思科ASA 5510防火墙实战配置中文手册

精选文库配置设备介绍：（只为做实验实际应用请根据自己具体情况更改相关参数即可） 核心交换机 4507 提供VLAN3 网关地址：192.168.3.254 提供 DNS 服务器连接：192.168.0.1 接入交换机 2960 提供 VLAN3 TURNK 连接， 可用IP 地址为 192.168.3.0192.168.3.240 掩码：255.255.255.0 网关：192.168.3.254 DNS: 192.168.0.1 内网实验防火墙 CISCO ASA 5510 E0/0 IP:192.168.3.234 E0/1 IP 10.1.1.1 实现配置策略 1. 动态内部 PC1 DHCP 自动获得IP 地址，可访问INTERNET，并PING 通外部网关。 PC1 Ethernet adapter 本地连接: Connection-specific DNS Suffix . : gametuzi Description . . . . . . . . . . . : Broadcom 440x roller Physical Address. . . . . . . . . : 00-13-77-04-9 Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 10.1.1.20 Subnet Mask . . . . . . . . . . . : 255.255.0.0 Default Gateway . . . . . . . . . : 10.1.1.1 DHCP Server . . . . . . . . . . . : 10.1.1.1 DNS Servers . . . . . . . . . . . : 192.168.0.1 2. 静态内部 PC2 手动分配地址，可访问 INTERNET ，并PING 通外部网关。 PC1 Ethernet adapter 本地连接: Connection-specific DNS Suffix . : gametuzi Description . . . . . . . . . . . : Broadcom 440x roller Physical Address. . . . . . . . . : 00-13-77-04-9 Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 10.1.34.34 Subnet Mask . . . . . . . . . . . : 255.255.0.0 Default Gateway . . . . . . . . . : 10.1.1.1 DHCP Server . . . . . . . . . . . : 10.1.1.1 - Page 3- DNS Servers . . . . . . . . . . . : 192.168.0.1 3.ASA 5510 启动PAT NAT DNS DHCP服务 好开始连接 ASA 5510 ciscoasa# ciscoasa# conf t 进入全局配置模式 ciscoasa(config)# hos ciscoasa(config)# hostname gametuzi 命名 gametuzi(config)# gametuzi(config)# hostname gametuzi5510 新的名字 gametuzi5510(config)# conf t gametuzi5510(config)# int e0/0 进入E0/0 接口 gametuzi5510(config-if)# n gametuzi5510(config-if)# n? interface mode commands/options: nameif no configure mode commands/options: name names nat nat-control no ntp exec mode commands/options: no gametuzi5510(config-if)# name gametuzi5510(config-if)# nameif ou gametuzi5510(config-if)# nameif outside INFO: Security level for outside set to 0 by default. gametuzi5510(config-if)# sec gametuzi5510(config-if)# security-level 0 配置安全级别 因为是外部接口，安全级别为最高 gametuzi5510(config-if)# nameif outside 命名接口为外部接口 gametuzi5510(config-if)# ip gametuzi5510(config-if)# ip addre gametuzi5510(config-if)# ip address 192.168.3.234 255.255.255.0 添加IP 地址 gametuzi5510(config-if)# no shu 启动端口 gametuzi5510(config-if)# no shu gametuzi5510(config-if)# end gametuzi5510# conf t gametuzi5510(config)# int e0/1 进入E0/1 接口 gametuzi5510(config-if)# se gametuzi5510(config-if)# ser - Page 4-gametuzi5510(config-if)# secu gametuzi5510(config-if)# security-level 100设置内部安全级别为100 gametuzi5510(config-if)# na gametuzi5510(config-if)# name gametuzi5510(config-if)# nameif in gametuzi5510(config-if)# nameif inside 命名内部网络 gametuzi5510(config-if)# ip addre gametuzi5510(config-if)# ip address 10.1.1.1 255.255.0.0 添加IP 地址 gametuzi5510(config-if)# no shu gametuzi5510(config-if)# no shu gametuzi5510(config-if)# end gametuzi5510# go gametuzi5510# gol gametuzi5510# gol? ERROR: % Unrecognized command gametuzi5510# gl gametuzi5510# gl? ERROR: % Unrecognized command gametuzi5510# conf t gametuzi5510(config)# gol gametuzi5510(config)# gol? ERROR: % Unrecognized command gametuzi5510(config)# gk gametuzi5510(config)# gl? configure mode commands/options: global gametuzi5510(config)# gl gametuzi5510(config)# global ou gametuzi5510(config)# global (outside)1 in gametuzi5510(config)# global (outside)1 in? ERROR: % Unrecognized command gametuzi5510(config)# global (outside) 1 int gametuzi5510(config)# global (outside) 1 interface PAT 地址转换！ INFO: outside interface address added to PAT pool gametuzi5510(config)# end gametuzi5510# conf t gametuzi5510(config)# route ou gametuzi5510(config)# route outside 0.0.0.00.0.0.0192.168.3.254 默认路由访问所有外部地 址从192.168.3.254流出。 gametuzi5510(config)# nat (inside) 1 10.1.0.0 255.255.0.0 内部地址转换 10.1.0.0 网段 gametuzi5510(config)# dhcpd? configure mode commands/options: - Page 5-dhcpd gametuzi5510(config)# dhcpd ? configure mode commands/options: address Configure the IP pool address range after this keyword auto_config Enable auto configuration from client dns Configure the IP addresses of the DNS servers after this keyword domain Configure DNS domain name after this keyword enable Enable the DHCP server lease Configure the DHCPD lease length after this keyword option Configure options to pass to DHCP clients after this keyword ping_timeout Configure ping timeout value after this keyword wins Configure the IP addresses of the NETBIOS servers after this keyword gametuzi5510(config)# dhcpd adre gametuzi5510(config)# dhcpd addre gametuzi5510(config)# dhcpd address ? configure mode commands/options: WORD IP addresses, - gametuzi5510(config)# dhcpd address 10.1.1.20-10.1.1.150 ? configure mode commands/options: Available interfaces on which to enable the DHCP server: inside Name of interface Ethernet0/1 outside Name of interface Ethernet0/0 gametuzi5510(config)# dhcpd address 10.1.1.20-10.1.1.150 in gametuzi5510(config)# dhcpd address 10.1.1.20-10.1.1.150 inside ? configure mode commands/options: gametuzi5510(config)# dhcpd address 10.1.1.20-10.1.1.150 inside 配置DHCP可分配网段，并 标识为内部接口 gametuzi5510(config)# dhcpd ? configure mode commands/options: address Configure the IP pool address range after this keyword auto_config Enable auto configuration from client dns Configure the IP addresses of the DNS servers after this keyword domain Configure DNS domain name after this keyword enable Enable the DHCP server lease Configure the DHCPD lease length after this keyword - Page 6- option Configure options to pass to DHCP clients after this keyword ping_timeout Configure ping timeout value after this keyword wins Configure the IP addresses of the NETBIOS servers after this keyword gametuzi5510(config)# dhcpd dns ? configure mode commands/options: Hostname or A.B.C.D IP address of server 1 gametuzi5510(config)# dhcpd dns 192.168.0.1 添加DNS 解析服务器地址 gametuzi5510(config)# dhcpd do gametuzi5510(config)# dhcpd domain gametuzi 域名 gametuzi5510(config)# dhcpd en gametuzi5510(config)# dhcpd enable ? configure mode commands/options: Available interfaces on which to enable the DHCP server: inside Name of interface Ethernet0/1 outsideName of interface Ethernet0/0 gametuzi5510(config)# dhcpd enable in gametuzi5510(config)# dhcpd enable inside ? ERROR: % Unrecognized command gametuzi5510(config)# dhcpd enable inside ? configure mode commands/options: gametuzi5510(config)# dhcpd enable inside 启动内部DHCP 服务 gametuzi5510(config)# end gametuzi5510# wr 保存配置 Building configuration. Cryptochecksum: 7b31abf1 b002711b ecfb3fa0 1612c057 1797 bytes copied in 3.610 secs (599 bytes/sec) OK gametuzi5510# ac gametuzi5510# conf t gametuzi5510(config)# ac gametuzi5510(config)# acc gametuzi5510(config)# access-grou gametuzi5510(config)# access-group icmp_in in int gametuzi5510(config)# access-group icmp_in in interface ou gametuzi5510(config)# access-group icmp_in in interface outside ERROR: access-list does not exist gametuzi5510(config)# ac gametuzi5510(config)# acc - Page 7-gametuzi5510(config)# access-li gametuzi5510(config)# access-list icmp_in e gametuzi5510(config)# access-list