CISCO 5520防火墙配置实例

CISCO5520防火墙配置实例本人在项目中已经两次接触到思科5500系列防火墙的配置应用了，根据项目的需求不同，详细的配置也不一样，因此汇总了一个通用版本的思科5500系列防火墙的配置，不详之处，请各位大虾给予指点，谢谢！CD-ASA5520#showrun:Saved:ASAVersion7.2(2)!hostnameCD-ASA5520 //给防火墙命名domain-namedefault.domain.invalid//定义工作域enablepassword9jNfZuG3TC5tCVH0encrypted//进入特权模式的密码namesdns-guard!interfaceGigabitEthernet0/0//内网接口：duplexfull//接口作工模式：全双工，半双，自适应nameifinside//为端口命名：内部接口insidesecurity-level100//设置安全级别0~100值越大越安全ipaddress192.168.1.1255.255.255.0//设置本端口的IP地址!interfaceGigabitEthernet0/1//外网接口nameifoutside//为外部端口命名：外部接口outsidesecurity-level0ipaddress202.98.131.122255.255.255.0//IP地址配置!interfaceGigabitEthernet0/2nameifdmzsecurity-level50ipaddress192.168.2.1255.255.255.0!interfaceGigabitEthernet0/3shutdownnonameifnosecurity-levelnoipaddress!interfaceManagement0/0//防火墙管理地址shutdownnonameifnosecurity-levelnoipaddress!passwd2KFQnbNIdI.2KYOUencryptedftpmodepassiveclocktimezoneCST8dnsserver-groupDefaultDNSdomain-namedefault.domain.invalidaccess-listoutside_permitextendedpermittcpanyinterfaceoutsideeq3389//访问控制列表access-listoutside_permitextendedpermittcpanyinterfaceoutsiderange3000030010//允许外部任何用户可以访问outside接口的30000-30010的端口。pagerlines24loggingenable//启动日志功能loggingasdminformationalmtuinside1500内部最大传输单元为1500字节mtuoutside1500mtudmz1500iplocalpoolvpnclient192.168.200.1-192.168.200.200mask255.255.255.0//定义一个命名为vpnclient的IP地址池,为remote用户分配IP地址nofailovericmpunreachablerate-limit1burst-size1asdmimagedisk0:/asdm-522.binnoasdmhistoryenablearptimeout14400//arp空闲时间为14400秒global(outside)1interface//由于没有配置NAT故这里是不允许内部用户上INTERNETstatic(dmz,outside)tcpinterface30000192.168.2.230000netmask255.255.255.255//端口映射可以解决内部要公布的服务太多，而申请公网IP少问题。static(dmz,outside)tcpinterface30001192.168.2.230001netmask255.255.255.255//把dmz区192.168.2.230002映射给外部30002端口上。static(dmz,outside)tcpinterface30002192.168.2.230002netmask255.255.255.255static(dmz,outside)tcpinterface30003192.168.2.230003netmask255.255.255.255static(dmz,outside)tcpinterface30004192.168.2.230004netmask255.255.255.255static(dmz,outside)tcpinterface30005192.168.2.230005netmask255.255.255.255static(dmz,outside)tcpinterface30006192.168.2.230006netmask255.255.255.255static(dmz,outside)tcpinterface30007192.168.2.230007netmask255.255.255.255static(dmz,outside)tcpinterface30008192.168.2.230008netmask255.255.255.255static(dmz,outside)tcpinterface30009192.168.2.230009netmask255.255.255.255static(dmz,outside)tcpinterface30010192.168.2.230010netmask255.255.255.255static(dmz,outside)tcpinterface3389192.168.2.23389netmask255.255.255.255access-groupoutside_permitininterfaceoutside//把outside_permit控制列表运用在外部接口的入口方向。routeoutside0.0.0.00.0.0.0202.98.131.1261//定义一个默认路由。timeoutconn1:00:00half-closed0:10:00udp0:02:00icmp0:00:02timeoutsunrpc0:10:00h3230:05:00h2251:00:00mgcp0:05:00mgcp-pat0:05:00timeoutsip0:30:00sip_media0:02:00sip-invite0:03:00sip-disconnect0:02:00timeoutuauth0:05:00absolute------------定义一个命名为vpnclient的组策略-------------------------group-policyvpnclientinternal//创建一个内部的组策略。group-policyvpnclientattributes//设置vpnclient组策略的参数wins-servervalue192.168.1.10//定义WINS-SERVER的IP地址。dns-servervalue192.168.1.1061.139.2.69//定义dns-server的IP地址。vpn-idle-timeoutnone//终止连接时间设为默认值vpn-session-timeoutnone//会话超时采用默认值vpn-tunnel-protocolIPSec//定义通道使用协议为IPSEC。split-tunnel-policytunnelspecified//定义。default-domainvaluecisco.com//定义默认域名为cisco.com------------定义一个命名为l2lvpn的组策略-------------------------group-policyl2lvpninternalgroup-policyl2lvpnattributeswins-servervalue192.168.1.10dns-servervalue192.168.1.1061.139.2.69vpn-simultaneous-logins3vpn-idle-timeoutnonevpn-session-timeoutnonevpn-tunnel-protocolIPSecusernametestpasswordP4ttSyrm33SV8TYpencryptedprivilege0//创建一个远程访问用户来访问安全应用usernameciscopassword3USUcOPFUiMCO4Jkencryptedhttpserverenable//启动HTTP服务http0.0.0.00.0.0.0inside//允许内部主机HTTP连接nosnmp-serverlocationnosnmp-servercontactsnmp-serverenabletrapssnmpauthenticationlinkuplinkdowncoldstart//snmp的默认配置cryptoipsectransform-setESP-DES-MD5esp-desesp-md5-hmac//配置转集（定义了IPSC隧道使用的加密和信息完整性算法集合）cryptodynamic-mapvpn_dyn_map10settransform-setESP-DES-MD5//为动态加密图条目定义传换集cryptomapoutside_map10ipsec-isakmpdynamicvpn_dyn_map//创建一个使用动态加密条目的加密图cryptomapoutside_mapinterfaceoutside//将outside_map加密图应用到outside端口------------配置IKE--------------cryptoisakmpenableoutside//在ostside接口启动ISAKMPcryptoisakmppolicy20//isakmmp权值，值越小权值越高authenticationpre-share//指定同位体认证方法是共享密钥encryptiondes//指定加密算法hashmd5//指定使用MD5散列算法group2//指定diffie-hellman组2lifetime86400//指定SA（协商安全关联）的生存时间cryptoisakmppolicy65535authenticationpre-shareencryptiondeshashmd5group2lifetime86400-------------调用组策略-----------------cryptoisakmpnat-traversal20tunnel-groupDefaultL2LGroupgeneral-attributes//配置这个通道组的认证方法default-group-policyl2lvpn//指定默认组策略名称。tunnel-groupDefaultL2LGroupipsec-attributes//配置认证方法为IPSECpre-shared-key*//提供IKE连接的预共享密钥tunnel-groupvpnclienttypeipsec-ra//设置连接类型为远程访问。tunnel-groupvpnclientgeneral-attributes//配置这个通道组的认证方法address-poolvpnclient//定义所用的地址池default-group-policyvpnclient//定义默认组策略-----设置认证方式和共享密钥-------------tunnel-groupvpnclientipsec-attributes//配置认证方法为IPSECpre-shared-key*//提供IKE