
1. Introduction

    Today I learned how to configure the ASA through both the CLI and the GUI.

2. Body

1. ASA(Adaptive Security Appliance)


//ASA
# show version
# show firewall //Firewall mode: Router(Layer-3 Firewall)
!
# conf t
# firewall transparent //Layer-3 -> 2
# show firewall
# no firewall transparent //Layer-2 -> 3
!
# sh int ip br
# int g0/0
# no sh
# nameif Inside //an ASA interface does not pass traffic until it has a nameif
# description #Inside_Network#
# ip add 200.1.1.254 255.255.255.0
# security-level 100 //an interface named Inside defaults to 100; set explicitly here to show the command
!
# int g0/1
# no sh
# nameif Outside
# desc #Outside_Network#
# ip add 1.1.100.1 255.255.255.252
# security-level 0
!
# int g0/2
# no sh
# nameif DMZ
# security-level 50
# desc #DMZ_Network#
# ip add 100.1.1.254 255.255.255.0
!
# int Management0/0
# no sh
# nameif Management
# security-level 100
# ip add 192.168.1.254 255.255.255.0
# desc #Management Interface#

//ISP
# int f0/1
# no sh
# ip add dhcp
!
# int f1/0
# no sh
# ip add 2.2.2.254 255.255.255.0
!
# int f0/0
# no sh
# ip add 1.1.100.6 255.255.255.252

//CE
# int f0/1
# no sh
# ip add 1.1.100.5 255.255.255.252
!
# int f0/0
# no sh
# ip add 1.1.100.2 255.255.255.252

//User
# no ip routing
# int f0/0
# ip add 200.1.1.2 255.255.255.0
!
# ip default-gateway 200.1.1.254

//Ping Test
//ISP
# ping 10.0.0.1
# ping 1.1.100.5
//CE
# ping 1.1.100.1
//User
# ping 200.1.1.254

//Routing
//ISP
# ip route 0.0.0.0 0.0.0.0 f0/1 10.0.0.1
# ip route 1.1.100.0 255.255.255.252 f0/0 1.1.100.5
# ip route 100.1.1.0 255.255.255.0 f0/0 1.1.100.5
# ip route 200.1.1.0 255.255.255.0 f0/0 1.1.100.5
//CE
# ip route 0.0.0.0 0.0.0.0 f0/1 1.1.100.6
# ip route 100.1.1.0 255.255.255.0 f0/0 1.1.100.1
# ip route 200.1.1.0 255.255.255.0 f0/0 1.1.100.1
//ASA
# route Outside 0 0 1.1.100.2

//NAT
//ISP
# ip access-list standard DMZ_Inside
# permit 100.1.1.0 0.0.0.255
# permit 200.1.1.0 0.0.0.255
# permit 2.2.2.0 0.0.0.255
# permit 1.1.100.0 0.0.0.3
!
# ip nat nside source list DMZ_Inside interface f0/1 overload
!
# int f0/0
# ip nat inside
!
# int f1/0
# ip nat inside
!
# int f0/1
# ip nat outside

//ASA
# policy-map global_policy
# class inspection_default
# inspect icmp
!
# telnet 200.1.1.0 255.255.255.0 Inside
# telnet 100.1.1.0 255.255.255.0 DMZ
# telnet 1.1.100.2 255.255.255.255 Outside //confirm this is rejected: telnet is not allowed on the lowest-security interface (Outside, level 0)
# password cisco
!
# aaa authentication ssh console LOCAL
# crypto key generate rsa modulus 1024 //1024-bit RSA is weak for a host key; use modulus 2048 or larger outside a lab
# ssh 200.1.1.0 255.255.255.0 Inside
# ssh 1.1.100.2 255.255.255.255 Outside //unlike telnet, ssh is accepted even on the lowest-security interface

//ASDM(Adaptive Security Device Manager)
//ASA
# clear configure telnet
# clear configure ssh
# ssh 192.168.1.0 255.255.255.0 Management
!
# copy tftp: flash
192.168.1.1 //answer to the TFTP server address prompt
asdm-781-150.bin //answer to the source file name prompt
# dir /all
# username admin password cisco
# asdm image flash:asdm-781-150.bin
# http server enable
# http 192.168.1.1 255.255.255.255 Management

//Firewall
# access-list OUT-IN extended permit udp any host 100.1.1.250 eq 53 //IOS-style numbered access lists are not supported; every ASA ACL has a name
# access-list OUT-IN extended permit tcp any host 100.1.1.251 eq www //HTTP is TCP, not UDP
# access-list OUT-IN extended permit icmp any 100.1.1.0 255.255.255.0
# access-list OUT-IN extended deny ip any any //an ACL already ends in an implicit deny; this line only makes the denies visible in show access-list
# access-group OUT-IN in interface Outside //must match the access-list name exactly
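How the ASA decides whether the first packet of a new connection is allowed, modelled in Python as an added example (not code from the original post). It encodes the rule the lab relies on: with no ACL bound on the ingress interface, higher to lower security level is permitted, lower to higher and equal levels are denied; once an ACL is bound inbound, that ACL alone decides, first match wins, and falling off the end is the implicit deny. Interface names, security levels and the OUT-IN ACL are taken from the page; the `Flow` and `Ace` types, `decide()` and the sample flows (2.2.2.1 as an Internet host) are constructed for the example.

```python
"""Model of the ASA's per-interface policy, built from the lab above.

Added example (not code from the original post). It reproduces the rules
the lab relies on:
  * no ACL on the ingress interface: higher -> lower security level is
    permitted, lower -> higher is denied, equal levels are denied unless
    'same-security-traffic permit inter-interface' is set;
  * an ACL bound inbound on the ingress interface replaces that default:
    first matching ACE wins and the list ends in an implicit deny.
Interface names, levels and the OUT-IN ACL come from the page; Flow, Ace,
decide() and the sample flows are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# nameif -> security-level, as configured on the page
SECURITY_LEVEL = {"Inside": 100, "Outside": 0, "DMZ": 50, "Management": 100}

# 'same-security-traffic permit inter-interface' is not configured in the lab
SAME_SECURITY_INTER_INTERFACE = False


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR or "any"
    dst: str
    dport: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Flow:
    ingress: str                 # nameif the first packet arrives on
    egress: str                  # nameif it would leave on
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


# access-list OUT-IN extended ... in the order the page enters it
OUT_IN = [
    Ace("permit", "udp", "any", "100.1.1.250/32", 53),
    Ace("permit", "tcp", "any", "100.1.1.251/32", 80),
    Ace("permit", "icmp", "any", "100.1.1.0/24"),
    Ace("deny", "ip", "any", "any"),
]
# access-group OUT-IN in interface Outside
ACCESS_GROUP = {"Outside": OUT_IN}


def _in_net(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if not (_in_net(ace.src, flow.src) and _in_net(ace.dst, flow.dst)):
        return False
    return ace.dport is None or ace.dport == flow.dport


def acl_verdict(acl, flow: Flow) -> str:
    """First matching ACE wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


def decide(flow: Flow):
    """Return (verdict, reason) for the first packet of a new connection."""
    acl = ACCESS_GROUP.get(flow.ingress)
    if acl is not None:
        # A bound ACL replaces the level-based default for this interface
        verdict = acl_verdict(acl, flow)
        return verdict, f"ACL bound inbound on {flow.ingress}: {verdict}"
    lvl_in, lvl_out = SECURITY_LEVEL[flow.ingress], SECURITY_LEVEL[flow.egress]
    if lvl_in > lvl_out:
        return "permit", f"{lvl_in} -> {lvl_out}: higher to lower, no ACL needed"
    if lvl_in == lvl_out:
        if SAME_SECURITY_INTER_INTERFACE:
            return "permit", "same-security-traffic permit inter-interface"
        return "deny", f"{lvl_in} == {lvl_out}: same level, inter-interface not permitted"
    return "deny", f"{lvl_in} -> {lvl_out}: lower to higher with no permitting ACL"


if __name__ == "__main__":
    # Constructed sample flows; 2.2.2.1 stands in for an Internet host.
    samples = [
        Flow("Inside", "Outside", "tcp", "200.1.1.2", "2.2.2.1", 443),
        Flow("Outside", "DMZ", "udp", "2.2.2.1", "100.1.1.250", 53),
        Flow("Outside", "DMZ", "tcp", "2.2.2.1", "100.1.1.251", 80),
        Flow("Outside", "DMZ", "tcp", "2.2.2.1", "100.1.1.251", 22),
        Flow("Outside", "Inside", "tcp", "2.2.2.1", "200.1.1.2", 22),
        Flow("DMZ", "Inside", "tcp", "100.1.1.250", "200.1.1.2", 445),
        Flow("Management", "Inside", "tcp", "192.168.1.1", "200.1.1.2", 22),
    ]
    for f in samples:
        verdict, why = decide(f)
        print(f"{f.ingress:>10} -> {f.egress:<8} {f.proto}/{f.dport}: {verdict:<6} ({why})")
```

Two things the model makes visible that the CLI output does not: the DMZ cannot open connections to Inside even though no ACL is bound on DMZ (50 < 100), and Management and Inside cannot talk to each other at all while both sit at level 100, because the lab never enables `same-security-traffic permit inter-interface`.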

# object network SALES
# subnet 200.1.1.0 255.255.255.0
!
# object network MGM
# subnet 200.2.2.0 255.255.255.0
!
# object network DNS_SVR
# host 100.1.1.250
!
# object network WEB_SVR
# host 100.1.1.251
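A small lint for the management-access lines (telnet / ssh / http / crypto key) and the access-group binding above, written in Python as an added example (not the post's own code). It parses a command transcript in the page's `# command //comment` style and flags: telnet on the lowest-security interface (which the ASA refuses), telnet anywhere else (clear-text credentials), ssh or http entries on an interface other than the management one, an RSA modulus below 2048 bits, and an access-group that names an access-list that was never defined. The transcript, the `parse()` and `lint()` helpers and the finding codes are constructed for this example; the assumption that the management interface is named Management is a parameter.

```python
"""Lint for the management-plane commands in an ASA command transcript.

Added example, not code from the original post. parse() understands only
the subset of syntax used on the page (nameif, security-level, telnet, ssh,
http, crypto key generate rsa, access-list, access-group); lint() turns
that into the findings a reviewer would raise before enabling remote access.
"""
import re

# Constructed transcript in the page's style; the weak lines are intentional
# so that each check below fires exactly once.
SAMPLE_TRANSCRIPT = """\
# int g0/0
# nameif Inside
# security-level 100
# int g0/1
# nameif Outside
# security-level 0
# int Management0/0
# nameif Management
# security-level 100
# telnet 200.1.1.0 255.255.255.0 Inside
# telnet 1.1.100.2 255.255.255.255 Outside //refused by the ASA
# ssh 200.1.1.0 255.255.255.0 Inside
# ssh 192.168.1.0 255.255.255.0 Management
# crypto key generate rsa modulus 1024
# http server enable
# http 192.168.1.1 255.255.255.255 Management
# access-list OUT->IN extended permit udp any host 100.1.1.250 eq 53
# access-group OUT-IN in interface Outside
"""


def parse(transcript: str) -> dict:
    """Pull out the pieces the checks need; every other line is ignored."""
    cfg = {"levels": {}, "access": [], "acls": set(), "groups": [], "rsa_bits": None}
    current = None
    for raw in transcript.splitlines():
        line = raw.split("//")[0].strip()        # drop trailing //comments
        if line.startswith("#"):                 # drop the prompt
            line = line[1:].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "nameif":
            current = tok[1]
        elif tok[0] == "security-level" and current is not None:
            cfg["levels"][current] = int(tok[1])
        elif tok[0] in ("telnet", "ssh", "http") and len(tok) == 4:
            cfg["access"].append((tok[0], tok[1], tok[2], tok[3]))   # svc, net, mask, nameif
        elif tok[0] == "access-list":
            cfg["acls"].add(tok[1])
        elif tok[0] == "access-group" and len(tok) == 5:
            cfg["groups"].append((tok[1], tok[4]))                  # acl name, nameif
        elif line.startswith("crypto key generate rsa"):
            m = re.search(r"modulus\s+(\d+)", line)
            cfg["rsa_bits"] = int(m.group(1)) if m else 0           # 0 = size not stated
    return cfg


def lint(transcript: str, mgmt_if: str = "Management"):
    """Return a list of (code, message) findings; an empty list is a clean transcript."""
    cfg = parse(transcript)
    findings = []
    lowest = min(cfg["levels"].values()) if cfg["levels"] else 0
    for svc, net, mask, ifname in cfg["access"]:
        level = cfg["levels"].get(ifname)
        if svc == "telnet":
            if level == lowest:
                findings.append(("TELNET_LOWEST",
                                 f"telnet {net} {mask} {ifname}: ASA refuses telnet on the lowest-security interface"))
            else:
                findings.append(("TELNET_CLEARTEXT",
                                 f"telnet {net} {mask} {ifname}: clear-text management; use ssh"))
        elif ifname != mgmt_if:
            findings.append(("MGMT_ON_TRANSIT",
                             f"{svc} {net} {mask} {ifname}: management access on a transit interface"))
    if cfg["rsa_bits"] is not None and cfg["rsa_bits"] < 2048:
        findings.append(("WEAK_RSA",
                         f"rsa modulus {cfg['rsa_bits'] or 'not stated'}: use 2048 bits or more"))
    for name, ifname in cfg["groups"]:
        if name not in cfg["acls"]:
            findings.append(("ACL_UNDEFINED",
                             f"access-group {name} on {ifname}: no access-list named {name} "
                             f"(defined: {sorted(cfg['acls'])})"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_TRANSCRIPT):
        print(f"{code:<16} {msg}")
```

The access-group check is the one worth keeping around: the ASA accepts `access-group` for a name that does not exist yet, so a typo such as `OUT->IN` versus `OUT-IN` leaves the Outside interface with no ACL bound and nothing in the CLI output to say so.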

3. Conclusion

    The ASA's UI is much worse than I expected.

