Quản trị mạng - Implementing the cisco adaptive security appliance (asa)
The management interface depends on the model of ASA:
– Cisco ASA 5505 - The management switch port can be
any port, except for Ethernet 0/0.
– Cisco ASA 5510 and higher - The interface to connect is
Management 0/0
50 trang |
Chia sẻ: nguyenlam99 | Lượt xem: 817 | Lượt tải: 0
Bạn đang xem trước 20 trang tài liệu Quản trị mạng - Implementing the cisco adaptive security appliance (asa), để xem tài liệu hoàn chỉnh bạn click vào nút DOWNLOAD ở trên
Implementing the Cisco Adaptive
Security Appliance (ASA)
CCNA Security
1
Objectives
2
Overview of the ASA
• Which kind of branch is appropriate for
the IOS firewall solution ?
Refer to 10.1.1.1
• What is disadvantage of the IOS firewall
solution ?
3
Overview of the ASA
4
Overview of the ASA
• The ASA is a standalone firewall device that is a
primary component of the Cisco SecureX architecture.
• All six ASA models provide advanced stateful firewall
features and VPN functionality.
• The biggest difference between the models is the
maximum traffic throughput handled by each model
and the number and type of interfaces.
• The choice of ASA model will depend on an
organization's requirements, such as maximum
throughput, maximum connections per second, and
budget.
5
Overview of the ASA
• The ASA software combines firewall, VPN
concentrator, and intrusion prevention functionality
into one software image.
• Previously, these functions were available in three
separate devices, each with its own software and
hardware.
1. PIX
2. VPN concentrator
3. IDS
6
Overview of the ASA
Other advanced ASA features include these:
1. ASA virtualization
2. High availability with failover
3. Identity firewall
4. Threat control and containment services
Refer to 10.1.1.1
7
Overview of the ASA
• All ASA models can be configured and managed using
either the command line interface or the Adaptive
Security Device Manager (ASDM).
8
Overview of the ASA
• By default, the ASA treats a defined inside
interface as the trusted network, and any
defined outside interfaces as untrusted
networks.
• Each interface has an associated security level
• An ASA provides the same as ZPF/CBAC
features but the configuration differs markedly
from the IOS router configuration of ZPF.
9
Refer to 10.1.1.2
Overview of the ASA
10
Overview of the ASA
11
Overview of the ASA
• The ASA is a stateful firewall. It tracks the state of the TCP or UDP
network connections traversing it.
• All traffic forwarded through an ASA is inspected using the Adaptive
Security Algorithm and is either allowed to pass through or is
dropped.
12
Refer to 10.1.1.3
Overview of the ASA
• Session management path ?
• Control plane path ?
• Layer 7 inspection ?
• Fast path ?
13
Refer to 10.1.1.3
Overview of the ASA
Refer to 10.1.1.4
14
Overview of the ASA
• Most ASA appliances come pre-installed with either a Base
license or a Security Plus license.
• To provide additional features to the ASA, additional time-
based or optional licenses can be purchased.
• Combining these additional licenses to the pre-installed
licenses creates a permanent license. The permanent
license is then activated by installing a permanent
activation key using the activation-key command.
15
Overview of the ASA
• Only one permanent license key can be installed and once
it is installed, it is referred to as the running license.
• To verify the license information on an ASA device, use the
show version or the show activation-key command.
16
Overview of the ASA
Refer to 10.1.1.5
The ASA 5505 Features
• The Cisco ASA 5505 is a full-featured security appliance
for small businesses, branch offices, and enterprise
teleworker environments.
• It delivers a high-performance firewall, SSL VPN, IPsec
VPN, and rich networking services in a modular, plug-and-
play appliance.
18
Refer to 10.1.2.1
Security Level
• Security levels define the level of trustworthiness of an
interface. The higher the level, the more trusted the
interface. The security level numbers range between 0
(untrustworthy) to 100 (very trustworthy)
• Each operational interface must have a name and a
security level from 0 (lowest) to 100 (highest) assigned.
19
Refer to 10.1.2.2
Security levels help control:
1.Network access
2. Inspection engines
3.Filtering
Security Level
• On an ASA 5505, Layer 3 parameters are configured on a switch
virtual interface (SVI). An SVI, a logical VLAN interface, requires a
name, interface security level, and IP address.
Refer to 10.1.2.2
20
The Deployment of the ASA 5505
• The ASA 5505 is commonly used as an edge security device that connects a
small business to an ISP device, such as a DSL or cable modem, for access to
the Internet.
Refer to 10.1.2.3
21
The ASA 5510 Features
Refer to 10.1.2.4
22
Default Configuration of ASA 5510 and higher
• The default factory configuration includes the following:
1. The management interface, Management 0/0, is preconfigured with
the IP address 192.168.1.1 and mask 255.255.255.0.
2. The DHCP server is enabled on the ASA, so a PC connecting to the
interface receives an address between 192.168.1.2 and
192.168.1.254.
3. The HTTP server is enabled for ASDM and is accessible to users on
the 192.168.1.0 network.
23
Refer to 10.1.2.5
ASA Access Modes
• User EXEC mode - ciscoasa> en
• Privileged EXEC mode - ciscoasa# config t
• Global configuration mode - ciscoasa(config)#
• Various sub-configuration modes, for example -
ciscoasa(config-if)#
• ROMMON mode - ROMMON>
24
ASA Access Modes
25
IOS and ASA Commands
1. Execute any ASA CLI command regardless of the current
configuration mode prompt. The IOS do command is not
required or recognized.
2. Provide a brief description and command syntax when
Unlike an ISR, the ASA performs as follows:
help is entered followed by the command.
3. Interrupt show command output using Q. The IOS
requires the use of Ctrl+C (^C).
26
Refer to 10.2.1.1
IOS and ASA Commands
27
Default Configuration
• The ASA 5505 ships with a default configuration that, in
most cases, is sufficient for a basic SOHO deployment.
• The configuration includes two preconfigured VLAN
networks: VLAN1 and VLAN2. VLAN 1 is for the inside
network and VLAN 2 is for the outside network.
• The ASA can be restored to its factory default configuration
by using the configure factory-default global
configuration command.
28
Refer to 10.2.1.2
Erase Configuration and Reboot
• The ASA startup configuration can be erased using the
write erase and reload commands.
• Note: Unlike router IOS, the ASA does not recognize the
erase startup-config command.
• Once rebooted, the ASA displays the following prompt
"Pre-configure Firewall now through interactive
prompts [yes]?"
29
Refer to 10.2.1.3
Configuration Management Settings and Services
• Configure Basic Settings
• Configure the Interfaces
Refer to 10.2.2.1
30
Configuration Management Settings and Services
Refer to 10.2.2.2
31
Configuration Management Settings and Services
• Configure a Default Route
Refer to 10.2.2.2
32
Configuration Management Settings and Services
• Configure Telnet Access
Refer to 10.2.2.3
33
Configuration Management Settings and Services
• Configure NTP Services
Refer to 10.2.2.3
34
Configuration Management Settings and Services
• Configure DHCP Services
Refer to 10.2.2.4
35
Configuration Management Settings and Services
• Configure DHCP Services
Refer to 10.2.2.4
36
Introduction to ASDM
• The management interface depends on the model of ASA:
– Cisco ASA 5505 - The management switch port can be
any port, except for Ethernet 0/0.
– Cisco ASA 5510 and higher - The interface to connect is
Management 0/0.
37
Note: To remove and disable the ASA HTTP server service, use the global
configuration command clear configure http.
Refer to 10.2.3.1
Introduction to ASDM
Refer to 10.2.3.2 - 5
38
ASDM Wizards
Refer to 10.2.4.1 - 4
39
Object Groups
• The advantage is that when an object is modified, the
change is automatically applied to all rules that use the
specified object. Therefore, objects make it easy to
maintain configurations.
40
Refer to 10.2.5.1 - 5
ACLs
• ASA ACLs differ from IOS ACLs in that they use a network
mask (e.g., 255.255.255.0) instead of a wildcard mask
(e.g. 0.0.0.255). Also most ASA ACLs are named instead
of numbered.
41
Refer to 10.2.6.1 - 5
NAT Service on an ASA
• The ASA supports NAT and PAT and these addresses can
also be provided either statically or dynamically.
42
Refer to 10.2.7.1 - 4
Access Control on an ASA
• The ASA can authenticate all administrative connections to the ASA, including
Telnet, SSH, console, ASDM using HTTPS, and privileged EXEC.
• The ASA can authorize the following items:
– Management commands
– Network access
– VPN access
43
Refer to 10.2.8.1 - 5
Service Policies on an ASA
• Modular Policy Framework (MPF) configuration defines a
set of rules for applying firewall features, such as traffic
inspection and QoS, to the traffic that traverses the ASA.
44
Refer to 10.2.9.1 - 5
ASA Remote-Access VPN Options
• Enterprise users are requesting support for their mobile
devices including smart phones, tablets, notebooks, and a
broader range of laptop manufacturers and operating
systems.
45
Refer to 10.3.1.1 - 5
ASA Remote-Access VPN Options
• Cisco AnyConnect is available for the following platforms:
– iOS devices (iPhone, iPad, and iPod Touch)
– Android OS (select models)
– BlackBerry
– Windows Mobile 6.1
– HP webOS
– Nokia Symbian
46
Refer to 10.3.1.1 - 5
Clientless SSL VPN
47
Refer to 10.3.2.1 - 2
Configuring Clientless SSL VPN
48
Refer to 10.3.3.1 - 4
AnyConnect SSL VPN
49
Refer to 10.3.4.1 - 2
Configuring AnyConnect SSL VPN
50
Refer to 10.3.5.1 - 5
Các file đính kèm theo tài liệu này:
- ccna_security_chapter_10_implementing_the_cisco_adaptive_security_appliance_asa_9445_3378.pdf