Common Cisco ASA firewall configuration (ASA Version 8.2(5))

Date: 2015-08-21 17:27:27


Note: inside interface 192.168.3.253, outside interface 192.168.6.45 (all commands below use these addresses).


Assign a VLAN in interface configuration mode:

switchport access vlan 2


Configure an IP address on the VLAN interface:

interface Vlan1

 nameif inside

 security-level 50

 ip address 192.168.3.253 255.255.255.0


Configure port forwarding:

access-list Outside_Access extended permit ip any any   (create the access control list)

access-group Outside_Access in interface outside  (apply it inbound on the outside interface)

static (inside,outside) tcp interface 5000 192.168.3.222 3389 netmask 255.255.255.255  (static port translation: outside interface port 5000 to 192.168.3.222 port 3389)


Configure NAT:

global (outside) 1 interface

nat (inside) 1 192.168.3.0 255.255.255.0


Configure SSH access:

 username xxx password xxxxxx  privilege 15   (create a user)

 aaa authentication enable console LOCAL

 aaa authentication ssh console LOCAL  (authenticate SSH logins against the local user database)

 ssh 192.168.3.0 255.255.255.0 inside  (restrict SSH access to the inside subnet)

 crypto key generate rsa     (generate the RSA key pair that SSH requires; this enables the SSH service)


Add static routes:

route outside 0.0.0.0 0.0.0.0 192.168.6.254 1

route inside 192.168.6.0 255.255.255.0 192.168.6.254 1


Solving the NAT hairpinning problem (inside clients reaching an inside server through the public IP):

Below is the solution given on a forum:

You can use hairpinning + static NAT. The principle is to allow traffic that enters from inside to return directly out the inside interface instead of leaving through another interface. The configuration is as follows (note: 1.1.1.1 is the public IP, 192.168.1.10 the internal IP):
1. Enable hairpinning: same-security-traffic permit intra-interface
2. Define the global address that internal users use when hairpinning to the internal server: global (inside) 1 interface
3. Address mapping: map the public port to the internal port
     static (inside,outside) tcp 1.1.1.1 www 192.168.1.10 www netmask 255.255.255.255
4. Define the address mapping for the return path of hairpinned traffic
      static (inside,inside) tcp 1.1.1.1 www 192.168.1.10 www netmask 255.255.255.255
5. Define the ACL: access-list 101 extended per tcp any host 1.1.1.1 eq www
6. Apply the ACL to the outside interface: access-group 101 in interface outside


Applying this to my own case: publish the Remote Desktop service of an internal machine to the outside, and also let internal clients reach it through the public IP.


Enable NAT:

global (outside) 1 interface

nat (inside) 1 192.168.3.0 255.255.255.0 

Configure the port forwarding:

static (inside,outside) tcp interface 5000 192.168.3.222 3389 netmask 255.255.255.255 

Configure access control on the outside interface:

access-list Outside_Access extended permit ip any any

access-group Outside_Access in interface outside

The commands above let outside users reach the internal host through the public IP, but inside users cannot (they can only use the internal IP). To let inside users use the public IP as well, add the hairpin configuration:

same-security-traffic permit intra-interface

global (inside) 1 interface

static (inside,inside) tcp 192.168.6.45 5000 192.168.3.222 3389 netmask 255.255.255.255
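The port forwarding above (the static plus the Outside_Access ACL) and the hairpin fix can both be checked offline with the following Python model. It is an added example, not code from this post or from Cisco: it parses only the ASA 8.2 syntax used on this page (static, access-list/access-group, same-security-traffic), resolves where a packet entering an interface is delivered, reports what the outside ACL exposes, and, because 8.2 ACLs match the mapped (translated) address, proposes entries that permit only the published port instead of `permit ip any any`. The INTERFACE_IP table, PORT_NAMES, SAMPLE_CONFIG and all function names are assumptions of the example; `global` and `nat` lines are skipped because dynamic PAT does not affect inbound reachability.

```python
"""Offline model of ASA 8.2 'static' translations and inbound ACLs (added
example, not the post's or Cisco's code). Handles only the subset of syntax
used on the page."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Interface addresses from the post (assumed fixed for this model).
INTERFACE_IP = {"inside": "192.168.3.253", "outside": "192.168.6.45"}
# Port keywords the page uses; everything else is parsed as a number.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}

# Constructed input: the hairpin section of the post, ACL exactly as written there.
SAMPLE_CONFIG = """
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
static (inside,outside) tcp interface 5000 192.168.3.222 3389 netmask 255.255.255.255
access-list Outside_Access extended permit ip any any
access-group Outside_Access in interface outside
same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside) tcp 192.168.6.45 5000 192.168.3.222 3389 netmask 255.255.255.255
"""


@dataclass
class Static:
    real_if: str
    mapped_if: str
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple  # (address, mask); mask 0.0.0.0 means 'any'
    dst: tuple
    dport: Optional[int]


@dataclass
class Config:
    statics: list = field(default_factory=list)
    acls: dict = field(default_factory=dict)    # name -> [Ace]
    groups: dict = field(default_factory=dict)  # interface -> inbound ACL name
    intra_interface: bool = False


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens):
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "0.0.0.0")
    if tok == "host":
        return (tokens.pop(0), "255.255.255.255")
    return (tok, tokens.pop(0))


def parse_config(text):
    cfg = Config()
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":
            # static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port ...
            real_if, mapped_if = re.match(r"\((\w+),(\w+)\)", t[1]).groups()
            mapped_ip = INTERFACE_IP[mapped_if] if t[3] == "interface" else t[3]
            cfg.statics.append(Static(real_if, mapped_if, t[2], mapped_ip,
                                      _port(t[4]), t[5], _port(t[6])))
        elif t[0] == "access-list" and t[2] == "extended":
            rest = t[4:]
            proto = rest.pop(0)
            src, dst = _addr(rest), _addr(rest)
            dport = _port(rest[1]) if rest[:1] == ["eq"] else None
            cfg.acls.setdefault(t[1], []).append(Ace(t[3], proto, src, dst, dport))
        elif t[0] == "access-group" and t[2] == "in":
            cfg.groups[t[4]] = t[1]
        elif line.strip() == "same-security-traffic permit intra-interface":
            cfg.intra_interface = True
        # 'global' / 'nat' (dynamic PAT) do not affect inbound reachability: skipped.
    return cfg


def translate(cfg, ingress_if, dst_ip, dst_port, proto="tcp"):
    """Where is a packet entering ingress_if for dst_ip:dst_port delivered?
    Returns (real_if, real_ip, real_port), or None when no static on that
    interface knows the mapped address (the inside client's case without the
    (inside,inside) static) or same-interface traffic is not permitted."""
    for s in cfg.statics:
        if (s.mapped_if == ingress_if and s.proto == proto
                and s.mapped_ip == dst_ip and s.mapped_port == dst_port):
            if s.real_if == ingress_if and not cfg.intra_interface:
                return None
            return (s.real_if, s.real_ip, s.real_port)
    return None


def hairpin_ready(cfg):
    """Inside clients can use the public IP only with both hairpin pieces present."""
    return cfg.intra_interface and any(s.real_if == s.mapped_if == "inside" for s in cfg.statics)


def exposed_services(cfg):
    """Everything reachable from outside: statics whose mapped side is 'outside'."""
    return [(s.mapped_ip, s.mapped_port, s.real_ip, s.real_port)
            for s in cfg.statics if s.mapped_if == "outside"]


def audit_outside_acl(cfg):
    """Flag a wide-open inbound ACL and propose the minimal one. ASA 8.2 ACLs
    match the mapped address, so the entries use the public IP and port."""
    name = cfg.groups.get("outside")
    findings, suggested = [], []
    for ace in cfg.acls.get(name, []):
        if (ace.action == "permit" and ace.proto == "ip"
                and ace.src[1] == "0.0.0.0" and ace.dst[1] == "0.0.0.0"):
            findings.append(f"{name}: 'permit ip any any' admits all inbound traffic, "
                            "far beyond the published mappings")
    for s in cfg.statics:
        if s.mapped_if == "outside":
            suggested.append(f"access-list {name} extended permit {s.proto} "
                             f"any host {s.mapped_ip} eq {s.mapped_port}")
    return findings, suggested


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("outside client ->", translate(cfg, "outside", "192.168.6.45", 5000))
    print("inside client  ->", translate(cfg, "inside", "192.168.6.45", 5000))
    for f in audit_outside_acl(cfg)[0]:
        print("finding:", f)
    for line in audit_outside_acl(cfg)[1]:
        print("suggest:", line)
```

Dropping the last three lines of SAMPLE_CONFIG reproduces the situation described above: the outside lookup still resolves to 192.168.3.222:3389, but an inside client addressing 192.168.6.45:5000 gets no translation at all.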


Rate limiting:

access-list 1000 extended permit ip 192.168.3.0 255.255.255.0 any 

access-list 1000 extended permit ip any 192.168.3.0 255.255.255.0 

class-map 1000

 match access-list 1000

policy-map XIANSU

 class 1000

 police output 8000000 1600000 conform-action transmit exceed-action drop

 police input  8000000 1600000 conform-action transmit exceed-action drop

(normal rate 1Mbps, burst 2Mbps: conforming traffic is forwarded, traffic beyond the burst is dropped)

service-policy XIANSU interface inside    (apply the policy to the interface)
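To see what `police output 8000000 1600000 conform-action transmit exceed-action drop` does packet by packet, here is a token-bucket model of the single-rate policer, added here as an example rather than code from the post or from Cisco. The rate argument is in bits per second and the burst in bytes, as in the ASA command: 8,000,000 bit/s refills 1,000,000 bytes per second, and the bucket holds at most 1,600,000 bytes, so a burst is forwarded at line rate until the bucket drains and then roughly every other packet is dropped. The Policer class, the run helper and the constructed traffic pattern (100,000-byte chunks every 50 ms, i.e. 2,000,000 bytes/s for 3 s) are assumptions of the example.

```python
"""Token-bucket model of the ASA 'police' command (added example)."""
from dataclasses import dataclass


@dataclass
class Policer:
    """Single-rate, two-colour policer: conform-action transmit, exceed-action drop.
    Arguments use the same units as the ASA command (bit/s and bytes)."""
    conform_rate_bps: int
    conform_burst_bytes: int

    def __post_init__(self):
        self.tokens = self.conform_burst_bytes  # bucket starts full
        self.last_ms = 0

    def offer(self, t_ms, size_bytes):
        """Decide the fate of a packet of size_bytes arriving at t_ms (milliseconds).
        Integer arithmetic keeps the refill exact: bit/s * ms / 8000 = bytes."""
        refill = (t_ms - self.last_ms) * self.conform_rate_bps // 8000
        self.tokens = min(self.conform_burst_bytes, self.tokens + refill)
        self.last_ms = t_ms
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "transmit"
        return "drop"  # exceeding packet is dropped; tokens are not consumed


def run(policer, packets):
    """packets: iterable of (t_ms, size_bytes) in arrival order.
    Returns (transmitted_bytes, dropped_bytes, per-packet actions)."""
    transmitted = dropped = 0
    actions = []
    for t_ms, size in packets:
        action = policer.offer(t_ms, size)
        actions.append(action)
        if action == "transmit":
            transmitted += size
        else:
            dropped += size
    return transmitted, dropped, actions


def constructed_traffic(n=60, interval_ms=50, size=100_000):
    """Constructed sample: n chunks at 2,000,000 bytes/s (twice the conform rate)."""
    return [(k * interval_ms, size) for k in range(n)]


if __name__ == "__main__":
    tx, dropped, actions = run(Policer(8_000_000, 1_600_000), constructed_traffic())
    print(f"transmitted {tx} bytes, dropped {dropped} bytes")
    print("first drop at packet index", actions.index("drop"))
```

With the page's parameters the first 31 chunks (3.1 MB) pass untouched because the bucket started full; from then on the bucket only refills 50,000 bytes per 50 ms, so chunks alternate between drop and transmit, which is the long-run 1,000,000 bytes/s the policer enforces.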






This article comes from the "逆行者" blog; please do not repost.