NguyenPhanDinhPhuoc_NguyenVanHung_DangMinhTri-Lop 07T4-Nhóm 10B


UNIVERSITY OF TECHNOLOGY

FACULTY OF INFORMATION TECHNOLOGY

DEPARTMENT OF NETWORKS AND COMMUNICATIONS

COURSE REPORT

NETWORK INFORMATION SECURITY

Topic: Exploring the features of the ASA Firewall on GNS3

Students: Nguyễn Văn Hưng, Nguyễn Phan Đình Phước, Đặng Minh Trí

Group: 10B

Supervisor: Dr. Nguyễn Tấn Khôi

Da Nang, 2011

Nguyễn Phan Đình Phước, Nguyễn Văn Hưng, Đặng Minh Trí

SUPERVISOR'S COMMENTS


Exploring the features of the ASA firewall on GNS3


TABLE OF CONTENTS

I. OVERVIEW OF FIREWALLS
  a. Introduction to firewalls
  b. Classification
  c. Functions of a firewall
  d. Limitations of firewalls

II. THE CISCO ASA FIREWALL
  a. Introduction
  b. Basic features
    i. Operating modes
    ii. File management
    iii. Security Level
  c. Network Address Translation (NAT)
    i. Concept
    ii. NAT techniques
    iii. NAT on ASA devices
    Example
  d. Access Control Lists (ACL)
  e. VPN
    i. Introduction
    Steps performed by IPsec devices
    ii. Site-to-site VPN
    iii. Remote access VPN
    iv. AnyConnect VPN
      Provides full network connectivity to remote users. The ASA firewall, acting as a WebVPN server, assigns an IP address to the remote user, and the user becomes part of the network. All IP protocols and applications therefore work through the VPN tunnel without any problem. For example, a remote user who has authenticated successfully with AnyConnect VPN can open a connection from the remote computer to a Windows Terminal Server inside the central network. Although a client must be installed on the user's computer, this client can be supplied to the user automatically by the ASA: the user connects with a browser to the ASA firewall and downloads the Java client on demand. The Java client can remain installed or be removed from the user's computer when the user disconnects from the ASA. The client is small (about 3 MB) and is stored in the ASA's flash memory.
    Figure 11. Network diagram of an AnyConnect VPN connection
    There are two initial installation options for the AnyConnect client
    Steps to configure AnyConnect VPN
  f. Routing protocol
    i. Concept
    ii. Routing techniques
      Static routing
      There are three kinds of static route:
        Directly connected route: directly connected routes are created automatically in the routing table by the ASA when you configure an IP address on an interface of the device.
        Normal static route: provides a fixed path to a specific network.
        Default route: the default route is a statically configured route; when the router receives a packet destined for a network that is not in its routing table, it forwards the packet along the default route.
      Figure 12. Network model illustrating static routing
  g. Link redundancy with SLA
  h. Failover
    i. Introduction
    ii. Types of failover
    iii. Deploying failover

III. DEPLOYING ASA FEATURES ON GNS3
  a. Deployment model
    i. Real-world model
    ii. Model on GNS3
  b. Configuration on the ASA
    i. Routing
    ii. Access Control List
    iii. NAT
    iv. Link monitoring
    v. DHCP


I. Overview of firewalls

a. Introduction to firewalls

In computer networking, a firewall is a barrier that individuals, organizations, businesses and government agencies set up to stop Internet users from reaching unwanted information and/or to stop outside users from reaching confidential information held on the internal network. A firewall is a hardware device and/or a piece of software that operates in a networked computing environment to block communications forbidden by the security policy of an individual or organization, much as the fire walls in a building stop fire from spreading. A firewall is also called a Border Protection Device (BPD), particularly in NATO contexts, or a packet filter in the BSD operating system, a Unix variant from the University of California, Berkeley.

The basic task of a firewall is to control data traffic between two zones of differing trust. Typical zones of trust are the Internet (an untrusted zone) and the internal network (a highly trusted zone). The ultimate goal is to provide controlled connectivity between zones of differing trust by applying a security policy and a connectivity model based on the principle of least privilege.

Configuring a firewall correctly requires skill from the system administrator: considerable knowledge of network protocols and of computer security. Small mistakes can turn a firewall into a useless security tool. Building a firewall with features that resist hostile activity requires professional-level expertise and skill in security.

b. Classification

Firewalls fall into two kinds: hardware firewalls (external) and software firewalls (internal). Each has its own advantages and drawbacks, so the choice of which kind to use is quite important.

Hardware firewalls: Typified by network firewalls, this external device sits between the computer or network and the cable or DSL modem. Many vendors and Internet service providers (ISPs) offer router devices that also include firewall features. Hardware firewalls are effective at protecting many computers while still providing a high level of security for a single computer. If you have only one computer behind the firewall, or if you are sure that all other computers on the network are kept up to date with free patches against viruses, worms and other malicious code, you do not need the extra protection of a software firewall. Hardware firewalls have the advantage of being separate devices running their own operating system, so they are more resistant to attack. Some hardware firewalls are ASA, PIX, Fortinet and Juniper.

Characteristics of hardware firewalls:
- Operate at the Network and Transport layers
- Fast processing
- High security
- Low flexibility
- Limited upgradeability
- Cannot inspect packet contents

However, many hardware firewalls today integrate several functions. Besides serving as a security firewall, they carry other modules such as routing and VPN.

Figure 1. Hardware firewall model

Software firewalls: Some operating systems come with a firewall; if yours does not, one can easily be obtained from computer stores, software vendors or Internet service providers. Some software firewalls are ISA Server, ZoneAlarm and Norton Firewall; antivirus products and operating systems also commonly include firewall features.

Characteristics:
- Operate at the Application layer
- High flexibility: rules and functions can be added or removed
- Can inspect packet contents (by keyword)

Figure 2. Software firewall model.

c. Functions of a firewall

Control the flow of information between the intranet and the Internet. The firewall establishes a mechanism for controlling the flow of information between the internal network (intranet) and the Internet. Specifically:
- Permit or block services going outbound (from the intranet to the Internet).
- Permit or block services coming inbound (from the Internet to the intranet).

Figure 3. Data flows in and out between the Internet and the intranet

- Monitor network traffic between the Internet and the intranet.
- Control access by address; block specific addresses.
- Control users and their access.
- Control the content of the information moving across the network.

d. Limitations of firewalls

- A firewall is not as intelligent as a human; it cannot read each kind of information and judge whether its content is good or bad. A firewall can only block intrusion from unwanted sources whose address parameters have been clearly specified.
- A firewall cannot protect against attacks that bypass it, for example through modems, trusted organizations or trusted services (SSL/SSH).
- A firewall cannot defend against data-driven attacks, where a program carried by e-mail passes the firewall into the protected network and starts running there.
- A firewall cannot protect against the transfer of virus-infected programs or files.

II. The Cisco ASA firewall

a. Introduction

The Cisco ASA firewall is the newest technology in Cisco's firewall line and is now replacing the highly regarded PIX firewalls. ASA stands for Adaptive Security Appliance; it serves both as a firewall and as an anti-malware application.

Cisco ASA works by Stateful Packet Inspection: it tracks the state of each connection passing through the security appliance (recording the state of every packet belonging to a connection, identified by protocol or application). It allows one-way (outbound) connections with very little configuration. An outbound connection is one from a device on an interface with a higher security level to a device on a network with a lower security level. The recorded state is used to monitor and check the returning packets. The ASA also randomizes the TCP sequence numbers to reduce the risk of attack.

It operates on a port-based security zone architecture: trusted interfaces (high security level) and untrusted interfaces (low security level). The main rule for security levels is that a device in the trusted zone can reach devices in the untrusted zone, which is called outbound access. Conversely, the low-security zone cannot reach the high-security zone unless an ACL permits it, which is called inbound access.

Security level 100 is the highest level and is usually assigned to the inside interface. Security level 0 is the lowest and is usually assigned to the interface connecting to the Internet or an untrusted zone, called the outside. Security levels 1-99 are available for the remaining interfaces if more zones are needed. Therefore, when configuring each interface, make sure that every interface is assigned a security level according to your zoning policy, using the security-level command.

b. Basic features

i. Operating modes

The ASA firewall has four main modes:

Monitor Mode: shows the monitor> prompt. This special mode lets you update the image over the network or recover a password. In monitor mode you can enter commands specifying the location of a TFTP server and the location of the software image or password-recovery binary image to download. You enter this mode by pressing the "Break" or "ESC" key immediately after powering on the device.

Unprivileged Mode: shows the > prompt. This mode gives a limited view of the security appliance; you cannot configure anything from it. To start configuring, the first command you need to know is enable. Type enable and press Enter. The initial password is blank, so press Enter again to move to the next access mode (Privileged Mode).

Privileged Mode: shows the # prompt. Lets you change the current settings. Any command from unprivileged mode also works in this mode. From here you can view the current configuration with show running-config. However, you cannot configure anything until you enter Configuration Mode, which you do with configure terminal from privileged mode.

Configuration Mode: shows the (config)# prompt. Lets you change all system configuration settings. Use exit from any mode to return to the previous one.

ii. File management

There are two kinds of configuration file on Cisco security appliances: the running-configuration and the startup-configuration. The first, the running-configuration, is the one currently running on the device; it is held in the firewall's RAM. You can view it by typing show running-config in privileged mode. Any command you enter on the firewall is stored directly in the running-config and takes effect immediately. Because the running configuration is held in RAM, if the device loses power any configuration changes that were not saved are lost. To save the running configuration, use copy run start or write memory. Both commands copy the running-config into the startup-config, which is stored in flash memory.

The second, the startup-configuration, is the backup of the running-configuration. It is stored in flash memory, so it is not lost when the device reboots, and it is the configuration loaded at boot. To view the stored startup-configuration, type show startup-config.

iii. Security Level

A security level is assigned to each interface (physical or logical sub-interface) and is basically a number from 0 to 100 that designates how trusted the interface is relative to the other interfaces on the device. The higher the security level, the more trusted the interface (and therefore the network behind it) is considered, relative to the other interfaces. Since each firewall interface represents a specific network (or security zone), the security levels let us assign a level of trust to each of our security zones. The main rule for security levels is that an interface (or zone) with a higher security level can access an interface with a lower security level. Conversely, an interface with a lower security level cannot access an interface with a higher security level without the explicit permission of a security rule (Access Control List, ACL). Some typical security levels:

Security Level 0: the lowest security level, assigned by default to the firewall's outside interface. It is the least trusted level and should be assigned to the network (interface) that we do not want to have any access to our internal networks. This level is usually assigned to the interface connected to the Internet, meaning that devices on the Internet cannot reach any network behind the firewall unless an ACL rule explicitly permits it.

Security Level 1 to 99: these levels can be assigned to perimeter security zones (for example a DMZ zone, a management zone, and so on).

Security Level 100: the highest security level, assigned by default to the firewall's inside interface. It is the most trusted level and should be assigned to the network (interface) that we want the security appliance to protect the most. This level is usually assigned to the interface connecting the corporate internal network behind it.


Figure 4. Security levels in a network

Access between security levels follows these rules:

Access from a higher to a lower security level: all traffic originating from the higher security level is permitted unless specifically restricted by an Access Control List (ACL). If NAT-Control is enabled on the device, there must be a nat/global translation pair between the interfaces from the higher to the lower security level.

Access from a lower to a higher security level: all traffic is blocked unless permitted by an ACL. If NAT-Control is enabled on the device, there must be a static NAT between the interfaces from the higher to the lower security level.

Access between interfaces with the same security level: denied by default, unless you configure the same-security-traffic permit command.

c. Network Address Translation (NAT)

i. Concept

The depletion of public IPv4 address space forced the Internet community to think about alternative ways of addressing networked hosts. NAT was created to solve the problems that arose with the growth of the Internet. Some of the advantages of using NAT in IP networks are:
- NAT helps reduce the global exhaustion of public IP addresses.
- Networks can use the RFC 1918 private address space internally.
- NAT improves security by hiding the network topology and addressing.

NAT behaves like a router: it forwards packets between different network segments of a larger network. NAT translates, or changes, one or both addresses inside a packet as the packet passes through a router or some other device. Usually NAT changes the (typically private) address used inside a network into a public address. NAT can also be regarded as a basic firewall. To do this work, NAT maintains a table of information about every packet sent through it. When a PC on the network connects to a website on the Internet, the source IP address in the header is replaced with the public address configured on the NAT server; when the reply packet comes back, NAT uses the record it kept about the packets to change the destination IP address to the address of the PC on the internal network and forwards it. Through this mechanism the administrator can filter packets sent to or from an IP address and permit or block access to a specific port.

ii. NAT techniques


Static NAT

With static NAT, IP addresses are mapped to each other statically through configuration commands. In static NAT, an Inside Local address is always mapped to the same Inside Global address. If used, each Outside Local address is always mapped to the same Outside Global address. Static NAT does not conserve real addresses. Although it saves no IP addresses, static NAT lets an internal server be visible to the Internet, because the server always uses the same real IP address. Static NAT is easy to implement, and the whole address translation is done by a simple formula:

destination address = new network address OR (source address AND (NOT netmask))

Example: one private address is mapped to one public address. For instance, a host on the LAN with address 10.1.1.1 is translated to the public address 20.1.1.1 when its packets go out to the Internet. Start with a packet sent from the PC on the left of the figure to a server on the right with address 170.1.1.1. The private source address 10.1.1.1 is translated to the real address 200.1.1.1. The client sends a packet with source address 10.1.1.1, but the NAT router changes the source address to 200.1.1.1. When the server receives a packet with source address 200.1.1.1, it believes it is talking to host 200.1.1.1, so it replies with a packet to destination address 200.1.1.1. The router then translates the destination address 200.1.1.1 back to 10.1.1.1.

Figure 5. Static NAT from a LAN to the Internet

Dynamic NAT


With dynamic NAT, the number of source IPs need not equal the number of mapped IPs. The number of hosts that can share is generally limited by the number of mapped IPs available. Dynamic NAT is more complex than static NAT, because it must keep connection information and may even have to look into the TCP information in the packet. Some people use it instead of static NAT for security reasons: outsiders cannot find out which IP is connected to a given host, because at the next moment that host may receive an entirely different IP. Connections from outside are possible only while the host still holds an IP in the dynamic NAT table, where the NAT router keeps the inside IP (source IP) linked with the NAT-IP (mapped IP). Take for example a non-passive FTP session: the server tries to set up a data channel, so when it tries to send an IP packet to the FTP client there must be an entry for the client in the NAT table. The client IP must stay linked with the same NAT-IP from the moment the client opens the control channel until the FTP session ends, or until a timeout. Note that FTP has two modes, passive and non-passive, and always uses two ports (control and data). In passive mode the connecting host receives the data port from the server; in non-passive mode the connecting host specifies the data port and asks the server to listen for the connection.

Whenever an outsider wants to connect to a specific host inside the network at an arbitrary moment, there are only two cases: the inside host has no entry in the NAT table, in which case the outsider receives "host unreachable"; or it has an entry but the NAT-IP is unknown. The NAT-IP of a connection is known only because of a connection from the inside host outward; even then it is only the NAT-IP, not the host's real IP, and this information is lost after the entry times out in the NAT router's table.

Example: a private address is mapped to a public address taken from a pool of public addresses. For instance, a LAN with address 10.1.1.1/8 is translated to a public address in the range 200.1.1.1 to 200.1.1.100 when packets go out to the Internet.

Figure 6. Dynamic NAT table of a LAN


NAT overloading (PAT)

Used to map many private IP addresses to one public address, with each private address distinguished by port number. Up to 65,356 internal addresses can be translated to a single public address, though in practice about 4,000 ports are usable. PAT works by marking some TCP or UDP traffic flows from many local hosts so that they appear to come from one or a few Inside Global addresses. With PAT, besides translating IP addresses, NAT also translates ports when needed. Because the port fields are 16 bits wide, each Inside Global address can support up to 65,000 concurrent TCP and UDP connections. For example, in a network of 1,000 hosts, a single real IP address used as the only Inside Global address can handle on average six data flows to and from hosts on the Internet.

Example: PAT maps many private addresses to one public address, telling the private addresses apart by port; for instance, IP address 10.1.1.1 is mapped to IP address 200.1.1.6:port_number.

The relationship between NAT and PAT

PAT is closely related to NAT and is therefore often still called NAT. In NAT, generally only the IP address is changed, with a 1:1 correspondence between private and public addresses. In PAT, both the sender's private address and port are changed; the PAT device chooses the port number that hosts on the public network will see. In NAT, packets coming in from outside are routed to their destination IP on the private network by referencing the incoming destination address. In PAT, only one public IP address is visible from outside, and packets arriving from the public network are routed to their destinations on the private network by consulting the table of private/public port pairs kept in the PAT device; this is usually called connection tracking. Some devices that offer NAT, such as broadband routers, actually provide PAT, which causes considerable confusion between the two terms. In general, people use "NAT" to include PAT devices as well.

iii. NAT on ASA devices

Cisco ASA firewalls support two main kinds of address translation:

Dynamic NAT translation: translates source addresses on a higher-security interface into a range (or pool) of IP addresses on a less secure interface, for outbound connections. The nat command identifies the internal hosts to be translated, and the global command defines the address pool on the outgoing interface. Configuring dynamic NAT translation:

ciscoasa(config)# nat (internal_interface_name) nat-id internal_network_IP subnet
ciscoasa(config)# global (external_interface_name) nat-id external_IP_pool_range


Static NAT translation: provides a permanent one-to-one address mapping between an IP on a more secure interface and an IP on a less secure interface. With an appropriate Access Control List (ACL), static NAT lets hosts on a less secure interface (for example the Internet) reach a server on a higher-security interface (for example a Web Server in the DMZ) without exposing the real IP address of the server on the higher-security interface. Configuring static NAT translation:

ciscoasa(config)# static (real_interface_name,mapped_interface_name) mapped_IP real_IP netmask subnet_mask

Using PAT, many connections from different internal hosts can be multiplexed onto one public IP address by using different source port numbers. Example:
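As an added example (not the report's own code; the report's examples are ASA CLI), the Python below models the static NAT formula from section ii, a dynamic NAT pool whose entries expire after a timeout, and the PAT port table described above. The addresses, pool range, ports and timeout values are constructed sample values drawn from the report's examples.

```python
# Added example (not from the report): models the static NAT formula, the
# dynamic NAT pool and the PAT (NAT overload) table described above. All
# addresses, hosts, ports and timeouts are constructed sample values drawn from
# the report's own examples (10.1.1.1 -> 200.1.1.x, pool 200.1.1.1-200.1.1.100,
# 192.168.1.0/24 -> 100.1.1.2 with ports from 1024 upward).
import ipaddress
from typing import Dict, Optional, Tuple


def static_nat(source: str, new_network: str, netmask: str) -> str:
    """Static NAT exactly as the report's formula:
    destination = new_network OR (source AND (NOT netmask)).
    Host bits of the real address are kept, network bits are replaced."""
    src = int(ipaddress.IPv4Address(source))
    net = int(ipaddress.IPv4Address(new_network))
    mask = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(net | (src & (~mask & 0xFFFFFFFF))))


class DynamicNatPool:
    """Dynamic NAT: an inside host borrows a whole public address from the pool
    when it first sends traffic. The binding stays while the entry is fresh and
    is dropped after `timeout` seconds of silence; from then on outsiders can
    no longer reach the host through that address."""

    def __init__(self, first: str, last: str, timeout: float = 300.0):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.timeout = timeout
        self.table: Dict[str, Tuple[str, float]] = {}  # inside_ip -> (mapped_ip, last_seen)

    def _expire(self, now: float) -> None:
        for inside, (mapped, seen) in list(self.table.items()):
            if now - seen > self.timeout:
                del self.table[inside]
                self.free.append(mapped)

    def translate_outbound(self, inside_ip: str, now: float) -> str:
        self._expire(now)
        if inside_ip in self.table:
            mapped = self.table[inside_ip][0]
        else:
            if not self.free:
                raise RuntimeError("dynamic NAT pool exhausted")
            mapped = self.free.pop(0)
        self.table[inside_ip] = (mapped, now)  # refresh last_seen
        return mapped

    def lookup_inbound(self, mapped_ip: str, now: float) -> Optional[str]:
        """Packet from outside to a pool address: deliverable only while a live entry exists."""
        self._expire(now)
        for inside, (mapped, _) in self.table.items():
            if mapped == mapped_ip:
                return inside
        return None


class PatTable:
    """PAT: many inside hosts share one global IP; each flow gets its own
    translated source port so return traffic can be mapped back (connection
    tracking). Ports are handed out from 1024 upward, as in the report."""

    def __init__(self, global_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.global_ip = global_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound: Dict[Tuple[str, int, str], int] = {}   # (ip, port, proto) -> mapped port
        self.inbound: Dict[Tuple[int, str], Tuple[str, int]] = {}  # (mapped port, proto) -> (ip, port)

    def translate_outbound(self, src_ip: str, src_port: int, proto: str = "tcp") -> Tuple[str, int]:
        """Outbound packet: reuse the entry for this flow or allocate the next
        free port. Raises once the 16-bit port space is used up."""
        key = (src_ip, src_port, proto)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            mapped = self.next_port
            self.next_port += 1
            self.outbound[key] = mapped
            self.inbound[(mapped, proto)] = (src_ip, src_port)
        return self.global_ip, self.outbound[key]

    def translate_inbound(self, dst_port: int, proto: str = "tcp") -> Optional[Tuple[str, int]]:
        """Return packet to global_ip:dst_port. Only ports an inside host opened
        have an entry; anything else has no translation and is dropped (None)."""
        return self.inbound.get((dst_port, proto))


def pat_demo() -> Dict[str, object]:
    """Walk the report's PAT example: two inside hosts behind 100.1.1.2."""
    pat = PatTable("100.1.1.2")
    first = pat.translate_outbound("192.168.1.1", 51000)   # -> ('100.1.1.2', 1024)
    second = pat.translate_outbound("192.168.1.2", 51000)  # -> ('100.1.1.2', 1025)
    reply = pat.translate_inbound(1025)                    # -> ('192.168.1.2', 51000)
    unsolicited = pat.translate_inbound(4000)              # -> None: no tracked connection
    return {"first": first, "second": second, "reply": reply, "unsolicited": unsolicited}
```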

Figure 7. PAT (NAT overload)

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0   (inside subnet that uses PAT)
ciscoasa(config)# global (outside) 1 100.1.1.2 netmask 255.255.255.255   (a single global IP address for PAT)

In the example above, all internal addresses (192.168.1.0/24) use one public IP address (100.1.1.2) with different ports. That is, when host 192.168.1.1 connects to a server on the Internet, the firewall translates its address and port to 100.1.1.2 with port 1024. Similarly, host 192.168.1.2 is also translated to 100.1.1.2, but with a different port (1025). The source ports are changed automatically to a unique number above 1023. A single PAT address can support about 64,000 internal hosts.

d. Access Control Lists (ACL)

One of the important elements needed to manage network traffic is the access control mechanism, also called the Access Control List.


Figure 8. ACL controlling network access

An Access Control List, as its name suggests, is a list of statements (called access control entries) that permit or deny traffic from a source to a destination. Once an ACL is configured, it is applied to an interface with the access-group command. If no ACL is applied to an interface, outbound traffic (from inside to outside) is permitted by default and inbound traffic (from outside to inside) is denied by default. An ACL can be applied (with access-group) in either the "in" or the "out" direction of traffic on an interface. The "in" direction controls traffic entering an interface, and the "out" direction controls traffic leaving an interface. In the diagram above, the two ACLs shown (for Inbound and for Outbound access) are applied in the "in" direction of the outside and inside interfaces respectively.

Guidelines for designing and implementing ACLs:
- For outbound traffic (from a zone with a higher security level to a lower one), the source address parameter of an ACL entry is the real address of the host or network.
- For inbound traffic (from a zone with a lower security level to a higher one), the destination address parameter of the ACL is the translated global IP address. The ACL is always checked before address translation is performed on the security appliance.
- Besides restricting traffic through the firewall, an ACL can also be used as a traffic selection mechanism to apply some other action to the selected traffic, such as encryption, translation, policing, quality of service, and so on.

Default ACL configuration command:

ciscoasa(config)# access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator source_port] dest_address mask [operator dest_port]

Command to apply an ACL to an interface with an access group:

ciscoasa(config)# access-group access_list_name [in|out] interface interface_name

Parameters in the command:


access_list_name :mt tn m t ca ACLc th. Cng tn c s dng trong lnh access-group. lineline_number : Mi mc ACL c s dng ring ca mnh. extended: S dng khi bn xc nh c hai ngun v a ch ch trong ACL. deny|permit :Xc nh liu lu lng truy cp c th c php hoc b t chi. protocol: Ch nhgiao thc giao thng(IP, TCP, UDP, vv). source_address mask: Ch nh a ch IP ngun v subnet mask. Nu l mt a ch IP duy nht, bn c th s dng t kho"host" m khng c mt n. Bn cngc th s dng t kha "any" ch nh bt k a ch. [operator source_port]: Ch nh s cng ngun ca lu lng c ngun gc. Cc t kha"operator" c th c "lt" (t hn), "gt" (ln hn), "eq" (tng ng), "neq" (Khngbng), "phm vi" (phm vi port). Nu source_port khng c quy nh c th, tng la ph hp vi ttc cc port. dest_address mask: y l a ch IP ch v subnet mask. Bn c th s dng nhng t kha host hoc any. [operator dest_port]: Ch nh s cng ch m cc ngun lu lng yu cu truy cp vo. Cc t kha"operator" c th c"lt" (t hn), "gt" (ln hn), "eq" (tng ng),"Neq" (khng bng), "range" (range of port). Nu khng c dest-port c quy nh c th, cc bc tng la kt hp tt c cc cng. Cc v d ACL di y s cung cp cho chng ta mt hnh dung tt hn ca lnh cu hnh : ciscoasa(config)# access-list DMZ_IN extended permit ip any any ciscoasa(config)# access-group DMZ_IN in interface DMZ Cc lnh cu hnh trn s cho tt c cc lu lng mng thng qua tng la ciscoasa(config)# access-list INSIDE_IN 255.255.255.0 200.1.1.0 255.255.255.0 ciscoasa(config)# access-list INSIDE_IN 255.255.255.0 host 210.1.1.1 eq 80 extended extended deny deny tcp tcp 192.168.1.0 192.168.1.0

ciscoasa(config)# access-list INSIDE_IN extended permit ip any any
ciscoasa(config)# access-group INSIDE_IN in interface inside
The example above denies all TCP traffic from our internal network 192.168.1.0/24 to the external network 200.1.1.0/24. It also denies


HTTP connections (port 80) from our internal network to the external server 210.1.1.1. All other connections from the inside are permitted.
ciscoasa(config)# access-list OUTSIDE_IN extended permit tcp any host 100.1.1.1 eq 80
ciscoasa(config)# access-group OUTSIDE_IN in interface outside
The ACL configuration above allows any host on the Internet to access our Web Server (100.1.1.1). Note that 100.1.1.1 is the global public address of our web server.

e. VPN
i. Introduction
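Before the VPN material, an added example for the ACL section just finished (Python written for this edit, not code from the report): a first-match evaluator for the access-list syntax described above, with the implicit deny, replaying the INSIDE_IN and OUTSIDE_IN entries against constructed sample packets.

```python
"""First-match evaluator for the ASA 'access-list ... extended' syntax (added
example, not from the report): every ACL ends in an implicit deny."""
import ipaddress

# Port operators from the parameter list above: lt, gt, eq, neq, range.
PORT_OPS = {
    "lt": lambda p, a, b: p < a,
    "gt": lambda p, a, b: p > a,
    "eq": lambda p, a, b: p == a,
    "neq": lambda p, a, b: p != a,
    "range": lambda p, a, b: a <= p <= b,
}


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok + "/" + tokens.pop(0), strict=False)


def _take_port(tokens):
    """Consume an optional '<operator> port [port]' clause; None means any port."""
    if not tokens or tokens[0] not in PORT_OPS:
        return None
    op = tokens.pop(0)
    low = int(tokens.pop(0))
    high = int(tokens.pop(0)) if op == "range" else low
    return (op, low, high)


def parse_ace(line):
    """Parse one 'access-list NAME [line N] [extended] {permit|deny} proto src dst' line."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    name, tokens = tokens[1], tokens[2:]
    if tokens[0] == "line":          # optional explicit position of the entry
        tokens = tokens[2:]
    if tokens[0] == "extended":
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    tokens = tokens[2:]
    src = _take_addr(tokens)
    sport = _take_port(tokens)
    dst = _take_addr(tokens)
    dport = _take_port(tokens)
    return {"name": name, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _port_matches(clause, port):
    return clause is None or PORT_OPS[clause[0]](port, clause[1], clause[2])


def evaluate(acl, proto, src_ip, dst_ip, src_port=0, dst_port=0):
    """Return 'permit' or 'deny' for a packet: the first matching entry decides,
    and a packet that matches no entry hits the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):            # 'ip' covers every protocol
            continue
        if ipaddress.ip_address(src_ip) not in ace["src"]:
            continue
        if ipaddress.ip_address(dst_ip) not in ace["dst"]:
            continue
        if not (_port_matches(ace["sport"], src_port) and _port_matches(ace["dport"], dst_port)):
            continue
        return ace["action"]
    return "deny"


# The two example ACLs of this section, in the order the report lists them.
INSIDE_IN = [parse_ace(line) for line in (
    "access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 200.1.1.0 255.255.255.0",
    "access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 host 210.1.1.1 eq 80",
    "access-list INSIDE_IN extended permit ip any any",
)]
OUTSIDE_IN = [parse_ace("access-list OUTSIDE_IN extended permit tcp any host 100.1.1.1 eq 80")]

if __name__ == "__main__":
    # Constructed sample packets: (proto, source, destination, source port, destination port).
    print(evaluate(INSIDE_IN, "tcp", "192.168.1.10", "200.1.1.5", 40000, 443))   # deny
    print(evaluate(INSIDE_IN, "tcp", "192.168.1.10", "210.1.1.1", 40000, 443))   # permit
    print(evaluate(OUTSIDE_IN, "tcp", "8.8.8.8", "100.1.1.1", 40000, 443))       # deny
```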

VPN stands for Virtual Private Network; basically it is a connection from one location to another that forms a LAN model with supporting services such as email, intranet, etc., which can only be accessed when the user correctly supplies the pre-established credentials. Cisco ASA devices, besides their core firewall function, can be used to securely connect remote LANs (Site-to-Site VPN) or to let remote users/teleworkers communicate securely with their company network (Remote Access VPN). Cisco supports several VPN types on the ASA, but they generally fall into two kinds: "IPSec VPNs" or "SSL VPNs". The first kind uses the IPSec protocol to secure the information, while the second uses SSL. SSL VPN is also called WebVPN in Cisco terminology. The two general VPN kinds supported by the Cisco ASA are further divided into the following VPN technologies.

IPSec Based VPNs:
- Lan-to-Lan IPSec VPN: used to connect remote LANs over an insecure transport medium (e.g. the Internet). It runs ASA-to-ASA or ASA-to-Cisco Router.
- Remote Access with IPSec VPN Client: VPN client software installed on the user's computer provides remote access to the central network. It uses the IPSec protocol and gives the remote user full network connectivity. Users use their applications at the central site just as they would without a VPN in place.

SSL Based VPNs (WebVPN):
- Clientless Mode WebVPN: this is the first WebVPN SSL implementation, supported from ASA version 7.0 onward. It lets users establish a secure remote-access VPN tunnel using only a Web browser. No additional software or hardware is needed. However, only a limited set of applications can be accessed remotely.


- AnyConnect WebVPN: a special Java-based client installed on the user's computer provides a secure SSL tunnel to the central site. It provides full network connectivity (similar to the IPSec remote access client). All applications at the central site can be accessed remotely.

IP Security (IPSec) is an open IETF standard that enables encrypted communication. It is a suite of protocols providing data confidentiality, integrity and authentication. A virtual private network (VPN) is a secure tunnel over an insecure path (for example across the Internet). IPSec is therefore ideal for building virtual private networks over the Internet or any other insecure network. IPSec works at the network layer, encrypting and authenticating IP packets between a firewall security appliance and other IPSec-capable devices, such as Cisco routers, other Cisco firewalls, VPN software, etc. The following IPSec protocols and standards will be used later in our discussion, so it is a good idea to briefly explain their function and use:
- ESP (Encapsulation Security Payload): the first of the two main protocols in the IPSec standards. It provides data integrity, authentication and confidentiality services. ESP is used to encrypt the data payload of IP packets.
- AH (Authentication Header): the second of the two main IPSec protocols. It provides data integrity, authentication and replay detection. It does not provide an encryption service; instead it acts as a digital signature for the packets, ensuring that data tampering does not occur.
- Internet Key Exchange (IKE): the mechanism used by security devices to securely exchange cryptographic keys, authenticate IPSec peers and negotiate the IPSec security parameters. On the ASA Firewall this is synonymous with ISAKMP, as we will see in the IPSec configuration.
- DES, 3DES, AES: these are all encryption algorithms supported by the Cisco ASA Firewall. DES is the weakest (it uses a 56-bit encryption key) and AES is the strongest (it uses 128, 192 or 256-bit encryption). 3DES is a middle choice; it uses a 168-bit encryption key.
- Diffie-Hellman (DH): a public-key cryptography protocol used by IKE to establish session keys.
- MD5, SHA-1: hash algorithms used to authenticate packet data. SHA is stronger than MD5.
- Security Association (SA): an SA is a connection between two IPSec peers. Each IPSec peer maintains an SA database in its memory containing the SA parameters. An SA is uniquely identified by the IPSec peer address, the security protocol and the security parameter index (SPI).

The steps carried out by IPSec devices:
- Interesting Traffic: the IPSec devices recognize the traffic to protect.


- Phase 1 (ISAKMP): the IPSec devices negotiate an IKE security policy to establish a secure channel for communication.
- Phase 2 (IPSec): the IPSec devices negotiate an IPSec security policy to protect the data.
- Data Transfer: data is transferred securely between the IPSec peers based on the IPSec parameters and keys negotiated in the previous phases.
- IPSec Tunnel Terminated: the IPSec SA terminates when a timeout or a certain data volume is reached.

ii. Site-to-site VPN

Figure 9. Network diagram of a site-to-site IPSec VPN connection

Site-to-Site IPSec VPN is sometimes called LAN-to-LAN VPN. As its name says, this kind of VPN connects two remote LANs over the Internet. Usually the internal networks use private addressing, as shown in our diagram above. Without the VPN connection, the two LANs above (LAN-1 and LAN-2) would not be able to communicate. By configuring a Site-to-Site IPSec VPN between the two ASA firewalls, we can establish a secure tunnel over the Internet and pass our private LAN traffic inside this tunnel. As a result, hosts in the 192.168.1.0/24 network can directly access hosts in the 192.168.2.0/24 network (and vice versa) as if they were located in the same LAN. The IPSec tunnel is established between the public IP addresses of the firewalls (100.100.100.1 and 200.200.200.1).

iii. Remote access VPN
The second kind of IPSec VPN we describe is Remote Access VPN using the Cisco VPN client for remote users. This kind of VPN lets remote users/teleworkers with Internet access establish a secure IPSec VPN tunnel to their company network. The users must have the Cisco VPN client software installed on their computers, which enables secure communication with the ASA Firewall at the central office. After the VPN is established between the remote user and the ASA firewall, the user is assigned a private IP address from a predefined pool and is then attached to the corporate LAN.


Figure 10. Network diagram of a Remote Access VPN connection

The example network topology above shows the ASA Firewall protecting the corporate LAN, and a remote user with VPN client software establishing a secure connection to the ASA. An IP address in the 192.168.20.0/24 range will be assigned to the VPN client, which will be allowed to communicate with the 192.168.1.0/24 internal corporate network. When the remote access VPN is established, the remote user by default will not be able to access anything else on the Internet except the corporate LAN. This behaviour can be changed by configuring the "split tunnel" feature on the firewall, but this is not recommended for security reasons.

iv. AnyConnect VPN
Provides full network connectivity to the remote user. The ASA Firewall, working as a WebVPN server, assigns an IP address to the remote user, and the user becomes part of the network. So all IP protocols and applications pass through the VPN tunnel without any problem. For example, a remote user, after successfully authenticating to the AnyConnect VPN, can open a connection from the remote computer to a Windows Terminal Server inside the central network. Although a client is required to be installed on the user's computer, this client can be delivered automatically to the user from the ASA. The user can connect with a browser to the ASA firewall and download the Java client on demand. The Java client can either remain installed or be removed from the user's computer when disconnecting from the ASA. This client is small (about 3 MB) and is stored in the ASA's Flash memory.

Operation of AnyConnect VPN
The diagram below shows a network model with an ASA and a remote user connecting through AnyConnect VPN:


Figure 11. Network diagram of an AnyConnect VPN connection

In the diagram above, the ASA firewall is configured as an AnyConnect VPN Server. A remote user accesses the Internet and his computer's IP address is 10.1.1.1 (NIC IP). The user can do this because he is behind a router performing NAT/PAT and has a private IP address translated to a public IP address by the NAT router. When the remote user connects and successfully authenticates to the ASA with the AnyConnect Client, the ASA assigns the user an internal IP address from a pre-configured IP range (Range 192.168.5.1-20). In the diagram above, the ASA assigns IP 192.168.5.1 to the remote user. This means the remote user is virtually attached to the corporate LAN behind the ASA firewall.

There are two options for the initial installation of the AnyConnect client:
- Using the clientless WebVPN portal.
- Manual installation by the user.
Using the clientless web portal, the user first connects and authenticates to the ASA with a secure web browser, and the AnyConnect Java Client is automatically downloaded and installed on the user's computer (the user can also click the AnyConnect tab on the WebVPN portal to download the client). This requires that the Java Client (.PKG extension) has been stored on the flash memory by the administrator. This method is preferred because it automatically distributes the client to remote users. With the manual installation method, the network administrator must download the appropriate Java client (Microsoft MSI installer package or one of the versions for other operating systems) from the Cisco website and provide the file to the users to install manually on their laptops. With this method, users do not need to log in to the system via clientless mode to start the SSL VPN tunnel. Instead, users can start the AnyConnect Client manually from their computer and provide their authentication credentials to the ASA.

Steps to configure AnyConnect VPN


STEP 1: Transfer the PKG file to the flash on the ASA. First, you need to download one of the .pkg files from the Cisco website. An example Windows client file has the form anyconnect-win-x.x.xxxx-k9.pkg. To copy the .pkg file to flash, use the command:
ASA# copy {tftp|ftp|scp}://[ip address]/anyconnect-win-x.x.xxxx-k9.pkg disk0:

STEP 2: Check that the .pkg file is in flash. Also, the anyconnect web service must be enabled on the outside interface of the ASA.
ASA#configure terminal
ASA(config)#webvpn
ASA(config-webvpn)#svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
ASA(config-webvpn)#enable outside
ASA(config-webvpn)#svc enable
Note: the number 1 at the end of the file name is the file order. It is used when you have more than one image stored on the ASA flash (for example AnyConnect client images for Windows and MAC).

STEP 3: Exempt WebVPN SSL traffic from the Access List check on the outside interface. By default, WebVPN traffic is not exempt from the Access List check when it terminates on the outside interface: once the traffic is decrypted, it is checked against the inbound ACL applied on the outside interface. You must either include permit statements for the decrypted traffic in the ACL or use sysopt connection permit-vpn.
ASA(config)# sysopt connection permit-vpn

STEP 4: This step is optional, but it is really useful. All SSL VPN communication between the remote user and the ASA works over secure HTTPS (port 443). This means users must use https://[ASA Public IP] in their browser. Since most users are used to http://, you can set up port redirection so that users can use http:// (port 80) and the ASA automatically redirects the browser to port 443.
ASA(config)# http redirect outside 80

STEP 5: Create an IP address pool from which the ASA assigns addresses to remote users. From the diagram above, after the user authenticates, the ASA assigns the remote user an IP address in the range 192.168.5.1 to 192.168.5.20.


ASA(config)# ip local pool VPNpool 192.168.5.1-192.168.5.20 mask 255.255.255.0

STEP 6: Create the NAT rules for traffic between the corporate LAN behind the ASA (192.168.1.0/24) and the remote users' address pool (the nat 0 entry exempts this traffic from translation).
ASA(config)# access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list NONAT
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0

ASA(config)# global (outside) 1 interface
(We assume that we do PAT on the outside interface.)

STEP 7: Create a Group Policy for AnyConnect WebVPN users. Group Policy lets you separate remote-access users into groups with different attributes. Group Policy attributes that can be configured include DNS server addresses, split-tunnel settings, how the client is downloaded (automatically or after prompting the user), and whether the client software stays permanently on the user's computer.
ASA(config)# group-policy policy name internal
ASA(config)# group-policy policy name attributes
ASA(config-group-policy)# vpn-tunnel-protocol {[svc] [webvpn][ipsec] [l2tp-ipsec]}
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# svc keep-installer {installed | none}
ASA(config-group-webvpn)# svc ask {none | enable [default {webvpn | svc} timeout value]}
Notes:
svc keep-installer {installed | none}: installed means the client stays permanently installed on the user's computer even after disconnecting. The default is that the client is uninstalled after the user disconnects from the AnyConnect session.
svc ask {none | enable [default {webvpn | svc} timeout value]}

This command controls how the AnyConnect Client is downloaded to the user's computer.

STEP 8: Create a Tunnel Group. The Tunnel Group must be associated with the Group Policy configured above. It also links the Group Policy with the IP address pool we configured for remote users.
ASA(config)# tunnel-group tunnel name type remote-access
ASA(config)# tunnel-group tunnel name general-attributes
ASA(config-tunnel-general)# default-group-policy group policy name


Assign the Group Policy configured in Step 7 above.
ASA(config-tunnel-general)# address-pool IP Pool for VPN
Assign the IP address pool configured in Step 5 above.
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group tunnel name webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias group_name_alias enable
Create an alias name for the tunnel group; it will be listed on the login screen of the AnyConnect Client.
ASA(config-tunnel-webvpn)# exit
ASA(config)# webvpn
ASA(config-webvpn)#tunnel-group-list enable

Enable the list of alias names on the login screen of the AnyConnect Client.

STEP 9: Create a local user on the ASA; it will be used to authenticate AnyConnect.
ASA(config)# username ssluser1 password secretpass
ASA(config)# username ssluser1 attributes
ASA(config-username)# service-type remote-access

f. Routing Protocol
i. Concepts
First you need to know that the ASA is not a full-function router. However, it still has a routing table that is used to choose the best path to reach a given destination network. After all, if a packet passes the firewall rule check, it still has to be routed by the firewall to its destination. The Cisco ASA Firewall supports both static and dynamic routing. Three dynamic routing protocols are supported, namely RIP, OSPF and EIGRP. It is highly recommended to configure static routing on ASA firewalls instead of dynamic routing. This is because using dynamic routing protocols can expose your internal network structure to external networks. If you are not careful with the dynamic routing configuration, it may start advertising your internal subnets to untrusted external networks. However, there are situations where a dynamic routing configuration is necessary. One such case is a large network in which the ASA Firewall sits inside the internal network or the data center. In that case you benefit from using a dynamic routing protocol on the ASA, because you do not have to configure static routes and there is no risk of disclosing internal subnets to untrusted networks (since the ASA lies deep inside the campus network). Here are some routing best practices for the ASA:
- For small networks, use only static routing. Use a default static route pointing at the gateway address connected to the outside interface


(usually the Internet), and also use static routes for internal networks that are more than one hop away (i.e. not directly connected). Any network directly connected to an ASA interface does NOT need any static route configuration; the ASA Firewall takes care of this.
- If the ASA is connected at the perimeter of the network (i.e. the border between trusted and untrusted networks), then define a default route toward the untrusted external network and configure specific static routes for the internal networks.
- If the ASA is located inside a large network with many internal network routes, then configure a dynamic routing protocol.

ii. Routing techniques
Static routing
There are 3 kinds of static routes:
- Directly Connected Route: directly connected routes are created automatically in the ASA routing table when you configure an IP address on a device interface.
- Normal Static Route: provides a fixed path to a specific network.
- Default Route: the default route is a statically configured route on the router to which the router forwards any packet destined for a network that is not in its routing table.
Use the route command to configure static routing:
ASA(config)# route [interface-name] [destination-network] [netmask] [gateway]
[interface-name]: the ASA interface through which the packet will leave.
[destination-network] [netmask]: the destination address and subnet mask.
[gateway]: the next hop to which the ASA sends the packet.
For the static routing configuration, refer to the diagram below.


Figure 12. Network model for static routing
ASA(config)# route outside 0.0.0.0 0.0.0.0 100.1.1.1 (Default Route)
ASA(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1 (Static Route. To reach network 192.168.2.0 send the packets to 192.168.1.1)

Dynamic routing
RIP: RIP is one of the oldest dynamic routing protocols. Although it is not widely used in today's networks, you may still find it in some cases. Cisco ASA version 7.x supports RIP in a limited way. ASA devices (v7.x) can only accept RIP routes and optionally advertise a static route. They cannot, however, receive RIP advertisements from one neighbouring network and then advertise those routes to another neighbouring network. From ASA version 8.x onward, the security appliance supports full RIP functionality. Both RIPv1 and RIPv2 are supported. However, using RIPv1 is not recommended because it does not support routing update authentication.
OSPF: OSPF (Open Shortest Path First) is a dynamic routing protocol based on Link States rather than Distance Vectors (as RIP is) to choose the optimal path. It is a better and more scalable routing protocol than RIP, which is why it is widely used in large enterprise networks. OSPF can be very complex, and one could write a whole book about it.
EIGRP: EIGRP is an enhanced version of the old IGRP. It is a Cisco proprietary protocol that only runs between Cisco devices. Support for EIGRP on the Cisco ASA exists from version 8.0 onward. Although EIGRP is very easy to use and flexible, network designers and administrators hesitate to use it widely since it only works


with Cisco devices, so you are effectively dependent on a single vendor. (Note: IPv6 is supported on the Cisco ASA running EIGRP.)

g. Link redundancy with SLA
When you configure a static route on the security appliance, the route stays permanently in the routing table. The only way for a static route to be removed from the routing table is for the corresponding interface on the ASA to go down. In all other cases, such as when the remote default gateway goes down and the link is interrupted, the ASA keeps sending packets to its gateway router without knowing that it is actually down. From ASA version 7.2 onward, the static route tracking feature was introduced. The ASA tracks a static route by sending ICMP echo request packets through the primary static route and waiting for replies. If the primary path goes down, a secondary path is used. This feature is very useful when you want to implement Dual-ISP redundancy, as in the diagram below.

Figure 13. Description of the SLA redundant link

In the network scenario above, interface eth0/0 (outside) is connected to the primary ISP and interface eth0/1 (backup) is connected to the backup ISP. Two default static routes will be configured (one for each ISP) that use the "track" feature. The primary ISP route is tracked using ICMP echo requests. If the echo reply is not received within a predefined time, the secondary static route is used. Note, however, that this approach only suits outbound traffic (i.e. from the internal network toward the Internet).

h. Failover
i. Introduction
Failover is a unique, Cisco-proprietary feature of the security appliances. Failover provides redundancy between ASA security appliances: one appliance backs up another. This redundancy mechanism provides resilience in


your network. And depending on the failover type you use and how you implement failover, the failover process can, in most cases, be transparent to users and hosts. In this part you will learn about the failover feature. I will discuss the two failover types, hardware and stateful; the requirements you must meet to implement failover; the limitations you will run into when implementing failover; and how to handle software upgrades for a pair of ASA appliances in a failover configuration.

ii. Failover types
There are two kinds of failover: hardware failover (in some cases called stateless failover) and stateful failover. When the first version of failover was used, only hardware failover was available. Starting with version 6, stateful failover was implemented. Hardware failover only provides hardware redundancy; in other words, it is called the physical failover of an appliance. The configuration between the two ASA appliances is synchronized, but nothing else. So, for example, if the appliance handling a connection fails, the other ASA can take over forwarding the traffic of the failed appliance. But since the original connection is not re-created on the second appliance, the connection fails: this means all active connections are lost and must be re-established through the second appliance. For hardware failover, a failover link is required between the two ASA appliances; this is discussed in the Failover Cabling section. Stateful failover provides both hardware and state redundancy. Besides synchronizing the configuration of the ASA security appliances, other information is synchronized as well. This synchronization includes information on the routing table, xlates, the current date and time, the layer 2 MAC address table (if the ASA is in transparent mode), SIP and VPN connections. When implementing stateful failover, you need two links between the ASAs: a failover link and a stateful link.

iii. Failover implementation
There are two implementations that Cisco supports for failover. Through version 6 of the OS, only active/standby was supported; active/active has been supported since version 7. This section discusses the two failover kinds and how IP and MAC addressing of the appliances is implemented in both.
Active/Standby Failover
The active/standby failover implementation has two appliances: primary and secondary. By default the primary takes the active role and the secondary the standby role. Only the appliance in the active role processes traffic between the interfaces. Except for a few parameters, all configuration changes made on the active appliance are synchronized to the standby appliance. The standby appliance acts as a hot standby or backup for the active one. It does not forward traffic through its interfaces. Its main function is to monitor the operation of the active appliance and promote itself to the active role if the active appliance stops operating.


Figure 14. Active/standby failover model

Addressing and Failover
Each appliance (or context) participating in failover needs a unique IP and MAC address for each subnet it is connected to. If failover occurs, the appliance currently in the standby role is promoted to the active role and changes its IP and MAC addresses to those of the primary appliance. The new active appliance then sends frames out of every interface to update the MAC address tables of the directly connected devices. Note that the failed ASA does not become a standby appliance unless the problem that caused the failover is resolved. After the problem is fixed, the appliance that previously had the active role returns to failover operation in the standby role and takes the IP and MAC addresses of a normal standby appliance. In active/standby failover there is no preemption; in active/active failover, however, preemption is an option.


Figure 15. Failover and addressing model

Active/Active Failover
In the Active/Active failover implementation, both ASA appliances in the failover pair process traffic. To achieve this, two contexts are created: CTX1 takes the active role and forwards traffic for the left LAN while being standby for the right LAN, and the reverse holds for CTX2. Then, static routes on the directly connected routers are used to load-balance traffic between the two contexts, if they run in routed mode. If the contexts run in transparent mode, the directly connected routers can use dynamic routing protocols and two equal-cost paths through the contexts to the routers on the other side.


Figure 15. Active/active failover model

III. Deploying the ASA features on GNS3
1. Deployment model
i. Physical model
[Figure: physical topology. ASA interfaces: E0/0 Inside, 192.168.10.0/24 (host 192.168.10.2/24); E0/1 DMZ, 10.0.0.0/24 (FTP Server and WEB Server at 10.0.0.2/24); E0/2 Outside, 203.162.4.0/24 toward the Primary ISP; E0/3 toward the Backup ISP, 123.0.0.0/24; INTERNET 200.200.200.0/24 with a Remote PC at 200.200.200.2/24.]

ii. Model on GNS3


2. Configuration on the ASA
i. Routing

In the deployment model, the ASA firewall is responsible for routing all internal networks out to the Internet. Depending on requirements, routing can use static routing (static route and default-route) or dynamic routing (RIP, EIGRP, OSPF). However, for the routing devices of small companies, static routing is preferred. In this model we use a default route for the internal networks toward the external ISP.
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 203.162.4.2

ii. Access Control List

By default, the ASA only allows traffic from a zone with a higher security-level to a zone with a lower security-level. To make network troubleshooting easier, we allow ICMP traffic from the DMZ (security-level 50) into the inside zone (security-level 100).
access-list DMZ_access_in extended permit icmp any any
Similarly, there is an access list on the outside interface that allows ICMP packets through:
access-list 101 extended permit icmp any any
In the diagram above, the company builds a web server and an FTP server to support its operations. Here, we build the IIS Web server and the FTP server in the DMZ with address 10.0.0.2, NATed to the outside address 203.162.4.100 so that all computers on the Internet can reach the company's Web server. For external machines to reach it, we create an access control list that permits http and ftp to the address 203.162.4.100.


access-list 101 extended permit tcp any host 203.162.4.100 eq www
access-list 101 extended permit tcp any host 203.162.4.100 eq ftp
access-list 101 extended permit tcp any host 203.162.4.100 eq ftp-data

iii. NAT

As in the model commonly applied in company networks today, all traffic from the internal network to the outside uses address translation (PAT). All networks in the model, 192.168.10.0/24 and 10.0.0.0/24, are PATed to the outside interface address 203.162.4.1. This helps increase the security of the network.
nat (inside) 1 192.168.10.0 255.255.255.0
nat (DMZ) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
global (backup) 1 interface
In addition, publishing the internal web server and ftp server to the outside requires static NAT. Here, the web server and ftp server with address 10.0.0.2 are published to the outside with the address 203.162.4.100.
static (DMZ,outside) tcp 203.162.4.100 ftp-data 10.10.10.2 ftp-data netmask 255.255.255.255
static (DMZ,outside) tcp 203.162.4.100 ftp 10.10.10.2 ftp netmask 255.255.255.255
static (DMZ,outside) tcp 203.162.4.100 www 10.10.10.2 www netmask 255.255.255.255

iv. Link monitoring
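Before the link-monitoring discussion, an added example for the NAT rules of section iii above (Python written for this edit, not the report's own code): a simplified model of the pre-8.3 ASA translation order, exemption (the nat 0 / NO_NAT entry taken from the appendix running config) first, then static port translation, then dynamic PAT. The interface addresses come from the appendix; the sequential PAT port allocator and the sample packets are assumptions.

```python
"""Simplified model of the pre-8.3 ASA translation rules of this section (added
example, not the report's code): NAT exemption first, then static, then dynamic PAT."""
import ipaddress

# Interface addresses taken from the running config in the appendix.
INTERFACE_IP = {"outside": "203.162.4.1", "backup": "123.0.0.1"}
# Service names the ASA CLI accepts in place of port numbers.
SERVICE_PORTS = {"www": 80, "ftp": 21, "ftp-data": 20}


def _port(tok):
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)


class NatTable:
    def __init__(self):
        self.exempt = []     # (ingress, src_net, dst_net) from 'nat (if) 0 access-list'
        self.static = {}     # (mapped_if, proto, mapped_ip, mapped_port) -> (real_if, real_ip, real_port)
        self.nat_ids = []    # (ingress, nat_id, real_net) from 'nat (if) id net mask'
        self.globals = {}    # (egress, nat_id) -> mapped address from 'global (if) id ...'
        self.xlate = {}      # (ingress, proto, real_ip, real_port) -> (mapped_ip, mapped_port)
        self.next_port = 1024  # assumption: a simple sequential PAT port allocator

    def add_exemption(self, ingress, src_cidr, dst_cidr):
        """nat (ingress) 0 access-list X, where X is a 'permit ip src dst' entry."""
        self.exempt.append((ingress, ipaddress.ip_network(src_cidr), ipaddress.ip_network(dst_cidr)))

    def add_static(self, line):
        """static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask ..."""
        t = line.split()
        real_if, mapped_if = t[1].strip("()").split(",")
        self.static[(mapped_if, t[2], t[3], _port(t[4]))] = (real_if, t[5], _port(t[6]))

    def add_nat(self, line):
        """nat (ingress) id network mask"""
        t = line.split()
        self.nat_ids.append((t[1].strip("()"), int(t[2]), ipaddress.ip_network(t[3] + "/" + t[4])))

    def add_global(self, line):
        """global (egress) id {interface | address}"""
        t = line.split()
        egress = t[1].strip("()")
        self.globals[(egress, int(t[2]))] = INTERFACE_IP[egress] if t[3] == "interface" else t[3]

    def outbound(self, ingress, egress, proto, src, sport, dst):
        """Translate a packet from a higher-security interface to a lower one.
        Returns the (mapped source, mapped port) pair, or None when no rule matches
        (with nat-control enabled the ASA drops such a packet)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for inf, snet, dnet in self.exempt:
            if inf == ingress and s in snet and d in dnet:
                return (src, sport)                      # nat 0: forwarded untranslated
        for inf, nat_id, net in self.nat_ids:
            if inf == ingress and s in net and (egress, nat_id) in self.globals:
                key = (ingress, proto, src, sport)
                if key not in self.xlate:                # one PAT slot per real socket
                    self.xlate[key] = (self.globals[(egress, nat_id)], self.next_port)
                    self.next_port += 1
                return self.xlate[key]
        return None

    def inbound(self, ingress, proto, dst, dport):
        """Untranslate a packet arriving at a mapped address: (real_if, real ip, real port)
        from a matching static entry, or None (no translation exists, packet dropped)."""
        return self.static.get((ingress, proto, dst, dport))


def build_report_nat():
    """The NAT configuration of this section plus the NO_NAT exemption of the appendix."""
    nat = NatTable()
    nat.add_exemption("inside", "192.168.10.0/24", "10.10.10.0/24")
    for line in ("nat (inside) 1 192.168.10.0 255.255.255.0",
                 "nat (DMZ) 1 10.10.10.0 255.255.255.0"):
        nat.add_nat(line)
    for line in ("global (outside) 1 interface", "global (backup) 1 interface"):
        nat.add_global(line)
    for line in (
        "static (DMZ,outside) tcp 203.162.4.100 ftp-data 10.10.10.2 ftp-data netmask 255.255.255.255",
        "static (DMZ,outside) tcp 203.162.4.100 ftp 10.10.10.2 ftp netmask 255.255.255.255",
        "static (DMZ,outside) tcp 203.162.4.100 www 10.10.10.2 www netmask 255.255.255.255",
    ):
        nat.add_static(line)
    return nat


if __name__ == "__main__":
    nat = build_report_nat()
    # Constructed sample packets.
    print(nat.outbound("inside", "outside", "tcp", "192.168.10.2", 50000, "8.8.8.8"))  # PAT
    print(nat.outbound("inside", "DMZ", "tcp", "192.168.10.2", 50000, "10.10.10.2"))   # exempt
    print(nat.inbound("outside", "tcp", "203.162.4.100", 80))                           # static
```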

Link outages happen often. For problems inside the internal network, administrators can handle troubleshooting proactively. However, we cannot control problems whose cause lies on the ISP side. Therefore, to ensure the information system is available at all times, one usually rents an additional backup link to switch to when the primary link fails. The ASA supports a mechanism to monitor the link and switch to the backup link immediately. This works by having the ASA continuously ping the ISP address; if it receives no reply from the ISP within the configured time, it considers the link to the ISP failed and immediately switches to the backup link. While running on the backup link, it keeps pinging the Primary ISP; as soon as it receives a reply from the Primary, it switches back to the link to the Primary ISP.
sla monitor 100
 type echo protocol ipIcmpEcho 203.162.4.2 interface outside
 timeout 3000


 frequency 5
sla monitor schedule 100 life forever start-time now
track 10 rtr 100 reachability
route outside 0.0.0.0 0.0.0.0 203.162.4.2 1 track 10
route backup 0.0.0.0 0.0.0.0 123.0.0.2 254

v. DHCP
We build the DHCP server right on the ASA so that it assigns IP addresses to the inside network.
dhcpd address 192.168.10.50-192.168.10.100 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
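An added example for the tracked default routes of section iv above and the SLA description in section II.g (Python written for this edit, not the report's own code): a routing table that parses the sla monitor, track and route lines of section iv, creates the directly connected routes from the interface addresses in the appendix, and re-selects the default route when the echo probe of the primary ISP fails. The initial "up" state of the monitor and the probe results are assumptions.

```python
"""Model of ASA static routing with SLA-tracked routes (added example, not the
report's code): longest prefix first, then lowest metric, among routes whose track is up."""
import ipaddress

# The link-monitoring configuration of section iv, verbatim.
CONFIG = """\
sla monitor 100
 type echo protocol ipIcmpEcho 203.162.4.2 interface outside
 timeout 3000
 frequency 5
sla monitor schedule 100 life forever start-time now
track 10 rtr 100 reachability
route outside 0.0.0.0 0.0.0.0 203.162.4.2 1 track 10
route backup 0.0.0.0 0.0.0.0 123.0.0.2 254
"""


class TrackedRoutingTable:
    def __init__(self):
        self.routes = []     # dicts: iface, network, gateway, metric, track
        self.monitors = {}   # sla id -> {"target", "iface", "timeout_ms", "frequency_s", "up"}
        self.tracks = {}     # track id -> sla id
        self._current = None  # sla monitor block being parsed

    def connected(self, iface, cidr):
        """Directly connected route, created when an interface receives an address."""
        self.routes.append({"iface": iface, "network": ipaddress.ip_network(cidr, strict=False),
                            "gateway": None, "metric": 0, "track": None})

    def load(self, text):
        """Parse 'sla monitor', 'track ... rtr ... reachability' and 'route' lines."""
        for raw in text.splitlines():
            t = raw.split()
            if not t:
                continue
            if t[:2] == ["sla", "monitor"] and t[2].isdigit():
                self._current = int(t[2])
                self.monitors[self._current] = {"up": True}  # assumption: first probe succeeded
            elif t[0] == "type" and "ipIcmpEcho" in t:
                i = t.index("ipIcmpEcho")
                self.monitors[self._current].update(target=t[i + 1], iface=t[t.index("interface") + 1])
            elif t[0] == "timeout":
                self.monitors[self._current]["timeout_ms"] = int(t[1])
            elif t[0] == "frequency":
                self.monitors[self._current]["frequency_s"] = int(t[1])
            elif t[0] == "track" and t[2] == "rtr":
                self.tracks[int(t[1])] = int(t[3])
            elif t[0] == "route":
                # route <iface> <network> <mask> <gateway> [metric] [track <id>]
                self.routes.append({
                    "iface": t[1], "network": ipaddress.ip_network(t[2] + "/" + t[3]),
                    "gateway": t[4], "metric": int(t[5]) if len(t) > 5 else 1,
                    "track": int(t[7]) if len(t) > 7 and t[6] == "track" else None})

    def probe(self, sla_id, reply_received):
        """Record the outcome of one ICMP echo of the given monitor (reachability state)."""
        self.monitors[sla_id]["up"] = reply_received

    def _usable(self, route):
        return route["track"] is None or self.monitors[self.tracks[route["track"]]]["up"]

    def lookup(self, dst):
        """Return (interface, gateway) for a destination, or None if nothing matches."""
        d = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if d in r["network"] and self._usable(r)]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))
        return (best["iface"], best["gateway"])


def build_report_table():
    rt = TrackedRoutingTable()
    # Interface addresses from the appendix running config (connected routes).
    for iface, cidr in (("inside", "192.168.10.1/24"), ("DMZ", "10.10.10.1/24"),
                        ("outside", "203.162.4.1/24"), ("backup", "123.0.0.1/24")):
        rt.connected(iface, cidr)
    rt.load(CONFIG)
    return rt


if __name__ == "__main__":
    rt = build_report_table()
    print(rt.lookup("8.8.8.8"))        # ('outside', '203.162.4.2') while the primary ISP answers
    rt.probe(100, False)               # constructed: echo to 203.162.4.2 timed out
    print(rt.lookup("8.8.8.8"))        # ('backup', '123.0.0.2')
```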


APPENDIX
ASA configuration
ciscoasa# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 203.162.4.1 255.255.255.0
!
interface Ethernet0/3
 nameif backup
 security-level 100
 ip address 123.0.0.1 255.255.255.0
!
interface Ethernet0/4
 shutdown


 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list icmp-in extended permit icmp any any
access-list 101 extended permit tcp any host 203.162.4.100 eq www
access-list 101 extended permit tcp any host 203.162.4.100 eq ftp
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any host 203.162.4.100 eq ftp-data
access-list NO_NAT extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
pager lines 24
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list NO_NAT


nat (inside) 1 192.168.10.0 255.255.255.0
nat (DMZ) 1 10.10.10.0 255.255.255.0
static (DMZ,outside) tcp 203.162.4.100 ftp-data 10.10.10.2 ftp-data netmask 255.255.255.255
static (DMZ,outside) tcp 203.162.4.100 ftp 10.10.10.2 ftp netmask 255.255.255.255
static (DMZ,outside) tcp 203.162.4.100 www 10.10.10.2 www netmask 255.255.255.255

access-group DMZ_access_in in interface DMZ
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 203.162.4.2 1 track 10
route backup 0.0.0.0 0.0.0.0 123.0.0.2 254
timeout xlate 3:00:00