ASA防火牆配置筆記1

1. 常用技巧
Sh ru ntp查看與ntp有關的
Sh ru crypto 查看與***有關的
Sh ru | inc crypto 只是關健字過濾而已
2. 故障倒換
failover
failover lan unit primary
failover lan interface testint Ethernet0/3
failover link testint Ethernet0/3
failover mac address Ethernet0/1 0018.1900.5000 0018.1900.5001
failover mac address Ethernet0/0 0018.1900.4000 0018.1900.4001
failover mac address Ethernet0/2 0018.1900.6000 0018.1900.6001
failover mac address Management0/0 0018.1900.7000 0018.1900.7001
failover interface ip testint 10.3.3.1 255.255.255.0 standby 10.3.3.2
注：最好配置虛擬MAC地址
sh failover顯示配置信息
write standby寫入到備用的防火牆中

failover命令集如下：
configure mode commands/options:
interface Configure the IP address and mask to be used for failover
and/or stateful update information
interface-policy Set the policy for failover due to interface failures
key Configure the failover shared secret or key
lan Specify the unit as primary or secondary or configure the
interface and vlan to be used for failover communication
link Configure the interface and vlan to be used as a link for
stateful update information
mac Specify the virtual mac address for a physical interface
polltime Configure failover poll interval
replication Enable HTTP (port 80) connection replication
timeout Specify the failover reconnect timeout value for
asymmetrically routed sessions

sh failover 命令集如下：

history Show failover switching history
interface Show failover command interface information
state Show failover internal state information
statistics Show failover command interface statistics information
| Output modifiers
<cr>
3. 配置telnet、ssh及http管理
username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http 192.168.40.0 255.255.255.0 management
ssh 192.168.40.0 255.255.255.0 inside
4. ***常用管理命令
sh ***-sessiondb full l2l 顯示site to site 之***通道情況
sh ipsec stats 顯示ipsec通道情況
sh ***-sessiondb summary 顯示***彙總信息
sh ***-sessiondb detail l2l 顯示ipsec詳細信息
sh ***-sessiondb detail svc 查看ssl client信息
sh ***-sessiondb detail web*** 查看web***信息
sh ***-sessiondb detail full l2l 相當於linux下的ipsec whack –status 如果沒有建立連接，則表示ipsec通道還沒有建立起來。
5. 配置訪問權限
可以建立對象組，設定不同的權限，如：
object-group network testgroup
description test
network-object 192.168.100.34 255.255.255.255
access-list inside_access_in line 2 extended permit ip object-group all any
access-group inside_access_in in interface inside
6. 配置sitetosite之***
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmaccrypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 218.16.105.48
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 218.16.105.48 type ipsec-l2l
tunnel-group 218.16.105.48 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group-map enable rules

注：打打PFS並設定以IP地址作爲peer名，一個接口只能有一個加密圖

7. web***配置（ssl ***）
web***
enable outside
character-encoding gb2312
csd image disk0:/securedesktop-asa-3.1.1.16.pkg
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable
customization customization1
title text TEST Web*** system
title style background-color:white;color: rgb(51,153,0);border-bottom:5px groo
ve #669999;font-size:larger;vertical-align:middle;text-align:left;font-weight:bold
tunnel-group-list enable

注：也可通過ASDM圖形界面進行配置

登錄後，可訪問內部資源，如下例：（客戶端首先要安裝Java插件jre-1_5_0-windows-i586.exe,並打開瀏覽器的ActiveX）
1) https://ssl***.test.com.cn 輸入用戶名和密碼

2) 出現工具條

3) 在Enter Web Address內輸入192.168.40.8即可訪問內部網站

4）在browse network輸入192.168.40.8即可訪問共享文件
5)點擊application access，即可查看端口轉發設置，如使用putty訪問本機的2023端口，則即可通過ssh登錄192.168.40.8