思科防火墙ASA5520 外观

网络拓扑图如下

内网 网段 192.168.2.0/24

公网IP地址 118.25.235.100

公网IP地址网关:118.25.235.1.1

防火墙内网IP:192.168.2.1/24

配置步骤：

1、基本配置及配置内外网接口

conf t

hostname ASAFW #设置主机名

enable secret pass123 #设置特权密码

clock timezone GMT 8 #设置时区

dns domain-lookup inside

dns server-group DefaultDNS

name-server 114.114.114.114

name-server 223.5.5.5

name-server 223.6.6.6

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 118.25.235.100 255.255.255.0

#外网IP是118.25.235.100

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

#内网网段是192.168.2.0/24

2、配置外网路由

#route outside 0.0.0.0 0.0.0.0 118.25.235.1 1

3、配置内网NAT上网配置

nat-control

global (outside) 1 interface

nat (inside) 1 192.168.2.0 255.255.255.0

4、配置DHCP服务器

dhcpd lease 14400

dhcpd address 192.168.2.2-192.168.2.254 inside

#设置DHCP的IP地址池

dhcpd dns 114.114.114.114 223.5.5.5 interface inside

dhcpd enable inside

5、配置端口映射

(因为我外网只有一个IP因此，设置的时候就是interface,一定要先 设置外网IP再来设置端口映射)

static (inside,outside) tcp interface 80 192.168.2.2 80 netmask 255.255.255.255

static (inside,outside) tcp interface 443 192.168.2.242 tcp netmask 255.255.255.255

如果存在多个外网IP，如何设置端口映射呢？

static (inside,outside) tcp 118.25.235.101 80 192.168.2.2 80 netmask 255.255.255.255

static (inside,outside) tcp 118.25.235.101 443 192.168.2.242 tcp netmask 255.255.255.255

直接将IP写上，注意如果只有一个IP，只能写interface

6、ACL及内外网策略

access-list outside extended permit ip any any

access-list outside extended deny icmp any any

access-list inside extended permit icmp any any

access-list inside extended permit ip any any

access-group outside in interface outside

access-group inside in interface inside

7、配置ssh登录

crypto key generate rsa modulus 1024

aaa authentication ssh console LOCAL

username user1 password xxxx //配置ssh用户名密码

ssh version 1

ssh 0.0.0.0 0.0.0.0 inside //配置SSH内网可以登录及访问

#ssh 0.0.0.0 0.0.0.0 outside //配置SSH外网可登录

8、设置ASA系统时间及SNMP

clock set 13:14:00 2 feb 2012

snmp-server host inside 192.168.2.2 community public version 2c

snmp-server enable traps

9、开启ASDM图形化管理

webvpn

username admin password admin

http server enable 或者http server enable 8080(端口号)

http 0.0.0.0 0.0.0.0 inside

asdm image disk0:/asdm-722.bin

10、保存配置

copy running-config startup-config

11、备份配置及操作系统

show flash

--#-- --length-- -----date/time------ path

3 4096 Aug 16 2017 12:25:12 log

8 4096 Aug 16 2017 12:25:24 crypto_archive

9 4096 Aug 16 2017 12:25:26 coredumpinfo

10 43 Aug 16 2017 12:25:26 coredumpinfo/coredump.cfg

78 15261696 Aug 16 2017 12:36:40 asa824-k8.bin

79 24047892 Aug 16 2017 12:39:12 asdm-722.bin

copy asa824-k8.bin tftp://192.168.2.3

copy asdm-722.bin tftp://192.168.2.3

copy running-config tftp://192.168.2.3