Cisco 5506-X firewall basics

Source: 博客园

Basic firewall commands

Show the interface configuration: show interface ip brief    # note that this differs from IOS routers and switches, where it is show ip interface brief (sh ip interface brief)

Show the routing table: show route



Default policy

Traffic from a higher security level to a lower security level is permitted.

Traffic from a lower security level to a higher security level is denied.

Two caveats: traffic between interfaces at the same security level is denied unless same-security-traffic permit inter-interface is configured, and once an ACL is applied inbound on an interface, that ACL replaces the level-based default for traffic entering that interface; its implicit deny drops anything the ACL does not explicitly permit, including higher-to-lower traffic that would otherwise have passed.

Configuring the inside and outside zones (the inside interface is shown; the outside interface follows the same pattern with nameif outside and security-level 0)

ciscoasa> en
ciscoasa# config t
ciscoasa(config)# hostname ASA2
ASA2(config)# int g1/1
ASA2(config-if)# nameif inside
ASA2(config-if)# security-level 100      # on the ASA, naming an interface "inside" gives it security level 100 by default; set it explicitly anyway
ASA2(config-if)# ip address 192.168.4.2 255.255.255.0

Configuring connectivity between zones

Tip: first assign each interface to a zone (nameif and security-level), then write the ACL and bind it to an interface with access-group. Remember that an inbound ACL carries an implicit deny, so it must permit every flow you still need; a permit ip any any bound to every interface in both directions, as in this lab, passes everything and makes the security levels meaningless, so restrict it to the required flows on a real deployment.

ciscoasa(config)# interface gigabitEthernet 1/1
ciscoasa(config-if)# ip address 200.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# security-level 100     # inside must keep the highest level; lowering it to 0 would break the high-to-low default policy
ciscoasa(config)# interface gigabitEthernet 1/2
ciscoasa(config-if)# ip address 201.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config)# interface gigabitEthernet 1/3
ciscoasa(config-if)# ip address 203.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ciscoasa(config-if)# security-level 50      # give the DMZ an intermediate level; left at 0 it is equal to outside and the two cannot talk without same-security-traffic
ciscoasa(config)# route inside 200.1.1.0 255.255.255.0 200.1.1.2      # static routes: add them to match your own topology
ciscoasa(config)# route outside 202.1.1.0 255.255.255.0 201.1.1.2
ciscoasa(config)# route dmz 204.1.1.0 255.255.255.0 203.1.1.2
ciscoasa(config)# access-list 101 extended permit ip any any      # permits all IP traffic; the tcp and icmp lines below are already covered by it and are redundant
ciscoasa(config)# access-list 101 extended permit tcp any any
ciscoasa(config)# access-list 101 extended permit icmp any any
ciscoasa(config)# access-group 101 in interface dmz      # bind the ACL in both directions on every interface (lab only, see the tip above)
ciscoasa(config)# access-group 101 out interface dmz
ciscoasa(config)# access-group 101 in interface inside
ciscoasa(config)# access-group 101 out interface inside
ciscoasa(config)# access-group 101 in interface outside
ciscoasa(config)# access-group 101 out interface outside
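To make the default policy and the effect of binding an ACL concrete, here is an added example (not code from the original post or from Cisco) that models the ASA's inter-zone decision for the three-interface layout above. It parses the interface, access-list and access-group lines of a configuration, answers whether a flow entering one interface and leaving another is passed, and lists the interfaces whose inbound ACL begins with permit ip any any. The two configuration strings are constructed for the example, the DMZ is placed at level 50, only permit/deny <proto> any any entries are modelled, outbound ACLs and NAT are ignored, and the function names are the example's own.

```python
"""ASA inter-zone policy model (added example, not from the original post).

Rules implemented, as the text describes them:
  * no inbound ACL on the ingress interface: higher -> lower security level
    passes, lower -> higher is denied, equal levels are denied unless
    'same-security-traffic permit inter-interface' is configured;
  * an inbound ACL on the ingress interface replaces that default: the first
    matching entry decides and every ACL ends in an implicit deny.
Only 'permit|deny <proto> any any' entries are modelled; outbound ACLs and
NAT are not.  Function names are this example's own, not ASA commands.
"""
import re
from dataclasses import dataclass, field


@dataclass
class AsaPolicy:
    levels: dict = field(default_factory=dict)    # nameif -> security-level
    acls: dict = field(default_factory=dict)      # acl name -> [(action, proto)]
    inbound: dict = field(default_factory=dict)   # nameif -> acl bound 'in'
    same_security: bool = False


def parse_asa(config: str) -> AsaPolicy:
    pol = AsaPolicy()
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
            # ASA default: an interface named "inside" gets 100, any other name gets 0
            pol.levels.setdefault(nameif, 100 if nameif == "inside" else 0)
        elif line.startswith("security-level ") and nameif:
            pol.levels[nameif] = int(line.split()[1])
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) any any$", line):
            pol.acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            pol.inbound[m[2]] = m[1]
        elif line == "same-security-traffic permit inter-interface":
            pol.same_security = True
    return pol


def flow_allowed(pol: AsaPolicy, ingress: str, egress: str, proto: str) -> bool:
    """Is `proto` traffic entering on `ingress` and leaving on `egress` passed?"""
    acl = pol.inbound.get(ingress)
    if acl is not None:
        for action, p in pol.acls.get(acl, []):      # first match wins
            if p == "ip" or p == proto:
                return action == "permit"
        return False                                  # implicit deny
    src, dst = pol.levels[ingress], pol.levels[egress]
    if src == dst:
        return pol.same_security
    return src > dst


def wide_open_interfaces(pol: AsaPolicy) -> list:
    """Interfaces whose inbound ACL begins with 'permit ip any any'."""
    return sorted(i for i, acl in pol.inbound.items()
                  if pol.acls.get(acl) and pol.acls[acl][0] == ("permit", "ip"))


# Constructed to mirror the post's layout: permit ip any any bound inbound everywhere.
CONFIG_FROM_POST = """
interface gigabitEthernet 1/1
 nameif inside
 security-level 100
interface gigabitEthernet 1/2
 nameif outside
 security-level 0
interface gigabitEthernet 1/3
 nameif dmz
 security-level 50
access-list 101 extended permit ip any any
access-group 101 in interface dmz
access-group 101 in interface inside
access-group 101 in interface outside
"""

# Constructed counterpart: same interfaces, one narrow inbound ACL on outside only.
CONFIG_HARDENED = """
interface gigabitEthernet 1/1
 nameif inside
 security-level 100
interface gigabitEthernet 1/2
 nameif outside
 security-level 0
interface gigabitEthernet 1/3
 nameif dmz
 security-level 50
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside
"""

if __name__ == "__main__":
    loose, tight = parse_asa(CONFIG_FROM_POST), parse_asa(CONFIG_HARDENED)
    print("post config, outside->inside tcp:", flow_allowed(loose, "outside", "inside", "tcp"))
    print("post config, wide-open interfaces:", wide_open_interfaces(loose))
    print("hardened, outside->inside tcp:", flow_allowed(tight, "outside", "inside", "tcp"))
    print("hardened, inside->dmz tcp:", flow_allowed(tight, "inside", "dmz", "tcp"))
```

With the post's ACL bound on every interface the model passes outside-to-inside TCP, which is exactly the default policy being overridden; with only the narrow ACL on outside, the level-based defaults hold and outside can only reach the DMZ with ICMP.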

Configuring Telnet and SSH on the ASA

Telnet configuration

Tip: the ASA does not allow Telnet on its lowest-security interface (for example outside). Telnet also sends credentials in cleartext, so prefer SSH and enable Telnet only for a lab or a trusted management subnet.

ciscoasa(config)# telnet ?
configure mode commands/options:
  WORD                The IP address of the host and/or network authorized to login to the system
  X:X:X:X::X/<0-128>  IPv6 address/prefix authorized to login to the system
  timeout             Configure telnet idle timeout
ciscoasa(config)# telnet 172.16.10.0 255.255.255.0 inside      # subnet and interface allowed to telnet in
ciscoasa(config)# username lisen password miller               # local account
ciscoasa(config)# aaa authentication ?                          # authenticate against the local user database
configure mode commands/options:
  ssh     SSH
  telnet  Telnet
ciscoasa(config)# aaa authentication telnet ?
configure mode commands/options:
  console  Specify this keyword to identify a server group for administrative authentication
ciscoasa(config)# aaa authentication telnet console ?
configure mode commands/options:
  LOCAL  Predefined server tag for AAA protocol "local"
ciscoasa(config)# aaa authentication telnet console LOCAL

SSH configuration

asa# conf t
asa(config)# hostname asa                              # hostname
asa(config)# domain-name chinaskills.cn                # domain name; hostname and domain name must both be set before generating the RSA key
asa(config)# crypto key generate rsa modulus 1024      # RSA key length; 1024 bits is too short for current practice, use 2048 or larger
WARNING: You have a RSA keypair already defined named .
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
asa(config)# ssh timeout 1                             # idle timeout in minutes
asa(config)# aaa authentication ssh console LOCAL      # authenticate SSH logins against the local user database
asa(config)# username chian password P@ssword!23       # local account
asa(config)# ssh 10.1.1.0 255.255.255.0 inside         # subnet and interface allowed to SSH in

Afterwards, verify the key with show crypto key mypubkey rsa and the permitted sources with show run ssh.
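The Telnet and SSH sections above both come down to two questions: which hosts may reach the management plane on which interface, and which settings a reviewer should flag. Here is an added example (not code from the original post or from Cisco) that parses the telnet, ssh, ssh timeout and aaa authentication ... console lines of an ASA configuration and answers both. The configuration strings are constructed from the post's commands, the function names are the example's own, and the RSA key size is not checked here because it is not a running-config line (verify it on the box with show crypto key mypubkey rsa).

```python
"""Management-plane check for the ASA telnet/ssh settings (added example,
not from the original post).

Parses 'telnet|ssh <net> <mask> <if>', 'ssh timeout <min>' and
'aaa authentication ssh|telnet console <tag>' lines, answers whether an
admin host may open a session on a given interface, and lists the
weaknesses a reviewer would flag.  Function names are this example's own.
"""
import ipaddress
import re

NET_RE = re.compile(r"(telnet|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
AAA_RE = re.compile(r"aaa authentication (ssh|telnet) console (\S+)$")


def parse_mgmt(config: str) -> dict:
    mgmt = {"telnet": [], "ssh": [], "ssh_timeout": None, "aaa": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NET_RE.match(line):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            mgmt[m[1]].append((net, m[4]))          # (permitted source network, interface)
        elif m := re.match(r"ssh timeout (\d+)$", line):
            mgmt["ssh_timeout"] = int(m[1])         # idle timeout in minutes
        elif m := AAA_RE.match(line):
            mgmt["aaa"].add((m[1], m[2]))
    return mgmt


def mgmt_allowed(mgmt: dict, proto: str, host: str, interface: str) -> bool:
    """Can `host` open a `proto` ('ssh' or 'telnet') session to the ASA on `interface`?"""
    addr = ipaddress.ip_address(host)
    return any(addr in net and iface == interface for net, iface in mgmt[proto])


def mgmt_findings(mgmt: dict, lowest_security_if: str = "outside") -> list:
    """Review findings for the management plane, as plain strings."""
    findings = []
    if mgmt["telnet"]:
        findings.append("telnet enabled: credentials cross the wire in cleartext, use ssh only")
    for _net, iface in mgmt["telnet"]:
        if iface == lowest_security_if:
            findings.append(f"telnet on {iface}: the ASA does not allow telnet on its lowest-security interface")
    for net, iface in mgmt["ssh"]:
        if net.prefixlen == 0:
            findings.append(f"ssh open to any source on {iface}: restrict it to the admin subnet")
    if mgmt["ssh"] and ("ssh", "LOCAL") not in mgmt["aaa"]:
        findings.append("no 'aaa authentication ssh console LOCAL': local usernames are not used for ssh login")
    if mgmt["ssh"] and mgmt["ssh_timeout"] is None:
        findings.append("ssh timeout not set: idle sessions keep the default 5-minute timeout")
    return findings


# Constructed from the post's telnet and ssh sections.
CONFIG_FROM_POST = """
telnet 172.16.10.0 255.255.255.0 inside
username lisen password miller
aaa authentication telnet console LOCAL
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 1
aaa authentication ssh console LOCAL
username chian password P@ssword!23
"""

# Constructed counter-example: ssh from anywhere on outside, no AAA, no timeout.
CONFIG_WEAK = """
ssh 0.0.0.0 0.0.0.0 outside
"""

if __name__ == "__main__":
    post = parse_mgmt(CONFIG_FROM_POST)
    print("10.1.1.25 ssh via inside: ", mgmt_allowed(post, "ssh", "10.1.1.25", "inside"))
    print("10.1.1.25 ssh via outside:", mgmt_allowed(post, "ssh", "10.1.1.25", "outside"))
    for finding in mgmt_findings(post) + mgmt_findings(parse_mgmt(CONFIG_WEAK)):
        print("-", finding)
```

Against the post's own settings the only finding is that Telnet is enabled at all; the counter-example shows the three settings that turn an ASA's SSH service into an Internet-facing login prompt.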

Further reading: ASA 9.x SSH and Telnet configuration example on the inside and outside interfaces (cisco.com)

Further reading: Cisco firewall configuration lab walkthrough on the Cisco PT simulator (jb51.net)
