防火墙课程.ppt

1、单击此处编辑母版标题样式,单击此处编辑母版文本样式,第二级,第三级,第四级,第五级,Firewall,Tranning,Eccom,Network,内容,1,、,PIX,系列硬件,2,、,ASA,系列硬件,3,、防火墙配置命令,4,、防火墙维护,思科防火墙分类,硬件分类,思科防火墙主要分为,2,类，老产品系列为,PIX,，新产品系列为,ASA5500,。,软件分类,思科防火墙以配置命令格式主要分为,2,类软件版本：,7.0,以上包括,7.0,和,7.0,以下。,PIX,系列硬件,PIX,系列,PIX Firewall 515E,PIX Firewall 525,PIX Firewall 535

2、PIX License Type,PIX License Type,501,：,Provided with a 10-user,50-user,or unlimited user licenses,506E,：,Provided in a single,unlimited-user license.,515E,、,525,、,535 provide 4 types of license,：,Unrestricted,（,UR,）,Restricted,（,R,）,Failover,（,FO,）,Failover-Active/Active,（,FO-A/A,）,PIX Firewall Li

3、cense Comparison,Cisco PIX 500,防火墙性能参考,产品,最高性能,流量端口,HA,501,60Mbps/7500*,conn,.,4 FE switch+1FE,不支持,506E,100Mbps/25000*,conn,.,2 FE,不支持,515E,190Mbps/130000,conn,.,2 FE,可扩充,1FE(R,Lic,.),和,4FE(UR,Lic,.),A/S+A/A*,525E,330Mbps/280000,conn,.,2 FE,可扩充,4FE,或,3GE(R,Lic,.),和,8FE,或,3GE(UR,Lic,.),A/S+A/A*,535,1

4、7Gbps/500000,conn,.,2 FE,可扩充,6FE,或,8GE(R,Lic,.),和,12FE,或,9GE(UR,Lic,.),A/S+A/A*,ASA,系列硬件,ASA,系列,ASA 5500,系列,5505 5520 5550,5510 5540,5580,ASA 5510,Feature,Description,Firewall Throughput,Up to 300Mbps,Concurrent Threat Mitigation Throughput,Up to 150 Mbps with AIP-SSM-10,VPN Throughput,Up to 170 Mb

5、ps,Concurrent Sessions,50,000/130,000*,IPSec VPN Peers,250,SSL VPN Peer License Levels,10,25,50,100,or 250,Security Contexts,Not supported,Interfaces,3 FE+1 management port;5 FE*,Virtual interfaces(,VLANs,),10;25*,High Availability,Not supported;Active/Standby*,*Upgrade available with Cisco ASA 5510

6、 Security Plus license,ASA 5520,Feature,Description,Firewall Throughput,Up to 450 Mbps,Concurrent Threat Mitigation Throughput,Up to 225 Mbps with AIP-SSM-10,Up to 375 Mbps with AIP-SSM-20,VPN Throughput,Up to 225 Mbps,Concurrent Sessions,280,000,IPSec VPN Peers,750,SSL VPN Peer License Levels*,10,2

7、5,50,100,250,500,or 750,Security Contexts,Up to 10*,Interfaces,4 GE and 1 FE,Virtual interfaces(,VLANs,),100,Scalability,VPN clustering and load balancing,High Availability,Active/Active,Active/Standby,*Separately licensed feature;includes two with base system,ASA 5540,Feature,Description,Firewall T

8、hroughput,Up to 650 Mbps,Concurrent Threat Mitigation Throughput,Up to 450 Mbps with AIP-SSM-20,VPN Throughput,Up to 325 Mbps,Concurrent Sessions,400,000,IPSec VPN Peers,5000,SSL VPN Peer License Levels*,10,25,50,100,250,500,750,1000 and 2500,Security Contexts,Up to 50*,Interfaces,4 GE and 1 FE,Virt

9、ual interfaces(,VLANs,),100,Scalability,VPN clustering and load balancing,High Availability,Active/Active,Active/Standby,*Separately licensed feature;includes two with base system,ASA 5550,Feature,Description,Firewall Throughput,Up to 1.2Gbps,VPN Throughput,Up to 450 Mbps,Concurrent Sessions,650,000

10、IPSec VPN Peers,5000,SSL VPN Peer License Levels,10,25,50,100,250,500,750,1000,2500 and 5000,Security Contexts,Up to 50*,Interfaces,8GE,4SFP and 1 FE,Virtual interfaces(,VLANs,),200,Scalability,VPN clustering and load balancing,High Availability,Active/Active,Active/Standby,*Separately licensed fea

11、ture;includes two with base system,Characteristics of Cisco ASA 5500 Series Adaptive Security Appliances,Characteristics of Cisco ASA 5500 Series Adaptive Security Appliances,防火墙配置命令,7.0,版本以下配置命令讲解,interface ethernet0 auto,设定端口,0,速率为自动,interface ethernet1 100full,设定端口,1,速率为,100,兆全双工,nameif,ethernet0

12、 outside security0,设定端口,0,名称为,outside,安全级别为,0,nameif,ethernet1 inside security100,设定端口,1,名称为,inside,安全级别为,100,nameif,ethernet2,dmz,security50,设定端口,2,名称为,dmz,安全级别为,50,enable password Dv0yXUGPM3Xt7xVs encrypted,特权密码,passwd,2KFQnbNIdI.2KYOU encrypted,登陆密码,访问控制列表,access-list 101 permit,ip,192.168.99.0 2

13、55.255.255.0 192.168.170.0 255.255.255.0,access-list 101 permit,ip,192.168.12.0 255.255.255.0 192.168.180.0 255.255.255.0,access-list 101 permit,ip,192.168.23.0 255.255.255.0 192.168.180.0 255.255.255.0,access-list 101 permit,ip,192.168.99.0 255.255.255.0 192.168.101.0 255.255.255.0,建立访问列表，允许特定网段的地址

14、访问某些网段,access-group 101 in interface outside,access-group 101 in interface inside,access-group 101 in interface,dmz,应用访问列表到接口上,接口地址及,MTU,mtu,outside 1500,mtu,inside 1500,mtu,dmz,1500,ip,address outside 10.1.1.4 255.255.255.224,设定外端口地址,ip,address inside 192.168.1.254 255.255.255.0,设定内端口地址,ip,address,

15、dmz,192.168.19.1 255.255.255.0,设定,DMZ,端口地址,日志记录,logging on,logging timestamp,logging buffered warnings,logging trap warnings,打开设备日志记录功能并设定记录的日志等级,查看日志命令：,show logging,NAT,配置,global(outside)1 10.1.1.13-10.1.1.28,global(outside)1 10.1.1.7-10.1.1.9,global(outside)1 10.1.1.10,定义内部网络地址将要翻译成的全局地址或地址范围,nat

16、inside)0 access-list 101,使得符合访问列表为,101,地址不通过翻译，对外部网络是可见的,nat,(inside)1 192.168.0.0 255.255.0.0 0 0,内部网络地址翻译成外部地址,nat,(,dmz,)1 192.168.0.0 255.255.0.0 0 0,DMZ,区网络地址翻译成外部地址,static(,inside,outside,)10.1.1.5 192.168.12.100,netmask,255.255.255.255,static(,inside,outside,)10.1.1.12 192.168.12.158,netmas

17、k,255.255.255.255,static(,inside,outside,)10.1.1.3 192.168.2.4,netmask,255.255.255.255,设定固定主机与外网固定,IP,之间的一对一静态转换,static(,dmz,outside,)10.1.1.2 192.168.19.2,netmask,255.255.255.255,设定,DMZ,区固定主机与外网固定,IP,之间的一对一静态转换,静态路由设置,route inside 192.168.2.0 255.255.255.0 192.168.1.1,route inside 192.168.3.0 255.2

18、55.255.0 192.168.1.1,route outside 192.168.4.0 255.255.255.0 192.168.10.1,7.0,版本以上配置命令讲解,防火墙,7.0,及以上版本的命令格式与路由器基本一样，在这里不再详述。举例如下：,防火墙维护,PIX Troubleshooting,工具,show command,Show connect,和,show connect detail,pix#,sh,conn,1514 in use,66418 most used,TCP out 210.72.32.92:4826 in 10.6.99.97:1433 idle 0:

19、00:15 Bytes 4454 flags UIOB,TCP out 210.72.32.92:4825 in 10.6.99.97:1433 idle 0:00:29 Bytes 4453 flags UIOB,pix#,sh,conn,det,1521 in use,66418 most used,Flags:A-awaiting inside ACK to SYN,a-awaiting outside ACK to SYN,B-initial SYN from outside,C-CTIQBE media,D-DNS,d-dump,E-outside back connection,F

20、outside FIN,f-inside FIN,G-group,g-MGCP,H-H.323,h-H.225.0,I-inbound data,i-incomplete,k-Skinny media,M-SMTP data,m-SIP media,O-outbound data,P-inside back connection,q-SQL*Net data,R-outside acknowledged FIN,R-UDP RPC,r-inside acknowledged FIN,S-awaiting inside SYN,s-awaiting outside SYN,T-SIP,t-SI

21、P transient,U-up,TCP dmz:210.72.32.92/4826 inside:10.6.99.97/1433 flags UIOB,TCP dmz:210.72.32.92/4825 inside:10.6.99.97/1433 flags UIOB,显示当前连接情况。,Show,xlate,和,show,xlate,detail,pix#,sh,xlate,861 in use,8295 most used,Global 210.72.33.20 Local 210.72.33.20,Global 219.235.129.18 Local 10.6.99.158,Glo

22、bal 210.72.32.178 Local 210.72.32.178,pix#,sh,xlate,det,873 in use,8295 most used,Flags:D-DNS,d-dump,I-identity,i-inside,n-no random,o-outside,r-,portmap,s-static,NAT from dmz:210.72.33.20 to outside:210.72.33.20 flags s,NAT from inside:10.6.99.158 to outside:219.235.129.18 flags s,显示当前,NAT,转换情况。,Sh

23、ow,cpu,usage,pix#,show,cpu,usage,CPU utilization for 5 seconds=2%;1 minute:2%;5 minutes:2%,显示当前,CPU,利用情况。,Show traffic,pix#sh,traffic,outside:,received(in 2.890,secs,):,0 packets189971 bytes,0,pkts,/sec65733 bytes/sec,transmitted(in 2.890,secs,):,0 packets2914252 bytes,0,pkts,/sec1008391 bytes/sec,i

24、nside:,received(in 2.890,secs,):,0 packets2627283 bytes,0,pkts,/sec909094 bytes/sec,transmitted(in 2.890,secs,):,0 packets170788 bytes,0,pkts,/sec59096 bytes/sec,dmz,:,received(in 2.890,secs,):,0 packets305187 bytes,0,pkts,/sec105601 bytes/sec,transmitted(in 2.890,secs,):,0 packets23331 bytes,0,pkts

25、/sec8073 bytes/sec,显示在,PIX,各个接口的流量情况，出、入包和字节数等。,Show local-host,pix#sh,local-host,Interface,dmz,:282 active,282 maximum active,0 denied,local host:,TCP connection count/limit=0/unlimited,TCP embryonic count=0,TCP intercept watermark=unlimited,UDP connection count/limit=0/unlimited,AAA:,Xlate(s,):,G

26、lobal 210.72.33.20 Local 210.72.33.20,Conn(s,):,显示本地主机的,TCP,、,UDP,连接和,NAT,情况。,PIX,调试中的问题应用不能正常使用,检查：,Permissions:,安全策略设置是否正确,Translation:,地址翻译设置是否正确。,Static,和,NAT,语句，,global,语句,Routing,：路由表是否正确,强烈建议：在,PIX,的安全策略、接口、路由，甚至配置改动的时候，尽可能在条件允许的情况下使用,clear,xlate,、,clear,arp,、,clear local-host,清除原有的,xlate,、,a

27、rp,和连接！,PIX Troubleshooting,案例分析,问题现象：,用户不能正常访问,Internet,。,新连接不能正常使用。,原有连接可正常使用。,分析过程：,第一步：检查,Syslog,%PIX-3-211001:Memory allocation Error,%PIX-3-211001:Memory allocation Error,第二步：检查可用内存,Hardware:PIX-515E,64M RAM,-show memory-,Free memory:714696 bytes,Used memory:66394168 bytes,-,Total memory:67108

28、864 bytes,PIX Troubleshooting,案例分析,第三步：是什么用尽了内存？,第四步：检查,Xlate,pix#sh,xlate,251 in use,258 most used,第五步：检查连接数,pix#sh,conn,147456 in use,147456 most used,为什么连接数这么高？,PIX Troubleshooting,案例分析,第六步：检查流量情况，用,show traffic,命令。,检查结果：大多数的流量都是流入,Inside,接口，从,Outside,接口流出。,-show traffic-,outside:,received(in 25.

29、000,secs,):,1475 packets469050 bytes,59,pkts,/sec18762 bytes/sec,transmitted,(in 25.000,secs,):,167619 packets9654480 bytes,6704,pkts,/sec,386179 bytes/sec,inside:,received,(in 25.000,secs,):,180224 packets10410480 bytes,7208,pkts,/sec,416419 bytes/sec,transmitted(in 25.000,secs,):,1050 packets11865

30、0 bytes,42,pkts,/sec4746 bytes/sec,PIX Troubleshooting,案例分析,第七步：分析,为什么连接数如此高，但,Xlate,数却不高？,结论：,每一个,Xlate,使用了大量的,connection,。,可能某个或者几个主机正在使用大量的,connection,。,大多数情况下是由病毒或者攻击引起的。,PIX Troubleshooting,案例分析,第八步：查找产生大量,connection,的主机,pix#sh,local-host|include host|count/limit,local host:,TCP connection coun

31、t/limit=,146608,/unlimited,UDP connection count/limit=0/unlimited,使用正则表达式，只查看,host,或者,count/limit,行。,结果表明：主机,10.1.1.99,几乎用了所有的连接，都是基于,TCP,的应用。,PIX Troubleshooting,案例分析,第九步：看看这台主机在做什么？,pix#sh,local-host 10.1.1.99,Interface inside:250 active,250 maximum active,0 denied,local host:,TCP connection count

32、/limit=,146608,/unlimited,TCP embryonic count=,146606,TCP intercept watermark=unlimited,UDP connection count/limit=0/unlimited,AAA:,Xlate(s,):,Global 209.165.201.21 Local 10.1.1.99,Conn(s,):,TCP out 64.101.32.153:,135,in 10.1.1.99:34580 idle 0:00:15 Bytes 0 flags,saA,TCP out 64.103.108.191:,135,in 1

33、0.1.1.99:8688 idle 0:00:29 Bytes 0 flags,saA,TCP out 64.100.205.160:,135,in 10.1.1.99:12335 idle 0:00:15 Bytes 0 flags,saA,TCP out 64.101.25.195:,135,in 10.1.1.99:2978 idle 0:00:20 Bytes 0 flags,saA,TCP out 64.101.33.128:,135,in 10.1.1.99:41589 idle 0:00:20 Bytes 0 flags,saA,Flags:A-awaiting inside

34、ACK to SYN,a-awaiting outside ACK to SYN,s-awaiting outside SYN,都是半连接状态，,TCP 135,，冲击波病毒,!,PIX Troubleshooting,案例分析,第十步：如何处理？,PIX,提供了两种方法限制每台主机的连接数。,TCP Intercept,Max Connections,TCP Intercept,主要针对源地址欺骗情况，这里不能使用，因为源地址主机是合法的。,第十一步：用,nat,命令或者,static,命令限制最大连接数。,P,ix,（,config)#nat,(inside)1 0.0.0.0,0.0.0

35、0,50 0,Pix#clear,local-host 10.1.1.99,pix#sh,local-host 10.1.1.99,Interface inside:250 active,250 maximum active,0 denied,local host:,TCP connection count/limit=,50/50,TCP embryonic count=,50,pix#sh,conn,126,in use,147456 most used,-show memory-,Free memory:,47716152,bytes,Used memory:19392712 bytes,-,Total memory:67108864 bytes,新网络建筑师,