Six key commands required in the firewall configuration

The basic function of a firewall is done by six commands. In general, unless there is a special security requirement, this six command can basically handle the configuration of the firewall. The following author on the combination of Cisco firewall, to talk about the Basic Firewall configuration, I hope to give you a little reference.





First command: interface





interface is one of the most basic commands in the firewall configuration, and his main function is to turn off the interface, configure the interface speed, name the interface, and so on. When you buy a firewall, each end of the firewall is closed, so, after the firewall bought, if not to do any configuration, to prevent on the enterprise network, then the firewall can not work, but also will lead to different corporate networks.





1, configure interface speed





in the firewall, there are two ways to configure the interface speed, one is manual configuration, the other is automatic configuration. Manual configuration is to require users to manually specify the speed of the firewall interface, and automatically configured, the firewall interface will automatically depend on the device connected to determine the required speed of communication.





such as: interface Ethernet0 Auto-configure "Automatic connection speed" for the interface





Interface Ethernet2 100ful--Manually specify connection speed for interface 2, 100mbit/s.





here, the parameter ethernet0 or Etnernet2 represents the interface of the firewall, and the following parameters represent the specific speed.





I suggest





when configuring the interface speed, you should pay attention to two problems.





First, if you specify the speed of the interface manually, the specified speed must be the same as the speed of the device he is connected to, otherwise, there will be some unexpected errors. If a switch is connected to a firewall, the port speed of the switch must match the speed set up here.





The second is that although the firewall provides the ability to set the interface speed automatically, however, in the actual work, the author still does not recommend the use of this function. Because this automatically configures the interface speed, it can affect the performance of the firewall. Moreover, it can sometimes judge errors and cause communication failures to the network. Therefore, in general, whether it is the author, or Cisco's official information, all recommend that you use manual configuration interface speed.





2, close and open Interface




There are multiple interfaces on the
firewall, and for security reasons, open interfaces need to be closed in a timely manner. The shutdown command is generally available to turn off the interface of the firewall. But this is a different thing from Cisco's iOS software, which is that if you want to open this interface, you don't have to use the No shutdown command. In the firewall configuration command, there is no this one. Instead of using the shutdown command with no parameters, you should set an interface to a management mode.





I suggest





when the firewall is configured, do not open all the interfaces, need to use a few interfaces, open several interfaces. If you open all the interfaces, it will affect the operating efficiency of the firewall, and the security of the Enterprise network will also have an impact. Or, he would reduce the intensity of the firewall's control over the corporate network.





second command: Nameif





General Firewall factory, Cisco will also configure the firewall name, such as Ethernet0 and so on, that is, the physical location of the firewall and the interface name is the same. However, obviously, this is not good for our management, we can not intuitively see from the name, what this interface is used to do, is to connect the enterprise's internal network interface, or connect the enterprise's external network interface. So, the network administrator, want to be able to redirect the name of this interface, using the more intuitive name to describe the purpose of the interface, such as using the outside command to indicate that the interface is used to connect the external network, and the use of the inside command to describe the interface is used to connect the internal network. Also, when naming a port, you can specify the security level of the interface.




The basic format of the
Nameif command is as follows





nameif Hardware-id if-name security-level





Where Hardware-id represents the specific location of the interface on the firewall, such as Ethernet0 or ETHERNET1, and so on. These are Cisco firewalls that have been set up at the factory and cannot be changed. If we do not rename the interface, we can only configure the corresponding interface parameters through this interface location name.





and If-name is the specific name we specify for this interface. In general, the name would like to reflect the purpose of the interface, as if it were nicknamed the interface, to reflect the actual use of the interface. In addition, the name of the word, our network administrator must also follow certain rules. If the name is not in the middle of a space, different with numbers or other special characters (this is not conducive to subsequent operations), in length can not be more than 48 characters.





Security-level represents the security level of this interface. In general, you can set the security level of the enterprise internal interface a little higher, and the security level of the enterprise external interface can be set lower. In this way, depending on the access rules of the firewall, a high level of security interface can defend the lower security level of the interface. That is, an enterprise's internal network can access an enterprise's external network without the need for special settings. If the external network accesses the internal network, because it is a low security interface to access the security-level interface, you must make some special settings, such as the need for access control list support, and so on.





I suggest





when configuring security levels for interfaces, it is generally not necessary to set a very complex level of security. In the security requirements of the general enterprise, only need to put the security of the interface into two levels (generally use only two interfaces, a connection to the external network, a connection to the internal network), so, the firewall security level management, will be convenient for many.





In addition, the security level of an enterprise's internal network is higher than that of the external network. Because from the enterprise security considerations, our basic principle is that the internal network access to the external network can be liberalized, and the external network access to the internal network, it is necessary to limit, it is mainly out of the limits of viruses, Trojans and other enterprises to the network caused by the harm of the purpose. However, if there are restrictions on external access within the enterprise, such as not allowing access to the FTP server, and so on, you can use the Access control list or other technical means to achieve.





To be able to reflect the purpose of this interface when naming an interface, otherwise naming it is not a good idea. In general, if you can use inside or outside to express the interface between intranet and extranet. In this case, when the network administrator sees the interface name, it knows the purpose of the interface. These can improve the efficiency of our firewall maintenance. It's easier to implement the interface when we follow that name, without having to think about the interface name I need to configure. If we really forget the interface name, we can use the show Nameif command to verify the configuration of the interface name.





Third command: IP address





in firewall management, configure the IP address for each enabled firewall interface. Generally speaking, the IP address of the firewall supports two kinds of obtaining way, one is by automatically obtains, if can obtain the IP address through the enterprise intranet's DHCP server; second, the user specifies the IP address by hand.





the exact format of this command is





ip adress if-name ip [NETMASK]





If we use the above If-name command, to the firewall interface to configure the alias, then in the subsequent other commands, such as the configuration of IP address command, you do not need to take the location of the interface name, and can directly use this alias for specific interface settings related parameters.





If we specify the IP address by hand, we need to pay attention to several issues. First, if there is a DHCP server in the enterprise, you should pay attention to the problem of this network address conflict. This firewall interface IP address, in the enterprise's entire network, also must remain unique, otherwise, it will cause the IP address conflict error. Therefore, if there is a DHCP server in the enterprise, then in the DHCP server configuration, it is important to note that this firewall interface used by the IP address should not be in the DHCP server automatically allocated IP address pool, otherwise, it is easy to cause the conflict of IP address.





In addition, when you manually configure the IP address, in order to manage the convenience, it is best to specify a continuous IP address. In other words, the IP address of each interface of the firewall is continuous. In the IP address planning of the enterprise, the author specially reserved 4 IP addresses for the interface of the firewall. Even if this interface is not currently used, the IP address is not contiguous in order to avoid future use, so the IP address of the entire network is reserved for a sufficient number of IP addresses.





the netmask here is not necessary. If the network administrator does not configure the network mask when the firewall is configured, the firewall automatically sets a netmask to the structure of the internal network of the enterprise. Therefore, under normal circumstances, this network mask can not be set, so as not to fill in the wrong words, but also caused unnecessary losses.





I suggest





if the IP address of the interface is obtained by DHCP, it is best to configure a continuous IP address for each interface of the firewall when the DHCP server is configured. In this way, we can facilitate the management of the firewall interface. If the enterprise network size is larger, security level is relatively high, then generally recommended not to use DHCP, but need to give each interface of the firewall to manually specify the IP address.


Fourth command: NAT and global, static command





using the NAT (Network address translation) command, a network administrator can convert an internal set of IP addresses to an external public network address, while the global command defines the range of addresses or addresses that are converted to a Network Address translation command NAT. Simply put, the NAT command and Global command enable the conversion between IP addresses and the mapping of IP addresses to ports.





This network address Translation command is very useful in practical work. We all know, now the public network IP address is very scarce, basically, a business only one to two public network address. And for enterprises, their file servers, OA systems, mail servers and so on may need external access, and if there is no NAT technology, then in the public network to access, must have the public network IP address. This greatly limits the enterprise internal information System external access, Home Office, travel to the enterprise internal network and so on, become unable to achieve. And now the network address translation technology, is to solve this problem produced. With the help of network address translation technology, the IP address of the enterprise can be mapped to the IP address of the external public network. In this case, the IP address of the intranet has a legitimate public network IP address, then the employees outside the company can access the enterprise's internal information system through the Internet.





in practical work, the most use is to convert the local address to a global address, rather than an address range. If the company's internal ERP server IP address is 192.168.0.6, at this point, if we hope that external employees, such as in other cities in a sales office, they can use 202.96.96.240 this public network address to access this server. To implement this requirement, how do I configure it?





Static (inside,outside) 192.168.0.6 202.96.96.236





at this point, external users can use this 202.96.96.236 public network IP address, to access the enterprise internal ERP system.





in fact, after configuring this command, in the firewall server, there is this one by one corresponding relationship. When the external network through the access to 202.96.96.236 this IP address, in the firewall server, the IP address will be converted to 192.268.0.6, so that the external network access to the enterprise's internal information system.





However, at this time if more than such an information system, now OA system (192.168.0.5) and ERP system (192.168.0.6), Home Office or people on business trips need to be able to access the two servers, at this time, how to deal with it?





If the enterprise has two public network IP address, it is good to do, just to the OA system and ERP system corresponding to a public network IP address can. However, the problem now is that the enterprise has only one IP address, at this time, how to deal with it? To do so, we can use the static command to implement the redirection of the port. Simply put, port redirection allows external users to connect to an internal specific IP address and port, and allow the firewall to redirect the data traffic to the appropriate internal address.





the author reminds





1, there should be sufficient global IP address to match the native IP address specified by the NAT command. Otherwise, you can use the PAT (depending on the port's corresponding IP address) to solve the global address shortage problem. And for the vast majority of Chinese enterprises, the basic address is not enough, to use Pat technology to solve the problem of address shortage. Pat Technology, allows up to 64,000 clients (internal IP address) to use the same public network IP address.





2, network address translation In addition to solve the public network ID address shortage problem, there is a good side effect. It is possible to hide the internal host, so as to achieve the security of the internal host. As in the above example, if the outside users need to access the enterprise internal ERP server, then they only need to know the public network address on it, do not need to know exactly what they are accessing the internal server, the server's IP address is how much. In this way, you can maximize the security of your enterprise's internal servers.





Fifth command: ICMP command





when we do the relevant configuration, the next job we need to use the test command to determine the accuracy of our configuration. The most basic two test commands are the ping and debug commands.





Ping Command Our network administrator is very familiar with. However, there is a special place in the firewall that, by default, the firewall rejects all ICMP input traffic from the external interface. When we ping an extranet IP address, if the connection with the other is smooth, then the other side will return an ICMP response answer. By default, the firewall will reject this ICMP traffic. This is mainly due to security considerations. However, when we were testing, we did not like the firewall to stop receiving this ICMP response answer, otherwise we would not be able to test the work.





So, when the firewall just started to configure, we often need to let the firewall allow to receive this traffic, we need to use the permit command to let the firewall through this traffic.





We can use this command to implement this requirement: ICMP permit any any outside. The idea of this command is to allow the ICMP protocol to run unimpeded on the firewall, allowing the firewalls to receive ICMP traffic from the outside.





I remind





However, after testing, it is best to restore the original settings, that is, let the firewall refused to receive this from the external interface ICMP traffic, which is to improve the internal security of the enterprise, very helpful, such as good to prevent Dos attacks, and so on.





Sixth command: Write memory.





in general, the changes we make to the firewall configuration are not written directly into the flash memory of the firewall. Firewall such design, is to prevent network administrator million accidentally, made some difficult to restore the settings, only need to restart the firewall, you can restore the previous settings. In other words, the firewall in the update configuration, in the absence of the command to write him to the flash memory, firewalls are generally stored in the RAM first. The data in RAM, when the firewall restarts, will be lost.





So, when the configuration test is complete, remember to write the relevant change configuration to the flash memory using the Write Memory command. In this way, these related configurations can still work after the firewall restarts.





I remind





It is best not to write the change configuration to the flash memory until you have tested it. Because once you write to the flash memory, if you do some difficult to restore the configuration, and in the test when there are problems, at this point, you can only reset the firewall, the previous configuration will be all lost, back to the factory state, which for our network administrator, is a great blow. Therefore, the general need for the relevant configuration test is correct, before you can use this command, permanent save configuration.





However, in the firewall configuration, be careful not to power off, otherwise, you do the configuration will be toppled. However, it is advisable to connect to the UPS power at the end of the firewall.