CISCO+ASA+5520配置手冊.doc

CD-ASA5520# show run: Saved:ASA Version 7.2(2) !hostname CD-ASA5520 /給防火墻命名domain-name default.domain.invalid /定義工作域 enable password 9jNfZuG3TC5tCVH0 encrypted / 進入特權模式的密碼 namesdns-guard!interface GigabitEthernet0/0 /內網接口：duplex full /接口作工模式：全雙工，半雙，自適應 nameif inside /為端口命名 ：內部接口insidesecurity-level 100 /設置安全級別 0100 值越大越安全ip address /設置本端口的IP地址!interface GigabitEthernet0/1 /外網接口nameif outside /為外部端口命名 ：外部接口outsidesecurity-level 0ip address 22 /IP地址配置!interface GigabitEthernet0/2nameif dmzsecurity-level 50ip address ! interface GigabitEthernet0/3shutdownno nameifno security-levelno ip address!interface Management0/0 /防火墻管理地址shutdownno nameifno security-levelno ip address!passwd 2KFQnbNIdI.2KYOU encryptedftp mode passive clock timezone CST 8dns server-group DefaultDNSdomain-name default.domain.invalidaccess-list outside_permit extended permit tcp any interface outside eq 3389 /訪問控制列表access-list outside_permit extended permit tcp any interface outside range 30000 30010 /允許外部任何用戶可以訪問outside 接口的30000-30010的端口。pager lines 24logging enable /啟動日志功能logging asdm informationalmtu inside 1500 內部最大傳輸單元為1500字節(jié)mtu outside 1500mtu dmz 1500ip local pool vpnclient -00 mask /定義一個命名為vpnclient的IP地址池,為remote用戶分配IP地址no failovericmp unreachable rate-limit 1 burst-size 1asdm image disk0:/asdm-522.binno asdm history enablearp timeout 14400 /arp空閑時間為14400秒 global (outside) 1 interface /由于沒有配置NAT 故這里是不允許內部用戶上INTERNETstatic (dmz,outside) tcp interface 30000 30000 netmask 55 /端口映射 可以解決內部要公布的服務太多，而申請公網IP少問題。static (dmz,outside) tcp interface 30001 30001 netmask 55 /把dmz區(qū) 30002 映射給外部30002端口上。static (dmz,outside) tcp interface 30002 30002 netmask 55 static (dmz,outside) tcp interface 30003 30003 netmask 55 static (dmz,outside) tcp interface 30004 30004 netmask 55 static (dmz,outside) tcp interface 30005 30005 netmask 55 static (dmz,outside) tcp interface 30006 30006 netmask 55 static (dmz,outside) tcp interface 30007 30007 netmask 55 static (dmz,outside) tcp interface 30008 3008 netmask 55 static (dmz,outside) tcp interface 30009 30009 netmask 55 static (dmz,outside) tcp interface 30010 30010 netmask 55 static (dmz,outside) tcp interface 3389 3389 netmask 55 access-group outside_permit in interface outside /把outside_permit控制列表運用在外部接口的入口方向。route outside 26 1 /定義一個默認路由。timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout uauth 0:05:00 absolute-定義一個命名為vpnclient的組策略-group-policy vpnclient internal /創(chuàng)建一個內部的組策略。 group-policy vpnclient attributes /設置vpnclient組策略的參數(shù) wins-server value 0 /定義WINS-SERVER 的IP地址。dns-server value 0 9 /定義dns-server的IP地址。vpn-idle-timeout none /終止連接時間設為默認值 vpn-session-timeout none /會話超時采用默認值vpn-tunnel-protocol IPSec /定義通道使用協(xié)議為IPSEC。split-tunnel-policy tunnelspecified /定義。 default-domain value /定義默認域名為-定義一個命名為l2lvpn的組策略-group-policy l2lvpn internal group-policy l2lvpn attributeswins-server value 0dns-server value 0 9vpn-simultaneous-logins 3vpn-idle-timeout nonevpn-session-timeout nonevpn-tunnel-protocol IPSec username test password P4ttSyrm33SV8TYp encrypted privilege 0 /創(chuàng)建一個遠程訪問用戶來訪問安全應用username cisco password 3USUcOPFUiMCO4Jk encryptedhttp server enable /啟動HTTP服務http inside /允許內部主機HTTP連接no snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstart/snmp的默認配置crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac/配置轉集（定義了IPSC隧道使用的加密和信息完整性算法集合）crypto dynamic-map vpn_dyn_map 10 set transform-set ESP-DES-MD5 /為動態(tài)加密圖條目定義傳換集crypto map outside_map 10 ipsec-isakmp dynamic vpn_dyn_map /創(chuàng)建一個使用動態(tài)加密條目的加密圖crypto map outside_map interface outside/將 outside_map加密圖應用到outside端口-配置IKE-crypto isakmp enable outside /在ostside 接口啟動ISAKMP crypto isakmp policy 20 /isakmmp權值，值越小權值越高authentication pre-share /指定同位體認證方法是共享密鑰encryption des /指定加密算法hash md5 /指定使用MD5散列算法group 2 /指定diffie-hellman組2lifetime 86400 /指定SA（協(xié)商安全關聯(lián)）的生存時間crypto isakmp policy 65535 authentication pre-shareencryption deshash md5group 2lifetime 86400-調用組策略-crypto isakmp nat-traversal 20 tunnel-group DefaultL2LGroup general-attributes /配置這個通道組的認證方法default-group-policy l2lvpn /指定默認組策略名稱。tunnel-group DefaultL2LGroup ipsec-attributes /配置認證方法為IPSECpre-shared-key * /提供IKE連接的預共享密鑰tunnel-group vpnclient type ipsec-ra /設置連接類型為遠程訪問。 tunnel-group vpnclient general-attributes /配置這個通道組的認證方法address-pool vpnclient /定義所用的地址池default-group-policy vpnclient /定義默認組策略-設置認證方式和共享密鑰-tunnel-group vpnclient ipsec-attributes /配置認證方法為IPSECpre-shared-key * /提供IKE連接的預共享密鑰telnet timeout 5 /telnet 超時設置ssh outside /允許外部通SSH訪問防火墻ssh timeout 60 /SSH連接超時設置console timeout 0 /控制臺超時設置 dhcp-client update dns server bothdhcpd dns 9 8 /dhcp 發(fā)布的DNS!dhcpd address 0-54 inside /向內網發(fā)布的地址池dhcpd enable inside /啟動DHCP服務。!class-map inspection_defaultmatch default-inspection-traffic!policy-map type inspect dns migrated_dns_map_1parameters message-length maximum 512policy-map global_policy class inspection_defaultinspect dns migrated_dns_map_1 i