipaddressSystemIPAddresses:InterfaceNameIPaddressSubnetmaskEthernet0outside192.168.1.2255.255.255.0CONFIGEthernet1inside10.0.1.1255.255.255.0CONFIGEthernet2dmz172.16.1.1255.255.255.0CONFIGCurrentIPAddresses:InterfaceNameIPaddressSubnetmaskEthernet0outside192.168.1.2255.255.255.0CONFIGEthernet1inside10.0.1.1255.255.255.0CONFIGEthernet2dmz172.16.1.1255.255.255.0CONFIG,showipaddressCommand,172.16.6.0,.1,10.0.6.0,.1,192.168.6.0,.2,10.1.6.0,.1,Internet,fw1#showinterfaceinterfaceethernet0outsideisup,lineprotocolisupHardwareisi82559ethernet,addressis0050.54ff.653aIPaddress192.168.0.2,subnetmask255.255.255.0MTU1500bytes,BW100000Kbitfullduplex4packetsinput,282bytes,0nobufferReceived0broadcasts,0runts,0giants0inputerrors,0CRC,0frame,0overrun,0ignored,0abort20packetsoutput,1242bytes,0underruns0outputerrors,0collisions,0interfaceresets0babbles,0latecollisions,0deferred0lostcarrier,0nocarrierinputqueue(curr/maxblocks):hardware(128/128)software(0outputqueue(curr/maxblocks):hardware(0/1)software(0/1),showinterfaceCommand,shownameifCommand,fw1#shownameifInterfaceNameSecurityEthernet0outside0Ethernet1inside100Ethernet2dmz50,Ethernet0Interfacename=outsideSecuritylevel=0,Ethernet2Interfacename=dmzSecuritylevel=50,Ethernet1Interfacename=insideSecuritylevel=100,e0,e2,e1,Internet,showrunnatCommand,fw1#showrunnatnat(inside)110.0.0.0255.255.255.000,10.0.0.11,10.0.0.4,10.0.0.X,X.X.X.X,NAT,Displaysasinglehostorrangeofhoststobetranslated,firewall#,showrunnat,Internet,showrunglobalCommand,fw1#showrunglobalglobal(outside)1192.168.0.20-192.168.0.254netmask255.255.255.0,MappedPool192.168.0.20-192.168.0.254,10.0.0.11,10.0.0.4,10.0.0.X,Displaysthepoolofmappedaddresses,firewall#,showrunglobal,Internet,showxlateCommand,fw1#showxlate1inuse,1mostusedGlobal192.168.0.20Local10.0.0.11,192.168.0.20,10.0.0.11,10.0.0.4,10.0.0.11,Displaysthecontentsofthetranslationslots,firewall#,showxlate,Insidelocal,Outsidemappedpool,10.0.0.11,192.168.0.20,XlateTable,Internet,pingCommand,DetermineswhetherotherIPaddressesarevisiblefromthesecurityappliance,fw1#ping10.0.1.11Sending5,100-byteICMPEchosto10.0.1.11,timeoutis2seconds:!Successrateis100percent(5/5),round-tripmin/avg/max=10/12/20ms,pinghost,firewall#,10.0.0.11,10.0.0.4,Internet,showrouteCommand,fw1(config)#shrouteS0.0.0.00.0.0.01/0via192.168.1.1,outsideC10.0.1.0255.255.255.0isdirectlyconnected,insideC*127.0.0.0255.255.0.0isdirectlyconnected,cplaneC172.16.1.0255.255.255.0isdirectlyconnected,dmzC192.168.1.0255.255.255.0isdirectlyconnected,outside,e0,e2,e1,Internet,*ASA55X0only,WorksonlywiththeASA5500SeriesAdaptiveSecurityAppliances,2005CiscoSystems,Inc.Allrightsreserved.,SNPAv4.03-51,SettingTimeandUsingNTPSupport,clockCommand,Setsthesecurityapplianceclock,fw1#clockset21:0:0jul232003,clocksethh:mm:ssdaymonth|monthdayyear,firewall#,10.0.0.11,10.0.0.4,Wed23-Jul-0321:00,Internet,SettingDaylightSavingTimeandTimeZones,SpecifiesthatsummertimestartsonthefirstSundayinAprilat2a.m.andendsonthelastSundayinOctoberat2a.m.,fw1(config)#clocksummer-timePDTrecurring1SundayApril2:00lastSundayOctober2:00,clocksummer-timezonerecurringweekweekdaymonthhh:mmweekweekdaymonthhh:mmoffset,firewall(config)#,clocktimezonezonehoursminutes,firewall(config)#,Setstheclockdisplaytothetimezonespecified,Displayssummertimehoursduringthespecifiedsummertimedaterange,ntpCommand,SynchronizesthesecurityappliancewithanNTPserver,fw1(config)#ntpauthentication-key1234md5cisco123fw1(config)#ntptrusted-key1234fw1(config)#ntpserver10.0.0.12key1234sourceinsidepreferfw1(config)#ntpauthenticate,ntpserverip_addresskeynumbersourceif_nameprefer,firewall(config)#,10.0.0.11,10.0.0.12,NTPServer,Internet,2005CiscoSystems,Inc.Allrightsreserved.,SNPAv4.03-55,SyslogConfiguration,ConfigureSyslogOutputtoaSyslogServer,SyslogServer,SyslogMessages,Internet,LoggingOptions,ConsoleOutputtoconsoleBufferedOutputtointernalbufferMonitorOutputtoTelnetHostOutputtosyslogserverSNMPOutputtoSNMPserver,SyslogServer,Internet,LoggingOptions,Console,Telnet,InternalBuffer,SNMPServer,LoggingLevels,0Emergencies1Alerts2Critical3Errors4Warnings5Notifications6Informational7Debugging,SyslogServer,Internet,Console,Telnet,InternalBuffer,SNMPServer,LoggingLevels,ConfigureMessageOutputtoaSyslogServer,Designatethesysloghostserver.Setthelogginglevel.Enableloggingtimestamponsyslogmessages.Specifytheloggingdeviceidentifier.Enablelogging.,SyslogServer,10.0.1.11,SyslogMessages,fw1(config)#logginghostinside10.0.1.11fw1(config)#loggingtrapwarningsfw1(config)#loggingtimestampfw1(config)#loggingdevice-idpix6fw1(config)#loggingon,fw1,Internet,SyslogOutputExample,MessageIdentifier,LoggingDeviceIdentifier,LoggingDateandTimeStamp,LoggingDeviceIPAddress,LoggingLevel,CustomizeSyslogOutput,fw1(config)#loggingtrapwarningsfw1(config)#loggingmessage302013level4fw1(config)#loggingmessage302014level4,lo