0%

cisco-asa-5520

发表于 更新于 分类于
本文字数: 12k 阅读时长 ≈ 11 分钟
cisco asa 5520 配置

2016-08-09-cisco-asa-5520

显示一级命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Type help or '?' for a list of available commands.
yz5520> ?

  clear       Reset functions
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  help        Interactive help for commands
  login       Log in as a particular user
  logout      Exit from the EXEC
  no          Negate a command or set its defaults
  ping        Send echo messages
  quit        Exit from the EXEC
  show        Show running system information
  traceroute  Trace route to destination
yz5520>

enable

进入管理模式

enable password

修改 enable 密码

configure terminal

进入全局配置模式

passwd

默认用户是 pix
修改 ssh 密码

show run

查看配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
: Saved
:
ASA Version 8.2(1)
!
hostname yz5520
domain-name ync365.com
enable password *** encrypted
passwd *** encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 221.122.119.2 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 nameif inside2
 security-level 100
 ip address 30.0.1.254 255.255.255.0
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 20.0.1.254 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
 domain-name ync365.com
access-list no-nat extended permit ip 20.0.1.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list no-nat extended permit ip 20.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list ync365-vpn_splitTunnelAd standard permit 20.0.1.0 255.255.255.0
access-list out-in extended permit icmp any any
access-list out-in extended permit tcp any host 221.122.119.6 eq www
access-list out-in extended permit tcp any host 221.122.119.9 eq 11000
access-list outside_1_cryptomap extended permit ip 20.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu inside2 1500
ip local pool vpnpool 172.17.2.1-172.17.2.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 20.0.1.0 255.255.255.0
static (inside,outside) tcp 221.122.119.6 www 20.0.1.91 www netmask 255.255.255.255
static (inside,outside) tcp 221.122.119.9 11000 20.0.1.94 11000 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 221.122.119.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
snmp-server host inside 20.0.1.252 community public
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside-dyn-map 10 set transform-set vpnset
crypto dynamic-map outside-dyn-map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside-dyn-map 10 set reverse-route
crypto map outside-map 1 match address outside_1_cryptomap
crypto map outside-map 1 set peer 203.158.23.160
crypto map outside-map 1 set transform-set ESP-3DES-SHA
crypto map outside-map 10 ipsec-isakmp dynamic outside-dyn-map
crypto map outside-map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 43200
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy ync365-vpn internal
group-policy ync365-vpn attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ync365-vpn_splitTunnelAd
 default-domain value ync365.com
username duanzhaoqian password *** encrypted
tunnel-group ync365-vpn type remote-access
tunnel-group ync365-vpn general-attributes
 address-pool vpnpool
 default-group-policy ync365-vpn
tunnel-group ync365-vpn ipsec-attributes
 pre-shared-key *
tunnel-group 203.158.23.160 type ipsec-l2l
tunnel-group 203.158.23.160 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0f024f9e9c7a7f6f8d7d476188a2ca3a
: end

查看局部配置

1
2
3
4
5
6
7
8
9
yz5520(config)# show run access-list
access-list no-nat extended permit ip 20.0.1.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list no-nat extended permit ip 20.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list ync365-vpn_splitTunnelAd standard permit 20.0.1.0 255.255.255.0
access-list out-in extended permit icmp any any
access-list out-in extended permit tcp any host 221.122.119.6 eq www
access-list out-in extended permit tcp any host 221.122.119.9 eq 11000
access-list outside_1_cryptomap extended permit ip 20.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
yz5520(config)#

interface GigabitEthernet0/1

进入网卡配置模式

1
2
3
4
5
6
7
8
9
yz5520(config)#  interface ?

configure mode commands/options:
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Management       Management interface
  Redundant        Redundant Interface
  <cr>
yz5520(config)#  interface  GigabitEthernet0/1
yz5520(config-if)#

quit

退出

access-list

添加访问

1
access-list out-in extended permit tcp any host 221.122.119.9 eq 11000

取消访问

1
no access-list out-in extended permit tcp any host 221.122.119.9 eq 11000

static

添加映射

1
static (inside,outside) tcp 221.122.119.9 11000 20.0.1.94 11000 netmask 255.255.255.255

取消映射

1
no static (inside,outside) tcp 221.122.119.9 11000 20.0.1.94 11000 netmask 255.255.255.255

不同网段互相访问

1
2
access-list no-nat extended permit ip 20.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
static (inside2,inside) 10.0.1.0 10.0.1.0 netmask 255.255.255.0

VPN172 段访问 10、20 段

1
2
3
4
access-list no-nat extended permit ip 20.0.1.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list no-nat extended permit ip 10.0.1.0 255.255.255.0 172.17.2.0 255.255.255.0
nat (inside) 0 access-list no-nat
nat (inside2) 0 access-list no-nat

允许访问公网

1
2
nat (inside) 1 20.0.1.0 255.255.255.0
nat (inside2) 1 10.0.1.0 255.255.255.0

wirte

保存配置

1
wirte memory
1
2
3
4
5
6
7
8
9
10
11
yz5520(config)# write ?

exec mode commands/options:
  erase     Clear flash memory configuration
  memory    Save active configuration to the flash
  net       Save the active configuration to the tftp server
  standby   Save the active configuration on the active unit to the flash on
            the standby unit
  terminal  Display the current active configuration
  <cr>
yz5520(config)#

clear configure

清除配置

1
2
//清除VPN用户
clear configure username duanzhaoqian

demo config

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
yz5520(config)# show run
: Saved
:
ASA Version 8.2(1)
!
hostname yz5520
domain-name ync365.com
enable password *** encrypted
passwd *** encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 221.122.119.2 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 nameif inside2
 security-level 100
 ip address 10.0.1.254 255.255.255.0
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 20.0.1.254 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
 domain-name ync365.com
same-security-traffic permit inter-interface
access-list no-nat extended permit ip 20.0.1.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list no-nat extended permit ip 10.0.1.0 255.255.255.0 172.17.2.0 255.255.255.0
access-list no-nat extended permit ip 20.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list ync365-vpn_splitTunnelAd standard permit 20.0.1.0 255.255.255.0
access-list ync365-vpn_splitTunnelAd standard permit 10.0.1.0 255.255.255.0
access-list out-in extended permit icmp any any
access-list out-in extended permit tcp any host 221.122.119.6 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
mtu inside2 1500
ip local pool vpnpool 172.17.2.1-172.17.2.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 20.0.1.0 255.255.255.0
nat (inside2) 0 access-list no-nat
nat (inside2) 1 10.0.1.0 255.255.255.0
static (inside,outside) tcp 221.122.119.6 www 20.0.1.91 www netmask 255.255.255.255
static (inside2,inside) 10.0.1.0 10.0.1.0 netmask 255.255.255.0
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 221.122.119.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
snmp-server host inside 20.0.1.252 community public
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside-dyn-map 10 set transform-set vpnset
crypto dynamic-map outside-dyn-map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside-dyn-map 10 set reverse-route
crypto map outside-map 1 set peer 203.158.23.160
crypto map outside-map 1 set transform-set ESP-3DES-SHA
crypto map outside-map 10 ipsec-isakmp dynamic outside-dyn-map
crypto map outside-map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 43200
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy ync365-vpn internal
group-policy ync365-vpn attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ync365-vpn_splitTunnelAd
 default-domain value ync365.com
username duanzq password *** encrypted
username duanzhaoqian password *** encrypted
tunnel-group ync365-vpn type remote-access
tunnel-group ync365-vpn general-attributes
 address-pool vpnpool
 default-group-policy ync365-vpn
tunnel-group ync365-vpn ipsec-attributes
 pre-shared-key *
tunnel-group 203.158.23.160 type ipsec-l2l
tunnel-group 203.158.23.160 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:644e75a9d106b532653c38ae902181eb
: end
yz5520(config)#