Firepower 2130/4110 configuration explained

Switching between the Firepower 4110 chassis (FXOS) and the ASA
PFR-4110-A# 
PFR-4110-A# connect module 1 console    enter the console of security module 1 (prompt Firepower-module1>)
Firepower-module1> connect asa          enter the ASA CLI running on that module
ciscoASA# 

Switching between the Firepower 2130 chassis (FXOS) and the ASA
PFR-2130-A# 
PFR-2130-A# connect asa    enter the ASA CLI (the 2100 series has no separate module console, FXOS connects to the ASA directly)
ciscoASA# 

To leave the ASA CLI and return to the FXOS/module console, press Ctrl+A, then D.

From the Firepower-module1> prompt, type ~ (or press the Insert key) to reach the telnet> prompt, then quit to return to the chassis:
Firepower-module1> 
telnet> quit
Connection closed.
PFR-4110-A# 

Port-channel (EtherChannel) and load-balancing configuration:

interface GigabitEthernet1/7
description TO_F2N1C03-WAN-01_G1/27
channel-group 1 mode active
no shutdown

interface GigabitEthernet1/8
description TO_F2N1C03-WAN-02_G1/27
channel-group 1 mode active
no shutdown

interface port-channel 1
lacp max-bundle 8
port-channel load-balance vlan-src-dst-ip-port
nameif inside
security-level 100
ip address 11.190.62.1 255.255.255.240 standby 11.190.62.2
no shutdown


ASA active/standby failover configuration:

interface GigabitEthernet1/1
description TO_DD-F2N1C03-WAN-BLFW-01_G1/1
channel-group 3 mode active
no shutdown

interface GigabitEthernet1/2
description TO_DD-F2N1C03-WAN-BLFW-01_G1/2
channel-group 3 mode active
no shutdown

interface port-channel 3.1
description FO Interface
vlan 1
no shutdown

interface port-channel 3.2
description SA Interface
vlan 2
no shutdown

failover lan unit primary
failover lan interface FO port-channel3.1
failover interface ip FO 55.0.0.5 255.255.255.252 standby 55.0.0.6
failover link SA port-channel3.2
failover interface ip SA 55.0.0.9 255.255.255.252 standby 55.0.0.10
failover key bankofdl
failover
Enter the bare `failover` command (which enables failover) last, after the failover link (FO), the stateful link (SA) and the key have been defined. The secondary unit needs the same bootstrap commands with `failover lan unit secondary`; the failover key must be identical on both units, otherwise the failover link will not come up.

Note: apart from that failover bootstrap, configure only the active (primary) unit; its running configuration is replicated to the standby unit. `write memory` entered on the active unit is replicated as well, so the standby saves its startup-config at the same time. To be safe, wait until `show failover` reports the standby as synchronised and then issue `write memory` on the active unit so that both startup configurations are saved.

Verification commands:
show failover state    // active/standby state of both units
show failover          // full failover status, including link and interface monitoring

Adding policy on the ASA
Policy example one:
object-group network ECC_PC
 network-object 10.190.172.0 255.255.255.0
object-group network old_TA_BLJ
 network-object host 188.188.8.240
object-group service oldtabljTCP tcp
 port-object eq ssh
 port-object eq 3389
 port-object eq 10050
 port-object eq 10000
 port-object eq 3306
 port-object eq https
access-list in-out extended permit tcp object-group ECC_PC object-group old_TA_BLJ object-group oldtabljTCP
Note: the three object-groups in the access-list have the following meaning, in this order:
object-group     network object-group for the source address
object-group     network object-group for the destination address
object-group     optional service object-group for the destination port

Policy example two:
object-group network ECC_PC
 network-object 10.190.172.0 255.255.252.0
object-group network GDSJ
 network-object host 192.168.0.195
access-list in-out extended permit tcp object-group ECC_PC object-group GDSJ eq 7080
Note: `network-object host` takes a single address. A /22 such as 10.190.172.0/22 is entered as an address followed by its netmask (255.255.252.0); `network-object host 10.190.172.0/22` is not valid.
Note: the destination port can be matched with the following operators:
eq               port equal to
gt               port greater than
lt               port less than
neq              port not equal to
range            port within an inclusive range (for example range 10000 10050)
`inactive` (disable this ACE without removing it) and `log` (log matches on this ACE) are ACE keywords that follow the port match, not port operators.

Applying the ACL to an interface

access-group in-out in interface inside     apply access-list in-out to traffic entering the inside interface (inside towards the other zones)
access-group out-in in interface outside    apply access-list out-in to traffic entering the outside interface (outside towards inside)
Note: `in` is the direction, inbound to the interface; the ACL filters traffic arriving on that interface, not traffic leaving it. Each interface takes at most one ACL per direction, and an unmatched packet hits the implicit deny at the end of the list.
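As an added example (not code from the original post), the following Python script flattens the two policy examples above, resolving object-groups and the port operators into the concrete entries the ASA evaluates, and then checks a flow against them with the ASA's first-match, implicit-deny semantics. The configuration text inside it is constructed from the page's examples (the service group is trimmed to three ports and a final `deny ip any any log` line is added); function and variable names are this example's own, not an ASA API.

```python
"""Flatten an ASA access-list that references object-groups into the entries the
firewall evaluates, then test a flow against them with first-match, implicit-deny
semantics. Added example, not code from the page; SAMPLE_CONFIG is constructed
from the page's policy examples (service group trimmed, final deny line added)."""
import ipaddress

ASA_PORT_NAMES = {"ssh": 22, "https": 443, "http": 80, "telnet": 23}  # names ASA uses for ports
ANY_PORT = (0, 65535)
SAMPLE_CONFIG = """
object-group network ECC_PC
 network-object 10.190.172.0 255.255.255.0
object-group network old_TA_BLJ
 network-object host 188.188.8.240
object-group service oldtabljTCP tcp
 port-object eq ssh
 port-object eq 3389
 port-object eq https
object-group network GDSJ
 network-object host 192.168.0.195
access-list in-out extended permit tcp object-group ECC_PC object-group old_TA_BLJ object-group oldtabljTCP
access-list in-out extended permit tcp object-group ECC_PC object-group GDSJ eq 7080
access-list in-out extended deny ip any any log
"""

def port(tok):
    # A port token is either a name the ASA prints (ssh) or a number (3389).
    return ASA_PORT_NAMES[tok] if tok in ASA_PORT_NAMES else int(tok)

def parse_groups(text):
    """Network groups -> list of ip_network; service groups -> list of (lo, hi)."""
    nets, svcs, cur = {}, {}, None
    for raw in text.splitlines():
        toks = raw.split()
        if toks[:2] == ["object-group", "network"]:
            cur = nets.setdefault(toks[2], [])
        elif toks[:2] == ["object-group", "service"]:
            cur = svcs.setdefault(toks[2], [])
        elif cur is None or not toks:
            continue
        elif toks[:2] == ["network-object", "host"]:
            cur.append(ipaddress.ip_network(toks[2]))                   # one host -> /32
        elif toks[0] == "network-object":
            cur.append(ipaddress.ip_network(f"{toks[1]}/{toks[2]}"))   # address + netmask
        elif toks[:2] == ["port-object", "eq"]:
            cur.append((port(toks[2]), port(toks[2])))
        else:
            cur = None  # any other line (e.g. an access-list) ends the group body
    return nets, svcs

def parse_addr(toks, i, nets):
    """Address spec at toks[i]: any | host A | object-group G | A MASK."""
    t = toks[i]
    if t in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(toks[i + 1])], i + 2
    if t == "object-group":
        return nets[toks[i + 1]], i + 2
    return [ipaddress.ip_network(f"{t}/{toks[i + 1]}")], i + 2

def parse_ports(toks, i, svcs):
    """Optional destination-port spec (eq/gt/lt/neq/range or a service
    object-group); no operator means every port."""
    t = toks[i] if i < len(toks) else None
    if t == "object-group":
        return svcs[toks[i + 1]], i + 2
    if t in ("eq", "gt", "lt", "neq"):
        p = port(toks[i + 1])
        return {"eq": [(p, p)], "gt": [(p + 1, 65535)], "lt": [(0, p - 1)],
                "neq": [(0, p - 1), (p + 1, 65535)]}[t], i + 2
    if t == "range":
        return [(port(toks[i + 1]), port(toks[i + 2]))], i + 3
    return [ANY_PORT], i  # no operator, or only keywords such as log / inactive

def expand_acl(text, name):
    """(action, proto, src, dst, lo, hi, logged) for each active ACE of `name`, in order."""
    nets, svcs = parse_groups(text)
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = toks[3], toks[4]
        srcs, i = parse_addr(toks, 5, nets)
        dsts, i = parse_addr(toks, i, nets)
        ports, i = parse_ports(toks, i, svcs)
        keywords = set(toks[i:])
        if "inactive" in keywords:  # disabled ACE: kept in the config, never evaluated
            continue
        for s in srcs:
            for d in dsts:
                for lo, hi in ports:
                    entries.append((action, proto, str(s), str(d), lo, hi, "log" in keywords))
    return entries

def first_match(entries, proto, src_ip, dst_ip, dport):
    """ASA order of evaluation: the first matching entry wins; no match is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, eproto, s, d, lo, hi, _ in entries:
        if eproto in ("ip", proto) and src in ipaddress.ip_network(s) \
                and dst in ipaddress.ip_network(d) and lo <= dport <= hi:
            return action
    return "deny"  # the implicit deny at the end of every ASA access-list
```

`expand_acl(SAMPLE_CONFIG, "in-out")` yields five entries (three from the service group, one for port 7080, one for the explicit deny); `first_match(acl, "tcp", "10.190.172.5", "188.188.8.240", 3389)` returns `permit`, while the same flow on port 3306 (not in the trimmed group) or from 10.190.173.5 (outside the /24) falls through to the deny. Pasting a `show running-config object-group` / `show running-config access-list` dump into the script is a quick way to answer "what does this ACL actually allow" before it is applied with `access-group`.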

SSH configuration

Management interface:
interface Management1/1
 management-only
 nameif management
 security-level 0
 ip address 10.254.202.51 255.255.255.0 standby 10.254.202.52 


ciscoasa(config)# crypto key generate rsa modulus 2048    // generate the RSA host key. A larger modulus takes longer to generate; 1024-bit keys (the old default) are no longer adequate, use at least 2048.

ciscoasa(config)# ssh 10.254.202.0 255.255.255.0 management    // hosts allowed to open SSH to the management interface. `ssh 0.0.0.0 0.0.0.0 management` would admit any source address; restrict it to the admin network or specific hosts. The interface name can also be inside or outside to allow SSH from those zones.

ciscoasa(config)# ssh timeout 30    // idle timeout, in minutes
ciscoasa(config)# ssh version 2     // SSH protocol version 1 has known weaknesses; allow only version 2
        
Local user authentication:
username localadmin password cisco privilege 15    // replace "cisco" with a strong password before the device goes into service
aaa authentication ssh console LOCAL

Connecting from an SSH client, for example an IOS router:
outside#ssh -l admin ?
  -c    Select encryption algorithm
  -m    Select HMAC algorithm
  -o    Specify options
  -p    Connect to this port
  -v    Specify SSH Protocol Version
  WORD  IP address or hostname of a remote system

outside#ssh -l admin 20.1.1.1
Password:

Verification commands
show ssh                           // SSH settings: allowed hosts, timeout, version
show crypto key mypubkey rsa       // the generated RSA public key

SNMP and syslog configuration

snmp-server host management 10.254.160.32 community DLBankSNMP version 2c
snmp-server enable traps all
logging host management 10.254.160.32
logging trap warnings
logging device-id hostname
logging enable
logging timestamp
Note: with SNMPv2c the community string is the only credential and it travels in cleartext, so keep the SNMP host on the management network and prefer SNMPv3 with authentication and privacy where the monitoring system supports it. `logging trap warnings` sends messages of severity 0 to 4 to the collector; `logging device-id hostname` and `logging timestamp` keep the messages attributable when several firewalls log to the same host.
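As an added example (not from the original post or from Cisco), here is a small Python lint over the SSH, AAA, SNMP, syslog and failover commands this page uses. PAGE_CONFIG repeats the page's commands as originally written and is expected to produce the findings discussed above (SSH version 1, SSH open to any source, an unspecified or 1024-bit RSA modulus, the password `cisco`, SNMPv2c); HARDENED_CONFIG is a constructed corrected version in which the SNMPv3 group, user and passwords are made-up placeholders. The rule identifiers are this example's own.

```python
"""Lint the management-plane settings this page configures (SSH, local AAA,
SNMP, syslog, failover) for weak choices. Added example, not code from the page
or from Cisco; PAGE_CONFIG repeats the page's commands, HARDENED_CONFIG is a
constructed corrected version (SNMPv3 group/user/passwords are placeholders)."""
import re

WEAK_PASSWORDS = {"cisco", "password", "admin", "123456", "default"}

PAGE_CONFIG = """
crypto key generate rsa
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 30
ssh version 1
username localadmin password cisco privilege 15
aaa authentication SSH console LOCAL
snmp-server host management 10.254.160.32 community DLBankSNMP version 2c
snmp-server enable traps all
logging host management 10.254.160.32
logging trap warnings
logging enable
failover
failover key bankofdl
"""

HARDENED_CONFIG = """
crypto key generate rsa modulus 2048
ssh 10.254.202.0 255.255.255.0 management
ssh timeout 10
ssh version 2
username localadmin password Xq7!vR2#mL9pZ privilege 15
aaa authentication ssh console LOCAL
snmp-server group MON-GROUP v3 priv
snmp-server user monitor MON-GROUP v3 auth sha Auth-Pass-Placeholder priv aes 128 Priv-Pass-Placeholder
snmp-server host management 10.254.160.32 version 3 monitor
logging host management 10.254.160.32
logging trap warnings
logging enable
failover
failover key bankofdl
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"

def lint_asa(text):
    """Return (rule_id, offending_line) findings; an empty list means nothing flagged."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    for line in lines:
        low = line.lower()
        if re.match(r"ssh version 1\b", low):
            findings.append(("ssh-v1-enabled", line))            # SSHv1 is broken; require version 2
        m = re.match(rf"ssh ({IPV4}) ({IPV4}) \S+$", low)
        if m and m.group(2) == "0.0.0.0":
            findings.append(("ssh-open-to-any-source", line))    # mask 0.0.0.0 admits every source
        m = re.match(r"crypto key generate rsa(?: modulus (\d+))?$", low)
        if m and int(m.group(1) or 0) < 2048:
            findings.append(("rsa-modulus-below-2048", line))    # no explicit modulus is flagged too
        m = re.match(r"username \S+ password (\S+)", line)
        if m and m.group(1).lower() in WEAK_PASSWORDS:
            findings.append(("weak-local-password", line))
        if re.match(r"snmp-server host .* version (1|2c)\b", low):
            findings.append(("snmp-cleartext-community", line))  # v1/v2c community string in cleartext
    has = lambda prefix: any(ln.lower().startswith(prefix) for ln in lines)
    if has("ssh ") and not has("aaa authentication ssh console"):
        findings.append(("ssh-without-aaa", "aaa authentication ssh console LOCAL missing"))
    if "failover" in lines and not has("failover key"):
        findings.append(("failover-link-unauthenticated", "failover key missing"))
    if has("logging host") and "logging enable" not in lines:
        findings.append(("logging-host-but-not-enabled", "logging enable missing"))
    return findings
```

`lint_asa(PAGE_CONFIG)` returns five findings in line order, `lint_asa(HARDENED_CONFIG)` returns none. The whole-config checks at the end catch the cases where a single line looks fine on its own: SSH enabled without an AAA method (the ASA then falls back to the default password), failover enabled without a key on the failover link, and a syslog host defined while logging is still disabled.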


Reposted from blog.csdn.net/qq_22193519/article/details/83186594