ASA 防火墙的 inside区域与outside区域

注:测试用telnet来测试
因为ASA默认之给TCP与UDP形成CONN表
icmp协议不能形成CONN表所以用ping方式
来测试是ping不通的是正常现象

ASA.配置:

ciscoasa# show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif Intside
security-level 0
ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 192.168.20.254 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
pager lines 24
mtu Intside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
crashinfo save disable
Cryptochecksum:715f838bf34db00a308a613eb31214ac
: end
ciscoasa# conf t
ciscoasa(config)# in g0
ciscoasa(config-if)# no na
ciscoasa(config-if)#no nameif Intside
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# --
^
ERROR: % Invalid input detected at ‘^‘ marker.
ciscoasa(config-if)#
ciscoasa(config-if)# qq
^
ERROR: % Invalid input detected at ‘^‘ marker.
ciscoasa(config-if)# q
ciscoasa(config)# q
ciscoasa# show rou
ciscoasa# show route
ciscoasa# show run
ciscoasa# show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 192.168.20.254 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
crashinfo save disable
Cryptochecksum:b6be07c60b5c6f70fdd258745b715629

R1配置:
[Connection to 192.168.20.1 closed by foreign host]
R1#show run
R1#show running-config
Building configuration...

Current configuration : 1164 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip tcp synwait-time 5
!
ip cef
no ip domain lookup
!
interface Ethernet0/0
ip address 192.168.10.1 255.255.255.0
half-duplex
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
interface Ethernet1/1
no ip address
shutdown
half-duplex
!
interface Ethernet1/2
no ip address
shutdown
half-duplex
!
interface Ethernet1/3
no ip address
shutdown
half-duplex
!
no ip http server
no ip http secure-server
ip route 192.168.20.0 255.255.255.0 192.168.10.254
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

R2配置:
R2#show running-config
Building configuration...

Current configuration : 1198 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable password 123
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip tcp synwait-time 5
!
!
ip cef
no ip domain lookup
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Ethernet0/1
ip address 192.168.20.1 255.255.255.0
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
interface Ethernet1/1
no ip address
shutdown
half-duplex
!
interface Ethernet1/2
no ip address
shutdown
half-duplex
!
interface Ethernet1/3
no ip address
shutdown
half-duplex
!
no ip http server
no ip http secure-server
ip route 192.168.10.0 255.255.255.0 192.168.20.254
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password asd
login

原文地址:http://blog.51cto.com/13585615/2084333

时间: 2024-10-13 00:28:11

ASA 防火墙的 inside区域与outside区域的相关文章

配置Cisco的ASA防火墙(三个区域)

配置Cisco的ASA防火墙(三个区域),布布扣,bubuko.com

Firewalld--01 防火墙安全、基本指令、区域配置

目录 Firewalld防火墙安全.基本指令.区域配置 1. 防火墙安全基本概述 2. 防火墙使用区域管理 3. 防火墙基本指令参数 4.防火墙区域配置策略 Firewalld防火墙安全.基本指令.区域配置 安全 1.按OSI七层模型 物理层 数据链路层 网络层 传输层 会话层 表示层 应用层 安全公司: 安全狗 知道创宇 牛盾云 物理环境: 物理环境: 硬件安全 机柜上锁,避免电源被拔(UPS, 可以双电源),网线被拔(打标签) 温度,硬件检查 网络安全 (硬件防火墙(防DOS),软件防火墙

asa防火墙基本上网综合实验

实验要求: 分别划分inside(内网),outside(外网),dmz(服务器区)三个区 配置PAT,直接使用outside接口的ip地址进行转换 配置静态NAT,发布内网服务器 启用NAT控制,配置NAT豁免,内网访问dmz区中的主机时,不做NAT转换 R1配置: R1#conf t Enter configuration commands, one per line.  End with CNTL/Z. R1(config)#host outsite outsite(config)#int

ASA防火墙的应用

实验 实验拓扑图: 实验环境:   在虚拟机上搭建一台2008服务器和一台linux服务器:     实验要求:   一,在ASA防火墙上配置inside,outside,dmz区域,配置ACL实现ICMP流量可以穿越防火墙. 二,通过配置ACL禁止DMZ区域访问outside区域,但可以访问inside区域. 三,将内网的10.0网段通过动态PAT转换成公网outside接口地址访问WEB网页. 四,创建静态PAT将DMZ区域的Apache服务器内网地址映射成公网地址. 五,配置SSH,在in

ASA 防火墙

ASA是状态化防火墙,会建立一个用户信息连接表(Conn),连接表中包含的相关信息有源IP地址.目的IP地址.IP协议(如TCP或UDP).IP协议信息(如TCP/UDP的端口号.TCP序列号和TCP控制位). ASA安全算法原理会执行三项基本操作 1.访问控制列表-基于特定网络.主机和服务控制网络访问,有两个作用允许入站连接和控制出站的流量 2.连接表-维护每个连接状态信息,在已建立的连接中有效转发数据流量,入站流量如果conn表中没有将会丢弃 3.检查引擎-执行状态检查和应用层检查 工作原理

ASA防火墙应用配置(NAT和PAT)

                                         实验配置ASA应用(NAT和PAT) inisde区域是内部,ip地址192.168.1.1网关,outside区域是外部,也就是公网12.0.0.0网段,DMZ区域是隔离区,ip地址192.168.10.1 C3是server2008服务器并且提供WEB网站,IP地址13.0.0.2,网关13.0.0.1,虚拟机网卡绑定VMnet1 C2是linux服务器并且提供APACHE服务,ip地址192.168.10.1

基于ASA防火墙做URL地址过滤

下面直接开始操作实验过程.SW1和SW2上面只需要关闭路由功能就行.下面是在ASA防火墙上的操作,启动ASA的startup-config配置文件. 然后配置ASA防火墙的IP地址,设置相应的区域,并且做了一个NAT地址转换. 此时配置完成就可以互相连通了.下面来检查客户机的IP地址配置,本地连接2回环网卡的配置如下所示. 下面再来检查linux服务器的IP地址配置,首先查看连接网卡VMnet1要和拓扑图衔接,宿主机上的VMnet1设置为自动获取就行. 编辑linux服务器的IP地址.子网掩码和

【思科防火墙】思科ASA防火墙企业网实例

前提:随着网络发展,网络安全成为当前重要的课题,越来越多的公司会选择将防火墙作为公司出口设备,相比于路由器,防火墙除了具有转发路由的功能外,还可以对内部.外部的流量进行过滤,从而进一步加强公司网络的安全性. 实验拓扑: 实验目的:如图,公司内网划分为两个vlan,vlan10和vlan 20,将三层交换机M1作为网关,将思科防火墙ASA1作为公司的出口设备,R1为运营商路由器,在R1环回口1.1.1.1/32模拟外网. 在ASA1上做PAT,使得内网主机可以上外网 在ASA1上做配置,使得R1可

简单配置基于OSPF、ASA防火墙的网络拓扑

今天简单来配置一个防火墙三项外围网网络拓扑图,基于OSPF推荐步骤:*** R1和R2配置OSPF宣告指定的OSPF区域 R2和R3配置OSPF宣告指定的OSPF区域 R3和R4配置OSPF宣告的指定的区域 R4和PC1.DMZ区域的服务器通信使用默认路由 ASA访问访问OSPF内部网络配置默认路由 R4配置路由重分发全网互通 DMZ服务器模拟web和telnet将服务器发布到Outside指定的IP地址上,使用PC访问测试实验步骤:** R1进入0/0接口配置IP地址192.168.1.1R1