ciscoasa#show running-config
: Saved
:
ASA Version 8.0(2)
!

!--- In order to set the firewall mode to transparent mode

firewall transparent
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
shutdown
no nameif
no security-level
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500


!--- IP Address for the Management.
!---  Avoid using this IP Address as a default gateway.
!---  The security appliance uses this address as the source address
!---  for traffic originating on the security appliance, such as system
!---  messages or communications with AAA servers. You can also use this
!---  address for remote management access.


ip address 192.168.1.1 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1

!--- Output Suppressed

service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa(config)#

===============================================
Transparent mode
ciscoasa# show run
: Saved
:
ASA Version 7.2(3)
!
firewall transparent
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
mtu inside 1500
ip address 159.0.0.1 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username cisco password cisco
prompt hostname context
Cryptochecksum:cd0ecb7a35572b3e3b3ca0ac29f7d72c
: end
ciscoasa#

Commands to enter

firewall transparent
int ethernet 0/0
no shut
int ethernet 0/1
no shut
int ethernet 0/2
no shut
int ethernet 0/3
no shut
int ethernet 0/4
no shut
int ethernet 0/5
no shut
int ethernet 0/6
no shut
int ethernet 0/7
no shut
hostname qinmuguan
interface Vlan1
nameif inside
ip address 159.0.0.8 255.255.255.0
http server enable
http 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside
username cisco password cisco


===================================================================
en
conf t
interface ethernet0 auto  bring up the interface
interface ethernet1 auto  bring up the interface
int vlan1  create vlan1
nameif outside  name vlan1 as the outside interface
security-level 0  security level 0
ip address 61.145.56.1 255.255.255.252  address
end
int vlan 2  create vlan2
nameif inside  name it as the inside interface
security-level 100  security level 100
ip address 192.168.1.1 255.255.255.0  address
end
int Eth0/0  enter the ethernet interface
switchport access vlan 1  assign it to vlan1
end
int Eth0/1  enter the ethernet interface
switchport access vlan 2  assign it to vlan2
end
global (outside) 1 61.145.56.1 61.145.56.1  address pool
nat (inside) 1 0 0  map to the address pool
route outside 0 0 61.145.56.1  default route pointing to the gateway
telnet 192.168.1.0 255.255.255.0 inside  configure telnet
Supplement: if it is a PIX, it must run version 7.0 or later to support transparent mode. Also note that the ASA 5505 series can only use VLANs as layer 3 interfaces; on the ASA 5510 and on PIX you can use the physical interfaces directly for nameif inside and nameif outside, with no need to create VLANs as layer 3 interfaces! Moreover, in transparent mode the VLANs can reach each other!!! So do not be misled by the VLANs when configuring!
PIX and ASA also differ in how protocol ports are opened: PIX uses fixup, ASA uses inspect.

If the access goes directly from a higher security level to a lower one (for example, from the inside interface to the outside interface), no ports need to be opened specifically; it is allowed directly.
If you are opening a service so that the outside can reach an inside server:
static (inside,outside) udp <outside address> <port> <inside address> <port> netmask
Then write an access-list so that the outside can reach your UDP port,
then apply that access-list to the outside interface, and that is it.
access-list 110 permit udp any any eq 550
access-list 110 permit udp any any eq 10001
int outside
access-group 110 in interface outside


static (inside,outside) udp <outside IP> <port> <inside IP> <port> netmask 255.255.255.255
access-list outside extended permit udp any host <outside IP> eq <port>
access-list outside extended permit udp any host <inside IP> eq <port>

---------------------------------------------------------------
For ASA and PIX 7.x

Transparent mode supports only two interfaces; transparent mode can also be used with multiple contexts.
Note that transparent mode has no NAT and no routing.

1. Layer 3 traffic must be explicitly permitted (OSPF, EIGRP); to form neighbors across the firewall, both sides must permit it.
2. The directly connected outside and inside networks must belong to the same subnet.
3. A management IP address must be configured. Must!
4. The management IP and the inside/outside network IPs are in the same subnet.
5. The management IP cannot be used as the inside network's gateway.
6. A gateway can be configured, but it is used only for management, i.e. remote access to the firewall.
7. Each interface must be in a different VLAN (this comes from the material I read; I do not fully understand it yet).
8. Whether any traffic is passed can be controlled with IP ACLs and Ethernet ACLs; an Ethernet ACL only governs layer 2 traffic, but if it contains deny any, then neither layer 2 nor layer 3 traffic passes.
9. ARP passes without needing to be permitted; apart from ARP, all layer 2 traffic is blocked by default.
10. CDP cannot pass.
Transparent mode does not support NAT, dynamic routing protocols, IPv6, DHCP relay, QoS or multicast, and cannot terminate ***.
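The rules listed above, together with the static/access-list recipe earlier on this page, are the things that most often go wrong when a routed-mode config is pasted onto a transparent-mode box. The Python linter below is an added example written for this page; it is not a Cisco tool and not the author's code. It parses a running-config laid out the way these listings are (no indentation, "!" separators) and reports the rules that can be checked from the text alone: firewall transparent set, exactly two named data interfaces, a global management IP present, no nat/global/static/route/ipv6/dhcprelay/multicast commands, every access-group bound to an existing ACL on a real nameif, "permit ... any any" entries that are broader than the "any host <IP>" form shown above, and telnet/ssh/http permitted from 0.0.0.0 0.0.0.0. The sample config, its addresses and the finding codes are all constructed for the demonstration.

```python
import re

# Commands the page lists as absent or unsupported in transparent mode
# (no NAT, no routing, no IPv6, no DHCP relay, no multicast).
UNSUPPORTED = ("nat ", "global ", "static ", "route ", "ipv6 ", "dhcprelay ", "multicast-routing")


def parse_config(text):
    """Split an ASA config into top-level lines and {interface: sub-commands}.
    The page's listings lost their indentation, so a block runs until '!'."""
    top, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):   # blanks and ': Saved' / ': end'
            continue
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            top.append(line)
    return top, interfaces


def lint_transparent(text):
    """Return (code, detail) findings against the page's transparent-mode rules."""
    top, interfaces = parse_config(text)
    findings = []
    if "firewall transparent" not in top:
        findings.append(("MODE", "firewall transparent is not set"))

    # Only two named data interfaces; management-only or shut ports do not count.
    named = set()
    for sub in interfaces.values():
        if "management-only" not in sub and "shutdown" not in sub:
            named.update(s.split()[1] for s in sub if s.startswith("nameif "))
    if len(named) != 2:
        findings.append(("IFCOUNT", f"{len(named)} named data interfaces, expected 2"))

    # A global management IP (outside any interface block) is mandatory.
    if not any(line.startswith("ip address ") for line in top):
        findings.append(("MGMTIP", "no management ip address configured"))

    # NAT, routing, IPv6, DHCP relay and multicast are unavailable in this mode.
    findings += [("UNSUPPORTED", line) for line in top if line.startswith(UNSUPPORTED)]

    # ACL hygiene for the page's 'publish a UDP service' recipe: each access-group
    # must name an existing ACL on a real nameif, and 'permit <proto> any any' is
    # broader than the 'permit <proto> any host <IP>' form the page also shows.
    acls = set()
    for line in top:
        m = re.match(r"access-list (\S+) (?:extended )?(permit|deny) \S+ (.*)", line)
        if m:
            acls.add(m.group(1))
            if m.group(2) == "permit" and m.group(3).startswith("any any"):
                findings.append(("ACL_BROAD", line))
        # telnet/ssh/http from 0.0.0.0 0.0.0.0 leaves the management plane open to any source
        if line.startswith(("telnet ", "ssh ", "http ")) and "0.0.0.0 0.0.0.0" in line:
            findings.append(("MGMT_ANY", line))
    for line in top:
        m = re.match(r"access-group (\S+) (?:in|out) (?:interface )?(\S+)", line)
        if m and m.group(1) not in acls:
            findings.append(("ACL_MISSING", line))
        if m and m.group(2) not in named:
            findings.append(("ACL_IFACE", line))
    return findings


# Constructed sample (not from the page): transparent mode with the mistakes the rules warn about.
SAMPLE_BAD = """firewall transparent
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Ethernet0/2
nameif dmz
!
nat (inside) 1 0 0
route outside 0 0 61.145.56.1 1
access-list 110 permit udp any any eq 550
access-group 110 in interface outside
access-group 120 in interface inside
telnet 0.0.0.0 0.0.0.0 inside
: end
"""

if __name__ == "__main__":
    for code, detail in lint_transparent(SAMPLE_BAD):
        print(f"{code:12} {detail}")
```

Rule 4 (management IP in the same subnet as the bridged networks) cannot be verified from the config alone in transparent mode, because the data interfaces carry no addresses; compare the management address against the switch-side subnet by hand. The parser deliberately stops an interface block at the next "!" rather than relying on indentation, so it also works on listings copied from a web page like this one.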