ciscoASA防火墙详细配置

安全级别：0-100从高安全级别到低安全级别的流量放行的从低安全到高安全级别流量禁止的ASA防火墙的特性是基于TCP和UDP链路状态的，会话列表，记录出去的TCP或者UDP 流量，这些流量返回的时候，防火墙是放行的。

ASA防火墙的基本配置!interface Ethernet0/0nameif insidesecurity-level 99ip address 192.168.1.2 255.255.255.0!interface Ethernet0/1nameif dmzsecurity-level 50ip address 172.16.1.2 255.255.255.0!interface Ethernet0/2nameif outsidesecurity-level 1ip address 200.1.1.2 255.255.255.0ciscoasa# show nameifInterface Name SecurityEthernet0/0 inside 99Ethernet0/1 dmz 50Ethernet0/2 outside 12、路由器上配置配置接口地址路由--默认、静态配置VTY 远程登录R3：interface FastEthernet0/0ip address 200.1.1.1 255.255.255.0no shutdown配置去内网络的路由ip route 192.168.1.0 255.255.255.0 200.1.1.2配置去DMZ区域的路由ip route 172.161.0 255.255.255.0 200.1.1.2配置远程登录VTYR3(config)#line vty 0 2R3(config-line)#password 666R3(config-line)#loginR2：interface FastEthernet0/0ip address 172.16.1.1 255.255.255.0no shutdown配置默认路由IP route 0.0.0.0 0.0.0.0 172.16.1.2配置远程登录VTYR3(config)#line vty 0 2R3(config-line)#password 666R3(config-line)#loginR2：interface FastEthernet0/0ip address 192.168.1.1 255.255.255.0no shutdown配置默认路由IP route 0.0.0.0 0.0.0.0 192.168.1.2配置远程登录VTYR3(config)#line vty 0 2R3(config-line)#password 666R3(config-line)#loginR1可以Telnet R3 ，反过来不行R1不可以ping通R3防火墙放行流量防火墙能放行R3低安全级别的---R1高安全级别区域--Telnet流量ciscoasa(config)# access-list 100 permit tcp host 200.1.1.1 host 192.168.1.1 eq 23应用列表到接口ciscoasa(config)# access-group 100 in interface outside验证：防火墙能放行R3低安全级别的---R1高安全级别区域--ICMP流量ciscoasa(config)# access-list 100 permit icmp host 200.1.1.1 host 192.168.1.1验证。

ciscoASA防火墙如何配置思科cisco是全球高端顶尖的通讯厂商，其出产的路由器功能也是世界级的，那么你知道cisco ASA防火墙如何配置的吗?下面是店铺整理的一些关于cisco ASA防火墙如何配置的相关资料，供你参考。

cisco ASA防火墙配置的方法：常用命令有：nameif、interface、ip address、nat、global、route、static等。

global指定公网地址范围：定义地址池。

Global命令的配置语法：global (if_name) nat_id ip_address-ip_address [netmark global_mask]其中：(if_name)：表示外网接口名称，一般为outside。

nat_id：建立的地址池标识(nat要引用)。

ip_address-ip_address：表示一段ip地址范围。

[netmark global_mask]：表示全局ip地址的网络掩码。

nat地址转换命令，将内网的私有ip转换为外网公网ip。

nat命令配置语法：nat (if_name) nat_id local_ip [netmark]其中：(if_name)：表示接口名称，一般为inside.nat_id：表示地址池，由global命令定义。

local_ip：表示内网的ip地址。

对于0.0.0.0表示内网所有主机。

[netmark]：表示内网ip地址的子网掩码。

routeroute命令定义静态路由。

语法：route (if_name) 0 0 gateway_ip [metric]其中：(if_name)：表示接口名称。

0 0 ：表示所有主机Gateway_ip：表示网关路由器的ip地址或下一跳。

[metric]：路由花费。

缺省值是1。

static配置静态IP地址翻译，使内部地址与外部地址一一对应。

语法：static(internal_if_name,external_if_name) outside_ip_addr inside_ ip_address其中：internal_if_name表示内部网络接口，安全级别较高，如inside。

思科ASA防火墙基本配置思科ASA防火墙基本配置Fire Wall 防火墙，它是一种位于内部网络与外部网络之间的网络安全系统，当然，防火墙也分软件防火墙与硬件防火墙。

硬件防火墙又分为：基于PC架构与基于ASIC芯片今天来聊一聊思科的'硬件防火墙 Cisco ASACisco ASA 防火墙产品线挺多：Cisco ASA5505 Cisco ASA5510 Cisco ASA5520 Cisco ASA5540 Cisco ASA5550 等等ASA 的基本配置步骤如下：配置主机名、域名hostname [hostname]domain-name xx.xxhostname Cisco-ASA 5520domain-name 配置登陆用户名密码password [password]enable password [password]配置接口、路由interface interface_namenameif [name]name 有三种接口类型 insdie outside dmzsecurity-level xx(数值)数值越大接口安全级别越高注：默认inside 100 ,outside 0 ,dmz 介于二者之间静态路由route interface_number network mask next-hop-addressroute outside 0.0.0.0 0.0.0.0 210.210.210.1配置远程管理接入Telnettelnet {network | ip-address } mask interface_nametelnet 192.168.1.0 255.255.255.0 insidetelnet 210.210.210.0 255.255.255.0 outsideSSHcrypto key generate rsa modulus {1024| 2048 }指定rsa系数，思科推荐1024ssh timeout minutesssh version version_numbercrypto key generate rsa modulus 1024ssh timeout 30ssh version 2配置 ASDM(自适应安全设备管理器)接入http server enbale port 启用功能http {networdk | ip_address } mask interface_nameasdm image disk0:/asdm_file_name 指定文件位置username user password password privilege 15NATnat-controlnat interface_name nat_id local_ip maskglobal interface_name nat_id {global-ip [global-ip] |interface} nat-controlnat inside 1 192.168.1.0 255.255.255.0global outside 1 interfaceglobal dmz 1 192.168.202.100-192.168.202.150ACLaccess-list list-name standad permit | deny ip maskaccess-list list-name extendad permit | deny protocol source-ip mask destnation-ip mask portaccess-group list-name in | out interface interface_name如果内网服务器需要以布到公网上staic real-interface mapped-interface mapped-ip real-ip staic (dmz,outside) 210.210.202.100 192.168.202.1保存配置wirte memory清除配置clear configure (all)【思科ASA防火墙基本配置】。

一、基本配置#hostname name //名字的设置#interface gigabitethernet0/0 //进入接口0/0#nameif outside //配置接口名为outside#security-level 0 //设置安全级别。

级别从0--100，级别越高安全级别越高#ip address 218.xxx.xxx.xxx 255.255.255.248 //设置外部ip地址#no shutdown#interface ethernet0/1 //进入接口0/1#nameif inside //配置接口名为inside#security-level 100 //设置安全级别。

级别从0--100，级别越高安全级别越高#ip address 192.168.10.1 255.255.255.0 //设置ip地址#duplex full //全双工#speed 100 //速率#no shutdown#interface ethernet0/2 //进入接口0/2#nameif dmz //配置接口名为dmz#security-level 50 //设置安全级别。

级别从0--100，级别越高安全级别越高#ip address 192.168.9.1 255.255.255.0 //设置dmz接口ip地址#no shutdown#interface Management0/0 //进入管理接口# nameif guanli //接口名# security-level 100 //安全级别#ip address 192.168.1.1 255.255.255.0 //IP地址注意：security-level 配置安全级别。

默认外网接口为0/0 安全级别默认为0内网接口为0/1 安全级别默认为100dmz 接口为0/2 安全级别默认为50默认情况下，相同安全级别接口之间不允许通信，可以使用以下命令：#same-security-traffic permit interface //允许相同安全级别接口之间互相通信。

思科ASA防火墙精华配置总结思科防火墙PIX ASA 配置总结一（基础）：下面是我工作以来的配置总结，有些东西是6.3版本的，但不影响在7.＊版本的配置。

一：6个基本命令：nameif、interface、ip address 、nat、global、route。

二：基本配置步骤：step1: 命名接口名字nameif ethernet0 outside security0nameif ethernet1 inside security100nameif ethernet2 dmz security50＊＊7版本的配置是先进入接口再命名。

step2：配置接口速率interface ethernet0 10full autointerface ethernet1 10full autointerface ethernet2 10fullstep3：配置接口地址ip address outside 218.106.185.82ip address inside 192.168.100.1 255.255.255.0ip address dmz 192.168.200.1 255.255.255.0step4：地址转换（必须）* 安全高的区域访问安全低的区域（即内部到外部）需NAT 和global;nat(inside) 1 192.168.1.1 255.255.255.0global(outside) 1 222.240.254.193 255.255.255.248＊＊＊nat (inside) 0 192.168.1.1 255.255.255.255 表示192.168.1.1这个地址不需要转换。

直接转发出去。

* 如果内部有服务器需要映像到公网地址(外网访问内网)则需要static和conduit或者acl.static (inside, outside) 222.240.254.194 192.168.1.240static (inside, outside) 222.240.254.194 192.168.1.240 10000 10后面的10000为限制连接数，10为限制的半开连接数。

ASA防火墙怎么样配置asa防火墙配置方法一：cisco asa5550防火墙配置总结asa防火墙配置一、网络拓扑|172.x.x.x|outside|========|=========|| |-----internet 61.x.x.x|========|=========||inside|133.x.x.x防火墙分别配置三个端口，端口名称和ip地址分配如上。

client的ip address pool为100.100.100.0 255.255.255.0。

asa防火墙配置二、配置过程1、建立动态mapcrypto ipsec transform-set myset esp-aes-256 esp-sha-hmaccrypto dynamic-map dymap 1 set transform-set mysetcrypto dynamic-map dymap 1 set reverse-routecrypto map mymap 1 ipsec-isakmp dynamic dymapcrypto map mymap interface internetcrypto isakmp enable internetcrypto isakmp policy 10authentication pre-shareencryption 3deshash shagroup 2lifetime 86400crypto isakmp nat-traversal 202、建立tunnel groupasa防火墙配置方法二：interface ethernet0/0nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0 (内网防火墙接口ip)interface ethernet0/1nameif outsidesecurity-level 0ip address 1.1.1.1 255.255.255.0(外网固定ip) global (outside) 1 interfacenat (inside) 1 192.168.8.0 255.255.255.0route outside 0.0.0.0 0.0.0.0 1.1.1.2 1(外网网关)asa防火墙配置方法三：首先你需要定义下内网的流量access-list 100 permit ip 192.168.0.0 255.255.255.0 any 这个就是表示所有的192.168.0.0/16的网络定义natglobal ( outside ) 1 interfacenat ( inside ) 1 access-list 100另外还需要放行流量access-list acl permit ip any any ( 由于不清楚你的流量我就放行所有了)access-group acl in interface outsideaccess-group acl out interface outside看了“asa防火墙怎么样配置”文章的。

ASA防火墙初始配置1.模式介绍“>”用户模式firewall>enable 由用户模式进入到特权模式password:“#”特权模式firewall#config t 由特权模式进入全局配置模式“（config）#”全局配置模式防火墙的配置只要在全局模式下完成就可以了。

2.接口配置(以5510以及更高型号为例，5505接口是基于VLAN的)：interface Ethernet0/0nameif inside (接口的命名，必须！)security-level 100（接口的安全级别）ip address 10.0.0.10 255.255.255.0no shutinterface Ethernet0/1nameif outsidesecurity-level 0ip address 202.100.1.10 255.255.255.0no shut3.路由配置：默认路由：route outside 0 0 202.100.1.1 （0 0 为0.0.0.0 0.0.0.0）静态路由：route inside 192.168.1.0 255.255.255.0 10.0.0.15505接口配置:interface Ethernet0/0!interface Ethernet0/1switchport access vlan 2interface Vlan1nameif insidesecurity-level 100ip address 192.168.6.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 202.100.1.10ASA防火墙NAT配置内网用户要上网，我们必须对其进行地址转换，将其转换为在公网上可以路由的注册地址，防火墙的nat和global是同时工作的，nat定义了我们要进行转换的地址，而global定义了要被转换为的地址，这些配置都要在全局配置模式下完成，Nat配置：firewall（config）# nat (inside) 1 0 0上面inside代表是要被转换得地址，1要和global 后面的号对应，类似于访问控制列表号，也是从上往下执行，0 0 代表全部匹配（第一个0代表地址，第二个0代表掩码），内部所有地址都回进行转换。

实验10 思科ASA防火墙的NAT配置一、实验目标1、掌握思科ASA防火墙的NAT规则的基本原理；2、掌握常见的思科ASA防火墙的NAT规则的配置方法。

二、实验拓扑根据下图搭建拓扑通过配置ASA防火墙上的NAT规则，使得inside区能单向访问DMZ区和outside区，DMZ区和outside区能够互访。

三、实验配置1、路由器基本网络配置，配置IP地址和默认网关R1#conf tR1(config)#int f0/0R1(config-if)#ip address 192.168.2.1 255.255.255.0R1(config-if)#no shutdownR1(config-if)#exitR1(config)#ip default-gateway 192.168.2.254 //配置默认网关R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.254 //添加默认路由R1(config)#exitR1#writeR2#conf tR2(config)#int f0/0R2(config-if)#ip address 202.1.1.1 255.255.255.0R2(config-if)#no shutdownR2(config-if)#exitR2(config)#ip default-gateway 202.1.1.254R2(config)#exitR2#writeServer#conf tServer(config)#no ip routing //用路由器模拟服务器，关闭路由功能Server(config)#int f0/0Server(config-if)#ip address 192.168.1.1 255.255.255.0Server(config-if)#no shutdownServer(config-if)#exitServer(config)#ip default-gateway 192.168.1.254Server(config)#exitServer#write*说明：实际配置中最好在三台路由器上都添加一条通往防火墙的默认路由，但在本实验中Server和R2不配置不影响实验效果。

实验目的监测防火墙的默认安全控制1、思考默认从内部到外部ping测不通，但是Telnet可以，为什么？2、如何用访问控制列表实现ICMP流量的放行？一、构建实验拓扑2、规划IP地址如图3、配置outside和inside的路由器接口地址和静态路由先配置内部路由器Router>enRouter#conf tRouter(config)#interface f0/0Router(config-if)#ip add 192.168.1.1 255.255.255.0 配置接口地址Router(config-if)#no shutdownRouter(config-if)#exitRouter(config)#ip route 200.1.1.0 255.255.255.0 192.168.1.254 配置到外部的静态路由Router(config)#endRouter#第二步：Outside路由器配置Router>enRouter#conf tRouter(config)#interface f0/0Router(config-if)#ip address 200.1.1.1 255.255.255.0 接口地址Router(config-if)#no shutdownRouter(config-if)#exitRouter(config)#ip route 192.168.1.0 255.255.255.0 200.1.1.254 配置到内部的静态路由Router(config)#endRouter(config)#hostname outside 修改路由器的名字outside(config)#outside(config)#line vty 0 4 开启线程通道outside(config-line)#login% Login disabled on line 194, until 'password' is set% Login disabled on line 195, until 'password' is set% Login disabled on line 196, until 'password' is set% Login disabled on line 197, until 'password' is set% Login disabled on line 198, until 'password' is setoutside(config-line)#password 666 设置远程密码outside(config-line)#exoutside(config-line)#exitoutside(config)#enable password 888 设置路由器的特权密码第三步： ASA配置ciscoasa#ciscoasa#conf tciscoasa(config)#interface vlan 1 进入虚接口ciscoasa(config-if)#ip address 192.168.1.254 255.255.255.0 虚接口地址ciscoasa(config-if)#no shutdown^ciscoasa(config-if)#nameif inside 命名为insideciscoasa(config-if)#security-level 100 设置接口安全级别为100ciscoasa(config-if)#exitciscoasa(config)#interface e0/1 把物理接口e0/1划入vlan1 ciscoasa(config-if)#switchport access vlan 1ciscoasa(config-if)#exitciscoasa(config)#interface vlan 2 进入虚接口vlan2ciscoasa(config-if)#nameif outside 命名为outsideciscoasa(config-if)#security-level 0 安全级别为 0ciscoasa(config-if)#ip add 200.1.1.254 255.255.255.0 配置虚接口地址ciscoasa(config-if)#no shutdownciscoasa(config-if)#exitciscoasa(config)#interface e0/0 把物理接口e0/0 划入到vlan2 ciscoasa(config-if)#switchport access vlan 2ciscoasa(config-if)#endciscoasa#ciscoasa#第四步监测防火墙ping内部和外部可以通ciscoasa#ping 192.168.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:.Success rate is 80 percent (4/5), round-trip min/avg/max = 0/2/5 msciscoasa#ping 200.1.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:.Success rate is 80 percent (4/5), round-trip min/avg/max = 0/2/8 msciscoasa#show routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGPi - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODRP - periodic downloaded static routeGateway of last resort is not setC 192.168.1.0 255.255.255.0 is directly connected, insideC 200.1.1.0 255.255.255.0 is directly connected, outside（学会在防火墙上创建路由，本题没有用此路由）创建路由ciscoasa(config)#route inside 0.0.0.0 0.0.0.0 192.168.1.1ciscoasa(config)#route outside 0.0.0.0 0.0.0.0 200.1.1.1检查内网ping测外部Router#ping 200.1.1.1 //监测网络连通性Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds: .....Success rate is 0 percent (0/5)Ping命令不通防火墙拦截来自外部的ＩＣＭＰ包内部Ｔｅｌｎｅｔ外部Router#telnet 200.1.1.1Trying 200.1.1.1 ...OpenUser Access VerificationPassword:outside>enPassword:outside#outside#outside#exi可以Telnet成功，说明防火墙的状态监测机制起到作用第五步：放行来自外部的ICMP流量ASA用ACL放行icpm流量ciscoasa(config)#access-list out permit icmp any anyciscoasa(config)#access-group out in interface outsideciscoasa(config)#检查实验结果从内部的路由ping外部的outside路由，结果可以通说明放行成功。

Cisco ASA硬件防火墙实验【实验目的】ASA防火墙的基本配置和高级的URL过滤等【实验拓扑】【实验步骤】一、Cisco ASA防火墙的基本配置:1、配置主机名、域名、密码EnableConf tHostname ASA5520 配置主机名为ASA5520Domaln-name 配置域名为Enable password ASA5520 配置特权密码Password cisco 配置远程登录密码2、配置接口Conf tInterface e0/0Nameif inside 配置接口的名字为insideSecurity-level 100 配置接口的安全级别为100Ip address 192.168.0.1 255.255.255.0 配置接口IP地址No shutdown 开启端口ExitInterface e0/1Nameif outside 配置接口的名字为outsideSecurity-level 0 配置接口的安全级别为0Ip address 202.140.11.2 255.255.255.0 配置接口IP地址No shutdown 开启端口ExitInterface e0/0Nameif DMZ 配置接口的名字为DMZSecurity-level 50 配置接口的安全级别为50Ip address 192.168.1.1 255.255.255.0 配置接口IP地址No shutdown 开启端口Exit3、配置路由Conf tRoute outside 0.0.0.0 0.0.0.0 202.140.11.1 配置缺省路由是任意到达出口的地址的下一条是202.140.11.1(因为防火墙有可能不是直接W AN所以要设置默认路由)4、配置远程管理接入配置telnet接入Conf ttelnet 192.168.0.0 255.255.255.0 inside 配置telnet管理接入地址为inside的192.168.0.0/24这个网段的地址telnet 192.168.0.3 255.255.255.255 inside 也可以配置只允许一台主机的接入telnet timeout 30 配置telnet超时为30分钟配置ssh接入Conf tCrypto key generate rsa modulus 1024 生成RSA密钥对Ssh 192.168.0.0 255.255.255.0 inside 配置ssh接入地址为inside的192.168.0.0/24这个网段的地址Ssh 0 0 outside 配置ssh接入地址为outside的任意网段的地址Ssh timeout 30 配置超时为30分钟Ssh version 2 配置版本号为2配置ASDM(自适应安全设备管理器)接入Conf tHttp server enable 65123 打开防火墙HTTPS服务功能http 0 0 outside 配置防火墙允许HTTPS接入的地址为任意asdm image disk0:/asdmfile 指定ASDM映像位置username zhangsan password zhangsan privilege 15 配置客户端登录使用的用户名和密码为zhangsan特权为最高的15级5、为出站流量配置网络地址转换Conf tNat control 启用NAT功能Nat (inside) 1 0 0 指定需要被转换的地址为全内网Global (outside) 1 interface 定义一个全局地址池Global (dmz) 1 192.168.1.100-192.168.1.110 定义一个到达dmz的地址池6、配置ACLConf tAccess-list test1 standard permit 192.168.0.0 255.255.255.0 配置允许192.168.0.0/24这个网段的地址Access-list test2 extended permit tcp any any eq www 配置允许任意的地址访问任意网站Access-group test1 in interface dmz 把test1应用到接口上7、过滤URL配置例子：IP地址范围在192.168.0.2-192.168.0.15中的主机只能访问，不能访问其它任何网站。

Data Sheet Cisco ASA 5500 and ASA 5500-X SeriesNext-Generation Firewalls for the Internet EdgeCisco® ASA 5500 and ASA 5500-X Series Next-Generation Firewalls integrate the world’s most proven stateful inspection firewall with a comprehensive suite of highly integrated next-generation firewall services for networks of all sizes - small and midsize businesses with one or a few locations, large enterprises, service providers, and mission-critical data centers. The Cisco ASA 5500 and ASA 5500-X SeriesNext-Generation Firewalls deliver MultiScale™ performance with unprecedented services flexibility, including next-generation firewall capabilities, modular scalability, feature extensibility, and lower deployment and operations costs.Midsize businesses protecting the Internet edge require the same level of protection as large enterprise networks. You require enterprise-strength security, but purchasing a firewall that was built to handle the performance needs and budget of a large enterprise would be unnecessary and a waste of company resources. You need a firewall that provides the performance you need at a price you can afford, along with the visibility and control you need to take advantage of new applications and devices without compromising security.Features and BenefitsCisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls are available in a wide range of sizes and performance levels to fit your network and budget while offering the same proven level of security that protects some of the largest networks at some of the most security-conscious companies in the world. The ASA 5500 and ASA 5500-X Next-Generation Series Firewalls scale to meet the performance and security requirements of a wide range of network applications, to correspond with your changing needs.Like their enterprise counterparts, Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet edge protect critical assets through:●Exceptional next-generation firewall services that provide the visibility and control your enterprise needs tosafely take advantage of new applications and devices1●Application Visibility and Control (AVC) to control specific behaviors within allowed micro-applications●Web Security Essentials (WSE) to restrict web and web application usage based on reputation of the site●Broad and deep network security through an array of integrated cloud- and software-based next-generationfirewall services backed by Cisco Security Intelligence Operations (SIO)●Highly effective intrusion prevention system (IPS) with Cisco Global Correlation●High-performance VPN and always-on remote access●The ability to enable additional security services quickly and easily in response to changing needs1 Please contact your sales representative for availability.Cisco ASA 5525-X, 5545-X, and 5555-XThe Cisco ASA 5525-X, 5545-X, and 5555-X are next-generation firewalls that combine the most widely deployed stateful inspection firewall in the industry with a comprehensive suite of next-generation network security services - for comprehensive security without compromise. They help meet evolving security needs by delivering multiple next-generation security services, multigigabit performance, flexible interface options, and redundant power supplies, all in a compact 1-RU form factor. These firewalls optionally provide broad and deep network security services through an array of integrated cloud- and software-based security services, including Application Visibility and Control (AVC), Web Security Essentials (WSE), Cisco Cloud Web Security (CWS), and the only context-aware IPS - with no need for additional hardware modules.The ASA 5525-X, 5545-X, and 5555-X Next-Generation Firewalls are part of the ASA 5500-X Series, which is built on the same proven security platform as the rest of the ASA family of firewalls and delivers superior performance for exceptional operational efficiency. These models are designed to meet evolving security needs by providing, among other things, innovative next-generation firewall services that make it possible to take advantage of new applications and devices without compromising security. Unlike other next-generation firewalls, the Cisco ASA 5500-X Series keeps pace with rapidly evolving needs by offering end-to-end network intelligence gained from combining the visibility from local traffic with in-depth global network intelligence through:●Cisco TrustSec® technology●Cisco AnyConnect® Secure Mobility Solution for unique mobile client insight●Cisco Security Intelligence Operations (SIO) for near-real-time threat information and proactive protection●Cisco ASA Next-Generation Firewall ServicesWith up to 4 Gbps of firewall throughput, 1,000,000 concurrent firewall connections, 50,000 connections per second, and 6 integrated Gigabit Ethernet interfaces, the ASA 5525-X, 5545-X, and 5555-X are excellent choices for businesses requiring high performance, cost effectiveness, exceptional application visibility and control, and an extensible security solution that can grow with their changing needs.Cisco ASA 5520, 5540, and 5550The Cisco ASA 5520, 5540, and 5550 are modular, high-performance firewalls that deliver security services with Active/Active high availability and Gigabit Ethernet connectivity for medium-sized enterprise networks. With Gigabit Ethernet interfaces and support for up to 200 VLANs, businesses can easily deploy the Cisco ASA 5520, 5540, and 5550 into multiple zones within their network. The Cisco ASA 5520, 5540, and 5550 scale with businesses as their network security requirements grow, delivering solid investment protection.Businesses can extend their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Up to 5000 Cisco AnyConnect and/or clientless VPN peers can be supported. VPN capacity and resiliency can be increased by taking advantage of integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520, 5540, and 5550 support up to 10 firewalls in a cluster, offering a maximum of 50,000 AnyConnect and/or clientless VPN peers or 50,000 IPsec VPN peers per cluster. For business continuity and event planning, the Cisco ASA 5520, 5540, and 5550 can also benefit from Cisco VPN Flex licenses, which enable administrators to react to or plan for short-term “bursts” of concurrent Premium VPN remote-access users for up to two months.The advanced application-layer security and content security defenses provided by these firewalls can be extended by deploying the high-performance intrusion prevention and worm mitigation capabilities of the Advanced Inspection and Prevention Security Services Module (AIP SSM) or the comprehensive malware protection of the Content Security and Control Security Services Module (CSC SSM). Using these optional security context capabilities, businesses can deploy up to 100 virtual firewalls within a physical appliance to enable compartmentalized control of security policies on a departmental level. This virtualization strengthens security and reduces overall management and support costs while consolidating multiple security devices into a single appliance.Table 1 compares the features and capacities of the Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet Edge.Table 1. Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet EdgeUp to 450 Mbps 2 Gbps Up to 650 Mbps 3 Gbps Up to 1.2 Gbps 4 Gbps2 Maximum throughput measured with UDP traffic under ideal conditions.3 Multiprotocol: Traffic profile consisting primarily of TCP-based protocols/applications, such as HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.4 Firewall traffic that does not go through the IPS service can have higher throughput.5 Throughput was measured using ASA CX Software Release 9.1.1 with multiprotocol traffic profile with both AVC and WSE. Traffic logging was enabled as well.6 VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.7 Separately licensed feature; includes two SSL licenses with base system.Regulatory and Standards ComplianceSafety UL 60950, CSAC22.2 No. 60950,EN 60950 IEC60950,AS/NZS60950 IEC 60950-1:2005, 2nd EditionEN 60950-1:2006+A11: 2009UL 60950-1:2007,2nd Edition;CSA C22.2 No.60950-1-07, 2ndEditionUL 60950, CSAC22.2 No. 60950,EN 60950 IEC60950,AS/NZS60950IEC 60950-1:2005, 2nd EditionEN 60950-1:2006+A11: 2009UL 60950-1:2007,2nd Edition;CSA C22.2 No.60950-1-07, 2ndEditionUL 60950, CSAC22.2 No. 60950,EN 60950 IEC60950,AS/NZS60950IEC 60950-1:2005, 2nd EditionEN 60950-1:2006+A11: 2009UL 60950-1:2007,2nd Edition;CSA C22.2 No.60950-1-07, 2ndEditionElectromagnetic Compatibility (EMC) CE marking, FCCPart 15 Class A,AS/NZS CISPR22Class A, VCCIClass A, EN55022Class A, CISPR22Class A,EN61000-3-2,EN61000-3-3CE: EN550222006+A1: 2007Class A; EN550241998+A1:2001+A2:2003; EN61000-3-2 2009;EN61000-3-3 2008;FCC:CFR 47, Part15 Subpart BClass A2010,ANSI C63.42009;ICES-003 ISSUE 4FEBRUARY.2004;VCCI:V-3/2011.04;C-TICK:AS/NZSCISPR 22,2009KC:KN22 & KN24CE marking, FCCPart 15 Class A,AS/NZS CISPR22Class A, VCCIClass A, EN55022Class A, CISPR22Class A,EN61000-3-2,EN61000-3-3CE: EN550222006+A1: 2007Class A; EN550241998+A1:2001+A2:2003; EN61000-3-2 2009;EN61000-3-3 2008;FCC:CFR 47, Part15 Subpart BClass A2010,ANSI C63.42009;ICES-003 ISSUE 4FEBRUARY.2004;VCCI:V-3/2011.04;C-TICK:AS/NZSCISPR 22,2009KC:KN22 & KN24CE marking, FCCPart 15 Class A,AS/NZS CISPR22Class A, VCCIClass A, EN55022Class A, CISPR22Class A,EN61000-3-2,EN61000-3-3CE: EN550222006+A1: 2007Class A; EN550241998+A1:2001+A2:2003; EN61000-3-2 2009;EN61000-3-3 2008;FCC:CFR 47, Part15 Subpart BClass A2010,ANSI C63.42009;ICES-003 ISSUE 4FEBRUARY.2004;VCCI:V-3/2011.04;C-TICK:AS/NZSCISPR 22,2009KC:KN22 & KN24Industry Certifications Common CriteriaEAL4 US DoDApplication-LevelFirewall forMedium-RobustnessEnvironments,Common CriteriaEAL2 for IPS onAIP SSM-10 and -20, FIPS 140-2Level 2, and NEBSLevel 3In process:Common CriteriaEAL4+ US DoDApplication-LevelFirewall forMedium-RobustnessEnvironments, andCommon CriteriaEAL4 forIPsec/SSL VPNIn process FIPS 140-2 Level2In process:Common CriteriaEAL4+ US DoDApplication-LevelFirewall forMedium-RobustnessEnvironments, andCommon CriteriaEAL4 forIPsec/SSL VPNIn process FIPS 140-2 Level2In process:Common CriteriaEAL4+ US DoDApplication-LevelFirewall forMedium-RobustnessEnvironments, andCommon CriteriaEAL4 forIPsec/SSL VPNIn processCisco ASA 5500 Series Security Services Processors, Modules, and CardsThe Cisco ASA 5500 Series brings a new level of integrated security performance to networks with its highly effective IPS services and multiprocessor hardware architecture. This architecture allows businesses to adapt and extend the high-performance security services profile of the Cisco ASA 5500 Series. Customers can add additional high-performance services using security services modules with dedicated security co-processors, and can custom-tailor flow-specific policies using a highly flexible policy framework. This adaptable architecture enables businesses to deploy new security services when and where they are needed, such as adding the broad range of intrusion prevention and advanced antiworm services delivered by the IPS modules via the AIP SSM and AIP SSC, or the comprehensive malware protection and content security services enabled by the CSC SSM. Further, the Cisco ASA 5500 Series architecture allows Cisco to introduce new services to address new threats, giving businesses outstanding investment protection.The Cisco ASA 5500 Series AIP SSM and AIP SSC are inline, network-based solutions that accurately identify, classify, and stop malicious traffic before it affects business continuity for IPv4, IPv6, and hybrid IPv6 and IPv4 networks. They combine inline prevention services with innovative technologies, resulting in total confidence in the provided protection of the deployed IPS solution, without the fear of legitimate traffic being dropped. The AIP SSM and AIP SSC also offer comprehensive network protection through their unique ability to collaborate with other network security resources, providing a proactive approach to protecting the network.Accurate inline prevention technologies provide unparalleled confidence to take preventive action on a broader range of threats without the risk of dropping legitimate traffic. These unique technologies offer intelligent, automated, contextual analysis of data and help ensure that businesses are getting the most out of their intrusion prevention solutions. Furthermore, the IPS SSP, AIP SSM, and AIP SSC use multivector threat identification to protect the network from policy violations, vulnerability exploitations, and anomalous activity through detailed inspection of traffic in Layers 2 through 7.Table 2 details the AIP SSM models that are available, and their respective performance and physical characteristics.Table 2. Characteristics of Cisco ASA 5500 Series AIP SSM Models225 Mbps with Cisco ASA 5520 375 Mbps with Cisco ASA 5520500 Mbps with Cisco ASA 5540 450 Mbps with Cisco ASA 5520 650 Mbps with Cisco ASA 5540Cisco ASA 5500 Series Content Security and Control ModuleThe Cisco ASA 5500 Series CSC SSM delivers industry-leading threat protection and content control at the Internet edge, providing comprehensive antivirus, antispyware, file blocking, antispam, antiphishing, URL blocking and filtering, and content filtering services in an easy-to-manage solution. The CSC SSM bolsters the Cisco ASA 5500 Series’ strong security capabilities, providing customers with additional protection of and control over the content of their business communications. The module provides additional flexibility and choice over the functioning and deployment of Cisco ASA 5500 Series firewalls. Licensing options enable organizations to customize the features and capabilities to each group’s needs, with features that include advanced content services and increased user capacity. The CSC SSM ships with a default feature set that provides antivirus, antispyware, and file blocking services.A Plus license is available for each CSC SSM at an additional charge, delivering capabilities such as antispam, antiphishing, URL blocking and filtering, and content control services. Businesses can extend the user capacity of the CSC SSM by purchasing and installing additional user licenses. A detailed listing of these options is shown in Table 3 and in the CSC SSM data sheet.Table 3. Characteristics of Cisco ASA 5500 Series CSC SSMsCisco ASA 5520 Cisco ASA 5520Cisco ASA 5540Cisco ASA 5500 Series 4-Port Gigabit Ethernet ModuleThe Cisco ASA 5500 Series 4-Port Gigabit Ethernet SSM enables businesses to better segment network traffic into separate security zones, providing more granular security for their network environment. These zones can range from the Internet to internal corporate departments/sites to DMZs. This high-performance module supports both copper and optical connection options by including four 10/100/1000 copper RJ-45 ports and four SFP ports. Businesses can choose between copper or fiber ports, providing flexibility for data center, campus, or enterprise edge connectivity. The module extends the I/O profile of the Cisco ASA 5500 Series to a total of five Fast Ethernet and four Gigabit Ethernet ports on the Cisco ASA 5510. Table 4 lists the characteristics of the Cisco ASA 5500 Series 4-Port Gigabit Ethernet SSMs.Table 4. Characteristics of Cisco ASA 5500 Series 4-Port Gigabit Ethernet SSMsFour 10/100/1000BASE-TFour (Gigabit Ethernet Optical SFP 1000BASE-SX or LX/LH transceiver supported)Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface CardsCisco ASA 5500-X Series 6-port Gigabit Ethernet Interface Cards extend the I/O profile of the ASA 5525-X through ASA 5555-X by providing additional GE ports. The cards provide the following benefits:●Better segmentation of network traffic (into separate security zones)●Fiber-optic cable connectivity for long distance communication●Load sharing of traffic as well as protection against link failure by using EtherChannel●Support for Jumbo Ethernet frames of up to 9000 bytes●Protection against cable failure for the most demanding Active/Active and full mesh firewall deployments Table 5 lists the characteristics of the Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface Cards.Table 5. Characteristics of Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface CardsSix 10/100/1000BASE-T Six (Gigabit Ethernet Optical SFP 1000BASE-SX or LX/LHtransceiver supported)Ordering InformationTo place an order, visit the Cisco Ordering Home Page. Table 6 provides ordering information for the Cisco ASA 5500 Series and ASA 5500-X Series Next-Generation Firewalls.Table 6. Ordering InformationTo Download the SoftwareVisit the Cisco Software Center to download Cisco ASA Software.Service and SupportCisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business.Included in the “Operate” phase of the service lifecycle are Cisco Sec urity IntelliShield Alert Manager Service, Cisco SMARTnet® Service, Cisco Service Provider Base, and Cisco Services for IPS. These services are suitable for enterprise, commercial, and service provider customers.Cisco Security IntelliShield Alert Manager Service provides a customizable, web-based threat and vulnerability alert service that allows organizations to easily access timely, accurate, and credible information about potential vulnerabilities in their environment.Cisco Services for IPS supports modules, platforms, and bundles of platforms and modules that feature IPS capabilities. Cisco SMARTnet and Service Provider Base support other products in this family.Cisco CapitalFinancing to Help You Achieve Your ObjectivesCisco Capital can help you acquire the technology you need to achieve your objectives and stay competitive. We can help you reduce CapEx. Accelerate your growth. Optimize your investment dollars and ROI. Cisco Capital financing gives you flexibility in acquiring hardware, software, services, and complementary third-party equipment. And there’s just one predictable payment. Cisco Capital is available in more than 100 countries. Learn more.For More InformationFor more information, please visit the following links:●Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls: /go/asa●Cisco Adaptive Security Device Manager: /go/asdm●Cisco Security Services: /en/US/products/svcs/ps2961/ps2952/serv_group_home.html●Cisco ASA 5500 Series and ASA 5500-X Series Licensing Information:/en/US/products/ps6120/products_licensing_information_listing.html。

CISCO ASA防火墙ASDM安装和配置准备工作：准备一条串口线一边接台式机或笔记本一边接防火墙的CONSOLE 接口，通过开始——>程序——> 附件——>通讯——>超级终端输入一个连接名，比如“ASA”,单击确定。

选择连接时使用的COM口，单击确定。

点击还原为默认值。

点击确定以后就可能用串口来配置防火墙了。

在用ASDM图形管理界面之前须在串口下输入一些命令开启ASDM。

在串口下输入以下命令：ciscoasa>ciscoasa> enPassword:ciscoasa# conf t 进入全局模式ciscoasa(config)# webvpn 进入WEBVPN模式ciscoasa(config-webvpn)# username cisco password cisco 新建一个用户和密码ciscoasa(config)# int m 0/0 进入管理口ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0添加IP地址ciscoasa(config-if)# nameif guanli 给管理口设个名字ciscoasa(config-if)# no shutdown 激活接口ciscoasa(config)#q 退出管理接口ciscoasa(config)# http server enable 开启HTTP服务ciscoasa(config)# http 192.168.1.0 255.255.255.0 guanli 在管理口设置可管理的IP地址ciscoasa(config)# show run 查看一下配置ciscoasa(config)# wr m 保存经过以上配置就可以用ASDM配置防火墙了。

首先用交叉线把电脑和防火墙的管理口相连，把电脑设成和管理口段的IP 地址,本例中设为192.168.1.0 段的IP打开浏览器在地址栏中输入管理口的IP地址:[url]https://192.168.1.1/admin[/url]弹出一下安全证书对话框，单击“是”输入用户名和密码（就是在串口的WEBVPN模式下新建的用户和密码），然后点击“确定”。

..Cisco ASA 防火墙图文配置实例本文是基于ASA5540 和 ASA5520 的配置截图所做的一篇配置文档，从最初始的配置开始：1、连接防火墙登陆与其他的 Cisco 设备一样，用 Console 线连接到防火墙，初始特权密码为空。

2、配置部接口和 IP 地址进入到接口配置模式，配置接口的 IP 地址，并指定为 inside。

防火墙的地址配置好后，进行测试，确认可以和防火墙通讯。

3、用 dir 命令查看当前的 Image 文件版本。

4、更新 Image 文件。

准备好 TFTP 服务器和新的 Image 文件，开始更新。

5、更新 ASDM。

6、更新完成后，再用 dir 命令查看8、存盘，重启9、用 sh version 命令验证启动文件，可以发现当前的 Image 文件就是更新后的10、设置允许用图形界面来管理 ASA 防火墙表示部接口的任意地址都可以通过 http 的方式来管理防火墙。

11、打开浏览器，在地址栏输入防火墙部接口的 IP 地址选择“是”按钮。

12、出现安装 ASDM 的画面选择“Install ASDM Launcher and Run ASDM”按钮，开始安装过程。

13、安装完成后会在程序菜单中添加一个程序组14、运行 ASDM Launcher，出现登陆画面15、验证证书单击“是”按钮后，开始登陆过程16、登陆进去后，出现防火墙的配置画面，就可以在图形界面下完成 ASA 防火墙的配置17、选择工具栏的“Configuration”按钮18、选择“Interface”，对防火墙的接口进行配置，这里配置g0/3接口选择 g0/3 接口，并单击右边的“Edit”按钮19、配置接口的 IP 地址，并将该接口指定为 outside单击 OK 后，弹出“Security Level Change”对话框，单击 OK 20、编辑 g0/1 接口，并定义为 DMZ 区域21、接口配置完成后，要单击 apply 按钮，以应用刚才的改变，这一步一定不能忘22、设置静态路由单击 Routing->Static Route->Add23、设置 enable 密码24、允许 ssh 方式登录防火墙25、增加用户定义 ssh 用本地数据库验证26、用 ssh 登录测试登录成功27、建立动态 NAT 转换选择 Add Dynamic NAT RuleInterface 选择 inside，Source 处输入 any 单击 Manage 按钮单击 add，增加一个地址池Interface 选择 Outside，选择 PAT，单击 Add 按钮单击 OK完成了添加动态 NAT 转换28、静态 NAT 转换由于笔者 2009 年离开了原单位，有些配置的截图没有做，新单位又没有 ASA 防火墙，只好参考《ASA8.0/ASDM6.0 测试报告》的截图和文档来完成本文，并将该文档中部分常用的配置联接在本文后，对该文的作者表示感。

cisco-asa 防火墙配置hostname CD-ASA5520 //给防火墙命名domain-namedefault.domain.invalid //定义工作域enable password 9jNfZuG3TC5tCVH0 encrypted // 进入特权模式的密码names dns-guard！interface GigabitEthernet0/0 //内网接口：duplex full //接口作工模式：全双工，半双，自适应nameif inside //为端口命名：内部接口inside security-level 100 //设置安全级别 0~100 值越大越安全ip address192.168.1.1 255.255.255.0 //设置本端口的IP地址！interface GigabitEthernet0/1 //外网接口nameif outside //为外部端口命名：外部接口outside security-level 0 ip address 202.98.131.122 255.255.255.0 //IP地址配置！interface GigabitEthernet0/2 nameif dmz security-level 50 ip address 192.168.2.1 255.255.255.0！interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address！interface Management0/0 //防火墙管理地址shutdown no nameif no security-level no ip address！passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive clock timezone CST 8 dns server-group DefaultDNS domain-name default.domain.invalid access-list outside_permit extended permit tcp any interface outside eq 3389 //访问控制列表access-list outside_permit extended permit tcp any interface outside range 30000 30010 //允许外部任何用户可以访问outside 接口的30000-30010的端口。

一，配置接口配置外网口：interface GigabitEthernet0/0nameif outside 定义接口名字security-level 0ip address 111.160.45.147 255.255.255.240 设定ipnoshut!配置内网口：interface GigabitEthernet0/1nameif insidesecurity-level 100ip address 20.0.0.2 255.255.255.252noshut二，配置安全策略access-list outside_acl extended permit icmp any any配置允许外网pingaccess-group outside_acl in interface outside 应用策略到outside口access-list inside_access_in extended permit ip any any配置允许内网访问外网access-group inside_access_in in interface inside应用到inside口三，设置路由route outside 0.0.0.0 0.0.0.0 111.160.45.145 1配置到出口的默认路由route inside 10.1.0.0 255.255.0.0 20.0.0.1 1 配置到内网的静态路由四，配置natobject network nat_net配置需要nat的内网网段subnet 0.0.0.0 0.0.0.0nat (inside,outside) source dynamic nat_net interface配置使用出接口ip做转换ip 五，配置远程管理配置telet管理：telnet 0.0.0.0 0.0.0.0 outsidetelnet 0.0.0.0 0.0.0.0 insidetelnet timeout 30配置ssh管理：crypto key generate rsa建立密钥并保存一次wrissh 0.0.0.0 0.0.0.0 outsidessh 0.0.0.0 0.0.0.0 insidessh timeout 30ssh version 1配置用户名密码：username admin password yfz4EIInjghXNlcu encrypted privilege 15。

图解Cisco ASA防火墙SSL VPN的配置(图)随着现在互联网的飞速发展，企业规模也越来越大，一些分支企业、在外办公以及SOHO一族们，需要随时随地的接入到我们企业的网络中，来完成我们一些日常的工作，这时我们VPN在这里就成了一个比较重要的一个角色了。

SSL VPN设备有很多。

如Cisco 路由器、Cisco PIX防火墙、Cisco ASA 防火墙、Cisco VPN3002 硬件客户端或软件客户端。

这极大地简化了远程端管理和配置。

说的简单点就是在Server 端配置复杂的策略和密钥管理等命令，而在我们的客户端上只要配置很简单的几条命令就能和Server端建立VPN链路的一种技术，主要的目的当然就是简化远端设备的配置和管理。

那么今天我们看看我们要实现的是SSL VPN，那什么是SSL VPN呢？SSL VPN是解决远程用户访问敏感公司数据最简单最安全的解决技术。

与复杂的IPSec VPN相比，SSL通过简单易用的方法实现信息远程连通。

任何安装浏览器的机器都可以使用SSL VPN，这是因为SSL 内嵌在浏览器中，它不需要象传统IPSec VPN一样必须为每一台客户机安装客户端软件。

什么是SSL VPN？从概念角度来说，SSL VPN即指采用SSL 〔Security Socket Layer〕协议来实现远程接入的一种新型VPN技术。

SSL 协议是网景公司提出的基于WEB应用的安全协议，它包括：服务器认证、客户认证〔可选〕、SSL链路上的数据完整性和SSL链路上的数据保密性。

对于内、外部应用来说，使用SSL可保证信息的真实性、完整性和保密性。

目前SSL 协议被广泛应用于各种浏览器应用，也可以应用于Outlook等使用TCP协议传输数据的C/S应用。

正因为SSL 协议被内置于IE等浏览器中，使用SSL 协议进行认证和数据加密的SSL VPN就可以免于安装客户端。

相对于传统的IPSEC VPN而言，SSL VPN具有部署简单，无客户端，维护成本低，网络适应强等特点，这两种类型的VPN之间的差异就类似C/S构架和B/S构架的区别。