Cisco ASA Advanced Configuration
First, preventing IP fragment attacks
1. The principle of IP fragmentation;
2. Security issues with IP fragmentation;
3. Preventing IP fragment attacks.
These three topics were covered in detail in an earlier article and are not repeated here. For more information, see the previous article: IP fragmentation principle and analysis.
Second, URL filtering
Using the URL filtering feature of the ASA firewall IOS, you can control which website domain names may be visited, which serves a management purpose.
URL filtering is generally implemented in the following three steps:
(1) Create a class-map to identify the traffic to be matched.
(2) Create a policy-map and associate the class-map with it.
(3) Apply the policy-map to an interface.
Note: only one policy-map can be applied to an interface.
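A complete worked configuration for the three steps above, added here as an example (it is not from the original article): it blocks HTTP requests to one domain by matching the Host header through HTTP inspection. The regex, class-map and policy-map names, the interface name inside and the domain example.com are assumed for illustration.

```cisco
! Added example, not from the original article. Names and the domain are assumed.
! The regex matches the domain anywhere in the value of the HTTP Host header.
regex BLOCKED_DOMAIN_RE "\.example\.com"
!
! Step 1: class-maps that identify the traffic
! 1a: a regex class grouping the blocked domain(s)
class-map type regex match-any BLOCKED_DOMAINS
 match regex BLOCKED_DOMAIN_RE
! 1b: an HTTP inspection class matching requests whose Host header hits the regex class
class-map type inspect http match-all BLOCK_HOST
 match request header host regex class BLOCKED_DOMAINS
! 1c: a layer-3/4 class selecting the TCP port 80 flows that will be inspected
class-map HTTP_TRAFFIC
 match port tcp eq www
!
! Step 2: policy-maps that associate the class-maps with an action
! 2a: HTTP inspection policy: drop the connection and log each match
policy-map type inspect http HTTP_URL_FILTER
 parameters
 class BLOCK_HOST
  drop-connection log
! 2b: layer-3/4 policy that applies the inspection policy to HTTP_TRAFFIC
policy-map INSIDE_POLICY
 class HTTP_TRAFFIC
  inspect http HTTP_URL_FILTER
!
! Step 3: apply the policy-map to the interface (one policy-map per interface)
service-policy INSIDE_POLICY interface inside
```

After it is applied, show service-policy interface inside lists the policy with its packet counters, and each dropped request produces a syslog message because of the log keyword. Since the match is made on the plaintext HTTP Host header, the domain is not visible inside HTTPS connections, which this policy leaves untouched.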
Third, log management
For any firewall product, logging events is one of the most important features. The ASA uses the system log (syslog) to record all events that occur on the firewall.
1. Security levels of log messages
Log messages are divided into eight security levels.
Messages are ranked by urgency from high to low: Emergencies (most urgent) is the highest level of importance, and Debugging is the least important.
2. Configuring logging
Log messages can be output to the log buffer, to ASDM and to a log server.
Before configuring logging, you normally need to configure the time zone and the time, as follows:
1) Configure the time zone:
The command is as follows:
Asa(config)# clock timezone Peking 8
where Peking is the name of your time zone and 8 is the offset in hours from Coordinated Universal Time; the value range is -23 to 23.
2) Configure the time:
The command is as follows:
Asa(config)# clock set 10:30:00 <day> June 2013
where 10 is the hour, 30 the minutes, 00 the seconds, <day> the day of the month, June the month and 2013 the year.
You can then configure the log buffer, ASDM logging and the log server individually.
3) Configure the log buffer
The commands are as follows:
Asa(config)# logging enable
Asa(config)# logging buffered informational   // log at the informational level; you can also write 6, meaning level 6 and above (levels 0 to 6)
Note: the default size of the log buffer is 4 KB.
To view the log buffer, use the following command:
Asa(config)# show logging
To clear the log buffer, use the following command:
Asa(config)# clear logging buffer
4) Configure ASDM logging
The commands are as follows:
Asa(config)# logging enable
Asa(config)# logging asdm informational
To clear the ASDM log, use the following command:
Asa(config)# clear logging asdm
5) Configure the log server
There are many log server products. Firewall Analyzer is a web-based firewall log analysis program that lets you monitor network perimeter security devices, collect and archive logs, and generate reports. It lets network security administrators monitor bandwidth and firewall security events, get a complete picture of network security, monitor used and unused firewall policies, optimize policies, and plan network capacity through trend analysis. Firewall Analyzer supports devices from many vendors and runs on Windows and Linux.
Network environment:
A Windows 7 host acts as the visitor and a Windows Server 2008 host with Firewall Analyzer 6 installed acts as the log server; the two are separated by the firewall.
The configuration is as follows:
(1) On the ASA firewall, configure:
Asa(config)# logging enable
Asa(config)# logging timestamp   // enable time stamps
Asa(config)# logging trap informational
Asa(config)# logging host inside 192.168.0.1   // IP address of the log server and the ASA interface it connects to
By default the ASA communicates with the log server over UDP port 514.
(2) After Firewall Analyzer 6 is installed, two syslog servers are enabled by default, listening on UDP ports 514 and 1514 respectively. Start the service, open the Firewall Analyzer Web Client to enter the user interface, and log in with the initial user name and password.
(3) On the Windows 7 host, run ping 192.168.0.1 -l 10000 -t to simulate the attack; the corresponding events can then be viewed on the Firewall Analyzer web interface.
Under Security Statistics, click View syslogs to see the detailed log information.
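The logging steps above, collected into one configuration, added here as an example (it is not from the original article). The time zone name, the day of the month, the 64 KB buffer size and the server 192.168.0.1 on the inside interface are assumed values for illustration.

```cisco
! Added example, not from the original article. Time zone, date, buffer size
! and the syslog server address are assumed values.
!
! Time zone (UTC+8) first, so that time stamps are meaningful.
clock timezone Peking 8
! clock set is an EXEC command; the ASA also accepts it at the config prompt.
clock set 10:30:00 1 June 2013
!
! Turn logging on and stamp every message with the local time.
logging enable
logging timestamp
!
! Internal buffer: informational (level 6) and above, 64 KB instead of the 4 KB default.
logging buffered informational
logging buffer-size 65536
!
! ASDM log viewer at the same level.
logging asdm informational
!
! Remote syslog server: level 6 and above go to 192.168.0.1 via UDP port 514 (default).
logging trap informational
logging host inside 192.168.0.1
```

show clock confirms the time and zone, and show logging shows both the logging settings (buffer, ASDM and trap levels, configured host) and the buffered messages themselves.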
The format of a log message is as follows:
%ASA-level-message_number: message_text
The fields have the following meanings:
level: the security level number.
message_number: the number of the log message, a 6-digit number.
message_text: a description of the log message.
Note:
Although Debugging-level logging can help diagnose and troubleshoot network failures, use it with great care: the debugging level generates a very large number of log messages, and improper use can impair the operation of the firewall.
(4) Firewall Analyzer can generate Event Summary reports and security reports.
Fourth, transparent mode
The ASA security appliance can operate in two modes, routed mode and transparent mode; by default the ASA is in routed mode.
1. Transparent mode overview
The ASA supports transparent mode from version 7.0.
In routed mode (the default), the ASA acts as a layer-3 device that forwards packets based on the destination IP address; in transparent mode it acts as a layer-2 device that forwards frames based on the destination MAC address (when NAT is not configured).
Versions before 8.0 do not support NAT in transparent mode; 8.0 and later versions do. If NAT is configured, the ASA still forwards packets using a route lookup.
Although the ASA in transparent mode is a layer-2 device, it handles frames differently from a switch:
1) Unicast frames with an unknown destination MAC address are not flooded by the ASA but discarded directly.
2) The ASA does not participate in STP (Spanning Tree Protocol).
The destination MAC addresses allowed through by default in transparent mode are as follows:
1) Broadcast MAC address: FFFF.FFFF.FFFF
2) IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF.
3) IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF.
4) BPDU multicast MAC address: 0100.0CCC.CCCD (Cisco proprietary).
5) AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF.
The layer-3 traffic allowed by default in transparent mode is as follows:
1) IPv4 traffic is allowed automatically from a higher-security interface to a lower-security interface without configuring an ACL.
2) ARP traffic is allowed in both directions without configuring an ACL.
When running in transparent mode, the ASA still uses application-layer intelligence to perform stateful inspection and the usual firewall functions, but only two zones are supported.
No IP address needs to be configured on the interfaces in transparent mode, so the existing IP network does not have to be redesigned, which makes deployment easy.
2. Transparent mode configuration
1) Switch to transparent mode
The command is as follows:
Asa(config)# firewall transparent
ciscoasa(config)#
Note: the current configuration is cleared when switching.
To view the current working mode, use the following command:
ciscoasa(config)# show firewall
Firewall mode: transparent
To switch back to routed mode, use the command no firewall transparent.
2) Management IP address
The ASA must be assigned an IP address for management purposes, and the management IP address must belong to the connected subnet. The ASA uses the management IP address as the source IP address of packets that originate from the ASA, such as system messages sent to an AAA or syslog server.
The command for configuring the management IP address is as follows:
ciscoasa(config)# ip address ip_address [subnet_mask]
3) MAC address table and learning
To view the MAC address table, use the following command:
ciscoasa# show mac-address-table
To set the expiration time of dynamic MAC entries (default 5 minutes), use the following command:
ciscoasa(config)# mac-address-table aging-time minutes
To set a static MAC entry, use the following command:
ciscoasa(config)# mac-address-table static logical_if_name mac_address
To disable MAC address learning on a specific interface, use the following command:
ciscoasa(config)# mac-learn logical_if_name disable
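The commands above, assembled into one minimal transparent-mode configuration, as an added example that is not from the original article. It follows the pre-8.4 form the article uses (a single global ip address for management; from 8.4 the address is configured on a bridge-group BVI interface instead). The interface names, the 192.168.1.0/24 subnet, the management address 192.168.1.254, the MAC address 0011.2233.4455 and the web server 192.168.1.10 are assumed values.

```cisco
! Added example, not from the original article. Interface names, subnet,
! addresses and the static MAC entry are assumed values.
!
! Switch to transparent mode (this clears the running configuration).
firewall transparent
!
! Both interfaces stay in one layer-2 segment: only nameif and security-level
! are set; no IP addresses on the interfaces themselves.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Management IP address in the connected subnet; it is the source address of
! ASA-originated packets such as syslog and AAA.
ip address 192.168.1.254 255.255.255.0
!
! MAC address table: 10-minute aging, a static entry for the upstream router,
! and no dynamic learning on the outside interface.
mac-address-table aging-time 10
mac-address-table static outside 0011.2233.4455
mac-learn outside disable
!
! ARP passes in both directions by default and IPv4 only from the high-security
! side, so outside-initiated traffic needs an explicit ACL.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq www
access-group OUTSIDE_IN in interface outside
```

show firewall confirms the mode, and show mac-address-table lists the static entry alongside any dynamically learned ones; with learning disabled on outside, frames from unknown source MAC addresses on that interface no longer add entries.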
Glossary:
identification (identifier); offset; fragment; inspect; buffer; transparent; match; timezone; timestamp; MTU (Maximum Transmission Unit); teardrop