防火墙Cisco-PIX和ASA的访问控制.pptVIP

查看当前连接详细信息 1 1 Connection pix1# show conn detail 2 in use, 9 most used Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN, B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN, G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data, i - incomplete, J - GTP, j - GTP data, k - Skinny media, M - SMTP data, m - SIP media, O - outbound data, P - inside back conn, q - SQL*Net data, R - outside acknowledged FIN, R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN, s - awaiting outside SYN, T - SIP, t - SIP transient, U - up TCP outside:1/80 inside:1/2824 flags UIO TCP outside:1/80 inside:1/2823 flags UIO Internet 查看xlate表 show xlate 查看地址翻译信息 pix1#show xlate 1 in use, 2 most used Global 0 Local 1 ciscopix# 1 1 0 1 Translation Internet show xlate detail 命令 pix1# show xlate detail 1 in use, 3 most used Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static NAT from inside:1 to outside:0 flags i 1 1 0 1 Translation Internet 实施访问控制 澎湃 IT 教育中心 防火墙的访问控制 Outside Inside ACL for Inbound Access ACL for Outbound Access No ACL - Outbound permitted by default - Inbound denied by default 基于接口的安全访问控制: 在接口上配置ACL用于允许或拒绝初化始的incoming或outgoing数据包. ACL必须正确描述初始化的数据包,返回的流量不需要单独的描述. 如果接口上没有配置ACL: 那么出站的数据包默认是允许的. 而进站的数据包默认是拒绝的. Internet 进站流量 由于这里没有ACL,所以默认情况 下,进站的流量会被阻止. 要允许进站的流量,需要完成如下步骤: 为WEB服务器配置静态的地址翻译 配置进站的ACL 应用ACL到外网接口 Public Web Server DMZ Inside Outside .2 .1 Inbound X Internet 为WEB服务器创建NAT Public Web Server DMZ Inside Outside .2 .1 pix1(config)# static (DMZ,outside) 0 0 Internet access-list 语法 允许HTTP流量到达WEB服务器 pix1(config)# access-list ACLOUT permit tcp any host eq www ciscoasa(config)# access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id}{host sip | sip smask | interface ifc_name | object-group network_obj_grp_id |