security - cisco firewall training. course flow, contents, objectives, schedule: over 5 days...
Post on 11-Jan-2016
Security - Cisco Firewall Training
Course Flow
Contents
Objectives
Schedule: over 5 days
Morning: 9:00-11:30
Afternoon: 14:00-16:30
AM (8:30-11:30): Theory
PM (14:00-17:00): Hands-on Lab
Day 1
- Theory: Lesson 1: Cisco Security Appliances Overview; Lesson 2: Getting Started with Cisco Security Appliances
- Lab: Lesson 1: Console connection setting; Lesson 2: Execute general commands; Lesson 3: Configure Security Appliance Interfaces
Day 2
- Theory: Lesson 2: Getting Started with Cisco Security Appliances (continued); Lesson 3: Managing the Security Appliance; Lesson 4: Access Control Lists
- Lab: Lesson 4: Configure NAT and Routing; Lesson 5: Test the Inside, Outside, and DMZ Interface Connectivity; Lesson 6: Configure ACLs on the Security Appliance
Day 3
- Theory: Lesson 5: Cisco Adaptive Security Device Manager; Lesson 6: Firewall Switch Modules (FWSM)
- Lab: Lesson 7: Managing the Security Appliance
Introduction
Trainer Introduction
1. Name:
2. Position:
3. Experience:
Trainee Introduction
1. Name:
2. Position:
3. Security and network knowledge and experience...
Lesson 1: Cisco Security Appliances Overview
What Is a Firewall?
[Figure: outside network, DMZ network and inside network connected through the firewall, with the outside network attached to the Internet]
A firewall is a system or group of systems that manages access between two or more networks.
Firewall Technologies
Firewall operations are based on one of three technologies:
- Packet filtering
- Proxy server
- Stateful packet filtering
Packet Filtering
[Figure: Host A on the Internet sends data to DMZ server B (A to B: yes) and to inside server C (A to C: no)]
Limits information that is allowed into a network based on the destination and source address
Proxy Server
[Figure: proxy server placed between the outside network (Internet) and the inside network]
Requests connections on behalf of a client
Stateful Packet Filtering
[Figure: Host A on the Internet, DMZ server B and inside server C; an HTTP data packet from A to B is checked against the state table]
State table columns: source address, destination address, source port, destination port, initial sequence no., flag, ack
State table entries as shown on the slide:
- 172.16.0.50, 10.0.0.11, 1026, 80, 49091, Syn
- 172.16.0.50, 192.168.0.20, 1026, 80, 49769, Syn
Limits information that is allowed into a network based not only on the destination and source addresses, but also on the packet's state table content
Security Appliances: What Are They?
Cisco security appliances deliver enterprise-class security for small-to-medium-sized business and enterprise networks in a modular, purpose-built appliance. Some features of Cisco security appliances are:
- Proprietary operating system
- Stateful packet inspection
- User-based authentication
- Protocol and application inspection
- Modular policy framework
- Virtual private networking
- Security contexts (virtual firewalls)
- Stateful failover capabilities
- Transparent firewalls
- Web-based management solutions
Proprietary Operating System
Eliminates the risks associated with general-purpose operating systems
Stateful Packet Inspection
The stateful packet inspection algorithm provides stateful connection security.
- It tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags.
- It randomizes the initial TCP sequence number of each new connection.
By default, the stateful packet inspection algorithm allows connections originating from hosts on inside (higher security level) interfaces.
By default, the stateful packet inspection algorithm drops connection attempts originating from hosts on outside (lower security level) interfaces.
The stateful packet inspection algorithm supports authentication, authorization, and accounting.
Application-Aware Inspection
[Figure: FTP client (control port 2008, data port 2010) and FTP server (control port 21, data port 20); the client announces data port 2010 on the control connection, the appliance inspects it ("Port 2010 OK") and opens the negotiated data connection]
Protocols such as FTP, HTTP, H.323, and SQL*Net need to negotiate connections to dynamically assigned source or destination ports through the firewall.
The security appliance inspects packets above the network layer.
The security appliance securely opens and closes negotiated ports for legitimate client-server connections through the firewall.
Modular Policy
[Figure: headquarters with a system engineer, site B with executives and site C, connected over T1 and site-to-site VPN links across the Internet]
Class map (traffic flow): default Internet, systems engineer, executives, site to site
Policy map (services): inspect, IPS, police, priority
Service policy: applied to an interface (for example, outside) or globally
Virtual Private Network
[Figure: bank headquarters connected to other bank sites with site-to-site VPN and to remote users with remote-access VPN (IPsec VPN and SSL VPN) across the Internet]
Security Context (Virtual Firewall)
[Figure: four physical firewalls compared with one physical firewall hosting four virtual firewalls, each connected to the Internet]
Ability to create multiple security contexts (virtual firewalls) within a single security appliance
Failover Capabilities: Active/Standby, Active/Active, and Stateful Failover
[Figure: Active/Standby: primary (failed) and secondary (active) firewall; Active/Active: primary (failed/standby) and secondary (active/active) carrying the contexts; both connected to the Internet]
Failover protects the network if the primary security appliance goes offline.
- Active/standby: Only one unit can be actively processing traffic; the other is a hot standby.
- Active/active: Both units can process traffic and serve as backup units.
Stateful failover maintains the operating state during failover.
Transparent Firewall
[Figure: hosts 192.168.1.2 and 192.168.1.5 on the same subnet on either side of the appliance, which bridges toward the Internet]
Has the ability to deploy a security appliance in a secure bridging mode
Provides rich Layer 2 through 7 security services as a Layer 2 device
Web-Based Management Solutions
Adaptive Security Device Manager
Models and Features of Cisco Security Appliances
ASA 5500 Series
[Figure: price and functionality positioning by market segment (SOHO, ROBO, SMB, Enterprise, SP): ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550; Gigabit Ethernet]
SP = service provider
PIX 500 Series
[Figure: price and functionality positioning by market segment (SOHO, ROBO, SMB, Enterprise, SP): PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535; Gigabit Ethernet]
Cisco ASA 5510 Adaptive Security Appliance
- Delivers advanced security and networking services, including high-performance VPN services, for small and medium-sized businesses and enterprise branch offices
- Provides up to 130,000 concurrent connections
- Provides up to 300-Mbps firewall throughput
- Provides interface support: up to 5 10/100 Fast Ethernet interfaces; up to 25 VLANs; up to 5 contexts
- Supports failover: active/standby
- Supports VPNs: site to site (250 peers); remote access; WebVPN
- Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port Gigabit Ethernet SSM)
Cisco ASA 5520 Adaptive Security Appliance
- Delivers advanced security services, including high-performance VPN services, for medium-sized enterprise networks
- Provides up to 280,000 concurrent connections
- Provides up to 450-Mbps firewall throughput
- Provides interface support: 4 10/100/1000 Gigabit Ethernet interfaces; 1 10/100 Fast Ethernet interface; up to 100 VLANs; up to 20 contexts
- Supports failover: active/standby; active/active
- Supports VPNs: site to site (750 peers); remote access; WebVPN
- Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port Gigabit Ethernet SSM)
Cisco ASA 5540 Adaptive Security Appliance
- Delivers high-performance, high-density security services, including high-performance VPN services, for medium-sized and large enterprise networks and service provider networks
- Provides up to 400,000 concurrent connections
- Provides up to 650-Mbps firewall throughput
- Provides interface support: 4 10/100/1000 Gigabit Ethernet interfaces; 1 10/100 Fast Ethernet interface; up to 200 VLANs; up to 50 contexts
- Supports failover: active/standby; active/active
- Supports VPNs: site to site (5,000 peers); remote access; WebVPN
- Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port Gigabit Ethernet SSM)
ASA 5510, 5520, and 5540 Adaptive Security Appliances Front Panel
Front panel indicators: Power, Status, Active, Flash, VPN
ASA 5510, 5520, and 5540 Adaptive Security Appliances Back Panel
Back panel: security services module, fixed interfaces, CompactFlash
ASA 5510, 5520, and 5540 Adaptive Security Appliances Connectors
- Four 10/100/1000 Gigabit Ethernet ports*
- 10/100 out-of-band management port
- AUX port
- CompactFlash
- Two USB 2.0 ports
- Power supply (AC or DC)
- Console port
*The ASA 5510 Adaptive Security Appliance supports 10/100 Fast Ethernet ports.
Cisco ASA Security Services Module
- High-performance module designed to provide additional security services
- Diskless (Flash-based) design for improved reliability
- Gigabit Ethernet port for out-of-band management
SSM Models
[Figure: SSM front panel with Power, Status, Speed, and Link and activity indicators]
- SSM-10: 2.0-GHz processor, 1.0 GB RAM
- SSM-20: 2.4-GHz processor, 2.0 GB RAM
Four-Port Gigabit Ethernet SSM
[Figure: front panel with RJ-45 link LED, RJ-45 speed LED, SFP link LED, SFP speed LED, RJ-45 ports, SFP ports, Power LED and Status LED]
Summary
A firewall is a system or group of systems that manages access between two or more networks.
A stateful firewall is the technology that works most effectively; Cisco security appliances, including the Cisco PIX and ASA, are stateful firewalls. The ASA 5510 and 5520 security appliances target small and medium enterprises. The functions of the security appliances can be expanded with SSMs.
Lesson 2
Getting Started with Cisco Security Appliances
User Interface
Security Appliance Access Modes
A Cisco security appliance has four main administrative access modes:
- Unprivileged: ciscoasa>
- Privileged: ciscoasa#
- Configuration: ciscoasa(config)#
- Monitor: monitor>
Access Privileged Mode
ciscoasa>
enable [priv_level]
Used to control access to the privileged mode
Enables you to enter other access modes
ciscoasa> enable
password:
ciscoasa#
Access Configuration Mode: configure terminal Command
ciscoasa#
configure terminal
Used to start configuration mode to enter configuration commands from a terminal
ciscoasa#
exit
Used to exit from an access mode
ciscoasa> enable
password:
ciscoasa# configure terminal
ciscoasa(config)# exit
ciscoasa# exit
ciscoasa>
help Command
ciscoasa> help ?
enable Turn on privileged commands
exit Exit the current command mode
login Log in as a particular user
logout Exit from current user profile to unprivileged mode
perfmon Change or view performance monitoring options
ping Test connectivity from specified interface to an IP address
quit Exit the current command mode
ciscoasa> help enable
USAGE:
enable [<priv_level>]
File Management
Viewing and Saving Your Configuration
The following commands enable you to view your configuration:
- show running-config
- show startup-config
The following commands enable you to save your configuration:
- copy run start
- write memory
To save configuration changes:
copy run start
[Figure: configuration changes go into the running-config; copy run start writes it to the startup-config (saved)]
Clearing Running Configuration
ciscoasa(config)#
clear configure all
Clears the running configuration
Clear the running configuration:
ciscoasa(config)# clear config all
[Figure: the running-config returns to its default; the startup-config is unchanged]
Clearing Startup Configuration
ciscoasa#
write erase
Clears the startup configuration
Clear the startup configuration:
ciscoasa# write erase
[Figure: the startup-config returns to its default; the running-config is unchanged]
Reload the Configuration: reload Command
ciscoasa#
reload [at hh:mm [month day | day month]] [cancel] [in [hh:]mm] [max-hold-time [hh:]mm] [noconfirm] [quick] [reason text] [save-config]
Reboots the security appliance and reloads the configuration
Allows scheduled reboots
ciscoasa# reload
Proceed with reload? [confirm] y
Rebooting...
File System
Release 7.0 and later:
- Software image
- Configuration file
- Private data
- ASDM image
- Backup image*
- Backup configuration file*
Displaying Stored Files: System and Configuration
ciscoasa#
dir [/all] [/recursive] [all-filesystems] [disk0: | disk1: | flash: | system:]
Displays the directory contents
File systems: PIX Security Appliance: flash:; ASA: disk0:, disk1:
ciscoasa# dir
Directory of disk0:/
8 -rw- 8202240 13:37:33 Jul 28 2006 asa721-k8.bin
1264 -rw- 5539756 13:21:13 Jul 28 2006 asdm-521.bin
62947328 bytes total (49152000 bytes free)
Security Level Example
Network | Interface | Security level | Interface name
Outside network (toward the Internet) | GigabitEthernet0/0 (g0/0) | 0 | outside
DMZ network | GigabitEthernet0/2 (g0/2) | 50 | DMZ
Inside network | GigabitEthernet0/1 (g0/1) | 100 | inside
Examining Security Appliance Status
show Commands
show interface
show run interface
asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Detected: Speed 1000 Mbps, Full-duplex
Requested: Auto
MAC address 000b.fcf8.c538, MTU 1500
IP address 192.168.1.2, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
input queue (curr/max blocks): hardware (0/0) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 0 VLAN untagged packets, 0 bytes
Dropped 0 VLAN untagged packets
asa1# show run interface
. . .
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
. . .
show memory Command
ciscoasa#
show memory
asa1# show memory
Free memory: 468962336 bytes (87%)
Used memory: 67908576 bytes (13%)
------------- ----------------
Total memory: 536870912 bytes (100%)
show cpu usage Command
ciscoasa#
show cpu usage
asa1# show cpu usage
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
show version Command
asa1# show version
Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)
Compiled on Wed 31-May-06 14:45 by root
System image file is "disk0:/asa721-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 2 mins 51 secs
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
. . .
show ip address Command
asa1# show ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 192.168.1.2 255.255.255.0 CONFIG
GigabitEthernet0/1 inside 10.0.1.1 255.255.255.0 CONFIG
GigabitEthernet0/2 dmz 172.16.1.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 192.168.1.2 255.255.255.0 CONFIG
GigabitEthernet0/1 inside 10.0.1.1 255.255.255.0 CONFIG
GigabitEthernet0/2 dmz 172.16.1.1 255.255.255.0 CONFIG
[Figure: outside network 192.168.1.0 (appliance .2) toward the Internet, inside network 10.0.1.0 (.1), dmz network 172.16.1.0 (.1), and a further inside network 10.1.1.0]
show interface Command
asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0013.c482.2e4c, MTU 1500
IP address 192.168.1.2, subnet mask 255.255.255.0
8 packets input, 1078 bytes, 0 no buffer
Received 8 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (8/0) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Traffic Statistics for "outside":
8 packets input, 934 bytes
0 packets output, 0 bytes
8 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
show nameif Command
asa1# show nameif
Interface Name Security
GigabitEthernet0/0 outside 0
GigabitEthernet0/1 inside 100
GigabitEthernet0/2 dmz 50
[Figure: GigabitEthernet0/0 = outside, security level 0, toward the Internet; GigabitEthernet0/2 = dmz, security level 50; GigabitEthernet0/1 = inside, security level 100]
show run nat Command
ciscoasa#
show run nat
Displays a single host or range of hosts to be translated
asa1# show run nat
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
[Figure: inside hosts 10.0.1.11 and 10.0.1.4 (10.0.1.X) translated by NAT to X.X.X.X toward the Internet]
show run global Command
ciscoasa#
show run global
Displays the pool of mapped addresses
asa1# show run global
global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0
[Figure: inside hosts 10.0.1.11 and 10.0.1.4 (10.0.1.X) translated by NAT to the mapped pool 192.168.1.20-192.168.1.254 toward the Internet]
show xlate Command
ciscoasa#
show xlate
Displays the contents of the translation slots
asa1# show xlate
1 in use, 1 most used
Global 192.168.1.20 Local 10.0.1.11
Xlate table:
Inside local | Outside mapped pool
10.0.1.11 | 192.168.1.20
[Figure: inside hosts 10.0.1.11 and 10.0.1.4; 10.0.1.11 appears as 192.168.1.20 toward the Internet]
show route Command
ciscoasa#
show route [interface_name [ip_address [netmask [static]]]]
Displays the contents of the routing table
asa1(config)# show route
S 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
C 10.0.1.0 255.255.255.0 is directly connected, inside
C* 127.0.0.0 255.255.0.0 is directly connected, cplane
C 172.16.1.0 255.255.255.0 is directly connected, dmz
C 192.168.1.0 255.255.255.0 is directly connected, outside
[Figure: g0/0 on 192.168.1.0 toward the Internet (gateway .1), g0/1 on 10.0.1.0, g0/2 on 172.16.1.0]
ping Command
ciscoasa#
ping [if_name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]
Determines whether other devices are visible from the security appliance
asa1# ping 10.0.1.11
Sending 5, 100-byte ICMP Echos to 10.0.1.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
traceroute Command
ciscoasa#
traceroute {destination_ip | hostname} [source source_ip | source-interface] [numeric] [timeout timeout_value] [probe probe_num] [ttl min_ttl max_ttl] [port port_value] [use-icmp]
Determines the route packets will take to their destination
asa1# traceroute 172.26.26.20
[Figure: the appliance traces the route across the Internet to example.com]
Basic Security Appliance Configuration
Basic CLI Commands for Security Appliances
- hostname
- interface
  - nameif
  - ip address
  - security-level
  - speed
  - duplex
  - no shutdown
- nat-control
- nat
- global
- route
Assigning a Hostname to Security Appliance: Changing the CLI Prompt
ciscoasa(config)#
hostname newname
Changes the hostname in the security appliance CLI prompt
ciscoasa(config)# hostname asa1
asa1(config)#
[Figure: appliances asa1 (New York), asa2 (Boston) and asa3 (Dallas), each fronting a server, connected across the Internet]
interface Command and Subcommands
ciscoasa(config)#
interface {physical_interface[.subinterface] | mapped_name}
Enters configuration mode for the interface you specify
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)#
[Figure: GigabitEthernet0/0 (g0/0) toward the Internet, GigabitEthernet0/1 (g0/1) and GigabitEthernet0/2 (g0/2)]
Assign an Interface Name: nameif Subcommand
ciscoasa(config-if)#
nameif if_name
Assigns a name to an interface on the security appliance.
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
[Figure: GigabitEthernet0/0 = outside, GigabitEthernet0/1 = inside, GigabitEthernet0/2 = dmz]
Assign Interface IP Address: ip address Subcommand
ciscoasa(config-if)#
ip address ip_address [mask] [standby ip_address]
Assigns an IP address to each interface
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address 192.168.1.2 255.255.255.0
[Figure: GigabitEthernet0/0, interface name = outside, IP address = 192.168.1.2]
DHCP-Assigned Address
ciscoasa(config-if)#
ip address dhcp [setroute]
Enables the DHCP client feature on the outside interface
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address dhcp
[Figure: GigabitEthernet0/0, interface name = outside, IP address assigned by DHCP from the Internet side]
Assign a Security Level: security-level Subcommand
ciscoasa(config-if)#
security-level number
Assigns a security level to the interface
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address 192.168.1.2
asa1(config-if)# security-level 0
[Figure: GigabitEthernet0/0, interface name = outside, IP address = 192.168.1.2, security level = 0]
Interfaces with Same Security Level: same-security-traffic Command
ciscoasa(config)#
same-security-traffic permit {inter-interface | intra-interface}
Enables communication between interfaces with the same security level or allows traffic to enter and exit the same interface
asa1(config)# same-security-traffic permit inter-interface
[Figure: DMZ network on GigabitEthernet0/2 (interface name dmz, security level 100) and inside network on GigabitEthernet0/1 (interface name inside, security level 100)]
Assign an Interface Speed and Duplex: speed and duplex Subcommands
ciscoasa(config-if)#
speed {10 | 100 | 1000 | auto | nonegotiate}
duplex {auto | full | half}
Set the interface speed and duplex
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address 192.168.1.2
asa1(config-if)# security-level 0
asa1(config-if)# speed 1000
asa1(config-if)# duplex full
[Figure: GigabitEthernet0/0, speed = 1000, duplex = full]
ASA Management Interface
ciscoasa(config-if)#
management-only
Configures an interface to accept management traffic only
no management-only
Disables management-only mode (for ASA 5520, 5540 and 5550)
asa1(config)# interface management0/0
asa1(config-if)# no management-only
[Figure: Management0/0 (m0/0), management only = no, alongside g0/0, g0/1 and g0/2]
Enabling and Disabling Interfaces: shutdown Subcommand
ciscoasa(config-if)#
shutdown
Disables an interface
no shutdown = enabled
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# no shutdown
[Figure: GigabitEthernet0/0 enabled]
Network Address Translation
[Figure: inside hosts 10.0.0.11 and 10.0.0.4 behind NAT toward the Internet]
Translation table:
Inside local | Outside mapped pool
10.0.0.11 | 192.168.0.20
Enable NAT Control
asa1(config)# nat-control
Enables or disables the NAT configuration requirement
[Figure: inside hosts 10.0.0.11 and 10.0.0.4 behind NAT toward the Internet; translation table: inside local 10.0.0.11 to outside mapped pool 192.168.0.20]
nat Command
ciscoasa(config)#
nat (if_name) nat_id address [netmask] [dns]
Enables IP address translation
asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0
[Figure: inside hosts 10.0.1.11 and 10.0.1.4; 10.0.1.11 translated by NAT to X.X.X.X toward the Internet]
global Command
ciscoasa(config)#
global (if_name) nat_id {mapped_ip[-mapped_ip] [netmask mapped_mask]} | interface
Works with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall, for example, 192.168.0.20-192.168.0.254
asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0
asa1(config)# global (outside) 1 192.168.1.20-192.168.1.254
[Figure: inside hosts 10.0.1.11 and 10.0.1.4; 10.0.1.11 translated by NAT to 192.168.1.20 toward the Internet]
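A model of how the nat and global commands above cooperate, added here as an illustration (it is not Cisco code and not part of the course): a nat rule selects inside hosts by nat_id, the matching global pool on the egress interface hands out mapped addresses, each translation occupies a slot shown by show xlate, and nat-control decides what happens to traffic no rule matches. The addresses are the course example's; the pool-exhaustion case is constructed.

```python
import ipaddress


class DynamicNat:
    """Dynamic NAT driven by nat/global pairs sharing a nat_id, with an xlate table."""

    def __init__(self, nat_control=False):
        self.nat_control = nat_control  # nat-control: untranslated traffic is dropped
        self.nat_rules = []             # (nat_id, if_name, local network)
        self.pools = {}                 # (nat_id, if_name) -> free mapped addresses
        self.xlate = {}                 # local ip -> (mapped ip, pool key)
        self.most_used = 0

    def nat(self, if_name, nat_id, address, netmask):
        """nat (if_name) nat_id address netmask"""
        net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
        self.nat_rules.append((nat_id, if_name, net))

    def global_pool(self, if_name, nat_id, mapped_range):
        """global (if_name) nat_id mapped_ip[-mapped_ip]"""
        first, _, last = mapped_range.partition("-")
        lo = int(ipaddress.ip_address(first))
        hi = int(ipaddress.ip_address(last or first))
        self.pools[(nat_id, if_name)] = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]

    def translate(self, src_if, dst_if, local_ip):
        """Mapped address for local_ip leaving on dst_if, or None if the packet is dropped."""
        if local_ip in self.xlate:
            return self.xlate[local_ip][0]       # reuse the existing translation slot
        addr = ipaddress.ip_address(local_ip)
        for nat_id, if_name, net in self.nat_rules:
            if if_name == src_if and addr in net:
                pool = self.pools.get((nat_id, dst_if))
                if not pool:
                    return None                   # no pool for this nat_id, or pool exhausted
                mapped = pool.pop(0)
                self.xlate[local_ip] = (mapped, (nat_id, dst_if))
                self.most_used = max(self.most_used, len(self.xlate))
                return mapped
        # No nat rule matched: with nat-control the packet is dropped,
        # otherwise it passes untranslated.
        return None if self.nat_control else local_ip

    def clear_xlate(self, local_ip):
        """Remove a translation slot and return its mapped address to the pool."""
        mapped, key = self.xlate.pop(local_ip)
        self.pools[key].append(mapped)

    def show_xlate(self):
        """Render the slots the way show xlate lists them."""
        lines = [f"{len(self.xlate)} in use, {self.most_used} most used"]
        for local, (mapped, _) in self.xlate.items():
            lines.append(f"Global {mapped} Local {local}")
        return "\n".join(lines)
```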
Configure a Static Route: route Command
ciscoasa(config)#
route if_name ip_address netmask gateway_ip [metric]
Defines a static or default route for an interface
asa1(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
asa1(config)# route inside 10.1.1.0 255.255.255.0 10.0.1.102 1
[Figure: default route via 192.168.1.1 on the outside toward the Internet; static route to 10.1.1.0 (hosts 10.1.1.11 and 10.1.1.4) via the inside router 10.0.1.102]
Host Name-to-IP-Address Mapping: name Command
ciscoasa(config)#
name ip_address name
Configures a list of name-to-IP-address mappings on the security appliance
asa1(config)# names
asa1(config)# name 172.16.1.2 bastionhost
asa1(config)# name 10.0.1.11 insidehost
[Figure: "bastionhost" 172.16.1.2 on the 172.16.1.0 network and "insidehost" 10.0.1.11 on the 10.0.1.0 network]
Configuration Example
asa1(config)# write terminal
. . .
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
. . .
[Figure: GigabitEthernet0/0 = outside, security level 0, IP address 192.168.1.2 on 192.168.1.0 toward the Internet; GigabitEthernet0/1 = inside, security level 100, IP address 10.0.1.1 on 10.0.1.0; also 172.16.1.0 (.1) and 10.1.1.0 (.1)]
Configuration Example (Cont.)
interface GigabitEthernet0/2
nameif dmz
security-level 50
speed 1000
duplex full
ip address 172.16.1.1 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
hostname asa1
names
name 172.16.1.2 bastionhost
name 10.1.1.11 insidehost
[Figure: GigabitEthernet0/2 = dmz, security level 50, IP address 172.16.1.1; "insidehost" 10.1.1.11; "bastionhost" 172.16.1.2]
Configuration Example (Cont.)
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 192.168.1.20-192.168.1.254
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.1.1.0 255.255.255.0 10.0.1.102 1
[Figure: mapped pool 192.168.1.20-254 on the outside; default route via 192.168.1.1 toward the Internet; static route to 10.1.1.0 via 10.0.1.102; "insidehost" 10.1.1.11; "bastionhost" 172.16.1.2]
Summary
Cisco security appliances have four main administrative access modes: unprivileged, privileged, configuration, and monitor.
There are two configuration memories in the Cisco security appliances: running configuration and startup configuration.
The show running-config command displays the current configuration in the security appliance RAM on the terminal.
You can use the copy run start or the write memory command to save the current running configuration to flash memory as the startup configuration.
Interfaces with a higher security level can access interfaces with a lower security level, but interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.
The security appliance show commands help you manage the security appliance.
The basic commands that are necessary to configure Cisco security appliances are the following: interface, nat, global, and route.
The nat and global commands work together to translate IP addresses.
Lesson 3
Managing the Security Appliance
Managing System Access
Configuring Telnet Access to the Security Appliance Console
ciscoasa(config)#
telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}
Enables you to specify which hosts can access the security appliance console with Telnet and set the maximum time a console Telnet session can be idle before being logged off by the security appliance
ciscoasa(config)#
passwd password [encrypted]
Sets the password for Telnet access to the security appliance
asa1(config)# telnet 10.0.0.11 255.255.255.255 inside
asa1(config)# telnet timeout 15
asa1(config)# passwd telnetpass
[Figure: host 10.0.0.11 on the inside connecting to the appliance with Telnet]
Viewing and Disabling Telnet
ciscoasa#
show running-config telnet [timeout]
Displays IP addresses permitted to access the security appliance via Telnet
ciscoasa#
who [local_ip]
Enables you to view which IP addresses are currently accessing the security appliance console via Telnet
ciscoasa#
kill telnet_id
Terminates a Telnet session
ciscoasa(config)#
clear configure telnet
Removes the Telnet connection and the idle timeout from the configuration
SSH Connections to the Security Appliance
SSH connections to the security appliance:
- Provide secure remote access
- Provide strong authentication and encryption
- Require RSA key pairs for the security appliance
- Require 3DES/AES or DES activation keys
- Allow up to five SSH clients to simultaneously access the security appliance console
- Use the Telnet password for local authentication
Configuring SSH Access to the Security Appliance Console
ciscoasa(config)#
crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]
Removes any previously generated RSA keys
ciscoasa(config)#
write memory
Saves the CA state
ciscoasa(config)#
domain-name name
Configures the domain name
ciscoasa(config)#
crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]
Generates an RSA key pair
ciscoasa(config)#
ssh {ip_address mask | ipv6_address/prefix} interface
Specifies the host or network authorized to initiate an SSH connection
ciscoasa(config)#
ssh timeout number
Specifies how long a session can be idle before being disconnected
Connecting to the Security Appliance with an SSH Client
asa1(config)# crypto key zeroize rsa
asa1(config)# write memory
asa1(config)# domain-name cisco.com
asa1(config)# crypto key generate rsa modulus 1024
asa1(config)# write memory
asa1(config)# ssh 172.26.26.50 255.255.255.255 outside
asa1(config)# ssh timeout 30
[Figure: host 172.26.26.50 on the Internet connects with an SSH client, username: pix, password: telnetpassword]
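An added defender-side check (not Cisco code and not from the course) that reads the telnet, ssh, timeout and passwd lines shown in this lesson out of a saved configuration and flags console-access exposure: cleartext Telnet permitted on an untrusted interface, access from any address, a missing idle timeout, and a cleartext login password. The sample configuration is constructed from the lesson's commands plus one deliberately weak line, and the trusted-interface list is an assumption.

```python
import ipaddress
import re

# Constructed sample: this lesson's telnet/ssh/passwd lines plus one deliberately
# weak line (telnet from any address on outside) for the audit to flag.
SAMPLE_CONFIG = """\
hostname asa1
passwd 2KFQnbNIdI.2KYOU encrypted
telnet 10.0.0.11 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 15
ssh 172.26.26.50 255.255.255.255 outside
ssh timeout 30
"""

RULE_RE = re.compile(r"^(telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
TIMEOUT_RE = re.compile(r"^(telnet|ssh)\s+timeout\s+(\d+)$")
PASSWD_RE = re.compile(r"^passwd\s+(\S+)(\s+encrypted)?$")


def parse_management_access(config_text):
    """Collect (protocol, permitted network, interface) rules, idle timeouts and passwd state."""
    rules, timeouts, passwd_encrypted = [], {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := TIMEOUT_RE.match(line):
            timeouts[m.group(1)] = int(m.group(2))
        elif m := RULE_RE.match(line):
            proto, ip, mask, ifname = m.groups()
            rules.append((proto, ipaddress.ip_network(f"{ip}/{mask}", strict=False), ifname))
        elif m := PASSWD_RE.match(line):
            passwd_encrypted = m.group(2) is not None
    return rules, timeouts, passwd_encrypted


def audit(config_text, trusted_interfaces=("inside",)):
    """Return (severity, message) findings about console access exposure.

    trusted_interfaces is an assumption: interfaces on which cleartext Telnet
    is tolerated (the lesson's example permits Telnet from an inside host only).
    """
    rules, timeouts, passwd_encrypted = parse_management_access(config_text)
    findings = []
    for proto, net, ifname in rules:
        if proto == "telnet" and ifname not in trusted_interfaces:
            findings.append(("high", f"telnet (cleartext) permitted on {ifname} from {net}"))
        if net.prefixlen == 0:
            findings.append(("high", f"{proto} permitted from any address on {ifname}"))
        elif net.prefixlen < 24:
            findings.append(("medium", f"{proto} permitted from a wide range {net} on {ifname}"))
    for proto in sorted({r[0] for r in rules}):
        if proto not in timeouts:
            findings.append(("low", f"no {proto} timeout configured (appliance default applies)"))
    if rules and passwd_encrypted is None:
        findings.append(("high", "telnet/ssh enabled but no passwd line found"))
    elif passwd_encrypted is False:
        findings.append(("medium", "passwd stored in cleartext in the configuration"))
    return findings
```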
Managing Software, Licenses, and Configurations
Viewing Directory Contents
ciscoasa#
dir [/all] [/recursive] [all-filesystems | [disk0: | disk1: | flash: | system:] path]
Displays the directory contents
asa1# dir
Directory of disk0:/
4346 -rw- 8202240 15:01:10 Oct 19 2006 asa721-k8.bin
6349 -rw- 5539756 15:30:39 Oct 19 2006 asdm521.bin
7705 -rw- 3334 07:03:57 Oct 22 2006 old_running.cfg
62947328 bytes total (29495296 bytes free)
You can use the pwd command to display the current working directory.
Copying Files
ciscoasa#
copy [/noconfirm | /pcap] {url | running-config | startup-config} {running-config | startup-config | url}
Copies a file from one location to another
asa1# copy disk0:MYCONTEXT.cfg startup-config
Copies the file MYCONTEXT.cfg from disk0 to the startup configuration
Downloading and Backing Up Downloading and Backing Up Configuration Files ExampleConfiguration Files Example
Copies the configuration file from an FTP server
Copies the configuration file to an FTP server
copy ftp: startup-config
copy running-config ftp:
Image Upgrade
Viewing Version Information
asa1# show version
Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)
Compiled on Wed 31-May-06 14:45 by root
System image file is “disk0:/asa721-k8.bin”
Config file at boot was “startup-config”
asa1 up 17 hours 40 mins . . .
show version
ciscoasa#
Displays the software version, hardware configuration, license key, and related uptime data
Image Upgrade
asa1# copy tftp://10.0.0.3/asa721-k8.bin flash
copy tftp://server[/path]/filename flash:/filename
ciscoasa#
Enables you to change software images without accessing the TFTP monitor mode.
The TFTP server at IP address 10.0.0.3 receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the security appliance.
Summary
SSH provides secure remote management of the security appliance. TFTP is used to upgrade the software image on security appliances. You can enable Telnet to the security appliance on all interfaces.
Lesson 4
Access Control Lists (ACLs)
Security Appliance ACL Configuration
[Diagram: outside and inside interfaces, with an ACL for inbound access and an ACL for outbound access; with no ACL, outbound is permitted by default and inbound is denied by default]
The security appliance configuration philosophy is interface-based. An interface ACL permits and denies the initial incoming and outgoing packets on that interface.
An ACL must describe only the initial packet of the application; return traffic does not need to be described.
If no ACL is attached to an interface:
The outbound packet is permitted by default.
The inbound packet is denied by default.
Inbound Traffic to DMZ Web Server
There is no ACL, so by default, inbound access is denied. To permit inbound traffic, complete the following steps:
Configure a static translation for the web server address
Configure an inbound ACL
Apply the ACL to the outside interface
[Diagram: public web server in the DMZ with private address 172.16.1.2, reachable from the Internet through the outside interface as 192.168.1.9; inbound traffic is blocked until a static translation and ACL are configured]
Maps an inside private address to an outside public address
asa1(config)# static (DMZ,outside) 192.168.1.9 172.16.1.2 0 0
Create a Static Translation for Web Server
access-list Command
Permits outside HTTP traffic to access the public web server
asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq www
ciscoasa(config)#
access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id}{host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
access-group Command
Applies an ACL to an interface
asa1(config)# access-group ACLOUT in interface outside
ciscoasa(config)#
access-group access-list {in | out} interface interface_name [per-user-override]
show access-list Command
asa1(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ACLOUT; 4 elements
access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=4)0x984ebd70
access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=1) 0x53490ecd
access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=8) 0x83af39ca
access-list ACLOUT line 4 extended deny ip any any (hitcnt=4) 0x2ca30385
access-list ICMPDMZ; 1 elements
access-list ICMPDMZ line 1 extended permit icmp host bastionhost any echo-reply
clear access-list counters Command
asa1(config)# clear access-list ACLOUT counters
asa1(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ACLOUT; 4 elements
access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=0) 0x984ebd70
access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=0) 0x53490ecd
access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=0) 0x83af39ca
access-list ACLOUT line 4 extended deny ip any any (hitcnt=0) 0x2ca30385
ACL Logging
Enables the logging option for inbound ICMP to 192.168.1.11
asa1(config)# access-list OUTSIDE-ACL permit icmp any host 192.168.1.11 log 7 interval 600
ciscoasa(config)#
access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id}{host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
ACL Comments
asa1(config)# access-list ACLOUT line 2 remark WebMailA access-list
Inserts ACL comment
ciscoasa(config)#
access-list id [line line-number] remark text
asa1(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list ACLOUT; 6 elements
access-list ACLOUT line 1 extended permit tcp any host 192.168.1.7 eq www (hitcnt=0) 0x3df6ed1e
access-list ACLOUT line 2 remark WebMailA access-list
access-list ACLOUT line 3 extended permit tcp any host 192.168.1.8 eq www (hitcnt=0) 0xd5383eba
access-list ACLOUT line 4 extended permit tcp any host 192.168.1.9 eq www (hitcnt=0)0x2c4288ad
access-list ACLOUT line 5 extended permit tcp any host 192.168.1.10 eq www (hitcnt=0) 0xb70c935b
access-list ACLOUT line 6 extended permit tcp any host 192.168.1.11 eq www (hitcnt=0) 0x8b43382e
(Line 3 above was formerly line 2; the remark was inserted ahead of it.)
Inbound HTTP Access Solution
Permits outside HTTP traffic to access the public web server
asa1(config)# static (DMZ,outside) 192.168.1.9 172.16.1.2 0 0
asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq www
asa1(config)# access-group ACLOUT in interface outside
[Diagram: inbound HTTP from the Internet reaches the public web server in the DMZ, translated from 192.168.1.9 to 172.16.1.2]
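As an added example (not from the course material), the Python below parses output in the `show access-list` format shown earlier and evaluates an initial packet against the ACEs with first-match semantics and the implicit deny at the end of the list; the sample output is constructed from the page's ACLOUT entries and the test addresses are made up.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample in the format of this page's "show access-list" output.
SHOW_ACL = """\
access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=4) 0x984ebd70
access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=1) 0x53490ecd
access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=8) 0x83af39ca
access-list ACLOUT line 4 extended deny ip any any (hitcnt=4) 0x2ca30385
"""

PORTS = {"www": 80, "ftp": 21, "ssh": 22, "smtp": 25, "https": 443}
ADDR = r"(?:any|host \S+|\S+ \S+)"            # any | host A | A MASK
ACE_RE = re.compile(
    rf"access-list (\S+) line (\d+) extended (permit|deny) (\S+) "
    rf"({ADDR}) ({ADDR})(?: eq (\S+))? \(hitcnt=(\d+)\)"
)
Ace = namedtuple("Ace", "acl line action proto src dst dport hits")

def to_net(text):
    """Convert ASA address notation (any | host A | A MASK) to an IPv4Network."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if text.startswith("host "):
        return ipaddress.ip_network(text[5:] + "/32")
    addr, mask = text.split()
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_show_access_list(output):
    """Return the extended ACEs of a 'show access-list' dump in line order (remark lines are skipped)."""
    aces = []
    for m in ACE_RE.finditer(output):
        acl, line, action, proto, src, dst, port, hits = m.groups()
        dport = None if port is None else (int(port) if port.isdigit() else PORTS[port])
        aces.append(Ace(acl, int(line), action, proto, to_net(src), to_net(dst), dport, int(hits)))
    return aces

def evaluate(aces, proto, src_ip, dst_ip, dport):
    """The first matching ACE decides the initial packet; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.line
    return "deny", None

def zero_hit_lines(aces):
    """ACE lines whose hitcnt is still 0, e.g. after 'clear access-list ACLOUT counters'."""
    return [ace.line for ace in aces if ace.hits == 0]
```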
icmp Command
Enables or disables pinging to an interface
asa1(config)# icmp permit any echo-reply outside
asa1(config)# icmp permit any unreachable outside
ciscoasa(config)#
icmp {permit | deny} {host sip | sip smask | any} [icmp-type] if_name
Permits all unreachable messages at the outside interface and denies all ping requests at the outside interface
Summary
ACLs enable you to determine which systems can establish connections through your security appliance.
With ICMP ACLs, you can disable pinging to a security appliance interface so that your security appliance cannot be detected on your network.
Lesson 5
Cisco Adaptive Security Device Manager
ASDM Overview and Operating Requirements
What Is ASDM?
ASDM is a browser-based configuration tool designed to help configure and monitor your security appliance.
[Diagram: the ASDM host reaches the security appliance over an SSL secure tunnel across the Internet]
ASDM Features
Runs on a variety of platforms
Implemented in Java to provide robust, real-time monitoring
Works with SSL to ensure secure communication with the PIX security appliance
Comes preloaded in flash memory on new Cisco ASA and Cisco PIX security appliances running Versions 7.2 and later
ASDM sessions:
• 5 ASDM sessions per unit (single mode) or context (multiple mode)
• 32 sessions per unit in multiple mode
Operates on PIX 515E, 525, and 535* Security Appliances
Operates on Cisco ASA 5505, 5510, 5520, 5540, and 5550 Security Appliances
* ASDM Version 5.2 is not supported on the PIX 501 or 506 Security Appliance.
ASDM Security Appliance Requirements
A security appliance must meet the following requirements to run ASDM:
Activation key that enables DES or 3DES
Supported Java plug-in
Security appliance software version compatible with the ASDM software version you plan to use*
Hardware model compatible with the ASDM software version you plan to use
* ASDM Version 5.2 requires Security Appliance Software Version 7.2.
ASDM Browser Requirements
To access ASDM from a browser, the following requirements must be met:
JavaScript and Java must be enabled on the computer where the browser resides.
SSL must be enabled in the browser.
Popup blockers may prevent ASDM from starting.
Supported Platforms
Windows, Sun Solaris, Linux
Running ASDM
Run ASDM as a local application or as a Java applet
Launch Startup Wizard
Configure the Security Appliance to Use ASDM
Before you can use ASDM, you need to enter the following information on the security appliance via a console terminal:
Time
Inside IP address
Inside network mask
Host name
Domain name
Enable the HTTP server on the security appliance
IP addresses of hosts authorized to access the HTTP server
If more than one ASDM image is stored in the flash memory of your security appliance, also specify the ASDM image to be used.
Setup Dialog
Pre-configure Firewall now through interactive prompts [yes]? <Enter>
Firewall Mode [Routed]:
Enable Password [<use current password>]: cisco123
Allow password recovery [yes] ?
Clock (UTC)
Year [2006]: <Enter>
Month [Sep]: <Enter>
Day [2]: <Enter>
Time [10:21:49]: <Enter>
Inside IP address: 10.0.1.1
Inside network mask: 255.255.255.0
Host name: asa1
Domain name: ciscoasa.com
IP address of host running Device Manager: 10.0.1.11
Use this configuration and write to flash? Y
Navigating ASDM Configuration Windows
ASDM Home Window
[Screenshot of the ASDM Home window: menu bar, main toolbar, and panes for Device Information (General, License), VPN Status, System Resources, Interface Status, Traffic Status, and Syslog Messages]
ASDM Home Window (Cont.)
[Screenshot: License tab of the Device Information pane]
Startup Wizard
[Screenshot of the Startup Wizard: Interfaces, NAT and PAT, Hostname, Domain name, Enable password]
VPN Wizard
[Screenshot of the VPN Wizard: Site-to-Site, Remote Access]
Note: Use Configuration > VPN to edit VPN connections.
High Availability and Scalability Wizard
[Screenshot of the High Availability and Scalability Wizard: Active/Active Failover, Active/Standby Failover, VPN Cluster Load Balancing]
Configuration Window
[Screenshot of the Configuration window: Interfaces, Security Policy, NAT, VPN, IPS or CSD Manager, Routing, Global Objects, Properties]
Interfaces
IP address
– Static
– DHCP
Same security level
Security Policy
Access Rules
AAA Rules
Filter Rules
Service Policy Rules
NAT
Translation Rules
• NAT
• Policy NAT
• NAT exemption (NAT0)
• Maximum connections
• Embryonic connections
VPN
Edit VPN: General, IKE, IPsec, IP Address Management, Load Balancing, NAC, WebVPN, E-Mail Proxy
Note: Use the Remote Access or Site-to-Site VPN Wizard for new VPN connections.
Routing
Static Routes
Dynamic Routing
– OSPF
– RIP
Multicast
– IGMP
– MRoute
– PIM
Proxy ARPs
Global Objects
Network Object Groups, IP Names, Service Groups, Class Maps, Inspect Maps, Regular Expressions, TCP Maps, Time Ranges
Monitoring Button
Interfaces, VPN, IPS or Trend Micro Content Security, Routing, Properties, Logging
The Interface Graphs panel enables you to monitor per-interface statistics, such as bit rates, for each enabled interface on the security appliance.
Interface Graphs Panel
Packet Tracer
[Screenshot of Packet Tracer: input fields Interface, Source IP, Source port, Destination IP, Destination port; trace phases shown: Flow lookup, Route lookup, Access list]
Options > Preferences
Tools
Tools menu: Command Line Interface, Packet Tracer, Ping, Traceroute, File Management, Upgrade Software, Upload ASDM Assistant Guide, System Reload, ASDM Java Console
Help
Help menu: Help Topics, Help for Current Screen, Release Notes, Getting Started, VPN 3000 Migration Guide, Glossary, ...
Online Help
Summary
ASDM is a browser-based tool used to configure your security appliance. Minimal setup on the security appliance is required to run ASDM. ASDM contains several tools in addition to the GUI to help you configure your security appliance. The following ASDM wizards are available to simplify security appliance configuration:
• Startup Wizard: Walks you step by step through the initial configuration of the security appliance
• VPN Wizard: Walks you step by step through the creation of site-to-site and remote access VPNs
• High Availability and Scalability Wizard: Walks you step by step through the configuration of active/active failover, active/standby failover, and VPN cluster load balancing
Lesson 6
Firewall Switch Modules (FWSM)
Overview
• The Cisco Firewall Services Module (FWSM) is based on Cisco PIX Security Appliance technology, and therefore offers the same security and reliability.
• The FWSM is a line card for the Cisco Catalyst 6500 family of switches and the Cisco 7600 Series Internet routers.
FWSM Key Features
• Brings switching and firewalls into a single chassis
• Based on PIX Firewall technology
• Supports transparent or routed firewall mode
• Up to 100 security contexts
– Up to 256 VLANs per context
– Up to 1000 VLANs all contexts
• 5-Gbps throughput
• One million concurrent connections
• 100,000 connections per second
• Multiple blades supported in one chassis (4 maximum)
• Dynamic routing via RIP v1 and v2 and OSPF
• High availability via intra- or inter-chassis stateful failover
FWSM and PIX Firewall Feature Comparison
Network Model
MSFC Placement
Getting Started with the FWSM
Before you can begin configuring the FWSM, complete the following tasks:
• Verify FWSM installation.
• Configure the switch VLANs.
• Configure the FWSM VLANs.
Verify FWSM Installation
Configure the Switch VLANs
Create Vlan
Defines a controlled VLAN on the MSFC. Assigns an IP address.
Firewall VLAN-Group
Attaches the VLAN and firewall group to the slot where the FWSM is located
Creates a firewall group of controlled VLANs
Configure the FWSM Interfaces
Establishes a console session with the module. The processor number should always be 1.
Configure a Default Route
• Default route
• Static routes are required in multiple context mode.
Configure the FWSM Access-List
FWSM1(config)# access-list 200 permit ip 10.1.1.0 255.255.255.0 any
FWSM1(config)# access-group 200 in interface inside
• By default, all traffic is denied through the FWSM.
• Traffic permitted into an interface can exit through any other interface.
Resetting and Rebooting the FWSM
Resets and reboots the FWSM
Summary
• The FWSM is a line card for the Cisco Catalyst
6500 family of switches and the Cisco 7600 Series Internet routers.
• The FWSM is a high-performance firewall solution based on PIX Firewall Security Appliance technology.
• The FWSM supports transparent and routed firewall modes.
• The FWSM commands are almost identical to security appliance commands.
• PDM can be used to configure and monitor the FWSM.