
security level

high to low: allowed

low to high: denied

with the help of an ACL, low to high can be allowed

example

asa

outside 0

inside 100

dmz 50

all traffic from high to low is allowed, including icmp

only tcp and udp traffic is inspected


the ASA builds a state table holding the source and destination ip and mac addresses

this creates an entry in the conn table, but only for tcp and udp

return traffic is matched against that entry

the first thing checked when a packet arrives is the conn table

this is called implicit inspection

implicit means it is done automatically but cannot be seen, like the last line of an ACL:
deny any any

difference between default and implicit

default means I can see the entry, so I can change or delete it

implicit means I know it is there but cannot see it, so I cannot delete or change it

in other words, I can disable a default but not an implicit

icmp is allowed high to low

but not allowed low to high, as there is no entry in the conn table

by default icmp is not inspected, so no conn table entry is created for it

but what if two interfaces have the same security level

they will not ping each other

even if we put an ACL they still cannot ping
they will ping only with the command same-security-traffic permit inter-interface

why is this the default

one interface is connected to partner 1

the other is connected to partner 2

and I do not want communication between partner 1 and partner 2

high to low is always allowed, but can be denied by an ACL

the ACL always takes precedence

the only place the ACL does not take precedence is the conn table

if I have deny ip any any

and I telnet from inside to outside

when the return traffic comes back it checks the conn table first

if an entry is found there it is allowed, and the ACL is not checked

the ASA was made from the PIX and the VPN concentrator; web VPN, meaning SSL VPN, was not there before the ASA

r1

int f0/0
ip add 10.11.11.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 10.11.11.10

r2

int f0/0
ip add 192.1.20.2 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.1.20.10

r3

int f0/0
ip add 192.168.3.3 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.3.10

r4

int f0/0
ip add 192.168.4.4 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 192.168.4.10

asa

interface names like inside or outside are not case sensitive (most things on the ASA are not): all capitals, all lower case or mixed all work

int e0/0
nameif Outside
(outside automatically gets security level 0)
ip add 192.1.20.10 255.255.255.0
no sh

int e0/1
nameif Inside
(if I use any word other than inside it gets level 0, and if on the next line I then enter nameif inside it will not get 100, as the interface already has a security level; so first clear the previous level with clear configure interface e0/1, then nameif Inside automatically gets 100)
ip add 10.11.11.10 255.255.255.0
no sh

route outside 0 0 192.1.20.2

here the o of outside is small, but in nameif Outside the o is capital; in sh run route it will show the capital o, as given in nameif

int e0/2
nameif dmz3
security-level 50
ip add 192.168.3.10 255.255.255.0
no sh

int e0/3
nameif dmz4
security-level 50
ip add 192.168.4.10 255.255.255.0
no sh

now ping from all routers

here r2 can ping the ASA outside interface

why

difference in ACLs

an ACL on a router is of two types

for traffic to the router and for traffic through the router

on the ASA the ACL checks only through traffic

on asa

access-list abc deny ip any any

access-group abc in interface Outside

but now on r2

it will again ping the ASA outside interface

why: the ACL on the ASA works only for through traffic

a service is enabled on an interface if the interface is enabled

and disabled if the interface is disabled

but icmp to the interface is still up

icmp deny any Outside

now r2 will not ping the ASA outside interface

this command is only for "to" traffic

to traffic is controlled by the ASA itself

through traffic is controlled by the ACL

now on asa

access-list abc permit ip any any

access-group abc in interface Outside

on r2

it will not ping the ASA outside interface

but r1 will ping

now enable telnet on r2

line vty 0 4
password cisco
login

on asa

telnet 10.11.11.0 255.255.255.0 Inside

this means r1 can telnet to r2

on r1

telnet 192.1.20.2
cisco
works

on r2

telnet 10.11.11.1

does not work

due to low to high traffic

now on r3

telnet 192.1.20.2

works

here it is 50 to 0

on r3

telnet 192.168.4.4

does not work

it will not go from 50 to 100

or from 50 to 50

even an ACL will not work here

on asa

access-list abc permit ip any any

access-group abc in interface dmz3

on r3

telnet 192.168.4.4

does not work

now on asa

same-security-traffic permit inter-interface

now

clear configure access-list

now on r3

telnet 192.168.4.4

works

on asa

access-list abc deny ip any any

access-group abc in interface dmz3

on r3

telnet 192.168.4.4

does not work

here the same-security check comes first, and then the ACL is checked
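The order of checks the notes describe (conn table first, then the same-security rule, then the interface ACL with its implicit deny, then the security-level default; to-the-box icmp governed by the icmp command rather than the ACL) can be replayed as a small model. The following is an added example, a toy simulation written here and not Cisco code or the ASA's real algorithm; the interface names, levels and addresses are the ones from this lab, while the port numbers and the tuple-based conn table are constructed assumptions. It walks through the telnet, ping and dmz3-to-dmz4 scenarios above and records the verdict and the check that produced it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    name: str
    ip: str
    level: int


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # constructed; 0 for icmp
    dst: str
    dport: int


class AsaModel:
    """Toy model (not Cisco code) of the forwarding decision the notes describe."""

    def __init__(self, ifaces, same_security=False):
        self.ifaces = {i.name: i for i in ifaces}
        self.own_ips = {i.ip for i in ifaces}
        self.acl = {}          # access-group: ingress iface -> [(action, proto), ...]
        self.icmp_rules = {}   # icmp <action> any <iface>: iface -> action
        self.same_security = same_security   # same-security-traffic permit inter-interface
        self.conn = set()      # conn table keys (proto, src, sport, dst, dport), tcp/udp only

    def access_group(self, iface, entries):
        self.acl[iface] = list(entries)

    def clear_access_lists(self):
        self.acl.clear()

    def icmp_rule(self, iface, action):
        self.icmp_rules[iface] = action

    def decide(self, pkt, ingress, egress):
        # To-the-box traffic: the interface ACL is not consulted, the icmp command is
        if pkt.dst in self.own_ips:
            if pkt.proto == "icmp":
                return (self.icmp_rules.get(ingress, "permit"), "to-the-box icmp")
            return ("permit", "to-the-box")   # other management traffic is not modelled
        # 1. conn table first: return traffic of an inspected flow bypasses the ACL
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conn:
            return ("permit", "conn table")
        ing, eg = self.ifaces[ingress], self.ifaces[egress]
        # 2. equal levels are denied until same-security-traffic is enabled
        if ing.level == eg.level and not self.same_security:
            return ("deny", "same security level")
        # 3. ACL bound to the ingress interface: first match wins, implicit deny at the end
        entries = self.acl.get(ingress)
        if entries is not None:
            verdict, reason = "deny", "acl implicit deny"
            for action, proto in entries:
                if proto in ("ip", pkt.proto):
                    verdict, reason = action, "acl"
                    break
        else:
            # 4. no ACL: security-level default (equal levels only get here when enabled)
            verdict = "permit" if ing.level >= eg.level else "deny"
            reason = "security level default"
        # only tcp and udp are inspected, so only they get a conn entry
        if verdict == "permit" and pkt.proto in ("tcp", "udp"):
            self.conn.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return (verdict, reason)


def walkthrough():
    """Replays the scenarios from the notes and returns the verdict per step."""
    asa = AsaModel([Iface("Outside", "192.1.20.10", 0), Iface("Inside", "10.11.11.10", 100),
                    Iface("dmz3", "192.168.3.10", 50), Iface("dmz4", "192.168.4.10", 50)])
    out = {}
    # r1 telnets to r2 (100 -> 0): allowed by default and creates a conn entry
    out["r1 telnet r2"] = asa.decide(Packet("tcp", "10.11.11.1", 11000, "192.1.20.2", 23), "Inside", "Outside")
    # deny ip any any on Outside: r2's reply still passes via the conn table, a new session from r2 does not
    asa.access_group("Outside", [("deny", "ip")])
    out["r2 reply to r1"] = asa.decide(Packet("tcp", "192.1.20.2", 23, "10.11.11.1", 11000), "Outside", "Inside")
    out["r2 telnet r1"] = asa.decide(Packet("tcp", "192.1.20.2", 40000, "10.11.11.1", 23), "Outside", "Inside")
    # icmp is not inspected: the echo goes out, the echo-reply finds no conn entry
    asa.clear_access_lists()
    out["r1 ping r2"] = asa.decide(Packet("icmp", "10.11.11.1", 0, "192.1.20.2", 0), "Inside", "Outside")
    out["r2 echo-reply"] = asa.decide(Packet("icmp", "192.1.20.2", 0, "10.11.11.1", 0), "Outside", "Inside")
    # r2 pinging the Outside interface itself is to-the-box: the ACL does not apply, icmp deny does
    asa.access_group("Outside", [("deny", "ip")])
    out["r2 ping asa, acl deny"] = asa.decide(Packet("icmp", "192.1.20.2", 0, "192.1.20.10", 0), "Outside", "Outside")
    asa.icmp_rule("Outside", "deny")
    out["r2 ping asa, icmp deny"] = asa.decide(Packet("icmp", "192.1.20.2", 0, "192.1.20.10", 0), "Outside", "Outside")
    # dmz3 -> dmz4 (50 -> 50): denied even with permit ip any any until same-security is on
    r3_to_r4 = Packet("tcp", "192.168.3.3", 11001, "192.168.4.4", 23)
    asa.clear_access_lists()
    asa.access_group("dmz3", [("permit", "ip")])
    out["r3 telnet r4, acl permit"] = asa.decide(r3_to_r4, "dmz3", "dmz4")
    asa.same_security = True
    asa.clear_access_lists()
    out["r3 telnet r4, same-sec"] = asa.decide(r3_to_r4, "dmz3", "dmz4")
    asa.access_group("dmz3", [("deny", "ip")])
    out["r3 telnet r4, same-sec + acl deny"] = asa.decide(r3_to_r4, "dmz3", "dmz4")
    return out


if __name__ == "__main__":
    for step, (verdict, reason) in walkthrough().items():
        print(f"{step:34} {verdict:6} ({reason})")
```

The point the model makes visible is the one the notes keep returning to: a deny ip any any on the outside interface does not stop r2's reply to r1, because the conn table is consulted before the ACL, while the same ACL does stop a fresh session from r2, and no ACL at all helps between two interfaces at level 50 until same-security-traffic permit inter-interface is configured.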

the order of checks is route, then ACL, then NAT

in 8.4 it is NAT first, then ACL

dhcpd address 192.168.3.51-192.168.3.100 dmz3

dhcpd dns 192.168.3.5

dhcpd wins 192.168.3.6

dhcpd enable dmz3

here the ASA acts as a DHCP server for dmz3
