思科ASA防火墙基本配置

电玩女神 2022-01-15 03:45 1576阅读 0赞

hostname ASA5520 //设置主机名

enable password ****** encrypted //enable密码

passwd ****** //telnet密码

interface GigabitEthernet0

nameif inside//定义端口角色

security-level 100//设置安全级别

ipaddress 192.168.10.1 255.255.255.0 //配置ip地址

!

interface GigabitEthernet1

nameif dmz

security-level 50

ipaddress 192.168.11.1 255.255.255.0

!

interface GigabitEthernet2

nameif outside

security-level 0

ipaddress 192.168.12.1 255.255.255.0

ftp mode passive

object network inside_outside

subnet 0 0 //所有主机可以接入外网

object network inside_outside

nat (inside,outside) dynamic interface //使用outside端口地址转换

object network obj-ftp//ftp端口映射

host 192.168.12.1

object network obj-ftp

nat (dmz,outside) static interface service tcp ftp ftp

object network obj-http //http端口映射

host 192.168.12.2

object network obj-http

nat (dmz,outside) static interface service tcp www www

subnet 192.168.0.0 255.255.0.0

object network inside_dmz_pool //访问dmz用nat转换,避免dmz被攻破直接接入inside,提升安全

range 192.168.11.10 192.168.11.100 //创建转换池

object network inside_dmz_nat

subnet 192.168.0.0 255.255.0.0 //要转换的子网

nat (inside,dmz) dynamic inside_dmz_pool //使用地址池动态转换

object-group service permit_service tcp
port-object eq www
port-object eq https
port-object eq pop3
port-object eq smtp

port-object eq imap4

object-group service dns_service tcp-udp
port-object eq domain

access-list inside_dmz extended permit tcp any any

access-list inside_dmz extended permit icmp any any

access-list dmz_inside extended permit tcp any any

access-list dmz_inside extended permit icmp any any

access-list inside_outside extended permit tcp any any

access-list inside_outside extended permit icmp any any

access-list outside_inside extended permit tcp any any

access-list outside_inside extended permit icmp any any

access-group dmz_inside in interface inside

access-group inside_dmz in interface dmz

access-group outside_inside in interface outside

mtu inside 1500

mtu dmz 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h2251:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable //开启http服务,asdm需要

http 0.0.0.0 0.0.0.0 management //management口可以asdm控制

telnet 0.0.0.0 0.0.0.0 inside //内网可以使用telnet

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside //外网可以使用ssh

ssh timeout 5 //ssh5分钟超时

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statisticstcp-intercept

web***

username baigp password ****** privilege 15 //用户名密码权限等

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL //ssh使用本地验证

aaa authentication telnet console LOCAL //telnet使用本地验证

aaa authorization command LOCAL

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

!

prompt hostname context

call-home reporting anonymous

call-home

profile CiscoTAC-1

noactive

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

转载于:https://blog.51cto.com/baigp/1259549

发表评论

表情:
评论列表 (有 0 条评论,1576人围观)

还没有评论,来说两句吧...

相关阅读

    相关 ASA防火墙之日志管理

    对于任何防火墙产品来说,最重要的功能之一就是对时间进行日志记录,ASA使用同步日志来记录在防火墙上发生的所有时间。 日志信息的安全级别分为八个等级,如下所示: ![ASA防

    比眉伴天荒比眉伴天荒/ 0/ 478 阅读