2. Cisco Firewall Configuration (.ppt)

Uploader: hyn****60   Document ID: 70685429   Uploaded: 2023-01-24   Format: PPT   Pages: 67   Size: 2.67MB
Configuring the PIX Firewall

PIX contents:
- PIX basic components
- PIX basic configuration methods
- PIX command modes
- PIX file management
- PIX common configuration commands
- PIX typical case

1. Cisco firewall components

Hardware: CPU, ROM, Flash, RAM, interfaces. Security zones: inside, outside, DMZ.

Basic responsibilities of the firewall:
- Do not allow outside devices to access the inside network.
- Allow outside devices limited access to the DMZ.
- Allow inside devices to access the outside network.
- Allow inside devices limited access to the DMZ.
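
The rest of the deck implements these four responsibilities with security levels (nameif), a nat/global pair for outbound traffic and a static/conduit pair for inbound traffic. The Python model below is an added example, not Cisco code and not part of the deck: it loads the commands from the deck's typical case (inside 10.1.1.0/24 at security level 100, outside 202.16.1.0/28 at level 0) and reports whether a new connection between two interfaces would be accepted and how its address would be translated. It assumes, beyond what the slides state, that a global range is handed out one address per inside host and that a single global address is used for PAT once the range is exhausted; the method names and verdict strings are mine.

```python
import ipaddress

class Pix:
    """Toy model of the PIX policy the deck describes; added example, not Cisco code."""

    def __init__(self):
        self.levels = {}    # interface name -> security level (nameif)
        self.nats = []      # (interface, nat id, network) from `nat`
        self.pools = {}     # (interface, nat id) -> free dynamic-pool addresses from a `global` range
        self.pat = {}       # (interface, nat id) -> single `global` address used for PAT (assumption)
        self.statics = {}   # (high interface, low interface, global ip) -> local ip from `static`
        self.conduits = set()  # (proto, global ip, port) from `conduit permit ... eq port any`
        self.xlate = {}     # (interface, nat id, local ip) -> global ip currently assigned

    # --- the deck's configuration commands, one method each ---
    def nameif(self, ifname, level):
        self.levels[ifname] = level

    def nat(self, ifname, nat_id, network="0.0.0.0/0"):     # `nat (inside) 1 0 0` -> network 0.0.0.0/0
        self.nats.append((ifname, nat_id, ipaddress.ip_network(network)))

    def global_(self, ifname, nat_id, first, last=None):
        a, b = ipaddress.ip_address(first), ipaddress.ip_address(last or first)
        if a == b:                      # a single address: PAT once the pool is exhausted
            self.pat[(ifname, nat_id)] = a
        else:                           # a range: dynamic one-to-one pool
            self.pools.setdefault((ifname, nat_id), []).extend(
                ipaddress.ip_address(n) for n in range(int(a), int(b) + 1))

    def static(self, high_if, low_if, global_ip, local_ip):
        self.statics[(high_if, low_if, ipaddress.ip_address(global_ip))] = ipaddress.ip_address(local_ip)

    def conduit(self, proto, global_ip, port):
        self.conduits.add((proto, ipaddress.ip_address(global_ip), port))

    # --- policy evaluation ---
    def evaluate(self, src_if, src_ip, dst_if, dst_ip, proto="tcp", dport=80):
        """Return (verdict, detail) for a new connection from src_if to dst_if."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        s, d = self.levels[src_if], self.levels[dst_if]
        if s == d:
            return "deny", "interfaces share a security level; no connection"
        if s > d:                       # outbound: allowed by default, but needs nat/global
            return self._outbound(src_if, src, dst_if)
        return self._inbound(src_if, src, dst_if, dst, proto, dport)   # inbound: denied by default

    def _outbound(self, src_if, src, dst_if):
        for ifname, nat_id, net in self.nats:
            if ifname != src_if or src not in net:
                continue
            if nat_id == 0:
                return "permit", f"nat 0: forwarded without translation as {src}"
            key, xk = (dst_if, nat_id), (dst_if, nat_id, src)
            if xk not in self.xlate and self.pools.get(key):
                self.xlate[xk] = self.pools[key].pop(0)
            if xk in self.xlate:
                return "permit", f"dynamic NAT {src} -> {self.xlate[xk]}"
            if key in self.pat:
                return "permit", f"PAT {src} -> {self.pat[key]}"
            return "deny", f"nat id {nat_id} has no matching global on {dst_if}"
        return "deny", f"no nat statement on {src_if} covers {src}"

    def _inbound(self, src_if, src, dst_if, dst, proto, dport):
        local = self.statics.get((dst_if, src_if, dst))
        if local is None:
            return "deny", f"no static maps {dst} onto {dst_if}"
        if (proto, dst, dport) not in self.conduits:
            return "deny", f"static exists but no conduit permits {proto}/{dport} to {dst}"
        return "permit", f"static {dst} -> {local}; conduit permits {proto}/{dport} from {src}"


def typical_case():
    """The deck's 'typical case' (inside 10.1.1.0/24, outside 202.16.1.0/28) loaded into the model."""
    p = Pix()
    p.nameif("outside", 0)                                  # nameif e0 outside security0
    p.nameif("inside", 100)                                 # nameif e1 inside security100
    p.nat("inside", 1)                                      # nat (inside) 1 0 0
    p.global_("outside", 1, "202.16.1.3", "202.16.1.7")     # global (outside) 1 202.16.1.3-202.16.1.7
    p.global_("outside", 1, "202.16.1.8")                   # global (outside) 1 202.16.1.8
    p.static("inside", "outside", "202.16.1.14", "10.1.1.250")  # static (inside,outside) 202.16.1.14 10.1.1.250
    p.conduit("tcp", "202.16.1.14", 80)                     # conduit permit tcp host 202.16.1.14 eq www any
    return p


if __name__ == "__main__":
    pix = typical_case()
    for host in range(10, 17):      # seven inside hosts: five get pool addresses, the rest share the PAT address
        print(pix.evaluate("inside", f"10.1.1.{host}", "outside", "198.51.100.7"))  # 198.51.100.7: constructed peer
    print(pix.evaluate("outside", "198.51.100.7", "inside", "202.16.1.14", "tcp", 80))
    print(pix.evaluate("outside", "198.51.100.7", "inside", "202.16.1.14", "tcp", 22))
```

Running it prints one line per inside host (.10 to .14 receive 202.16.1.3 to 202.16.1.7, .15 and .16 share 202.16.1.8), then a permitted web connection to the published address and a connection to port 22 on the same address that is denied because no conduit covers that port. Interfaces with equal security levels get a deny before any translation is considered, which is the rule Lab 2 states.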

2. PIX basic configuration methods

- Console
- Telnet
- SSH
- VPN

Remote users (on the outside) can only configure the PIX through SSH or VPN. The PIX supports SNMP, but SNMP can only be used to monitor the PIX, not to configure it.

3. PIX command modes

- Unprivileged mode: pixfirewall>
- Privileged mode: pixfirewall#
- Configuration mode: pixfirewall(config)#
- Monitor mode: monitor> (used for PIX OS upgrades and password recovery)

4. PIX file management

    write memory      save the configuration to flash
    config memory     load the configuration from flash into memory
    write net         save the configuration to a TFTP server
    config net        load the configuration from a TFTP server into memory
    copy tftp flash:
    write erase       delete the configuration file

5. PIX common configuration commands: nameif

Six commands form the basis of a PIX configuration: nameif, interface, ip address, nat, global and route.

nameif assigns a name to each PIX interface and sets its security level. The inside and outside interfaces are the exception: their names are defaults, ethernet0 being named outside with security level 0 and ethernet1 being named inside with security level 100.

Example: name interface e2 "dmz" and give it security level 50:

    nameif ethernet2 dmz security50

5. PIX common configuration commands: interface | ip address

interface sets the interface speed and enables the interface (interfaces are shut down by default). Examples:

    interface ethernet2 100full             set the interface to 100 Mbit/s full duplex and enable it
    interface ethernet2 100full shutdown    same speed setting, interface left shut down

ip address assigns an IP address to an interface. Example: give the dmz interface an address:

    ip address dmz 192.168.1.1 255.255.255.0

5. PIX common configuration commands: nat | global

nat specifies the network segment or host addresses to be translated; global defines the addresses they are translated to. nat and global are normally used together. nat can also be used alone; it then performs no address translation and simply forwards the traffic.

nat:

    nat (inside) 1 10.1.1.0 255.255.255.0

Translate the inside network 10.1.1.0/24. The 1 is the global address pool id and must match the corresponding global command. 0.0.0.0 0.0.0.0 stands for all addresses and can be abbreviated to 0 0:

    nat (inside) 1 0 0

global:

    global (outside) 1 202.1.1.1-202.1.1.10 netmask 255.255.255.0
    global (outside) 1 202.1.1.1 netmask 255.255.255.0

Translate the addresses selected by nat id 1.

    global (dmz) 0 172.16.1.0 255.255.255.0

Id 0 means transparent forwarding: no address translation is done.

5. PIX common configuration commands: route

    route outside 0.0.0.0 0.0.0.0 192.168.1.2

Other commands: ACLs

outbound and apply are the equivalent of access control lists and implement access control from inside to outside. Example: forbid inside users from accessing certain sites:

    outbound 10 deny 202.1.1.1 255.255.255.255 www tcp
    apply (inside) 10 outgoing_dest

apply binds the list to the inside interface; outgoing_dest means filtering by destination address (outgoing_src filters by source address).

static and conduit implement access from outside to inside.

5. PIX common configuration commands: static, conduit

Example:

    static (inside,outside) 192.168.1.199 10.1.1.199 netmask 255.255.255.255
    conduit permit tcp host 192.168.1.199 eq www any

The static maps the inside address 10.1.1.199 to the public outside address 192.168.1.199; the conduit allows any outside address WWW access to that host.

6. PIX typical case

Requirements: the PIX has two interfaces, one connected to the outside network segment and one to the inside. The inside network has www, mail and ftp servers.

Configure the interfaces:

    nameif e0 outside security0
    nameif e1 inside security100
    interface e0 auto
    interface e1 auto
    ip address inside 10.1.1.254 255.255.255.0
    ip address outside 202.16.1.1 255.255.255.240

interface ... auto configures 10/100/1000 autonegotiation.

Configure access from inside to outside:

    nat (inside) 1 0 0
    global (outside) 1 202.16.1.3-202.16.1.7
    global (outside) 1 202.16.1.8
    route outside 0 0 202.16.1.2 1

The trailing 1 on the route is the metric: the next hop is one hop from the firewall.

Configure access from outside to inside:

    static (inside,outside) 202.16.1.14 10.1.1.250 netmask 255.255.255.255
    conduit permit tcp host 202.16.1.14 eq www any

General configuration:

    passwd cisco
    enable password cisco

Examining the PIX Firewall Status

show commands:

    show memory
    show version
    show ip address
    show interface
    show cpu usage

Lab 1: firewall configuration basics

1. Configure the interfaces:

    conf t
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    ip address outside 192.168.20.1 255.255.255.0
    ip address inside 172.16.10.1 255.255.255.0
    ip address dmz 10.10.10.10 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 192.168.20.1
    write memory

2. Save and view the configuration:

    pix1(config)# ping 192.168.10.10
        192.168.10.10 response received -- 0ms
        192.168.10.10 response received -- 0ms
        192.168.10.10 response received -- 0ms
    pix1(config)# write memory
    Building configuration...
    Cryptochecksum: dfe4a212 2d798b65 c28d5c76 86c2aa92
    [OK]
    pix1(config)#
    pix1(config)# write terminal
    pix1(config)# show run

Lab 2: firewall configuration basics

A. Access types:
- Outbound connections: from a higher-security interface to a lower-security interface.
- Inbound connections: from a lower-security interface to a higher-security interface.

B. Configuring outbound connections:
- By default the PIX allows all outbound connections.
- The nat and global commands are still needed to complete the connection; Cisco recommends enabling NAT on the firewall wherever possible.
- Networks behind interfaces with the same security level do not connect to each other.

    pix2(config)# nat (inside) 2 0 0
    pix2(config)# nat (dmz) 2 0 0
    pix2(config)# global (outside) 2 192.168.30.2 netmask 255.255.255.0
    pix2(config)# global (outside) 2 192.168.40.2-192.168.40.100 netmask 255.255.255.0

C. Configuring inbound access:
- By default, inbound connections are denied.
- Every inbound connection must be configured explicitly; static and conduit do this.

Example: a web server has been added in the DMZ. To publish it to the Internet:

    pix2(config)# static (dmz,outside) 202.103.24.111 192.168.40.2 netmask 255.255.255.255 0 0
    pix2(config)# conduit permit tcp host 202.103.24.111 eq www any

Cisco IOS Threat Defense Features: Implementing Cisco IOS Firewalls

Configuring Cisco IOS Firewall from the CLI

Cisco IOS Firewall configuration tasks using the CLI:
1. Pick an interface: internal or external.
2. Configure IP ACLs at the interface.
3. Define inspection rules.
4. Apply inspection rules and ACLs to interfaces.
5. Test and verify.

Set Audit Trails and Alerts

    Router(config)# logging on
    Router(config)# logging host 10.0.0.3
    Router(config)# ip inspect audit-trail
    Router(config)# no ip inspect alert-off

ip inspect audit-trail enables the delivery of audit trail messages using syslog; no ip inspect alert-off enables real-time alerts.

Define Inspection Rules for Application Protocols

    Router(config)# ip inspect name inspection-name protocol [alert {on|off}] [audit-trail {on|off}] [timeout seconds]

Defines the application protocols to inspect.
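
What an inspection rule does once it is applied is easiest to see by running packets through one. The Python model below is an added example (my code, not Cisco's and not part of the deck): it parses the subset of IOS syntax used on these slides (ip inspect name, ip access-list extended entries with wildcard masks, and the ip access-group / ip inspect interface commands), then replays constructed packets through the two-interface example given later in this section, abridged here to its tcp inspection line and the tcp/icmp ACL entries. The processing order (session table first, then the ingress interface's inbound ACL, then inspection recording a session) and the syslog line format are simplifications of my own, not Cisco's implementation.

```python
import ipaddress
PORT_NAMES = {"www": 80, "smtp": 25, "isakmp": 500}  # port keywords that appear in the deck's ACLs
_ip = lambda s: int(ipaddress.ip_address(s))  # dotted quad -> int

def _addr(tok, i):  # `any` | `host A` | `A WILDCARD` at tok[i] -> ((network, wildcard), next index)
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def parse_ace(line):
    """Parse `permit|deny proto src dst [eq port] [icmp-type] [log]` into a dict."""
    tok = line.split()
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    ace = {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "dport": None, "icmp_type": None, "log": False}
    while i < len(tok):
        if tok[i] == "eq":
            ace["dport"], i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        elif tok[i] == "log":
            ace["log"], i = True, i + 1
        else:  # any other trailing keyword is an ICMP type (echo-reply, packet-too-big, ...)
            ace["icmp_type"], i = tok[i], i + 1
    return ace

def ace_matches(ace, pkt):
    hit = lambda spec, a: (_ip(a) | spec[1]) == (spec[0] | spec[1])  # wildcard bits are "don't care"
    return (ace["proto"] in ("ip", pkt["proto"]) and hit(ace["src"], pkt["src"]) and hit(ace["dst"], pkt["dst"])
            and (ace["dport"] is None or pkt.get("dport") == ace["dport"])
            and (ace["icmp_type"] is None or pkt.get("icmp_type") == ace["icmp_type"]))

class Firewall:
    def __init__(self, config):
        self.acls = {}  # ACL name -> list of ACEs
        self.rules = {}  # inspection rule name -> set of protocols it inspects
        self.acl_in = {}  # interface -> ACL applied inbound
        self.inspect_on = {}  # (interface, "in"|"out") -> inspection rule name
        self.sessions, self.syslog = set(), []  # CBAC session table; lines produced by `log` entries
        ctx = ("", "")  # the ACL or interface block the current line belongs to
        for line in config.strip().splitlines():
            t = line.split()
            if t[:3] == ["ip", "inspect", "name"]:
                self.rules.setdefault(t[3], set()).add(t[4])
            elif t[:3] == ["ip", "access-list", "extended"]:
                ctx, self.acls[t[3]] = ("acl", t[3]), []
            elif t[0] == "interface":
                ctx = ("if", t[1])
            elif ctx[0] == "acl" and t[0] in ("permit", "deny"):
                self.acls[ctx[1]].append(parse_ace(line))
            elif ctx[0] == "if" and t[:2] == ["ip", "access-group"] and t[3] == "in":
                self.acl_in[ctx[1]] = t[2]
            elif ctx[0] == "if" and t[:2] == ["ip", "inspect"]:
                self.inspect_on[(ctx[1], t[3])] = t[2]

    def forward(self, ingress, egress, pkt):
        """Replay one packet; returns "permit" or "deny" and records hits on `log` entries."""
        key = (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
        if key in self.sessions or (key[0], key[3], key[4], key[1], key[2]) in self.sessions:
            return "permit"  # either half of an inspected session gets through without an ACL check
        name = self.acl_in.get(ingress)
        if name:
            ace = next((a for a in self.acls[name] if ace_matches(a, pkt)), None)
            if ace and ace["log"]:
                self.syslog.append(f"list {name} {ace['action']} {pkt['proto']} {pkt['src']} -> {pkt['dst']}")
            if ace is None or ace["action"] == "deny":
                return "deny"  # an explicit deny, or the implicit deny at the end of every IOS ACL
        rule = self.inspect_on.get((ingress, "in")) or self.inspect_on.get((egress, "out"))
        if rule and pkt["proto"] in self.rules.get(rule, ()):
            self.sessions.add(key)  # CBAC records the flow so that its replies are let back in
        return "permit"

# Abridged copy of the deck's two-interface example (Fa0/0 outside, Fa0/1 inside).
TWO_INTERFACE_CONFIG = """
ip inspect name OUTBOUND tcp
interface FastEthernet0/0
 ip access-group OUTSIDEACL in
interface FastEthernet0/1
 ip inspect OUTBOUND in
 ip access-group INSIDEACL in
ip access-list extended OUTSIDEACL
 permit icmp any any packet-too-big
 deny ip any any log
ip access-list extended INSIDEACL
 permit tcp any any
"""
def replay_two_interface():
    """Outbound web request, its reply, an unsolicited inbound SYN, then an inbound PMTU message."""
    fw = Firewall(TWO_INTERFACE_CONFIG)
    outside, inside = "FastEthernet0/0", "FastEthernet0/1"
    packets = [  # constructed sample packets; 198.51.100.7 is a documentation-range address
        (inside, outside, dict(proto="tcp", src="10.1.1.10", sport=40000, dst="198.51.100.7", dport=80)),
        (outside, inside, dict(proto="tcp", src="198.51.100.7", sport=80, dst="10.1.1.10", dport=40000)),
        (outside, inside, dict(proto="tcp", src="198.51.100.7", sport=4444, dst="10.1.1.10", dport=22)),
        (outside, inside, dict(proto="icmp", src="198.51.100.7", dst="10.1.1.10", icmp_type="packet-too-big")),
    ]
    return [fw.forward(i, e, p) for i, e, p in packets], fw.syslog
```

replay_two_interface() returns the verdicts permit, permit, deny, permit and one log line. The outbound web request is permitted by INSIDEACL and recorded by OUTBOUND; its reply from port 80 is let back in by the session entry even though OUTSIDEACL would otherwise deny it; the unrelated inbound connection attempt to port 22 hits deny ip any any log, which is what produces the log line; and the ICMP packet-too-big message is permitted by the explicit entry in OUTSIDEACL, which is what keeps path MTU discovery working through the firewall.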

The rule is then applied to an interface. Available protocols are tcp, udp, icmp, smtp, esmtp, cuseeme, ftp, ftps, http, h323, netshow, rcmd, realaudio, rpc, rtsp, sip, skinny, sqlnet, tftp, vdolive, etc. Alert, audit-trail and timeout are configurable per protocol and override the global settings.

    Router(config)# ip inspect name FWRULE smtp alert on audit-trail on timeout 300
    Router(config)# ip inspect name FWRULE ftp alert on audit-trail on timeout 300

Apply an Inspection Rule to an Interface

    Router(config-if)# ip inspect inspection-name {in|out}

Applies the named inspection rule to an interface.

    Router(config)# interface e0/0
    Router(config-if)# ip inspect FWRULE in

Applies the inspection rule to interface e0/0 in the inward direction.

Guidelines for Applying Inspection Rules and ACLs to Interfaces

On the interface where traffic initiates:
- Apply an ACL in the inward direction that permits only wanted traffic.
- Apply a rule in the inward direction that inspects wanted traffic.
On all other interfaces, apply an ACL in the inward direction that denies all unwanted traffic.

Example: Two-Interface Firewall

    ip inspect name OUTBOUND tcp
    ip inspect name OUTBOUND udp
    ip inspect name OUTBOUND icmp
    !
    interface FastEthernet0/0
     ip access-group OUTSIDEACL in
    !
    interface FastEthernet0/1
     ip inspect OUTBOUND in
     ip access-group INSIDEACL in
    !
    ip access-list extended OUTSIDEACL
     permit icmp any any packet-too-big
     deny ip any any log
    !
    ip access-list extended INSIDEACL
     permit tcp any any
     permit udp any any
     permit icmp any any

Example: Three-Interface Firewall

    interface FastEthernet0/0
     ip inspect OUTSIDE in
     ip access-group OUTSIDEACL in
    !
    interface FastEthernet0/1
     ip inspect INSIDE in
     ip access-group INSIDEACL in
    !
    interface FastEthernet0/2
     ip access-group DMZACL in
    !
    ip inspect name INSIDE tcp
    ip inspect name OUTSIDE tcp
    !
    ip access-list extended OUTSIDEACL
     permit tcp any host 200.1.2.1 eq 25
     permit tcp any host 200.1.2.2 eq 80
     permit icmp any any packet-too-big
     deny ip any any log
    !
    ip access-list extended INSIDEACL
     permit tcp any any eq 80
     permit icmp any any packet-too-big
     deny ip any any log
    !
    ip access-list extended DMZACL
     permit icmp any any packet-too-big
     deny ip any any log

Verifying Cisco IOS Firewall

    show ip inspect name inspection-name
    show ip inspect config
    show ip inspect interfaces
    show ip inspect session [detail]
    show ip inspect statistics
    show ip inspect all

These display inspections, interface configurations, sessions and statistics.

    Router# show ip inspect session
    Established Sessions
     Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
     Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
     Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
    Router#

Troubleshooting Cisco IOS Firewall

General debug commands:

    Router# debug ip inspect function-trace
    Router# debug ip inspect object-creation
    Router# debug ip inspect object-deletion
    Router# debug ip inspect events
    Router# debug ip inspect timers
    Router# debug ip inspect detail

Protocol-specific debug:

    Router# debug ip inspect protocol

Basic and Advanced Firewall Wizards

SDM offers configuration wizards to simplify Cisco IOS Firewall configuration. Two configuration wizards exist:
- Basic Firewall Configuration wizard: supports two interface types (Inside and Outside) and applies predefined rules.
- Advanced Firewall Configuration wizard: supports more interfaces (Inside, Outside and DMZ) and applies predefined or custom rules.

Configuring a Basic Firewall

(SDM wizard screenshots, steps 1 to 4; slide titles only:) Basic Firewall Interface Configuration; Basic Firewall Configuration Summary and Deployment; Reviewing the Basic Firewall for the Originating Traffic; Reviewing the Basic Firewall for the Returning Traffic.

Resulting Basic Firewall Inspection Rule Configuration

    Router# show running-config | include ip inspect name
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive

Resulting Basic Firewall ACL Configuration

    Router# show running-config | include access-list
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 200.0.0.0 0.0.0.3 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 deny ip 10.1.1.0 0.0.0.255 any
    access-list 101 permit icmp any host 200.0.0.1 echo-reply
    access-list 101 permit icmp any host 200.0.0.1 time-exceeded
    access-list 101 permit icmp any host 200.0.0.1 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log

Resulting Basic Firewall Interface Configuration

    Router# show running-config | begin interface
    interface FastEthernet0/0
     description $FW_INSIDE$
     ip address 10.1.1.1 255.255.255.0
     ip access-group 100 in
    !
    interface Serial0/0/0
     description $FW_OUTSIDE$
     ip address 200.0.0.1 255.255.255.252
     ip access-group 101 in
     ip verify unicast reverse-path
     ip inspect SDM_LOW out
    !

Configuring Interfaces on an Advanced Firewall

(SDM wizard screenshots, steps 1 to 4; slide titles only:) Advanced Firewall Interface Configuration; Configuring a DMZ on an Advanced Firewall; Advanced Firewall DMZ Service Configuration; Advanced Firewall DMZ Service Configuration: TCP; Advanced Firewall DMZ Service Configuration: UDP; Advanced Firewall DMZ Service Configuration (Cont.); Advanced Firewall Security Configuration; Advanced Firewall Security Policy; Advanced Firewall Protocols and Applications (three slides); Advanced Firewall Inspection Parameters; Advanced Firewall Security Policy Selection; Complete the Configuration; Advanced Firewall Configuration Summary and Deployment.

Resulting Advanced Firewall Inspection Rule Configuration

    Router# show running-config | include ip inspect name
    ip inspect name appfw_100 tcp audit-trail on
    ip inspect name appfw_100 udp
    ip inspect name appfw_100 ftp
    ip inspect name dmzinspect tcp
    ip inspect name dmzinspect udp

Resulting Advanced Firewall ACL Configuration

    Router# show running-config | include access-list
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 200.0.0.0 0.0.0.3 any
    access-list 100 deny ip 192.168.0.0 0.0.0.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 deny ip any any log
    access-list 102 remark auto generated by SDM firewall configuration
    access-list 102 remark SDM_ACL Category=1
    access-list 102 deny ip 192.168.0.0 0.0.0.255 any
    access-list 102 deny ip 10.1.1.0 0.0.0.255 any
    access-list 102 permit icmp any host 200.0.0.1 echo-reply
    access-list 102 permit icmp any host 200.0.0.1 time-exceeded
    access-list 102 permit icmp any host 200.0.0.1 unreachable
    access-list 102 permit tcp any host 192.168.0.2 eq www
    access-list 102 permit udp any host 192.168.0.3 eq isakmp
    access-list 102 deny ip 10.0.0.0 0.255.255.255 any
    access-list 102 deny ip 172.16.0.0 0.15.255.255 any
    access-list 102 deny ip 192.168.0.0 0.0.255.255 any
    access-list 102 deny ip 127.0.0.0 0.255.255.255 any
    access-list 102 deny ip host 255.255.255.255 any
    access-list 102 deny ip host 0.0.0.0 any
    access-list 102 deny ip any any log

Resulting Advanced Firewall Interface Configuration

    Router# show running-config | begin interface
    interface FastEthernet0/0
     description $FW_INSIDE$
     ip address 10.1.1.1 255.255.255.0
     ip access-group 100 in
     ip inspect appfw_100 in
    !
    interface FastEthernet0/1
     description $FW_DMZ$
     ip address 192.168.0.1 255.255.255.0
     ip access-group 101 in
     ip inspect dmzinspect out
    !
    interface Serial0/0/0
     description $FW_OUTSIDE$
     ip address 200.0.0.1 255.255.255.252
     ip access-group 102 in
     ip verify unicast reverse-path
    !

Viewing Firewall Activity

(SDM screenshots; slide titles only:) Preparing for Firewall Activity Viewing (steps 1 to 6); Viewing Firewall Log (steps 1 and 2).

Summary

- Cisco IOS Firewall can be configured using the CLI or the SDM.
- Inspection rules must specify which protocols will be inspected by the firewall engine at an interface.
- Inspection rules can help protect hosts against certain DoS attacks involving fragmented IP packets.
- SDM offers configuration wizards to expedite the firewall configuration process.
- The Basic Firewall Configuration wizard supports two interfaces and predefines filter rules.
- The Advanced Firewall Configuration wizard supports three interfaces and customized filter rules.
- SDM offers monitoring capabilities to view the firewall activity.
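
As an added example for the verification step (my code, not part of the deck), the parser below turns `show ip inspect session` output, as shown on the verification slide, into records and summarises them, which is the first step of keeping an eye on what the firewall has opened. The sample text is a copy of the deck's output; taking a section name from the "Established Sessions" header line is my assumption about the output layout, and the `unexpected` check simply compares destination ports against the set of services the policy is meant to allow.

```python
import re
from collections import Counter

# One session line of `show ip inspect session`, in the shape the deck shows:
#   Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
# The regex also accepts a bare "=" between the endpoints, as in text copied from slides.
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>?\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\w+)\s+(?P<state>SIS_\w+)"
)


def parse_sessions(text):
    """Turn `show ip inspect session` output into a list of dicts, one per session line.

    Header lines ending in "Sessions" (the deck shows "Established Sessions") are taken to
    name the section that the following entries belong to; an assumption, not from the deck.
    """
    records, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Sessions"):
            section = stripped
            continue
        m = SESSION_RE.search(line)
        if not m:
            continue  # prompts, the echoed command and anything else are skipped
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        rec["section"] = section
        records.append(rec)
    return records


def summarize(sessions):
    """Count sessions per (initiator, responder, proto, dport) and per inspection state."""
    by_service = Counter((s["src"], s["dst"], s["proto"], s["dport"]) for s in sessions)
    by_state = Counter(s["state"] for s in sessions)
    return by_service, by_state


def unexpected(sessions, allowed_ports):
    """Sessions whose destination port is not among the services the policy is meant to permit."""
    return [s for s in sessions if s["dport"] not in allowed_ports]


# Constructed sample: a copy of the output shown on the deck's verification slide.
SAMPLE = """\
Router#show ip inspect session
Established Sessions
 Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233) tcp SIS_OPEN
 Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234) tcp SIS_OPEN
 Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp SIS_OPEN
Router#
"""

if __name__ == "__main__":
    recs = parse_sessions(SAMPLE)
    by_service, by_state = summarize(recs)
    print(by_state)
    for key, n in by_service.items():
        print(n, key)
    print("outside the allowed set:", [r["id"] for r in unexpected(recs, {80, 443})])
```

On the sample, all three sessions are in state SIS_OPEN, all originate from 10.0.0.3 towards 172.30.0.50, and none of them goes to port 80 or 443, so a policy that expects only web traffic from that host would want to look at them. Feeding the same parser the output collected at intervals lets you diff the session table over time rather than reading it by eye.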
