Lab network topology:
DNS Server------(outside)ASA-Firewall(inside)------------LAN Client
---------------------------------------------------
IP address allocation
Outside: 210.10.10.0/30
Inside: 192.168.201.0/24
DMZ: 192.168.202.0/24
---------------------------------------------------
ASA basic configuration:
Configure the hostname, domain name and passwords
Configure the interfaces
Configure routing
Configure remote management access
Configure network address translation for outbound traffic
Configure ACLs
enable
conf t
hostname ASA5520
domain-name xapc.com.cn
enable password ASA5520
passwd cisco
conf t
interface ethernet 0/0
nameif outside
security-level 0
ip address 210.10.10.2 255.255.255.0
no shutdown
exit
interface ethernet 0/1
nameif inside
security-level 100
ip address 192.168.201.1 255.255.255.0
no shutdown
exit
interface ethernet 0/2
nameif dmz
security-level 50
ip address 192.168.202.1 255.255.255.0
no shutdown
exit
int e0/3
ip add 192.168.201.89 255.255.255.0
nameif guanli
security-level 0
no shutdown
exit
route outside 0.0.0.0 0.0.0.0 210.10.10.1
end
show route
conf t
telnet 192.168.201.0 255.255.255.0 inside
telnet timeout 15
crypto key generate rsa modulus 1024
ssh 192.168.201.0 255.255.255.0 inside
ssh 0 0 outside
ssh timeout 30
ssh version 2
http server enable 8008
http 192.168.201.0 255.255.255.0 inside
http 0 0 outside
http 0 0 inside
Note: ssh 0 0 outside and http 0 0 outside allow management connections from any source address on the outside interface; outside the lab, restrict them to the administrators' addresses.
asdm image disk0:/asdm-615.bin
username xapc password xapccomcn privilege 15
nat-control
nat (inside) 1 0 0
global (outside) 1 interface
global (dmz) 1 192.168.202.100-192.168.202.110
access-list in_to_out deny ip 192.168.201.33 255.255.255.255 any
access-list in_to_out permit ip any any
access-group in_to_out in interface inside
static (dmz,outside) 210.10.10.2 192.168.202.2
access-list out_to_dmz permit tcp any host 210.10.10.2 eq 80
access-group out_to_dmz in interface outside
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any
access-list 111 permit ip any any
Only one inbound ACL can be bound to an interface, so the following commands replace in_to_out on inside and out_to_dmz on outside; because access-list 111 ends with permit ip any any, this leaves the firewall fully open for testing.
access-group 111 in int outside
access-group 111 in int inside
access-group 111 in int dmz
access-group 111 in int guanli
end
write memory
copy running-config startup-config
Clearing the configuration:
conf t
clear configure all
clear configure command [level2 command]
end
===================================================
ASA advanced features - URL filtering
conf t
access-list tcp_filter1 permit tcp 192.168.201.0 255.255.255.240 any eq www
class-map tcp_filter_class1
match access-list tcp_filter1
exit
regex url1 \.sina\.com
class-map type regex match-any url_class1
match regex url1
exit
class-map type inspect http http_url_class1
match not request header host regex class url_class1
exit
policy-map type inspect http http_url_policy1
class http_url_class1
drop-connection log
exit
exit
policy-map inside_http_url_policy
class tcp_filter_class1
inspect http http_url_policy1
exit
exit
service-policy inside_http_url_policy interface inside
--------------
access-list tcp_filter2 permit tcp any any eq www
class-map tcp_filter_class2
match access-list tcp_filter2
exit
regex url2 \.game\.com
class-map type regex match-any url_class2
match regex url2
exit
class-map type inspect http http_url_class2
match request header host regex class url_class2
exit
policy-map type inspect http http_url_policy2
class http_url_class2
drop-connection log
exit
exit
policy-map inside_http_url_policy
class tcp_filter_class2
inspect http http_url_policy2
exit
exit
service-policy inside_http_url_policy interface inside
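To check what the two inspection policies above actually do before applying them, here is an added Python model (not from the original notes and not ASA code) that replays the matching rules against constructed (source IP, Host header) pairs. It assumes the documented ASA behaviour that, for the inspect feature, a flow is handled by the first L3/L4 class it matches in the policy map, and that ASA regexes are unanchored.

```python
import ipaddress
import re

# Constructed model of the two HTTP inspection policies configured above.
# tcp_filter_class1 matches only 192.168.201.0/28 (mask 255.255.255.240);
# tcp_filter_class2 matches any source. ASA regexes are unanchored, so
# re.search() mirrors "the pattern appears anywhere in the Host header".
POLICIES = [
    # (policy name, source subnet of the L3/L4 class, Host regex, "match not"?)
    ("http_url_policy1", ipaddress.ip_network("192.168.201.0/28"),
     re.compile(r"\.sina\.com"), True),   # drop unless Host matches sina
    ("http_url_policy2", ipaddress.ip_network("0.0.0.0/0"),
     re.compile(r"\.game\.com"), False),  # drop when Host matches game
]

def policy_verdict(src_ip, host_header):
    """Return (verdict, policy) for one HTTP request entering 'inside'.

    Assumption (documented ASA behaviour): within one service policy a flow
    is handled by the first L3/L4 class it matches for the inspect feature,
    so a /28 host never reaches http_url_policy2.
    """
    src = ipaddress.ip_address(src_ip)
    for name, subnet, pattern, negate in POLICIES:
        if src not in subnet:
            continue
        matched = pattern.search(host_header) is not None
        dropped = (not matched) if negate else matched
        return ("drop" if dropped else "permit", name)
    return ("permit", None)

# Constructed sample requests: (source IP, Host header) as the inspector sees them.
SAMPLE_REQUESTS = [
    ("192.168.201.5", "www.sina.com"),            # /28 host, allowed site
    ("192.168.201.5", "news.baidu.com"),          # /28 host, anything else dropped
    ("192.168.201.5", "sina.com"),                # no leading dot: regex misses it
    ("192.168.201.100", "www.game.com"),          # other host, blocked site
    ("192.168.201.100", "www.game.com.example"),  # unanchored: still matches
    ("192.168.201.100", "news.baidu.com"),        # other host, allowed
]

def evaluate(requests=SAMPLE_REQUESTS):
    """Map each request to its verdict so the policy can be reviewed offline."""
    return {req: policy_verdict(*req) for req in requests}

if __name__ == "__main__":
    for (ip, host), (verdict, policy) in evaluate().items():
        print(f"{ip:16} Host: {host:24} -> {verdict} ({policy})")
```

The bare-host and over-match cases show why an unanchored pattern such as \.sina\.com should be reviewed against the exact Host values you expect to allow or block.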
---------------------
Enable the related logging
logging enable
logging buffered informational
logging asdm informational
logging trap informational
logging host inside <syslog-server-ip>
(<syslog-server-ip> is the address of a syslog server on the inside network; 192.168.201.1 is the ASA's own inside interface address and cannot receive its logs.)
---------------------------
Enable basic threat detection
threat-detection basic-threat
fragment chain 1
Command syntax: ip audit name name {info | attack} [action [alarm] [drop] [reset]]
ip audit name inside_ids_info info action alarm
ip audit name inside_ids_attack attack action alarm
ip audit name outside_ids_info info action alarm
ip audit name outside_ids_attack attack action alarm reset
ip audit interface inside inside_ids_info
ip audit interface inside inside_ids_attack
ip audit interface outside outside_ids_info
ip audit interface outside outside_ids_attack
Disable a signature that produces false positives (here 2000); the no form re-enables it:
ip audit signature 2000 disable
no ip audit signature 2000
==============================================
Configuration to enable remote management:
config t
web***
username zhang password cisco
http server enable
http 192.168.201.0 255.255.255.0 guanli
end
==============================================
Configuring an IPSec VPN on the ASA:
Basic configuration
conf t
route outside 0 0 <ISP gateway IP>
nat-control
nat (inside) 1 0 0
global (outside) 1 interface
NAT exemption: traffic between the specified addresses is not translated
access-list nonat extended permit ip 192.168.201.0 255.255.255.0 210.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
Enable ISAKMP (IKE is enabled by default on Cisco routers, but disabled by default on the ASA, so it must be enabled explicitly)
crypto isakmp enable outside
Configure the ISAKMP policy (the firewall and the router differ in their policy defaults, mainly in the encryption algorithm, hash algorithm and authentication method)
crypto isakmp policy 1
encryption aes
hash sha
authentication pre-share
group 1
(Diffie-Hellman group 1 is 768-bit and is deprecated; it is used here only to match the lab peer. Outside the lab, use group 14 or higher on both ends.)
exit
isakmp key xapcedu address 210.10.10.1
ASA 7.0 and later normally use tunnel groups (when an enterprise needs several VPN tunnels, tunnel groups reduce the amount of configuration)
For a LAN-to-LAN tunnel with a pre-shared key, the tunnel-group name must be the peer address configured with set peer (210.10.10.1), otherwise the key is never found:
tunnel-group 210.10.10.1 type ipsec-l2l
tunnel-group 210.10.10.1 ipsec-attributes
pre-shared-key xapcedu
exit
Configure the crypto ACL (only a named list can be used)
access-list xa*** extended permit ip 192.168.201.0 255.255.255.0 210.10.10.0 255.255.255.0
Configure the transform set for the data connection
crypto ipsec transform-set xapc-set esp-aes esp-sha-hmac
Configure the crypto map and apply it to the outside interface
crypto map xapc-map 1 match address xa***
crypto map xapc-map 1 set peer 210.10.10.1
crypto map xapc-map 1 set transform-set xapc-set
crypto map xapc-map interface outside
==========================================
Implementing NAT-T on the router
Needed when the outside peer initiates the management (IKE, UDP 500) or data (NAT-T, UDP 4500) connection through the NAT router; the static entries forward those ports to the internal VPN device (local-ip)
conf t
ip nat inside source list access-list-number interface f0/1 overload
ip nat inside source static udp local-ip 500 interface f0/1 500
ip nat inside source static udp local-ip 4500 interface f0/1 4500
debug crypto isakmp
show crypto isakmp sa
debug crypto ipsec