ASA firewall configuration essentials
ASA firewall technical notes, 27 September 2006

1. Basic configuration

Set the device name:
  hostname melcohkasa
  domain-name

Configure users and passwords:
  username ahsu password WtIBQAqhMu/Lx5iy encrypted privilege 15
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  aaa authentication enable console LOCAL
  enable password iraxXocttscgektg encrypted

Configure the time zone and NTP:
  clock timezone HKST 8
  ntp server source inside prefer
or
  ntp server source outside prefer
  sh clock            shows the current time

Configure HTTP and telnet management:
  management-access inside
  http inside
  telnet inside

2. Useful tricks

  sh ru ntp                          show only the NTP-related configuration
  sh ru crypto                       show only the VPN-related configuration
  sh ru | inc crypto                 plain keyword filtering, nothing more
  copy running-config flash:/.cfg    keep a copy of a given day's configuration

3. Failover

  failover
  failover lan unit primary
  failover lan interface testint Ethernet0/3
  failover link testint Ethernet0/3
  failover mac address Ethernet0/1
  failover mac address Ethernet0/0
  failover mac address Ethernet0/2
  failover mac address Management0/0
  failover interface ip testint 10.3.3.1 standby
Note: it is best to configure virtual MAC addresses.
  sh failover       show the failover configuration and state
  write standby     write the configuration to the standby firewall

The failover configure-mode commands are:
  interface          Configure the IP address and mask to be used for failover and/or stateful update information
  interface-policy   Set the policy for failover due to interface failures
  key                Configure the failover shared secret or key
  lan                Specify the unit as primary or secondary or configure the interface and vlan to be used for failover communication
  link               Configure the interface and vlan to be used as a link for stateful update information
  mac                Specify the virtual mac address for a physical interface
  polltime           Configure failover poll interval
  replication        Enable HTTP (port 80) connection replication
  timeout            Specify the failover reconnect timeout value for asymmetrically routed sessions

The sh failover sub-commands are:
  history      Show failover switching history
  interface    Show failover command interface information
  state        Show failover internal state information
  statistics   Show failover command interface statistics information
  |            Output modifiers

4. Telnet, SSH and HTTP management

  username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
  aaa authentication enable console LOCAL
  aaa authentication telnet console LOCAL
  aaa authentication ssh console LOCAL
  aaa authorization command LOCAL
  http management
  ssh inside
(to enable the SSH service: crypto key generate rsa)

5. Common VPN management commands

  sh vpn-sessiondb full l2l          show the state of the site-to-site VPN tunnels
  sh ipsec stats                     show IPsec tunnel statistics
  sh vpn-sessiondb summary           show a VPN summary
  sh vpn-sessiondb detail l2l        show IPsec details
  sh vpn-sessiondb detail svc        show SSL client sessions
  sh vpn-sessiondb detail webvpn     show WebVPN sessions
  sh vpn-sessiondb detail full l2l   the equivalent of "ipsec whack --status" on Linux; if no connection is listed, the IPsec tunnel has not been established.

6. Access permissions

Object groups can be created and given different permissions, for example:
  object-group network testgroup
   description test
   network-object
  access-list inside_access_in line 2 extended permit ip object-group all any
  access-group inside_access_in in interface inside

7. Port NAT (PAT)

When several public IP addresses are available, simply configure NAT; that case is straightforward and not covered here. When the ASA has only one public IP address (e.g. on an ADSL connection), PAT can use the outside interface's own address. For example, to reach a terminal server on the inside through the outside interface address:
  static (inside,outside) tcp interface 3389 3389 netmask dns

8. General NAT rules

For an ASA with a DMZ, the usual NAT rules are:
  inside interface: a dynamic rule that translates to the interface address toward outside and toward the DMZ; if a group of internal addresses must be translated to one fixed public IP, a dynamic policy-NAT rule is needed instead.
  DMZ interface: a static rule that translates 10.2.2.165 to a fixed public IP toward outside.
  outside interface: normally no rules.
Normally Proxy-ARP is enabled on both outside and DMZ.
Note: with the above in place, the inside network and the DMZ can reach the Internet, and the Internet can reach the DMZ servers. The inside network reaches the DMZ via 10.2.2.x (a ping by host name is automatically resolved to that address).

9. DMZ access to inside servers

For a DMZ server to reach servers on the inside (such as the database and the DC), the following NAT rule is needed in addition to the general rules:
  static (inside,dmz) 10.2.2.16 netmask dns tcp 0 0 udp 0
That is, when a DMZ server accesses 10.2.2.16 it reaches the DC on the inside network (at the DC's internal IP).
Note: Proxy-ARP must be enabled on the DMZ interface.

10. Site-to-site VPN

  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map outside_map 20 match address outside_cryptomap_20_1
  crypto map outside_map 20 set pfs
  crypto map outside_map 20 set peer
  crypto map outside_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  isakmp identity address
  isakmp enable outside
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  tunnel-group type ipsec-l2l
  tunnel-group ipsec-attributes
   pre-shared-key *
   peer-id-validate nocheck
  tunnel-group-map enable rules
Note: enable PFS and use the peer's IP address as the tunnel-group name; an interface can carry only one crypto map.

11. WebVPN (SSL VPN)

  webvpn
   enable outside
   character-encoding gb2312
   csd image disk0:/3.1.1
   svc image disk0:/1.1.0 1
   svc enable
   customization customization1
    title text CML WebVPN system
    title style background-color:white;color: rgb(51,153,0);border-bottom:5px groove #669999;font-size:larger;vertical-align:middle;text-align:left;font-weight:bold
   tunnel-group-list enable
Note: this can also be configured through the ASDM GUI.
After logging in, internal resources can be accessed, for example (the client must first install the Java plug-in and enable ActiveX in the browser):
 1) enter the user name and password;
 2) the toolbar appears;
 3) enter the address in "Enter Web Address" to reach an internal web site;
 4) enter the path in "Browse Network" to reach shared files;
 5) click "Application Access" to see the port-forwarding settings; for example, pointing PuTTY at local port 2023 logs in to the remote host over SSH.

12. Remote-access (dial-in) VPN

The related ASA configuration commands are:
  access-list inside_access_in extended permit ip object-group remotegroup any
  access-list inside_access_in extended permit icmp object-group remotegroup any
  access-list remotevpn_splitTunnelAcl standard permit
  access-list vpnclient_splitTunnelAcl standard permit
  ip local pool dialuserIP mask
  group-policy remotevpn attributes
   dns-server value
   default-domain value
  username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 20 set pfs
  crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 20 set reverse-route
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  tunnel-group remotevpn type ipsec-ra
  tunnel-group remotevpn general-attributes
   address-pool dialuserIP
   default-group-policy remotevpn
  tunnel-group remotevpn ipsec-attributes
   pre-shared-key *
The client settings are as follows:

13. Logging server

  logging enable
  logging timestamp
  logging emblem
  logging trap informational
  logging asdm warnings
  logging host inside format emblem
  logging permit-hostdown
  vpn-simultaneous-logins 3
Note: on the Linux VPN server, "asa" shows the warning messages and "asainfo" shows the ASA access messages.

14. SNMP management

  snmp-server host inside community cmlsystem
  snmp-server location DG-CML
  snmp-server contact jiangdaoyou:6162
  snmp-server community cmlsystem
  snmp-server enable traps snmp authentication linkup linkdown coldstart
Note: management is only possible once the host has been specified.

15. ACS configuration

Management after installation: through ACS, authorization, authentication and many other functions can be performed.

16. AAA configuration

AAA server configuration:
  aaa-server radius_dg host
   key dfdfdfdf146*U
   authentication-port 1812
   accounting-port 1813
   radius-common-pw dfdfdfdf146*U
For dial-in VPN:
  tunnel-group vg_testerp general-attributes
   address-pool ciscovpnuser
   authentication-server-group radius_dg
   default-group-policy vg_testerp
Then install the IAS service on dc03 and configure it as follows:

17. Upgrading the IOS

  copy disk0:/
  boot system disk0:/      (used when several images are present)
  asdm image disk0:/
To activate 3DES (turning K8 into K9):
  activation-key 0x850d314d 0x485d8ce1 0x28f319ac 0x8a3c941c 0x4833ca88
then reload to restart.

18. Troubleshooting

A remote subnet cannot ping the far-side gateway; for example, from Wuxi Gelan (无锡格兰) the address cannot be pinged. Enter the command:
  management-access inside
(this item cannot be set through ASDM).
1) NAT sometimes does not take effect promptly: use the command clear xlate.
2) After a static NAT is configured, the inside network cannot ping the internal web server's internal IP address: disable the Proxy ARP function on the inside interface.
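Sections 4, 6, 10, 12 and 14 above leave telnet management enabled alongside SSH, open an access list with "permit ip ... any", define ESP-DES/MD5 transform sets next to the 3DES one, disable peer-id validation, and rely on an SNMP community string. The script below is an added example, not code from the original notes or from Cisco: it reads a running-config excerpt and reports those settings, distinguishing a weak transform set that a crypto map actually references from one that is merely defined, and checking that every enabled management protocol has a matching "aaa authentication ... console" line. The sample configuration is constructed from the commands in these notes; the management network, peer address and community string in it are assumed placeholders, and the check list is this example's own, not a complete ASA hardening baseline.

```python
"""Flag weak settings in an ASA running-config excerpt (added example)."""
import re
from dataclasses import dataclass

# Constructed from the commands in these notes; the management network,
# peer address and community string are placeholders, not real values.
SAMPLE_CONFIG = """\
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http 10.3.3.0 255.255.255.0 inside
telnet 10.3.3.0 255.255.255.0 inside
ssh 10.3.3.0 255.255.255.0 inside
access-list inside_access_in line 2 extended permit ip object-group all any
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set transform-set ESP-3DES-SHA
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
snmp-server host inside 10.3.3.50 community placeholder-community
snmp-server community placeholder-community
logging trap informational
"""


@dataclass(frozen=True)
class Finding:
    code: str       # short label, e.g. TELNET_ENABLED
    severity: str   # high / medium / low
    line: str       # the configuration line the finding refers to
    message: str


WEAK_ESP = {"esp-des", "esp-md5-hmac", "esp-null"}
WEAK_ISAKMP = {("encryption", "des"), ("hash", "md5"), ("group", "1")}
TRAP_LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
               "notifications", "informational", "debugging"]
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")


def trap_index(level):
    """Numeric level of a 'logging trap' argument (name or digit), None if unset/unknown."""
    if level is None:
        return None
    if level.isdigit():
        return int(level)
    return TRAP_LEVELS.index(level) if level in TRAP_LEVELS else None


def audit_config(config: str) -> list:
    findings = []
    aaa_protocols = set()   # protocols covered by "aaa authentication X console"
    mgmt_enabled = {}       # http/ssh/telnet -> line that opened management access
    transform_sets = {}     # name -> (definition line, set of algorithms)
    used_sets = set()       # names referenced by a crypto map or dynamic map
    trap_level = None
    for raw in config.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["aaa", "authentication"] and "console" in tok:
            aaa_protocols.add(tok[2])
        elif tok[0] in ("http", "ssh", "telnet") and len(tok) >= 4 and IPV4.match(tok[1]):
            mgmt_enabled[tok[0]] = line
        elif tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) >= 5:
            transform_sets[tok[3]] = (line, set(tok[4:]))
        elif "set" in tok and "transform-set" in tok:
            used_sets.update(tok[tok.index("transform-set") + 1:])
        elif "isakmp" in tok and "policy" in tok:
            i = tok.index("policy")
            if len(tok) >= i + 4 and (tok[i + 2], tok[i + 3]) in WEAK_ISAKMP:
                findings.append(Finding("WEAK_ISAKMP", "high", line,
                                        f"ISAKMP policy uses {tok[i + 2]} {tok[i + 3]}"))
        elif tok[:2] == ["peer-id-validate", "nocheck"]:
            findings.append(Finding("PEER_ID_NOCHECK", "medium", line,
                                    "peer identity validation is disabled"))
        elif tok[0] == "snmp-server" and "community" in tok:
            findings.append(Finding("SNMP_COMMUNITY", "medium", line,
                                    "SNMPv1/v2c community string travels in cleartext"))
        elif tok[0] == "access-list" and "permit" in tok:
            p = tok.index("permit")
            if len(tok) > p + 1 and tok[p + 1] == "ip" and tok[-1] == "any":
                findings.append(Finding("BROAD_PERMIT", "medium", line,
                                        "permits all IP traffic to any destination"))
        elif tok[:2] == ["logging", "trap"] and len(tok) == 3:
            trap_level = tok[2]
    for proto, line in mgmt_enabled.items():
        if proto not in aaa_protocols:
            findings.append(Finding("NO_AAA", "high", line,
                                    f"{proto} management has no 'aaa authentication {proto} console'"))
        if proto == "telnet":
            findings.append(Finding("TELNET_ENABLED", "medium", line,
                                    "telnet management is cleartext; use ssh only"))
    for name, (line, algs) in transform_sets.items():
        weak = sorted(algs & WEAK_ESP)
        if weak:
            in_use = name in used_sets   # referenced weak sets are the real exposure
            findings.append(Finding("WEAK_TRANSFORM_SET", "high" if in_use else "low", line,
                                    f"{name} uses {', '.join(weak)}"
                                    + ("" if in_use else " (defined but not referenced)")))
    idx = trap_index(trap_level)
    if idx is None or idx < TRAP_LEVELS.index("informational"):
        findings.append(Finding("TRAP_LEVEL", "low", f"logging trap {trap_level}",
                                "syslog host will miss severity-6 connection and AAA messages"))
    return findings
```

Run audit_config(SAMPLE_CONFIG) and print the Finding objects; on this sample it reports the telnet line, the "permit ip ... any" line, the two community-string lines, the peer-id-validate line and the two DES transform sets at low severity (defined, never referenced), and stays quiet about AAA and the trap level because every enabled management protocol has its aaa line and "logging trap informational" is what section 13 configures.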
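Section 13 sends EMBLEM-format syslog at level informational to a Linux host, where "asa" shows the warning messages and "asainfo" shows the access messages. The script below is an added example of how such views can be built; it is not the notes' own "asa"/"asainfo" tooling, whose implementation the notes do not show. It parses the "%ASA-<severity>-<message id>" header that every ASA syslog message carries, keeps the host and timestamp that EMBLEM prefixes to it, and splits the result by severity and by message ID. The log lines are constructed for this example (host name from section 1, documentation addresses), the exact EMBLEM line layout is assumed as noted in the code, and the set of message IDs treated as "access" messages is this example's own choice.

```python
"""Split ASA EMBLEM syslog into warning and access views (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Assumed line layout for "logging emblem" together with "logging timestamp":
#   <hostname>: <Mon DD YYYY HH:MM:SS>: %ASA-<severity>-<message id>: <text>
EMBLEM = re.compile(
    r"^(?P<host>\S+):\s*"
    r"(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d):\s*)?"
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Message IDs this example treats as "access" messages: ACL denies, TCP
# connection build/teardown, AAA results and commands run by administrators.
ACCESS_MSGIDS = {"106023", "302013", "302014", "113004", "113005", "111008"}

# Constructed sample: host name from these notes, addresses from documentation
# ranges. The last line is a non-ASA message from the syslog host itself.
SAMPLE_LOG = """\
melcohkasa: Sep 27 2006 09:15:02: %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:10.3.3.20/51514 (198.51.100.1/1027)
melcohkasa: Sep 27 2006 09:15:07: %ASA-4-106023: Deny tcp src outside:198.51.100.77/40211 dst inside:10.3.3.20/3389 by access-group "outside_access_in"
melcohkasa: Sep 27 2006 09:16:10: %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.3.3.5 : user = ahsu
melcohkasa: Sep 27 2006 09:16:31: %ASA-5-111008: User 'jiang' executed the 'clear xlate' command.
melcohkasa: Sep 27 2006 09:17:00: %ASA-1-105008: (Primary) Testing Interface inside
Sep 27 09:17:01 vpnhost CRON[4121]: (root) CMD (run-parts /etc/cron.hourly)
"""


@dataclass(frozen=True)
class AsaMessage:
    host: str
    timestamp: Optional[str]
    severity: int
    msgid: str
    text: str


def parse_line(line: str) -> Optional[AsaMessage]:
    """Parse one syslog line; None for lines that are not ASA EMBLEM messages."""
    m = EMBLEM.match(line.strip())
    if not m:
        return None
    return AsaMessage(m["host"], m["ts"], int(m["sev"]), m["msgid"], m["text"])


def parse_lines(lines) -> List[AsaMessage]:
    return [msg for msg in map(parse_line, lines) if msg is not None]


def warnings_view(msgs) -> List[AsaMessage]:
    """What the 'asa' view shows: severity 4 (warnings) and anything more urgent."""
    return [m for m in msgs if m.severity <= 4]


def access_view(msgs) -> List[AsaMessage]:
    """What the 'asainfo' view shows: access-related message IDs at any severity."""
    return [m for m in msgs if m.msgid in ACCESS_MSGIDS]


def severity_histogram(msgs) -> dict:
    """Count of messages per severity name, a quick sanity check on the trap level."""
    return dict(Counter(SEVERITY_NAMES[m.severity] for m in msgs))


if __name__ == "__main__":
    msgs = parse_lines(SAMPLE_LOG.splitlines())
    for m in warnings_view(msgs):
        print("WARN  ", m.timestamp, m.msgid, m.text)
    for m in access_view(msgs):
        print("ACCESS", m.timestamp, m.msgid, m.text[:60])
    print(severity_histogram(msgs))
```

Because the ASA tags every message with its severity and a fixed six-digit ID, filtering on those two fields is far more robust than grepping message text, and the histogram makes it obvious when "logging trap" has been lowered below informational and the severity-6 connection and AAA messages have silently stopped arriving.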