204 Lab Guide: ASA Basic Configuration
Lab Guide (Firewall Basic Configuration)
I. Lab Tasks
● Tasks:
1. The inside network can initiate access to the DMZ and to the outside network, but not the reverse.
2. The DMZ can initiate access to the outside network, but not the reverse.
II. Lab Steps
1. Pre-configuration:
-------------------------
R1:
hostname R1
interface e0/0
 no shutdown
 duplex full
 ip address 10.15.15.1 255.255.255.0
interface loo0
 ip address 10.1.1.1 255.255.255.0
ip route 10.0.0.0 255.0.0.0 10.15.15.5
line vty 0 4
 password cisco
 login
-------------------------
R2:
hostname R2
interface e0/0
 no shutdown
 duplex full
 ip address 10.25.25.2 255.255.255.0
interface loo0
 ip address 10.2.2.2 255.255.255.0
router rip
 network 10.0.0.0
line vty 0 4
 password cisco
 login
-------------------------
R3:
hostname R3
interface e0/0
 no shutdown
 duplex full
 ip address 10.35.35.3 255.255.255.0
interface loo0
 ip address 10.3.3.3 255.255.255.0
router rip
 network 10.0.0.0
line vty 0 4
 password cisco
 login
S1:
(run the following commands from the "#" privileged prompt)
vlan database
 vlan 2
 vlan 3
 exit
conf t
hostname Switch
interface FastEthernet0/0
 shutdown
interface FastEthernet0/5
 no shutdown
 switchport trunk native vlan 1000
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex full
 speed 10
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 2
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 3
2. Basic configuration (on the PIX):
hostname PIX1
interface Ethernet0
 no shutdown
!
interface Ethernet0.1
 vlan 1
 nameif Outside
 ip address 10.15.15.5 255.255.255.0
!
interface Ethernet0.2
 vlan 2
 nameif Inside
 ip address 10.25.25.5 255.255.255.0
!
interface Ethernet0.3
 vlan 3
 nameif DMZ
 ip address 10.35.35.5 255.255.255.0
!
route outside 0 0 10.15.15.1
Test:
Ping each router from the PIX to check network connectivity.
3. Configure the routing protocol (PIX):
router rip
 network 10.0.0.0
 redistribute static
Run show route on the PIX to check its routing table, and check the routing tables on the other routers as well.
4. Configure security levels (PIX):
interface Ethernet0.1
 security-level 0
interface Ethernet0.2
 security-level 100
interface Ethernet0.3
 security-level 50
5. Test:
Telnet between the three routers in every direction and check whether only telnet from a higher security level to a lower security level succeeds.
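As an added illustration (not part of the original lab guide), the following Python script models the default interface security-level policy that step 5 tests: with no access lists applied, the PIX/ASA accepts a new connection only from an interface with a higher security level towards one with a lower level, and the return packets of that connection are matched by the stateful connection table rather than by a second policy decision. The script parses the three named subinterfaces as they appear in this lab's PIX configuration (a constructed copy is embedded in the script), derives the permit/deny matrix for every pair, and checks it against the tasks in section I. It also shows the failure mode where two interfaces end up at the same level, which is denied by default unless same-security-traffic permit inter-interface is configured. All function and variable names are the example's own.

```python
import re
from itertools import permutations

# Constructed sample: the named subinterfaces from this lab's PIX
# configuration, as they appear in "show running-config".
PIX_CONFIG = """\
interface Ethernet0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0.1
 vlan 1
 nameif Outside
 security-level 0
 ip address 10.15.15.5 255.255.255.0
!
interface Ethernet0.2
 vlan 2
 nameif Inside
 security-level 100
 ip address 10.25.25.5 255.255.255.0
!
interface Ethernet0.3
 vlan 3
 nameif DMZ
 security-level 50
 ip address 10.35.35.5 255.255.255.0
!
"""

# The access policy required by section I, as (initiator, target): permitted?
REQUIREMENTS = {
    ("Inside", "DMZ"): True,
    ("Inside", "Outside"): True,
    ("DMZ", "Outside"): True,
    ("DMZ", "Inside"): False,
    ("Outside", "Inside"): False,
    ("Outside", "DMZ"): False,
}

_ATTR = re.compile(r"^(nameif|security-level|vlan|ip address)\s+(.+)$")


def parse_interfaces(config):
    """Map each nameif to its vlan tag, security level and address.

    Interfaces without a nameif (the physical Ethernet0 trunk here) are
    skipped because the firewall does not forward traffic on them.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {}
        elif line == "!":
            current = None
        elif current is not None:
            match = _ATTR.match(line)
            if match is None:
                continue  # "no nameif", "shutdown", etc. are irrelevant here
            key, value = match.groups()
            if key == "nameif":
                interfaces[value] = current
            elif key == "security-level":
                current["security_level"] = int(value)
            elif key == "vlan":
                current["vlan"] = int(value)
            else:
                current["ip"] = value
    return interfaces


def allowed_by_default(interfaces, src, dst, same_security_permit=False):
    """Default policy with no ACL on either interface: a new connection is
    accepted only from a higher security level towards a lower one. Equal
    levels are denied unless 'same-security-traffic permit inter-interface'
    is configured (modelled by same_security_permit)."""
    s = interfaces[src]["security_level"]
    d = interfaces[dst]["security_level"]
    if s == d:
        return same_security_permit
    return s > d


def connection_matrix(interfaces, same_security_permit=False):
    """Permit/deny for every ordered pair of distinct interfaces."""
    return {(src, dst): allowed_by_default(interfaces, src, dst, same_security_permit)
            for src, dst in permutations(interfaces, 2)}


def check_requirements(interfaces, requirements=REQUIREMENTS):
    """Return [(src, dst, expected, actual)] for every requirement the
    security levels do not satisfy; an empty list means the policy holds."""
    matrix = connection_matrix(interfaces)
    return [(src, dst, want, matrix[(src, dst)])
            for (src, dst), want in requirements.items()
            if matrix[(src, dst)] != want]


def with_security_level(interfaces, name, level):
    """Copy of the interface table with one security level changed, so a
    proposed change can be evaluated before it is applied to the firewall."""
    changed = {n: dict(attrs) for n, attrs in interfaces.items()}
    changed[name]["security_level"] = level
    return changed


if __name__ == "__main__":
    ifaces = parse_interfaces(PIX_CONFIG)
    for (src, dst), ok in sorted(connection_matrix(ifaces).items()):
        print(f"{src:>8} -> {dst:<8} {'permit' if ok else 'deny'}")
    print("mismatches with section I:", check_requirements(ifaces))
    # Failure mode: raising DMZ to 100 puts it level with Inside, so Inside -> DMZ is denied.
    print("if DMZ were level 100:", check_requirements(with_security_level(ifaces, "DMZ", 100)))
```

Running the script prints the six-entry matrix (Inside may reach DMZ and Outside, DMZ may reach Outside, the three reverse directions are denied) and an empty mismatch list for the lab's levels 100/50/0; the same check with DMZ at 100 reports the Inside -> DMZ requirement as broken, which is the symptom a telnet test in step 5 would show as a failed connection rather than a timeout on the reverse path.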
III. Complete Configurations
-----------------------------R1------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.15.15.1 255.255.255.0
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 10.0.0.0 255.0.0.0 10.15.15.5
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end
-----------------------------R2------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
!
interface Ethernet0/0
 ip address 10.25.25.2 255.255.255.0
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router rip
 network 10.0.0.0
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end
-----------------------------R3------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.0
!
interface Ethernet0/0
 ip address 10.35.35.3 255.255.255.0
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router rip
 network 10.0.0.0
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end
-----------------------------S1------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface FastEthernet0/0
 shutdown
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 switchport access vlan 2
!
interface FastEthernet0/3
 switchport access vlan 3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport trunk native vlan 1000
 switchport mode trunk
 duplex full
 speed 10
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Vlan1
 no ip address
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
-----------------------------PIX------------------------
!
hostname PIX1
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0.1
 vlan 1
 nameif Outside
 security-level 0
 ip address 10.15.15.5 255.255.255.0
!
interface Ethernet0.2
 vlan 2
 nameif Inside
 security-level 100
 ip address 10.25.25.5 255.255.255.0
!
interface Ethernet0.3
 vlan 3
 nameif DMZ
 security-level 50
 ip address 10.35.35.5 255.255.255.0
!
interface Ethernet1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 10.15.15.1 1
!
router rip
 network 10.0.0.0
 redistribute static
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:182e4673c1560e8743cdf3f41858ebcc
: end