ASA Configuration Notes

Uploaded 2022-11-23 (DOCX, 15 pages, 20.95 KB)

1. Common tips
2. Failover
3. Telnet, SSH and HTTP management
4. Common VPN management commands
5. Access permissions
6. Site-to-site VPN
7. WebVPN (SSL VPN) configuration
8. Remote-access (dial-in) VPN
9. Syslog server configuration
10. SNMP management configuration
11. ACS configuration
12. AAA configuration
13. Upgrading the IOS image
14. Miscellaneous problems

1. Common tips

sh ru ntp             shows the NTP-related part of the running configuration
sh ru crypto          shows the VPN-related (crypto) part of the running configuration
sh ru | inc crypto    is only a keyword filter: it prints every line containing "crypto", not a configuration section

2. Failover

failover
failover lan unit primary
failover lan interface testint Ethernet0/3
failover link testint Ethernet0/3
failover mac address Ethernet0/1 0018.1900.5000 0018.1900.5001
failover mac address Ethernet0/0 0018.1900.4000 0018.1900.4001
failover mac address Ethernet0/2 0018.1900.6000 0018.1900.6001
failover mac address Management0/0 0018.1900.7000 0018.1900.7001
failover interface ip testint 10.3.3.1 255.255.255.0 standby 10.3.3.2

Note:

It is best to configure virtual MAC addresses.
sh failover       shows the failover configuration and state
write standby     writes the configuration to the standby firewall

The failover command set is as follows (configure mode commands/options):

  interface         Configure the IP address and mask to be used for failover
                    and/or stateful update information
  interface-policy  Set the policy for failover due to interface failures
  key               Configure the failover shared secret or key
  lan               Specify the unit as primary or secondary or configure the
                    interface and vlan to be used for failover communication
  link              Configure the interface and vlan to be used as a link for
                    stateful update information
  mac               Specify the virtual mac address for a physical interface
  polltime          Configure failover poll interval
  replication       Enable HTTP (port 80) connection replication
  timeout           Specify the failover reconnect timeout value for
                    asymmetrically routed sessions

The sh failover command set is as follows:

  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information
  |           Output modifiers

3. Telnet, SSH and HTTP management

username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http 192.168.40.0 255.255.255.0 management
ssh 192.168.40.0 255.255.255.0 inside

4. Common VPN management commands

sh vpn-sessiondb full l2l          shows the state of the site-to-site VPN tunnels
sh ipsec stats                     shows IPsec tunnel statistics
sh vpn-sessiondb summary           shows a VPN summary
sh vpn-sessiondb detail l2l        shows IPsec tunnel details
sh vpn-sessiondb detail svc        shows SSL client sessions
sh vpn-sessiondb detail webvpn     shows WebVPN sessions
sh vpn-sessiondb detail full l2l   roughly the equivalent of "ipsec whack --status" on Linux: if no connection is listed, the IPsec tunnel has not been established yet.

5. Access permissions

Object groups can be created and given different permissions, for example:

object-group network testgroup
 description test
 network-object 192.168.100.34 255.255.255.255
access-list inside_access_in line 2 extended permit ip object-group all any
access-group inside_access_in in interface inside

6. Site-to-site VPN

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 218.16.105.48
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 218.16.105.48 type ipsec-l2l
tunnel-group 218.16.105.48 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group-map enable rules

Note:

Enable PFS and use the IP address as the peer identity (isakmp identity address); only one crypto map can be applied to an interface.

7. WebVPN (SSL VPN) configuration

webvpn
 enable outside
 character-encoding gb2312
 csd image disk0:/securedesktop-asa-3.1.1.16.pkg
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc enable
 customization customization1
  title text TEST WebVPN system
  title style background-color: white; color: rgb(51,153,0); border-bottom: 5px groove #669999; font-size: larger; vertical-align: middle; text-align: left; font-weight: bold
 tunnel-group-list enable

Note:

This can also be configured through the ASDM graphical interface.

After logging in, internal resources can be accessed, for example:

(The client must first install the Java plug-in jre-1_5_0-windows-i586.exe and enable ActiveX in the browser.)

1) Enter the username and password.
2) The toolbar appears.
3) Enter 192.168.40.8 in "Enter Web Address" to reach the internal website.
4) Enter 192.168.40.8 in "Browse Network" to reach shared files.
5) Click "Application Access" to see the port-forwarding settings; for example, pointing PuTTY at local port 2023 logs in to 192.168.40.8 over SSH.

8. Remote-access (dial-in) VPN

The related ASA configuration commands are as follows:

access-list inside_access_in extended permit ip object-group remotegroup any
access-list inside_access_in extended permit icmp object-group remotegroup any
access-list remotevpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
ip local pool dialuserIP 192.168.101.1-192.168.101.254 mask 255.255.255.0
group-policy remotevpn attributes
 dns-server value 202.96.128.68 192.168.40.16
 default-domain value
username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
 address-pool dialuserIP
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key *

The client settings are as follows:

9. Syslog server configuration

logging enable
logging timestamp
logging emblem
logging trap informational
logging asdm warnings
logging host inside 192.168.40.115 format emblem
logging permit-hostdown
vpn-simultaneous-logins 3
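The settings above send EMBLEM-formatted messages at informational level and up to the collector at 192.168.40.115. What follows is an added example, not part of the original notes, of a small Python parser for the collector side: it splits each line into syslog priority, host, severity and the six-digit ASA message ID, checks that the priority agrees with the %ASA severity field, and counts repeated AAA authentication rejects (message 113015) per user. The sample lines are constructed for this example; the line shape "<pri>Mon DD HH:MM:SS host : %ASA-sev-id: text", the host name fw01, the addresses and the user name are assumptions, and the message texts are approximations of the real ones.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample of what the collector would receive with "logging emblem",
# "format emblem" and "logging trap informational". The host name, addresses and
# user are made up; message texts approximate the real 302013/113015/106023/302014 texts.
SAMPLE_LOG = """\
<166>Nov 23 10:01:02 fw01 : %ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/40001 (198.51.100.7/40001) to inside:192.168.40.8/22 (192.168.40.8/22)
<166>Nov 23 10:01:05 fw01 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 192.168.40.20 : user = jiang
<166>Nov 23 10:01:07 fw01 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 192.168.40.20 : user = jiang
<166>Nov 23 10:01:09 fw01 : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 192.168.40.20 : user = jiang
<164>Nov 23 10:02:00 fw01 : %ASA-4-106023: Deny tcp src outside:198.51.100.9/5555 dst inside:192.168.40.8/445 by access-group "102"
<166>Nov 23 10:03:00 fw01 : %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/40001 to inside:192.168.40.8/22 duration 0:01:58 bytes 4096 TCP FINs
this line is not an ASA message and is skipped by the parser
"""

# Assumed EMBLEM line shape: <PRI>Mon DD HH:MM:SS hostname : %ASA-<sev>-<id>: text
EMBLEM_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : "
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): "
    r"(?P<text>.*)$"
)
USER_RE = re.compile(r"\buser = (\S+)")

Record = Dict[str, object]


def parse_line(line: str) -> Optional[Record]:
    """Parse one EMBLEM line; return None for anything that is not an ASA message."""
    m = EMBLEM_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    sev = int(m["sev"])
    return {
        "facility": pri // 8,           # syslog facility from <PRI> (20 = local4, the ASA default)
        "severity": sev,                # the %ASA-<sev> field: 0 = emergencies ... 7 = debugging
        "pri_matches": pri % 8 == sev,  # sanity check: <PRI> severity should agree with %ASA-<sev>
        "timestamp": m["ts"],
        "host": m["host"],
        "msgid": m["msgid"],
        "text": m["text"],
    }


def parse_log(text: str) -> List[Record]:
    """Parse a whole capture, silently dropping non-ASA lines."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def failed_logins(records: List[Record], threshold: int = 3) -> Dict[str, int]:
    """Users with at least `threshold` AAA authentication rejects (message 113015)."""
    counts: Counter = Counter()
    for r in records:
        if r["msgid"] == "113015":
            m = USER_RE.search(str(r["text"]))
            if m:
                counts[m.group(1)] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def severity_histogram(records: List[Record]) -> Counter:
    """How many messages arrived per %ASA severity level."""
    return Counter(r["severity"] for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} messages parsed; severities: {dict(severity_histogram(recs))}")
    for user, n in failed_logins(recs).items():
        print(f"repeated authentication failures: user={user} count={n}")
```

Because "logging trap informational" is set, the collector also receives the level-6 connection build/teardown messages (302013/302014), which are by far the most numerous; the histogram makes that volume visible, and the 113015 counter is the kind of rule a collector would raise an alert on.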

10. SNMP management configuration

snmp-server host inside 192.168.40.47 community testsnmp
snmp-server location DG-GTEST
snmp-server contact jiangdaoyou:6162
snmp-server community testsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart

Note:

Only after the host has been specified can 192.168.40.47 manage the device.

11. ACS configuration

After installation it is managed at http://ip:2002. ACS can provide authorization, authentication and many other functions.

Omitted here because there is too much to cover.

12. AAA configuration

AAA server configuration:

aaa-server radius_dg host
 key dfdfdfdf146**U
 authentication-port 1812
 accounting-port 1813
 radius-common-pw dfdfdfdf146**U

Configuration for dial-in VPN:

tunnel-group vg_testerp general-attributes
 address-pool ciscovpnuser
 authentication-server-group radius_dg
 default-group-policy vg_testerp

13. Upgrading the IOS image

copy tftp://192.168.40.180/asa/asa721-k8.bin disk0:/asa721-k8.bin
boot system disk0:/asa721-k8.bin          (used when there are multiple images)

interface Vlan2
 nameif outside                              -------------------- name the interface as the outside port
 security-level 0                            -------------------- set the interface security level
 ip address X.X.X.X 255.255.255.224          -------------------- set the outside (WAN) address
!
interface Vlan3
 nameif inside                               -------------------- name the interface as the inside port
 security-level 100                          -------------------- set the interface security level
 ip address 192.168.1.1 255.255.255.0        -------------------- set the inside (LAN) address
!
interface Ethernet0/0
 switchport access vlan 2                    -------------------- bind this port to VLAN 2
!
interface Ethernet0/1
 switchport access vlan 3                    -------------------- bind this port to VLAN 3
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 211.99.129.210
 name-server 202.106.196.115
access-list 102 extended permit icmp any any   ------------------ ACL (permit all ICMP)
access-list 102 extended permit ip any any     ------------------ ACL (permit all IP traffic)
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface                 ------------------ NAT translations use the outside interface address
nat (inside) 1 0.0.0.0 0.0.0.0               ------------------ NAT pool (all inside addresses)
access-group 102 in interface outside        ------------------ bind the ACL to the outside interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1      ------------------ default route to the internet
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside                ------------------ allow Telnet from any address (inside)
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside                  ------------------ allow SSH from any address (outside)
ssh timeout 30
ssh version 2
console timeout 0
!
dhcpd address 192.168.1.100-192.168.1.199 inside                   ------------------ DHCP server address pool
dhcpd dns 211.99.129.210 202.106.196.115 interface inside          ------------------ DNS servers handed out on the inside interface
dhcpd enable inside                                                ------------------ enable DHCP on the inside interface

CD-ASA5520
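Several of the settings collected in these notes are worth re-checking before a box goes into production: the sample configuration above allows Telnet from any address on inside and SSH from any address on outside, access-list 102 permits all IP traffic, the VPN sections (6 and 8) rely on 3DES/DES, MD5 and DH group 2 with peer-id validation disabled, and the SNMP section (10) authenticates with a v2c community string. The following Python script is an added example, not from the original notes and not Cisco tooling, that audits a saved "show running-config" text for exactly those points. The excerpt it runs on is constructed from commands in this document (the site-to-site peer is replaced by the documentation address 203.0.113.48); the check names and the high/medium/low scale are the example's own.

```python
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "low" (this example's own scale)
    line_no: int   # 1-based line in the audited text; 0 for config-wide findings
    check: str     # short check identifier
    message: str


ANY_SOURCE = ("0.0.0.0", "0.0.0.0")
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}


def audit_config(config: str) -> List[Finding]:
    """Scan ASA running-config text line by line and collect risky settings."""
    findings: List[Finding] = []
    ssh_access_lines = 0
    ssh_version_2 = False

    for no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()

        # telnet/ssh/http <network> <mask> <interface>: who may reach the management plane
        if tok[0] in ("telnet", "ssh", "http") and len(tok) >= 4 and tok[1][0].isdigit():
            proto, net, mask, ifname = tok[0], tok[1], tok[2], tok[3]
            if proto == "ssh":
                ssh_access_lines += 1
            if proto == "telnet":
                findings.append(Finding("high", no, "cleartext-mgmt",
                                        f"Telnet management enabled on {ifname}; use SSH instead"))
            if (net, mask) == ANY_SOURCE:
                sev = "high" if ifname == "outside" else "medium"
                findings.append(Finding(sev, no, "mgmt-any-source",
                                        f"{proto} management allowed from any address on {ifname}"))
        elif tok[:2] == ["ssh", "version"] and len(tok) == 3:
            ssh_version_2 = tok[2] == "2"
        # access-list NAME extended permit ip any any: no filtering at all
        elif tok[0] == "access-list" and "extended" in tok and tok[-4:] == ["permit", "ip", "any", "any"]:
            findings.append(Finding("high", no, "acl-permit-any",
                                    f"access-list {tok[1]} permits all IP traffic from any source to any destination"))
        # isakmp policy N <attr> <value> (old syntax) or crypto isakmp policy N ... (newer syntax)
        elif tok[:2] == ["isakmp", "policy"] or tok[:3] == ["crypto", "isakmp", "policy"]:
            attr = tok[tok.index("policy") + 2:]
            if len(attr) == 2:
                name, value = attr
                if ((name == "encryption" and value in WEAK_IKE_ENCRYPTION)
                        or (name == "hash" and value in WEAK_IKE_HASH)
                        or (name == "group" and value in WEAK_DH_GROUPS)):
                    findings.append(Finding("medium", no, "weak-ike", f"deprecated IKE parameter: {line}"))
        # crypto ipsec transform-set NAME <esp-...> <esp-...>
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            weak = [t for t in tok[4:] if t in WEAK_ESP]
            if weak:
                findings.append(Finding("medium", no, "weak-transform",
                                        f"transform-set {tok[3]} uses {', '.join(weak)}"))
        # a community string means SNMPv1/v2c: the credential travels in cleartext
        elif tok[:2] == ["snmp-server", "community"] or (tok[:2] == ["snmp-server", "host"] and "community" in tok):
            findings.append(Finding("medium", no, "snmp-community",
                                    "SNMPv1/v2c community string configured; prefer SNMPv3 with auth and priv"))
        elif tok[:2] == ["peer-id-validate", "nocheck"]:
            findings.append(Finding("low", no, "peer-id-nocheck", "IKE peer identity validation disabled"))

    if ssh_access_lines and not ssh_version_2:
        findings.append(Finding("medium", 0, "ssh-v1-allowed",
                                "ssh access is configured but 'ssh version 2' is not set; the SSH version is left at its default"))
    return findings


# Constructed excerpt assembled from commands in these notes (site-to-site peer replaced
# by the documentation address 203.0.113.48); not a complete ASA configuration.
SAMPLE_CONFIG = """\
http 192.168.40.0 255.255.255.0 management
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
tunnel-group 203.0.113.48 ipsec-attributes
 peer-id-validate nocheck
snmp-server host inside 192.168.40.47 community testsnmp
snmp-server community testsnmp
access-list 102 extended permit icmp any any
access-list 102 extended permit ip any any
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
"""

if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(audit_config(SAMPLE_CONFIG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] line {f.line_no:3}  {f.check:16} {f.message}")
```

The script deliberately treats "http 192.168.40.0 255.255.255.0 management" from section 3 as acceptable: the point is the source restriction, and that line has one. Line numbers in the findings refer to the audited text, so the same script can be pointed at a full "show running-config" capture.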
