CISCO ASA 5520 Configuration Manual
Uploaded: 2019-05-25
CD-ASA5520# show run
: Saved
:
ASA Version 7.2(2)
!
hostname CD-ASA5520   // name the firewall
domain-name default.domain.invalid   // define the working domain
enable password 9jNfZuG3TC5tCVH0 encrypted   // password for entering privileged mode
names
dns-guard
!
interface GigabitEthernet0/0   // inside interface
 duplex full   // interface duplex mode: full, half or auto
 nameif inside   // name the port: inside interface
 security-level 100   // security level 0-100; the higher the value, the more trusted the interface
 ip address 192.168.1.1 255.255.255.0   // IP address of this port
!
interface GigabitEthernet0/1   // outside interface
 nameif outside   // name the port: outside interface
 security-level 0
 ip address 202.98.131.122 255.255.255.0   // IP address configuration
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0   // firewall management interface
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_permit extended permit tcp any interface outside eq 3389   // access control list
access-list outside_permit extended permit tcp any interface outside range 30000 30010   // allow any external host to reach ports 30000-30010 on the outside interface
pager lines 24
logging enable   // enable logging
logging asdm informational
mtu inside 1500   // maximum transmission unit on the inside interface: 1500 bytes
mtu outside 1500
mtu dmz 1500
ip local pool vpnclient 192.168.200.1-192.168.200.200 mask 255.255.255.0   // define an IP address pool named vpnclient, used to assign addresses to remote users
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400   // ARP idle time: 14400 seconds
global (outside) 1 interface   // no nat statement is configured, so inside users are not allowed onto the Internet
static (dmz,outside) tcp interface 30000 192.168.2.2 30000 netmask 255.255.255.255   // port mapping: publish many internal services with only a few public IP addresses
static (dmz,outside) tcp interface 30001 192.168.2.2 30001 netmask 255.255.255.255
static (dmz,outside) tcp interface 30002 192.168.2.2 30002 netmask 255.255.255.255   // map dmz host 192.168.2.2 port 30002 to outside port 30002
static (dmz,outside) tcp interface 30003 192.168.2.2 30003 netmask 255.255.255.255
static (dmz,outside) tcp interface 30004 192.168.2.2 30004 netmask 255.255.255.255
static (dmz,outside) tcp interface 30005 192.168.2.2 30005 netmask 255.255.255.255
static (dmz,outside) tcp interface 30006 192.168.2.2 30006 netmask 255.255.255.255
static (dmz,outside) tcp interface 30007 192.168.2.2 30007 netmask 255.255.255.255
static (dmz,outside) tcp interface 30008 192.168.2.2 30008 netmask 255.255.255.255
static (dmz,outside) tcp interface 30009 192.168.2.2 30009 netmask 255.255.255.255
static (dmz,outside) tcp interface 30010 192.168.2.2 30010 netmask 255.255.255.255
static (dmz,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255
access-group outside_permit in interface outside   // apply the outside_permit access list in the inbound direction of the outside interface
route outside 0.0.0.0 0.0.0.0 202.98.131.126 1   // define a default route
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
------------ define a group policy named vpnclient -------------------------
group-policy vpnclient internal   // create an internal group policy
group-policy vpnclient attributes   // set the parameters of the vpnclient group policy
 wins-server value 192.168.1.10   // WINS server IP address
 dns-server value 192.168.1.10 61.139.2.69   // DNS server IP addresses
 vpn-idle-timeout none   // idle disconnect timer left at its default (none)
 vpn-session-timeout none   // session timeout left at its default (none)
 vpn-tunnel-protocol IPSec   // tunnel protocol: IPsec
 split-tunnel-policy tunnelspecified   // split tunneling: only traffic for the networks in the split-tunnel list is sent through the tunnel
 default-domain value cisco.com   // default domain name: cisco.com
------------ define a group policy named l2lvpn -------------------------
group-policy l2lvpn internal
group-policy l2lvpn attributes
 wins-server value 192.168.1.10
 dns-server value 192.168.1.10 61.139.2.69
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
username test password P4ttSyrm33SV8TYp encrypted privilege 0   // create a remote-access user for the security appliance
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable   // enable the HTTP server
http 0.0.0.0 0.0.0.0 inside   // allow HTTP (ASDM) connections from inside hosts
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart   // default SNMP configuration
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac   // transform set: the encryption and integrity algorithms used by the IPsec tunnel
crypto dynamic-map vpn_dyn_map 10 set transform-set ESP-DES-MD5   // transform set for the dynamic crypto map entry
crypto map outside_map 10 ipsec-isakmp dynamic vpn_dyn_map   // create a crypto map that uses the dynamic entry
crypto map outside_map interface outside   // apply the outside_map crypto map to the outside interface
------------ configure IKE --------------
crypto isakmp enable outside   // enable ISAKMP on the outside interface
crypto isakmp policy 20   // ISAKMP policy priority; the lower the number, the higher the priority
 authentication pre-share   // peer authentication method: pre-shared key
 encryption des   // encryption algorithm
 hash md5   // MD5 hash algorithm
 group 2   // Diffie-Hellman group 2
 lifetime 86400   // lifetime of the negotiated security association (SA)
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
------------- apply the group policies -----------------
crypto isakmp nat-traversal 20
tunnel-group DefaultL2LGroup general-attributes   // general attributes of this tunnel group
 default-group-policy l2lvpn   // default group policy name
tunnel-group DefaultL2LGroup ipsec-attributes   // IPsec authentication attributes
 pre-shared-key *   // pre-shared key for the IKE connection
tunnel-group vpnclient type ipsec-ra   // connection type: remote access
tunnel-group vpnclient general-attributes   // general attributes of this tunnel group
 address-pool vpnclient   // address pool to use
 default-group-policy vpnclient   // default group policy
----- set the authentication method and shared key -------------
tunnel-group vpnclient ipsec-attributes   // IPsec authentication attributes
 pre-shared-key *   // pre-shared key for the IKE connection
telnet timeout 5   // telnet timeout
ssh 0.0.0.0 0.0.0.0 outside   // allow SSH access to the firewall from outside
ssh timeout 60   // SSH connection timeout
console timeout 0   // console timeout
dhcp-client update dns server both
dhcpd dns 61.139.2.69 202.98.96.68   // DNS servers handed out by DHCP
!
dhcpd address 192.168.1.10-192.168.1.254 inside   // address pool handed out to the inside network
dhcpd enable inside   // enable the DHCP service
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:25e66339116f52e443124a23fef3d373
: end
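As an added example, not part of the uploaded manual: a short Python audit that scans an ASA running-config for the risky settings present in the listing above (DES/MD5 in the ISAKMP policy and transform set, DH group 2, SSH management open to any source on outside, and RDP 3389 permitted from any). SAMPLE_CONFIG is a constructed excerpt mirroring the listing, and audit_asa_config is a name chosen here.

```python
import re

# Constructed excerpt mirroring the configuration above (not a live device).
SAMPLE_CONFIG = """\
access-list outside_permit extended permit tcp any interface outside eq 3389
access-list outside_permit extended permit tcp any interface outside range 30000 30010
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
ssh 0.0.0.0 0.0.0.0 outside
telnet timeout 5
"""

# Algorithms that should not appear in a current IKE/IPsec configuration.
WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}


def audit_asa_config(text):
    """Return a list of (line_number, finding) for known-weak settings."""
    findings = []
    policy = None  # number of the 'crypto isakmp policy N' block being parsed
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        tokens = line.split()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        if policy and not raw.startswith(" "):
            policy = None  # an unindented line ends the policy block
        if policy and tokens:
            if tokens[0] in ("encryption", "hash") and tokens[-1] in WEAK_ALGS:
                findings.append((n, f"isakmp policy {policy}: weak {tokens[0]} {tokens[-1]}"))
            elif tokens[0] == "group" and tokens[-1] in ("1", "2"):
                findings.append((n, f"isakmp policy {policy}: weak DH group {tokens[-1]}"))
            continue
        if line.startswith("crypto ipsec transform-set"):
            weak = [t for t in tokens[4:] if t in WEAK_ALGS]
            if weak:
                findings.append((n, f"transform-set {tokens[3]}: weak {' '.join(weak)}"))
        elif tokens[:1] == ["ssh"] and tokens[1:3] == ["0.0.0.0", "0.0.0.0"]:
            findings.append((n, f"ssh management open to any source on {tokens[3]}"))
        elif line.startswith("access-list") and " permit " in line and " any " in line \
                and re.search(r"\beq 3389\b", line):
            findings.append((n, "RDP (3389) permitted from any source"))
    return findings
```

Run it over a saved `show run` to get line-numbered findings; each one maps back to a line in the listing above.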