ASA/PIX/FWSM implementation checklist (absolutely important!!!)

Posted 2008-5-23 07:55:00


- Enable ip verify reverse-path on all interfaces
- Set embryonic and maximum connection counts on static and nat statements; for 7.2.1+ use per-client-max
    nat (inside) 1 10.0.0.0 255.0.0.0 tcp 50 50 udp 50
    (tcp: 50 max connections, 50 embryonic; udp: 50 max connections)
- Configure logging to a syslog server (but be careful with TCP syslog)
- Baseline CPU load, connection counts, xlate counts, and traffic (per interface)
- Disable Telnet access; use SSH for management access
- Enable authentication for management access (console/SSH/Telnet/enable); use TACACS+ or RADIUS with LOCAL as the fallback
- Restrict DMZ access inbound to your internal networks
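The checklist above, worked through as one ASA 7.x configuration fragment. This is an added example and not part of the original post: interface names (inside/outside/dmz), the 10.0.0.0/8 internal range, the 203.0.113.x and 10.1.1.x addresses, the class-map/policy-map names and the credential placeholders are all assumed. It shows both the pre-7.2 form of the connection limits (on the nat and static lines) and the 7.2.1+ per-client form via the Modular Policy Framework, and why the TCP syslog item carries a caveat.

```cisco
! --- uRPF on every interface (interface names are assumed) ---
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
!
! --- Connection limits, pre-7.2 style: limits live on the nat/static lines ---
! tcp <max conns> <embryonic>  udp <max conns>; 0 means unlimited (the default)
nat (inside) 1 10.0.0.0 255.0.0.0 tcp 50 50 udp 50
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 tcp 1000 200 udp 500
!
! --- Connection limits, 7.2.1+ style: per-client limits via the Modular Policy Framework ---
! One host can no longer exhaust the global limit; the embryonic cap bounds SYN floods
class-map CONN-LIMITS
 match any
policy-map global_policy
 class CONN-LIMITS
  set connection conn-max 10000 embryonic-conn-max 1000
  set connection per-client-max 50 per-client-embryonic-max 25
service-policy global_policy global
!
! --- Syslog. UDP is the safe default: with TCP syslog the ASA refuses new
! connections while the collector is unreachable unless permit-hostdown is set ---
logging enable
logging timestamp
logging trap informational
logging host inside 10.1.1.50
! if TCP syslog is required (collector address is constructed):
! logging host inside 10.1.1.51 tcp/1470
! logging permit-hostdown
!
! --- Management: no Telnet, SSHv2 only from the admin subnet ---
clear configure telnet
crypto key generate rsa modulus 2048
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
!
! --- AAA: TACACS+ first, LOCAL as fallback so a dead AAA server cannot lock you out ---
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.1.1.20
 key REPLACE_WITH_SHARED_SECRET
username admin password REPLACE_WITH_STRONG_PASSWORD privilege 15
aaa authentication ssh console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
!
! --- DMZ may not initiate sessions to the internal networks ---
access-list DMZ_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

Keep the local username in place before pointing authentication at TACACS+; the LOCAL fallback only helps if a local account exists, and the serial console line is the one you will need when the AAA server and the SSH path both fail.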
Original poster | Posted 2008-5-23 07:55:11
Summary of related troubleshooting commands


PIX/ASA/FWSM:
- Syslog
- debug icmp trace
- show xlate / show conn / show local-host
- show service-policy / show asp drop
- Packet capture
- HTTP capture for WebVPN
IOS security:
- Trace in the encrypted packet.
- Jump up/down in isakmp/ipsec
ACS/ACSSE:
- package.cab / debug on NAS
……
& experiences & knowledge & lab
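The PIX/ASA/FWSM commands listed above, arranged as the session a practitioner would run when a host behind the firewall reports a broken connection. This is an added example and not part of the original post: the host 10.1.1.25, the server 198.51.100.9, the TFTP collector 10.1.1.50, the capture names and the WebVPN username are constructed. It also covers the baseline item from the first post, since the baseline numbers are what the incident-time output is compared against.

```cisco
! --- Baseline (run periodically, keep the numbers, compare at incident time) ---
show cpu usage
show conn count
show xlate count
show traffic
show interface outside
!
! --- Is a connection limit or a drop policy biting? ---
show service-policy
show asp drop
! (clear asp drop, reproduce the problem, then show asp drop again for live counters)
!
! --- One host: its xlates, connections and embryonic counts ---
show local-host 10.1.1.25
show conn address 10.1.1.25
show xlate local 10.1.1.25
!
! --- Through-the-box ICMP: every echo and its translation on each interface ---
debug icmp trace
! (ping from 10.1.1.25 to 198.51.100.9 now, then stop debugging)
undebug all
!
! --- Packet capture on both sides of the box for one TCP flow ---
capture CAP-IN interface inside match tcp host 10.1.1.25 host 198.51.100.9 eq 443
capture CAP-OUT interface outside match tcp any host 198.51.100.9 eq 443
show capture CAP-IN
show capture CAP-OUT
copy /pcap capture:CAP-IN tftp://10.1.1.50/cap-in.pcap
no capture CAP-IN
no capture CAP-OUT
!
! --- WebVPN: capture the HTTP exchange of one clientless user ---
capture WEBVPN-ALICE type webvpn user alice
show capture WEBVPN-ALICE
no capture WEBVPN-ALICE
!
! --- Syslog: keep a buffered copy on the box while the collector is checked ---
logging buffered informational
show logging
```

If CAP-IN shows the SYN and CAP-OUT does not, the packet died inside the box and show asp drop names the reason; if both show the SYN but no SYN-ACK returns on CAP-OUT, the problem is upstream of the firewall. Remove captures when done, since they hold memory and keep matching traffic.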
Original poster | Posted 2008-5-23 07:55:23
What should you consider when troubleshooting?


- Always formulate an accurate and detailed problem description before troubleshooting (which host, which account, which kind of application, which error message)
- Ensure you have set your trace levels properly and gathered the appropriate traces after a problem occurs (security products are far more trivial than IOS routers at this point)
- Use all the tools at your disposal to make searching through traces easier and quicker
Posted 2008-7-3 15:24:05
Strongly support this; a good article deserves a bump.