Introduction
This document describes how to add Hypertext Transfer Protocol (HTTP) access to Firepower Threat Defense (FTD) when the management port fails.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Firepower 1120 Threat Defense version 7.4.2
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
Configuration
Step 1. From a console session on the device, connect to the FTD command-line interface shell (CLISH):
Cisco Firepower Extensible Operating System (FX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2009-2019, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license.
Certain components of this software are licensed under the "GNU General Public
License, version 3" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, Version 3", available here:
http://www.gnu.org/licenses/gpl.html. See User Manual (''Licensing'') for
details.
Certain components of this software are licensed under the "GNU General Public
License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms of
"GNU General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. See User Manual
(''Licensing'') for details.
Certain components of this software are licensed under the "GNU LESSER GENERAL
PUBLIC LICENSE, version 3" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU LESSER GENERAL PUBLIC LICENSE" Version 3", available here:
http://www.gnu.org/licenses/lgpl.html. See User Manual (''Licensing'') for
details.
Certain components of this software are licensed under the "GNU Lesser General
Public License, version 2.1" provided with ABSOLUTELY NO WARRANTY under the
terms of "GNU Lesser General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html. See User Manual
(''Licensing'') for details.
Certain components of this software are licensed under the "GNU Library General
Public License, version 2" provided with ABSOLUTELY NO WARRANTY under the terms
of "GNU Library General Public License, version 2", available here:
http://www.gnu.org/licenses/old-licenses/lgpl-2.0.html. See User Manual
(''Licensing'') for details.
KSEC-FPR1140-1# connect ftd
Step 2. From the FTD CLISH, enter the Linux shell with the expert command and elevate to root (administrator) privileges:
>
> expert
admin@KSEC-FPR1140-1:/$ sudo su
Password:
root@KSEC-FPR1140-1:/#
Step 3. Use LinaConfigTool to push the http command entry into the Lina configuration, and create a static route so that traffic from the web server running on the Linux side is sent to the nlp_int_tap interface on the Lina side:
root@KSEC-FPR1140-1:/# LinaConfigTool "http 192.168.1.0 255.255.255.0 inside"
root@KSEC-FPR1140-1:/#
root@KSEC-FPR1140-1:/# ip route add 192.168.1.0/24 via 169.254.1.1
root@KSEC-FPR1140-1:/#
root@KSEC-FPR1140-1:/#
Step 4. Return to the FTD CLISH and confirm that a Network Address Translation (NAT) rule was created automatically:
root@KSEC-FPR1140-1:/#
root@KSEC-FPR1140-1:/#
root@KSEC-FPR1140-1:/# exit
exit
admin@KSEC-FPR1140-1:/$ exit
logout
> show nat detail
Manual NAT Policies Implicit (Section 0)
1 (nlp_int_tap) to (inside) source static nlp_server__http_192.168.1.0_intf4 interface destination static 0_192.168.1.0_3 0_192.168.1.0_3 service tcp https https
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 10.10.105.87/24
Destination - Origin: 192.168.1.0/24, Translated: 192.168.1.0/24
Service - Protocol: tcp Real: https Mapped: https
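The NAT rule in Step 4 is what actually lets hosts on the data-interface subnet reach the web server behind nlp_int_tap, so it is worth checking it mechanically rather than by eye. The following is an added example, not code from the Cisco document or from the FTD software: a small Python parser for the "show nat detail" output in the format printed above (the regular expressions are assumptions based on that exact layout), plus a check that a rule exists from nlp_int_tap to the named data interface for the subnet given to LinaConfigTool. The sample input is the output shown in Step 4, copied into the script as a constructed string; on a real device you would paste the output of "show nat detail" into the same function.

```python
import ipaddress
import re

# Constructed sample: the "show nat detail" output from Step 4 of this document.
SAMPLE_NAT_OUTPUT = """\
Manual NAT Policies Implicit (Section 0)
1 (nlp_int_tap) to (inside) source static nlp_server__http_192.168.1.0_intf4 interface destination static 0_192.168.1.0_3 0_192.168.1.0_3 service tcp https https
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 10.10.105.87/24
Destination - Origin: 192.168.1.0/24, Translated: 192.168.1.0/24
Service - Protocol: tcp Real: https Mapped: https
"""

# Line patterns, assumed from the layout shown on this page.
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.*)$")
HITS_RE = re.compile(r"^translate_hits = (\d+), untranslate_hits = (\d+)$")
SRC_RE = re.compile(r"^Source - Origin: (\S+), Translated: (\S+)$")
DST_RE = re.compile(r"^Destination - Origin: (\S+), Translated: (\S+)$")
SVC_RE = re.compile(r"^Service - Protocol: (\S+) Real: (\S+) Mapped: (\S+)$")


def parse_nat_detail(text):
    """Return one dict per NAT rule found in 'show nat detail' output."""
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            # A new rule header starts a new record; detail lines attach to it.
            current = {
                "id": int(m.group(1)),
                "from": m.group(2),
                "to": m.group(3),
                "policy": m.group(4),
            }
            rules.append(current)
            continue
        if current is None:
            continue  # section headers before the first rule
        m = HITS_RE.match(line)
        if m:
            current["translate_hits"] = int(m.group(1))
            current["untranslate_hits"] = int(m.group(2))
            continue
        m = SRC_RE.match(line)
        if m:
            current["src_origin"], current["src_translated"] = m.group(1), m.group(2)
            continue
        m = DST_RE.match(line)
        if m:
            current["dst_origin"], current["dst_translated"] = m.group(1), m.group(2)
            continue
        m = SVC_RE.match(line)
        if m:
            current["protocol"], current["real"], current["mapped"] = m.groups()
    return rules


def find_rule_for_subnet(rules, subnet, data_interface, service="https"):
    """Return the rule that serves `subnet` through `data_interface`, or None.

    The rule must originate on nlp_int_tap, terminate on the data interface,
    carry the subnet as its untranslated destination, and match the expected
    real service (the page's output shows https for the pushed http entry).
    """
    wanted = ipaddress.ip_network(subnet)
    for rule in rules:
        if rule["from"] != "nlp_int_tap" or rule["to"] != data_interface:
            continue
        if "dst_origin" not in rule or rule.get("real") != service:
            continue
        if ipaddress.ip_network(rule["dst_origin"]) == wanted:
            return rule
    return None


def http_access_rule_present(text, subnet, data_interface):
    """True if 'show nat detail' output contains the rule Step 4 expects."""
    return find_rule_for_subnet(parse_nat_detail(text), subnet, data_interface) is not None


if __name__ == "__main__":
    for rule in parse_nat_detail(SAMPLE_NAT_OUTPUT):
        print(rule)
    print(http_access_rule_present(SAMPLE_NAT_OUTPUT, "192.168.1.0/24", "inside"))
```

The parsed translate_hits and untranslate_hits counters are also useful in the Troubleshoot section: re-run the check after a browser attempt from the allowed subnet, and counters that stay at 0 indicate the connection never matched this rule, which points back at the data interface or the static route rather than at the web server.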
Step 5. Access the FDM UI on the data interface, and from the UI create management access on the data interface so that the change is kept permanently:


Verify
Open a browser and try to access FDM using the data interface IP address.

Troubleshoot
Run a packet capture and confirm that:
- Traffic is arriving on the data interface.
- Traffic is being forwarded to the nlp_int_tap interface.