One of the most important features for a firewall product is logging events. This blog will show you how to log management and analysis of the ASA, the principle and configuration of ASA transparent mode, and implement URL filtering using the iOS features of the ASA firewall.
First, URL filtering
With the feature URL filtering of the ASA firewall iOS, access to the website domain name can be controlled to achieve some management purposes.
The implementation of URL filtering is generally divided into the following three steps:
(1) Create a Class-map (class map) to identify the transport traffic.
(2) Create POLICY-MAP (policy map), associate Class-map.
(3) Apply Policy-map to the interface.
case: as shown, implementing a host in a network segment 192.168.1.0/24 prohibits access to www.4399.com, but allows access to other sites, such as www.163.com
650) this.width=650; "src=" Https://s1.51cto.com/wyfs02/M00/07/4F/wKiom1nHdySS3QrsAADpyb-eAUQ007.png "title=" Yang Shufan 04.png "alt=" Wkiom1nhdyss3qrsaadpyb-eauq007.png "/>
The configuration steps are as follows:
(1) Configure the interface IP, realize the whole network interworking (slightly)
(2) Create a Class-map (class map) to identify the transport traffic.
Asa (config) # access-list aaa permit tcp 192.168.1.0 255.255.255.0 any eq www //create Aclasa (config) # class-map aaa1 //Create Class-mapasa (CONFIG-CMAP) # match access-list aaa //defines the allowed traffic in Class-map ASA (CONFIG-CMAP) # exitasa ( config) # regex urla "\.4399\.com" //defines a regular expression named Urla, which indicates that the URL extension is "4399.com" Asa (config) # class-map type regex match-any urla1 //creates a class-map with a type of regex,match-any that matches any of the ASA ( CONFIG-CMAP) # match regex urla //definition Urlasa (config-cmap) # exitasa (config) # Class-map type inspect http urla2 //Create Class-map, type inspect http ( Check HTTP traffic) ASA (CONFIG-CMAP) # match request header host regex class urla1 //the URL extension in the host domain in the HTTP request header will be discarded if it is "4399.com". REGEX CLASS URLA1 represents a call to Class-map with the name Urla1
(3) Create POLICY-MAP (policy map), associate Class-map.
Asa (config) # policy-map type Inspect HTTP policy1//Create POLICY-MAP, type inspect HTTP (check HTTP traffic) ASA (CONFIG-PMAP) # class URL A2//Call the Class-mapasa (config-pmap-c) # drop-connection Log//drop packet that was created before and close the connection and send the System log Asa (config) # p Olicy-map policy2//Create policy-map that will be applied to the interface ASA (CONFIG-PMAP) # class AAA1//Call before the Class-mapasa created (CO NFIG-PMAP-C) # Inspect HTTP policy1//check HTTP traffic
(4) Apply Policy-map to the interface.
Asa (config) # Service-policy Policy2 interface inside
Note: an interface can only apply one policy-map.
Second, log management
One of the most important features of any firewall product is logging events, and the ASA uses a synchronization log (syslog) to record all events that occur on the firewall.
1. Security level of log information
The security level of the log information is divided into eight levels:
650) this.width=650; "src=" Https://s4.51cto.com/wyfs02/M02/A6/01/wKioL1nHiK-SSY_IAACovh9MF7g504.png "title=" Yang Shufan 05.png "alt=" Wkiol1nhik-ssy_iaacovh9mf7g504.png "/>
The urgency of information is ranked high and low in importance, emergencies (very urgent) is of the highest importance, while debugging (commissioning) is of the lowest importance.
2 . Configuration Log
Log information can be exported to log buffer (log buffers), ASDM, and log servers.
Before configuring the log, you typically need to configure the time zone and times, as follows:
(1) Configure the time zone with the following command:
Asa (config) # clock timezone Peking 8
Where Peking is used to indicate the name of the time zone, 8 refers to the offset from the international standard Time, the value range is 23 ... 23.
(2) Configure the time, the command is as follows:
Asa (config) # clock set 19:30:00 SEP 2017
You can then configure log Buffer, ASDM, and the log server separately.
(3) Configure log Bufferwith the following command:
Asa (config) # logging Enableasa (config) # logging buffered informational//configuration log level, can also write 6, representing levels above 6 (0-6 levels)
Note: The default size for log buffer is 4KB.
Asa (config) # Show logging//view log Bufferasa (config) # clear logging buffer//clear Log Buffer
(4) Configure the ASDM log with the following command:
Asa (config) # logging Enableasa (config) # logging ASDM Informational//represents levels above 6, informational available 6 means Asa (config) # CLE AR logging ASDM//Clear ASDM
(5) Configuring the log server
Currently, there are many log server software. Firewall Analyzer is a Web-based firewall log analysis software that enables you to monitor network perimeter security devices, collect and archive logs, and generate reports. Firewall Analyzer can help network security administrators monitor bandwidth and firewall security events, gain a comprehensive understanding of network security, monitor usage/unused firewall policies and optimize policies, and plan network capacity through trend analysis. Firewall Analyzer supports a variety of devices/vendors that support Windows and Linux platforms.
Case: Install firewall Analyzer 6 on win 2008 as shown
650) this.width=650; "src=" Https://s2.51cto.com/wyfs02/M02/A6/01/wKioL1nHklKQ9QBUAACq2MJE1jw628.png "title=" Yang Shufan 07.png "alt=" Wkiol1nhklkq9qbuaacq2mje1jw628.png "/>
The configuration of the ① on the ASA firewall is as follows:
Asa (config) # logging Enableasa (config) # logging timestamp//enable timestamp Asa (config) # logging trap Informationalasa (config # Logging host inside 192.168.0.1//define the IP address of the log server and the interface of the ASA
The ASA communicates with the log server by default using the UDP protocol 514 port.
After the ②firewall Analyzer 6 is installed, two syslogserver are enabled by default, listening for UDP 514 ports and 1514 ports respectively. First Use Firewall Analyzer to start the service program, and then use "Firewall Analyzer Web Client" to enter the client interface, enter the initial user name and password.
③ runs the command ping 192.168.0.1-l 10000-t simulated attack on the host Windows7 and then can view the corresponding event on the Web interface of Firewall Analyzer.
650) this.width=650; "src=" Https://s5.51cto.com/wyfs02/M00/A6/02/wKioL1nHmDLTsoL-AAKyFxLgJxE194.png "title=" Yang Shufan 08.png "alt=" Wkiol1nhmdltsol-aakyfxlgjxe194.png "/>
Under Security Statistics, click View syslogs to view detailed log information.
④ can generate reports from Firewall Analyzer's event summary reports and security reports.
650) this.width=650; "src=" Https://s1.51cto.com/wyfs02/M00/07/51/wKiom1nHmRrxqwe4AALfcavmdxU592.png "title=" Yang Shufan 09.png "alt=" Wkiom1nhmrrxqwe4aalfcavmdxu592.png "/>
Third, transparent mode
The ASA security appliance can operate in two modes, the route mode and the transparent mode, by default the ASA is in route mode.
650) this.width=650; "src=" Https://s1.51cto.com/wyfs02/M01/07/51/wKiom1nHm1rAeAFxAACkDlNKUu4399.png "title=" Yang Shufan 10.png "alt=" Wkiom1nhm1raeafxaackdlnkuu4399.png "/>
1. Transparent mode
The ASA supports transparent mode starting with version 7.0.
Under routing by default, the ASA acts as a three-tier device, forwarding packets based on the destination IP address; In transparent mode, the ASA acts as a two-tier device that forwards the data frame based on the destination MAC address (when NAT is not configured).
In versions prior to 8.0, nat,8.0 and its subsequent versions were not supported in transparent mode to support NAT configuration. If the Nat,asa forwarding packet is configured, the route lookup is still used.
While in transparent mode, the ASA is a two-tier device, but differs from the switch processing data frames.
* for unicast data frames where the destination MAC address is unknown, the ASA does not flood but is discarded directly.
* The ASA does not participate in the STP (Spanning Tree Protocol).
The destination MAC address for the default allow traversal in transparent mode is as follows:
* broadcast MAC address: FFFF.FFFF.FFFF
* Ipv4 multicast MAC addresses from 0100.5e00.0000 to 0100.5EFE.FFFF.
* Ipv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF.
* BPDU Multicast MAC Address: 0100.0CCC.CCCD (Cisco private).
* AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF.
The default three-tier traffic allowed in transparent mode is as follows:
* allow IPV4 traffic to automatically go from high-level interfaces to low-level interfaces without having to configure ACLs.
* allow ARP traffic to traverse in both directions without having to configure ACLs.
While the ASA is running in transparent mode, it continues to use application-tier intelligence to perform state detection and general firewall functions, but only two zones are supported.
In transparent mode, you do not need to configure an IP address on the interface so that you do not have to redesign your existing IP network for easy deployment.
2. Configuration of Transparent mode
(1) Switch to transparent mode, the command is as follows:
Asa (config) # firewall Transparentciscoasa (config) #
It is important to note that the current configuration is cleared when switching.
The commands to view the current working mode are as follows:
Ciscoasa (config) # Show firewall
If you want to re-switch to route mode, you need to use the command:no firewall transparent.
(2) Managing IP addresses
You need to assign an IP address to the ASA for administrative purposes, and the management IP address must be in the same connection subnet. The ASA uses the administrative IP address as the source IP address of the packet originating from the ASA, such as a system message, AAA, or syslog server.
The configuration commands for managing IP addresses are as follows
Ciscoasa (config) #ip address IP [mask]
(3) MAC Address Table and learning
ciscoasa# Show mac-address-table//View MAC Address Table Ciscoasa (config) # mac-address-table aging-time minutes//Set up dynamic Mac strip purpose Expiration Time (default 5 minutes) Ciscoasa (config) # mac-address-table static logical_if_name mac_address//Set static Mac entry Ciscoasa (config) # mac-l Earn Logical_if_name Disable//Disable MAC address learning for specific interfaces
Case 1:The company has added a firewall for network security, configured ASA transparent mode for ease of deployment, and the management IP address is configured as 192.168.1.253
650) this.width=650; "src=" Https://s4.51cto.com/wyfs02/M01/A6/02/wKioL1nHn0eB0rV0AACO60iG6Rw288.png "title=" Yang Shufan 11.png "alt=" Wkiol1nhn0eb0rv0aaco60ig6rw288.png "/>
The ASA is configured as follows:
Ciscoasa (config) # firewall Transparentciscoasa (config) # hostname Asaasa (config) # int E0/0asa (config-if) # no Shasa ( CONFIG-IF) # Nameif Outsideasa (config-if) # security-level 0asa (config) # int E0/1asa (config-if) # no Shasa (config-if) # Nameif Insideasa (config-if) # Security-level 100asa (config-if) # Exitasa (config) # IP add 192.168.1.253 255.255.255.0/ /Configuration Management IP Address
Case 2: as shown in order to enhance the security of the managed server, an ASA is added and configured as transparent mode, the management IP address is 209.165.201.1/28
650) this.width=650; "src=" Https://s2.51cto.com/wyfs02/M00/07/52/wKiom1nHpc_yUUhqAACPSTnUjks008.png "title=" Yang Shufan 12.png "alt=" Wkiom1nhpc_yuuhqaacpstnujks008.png "/>
The ASA is configured as follows:
ciscoasa (config) # firewall transparentciscoasa (config) # Hostname asaasa (config) # int e0/0asa (config-if) # no shutasa (config-if) # int e0/0.10asa (config-if) # vlan 10asa (config-if) # nameif insideasa (config-if) # int e0/0.20asa (config-if) # vlan 20asa (config-if) # nameif outsideasa (config) # ip add 209.165.201.1 255.255.255.240asa (config) # access-list ysf permit icmp any any asa (config) # access-list ysf permit tcp any any eq 80asa (config) # access-list ysf permit tcp any any eq 21asa ( config) # access-list ysf permit tcp any any eq 25asa (config) # Access-list ysf deny ip any anyasa (config) # access-group ysf in Interface outside
This article is from the "Yang Shufan" blog, make sure to keep this source http://yangshufan.blog.51cto.com/13004230/1968241
Firewall (ASA) Advanced configuration URL filtering, log management, transparent mode