User-based MPF
username user1 password cisco
username user2 password cisco
!! Create two accounts for user authentication
object-group user group1
 user LOCAL\user1      !! The user is matched against the local database; it could also be ACS
object-group user group2
 user LOCAL\user2
access-list 100 extended permit tcp any any eq 80   !! Traffic that must authenticate
aaa authentication match 100 inside LOCAL            !! Traffic matching ACL 100 must authenticate; the authentication database is LOCAL
access-list filter-shrun permit tcp object-group-user group1 any any eq www   !! Matches web traffic from user1
access-list filter-who permit tcp object-group-user group2 any any eq www     !! Matches web traffic from user2
regex who "Who"
regex shrun "sh/run"      !! Regular expressions for the keywords "Who" and "sh/run"
class-map class1
 match access-list filter-shrun   !! Matches the traffic
class-map class2
 match access-list filter-who
policy-map type inspect http policy-map1   !! Note: this is a layer 5-7 inspection policy
 parameters
 match request uri regex shrun   !! When the request URI matches the regular expression
  drop-connection log            !! Drop the connection and log it
policy-map type inspect http policy-map2
 parameters
 match request uri regex who
  reset
policy-map global_policy
 class class1
  inspect http policy-map1   !! Deep (application-layer) inspection
 class class2
  inspect http policy-map2
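To make the chain of decisions in this configuration visible (ACL 100 forces authentication, the authenticated user's object-group selects the class-map, and only that class's HTTP inspection policy is applied to the request URI), here is an added Python model of the evaluation. It is example code written for this page, not ASA code or anything from the original article; the user names, groups, regexes and actions are taken from the configuration above, while `evaluate`, `Decision` and the table layout are this example's own simplification.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the article's configuration (not ASA data structures):
# which local users belong to which object-group user.
USER_GROUPS: Dict[str, str] = {"LOCAL\\user1": "group1", "LOCAL\\user2": "group2"}


@dataclass
class HttpInspectPolicy:
    name: str
    uri_regex: "re.Pattern[str]"   # `match request uri regex <name>`
    action: str                    # "drop-connection log" or "reset"


# global_policy: class-map -> object-group-user ACL -> inspect http policy
CLASS_POLICIES: List[Tuple[str, str, HttpInspectPolicy]] = [
    ("class1", "group1", HttpInspectPolicy("policy-map1", re.compile(r"sh/run"), "drop-connection log")),
    ("class2", "group2", HttpInspectPolicy("policy-map2", re.compile(r"Who"), "reset")),
]


@dataclass
class Decision:
    authenticated: bool
    class_map: Optional[str]
    action: str


def evaluate(user: Optional[str], dst_port: int, uri: str) -> Decision:
    """Walk the policy the way the configuration chains it: ACL 100 forces
    authentication for port 80, the user's group selects the class-map, and the
    class's HTTP inspection applies its regex to the request URI."""
    if dst_port != 80:
        return Decision(False, None, "permit (not subject to ACL 100)")
    if user is None:
        # aaa authentication match 100: unauthenticated port-80 traffic is not let through
        return Decision(False, None, "deny (authentication required by ACL 100)")
    group = USER_GROUPS.get(user)
    for class_name, class_group, policy in CLASS_POLICIES:
        if group == class_group:
            if policy.uri_regex.search(uri):
                return Decision(True, class_name, policy.action)
            return Decision(True, class_name, "permit (inspected, no regex match)")
    return Decision(True, None, "permit (no class matched)")


if __name__ == "__main__":
    for who, port, uri in [("LOCAL\\user1", 80, "/sh/run"), ("LOCAL\\user2", 80, "/Who"),
                           ("LOCAL\\user1", 80, "/Who"), (None, 80, "/"), ("LOCAL\\user1", 443, "/sh/run")]:
        print(who, port, uri, "->", evaluate(who, port, uri))
```

The third case is the one worth noticing: user1 requesting a URI containing "Who" is permitted, because the identity, not the destination, decides which inspection policy runs.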
Botnet Traffic Filter
This can be added through ASDM.
NAT
Object NAT: can only translate either the source or the destination IP.
Twice NAT: translates the source and the destination IP together when the rule's policy matches.
Static NAT (commonly used to publish a server's port to the outside), PAT (dynamic address plus port translation), Identity NAT (exempts some addresses from translation).
A network segment is translated to an address range.
Configuring dynamic NAT
object network innet
 subnet 192.168.17.0 255.255.255.0
object network outnet
 range 192.168.16.60 192.168.16.70
object network innet
 nat (inside,outside) dynamic outnet
Viewing the result:
asa(config)# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
NAT from inside:192.168.17.100 to outside:192.168.16.65 flags i idle 0:01:03 timeout 3:00:00
asa(config)# show running-config nat
!
object network innet
 nat (inside,outside) dynamic outnet
asa(config)# show running-config object network
object network innet
 subnet 192.168.17.0 255.255.255.0
object network outnet
 range 192.168.16.60 192.168.16.70
asa(config)# show running-config timeout
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
Change the NAT translation timeout: asa(config)# timeout xlate 1:0:0
Clear the translation table: asa(config)# clear xlate
Static NAT
Change the range in the dynamic example's object to a host, and change dynamic to static.
PAT: a range of addresses is translated to a single address, with connections distinguished by port.
PAT
!
object network innet
 nat (inside,dmz) dynamic 192.168.12.110   // points directly at a single address
asa# show xlate
1 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
TCP PAT from inside:192.168.17.100/49526 to dmz:192.168.12.110/49526 flags ri idle 0:01:15 timeout 0:00:30
Dynamic NAT first; when the address pool is exhausted, fall back to PAT.
object network outpool
 range 192.168.16.119 192.168.16.120
object network innet
 subnet 7.7.7.0 255.255.255.0
!
object network innet
 nat (inside,outside) dynamic outpool interface   // if the pool is exhausted, use the interface IP for PAT
asa# show xlate
4 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
ICMP PAT from inside:7.7.7.1/14 to dmz:192.168.12.139/14 flags ri idle 0:00:04 timeout 0:00:30
NAT from inside:7.7.7.3 to dmz:192.168.12.119 flags i idle 0:00:08 timeout 1:00:00
NAT from inside:7.7.7.2 to dmz:192.168.12.120 flags i idle 0:00:06 timeout 1:00:00
ICMP PAT from inside:7.7.7.7/15 to dmz:192.168.12.139/15 flags ri idle 0:00:01 timeout 0:00:30
PAT Address Pool
nat (inside,dmz) dynamic pat-pool dmzpool round-robin
round-robin rotates through the addresses in the pool dmzpool, so successive translations are spread over different pool addresses instead of exhausting one address's ports first.
asa(config-network-object)# show xlate
4 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
ICMP PAT from inside:7.7.7.1/22 to dmz:192.168.12.119/22 flags ri idle 0:00:03 timeout 0:00:30
ICMP PAT from inside:7.7.7.3/20 to dmz:192.168.12.119/20 flags ri idle 0:00:07 timeout 0:00:30
ICMP PAT from inside:7.7.7.2/21 to dmz:192.168.12.120/21 flags ri idle 0:00:05 timeout 0:00:30
ICMP PAT from inside:7.7.7.7/23 to dmz:192.168.12.120/23 flags ri idle 0:00:01 timeout 0:00:30
Static PAT
object network dmz_web_server
 host 192.168.12.100
 nat (dmz,outside) static interface service tcp www www   // the service could instead be e.g. tcp ftp 2121
Note: with this nat line present, 192.168.16.139 can be reached but 192.168.12.100 cannot; without it, 192.168.12.100 can be reached.
access-list OUT-DMZ extended permit tcp any object dmz_web_server eq www
access-group OUT-DMZ in interface outside
asa(config-network-object)# show xlate
1 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
TCP PAT from dmz:192.168.12.100 80-80 to outside:192.168.16.139 80-80 flags sr idle 0:02:40 timeout 0:00:00
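The `show xlate` listings above all follow one line format, and the flag letters tell the translation type apart (case matters: `i` is dynamic, `I` identity, `s` static, `r` portmap/PAT, `T` twice). The following Python parser is an added example written for this page, not ASA output handling from the article; `SAMPLE_XLATE` is a constructed listing pasted together from the entries shown in this article, and the dataclass fields and function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: `show xlate` lines shown in this article, pasted into one listing.
SAMPLE_XLATE = """\
5 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net
ICMP PAT from inside:7.7.7.1/14 to dmz:192.168.12.139/14 flags ri idle 0:00:04 timeout 0:00:30
NAT from inside:7.7.7.3 to dmz:192.168.12.119 flags i idle 0:00:08 timeout 1:00:00
ICMP PAT from inside:7.7.7.7/15 to dmz:192.168.12.139/15 flags ri idle 0:00:01 timeout 0:00:30
TCP PAT from dmz:192.168.12.100 80-80 to outside:192.168.16.139 80-80 flags sr idle 0:02:40 timeout 0:00:00
NAT from inside:192.168.17.100 to outside:192.168.16.65 flags i idle 0:01:03 timeout 3:00:00
"""

# One translation line. Ports (or ICMP ids) appear as "/port" on dynamic PAT
# entries and as "low-high" ranges on static PAT entries; both forms are accepted.
ENTRY_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP) PAT|NAT) from "
    r"(?P<real_if>[^:\s]+):(?P<real_ip>[\d.]+)"
    r"(?:/(?P<real_port>\d+)|\s(?P<real_range>\d+-\d+))? to "
    r"(?P<map_if>[^:\s]+):(?P<map_ip>[\d.]+)"
    r"(?:/(?P<map_port>\d+)|\s(?P<map_range>\d+-\d+))? "
    r"flags (?P<flags>\S+) idle (?P<idle>\d+:\d+:\d+) timeout (?P<timeout>\d+:\d+:\d+)$"
)


def classify(flags: str) -> str:
    """Flag letters are case-sensitive: 'I' identity, 'i' dynamic, 's' static,
    'r' portmap (PAT), 'T' twice NAT."""
    if "I" in flags:
        return "identity NAT"
    base = "static" if "s" in flags else "dynamic"
    kind = f"{base} {'PAT' if 'r' in flags else 'NAT'}"
    return f"twice {kind}" if "T" in flags else kind


def hms_to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class Xlate:
    proto: Optional[str]      # TCP/UDP/ICMP for PAT entries, None for plain NAT
    real_if: str
    real_ip: str
    real_port: Optional[int]  # port (or ICMP id); low end of a "low-high" range
    map_if: str
    map_ip: str
    map_port: Optional[int]
    flags: str
    idle_s: int
    timeout_s: int            # 0 means the entry does not age out (static)

    @property
    def kind(self) -> str:
        return classify(self.flags)


def _port(port: Optional[str], rng: Optional[str]) -> Optional[int]:
    if port:
        return int(port)
    if rng:
        return int(rng.split("-")[0])
    return None


def parse_xlate(text: str) -> List[Xlate]:
    entries: List[Xlate] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # "n in use" and "Flags:" header lines carry no translation
        g = m.groupdict()
        entries.append(Xlate(
            proto=g["proto"],
            real_if=g["real_if"], real_ip=g["real_ip"],
            real_port=_port(g["real_port"], g["real_range"]),
            map_if=g["map_if"], map_ip=g["map_ip"],
            map_port=_port(g["map_port"], g["map_range"]),
            flags=g["flags"],
            idle_s=hms_to_seconds(g["idle"]),
            timeout_s=hms_to_seconds(g["timeout"]),
        ))
    return entries


def summarize(entries: List[Xlate]) -> Dict[str, int]:
    """Count entries per translation kind (dynamic NAT, dynamic PAT, static PAT, ...)."""
    return dict(Counter(e.kind for e in entries))


def mapped_address_usage(entries: List[Xlate]) -> Dict[str, int]:
    """How many translations share each mapped address: a count above 1 shows PAT
    overloading one address (e.g. the interface IP after the pool ran out)."""
    return dict(Counter(e.map_ip for e in entries))


if __name__ == "__main__":
    xl = parse_xlate(SAMPLE_XLATE)
    for e in xl:
        print(f"{e.kind:12} {e.real_if}:{e.real_ip} -> {e.map_if}:{e.map_ip} (flags {e.flags})")
    print(summarize(xl))
    print(mapped_address_usage(xl))
```

Run against real output, `mapped_address_usage` is the quick way to see the pool-exhaustion fallback described above: the two pool addresses each carry one translation while the interface address collects every PAT entry.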
Packet capture on the outside interface: [figure: capture, not reproduced]
Packet capture on the DMZ interface: [figure: capture, not reproduced]
Static NAT DNS Rewrite
Note: DNS inspection must be enabled on the ASA.
object network inside-web-server
 host 10.1.1.101
object network inside-web-server
 nat (inside,outside) static 202.100.1.101 dns
The ASA rewrites the address in the DNS reply, so an inside host resolving www.cisco.com actually reaches the inside web server directly.
Dynamic Identity NAT
Dynamic identity NAT translates the local address to the same address, towards a lower-security interface (high to low only).
Outbound traffic creates a temporary entry in the translation table.
Static Identity NAT
Same as above, but the table entry is permanent.
Twice NAT
The translation is applied only when the whole rule matches (source, and destination/service where specified).
Because twice NAT takes precedence over object NAT by default, it can exempt a small set of packets from object NAT by translating them to themselves, like identity NAT; other translations can be set as well (for example for VPN traffic).
object network dst-1
 host 1.1.1.1
object network dst-202
 host 202.100.1.1
object network pat-1
 host 202.100.1.101
object network pat-2
 host 202.100.1.102
object network inside-network
 subnet 10.1.1.0 255.255.255.0
object service telnet23
 service tcp destination eq telnet
object service telnet3032
 service tcp destination eq 3032
nat (inside,outside) source dynamic inside-network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
nat (inside,outside) source dynamic inside-network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
Main differences between network object NAT and twice NAT
Object NAT: NAT is a parameter of the object; the object can conveniently be referenced elsewhere (e.g. in an ACL), but only the source or the destination can be translated.
Twice NAT: objects are parameters of the NAT rule; custom objects (or object groups) can be used, which is highly extensible, and source and destination can be translated at the same time.
NAT Order
Priority one: twice NAT
Rules are evaluated in the order they were typed.
The order of twice NAT rules can be adjusted arbitrarily.
Priority two: object NAT
Static translations take precedence over dynamic translations.
Within the same type, rules are sorted by:
1. Address range (fewer addresses first)
2. IP address number (lower first)
3. Object name
192.168.1.1/32 (static)
10.1.1.0/24 (static)
192.168.1.0/24 (static)
172.16.1.0/24 (dynamic) (object abc)
172.16.1.0/24 (dynamic) (object def)
192.168.1.0/24 (dynamic)
Priority three: twice NAT with after-auto
Changing the order
By default twice NAT takes precedence over object NAT; with the after-auto parameter the twice NAT rule is placed after object NAT.
nat (inside,outside) after-auto source dynamic inside-network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
To put a twice NAT rule at the front, add the position number 1:
nat (inside,outside) 1 source dynamic inside-network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
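The three-section ordering described in this NAT Order section (twice NAT in typed order, object NAT sorted automatically, then after-auto twice NAT) is easy to get wrong when several object rules overlap, so here is an added Python model of it. This is example code written for this page, not ASA code or anything from the article; the object-NAT entries are the six from the example list above (the object names other than abc and def are made up here), the two twice NAT lines are the ones from this section, and the after-auto identity rule, `NatTable`, and the function names are this example's own assumptions. It also answers which object NAT rule wins for a given source address, which the list alone does not show.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass
class ObjectNat:
    """Section 2 rule: NAT configured under a network object. Field names are
    this example's own, not ASA data structures."""
    object_name: str
    real: str          # real (pre-translation) host or subnet, e.g. "10.1.1.0/24"
    kind: str          # "static" or "dynamic"

    def label(self) -> str:
        return f"{self.real} ({self.kind}) (object {self.object_name})"


@dataclass
class TwiceNat:
    """Manual (twice) NAT rule; with after_auto it lands in section 3."""
    text: str          # the nat command line, kept for display only
    after_auto: bool = False

    def label(self) -> str:
        return self.text


def object_nat_sort_key(rule: ObjectNat):
    """Section 2 ordering: static before dynamic, then fewer real addresses
    (most specific) first, then lower IP number, then object name."""
    net = ipaddress.ip_network(rule.real, strict=False)
    return (0 if rule.kind == "static" else 1, net.num_addresses,
            int(net.network_address), rule.object_name)


class NatTable:
    def __init__(self) -> None:
        self.section1: List[TwiceNat] = []   # twice NAT, in entry order
        self.section2: List[ObjectNat] = []  # object NAT, sorted automatically
        self.section3: List[TwiceNat] = []   # twice NAT with after-auto

    def add_twice(self, rule: TwiceNat, position: Optional[int] = None) -> None:
        """Twice NAT keeps the order it was typed; a 1-based `position`
        (the number in `nat (inside,outside) 1 ...`) inserts at that line."""
        section = self.section3 if rule.after_auto else self.section1
        if position is None:
            section.append(rule)
        else:
            section.insert(position - 1, rule)

    def add_object(self, rule: ObjectNat) -> None:
        self.section2.append(rule)

    def evaluation_order(self) -> List[Union[TwiceNat, ObjectNat]]:
        return (list(self.section1)
                + sorted(self.section2, key=object_nat_sort_key)
                + list(self.section3))

    def first_object_match(self, src_ip: str) -> Optional[ObjectNat]:
        """First section-2 rule whose real network contains src_ip (first match wins)."""
        ip = ipaddress.ip_address(src_ip)
        for rule in sorted(self.section2, key=object_nat_sort_key):
            if ip in ipaddress.ip_network(rule.real, strict=False):
                return rule
        return None


def build_example() -> NatTable:
    """The article's section-2 list plus its two twice NAT lines; object names
    other than abc/def, and the after-auto rule, are constructed for this example."""
    t = NatTable()
    t.add_twice(TwiceNat("nat (inside,outside) source dynamic inside-network pat-2 "
                         "destination static dst-202 dst-202 service telnet3032 telnet3032"))
    # typed later, but forced to line 1 of section 1
    t.add_twice(TwiceNat("nat (inside,outside) 1 source dynamic inside-network pat-1 "
                         "destination static dst-1 dst-1 service telnet23 telnet23"), position=1)
    # object NAT added in a deliberately scrambled order: the sort restores the ASA order
    t.add_object(ObjectNat("net-192-dyn", "192.168.1.0/24", "dynamic"))
    t.add_object(ObjectNat("def", "172.16.1.0/24", "dynamic"))
    t.add_object(ObjectNat("net-192", "192.168.1.0/24", "static"))
    t.add_object(ObjectNat("abc", "172.16.1.0/24", "dynamic"))
    t.add_object(ObjectNat("net-10", "10.1.1.0/24", "static"))
    t.add_object(ObjectNat("host-1", "192.168.1.1/32", "static"))
    # constructed after-auto rule: identity catch-all that must not shadow object NAT
    t.add_twice(TwiceNat("nat (inside,outside) after-auto source static inside-network inside-network",
                         after_auto=True))
    return t


def evaluation_labels(table: NatTable) -> List[str]:
    return [r.label() for r in table.evaluation_order()]


if __name__ == "__main__":
    for i, line in enumerate(evaluation_labels(build_example()), 1):
        print(i, line)
```

The point of `first_object_match` is the practical check: 192.168.1.1 hits the /32 static rule even though two /24 rules also contain it, and 192.168.1.50 hits the static /24 before the dynamic one, because static precedes dynamic regardless of the order the objects were created.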
This article is from the "Try" blog; please keep the source: http://beening.blog.51cto.com/9079117/1795029
ASA user-based MPF, advanced access control, and address translation _05