cisco ASA配置(一).docx

本人的是自己摸索的，所以肤浅的很，但是愿意拿出来和大家分享一下因为太绝了，这块的命令和switch、router的都不一样。ASA5510# write erase清除ASA配置兩點注意事項1. 不要再下wr或者copy running-config startup-config2. 先要show version將下面的Information備份下來Running Activation Key: 0x0000000 0x00000000 0x00000000 0x00000000 0x843cd8aehostname ASA5510domain-name default.domain.invalidenable password XXVfCWsIr6DY92H0 encrypted設定enable passwordnamesdns-guard!interface Ethernet0/0nameif outside給接口命名security-level 0設置安全等級ip address 48 設定IP address and Subnet Mask別忘了下 no shutdown!interface Ethernet0/1nameif insidesecurity-level 100ip address !interface Ethernet0/2shutdownno nameifno security-levelno ip address!interface Ethernet0/3shutdownno nameifno security-levelno ip address!interface Management0/0shutdown 管理接口，nameif management通常情況我是將他SHUTDOWN的security-level 100ip address management-only!passwd 2KFQnbNIdI.2KYOU encrypted 設置telnet密碼boot system disk0:/asa722-k8.bin設置開機引導的IOS文件不知道用什麽文件引導的话，可以先show flash查看一下,選擇最新的就可以了。ASA5510# show flash-#- -length- -date/time- path6 6746112Aug 27 2006 23:06:48 asa711-k8.bin7 7552312Aug 27 2006 23:05:30 asdm511.bin10 8312832Feb 16 2007 01:13:44 asa722-k8.bin11 5623108Feb 16 2007 01:23:36 asdm522.bin12 14524416 Jul 31 2007 23:41:20 asa802-k8.bin20156416 bytes available (42790912 bytes used) ftp mode passivedns server-group DefaultDNSdomain-name default.domain.invalidobject-group network Public 設置一個群組，名稱是publicnetwork-object host 80network-object host 11 群組的内容network-object IP address and Subnet Mask or hostnetwork-object host 12 設定群組的目的是便于管理，用來DENY OR PERMIT,以減少ACL的條目數量。network-object host 17 network-object host 7network-object host 28network-object host 8network-object host 16network-object host 2network-object host network-object host 1network-object host 9access-list 102 extended permit icmp any any 擴展的ACL in outsideaccess-list 119 extended permit ip any 擴展的ACL in insideaccess-list 119 extended permit ip anyaccess-list 119 extended permit ip anyaccess-list 119 extended permit icmp any anyaccess-list 119 extended permit ip any object-group Publicpager lines 24logging enablelogging buffered warningslogging asdm informationalmtu outside 1500設置MTU值，值和速度成正比，和穩定性成反比，一般設定1500OR1942mtu inside 1500mtu management 1500icmp unreachable rate-limit 1 burst-size 1icmp permit any outsideicmp permit any insideasdm image disk0:/asdm522.bin 用ASDM工具CONNECT的IOS文件版本no asdm history enablearp timeout 14400global (outside) 1 interface配置动态NATnat (inside) 1 配置内部IP地址池static (inside,outside) tcp pop3 11 pop3 netmask 255.255255.255 配置静态NATstatic (inside,outside) tcp smtp 11 smtp netmask 255.255255.255access-group 102 in interface outside 将ACL应用到 outside接口access-group 119 in interface inside将ACL应用到 inside接口route outside xxx.xxx.xxx.xxx 1 静态路由表 是ISP分配的gatewayroute inside 1route inside 1route inside 1route inside 1route inside 1route inside 1route inside 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout uauth 0:05:00 absoluteusername brianwu password CLhdP7PpHY9i8Amo encrypted添加的用户名和密码username fortunegao password OLuVCAGFe/2qmg4o encryptedaaa authentication telnet console LOCAL TELNET启用AAA验证aaa authentication http console LOCAL http启用AAA验证http server enable启动HTTP server,便于ASDM连接。http outside对外启用ASDM连接http inside 对内启用ASDM连接no snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstarttelnet inside 对内启用TELNET连接telnet timeout 5ssh timeout 5console timeout 0!class-map inspection_defaultmatch default-inspection-traffic!policy-map global_policyclass inspection_defaultinspect ftpinspect h323 h225inspect h323 rasinspect netbiosinspect rshinspect rtspinsp