03 Cisco Firewall Basic Configuration

Lesson 3: Getting Started with Cisco Security Appliances
SNPA v4.0, © 2005 Cisco Systems, Inc. All rights reserved.

User Interface

Firewall Access Modes

Cisco firewalls have four administrative access modes: Unprivileged, Privileged, Configuration and Monitor.

Access Privileged Mode

    firewall> enable [priv_level]

Used to control access to the privileged mode; from there you can reach the other modes.

    pixfirewall> enable
    password:
    pixfirewall#

Entering configuration mode: the configure terminal command

    firewall# configure terminal

Used to start configuration mode to enter configuration commands from a terminal.

    pixfirewall> enable
    password:
    pixfirewall# configure terminal
    pixfirewall(config)# exit
    pixfirewall# exit
    pixfirewall>

    firewall# exit

Used to exit from an access mode.

The help command

    pixfirewall> help ?
    enable   Turn on privileged commands
    exit     Exit the current command mode
    login    Log in as a particular user
    logout   Exit from current command mode, and to unprivileged mode
    quit     Exit the current command mode
    pixfirewall> help enable
    USAGE:
      enable []
    DESCRIPTION:
      enable  Turn on privileged commands

File Management

Viewing and Saving Your Configuration

The following commands enable you to view or save your configuration:

    copy run start
    show running-config
    show startup-config
    write memory
    write terminal

Configuration changes: to save configuration changes, use copy run start (running-config is copied to the saved startup-config).

Clearing the Running Configuration

    firewall(config)# clear configure all

Clears the running configuration.

    fw1(config)# clear config all

(Diagram: running-config cleared; startup-config shown as default.)

Clearing the Startup Configuration

    firewall# write erase

Clears the startup configuration.

    fw1# write erase

(Diagram: running-config unchanged; startup-config returned to default.)

Reload the Configuration: the reload Command

Reboots the security appliance and reloads the configuration. Reboots can be scheduled.

    fw1# reload
    Proceed with reload? [confirm] y
    Rebooting...

    reload [noconfirm] [cancel] [quick] [save-config] [max-hold-time [hh:]mm] [in [hh:]mm | at hh:mm [{month day} | {day month}]] [reason text]

File System

Release 6.x and earlier: software image, configuration file, private data file, PDM image, crash information.

Release 7.x and later: software image, configuration file, private data, PDM image, backup image*, backup configuration file*, virtual firewall configuration file*. (* Space available)

Displaying Stored Files: System and Configuration

Display the directory contents. On the PIX Firewall the file system is flash:; on the ASA it is disk0: and disk1:.

    dir [/recursive] [{disk0: | disk1: | flash:}]

    firewall# dir
    Directory of flash:/
    3    -rw-  4902912   13:37:33 Jul 27 2005  pix-701.bin
    4    -rw-  6748932   13:21:13 Jul 28 2005  asdm-501.bin
    16128000 bytes total (4472832 bytes free)

Selecting the Boot System File

The appliance can store more than one system image and configuration file; the boot command designates which system image and startup configuration file to boot.

    firewall(config)# boot {system | config}

    fw1(config)# boot system flash:/pix-701.bin

Verifying the Startup System Image

Display the system boot image.

    firewall# show bootvar

    fw1# show bootvar
    BOOT variable = flash:/pix-701.bin
    Current BOOT variable = flash:/pix-701.bin
    CONFIG_FILE variable =
    Current CONFIG_FILE variable =

(Diagram: boot image flash:/pix-701.bin, both configured and running.)

Security Appliance Security Levels

Functions of the Security Appliance: the Security Algorithm

- Implements stateful connection control through the security appliance.
- Allows one-way (outbound) connections with a minimum number of configuration changes. An outbound connection is a connection originating from a host on a more-protected interface and destined for a host on a less-protected network.
- Monitors return packets to ensure that they are valid.
- Randomizes the first TCP sequence number to minimize the risk of attack.

Security Level Example

(Diagram: interfaces e0, e1 and e2, with e0 facing the Internet.)

Basic Security Appliance Configuration

Assigning a Hostname to the Security Appliance: Changing the CLI Prompt

    pixfirewall(config)# hostname newname

Changes the hostname in the PIX Firewall CLI prompt.

    pixfirewall(config)# hostname Boston
    Boston(config)#

(Diagram: servers at Boston, New_York and Dallas.)

Basic CLI Commands for Security Appliances

    hostname
    interface
    nameif
    ip address
    security-level
    speed
    duplex
    no shutdown
    nat-control
    nat
    global
    route

The interface Command and Subcommands

    firewall(config)# interface hardware_id

Specifies a perimeter interface and its slot location on the firewall (Ethernet0, Ethernet1, Ethernet2).

    fw1(config)# interface ethernet0 (GigabitEthernet0/0)
    fw1(config-if)#

Assign an Interface Name: the nameif Subcommand

    firewall(config-if)# nameif hardware_id if_name

Assigns a name to each perimeter interface on the PIX Firewall Security Appliance.

    fw1(config)# interface ethernet0 (GigabitEthernet0/0)
    fw1(config-if)# nameif outside

(Diagram: Ethernet0 is named outside, Ethernet1 inside and Ethernet2 dmz.)

Assign an Interface IP Address: the ip address Subcommand

    firewall(config-if)# ip address ip_address [netmask]

Assigns an IP address to each interface.

    fw1(config)# interface ethernet0 (GigabitEthernet0/0)
    fw1(config-if)# nameif outside
    fw1(config-if)# ip address 192.168.1.2 255.255.255.0

(Diagram: Ethernet0, interface name outside, IP address 192.168.1.2.)

DHCP-Assigned Address

    firewall(config-if)# ip address if_name dhcp [setroute] [retry retry_cnt]

Enables the DHCP client feature on the outside interface.

    fw1(config)# interface ethernet0 (GigabitEthernet0/0)
    fw1(config-if)# nameif outside
    fw1(config-if)# ip address dhcp

(Diagram: Ethernet0, interface name outside, IP address assigned by DHCP from the Internet side.)

Assign a Security Level: the security-level Subcommand

    firewall(config-if)# security-level number

Assigns a security level to the interface.

    fw1(config)# interface ethernet0 (GigabitEthernet0/0)
    fw1(config-if)# nameif outside
    fw1(config-if)# ip address 192.168.1.2
    fw1(config-if)# security-level 0

(Diagram: Ethernet0, interface name outside, IP address 192.168.1.2, security level 0.)

Assign an Interface Speed and Duplex: the speed and duplex Subcommands

    firewall(config-if)# speed [hardware_speed]
    firewall(config-if)# duplex [duplex_operation]

Sets the speed and duplex of an interface.

    fw1(config)# interface ethernet0 (GigabitEthernet0/0)
    fw1(config-if)# nameif outside
    fw1(config-if)# ip address 192.168.1.2
    fw1(config-if)# security-level 0
    fw1(config-if)# speed 100
    fw1(config-if)# duplex full

(Diagram: Ethernet0, speed 100, duplex full.)

ASA Management Interface

    firewall(config-if)# management-only
    firewall(config-if)# no management-only

Sets an interface to accept management traffic only.

    fw1(config)# interface management 0/0
    fw1(config-if)# nameif outside
    fw1(config-if)# ip address 192.168.1.2
    fw1(config-if)# security-level 0

(Diagram: Ethernet0, management only.)

Network Address Translation

(Diagram: inside hosts 10.0.0.11 and 10.0.0.4; the translation table maps 10.0.0.11 to 192.168.0.20.)

Enable NAT Control

    fw1(config)# nat-control

Enables or disables the NAT configuration requirement.

(Diagram: inside hosts 10.0.0.11 and 10.0.0.4; the translation table maps 10.0.0.11 to 192.168.0.20 when it reaches 200.200.200.11.)

The nat Command

    firewall(config)# nat [(if_name)] nat_id address [netmask] [dns] [[tcp] tcp_max_conns [emb_limit] [norandomseq]] [udp udp_max_conns]

Enables IP address translation.

    fw1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0

(Diagram: inside hosts 10.0.0.11 and 10.0.0.4; 10.0.0.11 is translated to X.X.X.X.)

The global Command

Works with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall, for example 192.168.0.20-192.168.0.254.

    firewall(config)# global [(if_name)] nat_id {mapped_ip[-mapped_ip] [netmask mapped_mask] | interface}

    fw1(config)# nat (inside) 1 0.0.0.0 0.0.0.0
    fw1(config)# global (outside) 1 192.168.0.20-192.168.0.254

(Diagram: inside hosts 10.0.0.11 and 10.0.0.4; 10.0.0.11 is translated to 192.168.0.20.)

Configure a Static Route: the route Command

    firewall(config)# route if_name ip_address netmask gateway_ip [metric]

Defines a static or default route for an interface.

    fw1(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
    fw1(config)# route inside 10.0.1.0 255.255.255.0 10.0.0.102 1

(Diagram: default route via 192.168.0.1 on the outside; static route to 10.0.1.0 (hosts 10.0.1.11 and 10.0.1.4) via 10.0.0.102 on the inside.)

Hostname-to-IP-Address Mapping: the name Command

    firewall(config)# name ip_address name

Configures a list of name-to-IP-address mappings on the security appliance.

    fw1(config)# names
    fw1(config)# name 172.16.0.2 bastionhost
    fw1(config)# name 10.0.0.11 insidehost

(Diagram: "bastionhost" is 172.16.0.2 on network 172.16.0.0 (firewall .1); "insidehost" is 10.0.0.11 on network 10.0.0.0 (firewall .1).)

Configuration Example

    write terminal
    interface ethernet0
     nameif outside
     security-level 0
     speed 100
     duplex full
     ip address 192.168.2.2 255.255.255.0
    interface ethernet1
     nameif inside
     security-level 100
     speed 100
     duplex full
     ip address 10.0.1.1 255.255.255.0

(Diagram: Ethernet0, interface name outside, security level 0, IP address 192.168.6.2; Ethernet1, interface name inside, security level 100, IP address 10.0.6.1; networks 172.16.6.0, 10.0.6.0, 192.168.6.0 and 10.1.6.0.)

Configuration Example (Cont.)

    interface ethernet2
     nameif dmz
     security-level 50
     speed 100
     duplex full
     ip address 172.16.2.2 255.255.255.0
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname fw1
    names
    name 172.16.6.2 bastionhost
    name 10.1.6.11 insidehost

(Diagram: Ethernet2, interface name dmz, security level 50, IP address 172.16.6.1; "insidehost" 10.1.6.11; "bastionhost" 172.16.6.2.)

Configuration Example (Cont.)

    nat-control
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    global (outside) 1 192.168.6.20-192.168.6.254
    route outside 0.0.0.0 0.0.0.0 192.168.6.1 1
    route inside 10.1.6.0 255.255.255.0 10.0.6.102 1

(Diagram: mapped pool 192.168.6.20-254 on the outside; default route via 192.168.6.1; static route to 10.1.6.0 via 10.0.6.102; "insidehost" 10.1.6.11; "bastionhost" 172.16.6.2.)
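The Configuration Example above is the kind of text a reviewer checks line by line before an appliance goes into service. The following added Python example (not part of the Cisco course material) parses that example, embedded as constructed input with the speed, duplex, passwd, hostname and name lines left out, and runs the checks this lesson implies: every interface has a nameif, security-level and ip address; outside is 0 and inside is 100; nat-control is set; every nat id has a matching global pool; nat, global and route statements name interfaces that exist; a default route is present; and each route's gateway lies on the subnet of the interface the route is attached to. The check names and message strings are this example's own. Run on the lesson's configuration, the last check fires twice: the interfaces are addressed as 192.168.2.2 and 10.0.1.1, but the routes point at 192.168.6.1 and 10.0.6.102, which is the mismatch between the configuration slides and their diagrams.

```python
"""Basic lint for a PIX/ASA 7.x-style configuration (added example; not part
of the Cisco SNPA material). Parses the subset of commands this lesson covers
and reports what a reviewer would check on a freshly configured appliance."""
import ipaddress

# Constructed input: the lesson's Configuration Example, with the speed,
# duplex, passwd, hostname and name lines left out (they are not checked).
SAMPLE_CONFIG = """\
interface ethernet0
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
interface ethernet1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
interface ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.2.2 255.255.255.0
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 192.168.6.20-192.168.6.254
route outside 0.0.0.0 0.0.0.0 192.168.6.1 1
route inside 10.1.6.0 255.255.255.0 10.0.6.102 1
"""

def parse_config(text):
    """Column-0 lines are global commands; indented lines are subcommands
    of the most recent interface command, as in show run output."""
    cfg = {"interfaces": {}, "nat": {}, "global": {}, "routes": [],
           "nat_control": False}
    current = None
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("!"):
            continue
        if not line.startswith(" "):
            current = None
            if words[0] == "interface":
                current = words[1]
                cfg["interfaces"][current] = {}
            elif words[0] == "nat-control":
                cfg["nat_control"] = True
            elif words[0] in ("nat", "global"):
                # nat (if_name) nat_id ...  /  global (if_name) nat_id ...
                cfg[words[0]].setdefault(int(words[2]), []).append(
                    words[1].strip("()"))
            elif words[0] == "route":
                # route if_name ip_address netmask gateway_ip [metric]
                cfg["routes"].append({"if": words[1], "net": words[2],
                                      "mask": words[3], "gw": words[4]})
        elif current is not None:
            props = cfg["interfaces"][current]
            if words[0] == "nameif":
                props["nameif"] = words[1]
            elif words[0] == "security-level":
                props["security_level"] = int(words[1])
            elif words[:2] == ["ip", "address"] and words[2] == "dhcp":
                props["ip"] = "dhcp"  # subnet unknown until a lease arrives
            elif words[:2] == ["ip", "address"]:  # no netmask: recorded as /32
                props["ip"] = ipaddress.ip_interface("/".join(words[2:4]))
    return cfg

def lint(cfg):
    """Return a list of findings; an empty list means the basics check out."""
    findings, by_name = [], {}
    for hw, props in cfg["interfaces"].items():
        for key in ("nameif", "security_level", "ip"):
            if key not in props:
                findings.append(f"{hw}: missing {key.replace('_', '-')}")
        if "nameif" in props:
            by_name[props["nameif"]] = props
    # outside is the least trusted interface, inside the most trusted
    if by_name.get("outside", {}).get("security_level") not in (None, 0):
        findings.append("outside: security-level is not 0")
    if by_name.get("inside", {}).get("security_level") not in (None, 100):
        findings.append("inside: security-level is not 100")
    if not cfg["nat_control"]:
        findings.append("nat-control not set: translation is not required")
    for nat_id in set(cfg["nat"]) - set(cfg["global"]):
        findings.append(f"nat id {nat_id} has no global pool")
    used = [n for ids in cfg["nat"].values() for n in ids]
    used += [n for ids in cfg["global"].values() for n in ids]
    used += [r["if"] for r in cfg["routes"]]
    findings += [f"unknown interface name {n}" for n in used if n not in by_name]
    if not any(r["net"] == r["mask"] == "0.0.0.0" for r in cfg["routes"]):
        findings.append("no default route")
    # a next hop must sit on the subnet of the interface the route names
    for r in cfg["routes"]:
        ip = by_name.get(r["if"], {}).get("ip")
        if (isinstance(ip, ipaddress.IPv4Interface)
                and ipaddress.ip_address(r["gw"]) not in ip.network):
            findings.append(f"route {r['if']} {r['net']}: gateway "
                            f"{r['gw']} is not on {ip.network}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(parse_config(SAMPLE_CONFIG))) or "no findings")
```

Feed it the output of write terminal (or show running-config) from a real unit and each finding names the interface or statement to look at; a clean run does not prove the policy is right, only that the lesson's prerequisites for a working translation and routing setup are in place.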

Examining Security Appliance Status

show Commands

    fw1# show interface
    Interface GigabitEthernet0/0 "outside", is up, line protocol is up
      Detected: Speed 100 Mbps, Full-duplex
      Requested: Auto
      MAC address 000b.fcf8.c538, MTU 1500
      IP address 192.168.1.2, subnet mask 255.255.255.0
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 packets output, 0 bytes, 0 underruns
      input queue (curr/max blocks): hardware (0/0) software (0/0)
      output queue (curr/max blocks): hardware (0/0) software (0/0)
      Received 0 VLAN untagged packets, 0 bytes
      Transmitted 0 VLAN untagged packets, 0 bytes
      Dropped 0 VLAN untagged packets

    fw1# show run interface
    !
    interface Ethernet0
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address 192.168.2.2 255.255.255.0
    !
    interface Ethernet1
     speed 100
     duplex full
     nameif inside
     security-level 100
     ip address 10.0.2.1 255.255.255.0

The show memory Command

    firewall# show memory

Displays system memory usage information.

    fw1# show memory
    Free memory:   49046552 bytes
    Used memory:   18062312 bytes
    -------------  ----------------
    Total memory:  67108864 bytes

The show cpu usage Command

    firewall# show cpu usage

Displays CPU use.

    fw1# show cpu usage
    CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

The show version Command

    firewall# show version

Displays the security appliance's software version, operating time since its last reboot, processor type, Flash memory type, interface boards, serial number (BIOS identification), and activation key value.

    Cisco PIX Security Appliance Software Version 7.0(1)
    Compiled on Thu 31-Mar-05 14:37 by builders
    System image file is "flash:/pix-701.bin"
    Config file at boot was "startup-config"
    pixfirewall up 12 mins 24 secs
    Hardware:   PIX-515, 128 MB RAM, CPU Pentium 200 MHz
    Flash i28F640J5 @ 0x300, 16MB
    ...

The show ip address Command

    fw1# show ip address
    System IP Addresses:
    Interface   Name      IP address     Subnet mask      Method
    Ethernet0   outside   192.168.1.2    255.255.255.0    CONFIG
    Ethernet1   inside    10.0.1.1       255.255.255.0    CONFIG
    Ethernet2   dmz       172.16.1.1     255.255.255.0    CONFIG
    Current IP Addresses:
    Interface   Name      IP address     Subnet mask      Method
    Ethernet0   outside   192.168.1.2    255.255.255.0    CONFIG
    Ethernet1   inside    10.0.1.1       255.255.255.0    CONFIG
    Ethernet2   dmz       172.16.1.1     255.255.255.0    CONFIG

(Diagram: networks 172.16.6.0, 10.0.6.0, 192.168.6.0 and 10.1.6.0 around the firewall, outside toward the Internet.)

The show interface Command

    fw1# show interface
    interface ethernet0 "outside" is up, line protocol is up
      Hardware is i82559 ethernet, address is 0050.54ff.653a
      IP address 192.168.0.2, subnet mask 255.255.255.0
      MTU 1500 bytes, BW 100000 Kbit full duplex
        4 packets input, 282 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        20 packets output, 1242 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0
        output queue (curr/max blocks): hardware (0/1) software (0/1)

The show nameif Command

    fw1# show nameif
    Interface   Name      Security
    Ethernet0   outside   0
    Ethernet1   inside    100
    Ethernet2   dmz       50

(Diagram: Ethernet0 outside, security level 0; Ethernet1 inside, security level 100; Ethernet2 dmz, security level 50; e0 toward the Internet.)

The show run nat Command

    firewall# show run nat

Displays a single host or range of hosts to be translated.

    fw1# show run nat
    nat (inside) 1 10.0.0.0 255.255.255.0 0 0

(Diagram: inside hosts 10.0.0.11 and 10.0.0.4; 10.0.0.X is translated to X.X.X.X toward the Internet.)

The show run global Command

Displays the pool of mapped addres

    fw1# show run global
    global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

(Diagram: mapped pool 192.168.0.20-192.168.0.254 on the outside; inside hosts 10.0.0.11 and 10.0.0.4.)
