CISCO ASA5510 Firewall Configuration Manual
1. Password configuration
1.1 Telnet password
Ciscoasa(config)#passwd 123 (password used to log in to the ASA over telnet)
1.2 Enable password
Ciscoasa(config)#enable password 456 (password for entering enable privileged mode)
1.3 Device hostname
Ciscoasa(config)#hostname wy-ciscoasa
2. Interface configuration
2.1 Interface naming
Ciscoasa(config)#interface Ethernet0/0
Ciscoasa(config-if)#nameif outside
Normally E0/0 is named as the outside (external) interface and E0/1 as the inside (internal) interface.
2.2 Interface security level
Ciscoasa(config-if)#security-level 100 (100 is the security level; the higher the number, the more trusted the interface)
2.3 IP address
Ciscoasa(config-if)#ip address 219.139.*.* 255.255.255.0
2.4 Shutting down / bringing up an interface
Ciscoasa(config-if)#shutdown / no shutdown
3. Static route configuration
Ciscoasa(config)#route inside 192.168.3.0 255.255.255.0 192.168.10.1
Meaning: create a route on the inside interface to the 192.168.3.0/24 network via 192.168.10.1; the ASA forwards every packet destined for 192.168.3.0/24 to the next hop 192.168.10.1.
Ciscoasa(config)#route outside 0.0.0.0 0.0.0.0 219.139.50.1
Creates a default route out the outside interface; the ASA forwards all Internet traffic to the Internet gateway 219.139.50.1.
4. Network Address Translation (NAT) configuration
4.1 NAT overview
NAT can be implemented in three ways: dynamic NAT, static NAT and PAT.
Dynamic NAT: translates internal private IP addresses to public IP addresses. The public address is not fixed but chosen at random; any private IP address authorized to access the Internet may be translated to any of the specified legal public addresses.
Static NAT: a one-to-one translation of IP addresses.
PAT: rewrites the source port of outgoing packets and performs port translation. The entire internal network can share a single legal external IP address to access the Internet, which conserves IP address space as far as possible. At the same time it hides every host inside the network, effectively shielding them from attacks originating on the Internet. For this reason PAT is recommended for NAT in the Wuying project.
4.2 Dynamic NAT configuration
Ciscoasa(config)#nat (inside) 1 192.168.3.0 255.255.0.0
Enables NAT for the 172.16.0.0/16 network.
Ciscoasa(config)#global (outside) 1 219.139.50.40-219.139.*.* netmask 255.255.255.0
Translates addresses from the 192.168.3.0/24 network on the inside interface dynamically into addresses in the range 219.139.50.40-219.139.*.*.
4.3 Static NAT configuration
Ciscoasa(config)#nat (inside) 2 192.168.16.254 255.255.255.255
Enables NAT for this address.
Ciscoasa(config)#global (outside) 2 219.139.*.* netmask 255.255.255.0
Translates the address 192.168.16.254 to 219.139.*.*.
4.4 PAT configuration
Ciscoasa(config)#nat (inside) 3 192.168.16.0 255.255.0.0
Enables NAT for this network.
Ciscoasa(config)#global (outside) 3 interface
(Used when the ISP provides only one IP address: the whole internal network shares that single IP to reach the Internet.)
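The claim in 4.1 that PAT hides internal hosts follows from how the translation state is built. The following Python model is an added example (not part of the manual and not Cisco code) of what the ASA's xlate and connection tables do for the `global (outside) 3 interface` case: a mapped port exists only because an inside host sent traffic first, and only the peer it spoke to can send anything back through it. The addresses and port-allocation rule are constructed placeholders.

```python
"""Stateful PAT model: many inside hosts behind one outside address.

Added example, not from the manual. It models what the ASA's xlate and
connection tables do for the 'global (outside) 3 interface' case, to show
concretely why PAT hides internal hosts: a translation exists only because an
inside host sent traffic first, and only the peer it spoke to can answer.
All addresses are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# (proto, src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, str, int, str, int]


@dataclass
class Pat:
    outside_ip: str
    next_port: int = 1024
    # xlate: (proto, mapped port) -> (real inside ip, real port)
    xlate: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # reverse lookup so the same inside socket keeps its mapped port
    by_real: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    # conn: (proto, mapped port, peer ip, peer port) seen going out
    conns: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def outbound(self, flow: Flow) -> Flow:
        """Translate inside->outside, creating the xlate and conn entries."""
        proto, sip, sport, dip, dport = flow
        key = (proto, sip, sport)
        if key not in self.by_real:
            self.by_real[key] = self.next_port
            self.xlate[(proto, self.next_port)] = (sip, sport)
            self.next_port += 1
        mapped = self.by_real[key]
        self.conns.add((proto, mapped, dip, dport))
        return (proto, self.outside_ip, mapped, dip, dport)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Untranslate outside->inside; None means the firewall drops the packet.

        Both must hold: an xlate for the mapped port, and a connection to this
        exact peer. Because the ASA is stateful, a different outside host
        cannot reuse a mapped port that someone else's connection created.
        """
        proto, sip, sport, dip, dport = flow
        if dip != self.outside_ip or (proto, dport, sip, sport) not in self.conns:
            return None
        real_ip, real_port = self.xlate[(proto, dport)]
        return (proto, sip, sport, real_ip, real_port)


def demo() -> dict:
    """Two inside hosts share one outside address; unsolicited packets are dropped."""
    pat = Pat(outside_ip="203.0.113.10")   # placeholder for the single ISP-assigned address
    a_out = pat.outbound(("tcp", "192.168.16.20", 40000, "198.51.100.5", 80))
    b_out = pat.outbound(("tcp", "192.168.16.21", 40000, "198.51.100.5", 80))
    reply_to_a = pat.inbound(("tcp", "198.51.100.5", 80, "203.0.113.10", a_out[2]))
    other_peer = pat.inbound(("tcp", "198.51.100.99", 4444, "203.0.113.10", a_out[2]))
    unsolicited = pat.inbound(("tcp", "198.51.100.5", 80, "203.0.113.10", 1026))
    return {"a_mapped_port": a_out[2], "b_mapped_port": b_out[2],
            "reply_to_a": reply_to_a, "other_peer": other_peer, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both inside hosts use source port 40000, so the outside address alone cannot tell them apart; the distinct mapped ports 1024 and 1025 do. The two dropped cases in `demo()` are the point of the manual's remark: with no matching connection there is nothing for the firewall to untranslate to.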
4.5 Port mapping configuration
4.5.1 When port mapping is needed
When the outside network needs to reach a server on the inside network, the ASA has no way of knowing which internal host is meant, so a static port mapping is required.
4.5.2 Configuring the port mapping
Syntax: Ciscoasa(config)#access-list list_name extended permit tcp/udp any host outside_address eq port_num
list_name: name of the access control list
tcp/udp: protocol to be mapped
port_num: port number to be mapped
Ciscoasa(config)#static (inside,outside) tcp/udp interface port_num local_address port_num netmask 255.255.255.255
tcp/udp: protocol to be mapped
port_num (first): port number before translation
local_address: IP address of the internal host after translation
port_num (second): port number after translation
Example: Ciscoasa(config)#access-list 100 extended permit tcp any host 219.139.*.* eq 80
Permits the outside network to reach TCP port 80 on 219.139.*.*.
Ciscoasa(config)#static (inside,outside) tcp interface 80 192.168.16.254 80 netmask 255.255.255.255
When the outside network connects to TCP port 80 on 218.21.217.162, static PAT maps the connection to TCP port 80 on the internal host 192.168.16.254.
Ciscoasa(config)#access-group 100 in interface outside per-user-override
The ACL must be applied to the interface for the access to work.
Note: if you only need to map a single internal server to the public network, you can do it like this:
ciscoasa(config)#static (inside,outside) 219.139.*.* 192.168.16.254
ciscoasa(config)#static (inside,outside) 219.139.*.* 192.168.16.254 10000 10
// The trailing 10000 is the maximum number of connections and 10 is the maximum number of half-open (embryonic) connections.
5. Access control list (ACL) configuration
5.1 General steps for configuring an access control list
Configure the access control list
Apply it to an interface in a direction
5.2 Standard access control lists
Syntax: ciscoasa(config)#access-list list_name standard deny/permit des_address netmask
list_name: name of the standard access control list (1-99)
deny/permit: block or allow traffic matching this rule
des_address: destination address to be controlled
netmask: mask of the destination address to be controlled
ciscoasa(config)#access-group list_name in/out interface interface_name
in/out: inbound or outbound direction on the interface
interface_name: name of the interface the ACL is applied to
5.3 Extended access control lists
ciscoasa(config)#access-list list_name extended deny/permit tcp/udp sour_address sour_mask des_address des_mask eq port_num
list_name: name of the extended access control list
deny/permit: deny/permit traffic matching this rule
tcp/udp: protocol this rule matches
sour_address: source address this rule matches
sour_mask: source address mask this rule matches
des_address: destination address this rule matches
des_mask: destination address mask this rule matches
port_num: port number this rule matches
ciscoasa(config)#access-group list_name in/out interface interface_name
in/out: inbound or outbound direction on the interface
interface_name: name of the interface the ACL is applied to
Example 1: ciscoasa(config)#access-list 400 extended deny udp 192.168.3.0 255.255.255.0 192.168.16.254 255.255.255.255 eq 80
Blocks UDP traffic from the 192.168.3.0/24 network to port 80 on host 192.168.16.254.
ciscoasa(config)#access-group 400 in interface inside
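Example 1 as written contains only a deny line. Because every ASA ACL ends with an implicit deny, applying it alone to the inside interface blocks all other inbound traffic on that interface too, not just the UDP flow it names. The following Python model is an added example (not part of the manual, not Cisco code) that parses the subset of the access-list grammar used above and evaluates sample flows with first-match semantics; the permit line added to `ACL_400_COMPLETE` and the sample source addresses are constructed for the illustration.

```python
"""ASA-style extended ACL evaluation: first match wins, implicit deny at the end.

Added example, not from the manual and not Cisco code. It parses the subset of
the access-list grammar used in this manual,
  access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
where SRC and DST are 'any', 'host A.B.C.D' or 'A.B.C.D MASK', and evaluates
sample flows against the manual's example ACL 400.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names the ASA prints instead of numbers in this manual's dump.
PORT_NAMES = {"www": 80, "ftp": 21, "sip": 5060}


@dataclass
class Ace:
    acl: str
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None: any destination port


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Pop one address specification (any | host X | X MASK) off the front."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    name, action, proto = tokens[1], tokens[3], tokens[4]
    rest = tokens[5:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
    return Ace(name, action, proto, src, dst, dport)


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: int) -> Tuple[str, Optional[Ace]]:
    """Walk the ACL top to bottom; the first matching entry decides.

    Returns (action, matching_ace). If nothing matches, the ASA's implicit
    deny applies, which is why an ACL containing only deny lines blocks
    everything on the interface it is applied to.
    """
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace
    return "deny", None


# Constructed sample: the manual's example 1 on its own, and the same line
# followed by an explicit permit so that other internal traffic still flows.
ACL_400_DENY_ONLY = [
    "access-list 400 extended deny udp 192.168.3.0 255.255.255.0 192.168.16.254 255.255.255.255 eq 80",
]
ACL_400_COMPLETE = ACL_400_DENY_ONLY + [
    "access-list 400 extended permit ip 192.168.0.0 255.255.0.0 any",
]


def decide(acl_lines: List[str], proto: str, src: str, dst: str, dport: int) -> str:
    action, _ = evaluate([parse_ace(l) for l in acl_lines], proto, src, dst, dport)
    return action


if __name__ == "__main__":
    flows = [("udp", "192.168.3.7", "192.168.16.254", 80),   # the traffic example 1 targets
             ("tcp", "192.168.3.7", "192.168.16.254", 80),   # same hosts, different protocol
             ("udp", "192.168.4.7", "192.168.16.254", 80)]   # different source subnet
    for f in flows:
        print(f, "deny-only:", decide(ACL_400_DENY_ONLY, *f),
              "complete:", decide(ACL_400_COMPLETE, *f))
```

With the deny-only list every flow comes back `deny`; with the explicit permit appended, only the UDP/80 flow from 192.168.3.0/24 is denied and the rest of 192.168.0.0/16 passes, while anything from outside that range still falls through to the implicit deny.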
6. Checking the ASA firewall's operating state
6.1 Viewing the current ASA configuration
Ciscoasa# show running-config
CPU utilization: show cpu usage (should normally be below 80%)
Memory usage:
Ciscoasa#show memory
Xlate table size:
Ciscoasa#show conn count
Port status:
Ciscoasa#show interface interface_name
6.2 Verifying firewall connectivity
Ping:
Ciscoasa#ping ip_address (the IP address)
View the routing table:
Ciscoasa#show route
Check the ASA firewall ACLs:
Ciscoasa#show access-list
The full CISCO ASA configuration is as follows:
: Saved
: Written by enable_15 at 01:00:46.039 UTC Tue Sep 21 2010
!
ASA Version 8.2(1)
!
hostname wy-asazlzzx
enable password kt7r2AarZ0QwX7lH encrypted
passwd PLBb27eKLE1o9FTB encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 219.139.*.* 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list 100 extended permit tcp any host 219.139.*.* eq www
access-list 100 extended permit tcp any host 219.139.*.* eq 81
access-list 100 extended permit tcp any host 219.139.*.* eq 88
access-list 100 extended permit tcp any host 219.139.*.* eq 230
access-list 100 extended permit tcp any host 219.139.*.* eq 8888
access-list 100 extended permit tcp any host 219.139.*.* eq 85
access-list 100 extended permit tcp any host 219.139.*.* eq 6060
access-list 100 extended permit tcp any host 219.139.*.* eq 5070
access-list 100 extended permit tcp any host 219.139.*.* eq 6080
access-list 100 extended permit tcp any host 219.139.*.* eq 10000
access-list 100 extended permit tcp any host 219.139.*.* eq 231
access-list 100 extended permit tcp any host 219.139.*.* eq 1433
access-list 100 extended permit tcp any host 219.139.*.* eq 9000
access-list 100 extended permit tcp any host 219.139.*.* eq 84
access-list 100 extended permit tcp any host 219.139.*.* eq 10020
access-list 100 extended permit tcp any host 219.139.*.* eq 10040
access-list 100 extended permit tcp any host 219.139.*.* eq 87
access-list 100 extended permit tcp any host 219.139.*.* eq 10101
access-list 100 extended permit udp any host 219.139.*.* eq 3200
access-list 100 extended permit tcp any host 219.139.*.* eq 86
access-list 100 extended permit tcp any host 219.139.*.* eq 9999
access-list 100 extended permit tcp any host 219.139.*.* eq sip
access-list 100 extended permit tcp any host 219.139.*.* eq 5080
access-list 100 extended permit tcp any host 219.139.*.* eq 10100
access-list 100 extended permit udp any host 219.139.*.* eq 3201
access-list 100 extended permit tcp any host 219.139.*.* eq 3389
access-list 100 extended permit tcp any host 219.139.*.* eq ftp
access-list 100 extended permit tcp any host 219.139.*.* eq 8080
access-list 100 extended permit tcp any host 219.139.*.* eq 82
access-list 100 extended permit tcp any host 219.139.*.* eq 83
access-list 100 extended permit tcp any host 219.139.*.* eq 16000
access-list 100 extended permit tcp any host 219.139.*.* eq 15000
access-list 100 extended permit tcp any host 219.139.*.* eq 8088
access-list 100 extended permit tcp any host 219.139.*.* eq 211
access-list 100 extended permit tcp any host 219.139.*.* eq 9099
access-list 100 extended permit tcp any host 219.139.*.* eq 8000
access-list 100 extended permit tcp any host 219.139.*.* eq 7777
access-list 100 extended permit udp any host 219.139.*.* eq 6661
access-list 100 extended permit tcp any host 219.139.*.* eq 8500
access-list 100 extended permit tcp any host 219.139.*.* eq 8600
access-list 100 extended permit udp any host 219.139.*.* eq 3100
access-list 100 extended permit tcp any host 219.139.*.* eq 8081
access-list 110 extended permit ip 192.168.3.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.4.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.5.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.6.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.7.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.8.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.10.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.11.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.21.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.31.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.41.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.51.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.61.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.71.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.100.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.16.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.9.0 255.255.255.0 any
access-list acl_insde extended permit ip any any
access-list 10 standard permit any
access-list 200 extended permit ip any any
access-list 120 extended permit ip any host 219.139.*.*
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 81 192.168.16.247 81 netmask 255.255.255.255
static (inside,outside) tcp interface 88 192.168.16.249 88 netmask 255.255.255.255
static (inside,outside) tcp interface 230 192.168.16.250 230 netmask 255.255.255.255
static (inside,outside) tcp interface 8888 192.168.16.247 8888 netmask 255.255.255.255
static (inside,outside) tcp interface 85 192.168.16.250 85 netmask 255.255.255.255
static (inside,outside) tcp interface 6060 192.168.16.223 6060 netmask 255.255.255.255
static (inside,outside) tcp interface 5070 192.168.16.223 5070 netmask 255.255.255.255
static (inside,outside) tcp interface 6080 192.168.16.223 6080 netmask 255.255.255.255
static (inside,outside) tcp interface 10000 192.168.16.247 10000 netmask 255.255.255.255
static (inside,outside) tcp interface 231 192.168.16.247 231 netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.16.223 1433 netmask 255.255.255.255
static (inside,outside) tcp interface 9000 192.168.16.223 9000 netmask 255.255.255.255
static (inside,outside) tcp interface 84 192.168.16.247 84 netmask 255.255.255.255
static (inside,outside) udp interface 3100 192.168.16.247 3100 netmask 255.255.255.255
static (inside,outside) tcp interface 10020 192.168.16.247 10020 netmask 255.255.255.255
static (inside,outside) tcp interface 10040 192.168.16.247 10040 netmask 255.255.255.255
static (inside,outside) tcp interface 87 192.168.16.223 87 netmask 255.255.255.255
static (inside,outside) tcp interface 10101 192.168.16.223 10101 netmask 255.255.255.255
static (inside,outside) udp interface 3200 192.168.16.223 3200 netmask 255.255.255.255
static (inside,outside) tcp interface 86 192.168.16.246 86 netmask 255.255.255.255
static (inside,outside) tcp interface 9999 192.168.16.246 9999 netmask 255.255.255.255
static (inside,outside) tcp interface sip 192.168.16.246 sip netmask 255.255.255.255
static (inside,outside) tcp interface 5080 192.168.16.246 5080 netmask 255.255.255.255
static (inside,outside) tcp interface 10100 192.168.16.246 10100 netmask 255.255.255.255
static (inside,outside) udp interface 3201 192.168.16.246 3201 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.16.249 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 82 192.168.16.251 82 netmask 255.255.255.255
static (inside,outside) tcp interface 83 192.168.16.252 83 netmask 255.255.255.255
static (inside,outside) tcp interface 16000 192.168.16.251 16000 netmask 255.255.255.255
static (inside,outside) tcp interface 15000 192.168.16.252 15000 netmask 255.255.255.255
static (inside,outside) tcp interface 8088 192.168.16.251 8088 netmask 255.255.255.255
static (inside,outside) tcp interface 211 192.168.16.251 211 netmask 255.255.255.255
static (inside,outside) tcp interface 9099 192.168.16.252 9099 netmask 255.255.255.255
static (inside,outside) tcp interface 8000 192.168.16.249 8000 netmask 255.255.255.255
static (inside,outside) tcp interface 7777 192.168.16.254 7777 netmask 255.255.255.255
static (inside,outside) udp interface 6661 192.168.16.40 6661 netmask 255.255.255.255
static (inside,outside) tcp interface 8500 192.168.16.251 8500 netmask 255.255.255.255
static (inside,outside) tcp interface 8600 192.168.16.251 8600 netmask 255.255.255.255
static (inside,outside) tcp interface 8081 192.168.16.1 8081 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.16.254 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8001 192.168.16.249 8001 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.16.254 www netmask 255.255.255.255 dns
access-group 120 in interface outside
access-group 200 in interface inside
route outside 0.0.0.0 0.0.0.0 219.139.50.1 1
route inside 192.18.16.0 255.255.255.0 192.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.10.2 1
route inside 192.168.4.0 255.255.255.0 192.168.10.2 1
route inside 192.168.5.0 255.255.255.0 192.168.10.2 1
route inside 192.168.6.0 255.255.255.0 192.168.10.2 1
route inside 192.168.7.0 255.255.255.0 192.168.10.2 1
route inside 192.168.8.0 255.255.255.0 192.168.10.2 1
route inside 192.168.9.0 255.255.255.0 192.168.10.2 1
route inside 192.168.11.0 255.255.255.0 192.168.10.2 1
route inside 192.168.16.0 255.255.255.0 192.168.10.2 1
route inside 192.168.21.0 255.255.255.0 192.168.10.2 1
route inside 192.168.31.0 255.255.255.0 192.168.10.2 1
route inside 192.168.41.0 255.255.255.0 192.168.10.2 1
route inside 192.168.51.0 255.255.255.0 192.168.10.2 1
route inside 192.168.61.0 255.255.255.0 192.168.10.2 1
route inside 192.168.71.0 255.255.255.0 192.168.10.2 1
route inside 192.168.100.0 255.255.255.0 192.168.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8be70372fa840cf34638dc522883d306
: end
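Two things in the dump above are worth checking before this configuration is trusted: the per-port list `access-list 100` is never referenced by an `access-group`, while `access-list 120` (`permit ip any host 219.139.*.*`) is what is actually bound to the outside interface, so every static PAT forward is reachable on every port regardless of what ACL 100 says; and `telnet 192.168.0.0 255.255.0.0 inside` leaves cleartext management enabled. The following Python script is an added example (not from the manual, not a Cisco tool) that reads a running-config in this format and surfaces exactly those points. The embedded sample is a constructed subset of the dump with `203.0.113.10` standing in for the masked public address; only the grammar used in this manual is recognised.

```python
"""Audit an ASA 8.x running-config for the exposure created by static PAT.

Added example, not part of the original manual. It correlates the
static (inside,outside) port forwards with the access-list that is actually
bound to the outside interface, lists ACLs that are defined but never bound,
and reports cleartext telnet management. Only the grammar used in this manual
is recognised.
"""
import re
from collections import defaultdict

PORT_NAMES = {"www": 80, "ftp": 21, "sip": 5060, "ssh": 22, "telnet": 23}

STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<proto>tcp|udp) interface "
    r"(?P<mport>\S+) (?P<real_ip>\d+\.\d+\.\d+\.\d+) (?P<rport>\S+) netmask")
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*)$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)")


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _permits(ace_list, proto: str, port: int) -> bool:
    """First-match evaluation of the bound ACL for traffic to a mapped port.

    Addresses are not checked: every static here maps to the outside interface
    address, and the ACEs in this manual are all 'any -> host <outside-ip>'.
    No matching entry means the ASA's implicit deny.
    """
    for action, aproto, rest in ace_list:
        if aproto not in ("ip", proto):
            continue
        m = re.search(r"\beq (\S+)$", rest)
        if m and _port(m.group(1)) != port:
            continue
        return action == "permit"
    return False


def audit(config_text: str) -> dict:
    statics, aces, groups, telnet_ifaces = [], defaultdict(list), {}, []
    # Re-join continuation lines from a wrapped dump ("... netmask\n255.255.255.255").
    text = re.sub(r"netmask\s*\n\s*", "netmask ", config_text)
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append((m["proto"], _port(m["mport"]), m["real_ip"], _port(m["rport"])))
        elif m := ACE_RE.match(line):
            aces[m["name"]].append((m["action"], m["proto"], m["rest"]))
        elif m := GROUP_RE.match(line):
            groups[m["iface"]] = m["name"]
        elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
            telnet_ifaces.append(line.split()[-1])

    outside_acl = groups.get("outside")
    bound = aces.get(outside_acl, [])
    # A 'permit ip' entry with no port qualifier opens every forwarded port at once.
    broad = any(a == "permit" and p == "ip" and not re.search(r"\beq \S+$", r)
                for a, p, r in bound)
    exposed = sorted((pr, mp, ip) for pr, mp, ip, _ in statics if _permits(bound, pr, mp))
    dead = sorted((pr, mp, ip) for pr, mp, ip, _ in statics if not _permits(bound, pr, mp))
    return {
        "outside_acl": outside_acl,
        "unbound_acls": sorted(set(aces) - set(groups.values())),
        "broad_permit": broad,
        "exposed": exposed,          # (proto, outside port, inside host) reachable from outside
        "dead_statics": dead,        # forwards the bound ACL never lets through
        "telnet_interfaces": telnet_ifaces,
    }


# Constructed sample: a subset of the manual's dump, with 203.0.113.10 standing in
# for the masked public address 219.139.*.* (placeholder, not the real address).
SAMPLE_CONFIG = """
access-list 100 extended permit tcp any host 203.0.113.10 eq www
access-list 100 extended permit tcp any host 203.0.113.10 eq 3389
access-list 100 extended permit tcp any host 203.0.113.10 eq 1433
access-list 100 extended permit udp any host 203.0.113.10 eq 3200
access-list 120 extended permit ip any host 203.0.113.10
access-list 200 extended permit ip any any
static (inside,outside) tcp interface www 192.168.16.254 www netmask
255.255.255.255 dns
static (inside,outside) tcp interface 3389 192.168.16.254 3389 netmask
255.255.255.255
static (inside,outside) tcp interface 1433 192.168.16.223 1433 netmask
255.255.255.255
static (inside,outside) udp interface 3200 192.168.16.223 3200 netmask
255.255.255.255
static (inside,outside) tcp interface 8001 192.168.16.249 8001 netmask
255.255.255.255
access-group 120 in interface outside
access-group 200 in interface inside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
"""

if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print(f"ACL bound to outside: {result['outside_acl']} (broad permit: {result['broad_permit']})")
    print("ACLs defined but never bound:", result["unbound_acls"])
    for proto, port, host in result["exposed"]:
        print(f"  reachable from outside: {proto}/{port} -> {host}")
    print("forwards the bound ACL blocks:", result["dead_statics"])
    print("telnet management enabled on:", result["telnet_interfaces"])
```

Rebinding the outside interface to ACL 100 (replace `access-group 120 in interface outside` with `access-group 100 in interface outside`) turns `broad_permit` off and moves the forward for tcp/8001, which has no entry in ACL 100, into `dead_statics`; in the real dump the same thing would happen to port 8001, whose static has no matching line in ACL 100.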