Cisco ASA 5500 model comparison
(columns, left to right: ASA 5510 base / Sec Plus | ASA 5520 | ASA 5520 VPN Plus | ASA 5540 | ASA 5540 VPN Plus | ASA 5540 VPN Premium)

Throughput: 50 / 100 Mbps | 100 Mbps with SSM-AIP 10 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20
Maximum Connections: 32,000 / 64,000 | 130,000 | 130,000 | 280,000 | 280,000 | 280,000
IPsec VPN peers: 50 / 150 | 300 | 750 | 500 | 2,000 | 5,000
SSL VPN peers: Shared | Shared | Shared | Shared | Shared, up to 1,250 | Shared, up to 2,500
(row label not extracted): No | Yes | Yes | Yes | Yes | Yes
High Availability: None / A/S (remaining cells not extracted)
Interfaces: 3 x 10/100 + OOB / 5 x 10/100 | 4 x 10/100/1000 + 1 x 10/100 | 4 x 10/100/1000 + 1 x 10/100 | 4 x 10/100/1000 + 1 x 10/100 | 4 x 10/100/1000 + 1 x 10/100 | 4 x 10/100/1000 + 1 x 10/100
Security Contexts: No | Up to 10 | Up to 10 | Up to 50 | Up to 50 | Up to 50
VLANs Supported: 0 / 10 | 25 | 25 | 100 | 100 | 100
Equivalent PIX model: PIX 515E UR | PIX 515E UR | PIX 525+ | PIX 525+ | PIX 525+
Equivalent VPN 3000 concentrator: VPN 3005- | VPN 3005++ | VPN 3020 | VPN 3015 | VPN 3030 | VPN 3060
Why Cisco ASA 5500? (slide keywords)
1. IPSec VPN, SSL VPN, IPS/IDS, Anti-X
3. Routing protocols, Multicast
4. Active/Active Failover
6. Application-level security: Application Inspection, IPS
Initial CLI setup (interactive prompts)

Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]:
  (Routed mode is a Layer 3 firewall with NAT; Transparent mode is a Layer 2 bridge)
Enable password [<use current password>]: cisco
Allow password recovery [yes]?
Clock (UTC):
Year [2005]:
Month [Nov]:
Day [2]:
Time [01:14:54]: 17:48:00
  (sets the system clock)
Inside IP address: 192.168.1.1
Inside network mask: 255.255.255.0
Host name: ASA
  (inside interface address and host name)
Use this configuration and write to flash? Yes
  (saves the setup configuration to flash)

Inside interface or management interface

Management0/0 is the out-of-band management interface; it can also serve as the failover interface. GigabitEthernet0/0 to 0/3 are the data interfaces, one of which may be used for failover. The console and Aux ports are also available for management.
Management interface configuration:

interface Management0/0
 no shutdown
 description Interface for Management
 nameif Mgmt-Interface
 management-only
 ip address 1.1.1.1 255.255.255.0

With management-only set, the interface accepts only traffic destined to the ASA itself and never forwards through-traffic.
Outside interface (Internet side):

interface GigabitEthernet0/0
 no shutdown
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0

Inside interfaces (internal networks):

interface GigabitEthernet0/1
 no shutdown
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 no shutdown
 description interface for LAN
 nameif inside-2
 security-level 100
 ip address 20.20.20.1 255.255.255.0

Security levels range from 0 (outside, least trusted) to 100 (inside, most trusted). By default traffic may flow from a higher to a lower security level but not the reverse, and two interfaces with the same security level (inside and inside-2, both 100) cannot exchange traffic at all until same-security traffic is explicitly permitted:

same-security-traffic permit inter-interface
Loading ASA firmware and ASDM

Upload the ASA image from an FTP server to flash:
ASA# copy ftp://anonymous@192.168.1.10/asa704-k8.bin disk0:

Upload the ASDM image:
ASA# copy ftp://anonymous@192.168.1.10/asdm504.bin disk0:

Select the boot image and verify the boot variable:
ASA(config)# boot system disk0:asa704-k8.bin
ASA# sh bootvar
Current BOOT variable = disk0:/asa704-k8.bin

List the contents of disk0:
ASA# dir
Directory of disk0:/
2706 -rw- 1589
2707 -rw- 1009
2709 -rw- 1318
2711 -rw- 2167
2712 -rw- 5437440
4040 -rw- 5958324
Enabling ASDM (HTTPS) and Telnet access

ASA(config)# http server enable
  (enables the HTTPS server that ASDM connects to)
ASA(config)# http 192.168.0.0 255.255.0.0 inside
  (only hosts in 192.168.0.0/16 on the inside interface may reach ASDM)
ASA(config)# asdm image disk0:/asdm504.bin
  (ASDM image served by the HTTPS server)

Telnet access is configured with the telnet command (see Device Administration).
ASDM walkthrough (screenshot captions)

Connecting: open https://ipaddress in a browser, accept the SSL certificate, and log in with the ID and password.
ASDM 5.0 Launcher: install the launcher on the local PC, then start ASDM from the launcher.
ASDM main menu: device and interface status, VPN, CPU/Memory, and the ASDM syslog view; Firewall menu.
Startup Wizard (Launch Startup Wizard):
  Step 1: configuration (inside interface IP)
  Step 2: ASA host name and password
  Step 3: outside (traffic) interface and its IP address
  Step 4: other interfaces
  Step 5: DHCP server (IP range)
  Step 6: NAT/PAT (NAT IP, or PAT on the interface IP)
  Step 7: management access (Web/ASDM, Telnet) by IP address type
  Step 8: finish
Interface configuration in ASDM:
  Management interface: name (Mgmt), security level 0-100, IP address, duplex and speed
  Outside interface: security level 0, IP address, duplex and speed
  Inside interface: security level 100, IP address, duplex and speed
  Same-security-level traffic option
  Interface CLI command preview
NAT/PAT I: dynamic NAT with real IP addresses

Topology (diagram): inside network 192.168.1.x (host 192.168.1.10) behind the inside interface 192.168.1.1; second inside network 20.20.20.x behind 20.20.20.1 (host 20.20.20.10); outside interface 10.10.10.1; global address pool 10.10.10.64 ~ 127; 10.10.10.10 also appears on the outside.

Policy:
1. NAT: 192.168.1.x addresses are translated to addresses in 10.10.10.65 ~ 127.
2. No NAT: 20.20.20.x addresses are not translated.

ASDM: under Feature > NAT, Translation Rules > Add creates a NAT rule (select the interface, browse for the real IP address or network, then choose dynamic NAT to an address pool or PAT to the interface address or an IP range/pool). Translation Exemption Rules > Add creates a "No NAT" rule for outbound traffic matching an interface and IP address.

CLI: the 192.168.1.x network on the inside interface is translated to 10.10.10.65 ~ 10.10.10.126 on the outside interface.
global (outside) 1 10.10.10.65-10.10.10.126 netmask 255.255.255.192
nat (inside) 1 192.168.1.0 255.255.255.0
NAT/PAT II: port redirection (static PAT)

Topology (diagram): Telnet server 192.168.3.1 published on the outside as 10.10.10.200 (telnet), FTP server 192.168.3.33 published as 10.10.10.201 (FTP); inside interface 192.168.1.1, outside interface 10.10.10.1.

Redirection can also map an external port to a different internal port (for example external port 80 to internal port 8080).

ASDM: add a Port Redirection Rule with the real IP address, the redirected (public) address and the service port. The rule also sets limits for the translated server: maximum TCP and UDP connections, and maximum embryonic connections (half-open TCP sessions whose three-way handshake has not completed). The embryonic limit protects the server against SYN flooding attacks.

CLI:
global (outside) 1 10.10.10.65-10.10.10.126 netmask 255.255.255.192
nat (inside) 1 192.168.3.0 255.255.255.0

Translation monitoring:
ASA-1# sh xlate
PAT Global 10.10.10.200(23) Local 192.168.3.1(23)
PAT Global 10.10.10.201(21) Local 192.168.3.33(21)
  (10.10.10.200 telnet is redirected to 192.168.3.1, 10.10.10.201 FTP to 192.168.3.33)
ASA-1# sh conn
TCP out 100.100.100.100:5001 in 192.168.3.33:20 idle 0:00:07 bytes 0 flags saA
TCP out 100.100.100.100:1257 in 192.168.3.33:21 idle 0:00:16 bytes 277 flags UIOB
TCP out 100.100.100.100:1261 in 192.168.3.1:23 idle 0:00:02 bytes 91 flags UIOB
  (one line per connection; the flags give the connection state, for example UIOB: connection up, inbound and outbound data seen, initial SYN from the outside)
Filtering with access lists

ASDM (Security Policy main menu): Add a rule and choose the Action (permit or deny), Apply to Traffic (inbound or outbound on an interface), Syslog and Time Range options (log matches to syslog, apply the ACL only during a time range), and the Source/Destination networks. Manage Service Groups groups well-known or custom service ports. Time Range Filtering defines a named time range for an ACL with an absolute window (start and end date/time) and periodic windows (days of the week, hours). Hosts and networks can be added as named objects (Add Host).

CLI:
Host names: defined with the name command (definitions not shown)
Service group:
object-group service FTP tcp-udp
 port-object range 20 21
Network group:
object-group network whchoi-group
 description whchoi-group
 network-object whchoi-33 255.255.255.255
 network-object 192.168.3.1 255.255.255.255
 network-object whchoi-34 255.255.255.255
Time range:
time-range TFTP-Time
 absolute start 04:59 30 November 2005 end 04:59 02 December 2005
 periodic weekdays 8:00 to 20:00
ACL:
access-list outside_access_in extended permit udp any host whchoi eq tftp time-range TFTP-Time
access-list outside_access_in extended permit tcp any host whchoi object-group FTP
access-list outside_access_in extended deny ip any any log

The ACL takes effect only once bound to an interface (access-group outside_access_in in interface outside). The explicit final deny with the log keyword makes every dropped inbound packet visible in syslog, which is what you want for monitoring.
65
Device Administration
66
Device Administration
Device Host,Domain Password
1
67
Device Administration
AAA
Privileged
Service type
68
Device Administration
User Account
69
Device Administration
Banner
70
Device Administration
ASDM/HTTPS
3
ASDM Host,Network
Interface
71
Device Administration
Telnet
3
Telnet Host,Network
Interface
72
Device Administration
SSH
3
1
Telnet Host,Network
Interface
73
Device Administration
SNMP
74
Device Administration
ICMP Rule
1
75
Device Administration
Time Zone GMT +09:00 Seoul
76
Device Administration
Boot Image ASDM Image
Boot Image
ASDM Image
77
Device Administration
CLI
CLI Device Administration
Device Host Domain name
hostname ASA-1
domain-name cisco.com
password
Username
ASDM/HTTP
Telnet
telnet 0.0.0.0 0.0.0.0 outside
telnet 1.1.1.0 255.255.255.0 Mgmt-Interface
telnet 0.0.0.0 0.0.0.0 inside
78
Device Administration
CLI
CLI Device Administration
SMTP Server
smtp-server 192.168.3.55
SNMP
ICMP
clock time
clock timezone KST 9 0
clock set 18:22:58 NOV 9 2005
NTP
boot image
79
ASA Properties

AAA Server Group and AAA Server (authentication):
aaa-server 192.168.3.111 protocol radius
 accounting-mode single
 reactivation-mode depletion deadtime 10
 max-failed-attempts 3
(the server-group tag here is the literal string 192.168.3.111; the authentication prompt is configured separately)

Anti-Spoofing: unicast reverse-path verification drops packets whose source IP address is not reachable through the interface they arrived on.
ip verify reverse-path interface inside

Fragment: fragment reassembly settings (fragment database size, packet size).
Time Out: per-protocol connection idle timers; a session is closed when its idle time expires.
Static ARP entry:
arp inside 192.168.3.111 aaaa.bbbb.cccc
Auto Update: update server and image settings.
DHCP: DHCP service.

ASA software IDS (IP Audit): policy types Info and Attack, actions Alarm, Drop and Reset, applied per interface; individual signatures can be disabled by signature number.
ip audit name P1 attack action reset
ip audit name P2 info action alarm
ip audit interface inside P2
ip audit interface inside P1
no ip audit signature 1000

Logging: Logging Setup (logging enable, debug messages, standby-unit logging, EMBLEM syslog format), log storage (flash, FTP server), Logging Filter (internal buffer, console, Telnet session, syslog, SNMP trap, e-mail, ASDM), Syslog facility, Syslog Server (IP address, protocol, port, EMBLEM), E-mail setup per event, and Rate Limit (caps log generation so that a DDoS does not overwhelm the logging system).
logging enable
logging standby
logging debug-trace
logging emblem
logging timestamp
logging host inside 192.168.3.39
logging from-address source@cisco.com
logging recipient-address whchoi@cisco.com level Errors
logging rate-limit 100 5 level Notifications

SSL / URL Filtering Server: SSL settings (also used by SSL VPN).

PQ (Priority Queue): LLQ-style priority queuing so that voice traffic is not hurt by delay and jitter.
priority-queue inside
 tx-ring-limit 80
 queue-limit 2048
Application inspection scenarios

FTP inspection (diagram): inside client 192.168.3.33 behind inside 192.168.1.1, outside 10.10.10.1, FTP server 100.100.100.100. The FTP inspection policy denies selected FTP commands so that FTP downloads from the inside network are blocked. ASDM: policy name, class group, inspection map (Deny FTP Command).

HTTP inspection (diagram, same addressing): blocks well-known P2P (Kazaa, eDonkey), messenger (MSN, Yahoo, ...) and tunneled applications that ride over HTTP from the inside network; the action is combined with a syslog message. ASDM: inspection map.
ASA Active/Active failover with multiple contexts

Topology (diagram): two units, each with an Admin context and a Virtual-1 context.
  Unit 1: Admin 10.10.10.1 and 192.168.1.1; Virtual-1 20.20.20.1 and 192.168.2.1; failover link 192.168.5.1
  Unit 2: Admin 10.10.10.2 and 192.168.1.2; Virtual-1 20.20.20.2 and 192.168.2.2; failover link 192.168.5.2

Multi-Context Active/Active configuration steps: create the context group, assign context interfaces, load the context config, define the failover groups, enable failover, and set the interface policy.