Cisco Firewall-Application of ASA Security Device

Source: Internet
Author: User

Lab Environment1. prepare four virtual machines, use the windows 2003 system, configure the Web server and the Out server respectively, set up the site and, and set up the DNS server on the Out server to parse www. sjzz. comIP address: and www. out. comIP address: ). PC1 is an intranet client, windows XP is used, and is used for DNS servers. 2. Simulate an ASA System Using asa802-k8.bin, Qemu, qemuPCAP, Linux. 3. Use DynamipsGUI to simulate a vro. 650) this. width = 650; "onclick = 'window. open (" Refimg = "+ this. src) 'border =" 0 "alt =" "src =" "/>Lab Purpose: 1. You can only access ASA from PC1 through SSH; 2. You can access the website of outside and DMZ from PC1, and access the website of Dmz from the Out host. 3. ping the host from pc1.The IP addresses of each device are allocated as follows:: PC1: ASA firewall Inside interface: firewall Outside interface: firewall Dmz interface: router F0. 0.0.1/30ISP vrof0 F0/0: 200. 2.2.254/24Out server: server: following figure shows how to bridge network adapters of virtual machines.: Three NICs of the ASA firewall: VMnet0, VMnet1, and VMnet2PC1: VMnet0Web server: VMnet2Out server: VMnet8The router connection simulated by DynamipsGUI is as follows:: Router1 F0/0 <----> XPC P0/8
Router1 F1/0 <----> XPC P0/11. Configure vroisp ISP: Router (config) # int f0/0
Router (config-if) # ip add
Router (config-if) # no sh
Router (config-if) # int f1/0
Router (config-if) # ip add
Router (config-if) # no sh
Router (config-if) # exit
Router (config) # ip route Ii. Configure the ASA Device: Used to configure the host name, domain name, password for telnet or SSH) ciscoasa (config) # hostname ASA
ASA (config) # domain-name
ASA (config) # enable password cisco
ASA (config) # passwd cisco
Configure the Interface Name, security level, and IP address ASA (config) # int e0/0
ASA (config-if) # nameif inside
ASA (config-if) # security-level 100
ASA (config-if) # ip add
ASA (config-if) # no sh
ASA (config-if) # int e0/1
ASA (config-if) # nameif outside
ASA (config-if) # security-level 0
ASA (config-if) # ip add
ASA (config-if) # no sh
ASA (config-if) # int e0/2
ASA (config-if) # nameif dmz
ASA (config-if) # security-level 50
ASA (config-if) # ip add
ASA (config-if) # no sh
ASA (config-if) # configure SSH for route outside, allowing to access ASA: ASA (config) through SSH) # crypto key generate rsa modulus 1024 // generate the key pair. The default length is 1024ASA (config) # ssh insideASA (config) # ssh time
ASA (config) # ssh timeout 30
ASA (config) # ssh version 2 allows Intranet host PC1 to access the website configuration in the outside and dmz areas: ASA (config) # nat-controlASA (config) # nat (inside) 1 0 0
ASA (config) # global (outside) 1 int
ASA (config) # global (dmz) 1

Web server settings that allow external Out hosts to access dmz:
ASA (config) # static (dmz, outside)
ASA (config) # access-list out_to_dmz permit tcp any host eq www
ASA (config) # access-group out_to_dmz in int outside

Allow Intranet host PC1ping from Internet out host settings:
ASA (config) # access-list 111 permit icmp any echo-reply
ASA (config) # access-list 111 permit icmp any unreachable
ASA (config) # access-list 111 permit icmp any time-exceeded
ASA (config) # access-group 111 in int outside Save settings: ASA (config) # write memory or ASA (config) # copy running-config startup-config configuration Summary: 1. from high security level Inside) to access low security level Outside), you need to configure dynamic nat and global commands. 2. to access a high-security interface from a low-security interface, you must configure the ACL.Iii. Verification: 1. PC1 ( can access the ASA device via SSH using the putty tool): 650) this. width = 650; "onclick = 'window. open (" Refimg = "+ this. src) 'border = "0" alt = "" src = ""/> in this case, you can view the ssh session: 650) this. width = 650; "onclick = 'window. open (" Refimg = "+ this. src) 'border = "0" alt = "" src = ""/> 2. pc11900000.88) visit dmz and outside websites: 650) this. width = 650; "onclick = 'window. open (" Refimg = "+ this. src) 'border =" 0 "alt =" "src =" "/>
650) this. width = 650; "onclick = 'window. open (" Refimg = "+ this. src) 'border = "0" alt = "" src = ""/> 3. access the dmz area Web site from the Out Host: 650) this. width = 650; "onclick = 'window. open (" Refimg = "+ this. src) 'border = "0" alt = "" src = ""/> you can view the address translation entry: 650) this. width = 650; "onclick = 'window. open (" Refimg = "+ this. src) 'border = "0" alt = "" src = ""/> 4. ping the host in the outside area using PC1 ( By default, the ASA device prohibits ICMP packet traversal. However, in the preceding configuration, PC1 is allowed to ping the host, to verify: 650) this. width = 650; "onclick = 'window. open (" Refimg = "+ this. src) 'border = "0" alt = "" src = ""/> after debugging, it is better to Disable ICMP packets from traversing the ASA firewall, this improves security to a certain extent.

This article from the "Do not go, come to chase" blog, please be sure to keep this source

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.