Background: As networks grow, network security has become an important topic. More and more companies choose a firewall as the company's egress device. Compared with a router, a firewall not only forwards and routes traffic, it can also filter internal and external traffic to further strengthen the security of the company's network.
Tutorial topology:
[Figure 1.png: lab topology]
Objective: Divide the company's intranet into two VLANs, VLAN 10 and VLAN 20. Use the layer-3 switch M1 as the gateway and the Cisco firewall asa1 as the company's egress device. R1 is the carrier's router; its loopback address 1.1.1.1/32 simulates the Internet.
Configure PAT on asa1 so that intranet hosts can access the Internet.
Configure asa1 so that R1 can remotely manage the SW1 switch.
Tutorial steps:
1. Perform the basic configuration first
SW1
SW1# conf t
SW1(config)# no ip routing
SW1(config)# vlan 10,20
SW1(config-vlan)# int f1/1
SW1(config-if)# switchport access vlan 10
SW1(config-if)# int f1/2
SW1(config-if)# switchport access vlan 20
SW1(config-if)# int f1/3
SW1(config-if)# switchport mode trunk
M1
M1# conf t
M1(config)# ip routing
M1(config)# vlan 10,20
M1(config-vlan)# int f1/1
M1(config-if)# no sh
M1(config-if)# switchport mode trunk
M1(config-if)# ex
M1(config)# int vlan 10
M1(config-if)# ip add 192.168.10.1 255.255.255.0
M1(config-if)# no sh
M1(config-if)# int vlan 20
M1(config-if)# ip add 192.168.20.1 255.255.255.0
M1(config-if)# no sh
M1(config-if)# ex
M1(config)# int f0/0
M1(config-if)# ip add 11.0.0.1 255.255.255.0
M1(config-if)# no sh
M1(config-if)# ex
M1(config)# ip route 0.0.0.0 0.0.0.0 11.0.0.2    // default route pointing at the egress firewall
asa1
Note: When configuring the interfaces of an ASA firewall, you must name the internal interface inside and the external interface outside. The name inside automatically receives security level 100, while any other name receives security level 0; these levels determine which direction of traffic is allowed by default.
ciscoasa> en
Password:
ciscoasa#
ciscoasa# conf t
ciscoasa(config)# int e0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip add 11.0.0.2 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# int e0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip add 12.0.0.2 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# ex
Add a default route pointing to the carrier router and a static route for the intranet. Note that the route syntax on the ASA differs slightly from that of an IOS router.
ciscoasa(config)# route outside 0 0 12.0.0.1
ciscoasa(config)# route inside 192.168.0.0 255.255.0.0 11.0.0.1
R1
R1(config)# int f0/0
R1(config-if)# ip add 12.0.0.1 255.255.255.0
R1(config-if)# no sh
Configure loopback interface l0 to simulate the Internet:
R1(config-if)# int l0
R1(config-if)# ip add 1.1.1.1 255.255.255.255
R1(config-if)# no sh
R1(config-if)# ex
2. By default, the ASA firewall allows traffic from the inside (higher security level) to the outside, but not from the outside to the inside. To allow outside traffic to reach inside hosts, you need to configure an ACL that matches that traffic.
asa1
ciscoasa(config)# access-list test permit ip any
Apply the ACL in the inbound direction on the outside interface (that is, for traffic from outside to inside):
ciscoasa(config)# access-group test in int outside
Configure dynamic PAT on asa1 so that intranet hosts can access the Internet through the outside interface.
asa1
ciscoasa(config)# nat (inside) 1 192.168.10.0 255.255.255.0
ciscoasa(config)# nat (inside) 1 192.168.20.0 255.255.255.0
Use the address of the outside interface E0/1 as the translated address:
ciscoasa(config)# global (outside) 1 interface
Test from C1 whether R1 can be reached.
[Figure 2.png: connectivity test from C1 to R1]
Yes, it can.
Because the carrier router R1 cannot know the company's intranet addresses, to let R1 remotely manage SW1 we must configure static PAT on asa1, mapping the Telnet port of SW1 to the Telnet port of the E0/1 address.
First, configure management VLAN 1 on SW1 so that remote login is possible.
SW1
SW1(config)# int vlan 1
SW1(config-if)# ip add 192.168.8.8 255.255.255.0
SW1(config-if)# no sh
SW1(config-if)# ex
SW1(config)# line vty 0 4
SW1(config-line)# password abc
SW1(config-line)# login
Specify the default gateway:
SW1(config)# ip default-gateway 192.168.8.1
M1
M1(config)# int vlan 1
M1(config-if)# ip add 192.168.8.1 255.255.255.0
M1(config-if)# no sh
Configure the port mapping on asa1:
asa1
ciscoasa(config)# static (inside,outside) tcp interface telnet 192.168.8.8 telnet netmask 255.255.255.255
Add an entry to the ACL so that R1 is allowed to reach port 23 of the E0/1 address:
ciscoasa(config)# access-list test permit tcp 12.0.0.1 255.255.255.255 12.0.0.2 255.255.255.255 eq 23
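To make the decision path of the firewall in this lab concrete, here is an added example (not part of the original tutorial) that models how the ASA treats a TCP segment: the security-level default (inside to outside allowed, outside to inside denied), the dynamic PAT from step 2, the static PAT for Telnet, and the host-specific ACL entry above. The model assumes that a matching nat rule is required for inside traffic (nat-control), uses a simplified port allocator, and does not model the state table for return traffic; the only ACL entry it uses is the host-to-host Telnet rule.

```python
import ipaddress
from itertools import count

# Interface security levels: "nameif inside" implies 100, any other name gets 0.
SECURITY_LEVEL = {"inside": 100, "outside": 0}

# nat (inside) 1 192.168.10.0 255.255.255.0 / nat (inside) 1 192.168.20.0 255.255.255.0
# global (outside) 1 interface  -> PAT behind the outside interface address 12.0.0.2
NAT_INSIDE_NETS = [ipaddress.ip_network("192.168.10.0/24"),
                   ipaddress.ip_network("192.168.20.0/24")]
GLOBAL_OUTSIDE_IP = ipaddress.ip_address("12.0.0.2")

# static (inside,outside) tcp interface telnet 192.168.8.8 telnet netmask 255.255.255.255
STATIC_PAT = {("tcp", GLOBAL_OUTSIDE_IP, 23): (ipaddress.ip_address("192.168.8.8"), 23)}

# access-list test permit tcp host 12.0.0.1 host 12.0.0.2 eq 23 (applied inbound on outside)
ACL_OUTSIDE_IN = [("tcp", ipaddress.ip_network("12.0.0.1/32"),
                   ipaddress.ip_network("12.0.0.2/32"), 23)]

_next_port = count(1024)   # simplified PAT port allocator (assumption, not the ASA's real scheme)
xlate_table = {}           # (proto, inside_ip, inside_port) -> translated source port

def forward(ingress, proto, src, sport, dst, dport):
    """Return the firewall's decision for one TCP segment arriving on `ingress`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = "outside" if ingress == "inside" else "inside"
    if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
        # High -> low is permitted by default, but the source still needs a nat rule.
        if not any(src in net for net in NAT_INSIDE_NETS):
            return {"verdict": "drop", "reason": "no nat (inside) rule matches source"}
        key = (proto, src, sport)
        if key not in xlate_table:
            xlate_table[key] = next(_next_port)
        return {"verdict": "forward", "egress": egress, "src": str(GLOBAL_OUTSIDE_IP),
                "sport": xlate_table[key], "dst": str(dst), "dport": dport}
    # Low -> high is denied unless the inbound ACL on the outside interface permits it.
    if not any(p == proto and src in s and dst in d and dport == port
               for p, s, d, port in ACL_OUTSIDE_IN):
        return {"verdict": "drop", "reason": "denied by access-group test in int outside"}
    target = STATIC_PAT.get((proto, dst, dport))
    if target is None:
        return {"verdict": "drop", "reason": "no static translation for destination"}
    return {"verdict": "forward", "egress": egress, "src": str(src), "sport": sport,
            "dst": str(target[0]), "dport": target[1]}

if __name__ == "__main__":
    print(forward("inside", "tcp", "192.168.10.10", 40000, "1.1.1.1", 80))
    print(forward("outside", "tcp", "12.0.0.1", 50000, "12.0.0.2", 23))
    print(forward("outside", "tcp", "12.0.0.1", 50000, "12.0.0.2", 22))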
Test from R1:
R1
R1# telnet 12.0.0.2
Trying 12.0.0.2... open
User Access Verification
Password:
SW1>
SW1>
SW1>
You have successfully logged on to SW1 remotely. The experiment is complete.
This article is from the "ne Road" blog; please keep this source: http://332162926.blog.51cto.com/8831013/1571545
[Cisco Firewall] Cisco ASA firewall Enterprise Network instance