ASAv 9.3(1) (ASAv931) installation, initialization and ASDM management
Source: https://blog.51cto.com/380531251/1702308
https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html
https://www.cisco.com/c/zh_cn/products/security/asa-next-generation-firewall-services/index.html
https://www.cisco.com/c/en/us/support/security/adaptive-security-appliance-asa-software/series.html
https://www.cisco.com/c/en/us/support/security/adaptive-security-appliance-asa-software/products-installation-and-configuration-guides-list.html
https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asaroadmap.html
https://www.cisco.com/c/zh_cn/td/docs/security/asa/asa912/asav/quick-start-book/asav-912-qsg/asav-912-qsg_chapter_0110.html
https://shvechkov.tripod.com/nptp_setup.zip
http://f.usht.ru/Cisco/IOS/ASA-PIX/KGen/Cisco%20ASA%20Keygen.exe
Required software
- VMware Workstation;
- ASAv931, Cisco's ASAv, i.e. the ASA packaged as a VMware Workstation virtual machine;
- nptp, a small tool that exposes the VM's serial-port named pipe on a TCP port; it sits between the terminal client and the VM;
- Cisco ASA Keygen.exe, a key generator that produces an activation key for the ASA license, used here to activate the ASAv permanently;
- tftpd32.400, used to upload the ASDM image to the ASAv;
- jre-7u45-windows-i586, since ASDM needs a Java runtime.
nptp and the keygen are unsigned binaries fetched from third-party sites (the links above); treat them as untrusted and run them only on a disposable lab machine.
II. Installation and initialization
1. Install ASAv
First, download ASAv931.zip and extract it.
Open VMware Workstation, click [File] -- [Open], browse to the ASAv931 folder and open ASAv.vmx to load the virtual machine.
The settings above are all defaults.
- Give the VM at least 2 GB of memory to avoid errors when connecting with ASDM later. The image itself warns at boot when it has less than 4096 MB (the warning appears in the show version output after activation below), so 4 GB is the safer choice if the host can spare it.
- Add several network adapters; they make the later labs easier. Each adapter becomes one firewall interface: the first is the management port, Management0/0; the rest are GigabitEthernet0/0, GigabitEthernet0/1, and so on.
Once the VM is open, add a serial port to it. SecureCRT, Xshell or similar clients will telnet to it; it plays the role of the console port on a physical appliance.
Click [Edit virtual machine settings]
Click [Add]
Select [Serial Port]
Select [Output to named pipe]
Copy the named pipe path, click Finish, then click OK to create the serial port.
Power on the VM and start the initialization.
Select the first line and press Enter to boot.
Note:
Some installs boot straight into the system on the first try; others keep rebooting. If you hit the latter, reboot a few more times; if it still fails, delete the VM and import it again.
The system has booted successfully.
2. Initialize the system
Although the serial port was added and the system has booted, the serial console is not yet enabled on the ASAv side. The extracted ASAv931 folder contains a readme that says:
In the ASAv virtual firewall the serial port is disabled by default. According to Cisco's official documentation, enable it as follows: boot the ASAv in VMware and, once it is up, run:
ciscoasa(config)# cd coredumpinfo
ciscoasa(config)# copy coredump.cfg disk0:/use_ttyS0
So enable the serial console as instructed:
ciscoasa> enable
Password:                           // no password by default, just press Enter
ciscoasa# config t
ciscoasa(config)# cd coredumpinfo
ciscoasa(config)# copy coredump.cfg disk0:/use_ttyS0
ciscoasa(config)# wr
ciscoasa(config)# reload            // after enabling the serial console, save the configuration and reload for it to take effect
What matters is that a file named disk0:/use_ttyS0 exists; copying coredump.cfg is just a convenient way to create it. After the reload the CLI is available only on the serial port, no longer in the VMware console window.
With the serial port in place you still need a port to connect to, which is where the nptp tool comes in: it acts as a middleman and opens a TCP port on the host that is wired to the VM's named pipe. The steps:
Double-click nptp.exe to install it, which yields piped.exe; open it.
Click [Edit] -- [new] to create a new connection port.
- [Pipe]: enter the named pipe path that was generated when the serial port was created;
- [Port]: any free TCP port of your choosing.
When done, click [Add].
Note: keep this window open for as long as you are connected to the VM; otherwise SecureCRT/Xshell cannot reach the ASA virtual firewall. Minimizing it is fine.
Then open SecureCRT and create a new session.
Use the telnet protocol.
- [Hostname]: the address shown in the nptp window;
- Port: the port you set in nptp.
Click Finish to create the session, then connect.
This listener is unauthenticated telnet: anyone who can reach that port on the host gets the firewall console, so do not expose it beyond the local machine.
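The nptp step above can be done without a third-party binary. The following Python script is an added example, not code from the original post or from the nptp tool: it listens on a local TCP port and relays bytes between a telnet client and the VMware named pipe. The pipe path \\.\pipe\com_1 (the default VMware offers in the dialog) and port 2001 are assumptions; the relay itself is generic and works with any pair of byte streams. It passes telnet negotiation bytes through unchanged, so connect the client in raw or telnet mode as the article does.

```python
r"""Expose a VMware serial-console named pipe on a local TCP port.

Added example, not code from the original post and not the nptp/piped.exe
tool it uses. VMware presents the VM's serial port as a Windows named pipe
(the default name in its dialog is \\.\pipe\com_1); SecureCRT and similar
clients cannot open that pipe directly, so this script listens on
127.0.0.1:<port> and copies bytes both ways. Pipe name and port are
assumptions: take them from the VM settings.
"""
import socket
import threading

PIPE_PATH = r"\\.\pipe\com_1"      # assumed: the name VMware generated in the dialog
LISTEN = ("127.0.0.1", 2001)       # assumed: any free local port; loopback only


def pump(src, dst, bufsize=4096):
    """Copy bytes src -> dst until EOF or error; returns the number of bytes copied.

    src/dst are unbuffered binary file objects: FileIO from
    open(pipe, "r+b", buffering=0) or SocketIO from sock.makefile("rwb", buffering=0).
    Their read(n) returns whatever is available and b"" at EOF.
    """
    copied = 0
    try:
        while True:
            data = src.read(bufsize)
            if not data:
                break
            dst.write(data)
            copied += len(data)
    except (OSError, ValueError):
        pass                           # peer went away or a handle was closed under us
    return copied


def bridge(a, b):
    """Full-duplex relay between two file objects; returns the two worker threads."""
    workers = [threading.Thread(target=pump, args=pair, daemon=True)
               for pair in ((a, b), (b, a))]
    for w in workers:
        w.start()
    return workers


def serve(pipe_path=PIPE_PATH, listen=LISTEN):
    """Accept one terminal client at a time and wire it to the VM's serial pipe."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen(1)
        print("listening on %s:%d -> %s" % (*listen, pipe_path))
        while True:
            conn, peer = srv.accept()
            print("client connected from %s:%d" % peer)
            try:
                # VMware is the pipe server once the VM is powered on; a plain
                # open() on the pipe path is enough for the client side on Windows.
                pipe = open(pipe_path, "r+b", buffering=0)
            except OSError as exc:
                print("cannot open %s (is the VM powered on?): %s" % (pipe_path, exc))
                conn.close()
                continue
            with conn, pipe:
                workers = bridge(conn.makefile("rwb", buffering=0), pipe)
                workers[0].join()      # client -> pipe direction ends when the client hangs up
                # leaving the block closes the pipe handle, which unblocks the
                # pipe -> client thread (its pending read fails and pump() returns)
            print("client disconnected")


if __name__ == "__main__":
    serve()
```

Run it on the VMware host, then point the terminal client at 127.0.0.1:2001 exactly as the article does for nptp.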
A freshly installed ASA has no license, and many features are unavailable until it is licensed.
Use show version to check the activation state:
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.3(1)     // ASAv version
Device Manager Version 7.3(1)                                   // ASDM version; it must be a release Cisco lists as compatible with this ASA version (for 9.3(1) that is 7.3(1))

Compiled on Wed 23-Jul-14 18:16 PDT by builders
System image file is "boot:/asa931-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 1 min 48 secs                                       // uptime: 1 minute 48 seconds

Hardware:   ASAv, 2048 MB RAM, CPU Xeon 5600 series 2600 MHz, 1 CPU (2 cores)   // memory and CPU model
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

 0: Ext: Management0/0       : address is 000c.2986.4a11, irq 10
 1: Ext: GigabitEthernet0/0  : address is 000c.2986.4a1b, irq 5
 2: Ext: GigabitEthernet0/1  : address is 000c.2986.4a25, irq 9
 3: Ext: GigabitEthernet0/2  : address is 000c.2986.4a2f, irq 10
 4: Ext: GigabitEthernet0/3  : address is 000c.2986.4a39, irq 5
 5: Ext: GigabitEthernet0/4  : address is 000c.2986.4a43, irq 9
 6: Ext: GigabitEthernet0/5  : address is 000c.2986.4a4d, irq 11

ASAv Platform License State: Unlicensed                         // not licensed
*Install 1219410848 vCPU ASAv platform license for full functionality
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Virtual CPUs                      : 0              perpetual    // no vCPU entitlement
Maximum Physical Interfaces       : 10             perpetual    // at most 10 physical interfaces
Maximum VLANs                     : 100            perpetual    // maximum number of VLANs
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual    // Active/Standby failover supported
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 0              perpetual    // no security contexts (virtual firewalls)
GTP/GPRS                          : Disabled       perpetual    // GTP/GPRS inspection not enabled
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASAv VPN Premium license.
Serial Number: 9AGRB5FHKDK
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

Image type          : Release
Key version         : A
As shown, only part of the feature set is enabled; the all-zero running key is the default key, and the 0 vCPU entitlement is what throttles an unlicensed ASAv.
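To make the "is it licensed?" check scriptable (for example from a lab bring-up script that reads the console over the serial relay), the following Python is an added example, not from the original post: it parses the text of show version into a dictionary and lists what is wrong with the license state. The sample input is constructed from the unlicensed output above, trimmed to a few feature rows; the field names follow that output, while the finding rules are this example's own.

```python
"""Parse the licence section of ASA `show version` and flag an unlicensed ASAv.

Added example, not from the original post. SAMPLE is constructed from the
unlicensed output in the article (a subset of the feature rows).
"""
import re

SAMPLE = """\
Cisco Adaptive Security Appliance Software Version 9.3(1)
Device Manager Version 7.3(1)

Hardware:   ASAv, 2048 MB RAM, CPU Xeon 5600 series 2600 MHz, 1 CPU (2 cores)

ASAv Platform License State: Unlicensed
Licensed features for this platform:
Virtual CPUs                      : 0              perpetual
Maximum Physical Interfaces       : 10             perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 0              perpetual
AnyConnect Premium Peers          : 2              perpetual
Total VPN Peers                   : 250            perpetual
Cluster                           : Disabled       perpetual

This platform has an ASAv VPN Premium license.
Serial Number: 9AGRB5FHKDK
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
"""

_VERSION = re.compile(r"Software Version (\S+)")
_ASDM = re.compile(r"Device Manager Version (\S+)")
_STATE = re.compile(r"Platform License State:\s*(\S+)")
_SERIAL = re.compile(r"Serial Number:\s*(\S+)")
_KEY = re.compile(r"Running Permanent Activation Key:\s*((?:0x[0-9a-fA-F]{8}\s*){5})")
# one row of the feature table: "<name> : <value> perpetual" (or "<n> days" for timed licences)
_FEATURE = re.compile(
    r"^(?P<name>[A-Za-z0-9/ .()-]+?)\s*:\s+(?P<value>\S+(?: \S+)*?)\s+(?P<term>perpetual|\d+ days)\s*$"
)


def parse_show_version(text):
    """Return version, ASDM version, licence state, serial, key words and the feature table."""
    info = {"features": {}}
    for pat, key in ((_VERSION, "asa_version"), (_ASDM, "asdm_version"),
                     (_STATE, "license_state"), (_SERIAL, "serial")):
        m = pat.search(text)
        info[key] = m.group(1) if m else None
    m = _KEY.search(text)
    info["activation_key"] = m.group(1).split() if m else None
    in_table = False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_table = True
            continue
        if in_table:
            fm = _FEATURE.match(line)
            if fm:
                info["features"][fm["name"].strip()] = fm["value"]
            elif not line.strip():
                in_table = False        # blank line ends the table
    return info


def license_findings(info):
    """Human-readable problems with the licence; an empty list means it looks usable."""
    problems = []
    if info["license_state"] != "Compliant":
        problems.append("platform license state is %s" % info["license_state"])
    if info["activation_key"] and set(info["activation_key"]) == {"0x00000000"}:
        problems.append("running activation key is the all-zero default")
    if info["features"].get("Virtual CPUs") == "0":
        problems.append("no vCPU entitlement: the ASAv runs throttled")
    return problems


if __name__ == "__main__":
    parsed = parse_show_version(SAMPLE)
    print("ASA %(asa_version)s / ASDM %(asdm_version)s, serial %(serial)s" % parsed)
    for p in license_findings(parsed):
        print(" -", p)
```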
Licensing the system with Cisco ASA Keygen
Notes:
- Serial Number: the system serial number, as shown by show version;
- Licensed Cores: choose Premium for a permanent license.
Steps:
Enter the serial number, click [Greedy] -- [Licensed Cores] and choose [Premium], i.e. a permanent license. Click [Etis atis animatis]... and the activation code appears at the bottom of the window; copy it as-is.
Tip:
If you want to copy the activation key and paste it, finish the SecureCRT connection first; typing directly in the VMware console means entering the key by hand. So set up the serial connection before this step.
To activate, enter the command generated by the key generator in the ASA's global configuration mode:
ciscoasa(config)# activation-key 0xc82ee460 0xacb8e2ec 0xd9f2e89c 0xc6dcaca8 0$
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
ASAv platform license state is Compliant.
**********************************************************************
WARNING: AnyConnect Essentials license active. Basic VPN support is in effect.
For specific details, please refer to Cisco AnyConnect VPN Client Administrator Guide.
**********************************************************************
Both Running and Flash permanent activation key was updated with the requested key, and will become active after the next reload.
ciscoasa(config)# wr                                            // save
Building configuration...
Cryptochecksum: b2a5d3fb 7b56f4cf ca578695 5c26009d

3348 bytes copied in 0.40 secs
[OK]
Check again after activation:
ciscoasa(config)# show version
Cisco Adaptive Security Appliance Software Version 9.3(1)
Device Manager Version 7.3(1)

Compiled on Wed 23-Jul-14 18:16 PDT by builders
System image file is "boot:/asa931-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 1 min 48 secs

Hardware:   ASAv, 2048 MB RAM, CPU Xeon 5600 series 2600 MHz, 1 CPU (2 cores)
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

 0: Ext: Management0/0       : address is 000c.2986.4a11, irq 10
 1: Ext: GigabitEthernet0/0  : address is 000c.2986.4a1b, irq 5
 2: Ext: GigabitEthernet0/1  : address is 000c.2986.4a25, irq 9
 3: Ext: GigabitEthernet0/2  : address is 000c.2986.4a2f, irq 10
 4: Ext: GigabitEthernet0/3  : address is 000c.2986.4a39, irq 5
 5: Ext: GigabitEthernet0/4  : address is 000c.2986.4a43, irq 9
 6: Ext: GigabitEthernet0/5  : address is 000c.2986.4a4d, irq 11

ASAv Platform License State: Compliant
The Running Activation Key feature: 10000 AnyConnect Premium sessions exceed the limit on the platform, reduced to 250 AnyConnect Premium sessions.
The Running Activation Key feature: 10000 UC Proxy sessions exceed the limit on the platform, reduced to 500 UC Proxy sessions.
Licensed features for this platform:
Virtual CPUs                      : 3              perpetual
Maximum Physical Interfaces       : 10             perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Enabled        perpetual
AnyConnect Premium Peers          : 250            perpetual
AnyConnect Essentials             : 250            perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Enabled        perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 500            perpetual
Total UC Proxy Sessions           : 500            perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASAv VPN Premium license.

Serial Number: 9A65V2SMUFT
Running Permanent Activation Key: 0x4037f240 0xe879e34c 0x5d922cd8 0xf1500454 0x8b30da9b

Image type          : Release
Key version         : A

Configuration has not been modified since last system restart.
ciscoasa(config)# Warning: Memory resource allocation is less than the minimum requirement limit of 4096 MB. If this condition persists, the performance will be lower than normal.
Activation succeeded. Two details in this capture are worth noticing: the serial number (9A65V2SMUFT) and the running key differ from the first listing and from the key typed above, so this output was taken on a different ASAv instance; and the memory warning is the ASAv saying that 2048 MB is below its 4096 MB minimum, which is why more RAM was recommended earlier.
3. Install the ASDM graphical management interface
Cisco's ASA also has a graphical management interface, Cisco's own ASDM. As with the security products of every major vendor, Cisco supports both a GUI and the CLI, and either can be used for configuration. Below is a brief walk-through of installing ASDM.
To install the GUI, the ASA must have the ASDM image on its flash. Each ASA release pairs with a particular ASDM release; as noted above, the numbers have tracked each other with a difference of 2, so ASA 9.3(1) pairs with asdm-731.bin, which is the image used here. Confirm the pairing against Cisco's ASA/ASDM compatibility table for other releases, since newer ASDM versions also manage older ASA releases.
Does the ASA already have the image? Check the flash:
ciscoasa# show disk0:
--#--  --length--  -----date/time------  path
    9        4096  Jun 14 2014 22:55:44  log
   10        4096  Jun 14 2014 22:57:46  coredumpinfo
   11          59  Jun 14 2014 22:57:46  coredumpinfo/coredump.cfg
   86    25088760  Nov 22 2014 18:50:26  asdm-731.bin
    8          59  Oct 12 2015 15:09:16  use_ttyS0
   87    12378114  Nov 22 2014 18:40:58  anyconnect-linux-64-4.0.00048-k9.pkg
   88     2241667  Nov 22 2014 18:41:58  anyconnect-macosx-i386-compliance-3.6.9492.2.pkg
   89    16202135  Nov 22 2014 18:42:30  anyconnect-win-4.0.00048-k9.pkg
   90    15328888  Nov 22 2014 18:45:18  anyconnect-macosx-i386-4.0.00048-k9.pkg
   91     4700062  Nov 22 2014 18:47:36  anyconnect-win-compliance-3.6.9492.2.pkg

8571076608 bytes total (8483897344 bytes free)
The image is present, so it can be enabled directly. (Note the 59-byte use_ttyS0 created earlier: it is a copy of coredump.cfg, which is also 59 bytes.)
Before enabling it, a word on how to upload the image when it is missing. This is where tftpd32 comes in: it turns the local PC into a TFTP server, from which the ASAv can download (or to which it can upload).
For that the PC and the ASAv must be able to talk to each other, so bridge the ASAv's management port, the first NIC, to the host's network adapter.
Then give the virtual firewall's management interface an address in the same subnet as the host's bridged NIC:
ciscoasa# config t
ciscoasa(config)# inter management 0/0
ciscoasa(config-if)# ip add 192.168.10.100 255.255.255.0
Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.
ciscoasa(config-if)# show ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Management0/0            mgmt                   192.168.10.100  255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Management0/0            mgmt                   192.168.10.100  255.255.255.0   manual
Note: the firewall's management port is management-only by default and does not forward traffic to or from the other interfaces. To let it forward traffic, enter no management-only on the interface; that command only works once the platform is licensed.
Start uploading the ASDM image.
Open the tftpd folder prepared earlier and put the ASDM image into it.
(The file to upload must sit in the same folder as the tftp program, which is the server's root directory.)
Open tftpd32.
Choose the directory and select the host's own IP (the PC is the TFTP server, so the address is the PC's address, 192.168.10.1 in this lab).
Then go back to the SecureCRT session and run:
ciscoasa# copy tftp flash:
Address or name of remote host []? 192.168.10.1        <the TFTP server, i.e. the PC running tftpd32, as the Accessing line below confirms; not the ASAv's own address>
Source filename []? asdm-721.bin                       <source file name>
Destination filename [asdm-721.bin]?                   <keep the destination name>
Accessing tftp://192.168.10.1/asdm-721.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asdm-721.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
24095116 bytes copied in 12.590 secs (2007926 bytes/sec)
(This capture transfers asdm-721.bin; for the 9.3(1) image used here the matching file is asdm-731.bin, which was already on flash.)
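For the upload itself, the following Python is an added example, not from the original post and not tftpd32: a read-only TFTP server (RFC 1350, octet mode) that serves one directory, refuses write requests and rejects file names that climb out of that directory, which is what you want when the TFTP server is your own workstation. The root directory, the 192.168.10.1 bind address and port 69 are assumptions for this lab; on Unix-like hosts binding port 69 requires root.

```python
"""Read-only TFTP server (RFC 1350, octet mode) for `copy tftp flash:` on the ASAv.

Added example, not code from the original post and not tftpd32: it answers
only RRQs, serves one directory, and rejects names that escape it, so the
ASAv can pull asdm-731.bin while nothing can be written back to the PC.
Root directory, bind address and port are assumptions for this lab.
"""
import os
import socket
import struct
import time

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
ERR_NOT_FOUND, ERR_ACCESS, ERR_ILLEGAL = 1, 2, 4
BLOCK = 512          # RFC 1350 data block size
TIMEOUT = 3.0        # seconds to wait for an ACK before resending a block
RETRIES = 5


def parse_request(pkt):
    """RRQ/WRQ -> (opcode, filename, mode); any other opcode -> (opcode, None, None)."""
    if len(pkt) < 2:
        raise ValueError("short packet")
    (op,) = struct.unpack("!H", pkt[:2])
    if op not in (OP_RRQ, OP_WRQ):
        return op, None, None
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 3:                  # filename, mode, and the empty tail after the last NUL
        raise ValueError("malformed request")
    return op, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def safe_path(root, filename):
    """Resolve filename inside root; None if it would escape (../, absolute path, symlink)."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, filename.replace("\\", "/").lstrip("/")))
    try:
        inside = os.path.commonpath([root, target]) == root
    except ValueError:                   # different drives on Windows
        inside = False
    return target if inside else None


def data_packet(block, chunk):
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + chunk


def error_packet(code, msg):
    return struct.pack("!HH", OP_ERROR, code) + msg.encode("ascii") + b"\x00"


def wait_ack(sock, peer, block):
    """True once the peer ACKs `block`. Stale or foreign packets are ignored, not answered."""
    deadline = time.monotonic() + TIMEOUT
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        sock.settimeout(remaining)
        try:
            ack, src = sock.recvfrom(516)
        except socket.timeout:
            return False
        if src != peer or len(ack) < 4:
            continue
        op, num = struct.unpack("!HH", ack[:4])
        if op == OP_ERROR:
            raise ConnectionError("client aborted: %r" % ack[4:])
        if op == OP_ACK and num == block & 0xFFFF:
            return True


def send_file(sock, peer, path):
    """Stream path in lock-step 512-byte blocks; returns the number of bytes sent."""
    sent, block = 0, 1
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK)
            pkt = data_packet(block, chunk)
            for _ in range(RETRIES):
                sock.sendto(pkt, peer)
                if wait_ack(sock, peer, block):
                    break
            else:
                raise TimeoutError("no ACK for block %d" % block)
            sent += len(chunk)
            if len(chunk) < BLOCK:       # a short (possibly empty) block ends the transfer
                return sent
            block += 1


def handle_request(ctl, pkt, peer, root):
    """Validate one request received on the control socket and run the transfer."""
    try:
        op, name, mode = parse_request(pkt)
    except ValueError:
        ctl.sendto(error_packet(ERR_ILLEGAL, "illegal TFTP operation"), peer)
        return
    if op != OP_RRQ:                     # WRQ (and anything else) is refused: read-only
        ctl.sendto(error_packet(ERR_ACCESS, "read-only server"), peer)
        return
    if mode != "octet":
        ctl.sendto(error_packet(ERR_ILLEGAL, "octet mode only"), peer)
        return
    path = safe_path(root, name)
    if path is None or not os.path.isfile(path):
        ctl.sendto(error_packet(ERR_NOT_FOUND, "file not found"), peer)
        return
    # Per RFC 1350 the data flows on a fresh port (the transfer ID), not on port 69.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as xfer:
        xfer.bind((ctl.getsockname()[0], 0))
        print("tftp: %s:%d <- %s" % (peer[0], peer[1], name))
        print("tftp: sent %d bytes" % send_file(xfer, peer, path))


def serve(root, bind=("192.168.10.1", 69)):   # assumed: the host's bridged NIC address
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as ctl:
        ctl.bind(bind)
        print("tftp: serving %s on %s:%d" % (os.path.realpath(root), *bind))
        while True:
            pkt, peer = ctl.recvfrom(516)
            handle_request(ctl, pkt, peer, root)


if __name__ == "__main__":
    serve(".")
```

Put asdm-731.bin in the directory you start the script from, then run the same copy tftp flash: dialogue as above. Transfers run one at a time, which is all a single ASAv needs.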
Install (that is, enable) the ASDM image:
ciscoasa(config)# asdm image disk0:/asdm-731.bin            <registers the ASDM image; there is no confirmation output>
Enable the HTTP server and restrict which remote hosts may connect:
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.10.0 255.255.255.0 mgmt
Note: although the command says http, the web connection uses HTTPS; security products use HTTPS for their web logins. The http <network> <mask> <interface> line is the access list for the ASDM/HTTPS listener: the example admits the whole 192.168.10.0/24 on mgmt, and outside a throwaway lab it should be narrowed to the administrator's host (for example http 192.168.10.1 255.255.255.255 mgmt).
Create a login account and make HTTP logins authenticate against the local user database:
ciscoasa(config)# username user1 password woaimsj privilege 15
ciscoasa(config)# aaa authentication http console LOCAL
Privilege 15 is full administrative access, so choose a stronger password than the lab value above for anything reachable beyond the host.
Open a browser and go to the ASA VM's address (https://192.168.10.100/ in this lab). Expect a warning about the ASA's self-signed certificate on first contact.
As the page shows, the GUI needs two pieces of software: ASDM Launcher and Java.
ASDM runs on Java, so a Java runtime is required.
Install the prepared Java package first (installation not shown).
Then click Install ASDM Launcher and log in with the account created on the ASA.
After login it prompts to run the installer. Click Run and then Next until it finishes. The installer places an icon on the desktop; open it:
Enter the ASAv's address and the account, then click OK to log in.
The interface after login looks like this:
From now on log in with this launcher rather than through the browser; just open the desktop icon.
============== End