有些朋友对配防火墙还是有问题,其实配置ASA防火墙很简单,常用的命令有hostname、interface(ip address、no shutdown、nameif、security-level)、nat、global、route、static、access-list、access-group。
创新互联公司坚持“要么做到,要么别承诺”的工作理念,服务领域包括:成都网站设计、做网站、企业官网、英文网站、手机端网站、网站推广等服务,满足客户于互联网时代的白城网站设计、移动媒体设计的需求,帮助企业找到有效的互联网解决方案。努力成为您成熟可靠的网络建设合作伙伴!
下面来解析一台ASA 8.0的配置
ASA Version 8.0(2) //注意版本,8.3以后NAT命令有所变化
!
hostname ciscoasa //主机名
domain-name sannet.net
enable password 2KFQnbNIdI.2KYOU encrypted //enable密码
names
!
interface Ethernet0/0
nameif inside //定义内网口
security-level 100 //安全级别
ip address 192.168.1.254 255.255.255.0 //内网IP 地址
!
interface Ethernet0/1
nameif dmz //定义DMZ区域
security-level 50 //安全级别
ip address 172.16.1.254 255.255.255.0 //DMZ区域 IP 地址
!
interface Ethernet0/2
nameif outside //定义外网口
security-level 0 //安全级别
ip address 221.222.1.2 255.255.255.0 //外网IP地址
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd W6dWZr89yLlX1S1u encrypted //telnet 密码
ftp mode passive
DNS server-group DefaultDNS
domain-name sannet.net //域名 ssh使用
access-list ToDmz extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 //去往DMZ不做NAT的acl
access-list telnet extended permit tcp any interface outside eq 2023 //外网访问内网的acl
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control //开启nat
global (outside) 1 interface //定义外网映射地址
nat (inside) 0 access-list ToDmz //定义不做NAT转换区域
nat (inside) 1 0.0.0.0 0.0.0.0 //定义内网NAT转换地址
static (dmz,outside) tcp interface 2023 172.16.1.2 telnet netmask 255.255.255.255 //端口地址转换
static (dmz,outside) 221.222.1.3 172.16.1.1 netmask 255.255.255.255 //私有地址转换
access-group telnet in interface outside //外网口接收ACL(telnet)的流量
route outside 0.0.0.0 0.0.0.0 221.222.1.1 1 //默认路由
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h423 0:05:00 h325 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside //定义内网telnet网段
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside //定义外网ssh网段
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h423 h325
inspect h423 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp //定义可以通过icmp流量,可使用命令fixup protocol icmp
!
service-policy global_policy global
username cisco password vzoACXLxNjqisKsJ encrypted
prompt hostname context
Cryptochecksum:b38407b376659065819b3044e94283f1
: end
