The following are all the problems you will encounter when working through CCIE RS LAB EXAM.
Cisco's firewall mainly refers to the firewall after 5512. The previous 5510 series basically do not explain because the production is discontinued. Let's talk about the configuration is not meaningful. There mainly refers to the 5500X series firewall. Here mainly to give some of the most commonly used configurations, the reader of this book knows nothing about the firewall but these configurations can be configured on the public network, basically solve the problem. Of course, I still hope that everyone can in the case of the public network go to the Cisco website to download the configuration manual and want to understand why this configuration.
The first is to open the HTTP function. This function is mainly used to remotely or allow administrators to manage the firewall in the form of WEB. Everyone is accustomed to the order. I am not exception but now Cisco is pushing the WEB way. In fact, this WEB has some functions that are particularly useful. For example, if I configure VPN, it is basically a configuration with WEB. It may take only one minute. The configuration is successful but the difference of the ability to pass the command may not be configured in one day. However, it also has problems. For example, when troubleshooting, it is especially complicated. You should use the command and graphics interface together.
Basic configuration:
Configure the user password: username cisco password cisco privilege 15 . After the username and password are configured, you need to call the following command to take effect.
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
Configure HTTP function:
http server enable
username cisco password cisco privilege 15
asdm image disk0:/asdm-713.bin boot system
disk0:/asa911-4-smp-k8.bin http 0 0 inside
http 0 0 outside
Note that the IOS version here should be the same platform as ASDM. Of course, it can be different. Pay attention to the software to install JAVE here. This software version is JAVE7. This JAVE is often problematic. • Everyone will often encounter this when they install ASDM.
Happening:
The above situation may be the reason why the JAVE installed by you and the software version of ASDM are different. The solution can only be to reinstall JAVE. This has no experience to say that can only say that the newer version of the software you installed. The corresponding JAVE is also newer, this also requires repeated attempts. I often make mistakes on this.
The following is the configuration of SSH Telnet login, you should pay attention to mandatory local authentication, otherwise your SSH is no way to use.
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
y
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
telnet 0.0.0.0 0.0.0.0 inside
console timeout 0
The following configuration is to release ICMP traffic, we all know that the default is not PING public network, you must release it. You can also write ICMP ACL release but I like to use the following way to release.
policy-map global_policy
class inspection_default inspect icmp
The above configuration is common and the configuration is the same on each firewall. Let's look at the configuration of the interface:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 183.129.X.X 255.255.255.X
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
The above configuration is the internal and external interface address and security level of the firewall. Everyone knows that the security level is the basic means of separating the internal and external networks. That is the default high security level can access the external network but the low security level cannot access the internal network inside. It can access outside.It is feasible and vice versa. If you need to visit, you need to clear it. Note that the router does not have this feature.
object network outstatic
subnet 0.0.0.0 0.0.0.0
object network inside
subnet 192.168.0.0 255.255.0.0
nat (inside,outside) source dynamic inside interface
route outside 0.0.0.0 0.0.0.0 183.129.X.X
The above commands are very important and the meaning is very simple. That is to do port address translation. We all know that the internal network does not do address translation is not on the public network. In general, the enterprise has only one public network address so you must do port conversion before you can go to the public network. Note that the above subnet 192.168.0.0 255.255.0.0 is to enlarge it. The last default route is definitely needed, otherwise there is no way to go to the public network. The address is the gateway that the operator gives you.
Of course, if there is a three-layer core exchange, you need a command to open communication with the intranet route inside 192.168.0.0 255.255.0.0 192.168.1.2
Well, in the general case configuration here, the enterprise can go to the public network basically 80% of the customers here are configured successfully. Some customers need to configure VPN and port mapping, here are configured as follows:
object network tcp21
host 192.168.1.249
object network tcp53
host 192.168.1.249
object network udp53
host 192.168.1.249
object network tcp33789
host 192.168.40.199
object network tcp36952
host 192.168.40.199
object network tcp443
host 192.168.1.5
access-list 101 extended permit tcp any host 192.168.1.249 eq 808
access-list 101 extended permit tcp any host 192.168.1.249 eq 5000
access-list 101 extended permit tcp any host 192.168.1.250 eq 8081
access-list 101 extended permit tcp any host 192.168.1.249 eq ftp
access-list 101 extended permit tcp any host 192.168.1.249 eq domain
access-list 101 extended permit tcp any host 192.168.40.199 eq 36952
access-list 101 extended permit tcp any host 192.168.40.199 eq 33789
!
object network static
nat (inside,outside) static interface service tcp 808 808
object network static1
nat (inside,outside) static interface service tcp 5000 5000
object network test
nat (inside,outside) static interface service tcp 135 135
object network tcp8081
nat (inside,outside) static interface service tcp 8081 8081
object network tcp21
nat (inside,outside) static interface service tcp ftp ftp
object network tcp53
nat (inside,outside) static interface service tcp domain domain
object network udp53
nat (inside,outside) static interface service udp domain domain
object network tcp33789
nat (inside,outside) static interface service tcp 33789 33789
object network tcp36952
nat (inside,outside) static interface service tcp 36952 36952
The port mapping of the above configuration pays attention to the real address.
Commentaires