Wednesday, January 5, 2011
[Weak-Current College] Analysis of the six essential firewall configuration commands --- Power By [China Power House Network]
The basic functions of a firewall are set up with six commands. Unless you have special security requirements, these six commands are enough to get a firewall configured. The discussion below uses a Cisco PIX firewall (PIX 6.x command syntax) as the example and is meant as a reference.

Command 1: interface

The interface command is the most basic one. Its main jobs are to turn interfaces on and off and to set their speed. When a firewall leaves the factory, all of its interfaces are shut down, so a firewall that is installed without any configuration passes no traffic at all: it does not protect the enterprise network, and it also cuts the network off.

1. Configuring the interface speed. The speed can be set in two ways: manually, where the administrator specifies the speed, or automatically, where the firewall negotiates the speed with the attached device. For example, interface ethernet0 auto sets ethernet0 to negotiate its speed automatically, and interface ethernet2 100full sets ethernet2 to 100 Mbit/s full duplex. Here ethernet0 and ethernet2 are the firewall's physical interface names, and the last parameter is the speed. Two points deserve attention. First, a manually specified speed must match the device at the other end: if the firewall connects to a switch, the switch port must be set to the same speed and duplex, otherwise you get unexpected errors such as duplex mismatches and packet loss. Second, although automatic speed setting is available, the author does not recommend it in practice: auto-negotiation can affect firewall performance, and it sometimes negotiates wrongly and causes a communication failure. Both the author and Cisco's documentation recommend setting the interface speed manually.

2. Shutting down and enabling interfaces. A firewall has several interfaces; for safety, any interface that is not in use should be shut down promptly. This is done with the shutdown keyword on the interface command, for example interface ethernet2 100full shutdown. Here the firewall differs from Cisco IOS software: there is no "no shutdown" command. To bring an interface back up, re-enter the interface command without the shutdown keyword (interface ethernet2 100full). The author suggests not enabling every interface, only the ones you actually need. Every enabled interface costs processing capacity and is an extra attack surface, which weakens the firewall's control over the enterprise network.

Command 2: nameif

From the factory, interfaces are known only by their hardware names (ethernet0 and so on), which is inconvenient for management: you cannot tell from the name whether an interface connects to the internal network or to the external network. The nameif command lets the administrator give each interface a descriptive name, for example outside for the interface that connects to the external network and inside for the interface that connects to the internal network, and at the same time assigns the interface a security level. The basic format is

nameif hardware-id if-name security-level

hardware-id is the physical location of the interface, such as ethernet0 or ethernet1. These names are fixed at the factory and cannot be changed; until an interface has been renamed, it can only be referred to by this hardware name. if-name is the name you assign. It should reflect what the interface is used for, like a nickname that tells you its purpose at a glance. The name must follow certain rules: no spaces or special characters (they complicate later commands), and at most 48 characters. security-level is the interface's security level, written security0 to security100. In general, the internal interface gets a high level and the external interface a low level. The firewall's access rule is that traffic from a higher-level interface to a lower-level one is permitted by default, so internal hosts can reach the external network without any special settings, while traffic from a lower-level interface to a higher-level one is blocked unless you explicitly allow it, for example with an access list together with a static translation.

The author's advice is not to build an elaborate hierarchy of security levels. For an enterprise with ordinary security requirements two levels are enough (there are usually only two interfaces anyway, one to the external network and one to the internal network), which makes managing the levels much easier. The internal network must have the higher level. From a security standpoint the basic principle is that access from the internal network to the external network is allowed, while access from the external network to the internal network is restricted, mainly to limit the damage that viruses, Trojans and the like can do to the enterprise network. If internal-to-external access also needs restrictions, such as forbidding access to external FTP servers, use access lists or other means. The interface name should reflect the interface's use, otherwise it is meaningless; inside and outside for the intranet and extranet interfaces are the usual choice. Then an administrator knows an interface's purpose as soon as he sees its name, which makes later configuration easier because you never have to work out which interface a name refers to. If you do forget the names, show nameif lists the configured interface names.

Command 3: ip address

Every enabled interface needs an IP address. The firewall supports two ways of getting one: automatically, for example from the enterprise DHCP server, or manually. The format of the command is

ip address if-name ip [netmask]

Note that if-name here is the name assigned with nameif: once an interface has been named, this and all later commands refer to it by that name rather than by its hardware position.

If you assign addresses manually, watch out for several things. First, if there is a DHCP server in the enterprise, avoid address conflicts: the address of each firewall interface must be unique in the whole enterprise network, so make sure the DHCP server's address pool does not include the addresses used by the firewall interfaces. Second, for ease of management, give the firewall interfaces consecutive addresses. When planning enterprise addressing, the author reserves four addresses for the firewall's interfaces, even for interfaces that are not in use yet, so that when they are brought into service later their addresses are still contiguous. Third, the netmask is optional in the command, but if you omit it the firewall fills in a default mask derived from the address class, which is usually wrong for a subnetted network; always specify the mask explicitly to avoid a hard-to-find configuration error.

If you do obtain interface addresses by DHCP, the author suggests reserving a fixed address for each firewall interface on the DHCP server, which makes the interfaces easier to manage. For a larger enterprise network, or one with high security requirements, it is generally better not to use DHCP at all and to assign each interface's address manually.

Command 4: nat, global and static

The nat (network address translation) command specifies which group of internal addresses is to be translated, and the global command defines the public address or address range that they are translated to. Together these two commands implement address translation, including translation down to the port level. Address translation is very useful in practice. Public IP addresses are scarce; a company often has only one or two. At the same time, its file server, OA system, mail server and so on may need to be reachable from outside, and without address translation each of them would need a public address of its own. That severely limits external access to internal systems: home office and travelling staff could not reach the internal network at all. Address translation overcomes this problem by mapping an internal address (optionally just one port of it) to a public address, so an internal host appears on the Internet with a valid public address and employees outside the company can reach the internal information system over the Internet.

In practice the most common case is translating a single local address to a single global address rather than to an address range. Suppose the company's ERP server has the address 192.168.0.6 and external staff, for example at a sales office in another city, should reach it at the public address 202.96.96.236. The configuration is

static (inside,outside) 202.96.96.236 192.168.0.6

Note the argument order: on the PIX the global (public) address comes first and the local (internal) address second; reversing them is a common mistake. This command configures a one-to-one relationship on the firewall: when an external host connects to 202.96.96.236, the firewall rewrites the destination to 192.168.0.6, so external access to the internal system works. What if there is more than one system, say the OA system at 192.168.0.5 and the ERP system at 192.168.0.6, and staff working from home or on the road need both? With two public addresses it is simple: give each system its own. With only one public address, use the static command's port redirection form: external users connect to a specific public address and port, and the firewall redirects that traffic to the corresponding internal address and port.

Two reminders. First, there must be enough global addresses to cover the local addresses specified in the nat command; otherwise use PAT (port address translation), which distinguishes clients by port and lets up to about 64,000 internal clients share a single public address. Most Chinese enterprises are short of addresses and rely on PAT. Second, besides easing the address shortage, translation has a welcome side effect: it hides internal hosts. In the example above, an outside user who needs the ERP server only needs to know the public address, not which internal server he is reaching or what its address is, which helps protect the internal server. Bear in mind that hiding the address is not an access control: a static on its own does not admit traffic from the lower-level outside interface, and whatever you do expose still needs an access list that permits only the intended ports.

Command 5: icmp

Once the configuration is in place, you need test commands to check it. The two most basic ones are ping and debug. Administrators know ping well, but on a firewall it behaves specially: the default policy does not let ICMP coming in on the outside interface through. When you ping an external address, the other side would return an ICMP echo reply if it is up, but the firewall denies that traffic by default, for security reasons. During testing that gets in the way, because without the replies you cannot verify your work, so at the start of configuration it is common to permit ICMP temporarily with

icmp permit any outside

This allows ICMP arriving from outside at the firewall. Note that the icmp command governs ICMP addressed to the firewall's own interfaces (for example pinging the outside interface from an external host); ICMP that has to pass through the firewall to an internal host is controlled separately, with an access list, just like any other inbound traffic. The author warns that once testing is finished you should restore the original setting with the deny form of the same command (icmp deny any outside). Having the firewall reject ICMP from the outside interface helps internal security considerably, for instance against denial-of-service attacks and reconnaissance.

Command 6: write memory

Changes made to the firewall's configuration are not written to flash directly. The firewall is designed this way so that an administrator who makes a setting that is hard to undo can simply restart the firewall and get the previous settings back. In other words, updated configuration is kept in RAM (the running configuration) rather than in flash, and the contents of RAM are lost when the firewall restarts. So once your configuration has been tested, remember to use write memory to write the changes to flash; then they will still be in force after a restart. The author's reminder: do not write a configuration to flash before it has been tested. Once it is in flash, a configuration that turns out to be wrong or hard to undo can no longer be discarded by a restart; you would have to wipe the configuration and rebuild it from the factory state, which is a heavy blow to any administrator. Test first, then save permanently with this command. Also make sure the firewall does not lose power before you save, or the work is lost; connecting the firewall to a UPS is the sensible approach.
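As an added example that is not part of the original post and not a Cisco tool, the Python script below parses a PIX 6.x-style configuration built from the six commands above and checks it against the advice in this post: manual interface speeds, unused interfaces shut down, inside above outside in security level, explicit netmasks, the static arguments in the right order (global address first) and the ICMP test rule removed before saving. Both configuration strings are constructed; the interface names, the addresses (reusing 202.96.96.236 and 192.168.0.6 from the post) and the check names are assumptions for illustration. The port-redirection form of static (tcp global_ip global_port local_ip local_port) appears in the sample as it is typed on the firewall.

```python
"""Check a PIX 6.x-style configuration against the six-command checklist.

Added example; not code from the original post or from Cisco. Both configs
below are constructed: addresses follow the post (202.96.96.236 -> 192.168.0.6)
and belong to no real host.
"""
import ipaddress
import re

# Constructed "finished" configuration: manual speeds, unused interface shut
# down, inside/outside with explicit masks, one public address shared by the
# OA and ERP servers via port redirection, and the ICMP test rule still present.
SAMPLE_CONFIG = """\
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 202.96.96.235 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface
static (inside,outside) tcp 202.96.96.236 80 192.168.0.5 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 202.96.96.236 8080 192.168.0.6 80 netmask 255.255.255.255 0 0
icmp permit any outside
"""

# Constructed configuration with the mistakes the post warns about: auto speed,
# an enabled interface never named, inverted levels, no mask, swapped static.
SAMPLE_MISTAKES = """\
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security100
nameif ethernet1 inside security0
ip address outside 202.96.96.235 255.255.255.248
ip address inside 192.168.0.1
static (inside,outside) 192.168.0.6 202.96.96.236 netmask 255.255.255.255 0 0
"""

# static (real_if,mapped_if) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] ...
STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?:(?P<proto>tcp|udp)\s+)?"
    r"(?P<mapped_ip>[\d.]+)\s+(?:(?P<mapped_port>\d+)\s+)?(?P<real_ip>[\d.]+)"
)


def classful_mask(ip):
    """Mask the firewall assumes when 'ip address' omits one (class A/B/C default)."""
    first = int(ip.split(".")[0])
    return "255.0.0.0" if first < 128 else "255.255.0.0" if first < 192 else "255.255.255.0"


def parse_config(text):
    """Pull out the interface, nameif, ip address, static and icmp lines."""
    cfg = {"interfaces": {}, "names": {}, "addresses": {}, "statics": [], "icmp": []}
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 3 and p[0] == "interface":          # interface hw speed [shutdown]
            cfg["interfaces"][p[1]] = {"speed": p[2], "shutdown": "shutdown" in p[3:]}
        elif len(p) == 4 and p[0] == "nameif":           # nameif hw name securityN
            cfg["names"][p[1]] = (p[2], int(p[3].replace("security", "")))
        elif len(p) >= 4 and p[:2] == ["ip", "address"]:  # ip address name ip [mask] | dhcp
            cfg["addresses"][p[2]] = None if p[3] == "dhcp" else (p[3], p[4] if len(p) > 4 else None)
        elif p and p[0] == "static" and STATIC_RE.match(line):
            cfg["statics"].append(STATIC_RE.match(line).groupdict())
        elif p and p[0] == "icmp":
            cfg["icmp"].append(line)
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    findings = []
    levels = dict(cfg["names"].values())                # if-name -> security level
    for hw, info in cfg["interfaces"].items():
        if info["speed"] == "auto":
            findings.append(f"{hw}: speed is auto; set it to match the attached switch port")
        if not info["shutdown"] and hw not in cfg["names"]:
            findings.append(f"{hw}: enabled but never named; shut it down or give it a nameif")
    if levels.get("inside", 100) <= levels.get("outside", 0):
        findings.append("security levels: inside must be higher than outside")
    networks = {}                                       # if-name -> connected subnet
    for hw, (name, _) in cfg["names"].items():
        if cfg["interfaces"].get(hw, {}).get("shutdown"):
            continue                                    # shut down: needs no address
        if name not in cfg["addresses"]:
            findings.append(f"{name}: enabled but has no ip address")
            continue
        if cfg["addresses"][name] is None:
            continue                                    # DHCP: nothing to check statically
        ip, mask = cfg["addresses"][name]
        if mask is None:
            findings.append(f"{name}: netmask omitted; the firewall will assume {classful_mask(ip)}")
        networks[name] = ipaddress.ip_network(f"{ip}/{mask or classful_mask(ip)}", strict=False)
    for st in cfg["statics"]:
        real_ip, mapped_ip = ipaddress.ip_address(st["real_ip"]), ipaddress.ip_address(st["mapped_ip"])
        real_net, mapped_net = networks.get(st["real_if"]), networks.get(st["mapped_if"])
        # Global address first, local second: a static whose "global" address sits
        # on the inside subnet and whose "local" address sits outside is reversed.
        if real_net and mapped_net and mapped_ip in real_net and real_ip in mapped_net:
            findings.append(f"static {st['mapped_ip']} {st['real_ip']}: addresses swapped; global comes first")
    for line in cfg["icmp"]:
        if line.startswith("icmp permit any"):
            findings.append(f"'{line}': test-time rule; deny it again before write memory")
    return findings


if __name__ == "__main__":
    for label, text in (("finished", SAMPLE_CONFIG), ("mistakes", SAMPLE_MISTAKES)):
        print(f"== {label} ==", *audit(parse_config(text)), sep="\n - ")
```

Run against SAMPLE_CONFIG the only finding is the leftover icmp permit rule, which is exactly the item the post says to restore after testing; SAMPLE_MISTAKES produces five findings, including the reversed static that the original article's own example would have triggered.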