1、asa5520 防火墙透明模式的配置例子 ciscoasa# sh run : Saved : ASA Version 7.2(3) ! firewall transparent hostname ciscoasa domain-name default.domain.invalid enable password 8Ry2YjIyt7RRXU24 encrypted names ! interface GigabitEthernet0/0 nameif outside security-level 0 ! interface GigabitEthernet0/1 nameif inside
2、security-level 100 ! interface GigabitEthernet0/2 shutdown no nameif no security-level ! interface GigabitEthernet0/3 shutdown no nameif no security-level ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! passwd 2KFQnbNIdI.2KYOU enc
3、rypted ftp mode passive dns server-group DefaultDNS domain-name default.domain.invalid access-list acl_inside extended permit ip any any access-list acl_inside extended permit icmp any any access-list acl_outside extended permit tcp any any eq 3306 access-list acl_outside extended permit tcp any any
4、 eq www access-list acl_outside extended permit tcp any any eq 8080 access-list acl_outside extended permit tcp any any eq https access-list acl_outside extended permit tcp any any eq sqlnet access-list acl_outside extended permit tcp any any eq ftp access-list acl_outside extended permit tcp any an
5、y eq 1433 access-list acl_outside extended permit esp any any access-list acl_outside extended permit udp any any eq isakmp access-list acl_outside extended permit tcp any any eq pop3 access-list acl_outside extended permit tcp any any eq smtp access-list acl_outside extended permit icmp any any pag
6、er lines 24 mtu outside 1500 mtu inside 1500 mtu management 1500 ip address 172.16.177.208 255.255.255.0 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/ASDM-523.BIN no asdm history enable arp timeout 14400 access-group acl_outside in interface outside access-group acl_insid
7、e in interface inside timeout xlate 3:00:00 timeout conn 0:20:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute
8、http server enable http 192.168.1.0 255.255.255.0 management http 0.0.0.0 0.0.0.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet timeout 5 ssh timeout 5 console timeout 0 ! class-map inspection_default match default
9、-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny in
10、spect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect pptp ! service-policy global_policy global username cisco password 3USUcOPFUiMCO4Jk encrypted prompt hostname context Cryptochecksum:4682fd668f251c28d32a0cb82a3ac5f3 : end ciscoasa# 注意点:语句 ip address 172.16.177.208 255.255.255.0 是在 interface GigabitEthernet0/0 下配的,自己跑到外面来了,如果不配这个,好像 ping 不通。