Common baseline configuration for a new Cisco ASA (initial setup)

Configure the hostname, the enable password and the login password
hostname ASA5510
enable password cisco encrypted
passwd cisco encrypted
username luotao password xxxxxx

user-identity default-domain LOCAL //unknown
aaa authentication ssh console LOCAL //SSH uses local authentication
aaa authentication telnet console LOCAL //telnet uses local authentication
aaa authorization command LOCAL


Configure the time zone
clock timezone beijing 8 0 //UTC+8; the command takes the hour offset first, then minutes

Configure the outside, inside and management interfaces
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 11.11.11.11 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.254 255.255.255.0 standby 10.1.1.253 //standby address used by the secondary unit of the failover pair
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0

Configure remote management:
telnet 10.1.100.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside //0.0.0.0 0.0.0.0 permits SSH from every inside address; a management subnet such as 10.1.100.0 255.255.255.0 is the tighter choice
ssh timeout 5
ssh key-exchange group dh-group1-sha1 //legacy 768-bit group; images that support it also accept dh-group14-sha1
console timeout 0
management-access inside

Configure failover
Primary firewall configuration:
int G0/6
description LAN/STATE Failover Interface
no sh
exit
failover lan unit primary
failover lan interface HA GigabitEthernet0/6
failover key cisco //optional; shared key for the failover link
failover link HA GigabitEthernet0/6 //state link, keeps sessions across a failover
failover interface ip HA 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover
Secondary firewall configuration:
int G0/6
description LAN/STATE Failover Interface
no sh
exit
Global configuration:
failover lan unit secondary
failover lan interface HA GigabitEthernet0/6 //specify the heartbeat interface
failover key cisco //optional
failover interface ip HA 10.10.10.2 255.255.255.0 standby 10.10.10.1
failover //start synchronisation

Command to check the failover pair: show failover
Command to sync the primary's configuration to the secondary: write standby

Once the failover relationship is established, continue with the following configuration:

NAT: let internal servers and hosts reach the Internet (pre-8.3 syntax)
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0
//1 is the NAT ID and must match on both lines; 10.1.0.0/16 is the inside network

Or use the following configuration (8.3 and later syntax):
object-group network inside-to-outside
 network-object 10.1.10.0 255.255.255.0
 network-object 10.1.20.0 255.255.255.0
nat (inside,outside) source dynamic inside-to-outside interface

NAT: publish a service to the Internet with a one-to-one IP mapping
object network ser10.1.10.31
 host 10.1.10.31
 nat (inside,outside) static 11.11.11.12 //host and nat can be entered under the same object; show running-config lists them separately

Configure access control:
access-list acl-out-to-in extended permit icmp any any //permits every ICMP type from outside; restrict to the types actually needed where possible
access-list acl-out-to-in extended permit tcp any host 10.1.10.101 eq 8080
access-list acl-out-to-in extended permit tcp any host 10.1.10.102 eq 35778 
access-list acl-out-to-in extended deny ip any any 

access-group acl-out-to-in in interface outside
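To make the first-match semantics of the list above concrete, here is an added Python example, not code from the original post, that parses access-list lines in the form used on this page and evaluates sample packets against them, including the implicit deny that ends every ASA access list. The config text is constructed from the ACL above; the outside client address 203.0.113.5 is an assumed value.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample text: the access-list lines from this post.
SAMPLE_CONFIG = """\
access-list acl-out-to-in extended permit icmp any any
access-list acl-out-to-in extended permit tcp any host 10.1.10.101 eq 8080
access-list acl-out-to-in extended permit tcp any host 10.1.10.102 eq 35778
access-list acl-out-to-in extended deny ip any any
access-group acl-out-to-in in interface outside
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port after "eq"; None means any port


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec at tok[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(config_text: str, name: str) -> List[Ace]:
    """Collect the extended ACEs of one named ACL, in configured order."""
    aces = []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = tok[3], tok[4]
        src, i = _parse_addr(tok, 5)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i + 1 < len(tok) and tok[i] == "eq":
            dport = int(tok[i + 1])       # numeric ports only in this example
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match lookup as the ASA performs it; returns (action, 1-based ACE
    number), or ("deny", None) for the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG, "acl-out-to-in")
    for pkt in [("tcp", "203.0.113.5", "10.1.10.101", 8080),
                ("tcp", "203.0.113.5", "10.1.10.101", 22),
                ("icmp", "203.0.113.5", "10.1.1.254", None),
                ("udp", "203.0.113.5", "10.1.10.102", 35778)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

On ASA 8.3 and later an inbound ACL on outside is matched against the real (untranslated) inside address, which is why the list names 10.1.10.x hosts rather than the public NAT addresses; the evaluator follows that convention. Only the eq operator with numeric ports is parsed; the page uses nothing else.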

Configure routing
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1 
route inside 10.1.10.0 255.255.255.0 10.1.1.1 1 
route inside 10.1.20.0 255.255.255.0 10.1.1.1 1 

SLA monitoring (track the next hop of the default route):
sla monitor 1
 type echo protocol ipIcmpEcho X.X.X.X interface outside //X.X.X.X is the address probed through the outside interface
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1 track 1 //the default route is withdrawn while track 1 reports the target unreachable

Optional configuration: DHCP
dhcpd address 10.1.1.1-10.1.1.200 inside
dhcpd dns 114.114.114.114
dhcpd lease 3600
dhcpd ping_timeout 500
dhcpd domain jzsec.com
dhcpd enable inside //enable on the inside zone

Optional configuration: HTTP management, allowing the listed subnets to access the ASA over HTTP
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.100.0 255.255.255.0 inside
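The weak settings in the remote-management block earlier on this page (SSH open to every inside address, the legacy dh-group1-sha1 key exchange, cleartext telnet, a console that never times out) are easy to spot in a short listing, but on a real running-config they hide among hundreds of lines. The Python script below is an added example, not part of the original post, that scans text in this page's command format for those management-plane settings and for SSH enabled without an aaa authentication line; the two config strings are constructed from the ssh/telnet/http lines above, the hardened variant being an assumed corrected version.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: the management lines from this post, as written.
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
telnet 10.1.100.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.100.0 255.255.255.0 inside
"""

# Constructed hardened variant (assumed): no telnet, SSH limited to the
# management subnet, stronger key exchange, console timeout set.
HARDENED_CONFIG = """\
aaa authentication ssh console LOCAL
ssh 10.1.100.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group14-sha1
console timeout 10
http server enable
http 192.168.1.0 255.255.255.0 management
"""

Finding = Tuple[str, str]   # (severity, message)


def _source_scope(tok: List[str]) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """For 'ssh|telnet|http A.B.C.D MASK IFNAME' return (network, ifname), else None."""
    if len(tok) != 4:
        return None
    try:
        net = ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)
    except ValueError:            # e.g. 'ssh key-exchange group ...' has 4 tokens too
        return None
    return net, tok[3]


def audit_management_plane(config_text: str) -> List[Finding]:
    """Return findings for risky management-plane settings, in config order."""
    findings: List[Finding] = []
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    has_ssh = False
    aaa_ssh = any(l.startswith("aaa authentication ssh console") for l in lines)
    for line in lines:
        tok = line.split()
        scope = _source_scope(tok) if tok[0] in ("ssh", "telnet", "http") else None
        if scope:
            net, ifname = scope
            if tok[0] == "ssh":
                has_ssh = True
            if tok[0] == "telnet":
                findings.append(("high", f"telnet (cleartext) management enabled from {net} on {ifname}"))
            if net.prefixlen == 0:    # 0.0.0.0 0.0.0.0: any source address
                findings.append(("high", f"{tok[0]} management allowed from any address on {ifname}"))
        elif line == "ssh key-exchange group dh-group1-sha1":
            findings.append(("medium", "SSH key exchange uses legacy dh-group1-sha1 (768-bit group); prefer dh-group14-sha1"))
        elif line == "console timeout 0":
            findings.append(("low", "console session never times out"))
    if has_ssh and not aaa_ssh:
        findings.append(("high", "SSH enabled without 'aaa authentication ssh console'"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in audit_management_plane(cfg):
            print(f"[{sev}] {msg}")
```

The checks are deliberately literal string and prefix matches on the commands shown on this page; a production audit would run over the output of show running-config and cover the aaa authentication http line and the telnet/ssh timeouts as well.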

Other optional configuration:
icmp unreachable rate-limit 1 burst-size 1 //rate-limit ICMP unreachables, guards against rapid pinging
icmp deny any outside //deny pings from the outside
icmp permit any inside //permit pings from the inside zone
