SecureMe has an office in Chicago that provides firewall services to two small businesses, Bears and Cubs. Bears and Cubs each have their own security policy to implement, but the Chicago security appliance has only two data interfaces, so virtual firewalls (security contexts) are used. In addition, to conserve public address space on the outside interfaces, the administrator uses a subnet mask of 255.255.255.248 (note that the context configurations below actually use 255.255.255.224). The security requirements of SecureMe, Cubs and Bears are as follows:

SecureMe's security requirements:

1. Allow the network 172.18.82.0/24 to initiate SSH sessions, authenticated against the AAA server at 172.18.82.101.

2. Store all log messages generated by the system on the syslog server at 172.18.82.100.

Bears' security requirements:

1. Allow only hosts in subnet 192.168.10.0/24 to reach host 198.133.219.25 (www.cisco.com) over HTTP; deny all other traffic.

2. Use interface PAT to translate the source IP addresses to 209.165.200.225.

3. Block and log all traffic inbound on the outside interface.

Cubs' security requirements:

1. All hosts in 192.168.20.0/24 should be able to access the Internet.

2. Use PAT to translate their source IP addresses to 209.165.201.10.

3. Allow HTTP clients on the Internet to reach Cubs' web server (192.168.21.10) on the DMZ network; the server is presented to the Internet as 209.165.201.11 (the mapped address used by the static translation in the Cubs context below).

4. Block and log all other traffic inbound on the outside interface.

System Execution Space

Chicago# show run

ASA Version 8.2(1) <system>
!
hostname Chicago
!Main GigabitEthernet0/0 interface
interface GigabitEthernet0/0
!Sub-interface assigned to the Bears context as the outside interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/0.100
 description Bears outside interface
 vlan 100
!Sub-interface assigned to the Cubs context as the outside interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/0.200
 description Cubs outside interface
 vlan 200
!Sub-interface assigned to the Cubs context as the dmz interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/0.210
 description Cubs dmz interface
 vlan 210
!Main GigabitEthernet0/1 interface
interface GigabitEthernet0/1
!Sub-interface assigned to the Bears context as the inside interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/1.101
 description Bears inside interface
 vlan 101
!Sub-interface assigned to the Cubs context as the inside interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/1.201
 description Cubs inside interface
 vlan 201
!Main Management0/0 interface
interface Management0/0
!The context named "admin" is the designated admin context
admin-context admin
!"admin" context definition along with the allocated interface
context admin
 description admin context
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!"Bears" context definition along with the allocated interfaces
context Bears
 description Bears Context
 allocate-interface GigabitEthernet0/0.100
 allocate-interface GigabitEthernet0/1.101
 config-url disk0:/Bears.cfg
!"Cubs" context definition along with the allocated interfaces. Each name must match a sub-interface
!defined above exactly; the dmz sub-interface is GigabitEthernet0/0.210, the inside one GigabitEthernet0/1.201
context Cubs
 description Cubs Context
 allocate-interface GigabitEthernet0/0.200
 allocate-interface GigabitEthernet0/0.210
 allocate-interface GigabitEthernet0/1.201
 config-url disk0:/Cubs.cfg

Admin Context

Chicago/admin# show running

ASA Version 8.2(1) <context>
!
hostname admin
!Management interface of the admin context with security level set to 100
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 172.18.82.64 255.255.255.0
 management-only
!
!Syslog configuration: timestamped messages at the informational level are sent to 172.18.82.100 through the mgmt interface
logging enable
logging timestamp
logging trap informational
logging host mgmt 172.18.82.100
!
!AAA server definition using RADIUS for authentication; the key must match the shared secret configured on the server
aaa-server RADIUS protocol radius
aaa-server RADIUS (mgmt) host 172.18.82.101
 key C1$c0123
!SSH logins are authenticated against the RADIUS server (requirement 1). Without this line the appliance
!authenticates SSH users against the local login password rather than the AAA server
aaa authentication ssh console RADIUS
!SSH sessions are accepted only from 172.18.82.0/24 on the mgmt interface
ssh 172.18.82.0 255.255.255.0 mgmt

Bears Context

Chicago/Bears# show running

ASA Version 8.2(1) <context>
!
hostname Bears
!Outside interface of the Bears context with security level set to 0
interface GigabitEthernet0/0.100
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224
!Inside interface of the Bears context with security level set to 100
interface GigabitEthernet0/1.101
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!Access-list permitting web traffic initiated from the inside network to 198.133.219.25 only;
!the implicit deny at the end of the list drops everything else coming from the inside
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 host 198.133.219.25 eq www
!Access-list denying, and logging, all Internet-originated traffic
access-list outside_access_in extended deny ip any any log
!NAT configuration: interface PAT translates inside hosts to the outside interface address, 209.165.200.225
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
!The access-list is applied to the inside interface
access-group inside_access_in in interface inside
!The access-list is applied to the outside interface
access-group outside_access_in in interface outside
!Default route
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1

Cubs Context

Chicago/Cubs# show running

ASA Version 8.2(1) <context>
!
hostname Cubs
!Outside interface of the Cubs context with security level set to 0
interface GigabitEthernet0/0.200
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224
!DMZ interface of the Cubs context with security level set to 50. This is the GigabitEthernet0/0.210
!sub-interface allocated in the system execution space; it must carry the dmz name and the 50 level
interface GigabitEthernet0/0.210
 nameif dmz
 security-level 50
 ip address 192.168.21.1 255.255.255.224
!Inside interface of the Cubs context with security level set to 100
interface GigabitEthernet0/1.201
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!Access-list allowing web traffic from the Internet to the web server's mapped address only,
!and denying (with logging) everything else that arrives on the outside interface
access-list outside_access_in extended permit tcp any host 209.165.201.11 eq www
access-list outside_access_in extended deny ip any any log
!NAT configuration: inside hosts are translated with PAT to 209.165.201.10. No access-list is applied
!to the inside interface, so inside hosts may reach any lower-security interface (requirement 1)
nat (inside) 1 192.168.20.0 255.255.255.0
global (outside) 1 209.165.201.10 netmask 255.255.255.255
!Static address translation for the web server: 192.168.21.10 on the dmz is reachable from the outside as 209.165.201.11
static (dmz,outside) 209.165.201.11 192.168.21.10 netmask 255.255.255.255
!The access-list is applied to the outside interface
access-group outside_access_in in interface outside
!Default route. The next hop must lie on the outside subnet 209.165.201.0/27; the address listed here
!does not, so it must be checked against the gateway actually assigned by the ISP
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1
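The context listings above are the kind of configuration that gets transcribed by hand, and the mistakes that creep in (an access-group that names an ACL which does not exist, a nameif and security-level pair attached to the wrong sub-interface, a default route whose next hop is not on the outside subnet, a static whose real address is not on the interface it is tied to) do not produce an error on the appliance; they silently weaken the policy. The following Python script is an added example, not part of the original page and not a Cisco tool. It parses a context's running configuration in the 8.2 syntax used above and reports those defect classes. The two embedded configurations are constructed for the example, and the gateway 209.165.201.2 in the corrected sample is an assumption, since the page gives no next hop for Cubs.

```python
# Linter for one ASA 8.2-style security-context configuration (added example, not page code).
import ipaddress

IF_SUBCMDS = {"nameif", "security-level", "ip", "description", "management-only"}


def parse_context(text):  # collect interfaces, ACLs, access-groups, NAT and routes
    cfg = {"interfaces": {}, "acls": {}, "access_groups": [], "globals": [], "statics": [], "routes": []}
    cur = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "interface":
            cur = cfg["interfaces"].setdefault(tok[1], {"ifname": tok[1]})
        elif tok[0] in IF_SUBCMDS and cur is not None:  # interface sub-commands
            if tok[0] == "nameif":
                cur["nameif"] = tok[1]
            elif tok[0] == "security-level":
                cur["level"] = int(tok[1])
            elif tok[:2] == ["ip", "address"]:
                cur["net"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        else:
            cur = None  # any other command ends the interface block
            if tok[0] == "access-list":       # access-list <name> ...
                cfg["acls"].setdefault(tok[1], []).append(" ".join(tok))
            elif tok[0] == "access-group":    # access-group <acl> in interface <nameif>
                cfg["access_groups"].append((tok[1], tok[4]))
            elif tok[0] == "global":          # global (<nameif>) <id> {interface | <ip>} ...
                cfg["globals"].append((tok[1].strip("()"), tok[3]))
            elif tok[0] == "static":          # static (<real_if>,<mapped_if>) <mapped_ip> <real_ip> ...
                real_if, mapped_if = tok[1].strip("()").split(",")
                cfg["statics"].append((real_if, mapped_if, tok[2], tok[3]))
            elif tok[0] == "route":           # route <nameif> <dst> <mask> <gateway> [metric]
                cfg["routes"].append((tok[1], tok[4]))
    return cfg


def lint_context(cfg):  # returns a list of findings; an empty list means every check passed
    out, by_name = [], {i["nameif"]: i for i in cfg["interfaces"].values() if "nameif" in i}
    levels = {n: i["level"] for n, i in by_name.items() if "level" in i}
    if levels.get("outside") != 0:
        out.append("outside must be security-level 0")
    if "inside" in levels and any(v >= levels["inside"] for n, v in levels.items() if n != "inside"):
        out.append("inside must have the highest security-level in the context")
    applied = {acl for acl, _ in cfg["access_groups"]}
    for acl, ifname in cfg["access_groups"]:
        if acl not in cfg["acls"]:
            out.append(f"access-group references undefined ACL {acl}")
    out += [f"ACL {acl} is defined but never applied" for acl in cfg["acls"] if acl not in applied]

    def off_subnet(ifname, addr):  # True when addr is not on ifname's connected subnet
        net = by_name.get(ifname, {}).get("net")
        return net is not None and ipaddress.ip_address(addr) not in net.network

    for ifname, gw in cfg["routes"]:
        if off_subnet(ifname, gw):
            out.append(f"route via {ifname}: next hop {gw} is not on {by_name[ifname]['net'].network}")
    for ifname, addr in cfg["globals"]:
        if addr != "interface" and off_subnet(ifname, addr):
            out.append(f"global ({ifname}) address {addr} is not on that interface's subnet")
    for real_if, mapped_if, mapped_ip, real_ip in cfg["statics"]:
        if off_subnet(mapped_if, mapped_ip):
            out.append(f"static: mapped {mapped_ip} is not on {mapped_if}'s subnet")
        if off_subnet(real_if, real_ip):
            out.append(f"static: real {real_ip} is not on {real_if}'s connected subnet")
    return out


# Constructed sample: a Cubs context with typical transcription defects (nameif/security-level
# swapped between dmz and inside, access-group naming a non-existent ACL, next hop off the subnet).
CUBS_AS_TRANSCRIBED = """\
interface GigabitEthernet0/0.200
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224
interface GigabitEthernet0/0.210
 nameif inside
 security-level 50
 ip address 192.168.21.1 255.255.255.224
interface GigabitEthernet0/1.201
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
access-list outside_access_in extended permit tcp any host 209.165.201.11 eq www
access-list outside_access_in extended deny ip any any log
global (outside) 1 209.165.201.10 netmask 255.255.255.255
static (dmz,outside) 209.165.201.11 192.168.21.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1
"""
# Corrected version of the same context. 209.165.201.2 is an assumed ISP gateway on the
# outside subnet; the page gives no next hop for Cubs.
CUBS_CORRECTED = (
    CUBS_AS_TRANSCRIBED
    .replace("nameif inside\n security-level 50", "nameif dmz\n security-level 50", 1)
    .replace("nameif dmz\n security-level 50\n ip address 192.168.20.1",
             "nameif inside\n security-level 100\n ip address 192.168.20.1")
    .replace("access-group inside_access_in in interface inside", "access-group outside_access_in in interface outside")
    .replace("209.165.200.226 1", "209.165.201.2 1")
)
```

`lint_context(parse_context(CUBS_AS_TRANSCRIBED))` returns five findings (the swapped security levels, the undefined `inside_access_in`, the never-applied `outside_access_in`, the off-subnet next hop and the web server not being on the interface named dmz), while the corrected text returns an empty list. The same two calls work on any context config pasted from `show running`.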

SecureMe is an Internet service provider that offers firewall services to its customers. SecureMe has two customers, Dodgers and Lakers. Their requirements are as follows:

SecureMe's security requirements:

1. Through SecureMe's global security policy, access to the appliance is restricted to users trusted by the AAA server. The AAA server's address is 172.18.82.101 and its shared key is C1$c0123.

2. SecureMe has limited public address space, so it requires all virtual firewalls to use PAT for address translation.

3. SecureMe does not want the virtual-firewall administrators to see which physical interfaces have been allocated to their virtual firewalls.

4. The appliance and the virtual firewalls may be managed only over SSH and ASDM.

Dodgers' security requirements:

1. Hosts protected by the Dodgers virtual firewall may access the web server protected by the Lakers virtual firewall; the server's IP address is 192.168.21.10.

2. Users on those hosts can check their e-mail; the e-mail server's IP address is 209.165.202.130.

3. Translate private IP addresses to the IP address of the outside interface (209.165.200.226).

4. Block and log all inbound traffic.

Lakers' security requirements:

1. Hosts protected by the Lakers virtual firewall may freely access Internet resources.

2. Use PAT to translate their original IP addresses to the IP address of the outside interface.

3. Block and log all inbound traffic on the outside interface, except traffic from the Dodgers internal network destined to the web server.

In addition, SecureMe wants to sell different service tiers to different customers by implementing resource management. Dodgers is to be limited to at most 1000 new connections per second, while Lakers is not limited. SecureMe's topology is shown below:

[Figure: SecureMe LA topology]

System Execution Space

LA-ASA# show running

ASA Version 8.2(1) <system>
hostname LA-ASA
!
!Assigns every context interface an automatically generated, unique MAC address. This is what lets the
!classifier separate Dodgers and Lakers traffic arriving on the shared outside interface
mac-address auto
!
!Management0/0 interface
interface Management0/0
!
!Main GigabitEthernet0/0 interface used as the shared outside interface
interface GigabitEthernet0/0
 description Outside shared interface
!
!Main GigabitEthernet0/1 interface
interface GigabitEthernet0/1
!Sub-interface assigned to Dodgers as the inside interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/1.10
 description Dodgers Inside Interface
 vlan 10
!Sub-interface assigned to Lakers as the inside interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/1.20
 description Lakers Inside Interface
 vlan 20
!
!Sub-interface assigned to Lakers as the dmz interface. A VLAN ID is assigned to the interface
interface GigabitEthernet0/1.25
 description Lakers DMZ interface
 vlan 25
!
!Resource class "Gold": member contexts may open at most 1000 new connections per second
class Gold
 limit-resource rate conns 1000
!The context named "admin" is the designated admin context
admin-context admin
!"admin" context definition along with the allocated interface
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
!"Dodgers" context definition with its resource class and allocated interfaces. The mapped names
!(DodgersOutside, DodgersInside) are what the context sees; they hide the physical interface names
!from the context administrator (SecureMe requirement 3)
context Dodgers
 description Dodgers Context
 member Gold
 allocate-interface GigabitEthernet0/0 DodgersOutside
 allocate-interface GigabitEthernet0/1.10 DodgersInside
 config-url disk0:/Dodgers.cfg
!
!"Lakers" context definition along with the allocated interfaces. Lakers has no member line, so it stays
!in the default class and its connection rate is not limited
context Lakers
 description Lakers Context
 allocate-interface GigabitEthernet0/0 LakersOutside
 allocate-interface GigabitEthernet0/1.20 LakersInside
 allocate-interface GigabitEthernet0/1.25 LakersDMZ
 config-url disk0:/Lakers.cfg
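Both system execution space listings on this page (Chicago and LA-ASA) are where allocation errors are cheapest to catch: an allocate-interface that names a sub-interface which is not defined, a context without a config-url, an interface allocated to more than one context (which is only safe when each context gets its own MAC address), and an allocation without a mapped name, which exposes the physical interface name to the context administrator (SecureMe's third requirement). The following Python script is an added example, not an ASA feature or a Cisco tool. It parses a system-space listing and reports those conditions. The two embedded configurations are constructed from the listings on this page; the Cubs allocations are given with misspelled interface names so that the check is seen firing.

```python
# Linter for the system execution space of a multiple-context ASA
# (added example, not an ASA or Cisco tool).


def parse_system(text):
    """Collect defined (sub)interfaces, whether mac-address auto is set, and each context's allocations."""
    ifaces, contexts, cur, mac_auto = set(), {}, None, False
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "interface":
            ifaces.add(tok[1])
            cur = None
        elif tok[:2] == ["mac-address", "auto"]:
            mac_auto = True
        elif tok[0] == "context":
            cur = contexts.setdefault(tok[1], {"allocated": [], "config_url": None})
        elif cur is not None and tok[0] == "allocate-interface":  # allocate-interface <phys> [<mapped>]
            cur["allocated"].append((tok[1], tok[2] if len(tok) > 2 else None))
        elif cur is not None and tok[0] == "config-url":
            cur["config_url"] = tok[1]
    return {"interfaces": ifaces, "contexts": contexts, "mac_auto": mac_auto}


def lint_system(sysdoc):
    """Findings: undefined allocations, missing config-url, exposed physical names, shared interfaces."""
    out, users = [], {}
    for name, c in sysdoc["contexts"].items():
        if not c["config_url"]:
            out.append(f"context {name}: no config-url")
        for phys, mapped in c["allocated"]:
            if phys not in sysdoc["interfaces"]:
                out.append(f"context {name}: allocate-interface {phys} is not defined in the system space")
            if mapped is None and not phys.startswith("Management"):
                out.append(f"context {name}: {phys} allocated without a mapped name (physical name visible in the context)")
            users.setdefault(phys, []).append(name)
    for phys, names in users.items():
        if len(names) > 1:
            note = f"{phys} is shared by {', '.join(names)}"
            out.append(note if sysdoc["mac_auto"] else note + " without mac-address auto (classifier must rely on NAT addresses)")
    return out


# Constructed from the Chicago listing; the Cubs allocations keep misspelled interface names.
CHICAGO_SYSTEM = """\
interface GigabitEthernet0/0
interface GigabitEthernet0/0.100
interface GigabitEthernet0/0.200
interface GigabitEthernet0/0.210
interface GigabitEthernet0/1
interface GigabitEthernet0/1.101
interface GigabitEthernet0/1.201
interface Management0/0
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context Bears
 allocate-interface GigabitEthernet0/0.100
 allocate-interface GigabitEthernet0/1.101
 config-url disk0:/Bears.cfg
context Cubs
 allocate-interface GigbitEthernet0/200
 allocate-interface GigbitEthernet0/210
 allocate-interface GigbitEthernet0/201
 config-url disk0:/Cubs.cfg
"""
# Constructed from the LA-ASA listing: GigabitEthernet0/0 is shared, with mac-address auto set.
LA_SYSTEM = """\
mac-address auto
interface Management0/0
interface GigabitEthernet0/0
interface GigabitEthernet0/1
interface GigabitEthernet0/1.10
interface GigabitEthernet0/1.20
interface GigabitEthernet0/1.25
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context Dodgers
 allocate-interface GigabitEthernet0/0 DodgersOutside
 allocate-interface GigabitEthernet0/1.10 DodgersInside
 config-url disk0:/Dodgers.cfg
context Lakers
 allocate-interface GigabitEthernet0/0 LakersOutside
 allocate-interface GigabitEthernet0/1.20 LakersInside
 allocate-interface GigabitEthernet0/1.25 LakersDMZ
 config-url disk0:/Lakers.cfg
"""

if __name__ == "__main__":
    for label, text in (("Chicago", CHICAGO_SYSTEM), ("LA-ASA", LA_SYSTEM)):
        print(label, lint_system(parse_system(text)) or "clean")
```

For the Chicago listing the script reports the three Cubs allocations that match no defined sub-interface, plus the Bears and Cubs allocations that carry no mapped name; for LA-ASA the only finding is that GigabitEthernet0/0 is shared by Dodgers and Lakers, which is intended there and covered by mac-address auto.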

Admin Context

LA-ASA/admin# show running

ASA Version 8.2(1) <context>
hostname LA-ASA
!Management interface of the admin context with security level set to 100
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 172.18.82.64 255.255.255.0
 management-only
!RADIUS server at 172.18.82.101 with the shared key C1$c0123 given in SecureMe's requirements
aaa-server RADIUS protocol radius
aaa-server RADIUS (mgmt) host 172.18.82.101
 key C1$c0123
!AAA authentication for SSH and HTTP (ASDM) sessions
aaa authentication ssh console RADIUS
aaa authentication http console RADIUS
!SSH sessions are accepted from 172.18.82.0/24 on the mgmt interface. ASDM access additionally needs
!"http server enable" and an "http <network> <mask> mgmt" statement, which this listing omits
ssh 172.18.82.0 255.255.255.0 mgmt

Dodgers Context

LA-ASA/Dodgers# show running

ASA Version 8.2(1) <context>
hostname Dodgers
!Outside interface of the Dodgers context with security level set to 0. DodgersOutside is the mapped
!name of the shared GigabitEthernet0/0 interface
interface DodgersOutside
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.224
!Inside interface of the Dodgers context with security level set to 100
interface DodgersInside
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!Access-list allowing e-mail (SMTP to 209.165.202.130) and web traffic to 209.165.200.230, the mapped
!address of the Lakers web server. It is applied to the inside interface, so everything else from the
!inside is dropped by the implicit deny
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 host 209.165.202.130 eq smtp log
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 host 209.165.200.230 eq www log
!Access-list denying and logging all packets. It is applied to the outside interface
access-list outside_access_in extended deny ip any any log
!NAT policy: interface PAT translates inside hosts to 209.165.200.226
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!Default route
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1

Lakers Context

LA-ASA/Lakers# show running

ASA Version 8.2(1) <context>
hostname Lakers
!Outside interface of the Lakers context with security level set to 0. LakersOutside is the mapped
!name of the shared GigabitEthernet0/0 interface
interface LakersOutside
 nameif outside
 security-level 0
 ip address 209.165.200.227 255.255.255.224
!
!Inside interface of the Lakers context with security level set to 100. No access-list is applied to it,
!so inside hosts may reach any lower-security interface (requirement 1)
interface LakersInside
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
!dmz interface of the Lakers context with security level set to 50
interface LakersDMZ
 nameif dmz
 security-level 50
 ip address 192.168.21.1 255.255.255.0
!
!Access-list allowing incoming web requests only from Dodgers' PAT address (209.165.200.226) to the
!web server's mapped address, and denying and logging everything else. It is applied to the outside interface
access-list outside_access_in extended permit tcp host 209.165.200.226 host 209.165.200.230 eq www
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!Address translation policies: interface PAT for inside hosts, static translation for the DMZ web server
global (outside) 1 interface
nat (inside) 1 192.168.20.0 255.255.255.0
static (dmz,outside) 209.165.200.230 192.168.21.10 netmask 255.255.255.255
!Default route
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
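On the shared outside interface the appliance has to decide which context an inbound packet belongs to before any context's policy is applied. In multiple-context mode the classifier uses the destination MAC address when the contexts have unique MAC addresses on the shared interface (which mac-address auto provides); without unique MACs it falls back to the mapped addresses from each context's NAT configuration (global, static and interface addresses), and a packet that matches no context, or more than one, is dropped. The following Python model is an added example, not ASA code, and deliberately simplifies the real classifier. The MAC addresses and the misconfigured variant, in which a stray static makes Dodgers claim the Lakers web server's address, are constructed for the example.

```python
# Simplified model of the ASA multiple-context classifier for a shared interface
# (added example, not ASA code). Classification happens before any context policy runs.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ctx:
    name: str
    own_ifaces: frozenset      # (sub)interfaces allocated to this context alone
    mapped_ips: frozenset      # outside interface IP plus global/static mapped addresses
    mac: Optional[str] = None  # unique MAC on the shared interface (from mac-address auto)


def classify(contexts, in_iface, dst_ip, dst_mac=None):
    """Name of the context that receives the packet, or None when the classifier drops it."""
    owners = [c for c in contexts if in_iface in c.own_ifaces]
    if len(owners) == 1:      # unshared (sub)interface: ownership is unambiguous
        return owners[0].name
    if dst_mac is not None:   # shared interface with unique MACs: the destination MAC decides
        hits = [c for c in contexts if c.mac == dst_mac]
    else:                     # no unique MACs: fall back to the mapped (NAT) addresses
        hits = [c for c in contexts if dst_ip in c.mapped_ips]
    return hits[0].name if len(hits) == 1 else None  # no match, or more than one: dropped


def ambiguous_claims(contexts):
    """Mapped addresses claimed by more than one context; NAT-based classification cannot deliver to them."""
    seen = {}
    for c in contexts:
        for ip in c.mapped_ips:
            seen.setdefault(ip, set()).add(c.name)
    return {ip: names for ip, names in seen.items() if len(names) > 1}


# Constructed from the LA-ASA contexts above; the MAC values are assumed for the example.
DODGERS = Ctx("Dodgers", frozenset({"GigabitEthernet0/1.10"}),
              frozenset({"209.165.200.226"}), "0201.0000.0001")
LAKERS = Ctx("Lakers", frozenset({"GigabitEthernet0/1.20", "GigabitEthernet0/1.25"}),
             frozenset({"209.165.200.227", "209.165.200.230"}), "0201.0000.0002")
LA = (DODGERS, LAKERS)
# Misconfigured variant: Dodgers also claims Lakers' web-server address (a stray static).
LA_MISCONFIGURED = (Ctx("Dodgers", DODGERS.own_ifaces,
                        DODGERS.mapped_ips | {"209.165.200.230"}, DODGERS.mac), LAKERS)

if __name__ == "__main__":
    for pkt in (("GigabitEthernet0/1.10", "198.133.219.25", None),
                ("GigabitEthernet0/0", "209.165.200.230", None),
                ("GigabitEthernet0/0", "209.165.200.240", None)):
        print(pkt, "->", classify(LA, *pkt))
    print("ambiguous:", ambiguous_claims(LA_MISCONFIGURED))
```

The model shows why a duplicated mapped address across two tenants is a denial-of-service rather than a leak: with NAT-based classification the packet matches both contexts and is dropped, and `ambiguous_claims` flags exactly those addresses before the configuration is committed.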

Verifying the virtual firewalls

show mode
 (reports whether the appliance runs in single or multiple context mode)

show context
 (lists the contexts with their resource class, allocated interfaces and config URL)

show admin-context
 (shows which context is the designated admin context)

show cpu usage context all
 (shows CPU utilisation broken down per context)