CISCO-ASA5510-防火墻配置手冊(cè)

CISCOASA5510防火墻配置手冊(cè)密碼配置1.telnet密碼Ciscoasa(config)#passwd123(用于telnet登陸ASA的密碼)2.enable密碼Ciscoasa(config)#enablepassword456(進(jìn)入enable特權(quán)模式的密碼)3.設(shè)備命名Ciscoasa(config)#hostnamewy-ciscoasa接口配置2.1接口命名Ciscoasa(config)#interfaceEthernet0/0Ciscoasa(config-if)#nameifoutside一般的情況將E0/0命為外網(wǎng)接口，而將E0/1命為內(nèi)網(wǎng)接口。2.2配置接口安全級(jí)別Ciscoasa(config-if)#security-level100(100指權(quán)限，數(shù)字越高權(quán)限越高)2.3配置IP地址Ciscoasa(config-if)#ipaddress219.139.*.* 2.4關(guān)閉/激活接口Ciscoasa(config-if)#shutdown/noshutdown靜態(tài)路由配置Ciscoasa(config)#routeinside意思為：在inside接口上創(chuàng)建一條到/24網(wǎng)絡(luò)走的路由，ASA會(huì)將到/24網(wǎng)絡(luò)的所有數(shù)據(jù)包轉(zhuǎn)發(fā)給下一條Ciscoasa(config)#routeoutside創(chuàng)建一條外網(wǎng)默認(rèn)路由，ASA將所有互聯(lián)網(wǎng)流量轉(zhuǎn)發(fā)給internet網(wǎng)關(guān)網(wǎng)絡(luò)地址轉(zhuǎn)換（NAT）配置4.1NAT的簡(jiǎn)介NAT實(shí)現(xiàn)的方式有三種：動(dòng)態(tài)NAT、靜態(tài)NAT、PAT動(dòng)態(tài)NAT：指將內(nèi)部網(wǎng)絡(luò)私有IP地址轉(zhuǎn)換為公有IP地址，IP地址不確定，是隨機(jī)的，所有被授權(quán)訪問(wèn)intelnet的私有IP地址可隨機(jī)轉(zhuǎn)換為任何指定合法IP地址。靜態(tài)NAT：指IP地址一對(duì)一的轉(zhuǎn)換。PAT：指改變外出數(shù)據(jù)包的源端口并進(jìn)行端口轉(zhuǎn)換。內(nèi)部所有網(wǎng)絡(luò)均可以共享一個(gè)合法外部IP地址實(shí)現(xiàn)對(duì)intelnet的訪問(wèn)，從而可以最大限度節(jié)約IP地址資源。同時(shí)，又可以隱藏網(wǎng)絡(luò)內(nèi)部的所有主機(jī)，有效避免來(lái)自己intelnet的攻擊。因此，武英項(xiàng)目做NAT時(shí)推薦用PAT。4.2動(dòng)態(tài)NAT的配置Ciscoasa(config)#nat(inside)1將網(wǎng)絡(luò)接口為/16網(wǎng)絡(luò)激活NATCiscoasa(config)#global(outside)10-219.139.*.*netmask將把來(lái)自insid接口12/24網(wǎng)絡(luò)的地址動(dòng)態(tài)轉(zhuǎn)換為0-219.139.*.*的地址。4.3靜態(tài)NAT的配置Ciscoasa(config)#nat(inside)25455將此地址激活NATCiscoasa(config)#global(outside)2219.139.*.*將54這個(gè)地址轉(zhuǎn)換為219.139.*.*4.4PAT配置Ciscoasa(config)#nat(inside)3將此地址激活NATCiscoasa(config)#global(outside)3interface(這個(gè)是電信只提供了一個(gè)IP時(shí)可以這樣做，所有內(nèi)網(wǎng)共享一個(gè)IP上網(wǎng))4.5端口映射的配置4.5.1什么時(shí)候要做端口映射當(dāng)外網(wǎng)需要訪問(wèn)內(nèi)網(wǎng)中的一臺(tái)服務(wù)器時(shí)，ASA并不知道訪問(wèn)的是哪一臺(tái)內(nèi)網(wǎng)中的機(jī)器，這時(shí)就需要做靜態(tài)的端口映射。4.5.2端口映射的配置語(yǔ)法：Ciscoasa(config)#access-listlist-nameextendedpermittcp/udpanyhsotoutside_addresseqport_numlist_name:訪問(wèn)控制列表名稱tcp/udp:需要映射的協(xié)議類型port_num:需要映射的端口號(hào)Ciscoasa(config)#static(inside,outside)tcp/udpinterfaceport_numlocal_addressport_numnetmask55Tcp/udp:需要映射的協(xié)議類型port_num：映射前的端口號(hào)local_address：映射后的內(nèi)網(wǎng)主機(jī)IP地址port_num：映射后的端口號(hào)例如：Ciscoasa(config)#access-list100extendedpermittcpanyhost219.139.*.*eq80允許外網(wǎng)訪問(wèn)219.139.*.*的tcp80端口Ciscoasa(config)#static(inside,outside)tcpinterface805480netmask55外網(wǎng)訪問(wèn)62的tcp80端口時(shí)啟用靜態(tài)PAT映射到內(nèi)網(wǎng)54的tcp80端口Ciscoasa(config)#access-group100inintercaeoutsideper-user-override訪問(wèn)必須調(diào)用ACL備注如果，只是需要將內(nèi)網(wǎng)一個(gè)服務(wù)器映射到公網(wǎng)可以這樣做ciscoasa(config)#static(inside,outside)219.139.*.*54

ciscoasa(config)#static(inside,outside)219.139.*.*541000010

//后面的10000為限制連接數(shù)，10為限制的半開連接數(shù)。五訪問(wèn)控制列表（ACL）配置5.1配置訪問(wèn)控制列表的一般步驟配置訪問(wèn)控制列表接口方向的調(diào)用5.2標(biāo)準(zhǔn)訪問(wèn)控制列表語(yǔ)法

ciscoasa(config)#access-listlist_namestandarddeny/permitdes_addressnetmasklist_name:標(biāo)準(zhǔn)訪問(wèn)控制列表的名稱（1-99）deny/permit：阻止或是允許符合此條規(guī)則的流量des_address：需要做控制的目的地址netmask:需要做控制的目的地址的掩碼ciscoasa(config)#access-grouplist_namein/outinterfaceinterface_namein/out:標(biāo)準(zhǔn)訪問(wèn)控制列表的名稱interface_name:調(diào)用控制列表的接口名5.3擴(kuò)展訪問(wèn)控制列表ciscoasa(config)#access-listlist-nameextendeddeny/permittcp/udpsour_addresssour_maskdes_addressdes_maskeqport_numlist-name:擴(kuò)展訪問(wèn)控制列表名稱deny/permit:拒絕/允許符合此條規(guī)則的流量tcp/udp：此條規(guī)則匹配的協(xié)議sour_address：此條規(guī)則匹配的源地址sour_mask：此條規(guī)則匹配的源地址掩碼des_address：此條規(guī)則匹配目的地址des_mask：此條規(guī)則匹配目的地址掩碼port_num：此條規(guī)則匹配的端口號(hào)ciscoasa(config)#access-grouplist_namein/outinterfaceinterface_namein/out:調(diào)用接口的入與出口向interface_name：調(diào)用控制列表的接口名例句1：ciscoasa(config)#access-list400extendeddenyudp5455eq80阻止源地址/24網(wǎng)段對(duì)目的地址54主機(jī)ciscoasa(config)#access-group400ininterfaceinside六ASA防火墻工作狀態(tài)調(diào)試6.1查看當(dāng)前ASA配置Ciscoasa#showrunning-config查看CPU得用率：showcpuusage(正常應(yīng)該在80%以下)內(nèi)存使用：Ciscoasa#showmemoryXlate表大小Ciscoasa#showconncount端口狀態(tài)Ciscoasa#showinterfaceinterface_name6.2驗(yàn)證防火墻的連接性PingCiscoasa#pingip_address(ip地址)查看路由表Ciscoasa#showrouteASA防火墻ACL檢查Ciscoasa#showaccess-listCISCOASA具體配置如下：:Saved:Writtenbyenable_15at01:00:46.039UTCTueSep212010!ASAVersion8.2(1)!hostnamewy-asazlzzxenablepasswordkt7r2AarZ0QwX7lHencryptedpasswdPLBb27eKLE1o9FTBencryptednames!interfaceEthernet0/0nameifoutsidesecurity-level0ipaddress219.139.*.*!interfaceEthernet0/1nameifinsidesecurity-level100ipaddress!interfaceEthernet0/2shutdownnonameifnosecurity-levelnoipaddress!interfaceEthernet0/3shutdownnonameifnosecurity-levelnoipaddress!interfaceManagement0/0shutdownnameifmanagementsecurity-level100ipaddressmanagement-only!ftpmodepassivesame-security-trafficpermitinter-interfaceaccess-list100extendedpermittcpanyhost219.139.*.*eqwwwaccess-list100extendedpermittcpanyhost219.139.*.*eq81access-list100extendedpermittcpanyhost219.139.*.*eq88access-list100extendedpermittcpanyhost219.139.*.*eq230access-list100extendedpermittcpanyhost219.139.*.*eq8888access-list100extendedpermittcpanyhost219.139.*.*eq85access-list100extendedpermittcpanyhost219.139.*.*eq6060access-list100extendedpermittcpanyhost219.139.*.*eq5070access-list100extendedpermittcpanyhost219.139.*.*eq6080access-list100extendedpermittcpanyhost219.139.*.*eq10000access-list100extendedpermittcpanyhost219.139.*.*eq231access-list100extendedpermittcpanyhost219.139.*.*eq1433access-list100extendedpermittcpanyhost219.139.*.*eq9000access-list100extendedpermittcpanyhost219.139.*.*eq84access-list100extendedpermittcpanyhost219.139.*.*eq10020access-list100extendedpermittcpanyhost219.139.*.*eq10040access-list100extendedpermittcpanyhost219.139.*.*eq87access-list100extendedpermittcpanyhost219.139.*.*eq10101access-list100extendedpermitudpanyhost219.139.*.*eq3200access-list100extendedpermittcpanyhost219.139.*.*eq86access-list100extendedpermittcpanyhost219.139.*.*eq9999access-list100extendedpermittcpanyhost219.139.*.*eqsipaccess-list100extendedpermittcpanyhost219.139.*.*eq5080access-list100extendedpermittcpanyhost219.139.*.*eq10100access-list100extendedpermitudpanyhost219.139.*.*eq3201access-list100extendedpermittcpanyhost219.139.*.*eq3389access-list100extendedpermittcpanyhost219.139.*.*eqftpaccess-list100extendedpermittcpanyhost219.139.*.*eq8080access-list100extendedpermittcpanyhost219.139.*.*eq82access-list100extendedpermittcpanyhost219.139.*.*eq83access-list100extendedpermittcpanyhost219.139.*.*eq16000access-list100extendedpermittcpanyhost219.139.*.*eq15000access-list100extendedpermittcpanyhost219.139.*.*eq8088access-list100extendedpermittcpanyhost219.139.*.*eq211access-list100extendedpermittcpanyhost219.139.*.*eq9099access-list100extendedpermittcpanyhost219.139.*.*eq8000access-list100extendedpermittcpanyhost219.139.*.*eq7777access-list100extendedpermitudpanyhost219.139.*.*eq6661access-list100extendedpermittcpanyhost219.139.*.*eq8500access-list100extendedpermittcpanyhost219.139.*.*eq8600access-list100extendedpermitudpanyhost219.139.*.*eq3100access-list100extendedpermittcpanyhost219.139.*.*eq8081access-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-list110extendedpermitipanyaccess-listacl_insdeextendedpermitipanyanyaccess-list10standardpermitanyaccess-list200extendedpermitipanyanyaccess-list120extendedpermitipanyhost219.139.*.*pagerlines24loggingasdminformationalmtuoutside1500mtuinside1500mtumanagement1500icmpunreachablerate-limit1burst-size1asdmimagedisk0:/asdm-621.binnoasdmhistoryenablearptimeout14400nat-controlglobal(outside)1interfacenat(inside)1nat(inside)1static(inside,outside)tcpinterface814781netmask55static(inside,outside)tcpinterface884988netmask55static(inside,outside)tcpinterface23050230netmask55static(inside,outside)tcpinterface8888478888netmask55static(inside,outside)tcpinterface855085netmask55static(inside,outside)tcpinterface6060236060netmask55static(inside,outside)tcpinterface5070235070netmask55static(inside,outside)tcpinterface6080236080netmask55static(inside,outside)tcpinterface100004710000netmask55static(inside,outside)tcpinterface23147231netmask55static(inside,outside)tcpinterface1433231433netmask55static(inside,outside)tcpinterface9000239000netmask55static(inside,outside)tcpinterface844784netmask55static(inside,outside)udpinterface3100473100netmask55static(inside,outside)tcpinterface100204710020netmask55static(inside,outside)tcpinterface100404710040netmask55static(inside,outside)tcpinterface872387netmask55static(inside,outside)tcpinterface101012310101netmask55static(inside,outside)udpinterface3200233200netmask55static(inside,outside)tcpinterface864686netmask55static(inside,outside)tcpinterface9999469999netmask55static(inside,outside)tcpinterfacesip46sipnetmask55static(inside,outside)tcpinterface5080465080netmask55static(inside,outside)tcpinterface101004610100netmask55static(inside,outside)udpinterface3201463201netmask55static(inside,outside)tcpinterface8080498080netmask55static(inside,outside)tcpinterface825182netmask55static(inside,outside)tcpinterface835283netmask55static(inside,outside)tcpinterface160005116000netmask55static(inside,outside)tcpinterface150005215000netmask55static(inside,outside)tcpinterface8088518088netmask55static(inside,outside)tcpinterface21151211netmask55static(inside,outside)tcpinterface9099529099netmask55static(inside,outside)tcpinterface8000498000netmask55static(inside,outside)tcpinterface7777547777netmask55static(inside,outside)udpinterface666106661netmask55static(inside,outside)tcpinterface8500518500netmask55static(inside,outside)tcpinterface8600518600netmask55static(inside,outside)tcpinterface80818081netmask55static(inside,outside)tcpinterface3389543389netmask55static(inside,outside)tcpinterface8001498001netmask55static(inside,outside)tcpinterfacewww54wwwnetmask55dnsaccess-group120ininterfaceoutsideaccess-group200ininterfaceinsiderouteoutside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1routeinside1timeoutxlate3:00:00timeoutconn1:00:00half-closed0:10:00udp0:02:00icmp0:00:02t