ciscoasa> en Password: ciscoasa# show run : Saved : ASA Version 8.2(1) ! hostname ciscoasa enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface GigabitEthernet0/0 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/1 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! interface GigabitEthernet1/0 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/1 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/3 shutdown no nameif no security-level no ip address ! ftp mode passive pager lines 24 logging asdm informational mtu management 1500 no failover icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.1.0 255.255.255.0 management no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.1.2-192.168.1.254 management dhcpd enable management ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:2ca307ae725244ecf965030aa8ee6a2b : end ciscoasa#
使用靜態IP地址
ciscoasa(config-if)# no dhcpd address 192.168.1.2-192.168.1.254 management ciscoasa(config)# no dhcpd enable management ciscoasa(config)# interface Management0/0 ciscoasa(config-if)# ip address 192.168.3.254 255.255.255.0 Waiting for the earlier webvpn instance to terminate... Previous instance shut down. Starting a new one.
使用DHCP分配IP地址
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0 Waiting for the earlier webvpn instance to terminate... Previous instance shut down. Starting a new one. ciscoasa(config-if)# dhcpd address 192.168.1.2-192.168.1.254 management ciscoasa(config)# dhcpd enable management ciscoasa(config)#
ciscoasa(config)# interface GigabitEthernet0/0 ciscoasa(config-if)# nameif outside INFO: Security level for "outside" set to 0 by default. ciscoasa(config-if)# ip address 172.16.0.2 255.255.255.0 ciscoasa(config-if)# no shutdown ciscoasa(config-if)# interface GigabitEthernet1/0 ciscoasa(config-if)# nameif inside INFO: Security level for "inside" set to 100 by default. ciscoasa(config-if)# ip address 192.168.3.254 255.255.255.0 ciscoasa(config-if)# no shutdown ciscoasa(config-if)# show ip System IP Addresses: Interface Name IP address Subnet mask Method GigabitEthernet0/0 outside 172.16.0.2 255.255.255.0 manual Management0/0 management 192.168.1.1 255.255.255.0 manual GigabitEthernet1/0 inside 192.168.3.254 255.255.255.0 manual Current IP Addresses: Interface Name IP address Subnet mask Method GigabitEthernet0/0 outside 172.16.0.2 255.255.255.0 manual Management0/0 management 192.168.1.1 255.255.255.0 manual GigabitEthernet1/0 inside 192.168.3.254 255.255.255.0 manual
黑名單規則
access-list outside extended permit icmp any any access-list outside deny ip any any access-list outside extended permit tcp any any eq www access-list outside extended permit tcp any any eq https access-list outside extended permit tcp any host 28.6.7.23 eq ftp access-list outside permit tcp any host 202.96.134.133 eq www access-list outside permit ip any host 133.11.20.21 eq ftp access-group outside in interface outside
白名單規則
access-list outside extended permit ip any any access-list outside extended permit icmp any any access-list outside extended permit tcp any any access-list outside extended permit udp any any access-list outside deny ip any host 192.168.0.1 access-list outside deny ip any host 192.168.0.2 eq www access-group outside in interface outside
下面是一個簡單的黑白名單實例
object-group network blacklist description deny ip to example.com network-object 61.191.55.0 255.255.255.0 network-object host 61.190.10.181 network-object host 61.190.10.182 network-object host 61.190.10.183 network-object host 61.191.55.248 network-object host 61.190.10.181 network-object host 61.185.114.87 network-object host 60.210.111.236 network-object host 218.64.182.105 network-object host 210.51.51.157 network-object host 63.221.138.204 network-object host 119.188.10.163 access-list outside extended deny tcp object-group blacklist host 120.12.14.7 object-group network whitelist description deny ip to example.com network-object 61.191.50.0 255.255.255.0 network-object host 61.190.10.18 network-object host 61.191.55.24 network-object host 61.190.10.18 network-object host 61.185.114.8 network-object host 60.210.111.23 network-object host 218.64.182.10 network-object host 210.51.51.15 network-object host 63.221.138.20 network-object host 119.188.10.16 access-list outside extended permit tcp object-group whitelist host 120.12.14.7
連接埠實例
object-group network dbhost description database network-object 172.16.4.0 255.255.255.0 network-object 172.16.5.0 255.255.255.0 object-group service dbport tcp description database port-object eq 3306 port-object eq 2521 port-object eq 5432 object-group network www description www network-object 172.16.4.0 255.255.255.0 network-object 172.16.5.0 255.255.255.0 object-group service webport tcp description database port-object eq www port-object range 81 88 access-list outside extended permit tcp object-group dbhost host 172.16.4.10 object-group dbport access-list outside extended permit tcp any object-group webport any
access-list outside extended permit icmp any any access-list outside extended permit tcp any any eq www access-list outside extended permit tcp any any eq ssh access-list outside extended permit udp any host 120.112.13.20 eq domain access-list outside extended permit udp any host 120.112.13.23 eq domain access-list outside extended permit tcp any host 120.112.13.18 eq ssh access-list outside extended permit tcp any host 120.112.13.7 eq ftp access-list outside extended permit tcp any host 120.112.13.21 eq www access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.27 eq ssh access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.28 eq ssh access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.11 eq ssh access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.12 eq ssh access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.8 eq ssh access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.9 eq ssh access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.15 eq ssh access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.29 eq ftp access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.10 eq ftp access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.10 eq ssh access-list outside deny ip 192.168.0.0 0.255.255.255 any access-list outside deny ip 127.0.0.0 0.255.255.255 any access-list outside extended permit tcp any host 120.112.13.33 access-list outside permit ip any any access-list inside extended permit icmp any any access-list inside extended permit ip any any
ciscoasa(config)# access-list outside permit icmp any any ciscoasa(config)# access-group outside in interface outside ciscoasa(config)# show access-list access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300 access-list outside; 1 elements; name hash: 0x1a47dec4 access-list outside line 1 extended permit icmp any any (hitcnt=0) 0x390a154c
extended關鍵字可能省略 access-list outside permit ip any any,另外我比較喜歡用nameif做acl 名稱,這樣比較直觀如: outside,你也可以使用傳統100,101什麼的
把inside區域的所有地址進行映射,映射為outside連接埠的那個公網IP地址。
globle (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0
指定其他IP
asa(config)#nat(inside) 1 192.168.1.1 255.255.255.0 asa(config)#global(outside) 1 222.240.254.193 255.255.255.248
定義的地址池
asa(config)#nat (inside) 0 192.168.1.1 255.255.255.255 //表示192.168.1.1這個地址不需要轉換。直接轉發出去。 asa(config)#global (outside) 1 133.1.0.1-133.1.0.14 //定義的地址池 asa(config)#nat (inside) 1 0 0 //0 0表示轉換網段中的所有地址。定義內部網絡地址將要翻譯成的全局地址或地址範圍
我的配置
global (outside) 1 interface nat (inside) 1 172.16.1.0 255.255.255.0 0 0
static (inside,outside) 222.24.24.2 192.168.1.2 static (inside,outside) 222.24.24.2 192.168.1.2 4096 32
後面的4096為限制連接數,32為限制的半開連接數。
asa(config)#static (dmz,outside) 13.1.0.2 10.65.1.102 ;靜態NAT asa(config)#static (inside,dmz) 10.66.1.20 10.66.1.20 ;靜態NAT
timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00
snmp-server host inside 172.16.1.2 snmp-server location GuangDong snmp-server contact neo.chen@example.com snmp-server community public
創建用戶
username cisco password cisco #明文密碼 username cisco password 3USUcOPFUiMCO4Jk encrypted #加密密碼 username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15 #不需要enable密碼
匹配地址 172.16.0.1 255.255.255.255
匹配網段 172.16.0.0 255.255.255.0
所有地址 0.0.0.0 0.0.0.0
username cisco password cisco aaa authentication telnet console LOCAL telnet 0.0.0.0 0.0.0.0 inside telnet timeout 5
1) username xxxx password xxxx 2) passwd xxxxx 3) ssh x.x.x.x x.x.x.x {inside/outside} 4) crypto key generate rsa modulus {512/768/1024/2048} 5) aaa authentication ssh console LOCAL
username cisco password cisco passwd cisco ssh 172.16.0.1 255.255.255.255 outside crypto key generate rsa modulus 2048 aaa authentication ssh console LOCAL
ciscoasa(config)# access-list TEST200K permit ip host x.x.x.x any ciscoasa(config)# class-map internet ciscoasa(config-cmap)# match access-list TEST200K ciscoasa(config)# policy-map out-police ciscoasa(config-pmap)# class internet ciscoasa(config-pmap-c)# police output 200000 1000 conform-action transmit exceed-action drop ciscoasa(config)# service-policy out-police interface outside
使用NAT映射後應該配置到inside介面上
access-list 200k extended permit ip any host x.x.x.x access-list 500k extended permit ip any host x.x.x.x class-map 200k match access-list 200k policy-map limit200k class 200k police input 2096000 1048 police output 2096000 1048 service-policy limit200k interface inside class-map 500k match access-list 500k policy-map limit500k class 500k police input 2096000 1048 police output 2096000 1048 service-policy limit500k interface inside
interface GigabitEthernet1/1 ! interface GigabitEthernet1/1.1 description STATE Failover Interface vlan 2 ! interface GigabitEthernet1/1.2 description LAN Failover Interface vlan 3 ! failover failover lan unit primary failover lan interface failover GigabitEthernet1/1.2 failover link state GigabitEthernet1/1.1 failover interface ip failover 172.16.10.1 255.255.255.248 standby 172.16.10.2 failover interface ip state 172.16.10.9 255.255.255.248 standby 172.16.10.10
ciscoasa# show failover state State Last Failure Reason Date/Time This host - Primary Active Ifc Failure 14:49:44 UTC Oct 26 2011 outside: No Link Other host - Secondary Standby Ready Comm Failure 16:27:18 UTC Oct 26 2011 ====Configuration State=== Sync Done ====Communication State=== Mac set
ciscoasa(config)# firewall transparent ciscoasa(config)# show firewall Firewall mode: Transparent
interface GigabitEthernet0/0 nameif outside security-level 0 ! interface GigabitEthernet1/0 nameif inside security-level 100 ! access-list outside extended permit icmp any any access-list outside extended permit ip any any access-list outside extended permit udp any any access-list outside extended permit tcp any any access-group outside in interface outside ip address 192.168.0.247 255.255.255.0 route outside 0.0.0.0 0.0.0.0 192.168.0.254 asdm image disk0:/asdm-645.bin http server enable http 0.0.0.0 0.0.0.0 inside
例 7.1. firewall transparent
ciscoasa(config)# sh run : Saved : ASA Version 8.2(5) ! firewall transparent hostname ciscoasa enable password zXKclT3IcSf6EDMe encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface GigabitEthernet0/0 nameif outside security-level 0 ! interface GigabitEthernet0/1 shutdown no nameif no security-level ! interface GigabitEthernet0/2 shutdown no nameif no security-level ! interface GigabitEthernet0/3 shutdown no nameif no security-level ! interface Management0/0 shutdown no nameif no security-level management-only ! interface GigabitEthernet1/0 nameif inside security-level 100 ! interface GigabitEthernet1/1 shutdown no nameif no security-level ! interface GigabitEthernet1/2 shutdown no nameif no security-level ! interface GigabitEthernet1/3 shutdown no nameif no security-level ! ftp mode passive access-list outside extended permit icmp any any access-list outside extended permit ip any any access-list outside extended permit udp any any access-list outside extended permit tcp any any pager lines 24 mtu outside 1500 mtu inside 1500 ip address 192.168.0.6 255.255.255.0 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-645.bin no asdm history enable arp timeout 14400 access-group outside in interface outside route outside 0.0.0.0 0.0.0.0 192.168.0.254 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 0.0.0.0 0.0.0.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh timeout 5 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:30eb28a5a6b73fb3638eb279d27086c1 : end
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html
logging enable logging timestamp logging trap warnings logging host inside 172.16.1.9 logging facility local0
ciscoasa(config)# logging trap ? configure mode commands/options: <0-7> Enter syslog level (0 - 7) WORD Specify the name of logging list alerts Immediate action needed (severity=1) critical Critical conditions (severity=2) debugging Debugging messages (severity=7) emergencies System is unusable (severity=0) errors Error conditions (severity=3) informational Informational messages (severity=6) notifications Normal but significant conditions (severity=5) warnings Warning conditions (severity=4) ciscoasa(config)# logging trap informational ciscoasa(config)# logging trap notifications
ciscoasa(config)# ntp server 172.16.0.5 ciscoasa(config)# clock timezone GMT +8 ciscoasa(config)# clock timezone EST +8 ciscoasa(config)# sh clock detail 18:47:06.931 EST Fri Jan 6 2012 Time source is NTP UTC time is: 10:47:06 UTC Fri Jan 6 2012 ciscoasa(config)# sh ntp status Clock is synchronized, stratum 4, reference is 172.16.3.52 nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6 reference time is d2b14f98.93025c85 (18:46:48.574 EST Fri Jan 6 2012) clock offset is -11.4445 msec, root delay is 309.22 msec root dispersion is 497.94 msec, peer dispersion is 391.02 msec ciscoasa(config)# clock timezone UTC +8 ciscoasa(config)# sh ntp status Clock is synchronized, stratum 4, reference is 172.16.3.52 nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6 reference time is d2b15000.8fce7067 (18:48:32.561 UTC Fri Jan 6 2012) clock offset is -10.7866 msec, root delay is 309.19 msec root dispersion is 124.11 msec, peer dispersion is 16.31 msec ciscoasa(config)# clock timezone CST 8 ciscoasa(config)# sh ntp status Clock is synchronized, stratum 4, reference is 172.16.3.52 nominal freq is 99.9984 Hz, actual freq is 99.9985 Hz, precision is 2**6 reference time is d2b15040.8f989fe3 (18:49:36.560 CST Fri Jan 6 2012) clock offset is -17.1219 msec, root delay is 309.23 msec root dispersion is 136.72 msec, peer dispersion is 21.61 msec
我建議你放棄tftp,目前主流設備都支持很多協議。我比較喜歡使用ftp
ciscoasa# copy running-config ftp://test:your_pasword@172.16.0.2 Source filename [running-config]? Address or name of remote host [172.16.1.2]? Destination username [test]? Destination password [******]? Destination filename [running-config]? Cryptochecksum: e5bb0305 02196b08 59efc7e5 9b4e1132 !!!!!! 19447 bytes copied in 3.900 secs (6482 bytes/sec)