2012-05-08 14:12:54
http://skybird.blog.51cto.com/896558/614682
1.1 ASA 5505 Default Configuration
interface Ethernet 0/0
switchport access vlan 2
no shutdown
interface Ethernet 0/1
switchport access vlan 1
no shutdown
interface Ethernet 0/2
switchport access vlan 1
no shutdown
interface Ethernet 0/3
switchport access vlan 1
no shutdown
interface Ethernet 0/4
switchport access vlan 1
no shutdown
interface Ethernet 0/5
switchport access vlan 1
no shutdown
interface Ethernet 0/6
switchport access vlan 1
no shutdown
interface Ethernet 0/7
switchport access vlan 1
no shutdown
interface vlan2
nameif outside
no shutdown
ip address dhcp setroute
interface vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100
no shutdown
object network obj_any
subnet 0 0
nat (inside,outside) dynamic interface
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd auto_config outside
dhcpd enable inside
Notes: 1. Two VLANs, 1 and 2: e0/1-e0/7 are in VLAN 1, e0/0 is in VLAN 2.
2. DHCP is enabled with the pool 192.168.1.2-1.254; a DHCP client obtains an address from this pool and at the same time receives a default route pointing to SVI 1.
3. HTTP is enabled, so the box can be managed directly through ASDM.
4. All Inside addresses are translated with a single PAT.
1.2 ASA 5510 Default Configuration
interface management 0/0
ip address 192.168.1.1 255.255.255.0
nameif management
security-level 100
no shutdown
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
Notes: 1. By default management 0/0 has IP address 192.168.1.1.
2. DHCP and HTTP are enabled.
3. A management host can manage the ASA 5510 through this interface.
1.3 ASA Initial Configuration
Preset (lab router configuration)
Outside
interface FastEthernet0/0
no shut
ip address 202.100.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 202.100.1.10
line vty 0 5
no login
Inside
interface FastEthernet0/0
no shut
ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.10
line vty 0 5
no login
DMZ
interface FastEthernet0/0
no shut
ip address 172.16.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.1.10
line vty 0 5
no login
Basic ASA initialization
When an ASA is started for the first time (connect a console cable to the ASA console port), it asks whether you want to configure the ASA by following the prompts.
Cryptochecksum (changed): d41d8cd9 8f00b204 e9800998 ecf8427e
Pre-configure Firewall now through interactive prompts [yes]?
If you answer Y, you configure the ASA through the prompts; you can also press Ctrl+Z to exit.
ciscoasa>
ciscoasa> enable    Type enable and press Enter; the default password is empty.
Password:
ciscoasa#
ciscoasa(config)# hostname ASA    Configure the hostname.
ASA(config)# interface e0/0
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
Note: the nameif command assigns a name to interface e0/0. The security level defaults to 0. Security levels range from 0 to 100:
an interface named inside defaults to 100, all others default to 0. The level can be set with the security-level command; the higher the number, the more trusted the interface.
ASA(config-if)# no shutdown
ASA(config-if)# ip add 202.100.1.10 255.255.255.0
Test 1: traffic the ASA allows and denies by default
ASA(config)# pin 202.100.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/40 ms
ASA(config)# ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA(config)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/20 ms
Note: OS 8.4 added TCP ping.
Inside#telnet 202.100.1.1
Trying 202.100.1.1 ... Open
Outside>
Inside#telnet 172.16.1.1
Trying 172.16.1.1 ... Open
DMZ>
DMZ#telnet 202.100.1.1
Trying 202.100.1.1 ... Open
Outside>
DMZ#192.168.1.1
Trying 192.168.1.1 ...
Outside#192.168.1.1
Trying 192.168.1.1 ...
Outside#172.16.1.1
Trying 172.16.1.1 ...
Note: because of the ASA's security algorithm, outbound traffic is allowed by default and inbound traffic is denied by default.
Outbound: from a higher-security-level interface to a lower-security-level interface.
Inbound: from a lower-security-level interface to a higher-security-level interface.
ASA(config)# sh conn detail
2 in use, 4 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, q - SQL*Net data,
R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
X - inspected by service module
TCP DMZ:172.16.1.1/23 Inside:192.168.1.1/14402 flags UIO
TCP outside:202.100.1.1/23 Inside:192.168.1.1/58727 flags UIO
ASA(config)# clear local-host    Clears the stateful table entries.
Test 2: Ping
Inside#ping 202.100.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Outside#debug ip icmp
ICMP packet debugging is on
*Mar 1 00:37:18.091: ICMP: echo reply sent, src 202.100.1.1, dst 192.168.1.1
*Mar 1 00:37:18.099: ICMP: echo reply sent, src 202.100.1.1, dst 192.168.1.1
*Mar 1 00:37:20.095: ICMP: echo reply sent, src 202.100.1.1, dst 192.168.1.1
*Mar 1 00:37:20.099: ICMP: echo reply sent, src 202.100.1.1, dst 192.168.1.1
*Mar 1 00:37:22.095: ICMP: echo reply sent, src 202.100.1.1, dst 192.168.1.1
Analysis: routing and interfaces are both fine, so why does the ping fail?
1. By default the ASA maintains state only for TCP/UDP traffic passing through it; it does not maintain state for ICMP.
2. The traffic initiated from the outbound side does reach the inbound side; only the returning echo reply is dropped by the ASA. This shows that the ASA's
default policy is still in effect.
3. We can fix this with inspection or with an ACL.
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
Inside#ping 202.100.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.1, timeout is 2 seconds:
!!!!!
ASA# sh conn
1 in use, 4 most used
ICMP out 202.100.1.1:0 in 172.16.1.1:3 idle 0:00:01 bytes 360
Note: by default ICMP state is kept for 2ms.
Outside#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Note: ICMP is now inspected, so why does traffic initiated from the inbound direction still fail? Because the ASA still controls the traffic that initiates a flow: inspection only lets the replies back in, it does not permit inbound-initiated flows.
ASA(config)# access-list out_acl permit icmp any any
ASA(config)# access-group out_acl in interface outside
Note: the syntax is access-group <ACL name> <direction> interface <interface name>.
Outside#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/20 ms
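The following Python model is an added example, not part of the original post, that reproduces the decisions seen in tests 1 and 2: a flow may start from a higher security level to a lower one, return traffic is let back in only when a connection entry exists, ICMP gets an entry only once inspect icmp is on, and an ACL applied with access-group on an interface replaces the level-based default for traffic entering that interface. The ToyAsa and Packet names are this example's own; the addresses and interface names are the lab values from the post, and the DMZ level of 50 is an assumption (the post never shows it).

```python
from dataclasses import dataclass

# Security levels: inside=100 and outside=0 are the ASA defaults the post
# relies on; dmz=50 is an assumption, the post never shows the DMZ level.
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Packet:
    in_ifc: str     # interface the packet arrives on
    out_ifc: str    # interface the route lookup would send it out of
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # for icmp: the echo identifier (0 on the reply side)
    dport: int = 0


class ToyAsa:
    """Models the new-flow decision and the connection table of the ASA."""

    def __init__(self, inspect_icmp=False):
        self.inspect_icmp = inspect_icmp   # True once "inspect icmp" is configured
        self.acls = {}                     # ifc -> list of (proto, src, dst) permits
        self.conns = set()                 # (proto, src, sport, dst, dport) flows

    def access_group(self, ifc, permits):
        # "access-group X in interface ifc": the ACL (with its implicit deny)
        # now decides for every flow entering ifc, replacing the level default.
        self.acls[ifc] = list(permits)

    def _acl_permits(self, ifc, pkt):
        return any(proto in ("ip", pkt.proto) and src in ("any", pkt.src)
                   and dst in ("any", pkt.dst)
                   for proto, src, dst in self.acls[ifc])

    def forward(self, pkt):
        """Return (allowed, reason) for one packet and update the conn table."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.conns:          # return traffic of a tracked flow
            return True, "matches existing connection"
        if pkt.in_ifc in self.acls:
            allowed = self._acl_permits(pkt.in_ifc, pkt)
            reason = "permitted by ACL" if allowed else "denied by ACL"
        elif LEVELS[pkt.in_ifc] > LEVELS[pkt.out_ifc]:
            allowed, reason = True, "outbound (high to low) allowed by default"
        else:
            allowed, reason = False, "inbound (low to high) denied by default"
        # TCP/UDP get a conn entry by default; ICMP only with inspect icmp.
        if allowed and (pkt.proto != "icmp" or self.inspect_icmp):
            self.conns.add(key)
        return allowed, reason


def scenario(inspect_icmp=False, outside_acl=None):
    """Replay the post's tests 1 and 2 in order; returns {step: allowed}."""
    asa = ToyAsa(inspect_icmp)
    if outside_acl is not None:
        asa.access_group("outside", outside_acl)
    steps = [
        ("inside telnet SYN to outside",
         Packet("inside", "outside", "tcp", "192.168.1.1", "202.100.1.1", 58727, 23)),
        ("outside SYN/ACK back to inside",
         Packet("outside", "inside", "tcp", "202.100.1.1", "192.168.1.1", 23, 58727)),
        ("outside telnet SYN to inside",
         Packet("outside", "inside", "tcp", "202.100.1.1", "192.168.1.1", 40000, 23)),
        ("inside echo to outside",
         Packet("inside", "outside", "icmp", "192.168.1.1", "202.100.1.1", sport=1)),
        ("outside echo reply back to inside",
         Packet("outside", "inside", "icmp", "202.100.1.1", "192.168.1.1", dport=1)),
        ("outside echo to inside",
         Packet("outside", "inside", "icmp", "202.100.1.1", "192.168.1.1", sport=7)),
    ]
    return {name: asa.forward(pkt)[0] for name, pkt in steps}


if __name__ == "__main__":
    runs = [("default policy", {}),
            ("inspect icmp", {"inspect_icmp": True}),
            ("inspect icmp + out_acl", {"inspect_icmp": True,
                                        "outside_acl": [("icmp", "any", "any")]})]
    for label, kw in runs:
        print(label)
        for step, ok in scenario(**kw).items():
            print(f"  {'allow' if ok else 'drop':5} {step}")
```

The three runs correspond to the three states of the post: with the default policy the echo reply from outside is dropped, after inspect icmp it is accepted because the echo created a connection entry, and only the ACL on outside lets an outside-initiated echo in, while an outside-initiated telnet is still denied because the ACL permits only ICMP.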
Test 3: configuring static routes and dynamic routing protocols
ASA(config)# route outside 0 0 202.100.1.1
ASA(config)# route inside 2.2.2.2 255.255.255.255 192.168.1.1
ASA(config)# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA(config)# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
ASA(config)# route inside 2.2.2.2 255.255.255.255 192.168.4.1
ERROR: ERROR: The maximum number of equal cost routes allowed is 3
ERROR: Cannot add route entry, possible conflict with existing routes
Note: the ASA supports at most three static routes to the same destination through the same egress interface, used for load balancing.
S 2.2.2.2 255.255.255.255 [1/0] via 192.168.1.1, Inside
[1/0] via 192.168.2.1, Inside
[1/0] via 192.168.3.1, Inside
ASA(config)# router ?
configure mode commands/options:
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
ASA(config)# router ospf 100
ASA(config-router)# network 202.100.1.0 255.255.255.0 ar 0
ASA(config)# router eigrp 100
ASA(config-router)# no auto-summary
ASA(config-router)# net 192.168.1.0 255.255.255.0
ASA(config)# router rip
ASA(config-router)# version 2
ASA(config-router)# net 172.16.1.0
Note: on the ASA all masks are normal subnet masks, not wildcard masks.
O 1.1.1.1 255.255.255.255 [110/11] via 202.100.1.1, 0:01:06, outside
D 2.2.2.0 255.255.255.0 [90/128768] via 192.168.1.1, 0:01:00, Inside
R 3.3.3.0 255.255.255.0 [120/1] via 172.16.1.1, 0:00:09, DMZ
Test 4: configuring NTP
1. Setting the time manually
ASA(config)# clock timezone GTM 8
ASA(config)# clock set 11:10:10 Aug 23 2010
2. NTP configuration
ASA(config)#ntp authentication-key 1 md5 cisco123
ASA(config)#ntp authenticate
ASA(config)#ntp trusted-key 1
ASA(config)#ntp server 192.168.1.1 key 1
Note: the ASA can only act as an NTP client, not as an NTP server.
Test 5: configuring syslog
ASA(config)# logging enable    Disabled by default; on routers and switches logging is enabled by default.
ASA(config)#logging timestamp
ASA(config)#logging trap errors
ASA(config)#logging host Inside 172.16.1.1
Test 6: local management of the ASA
1. Telnet
ASA(config)# telnet 0.0.0.0 0.0.0.0 Inside
ASA(config)# telnet 172.16.1.1 255.255.255.255 DMZ
Test
Inside#telnet 192.168.1.10
Trying 192.168.1.10 ... Open
User Access Verification
Password:
Type help or '?' for a list of available commands.
ASA>
Note: the ASA can only act as a Telnet server, not as a Telnet client. The default Telnet
password is cisco and can be changed with the passwd command; the default enable password is empty and can be changed with the
enable password command. The lowest-security-level interface, such as Outside, does not support Telnet.
ASA(config)# username telnet password cisco
ASA(config)# aaa authentication telnet console LOCAL
Test
Inside#telnet 192.168.1.10
Trying 192.168.1.10 ... Open
User Access Verification
Username: telnet
Password: *****
Type help or '?' for a list of available commands.
ASA>
ASA(config)# who
0: 192.168.1.1
ASA(config)# kill 0
Note: the who command shows Telnet session information and the kill command clears a Telnet session. By default the ASA
supports up to 5 Telnet sessions, and the default timeout is 5 minutes.
2. SSH
ASA(config)# hostname ASA
ASA(config)# domain-name cisco.com
ASA(config)# crypto key generate rsa
INFO: The name for the keys will be:
Keypair generation process begin. Please wait.
ASA(config)# ssh 0 0 inside
ASA(config)# ssh 202.100.1.1 255.255.255.255 outside
Test
Outside#ssh -l pix 202.100.1.10
Password:
Type help or '?' for a list of available commands.
ASA>
Note: the default SSH username is pix and the password is cisco; the password can be changed with the passwd command. The default enable password is empty and can be changed with the enable password command.
ASA(config)# sh ssh sessions
SID Client IP Version Mode Encryption Hmac State Username
0 202.100.1.1 1.99 IN aes128-cbc sha1 SessionStarted pix
OUT aes128-cbc sha1 SessionStarted pix
ASA(config)# ssh disconnect 0
Note: sh ssh sessions shows SSH session information and ssh disconnect clears an SSH session. By default the ASA supports up to 5 SSH sessions; the timeout can be changed with the ssh timeout command. For the ASA to support 3DES encryption for SSH, the corresponding license is required.
ASA(config)# username ccie password cisco
ASA(config)# aaa authentication ssh console LOCAL
Inside#ssh -l ccie 192.168.1.10
Password:
Type help or '?' for a list of available commands.
ASA>
3. ASDM
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.1(5)
Note: a factory ASA already has ASDM loaded in flash. The ASDM version number must be greater than or equal to the ASA OS version minus 2.
ASA(config)# hostname ASA
ASA(config)# domain-name cisco.com
ASA(config)# crypto key generate rsa
INFO: The name for the keys will be:
Keypair generation process begin. Please wait.
ASA(config)# enable password cisco123
ASA(config)# http server enable
ASA(config)# http 0 0 outside
ASA(config)# username asdm password cisco123
ASA(config)# aaa authentication http console LOCAL
Test
Note: the management PC needs Java installed. The latest OS, 8.4, requires Java 6.1.
Because file uploads are restricted, some images could not be uploaded.
Common troubleshooting commands
ASA(config)# ping
ASA(config)# traceroute
ASA(config)# capture telnet interface outside
ASA(config)# show capture telnet
254 packets captured
1: 07:49:31.313063 802.3 encap packet
2: 07:49:33.354382 802.3 encap packet
3: 07:49:33.434334 192.168.1.1 > 224.0.0.10: ip-proto-88, length 40
4: 07:49:35.323378 802.3 encap packet
ASA(config)# no capture telnet    Stops the capture.
ASA(config)# capture telnet access-list OUT    An ACL can also be used to capture only the matching traffic.
ASA(config)# packet-tracer input inside tcp 192.168.1.1 2000 202.100.1.1 23
Note: packet-tracer simulates a packet's path through the ASA so we can analyze how it is handled.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 202.100.1.0 255.255.255.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 474, packet dispatched to next module
Phase: 7
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 202.100.1.1 using egress ifc outside
adjacency Active
next-hop mac address c200.0480.0000 hits 44
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
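To read packet-tracer output quickly when troubleshooting, here is an added Python parser (not from the post) that splits the output into its phases and reports either the allow result or the first phase that dropped the packet. SAMPLE_ALLOW is the post's own output from above condensed to three of its phases; SAMPLE_DROP is a constructed trace of the same format in which the ACL on the outside interface drops the packet, and its Drop-reason line uses the form the ASA prints for an ACL deny. The function names are this example's own.

```python
# Constructed samples. SAMPLE_ALLOW is the post's packet-tracer output
# condensed to three phases; SAMPLE_DROP is made up for this example.
SAMPLE_ALLOW = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 202.100.1.0 255.255.255.0 outside

Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 474, packet dispatched to next module

Result:
input-interface: Inside
output-interface: outside
Action: allow
"""

SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 Inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
output-interface: Inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into phases plus the final action."""
    phases, current, section = [], None, None
    out = {"phases": phases, "action": None, "drop_reason": None, "drop_phase": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":                # "Phase: N" opens a new phase block
            current = {"phase": int(value), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif key == "Action":
            out["action"] = value.lower()
        elif key == "Drop-reason":
            out["drop_reason"] = value
        elif key == "Result" and not value:
            current = None                # bare "Result:" starts the summary block
        elif current is None:
            continue                      # input-interface etc.: not needed here
        elif key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value.upper() if key == "Result" else value
        elif key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"
        elif section:                     # free-form lines under Config/Info
            current[section].append(line)
    for ph in phases:                     # first phase that dropped the packet
        if ph["result"] == "DROP":
            out["drop_phase"] = ph["phase"]
            break
    return out


def summarize(text):
    """One-line verdict: where and why a packet was dropped, or that it passed."""
    r = parse_packet_tracer(text)
    if r["action"] == "allow":
        return f"allow after {len(r['phases'])} phases"
    bad = [p for p in r["phases"] if p["phase"] == r["drop_phase"]]
    where = f" at phase {bad[0]['phase']} ({bad[0]['type']})" if bad else ""
    return f"{r['action']}{where}: {r['drop_reason']}"


if __name__ == "__main__":
    print(summarize(SAMPLE_ALLOW))
    print(summarize(SAMPLE_DROP))
```

The drop case is the one that matters in practice: the phase type tells you which part of the configuration (ACL, NAT, route lookup) rejected the packet, and the Drop-reason line is what to search for in the Cisco documentation.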