Training Asg Cisco


Training and Transfer of Information Security Systems

CTY TNHH TH &TT MINH TRCT: 08 62966066 Fax: 08 62966060 Email: [email protected]: Hi Minh

Email: [email protected]: 091 8397 2261

Contents

Astaro Security Gateway
- Deployment model
- Introduction and basic configuration
- Network parameter configuration
- Administration

Cisco VLAN, VTP, STP
- Introduction to the deployment model
- Basic configuration guide
- Administration

Astaro Security Gateway

Deployment model

Securing central offices, branch offices and mobile workers

The network consists of several different zones:
- Users, servers, administration: internal
- Internet: external
- DMZ: public server

Introduction to the features of Astaro Security Gateway

Astaro Security Gateway architecture

- Central, browser-based management & reporting of all applications
- VPN & wireless extensions
- Software Appliance
- Flexible Deployment
- Virtual Appliance
- Integration of complete email, web & network protection
- Networking features for high availability and load balancing
- Endpoint Security & Mobile Control

Astaro: all-in-one appliance / Sim

Complete protection for your network

- Wireless Security (optional): Wireless Controller for Astaro Access Points, Multi-Zone (SSID) support
- Web Security (optional): URL Filter, Antivirus & Antispyware, Application Control
- Web Application Security (optional): Reverse Proxy, Web Application Firewall, Antivirus
- Network Security (optional): Intrusion Prevention, IPSec/SSL VPN, Branch Office Security
- Mail Security (optional): Anti Spam & Phishing, Dual Virus Protection, Email Encryption
- Essential Firewall: Stateful Firewall, Network Address Translation, PPTP/L2TP Remote Access

Astaro 2008 Astaro Overview Page 7

Astaro product lines

| Hardware Appliance | 110/120 | 220 | 320 | 425 | 525 | 625 | Multiple + RED |
|---|---|---|---|---|---|---|---|
| Environment | Small network | Medium network | Medium network | Large network | Large network | Large network | Large networks + branches |
| Network Ports | 4 | 8 | 8 | 6 & 2 SFP | 10 & 4 SFP | 10 & 8 SFP | Multiple |
| Max. recommended FW users | 10/80 | 300 | 800 | 1500 | 3500 | 5000 | 10000+ |
| Max. recommended UTM users | 10/35 | 75 | 200 | 600 | 1300 | 2000 | 5000 |

Software Appliance *: runs on Intel-compatible PCs and servers

Virtual Appliance *: VMware Ready & Citrix Ready certified; runs in Hyper-V, KVM, and other virtual environments

12 steps to configure ASG

Astaro Security Gateway

Step 1: Startup
1. Connect port eth0 to the internal switch.
2. Connect port eth1 to the ADSL modem.
3. Power on and boot the device.

Default IP: Astaro hardware:
Set the computer's IP in the 192.168.0.x network.
Use a web browser to open WebAdmin.
Note: accept the certificate when the browser reports an error.

Step 2: Set the organization name
- Hostname: the device's name in the domain
- Company: organization name
- City: city
- Country: Vietnam
- User admin password: xxx
- Admin's email

Step 3: Log in
Refresh and go to the login page. Enter the user admin and the password just set to enter administration.

Step 4: Install using the wizard
Click Next to continue.

Step 5: Set the LAN IP
- Set the IP of the LAN port
- Enable DHCP to assign IPs to computers

Step 6: Configure the WAN port
- Select interface: eth1
- Select type: DSL PPPoE
- Username: provided by the ADSL provider
- Password: provided by the ADSL provider

Step 7: Set up the firewall
Allow the services that internal users may use to reach the outside.

Step 8: Intrusion prevention
Enable the intrusion prevention system.

Step 9: IM / P2P
- Block IM chatting
- Block P2P download
(optional)

Step 10: Web proxy
Set up the web proxy (optional).

Step 11: Set up the mail proxy
Set up the mail proxy (optional).

Step 12: Summary of the settings
Click Finish to complete the installation.

Webadmin

WebAdmin interface
- The Throbber
- Main menu
- Submenus appear when clicked
- Release Information
- Login Information
- Context Help
- Refresh
- The Dashboard

Menu structure
- Selecting a main menu shows its submenus below it
- Each menu has several tabs
- Search menus by keywords

Object definitions: Definitions

Define objects
- Use names instead of IP addresses
- Easy to change and troubleshoot
- Objects can be dragged and dropped easily and quickly (Drag&Drop, DnD)

Network object types
- Host
- DNS Host
- DNS Group
- Network
- Multicast group
- Network group
- Availability Group

Network Interfaces

Set up the device's WAN connection:
- Type: DSL
- Hardware: eth1
- ADSL username/password
- MTU
- Default route

Network Settings - Static Routing

Defines how to reach a given network. 3 types of route:
- Interface route: packets are sent directly to the LAN port. Used with dynamic interfaces (PPP), where the exact gateway is not known.
- Gateway route: packets are sent to a router, whose IP is the next hop.
- Blackhole route: packets are discarded, not routed.

The default route is set under Interface.

Network Services - DNS
- Global: allows requests to be received from the Allowed Networks.
- Forwarders: forward DNS requests to external or internal DNS servers.
- Static Entries: mappings of hostnames to IP addresses.

Network Services - DHCP Server

DHCP in ASG can be used to assign basic network parameters to client hosts. The DHCP service can run on multiple interfaces, with each interface having its own configuration set. Make the following settings:
- Interface: the NIC from which the IP addresses should be assigned to the clients.
- Range start/end: IP range to be used as an address pool on that interface. The range must be inside the network attached to the interface.
- DNS Server 1/2: IP addresses of the DNS servers.
- Default gateway
- Domain name
- Time after which the IP addresses have to be refreshed (lease)
- Choose whether the DHCP server should assign IP addresses only to clients that have an entry on the Static MAC/IP Mappings tab.
- WINS node type: depending on the WINS node type selected, the WINS Server text box appears, where you must enter the IP address of the WINS server. The following WINS node types are available: B-, P-, M-, H-Nodes.
- WINS server: the IP address of the WINS server (depending on the selected WINS node type).

Network Services - DHCP Static Mapping
- A fixed IP can be assigned to a MAC address.
- Use packet filter rules to set the packet filtering policy for the assigned IP.
- Statically assigned IPs should lie outside the range handed out by the DHCP pool, to avoid duplicate IPs.
- View the Lease Table to see the assigned IPs with their start and expiry dates.

Network security policy

Astaro Security Gateway, Part 2

Packet Filter Table

Default view of the packet filter table:
- Edit
- Clone
- Group name
- Order
- Source
- Destination
- Action and Service
- Description (optional)
- Activate/Deactivate

Packet Filter: parameters

The ASG packet filter engine filters by:
- Source IP
- Protocol/Service
- Target IP

Rules are configured using Definitions.

Rules in the table are ordered by priority from top to bottom.

Policies that can be set:
- Allow: permit
- Drop: deny without notification
- Reject: deny and notify that the packet was rejected

Any action has an optional logging setting that records the traffic in the log.
If no rule matches a packet, the packet is denied and logged.
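The rule semantics described above (ordered table, first match wins, Allow/Drop/Reject, deny and log when nothing matches), as an added Python example that is not Astaro code. The definition names, addresses and rules are constructed, and modelling the default deny as a logged drop is an assumption; the example also flags rules that can never fire because an earlier rule already covers them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed named objects, standing in for ASG "Definitions" (names instead of IPs).
DEFS = {"Any": "0.0.0.0/0", "Internal": "192.168.0.0/24", "DMZ-Web": "172.16.65.10/32"}

@dataclass
class Rule:
    source: str        # name of a definition
    service: str       # e.g. "tcp/80", or "any"
    destination: str   # name of a definition
    action: str        # "allow", "drop" or "reject"
    log: bool = False

def _net(name):
    return ipaddress.ip_network(DEFS[name])

def _hit(rule, src, service, dst):
    return (ipaddress.ip_address(src) in _net(rule.source)
            and rule.service in ("any", service)
            and ipaddress.ip_address(dst) in _net(rule.destination))

def evaluate(rules, src, service, dst):
    """Return (action, index of matching rule, logged); the first match from the top wins."""
    for i, rule in enumerate(rules):
        if _hit(rule, src, service, dst):
            return rule.action, i, rule.log
    return "drop", None, True  # assumption: the default deny is a logged drop

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_net(later.source).subnet_of(_net(earlier.source))
                    and _net(later.destination).subnet_of(_net(earlier.destination))
                    and earlier.service in ("any", later.service)):
                out.append(j)
                break
    return out

RULES = [  # constructed rule table, highest priority first
    Rule("Internal", "tcp/80", "Any", "allow"),
    Rule("Any", "tcp/80", "DMZ-Web", "allow", log=True),
    Rule("Internal", "any", "DMZ-Web", "reject", log=True),
    Rule("Internal", "tcp/80", "DMZ-Web", "drop"),  # never reached: rule 0 matches first
]
```

Running `shadowed(RULES)` before deploying a table shows where a deny placed below a broader allow has no effect.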

Packet Filter: other settings
- Rules: where the packet filter rule table is stored.
- ICMP: controls the behaviour of the ICMP protocol.
- Advanced: other options for the IP stack and advanced settings.
- Geographic blocking: based on GeoIP information, packets can be blocked by geographic location or region.

Packet Filter: adding/editing a rule
- Assign to a group name
- Name of the rule
- Move the rule to a position in the rule table
- The sources: IP or Group
- The service: TCP/UDP/IP
- The destinations: IP or Group
- What to do: Action: Allow, Drop or Reject
- When to do: The time
- Log Packets: Yes or No
- Comment: Whatever helps
- Add a new rule
- Edit a rule

Network Address Translation / NAT concepts

Astaro Security Gateway provides 3 different types of NAT:
- Masquerading: enables private IPs to go out to the Internet. Many users share 1 public IP.
- DNAT: forwards traffic arriving from outside to a server inside the internal network.
- SNAT: changes the source IP of a packet. For the case where there are several public IPs: the email server goes out on 1 IP, the web server on another IP.

RFC 1918 IP 172.16.65.0/24; Official IP

prevention system

Astaro Security Gateway

Intrusion prevention setup

- Protected network
- Enable/disable IPS
- View live log

Intrusion prevention setup (continued)
- Enable/disable protection against port scans from the Internet

Administration

Astaro Security Gateway

Checking logs
- View log
- View log in real time
- Delete log
- Search in log
- View logs from earlier periods

View reports
- Day, week, month, year
- Hardware, Network, Web, Mail, Remote

Automatically send periodic reports
- Send the daily report to the administrator

Back up and restore configuration
- Create backup
- Upload backup
- Download backup
- Restore backup
- Automatically back up the configuration daily or weekly

Automatic configuration backup
- Automatically back up the configuration daily or weekly
- Send the backup by email, periodically each week

Firmware update
- Automatically update and install new attack patterns
- Automatically check for new updates
- Click to install when a new update is available

Restore configuration to defaults

Restore the configuration to defaults using the LCD on the hardware:
1. Press Enter.
2. Press the down arrow button twice. The text Factory Reset appears.
3. Press Enter. The LCD shows the text No.
4. Press the down arrow button to agree (Yes).
5. Press Enter; the reset process begins.
6. The device powers off automatically and must be powered on again.

Restore configuration to defaults (continued)
- Restore the default configuration
- Reset password

GUIDE TO CONFIGURING VTP, VLANS, STP ON CISCO SWITCHES

Introduction to the deployment model



VTP CONFIGURATION

Trường ĐHBK TP.HCM - Faculty of Computer Science & Engineering 2008 - Computer Network 2

S1_3750(config)#vtp mode server
Device mode already VTP SERVER.
S1_3750(config)#vtp domain hvhq
Changing VTP domain name from NULL to hvhq
S1_3750(config)#vtp password cisco
Setting device VLAN database password to cisco
S2_3560(config)#vtp mode client
Setting device to VTP CLIENT mode.
S2(config)#vtp domain hvhq
Domain name already set to lab4.
S2_3560(config)#vtp password cisco
Setting device VLAN database password to cisco
S3_3560(config)#vtp mode client
Setting device to VTP CLIENT mode.
S3_3560(config)#vtp domain hvhq
Changing VTP domain name from NULL to lab4
S3_3560(config)#vtp password cisco
Setting device VLAN database password to cisco

Trunk configuration

S1_3750(config)#interface range gi0/1-2
S1_3750(config-if-range)#switchport trunk encap dot1q
S1_3750(config-if-range)#switchport mode trunk
S1_3750(config-if-range)#no shutdown
S1_3750(config-if-range)#end

Cu hn
