cisco asa co ban.docx

Upload: nguyen-phong

Post on 04-Nov-2015


Bài 1: ASA BASICS

1. Introduction to the basic commands:
- The ASA can be configured in two ways: the CLI and ASDM.
- When the ASA has finished booting, the user-mode prompt is:
    ciscoasa>
  ciscoasa is the default hostname of the device.
- Type ? to see the keywords available at the current position in a command.
- To display information about the device, use show ? to list the show commands.
- To enter privileged mode, use enable. The default enable password is empty; set one before the device goes into service.
- To configure the device you must enter configuration mode (configure terminal, shown in the next section).
- Saving the configuration works as on a router.
- Setting the console and enable passwords works as on a router.
- The Tab key completes a partially typed command.
- Erase the saved configuration:
    ciscoasa# write erase

2. Configuring the interfaces:
- The ASA has a console port, Ethernet ports and a Management port. The Management port is a dedicated Ethernet interface for out-of-band management traffic (it gets an IP address and a nameif like any other interface); it is not a second console port.
- As on a router, the IP address, speed and duplex are set in interface configuration mode with the same commands:

    ciscoasa# configure terminal
    ciscoasa(config)# interface [ethernet0/1 | management0/0]
    ciscoasa(config-if)#

- Every interface that carries traffic must be given a logical name with nameif. That name, not the physical port name, is what access-lists, NAT and the telnet/ssh/http commands refer to, which also makes the configuration easier to read:
    ciscoasa(config-if)# nameif name
- The command to set the interface IP address is exactly the same as on a router.
- What the ASA adds over a router is the Security Level of each interface (sec-lvl for short), a value from 0 to 100 where 100 is the most trusted. nameif assigns level 0 by default (100 only if the name is exactly "inside"), so set it explicitly with security-level. By default, connections initiated from a higher-level interface towards a lower-level one are allowed, and connections in the opposite direction are denied unless an access-list permits them; traffic between two interfaces with the same level is denied unless same-security-traffic permit inter-interface is configured.
- When you create a sub-interface on the ASA, you must declare its VLAN with the vlan command, and the VLAN ID must match the VLAN configured on the switch port the ASA is plugged into (that switch port must be a trunk).

For example, with the following topology and configuration:

    ciscoasa>
    ciscoasa> enable
    Password:
    ciscoasa#
    ciscoasa# configure terminal
    ciscoasa(config)# hostname ASA1
    ASA1(config)# interface Management0/0
    ASA1(config-if)# nameif mgmt
    ASA1(config-if)# security-level 100
    ASA1(config-if)# ip address 192.168.1.11 255.255.255.0
    ASA1(config-if)# no shutdown
    ASA1(config-if)# interface Ethernet0/1
    ASA1(config-if)# no shutdown
    ASA1(config-if)# interface Ethernet0/1.1201
    ASA1(config-subif)# vlan 1201
    ASA1(config-subif)# nameif fw1
    ASA1(config-subif)# security-level 50
    ASA1(config-subif)# ip address 172.16.61.1 255.255.255.0
    ASA1(config-subif)# interface Ethernet0/1.1212
    ASA1(config-subif)# vlan 1212
    ASA1(config-subif)# description *** Welcome to the VnPro ***
    ASA1(config-subif)# nameif svcs
    ASA1(config-subif)# security-level 99
    ASA1(config-subif)# ip address 172.16.62.171 255.255.255.240
    ASA1(config-subif)# end
    ASA1#

Note that the physical interface Ethernet0/1 only needs no shutdown; the nameif, security-level and IP address go on each sub-interface.

- Review the whole configuration with show running-config.
- Check the interface names and IP addresses with show interface ip brief.
- Ping the neighbouring hosts to verify connectivity.
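The security-level rule above is easiest to reason about as a table of every interface pair. The following Python model is an added example, not code from the original document or from Cisco: it uses the three interfaces of the ASA1 lab configuration (mgmt 100, fw1 50, svcs 99), reproduces the nameif default (0, or 100 for "inside"), and answers which directions are open without an access-list. The class and function names are my own.

```python
"""Model of the ASA interface security-level rule described above.

Added example, not code from the original document or from Cisco. The
interface names and levels are the ones in the ASA1 lab configuration;
the class and function names are my own."""
from dataclasses import dataclass


@dataclass
class Interface:
    name: str            # value given with nameif
    security_level: int  # 0..100, 100 = most trusted


class SecurityPolicy:
    """Holds the nameif/security-level table of one ASA and answers
    whether a new connection is allowed by the implicit (no ACL) policy."""

    def __init__(self, same_security_inter_interface=False):
        # mirrors `same-security-traffic permit inter-interface`
        self.same_security_inter_interface = same_security_inter_interface
        self.interfaces = {}

    def nameif(self, name, security_level=None):
        """Register an interface. With no explicit level the ASA assigns 0,
        or 100 when the name is exactly "inside". Returns the level used."""
        if security_level is None:
            security_level = 100 if name == "inside" else 0
        if not 0 <= security_level <= 100:
            raise ValueError("security-level must be 0..100")
        self.interfaces[name] = Interface(name, security_level)
        return security_level

    def default_permits(self, src, dst):
        """True if a connection initiated on interface src towards interface
        dst is allowed without any access-list: higher level to lower only."""
        a = self.interfaces[src].security_level
        b = self.interfaces[dst].security_level
        if a > b:
            return True
        if a == b:
            return self.same_security_inter_interface
        return False

    def matrix(self):
        """Every ordered pair of distinct interfaces with its default verdict;
        read off which directions need an access-list."""
        names = sorted(self.interfaces)
        return {(s, d): self.default_permits(s, d)
                for s in names for d in names if s != d}


def lab_asa1():
    """The three interfaces configured on ASA1 above."""
    p = SecurityPolicy()
    p.nameif("mgmt", 100)
    p.nameif("fw1", 50)
    p.nameif("svcs", 99)
    return p


if __name__ == "__main__":
    asa = lab_asa1()
    for (s, d), ok in asa.matrix().items():
        print(f"{s:>5} -> {d:<5} {'permit' if ok else 'deny (needs access-list)'}")
```

Running it shows, for instance, that svcs (99) can open connections to fw1 (50) but fw1 cannot reach svcs or mgmt without an access-group applied inbound on fw1, and that an interface named dmz registered without a security-level lands at 0 and can reach nothing.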

- Another special feature: the physical ports of the ASA 5505 behave like switch ports. On these ports you can configure trunking, create VLANs and assign ports to VLANs. The nameif, security-level and IP address are then configured on the VLAN interface (interface vlan N), not on the physical port. Note that the Base license of the 5505 limits the number of VLAN interfaces you can configure.

For example, with the following topology:

    ciscoasa>
    ciscoasa> enable
    Password:
    ciscoasa#
    ciscoasa# configure terminal
    ciscoasa(config)# hostname ASA5505
    ASA5505(config)# interface Ethernet0/5
    ASA5505(config-if)# switchport access vlan 100
    ASA5505(config-if)# no shutdown
    ASA5505(config-if)# interface Ethernet0/3
    ASA5505(config-if)# switchport trunk allowed vlan 100,201
    ASA5505(config-if)# switchport mode trunk
    ASA5505(config-if)# no shutdown
    ASA5505(config-if)# interface vlan 100
    ASA5505(config-if)# description *** Management Interface ***
    ASA5505(config-if)# nameif mgmt
    ASA5505(config-if)# security-level 100
    ASA5505(config-if)# ip address 192.168.1.2 255.255.255.0
    ASA5505(config-if)# no shutdown
    ASA5505(config-if)# interface vlan 201
    ASA5505(config-if)# description *** DMZ Network ***
    ASA5505(config-if)# nameif dmz
    ASA5505(config-if)# security-level 50
    ASA5505(config-if)# ip address 172.16.201.2 255.255.255.0
    ASA5505(config-if)# no shutdown

(The original wrote switchport trunk allow vlan 100, 201; the keyword is allowed and the list takes no spaces.)

- Review the whole configuration with show running-config.
- Check which VLAN each port belongs to with show switch vlan.

3. Telnet:
- Lab requirement: the ASA accepts Telnet only from sources in 192.168.1.0/24, and logins use the username admin.
- Telnet authenticates against the LOCAL database; LOCAL is the keyword for the on-box user database on every ASA model.
- Configuration steps:
  Step 1: create the username and password
    ciscoasa(config)# username admin password tnpass privilege 15
  Step 2: enable Telnet authentication against the local database
    ciscoasa(config)# aaa authentication telnet console LOCAL
  The permitted source network must also be listed per interface with the telnet command (telnet network mask nameif; an example appears in Bài 2 below). Two caveats: the ASA refuses Telnet on its lowest-security-level interface, and Telnet carries the credentials in cleartext, so use SSH wherever you can. (The original wrote privileged 15; the keyword is privilege.)

4. SSH:
- Lab requirement: the ASA accepts SSH only from sources in 192.168.1.0/24, and logins use the username admin.
- SSH on the ASA follows the same idea as on a router (hostname, domain name, RSA key, version, restrict sources, authentication), but the ASA does not accept the IOS commands aaa new-model, ip domain-name, ip ssh version or line vty that the original listed. The ASA equivalents are:
  Step 1: create the username and password
    ciscoasa(config)# username admin password tnpass privilege 15
  Step 2: set the domain name used for the key
    ciscoasa(config)# domain-name tn
  Step 3: generate the RSA key pair (the original used a 1024-bit modulus; use 2048)
    ciscoasa(config)# crypto key generate rsa modulus 2048
  Step 4: allow only SSH version 2
    ciscoasa(config)# ssh version 2
  Step 5: permit the management network on the management interface
    ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 mgmt
  Step 6: authenticate SSH logins against the local database
    ciscoasa(config)# aaa authentication ssh console LOCAL
  Without step 6 the ASA falls back to a built-in default user and the device password rather than per-user accounts.

5. Allowing the ASA to be configured with ASDM:
- Lab requirement: the ASA accepts ASDM connections only from sources in 192.168.1.0/24, and logins use the username admin.
- The ASDM image must be present on the flash file system.
- Configuration steps:
  Step 1: create the username and password
    ciscoasa(config)# username admin password tnpass privilege 15
  Step 2: define the addresses allowed to connect and authenticate them against the ASA's local database
    ciscoasa(config)# http 192.168.1.0 255.255.255.0 mgmt
    ciscoasa(config)# aaa authentication http console LOCAL
  Step 3: enable the HTTPS server
    ciscoasa(config)# http server enable
  Step 4: point the ASA at the ASDM image on flash
    ciscoasa(config)# asdm image disk0:/asdm-621.bin

6. License management:
- Show the ASA's license:
    ciscoasa# show version
- Change the license:
    ciscoasa(config)# activation-key key-id
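The Telnet, SSH and ASDM steps above all come down to a handful of lines in the running configuration, and the usual mistakes (Telnet left enabled, ssh or http permitted from 0.0.0.0, SSH version 1, a service enabled without its aaa authentication line, management on a security-level 0 interface) are easy to check mechanically. The following audit script is an added example, not code from the original document or from Cisco. Both configurations in it are constructed for illustration (lab addresses from above plus 203.0.113.0/29 as a placeholder outside network); the finding codes and function names are my own.

```python
"""Audit the management-plane lines of an ASA running-config for the mistakes
the Telnet/SSH/ASDM steps above are meant to avoid.

Added example, not code from the original document or from Cisco. Both
configurations below are constructed (lab addresses from the page plus a
placeholder outside network); finding codes and function names are my own."""
import ipaddress
import re

# weak variant: telnet left on, ssh/ASDM reachable from anywhere, ssh v1, no aaa for ssh
WEAK_CONFIG = """\
hostname ASA1
username admin password tnpass privilege 15
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 192.168.1.11 255.255.255.0
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
telnet 192.168.1.0 255.255.255.0 mgmt
ssh 192.168.1.0 255.255.255.0 mgmt
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
http server enable
http 0.0.0.0 0.0.0.0 mgmt
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
"""

# corrected variant: SSHv2 and ASDM only from the management subnet, local auth for both
HARDENED_CONFIG = """\
hostname ASA1
username admin password tnpass privilege 15
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 192.168.1.11 255.255.255.0
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
ssh 192.168.1.0 255.255.255.0 mgmt
ssh version 2
http server enable
http 192.168.1.0 255.255.255.0 mgmt
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
"""

ACCESS_RE = re.compile(
    r"^(telnet|ssh|http)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")
AAA_RE = re.compile(r"^aaa authentication (telnet|ssh|http) console\b")


def parse_asa_config(text):
    """Return (levels, access, aaa, ssh_version): nameif -> security-level,
    management access entries (proto, source network, nameif), the set of
    protocols that have an aaa authentication line, and the ssh version."""
    levels, access, aaa, ssh_version = {}, [], set(), None
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith("interface "):
            cur = {"name": None, "level": None}
            continue
        if raw.startswith(" ") and cur is not None:  # interface sub-command
            if line.startswith("nameif "):
                cur["name"] = line.split()[1]
            elif line.startswith("security-level "):
                cur["level"] = int(line.split()[1])
            if cur["name"]:
                default = 100 if cur["name"] == "inside" else 0  # ASA nameif default
                levels[cur["name"]] = default if cur["level"] is None else cur["level"]
            continue
        cur = None
        m = ACCESS_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            access.append((m.group(1), net, m.group(4)))
            continue
        m = AAA_RE.match(line)
        if m:
            aaa.add(m.group(1))
        elif line.startswith("ssh version "):
            ssh_version = int(line.split()[2])
    return levels, access, aaa, ssh_version


def audit(text):
    """Return a list of (code, detail) findings; an empty list means nothing flagged."""
    levels, access, aaa, ssh_version = parse_asa_config(text)
    findings, protos = [], set()
    for proto, net, ifname in access:
        protos.add(proto)
        if proto == "telnet":
            findings.append(("TELNET", f"telnet from {net} on {ifname}: cleartext, replace with ssh"))
        if net.prefixlen == 0:
            findings.append(("OPEN_SOURCE", f"{proto} reachable from any source on {ifname}"))
        if levels.get(ifname, 0) == 0:
            findings.append(("LOW_SEC_IF", f"{proto} management on {ifname}, a security-level 0 interface"))
    for proto in sorted(protos):
        if proto not in aaa:
            findings.append(("NO_AAA", f"{proto} enabled without 'aaa authentication {proto} console': "
                                       "logins fall back to the device password, not per-user accounts"))
    if "ssh" in protos and ssh_version != 2:
        findings.append(("SSH_V1", "ssh version 2 not enforced"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Feed it the output of show running-config; the weak configuration yields six findings and the hardened one none. The parser only understands the few command families this section covers, which is deliberate: it is a check for these steps, not a general ASA config linter.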

Bài 2: Basic Cisco ASA Configuration

Configuration modes (the original says Cisco IOS; the ASA runs its own software but uses the same prompt conventions):
    ciscoasa>                 User mode
    ciscoasa#                 Privileged mode (Enable mode)
    ciscoasa(config)#         Global configuration mode
    ciscoasa(config-if)#      Interface configuration mode
    ciscoasa(config-subif)#   Sub-interface configuration mode
    ciscoasa(config-line)#    Line configuration mode

Command                                              Description
ciscoasa> enable  (or ena)                           Go from user mode to privileged mode.
ciscoasa# configure terminal  (or conf t)            Enter configuration mode.
ciscoasa# show running-config  (or show run)         Display the configuration running in RAM.
ciscoasa# show startup-config                        Display the saved startup configuration.
ciscoasa# copy running-config startup-config         Save the running configuration (running-config) as the startup configuration.
  (or write, or wr)
ciscoasa# show ?                                     List all show commands that can be run.
ciscoasa# show clock                                 Display the configured time.
ciscoasa# show version                               Display information about the software version and hardware.
ciscoasa# show flash                                 Display information about flash memory.
ciscoasa(config)# hostname name                      Set the device name.
ciscoasa(config)# enable password password           Set the enable password; it is stored hashed.
ciscoasa(config)# banner motd # message #            Display a message when a user connects to the device.
ciscoasa(config-if)# description message             Set a description on the interface.
ciscoasa(config-if)# nameif name                     Assign the logical name to the interface.
ciscoasa# show interface ip brief                    Summary of all interfaces: state (up, down, administratively down), IP address, interface name.
ciscoasa# show interface {interface_number}          Detailed interface information (MAC address, speed, bandwidth, etc.).
ciscoasa# show route                                 Display the ASA's routing table.
ciscoasa# write erase                                Erase the saved configuration. (The original listed the IOS command erase startup-config; on the ASA, erase wipes a whole flash file system, including the OS and ASDM images, so use write erase.)
ciscoasa# reload                                     Restart the device.

Notes:
- show commands can be run from any mode.
- A command you just entered can be undone by prefixing it with no.
- The ? key suggests the next keyword of a command.
- Some shortcuts worth remembering:
  + Go to the beginning of the line: Ctrl-A
  + Go to the end of the line: Ctrl-E
  + Delete from the cursor to the beginning of the line: Ctrl-X
  + Delete one word: Ctrl-W
  + Recall the previous command from the history buffer (same as the up arrow): Ctrl-P
  + Move forward to the next command in the history (same as the down arrow): Ctrl-N

Some basic configurations for a Cisco firewall:

Basic configuration:
Set the privileged-mode password:
    enable password password
Create a username and password with access rights:
    asa5520(config)# username admin password admin privilege 15
Set the firewall name and banner:
    pixfirewall(config)# hostname CorpFW1
    pixfirewall(config)# banner exec Unauthorized access will be prosecuted
Return to the initial default configuration:
    configure factory-default
or:
    hostname(config)# clear configure all

Telnet configuration:
Configure the interface:
    asa5520# config t
    asa5520(config)# int gi0/3
    asa5520(config-if)# no sh
    asa5520(config-if)# nameif LAN2
    INFO: Security level for "LAN2" set to 0 by default.
    asa5520(config-if)# security-level 100
    asa5520(config-if)# ip address 192.168.2.1 255.255.255.0
Configure Telnet (the login password and the permitted source network per interface):
    asa5520(config)# password cisco
    asa5520(config)# telnet 10.7.0.0 255.255.255.0 inside
The last argument must be an existing nameif; with the interface named LAN2 above, the command would end in LAN2 rather than inside. Telnet is cleartext; prefer SSH as shown in Bài 1.

ASDM configuration:
Create the admin user:
    asa5520(config)# username admin password admin privilege 15
Configure the management address:
    asa5520# config t
    asa5520(config)# int gi0/3
    asa5520(config-if)# ip address 192.168.2.1 255.255.255.0
Enable the HTTPS server:
    pixfirewall(config)# http server enable
Define the management station addresses allowed to connect:
    pixfirewall(config)# http 192.168.1.1 255.255.255.0 inside
(As written, the mask makes this permit the whole 192.168.1.0/24; for a single station use mask 255.255.255.255.)

Check the contents of flash:
    Firewall# dir flash:/
Check connectivity to the TFTP server:
    Firewall# ping 192.168.254.2
Declare the TFTP server:
    Firewall(config)# tftp-server outside 192.168.254.2
Copy the image from TFTP:
    Firewall# copy tftp://192.168.254.2/newimage.bin flash:image
After upgrading to a new version, the activation key may need to be re-entered:
    hostname(config)# activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e
Check the license:
    show activation-key detail

Password recovery (the original calls this "Crack PassWord"; it is Cisco's documented ROMMON procedure and needs console access, so keep physical access to the console controlled, and note that no service password-recovery disables it at the cost of losing the configuration on recovery):
Enter ROMMON and change the configuration register:
    rommon #0> confreg
    Current Configuration Register: 0x00000001
    Configuration Summary:
      boot default image from Flash
    Do you wish to change this configuration? y/n [n]: y
    enable boot to ROMMON prompt? y/n [n]:
    enable TFTP netboot? y/n [n]:
    enable Flash boot? y/n [n]:
    select specific Flash image index? y/n [n]:
    disable system configuration? y/n [n]: y
    go to ROMMON prompt if netboot fails? y/n [n]:
    enable passing NVRAM file specs in auto-boot mode? y/n [n]:
    disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:
    Current Configuration Register: 0x00000040
Reboot; the ASA comes up with an empty configuration and empty passwords. Load the saved configuration into running-config and set new passwords:
    ciscoasa# copy startup-config running-config
    Firewall# configure terminal
    Firewall(config)# password password
    Firewall(config)# enable password enablepass
Restore the configuration register to its default value:
    Firewall(config)# config-register 0x00000001
Save the configuration and reboot the ASA:
    Firewall# copy running-config startup-config

Example configuration:
    Real address of the Web server 192.168.1.4;  Internet address 10.1.1.3
    Real address of the Mail server 192.168.1.15; Internet address 10.1.1.4
    Real address of the FTP server 192.168.1.10;  Internet address 10.1.1.5
Interface configuration:
    interface Ethernet0
     nameif outside
     security-level 0
     ip address 10.1.1.2 255.255.255.0
    !
    interface Ethernet1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
Create an access-list that lets pings from the inside get their replies back and exposes the three servers, and apply it inbound on outside:
    access-list 100 extended permit icmp any any echo-reply
    access-list 100 extended permit icmp any any time-exceeded
    access-list 100 extended permit icmp any any unreachable
    access-list 100 extended permit tcp any host 10.1.1.3 eq www
    access-list 100 extended permit tcp any host 10.1.1.4 eq smtp
    access-list 100 extended permit tcp any host 10.1.1.5 eq ftp
    access-group 100 in interface outside
Everything not listed is dropped by the implicit deny at the end of the list. Note that the destinations are the translated (Internet) addresses: this is the pre-8.3 convention. From ASA 8.3 onward, access-lists reference the real (untranslated) addresses and the global/nat/static commands below are replaced by object NAT.

NAT for outbound traffic:
Create the NAT pool for outbound connections (dynamic NAT with a PAT fallback address):
    global (outside) 1 10.1.1.15-10.1.1.253
    global (outside) 1 10.1.1.254
    nat (inside) 1 0.0.0.0 0.0.0.0
Static NAT for the servers:
    static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255
    static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255
    static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255
Default route to the outside:
    route outside 0.0.0.0 0.0.0.0 10.1.1.1 1

PPPoE configuration for a fiber (FTTH) Internet connection:
    vpdn group VietVuong request dialout pppoe
    vpdn group VietVuong localname FTTH_vietvuong_vcpto
    vpdn group VietVuong ppp authentication pap
    vpdn username FTTH_vietvuong_vcpto password hanoi123
VLAN interface configuration on the ASA 5505:
    interface Vlan10
     nameif outside
     security-level 0
     pppoe client vpdn group VietVuong
     ip address pppoe setroute
     no shut
Assign the port to the VLAN:
    interface Ethernet0/0
     description Internet connection to VNPT ISP
     switchport access vlan 10
     no shut
On the 5510/5520 the PPPoE client goes directly on the physical port instead (the original wrote "Gigabit Ethernet 0"; the interface name takes no spaces, e.g. Ethernet0/0 on a 5510 or GigabitEthernet0/0 on a 5520):
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     pppoe client vpdn group VietVuong
     ip address pppoe setroute
     no shut
Banner configuration (the string means "Access only with authorization from xxxxxxx"):
    banner exec Chi duoc truy cap khi co cap phep cua xxxxxxx
    banner login Chi duoc truy cap khi co cap phep cua xxxxxx
    banner asdm Chi duoc truy cap khi co cap phep cua xxxxxx
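To see what the access-list in the example above actually lets through the outside interface, the following evaluator walks access-list 100 in configured order against sample packets and applies the implicit deny when nothing matches. It is an added example, not code from the original document or from Cisco: the ACL text is the page's own, while the packets, the port and ICMP keyword tables and all function names are mine. As on the page (pre-8.3 syntax), the ACL destinations are the static translated addresses.

```python
"""Evaluate the inbound access-list from the configuration above against sample
packets, including the implicit deny at the end of every ASA access-list.

Added example, not code from the original document or from Cisco. ACL_TEXT is
the page's access-list 100; the packets, keyword tables and function names are
mine. Pre-8.3 semantics: destinations are the translated (static) addresses."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACL_TEXT = """\
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit tcp any host 10.1.1.3 eq www
access-list 100 extended permit tcp any host 10.1.1.4 eq smtp
access-list 100 extended permit tcp any host 10.1.1.5 eq ftp
"""

# subset of the keyword tables the ASA accepts in place of numbers
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21, "ssh": 22, "domain": 53}
ICMP_NAMES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None       # tcp/udp destination port from "eq"
    icmp_type: Optional[int] = None  # icmp type, if given


def _addr(tok, i):
    """Parse any | host A | A MASK starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Collect the extended ACEs of access-list <name> in configured order."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = tok[3], tok[4]
        src, i = _addr(tok, 5)
        dst, i = _addr(tok, i)
        port = icmp_type = None
        if i < len(tok):
            if proto in ("tcp", "udp") and tok[i] == "eq":
                port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            elif proto == "icmp":
                icmp_type = ICMP_NAMES[tok[i]] if tok[i] in ICMP_NAMES else int(tok[i])
        aces.append(Ace(action, proto, src, dst, port, icmp_type))
    return aces


def evaluate(aces, proto, src, dst, port=None, icmp_type=None):
    """First-match evaluation; returns (action, 1-based ACE number), or
    ("deny", None) when the implicit deny at the end of the list applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.port is not None and ace.port != port:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT, "100")
    # 198.51.100.7 is a constructed Internet client address
    print(evaluate(acl, "tcp", "198.51.100.7", "10.1.1.3", port=80))        # web server: permit, ACE 4
    print(evaluate(acl, "tcp", "198.51.100.7", "10.1.1.3", port=22))        # ssh to it: implicit deny
    print(evaluate(acl, "icmp", "198.51.100.7", "10.1.1.2", icmp_type=0))   # echo-reply: permit, ACE 1
    print(evaluate(acl, "icmp", "198.51.100.7", "10.1.1.2", icmp_type=8))   # inbound echo: implicit deny
```

The evaluator makes two properties of the configuration visible: only port 80, 25 and 21 reach their respective servers, and inbound echo requests are dropped while the reply, time-exceeded and unreachable types that inside pings and traceroutes depend on are allowed in (on a real ASA, inspect icmp would handle those replies statefully without opening them to any source).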