思科防火墙配置

配置要求：1、分别划分inside（内网）、outside（外网）、dmz（安全区）三个区域。

2、内网可访问外网及dmz内服务器（web），外网可访问dmz内服务器（web）。

3、Dmz服务器分别开放80、21、3389端口。

说明：由于防火墙许可限制“no forward interface Vlan1”dmz内服务器无法访问外网。

具体配置如下：希望对需要的朋友有所帮助ASA Version 7.2(4)!hostname asa5505enable password tDElRpQcbH/qLvnn encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Vlan1nameif outsidesecurity-level 0ip address 外网IP 外网掩码!interface Vlan2nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0!interface Vlan3no forward interface Vlan1nameif dmzsecurity-level 50ip address 172.16.1.1 255.255.255.0!interface Ethernet0/0description outside!interface Ethernet0/1description insideswitchport access vlan 2!interface Ethernet0/2description dmzswitchport access vlan 3!interface Ethernet0/3description insideswitchport access vlan 2!interface Ethernet0/4shutdown!interface Ethernet0/5shutdown!interface Ethernet0/6shutdown!interface Ethernet0/7shutdown!ftp mode passiveobject-group service outside-to-dmz tcpport-object eq wwwport-object eq ftpport-object eq 3389access-list aaa extended permit tcp any host 外网IP object-group outsid e-to-dmzaccess-list bbb extended permit tcp host 172.16.1.2 192.168.1.0 255.255. 255.0 object-group outside-to-dmzpager lines 24mtu outside 1500mtu inside 1500mtu dmz 1500icmp unreachable rate-limit 1 burst-size 1asdm image disk0:/asdm-524.binno asdm history enablearp timeout 14400global (outside) 1 interfaceglobal (dmz) 1 172.16.1.10-172.16.1.254 netmask 255.255.255.0nat (inside) 1 192.168.1.0 255.255.255.0nat (dmz) 1 172.16.1.0 255.255.255.0alias (inside) 221.203.36.86 172.16.1.2 255.255.255.255static (dmz,outside) tcp interface www 172.16.1.2 www netmask 255.255.2 55.255 dnsstatic (dmz,outside) tcp interface ftp 172.16.1.2 ftp netmask 255.255.2 55.255 dnsstatic (dmz,outside) tcp interface 3389 172.16.1.2 3389 netmask 255.255. 255.255dnsstatic (inside,dmz) 172.16.1.2 192.168.1.0 netmask 255.255.255.255 dns access-group aaa in interface outsideaccess-group bbb in interface dmzroute outside 0.0.0.0 0.0.0.0 外网网关 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absoluteno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstart telnet timeout 5ssh timeout 5console timeout 0!class-map inspection_defaultmatch default-inspection-traffic!!policy-map type inspect dns preset_dns_mapparametersmessage-length maximum 512policy-map global_policyclass inspection_defaultinspect dns preset_dns_mapinspect ftpinspect h323 h225inspect h323 rasinspect netbiosinspect rshinspect rtspinspect skinnyinspect esmtpinspect sqlnetinspect sunrpcinspect tftpinspect sipinspect xdmcpinspect http!service-policy global_policy globalprompt hostname contextCryptochecksum:9d2a6010d4fc078cf026f98dcec96007 : endasa5505(config)#。

一、防火墙登陆过程telnet 192.168.0.1输入：123用户名：en密码：srmciscoConf tShow run二、公网IP与内网IP映射：static (inside,outside) 61.142.114.180 192.168.0.7 netmask 255.255.255.255 0 0三、再打开端口：输入以下一笔命今如access-list acl-out permit tcp any host 61.142.114.183 eq 5800 (打开外部5800端口) access-list acl-out permit tcp any host 61.142.114.183 eq 5900 (打开外部5900端口) access-list acl-out permit tcp any host 61.142.114.183 eq 1433 (打开外部1433端口) access-list acl-in permit tcp any host 61.142.114.183 eq 1433 (打开内部1433端口) access-list acl-in permit tcp any host 61.142.114.183 eq 5900 (打开内部5900端口) access-list acl-in permit tcp any host 61.142.114.183 eq 5800 (打开内部5800端口)四、登出防火墙：logout五、增加上网电脑1、nat (inside) 1 192.168.0.188 255.255.255.255 0 0（上网电脑IP地址）2、arp inside 192.168.0.188 000f.eafa.645d alias（绑定上网电脑网卡MAC地址）六、取消上网电脑1、no nat (inside) 1 192.168.0.188 255.255.255.255 0 0（上网电脑IP地址）2、no arp inside 192.168.0.188 000f.eafa.645d alias（绑定上网电脑网卡MAC地址）七、增加可以远程控制防火墙电脑telnet 192.168.0.188 255.255.255.255 inside八、保存已做改动设置wr me九、以下为现存防火墙配置。

C. 配置fixup协议fixup命令作用是启用，禁止，改变一个服务或协议通过pix防火墙，由fixup命令指定的端口是pix防火墙要侦听的服务。

见下面例子：例1．Pix525(config)#fixup protocol ftp 21启用ftp协议，并指定ftp的端口号为21例2．Pix525(config)#fixup protocol http 80Pix525(config)#fixup protocol http 1080 为http协议指定80和1080两个端口。

例3．Pix525(config)#no fixup protocol smtp 80禁用smtp协议。

D. 设置telnettelnet有一个版本的变化。

在pix OS 5.0（pix操作系统的版本号）之前，只能从内部网络上的主机通过telnet访问pix。

在pix OS 5.0及后续版本中，可以在所有的接口上启用telnet 到pix的访问。

当从外部接口要telnet到pix防火墙时，telnet数据流需要用ipsec提供保护，也就是说用户必须配置pix来建立一条到另外一台pix，路由器或vpn客户端的ipsec隧道。

另外就是在PIX上配置SSH，然后用SSH client从外部telnet到PIX防火墙，PIX支持SSH1和SSH2，不过SSH1是免费软件，SSH2是商业软件。

相比之下cisco路由器的telnet就作的不怎么样了。

telnet配置语法：telnet local_ip [netmask] local_ip 表示被授权通过telnet访问到pix的ip 地址。

如果不设此项，pix的配置方式只能由console进行。

说了这么多，下面给出一个配置实例供大家参考。

Welcome to the PIX firewallType help or '?' for a list of available commands.PIX525> enPassword:PIX525#sh config: Saved:PIX Version 6.0(1) ------ PIX当前的操作系统版本为6.0Nameif ethernet0 outside security0Nameif ethernet1 inside security100 ------ 显示目前pix只有2个接口Enable password 7Y051HhCcoiRTSQZ encryptedPassed 7Y051HhCcoiRTSQZ encrypted ------ pix防火墙密码在默认状态下已被加密，在配置文件中不会以明文显示，telnet 密码缺省为ciscoHostname PIX525 ------ 主机名称为PIX525Domain-name ------ 本地的一个域名服务器，通常用作为外部访问Fixup protocol ftp 21Fixup protocol http 80fixup protocol h323 1720fixup protocol rsh 514fixup protocol smtp 25fixup protocol sqlnet 1521fixup protocol sip 5060 ------ 当前启用的一些服务或协议，注意rsh服务是不能改变端口号names ------ 解析本地主机名到ip地址，在配置中可以用名字代替ip地址，当前没有设置，所以列表为空pager lines 24 ------ 每24行一分页interface ethernet0 autointerface ethernet1 auto ------ 设置两个网卡的类型为自适应mtu outside 1500mtu inside 1500 ------ 以太网标准的MTU长度为1500字节ip address outside 61.144.51.42 255.255.255.248ip address inside 192.168.0.1 255.255.255.0 ------ pix外网的ip地址61.144.51.42，内网的ip地址192.168.0.1ip audit info action alarmip audit attack action alarm ------ pix入侵检测的2个命令。

asa5505思科防火墙公司网络不断更新，新进一设备名为cicoASA-5505防火墙。

公司准备把四台监控系统服务器通过防火墙与公司现有网络隔离。

但是现有的服务器有三台在之前分别在给市煤管局、集团公司、国投总公司提供监控信息。

所以更改IP地址的话会很麻烦。

所以公司决定将原有三台电脑的IP 地址做地址转换。

开放相应端口即可。

公司现有网络段为192.168.0.0隔离后网络段为172.168.1.0IOS版本为ASA-7.2与之前版本的配置有一定区别。

下面说说具体的操作步骤：1、将四台监控系统服务器通过普通交换机连接接，交换机接防火墙1口，防火墙0口与公司现有网络交换机连接，用conole线将防火墙与PC连接到一起。

2、打开PC运行超级终端，出现新建连接界面，随便输入名称确定，出现借口选择界面，选择相应的COM口即可，确定出现COM口属性设置，恢复默认即可。

3、进入防火墙出现Pre-configurePI某Firewallnowthroughinteractiveprompt[ye]意思是否进入交互配置对话模式选择N4、进入防火墙的命令提示符界面，cicoaa>在后面输入enable 进入特权模式cicoaa#在后面输入conft进入全局配置模式。

这时。

就可以对防火墙进行配置了。

5、配置防火墙名cicoaa(config)#hotnamedyq配置防火墙密码(config)#enablepawordadmin配置IPdyq(config)#interfacevlan1dyq(config-if)#ipaddre192.168.0.251255.255.255.0dyq(config-if)#nohutdowndyq(config-if)#ecurity-level0dyq(config-if)#nameifoutidedyq(config-if)#e某itdyq(config)#interfacevlan2dyq(config-if)#ipaddre172.168.1.1255.255.255.0dyq(config-if)#nohutdowndyq(config-if)#ecurity-level100dyq(config-if)#nameifinidedyq(config-if)#e某it将e0和e1口加入VLANdyq(config)#interfaceethernet0/0dyq(config-if)#nohutdown dyq(config-if)#witchportaccevlan1dyq(config-if)#e某itdyq(config)#interfaceethernet0/1同上dyq(config)#acce-litacl_oute某tendedpermiticmpanyanydyq(config)#acce-litacl_oute某tendedpermittcpanyhot192.168.0.7eq1433dyq(config)#acce-litacl_oute某tendedpermittcpanyhot192.168.0.8eq8080dyq(config)#acce-litacl_oute某tendedpermittcpanyhot192.168.0.8eq445dyq(config)#acce-litacl_oute某tendedpermittcpanyhot192.168.0.8eq1433允许主机192.168.0.9开放80端口acl_out为访问控制列表号验证访问控制列表howacce-lit配置路由dyq(config)#routeoutide00192.168.0.1验证howroute配置静态NATdyq(config)#tatic(inide,outide)192.168.0.7172.168.1.10netmak255.255.255.255dy q(config)#tatic(inide,outide)192.168.0.8172.168.1.20netmak255.255.255.255dy q(config)#tatic(inide,outide)192.168.0.9172.168.1.30netmak255.255.255.255IP 地址转换内网IP172.168.1.某转换为外网IP192.168.0.某配置动态NAT（PAT）dyq(config)#global(outide)1interfacedyq(config)#nat(inide)1172.1 68.1.0255.255.255.0或者dyq(config)#nat(inide)100。

思科ASA防火墙基本配置思科ASA防火墙基本配置Fire Wall 防火墙，它是一种位于内部网络与外部网络之间的网络安全系统，当然，防火墙也分软件防火墙与硬件防火墙。

硬件防火墙又分为：基于PC架构与基于ASIC芯片今天来聊一聊思科的'硬件防火墙 Cisco ASACisco ASA 防火墙产品线挺多：Cisco ASA5505 Cisco ASA5510 Cisco ASA5520 Cisco ASA5540 Cisco ASA5550 等等ASA 的基本配置步骤如下：配置主机名、域名hostname [hostname]domain-name xx.xxhostname Cisco-ASA 5520domain-name 配置登陆用户名密码password [password]enable password [password]配置接口、路由interface interface_namenameif [name]name 有三种接口类型 insdie outside dmzsecurity-level xx(数值)数值越大接口安全级别越高注：默认inside 100 ,outside 0 ,dmz 介于二者之间静态路由route interface_number network mask next-hop-addressroute outside 0.0.0.0 0.0.0.0 210.210.210.1配置远程管理接入Telnettelnet {network | ip-address } mask interface_nametelnet 192.168.1.0 255.255.255.0 insidetelnet 210.210.210.0 255.255.255.0 outsideSSHcrypto key generate rsa modulus {1024| 2048 }指定rsa系数，思科推荐1024ssh timeout minutesssh version version_numbercrypto key generate rsa modulus 1024ssh timeout 30ssh version 2配置 ASDM(自适应安全设备管理器)接入http server enbale port 启用功能http {networdk | ip_address } mask interface_nameasdm image disk0:/asdm_file_name 指定文件位置username user password password privilege 15NATnat-controlnat interface_name nat_id local_ip maskglobal interface_name nat_id {global-ip [global-ip] |interface} nat-controlnat inside 1 192.168.1.0 255.255.255.0global outside 1 interfaceglobal dmz 1 192.168.202.100-192.168.202.150ACLaccess-list list-name standad permit | deny ip maskaccess-list list-name extendad permit | deny protocol source-ip mask destnation-ip mask portaccess-group list-name in | out interface interface_name如果内网服务器需要以布到公网上staic real-interface mapped-interface mapped-ip real-ip staic (dmz,outside) 210.210.202.100 192.168.202.1保存配置wirte memory清除配置clear configure (all)【思科ASA防火墙基本配置】。

配置设备介绍:（只为做实验实际应用请根据自己具体情况更改相关参数即可）核心交换机4507提供VLAN3 网关地址：192.168。

3。

254提供DNS 服务器连接：192。

168.0。

1接入交换机2960提供VLAN3 TURNK 连接,可用IP 地址为192。

168。

3。

0－192.168。

3.240掩码:255.255。

255.0网关：192.168.3.254DNS：192.168。

0.1内网实验防火墙CISCO ASA 5510E0/0 IP:192.168。

3。

234E0/1 IP 10。

1。

1。

1实现配置策略1. 动态内部PC1 DHCP 自动获得IP 地址,可访问INTERNET，并PING 通外部网关。

PC1 Ethernet adapter 本地连接：Connection—specific DNS Suffix 。

: gametuziDescription . 。

. . . . 。

：Broadcom 440x rollerPhysical Address。

. . 。

. . 。

: 00-13-77-04—9Dhcp Enabled。

. 。

. 。

. 。

：YesAutoconfiguration Enabled 。

. . ：YesIP Address. 。

. 。

. . . 。

. ：10.1.1。

20Subnet Mask . . . . 。

. 。

. 。

: 255.255。

0.0Default Gateway . . 。

. 。

: 10.1。

1.1DHCP Server . 。

. 。

. 。

. : 10。

1。

1。

1DNS Servers . . . . . 。

. . 。

: 192.168.0。

12. 静态内部PC2 手动分配地址，可访问INTERNET ，并PING 通外部网关. PC1 Ethernet adapter 本地连接：Connection—specific DNS Suffix 。

思科防⽕墙 PIX ASA 配置总结⼀（基础）： 思科防⽕墙已经从PIX发展到ASA了，IOS也已经从早期的6.0发展到7.2。

但总体的配置思路并没有多少变化。

只是更加⼈性化，更加容易配置和管理了。

下⾯是我⼯作以来的配置总结，有些东西是6.3版本的，但不影响在7.＊版本的配置。

⼀：6个基本命令： nameif、 interface、 ip address 、nat、 global、 route。

⼆：基本配置步骤： step1: 命名接⼝名字 nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dmz security50 ＊＊7版本的配置是先进⼊接⼝再命名。

step2：配置接⼝速率 interface ethernet0 10full auto interface ethernet1 10full auto interface ethernet2 10full step3：配置接⼝地址 ip address outside 218.106.185.82 ip address inside 192.168.100.1 255.255.255.0 ip address dmz 192.168.200.1 255.255.255.0 step4：地址转换（必须） * 安全⾼的区域访问安全低的区域（即内部到外部）需NAT和global; nat(inside) 1 192.168.1.1 255.255.255.0 global(outside) 1 222.240.254.193 255.255.255.248 ＊＊＊ nat (inside) 0 192.168.1.1 255.255.255.255 表⽰192.168.1.1这个地址不需要转换。

直接转发出去。

* 如果内部有服务器需要映射到公地址(外访问内)则需要static和conduit或者acl. static (inside, outside) 222.240.254.194 192.168.1.240 static (inside, outside) 222.240.254.194 192.168.1.240 10000 10 后⾯的10000为限制连接数，10为限制的半开连接数。

快速入门指南思科RV110W Wireless-N VPN 防火墙包装清单•Wireless-N VPN 防火墙•以太网电缆•电源适配器•快速入门指南•文档和软件（存储于 CD-ROM 光盘上）欢迎感谢您选择思科 RV110W Wireless-N VPN 防火墙。

RV110W 能够为小型办公室/家庭办公室 (SoHo) 及远程工作的专业人员提供简单、经济、安全的企业级 Internet 连接。

本指南介绍了如何物理安装 Cisco RV110W ，以及如何启动基于 Web 的设备管理器来配置和管理您的防火墙路由器。

安装 RV110W安放提示•环境温度 - 为防止防火墙路由器过热，请勿在环境温度超过 104°F (40°C) 的地方运行防火墙路由器。

•通风 - 请确保防火墙路由器周围的通风良好。

•机械负载 - 请确保防火墙路由器放置平稳，以免出现任何对防火墙路由器造成损坏的情况。

请将 Cisco RV110W 设备水平放置在平面上，以便设备依靠其四个橡胶支脚来支撑。

Cisco RV110W 特性前面板12后面板电源电源指示灯呈绿色亮起表示设备已接通电源。

接通电源过程中，此指示灯呈绿色闪烁。

WPSWi-Fi保护设置 (WPS) 按钮用于为网络中支持 WPS 的设备配置无线接入。

有关详情，请参阅《管理指南》或设备管理器帮助页面。

WAN Cisco RV110W 通过电缆调制解调器或 DSL 调制解调器连接至 Internet 时，WAN (Internet) 指示灯会呈绿色亮起。

Cisco RV110W 未连接至 Internet 时，此指示灯处于熄灭状态。

发送或接收数据时，此指示灯会呈绿色闪烁。

无线启用无线模块后，此指示灯会呈绿色亮起。

禁用无线模块后，此指示灯处于熄灭状态。

防火墙路由器在无线模块上传输或接收数据时，此指示灯会呈绿色闪烁。

LAN 端口标有编号的指示灯与 Cisco RV110W 上的 LAN 端口相对应。

思科防火墙设置增加一台服务器具体要求。

新增一台服务器地址：10.165.127.15/255.255.255.128。

需要nat转换成公网地址16.152.91.223 映射出去，并对外开通这台服务器的80端口。

在对外pix525上面增加如下： access-list acl_out permit tcp any host16.52.91.223 eq www //开放外网对新服务器 80端口static (inside,outside) 16.152.91.223 10.165.127.15 netmask255.255.255.255 0 0 ////外高桥新服务器地址转换16.152.91.223可是为什么转换后，不能访问16.52.91.223的网页，但确可以ping通16.52.91.223，但是访问10.165.127.15的主页是正常的？？具体配置如下： pix-525> enable Password: ***** pix-525# sh run : Saved :PIX Version 6.3(5)interface ethernet0 100full interface ethernet1 100fullnameif ethernet0 outside security0 nameif ethernet1 inside security100enable password FVHQD7n.FuCW78fS level 7 encrypted enable password2KFQnbNIdI.2KYOU encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname wgqpix-525fixup protocol dns maximum-length 512 fixup protocol ftp 21fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 namesaccess-list acl_out permit tcp any host 16.152.91.221 eq www access-list acl_out permit icmp any anyaccess-list acl_out permit tcp any host 16.152.91.220 eq https access-list acl_out permit tcp any host 16.152.91.223 eq wwwaccess-list outbound permit icmp any any access-list outbound permit ip any any pager lines 24 mtu outside 1500 mtu inside 1500ip address outside 16.152.91.222 255.255.255.128 ip address inside10.165.127.254 255.255.255.252 ip audit info action alarm ip audit attackaction alarm no failoverfailover timeout 0:00:00 failover poll 15no failover ip address outside no failover ip address inside no pdm history enable arp timeout 14400static (inside,outside) 16.152.91.221 10.165.127.11 netmask255.255.255.255 0 0 static (inside,outside) 16.152.91.220 10.165.127.23 netmask 255.255.255.255 0 0 static (inside,outside) 16.152.91.22310.165.127.15 netmask 255.255.255.255 0 0 access-group acl_out in interface outside access-group outbound in interface inside route outside 0.0.0.00.0.0.0 16.152.91.129 1route inside 10.165.0.0 255.255.0.0 10.165.127.253 1 timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h2251:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absoluteaaa-server TACACS+ protocol tacacs+aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radiusaaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enableno snmp-server location no snmp-server contactsnmp-server community public no snmp-server enable traps floodguard enabletelnet 10.165.6.225 255.255.255.255 inside telnet 10.165.127.12255.255.255.255 inside telnet 10.165.127.250 255.255.255.255 insidetelnet 10.165.6.15 255.255.255.255 inside telnet 10.165.6.16255.255.255.255 inside telnet timeout 5 ssh timeout 5 console timeout 0username admin password iuQeTKNaNbruxBKd encrypted privilege 2 terminal width 80Cryptochecksum:b2e1195d144f48f01fe66606cd31d0f2 : endwgqpix-525#最佳答案 ( 回答者: xintao800 ) PIX防火墙提供4种管理访问模式：2非特权模式。

思科ASA和PIX防火墙配置手册目录第一章配置基础 (1)1.1 用户接口 (1)1.2 防火墙许可介绍 (2)1.3 初始配置 (2)第二章配置连接性 (3)2.1 配置接口 (3)2.2 配置路由 (5)2.3 DHCP (6)2.4 组播的支持 (7)第三章防火墙的管理 (8)3.1 使用Security Context建立虚拟防火墙（7.x特性） (8)3.2 管理Flash文件系统 (9)3.3 管理配置文件 (10)3.4 管理管理会话 (10)3.5 系统重启和崩溃 (11)3.6 SNMP支持 (12)第四章用户管理 (13)4.1 一般用户管理 (13)4.2 本地数据库管理用户 (13)4.3 使用AAA服务器来管理用户 (14)4.4 配置AAA管理用户 (14)4.5 配置AAA支持用户Cut-Through代理 (15)4.6 密码恢复 (15)第五章防火墙的访问控制 (16)5.1 防火墙的透明模式 (16)思科ASA 和PIX 防火墙配置手册5.2 防火墙的路由模式和地址翻译 (17)5.3 使用ACL进行访问控制 (20)第六章配置Failover增加可用性 (23)6.1 配置Failover (23)6.2 管理Failover (25)6.3 升级Failover模式防火墙的OS镜像 (25)第七章配置负载均衡 (26)7.1 配置软件实现(只在6500 native ios模式下) (26)7.2 配置硬件实现 (27)7.3 配置CSS实现 (29)第八章日志管理 (30)8.1 时钟管理 (30)8.2 日志配置 (30)8.3 日志消息输出的微调 (32)8.4 日志分析 (33)第九章防火墙工作状态验证 (34)9.1 防火墙健康检查 (34)9.2 流经防火墙数据的监控 (34)9.3 验证防火墙的连接性 (35)思科ASA 和PIX 防火墙配置手册第一章配置基础1.1 用户接口思科防火墙支持下列用户配置方式：Console，Telnet，SSH（1.x或者2.0，2.0为7.x新特性，PDM的http方式（7.x以后称为ASDM）和VMS的Firewall Management Center。

Data SheetCisco Firepower Next-Generation Firewall (NGFW) Prevent breaches, get deep visibility to detect and stop threats fast, and automate your network and security operations to save time and work smarter.Model OverviewCisco Firepower 2100 SeriesThe industry’s first midrange NGFWs delivering sustainable performance when threat inspection is enabledCisco Firepower 4100 Series:The industry’s first 1RU NGFWs with 40-GbpsinterfacesCisco Firepower 9300:Ultra-high-performance NGFW, expandable as yourneeds growCisco ASA 5500-X Series:Models for branch offices, industrial applications, and the Internet edgeFirepower NGFWv:The NGFW for virtual and cloud environmentsPlatform Image SupportThe Cisco Firepower NGFW includes Application Visibility and Control (AVC), optional Next-Gen IPS (NGIPS), Cisco® Advanced Malware Protection (AMP) for Networks, and URL Filtering. The Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances use the Cisco Firepower Threat Defense software image. Alternatively, Cisco Firepower 2100 Series, 4100 Series, and 9300 appliances can support the Cisco Adaptive Security Appliance (ASA) software image.Management OptionsCisco Firepower NGFWs may be managed in a variety of ways depending on the way you work, your environment, and your needs.The Cisco Firepower Management Center (formerly FireSIGHT) provides centralized management of the Cisco Firepower NGFW, the Cisco Firepower NGIPS, and Cisco AMP for Networks. It also provides threat correlation for network sensors and Advanced Malware Protection (AMP) for Endpoints.The Cisco Firepower Device Manager is available for local management of 2100 Series and select 5500-X Series devices running the Cisco Firepower Threat Defense software image.The Cisco Adaptive Security Device Manager is available for local management of the Cisco Firepower 2100 Series, 4100 Series, Cisco Firepower 9300 Series, and Cisco ASA 5500-X Series devices running the ASA software image.Cisco Defense Orchestrator cloud-based management is also available for consistent policy management across Cisco security devices running the ASA software image, enabling greater management efficiency for the distributed enterprise.Firepower DDoS MitigationAlso available on the Cisco Firepower 4100 Series and 9300 appliances is tightly integrated, comprehensive, behavioral DDoS mitigation for both network and application infrastructure protection. This DDoS mitigation is Radware’s Virtual DefensePro (vDP). It is available from and supported directly by Cisco.Cisco Firepower 2100 Series AppliancesThe Cisco Firepower 2100 Series is a family of four threat-focused NGFW security platforms that deliver business resiliency through superior threat defense. It offers exceptional sustained performance when advanced threat functions are enabled. These platforms uniquely incorporate an innovative dual multicore CPU architecture that optimizes firewall, crypto graphic, and threat inspection functions simultaneously. The series’ firewall throughput range addresses use cases from the Internet edge to the data center. Network Equipment Building Standards (NEBS)- compliance is supported by the Cisco Firepower 2100 Series platform.Cisco Firepower 4100 Series AppliancesThe Cisco Firepower 4100 Series is a family of four threat-focused NGFW security platforms. Their throughput range addresses data center and internet edge use cases. They deliver superior threat defense, at faster speeds, with a smaller footprint. Cisco Firepower 4100 Series supports flow-offloading, programmatic orchestration, and the management of security services with RESTful APIs. Network Equipment Building Standards (NEBS)-compliance is supported by the Cisco Firepower 4120 platform.Cisco Firepower 9300 Security ApplianceThe Cisco Firepower 9300 is a scalable (beyond 1 Tbps when clustered), carrier-grade, modular platform designed for service providers, high-performance computing centers, large data centers, campuses, high-frequency trading environments, and other environments that require low (less than 5-microsecond offload) latency and exceptional throughput. Cisco Firepower 9300 supports flow-offloading, programmatic orchestration, and the management of security services with RESTful APIs. It is also available in Network Equipment Building Standards (NEBS)-compliant configurations.Cisco ASA 5500-FTD-X Series AppliancesThe Cisco ASA 5500-FTD-X Series is a family of eight threat-focused NGFW security platforms. Their throughput range addresses use cases from the small or branch office to the Internet edge. They deliver superior threat defense in a cost-effective footprint.Cisco Firepower NGFW Virtual (NGFWv) AppliancesCisco Firepower NGFWv is available on VMware, KVM, and the Amazon Web Services (AWS) and Microsoft Azure environments for virtual, public, private, and hybrid cloud environments. Organizations employing SDN can rapidly provision and orchestrate flexible network protection with Firepower NGFWv. As well, organizations using NFV can further lower costs utilizing Firepower NGFWv.Performance Testing MethodologiesCisco uses a variety of testing methodologies in a lab environment to ensure the performance specifications we report are as close to real world as possible. Firewall performance is affected by many factors including network environment, packet sizes, packet type, TLS encryption, and more.Two modes of firewall testing exist: static or real world. Static testing leverages performance and security testing tools in a simulated environment. Real-world testing uses samples of live traffic on a production or side-car network. While static testing does not completely mimic performance in a real-world networking environment, we review and modify the static methodology to ensure the results are as close to real-world as possible.The following are test methodologies used for measurements listed in Table 1. Change in performance vs change in packet size is not linear, so extrapolation from a single test is not possible for the almost unlimited variety of network environments. Testing security efficacy or security service performance under loaded conditions adds even more complexity. For these reasons we rely on the 1024B HTTP Test.1024B HTTP Test (256KB Object)This number is to compare with other vendors at a 256KB object size. It uses a larger and commonly tested packet size for every simulated session. With the protocol overhead, the average frame size is around 1024 bytes. This represents typical production conditions for most firewall deployments.1500B UDP vs 64B UDPThis test uses a transactional UDP profile with either 1500B or 64B frames. Due to the stateless nature of UDP, it creates very little impact on a stateful NGFW. Many vendors use this profile to measure maximum firewall performance, however it is only practical as a comparison point. This test does not represent real-world conditions, therefore Cisco only uses it as a legacy metric for ASA performance. For NGFW products, various UDP packet size should only be used to test latency and not overall performance.Performance Specifications and Feature HighlightsTable 1 summarizes the capabilities of the Cisco Firepower NGFWv, Firepower 2100 Series, and 4100 Series and 9300 appliances as well as the Cisco ASA 5500-FTD-X appliances when running the Cisco Firepower Threat Defense image. All numbers are derived with two-way traffic evaluation to replicate the best security posture.Table 1. Cisco Firepower Threat Defense (FTD) Performance Specifications and Feature Highlights for Physical and Virtual AppliancesNote: Throughput assumes HTTP sessions.Performance will vary depending on features activated, and network traffic protocol mix, packet size characteristics and hypervisor employed (NGFWv). Performance is subject to change with new software releases. Consult your Cisco representative for detailed sizing guidance.Table 2 summarizes the performance and capabilities of the Cisco Firepower 2100, 4100 Series and 9300 appliances when running the ASA image. For Cisco ASA 5500-X Series performance specifications with the ASA image, please visit the Cisco ASA with FirePOWER Services data sheet.Table 2. ASA Performance and Capabilities on Firepower Appliances211021202130214041104120414041509300 9300 9300 9300Newconnections per second 18000 28000 40000 75000 150,000 250,000 350,000 800,000 800,0001.2 million 1.8 million 4 millionIPsec VPN throughput (450B UDP L2L test) 500 Mbps 700 Mbps 1 Gbps 2 Gbps 8 Gbps 10 Gbps 14 Gbps 15 Gbps 15 Gbps 18 Gbps 20 Gbps60 Gbps 3/ 40 GbpsIPsec/Cisco AnyConnect/Apex site-to-site VPN peers 1500 3500 7500 10000 10,000 15,000 20,000 20,000 20,000 20,000 20,000 60,0003/ 20,000Maximum number of VLANs 400 600 750 1024 1024 1024 1024 1024 1024 1024 1024 1024Security contexts (included; maximum) 2; 25 2; 25 2; 30 2; 40 10; 250 10; 250 10; 250 10; 250 10; 250 10; 250 10; 250 10; 250HighavailabilityActive/acti ve and active/sta ndby Active/acti ve and active/sta ndby Active/acti ve and active/sta ndbyActive/a ctive and active/st andby Active/acti ve and active/stan dby Active/acti ve and active/stan dby Active/acti ve and active/stan dby Active/acti ve and active/stan dby Active/acti ve and active/sta ndby Active/acti ve and active/sta ndby Active/acti ve and active/sta ndby Active/acti ve and active/sta ndbyClustering - - --Up to 16 appliances Up to 16 appliances Up to 16 appliances Up to 16 appliances Up to 5 appliances with 3 security modules each Up to 5 appliance s with three security modules each Up to 5 appliance s with three security modules eachUp to 5 appliance s with 3 security modules eachScalability VPN Load BalancingVPN Load Balancing, Firewall ClusteringCentralized management Centralized configuration, logging, monitoring, and reporting are performed by Cisco Security Manager or alternatively in the cloud with Cisco Defense Orchestrator Adaptive Security Device ManagerWeb-based, local management for small-scale deployments1 Throughput measured with 1500B User Datagram Protocol (UDP) traffic measured under ideal test conditions.2“Multiprotocol” refers to a traffic profile consisting primarily of TCP -based protocols and applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS. 3In unclustered configuration.Table 3.Operating Requirements for Firepower NGFWv Virtual AppliancesHardware SpecificationsTables 4, 5, and 6 summarize the hardware specifications for the 2100 Series, 4100 Series, and 9300 Series, respectively. Table 7 summarizes regulatory standards compliance. For Cisco ASA 5500-X Series hardware specifications, please visit the Cisco ASA with FirePOWER Services data sheet.Table 4. Cisco Firepower 2100 Series Hardware Specifications1 Dual power supplies are hot-swappable.2 Fans operate in a 3+1 redundant configuration where the system will continue to function with only3 operational fans. The 3 remaining fans will run at full speed.3 FPR-2130 platform is designed to be NEBS ready. The availability of NEBS certification is pending.Table 5. Cisco Firepower 4100 Series Hardware Specifications1 Dual power supplies are hot-swappable.Table 6. Cisco Firepower 9300 Hardware Specifications* Minimum turn-on voltage is -44V DCTable 7. Cisco Firepower 2100 Series, 4100 Series and Cisco Firepower 9300 NEBS, Regulatory, Safety, and EMC ComplianceCisco Trust Anchor TechnologiesCisco Trust Anchor Technologies provide a highly secure foundation for certain Cisco products. They enable hardware and software authenticity assurance for supply chain trust and strong mitigation against a man-in-the-middle compromise of software and firmware.Trust Anchor capabilities include:●Image signing: Cryptographically signed images provide assurance that the firmware, BIOS, and othersoftware are authentic and unmodified. As the system boots, the system’s software signatures are checked for integrity.●Secure Boot: Secure Boot anchors the boot sequence chain of trust to immutable hardware, mitigatingthreats against a system’s foundational state and the software that is to be loaded, regardless of a user’s privilege level. It provides layered protection against the persistence of illicitly modified firmware.●Trust Anchor module: A tamper-resistant, strong-cryptographic, single-chip solution provides hardwareauthenticity assurance to uniquely identify the product so that its origin can be confirmed to Cisco, providing assurance that the product is genuine.Firepower DDoS MitigationFirepower DDoS Mitigation is provided by Radware Virtual DefensePro (vDP), available and supported directly from Cisco on the following Cisco Firepower 9300 and 4100 series appliances:Radware vDP is an award-winning, real-time, behavioral DDoS attack mitigation solution that protects organizations against multiple DDoS threats. Firepower DDoS mitigation defends your application infrastructure against network and application degradation and outage.DDoS Mitigation: Protection SetFirepower’s vDP DDoS mitigation consists of patent-protected, adaptive, behavioral-based real-time signature technology that detects and mitigates zero-day network and application DDoS attacks in real time. It eliminates the need for human intervention and does not block legitimate user traffic when under attack.The following attacks are detected and mitigated:●SYN flood attacks●Network DDoS attacks, including IP floods, ICMP floods, TCP floods, UDP floods, and IGMP floods●Application DDoS attacks, including HTTP floods and DNS query floods●Anomalous flood attacks, such as nonstandard and malformed packet attacksPerformanceThe performance figures in Table 8 apply to all Cisco Firepower 4100 series models.Table 8. Key DDoS Performance Metrics for Cisco Firepower 4100 SeriesThe performance figures in Table 9 are for Cisco Firepower 9300 with 1 to 3 Security Modules irrespective of Security Module type (SM-24, SM-36 or SM-44).Table 9. Key DDoS Performance Metrics for Cisco Firepower 9300 with 1, 2, or 3 Security Modules.Ordering InformationCisco Smart LicensingThe Cisco Firepower NGFW is sold with Cisco Smart Licensing. Cisco understands that purchasing, deploying, managing, and tracking software licenses is complex. As a result, we are introducing Cisco Smart Software Licensing, a standardized licensing platform that helps customers understand how Cisco software is used across their network, thereby reducing administrative overhead and operating expenses.With Smart Licensing, you have a complete view of software, licenses, and devices from one portal. Licenses are easily registered and activated and can be shifted between like hardware platforms. Additional information is available here: https:///web/ordering/smart-software-licensing/index.html. Related information, on Smart Licensing Smart Accounts, is available here: https:///web/ordering/smart-software-manager/smart-accounts.html.Cisco Smart Net Total Care Support: Move Quickly with Anytime Access to Cisco Expertise and ResourcesCisco Smart Net Total Care™ is an award-winning technical support service that gives your IT staff direct anytime access to Technical Assistance Center (TAC) engineers and resources. You receive the fast, expert response and the dedicated accountability you require to resolve critical network issues.Smart Net Total Care provides the following device-level support:●Global access 24 hours a day, 365 days a year to specialized engineers in the Cisco TAC●Anytime access to the extensive online knowledge base, resources, and tools●Hardware replacement options include 2-hour, 4-hour, Next-Business-Day (NDB) advance replacement, aswell as Return For Repair (RFR)●Ongoing operating system software updates, including both minor and major releases within your licensedfeature set●Proactive diagnostics and real-time alerts on select devices with Smart Call HomeIn addition, with the optional Cisco Smart Net Total Care Onsite Service, a field engineer installs replacement parts at your location and helps ensure that your network operates optimally. For more information on Smart Net Total Care please visit: https:///c/en/us/services/portfolio/product-technical-support/smart-net-total-care.html.Select Part NumbersTables 10, 11, and 12 provide details on part numbers for Cisco Firepower NGFW solutions. Please consult the Ordering Guide for additional configuration options and accessories.Table 10. Cisco Firepower 2100 Series: Select Product ComponentsTable 11. Cisco Firepower 4100 Series: Select Product ComponentsTable 12. Cisco Firepower 9300: Select Product Components*Note: Firepower 9300 may also be deployed as a dedicated threat sensor, with fail-to-wire network modules. Please contact your Cisco representative for details.Table 13. Cisco Firepower NGFW VirtualNote: These optional security services licenses can be ordered with 1-, 3-, or 5-year subscriptions.Warranty InformationFind warranty information on at the Product Warranties page.Cisco ServicesCisco offers a wide range of service programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco Services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services for security, visit https:///go/services/security.Cisco CapitalFlexible payment solutions to help you achieve your objectivesCisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.More Information for Service ProvidersFor information about Cisco Firepower in service provider environments, please visit:●https:///c/en/us/solutions/enterprise-networks/service-provider-security-solutions/More Information about Firepower NGFWsFor further information about Cisco Firepower NGFWs, please visit:●https:///go/ngfwMore Information about Cisco Anyconnect●Cisco AnyConnect Secure Mobility Clienthttps:///go/anyconnect●Cisco AnyConnect Ordering Guidehttps:///c/dam/en/us/products/security/anyconnect-og.pdf。

思科防火墙ASA5520配置博客分类：网络思科防火墙ASA5520配置：目的：1、内网可以上网2、内网可以访问DMZ区域的服务器3、外网可以通过公网IP访问DMZ区域的服务器要求：1、内网的网段192.168.10.02、DMZ的网段192.168.5.03、外网IP地址：200.200.200.82 200.200.200.83 网关255.255.255.248（这个地址一般是运营商提供）4、外网路由：200.200.200.815、DMZ区域的服务器IP地址：192.168.5.2步骤1：配置接口inside、outside和dmzinterface g0/0speed autoduplex autonameif insideSecurity-level 100ip address 192.168.10.1 255.255.255.0no shutexitinterface g0/1speed autoduplex autonameif outsideSecurity-level 0ip address 200.200.200.82 255.255.255.248 no shutexitinterface g0/2speed autoduplex autonameif dmzSecurity-level 50ip address 192.168.5.1 255.255.255.0no shutexit步骤2、添加外网路由route outside 0 0 200.200.200.81步骤3、做nat转换，使得内网可以上网，同时内网可以访问dmz区域的服务器nat-controlnat (inside) 1 192.168.10.0 255.255.255.0global (outside) 1 interfaceglobal (dmz) 1 interface步骤4、做静态nat，将对外网IP的访问转换到dmz区域的服务器static (dmz,outside) 200.200.200.83 192.168.5.2 netmask255.255.255.255 dns注意：这里的外网IP不是outside的接口地址，是另外一个公网IP步骤5、配置ACL规则，允许外网访问DMZ服务器access-list out_dmz extended permit tcp any host 200.200.200.83 eq wwwaccess-group out_dmz in interface outside到此配置结束，正常情况下上面的要求都可以实现了，但是可能由于每个机房的环境不一样，结果会有一些错误。

要想配置思科的防火墙得先了解这些命令：常用命令有：nameif、interface、ip address、nat、global、route、static等。

global指定公网地址范围：定义地址池。

Global命令的配置语法：global(if_name)nat_id ip_address-ip_address[netmark global_mask]其中：(if_name)：表示外网接口名称，一般为outside。

nat_id：建立的地址池标识(nat要引用)。

ip_address-ip_address：表示一段ip地址范围。

[netmark global_mask]：表示全局ip地址的网络掩码。

nat地址转换命令，将内网的私有ip转换为外网公网ip。

nat命令配置语法：nat(if_name)nat_id local_ip[netmark]其中：(if_name)：表示接口名称，一般为inside.nat_id：表示地址池，由global命令定义。

local_ip：表示内网的ip地址。

对于0.0.0.0表示内网所有主机。

[netmark]：表示内网ip地址的子网掩码。

routeroute命令定义静态路由。

语法：route(if_name)00gateway_ip[metric]其中：(if_name)：表示接口名称。

00：表示所有主机Gateway_ip：表示网关路由器的ip地址或下一跳。

[metric]：路由花费。

缺省值是1。

static配置静态IP地址翻译，使内部地址与外部地址一一对应。

语法：static(internal_if_name,external_if_name)outside_ip_addr inside_ip_address其中：internal_if_name表示内部网络接口，安全级别较高，如inside。

external_if_name表示外部网络接口，安全级别较低，如outside。

思科防⽕墙登陆及设置过程⼀、防⽕墙登陆过程telnet 192.168.0.1输⼊：123⽤户名：en密码：srmciscoConf tShow run⼆、公⽹IP与内⽹IP映射：static (inside,outside) 61.142.114.180 192.168.0.7 netmask 255.255.255.255 0 0三、再打开端⼝：输⼊以下⼀笔命今如access-list acl-out permit tcp any host 61.142.114.183 eq 5800 (打开外部5800端⼝) access-list acl-out permit tcp any host 61.142.114.183 eq 5900 (打开外部5900端⼝) access-list acl-out permit tcp any host 61.142.114.183 eq 1433 (打开外部1433端⼝) access-list acl-in permit tcp any host 61.142.114.183 eq 1433 (打开内部1433端⼝) access-list acl-in permit tcp any host 61.142.114.183 eq 5900 (打开内部5900端⼝) access-list acl-in permit tcp any host 61.142.114.183 eq 5800 (打开内部5800端⼝)四、登出防⽕墙：logout五、增加上⽹电脑1、nat (inside) 1 192.168.0.188 255.255.255.255 0 0（上⽹电脑IP地址）2、arp inside 192.168.0.188 000f.eafa.645d alias（绑定上⽹电脑⽹卡MAC地址）六、取消上⽹电脑1、no nat (inside) 1 192.168.0.188 255.255.255.255 0 0（上⽹电脑IP地址）2、no arp inside 192.168.0.188 000f.eafa.645d alias（绑定上⽹电脑⽹卡MAC地址）七、增加可以远程控制防⽕墙电脑telnet 192.168.0.188 255.255.255.255 inside⼋、保存已做改动设置wr me九、以下为现存防⽕墙配置。