I. Initial configuration
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# hostname asa5505
2. Configure telnet
asa5505(config)# telnet 192.168.1.0 255.255.255.0 inside // allow hosts on the 192.168.1.0 subnet behind the inside interface to telnet to the firewall
3. Configure passwords
asa5505(config)# password cisco ------------------ remote-login password
asa5505(config)# enable password cisco ------------------ privileged-mode (enable) password
II. Interface configuration
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 119.95.225.242 255.255.255.252
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 192.168.102.1 255.255.255.0
interface GigabitEthernet0/2
nameif dmz
security-level 100
ip address 192.168.103.1 255.255.255.0
dns domain-lookup inside
dns server-group DefaultDNS
name-server 211.99.129.210
name-server 202.106.196.115
domain-name cnpcfcc.cn
III. Routing
route Outside 0.0.0.0 0.0.0.0 119.97.225.241 1 ------------------ default route to the Internet
route Inside 192.168.100.0 255.255.255.0 192.168.102.2 1
route Inside 192.168.101.0 255.255.255.0 192.168.102.2 1 ------------ routes to the internal networks
route Inside 192.168.103.0 255.255.255.0 192.168.102.2 1
route Inside 192.168.104.0 255.255.255.0 192.168.102.2 1
IV. Access control
1. Basic access control
access-list 101 extended permit ip any any ------------------ ACL (allows all IP traffic through)
access-list 101 extended permit icmp any any ------------------ ACL (allows all ICMP through)
access-group 101 in interface outside -------------- apply ACL 101 inbound on the outside interface
2. Other access control
access-list acl_out extended permit tcp any any eq www ------------------ allow inbound TCP port 80
access-list acl_out extended permit tcp any any eq https ------------------ allow inbound TCP port 443
access-list acl_out extended permit tcp any host 218.16.37.223 eq ftp // allow TCP port 21 to host 218.16.37.223
access-list acl_out extended permit tcp any host 218.16.37.224 eq 3389 // allow TCP port 3389 (Remote Desktop) to host 218.16.37.224
access-list acl_out extended permit tcp any host 218.16.37.225 eq 1433 // allow TCP port 1433 (SQL Server default port) to host 218.16.37.225
access-list acl_out extended permit tcp any host 218.16.37.226 eq 8080 // allow TCP port 8080 (web proxy service) to host 218.16.37.226
V. Address translation
global (outside) 1 interface ---------------------------------------- NAT pool 1 translates to the address of the outside interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 --------------------------------- NAT source list (all inside addresses are translated to the outside address); the trailing 0 means no maximum connection limit
or
nat (Inside) 1 192.168.100.0 255.255.255.0
nat (Inside) 1 192.168.102.0 255.255.255.0 ------------------------ translate these internal networks to the outside address
nat (Inside) 1 192.168.103.0 255.255.255.0
VI. Other static mappings
asa5505(config)# static (inside,outside) 218.16.37.223 192.168.1.6 netmask 255.255.255.255 // outside 218.16.37.223 maps to inside 192.168.1.6
asa5505(config)# static (inside,dmz) 10.10.10.37 192.168.1.16 netmask 255.255.255.255 // dmz 10.10.10.37 maps to inside 192.168.1.16
asa5505(config)# static (inside,outside) tcp 221.221.147.195 8089 192.168.0.10 8089 netmask 255.255.255.255 // port static: outside 221.221.147.195:8089 maps to inside 192.168.0.10:8089 (the protocol keyword and both ports are required for a port-level static)
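As an added example (not part of the original notes), a Python script that audits a configuration text like the one above for the settings a reviewer would flag: telnet management, the default "cisco" passwords, the "permit ip any any" ACL bound inbound on outside, admin and database ports opened to any source, and the Inside/dmz interfaces sharing security-level 100, between which the ASA drops traffic unless same-security-traffic permit inter-interface is configured. The sample configuration and the SENSITIVE_PORTS set are constructed for this example.

```python
import re

# Constructed sample: lines from this page's ASA configuration, joined into
# one running-config-style text (an assumption of this example).
SAMPLE_CONFIG = """
telnet 192.168.1.0 255.255.255.0 inside
password cisco
enable password cisco
nameif Inside
security-level 100
nameif dmz
security-level 100
access-list 101 extended permit ip any any
access-group 101 in interface outside
access-list acl_out extended permit tcp any host 218.16.37.224 eq 3389
"""

SENSITIVE_PORTS = {"3389", "1433", "23", "telnet"}  # never open these to 'any'


def audit_asa_config(config):
    # Returns a list of human-readable findings for risky settings.
    findings, levels, permissive, current = [], {}, set(), None
    for l in (x.strip() for x in config.splitlines() if x.strip()):
        # Telnet management sends credentials in clear text; prefer ssh.
        if l.startswith("telnet ") and not l.startswith("telnet timeout"):
            findings.append(f"plaintext management: '{l}'")
        # Factory default password left in place.
        elif re.fullmatch(r"(enable )?password cisco", l):
            findings.append(f"default password: '{l}'")
        # Record which interfaces share a security level.
        elif l.startswith("nameif "):
            current = l.split()[1]
        elif l.startswith("security-level ") and current:
            levels.setdefault(int(l.split()[1]), []).append(current)
        elif m := re.match(r"access-list (\S+) extended permit ip any any$", l):
            permissive.add(m.group(1))
        # A wide-open ACL bound inbound on outside disables inbound filtering.
        elif m := re.match(r"access-group (\S+) in interface (\S+)", l):
            if m.group(1) in permissive and m.group(2).lower() == "outside":
                findings.append(f"ACL {m.group(1)} permits ip any any inbound on outside")
        # Admin/database ports reachable from any source.
        elif m := re.match(r"access-list \S+ extended permit tcp any \S+( \S+)? eq (\S+)", l):
            if m.group(2) in SENSITIVE_PORTS:
                findings.append(f"port {m.group(2)} open to any source: '{l}'")
    # Equal security levels: traffic between those interfaces is dropped unless
    # 'same-security-traffic permit inter-interface' is configured.
    for lvl, names in levels.items():
        if len(names) > 1:
            findings.append(f"interfaces {names} share security-level {lvl}")
    return findings
```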