有些朋友对配置防火墙还是有问题，其实配置ASA防火墙很简单，常用的命令也就下面这些。
下面来解析一台ASA 8.0的配置：
ASA Version 8.0(2) //ASA软件版本
hostname ciscoasa //主机名
domain-name sannet.net //域名
enable password 2 kfqnbnidi.2kyou encrypted //enable(特权模式)密码，已加密存储
!
interface Ethernet0/0
 nameif inside //定义内网口
 security-level 100 //安全级别
 ip address 192.168.1.254 255.255.255.0 //内网IP地址
!
interface Ethernet0/1
 nameif dmz //定义DMZ区域
 security-level 50 //安全级别
 ip address 172.16.1.254 255.255.255.0 //DMZ区域IP地址
!
interface Ethernet0/2
 nameif outside //定义外网口
 security-level 0 //安全级别
 ip address 221.222.1.2 255.255.255.0 //外网IP地址
!
interface Ethernet0/3
 shutdown //未使用的接口，关闭
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown //未使用的接口，关闭
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown //未使用的接口，关闭
 no nameif
 no security-level
 no ip address
!
passwd W6dWZr89yLlX1S1u encrypted //telnet登录密码，已加密存储
ftp mode passive
dns server-group DefaultDNS
domain-name sannet.net //域名(生成SSH密钥时需要)
access-list ToDmz extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 //内网去往DMZ不做NAT的acl
access-list telnet extended permit tcp any interface outside eq 2023 //允许外网任意源地址访问outside接口2023端口的acl(该端口下面映射到DMZ主机的telnet)
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control //启用nat-control，穿越防火墙的流量必须匹配NAT规则
global (outside) 1 interface //定义外网映射地址(使用outside接口地址做PAT)
nat (inside) 0 access-list ToDmz //匹配ToDmz的内网去DMZ流量不做NAT转换
nat (inside) 1 0.0.0.0 0.0.0.0 //内网其余地址全部做NAT转换
static (dmz,outside) tcp interface 2023 172.16.1.2 telnet netmask 255.255.255.255 //静态PAT：outside接口2023端口映射到DMZ主机172.16.1.2的telnet端口
static (dmz,outside) 221.222.1.3 172.16.1.1 netmask 255.255.255.255 //静态NAT：DMZ主机172.16.1.1映射为公网地址221.222.1.3
access-group telnet in interface outside //在outside接口入方向应用telnet这条ACL
route outside 0.0.0.0 0.0.0.0 221.222.1.1 1 //默认路由
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h423 0:05:00 h325 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside //允许inside方向任意源地址telnet管理防火墙(0.0.0.0 0.0.0.0表示不限制源地址)
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside //允许外网任意源地址ssh管理防火墙，0.0.0.0 0.0.0.0表示不限制源地址，实际部署中建议只放行管理主机的地址
ssh timeout 5
ssh version 2 //只允许SSH v2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!