Cisco ASA 5520 防火墙配置实例

! Device identity and local passwords for an ASA running software 7.0(8).
ASA Version 7.0(8)
!
hostname asa5520
domain-name zhanggy.com
! NOTE(review): the enable password, the login password (passwd) and the
! "admin" user defined later in this listing all show the same hash, so a
! single secret opens every access level. The legacy "encrypted" format is
! a weak hash for offline guessing; a hash that has appeared in a published
! listing should be treated as exposed and the password rotated.
enable password eY/fQXw7Ure8Qrz7 encrypted
passwd eY/fQXw7Ure8Qrz7 encrypted
names
dns-guard
!
! Interface definitions. Each nameif is the label that every later command
! taking an interface name (mtu, nat, global, static, access-group, route,
! telnet, http) must use exactly as written here.
! Security levels in this listing: outside 0 < dmz 50 < inside 75 <
! insidesec 85 < management 100.
!
! Internet-facing interface (lowest trust).
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 222.222.222.158 255.255.255.240
!
! DMZ segment 172.18.1.0/24.
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 172.18.1.254 255.255.255.0
!
! Internal segment; the firewall sits in 10.26.100.0/24.
interface GigabitEthernet0/2
nameif inside
security-level 75
ip address 10.26.100.253 255.255.255.0
!
! Second internal segment 172.16.1.0/24, with a higher security level than "inside".
interface GigabitEthernet0/3
nameif insidesec
security-level 85
ip address 172.16.1.254 255.255.255.0
!
! Dedicated management port: administratively shut down in this listing and
! restricted to management traffic by "management-only".
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
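ftp mode passive
! Service object-groups.
! NOTE(review): neither permit_service nor dns_service is referenced by any
! access-list in this listing, so they have no effect as shown. They look
! intended for per-service rules — confirm and either use or remove them.
object-group service permit_service tcp
port-object eq www
port-object eq https
port-object eq pop3
port-object eq smtp
object-group service dns_service tcp-udp
port-object eq domain
! Per-segment ACLs: each permits all IP traffic sourced from the segment's own
! address range to any destination.
access-list inside_access_in extended permit ip 10.26.0.0 255.255.0.0 any
! The ACL name must match the one bound by the access-group statement for
! this segment (insidesec_access_in); an unmatched name leaves the binding
! pointing at an ACL that does not exist.
access-list insidesec_access_in extended permit ip 172.16.1.0 255.255.255.0 any
! NOTE(review): "any" here also covers the internal ranges, so as written the
! ACL does not stop DMZ hosts from initiating traffic toward the inside
! segments. If DMZ servers should only reach the internet, put explicit deny
! entries for the internal networks ahead of this permit — confirm intent.
access-list dmz_access_in extended permit ip 172.18.1.0 255.255.255.0 any
! NOTE(review): these entries permit every IP protocol and port from any
! source to three public addresses. In this listing only 222.222.222.146 has
! static translations (www, ftp, 26, 5900). Prefer one
! "permit tcp any host <public-address> eq <port>" entry per published
! service, so the ACL itself states what is exposed and a later static
! does not become reachable by accident.
access-list outside_access_in extended permit ip any host 222.222.222.146
access-list outside_access_in extended permit ip any host 222.222.222.147
access-list outside_access_in extended permit ip any host 222.222.222.148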
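! Terminal paging, ASDM logging level, per-interface MTU and housekeeping.
pager lines 24
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
! Interface names must match a nameif defined on an interface; the fourth
! data interface is named "insidesec".
mtu insidesec 1500
mtu management 1500
! Single unit: no failover peer configured.
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400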
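! Dynamic PAT: hosts matched by "nat ... 10" are translated to the address of
! the egress interface named in the matching "global ... 10 interface" line.
global (outside) 10 interface
global (dmz) 10 interface
nat (dmz) 10 172.18.1.0 255.255.255.0
nat (inside) 10 10.26.0.0 255.255.0.0
! Uses the nameif defined on GigabitEthernet0/3 ("insidesec").
nat (insidesec) 10 172.16.1.0 255.255.255.0
! Static port translations publishing internal services on 222.222.222.146.
! Web and FTP are served from a DMZ host.
static (dmz,outside) tcp 222.222.222.146 www 172.18.1.80 www netmask 255.255.255.255
static (dmz,outside) tcp 222.222.222.146 ftp 172.18.1.80 ftp netmask 255.255.255.255
! NOTE(review): the next two entries publish hosts on the *inside* network
! directly to the internet, bypassing the DMZ. tcp/5900 is the port
! conventionally used by VNC remote desktop; tcp/26 is a non-standard port
! whose service is not identifiable from this listing. Internet-reachable
! remote-desktop services are a common intrusion path — prefer reaching them
! over a VPN or restricting the permitted source addresses in the outside ACL.
static (inside,outside) tcp 222.222.222.146 26 10.26.23.77 26 netmask 255.255.255.255
static (inside,outside) tcp 222.222.222.146 5900 10.26.0.8 5900 netmask 255.255.255.255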
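! Bind each ACL to inbound traffic on its interface. An ACL that is defined
! but not bound here, or bound under a name that does not exist, filters nothing.
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group inside_access_in in interface inside
! The interface name must be the nameif of GigabitEthernet0/3 ("insidesec").
access-group insidesec_access_in in interface insidesec
! Default route toward the upstream gateway on the outside subnet.
route outside 0.0.0.0 0.0.0.0 222.222.222.145 1
! Internal route: 10.26.0.0/18 is reached via 10.26.100.254 on the inside
! segment. NOTE(review): the NAT rule, the inside ACL and the ASDM allow-list
! all use 10.26.0.0/16, which is wider than this routed /18 — confirm which
! prefix is intended.
route inside 10.26.0.0 255.255.192.0 10.26.100.254 1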
! Idle timers (h:mm:ss) for translation slots, connections and the
! per-protocol inspection state named on each line.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
! Cached user authentication expires 5 minutes after it was established
! ("absolute"), regardless of activity.
timeout uauth 0:05:00 absolute
! Device management access.
! Local privilege-15 account. NOTE(review): its hash is identical to the
! enable and login password hashes at the top of this listing.
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
! ASDM web management, allowed only from 10.26.0.0/16 arriving on "inside".
http server enable
http 10.26.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
! NOTE(review): traps are enabled but no "snmp-server host" line is visible in
! this listing, so no trap receiver appears to be configured — confirm.
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! NOTE(review): Telnet is accepted from ANY source address arriving on the
! inside interface, and Telnet carries credentials and session data in
! cleartext. Prefer SSH limited to an administration subnet
! ("ssh <admin-network> <mask> inside") and remove this line. No "ssh"
! allow-list line is visible here, so as shown SSH is not usable even though
! an SSH timeout is set.
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh timeout 5
! NOTE(review): 0 disables the console idle timeout, so an abandoned console
! session stays logged in; set a finite value unless physical access is
! tightly controlled.
console timeout 0
management-access inside
! DHCP pool for the management interface. NOTE(review): that interface is shut
! down and no "dhcpd enable management" line is visible, so this pool looks
! inactive as shown.
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
! Application inspection: one class matching the default inspection traffic,
! one policy listing the protocol inspectors, applied globally.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
! NOTE(review): a 512-byte cap on DNS messages can drop larger legitimate
! replies (for example EDNS0/DNSSEC responses) — confirm this limit still
! suits the resolvers behind the firewall.
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
! Apply the policy to traffic on all interfaces.
service-policy global_policy global
! Checksum line as emitted by the device with the saved configuration; it
! reflects the configuration at save time and is not meant to be hand-edited.
Cryptochecksum:732bb38ac3e5ee4b5fb319e5084c4072
: end
