ASA Configuration Compendium
1. Basic ASA configuration
Static route: route outside 192.168.100.0 255.255.255.0 192.168.1.99
Allow telnet: telnet 192.168.10.0 255.255.255.0 inside
Telnet idle timeout: telnet timeout 5
Local authentication for telnet and console: aaa authentication telnet console LOCAL
Configure SSH and generate the RSA key pair:
aaa authentication ssh console LOCAL
ciscoasa(config)# crypto key generate rsa
INFO: The name for the keys will be:
Keypair generation process begin. Please wait...
ciscoasa(config)#
Allow SSH: ssh 192.168.10.0 255.255.255.0 inside
Allow ASDM management:
http server enable
http 192.168.10.0 255.255.255.0 inside
asdm image disk0:/asdm-602.bin
username cisco password cisco privilege 15
PAT:
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
Port mapping (static PAT):
access-list to_server extended permit tcp any host 192.168.1.99 eq www
access-group to_server in interface outside
static (inside,outside) tcp interface www 192.168.10.98 www netmask 255.255.255.255
ACL:
access-list to_server extended permit tcp any host 192.168.1.99 eq www
access-group to_server in interface outside
Allow ICMP through the firewall (ICMP inspection):
policy-map global_policy
class inspection_default
inspect icmp
URL filtering:
url-server (outside) vendor websense host 192.168.1.100 timeout 30 protocol TCP version 1 connections 5
filter url http 192.168.10.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
Logging:
Enable logging: logging enable
Enable console logging: logging console 7
Send logs to a syslog server:
logging trap 7
logging host inside 192.168.10.98
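Added example (not part of the original reference): a Python parser for the syslog stream that "logging trap 7" and "logging host inside 192.168.10.98" send to the collector. It pulls the severity and message ID out of the %ASA-<severity>-<id> header, decodes the 106023 ACL-deny and 605004/605005 management-login messages, and applies the trap level as a filter the way the ASA itself would before sending. The log lines are constructed for the example, and the 203.0.113.x source addresses and the collector-side prefix are assumed.

```python
import re
from collections import Counter

# ASA syslog body: %ASA-<severity>-<message id>: <text>. A <PRI>, timestamp and
# hostname may precede it when the message arrives via 'logging host'.
ASA_MSG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")

# Field layouts of the two message types this example decodes.
DENY = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)
LOGIN = re.compile(
    r"Login (?P<result>permitted|denied) from (?P<src>[\d.]+)/\d+ to "
    r"(?P<dif>\w+):(?P<dst>[\d.]+)/(?P<svc>\w+) for user \"(?P<user>[^\"]+)\""
)


def parse_asa_syslog(line):
    """Return a dict describing one ASA syslog line, or None if it is not one."""
    m = ASA_MSG.search(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}
    if rec["msgid"] == "106023":
        d = DENY.search(rec["text"])
        if d:
            rec.update(d.groupdict())
    elif rec["msgid"] in ("605004", "605005"):
        lg = LOGIN.search(rec["text"])
        if lg:
            rec.update(lg.groupdict())
    return rec


def summarize(lines, trap_level=7):
    """Aggregate the records a collector fed by 'logging trap <trap_level>' would see."""
    denies = Counter()
    failed_logins = Counter()
    kept = 0
    for line in lines:
        rec = parse_asa_syslog(line)
        if rec is None or rec["severity"] > trap_level:
            continue  # the ASA would not send messages above the trap level
        kept += 1
        if rec["msgid"] == "106023" and "src" in rec:
            denies[(rec["src"], rec["dst"], rec["dport"])] += 1
        if rec["msgid"] == "605004" and "src" in rec:
            failed_logins[(rec["src"], rec["user"])] += 1
    return {"kept": kept, "denies": denies, "failed_logins": failed_logins}


# Constructed sample lines (not captured from a real device); the bodies follow
# the documented layouts of %ASA-6-302013, %ASA-4-106023 and %ASA-6-60500x.
SAMPLE_LOG = [
    '<166>Mar 12 10:15:01 ciscoasa %ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:192.168.10.98/80 (192.168.1.99/80)',
    '<164>Mar 12 10:15:02 ciscoasa %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:192.168.10.98/23 by access-group "to_server" [0x0, 0x0]',
    '<164>Mar 12 10:15:03 ciscoasa %ASA-4-106023: Deny tcp src outside:203.0.113.9/4445 dst inside:192.168.10.98/23 by access-group "to_server" [0x0, 0x0]',
    '<166>Mar 12 10:15:04 ciscoasa %ASA-6-605004: Login denied from 192.168.10.7/52001 to inside:192.168.10.1/ssh for user "cisco"',
    '<166>Mar 12 10:15:05 ciscoasa %ASA-6-605005: Login permitted from 192.168.10.5/52000 to inside:192.168.10.1/ssh for user "cisco"',
    'Mar 12 10:15:06 ciscoasa sshd[12]: not an ASA message',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Lowering trap_level in summarize() shows what is lost when the trap level on the ASA is reduced from 7: the severity-6 connection and login messages disappear and only the ACL denies remain.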
IPS (ip audit):
ip audit name zxd info action alarm
ip audit name cisco attack action alarm
ip audit interface outside zxd
ip audit interface outside cisco
2. VPN configuration
ASA IPsec LAN-to-LAN (L2L) configuration:
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set cisco esp-des esp-none
crypto map cisco 10 match address nonat
crypto map cisco 10 set peer 192.168.1.96
crypto map cisco 10 set transform-set cisco
crypto map cisco interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash sha
group 1
tunnel-group 192.168.1.96 type ipsec-l2l
tunnel-group 192.168.1.96 ipsec-attributes
pre-shared-key cisco
ASA remote-access VPN server configuration:
ip local pool vpnpool 192.168.2.250-192.168.2.254
group-policy vpntest internal
group-policy vpntest attributes
vpn-tunnel-protocol IPSec
username zhong password xiaodong
tunnel-group vpntest type remote-access
tunnel-group vpntest general-attributes
address-pool vpnpool
default-group-policy vpntest
tunnel-group vpntest ipsec-attributes
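Added example (not part of the original reference): a Python audit of a config assembled from the commands in sections 1 and 2. It parses the flat commands and the "crypto isakmp policy" block, then flags the settings a reviewer would raise: the telnet access line (cleartext management), "esp-des esp-none" in the transform set (weak cipher, no ESP integrity), and "encryption des" / "group 1" in the ISAKMP policy. The hardened counterpart it builds (AES-256 with SHA HMAC for ESP, AES-256 and DH group 14 for IKE, telnet removed) is an assumed replacement, not from the page. The "nat (inside) 1", "global" and "static" lines on this page are the pre-8.3 NAT syntax; the audit does not examine them.

```python
import re

# Constructed running-config excerpt assembled from the commands on this page
# (not captured from a real device); sub-commands are indented one space as in
# 'show running-config'.
SAMPLE_CONFIG = """\
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
http server enable
http 192.168.10.0 255.255.255.0 inside
logging enable
logging trap 7
logging host inside 192.168.10.98
crypto ipsec transform-set cisco esp-des esp-none
crypto map cisco 10 match address nonat
crypto map cisco 10 set peer 192.168.1.96
crypto map cisco 10 set transform-set cisco
crypto map cisco interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 1
tunnel-group 192.168.1.96 type ipsec-l2l
"""

# Hardened counterpart (assumed replacements, not from the page): AES-256 with
# SHA HMAC for ESP, AES-256 and DH group 14 for IKE, and no telnet access line.
HARDENED_CONFIG = (
    SAMPLE_CONFIG.replace("telnet 192.168.10.0 255.255.255.0 inside\n", "")
    .replace("esp-des esp-none", "esp-aes-256 esp-sha-hmac")
    .replace(" encryption des", " encryption aes-256")
    .replace(" group 1", " group 14")
)

WEAK_ESP_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
WEAK_ISAKMP_ENC = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_config(text):
    """Return (top-level commands, {policy number: {sub-command: value}})."""
    commands, policies, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
            continue
        current = None  # any unindented line ends the policy block
        commands.append(line)
    return commands, policies


def audit(text):
    """Return a list of (severity, finding) tuples for weak settings in the config."""
    commands, policies = parse_config(text)
    findings = []
    for cmd in commands:
        if re.match(r"telnet \d", cmd):
            findings.append(("high", f"cleartext management access: '{cmd}'"))
        m = re.match(r"crypto ipsec transform-set (\S+) (.*)", cmd)
        if m:
            name, algs = m.group(1), set(m.group(2).split())
            weak = sorted(algs & WEAK_ESP_CIPHERS)
            if weak:
                findings.append(("high", f"transform-set {name} uses weak cipher {weak}"))
            if "esp-none" in algs or not any(a.endswith("-hmac") or "gcm" in a for a in algs):
                findings.append(("high", f"transform-set {name} provides no ESP integrity"))
    for num, p in policies.items():
        if p.get("encryption") in WEAK_ISAKMP_ENC:
            findings.append(("high", f"isakmp policy {num} uses {p['encryption']} encryption"))
        if p.get("group") in WEAK_DH_GROUPS:
            findings.append(("medium", f"isakmp policy {num} uses DH group {p['group']}"))
        if p.get("hash") == "md5":
            findings.append(("medium", f"isakmp policy {num} uses md5 hash"))
    if "logging enable" not in commands:
        findings.append(("medium", "logging is not enabled"))
    elif not any(c.startswith("logging host ") for c in commands):
        findings.append(("low", "no syslog server configured (logging host)"))
    return findings


if __name__ == "__main__":
    for cfg_name, cfg in (("page config", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(cfg_name, audit(cfg))
```

Running it against the page's own settings produces five findings (four high); the hardened variant produces none, which is the quickest way to confirm that a proposed change actually clears every item the audit raised.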