ASA/PIX/FWSM implementation considerations (absolutely important!!!)
- Enable ip verify reverse-path (unicast RPF) on all interfaces
- Set embryonic and maximum connection counts on static and nat statements; on 7.2(1)+ use per-client-max (set connection per-client-max / per-client-embryonic-max in a Modular Policy Framework policy) instead. Pre-7.2(1) example:
    nat (inside) 1 10.0.0.0 255.0.0.0 tcp 50 50 udp 50
    (tcp max conns, tcp embryonic limit, udp max conns)
- Configure logging to a syslog server (but be careful with TCP syslog: when a TCP syslog server becomes unreachable the firewall fails closed and stops accepting new connections unless logging permit-hostdown is configured)
- Baseline CPU load, connection counts, xlate counts, and traffic (per interface) so that abnormal load and connection floods can be recognised later
- Disable Telnet access; use SSH (version 2) for management access
- Enable authentication for management access (console/SSH/Telnet/enable); use TACACS+ or RADIUS with LOCAL as the fallback
- Restrict DMZ access inbound to your internal networks
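The following configuration fragment puts the whole checklist above together on one box. It is an added example, not configuration from the original post, and it assumes pre-8.3 nat/static/global syntax on an ASA running 7.2(1) or later with interfaces named outside, inside (10.0.0.0/8) and dmz (192.168.1.0/24). The syslog server (10.0.0.20), TACACS+ server (10.0.0.30), database server (10.0.0.40), DMZ web server (192.168.1.10), public address (203.0.113.10), domain name and all passwords/keys are placeholders chosen for the example.

```cisco
! Added example (not from the original post). Assumed placeholders: inside 10.0.0.0/8,
! dmz 192.168.1.0/24 (web server 192.168.1.10 -> public 203.0.113.10),
! syslog 10.0.0.20, TACACS+ 10.0.0.30, database server 10.0.0.40.

! 1. Unicast RPF on every interface: drop packets whose source address would not
!    be routed back out through the interface they arrived on (anti-spoofing)
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz

! 2a. Pre-7.2(1) style: limits on the nat/static lines themselves
!     syntax: tcp <max_conns> <embryonic_limit> udp <max_conns>
nat (inside) 1 10.0.0.0 255.0.0.0 tcp 50 50 udp 50
global (outside) 1 interface
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 tcp 1000 100 udp 500

! 2b. 7.2(1)+ style: the same protection via Modular Policy Framework, which adds
!     per-client limits so one host cannot consume the whole connection budget
class-map conn-limits
 match any
policy-map global_policy
 class conn-limits
  set connection conn-max 10000 embryonic-conn-max 1000
  set connection per-client-max 50 per-client-embryonic-max 25
service-policy global_policy global

! 3. Logging to a syslog server. With TCP syslog the firewall fails closed when the
!    server is unreachable (no new connections) unless permit-hostdown is set.
logging enable
logging timestamp
logging trap informational
logging host inside 10.0.0.20 tcp/1470
logging permit-hostdown

! 4. Baseline (exec mode). Record these after go-live and re-check them regularly:
!    show cpu usage
!    show conn count
!    show xlate count
!    show traffic

! 5. No Telnet; SSH version 2 only, reachable from the management subnet only
clear configure telnet
domain-name example.com
crypto key generate rsa modulus 2048
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 10
ssh version 2

! 6. AAA for serial console, SSH and enable: TACACS+ first, LOCAL database as fallback
username admin password Ch4ngeM3-LocalFallback privilege 15
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.0.0.30
 key Ch4ngeM3-TacacsSecret
aaa authentication serial console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL

! 7. DMZ hosts may reach only what they need on the inside; everything else bound
!    for internal networks is denied and logged, Internet-bound traffic still passes
access-list dmz_in extended permit tcp host 192.168.1.10 host 10.0.0.40 eq 1433
access-list dmz_in extended deny ip any 10.0.0.0 255.0.0.0 log
access-list dmz_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group dmz_in in interface dmz
```

Step 2a and 2b are alternatives: on 7.2(1)+ keep the nat/static lines without the trailing tcp/udp limits and rely on the set connection policy. The deny line in step 7 carries the log keyword so that a compromised DMZ host probing the inside network shows up in the syslog stream configured in step 3.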