Difference between revisions of "SNAF 642-524"

From NørderiWiki
Revision as of 8 Jun 2010, 08:32


SNAF - 642-524 - Securing Networks with ASA Foundation

Based on this Cisco exam, since it is a really good one and covers a great many of the things an ASA can do.

You will hardly pass by having read only this, but I use the page myself as notes for the SNAF exam. Also remember to take a look at the links.

Exam Topics

ASA version: 8.0.2

ASDM Version: 6.0.2

Configure Security Appliances for secured network connectivity

Configure and verify network and interface settings using ASDM and CLI

Configuration -> Device Setup -> Interfaces -> click the Add button.

interface Ethernet0/2
 no shutdown
 nameif DMZ
 security-level 50
 ip address 10.10.5.1 255.255.255.0

Subinterface

Remove nameif from the parent (physical) interface so it has no IP connectivity of its own; only the tagged subinterfaces then pass traffic.

interface Ethernet0/2
 no nameif
interface Ethernet0/2.50
 vlan 50
 no shutdown
 description Interface for vlan 50
 nameif Vlan50
 security-level 50
 ip address 10.10.50.1 255.255.255.0

DHCP

ASDM: Configuration -> Device Management -> DHCP -> DHCP Server

CLI:

dhcpd address 10.10.10.10-10.10.10.20 inside
dhcpd enable inside
dhcpd dns 8.8.8.8 interface inside

Show commands

sh run nameif

interface Ethernet0/0
 nameif outside
 security-level 0
sh inter ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.200.101 YES DHCP   up                    up

Configure and verify NAT globals, statics, NAT exemption, and Identity NAT using ASDM

static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask [tcp max_conns [emb_limit]] [udp max_conns]

In security-level terms: (high, low) low_ip high_ip. The interface the real host sits behind comes first, and the address it is seen as on the mapped interface is written before the real address. The tcp/udp values cap simultaneous connections; emb_limit caps embryonic (half-open) TCP connections.


[Images of various NAT rules]

static (inside,management) 192.168.1.20 10.10.10.10 netmask 255.255.255.255

This presents the inside host 10.10.10.10 as 192.168.1.20 on the management interface, so the 10.10.10.10 server can be reached from management via 192.168.1.20.

NAT order of operations:

  • 1. Check access rules
  • 2. Check the routing table for the exit interface
  • 3. Look in the current translation (xlate) table
  • 4. Check for NAT exemptions (nat 0 access-list)
  • 5. Static NAT and PAT (regular and policy)
  • 6. Policy dynamic NAT
  • 7. Regular dynamic NAT
  • 8. If nat-control is enabled and nothing above matched, drop the packet
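The order above is easiest to see by running a few packets through it. The following is an added example, not code from the page or from Cisco: it parses a constructed subset of ASA 8.0 NAT syntax (nat-control, access-list ... extended permit ip, nat, global, static; the last static line is the page's own example) and answers "what does a source become when it leaves real_ifc towards mapped_ifc" in the documented order. Steps 1 and 2 (access rules, routing) are not modelled, and the caller-supplied dict stands in for the xlate table. The sample config, addresses and interface names are assumptions.

```python
"""Model of the ASA 8.0 NAT order of operations (added example, not from the page)."""
import ipaddress

# Constructed sample config (not from the page); the last static is the page's own example.
SAMPLE_CONFIG = """
nat-control
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list POLICY extended permit ip 10.10.10.0 255.255.255.0 host 203.0.113.50
nat (inside) 0 access-list NONAT
nat (inside) 2 access-list POLICY
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 2 198.51.100.20
global (outside) 1 198.51.100.1
static (inside,outside) 198.51.100.10 10.10.10.10 netmask 255.255.255.255
static (inside,management) 192.168.1.20 10.10.10.10 netmask 255.255.255.255
"""


def _addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Collect the NAT-relevant lines of the subset of syntax used in SAMPLE_CONFIG."""
    cfg = {"nat_control": False, "acls": {}, "exempt": [], "static": [],
           "policy": [], "dynamic": [], "global": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nat-control":
            cfg["nat_control"] = True
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _addr(t[5:])
            dst, _ = _addr(rest)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "static":                      # static (real,mapped) mapped_ip real_ip netmask M
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            mask = t[5] if len(t) > 5 and t[4] == "netmask" else "255.255.255.255"
            cfg["static"].append((real_ifc, mapped_ifc,
                                  ipaddress.ip_network(f"{t[2]}/{mask}", strict=False),
                                  ipaddress.ip_network(f"{t[3]}/{mask}", strict=False)))
        elif t[0] == "nat":                         # nat (real) id {access-list NAME | NET MASK}
            ifc, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                (cfg["exempt"] if nat_id == 0 else cfg["policy"]).append((ifc, nat_id, t[4]))
            else:
                cfg["dynamic"].append((ifc, nat_id, _addr(t[3:])[0]))
        elif t[0] == "global":                      # global (mapped) id MAPPED_IP
            cfg["global"][(t[1].strip("()"), int(t[2]))] = t[3]
    return cfg


def translate(cfg, src_ip, dst_ip, real_ifc, mapped_ifc, xlates=None):
    """Return (rule_kind, mapped_source) for a packet src_ip->dst_ip leaving real_ifc towards mapped_ifc."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    xlates = {} if xlates is None else xlates      # caller-supplied dict plays the xlate table
    key = (real_ifc, mapped_ifc, src_ip)
    if key in xlates:                               # 3. an existing translation wins
        return "xlate", xlates[key]

    def permits(acl_name):
        return any(src in s and dst in d for s, d in cfg["acls"].get(acl_name, []))

    for ifc, _, acl in cfg["exempt"]:               # 4. NAT exemption: no translation at all
        if ifc == real_ifc and permits(acl):
            return "exempt", src_ip
    for ifc, m_ifc, mapped_net, real_net in cfg["static"]:   # 5. static NAT (one-to-one offset)
        if ifc == real_ifc and m_ifc == mapped_ifc and src in real_net:
            mapped = str(mapped_net.network_address + (int(src) - int(real_net.network_address)))
            xlates[key] = mapped
            return "static", mapped
    for ifc, nat_id, acl in cfg["policy"]:          # 6. policy dynamic NAT
        if ifc == real_ifc and permits(acl) and (mapped_ifc, nat_id) in cfg["global"]:
            xlates[key] = cfg["global"][(mapped_ifc, nat_id)]
            return "policy-dynamic", xlates[key]
    for ifc, nat_id, net in cfg["dynamic"]:         # 7. regular dynamic NAT
        if ifc == real_ifc and src in net and (mapped_ifc, nat_id) in cfg["global"]:
            xlates[key] = cfg["global"][(mapped_ifc, nat_id)]
            return "dynamic", xlates[key]
    if cfg["nat_control"]:                          # 8. nat-control on and nothing matched: drop
        return "drop", None
    return "untranslated", src_ip


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for s, d, ri, mi in [("10.10.10.10", "192.168.50.5", "inside", "outside"),
                         ("10.10.10.10", "203.0.113.50", "inside", "outside"),
                         ("10.10.10.11", "203.0.113.50", "inside", "outside"),
                         ("10.10.10.11", "8.8.8.8", "inside", "outside"),
                         ("10.10.20.5", "8.8.8.8", "inside", "outside"),
                         ("10.10.10.10", "192.168.1.50", "inside", "management")]:
        print(s, "->", d, "via", mi, "=", translate(cfg, s, d, ri, mi))
```

The first two queries are the ones worth staring at: 10.10.10.10 talking to 192.168.50.0/24 is exempted even though a static for it exists, and the same host talking to 203.0.113.50 gets the static rather than the policy NAT that also matches, because exemption precedes static and static precedes policy dynamic NAT. Removing the nat-control line turns the final "drop" into "untranslated".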

Configure and verify access-lists with or without object groups using ASDM

[Images and explanation of ACL rules]

Configure and verify routing and switching on Security Appliances

Describe the routing capabilities of the Security Appliance

ASDM: Conf -> Device Setup -> Routing

  • Static
  • RIP
  • OSPF
  • EIGRP

Use ASDM to configure VLANs on a Security Appliance interface

See Subinterface above.

If the parent interface has no nameif it has no IP connectivity of its own, and with several subinterfaces it automatically becomes an 802.1Q trunk. From the "Cisco Security Appliance Command Line Configuration Guide": "For each VLAN to pass traffic, you need to configure an interface name (the nameif command), and for routed mode, an IP address."

Use ASDM to configure the passive RIP routing functionality of the Security Appliance

RIP version 2

ASDM:

[image: pasvrip.png]

router rip
 version 2
 passive-interface default

Configure and verify Authentication, Authorization, & Accounting services for Security Appliances

Configure ACS for Security Appliance support

ACS -> Network Conf -> AAA Clients -> Add Entry

AAA Client Hostname: ASA

AAA Client IP Address: 10.10.10.1


ACS -> User Setup: create users

ACS -> Downloadable ACL?

Use ASDM to configure the Security Appliance AAA features

Conf -> Device Management -> Users/AAA -> AAA Server Groups

Under AAA Server Groups, create a new server group.

Select the group and choose Add under Servers in the Selected Group.


Protocol: RADIUS or TACACS+

Configure and verify Auth-Proxy (cut-through proxy) using ASDM

Supported protocols:

  • TCP port 21, FTP
  • TCP port 23, telnet
  • TCP port 80, HTTP
  • TCP port 443, HTTPS


Setup:

  • Create an AAA server group
  • Add an AAA server
  • Add an AAA rule under Configuration -> Firewall -> AAA Rules

[image: addaaarule.png]

See logged-in users: ASDM: Monitoring -> Properties -> Device Access -> Authenticated Users

CLI: show uauth

Remove logged-in users: clear uauth

Configuration -> Firewall -> AAA Rules -> click the Advanced button; here you can choose whether the login should be forwarded to the (web) server at the other end.

[image: aaaadvopt.png]

If the server at the other end also requires a login, but a different one from what the AAA server knows, use the Virtual HTTP server.

ASDM: Configuration -> Firewall -> Advanced -> Virtual Access

Remember that web browsers can cache the login, so if Telnet and FTP appear to work normally but HTTP/S never times out, that may be the reason.


Authentication Prompt

Configuration -> Device Management -> Users/AAA -> Authentication Prompt


Authentication Timeouts

Configuration -> Firewall -> Advanced -> Global Timeouts

Configure and verify Layer 3 & 4 protocol inspection, Modular Policy Framework, and threat detection for Security Appliances

Configure and verify Layer 3 and Layer 4 protocol inspection using ASDM

" You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. (An interface policy overrides the global policy for a particular feature.)"


Order (per CBT Nuggets):

  • 1. TCP normalization, connection limit and timeout, and seq # randomization
  • 2. CSC
  • 3. Application Inspection
  • 4. IPS
  • 5. QoS input policing
  • 6. QoS output policing
  • 7. QoS priority queuing

ASA Guide: Modular Policy Framework supports the following features:

  • QoS input policing
  • TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization
  • CSC
  • Application inspection (multiple types)
  • IPS
  • QoS output policing
  • QoS standard priority queue
  • QoS traffic shaping, hierarchical priority queue

Configure and verify Modular Policy Framework using ASDM

1. Service Policy (interface/global)
2. Match
3. Action

Use ASDM to configure and verify threat detection

Conf -> Firewall -> Threat Detection

Basic threat detection is on by default. Scanning threat detection can be enabled.

Stats for: Top 10 / 200, Access rules, Port, Protocol, TCP Intercept

Configure and verify secure connectivity using VPNs

Configure and verify remote access VPNs using ASDM

Wizards -> IPsec VPN Wizard -> Remote Access

Configure and verify IPsec VPN clients with preshared keys using ASDM

[image: vpnclient.png]

Host: VPN Interface IP (Public)

Name: IPsec Connection Profile

Password: Pre Shared Key

Configure and verify site-to-site VPNs with preshared keys using ASDM

Wizards -> IPsec VPN Wizard -> Site to Site


Monitoring -> VPN -> Sessions

Verify IKE and IPsec using ASDM and CLI

show crypto isakmp sa

show crypto ipsec sa

show crypto ca certificates    (show certificates)

show crypto ca crls    (show certificate revocation lists)

show run crypto map

Configure and verify clientless SSL VPN using ASDM

" The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users. "

" Limit Internet access for users of Clientless SSL VPN. One way to do this is to clear the Enable URL entry check box on the Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit > Functions tab. Then configure links to specific targets within the private network (Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies > Add or Edit > URL Lists tab). "

" Clientless SSL VPN—VPN via SSL/TLS. Uses a web browser to establish a secure remote-access tunnel to a VPN Concentrator; requires neither a software nor hardware client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites. "

Configure and verify active/standby and active/active failover features on Security Appliances

Configure and verify active/standby failover using ASDM

failover reset

Configure and verify active/active failover using ASDM

Configure and verify redundant Interface using ASDM

Conf -> Device Setup -> Interfaces

Add Redundant Interface

interface Redundant1
 member-interface Ethernet0/2
 member-interface Ethernet0/3
 no shutdown
 description Redundant Interface 1
 nameif Redu1
 security-level 100
 ip address 10.10.5.1 255.255.255.0

Configure transparent firewall and virtual firewall features on a Security Appliance

Explain the purpose of virtual & transparent firewalls

Contexts (virtual firewalls); multiple context mode does not support:

  • Dynamic routing protocols
  • VPN
  • Multicast routing (multicast bridging is supported)
  • Threat detection


Transparent firewall:

  • No IP addresses on the interfaces, only a management IP
  • The interfaces sit in different VLANs but on the same IP network
  • No router hop: a "bump in the wire"
  • Can forward traffic that routed mode cannot, such as non-IP EtherTypes

Configure and verify the transparent firewall feature of the Security Appliance using CLI

ASA(config)# firewall transparent

The whole configuration is cleared when switching mode, so remember to save (back up) the config first.

show mode

Configure and verify the virtual firewall feature of the Security Appliance using ASDM

Monitor and manage installed Security Appliances

Update, backup, and restore configurations and software images using ASDM and CLI

Blank config, open it up for ASDM:

  • Name the interface (nameif, e.g. inside or management) and give it an IP and netmask
  • Set time, hostname and domain name
  • Start the HTTP service
  • Allow hosts in on HTTP
  • Optionally choose the ASDM image

interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0

hostname ASA
domain-name domain.local
clock set hh:mm:ss DAY MONTH Year

http server enable
http 192.168.1.0 255.255.255.0 management

asdm image disk0:/asdm-602.bin

Boot image:

boot system disk0:/asa802-k8.bin

Install and verify Licensing using ASDM

ASDM: Configuration > Device Management > System Image/Configuration > Activation Key

1. Get the key from cisco.com based on the serial number shown by the show version command.
2. Reload the ASA to make sure the image in flash is the same as the one running.
3. Go to Configuration > Device Management > System Image/Configuration > Activation Key and enter the key as 4 or 5 hex blocks separated by spaces.
4. Click Update Activation Key.
5. Reload the ASA to activate the key.

Configure and verify Console and SSH/Telnet access

ASDM: Conf -> Device Management -> Management Access -> Command Line (CLI) -> Secure Shell (SSH)

SSH requires:

  • Hostname
  • Domain name
  • A (local) user
  • RSA key pair

ASDM: Conf -> Device Management -> Users/AAA -> AAA Access -> Authentication

Next to SSH, tick the box and choose LOCAL.

username AdminUser password AdminPass
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024

ssh 192.168.1.0 255.255.255.0 management

Without aaa authentication ssh console, SSH logins use the built-in "pix" account and the login (passwd) password, so always set it. A 2048-bit modulus is also accepted and is the better choice; the generated key does not appear in the running config (see show crypto key mypubkey rsa). Keep the ssh statement restricted to the admin subnet on the management interface rather than 0.0.0.0 0.0.0.0.

ASDM: Conf -> Device Management -> Management Access -> Command Line (CLI) -> Telnet

telnet 192.168.1.0 255.255.255.0 management

Telnet is cleartext, and the ASA refuses telnet access on the interface with the lowest security level (normally outside); use SSH wherever possible.
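The SSH, Telnet and HTTP statements above are the lines a reviewer checks first in a running config. The following is an added example, not code from the page or from Cisco: it reads a constructed running-config excerpt and reports the weak management-access settings (telnet, any-source ssh/http, management on the lowest security-level interface, SSHv1 still accepted, no AAA for ssh/http, no syslog). Both sample configs, the finding texts and the assumption that nameif precedes security-level inside an interface block are the example's own; only the line shapes shown are parsed.

```python
"""Audit of ASA management-access lines in a running config (added example, not from the page)."""

# Constructed "before" config: management exposed on outside from any source.
WEAK_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.200.101 255.255.255.0
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 management
"""

# Constructed "after" config: the page's own ssh/http statements plus the settings the audit expects.
HARDENED_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.200.101 255.255.255.0
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
username AdminUser password AdminPass privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
ssh 192.168.1.0 255.255.255.0 management
ssh version 2
logging enable
logging host management 192.168.1.50
"""


def security_levels(lines):
    """Map nameif -> security-level from interface blocks (nameif precedes security-level in ASA output)."""
    levels, name = {}, None
    for line in lines:
        t = line.split()
        if t[:1] == ["nameif"]:
            name = t[1]
        elif t[:1] == ["security-level"] and name:
            levels[name] = int(t[1])
    return levels


def audit_management_access(config_text):
    """Return a list of findings; an empty list means nothing to report."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    levels = security_levels(lines)
    lowest = min(levels.values()) if levels else None
    has = lambda prefix: any(l.startswith(prefix) for l in lines)
    findings = []
    for line in lines:
        t = line.split()
        # Access statements have the shape: {ssh|telnet|http} SOURCE MASK INTERFACE
        if len(t) == 4 and t[0] in ("ssh", "telnet", "http") and t[1][0].isdigit():
            proto, ip, mask, ifc = t
            if proto == "telnet":
                findings.append(f"telnet (cleartext) permitted on {ifc}; use ssh instead")
            if ip == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(f"{proto} permitted from any source on {ifc}; restrict to the admin subnet")
            if len(levels) > 1 and levels.get(ifc) == lowest:
                findings.append(f"{proto} exposed on {ifc} (security-level {lowest}, the lowest); "
                                "prefer the management interface")
    if has("ssh ") and not has("ssh version 2"):
        findings.append("ssh version 2 not forced; SSHv1 is still accepted")
    if has("ssh ") and not has("aaa authentication ssh console"):
        findings.append("no aaa authentication for ssh; logins use the built-in pix account and the login password")
    if has("http ") and not has("aaa authentication http console"):
        findings.append("no aaa authentication for http/ASDM; logins use a blank username and the enable password")
    if not has("logging enable"):
        findings.append("logging is not enabled")
    elif not has("logging host"):
        findings.append("no syslog server configured; messages stay in the local buffer")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_management_access(cfg) or ["OK"])
```

Run it against the output of show running-config (saved to a file) rather than a hand-typed excerpt; the checks deliberately only look at the statement shapes the page uses, so an unusual line is skipped instead of misread.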

Configure and utilize Logging using ASDM

ASDM: Conf -> Device Management -> Logging

-> Event Lists

-> Logging Filters

-> Syslog Servers
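What the syslog server configured here actually receives is plain text in the documented message formats, and the useful part is reading it back. The following is an added example, not code from the page or from Cisco: a small parser for constructed sample lines in the 8.0 formats of %ASA-4-106023 (ACL deny) and %ASA-6-605004/605005 (management login denied/permitted), summarising top denied sources, sources probing several distinct targets and repeated failed admin logins. The sample lines, addresses, ACL name and the two thresholds are assumptions of the example, not ASA threat-detection settings.

```python
"""Parser for ASA syslog sent to an external server (added example, not from the page)."""
import re
from collections import defaultdict

# Constructed sample syslog in the documented 8.0 message formats (not captured from a real ASA).
SAMPLE_SYSLOG = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.77/40001 dst inside:10.10.10.10/22 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.77/40002 dst inside:10.10.10.10/23 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.77/40003 dst inside:10.10.10.10/445 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.77/40004 dst inside:10.10.10.10/3389 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.9/5353 dst inside:10.10.10.10/53 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-605004: Login denied from 203.0.113.9/4444 to outside:192.168.200.101/ssh for user "admin"
%ASA-6-605004: Login denied from 203.0.113.9/4445 to outside:192.168.200.101/ssh for user "root"
%ASA-6-605005: Login permitted from 192.168.1.50/51234 to management:192.168.1.1/ssh for user "AdminUser"
%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:10.10.10.11/51000 (198.51.100.1/1025)
"""

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sifc>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<difc>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
LOGIN_RE = re.compile(
    r'%ASA-6-60500[45]: Login (?P<result>permitted|denied) from (?P<src>[\d.]+)/\d+ '
    r'to (?P<ifc>[\w-]+):(?P<dst>[\d.]+)/(?P<svc>\w+) for user "(?P<user>[^"]+)"')


def summarize(syslog_text, scan_ports=3, login_failures=2):
    """Summarise denies and admin logins; scan_ports / login_failures are the example's own thresholds."""
    deny_count = defaultdict(int)       # source -> number of ACL denies
    targets_hit = defaultdict(set)      # source -> distinct (proto, dst, dport) it was denied to
    failed_logins = defaultdict(int)    # source -> failed management logins
    admin_logins = []                   # every management login event in order
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            deny_count[m["src"]] += 1
            targets_hit[m["src"]].add((m["proto"], m["dst"], int(m["dport"])))
            continue
        m = LOGIN_RE.search(line)
        if m:
            admin_logins.append((m["result"], m["src"], m["user"], m["svc"]))
            if m["result"] == "denied":
                failed_logins[m["src"]] += 1
    return {
        "top_denied": sorted(deny_count.items(), key=lambda kv: (-kv[1], kv[0])),
        "scanners": sorted(s for s, hits in targets_hit.items() if len(hits) >= scan_ports),
        "brute_force": sorted(s for s, n in failed_logins.items() if n >= login_failures),
        "admin_logins": admin_logins,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SYSLOG).items():
        print(key, "=", value)
```

Messages the two patterns do not recognise (the 302013 connection line here) are skipped rather than guessed at; add a pattern per message ID you care about, copying the format from the ASA syslog message guide, and keep the ASA-side logging level at 6 (informational) if you want the 605xxx login events at all.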

Miscellaneous

The SAST keys can be seen via the show crypto key mypubkey rsa command.

" Note: If you remove a static command, current connections that use the translation are not affected. In order to remove these connections, enter the clear local-host command. You cannot clear static translations from the translation table with the clear xlate command; you must remove the static command instead. Only dynamic translations created by the nat and global commands can be removed with the clear xlate command. "

" NOTE If you don’t configure the nat-control command, then address translation is optional. The appliance will use any address translation policies you’ve configured, and if a packet doesn’t match a translation policy, it isn’t translated, but forwarded as is. "

ASA Links

ASDM 6.0 User Guide

ASA CLI Configuration Guide 8.0

https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b1ee95.shtml

http://www.wr-mem.com/

http://www.wr-mem.com/?p=4

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

https://supportforums.cisco.com/docs/DOC-1268

http://www.networkstraining.com/ciscoasaebook.php

http://www.networkworld.com/community/node/58537

http://www.iflipr.com/deck/search?query=snaf

https://learningnetwork.cisco.com/docs/DOC-2800

http://blog.ine.com/

https://learningnetwork.cisco.com/message/11409#11409

http://blog.ine.com/2009/04/19/understanding-modular-policy-framework/

http://oav.net/mirrors/cidr.html

http://www.quia.com/quiz/497859.html?AP_rand=334332925

http://www.ciscopress.com/articles/article.asp?p=24833&seqNum=6

http://www.subnet-calculator.com/