The Cisco Security exam blueprint needs no introduction, but personally I find the hardest part is memorizing the commands, especially the ones you do need in production but always end up looking up in the documentation; for the exam it is best to know them by heart. This post is my own summary so I don't have to keep digging through the docs and Google.
1. ASA HA (wrote this out from memory five times...)
Primary unit:
failover
failover lan unit primary
failover lan interface FAILOVER gi0/2
failover link STATEFUL gi0/3
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATEFUL 2.2.2.1 255.255.255.252 standby 2.2.2.2
Secondary unit:
failover
failover lan unit secondary
failover lan interface FAILOVER gi0/2
failover link STATEFUL gi0/3
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATEFUL 2.2.2.1 255.255.255.252 standby 2.2.2.2
I won't include verification commands such as show failover state / show failover, but do remember to check the monitored interfaces (monitor interface).
Use prompt hostname state so the prompt shows whether the unit is active or standby.
One ASA characteristic: an interface only passes traffic once nameif and security-level are configured. For example, if you configure only the interface IP without nameif and security-level, you cannot even ping it.
I wanted to practice multiple context mode, but ASAv doesn't support it (which is easy enough to understand: why would a virtual machine need to support virtual firewalls when you can just spin up another VM?). Either way, I'll copy the commands out once more to reinforce them, without comments, since I have already deployed this on projects.
ASA1:
mode multiple
Interface section:
interface Gi0/1
 no shut
interface Gi0/2
 no shut
interface Gi0/1.10
 vlan 10
interface Gi0/1.20
 vlan 20
interface Gi0/2.30
 vlan 30
interface Gi0/2.40
 vlan 40
context C1
 allocate-interface GigabitEthernet0/1.10
 allocate-interface GigabitEthernet0/2.30
 config-url disk0:/c1.cfg
context C2
 allocate-interface GigabitEthernet0/1.20
 allocate-interface GigabitEthernet0/2.40
 config-url disk0:/c2.cfg
HA section:
failover
failover lan unit primary
failover lan interface FAILOVER gi0/6
failover link STATEFUL gi0/7
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATEFUL 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
context C1
 join-failover-group 1
context C2
 join-failover-group 2
ASA2:
mode multiple
Interface configuration:
interface Gi0/1
 no shut
interface Gi0/2
 no shut
interface gi0/1.10
 vlan 10
interface gi0/1.20
 vlan 20
interface gi0/2.30
 vlan 30
interface gi0/2.40
 vlan 40
context C1
 allocate-interface GigabitEthernet0/1.10
 allocate-interface GigabitEthernet0/2.30
 config-url disk0:/c1.cfg
context C2
 allocate-interface GigabitEthernet0/1.20
 allocate-interface GigabitEthernet0/2.40
 config-url disk0:/c2.cfg
HA section:
failover
failover lan unit secondary
failover lan interface FAILOVER gi0/6
failover link STATEFUL gi0/7
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATEFUL 2.2.2.1 255.255.255.252 standby 2.2.2.2
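The failover bootstrap block above and the multi-context block are exactly the kind of thing that picks up slips when typed from memory: a standby address equal to the active one, a context allocating a subinterface the system space never defined, or a join-failover-group that points at a group that was never created. The lint script below catches those three cases; it is an added example, not part of the original notes or any Cisco tool, and the sample configuration is a constructed, abbreviated one in the style of the blocks above (interface and context names are the hypothetical ones used in the notes).

```python
import re

# Constructed, abbreviated system-space config in the style of the notes above,
# seeded with two slips that are easy to make when typing from memory.
SAMPLE_CONFIG = """\
mode multiple
interface GigabitEthernet0/1.10
interface GigabitEthernet0/1.20
interface GigabitEthernet0/2.30
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFUL GigabitEthernet0/7
failover interface ip FAILOVER 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip STATEFUL 2.2.2.2 255.255.255.252 standby 2.2.2.2
failover group 1
 primary
 preempt
context C1
 allocate-interface GigabitEthernet0/1.10
 allocate-interface GigabitEthernet0/2.30
 join-failover-group 1
context C2
 allocate-interface GigabitEthernet0/1.20
 allocate-interface GigabitEthernet0/2.40
 join-failover-group 2
"""

def lint_failover_config(config: str):
    """Return human-readable findings for failover / multi-context bootstrap slips."""
    findings = []
    defined_ifaces = set(re.findall(r"^interface (\S+)", config, re.M))
    groups = set(re.findall(r"^failover group (\d+)", config, re.M))
    # The active and standby addresses of a failover link must differ.
    for name, active, standby in re.findall(
            r"^failover interface ip (\S+) (\S+) \S+ standby (\S+)", config, re.M):
        if active == standby:
            findings.append(f"{name}: standby address {standby} equals active address")
    # Every allocated interface and joined failover group must exist in system space.
    context = None
    for line in config.splitlines():
        if m := re.match(r"context (\S+)", line):
            context = m.group(1)
        elif m := re.match(r"\s+allocate-interface (\S+)", line):
            if m.group(1) not in defined_ifaces:
                findings.append(f"context {context}: {m.group(1)} is not defined")
        elif m := re.match(r"\s+join-failover-group (\d+)", line):
            if m.group(1) not in groups:
                findings.append(f"context {context}: failover group {m.group(1)} is not defined")
    return findings
```

Run it over the text of show running-config from the system execution space; an empty list means the bootstrap lines are at least self-consistent.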
2. ASA NAT
First, an ASA characteristic. We know that because of security levels, traffic from a higher security level to a lower one is permitted by default, while traffic from a lower level to a higher one is blocked by default. But once you configure an ACL on an interface, the security levels are effectively void. Honestly, in production security-level isn't much use at all... Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html
Back to NAT: there are simply too many NAT commands, and on projects I usually configure it through ASDM anyway. Keeping this document to revisit later: https://www.practicalnetworking.net/stand-alone/cisco-asa-nat/
3. FTD interfaces and routing
To save trouble, I just used OSPF to connect all 5 CSRs and the FTD; I'll only paste screenshots here. After all, FTD's OSPF configuration can be understood and done in 5 minutes.
You can enter the FTD console to check the OSPF neighbor and interface status.
Since FTD is built on top of ASA, many of the ASA commands we are familiar with still work there.
The next post will cover DM××× using certificate authentication.