You are all welcome to learn more on my blog:
http://blog.sina.com.cn/s/blog_52ddfea301019pei.html
Note: I will soon publish follow-ups on the IPS module and on the Cisco next-generation firewall "ASA CX Context-Aware Security". An introduction to the next-generation firewall is here:
http://blog.sina.com.cn/s/blog_52ddfea301019pei.html
Topology:
[Image: topology diagram (http://s13.sinaimg.cn/mw690/52ddfea3gd90dbcd421fc&690)]
Copy the IPS system image to the ASA 5512-X local flash (disk0:) and confirm it is there:
ciscoasa# dir
Directory of disk0:/
10 drwx 4096 19:44:02 Aug 24 2012 log
22 drwx 4096 19:44:16 Aug 24 2012 crypto_archive
110 -rwx 0 19:44:16 Aug 24 2012 nat_ident_migrate
23 drwx 4096 19:44:18 Aug 24 2012 coredumpinfo
120 -rwx 44324864 02:36:38 Mar 29 2013 IPS-SSP_5512-K9-sys-1.1-a-7.1-7-E4.aip
111 -rwx 4096 00:00:00 Jan 01 1980 FSCK0000.REC
112 -rwx 24576 00:00:00 Jan 01 1980 FSCK0001.REC
113 -rwx 4096 00:00:00 Jan 01 1980 FSCK0002.REC
114 -rwx 28672 00:00:00 Jan 01 1980 FSCK0003.REC
115 -rwx 4096 00:00:00 Jan 01 1980 FSCK0004.REC
116 -rwx 2600 01:22:00 Mar 21 2013 old_running.cfg
117 -rwx 1760 01:22:00 Mar 21 2013 admin.cfg
118 -rwx 37435392 02:33:24 Mar 21 2013 asa911-4-smp-k8.bin
119 -rwx 17989292 02:34:52 Mar 21 2013 asdm-712.bin
Point the module recovery at the staged IPS system image:
ciscoasa# sw-module module ips recover configure image disk0:IPS-SSP_5512-K9-sys-1.1-a-7.1-7-E4.aip
Boot the IPS module from that image (this reimages the software module; it takes several minutes):
ciscoasa# sw-module module ips recover boot
Check the IPS module status (recovery still in progress, so the module cannot be read yet):
ciscoasa# show module ips details
Getting details from the Service Module, please wait...
Unable to read details from module ips
Card Type: Unknown
Model: N/A
Hardware version: N/A
Serial Number: FCH16327W76
Firmware version: N/A
Software version:
MAC Address Range: 30f7.0d48.90b6 to 30f7.0d48.90b6
Data Plane Status: Not Applicable
Status: Recover
License: IPS Module Enabled 32 days
Check the IPS module status again (recovery finished and the module is Up, but the IPS application is still starting and the data plane is not yet up, so it cannot inspect traffic at this point):
ciscoasa# show module ips details
Getting details from the Service Module, please wait...
Card Type: ASA 5512-X IPS Security Services Processor
Model: ASA5512-IPS
Hardware version: N/A
Serial Number: FCH16327W76
Firmware version: N/A
Software version: 7.1(7)E4
MAC Address Range: 30f7.0d48.90b6 to 30f7.0d48.90b6
App. name: IPS
App. Status: Reload
App. Status Desc: Starting up
App. version: 7.1(7)E4
Data Plane Status: Down
Status: Up
License: IPS Module Enabled 32 days
Mgmt IP addr: 192.168.1.2
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.168.1.1
Mgmt web ports: 443
Mgmt TLS enabled: true
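As an added example (not part of the original post and not a Cisco tool): a Python readiness check that parses the two `show module ips details` outputs above, embedded here as constructed sample strings, and reports whether the module can actually inspect traffic rather than merely showing "Status: Up". The fully-up sample at the end is constructed by editing the second output (the "Normal Operation" description is an assumption); the 7-day license threshold is an arbitrary choice.

```python
import re

# Constructed sample input: the two "show module ips details" outputs shown
# above (recovery in progress, then recovery done with the app still starting).
RECOVERING = """\
Getting details from the Service Module, please wait...
Unable to read details from module ips
Card Type: Unknown
Model: N/A
Hardware version: N/A
Serial Number: FCH16327W76
Firmware version: N/A
Software version:
MAC Address Range: 30f7.0d48.90b6 to 30f7.0d48.90b6
Data Plane Status: Not Applicable
Status: Recover
License: IPS Module Enabled 32 days
"""

STARTING = """\
Getting details from the Service Module, please wait...
Card Type: ASA 5512-X IPS Security Services Processor
Model: ASA5512-IPS
Hardware version: N/A
Serial Number: FCH16327W76
Firmware version: N/A
Software version: 7.1(7)E4
MAC Address Range: 30f7.0d48.90b6 to 30f7.0d48.90b6
App. name: IPS
App. Status: Reload
App. Status Desc: Starting up
App. version: 7.1(7)E4
Data Plane Status: Down
Status: Up
License: IPS Module Enabled 32 days
Mgmt IP addr: 192.168.1.2
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.168.1.1
Mgmt web ports: 443
Mgmt TLS enabled: true
"""

# Constructed (assumed) fully-up variant, derived from STARTING; the
# "Normal Operation" description is an assumption, not taken from the page.
READY = (STARTING
         .replace("App. Status: Reload", "App. Status: Up")
         .replace("App. Status Desc: Starting up", "App. Status Desc: Normal Operation")
         .replace("Data Plane Status: Down", "Data Plane Status: Up"))


def parse_details(text):
    """Map each 'Key: value' line to a dict entry; a bare 'Key:' maps to ''."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def license_days_left(fields):
    """Days left from a line like 'IPS Module Enabled 32 days' (None if absent)."""
    m = re.search(r"(\d+)\s+days?", fields.get("License", ""))
    return int(m.group(1)) if m else None


def assess(text, min_license_days=7):
    """Decide whether the module can inspect traffic and list what blocks it."""
    f = parse_details(text)
    status = f.get("Status", "")
    # Inspection needs all three: module Up, IPS application Up, data plane Up.
    ready = (status == "Up" and f.get("App. Status") == "Up"
             and f.get("Data Plane Status") == "Up")
    problems = []
    if status == "Recover":
        problems.append("image recovery in progress: keep polling")
    elif status != "Up":
        problems.append(f"module status {status or 'unknown'}")
    else:
        app = f.get("App. Status", "")
        if app != "Up":
            problems.append(f"IPS application not up ({app}: {f.get('App. Status Desc', '')})")
        if f.get("Data Plane Status") != "Up":
            problems.append("data plane down: with 'ips inline fail-open' matched traffic bypasses inspection")
    days = license_days_left(f)
    if days is not None and days < min_license_days:
        problems.append(f"license expires in {days} days: signature updates will stop")
    return {
        "ready": ready,
        "version": f.get("Software version", ""),
        "license_days": days,
        "problems": problems,
    }


if __name__ == "__main__":
    for name, sample in (("recovering", RECOVERING), ("starting", STARTING), ("ready", READY)):
        print(name, assess(sample))
```

In practice you would feed the live output of `show module ips details` to `assess()` in a polling loop and only apply the `ips inline` policy (or switch it from fail-open to fail-close) once `ready` is true; until then the module is not inspecting anything.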
View all ASA modules (this snapshot was taken after the application finished starting; the IPS data plane is now Up):
ciscoasa# show module
Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5512-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5512            FCH16327W76
 ips ASA 5512-X IPS Security Services Processor   ASA5512-IPS        FCH16327W76
cxsc Unknown                                      N/A                FCH16327W76

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 30f7.0d48.90b8 to 30f7.0d48.90bf  1.0          2.1(9)8      9.1(1)4
 ips 30f7.0d48.90b6 to 30f7.0d48.90b6  N/A          N/A          7.1(7)E4
cxsc 30f7.0d48.90b6 to 30f7.0d48.90b6  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips IPS                            Up               7.1(7)E4
cxsc Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 ips Up                 Up
cxsc Unresponsive       Not Applicable

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Enabled         32 days
Open a console session to the IPS module and run the initial setup (first login uses the default cisco/cisco credentials and forces a password change; the setup dialog then starts automatically):
ciscoasa# session ips
Opening command session with module ips.
Connected to module ips. Escape character sequence is 'CTRL-^X'.
login: cisco
Password:
You are required to change your password immediately (password aged)
Changing password for cisco.
(current) password:
New password:
Retype new password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on this IPS platform.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
--- Basic Setup ---
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current time: Fri Mar 29 02:42:20 2013
Setup Configuration last modified: Fri Mar 29 02:41:47 2013
Enter host name[sensor]:
Enter IP interface[192.168.1.2/24,192.168.1.1]: 10.1.1.253/24,10.1.1.254
Modify current access list?[no]: yes
Current access list entries:
No entries
Permit: 10.1.1.0/24
Permit:
Use DNS server for Global Correlation?[no]:
Use HTTP proxy server for Global Correlation?[no]:
Modify system clock settings?[no]:
Participation in the SensorBase Network allows Cisco to
collect aggregated statistics about traffic sent to your IPS.
SensorBase Network Participation level?[off]:
The following configuration was entered.
service host
network-settings
host-ip 10.1.1.253/24,10.1.1.254
host-name sensor
telnet-option disabled
access-list 10.1.1.0/24
ftp-timeout 300
no login-banner-text
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy no-proxy
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service global-correlation
network-participation off
exit
[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.
Enter your selection[3]: 2
Warning: DNS or HTTP proxy is required for global correlation inspection and reputation filtering, but no DNS or proxy servers are defined.
--- Configuration Saved ---
Complete the advanced setup using CLI or IDM.
To use IDM, point your web browser at https://<sensor-ip-address>.
sensor#
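As an added example (not from the original post): a small Python lint for the `service host` block the setup dialog printed above. The block is embedded as a constructed sample; `WEAK_OUTPUT` is an assumed variant with telnet enabled and an open access list, included only to show the findings such a config would trigger. The checks are the ones worth running before the sensor's management interface goes on the network, and the DNS/proxy check reproduces the warning the dialog itself printed.

```python
import ipaddress

# Constructed sample input: the "service host" / "service global-correlation"
# block the IPS setup dialog printed in the post above.
SETUP_OUTPUT = """\
service host
network-settings
host-ip 10.1.1.253/24,10.1.1.254
host-name sensor
telnet-option disabled
access-list 10.1.1.0/24
ftp-timeout 300
no login-banner-text
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
http-proxy no-proxy
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service global-correlation
network-participation off
exit
"""

# Assumed weaker variant (not from the page): telnet on, management open to all.
WEAK_OUTPUT = (SETUP_OUTPUT
               .replace("telnet-option disabled", "telnet-option enabled")
               .replace("access-list 10.1.1.0/24", "access-list 0.0.0.0/0"))


def parse_services(text):
    """Group setting lines under their 'service <name>' header.

    Sub-block headers (network-settings, time-zone-settings) and 'exit' lines
    carry no settings, so the nesting is flattened: every 'key value' line
    lands in the list of the service it belongs to.
    """
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "exit":
            continue
        if line.startswith("service "):
            current = line.split(None, 1)[1]
            services[current] = []
        elif current is not None:
            services[current].append(line)
    return services


def lint_host_config(text, max_acl_hosts=256):
    """Return findings for the sensor's host (management) settings, in order."""
    settings, acl = {}, []
    for line in parse_services(text).get("host", []):
        key, _, value = line.partition(" ")
        if key == "access-list":
            acl.append(value)
        else:
            settings[key] = value

    findings = []
    if settings.get("telnet-option") == "enabled":
        findings.append("telnet-option enabled: management logins cross the wire in clear text")
    if not acl:
        findings.append("access-list empty: nothing can reach the management interface")
    for entry in acl:
        # strict=False accepts host bits set, as the setup dialog does.
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > max_acl_hosts:
            findings.append(f"access-list {entry}: management reachable from {net.num_addresses} addresses")
    if settings.get("ntp-option") == "disabled":
        findings.append("ntp-option disabled: event timestamps rely on the sensor's local clock")
    dns_keys = ("dns-primary-server", "dns-secondary-server", "dns-tertiary-server")
    has_dns = any(settings.get(k, "disabled") != "disabled" for k in dns_keys)
    if not has_dns and settings.get("http-proxy", "no-proxy") == "no-proxy":
        findings.append("no DNS or HTTP proxy: global correlation and reputation filtering stay inactive")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as configured", SETUP_OUTPUT), ("weak variant", WEAK_OUTPUT)):
        print(label, lint_host_config(cfg))
```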
Configure the ASA to redirect traffic into the IPS module with MPF (the global_policy service policy is already applied globally in the default ASA configuration):
access-list out extended permit icmp any any
access-group out in interface Outside
access-list Internet-Traffic extended permit ip 172.16.1.0 255.255.255.0 any
class-map Internet-Traffic-Class
match access-list Internet-Traffic
policy-map global_policy
class Internet-Traffic-Class
ips inline fail-open
Note: inline puts the module in the traffic path so it can drop packets; fail-open means that whenever the module is down or reloading (as it was during the recovery above) the matched traffic is forwarded without inspection. Use fail-close where inspection matters more than availability. The icmp ACL on the Outside interface lets the echo replies (and outside-initiated pings) through so the ping test below works.
Manage the IPS module through ASDM (enter the module's management IP address and account):
[Image: ASDM IPS module login (http://s13.sinaimg.cn/mw690/52ddfea3gd90d680074dc&690)]
Enter the IDM embedded in ASDM:
[Image: IDM inside ASDM (http://s6.sinaimg.cn/mw690/52ddfea3gd90d68121f25&690)]
The default sensor interface (PortChannel0/0) is already enabled:
[Image: sensor interface status (http://s15.sinaimg.cn/mw690/52ddfea3gd90d6828f2be&690)]
The sensor interface (PortChannel0/0) must be assigned to virtual sensor vs0, otherwise no traffic is analyzed:
[Image: assigning PortChannel0/0 to vs0 (http://s2.sinaimg.cn/mw690/52ddfea3gd90d68401a21&690)]
Enable signature 2004 (ICMP Echo Request, disabled by default) for the test:
[Image: enabling signature 2004 (http://s9.sinaimg.cn/mw690/52ddfea3gd90d684d55e8&690)]
Open the IPS panel under ASDM Monitoring to query the event log:
[Image: ASDM Monitoring, IPS panel (http://s13.sinaimg.cn/mw690/52ddfea3gd90d687bc8dc&690)]
The Inside router's pings to the Outside router show up as events:
[Image: IPS events for the ping test (http://s9.sinaimg.cn/mw690/52ddfea3g7c1af0d7c648&690)]
[Image: IPS event details (http://s4.sinaimg.cn/mw690/52ddfea3gd90d685d04a3&690)]