object grouping
service group (port numbers)
  http
  https
  ftp
network group (network addresses)
  192.168.0.10
  192.168.0.11
  192.168.0.12
object types
  protocols - inside_protocols
    tcp
    udp
  networks and hosts - inside_hosts
    10.0.1.11
    10.0.2.11
  services - dmz_services
  icmp - ping
    echo
    echo-reply
fw1(config)#object-group network inside_eng
fw1(config-network)#network-object host 10.0.0.1
fw1(config-network)#network-object host 10.0.0.2
fw1(config)#object-group service host_services tcp
fw1(config-service)#port-object eq http
fw1(config-service)#port-object eq https
fw1(config-service)#port-object eq ftp
fw1(config)#access-list inside permit tcp object-group inside_eng any object-group host_services
fw1(config)#object-group icmp-type ping
fw1(config-icmp)#icmp-object echo
fw1(config-icmp)#icmp-object echo-reply
object group nesting
Two object groups of the same kind can be referenced from another object group.
fw1(config)#object-group network inside_eng
fw1(config-network)#network-object host 10.0.0.1
fw1(config-network)#network-object host 10.0.0.2
fw1(config)#object-group network inside_mktg
fw1(config-network)#network-object host 10.0.1.1
fw1(config-network)#network-object host 10.0.1.2
fw1(config)#object-group network inside_all (parent group that nests the two groups above; a group cannot reference itself)
fw1(config-network)#group-object inside_eng
fw1(config-network)#group-object inside_mktg
clearing object groups
fw1(config)#no object-group network all_dmz
fw1(config)#clear config object-group protocol
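Added example (Python; not PIX code and not from these notes): a small parser that expands PIX-style object groups, follows nested group-object references, rejects a group that ends up referencing itself, and evaluates a flow against an access-list that uses the groups. The configuration text, the parent group name inside_all and the flows tested are all constructed for the example; the parser understands only the constructs that appear in the notes.

```python
"""Added example (not PIX code): expand PIX-style object groups, including
nested group-object references, and evaluate a flow against an access-list
that uses them. The parser only understands the constructs seen in the notes."""
import ipaddress

# Constructed sample configuration mirroring the notes above (inside_all is assumed).
CONFIG = """
object-group network inside_eng
 network-object host 10.0.0.1
 network-object host 10.0.0.2
object-group network inside_mktg
 network-object host 10.0.1.1
 network-object host 10.0.1.2
object-group network inside_all
 group-object inside_eng
 group-object inside_mktg
object-group service host_services tcp
 port-object eq http
 port-object eq https
 port-object eq ftp
access-list inside permit tcp object-group inside_all any object-group host_services
"""

WELL_KNOWN = {"http": 80, "www": 80, "https": 443, "ftp": 21, "telnet": 23, "ssh": 22}


def parse_config(text):
    """Return (network_groups, service_groups, acl_lines); members are tagged 'net', 'port' or 'group'."""
    nets, svcs, acls = {}, {}, []
    current = None  # (kind, name) of the group currently being filled
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group":
            current = (tok[1], tok[2])
            (nets if tok[1] == "network" else svcs)[tok[2]] = []
        elif tok[0] == "network-object":
            net = tok[2] if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            nets[current[1]].append(("net", ipaddress.ip_network(net)))
        elif tok[0] == "group-object":
            (nets if current[0] == "network" else svcs)[current[1]].append(("group", tok[1]))
        elif tok[0] == "port-object":
            svcs[current[1]].append(("port", WELL_KNOWN.get(tok[2]) or int(tok[2])))
        elif tok[0] == "access-list":
            acls.append(tok)
    return nets, svcs, acls


def expand(groups, name, seen=frozenset()):
    """Flatten a group by following group-object links; a self-reference is rejected, not looped."""
    if name in seen:
        raise ValueError(f"object-group {name} references itself")
    members = []
    for kind, value in groups[name]:
        if kind == "group":
            members.extend(expand(groups, value, seen | {name}))
        else:
            members.append(value)
    return members


def _addr(tok, i, nets):
    """Parse one address operand at tok[i]; return (networks, index of the next token)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return expand(nets, tok[i + 1]), i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2


def expand_acl(tok, nets, svcs):
    """One access-list line -> list of (action, proto, src, dst, dport); dport None means any port."""
    action, proto = tok[2], tok[3]
    srcs, i = _addr(tok, 4, nets)
    dsts, i = _addr(tok, i, nets)
    if i < len(tok) and tok[i] == "eq":
        ports = [WELL_KNOWN.get(tok[i + 1]) or int(tok[i + 1])]
    elif i < len(tok) and tok[i] == "object-group":
        ports = expand(svcs, tok[i + 1])
    else:
        ports = [None]
    return [(action, proto, s, d, p) for s in srcs for d in dsts for p in ports]


def flow_permitted(acl_name, proto, src, dst, dport, config=CONFIG):
    """First-match evaluation of a named ACL, with the implicit deny at the end."""
    nets, svcs, acls = parse_config(config)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for tok in acls:
        if tok[1] != acl_name:
            continue
        for action, p, s, d, port in expand_acl(tok, nets, svcs):
            if p in ("ip", proto) and src_ip in s and dst_ip in d and port in (None, dport):
                return action == "permit"
    return False
```

The single access-list line expands to twelve access-control entries (four hosts times three ports), which is what the firewall actually evaluates; a host that is in neither nested group, or a port outside host_services, falls through to the implicit deny.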
management access
telnet configuration
fw1(config)#telnet 10.0.0.11 255.255.255.255 inside
fw1(config)#telnet timeout 15
fw1(config)#passwd telnetpass
The PIX can only act as a telnet server, not as a telnet client.
Telnet is not allowed on the outside interface.
ssh configuration
fw1(config)#crypto key zeroize rsa
fw1(config)#write memory
fw1(config)#domain-name cisco.com
fw1(config)#crypto key generate rsa modulus 1024
fw1(config)#write memory
fw1(config)#ssh 172.26.26.50 255.255.255.255 outside
fw1(config)#ssh timeout 30
fw1(config)#debug ssh
lab topology:
pix:
int e0
nameif inside
ip add 192.168.11.254 255.255.255.0
no sh
int e1
nameif dmz
security-level 50
ip add 10.1.1.254 255.255.255.0
no sh
int e2
nameif outside
ip add 218.18.100.254 255.255.255.0
no sh
telnet configuration:
telnet 0 0 inside
passwd smoke
who (show logged-in users)
kill 0 (disconnect the user in session 0)
ssh configuration:
clock timezone GMT +8
clock set 19:40:00 19 mar 2007
crypto key generate rsa general-keys (generate the key pair)
ssh 0 0 outside
outside:
ssh -l pix -c des 218.18.100.254 (pix is the default username; -c des changes the cipher from the default 3des to des, which is weak and only acceptable in a lab)
pix:
show ssh sessions (show ssh sessions and who is logged in)
ssh disconnect 0 (disconnect session 0)
authentication with username and password
aaa authentication types
1. logging in to the device itself (management access)
2. traffic passing through the device
  cut-through
  proxy
3. dial-in / remote access to the device
  ipsec
  ssl vpn
aaa authorization types
1. management access
2. cut-through proxy
3. tunnel
aaa accounting types
1. management access
2. cut-through proxy
3. tunnel (ipsec, ssl vpn)
management traffic authenticated with aaa
  telnet
  serial
  ssh
  enable
pix:
aaa configuration
aaa-server 3a protocol tacacs+ (3a is the server group name)
aaa-server 3a (outside) host 218.18.100.241
key smoke
test aaa-server authentication 3a host 218.18.100.241 username pix722 password cisco
management aaa example:
fw1(config)#aaa authentication serial console my_acs LOCAL
fw1(config)#aaa authentication enable console my_acs LOCAL
fw1(config)#aaa authentication telnet console my_acs LOCAL
fw1(config)#aaa authentication ssh console my_acs LOCAL
pix:
show aaa-server
aaa authentication telnet console LOCAL (console is a keyword; LOCAL is case-sensitive)
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
enable password cisco123 (once set, it cannot be removed with no)
aaa authentication enable console LOCAL
aaa authentication telnet console 3a LOCAL (authenticate against the aaa server group first, then fall back to local)
aaa-server 3a protocol tacacs+
reactivation-mode timed (brings a failed server back quickly; problems with the aaa server are detected within 30 s)
local authentication
fw1(config)#username admin password cisco123
fw1(config)#aaa authentication telnet console LOCAL
fw1(config)#aaa local authentication attempts max-fail 3 (the user is locked out after 3 failed attempts)
fw1(config)#show aaa local user
pix1:
aaa local authentication attempts max-fail 3
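Added example (Python; not PIX code and not from these notes): a simulation of the method list "aaa authentication telnet console 3a LOCAL" combined with "aaa local authentication attempts max-fail 3". The server group, the usernames and the passwords are constructed stand-ins. It shows the two points a practitioner should keep in mind: LOCAL is consulted only when the server group cannot be reached, not when the server rejects the user, and the local lockout counter is only ever driven by local attempts.

```python
"""Added example (not PIX code): model 'aaa authentication telnet console 3a LOCAL'
together with 'aaa local authentication attempts max-fail 3'.
Users, passwords and the server group are constructed stand-ins."""
import hmac


class TacacsGroup:
    """Stand-in for server group '3a'. reachable=False models servers that do not
    answer, which is the only case in which the method list moves on to LOCAL."""

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return None  # no reply from any server in the group
        expected = self.users.get(user, "")
        return hmac.compare_digest(expected, password)  # constant-time compare


class LocalDB:
    """Stand-in for the 'username ... password ...' database with lockout."""

    def __init__(self, users, max_fail=3):
        self.users = users
        self.max_fail = max_fail
        self.failures = {}
        self.locked = set()

    def authenticate(self, user, password):
        if user in self.locked:
            return False  # locked accounts fail even with the right password
        if hmac.compare_digest(self.users.get(user, ""), password):
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_fail:
            self.locked.add(user)  # 'show aaa local user' would list it as locked
        return False


def authenticate(methods, user, password, group, local):
    """Walk the method list in order. A server reject ends the attempt; only an
    unreachable group falls through to the next method. Any method name other
    than LOCAL is treated as the single constructed server group."""
    for method in methods:
        if method == "LOCAL":
            return local.authenticate(user, password)
        verdict = group.authenticate(user, password)
        if verdict is None:
            continue  # group unreachable, try the next method
        return verdict
    return False  # method list exhausted without a decision
```

With the server group reachable, a user who exists only in the local database is rejected by the server and never reaches LOCAL; once the group is unreachable, three wrong passwords lock the local account and the correct password no longer works until the lock is cleared.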
cut-through proxy performs authentication, authorization and accounting for traffic passing through the pix.
authentication types (protocols that can carry the login):
telnet
http
ftp
https
fw1(config)#access-list 110 permit tcp any host 192.168.2.11 eq ftp
fw1(config)#access-list 110 permit tcp any host 192.168.2.10 eq www
fw1(config)#aaa authentication match 110 outside my_acs
pix1:
access-list cut permit tcp any any eq 23
aaa authentication match cut inside 3a (traffic arriving on inside that matches the cut list is authenticated against server group 3a)
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
outside:
line vty 0 4
password cisco
login
inside:
ip route 0.0.0.0 0.0.0.0 192.168.10.254
pix:
show uauth (show authentication entries)
absolute timeout:0:05:00 (re-authenticate every 5 minutes)
inactivity timeout:0:00:00 (no inactivity limit)
changing the uauth timeout: to set uauth above 3 hours, the xlate timeout must be raised first, because the default xlate timeout is 3 hours.
pix:
show run timeout (show the timeout values)
timeout xlate 5:00:00
timeout uauth 5:00:00 absolute (absolute lifetime of an authentication)
show uauth
timeout uauth 0:10:00 inactivity (inactivity timeout)
clear uauth (clear authentication entries)
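Added example (Python; not PIX code and not from these notes): a parser for lines in the form printed by "show run timeout", a check for the rule stated above that the uauth absolute timeout must not exceed the xlate timeout, and a function that decides whether a uauth entry is still usable under the absolute and inactivity timers. The timeout text and the timestamps are constructed; the 3-hour xlate and 5-minute uauth defaults used when a value is absent are the ones the notes give.

```python
"""Added example (not PIX code): evaluate cut-through proxy uauth entries against
the absolute and inactivity timers, and check the rule that the uauth absolute
timeout must not exceed the xlate timeout."""
from datetime import datetime, timedelta

# Constructed text in the shape of 'show run timeout' output.
SAMPLE = """timeout xlate 3:00:00
timeout uauth 5:00:00 absolute
timeout uauth 0:10:00 inactivity
"""


def parse_hms(text):
    """'0:05:00' -> timedelta; '0:00:00' means the corresponding timer is disabled."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def parse_timeouts(show_run_timeout):
    """Parse 'timeout ...' lines into a dict keyed 'xlate', 'uauth absolute', 'uauth inactivity'."""
    result = {}
    for raw in show_run_timeout.splitlines():
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "timeout":
            continue
        if tok[1] == "uauth":
            kind = tok[3] if len(tok) > 3 else "absolute"
            result[f"uauth {kind}"] = parse_hms(tok[2])
        else:
            result[tok[1]] = parse_hms(tok[2])
    return result


def check_timeouts(timeouts):
    """Return a list of problems; an empty list means the combination is valid."""
    problems = []
    xlate = timeouts.get("xlate", timedelta(hours=3))               # default from the notes
    absolute = timeouts.get("uauth absolute", timedelta(minutes=5))  # default from the notes
    if absolute > xlate:
        problems.append("uauth absolute exceeds xlate; raise 'timeout xlate' first")
    return problems


def uauth_valid(authenticated_at, last_seen, now, absolute, inactivity):
    """True while the user's authentication entry is still usable.
    A zero timedelta disables that timer, matching the 0:00:00 convention."""
    if absolute and now - authenticated_at >= absolute:
        return False  # absolute lifetime reached: the user must authenticate again
    if inactivity and now - last_seen >= inactivity:
        return False  # idle for too long
    return True


if __name__ == "__main__":
    t = parse_timeouts(SAMPLE)
    print(check_timeouts(t))
    start = datetime(2007, 3, 19, 19, 40)  # constructed timestamp
    print(uauth_valid(start, start, start + timedelta(minutes=12),
                      t["uauth absolute"], t["uauth inactivity"]))
```

Run as written, the sample configuration is flagged because uauth absolute (5 hours) is above the 3-hour xlate; raising xlate to 5:00:00, as the notes do, clears the warning. The inactivity timer is what actually ends a session whose user has gone away, so leaving it at 0:00:00 means an authenticated source address stays usable until the absolute timer fires.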
outside:
ip http server
pix:
access-list cut permit tcp any any eq 80
show uauth
auth-prompt accept you are welcome. (message shown when the login is accepted)
auth-prompt prompt pppppprompt (text of the login prompt)
auth-prompt reject hahahahaha (message shown when the login is rejected)
access-list cut permit tcp any any eq 443
outside:
ip http secure-server
First accept the pix certificate, then enter the username and password, and only then is the router's certificate loaded.
pix:
access-list cut permit tcp any any eq 21
cut-through for non-standard traffic:
1. piggy-backing: first authenticate through one of the standard protocols, then access the non-standard traffic.
2. use a virtual telnet connection, after which the other traffic is allowed. To log out, connect to the virtual telnet address again and enter the username and password; that logs the user out.
pix:
access-list cut permit tcp any any eq 3030
outside:
line vty 0 4
rotary 30
virtual telnet
access-list cut permit tcp any host 218.18.100.100
virtual telnet 218.18.100.100 (the virtual telnet address)
The virtual telnet address must be a global address that is not otherwise in use.
virtual http
This solves the case where the web server runs on iis and iis has its own username and password authentication: the pix cut-through credentials and the iis credentials both end up in the same request, and authentication fails. With virtual http the first authentication goes to the pix and the second to iis.
outside:
ip http authentication local
username cisco privilege 15 password cisco
pix:
virtual http 218.18.100.101 warning (virtual http address, a global address; warning tells the user that the connection was redirected)
access-list cut permit tcp any any eq 80
tunnel authentication (vpn authentication)
authorization
Different users are given different privileges.
pix:
aaa authorization match cut inside 3a
access-list out permit icmp any any
access-group out in interface outside
access-list cut permit icmp any any
authorization for the four standard protocols (acs, per-group setup):
  command authorization
    unmatched cisco ios commands: deny
    command: ftp
      arguments: none
      unlisted arguments: permit (click permit to allow everything)
non-standard authorization:
  command authorization
    unmatched cisco ios commands: deny
    command: 1/8 (icmp)
      arguments: none
      unlisted arguments: permit
downloadable acl authorization (acl download authorization)
downloadable acls:
  the authentication request goes to the aaa server
  the authentication response carries the acl
  the acl that is downloaded is the per-user or per-group acl
downloadable acls process:
1. the user sends an http/telnet request.
2. it reaches the pix, which performs cut-through and sends the authentication information to the aaa server.
3. the aaa server returns an accept together with the downloaded acl.
pix:
aaa-server 3ar protocol radius
aaa-server 3ar (outside) host 218.18.100.241
key cisco
access-list cut permit ip any any
virtual telnet 218.18.100.100
aaa authentication match cut inside 3ar
access-list aclin permit tcp any host 218.18.100.100 eq 23
access-group aclin in interface inside per-user-override (the downloaded per-user acl overrides the interface acl)
accounting
1. management accounting
2. accounting for traffic passing through (cut-through)
example:
fw1(config)#access-list 110 permit tcp any host 192.168.2.10 eq ftp
fw1(config)#access-list 110 permit tcp any host 192.168.2.10 eq www
fw1(config)#aaa accounting match 110 outside my_acs
pix:
access-list cut permit tcp any any (accounting can only be done for tcp/udp)
aaa authentication match cut inside 3ar
aaa accounting match cut inside 3ar
accounting for management traffic
pix:
aaa authentication telnet console 3a
aaa accounting telnet console 3a (accounts for logins and logouts)
aaa accounting command 3a (command accounting)
command accounting example:
fw1(config)#aaa accounting command privilege 6 mytacacs
fw1#show curpriv (show the current privilege level)
fw1(config)#aaa-server mytacacs protocol tacacs+
fw1(config-aaa-server-group)#aaa-server mytacacs (inside) host 10.0.0.2 thekey timeout 20
fw1(config-aaa-server-host)#aaa authentication enable console mytacacs
fw1(config)#aaa authorization command mytacacs
fw1(config)#privilege configure level 10 command access-list
fw1(config)#username keny password chickadee privilege 10
fw1(config)#aaa authorization command LOCAL
fw1(config)#aaa authentication enable console LOCAL
pix password recovery: download npxx.bin from the Cisco website, where xx is the version number.
asa(config)#no service password-recovery (on the asa this command disables password recovery; if recovery is attempted anyway, the configuration is wiped)
pix:
aaa authentication http console LOCAL
http 0 0 inside
http server enable
show version
requires device manager (asdm) version 5.2(2)
copy ftp asdm-522.bin flash:/
asdm image flash:/asdm-522.bin
The last two version digits of the software image (pix722.bin) and the asdm image (asdm-522.bin) must match.