ASA5520
Recovering the image
https://www.cisco.com/public/technotes/smbsa/en/us/remote/5500_image_rcvry.pdf
```
ASA Version 8.4(7)
hostname
domain-name
enable password
! passwd: the default pix user password
passwd
!
interface GigabitEthernet0/3
 ip address 192.168.2.125 255.255.255.0
 nameif outside
 no shutdown
interface GigabitEthernet0/0
 ip address 172.10.10.1 255.255.255.0
 nameif inside
 no shutdown
!
access-list out-in extended permit icmp any any
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
username duanzhaoqian password duanzhaoqian privilege 15
!
! SSH login
crypto key generate rsa
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
aaa authentication ssh console LOCAL
!
! telnet login
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
!
! Configuring it this way makes interface PAT ineffective; not recommended
nat (inside,outside) source dynamic any interface
!
object network all
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! The second port number is the outside port
object network 8080
 host 172.10.10.10
 nat (inside,outside) static interface service tcp 8080 8080
object network 80
 host 172.10.10.10
 nat (inside,outside) static 192.168.2.126 service tcp 8080 80
!
access-list out-in extended permit tcp any object 8080
access-group out-in in interface outside
```
VPN configuration
https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_remote_access.html
https://networkology.net/2012/10/07/ipsec-remote-access-vpn-asa-8-4-part-1-basic/
```
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 43200
crypto ikev1 enable outside
!
access-list vpn_acl standard permit 172.10.10.0 255.255.255.0
group-policy vpn internal
group-policy vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_acl
!
ip local pool vpnpool 172.1.1.1-172.1.1.50 mask 255.255.255.0
crypto ipsec ikev1 transform-set FirstSet esp-des esp-md5-hmac
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool vpnpool
 default-group-policy vpn
tunnel-group vpngroup ipsec-attributes
 ikev1 pre-shared-key vpnpassword
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
!
object-group network obj_172.1.1.0
 network-object 172.1.1.0 255.255.255.0
object-group network obj_172.10.10.0
 network-object 172.10.10.0 255.255.255.0
nat (inside,outside) source static obj_172.10.10.0 obj_172.10.10.0 destination static obj_172.1.1.0 obj_172.1.1.0 no-proxy-arp route-lookup
```
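As an added check that is not part of the original post, the Python script below parses an ASA 8.4 configuration into commands and their indented sub-commands and flags the choices in the two configurations above that a reviewer would question: DES, MD5 and DH group 2 in the IKEv1 policy and transform set, SSH and telnet accepted from 0.0.0.0 0.0.0.0, cleartext telnet management, and the twice-NAT rule the note above says defeats interface PAT. The sample configuration is constructed from lines on this page; the weak-setting lists are my own assumption of what to flag.

```python
# Constructed sample: the relevant lines of the configuration shown on this page.
SAMPLE_CONFIG = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 43200
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set FirstSet esp-des esp-md5-hmac
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
nat (inside,outside) source dynamic any interface
"""

# IKEv1 policy sub-commands and IPsec transforms that are no longer acceptable (assumed lists)
WEAK_IKE = {"encryption des", "encryption 3des", "hash md5", "group 2"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_blocks(text):
    """Group config lines into (command, [sub-commands]) using ASA's one-space indent."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blank lines and '!' comment lines
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(text):
    """Return one finding string per risky setting found in the config text."""
    findings = []
    for cmd, subs in parse_blocks(text):
        words = cmd.split()
        if cmd.startswith("crypto ikev1 policy"):
            findings += [f"{cmd}: weak setting '{s}'" for s in subs if s in WEAK_IKE]
        elif cmd.startswith("crypto ipsec ikev1 transform-set"):
            findings += [f"{words[4]}: weak transform {t}" for t in words[5:] if t in WEAK_TRANSFORMS]
        elif words[0] in ("ssh", "telnet") and words[1:3] == ["0.0.0.0", "0.0.0.0"]:
            findings.append(f"{cmd}: management access permitted from any source")
        if words[0] == "telnet" and words[1] != "timeout":
            findings.append(f"{cmd}: cleartext telnet management enabled")
        if cmd == "nat (inside,outside) source dynamic any interface":
            findings.append(f"{cmd}: twice-NAT 'any' rule defeats interface PAT")
    return findings
```

Running `audit(SAMPLE_CONFIG)` yields nine findings for the sample; feed it the output of `show running-config` to review a live box.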
Privilege levels on Cisco devices range from 0 to 15; by default three command levels exist: 0, 1 and 15.
privilege level 0: includes the disable, enable, exit, help and logout commands
privilege level 1: a user who logs in to the router via telnet is at level 1; all user-mode commands at the router> prompt belong to level 1
privilege level 15: includes all privileged-mode commands at the router# prompt
Common troubleshooting commands:
```
show run nat
show run object
show run object-group
show nat detail
! show xlate: the NAT translation table
show xlate
show conn
show nat pool
debug nat 255
```