当前位置:文档之家 › ASA 5510常用配置命令手册

ASA 5510常用配置命令手册

  • 格式:pdf
  • 大小:18.30 KB
  • 文档页数:5

下载文档原格式

  / 5

合集下载

CISCOASA5510配置手册

CISCOASA5510配置手册

CISCOASA5510 // OKciscoasa#showverCiscoAdaptiveSecurityApplianceSoftwareVersion7.2(4) DeviceManagerVersion5.2(4)CompiledonSun06-Apr-0813:39bybuildersSystemimagefileis"disk0:/asa724-k8.bin" Configfileatbootwas"startup-config"ciscoasaup3mins5secsHardware:ASA5520,512MBRAM,CPUPentium4Celeron2000MHz InternalATACompactFlash,256MBBIOSFlashFirmwareHub@0xffe00000,1024KBEncryptionhardwaredevice:CiscoASA-55x0on-boardaccelerator(revision0x0) Bootmicrocode:CNlite-MC-Boot-Cisco-1.2SSL/IKEmicrocode:CNlite-MC-IPSEC-Admin-3.03IPSecmicrocode:CNlite-MC-IPSECm-MAIN-2.050:Ext:GigabitEthernet0/0:addressisc47d.4f85.1708,irq91:Ext:GigabitEthernet0/1:addressisc47d.4f85.1709,irq92:Ext:GigabitEthernet0/2:addressisc47d.4f85.170a,irq93:Ext:GigabitEthernet0/3:addressisc47d.4f85.170b,irq94:Ext:Management0/0:addressisc47d.4f85.1707,irq115:Int:Notused:irq116:Int:Notused:irq5MaximumVLANs:150InsideHosts:UnlimitedFailover:Active/ActiveVPN-DES:EnabledVPN-3DES-AES:DisabledSecurityContexts:2GTP/GPRS:DisabledVPNPeers:750WebVPNPeers:2ThisplatformhasanASA5520VPNPluslicense.SerialNumber:JMX1406L0Y6RunningActivationKey:0x6a2659550xf07c223d0x2cf345f40xb34478840xc128879b Configurationregisteris0x1Configurationlastmodifiedbyenable_15at12:23:52.072UTCMonSep62010 ciscoasa#showrun:Saved:ASAVersion7.2(4)!hostnameciscoasadomain-namedefault.domain.invalidenablepasswordgfFm2E3sthJOc7bqencryptedpasswd2KFQnbNIdI.2KYOUencryptednames!interfaceGigabitEthernet0/0nameifuntrust!interfaceGigabitEthernet0/1 nameifdmzsecurity-level50ipaddress172.18.19.254255.255.255.0!interfaceGigabitEthernet0/2 nameiftrustsecurity-level100ipaddress172.18.1.1255.255.255.0!interfaceGigabitEthernet0/3nonameifnosecurity-levelnoipaddress!interfaceManagement0/0 nameifmanagementsecurity-level100ipaddress192.168.1.1255.255.255.0 management-only!ftpmodepassivednsserver-groupDefaultDNSdomain-namedefault.domain.invalid access-list102extendedpermiticmpanyany access-list102extendedpermitipanyany pagerlines24loggingenablemtudmz1500mtutrust1500mtumanagement1500nofailovericmpunreachablerate-limit1burst-size1asdmimagedisk0:/ASDM-524.BINnoasdmhistoryenablearptimeout14400global(untrust)1interfacenat(trust)10.0.0.00.0.0.0static(trust,untrust)tcp113.105.88.5786172.18.11.886netmask255.255.255.255static(trust,untrust)tcp113.105.88.575000172.18.11.85000netmask255.255.255.255 static(trust,untrust)tcp113.105.88.586800172.18.11.1306800netmask255.255.255.255 static(trust,untrust)tcp113.105.88.584800172.18.11.1304800netmask255.255.255.255 static(trust,untrust)tcp113.105.88.583306172.18.11.1303306netmask255.255.255.255 static(trust,untrust)udp113.105.88.586800172.18.11.1306800netmask255.255.255.255 static(trust,untrust)udp113.105.88.584800172.18.11.1304800netmask255.255.255.255 static(trust,untrust)udp113.105.88.583306172.18.11.1303306netmask255.255.255.255 static(trust,untrust)tcp113.105.88.5881172.18.11.13081netmask255.255.255.255 static(trust,untrust)udp113.105.88.5881172.18.11.13081netmask255.255.255.255 static(trust,untrust)tcp113.105.88.601011172.18.11.91011netmask255.255.255.255 static(trust,untrust)udp113.105.88.601011172.18.11.91011netmask255.255.255.255 static(trust,untrust)tcp113.105.88.601018172.18.11.91018netmask255.255.255.255 static(trust,untrust)udp113.105.88.601018172.18.11.91018netmask255.255.255.255 static(trust,untrust)tcp113.105.88.5981172.18.15.99wwwnetmask255.255.255.255 static(trust,untrust)tcp113.105.88.592000172.18.15.992000netmask255.255.255.255 static(trust,untrust)udp113.105.88.592000172.18.15.992000netmask255.255.255.255 static(trust,untrust)udp113.105.88.59www172.18.15.99wwwnetmask255.255.255.255 static(trust,untrust)tcp113.105.88.598080172.18.15.998080netmask255.255.255.255static(trust,untrust)tcp113.105.88.59ftp-data172.18.11.123ftp-datanetmask255.255.255.255 static(trust,untrust)tcp113.105.88.59ftp172.18.11.123ftpnetmask255.255.255.255static(trust,untrust)tcp113.105.88.59telnet172.18.11.123telnetnetmask255.255.255.255 static(trust,untrust)tcp113.105.88.591010172.18.11.1231000netmask255.255.255.255 static(trust,untrust)tcp113.105.88.598003172.18.11.1238003netmask255.255.255.255 static(trust,untrust)tcp113.105.88.598010172.18.11.1238010netmask255.255.255.255 static(trust,untrust)tcp113.105.88.598012172.18.11.1238012netmask255.255.255.255 static(trust,untrust)tcp113.105.88.598880172.18.11.1238880netmask255.255.255.255 static(trust,untrust)tcp113.105.88.601012172.18.11.91012netmask255.255.255.255 static(trust,untrust)tcp113.105.88.601013172.18.11.91013netmask255.255.255.255 static(trust,untrust)tcp113.105.88.601014172.18.11.91014netmask255.255.255.255 static(trust,untrust)udp113.105.88.601012172.18.11.91012netmask255.255.255.255 static(trust,untrust)udp113.105.88.601013172.18.11.91013netmask255.255.255.255 static(trust,untrust)udp113.105.88.601014172.18.11.91014netmask255.255.255.255 static(trust,untrust)tcp113.105.88.595000172.18.15.995000netmask255.255.255.255 static(trust,untrust)tcp113.105.88.594000172.18.15.994000netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602000172.18.11.92000netmask255.255.255.255 static(trust,untrust)udp113.105.88.602000172.18.11.92000netmask255.255.255.255 static(trust,untrust)tcp113.105.88.592009172.18.15.992009netmask255.255.255.255 static(trust,untrust)udp113.105.88.592009172.18.15.992009netmask255.255.255.255 static(trust,untrust)tcp113.105.88.598081172.18.15.998081netmask255.255.255.255 static(trust,untrust)udp113.105.88.598081172.18.15.998081netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602001172.18.11.92001netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602002172.18.11.92002netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602003172.18.11.92003netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602004172.18.11.92004netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602005172.18.11.92005netmask255.255.255.255static(trust,untrust)tcp113.105.88.602010172.18.11.92010netmask255.255.255.255 static(trust,untrust)udp113.105.88.602001172.18.11.92001netmask255.255.255.255 static(trust,untrust)udp113.105.88.602002172.18.11.92002netmask255.255.255.255 static(trust,untrust)udp113.105.88.602003172.18.11.92003netmask255.255.255.255 static(trust,untrust)udp113.105.88.602004172.18.11.92004netmask255.255.255.255 static(trust,untrust)udp113.105.88.602005172.18.11.92005netmask255.255.255.255 static(trust,untrust)udp113.105.88.602006172.18.11.92006netmask255.255.255.255 static(trust,untrust)udp113.105.88.602007172.18.11.92007netmask255.255.255.255 static(trust,untrust)udp113.105.88.602008172.18.11.92008netmask255.255.255.255 static(trust,untrust)udp113.105.88.602009172.18.11.92009netmask255.255.255.255 static(trust,untrust)udp113.105.88.602010172.18.11.92010netmask255.255.255.255 static(trust,untrust)113.105.88.61172.18.11.10netmask255.255.255.255access-group102ininterfaceuntrustrouteuntrust0.0.0.00.0.0.010.92.8.91routetrust172.18.11.0255.255.255.0172.18.1.21routetrust172.18.12.0255.255.255.0172.18.1.21routetrust172.18.13.0255.255.255.0172.18.1.21routetrust172.18.14.0255.255.255.0172.18.1.21routetrust172.18.15.0255.255.255.0172.18.1.21routetrust172.18.16.0255.255.255.0172.18.1.21routetrust172.18.17.0255.255.255.0172.18.1.21routetrust172.18.18.0255.255.255.0172.18.1.21timeoutxlate3:00:00timeoutconn1:00:00half-closed0:10:00udp0:02:00icmp0:00:02timeoutsunrpc0:10:00h3230:05:00h2251:00:00mgcp0:05:00mgcp-pat0:05:00 timeoutsip0:30:00sip_media0:02:00sip-invite0:03:00sip-disconnect0:02:00 timeoutsip-provisional-media0:02:00uauth0:05:00absolutenosnmp-serverlocationnosnmp-servercontactsnmp-serverenabletrapssnmpauthenticationlinkuplinkdowncoldstart telnet0.0.0.00.0.0.0trusttelnettimeout5ssh0.0.0.00.0.0.0untrustsshtimeout30consoletimeout0usernameadminpasswordf3UhLvUj1QsXsuK7encrypted!!prompthostnamecontextCryptochecksum:634aa0023e75546939c8b013c69a61b7:endciscoasa#showstartciscoasa#showstartup-config:Saved:Writtenbyenable_15at12:24:22.081UTCMonSep62010!ASAVersion7.2(4)!hostnameciscoasadomain-namedefault.domain.invalidenablepasswordgfFm2E3sthJOc7bqencryptedpasswd2KFQnbNIdI.2KYOUencryptednames!interfaceGigabitEthernet0/0nameifuntrust!interfaceGigabitEthernet0/1 nameifdmzsecurity-level50ipaddress172.18.19.254255.255.255.0!interfaceGigabitEthernet0/2 nameiftrustsecurity-level100ipaddress172.18.1.1255.255.255.0!interfaceGigabitEthernet0/3nonameifnosecurity-levelnoipaddress!interfaceManagement0/0 nameifmanagementsecurity-level100ipaddress192.168.1.1255.255.255.0 management-only!ftpmodepassivednsserver-groupDefaultDNSdomain-namedefault.domain.invalid access-list102extendedpermiticmpanyany access-list102extendedpermitipanyany pagerlines24loggingenablemtudmz1500mtutrust1500mtumanagement1500nofailovericmpunreachablerate-limit1burst-size1asdmimagedisk0:/ASDM-524.BINnoasdmhistoryenablearptimeout14400global(untrust)1interfacenat(trust)10.0.0.00.0.0.0static(trust,untrust)tcp113.105.88.5786172.18.11.886netmask255.255.255.255static(trust,untrust)tcp113.105.88.575000172.18.11.85000netmask255.255.255.255 static(trust,untrust)tcp113.105.88.586800172.18.11.1306800netmask255.255.255.255 static(trust,untrust)tcp113.105.88.584800172.18.11.1304800netmask255.255.255.255 static(trust,untrust)tcp113.105.88.583306172.18.11.1303306netmask255.255.255.255 static(trust,untrust)udp113.105.88.586800172.18.11.1306800netmask255.255.255.255 static(trust,untrust)udp113.105.88.584800172.18.11.1304800netmask255.255.255.255 static(trust,untrust)udp113.105.88.583306172.18.11.1303306netmask255.255.255.255 static(trust,untrust)tcp113.105.88.5881172.18.11.13081netmask255.255.255.255 static(trust,untrust)udp113.105.88.5881172.18.11.13081netmask255.255.255.255 static(trust,untrust)tcp113.105.88.601011172.18.11.91011netmask255.255.255.255 static(trust,untrust)udp113.105.88.601011172.18.11.91011netmask255.255.255.255 static(trust,untrust)tcp113.105.88.601018172.18.11.91018netmask255.255.255.255 static(trust,untrust)udp113.105.88.601018172.18.11.91018netmask255.255.255.255 static(trust,untrust)tcp113.105.88.5981172.18.15.99wwwnetmask255.255.255.255 static(trust,untrust)tcp113.105.88.592000172.18.15.992000netmask255.255.255.255 static(trust,untrust)udp113.105.88.592000172.18.15.992000netmask255.255.255.255 static(trust,untrust)udp113.105.88.59www172.18.15.99wwwnetmask255.255.255.255 static(trust,untrust)tcp113.105.88.598080172.18.15.998080netmask255.255.255.255static(trust,untrust)udp113.105.88.598000172.18.11.1238000netmask255.255.255.255 static(trust,untrust)tcp113.105.88.596999172.18.11.1236999netmask255.255.255.255 static(trust,untrust)tcp113.105.88.59ftp-data172.18.11.123ftp-datanetmask255.255.255.255 static(trust,untrust)tcp113.105.88.59ftp172.18.11.123ftpnetmask255.255.255.255static(trust,untrust)tcp113.105.88.59telnet172.18.11.123telnetnetmask255.255.255.255 static(trust,untrust)tcp113.105.88.591010172.18.11.1231000netmask255.255.255.255 static(trust,untrust)tcp113.105.88.598003172.18.11.1238003netmask255.255.255.255 static(trust,untrust)tcp113.105.88.598010172.18.11.1238010netmask255.255.255.255 static(trust,untrust)tcp113.105.88.598012172.18.11.1238012netmask255.255.255.255 static(trust,untrust)tcp113.105.88.598880172.18.11.1238880netmask255.255.255.255 static(trust,untrust)tcp113.105.88.601012172.18.11.91012netmask255.255.255.255 static(trust,untrust)tcp113.105.88.601013172.18.11.91013netmask255.255.255.255 static(trust,untrust)tcp113.105.88.601014172.18.11.91014netmask255.255.255.255 static(trust,untrust)udp113.105.88.601012172.18.11.91012netmask255.255.255.255 static(trust,untrust)udp113.105.88.601013172.18.11.91013netmask255.255.255.255 static(trust,untrust)udp113.105.88.601014172.18.11.91014netmask255.255.255.255 static(trust,untrust)tcp113.105.88.595000172.18.15.995000netmask255.255.255.255 static(trust,untrust)tcp113.105.88.594000172.18.15.994000netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602000172.18.11.92000netmask255.255.255.255 static(trust,untrust)udp113.105.88.602000172.18.11.92000netmask255.255.255.255 static(trust,untrust)tcp113.105.88.592009172.18.15.992009netmask255.255.255.255 static(trust,untrust)udp113.105.88.592009172.18.15.992009netmask255.255.255.255 static(trust,untrust)tcp113.105.88.598081172.18.15.998081netmask255.255.255.255 static(trust,untrust)udp113.105.88.598081172.18.15.998081netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602001172.18.11.92001netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602002172.18.11.92002netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602003172.18.11.92003netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602004172.18.11.92004netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602005172.18.11.92005netmask255.255.255.255static(trust,untrust)tcp113.105.88.602008172.18.11.92008netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602009172.18.11.92009netmask255.255.255.255 static(trust,untrust)tcp113.105.88.602010172.18.11.92010netmask255.255.255.255 static(trust,untrust)udp113.105.88.602001172.18.11.92001netmask255.255.255.255 static(trust,untrust)udp113.105.88.602002172.18.11.92002netmask255.255.255.255 static(trust,untrust)udp113.105.88.602003172.18.11.92003netmask255.255.255.255 static(trust,untrust)udp113.105.88.602004172.18.11.92004netmask255.255.255.255 static(trust,untrust)udp113.105.88.602005172.18.11.92005netmask255.255.255.255 static(trust,untrust)udp113.105.88.602006172.18.11.92006netmask255.255.255.255 static(trust,untrust)udp113.105.88.602007172.18.11.92007netmask255.255.255.255 static(trust,untrust)udp113.105.88.602008172.18.11.92008netmask255.255.255.255 static(trust,untrust)udp113.105.88.602009172.18.11.92009netmask255.255.255.255 static(trust,untrust)udp113.105.88.602010172.18.11.92010netmask255.255.255.255 static(trust,untrust)113.105.88.61172.18.11.10netmask255.255.255.255access-group102ininterfaceuntrustrouteuntrust0.0.0.00.0.0.010.92.8.91routetrust172.18.11.0255.255.255.0172.18.1.21routetrust172.18.12.0255.255.255.0172.18.1.21routetrust172.18.13.0255.255.255.0172.18.1.21routetrust172.18.14.0255.255.255.0172.18.1.21routetrust172.18.15.0255.255.255.0172.18.1.21routetrust172.18.16.0255.255.255.0172.18.1.21routetrust172.18.17.0255.255.255.0172.18.1.21routetrust172.18.18.0255.255.255.0172.18.1.21timeoutxlate3:00:00timeoutconn1:00:00half-closed0:10:00udp0:02:00icmp0:00:02timeoutsunrpc0:10:00h3230:05:00h2251:00:00mgcp0:05:00mgcp-pat0:05:00 timeoutsip0:30:00sip_media0:02:00sip-invite0:03:00sip-disconnect0:02:00 timeoutsip-provisional-media0:02:00uauth0:05:00absolutehttpserverenablehttp0.0.0.00.0.0.0trustnosnmp-serverlocationnosnmp-servercontactsnmp-serverenabletrapssnmpauthenticationlinkuplinkdowncoldstart telnet0.0.0.00.0.0.0trusttelnettimeout5ssh0.0.0.00.0.0.0untrustsshtimeout30consoletimeout0usernameadminpasswordf3UhLvUj1QsXsuK7encrypted!!prompthostnamecontextCryptochecksum:634aa0023e75546939c8b013c69a61b7 ciscoasa#。

asa5510限速等配置

asa5510限速等配置
ciscoasa(config)# hostname gametuzi 命名
gametuzi(config)# hostname gametuzi5510 新的名字
gametuzi5510(config)# int e0/0 进入E0/0 接口
gametuzi5510(config-if)# security-level 0 配置安全级别 因为是外部接口,安全级别为最高
拓扑图如下:
限速配置如下:
access-list rate_limit_1 extended permit ip any host 192.168.1.2 //(限制192.168.1.2下载)
access-list rate_limit_1 extended permit ip host 192.168.1.2 any //(限制192.168.1.2上传)
gametuzi5510# conf t
gametuzi5510(config)# global (outside) 1 interface PAT地址转换!
gametuzi5510(config)# end
gametuzi5510# conf t
gametuzi5510(config)# route outside 0.0.0.0 0.0.0.0 192.168.3.254 默认路由 访问所有外部地址从192.168.3.254 流出。
Ciscoasa(config)#access-group 100 in intercae outside per-user-override
访问必须调用ACL
备注如果,只是需要将内网一个服务器映射到公网可以这样做
ciscoasa(config)#static (inside, outside) 219.139.*.* 192.168.16.254

思科ASA 5510防火墙实战配置中文手册

思科ASA 5510防火墙实战配置中文手册

配置设备介绍:(只为做实验实际应用请根据自己具体情况更改相关参数即可)核心交换机4507提供VLAN3 网关地址:192.168。

3。

254提供DNS 服务器连接:192。

168.0。

1接入交换机2960提供VLAN3 TURNK 连接,可用IP 地址为192。

168。

3。

0-192.168。

3.240掩码:255.255。

255.0网关:192.168.3.254DNS:192.168。

0.1内网实验防火墙CISCO ASA 5510E0/0 IP:192.168。

3。

234E0/1 IP 10。

1。

1。

1实现配置策略1. 动态内部PC1 DHCP 自动获得IP 地址,可访问INTERNET,并PING 通外部网关。

PC1 Ethernet adapter 本地连接:Connection—specific DNS Suffix 。

: gametuziDescription . 。

. . . . 。

:Broadcom 440x rollerPhysical Address。

. . 。

. . 。

: 00-13-77-04—9Dhcp Enabled。

. 。

. 。

. 。

:YesAutoconfiguration Enabled 。

. . :YesIP Address. 。

. 。

. . . 。

. :10.1.1。

20Subnet Mask . . . . 。

. 。

. 。

: 255.255。

0.0Default Gateway . . 。

. 。

: 10.1。

1.1DHCP Server . 。

. 。

. 。

. : 10。

1。

1。

1DNS Servers . . . . . 。

. . 。

: 192.168.0。

12. 静态内部PC2 手动分配地址,可访问INTERNET ,并PING 通外部网关. PC1 Ethernet adapter 本地连接:Connection—specific DNS Suffix 。

cisco ASA5510_罐IOS

cisco ASA5510_罐IOS

asa rommon 5510 罐IOS首先做一下说明,恢复过程中用到的是ASA 5520上的千兆以太网端口(GE),1个快速以太网端口(MGMT),一个Console口,使用3CDaemon软件,一台PC,备份的asa708-k8.bin 和asdm-508.bin,Console线,普通网线。

2、下面是步骤及配置信息开启5520电源,开机会有如下提示:Use BREAK or ESC to interrupt boot.Use SPACE to begin boot immediately.然后按“ESC”键进入监控模式。

3、在监控模式下可以用“?”或“help”获得命令帮助,下面是用“?”或“help”后提示的恢复命令。

rommon #0>?Variables: Use "sync" to store in NVRAMADDRESS= <addr> local IP addressCONFIG= <name> config file path/nameGATEWAY= <addr> gateway IP addressIMAGE= <name> image file path/nameLINKTIMEOUT= <num> Link UP timeout (seconds)PKTTIMEOUT= <num> packet timeout (seconds)PORT= <name> ethernet interface portRETRY= <num> Packet Retry Count (Ping/TFTP)SERVER= <addr> server IP addressVLAN= <num> enable/disable DOT1Q tagging on the selected port 。

ASA5510配置实例1

ASA5510配置实例1

配置设备介绍:(只为做实验实际应用请根据自己具体情况更改相关参数即可)核心交换机 4507提供VLAN3 网关地址:192.168.3.254提供 DNS 服务器连接:192.168.0.1接入交换机 2960提供 VLAN3 TURNK 连接,可用IP 地址为192.168.3.0-192.168.3.240掩码:255.255.255.0网关:192.168.3.254DNS: 192.168.0.1内网实验防火墙 CISCO ASA 5510E0/0 IP:192.168.3.234E0/1 IP 10.1.1.1实现配置策略1. 动态内部 PC1 DHCP 自动获得IP 地址,可访问INTERNET,并PING 通外部网关。

PC1 Ethernet adapter 本地连接:Connection-specific DNS Suffix . : gametuziDescription . . . . . . . . . . . : Broadcom 440x rollerPhysical Address. . . . . . . . . : 00-13-77-04-9Dhcp Enabled. . . . . . . . . . . : YesAutoconfiguration Enabled . . . . : YesIP Address. . . . . . . . . . . . : 10.1.1.20Subnet Mask . . . . . . . . . . . : 255.255.0.0Default Gateway . . . . . . . . . : 10.1.1.1DHCP Server . . . . . . . . . . . : 10.1.1.1DNS Servers . . . . . . . . . . . : 192.168.0.12. 静态内部 PC2 手动分配地址,可访问 INTERNET ,并PING 通外部网关。

ASA防火墙配置

ASA防火墙配置

ASA防火墙初始配置1.模式介绍“>”用户模式firewall>enable 由用户模式进入到特权模式password:“#”特权模式firewall#config t 由特权模式进入全局配置模式“(config)#”全局配置模式防火墙的配置只要在全局模式下完成就可以了。

2.接口配置(以5510以及更高型号为例,5505接口是基于VLAN的):interface Ethernet0/0nameif inside (接口的命名,必须!)security-level 100(接口的安全级别)ip address 10.0.0.10 255.255.255.0no shutinterface Ethernet0/1nameif outsidesecurity-level 0ip address 202.100.1.10 255.255.255.0no shut3.路由配置:默认路由:route outside 0 0 202.100.1.1 (0 0 为0.0.0.0 0.0.0.0)静态路由:route inside 192.168.1.0 255.255.255.0 10.0.0.15505接口配置:interface Ethernet0/0!interface Ethernet0/1switchport access vlan 2interface Vlan1nameif insidesecurity-level 100ip address 192.168.6.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 202.100.1.10ASA防火墙NAT配置内网用户要上网,我们必须对其进行地址转换,将其转换为在公网上可以路由的注册地址,防火墙的nat和global是同时工作的,nat定义了我们要进行转换的地址,而global定义了要被转换为的地址,这些配置都要在全局配置模式下完成,Nat配置:firewall(config)# nat (inside) 1 0 0上面inside代表是要被转换得地址,1要和global 后面的号对应,类似于访问控制列表号,也是从上往下执行,0 0 代表全部匹配(第一个0代表地址,第二个0代表掩码),内部所有地址都回进行转换。

ASA5510防火墙VPN配置

ASA5510防火墙remote ipsec vpn配置1、IPSEC VPN 基本配置access-list no-nat extended permit ip//定义VPN数据流nat (inside) 0 access-list no-nat//设置IPSEC VPN数据不作nat翻译1ip local pool vpn-pool mask//划分地址池,用于VPN用户拨入之后分配的地址。

crypto ipsec transform-set vpnset esp-des esp-md5-hmac//定义一个变换集myset,用esp-md5加密的。

(网上一般都是用esp-3des esp-sha-hmac 或esp-des esp-sha-hmac,而我使用的防火墙没开启3des,所以只能使用esp-des;至于esp-sha-hmac ,不知为什么,使用它隧道组始终无法连接上,所以改用esp-md5-hmac。

具体原因不清楚。

)(补充:后来利用ASA5520防火墙做了关于esp-3des esp-sha-hmac 加密的测试,成功!)crypto dynamic-map dymap 10 set transform-set vpnset//把vpnset添加到动态加密策略dynmapcrypto dynamic-map dymap 10 set reverse-routecrypto map vpnmap 10 ipsec-isakmp dynamic dymap//把动态加密策略绑定到vpnmap动态加密图上crypto map vpnmap interface outside//把动态加密图vpnmap绑定到outside口2crypto isakmp identity addresscrypto isakmp enable outside// outside接口启用isakmpcrypto isakmp policy 10//进入isakmp的策略定义模式authentication pre-share//使用pre-shared key进行认证encryption des//定义协商用DES加密算法(与前面对应,这里使用des,而不是3des)hash md5//定义协商用md5加密算法(和前面一样,网上使用的是sha,我这里为了配合前面的esp-md5-hmac,而使用md5) group 2//定义协商组为2,标准有1、2、3、5等多组,主要用于块的大小和生命时间等3lifetime 86400//定义生命时间group-policy whjt internal//定义策略组(用于想进入的)想要运用策略组就必须用默认的策略组名,否则无法激活该组。

Cisco_A5510(HA)配置

Failover On Failover unit Primary
Failover LAN Interface: failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
hostname(config)# interface Ethernet0/3
hostname(config-if)# no shutdown
hostname(config)# failover
hostname(config)# copy running-config startup-config
hostname(config-if)# failover lan unit secondary
hostname(config)# failover
hostname(config)# copy running-config startup-config
! 在配置完成后,主机自动将当前配置同步到备机上,此时在两台主机上show run看到的配置已经一致了。
注意:在配置完网络接口以后,运行no shutdown 启用接口。
A5510 -1 (Secondary Host):
hostname(config)# interface Ethernet0/3 description LAN Failover Interface
hostname(config)# failover lan interface failover Ethernet0/3

Cisco ASA5510 双出口策略路由配置

Asa/PIX的Static Route Tracking命令可以有效解决双ISP出口的问题存在问题:静态路由没有固定的机制来决定是否可用,即使下一跳不可达,静态路由还是会存在路由表里,是有当ASA自己的和这条路由相关接口down了,才会从路由表里删除解决办法:Static Route Tracking这个feature提供一种方法来追踪静态路由,当主路由失效时可以安装备份路由进路由表,例如:2条缺省指向不同ISP,当主的ISP 断了,可以立即启用备用ISP 链路,它是使用ICMP来进行追踪的,如果在一定holdtime没有收到reply的话就认为这条链路down了,就会立即删除该静态路由,预先设置的备份路由就会进入路由表。

注意:配置时要在outside口上放开icmp reply(如果打开了icmp限制)pixFirewall(config)#sla monitor sla_id #指定检测的slaIDPixfirewall(config-sla-monitor)# type echo protocol ipIcmpEcho target_ip interfaceif_name #指定检测的协议类型为ICMP协议,并指定检测目的地址和接口这个必须是个可以ping通的地址,当这个地址不可用时,track跟踪的路由就会被删除,备份路由进路由表pixFirewall(config)#sla monitor schedule sla_id [life {forever | seconds}][start-time {hh:mm [:ss][month day | day month]| pending | now | after hh:mm:ss}][ageout seconds][recurring]#指定一个Schedule,一般会是start now必须要写时间表,不然track的路由进不了路由表pixFirewall(config)# track track_id rtr sla_id reachability #指定一个TrackID,并要求追踪SlaID 的可达性pixFirewall(config)# route if_name dest_ip mask gateway_ip [admin_distance]track track_i #设定默认路由,并绑定一个TrackID配置实例:sla monitor 1type echo protocol ipIcmpEcho 202.1.1.2 interface dxsla monitor schedule 1 start-time now(必须配置,不然track的路由进不了路由表)track 2 rtr 1 reachabilityroute dx 0.0.0.0 0.0.0.0 202.1.1.2 1 track 2 (电信默认网关,会追踪地址的可达性)route wt 0.0.0.0 0.0.0.0 101.1.1.2 2 (网通默认网关)当配置的202.1.1.2 ping不通(ICMP协议不能Reachability)的时候,route dx 0.0.0.0 0.0.0.0 202.1.1.2 1就会在路由表里删除,并由第二条默认路由即route wt 0.0.0.0 0.0.0.0 101.1.1.2 2取代,当202.1.1.2恢复后,又会重新变为dx 0.0.0.0 0.0.0.0 202.1.1.2 1这个feature我想大家在很多项目里都会遇到,ASA可以有效解决!这与我们用路由器实现双出口备份是一样的,通过配置SAA,检查其连通性。

5510防火墙配置(尚阳)


.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.25.0
255.255 .255.0
access-list nonat extended permit ip 10.80.1.0 255.255.255.0 192.168.25.0 255.25
ip address 10.1.5.1 255.255.255.248
!
interface Ethernet0/2
description to_Dianxing
nameif outside1
security-level 0
ip address 183.62.194.98 255.255.255.248
access-list split-ssl standard permit 10.1.7.0 255.255.255.0
access-list split-ssl standard permit 10.1.1.0 255.255.255.0
access-list split-ssl standard permit 10.10.1.0 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0management-only !
  1. 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
  2. 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
  3. 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
ASA5510 常用配置.另外 RA-VPN 配置!!
ASA5510(config)# sh run : Saved : ASA Version 7.0(5) ! hostname ASA5510 domain-name enable password 9jNfZuG3TC5tCVH0 encrypted names dns-guard ! interface Ethernet0/0 description link public nameif outside security-level 0 ip address *.*.*.* 255.255.255.0 ! interface Ethernet0/1 description link inside nameif inside security-level 100 ip address 192.168.0.1 255.255.255.0 ! interface Ethernet0/2 nameif inside0 security-level 100 ip address 192.168.3.1 255.255.255.0 ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! passwd ErxOrHUu6ViMiiRU encrypted
timeout uauth 0:05:00 absolute group-policy vpn1 internal group-policy vpn1 attributes dns-server value 218.6.200.139 202.98.96.68 vpn-idle-timeout 60 vpn-tunnel-protocol IPSec ipsec-udp enable split-tunnel-policy tunnelspecified split-tunnel-network-list value nonat webvpn username test password P4ttSyrm33SV8TYp encrypted username test attributes vpn-group-policy vpn1 vpn-tunnel-protocol IPSec webvpn username telnet1 password PcqDoDILCSVk03rz encrypted privilege 15 username telnet1 attributes vpn-group-policy vpn1 vpn-tunnel-protocol IPSec webvpn username cisco1 password ffIRPGpDSOJh9YLq encrypted username cisco1 attributes vpn-tunnel-protocol IPSec webvpn aaa authentication ssh console LOCAL http server enable http 192.168.0.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside isakmp enable outside isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 43200 isakmp policy 65535 authentication pre-share isakmp policy 65535 encryption 3des isakmp policy 65535 hash md5 isakmp policy 65535 group 2
ftp mode passive dns domain-lookup outside same-security-traffic permit intra-interface access-list 111 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list 111 extended permit icmp any any access-list 111 extended permit udp any any eq domain access-list 111 extended permit tcp any any eq www access-list 111 extended permit tcp any any eq ftp access-list 111 extended permit tcp any any eq ftp-data access-list 111 extended permit tcp any any eq https access-list 111 extended permit tcp any any eq 2967 access-list 111 extended permit udp any any eq 2967 access-list 111 extended permit udp any any eq 38293 access-list 111 extended permit udp any any eq 50 access-list 111 extended permit udp any any eq isakmp access-list 111 extended permit udp any any eq 10000 access-list split standard permit 192.168.0.0 255.255.255.0 access-list 112 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list 112 extended permit icmp 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 echo-reply access-list 112 extended permit icmp 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 pager lines 24 logging asdm informational mtu outside 1500 mtu inside 1500 mtu management 1500 mtu inside0 1500 ip local pool testvpn 192.168.2.5-192.168.2.253 mask 255.255.255.0 no failover asdm image disk0:/asdm505.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list nonat nat (inside) 1 0.0.0.0 0.0.0.0 access-group 112 in interface outside access-group 111 in interface inside route outside 0.0.0.0 0.0.0.0 *.*.*.* 1 route inside 192.168.2.0 255.255.255.0 192.168.1.2 1 route inside 192.168.2.0 255.255.255.0 192.168.0.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip535 lifetime 86400 isakmp nat-traversal 20 tunnel-group vpn1 type ipsec-ra tunnel-group vpn1 general-attributes address-pool testvpn default-group-policy vpn1 tunnel-group vpn1 ipsec-attributes pre-shared-key * telnet timeout 5 ssh 0.0.0.0 0.0.0.0 outside ssh 192.168.0.0 255.255.255.0 inside ssh timeout 60 ssh version 2 console timeout 0 dhcpd address 192.168.0.5-192.168.0.254 inside dhcpd address 192.168.3.5-192.168.3.253 inside0 dhcpd dns 218.6.200.139 202.98.96.68 dhcpd lease 3000 dhcpd ping_timeout 50 dhcpd enable inside ! class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default