Difference between revisions of "Cisco ASA"
Helikopter (talk | contribs) m (→NTP) |
Helikopter (talk | contribs) |
||
Line 21: | Line 21: | ||
===ASDM=== | ===ASDM=== | ||
− | ASDM är en javamjukvara man kan använda för GUI till ASA. Slå på det och vitlista IP/nät. | + | ASDM är en javamjukvara man kan använda för GUI till ASA. |
+ | asdm image disk0:/asdm-752.bin | ||
+ | show asdm image | ||
+ | Slå på det och vitlista IP/nät som får ansluta. | ||
http server enable | http server enable | ||
http 10.0.0.0 255.255.255.0 inside | http 10.0.0.0 255.255.255.0 inside | ||
Line 46: | Line 49: | ||
Vill man managera sin brandvägg genom en VPN-tunnel måste man komplettera ssh/http-kommandon med: | Vill man managera sin brandvägg genom en VPN-tunnel måste man komplettera ssh/http-kommandon med: | ||
management-access inside | management-access inside | ||
+ | |||
+ | ===Upgrade=== | ||
+ | copy http://<webbserver.se>/filer/asa952-smp-k8.bin disk0:/ | ||
+ | boot system disk0:/asa952-smp-k8.bin | ||
+ | show bootvar | ||
+ | wr | ||
+ | reload | ||
+ | |||
+ | ===Reset=== | ||
+ | clear configure all | ||
+ | crypto key zeroize rsa | ||
+ | Setup basic firewall | ||
+ | configure factory-default | ||
==Diverse== | ==Diverse== | ||
Line 55: | Line 71: | ||
class inspection_default | class inspection_default | ||
inspect icmp | inspect icmp | ||
+ | |||
+ | ===Traceroute=== | ||
+ | Tillåt traceroute genom en ASA | ||
+ | access-list ACL extended permit icmp any any time-exceeded | ||
+ | access-list ACL extended permit icmp any any unreachable | ||
+ | |||
+ | ===Accelerated Security Path=== | ||
+ | show asp drop | ||
+ | capture asp-drop type asp-drop all | ||
+ | show capture asp-drop | ||
===ARP Inspection=== | ===ARP Inspection=== | ||
arp inside 193.10.161.37 0c0c.0c0c.0c03 alias | arp inside 193.10.161.37 0c0c.0c0c.0c03 alias | ||
--- | --- | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
===Botnet Filtering=== | ===Botnet Filtering=== | ||
Line 78: | Line 98: | ||
===uRPF=== | ===uRPF=== | ||
ip verify reverse-path interface outside | ip verify reverse-path interface outside | ||
+ | show run ip verify reverse-path | ||
===Logging=== | ===Logging=== | ||
Line 161: | Line 182: | ||
access-group ACL1 in interface outside | access-group ACL1 in interface outside | ||
show access-list ACL1 | show access-list ACL1 | ||
+ | Matcha på DNS-namn | ||
+ | object network hackernet.se | ||
+ | fqdn v4 hackernet.se | ||
==Routing== | ==Routing== | ||
Line 354: | Line 378: | ||
allocate-interface e0/4 | allocate-interface e0/4 | ||
config-url disk0:/newcontext.cfg | config-url disk0:/newcontext.cfg | ||
+ | Save in all contexts | ||
+ | wr mem all | ||
===Active/Active Failover=== | ===Active/Active Failover=== |
Revision as of 18:15, 26 March 2016
Adaptive Security Appliance är Ciscos VPN- och brandväggsenhet. Detta är skrivet för 8.4 och senare.
Hårdvara och mjukvara kompatibilitet
Contents
Konfiguration
Grunder
conf t hostname ASA
IP adress
int e0/0 mac-address 0011.2233.4455 security-level 100 nameif inside ip address 10.0.0.1 255.255.255.0 no shut exit
Default route och DNS
route outside 0.0.0.0 0.0.0.0 190.10.160.1 1 same-security-traffic permit inter-interface dns domain-lookup outside dns name-server 8.8.8.8
ASDM
ASDM är en javamjukvara man kan använda för GUI till ASA.
asdm image disk0:/asdm-752.bin show asdm image
Slå på det och vitlista IP/nät som får ansluta.
http server enable http 10.0.0.0 255.255.255.0 inside
Skapa användare så att det går att logga in. Peka autentisering mot lokal databas.
username admin password cisco privilege 15 aaa authentication http console LOCAL
SSH
ssh 10.0.0.0 255.255.255.0 inside ssh timeout 60 ssh version 2 aaa authentication ssh console LOCAL domain-name inhouse.local crypto key generate rsa modulus 2048
Mgmt VRF
Man kan sedan 9.5 lägga management-interface i en egen routingtabell.
int gi0/1 management-only show route management-only show asp table routing management-only
Management access
Vill man managera sin brandvägg genom en VPN-tunnel måste man komplettera ssh/http-kommandon med:
management-access inside
Upgrade
copy http://<webbserver.se>/filer/asa952-smp-k8.bin disk0:/ boot system disk0:/asa952-smp-k8.bin show bootvar wr reload
Reset
clear configure all crypto key zeroize rsa
Setup basic firewall
configure factory-default
Diverse
ICMP-inspection
Default så är inte icmp-inspection påslaget.
fixup protocol icmp
Alternativt
policy-map global_policy class inspection_default inspect icmp
Traceroute
Tillåt traceroute genom en ASA
access-list ACL extended permit icmp any any time-exceeded access-list ACL extended permit icmp any any unreachable
Accelerated Security Path
show asp drop capture asp-drop type asp-drop all show capture asp-drop
ARP Inspection
arp inside 193.10.161.37 0c0c.0c0c.0c03 alias ---
Botnet Filtering
#köp licens #Enable DNS Client
NTP
clock timezone CEST 1 0 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 60 ntp server 94.199.180.200 source outside show ntp status
uRPF
ip verify reverse-path interface outside show run ip verify reverse-path
Logging
logging enable logging console 4
Certificate Management
show crypto ca certificate (config) crypto ca export show crypto key mypubkey rsa
Jumbo Frames
jumbo frame-reservation mtu inside 9000 mtu outside 9000
Global Timeouts
timeout xlate 10:00:00 timeout uauth 10:00:00 absolute timeout uauth 09:00:00 inactivity
Permanent Self-Signed Certificate
crypto ca trustpoint ASDM_TrustPoint0 id-usage ssl-ipsec no fqdn subject-name CN=ASA enrollment self crypto ca enroll ASDM_TrustPoint0 noconfirm
SNMP
snmp-server host inside 10.0.0.50 community PUBLIC version 2c show snmp-server oidlist #"hidden command"
DHCP
Klient
int e0/0 ip address dhcp setroute exit dhcp-client client-id interface outside
Server
dhcpd address 10.0.0.50-10.0.0.60 inside dhcpd enable inside dhcpd dns 8.8.8.8 interface inside
OBS ASA don't repond to unicast dhcp requests
NAT
PAT
nat (inside,outside) 1 source dynamic any interface
Dynamic
object network inside_10 subnet 10.0.0.0 255.255.255.0 object network outside-pool range 193.10.161.190 193.10.161.199 object network inside_10 nat (inside,any) dynamic outside-pool
Static
object network dmz_server host 172.16.0.5 object network dmz_global host 193.10.161.31 object network dmz_server nat (dmz,outside) static dmz_global
Exempt
object network LAN1 subnet 1.1.1.0 255.255.255.0 object network LAN2 subnet 2.2.2.0 255.255.255.0 nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2
1an är viktig så att regeln hamnar först
Show
show run nat
Port Forwarding
object network websrv host 10.1.1.3 nat (inside,outside) static interface service tcp 80 80 exit access-list outside_access_in permit tcp any object websrv eq http
ACL
access-list ACL1 permit tcp any object dmz_server eq http access-list ACL1 line 15 permit tcp any object dmz_server eq https access-group ACL1 in interface outside show access-list ACL1
Matcha på DNS-namn
object network hackernet.se fqdn v4 hackernet.se
Routing
Static
route inside 10.0.1.0 255.255.255.0 {next hop address} 10
OSPF
router ospf 1 area 1 network 10.0.0.0 255.255.255.0 area 1
RIP
router rip no auto-summary version 2 network 10.0.0.0
EIGRP
router eigrp 1 network 10.0.0.0 255.255.255.0
Modular Policy Framework
Application Inspection
access-list dmz_ftp permit tcp any any eq ftp
Class Map
class-map FTP-class-MAP match access-list dmz_ftp
Policy Map
policy-map FTP-policy-MAP class FTP-class-MAP inspect ftp
Service Policy
service-policy FTP-policy-MAP interface dmz
QoS
priority-queue inside
Class Map
class-map VOIP match dscp 46
Policy Map
policy-map inside-policy class VOIP priority
Service Policy
service-policy inside-policy interface inside
Tweaking Connections
access-list ACL1 permit tcp any object dmz_server eq http class-map TCP-Sessions match access-list ACL1 policy-map Conn-Limits class TCP-Sessions set connection conn-max 500 embryonic-conn-max 50 set connection timeout embryonic 0:05:00 half-closed 0:10:00 service-policy Conn-Limits interface outside
TCP Intercept
access-list ACL1 permit tcp any object dmz_server eq http class-map no-syn-flood-class match access-list ACL1 policy-map NO-SYN-FLOOD class no syn-flood-class set connection embryonic-conn-max 50 service-policy NO-SYN-FLOOD interface outside
Advanced Application Inspection - HTTP
policy-map type inspect http http-inspect-pmap parameters protocol-violation action dropconnection log match req-resp content-type mismatch drop-connection log policy-map global_policy class inspection_default inspect http http-inspect-pmap
VLAN - !5505
int e0/2 no shut int e0/2.10 vlan 10 security-level 100 nameif VLAN10 ip add 10.0.10.1 255.255.255.0 no shut exit
EtherChannel
interface e0/2 channel-group mode Active interface e0/3 channel-group mode Active interface port-channel1 port-channel load-balance src-port port-channel min-bundle 1 lacp max-bundle 8 duplex auto speed auto nameif DMZ security-level 50 ip add 10.0.10.1 255.255.255.0 no shut exit
Redundancy
Samma som etherchannel fast endast ett ben är aktivt i taget. Användbart om asan är kopplad till 2 switchar utan MLAG (t.ex. vPC).
interface e0/4 no shut interface e0/5 no shut interface redundant1 member interface e0/4 member interface e0/5 nameif outside security-level ip address 193.10.161.31 no shut exit
Transparent - 5505
firewall transparent int BVI 1 ip add 193.10.161.38 255.255.255.0 exit int e0/0 switchport access vlan 1 no shut int e0/1 switchport access vlan 2 no shut interface vlan 1 security-level 100 nameif inside bridge-group 1 no shut interface vlan 2 security-level 0 nameif outside bridge-group 1 no shut
AAA
aaa-server OUR-GROUP protocol radius aaa-server OUR-GROUP (inside) host 10.0.0.50 key ******** radius-common-pw ********* exit
Cut-through User AAA
access-list outside_authentication permit tcp any object dmz-server eq http username bob password cisco priv 2 username bob attributes service-type remote-access exit aaa authentication match outside_authentication outside LOCAL
Failover
#Criteria ASA1 int e0/0 ip address 193.10.161.38 255.255.254.0 standby 193.10.161.39 int e0/1 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2 failover lan interface Fail-1 e0/3 failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2 failover key cisco failover link Fail-2 e0/4 failover interface ip Fail-2 10.2.2.1 255.255.255.252 standby 10.2.2.2 failover replication http failover lan unit primary failover mac address e0/0 0000.1111.2222 0000.3333.4444 failover ASA2 int e0/3 no shut exit failover lan interface Fail-1 e0/3 failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2 failover key cisco failover lan unit secondary failover
Virtual Firewall
mode multiple changeto context admin changeto system mac-address auto class silver limit resource asdm 3 context newcontext member silver allocate-interface e0/3 allocate-interface e0/4 config-url disk0:/newcontext.cfg
Save in all contexts
wr mem all
Active/Active Failover
changeto system prompt hostname priority failover group 1 primary preempt 120 exit failover group 2 secondary preempt 120 exit context Ctx-1 join-failover-group 1 exit context Ctx-2 join-failover-group 2 exit int e0/4 no shut int e0/5 no shut exit failover lan unit primary failover lan interface Fail-1 e0/4 failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2 failover link Fail-2 e0/4 failover interface ip Fail-2 10.2.2.1 255.255.255.252 standby 10.2.2.2 failover int e0/3 no shut exit failover lan unit secondary failover lan interface Fail-1 e0/3 failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2 failover
SLA
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1 sla monitor 10 type echo protocol ipIcmpEcho 1.1.1.1 interface outside num-packets 3 frequency 5 sla monitor schedule 10 life forever start-time now track 1 rtr 10 reachability
VPN
Se ASA VPN
REST API
Man kan lägga till en agent så att ASAn får ett REST API.
copy http://<webbserver>/asa-restapi-122-lfbff-k8.SPA disk0: rest-api image disk0:/asa-restapi-122-lfbff-k8.SPA rest-api agent
Sedan behöver webbservern konfigureras om inte det är gjort, se ASDM
Använd en REST-klient (Firefox/Chrome)
https:<asa-ip>/api/objects/networkobjects
Docs
Följer med agenten
https://<asa-ip>/doc/