Fire Wall 防火墙,相信混IT圈的小伙伴们都知道这玩意,当然,防火墙也分软件防火墙与硬件防火墙。
硬件防火墙又分为:基于PC架构与基于ASIC芯片
今天来聊一聊思科的硬件防火墙 Cisco ASA
Cisco ASA 防火墙产品线挺多:Cisco ASA5505 Cisco ASA5510 Cisco ASA5520 Cisco ASA5540 Cisco ASA5550 等等
ASA 的基本配置步骤如下:
配置主机名、域名
hostname [hostname]
domain-name xx.xx
hostname Cisco-ASA 5520
domain-name ciscosas.com.cn
配置登陆用户名密码
password [password]
enable password [password]
配置接口、路由
interface interface_name
nameif [name]
name 有三种接口类型 insdie outside dmz
security-level xx(数值)
数值越大接口安全级别越高
注:默认inside 100 ,outside 0 ,dmz 介于二者之间
静态路由
route interface_number network mask next-hop-address
route outside 0.0.0.0 0.0.0.0 210.210.210.1
配置远程管理接入
Telnet
telnet {network | ip-address } mask interface_name
telnet 192.168.1.0 255.255.255.0 inside
telnet 210.210.210.0 255.255.255.0 outside
SSH
crypto key generate rsa modulus {1024| 2048 }
指定rsa系数,思科推荐1024
ssh timeout minutes
ssh version version_number
crypto key generate rsa modulus 1024
ssh timeout 30
ssh version 2
配置 ASDM(自适应安全设备管理器)接入
http server enbale port 启用功能
http {networdk | ip_address } mask interface_name
asdm image disk0:/asdm_file_name 指定文件位置
username user password password privilege 15
NAT
nat-control
nat interface_name nat_id local_ip mask
global interface_name nat_id {global-ip [global-ip] |interface}
nat-control
nat inside 1 192.168.1.0 255.255.255.0
global outside 1 interface
global dmz 1 192.168.202.100-192.168.202.150
ACL
access-list list-name standad permit | deny ip mask
access-list list-name extendad permit | deny protocol source-ip mask destnation-ip mask port
access-group list-name in | out interface interface_name
如果内网服务器需要以布到公网上
staic real-interface mapped-interface mapped-ip real-ip
staic (dmz,outside) 210.210.202.100 192.168.202.1
保存配置
wirte memory
清除配置
clear configure (all)
标签:Cisco,name,ip,mask,防火墙,ASA,interface From: https://www.cnblogs.com/speednet/p/16945656.html