CISCO ASA5510 Firewall Configuration Manual (CISCO_ASA5510_防火墙配置手册.doc)

Uploader: 11****ws   Document ID: 3115182   Uploaded: 2019-05-21   Format: DOC   Pages: 14   Size: 68KB

1. Password configuration

1.1 Telnet password
Ciscoasa(config)#passwd 123
(password used to log in to the ASA over telnet)

1.2 Enable password
Ciscoasa(config)#enable password 456
(password for entering enable privileged mode)

1.3 Device name
Ciscoasa(config)#hostname wy-ciscoasa

2. Interface configuration

2.1 Interface naming
Ciscoasa(config)#interface Ethernet0/0
Ciscoasa(config-if)#nameif outside
E0/0 is normally named the outside (Internet-facing) interface and E0/1 the inside interface.

2.2 Interface security level
Ciscoasa(config-if)#security-level 100
(100 is the security level; the higher the number, the higher the trust placed in the interface)

2.3 IP address
Ciscoasa(config-if)#ip address 219.139.*.*

2.4 Shutting down / bringing up an interface
Ciscoasa(config-if)#shutdown / no shutdown

3. Static route configuration
Ciscoasa(config)#route inside 192.168.3.0 255.255.255.0 192.168.10.1
Meaning: creates a route on the inside interface to the 192.168.3.0/24 network via 192.168.10.1; the ASA forwards every packet destined for 192.168.3.0/24 to the next hop 192.168.10.1.
Ciscoasa(config)#route outside 0.0.0.0 0.0.0.0 219.139.50.1
Creates the default route on the outside interface; the ASA forwards all Internet traffic to the Internet gateway 219.139.50.1.

4. Network Address Translation (NAT) configuration

4.1 NAT overview
NAT can be implemented in three ways: dynamic NAT, static NAT and PAT.
Dynamic NAT: translates the private IP addresses of the internal network to public IP addresses. The public address is not fixed but chosen at random; every private IP address authorised to access the Internet can be translated to any of the designated legal public addresses.
Static NAT: one-to-one translation of IP addresses.
PAT: changes the source port of outgoing packets and performs port translation. The whole internal network can share a single legal external IP address for Internet access, which saves IP address resources to the greatest extent. At the same time it hides every host on the internal network, effectively avoiding attacks coming from the Internet. For the Wuying project, PAT is therefore the recommended form of NAT.

4.2 Dynamic NAT configuration
Ciscoasa(config)#nat (inside) 1 192.168.3.0 255.255.255.0
Enables NAT for the 192.168.3.0/24 network on the inside interface.
Ciscoasa(config)#global (outside) 1 219.139.50.40-219.139.*.* netmask 255.255.255.0
Dynamically translates addresses from the 192.168.3.0/24 network on the inside interface to addresses in the range 219.139.50.40-219.139.*.*.

4.3 Static NAT configuration
Ciscoasa(config)#nat (inside) 2 192.168.16.254 255.255.255.255
Enables NAT for this single address.
Ciscoasa(config)#global (outside) 2 219.139.*.* netmask 255.255.255.0
Translates 192.168.16.254 to the address 219.139.*.*.

4.4 PAT configuration
Ciscoasa(config)#nat (inside) 3 192.168.16.0 255.255.255.0
Enables NAT for this network.
Ciscoasa(config)#global (outside) 3 interface
(Use this when the ISP provides only a single IP address: the whole internal network shares the outside interface address for Internet access.)

4.5 Port mapping configuration

4.5.1 When port mapping is needed
When the outside network needs to reach a server on the inside network, the ASA has no way of knowing which inside host is being addressed, so a static port mapping has to be configured.

4.5.2 Port mapping syntax
Ciscoasa(config)#access-list list_name extended permit tcp/udp any host outside_address eq port_num
list_name: name of the access control list
tcp/udp: protocol to be mapped
port_num: port number to be mapped
Ciscoasa(config)#static (inside,outside) tcp/udp interface port_num local_address port_num netmask 255.255.255.255
tcp/udp: protocol to be mapped
port_num (first): port number before mapping
local_address: inside host IP address after mapping
port_num (second): port number after mapping

Example:
Ciscoasa(config)#access-list 100 extended permit tcp any host 219.139.*.* eq 80
Allows the outside network to access tcp port 80 of 219.139.*.*.
Ciscoasa(config)#static (inside,outside) tcp interface 80 192.168.16.254 80 netmask 255.255.255.255
When the outside network accesses tcp port 80 of the outside interface address, static PAT maps the connection to tcp port 80 of the inside host 192.168.16.254.
Ciscoasa(config)#access-group 100 in interface outside per-user-override
The ACL must be applied to the interface, otherwise the access is not allowed.

Note: if only a single inside server has to be mapped to the public network, the following can be used instead:
ciscoasa(config)#static (inside,outside) 219.139.*.* 192.168.16.254
ciscoasa(config)#static (inside,outside) 219.139.*.* 192.168.16.254 10000 10
The trailing 10000 limits the number of connections and 10 limits the number of half-open (embryonic) connections.

5. Access control list (ACL) configuration

5.1 General steps for configuring an ACL
1) Configure the access control list.
2) Apply it to an interface in the required direction.

5.2 Standard access control list
Syntax:
ciscoasa(config)#access-list list_name standard deny/permit des_address netmask
list_name: name of the standard ACL (1-99)
deny/permit: block or allow traffic that matches this rule
des_address: destination address to be controlled
netmask: mask of the destination address to be controlled
ciscoasa(config)#access-group list_name in/out interface interface_name
in/out: direction in which the ACL is applied on the interface
interface_name: name of the interface the ACL is applied to

5.3 Extended access control list
ciscoasa(config)#access-list list_name extended deny/permit tcp/udp sour_address sour_mask des_address des_mask eq port_num
list_name: name of the extended ACL
deny/permit: deny or permit traffic that matches this rule
tcp/udp: protocol matched by this rule
sour_address: source address matched by this rule
sour_mask: source address mask matched by this rule
des_address: destination address matched by this rule
des_mask: destination address mask matched by this rule
port_num: port number matched by this rule
ciscoasa(config)#access-group list_name in/out interface interface_name
in/out: inbound or outbound direction on the interface
interface_name: name of the interface the ACL is applied to
Example 1:
ciscoasa(config)#access-list 400 extended deny udp 192.168.3.0 255.255.255.0 192.168.16.254 255.255.255.255 eq 80
Blocks udp port 80 from the source network 192.168.3.0/24 to the destination host 192.168.16.254.
ciscoasa(config)#access-group 400 in interface inside
Note that every ACL ends with an implicit deny, so a list that contains only this deny entry also drops all other traffic entering the inside interface; the permit entries needed by the remaining traffic must be added as well.

6. Checking the ASA's operating state

6.1 Viewing the current ASA configuration
Ciscoasa#show running-config
CPU utilisation (should normally stay below 80%):
Ciscoasa#show cpu usage
Memory usage:
Ciscoasa#show memory
Connection (conn) table size:
Ciscoasa#show conn count
Interface status:
Ciscoasa#show interface interface_name

6.2 Verifying firewall connectivity
Ping:
Ciscoasa#ping ip_address
View the routing table:
Ciscoasa#show route
Check the ASA's ACLs:
Ciscoasa#show access-list

The complete CISCO ASA configuration is as follows:

: Saved
: Written by enable_15 at 01:00:46.039 UTC Tue Sep 21 2010
!
ASA Version 8.2(1)
!
hostname wy-asazlzzx
enable password kt7r2AarZ0QwX7lH encrypted
passwd PLBb27eKLE1o9FTB encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 219.139.*.* 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list 100 extended permit tcp any host 219.139.*.* eq www
access-list 100 extended permit tcp any host 219.139.*.* eq 81
access-list 100 extended permit tcp any host 219.139.*.* eq 88
access-list 100 extended permit tcp any host 219.139.*.* eq 230
access-list 100 extended permit tcp any host 219.139.*.* eq 8888
access-list 100 extended permit tcp any host 219.139.*.* eq 85
access-list 100 extended permit tcp any host 219.139.*.* eq 6060
access-list 100 extended permit tcp any host 219.139.*.* eq 5070
access-list 100 extended permit tcp any host 219.139.*.* eq 6080
access-list 100 extended permit tcp any host 219.139.*.* eq 10000
access-list 100 extended permit tcp any host 219.139.*.* eq 231
access-list 100 extended permit tcp any host 219.139.*.* eq 1433
access-list 100 extended permit tcp any host 219.139.*.* eq 9000
access-list 100 extended permit tcp any host 219.139.*.* eq 84
access-list 100 extended permit tcp any host 219.139.*.* eq 10020
access-list 100 extended permit tcp any host 219.139.*.* eq 10040
access-list 100 extended permit tcp any host 219.139.*.* eq 87
access-list 100 extended permit tcp any host 219.139.*.* eq 10101
access-list 100 extended permit udp any host 219.139.*.* eq 3200
access-list 100 extended permit tcp any host 219.139.*.* eq 86
access-list 100 extended permit tcp any host 219.139.*.* eq 9999
access-list 100 extended permit tcp any host 219.139.*.* eq sip
access-list 100 extended permit tcp any host 219.139.*.* eq 5080
access-list 100 extended permit tcp any host 219.139.*.* eq 10100
access-list 100 extended permit udp any host 219.139.*.* eq 3201
access-list 100 extended permit tcp any host 219.139.*.* eq 3389
access-list 100 extended permit tcp any host 219.139.*.* eq ftp
access-list 100 extended permit tcp any host 219.139.*.* eq 8080
access-list 100 extended permit tcp any host 219.139.*.* eq 82
access-list 100 extended permit tcp any host 219.139.*.* eq 83
access-list 100 extended permit tcp any host 219.139.*.* eq 16000
access-list 100 extended permit tcp any host 219.139.*.* eq 15000
access-list 100 extended permit tcp any host 219.139.*.* eq 8088
access-list 100 extended permit tcp any host 219.139.*.* eq 211
access-list 100 extended permit tcp any host 219.139.*.* eq 9099
access-list 100 extended permit tcp any host 219.139.*.* eq 8000
access-list 100 extended permit tcp any host 219.139.*.* eq 7777
access-list 100 extended permit udp any host 219.139.*.* eq 6661
access-list 100 extended permit tcp any host 219.139.*.* eq 8500
access-list 100 extended permit tcp any host 219.139.*.* eq 8600
access-list 100 extended permit udp any host 219.139.*.* eq 3100
access-list 100 extended permit tcp any host 219.139.*.* eq 8081
access-list 110 extended permit ip 192.168.3.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.4.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.5.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.6.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.7.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.8.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.10.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.11.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.21.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.31.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.41.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.51.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.61.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.71.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.100.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.16.0 255.255.255.0 any
access-list 110 extended permit ip 192.168.9.0 255.255.255.0 any
access-list acl_insde extended permit ip any any
access-list 10 standard permit any
access-list 200 extended permit ip any any
access-list 120 extended permit ip any host 219.139.*.*
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 81 192.168.16.247 81 netmask 255.255.255.255
static (inside,outside) tcp interface 88 192.168.16.249 88 netmask 255.255.255.255
static (inside,outside) tcp interface 230 192.168.16.250 230 netmask 255.255.255.255
static (inside,outside) tcp interface 8888 192.168.16.247 8888 netmask 255.255.255.255
static (inside,outside) tcp interface 85 192.168.16.250 85 netmask 255.255.255.255
static (inside,outside) tcp interface 6060 192.168.16.223 6060 netmask 255.255.255.255
static (inside,outside) tcp interface 5070 192.168.16.223 5070 netmask 255.255.255.255
static (inside,outside) tcp interface 6080 192.168.16.223 6080 netmask 255.255.255.255
static (inside,outside) tcp interface 10000 192.168.16.247 10000 netmask 255.255.255.255
static (inside,outside) tcp interface 231 192.168.16.247 231 netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.16.223 1433 netmask 255.255.255.255
static (inside,outside) tcp interface 9000 192.168.16.223 9000 netmask 255.255.255.255
static (inside,outside) tcp interface 84 192.168.16.247 84 netmask 255.255.255.255
static (inside,outside) udp interface 3100 192.168.16.247 3100 netmask 255.255.255.255
static (inside,outside) tcp interface 10020 192.168.16.247 10020 netmask 255.255.255.255
static (inside,outside) tcp interface 10040 192.168.16.247 10040 netmask 255.255.255.255
static (inside,outside) tcp interface 87 192.168.16.223 87 netmask 255.255.255.255
static (inside,outside) tcp interface 10101 192.168.16.223 10101 netmask 255.255.255.255
static (inside,outside) udp interface 3200 192.168.16.223 3200 netmask 255.255.255.255
static (inside,outside) tcp interface 86 192.168.16.246 86 netmask 255.255.255.255
static (inside,outside) tcp interface 9999 192.168.16.246 9999 netmask 255.255.255.255
static (inside,outside) tcp interface sip 192.168.16.246 sip netmask
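The ACL semantics from section 5 (the first matching entry decides, and a packet that matches nothing hits the implicit deny at the end of the list) applied to the manual's own ACL 400 and to entries written in the style of the running config's ACL 100, as an added Python example that is not part of the original manual. The samples are constructed, and 203.0.113.10 stands in for the masked 219.139.*.* host.

```python
import ipaddress

# Port names the ASA prints in the running config above (www, ftp, sip).
NAMED_PORTS = {"www": 80, "ftp": 21, "sip": 5060}

def _take_addr(toks):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'network mask'."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(toks[0] + "/" + toks[1], strict=False), toks[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    toks = line.split()
    src, rest = _take_addr(toks[5:])
    dst, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
    return {"name": toks[1], "action": toks[3], "proto": toks[4],
            "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src_ip, dst_ip, dport):
    """First matching entry decides; no match means the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if src in ace["src"] and dst in ace["dst"] and ace["dport"] in (None, dport):
            return ace["action"]
    return "implicit-deny"

# Constructed sample: the manual's ACL 400 (section 5.3) and three ACL 100 style
# entries, with 203.0.113.10 standing in for the masked 219.139.*.* host.
ACL_400 = ["access-list 400 extended deny udp 192.168.3.0 255.255.255.0 "
           "192.168.16.254 255.255.255.255 eq 80"]
ACL_100 = ["access-list 100 extended permit tcp any host 203.0.113.10 eq www",
           "access-list 100 extended permit udp any host 203.0.113.10 eq 3200",
           "access-list 100 extended permit tcp any host 203.0.113.10 eq sip"]

if __name__ == "__main__":
    # ACL 400 inbound on inside: the deny works, but everything else is dropped too.
    print(evaluate(ACL_400, "udp", "192.168.3.7", "192.168.16.254", 80))  # deny
    print(evaluate(ACL_400, "tcp", "192.168.3.7", "192.168.16.254", 80))  # implicit-deny
    # A closing 'permit ip any any' restores the rest of the inside traffic.
    print(evaluate(ACL_400 + ["access-list 400 extended permit ip any any"],
                   "tcp", "192.168.3.7", "192.168.16.254", 80))           # permit
```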
