序列
|
功能说明
|
PIX
配置
|
NETSCREEN
配置
|
ASA
配置
|
1
|
定义区域
|
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security80
|
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
|
在接口状态下配置:interface GigabitEthernet0/1
nameif DMZ
security-level 30
ip address 2.6.7.1 255.255.255.0
|
2
|
HA |
failover
failover timeout 0:00:00
failover ip address outside 2.16.253.4
failover ip address inside 2.6.1.82
failover ip address dmz 2.16.1.130
failover ip address wan 2.16.1.4
|
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 100
set nsrp monitor interface ethernet1
set nsrp monitor interface ethernet3
|
failover
failover lan unit primary
failover lan interface HA GigabitEthernet0/3
failover mac address GigabitEthernet0/1 0018.1900.5000 0018.1900.5001
failover mac address GigabitEthernet0/2 0018.1900.6000 0018.1900.6001
failover mac address Management0/0 0018.1900.7000 0018.1900.7001
failover mac address GigabitEthernet0/0 0018.1900.4000 0018.1900.4001
failover link HA GigabitEthernet0/3
failover interface ip HA 60.60.60.1 255.255.255.0 standby 60.60.60.2
|
3
|
日志
|
logging trap critical
logging facility 20
logging host inside 2.6.1.2
|
set syslog config "2.6.1.253" "local0" "local0" "debug"
set syslog enable
set syslog traffic
|
logging trap critical
logging facility 20
logging host inside 2.6.1.2
|
4
|
端口区域绑定和IP定义
|
ip address outside 2.16.253.3 255.255.255.0
ip address inside 2.6.1.81 255.255.255.0
ip address dmz 2.16.1.129 255.255.255.128
|
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 ip 2.6.1.81/24
set interface ethernet2 ip 2.16.1.129/28
set interface ethernet3 ip 2.16.253.3/24
set interface ethernet3 route
|
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 2.6.5.216 255.255.255.0
|
5
|
内网到外网允许访问
|
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
|
set policy id 4 name "ANY1" from "Trust" to "Untrust" "Any" "Any" "ANY" Permit
|
access-list inside_access_in extended permit ip any any
|
6
|
静态映射
|
static (inside,outside) 2.16.1.38 2.6.2.38 netmask 255.255.255.255 0 0
……..
|
set interface "ethernet3" mip 2.16.1.38 host 2.6.2.38 netmask 255.255.255.255 vr "trust-vr"
|
static (inside,outside) 2.6.5.215 2.6.6.6 netmask 255.255.255.255
|
7
|
策略
|
conduit permit tcp host 23.168.1.38 eq telnet host 2.16.253.55
|
set policy id 6 name "U-T ICMP" from "Untrust" to "Trust" "2.16.253.55/32" "MIP(2.16.1.38)" "TELNET" Permit
|
access-list DMZ_access_in extended permit tcp host 2.6.7.11 eq ftp host 2.6. 6.7 eq ftp
|
8
|
路由
|
route outside 0.0.0.0 0.0.0.0 2.16.253.8 1
|
set route 0.0.0.0/0 interface ethernet3 gateway 2.16.253.8 1
|
route outside 0.0.0.0 0.0.0.0 2.6.5.1 1
|
9
|
SNMP |
snmp-server host inside 2.6.1.253
snmp-server location XianWailian
snmp-server contact FangHaitao
snmp-server community 111
snmp-server enable trap
|
set snmp community "INSIDE" Read-Write Trap-on traffic
set snmp host "INSIDE" 2.6.1.253 255.255.255.255
set snmp location "FangHaitao"
set snmp contact "XianWailian"
set snmp name "ns204"
|
snmp-server host inside 2.6.1.253
snmp-server location XianWailian
snmp-server contact FangHaitao
snmp-server community 111
snmp-server enable trap
|
10
|
TELNET
|
telnet 2.64.5.76 255.255.255.255
telnet timeout 10
|
set admin manager-ip 2.64.5.76 255.255.255.255
NETSCREEN
通过指定IP地址来限制可
telnet
到防火墙的终端。
|
telnet 2.64.7.0 255.255.255.0 DMZ
telnet 2.64.6.0 255.255.255.0 inside
|