Cisco ASA 5505 basic configuration


interface Vlan2
 nameif outside ---- name the interface as the outside port
 security-level 0 ---- set the interface security level
 ip address X.X.X.X 255.255.255.224 ---- set the outside (WAN) address
!
interface Vlan3
 nameif inside ---- name the interface as the inside port
 security-level 100 ---- set the interface security level
 ip address 192.168.1.1 255.255.255.0 ---- set the inside address
!
interface Ethernet0/0
 switchport access vlan 2 ---- bind this port to VLAN 2
!
interface Ethernet0/1
 switchport access vlan 3 ---- bind this port to VLAN 3
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 211.99.129.210
 name-server 202.106.196.115
access-list 102 extended permit icmp any any ---- ACL entry (allow all ICMP through)
access-list 102 extended permit ip any any ---- ACL entry (allow all IP traffic through)
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface ---- NAT: translate to the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0 0 ---- NAT pool (all inside addresses); the trailing 0 means no limit on the number of sessions
access-group 102 in interface outside ---- apply ACL 102 inbound on the outside interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1 ---- default route towards the Internet
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside ---- allow telnet from any address on the inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside ---- allow SSH from any address on the outside
ssh timeout 30
ssh version 2
console timeout 0
!
dhcpd address 192.168.1.100-192.168.1.199 inside ---- DHCP server address pool
dhcpd dns 211.99.129.210 202.106.196.115 interface inside ---- DNS servers handed out on the inside interface
dhcpd enable inside ---- enable DHCP on the inside interface
!

A few days ago I went to a customer's site to set up a Cisco ASA 5505, my first time touching one. It is just like a PIX, heh. Nothing technically demanding, all the basics. The other service configuration has not been done yet; I will update it in time.

Cisco ASA 5505 configuration
1. Configure the firewall hostname
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# hostname asa5505

2. Configure telnet
asa5505(config)# telnet 192.168.1.0 255.255.255.0 inside ---- allow the 192.168.1.0 network on the inside interface to telnet to the firewall

3. Configure passwords
asa5505(config)# password cisco ---- remote login password
asa5505(config)# enable password cisco ---- privileged-mode password

4. Configure IP addresses
asa5505(config)# interface vlan 2 ---- enter vlan2
asa5505(config-if)# ip address 218.16.37.222 255.255.255.192 ---- IP address of vlan2
asa5505(config)# show ip address vlan2 ---- verify the configuration

5. Put ports into VLANs
asa5505(config)# interface e0/3 ---- enter interface e0/3
asa5505(config-if)# switchport access vlan 3 ---- put e0/3 into vlan3
asa5505(config)# interface vlan 3 ---- enter vlan3
asa5505(config-if)# ip address 10.10.10.36 255.255.255.224 ---- IP address of vlan3
asa5505(config-if)# nameif dmz ---- name of vlan3
asa5505(config-if)# no shutdown ---- bring it up
asa5505(config-if)# show switch vlan ---- verify the configuration

6. Maximum transmission unit (MTU)
asa5505(config)# mtu inside 1500 ---- inside MTU 1500 bytes
asa5505(config)# mtu outside 1500 ---- outside MTU 1500 bytes
asa5505(config)# mtu dmz 1500 ---- dmz MTU 1500 bytes

7. ARP table timeout
asa5505(config)# arp timeout 14400 ---- ARP entries time out after 14400 seconds

8. FTP mode
asa5505(config)# ftp mode passive ---- FTP passive mode

9. Domain name
asa5505(config)# domain-name Cisco.com

10. Enable logging
asa5505(config)# logging enable ---- turn on logging
asa5505(config)# logging asdm informational ---- send informational logs to ASDM
asa5505(config)# show logging ---- verify the configuration

11. Enable the HTTP service
asa5505(config)# http server enable ---- start the HTTP server so ASDM can connect
asa5505(config)# http 0.0.0.0 0.0.0.0 outside ---- allow ASDM connections from the outside
asa5505(config)# http 0.0.0.0 0.0.0.0 inside ---- allow ASDM connections from the inside

12. Access control lists
access-list acl_out extended permit tcp any any eq www ---- allow TCP port 80 inbound
access-list acl_out extended permit tcp any any eq https ---- allow TCP port 443 inbound
access-list acl_out extended permit tcp any host 218.16.37.223 eq ftp ---- allow TCP port 21 to host 218.16.37.223
access-list acl_out extended permit tcp any host 218.16.37.224 eq 3389 ---- allow TCP port 3389 to host 218.16.37.224
access-list acl_out extended permit tcp any host 218.16.37.225 eq 1433 ---- allow TCP port 1433 to host 218.16.37.225
access-list acl_out extended permit tcp any host 218.16.37.226 eq 8080 ---- allow TCP port 8080 to host 218.16.37.226
asa5505(config)# show access-list ---- verify the configuration

13. Routes
asa5505(config)# route dmz 10.0.0.0 255.0.0.0 10.10.10.33 1 ---- static route to 10.0.0.0 via gateway 10.10.10.33, hop count 1
asa5505(config)# route outside 0.0.0.0 0.0.0.0 218.16.37.193 1 ---- default route for all networks via gateway 218.16.37.193, hop count 1
asa5505# show route ---- display the routing table

14. Static NAT
asa5505(config)# static (inside,outside) 218.16.37.223 192.168.1.6 netmask 255.255.255.255 ---- outside 218.16.37.223 maps to inside 192.168.1.6
asa5505(config)# access-list acl_out extended permit icmp any any ---- ACL acl_out allows ICMP
asa5505(config)# access-group acl_out in interface outside ---- apply ACL acl_out to the outside interface
asa5505(config)# static (inside,dmz) 10.10.10.37 192.168.1.16 netmask 255.255.255.255 ---- dmz 10.10.10.37 maps to inside 192.168.1.16
asa5505(config)# access-list acl_dmz extended permit icmp any any ---- ACL acl_dmz allows ICMP
asa5505(config)# access-group acl_dmz in interface dmz ---- apply ACL acl_dmz to the dmz interface
asa5505(config)# show nat ---- verify the configuration

15. Dynamic NAT
asa5505(config)# global (outside) 1 218.201.35.224-218.201.35.226 ---- define the global address pool
asa5505(config)# nat (inside) 1 192.168.1.20-192.168.1.22 ---- inside addresses to be translated
asa5505(config)# show xlate ---- verify the configuration

16. Port-based NAT (PAT)
asa5505(config)# global (outside) 2 interface ---- use the outside interface address 218.16.37.222 as the global address
asa5505(config)# nat (inside) 2 192.168.1.0 255.255.255.0 ---- inside addresses to be translated
asa5505(config)# show xlate ---- verify the configuration

17. LAN-based failover
1) Primary firewall
asa5505(config)# failover mac addr outside 001a.2b3c.4d11 001a.2b3c.4w12 ---- failover virtual MAC addresses
asa5505(config)# failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w22 ---- failover virtual MAC addresses
asa5505(config)# failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w32 ---- failover virtual MAC addresses
asa5505(config)# failover ---- enable failover
asa5505(config)# failover lan unit primary ---- make this the primary firewall
asa5505(config)# failover lan interface standby Vlan4 ---- failover link interface, named standby
asa5505(config)# failover interface ip standby 172.168.32.1 255.255.255.252 standby 172.168.32.2 ---- primary firewall IP 172.168.32.1, standby firewall IP 172.168.32.2
asa5505# show failover ---- verify the configuration
2) Standby firewall
asa5505(config)# failover mac addr outside 001a.2b3c.4d11 001a.2b3c.4w12 ---- failover virtual MAC addresses
asa5505(config)# failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w22 ---- failover virtual MAC addresses
asa5505(config)# failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w32 ---- failover virtual MAC addresses
asa5505(config)# failover ---- enable failover
asa5505(config)# failover lan unit secondary ---- make this the standby firewall
asa5505(config)# failover lan interface standby Vlan4 ---- failover link interface, named standby
asa5505(config)# failover interface ip standby 172.168.32.1 255.255.255.252 standby 172.168.32.2 ---- primary firewall IP 172.168.32.1, standby firewall IP 172.168.32.2
asa5505# show failover ---- verify the configuration

18. Show MAC addresses
asa5505# show switch mac-address-table

19. Save the configuration
asa5505# write memory
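The first configuration above opens telnet to every inside address, SSH and ASDM (http) to every outside address, and applies an ACL with permit ip any any inbound on outside; steps 11 and 12 of the walkthrough do the same with http 0.0.0.0 0.0.0.0 outside and acl_out. The Python script below is an added example (not code from the page and not a Cisco tool) that reads a running-config in the format shown here and reports those exposures. The embedded sample config is constructed from the lines above, and the high/medium labels are this example's own scale.

```python
"""Audit an ASA running-config for exposed management services and
over-permissive inbound ACLs (added example, not code from the page)."""
from dataclasses import dataclass

# Constructed sample: condensed from the 5505 config above, keeping the
# lines this audit is meant to flag.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif inside
 security-level 100
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
access-list acl_out extended permit tcp any host 218.16.37.223 eq ftp
access-group 102 in interface outside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
"""

ANY_NET = ("0.0.0.0", "0.0.0.0")


@dataclass
class Finding:
    severity: str   # "high" or "medium" (this example's own scale)
    line: str       # the config line that triggered it
    reason: str


def parse_config(text):
    """Return (security levels, ACLs, applied ACLs, management scopes)."""
    levels = {}    # nameif -> security-level
    acls = {}      # ACL name -> list of ACE token lists, e.g. ['permit','ip','any','any']
    applied = {}   # nameif -> (ACL name, direction)
    mgmt = []      # (service, network, mask, nameif) for telnet/ssh/http scope lines
    current = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            current = None
        elif tok[0] == "nameif":
            current = tok[1]
        elif tok[0] == "security-level" and current:
            levels[current] = int(tok[1])
        elif tok[0] == "access-list" and len(tok) > 3 and tok[2] == "extended":
            acls.setdefault(tok[1], []).append(tok[3:])
        elif tok[0] == "access-group" and len(tok) == 5:
            applied[tok[4]] = (tok[1], tok[2])      # access-group NAME in interface IFC
        elif tok[0] in ("telnet", "ssh", "http") and len(tok) == 4:
            mgmt.append((tok[0], tok[1], tok[2], tok[3]))
    return levels, acls, applied, mgmt


def ace_is_any_to_any(ace):
    """True for 'permit PROTO any any ...' with no host or network qualifier."""
    return len(ace) >= 4 and ace[0] == "permit" and ace[2] == "any" and ace[3] == "any"


def audit(text):
    levels, acls, applied, mgmt = parse_config(text)
    findings = []
    for service, net, mask, ifc in mgmt:
        line = f"{service} {net} {mask} {ifc}"
        from_any = (net, mask) == ANY_NET
        low_trust = levels.get(ifc, 0) < 100        # outside/dmz-style interface
        if service == "telnet":
            findings.append(Finding("high" if from_any else "medium", line,
                            "telnet is cleartext" + (" and open to any source" if from_any else "")))
        elif from_any:
            findings.append(Finding("high" if low_trust else "medium", line,
                            f"{service} management reachable from any address on {ifc}"))
    for ifc, (acl, direction) in applied.items():
        if direction != "in" or levels.get(ifc, 0) >= 100:
            continue                                  # only inbound ACLs on low-trust interfaces
        for ace in acls.get(acl, []):
            if not ace_is_any_to_any(ace):
                continue
            line = f"access-list {acl} extended " + " ".join(ace)
            if ace[1] == "ip":
                findings.append(Finding("high", line,
                                f"permit ip any any inbound on {ifc} lets every flow through"))
            else:
                findings.append(Finding("medium", line,
                                f"permit {ace[1]} any any inbound on {ifc} reaches every host behind it"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}: {f.reason}")
```

Run against the sample it reports five findings: the three any-source management lines, the ICMP any/any entry, and the permit ip any any entry that makes ACL 102 a no-op firewall. The http 192.168.1.0/24 inside line is not reported, which is the shape the later notes section uses for management access.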

Cisco ASA 5505 firewall address mapping problem

A few days ago I helped a friend configure a Cisco ASA 5505 firewall, and the mapping never worked. On the web I also saw many people hitting this problem and asking for the fix; some had solved it but did not post the solution. It is probably not a complicated problem, but I hope this post helps others deal with this small issue quickly. Basic situation:

WAN: 221.221.147.195, gateway: 221.221.147.200, LAN: 192.168.0.1. There is a server on the internal network at 192.168.0.10, port 8089.

Symptom: the internal network can reach the server normally, the external network cannot. The port mapping is not working. Fix: the command line was wrong; corrected and resolved.

Key point: port mapping. The current configuration is as follows:

ASA Version 7.2(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 221.221.147.195 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit tcp any host 221.221.147.195 eq 8089
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any
access-list 101 extended permit udp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) 221.221.147.195 192.168.0.10 netmask 255.255.255.255 tcp 8089 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 221.221.147.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:30e219cbc04a4c919e7411de55e14a64
: end
ciscoasa(config)#

------------------------------------------------------------

While looking for a solution, a friend gave an important hint: do the mapping with static (inside,outside) int 192.168.0.10 tcp 8089, but that produced warnings:

WARNING: static redireting all traffics at outside interface;

WARNING: all services terminating at outside interface are disabled.

Later I changed the command to static (inside,outside) 221.221.147.195 192.168.0.10 tcp 8089 and it was solved.
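The post's trouble comes down to two grammars of the pre-8.3 ASA static command: in "static (real,mapped) MAPPED_IP REAL_IP netmask M tcp N M" the numbers after tcp are connection limits (maximum and embryonic), not a port, so the statement in the running config above is a one-to-one static with a connection cap of 8089; the port-redirect form is "static (real,mapped) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask M". The Python parser below is an added example, not code from the post or from Cisco. It feeds in the statement from the running config, the interface variant that triggered the WARNING, a port-redirect rewrite that is this example's own reconstruction of the intended rule, and the dmz static from the earlier walkthrough, and reports what each one actually does. Treating an explicit mapped address equal to the interface address the same way as the interface keyword is an assumption of this example.

```python
"""Parse pre-8.3 ASA 'static' statements and explain what each one does
(added example, not code from the post)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticRule:
    real_ifc: str
    mapped_ifc: str
    kind: str                       # "one-to-one" or "port-redirect"
    mapped_ip: str                  # address, or the keyword 'interface'
    real_ip: str
    proto: Optional[str] = None     # tcp/udp, port-redirect form only
    mapped_port: Optional[str] = None
    real_port: Optional[str] = None
    netmask: Optional[str] = None
    tcp_max_conns: Optional[int] = None   # from the trailing 'tcp N [M]' option
    tcp_emb_limit: Optional[int] = None


def parse_static(line: str) -> StaticRule:
    tok = line.split()
    if not tok or tok[0] != "static":
        raise ValueError("not a static statement: " + line)
    real_ifc, mapped_ifc = tok[1].strip("()").split(",")
    if tok[2] in ("tcp", "udp"):
        # static (real,mapped) tcp|udp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT [options]
        rule = StaticRule(real_ifc, mapped_ifc, "port-redirect", tok[3], tok[5],
                          proto=tok[2], mapped_port=tok[4], real_port=tok[6])
        rest = tok[7:]
    else:
        # static (real,mapped) MAPPED_IP REAL_IP [options]
        rule = StaticRule(real_ifc, mapped_ifc, "one-to-one", tok[2], tok[3])
        rest = tok[4:]
    i = 0
    while i < len(rest):
        if rest[i] == "netmask":
            rule.netmask = rest[i + 1]
            i += 2
        elif rest[i] == "tcp":          # in the option list 'tcp N [M]' is a connection limit
            nums = []
            i += 1
            while i < len(rest) and rest[i].isdigit():
                nums.append(int(rest[i]))
                i += 1
            rule.tcp_max_conns = nums[0] if nums else 0
            rule.tcp_emb_limit = nums[1] if len(nums) > 1 else 0
        else:
            i += 1                      # dns, udp N, norandomseq: not needed here
    return rule


def maps_interface(rule, interface_ips=frozenset()):
    """True when the mapped side is the whole interface address: the keyword,
    its abbreviation, or (this example's assumption) the explicit interface IP."""
    word = rule.mapped_ip
    return (len(word) >= 3 and "interface".startswith(word)) or word in interface_ips


def describe(rule, interface_ips=frozenset()):
    if rule.kind == "port-redirect":
        return (f"{rule.proto}/{rule.mapped_port} on {rule.mapped_ip} ({rule.mapped_ifc}) "
                f"-> {rule.real_ip}:{rule.real_port} ({rule.real_ifc})")
    text = f"all ports of {rule.mapped_ip} ({rule.mapped_ifc}) -> {rule.real_ip} ({rule.real_ifc})"
    if rule.tcp_max_conns is not None:
        text += (f"; tcp connection limit {rule.tcp_max_conns}, embryonic limit "
                 f"{rule.tcp_emb_limit} (0 = unlimited); these numbers are not ports")
    if maps_interface(rule, interface_ips):
        text += ("; WARNING: one-to-one static on the interface address redirects everything, "
                 "so services terminating on that interface (ASDM, SSH) stop working")
    return text


def explain(lines, interface_ips=frozenset()):
    """(kind, description) for every static statement in lines."""
    rules = [parse_static(ln) for ln in lines if ln.startswith("static")]
    return [(r.kind, describe(r, interface_ips)) for r in rules]


# Constructed sample: the statement from the running config above, the 'int'
# variant that produced the warning, a port-redirect rewrite (this example's
# reconstruction of the intended rule) and the dmz static from the walkthrough.
SAMPLE_STATICS = [
    "static (inside,outside) 221.221.147.195 192.168.0.10 netmask 255.255.255.255 tcp 8089 0",
    "static (inside,outside) int 192.168.0.10 tcp 8089",
    "static (inside,outside) tcp 221.221.147.195 8089 192.168.0.10 8089 netmask 255.255.255.255",
    "static (inside,dmz) 10.10.10.37 192.168.1.16 netmask 255.255.255.255",
]

if __name__ == "__main__":
    for kind, text in explain(SAMPLE_STATICS, {"221.221.147.195"}):
        print(f"{kind:13} {text}")
```

The point the output makes is that only the third statement forwards a single port; the first two are one-to-one statics on the outside address, which is exactly the situation the firewall's own WARNING describes, and the 8089 in them is a connection limit.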

ASA 5505 configuration notes

1. IP address configuration
# int vlan1
# nameif outside
# security-level 0
# ip address 172.16.1.1 255.255.0.0
# end
# int vlan 2
# nameif inside
# security-level 100
# ip address 192.168.1.1 255.255.255.0
# end

2. Assign the ports to the corresponding VLANs
# int Eth0/0
# switchport access vlan 1
# end
# int Eth0/1
# switchport access vlan 2
# end
# exit

3. HTTP, telnet and SSH management
# username xxx password xxxxxx encrypted privilege 15
# aaa authentication enable console LOCAL
# aaa authentication telnet console LOCAL
# aaa authentication http console LOCAL
# aaa authentication ssh console LOCAL
# aaa authorization command LOCAL
# http server enable
# http 192.168.1.0 255.255.255.0 inside
# telnet 192.168.1.0 255.255.255.0 inside
# ssh 192.168.1.0 255.255.255.0 inside
# crypto key generate rsa ---- generate the RSA key that turns on the SSH service

4. VPN configuration
VPN can be configured in ASDM; the details are omitted.

Cisco ASA 5510 real-world configuration case with explanations

Last year I sold an ASA 5510 firewall to a large enterprise. Here is the actual configuration, with everything explained clearly; a very useful reference!

2008-12-15 11:07

ASA5510# show run
: Saved
:
ASA Version 7.0(6)
!
hostname ASA5510
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0 ---- this is the external network interface
 nameif outside ---- set as the OUTSIDE interface
 security-level 0 ---- security level 0 for the outside interface (0 is the lowest level)
 ip address 192.168.3.234 255.255.255.0 ---- external IP address (usually provided by the ISP, China Telecom or China Netcom)
!
interface Ethernet0/1 ---- this is the internal network interface
 nameif inside ---- set as the INSIDE interface
 security-level 100 ---- security level 100 for the inside interface
 ip address 10.1.1.1 255.255.0.0 ---- internal IP address (usually assigned by the company itself)
!
interface Ethernet0/2 ---- not used, shut down
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0 ---- not used, shut down
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 ---- not used; connect with a network cable
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface ---- must be entered; it enables PAT (port address translation), and the "1" is its NAT ID
nat (inside) 1 10.1.0.0 255.255.0.0 ---- translate all internal 10.1.0.0 addresses
route outside 0.0.0.0 0.0.0.0 192.168.3.254 1 ---- all internal addresses reach the outside through the gateway address provided by the ISP (China Telecom or China Netcom)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.30-10.1.1.200 inside ---- automatic assignment range 10.1.1.30-200
dhcpd address 192.168.1.2-192.168.1.254 management ---- not in effect
dhcpd dns 192.168.0.1 ---- DNS: enter the ISP-provided server directly, or your own DNS server address
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain suzhou.jy ---- domain name
dhcpd enable inside ---- turn on automatic assignment for the internal network
dhcpd enable management ---- not in effect
access-group icmp_in in interface outside
access-list icmp_in extended permit icmp any any ---- these two lines allow ping packets to be sent and received
Cryptochecksum:6148633dac00f8f7a3418833f98d5ad4
: end
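The annotated 5510 configuration ties several statements together by address: the default route must point at a gateway inside the outside subnet, each DHCP pool must sit inside its interface subnet without handing out the firewall's own address, and the nat (inside) network should cover the whole inside subnet so that no internal host is left untranslated. The Python check below is an added example, not from the page or from Cisco. Both embedded configs are constructed: the first is condensed from the 5510 config above and should pass, the second is deliberately broken in three places so the checks have something to report.

```python
"""Check that an ASA config's addresses agree with each other: route
gateways, DHCP pools and NAT networks against the interface subnets
(added example, not from the page)."""
import ipaddress

# Constructed sample condensed from the ASA 5510 config above.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.3.234 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.0.0
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
nat (inside) 1 10.1.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 192.168.3.254 1
http 192.168.1.0 255.255.255.0 management
dhcpd address 10.1.1.30-10.1.1.200 inside
dhcpd address 192.168.1.2-192.168.1.254 management
"""

# Constructed counter-example with three deliberate mistakes: an off-subnet
# gateway, a DHCP pool that hands out the firewall's own address, and a NAT
# network narrower than the inside subnet.
BAD_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 192.168.3.234 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.0.0
nat (inside) 1 10.1.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.4.254 1
dhcpd address 10.1.1.1-10.1.1.200 inside
"""


def parse_plan(text):
    """Return (interfaces, nats, routes, dhcp pools) as ipaddress objects."""
    ifcs, nats, routes, pools = {}, [], [], []
    current = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            current = None
        elif tok[0] == "nameif":
            current = tok[1]
        elif tok[:2] == ["ip", "address"] and current:
            ifcs[current] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "nat" and len(tok) >= 5:           # nat (IFC) ID NET MASK
            nats.append((tok[1].strip("()"),
                         ipaddress.IPv4Network(f"{tok[3]}/{tok[4]}", strict=False)))
        elif tok[0] == "route" and len(tok) >= 5:         # route IFC NET MASK GW [metric]
            routes.append((tok[1], ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False),
                           ipaddress.IPv4Address(tok[4])))
        elif tok[:2] == ["dhcpd", "address"]:             # dhcpd address LO-HI IFC
            lo, hi = tok[2].split("-")
            pools.append((tok[3], ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
    return ifcs, nats, routes, pools


def check_plan(text):
    """Return a list of human-readable problems; an empty list means consistent."""
    ifcs, nats, routes, pools = parse_plan(text)
    problems = []
    for ifc, dest, gw in routes:
        if ifc in ifcs and gw not in ifcs[ifc].network:
            problems.append(f"route {dest} via {gw} on {ifc}: gateway is not in {ifcs[ifc].network}")
    for ifc, lo, hi in pools:
        if ifc not in ifcs:
            continue
        net, own = ifcs[ifc].network, ifcs[ifc].ip
        if lo not in net or hi not in net:
            problems.append(f"dhcpd pool {lo}-{hi} on {ifc} lies outside {net}")
        elif lo <= own <= hi:
            problems.append(f"dhcpd pool {lo}-{hi} on {ifc} includes the interface address {own}")
    for ifc, net in nats:
        if ifc in ifcs and not ifcs[ifc].network.subnet_of(net):
            problems.append(f"nat ({ifc}) {net} does not cover the whole {ifc} subnet {ifcs[ifc].network}")
    return problems


if __name__ == "__main__":
    for name, cfg in (("5510 sample", SAMPLE_CONFIG), ("broken sample", BAD_CONFIG)):
        issues = check_plan(cfg)
        print(f"{name}: {'OK' if not issues else ''}")
        for p in issues:
            print("  -", p)
```

The check reads the same nameif/ip address ordering the running config uses, so it can be run as-is over a saved show run; the three checks are conservative (a pool outside its subnet or a gateway off-subnet is always a misconfiguration), whereas a narrower NAT network is only a problem when every inside host is meant to reach the outside, which is what the comment on the nat (inside) line above says.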
