SecureMe has an office in Chicago that provides firewall services to two small businesses, Bears and Cubs. Bears and Cubs each have their own security policy to implement, but the Chicago security appliance has only two interfaces, so virtual firewalls (security contexts) are used. In addition, to conserve public address space on the outside interface, the administrator uses the subnet mask 255.255.255.248. The security requirements of SecureMe, Cubs and Bears are as follows:
SecureMe's security requirements:
1. Allow the network 172.18.82.0/24 to initiate SSH sessions. Use the AAA server located at 172.18.82.101.
2. Store all log messages generated by the system on the syslog server at 172.18.82.100.
Bears' security requirements:
1. Allow only hosts in subnet 192.168.10.0/24 to reach host 198.133.219.25 (www.cisco.com) over HTTP; deny all other traffic.
2. Use interface PAT to translate source IP addresses to 209.165.200.225.
3. Block and log all inbound traffic on the outside interface.
Cubs' security requirements:
1. All hosts in 192.168.20.0/24 should be able to access the Internet.
2. Use interface PAT to translate source IP addresses to 209.165.201.10.
3. Allow HTTP clients on the Internet to reach the Cubs web server in the DMZ network (192.168.21.10), which appears on the Internet as 209.165.200.231.
4. Block and log all other inbound traffic on the outside interface.
System Execution Space
Chicago#show run
ASA Version 8.2(1) <system>
!
hostname Chicago
!Main GigabitEthernet0/0 interface
interface GigabitEthernet0/0
!Sub-interface assigned to the Bears context as the outside interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/0.100
description Bears outside interface
vlan 100
!Sub-interface assigned to the Cubs context as the outside interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/0.200
description Cubs outside interface
vlan 200
!Sub-interface assigned to the Cubs context as the dmz interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/0.210
description Cubs dmz interface
vlan 210
!Main GigabitEthernet0/1 interface
interface GigabitEthernet0/1
!Sub-interface assigned to the Bears context as the inside interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/1.101
description Bears inside interface
vlan 101
!Sub-interface assigned to the Cubs context as the inside interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/1.201
description Cubs inside interface
vlan 201
!Main Management0/0 interface
interface Management0/0
!context named "admin" is the designated Admin context
admin-context admin
!"admin" context definition along with the allocated interface
context admin
description admin context
allocate-interface Management0/0
config-url disk0:/admin.cfg
!"Bears" context definition along with the allocated interfaces
context Bears
description Bears Context
allocate-interface GigabitEthernet0/0.100
allocate-interface GigabitEthernet0/1.101
config-url disk0:/Bears.cfg
!"Cubs" context definition along with the allocated interfaces
context Cubs
description Cubs Context
allocate-interface GigabitEthernet0/0.200
allocate-interface GigabitEthernet0/0.210
allocate-interface GigabitEthernet0/1.201
config-url disk0:/Cubs.cfg
Admin Context
Chicago/admin#show running
ASA Version 8.2(1) <context>
!
hostname admin
!Management interface of the admin context with security level set to 100
interface Management0/0
nameif mgmt
security-level 100
ip address 172.18.82.64 255.255.255.0
management-only
!
!configuration of a syslog server with timestamped logging level set to informational
logging enable
logging timestamp
logging trap informational
logging host mgmt 172.18.82.100
!
!configuration of AAA server using RADIUS for authentication
aaa-server RADIUS protocol radius
aaa-server RADIUS (mgmt) host 172.18.82.101
key C1$c0123
!SSH sessions from 172.18.82.0/24 are accepted on mgmt and authenticated against the RADIUS server
aaa authentication ssh console RADIUS
ssh 172.18.82.0 255.255.255.0 mgmt
Bears Context
Chicago/Bears#show running
ASA Version 8.2(1) <context>
!
hostname Bears
!Outside interface of the Bears context with security level set to 0
interface GigabitEthernet0/0.100
nameif outside
security-level 0
ip address 209.165.200.225 255.255.255.224
!Inside interface of the Bears context with security level set to 100
interface GigabitEthernet0/1.101
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!Access-list configuration to permit web traffic initiated from the inside network to 198.133.219.25
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 host 198.133.219.25 eq www
!Access-list configuration to deny all internet originated traffic
access-list outside_access_in extended deny ip any any log
!NAT configuration to allow inside hosts to get internet connectivity
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
!The access-list is applied to the inside interface
access-group inside_access_in in interface inside
!The access-list is applied to the outside interface
access-group outside_access_in in interface outside
!Default route
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1
Cubs Context
Chicago/Cubs#show running
ASA Version 8.2(1) <context>
!
hostname Cubs
!Outside interface of the Cubs context with security level set to 0
interface GigabitEthernet0/0.200
nameif outside
security-level 0
ip address 209.165.201.1 255.255.255.224
!DMZ interface of the Cubs context with security level set to 50
interface GigabitEthernet0/0.210
nameif dmz
security-level 50
ip address 192.168.21.1 255.255.255.224
!Inside interface of the Cubs context with security level set to 100
interface GigabitEthernet0/1.201
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!Access-list configuration to allow web traffic
access-list outside_access_in extended permit tcp any host 209.165.201.11 eq www
access-list outside_access_in extended deny ip any any log
!NAT configuration to allow inside hosts to get internet connectivity
nat (inside) 1 192.168.20.0 255.255.255.0
global (outside) 1 209.165.201.10 netmask 255.255.255.255
!Static address translation for the web-server
static (dmz,outside) 209.165.201.11 192.168.21.10 netmask 255.255.255.255
!The access-list is applied to the outside interface
access-group outside_access_in in interface outside
!Default route
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1
SecureMe is an Internet service provider that offers firewall services to its clients. SecureMe has two customers, Dodgers and Lakers. Their requirements are as follows:
SecureMe's security requirements:
1. SecureMe's global security policy must restrict access to the appliance to trusted users defined on the AAA server. The AAA server address is 172.18.82.101 and the key is C1$c0123.
2. SecureMe has limited public address space, so it needs all virtual firewalls to use PAT for address translation.
3. SecureMe does not want the virtual-firewall administrators to see which physical interfaces have been allocated to their virtual firewalls.
4. Only SSH and ASDM may be used to manage the appliance and the virtual firewalls.
Dodgers' security requirements:
1. Hosts protected by the Dodgers virtual firewall may access the web server protected by the Lakers virtual firewall; the server's IP address is 192.168.21.10.
2. Host users must be able to check their e-mail. The e-mail server's IP address is 209.165.202.130.
3. Translate private IP addresses to the IP address of the outside interface (209.165.200.226).
4. Block and log all inbound traffic.
Lakers' security requirements:
1. Hosts protected by the Lakers virtual firewall may freely access Internet resources.
2. Use PAT to translate the original (private) IP addresses to the IP address of the outside interface.
3. Block and log all inbound traffic on the outside interface, except traffic from the Dodgers internal network destined for the web server.
In addition, SecureMe wants to sell different service tiers to different customers by applying resource management. Dodgers must be limited to at most 1000 connections per second, while Lakers is not limited. SecureMe's topology is as follows:
System Execution Space
LA-ASA#show running
ASA version 8.2(1) <system>
hostname LA-ASA
!
mac-address auto
!
!Management0/0 interface
interface Management0/0
!
!Main GigabitEthernet0/0 interface used as the shared outside interface
interface GigabitEthernet0/0
description Outside shared interface
!
!Main GigabitEthernet0/1 interface
interface GigabitEthernet0/1
!Sub-interface assigned to Dodgers as the inside interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/1.10
description Dodgers Inside Interface
vlan 10
!Sub-interface assigned to Lakers as the inside interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/1.20
description Lakers Inside Interface
vlan 20
!
!Sub-interface assigned to Lakers as the dmz interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/1.25
description Lakers DMZ interface
vlan 25
!
!Resource class limiting its member contexts to 1000 new connections per second
class Gold
limit-resource rate conns 1000
!context named "admin" is the designated Admin context
admin-context admin
!"admin" context definition along with the allocated interface
context admin
allocate-interface Management0/0
config-url disk0:/admin.cfg
!
!"Dodgers" context definition along with the allocated interfaces. The interfaces are mapped to generic names so the context administrator does not see the physical interface names
context Dodgers
description Dodgers Context
member Gold
allocate-interface GigabitEthernet0/0 DodgersOutside
allocate-interface GigabitEthernet0/1.10 DodgersInside
config-url disk0:/Dodgers.cfg
!
!"Lakers" context definition along with the allocated interfaces
context Lakers
description Lakers Context
allocate-interface GigabitEthernet0/0 LakersOutside
allocate-interface GigabitEthernet0/1.20 LakersInside
allocate-interface GigabitEthernet0/1.25 LakersDMZ
config-url disk0:/Lakers.cfg
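Added example (not part of the original page or of any Cisco tool): a small Python check of a system execution space configuration, in the style of the two system configs above. It cross-references every allocate-interface line against the interfaces the system space defines, reporting allocations that match no defined interface (typically a typo in the sub-interface name) and interfaces allocated to more than one context, so the shared outside interface used for Dodgers and Lakers is visible and can be confirmed as intended. The sample config is constructed; interface ranges and mapped names are assumed not to matter for the check.

```python
import re
from collections import defaultdict

# Constructed system execution space sample in the style of the configs above
# (not the page's own): one physical outside interface shared by two contexts,
# and one allocate-interface whose name matches no defined sub-interface.
SAMPLE_SYSTEM = """interface GigabitEthernet0/0
interface GigabitEthernet0/1
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
interface Management0/0
context admin
 allocate-interface Management0/0
context Dodgers
 allocate-interface GigabitEthernet0/0 DodgersOutside
 allocate-interface GigabitEthernet0/1.10 DodgersInside
context Lakers
 allocate-interface GigabitEthernet0/0 LakersOutside
 allocate-interface GigabitEthernet0/120 LakersInside
"""

def audit_system(config: str) -> dict:
    """Cross-check allocate-interface lines against the interfaces the
    system space defines. Interface ranges (a-b) are not handled here."""
    defined = set()              # interfaces and sub-interfaces declared
    owners = defaultdict(list)   # interface -> contexts that allocate it
    context = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            defined.add(m.group(1))
        elif m := re.match(r"context (\S+)$", line):
            context = m.group(1)
        elif (m := re.match(r"allocate-interface (\S+)", line)) and context:
            owners[m.group(1)].append(context)   # mapped name, if any, ignored
    undefined = [f"{ctx}: {iface}" for iface, ctxs in owners.items()
                 if iface not in defined for ctx in ctxs]
    shared = [f"{iface}: {', '.join(ctxs)}" for iface, ctxs in owners.items()
              if len(ctxs) > 1]
    return {"undefined": undefined, "shared": shared}
```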
Admin Context
LA-ASA/admin#show running
ASA Version 8.2(1) <context>
hostname LA-ASA
!Management interface of the admin context with security level set to 100
interface Management0/0
nameif mgmt
security-level 100
ip address 172.18.82.64 255.255.255.0
management-only
!RADIUS server with an IP address of 172.18.82.101
aaa-server RADIUS protocol radius
aaa-server RADIUS (mgmt) host 172.18.82.101
key C1$c0123
!AAA authentication for SSH and HTTP sessions
aaa authentication ssh console RADIUS
aaa authentication http console RADIUS
!SSH sessions to be accepted from 172.18.82.0/24
ssh 172.18.82.0 255.255.255.0 mgmt
Dodgers Context
LA-ASA/Dodgers#show running
ASA Version 8.2(1) <context>
hostname Dodgers
!outside interface of the Dodgers context with security level set to 0
interface DodgersOutside
nameif outside
security-level 0
ip address 209.165.200.226 255.255.255.224
!inside interface of the Dodgers context with security level set to 100
interface DodgersInside
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!Access-list configuration to allow email and web traffic. The access-list is applied to the inside interface.
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 host 209.165.202.130 eq smtp log
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 host 209.165.200.230 eq www log
!Access-list configuration to deny all packets. The access-list is applied to the outside
interface
access-list outside_access_in extended deny ip any any log
!nat policy
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!Default route
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
Lakers Context
LA-ASA/Lakers#show running
ASA Version 8.2(1) <context>
hostname Lakers
!outside interface of the Lakers context with security level set to 0
interface LakersOutside
nameif outside
security-level 0
ip address 209.165.200.227 255.255.255.224
!
!inside interface of the Lakers context with security level set to 100
interface LakersInside
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
!dmz interface of the Lakers context with security level set 50
interface LakersDMZ
nameif dmz
security-level 50
ip address 192.168.21.1 255.255.255.0
!
!Access-list configuration to allow incoming web requests from the Dodgers outside address to the translated web server address. The access-list is applied to the outside interface
access-list outside_access_in extended permit tcp host 209.165.200.226 host 209.165.200.230 eq www
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!Address translation policies
global (outside) 1 interface
nat (inside) 1 192.168.20.0 255.255.255.0
static (dmz,outside) 209.165.200.230 192.168.21.10 netmask 255.255.255.255
!Default route
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
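Added example (not part of the original page or of any Cisco tool) covering the per-context configurations of both scenarios above: a Python audit of a single context config that checks the points the requirements keep coming back to. It flags an access-group that names an ACL never defined or binds to a nameif that does not exist, an applied ACL that does not end with a logged deny-all, an ACL defined but never applied, and an interface with no inbound ACL. The sample config is constructed and deliberately contains those mistakes; only extended ACL entries are parsed, and remark lines are ignored.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the Cubs/Lakers contexts above (not the
# page's own config). It deliberately contains: an access-group naming an ACL
# never defined, one bound to a nameif that does not exist, and ACLs without
# the final logged deny that the requirements call for.
SAMPLE_CONTEXT = """interface GigabitEthernet0/0.200
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224
interface GigabitEthernet0/1.201
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
access-list outside_access_in extended permit tcp any host 209.165.201.11 eq www
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
"""

def audit_context(config: str) -> list:
    """Return findings for one ASA security-context config (extended ACLs only)."""
    acls = defaultdict(list)      # ACL name -> entries in configured order
    nameifs = set()               # interface names assigned with nameif
    groups = []                   # (ACL name, interface) from access-group
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) extended (.+)", line):
            acls[m.group(1)].append(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            groups.append((m.group(1), m.group(2)))
        elif m := re.match(r"nameif (\S+)", line):
            nameifs.add(m.group(1))
    findings = []
    for acl, iface in groups:
        if acl not in acls:
            findings.append(f"access-group {acl}: ACL is not defined")
        if iface not in nameifs:
            findings.append(f"access-group on {iface}: no interface has that nameif")
    for acl, entries in acls.items():
        last = entries[-1].split()   # final entry should be a logged deny-all
        if last[:4] != ["deny", "ip", "any", "any"] or "log" not in last:
            findings.append(f"ACL {acl}: does not end with 'deny ip any any log'")
        if acl not in {g for g, _ in groups}:
            findings.append(f"ACL {acl}: defined but never applied")
    for iface in sorted(nameifs - {i for _, i in groups}):
        findings.append(f"interface {iface}: no inbound ACL applied")
    return findings
```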
Verifying the virtual firewalls
show mode
show context
show admin-context
show cpu usage context all