ASA 5510 common configuration command manual
Cisco ASA 5510 configuration manual
CISCO ASA 5510 // OK
ciscoasa# show ver
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 3 mins 5 secs
Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Ext: GigabitEthernet0/0  : address is c47d.4f85.1708, irq 9
 1: Ext: GigabitEthernet0/1  : address is c47d.4f85.1709, irq 9
 2: Ext: GigabitEthernet0/2  : address is c47d.4f85.170a, irq 9
 3: Ext: GigabitEthernet0/3  : address is c47d.4f85.170b, irq 9
 4: Ext: Management0/0       : address is c47d.4f85.1707, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5
Maximum VLANs             : 150
Inside Hosts              : Unlimited
Failover                  : Active/Active
VPN-DES                   : Enabled
VPN-3DES-AES              : Disabled
Security Contexts         : 2
GTP/GPRS                  : Disabled
VPN Peers                 : 750
WebVPN Peers              : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1406L0Y6
Running Activation Key: 0x6a265955 0xf07c223d 0x2cf345f4 0xb3447884 0xc128879b
Configuration register is 0x1
Configuration last modified by enable_15 at 12:23:52.072 UTC Mon Sep 6 2010

ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password gfFm2E3sthJOc7bq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif untrust
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.18.19.254 255.255.255.0
!
interface GigabitEthernet0/2
 nameif trust
 security-level 100
 ip address 172.18.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
pager lines 24
logging enable
mtu dmz 1500
mtu trust 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/ASDM-524.BIN
no asdm history enable
arp timeout 14400
global (untrust) 1 interface
nat (trust) 1 0.0.0.0 0.0.0.0
static (trust,untrust) tcp 113.105.88.57 86 172.18.11.8 86 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.57 5000 172.18.11.8 5000 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.58 6800 172.18.11.130 6800 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.58 4800 172.18.11.130 4800 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.58 3306 172.18.11.130 3306 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.58 6800 172.18.11.130 6800 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.58 4800 172.18.11.130 4800 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.58 3306 172.18.11.130 3306 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.58 81 172.18.11.130 81 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.58 81 172.18.11.130 81 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 1011 172.18.11.9 1011 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 1011 172.18.11.9 1011 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 1018 172.18.11.9 1018 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 1018 172.18.11.9 1018 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 81 172.18.15.99 www netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 2000 172.18.15.99 2000 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.59 2000 172.18.15.99 2000 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.59 www 172.18.15.99 www netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 8080 172.18.15.99 8080 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 ftp-data 172.18.11.123 ftp-data netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 ftp 172.18.11.123 ftp netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 telnet 172.18.11.123 telnet netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 1010 172.18.11.123 1000 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 8003 172.18.11.123 8003 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 8010 172.18.11.123 8010 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 8012 172.18.11.123 8012 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 8880 172.18.11.123 8880 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 1012 172.18.11.9 1012 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 1013 172.18.11.9 1013 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 1014 172.18.11.9 1014 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 1012 172.18.11.9 1012 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 1013 172.18.11.9 1013 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 1014 172.18.11.9 1014 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 5000 172.18.15.99 5000 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 4000 172.18.15.99 4000 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2000 172.18.11.9 2000 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2000 172.18.11.9 2000 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 2009 172.18.15.99 2009 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.59 2009 172.18.15.99 2009 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 8081 172.18.15.99 8081 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.59 8081 172.18.15.99 8081 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2001 172.18.11.9 2001 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2002 172.18.11.9 2002 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2003 172.18.11.9 2003 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2004 172.18.11.9 2004 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2005 172.18.11.9 2005 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2010 172.18.11.9 2010 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2001 172.18.11.9 2001 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2002 172.18.11.9 2002 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2003 172.18.11.9 2003 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2004 172.18.11.9 2004 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2005 172.18.11.9 2005 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2006 172.18.11.9 2006 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2007 172.18.11.9 2007 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2008 172.18.11.9 2008 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2009 172.18.11.9 2009 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2010 172.18.11.9 2010 netmask 255.255.255.255
static (trust,untrust) 113.105.88.61 172.18.11.10 netmask 255.255.255.255
access-group 102 in interface untrust
route untrust 0.0.0.0 0.0.0.0 10.92.8.9 1
route trust 172.18.11.0 255.255.255.0 172.18.1.2 1
route trust 172.18.12.0 255.255.255.0 172.18.1.2 1
route trust 172.18.13.0 255.255.255.0 172.18.1.2 1
route trust 172.18.14.0 255.255.255.0 172.18.1.2 1
route trust 172.18.15.0 255.255.255.0 172.18.1.2 1
route trust 172.18.16.0 255.255.255.0 172.18.1.2 1
route trust 172.18.17.0 255.255.255.0 172.18.1.2 1
route trust 172.18.18.0 255.255.255.0 172.18.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 trust
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 untrust
ssh timeout 30
console timeout 0
username admin password f3UhLvUj1QsXsuK7 encrypted
!
!
prompt hostname context
Cryptochecksum:634aa0023e75546939c8b013c69a61b7
: end

ciscoasa# show start
ciscoasa# show startup-config
: Saved
: Written by enable_15 at 12:24:22.081 UTC Mon Sep 6 2010
!
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password gfFm2E3sthJOc7bq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif untrust
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.18.19.254 255.255.255.0
!
interface GigabitEthernet0/2
 nameif trust
 security-level 100
 ip address 172.18.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
pager lines 24
logging enable
mtu dmz 1500
mtu trust 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/ASDM-524.BIN
no asdm history enable
arp timeout 14400
global (untrust) 1 interface
nat (trust) 1 0.0.0.0 0.0.0.0
static (trust,untrust) tcp 113.105.88.57 86 172.18.11.8 86 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.57 5000 172.18.11.8 5000 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.58 6800 172.18.11.130 6800 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.58 4800 172.18.11.130 4800 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.58 3306 172.18.11.130 3306 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.58 6800 172.18.11.130 6800 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.58 4800 172.18.11.130 4800 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.58 3306 172.18.11.130 3306 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.58 81 172.18.11.130 81 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.58 81 172.18.11.130 81 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 1011 172.18.11.9 1011 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 1011 172.18.11.9 1011 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 1018 172.18.11.9 1018 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 1018 172.18.11.9 1018 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 81 172.18.15.99 www netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 2000 172.18.15.99 2000 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.59 2000 172.18.15.99 2000 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.59 www 172.18.15.99 www netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 8080 172.18.15.99 8080 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.59 8000 172.18.11.123 8000 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 6999 172.18.11.123 6999 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 ftp-data 172.18.11.123 ftp-data netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 ftp 172.18.11.123 ftp netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 telnet 172.18.11.123 telnet netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 1010 172.18.11.123 1000 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 8003 172.18.11.123 8003 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 8010 172.18.11.123 8010 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 8012 172.18.11.123 8012 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 8880 172.18.11.123 8880 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 1012 172.18.11.9 1012 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 1013 172.18.11.9 1013 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 1014 172.18.11.9 1014 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 1012 172.18.11.9 1012 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 1013 172.18.11.9 1013 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 1014 172.18.11.9 1014 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 5000 172.18.15.99 5000 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 4000 172.18.15.99 4000 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2000 172.18.11.9 2000 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2000 172.18.11.9 2000 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 2009 172.18.15.99 2009 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.59 2009 172.18.15.99 2009 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.59 8081 172.18.15.99 8081 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.59 8081 172.18.15.99 8081 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2001 172.18.11.9 2001 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2002 172.18.11.9 2002 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2003 172.18.11.9 2003 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2004 172.18.11.9 2004 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2005 172.18.11.9 2005 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2008 172.18.11.9 2008 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2009 172.18.11.9 2009 netmask 255.255.255.255
static (trust,untrust) tcp 113.105.88.60 2010 172.18.11.9 2010 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2001 172.18.11.9 2001 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2002 172.18.11.9 2002 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2003 172.18.11.9 2003 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2004 172.18.11.9 2004 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2005 172.18.11.9 2005 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2006 172.18.11.9 2006 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2007 172.18.11.9 2007 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2008 172.18.11.9 2008 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2009 172.18.11.9 2009 netmask 255.255.255.255
static (trust,untrust) udp 113.105.88.60 2010 172.18.11.9 2010 netmask 255.255.255.255
static (trust,untrust) 113.105.88.61 172.18.11.10 netmask 255.255.255.255
access-group 102 in interface untrust
route untrust 0.0.0.0 0.0.0.0 10.92.8.9 1
route trust 172.18.11.0 255.255.255.0 172.18.1.2 1
route trust 172.18.12.0 255.255.255.0 172.18.1.2 1
route trust 172.18.13.0 255.255.255.0 172.18.1.2 1
route trust 172.18.14.0 255.255.255.0 172.18.1.2 1
route trust 172.18.15.0 255.255.255.0 172.18.1.2 1
route trust 172.18.16.0 255.255.255.0 172.18.1.2 1
route trust 172.18.17.0 255.255.255.0 172.18.1.2 1
route trust 172.18.18.0 255.255.255.0 172.18.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 trust
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 trust
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 untrust
ssh timeout 30
console timeout 0
username admin password f3UhLvUj1QsXsuK7 encrypted
!
!
prompt hostname context
Cryptochecksum:634aa0023e75546939c8b013c69a61b7
ciscoasa#
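The running configuration above applies access-list 102, which ends in permit ip any any, inbound on the untrust interface, allows cleartext telnet from any source on trust and SSH from any source on untrust, and the saved startup-config additionally opens HTTP (ASDM) from any source. Those are the first things a reviewer checks in a dump like this, because with an any/any inbound ACL every static translation (the MySQL port 3306 mapping, for instance) becomes reachable from the Internet. The following is an added example, not code from the manual: a Python check that parses only the statements involved and reports those exposures. It runs over a constructed, trimmed copy of the dump (the untrust security-level 0 is an assumption, since the dump omits that line) and over a constructed hardened counterpart that produces no findings.

```python
"""Audit ASA 7.x-style configuration for management-plane and ACL exposure (added example)."""
from collections import defaultdict

# Constructed sample trimmed from the show run above; security-level 0 on untrust is assumed.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif untrust
 security-level 0
!
interface GigabitEthernet0/2
 nameif trust
 security-level 100
!
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-group 102 in interface untrust
static (trust,untrust) tcp 113.105.88.58 3306 172.18.11.130 3306 netmask 255.255.255.255
http server enable
http 0.0.0.0 0.0.0.0 trust
telnet 0.0.0.0 0.0.0.0 trust
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 untrust
ssh timeout 30
"""

# Constructed hardened counterpart: inbound ACL scoped to the one published service
# (pre-8.3 ACLs name the mapped address), management only via SSH/HTTPS from one inside subnet.
HARDENED_CONFIG = """\
interface GigabitEthernet0/0
 nameif untrust
 security-level 0
!
interface GigabitEthernet0/2
 nameif trust
 security-level 100
!
access-list 102 extended permit tcp any host 113.105.88.58 eq 81
access-group 102 in interface untrust
static (trust,untrust) tcp 113.105.88.58 81 172.18.11.130 81 netmask 255.255.255.255
http server enable
http 172.18.1.0 255.255.255.0 trust
ssh 172.18.1.0 255.255.255.0 trust
ssh timeout 30
"""


def parse_asa_config(text):
    """Extract interfaces, extended ACLs, access-groups, statics and management-access lines."""
    cfg = {"interfaces": {}, "acls": defaultdict(list), "access_groups": [], "statics": [], "mgmt": []}
    current_if = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        parts = line.split()
        if line.startswith(" ") and current_if is not None:  # sub-command of the open interface block
            if parts[0] == "nameif":
                current_if["nameif"] = parts[1]
            elif parts[0] == "security-level":
                current_if["security_level"] = int(parts[1])
            continue
        current_if = None
        if parts[0] == "interface":
            current_if = {"name": parts[1], "nameif": None, "security_level": None}
            cfg["interfaces"][parts[1]] = current_if
        elif parts[0] == "access-list" and "extended" in parts:
            cfg["acls"][parts[1]].append(parts[parts.index("extended") + 1:])  # ACTION PROTO SRC DST ...
        elif parts[0] == "access-group":
            cfg["access_groups"].append((parts[1], parts[2], parts[4]))  # NAME in|out interface IFNAME
        elif parts[0] == "static":
            # static (real_if,mapped_if) [tcp|udp mapped_ip mapped_port real_ip real_port | mapped_ip real_ip] netmask ...
            real_if, mapped_if = parts[1].strip("()").split(",")
            if parts[2] in ("tcp", "udp"):
                entry = dict(proto=parts[2], mapped_ip=parts[3], mapped_port=parts[4], real_ip=parts[5], real_port=parts[6])
            else:
                entry = dict(proto="ip", mapped_ip=parts[2], mapped_port="*", real_ip=parts[3], real_port="*")
            entry.update(real_if=real_if, mapped_if=mapped_if)
            cfg["statics"].append(entry)
        elif parts[0] in ("telnet", "ssh", "http") and len(parts) == 4:
            cfg["mgmt"].append(tuple(parts))  # PROTO SRC MASK IFNAME ("ssh timeout 30" has only 3 tokens)
    return cfg


def audit(cfg):
    """Return (code, detail) findings for the exposure patterns a reviewer flags first."""
    findings = []
    levels = {i["nameif"]: i["security_level"] for i in cfg["interfaces"].values() if i["nameif"]}
    wide_open = set()  # interfaces whose inbound ACL contains permit ip any any
    for acl, direction, ifname in cfg["access_groups"]:
        if direction == "in" and any(e[:4] == ["permit", "ip", "any", "any"] for e in cfg["acls"][acl]):
            wide_open.add(ifname)
            findings.append(("ACL_ANY_ANY", f"{acl} permits ip any any inbound on {ifname}"))
    for s in cfg["statics"]:
        if s["mapped_if"] in wide_open:  # the translation is reachable only if the inbound ACL admits it
            findings.append(("STATIC_REACHABLE_FROM_ANY",
                             f"{s['proto']} {s['mapped_ip']}:{s['mapped_port']} -> {s['real_ip']}:{s['real_port']} on {s['mapped_if']}"))
    for proto, src, mask, ifname in cfg["mgmt"]:
        if proto == "telnet":
            findings.append(("TELNET_ENABLED", f"cleartext telnet from {src} {mask} on {ifname}"))
        if (src, mask) == ("0.0.0.0", "0.0.0.0"):
            findings.append(("MGMT_FROM_ANY", f"{proto} from any source on {ifname}"))
        if levels.get(ifname) is not None and levels[ifname] < 100:
            findings.append(("MGMT_ON_LOW_SECURITY_IF", f"{proto} on {ifname} (security-level {levels[ifname]})"))
    return findings
```

Running audit(parse_asa_config(SAMPLE_CONFIG)) yields seven findings (the any/any ACL, the 3306 static it exposes, telnet enabled, three management services open to any source, and SSH on the level-0 interface); the hardened sample yields none. The checks stay deliberately narrow: they do not evaluate ACL entries beyond the ip any any case, so a clean result is a starting point for review, not a clean bill of health.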
ASA 5510 rate limiting and related configuration
gametuzi(config)# hostname gametuzi5510          // new hostname
gametuzi5510(config)# int e0/0                   // enter interface E0/0
gametuzi5510(config-if)# security-level 0        // set the security level; as this is the outside interface, the security level is the highest
Topology diagram:
Rate-limiting configuration:
access-list rate_limit_1 extended permit ip any host 192.168.1.2   // (limit downloads of 192.168.1.2)
access-list rate_limit_1 extended permit ip host 192.168.1.2 any   // (limit uploads of 192.168.1.2)
gametuzi5510# conf t
gametuzi5510(config)# global (outside) 1 interface                 // PAT address translation!
gametuzi5510(config)# end
gametuzi5510# conf t
gametuzi5510(config)# route outside 0.0.0.0 0.0.0.0 192.168.3.254  // default route: traffic to all external addresses leaves via 192.168.3.254.
Ciscoasa(config)# access-group 100 in interface outside per-user-override
Access requires that the ACL be applied.
Note: if you only need to map one internal server to the public network, it can be done like this:
ciscoasa(config)# static (inside, outside) 219.139.*.* 192.168.16.254
Cisco ASA 5510 firewall practical configuration manual (Chinese)
Equipment used (for lab purposes only; in a real deployment change the parameters to suit your situation):
Core switch 4507: provides VLAN 3, gateway address 192.168.3.254; provides the connection to the DNS server 192.168.0.1.
Access switch 2960: provides the VLAN 3 trunk connection; usable IP addresses 192.168.3.0-192.168.3.240, mask 255.255.255.0, gateway 192.168.3.254, DNS 192.168.0.1.
Inside lab firewall Cisco ASA 5510: E0/0 IP 192.168.3.234, E0/1 IP 10.1.1.1.
Policies to implement:
1. Dynamic inside host PC1 obtains its IP address automatically via DHCP, can access the Internet and can ping the outside gateway.
PC1:
Ethernet adapter 本地连接:
        Connection-specific DNS Suffix  . : gametuzi
        Description . . . . . . . . . . . : Broadcom 440x roller
        Physical Address. . . . . . . . . : 00-13-77-04-9
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 10.1.1.1
        DHCP Server . . . . . . . . . . . : 10.1.1.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
2. Static inside host PC2 is assigned an address manually, can access the Internet and can ping the outside gateway.
PC1 Ethernet adapter 本地连接: Connection-specific DNS Suffix . :
Cisco ASA 5510: reloading the IOS image
Reloading the IOS on an ASA 5510 from rommon. First, some notes: the recovery procedure used a Gigabit Ethernet port (GE) on an ASA 5520, the Fast Ethernet management port (MGMT), a console port, the 3CDaemon software, one PC, backed-up asa708-k8.bin and asdm-508.bin images, a console cable and an ordinary network cable.
2. The steps and configuration are as follows. Power on the 5520; during boot the following prompt appears:
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Then press ESC to enter monitor (rommon) mode.
3. In monitor mode, "?" or "help" gives command help; the recovery-related commands shown by "?" or "help" are listed below.
rommon #0> ?
Variables:     Use "sync" to store in NVRAM
ADDRESS=     <addr>  local IP address
CONFIG=      <name>  config file path/name
GATEWAY=     <addr>  gateway IP address
IMAGE=       <name>  image file path/name
LINKTIMEOUT= <num>   Link UP timeout (seconds)
PKTTIMEOUT=  <num>   packet timeout (seconds)
PORT=        <name>  ethernet interface port
RETRY=       <num>   Packet Retry Count (Ping/TFTP)
SERVER=      <addr>  server IP address
VLAN=        <num>   enable/disable DOT1Q tagging on the selected port
ASA 5510 configuration example 1
Equipment used (for lab purposes only; in a real deployment change the parameters to suit your situation):
Core switch 4507: provides VLAN 3, gateway address 192.168.3.254; provides the connection to the DNS server 192.168.0.1.
Access switch 2960: provides the VLAN 3 trunk connection; usable IP addresses 192.168.3.0-192.168.3.240, mask 255.255.255.0, gateway 192.168.3.254, DNS 192.168.0.1.
Inside lab firewall Cisco ASA 5510: E0/0 IP 192.168.3.234, E0/1 IP 10.1.1.1.
Policies to implement:
1. Dynamic inside host PC1 obtains its IP address automatically via DHCP, can access the Internet and can ping the outside gateway.
PC1:
Ethernet adapter 本地连接:
        Connection-specific DNS Suffix  . : gametuzi
        Description . . . . . . . . . . . : Broadcom 440x roller
        Physical Address. . . . . . . . . : 00-13-77-04-9
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 10.1.1.1
        DHCP Server . . . . . . . . . . . : 10.1.1.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
2. Static inside host PC2 is assigned an address manually, can access the Internet and can ping the outside gateway.
ASA firewall configuration
ASA firewall initial configuration
1. Modes
">" is user mode. firewall> enable moves from user mode to privileged mode (prompts password:).
"#" is privileged mode. firewall# config t moves from privileged mode to global configuration mode.
"(config)#" is global configuration mode. All firewall configuration can be done from global configuration mode.
2. Interface configuration (using the 5510 and higher models as the example; 5505 interfaces are VLAN-based):
interface Ethernet0/0
 nameif inside            // interface name, mandatory!
 security-level 100       // interface security level
 ip address 10.0.0.10 255.255.255.0
 no shut
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 no shut
3. Route configuration:
Default route: route outside 0 0 202.100.1.1 (0 0 stands for 0.0.0.0 0.0.0.0)
Static route: route inside 192.168.1.0 255.255.255.0 10.0.0.1
5505 interface configuration:
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.6.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 202.100.1.10
ASA firewall NAT configuration
For inside users to reach the Internet, their addresses must be translated to registered addresses that are routable on the public network. On the firewall, nat and global work as a pair: nat defines the addresses to be translated and global defines the addresses they are translated to. All of this is configured in global configuration mode. NAT configuration:
firewall(config)# nat (inside) 1 0 0
Here inside is the interface whose addresses are translated; 1 must match the number after global, much like an access-list number, and entries are processed top down; 0 0 means match everything (the first 0 is the address, the second the mask), so all inside addresses are translated.
ASA 5510 firewall VPN configuration
ASA 5510 firewall remote-access IPsec VPN configuration
1. Basic IPsec VPN configuration
access-list no-nat extended permit ip                         // define the VPN traffic
nat (inside) 0 access-list no-nat                             // exempt the IPsec VPN traffic from NAT
ip local pool vpn-pool mask                                   // define the address pool assigned to VPN users after they connect
crypto ipsec transform-set vpnset esp-des esp-md5-hmac        // define a transform set, myset, using esp-md5
(Online examples generally use esp-3des esp-sha-hmac or esp-des esp-sha-hmac, but the firewall I used did not have 3des enabled, so only esp-des was available; as for esp-sha-hmac, for some reason the tunnel group could never connect with it, so I switched to esp-md5-hmac. I do not know the exact cause.)
(Addendum: I later tested esp-3des esp-sha-hmac on an ASA 5520 firewall and it worked.)
crypto dynamic-map dymap 10 set transform-set vpnset          // add vpnset to the dynamic crypto map dynmap
crypto dynamic-map dymap 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic d Simap               // bind the dynamic crypto map to the crypto map vpnmap
crypto map vpnmap interface outside                           // apply the crypto map vpnmap to the outside interface
crypto isakmp identity address
crypto isakmp enable outside                                  // enable isakmp on the outside interface
crypto isakmp policy 10                                       // enter isakmp policy definition mode
 authentication pre-share                                     // authenticate with a pre-shared key
 encryption des                                               // negotiate DES encryption (matching the above: des, not 3des)
 hash md5                                                     // negotiate the md5 hash (online examples use sha; md5 is used here to match esp-md5-hmac above)
 group 2                                                      // negotiation group 2; the standard defines groups 1, 2, 3, 5 and others, mainly governing block size and lifetime
 lifetime 86400                                               // lifetime
group-policy whjt internal                                    // define the group policy (for users wanting to connect); to use a group policy you must use the default group policy name, otherwise the group cannot be activated.
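The transform set and ISAKMP policy above negotiate DES, MD5 and DH group 2, and the show ver output earlier on this page shows why: VPN-3DES-AES is listed as Disabled, so the license rather than the design dictates the weakest algorithms (a 3DES/AES activation key lifts that limit). The following is an added example, not from the page: a Python rating of transform-set and isakmp policy lines by algorithm strength. It handles both the 7.2-style crypto isakmp policy block form used above and the flat 7.0-style isakmp policy N attribute value form that appears in the last configuration on this page. The strength tables are this example's own thresholds, not a Cisco rating, and the sample configuration is constructed to mirror the page's settings.

```python
"""Rate the algorithms in ASA transform-set and ISAKMP policy lines (added example)."""

# Rating tables: this example's own thresholds (assumption), not an official rating.
IKE_ENCRYPTION = {"des": "WEAK", "3des": "LEGACY", "aes": "OK", "aes-192": "OK", "aes-256": "OK"}
IKE_HASH = {"md5": "WEAK", "sha": "LEGACY"}  # "sha" is SHA-1, the only non-MD5 choice on 7.x
IKE_GROUP = {"1": "WEAK", "2": "WEAK", "5": "LEGACY", "14": "OK", "19": "OK", "20": "OK", "21": "OK", "24": "OK"}
ESP_TRANSFORM = {
    "esp-null": "WEAK", "esp-des": "WEAK", "esp-3des": "LEGACY",
    "esp-aes": "OK", "esp-aes-192": "OK", "esp-aes-256": "OK",
    "esp-none": "WEAK", "esp-md5-hmac": "WEAK", "esp-sha-hmac": "LEGACY",
}

# Constructed sample: the block-form policy from this section plus flat 7.0-style lines
# of the kind found in the last configuration on the page.
SAMPLE_CONFIG = """\
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash md5
isakmp policy 65535 group 2
"""


def parse_crypto(text):
    """Return ({transform_set_name: [transforms]}, {policy_number: {attribute: value}})."""
    transform_sets, policies, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        parts = line.split()
        if line.startswith(" ") and current is not None and len(parts) == 2:
            current[parts[0]] = parts[1]  # sub-command of an open "crypto isakmp policy" block
            continue
        current = None
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[parts[3]] = parts[4:]
        elif parts[:3] == ["crypto", "isakmp", "policy"]:
            current = policies.setdefault(parts[3], {})
        elif parts[:2] == ["isakmp", "policy"] and len(parts) == 5:
            policies.setdefault(parts[2], {})[parts[3]] = parts[4]  # flat 7.0-style form
    return transform_sets, policies


def rate_crypto(transform_sets, policies):
    """Return (scope, setting, rating) for every setting that is not rated OK."""
    findings = []
    for name, transforms in transform_sets.items():
        for t in transforms:
            rating = ESP_TRANSFORM.get(t, "UNKNOWN")
            if rating != "OK":
                findings.append((f"transform-set {name}", t, rating))
    for number, attrs in policies.items():
        for key, table in (("encryption", IKE_ENCRYPTION), ("hash", IKE_HASH), ("group", IKE_GROUP)):
            if key in attrs:
                rating = table.get(attrs[key], "UNKNOWN")
                if rating != "OK":
                    findings.append((f"isakmp policy {number}", f"{key} {attrs[key]}", rating))
    return findings


def rate_config(text):
    """Convenience wrapper: parse and rate a configuration snippet."""
    return rate_crypto(*parse_crypto(text))


def weakest_rating(findings):
    """Overall verdict: the worst rating present, or OK when there are no findings."""
    order = {"OK": 0, "LEGACY": 1, "UNKNOWN": 2, "WEAK": 3}
    return max((f[2] for f in findings), key=order.get, default="OK")
```

For the constructed sample, rate_config reports eight findings, seven of them WEAK (DES, MD5 and group 2 in both policies, plus esp-des and esp-md5-hmac in the transform set) and one LEGACY (3DES). The same code rates an AES-256/SHA/group 14 policy as no worse than LEGACY, the SHA-1 HMAC being the only remaining flag.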
Cisco ASA 5510 (HA) configuration
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
hostname(config)# interface Ethernet0/3
hostname(config-if)# no shutdown
hostname(config)# failover
hostname(config)# copy running-config startup-config
hostname(config)# failover lan unit secondary
hostname(config)# failover
hostname(config)# copy running-config startup-config
! After configuration completes, the primary automatically synchronises the current configuration to the secondary; at that point show run on both units shows identical configuration.
Note: after configuring the network interface, run no shutdown to enable it.
A5510 -1 (Secondary Host):
hostname(config)# interface Ethernet0/3 description LAN Failover Interface
hostname(config)# failover lan interface failover Ethernet0/3
Cisco ASA 5510 dual-uplink policy routing configuration
The Static Route Tracking feature of the ASA/PIX effectively solves the dual-ISP uplink problem.
The problem: a static route has no built-in mechanism for deciding whether it is still usable. Even when the next hop is unreachable the static route stays in the routing table; it is only removed when the ASA's own interface associated with that route goes down.
The solution: Static Route Tracking provides a way to track a static route and install a backup route in the routing table when the primary fails. For example, with two default routes pointing at different ISPs, when the primary ISP goes down the backup ISP link can take over immediately. Tracking uses ICMP: if no reply is received within the holdtime the link is considered down, the static route is removed at once, and the pre-configured backup route enters the routing table.
Note: if ICMP is restricted on the outside interface, icmp echo-reply must be allowed for the probes.
pixFirewall(config)# sla monitor sla_id   # specify the SLA ID of the probe
PixFirewall(config-sla-monitor)# type echo protocol ipIcmpEcho target_ip interface if_name   # probe type ICMP; specify the target address and interface. The target must be pingable: when it becomes unreachable the tracked route is removed and the backup route enters the routing table
pixFirewall(config)# sla monitor schedule sla_id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]   # specify a schedule, normally start-time now; the schedule is mandatory, otherwise the tracked route never enters the routing table
pixFirewall(config)# track track_id rtr sla_id reachability   # define a track ID that follows the reachability of sla_id
pixFirewall(config)# route if_name dest_ip mask gateway_ip [admin_distance] track track_id   # set the default route and bind it to the track ID
Configuration example:
sla monitor 1
 type echo protocol ipIcmpEcho 202.1.1.2 interface dx
sla monitor schedule 1 start-time now   (mandatory, otherwise the tracked route never enters the routing table)
track 2 rtr 1 reachability
route dx 0.0.0.0 0.0.0.0 202.1.1.2 1 track 2   (China Telecom default gateway; tracks the reachability of the address)
route wt 0.0.0.0 0.0.0.0 101.1.1.2 2           (China Netcom default gateway)
When 202.1.1.2 cannot be pinged (ICMP reachability fails), route dx 0.0.0.0 0.0.0.0 202.1.1.2 1 is removed from the routing table and replaced by the second default route, route wt 0.0.0.0 0.0.0.0 101.1.1.2 2; when 202.1.1.2 recovers, it changes back to dx 0.0.0.0 0.0.0.0 202.1.1.2 1. I think many of you meet this requirement in projects, and the ASA handles it well. It is the same as dual-uplink backup on a router, where SAA is configured to check connectivity.
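The failover described above is ordinary routing-table behaviour once the track object is factored in: a tracked route is eligible only while its track is up, and among eligible routes the longest prefix wins, with administrative distance breaking ties. The following is an added example, not from the page: a Python model of that selection using the two default routes from the configuration example (dx via 202.1.1.2 with AD 1 and track 2, wt via 101.1.1.2 with AD 2), generalised to longest-prefix matching so the same function also handles more-specific routes. The destination addresses used are constructed (RFC 5737 documentation space).

```python
"""Model of tracked static routes and administrative distance (added example, not from the page)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    ifname: str
    prefix: IPv4Network
    gateway: IPv4Address
    admin_distance: int = 1
    track_id: Optional[int] = None  # None: untracked, always eligible


def make_route(ifname, prefix, gateway, admin_distance=1, track_id=None):
    return StaticRoute(ifname, IPv4Network(prefix), IPv4Address(gateway), admin_distance, track_id)


# The two default routes from the configuration example above: dx (China Telecom) is bound
# to track 2; wt (China Netcom) is the floating backup with the higher administrative distance.
CANDIDATE_ROUTES = [
    make_route("dx", "0.0.0.0/0", "202.1.1.2", admin_distance=1, track_id=2),
    make_route("wt", "0.0.0.0/0", "101.1.1.2", admin_distance=2),
]


def installed_routes(candidates, track_state):
    """Routes eligible for the routing table given {track_id: is_up}; an unknown track counts as down."""
    return [r for r in candidates if r.track_id is None or track_state.get(r.track_id, False)]


def lookup(rib, destination):
    """Longest prefix match, ties broken by the lowest administrative distance."""
    dest = IPv4Address(destination)
    matches = [r for r in rib if dest in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.admin_distance))


def best_route(destination, track_state, routes=CANDIDATE_ROUTES):
    """Return (ifname, gateway) used to reach destination, or None when nothing matches."""
    route = lookup(installed_routes(routes, track_state), destination)
    return (route.ifname, str(route.gateway)) if route else None


def gateways_over_time(track_history, destination="198.51.100.10"):
    """Gateway chosen for each successive state of track 2 (e.g. up, down, up again)."""
    return [best_route(destination, {2: up})[1] for up in track_history]
```

With track 2 up the dx route wins on administrative distance; when the probe fails and the track goes down, dx is no longer eligible and the floating wt route is the only default left, exactly the sequence the text describes. A more specific route (10.0.0.0/8 via an inside gateway, say) is chosen ahead of either default regardless of track state, which is why a failed probe target never affects internal reachability.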
5510 firewall configuration (Shangyang)
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list nonat extended permit ip 10.80.1.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list split-ssl standard permit 10.1.7.0 255.255.255.0
access-list split-ssl standard permit 10.1.1.0 255.255.255.0
access-list split-ssl standard permit 10.10.1.0 255.255.255.0
 ip address 10.1.5.1 255.255.255.248
!
interface Ethernet0/2
 description to_Dianxing
 nameif outside1
 security-level 0
 ip address 183.62.194.98 255.255.255.248
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
Cisco ASA 5510 configuration example
Cisco ASA 5510 configuration example, 11 November 2008, 07:52
ASA5510# SHOW RUN
: Saved
:
ASA Version 7.0(6)
!
hostname ASA5510
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0                          // this interface faces the outside network
 nameif outside                                // name it OUTSIDE, the external interface
 security-level 0                              // the outside interface gets the lowest security level, 0
 ip address 192.168.3.234 255.255.255.0        // add the outside IP address (normally provided by the ISP, China Telecom or China Netcom)
!
interface Ethernet0/1                          // this interface faces the inside network
 nameif inside                                 // name it INSIDE, the internal interface
 security-level 100                            // the inside interface gets the highest security level, 100
 ip address 10.1.1.1 255.255.0.0               // add the inside IP address
!
interface Ethernet0/2                          // not used
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0          // not used; the management port is reached by a directly connected cable
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface                   // required: PAT (port address translation); "1" is the NAT ID
nat (inside) 1 10.1.0.0 255.255.0.0            // translate all inside addresses in 10.1.0.0
route outside 0.0.0.0 0.0.0.0 192.168.3.254 1  // default route
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable                             // enable the HTTP server
http 192.168.1.0 255.255.255.0 management      // restrict which hosts may reach the firewall over HTTP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.30-10.1.1.200 inside      // DHCP: automatically assign addresses from the range 10.1.1.30-200
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 192.168.0.1                          // DNS: either the ISP-provided servers, entered directly, or your own DNS server address
Cisco ASA 5510: upgrading the IOS and ASDM
---------------- The following is my detailed procedure for upgrading the IOS ----------------
show version                              view the currently running system information, including the boot file (the IOS)
show boot                                 view the current IOS boot setting
show asdm image                           view the currently running ASDM image
copy nvram:/filename tftp://ip/filename   transfer files over TFTP
boot system file                          set the IOS boot file
asdm image file                           set the ASDM image file (prefix with no to remove)
erase / format                            delete all files
Files can be transferred over ftp, http, tftp and other protocols; tftp is recommended as simple and easy to use.
You can connect the same way as to an ordinary router, log in over the console, or use the management port.
1. Telnet to the ASA
GZ5510> ena                   // enter privileged mode
GZ5510# conf t                // enter configuration mode
GZ5510(config)# dir           // list the files on the ASA
Directory of disk0:/          // my unit has no separately purchased flash, so the files are on disk0
4879  -rw-  8202240  19:18:10 Nov 16 2011  asa721-k8.bin
2391  -rw-  5539756  00:43:38 Nov 05 2007  asdm521.bin
4842  drw-  0        18:51:24 Nov 16 2011  log
4843  drw-  0        18:51:36 Nov 16 2011  crypto_archive
255426560 bytes total (215465984 bytes free)
2. Find a PC, run tftpd32.exe, set the directory and transfer the files
GZ5510(config)# show ver      // see above for what this command shows
Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)
Cisco ASA 5510 (8.2) configuration process
Cisco ASA 5510 (8.2) configuration process
1. To simplify configuration I planned to install the ASDM (6.5) graphical management interface. After reading the manual and collecting material online, my installation procedure was as follows:
1) Install Java from the bundled CD, then install ASDM. Installation is straightforward and needs no configuration. I started on 64-bit Windows 7 and installed ASDM directly; it reported that Java was required. I downloaded the latest version from Oracle's site and installed it, but installing ASDM again still asked for Java. I suspected an environment-variable problem and adjusted the settings, but still could not get it to work.
The system was already a bit slow, so I reformatted and installed XP, installed Java (1.6) straight from the CD, then installed ASDM; no settings were needed and everything worked.
2) Connect to the 5510 with a serial cable; a few simple settings are needed before ASDM can log in normally.
Enter the following commands over the serial console:
ciscoasa>
ciscoasa> en
Password:
ciscoasa# conf t                                           // enter global configuration mode
ciscoasa(config)# web***                                   // enter WEB*** mode (tested: skipping this mode and setting the username and password directly also works)
ciscoasa(config-web***)# username cisco password cisco     // create a user and password
ciscoasa(config)# int m 0/0                                // enter the management interface
ciscoasa(config-if)# ip address 172.16.0.1 255.255.255.0   // add an IP address (a new unit already has the default management IP 192.168.1.1)
ciscoasa(config-if)# nameif guanli                         // give the management interface a name
ciscoasa(config-if)# no shutdown                           // bring the interface up
ciscoasa(config)# q                                        // leave the management interface
ciscoasa(config)# http server enable                       // enable the HTTP service
ciscoasa(config)# http 172.16.0.0 255.255.255.0 guanli     // set the IP range allowed to manage the unit via the management interface
ciscoasa(config)# show run                                 // check the configuration
ciscoasa(config)# wr m                                     // save
With the above configuration you can now manage the firewall with ASDM.
Configuration notes for the ASA 5510 firewall used with SUPCON WebSight publishing
Configuration notes for the firewall used with WebSight publishing
1. Overview
In one project the customer required that process-unit data from the DCS data server be published over the web, so that the office PC in the plant manager's office could view the control system's information in real time. To keep viruses and other threats on the plant management network from entering the control network, a firewall was placed between the two.
2. Hardware configuration
2.1 DCS control room
1) One historical data server PC with four network cards: three connect to the DCS internal control network and operator network, and the fourth serves as the web publishing port. Operating system: Windows XP.
2) One Cisco ASA 5510 firewall.
3) Twisted-pair network cable as needed.
2.2 Plant manager's office
1) One office PC with a separate network card dedicated to communication with the DCS. Operating system Windows XP with the IE browser installed.
2) If several PCs in the plant manager's office need to view the control-system information, a switch is required.
2.3 Connection accessories
1) Depending on the distance between the CCR (central control room) and the plant manager's office, suitable fibre, fibre pigtails, fibre patch cords, splice enclosures and so on are needed.
3. Software configuration
3.1 DCS control room
1) Windows XP with the IIS (Internet Information Services) component installed.
2) AdvanTrol Pro 2.5 SP06.
3) PIMS WebSight publishing software.
3.2 Plant manager's office
1) Windows XP with IE 6.0 or later installed.
4. Reference documents
1) SUPCON WebSight Monitoring Software Web Publishing User Manual, and IIS (Internet Information Services) Component Installation Specification
2) ASA5510 User Manual
5. Network topology
The overall network topology is shown in the figure below:
6. Connection steps
6.1 On the historical data server HS140, install the IIS service component and the WebSight publishing software.
Set the IP address of the fourth network card to 172.30.1.140, subnet mask 255.255.255.0, default gateway 172.30.1.1.
Do not forget to set the default gateway.
Build the configuration as shown in the figure below, click the web publish command and start the monitoring software, so that the DCS data is ready for web publishing.
ASA 5510 transparent mode configuration
access-group permit_any in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
mtu outside 1500
mtu inside 1500
ip address 192.168.1.100 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
prompt hostname context
Cryptochecksum:741e0fcf1b4761a28f88dd49041bdef3
: end
ciscoasa(config)#
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
ASA5510(config)# sh run
: Saved
:
ASA Version 7.0(5)
!
hostname ASA5510
domain-name
enable password 9jNfZuG3TC5tCVH0 encrypted
names
dns-guard
!
interface Ethernet0/0
 description link public
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.0
!
interface Ethernet0/1
 description link inside
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside0
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd ErxOrHUu6ViMiiRU encrypted
ftp mode passive
dns domain-lookup outside
same-security-traffic permit intra-interface
access-list 111 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 extended permit icmp any any
access-list 111 extended permit udp any any eq domain
access-list 111 extended permit tcp any any eq www
access-list 111 extended permit tcp any any eq ftp
access-list 111 extended permit tcp any any eq ftp-data
access-list 111 extended permit tcp any any eq https
access-list 111 extended permit tcp any any eq 2967
access-list 111 extended permit udp any any eq 2967
access-list 111 extended permit udp any any eq 38293
access-list 111 extended permit udp any any eq 50
access-list 111 extended permit udp any any eq isakmp
access-list 111 extended permit udp any any eq 10000
access-list split standard permit 192.168.0.0 255.255.255.0
access-list 112 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 112 extended permit icmp 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 echo-reply
access-list 112 extended permit icmp 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu inside0 1500
ip local pool testvpn 192.168.2.5-192.168.2.253 mask 255.255.255.0
no failover
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 112 in interface outside
access-group 111 in interface inside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.2.0 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip535
timeout uauth 0:05:00 absolute
group-policy vpn1 internal
group-policy vpn1 attributes
 dns-server value 218.6.200.139 202.98.96.68
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat
 webvpn
username test password P4ttSyrm33SV8TYp encrypted
username test attributes
 vpn-group-policy vpn1
 vpn-tunnel-protocol IPSec
 webvpn
username telnet1 password PcqDoDILCSVk03rz encrypted privilege 15
username telnet1 attributes
 vpn-group-policy vpn1
 vpn-tunnel-protocol IPSec
 webvpn
username cisco1 password ffIRPGpDSOJh9YLq encrypted
username cisco1 attributes
 vpn-tunnel-protocol IPSec
 webvpn
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash md5
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group vpn1 type ipsec-ra
tunnel-group vpn1 general-attributes
 address-pool testvpn
 default-group-policy vpn1
tunnel-group vpn1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 192.168.0.5-192.168.0.254 inside
dhcpd address 192.168.3.5-192.168.3.253 inside0
dhcpd dns 218.6.200.139 202.98.96.68
dhcpd lease 3000
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default