I. The ASA security algorithm
1) The ASA is a stateful firewall. It keeps a connection table, called the conn table, that records the state of each user connection. The key fields in the table are:
Source IP Address
Destination IP address
IP protocol (only TCP and UDP are tracked; stateful inspection is not performed on ICMP)
IP protocol information (TCP and UDP port numbers, TCP sequence numbers, and TCP control bits)
2) How the security algorithm works
Raw packet ---> ACL ---> XLATE / conn ---> application layer inspection ---> returned packet
When a new packet arrives at the ASA, the ASA first checks the ACL to decide whether the packet is permitted. If it is, the packet passes through the connection table (conn) and a new entry is created for it. The packet is then checked at the application layer and, if it passes, forwarded to the target host. When the target host responds, the ASA receives the returned packet and inspects it: if it matches the information recorded in the conn table, the returned packet is passed.
II. Basic configuration of the ASA
1) Log on to the firewall
As with other Cisco devices, you can connect to the firewall through the console port (the initial privileged-mode password is empty, and remote connection is enabled).
2) Configure the interfaces and IP addresses
The network is divided into three areas: inside (the intranet), outside (the Internet), and dmz (the server security zone).
The intranet can access the Internet and the dmz server (web); the Internet can access the dmz server (web).
The dmz server opens ports 80, 21, and 3389.
3) Configure remote connection between the router and the PCs
VTY access is configured for each PC to facilitate the tests below.
By default, access from a high-security interface to a low-security interface is allowed.
Access from a low security level to a high security level is denied. For example, outside cannot access inside, because outside has the lowest level; to allow it, you must configure an ACL.
Communication between interfaces of the same security level is prohibited.
Use pc1 in the inside area to access pc3 in the outside area.
Use pc3 in the outside area to access pc1 in the inside area.
Access is not allowed, because access from a lower security level is denied by default. After the ACL below is configured, access is allowed.
pc1 and pc3 are now connected.
View the conn table.
Conclusion: an ACL on the ASA serves two purposes: 1. allowing inbound connections, and 2. controlling outbound connection traffic.
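The following Python model is an added example, not code from the original article: it reproduces the behaviour tested above (conn table keyed on the fields from section I, default security-level rules, and an ACL bound inbound on an interface). The interface names, security levels, addresses and the route table are constructed for illustration.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:
    ifc: str      # ingress interface
    proto: str    # "tcp" or "udp": the protocols the conn table tracks
    src: str
    sport: int
    dst: str
    dport: int

class Asa:
    """Model of the security algorithm: conn table, inbound ACL, security levels."""
    def __init__(self, levels, routes):
        self.levels = levels                              # interface -> security level
        self.routes = {ipaddress.ip_network(n): i for n, i in routes.items()}
        self.acl = {}                                     # interface -> [(src, dst)]
        self.conn = set()                                 # (proto, src, sport, dst, dport)

    def permit(self, ifc, src, dst):
        """Equivalent of an access-list entry applied inbound on ifc."""
        self.acl.setdefault(ifc, []).append((src, dst))

    def _egress(self, dst):
        a = ipaddress.ip_address(dst)
        return next(i for n, i in self.routes.items() if a in n)

    def _allowed(self, p):
        if p.ifc in self.acl:   # an ACL on the ingress interface replaces the defaults
            return (p.src, p.dst) in self.acl[p.ifc]
        # Defaults: high -> low permitted; low -> high and equal levels denied.
        return self.levels[p.ifc] > self.levels[self._egress(p.dst)]

    def forward(self, p):
        """Return 'conn' (matched an existing connection), 'new' (admitted and
        recorded in the conn table) or 'deny'."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.conn or reverse in self.conn:
            return "conn"          # return traffic is admitted by the conn entry, no ACL needed
        if not self._allowed(p):
            return "deny"
        self.conn.add(key)
        return "new"
```

The model shows why pc1 reaching pc3 needs no ACL (the reply matches the conn entry) while pc3 reaching pc1 needs a permit entry on the outside interface.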
3) Dynamic NAT (used for client hosts)
Specify the network whose addresses are to be translated:
asa(config)# nat (inside) 1 10.0.0.0 255.255.255.0
Define the global address pool:
asa(config)# global (outside) 1 200.0.0.1-200.0.0.10
To apply dynamic NAT to all network segments in the inside area:
asa(config)# nat (inside) 1 0 0
4) Dynamic PAT
Specify the network whose addresses are to be translated:
asa(config)# nat (inside) 1 10.0.0.0 255.255.255.0
asa(config)# global (outside) 1 202.106.1.1
You can also use the IP address of the outside interface itself for translation:
asa(config)# global (outside) 1 interface
5) Static NAT (publishes an intranet server; the servers are located in the dmz zone)
Format: static (source interface, target interface) target address source address (the target address is the mapped public address, the source address is the server's real address)
asa(config)# static (dmz,outside) 201.10.10.10 192.168.2.2
asa(config)# access-list out_to_dmz permit ip host 172.16.16.2 host 201.10.10.10
asa(config)# access-group out_to_dmz in interface outside
The point to note is that the destination address in the ACL is the mapped address 201.10.10.10, not the real address 192.168.2.2. Static NAT is a fixed one-to-one mapping, so a server published this way can both respond to connections from Internet clients and accept connections initiated from the Internet.
6) Static PAT (multiple servers share one public IP address on different ports and are published to the Internet)
Format: static (source interface, target interface) {tcp | udp} target address target port source address source port
asa(config)# static (dmz,outside) tcp 201.10.10.10 80 192.168.2.2 80
asa(config)# access-list out_to_dmz permit ip host 172.16.16.2 host 201.10.10.10
asa(config)# access-group out_to_dmz in interface outside
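The following Python model is an added example, not the article's own code, covering both the static NAT of section 5 and the static PAT of section 6: it builds translation entries from the static statements, matches the outside ACL against the mapped (global) address as the article points out, and then rewrites the destination to the real address. Addresses and ports are the ones from the article; the function names and the "no-xlate" verdict are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Static:
    """One 'static (real_ifc,mapped_ifc) ...' statement. proto=None means
    static NAT (all ports); otherwise it is static PAT for a single port."""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str
    proto: str = None
    mapped_port: int = None
    real_port: int = None

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def untranslate(statics, p):
    """Inbound lookup (mapped -> real): rewrite the destination, or None if no static covers it."""
    for s in statics:
        if s.mapped_ip != p.dst:
            continue
        if s.proto is None:                                  # static NAT: every port
            return replace(p, dst=s.real_ip)
        if s.proto == p.proto and s.mapped_port == p.dport:  # static PAT: one port
            return replace(p, dst=s.real_ip, dport=s.real_port)
    return None

def translate_reply(statics, p):
    """Outbound rewrite (real -> mapped) of the server's reply source."""
    for s in statics:
        if s.real_ip != p.src:
            continue
        if s.proto is None:
            return replace(p, src=s.mapped_ip)
        if s.proto == p.proto and s.real_port == p.sport:
            return replace(p, src=s.mapped_ip, sport=s.mapped_port)
    return None

def inbound(statics, acl, p):
    """Outside-to-dmz path: the ACL (a set of (src, dst) host pairs) is matched
    against the mapped address; only then does the xlate rewrite the destination."""
    if (p.src, p.dst) not in acl:
        return ("deny", None)
    real = untranslate(statics, p)
    return ("permit", real) if real else ("no-xlate", None)
```

With only the port-80 static PAT in place, a connection to port 21 of the public address reaches the ACL but has no translation, which is why each published port needs its own static statement.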