Cisco Firewall Internet Configuration Analysis

The following are all the problems you will encounter when working through CCIE RS LAB EXAM.

Cisco's firewall mainly refers to the firewall after 5512. The previous 5510 series basically do not explain because the production is discontinued. Let's talk about the configuration is not meaningful. There mainly refers to the 5500X series firewall. Here mainly to give some of the most commonly used configurations, the reader of this book knows nothing about the firewall but these configurations can be configured on the public network, basically solve the problem. Of course, I still hope that everyone can in the case of the public network go to the Cisco website to download the configuration manual and want to understand why this configuration.

The first is to open the HTTP function. This function is mainly used to remotely or allow administrators to manage the firewall in the form of WEB. Everyone is accustomed to the order. I am not exception but now Cisco is pushing the WEB way. In fact, this WEB has some functions that are particularly useful. For example, if I configure VPN, it is basically a configuration with WEB. It may take only one minute. The configuration is successful but the difference of the ability to pass the command may not be configured in one day. However, it also has problems. For example, when troubleshooting, it is especially complicated. You should use the command and graphics interface together.

Basic configuration:

Configure the user password: username cisco password cisco privilege 15 . After the username and password are configured, you need to call the following command to take effect.

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

Configure HTTP function:

http server enable

username cisco password cisco privilege 15 

asdm image disk0:/asdm-713.bin boot system

disk0:/asa911-4-smp-k8.bin http 0 0 inside

http 0 0 outside

Note that the IOS version here should be the same platform as ASDM. Of course, it can be different. Pay attention to the software to install JAVE here. This software version is JAVE7. This JAVE is often problematic. • Everyone will often encounter this when they install ASDM.

Happening:

The above situation may be the reason why the JAVE installed by you and the software version of ASDM are different. The solution can only be to reinstall JAVE. This has no experience to say that can only say that the newer version of the software you installed. The corresponding JAVE is also newer, this also requires repeated attempts. I often make mistakes on this.

The following is the configuration of SSH Telnet login, you should pay attention to mandatory local authentication, otherwise your SSH is no way to use.

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

crypto key generate rsa modulus 1024

y

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 30

ssh version 2

telnet 0.0.0.0 0.0.0.0 inside

console timeout 0

The following configuration is to release ICMP traffic, we all know that the default is not PING public network, you must release it. You can also write ICMP ACL release but I like to use the following way to release.

policy-map global_policy

class inspection_default inspect icmp

The above configuration is common and the configuration is the same on each firewall. Let's look at the configuration of the interface:

interface GigabitEthernet0/0

 nameif outside

 security-level 0

ip address 183.129.X.X 255.255.255.X

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

The above configuration is the internal and external interface address and security level of the firewall. Everyone knows that the security level is the basic means of separating the internal and external networks. That is the default high security level can access the external network but the low security level cannot access the internal network inside. It can access outside.It is feasible and vice versa. If you need to visit, you need to clear it. Note that the router does not have this feature.

object network outstatic

subnet 0.0.0.0 0.0.0.0

object network inside

subnet 192.168.0.0 255.255.0.0

nat (inside,outside) source dynamic inside interface

route outside 0.0.0.0 0.0.0.0 183.129.X.X

The above commands are very important and the meaning is very simple. That is to do port address translation. We all know that the internal network does not do address translation is not on the public network. In general, the enterprise has only one public network address so you must do port conversion before you can go to the public network. Note that the above subnet 192.168.0.0 255.255.0.0 is to enlarge it. The last default route is definitely needed, otherwise there is no way to go to the public network. The address is the gateway that the operator gives you.

Of course, if there is a three-layer core exchange, you need a command to open communication with the intranet route inside 192.168.0.0 255.255.0.0 192.168.1.2

Well, in the general case configuration here, the enterprise can go to the public network basically 80% of the customers here are configured successfully. Some customers need to configure VPN and port mapping, here are configured as follows:

object network tcp21

host 192.168.1.249

object network tcp53

host 192.168.1.249

object network udp53

host 192.168.1.249

object network tcp33789

host 192.168.40.199

object network tcp36952

host 192.168.40.199

object network tcp443

host 192.168.1.5

access-list 101 extended permit tcp any host 192.168.1.249 eq 808

access-list 101 extended permit tcp any host 192.168.1.249 eq 5000

access-list 101 extended permit tcp any host 192.168.1.250 eq 8081

access-list 101 extended permit tcp any host 192.168.1.249 eq ftp

access-list 101 extended permit tcp any host 192.168.1.249 eq domain

access-list 101 extended permit tcp any host 192.168.40.199 eq 36952

access-list 101 extended permit tcp any host 192.168.40.199 eq 33789

!

object network static

nat (inside,outside) static interface service tcp 808 808

object network static1

nat (inside,outside) static interface service tcp 5000 5000

object network test

nat (inside,outside) static interface service tcp 135 135

object network tcp8081

nat (inside,outside) static interface service tcp 8081 8081

object network tcp21

nat (inside,outside) static interface service tcp ftp ftp

object network tcp53

nat (inside,outside) static interface service tcp domain domain

object network udp53

nat (inside,outside) static interface service udp domain domain

object network tcp33789

nat (inside,outside) static interface service tcp 33789 33789

object network tcp36952

nat (inside,outside) static interface service tcp 36952 36952

The port mapping of the above configuration pays attention to the real address.