Cisco ASA Firewall Configuration Commands

After a factory reset and reboot, the initial prompts ask you to choose the firewall mode (transparent or routed), set a password, and so on.

Configuration information for this firewall:

Serial Number: *******
Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2800 MHz, 1 CPU (2 cores)
ASA Version 9.12(1)

Use debug to see the specific errors.
Topology: PPPoE dial-up Internet access, a Sangfor Internet access management appliance (AC1000, ver AC 12.0.5) in bridge mode, a Cisco Layer 3 switch (ws-3850-24t), and unmanaged Huawei Layer 2 switches.

I. Basic configuration (routed mode by default)

1. Set the hostname, enable password, etc.

hostname MYASA // change the hostname to "MYASA"
enable password ******* // set the enable password

2. Enable the HTTP service
http server enable
http 192.168.192.168 255.255.255.0 inside

username steady privilege 15 password @Music.1.1

aaa authentication http console steady

2.1 Enable Telnet login

telnet 192.168.1.3 255.255.255.255 inside
telnet 0 0 dmz
username admin password cisco123 privilege 15
aaa authentication telnet console LOCAL

2.2 Set the clock (NTP synchronisation can be configured instead)
clock timezone GMT +8

clock set 12:52:00 Jul 1 2019

3. Configure the interfaces

interface GigabitEthernet0/0
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
exit

int GigabitEthernet0/1
duplex full
nameif outside
security-level 0
pppoe client vpdn group Steady
ip address pppoe setroute // the IP address is obtained automatically via PPPoE
no shutdown
exit
object-group network Steady

interface Management0/0
security-level 0
ip address 192.168.192.168 255.255.255.0
no sh

dns server-group Steady // configure DNS
name-server 114.114.114.114
name-server 8.8.8.8

4. Configure routing (the default route comes from ip address pppoe setroute; this adds a static route to an internal subnet via the next hop 192.168.1.2)

route inside 192.168.0.0 255.255.255.0 192.168.1.2

5. Configure NAT

object network inside
subnet 192.168.1.0 255.255.255.0
object network outside-pool
subnet 0.0.0.0 0.0.0.0
object network outside
subnet 0.0.0.0 0.0.0.0

nat (inside,outside) source dynamic Steady interface

object network Steady
nat (inside,outside) dynamic interface
object network outside
nat (inside,outside) dynamic interface
access-group inside in interface inside
access-group outside in interface outside

II. Configure vpdn PPPoE dial-up
PPPoE configuration on newer versions:
vpdn group Steady request dialout pppoe
vpdn group Steady ppp authentication chap
vpdn group Steady localname sbit01
vpdn username ****** password *********
dhcpd auto_config outside
mtu outside 1492
int GigabitEthernet0/1
ip address pppoe setroute
pppoe client vpdn group Steady
copy run start

Step 1

Enable the PPPoE client by entering the following command in interface configuration mode:

hostname(config-if)#ip address pppoe [ setroute ]

hostname(config)#interface gigabitethernet 0/1

hostname(config-if)#ip address pppoe

Step 2

Specify the VPDN group for the PPPoE client with the following command in interface configuration mode (optional):

hostname(config-if)#pppoe client vpdn group Steady

PPPoE configuration on versions before 8.25:

interface Vlan1 // by default the ports in VLAN1 are inside interfaces
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

interface Vlan2 // here VLAN2 is the outside interface
nameif outside
security-level 0
pppoe client vpdn group adsl
ip address pppoe setroute // starts the dial-up; if no default route is configured, setroute must be added

mtu outside 1400

global (outside) 1 interface // NAT address translation
nat (inside) 1 0.0.0.0 0.0.0.0

vpdn enable
vpdn group adsl request dialout pppoe
vpdn group adsl localname xxxxxx
vpdn group adsl ppp authentication pap
vpdn username xxxxxx password *****

dhcpd dns 202.96.128.166 202.96.128.86
dhcpd address 192.168.20.50-192.168.20.200 inside
dhcpd dns 221.228.255.1
dhcpd enable inside

---------- V8.4

ADSL protocol settings:

vpdn group adsl ppp authentication pap

Internet access settings:

---------
object network outside
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

object network inside
subnet 192.168.1.0 255.255.255.0
exit

object network outside-pool
subnet 0.0.0.0 0.0.0.0
exit

object network inside
nat (inside,outside) dynamic outside-pool

dns domain-lookup inside
dns domain-lookup outside
dns server-group Steady
name-server 114.114.114.114
name-server 8.8.8.8

ACL permitting ICMP:

access-list outside_in extended permit icmp any any

access-group outside_in in interface outside

Remote management via SSH:

V8.4

username schh password cisco
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
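The management-access lines in sections 2, 2.1 and the SSH block above are the part of this configuration most worth checking before the box goes live. The following Python script is an added example (not from the original notes) that audits those lines in a saved running-config: it flags telnet/ssh/http statements that accept any source address (including the ASA shorthand 0 0), management bound to the outside interface, telnet in general, local usernames whose password is short or a vendor default, and management protocols that have no aaa authentication line. The sample configuration is constructed from the lines in these notes, and the weak-password list is an assumption of the example.

```python
"""Audit management-plane access lines in a Cisco ASA running-config.

Added example, not part of the original notes or of any Cisco tool.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the management lines from the notes, plus the
# wide-open "ssh 0.0.0.0 0.0.0.0 outside" form from the V8.4 section.
SAMPLE_CONFIG = """\
hostname MYASA
http server enable
http 192.168.192.168 255.255.255.0 inside
username steady privilege 15 password @Music.1.1
aaa authentication http console steady
telnet 192.168.1.3 255.255.255.255 inside
telnet 0 0 dmz
username admin password cisco123 privilege 15
aaa authentication telnet console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

# "telnet|ssh|http <address> <mask> <interface>": the statements that open a
# management service to a source range on an interface.
ACCESS_RE = re.compile(r"^(telnet|ssh|http)\s+(\S+)\s+(\S+)\s+(\S+)$")
USER_RE = re.compile(r"^username\s+(\S+)\s.*\bpassword\s+(\S+)")
AAA_RE = re.compile(r"^aaa authentication (telnet|ssh|http) console \S+$")

# Assumption of this example: a tiny list of vendor-default / guessable
# strings. A real audit would use a proper wordlist.
WEAK_PASSWORDS = {"cisco", "cisco123", "admin", "password", "123456"}


def source_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """ASA accepts "0 0" as shorthand for 0.0.0.0 0.0.0.0; normalise it."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def audit_management_access(config: str) -> Dict[str, List[str]]:
    """Return the offending config lines / names grouped by finding type."""
    report: Dict[str, List[str]] = {"any_source": [], "on_outside": [],
                                    "telnet": [], "weak_password": [], "no_aaa": []}
    used, has_aaa = set(), set()        # management protocols seen / protected by aaa
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACCESS_RE.match(line):
            proto, addr, mask, ifname = m.groups()
            used.add(proto)
            if source_network(addr, mask).prefixlen == 0:
                report["any_source"].append(line)     # /0: any source host may connect
            if ifname.lower() == "outside":
                report["on_outside"].append(line)     # management reachable from the Internet side
            if proto == "telnet":
                report["telnet"].append(line)         # cleartext protocol, credentials on the wire
        elif m := USER_RE.match(line):
            if "encrypted" in line or "pbkdf2" in line:
                continue                              # hashed entries from "show run" cannot be judged
            user, password = m.groups()
            if password.lower() in WEAK_PASSWORDS or len(password) < 8:
                report["weak_password"].append(user)
        elif m := AAA_RE.match(line):
            has_aaa.add(m.group(1))
    report["no_aaa"] = sorted(used - has_aaa)         # service enabled without an aaa authentication line
    return report


if __name__ == "__main__":
    for finding, items in audit_management_access(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

Feed it the output of show running-config instead of SAMPLE_CONFIG to check a real box; the tightened form of the lines it flags is the one already used in section 2.1 for telnet (a /32 source on inside) applied to ssh as well, together with an aaa authentication ssh console LOCAL line.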

———————————-
access-list inside extended permit icmp any any
access-list inside extended permit ip any any

access-list outside extended permit icmp any any

nat (inside,outside) source dynamic Steady interface

access-group outside in interface outside

access-group inside in interface inside

static (inside,outside) ****** 10.10.10.190 netmask 255.255.255.255
This command lets hosts on the outside reach this server; for the server itself to reach the Internet, NAT must also be configured, for example:
global(outside)1 internet
nat(inside) 1 0.0.0.0 0.0.0.0

Also, the ASA denies ping by default, so an ACL is needed to permit ICMP packets in, e.g.:
access-list 100 permit icmp any any
access-group 100 in int outside

mtu outside 1492
mtu inside 1500

6. NAT comparison: old
nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface

------- new NAT
Inside:
ip address 192.168.1.1
Outside:
ip address 0.0.0.0

object network steady
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source dynamic steady interface

NAT configuration
object network inside-outside-all
subnet 0.0.0.0 0.0.0.0
object network 192.168.1.1:80
host 192.168.1.1
object network 192.168.1.1:8080
host 192.168.1.1
object network 192.168.1.1:443
host 192.168.1.1
object network 192.168.1.1:25
host 192.168.1.1
object network 192.168.1.1:143
host 192.168.1.1
object network 192.168.1.1:8686
host 192.168.1.1
object network 192.168.1.1:995
host 192.168.1.1
object network 192.168.1.1:993
host 192.168.1.1
object network 192.168.1.1:994
host 192.168.1.1
III. Security policy:

access-list 100 extended permit tcp any host 192.168.1.1 eq www
access-list 100 extended permit tcp any host 192.168.1.1 eq 80
access-list 100 extended permit tcp any host 192.168.1.1 eq 8080
access-list 100 extended permit tcp any host 192.168.1.1 eq 443
access-list 100 extended permit tcp any host 192.168.1.1 eq 25
access-list 100 extended permit tcp any host 192.168.1.1 eq 143
access-list 100 extended permit tcp any host 192.168.1.1 eq 8686
access-list 100 extended permit tcp any host 192.168.1.1 eq 993
access-list 100 extended permit tcp any host 192.168.1.1 eq 994
access-list 100 extended permit tcp any host 192.168.1.1 eq 995
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 102 extended permit tcp any host 0.0.0.0 eq www
access-list internet-in extended permit tcp any host 192.168.1.1 eq www

object network inside-outside-all
nat (inside,outside) dynamic interface
object network 192.168.1.1:80
nat (inside,outside) static interface service tcp 80 80
object network 192.168.1.1:8080
nat (inside,outside) static interface service tcp 8080 8080
object network 192.168.1.1:443
nat (inside,outside) static interface service tcp 443 443
object network 192.168.1.1:25
nat (inside,outside) static interface service tcp 25 25
object network 192.168.1.1:143
nat (inside,outside) static interface service tcp 143 143
object network 192.168.1.1:993
nat (inside,outside) static interface service tcp 993 993
object network 192.168.1.1:994
nat (inside,outside) static interface service tcp 994 994
object network 192.168.1.1:995
nat (inside,outside) static interface service tcp 995 995
object network 192.168.1.1
nat (inside,outside) static interface service udp 80 80

access-group 100 in interface outside
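Since ASA 8.3 the interface ACL is matched against the real (inside) address and port, so every static PAT forward above needs a matching permit in the ACL bound inbound on outside, while a permit with no forward behind it is a dead rule, and a permit ip any any on that ACL (as ACL 101 has) makes the explicit lines redundant and exposes far more than the forwarded ports. The following Python script is an added example (not from the original notes) that cross-checks a saved configuration for exactly these mismatches, and it also catches an object that receives a nat statement without ever being given a host line. The sample is constructed from the lines above, with one host line deliberately left out and one any/any rule placed on the outside ACL.

```python
"""Cross-check ASA object-NAT port forwards against the inbound ACL.

Added example, not part of the original notes or of any Cisco tool.
"""
import re
from typing import Dict, List, Set, Tuple

# ACL port keywords used in the notes (numeric ports are passed through).
NAMED_PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25,
               "imap4": 143, "pop3": 110, "ssh": 22, "ftp": 21, "domain": 53}

# Constructed sample: three complete forwards, one object (...:8080) entered
# for NAT without a host line, a permit for a port nothing forwards (143),
# and an ip any any rule on ACL 100 (bound to outside). The ip any any on
# ACL 101 is bound to inside, the normal outbound permit, and is not flagged.
SAMPLE_CONFIG = """\
object network 192.168.1.1:80
 host 192.168.1.1
object network 192.168.1.1:443
 host 192.168.1.1
object network 192.168.1.1:25
 host 192.168.1.1
access-list 100 extended permit tcp any host 192.168.1.1 eq www
access-list 100 extended permit tcp any host 192.168.1.1 eq 443
access-list 100 extended permit tcp any host 192.168.1.1 eq 143
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
object network 192.168.1.1:80
 nat (inside,outside) static interface service tcp 80 80
object network 192.168.1.1:443
 nat (inside,outside) static interface service tcp 443 443
object network 192.168.1.1:25
 nat (inside,outside) static interface service tcp 25 25
object network 192.168.1.1:8080
 nat (inside,outside) static interface service tcp 8080 8080
access-group 100 in interface outside
access-group 101 in interface inside
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
# nat (real_if,mapped_if) static interface service {tcp|udp} real_port mapped_port
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static interface service (tcp|udp) (\S+) (\S+)$")
PERMIT_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any host (\S+) eq (\S+)$")
ANY_RE = re.compile(r"^access-list (\S+) extended permit ip any any$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

Key = Tuple[str, str, int]   # (protocol, real IP, real port)


def port_number(token: str) -> int:
    """Resolve an ACL port token (keyword or number) to an integer."""
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def fmt(key: Key) -> str:
    return f"{key[0]}/{key[1]}:{key[2]}"


def check_port_forwards(config: str) -> Dict[str, List[str]]:
    """Compare static PAT forwards with the ACL applied inbound on 'outside'."""
    hosts: Dict[str, str] = {}          # object name -> real IP from its host line
    forwards: Set[Key] = set()          # (proto, real IP, real port) that is forwarded
    permits: Dict[str, Set[Key]] = {}   # ACL name -> explicit host permits
    any_any: Set[str] = set()           # ACLs that contain "permit ip any any"
    bound: Dict[str, str] = {}          # interface -> ACL applied inbound
    report: Dict[str, List[str]] = {"missing_permit": [], "dead_permit": [],
                                    "no_host": [], "any_any": []}
    current = None                      # object network currently being edited
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif (m := HOST_RE.match(line)) and current:
            hosts[current] = m.group(1)
        elif (m := NAT_RE.match(line)) and current:
            proto, real_port = m.group(3), m.group(4)
            if current in hosts:
                forwards.add((proto, hosts[current], port_number(real_port)))
            else:
                report["no_host"].append(current)   # nothing to translate to
        elif m := PERMIT_RE.match(line):
            acl, proto, ip, port = m.groups()
            permits.setdefault(acl, set()).add((proto, ip, port_number(port)))
        elif m := ANY_RE.match(line):
            any_any.add(m.group(1))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)

    outside_acl = bound.get("outside")
    outside_permits = permits.get(outside_acl, set())
    # Forward with no explicit permit: blocked by the default deny (or only
    # reachable through an any/any rule). Permit with no forward: dead rule.
    report["missing_permit"] = [fmt(k) for k in sorted(forwards - outside_permits)]
    report["dead_permit"] = [fmt(k) for k in sorted(outside_permits - forwards)]
    if outside_acl in any_any:
        report["any_any"].append(outside_acl)
    return report


if __name__ == "__main__":
    for finding, items in check_port_forwards(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

Run it on show running-config output after editing the NAT objects or ACL 100; an empty report means every forward has exactly one matching permit and no wider rule sits in front of them.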

IV. Verifying the configuration
show vpdn pppinterface

show vpdn username

show vpdn group

show ip add outside pppoe

show interface ip brief // check that the address and route were obtained correctly
show route
show user
show nat detail
show x

V. Save the configuration

wr