思科ASA5505防火墙配置成功实例

合集下载

相关主题

1、下载文档前请自行甄别文档内容的完整性，平台不提供额外的编辑、内容补充、找答案等附加服务。
2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
3、如文档侵犯您的权益，请联系客服反馈,我们会尽快为您处理(人工客服工作时间：9:00-18:30)。

配置要求：

1、分别划分inside（内网）、outside（外网）、dmz（安全区）三个区域。

2、内网可访问外网及dmz内服务器（web），外网可访问dmz内服务器（web）。

3、Dmz服务器分别开放80、21、3389端口。

说明：由于防火墙许可限制“no forward interface Vlan1”dmz内服务器无法访问外网。

具体配置如下：希望对需要的朋友有所帮助

ASA Version 7.2(4)

!

hostname asa5505

enable password tDElRpQcbH/qLvnn encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif outside

security-level 0

ip address 外网IP 外网掩码

!

interface Vlan2

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address 172.16.1.1 255.255.255.0

!

interface Ethernet0/0

description outside

!

interface Ethernet0/1

description inside

switchport access vlan 2

!

interface Ethernet0/2

description dmz

switchport access vlan 3

!

interface Ethernet0/3

description inside

switchport access vlan 2

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

object-group service outside-to-dmz tcp

port-object eq www

port-object eq ftp

port-object eq 3389

access-list aaa extended permit tcp any host 外网IP object-group outsid e-

to-dmz

access-list bbb extended permit tcp host 172.16.1.2 192.168.1.0 255.255. 255.0 ob

ject-group outside-to-dmz

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (dmz) 1 172.16.1.10-172.16.1.254 netmask 255.255.255.0

nat (inside) 1 192.168.1.0 255.255.255.0

nat (dmz) 1 172.16.1.0 255.255.255.0

alias (inside) 221.203.36.86 172.16.1.2 255.255.255.255

static (dmz,outside) tcp interface www 172.16.1.2 www netmask 255.255.2 55.255 d

ns

static (dmz,outside) tcp interface ftp 172.16.1.2 ftp netmask 255.255.2 55.255 d

ns

static (dmz,outside) tcp interface 3389 172.16.1.2 3389 netmask 255.255. 255.255

dns

static (inside,dmz) 172.16.1.2 192.168.1.0 netmask 255.255.255.255 dns access-group aaa in interface outside

access-group bbb in interface dmz

route outside 0.0.0.0 0.0.0.0 外网网关 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute