Cisco's ASA is a stateful firewall: it maintains a connection table (the conn table) that records the sessions passing through it. By default the ASA tracks TCP and UDP connections statefully; ICMP is not tracked unless ICMP inspection is enabled, so an ICMP reply is treated as a brand-new packet rather than as the return half of an existing session.
The packet traversal process on the ASA is as follows:
For a new TCP connection request:
1. The ASA checks whether an ACL permits the connection.
2. The ASA performs a route lookup; if a route to the destination exists, it creates a conn entry.
3. The inspection engine applies its predefined rules, and the inspection result decides whether the packet is forwarded.
4. When the return packet arrives, the ASA looks it up in the conn table: if a matching entry exists the packet is allowed through, otherwise it is dropped.
If a packet arriving from a lower-security interface is destined for a higher-security interface, it is forwarded only if it matches either an existing conn entry or an ACL entry on the inbound interface.
ASA access rules (default behaviour)
Traffic from an interface with a higher security level to an interface with a lower security level is allowed.
Traffic from an interface with a lower security level to an interface with a higher security level is denied, unless an ACL permits it or a conn entry already exists.
Two interfaces with the same security level cannot reach each other, unless same-security-traffic permit inter-interface is configured.
Below are some basic ASA configurations, worked through in a lab.
Lab topology
Software: GNS3 0.8.6; ASA image: ASA 8.0(2)
(Topology figure omitted: R1 f0/0 connects to ASA1 e0/0, and R2 f0/0 connects to ASA1 e0/1.)
Lab requirements
Allow R1's loopback to communicate with R2
Allow R1 and R2 to telnet to each other
Allow R1 to telnet to the ASA
Allow R2 to manage the ASA over SSH
Address plan
R1 Loopback 0: 192.168.10.1/24 (simulates the internal network segment)
R1 f0/0: 11.0.0.2/24
R2 f0/0: 12.0.0.2/24
R2 Loopback 0: 202.106.1.1/24
ASA1 e0/0: 11.0.0.1/24
ASA1 e0/1: 12.0.0.1/24
R1 configuration:
Basic commands are not explained here. The plaintext vty and enable passwords are lab-only; in production use enable secret and local user accounts.
R1#conf t
R1(config)#int f0/0
R1(config-if)#ip add 11.0.0.2 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int loo 0
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 11.0.0.1
R1(config)#line vty 0 4
R1(config-line)#password abc123
R1(config-line)#login
R1(config-line)#exit
R1(config)#enable password abc123
R2 configuration:
R2#conf t
R2(config)#int f0/0
R2(config-if)#ip add 12.0.0.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int loo 0
R2(config-if)#ip add 202.106.1.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 12.0.0.1
R2(config)#line vty 0 4
R2(config-line)#password abc123
R2(config-line)#login
R2(config-line)#exit
R2(config)#enable password abc123
ASA1 configuration:
In the GNS3-emulated ASA, run /mnt/disk0/lina_monitor from the Linux shell to get to the ASA command line.
ciscoasa> enable
Password: // no enable password is set yet, so just press Enter
ciscoasa# conf t
ciscoasa(config)# hostname ASA1 // change the device name
ASA1(config)# int e0/0
ASA1(config-if)# nameif inside // an ASA interface must have a logical name (any name you choose) before its IP address takes effect. The interface named "inside" gets security level 100 by default; every other name gets 0. The level can be set explicitly with "security-level".
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip add 11.0.0.1 255.255.255.0
ASA1(config-if)# no shut
ASA1(config-if)# int e0/1
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip add 12.0.0.1 255.255.255.0
ASA1(config-if)# no shut
View interface information with show interface ip brief.
View the ASA routing table with show route.
The ASA currently has only the two directly connected routes; it has no routes to the loopbacks on R1 and R2.
Add static routes:
ASA1(config)# route outside 202.106.1.0 255.255.255.0 12.0.0.2
ASA1(config)# route inside 192.168.10.0 255.255.255.0 11.0.0.2
Check with show route again: both loopback segments now appear as static routes.
Can R1 telnet to R2 (202.106.1.1) now?
Yes, it succeeds: inside (security level 100) to outside (security level 0) is allowed by default, and the route lookup succeeds.
Use show conn detail to view the ASA's conn table.
The conn table shows one TCP connection: inside host 11.0.0.2 to outside host 202.106.1.1 on port 23. This is the entry that lets the Telnet return traffic back in.
Can R1 ping R2?
No, the ping fails.
Because the ASA by default tracks only TCP and UDP, the outbound echo request creates no conn entry; when the echo reply arrives on the outside interface it matches neither a conn entry nor an ACL, so it is dropped.
Use an ACL to permit the ICMP return traffic:
ASA1(config)# access-list 110 extended permit icmp 202.106.1.0 255.255.255.0 192.168.10.0 255.255.255.0
As noted above, the higher security level interface may initiate to the lower one, so only the return direction needs permitting: this entry allows ICMP from the 202.106.1.0/24 segment to the 192.168.10.0/24 segment. Note that it permits every ICMP type from that segment inbound, not only echo replies, and that it only covers replies addressed to R1's loopback segment (a ping sourced from 11.0.0.2 would still be dropped).
ASA1(config)# access-group 110 in interface outside // apply the list in the inbound direction on the outside interface
Test: ping from R1's loopback to R2 again.
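A tighter alternative, added here as an example and not part of the original lab: instead of opening all ICMP from the outside segment with an ACL, enable ICMP inspection so the ASA creates a conn entry for each echo request and matches the reply against it, the same way it already tracks TCP and UDP. This assumes the global_policy service policy and inspection_default class that a factory ASA 8.0 configuration ships with; if the running config was cleared, the class-map and service-policy lines below recreate them.

```cisco
ASA1(config)# class-map inspection_default               // default class (already present in a factory config)
ASA1(config-cmap)# match default-inspection-traffic
ASA1(config-cmap)# exit
ASA1(config)# policy-map global_policy                   // default global policy (already present in a factory config)
ASA1(config-pmap)# class inspection_default
ASA1(config-pmap-c)# inspect icmp                        // an echo request now creates a conn entry; only the matching reply is let back in
ASA1(config-pmap-c)# inspect icmp error                  // also tie ICMP errors (unreachable, TTL exceeded) to the conn that triggered them
ASA1(config-pmap-c)# exit
ASA1(config-pmap)# exit
ASA1(config)# service-policy global_policy global        // apply globally; skip if the factory config already has this line
ASA1(config)# show conn                                  // while R1 pings R2, an ICMP entry now appears here
```

With inspection on, the permit icmp entry in ACL 110 is no longer needed for the inside-initiated ping and can be removed, so the outside ACL is left permitting only what must be initiated from outside. Pings initiated from R2 toward the inside still need an explicit ACL permit, as the security-level rule requires.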
Now consider: can R2 telnet to R1?
No, it is refused.
This is expected from the above: nothing in the ASA's conn table or ACLs matches a connection initiated from the outside interface (security level 0) toward inside (security level 100).
Define the ACL entry:
ASA1(config)# access-list 110 extended permit tcp 202.106.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 23
This permits the 202.106.1.0/24 segment to reach port 23 on the 192.168.10.0/24 segment. Because ACL 110 is already applied to the outside interface, it does not need to be applied again.
Test: telnet from R2's loopback to R1's loopback again.
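An added example (not from the original post) of making the outside ACL observable once it is in place: an explicit logged deny at the end of ACL 110 turns silently dropped inbound attempts into syslog messages, and the per-entry hit counters show which permits are actually being used. This assumes the ASA's local log buffer is acceptable for the lab; in production the same messages would be sent to a syslog server with logging host.

```cisco
ASA1(config)# logging enable                              // turn the syslog subsystem on
ASA1(config)# logging buffered informational             // keep informational and above in the local buffer
ASA1(config)# access-list 110 extended deny ip any any log   // explicit final deny with logging; the implicit deny drops silently
ASA1(config)# show access-list 110                       // per-ACE hit counters: which entries are matching
ASA1(config)# show logging | include 106100              // each match on an ACE carrying "log" is reported as a 106100 message
```

Because new ACEs are appended, any further permit must be inserted ahead of the deny with access-list 110 line N ..., otherwise it is never reached.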
Configure Telnet access to the ASA
ASA1(config)# enable password abc123 // privileged-mode password
ASA1(config)# passwd abc123 // Telnet login password
ASA1(config)# telnet 192.168.10.0 255.255.255.0 inside // allow Telnet from the 192.168.10.0/24 segment on the inside interface. The ASA refuses Telnet on its lowest-security interface (here, outside), so Telnet can only be enabled on inside. Telnet sends credentials in clear text, so use it only in a lab.
Test: telnet from R1's loopback to the ASA (11.0.0.1).
Configure Telnet login with a user name and password
ASA1(config)# username test password abc123 // create a local user
ASA1(config)# aaa authentication telnet console LOCAL // authenticate Telnet logins against the local user database; the LOCAL keyword must be upper case
Test: telnet from R1 to the ASA again; the login now prompts for a user name and password.
Managing the device over SSH
SSH is the only way to manage the ASA from its lowest-security interface, since Telnet is refused there; in general SSH should be preferred on every interface, because Telnet sends credentials in clear text.
The SSH configuration is as follows:
ASA1(config)# crypto key generate rsa modulus 1024 // generate an RSA key pair with a 1024-bit modulus (2048 is the recommended minimum today)
ASA1(config)# ssh version 2 // accept only SSH version 2
ASA1(config)# ssh 12.0.0.2 255.255.255.255 outside // allow SSH from the single host 12.0.0.2 on the outside interface
Test: from R2, ssh -l pix 12.0.0.1
-l: the user name to log in with
The ASA's default SSH user name is pix, and its password is the Telnet password set with passwd. This fixed account is insecure; once SSH is configured to authenticate against local user names, the pix account can no longer log in.
SSH login with a local user name
ASA1(config)# aaa authentication ssh console LOCAL
Test: from R2, ssh -l test 12.0.0.1 (the local user created above)
Login successful.
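Putting the management access together, as an added example (not from the original post) of the settings a practitioner would want once SSH works: a dedicated local administrator account, local authentication on every management path so that the shared passwd and enable secrets and the built-in pix user are out of the picture, SSH version 2 only with an idle timeout and a tight source restriction, and plaintext Telnet removed. The user name admin and its password are placeholders; choose your own.

```cisco
ASA1(config)# username admin password Use-A-Long-Passphrase privilege 15   // placeholder admin account
ASA1(config)# aaa authentication ssh console LOCAL        // SSH logins use the local user database; the pix user no longer works
ASA1(config)# aaa authentication telnet console LOCAL     // Telnet, while it is still enabled, also uses local users instead of passwd
ASA1(config)# aaa authentication enable console LOCAL     // enable prompts for the logged-in user's own password
ASA1(config)# aaa local authentication attempts max-fail 5 // lock a local account after 5 consecutive failed logins
ASA1(config)# ssh version 2                               // refuse SSHv1 clients
ASA1(config)# ssh timeout 10                              // drop idle SSH sessions after 10 minutes
ASA1(config)# ssh 12.0.0.2 255.255.255.255 outside        // management host on the outside: one address, not a whole segment
ASA1(config)# ssh 192.168.10.0 255.255.255.0 inside       // management from the inside segment over SSH as well
ASA1(config)# no telnet 192.168.10.0 255.255.255.0 inside // remove plaintext Telnet once SSH from inside is confirmed working
ASA1(config)# write memory                                // save, otherwise the change is lost on reload
```

Remove the Telnet line only after requirement 3 (Telnet from R1) is no longer needed. Note that the user test created earlier has the default privilege level 2, so with enable authentication set to LOCAL it would not reach a full privileged prompt; use the privilege 15 account for administration.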
Supplementary commands:
write memory // save the configuration
clear configure all // clear the entire running configuration
clear configure access-list // clear all access control lists
write erase // delete the startup-config file
This article is from the "Sunj" blog; please keep the source link: http://sunjie123.blog.51cto.com/1263687/1718606
Cisco ASA basic theory and configuration