Cisco Firewall-Application of ASA Security Device

Source: Internet
Author: User

Lab Environment

1. Prepare four virtual machines running Windows 2003. Configure the Web server and the Out server, set up the sites www.sjzz.com and www.out.com, and set up a DNS server on the Out server that resolves www.sjzz.com (IP address: 200.1.1.253/29) and www.out.com (IP address: 200.2.2.1). PC1 is the intranet client, running Windows XP, and uses 200.2.2.1 as its DNS server.
2. Simulate the ASA using asa802-k8.bin, Qemu, qemu PCAP and Linux.
3. Use DynamipsGUI to simulate the router.

Lab Purpose:
1. The ASA can be accessed only from PC1, and only through SSH.
2. PC1 can access the websites in the outside and DMZ areas, and the Out host can access the website in the DMZ.
3. PC1 can ping the host in the outside area.

The IP addresses of each device are allocated as follows:
PC1: 192.168.0.88
ASA firewall Inside interface: 192.168.0.254/24
ASA firewall Outside interface: 200.0.0.2/30
ASA firewall Dmz interface: 192.168.1.254/24
ISP router F1/0: 200.0.0.1/30
ISP router F0/0: 200.2.2.254/24
Out server: 200.2.2.1/24
Web server: 192.168.1.1/24

The network adapters of the virtual machines are bridged as follows:
Three NICs of the ASA firewall: VMnet0, VMnet1 and VMnet2
PC1: VMnet0
Web server: VMnet2
Out server: VMnet8

The router connections simulated by DynamipsGUI are as follows:
Router1 F0/0 <----> XPC P0/8
Router1 F1/0 <----> XPC P0/1

I. Configure the ISP router:
Router (config) # int f0/0
Router (config-if) # ip add 200.2.2.254 255.255.255.0
Router (config-if) # no sh
Router (config-if) # int f1/0
Router (config-if) # ip add 200.0.0.1 255.255.255.252
Router (config-if) # no sh
Router (config-if) # exit
Router (config) # ip route 200.1.1.248 255.255.255.248 200.0.0.2

II. Configure the ASA Device

Configure the host name, the domain name, and the passwords (the enable password and the login password used for telnet or SSH):
ciscoasa (config) # hostname ASA
ASA (config) # domain-name asa.com
ASA (config) # enable password cisco
ASA (config) # passwd cisco

Configure the interface name, security level and IP address of each interface:
ASA (config) # int e0/0
ASA (config-if) # nameif inside
ASA (config-if) # security-level 100
ASA (config-if) # ip add 192.168.0.254 255.255.255.0
ASA (config-if) # no sh
ASA (config-if) # int e0/1
ASA (config-if) # nameif outside
ASA (config-if) # security-level 0
ASA (config-if) # ip add 200.0.0.2 255.255.255.252
ASA (config-if) # no sh
ASA (config-if) # int e0/2
ASA (config-if) # nameif dmz
ASA (config-if) # security-level 50
ASA (config-if) # ip add 192.168.1.254 255.255.255.0
ASA (config-if) # no sh
ASA (config-if) # route outside 0.0.0.0 0.0.0.0 200.0.0.1

Configure SSH so that 192.168.0.88 can reach the ASA through SSH:
ASA (config) # crypto key generate rsa modulus 1024 // generate the RSA key pair; the default length is 1024
ASA (config) # ssh 192.168.0.0 255.255.255.0 inside
ASA (config) # ssh timeout 30
ASA (config) # ssh version 2

Allow the intranet host PC1 to access the websites in the outside and dmz areas:
ASA (config) # nat-control
ASA (config) # nat (inside) 1 0 0
ASA (config) # global (outside) 1 int
ASA (config) # global (dmz) 1 192.168.1.100-192.168.1.110

Allow the external Out host to access the Web server in the dmz:
ASA (config) # static (dmz,outside) 200.1.1.253 192.168.1.1
ASA (config) # access-list out_to_dmz permit tcp any host 200.1.1.253 eq www
ASA (config) # access-group out_to_dmz in int outside

Allow the intranet host PC1 to ping the Out host on the Internet (the ICMP replies must be permitted inbound on the outside interface):
ASA (config) # access-list 111 permit icmp any any echo-reply
ASA (config) # access-list 111 permit icmp any any unreachable
ASA (config) # access-list 111 permit icmp any any time-exceeded
ASA (config) # access-group 111 in int outside

Save the settings:
ASA (config) # write memory
or
ASA (config) # copy running-config startup-config

Configuration Summary:
1. To access a low security level interface (Outside) from a high security level interface (Inside), you need to configure dynamic NAT with the nat and global commands.
2. To access a high security level interface from a low security level interface, you must configure an ACL.

III. Verification:
1. PC1 (192.168.0.88) can access the ASA device via SSH (using the putty tool); the SSH session can then be viewed on the ASA.
2. PC1 (192.168.0.88) can visit the dmz and outside websites.
3. The Out host can access the Web site in the dmz area; the address translation entry can be viewed on the ASA.
4. PC1 (192.168.0.88) can ping the host in the outside area. By default, the ASA device does not let ICMP packets traverse it, but the preceding configuration allows PC1's pings through, which can be verified from PC1. After debugging, it is better to disable ICMP traversal through the ASA firewall again; this improves security to a certain extent.
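The two rules in the configuration summary (high-to-low needs a nat/global pair under nat-control; low-to-high needs a static translation plus an inbound ACL on the low-security interface) can be checked without the emulator. The Python below is an added example, not code from the article or from Cisco: it parses a constructed copy of the lab's ASA commands into a small model of pre-8.3 ASA behaviour and decides the lab's flows. It also flags a point worth verifying in the lab as written: an ASA binds only one ACL per interface and direction, so `access-group 111 in interface outside` replaces the earlier `out_to_dmz` binding, and `FIXED_CONFIG` (hypothetical) folds the ICMP entry into the single ACL that stays bound to outside. The function names, the simplified model and the constructed config text are assumptions of this example.

```python
import ipaddress
import re
from types import SimpleNamespace

ANY = ipaddress.IPv4Network("0.0.0.0/0")
PORT_NAMES = {"www": 80, "http": 80, "https": 443}

# Constructed running-config form of the article's ASA commands (interface IP addresses and the
# unreachable/time-exceeded ICMP lines omitted); both access-groups on outside are kept as given.
LAB_CONFIG = """\
nameif inside
security-level 100
nameif outside
security-level 0
nameif dmz
security-level 50
nat (inside) 1 0 0
global (outside) 1 interface
global (dmz) 1 192.168.1.100-192.168.1.110
static (dmz,outside) 200.1.1.253 192.168.1.1
access-list out_to_dmz permit tcp any host 200.1.1.253 eq www
access-group out_to_dmz in interface outside
access-list 111 permit icmp any any echo-reply
access-group 111 in interface outside
"""
# Hypothetical fix: fold the ICMP entry into the one ACL that stays bound to outside.
FIXED_CONFIG = LAB_CONFIG.replace("access-list 111", "access-list out_to_dmz").replace(
    "access-group 111 in interface outside\n", "")

def _addr(t, i):
    """Consume one ACL address spec ('any' | 'host A' | 'A MASK') at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_asa(text):
    """Extract the parts of a pre-8.3 ASA config that decide whether a flow is allowed."""
    # levels: nameif -> security level; nat: (nameif, id) -> real-host network; globals_: (nameif, id);
    # statics: (real_if, mapped_if, mapped_ip, real_ip); acls: name -> entries; access_groups: (if, dir) -> name
    p = SimpleNamespace(levels={}, nat={}, globals_=set(), statics=[], acls={}, access_groups={}, warnings=[])
    cur = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        names = re.findall(r"\w+", t[1]) if len(t) > 1 else []   # "(dmz,outside)" -> ["dmz", "outside"]
        if t[0] == "nameif":
            cur = t[1]
        elif t[0] == "security-level":
            p.levels[cur] = int(t[1])
        elif t[0] == "nat":
            ip, mask = (x if x != "0" else "0.0.0.0" for x in t[3:5])   # "0 0" means any host
            p.nat[(names[0], t[2])] = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        elif t[0] == "global":
            p.globals_.add((names[0], t[2]))
        elif t[0] == "static":
            p.statics.append((names[0], names[1], ipaddress.IPv4Address(t[2]), ipaddress.IPv4Address(t[3])))
        elif t[0] == "access-list":
            i = 3 if t[2] == "extended" else 2
            action, proto = t[i], t[i + 1]
            src, i = _addr(t, i + 2)
            dst, i = _addr(t, i)
            qual = None                                  # TCP/UDP port or ICMP type name, if any
            if i < len(t):
                qual = (PORT_NAMES.get(t[i + 1]) or int(t[i + 1])) if t[i] == "eq" else t[i]
            p.acls.setdefault(t[1], []).append((action, proto, src, dst, qual))
        elif t[0] == "access-group":
            key, prev = (t[4], t[2]), p.access_groups.get((t[4], t[2]))
            if prev and prev != t[1]:                    # an ASA binds ONE ACL per interface/direction
                p.warnings.append(f"{key[0]}/{key[1]}: access-group {prev} replaced by {t[1]}")
            p.access_groups[key] = t[1]
    return p

def acl_permits(entries, proto, src, dst, qual):
    """First matching entry wins; every ASA ACL ends with an implicit deny."""
    for action, e_proto, s_net, d_net, e_qual in entries:
        if e_proto in (proto, "ip") and src in s_net and dst in d_net and e_qual in (None, qual):
            return action == "permit"
    return False

def flow_allowed(p, src_if, src_ip, dst_if, dst_ip, proto="tcp", qual=None):
    """Decide a flow's first packet (nat-control on); dst_ip is the address the client targets."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    if p.levels[src_if] > p.levels[dst_if]:
        # High -> low is allowed by default, but nat-control demands a nat/global pair for the hosts.
        for (ifname, nat_id), real_net in p.nat.items():
            if ifname == src_if and src in real_net and (dst_if, nat_id) in p.globals_:
                return True, f"high->low, translated by nat id {nat_id}, allowed by default"
        return False, "nat-control: no nat/global pair covers this flow"
    # Low -> high needs a static for the target plus a permitting inbound ACL on the low interface.
    if not any(r == dst_if and m == src_if and mapped == dst for r, m, mapped, _ in p.statics):
        return False, f"no static ({dst_if},{src_if}) translation for {dst}"
    acl = p.access_groups.get((src_if, "in"))
    if acl is None:
        return False, f"no access-group bound inbound on {src_if}"
    if acl_permits(p.acls.get(acl, []), proto, src, dst, qual):
        return True, f"permitted by ACL {acl}"
    return False, f"dropped by ACL {acl} (implicit deny)"
```

With `LAB_CONFIG`, `parse_asa` reports the replaced binding and `flow_allowed` denies the Out host's HTTP request to 200.1.1.253, because only ACL 111 (ICMP entries) is still applied to outside; with `FIXED_CONFIG` the same flow is permitted while SSH to the same address stays dropped by the implicit deny. On a real ASA the equivalent check is `show running-config access-group` after the last `access-group` command, confirming which ACL is actually bound to each interface.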

This article is from the "Do not go, come to chase" blog; please be sure to keep this source: http://netslyz.blog.51cto.com/1006247/408251
