
Configuring the Cisco PIX/ASA


Summary

- administrator access to the graphical user interface (GUI), the Adaptive Security Device Manager (ASDM) (known as the PIX Device Manager [PDM] in software versions prior to 7.0).
- To initially configure a PIX out of the box, connect a serial connector to the console port of the PIX (which is typically outlined in light blue).
- Assign IP addresses to the firewall interfaces.
- Configure the firewall name, domain name, and passwords.
- Configure the firewall routing settings.
- Configure the firewall for remote management access.
- Configure logging on the firewall.
- Assigning IP Addresses to the Firewall Interfaces.
- To communicate on the network, the firewall needs to have IP addresses assigned to the firewall interfaces.
- The process of doing this changed between PIX/ASA version 6.x and 7.x, but the fundamental steps are the same: enable the interface, configure the interface itself, and assign an IP address to the interface.
- To assign IP addresses to the PIX interfaces, the administrator must enter configuration mode.
- The next step to configuring the interface is to assign a name and security level to the interface.
- For example, this allows you to use inside to refer to the Ethernet1 interface.
- The firewall supports static IP addresses on all interfaces and can also be configured to use DHCP or PPPoE-assigned addresses on the outside interface only.
- Assigning IP Addresses in PIX/ASA 7.x.
- The setroute option configures the firewall to use the default route supplied by the DHCP server as its own default route.
- You need to do this any time you have finished running commands and are ready for the firewall configuration to be made permanent.
- Configuring the Firewall Name, Domain Name, and Passwords.
- Now that the firewall has been assigned IP addresses and the interfaces are functioning properly, the next step is to configure some basic values such as the firewall host name, domain name, and passwords.
- configurations are the same for all versions of the PIX/ASA software.
- At this point, the firewall is able to authenticate administrative access and remote.
- Configuring the Firewall Routing Settings.
- With IP connectivity established, the next step is to configure routing for the firewall.
- The firewall supports both static routes and dynamic routing using Open Shortest Path First (OSPF).
- The value 1 at the end of the route command specifies the metric to the next hop and is optional.
- In general, the default route points to the firewall's next-hop router toward the Internet, for example the Internet service provider's router.
- Configuring the Firewall for Remote Management Access.
- Both Telnet and SSH provide CLI access to the firewall, whereas the ASDM/PDM provides an HTTPS-based GUI management console.
- Telnet remote management is the simplest, yet least secure, method of remotely managing the firewall.
- This makes it easy for a malicious user to capture the data and learn things like the usernames and passwords required to gain access to the firewall.
- Telnet to the outside interface if it is protected by IPsec).
- For example, in the preceding command, only the host with IP address is allowed to connect to the firewall.
- Because of the general insecurity of Telnet, and because SSH provides the same functionality, use SSH instead of Telnet.
- Assign a host and domain name to the firewall.
- Configure the firewall to allow SSH access.
- The procedure for assigning the host and domain name for the firewall was covered previously in this chapter.
- For the PIX/ASA 7.x software, generating the RSA keys requires the following command:
- You can specify a modulus size of the default size), or 2048.
- Unlike previous software versions, the RSA keys are saved when you save the firewall configuration (for example, by running the command copy running-config startup-config).
- After the RSA keys have been generated, the step to actually permit SSH access to the firewall is the same for all software versions and is similar to how Telnet access is permitted.
- Unlike Telnet, SSH can also be configured for remote access on the outside interface.
- In general, SSHv2 is considered more secure, and the firewall can be restricted to supporting only SSHv2 by running the ssh version 2 command.
- In addition to the CLI management methods, PIX/ASA firewalls support a GUI for.
- The ASDM/PDM is a web-based management interface that relies on a small web server running on the firewall and Java plug-ins on the client computer.
- First, you must ensure that you have downloaded and installed the ASDM/PDM software on the firewall (by default, it is included with the firewall).
- Second, you need to enable the HTTP server on the firewall by running the http server enable command.
- Historically, access to the ASDM/PDM is performed by connecting to the web server using a web browser such as Microsoft Internet Explorer.
- Just enter the IP address or host name of the firewall and the appropriate username and password.
- If you do not use any form of AAA, leave the username blank and enter the enable password to connect to the firewall.
- configuration of the firewall and display the General Device Information screen, as shown in Figure 6-3.
- The ASDM is an intuitive GUI that you can use to configure the firewall in lieu of the CLI.
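As an added example that is not code from the chapter, the following Python script audits a constructed running-config excerpt for the remote-management points made above: Telnet access enabled, SSH or HTTP (ASDM) access open to any host on an interface, and ssh version 2 not set. The telnet/ssh/http ip mask interface statement syntax follows the chapter; the configuration contents and host addresses are constructed, and the weak excerpt is shown beside a hardened one.

```python
import re

# Constructed sample running-config excerpts (not from a real device). WEAK_CONFIG contains the
# management settings the chapter warns about; HARDENED_CONFIG is the corrected form.
WEAK_CONFIG = """\
hostname fw01
domain-name example.com
telnet 10.21.67.50 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.21.67.0 255.255.255.0 inside
http server enable
http 0.0.0.0 0.0.0.0 outside
"""

HARDENED_CONFIG = """\
hostname fw01
domain-name example.com
ssh 10.21.67.0 255.255.255.0 inside
ssh 203.0.113.50 255.255.255.255 outside
ssh version 2
http server enable
http 10.21.67.0 255.255.255.0 inside
"""

# telnet/ssh/http <ip> <mask> <interface>: the statements that grant management access
MGMT_RE = re.compile(r"^(telnet|ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

def audit_management_access(config):
    """Return findings about remote-management access, following the chapter's advice:
    prefer SSH over Telnet, require SSHv2, and keep the permitted source ranges narrow."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    ssh_access = False
    for line in lines:
        m = MGMT_RE.match(line)
        if not m:
            continue
        proto, ip, mask, iface = m.groups()
        if proto == "telnet":
            findings.append(f"telnet from {ip} {mask} on {iface}: cleartext credentials, use ssh instead")
        if proto == "ssh":
            ssh_access = True
        if ip == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(f"{proto} open to any host on {iface}: restrict to management hosts")
    if ssh_access and "ssh version 2" not in lines:
        findings.append("ssh version 2 not set: SSHv1 is still accepted")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_management_access(cfg) or ["no findings"])
```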
- In most situations, to provide for this outbound traffic functionality you need to configure NAT because the firewall will typically be hiding the internal network IP addresses from the external network resources using NAT.
- The firewall keeps track of which communication sessions belong to each internal host, which allows it to perform the required translations.
- The syntax of the command is this:
- A notable exception to this is the nat 0 access-list acl-name command, which configures the firewall to not use NAT for any addresses that match the corresponding ACL.
- If you specify a single address rather than a range of addresses, the firewall automatically performs PAT instead of NAT.
- When all the IP addresses are being used by NAT, the firewall will automatically switch to using PAT (assuming that a PAT statement has been configured) to allow more addresses out.
- Alternatively, if the only IP address you have is the one assigned to the interface, you can simplify the global command as follows:
- Configuring NAT for PIX/ASA 7.x.
- A major difference between the PIX/ASA 7.x software and previous versions is that by default the firewall does not require NAT and will allow outbound access with no additional configuration required.
- Of course, if your environment requires NAT (as most Internet-connected firewalls do), you must execute the appropriate NAT configuration commands on the firewall.
- When NAT control is disabled (the default), the firewall allows communications with outside hosts without the configuration of a NAT rule.
- Controlling traffic is the cornerstone of all firewalls, and the PIX/ASA controls the flow of traffic through the firewall by implementing ACLs.
- For example, you might build one ACL to control traffic coming from the Internet to a DMZ segment and then build another ACL with different ACEs to control traffic coming from the DMZ to the internal network.
- default (Optional) Sets logging to the default method, which is to send system log message 106023 for each denied packet.
- If you do not specify a line number, the ACE is added to the end of the ACL.
- In the case of applying application inspection to a class map (the class-map and inspect commands), this keyword applies inspection to the packet.
- (Optional) Schedules each ACE to be activated at specific times of the day and week by applying a time range to the ACE.
- port 80 (HTTP) from any source to the destination 10.21.67.2.
- You can view the ACL to see that both lines have been added to the same ACL by.
- The hitcnt value displays whether any packets have matched the ACE, which can assist in troubleshooting connectivity through the firewall.
- After the ACL has been defined, the firewall still is not using the ACL.
- So, for example, if you wanted to apply an ACL to traffic coming from the Internet to a DMZ segment, you would apply the ACL to the outside interface of the firewall, thus allowing it to filter traffic entering the firewall on the outside interface.
- To build an egress filter (for example, to filter traffic from the inside network to the outside network), you would apply the appropriate ACL to the inside interface.
- Regardless of which software the firewall is running, ACLs are applied to an interface by running the access-group command.
- For example, if you want to apply the ACL that was previously defined (ACL out_in_01) to the outside interface on the firewall, you run the following command:
- Configuring Logging on the Firewall.
- One of the most valuable capabilities of any firewall is the ability to log events so that the administrator can be informed of and aware of what is going on with the firewall.
- Cisco PIX/ASA firewalls use syslog for the logging of all events on the firewall (syslog and logging in general are discussed in much greater detail in Chapter 12, "What Is My Firewall Telling Me?").
- ASDM (PIX/ASA 7.x only).
- Regardless of the logging method implemented, it is important to ensure that the firewall.
- Console, monitor, and ASDM logging all function in a similar manner in that they are all designed to output the logging results to the management interface (the CLI in the case of console and monitor logging, or the ASDM GUI in the case of ASDM logging).
- Before you can enable any particular method of logging, the first step is to enable logging in general on the firewall by running the command logging on from the global configuration mode of execution.
- This command causes the firewall to display all log messages to the console session of the firewall.
- If you are using Telnet or SSH to connect to the firewall and you want to have the log messages display in the Telnet or SSH session, run the logging monitor [logging-list | level] command.
- This causes the firewall to log all messages to Telnet or SSH sessions, but they will not actually be displayed to the active Telnet or SSH session until you also run the command terminal monitor.
- The terminal monitor command enables the display of syslog messages in the current Telnet or SSH session.
- You can stop the display of syslog messages, while still having the firewall perform monitor logging, by running the command terminal no monitor.
- These commands are the same for all versions of the PIX/ASA software.
- Debug logging can cause events to be lost from the logging buffer because of the volume of data and, in extreme circumstances, can degrade the performance of the firewall because of the number of logging messages.
- In some cases, the only way to recover from logging debug messages is to reboot the firewall.
- To use the ASDM, you need to launch the ASDM and log in to the firewall.
- The last step is to save the configuration changes to the firewall to cause the firewall to use the updated configuration.
- If you return to the home screen (by clicking the Home button in the taskbar), you will now see the syslog messages being displayed in the ASDM interface in the Latest ASDM Syslog Messages group box, as shown in Figure 6-6.
- Although logging to the console, monitor or ASDM can be handy for troubleshooting problems and viewing log messages while logged in to the firewall, if you need to store logs for long-term archive or auditing purposes, you need to configure the firewall to transmit the syslog messages to a remote syslog server.
- Then, you need to define which syslog server the firewall should transmit the syslog messages to by running the logging host interface-name syslog-ip [tcp/port | udp/port] command.
- At a minimum, you need to define the interface that the syslog server is connected to (typically the inside interface) and the IP address of the syslog server.
- For example, if you want to transmit syslog messages to the syslog server running on and you want to transmit logging levels errors or above, you run the following commands:
- At this point, the firewall will transmit the syslog messages to the syslog server (in this case, using the default port UDP 514).
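The per-denied-packet message 106023 that an ACL emits (the log default behaviour described in the ACL section) is what the remote syslog server ends up archiving. As an added example that is not part of the chapter, this Python script parses constructed lines in the documented %ASA-4-106023 format (a non-ACL message is mixed in and ignored) and summarizes denies per source and ACL, the first view a practitioner wants when auditing what the ingress filter out_in_01 is rejecting; the addresses and the triage threshold are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the PIX/ASA 106023 format (not captured from a real device).
SAMPLE_LOGS = """\
%ASA-4-106023: Deny tcp src outside:192.0.2.10/44321 dst inside:10.21.67.2/23 by access-group "out_in_01" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:192.0.2.10/44322 dst inside:10.21.67.2/22 by access-group "out_in_01" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.7/5353 dst dmz:10.21.67.9/161 by access-group "out_in_01" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 1187 for outside:192.0.2.10/44323 (192.0.2.10/44323) to inside:10.21.67.2/80 (10.21.67.2/80)
%ASA-4-106023: Deny tcp src outside:192.0.2.10/44324 dst inside:10.21.67.2/3389 by access-group "out_in_01" [0x0, 0x0]
"""

# Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r'%(?:ASA|PIX)-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_denies(text):
    """Return one dict per 106023 message; other syslog IDs are ignored."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["src_port"], d["dst_port"] = int(d["src_port"]), int(d["dst_port"])
            events.append(d)
    return events

def denies_by_source(events):
    """Count denied packets per (source IP, ACL name)."""
    return Counter((e["src_ip"], e["acl"]) for e in events)

def distinct_ports_per_source(events, threshold=3):
    """Sources denied on at least `threshold` distinct destination ports (constructed threshold):
    one host hitting many closed ports is the pattern worth triaging first."""
    ports = {}
    for e in events:
        ports.setdefault(e["src_ip"], set()).add(e["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= threshold}

if __name__ == "__main__":
    ev = parse_denies(SAMPLE_LOGS)
    print(denies_by_source(ev))
    print(distinct_ports_per_source(ev))
```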
