CISCO-ASA5510-防火墙配置手册

CISCOASA5510防火墙配置手册密码配置1.telnet密码Ciscoasa(config)#passwd123(用于telnet登陆ASA的密码)2.enable密码Ciscoasa(config)#enablepassword456(进入enable特权模式的密码)3.设备命名Ciscoasa(config)#hostnamewy-ciscoasa接口配置2.1接口命名Ciscoasa(config)#interfaceEthernet0/0Ciscoasa(config-if)#nameifoutside一般的情况将E0/0命为外网接口，而将E0/1命为内网接口。2.2配置接口安全级别Ciscoasa(config-if)#security-level100(100指权限，数字越高权限越高)2.3配置IP地址Ciscoasa(config-if)#ipaddress219.139.*.* 2.4关闭/激活接口Ciscoasa(config-if)#shutdown/noshutdown静态路由配置Ciscoasa(config)#routeinside意思为：在inside接口上创建一条到/24网络走的路由，ASA会将到/24网络的所有数据包转发给下一条Ciscoasa(config)#routeoutside创建一条外网默认路由，ASA将所有互联网流量转发给internet网关网络地址转换（NAT）配置4.1NAT的简介NAT实现的方式有三种：动态NAT、静态NAT、PAT动态NAT：指将内部网络私有IP地址转换为公有IP地址，IP地址不确定，是随机的，所有被授权访问intelnet的私有IP地址可随机转换为任何指定合法IP地址。静态NAT：指IP地址一对一的转换。PAT：指改变外出数据包的源端口并进行端口转换。内部所有网络均可以共享一个合法外部IP地址实现对intelnet的访问，从而可以最大限度节约IP地址资源。同时，又可以隐藏网络内部的所有主机，有效避免来自己intelnet的攻击。因此，武英项目做NAT时推荐用PAT。4.2动态NAT的配置Ciscoasa(config)#nat(inside)1将网络接口为/16网络激活NATCiscoasa(config)#global(outside)10-219.139.*.*netmask将把来自insid接口12/24网络的地址动态转换为0-219.139.*.*的地址。4.3静态NAT的配置Ciscoasa(config)#nat(inside)25455将此地址激活NATCiscoasa(config)#global(outside)2219.139.*.*将54这个地址转换为219.139.*.*4.4PAT配置Ciscoasa(config)#nat(inside)3将此地址激活NATCiscoasa(config)#global(outside)3interface(这个是电信只提供了一个IP时可以这样做，所有内网共享一个IP上网)4.5端口映射的配置4.5.1什么时候要做端口映射当外网需要访问内网中的一台服务器时，ASA并不知道访问的是哪一台内网中的机器，这时就需要做静态的端口映射。4.5.2端口映射的配置语法：Ciscoasa(config)#access-listlist-nameextendedpermittcp/udpanyhsotoutside_addresseqport_numlist_name:访问控制列表名称tcp/udp:需要映射的协议类型port_num:需要映射的端口号Ciscoasa(config)#static(inside,outside)tcp/udpinterfaceport_numlocal_addressport_numnetmask55Tcp/udp:需要映射的协议类型port_num：映射前的端口号local_address：映射后的内网主机IP地址port_num：映射后的端口号例如：Ciscoasa(config)#access-list100extendedpermittcpanyhost219.139.*.*eq80允许外网访问219.139.*.*的tcp80端口Ciscoasa(config)#static(inside,outside)tcpinterface805480netmask55外网访问62的tcp80端口时启用静态PAT映射到内网54的tcp80端口Ciscoasa(config)#access-group100inintercaeoutsideper-user-override访问必须调用ACL备注如果，只是需要将内网一个服务器映射到公网可以这样做ciscoasa(config)#static(inside,outside)219.139.*.*54

ciscoasa(config)#static(inside,outside)219.139.*.*541000010

//后面的10000为限制连接数，10为限制的半开连接数。五访问控制列表（ACL）配置5.1配置访问控制列表的一般步骤配置访问控制列表接口方向的调用5.2标准访问控制列表语法

ciscoasa(config)#access-listlist_namestandarddeny/permitdes_addressnetmasklist_name:标准访问控制列表的名称（1-99）deny/permit：阻止或是允许符合此条规则的流量des_address：需要做控制的目的地址netmask:需要做控制的目的地址的掩码ciscoasa(config)#access-grouplist_namein/outinterfaceinterface_namein/out:标准访问控制列表的名称interface_name:调用控制列表的接口名5.3扩展访问控制列表ciscoasa(config)#access-listlist-nameextendeddeny/permittcp/udpsour_addresssour_maskdes_addressdes_maskeqport_numlist-name:扩展访问控制列表名称deny/permit:拒绝/允许符合此条规则的流量tcp/udp：此条规则匹配的协议sour_address：此条规则匹配的源地址sour_mask：此条规则匹配的源地址掩码des_address：此条规则匹配目的地址des_mask：此条规则匹配目的地址掩码port_num：此条规则匹配的端口号ciscoasa(config)#access-grouplist_namein/outinterfaceinterface_namein/out:调用接口的入与出口向interface_name：调用控制列表的接口名例句1：ciscoasa(config)#access-list400extendeddenyudp5455eq80阻止源地址/24网段对目的地址54主机ciscoasa(config)#access-group400ininterfaceinside六ASA防火墙工作状态调试6.1查看当前ASA配置Ciscoasa#showrunning-config查看CPU得用率：showcpuusage(正常应该在80%以下)内存使用：Ciscoasa#showmemoryXlate表大小Ciscoasa#showconncount端口状态Ciscoasa#showinterfaceinterface_name6.2验证防火墙的连接性PingCiscoasa#pingip_address(ip地址)查看路由表Ciscoasa#showrouteASA防火墙ACL检查Ciscoasa#showaccess-listCISCOASA具体配置如下：:Saved:Writtenbyenable_15at01:00:46.039UTCTueSep212010!ASAVersion8.2(1)!hostnamewy-asazlzzxenablepasswordkt7r2AarZ0QwX7lHencryptedpasswdPLBb27eKLE1o9FTBencryptednames!interfaceEthernet0/0nameifoutsidesecurity-level0ipaddress219.139.*.*!interfaceEthernet0/1nameifinsidesecurity-level100ipaddress!interfaceEthernet0/2shutdownnonameifnosecurity-levelnoipaddress!interfaceEthernet0/3shutdownnonameifnosecurity-levelnoipaddress!interfaceManagement0/0shutdownnameifmanagementsecurity-level100ipaddressmanagement-only!ftpmodepassivesame-security-trafficpermitinter-interfaceaccess-list100extendedpermittcpanyhost219.139.*.*eqwwwaccess-list100extendedpermittcpanyhost219.139.*.*eq81access-list100extendedpermittcpanyhost219.139.*.*eq88access-list100extendedpermittcpanyhost219.139.*.*eq230access-list100extendedpermittcpanyhost219.139.*.*eq8888access-list100extendedpermittcpanyhost219.139.*.*eq85access-list100extendedpermittcpanyhost219.139.*.*eq6060access-list100extendedpermittcpanyhost219.139.*.*eq5070access-list100extendedpermittcpanyhost219.139.*.*eq6080access-list100extendedpermittcpanyhost219.139.*.*eq10000access-list100extendedpermittcpanyhost219.139.*.*eq231access-list100extendedpermittcpanyhost219.139.*.*eq1433access-list100extendedpermittcpanyhost219.139.*.*eq9000access-list100extendedpermittcpanyhost219.139.*.*eq84access-list100extendedpermittcpanyhost219.139.*.*eq10020access-list100extendedpermittcpanyhost219.139.*.*eq10040access-list100extendedpermittcpanyhost219.139.*.*eq87access-list100extendedpermittcpanyhost219.139.*.*eq10101access-list100extendedpermitudpanyhost219.139.*.*eq3200access-list100extendedpermittcpanyhost219.139.*.*eq86access-list100extendedpermittcpanyhost219.139.*.*eq9999access-list100extendedpermittcpanyhost219.139.*.*eqsipaccess-list100extendedpermittcpanyhost219.139.*.*eq5080access-list100extendedpermittcpanyhost219.139.*.*eq10100access-list100extendedpermitudpanyhost219.139.*.*eq3201access-list100extendedpermittcpanyhost219.139.*.*eq3389access-list100extendedpermittcpanyhost219.139.*.*eqftpaccess-list100extendedpermittcpanyhost219.139.*.*eq8080access-list100extendedpermittcpanyhost219.139.*.*eq82access-list100extendedpermittcpanyhost219.139.*.*eq83access-list100extendedpermittcpanyhost219.139.*.*eq16000access-list100extendedpermittcpanyhost219.139.*.*eq15000access-list100extendedpermittcpanyhost219.139.*.*eq8088access-list100extendedpermittcpanyhost219.139.*.*eq211access-list100extendedpermittcpanyhost219.139.*.*eq9099access-list100extendedpermittcpanyhost219.139.*.*eq8000access-list100extendedpermittcpanyhost219.139.*.*eq7777access-list100extendedpermitudpanyhost219.139.*.*eq6661access-list100extendedpermittcpanyhost219.139.*.*eq8500access-list100extendedpermittcpanyhost219.139.*.*eq8600access-list100extendedpermitudpanyhost219.139.*.*eq3100access-list100extendedpermittcpanyhost219.139.*.*eq8081access-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-listacl_insdeextendedpermitipanyanyaccess-list10standardpermitanyaccess-list200extendedpermitipanyanyaccess-list120extendedpermitipanyhost219.139.*.*pagerlines24loggingasdminformationalmtuoutside1500mtuinside1500mtumanagement1500icmpunreachablerate-limit1burst-size1asdmimagedisk0:/asdm-621.binnoasdmhistoryenablearptimeout14400nat-controlglobal(outside)1interfacenat(inside)1nat(inside)1static(inside,outside)tcpinterface814781netmask55static(inside,outside)tcpinterface884988netmask55static(inside,outside)tcpinterface23050230netmask55static(inside,outside)tcpinterface8888478888netmask55static(inside,outside)tcpinterface855085netmask55static(inside,outside)tcpinterface6060236060netmask55static(inside,outside)tcpinterface5070235070netmask55static(inside,outside)tcpinterface6080236080netmask55static(inside,outside)tcpinterface100004710000netmask55static(inside,outside)tcpinterface23147231netmask55static(inside,outside)tcpinterface1433231433netmask55static(inside,outside)tcpinterface9000239000netmask55static(inside,outside)tcpinterface844784netmask55static(inside,outside)udpinterface3100473100netmask55static(inside,outside)tcpinterface100204710020netmask55static(inside,outside)tcpinterface100404710040netmask55static(inside,outside)tcpinterface872387netmask55static(inside,outside)tcpinterface101012310101netmask55static(inside,outside)udpinterface3200233200netmask55static(inside,outside)tcpinterface864686netmask55static(inside,outside)tcpinterface9999469999netmask55static(inside,outside)tcpinterfacesip46sipnetmask55static(inside,outside)tcpinterface5080465080netmask55static(inside,outside)tcpinterface101004610100netmask55static(inside,outside)udpinterface3201463201netmask55static(inside,outside)tcpinterface8080498080netmask55static(inside,outside)tcpinterface825182netmask55static(inside,outside)tcpinterface835283netmask55static(inside,outside)tcpinterface160005116000netmask55static(inside,outside)tcpinterface150005215000netmask55static(inside,outside)tcpinterface8088518088netmask55static(inside,outside)tcpinterface21151211netmask55static(inside,outside)tcpinterface9099529099netmask55static(inside,outside)tcpinterface8000498000netmask55static(inside,outside)tcpinterface7777547777netmask55static(inside,outside)udpinterface666106661netmask55static(inside,outside)tcpinterface8500518500netmask55static(inside,outside)tcpinterface8600518600netmask55static(inside,outside)tcpinterface80818081netmask55static(inside,outside)tcpinterface3389543389netmask55static(inside,outside)tcpinterface8001498001netmask55static(inside,outside)tcpinterfacewww54wwwnetmask55dnsaccess-group120ininterfaceoutsideaccess-group200ininterfaceinsiderouteoutside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1timeoutxlate3:00:00timeoutconn1:00:00half-closed0:10:00udp0:02:00icmp0:00:02t