Chapter 19. Firewall Management Using ASDM
Access Control Lists

As discussed in Chapter 5, "Network Access Control," you can use access control lists (ACLs) to filter traffic passing through Cisco ASA. You can set up a traffic-filtering ACL under Configuration > Features > Security Policy > Access Rules. Click Add to create a new ACL. Figure 19-1 shows a new access control entry (ACE) added in ASDM to block web traffic coming in from the outside host located at 209.165.201.1 to an inside web server located at 209.165.202.131. This ACE is part of an ACL that is automatically created by ASDM and applied to the interface. ASDM provides a useful Rule Flow Diagram section to illustrate how the ACL policy will be applied to the traffic. The source or destination host/network addresses may be IP addresses, an interface name, or an object group. You may also enter a description at the bottom of the screen to label the purpose of this entry.

Figure 19-1. Setting Up an ACE

Note

An ACE is referred to as an access rule in the ASDM interface.

Figure 19-2 illustrates the complete ACL with two ACEs.

Figure 19-2. Displaying the Entire ACL



The first entry denies web traffic (TCP port 80) from the host located at 209.165.201.1 to the web server. The second entry allows web traffic to pass through Cisco ASA if it meets both of the following conditions:

Sourced from any IP address. The blocked host never reaches this entry, because ACEs are evaluated in order and the first matching entry decides the outcome.

Destined for TCP port 80 on the IP address of the web server.

Traffic that matches neither entry is dropped by the implicit deny at the end of the ACL. Example 19-1 shows the corresponding ACL generated by ASDM. The ACL name is outside_access_in, and it is applied to the outside interface in the inbound direction.

Example 19-1. ACL Generated by ASDM

access-list outside_access_in remark ACE to block web-traffic destined to 209.165.202.131 from 209.165.201.1
access-list outside_access_in extended deny tcp host 209.165.201.1 host 209.165.202.131 eq www
access-list outside_access_in extended permit tcp any host 209.165.202.131 eq www
access-group outside_access_in in interface outside



The use of object groups can simplify both the CLI and GUI configuration if numerous hosts need to be filtered using similar properties. For network-based object groups, Cisco ASA needs to know where a host or a network exists. To accomplish this, navigate to Configuration > Features > Building Blocks > Hosts/Networks and then click Add under Hosts/Networks Groups. You can enter the IP addresses of the hosts either by clicking Existing Hosts and Networks and adding them from the list or by clicking New Host or Network, typing the new address, and then adding it with the Add button, as shown in Figure 19-3. The existing hosts are the previously added hosts in the ASDM list. The administrator has named this object group inside_web_servers and has grouped three inside IP addresses in the list.



Figure 19-3. Defining an Object Group in ASDM

After defining the object groups, you can map them in an ACE, as shown in Figure 19-4. The traffic from the outside hosts defined in the outside_hosts network group is allowed to pass through Cisco ASA to the hosts on the inside network that are identified in the inside_web_servers group on TCP port 80.

Figure 19-4. Mapping an Object Group in ASDM

Example 19-2 shows the configuration generated by ASDM when using object groups.

Example 19-2. ACL with Object Groups Generated by ASDM

object-group network inside_web_servers
 network-object 209.165.202.131 255.255.255.255
 network-object 209.165.202.132 255.255.255.255
 network-object 209.165.202.135 255.255.255.255
object-group network outside_hosts
 network-object 209.165.201.1 255.255.255.255
 network-object 209.165.201.2 255.255.255.255
 network-object 209.165.201.10 255.255.255.255
access-list outside_access_in line 1 extended permit tcp object-group outside_hosts object-group inside_web_servers eq 80
access-group outside_access_in in interface outside
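To make the first-match semantics of Examples 19-1 and 19-2 concrete, the following is an added Python example (not code from this book or from Cisco) that parses the ACL and object-group lines from both examples, written out in ASA CLI syntax with the chapter's addresses, and evaluates sample packets against them the way the ASA does: top to bottom, first match wins, implicit deny at the end. Putting the two ACEs of Example 19-1 and the object-group ACE of Example 19-2 in one ACL, the outside address 198.51.100.7, and the packet samples are constructed for the example; the parser only understands the operand forms used here (host, any, object-group, address/mask, eq).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration: the ACEs ASDM generated in Examples 19-1
# and 19-2, combined into one ACL so that their ordering can be observed.
ASA_CONFIG = """
object-group network inside_web_servers
 network-object 209.165.202.131 255.255.255.255
 network-object 209.165.202.132 255.255.255.255
 network-object 209.165.202.135 255.255.255.255
object-group network outside_hosts
 network-object 209.165.201.1 255.255.255.255
 network-object 209.165.201.2 255.255.255.255
 network-object 209.165.201.10 255.255.255.255
access-list outside_access_in remark ACE to block web-traffic destined to 209.165.202.131 from 209.165.201.1
access-list outside_access_in extended deny tcp host 209.165.201.1 host 209.165.202.131 eq www
access-list outside_access_in extended permit tcp any host 209.165.202.131 eq www
access-list outside_access_in line 3 extended permit tcp object-group outside_hosts object-group inside_web_servers eq 80
access-group outside_access_in in interface outside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: list              # ip_network objects the source must fall into
    dst: list
    dport: Optional[int]   # None means any destination port
    text: str              # original line, kept for reporting


def _take_addr(tok, i, groups):
    """Consume one address operand starting at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2   # address mask


def parse_config(text):
    """Return ({acl name: [Ace, ...]}, {interface: acl name}) from ASA CLI text."""
    groups, acls, bindings, current = {}, {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object":
            net = tok[2] if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            current.append(ipaddress.ip_network(net))
        elif tok[0] == "access-list" and tok[2] != "remark":
            i = tok.index("extended") + 1          # skips an optional "line N"
            action, proto = tok[i], tok[i + 1]
            src, i = _take_addr(tok, i + 2, groups)
            dst, i = _take_addr(tok, i, groups)
            dport = None
            if i < len(tok) and tok[i] == "eq":
                dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            acls.setdefault(tok[1], []).append(Ace(action, proto, src, dst, dport, raw.strip()))
        elif tok[0] == "access-group":
            bindings[tok[4]] = tok[1]               # access-group NAME in interface IFACE
    return acls, bindings


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First-match evaluation; returns (action, 1-based ACE number) or ("deny", None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(acl, start=1):
        if ace.proto not in (proto, "ip"):
            continue
        if not any(src in net for net in ace.src):
            continue
        if not any(dst in net for net in ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None   # implicit deny at the end of every ASA ACL


def check_samples():
    """Run constructed packets through the ACL bound to the outside interface."""
    acls, bindings = parse_config(ASA_CONFIG)
    acl = acls[bindings["outside"]]
    samples = {
        "blocked host to web server":    ("tcp", "209.165.201.1", "209.165.202.131", 80),
        "any host to web server":        ("tcp", "198.51.100.7", "209.165.202.131", 80),
        "blocked host to other server":  ("tcp", "209.165.201.1", "209.165.202.132", 80),
        "grouped host to other server":  ("tcp", "209.165.201.2", "209.165.202.135", 80),
        "any host to web server, HTTPS": ("tcp", "198.51.100.7", "209.165.202.131", 443),
        "udp to web server":             ("udp", "198.51.100.7", "209.165.202.131", 80),
    }
    return {label: evaluate(acl, *pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, (action, line) in check_samples().items():
        print(f"{label:32s} -> {action} (ACE {line or 'implicit'})")
```

Two results are worth noticing. The deny in Example 19-1 only covers port 80 on 209.165.202.131, so the same "blocked" host still reaches the other servers in inside_web_servers through the object-group ACE; if the intent was to block the host entirely, the deny needs to be as broad as the permits below it. And anything the three ACEs do not name, including HTTPS to the web server and all UDP, is dropped by the implicit deny rather than by any visible rule.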



Using ASDM, you can configure Cisco ASA to filter ActiveX and Java applets from the traffic passing through it. To set this up, choose Configuration > Features > Security Policy > Filter Rules, which results in the window shown in Figure 19-5. Here, Cisco ASA is being set up to filter ActiveX code from the web traffic for requests that originate from the inside network 209.165.202.128/27 and are destined for any address on the outside network.

Figure 19-5. Content Filtering



Address Translation

You can configure address translation under Configuration > Features > NAT. ASDM allows both dynamic and static NAT/PAT for either all or selected hosts on the inside and the outside networks. Click Add to define a new NAT/PAT policy in the Add Address Translation Rule window. As shown in Figure 19-6, ASDM is identifying the inside network of 192.168.10.0/24 for address translation.

Figure 19-6. Defining a NAT/PAT Policy

In Figure 19-6, the administrator has also checked the Enable Traffic Through the Firewall Without Address Translation check box. This option appears in the main window under Configuration > Features > NAT. It allows traffic that does not match any NAT policy to pass through Cisco ASA without changing the source or destination addresses, whereas packets that match the NAT/PAT policies are still translated. If the option is left unchecked, traffic from a higher-security interface that matches no translation policy is dropped rather than forwarded, so check the ACLs and the NAT rules together when a flow unexpectedly fails.

SecureMe, a fictitious company, wants to dynamically translate the inside 192.168.10.0/24 network from a pool of public addresses. Click Manage Pools to define a new pool of IP addresses, as shown in Figure 19-7. Because the inside hosts will be translated to the outside network, select the outside interface and click Add to add a range of IP addresses from 209.165.200.230 to 209.165.200.235 to be mapped to a pool ID of 10. The 209.165.200.236 address is used for PAT if all the other addresses have been assigned. Click OK to finish the setup.

Figure 19-7. Defining a Pool of Addresses



If you need to configure static NAT, click the Static radio button in the Add Address Translation Rule window and specify the translated address in the IP Address box, as shown in Figure 19-8, in which an inside host, 192.168.10.100, is being translated to 209.165.200.240.

Figure 19-8. Static Address Translation



To configure DNS Doctoring and the maximum connection limits, discussed in Chapter 5, click NAT Options in the Add Address Translation Rule window to open the Advanced NAT Options window, shown in Figure 19-9. In this case, the administrator has restricted the maximum TCP-based connections to not exceed 500 for the static entry created in the previous step. The maximum embryonic connection limit is 200, and Cisco ASA is being set up to randomize the sequence numbers in the TCP packets.

Figure 19-9. Setting the TCP-Based and Embryonic Connection Limits
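As an added example (not code from this book or from Cisco), the following Python models the SecureMe policy built in Figures 19-6 through 19-9: dynamic NAT of 192.168.10.0/24 from the pool 209.165.200.230 to 209.165.200.235 with PAT on 209.165.200.236 once the pool is exhausted, the static translation of 192.168.10.100 to 209.165.200.240 with its 500-connection limit, and the effect of the Enable Traffic Through the Firewall Without Address Translation option on a host that matches no policy. The inside host addresses, the source ports, the address 10.9.9.9 standing in for an unmatched host, and the starting PAT port are constructed for the example; the model consults static entries before dynamic policies, which is a simplification of the order the ASA follows, and it does not model the embryonic limit, DNS Doctoring, or sequence-number randomization.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pool:
    """A global pool as built in Figure 19-7: a range of addresses plus one PAT address."""
    addresses: list
    pat_address: str
    free: list = field(init=False)
    next_port: int = 1024          # assumed first mapped port for PAT

    def __post_init__(self):
        self.free = list(self.addresses)


@dataclass
class StaticEntry:
    mapped: str
    max_conns: int = 0             # 0 = unlimited (the TCP connection box in Figure 19-9)
    conns: int = 0


class Translator:
    def __init__(self, nat_control: bool):
        # nat_control=False models the checked option "Enable traffic through the
        # firewall without address translation": unmatched traffic is forwarded as-is.
        self.nat_control = nat_control
        self.statics = {}          # real ip -> StaticEntry
        self.dynamic = []          # (real network, pool id), in configuration order
        self.pools = {}            # pool id -> Pool
        self.xlate = {}            # real ip -> mapped ip (one-to-one dynamic NAT)
        self.pat = {}              # (real ip, real port) -> (mapped ip, mapped port)

    def add_static(self, real, mapped, max_conns=0):
        self.statics[real] = StaticEntry(mapped, max_conns)

    def add_dynamic(self, real_net, pool_id, pool):
        self.dynamic.append((ipaddress.ip_network(real_net), pool_id))
        self.pools[pool_id] = pool

    def translate(self, real_ip, real_port):
        """Return (mapped ip, mapped port) for an outbound connection, or None if dropped."""
        addr = ipaddress.ip_address(real_ip)
        if real_ip in self.statics:                # static entries are consulted first
            entry = self.statics[real_ip]
            if entry.max_conns and entry.conns >= entry.max_conns:
                return None                        # connection limit reached
            entry.conns += 1
            return entry.mapped, real_port         # static NAT keeps the port
        for net, pool_id in self.dynamic:
            if addr in net:
                return self._dynamic(real_ip, real_port, self.pools[pool_id])
        return None if self.nat_control else (real_ip, real_port)

    def _dynamic(self, real_ip, real_port, pool):
        if real_ip in self.xlate:                  # this host already owns a pool address
            return self.xlate[real_ip], real_port
        if pool.free:                              # one-to-one while the range lasts
            self.xlate[real_ip] = pool.free.pop(0)
            return self.xlate[real_ip], real_port
        key = (real_ip, real_port)                 # range exhausted: fall back to PAT
        if key not in self.pat:
            self.pat[key] = (pool.pat_address, pool.next_port)
            pool.next_port += 1
        return self.pat[key]


def secureme_scenario():
    """Constructed walk-through of the SecureMe policy; returns {label: translation}."""
    asa = Translator(nat_control=False)
    pool = Pool([f"209.165.200.{n}" for n in range(230, 236)], "209.165.200.236")
    asa.add_dynamic("192.168.10.0/24", 10, pool)
    asa.add_static("192.168.10.100", "209.165.200.240", max_conns=500)
    out = {}
    # Eight ordinary inside hosts: six take the range, two overflow into PAT on .236.
    for n in range(11, 19):
        out[f"192.168.10.{n}"] = asa.translate(f"192.168.10.{n}", 40000 + n)
    out["192.168.10.100"] = asa.translate("192.168.10.100", 51000)
    out["no policy"] = asa.translate("10.9.9.9", 12345)
    # Use up the static entry's 500-connection limit, then try one more.
    for port in range(51001, 51500):
        asa.translate("192.168.10.100", port)
    out["501st conn"] = asa.translate("192.168.10.100", 51500)
    return out


if __name__ == "__main__":
    for label, result in secureme_scenario().items():
        print(f"{label:16s} -> {result if result else 'dropped'}")
```

Running the scenario shows why the PAT address matters: a six-address pool serves exactly six inside hosts one-to-one, and the seventh host would be dropped without 209.165.200.236. It also shows what the connection limit on the static entry buys: the 501st concurrent TCP connection to 192.168.10.100 is refused, which is the control that keeps a flood from exhausting the server behind the translation.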



ASDM also supports NAT exemption policies to bypass address translation. You configure these policies under Configuration > Features > NAT > Translation


