ASA防火墙配置命令-王军.doc_第1页
ASA防火墙配置命令-王军.doc_第2页
ASA防火墙配置命令-王军.doc_第3页
ASA防火墙配置命令-王军.doc_第4页
ASA防火墙配置命令-王军.doc_第5页
已阅读5页,还剩8页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

ASA防火墙配置命令(v1.0)作者王军审核分类网络子类防火墙时间2019年2月15日版本说明版本日期内容编写人V1.02010-3-14创建文档王军目 录1. 常用技巧32. 故障倒换33. 配置telnet、ssh及http管理54. vpn常用管理命令55. 配置访问权限66. 配置sitetosite之VPN67. webvpn配置(ssl vpn)78. 远程拨入VPN89. 日志服务器配置1010. Snmp网管配置1111. ACS配置1112. AAA配置1113. 升级IOS1214. 疑难杂症121. 常用技巧Sh ru ntp查看与ntp有关的Sh ru crypto 查看与vpn有关的Sh ru | inc crypto 只是关健字过滤而已2. 故障倒换failoverfailover lan unit primaryfailover lan interface testint Ethernet0/3failover link testint Ethernet0/3failover mac address Ethernet0/1 0018.1900.5000 0018.1900.5001failover mac address Ethernet0/0 0018.1900.4000 0018.1900.4001failover mac address Ethernet0/2 0018.1900.6000 0018.1900.6001failover mac address Management0/0 0018.1900.7000 0018.1900.7001failover interface ip testint standby 注:最好配置虚拟MAC地址sh failover显示配置信息write standby写入到备用的防火墙中failover命令集如下:configure mode commands/options: interface Configure the IP address and mask to be used for failover and/or stateful update information interface-policy Set the policy for failover due to interface failures key Configure the failover shared secret or key lan Specify the unit as primary or secondary or configure the interface and vlan to be used for failover communication link Configure the interface and vlan to be used as a link for stateful update information mac Specify the virtual mac address for a physical interface polltime Configure failover poll interval replication Enable HTTP (port 80) connection replication timeout Specify the failover reconnect timeout value for asymmetrically routed sessionssh failover 命令集如下: history Show failover switching history interface Show failover command interface information state Show failover internal state information statistics Show failover command interface statistics information | Output modifiers 3. 配置telnet、ssh及http管理username jiang password Csmep3VzvPQPCbkx encrypted privilege 15aaa authentication enable console LOCALaaa authentication telnet console LOCALaaa authentication ssh console LOCALaaa authorization command LOCAL http management ssh inside4. vpn常用管理命令sh vpn-sessiondb full l2l 显示site to site 之vpn通道情况sh ipsec stats 显示ipsec通道情况sh vpn-sessiondb summary 显示vpn汇总信息sh vpn-sessiondb detail l2l 显示ipsec详细信息sh vpn-sessiondb detail svc 查看ssl client信息sh vpn-sessiondb detail webvpn 查看webvpn信息sh vpn-sessiondb detail full l2l 相当于linux下的ipsec whack status 如果没有建立连接,则表示ipsec通道还没有建立起来。5. 配置访问权限可以建立对象组,设定不同的权限,如: object-group network testgroup description test network-object 4 55 access-list inside_access_in line 2 extended permit ip object-group all any access-group inside_access_in in interface inside6. 配置sitetosite之VPNcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmaccrypto map outside_map 20 match address outside_cryptomap_20_1crypto map outside_map 20 set pfscrypto map outside_map 20 set peer 8crypto map outside_map 20 set transform-set ESP-3DES-SHAcrypto map outside_map interface outsideisakmp identity addressisakmp enable outsideisakmp policy 10 authentication pre-shareisakmp policy 10 encryption 3desisakmp policy 10 hash shaisakmp policy 10 group 2isakmp policy 10 lifetime 86400tunnel-group 8 type ipsec-l2ltunnel-group 8 ipsec-attributespre-shared-key *peer-id-validate nochecktunnel-group-map enable rules注:打打PFS并设定以IP地址作为peer名,一个接口只能有一个加密图7. webvpn配置(ssl vpn)webvpnenable outsidecharacter-encoding gb2312csd image disk0:/securedesktop-asa-6.pkgsvc image disk0:/sslclient-win-54.pkg 1svc enablecustomization customization1 title text TEST WebVPN system title style background-color:white;color: rgb(51,153,0);border-bottom:5px groove #669999;font-size:larger;vertical-align:middle;text-align:left;font-weight:boldtunnel-group-list enable注:也可通过ASDM图形界面进行配置登录后,可访问内部资源,如下例:(客户端首先要安装Java插件jre-1_5_0-windows-i586.exe,并打开浏览器的ActiveX)1) 输入用户名和密码2) 出现工具条3) 在Enter Web Address内输入即可访问内部网站4)在browse network输入即可访问共享文件5)点击application access,即可查看端口转发设置,如使用putty访问本机的2023端口,则即可通过ssh登录8. 远程拨入VPN相关的ASA配置命令如下:access-list inside_access_in extended permit ip object-group remotegroup anyaccess-list inside_access_in extended permit icmp object-group remotegroup anyaccess-list remotevpn_splitTunnelAcl standard permit access-list vpnclient_splitTunnelAcl standard permit ip local pool dialuserIP -54 mask group-policy remotevpn attributesdns-server value 8 6default-domain value username jiang password Csmep3VzvPQPCbkx encrypted privilege 15crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmaccrypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmaccrypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmaccrypto dynamic-map outside_dyn_map 20 set pfscrypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHAcrypto dynamic-map outside_dyn_map 20 set reverse-routecrypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_mapcrypto map outside_map interface outsidetunnel-group remotevpn type ipsec-ratunnel-group remotevpn general-attributesaddress-pool dialuserIPdefault-group-policy remotevpntunnel-group remotevpn ipsec-attributespre-shared-key *客户端设置如下:9. 日志服务器配置logging enablelogging timestamplogging emblemlogging trap informationallogging asdm warningslogging host inside 15 format emblemlogging permit-hostdownvpn-simultaneous-logins 310. Snmp网管配置snmp-server host inside 7 community testsnmpsnmp-server location DG-GTESTsnmp-server contact jiangdaoyou:6162snmp-server community testsnmpsnmp-server enable traps snmp authentication linkup linkdown coldstart注:指定主机后,192.168.40
人人文库> 全部分类> 应用文书 > 事务文书

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

最新文档

评论

0/150

提交评论