ASA system Management and Log _ 02

2025-02-23 Update From: SLTechnology News&Howtos (shulou), Network Security

Shulou(Shulou.com)06/01 Report--

Domain name and DNS

ASA1(config)# hostname ASA1
ASA1(config)# domain-name java.local
ASA1(config)# show running-config dns
dns domain-lookup DMZ                    // DNS resolution all goes out the DMZ interface
dns server-group DefaultDNS
 name-server 192.168.15.200              // these two entries can also be typed directly in global config, prefixed with dns
 domain-name java.local

Time

ASA1(config)# clock timezone GMT +8      // set the time zone; +8 means UTC+8 (East 8)
ASA1(config)# clock set 10:26:00 Jun 10 2016    // set the time
ASA1(config)# show clock
10:26:27 GMT Fri Jun 10 2016

NTP synchronization (client)

ASA1(config)# show running-config ntp
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 192.168.12.100 key 1 source DMZ

ASA file system

ASA1(config)# dir /all                   // on the virtual machine only the following files are visible
disk0:/asa842-k8.bin                     // system image, selected with boot system (optional)
disk0:/asdm-731.bin                      // ASDM image
disk0:/boot.cfg                          // startup configuration file; running-config and startup-config themselves are not listed
ASA1(config)# boot system disk0:/asa842-k8.bin
ASA1(config)# asdm image disk0:/asdm-731.bin
ASA1(config)# copy running-config disk0:/boot.cfg    // save the running config to the specified file
ASA1(config)# boot config disk0:/boot.cfg            // specify the configuration file loaded at startup

Log system

Logs can be sent to: console, ASDM, monitor (Telnet/SSH session), buffer, syslog server, SNMP trap, email, NetFlow.

The format and message level of the log:

Logging is disabled by default.

logging enable
logging console 7                  // send level 7 (debugging, i.e. all messages) to the console port; prefix with no to cancel
logging buffered 7                 // store messages in the internal buffer
logging asdm informational         // send level 6 (informational) logs to ASDM
ASA1(config)# show running-config logging
logging enable
logging trap debugging             // level sent to syslog servers (the level can be replaced by a custom list)
logging list locketest level informational class ospf   // define a list: ospf-class messages at informational and above
logging trap locketest             // send only the list locketest to syslog servers
logging message 503001 level alerts   // change message 503001 from its default level to level 1 (alerts)
no logging message 503001          // disable message 503001 entirely
logging host DMZ 192.168.12.1      // specify the interface and the syslog server IP address
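To make the interaction of the trap level, a per-message level override and no logging message concrete, here is an added Python model (not from the article or from Cisco) that applies those three rules to messages in the ASA header format. The severity keyword list is the ASA's; the sample messages are constructed.

```python
import re
from typing import Dict, Optional, Set

# Cisco ASA severity numbers and keyword names: 0 = emergencies ... 7 = debugging.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# ASA syslog header: %ASA-<severity>-<six-digit message id>: <text>
MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")


class SyslogPolicy:
    """Decides whether a message reaches a destination configured with 'logging trap <level>'
    after 'logging message <id> level <lvl>' and 'no logging message <id>' have been applied."""

    def __init__(self, trap_level: str) -> None:
        self.trap_level = SEVERITIES.index(trap_level)
        self.overrides: Dict[str, int] = {}   # logging message <id> level <lvl>
        self.disabled: Set[str] = set()       # no logging message <id>

    def set_message_level(self, msg_id: str, level: str) -> None:
        self.overrides[msg_id] = SEVERITIES.index(level)

    def disable_message(self, msg_id: str) -> None:
        self.disabled.add(msg_id)

    def effective_severity(self, raw: str) -> Optional[int]:
        """Severity after overrides; None for non-ASA lines and disabled message ids."""
        m = MSG_RE.match(raw)
        if not m or m.group(2) in self.disabled:
            return None
        return self.overrides.get(m.group(2), int(m.group(1)))

    def forwards(self, raw: str) -> bool:
        """A destination at level N receives severities 0..N (lower number = more severe)."""
        sev = self.effective_severity(raw)
        return sev is not None and sev <= self.trap_level


# Constructed sample messages in the ASA header format (not captured from a device).
SAMPLE = [
    "%ASA-6-302013: Built outbound TCP connection 33 for DMZ:192.168.12.139/514",
    "%ASA-7-710005: UDP request discarded from 192.168.12.139/514 to DMZ:192.168.12.1/514",
    "%ASA-5-503001: Process 1, Nbr 192.168.12.100 on DMZ from FULL to DOWN",
]

if __name__ == "__main__":
    policy = SyslogPolicy("informational")        # logging trap informational
    policy.set_message_level("503001", "alerts")   # logging message 503001 level alerts
    for line in SAMPLE:
        print(policy.forwards(line), line)
```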

Debugging tool Packet Tracer

Packet Tracer simulates a packet traversing the ASA data path and shows every processing phase the ASA applies to that packet.

ASA1(config)# packet-tracer input dmz icmp 192.168.12.100 8 0 192.168.12.139

Phase: 1                          // route lookup
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.12.139   255.255.255.255   identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4                          // check the IP options field; by default the firewall does not allow IP packets carrying options
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 33, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
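Reading a trace by eye works once; for regression checks after a policy change it helps to parse it. Here is an added Python parser (not from the article) that turns packet-tracer output into its phases and the final verdict. The sample output is constructed in the ASA's format and shows the case the article's trace does not: a packet dropped by the access-list phase's implicit deny.

```python
# Constructed packet-tracer output in the ASA's format (not captured from a device): the packet
# passes the route lookup and is then dropped by the access-list phase's implicit deny.
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.12.139   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text: str) -> dict:
    """Split packet-tracer output into its phases (Type/Subtype/Result plus the detail lines
    under Config: and Additional Information:), the final Action/Drop-reason, and the number
    of the first phase that returned DROP (blocking_phase), i.e. where the ASA stopped the packet."""
    trace = {"phases": [], "action": None, "drop_reason": None}
    cur = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "detail": []}
            trace["phases"].append(cur)
        elif line == "Result:":                 # a bare "Result:" opens the final summary block
            cur = None
        elif line.startswith("Action:"):
            trace["action"] = line.split(":", 1)[1].strip()
        elif line.startswith("Drop-reason:"):
            trace["drop_reason"] = line.split(":", 1)[1].strip()
        elif cur is None or not line or line in ("Config:", "Additional Information:"):
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
        else:
            cur["detail"].append(line)          # e.g. "Implicit Rule" or the matched ACE
    trace["blocking_phase"] = next((p["phase"] for p in trace["phases"] if p.get("result") == "DROP"), None)
    return trace
```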

Packet capture

ASA1(config)# capture test interface dmz
ASA1(config)# no capture test interface dmz   // stop capturing on the interface
ASA1(config)# no capture test                 // delete the capture
ASA1(config)# show capture test
23 packets captured
   1: 13:34:41.259263 192.168.12.139.514 > 192.168.12.1.514:  udp 88
   2: 13:34:41.259340 192.168.12.139.514 > 192.168.12.1.514:  udp 107
  ...
  23: 13:35:17.952999 192.168.12.139.514 > 192.168.12.1.514:  udp 94
23 packets shown

Configuring a dedicated management interface

Under the interface:

ASA1(config-if)# security-level 100   // the highest security level is recommended
ASA1(config-if)# management-only      // the interface is used for network management only

Telnet network management

Enable Telnet management:

ASA1(config)# telnet 192.168.17.100 255.255.255.255 inside   // allow Telnet from the specified IP
ASA1(config)# telnet 0 0 DMZ                                  // allow all Telnet connections from the DMZ interface
Note: Telnet is not allowed on the interface with the lowest security level.
ASA1(config)# passwd cisco                                    // Telnet login password
ASA1(config)# enable password 502                             // the enable password must be set
ASA1(config)# username admin password cisco privilege 15      // local user authentication can also be used
ASA1(config)# aaa authentication telnet console LOCAL         // apply the local user database to Telnet login

SSH network management

ASA1(config)# show running-config dns      // the domain name must be configured first
dns domain-lookup DMZ
dns server-group DefaultDNS
 name-server 192.168.12.100
 domain-name java.local
ASA1(config)# crypto key generate rsa modulus 1024          // generate the RSA key pair that protects the SSH session
ASA1(config)# ssh 192.168.17.100 255.255.255.255 inside    // allow SSH access from the specified host
ASA1(config)# aaa authentication ssh console LOCAL          // local AAA authentication for SSH
ASA1(config)# ssh 0 0 DMZ
Note: Telnet cannot be used for remote access; SSH must be used.

Create a local management account

ASA1(config)# username admin attributes       // set the attributes of the account named admin
ASA1(config-username)# service-type ?         // set the service type (if not set, any type is allowed)
username mode commands/options:
  admin          User is allowed access to the configuration prompt.   // may enter config mode
  nas-prompt     User is allowed access to the exec prompt.            // cannot enter config mode
  remote-access  User is allowed network access with low permissions.  // remote access only
aaa authentication enable console LOCAL       // these two commands make service-type take effect
aaa authorization exec LOCAL
R3# ssh -l admin 192.168.12.100               // log in

HTTPS network management

ASA1(config)# http server enable
ASA1(config)# http 192.168.12.0 255.255.255.0 DMZ
ASA1(config)# aaa authentication http console LOCAL
ASA1(config)# username cisco password cisco privilege 15   // privilege must be level 15; only then can ASDM be used
ASDM requires a server certificate (by default the ASA self-signed certificate, which usually makes the browser report an error).
Client authentication options: any password; one-time password; certificate authentication plus one-time password; AAA.
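The Telnet, SSH and HTTPS sections each open the management plane to a source range on an interface, so the resulting running-config is worth auditing. Here is an added Python audit (not from the article) that reads those lines and flags any-source permissions, cleartext Telnet, access on the lowest-security interface and services without an aaa authentication line. The config excerpt is constructed from the article's commands; the interface names and security levels are assumed.

```python
import re

# Constructed running-config excerpt built from this article's commands (interface names and
# security levels are assumed; nothing here is taken from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
telnet 192.168.17.100 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 DMZ
ssh 192.168.17.100 255.255.255.255 inside
http 192.168.12.0 255.255.255.0 DMZ
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
"""

ACCESS_RE = re.compile(r"^(telnet|ssh|http) (\S+) (\S+) (\S+)$")   # <service> <ip> <mask> <interface>
AUTH_RE = re.compile(r"^aaa authentication (telnet|ssh|http) console")
ANY = {"0", "0.0.0.0"}


def audit_management_access(config: str) -> list[str]:
    """Return one finding per risky management-access line in an ASA running-config."""
    findings, levels, nameif = [], {}, None
    enabled, authenticated = set(), set()
    for s in map(str.strip, config.splitlines()):
        if s.startswith("interface "):
            nameif = None
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("security-level ") and nameif:
            levels[nameif] = int(s.split()[1])
        elif (m := AUTH_RE.match(s)):
            authenticated.add(m.group(1))
        elif (m := ACCESS_RE.match(s)):
            svc, ip, mask, iface = m.groups()
            enabled.add(svc)
            if ip in ANY or mask in ANY:
                findings.append(f"{svc}: any source permitted on {iface}; restrict to management hosts")
            if svc == "telnet":
                findings.append(f"telnet: cleartext management on {iface}; prefer ssh")
            if iface in levels and levels[iface] == min(levels.values()):
                findings.append(f"{svc}: permitted on lowest-security interface {iface}")
    for svc in sorted(enabled - authenticated):   # service relies on the shared passwd only
        findings.append(f"{svc}: no 'aaa authentication {svc} console' line configured")
    return findings
```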

SNMP

The ASA supports SNMP v1, v2c and v3; only SNMPv3 provides authentication and encryption. Authentication uses MD5 or SHA, encryption uses DES or RSA.

ASA1(config)# snmp-server group group001 v3 priv          // create a v3 group with authentication and privacy
ASA1(config)# snmp-server user admin group001 v3 auth md5 cisco priv des Cisco
    // account admin belongs to group group001, version v3, MD5 authentication password cisco, DES encryption password Cisco
ASA1(config)# snmp-server host dmz 192.168.12.1 version 3 admin   // for v1/v2c, replace "version 3 admin" with "community <string>"
ASA1(config)# snmp-server location beijing    // descriptive information (optional)
ASA1(config)# snmp-server contact xiaoming
ASA1(config)# snmp-server enable traps snmp ?  // allow SNMP traps for some events
configure mode commands/options:
  authentication  Enable authentication trap
  coldstart       Enable coldStart trap
  linkdown        Enable linkDown trap
  linkup          Enable linkUp trap
  warmstart       Enable warmstart trap

Authentication management access

ASA1(config)# aaa-server aaaname protocol ?     // define the server group name and the protocol to use
configure mode commands/options:
  http-form  Protocol HTTP form-based
  kerberos   Protocol Kerberos
  ldap       Protocol LDAP
  radius     Protocol RADIUS
  sdi        Protocol SDI
  tacacs+    Protocol TACACS+
ASA1(config)# aaa-server aaaname (DMZ) host 192.168.12.100 cisco   // define the server location and the shared key cisco
ASA1(config)# aaa authentication ssh console aaaname LOCAL        // use the AAA server for SSH, falling back to LOCAL
Note: if aaa authorization exec LOCAL is used for local authorization, create a local account with the same username and password as the one on the authentication server:
ASA1(config)# username test1 password cisco privilege 15

Self-signed certificate
