思科防火墙ASA5520 外观
网络拓扑图如下
内网 网段 192.168.2.0/24
公网IP地址 118.25.235.100
公网IP地址网关:118.25.235.1.1
防火墙内网IP:192.168.2.1/24
配置步骤:
1、基本配置及配置内外网接口
conf t
hostname ASAFW #设置主机名
enable secret pass123 #设置特权密码
clock timezone GMT 8 #设置时区
dns domain-lookup inside
dns server-group DefaultDNS
name-server 114.114.114.114
name-server 223.5.5.5
name-server 223.6.6.6
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 118.25.235.100 255.255.255.0
#外网IP是118.25.235.100
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
#内网网段是192.168.2.0/24
2、配置外网路由
#route outside 0.0.0.0 0.0.0.0 118.25.235.1 1
3、配置内网NAT上网配置
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
4、配置DHCP服务器
dhcpd lease 14400
dhcpd address 192.168.2.2-192.168.2.254 inside
#设置DHCP的IP地址池
dhcpd dns 114.114.114.114 223.5.5.5 interface inside
dhcpd enable inside
5、配置端口映射
(因为我外网只有一个IP因此,设置的时候就是interface,一定要先 设置外网IP再来设置端口映射)
static (inside,outside) tcp interface 80 192.168.2.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.2.242 tcp netmask 255.255.255.255
如果存在多个外网IP,如何设置端口映射呢?
static (inside,outside) tcp 118.25.235.101 80 192.168.2.2 80 netmask 255.255.255.255
static (inside,outside) tcp 118.25.235.101 443 192.168.2.242 tcp netmask 255.255.255.255
直接将IP写上,注意如果只有一个IP,只能写interface
6、ACL及内外网策略
access-list outside extended permit ip any any
access-list outside extended deny icmp any any
access-list inside extended permit icmp any any
access-list inside extended permit ip any any
access-group outside in interface outside
access-group inside in interface inside
7、配置ssh登录
crypto key generate rsa modulus 1024
aaa authentication ssh console LOCAL
username user1 password xxxx //配置ssh用户名密码
ssh version 1
ssh 0.0.0.0 0.0.0.0 inside //配置SSH内网可以登录及访问
#ssh 0.0.0.0 0.0.0.0 outside //配置SSH外网可登录
8、设置ASA系统时间及SNMP
clock set 13:14:00 2 feb 2012
snmp-server host inside 192.168.2.2 community public version 2c
snmp-server enable traps
9、开启ASDM图形化管理
webvpn
username admin password admin
http server enable 或者http server enable 8080(端口号)
http 0.0.0.0 0.0.0.0 inside
asdm image disk0:/asdm-722.bin
10、保存配置
copy running-config startup-config
11、备份配置及操作系统
show flash
--#-- --length-- -----date/time------ path
3 4096 Aug 16 2017 12:25:12 log
8 4096 Aug 16 2017 12:25:24 crypto_archive
9 4096 Aug 16 2017 12:25:26 coredumpinfo
10 43 Aug 16 2017 12:25:26 coredumpinfo/coredump.cfg
78 15261696 Aug 16 2017 12:36:40 asa824-k8.bin
79 24047892 Aug 16 2017 12:39:12 asdm-722.bin
copy asa824-k8.bin tftp://192.168.2.3
copy asdm-722.bin tftp://192.168.2.3
copy running-config tftp://192.168.2.3