ASA Version 7配置.doc

ASA Version 7.2(4) !hostname ciscoasadomain-name default.domain.invalidenable password jDUXMyqeIzxQIVgK encryptedpasswd jDUXMyqeIzxQIVgK encryptednames!interface Vlan1 nameif inside security-level 100 ip address !interface Vlan2 nameif outside security-level 0 ip address 11 !interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2! interface Ethernet0/3! interface Ethernet0/4! interface Ethernet0/5! interface Ethernet0/6! interface Ethernet0/7! ftp mode passivedns server-group DefaultDNS domain-name default.domain.invalidaccess-list inside extended permit ip any any access-list outside extended permit ip any any access-list go-vpn extended permit ip interface inside access-list split-ssl extended permit ip any pager lines 24logging enablelogging asdm informationalmtu outside 1500mtu inside 1500ip local pool ssl-vpn -00icmp unreachable rate-limit 1 burst-size 1asdm image disk0:/asdm-611.binasdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list go-vpnnat (inside) 1 static (inside,outside) tcp interface www 00 www netmask 55 access-group outside in interface outsideaccess-group inside in interface insideroute outside 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutehttp server enable 444http insidehttp insideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstarttelnet insidetelnet timeout 5ssh scopy enablessh outsidessh timeout 5 ssh version 1 console timeout 0 webvpn enable outside csd image disk0:/securedesktop-asa-15-k9.pkg svc enable tunnel-group-list enablegroup-policy mysslvpn-group-policy internalgroup-policy mysslvpn-group-policy attributes vpn-tunnel-protocol webvpn split-tunnel-policy tunnelspecified split-tunnel-network-list value split-ssl webvpn svc enable username test password P4ttSyrm33SV8TYp encryptedusername test attributes vpn-group-policy mysslvpn-group-policyusername admin password fbFbxQS63ePiLd41 encryptedtunnel-group mysslvpn-group type webvpntunnel-group mysslvpn-group general-attributes address-pool ssl-vpntunnel-group mysslvpn-group webvpn-attributes group-alias group2 enable! class-map inspection_default match default-inspection-traffic! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy globalprompt hostname context Cryptochecksum:1c712711e5c58893c3dd6b45cd3f4972: end 关于CISCO PIX/ASA alias NDS参数命令讨论网上很多帖子都讨论过这个问题，内部到底能不能通过域名和公网地址访问内部服务器的问题。有如下两个方法：方法一：通过dns后缀解决static (inside,outside ) netmask 55 dnsaccess-list 100 extended permit tcp any host eq 80access-group 100 in interface ouside其实就在静态影射命令的后面加了一个dns后缀 ，就能通过域名访问内部服务器，其实原理很简单，因为我们的dns服务器在防火墙外面（或者说是电信解析的），内部没有dns服务器，所以当我们通过域名访问内部网络的时候，首先通过防火墙找到电信的dns服务器，由外网的dns服务器解吸域名 为对应的公网地址 这个时候 如果没加dns这个后缀。防火墙会认为这个web服务器就在防火墙的外面，就后丢掉这个dns回复包，但加了这个dns后缀后 会把这个公网地址重定向为内网地址 。然后内网用户就可以通过这个地址访问web服务器了。在内部测试ping 解析返回的是这个地址方法二 通过别名alias 命令解决static (inside,outside ) netmask 55access-list 100 extended permit tcp any host eq 80access-group 100 in interface ousidealias (inside) 55这个办法原理也和上面一样 只是实现方式不同，不在静态隐射后面加dns后缀。在添加一条别名命令alias也可以把域名重新定向为内步地