ASA Notes

centos-kang 2019-06-11 16:32

show logging  view the buffered log
FW(config)# show run route  view the routing table

FW(config)# ip verify reverse-path interface Outside  enable uRPF (reverse-path check) on the Outside interface

FW# packet-tracer input inside tcp 10.1.1.2 1024 202.100.1.1 23 detailed  packet trace

FW# copy runn flash:/preconfig.cfg  back up the configuration

ciscoasa(config)# route Outside 0.0.0.0 0.0.0.0 202.100.1.1  configure the default route

Configure the management interface:
FW(config)# inter g5
FW(config-if)# management-only
FW(config-if)# nameif mgmt
FW(config-if)# security-level 100
FW(config-if)# ip address 10.10.10.10 255.255.255.0


ACL
access-list outside extended permit tcp host 202.100.1.1 10.1.1.0 255.255.255.0 eq telnet
access-list outside extended permit tcp host 202.100.1.1 192.168.1.0 255.255.255.0 eq www

FW(config)# access-list outside deny ip any any log

FW(config)# access-group outside in interface Outside  apply ACL outside inbound on interface Outside

FW(config)# sh run access-group  show where ACLs are applied


Check the time
FW(config)# show clock

Time-based ACL
FW(config)# time-range TimeLimit
FW(config-time-range)# periodic weekdays 08:00 to 21:00
access-list outside line 2 permit tcp 202.100.1.0 255.255.255.0 10.1.1.1 255.255.255.255 eq www time-range TimeLimit


FW(config-time-range)# show access-list  show ACL details (expanded entries and hit counts)


Object-groups let you build reusable sets of addresses and services that can then be referenced from ACLs.

FW(config)# object network server01
FW(config-network-object)# host 10.1.1.1
FW(config)# object-group network Group-Network
FW(config-network-object-group)# network-object object server01

FW# sh run object
object network In_filter
object network server01
host 10.1.1.1



FW(config)# object-group service Group-Server
FW(config-service-object-group)# service-object icmp
FW(config-service-object-group)# service-object esp
FW(config-service-object-group)# service-object tcp destination eq ftp
FW(config-service-object-group)# service-object udp


FW(config)# sh run object-group

object-group network Group-Network
network-object object server01

object-group service Group-Server
service-object icmp
service-object esp
service-object tcp
service-object udp
service-object udp destination eq domain
service-object tcp destination eq ftp

access-list outside line 01 permit object-group Group-Server 202.100.1.0 255.255.255.0 object-group Group-Network

FW(config)# sh run access-list
access-list outside extended permit object-group Group-Server 202.100.1.0 255.255.255.0 object-group Group-Network
access-list outside extended permit tcp host 202.100.1.1 10.1.1.0 255.255.255.0 eq telnet
access-list outside extended permit tcp 202.100.1.0 255.255.255.0 host 192.168.1.1 eq www time-range TimeLimit
access-list outside extended permit tcp 202.100.1.0 255.255.255.0 host 10.1.1.1 eq www time-range TimeLimit
access-list outside extended deny ip any any log
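As an added example (not part of these notes), the following Python script reads the object-group and `sh run access-list` output shown above and evaluates a flow against the ACL in order, the way the firewall's first-match lookup does, so a rule set can be checked offline before `packet-tracer` is run on the box. Object-group expansion, the time-range table, the line numbering and the unreachable-rule check are the script's own simplifications, not ASA internals.

```python
"""Offline first-match evaluation of ASA extended ACLs (added example, not from the notes)."""
import ipaddress
from datetime import datetime, time

# Constructed sample input, copied from the object and ACL output shown in the notes.
OBJECT_TEXT = """\
object network server01
 host 10.1.1.1
object-group network Group-Network
 network-object object server01
object-group service Group-Server
 service-object icmp
 service-object esp
 service-object tcp
 service-object udp
 service-object udp destination eq domain
 service-object tcp destination eq ftp
"""
ACL_TEXT = """\
access-list outside extended permit object-group Group-Server 202.100.1.0 255.255.255.0 object-group Group-Network
access-list outside extended permit tcp host 202.100.1.1 10.1.1.0 255.255.255.0 eq telnet
access-list outside extended permit tcp 202.100.1.0 255.255.255.0 host 192.168.1.1 eq www time-range TimeLimit
access-list outside extended permit tcp 202.100.1.0 255.255.255.0 host 10.1.1.1 eq www time-range TimeLimit
access-list outside extended deny ip any any log
"""
PORTS = {"telnet": 23, "www": 80, "http": 80, "ftp": 21, "domain": 53}
# Hypothetical table standing in for `show run time-range`: name -> (weekdays, start, end).
TIME_RANGES = {"TimeLimit": ({0, 1, 2, 3, 4}, time(8, 0), time(21, 0))}
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_objects(text):
    """Expand object/object-group config into {name: [networks]} and {name: [(proto, port)]}."""
    objects, net_groups, svc_groups, cur = {}, {}, {}, None
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        if tok[0] == "object" and tok[1] == "network":
            cur = objects.setdefault(tok[2], [])
        elif tok[0] == "object-group":
            cur = (net_groups if tok[1] == "network" else svc_groups).setdefault(tok[2], [])
        elif tok[0] == "host":                      # inside `object network`
            cur.append(ipaddress.ip_network(tok[1]))
        elif tok[0] == "subnet":
            cur.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[0] == "network-object":
            if tok[1] == "object":
                cur.extend(objects[tok[2]])
            elif tok[1] == "host":
                cur.append(ipaddress.ip_network(tok[2]))
            else:
                cur.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[0] == "service-object":            # a bare protocol means any port
            port = int(PORTS.get(tok[-1], tok[-1])) if "eq" in tok else None
            cur.append((tok[1], port))
    return net_groups, svc_groups


def _addr(tok, i, net_groups):
    """Consume one address spec starting at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ANY], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return net_groups[tok[i + 1]], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2


def parse_acl(text, net_groups, svc_groups):
    """Parse `show run access-list` lines into ordered rule dicts (line = position, an assumption)."""
    rules = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        i = 3 if tok[2] == "extended" else 2
        action, i = tok[i], i + 1
        if tok[i] == "object-group":
            services, i = svc_groups[tok[i + 1]], i + 2
        else:
            services, i = [(tok[i], None)], i + 1
        src, i = _addr(tok, i, net_groups)
        dst, i = _addr(tok, i, net_groups)
        port, time_range, log = None, None, False
        while i < len(tok):
            if tok[i] == "eq":
                port, i = int(PORTS.get(tok[i + 1], tok[i + 1])), i + 2
            elif tok[i] == "time-range":
                time_range, i = tok[i + 1], i + 2
            else:                                   # "log" or another trailing keyword
                log = log or tok[i] == "log"
                i += 1
        if port is not None:
            services = [(p, port) for p, _ in services]
        rules.append(dict(line=len(rules) + 1, action=action, services=services, src=src,
                          dst=dst, time_range=time_range, log=log, text=raw.strip()))
    return rules


def _active(name, when):
    if name is None:
        return True
    days, start, end = TIME_RANGES[name]
    return when.weekday() in days and start <= when.time() < end


def evaluate(rules, proto, src, dst, dport=None, when=None):
    """First-match lookup; returns the matching rule dict, or None for the implicit deny."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else (when or datetime.now())
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if not any(p in ("ip", proto) and port in (None, dport) for p, port in r["services"]):
            continue
        if any(s in n for n in r["src"]) and any(d in n for n in r["dst"]) and _active(r["time_range"], when):
            return r
    return None


def unreachable_lines(rules):
    """Line numbers that follow an unconditional `ip any any` rule and therefore can never be hit."""
    for idx, r in enumerate(rules):
        if r["services"] == [("ip", None)] and r["src"] == [ANY] and r["dst"] == [ANY] and r["time_range"] is None:
            return [x["line"] for x in rules[idx + 1:]]
    return []


if __name__ == "__main__":
    nets, svcs = parse_objects(OBJECT_TEXT)
    acl = parse_acl(ACL_TEXT, nets, svcs)
    hit = evaluate(acl, "tcp", "202.100.1.5", "10.1.1.1", 80, "2019-06-09T23:00")  # a Sunday night
    print(f"line {hit['line']} {hit['action']}: {hit['text']}")
```

Running it shows why rule order matters with object-groups: Group-Server contains a bare `service-object tcp`, so line 1 already permits any TCP from 202.100.1.0/24 to 10.1.1.1, and the time-limited `eq www` rule on line 4 is never consulted for that host, even outside business hours.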


MPF (Modular Policy Framework)

FW(config)# class-map MatchTraffic
FW(config)# policy-map Behavior
FW(config-pmap)# class MatchTraffic
FW(config-pmap-c)# ?
MPF policy-map class configuration commands:
exit Exit from MPF class action configuration mode
help Help for MPF policy-map class/match submode commands
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
service-policy Configure QoS Service Policy
set Set connection values
shape Traffic Shaping
user-statistics configure user statistics for identity firewall
<cr>
csc Content Security and Control service module
flow-export Configure filters for NetFlow events
inspect Protocol inspection services
ips Intrusion prevention services

FW(config-pmap-c)# inspect http
FW(config-pmap-c)# end


FW(config)# service-policy Behavior interface Outside  apply the policy to the interface



FW(config)# http server telnet
FW(config)# telnet 10.1.1.0 255.255.255.0 inside  allow telnet from the inside network
FW(config)# username admin password cisco123 privilege 15  configure a user and password
FW(config)# aaa authentication telnet console LOCAL  local AAA authentication for telnet

Configure a management class-map by port:
FW(config)# class-map type management MGMT-Telnet
FW(config-cmap)# match port tcp eq telnet
FW(config-cmap)# show runn class-map

class-map type management MGMT-Telnet
match port tcp eq telnet

FW(config)# policy-map Inside-MGMT-telnet
FW(config-pmap)# class MGMT-Telnet  attach the class-map

FW(config-pmap-c)# ?  actions available for the matched management traffic

MPF policy-map class configuration commands:
exit Exit from MPF class action configuration mode
help Help for MPF policy-map class/match submode commands
no Negate or set default values of a command
quit Exit from MPF class action configuration mode
service-policy Configure QoS Service Policy
set Set connection values
shape Traffic Shaping
user-statistics configure user statistics for identity firewall
<cr>
flow-export Configure filters for NetFlow events
inspect Protocol inspection services

FW(config-pmap-c)# set connection conn-max 1  limit to 1 concurrent connection (telnet)

FW(config-pmap-c)# show runn policy-map
!
policy-map Behavior
class MatchTraffic
inspect http
inspect icmp
policy-map Inside-MGMT-telnet
class MGMT-Telnet
set connection conn-max 1
!

FW(config)# service-policy Inside-MGMT-telnet interface Inside  apply the policy to the interface
FW(config)# show runn service-policy
service-policy Behavior global
service-policy Inside-MGMT-telnet interface Inside


Add ICMP inspection
FW(config)# class-map inspection_default
FW(config-cmap)# match default-inspection-traffic

FW(config)# class-map inspection_default
FW(config)# policy-map global_policy
FW(config-pmap)# class inspection_default
FW(config-pmap-c)# inspect icmp
FW(config)# service-policy global_policy global  apply globally

Match VPN traffic
ESP is VPN (IPsec) traffic

FW(config)# access-list ESP permit esp any any
FW(config)# class-map ESP-Class
FW(config-cmap)# match access-list ESP
FW(config)# policy-map global_policy
FW(config-pmap)# ?

MPF policy-map configuration commands
class Policy criteria
description Specify policy-map description
exit Exit from MPF policy-map configuration mode
help Help for MPF policy-map configuration commands
no Negate or set default values of a command
rename Rename this policy-map
<cr>
FW(config-pmap)# class ESP-Class
FW(config-pmap-c)# inspect ipsec-pass-thru

FW(config-pmap-c)# show run policy-map
!
policy-map global_policy
class inspection_default
inspect icmp
class ESP-Class
inspect ipsec-pass-thru
policy-map Behavior
class MatchTraffic
inspect http
policy-map Inside-MGMT-telnet
class MGMT-Telnet
set connection conn-max 2
!


ASA session timeouts



Check the firewall mode
FW# show firewall
