51CTO下载-CISCO防火墙培训

ziyuninglu
1 ℃
2020-01-29

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

CISCO防火墙配置培训防火墙模式firewall用户模式基本检查功能firewall#特权模式所有的检查权限，测试权限安装模式初始提示安装界面firewall(config)#配置模式命令配置状态在配置的子系统里其它模式firewall(config-mode)#只引导了BOOT，没有引导操作系统的状态。rommonRommon模式模式切换firewall(config)#firewallfirewall#Firewall#configtermFirewall(config)#:::Firewall(config)#(commands)Firewall(config)#Firewall(config)#exitFirewall#•用户模式•特权模式•配置模式FirewallenablePassword:xxxxxxFirewall#Firewall#(commands)Firewall#Firewall#exitFirewall密码的设置enablepasswordpasswordpasswdpasswordfirewall（config)#–特权密码–telnet访问密码firewall(config)#基本命令telnet命令（远程登陆）firewall(config)#–开启哪些用户从哪个端口的TELNET功能telnetip_address[netmask][if_name]如：telnet172.16.1.48255.255.255.248insidehttp命令（WEB访问）firewall(config)#–规定能WEB访问的地址段httpip_address[netmask][if_name]httpserverenablefirewall(config)#–打开WEB访问服务hostnameandping命令firewall(config)#hostnameproteus•hostnamecommandhostnamenewname•pingcommandping[if_name]ip_addressfirewall(config)#firewall(config)#show命令•Thefollowingareshowcommands:–showhistory–showmemory–showversion–showxlate–showcpuusage–Showrunning-configshow?Show命令例子firewall#showinterfaceoutsideinterfaceethernet0“outside”isup,lineprotocolisuphardwareisi82557ethernet,addressis0060.7380.2f16ipaddress192.168.0.2,subnetmask255.255.255.0MTU1500bytes,BW1000000Kbithalfduplex1184342packetsinput,1222298001bytes,0nobufferreceived26broadcasts,27runts,0giants4inputerrors,0crc,4frame,0overrun,0ignored,0abort1310091packetsoutput,547097270bytes,0underruns0unicastrpfdrops0outputerrors,28075collisions,0interfaceresets0babbles,0latecollisions,117573deferred0lostcarrier,0nocarrierinputqueue(curr/maxblocks):hardware(128/128)software(0/1)outputqueue(curr/maxblocks):hardware(0/2)software(0/1)firewall#showipaddressBuildingconfiguration……SystemIPAddresses:ipaddressoutside192.168.0.2255.255.255.0ipaddressinside10.0.0.1255.255.255.0ipaddressdmz172.16.0.1255.255.255.0CurrentIPAddresses:ipaddressoutside192.168.0.2255.255.255.0ipaddressinside10.0.0.1255.255.255.0ipaddressdmz172.16.0.1255.255.255.0安全级别InternetFirewallOutsidenetworke0•Securitylevel0•Interfacename=outsidePerimeternetworke2•Securitylevel50•Interfacename=DMZInsidenetworke1•Securitylevel100•Interfacename=insidee0e1e2六个主要命令ASA系统主要命令–nameif–interface–ipaddress–nat–global–route命令1:nameifnameifhardware_idif_namesecurity_levelfirewall(config)#firewall(config)#nameifethernet2vpnsidesec4–Nameif命令：给端口定一个名称与安全级别.命令2:interfaceinterfacehardware_idhardware_speedfirewall(config)#–interface命令：定义端口的类型与能力。nimbleASA(config)#interfacegigabitEthernet0/0nimbleASA(config-if)#duplexfullnimbleASA(config-if)#speed1000•外部、内部定义为1000Mbps、full-duplex端口。命令3:ipaddressipaddressif_nameip_address[netmask]firewall(config)#–ipaddress命令：给端口分配IP。nimbleASA(config)#interfacegigabitEthernet0/1nimbleASA(config-if)#ipaddress172.30.0.5255.255.255.0命令4:natnat[(if_name)]nat_idlocal_ip[netmask]firewall(config)#–nat命令：定义对外要保护的内部IP.firewall(config)#nat(inside)10.0.0.00.0.0.0命令5:global–与NAT命令一起使用，内部保护的IP对外访问时所代替的IP（公有）。firewall(config)#nat(inside)10.0.0.00.0.0.0firewall(config)#global(outside)1192.168.0.20-192.168.0.254firewall(config)#global[(if_name)]nat_id{global_ip[-global_ip][netmaskglobal_mask]}|interface•定义用内部在访问INTERNET时所用的转换的公有IP范围：192.168.0.20–192.168.0.254NATExample2310.0.0.349090SourceportDestinationaddrSourceaddrDestinationport200.200.200.1049090SourceportDestinationaddrSourceaddrDestinationport192.168.0.20200.200.200.1023InternetTranslationtable10.0.0.3192.168.0.20InsideOutsideInsideLocalIPAddressGlobalIPPool10.0.0.310.0.0.4192.168.0.20192.168.0.21命令6:routerouteif_nameip_addressnetmaskgateway_ip[metric]pixfirewall(config)#–route定义某端口的静态或默认路由。.pixfirewall(config)#routeoutside0.0.0.00.0.0.0192.168.0.11static命令firewall(config)#static(internal_if_name，external_if_name)outside_ip_addressinside_ip_address•其中internal_if_name表示内部网络接口，安全级别较高，如inside。external_if_name为外部网络接口，安全级别较低，如outside等。outside_ip_address为正在访问的较低安全级别的接口上的ip地址。inside_ip_address为内部网络的本地ip地址。firewall(config)#static(inside,outside)192.168.0.1010.0.0.3netmask255.255.255.2550010.0.0.3192.168.0.1192.168.0.210.0.0.1FirewallPerimeterrouter•Packetsentfrom10.0.0.3hasasourceaddressof192.168.0.10•PermanentlymapsasingleIPaddress•RecommendedforinternalservicehostsPortRedirectionExampleInternet172.16.0.2WebServer192.168.0.1192.168.0.210.0.0.1FirewallPerimeterrouterfirewall(config)#static(inside,outside)tcpinterfacetelnet10.0.0.4telnetnetmask255.255.255.25500firewall(config)#static(inside,outside)tcp192.168.0.98080172.16.0.2:8080NoNetworkAddressTranslation(nat0)firewall(config)#nat(inside)0192.168.0.9255.255.255.255firewall(config)#shownatnat0192.168.0.9willbenon-translated•nat0ensuresthat192.168.0.9isnottranslated.•ASAremainsineffectwithnat0.192.168.0.9192.168.0.1192.168.0.2PIXFirewallPerimeterrouter10.0.0.1VPN的理论基础1、为IPSec做准备为IPSec做准备涉及到确定详细的加密策略，包括确定我们要保护的主机和网络，选择一种认证方法，确定有关IPSec对等体的详细信息，确定我们所需的IPSec特性，并确认现有的访问控制列表允许IPSec数据流通过；步骤1：根据对等体的数量和位置在IPSec对等体间确定一个IKE（IKE阶段1，或者主模式）策略；步骤2：确定IPSec（IKE阶段2，或快捷模式）策略，包括IPSec对等体的细节信息，例如IP地址及IPS