Basic firewall commands
View the firewall's interface configuration: show interface ip brief   # note this differs from routers and switches (sh ip interface brief)
View the routing table: show route
Default policy
Traffic from a higher security level to a lower security level is permitted
Traffic from a lower security level to a higher security level is denied
Configuring the inside and outside zones
ciscoasa>en
ciscoasa#config t
ciscoasa(config)#hostname ASA2
ASA2(config)#int g1/1
ASA2(config-if)#nameif inside
ASA2(config-if)# security-level 100   // on the 5505-X firewall, as soon as an interface is named inside its default security level is already 100
ASA2(config-if)#ip address 192.168.4.2 255.255.255.0
Connectivity configuration between different zones
tips: first assign each interface to a zone, then configure the ACL policy and apply it to the interface zone with access-group
ciscoasa(config)#interface gigabitEthernet 1/1
ciscoasa(config-if)#ip address 200.1.1.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)#security-level 0
ciscoasa(config)#interface gigabitEthernet 1/2
ciscoasa(config-if)#ip address 201.1.1.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config)#interface gigabitEthernet 1/3
ciscoasa(config-if)#ip address 203.1.1.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config)#interface gigabitEthernet 1/3
ciscoasa(config-if)#nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ciscoasa(config)#route inside 200.1.1.0 255.255.255.0 200.1.1.2   # add the static routes yourself as needed
ciscoasa(config)#route outside 202.1.1.0 255.255.255.0 201.1.1.2
ciscoasa(config)#route dmz 204.1.1.0 255.255.255.0 203.1.1.2
ciscoasa(config)#access-list 101 extended permit ip any any   // permit the ip, tcp and icmp protocols
ciscoasa(config)#access-list 101 extended permit tcp any any
ciscoasa(config)#access-list 101 extended permit icmp any any
ciscoasa(config)#access-group 101 in interface dmz   // apply the ACL in both directions on every interface
ciscoasa(config)#access-group 101 out interface dmz
ciscoasa(config)#access-group 101 in interface inside
ciscoasa(config)#access-group 101 out interface inside
ciscoasa(config)#access-group 101 in interface outside
ciscoasa(config)#access-group 101 out interface outside
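The two rules under "Default policy" and the access-group section above decide together whether a packet crosses the ASA. The following Python model, added here as an example and not code from the original post, evaluates candidate flows against interface security levels and an inbound access-group, so the effect of the page's `permit ip any any` ACL can be compared with a tighter one. The topology (inside=100, dmz=0, outside=0, the 200.1.1.0/24, 204.1.1.0/24 and 202.1.1.0/24 networks) follows the page; the ACL named `outside_in`, the host addresses and the simplifications listed in the docstring are this example's assumptions.

```python
"""Decide whether a flow is allowed through a Cisco ASA from interface security
levels and the ingress access-group. Added example, not code from the original
post; ASA behaviour is simplified as follows (assumptions of this model):
  * No inbound access-group on the ingress interface -> default policy: traffic
    from a higher security level to a lower one is permitted, lower-to-higher
    and equal-to-equal are denied.
  * An inbound access-group on the ingress interface replaces the default
    policy: the first matching entry wins and an unmatched packet is denied.
  * NAT, outbound access-groups, ports and stateful return traffic are ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[str] = None  # ACL bound with "access-group <acl> in interface <name>"


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol; otherwise "tcp", "udp" or "icmp"
    src: str     # "any" or a CIDR such as "204.1.1.0/24"
    dst: str


def _in_scope(rule: str, addr: str) -> bool:
    if rule == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)


def acl_decision(entries: List[AclEntry], proto: str, src: str, dst: str) -> str:
    """First-match evaluation ending in the implicit deny every ASA ACL has."""
    for e in entries:
        if e.proto in ("ip", proto) and _in_scope(e.src, src) and _in_scope(e.dst, dst):
            return e.action
    return "deny"


def flow_permitted(ingress: Interface, egress: Interface, acls: Dict[str, List[AclEntry]],
                   proto: str, src: str, dst: str) -> bool:
    if ingress.acl_in is not None:
        return acl_decision(acls[ingress.acl_in], proto, src, dst) == "permit"
    return ingress.security_level > egress.security_level


# Constructed topology following the page's first example: inside=100, dmz=0,
# outside=0; inside hosts in 200.1.1.0/24, dmz hosts in 204.1.1.0/24, outside in 202.1.1.0/24.
INSIDE = Interface("inside", 100)
DMZ = Interface("dmz", 0)
OUTSIDE = Interface("outside", 0)
# The page's ACL 101 beside a tighter alternative (constructed) for the outside interface.
ACLS: Dict[str, List[AclEntry]] = {
    "101": [AclEntry("permit", "ip", "any", "any"),
            AclEntry("permit", "tcp", "any", "any"),
            AclEntry("permit", "icmp", "any", "any")],
    "outside_in": [AclEntry("permit", "tcp", "any", "204.1.1.0/24")],
}
OUTSIDE_ACL101 = Interface("outside", 0, acl_in="101")
OUTSIDE_TIGHT = Interface("outside", 0, acl_in="outside_in")


if __name__ == "__main__":
    cases = [
        ("inside -> outside, no ACL", INSIDE, OUTSIDE, "tcp", "200.1.1.10", "202.1.1.10"),
        ("outside -> inside, no ACL", OUTSIDE, INSIDE, "tcp", "202.1.1.10", "200.1.1.10"),
        ("dmz -> outside, equal levels", DMZ, OUTSIDE, "icmp", "204.1.1.10", "202.1.1.10"),
        ("outside -> inside, ACL 101", OUTSIDE_ACL101, INSIDE, "tcp", "202.1.1.10", "200.1.1.10"),
        ("outside -> dmz, tight ACL", OUTSIDE_TIGHT, DMZ, "tcp", "202.1.1.10", "204.1.1.10"),
        ("outside -> inside, tight ACL", OUTSIDE_TIGHT, INSIDE, "tcp", "202.1.1.10", "200.1.1.10"),
    ]
    for label, ing, eg, proto, s, d in cases:
        verdict = "permit" if flow_permitted(ing, eg, ACLS, proto, s, d) else "deny"
        print(f"{label:32s} {verdict}")
```

Two things the run makes visible: with ACL 101 bound inbound on outside, the default low-to-high deny no longer applies and outside-to-inside traffic is permitted, which is why an any-any ACL on every interface effectively turns the security levels off; and because the page leaves dmz and outside both at level 0, traffic between them is denied in both directions until an ACL permits it.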
Configuring telnet and ssh on the ASA
telnet configuration
tips: the interface with the lowest security level does not support telnet, e.g. outside
ciscoasa(config)#telnet ?
configure mode commands/options:
  WORD                The IP address of the host and/or network authorized to login to the system
  X:X:X:X::X/<0-128>  IPv6 address/prefix authorized to login to the system
  timeout             Configure telnet idle timeout
ciscoasa(config)#telnet 172.16.10.0 255.255.255.0 inside   # set the zone and subnet allowed to telnet
ciscoasa(config)#username lisen password miller   # local account
ciscoasa(config)#aaa auth
ciscoasa(config)#aaa authentication ?   # use local authentication
configure mode commands/options:
  ssh     SSH
  telnet  Telnet
ciscoasa(config)#aaa authentication telnet ?
configure mode commands/options:
  console  Specify this keyword to identify a server group for administrative authentication
ciscoasa(config)#aaa authentication telnet console ?
configure mode commands/options:
  LOCAL  Predefined server tag for AAA protocol 'local'
ciscoasa(config)#aaa authentication telnet console LOCAL
ssh configuration
asa#conf t
asa(config)#hostname asa   # set the hostname
asa(config)#domain-name chinaskills.cn   # set the domain name
asa(config)#crypto key generate ?
asa(config)#crypto key generate rsa modulus 1024   # set the RSA key length
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
asa(config)#ssh timeout 1   # set the idle timeout
asa(config)#aaa authentication ssh console lo
asa(config)#aaa authentication ssh console loCAL   # ssh logins use the local user database
asa(config)#username chian password P@ssword!23   # local account and password
asa(config)#ssh 10.1.1.0 255.255.255.0 inside   # subnet allowed to ssh in
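The telnet and ssh transcripts above contain the settings an auditor looks at first on the ASA management plane: whether telnet is enabled at all, how wide the permitted source range is, the RSA modulus, the SSH idle timeout and whether ssh logins are tied to AAA. The script below, added here as an example and not code from the original post, reads a transcript of entered commands (constructed from the page's lines) and reports those findings, then checks a hardened variant. The finding names, the thresholds (2048-bit minimum, /24 minimum source scope, 10-minute maximum timeout) and the expectation of an explicit `ssh version 2` line are this example's assumptions about good practice, not ASA requirements.

```python
"""Audit the management-plane lines of an ASA command transcript for common
weaknesses. Added example, not from the original post; the checks and their
thresholds are assumptions of this script:
  * any "telnet <net> <mask> <if>" line      -> cleartext management enabled
  * telnet/ssh source wider than a /24       -> management source too broad
  * "crypto key generate rsa ... modulus N" with N < 2048 -> weak key
  * no "ssh version 2" line                  -> SSHv1 not explicitly excluded
  * no "aaa authentication ssh console ..."  -> ssh not bound to AAA
  * "ssh timeout" missing or above 10 minutes -> idle sessions linger
Generated keys do not appear in a saved running-config, which is why the input
is the transcript of commands that were typed rather than "show running-config".
"""
import ipaddress
import re
from typing import List


def _clean(text: str) -> List[str]:
    """Drop blank lines, whole-line comments and trailing '#' / '//' comments."""
    out = []
    for raw in text.splitlines():
        line = re.split(r"\s+(#|//)", raw, maxsplit=1)[0].strip()
        if line and not line.startswith(("#", "!")):
            out.append(line)
    return out


def audit(transcript: str, min_modulus: int = 2048, max_ssh_timeout: int = 10) -> List[str]:
    lines = _clean(transcript)
    findings: List[str] = []

    if any(l.startswith("telnet ") and not l.startswith("telnet timeout") for l in lines):
        findings.append("TELNET_ENABLED")

    for l in lines:
        m = re.match(r"(telnet|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) \S+$", l)
        if m and ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False).prefixlen < 24:
            findings.append("MGMT_SOURCE_TOO_BROAD")
            break

    for l in lines:
        m = re.match(r"crypto key generate rsa .*modulus (\d+)", l)
        if m and int(m.group(1)) < min_modulus:
            findings.append("WEAK_RSA_MODULUS")
            break

    if not any(l == "ssh version 2" for l in lines):
        findings.append("SSH_V2_NOT_ENFORCED")

    if not any(re.match(r"aaa authentication ssh console \S+", l, re.I) for l in lines):
        findings.append("SSH_NO_AAA")

    timeouts = [int(m.group(1)) for l in lines for m in [re.match(r"ssh timeout (\d+)$", l)] if m]
    if not timeouts or timeouts[-1] > max_ssh_timeout:
        findings.append("SSH_TIMEOUT_MISSING_OR_LONG")

    return findings


# Constructed transcript assembled from the page's telnet and ssh sections.
TRANSCRIPT = """
hostname asa
domain-name chinaskills.cn   # set the domain name
crypto key generate rsa modulus 1024
telnet 172.16.10.0 255.255.255.0 inside
aaa authentication telnet console LOCAL
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 1
aaa authentication ssh console loCAL
"""

# Constructed hardened variant: telnet removed, 2048-bit key, SSHv2 only.
HARDENED = """
hostname asa
domain-name chinaskills.cn
crypto key generate rsa modulus 2048
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 5
aaa authentication ssh console LOCAL
"""

if __name__ == "__main__":
    for label, text in (("page transcript", TRANSCRIPT), ("hardened", HARDENED)):
        print(f"{label}: {audit(text) or 'no findings'}")
```

The page's transcript yields three findings (telnet enabled, 1024-bit RSA modulus, no explicit SSHv2 line), while the hardened variant yields none; the AAA and timeout checks pass on both because the page already binds ssh to the LOCAL database and sets a one-minute idle timeout.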
ASA 9.x: SSH and Telnet configuration example on the inside and outside interfaces (cisco.com)
Detailed walkthrough of a Cisco firewall configuration lab in the Cisco PT simulator, Professional Certification, IT Professional Knowledge, jb51.net (jb51.net)
Tags: Cisco, firewall, telnet, access, interface, asa, ciscoasa, 5506, config From: https://www.cnblogs.com/lisenMiller/p/17190018.html