Security - Cisco Firewall TRAINING

Description: PowerPoint PPT presentation. Course flow: Day 1, Day 2, Day 3. Content, objectives and schedule (over 5 days, mornings 9:00-11:30, afternoons 14:00-16:30). Lesson 2: Getting Started with Cisco Security Appliances (continued); Lesson 3: Managing the Security Appliance; Lesson 4: -

Security - Cisco Firewall TRAINING

Course Flow

Content

Objectives

Schedule: over 5 days

Morning from 9:00 to 11:30

Afternoon from 14:00 to 16:30

AM, 8:30-11:30: Theory

PM, 14:00-17:00: Hands-on lab

Day 1

Lesson 1: Cisco Security Appliances Overview
Lesson 2: Getting Started with Cisco Security Appliances
Hands-on lab 1: Console connection setting
Hands-on lab 2: Execute general commands
Hands-on lab 3: Configure Security Appliance Interfaces

Day 2

Lesson 2: Getting Started with Cisco Security Appliances (continued)
Lesson 3: Managing the Security Appliance
Lesson 4: Access Control Lists
Hands-on lab 4: Configure NAT and Routing
Hands-on lab 5: Test the Inside, Outside, and DMZ Interface Connectivity
Hands-on lab 6: Configure ACLs on the Security Appliance

Day 3

Lesson 5: Cisco Adaptive Security Device Manager
Lesson 6: Firewall Switch Modules (FWSM)
Hands-on lab 7: Managing the Security Appliance

Introduction

Trainer Introduction

1. Name:

2. Position :

3. Experiences:

Trainee Introduction

1. Name

2. Position :

3. Network security knowledge and experience…

Lesson 1: Cisco Security Appliances Overview

What Is a Firewall?

[Figure: a firewall connecting the Internet (outside network), a DMZ network and an inside network]

A firewall is a system or group of systems that manages access between two or more networks.

Firewall Technologies

Firewall operations are based on one of three technologies:

• Packet filtering
• Proxy server
• Stateful packet filtering

Packet Filtering

[Figure: Host A on the Internet sends data to DMZ Server B (A to B: Yes) and to Inside Server C (A to C: No)]

Limits information that is allowed into a network based on the destination and source address.

Proxy Server

[Figure: the proxy server sits between the outside network (Internet) and the inside network]

Requests connections on behalf of a client.

Stateful Packet Filtering

[Figure: Host A on the Internet, DMZ Server B and Inside Server C; HTTP data from A to B is checked against the state table]

State Table

Source address   Source port   Destination address   Destination port   Initial sequence no.   Ack   Flag
172.16.0.50      1026          10.0.0.11             80                 49091                        Syn
172.16.0.50      1026          192.168.0.20          80                 49769                        Syn

Limits information that is allowed into a network based not only on the destination and source addresses, but also on the packet's state table content.

Security Appliances: What Are They?

Cisco security appliances deliver enterprise-class security for small-to-medium-sized business and enterprise networks in a modular, purpose-built appliance. Some features of Cisco security appliances are:

• Proprietary operating system
• Stateful packet inspection
• User-based authentication
• Protocol and application inspection
• Modular policy framework
• Virtual private networking
• Security contexts (virtual firewalls)
• Stateful failover capabilities
• Transparent firewalls
• Web-based management solutions

Proprietary Operating System

Eliminates the risks associated with general-purpose operating systems

Stateful Packet Inspection

The stateful packet inspection algorithm provides stateful connection security.

• It tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags.
• It randomizes the initial TCP sequence number of each new connection.

By default, the stateful packet inspection algorithm allows connections originating from hosts on inside (higher security level) interfaces.

By default, the stateful packet inspection algorithm drops connection attempts originating from hosts on outside (lower security level) interfaces.

The stateful packet inspection algorithm supports authentication, authorization, and accounting.
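The default policy and the state table described in this lesson, as an added example in Python (not part of the course slides and not Cisco's implementation). It also covers the security-level rule stated later in Lesson 2 (higher level may reach lower, lower may not reach higher unless permitted, equal levels need same-security-traffic). The interface names and levels follow the lesson's security-level example (outside 0, dmz 50, inside 100); the 4-tuple connection key, the Packet fields and the StatefulFirewall class are this example's own simplifications, and ISN randomization is simulated with Python's random module rather than rewritten into a real packet.

```python
"""Toy model of the stateful packet-inspection policy described above.

Added example, not from the course slides or Cisco's implementation.
Assumptions: a connection is identified by (src, sport, dst, dport); the
"inside", "dmz" and "outside" names and levels follow the lesson's security
level example; the ISN is only recorded, not rewritten in a real packet.
"""
import random
from dataclasses import dataclass

# Security levels from the lesson's security-level example.
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}


@dataclass(frozen=True)
class Packet:
    in_iface: str     # interface the packet arrives on
    out_iface: str    # interface it would leave through
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "SYN"


class StatefulFirewall:
    def __init__(self, same_security_traffic=False, seed=None):
        # key: (src, sport, dst, dport) -> randomized initial sequence number
        self.state_table = {}
        self.same_security_traffic = same_security_traffic
        self._rng = random.Random(seed)

    def _default_policy_allows(self, pkt):
        """Higher security level to lower is allowed; lower to higher is not."""
        src_lvl = SECURITY_LEVEL[pkt.in_iface]
        dst_lvl = SECURITY_LEVEL[pkt.out_iface]
        if src_lvl > dst_lvl:
            return True
        if src_lvl == dst_lvl:
            return self.same_security_traffic  # needs same-security-traffic permit
        return False

    def process(self, pkt):
        """Return "allow" or "drop", recording new connections in the state table."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state_table or reverse in self.state_table:
            return "allow"  # belongs to a tracked connection, either direction
        if not self._default_policy_allows(pkt):
            return "drop"   # unsolicited traffic toward a higher security level
        if "SYN" in pkt.flags:
            # New connection: the appliance randomizes the ISN the peer sees.
            self.state_table[key] = self._rng.randrange(1, 2 ** 32)
        return "allow"

    def show_state_table(self):
        """Lines in the shape of the slide's state table."""
        lines = ["Source address  Sport  Destination address  Dport  ISN"]
        for (src, sport, dst, dport), isn in self.state_table.items():
            lines.append(f"{src:<15} {sport:<6} {dst:<20} {dport:<6} {isn}")
        return lines


if __name__ == "__main__":
    fw = StatefulFirewall(seed=7)
    # Constructed sample: inside host opens HTTP to a DMZ server, reply returns,
    # then the DMZ server tries a fresh connection back toward the inside.
    out = Packet("inside", "dmz", "10.0.0.11", 1026, "172.16.0.50", 80)
    back = Packet("dmz", "inside", "172.16.0.50", 80, "10.0.0.11", 1026, "SYN,ACK")
    new = Packet("dmz", "inside", "172.16.0.50", 80, "10.0.0.11", 2000)
    for p in (out, back, new):
        print(p.src, p.sport, "->", p.dst, p.dport, fw.process(p))
    print("\n".join(fw.show_state_table()))
```

The third packet is dropped even though it comes from the same server the inside host is talking to: only the tracked 4-tuple (or its reverse) passes, which is the difference between stateful and plain packet filtering.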

Application-Aware Inspection

[Figure: FTP client (control port 2008, data port 2010) and FTP server (control port 21, data port 20); the client announces "Data - Port 2010" on the control channel, the appliance notes "Port 2010 OK" and lets the data connection through]

Protocols such as FTP, HTTP, H.323, and SQL*Net need to negotiate connections to dynamically assigned source or destination ports through the firewall.

The security appliance inspects packets above the network layer.

The security appliance securely opens and closes negotiated ports for legitimate client-server connections through the firewall.

Modular Policy

[Figure: headquarters with system engineers and executives, Site B and Site C connected over T1 and the Internet by site-to-site (S2S) VPNs]

Class map (traffic flow): Default, Internet, Systems Engineer, Executives, Site to Site
Policy map (services): Inspect, IPS, Police, Priority
Service policy (interface/global): Global, Outside

Virtual Private Network

[Figure: site-to-site and remote-access VPNs over the Internet between a bank's headquarters and its sites, using IPsec VPN and SSL VPN]

Security Context (Virtual Firewall)

[Figure: four physical firewalls versus one physical firewall hosting four virtual firewalls, all connected to the Internet]

Ability to create multiple security contexts (virtual firewalls) within a single security appliance.

Failover Capabilities: Active/Standby, Active/Active, and Stateful Failover

[Figure: Active/Standby failover, with the primary unit failed and the secondary unit active; Active/Active failover, with contexts split so that the primary is failed/standby and the secondary is active for both]

Failover protects the network if the primary security appliance goes offline.

– Active/standby: Only one unit can be actively processing traffic; the other is a hot standby.

– Active/active: Both units can process traffic and serve as backup units.

Stateful failover maintains the operating state during failover.


Transparent Firewall

[Figure: hosts 192.168.1.2 and 192.168.1.5 on the same subnet, separated by the transparent firewall, with the Internet beyond]

Has the ability to deploy a security appliance in a secure bridging mode.

Provides rich Layer 2 through 7 security services as a Layer 2 device.

Web-Based Management Solutions

Adaptive Security Device Manager

Models and Features of Cisco Security Appliances

ASA 5500 Series

[Figure: positioning chart of price against functionality, from SOHO and ROBO through SMB and enterprise to service provider (SP): ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550; the chart also marks Gigabit Ethernet]

SP = service provider

PIX 500 Series

[Figure: positioning chart of price against functionality, from SOHO through ROBO and SMB to enterprise and SP: PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535; the chart also marks Gigabit Ethernet]

Cisco ASA 5510 Adaptive Security Appliance

Delivers advanced security and networking services, including high-performance VPN services, for small and medium-sized businesses and enterprise branch offices

• Provides up to 130,000 concurrent connections
• Provides up to 300-Mbps firewall throughput
• Provides interface support: up to 5 10/100 Fast Ethernet interfaces, up to 25 VLANs, up to 5 contexts
• Supports failover: active/standby
• Supports VPNs: site to site (250 peers), remote access, WebVPN
• Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port Gigabit Ethernet SSM)

Cisco ASA 5520 Adaptive Security Appliance

Delivers advanced security services, including high-performance VPN services, for medium-sized enterprise networks

• Provides up to 280,000 concurrent connections
• Provides up to 450-Mbps firewall throughput
• Provides interface support: 4 10/100/1000 Gigabit Ethernet interfaces, 1 10/100 Fast Ethernet interface, up to 100 VLANs, up to 20 contexts
• Supports failover: active/standby, active/active
• Supports VPNs: site to site (750 peers), remote access, WebVPN
• Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port Gigabit Ethernet SSM)

Cisco ASA 5540 Adaptive Security Appliance

Delivers high-performance, high-density security services, including high-performance VPN services, for medium-sized and large enterprise networks and service provider networks

• Provides up to 400,000 concurrent connections
• Provides up to 650-Mbps firewall throughput
• Provides interface support: 4 10/100/1000 Gigabit Ethernet interfaces, 1 10/100 Fast Ethernet interface, up to 200 VLANs, up to 50 contexts
• Supports failover: active/standby, active/active
• Supports VPNs: site to site (5,000 peers), remote access, WebVPN
• Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port Gigabit Ethernet SSM)

ASA 5510, 5520, and 5540 Adaptive Security Appliances Front Panel

[Figure: front panel with Power, Status, Active, Flash and VPN LEDs; Cisco Systems, Inc.]

ASA 5510, 5520, and 5540 Adaptive Security Appliances Back Panel

[Figure: back panel showing the security services module slot, the fixed interfaces and the CompactFlash slot]

ASA 5510, 5520, and 5540 Adaptive Security Appliances Connectors

• Four 10/100/1000 Gigabit Ethernet ports*
• 10/100 out-of-band management port
• AUX port
• CompactFlash
• Two USB 2.0 ports
• Power supply (AC or DC)
• Console port

*The ASA 5510 Adaptive Security Appliance supports 10/100 Fast Ethernet ports.

Cisco ASA Security Services Module

High-performance module designed to provide additional security services

Diskless (Flash-based) design for improved reliability

Gigabit Ethernet port for out-of-band management

SSM Models

[Figure: SSM faceplate with Power, Status, Speed and Link/activity LEDs]

SSM-10: 2.0-GHz processor, 1.0 GB RAM
SSM-20: 2.4-GHz processor, 2.0 GB RAM

Four-Port Gigabit Ethernet SSM

[Figure: module faceplate with RJ-45 ports and SFP ports, RJ-45 link and speed LEDs, SFP link and speed LEDs, Power LED and Status LED]

Summary

A firewall is a system or group of systems that manages access between two or more networks.

A stateful firewall is the most effective of these technologies; Cisco security appliances, including the Cisco PIX and ASA, are stateful firewalls. The ASA 5510 and 5520 security appliances target small and medium-sized enterprises. The functionality of the security appliances can be expanded with SSMs.

Lesson 2: Getting Started with Cisco Security Appliances

User Interface

Security Appliance Access Modes

A Cisco security appliance has four main administrative access modes:

• Unprivileged: ciscoasa>
• Privileged: ciscoasa#
• Configuration: ciscoasa(config)#
• Monitor: monitor>

Access Privileged Mode

ciscoasa> enable [priv_level]

Used to control access to the privileged mode. Enables you to enter other access modes.

ciscoasa> enable
password:
ciscoasa#

Access Configuration Mode: configure terminal Command

ciscoasa# configure terminal

Used to start configuration mode to enter configuration commands from a terminal

ciscoasa# exit

Used to exit from an access mode

ciscoasa> enable
password:
ciscoasa# configure terminal
ciscoasa(config)# exit
ciscoasa# exit
ciscoasa>

help Command

ciscoasa> help ?
enable   Turn on privileged commands
exit     Exit the current command mode
login    Log in as a particular user
logout   Exit from current user profile to unprivileged mode
perfmon  Change or view performance monitoring options
ping     Test connectivity from specified interface to an IP address
quit     Exit the current command mode

ciscoasa> help enable
USAGE:
enable [<priv_level>]

Viewing and Saving Your Configuration

File Management

The following commands enable you to view your configuration:

show running-config
show startup-config

The following commands enable you to save your configuration:

copy run start
write memory

[Figure: configuration changes go into the running-config; copy run start saves it to the startup-config]

Clearing Running Configuration

ciscoasa(config)# clear configure all

Clears the running configuration

ciscoasa(config)# clear config all

[Figure: the running-config is reset to the default; the startup-config is untouched]

Clearing Startup Configuration

ciscoasa# write erase

Clears the startup configuration

[Figure: the startup-config is reset to the default; the running-config is untouched]

Reload the Configuration: reload Command

ciscoasa# reload [at hh:mm [month day | day month]] [cancel] [in [hh:]mm] [max-hold-time [hh:]mm] [noconfirm] [quick] [reason text] [save-config]

Reboots the security appliance and reloads the configuration

Allows scheduled reboots

ciscoasa# reload
Proceed with reload?[confirm] y
Rebooting...

File System

Release 7.0 and later stores: software image, configuration file, private data, ASDM image, backup image*, backup configuration file*

Displaying Stored Files: System and Configuration

ciscoasa# dir [/all] [/recursive] [all-filesystems] [disk0: | disk1: | flash: | system:]

Display the directory contents. The file system is flash: on the PIX Security Appliance and disk0: or disk1: on the ASA.

ciscoasa# dir
Directory of disk0:/
8     -rw- 8202240  13:37:33 Jul 28 2006 asa721-k8.bin
1264  -rw- 5539756  13:21:13 Jul 28 2006 asdm-521.bin
62947328 bytes total (49152000 bytes free)

Security Level Example

Outside network: GigabitEthernet0/0 (g0/0), security level 0, interface name = outside, toward the Internet
DMZ network: GigabitEthernet0/2 (g0/2), security level 50, interface name = DMZ
Inside network: GigabitEthernet0/1 (g0/1), security level 100, interface name = inside

Examining Security Appliance Status

show Commands

show interface
show run interface

asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Detected: Speed 1000 Mbps, Full-duplex
  Requested: Auto
  MAC address 000b.fcf8.c538, MTU 1500
  IP address 192.168.1.2, subnet mask 255.255.255.0
  0 packets input, 0 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 packets output, 0 bytes, 0 underruns
  input queue (curr/max blocks): hardware (0/0) software (0/0)
  output queue (curr/max blocks): hardware (0/0) software (0/0)
  Received 0 VLAN untagged packets, 0 bytes
  Transmitted 0 VLAN untagged packets, 0 bytes
  Dropped 0 VLAN untagged packets

asa1# show run interface
. . .
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
. . .

show memory Command

ciscoasa# show memory

asa1# show memory
Free memory:  468962336 bytes (87%)
Used memory:   67908576 bytes (13%)
-------------  ----------------
Total memory: 536870912 bytes (100%)

show cpu usage Command

ciscoasa# show cpu usage

asa1# show cpu usage
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

[Figure: asa1 between inside hosts 10.0.1.11 and 10.0.1.4 and the Internet]

show version Command

asa1# show version
Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)

Compiled on Wed 31-May-06 14:45 by root
System image file is "disk0:/asa721-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 2 mins 51 secs

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
. . .

show ip address Command

asa1# show ip address
System IP Addresses:
Interface            Name     IP address    Subnet mask      Method
GigabitEthernet0/0   outside  192.168.1.2   255.255.255.0    CONFIG
GigabitEthernet0/1   inside   10.0.1.1      255.255.255.0    CONFIG
GigabitEthernet0/2   dmz      172.16.1.1    255.255.255.0    CONFIG
Current IP Addresses:
Interface            Name     IP address    Subnet mask      Method
GigabitEthernet0/0   outside  192.168.1.2   255.255.255.0    CONFIG
GigabitEthernet0/1   inside   10.0.1.1      255.255.255.0    CONFIG
GigabitEthernet0/2   dmz      172.16.1.1    255.255.255.0    CONFIG

[Figure: asa1 with 192.168.1.2 on the outside network 192.168.1.0 toward the Internet, 10.0.1.1 on the inside network 10.0.1.0 (with 10.1.1.0 behind it), and 172.16.1.1 on the DMZ network 172.16.1.0]

show interface Command

asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
  Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
  MAC address 0013.c482.2e4c, MTU 1500
  IP address 192.168.1.2, subnet mask 255.255.255.0
  8 packets input, 1078 bytes, 0 no buffer
  Received 8 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 L2 decode drops
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions
  0 late collisions, 0 deferred
  input queue (curr/max blocks): hardware (8/0) software (0/0)
  output queue (curr/max blocks): hardware (0/0) software (0/0)
 Traffic Statistics for "outside":
  8 packets input, 934 bytes
  0 packets output, 0 bytes
  8 packets dropped
 1 minute input rate 0 pkts/sec, 0 bytes/sec
 1 minute output rate 0 pkts/sec, 0 bytes/sec
 1 minute drop rate, 0 pkts/sec
 5 minute input rate 0 pkts/sec, 0 bytes/sec
 5 minute output rate 0 pkts/sec, 0 bytes/sec
 5 minute drop rate, 0 pkts/sec

show nameif Command

asa1# show nameif
Interface            Name     Security
GigabitEthernet0/0   outside  0
GigabitEthernet0/1   inside   100
GigabitEthernet0/2   dmz      50

[Figure: g0/0 = outside (security level 0) toward the Internet, g0/2 = dmz (security level 50), g0/1 = inside (security level 100)]

show run nat Command

ciscoasa# show run nat

Displays a single host or range of hosts to be translated

asa1# show run nat
nat (inside) 1 10.0.1.0 255.255.255.0 0 0

[Figure: inside hosts 10.0.1.11 and 10.0.1.4 on 10.0.1.X are translated to X.X.X.X toward the Internet]

show run global Command

ciscoasa# show run global

Displays the pool of mapped addresses

asa1# show run global
global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0

[Figure: inside hosts 10.0.1.11 and 10.0.1.4 on 10.0.1.X use the mapped pool 192.168.1.20-192.168.1.254 toward the Internet]

show xlate Command

ciscoasa# show xlate

Displays the contents of the translation slots

asa1# show xlate
1 in use, 1 most used
Global 192.168.1.20 Local 10.0.1.11

Xlate Table

Inside local   Outside mapped pool
10.0.1.11      192.168.1.20

[Figure: inside hosts 10.0.1.11 and 10.0.1.4; 10.0.1.11 appears as 192.168.1.20 toward the Internet]

show route Command

ciscoasa# show route [interface_name [ip_address [netmask [static]]]]

Displays the contents of the routing table

asa1(config)# show route
S    0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
C    10.0.1.0 255.255.255.0 is directly connected, inside
C*   127.0.0.0 255.255.0.0 is directly connected, cplane
C    172.16.1.0 255.255.255.0 is directly connected, dmz
C    192.168.1.0 255.255.255.0 is directly connected, outside

[Figure: g0/0 on 192.168.1.0 toward the Internet, g0/1 on 10.0.1.0 (.1), g0/2 on 172.16.1.0]

ping Command

ciscoasa# ping [if_name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]

Determines whether other devices are visible from the security appliance

asa1# ping 10.0.1.11
Sending 5, 100-byte ICMP Echos to 10.0.1.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

[Figure: asa1 pings inside host 10.0.1.11; 10.0.1.4 is another inside host; the Internet is on the outside]

traceroute Command

ciscoasa# traceroute {destination_ip | hostname} [source source_ip | source-interface] [numeric] [timeout timeout_value] [probe probe_num] [ttl min_ttl max_ttl] [port port_value] [use-icmp]

Determines the route packets will take to their destination

asa1# traceroute 172.26.26.20

[Figure: the trace goes out through the Internet toward example.com]

Basic Security Appliance Configuration

Basic CLI Commands for Security Appliances

hostname
interface
 • nameif
 • ip address
 • security-level
 • speed
 • duplex
 • no shutdown
nat-control
nat
global
route

[Figure: g0/0 toward the Internet, g0/1, g0/2]

Assigning a Hostname to Security Appliance: Changing the CLI Prompt

ciscoasa(config)# hostname newname

Changes the hostname in the security appliance CLI prompt

ciscoasa(config)# hostname asa1
asa1(config)#

[Figure: three sites connected over the Internet, each with a server behind its appliance: New York (asa1), Boston (asa2), Dallas (asa3)]

interface Command and Subcommands

ciscoasa(config)# interface {physical_interface[.subinterface] | mapped_name}

Enters configuration mode for the interface you specify

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)#

[Figure: GigabitEthernet0/0 (g0/0) toward the Internet, GigabitEthernet0/1 (g0/1), GigabitEthernet0/2 (g0/2)]

Assign an Interface Name: nameif Subcommand

ciscoasa(config-if)# nameif if_name

Assigns a name to an interface on the security appliance.

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside

[Figure: GigabitEthernet0/0 = outside toward the Internet, GigabitEthernet0/1 = inside, GigabitEthernet0/2 = dmz]

Assign Interface IP Address: ip address Subcommand

ciscoasa(config-if)# ip address ip_address [mask] [standby ip_address]

Assigns an IP address to each interface

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address 192.168.1.2 255.255.255.0

[Figure: GigabitEthernet0/0 (g0/0), interface name = outside, IP address = 192.168.1.2, toward the Internet]

DHCP-Assigned Address

ciscoasa(config-if)# ip address dhcp [setroute]

Enables the DHCP client feature on the outside interface

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address dhcp

[Figure: GigabitEthernet0/0 (g0/0), interface name = outside, IP address assigned by DHCP, toward the Internet]

Assign a Security Level: security-level Subcommand

ciscoasa(config-if)# security-level number

Assigns a security level to the interface

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address 192.168.1.2
asa1(config-if)# security-level 0

[Figure: GigabitEthernet0/0 (g0/0), interface name = outside, IP address = 192.168.1.2, security level = 0, toward the Internet]

Interfaces with Same Security Level: same-security-traffic Command

ciscoasa(config)# same-security-traffic permit {inter-interface | intra-interface}

Enables communication between interfaces with the same security level or allows traffic to enter and exit the same interface

asa1(config)# same-security-traffic permit inter-interface

[Figure: DMZ network on GigabitEthernet0/2 (dmz) and inside network on GigabitEthernet0/1 (inside), both at security level 100; g0/0 toward the Internet]

Assign an Interface Speed and Duplex: speed and duplex Subcommands

ciscoasa(config-if)# speed {10 | 100 | 1000 | auto | nonegotiate}
ciscoasa(config-if)# duplex {auto | full | half}

Set the interface speed and duplex

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address 192.168.1.2
asa1(config-if)# security-level 0
asa1(config-if)# speed 1000
asa1(config-if)# duplex full

[Figure: GigabitEthernet0/0 (g0/0), speed = 1000, duplex = full]

ASA Management Interface

ciscoasa(config-if)# management-only

Configures an interface to accept management traffic only

ciscoasa(config-if)# no management-only

Disables management-only mode (for ASA 5520, 5540 and 5550)

asa1(config)# interface management0/0
asa1(config-if)# no management-only

[Figure: Management0/0 (m0/0), management only = no; g0/0 toward the Internet, g0/1, g0/2]

Enabling and Disabling Interfaces: shutdown Subcommand

ciscoasa(config-if)# shutdown

Disables an interface; no shutdown = enabled

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# no shutdown

[Figure: GigabitEthernet0/0 (g0/0) enabled, toward the Internet]

Network Address Translation

[Figure: inside hosts 10.0.0.11 and 10.0.0.4; the translation table maps inside local 10.0.0.11 to outside mapped-pool address 192.168.0.20; the packet leaves NAT toward the Internet with the mapped address]

Enable NAT Control

asa1(config)# nat-control

Enable or disable the NAT configuration requirement

[Figure: with NAT control, inside host 10.0.0.11 needs a translation (10.0.0.11 to 192.168.0.20 in the translation table) before it can reach the Internet]

nat Command

ciscoasa(config)# nat (if_name) nat_id address [netmask] [dns]

Enables IP address translation

asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0

[Figure: inside hosts 10.0.1.11 and 10.0.1.4; 10.0.1.11 is translated to X.X.X.X toward the Internet]

global Command

ciscoasa(config)# global (if_name) nat_id {mapped_ip[-mapped_ip] [netmask mapped_mask]} | interface

Works with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall, for example, 192.168.0.20-192.168.0.254

asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0
asa1(config)# global (outside) 1 192.168.1.20-192.168.1.254

[Figure: inside host 10.0.1.11 is translated to 192.168.1.20 toward the Internet; 10.0.1.4 is another inside host]

Configure a Static Route: route Command

ciscoasa(config)# route if_name ip_address netmask gateway_ip [metric]

Defines a static or default route for an interface

asa1(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
asa1(config)# route inside 10.1.1.0 255.255.255.0 10.0.1.102 1

[Figure: default route via 192.168.1.1 toward the Internet; static route to 10.1.1.0 (hosts 10.1.1.11 and 10.1.1.4) via the inside router 10.0.1.102]

Host Name-to-IP-Address Mapping: name Command

ciscoasa(config)# name ip_address name

Configures a list of name-to-IP-address mappings on the security appliance

asa1(config)# names
asa1(config)# name 172.16.1.2 bastionhost
asa1(config)# name 10.0.1.11 insidehost

[Figure: "bastionhost" 172.16.1.2 on the DMZ network 172.16.1.0 (appliance at .1); "insidehost" 10.0.1.11 on the inside network 10.0.1.0 (appliance at .1); appliance at .2 on the outside toward the Internet]

Configuration Example

asa1(config)# write terminal
. . .
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
. . .

[Figure: GigabitEthernet0/0, interface name = outside, security level = 0, IP address = 192.168.1.2 (network 192.168.1.0 toward the Internet); GigabitEthernet0/1, interface name = inside, security level = 100, IP address = 10.0.1.1 (network 10.0.1.0, with 10.1.1.0 behind it); 172.16.1.0 on the DMZ]

Configuration Example (Cont.)

interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 speed 1000
 duplex full
 ip address 172.16.1.1 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
hostname asa1
names
name 172.16.1.2 bastionhost
name 10.1.1.11 insidehost

[Figure: GigabitEthernet0/2, interface name = dmz, security level = 50, IP address = 172.16.1.1; "bastionhost" 172.16.1.2 on 172.16.1.0; "insidehost" 10.1.1.11 on 10.1.1.0]

Configuration Example (Cont.)

nat-control
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 192.168.1.20-192.168.1.254
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.1.1.0 255.255.255.0 10.0.1.102 1

[Figure: mapped pool 192.168.1.20 - 254 on the outside network 192.168.1.0 (appliance at .2, default route via .1 toward the Internet); inside network 10.0.1.0 with the appliance at .1 and the router at .102 providing the static route to 10.1.1.0 ("insidehost" 10.1.1.11); DMZ 172.16.1.0 with the appliance at .1 and "bastionhost" 172.16.1.2]
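The interface part of the configuration example, parsed back into the show nameif view and checked against the rules this lesson states (every active interface needs a nameif, a security level and an address; the outside interface sits at level 0; two interfaces at the same level cannot talk without same-security-traffic permit inter-interface). This is an added example in Python, not part of the course slides and not a Cisco tool. SAMPLE_CONFIG is constructed from the configuration example above (plus a shut Management0/0 added here to exercise the shutdown case); the check wording, the parse_interfaces, show_nameif and audit names are this example's own.

```python
"""Parse the interface blocks of a running configuration into the view that
show nameif gives, then check the points this lesson makes about interfaces.

Added example, not from the course slides or Cisco's tooling. SAMPLE_CONFIG is
constructed from the lesson's configuration example (plus a shut Management0/0
added here); the checks and their wording are this example's own.
"""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 speed 1000
 duplex full
 ip address 172.16.1.1 255.255.255.0
!
interface Management0/0
 shutdown
!
hostname asa1
"""

INTERFACE_RE = re.compile(r"^interface (\S+)$")


def parse_interfaces(config_text):
    """Return {interface: {"nameif", "security_level", "ip", "mask", "shutdown"}}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m:
            current = interfaces.setdefault(m.group(1), {"shutdown": False})
            continue
        if line == "!":          # end of the interface block
            current = None
            continue
        if current is None:      # global command outside any interface block
            continue
        parts = line.split()
        if parts[:1] == ["nameif"]:
            current["nameif"] = parts[1]
        elif parts[:1] == ["security-level"]:
            current["security_level"] = int(parts[1])
        elif parts[:2] == ["ip", "address"]:
            current["ip"] = parts[2]                      # "dhcp" is possible here
            current["mask"] = parts[3] if len(parts) > 3 else None
        elif line == "shutdown":
            current["shutdown"] = True
    return interfaces


def show_nameif(interfaces):
    """Rows of Interface / Name / Security, like the show nameif output."""
    rows = []
    for name, info in interfaces.items():
        if "nameif" in info:
            rows.append((name, info["nameif"], info.get("security_level")))
    return rows


def audit(interfaces, same_security_traffic=False):
    """Findings about active interfaces that the lesson's rules would flag."""
    findings, by_level = [], {}
    for name, info in interfaces.items():
        if info["shutdown"]:
            continue                                    # passes no traffic anyway
        label = f"{name} ({info.get('nameif', 'no nameif')})"
        if "nameif" not in info:
            findings.append(f"{label}: active interface without a nameif")
        if "security_level" not in info:
            findings.append(f"{label}: no security-level configured")
        if "ip" not in info:
            findings.append(f"{label}: no ip address configured")
        if info.get("nameif") == "outside" and info.get("security_level") != 0:
            findings.append(f"{label}: outside interface is not at security level 0")
        if "security_level" in info and "nameif" in info:
            by_level.setdefault(info["security_level"], []).append(info["nameif"])
    if not same_security_traffic:
        for level, names in by_level.items():
            if len(names) > 1:
                findings.append(
                    f"{names} share security level {level}; traffic between them "
                    "is blocked until same-security-traffic permit inter-interface is set")
    return findings


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for row in show_nameif(ifaces):
        print("{:<20} {:<8} {}".format(*row))
    print(audit(ifaces) or "no findings")
```

Run as is it prints the same three rows as the show nameif slide and no findings; change the dmz level to 100 and the audit reports the inside/dmz pair that the same-security-traffic slide addresses.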

SummarySummary

Cisco security appliances have four main administrative access modes: unprivileged, privileged, configuration, and monitor.

There are two configuration memories in the Cisco security appliances: running configuration and startup configuration.

The show running-config command displays the current configuration in the security appliance RAM on the terminal.

You can use the copy run start or the write memory command to save the current running configuration to flash memory as the startup configuration.

Interfaces with a higher security level can access interfaces with a lower security level, but interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.

The security appliance show commands help you manage the security appliance.

The basic commands that are necessary to configure Cisco security appliances are the following: interface, nat, global, and route.

The nat and global commands work together to translate IP addresses.

Lesson 3: Managing the Security Appliance

Managing System Access

Configuring Telnet Access to the Security Appliance Console

ciscoasa(config)# telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}

Enables you to specify which hosts can access the security appliance console with Telnet and set the maximum time a console Telnet session can be idle before being logged off by the security appliance

ciscoasa(config)# passwd password [encrypted]

Sets the password for Telnet access to the security appliance

asa1(config)# telnet 10.0.0.11 255.255.255.255 inside
asa1(config)# telnet timeout 15
asa1(config)# passwd telnetpass

[Figure: host 10.0.0.11 on the inside opens a Telnet session to the appliance; the Internet is on the outside]

Viewing and Disabling Telnet

ciscoasa# kill telnet_id

Terminates a Telnet session

ciscoasa# who [local_ip]

Enables you to view which IP addresses are currently accessing the security appliance console via Telnet

ciscoasa(config)# clear configure telnet

Removes the Telnet connection and the idle timeout from the configuration

ciscoasa# show running-config telnet [timeout]

Displays IP addresses permitted to access the security appliance via Telnet

SSH Connections to the Security Appliance

SSH connections to the security appliance:

• Provide secure remote access
• Provide strong authentication and encryption
• Require RSA key pairs for the security appliance
• Require 3DES/AES or DES activation keys
• Allow up to five SSH clients to simultaneously access the security appliance console
• Use the Telnet password for local authentication

Configuring SSH Access to the Security Appliance Console

ciscoasa(config)# crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]
Removes any previously generated RSA keys

ciscoasa(config)# write memory
Saves the CA state

ciscoasa(config)# domain-name name
Configures the domain name

ciscoasa(config)# crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]
Generates an RSA key pair

ciscoasa(config)# ssh {ip_address mask | ipv6_address/prefix} interface
Specifies the host or network authorized to initiate an SSH connection

ciscoasa(config)# ssh timeout number
Specifies how long a session can be idle before being disconnected

Connecting to the Security Appliance with an SSH Client

asa1(config)# crypto key zeroize rsa
asa1(config)# write memory
asa1(config)# domain-name cisco.com
asa1(config)# crypto key generate rsa modulus 1024
asa1(config)# write memory
asa1(config)# ssh 172.26.26.50 255.255.255.255 outside
asa1(config)# ssh timeout 30

[Figure: SSH client 172.26.26.50 connects over the Internet, logging in with username pix and the Telnet password]
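A check of the Telnet and SSH console-access lines from this lesson, as an added example in Python (not part of the course slides and not a Cisco tool). It reads lines in the telnet/ssh syntax shown above and reports what the lesson's own practice would question: Telnet permitted from the outside (the Telnet password crosses the network in cleartext, which is why the remote-access example uses SSH), source masks broader than a single host or subnet, and missing or long idle timeouts. SAMPLE_LINES are constructed from the slides' commands; UNTRUSTED_INTERFACES, the /24 and 30-minute thresholds and the function names are this example's assumptions.

```python
"""Audit the Telnet and SSH console-access lines of a running configuration
against the practice shown in this lesson: Telnet only from named inside
hosts, SSH for access from less trusted interfaces, idle timeouts configured.

Added example, not from the course slides or Cisco's tooling. SAMPLE_LINES are
constructed from the commands on the slides; UNTRUSTED_INTERFACES and the
thresholds are assumptions of this example.
"""
import re

SAMPLE_LINES = [
    "telnet 10.0.0.11 255.255.255.255 inside",
    "telnet timeout 15",
    "ssh 172.26.26.50 255.255.255.255 outside",
    "ssh timeout 30",
]

UNTRUSTED_INTERFACES = {"outside"}        # assumption: reachable from the Internet
ACCESS_RE = re.compile(r"^(telnet|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
TIMEOUT_RE = re.compile(r"^(telnet|ssh) timeout (\d+)$")


def mask_bits(dotted_mask):
    """Prefix length of a dotted-decimal mask (255.255.255.0 -> 24)."""
    return sum(bin(int(octet)).count("1") for octet in dotted_mask.split("."))


def audit_management_access(lines, max_idle_minutes=30, min_prefix=24):
    """Return a list of findings; an empty list means the lines pass."""
    findings, timeouts, protocols_in_use = [], {}, set()
    for raw in lines:
        line = raw.strip()
        m = TIMEOUT_RE.match(line)
        if m:
            timeouts[m.group(1)] = int(m.group(2))
            continue
        m = ACCESS_RE.match(line)
        if not m:
            continue
        proto, host, mask, iface = m.groups()
        protocols_in_use.add(proto)
        bits = mask_bits(mask)
        if proto == "telnet" and iface in UNTRUSTED_INTERFACES:
            findings.append(f"telnet permitted on {iface}: the Telnet password "
                            "travels in cleartext; use ssh there")
        if bits < min_prefix:
            findings.append(f"{proto} allowed from {host}/{bits} on {iface}: "
                            f"source range is broader than /{min_prefix}")
    for proto in sorted(protocols_in_use):
        if proto not in timeouts:
            findings.append(f"no {proto} timeout configured explicitly")
        elif timeouts[proto] > max_idle_minutes:
            findings.append(f"{proto} timeout {timeouts[proto]} min exceeds "
                            f"the {max_idle_minutes} min limit")
    return findings


if __name__ == "__main__":
    print(audit_management_access(SAMPLE_LINES) or "sample lines pass")
    # Constructed counter-example: Telnet open to everyone on the outside.
    for finding in audit_management_access(["telnet 0.0.0.0 0.0.0.0 outside"]):
        print("-", finding)
```

The lines can be fed straight from show running-config telnet and show running-config ssh output; anything that does not match the two patterns is ignored, so the full running configuration can be passed as well.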

Managing Software, Licenses, and Configurations

Viewing Directory Contents

Displays the directory contents

dir [/all] [/recursive] [all-filesystems | [disk0: | disk1: | flash: | system:] path]

ciscoasa#

asa1# dir

Directory of disk0:/

4346 -rw- 8202240 15:01:10 Oct 19 2006 asa721-k8.bin

6349 -rw- 5539756 15:30:39 Oct 19 2006 asdm521.bin

7705 -rw- 3334 07:03:57 Oct 22 2006 old_running.cfg

62947328 bytes total (29495296 bytes free)


You can use the pwd command to display the current working directory.

Copying Files

Copies a file from one location to another

copy [/noconfirm | /pcap] {url | running-config | startup-config} {running-config | startup-config | url}

ciscoasa#

Copies the file MYCONTEXT.cfg from disk0 to the startup configuration

asa1# copy disk0:MYCONTEXT.cfg startup-config

Downloading and Backing Up Configuration Files Example

Copies the configuration file from an FTP server to the startup configuration

copy ftp: startup-config

Copies the running configuration to an FTP server

copy running-config ftp:

Diagram: the security appliance exchanges the configuration file with an FTP server on the lab network (10.0.0.3).

FTP, like TFTP, carries the login credentials and the configuration file (which contains password hashes and any preshared keys) in cleartext, so run these transfers only over a trusted management network.

Image Upgrade

Viewing Version Information

asa1# show version

Cisco Adaptive Security Appliance Software Version 7.2(1)

Device Manager Version 5.2(1)

Compiled on Wed 31-May-06 14:45 by root

System image file is "disk0:/asa721-k8.bin"

Config file at boot was "startup-config"

asa1 up 17 hours 40 mins . . .

show version

ciscoasa#

Displays the software version, hardware configuration, license key, and related uptime data


Image Upgrade

asa1# copy tftp://10.0.0.3/asa721-k8.bin flash

copy tftp://server[/path]/filename flash:/filename

ciscoasa#

Enables you to change software images without accessing the TFTP monitor mode.

The TFTP server at IP address 10.0.0.3 receives the request, locates the file relative to its root directory, and transfers the image to the flash memory of the security appliance.

TFTP offers no authentication or integrity protection, so confirm the checksum of the downloaded image against the value Cisco publishes before booting from it.

Summary

SSH provides secure remote management of the security appliance.

TFTP is used to upgrade the software image on security appliances.

Telnet can be enabled on any interface, with one restriction: on the lowest-security interface (normally outside) Telnet sessions are accepted only inside an IPsec tunnel. Prefer SSH wherever possible, because Telnet sends the password and the session in cleartext.

Lesson 4

Access Control Lists (ACLs)

Security Appliance ACL Configuration

Diagram: an outside and an inside interface, with an ACL for inbound access on outside and an ACL for outbound access on inside; with no ACL, outbound is permitted and inbound is denied by default.

Security appliance configuration philosophy is interface-based. An interface ACL permits and denies the initial incoming and outgoing packets on that interface.

An ACL must describe only the initial packet of the application; return traffic does not need to be described.

If no ACL is attached to an interface:

The outbound packet is permitted by default.

The inbound packet is denied by default.


Inbound Traffic to DMZ Web Server

There is no ACL, so by default, inbound access is denied. To permit inbound traffic, complete the following steps:

Configure a static translation for the web server address

Configure an inbound ACL

Apply the ACL to the outside interface

Create a Static Translation for Web Server

Diagram: outside network 192.168.1.0, DMZ with the public web server at 172.16.1.2 (reachable from outside as 192.168.1.9), inside network 10.0.1.0.

Maps the private DMZ address of the web server (172.16.1.2) to a public address on the outside network (192.168.1.9)

asa1(config)# static (DMZ,outside) 192.168.1.9 172.16.1.2 0 0


access-list Command

Permits outside HTTP traffic to access the public web server

asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq www

ciscoasa(config)#

access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id}{host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]


access-group Command

Applies an ACL to an interface

asa1(config)# access-group ACLOUT in interface outside

ciscoasa(config)#

access-group access-list {in | out} interface interface_name [per-user-override]


show access-list Command

asa1(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list ACLOUT; 4 elements

access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=4) 0x984ebd70

access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=1) 0x53490ecd

access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=8) 0x83af39ca

access-list ACLOUT line 4 extended deny ip any any (hitcnt=4) 0x2ca30385

access-list ICMPDMZ; 1 elements

access-list ICMPDMZ line 1 extended permit icmp host bastionhost any echo-reply


clear access-list counters Command

asa1(config)# clear access-list ACLOUT counters

asa1(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list ACLOUT; 4 elements

access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=0) 0x984ebd70

access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=0) 0x53490ecd

access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=0) 0x83af39ca

access-list ACLOUT line 4 extended deny ip any any (hitcnt=0) 0x2ca30385


ACL Logging

Enables logging for the entry that permits inbound ICMP to 192.168.1.11: matches are reported at syslog level 7 (debugging), with at most one message per flow every 600 seconds

asa1(config)# access-list OUTSIDE-ACL permit icmp any host 192.168.1.11 log 7 interval 600

ciscoasa(config)#


access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id}{host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]


ACL Comments

asa1(config)# access-list ACLOUT line 2 remark WebMailA access-list

Inserts ACL comment

ciscoasa(config)#

access-list id [line line-number] remark text

asa1(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300

access-list ACLOUT; 6 elements

access-list ACLOUT line 1 extended permit tcp any host 192.168.1.7 eq www (hitcnt=0) 0x3df6ed1e

access-list ACLOUT line 2 remark WebMailA access-list

access-list ACLOUT line 3 extended permit tcp any host 192.168.1.8 eq www (hitcnt=0) 0xd5383eba

access-list ACLOUT line 4 extended permit tcp any host 192.168.1.9 eq www (hitcnt=0) 0x2c4288ad

access-list ACLOUT line 5 extended permit tcp any host 192.168.1.10 eq www (hitcnt=0) 0xb70c935b

access-list ACLOUT line 6 extended permit tcp any host 192.168.1.11 eq www (hitcnt=0) 0x8b43382e

Inserting the remark at line 2 pushes the former line 2 (the entry for 192.168.1.8) down to line 3 and renumbers everything after it, so take line numbers from a fresh show access-list before inserting or deleting by line number.

Inbound HTTP Access Solution

Permits outside HTTP traffic to access the public web server

asa1(config)# static (DMZ,outside) 192.168.1.9 172.16.1.2 0 0

asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq www

asa1(config)# access-group ACLOUT in interface outside

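The three-step solution above, together with the rules stated at the start of this lesson (one ACL per interface and direction, evaluated only for the initial packet, first match wins, implicit deny at the end, and no ACL meaning outbound permitted and inbound denied), as a small Python model. This is an added example for this page, not Cisco code and not part of the course. The access-list, access-group and static lines are the ones shown on the slides; the security levels 0/50/100 for outside/DMZ/inside, the default route via outside, and the packets fed to the model are assumptions. As on the 7.x slides, the ACL on outside matches the mapped address 192.168.1.9.

```python
"""First-packet ACL decisions on a Cisco ASA-style appliance (added example, not Cisco code).

Rules from the Lesson 4 slides: one ACL per interface and direction, evaluated for the
initial packet only, first match wins, implicit deny at the end; with no ACL an interface
permits outbound (toward a lower security level) and denies inbound. Security levels
0/50/100, the default route via outside and the packets used are assumptions.
"""
import ipaddress
import re

PORTS = {"www": 80, "ftp": 21, "ssh": 22, "https": 443}


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False), tokens[2:]


class Acl:
    """One named extended ACL; a remark is stored as {'remark': text}."""

    def __init__(self, name):
        self.name, self.entries = name, []

    def add(self, line):
        tokens, position = line.split()[2:], None      # drop 'access-list NAME'
        if tokens[0] == "line":                         # 'line N' inserts at line N
            position, tokens = int(tokens[1]) - 1, tokens[2:]
        if tokens[0] == "remark":
            entry = {"remark": " ".join(tokens[1:])}
        else:
            if tokens[0] == "extended":
                tokens = tokens[1:]
            action, proto, tokens = tokens[0], tokens[1], tokens[2:]
            src, tokens = _parse_addr(tokens)
            dst, tokens = _parse_addr(tokens)
            dport = (PORTS.get(tokens[1]) or int(tokens[1])) if tokens[:1] == ["eq"] else None
            entry = {"action": action, "proto": proto, "src": src, "dst": dst,
                     "dport": dport, "hitcnt": 0}
        self.entries.insert(len(self.entries) if position is None else position, entry)

    def evaluate(self, pkt):
        """First matching entry decides; falling off the end is the implicit deny."""
        for e in self.entries:
            if "remark" in e or e["proto"] not in ("ip", pkt["proto"]):
                continue
            if pkt["src"] not in e["src"] or pkt["dst"] not in e["dst"]:
                continue
            if e["dport"] is not None and e["dport"] != pkt["dport"]:
                continue
            e["hitcnt"] += 1                            # the hitcnt column of show access-list
            return e["action"] == "permit"
        return False


class Firewall:
    def __init__(self, default_interface):
        self.interfaces, self.acls, self.bound, self.statics = {}, {}, {}, {}
        self.default_interface = default_interface     # where the default route points

    def interface(self, name, security_level, network):
        self.interfaces[name] = (security_level, ipaddress.IPv4Network(network))

    def configure(self, line):
        """Accept the slides' access-list, access-group and static commands."""
        t = line.split()
        if t[0] == "access-list":
            self.acls.setdefault(t[1], Acl(t[1])).add(line)
        elif t[0] == "access-group":                    # access-group NAME in interface IF
            self.bound[t[4]] = self.acls[t[1]]
        elif t[0] == "static":                          # static (real_if,mapped_if) mapped real
            _, mapped_if, mapped, real = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line).groups()
            self.statics[(mapped_if, ipaddress.IPv4Address(mapped))] = ipaddress.IPv4Address(real)

    def first_packet(self, ingress, src, dst, proto="tcp", dport=None):
        """True if the initial packet of a connection arriving on `ingress` is allowed."""
        pkt = {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
               "proto": proto, "dport": dport}
        if ingress in self.bound:                       # attached ACL decides, implicit deny
            return self.bound[ingress].evaluate(pkt)
        real_dst = self.statics.get((ingress, pkt["dst"]), pkt["dst"])
        egress = next((n for n, (_, net) in self.interfaces.items() if real_dst in net),
                      self.default_interface)
        return self.interfaces[egress][0] < self.interfaces[ingress][0]   # outbound only


def build_example():
    """Topology, static and ACLOUT as shown on the Lesson 4 slides."""
    fw = Firewall(default_interface="outside")
    fw.interface("outside", 0, "192.168.1.0/24")
    fw.interface("dmz", 50, "172.16.1.0/24")
    fw.interface("inside", 100, "10.0.1.0/24")
    for line in (
        "static (dmz,outside) 192.168.1.9 172.16.1.2 0 0",
        "access-list ACLOUT extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www",
        "access-list ACLOUT extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp",
        "access-list ACLOUT extended permit tcp any host 192.168.1.9 eq www",
        "access-list ACLOUT extended deny ip any any",
        "access-list ACLOUT line 2 remark WebMailA access-list",
        "access-group ACLOUT in interface outside",
    ):
        fw.configure(line)
    return fw
```

build_example() returns the configured model; first_packet("outside", "203.0.113.5", "192.168.1.9", dport=80) is permitted by the web-server entry, the same source on port 22 falls through to the deny, an inside host reaching the Internet needs no ACL, and clearing the binding with fw.bound.clear() shows that the static translation alone does not open inbound access.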

icmp Command

Enables or disables pinging to an interface

asa1(config)# icmp permit any echo-reply outside

asa1(config)# icmp permit any unreachable outside

ciscoasa(config)#

icmp {permit | deny} {host sip | sip smask | any} [icmp-type] if_name

Diagram: ICMP echo requests to the outside interface are dropped; ICMP unreachable messages are accepted.

Permits echo-reply and unreachable messages at the outside interface. Once any icmp rule exists for an interface, all other ICMP to that interface is denied by an implicit deny at the end of the list, so ping requests to the outside interface are dropped.

Summary

ACLs enable you to determine which systems can establish connections through your security appliance.

With ICMP rules (the icmp command), you can stop a security appliance interface from answering pings, so that the appliance does not reveal itself to ping sweeps; other kinds of probe can still detect it.

Lesson 5

Cisco Adaptive Security Device Manager

ASDM Overview and Operating Requirements

What Is ASDM?

ASDM is a browser-based configuration tool designed to help configure and monitor your security appliance.

Diagram: the ASDM client reaches the security appliance across the Internet through an SSL secure tunnel.

ASDM Features

Runs on a variety of platforms

Implemented in Java to provide robust, real-time monitoring

Works with SSL to ensure secure communication with the PIX security appliance

Comes preloaded in flash memory on new Cisco ASA and Cisco PIX security appliances running Versions 7.2 and later

ASDM sessions:

• 5 ASDM sessions per unit (single mode) or context (multiple mode)

• 32 sessions per unit in multiple mode

Operates on PIX 515E, 525, and 535* Security Appliances

Operates on Cisco ASA 5505, 5510, 5520, 5540, and 5550 Security Appliances

* ASDM Version 5.2 is not supported on the PIX 501 or 506 Security Appliance.

ASDM Security Appliance Requirements

A security appliance must meet the following requirements to run ASDM:

Activation key that enables DES or 3DES

Supported Java plug-in

Security appliance software version compatible with the ASDM software version you plan to use*

Hardware model compatible with the ASDM software version you plan to use

* ASDM Version 5.2 requires Security Appliance Software Version 7.2.

ASDM Browser Requirements

To access ASDM from a browser, the following requirements must be met:

JavaScript and Java must be enabled on the computer where the browser resides.

SSL must be enabled in the browser.

Popup blockers may prevent ASDM from starting.

Supported Platforms

Windows, Sun Solaris, Linux

Running ASDM

Run ASDM as a local application or as a Java applet

Launch Startup Wizard

Configure the Security Appliance to Use ASDM

Before you can use ASDM, you need to enter the following information on the security appliance via a console terminal:

Time

Inside IP address

Inside network mask

Host name

Domain name

Enable the HTTP server on the security appliance

IP addresses of hosts authorized to access the HTTP server

If more than one ASDM image is stored in the flash memory of your security appliance, also specify the ASDM image to be used.

Setup Dialog

Pre-configure Firewall now through interactive prompts [yes]? <Enter>

Firewall Mode [Routed]:

Enable Password [<use current password>]: cisco123

Allow password recovery [yes] ?

Clock (UTC)

Year [2006]: <Enter>

Month [Sep]: <Enter>

Day [2]: <Enter>

Time [10:21:49]: <Enter>

Inside IP address: 10.0.1.1

Inside network mask: 255.255.255.0

Host name: asa1

Domain name: ciscoasa.com

IP address of host running Device Manager: 10.0.1.11

Use this configuration and write to flash? Y

Navigating ASDM Configuration Windows

ASDM Home Window

Window areas: Menu bar, Main toolbar, Device Information (General and License tabs), VPN Status, System Resources Status, Interface Status, Traffic Status, Syslog Messages

ASDM Home Window (Cont.)

License tab

Startup Wizard

Startup Wizard: Interfaces, NAT and PAT, Hostname, Domain name, Enable password

VPN Wizard

VPN Wizard: Site-to-Site, Remote Access

Note: Use Configuration > VPN to edit VPN connections.

High Availability and Scalability Wizard

High Availability and Scalability Wizard: Active/Active Failover, Active/Standby Failover, VPN Cluster Load Balancing

Configuration Window

Configuration panes: Interfaces, Security Policy, NAT, VPN, IPS or CSD Manager, Routing, Global Objects, Properties

Interfaces

IP address

– Static

– DHCP

Same security level

Security Policy

Access Rules

AAA Rules

Filter Rules

Service Policy Rules

NAT

Translation Rules

• NAT

• Policy NAT

• NAT exemption (NAT 0)

• Maximum connections

• Embryonic connections

VPN

Edit VPN: General, IKE, IPsec, IP Address Management, Load Balancing, NAC, WebVPN, E-Mail Proxy

Note: Use the Remote Access or Site-to-Site VPN Wizard for new VPN connections.

Routing

Static Routes

Dynamic Routing

– OSPF

– RIP

Multicast

– IGMP

– MRoute

– PIM

Proxy ARPs

Global Objects

Network Object Groups, IP Names, Service Groups, Class Maps, Inspect Maps, Regular Expressions, TCP Maps, Time Ranges

Monitoring Button

Monitoring panes: Interfaces, VPN, IPS or Trend Micro Content Security, Routing, Properties, Logging

Interface Graphs Panel

The Interface Graphs panel enables you to monitor per-interface statistics, such as bit rates, for each enabled interface on the security appliance.

Packet Tracer

Inputs: Interface, Source IP, Source port, Destination IP, Destination port

Stages shown: Flow lookup, Route lookup, Access list

Options > Preferences

Tools

Tools menu: Command Line Interface, Packet Tracer, Ping, Traceroute, File Management, Upgrade Software, Upload ASDM Assistant Guide, System Reload, ASDM Java Console

Help

Help menu: Help Topics, Help for Current Screen, Release Notes, Getting Started, VPN 3000 Migration Guide, Glossary, ...

Online Help

Summary

ASDM is a browser-based tool used to configure your security appliance.

Minimal setup on the security appliance is required to run ASDM.

ASDM contains several tools in addition to the GUI to help you configure your security appliance.

The following ASDM wizards are available to simplify security appliance configuration:

• Startup Wizard: Walks you step by step through the initial configuration of the security appliance

• VPN Wizard: Walks you step by step through the creation of site-to-site and remote access VPNs

• High Availability and Scalability Wizard: Walks you step by step through the configuration of active/active failover, active/standby failover, and VPN cluster load balancing

Lesson 6

Firewall Switch Modules (FWSM)

Overview

• The Cisco Firewall Services Module (FWSM) is based on Cisco PIX Security Appliance technology, and therefore offers the same security and reliability

• The FWSM is a line card for the Cisco Catalyst 6500 family of switches and the Cisco 7600 Series Internet routers.

FWSM Key Features

• Brings switching and firewalls into a single chassis

• Based on PIX Firewall technology

• Supports transparent or routed firewall mode

• Up to 100 security contexts

– Up to 256 VLANs per context

– Up to 1000 VLANs all contexts

• 5-Gbps throughput

• One million concurrent connections

• 100,000 connections per second

• Multiple blades supported in one chassis (4 maximum)

• Dynamic routing via RIP v1 and v2 and OSPF

• High availability via intra- or inter-chassis stateful failover


FWSM and PIX Firewall Feature Comparison

Network Model

MSFC Placement

Getting Started with the FWSM

Before you can begin configuring the FWSM, complete the following tasks:

• Verify FWSM installation.

• Configure the switch VLANs.

• Configure the FWSM VLANs.

Verify FWSM Installation

Configure the Switch VLANs

Create VLAN

Defines a controlled VLAN on the MSFC and assigns an IP address.

Firewall VLAN-Group

Creates a firewall group of controlled VLANs

Attaches the VLAN group to the slot where the FWSM is located

Configure the FWSM Interfaces

Establishes a console session with the module (session slot slot_number processor 1); the processor number should always be 1.

Configure a Default Route

• Default route

• Static routes are required in multiple context mode.

Configure the FWSM Access List

FWSM1(config)# access-list 200 permit ip 10.1.1.0 255.255.255.0 any

FWSM1(config)# access-group 200 in interface inside

• By default, all traffic is denied through the FWSM (unlike the security appliance, which permits outbound traffic when no ACL is attached).

• Traffic permitted into an interface can exit through any other interface.

Resetting and Rebooting the FWSM

Resets and reboots the FWSM

Summary

• The FWSM is a line card for the Cisco Catalyst 6500 family of switches and the Cisco 7600 Series Internet routers.

• The FWSM is a high-performance firewall solution based on PIX Firewall Security Appliance technology.

• The FWSM supports transparent and routed firewall modes.

• The FWSM commands are almost identical to security appliance commands.

• PDM can be used to configure and monitor the FWSM.

Recommended