Cisco ASA basic configuration for a new device (initial setup)

Set the hostname, the enable password and the login password
hostname ASA5510
enable password cisco // replace "cisco" (a well-known default) with a strong secret. Do not type the "encrypted" keyword yourself: it tells the ASA that the string is already a hash, and "cisco" is not one. The running config shows the stored hash followed by "encrypted"; that is where the original line came from
passwd cisco // legacy login password for Telnet/SSH when no AAA is configured; same caveat as above
username luotao password xxxxxx // local admin account; by default it is created at privilege 2, so add "privilege 15" if you want this user to have full access under the command authorization configured below



user-identity default-domain LOCAL // identity-firewall default domain; the ASA adds this line itself on 8.4(2) and later and it can be left alone
aaa authentication ssh console LOCAL // SSH logins are checked against the local user database
aaa authentication telnet console LOCAL // Telnet logins are checked against the local user database
aaa authorization command LOCAL // commands are authorized against the local user's privilege level; consider also authenticating the "enable" prompt against LOCAL so that the shared enable password is no longer the path to privilege 15


Set the time zone
clock timezone beijing 8 // syntax is "clock timezone <name> <hours> [minutes]"; the original "0 8" set an offset of +0:08 rather than +8:00. Also point the ASA at an NTP source so that log and failover timestamps can be trusted

Configure the outside, inside and management interfaces
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 11.11.11.11 255.255.255.248 // no standby address is given here; in the failover pair configured below every data interface should carry a standby address, otherwise the units cannot run the interface health tests on this link
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.254 255.255.255.0 standby 10.1.1.253 // the active unit uses .254, the standby unit .253
!
interface Management0/0
management-only // accepts only traffic addressed to the ASA itself, never through traffic
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0

Remote management:
telnet 10.1.100.0 255.255.255.0 inside // Telnet is cleartext; keep it only if you really need it (the ASA refuses Telnet on the lowest-security interface in any case)
telnet timeout 5
ssh 10.1.100.0 255.255.255.0 inside // the original allowed SSH from 0.0.0.0 0.0.0.0, i.e. any host behind inside; restrict it to the admin subnet, here the same one used for Telnet and HTTPS management
ssh timeout 5
ssh key-exchange group dh-group14-sha1 // the original used dh-group1-sha1 (1024-bit DH), which is deprecated and removed from recent releases; group 14 is 2048-bit. Enforce SSH version 2 as well
console timeout 0 // 0 means a console session never expires; set a real value on a device in a shared rack
management-access inside // allows managing the inside interface address from another interface, e.g. over a VPN
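As an added example, not part of the original post: a small Python check that reads the remote-management lines above as they were originally written and reports the settings a reviewer would flag. The two sample configurations are constructed from this page (the hardened one is my own counterpart), the finding texts are mine, and the script only implements the checks discussed in this section.

```python
import re
from typing import List

# Constructed sample: the remote-management and http lines of this page as
# originally posted (SSH from any address, dh-group1, no console timeout).
ORIGINAL_MGMT = """\
telnet 10.1.100.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.100.0 255.255.255.0 inside
"""

# Constructed hardened counterpart: no Telnet, SSH only from the admin subnet,
# SSHv2 with a 2048-bit DH group, and a real console timeout.
HARDENED_MGMT = """\
ssh 10.1.100.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 10
management-access inside
http server enable
http 10.1.100.0 255.255.255.0 inside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def audit_management_plane(config: str) -> List[str]:
    """Scan an ASA running-config for management-plane weaknesses and return
    one finding string per issue. Covers only the settings discussed on this
    page: Telnet, SSH/HTTP source restrictions, SSH version and key exchange,
    and the console timeout."""
    findings: List[str] = []
    ssh_v2 = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # telnet <net> <mask> <interface>: cleartext management session
        m = re.fullmatch(rf"telnet ({IPV4}) ({IPV4}) (\S+)", line)
        if m:
            net, mask, ifname = m.groups()
            findings.append(f"telnet enabled on {ifname} from {net}/{mask} (cleartext)")
            continue
        # ssh/http <net> <mask> <interface>: who may open a management session
        m = re.fullmatch(rf"(ssh|http) ({IPV4}) ({IPV4}) (\S+)", line)
        if m:
            proto, net, mask, ifname = m.groups()
            if net == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(f"{proto} allowed from any address on {ifname}")
            if ifname == "outside":
                findings.append(f"{proto} management exposed on outside from {net}/{mask}")
            continue
        if line == "ssh key-exchange group dh-group1-sha1":
            findings.append("ssh key-exchange uses dh-group1-sha1 (1024-bit DH); use dh-group14")
        elif line == "ssh version 2":
            ssh_v2 = True
        elif line == "console timeout 0":
            findings.append("console timeout 0: console sessions never expire")
    if not ssh_v2:
        findings.append("ssh version 2 not set explicitly (SSHv1 may be accepted on older releases)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_MGMT), ("hardened", HARDENED_MGMT)):
        result = audit_management_plane(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Feed it the output of `show running-config` from a real unit; the original section above yields five findings and the hardened one none. The check is deliberately line-oriented because the ASA CLI is one command per line, so a regex per command is enough and a full parser is not needed.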

Failover
Primary unit:
int G0/6
description LAN/STATE Failover Interface
no sh
exit
failover lan unit primary
failover lan interface HA GigabitEthernet0/6 // failover (heartbeat) link
failover key cisco // optional but strongly recommended: without a key the failover and config-sync traffic, including passwords, crosses this link in cleartext. Use a strong key, identical on both units
failover link HA GigabitEthernet0/6 // stateful link (session state replication); sharing it with the failover link is fine on a dedicated back-to-back cable
failover interface ip HA 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover
Secondary unit:
int G0/6
description LAN/STATE Failover Interface
no sh
exit
Global configuration:
failover lan unit secondary
failover lan interface HA GigabitEthernet0/6 // heartbeat interface, same as on the primary
failover key cisco // must match the primary
failover interface ip HA 10.10.10.1 255.255.255.0 standby 10.10.10.2 // entered exactly as on the primary: whichever unit is active (normally the primary) uses 10.10.10.1 and the standby uses 10.10.10.2. The original line, "fial int ip HA 10.10.10.2 255.255.255.0 standby 10.10.10.1", was both misspelled and reversed
failover // enable failover; the units negotiate and the standby pulls its configuration from the active unit
To check the pair: show failover
To push the active unit's configuration to the standby: write standby
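As an added example, not part of the original post: a Python check that compares the failover commands of the two units and reports what would keep the pair from forming or weaken it. The samples are constructed from the commands in this section as originally posted, including the secondary's misspelled and reversed "fial int ip" line, so the check has something to find; the finding texts are my own.

```python
from typing import Dict, List

# Constructed samples, taken from the failover commands on this page as
# originally posted. The secondary's "fial int ip" line reproduces the page's
# typo and its reversed address order so that the check has something to find.
PRIMARY = """\
failover lan unit primary
failover lan interface HA GigabitEthernet0/6
failover key cisco
failover link HA GigabitEthernet0/6
failover interface ip HA 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover
"""

SECONDARY_AS_POSTED = """\
failover lan unit secondary
failover lan interface HA GigabitEthernet0/6
failover key cisco
fial int ip HA 10.10.10.2 255.255.255.0 standby 10.10.10.1
failover
"""

# Typo fixed but addresses still reversed: the standby would claim 10.10.10.1.
SECONDARY_REVERSED = SECONDARY_AS_POSTED.replace(
    "fial int ip HA 10.10.10.2 255.255.255.0 standby 10.10.10.1",
    "failover interface ip HA 10.10.10.2 255.255.255.0 standby 10.10.10.1")

# Correct secondary: 'failover interface ip' identical to the primary.
SECONDARY_FIXED = SECONDARY_AS_POSTED.replace(
    "fial int ip HA 10.10.10.2 255.255.255.0 standby 10.10.10.1",
    "failover interface ip HA 10.10.10.1 255.255.255.0 standby 10.10.10.2")


def failover_settings(config: str) -> Dict[str, str]:
    """Map each 'failover ...' command to its argument string; the bare
    'failover' that enables the feature is recorded under 'enabled'."""
    settings: Dict[str, str] = {}
    for raw in config.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] != "failover":
            continue  # this also skips the misspelled "fial int ip" line
        if len(parts) == 1:
            settings["enabled"] = "yes"
        elif parts[1] == "lan" and len(parts) > 2:
            settings["lan " + parts[2]] = " ".join(parts[3:])
        elif parts[1] == "interface" and len(parts) > 2 and parts[2] == "ip":
            settings["interface ip"] = " ".join(parts[3:])
        else:
            settings[parts[1]] = " ".join(parts[2:])
    return settings


def check_failover_pair(primary: str, secondary: str) -> List[str]:
    """Compare the failover configuration of the two units and return the
    inconsistencies that would stop the pair from forming or that weaken it."""
    p, s = failover_settings(primary), failover_settings(secondary)
    findings: List[str] = []
    if (p.get("lan unit"), s.get("lan unit")) != ("primary", "secondary"):
        findings.append("units are not configured as one primary and one secondary")
    # These two commands must be entered identically on both units.
    for key in ("lan interface", "interface ip"):
        if key not in s:
            findings.append(f"secondary is missing 'failover {key}'")
        elif p.get(key) != s[key]:
            findings.append(f"'failover {key}' differs: primary '{p.get(key)}' vs secondary '{s[key]}'")
    if "key" not in p or "key" not in s:
        findings.append("failover key missing on a unit: failover and config-sync traffic is cleartext")
    elif p["key"] != s["key"]:
        findings.append("failover key differs between units")
    elif len(p["key"]) < 8:
        findings.append("failover key is shorter than 8 characters")
    for name, cfg in (("primary", p), ("secondary", s)):
        if cfg.get("enabled") != "yes":
            findings.append(f"{name} has no bare 'failover' command, failover is not enabled")
    return findings


if __name__ == "__main__":
    for label, sec in (("as posted", SECONDARY_AS_POSTED),
                       ("reversed", SECONDARY_REVERSED), ("fixed", SECONDARY_FIXED)):
        print(label, check_failover_pair(PRIMARY, sec))
```

Run it against `show running-config failover` from each unit before typing the final `failover`; the pair as posted fails on the missing (misspelled) interface ip command and the short key, the reversed variant on the differing addresses, and the fixed pair with a strong key passes cleanly.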

Once the failover pair is up, make the remaining changes on the active unit only; they are replicated to the standby automatically:

NAT: letting internal servers and PCs reach the Internet
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0
// 1 is the NAT ID and must match on both lines; 10.1.0.0/16 is the internal range. This is the pre-8.3 syntax and is not accepted on 8.3 and later

Or, on 8.3 and later, use the object-based form
object-group network inside-to-outside
 network-object 10.1.10.0 255.255.255.0
 network-object 10.1.20.0 255.255.255.0
nat (inside,outside) source dynamic inside-to-outside interface

NAT: publishing a service to the Internet with a one-to-one (static) mapping
object network ser10.1.10.31
 host 10.1.10.31
 nat (inside,outside) static 11.11.11.12
// 8.3+ object NAT. The original entered the object twice; that works but is just two visits to the same object. 11.11.11.12 lies in the outside subnet 11.11.11.8/29 and must not collide with the interface address or a standby address

Access control:
access-list acl-out-to-in extended permit icmp any any // lets every ICMP type from the Internet reach any inside host; if you only need ping and path MTU discovery to work, enable ICMP inspection and permit only the echo types, or drop this line
access-list acl-out-to-in extended permit tcp any host 10.1.10.101 eq 8080
access-list acl-out-to-in extended permit tcp any host 10.1.10.102 eq 35778
access-list acl-out-to-in extended deny ip any any // the ASA denies anyway; an explicit entry gives you hit counts
// On 8.3 and later an ACL applied inbound on outside matches the real (inside) address, not the mapped public one, which is why these entries name 10.1.10.x. Both 10.1.10.101 and 10.1.10.102 also need a static NAT entry like the one for 10.1.10.31, otherwise no packet from outside can reach them

access-group acl-out-to-in in interface outside
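As an added example serving both the static NAT section and the access-list section above, not part of the original post: a Python check that ties the two together under 8.3+ semantics. It collects every `object network` with a host address and a static NAT, then walks the inbound ACL and flags destination hosts that are either a mapped (public) address, which pre-8.3 configs used and 8.3+ no longer matches, or a real address with no static NAT, which the Internet can never reach. The sample is constructed from the object and ACL lines on this page; the finding texts are mine.

```python
import re
from typing import Dict, List

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample, assembled from the object NAT and ACL lines on this page
# (the object is entered twice, exactly as the page did it).
SAMPLE_CONFIG = """\
object network ser10.1.10.31
 host 10.1.10.31
object network ser10.1.10.31
 nat (inside,outside) static 11.11.11.12
access-list acl-out-to-in extended permit icmp any any
access-list acl-out-to-in extended permit tcp any host 10.1.10.101 eq 8080
access-list acl-out-to-in extended permit tcp any host 10.1.10.102 eq 35778
access-list acl-out-to-in extended deny ip any any
access-group acl-out-to-in in interface outside
"""


def static_nat_map(config: str) -> Dict[str, str]:
    """Return {real_ip: mapped_ip} for every 'object network' that carries a
    host address and a static NAT. The current object is tracked across lines,
    so an object entered twice is merged into one entry."""
    objects: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.fullmatch(r"object network (\S+)", line)
        if m:
            current = objects.setdefault(m.group(1), {})
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the object block
            continue
        body = line.strip()
        m = re.fullmatch(rf"host ({IPV4})", body)
        if m:
            current["real"] = m.group(1)
        m = re.match(rf"nat \(\S+,\S+\) static ({IPV4})", body)
        if m:
            current["mapped"] = m.group(1)
    return {o["real"]: o["mapped"] for o in objects.values()
            if "real" in o and "mapped" in o}


def check_outside_acl(config: str, acl_name: str = "acl-out-to-in") -> List[str]:
    """Flag permit entries of the inbound ACL whose destination host does not
    line up with the static NAT objects (ASA 8.3+ semantics: ACLs see real IPs)."""
    nat = static_nat_map(config)
    mapped_to_real = {mapped: real for real, mapped in nat.items()}
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith(f"access-list {acl_name} "):
            continue
        # greedy '.*' makes this pick the last 'host', i.e. the destination
        m = re.search(rf"\bpermit \S+ .*\bhost ({IPV4})(?: (?:eq|range|gt|lt) .*)?$", line)
        if not m:
            continue
        dst = m.group(1)
        if dst in mapped_to_real:
            findings.append(f"{dst} is a mapped (public) address; on 8.3+ write the rule "
                            f"against the real address {mapped_to_real[dst]}")
        elif dst not in nat:
            findings.append(f"{dst} has no static NAT object; outside traffic cannot reach it")
    return findings


if __name__ == "__main__":
    print(static_nat_map(SAMPLE_CONFIG))
    for f in check_outside_acl(SAMPLE_CONFIG):
        print("-", f)
```

For the page's own lines the result is two findings, one for each of 10.1.10.101 and 10.1.10.102. Appending a pre-8.3 style entry against 11.11.11.12 produces the "mapped address" finding instead, while an entry against 10.1.10.31 is accepted. The parser only understands `host` plus `static <ip>` objects; subnet objects and port-translating statics are ignored rather than guessed at.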

Routing
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1 // default route via the ISP gateway; if you use the tracked default route from the SLA section below, configure only that one, not both
route inside 10.1.10.0 255.255.255.0 10.1.1.1 1 // the internal subnets sit behind a core switch at 10.1.1.1
route inside 10.1.20.0 255.255.255.0 10.1.1.1 1

SLA (track the default route):
sla monitor 1
 type echo protocol ipIcmpEcho X.X.X.X interface outside // X.X.X.X: a reliable target beyond the ISP gateway (not the gateway itself), reachable only through outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1 track 1 // the route is withdrawn while the probe fails; that only helps if a backup default route with a higher metric (a second ISP) exists, otherwise the ASA simply loses its default route

Optional: DHCP
dhcpd address 10.1.1.2-10.1.1.200 inside // address pool on inside. The original pool started at 10.1.1.1, which is the core-switch next hop used in the routing section, so it is excluded here; the pool must also stay clear of the interface address 10.1.1.254 and the standby address 10.1.1.253
dhcpd dns 114.114.114.114
dhcpd lease 3600
dhcpd ping_timeout 500
dhcpd domain jzsec.com
dhcpd enable inside // start the DHCP server on the inside interface

Optional: HTTPS management (ASDM), allowing these subnets to connect
http server enable // despite the keyword this is HTTPS on port 443
http 192.168.1.0 255.255.255.0 management
http 10.1.100.0 255.255.255.0 inside
Other optional settings:
icmp unreachable rate-limit 1 burst-size 1 // rate-limits the ICMP unreachable messages the ASA itself generates (these are the defaults and are what makes traceroute through the ASA work); contrary to the original note it does not rate-limit ping
icmp deny any outside // ICMP addressed to the outside interface itself is dropped, so the ASA will not answer ping from the Internet; this does not affect ICMP passing through, which the ACL above controls
icmp permit any inside // the inside interface answers ICMP