Configure the hostname, the enable password and the login password
hostname ASA5510
enable password cisco encrypted
passwd cisco encrypted
username luotao password xxxxxx
user-identity default-domain LOCAL // purpose unknown
aaa authentication ssh console LOCAL // SSH uses local authentication
aaa authentication telnet console LOCAL // Telnet uses local authentication
aaa authorization command LOCAL
Configure the time zone
clock timezone beijing 0 8
Configure the outside, inside and management interfaces
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 11.11.11.11 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.254 255.255.255.0 standby 10.1.1.253
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
Configure remote management:
telnet 10.1.100.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1 // legacy 1024-bit DH group; prefer dh-group14-sha1 where the ASA image supports it
console timeout 0
management-access inside
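An added example, not part of the original notes: a small Python audit that flags the weak remote-management settings in the block above (cleartext Telnet, SSH open to any source, the dh-group1-sha1 key exchange, a console that never times out), using those lines as a constructed sample. The finding codes and the 10-minute idle threshold are assumptions of this example.

```python
import re

# Constructed sample input: the remote-management lines from the notes above.
SAMPLE_CONFIG = """\
telnet 10.1.100.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Each check is (finding code, pattern); the code names are assumptions of this example.
CHECKS = [
    ("TELNET_ENABLED", re.compile(rf"^telnet {IPV4} {IPV4} \S+$")),       # cleartext management
    ("SSH_ANY_SOURCE", re.compile(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 \S+$")),   # SSH from any host on that interface
    ("WEAK_SSH_KEX", re.compile(r"^ssh key-exchange group dh-group1-sha1$")),
    ("CONSOLE_NO_TIMEOUT", re.compile(r"^console timeout 0$")),         # 0 means never time out
]
MAX_IDLE_MINUTES = 10  # assumed policy threshold for ssh/telnet idle timeout


def audit_mgmt_plane(config: str) -> list[tuple[str, str]]:
    """Return (finding code, offending line) pairs for weak remote-management settings."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        for code, pattern in CHECKS:
            if pattern.match(line):
                findings.append((code, line))
        # "ssh timeout N" / "telnet timeout N" are idle timeouts in minutes.
        m = re.match(r"^(ssh|telnet) timeout (\d+)$", line)
        if m and int(m.group(2)) > MAX_IDLE_MINUTES:
            findings.append(("LONG_IDLE_TIMEOUT", line))
    return findings


if __name__ == "__main__":
    for code, line in audit_mgmt_plane(SAMPLE_CONFIG):
        print(f"{code}: {line}")
```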
Configure failover
Primary firewall configuration:
int G0/6
description LAN/STATE Failover Interface
no sh
exit
failover lan unit primary
failover lan interface HA GigabitEthernet0/6
failover key cisco // optional
failover link HA GigabitEthernet0/6 // stateful failover link, keeps sessions across failover
failover interface ip HA 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover
Standby firewall configuration:
int G0/6
description LAN/STATE Failover Interface
no sh
exit
Global configuration:
failover lan unit secondary
failover lan interface HA GigabitEthernet0/6 // specify the heartbeat interface
failover key cisco // optional
failover interface ip HA 10.10.10.2 255.255.255.0 standby 10.10.10.1
failover // start synchronizing
Command to check the failover pair: show failover
Command to push the primary's configuration to the standby: write standby
Once the failover pair is established, continue with the following configuration:
NAT: let internal servers or PCs reach the Internet
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0
// 1 is the NAT ID and must match on both lines; 10.1.0.0/16 is the internal subnet
Or use the following configuration instead:
object-group network inside-to-outside
network-object 10.1.10.0 255.255.255.0
network-object 10.1.20.0 255.255.255.0
nat (inside,outside) source dynamic inside-to-outside interface
NAT: publish a service to the Internet with a one-to-one static IP mapping
object network ser10.1.10.31
host 10.1.10.31
object network ser10.1.10.31
nat (inside,outside) static 11.11.11.12
Configure access control:
access-list acl-out-to-in extended permit icmp any any
access-list acl-out-to-in extended permit tcp any host 10.1.10.101 eq 8080
access-list acl-out-to-in extended permit tcp any host 10.1.10.102 eq 35778
access-list acl-out-to-in extended deny ip any any
access-group acl-out-to-in in interface outside
Configure routing
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
route inside 10.1.10.0 255.255.255.0 10.1.1.1 1
route inside 10.1.20.0 255.255.255.0 10.1.1.1 1
SLA:
sla monitor 1
type echo protocol ipIcmpEcho X.X.X.X interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1 track 1
Optional configuration: DHCP
dhcpd address 10.1.1.1-10.1.1.200 inside
dhcpd dns 114.114.114.114
dhcpd lease 3600
dhcpd ping_timeout 500
dhcpd domain jzsec.com
dhcpd enable inside // enable DHCP on the inside interface
Optional configuration: HTTP management, allowing these subnets to reach the firewall over HTTP
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.100.0 255.255.255.0 inside
Other optional configuration:
icmp unreachable rate-limit 1 burst-size 1 // rate-limit ICMP unreachables (prevents rapid pinging)
icmp deny any outside // deny pings from the outside
icmp permit any inside // allow pings from the inside zone