ASA Firewall (Cisco)
The role of the ASA firewall
1. To isolate dangerous (untrusted) traffic within the network.

The principle of the ASA firewall
1. Different areas are distinguished by security level: the inside area, the outside area, and the DMZ (demilitarized zone). By default:
   - traffic from a higher security level may go to a lower security level;
   - traffic from a lower security level may not go to a higher security level;
   - interfaces at the same security level do not trust each other (no traffic between them).
   Inside: default security level 100; the interface name must be unique.
   Outside: default security level 0; the interface name must be unique.
   DMZ (demilitarized zone): default security level 0; the interface name must be unique.
2. Deployment: wherever security protection is required or traffic has to be isolated.
   Classic deployment scenarios:
   Scenario 1:
   ISP-----FW----GW----core-router----core-switch
   Scenario 2:
   ISP-----GW--outside--FW--inside--core-router----core-switch
                         |
                     DMZ (server)
   Scenario 3 (two firewalls in series):
   ISP-----GW--outside--FW------FW-----core-router----core-switch
                                 |
                             DMZ (server)
3. Configuration of a firewall interface
   1. Configure the interface name (logical name): nameif xxx
   2. Configure the interface security level: security-level 0~100
   3. Configure the interface IP address: ip address xxxx
ASA traffic forwarding
1. Traffic forwarding direction
   Outbound traffic: from a high security level to a low security level.
   Inbound traffic: from a low security level to a high security level.
2. How forwarded traffic is processed (the working procedure)
   a. Only TCP and UDP traffic is tracked; all other traffic is dropped.
   b. Traffic from a high security level to a low security level: the ASA's own routing table is matched first. If there is a match, the egress interface is determined, the packet is forwarded out, and an entry is created in the conn table. If there is no match, the packet is discarded.
   c. When the return packet arrives, the conn table is checked first. If an entry exists, the routing table is checked and the packet is forwarded out. If there is no entry, the packet is discarded.
Experimental results
Ping does not pass.
Telnet passes.
To allow ping, apply an ACL that permits the echo reply on the interface through which the reply comes back in.
Validation commands:
ASA:
show interface ip brief          <--- view the status and IP address of each interface
show route                       <--- view the routing table on the ASA
show run interface Gi0           <--- view the configuration of one interface
ASA(config)# clear config all    <--- clear the running configuration
Router:
show ip interface brief
show ip route
Comparison of ACLs and the conn table
Basic experimental environment:
Inside security level: -
Outside security level: 0
DMZ security level: -
R1 can telnet to R2 and R4; R4 can telnet to R2.
1. Apply an ACL on interface E2 that allows R4 to access R1. Without it, R4 cannot reach R1 and no conn entry is formed.
ASA(config)# access-list R1 permit tcp host 192.168.3.1 host 192.168.1.1 eq
ASA(config)# access-group R1 in interface DMZ
Before R4 telnets to R1:
asa# show conn
0 in use, 1 most used
R4 telnets to R1:
dmz#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Password:
inside>enable
Password:
inside#
After the telnet (show conn again):
1 in use, 2 most used
TCP DMZ 192.168.3.1:21477 inside 192.168.1.1:23, idle 0:00:54, bytes 163, flags UIOB
Conclusion: for the flow that initiates the connection, whether from high to low or from low to high, if the ingress interface has an ACL permit rule, the ASA looks up the routing table, determines the egress interface, forwards the packet, and creates the conn entry. (Note the order; it does not change.)
2. R1 can telnet to R2.
   a. Even if a deny ACL is applied outbound on E0, the telnet still passes.
   b. Even if a deny ACL is applied inbound on E1, the telnet still passes.
ASA(config)# access-list Gdtel deny tcp host 192.168.1.1 eq 23 host 192.168.2.1    (note the port: this matches the returning data)
ASA(config)# access-list Gdtel permit ip any any    (cancels the effect of the implicit deny at the end of the ACL)
ASA(config)# access-group Gdtel in interface outside    (apply inbound)
ASA(config)# access-group Gdtel out interface inside    (apply outbound)
inside#telnet 192.168.2.1
Trying 192.168.2.1 ... Open
outside>enable
Password:
outside#
Conclusion: as long as the flow originates from the high security level and a conn entry has been formed, the returning data effectively carries a "free pass": it is not dropped by the ACL.
3. R1 can telnet to R2.
   a. If a deny ACL is applied inbound on E0, the telnet does not pass.
   b. If a deny ACL is applied outbound on E1, the telnet does not pass.
Conclusion: for condition a, the result is inevitable (the deny is hit on the ingress interface). For condition b, the telnet also fails, and no conn entry is formed.
Reason: if the deny ACL is applied outbound on E1, the data can enter the ASA; the routing table is consulted, it contains the path for R1 telnetting to R2, and that determines the egress interface; the ASA then checks whether that interface has an ACL, finds the outbound ACL, and drops the data directly, so no conn entry is formed.
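The forwarding procedure described above (route lookup, security levels, conn table) and the three ACL experiments, modelled together in Python. This is an added example, not part of the original notes: addresses and interface names follow the lab, while the DMZ security level (50) and the client port (21477) are assumptions.

```python
# Added example (not from the original notes): a Python model of the ASA forwarding rules
# described above. Addresses follow the lab; the DMZ security level (50) is assumed.
from dataclasses import dataclass, field

@dataclass
class Asa:
    ifaces: dict                               # interface name -> security level
    routes: dict                               # destination host -> egress interface
    acls: dict = field(default_factory=dict)   # (iface, "in"/"out") -> [(action, src, dst, dport)]
    conn: set = field(default_factory=set)     # tracked flows (proto, src, sport, dst, dport)

    def _acl(self, iface, direction, src, dst, dport):
        rules = self.acls.get((iface, direction))
        if rules is None:
            return None                        # nothing bound: security levels decide
        for action, s, d, p in rules:
            if s in (src, "any") and d in (dst, "any") and p in (dport, "any"):
                return action == "permit"
        return False                           # implicit deny at the end of every ACL

    def forward(self, ingress, proto, src, sport, dst, dport):
        if proto not in ("tcp", "udp"):
            return "drop: only tcp/udp are tracked"   # why plain ping fails in the lab
        egress = self.routes.get(dst)
        if egress is None:
            return "drop: no route"
        # return packet: conn table first, then route; ACLs on the way back are skipped
        if (proto, dst, dport, src, sport) in self.conn:
            return "forward: conn table hit"
        verdict = self._acl(ingress, "in", src, dst, dport)
        if verdict is None:
            verdict = self.ifaces[ingress] > self.ifaces[egress]  # high -> low only
        if not verdict:
            return "drop: ingress policy"             # no conn entry is created
        if self._acl(egress, "out", src, dst, dport) is False:
            return "drop: egress acl"                 # dropped after routing, no conn entry
        self.conn.add((proto, src, sport, dst, dport))
        return "forward: conn entry created"

def build_lab():
    """R1 (192.168.1.1) on inside, R2 (192.168.2.1) on outside, R4 (192.168.3.1) on the DMZ."""
    return Asa({"inside": 100, "outside": 0, "dmz": 50},
               {"192.168.1.1": "inside", "192.168.2.1": "outside", "192.168.3.1": "dmz"})

def telnet_with_return(asa, ingress, src, dst):
    """Client SYN to port 23 plus the server's reply; returns both verdicts."""
    out = asa.forward(ingress, "tcp", src, 21477, dst, 23)
    back = asa.forward(asa.routes[dst], "tcp", dst, 23, src, 21477)
    return out, back
```

Binding a deny on the return path (experiment 2) leaves the reply untouched because the conn lookup happens before any ACL, while a deny on the initiating path (experiment 3) drops the packet before an entry exists.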
ASA application: PNAT
A new configuration style in the system after version 8.4.
PNAT
Intranet accessing the external network:
ASA(config)# object network NAT    (the object name is arbitrary; this defines an object of type network for NAT)
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0    (equivalent to defining the matching traffic, as an ACL would)
ASA(config-network-object)# nat (inside,outside) dynamic interface    (inside = intranet interface, outside = extranet interface; equivalent to applying the ACL)