2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
ASA is a stateful firewall that maintains a connection table (conn table) of user sessions. Each entry records the source IP address, destination IP address, IP protocol (such as TCP or UDP) and protocol details such as TCP/UDP port numbers, TCP sequence numbers and TCP control bits.
I. Working principle
The ASA security algorithm performs three basic operations:
1. Access control list: controls network access based on specific networks, hosts and services; it has two functions, allowing inbound connections and controlling outbound traffic.
2. Connection table: maintains state information for each connection, forwards traffic belonging to established connections efficiently, and discards inbound traffic that has no entry in the conn table.
3. Inspection engine: performs stateful inspection and application-layer inspection.
How it works: (the original figure is not included here)
II. Security level of ASA interfaces
1. Each interface has a security level from 0 to 100; the higher the number, the higher the security level. Inside defaults to 100 and outside defaults to 0.
Direct access between interfaces with different security levels follows three default rules:
Allow outbound: traffic from a higher security level interface to a lower security level interface is permitted.
Deny inbound: traffic from a lower security level interface to a higher security level interface is prohibited.
Direct communication between interfaces with the same security level is prohibited.
2. The concept of the DMZ zone
A DMZ, commonly known as a demilitarized zone, is a network area between an enterprise's internal network and the external network. Servers that must be publicly reachable, such as the company's web server or forum, are placed there.
The security level of the DMZ sits between inside and outside, and there are six default access rules, so the security level must be configured when setting up the DMZ:
Inside can access outside
Inside can access DMZ
DMZ can access outside
DMZ cannot access inside
Outside can access DMZ
Outside cannot access inside
III. Basic configuration of ASA
The hostname and privileged (enable) password are configured the same way as on a Cisco router.
Configure the Telnet password: asa(config)# passwd mima
Configure the interface name: asa(config-if)# nameif name
Description: name is the interface name, such as inside, outside or dmz.
Configure the interface security level: asa(config-if)# security-level number
Description: number is the security level, in the range 0 to 100.
As shown in the figure (not included here): methods for configuring interface names, security levels, IP addresses, static routes and ACLs.
IV. Remote management of ASA
1. Telnet allows remote management of the ASA from the internal network, but it cannot be used for management from the external network.
Configuration command: asa(config)# telnet {network | ip-address} mask interface-name
Example 1: asa(config)# telnet 192.168.1.0 255.255.255.0 inside
Indicates that clients on the 192.168.1.0 network segment may manage the ASA by Telnet.
Example 2: asa(config)# telnet 192.168.1.1 255.255.255.255 inside
Indicates that only the host 192.168.1.1 may manage the ASA.
2. SSH provides secure remote management of the ASA and can also be used over the external network; a client such as SecureCRT is used to connect.
Configuration commands:
asa(config)# hostname asa    configures the hostname asa
asa(config)# domain-name asadomain.com    configures the domain name asadomain.com
asa(config)# crypto key generate rsa modulus 1024    generates an RSA key pair; the default is 1024 bits
asa(config)# ssh {network | ip-address} mask interface-name    configures the sources allowed to connect by SSH
asa(config)# ssh 0 0 outside    allows SSH access from any address on the outside interface
asa(config)# ssh timeout 30    configures the idle timeout; the session is closed after 30 idle minutes (optional)
asa(config)# ssh version version-number    configures the SSH version; by default both version 1 and version 2 are supported
Experiment
Steps of the experiment:
1. Configure the IP address and static route of each device. Router configuration is not explained here; only the ASA configuration is discussed.
2. Configure the ASA access rules.
3. Verification.
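The following is an added example, not the article's own lab configuration, that puts the commands from sections III and IV together into one minimal ASA configuration. The interface names (Ethernet0/0-0/2), the addresses (192.168.1.0/24 inside, 172.16.1.0/24 dmz, 203.0.113.0/24 outside), the next hop 203.0.113.2 and the enable password are assumed lab values.

```text
! Added example (not from the original article): minimal ASA configuration in
! the pre-8.3 command style the article uses. Interface names, addresses,
! next hop and the enable password are assumed lab values.
hostname asa
domain-name asadomain.com
enable password En4blePass          ! privileged-mode password (assumed value)
passwd mima                         ! Telnet/login password, as in the article
!
interface Ethernet0/0
 nameif outside
 security-level 0                   ! lowest trust
 ip address 203.0.113.1 255.255.255.0
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100                 ! highest trust
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface Ethernet0/2
 nameif dmz
 security-level 50                  ! between inside and outside
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
! default route toward the ISP next hop
route outside 0.0.0.0 0.0.0.0 203.0.113.2
!
! Telnet: only from the inside segment (not usable from outside)
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
!
! SSH: key pair, permitted sources, idle timeout, version 2 only
crypto key generate rsa modulus 1024
ssh 192.168.1.0 255.255.255.0 inside
ssh 0 0 outside                     ! 0 0 = any source; restrict to a management host where possible
ssh timeout 30
ssh version 2
```

With only these lines, inside hosts can reach dmz and outside, dmz hosts can reach outside, and nothing initiated from outside or dmz toward a higher security level is forwarded, which is what the verification step should show.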
V. Application of NAT on ASA
There are four types of NAT on the ASA: dynamic NAT, dynamic PAT, static NAT and static PAT.
1. Dynamic NAT configuration syntax
asa(config)# nat (interface-name) nat-id local-ip mask
asa(config)# global (interface-name) nat-id global-ip-global-ip
interface-name: the interface on which the translation is applied, such as inside or dmz.
nat-id: the identifier of this translation; the nat and global statements of the same translation must use the same nat-id.
local-ip: the network segment of inside local addresses to be translated.
mask: the mask of the inside local addresses.
global-ip-global-ip: the range (first-last) of the inside global address pool.
Configuration lab:
Experimental steps: routing and IP addressing are not demonstrated here; the following shows how to configure dynamic NAT (the original figure is not included).
2. Dynamic PAT configuration syntax
asa(config)# nat (interface-name) nat-id local-ip mask
asa(config)# global (interface-name) nat-id interface
The only difference from dynamic NAT is that no inside global address pool is given: many inside local addresses are translated to a single inside global address, so the translation can be applied directly to the interface address.
Configuration lab:
Experimental steps: routing and IP addressing are not demonstrated here; the following shows how to configure dynamic PAT (the original figure is not included).
3. Static NAT configuration syntax
asa(config)# static (local-name,global-name) global-ip local-ip
Corresponding ACL access rules must also be created.
Configuration lab:
Experimental steps: routing and IP addressing are not demonstrated here; the following shows how to configure static NAT (the original figure is not included).
4. Static PAT configuration syntax
asa(config)# static (local-name,global-name) {tcp | udp} global-ip global-port local-ip local-port
tcp | udp: whether the TCP or the UDP protocol is translated.
global-port and local-port: the port number of the chosen protocol on the inside global address and on the inside local address respectively; the two should be the same.
Corresponding ACL access rules must also be created.
Experimental steps: routing and IP addressing are not demonstrated here; the following shows how to configure static PAT (the original figure is not included).
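An added configuration example, not the article's own lab, showing all four NAT forms from section V in the article's nat/global/static syntax, together with the ACL the article says static NAT and static PAT require. The addresses (192.168.1.0/24 inside, 172.16.1.0/24 dmz, 203.0.113.0/24 outside), the DMZ server 172.16.1.10, the nat-ids and the ACL name out_to_dmz are assumed lab values.

```text
! Added example (not from the original article): the four NAT forms in the
! pre-8.3 syntax. Addresses, interface names, nat-ids and the ACL name are
! assumed lab values.
!
! 1. Dynamic NAT: inside hosts take addresses from the pool .20-.30 on outside.
!    nat-id 1 ties the nat and global statements together.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.0.113.20-203.0.113.30 netmask 255.255.255.0
!
! 2. Dynamic PAT: dmz hosts share the outside interface address (nat-id 2).
nat (dmz) 2 172.16.1.0 255.255.255.0
global (outside) 2 interface
!
! 3. Static NAT: one-to-one mapping for the DMZ web server 172.16.1.10.
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
!
! 4. Static PAT: expose only TCP/80 of the same server on a second public
!    address; the global and local ports match, as the article recommends.
static (dmz,outside) tcp 203.0.113.11 80 172.16.1.10 80 netmask 255.255.255.255
!
! As the article notes, static NAT/PAT also need ACL rules for the
! outside-initiated traffic; apply them inbound on the outside interface and
! permit only the published service, not the whole server.
access-list out_to_dmz extended permit tcp any host 203.0.113.10 eq www
access-list out_to_dmz extended permit tcp any host 203.0.113.11 eq www
access-group out_to_dmz in interface outside
!
! Verification: translation slots and the stateful connection table
show xlate
show conn
```

Traffic from outside to 203.0.113.10 or .11 on TCP/80 is translated to 172.16.1.10 and permitted by the ACL; any other outside-initiated traffic still has no conn entry and is dropped.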