Configuring Cisco ASA and PIX Firewalls-Part2
5. Working With Objects
Firewall Builder is based on the concept of objects. Several object types define the
IP objects that can be used as the Source and Destination in your firewall rules. Two
of the most common IP objects used in firewall rules are Networks and Addresses.
Network Objects
To create the example Network object representing the internal 10.10.10.0/24
network shown in the diagram on the previous page, go to the object tree on the left
side of the screen and double-click the folder labeled Objects to expand it. Right click
on the folder called Networks and select “New Network”. This creates a new
network object. In the lower portion of your screen, called the Editor Panel, you can
modify the properties of this new network object.
Change the object name to something matching the function. In this example we
name it “Internal Network” to represent the network connected to our "inside"
interface. The address is set to 10.10.10.0 and the netmask is 255.255.255.0.
Figure 13. New Network Object
Note
When editing the attributes of an object there is no Apply or Submit button. Once
you edit an attribute, as soon as you move away from the field you were editing
the change immediately takes effect.
Address Objects
To create an object representing a single IP address, similar to the host parameter in
a Cisco access list, go to the object tree, right-click on the Addresses folder, and select
"New Address". In the Editor Panel change the name of the new address object to
something that reflects its function, for example “POP3 Server”. Also set the IP
address.
Figure 14. New Address Object
You may have noticed that we did not create any objects for the TCP services like
HTTP and SSH needed for the firewall object rules shown in the example. This is
because Firewall Builder comes with hundreds of predefined objects, including the
commonly used TCP services.
6. Configuring Policy Rules (Access Lists)
After you have created a firewall object and network objects you can start to
configure the firewall's rules. When you create a firewall object, for
example asa-1 from our previous example, it is opened automatically in the object
tree and its Policy object is opened in the main window for editing. The Policy object
is where access list rules are configured.
To add a new rule to the Policy, click on the green icon at the top left of the main
window. This creates a new rule with default values set to deny all.
Figure 15. Default Rule
Every rule includes the following sections:
Source - this can be one or more IP objects. The default value is Any which is
the same as the "any" parameter in a Cisco access list that matches all IP
addresses.
Destination - this can be one or more IP objects. The default value is Any
which is the same as the "any" parameter in a Cisco access list that matches
all IP addresses.
Service - this can be one or more Service objects. Example services include
TCP and UDP protocols like HTTP and DNS. The default value is Any which
matches any IP service and is the same as the "ip" parameter in Cisco access
lists.
Interface - this can be one or more interfaces configured on the firewall
(router) object. The default value is All which means the rule will be applied
as an access list to all configured interfaces.
Direction - options are Inbound, Outbound, and Both. This defines whether
the resulting access-group will be applied to interfaces as "in" or "out". Both
will generate an identical rule for "in" and "out". The default value is Both.
Action - options are Accept and Deny. This matches the Cisco access list
parameters "permit" and "deny". The default value is Deny.
Options - options are Logging On and Logging Off. Setting Logging On matches
the Cisco access list parameter "log". The default value is Logging On.
Configuring a Rule
In the example below, the fields in the rule will be set to the values that match the
first rule from our example scenario (scenario rules shown in figure below). This first
rule controls SSH access to the firewall itself.
Figure 16. Scenario Rules
Setting the Source
To set the Source of a rule, drag-and-drop at least one IP object from the tree to the
Source field of your rule. For example, drag the Network object called Internal
Network that you created earlier to the Source column of the rule as shown below.
Figure 17. Setting the Source
After you drop the network object into the rule the Source field will change from Any
to Internal Network.
Figure 18. After Source is Set
Note
You can have more than one IP object in the Source and Destination fields. When
Firewall Builder generates the Cisco command line access lists it will automatically
split the rule into multiple lines if necessary.
Setting the Destination
Setting the Destination is exactly the same as setting the Source, except you
drag-and-drop IP objects into the Destination field of the rule. For our first example
rule we want the Destination to be the "inside" interface of the firewall object.
Drag-and-drop the Ethernet0/1 object from the object tree to the Destination
column.
Figure 19. Setting the Destination
After you drop the interface object into the rule the Destination field will change
from Any to "inside", the label of the Ethernet0/1 interface.
Figure 20. After Destination is Set
Setting the Service
Firewall Builder comes with hundreds of predefined objects including Service objects
for almost all standard protocols. To access these objects switch to the Standard
library by selecting it from the drop down at the top of the Object tree window.
Figure 21. Switching Libraries
Services are located in the Services folder. In this rule we want to set the service to
SSH, so you would navigate to the SSH service by opening the Services folder, then
opening the TCP folder and scrolling down until you find the "ssh" object.
Once you find the ssh object, drag-and-drop it from the tree on the left into the
Service section of the rule in the Rules window.
Figure 22. Setting the Service
Note
To switch back to the User library, which contains objects you have created, click on
the drop down menu that says Standard and select User from the list of libraries.
Setting the Interface
If desired, set the Interface for the rule by dragging-and-dropping an interface object
from the firewall (router) object to the Interface section of the rule. This will
explicitly define which interface on the router the access list will be applied to as
an "access-group".
Figure 23. Setting the Interface
Setting the Direction
The direction of the rule is based on the traffic you want to filter. Traffic coming into
an interface should have the rule Direction set to Inbound and traffic going out of an
interface should have the rule Direction set to Outbound. In our example the
direction of the rule will be Inbound since it is controlling access to the firewall itself
on the "inside" interface. Right-click and set the direction to Inbound.
The Direction, Network Zone and the Interface settings in a rule will determine which
interfaces should have this rule applied.
Note
A word about Inbound vs. Outbound access lists: Older PIX versions did not support
outbound access lists on interfaces, so by default Firewall Builder emulates this
behavior. This means if you create an outbound rule on an interface, Firewall Builder
will convert that to inbound rules on all other interfaces. You can change this
behavior by editing the Firewall Settings for the firewall object and clicking the
checkbox next to "Generate outbound ACLs".
Setting the Action
The action controls whether traffic matching the rule should be permitted or denied.
Remember, all Cisco access lists have an implicit deny at the end of the list, so any
traffic that has not matched a rule that permits the traffic will be dropped. Right-click
and set the action to "Accept" to allow the SSH traffic from the local network to the
firewall.
Setting the Options
Logging for rule matches is set in the Options section. By default logging is turned on.
To turn logging off, right-click in the Options section and select Logging Off.
Example of a Complete Rule
The following is the first rule from our example, which allows SSH traffic from the
internal network to the firewall's inside interface.
Figure 24. New Rule with Fields Set
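As an added example (not Firewall Builder's own code or generated output), the following Python model renders a rule built from the fields listed above as Cisco access-list lines: it splits a rule with several Source, Destination or Service objects into one line per combination, emits both an "in" and an "out" list for Direction Both, and applies the PIX-style conversion of outbound rules into inbound rules on the other interfaces unless outbound ACLs are enabled. The inside interface address 10.10.10.1, the "outside" and "dmz" interface names, and the ACL naming scheme <interface>_<direction> are assumptions made for this example.

```python
# Added example (not Firewall Builder's code): a model of how the rule fields
# described in the text map onto Cisco ASA/PIX access-list syntax.
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Tuple

@dataclass
class IPObject:
    """A Network or Address object; netmask None means a single host."""
    name: str
    address: str
    netmask: Optional[str] = None

    def acl_text(self) -> str:
        if self.address == "any":
            return "any"                        # the Any default
        if self.netmask is None:
            return f"host {self.address}"       # Address object -> host keyword
        return f"{self.address} {self.netmask}"

@dataclass
class Service:
    """A Service object; protocol 'ip' with no port is the Any default."""
    name: str
    protocol: str
    port: Optional[str] = None

ANY_IP = IPObject("Any", "any")
ANY_SERVICE = Service("Any", "ip")

@dataclass
class Rule:
    """One Policy row, with the defaults the text gives for a new rule."""
    sources: List[IPObject] = field(default_factory=lambda: [ANY_IP])
    destinations: List[IPObject] = field(default_factory=lambda: [ANY_IP])
    services: List[Service] = field(default_factory=lambda: [ANY_SERVICE])
    interfaces: List[str] = field(default_factory=list)   # empty = All
    direction: str = "Both"                               # Inbound/Outbound/Both
    action: str = "Deny"                                  # Accept/Deny
    logging: bool = True                                  # Logging On

def placements(rule: Rule, all_interfaces: List[str],
               generate_outbound_acls: bool) -> List[Tuple[str, str]]:
    """(interface, 'in'|'out') pairs the rule is applied to. Both yields an
    'in' and an 'out' placement; unless outbound ACLs are enabled (the
    PIX-compatible default), 'out' on X becomes 'in' on every other interface."""
    ifaces = rule.interfaces or all_interfaces
    dirs = {"Inbound": ["in"], "Outbound": ["out"], "Both": ["in", "out"]}
    out: List[Tuple[str, str]] = []
    for iface in ifaces:
        for d in dirs[rule.direction]:
            if d == "out" and not generate_outbound_acls:
                out.extend((o, "in") for o in all_interfaces if o != iface)
            else:
                out.append((iface, d))
    return list(dict.fromkeys(out))             # de-duplicate, keep order

def render_rule(rule: Rule, all_interfaces: List[str],
                generate_outbound_acls: bool = False) -> Dict[str, List[str]]:
    """Map one rule to access-list lines keyed by ACL name <iface>_<dir>; several
    Source/Destination/Service objects become one line per combination."""
    action = {"Accept": "permit", "Deny": "deny"}[rule.action]
    acls: Dict[str, List[str]] = {}
    for iface, d in placements(rule, all_interfaces, generate_outbound_acls):
        name = f"{iface}_{d}"
        for src, dst, svc in product(rule.sources, rule.destinations, rule.services):
            line = (f"access-list {name} {action} {svc.protocol} "
                    f"{src.acl_text()} {dst.acl_text()}")
            if svc.port is not None:
                line += f" eq {svc.port}"
            if rule.logging:
                line += " log"                  # Logging On -> "log"
            acls.setdefault(name, []).append(line)
    return acls

def render_access_groups(acls: Dict[str, List[str]]) -> List[str]:
    """Bind each generated ACL to its interface in the matching direction."""
    groups = []
    for name in acls:
        iface, d = name.rsplit("_", 1)
        groups.append(f"access-group {name} {d} interface {iface}")
    return groups

# Constructed scenario: the page's 10.10.10.0/24 Internal Network and "inside"
# interface; the address 10.10.10.1 and the other interface names are assumed.
INTERFACES = ["inside", "outside", "dmz"]
INTERNAL_NET = IPObject("Internal Network", "10.10.10.0", "255.255.255.0")
INSIDE_IF = IPObject("inside", "10.10.10.1")
SSH = Service("ssh", "tcp", "22")

def example_rule1() -> Dict[str, List[str]]:
    """First scenario rule: SSH from Internal Network to the inside interface."""
    rule = Rule(sources=[INTERNAL_NET], destinations=[INSIDE_IF], services=[SSH],
                interfaces=["inside"], direction="Inbound", action="Accept")
    return render_rule(rule, INTERFACES)

if __name__ == "__main__":
    for lines in example_rule1().values():
        print("\n".join(lines))
```

Running the module prints the single permit line for the first rule; the implicit deny at the end of every Cisco access list needs no line of its own.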
6.1. Additional Tips For Working with Rules
Adding a Rule
To add a new rule click the icon at the top of the Rules Editor window. This inserts
a new rule above the current rule. To add a new rule below the current rule
right-click on a rule and select "Add New Rule Below".
Figure 25. Adding Rules
Copy-and-Paste
In addition to drag-and-drop you can also copy-and-paste objects. For example, you
can right-click on the Internal Network object in the first rule and select Copy.
Navigate to the Source section of the new rule you just created and right-click and
select Paste.
Using Filters to Find Objects
Filters provide a way to quickly find objects in the tree without having to open
multiple folders and scroll. For example, if you wanted to use the POP3 protocol in a
rule you could use the filter to find it.
The POP3 protocol object is located in the Standard library, so select it from the
dropdown menu at the top of the Object Window. Type pop3 into the filter field.
This will display all objects in the current library that contain pop3.
Figure 26. Using Filter to Find Objects
Note
After you are done with the filtered object, clear the filter field by clicking the X to
the right of the input box and then switch back to the User library by selecting it in
the dropdown menu at the top of the object panel.
Example of Completed Rules
For our example we needed to create two firewall rules. The completed firewall
rules are shown in the diagram below.
Figure 27. Two Rules
More…
Cisco Guide: Migration of Cisco PIX 500 Series to Cisco ASA 5500 Series
Cisco PIX Firewall Basics
Real Time Object Detection Using Open CV
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Configuring cisco asa and pix firewalls part3

6. Configuring Policy Rules (Access Lists)

After you have created a firewall object and network objects you can start to configure the firewall's rules. When you create a firewall object, for example asa-1 from our previous example, it is opened automatically in the object tree and its Policy object is opened in the main window for editing. The Policy object is where access list rules are configured.

To add a new rule to the Policy, click on the green icon at the top left of the main window. This creates a new rule with default values set to deny all.

Figure 15. Default Rule

Every rule includes the following sections:

Source - one or more IP objects. The default value is Any, which is the same as the "any" parameter in a Cisco access list and matches all IP addresses.

Destination - one or more IP objects. The default value is Any, with the same meaning as for Source.

Service - one or more Service objects, for example TCP and UDP services such as HTTP and DNS. The default value is Any, which matches any IP protocol and corresponds to the "ip" protocol keyword in a Cisco access list.

Interface - one or more interfaces configured on the firewall object. The default value is All, which means the rule is applied as an access list to every configured interface.

Direction - Inbound, Outbound, or Both. This defines whether the resulting access-group is applied to the interface as "in" or "out". Both generates an identical rule for "in" and "out". The default value is Both.

Action - Accept or Deny, matching the Cisco access list keywords "permit" and "deny". The default value is Deny.

Options - Logging On or Logging Off. Logging On adds the "log" keyword to the generated access list entry. The default value is Logging On.

Configuring a Rule

In the example below, the fields of the rule are set to the values that match the first rule from our example scenario (the scenario rules are shown in the figure below). This first rule controls SSH access to the firewall itself.

Figure 16. Scenario Rules

Setting the Source

To set the Source of a rule, drag-and-drop at least one IP object from the tree to the Source field of the rule. For example, drag the Network object called Internal Network that you created earlier to the Source column of the rule as shown below.

Figure 17. Setting the Source

After you drop the network object into the rule, the Source field changes from Any to Internal Network.

Figure 18. After Source is Set

Note
You can have more than one IP object in the Source and Destination fields. When Firewall Builder generates the Cisco access lists it automatically splits the rule into multiple access list entries where necessary, since each entry takes a single source and a single destination.

Setting the Destination

Setting the Destination works exactly like setting the Source, except that you drag-and-drop IP objects into the Destination field of the rule. For our first example rule we want the Destination to be the "inside" interface of the firewall object. Drag-and-drop the Ethernet0/1 object from the object tree to the Destination column.

Figure 19. Setting the Destination

After you drop the interface object into the rule, the Destination field changes from Any to "inside", the label of the Ethernet0/1 interface.

Figure 20. After Destination is Set

Setting the Service

Firewall Builder comes with hundreds of predefined objects, including Service objects for almost all standard protocols. To access these objects switch to the Standard library by selecting it from the drop-down at the top of the Object tree window.

Figure 21. Switching Libraries

Services are located in the Services folder. In this rule we want to set the service to SSH, so navigate to the SSH service by opening the Services folder, then opening the TCP folder and scrolling down until you find the "ssh" object. Once you find the ssh object, drag-and-drop it from the tree on the left into the Service section of the rule in the Rules window.

Figure 22. Setting the Service

Note
To switch back to the User library, which contains the objects you have created, click on the drop-down menu that says Standard and select User from the list of libraries.

Setting the Interface

If desired, set the Interface for the rule by dragging-and-dropping an interface object from the firewall object to the Interface section of the rule. This explicitly defines which interface the access list will be applied to with an "access-group" command.

Figure 23. Setting the Interface

Setting the Direction

The direction of the rule is based on the traffic you want to filter. Traffic coming in to an interface should have the rule Direction set to Inbound, and traffic going out of an interface should have the rule Direction set to Outbound. In our example the direction of the rule will be Inbound, since it is controlling access to the firewall itself arriving on the "inside" interface. Right-click the Direction field and set it to Inbound.

The Direction, Network Zone and Interface settings of a rule together determine which interfaces the rule is applied to.

Note
A word about Inbound vs. Outbound access lists: older PIX versions did not support outbound access lists on interfaces, so by default Firewall Builder emulates this behavior. This means that if you create an Outbound rule on an interface, Firewall Builder converts it into Inbound rules on all other interfaces. Review the generated configuration when you rely on this emulation, because the rule then appears on every interface except the one you named. PIX 7.0 and later and all ASA releases support "access-group ... out interface"; to generate real outbound access lists on these platforms, edit the Firewall Settings of the firewall object and check the box next to "Generate outbound ACLs".

Setting the Action

The action controls whether traffic matching the rule is permitted or denied. Remember that every Cisco access list has an implicit deny at the end, so any traffic that has not matched a rule that permits it is dropped. Right-click the Action field and set it to "Accept" to allow the SSH traffic from the internal network to the firewall.

Note
On PIX and ASA an interface access-group filters traffic passing through the firewall. SSH sessions that terminate on the firewall itself are also governed by the "ssh <address> <mask> <interface>" management command, so that command must permit the internal network on the inside interface as well, or the session is refused even though the access list permits it.

Setting the Options

Logging for rule matches is set in the Options section. By default logging is turned on. To turn logging off, right-click in the Options section and select Logging Off.

Example of a Complete Rule

The following is the first rule from our example, which allows SSH traffic from the internal network to the firewall's inside interface.

Figure 24. New Rule with Fields Set
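The following Python is an added example for this page, not code from Firewall Builder or from the original tutorial, and the lines it produces are not Firewall Builder's exact output. It models the rule fields described above (Source, Destination, Service, Interface, Direction, Action, Options) and maps them onto Cisco ASA/PIX access-list and access-group commands, including the two behaviours noted in the section: several IP objects in one field become several access list entries, and with "Generate outbound ACLs" off an Outbound rule is emulated as Inbound rules on every other interface. The interface addresses, the outside and dmz interfaces, the Guest Network and POP3 Server objects, the second rule and the ACL naming convention are assumptions made for the example; only Internal Network, Ethernet0/1 "inside" and the ssh rule come from the tutorial.

```python
"""Maps rules with the section 6 fields (Source, Destination, Service, Interface,
Direction, Action, Options) onto Cisco ASA/PIX access-list and access-group commands.
Added example for this page, not Firewall Builder's code; its output is not the exact
text Firewall Builder generates. It shows the two behaviours the tutorial notes: several
IP objects in one field become several entries, and with "Generate outbound ACLs" off an
Outbound rule is emulated as Inbound rules on every other interface."""
from itertools import product

# Interface object -> (label, address). Ethernet0/1 "inside" is the tutorial's; its
# address and the outside/dmz interfaces are assumptions.
INTERFACES = {"Ethernet0/0": ("outside", "203.0.113.2"),
              "Ethernet0/1": ("inside", "10.10.10.1"),
              "Ethernet0/2": ("dmz", "192.0.2.1")}
# User-library IP objects -> (address, netmask). Internal Network is the tutorial's;
# Guest Network and the POP3 Server address are assumptions.
IP_OBJECTS = {"Internal Network": ("10.10.10.0", "255.255.255.0"),
              "Guest Network": ("10.10.20.0", "255.255.255.0"),
              "POP3 Server": ("192.0.2.10", "255.255.255.255")}
# Standard-library service objects -> (protocol, port).
SERVICES = {"ssh": ("tcp", 22), "pop3": ("tcp", 110), "http": ("tcp", 80)}


def address_token(obj):
    """Render one Source/Destination object in access-list syntax."""
    if obj == "any":
        return "any"
    if obj in INTERFACES:                       # interface object -> its own address
        return "host %s" % INTERFACES[obj][1]
    addr, mask = IP_OBJECTS[obj]
    return "host %s" % addr if mask == "255.255.255.255" else "%s %s" % (addr, mask)


def service_token(svc):
    """Service Any is protocol 'ip'; a TCP/UDP service adds 'eq <port>'."""
    if svc == "any":
        return "ip", ""
    proto, port = SERVICES[svc]
    return proto, " eq %d" % port


def acl_lines(rule, acl_name):
    """One entry per (source, destination, service) combination: a Cisco entry takes a
    single source and destination, which is why multi-object rules are split."""
    keyword = "permit" if rule["action"] == "Accept" else "deny"
    log = " log" if rule.get("log", True) else ""   # Options: Logging On is the default
    lines = []
    for src, dst, svc in product(rule["src"], rule["dst"], rule["service"]):
        proto, port = service_token(svc)
        lines.append("access-list %s extended %s %s %s %s%s%s" % (
            acl_name, keyword, proto, address_token(src), address_token(dst), port, log))
    return lines


def expand_targets(rule, generate_outbound=False):
    """Resolve Interface and Direction into sorted (label, in|out) pairs. An empty
    interface list is Interface All; Both yields 'in' and 'out'. Without
    generate_outbound, 'out' on interface X becomes 'in' on every other interface."""
    names = rule["interfaces"] or list(INTERFACES)
    dirs = {"Inbound": ["in"], "Outbound": ["out"], "Both": ["in", "out"]}[rule["direction"]]
    targets = set()
    for name, direction in product(names, dirs):
        if direction == "out" and not generate_outbound:
            targets.update((INTERFACES[o][0], "in") for o in INTERFACES if o != name)
        else:
            targets.add((INTERFACES[name][0], direction))
    return sorted(targets)


def compile_policy(rules, generate_outbound=False):
    """Return (access_list_lines, access_group_lines) for the rules, keeping rule order
    within each list. '<label>_access_<in|out>' is an assumed naming convention; the
    implicit 'deny ip any any' at the end of each Cisco list stays implicit."""
    acls = {}                                   # (label, direction, name) -> entries
    for rule in rules:
        for label, direction in expand_targets(rule, generate_outbound):
            name = "%s_access_%s" % (label, direction)
            acls.setdefault((label, direction, name), []).extend(acl_lines(rule, name))
    access_lists = [line for key in sorted(acls) for line in acls[key]]
    access_groups = ["access-group %s %s interface %s" % (name, direction, label)
                     for label, direction, name in sorted(acls)]
    return access_lists, access_groups


# Rule 1 of the tutorial: Internal Network -> inside interface, ssh, Inbound on
# Ethernet0/1, Accept, Logging On.
RULE_SSH = {"src": ["Internal Network"], "dst": ["Ethernet0/1"], "service": ["ssh"],
            "interfaces": ["Ethernet0/1"], "direction": "Inbound", "action": "Accept"}
# Constructed rule (not the tutorial's second rule): two source networks to the POP3
# server, Outbound on dmz, logging off, so both splitting and emulation are visible.
RULE_POP3 = {"src": ["Internal Network", "Guest Network"], "dst": ["POP3 Server"],
             "service": ["pop3"], "interfaces": ["Ethernet0/2"], "direction": "Outbound",
             "action": "Accept", "log": False}

if __name__ == "__main__":
    for section in compile_policy([RULE_SSH, RULE_POP3]):
        print("\n".join(section))
```

Running the script prints the access-list entries followed by the access-group commands. Compare the two runs with generate_outbound left at False and set to True: the constructed POP3 rule lands in inside_access_in and outside_access_in in the first case and in a single dmz_access_out list in the second, which is the difference the "Generate outbound ACLs" checkbox makes. A rule with all fields at their defaults (Any, Any, Any, All, Both, Deny, Logging On) expands to a single "deny ip any any log" entry on every interface, matching the deny-all rule of Figure 15. Firewall Builder's own compiler chooses its own ACL names and ordering, so use this to reason about the semantics, not to diff against its output.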
6.1. Additional Tips For Working with Rules

Adding a Rule

To add a new rule, click the icon at the top of the Rules Editor window. This inserts a new rule above the current rule. To add a new rule below the current rule, right-click on a rule and select "Add New Rule Below".

Figure 25. Adding Rules

Copy-and-Paste

In addition to drag-and-drop you can also copy-and-paste objects. For example, right-click on the Internal Network object in the first rule and select Copy. Navigate to the Source section of the new rule you just created, right-click and select Paste.

Using Filters to Find Objects

Filters provide a way to quickly find objects in the tree without having to open multiple folders and scroll. For example, if you wanted to use the POP3 protocol in a rule you could use the filter to find it. The POP3 service object is located in the Standard library, so select that library from the drop-down menu at the top of the Object window. Type pop3 into the filter field. This displays all objects in the current library whose name contains pop3.

Figure 26. Using Filter to Find Objects

Note
After you are done with the filtered object, clear the filter field by clicking the X to the right of the input box and then switch back to the User library by selecting it in the drop-down menu at the top of the object panel.

Example of Completed Rules

For our example we needed to create two firewall rules. The completed firewall rules are shown in the figure below.

Figure 27. Two Rules

More…
Cisco Guide: Migration of Cisco PIX 500 Series to Cisco ASA 5500 Series
Cisco PIX Firewall Basics