Multi-platform unified management software interface: how to implement a unified multi-platform management software interface
2022-09-11
Common baseline configuration for a new Cisco ASA (initial configuration)
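Configure the hostname, the enable password and the login password:

hostname ASA5510
! "encrypted" marks the value as an already-hashed string, as printed by show running-config;
! leave the keyword off when typing a cleartext password
enable password cisco encrypted
passwd cisco encrypted
username luotao password xxxxxx

! purpose unknown
user-identity default-domain LOCAL
! SSH logins are authenticated against the local user database
aaa authentication ssh console LOCAL
! Telnet logins are authenticated against the local user database
aaa authentication telnet console LOCAL
aaa authorization command LOCAL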
Configure the time zone:

! syntax: clock timezone <zone> <hours> [minutes]; Beijing is UTC+8
clock timezone beijing 8
Configure the outside, inside and management interfaces:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 11.11.11.11 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0 standby 10.1.1.253
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
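Configure remote management:

! Telnet is cleartext; it is limited here to 10.1.100.0/24 on the inside interface
telnet 10.1.100.0 255.255.255.0 inside
telnet timeout 5
! SSH is accepted from any source address that arrives on the inside interface
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
! dh-group1-sha1 uses a 1024-bit group; dh-group14-sha1 (2048-bit) is the stronger
! option where the ASA release supports it
ssh key-exchange group dh-group1-sha1
! 0 disables the console idle timeout
console timeout 0
management-access inside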
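The check below is an added example, not part of the original post: a small Python audit of the remote-management lines above that flags Telnet access, management rules with a broad source network, the dh-group1-sha1 key exchange and a disabled console timeout. The function name `audit_mgmt`, the rule names and the `max_hosts` threshold are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the remote-management lines from this page.
SAMPLE_CONFIG = """\
telnet 10.1.100.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
"""

# "<telnet|ssh> <network> <mask> <interface>" access rules
ACCESS_RE = re.compile(r"^(telnet|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def audit_mgmt(config, max_hosts=256):
    """Return (line_no, rule_id, detail) findings for management-plane lines."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = " ".join(raw.split())          # normalise whitespace
        if not line or line.startswith("!"):  # blank line or ASA comment
            continue
        m = ACCESS_RE.match(line)
        if m:
            proto, net, mask, ifc = m.groups()
            try:
                network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            except ValueError:                # malformed address or mask
                findings.append((no, "BAD-NETWORK", line))
                continue
            if proto == "telnet":
                findings.append((no, "TELNET-ENABLED", f"cleartext management from {network} on {ifc}"))
            if network.num_addresses > max_hosts:
                findings.append((no, "BROAD-SOURCE", f"{proto} allowed from {network} on {ifc}"))
        elif line == "ssh key-exchange group dh-group1-sha1":
            findings.append((no, "WEAK-KEX", "1024-bit DH group for SSH key exchange"))
        elif line == "console timeout 0":
            findings.append((no, "NO-CONSOLE-TIMEOUT", "console sessions never expire"))
    return findings


if __name__ == "__main__":
    for no, rule, detail in audit_mgmt(SAMPLE_CONFIG):
        print(f"line {no}: {rule}: {detail}")
```
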
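Configure failover

Primary firewall:

int G0/6
 description LAN/STATE Failover Interface
 no sh
 exit
failover lan unit primary
failover lan interface HA GigabitEthernet0/6
! optional; the key must match on both units
failover key cisco
! stateful failover link (session persistence)
failover link HA GigabitEthernet0/6
failover interface ip HA 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover

Secondary firewall:

int G0/6
 description LAN/STATE Failover Interface
 no sh
 exit
! back in global configuration mode
failover lan unit secondary
! heartbeat (failover LAN) interface
failover lan interface HA GigabitEthernet0/6
! optional; the key must match on both units
failover key cisco
! entered exactly as on the primary: active address first, then the standby address
failover interface ip HA 10.10.10.1 255.255.255.0 standby 10.10.10.2
! start synchronization
failover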
Check the failover pair:

show failover

Synchronize the primary firewall's configuration to the secondary:

write standby
Once the failover pair is established, continue with the following configuration.

NAT: internal servers or PCs need Internet access (pre-8.3 syntax):

global (outside) 1 interface
! 1 is the NAT ID and must be the same in both commands; 10.1.0.0/16 is the internal network
nat (inside) 1 10.1.0.0 255.255.0.0

Or use the following configuration (8.3 and later syntax):

object-group network inside-to-outside
 network-object 10.1.10.0 255.255.255.0
 network-object 10.1.20.0 255.255.255.0
nat (inside,outside) source dynamic inside-to-outside interface

NAT: publish a service to the Internet with a one-to-one IP mapping:

object network ser10.1.10.31
 host 10.1.10.31
object network ser10.1.10.31
 nat (inside,outside) static 11.11.11.12

Configure access control:

access-list acl-out-to-in extended permit icmp any any
access-list acl-out-to-in extended permit tcp any host 10.1.10.101 eq 8080
access-list acl-out-to-in extended permit tcp any host 10.1.10.102 eq 35778
access-list acl-out-to-in extended deny ip any any
access-group acl-out-to-in in interface outside

Configure routing:

route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
route inside 10.1.10.0 255.255.255.0 10.1.1.1 1
route inside 10.1.20.0 255.255.255.0 10.1.1.1 1

SLA:

sla monitor 1
 type echo protocol ipIcmpEcho X.X.X.X interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1 track 1
Optional configuration: DHCP

dhcpd address 10.1.1.1-10.1.1.200 inside
dhcpd dns 114.114.114.114
dhcpd lease 3600
dhcpd ping_timeout 500
dhcpd domain jzsec.com
! enable the DHCP server on the inside interface
dhcpd enable inside
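Optional configuration: HTTP server

! enable the HTTP server and list the networks allowed to reach it on each interface
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.100.0 255.255.255.0 inside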
Other optional configuration:

! guard against fast (flood) pings
icmp unreachable rate-limit 1 burst-size 1
! refuse pings from the outside network
icmp deny any outside
! allow pings from the inside zone
icmp permit any inside