Cisco Firewall Internet Configuration Analysis


SPOTO | Posted on: 2019-05-23 | Views: 84 | Category: CCIE Lab

The following covers the problems you will run into when working through the CCIE RS lab exam.

"Cisco firewall" here mainly means the ASA models from the 5512 onward, that is, the 5500-X series. The earlier 5510 series is not covered because it has been discontinued, and there is little point in discussing its configuration. This section gives the most commonly used configuration; a reader of this book who knows nothing about the firewall can still apply it and, in most cases, get the firewall onto the public network. I still hope that everyone, once they have internet access, will download the configuration guide from the Cisco website and work out why each configuration is needed.

The first step is to enable HTTP. This is used so that administrators can manage the firewall remotely through the web interface (ASDM). Everyone is used to the command line, and I am no exception, but Cisco is now pushing the web interface, and some of its functions are genuinely useful. For example, when I configure a VPN I basically do it through the web interface; it may take only a minute, whereas the same configuration by command line may not get done in a day. It also has problems, though: troubleshooting through it is especially complicated, so use the command line and the graphical interface together.

Basic configuration:

Configure the username and password:

username cisco password cisco privilege 15

After the username and password are configured, the following commands are needed before they take effect; they point HTTP, SSH, Telnet and enable authentication at the LOCAL user database:

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL

Configure the HTTP function:

http server enable
username cisco password cisco privilege 15
asdm image disk0:/asdm-713.bin
boot system disk0:/asa911-4-smp-k8.bin
http 0 0 inside
http 0 0 outside

Note that the ASA image (asa911-4-smp-k8.bin) and the ASDM image (asdm-713.bin) should be for the same platform; the releases can differ, but keep them compatible. The two http lines allow ASDM access from any address on inside and on outside; the outside line exposes the management interface to the whole internet, so in production narrow it to the management addresses you actually use. Pay attention to the Java installation on the management PC as well: this ASDM version needs Java 7, and Java is frequently the problem. Everyone runs into this when installing ASDM.

(The screenshot of the ASDM launch error that appeared here is not reproduced.)

The situation above is usually caused by a mismatch between the Java version you installed and the ASDM software version. The only solution is to reinstall Java. There is no rule of thumb I can give beyond this: the newer the ASDM you installed, the newer the Java it needs, and it takes repeated attempts. I often get this wrong myself.

The following is the configuration for SSH and Telnet login. Note that local authentication is mandatory (the aaa authentication ssh console LOCAL line); otherwise there is no way to use SSH.

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
y
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
telnet 0.0.0.0 0.0.0.0 inside
console timeout 0

The "y" answers the prompt to replace any RSA key that already exists. As with HTTP, ssh 0.0.0.0 0.0.0.0 outside permits SSH from every internet address, so narrow it to known management sources in production; a 2048-bit modulus is also preferable to 1024 on software that supports it. Telnet carries credentials in clear text, which is why it is only opened on inside here. console timeout 0 means the console session never times out.

The following configuration lets ICMP traffic through. As everyone knows, by default pinging the public network from inside does not succeed, because the echo reply coming back is dropped, so it has to be permitted. You can also permit ICMP with an ACL, but I prefer the following way, which adds ICMP to the default inspection policy so that the replies to pings from inside are allowed back in:

policy-map global_policy
 class inspection_default
  inspect icmp

The configuration above is common and is the same on every firewall. Now let's look at the interface configuration:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 183.129.X.X 255.255.255.X
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

The above sets the addresses and security levels of the firewall's internal and external interfaces. Everyone knows the security level is the basic means of separating the internal and external networks: by default a higher security level can initiate connections to a lower one, so inside can reach outside, but a lower security level cannot initiate connections to a higher one, so outside cannot reach inside. If access in that direction is needed, you have to permit it explicitly. Note that a router does not have this feature.

object network outstatic
 subnet 0.0.0.0 0.0.0.0
object network inside
 subnet 192.168.0.0 255.255.0.0
nat (inside,outside) source dynamic inside interface
route outside 0.0.0.0 0.0.0.0 183.129.X.X

The above commands are very important, and their meaning is simple: they do port address translation (PAT). As everyone knows, an internal network that does not do address translation cannot get onto the public network. In general an enterprise has only one public address, so you must do PAT before you can reach the public network; here everything in the object inside is translated to the address of the outside interface. Note that subnet 192.168.0.0 255.255.0.0 is deliberately wider than the /24 on the inside interface, so that other internal subnets are covered too. (The object outstatic is defined here but not referenced by the commands shown.) The default route at the end is definitely needed; otherwise there is no way to reach the public network. Its next hop is the gateway the ISP gives you.

Of course, if there is a Layer 3 core switch, you also need a route so the firewall can reach the intranet subnets behind it:

route inside 192.168.0.0 255.255.0.0 192.168.1.2

With the configuration up to this point, the enterprise can get onto the public network; basically 80% of customers are done here. Some customers also need VPN and port mapping, which is configured as follows:

object network tcp21
 host 192.168.1.249
object network tcp53
 host 192.168.1.249
object network udp53
 host 192.168.1.249
object network tcp33789
 host 192.168.40.199
object network tcp36952
 host 192.168.40.199
object network tcp443
 host 192.168.1.5
access-list 101 extended permit tcp any host 192.168.1.249 eq 808
access-list 101 extended permit tcp any host 192.168.1.249 eq 5000
access-list 101 extended permit tcp any host 192.168.1.250 eq 8081
access-list 101 extended permit tcp any host 192.168.1.249 eq ftp
access-list 101 extended permit tcp any host 192.168.1.249 eq domain
access-list 101 extended permit tcp any host 192.168.40.199 eq 36952
access-list 101 extended permit tcp any host 192.168.40.199 eq 33789
!
object network static
 nat (inside,outside) static interface service tcp 808 808
object network static1
 nat (inside,outside) static interface service tcp 5000 5000
object network test
 nat (inside,outside) static interface service tcp 135 135
object network tcp8081
 nat (inside,outside) static interface service tcp 8081 8081
object network tcp21
 nat (inside,outside) static interface service tcp ftp ftp
object network tcp53
 nat (inside,outside) static interface service tcp domain domain
object network udp53
 nat (inside,outside) static interface service udp domain domain
object network tcp33789
 nat (inside,outside) static interface service tcp 33789 33789
object network tcp36952
 nat (inside,outside) static interface service tcp 36952 36952

For the port mappings above, pay attention to the real (internal) address: each object must carry a host line with the server's real address, and the nat line then maps that port on the outside interface address to the same port on the host. The objects static, static1, test and tcp8081 are shown here without a host line, so as written they have nothing to translate. Also, access-list 101 only takes effect once it is applied to the outside interface with access-group (not shown above); on ASA 8.3 and later the ACL is written against the real, untranslated address, which is why it references 192.168.1.249 rather than the public address.
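As an added example (not from the original post and not Cisco's own tooling), here is a small Python audit that reads an ASA running-config written in the style of the blocks above and reports the three things a reviewer would check first: management access (http/ssh/telnet) open to any source on outside, port-mapping objects that carry a nat line but no host or subnet, and access-lists that are defined but never applied with access-group. The sample config is constructed, and the function name audit_asa_config is my own.

```python
# Constructed sample in the style of the post, with deliberate gaps: an
# object with no real address and an ACL that is never bound to an interface.
# Sub-commands are indented by one space, as in "show running-config".
SAMPLE_CONFIG = """\
http server enable
http 0 0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
object network tcp21
 host 192.168.1.249
 nat (inside,outside) static interface service tcp ftp ftp
object network static
 nat (inside,outside) static interface service tcp 808 808
access-list 101 extended permit tcp any host 192.168.1.249 eq ftp
"""
ANY_NET = {("0", "0"), ("0.0.0.0", "0.0.0.0")}  # "any source" in http/ssh/telnet

def audit_asa_config(text):
    """Return findings: management open to the internet, NAT objects
    lacking a real address, and access-lists never applied."""
    findings, objects, current = [], {}, None
    acls, applied = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if not raw.startswith(" "):
            current = None  # unindented line: back at the top level
        # Management plane: http|ssh|telnet <source> <mask> <interface>
        if words[0] in ("http", "ssh", "telnet") and len(words) == 4:
            if tuple(words[1:3]) in ANY_NET and words[3] == "outside":
                findings.append(f"{words[0]}: open to any source on outside")
        elif words[:2] == ["object", "network"]:
            current = words[2]
            objects[current] = {"addr": False, "nat": False}
        elif current and words[0] in ("host", "subnet", "range"):
            objects[current]["addr"] = True
        elif current and words[0] == "nat":
            objects[current]["nat"] = True
        elif words[0] == "access-list":
            acls.add(words[1])
        elif words[0] == "access-group":
            applied.add(words[1])
    for name, st in objects.items():
        if st["nat"] and not st["addr"]:
            findings.append(f"object network {name}: nat but no host/subnet")
    for acl in sorted(acls - applied):
        findings.append(f"access-list {acl}: defined but never applied")
    return findings
```

Run audit_asa_config on the text of "show running-config"; an empty list means none of the three checks fired.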

 

 
