ASA
Cisco PIX 525
PIX-525
Processor: 600 MHz Pentium III
Memory: 128 MB SDRAM
Ethernet: 6 configurable
Token Ring: 4 configurable
FDDI: 2 configurable
Ethernet/TR: 6 total
Flash: 16 MB
Connections: 256,000+
VPN tunnels: 2000
Cisco PIX 535
PIX-535
Processor: 1 GHz Pentium III
Memory: 512 MB SDRAM
Ethernet: 4/6 configurable
Flash: 16 MB
Connections: 500,000
VPN tunnels: 2000
PIX Firewall Models
[Figure: PIX firewall models 501, 506e, 515e, 525 and 535, with front-panel labels: Status, Flash, Power, Active and VPN LEDs; Compact Flash; Security Service Module (SSM); Monitoring Port; 10/100 Out-of-Band Management Port; Console Port]
Failover
[Figure: failover pair protecting an FTP server; the active unit is labelled "failover active"]
− Minimizes single point of failure
− Maximizes reliability of network
− Transparent to users behind firewall
− Failover units must be the identical model of PIX/ASA
Context Firewall
• Cisco feature for the Cisco 5500 Series Adaptive Security Appliance with
software version 7.2 and later.
− Note: The multiple context feature is not supported on the ASA 5505
Series Adaptive Security Appliance. The ASA 5510 supports a maximum of 5
contexts even if an additional 4-port Ethernet (4Eth) card is added.
• Partitions a single device into multiple virtual devices. Each context is an
independent device with its own configuration.
• Each context supports its own routing table, firewall features, IPS and so on,
as a standalone device would.
• Multiple context mode does not support the following features:
− Dynamic routing protocols (security contexts support only static routes;
you cannot enable OSPF or RIP in multiple context mode).
− VPN
− Multicast
• System administrator rights are required when a user logs into the admin
context.
• The admin context is not counted in the context license. For example, with
the default license you are allowed one admin context and two other
contexts.
− So a new ASA 5500 bought with the default license can run three firewall
contexts.
[Figure: topology with E0 (outside) towards the Internet, E1 (inside) towards the internal LAN, and E2 towards the DMZ 172.16.30.0/27]
Basic Configuration – Interface
interface Ethernet0
 description "Outside Interface - Conn to Internet Router"
 nameif outside
 security-level 0
 ip address 200.200.200.1 255.255.255.252
!
interface Ethernet1
 description "Inside Interface - Conn to Core Switch"
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet2
 description "DMZ Interface towards DMZ1 servers"
 nameif DMZ
 security-level 50
 ip address 172.16.30.1 255.255.255.224
!
Basic Configuration - DNS
• dns domain-lookup outside
• dns server-group DefaultDNS
− name-server 3.3.3.3
− name-server 4.4.4.4
− domain-name xyz.net
Basic Configuration - Time
• clock timezone IST 5 30
• ntp server 1.1.1.1
• ntp server 2.2.2.2
Basic Configuration - Logging
• logging enable
• logging timestamp
• logging monitor informational
• logging buffered informational
• logging trap informational
• logging asdm informational
• logging host <interface> <syslogger IP>
• Example: logging host inside 10.10.10.1
Basic Configuration - SNMP
• snmp-server host <interface> 6.6.6.6 poll community "snmp-rostring"
• snmp-server host <interface> 7.7.7.7 poll community "snmp-rostring"
• snmp-server location "<location>"
• snmp-server contact "XYZ,Phone +91 123456789"
NAT
! identity NAT: inside hosts keep their own addresses when reaching the DMZ
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
! publish the DMZ server 172.16.30.10 on the outside as 200.200.200.5
static (dmz,outside) 200.200.200.5 172.16.30.10 netmask 255.255.255.255
Commands
• show ip address
• show int ip brief
• show failover
• show interface
• object-group
• names
IPSEC - Recap
IKE Phase 1 Parameters
IKE encryption algorithm (DES, 3DES, or AES)
IKE authentication algorithm (MD5 or SHA-1)
IKE peer authentication method (pre-shared key or RSA signatures)
Diffie-Hellman version (1, 2, or 5)
IKE tunnel lifetime (time and/or byte count)
crypto isakmp policy 1
    Creates a new ISAKMP policy; the number here usually doesn't matter.
authentication pre-share
    Sets the authentication type to a pre-shared key between IPsec peers.
group 2
    Sets the policy to use Diffie-Hellman group 2 type (768 bit key).
crypto isakmp key test123 address 100.100.100.100
    Sets the pre-shared key for a specific IPsec peer.
crypto map VPN-Map-1 10 ipsec-isakmp
    Creates an IPsec crypto map. You can have multiple tunnels per interface by
    incrementing the "10" on the next map entry with the same name "VPN-Map-1".
permit udp host 100.100.100.100 any eq isakmp
    Permits IPsec IKE setup (UDP 500) from the peer.
permit esp host 100.100.100.100 any
    Permits the IPsec ESP payload from the peer.
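An added audit script, not from the slides, that parses crypto isakmp policy blocks like the one above and flags the weak phase 1 choices from the parameter list (DES, MD5, DH groups 1 and 2) plus a wildcard pre-shared key. The config text is constructed for the example; policy 10 and the wildcard key line are hypothetical additions to exercise the checks.

```python
import re

# Constructed sample modelled on the slide's isakmp lines; not a real device dump.
# Policy 10 and the wildcard key line are hypothetical, added to exercise the checks.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
crypto isakmp key test123 address 100.100.100.100
crypto isakmp key anyone address 0.0.0.0 netmask 0.0.0.0
"""

WEAK_ENCRYPTION = {"des"}      # 56-bit key
WEAK_HASH = {"md5"}            # collision-broken; prefer SHA
WEAK_DH_GROUPS = {"1", "2"}    # 768-bit and 1024-bit MODP moduli


def parse_isakmp_policies(config):
    """Map policy number -> {parameter: value} from 'crypto isakmp policy' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        elif line.strip():
            current = None  # any other top-level command ends the block
    return policies


def audit_isakmp(config):
    """Return (policy, finding) pairs; policies are checked in priority order."""
    findings = []
    for num, p in sorted(parse_isakmp_policies(config).items(), key=lambda kv: int(kv[0])):
        for param, weak in (("encryption", WEAK_ENCRYPTION), ("hash", WEAK_HASH), ("group", WEAK_DH_GROUPS)):
            if param not in p:
                findings.append((num, f"{param} not set; device default applies"))
            elif p[param] in weak:
                findings.append((num, f"weak {param} {p[param]}"))
    if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0", config, re.M):
        findings.append(("global", "wildcard pre-shared key accepted from any peer"))
    return findings
```

Run it against a saved show running-config to get the list of policies that still negotiate DES, MD5 or small DH groups before touching the live box.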