III. NAT Control
1) NAT control disabled (the default: no nat-control)
In this case no NAT rule is required. Without a NAT rule, outbound traffic is still permitted, but it is not translated to a real (public) IP address.
2) NAT control enabled (nat-control)
In this case a NAT rule is required. Otherwise, outbound traffic that matches no NAT rule is dropped.
IV. NAT Exemption
When NAT control is enabled, every initiated connection needs a matching NAT rule. NAT exemption is configured to let selected traffic (for example VPN traffic) bypass NAT. Exempted traffic may be initiated from either side (two-way communication), whereas an ordinary NAT rule only allows connections initiated from the higher-security interface.
To configure NAT exemption, first define an ACL that specifies the traffic to bypass NAT.
Next, based on the previous topology, PC2 (host 10.1.1.2) is exempted from NAT:
asa(config)# access-list nonat permit ip 10.1.1.0 255.255.255.0 172.16.16.0 255.255.255.0
asa(config)# nat (inside) 0 access-list nonat
In this way, traffic from PC2's network to 172.16.16.0/24 is not translated by NAT.
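The following is an added example, not part of the original tutorial and not Cisco code: a small Python model of the NAT-control and NAT-exemption decisions described in the two sections above. It assumes the page's topology (inside at security level 100, outside at 0), one dynamic NAT rule for 10.1.1.0/24, and the nonat ACL exactly as configured above; the function and constant names (decide_nat, NAT_RULES, NONAT_ACL) are hypothetical. Interface ACL checks are out of scope; only the NAT decision is modelled.

```python
from ipaddress import ip_address, ip_network

# Assumed security levels for the page's topology (added example, not ASA code).
SECURITY_LEVEL = {"inside": 100, "outside": 0}

# One dynamic NAT rule, as "nat (inside) 1 10.1.1.0 255.255.255.0" would create,
# modelled as (interface, source network). Only connections initiated from the
# higher-security side can use a dynamic rule.
NAT_RULES = [("inside", ip_network("10.1.1.0/24"))]

# NAT exemption from the page:
#   access-list nonat permit ip 10.1.1.0 255.255.255.0 172.16.16.0 255.255.255.0
#   nat (inside) 0 access-list nonat
NONAT_ACL = [(ip_network("10.1.1.0/24"), ip_network("172.16.16.0/24"))]


def matches_nonat(src, dst):
    """True if (src, dst) or its reverse matches the exemption ACL: exemption is two-way."""
    s, d = ip_address(src), ip_address(dst)
    return any((s in a and d in b) or (s in b and d in a) for a, b in NONAT_ACL)


def decide_nat(src, dst, in_if, out_if, nat_control):
    """What the firewall does with a connection initiated on in_if towards out_if.

    'exempt'       -> passes with no translation (nat 0 access-list)
    'translated'   -> a dynamic NAT rule applies
    'untranslated' -> no rule matches, but nat-control is off, so it passes unchanged
    'dropped'      -> nat-control is on and no rule matches
    """
    if matches_nonat(src, dst):
        return "exempt"
    higher_to_lower = SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]
    rule_hit = any(in_if == intf and ip_address(src) in net for intf, net in NAT_RULES)
    if higher_to_lower and rule_hit:
        return "translated"
    return "dropped" if nat_control else "untranslated"


if __name__ == "__main__":
    # PC2 to the exempted network: no translation in either direction.
    print(decide_nat("10.1.1.2", "172.16.16.5", "inside", "outside", True))
    print(decide_nat("172.16.16.5", "10.1.1.2", "outside", "inside", True))
    # PC2 to a non-exempted address: dynamic NAT applies.
    print(decide_nat("10.1.1.2", "203.0.113.10", "inside", "outside", True))
    # A host outside the NAT rule: dropped with nat-control, passed unchanged without it.
    print(decide_nat("10.1.2.7", "203.0.113.10", "inside", "outside", True))
    print(decide_nat("10.1.2.7", "203.0.113.10", "inside", "outside", False))
```

The reverse-direction check in matches_nonat is what makes the exemption two-way; the higher_to_lower test is what restricts the ordinary dynamic rule to connections started from inside.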
V. Remote Management of ASA
1) Configure to allow telnet access
asa(config)# telnet 10.1.1.0 255.255.255.0 inside
This configuration allows only the 10.1.1.0/24 segment to access the ASA via telnet.
You can also allow only a single host to access through telnet:
asa(config)# telnet 10.1.1.22 255.255.255.255 inside
2) Configure ssh access
ciscoasa(config)# hostname asa                         configure the host name
asa(config)# domain-name accp.com                      configure the domain name
asa(config)# passwd Password                           the passwd command sets the remote access password, which also applies to telnet
asa(config)# crypto key generate rsa modulus 1024      generate an RSA key pair
asa(config)# write mem                                 save the key
View the key pair:
asa(config)# show crypto key mypubkey rsa
Allow ssh access:
asa(config)# ssh 10.1.1.0 255.255.255.0 inside
asa(config)# ssh 0 0 outside                           "0 0" means any source address on the outside interface
asa(config)# ssh version 2
3) Configure ASDM access
1) Enable the HTTPS server function
asa(config)# http server enable [port]
2) Allow https access
asa(config)# http 10.1.1.0 255.255.255.0 inside
3) Specify the location of the ASDM image
asa(config)# asdm image disk0:/asdmfile
4) Configure the username and password used for client login
asa(config)# username maid password 123456 privilege 15
5) Run ASDM in web mode
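As an added example (not part of the original tutorial and not Cisco code), the following Python audit reads the telnet/ssh/http source restrictions from a running-config excerpt and reports the findings a reviewer of the management plane above would raise: any-source entries such as "ssh 0 0 outside", clear-text telnet, and ssh without "ssh version 2". The config text is constructed from the page's own commands, and the names parse_access_lines and audit_management_access are hypothetical.

```python
import re
from ipaddress import ip_network

# Constructed running-config excerpt built from the page's remote-management commands
# (added example; the lines are assumed, not captured from a real device).
SAMPLE_CONFIG = """\
telnet 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh 0 0 outside
ssh version 2
http server enable
http 10.1.1.0 255.255.255.0 inside
"""

# Matches "<service> <address> <mask> <interface>"; lines such as "ssh version 2"
# and "http server enable" have a different shape and are skipped.
ACCESS_RE = re.compile(r"^(telnet|ssh|http)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_access_lines(config):
    """Return (service, network, interface) for each source restriction line.

    ASA accepts the shorthand "0 0" for "0.0.0.0 0.0.0.0", i.e. any source."""
    entries = []
    for line in config.splitlines():
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        service, addr, mask, intf = m.groups()
        addr = "0.0.0.0" if addr == "0" else addr
        mask = "0.0.0.0" if mask == "0" else mask
        entries.append((service, ip_network(f"{addr}/{mask}", strict=False), intf))
    return entries


def audit_management_access(config):
    """Return human-readable findings about who may reach the management services."""
    findings = []
    entries = parse_access_lines(config)
    for service, net, intf in entries:
        if net.prefixlen == 0:
            findings.append(f"{service}: any source address allowed on interface {intf}")
        if service == "telnet":
            findings.append(f"telnet: clear-text management protocol enabled on interface {intf}")
    if any(s == "ssh" for s, _, _ in entries) and "ssh version 2" not in config:
        findings.append("ssh: version 2 not enforced")
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(finding)
```

Running it against the sample reports the "ssh 0 0 outside" entry as any-source on the outside interface and the telnet line as clear-text management; the "ssh version 2" line satisfies the version check.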
VI. Log Management
Log messages are classified into eight severity levels:
0 emergencies (most urgent)
1 alerts (urgent)
2 critical
3 errors
4 warnings
5 notifications (notice)
6 informational
7 debugging
1) Configure the time zone
asa(config)# clock timezone peking 8
2) Configure the time
asa(config)# clock set 11:30:00 26 sep 2013
3) Enable logging
asa(config)# logging enable
asa(config)# logging timestamp                 add a timestamp to each message
asa(config)# logging trap informational        send messages of level informational (6) and more severe to the syslog server
asa(config)# logging host inside 10.1.1.2      syslog server 10.1.1.2, reached through the inside interface
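The following is an added example (not part of the original tutorial and not Cisco code) that ties the severity table and the logging configuration above together: it parses ASA syslog lines in the "%ASA-<severity>-<message id>" format, with the timestamp that "logging timestamp" adds, and applies the "logging trap" threshold to show which messages the syslog host at 10.1.1.2 would receive. The log lines are constructed samples, and the names parse_asa_log and forwarded_to_syslog are hypothetical.

```python
import re
from datetime import datetime

# ASA severity levels (numerically lower = more severe), from the table above.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
LEVEL_BY_NAME = {name: num for num, name in SEVERITY.items()}

# Constructed sample messages in ASA syslog format with "logging timestamp" enabled
# (added example; addresses are documentation ranges, not real hosts).
SAMPLE_LOGS = """\
Sep 26 2013 11:30:05: %ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.2/51000 (198.51.100.1/1024)
Sep 26 2013 11:30:07: %ASA-7-609001: Built local-host inside:10.1.1.2
Sep 26 2013 11:30:09: %ASA-4-106023: Deny tcp src outside:203.0.113.77/4444 dst inside:10.1.1.2/23 by access-group "outside_in"
Sep 26 2013 11:31:00: %ASA-5-111008: User 'admin' executed the 'logging trap informational' command.
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$"
)


def parse_asa_log(line):
    """Parse one ASA syslog line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    sev = int(m["sev"])
    return {
        "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "severity": sev,
        "level": SEVERITY[sev],
        "id": m["id"],
        "text": m["text"],
    }


def forwarded_to_syslog(lines, trap_level="informational"):
    """Messages that "logging trap <level>" sends to the logging host:
    everything at the configured severity or more severe (numerically lower)."""
    threshold = LEVEL_BY_NAME[trap_level]
    forwarded = []
    for line in lines.splitlines():
        msg = parse_asa_log(line)
        if msg and msg["severity"] <= threshold:
            forwarded.append(msg)
    return forwarded


if __name__ == "__main__":
    for msg in forwarded_to_syslog(SAMPLE_LOGS):
        print(msg["time"], msg["level"], msg["id"], msg["text"][:60])
```

With the page's "logging trap informational", the three informational-or-higher messages are forwarded and the debugging-level message is not; tightening the threshold to "warnings" leaves only the ACL deny.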