溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
有些朋友對配防火墻還是有問題,其實配置ASA防火墻很簡單,常用的命令有hostname、interface(ip address、no shutdown、nameif、security-level)、nat、global、route、static、access-list、access-group。
下面來解析一臺ASA 8.0的配置
ASA Version 8.0(2) //注意版本,8.3以后NAT命令有所變化
!
hostname ciscoasa //主機名
domain-name sannet.net
enable password 2KFQnbNIdI.2KYOU encrypted //enable密碼
names
!
interface Ethernet0/0
nameif inside //定義內網口
security-level 100 //安全級別
ip address 192.168.1.254 255.255.255.0 //內網IP 地址
!
interface Ethernet0/1
nameif dmz //定義DMZ區域
security-level 50 //安全級別
ip address 172.16.1.254 255.255.255.0 //DMZ區域 IP 地址
!
interface Ethernet0/2
nameif outside //定義外網口
security-level 0 //安全級別
ip address 221.222.1.2 255.255.255.0 //外網IP地址
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd W6dWZr89yLlX1S1u encrypted //telnet 密碼
ftp mode passive
dns server-group DefaultDNS
domain-name sannet.net //域名 ssh使用
access-list ToDmz extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 //去往DMZ不做NAT的acl
access-list telnet extended permit tcp any interface outside eq 2023 //外網訪問內網的acl
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control //開啟nat
global (outside) 1 interface //定義外網映射地址
nat (inside) 0 access-list ToDmz //定義不做NAT轉換區域
nat (inside) 1 0.0.0.0 0.0.0.0 //定義內網NAT轉換地址
static (dmz,outside) tcp interface 2023 172.16.1.2 telnet netmask 255.255.255.255 //端口地址轉換
static (dmz,outside) 221.222.1.3 172.16.1.1 netmask 255.255.255.255 //私有地址轉換
access-group telnet in interface outside //外網口接收ACL(telnet)的流量
route outside 0.0.0.0 0.0.0.0 221.222.1.1 1 //默認路由
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h423 0:05:00 h325 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside //定義內網telnet網段
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside //定義外網ssh網段
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h423 h325
inspect h423 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp //定義可以通過icmp流量,可使用命令fixup protocol icmp
!
service-policy global_policy global
username cisco password vzoACXLxNjqisKsJ encrypted
prompt hostname context
Cryptochecksum:b38407b376659065819b3044e94283f1
: end
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
