Difference between revisions of "Cisco ASA"
Helikopter (talk | contribs) m (→VPN) |
Helikopter (talk | contribs) |
||
Line 34: | Line 34: | ||
domain-name inhouse.local | domain-name inhouse.local | ||
crypto key generate rsa modulus 2048 | crypto key generate rsa modulus 2048 | ||
+ | |||
+ | ==Diverse== | ||
+ | ===ICMP-inspection=== | ||
+ | Default så är inte icmp-inspection påslaget. | ||
+ | fixup protocol icmp | ||
+ | Alternativt | ||
+ | policy-map global_policy | ||
+ | class inspection_default | ||
+ | inspect icmp | ||
+ | ===ARP Inspection=== | ||
+ | arp inside 193.10.161.37 0c0c.0c0c.0c03 alias | ||
+ | --- | ||
+ | |||
+ | ===Management access=== | ||
+ | Vill man managera sin brandvägg genom en VPN-tunnel måste man komplettera ssh/http-kommandon med: | ||
+ | management-access inside | ||
+ | |||
+ | ===Botnet Filtering=== | ||
+ | #köp licens | ||
+ | #Enable DNS Client | ||
+ | |||
+ | ===NTP=== | ||
+ | clock timezone CEST 1 0 | ||
+ | clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 60 | ||
+ | ntp server 94.199.180.200 source outside | ||
+ | |||
+ | ===uRPF=== | ||
+ | ip verify reverse-path interface outside | ||
+ | |||
+ | ===Logging=== | ||
+ | logging enable | ||
+ | logging console 4 | ||
+ | |||
+ | ===Certificate Management=== | ||
+ | show crypto ca certificate | ||
+ | (config) crypto ca export | ||
+ | show crypto key mypubkey rsa | ||
===Global Timeouts=== | ===Global Timeouts=== | ||
Line 318: | Line 355: | ||
failover | failover | ||
− | == | + | ==SLA== |
− | + | route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1 | |
− | + | sla monitor 10 | |
− | + | type echo protocol ipIcmpEcho 1.1.1.1 interface outside | |
− | + | num-packets 3 | |
− | + | frequency 5 | |
− | + | sla monitor schedule 10 life forever start-time now | |
− | + | track 1 rtr 10 reachability | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
==VPN== | ==VPN== |
Revision as of 11:45, 8 December 2015
Adaptive Security Appliance är Ciscos VPN- och brandväggsenhet. Detta är skrivet för 8.4 och senare.
Contents
Konfiguration
Grunder
conf t hostname ASA
IP adress
int e0/0 mac-address 0011.2233.4455 security-level 100 nameif inside ip address 10.0.0.1 255.255.255.0 no shut exit
Default route och DNS
route outside 0.0.0.0 0.0.0.0 190.10.160.1 1 same-security-traffic permit inter-interface dns domain-lookup outside dns name-server 8.8.8.8
ASDM
ASDM är en javamjukvara man kan använda för GUI till ASA. Slå på det och vitlista IP/nät.
http server enable http 10.0.0.0 255.255.255.0 inside
Skapa användare så att det går att logga in. Peka autentisering mot lokal databas.
username admin password cisco privilege 15 aaa authentication http console LOCAL
SSH
ssh 10.0.0.0 255.255.255.0 inside ssh timeout 60 ssh version 2 aaa authentication ssh console LOCAL domain-name inhouse.local crypto key generate rsa modulus 2048
Diverse
ICMP-inspection
Default så är inte icmp-inspection påslaget.
fixup protocol icmp
Alternativt
policy-map global_policy class inspection_default inspect icmp
ARP Inspection
arp inside 193.10.161.37 0c0c.0c0c.0c03 alias ---
Management access
Vill man managera sin brandvägg genom en VPN-tunnel måste man komplettera ssh/http-kommandon med:
management-access inside
Botnet Filtering
#köp licens #Enable DNS Client
NTP
clock timezone CEST 1 0 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 60 ntp server 94.199.180.200 source outside
uRPF
ip verify reverse-path interface outside
Logging
logging enable logging console 4
Certificate Management
show crypto ca certificate (config) crypto ca export show crypto key mypubkey rsa
Global Timeouts
timeout xlate 10:00:00 timeout uauth 10:00:00 absolute timeout uauth 09:00:00 inactivity
Permanent Self-Signed Certificate
crypto ca trustpoint ASDM_TrustPoint0 id-usage ssl-ipsec no fqdn subject-name CN=ASA enrollment self crypto ca enroll ASDM_TrustPoint0 noconfirm
DHCP
Klient
int e0/0 ip address dhcp setroute exit dhcp-client client-id interface outside
Server
dhcpd address 10.0.0.50-10.0.0.60 inside dhcpd enable inside dhcpd dns 8.8.8.8 interface inside
OBS ASA don't repond to unicast dhcp requests
NAT
PAT
nat (inside,outside) 1 source dynamic any interface
Dynamic
object network inside_10 subnet 10.0.0.0 255.255.255.0 object network outside-pool range 193.10.161.190 193.10.161.199 object network inside_10 nat (inside,any) dynamic outside-pool
Static
object network dmz_server host 172.16.0.5 object network dmz_global host 193.10.161.31 object network dmz_server nat (dmz,outside) static dmz_global
Port Forwarding
object network websrv host 10.1.1.3 nat (inside,outside) static interface service tcp 80 80 exit access-list outside_access_in permit tcp any object websrv eq http
ACL
access-list ACL1 permit tcp any object dmz_server eq http access-group ACL1 in interface outside
Routing
Static
route inside 10.0.1.0 255.255.255.0 {next hop address} 10
OSPF
router ospf 1 area 1 network 10.0.0.0 255.255.255.0 area 1
RIP
router rip no auto-summary version 2 network 10.0.0.0
EIGRP
router eigrp 1 network 10.0.0.0 255.255.255.0
Modular Policy Framework
Application Inspection
access-list dmz_ftp permit tcp any any eq ftp
Class Map
class-map FTP-class-MAP match access-list dmz_ftp
Policy Map
policy-map FTP-policy-MAP class FTP-class-MAP inspect ftp
Service Policy
service-policy FTP-policy-MAP interface dmz
QoS
priority-queue inside
Class Map
class-map VOIP match dscp 46
Policy Map
policy-map inside-policy class VOIP priority
Service Policy
service-policy inside-policy interface inside
Tweaking Connections
access-list ACL1 permit tcp any object dmz_server eq http class-map TCP-Sessions match access-list ACL1 policy-map Conn-Limits class TCP-Sessions set connection conn-max 500 embryonic-conn-max 50 set connection timeout embryonic 0:05:00 half-closed 0:10:00 service-policy Conn-Limits interface outside
TCP Intercept
access-list ACL1 permit tcp any object dmz_server eq http class-map no-syn-flood-class match access-list ACL1 policy-map NO-SYN-FLOOD class no syn-flood-class set connection embryonic-conn-max 50 service-policy NO-SYN-FLOOD interface outside
Advanced Application Inspection - HTTP
policy-map type inspect http http-inspect-pmap parameters protocol-violation action dropconnection log match req-resp content-type mismatch drop-connection log policy-map global_policy class inspection_default inspect http http-inspect-pmap
VLAN - !5505
int e0/2 no shut int e0/2.10 vlan 10 security-level 100 nameif VLAN10 ip add 10.0.10.1 255.255.255.0 no shut exit
EtherChannel
interface e0/2 channel-group mode Active interface e0/3 channel-group mode Active interface port-channel1 port-channel load-balance src-port port-channel min-bundle 1 lacp max-bundle 8 duplex auto speed auto nameif DMZ security-level 50 ip add 10.0.10.1 255.255.255.0 no shut exit
Redundancy
interface e0/4 no shut interface e0/5 no shut interface redundant1 member interface e0/4 member interface e0/5 nameif outside security-level ip address 193.10.161.31 no shut exit
Transparent - 5505
firewall transparent int BVI 1 ip add 193.10.161.38 255.255.255.0 exit int e0/0 switchport access vlan 1 no shut int e0/1 switchport access vlan 2 no shut interface vlan 1 security-level 100 nameif inside bridge-group 1 no shut interface vlan 2 security-level 0 nameif outside bridge-group 1 no shut
AAA
aaa-server OUR-GROUP protocol radius aaa-server OUR-GROUP (inside) host 10.0.0.50 key ******** radius-common-pw ********* exit
Cut-through User AAA
access-list outside_authentication permit tcp any object dmz-server eq http username bob password cisco priv 2 username bob attributes service-type remote-access exit aaa authentication match outside_authentication outside LOCAL
Failover
#Criteria ASA1 int e0/0 ip address 193.10.161.38 255.255.254.0 standby 193.10.161.39 int e0/1 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2 failover lan interface Fail-1 e0/3 failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2 failover key cisco failover link Fail-2 e0/4 failover interface ip Fail-2 10.2.2.1 255.255.255.252 standby 10.2.2.2 failover replication http failover lan unit primary failover mac address e0/0 0000.1111.2222 0000.3333.4444 failover ASA2 int e0/3 no shut exit failover lan interface Fail-1 e0/3 failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2 failover key cisco failover lan unit secondary failover
Virtual Firewall
mode multiple changeto context admin changeto system mac-address auto class silver limit resource asdm 3 context newcontext member silver allocate-interface e0/3 allocate-interface e0/4 config-url disk0:/newcontext.cfg
Active/Active Failover
changeto system prompt hostname priority failover group 1 primary preempt 120 exit failover group 2 secondary preempt 120 exit context Ctx-1 join-failover-group 1 exit context Ctx-2 join-failover-group 2 exit int e0/4 no shut int e0/5 no shut exit failover lan unit primary failover lan interface Fail-1 e0/4 failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2 failover link Fail-2 e0/4 failover interface ip Fail-2 10.2.2.1 255.255.255.252 standby 10.2.2.2 failover int e0/3 no shut exit failover lan unit secondary failover lan interface Fail-1 e0/3 failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2 failover
SLA
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1 sla monitor 10 type echo protocol ipIcmpEcho 1.1.1.1 interface outside num-packets 3 frequency 5 sla monitor schedule 10 life forever start-time now track 1 rtr 10 reachability
VPN
Förutsättningar för att sätta upp VPN-tunnlar är att klocka måste gå rätt och att NAT-regler måste ligga i rätt ordning.
Kolla hur man gör på aktuell version
vpnsetup site-to-site steps vpnsetup ipsec-remote-access steps
Troubleshoot
show crypto isakmp sa detail show vpn-sessiondb detail l2l