
CISCO ASA 5510 Firewall Configuration Manual

[Note: most IP addresses, masks and network prefixes in the commands below were stripped from the uploaded copy of this document; fragments such as "54", "/24" or "219.139.*.*" are all that remain, and they are kept here exactly as they appear.]

Password configuration

1. Telnet password
  Ciscoasa(config)# passwd 123
  (password used to log in to the ASA over telnet)

2. Enable password
  Ciscoasa(config)# enable password 456
  (password for entering enable privileged mode)

3. Device name
  Ciscoasa(config)# hostname wy-ciscoasa

Interface configuration

2.1 Naming an interface
  Ciscoasa(config)# interface Ethernet0/0
  Ciscoasa(config-if)# nameif outside
  Normally E0/0 is named the outside (external) interface and E0/1 the inside (internal) interface.

2.2 Interface security level
  Ciscoasa(config-if)# security-level 100
  (100 is the trust level; the higher the number, the more trusted the interface)

2.3 IP address
  Ciscoasa(config-if)# ip address 219.139.*.*

2.4 Shutting down / bringing up an interface
  Ciscoasa(config-if)# shutdown / no shutdown

Static route configuration
  Ciscoasa(config)# route inside
  Meaning: create a route on the inside interface to the /24 network; the ASA forwards every packet destined for that /24 network to the next hop.
  Ciscoasa(config)# route outside
  Create a default route on the outside interface; the ASA forwards all Internet-bound traffic to the Internet gateway.

Network address translation (NAT) configuration

4.1 NAT overview
  NAT can be implemented in three ways: dynamic NAT, static NAT and PAT.
  Dynamic NAT: translates the private IP addresses of the internal network to public IP addresses. The public address is not fixed but chosen at random; any private address authorised to reach the Internet can be translated to any of the configured legal addresses.
  Static NAT: one-to-one translation of IP addresses.
  PAT: rewrites the source port of outgoing packets and translates on the port. The whole internal network can share a single legal external IP address to reach the Internet, which saves address space as far as possible and at the same time hides every internal host, helping to avoid attacks from the Internet. PAT is therefore recommended for the NAT design of the Wuying project.

4.2 Dynamic NAT configuration
  Ciscoasa(config)# nat (inside) 1
  Enables NAT for the /16 network on this interface.
  Ciscoasa(config)# global (outside) 1 0-219.139.*.* netmask
  Dynamically translates addresses from the 12/24 network on the inside interface to addresses in the range 0-219.139.*.*.

4.3 Static NAT configuration
  Ciscoasa(config)# nat (inside) 2 54 55
  Enables NAT for this address.
  Ciscoasa(config)# global (outside) 2 219.139.*.*
  Translates address 54 to 219.139.*.*.

4.4 PAT configuration
  Ciscoasa(config)# nat (inside) 3
  Enables NAT for this address.
  Ciscoasa(config)# global (outside) 3 interface
  (Use this when the carrier provides only one public IP: every internal host shares that one address to reach the Internet.)

4.5 Port mapping configuration

4.5.1 When port mapping is needed
  When a host on the outside needs to reach a server on the inside, the ASA has no way of knowing which internal machine is being addressed, so a static port mapping is required.

4.5.2 Port mapping syntax
  Ciscoasa(config)# access-list list-name extended permit tcp/udp any host outside_address eq port_num
    list_name: name of the access control list
    tcp/udp: protocol to be mapped
    port_num: port number to be mapped
  Ciscoasa(config)# static (inside,outside) tcp/udp interface port_num local_address port_num netmask 55
    tcp/udp: protocol to be mapped
    port_num (first): port number before mapping
    local_address: IP address of the internal host after mapping
    port_num (second): port number after mapping
  Example:
  Ciscoasa(config)# access-list 100 extended permit tcp any host 219.139.*.* eq 80
    Allows the outside to reach tcp port 80 of 219.139.*.*.
  Ciscoasa(config)# static (inside,outside) tcp interface 80 54 80 netmask 55
    When the outside connects to tcp port 80 of 62, static PAT maps the connection to tcp port 80 of internal host 54.
  Ciscoasa(config)# access-group 100 in interface outside per-user-override
    The ACL must be applied, or the access will not work.
  Note: if only one internal server needs to be published to the public network, this is enough:
  ciscoasa(config)# static (inside,outside) 219.139.*.* 54

  ciscoasa(config)# static (inside,outside) 219.139.*.* 54 10000 10
  // the trailing 10000 is the connection limit and 10 the limit on half-open (embryonic) connections.

Access control list (ACL) configuration

5.1 General steps for configuring an ACL
  Configure the access control list.
  Apply it to an interface in a direction.

5.2 Standard access control list syntax

  ciscoasa(config)# access-list list_name standard deny/permit des_address netmask
    list_name: name of the standard access control list (1-99)
    deny/permit: block or allow traffic matching this rule
    des_address: destination address to be controlled
    netmask: mask of the destination address to be controlled
  ciscoasa(config)# access-group list_name in/out interface interface_name
    in/out: inbound or outbound direction on the interface
    interface_name: name of the interface the list is applied to

5.3 Extended access control list
  ciscoasa(config)# access-list list-name extended deny/permit tcp/udp sour_address sour_mask des_address des_mask eq port_num
    list-name: name of the extended access control list
    deny/permit: deny or allow traffic matching this rule
    tcp/udp: protocol this rule matches
    sour_address: source address this rule matches
    sour_mask: source address mask this rule matches
    des_address: destination address this rule matches
    des_mask: destination address mask this rule matches
    port_num: port number this rule matches
  ciscoasa(config)# access-group list_name in/out interface interface_name
    in/out: inbound or outbound direction on the interface the list is applied to
    interface_name: name of the interface the list is applied to
  Example 1:
  ciscoasa(config)# access-list 400 extended deny udp 54 55 eq 80
    Blocks the source /24 network from reaching destination host 54.
  ciscoasa(config)# access-group 400 in interface inside

Checking the ASA firewall's operating state

6.1 Viewing the current ASA configuration
  Ciscoasa# show running-config
  CPU utilisation: show cpu usage (normally it should stay below 80%)
  Memory usage: Ciscoasa# show memory
  Xlate table size: Ciscoasa# show conn count
  Interface status: Ciscoasa# show interface interface_name

6.2 Verifying firewall connectivity
  Ping: Ciscoasa# ping ip_address
  View the routing table: Ciscoasa# show route
  Check the ASA's ACLs: Ciscoasa# show access-list

The actual CISCO ASA configuration is as follows:

: Saved
: Written by enable_15 at 01:00:46.039 UTC Tue Sep 21 2010
!
ASA Version 8.2(1)
!
hostname wy-asazlzzx
enable password kt7r2AarZ0QwX7lH encrypted
passwd PLBb27eKLE1o9FTB encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 219.139.*.*
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list 100 extended permit tcp any host 219.139.*.* eq www
access-list 100 extended permit tcp any host 219.139.*.* eq 81
access-list 100 extended permit tcp any host 219.139.*.* eq 88
access-list 100 extended permit tcp any host 219.139.*.* eq 230
access-list 100 extended permit tcp any host 219.139.*.* eq 8888
access-list 100 extended permit tcp any host 219.139.*.* eq 85
access-list 100 extended permit tcp any host 219.139.*.* eq 6060
access-list 100 extended permit tcp any host 219.139.*.* eq 5070
access-list 100 extended permit tcp any host 219.139.*.* eq 6080
access-list 100 extended permit tcp any host 219.139.*.* eq 10000
access-list 100 extended permit tcp any host 219.139.*.* eq 231
access-list 100 extended permit tcp any host 219.139.*.* eq 1433
access-list 100 extended permit tcp any host 219.139.*.* eq 9000
access-list 100 extended permit tcp any host 219.139.*.* eq 84
access-list 100 extended permit tcp any host 219.139.*.* eq 10020
access-list 100 extended permit tcp any host 219.139.*.* eq 10040
access-list 100 extended permit tcp any host 219.139.*.* eq 87
access-list 100 extended permit tcp any host 219.139.*.* eq 10101
access-list 100 extended permit udp any host 219.139.*.* eq 3200
access-list 100 extended permit tcp any host 219.139.*.* eq 86
access-list 100 extended permit tcp any host 219.139.*.* eq 9999
access-list 100 extended permit tcp any host 219.139.*.* eq sip
access-list 100 extended permit tcp any host 219.139.*.* eq 5080
access-list 100 extended permit tcp any host 219.139.*.* eq 10100
access-list 100 extended permit udp any host 219.139.*.* eq 3201
access-list 100 extended permit tcp any host 219.139.*.* eq 3389
access-list 100 extended permit tcp any host 219.139.*.* eq ftp
access-list 100 extended permit tcp any host 219.139.*.* eq 8080
access-list 100 extended permit tcp any host 219.139.*.* eq 82
access-list 100 extended permit tcp any host 219.139.*.* eq 83
access-list 100 extended permit tcp any host 219.139.*.* eq 16000
access-list 100 extended permit tcp any host 219.139.*.* eq 15000
access-list 100 extended permit tcp any host 219.139.*.* eq 8088
access-list 100 extended permit tcp any host 219.139.*.* eq 211
access-list 100 extended permit tcp any host 219.139.*.* eq 9099
access-list 100 extended permit tcp any host 219.139.*.* eq 8000
access-list 100 extended permit tcp any host 219.139.*.* eq 7777
access-list 100 extended permit udp any host 219.139.*.* eq 6661
access-list 100 extended permit tcp any host 219.139.*.* eq 8500
access-list 100 extended permit tcp any host 219.139.*.* eq 8600
access-list 100 extended permit udp any host 219.139.*.* eq 3100
access-list 100 extended permit tcp any host 219.139.*.* eq 8081
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list 110 extended permit ip any
access-list acl_insde extended permit ip any any
access-list 10 standard permit any
access-list 200 extended permit ip any any
access-list 120 extended permit ip any host 219.139.*.*
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1
nat (inside) 1
static (inside,outside) tcp interface 81 47 81 netmask 55
static (inside,outside) tcp interface 88 49 88 netmask 55
static (inside,outside) tcp interface 230 50 230 netmask 55
static (inside,outside) tcp interface 8888 47 8888 netmask 55
static (inside,outside) tcp interface 85 50 85 netmask 55
static (inside,outside) tcp interface 6060 23 6060 netmask 55
static (inside,outside) tcp interface 5070 23 5070 netmask 55
static (inside,outside) tcp interface 6080 23 6080 netmask 55
static (inside,outside) tcp interface 10000 47 10000 netmask 55
static (inside,outside) tcp interface 231 47 231 netmask 55
static (inside,outside) tcp interface 1433 23 1433 netmask 55
static (inside,outside) tcp interface 9000 23 9000 netmask 55
static (inside,outside) tcp interface 84 47 84 netmask 55
static (inside,outside) udp interface 3100 47 3100 netmask 55
static (inside,outside) tcp interface 10020 47 10020 netmask 55
static (inside,outside) tcp interface 10040 47 10040 netmask 55
static (inside,outside) tcp interface 87 23 87 netmask 55
static (inside,outside) tcp interface 10101 23 10101 netmask 55
static (inside,outside) udp interface 3200 23 3200 netmask 55
static (inside,outside) tcp interface 86 46 86 netmask 55
static (inside,outside) tcp interface 9999 46 9999 netmask 55
static (inside,outside) tcp interface sip 46 sip netmask 55
static (inside,outside) tcp interface 5080 46 5080 netmask 55
static (inside,outside) tcp interface 10100 46 10100 netmask 55
static (inside,outside) udp interface 3201 46 3201 netmask 55
static (inside,outside) tcp interface 8080 49 8080 netmask 55
static (inside,outside) tcp interface 82 51 82 netmask 55
static (inside,outside) tcp interface 83 52 83 netmask 55
static (inside,outside) tcp interface 16000 51 16000 netmask 55
static (inside,outside) tcp interface 15000 52 15000 netmask 55
static (inside,outside) tcp interface 8088 51 8088 netmask 55
static (inside,outside) tcp interface 211 51 211 netmask 55
static (inside,outside) tcp interface 9099 52 9099 netmask 55
static (inside,outside) tcp interface 8000 49 8000 netmask 55
static (inside,outside) tcp interface 7777 54 7777 netmask 55
static (inside,outside) udp interface 6661 0 6661 netmask 55
static (inside,outside) tcp interface 8500 51 8500 netmask 55
static (inside,outside) tcp interface 8600 51 8600 netmask 55
static (inside,outside) tcp interface 8081 8081 netmask 55
static (inside,outside) tcp interface 3389 54 3389 netmask 55
static (inside,outside) tcp interface 8001 49 8001 netmask 55
static (inside,outside) tcp interface www 54 www netmask 55
dns
access-group 120 in interface outside
access-group 200 in interface inside
route outside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 t
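An added audit script, not part of the manual, for the point made in 4.5.2 and visible in the dump above: a static mapping is only reachable through whatever ACL is bound to the outside interface with access-group, and in the dump the port-specific list 100 is defined while the catch-all list 120 is the one actually applied. The two config strings are constructed samples with documentation-range addresses, and audit, covers and the regexes are this example's own names.

```python
import re

# Constructed sample configs in the ASA 8.2 syntax this manual uses; addresses are
# documentation-range placeholders, not the deployment's real values. AS_DEPLOYED
# mirrors the manual's pattern: ACL 100 enumerates the forwarded ports, but the
# catch-all ACL 120 is the list actually bound to the outside interface.
AS_DEPLOYED = """
access-list 100 extended permit tcp any host 203.0.113.10 eq www
access-list 100 extended permit tcp any host 203.0.113.10 eq 3389
access-list 120 extended permit ip any host 203.0.113.10
static (inside,outside) tcp interface www 192.168.1.54 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.54 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.1.23 1433 netmask 255.255.255.255
access-group 120 in interface outside
"""
# Same forwards, but the port-specific list is the one bound to outside.
HARDENED = AS_DEPLOYED.replace("access-group 120", "access-group 100")

STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) \S+ netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) any host \S+(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

def covers(rule, proto, port):
    """True if an ACL entry (proto, port-or-None) lets traffic for this forward through."""
    return rule[0] in ("ip", proto) and rule[1] in (None, port)

def audit(config):
    """Classify each static PAT forward by how the outside-bound ACL exposes it."""
    forwards, acls, bound = [], {}, None
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            forwards.append((m.group(1), m.group(2), m.group(3)))  # proto, outside port, inside host
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))  # proto, port or None
        elif m := GROUP_RE.match(line):
            bound = m.group(1)
    rules = acls.get(bound, [])
    status = {}
    for proto, port, host in forwards:
        if (proto, port) in rules:
            status[(proto, port, host)] = "specific"    # an exact proto/port permit exists
        elif any(covers(r, proto, port) for r in rules):
            status[(proto, port, host)] = "broad-only"  # reachable only through a catch-all permit
        else:
            status[(proto, port, host)] = "no-permit"   # forward configured, but the ACL drops it
    return {
        "bound_acl": bound,
        "unbound_acls": sorted(n for n in acls if n != bound),  # lists defined but never applied
        "broad_permits": [r for r in rules if r[0] == "ip" or r[1] is None],
        "forwards": status,
    }
```

Run audit on the deployed and hardened samples side by side: the first reports every forward as reachable only through the catch-all permit, the second reports the two listed ports as specific and the unlisted 1433 forward as dropped.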
