interface Vlan2
nameif outside --------------------对端口命名外端口 security-level 0 --------------------设置端口等级 ip address X.X.X.X 255.255.255.224 --------------------调试外网地址 !
interface Vlan3
nameif inside --------------------对端口命名内端口 security-level 100 --------------------调试外网地址 ip address 192.168.1.1 255.255.255.0 --------------------设置端口等级 !
interface Ethernet0/0
switchport access vlan 2 --------------------设置端口VLAN与VLAN2绑定 !
interface Ethernet0/1
switchport access vlan 3 --------------------设置端口VLAN与VLAN3绑定 !
interface Ethernet0/2 shutdown !
interface Ethernet0/3 shutdown !
interface Ethernet0/4 shutdown !
interface Ethernet0/5 shutdown !
interface Ethernet0/6 shutdown !
interface Ethernet0/7 shutdown !
passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive
dns domain-lookup inside dns server-group DefaultDNS name-server 211.99.129.210 name-server 202.106.196.115
access-list 102 extended permit icmp any any ------------------设置ACL列表(允许ICMP全部通过)
access-list 102 extended permit ip any any ------------------设置ACL列表(允许所有IP全部通过)
pager lines 24 mtu outside 1500 mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400
global (outside) 1 interface ------------------设置NAT地址映射到外网口
nat (inside) 1 0.0.0.0 0.0.0.0 ------------------NAT地址池(所有地址) access-group 102 in interface outside ------------------设置ACL列表绑定到外端口 route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 ------------------设置到外网的默认路由 timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute no snmp-server location no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside ------------------设置TELNET所有地址进入
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside ------------------设置SSH所有地址进入 ssh timeout 30 ssh version 2
console timeout 0 !
dhcpd address 192.168.1.100-192.168.1.199 inside ------------------设置DHCP服务器地址池
dhcpd dns 211.99.129.210 202.106.196.115 interface inside ------------------设置DNS服务器到内网端口
dhcpd enable inside ------------------设置DHCP应用到内网端口 !
前几天去客户那调试CISCO-ASA-5505设备,第一次摸,跟PIX一样,呵呵.没有技术含量,都是最基本的.其他业务配置暂时没配,会及时更新的.Cisco ASA5505配置 cisco, config, telnet, 防火墙, Cisco 1.配置防火墙名 ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# hostname asa5505 2.配置telnet
asa5505(config)#telnet 192.168.1.0 255.255.255.0 inside ↑//允许内部接口192.168.1.0网段telnet防火墙
3.配置密码
asa5505(config)# password cisco ------------------远程密码
asa5505(config)# enable password cisco ------------------特权模式密码 4.配置IP
asa5505(config)# interface vlan 2 ------------------进入vlan2
asa5505(config-if)# ip address 218.16.37.222 255.255.255.192 ------------------vlan2配置IP asa5505(config)#show ip address vlan2 ------------------验证配置 5.端口加入vlan
asa5505(config)# interface e0/3 ------------------进入接口e0/3
asa5505(config-if)# switchport access vlan 3 ------------------接口e0/3加入vlan3 asa5505(config)# interface vlan 3 ------------------进入vlan3
asa5505(config-if)# ip address 10.10.10.36 255.255.255.224 ------------------vlan3配置IP asa5505(config-if)# nameif dmz ------------------vlan3名 asa5505(config-if)# no shutdown ------------------开启
asa5505(config-if)# show switch vlan ------------------验证配置 6.最大传输单元MTU
asa5505(config)#mtu inside 1500 ------------------inside最大传输单元1500字节 asa5505(config)#mtu outside 1500 ------------------outside最大传输单元1500字节 asa5505(config)#mtu dmz 1500 ------------------dmz最大传输单元1500字节 7.配置arp表的超时时间
asa5505(config)#arp timeout 14400 ------------------arp表的超时时间14400秒 8.FTP模式
asa5505(config)#ftp mode passive ------------------FTP被动模式 9.配置域名
asa5505(config)#domain-name Cisco.com
10.启动日志
asa5505(config)#logging enable ------------------启动日志
asa5505(config)#logging asdm informational ------------------启动asdm报告日志 asa5505(config)#Show logging ------------------验证配置 11.启用http服务
asa5505(config)#http server enable ------------------启动HTTP server,便于ASDM连接。 asa5505(config)#http 0.0.0.0 0.0.0.0 outside ------------------对外启用ASDM连接 asa5505(config)#http 0.0.0.0 0.0.0.0 inside ------------------对内启用ASDM连接 12.控制列表
access-list acl_out extended permit tcp any any eq www ------------------允许tcp协议80端口入站 access-list acl_out extended permit tcp any any eq https ------------------允许tcp协议443端口入站
access-list acl_out extended permit tcp any host 218.16.37.223 eq ftp ↑//允许tcp协议21端口到218.16.37.223主机
access-list acl_out extended permit tcp any host 218.16.37.224 eq 3389 ↑//允许tcp协议3389端口到218.16.37.224主机
access-list acl_out extended permit tcp any host 218.16.37.225 eq 1433 ↑//允许tcp协议1433端口到218.16.37.225主机
access-list acl_out extended permit tcp any host 218.16.37.226 eq 8080
↑//允许tcp协议8080端口到218.16.37.226主机 asa5505(config)#show access-list ------------------验证配置 13.设置路由
asa5505(config)#route dmz 10.0.0.0 255.0.0.0 10.10.10.33 1
↑//静态路由到10.0.0.0网段经过10.10.10.33网关跳数为1 asa5505(config)#route outside 0.0.0.0 0.0.0.0 218.16.37.193 1 ↑//默认路由到所有网段经过218.16.37.193网关跳数为1 asa5505# show route ------------------显示路由信息 14.静态NAT
asa5505(config)# static (inside,outside) 218.16.37.223 192.168.1.6 netmask 255.255.255.255 ↑//外网218.16.37.223映射到内网192.168.1.6
asa5505(config)#access-list acl_out extended permit icmp any any ↑//控制列表名acl_out允许ICMP协议
asa5505(config)#access-group acl_out in interface outside
↑//控制列表acl_out应用到outside接口
asa5505(config)#static (inside,dmz) 10.10.10.37 192.168.1.16 netmask 255.255.255.255 ↑//dmz10.10.10.37映射到内网192.168.1.16
asa5505(config)#access-list acl_dmz extended permit icmp any any ↑//控制列表名acl_dmz允许ICMP协议
asa5505(config)#access-group acl_dmz in interface dmz -----------------控制列表acl_out应用到dmz接口 asa5505(config)#Show nat ------------------验证配置 15.动态NAT
asa5505(config)#global(outside) 1 218.201.35.224-218.201.35.226 ------------------定义全局地址池
asa5505(config)#nat(inside) 1 192.168.1.20-192.168.1.22 ------------------内部转换地址池 asa5505(config)# show xlate ------------------验证配置 16.基于端口NAT(PAT)
asa5505(config)#global (outside) 2 interface ----------------定义全局地址即outside地址:218.16.37.222
asa5505(config)#nat (inside) 2 192.168.1.0 255.255.255.0 ------------------内部转换地址池 asa5505(config)# show xlate ------------------验证配置 17.基于LAN故障倒换(failover) 1).主防火墙配置
asa5505(config)#failover mac addr outside 001a.2b3c.4d11 001a.2b3c.4w12----故障倒换虚拟MAC地址
asa5505(config)#failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w22-----故障倒换虚拟MAC地址
asa5505(config)#failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w32-----故障倒换虚拟MAC地址
asa5505(config)#failover ------------------启动故障倒换
asa5505(config)#failover lan unit primary ------------------设置主要防火墙
asa5505(config)#failover lan interface standby Vlan4 ------------------故障倒换接口名standby asa5505(config)#failover interface ip standby 172.168.32.1 255.255.255.252 standby 172.168.32.2
↑//配置主防火墙IP:172.168.32.1,备用防火墙IP:172.168.32.2 asa5505# show failover ------------------验证配置 2).备防火墙配置
asa5505(config)#failover mac addr outside 001a.2b3c.4d11 001a.2b3c.4w12----故障倒换虚拟MAC地址
asa5505(config)#failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w22------故障倒换虚拟MAC地址asa5505(config)#failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w32------故障倒换虚拟MAC地址asa5505(config)#failover ------------------启动故障倒换 asa5505(config)#failover lan unit secondary ------------------设置备用防火墙
asa5505(config)#failover lan interface standby Vlan4 ------------------故障倒换接口名standby asa5505(config)#failover interface ip standby 172.168.32.1 255.255.255.252 standby 172.168.32.2
↑//配置主防火墙IP:172.168.32.1,备用防火墙IP:172.168.32.2 asa5505# show failover ------------------验证配置 18.显示mac地址
asa5505# show switch mac-address-table
19.保存配置
asa5505# write memoryCisco ASA 5505防火墙地址映射问题解决前些天帮朋友配置一台Cisco ASA5505防火墙, 映射总是不成功. 在网上也看到很多朋友遇到了这种问题,都在寻问这个解决方法.有人已经将问题解决了,但没给出解决方案. 也许这并不是一个很复杂的难题,但我希望通过博客能帮助朋友们及时得到这个小问题的处理. 基本情况:
WAN: 221.221.147.195 Gateway: 221.221.147.200 LAN: 192.168.0.1 内网中有一台服务器,地址: 192.168.0.10 端口: 8089
故障描述: 内网可正常连接至服务器,外网无法连接. 端口映射出现问题. 解决方法: 命令行错误, 已更正并解决.
问题重点: 采用 \映射. 目前配置如下: ASA Version 7.2(2) !
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted names !
interface Vlan1 nameif inside security-level 100
ip address 192.168.0.1 255.255.255.0 !
interface Vlan2 nameif outside security-level 0
ip address 221.221.147.195 255.255.255.252 !
Cisco ASA 5505 防火墙常用配置案例
