ASA Configuration Notes
1. Common tips
2. Failover
3. Configuring telnet, ssh and http management
4. Common VPN management commands
5. Configuring access permissions
6. Configuring site-to-site VPN
7. WebVPN (SSL VPN) configuration
8. Remote-access (dial-in) VPN
9. Logging server configuration
10. SNMP management configuration
11. ACS configuration
12. AAA configuration
13. Upgrading IOS
14. Troubleshooting
1. Common tips
sh run ntp            shows the NTP-related configuration
sh run crypto         shows the VPN-related configuration
sh run | inc crypto   just filters the running configuration by keyword
2. Failover
failover
failover lan unit primary
failover lan interface testint Ethernet0/3
failover link testint Ethernet0/3
failover mac address Ethernet0/1 0018.1900.5000 0018.1900.5001
failover mac address Ethernet0/0 0018.1900.4000 0018.1900.4001
failover mac address Ethernet0/2 0018.1900.6000 0018.1900.6001
failover mac address Management0/0 0018.1900.7000 0018.1900.7001
failover interface ip testint 10.3.3.1 255.255.255.0 standby 10.3.3.2
Note:
It is best to configure virtual MAC addresses for the failover pair.
sh failover       displays the failover configuration and state
write standby     writes the configuration to the standby firewall
The failover command set is as follows:
configure mode commands/options:
  interface         Configure the IP address and mask to be used for failover
                    and/or stateful update information
  interface-policy  Set the policy for failover due to interface failures
  key               Configure the failover shared secret or key
  lan               Specify the unit as primary or secondary or configure the
                    interface and vlan to be used for failover communication
  link              Configure the interface and vlan to be used as a link for
                    stateful update information
  mac               Specify the virtual mac address for a physical interface
  polltime          Configure failover poll interval
  replication       Enable HTTP (port 80) connection replication
  timeout           Specify the failover reconnect timeout value for
                    asymmetrically routed sessions
The sh failover command set is as follows:
  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information
  |           Output modifiers
3. Configuring telnet, ssh and http management
username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http 192.168.40.0 255.255.255.0 management
ssh 192.168.40.0 255.255.255.0 inside
4. Common VPN management commands
sh vpn-sessiondb full l2l           shows the state of the site-to-site VPN tunnels
sh ipsec stats                      shows IPsec tunnel statistics
sh vpn-sessiondb summary            shows the VPN summary
sh vpn-sessiondb detail l2l         shows IPsec details
sh vpn-sessiondb detail svc         shows SSL client information
sh vpn-sessiondb detail webvpn      shows WebVPN information
sh vpn-sessiondb detail full l2l    roughly the equivalent of "ipsec whack --status" on Linux; if no connection is listed, the IPsec tunnel has not been established.
5. Configuring access permissions
Object groups can be created to assign different permissions to different hosts, for example:
object-group network testgroup
 description test
 network-object 192.168.100.34 255.255.255.255
access-list inside_access_in line 2 extended permit ip object-group all any
access-group inside_access_in in interface inside
6. Configuring site-to-site VPN
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 218.16.105.48
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 218.16.105.48 type ipsec-l2l
tunnel-group 218.16.105.48 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group-map enable rules
Note:
Enable PFS and use the IP address as the peer identity; an interface can carry only one crypto map.
7. WebVPN (SSL VPN) configuration
webvpn
 enable outside
 character-encoding gb2312
 csd image disk0:/securedesktop-asa-3.1.1.16.pkg
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc enable
 customization customization1
  title text TEST WebVPN system
  title style background-color: white; color: rgb(51,153,0); border-bottom: 5px groove #669999; font-size: larger; vertical-align: middle; text-align: left; font-weight: bold
 tunnel-group-list enable
Note:
This can also be configured through the ASDM graphical interface.
After logging in, internal resources can be accessed, as in the following example:
(The client must first install the Java plug-in jre-1_5_0-windows-i586.exe and enable ActiveX in the browser.)
1) Enter the username and password
2) The toolbar appears
3) Enter 192.168.40.8 in "Enter Web Address" to reach the internal website
4) Enter 192.168.40.8 in "Browse Network" to reach the shared files
5) Click "Application Access" to see the port-forwarding settings; for example, pointing putty at local port 2023 gives an ssh login to 192.168.40.8
8. Remote-access (dial-in) VPN
The relevant ASA configuration commands are as follows:
access-list inside_access_in extended permit ip object-group remotegroup any
access-list inside_access_in extended permit icmp object-group remotegroup any
access-list remotevpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
ip local pool dialuserIP 192.168.101.1-192.168.101.254 mask 255.255.255.0
group-policy remotevpn attributes
 dns-server value 202.96.128.68 192.168.40.16
 default-domain value
username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
 address-pool dialuserIP
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key *
The client settings are as follows:
9. Logging server configuration
logging enable
logging timestamp
logging emblem
logging trap informational
logging asdm warnings
logging host inside 192.168.40.115 format emblem
logging permit-hostdown
vpn-simultaneous-logins 3
10. SNMP management configuration
snmp-server host inside 192.168.40.47 community testsnmp
snmp-server location DG-GTEST
snmp-server contact jiangdaoyou:6162
snmp-server community testsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
Note:
Only after the host is specified can 192.168.40.47 manage the device.
11. ACS configuration
Management after installation:
http://ip:2002 - ACS provides authorization, authentication and many other functions.
Omitted for now because the material is too extensive.
12. AAA configuration
AAA server configuration:
aaa-server radius_dg host
 key dfdfdfdf146**U
 authentication-port 1812
 accounting-port 1813
 radius-common-pw dfdfdfdf146**U
Configuration for the dial-in VPN:
tunnel-group vg_testerp general-attributes
 address-pool ciscovpnuser
 authentication-server-group radius_dg
 default-group-policy vg_testerp
13. Upgrading IOS
copy tftp://192.168.40.180/asa/asa721-k8.bin disk0:/asa721-k8.bin
boot system disk0:/asa721-k8.bin    (used when there are multiple images)
interface Vlan2
 nameif outside                      -------------------- name the interface as the outside port
 security-level 0                    -------------------- set the interface security level
 ip address X.X.X.X 255.255.255.224  -------------------- configure the outside address
!
interface Vlan3
 nameif inside                       -------------------- name the interface as the inside port
 security-level 100                  -------------------- set the interface security level
 ip address 192.168.1.1 255.255.255.0 ------------------- configure the inside address
!
interface Ethernet0/0
 switchport access vlan 2            -------------------- bind the port to VLAN 2
!
interface Ethernet0/1
 switchport access vlan 3            -------------------- bind the port to VLAN 3
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 211.99.129.210
 name-server 202.106.196.115
access-list 102 extended permit icmp any any  ------------------ ACL (allow all ICMP through)
access-list 102 extended permit ip any any    ------------------ ACL (allow all IP traffic through)
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface                  ------------------ NAT: translate to the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0                ------------------ NAT pool (all inside addresses)
access-group 102 in interface outside         ------------------ bind the ACL to the outside interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1       ------------------ default route to the Internet
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside                 ------------------ allow TELNET from any address on inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside                   ------------------ allow SSH from any address on outside
ssh timeout 30
ssh version 2
console timeout 0
!
dhcpd address 192.168.1.100-192.168.1.199 inside             ------------------ DHCP server address pool
dhcpd dns 211.99.129.210 202.106.196.115 interface inside    ------------------ DNS servers handed out on the inside interface
dhcpd enable inside                                          ------------------ enable DHCP on the inside interface
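As an added example (not part of these notes and not Cisco code), a small Python audit that walks the management-access, ACL, SNMP and IKE lines taken from the configurations on this page and flags what a reviewer would question: telnet/ssh open to 0.0.0.0 0.0.0.0, an any/any ACL applied inbound on outside, a cleartext SNMP community, and 3DES / group 2 in the IKE policy. The sample lines are constructed from the page; the WEAK_IKE thresholds are my assumption.

```python
import ipaddress
import re

# Constructed sample: lines copied from the configurations in these notes.
SAMPLE_CONFIG = """
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
http 192.168.40.0 255.255.255.0 management
access-list 102 extended permit ip any any
access-group 102 in interface outside
snmp-server community testsnmp
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
"""

# Assumed thresholds: DES/3DES and DH groups 1-2 are treated as weak.
WEAK_IKE = {"encryption": {"des", "3des"}, "group": {"1", "2"}}


def audit(config: str) -> list[str]:
    """Return one finding per weak management or policy setting."""
    findings = []
    any_any_acls = set()  # ACL names that contain 'permit ip any any'
    for line in (ln.strip() for ln in config.splitlines()):
        # Management-plane access lines: <proto> <addr> <mask> <interface>
        m = re.match(r"(telnet|ssh|http) (\S+) (\S+) (\S+)$", line)
        if m:
            proto, addr, mask, ifname = m.groups()
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            if proto == "telnet":  # credentials cross the wire in cleartext
                findings.append(f"telnet (cleartext) allowed on {ifname}")
            if net.prefixlen == 0:  # 0.0.0.0 0.0.0.0 matches every source
                findings.append(f"{proto} open to any host on {ifname}")
            continue
        m = re.match(r"access-list (\S+) extended permit ip any any$", line)
        if m:
            any_any_acls.add(m.group(1))
            continue
        # Only flag an any/any ACL where it is actually applied inbound.
        m = re.match(r"access-group (\S+) in interface (\S+)$", line)
        if m and m.group(1) in any_any_acls:
            findings.append(f"ACL {m.group(1)} permits any/any inbound on {m.group(2)}")
            continue
        if line.startswith("snmp-server community "):
            findings.append("SNMP v1/v2c community string configured (cleartext)")
            continue
        m = re.match(r"isakmp policy \d+ (encryption|group) (\S+)$", line)
        if m and m.group(2) in WEAK_IKE[m.group(1)]:
            findings.append(f"weak IKE {m.group(1)}: {m.group(2)}")
    return findings
```

Run against the page's own lines it reports the open telnet/ssh, the any/any ACL on outside, the SNMP community and the 3DES/group 2 policy, while the restricted `ssh 192.168.40.0 255.255.255.0 inside` from section 3 produces no finding.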
CD-ASA5520