Cisco ASA Firewall
Cisco ASA Firewall
Neo Chen (netkiller)
<openunix@163.com>
Copyright © 2011 http://netkiller.github.com
下面是我多年积累下来的经验总结,整理成文档供大家参考:
Netkiller Architect 手札
Netkiller Linux 手札
Netkiller Developer 手札
Netkiller Database 手札
Netkiller Debian 手札
Netkiller CentOS 手札
Netkiller FreeBSD 手札
Netkiller Shell 手札
Netkiller Web 手札
Netkiller Monitoring 手札
Netkiller Storage 手札
Netkiller Mail 手札
Netkiller Security 手札
Netkiller PostgreSQL 手札
Netkiller MySQL 手札
Netkiller LDAP 手札
Netkiller Cryptography 手札
Netkiller Intranet 手札
Netkiller Cisco IOS 手札
Netkiller Writer 手札
Netkiller Version 手札
Netkiller Studio Linux 手札
2.1. Console 登录
ciscoasa> en
Password:
ciscoasa# show run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2ca307ae725244ecf965030aa8ee6a2b
: end
ciscoasa#
2.1.1. 清除配置文件
ciscoasa# conf t
ciscoasa(config)# clear config all
WARNING: DHCPD bindings cleared on interface 'management', address pool removed
ciscoasa(config)#
2.2. Management0/0
使用静态IP地址
ciscoasa(config-if)# no dhcpd address 192.168.1.2-192.168.1.254 management
ciscoasa(config)# no dhcpd enable management
ciscoasa(config)# interface Management0/0
ciscoasa(config-if)# ip address 192.168.3.254 255.255.255.0
Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.
使用DHCP分配IP地址
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.
ciscoasa(config-if)# dhcpd address 192.168.1.2-192.168.1.254 management
ciscoasa(config)# dhcpd enable management
ciscoasa(config)#
2.3. 接口配置
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 172.16.0.2 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface GigabitEthernet1/0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.3.254 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 172.16.0.2 255.255.255.0 manual
Management0/0 management 192.168.1.1 255.255.255.0 manual
GigabitEthernet1/0 inside 192.168.3.254 255.255.255.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 172.16.0.2 255.255.255.0 manual
Management0/0 management 192.168.1.1 255.255.255.0 manual
GigabitEthernet1/0 inside 192.168.3.254 255.255.255.0 manual
2.3.1. 子接口
interface GigabitEthernet1/0.1
no vlan
no nameif
no security-level
ip address 172.16.7.254 255.255.255.0
2.4. route
ciscoasa(config)# route outside 0 0 172.16.0.1
show route
2.5. ACL
2.5.1. Blacklist
黑名单规则
access-list outside extended permit icmp any any
access-list outside deny ip any any
access-list outside extended permit tcp any any eq www
access-list outside extended permit tcp any any eq https
access-list outside extended permit tcp any host 28.6.7.23 eq ftp
access-list outside permit tcp any host 202.96.134.133 eq www
access-list outside permit ip any host 133.11.20.21 eq ftp
access-group outside in interface outside
2.5.2. Whitelist
白名单规则
access-list outside extended permit ip any any
access-list outside extended permit icmp any any
access-list outside extended permit tcp any any
access-list outside extended permit udp any any
access-list outside deny ip any host 192.168.0.1
access-list outside deny ip any host 192.168.0.2 eq www
access-group outside in interface outside
2.5.3. object-group
下面是一个简单的黑白名单实例
object-group network blacklist
description deny ip to example.com
network-object 61.191.55.0 255.255.255.0
network-object host 61.190.10.181
network-object host 61.190.10.182
network-object host 61.190.10.183
network-object host 61.191.55.248
network-object host 61.190.10.181
network-object host 61.185.114.87
network-object host 60.210.111.236
network-object host 218.64.182.105
network-object host 210.51.51.157
network-object host 63.221.138.204
network-object host 119.188.10.163
access-list outside extended deny tcp object-group blacklist host 120.12.14.7
object-group network whitelist
description deny ip to example.com
network-object 61.191.50.0 255.255.255.0
network-object host 61.190.10.18
network-object host 61.191.55.24
network-object host 61.190.10.18
network-object host 61.185.114.8
network-object host 60.210.111.23
network-object host 218.64.182.10
network-object host 210.51.51.15
network-object host 63.221.138.20
network-object host 119.188.10.16
access-list outside extended permit tcp object-group whitelist host 120.12.14.7
端口实例
object-group network dbhost
description database
network-object 172.16.4.0 255.255.255.0
network-object 172.16.5.0 255.255.255.0
object-group service dbport tcp
description database
port-object eq 3306
port-object eq 2521
port-object eq 5432
object-group network www
description www
network-object 172.16.4.0 255.255.255.0
network-object 172.16.5.0 255.255.255.0
object-group service webport tcp
description database
port-object eq www
port-object range 81 88
access-list outside extended permit tcp object-group dbhost host 172.16.4.10 object-group dbport
access-list outside extended permit tcp any object-group webport any
2.5.4. Example
access-list outside extended permit icmp any any
access-list outside extended permit tcp any any eq www
access-list outside extended permit tcp any any eq ssh
access-list outside extended permit udp any host 120.112.13.20 eq domain
access-list outside extended permit udp any host 120.112.13.23 eq domain
access-list outside extended permit tcp any host 120.112.13.18 eq ssh
access-list outside extended permit tcp any host 120.112.13.7 eq ftp
access-list outside extended permit tcp any host 120.112.13.21 eq www
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.27 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.28 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.11 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.12 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.8 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.9 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.15 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.29 eq ftp
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.10 eq ftp
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.10 eq ssh
access-list outside deny ip 192.168.0.0 0.255.255.255 any
access-list outside deny ip 127.0.0.0 0.255.255.255 any
access-list outside extended permit tcp any host 120.112.13.33
access-list outside permit ip any any
access-list inside extended permit icmp any any
access-list inside extended permit ip any any
ciscoasa(config)# access-list outside permit icmp any any
ciscoasa(config)# access-group outside in interface outside
ciscoasa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside; 1 elements; name hash: 0x1a47dec4
access-list outside line 1 extended permit icmp any any (hitcnt=0) 0x390a154c
extended关键字可能省略 access-list outside permit ip any any,另外我比较喜欢用nameif做acl 名称,这样比较直观如: outside,你也可以使用传统100,101什么的
2.6. 配置NAT映射
把inside区域的所有地址进行映射,映射为outside端口的那个公网IP地址。
globle (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
指定其他IP
asa(config)#nat(inside) 1 192.168.1.1 255.255.255.0
asa(config)#global(outside) 1 222.240.254.193 255.255.255.248
定义的地址池
asa(config)#nat (inside) 0 192.168.1.1 255.255.255.255 //表示192.168.1.1这个地址不需要转换。直接转发出去。
asa(config)#global (outside) 1 133.1.0.1-133.1.0.14 //定义的地址池
asa(config)#nat (inside) 1 0 0 //0 0表示转换网段中的所有地址。定义内部网络地址将要翻译成的全局地址或地址范围
我的配置
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
2.6.1. IP 映射
static (inside,outside) 222.24.24.2 192.168.1.2
static (inside,outside) 222.24.24.2 192.168.1.2 4096 32
后面的4096为限制连接数,32为限制的半开连接数。
asa(config)#static (dmz,outside) 13.1.0.2 10.65.1.102 ;静态NAT
asa(config)#static (inside,dmz) 10.66.1.20 10.66.1.20 ;静态NAT
2.6.2. 端口映射
static (inside,outside) tcp 61.144.203.40 80 192.168.0.116 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.144.203.40 20 192.168.0.116 20 netmask 255.255.255.255 0 0
static (inside,outside) 221.221.147.195 192.168.0.10 netmask 255.255.255.255 tcp 8089 0
2.7. timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
2.8. DHCP
2.8.1. management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
2.8.2. inside
dhcpd address 192.168.1.100-192.168.1.199 inside 设置DHCP服务器地址池
dhcpd dns 208.67.222.222 208.67.220.220 interface inside 设置DNS服务器到内网端口
dhcpd enable inside 设置DHCP应用到内网端口
2.9. SNMP
snmp-server host inside 172.16.1.2
snmp-server location GuangDong
snmp-server contact neo.chen@xiu.com
snmp-server community public
2.10. 用户登录
创建用户
username cisco password cisco#明文密码
username cisco password 3USUcOPFUiMCO4Jk encrypted#加密密码
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15 #不需要enable密码
匹配地址 172.16.0.1 255.255.255.255
匹配网段172.16.0.0 255.255.255.0
所有地址0.0.0.0 0.0.0.0
2.10.1. Telnet
username cisco password cisco
aaa authentication telnet console LOCAL
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
2.10.2. SSH
1) username xxxx password xxxx
2) passwd xxxxx
3) ssh x.x.x.x x.x.x.x {inside/outside}
4) crypto key generate rsa modulus {512/768/1024/2048}
5) aaa authentication ssh console LOCAL
username cisco password cisco
passwd cisco
ssh 172.16.0.1 255.255.255.255 outside
crypto key generate rsa modulus 2048
aaa authentication ssh console LOCAL
2.11. VPN
2.11.1. site to site
2.11.2. webvpn
2.12. service-policy
ciscoasa(config)# access-list TEST200K permit ip host x.x.x.x any
ciscoasa(config)# class-map internet
ciscoasa(config-cmap)# match access-list TEST200K
ciscoasa(config)# policy-map out-police
ciscoasa(config-pmap)# class internet
ciscoasa(config-pmap-c)# police output 200000 1000 conform-action transmit exceed-action drop
ciscoasa(config)# service-policy out-police interface outside
使用NAT映射后应该配置到inside接口上
access-list 200k extended permit ip any host x.x.x.x
access-list 500k extended permit ip any host x.x.x.x
class-map 200k
match access-list 200k
policy-map limit200k
class 200k
police input 2096000 1048
police output 2096000 1048
service-policy limit200k interface inside
class-map 500k
match access-list 500k
policy-map limit500k
class 500k
police input 2096000 1048
police output 2096000 1048
service-policy limit500k interface inside
2.13. failover
interface GigabitEthernet1/1
!
interface GigabitEthernet1/1.1
description STATE Failover Interface
vlan 2
!
interface GigabitEthernet1/1.2
description LAN Failover Interface
vlan 3
!
failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/1.2
failover link state GigabitEthernet1/1.1
failover interface ip failover 172.16.10.1 255.255.255.248 standby 172.16.10.2
failover interface ip state 172.16.10.9 255.255.255.248 standby 172.16.10.10
ciscoasa# show failover state
State Last Failure Reason Date/Time
This host- Primary
Active Ifc Failure 14:49:44 UTC Oct 26 2011
outside: No Link
Other host - Secondary
Standby ReadyComm Failure 16:27:18 UTC Oct 26 2011
====Configuration State===
Sync Done
====Communication State===
Mac set
2.14. 透明防火墙(transparent)
ciscoasa(config)# firewall transparent
ciscoasa(config)# show firewall
Firewall mode: Transparent
interface GigabitEthernet0/0
nameif outside
security-level 0
!
interface GigabitEthernet1/0
nameif inside
security-level 100
!
access-list outside extended permit icmp any any
access-list outside extended permit ip any any
access-list outside extended permit udp any any
access-list outside extended permit tcp any any
access-group outside in interface outside
ip address 192.168.0.247 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.254
asdm image disk0:/asdm-645.bin
http server enable
http 0.0.0.0 0.0.0.0 inside
例 7.1. firewall transparent
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(5)
!
firewall transparent
hostname ciscoasa
enable password zXKclT3IcSf6EDMe encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
shutdown
no nameif
no security-level
management-only
!
interface GigabitEthernet1/0
nameif inside
security-level 100
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
!
ftp mode passive
access-list outside extended permit icmp any any
access-list outside extended permit ip any any
access-list outside extended permit udp any any
access-list outside extended permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 192.168.0.6 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:30eb28a5a6b73fb3638eb279d27086c1
: end
2.15. asdm
asdm image disk0:/asdm-645.bin
2.16. 备份配置文件
我建议你放弃tftp,目前主流设备都支持很多协议。我比较喜欢使用ftp
ciscoasa# copy running-config ftp://test:your_pasword@172.16.0.2
Source filename ?
Address or name of remote host ?
Destination username ?
Destination password [******]?
Destination filename ?
Cryptochecksum: e5bb0305 02196b08 59efc7e5 9b4e1132
!!!!!!
19447 bytes copied in 3.900 secs (6482 bytes/sec)
页:
[1]