Cisco ASA 5505 basic configuration
interface Vlan2
 nameif outside                           --- name this interface as the outside interface
 security-level 0                         --- set the interface security level
 ip address X.X.X.X 255.255.255.224       --- set the outside (WAN) address
!
interface Vlan3
 nameif inside                            --- name this interface as the inside interface
 security-level 100                       --- set the interface security level
 ip address 192.168.1.1 255.255.255.0     --- set the inside (LAN) address
!
interface Ethernet0/0
 switchport access vlan 2                 --- bind this port to VLAN 2
!
interface Ethernet0/1
 switchport access vlan 3                 --- bind this port to VLAN 3
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 211.99.129.210
 name-server 202.106.196.115
access-list 102 extended permit icmp any any   --- ACL: permit all ICMP
access-list 102 extended permit ip any any     --- ACL: permit all IP traffic
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface                   --- NAT: translate to the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0 0               --- NAT pool covering all inside addresses; the trailing 0 means no maximum session limit
access-group 102 in interface outside          --- apply ACL 102 inbound on the outside interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1        --- default route towards the Internet
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside                  --- allow Telnet from any inside address
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside                    --- allow SSH from any outside address
ssh timeout 30
ssh version 2
console timeout 0
!
dhcpd address 192.168.1.100-192.168.1.199 inside            --- DHCP server address pool
dhcpd dns 211.99.129.210 202.106.196.115 interface inside   --- DNS servers handed out on the inside interface
dhcpd enable inside                                         --- enable DHCP on the inside interface
!

A few days ago I went to a customer site to set up a Cisco ASA 5505. It was my first time touching one; it works just like a PIX. Nothing fancy here, all the basics. The other service configuration has not been done yet; I will update this post in time.
Cisco ASA 5505 configuration
Tags: cisco, config, telnet, firewall, Cisco

1. Set the firewall hostname
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# hostname asa5505

2. Configure Telnet
asa5505(config)# telnet 192.168.1.0 255.255.255.0 inside   --- allow the inside 192.168.1.0 network to Telnet to the firewall

3. Configure passwords
asa5505(config)# password cisco          --- remote (login) password
asa5505(config)# enable password cisco   --- privileged-mode password

4. Configure IP addresses
asa5505(config)# interface vlan 2                               --- enter vlan 2
asa5505(config-if)# ip address 218.16.37.222 255.255.255.192   --- IP address for vlan 2
asa5505(config)# show ip address vlan2                          --- verify

5. Add a port to a VLAN
asa5505(config)# interface e0/3                                --- enter interface e0/3
asa5505(config-if)# switchport access vlan 3                   --- put e0/3 into vlan 3
asa5505(config)# interface vlan 3                              --- enter vlan 3
asa5505(config-if)# ip address 10.10.10.36 255.255.255.224    --- IP address for vlan 3
asa5505(config-if)# nameif dmz                                 --- name vlan 3
asa5505(config-if)# no shutdown                                --- bring it up
asa5505(config-if)# show switch vlan                           --- verify

6. Maximum transmission unit (MTU)
asa5505(config)# mtu inside 1500    --- inside MTU 1500 bytes
asa5505(config)# mtu outside 1500   --- outside MTU 1500 bytes
asa5505(config)# mtu dmz 1500       --- dmz MTU 1500 bytes

7. ARP table timeout
asa5505(config)# arp timeout 14400   --- ARP entries time out after 14400 seconds

8. FTP mode
asa5505(config)# ftp mode passive   --- passive-mode FTP

9. Domain name
asa5505(config)# domain-name Cisco.com

10. Enable logging
asa5505(config)# logging enable               --- enable logging
asa5505(config)# logging asdm informational   --- send informational-level logs to ASDM
asa5505(config)# show logging                 --- verify

11. Enable the HTTP server
asa5505(config)# http server enable             --- start the HTTP server so ASDM can connect
asa5505(config)# http 0.0.0.0 0.0.0.0 outside   --- allow ASDM connections from outside
asa5505(config)# http 0.0.0.0 0.0.0.0 inside    --- allow ASDM connections from inside

12. Access control lists
access-list acl_out extended permit tcp any any eq www                  --- permit inbound TCP port 80
access-list acl_out extended permit tcp any any eq https                --- permit inbound TCP port 443
access-list acl_out extended permit tcp any host 218.16.37.223 eq ftp   --- permit TCP port 21 to host 218.16.37.223
access-list acl_out extended permit tcp any host 218.16.37.224 eq 3389  --- permit TCP port 3389 to host 218.16.37.224
access-list acl_out extended permit tcp any host 218.16.37.225 eq 1433  --- permit TCP port 1433 to host 218.16.37.225
access-list acl_out extended permit tcp any host 218.16.37.226 eq 8080  --- permit TCP port 8080 to host 218.16.37.226
asa5505(config)# show access-list   --- verify

13. Routing
asa5505(config)# route dmz 10.0.0.0 255.0.0.0 10.10.10.33 1       --- static route to 10.0.0.0/8 via gateway 10.10.10.33, metric 1
asa5505(config)# route outside 0.0.0.0 0.0.0.0 218.16.37.193 1   --- default route via gateway 218.16.37.193, metric 1
asa5505# show route   --- display the routing table

14. Static NAT
asa5505(config)# static (inside,outside) 218.16.37.223 192.168.1.6 netmask 255.255.255.255   --- map outside 218.16.37.223 to inside 192.168.1.6
asa5505(config)# access-list acl_out extended permit icmp any any   --- ACL acl_out permits ICMP
asa5505(config)# access-group acl_out in interface outside          --- apply acl_out to the outside interface
asa5505(config)# static (inside,dmz) 10.10.10.37 192.168.1.16 netmask 255.255.255.255   --- map dmz 10.10.10.37 to inside 192.168.1.16
asa5505(config)# access-list acl_dmz extended permit icmp any any   --- ACL acl_dmz permits ICMP
asa5505(config)# access-group acl_dmz in interface dmz              --- apply acl_dmz to the dmz interface
asa5505(config)# show nat   --- verify

15. Dynamic NAT
asa5505(config)# global (outside) 1 218.201.35.224-218.201.35.226   --- define the global address pool
asa5505(config)# nat (inside) 1 192.168.1.20-192.168.1.22           --- inside addresses to translate
asa5505(config)# show xlate   --- verify

16. Port-based NAT (PAT)
asa5505(config)# global (outside) 2 interface                --- use the outside interface address (218.16.37.222) as the global address
asa5505(config)# nat (inside) 2 192.168.1.0 255.255.255.0    --- inside addresses to translate
asa5505(config)# show xlate   --- verify

17. LAN-based failover
1) Primary firewall
asa5505(config)# failover mac addr outside 001a.2b3c.4d11 001a.2b3c.4w12   --- failover virtual MAC addresses
asa5505(config)# failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w22    --- failover virtual MAC addresses
asa5505(config)# failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w32    --- failover virtual MAC addresses
asa5505(config)# failover                                --- enable failover
asa5505(config)# failover lan unit primary               --- this unit is the primary firewall
asa5505(config)# failover lan interface standby Vlan4    --- failover interface named standby
asa5505(config)# failover interface ip standby 172.168.32.1 255.255.255.252 standby 172.168.32.2   --- primary IP 172.168.32.1, standby IP 172.168.32.2
asa5505# show failover   --- verify
2) Secondary firewall
asa5505(config)# failover mac addr outside 001a.2b3c.4d11 001a.2b3c.4w12   --- failover virtual MAC addresses
asa5505(config)# failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w22    --- failover virtual MAC addresses
asa5505(config)# failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w32    --- failover virtual MAC addresses
asa5505(config)# failover                                --- enable failover
asa5505(config)# failover lan unit secondary             --- this unit is the secondary (standby) firewall
asa5505(config)# failover lan interface standby Vlan4    --- failover interface named standby
asa5505(config)# failover interface ip standby 172.168.32.1 255.255.255.252 standby 172.168.32.2   --- primary IP 172.168.32.1, standby IP 172.168.32.2
asa5505# show failover   --- verify

18. Show MAC addresses
asa5505# show switch mac-address-table

19. Save the configuration
asa5505# write memory

Cisco ASA 5505 firewall address-mapping problem solved

A few days ago I helped a friend configure a Cisco ASA 5505, and the mapping kept failing. Online I saw many people running into the same problem and asking for a solution; some had solved it but did not post how. It may not be a complicated problem, but I hope this blog post helps others deal with this small issue quickly.
Basic facts:
WAN: 221.221.147.195
Gateway: 221.221.147.200
LAN: 192.168.0.1
A server on the LAN at 192.168.0.10, port 8089.

Symptom: the server can be reached from the LAN but not from outside; the port mapping was not working.
Fix: the command line was wrong; it has been corrected and the problem is solved.
Key point: the mapping uses "static (inside,outside) 221.221.147.195 192.168.0.10 tcp 8089".

The current configuration:

ASA Version 7.2(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 221.221.147.195 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit tcp any host 221.221.147.195 eq 8089
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any
access-list 101 extended permit udp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) 221.221.147.195 192.168.0.10 netmask 255.255.255.255 tcp 8089 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 221.221.147.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:30e219cbc04a4c919e7411de55e14a64
: end
ciscoasa(config)#

------------------------------------------------------------

While looking for a solution, a friend gave an important hint: use
static (inside,outside) int 192.168.0.10 tcp 8089
for the mapping, but that produced the warning:
WARNING: static redireting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.
The command was then changed to
static (inside,outside) 221.221.147.195 192.168.0.10 tcp 8089
and the problem was solved.
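As an added example (not code from any of the posts above), here is a small Python audit that reads ASA 7.x-style configuration text like the first post's config and the port-mapping post's config, and flags the settings a reviewer would question: a "permit ip any any" ACL applied inbound on outside, Telnet/SSH/HTTP management opened to 0.0.0.0 0.0.0.0, and a one-to-one "static" whose mapped address is the outside interface address, which is the situation the WARNING quoted above describes. The sample config is constructed from lines quoted in the posts, and "audit_asa" is a hypothetical helper name.

```python
import re

# Constructed sample: lines quoted from the configs in the posts above (not a real device).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 221.221.147.195 255.255.255.252
access-list 102 extended permit ip any any
access-group 102 in interface outside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 outside
static (inside,outside) 221.221.147.195 192.168.0.10 netmask 255.255.255.255 tcp 8089 0
"""

def audit_asa(config):
    """Return findings (strings) for risky settings in ASA 7.x-style config text."""
    findings = []
    wide_open_acls = set()   # ACL names that contain 'permit ip any any'
    outside_ip = None        # address configured under 'nameif outside'
    in_outside = False
    for raw in config.splitlines():
        line = raw.strip()
        # Follow interface blocks so we learn the outside interface address.
        if line.startswith("interface "):
            in_outside = False
        elif line == "nameif outside":
            in_outside = True
        elif in_outside and line.startswith("ip address "):
            outside_ip = line.split()[2]
        m = re.match(r"access-list (\S+) extended permit ip any any$", line)
        if m:
            wide_open_acls.add(m.group(1))
        m = re.match(r"access-group (\S+) in interface outside$", line)
        if m and m.group(1) in wide_open_acls:
            findings.append(f"ACL {m.group(1)} permits ip any any inbound on outside")
        m = re.match(r"(telnet|ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m:
            findings.append(f"{m.group(1)} management open to any source on {m.group(2)}")
        # No tcp/udp keyword after the interface pair means a whole-host static (all ports);
        # a trailing 'tcp N M' there is the connection/embryonic limit, not a port number.
        m = re.match(r"static \(inside,outside\) (\S+) (\S+)", line)
        if m and m.group(1) not in ("tcp", "udp") and m.group(1) in ("interface", "int", outside_ip):
            findings.append(f"static maps the outside interface address to {m.group(2)} on all ports")
    return findings

if __name__ == "__main__":
    for finding in audit_asa(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

A port-specific static of the form "static (inside,outside) tcp interface 8089 192.168.0.10 8089 netmask 255.255.255.255" produces no finding, because only the one port is forwarded.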
ASA 5505 configuration notes

1. IP address configuration
<config># int vlan1
<config-if># nameif outside
<config-if># security-level 0
<config-if># ip address 172.16.1.1 255.255.0.0
<config-if># end
<config># int vlan 2
<config-if># nameif inside
<config-if># security-level 100
<config-if># ip address 192.168.1.1 255.255.255.0
<config-if># end

2. Assign the ports to their VLANs
<config># int Eth0/0
<config-if># switchport access vlan 1
<config-if># end
<config># int Eth0/1
<config-if># switchport access vlan 2
<config-if># end
<config># exit

3. HTTP, Telnet and SSH management
<config># username xxx password xxxxxx encrypted privilege 15
<config># aaa authentication enable console LOCAL
<config># aaa authentication telnet console LOCAL
<config># aaa authentication http console LOCAL
<config># aaa authentication ssh console LOCAL
<config># aaa authorization command LOCAL
<config># http server enable
<config># http 192.168.1.0 255.255.255.0 inside
<config># telnet 192.168.1.0 255.255.255.0 inside
<config># ssh 192.168.1.0 255.255.255.0 inside
<config># crypto key generate rsa   --- generates the RSA key pair that the SSH service needs

4. *** configuration
*** can be configured from ASDM; the details are omitted.

Cisco ASA 5510 real-world configuration example with explanation
Last year I sold an ASA 5510 firewall to a large enterprise. The actual configuration is attached, with everything explained very clearly; it is well worth using as a reference!
2008-12-15 11:07
ASA5510# SHOW RUN
: Saved
:
ASA Version 7.0(6)
!
hostname ASA5510
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0                      --- this is the outside (external) network interface
 nameif outside                            --- set as the OUTSIDE interface
 security-level 0                          --- security level 0 for the outside interface (the lowest level)
 ip address 192.168.3.234 255.255.255.0    --- outside IP address (normally supplied by the ISP, China Telecom or Netcom)
!
interface Ethernet0/1                      --- this is the inside (internal) network interface
 nameif inside                             --- set as the INSIDE interface
 security-level 100                        --- security level 100 for the inside interface
 ip address 10.1.1.1 255.255.0.0           --- inside IP address (normally assigned by the company itself)
!
interface Ethernet0/2                      --- unused, closed with shutdown
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0                    --- unused, closed with shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0      --- not used; this is the port for management over a direct cable
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface               --- must be present; this is PAT (port address translation), and "1" is its NAT ID
nat (inside) 1 10.1.0.0 255.255.0.0        --- translate all inside addresses in 10.1.0.0
route outside 0.0.0.0 0.0.0.0 192.168.3.254 1   --- all inside addresses reach the outside via the gateway address supplied by the ISP
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.30-10.1.1.200 inside             --- DHCP range handed out automatically: 10.1.1.30-200
dhcpd address 192.168.1.2-192.168.1.254 management    --- not in effect
dhcpd dns 192.168.0.1                                 --- DNS: either the servers the ISP supplies or your own DNS server address
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain suzhou.jy                                --- domain name
dhcpd enable inside                                   --- enable automatic assignment on the inside network
dhcpd enable management                               --- not in effect
Cryptochecksum:6148633dac00f8f7a3418833f98d5ad4
access-group icmp_in in interface outside             --- these two lines
access-list icmp_in extended permit icmp any any      --- allow ping packets to be sent and received
: end