Cisco ASA 5500 Firewall: Personal Basic Configuration Manual
Cisco 5505 Firewall Configuration
ASA 5505 common configuration (2009-06-01 16:13)

1. Set the firewall hostname
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# hostname asa5505

2. Configure telnet access
asa5505(config)# telnet 192.168.1.0 255.255.255.0 inside    // allow the 192.168.1.0 network on the inside interface to telnet to the firewall
Telnet is a cleartext protocol, and the ASA refuses it on its lowest-security interface in any case; prefer SSH (the ssh and crypto key generate rsa commands appear later on this page) and keep the permitted source network as narrow as possible.

3. Configure passwords
asa5505(config)# password cisco           // remote login password
asa5505(config)# enable password cisco    // privileged-mode password
"cisco" is only the vendor example; when no AAA is configured these two strings are all that protect the login and enable prompts, so set strong, unique values.

4. Configure an IP address
asa5505(config)# interface vlan 2                                // enter VLAN 2
asa5505(config-if)# ip address 218.xxx.37.222 255.255.255.192    // assign the VLAN 2 address
asa5505(config)# show ip address vlan2                           // verify

5. Add a switch port to a VLAN
asa5505(config)# interface e0/3                                  // enter interface e0/3
asa5505(config-if)# switchport access vlan 3                     // put e0/3 into VLAN 3
asa5505(config)# interface vlan 3                                // enter VLAN 3
asa5505(config-if)# ip address 10.10.10.36 255.255.255.224       // assign the VLAN 3 address
asa5505(config-if)# nameif dmz                                   // name VLAN 3 "dmz"
asa5505(config-if)# no shutdown                                  // bring it up
asa5505(config-if)# show switch vlan                             // verify

6. Maximum transmission unit (MTU)
asa5505(config)# mtu inside 1500      // inside MTU 1500 bytes
asa5505(config)# mtu outside 1500     // outside MTU 1500 bytes
asa5505(config)# mtu dmz 1500         // dmz MTU 1500 bytes

7. ARP table timeout
asa5505(config)# arp timeout 14400    // ARP entries expire after 14400 seconds (the default)

8. FTP mode
asa5505(config)# ftp mode passive     // passive FTP

9. Domain name
asa5505(config)# domain-name          // the domain name argument is not given in the source

10. Enable logging
asa5505(config)# logging enable                 // turn logging on
asa5505(config)# logging asdm informational     // send informational-level messages to ASDM
asa5505(config)# show logging                   // verify

11. Enable the HTTP server
asa5505(config)# http server enable             // start the HTTP server so that ASDM can connect
ASA 5500 ACL Configuration Explained
Access control lists (ACLs) are one of the most frequently used techniques in firewall configuration. Using the Cisco ASA 5500 as the example, this section shows how ACLs are configured in several application scenarios.
1) Publishing a server
To publish an internal server on the public network, one static NAT plus a matching ACL is enough. The following publishes the WWW service of the internal server 192.168.0.100 on the public address 200.200.200.200:

static (inside,outside) 200.200.200.200 192.168.0.100
access-list OUTSIDE_IN extended permit tcp any host 200.200.200.200 eq www
access-group OUTSIDE_IN in interface outside

2) Time-based ACL
The ASA 5500 supports time-based ACLs. The following example limits WWW traffic during working hours (Monday to Friday) to 1 Mb/s:

time-range working_time
 periodic weekdays 9:00 to 17:00
access-list HTTP extended permit tcp any eq 80 any time-range working_time
class-map HTTP
 match port tcp eq www
policy-map HTTP
 class HTTP
  police output 1000000 1000
service-policy HTTP interface inside

One correction is needed before this works as described: the class-map matches on port tcp eq www and never references the ACL, so the time-range has no effect and the policer runs around the clock. To make the schedule apply, match the ACL instead (match access-list HTTP). Note also that police output on the inside interface shapes traffic leaving inside, i.e. web responses returning to LAN clients, which is why the ACL matches source port 80.

3) LAN-to-LAN VPN ACL
Interface ACLs are bypassed for VPN traffic by default (sysopt connection permit-vpn), so a port-based interface ACL does nothing for it; use the vpn-filter command to filter and control LAN-to-LAN and remote-access VPN traffic.
The intended example allows only PCs in the local 10.10.10.0/24 network to reach the FTP service on the VPN peer's server 192.168.0.100; note that in a vpn-filter ACL the source address is the address on the VPN peer's side. (The command lines of this example are not present in this copy of the text.)
Cisco ASA 5505 Firewall: Detailed Configuration Tutorial and a Real Configuration Case
interface Vlan2
 nameif outside                               // name the interface: outside
 security-level 0                             // security level of the outside interface
 ip address X.X.X.X 255.255.255.224           // public (WAN) address
!
interface Vlan3
 nameif inside                                // name the interface: inside
 security-level 100                           // security level of the inside interface
 ip address 192.168.1.1 255.255.255.0         // LAN address
!
interface Ethernet0/0
 switchport access vlan 2                     // bind this port to VLAN 2
!
interface Ethernet0/1
 switchport access vlan 3                     // bind this port to VLAN 3
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted             // this is the factory-default hash of the login password "cisco"; change it
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 211.99.129.210
 name-server 202.106.196.115
access-list 102 extended permit icmp any any  // ACL: allow all ICMP
access-list 102 extended permit ip any any    // ACL: allow all IP
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface                  // PAT behind the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0 0              // NAT pool: all inside addresses; the trailing 0 means no connection limit
access-group 102 in interface outside         // bind ACL 102 inbound on the outside interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1       // default route to the ISP gateway
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside                 // allow telnet from any inside address
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside                   // allow SSH from any outside address
ssh timeout 30
ssh version 2
console timeout 0
!
dhcpd address 192.168.1.100-192.168.1.199 inside               // DHCP pool
dhcpd dns 211.99.129.210 202.106.196.115 interface inside      // DNS servers handed to inside clients
dhcpd enable inside                                            // enable DHCP on inside
!
Two things in this listing deserve attention before it is copied. ACL 102 permits ip any any and is applied inbound on outside, so the firewall passes every inbound packet it can translate or route; the stateful protection then rests on NAT alone, and any static entry added later is completely exposed. And ssh 0.0.0.0 0.0.0.0 outside exposes the management plane to the whole Internet, protected only by the default password above; restrict it to known administrative addresses and add local AAA (a username with privilege 15 plus aaa authentication ssh console LOCAL).

A few days ago I went to a customer site to set up a Cisco ASA 5505. It was my first time touching one, and it is just like a PIX. Nothing sophisticated, only the basics. The other business configuration has not been done yet; I will update this in time.

The numbered steps that followed in the original post (hostname, telnet, passwords, VLAN addressing, adding a port to a VLAN, MTU, ARP timeout, FTP mode, domain name, logging, HTTP server) repeat the "ASA 5505 common configuration" given at the top of this page.
Cisco ASA 5500 Firewall Configuration Tips and Examples
1. Cisco ASA firewall essential configuration summary
Cisco PIX/ASA firewall configuration summary, part 1 (basics). Below is the configuration summary I have collected at work; some items are from version 6.3, but that does not affect configuration on 7.x.

1. Six basic commands: nameif, interface, ip address, nat, global, route.

2. Basic configuration steps
Step 1: name the interfaces
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
** In version 7 you enter the interface first and then name it (interface ..., then nameif and security-level in interface mode).

Step 2: set the interface speed
interface ethernet0 10full auto
interface ethernet1 10full auto
interface ethernet2 10full

Step 3: set interface addresses
ip address outside 218.106.185.82
ip address inside 192.168.100.1 255.255.255.0
ip address dmz 192.168.200.1 255.255.255.0

Step 4: address translation (required)
* Access from a higher-security zone to a lower-security zone (inside to outside) needs nat and global:
nat (inside) 1 192.168.1.1 255.255.255.0
global (outside) 1 222.240.254.193 255.255.255.248
*** nat (inside) 0 192.168.1.1 255.255.255.255 means that 192.168.1.1 is not translated; it is forwarded as is.
(On PIX 6.x a translation is mandatory; on ASA 7.x it is only mandatory when nat-control is enabled.)
* If an internal server must be mapped to a public address (outside-to-inside access), you need a static plus a conduit or an ACL:
static (inside,outside) 222.240.254.194 192.168.1.240
static (inside,outside) 222.240.254.194 192.168.1.240 10000 10
In the second form, 10000 limits the number of connections and 10 limits the number of half-open (embryonic) connections to the server, which is a cheap defence against SYN floods against a published host.
Configuring an ASA 5505 firewall

1. Set the firewall hostname
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# hostname asa5505

2. Configure HTTP, telnet and SSH management with local AAA
(config)# username xxx password xxxxxx encrypted privilege 15    // local administrator account
(config)# aaa authentication enable console LOCAL
(config)# aaa authentication telnet console LOCAL
(config)# aaa authentication http console LOCAL
(config)# aaa authentication ssh console LOCAL
(config)# aaa authorization command LOCAL
(config)# http server enable
(config)# http 192.168.1.0 255.255.255.0 inside
(config)# telnet 192.168.1.0 255.255.255.0 inside    // allow the 192.168.1.0 network on inside to telnet to the firewall
(config)# ssh 192.168.1.0 255.255.255.0 inside
(config)# crypto key generate rsa                    // generate the RSA key pair the SSH server needs

Two notes on ordering and strength: SSH logins only work once crypto key generate rsa has succeeded (prefer crypto key generate rsa modulus 2048, since the old default modulus is 1024 bits), and once aaa authentication ... LOCAL is in place logins are checked against the username accounts rather than the bare password and enable password strings of the next step.

Steps 3 to 11 (passwords, VLAN addressing, adding a port to a VLAN, MTU, ARP timeout, FTP mode, domain name, logging and HTTP server) are identical to the "ASA 5505 common configuration" at the top of this page.
ASA 5500-X Identity Firewall and CDA Configuration Guide

Contents
I. Purpose
II. Network topology
III. Installing and configuring CDA
IV. Installing the CX module in the ASA 5515-X
V. Windows 2008 R2 configuration
VI. ASA-CX policy configuration
VII. ASA-CX function verification

I. Purpose
This document describes how an ASA 5515-X firewall, working together with the Cisco Context Directory Agent (CDA) software, implements identity-based access policy and control.
It covers the following:
- installation and configuration of the CX module on the ASA 5515-X;
- installation and configuration of CDA;
- the changes required on a Windows 2008 R2 server for it to work with CDA.

II. Network topology
The network topology diagram for this configuration example is not reproduced in this text.

III. Installing and configuring CDA
Cisco Context Directory Agent (CDA) is a software product. Through CDA, the CX module of the ASA 5515-X obtains the mapping between IP addresses and user identities, which lets ASA-CX enforce access policies based on user identity.
The CDA software is available from Cisco CCO as an ISO image.
CDA ships with its own operating system; it can be installed on a dedicated x86 server or in a VMware ESX or ESXi virtual machine.
When installing in a VMware virtual machine, set the Guest OS type to Linux CentOS 4/5 32-bit.
The steps below install and configure CDA on an ESXi 5.0 server.
Step 1: download the CDA software from CCO: /download/type.html?mdfid=284143128&flowid=31442
Step 2: install CDA on VMware ESXi 5.0.
Step 3: after installation, type setup at the login prompt to perform the basic configuration. Example session:

localhost.localdomain login: setup
Press 'Ctrl-C' to abort setup
Enter Hostname[]: cda-server
Enter IP address []: 10.10.10.83
Enter IP netmask []: 255.255.255.0
Enter IP default gateway []: 10.10.10.3
Enter default DNS domain []:
Enter primary nameserver []: 10.10.10.80
Enter secondary nameserver? Y/N: n
Enter primary NTP server []: 10.10.10.80
Enter secondary NTP server? Y/N: n
Enter system timezone [UTC]: Asia/Shanghai
Enter username [admin]: admin
Enter password:
Enter password again:
Bringing up the network interface...
Pinging the gateway...
Pinging the primary nameserver...
Do not use 'Ctrl-C' from this point on...
Installing applications...
Installing cda...
Pre install
Post Install
Application bundle (cda) installed successfully
=== Initial setup for application: cda ===
Generating configuration...
Rebooting...

Step 4: open a browser at https://10.10.10.83 and log in to the CDA GUI with the username and password created above.
Cisco 5505 configuration explained

* If an internal server must be mapped to a public address (outside-to-inside access), you need a static plus a conduit or an ACL:
static (inside,outside) 222.240.254.194 192.168.1.240

nat command syntax: nat (if_name) nat_id local_ip [netmask]

A static alone only creates the translation; the conduit or the ACL opens the hole that lets outside traffic reach the published host. An ACL provides the same policy-based access as a conduit and is only slightly more work, and conduit is no longer available in version 7.
access-list 101 permit tcp any host 222.240.254.194 eq <port>    // the port is not legible in the source
access-group 101 in interface outside                             // bind the ACL to the interface

1. Define the outside interface
interface Ethernet0/0             // enter the port (the interface number is partly illegible in the source)
nameif outside                    // name the port: outside
security-level 0                  // security level 0
no shut                           // activate the port
ip address <public address> 255.255.255.248    // set the IP (the address is illegible in the source)

2. Define the inside interface
interface Ethernet0/1
nameif inside                     // name the port: inside
(the rest of this step is missing from the source)

or
global (outside) 1 interface      // when the ISP assigns only one address, PAT directly behind the outside interface address

5. Set the default route
route outside 0 0 218.17.148.14   // the next hop is the gateway address assigned by the ISP

Check the NAT translation table
show xlate
ASA 5505 Getting-Started Configuration Manual

1. Initial configuration
ciscoasa> enable                                   // user mode to privileged mode
ciscoasa# configure terminal                       // privileged mode to global configuration mode
ciscoasa(config)# hostname AYKJ-FW                 // rename the firewall
AYKJ-FW(config)# passwd aykj                       // remote login password
AYKJ-FW(config)# enable password aykj              // enable password

2. Interfaces
AYKJ-FW(config)# interface Vlan2                   // create the SVI; on the ASA 5505 addresses are configured on SVIs
AYKJ-FW(config-if)# nameif outside                 // the outside interface, i.e. the one facing the WAN
AYKJ-FW(config-if)# security-level 0               // security level, range 0 to 100; for the names inside and outside the level is assigned automatically
AYKJ-FW(config-if)# ip address 221.226.186.58 255.255.255.252    // public address assigned by the ISP
AYKJ-FW(config-if)# interface Vlan3
AYKJ-FW(config-if)# nameif inside                  // the inside interface, facing the LAN
AYKJ-FW(config-if)# security-level 100             // inside defaults to 100
AYKJ-FW(config-if)# ip address 10.0.0.1 255.255.255.0    // LAN address

3. Management
AYKJ-FW(config)# telnet 0.0.0.0 0.0.0.0 inside     // any inside address may telnet to the firewall
AYKJ-FW(config)# ssh 0.0.0.0 0.0.0.0 outside       // any outside address may SSH to the firewall
AYKJ-FW(config)# ssh version 1                     // use SSH version 1
AYKJ-FW(config)# http server enable                // enable the web interface, i.e. ASDM; unlike larger models such as the ASA 5520 with a dedicated management port, the 5505 only needs the service enabled and applied to an interface, after which any reachable network can manage it with ASDM
AYKJ-FW(config)# http 0.0.0.0 0.0.0.0 inside
AYKJ-FW(config)# http 0.0.0.0 0.0.0.0 outside      // these two lines mean that every address able to reach the firewall can manage it through ASDM
These management lines are the weakest part of this manual. SSH version 1 is broken and should never be used (ssh version 2). SSH and ASDM permitted from 0.0.0.0 on outside expose the management plane to the whole Internet, and with no aaa authentication configured the only credential is the short passwd above. Restrict ssh and http to administrative subnets, use ssh version 2, and bind authentication to local users (username ... privilege 15 plus aaa authentication ssh console LOCAL, as shown elsewhere on this page).

4. Routing
AYKJ-FW(config)# route outside 0.0.0.0 0.0.0.0 221.226.186.57    // default route for Internet access; the next hop is the ISP gateway
AYKJ-FW(config)# route inside [LAN network] [mask] [next hop on the inside]    // internal routes; not needed here because the LAN and the firewall's inside interface share one subnet

5. NAT
5.1 Dynamic NAT
AYKJ-FW(config)# global (outside) 1 interface               // use the outside interface address as the NAT pool
AYKJ-FW(config)# nat (inside) 1 10.0.0.0 255.255.255.0      // let the LAN reach the Internet through NAT
5.2 Static NAT (port mapping)
AYKJ-FW(config)# access-list perout extended permit tcp any host 221.226.186.58 eq www    // first open the port to be mapped on the outside interface
AYKJ-FW(config)# access-group perout in interface outside                                 // apply the ACL on outside
AYKJ-FW(config)# static (inside,outside) tcp interface www 10.0.0.150 www netmask 255.255.255.255    // map the internal server's port to the outside address
AYKJ-FW(config)# global (inside) 1 interface
AYKJ-FW(config)# static (inside,inside) tcp 221.226.186.58 www 10.0.0.150 www netmask 255.255.255.255
The last two commands let LAN users reach the internal server through its public address; without them, LAN clients cannot use the public address. Because that traffic enters and leaves the same interface, it additionally requires same-security-traffic permit intra-interface, which this manual omits.

6. VPN
6.1 Common VPN settings
AYKJ-FW(config)# ip local pool vpn 10.0.1.210-10.0.1.220 mask 255.255.255.0    // VPN address pool; it must not be in the LAN subnet
AYKJ-FW(config)# access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0    // traffic between the LAN and VPN clients
AYKJ-FW(config)# nat (inside) 0 access-list inside_nat0_outbound    // exempt that traffic from NAT
AYKJ-FW(config)# access-list split standard permit 10.0.0.0 255.255.255.0    // networks VPN users may reach
AYKJ-FW(config)# username asa password cisco       // VPN user; with no further policy this user may connect over both SSL and IPsec

6.2 SSL (web) VPN
AYKJ-FW(config)# webvpn                            // configure WebVPN
AYKJ-FW(config-webvpn)# enable outside             // enable WebVPN on outside
AYKJ-FW(config-webvpn)# svc image disk0:/anyconnect-win-2.4.1012-k9.pkg    // the VPN client package
AYKJ-FW(config-webvpn)# svc enable                 // enable the client
AYKJ-FW(config)# group-policy ssl internal         // WebVPN group policy
AYKJ-FW(config)# group-policy ssl attributes       // group policy attributes
AYKJ-FW(config-group-policy)# vpn-tunnel-protocol svc webvpn         // allow WebVPN tunnels
AYKJ-FW(config-group-policy)# split-tunnel-policy tunnelspecified    // only traffic matching the split list goes through the tunnel
AYKJ-FW(config-group-policy)# split-tunnel-network-list value split  // use the split list; VPN clients have no gateway, so this is what lets them reach the LAN
AYKJ-FW(config)# tunnel-group ssl type remote-access      // remote-access tunnel group
AYKJ-FW(config)# tunnel-group ssl general-attributes      // basic tunnel attributes
AYKJ-FW(config-tunnel-general)# address-pool vpn          // use the VPN address pool

6.3 IPsec VPN
AYKJ-FW(config)# crypto isakmp enable outside             // enable IPsec VPN on outside
AYKJ-FW(config)# crypto isakmp disconnect-notify          // notify the peer when the tunnel is torn down
AYKJ-FW(config)# crypto isakmp policy 10                  // policy priority
AYKJ-FW(config-isakmp-policy)# authentication pre-share   // pre-shared-key authentication
AYKJ-FW(config-isakmp-policy)# encryption 3des            // 3DES encryption
AYKJ-FW(config-isakmp-policy)# hash md5                   // MD5 integrity
AYKJ-FW(config-isakmp-policy)# group 2                    // Diffie-Hellman group
AYKJ-FW(config-isakmp-policy)# lifetime 86400             // SA lifetime
AYKJ-FW(config)# group-policy aykj internal               // IPsec group policy
AYKJ-FW(config)# group-policy aykj attributes             // group policy attributes
AYKJ-FW(config-group-policy)# vpn-tunnel-protocol IPSec   // allow IPsec tunnels
AYKJ-FW(config-group-policy)# split-tunnel-policy tunnelspecified    // only traffic matching the split list goes through the tunnel
AYKJ-FW(config-group-policy)# split-tunnel-network-list value split  // use the split list
AYKJ-FW(config)# tunnel-group aykj type remote-access     // remote-access tunnel group
AYKJ-FW(config)# tunnel-group aykj general-attributes     // basic tunnel attributes
AYKJ-FW(config-tunnel-general)# address-pool vpn          // use the address pool
AYKJ-FW(config-tunnel-general)# default-group-policy aykj // use the group policy
AYKJ-FW(config)# tunnel-group aykj ipsec-attributes       // IPsec tunnel attributes
AYKJ-FW(config-tunnel-ipsec)# pre-shared-key aykj         // the pre-shared key is aykj
3DES, MD5 and DH group 2 were already legacy choices when this was written. On software that supports them use AES (encryption aes-256), SHA (hash sha, or a SHA-2 variant where available) and group 14 or higher, and a long random pre-shared key rather than the four-letter one shown.
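The management and VPN settings criticised above (telnet from anywhere, SSH version 1, SSH and ASDM open to 0.0.0.0 on outside, cleartext passwords, a permit ip any any ACL bound inbound on outside in the 5505 case configuration earlier on this page, and the 3DES/MD5/group 2 ISAKMP policy) are all visible as plain lines in a running-config, so they can be checked mechanically. The script below is an added example written for this page, not code from any of the manuals quoted here. It parses a copy of show running-config (the sample configs are constructed from the commands on this page; the hash strings in the hardened sample are placeholders) and returns a list of findings; the hardened sample shows the same services restricted to an administrative subnet with local AAA and a current IKE policy, and yields none.

```python
"""Audit an ASA running-config for weak management-plane, outside-ACL and IKE settings.

Added example for this page; not from the original manuals. Sample configs are
constructed from the commands shown on the page (hashes are placeholders).
"""
from typing import List, Set, Tuple

Finding = Tuple[str, str]  # (code, human-readable detail)

ANY_SOURCE = ("0.0.0.0", "0.0.0.0")
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_IKE_GROUPS = {"1", "2", "5"}  # DH groups below 2048 bits


def _lines(config: str) -> List[Tuple[bool, List[str]]]:
    """Tokenise each line; the bool says whether it is an indented sub-command."""
    out = []
    for raw in config.splitlines():
        if raw.strip() and not raw.lstrip().startswith("!"):
            out.append((raw.startswith(" "), raw.split()))
    return out


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    permit_any_acls: Set[str] = set()
    bound_outside: List[str] = []
    ssh_enabled = ssh_aaa = False
    policy = None  # number of the 'crypto isakmp policy' whose sub-commands are being read
    for sub, t in _lines(config):
        if not sub:
            policy = None
        cmd = t[0]
        if cmd == "telnet" and len(t) == 4:
            findings.append(("TELNET_ENABLED",
                             f"cleartext telnet allowed from {t[1]} {t[2]} on {t[3]}"))
        elif cmd in ("ssh", "http") and len(t) == 4:
            if cmd == "ssh":
                ssh_enabled = True
            if t[3] == "outside" and (t[1], t[2]) == ANY_SOURCE:
                findings.append((f"{cmd.upper()}_ANY_SOURCE_OUTSIDE",
                                 f"{cmd} management reachable from any address on outside"))
        elif t[:3] == ["ssh", "version", "1"]:
            findings.append(("SSH_V1", "SSH protocol version 1 in use"))
        elif cmd in ("passwd", "password") or t[:2] == ["enable", "password"]:
            if "encrypted" not in t:
                name = "enable password" if cmd == "enable" else cmd
                findings.append(("PLAINTEXT_PASSWORD", f"{name} stored in clear text"))
        elif t[:4] == ["aaa", "authentication", "ssh", "console"]:
            ssh_aaa = True
        elif cmd == "access-list" and t[2:] == ["extended", "permit", "ip", "any", "any"]:
            permit_any_acls.add(t[1])
        elif cmd == "access-group" and t[2:5] == ["in", "interface", "outside"]:
            bound_outside.append(t[1])
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            policy = t[3]
        elif policy and sub:
            weak = ((cmd == "encryption" and t[1] in WEAK_IKE_ENCRYPTION)
                    or (cmd == "hash" and t[1] in WEAK_IKE_HASH)
                    or (cmd == "group" and t[1] in WEAK_IKE_GROUPS))
            if weak:
                findings.append(("WEAK_IKE", f"isakmp policy {policy}: {cmd} {t[1]}"))
    # access-group normally follows the access-list lines, so resolve bindings at the end.
    for name in bound_outside:
        if name in permit_any_acls:
            findings.append(("OUTSIDE_ACL_PERMIT_ANY",
                             f"ACL {name} permits ip any any inbound on outside"))
    if ssh_enabled and not ssh_aaa:
        findings.append(("NO_SSH_AAA", "SSH enabled without 'aaa authentication ssh console'"))
    return findings


# Constructed sample: the management, ACL and IKE lines quoted on this page.
WEAK_CONFIG = """\
hostname AYKJ-FW
passwd aykj
enable password aykj
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-group 102 in interface outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# Constructed hardened counterpart (placeholder hashes): admin subnet only, local AAA, modern IKE.
HARDENED_CONFIG = """\
hostname AYKJ-FW
enable password xxxxxxxxxxxxxxxx encrypted
username admin password xxxxxxxxxxxxxxxx encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
access-list OUTSIDE_IN extended permit tcp any host 200.200.200.200 eq www
access-group OUTSIDE_IN in interface outside
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
http server enable
http 192.168.1.0 255.255.255.0 inside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
"""

if __name__ == "__main__":
    for code, detail in audit(WEAK_CONFIG):
        print(f"{code:26} {detail}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Feed it the output of show running-config saved to a file; every line it flags maps directly onto one of the fixes recommended in the text above. The checks are deliberately literal (exact token matches) so that a new finding can be added as one more elif without touching the parser.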
Cisco ASA 5500 Configuration Manual

Cisco ASA 5500 series firewall basic configuration manual

1. Configuration basics

1.1 User interface
Cisco firewalls support the following configuration methods: console, Telnet, SSH (1.x or 2.0; 2.0 is new in 7.x), the ASDM HTTP interface, and the VMS Firewall Management Center.
ROM Monitor mode is available. Privilege is split into user mode and privileged mode; help, history, and searching and filtering of command output are supported.
User mode: the prompt Firewall> is user mode; typing enable enters privileged mode, Firewall#.
From privileged mode, config t enters global configuration mode.
exit or Ctrl-Z returns to the previous mode.
Configuration features: prefixing a command with no removes it.
show running-config or write terminal displays the current configuration.
show running-config all displays the whole configuration, including defaults.
Tab completes commands; Ctrl-L redraws the command being typed (useful when system output has scrambled a half-typed line); help and history behave as in the IOS command set.
show output can be filtered and searched with | begin, | include, | exclude and | grep followed by a regular expression.
terminal width changes the terminal display width (default 80 characters); pager changes the number of lines per screen (default 24).

1.2 Initial configuration
As on a router, setup walks through an interactive basic configuration.

2. Configuring connectivity

2.1 Interfaces
Basics: every firewall interface must have an interface name, an IP address with mask, and a security level.
Basic interface commands:
Firewall(config)# interface hardware-id                        // enter interface mode
Firewall(config-if)# speed {auto | 10 | 100 | nonegotiate}     // interface speed
Firewall(config-if)# duplex {auto | full | half}               // duplex mode
Firewall(config-if)# [no] shutdown                              // enable or disable the interface
Firewall(config-if)# nameif if_name                             // interface name
Firewall(config-if)# security-level level                       // security level
Example:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 125.78.33.22 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.18.254 255.255.255.0
In this configuration the interface named outside has security level 0 and the interface named inside has security level 100. Security levels range from 0 to 100; the higher the number, the more trusted the interface. By default, traffic is allowed from a higher-level interface to a lower-level one, traffic from a lower level to a higher one is denied unless an ACL applied on the lower-level interface permits it, and two interfaces at the same level cannot exchange traffic at all without same-security-traffic permit inter-interface.
Cisco ASA 5500 Product Brochure

Cisco ASA 5500 Series Adaptive Security Appliances. Beyond unprecedented service flexibility, modular scalability, feature extensibility, and lower deployment and operating costs, the Cisco ASA 5500 Series provides enterprises of every size, service providers and mission-critical data centers with a powerful set of highly integrated, market-leading security services.
Market-proven security: the Cisco ASA 5500 Series combines multiple full-featured, high-performance security services, including application-layer firewalling, SSL and IPsec VPN, IPS Global Correlation with its guarantee, anti-virus, anti-spam, anti-phishing and web filtering.
Combined with real-time reputation technology, these deliver effective network-layer and application-layer security, user-based access control, worm and malware protection, higher employee productivity, instant-messaging and peer-to-peer control, and secure remote-user and site connectivity.
The only IPS with market-leading reputation technology: Cisco IPS Global Correlation delivers twice the effectiveness of earlier IPS, backed by a guarantee.
The Cisco ASA 5585-X offers seamless client and clientless access for a range of desktop and mobile platforms, with integrated web security and IPS policy enforcement and threat protection for always-on secure mobility.
Figure 1. Cisco ASA 5500 Series Adaptive Security Appliances (image not reproduced).
The Cisco ASA 5500 Series helps enterprises protect their networks and applications more efficiently and provides strong investment protection: it is the core component of the Cisco Borderless Network security architecture and offers outstanding scalability, a broad set of technologies and solutions, and efficient, always-on security for a wide range of deployment needs.
By combining the world's most widely recognized firewall, a comprehensive and efficient intrusion prevention system (IPS) with Cisco Global Correlation and its guarantee, and high-performance VPN with always-on remote access, the Cisco ASA 5500 Series delivers secure, high-performance connectivity and protects critical assets for maximum productivity.
Extensible integrated services architecture: through a unique combination of hardware and software extensibility and the powerful Modular Policy Framework (MPF), the Cisco ASA 5500 Series gives enterprises strong adaptive protection against a rapidly evolving threat environment.
ASA 5505 Cisco firewall

Our company network keeps being upgraded, and a new Cisco ASA 5505 firewall has arrived.
The company plans to isolate four monitoring-system servers from the existing network by putting them behind the firewall.
However, three of the existing servers already provide monitoring information to the municipal coal bureau, the group company and the investment holding company, so changing their IP addresses would be a lot of trouble.
The company therefore decided to keep those three servers reachable at their original addresses through address translation, opening only the required ports.
The existing network segment is 192.168.0.0; the isolated segment is 172.168.1.0. The software is ASA 7.2, whose configuration differs somewhat from earlier versions.
(Note that 172.168.1.0 is not an RFC 1918 private range: the private block is 172.16.0.0/12, and 172.168.0.0/16 is public address space, so using it internally can shadow legitimate Internet destinations.)

The steps in detail:
1. Connect the four monitoring servers to an ordinary switch; connect that switch to port 1 of the firewall and port 0 of the firewall to the existing network switch; connect a PC to the firewall with the console cable.
2. On the PC open HyperTerminal; create a new connection with any name, choose the matching COM port, and keep the default port settings.
3. When the firewall shows "Pre-configure PIX Firewall now through interactive prompts [yes]?", which asks whether to enter the interactive setup dialog, answer N.
4. At the ciscoasa> prompt type enable to enter privileged mode (ciscoasa#), then conf t to enter global configuration mode. The firewall can now be configured.
5. Configuration commands:

ciscoasa(config)# hostname dyq                              // firewall name
dyq(config)# enable password admin                          // enable password
dyq(config)# interface vlan 1                               // outside VLAN
dyq(config-if)# ip address 192.168.0.251 255.255.255.0
dyq(config-if)# no shutdown
dyq(config-if)# security-level 0
dyq(config-if)# nameif outside
dyq(config-if)# exit
dyq(config)# interface vlan 2                               // inside VLAN
dyq(config-if)# ip address 172.168.1.1 255.255.255.0
dyq(config-if)# no shutdown
dyq(config-if)# security-level 100
dyq(config-if)# nameif inside
dyq(config-if)# exit
Add ports e0/0 and e0/1 to the VLANs:
dyq(config)# interface ethernet 0/0
dyq(config-if)# no shutdown
dyq(config-if)# switchport access vlan 1
dyq(config-if)# exit
dyq(config)# interface ethernet 0/1                         // same as above, with VLAN 2
Telnet access:
dyq(config)# telnet 0 0 inside
dyq(config)# password admin                                 // telnet login password
Access control list:
dyq(config)# access-list acl_out extended permit tcp any any eq www
dyq(config)# access-list acl_out extended permit icmp any any
dyq(config)# access-list acl_out extended permit tcp any host 192.168.0.7 eq 1433
dyq(config)# access-list acl_out extended permit tcp any host 192.168.0.8 eq 8080
dyq(config)# access-list acl_out extended permit tcp any host 192.168.0.8 eq 445
dyq(config)# access-list acl_out extended permit tcp any host 192.168.0.8 eq 1433
dyq(config)# access-list acl_out extended permit tcp any host 192.168.0.9 eq www    // allow port 80 on host 192.168.0.9; acl_out is the ACL name
Verify: show access-list
Routing:
dyq(config)# route outside 0 0 192.168.0.1
Verify: show route
Static NAT:
dyq(config)# static (inside,outside) 192.168.0.7 172.168.1.10 netmask 255.255.255.255
dyq(config)# static (inside,outside) 192.168.0.8 172.168.1.20 netmask 255.255.255.255
dyq(config)# static (inside,outside) 192.168.0.9 172.168.1.30 netmask 255.255.255.255
These translate the inside addresses 172.168.1.x to the outside addresses 192.168.0.x.
Dynamic NAT (PAT):
dyq(config)# global (outside) 1 interface
dyq(config)# nat (inside) 1 172.168.1.0 255.255.255.0
or
dyq(config)# nat (inside) 1 0 0

Two things to check before relying on this. The walkthrough never binds acl_out to an interface; without access-group acl_out in interface outside the entries have no effect and connections from the outside network to the statics are dropped. And the first entry, permit tcp any any eq www, opens port 80 on every translated host, not only on 192.168.0.9, while the 445 (SMB) and 1433 (MS-SQL) entries expose high-value services; even though "outside" here is only the corporate LAN, restrict the source addresses to the hosts that actually need them.
ASA 5500 configuration notes

1. Generate the RSA key pair for SSH with crypto key generate rsa, choosing 1024 bits (the beginning of this step is missing from the source). A 1024-bit modulus is below current minimums; on software that supports it use crypto key generate rsa modulus 2048.
2. Save the RSA keys to flash:
hostname(config)# write mem
3. Specify which interface and which source addresses may connect to the ASA over SSH:
hostname(config)# ssh source_IP_address mask source_interface

access-group outside_permit in interface outside    // apply the outside_permit access list inbound on the outside interface
route outside 0.0.0.0 0.0.0.0 202.98.131.126 1      // define a default route
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

// Port mapping: publishes many internal services when only a few public addresses are available.
static (dmz,outside) tcp interface 30010 192.168.2.2 30010 netmask 255.255.255.255
static (dmz,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255
static (dmz,outside) tcp interface 30001 192.168.2.2 30001 netmask 255.255.255.255
// each line maps one TCP port of the dmz host 192.168.2.2 to the same port on the outside interface address
Publishing 3389 (RDP) on the Internet-facing address makes the host a standing brute-force target; limit the ACL's source addresses or reach RDP over the VPN instead.
// access control list
access-list outside_permit extended permit tcp any interface outside range 30000    (the upper bound of the port range is cut off in the source)
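Every static in this section and in the monitoring-server walkthrough above is only reachable if an ACE in the ACL bound inbound on outside permits it, and the reverse mistake (an ACE naming a host that no static maps) leaves a dangling hole waiting for a future static. The script below is an added example written for this page, not code from any of the quoted manuals. It reads the static and access-list lines of a running-config, keeps only ACLs bound with access-group ... in interface outside, and reports what is exposed, which statics no ACE reaches, which ACEs are dangling, and which exposed ports are the ones a reviewer should question. The sample config is constructed from the statics and ACEs on this page (with one extra dangling ACE for 192.168.0.77 added to show that case); the port-name table and the "risky" list are the author's own choices, not ASA definitions.

```python
"""Cross-check ASA 'static' NAT entries against the ACL applied inbound on outside.

Added example for this page; not from the original manuals. Sample config below is
constructed from the statics and ACEs shown on the page.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Service-name mapping and "worth questioning" ports are this example's own tables.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "telnet": 23,
              "smtp": 25, "domain": 53, "pop3": 110, "imap4": 143}
RISKY_PORTS = {23: "telnet", 135: "MS-RPC", 445: "SMB", 1433: "MS-SQL", 3389: "RDP"}

Static = Tuple[str, str, Optional[str], Optional[int]]  # (mapped, real, proto, mapped_port)
Ace = Tuple[str, str, Tuple[str, ...], Optional[int]]    # (acl_name, proto, dest, port)


def port_num(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_static(t: List[str]) -> Static:
    """static (real_if,mapped_if) [tcp|udp] mapped [mport] real [rport] netmask ..."""
    rest = t[2:]
    if rest[0] in ("tcp", "udp"):
        return rest[1], rest[3], rest[0], port_num(rest[2])
    return rest[0], rest[1], None, None


def parse_ace(t: List[str]) -> Optional[Ace]:
    """access-list NAME [extended] permit PROTO SRC DST [eq PORT]; None for deny entries."""
    name = t[1]
    r = t[3:] if t[2] == "extended" else t[2:]
    if r[0] != "permit":
        return None
    proto, i = r[1], 2
    i += 1 if r[i] == "any" else 2           # skip the source: any | host X | net mask
    if r[i] == "any":
        dest, i = ("any",), i + 1
    else:
        dest, i = (r[i], r[i + 1]), i + 2    # ('host', X) or ('interface', ifname)
    port = port_num(r[i + 1]) if i < len(r) and r[i] == "eq" else None
    return name, proto, dest, port


def permits(a: Ace, s: Static) -> bool:
    """Does ACE a let outside traffic reach static s (at least for some port)?"""
    _, proto, dest, port = a
    mapped, _, sproto, sport = s
    if proto != "ip" and sproto is not None and proto != sproto:
        return False
    if dest not in (("any",), ("host", mapped)) and not (
            dest == ("interface", "outside") and mapped == "interface"):
        return False
    return sport is None or port is None or port == sport


def cross_check(config: str) -> Dict[str, list]:
    statics: List[Static] = []
    aces: List[Ace] = []
    bound: Set[str] = set()
    for line in config.splitlines():
        t = re.sub(r"^static\s*\(", "static (", line.strip()).split()  # accept 'static(' too
        if not t:
            continue
        if t[0] == "static":
            statics.append(parse_static(t))
        elif t[0] == "access-list":
            ace = parse_ace(t)
            if ace:
                aces.append(ace)
        elif t[0] == "access-group" and t[2:5] == ["in", "interface", "outside"]:
            bound.add(t[1])
    aces = [a for a in aces if a[0] in bound]           # unbound ACLs protect nothing
    exposed: Set[Tuple[str, str, str, Optional[int]]] = set()
    unreachable: List[Static] = []
    for s in statics:
        hits = [a for a in aces if permits(a, s)]
        if not hits:
            unreachable.append(s)
        for a in hits:
            exposed.add((s[0], s[1], s[2] or a[1], a[3] if a[3] is not None else s[3]))
    mapped_hosts = {s[0] for s in statics}
    dangling = sorted({a[2][1] for a in aces if a[2][0] == "host" and a[2][1] not in mapped_hosts})
    risky = sorted((m, p, RISKY_PORTS[p]) for m, _, _, p in exposed if p in RISKY_PORTS)
    return {"exposed": sorted(exposed, key=str), "unreachable": unreachable,
            "dangling": dangling, "risky": risky}


# Constructed sample: the statics and ACEs on this page, plus one dangling ACE (.77).
SAMPLE = """\
access-list acl_out extended permit tcp any any eq www
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host 192.168.0.7 eq 1433
access-list acl_out extended permit tcp any host 192.168.0.8 eq 8080
access-list acl_out extended permit tcp any host 192.168.0.8 eq 445
access-list acl_out extended permit tcp any host 192.168.0.9 eq www
access-list acl_out extended permit tcp any host 192.168.0.77 eq 22
access-list acl_out extended permit tcp any interface outside eq 3389
access-group acl_out in interface outside
static(inside,outside) 192.168.0.7 172.168.1.10 netmask 255.255.255.255
static (inside,outside) 192.168.0.8 172.168.1.20 netmask 255.255.255.255
static (inside,outside) 192.168.0.9 172.168.1.30 netmask 255.255.255.255
static (dmz,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255
static (dmz,outside) tcp interface 30010 192.168.2.2 30010 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for key, rows in cross_check(SAMPLE).items():
        print(key)
        for row in rows:
            print("   ", row)
```

Run against the sample, the report shows that permit tcp any any eq www exposes port 80 on all three inside hosts, that the 30010 port map is unreachable because no ACE covers it, that the ACE for 192.168.0.77 is dangling, and that MS-SQL, SMB and RDP are reachable from outside. The matching deliberately errs toward reporting exposure: an ip or icmp ACE counts against every static, and a port-less static counts as fully exposed by any matching ACE.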
Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls Data Sheet
Data Sheet Cisco ASA 5500 and ASA 5500-X SeriesNext-Generation Firewalls for the Internet EdgeCisco® ASA 5500 and ASA 5500-X Series Next-Generation Firewalls integrate the world’s most proven stateful inspection firewall with a comprehensive suite of highly integrated next-generation firewall services for networks of all sizes - small and midsize businesses with one or a few locations, large enterprises, service providers, and mission-critical data centers. The Cisco ASA 5500 and ASA 5500-X SeriesNext-Generation Firewalls deliver MultiScale™ performance with unprecedented services flexibility, including next-generation firewall capabilities, modular scalability, feature extensibility, and lower deployment and operations costs.Midsize businesses protecting the Internet edge require the same level of protection as large enterprise networks. You require enterprise-strength security, but purchasing a firewall that was built to handle the performance needs and budget of a large enterprise would be unnecessary and a waste of company resources. You need a firewall that provides the performance you need at a price you can afford, along with the visibility and control you need to take advantage of new applications and devices without compromising security.Features and BenefitsCisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls are available in a wide range of sizes and performance levels to fit your network and budget while offering the same proven level of security that protects some of the largest networks at some of the most security-conscious companies in the world. 
The ASA 5500 and ASA 5500-X Next-Generation Series Firewalls scale to meet the performance and security requirements of a wide range of network applications, to correspond with your changing needs.Like their enterprise counterparts, Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet edge protect critical assets through:●Exceptional next-generation firewall services that provide the visibility and control your enterprise needs tosafely take advantage of new applications and devices1●Application Visibility and Control (AVC) to control specific behaviors within allowed micro-applications●Web Security Essentials (WSE) to restrict web and web application usage based on reputation of the site●Broad and deep network security through an array of integrated cloud- and software-based next-generationfirewall services backed by Cisco Security Intelligence Operations (SIO)●Highly effective intrusion prevention system (IPS) with Cisco Global Correlation●High-performance VPN and always-on remote access●The ability to enable additional security services quickly and easily in response to changing needs1 Please contact your sales representative for availability.Cisco ASA 5525-X, 5545-X, and 5555-XThe Cisco ASA 5525-X, 5545-X, and 5555-X are next-generation firewalls that combine the most widely deployed stateful inspection firewall in the industry with a comprehensive suite of next-generation network security services - for comprehensive security without compromise. They help meet evolving security needs by delivering multiple next-generation security services, multigigabit performance, flexible interface options, and redundant power supplies, all in a compact 1-RU form factor. 
These firewalls optionally provide broad and deep network security services through an array of integrated cloud- and software-based security services, including Application Visibility and Control (AVC), Web Security Essentials (WSE), Cisco Cloud Web Security (CWS), and the only context-aware IPS - with no need for additional hardware modules.

The ASA 5525-X, 5545-X, and 5555-X Next-Generation Firewalls are part of the ASA 5500-X Series, which is built on the same proven security platform as the rest of the ASA family of firewalls and delivers superior performance for exceptional operational efficiency. These models are designed to meet evolving security needs by providing, among other things, innovative next-generation firewall services that make it possible to take advantage of new applications and devices without compromising security. Unlike other next-generation firewalls, the Cisco ASA 5500-X Series keeps pace with rapidly evolving needs by offering end-to-end network intelligence gained from combining the visibility from local traffic with in-depth global network intelligence through:
● Cisco TrustSec® technology
● Cisco AnyConnect® Secure Mobility Solution for unique mobile client insight
● Cisco Security Intelligence Operations (SIO) for near-real-time threat information and proactive protection
● Cisco ASA Next-Generation Firewall Services

With up to 4 Gbps of firewall throughput, 1,000,000 concurrent firewall connections, 50,000 connections per second, and 6 integrated Gigabit Ethernet interfaces, the ASA 5525-X, 5545-X, and 5555-X are excellent choices for businesses requiring high performance, cost effectiveness, exceptional application visibility and control, and an extensible security solution that can grow with their changing needs.

Cisco ASA 5520, 5540, and 5550

The Cisco ASA 5520, 5540, and 5550 are modular, high-performance firewalls that deliver security services with Active/Active high availability and Gigabit Ethernet connectivity for medium-sized enterprise networks. With Gigabit Ethernet interfaces and support for up to 200 VLANs, businesses can easily deploy the Cisco ASA 5520, 5540, and 5550 into multiple zones within their network. The Cisco ASA 5520, 5540, and 5550 scale with businesses as their network security requirements grow, delivering solid investment protection.

Businesses can extend their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Up to 5000 Cisco AnyConnect and/or clientless VPN peers can be supported. VPN capacity and resiliency can be increased by taking advantage of integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520, 5540, and 5550 support up to 10 firewalls in a cluster, offering a maximum of 50,000 AnyConnect and/or clientless VPN peers or 50,000 IPsec VPN peers per cluster. For business continuity and event planning, the Cisco ASA 5520, 5540, and 5550 can also benefit from Cisco VPN Flex licenses, which enable administrators to react to or plan for short-term “bursts” of concurrent Premium VPN remote-access users for up to two months.

The advanced application-layer security and content security defenses provided by these firewalls can be extended by deploying the high-performance intrusion prevention and worm mitigation capabilities of the Advanced Inspection and Prevention Security Services Module (AIP SSM) or the comprehensive malware protection of the Content Security and Control Security Services Module (CSC SSM). Using these optional security context capabilities, businesses can deploy up to 100 virtual firewalls within a physical appliance to enable compartmentalized control of security policies on a departmental level.
This virtualization strengthens security and reduces overall management and support costs while consolidating multiple security devices into a single appliance. Table 1 compares the features and capacities of the Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet Edge.

Table 1. Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet Edge
[Table body not recoverable in this copy; only one row of throughput figures survives, without the model headers it belongs to: up to 450 Mbps / 2 Gbps; up to 650 Mbps / 3 Gbps; up to 1.2 Gbps / 4 Gbps.]
Table notes:
(2) Maximum throughput measured with UDP traffic under ideal conditions.
(3) Multiprotocol: Traffic profile consisting primarily of TCP-based protocols/applications, such as HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
(4) Firewall traffic that does not go through the IPS service can have higher throughput.
(5) Throughput was measured using ASA CX Software Release 9.1.1 with multiprotocol traffic profile with both AVC and WSE. Traffic logging was enabled as well.
(6) VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
(7) Separately licensed feature; includes two SSL licenses with base system.

Regulatory and Standards Compliance (the three surviving model columns are identical except where noted)
Safety: UL 60950, CSA C22.2 No. 60950, EN 60950, IEC 60950, AS/NZS 60950; IEC 60950-1:2005, 2nd Edition; EN 60950-1:2006+A11:2009; UL 60950-1:2007, 2nd Edition; CSA C22.2 No. 60950-1-07, 2nd Edition
Electromagnetic Compatibility (EMC): CE marking, FCC Part 15 Class A, AS/NZS CISPR22 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3; CE: EN55022 2006+A1:2007 Class A, EN55024 1998+A1:2001+A2:2003, EN61000-3-2 2009, EN61000-3-3 2008; FCC: CFR 47, Part 15 Subpart B Class A 2010, ANSI C63.4 2009; ICES-003 Issue 4, February 2004; VCCI: V-3/2011.04; C-TICK: AS/NZS CISPR 22, 2009; KC: KN22 & KN24
Industry Certifications, first column: Common Criteria EAL4 US DoD Application-Level Firewall for Medium-Robustness Environments, Common Criteria EAL2 for IPS on AIP SSM-10 and -20, FIPS 140-2 Level 2, and NEBS Level 3; in process: Common Criteria EAL4+ US DoD Application-Level Firewall for Medium-Robustness Environments, and Common Criteria EAL4 for IPsec/SSL VPN
Industry Certifications, remaining columns: FIPS 140-2 Level 2 (in process); Common Criteria EAL4+ US DoD Application-Level Firewall for Medium-Robustness Environments, and Common Criteria EAL4 for IPsec/SSL VPN (in process)

Cisco ASA 5500 Series Security Services Processors, Modules, and Cards

The Cisco ASA 5500 Series brings a new level of integrated security performance to networks with its highly effective IPS services and multiprocessor hardware architecture. This architecture allows businesses to adapt and extend the high-performance security services profile of the Cisco ASA 5500 Series. Customers can add additional high-performance services using security services modules with dedicated security co-processors, and can custom-tailor flow-specific policies using a highly flexible policy framework. This adaptable architecture enables businesses to deploy new security services when and where they are needed, such as adding the broad range of intrusion prevention and advanced antiworm services delivered by the IPS modules via the AIP SSM and AIP SSC, or the comprehensive malware protection and content security services enabled by the CSC SSM. Further, the Cisco ASA 5500 Series architecture allows Cisco to introduce new services to address new threats, giving businesses outstanding investment protection.

The Cisco ASA 5500 Series AIP SSM and AIP SSC are inline, network-based solutions that accurately identify, classify, and stop malicious traffic before it affects business continuity for IPv4, IPv6, and hybrid IPv6 and IPv4 networks. They combine inline prevention services with innovative technologies, resulting in total confidence in the provided protection of the deployed IPS solution, without the fear of legitimate traffic being dropped. The AIP SSM and AIP SSC also offer comprehensive network protection through their unique ability to collaborate with other network security resources, providing a proactive approach to protecting the network. Accurate inline prevention technologies provide unparalleled confidence to take preventive action on a broader range of threats without the risk of dropping legitimate traffic.
These unique technologies offer intelligent, automated, contextual analysis of data and help ensure that businesses are getting the most out of their intrusion prevention solutions. Furthermore, the IPS SSP, AIP SSM, and AIP SSC use multivector threat identification to protect the network from policy violations, vulnerability exploitations, and anomalous activity through detailed inspection of traffic in Layers 2 through 7. Table 2 details the AIP SSM models that are available, and their respective performance and physical characteristics.

Table 2. Characteristics of Cisco ASA 5500 Series AIP SSM Models
[Only the per-platform throughput figures survive in this copy, without the module column headers: 225 Mbps with Cisco ASA 5520; 375 Mbps with Cisco ASA 5520 / 500 Mbps with Cisco ASA 5540; 450 Mbps with Cisco ASA 5520 / 650 Mbps with Cisco ASA 5540.]

Cisco ASA 5500 Series Content Security and Control Module

The Cisco ASA 5500 Series CSC SSM delivers industry-leading threat protection and content control at the Internet edge, providing comprehensive antivirus, antispyware, file blocking, antispam, antiphishing, URL blocking and filtering, and content filtering services in an easy-to-manage solution. The CSC SSM bolsters the Cisco ASA 5500 Series’ strong security capabilities, providing customers with additional protection of and control over the content of their business communications. The module provides additional flexibility and choice over the functioning and deployment of Cisco ASA 5500 Series firewalls. Licensing options enable organizations to customize the features and capabilities to each group’s needs, with features that include advanced content services and increased user capacity. The CSC SSM ships with a default feature set that provides antivirus, antispyware, and file blocking services. A Plus license is available for each CSC SSM at an additional charge, delivering capabilities such as antispam, antiphishing, URL blocking and filtering, and content control services.
Businesses can extend the user capacity of the CSC SSM by purchasing and installing additional user licenses. A detailed listing of these options is shown in Table 3 and in the CSC SSM data sheet.

Table 3. Characteristics of Cisco ASA 5500 Series CSC SSMs
[Table body not recoverable in this copy; only the platform column headers survive: Cisco ASA 5520; Cisco ASA 5520 / Cisco ASA 5540.]

Cisco ASA 5500 Series 4-Port Gigabit Ethernet Module

The Cisco ASA 5500 Series 4-Port Gigabit Ethernet SSM enables businesses to better segment network traffic into separate security zones, providing more granular security for their network environment. These zones can range from the Internet to internal corporate departments/sites to DMZs. This high-performance module supports both copper and optical connection options by including four 10/100/1000 copper RJ-45 ports and four SFP ports. Businesses can choose between copper or fiber ports, providing flexibility for data center, campus, or enterprise edge connectivity. The module extends the I/O profile of the Cisco ASA 5500 Series to a total of five Fast Ethernet and four Gigabit Ethernet ports on the Cisco ASA 5510. Table 4 lists the characteristics of the Cisco ASA 5500 Series 4-Port Gigabit Ethernet SSMs.

Table 4. Characteristics of Cisco ASA 5500 Series 4-Port Gigabit Ethernet SSMs
Copper ports: Four 10/100/1000BASE-T
Optical ports: Four (Gigabit Ethernet Optical SFP 1000BASE-SX or LX/LH transceiver supported)

Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface Cards

Cisco ASA 5500-X Series 6-port Gigabit Ethernet Interface Cards extend the I/O profile of the ASA 5525-X through ASA 5555-X by providing additional GE ports.
The cards provide the following benefits:
● Better segmentation of network traffic (into separate security zones)
● Fiber-optic cable connectivity for long distance communication
● Load sharing of traffic as well as protection against link failure by using EtherChannel
● Support for Jumbo Ethernet frames of up to 9000 bytes
● Protection against cable failure for the most demanding Active/Active and full mesh firewall deployments

Table 5 lists the characteristics of the Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface Cards.

Table 5. Characteristics of Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface Cards
Copper ports: Six 10/100/1000BASE-T
Optical ports: Six (Gigabit Ethernet Optical SFP 1000BASE-SX or LX/LH transceiver supported)

Ordering Information

To place an order, visit the Cisco Ordering Home Page. Table 6 provides ordering information for the Cisco ASA 5500 Series and ASA 5500-X Series Next-Generation Firewalls.

Table 6. Ordering Information
[Table body not recoverable in this copy.]

To Download the Software

Visit the Cisco Software Center to download Cisco ASA Software.

Service and Support

Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. Included in the “Operate” phase of the service lifecycle are Cisco Security IntelliShield Alert Manager Service, Cisco SMARTnet® Service, Cisco Service Provider Base, and Cisco Services for IPS. These services are suitable for enterprise, commercial, and service provider customers.

Cisco Security IntelliShield Alert Manager Service provides a customizable, web-based threat and vulnerability alert service that allows organizations to easily access timely, accurate, and credible information about potential vulnerabilities in their environment. Cisco Services for IPS supports modules, platforms, and bundles of platforms and modules that feature IPS capabilities.
Cisco SMARTnet and Service Provider Base support other products in this family.

Cisco Capital

Financing to Help You Achieve Your Objectives

Cisco Capital can help you acquire the technology you need to achieve your objectives and stay competitive. We can help you reduce CapEx. Accelerate your growth. Optimize your investment dollars and ROI. Cisco Capital financing gives you flexibility in acquiring hardware, software, services, and complementary third-party equipment. And there’s just one predictable payment. Cisco Capital is available in more than 100 countries. Learn more.

For More Information

For more information, please visit the following links:
● Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls: /go/asa
● Cisco Adaptive Security Device Manager: /go/asdm
● Cisco Security Services: /en/US/products/svcs/ps2961/ps2952/serv_group_home.html
● Cisco ASA 5500 Series and ASA 5500-X Series Licensing Information: /en/US/products/ps6120/products_licensing_information_listing.html
Cisco ASA 5500-X Series Next-Generation Firewalls and AnyConnect Secure Mobility Client Data Sheet
Data Sheet: Cisco AnyConnect Secure Mobility Client and Cisco ASA 5500-X Series Next-Generation Firewalls (VPN)

The Cisco® ASA 5500-X Series Next-Generation Firewalls are purpose-built platforms that combine best-in-class security capabilities with VPN services.
Organizations gain the connectivity and cost benefits of Internet transport without compromising the integrity of their corporate security policies.
By combining Secure Sockets Layer (SSL) and IP Security (IPsec) VPN services with comprehensive threat defense technologies, the Cisco ASA 5500-X Series Next-Generation Firewalls provide highly customizable network access that meets the requirements of a wide range of deployment environments, while delivering advanced endpoint and network-level security (Figure 1).
Figure 1. Customizable VPN services for any deployment scenario

AnyConnect and the Cisco ASA 5500-X Series Adaptive Security Appliances

The adaptive security appliances provide flexible technologies for any connection scenario, scaling to as many as 10,000 concurrent users per appliance.
They deliver easily managed full-tunnel network access through:
● SSL (DTLS and TLS)
● IPsec VPN client technology
● The AnyConnect® Secure Mobility Client, optimized for unified compliance and the Cisco Web Security Appliance
● Advanced clientless SSL VPN capabilities
● Network-aware site-to-site VPN connectivity
This solution provides highly secure public network connectivity for mobile users, remote sites, contractors, and business partners.
VPNs can be extended and secured without auxiliary devices, which lowers the costs associated with VPN deployment and operation.
Benefits of the AnyConnect Secure Mobility Client include:
● SSL (TLS and DTLS) and IPsec-based full network access: full network access provides network-layer remote user connectivity to virtually any application or network resource, and is typically used to extend access to managed computers such as company-owned laptops.
Connectivity is available through the AnyConnect Secure Mobility Client, the Microsoft Layer 2 Tunneling Protocol (L2TP) over IPsec VPN client, the IPsec VPN clients built into Apple iOS and Mac OS X, and a range of third-party remote-access VPN clients that support IPsec IKEv2.
Cisco ASA 5500 Common Configuration Command Handbook
Cisco ASA 5500 Common Configuration Command Handbook, 2010-03-03 16:36:09

1. Handy commands
    sh run ntp             show the NTP-related configuration
    sh run crypto          show the VPN-related configuration
    sh run | inc crypto    plain keyword filtering of the running config

2. Failover
    failover
    failover lan unit primary
    failover lan interface testint Ethernet0/3
    failover link testint Ethernet0/3
    failover mac address Ethernet0/1 0018.1900.5000 0018.1900.5001
    failover mac address Ethernet0/0 0018.1900.4000 0018.1900.4001
    failover mac address Ethernet0/2 0018.1900.6000 0018.1900.6001
    failover mac address Management0/0 0018.1900.7000 0018.1900.7001
    failover interface ip testint 10.3.3.1 255.255.255.0 standby 10.3.3.2
Note: it is best to configure virtual MAC addresses.
    sh failover        show the failover configuration and state
    write standby      write the configuration to the standby firewall
The failover command set is as follows:
    interface          Configure the IP address and mask to be used for failover and/or stateful update information
    interface-policy   Set the policy for failover due to interface failures
    key                Configure the failover shared secret or key
    lan                Specify the unit as primary or secondary or configure the interface and vlan to be used for failover communication
    link               Configure the interface and vlan to be used as a link for stateful update information
    mac                Specify the virtual mac address for a physical interface
    polltime           Configure failover poll interval
    replication        Enable HTTP (port 80) connection replication
    timeout            Specify the failover reconnect timeout value for asymmetrically routed sessions
The sh failover command set is as follows:
    history            Show failover switching history
    interface          Show failover command interface information
    state              Show failover internal state information
    statistics         Show failover command interface statistics information
    |                  Output modifiers
    <cr>

3. Configure telnet, SSH and HTTP management
    username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
    aaa authentication enable console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http 192.168.40.0 255.255.255.0 management
    ssh 192.168.40.0 255.255.255.0 inside

4. Common VPN management commands
    sh vpn-sessiondb full l2l          show the state of site-to-site VPN tunnels
    sh ipsec stats                     show IPsec tunnel statistics
    sh vpn-sessiondb summary           show VPN summary information
    sh vpn-sessiondb detail l2l        show IPsec details
    sh vpn-sessiondb detail svc        show SSL client information
    sh vpn-sessiondb detail webvpn     show WebVPN information
    sh vpn-sessiondb detail full l2l   the equivalent of ipsec whack --status on Linux; if no connection is listed, the IPsec tunnel has not been established
II. Lab Environment
The ASA firewall's eth0 interface is defined as the outside zone (security-level 0) and connects to the Router's F0/0; the eth1 interface is defined as the inside zone (security-level 100) and connects to the Switch's uplink port; the Eth2 interface is defined as the DMZ zone (security-level 60) and connects to the Mail Server.
Cisco ASA 5500: Lab on Mutual Access Between Zones of Different Security Levels

I. Network Topology
III. Lab Objectives
Allow the inside zone to reach outside, i.e. the Switch can ping the Router's F0/0 (202.100.10.2); allow the dmz zone to reach outside, i.e. the Mail Server can ping the Router's F0/0 (202.100.10.2); allow outside to reach the http port (80) of the Web Server in the inside zone and the pop3 port (110) and smtp port (25) of the Mail Server in the dmz zone.
IV. Detailed Configuration Steps
By:koyChai
1. Interface configuration
    CiscoASA(config)# interface ethernet 0
    CiscoASA(config-if)# nameif outside
    CiscoASA(config-if)# security-level 0
    CiscoASA(config-if)# ip address 202.100.10.1 255.255.255.0
    CiscoASA(config-if)# no shut
    CiscoASA(config)# interface ethernet 1
    CiscoASA(config-if)# nameif inside
    CiscoASA(config-if)# security-level 100
    CiscoASA(config-if)# ip address 192.168.1.1 255.255.255.0
    CiscoASA(config-if)# no shut
    CiscoASA(config)# interface ethernet 2
    CiscoASA(config-if)# nameif dmz
7. Apply the access-lists to the interfaces
    CiscoASA(config)# access-group 101 in interface outside
    CiscoASA(config)# access-group 102 in interface inside
    CiscoASA(config)# access-group 103 in interface dmz
[Steps 2 to 6 are garbled beyond recovery in this copy. Only their headings survive: configuring the IP mappings (one-to-one static mappings), defining the address ranges of the high-security interface zone, defining the address ranges of the low-security interface zone, and configuring static routes (the default route and the route for outside access to the internal servers).]
1. When traffic flows from a higher-security zone to a lower-security zone
1. As long as routing is in place, hosts in the lower-security zone can be reached by telnet directly, with no nat/global and no access-list configured; 2. As long as routing is in place and an access-list is configured, hosts in the lower-security zone can be pinged without configuring nat/global; 3. As long as routing is in place and nat/global/access-list are all configured, both telnet and ping go through address translation.
2. When traffic flows from a lower-security zone to a higher-security zone
1. Even with routing in place, access does not succeed; 2. With routing in place, a static IP mapping and an access-list must also be configured correctly before access succeeds; 3. Working routing is the foundation; beyond that, success depends only on static/access-list and has nothing to do with nat/global.
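The two rule sets above, turned into a check over a parsed ASA configuration, as an added example that is not part of the lab write-up: it reports what a given inter-zone flow is still missing. The interface names and security levels are the lab's; the sample static mapping and access-list contents are constructed assumptions, since the page's copy of those steps is garbled, and the placement of the ICMP-reply ACL on the lower-security interface is an assumption the page does not spell out.

```python
"""Checker for the lab's ASA inter-zone rules (added example, not lab code).
high -> low level: routing suffices for TCP; ping also needs an ACL on the
                   low-security side permitting ICMP (assumed placement).
low -> high level: needs a static (high,low) mapping AND an ACL bound to the
                   low-security interface that permits the protocol."""
import re

# Constructed sample modelled on the lab; DMZ level is the lab's, the static
# mapping and ACL contents are assumptions (the page's copy is garbled).
SAMPLE_CONFIG = """
interface ethernet 0
 nameif outside
 security-level 0
interface ethernet 1
 nameif inside
 security-level 100
interface ethernet 2
 nameif dmz
 security-level 60
static (inside,outside) 202.100.10.10 192.168.1.10 netmask 255.255.255.255
access-list 101 extended permit tcp any host 202.100.10.10 eq 80
access-list 101 extended permit icmp any any echo-reply
access-group 101 in interface outside
"""


def parse_asa(text):
    """Extract security levels, static mappings, ACL bodies and ACL bindings."""
    cfg = {"levels": {}, "statics": set(), "acls": {}, "groups": {}}
    iface = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            iface = None                      # name is known only after nameif
        elif line.startswith("nameif "):
            iface = line.split()[1]
        elif line.startswith("security-level ") and iface:
            cfg["levels"][iface] = int(line.split()[1])
        elif line.startswith("static ("):
            m = re.match(r"static \((\w+),(\w+)\)", line)
            cfg["statics"].add((m.group(1), m.group(2)))   # (high, low)
        elif line.startswith("access-list "):
            cfg["acls"].setdefault(line.split()[1], []).append(line)
        elif line.startswith("access-group "):
            parts = line.split()              # access-group NAME in interface IF
            cfg["groups"][parts[4]] = parts[1]
    return cfg


def acl_permits(cfg, iface, proto):
    """True if the ACL bound to iface has a permit line for proto (or ip)."""
    acl = cfg["groups"].get(iface)
    pattern = re.compile(rf"\bpermit\s+(ip|{proto})\b")
    return acl is not None and any(pattern.search(l) for l in cfg["acls"].get(acl, []))


def check_flow(cfg, src, dst, proto="tcp"):
    """Return the list of missing pieces; an empty list means the flow is allowed."""
    missing = []
    if cfg["levels"][src] > cfg["levels"][dst]:          # high -> low
        if proto == "icmp" and not acl_permits(cfg, dst, "icmp"):
            missing.append(f"access-list on {dst} permitting icmp replies")
        return missing
    if (dst, src) not in cfg["statics"]:                  # low -> high
        missing.append(f"static ({dst},{src}) mapping")
    if not acl_permits(cfg, src, proto):
        missing.append(f"access-list on {src} permitting {proto}")
    return missing


if __name__ == "__main__":
    cfg = parse_asa(SAMPLE_CONFIG)
    for src, dst, proto in [("inside", "outside", "icmp"), ("outside", "inside", "tcp"),
                            ("outside", "dmz", "tcp"), ("dmz", "inside", "tcp")]:
        print(f"{src} -> {dst} ({proto}):", check_flow(cfg, src, dst, proto) or "ok")
```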