Why can a compass draw a circle? Because its feet keep moving while its center never changes!
========================== Passion, Gratitude, Responsibility
Review:
1, Firewall ----- controls traffic
2, Security zones (Huawei):
   trust --- trusted zone, security level 85 ---- internal network
   untrust --- untrusted zone, security level 5 ---- Internet
   DMZ --- demilitarized zone, security level 50 ---- servers
   local --- the firewall itself, security level 100
3, Interworking between different security zones --- security policy
   letting the whole private network share one public address --- NAT policy --- NAPT / Easy IP
   letting the external network reach an internal server --- NAT policy --- server mapping
4, The link segment toward the carrier's egress may not carry a public address
   Telnet ------ enable the service
   ----- set up access control on the VTY interfaces
==========================================
1, Cisco firewalls
   PIX --- hardware firewall
   firewall modules --- firewall service modules for switches and routers
   ASA --- Adaptive Security Appliance
2, Two product lines; deployment scenarios: SOHO / enterprise branch / enterprise perimeter / campus / data center
   --- at the network perimeter (between inside and outside)
   --- between internal network segments
3, Cisco firewall in the VM simulator
   --- open the ASA 8.4(2) image as a virtual machine in VMware
   --- open the named-pipe proxy tool, click the top-left icon to add a connection, and enter the VM's pipe path
       (Virtual Machine options --- copy the serial port's pipe path) ---------- this links the firewall console
       to a local TCP port: enter 3000 ---- then connect with SecureCRT
   --- SecureCRT: Quick Connect ---- protocol telnet
       host 127.0.0.1
       port 3000
4 --------------- basic configuration
asa>                                      // user mode
asa> enable                               // enter privileged mode
Password: tedu.cn
asa#                                      // privileged mode
asa# configure terminal                   // enter global configuration mode (abbreviation: conf t)
asa(config)#                              // global configuration mode
asa# show running-config                  // view the current running configuration
asa(config)# clear configure all          // clear all configuration; the hostname reverts to the default ciscoasa
ciscoasa#
ciscoasa# conf t                          // enter global configuration mode
ciscoasa(config)# interface g0            // physical interface GigabitEthernet 0
ciscoasa(config-if)# ip address 192.168.1.254 255.255.255.0   // configure the interface IP address
ciscoasa(config-if)# nameif inside        // logical zone name of the internal-network interface (nameif inside defaults to level 100)
ciscoasa(config-if)# security-level 90    // set the security level explicitly
ciscoasa(config-if)# no shutdown          // activate the interface
ciscoasa(config)# interface g1            // physical interface GigabitEthernet 1
ciscoasa(config-if)# ip address 192.168.8.254 255.255.255.0
ciscoasa(config-if)# nameif outside       // logical zone name of the external-network interface (any name other than inside defaults to level 0)
ciscoasa(config-if)# security-level 10
ciscoasa(config-if)# no shutdown
5 -------------------------
one interface represents one zone
interface name: physical interface G0
logical interface name (nameif) ---------- represents the security zone
inside ---------- equivalent to Huawei trust
outside ---------- equivalent to Huawei untrust
on Cisco the security level value can be changed!
chifanla(config)# hostname asa            // rename the device; the prompt follows the hostname
asa(config)#
6 --------------------------
default rules (decided by security level when no ACL is applied)
1, outbound connections (from a higher security level to a lower one) are allowed
   --- an internal-network host or WEB server can access the external network
2, inbound connections (from a lower security level to a higher one) are blocked
   --- an external-network client cannot access an internal server, not even ping it
3, traffic between interfaces with the same security level is denied
   --- neither side can reach the other's WEB server unless same-security-traffic permit inter-interface is configured
7, ICMP ---- the ping application
   --- echo-request   request packet
   --- echo-reply     reply packet
   ICMP is not tracked as a connection by default (no inspect icmp), so the echo-reply returning from outside is treated as a new inbound packet and dropped; an ACL on the outside interface is needed to let it in:
asa(config)# access-list kunla permit icmp host 192.168.8.5 host 192.168.1.5 echo-reply
             ----------- ------ ---- ------------------ ------------------ ----------
             list name   action proto source host        destination host   packet type
asa(config)# access-group kunla in interface outside
             // apply the list kunla in the inbound direction on the logical interface outside
---------------------------------- --------
let a whole internal segment reach the external server (replies to any host in 192.168.1.0/24 are allowed back):
asa(config)# no access-list kunla permit icmp host 192.168.8.5 host 192.168.1.5 echo-reply   // delete an ACL entry: prefix the entry with no
asa(config)# access-list wangduan permit icmp host 192.168.8.5 192.168.1.0 255.255.255.0 echo-reply
                                                                  ------------------------- internal network segment (ASA uses a subnet mask, not a wildcard mask)
asa(config)# access-group wangduan in interface outside
             // apply the list wangduan inbound on the outside interface; only one ACL can be bound per interface and direction, so this replaces kunla
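To make the effect of sections 6 and 7 checkable offline, here is an added example (written for these notes; it is neither Cisco code nor the course's own material) that models the ASA's security-level defaults plus an access-group bound to an interface. The interface names, levels, addresses and ACL lines are the ones from the notes; the `Asa` class, its method names and the top-down evaluation with implicit deny are assumptions of the model, and the model treats every packet as new, which is how the ASA handles ICMP without inspect icmp.

```python
"""Added example (not from the course notes or Cisco): a model of the ASA default
inter-interface rules and of an access-list applied with access-group, used to
check which ICMP packets the lab configuration lets through."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Ace:
    """One access-list entry: action, protocol, source, destination, ICMP type."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str] = None        # None matches any ICMP type


@dataclass
class Interface:
    name: str                              # nameif
    security_level: int                    # 0..100
    acl_in: List[Ace] = field(default_factory=list)   # bound by access-group ... in


def parse_ace(line: str):
    """Parse 'access-list NAME permit icmp host A host B echo-reply' into (NAME, Ace).
    Address forms understood: 'host X', 'X MASK' (ASA uses masks, not wildcards), 'any'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line")
    name, action, proto = tok[1], tok[2], tok[3]
    pos = 4

    def take():
        nonlocal pos
        if tok[pos] == "host":
            net, pos = ipaddress.ip_network(tok[pos + 1]), pos + 2
        elif tok[pos] == "any":
            net, pos = ipaddress.ip_network("0.0.0.0/0"), pos + 1
        else:
            net, pos = ipaddress.ip_network(f"{tok[pos]}/{tok[pos + 1]}"), pos + 2
        return net

    src, dst = take(), take()
    icmp_type = tok[pos] if pos < len(tok) else None
    return name, Ace(action, proto, src, dst, icmp_type)


class Asa:
    """Hypothetical model (assumed names): security-level defaults, overridden by an ingress ACL."""

    def __init__(self, same_security_inter=False):
        self.ifaces, self.acls = {}, {}
        self.same_security_inter = same_security_inter   # same-security-traffic permit inter-interface

    def interface(self, name, level):
        self.ifaces[name] = Interface(name, level)

    def access_list(self, line):
        name, ace = parse_ace(line)
        self.acls.setdefault(name, []).append(ace)

    def access_group(self, acl, iface):
        """access-group ACL in interface IFACE: a new binding replaces the old one."""
        self.ifaces[iface].acl_in = self.acls[acl]

    def allows(self, ingress, egress, proto, src, dst, icmp_type=None):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        i, e = self.ifaces[ingress], self.ifaces[egress]
        if i.acl_in:   # with an ACL bound, the list decides, top to bottom, implicit deny at the end
            for ace in i.acl_in:
                if (ace.proto in (proto, "ip") and src in ace.src and dst in ace.dst
                        and ace.icmp_type in (None, icmp_type)):
                    return ace.action == "permit"
            return False
        if i.security_level > e.security_level:
            return True                                   # outbound: high to low is allowed
        if i.security_level == e.security_level:
            return self.same_security_inter               # equal levels: denied unless enabled
        return False                                      # inbound without an ACL is denied


def lab():
    """Replay the notes' ping lab (constructed packets); returns {case: allowed}."""
    asa = Asa()
    asa.interface("inside", 90)
    asa.interface("outside", 10)
    icmp = lambda ingress, egress, s, d, t: asa.allows(ingress, egress, "icmp", s, d, t)
    out = {}
    # 192.168.1.5 pings 192.168.8.5: the request leaves outbound, the reply is dropped inbound.
    out["request before acl"] = icmp("inside", "outside", "192.168.1.5", "192.168.8.5", "echo")
    out["reply before acl"] = icmp("outside", "inside", "192.168.8.5", "192.168.1.5", "echo-reply")
    asa.access_list("access-list kunla permit icmp host 192.168.8.5 host 192.168.1.5 echo-reply")
    asa.access_group("kunla", "outside")
    out["reply with kunla"] = icmp("outside", "inside", "192.168.8.5", "192.168.1.5", "echo-reply")
    out["reply to .6 with kunla"] = icmp("outside", "inside", "192.168.8.5", "192.168.1.6", "echo-reply")
    out["request from outside with kunla"] = icmp("outside", "inside", "192.168.8.5", "192.168.1.5", "echo")
    # Widen to the whole segment; binding wangduan replaces kunla on outside.
    asa.access_list("access-list wangduan permit icmp host 192.168.8.5 192.168.1.0 255.255.255.0 echo-reply")
    asa.access_group("wangduan", "outside")
    out["reply to .6 with wangduan"] = icmp("outside", "inside", "192.168.8.5", "192.168.1.6", "echo-reply")
    return out


if __name__ == "__main__":
    for case, ok in lab().items():
        print(f"{case:34s} {'permit' if ok else 'deny'}")
```

Run it and the two "before acl" lines show the asymmetry the notes describe: the echo leaves, the echo-reply is denied until the outside interface carries an ACL that permits it, and a host ACL helps only the one destination host. Note that the model, like the notes, does not enable ICMP inspection; with inspect icmp in the global policy the reply would match the existing connection and no ACL would be required.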
-------------------- ----------------------
(for comparison, IOS numbered ACLs: standard 1-99, extended 100-199; the ASA uses named ACLs, so the name takes the place of the number)
asa(config)# hostname xiuxi                          // change the device name
xiuxi(config)# enable password 123456                // set the privileged-mode password
xiuxi(config)# wr                                    // save the configuration (write memory)
xiuxi(config)# copy running-config startup-config    // same effect: copy the running config to the startup config
------------------------------------------
200.8.8.248/29 ---- 29 - 24 = 5 subnet bits: 32 subnets of the /24; 32 - 29 = 3 host bits: 8 addresses, 6 usable IPs: .249 ---- .254
11111111.11111111.11111111.11111000 /29
255.255.255.248
NAPT ---- public pool address 200.8.8.249 (a usable host of the /29; .248 is the network address and .255 the broadcast)
xiuxi(config)# object network napt                                     // create a network object named napt for the NAT rule
xiuxi(config-network-object)# subnet 192.168.1.0 255.255.255.0         // the private addresses that need translation
xiuxi(config-network-object)# nat (inside,outside) dynamic 200.8.8.249 // translate to the public address; a single mapped address means dynamic PAT (many-to-one with port translation, i.e. NAPT)
Easy IP --- based on the egress interface: PAT using the outside interface's own address (use this rule or the one above for a given subnet, not both)
xiuxi(config)# object network easyip
xiuxi(config-network-object)# subnet 192.168.1.0 255.255.255.0
xiuxi(config-network-object)# nat (inside,outside) dynamic interface
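As an added example (not from the notes and not Cisco code), the following Python checks the /29 arithmetic above and models what the two NAT rules do to flows leaving the inside network. `subnet_facts`, `check_mapped_address`, `PatTable`, `napt_rule` and `easyip_rule` are assumed helper names; `PatTable` is a simplified translation table that hands out mapped ports sequentially, whereas the real ASA selects them from port ranges. The addresses are the ones in the notes except the outside interface IP passed to `easyip_rule`, which the notes do not give and which is assumed.

```python
"""Added example (not from the course notes or Cisco): subnet arithmetic for the
public /29 and a simplified model of dynamic PAT (NAPT) versus Easy IP."""
import ipaddress
from itertools import count


def subnet_facts(cidr):
    """Mask, host bits, number of such subnets inside the parent /24, usable host range."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False also accepts a host address
    hosts = list(net.hosts())
    return {
        "netmask": str(net.netmask),
        "host_bits": 32 - net.prefixlen,
        "subnets_of_24": 2 ** (net.prefixlen - 24) if net.prefixlen >= 24 else 0,
        "usable": len(hosts),
        "first": str(hosts[0]),
        "last": str(hosts[-1]),
    }


def check_mapped_address(addr, outside_cidr):
    """A PAT address must be a usable host of the outside segment:
    inside the subnet and neither its network nor its broadcast address."""
    net = ipaddress.ip_network(outside_cidr, strict=False)
    a = ipaddress.ip_address(addr)
    return a in net and a not in (net.network_address, net.broadcast_address)


class PatTable:
    """Simplified dynamic PAT (assumed model): every matching inside host is mapped
    to ONE public address and a unique mapped port tells the flows apart.
    Port allocation is sequential here; the real ASA picks from port ranges."""

    def __init__(self, real_subnet, real_mask, mapped_addr, first_port=1024):
        self.real = ipaddress.ip_network(f"{real_subnet}/{real_mask}")   # object's 'subnet' line
        self.mapped = str(ipaddress.ip_address(mapped_addr))             # 'dynamic <addr>' or interface IP
        self._ports = count(first_port)
        self.xlate = {}   # (real ip, real port) -> (mapped ip, mapped port)

    def translate(self, real_ip, real_port):
        """Return the mapped (ip, port) for a flow, or None if the NAT rule does not match."""
        ip = ipaddress.ip_address(real_ip)
        if ip not in self.real:
            return None
        key = (str(ip), real_port)
        if key not in self.xlate:                  # new flow: allocate a mapped port
            self.xlate[key] = (self.mapped, next(self._ports))
        return self.xlate[key]


def napt_rule():
    """object network napt: subnet 192.168.1.0/24, nat (inside,outside) dynamic 200.8.8.249."""
    return PatTable("192.168.1.0", "255.255.255.0", "200.8.8.249")


def easyip_rule(outside_interface_ip):
    """nat (inside,outside) dynamic interface: the mapped address is the outside interface's own IP
    (passed in here because the notes do not state it)."""
    return PatTable("192.168.1.0", "255.255.255.0", outside_interface_ip)


if __name__ == "__main__":
    print(subnet_facts("200.8.8.248/29"))
    for candidate in ("200.8.8.248", "200.8.8.249", "200.8.8.255"):
        print(candidate, "usable as PAT address:", check_mapped_address(candidate, "200.8.8.248/29"))
    t = napt_rule()
    print(t.translate("192.168.1.5", 40000), t.translate("192.168.1.6", 40000), t.translate("10.0.0.1", 53))
```

Two hosts using the same source port get the same public address with different mapped ports, which is the whole point of NAPT over a pool of one address; a host outside 192.168.1.0/24 is not touched by the rule at all. The `check_mapped_address` test is the check to run before committing `dynamic <addr>`: .248 and .255 lie in the /29 but are not usable hosts.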
------------------------------------------