2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The outline of the Cisco security track needs no introduction; in my view the hardest part is memorizing the commands. In a production environment you can always fall back on the documentation, but for the exam it is best to have them memorized. This article sorts and summarizes them so that I do not have to keep looking them up on Google.
1. HA of ASA
(Written out from memory 5 times.)
Primary unit:
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/2
failover link STATEFUL GigabitEthernet0/3
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATEFUL 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover
Secondary unit (identical apart from the unit role; the failover interface ip lines are the same on both units, the active/standby split is decided by the role):
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/2
failover link STATEFUL GigabitEthernet0/3
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATEFUL 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover
Verification commands such as show failover state and show failover are not listed here, but remember to check monitor-interface.
Use prompt hostname state so that the prompt shows whether the unit is active or standby.
ASA has a characteristic that an interface must be configured with nameif and security-level before any traffic will pass through it. For example, if you only configure the IP address of an interface, you cannot ping it without nameif and security-level.
Practice multiple context mode as well, although ASAv does not support it (which is easy to understand: why would a virtual machine support virtual firewalls? Just install another virtual machine). In any case, copy the commands out to deepen the impression; I will not add comments, since I have already done this in a project.
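Two of the points above can be checked mechanically against a saved configuration before it is pushed to the pair: both units must carry identical failover interface ip lines with only the unit role differing, and an interface with an IP address but without nameif and security-level passes no traffic. The following Python is an added example, not code from the article: it parses a simplified ASA-style configuration text (constructed sample configs are embedded; the secondary's STATEFUL line is deliberately mismatched and one interface deliberately lacks nameif and security-level) and reports what a pre-deployment review should catch. The parsing assumes one command per line with sub-commands indented by a space, as in show running-config output.

```python
import ipaddress

# Constructed sample configurations (not the article's text). The secondary
# deliberately repeats the STATEFUL mistake of a hand-typed draft, and
# GigabitEthernet0/1 on the primary deliberately has an IP but no nameif.
PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/2
failover link STATEFUL GigabitEthernet0/3
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATEFUL 2.2.2.1 255.255.255.252 standby 2.2.2.2
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
"""

SECONDARY_CFG = """\
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/2
failover link STATEFUL GigabitEthernet0/3
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATEFUL 2.2.2.2 255.255.255.252 standby 2.2.2.2
"""


def parse_failover(cfg):
    """Collect the failover settings of one unit into a dict."""
    fo = {"unit": None, "lan": None, "link": None, "ip": {}}
    for line in cfg.splitlines():
        parts = line.split()
        if parts[:3] == ["failover", "lan", "unit"]:
            fo["unit"] = parts[3]
        elif parts[:3] == ["failover", "lan", "interface"]:
            fo["lan"] = (parts[3], parts[4])          # (name, physical interface)
        elif parts[:2] == ["failover", "link"]:
            fo["link"] = (parts[2], parts[3])
        elif parts[:3] == ["failover", "interface", "ip"]:
            # failover interface ip NAME ACTIVE MASK standby STANDBY
            fo["ip"][parts[3]] = (parts[4], parts[5], parts[7])
    return fo


def check_failover_pair(primary_cfg, secondary_cfg):
    """Return a list of findings; an empty list means the pair is consistent."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    findings = []
    if {p["unit"], s["unit"]} != {"primary", "secondary"}:
        findings.append(f"unit roles must be one primary and one secondary, got {p['unit']}/{s['unit']}")
    for key in ("lan", "link"):
        if p[key] != s[key]:
            findings.append(f"failover {key} differs: {p[key]} vs {s[key]}")
    for name in sorted(set(p["ip"]) | set(s["ip"])):
        if p["ip"].get(name) != s["ip"].get(name):
            findings.append(f"failover interface ip {name} differs: {p['ip'].get(name)} vs {s['ip'].get(name)}")
    # On each unit the active and standby address must be distinct hosts on one subnet.
    for label, unit in (("primary", p), ("secondary", s)):
        for name, (active, mask, standby) in unit["ip"].items():
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if active == standby:
                findings.append(f"{label} {name}: active and standby address are identical ({active})")
            elif ipaddress.ip_address(standby) not in net:
                findings.append(f"{label} {name}: standby {standby} is not in {net}")
    return findings


def parse_interfaces(cfg):
    """Group the indented sub-commands under each 'interface X' stanza."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return blocks


def check_interfaces(cfg):
    """Flag interfaces that have an IP address but no nameif or security-level."""
    findings = []
    for name, lines in parse_interfaces(cfg).items():
        if not any(l.startswith("ip address") for l in lines):
            continue  # no address, nothing expected to pass traffic yet
        for needed in ("nameif", "security-level"):
            if not any(l.startswith(needed) for l in lines):
                findings.append(f"{name}: ip address configured but no {needed}")
    return findings


if __name__ == "__main__":
    for finding in check_failover_pair(PRIMARY_CFG, SECONDARY_CFG) + check_interfaces(PRIMARY_CFG):
        print("FINDING:", finding)
```

Run stand-alone it prints two failover findings (the STATEFUL lines differ between units, and on the secondary the STATEFUL active and standby addresses are the same host) and two interface findings for GigabitEthernet0/1; with the secondary corrected to the primary's STATEFUL line the failover findings disappear.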
ASA1 (system execution space):
mode multiple
Interface configuration:
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
interface GigabitEthernet0/2.30
 vlan 30
interface GigabitEthernet0/2.40
 vlan 40
context C1
 allocate-interface GigabitEthernet0/1.10
 allocate-interface GigabitEthernet0/2.30
 config-url disk0:/c1.cfg
context C2
 allocate-interface GigabitEthernet0/1.20
 allocate-interface GigabitEthernet0/2.40
 config-url disk0:/c2.cfg
HA configuration:
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFUL GigabitEthernet0/7
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATEFUL 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
context C1
 join-failover-group 1
context C2
 join-failover-group 2
failover
ASA2 (system execution space):
mode multiple
Interface configuration:
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
interface GigabitEthernet0/2.30
 vlan 30
interface GigabitEthernet0/2.40
 vlan 40
context C1
 allocate-interface GigabitEthernet0/1.10
 allocate-interface GigabitEthernet0/2.30
 config-url disk0:/c1.cfg
context C2
 allocate-interface GigabitEthernet0/1.20
 allocate-interface GigabitEthernet0/2.40
 config-url disk0:/c2.cfg
HA configuration:
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFUL GigabitEthernet0/7
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATEFUL 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover
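In the multiple-context build, what usually goes wrong in the system configuration is a dangling reference: a context allocating a subinterface whose name was mistyped when it was defined, or a context that was never joined to a failover group. The following Python is an added example, not the article's own code: it walks a constructed system configuration written in simplified ASA syntax (one command per line, sub-commands indented by a space; one subinterface name is deliberately mistyped and context C2 deliberately lacks join-failover-group) and lists the references that do not resolve. The note that an unjoined context falls into group 1 reflects ASA's default.

```python
# Constructed sample system configuration (not the article's text).
# GigabitEthernet0/2.41 is a deliberate typo for 0/2.40, and C2 never joins a group.
SYSTEM_CFG = """\
mode multiple
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
interface GigabitEthernet0/2.30
 vlan 30
interface GigabitEthernet0/2.41
 vlan 40
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
context C1
 allocate-interface GigabitEthernet0/1.10
 allocate-interface GigabitEthernet0/2.30
 config-url disk0:/c1.cfg
 join-failover-group 1
context C2
 allocate-interface GigabitEthernet0/1.20
 allocate-interface GigabitEthernet0/2.40
 config-url disk0:/c2.cfg
"""


def parse_stanzas(cfg):
    """Split the config into (top-level command, [indented sub-commands]) pairs, in order."""
    stanzas = []
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and stanzas:
            stanzas[-1][1].append(line.strip())
        else:
            stanzas.append((line.strip(), []))
    return stanzas


def check_system_config(cfg):
    """Return findings for references in context stanzas that do not resolve."""
    interfaces, groups, contexts = set(), set(), {}
    for head, body in parse_stanzas(cfg):
        words = head.split()
        if words[0] == "interface":
            interfaces.add(words[1])
        elif words[:2] == ["failover", "group"]:
            groups.add(words[2])
        elif words[0] == "context":
            contexts[words[1]] = body

    findings = []
    for name, body in contexts.items():
        for line in body:
            if line.startswith("allocate-interface"):
                intf = line.split()[1]
                if intf not in interfaces:
                    findings.append(f"context {name}: allocate-interface {intf} is not defined in the system configuration")
        if not any(line.startswith("config-url") for line in body):
            findings.append(f"context {name}: no config-url")
        joined = [line.split()[1] for line in body if line.startswith("join-failover-group")]
        if not joined:
            findings.append(f"context {name}: no join-failover-group (contexts default to failover group 1)")
        for group in joined:
            if group not in groups:
                findings.append(f"context {name}: failover group {group} is not defined")
    return findings


if __name__ == "__main__":
    for finding in check_system_config(SYSTEM_CFG):
        print("FINDING:", finding)
```

The same walk can be pointed at the real show running-config output of the system execution space; because the check is purely about names resolving, it catches the interface-name typo before the context ever comes up without its interface.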
2. NAT of ASA
Let's start with a characteristic of ASA. Because of security-level, traffic entering from a high-level interface towards a low-level one is permitted by default, while traffic entering from a low-level interface towards a high-level one is blocked by default. But once an ACL is applied to an interface, the security-level effectively no longer decides anything. In practice, in a production environment, security-level is of little use. Reference documentation:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html
Back to NAT: because NAT has so many commands, in projects I usually configure it through ASDM.
Keep this document and read it later.
https://www.practicalnetworking.net/stand-alone/cisco-asa-nat/
3. FTD interface and routing
If it is too much trouble, simply use OSPF to connect all 5 CSRs and the FTD directly. Here is a screenshot. After all, the OSPF configuration of FTD can be understood in 5 minutes.
You can go to the FTD console to view the interface status and the OSPF neighbors.
Because FTD is built on the ASA code underneath, some familiar ASA commands are still available.
The next article will cover DM××, using certificate authentication.
© 2024 shulou.com SLNews company. All rights reserved.