The Cisco ASA can operate in one of two firewall modes:

Routed Firewall Mode | Transparent Firewall Mode
Use when only IP packets are to be inspected | Use when non-IP packets must be forwarded
Network readdressing is necessary across the ASA (each side is a separate subnet) | Network readdressing is not necessary (both sides share one subnet)
All interfaces can be used | Only two interfaces can be used (inside and outside)
All ASA features are available | The following features are not available:
ciscoasa#show firewall //Verifying the Current Firewall Mode
ciscoasa(config)#firewall transparent //enable transparent firewall mode
Configure ASA Transparent Mode Interfaces (only inside and outside). This page follows the pre-8.4 model, in which the two interfaces carry no IP addresses and a single management IP address is configured globally; ASA 8.4 and later use bridge groups instead.
Example:
ciscoasa(config)#interface e0/0
ciscoasa(config-if)#nameif outside
ciscoasa(config-if)#security-level 0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit
ciscoasa(config)#interface e0/1
ciscoasa(config-if)#nameif inside
ciscoasa(config-if)#security-level 100
ciscoasa(config-if)#no shutdown
ciscoasa(config)#ip address ip-address subnet-mask //configure the management IP address; in transparent mode this single address belongs to the bridged subnet and is used only for management traffic to and from the ASA
ciscoasa(config)#route interface network mask gateway [metric] //routes apply only to traffic the ASA itself originates (syslog, AAA, NTP), not to traffic bridged through it
ciscoasa(config)#access-list acl_id ethertype {permit | deny} {any | bpdu | ipx | mpls-unicast | mpls-multicast | ethertype}
The ethertype value can be a 16-bit hex number greater than 0x600, or one of the keywords any, bpdu, ipx, mpls-unicast or mpls-multicast. EtherType ACLs control only non-IP traffic (IP traffic is still controlled by extended ACLs) and take effect once applied to an interface with access-group.
Well-known EtherType values are assigned and maintained by the IEEE. You can search or download the most current list of values at http://standards.ieee.org/develop/regauth/ethertype/eth.txt.
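The steps above combined into one complete transparent-mode base configuration, shown in config-listing form so it can be pasted into configuration mode. This is an added example, not configuration from the original page; the interface names, addresses, ACL name and EtherType values are assumed for illustration.

```cisco
! Added example (not from the original page): minimal transparent-mode ASA,
! pre-8.4 syntax with a single global management IP address.
! Interface names, addresses and the ACL name NONIP are assumed values.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! One management address for the whole ASA, taken from the bridged subnet.
ip address 192.168.1.1 255.255.255.0
! This route is used only by traffic the ASA itself originates (syslog, AAA, NTP).
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
!
! Non-IP traffic is dropped unless an EtherType ACL permits it.
! ARP is forwarded regardless of this ACL, and IP traffic is controlled by
! extended ACLs, not here.
access-list NONIP ethertype permit bpdu
access-list NONIP ethertype permit 0x8137
! 0x8137 above is IPX written as a raw 16-bit EtherType; it is equivalent to
! the ipx keyword and only shows the hex form.
!
! EtherType ACLs are stateless: apply the ACL on both interfaces, otherwise
! frames in the reply direction are dropped.
access-group NONIP in interface outside
access-group NONIP in interface inside
!
! Verify with: show firewall, show access-list NONIP, show interface ip brief
```

The `show firewall` output should report transparent mode, and `show access-list NONIP` shows the hit counts per EtherType rule, which is the quickest way to confirm the non-IP traffic you expect is actually matching rather than hitting the implicit deny.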
By default, an ASA in transparent firewall mode forwards all ARP packets.
To detect and prevent ARP spoofing, you can configure the ASA to perform ARP inspection. ARP inspection uses static ARP entries as its reference: the sender IP and MAC address of each ARP packet are compared with the static table. A packet that matches an entry is forwarded; a packet whose IP matches an entry but whose MAC address does not is dropped; a packet that matches no entry is either flooded out all other interfaces (flood, the default) or dropped (no-flood).
ciscoasa(config)#arp interface ip_address mac_address(nnnn.nnnn.nnnn)
ciscoasa(config)#arp-inspection interface enable [flood | no-flood]
ciscoasa#show arp-inspection
A malicious host might not stop at one spoofed MAC address. It can also flood the ASA with frames carrying many forged source addresses, exhausting the MAC address table (a DoS attack).
To prevent MAC address spoofing attacks, you can disable MAC address learning completely and add the allowed addresses statically. Once learning is disabled, no traffic passes through that interface unless its source MAC address has a static entry.
ciscoasa(config)#mac-learn interface disable
ciscoasa(config)#mac-address-table static interface mac_address
ciscoasa#show mac-learn
ciscoasa#show mac-address-table
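The ARP inspection and MAC-table hardening described above, applied to the same two-interface transparent ASA, as an added example that is not part of the original page. The host and gateway IP and MAC addresses are assumed values; the comments spell out the forwarding decision each setting produces so the no-flood and mac-learn disable outages are not a surprise.

```cisco
! Added example (not from the original page): ARP inspection and MAC table
! hardening for a two-interface transparent ASA. IP and MAC addresses are
! assumed values.
!
! Static ARP entries are the reference that ARP inspection checks against.
! Add one per host (and the gateway) whose ARP traffic must not be dropped.
arp inside 192.168.1.10 0011.2233.4455
arp outside 192.168.1.254 00aa.bbcc.ddee
!
! Enable inspection per interface.
! no-flood: an ARP packet that matches no static entry is dropped, so any
!           inside host not listed above loses connectivity.
! flood:    a non-matching packet is forwarded out all other interfaces; only a
!           packet whose IP is listed but whose MAC disagrees is dropped.
arp-inspection inside enable no-flood
arp-inspection outside enable flood
!
! Stop dynamic MAC learning on inside so a host cannot fill the MAC table with
! forged source addresses. With learning off, frames from a source MAC that
! has no static entry are not forwarded, so every inside host needs an entry.
mac-learn inside disable
mac-address-table static inside 0011.2233.4455
!
! Verify with: show arp-inspection, show arp, show mac-learn,
!              show mac-address-table
```

Enable no-flood only after the static ARP and MAC entries for every host behind that interface are in place; a missing entry is not a warning but a silent drop, and `show arp-inspection` together with the mac-address-table listing is the first thing to check when a host behind a hardened interface stops passing traffic.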
Original URL: http://www.cnblogs.com/elewei/p/4711230.html