Cisco ASA 5506-X firewall basics
Basic firewall commands
Show the interface IP configuration: show interface ip brief  #the ASA syntax differs from IOS routers and switches (sh ip interface brief)
Show the routing table: show route
Default policy
Traffic from a higher security level to a lower one is permitted, and the ASA tracks the connection so its return traffic is allowed back in.
Traffic from a lower security level to a higher one is denied unless an ACL permits it. Two interfaces with the same security level do not pass traffic either unless same-security-traffic permit inter-interface is configured.
Configuring the inside and outside zones
ciscoasa>en
ciscoasa#config t
ciscoasa(config)#hostname ASA2
ASA2(config)#int g1/1
ASA2(config-if)#nameif inside
ASA2(config-if)#security-level 100 //an interface named "inside" gets security level 100 by default; any other nameif defaults to 0
ASA2(config-if)#ip address 192.168.4.2 255.255.255.0
ASA2(config-if)#no shutdown //5506-X interfaces are administratively down until enabled
The outside zone is configured the same way with nameif outside, which defaults to security level 0.
Interconnecting the zones
tips: first put each interface in a zone (nameif plus security-level), then write the ACL and bind it to the interface with access-group
ciscoasa(config)#interface gigabitEthernet 1/1
ciscoasa(config-if)#ip address 200.1.1.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)#security-level 100 //keep inside at 100; the original transcript set it to 0 here, which made inside and outside the same level and blocked inside-to-outside traffic
ciscoasa(config-if)#interface gigabitEthernet 1/2
ciscoasa(config-if)#ip address 201.1.1.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)#interface gigabitEthernet 1/3
ciscoasa(config-if)#ip address 203.1.1.1 255.255.255.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ciscoasa(config-if)#security-level 50 //a DMZ left at 0 is indistinguishable from outside; give it a level between inside and outside
ciscoasa(config-if)#route inside 200.1.1.0 255.255.255.0 200.1.1.2 #add static routes as needed. 200.1.1.0/24 is directly connected to inside, so this particular route is redundant: the static should name the network that sits behind 200.1.1.2
ciscoasa(config)#route outside 202.1.1.0 255.255.255.0 201.1.1.2
ciscoasa(config)#route dmz 204.1.1.0 255.255.255.0 203.1.1.2
ciscoasa(config)#access-list 101 extended permit ip any any //permit ip already matches tcp and icmp, so the next two entries never match
ciscoasa(config)#access-list 101 extended permit tcp any any
ciscoasa(config)#access-list 101 extended permit icmp any any
ciscoasa(config)#access-group 101 in interface dmz //bind the ACL inbound and outbound on every interface. Lab only: once an inbound ACL is applied, the security-level default is replaced by the ACL, and permit ip any any on outside lets any connection in, so the ASA becomes a plain router. A real deployment permits only the required services on outside and relies on the security levels elsewhere
ciscoasa(config)#access-group 101 out interface dmz
ciscoasa(config)#access-group 101 in interface inside
ciscoasa(config)#access-group 101 out interface inside
ciscoasa(config)#access-group 101 in interface outside
ciscoasa(config)#access-group 101 out interface outside
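The default policy and the zone configuration above, modelled as an added Python example (this is not code from the page or from Cisco; it encodes the ASA rules as Cisco documents them, for new connections only). The interface names, security levels and access-list 101 follow the page; the DMZ web server 203.1.1.10 and the ACL name OUTSIDE_IN in the least-privilege variant are assumptions. It shows why the transcript's security-level 0 on inside broke inside-to-outside traffic, why permit ip any any on every interface opens the firewall, and what a least-privilege outside ACL looks like.

```python
"""Model of the ASA default interface policy and its ACL override (added example).

Rules encoded:
  * Without an inbound ACL on the ingress interface, a NEW connection is allowed
    only if the ingress security level is strictly higher than the egress one;
    equal levels need `same-security-traffic permit inter-interface`.
  * An inbound ACL (`access-group X in interface I`) replaces that implicit rule:
    the ACL alone decides, first match wins, implicit deny at the end.
  * An outbound ACL on the egress interface must also permit.
Stateful return traffic of established connections is not modelled.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else "tcp"/"udp"/"icmp"
    src: str                     # "any" or a CIDR such as "200.1.1.0/24"
    dst: str
    dport: Optional[int] = None  # destination port, None means any

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def acl_verdict(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """First matching entry wins; no match is the ASA's implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action == "permit"
    return False


@dataclass
class Asa:
    levels: Dict[str, int]                                          # nameif -> security-level
    acls: Dict[str, List[Ace]] = field(default_factory=dict)        # access-list name -> entries
    groups: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (nameif, "in"/"out") -> acl
    same_security: bool = False  # same-security-traffic permit inter-interface

    def allows(self, ingress: str, egress: str, proto: str, src: str, dst: str,
               dport: Optional[int] = None) -> bool:
        inbound = self.groups.get((ingress, "in"))
        if inbound is None:
            lin, leg = self.levels[ingress], self.levels[egress]
            ok = lin > leg or (lin == leg and self.same_security)
        else:
            ok = acl_verdict(self.acls[inbound], proto, src, dst, dport)
        outbound = self.groups.get((egress, "out"))
        if ok and outbound is not None:
            ok = acl_verdict(self.acls[outbound], proto, src, dst, dport)
        return ok


ANY = [Ace("permit", "ip", "any", "any")]  # the page's access-list 101


def correct_levels() -> Asa:
    """inside 100, dmz 50, outside 0, no ACLs: only the implicit rule applies."""
    return Asa(levels={"inside": 100, "dmz": 50, "outside": 0})


def page_mistake() -> Asa:
    """inside forced to security-level 0, as the page's transcript did."""
    return Asa(levels={"inside": 0, "dmz": 0, "outside": 0})


def page_acl_everywhere() -> Asa:
    """access-list 101 permit ip any any bound in and out on every interface."""
    asa = Asa(levels={"inside": 100, "dmz": 50, "outside": 0}, acls={"101": ANY})
    for nameif in asa.levels:
        asa.groups[(nameif, "in")] = "101"
        asa.groups[(nameif, "out")] = "101"
    return asa


def least_privilege() -> Asa:
    """Assumed DMZ web server 203.1.1.10: outside may reach it on tcp/443 only."""
    asa = Asa(levels={"inside": 100, "dmz": 50, "outside": 0})
    asa.acls["OUTSIDE_IN"] = [Ace("permit", "tcp", "any", "203.1.1.10/32", 443)]
    asa.groups[("outside", "in")] = "OUTSIDE_IN"
    return asa


if __name__ == "__main__":
    for name, asa in [("correct", correct_levels()), ("page mistake", page_mistake()),
                      ("acl everywhere", page_acl_everywhere()), ("least privilege", least_privilege())]:
        print(name, "inside->outside:", asa.allows("inside", "outside", "tcp", "200.1.1.5", "202.1.1.7", 443),
              "outside->inside:", asa.allows("outside", "inside", "tcp", "202.1.1.7", "200.1.1.5", 22))
```

With the page's ACL bound everywhere, outside-to-inside on tcp/22 is permitted, which is the state the lab transcript leaves the firewall in; the least-privilege variant keeps the inside and dmz interfaces on the implicit rule and limits outside to one service on one host.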
Configuring telnet and ssh on the ASA
telnet configuration
tips: the ASA refuses telnet on its lowest-security interface (security level 0, e.g. outside) unless the session arrives inside an IPsec tunnel. Prefer ssh in any case: telnet sends the credentials in cleartext
ciscoasa(config)#telnet ?
configure mode commands/options:
  WORD                The IP address of the host and/or network authorized to login to the system
  X:X:X:X::X/<0-128>  IPv6 address/prefix authorized to login to the system
  timeout             Configure telnet idle timeout
ciscoasa(config)#telnet 172.16.10.0 255.255.255.0 inside #source network allowed to telnet in, and the interface it may reach
ciscoasa(config)#username lisen password miller #local account
ciscoasa(config)#aaa authentication ? #authenticate telnet logins against the local user database; without this line telnet only asks for the login password set with passwd
configure mode commands/options:
  ssh     SSH
  telnet  Telnet
ciscoasa(config)#aaa authentication telnet ?
configure mode commands/options:
  console  Specify this keyword to identify a server group for administrative authentication
ciscoasa(config)#aaa authentication telnet console ?
configure mode commands/options:
  LOCAL  Predefined server tag for AAA protocol 'local'
ciscoasa(config)#aaa authentication telnet console LOCAL
ssh configuration
asa#conf t
asa(config)#hostname asa #hostname
asa(config)#domain-name chinaskills.cn #domain name; hostname and domain name are needed before the RSA key pair can be generated
asa(config)#crypto key generate rsa modulus 1024 #RSA key length; 1024 is too short for a management key today, use modulus 2048 or larger
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
asa(config)#ssh timeout 1 #idle timeout in minutes
asa(config)#aaa authentication ssh console LOCAL #authenticate ssh logins against the local user database
asa(config)#username chian password P@ssword!23 #local account and password
asa(config)#ssh 10.1.1.0 255.255.255.0 inside #source network allowed to ssh in, and the interface it may reach
If the release still offers ssh version 1, also set ssh version 2, and check the result with show ssh sessions and show crypto key mypubkey rsa.
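An added Python example (not code from the page or from Cisco) that audits the management-access commands from the telnet and ssh sections above, typed as a transcript with the prompts removed. It takes the commands as typed rather than show running-config output because crypto key generate does not persist in the running config. The checks encode the points made above: telnet is cleartext and is refused on the lowest-security interface, an any-source telnet/ssh line is too broad, an RSA modulus under 2048 is weak, ssh should be pinned to version 2 where the release still accepts version 1, and every enabled method needs aaa authentication. The sample transcripts are constructed: the first combines the page's commands with a deliberately bad telnet line on outside, the second is the assumed hardened form.

```python
"""Audit a transcript of ASA management-access commands (added example)."""
import re
from typing import Dict, List

# Constructed from the page's commands plus one deliberately bad telnet line.
SAMPLE_TRANSCRIPT = """\
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 192.168.4.2 255.255.255.0
interface GigabitEthernet1/2
nameif outside
security-level 0
ip address 201.1.1.1 255.255.255.0
domain-name chinaskills.cn
crypto key generate rsa modulus 1024
telnet 172.16.10.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 1
username lisen password miller
aaa authentication ssh console LOCAL
"""

# Assumed hardened form: ssh only, 2048-bit key, version pinned, local AAA.
HARDENED_TRANSCRIPT = """\
interface GigabitEthernet1/1
nameif inside
security-level 100
interface GigabitEthernet1/2
nameif outside
security-level 0
crypto key generate rsa modulus 2048
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
aaa authentication ssh console LOCAL
"""


def parse_levels(lines: List[str]) -> Dict[str, int]:
    """nameif -> security-level, following the interface sub-mode; nameif must precede security-level."""
    levels, current = {}, None
    for line in lines:
        t = line.split()
        if t[0] == "interface":
            current = None
        elif t[0] == "nameif":
            current = t[1]
            levels[current] = 100 if current == "inside" else 0  # ASA defaults
        elif t[0] == "security-level" and current:
            levels[current] = int(t[1])
    return levels


def audit(transcript: str) -> List[str]:
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    levels = parse_levels(lines)
    lowest = min(levels.values()) if levels else None
    findings: List[str] = []
    enabled = {"telnet": False, "ssh": False}
    aaa = set()
    ssh_v2 = False
    for line in lines:
        t = line.split()
        cmd = t[0]
        if cmd in enabled and len(t) == 4 and t[3] in levels:
            ip, mask, nameif = t[1], t[2], t[3]
            enabled[cmd] = True
            if ip == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(f"{cmd}: any-source access on {nameif}")
            if cmd == "telnet":
                findings.append(f"telnet: cleartext management on {nameif}")
                if levels[nameif] == lowest:
                    findings.append(f"telnet: rejected by ASA on lowest-security interface {nameif}")
            elif levels[nameif] == lowest:
                findings.append(f"ssh: exposed on lowest-security interface {nameif}")
        elif cmd == "ssh" and t[1:3] == ["version", "2"]:
            ssh_v2 = True
        elif line.startswith("crypto key generate rsa"):
            m = re.search(r"modulus\s+(\d+)", line)
            if m is None:
                findings.append("ssh: rsa modulus not given explicitly")
            elif int(m.group(1)) < 2048:
                findings.append(f"ssh: weak rsa modulus {m.group(1)}")
        elif line.startswith("aaa authentication") and len(t) >= 5 and t[3] == "console":
            aaa.add(t[2])
    for method, on in enabled.items():
        if on and method not in aaa:
            findings.append(f"{method}: no aaa authentication {method} console")
    if enabled["ssh"] and not ssh_v2:
        findings.append("ssh: version not pinned to 2")
    return findings


if __name__ == "__main__":
    for name, text in [("sample", SAMPLE_TRANSCRIPT), ("hardened", HARDENED_TRANSCRIPT)]:
        print(name, audit(text) or "clean")
```

Run against the page's own lines the audit reports the 1024-bit modulus, the missing aaa authentication telnet console (the page configures it in the telnet section but not in the ssh transcript), and the unpinned ssh version; the hardened transcript returns no findings.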