Hao Wendang (好文档): a sharing site for professional writing samples and reference material

Cisco ASA 5505 Firewall: Common Configuration Examples


interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit tcp any host 221.221.147.195 eq 8089
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any
access-list 101 extended permit udp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) 221.221.147.195 192.168.0.10 netmask 255.255.255.255 tcp 8089 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 221.221.147.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:30e219cbc04a4c919e7411de55e14a64
: end

ciscoasa(config)#
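As an added audit example (not part of the original page), the following Python script reads the running-config above the way a reviewer would check it before deployment: it collects the static mapping and the ACL applied inbound on outside, then flags the any-to-any permits that make the per-port ACE for 8089 ineffective, the factory-default password hash (the hash of "cisco" that the ASA ships with), and the cleartext telnet management line from the configuration notes further down. It assumes the pre-8.3 static/global/nat syntax used on this page and parses only the non-port form of static.

```python
import re

# Constructed sample: lines copied from the ASA 5505 running-config on this page,
# plus the management-access lines from the configuration notes further down.
SAMPLE_CONFIG = """
passwd 2KFQnbNIdI.2KYOU encrypted
access-list 101 extended permit tcp any host 221.221.147.195 eq 8089
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any
access-list 101 extended permit udp any any
global (outside) 1 interface
static (inside,outside) 221.221.147.195 192.168.0.10 netmask 255.255.255.255 tcp 8089 0
access-group 101 in interface outside
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
"""

# Hash the ASA ships in its factory-default configuration for the password "cisco".
DEFAULT_PW_HASH = "2KFQnbNIdI.2KYOU"


def audit(config: str) -> list[str]:
    """Return human-readable findings for a pre-8.3 style ASA config (assumed format)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: list[str] = []
    inbound_acls, statics = set(), {}
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface outside$", ln)
        if m:
            inbound_acls.add(m.group(1))
        # Only the "static (inside,outside) <outside-ip> <inside-ip>" form is parsed.
        m = re.match(r"static \(inside,outside\) (\S+) (\S+)", ln)
        if m:
            statics[m.group(1)] = m.group(2)   # outside ip -> inside host
    for ln in lines:
        m = re.match(r"access-list (\S+) extended permit (tcp|udp|ip) any any$", ln)
        if m and m.group(1) in inbound_acls:
            for outside_ip, inside_ip in statics.items():
                findings.append(
                    f"ACL {m.group(1)} permits {m.group(2)} any->any inbound on outside: "
                    f"every {m.group(2)} port of {inside_ip} (via {outside_ip}) is reachable, "
                    f"so the per-port ACE is ineffective")
        if re.match(r"(passwd|enable password) " + re.escape(DEFAULT_PW_HASH), ln):
            findings.append(f"factory-default password hash still set: '{ln.split()[0]}'")
        if ln.startswith("telnet ") and not ln.startswith("telnet timeout"):
            findings.append(f"cleartext telnet management enabled: '{ln}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```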

------------------------------------------------------------

While looking for a solution, a friend gave an important hint: use static (inside,outside) int 192.168.0.10 tcp 8089 for the mapping, but that produced a warning:

WARNING: static redireting all traffics at outside interface;

WARNING: all services terminating at outside interface are disabled.

The command was then changed to: static (inside,outside) 221.221.147.195 192.168.0.10 tcp 8089, and the problem was solved.

ASA 5505 configuration notes

1. IP address configuration

#int vlan1
#nameif outside
#security-level 0
#ip address 172.16.1.1 255.255.0.0
#end
#int vlan 2
#nameif inside
#security-level 100
#ip address 192.168.1.1 255.255.255.0
#end

2. Assign the ports to their VLANs

#int Eth0/0
#switchport access vlan 1
#end
#int Eth0/1
#switchport access vlan 2
#end
#exit

3. Configure HTTP, telnet and SSH management

#username xxx password xxxxxx encrypted privilege 15
#aaa authentication enable console LOCAL
#aaa authentication telnet console LOCAL
#aaa authentication http console LOCAL
#aaa authentication ssh console LOCAL
#aaa authorization command LOCAL
#http server enable
#http 192.168.1.0 255.255.255.0 inside
#telnet 192.168.1.0 255.255.255.0 inside
#ssh 192.168.1.0 255.255.255.0 inside
#crypto key generate rsa    (generates the RSA key that enables the SSH service)

4. VPN configuration

VPN can be configured from ASDM; the details are omitted here.

Cisco ASA 5510: real configuration case with explanations

Last year an ASA 5510 firewall was sold to a large enterprise. The actual configuration is attached below, with every line explained clearly; it is well worth consulting.

2008-12-15 11:07

ASA5510# SHOW RUN
: Saved
:
ASA Version 7.0(6)
!
hostname ASA5510
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!

interface Ethernet0/0                      This is the external (outside) network interface
 nameif outside                            Name it OUTSIDE, the external interface role
 security-level 0                          Security level of the outside interface is 0
 ip address 192.168.3.234 255.255.255.0    Add the outside IP address (usually provided by the ISP, China Telecom or China Netcom)
!
interface Ethernet0/1                      This is the internal (inside) network interface
 nameif inside                             Name it INSIDE, the internal interface role
 security-level 100                        Security level of the inside interface is 100
 ip address 10.1.1.1 255.255.0.0           Add the inside IP address (usually assigned by the company itself)
!
interface Ethernet0/2                      Not used; disabled with shutdown
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0                    Not used; disabled with shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0      Not used; this is the port a cable is plugged into for management
 management-only
!

passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface               Must be entered; it enables PAT (port address translation), and "1" is the NAT ID
nat (inside) 1 10.1.0.0 255.255.0.0        Translate all internal addresses in 10.1.0.0
route outside 0.0.0.0 0.0.0.0 192.168.3.254 1
                                           Default route: all internal addresses reach the outside through the gateway address provided by the ISP (China Telecom or China Netcom)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd address 10.1.1.30-10.1.1.200 inside           DHCP automatically hands out addresses from the range 10.1.1.30 to 10.1.1.200
dhcpd address 192.168.1.2-192.168.1.254 management  Not in effect
dhcpd dns 192.168.0.1                               DNS server to hand out: either the ISP's DNS server entered directly, or your own DNS server address
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain suzhou.jy                              Domain name
dhcpd enable inside                                 Enable automatic address assignment on the inside network
dhcpd enable management                             Not in effect
access-list icmp_in extended permit icmp any any    These two lines allow ping packets to be sent and received
access-group icmp_in in interface outside
Cryptochecksum:6148633dac00f8f7a3418833f98d5ad4
: end
