ASA 5500 Series Firewall Basic Configuration

I. Initial configuration
1. Set the hostname
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# hostname asa5505
2. Configure Telnet
asa5505(config)# telnet 192.168.1.0 255.255.255.0 inside   // allow hosts on the 192.168.1.0/24 network behind the inside interface to Telnet to the firewall
3. Configure passwords
asa5505(config)# password cisco          // remote-login (Telnet) password
asa5505(config)# enable password cisco   // privileged EXEC mode password
II. Interface configuration
 interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 119.95.225.242 255.255.255.252
 interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.102.1 255.255.255.0
 interface GigabitEthernet0/2
 nameif dmz
 security-level 100
 ip address 192.168.103.1 255.255.255.0
 dns domain-lookup inside
 dns server-group DefaultDNS
 name-server 211.99.129.210
 name-server 202.106.196.115
 domain-name cnpcfcc.cn

III. Routing
  route Outside 0.0.0.0 0.0.0.0 119.97.225.241 1             // default route towards the outside (Internet)
  route Inside 192.168.100.0 255.255.255.0 192.168.102.2 1
  route Inside 192.168.101.0 255.255.255.0 192.168.102.2 1   // routes to the internal networks
  route Inside 192.168.103.0 255.255.255.0 192.168.102.2 1
  route Inside 192.168.104.0 255.255.255.0 192.168.102.2 1

IV. Access control
1. Basic access control
   access-list 101 extended permit ip any any     // ACL entry: permit all IP traffic
   access-list 101 extended permit icmp any any   // ACL entry: permit all ICMP
   access-group 101 in interface outside          // apply ACL 101 inbound on the outside interface
  
2. Other access control
access-list acl_out extended permit tcp any any eq www                   // permit inbound TCP port 80
access-list acl_out extended permit tcp any any eq https                 // permit inbound TCP port 443
access-list acl_out extended permit tcp any host 218.16.37.223 eq ftp    // permit TCP port 21 to host 218.16.37.223
access-list acl_out extended permit tcp any host 218.16.37.224 eq 3389   // Remote Desktop: permit TCP port 3389 to host 218.16.37.224
access-list acl_out extended permit tcp any host 218.16.37.225 eq 1433   // SQL Server default port: permit TCP port 1433 to host 218.16.37.225
access-list acl_out extended permit tcp any host 218.16.37.226 eq 8080   // web proxy service: permit TCP port 8080 to host 218.16.37.226
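As an added example written for this page (not code from the original post or from Cisco), the following Python script audits the interface and ACL lines above and flags two things a reviewer would raise: inside and dmz both sit at security-level 100, which on an ASA blocks traffic between them unless same-security-traffic permit inter-interface is configured, and ACL 101's permit ip any any applied inbound on outside passes all traffic and shadows the ICMP entry after it. It assumes the ASA 8.x-style syntax shown on the page and only the keywords it parses.

```python
import re

# Constructed sample: the interface, ACL and access-group lines from the page, trimmed to what the audit needs.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 100
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-group 101 in interface outside
"""

def parse(config):
    """Return interfaces {name: {nameif, security-level}} (string values), acls {name: [aces]}, bindings {nameif: acl}."""
    interfaces, acls, bindings, cur = {}, {}, {}, {}
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            cur = interfaces.setdefault(line.split()[1], {})
        elif line.startswith(("nameif ", "security-level ")):
            key, val = line.split()
            cur[key] = val.lower()
        elif (m := re.match(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$", line)):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])  # (action, protocol, rest)
        elif line.startswith("access-group "):  # access-group <acl> in interface <nameif>
            bindings[line.split()[4].lower()] = line.split()[1]
    return interfaces, acls, bindings

def audit(config):
    """Review findings as short strings; an empty list means nothing to flag."""
    interfaces, acls, bindings = parse(config)
    findings, by_level = [], {}
    # Two interfaces at one security-level: the ASA drops traffic between them unless 'same-security-traffic permit inter-interface' is set.
    for ifc in interfaces.values():
        by_level.setdefault(ifc.get("security-level"), []).append(ifc.get("nameif"))
    for level, names in by_level.items():
        if len(names) > 1:
            findings.append(f"same security-level {level}: {', '.join(names)}")
    # An applied ACL holding 'permit ip any any' opens that interface to everything, and no entry after it can ever match.
    for nameif, acl in bindings.items():
        pos = [i for i, ace in enumerate(acls.get(acl, [])) if ace == ("permit", "ip", "any any")]
        if pos:
            findings.append(f"{acl} on {nameif}: 'permit ip any any' permits all traffic; later entries shadowed: {len(acls[acl]) - pos[0] - 1}")
    return findings
```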
V. Address translation (NAT)
   global (outside) 1 interface                  // NAT pool 1 translates to the outside interface address
   nat (inside) 1 0.0.0.0 0.0.0.0 0              // NAT pool 1: translate all inside addresses to the outside; the trailing 0 means no maximum-connection limit
   or
   nat (Inside) 1 192.168.100.0 255.255.255.0
   nat (Inside) 1 192.168.102.0 255.255.255.0    // translate only these inside networks to the outside
   nat (Inside) 1 192.168.103.0 255.255.255.0
VI. Other (static) translations
asa5505(config)# static (inside,outside) 218.16.37.223 192.168.1.6 netmask 255.255.255.255
                                                         // outside 218.16.37.223 maps to inside 192.168.1.6
asa5505(config)# static (inside,dmz) 10.10.10.37 192.168.1.16 netmask 255.255.255.255
                                                         // dmz 10.10.10.37 maps to inside 192.168.1.16
asa5505(config)# static (inside,outside) tcp 221.221.147.195 8089 192.168.0.10 8089 netmask 255.255.255.255
                                                         // port redirection: outside 221.221.147.195:8089 maps to inside 192.168.0.10:8089
