Cisco version 8.4 and above + basic Internet access + port mapping + SSH

Document summary

Basic Internet access + port mapping + SSH

sh run
: Saved
:
ASA Version 8.4(4)1
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted    ! standard encrypted configuration: the enable password
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0    ! standard configuration
 nameif outside
 security-level 0
 ip address X.X.X.X
!
interface Ethernet0/1    ! standard configuration
 nameif inside
 security-level 100
 ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
object network inside-outside    ! introduces an object: the address range that gets Internet access
 subnet    ! the Internet-access subnet; can be written as
object network server    ! address of the port-mapped server
 host 54    ! no mask is written
object network server-outside    ! outside IP; used for one-to-one mapping when there are several public IPs
 host X.X.X.X
object network pc
 host
object network server63888    ! four port mappings for the server
 host 54
object network server5900
 host 54
object network server5901
 host 54
object network server11034
 host 54
access-list 110 extended permit ip any any    ! standard configuration
access-list 110 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network inside-outside    ! NAT configuration
 nat (inside,outside) dynamic interface    ! configuration when there is only one public IP
 nat (inside,outside) dynamic X.X.X.X    ! specify a particular public IP; method 1 for multiple public IPs

Method 2 for multiple public IPs, by example: for users with a large number of public addresses, commonly used by carriers or on corporate internal networks

Object network outside
 Range 0
Object network inside
 Subnet
 Nat (inside,outside) static outside

object network server    ! port mapping, four ports
 nat (inside,outside) static interface service tcp 5903 5903
object network server5900
 nat (inside,outside) static interface service tcp 5900 5900
object network server5901
 nat (inside,outside) static interface service tcp 5901 5901
object network server11034
 nat (inside,outside) static interface service tcp 11034 11034
access-group 110 in interface outside    ! standard configuration
access-group 110 in interface inside
route outside Y.Y.Y.Y 1    ! default route, standard configuration
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL    ! for SSH, configure this command first; the rest is standard configuration
aaa authentication ssh console LOCAL    ! local authentication for SSH
aaa authentication telnet console LOCAL    ! Telnet authentication
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
telnet inside
telnet timeout 5
ssh outside    ! SSH
ssh inside
ssh timeout 60
ssh version 1
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns N.N.N.N    ! DHCP configuration
dhcpd address -00 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password eY/fQXw7Ure8Qrz7 encrypted    ! username and password used by SSH
username cisco password 3USUcOPFUiMCO4Jk encrypted    ! username and password used by SSH
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect s
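
The running configuration above enables Telnet management, restricts SSH to protocol version 1 with dh-group1-sha1 key exchange, and binds a `permit ip any any` access list inbound on the outside interface. The following is an added example, not part of the original document, that flags these settings in a saved configuration. The rule set, the finding names and the placeholder addresses in the sample are assumptions made for this example.

```python
import re

# Constructed excerpt: command lines as in the configuration above. The addresses
# are placeholders (192.0.2.0/24, 0.0.0.0) because the page elides the real ones.
SAMPLE = """\
access-list 110 extended permit ip any any
access-list 110 extended permit icmp any any
access-group 110 in interface outside
access-group 110 in interface inside
aaa authentication ssh console LOCAL
telnet 192.0.2.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
ssh key-exchange group dh-group1-sha1
"""

# Hypothetical rule set for this example: (finding id, pattern, reason)
RULES = [
    ("TELNET", r"telnet \d+\.\d+\.\d+\.\d+ \S+ \S+$",
     "Telnet management sends credentials in cleartext"),
    ("SSH_ANY_OUTSIDE", r"ssh 0\.0\.0\.0 0\.0\.0\.0 outside$",
     "SSH management reachable from any source on the outside interface"),
    ("SSH_V1", r"ssh version 1$",
     "SSH restricted to protocol version 1; use 'ssh version 2'"),
    ("WEAK_KEX", r"ssh key-exchange group dh-group1-sha1$",
     "1024-bit DH group 1 key exchange; prefer dh-group14-sha1"),
]

def audit(config):
    """Return [(finding_id, offending_line, reason)] in configuration order."""
    lines = [s for s in (l.strip() for l in config.splitlines())
             if s and not s.startswith("!")]
    # Names of ACLs applied inbound on the outside interface
    outside = {m.group(1) for l in lines
               if (m := re.match(r"access-group (\S+) in interface outside$", l))}
    findings = []
    for l in lines:
        m = re.match(r"access-list (\S+) extended permit ip any any$", l)
        if m and m.group(1) in outside:
            findings.append(("ACL_ANY_ANY_OUTSIDE", l,
                             "outside ACL permits all IP traffic to every translated host"))
        for fid, pattern, why in RULES:
            if re.match(pattern, l):
                findings.append((fid, l, why))
    return findings

if __name__ == "__main__":
    for fid, line, why in audit(SAMPLE):
        print(f"{fid:20} {line}\n{'':20} -> {why}")
```
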
