Network/ASA Firewall&VPN 2015. 11. 25. 16:37

ASA Chapter 2: Basic Configuration and ASDM Installation/Access

 

Chapter 2 covers the basic ASA configuration and how to install and connect to ASDM.

 

 

[Figure 1-1] ASA Firewall topology

 

 

nameif    Segment             Security-Level   Subnet
inside    internal network    100              10.0.1.0/24
outside   external network    0                121.160.30.0/24
                                               198.133.219.0/24
dmz       DMZ network         50               192.168.1.0/24

[Table 1-1] ASA interface information

 

 

 

Step 1) On the PC loopback interface, configure '10.0.1.11/24' and the default gateway '10.0.1.11'.

 

 

Step 2) Referring to [Table 1-1], configure the nameif and IP address on the ASA1 G0, G1 and G2 interfaces.

 

ciscoasa> en
Password:
ciscoasa#
ciscoasa# conf t
ciscoasa(config)# hostname ASA1
ASA1(config)#
ASA1(config)# int g1
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)#
ASA1(config-if)# ip address 10.0.1.1 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config-if)#
ASA1(config-if)# int g2
ASA1(config-if)# nameif dmz  
INFO: Security level for "dmz" set to 0 by default.
ASA1(config-if)#
ASA1(config-if)# security-level 50
ASA1(config-if)# ip address 192.168.1.1 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config-if)#
ASA1(config-if)# int g0
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)#
ASA1(config-if)# ip address 121.160.30.1 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config-if)#


ASA1(config-if)# show int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           121.160.30.1    YES manual up                    up 
GigabitEthernet1           10.0.1.1        YES manual up                    up 
GigabitEthernet2           192.168.1.1     YES manual up                    up 
GigabitEthernet3           unassigned      YES unset  administratively down up 
GigabitEthernet4           unassigned      YES unset  administratively down up 
GigabitEthernet5           unassigned      YES unset  administratively down up 

 

ASA1(config-if)# show ip address
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         outside                121.160.30.1    255.255.255.0   manual
GigabitEthernet1         inside                 10.0.1.1        255.255.255.0   manual
GigabitEthernet2         dmz                    192.168.1.1     255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         outside                121.160.30.1    255.255.255.0   manual
GigabitEthernet1         inside                 10.0.1.1        255.255.255.0   manual
GigabitEthernet2         dmz                    192.168.1.1     255.255.255.0   manual

 

ASA1(config-if)# show nameif
Interface                Name                     Security
GigabitEthernet0         outside                    0
GigabitEthernet1         inside                   100
GigabitEthernet2         dmz                       50

 

 

Step 3) Perform the basic configuration of LocalServer, DMZ, R1 and ExternalServer. Instead of a default gateway, each device uses a static default route.

 

 - Common router configuration

 

Router(config)#ip http server

Router(config)#line vty 0 4

Router(config-line)#no login

Router(config-line)#privilege level 15

 

 

LocalServer(config)#int fa0/0
LocalServer(config-if)#ip address 10.0.1.10 255.255.255.0
LocalServer(config-if)#no shutdown
LocalServer(config-if)#
LocalServer(config-if)#ip route 0.0.0.0 0.0.0.0 10.0.1.1

DMZ(config)#int fa0/0
DMZ(config-if)#ip address 192.168.1.2 255.255.255.0
DMZ(config-if)#no shutdown
DMZ(config-if)#
DMZ(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

 

R1(config)#int fa0/0
R1(config-if)#ip address 121.160.30.2 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
R1(config-if)#int fa0/1
R1(config-if)#ip address 198.133.219.2 255.255.255.0
R1(config-if)#no shutdown

 

ExternalServer(config)#int fa0/1
ExternalServer(config-if)#ip address 198.133.219.1 255.255.255.0
ExternalServer(config-if)#no shutdown
ExternalServer(config-if)#
ExternalServer(config-if)#ip route 0.0.0.0 0.0.0.0 198.133.219.2

 

 

Step 4) Once the configuration is complete, run ping tests between directly connected neighbouring devices.

 

ASA1#ping 10.0.1.11
ASA1#ping 10.0.1.10
ASA1#ping 192.168.1.2
ASA1#ping 121.160.30.2

R1#ping 121.160.30.1
R1#ping 198.133.219.1

 

 

Step 5) On R1, configure static routes so that packets can be forwarded to the inside and dmz segments.

 

R1(config)#ip route 10.0.1.0 255.255.255.0 121.160.30.1
R1(config)#ip route 192.168.1.0 255.255.255.0 121.160.30.1

 

 

Step 6) On ASA1, configure a static default route toward the outside interface.

 

ASA1(config)# route outside 0.0.0.0 0.0.0.0 121.160.30.2
ASA1(config)#
ASA1(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 121.160.30.2 to network 0.0.0.0

C    10.0.1.0 255.255.255.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, dmz
C    121.160.30.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 121.160.30.2, outside
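As an added check that is not part of the original post: the short Python audit below parses the `show nameif` and `show route` output captured above and compares it with the design in [Table 1-1] and Step 6. It catches the classic slip visible in the INFO line of Step 2, where dmz defaults to security level 0 (the same as outside) until `security-level 50` is set, and also reports a missing or wrongly pointed default route. The expected values are the page's own; the function names are this example's.

```python
import re

# Intended design from Table 1-1 and Step 6 (values taken from the page).
EXPECTED_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}
EXPECTED_DEFAULT = ("121.160.30.2", "outside")

# 'show nameif' and 'show route' output as captured on ASA1 in this chapter.
SHOW_NAMEIF = """\
Interface                Name                     Security
GigabitEthernet0         outside                    0
GigabitEthernet1         inside                   100
GigabitEthernet2         dmz                       50
"""
SHOW_ROUTE = """\
Gateway of last resort is 121.160.30.2 to network 0.0.0.0
C    10.0.1.0 255.255.255.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, dmz
C    121.160.30.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 121.160.30.2, outside
"""

NAMEIF_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s*$")   # header row has no number
DEFAULT_RE = re.compile(r"^S\*\s+0\.0\.0\.0 0\.0\.0\.0 \[\d+/\d+\] via (\S+), (\S+)$")

def parse_nameif(text):
    """Map each nameif to its security level from 'show nameif' output."""
    return {m.group(2): int(m.group(3))
            for m in map(NAMEIF_RE.match, text.splitlines()) if m}

def parse_default_route(text):
    """Return (next_hop, nameif) of the S* default route, or None if absent."""
    for m in map(DEFAULT_RE.match, text.splitlines()):
        if m:
            return m.group(1), m.group(2)
    return None

def audit(nameif_text, route_text):
    """List deviations from the design; an empty list means ASA1 matches it."""
    findings = []
    levels = parse_nameif(nameif_text)
    for name, want in EXPECTED_LEVELS.items():
        if levels.get(name) != want:   # catches dmz left at the default 0 (same as outside)
            findings.append(f"{name}: security-level {levels.get(name)} (expected {want})")
    for name in levels.keys() - EXPECTED_LEVELS.keys():
        findings.append(f"unexpected nameif {name} (level {levels[name]})")
    default = parse_default_route(route_text)
    if default != EXPECTED_DEFAULT:
        findings.append(f"default route {default} (expected {EXPECTED_DEFAULT})")
    return findings
```

Feed it the output of a real `show nameif` / `show route` and an empty list confirms the box matches the table; two interfaces sharing a level would otherwise pass no traffic between them without `same-security-traffic permit`.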

 

 

Step 7) Once the configuration is complete, run ping tests.

 

ExternalServer#ping 10.0.1.11

ExternalServer#ping 10.0.1.10

ExternalServer#ping 192.168.1.2

 

DMZ#ping 10.0.1.11

DMZ#ping 10.0.1.10

DMZ#ping 198.133.219.1

 

LocalServer#ping 192.168.1.2

LocalServer#ping 198.133.219.1

 

PC>ping 192.168.1.2

PC>ping 198.133.219.1

 

 

Step 8) Test Telnet connections and HTTP access.

 

ExternalServer#telnet 10.0.1.10

ExternalServer#telnet 10.0.1.10 80

ExternalServer#telnet 192.168.1.2

ExternalServer#telnet 192.168.1.2 80

 

DMZ#telnet 10.0.1.10

DMZ#telnet 10.0.1.10 80

DMZ#telnet 198.133.219.1

DMZ#telnet 198.133.219.1 80

 

LocalServer#telnet 192.168.1.2

LocalServer#telnet 192.168.1.2 80

LocalServer#telnet 198.133.219.1

LocalServer#telnet 198.133.219.1 80

 

PC>telnet 192.168.1.2

Browser -> 'http://192.168.1.2'

 

PC>telnet 198.133.219.1

Browser -> 'http://198.133.219.1'

 

 

Step 9) On R1, set the time manually as shown below, then configure R1 to act as an NTP server.

 

R1#clock set 10:00:00 25 nov 2015
R1#
R1#conf t

R1(config)#ntp source fa0/0      
R1(config)#ntp master 1

R1(config)#
R1(config)#do show clock
10:00:35.167 UTC Wed Nov 25 2015

 

 

Step 10) Configure ASA1 to synchronize its clock from R1 using NTP.

 

ASA1(config)# ntp server 121.160.30.2 source outside prefer
ASA1(config)# clock timezone KST 9

 

ASA1(config)# show clock detail
19:03:30.795 KST Wed Nov 25 2015
Time source is NTP
UTC time is: 10:03:30 UTC Wed Nov 25 2015

ASA1(config)# show ntp status 
Clock is synchronized, stratum 2, reference is 121.160.30.2
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is da0005ed.c0d5388f (19:03:25.753 KST Wed Nov 25 2015)
clock offset is -123.3757 msec, root delay is 35.14 msec
root dispersion is 261.44 msec, peer dispersion is 138.03 msec

 

 

Step 11) Configure syslog so that log messages are sent to a syslog server. Here the PC acts as the syslog server.

 

 - Run the Kiwi Syslog server on the PC

 

ASA1(config)# logging enable
ASA1(config)# logging trap debugging
ASA1(config)# logging asdm informational
ASA1(config)# logging host inside 10.0.1.11
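With `logging trap debugging` the ASA forwards every severity to 10.0.1.11, so the receiver has to do the filtering. As an added example, not from the original post or from Kiwi, the Python below parses lines in the format the ASA emits (`<PRI>%ASA-<severity>-<message-id>: text`), checks that the PRI header agrees with the `%ASA-<severity>` field, and separates what deserves a look (severity 4 and below, ACL denies, configuration commands) from connection-tracking noise. The sample lines are constructed for this example using addresses from [Table 1-1]; the message IDs (302013/302014 connection built/teardown, 106023 ACL deny, 111008 command executed, 609001 local-host) are from the ASA syslog catalogue.

```python
import re
from collections import Counter

# Constructed sample lines in the shape ASA sends to a syslog host (PRI header,
# then %ASA-<severity>-<message-id>: text); addresses are those of Table 1-1.
SAMPLE_LOG = """\
<166>%ASA-6-302013: Built outbound TCP connection 17 for outside:198.133.219.1/80 (198.133.219.1/80) to inside:10.0.1.10/1025 (121.160.30.1/1025)
<164>%ASA-4-106023: Deny tcp src outside:198.133.219.1/4100 dst inside:10.0.1.10/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
<165>%ASA-5-111008: User 'enable_15' executed the 'logging host inside 10.0.1.11' command.
<167>%ASA-7-609001: Built local-host inside:10.0.1.11
<166>%ASA-6-302014: Teardown TCP connection 17 for outside:198.133.219.1/80 to inside:10.0.1.10/1025 duration 0:00:02 bytes 1430 TCP FINs
"""

MSG_RE = re.compile(r"^(?:<(?P<pri>\d{1,3})>)?%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")

# Message IDs a reviewer wants regardless of severity: ACL denies and configuration commands.
WATCH_IDS = {"106023": "acl-deny", "111008": "config-change"}

def parse_asa_syslog(line):
    """Split one line into severity, message id, text and (if present) syslog facility."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "id": m["id"], "text": m["text"]}
    if m["pri"] is not None:
        pri = int(m["pri"])
        rec["facility"] = pri // 8
        # The PRI severity should equal the %ASA-<sev> field; a mismatch means a
        # relay rewrote the header or the message did not arrive from the ASA as-is.
        rec["pri_mismatch"] = pri % 8 != rec["severity"]
    return rec

def triage(text, max_severity=4):
    """Count messages per severity and collect the ones worth a human's attention."""
    counts, alerts = Counter(), []
    for rec in filter(None, map(parse_asa_syslog, text.splitlines())):
        counts[rec["severity"]] += 1
        if rec["severity"] <= max_severity or rec["id"] in WATCH_IDS:
            alerts.append((rec["id"], WATCH_IDS.get(rec["id"], "severity"), rec["text"]))
    return counts, alerts
```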

 

 

Step 12) Install ASDM and connect to it.

 

ASA1(config)# copy tftp://10.0.1.11/asdm-649-103.bin disk0:/asdm-649-103.bin
Address or name of remote host [10.0.1.11]?
Source filename [asdm-649-103.bin]?
Destination filename [asdm-649-103.bin]?
Accessing tftp://10.0.1.11/asdm-649-103.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ~ (middle omitted) ~ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
19706880 bytes copied in 42.470 secs (469211 bytes/sec)

 

ASA1(config)# show flash
--#--  --length--  -----date/time------  path
    5  4096        Nov 23 2015 17:49:20  log
   10  4096        Nov 23 2015 17:49:28  coredumpinfo
   11  59          Nov 23 2015 17:49:28  coredumpinfo/coredump.cfg
   15  4096        Nov 25 2015 20:38:14  boot
   16  6           Nov 25 2015 19:07:16  boot/grub.conf
   78  0           Nov 25 2015 20:40:12  nat_ident_migrate
   91  19706880    Nov 25 2015 21:21:18  asdm-649-103.bin

 


ASA1(config)# asdm image disk0:/asdm-649-103.bin
ASA1(config)# http server enable
ASA1(config)#
ASA1(config)# http 10.0.1.11 255.255.255.255 inside

 

 

Step 13)

Posted by 김정우 강사 (KakaoTalk: kim10322)