Cisco ASA Basics

2025-02-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Software firewalls and hardware firewalls

1) Software firewall

The system firewall, the TMG firewall and the iptables firewall: slow data processing and poor stability.

2) Hardware firewall

ASA, Sangfor and Huawei firewalls all belong to the hardware firewall category: strong stability and fast data processing.

ASA 5500 series security appliances

ASA 5505: for small businesses

ASA 5510: for medium enterprises

ASA 5520: for medium enterprises, modular

ASA 5540: for large and medium enterprises

ASA 5550: for large enterprises and service providers

ASA 5580: for large enterprises, data centers and operators

Classification by firewall feature

1) Application firewall

Works as a proxy.

2) Network firewall

Identifies the packets transmitted over the network.

3) Stateful firewall

Hardware firewalls belong to the stateful firewall category; they automatically identify the transmitted data packets.

Principle of the stateful firewall

1) Information contained in the conn table of the stateful firewall

Source IP or network

Destination IP or network

Protocol and port number

2) Characteristics of ICMP

ICMP is not a stateful protocol.

By default it cannot communicate through the firewall.

3) Characteristics of the conn table

Protocols supported by the conn table can be forwarded.

Protocols not supported by the conn table cannot be forwarded by the firewall.

Principle of the ASA security algorithm

1) Query the ACL

Check whether the access control list allows the packet.

2) Query the conn table

Check whether the conn table allows the packet.

3) Operation engine

The engine does not require administrator configuration.

The engine can recognize the transmitted packets.

Operations cannot be executed on packets that the engine does not recognize.

Simple ASA configuration

1. Configure the hostname

ciscoasa# config t

ciscoasa(config)# hostname ASA

ASA(config)#

2. Configure passwords

1) Configure the privileged (enable) password

ASA(config)# enable password pwd@123

2) Configure the remote login password

ASA(config)# password pwd@123

Interface concept and configuration

1) Physical interface

Negotiates the working mode (duplex) and the communication rate (speed).

2) Logical interface

Configured by command.

3) Common logical interfaces

inside: the internal interface; its priority (security level) is 100 by default.

outside: the external interface; its priority (security level) is 0 by default.

dmz: the demilitarized zone, which holds the servers that provide services. Its security level lies between inside and outside: lower than inside and higher than outside.

4) Rules followed by different priorities

Low cannot access high: a lower security level cannot access a higher security level.

High can access low: a higher security level can access a lower security level.

Interfaces with the same security level cannot access each other.

For a low security level to access a high one, an access control list must be configured.

Simple interface configuration

ASA(config)# interface e0/0, enter the physical interface

ASA(config-if)# nameif inside, configure the logical name inside

ASA(config-if)# security-level 100, set the interface priority to 100

ASA(config-if)# ip address 192.168.10.254 255.255.255.0

ASA(config-if)# no shut

ASA# show interface ip brief, view interface information

ASA# show conn detail, view the conn table

Configure static and default routes

ASA(config)# route inside 192.168.10.0 255.255.255.0 192.168.20.1, configure a static route

ASA(config)# route outside 0.0.0.0 0.0.0.0 192.168.30.1, configure the default route; there can be only one default route

ASA# show route, view the routing table

ASA(config)# fixup protocol icmp, add stateful connection tracking for ICMP

Configure an ACL (access control list)

ASA(config)# access-list out-to-in permit tcp 192.168.40.0 255.255.255.0 host 192.168.20.1 eq 23, allow the hosts to access telnet

ASA(config)# interface e0/1, enter the interface

ASA(config)# access-group out-to-in in interface outside, apply the ACL inbound on the outside interface
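As an added illustration (not code from the article), the following Python model applies the rules from the security-algorithm, security-level and ACL sections above to a few constructed packets: a new connection from a higher to a lower security level is forwarded and recorded in the conn table, its reply is matched against the conn table, a low-to-high packet needs a permitting ACL entry, and a ping works end to end only once ICMP is tracked (the fixup protocol icmp step). The Packet and Asa names, the sample addresses and the reduction of an ACL entry to (protocol, destination, port) are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str     # constructed sample addresses, not real hosts
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port, 0 for icmp
    in_if: str   # nameif the packet arrives on
    out_if: str  # nameif it would be routed out of

class Asa:
    def __init__(self, levels, acls, icmp_stateful=False):
        self.levels = levels                # nameif -> security-level
        self.acls = acls                    # nameif -> [(proto, dst, dport)] applied 'in'
        self.icmp_stateful = icmp_stateful  # True once 'fixup protocol icmp' is set
        self.conn = set()                   # conn table: (src, dst, proto, dport)

    def _acl_permits(self, pkt):
        return any((p, d, port) == (pkt.proto, pkt.dst, pkt.dport)
                   for p, d, port in self.acls.get(pkt.in_if, []))

    def forward(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        # Return traffic of a tracked connection passes without an ACL lookup
        # (the reply's port is ignored to keep the model short).
        if any((d, s, p) == (pkt.src, pkt.dst, pkt.proto) for s, d, p, _ in self.conn):
            return True
        in_lvl, out_lvl = self.levels[pkt.in_if], self.levels[pkt.out_if]
        if in_lvl == out_lvl:                                  # same level: denied
            return False
        if in_lvl < out_lvl and not self._acl_permits(pkt):    # low -> high needs an ACL
            return False
        # high -> low is allowed by default. Only protocols the conn table tracks
        # get an entry; ICMP is stateless unless ICMP inspection is enabled.
        if pkt.proto != "icmp" or self.icmp_stateful:
            self.conn.add((pkt.src, pkt.dst, pkt.proto, pkt.dport))
        return True

def demo(icmp_stateful=False):
    # Article scenario: inside 100 / dmz 50 / outside 0, telnet ACL inbound on outside
    asa = Asa({"inside": 100, "dmz": 50, "outside": 0},
              {"outside": [("tcp", "192.168.20.1", 23)]}, icmp_stateful)
    r = {}
    r["inside_to_outside"] = asa.forward(Packet("192.168.10.1", "192.168.30.5", "tcp", 80, "inside", "outside"))
    r["tcp_reply"] = asa.forward(Packet("192.168.30.5", "192.168.10.1", "tcp", 80, "outside", "inside"))
    r["outside_telnet"] = asa.forward(Packet("192.168.40.9", "192.168.20.1", "tcp", 23, "outside", "inside"))
    r["outside_http"] = asa.forward(Packet("192.168.40.9", "192.168.20.1", "tcp", 80, "outside", "inside"))
    asa.forward(Packet("192.168.10.1", "192.168.30.5", "icmp", 0, "inside", "outside"))  # ping goes out
    r["ping_reply"] = asa.forward(Packet("192.168.30.5", "192.168.10.1", "icmp", 0, "outside", "inside"))
    return r
```

Calling demo() shows the echo reply dropped; demo(icmp_stateful=True) models the state after fixup protocol icmp, where the same reply is matched in the conn table.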

Advanced ASA remote management

1) telnet

For internal management use; not encrypted; supported directly by Cisco devices; poor security.

2) ssh

Strong security, suitable for management over a wide area network; transmitted data is encrypted; AAA authentication must be configured.

3) ASDM

The graphical configuration tool provided by Cisco; it uses the HTTPS protocol for encryption.

Simple configuration: telnet remote management

1) Allow the 192.168.10.0 network to manage the device remotely through the inside interface

ASA(config)# telnet 192.168.10.0 255.255.255.0 inside

2) Allow any network to access through the inside interface

ASA(config)# telnet 0 0 inside

3) Set the telnet idle timeout to 5 minutes

ASA(config)# telnet timeout 5

Simple configuration: SSH remote management

1) Create a domain name

ASA(config)# domain-name benet.com

2) Generate an RSA key with a length of 1024 bits

ASA(config)# crypto key generate rsa modulus 1024

3) Allow 192.168.20.0 to manage the device remotely over ssh through the outside interface

ASA(config)# ssh 192.168.20.0 255.255.255.0 outside

4) Set the ssh version

ASA(config)# ssh version 2

5) Create an ssh account and password

ASA(config)# username cisco password pwd@123 privilege 15

6) Enable AAA authentication

ASA(config)# aaa authentication ssh console LOCAL

7) Configure the ssh idle timeout

ASA(config)# ssh timeout 10

Configure ASDM graphical tool management

1) Enable the HTTP server

ASA(config)# http server enable

2) Specify the location of the ASDM image

ASA(config)# asdm image disk0:/asdm-649.bin

3) Allow the public network to manage the device through ASDM

ASA(config)# http 192.168.20.0 255.255.255.0 outside

4) Create an ASDM account and password

ASA(config)# username cisco password pwd@123 privilege 15
