CCNA Security Lecture - Chapter 10: Implementing the Cisco Adaptive Security Appliance (ASA)


PDF, 50 pages | Shared by: phuongt97 | Date: 15/07/2021
Overview of the ASA

• Which kind of branch is appropriate for the IOS firewall solution?
• What is the disadvantage of the IOS firewall solution?
• The ASA is a standalone firewall device that is a primary component of the Cisco SecureX architecture.
• All six ASA models provide advanced stateful firewall features and VPN functionality.
• The biggest difference between the models is the maximum traffic throughput each handles and the number and type of interfaces.
• The choice of ASA model depends on an organization's requirements, such as maximum throughput, maximum connections per second, and budget.
• The ASA software combines firewall, VPN concentrator, and intrusion prevention functionality into one software image. Previously, these functions were delivered by three separate devices, each with its own software and hardware:
1. PIX
2. VPN concentrator
3. IDS
• Other advanced ASA features include:
1. ASA virtualization
2. High availability with failover
3. Identity firewall
4. Threat control and containment services
• All ASA models can be configured and managed using either the command-line interface (CLI) or the Adaptive Security Device Manager (ASDM).
• By default, the ASA treats a defined inside interface as the trusted network and any defined outside interface as an untrusted network.
• Each interface has an associated security level.
• An ASA provides features comparable to IOS ZPF/CBAC, but the configuration differs markedly from the IOS router configuration of ZPF.
• The ASA is a stateful firewall: it tracks the state of the TCP and UDP connections traversing it.
• All traffic forwarded through an ASA is inspected using the Adaptive Security Algorithm and is either allowed to pass through or dropped.
• Packet-flow review questions: What is the session management path? The control plane path? Layer 7 inspection? The fast path?
• Most ASA appliances ship with either a Base license or a Security Plus license pre-installed.
• Additional features can be added by purchasing time-based or optional feature licenses.
• Combining these additional licenses with the pre-installed license creates a permanent license, which is activated by installing a permanent activation key with the activation-key command.
• Only one permanent license key can be installed; once installed, it is referred to as the running license.
• To verify the license information on an ASA, use the show version or show activation-key command.

The ASA 5505 Features

• The Cisco ASA 5505 is a full-featured security appliance for small businesses, branch offices, and enterprise teleworker environments.
• It delivers a high-performance firewall, SSL VPN, IPsec VPN, and rich networking services in a modular, plug-and-play appliance.

Security Level

• Security levels define the trustworthiness of an interface: the higher the level, the more trusted the interface. Security levels range from 0 (least trusted) to 100 (most trusted). By default, traffic is permitted from a higher-security interface to a lower-security interface and is dropped in the reverse direction unless an ACL permits it.
• Each operational interface must have a name and a security level from 0 (lowest) to 100 (highest) assigned.
• Security levels help control:
1. Network access
2. Inspection engines
3. Filtering
• On an ASA 5505, Layer 3 parameters are configured on a switch virtual interface (SVI). An SVI, a logical VLAN interface, requires a name, an interface security level, and an IP address.
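The SVI-based interface and security-level configuration described above, written out as an added example (this is not a slide from the deck); the hostname, VLAN numbers, interface names and addresses are assumed values, and the comment block at the end spells out the default inter-interface policy that results before any ACL is applied:

```cisco
! Added example: ASA 5505 interfaces and security levels (not from the deck;
! hostname, VLAN numbers, interface names and addresses are assumed).
hostname ASA-5505
!
! Physical ports are Layer 2 switch ports; Layer 3 settings go on the VLAN SVIs.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! Each SVI needs a name, a security level and an IP address.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
 no shutdown
!
! Third VLAN: on a Base-licensed 5505 it must be barred from initiating traffic
! to one other VLAN (here Vlan1/inside) before it can be given a nameif;
! with the Security Plus license the restriction is not required.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
! Resulting default policy before any ACL is applied:
!   inside (100) -> outside (0)    permitted; replies return via the stateful connection
!   inside (100) -> dmz (50)       permitted
!   dmz (50)     -> outside (0)    permitted
!   outside (0)  -> dmz or inside  dropped unless an ACL on outside permits it
!   dmz (50)     -> inside (100)   dropped (lower to higher, plus no forward interface)
! Verify with: show nameif  and  show interface ip brief
```

Placing the web server on its own SVI (dmz, level 50) rather than on inside means a compromised server cannot initiate connections toward the inside network by default, which is the reason to spend the third VLAN on a DMZ even on the Base license.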
The Deployment of the ASA 5505

• The ASA 5505 is commonly used as an edge security device that connects a small business to an ISP device, such as a DSL or cable modem, for Internet access.

The ASA 5510 Features

Default Configuration of ASA 5510 and Higher

• The default factory configuration includes the following:
1. The management interface, Management 0/0, is preconfigured with an IP address and mask.
2. The DHCP server is enabled on the ASA, so a PC connecting to the management interface receives an address from the preconfigured pool.
3. The HTTP server is enabled for ASDM and is accessible to users on the management network.

ASA Access Modes

• User EXEC mode: ciscoasa> (enter enable, or en, to reach privileged EXEC mode)
• Privileged EXEC mode: ciscoasa# (enter configure terminal, or config t, to reach global configuration mode)
• Global configuration mode: ciscoasa(config)#
• Various sub-configuration modes, for example: ciscoasa(config-if)#
• ROMMON mode: ROMMON>

IOS and ASA Commands

• Unlike an ISR, the ASA:
1. Executes any ASA CLI command regardless of the current configuration mode prompt; the IOS do command is neither required nor recognized.
2. Provides a brief description and the command syntax when help is entered followed by the command.
3. Interrupts show command output with Q, whereas IOS requires Ctrl+C (^C).

Default Configuration

• The ASA 5505 ships with a default configuration that, in most cases, is sufficient for a basic SOHO deployment.
• The configuration includes two preconfigured VLAN networks: VLAN 1 for the inside network and VLAN 2 for the outside network.
• The ASA can be restored to its factory default configuration with the configure factory-default global configuration command.

Erase Configuration and Reboot

• The ASA startup configuration can be erased using the write erase and reload commands.
• Note: unlike router IOS, the ASA does not recognize the erase startup-config command.
• Once rebooted, the ASA displays the prompt "Pre-configure Firewall now through interactive prompts [yes]?"

Configuration Management Settings and Services

• Configure basic settings
• Configure the interfaces
• Configure a default route
• Configure Telnet access
• Configure NTP services
• Configure DHCP services

Introduction to ASDM

• The management interface depends on the ASA model:
– Cisco ASA 5505: the management switch port can be any port except Ethernet 0/0.
– Cisco ASA 5510 and higher: the interface to connect to is Management 0/0.
• Note: to remove and disable the ASA HTTP server service, use the global configuration command clear configure http.

ASDM Wizards

Object Groups

• The advantage of objects is that when an object is modified, the change is automatically applied to all rules that use it, which makes configurations easy to maintain.

ACLs

• ASA ACLs differ from IOS ACLs in that they use a network mask rather than a wildcard mask. Also, most ASA ACLs are named instead of numbered.

NAT Service on an ASA

• The ASA supports NAT and PAT, and the translated addresses can be assigned either statically or dynamically.

Access Control on an ASA

• The ASA can authenticate all administrative connections, including Telnet, SSH, console, ASDM using HTTPS, and privileged EXEC.
• The ASA can authorize the following items:
– Management commands
– Network access
– VPN access

Service Policies on an ASA

• A Modular Policy Framework (MPF) configuration defines a set of rules for applying firewall features, such as traffic inspection and QoS, to the traffic that traverses the ASA.

ASA Remote-Access VPN Options

• Enterprise users are requesting support for their mobile devices, including smartphones, tablets, notebooks, and a broader range of laptop manufacturers and operating systems.
• Cisco AnyConnect is available for the following platforms:
– iOS devices (iPhone, iPad, and iPod Touch)
– Android OS (select models)
– BlackBerry
– Windows Mobile 6.1
– HP webOS
– Nokia Symbian

Clientless SSL VPN

Configuring Clientless SSL VPN

AnyConnect SSL VPN

Configuring AnyConnect SSL VPN
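The management services listed under Configuration Management Settings and Services (basic settings, default route, Telnet/SSH access, NTP, DHCP), the ASDM access note, and the Object Groups, ACLs, NAT, Access Control and Service Policies sections above, carried through as one added configuration. This is an example added here, not from the deck; it assumes interfaces named inside (level 100), outside (level 0) and dmz (level 50) already exist, uses the ASA 8.3-or-later object NAT syntax, and every hostname, address, username, password and key shown is an assumed value. The deck's step is "Configure Telnet access"; the example shows the Telnet form as the weak setting and applies an SSH-based replacement instead:

```cisco
! Added example: management services and access policy for an ASA with
! interfaces named inside (100), outside (0) and dmz (50) already configured.
! Hostname, domain, addresses, usernames, passwords and keys are assumed values.
!
! --- Basic settings (hostname and domain-name are required before RSA key generation) ---
hostname ASA-5505
domain-name example.com
enable password Str0ngEnablePass
!
! --- Default route toward the ISP next hop on the outside interface ---
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
!
! --- Management access ---
! Weak: cleartext Telnet guarded only by the enable password (shown for contrast, not applied):
!   telnet 192.168.1.0 255.255.255.0 inside
!   telnet timeout 5
! Hardened: local user accounts, SSH version 2 only, restricted source subnet,
! and ASDM reachable over HTTPS from the inside network only.
username admin password Str0ngAdminPass privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
!
! --- NTP with authentication, so a spoofed time source cannot skew logs or certificate checks ---
ntp authenticate
ntp authentication-key 1 md5 NtpS3cretKey
ntp trusted-key 1
ntp server 192.168.1.254 key 1 source inside
!
! --- DHCP for inside hosts (32-address pool, the limit on a 10-user 5505 license) ---
dhcpd address 192.168.1.10-192.168.1.41 inside
dhcpd dns 192.168.1.254
dhcpd domain example.com
dhcpd lease 3600
dhcpd enable inside
!
! --- Objects: edit the object once and every ACL and NAT rule that uses it follows ---
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ-WEB
 host 192.168.2.10
 nat (dmz,outside) static 209.165.200.227
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
! --- ACL on the outside interface: network mask (not wildcard), named, and
! --- referencing the real (pre-NAT) address of the DMZ server via its object ---
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB object-group WEB-PORTS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! --- MPF: add ICMP to the default global inspection policy so echo replies
! --- to inside-originated pings are allowed back through the outside interface ---
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

Two points worth checking after applying this: the ACL names the object DMZ-WEB (the real 192.168.2.10 address), not the translated 209.165.200.227, because the ASA evaluates interface ACLs against untranslated addresses in the 8.3+ NAT model; and the ASA refuses to enable Telnet on the lowest-security interface anyway, so the weak form above only ever exposes credentials to inside hosts, which is still reason enough to prefer SSH with local accounts.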

Files attached to this document:

  • pdfbai_giang_ccna_security_chapter_10_implementing_the_cisco_ad.pdf