39
Cisco ASA Firewall Guia Prático 2014 v1.0 Renato Pesca

Cisco ASA Firewall v1.0.pdf

Tags:

Embed Size (px)

Citation preview

Cisco ASA Firewall Guia Prtico 2014 v1.0 Renato Pesca 1Sumrio 2Topologia ............................................................................................. 3 3Prepara!o "o Appliance ..................................................................... 3 3.1Con#igura$es "e Re"e .................................................................. % 3.2Con#igura$es "e Rotas .................................................................. & 3.3Root 'sico .................................................................................... ( 3.4C)* no AS+, ................................................................................ 11 3.-Gerencia"or "e Ar.uivos ............................................................. 13 4)icena "o Appliance .......................................................................... 14 -*ntegra!o entre Re"es ...................................................................... 1- /Sincronis0os 1tili2a"os...................................................................... 1- %345etos .............................................................................................. 1/ %.16etwor7 345ects8Groups ............................................................. 1/ %.2Service 345ects8Groups ................................................................ 1% &6AT .................................................................................................... 1( &.1Tipos "e 6AT ................................................................................ 21 &.29eri#ica!o "e 6AT na C)* ............................................................ 22 &.3:sta"o "as Cone;$es ................................................................... 22 (AC) ..................................................................................................... 23 (.1Glo4al Access )ists ....................................................................... 2- 10Pu4lic Servers .................................................................................. 2/ 11Features .......................................................................................... 2& 12'ac7up e Restore ............................................................................ 2& 12.1'ac7up ...................................................................................... 2& 12.2Restore ..................................................................................... 31 13Trou4lesacessare0osainter#ace"ea"0inistra!o pelapri0eirave2e0issopo"eser#eitoe0 Configuration>>DeviceManagement>>Users/AAA>>UserAccounts> con#or0e #iguras % e &. Figura (: $ria%&o de usu!rio) etapa 1 Figura *: $ria%&o de usu!rio) etapa 2 AtenteDse"e.ueu0usuriosCterper0iss!oparaloginviaSSIcaso se5a 0arca"a a op!o correspon"ente. 3.1Configuraes de Rede :st!o"ispon=veise0DeviceSetup>>nterfaces>con#or0e#igura(.3 co0an"o@showinterfacesAapresentaas0es0asin#or0a$ese0lin logica0ente "e #or0a 0enos a0igvel. Figura +: $onfigura%,es de interface AtBagorasCt=nca"au0aco0seurespectivoSecurit# $evel. :0geral>oSecurit#$evel"einter#acesparaare"einternaBo0aior poss=vel F100G. 3 "a re"e "02 po"e ser a5usta"o para -0. Para o Cisco ASA> por pa"r!o o #lu;o "e "a"os entre inter#aces B per0iti"o .uan"ooSecurit#$evel"ainter#aceorige0"os"a"osB0aior"o.ueo "a inter#ace "estino. 3.2Configuraes de Rotas Acess=veis no ca0in> %outing >> Static %outes. Caso se5a necessrioa"icionar u0arota>proce"aco0atare#ae0DeviceSetup>> %outing >>Static %outes >> A!!. Figura 1-: .otas est!ticas configuradas Figura 11: $onfigura%&o de rota est!tica :0 geral> e0 @&ptionsA> vocH po"e "ei;ar o pa"r!o 0arca"o F'oneG. 3.3Root sico :0+eviceManagement>>S#stemmage/Configutation>>(oot mage/Configuration >> A!! B poss=vel locali2ar a i0age0 "o AS+,. Figura 12: /ocali0a%&o de imagem do A12M Figura 13: 1elecionando uma imagem de A12M para o boot 3.!C"# no AS$% 3 print "e tela ne0 se0pre B a 0el B poss=vel o4ter a sa="a "o co0an"o @s 1- e 1/G. Figura 14: Acessando a 3anela de execu%&o de comandos a partir da interface gr!fica Figura 1#: 4anela de execu%&o de comandos a partir da interface gr!fica Figura 1': 1a5da do comando 6sho7 running8config6 executado a partir da interface gr!fica 3.&'erenciador de Ar(ui)os Caso se5a necessrio gerenciar i0agens ou ar.uivos no appliance> po"eDse utili2ar o gerencia"or "e ar.uivos atrela"o E inter#ace e0 ve2 "e e;ecutar os co0an"os "e trans#erHncia F.ue e0 geral utili2a0 t#tp e8ou #tpG via console.:ste acesso se " atravBs "e )ools >> *ile Management. As #iguras 1% e 1& "e0onstra0 a utili2a!o. Figura 1(: Acessando o 9erenciador de Ar:ui"os Figura 1*: ;tili0ando o 9erenciador de Ar:ui"os !"icena do Appliance Acess=vel atravBs "e Device Management >> $icensing >> Activation +e#. Figura 1+: /icen%as 2ispon5"eis ntegrao entre Redes 3#irewallBorienta"oao45etos>.uepo"e0ser porta "e acesso Fo45etoG> etc. 3tr#egoentreasinter#aceso4e"eceEpriori"a"eassocia"aEinter#ace FSecuritK)evelG>"e0a100.Porpa"r!o>otr#ego"einter#aces"e*+ 0aior para *+ 0enor B li4era"o. *Sincronismos +tili,ados 3CiscoASApo"eutili2aru0a4ase"eusuriosn!onecessaria0ente con#igura"a local0ente> co0o> por e;e0plo> )+AP> TACACS> etc. :le po"e ar0a2enar logs e0 servi"ores FS#slog ServersG. 3e.uipa0entopossuibuffer"e20(/4Ktes>constante0entereescrito> para opera$es "e troubleshooting> assi0 co0o suporte a S6,P para .ue se5a 0onitora"o "e acor"o co0 as necessi"a"es "o a"0inistra"or. -./0etos -.11et2or3 ./0ects4'roups 3s o45etos po"e0 consistir "e en"ereos "e re"e e grupos "e en"ereos. Para criar u0 o45eto ou grupo "e re"e> "iri5aDse E Configuration >> *irewall >> &b,ects >> 'etwor- &b,ects/.roup >> Configuration. Figura 2-: $ria%ao de ob3eto de rede Figura 21: > Configuration. Figura 22: $ria%&o de ser"i%o de rede Figura 23: bser"e :ue "oc? pode adicionar "!rios protocolos ao grupo rec@m8criado AMembers in 9roupB 51AT As regras "e 6AT po"e0 ser visuali2a"as e0 Configuration >> *irewall >> 'A) %ules. Co0 4ase na topologia apresenta"a> ser cria"o u0 6AT para ca"a *P 9*P> re"irecionan"o to"o o tr#ego Fou parte "eleG para u0 *P na re"e a4ai;o Fre"e )A6G. Figura 2#: $aminho para cria%&o de regra de CAT Figura 2': $ria%&o de regra de CAT Figura 2(: $onfigura%&o de regra de CAT 34serve4e0osca0pos@SourcenterfaceA>@DestinationnterfaceA> @SourceA!!ressA>@DestinationA!!ressAeosca0posparaopacote tra"u2i"o F)ranslate! /ac-etG.As possi4ili"a"es "e trans#or0a!o "e pacotes s!o 0Lltiplas "epen"en"o "a topologia e0 opera!o e "a necessi"a"e e0 .uest!o. 5.1Tipos de 1AT 6ATpressup$eta4elas"e0apea0ento.:lepo"eserestticoou "inM0ico. A"i#erenapo"esere;plica"a"aseguinte0aneira?supon"iga0os> 1(2.1/&.1.0824> on"e sua 0.uina possui o *P 1(2.1/&.1.-0G. Acone;!oB"a"apelatupla1(2.1/&.1.-0?&000JJ1%3.1(4.42.14&?&0. Nuan"ovocHenviaestare.uisi!o>o#irewall>.uepossui*PpL4lico>B .ue0 vai reali2ar a cone;!o co0 o Google e repassar os resulta"os a vocH. Portanto>elereali2au00apea0entoparasa4erpara.ue0enviara resposta "o Google. :0u06AT"inM0ico>o#irewallescole.uan"oele rece4er a resposta> ele alterar o *P "estino "o pacote "e resposta F.ue no casoBoprCprio#irewallG>parao*P"esua0.uinainterna F1(2.1/&.1.-0G>co0opore;e0plo?1%3.1(4.42.14&?&0JJ 1(2.1/&.1.-0?&000. Se o 6AT #osse esttico> o #irewall respeitaria as cone;$es con#or0e a sua porta alta local> ou se5a> a4riria cone;!o co0 o Google utili2an"o o *P "ele e a porta alta &000. 5.26erificao de 1AT na C"# As regras visuali2a"as e0 Configuration >> *irewall >> 'A) %ules po"e0 ser igual0ente o4ti"as via console8SSI co0 o co0an"o @show natA. Figura 2*: erifica%&o de regras de CAT "ia linha de comando 5.37stado das Cone8es O a o4ten!o "os esta"os "as cone;$es tra"u2i"as B 0ais e#iciente0ente o4ti"a atravBs "o acesso e0 0o"o te;to utili2an"o o co0an"o @show xlateA. 9AC" AcrPni0o"e@AccessControl$istAou)ista"eControle"eAcessos. Representa0 e#etiva0ente as @regras "e #irewallA "o Cisco ASA. Ta04B0constituiu0o45etoco0postoporoutroso45etos>co0o in#or0a"o na se!o -. AsAC)spo"e0servisuali2a"ase0Configuration>>*irewall>>Access %ules. Averi#ica!o"eAC)e0con5untoco0arotina"elog"oAS+,B e;tre0a0ente Ltil "urante u0 troubleshooting. Figura 2+: A$/s Figura 3-: $ria%&o de A$/ Figura 31: $onfigura%&o de A$/ 9.1'lo/al Access "ists Q u0a classe "e AC) .ue a4range to"as as inter#aces "o Cisco ASA.34serva!o?le04reDse"e.uenase!oanterioru0aAC)po"ia"e#inir a inter#ace "e entra"a "e u0 pacote Fca0po nterfaceG> e .ue u0a regra "e 6AT possui recurso para .ue se5a0 "e#ini"as a entra"a e sa="a "o pacote. As .lobal Access $ists po"e0 ser visuali2a"as e0 Configuration >> *irewall > .lobal %ules. :stetipo"eAC)"eveserusa"aco0pru"Hncia>poisoseuuso in"iscri0ina"o tornar o appliance "esorgani2a"o e "i#=cil "e a"0inistrar. Figura 32: $ria%&o de 9lobal Access /ist Figura 33: $onfigura%&o de 9lobal Access /ist rec@m8criada 1: Pu/lic Ser)ers 3conceito"e/ublicServer"e#ineoacessoe;ternoa porB0 reco0en"a0os o full. Figura 3': DacEup acess5"el atra"@s de Tool >> Backup Configuration Figura 3(: DacEup personali0ado) onde seleciona8se somente o :ue se :uer guardar Figura 3*: 2efini%&o de ar:ui"o de bacEup) com extens&o 0ip Figura 3+: 9era%&o de bacEup personali0ado Figura 4-: $onclus&o de bacEup personali0ado 12.2 Restore 3restore"orunning0configBsi0plesFvi"e#igura2(Gein5etvelno appliance atravBs "o gerencia"or "e ar.uivos Fse!o 3.-G. 3restore"obac-upco0pleto>.ue"evesergera"oco0ae;tens!o2ip> po"esere#etua"oatravBs"ainter#acegr#ica"o0es0o0o"o.ueo 4ac7up full. Figura 41: .estore acess5"el em Tools >> Restore Configurations Figura 42: 1ele%&o de ar:ui"o de bacEup a ser restaurado Figura 43: 1ele%&o de bacEup a ser restaurado para o appliance Aextens&o 0ipB Figura 44: 2efini%&o dos itens a serem restaurados Figura 4#: A"iso de restaura%&o sobre o :ue pode acontecer com as configura%,es "igentes Figura 4': traceroutee/ac-et)racers!o4oas#erra0entas"e anlise. 3/ac-et)racer#a2anlise"eu0aorige0parau0"estinoeviceDversa> "escreven"oto"ootra5eto"opacoteeain#luHncia"eca"aregraso4re ele. Nuan"oopacoteBli4era"ooin"ica"orBe;i4i"onacorver"e>caso contrrio> na cor ver0elo.uepo"eser"etecta"o#acil0enteco0a #erra0enta /ac-et )racer. A#erra0enta"eloggingBacess=vele0Monitoring>>$ogging>>1iew> on"e o #iltro "ese5a"o po"e ser con#igura"o. Pingetraceroutes!o#erra0entasco0unsna0aioria"ossiste0asunix li-e> acess=veis e0 )ools >> /ing e )ools >> )raceroute> respectiva0ente. Figura 4(: Acesso ao Packet Tracer Figura 4*: Fxemplo de uso do Packet Tracer Figura 4+: Acessando o Logging Figura #-: Fxemplo de uso do Logging Figura #1: Acessando o Traceroute Figura #2: Fxemplo de uso do Traceroute Figura #3: Acessando o Ping Figura #4: Fxemplo de uso do Ping


Configure the ASA/PIX firewall Firewall · Web viewConfigure the ASA/PIX firewall Firewall names!--- Access control list (ACL) for interesting traffic to be encrypted and !--- to

Configure the ASA/PIX firewall Firewall · Web viewConfigure the ASA/PIX firewall Firewall names!--- Access control list (ACL) for interesting traffic to be encrypted and !--- to

Documents
Deploying Cisco ASA Firewall Solutions ford2zmdbbm9feqrf.cloudfront.net/2013/usa/pdf/BRKCRT-… ·  · 2013-06-26–Deploying Cisco ASA Firewall Solutions v2.0 ... ASA 5510 + (300

Deploying Cisco ASA Firewall Solutions ford2zmdbbm9feqrf.cloudfront.net/2013/usa/pdf/BRKCRT-… ·  · 2013-06-26–Deploying Cisco ASA Firewall Solutions v2.0 ... ASA 5510 + (300

Documents
configuring basic firewall policies on cisco asa appliances

configuring basic firewall policies on cisco asa appliances

Education
Deploy Failover/High Availability in ASA Firewall

Deploy Failover/High Availability in ASA Firewall

Technology
Configuración de VPN Remote Access en Firewall ASA 5510

Configuración de VPN Remote Access en Firewall ASA 5510

Documents
Deploying Cisco ASA Firewall Solutions (FIREWALL) · PDF fileDeploying Cisco ASA Firewall Solutions (FIREWALL) ... command? A. nspect ... and telnet connections to the Cisco ASA C

Deploying Cisco ASA Firewall Solutions (FIREWALL) · PDF fileDeploying Cisco ASA Firewall Solutions (FIREWALL) ... command? A. nspect ... and telnet connections to the Cisco ASA C

Documents
Creating a cisco asa or pix firewall

Creating a cisco asa or pix firewall

Technology
Cisco Deploying Cisco ASA Firewall Solutions (FIREWALL) by Jassean · 2019-10-25 · The Cisco ASA has NAT control disabled on each security context. B. The Cisco ASA is using inside

Cisco Deploying Cisco ASA Firewall Solutions (FIREWALL) by Jassean · 2019-10-25 · The Cisco ASA has NAT control disabled on each security context. B. The Cisco ASA is using inside

Documents
MahindraComviva SMS Firewall V1.0

MahindraComviva SMS Firewall V1.0

Documents
343o do Firewall Cisco ASA 5500)

343o do Firewall Cisco ASA 5500)

Documents
Upgrade ASA and ASDM Cisco ASA Firewall - · PDF fileUpgrade ASA and ASDM Cisco ASA Firewall Complete these steps to upgrade a software image on the ASA 5500 using ASDM. 1. Select

Upgrade ASA and ASDM Cisco ASA Firewall - · PDF fileUpgrade ASA and ASDM Cisco ASA Firewall Complete these steps to upgrade a software image on the ASA 5500 using ASDM. 1. Select

Documents
Asa 91 Firewall Config

Asa 91 Firewall Config

Documents
Asa 91 Firewall Cli

Asa 91 Firewall Cli

Documents
Sample Mastering ASA WB v1.0

Sample Mastering ASA WB v1.0

Documents
Cisco ASA, PIX, and FWSM Firewall Handbook

Cisco ASA, PIX, and FWSM Firewall Handbook

Documents
Cisco Adaptive Security Appliances (ASA) Firewall and Virtual

Cisco Adaptive Security Appliances (ASA) Firewall and Virtual

Documents
CISCO ASA Firewall quick configuration guide

CISCO ASA Firewall quick configuration guide

Documents
Practica con firewall asa

Practica con firewall asa

Documents
Maximising Firewall Performance - alcatron.net Live 2013 Melbourne/Cisco Live... · Maximising Firewall Performance BRKSEC-3021 . ... Firewall and VPN Firewall Multiservice ASA 5540

Maximising Firewall Performance - alcatron.net Live 2013 Melbourne/Cisco Live... · Maximising Firewall Performance BRKSEC-3021 . ... Firewall and VPN Firewall Multiservice ASA 5540

Documents
Cisco ASA Firewall Fundamentals, 3rd Edition

Cisco ASA Firewall Fundamentals, 3rd Edition

Documents
Deploying Cisco ASA Firewall Solutions

Deploying Cisco ASA Firewall Solutions

Documents
ASA Firewall, Microsoft ForeFront Gateway y TACACS

ASA Firewall, Microsoft ForeFront Gateway y TACACS

Documents
ASA Firewall Lab Manual

ASA Firewall Lab Manual

Documents
Topcerts 642-617 Exam - Deploying Cisco ASA Firewall Solutions

Topcerts 642-617 Exam - Deploying Cisco ASA Firewall Solutions

Documents
Configuración y Documentación de ACL y Firewall ASA

Configuración y Documentación de ACL y Firewall ASA

Technology
Cisco ASA Series Firewall CLI 컨피그레이션 가이드 소프트웨어 버전 9 · iii Cisco ASA Series Firewall CLI 컨피그레이션 가이드 목차 설명서 정보 xvii

Cisco ASA Series Firewall CLI 컨피그레이션 가이드 소프트웨어 버전 9 · iii Cisco ASA Series Firewall CLI 컨피그레이션 가이드 목차 설명서 정보 xvii

Documents
CCNP Security FIREWALL Notes - 13Cubed · PDF fileCCNP Security FIREWALL Notes Introduction: 642-617 (this test) >> ASA Software v8.2 642-618 >> ASA Software v8.3 Firewall Solutions

CCNP Security FIREWALL Notes - 13Cubed · PDF fileCCNP Security FIREWALL Notes Introduction: 642-617 (this test) >> ASA Software v8.2 642-618 >> ASA Software v8.3 Firewall Solutions

Documents
CLI Book 2: Cisco ASA Series Firewall CLI Configuration ... ASA Series Firewall 9.4... · 1-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Basic Access Control Step

CLI Book 2: Cisco ASA Series Firewall CLI Configuration ... ASA Series Firewall 9.4... · 1-2 Cisco ASA Series Firewall CLI Configuration Guide Chapter 1 Basic Access Control Step

Documents
Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA · PDF fileCisco ASA 5500 Series Adaptive Security Appliances integrate world-class firewall, unified communications security, VPN,

Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA · PDF fileCisco ASA 5500 Series Adaptive Security Appliances integrate world-class firewall, unified communications security, VPN,

Documents
Cisco asa-firewall-fundamentals-2nd-edition

Cisco asa-firewall-fundamentals-2nd-edition

Technology