Lab 6: Configuring and Operating Packet Filtering on Switches, Routers and Firewalls
-
Topology diagram (recoverable labels only): a Cisco ASA 5520 with Outside interface 140.125.32.19, Inside interface 192.168.100.1 and DMZ interface 192.168.30.1; a Web Server published at public IP 140.125.32.19; a Cisco Switch 3560 on the Inside side carrying VLAN 2, VLAN 3 and VLAN 4.
-
Scenario
The lab network is a Cisco ASA 5520 with three interfaces: Outside (140.125.32.19), Inside (192.168.100.1) and DMZ (192.168.30.1). The DMZ hosts a Web Server with private IP 192.168.30.30 that is published on the public IP 140.125.32.19. A Cisco Switch 3560 on the Inside segments the user network into VLAN 2, VLAN 3 and VLAN 4.
-
Firewall Interfaces
Interfaces of the firewall and their security levels:

Interface   IP address       Hosts behind it                          Security level
Outside     140.125.32.19    Internet                                 0
DMZ         192.168.30.1     Web Server / Mail Server (192.168.30.30) 50
Inside      192.168.100.1    internal users                           100

By default the ASA permits sessions initiated from a higher security level toward a lower one (Inside to DMZ, Inside to Outside, DMZ to Outside) and denies sessions initiated from a lower level toward a higher one (Outside to DMZ, Outside to Inside, DMZ to Inside) unless an access list explicitly permits them. The DMZ interface is therefore given security level 50, between Outside (0) and Inside (100).
-
Firewall Interfaces (CLI)
Interfaces can be configured either through ASDM (the GUI) or through the Command Line Interface (CLI). Each interface needs a name (nameif), an IP address and a security level. On the CLI:

ciscoasa(config)# interface int_num
ciscoasa(config-if)# nameif name
ciscoasa(config-if)# ip address ip_add netmask
ciscoasa(config-if)# security-level value
-
Firewall Interfaces (ASDM)
In ASDM the same settings are under 1. Configuration > 2. Device Setup > 3. Interfaces: select the interface and click Edit to set its name, IP address and security level.
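The following is an added example, not part of the lab slides: the full CLI configuration of the three ASA interfaces of the scenario in ASA 7.x/8.0 syntax. The physical port mapping (Gi0/0 Outside, Gi0/1 Inside, Gi0/2 DMZ), the /24 masks, the upstream gateway 140.125.32.254 and the switch address 192.168.100.2 are not given on the slides and are assumed here for illustration.

```cisco
! Added example, not from the lab slides. Assumed: port mapping, /24 masks,
! gateway 140.125.32.254, 3560 uplink address 192.168.100.2.
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif Outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 140.125.32.19 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif Inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.100.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# interface GigabitEthernet0/2
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# ip address 192.168.30.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
! Routes: default route toward the Internet, and the inside VLAN subnets
! (the 192.168.0.0/16 block) via the 3560 on the Inside segment.
ciscoasa(config)# route Outside 0.0.0.0 0.0.0.0 140.125.32.254
ciscoasa(config)# route Inside 192.168.0.0 255.255.0.0 192.168.100.2
ciscoasa(config)# end
! Verification: an interface forwards nothing until nameif, security-level
! and ip address are all present and the interface is up.
ciscoasa# show interface ip brief
ciscoasa# show nameif
ciscoasa# show running-config interface GigabitEthernet0/2
```

Note that nameif values are case sensitive; the names Outside, Inside and DMZ used here must be spelled the same way in every later nat, static, access-group and service-policy command.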
-
Switch
The switch part of the lab covers two features of the Cisco Switch 3560: VLANs, which split the Inside network into VLAN 2, 3 and 4, and Port Security, which limits the MAC addresses a port may learn and so counters CAM table overflow (MAC flooding) and MAC address spoofing. The diagram shows hosts A, B and C attached to the switch.
-
Switch VLAN
Creating a VLAN:

Switch# vlan database
Switch(vlan)# vlan ID

VLAN IDs range from 1 to 4094. VLAN 1 is the default VLAN on Cisco switches and every port belongs to it until it is assigned to another VLAN; VLAN 1 and VLANs 1002 to 1005 are reserved and cannot be deleted. VLANs 1 to 1005 are the normal range; 1006 to 4094 are the extended range, which VTP versions 1 and 2 do not propagate and which vlan database mode cannot create (use vlan ID in global configuration mode for those).

Giving a VLAN an IP address (the switch virtual interface):

Switch(config)# interface vlan ID
Switch(config-if)# ip address ip_address netmask

Assigning ports to a VLAN:

Switch(config)# interface range interface_numbers
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan ID
-
Switch VLAN (DHCP)
The switch can act as DHCP server so that hosts in VLAN 2, 3 and 4 receive an IP address from a pool defined per VLAN (VLAN 1 is left for management):

Switch(config)# service dhcp
Switch(config)# ip dhcp pool pool_name
Switch(dhcp-config)# network ip_add netmask
Switch(dhcp-config)# default-router ip_add
Switch(dhcp-config)# dns-server ip_add
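The following is an added example that is not on the lab slides: a complete 3560 configuration for VLANs 2, 3 and 4 with a DHCP pool per VLAN, creating the VLANs in global configuration mode rather than the deprecated vlan database mode. The subnets 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24 (chosen inside the 192.168.0.0/16 block the ASA translates), the port ranges, the routed uplink Fa0/24 with address 192.168.100.2 toward the ASA Inside interface 192.168.100.1, and the DNS server 140.125.32.2 are assumptions made here.

```cisco
! Added example, not from the lab slides. Assumed: VLAN subnets, port ranges,
! uplink Fa0/24 = 192.168.100.2, DNS server 140.125.32.2.
Switch(config)# ip routing
Switch(config)# vlan 2
Switch(config-vlan)# name USERS-2
Switch(config-vlan)# vlan 3
Switch(config-vlan)# name USERS-3
Switch(config-vlan)# vlan 4
Switch(config-vlan)# name USERS-4
Switch(config-vlan)# exit
! One switch virtual interface (default gateway) per VLAN
Switch(config)# interface Vlan2
Switch(config-if)# ip address 192.168.2.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# interface Vlan3
Switch(config-if)# ip address 192.168.3.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# interface Vlan4
Switch(config-if)# ip address 192.168.4.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
! Access ports: forcing access mode also turns off DTP trunk negotiation,
! so a host cannot negotiate a trunk and reach other VLANs
Switch(config)# interface range FastEthernet0/1 - 8
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 2
Switch(config-if-range)# interface range FastEthernet0/9 - 16
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 3
Switch(config-if-range)# interface range FastEthernet0/17 - 23
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 4
Switch(config-if-range)# exit
! Routed uplink to the ASA Inside interface and the default route
Switch(config)# interface FastEthernet0/24
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.100.2 255.255.255.0
Switch(config-if)# exit
Switch(config)# ip route 0.0.0.0 0.0.0.0 192.168.100.1
! DHCP: keep the gateway and a few static addresses out of every pool
Switch(config)# service dhcp
Switch(config)# ip dhcp excluded-address 192.168.2.1 192.168.2.10
Switch(config)# ip dhcp excluded-address 192.168.3.1 192.168.3.10
Switch(config)# ip dhcp excluded-address 192.168.4.1 192.168.4.10
Switch(config)# ip dhcp pool VLAN2
Switch(dhcp-config)# network 192.168.2.0 255.255.255.0
Switch(dhcp-config)# default-router 192.168.2.1
Switch(dhcp-config)# dns-server 140.125.32.2
Switch(dhcp-config)# exit
Switch(config)# ip dhcp pool VLAN3
Switch(dhcp-config)# network 192.168.3.0 255.255.255.0
Switch(dhcp-config)# default-router 192.168.3.1
Switch(dhcp-config)# dns-server 140.125.32.2
Switch(dhcp-config)# exit
Switch(config)# ip dhcp pool VLAN4
Switch(dhcp-config)# network 192.168.4.0 255.255.255.0
Switch(dhcp-config)# default-router 192.168.4.1
Switch(dhcp-config)# dns-server 140.125.32.2
Switch(dhcp-config)# end
! Verification
Switch# show vlan brief
Switch# show ip interface brief
Switch# show ip dhcp binding
```

The ASA needs a route back to the VLAN subnets (route Inside 192.168.0.0 255.255.0.0 192.168.100.2) or the return traffic from the DMZ and the Internet will be dropped.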
-
Switch Port Security
Port Security limits how many MAC addresses a port may learn, which defends against CAM table overflow and MAC spoofing. Lab step (1): port fa0/7 is limited to 1 MAC address and the violation action is set to shutdown. Host A is attached to fa0/7 and gets an IP address; show port-security reports CurrentAddr 1 for that port. Then a hub is attached to fa0/7 with host A and host B behind it. B's MAC address is a second address on the port, which is a violation, so the switch shuts the port down (err-disabled) and both A and B lose connectivity. The violation action can be shutdown, protect (silently drop frames from unknown MACs) or restrict (drop them and count/log the violation); show port-security displays the mode, the counters and the addresses learned on each port.
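The following is an added example, not from the lab slides: port security on fa0/7 as in step (1), with sticky MAC learning, automatic err-disable recovery, and the restrict alternative on a second port. The second port fa0/8 and VLAN 2 as the access VLAN are assumptions made here.

```cisco
! Added example, not from the lab slides. Assumed: fa0/7 and fa0/8 are
! access ports in VLAN 2.
Switch(config)# interface FastEthernet0/7
! Port security requires a static access (or trunk) port, not dynamic mode
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
! sticky: the first learned MAC (host A) is written into the running config,
! so any other source MAC, including a spoofed one, is a violation
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# exit
! Same limit without cutting off host A: restrict drops frames from the
! extra MAC, keeps the port up, and increments the violation counter
Switch(config)# interface FastEthernet0/8
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# exit
! Bring an err-disabled port back after 5 minutes instead of requiring a
! manual shutdown / no shutdown
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verification: after the hub with A and B is attached to fa0/7, Port Status
! reads Secure-shutdown and Last Source Address shows B's MAC
Switch# show port-security
Switch# show port-security interface FastEthernet0/7
Switch# show port-security address
Switch# show interfaces status err-disabled
```

Without sticky learning the switch forgets the secure address when the port goes down, so after recovery whichever host sends the first frame becomes the allowed MAC; sticky pins it to host A until the entry is removed from the configuration.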
-
NAT
-
NAT
Two NAT rules are needed. Inside to Outside: hosts in 192.168.0.0/16 share the Outside address 140.125.32.19 through dynamic PAT:

global (Outside) 1 interface
nat (Inside) 1 192.168.0.0 255.255.0.0

DMZ to Outside: the DMZ Web server 192.168.30.30 must be reachable from the Internet, so it gets a static NAT to a public address:

static (DMZ,Outside) 140.125.32.13 192.168.30.30 netmask 255.255.255.255

(The slide's static command uses 140.125.32.13, while the scenario and the access rule refer to the Web server's public IP 140.125.32.19; the mapped address must be the one the access rule permits, otherwise the rule never matches.) The same rules can be entered in ASDM on the NAT page. Result: the Inside network 192.168.0.0/16 reaches the Outside through 140.125.32.19, the DMZ host 192.168.30.30 is published, and from the Outside only www to the Web server's public address is allowed.
-
Access rules
Access lists (access rules) decide, together with NAT and the security-level default, which sessions may cross an interface. Traffic from a lower security level (Outside) toward a higher one (DMZ) is denied until an access list applied to the Outside interface permits it. To let the Internet reach the DMZ web server over HTTP only, add a rule on the Outside interface that permits TCP port 80 to the web server's public IP 140.125.32.19:

access-list Outside_access_in line 1 permit tcp any host 140.125.32.19 eq www

In ASDM the same rule is added under Access Rules.
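The following is an added example that is not part of the lab slides: the NAT rules and the Outside access rule together, in the pre-8.3 syntax the slides use. Because the slides publish the Web server on the Outside interface address itself (140.125.32.19), this example uses a static port redirection of TCP/80 on the interface address instead of a one-to-one static NAT to a separate public address; that choice, and the nat rule for the DMZ subnet, are additions made here.

```cisco
! Added example, not from the lab slides. Assumes interface names Outside,
! Inside and DMZ exactly as on the slides, and nat-control left disabled
! (the ASA default).
! Inside -> Outside: dynamic PAT of 192.168.0.0/16 onto the Outside address
ciscoasa(config)# global (Outside) 1 interface
ciscoasa(config)# nat (Inside) 1 192.168.0.0 255.255.0.0
! DMZ hosts initiating sessions toward the Internet use the same PAT pool
ciscoasa(config)# nat (DMZ) 1 192.168.30.0 255.255.255.0
! DMZ -> Outside: only port 80 of 140.125.32.19 is mapped to the Web server;
! every other port of the public address stays with the firewall itself
ciscoasa(config)# static (DMZ,Outside) tcp interface www 192.168.30.30 www netmask 255.255.255.255
! Outside -> DMZ is denied by the security levels (0 -> 50), so permit exactly
! the published service; the implicit deny at the end of the ACL drops the rest.
! Pre-8.3 ACLs on the Outside interface match the mapped (public) address.
ciscoasa(config)# access-list Outside_access_in extended permit tcp any host 140.125.32.19 eq www
ciscoasa(config)# access-group Outside_access_in in interface Outside
ciscoasa(config)# end
! Verification after one test HTTP request from the Outside: the translation
! slot for the static, the ACL hit counter, and the connection entry
ciscoasa# show xlate
ciscoasa# show access-list Outside_access_in
ciscoasa# show conn
```

If the hit counter in show access-list stays at 0 while the client times out, the usual cause is a mapped address in the static that differs from the host in the access rule.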
-
Configuring Filter Rules
ActiveX controls and Java applets embedded in web pages run code in the client browser, so the firewall can be told to remove them from HTTP responses before they reach inside clients. The filter is configured in ASDM or on the CLI with:

filter {activex|java} service src_ip netmask dest_ip netmask

For example, stripping ActiveX from HTTP (port 80) responses for all inside clients in 192.168.0.0/16, toward any destination (0 0):

filter activex 80 192.168.0.0 255.255.0.0 0 0

The filter only inspects clear-text HTTP on the listed port; content delivered over HTTPS is not examined.
-
Configuring Policy
A policy applies an action to traffic selected by a class, which can be defined by an ACL (IP addresses) or by another match criterion. On the CLI a policy is built from three parts: a class-map (which traffic), a policy-map (what to do with it) and a service-policy (where to apply it). In ASDM the same thing is done with the Service Policy Rule Wizard.
-
Configuring Policy (class-map)
A class-map classifies traffic. Steps: 1. create the class-map; 2. define what it matches (here an ACL). The lab policy limits half-open TCP connections to protect against SYN floods, so the class matches TCP connections through an ACL named tcp_half. The ACL is defined first so the class-map can reference it:

Pix(config)# access-list tcp_half extended permit tcp any any
Pix(config)# class-map tcp_half
Pix(config-cmap)# match access-list tcp_half
-
Configuring Policy (policy-map)
A policy-map attaches actions to one or more class-maps. Steps: 1. create the policy-map; 2. reference the class-map; 3. set the action for that class. Here the action is a TCP connection setting: for the class tcp_half, the maximum number of embryonic (half-open) TCP connections is set to 1 (see Cisco, Preventing Network Attacks: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html).

Class-map:
Pix(config)# access-list tcp_half extended permit tcp any any
Pix(config)# class-map tcp_half
Pix(config-cmap)# match access-list tcp_half

Policy-map:
Pix(config)# policy-map tcp_half_open
Pix(config-pmap)# class tcp_half
Pix(config-pmap-c)# set connection embryonic-conn-max 1
-
Configuring Policy (service-policy)
A service-policy activates a policy-map, either on one interface or globally on all interfaces. The complete lab configuration:

Class-map:
Pix(config)# access-list tcp_half extended permit tcp any any
Pix(config)# class-map tcp_half
Pix(config-cmap)# match access-list tcp_half

Policy-map:
Pix(config)# policy-map tcp_half_open
Pix(config-pmap)# class tcp_half
Pix(config-pmap-c)# set connection embryonic-conn-max 1

Service-policy (applied globally):
ciscoasa(config)# service-policy tcp_half_open global
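The following is an added example, not part of the lab slides: the lab's half-open connection policy narrowed to the published Web server and applied on the Outside interface rather than globally, with a per-client limit added. The limit values 1000 and 20, the interface placement, and the availability of per-client-embryonic-max on the lab's software version are assumptions made here.

```cisco
! Added example, not from the lab slides. Assumed: limit values, Outside
! placement, per-client-embryonic-max supported on the lab's ASA version.
! ACL first; in pre-8.3 syntax a rule seen from the Outside uses the mapped
! (public) address, like the Outside access rule.
ciscoasa(config)# access-list tcp_half extended permit tcp any host 140.125.32.19 eq www
ciscoasa(config)# class-map tcp_half
ciscoasa(config-cmap)# match access-list tcp_half
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map tcp_half_open
ciscoasa(config-pmap)# class tcp_half
! embryonic-conn-max is an aggregate ceiling for the whole class: the lab
! value 1 means a single half-open connection from anyone triggers TCP
! intercept, where the ASA completes the three-way handshake on the server's
! behalf and only then opens the connection to 192.168.30.30.
! per-client-embryonic-max limits each source address separately, which
! stops one SYN-flooding host without starving every other client.
ciscoasa(config-pmap-c)# set connection embryonic-conn-max 1000
ciscoasa(config-pmap-c)# set connection per-client-embryonic-max 20
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
! Apply on Outside only. Only one policy-map can be attached per interface,
! and for matching traffic an interface policy takes precedence over the
! global policy.
ciscoasa(config)# service-policy tcp_half_open interface Outside
ciscoasa(config)# end
! Verification: per-class embryonic counters and current connections during
! a SYN flood test from the Outside
ciscoasa# show service-policy interface Outside
ciscoasa# show conn
```

The lab value of 1 is fine for demonstrating the mechanism in show service-policy, but on a real server it forces every client after the first into TCP intercept; the per-client limit is the setting that separates an attacker from legitimate users.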
-
Configuring Policy (ASDM)
In ASDM a policy is created with the Service Policy Rule wizard. The first step chooses where the rule applies: a specific interface or Global (all interfaces).
-
Configuring Policy (ASDM)
Traffic classification step: choose Use an existing traffic class to reuse a class-map already defined, or create a new class by picking the match criterion, for example an ACL.
-
Configuring Policy (ASDM)
Next the ACL for the new class is defined; here it matches TCP traffic.
-
Configuring Policy (ASDM)
Rule actions are grouped in three tabs: Protocol Inspection, Connection Settings and QoS.
-
Configuring Policy (ASDM)
Under Connection Settings, the limit on half-open TCP connections is Maximum Embryonic Connections; the lab sets it to 1, whereas the Default (0) means no limit.
-
Summary
The lab covered Port Security and VLANs on the switch, and on the ASA the interfaces, NAT, access rules, ActiveX/Java filter rules and service policies, each configured both on the CLI and in ASDM.