NguyenPhanDinhPhuoc - NguyenVanHung - DangMinhTri-Lop 07T4-Nhóm 10B
COURSE REPORT
Topic:
Exploring the functions of the ASA Firewall on GNS3
Students: Nguyễn Văn Hùng
Nguyễn Phan Đình Phước
Đặng Minh Trí
Group: 10B
Đà Nẵng, 2011
TABLE OF CONTENTS
I. OVERVIEW OF FIREWALLS ........ 8
LIMITATIONS OF FIREWALLS ........ 10
EXAMPLE: ........ 18
VPN ........ 21
a. Introduction ........ 21
ROUTING PROTOCOL ........ 28
a. Concept ........ 28
ii. Routing techniques ........ 29
Static routing ........ 29
FIGURE 12. NETWORK DIAGRAM ILLUSTRATING STATIC ROUTING ........ 30
v. DHCP ........ 38
I.
a.
Classification:
Processing speed
High security
Low flexibility
Low upgradeability
Cannot inspect packet contents
However, there are now also many hardware firewalls that integrate multiple functions. Besides acting as a security firewall, they come with other modules such as routing, VPN, ...
c. Limitations of firewalls
II.
Introduction
The Cisco ASA firewall is the newest technology among the firewall solutions offered by Cisco, and it is now replacing the PIX firewalls very effectively. ASA stands for
Basic functions
i. Operating modes
The ASA firewall has 4 main operating modes:
Monitor mode: displays the monitor> prompt.
ii. File management
There are two types of configuration file on Cisco security appliances: running-configuration and startup-configuration.
The first type, running-configuration, is the file currently running on the device and is stored in the firewall's RAM. You can view this configuration by typing show running-config from Privileged mode. Any command you enter on the firewall is written directly into the running-config and takes effect immediately. Because the running configuration lives in RAM, if the device loses power it loses every configuration change that was not saved beforehand. To save the running configuration, use copy run start or write memory. Both commands copy the running-config into the startup-config, which is stored in flash memory.
The second type, startup-configuration, is the backup of the running-configuration. It is stored in flash memory, so it is not lost when the device reboots. The startup-configuration is also the configuration loaded when the device boots. To view the stored startup-configuration, type show startup-config.
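A practical follow-up to the running/startup distinction is to check for changes that exist only in RAM. The script below is an added example (not code from the report): it diffs the text of two captured configurations and lists the lines that would be lost on a power cycle because write memory has not been issued. Both configurations are constructed samples modelled on the report's ACL lines, and the only normalisation assumed is dropping the ':' comment lines the ASA prints at the top of its output.

```python
"""Report configuration lines that exist only in the running config (added example)."""
import difflib
from typing import Dict, List


def _normalize(config: str) -> List[str]:
    # Drop blank lines and the ': Saved' / ':' comment lines (assumption: they
    # are not configuration and differ harmlessly between the two outputs).
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]


def unsaved_changes(running: str, startup: str) -> Dict[str, List[str]]:
    """Return lines only in the running config ('added') and lines only in the
    startup config ('removed'); both lists empty means 'write memory' is current."""
    diff = difflib.unified_diff(_normalize(startup), _normalize(running), lineterm="", n=0)
    result: Dict[str, List[str]] = {"added": [], "removed": []}
    for line in diff:
        if line.startswith(("+++", "---", "@@")):   # unified-diff headers
            continue
        if line.startswith("+"):
            result["added"].append(line[1:])
        elif line.startswith("-"):
            result["removed"].append(line[1:])
    return result


# Constructed samples: the startup config still permits ICMP any/any, while the
# running config has had that line replaced by an FTP permit and not been saved.
STARTUP = """\
: Saved
:
hostname ciscoasa
access-list 101 extended permit tcp any host 203.162.4.100 eq www
access-list 101 extended permit icmp any any
"""
RUNNING = """\
: Saved
:
hostname ciscoasa
access-list 101 extended permit tcp any host 203.162.4.100 eq www
access-list 101 extended permit tcp any host 203.162.4.100 eq ftp
"""

if __name__ == "__main__":
    for kind, lines in unsaved_changes(RUNNING, STARTUP).items():
        for ln in lines:
            print(f"{kind}: {ln}")
```

Feed it the output of show running-config and show startup-config captured from the appliance; an empty result is the state you want before a scheduled reboot.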
iii. Security Level
... traffic unless it is permitted by an ACL. If NAT-Control is enabled on this device, there must also be a static NAT between the interfaces, from the high Security Level to the low one.
Access between interfaces with the same Security Level: by default
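The rules in this section (higher-to-lower allowed by default, lower-to-higher only with an ACL and, under nat-control, a static NAT, same-level traffic dropped unless same-security-traffic permit inter-interface is configured) can be written down as a single decision function. The code below is an added example and not part of the report; it uses the interface names and levels of the report's lab (inside 100, DMZ 50, outside 0, backup 100). Two behaviours it encodes are standard ASA behaviour that the report does not spell out: with nat-control, higher-to-lower traffic also needs some NAT rule (dynamic or exempt), and once an ACL is bound inbound on an interface its implicit deny replaces the implicit higher-to-lower permit.

```python
"""The ASA implicit inter-interface policy as a decision function (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Interface:
    nameif: str
    security_level: int      # 0 = least trusted ... 100 = most trusted


def access_decision(src: Interface, dst: Interface, *,
                    acl_verdict: Optional[bool] = None,   # None: no ACL bound inbound on src
                    same_security_inter: bool = False,    # same-security-traffic permit inter-interface
                    nat_control: bool = False,
                    nat_rule: Optional[str] = None        # None, "dynamic", "exempt" or "static"
                    ) -> Tuple[bool, str]:
    """Return (allowed, reason) for a new connection entering on src and leaving on dst."""
    # 1. With nat-control every flow needs a translation; lower-to-higher needs a static one.
    if nat_control:
        if nat_rule is None:
            return False, "nat-control: no NAT rule covers this flow"
        if src.security_level < dst.security_level and nat_rule != "static":
            return False, "nat-control: lower-to-higher traffic needs a static NAT"
    # 2. An ACL bound to the ingress interface replaces the implicit policy
    #    (its trailing implicit deny applies even to higher-to-lower traffic).
    if acl_verdict is not None:
        return acl_verdict, f"decided by the ACL bound to {src.nameif}"
    # 3. Implicit policy derived from the security levels alone.
    if src.security_level > dst.security_level:
        return True, "higher to lower: permitted by default"
    if src.security_level < dst.security_level:
        return False, "lower to higher: denied without an ACL"
    if same_security_inter:
        return True, "same level: permitted by same-security-traffic permit inter-interface"
    return False, "same level: denied by default"


# The report's lab interfaces (from its show run appendix).
INSIDE, DMZ, OUTSIDE, BACKUP = (Interface("inside", 100), Interface("DMZ", 50),
                                Interface("outside", 0), Interface("backup", 100))

if __name__ == "__main__":
    cases = [
        ("inside -> outside, dynamic NAT", INSIDE, OUTSIDE, dict(nat_control=True, nat_rule="dynamic")),
        ("outside -> DMZ, static NAT, no ACL", OUTSIDE, DMZ, dict(nat_control=True, nat_rule="static")),
        ("outside -> DMZ, ACL permits, static NAT", OUTSIDE, DMZ,
         dict(acl_verdict=True, nat_control=True, nat_rule="static")),
        ("outside -> DMZ, ACL permits, dynamic NAT only", OUTSIDE, DMZ,
         dict(acl_verdict=True, nat_control=True, nat_rule="dynamic")),
        ("inside -> backup (both level 100)", INSIDE, BACKUP, {}),
        ("inside -> backup, same-security-traffic", INSIDE, BACKUP, dict(same_security_inter=True)),
    ]
    for label, s, d, kw in cases:
        allowed, why = access_decision(s, d, **kw)
        print(f"{label:48s} {'ALLOW' if allowed else 'DENY':5s} {why}")
```

The last two cases are worth noting for the report's own topology: inside and backup both sit at level 100, so nothing passes between them until same-security-traffic is enabled, and once it is, the backup link is trusted exactly as much as the inside LAN.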
Concept
NAT techniques
[Command syntax residue from a table: access-group access_list_name [in|out] interface ...; two access-list entries of the form "extended deny tcp 192.168.1.0 ..."]
VPN
a. Introduction
Site-to-site VPN
AnyConnect VPN
STEP 5:
Create an IP address pool from which the ASA assigns addresses to remote users. From the diagram above, after a user authenticates, the ASA assigns the remote user an IP address from the range 192.168.5.1 to 192.168.5.20.
[ACL residue: permit ip 192.168.1.0 ...]
Enable the feature that lists the alias names on the AnyConnect client's screen.
STEP 9: Create a local user on the ASA; it will be used to authenticate AnyConnect.
ASA(config)# username ssluser1 password secretpass
ASA(config)# username ssluser1 attributes
ASA(config-username)# service-type remote-access
f. Routing Protocol
a. Concept
Routing techniques
Static routing
RIP:
OSPF:
EIGRP
[Network diagram residue: WEB Server 10.0.0.2/24; 203.162.4.0/24 Outside; 200.200.200.0/24 INTERNET; E0/2 Primary ISP; E0/3 123.0.0.0/24 INTERNET Backup ISP; E0/1 192.168.10.0/24 Inside; E0/0 ASA 192.168.10.2/24]
ii.
b.
NAT
Link monitoring
frequency 5
sla monitor schedule 100 life forever start-time now
track 10 rtr 100 reachability
route outside 0.0.0.0 0.0.0.0 203.162.4.2 1 track 10
route backup 0.0.0.0 0.0.0.0 123.0.0.2 254
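The five lines above are the failover mechanism of the dual-ISP design: the tracked default route through outside (distance 1) stays in the routing table only while SLA operation 100 reports reachability, and the untracked route through backup (distance 254) takes over when it is withdrawn. The script below is an added example, not code from the report; it parses the report's track and route lines and computes the active default gateway for each reachability state. The SLA probe itself is not simulated (its definition is cut off in the source), so its result is passed in as a flag.

```python
"""Which default route the ASA installs for a given SLA state (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The track and route lines from the report's link-monitoring section.
CONFIG = """\
track 10 rtr 100 reachability
route outside 0.0.0.0 0.0.0.0 203.162.4.2 1 track 10
route backup 0.0.0.0 0.0.0.0 123.0.0.2 254
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?(?:\s+track\s+(\d+))?$")
TRACK_RE = re.compile(r"^track\s+(\d+)\s+rtr\s+(\d+)\s+reachability$")


@dataclass(frozen=True)
class StaticRoute:
    interface: str
    network: str
    mask: str
    gateway: str
    distance: int            # trailing number of the route command (default 1)
    track_id: Optional[int]  # track object the route depends on, if any


def parse_tracks(text: str) -> Dict[int, int]:
    """Map track object id -> SLA operation id."""
    tracks: Dict[int, int] = {}
    for line in text.splitlines():
        m = TRACK_RE.match(line.strip())
        if m:
            tracks[int(m.group(1))] = int(m.group(2))
    return tracks


def parse_routes(text: str) -> List[StaticRoute]:
    routes: List[StaticRoute] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, net, mask, gw, distance, track = m.groups()
            routes.append(StaticRoute(iface, net, mask, gw,
                                      int(distance) if distance else 1,
                                      int(track) if track else None))
    return routes


def installed_routes(routes: List[StaticRoute], tracks: Dict[int, int],
                     sla_reachable: Dict[int, bool]) -> List[StaticRoute]:
    """Routes that are in the routing table: untracked ones always, tracked ones
    only while the SLA operation behind their track object reports reachability."""
    return [r for r in routes
            if r.track_id is None or sla_reachable.get(tracks.get(r.track_id, -1), False)]


def active_default_route(routes: List[StaticRoute], tracks: Dict[int, int],
                         sla_reachable: Dict[int, bool]) -> Optional[StaticRoute]:
    """Among the installed default routes the lowest distance wins."""
    candidates = [r for r in installed_routes(routes, tracks, sla_reachable)
                  if r.network == "0.0.0.0" and r.mask == "0.0.0.0"]
    return min(candidates, key=lambda r: r.distance, default=None)


if __name__ == "__main__":
    routes, tracks = parse_routes(CONFIG), parse_tracks(CONFIG)
    for state in (True, False):
        r = active_default_route(routes, tracks, {100: state})
        print(f"sla 100 reachable={state!s:5} -> default via {r.gateway} on {r.interface} "
              f"(distance {r.distance})")
```

Because the function is stateless, it also shows the preemption behaviour: as soon as the probe succeeds again the outside route is reinstalled and wins on distance, so a flapping primary link produces a flapping default gateway unless the SLA timeout and threshold are chosen to absorb short outages.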
v. DHCP
We build the DHCP server directly on the ASA so that it hands out IP addresses to the inside network:
dhcpd address 192.168.10.50-192.168.10.100 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
APPENDIX
ASA configuration
ciscoasa# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 203.162.4.1 255.255.255.0
!
interface Ethernet0/3
nameif backup
security-level 100
ip address 123.0.0.1 255.255.255.0
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list icmp-in extended permit icmp any any
access-list 101 extended permit tcp any host 203.162.4.100 eq www
access-list 101 extended permit tcp any host 203.162.4.100 eq ftp
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any host 203.162.4.100 eq ftp-data
access-list NO_NAT extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
pager lines 24
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list NO_NAT
[Cut-off configuration line: ... tcp 203.162.4.100 www 10.10.10.2 www netmask ...]
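A configuration like the appendix above is easiest to review mechanically. The script below is an added example, not code from the report: it parses an excerpt of the appendix (interfaces, ACLs, NAT lines) together with the two default routes from the link-monitoring section, and reports the points a reviewer would raise first, such as two named interfaces sharing a security level, an ISP-facing interface whose level is not 0, permit any/any entries, and ACLs that are defined but never applied with access-group. Indentation was lost in extraction, so every line is stripped before matching. The appendix is cut off in the source, so an ACL reported as unbound here may well be bound further down in the real configuration.

```python
"""Hygiene checks over an ASA 8.0 'show run' excerpt (added example)."""
import re
from collections import defaultdict
from typing import List, Optional

# Excerpt of the report's appendix plus its two default routes (ip address
# lines omitted; the checks below do not need them).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif inside
 security-level 100
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
!
interface Ethernet0/2
 nameif outside
 security-level 0
!
interface Ethernet0/3
 nameif backup
 security-level 100
!
access-list icmp-in extended permit icmp any any
access-list 101 extended permit tcp any host 203.162.4.100 eq www
access-list 101 extended permit tcp any host 203.162.4.100 eq ftp
access-list 101 extended permit icmp any any
access-list NO_NAT extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
nat-control
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list NO_NAT
route outside 0.0.0.0 0.0.0.0 203.162.4.2 1 track 10
route backup 0.0.0.0 0.0.0.0 123.0.0.2 254
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
NAT_ACL_RE = re.compile(r"^nat \(\S+\) \d+ access-list (\S+)")
DEFAULT_ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ")


def parse_config(text: str) -> dict:
    """Collect interface levels, ACEs, bound ACLs, NAT-referenced ACLs and default-route interfaces."""
    cfg = {"levels": {}, "aces": [], "bound_acls": set(), "nat_acls": set(),
           "default_route_ifs": set(), "nat_control": False}
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"nameif": None, "level": None}
        elif line == "!":
            current = None
        elif current is not None:                      # inside an interface block
            if line.startswith("nameif "):
                current["nameif"] = line.split()[1]
            elif line.startswith("security-level "):
                current["level"] = int(line.split()[1])
            if current["nameif"] is not None and current["level"] is not None:
                cfg["levels"][current["nameif"]] = current["level"]
        elif (m := ACE_RE.match(line)):
            acl, action, proto, rest = m.groups()
            cfg["aces"].append((acl, action, proto, rest.split()))
        elif (m := GROUP_RE.match(line)):
            cfg["bound_acls"].add(m.group(1))
        elif (m := NAT_ACL_RE.match(line)):
            cfg["nat_acls"].add(m.group(1))
        elif (m := DEFAULT_ROUTE_RE.match(line)):
            cfg["default_route_ifs"].add(m.group(1))
        elif line == "nat-control":
            cfg["nat_control"] = True
    return cfg


def audit(cfg: dict) -> List[str]:
    findings: List[str] = []
    by_level = defaultdict(list)
    for name, level in cfg["levels"].items():
        by_level[level].append(name)
    for level, names in sorted(by_level.items()):
        if len(names) > 1:
            findings.append(f"same-level: {sorted(names)} share security-level {level}; "
                            f"traffic between them needs same-security-traffic permit inter-interface")
    for name in sorted(cfg["default_route_ifs"]):   # interfaces that face an ISP
        level = cfg["levels"].get(name)
        if level is not None and level > 0:
            findings.append(f"wan-level: {name} carries a default route but has security-level {level}, "
                            f"so hosts behind it are trusted like any other level-{level} interface")
    for acl, action, proto, fields in cfg["aces"]:
        if action == "permit" and fields[:2] == ["any", "any"]:
            findings.append(f"any-any: ACL {acl} permits {proto} from any to any")
    for acl in sorted({a[0] for a in cfg["aces"]}):
        if acl not in cfg["bound_acls"] and acl not in cfg["nat_acls"]:
            findings.append(f"unbound: ACL {acl} is defined but not applied with access-group in this excerpt")
    if cfg["nat_control"]:
        findings.append("nat-control: every flow through the ASA needs a matching NAT rule")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

On the report's configuration the script flags the backup interface twice: it shares level 100 with inside, and it is the interface behind the second default route, so the backup ISP link is configured as a trusted segment rather than as a second outside.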