配置asa 5505防火墙
1.配置防火墙名
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# hostname asa5505
2.配置HTTP、telnet和SSH管理
#username xxx password xxxxxx encrypted privilege 15 //encrypted表示其后的口令已是加密形式；直接输入明文口令时应省略encrypted，否则口令不会按预期生效
#aaa authentication enable console LOCAL
#aaa authentication telnet console LOCAL
#aaa authentication http console LOCAL
#aaa authentication ssh console LOCAL
#aaa authorization command LOCAL
#http server enable
#http 192.168.1.0 255.255.255.0 inside
#telnet 192.168.1.0 255.255.255.0 inside
#ssh 192.168.1.0 255.255.255.0 inside
#crypto key generate rsa(打开SSH服务)
//允许内部接口192.168.1.0网段通过telnet/ssh管理防火墙（telnet为明文协议，建议仅保留ssh）
3.配置密码
asa5505(config)# password cisco
//远程登录（telnet）密码；cisco仅为示例值，实际部署应使用强口令
asa5505(config)# enable password cisco
//特权模式密码；cisco仅为示例值，实际部署应使用强口令
4.配置IP
asa5505(config)# interface vlan 2
//进入vlan2
asa5505(config-if)# ip address 218.xxx.37.222 255.255.255.192
//vlan2配置IP
asa5505(config)#show ip address vlan2
//验证配置
5.端口加入vlan
asa5505(config)# interface e0/3
//进入接口e0/3
asa5505(config-if)# switchport access vlan 3
//接口e0/3加入vlan3
asa5505(config)# interface vlan 3
//进入vlan3
asa5505(config-if)# ip address 10.10.10.36 255.255.255.224
//vlan3配置IP
asa5505(config-if)# nameif dmz
//vlan3名
asa5505(config-if)# no shutdown
//开启
asa5505(config-if)# show switch vlan
//验证配置
6.最大传输单元MTU
asa5505(config)#mtu inside 1500
//inside最大传输单元1500字节
asa5505(config)#mtu outside 1500
//outside最大传输单元1500字节
asa5505(config)#mtu dmz 1500
//dmz最大传输单元1500字节
7.配置arp表的超时时间
asa5505(config)#arp timeout 14400
//arp表的超时时间14400秒
8.FTP模式
asa5505(config)#ftp mode passive
//FTP被动模式
9.配置域名
asa5505(config)#domain-name Cisco.com
10.启动日志
asa5505(config)#logging enable
//启动日志
asa5505(config)#logging asdm informational
//启动asdm报告日志
asa5505(config)#Show logging
//验证配置
11.启用http服务
asa5505(config)#http server enable //启动HTTP server,便于ASDM连接。
asa5505(config)#http 0.0.0.0 0.0.0.0 outside
//对外启用ASDM连接（0.0.0.0 0.0.0.0表示允许任意外部地址访问管理接口，实际部署应限定为管理主机地址）
asa5505(config)#http 0.0.0.0 0.0.0.0 inside
//对内启用ASDM连接
12.控制列表
access-list acl_out extended permit tcp any any eq www
//允许tcp协议80端口入站
access-list acl_out extended permit tcp any any eq https
//允许tcp协议443端口入站
access-list acl_out extended permit tcp any host 218.xxx.37.223 eq ftp //允许tcp协议21端口到218.xxx.37.223主机
access-list acl_out extended permit tcp any host 218.xxx.37.224 eq 3389 //允许tcp协议3389端口（RDP）到218.xxx.37.224主机；源为any表示对任意外部地址开放，建议限定源地址
access-list acl_out extended permit tcp any host 218.xxx.37.225 eq 1433 //允许tcp协议1433端口（SQL Server）到218.xxx.37.225主机；同样建议限定源地址
access-list acl_out extended permit tcp any host 218.xxx.37.226 eq 8080 //允许tcp协议8080端口到218.xxx.37.226主机
asa5505(config)#show access-list
//验证配置
13.设置路由
asa5505(config)#route dmz 10.0.0.0 255.0.0.0 10.10.10.33 1
//静态路由到10.0.0.0网段经过10.10.10.33网关跳数为1
asa5505(config)#route outside 0.0.0.0 0.0.0.0 218.xxx.37.193 1
//默认路由到所有网段经过218.xxx.37.193网关跳数为1
asa5505# show route
//显示路由信息
14.静态NAT
asa5505(config)# static (inside,outside) 218.xxx.37.223 192.168.1.6 netmask 255.255.255.255
//外网218.xxx.37.223映射到内网192.168.1.6
asa5505(config)#access-list acl_out extended permit icmp any any
//控制列表名acl_out允许ICMP协议
asa5505(config)#access-group acl_out in interface outside
//控制列表acl_out应用到outside接口
asa5505(config)#static (inside,dmz) 10.10.10.37 192.168.1.16 netmask 255.255.255.255
//dmz10.10.10.37映射到内网192.168.1.16
asa5505(config)#access-list acl_dmz extended permit icmp any any
//控制列表名acl_dmz允许ICMP协议
asa5505(config)#access-group acl_dmz in interface dmz
//控制列表acl_dmz应用到dmz接口
asa5505(config)#Show nat
//验证配置
15.动态NAT
asa5505(config)#global (outside) 1 218.201.35.224-218.201.35.226
//定义全局地址池
asa5505(config)#nat (inside) 1 192.168.1.20-192.168.1.22
//内部转换地址池
asa5505(config)# show xlate
//验证配置
16.基于端口NAT(PAT)
asa5505(config)#global (outside) 2 interface
//定义全局地址即outside地址:218.xxx.37.222
asa5505(config)#nat (inside) 2 192.168.1.0 255.255.255.0
//内部转换地址池
asa5505(config)# show xlate
//验证配置
17.基于LAN故障倒换(failover)
1).主防火墙配置
asa5505(config)#failover mac addr outside 001a.2b3c.4d11 001a.2b3c.4w12 //故障倒换虚拟MAC地址
asa5505(config)#failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w22 //故障倒换虚拟MAC地址
asa5505(config)#failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w32 //故障倒换虚拟MAC地址（此行与上一行重复了inside且活动MAC相同，应为第三个接口dmz；MAC中的w不是十六进制字符，需替换为实际值）
asa5505(config)#failover
//启动故障倒换（本例未配置failover key，故障倒换链路上的配置同步为明文，建议同时配置failover key）
asa5505(config)#failover lan unit primary
//设置主要防火墙
asa5505(config)#failover lan interface standby Vlan4
//故障倒换接口名standby
asa5505(config)#failover interface ip standby 172.168.32.1 255.255.255.252 standby 172.168.32.2
//配置主防火墙IP:172.168.32.1,备用防火墙IP:172.168.32.2
asa5505# show failover
//验证配置
2).备防火墙配置
asa5505(config)#failover mac addr outside 001a.2b3c.4d11 001a.2b3c.4w12 //故障倒换虚拟MAC地址
asa5505(config)#failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w22 //故障倒换虚拟MAC地址
asa5505(config)#failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w32 //故障倒换虚拟MAC地址
asa5505(config)#failover
//启动故障倒换
asa5505(config)#failover lan unit secondary
//设置备用防火墙
asa5505(config)#failover lan interface standby Vlan4
//故障倒换接口名standby
asa5505(config)#failover interface ip standby 172.168.32.1 255.255.255.252 standby 172.168.32.2
//配置主防火墙IP:172.168.32.1,备用防火墙IP:172.168.32.2
asa5505# show failover
//验证配置
18.显示mac地址
asa5505# show switch mac-address-table
19.保存配置
asa5505# write memory
配置asa 5505防火墙
1.配置防火墙名
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# hostname asa5505
2.配置HTTP、telnet和SSH管理
#username xxx password xxxxxx encrypted privilege 15 //encrypted表示其后的口令已是加密形式；直接输入明文口令时应省略encrypted，否则口令不会按预期生效
#aaa authentication enable console LOCAL
#aaa authentication telnet console LOCAL
#aaa authentication http console LOCAL
#aaa authentication ssh console LOCAL
#aaa authorization command LOCAL
#http server enable
#http 192.168.1.0 255.255.255.0 inside
#telnet 192.168.1.0 255.255.255.0 inside
#ssh 192.168.1.0 255.255.255.0 inside
#crypto key generate rsa(打开SSH服务)
//允许内部接口192.168.1.0网段通过telnet/ssh管理防火墙（telnet为明文协议，建议仅保留ssh）
3.配置密码
asa5505(config)# password cisco
//远程登录（telnet）密码；cisco仅为示例值，实际部署应使用强口令
asa5505(config)# enable password cisco
//特权模式密码；cisco仅为示例值，实际部署应使用强口令
4.配置IP
asa5505(config)# interface vlan 2
//进入vlan2
asa5505(config-if)# ip address 218.xxx.37.222 255.255.255.192
//vlan2配置IP
asa5505(config)#show ip address vlan2
//验证配置
5.端口加入vlan
asa5505(config)# interface e0/3
//进入接口e0/3
asa5505(config-if)# switchport access vlan 3
//接口e0/3加入vlan3
asa5505(config)# interface vlan 3
//进入vlan3
asa5505(config-if)# ip address 10.10.10.36 255.255.255.224
//vlan3配置IP
asa5505(config-if)# nameif dmz
//vlan3名
asa5505(config-if)# no shutdown
//开启
asa5505(config-if)# show switch vlan
//验证配置
6.最大传输单元MTU
asa5505(config)#mtu inside 1500
//inside最大传输单元1500字节
asa5505(config)#mtu outside 1500
//outside最大传输单元1500字节
asa5505(config)#mtu dmz 1500
//dmz最大传输单元1500字节
7.配置arp表的超时时间
asa5505(config)#arp timeout 14400
//arp表的超时时间14400秒
8.FTP模式
asa5505(config)#ftp mode passive
//FTP被动模式
9.配置域名
asa5505(config)#domain-name Cisco.com
10.启动日志
asa5505(config)#logging enable
//启动日志
asa5505(config)#logging asdm informational
//启动asdm报告日志
asa5505(config)#Show logging
//验证配置
11.启用http服务
asa5505(config)#http server enable //启动HTTP server,便于ASDM连接。
asa5505(config)#http 0.0.0.0 0.0.0.0 outside
//对外启用ASDM连接（0.0.0.0 0.0.0.0表示允许任意外部地址访问管理接口，实际部署应限定为管理主机地址）
asa5505(config)#http 0.0.0.0 0.0.0.0 inside
//对内启用ASDM连接
12.控制列表
access-list acl_out extended permit tcp any any eq www
//允许tcp协议80端口入站
access-list acl_out extended permit tcp any any eq https
//允许tcp协议443端口入站
access-list acl_out extended permit tcp any host 218.xxx.37.223 eq ftp //允许tcp协议21端口到218.xxx.37.223主机
access-list acl_out extended permit tcp any host 218.xxx.37.224 eq 3389 //允许tcp协议3389端口（RDP）到218.xxx.37.224主机；源为any表示对任意外部地址开放，建议限定源地址
access-list acl_out extended permit tcp any host 218.xxx.37.225 eq 1433 //允许tcp协议1433端口（SQL Server）到218.xxx.37.225主机；同样建议限定源地址
access-list acl_out extended permit tcp any host 218.xxx.37.226 eq 8080 //允许tcp协议8080端口到218.xxx.37.226主机
asa5505(config)#show access-list
//验证配置
13.设置路由
asa5505(config)#route dmz 10.0.0.0 255.0.0.0 10.10.10.33 1
//静态路由到10.0.0.0网段经过10.10.10.33网关跳数为1
asa5505(config)#route outside 0.0.0.0 0.0.0.0 218.xxx.37.193 1
//默认路由到所有网段经过218.xxx.37.193网关跳数为1
asa5505# show route
//显示路由信息
14.静态NAT
asa5505(config)# static (inside,outside) 218.xxx.37.223 192.168.1.6 netmask 255.255.255.255
//外网218.xxx.37.223映射到内网192.168.1.6
asa5505(config)#access-list acl_out extended permit icmp any any
//控制列表名acl_out允许ICMP协议
asa5505(config)#access-group acl_out in interface outside
//控制列表acl_out应用到outside接口
asa5505(config)#static (inside,dmz) 10.10.10.37 192.168.1.16 netmask 255.255.255.255
//dmz10.10.10.37映射到内网192.168.1.16
asa5505(config)#access-list acl_dmz extended permit icmp any any
//控制列表名acl_dmz允许ICMP协议
asa5505(config)#access-group acl_dmz in interface dmz
//控制列表acl_dmz应用到dmz接口
asa5505(config)#Show nat
//验证配置
15.动态NAT
asa5505(config)#global (outside) 1 218.201.35.224-218.201.35.226
//定义全局地址池
asa5505(config)#nat (inside) 1 192.168.1.20-192.168.1.22
//内部转换地址池
asa5505(config)# show xlate
//验证配置
16.基于端口NAT(PAT)
asa5505(config)#global (outside) 2 interface
//定义全局地址即outside地址:218.xxx.37.222
asa5505(config)#nat (inside) 2 192.168.1.0 255.255.255.0
//内部转换地址池
asa5505(config)# show xlate
//验证配置
17.基于LAN故障倒换(failover)
1).主防火墙配置
asa5505(config)#failover mac addr outside 001a.2b3c.4d11 001a.2b3c.4w12 //故障倒换虚拟MAC地址
asa5505(config)#failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w22 //故障倒换虚拟MAC地址
asa5505(config)#failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w32 //故障倒换虚拟MAC地址（此行与上一行重复了inside且活动MAC相同，应为第三个接口dmz；MAC中的w不是十六进制字符，需替换为实际值）
asa5505(config)#failover
//启动故障倒换（本例未配置failover key，故障倒换链路上的配置同步为明文，建议同时配置failover key）
asa5505(config)#failover lan unit primary
//设置主要防火墙
asa5505(config)#failover lan interface standby Vlan4
//故障倒换接口名standby
asa5505(config)#failover interface ip standby 172.168.32.1 255.255.255.252 standby 172.168.32.2
//配置主防火墙IP:172.168.32.1,备用防火墙IP:172.168.32.2
asa5505# show failover
//验证配置
2).备防火墙配置
asa5505(config)#failover mac addr outside 001a.2b3c.4d11 001a.2b3c.4w12 //故障倒换虚拟MAC地址
asa5505(config)#failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w22 //故障倒换虚拟MAC地址
asa5505(config)#failover mac addr inside 001a.2b3c.4d21 001a.2b3c.4w32 //故障倒换虚拟MAC地址
asa5505(config)#failover
//启动故障倒换
asa5505(config)#failover lan unit secondary
//设置备用防火墙
asa5505(config)#failover lan interface standby Vlan4
//故障倒换接口名standby
asa5505(config)#failover interface ip standby 172.168.32.1 255.255.255.252 standby 172.168.32.2
//配置主防火墙IP:172.168.32.1,备用防火墙IP:172.168.32.2
asa5505# show failover
//验证配置
18.显示mac地址
asa5505# show switch mac-address-table
19.保存配置
asa5505# write memory