ASA user-based MPF, advanced access control, and address translation _05

Source: Internet
Author: User

User-based MPF


username user1 password cisco
username user2 password cisco
!! Two local accounts for user authentication
object-group user group1
 user LOCAL\user1
!! User object group; the user comes from the local database (it could also be ACS)
object-group user group2
 user LOCAL\user2
access-list 100 extended permit tcp any any eq 80
!! Traffic that triggers authentication
aaa authentication match 100 inside LOCAL
!! Matching traffic must be authenticated; the authentication database is LOCAL
access-list filter-shrun permit tcp object-group-user group1 any any eq www
!! Matches HTTP traffic belonging to user1
access-list filter-who permit tcp object-group-user group2 any any eq www
!! Matches HTTP traffic belonging to user2
regex who "who"
!! Regular expression with the keyword "who"
regex shrun "sh/run"
class-map class1
 match access-list filter-shrun
!! Matching traffic
class-map class2
 match access-list filter-who
policy-map type inspect http policy-map1
!! Note: this is a Layer 5-7 (application-layer) inspection policy
 parameters
 match request uri regex shrun
!! When the request URI matches the regular expression,
  drop-connection log
!! drop the connection and log it
policy-map type inspect http policy-map2
 parameters
 match request uri regex who
  reset
policy-map global_policy
 class class1
  inspect http policy-map1
!! Deep (application-layer) filtering
 class class2
  inspect http policy-map2


Botnet Traffic Filter

This can be added from ASDM.



NAT

Object NAT: can translate only the source or only the destination IP.

Twice NAT: translates both the source and the destination IP when the traffic matches the policy.

Static NAT (commonly used to publish a server on a specific external port), PAT (dynamic address translation plus port translation), Identity NAT (an address is translated to itself, which bypasses translation for that part of the address space).



A network segment is translated to an address range (dynamic NAT).

Configuring dynamic NAT:

object network innet
 subnet 192.168.17.0 255.255.255.0
object network outnet
 range 192.168.16.60 192.168.16.70
object network innet
 nat (inside,outside) dynamic outnet

Verification:

asa(config)# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from inside:192.168.17.100 to outside:192.168.16.65 flags i idle 0:01:03 timeout 3:00:00
asa(config)# show running-config nat
!
object network innet
 nat (inside,outside) dynamic outnet
asa(config)# show running-config object network
object network innet
 subnet 192.168.17.0 255.255.255.0
object network outnet
 range 192.168.16.60 192.168.16.70
asa(config)# show running-config timeout
timeout xlate 3:00:00
timeout pat-xlate 0:00:30

Change the NAT translation timeout:

asa(config)# timeout xlate 1:0:0

Clear the translation table:

asa(config)# clear xlate

Static NAT

Change the range in the dynamic NAT object above to a host, and use static instead of dynamic.

PAT: a whole address range is translated to a single address, with connections distinguished by port.

!! PAT
object network innet
 nat (inside,dmz) dynamic 192.168.12.110
!! Translate directly to a single address

asa# show xlate
1 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from inside:192.168.17.100/49526 to dmz:192.168.12.110/49526 flags ri idle 0:01:15 timeout 0:00:30

Dynamic NAT first; when the address pool is exhausted, fall back to PAT.

object network outpool
 range 192.168.16.119 192.168.16.120
object network innet
 subnet 7.7.7.0 255.255.255.0
!
object network innet
 nat (inside,outside) dynamic outpool interface
!! interface: when the address pool is exhausted, use the interface IP for PAT


asa# show xlate
4 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
ICMP PAT from inside:7.7.7.1/14 to dmz:192.168.12.139/14 flags ri idle 0:00:04 timeout 0:00:30
NAT from inside:7.7.7.3 to dmz:192.168.12.119 flags i idle 0:00:08 timeout 1:00:00
NAT from inside:7.7.7.2 to dmz:192.168.12.120 flags i idle 0:00:06 timeout 1:00:00
ICMP PAT from inside:7.7.7.7/15 to dmz:192.168.12.139/15 flags ri idle 0:00:01 timeout 0:00:30

PAT Address Pool

nat (inside,dmz) dynamic pat-pool dmzpool round-robin
!! pat-pool dmzpool: the addresses in object dmzpool are used as a PAT pool
!! round-robin: pool addresses are handed out in turn, so successive connections get different pool addresses (and ports)

asa(config-network-object)# show xlate
4 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
ICMP PAT from inside:7.7.7.1/22 to dmz:192.168.12.119/22 flags ri idle 0:00:03 timeout 0:00:30
ICMP PAT from inside:7.7.7.3/20 to dmz:192.168.12.119/20 flags ri idle 0:00:07 timeout 0:00:30
ICMP PAT from inside:7.7.7.2/21 to dmz:192.168.12.120/21 flags ri idle 0:00:05 timeout 0:00:30
ICMP PAT from inside:7.7.7.7/23 to dmz:192.168.12.120/23 flags ri idle 0:00:01 timeout 0:00:30


Static PAT

object network dmz_web_server
 host 192.168.12.100
 nat (dmz,outside) static interface service tcp www www
!! Likewise for FTP on 2121, etc.

Note: with this nat line in place, the server can be reached at 192.168.16.139 (the outside interface address) but not at 192.168.12.100; without it, 192.168.12.100 can be reached.

access-list OUT-DMZ extended permit tcp any object dmz_web_server eq www
access-group OUT-DMZ in interface outside

asa(config-network-object)# show xlate
1 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from dmz:192.168.12.100 80-80 to outside:192.168.16.139 80-80 flags sr idle 0:02:40 timeout 0:00:00
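The show xlate output appears several times on this page (dynamic NAT, PAT, the pool-then-interface fallback, the PAT pool, and static PAT). As an added example, not code from the original post, the following Python parser reads that output, decodes the flag letters using the legend the ASA prints in the header, and separates permanent static entries from dynamic ones. The sample text is constructed from one line of each of the page's own show xlate listings, with the flag letters re-cased to the ASA legend (I = identity, i = dynamic).

```python
"""Parse Cisco ASA `show xlate` output and decode its flag letters.

Added example, not code from the original post. SAMPLE_XLATE is constructed
from the article's own `show xlate` lines; the flag legend is the one the
ASA prints in the output header.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Flag legend as printed by the ASA (letters are case-sensitive: I=identity, i=dynamic).
XLATE_FLAGS = {
    "D": "dns", "e": "extended", "I": "identity", "i": "dynamic",
    "r": "portmap", "s": "static", "T": "twice", "N": "net-to-net",
}

# Matches the three entry shapes seen on this page:
#   NAT from inside:192.168.17.100 to outside:192.168.16.65 flags i idle 0:01:03 timeout 3:00:00
#   TCP PAT from inside:192.168.17.100/49526 to dmz:192.168.12.110/49526 flags ri idle ...
#   TCP PAT from dmz:192.168.12.100 80-80 to outside:192.168.16.139 80-80 flags sr idle ...
XLATE_RE = re.compile(
    r"^(?P<kind>(?:TCP|UDP|ICMP) PAT|NAT) from "
    r"(?P<rif>[\w-]+):(?P<raddr>[\d.]+)(?:/(?P<rport>\d+)| (?P<rrange>\d+-\d+))? to "
    r"(?P<mif>[\w-]+):(?P<maddr>[\d.]+)(?:/(?P<mport>\d+)| (?P<mrange>\d+-\d+))? "
    r"flags (?P<flags>[A-Za-z]+) idle (?P<idle>[\d:]+) timeout (?P<timeout>[\d:]+)$",
    re.IGNORECASE,
)

# Constructed sample: one line from each `show xlate` shown in the article.
SAMPLE_XLATE = """\
4 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from inside:192.168.17.100 to outside:192.168.16.65 flags i idle 0:01:03 timeout 3:00:00
TCP PAT from inside:192.168.17.100/49526 to dmz:192.168.12.110/49526 flags ri idle 0:01:15 timeout 0:00:30
ICMP PAT from inside:7.7.7.1/14 to dmz:192.168.12.139/14 flags ri idle 0:00:04 timeout 0:00:30
TCP PAT from dmz:192.168.12.100 80-80 to outside:192.168.16.139 80-80 flags sr idle 0:02:40 timeout 0:00:00
"""


@dataclass
class Xlate:
    kind: str                   # "NAT" (one-to-one) or "<PROTO> PAT"
    real_if: str
    real_addr: str
    real_port: Optional[int]
    mapped_if: str
    mapped_addr: str
    mapped_port: Optional[int]
    flags: str                  # raw letters, e.g. "ri"
    idle_s: int
    timeout_s: int

    @property
    def flag_names(self) -> List[str]:
        return [XLATE_FLAGS.get(f, f"unknown({f})") for f in self.flags]

    @property
    def permanent(self) -> bool:
        # Static entries are shown with timeout 0:00:00: they never age out.
        return self.timeout_s == 0


def hms_to_seconds(value: str) -> int:
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def _port(single: Optional[str], port_range: Optional[str]) -> Optional[int]:
    if single is not None:
        return int(single)
    if port_range is not None:          # static PAT prints a range such as "80-80"
        return int(port_range.split("-")[0])
    return None


def parse_xlate(text: str) -> List[Xlate]:
    """Return one Xlate per translation line; header and legend lines are skipped."""
    entries: List[Xlate] = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Xlate(
            kind=m["kind"].upper(),
            real_if=m["rif"], real_addr=m["raddr"],
            real_port=_port(m["rport"], m["rrange"]),
            mapped_if=m["mif"], mapped_addr=m["maddr"],
            mapped_port=_port(m["mport"], m["mrange"]),
            flags=m["flags"],
            idle_s=hms_to_seconds(m["idle"]),
            timeout_s=hms_to_seconds(m["timeout"]),
        ))
    return entries


def static_exposures(entries: List[Xlate]) -> List[Xlate]:
    """Permanent static entries: real hosts that stay reachable at a mapped address."""
    return [e for e in entries if "s" in e.flags]


if __name__ == "__main__":
    for e in parse_xlate(SAMPLE_XLATE):
        print(f"{e.kind:9} {e.real_if}:{e.real_addr} -> {e.mapped_if}:{e.mapped_addr} "
              f"{','.join(e.flag_names)}{' (permanent)' if e.permanent else ''}")
```

Running the module prints one line per translation; static_exposures() is the list to review when auditing which DMZ or inside hosts are permanently published, since those entries (flag s, timeout 0:00:00) do not age out like the dynamic ones.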

Packet captures were taken on the outside interface and on the DMZ interface (screenshots omitted).




Static NAT DNS Rewrite


Note: DNS inspection must be enabled on the ASA.

object network inside-web-server
 host 10.1.1.101
object network inside-web-server
 nat (inside,outside) static 202.100.1.101 dns

With the dns keyword, the ASA rewrites the address in the DNS reply: when an inside host resolves www.cisco.com, it receives the real (inside) address and reaches the web server on the intranet directly.
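To make the rewrite concrete, here is an added Python model (not ASA code) of what the static NAT with the dns keyword does to a DNS reply. It builds a constructed reply for www.cisco.com that carries the mapped address 202.100.1.101, then applies the page's mapping (real 10.1.1.101, mapped 202.100.1.101) in the direction of an inside client, replacing the A record with the real address; a dns_inspection switch shows why the note above matters, since without inspection the payload is never examined.

```python
"""Model of the ASA `static ... dns` rewrite on a DNS reply.

Added example, not ASA code. It builds a constructed DNS reply for
www.cisco.com pointing at the mapped address 202.100.1.101 and shows how the
A record is rewritten to the real address 10.1.1.101 (the mapping from the
article's configuration) when the reply is delivered to the inside.
"""
import ipaddress
import struct
from typing import List, Tuple

A_RECORD = 1
IN_CLASS = 1


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname: str, ip: str, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Constructed reply: standard response, one question, one A answer, no name compression."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", A_RECORD, IN_CLASS)
    answer = (_encode_name(qname)
              + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4)
              + ipaddress.IPv4Address(ip).packed)
    return header + question + answer


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) DNS name and return the next offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def a_records(packet: bytes) -> List[Tuple[int, str]]:
    """Return (rdata offset, address) for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", packet[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(packet, off) + 4          # QTYPE + QCLASS
    found = []
    for _ in range(ancount):
        off = _skip_name(packet, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            found.append((off, str(ipaddress.IPv4Address(packet[off:off + 4]))))
        off += rdlen
    return found


def dns_rewrite(packet: bytes, static_nat: Tuple[str, str],
                reply_to_inside: bool = True, dns_inspection: bool = True) -> bytes:
    """Apply the `nat (inside,outside) static <mapped> dns` rewrite to a DNS reply.

    static_nat is (real, mapped). A reply delivered to the inside has the mapped
    address replaced by the real one, so inside clients reach the server directly;
    a reply going outward gets the reverse. Without DNS inspection the ASA does not
    look inside the payload and the reply passes unchanged (the article's note).
    """
    if not dns_inspection:
        return packet
    real, mapped = static_nat
    match, replacement = (mapped, real) if reply_to_inside else (real, mapped)
    buf = bytearray(packet)
    for off, addr in a_records(packet):
        if addr == match:
            buf[off:off + 4] = ipaddress.IPv4Address(replacement).packed
    return bytes(buf)


ARTICLE_MAPPING = ("10.1.1.101", "202.100.1.101")   # (real, mapped) from the article


def demo() -> str:
    """Resolve www.cisco.com from the inside through the rewrite; returns the address seen."""
    reply = build_a_response("www.cisco.com", ARTICLE_MAPPING[1])
    rewritten = dns_rewrite(reply, ARTICLE_MAPPING)
    return a_records(rewritten)[0][1]
```

Only an A record that exactly equals the mapped address of the static rule is touched; any other answer passes through unchanged, which is the same narrow behaviour the ASA applies, and the reverse direction (reply_to_inside=False) restores the mapped address for clients outside.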


Dynamic Identity NAT


    1. Dynamic identity NAT translates the local address to the same address, towards an interface with a lower security level (only from high to low).

    2. Outbound traffic creates a temporary entry in the translation table.


Static Identity NAT


Same as above, but the table entry is permanent.


Twice Nat


Translation is applied only to traffic whose source and destination both match the rule.

If you want only a few packets to bypass object NAT (twice NAT takes precedence over object NAT by default), you can set the translation so that the address maps to itself, similar to identity NAT; other translations (for example for a VPN configuration) can be set the same way.

object network dst-1
 host 1.1.1.1
object network dst-202
 host 202.100.1.1
object network pat-1
 host 202.100.1.101
object network pat-2
 host 202.100.1.102
object network inside-network
 subnet 10.1.1.0 255.255.255.0
object service telnet23
 service tcp destination eq telnet
object service telnet3032
 service tcp destination eq 3032
nat (inside,outside) source dynamic inside-network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
nat (inside,outside) source dynamic inside-network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032



Main differences between Network Object NAT and twice NAT


Object NAT: NAT is a parameter of the network object. The object can be conveniently reused elsewhere (e.g. in ACLs), but only the source or the destination can be translated.

Twice NAT: the objects are parameters of the NAT rule. Custom objects (or object groups) can be used, which is far more extensible, and source and destination can be translated at the same time.




NAT Order

Priority one: twice NAT (section 1)

Rules are evaluated in the order in which they were entered; this order can be adjusted arbitrarily.

Priority two: object NAT (section 2)

Static translations take precedence over dynamic translations.
If the type is the same, rules are sorted by:
1. Size of the real address range (fewer addresses first)
2. IP address (lower first)
3. Object name (alphabetical)

Example order:
192.168.1.1/32 (static)
10.1.1.0/24 (static)
192.168.1.0/24 (static)
172.16.1.0/24 (dynamic) (object ABC)
172.16.1.0/24 (dynamic) (object Def)
192.168.1.0/24 (dynamic)

Priority three: twice NAT with after-auto (section 3)



Change sort

By default twice NAT takes precedence over object NAT; a twice NAT rule with the after-auto parameter is placed after object NAT:

nat (inside,outside) after-auto source dynamic inside-network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

To move a twice NAT rule to the front, add the position 1 after the interface pair:

nat (inside,outside) 1 source dynamic inside-network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
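The ordering rules in the NAT Order section and the after-auto and position-1 placements just shown decide which translation a packet actually receives, so a general rule placed ahead of a specific one silently shadows it. As an added example, not the ASA's own code, the Python below reproduces that ordering: section 1 and section 3 keep their configured order, section 2 is sorted static-before-dynamic, then by number of real addresses, IP address and object name, and first match wins. The six object NAT rules are the page's own example list (the object names for the entries the page leaves unnamed are made up here); the twice NAT rules twice-a, twice-first and twice-after are constructed to show the position 1 and after-auto placements.

```python
"""Reproduce the NAT table ordering described in the article.

Added example, not the ASA's code. Sections follow the article: 1 = twice NAT
(before auto), 2 = object NAT, 3 = twice NAT with after-auto. The object names
given to the unnamed entries of the article's example list are made up here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    name: str          # object name (section 2) or a label for a twice NAT rule
    section: int       # 1, 2 or 3
    kind: str          # "static" or "dynamic"
    real: str          # real (pre-translation) network, e.g. "10.1.1.0/24"
    position: int = 0  # configured order; only meaningful in sections 1 and 3


def object_nat_key(rule: NatRule):
    """Section 2 ordering: static before dynamic, then fewest real addresses,
    then lowest IP address, then object name (alphabetical)."""
    net = ipaddress.ip_network(rule.real, strict=False)
    return (0 if rule.kind == "static" else 1,
            net.num_addresses,
            int(net.network_address),
            rule.name.lower())


def nat_order(rules: List[NatRule]) -> List[NatRule]:
    """Order rules the way the ASA evaluates them (first match wins)."""
    section1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.position)
    section2 = sorted((r for r in rules if r.section == 2), key=object_nat_key)
    section3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.position)
    return section1 + section2 + section3


def add_twice_nat(rules: List[NatRule], rule: NatRule,
                  position: Optional[int] = None) -> List[NatRule]:
    """Model `nat (in,out) [position] ...`: a twice NAT rule is appended to its
    section unless a 1-based position is given (the article's `nat ... 1 ...`),
    in which case it is inserted there and the following rules shift down."""
    same = sorted((r for r in rules if r.section == rule.section), key=lambda r: r.position)
    same.insert(len(same) if position is None else position - 1, rule)
    for index, r in enumerate(same, start=1):
        r.position = index
    return [r for r in rules if r.section != rule.section] + same


def first_match(ordered: List[NatRule], real_ip: str) -> Optional[NatRule]:
    """The rule the ASA applies to a packet from real_ip: the first whose real network contains it."""
    ip = ipaddress.ip_address(real_ip)
    for r in ordered:
        if ip in ipaddress.ip_network(r.real, strict=False):
            return r
    return None


def article_object_nat() -> List[NatRule]:
    """The six object NAT rules of the article's example, entered in a shuffled order."""
    return [
        NatRule("dyn-192", 2, "dynamic", "192.168.1.0/24"),
        NatRule("Def", 2, "dynamic", "172.16.1.0/24"),
        NatRule("ABC", 2, "dynamic", "172.16.1.0/24"),
        NatRule("stat-192", 2, "static", "192.168.1.0/24"),
        NatRule("stat-10", 2, "static", "10.1.1.0/24"),
        NatRule("host-192", 2, "static", "192.168.1.1/32"),
    ]


def demo_full_table() -> List[str]:
    """Add twice NAT rules around the object NAT rules and return the evaluated order."""
    rules = article_object_nat()
    rules = add_twice_nat(rules, NatRule("twice-a", 1, "dynamic", "10.1.1.0/24"))
    rules = add_twice_nat(rules, NatRule("twice-after", 3, "dynamic", "10.1.1.0/24"))  # after-auto
    rules = add_twice_nat(rules, NatRule("twice-first", 1, "dynamic", "10.1.1.0/24"), position=1)
    return [r.name for r in nat_order(rules)]


if __name__ == "__main__":
    for name in demo_full_table():
        print(name)
```

first_match() is the useful check when reviewing a configuration: ask which rule a given inside address hits and confirm it is the one intended, rather than a broader dynamic rule or a twice NAT rule entered earlier.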



This article is from the "Try" blog, so be sure to keep this source http://beening.blog.51cto.com/9079117/1795029

