2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report
For firewall products, one of the most important functions is logging events. This blog introduces how to manage and analyze ASA logs, the principle and configuration of ASA transparent mode, and how to implement URL filtering using the IOS feature of the ASA firewall.
1. URL filtering
Using the IOS feature of the ASA firewall, URL filtering can control which website domain names may be visited, which serves a number of management purposes.
Implementing URL filtering is generally divided into the following three steps:
(1) create a class-map (class map) to identify transport traffic.
(2) create a policy-map (policy map) and associate the class-map.
(3) apply policy-map to the interface.
Example: as shown in the following figure, hosts in the network segment 192.168.1.0/24 are forbidden to access www.4399.com but are allowed to access other websites, such as www.163.com.
The configuration steps are as follows:
(1) configure the interface IP to realize the interconnection of the whole network (omitted)
(2) create a class-map (class map) to identify transport traffic.
asa(config)# access-list aaa permit tcp 192.168.1.0 255.255.255.0 any eq www   // create the ACL that selects HTTP traffic from 192.168.1.0/24
asa(config)# class-map aaa1   // create the class-map
asa(config-cmap)# match access-list aaa   // the traffic matched by the class-map is the traffic permitted by ACL aaa
asa(config-cmap)# exit
asa(config)# regex urla "\.4399\.com"   // define a regular expression named urla; it matches URLs whose name contains ".4399.com"
asa(config)# class-map type regex match-any urla1   // create a class-map of type regex; match-any means any regex in the class may match
asa(config-cmap)# match regex urla   // add the regex that defines the URL
asa(config-cmap)# exit
asa(config)# class-map type inspect http urla2   // create a class-map of type inspect http (inspects HTTP traffic)
asa(config-cmap)# match request header host regex class urla1   // match HTTP requests whose Host header matches "4399.com" (these are the ones the policy-map below drops); regex class urla1 calls the class-map named urla1
(3) create a policy-map (policy map) and associate the class-map.
asa(config)# policy-map type inspect http policy1   // create a policy-map of type inspect http (inspects HTTP traffic)
asa(config-pmap)# class urla2   // call the class-map created above
asa(config-pmap-c)# drop-connection log   // drop the packet, close the connection, and send a syslog message
asa(config)# policy-map policy2   // create the policy-map that will be applied to the interface
asa(config-pmap)# class aaa1   // call the class-map aaa1
asa(config-pmap-c)# inspect http policy1   // inspect HTTP traffic with policy1
(4) apply policy-map to the interface.
asa(config)# service-policy policy2 interface inside
Note: only one policy-map can be applied to an interface.
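The following Python model is an added example, not ASA code or part of the original post: it reproduces the decision the configuration above makes for one HTTP request (ACL aaa selects the traffic, regex class urla1 tests the Host header, policy1 drops with a log) so the behaviour can be checked against sample requests. The syslog text it returns is constructed, not a real ASA message.

```python
import ipaddress
import re

# Values taken from the configuration above.
ACL_AAA_SRC = ipaddress.ip_network("192.168.1.0/24")   # access-list aaa ... permit tcp 192.168.1.0/24 any eq www
ACL_AAA_DPORT = 80
URLA1_REGEXES = [re.compile(r"\.4399\.com")]           # regex urla, referenced by class-map urla1 (match-any)


def acl_aaa_matches(src_ip, proto, dport):
    """class-map aaa1: 'match access-list aaa' (TCP from 192.168.1.0/24 to port 80)."""
    return (proto == "tcp" and dport == ACL_AAA_DPORT
            and ipaddress.ip_address(src_ip) in ACL_AAA_SRC)


def urla1_matches(host_header):
    """class-map type regex match-any urla1 applied to the HTTP Host header.
    ASA regexes are unanchored searches, just like re.search here."""
    return any(rx.search(host_header) for rx in URLA1_REGEXES)


def policy2_action(src_ip, proto, dport, host_header):
    """Return (action, log) for one request as policy2 on the inside interface would.
    'pass' means the request was never handed to inspect http at all."""
    if not acl_aaa_matches(src_ip, proto, dport):
        return "pass", None
    if urla1_matches(host_header):
        # class urla2 -> drop-connection log (log text constructed for illustration)
        return "drop-connection", f"drop-connection: {src_ip} -> Host {host_header}"
    return "allow", None


if __name__ == "__main__":
    for req in [("192.168.1.10", "tcp", 80, "www.4399.com"),
                ("192.168.1.10", "tcp", 80, "www.163.com"),
                ("192.168.2.10", "tcp", 80, "www.4399.com"),
                ("192.168.1.10", "tcp", 80, "www.4399.com.example.net")]:
        print(req[0], req[3], "->", policy2_action(*req)[0])
```

Because the regex is unanchored, a Host header such as www.4399.com.example.net is also dropped; anchor the expression with `$` if only names ending in 4399.com should match.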
II. Log management
One of the most important features of any firewall product is logging events, and ASA uses system logging (syslog) to record all events that occur on the firewall.
1. Security level of log information
The security level of log information is divided into eight levels, as shown in the figure:
The urgency of information is ranked from highest to lowest importance, with emergencies (very urgent) being the most important and debugging (debugging) the least important.
2. Configuring logs
Log information can be output to the Log Buffer (log buffer), to ASDM, and to a log server.
Before configuring the log, you generally need to configure the time zone and time, as follows:
(1) configure time zone. The command is as follows:
asa(config)# clock timezone peking 8
Here peking is the name given to the time zone and 8 is the offset in hours from Coordinated Universal Time; the valid range is -23 to 23.
(2) configure time. The command is as follows:
asa(config)# clock set 19:30:00 24 Sep 2017
You can then configure Log Buffer, ASDM, and log servers, respectively.
(3) configure Log Buffer with the following command:
asa(config)# logging enable
asa(config)# logging buffered informational   // set the log level; 6 can be written instead of informational, meaning level 6 and everything more severe (levels 0-6)
Note: the default size of the Log Buffer (log buffer) is 4 KB.
asa(config)# show logging   // view the Log Buffer
asa(config)# clear logging buffer   // clear the Log Buffer
(4) configure ASDM log with the following command:
asa(config)# logging enable
asa(config)# logging asdm informational   // informational is level 6 and can be written as 6; it means level 6 and everything more severe
asa(config)# clear logging asdm   // clear the ASDM log
(5) configure log server
There is a wide choice of log server software today. Firewall Analyzer is a Web-based firewall log analysis tool that monitors the security devices in the network, collects and archives logs, and generates reports. It helps network security administrators monitor bandwidth and firewall security events, understand the security status of the network, see which firewall policies are used or unused so that they can be optimized, and plan network capacity through trend analysis. Firewall Analyzer supports multiple devices and vendors and runs on Windows and Linux.
Example: install Firewall Analyzer 6 on Windows Server 2008, as shown in the following figure.
① The configuration on the ASA firewall is as follows:
asa(config)# logging enable
asa(config)# logging timestamp   // enable timestamps
asa(config)# logging trap informational   // level of messages sent to the syslog server (levels 0-6)
asa(config)# logging host inside 192.168.0.1   // define the IP address of the log server and the ASA interface it is reached through
By default ASA communicates with the log server on UDP port 514.
② When Firewall Analyzer 6 is installed, two syslog servers are enabled by default, listening on UDP ports 514 and 1514 respectively. First start the Firewall Analyzer service, then open "Firewall Analyzer Web Client" to reach the user interface and enter the initial user name and password.
③ On the Windows 7 host, run the command ping 192.168.0.1 -l 10000 -t to simulate * *; the corresponding events can then be seen on the Web interface of Firewall Analyzer.
Click View Syslogs under Security Statistics to view detailed log information.
④ Reports can be generated through Firewall Analyzer's event summary reports and security reports.
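As an added example (not part of the original post and not Firewall Analyzer code), the parser below does the first thing any log server does with the messages sent by `logging host`: it parses the %ASA-<level>-<id> tag, names the eight severity levels from section II.1, and applies the same "level N and more severe" selection that `logging trap informational` makes on the ASA. The sample lines are constructed in the ASA syslog format, with an optional syslog PRI prefix and the `logging timestamp` prefix.

```python
import re
from collections import Counter

# The eight severity levels of ASA log messages (0 = most urgent, 7 = least).
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
SEVERITY_BY_NAME = {name: num for num, name in SEVERITY.items()}

# Optional "<PRI>" from UDP syslog, optional "logging timestamp" prefix, then the tag.
LINE_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?:(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}):? )?"
    r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<msg>.*)$")


def parse_line(line):
    """Return a dict for one ASA syslog line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("sev"))
    return {"timestamp": m.group("ts"), "severity": sev,
            "severity_name": SEVERITY[sev], "id": m.group("id"), "message": m.group("msg")}


def filter_by_level(lines, level):
    """Keep lines at 'level' (name or number) or more severe, i.e. levels 0..level,
    which is what 'logging trap informational' (6) sends to the log server."""
    max_sev = int(SEVERITY_BY_NAME.get(level, level))
    return [p for p in map(parse_line, lines) if p and p["severity"] <= max_sev]


def count_by_severity(lines):
    """Per-severity counts, the basis of an event summary report."""
    return Counter(p["severity_name"] for p in map(parse_line, lines) if p)


# Constructed sample lines in ASA syslog format (text is illustrative).
SAMPLE = [
    "<166>Sep 24 2017 19:31:02: %ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.5/40000 to inside:192.168.1.10/80",
    "<164>Sep 24 2017 19:31:03: %ASA-4-106023: Deny tcp src outside:203.0.113.5/40001 dst inside:192.168.1.10/23 by access-group \"ysf\"",
    "Sep 24 2017 19:31:04 %ASA-7-111009: User 'enable_15' executed cmd: show logging",
    "%ASA-3-201008: Disallowing new connections.",
    "not an asa line",
]

if __name__ == "__main__":
    for p in filter_by_level(SAMPLE, "informational"):
        print(p["severity_name"], p["id"], p["message"][:50])
    print(count_by_severity(SAMPLE))
```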
III. Transparent mode
The ASA security appliance can operate in two modes, routed mode and transparent mode; routed mode is the default.
1. Transparent mode
ASA has supported transparent mode since version 7.0.
In the default routed mode, ASA acts as a layer 3 device that forwards packets based on the destination IP address; in transparent mode, ASA acts as a layer 2 device that forwards frames based on the destination MAC address (when NAT is not configured).
Versions prior to 8.0 did not support configuring NAT in transparent mode; 8.0 and later versions do. If NAT is configured, ASA still uses route lookups to forward packets.
Although an ASA in transparent mode is a layer 2 device, it handles frames differently from a switch:
* For unicast frames whose destination MAC address is unknown, ASA does not flood them but discards them directly.
* ASA does not participate in STP (Spanning Tree Protocol).
The destination MAC addresses that are allowed to traverse by default in transparent mode are as follows:
* Broadcast MAC address: FFFF.FFFF.FFFF
* IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
* IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
* BPDU multicast MAC address: 0100.0CCC.CCCD (Cisco proprietary)
* AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
The layer 3 traffic allowed by default in transparent mode is as follows:
* IPv4 traffic is allowed to pass from an interface with a higher security level to one with a lower security level without configuring an ACL.
* ARP traffic is allowed to pass in both directions without configuring an ACL.
When ASA runs in transparent mode it continues to perform stateful inspection with application-layer intelligence and the usual firewall functions, but only two zones are supported.
In transparent mode no IP addresses need to be configured on the interfaces, so the existing IP network does not have to be redesigned, which makes deployment easier.
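To make the frame-handling rules above concrete, here is an added Python model (not ASA code or part of the original post) of the forwarding decision of a transparent-mode ASA: destination MACs in the default-allowed ranges listed above pass, learned unicast destinations are forwarded out the interface recorded in the MAC address table, and unknown unicast is discarded rather than flooded as a switch would do. The MAC ranges are the ones given on this page; the class and interface names are assumptions.

```python
def mac_to_int(mac):
    """Parse a MAC in Cisco dotted format 'hhhh.hhhh.hhhh' (colon/dash forms also accepted)."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


# Destination MACs allowed to traverse by default in transparent mode (from the page).
DEFAULT_ALLOWED = [
    ("broadcast", "FFFF.FFFF.FFFF", "FFFF.FFFF.FFFF"),
    ("ipv4-multicast", "0100.5E00.0000", "0100.5EFE.FFFF"),
    ("ipv6-multicast", "3333.0000.0000", "3333.FFFF.FFFF"),
    ("bpdu", "0100.0CCC.CCCD", "0100.0CCC.CCCD"),
    ("appletalk-multicast", "0900.0700.0000", "0900.07FF.FFFF"),
]
ALLOWED_RANGES = [(name, mac_to_int(lo), mac_to_int(hi)) for name, lo, hi in DEFAULT_ALLOWED]


def default_allowed(mac):
    """Return the name of the default-allowed range containing mac, or None."""
    value = mac_to_int(mac)
    for name, lo, hi in ALLOWED_RANGES:
        if lo <= value <= hi:
            return name
    return None


class TransparentAsa:
    """Minimal model: a MAC address table plus the forwarding decision."""

    def __init__(self):
        self.table = {}   # destination MAC (int) -> interface name, as in 'show mac-address-table'

    def learn(self, src_mac, ingress_if):
        """Dynamic learning: remember which interface a source MAC was seen on."""
        self.table[mac_to_int(src_mac)] = ingress_if

    def forward(self, dst_mac, ingress_if):
        """Decide the fate of a frame for dst_mac arriving on ingress_if."""
        allowed = default_allowed(dst_mac)
        if allowed:
            return ("pass", allowed)               # broadcast / multicast / BPDU traverse by default
        egress = self.table.get(mac_to_int(dst_mac))
        if egress is None:
            return ("drop", "unknown unicast")     # a switch would flood; the ASA discards
        return ("forward", egress)                 # known unicast goes out the learned interface


if __name__ == "__main__":
    asa = TransparentAsa()
    asa.learn("0050.56AB.CDEF", "inside")         # constructed sample host behind the inside interface
    for dst in ["0050.56AB.CDEF", "0050.5611.2233", "FFFF.FFFF.FFFF", "0100.5E01.0203"]:
        print(dst, "->", asa.forward(dst, "outside"))
```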
2. Configuration of transparent mode
(1) switch to transparent mode with the following command:
asa(config)# firewall transparent
ciscoasa(config)#
It is important to note that the current configuration is cleared when switching modes, which is why the prompt reverts to the default hostname ciscoasa.
The command to view the current working mode is as follows:
ciscoasa(config)# show firewall
To switch back to routed mode, use the command no firewall transparent.
(2) manage IP addresses
An IP address needs to be assigned to the ASA for management purposes, and this management IP address must belong to the directly connected subnet. ASA uses the management IP address as the source address of packets it originates itself, such as system messages sent to AAA or syslog servers.
The configuration commands for managing IP addresses are as follows
ciscoasa(config)# ip address ip [mask]
(3) MAC address table and learning
ciscoasa# show mac-address-table   // view the MAC address table
ciscoasa(config)# mac-address-table aging-time minutes   // set the expiry time of dynamic MAC entries (default 5 minutes)
ciscoasa(config)# mac-address-table static logical_if_name mac_address   // add a static MAC entry
ciscoasa(config)# mac-learn logical_if_name disable   // disable MAC address learning on a specific interface
Case 1: as shown in the figure, the company has added a firewall for network security. In order to facilitate deployment, the ASA is configured in transparent mode, and the management IP address is configured as 192.168.1.253.
The configuration of ASA is as follows:
ciscoasa(config)# firewall transparent
ciscoasa(config)# hostname asa
asa(config)# int e0/0
asa(config-if)# no sh
asa(config-if)# nameif outside
asa(config-if)# security-level 0
asa(config)# int e0/1
asa(config-if)# no sh
asa(config-if)# nameif inside
asa(config-if)# security-level 100
asa(config-if)# exit
asa(config)# ip add 192.168.1.253 255.255.255.0   // configure the management IP address
Case 2: as shown in the following figure, to improve the security of the hosted servers, an ASA has been added and configured in transparent mode, with the management IP address 209.165.201.1/28.
The configuration of ASA is as follows:
ciscoasa(config)# firewall transparent
ciscoasa(config)# hostname asa
asa(config)# int e0/0
asa(config-if)# no shut
asa(config-if)# int e0/0.10
asa(config-if)# vlan 10
asa(config-if)# nameif inside
asa(config-if)# int e0/0.20
asa(config-if)# vlan 20
asa(config-if)# nameif outside
asa(config)# ip add 209.165.201.1 255.255.255.240
asa(config)# access-list ysf permit icmp any any
asa(config)# access-list ysf permit tcp any any eq 80
asa(config)# access-list ysf permit tcp any any eq 21
asa(config)# access-list ysf permit tcp any any eq 25
asa(config)# access-list ysf deny ip any any
asa(config)# access-group ysf in interface outside