2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The principles and basic configuration of an enterprise firewall (Cisco ASA)
Multiple security zones
The concept and function of the DMZ
The DMZ (demilitarized zone), also called the "buffer zone", is a network area that sits between an enterprise's internal and external networks.
Its security level lies between inside and outside.
Default access rule: a higher security level may access a lower security level; a lower security level may not access a higher one.
Tip: how an application is represented
At the packet level, any application is represented by a socket (transport-layer protocol + port number).
When an application is described by only one port, that port is the destination port and the source port is a random port.
If an application is described by two ports, take care to distinguish the source port from the destination port (example: DHCP uses UDP 67 and 68; the server listens on 67, the client on 68).
UPS: uninterruptible power supply (part of the low-voltage work in a machine room).
Summary:
Flow control between security levels versus traffic permitted by an ACL: the ACL takes priority (and traffic that has already formed a conn entry is no longer checked against the ACL).
The lookup order between the various tables on the ASA:
Whether traffic goes from a high level to a low level or from a low level to a high level, when it arrives at an interface and the ACL on that interface permits it:
i. The routing table is looked up to find the egress interface, a conn entry is formed, and the packet is sent out.
ii. Once traffic has been processed by the ASA and has a conn entry, it is no longer processed by the ACL table.
Tip: by default on the ASA, interfaces with the same security level cannot communicate. To allow it, use the following command: same-security-traffic permit inter-interface
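The lookup order described above (conn table first, then the interface ACL, then the security-level default, including the same-security-traffic switch) as an added simulation that is not part of the original article. It handles initial packets only; the security levels, interface names, addresses and ACL entries are constructed sample values.

```python
# Added example: simulation of the ASA forwarding decision order.
# Interface names, levels, addresses and ACL entries are constructed samples.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src_if: str   # interface the packet arrives on
    dst_if: str   # egress interface (result of the routing lookup, assumed here)
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class ASA:
    levels: dict                                 # interface -> security level 0..100
    acls: dict = field(default_factory=dict)     # interface -> [(action, dst, proto, dport)]
    same_security: bool = False                  # same-security-traffic permit inter-interface
    conn: set = field(default_factory=set)       # established conn entries

    def _acl_lookup(self, f):
        """Verdict from the ACL bound to the inbound interface; None if no ACL is bound."""
        entries = self.acls.get(f.src_if)
        if entries is None:
            return None
        for action, dst, proto, dport in entries:
            if dst in (f.dst, "any") and proto == f.proto and dport in (f.dport, "any"):
                return action
        return "deny"                            # every ACL ends with an implicit deny

    def forward(self, f):
        # 1. An existing conn entry wins: the ACL is not consulted again.
        if f in self.conn:
            return "conn-hit"
        # 2. A bound ACL takes priority over the security-level default.
        verdict = self._acl_lookup(f)
        if verdict is None:
            src, dst = self.levels[f.src_if], self.levels[f.dst_if]
            if src > dst:
                verdict = "permit"               # high -> low is allowed by default
            elif src == dst and self.same_security:
                verdict = "permit"               # only with the inter-interface command
            else:
                verdict = "deny"                 # low -> high (or equal) is denied by default
        if verdict == "permit":
            self.conn.add(f)                     # route found, conn entry formed, packet sent
            return "permit"
        return "deny"
```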
NAT on the ASA
NAT types:
Dynamic NAT
Dynamic PAT
Static NAT
Static PAT
Generally the public address is assigned automatically, so the interface address is used for address translation.
ASA remote management configuration:
First configure the ASA login password and the enable password:
enable password xxx    (sets the enable password)
password xxx    (sets the login password)
Client connection: ssh -l {username} {IP address}
Log management (the basis for maintaining equipment at work)
Severity levels of log messages
Configuring logging:
Log messages can be output to: the log buffer (not recommended, it is cleared on power loss); ASDM; a log server (preferred).
The debugging level should not be used casually; it can damage the equipment.
Viewing logs in ASDM
The logging function of the ASA is turned off by default.
Tip: time is very important. It is best to configure an NTP (Network Time Protocol) server.
show clock    (view the time)
clock set ?    (set the time)
On a core device acting as the server: ntp master
On the other clients: ntp server {IP address of the server}
Log analysis software is also available.
Assignment:
Lab requirements: R1 can telnet to the ASA firewall
R2 can SSH to the ASA firewall
Web (ASDM) access from the public network
Basic configuration
Interface IP addresses and the default route.
ASA configuration:
1. Telnet configuration:
enable password xxx    (enable password)
username telnet password tel123    (local username and password)
aaa authentication telnet console LOCAL    (select the protocol; LOCAL in uppercase)
telnet 192.168.10.0 255.255.255.0 inside    (enables telnet remote access from this network on the inside interface)
2. SSH configuration:
hostname asa123
domain-name xxxxx.com
crypto key generate rsa modulus 1024    (generates the RSA key; the modulus is the key size in bits, 1024 is the default)
ssh 0 0 outside
username ssh password ssh223    (local username and password)
aaa authentication ssh console LOCAL    (select the protocol; LOCAL in uppercase)
3. Web (ASDM) configuration
Cloud connection: add a hub or switch between the firewall and the host
Copy the ASDM file to the ASA firewall's disk0:
http server enable    (enables the HTTPS service)
http 0 0 outside
asdm image disk0:/asdm-649.bin    (specifies the ASDM software that the client downloads)
username cisco password cisco privilege 15    (highest privilege level; the default is 1)
In the browser enter https://{ASA IP address} and download the client
Installing ASDM requires Java (the matching jre-6u45-windows-x64.exe)