ASA 基本配置和解释

 

TCL(config)#

TCL# show run

: Saved

:ASA Version 7.2(3)

!hostname TCL

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU2 4 encrypted

*********定义IP地址和客户端的映射,或者是对IP地址的命名********************

names

name 192.168.1.9 bgs1

name 192.168.1.27 bgs2

name 192.168.1.11 licm

name 192.168.1.7 liuxb

name 192.168.1.10 FileServer

name 192.168.1.62 changjh

………………………

………………………..

!

*************定义内网接口********************

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

*************定义外网接口********************

interface Vlan2

nameif outside

security-level 0

ip address pppoe setroute

!

interface Ethernet0/0

!

************将端口0/1加入到VLAN1中******************

interface Ethernet0/1

switchport access vlan 2

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd ************** encrypted

!

**************客户端上网时间的限制********************************

time-range everyday

periodic daily 7:50 to 21:00

!

time-range weekdays

periodic weekdays 7:50 to 18:10

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

*****************定义不同的策略网络主机组****************************

object-group network high1

network-object host FileServer

object-group network high2

network-object host licm

network-object host cw1

network-object host lizl

********************定义不同的策略服务组************************

object-group service tcp1 tcp

port-object range www www

port-object range 81 81

object-group service tcp_dns tcp

port-object range pop3 pop3

port-object range smtp smtp

port-object range domain domain

object-group service udp_dns udp

port-object range domain domain

object-group service tcp2 tcp

port-object range https https

port-object range 445 445

port-object range 465 465

port-object range www www

port-object range 81 81

port-object range 995 995

************针对上面的用户和服务组(类)制定访问控制策略****************

access-list inside_access_in extended permit tcp any any object-group tcp_dns log disable

access-list inside_access_in extended permit udp any any object-group udp_dns log disable

access-list inside_access_in extended permit tcp object-group high1 any object-group tcp1 log disable

access-list inside_access_in extended permit tcp object-group high2 any object-group tcp2 log disable time-range everyday

access-list inside_access_in extended permit tcp object-group high3 any object-group tcp2 log disable time-range everyday

access-list inside_access_in extended permit ip object-group normal1 any log disable time-range everyday

access-list inside_access_in extended permit tcp object-group normal2 any object-group tcp1 log disable time-range everyday

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

*******************ip地址和MAC地址绑定*******************************

arp inside 192.168.1.150 000d.87c5.9876

arp inside xuerx1 0002.a59b.453b

arp inside 192.168.1.115 0013.d3de.4376

arp inside gaoyf 00c0.9f26.f0da

arp inside guopy 0009.6be3.25f4

arp inside hehx 00c0.9f26.ee16

…………..

………………

arp timeout 14400

*************配置NAT转换*********************************

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

******************配置默认路由*******************

route outside 0.0.0.0 0.0.0.0 118.81.66.1 8(该条路由是自动获取的)

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

*************配置客户端管理ASDM*******************************

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 10

ssh timeout 5

console timeout 0

*******************配置PPPOE*****************************************

vpdn group adsl request dialout pppoe

vpdn group adsl localname *******

vpdn group adsl ppp authentication pap

vpdn username gslr password *********

dhcpd auto_config outside

!

 

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

username root password ************* encrypted privilege 15

prompt hostname context

Cryptochecksum:**************f

: end

你可能感兴趣的:(基本配置,asa)