因工作需要,对CISCO ASA5505进行简单的配置,参考网上的文章总结了部分简单的功能配置方法,主要是PAT,WEB SSL VPN的配置,还有简单的访问控制列表。
----- 1. 设备命名--------
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# hostname ASA5505
----- 2. 添加enable密码 ----------
ASA5505(config)# password xxxxx ------------------远程密码
ASA5505(config)# enable password xxxxx ------------------特权模式密码
----- 3. 配置内网接口 ----------
ASA5505(config)# interface vlan 3
ASA5505(config-if)# ip address 192.168.10.1 255.255.255.0 ----分配IP地址
ASA5505(config-if)# nameif inside ----内网子网命名
ASA5505(config-if)# security-level 100 ----安全级别设定(0-最高级 100-最低级)
ASA5505(config-if)# exit
----- 4. 配置外网接口 ----------
ASA5505(config)# interface vlan 2
ASA5505(config-if)# ip address 10.2.0.1 255.255.255.0 ----分配IP地址
ASA5505(config-if)# nameif outside ----内网子网命名
ASA5505(config-if)# security-level 0 ----安全级别设定(0-最高级 100-最低级)
ASA5505(config-if)# exit
----- 5. 端口加入VLAN ----------
ASA5505(config)# interface e0/1 ------------------进入接口e0/1
ASA5505(config-if)# switchport access vlan 3 ------------------接口e0/1加入vlan3
ASA5505(config-if)# exit
ASA5505(config)# interface vlan 3 ------------------进入vlan3
ASA5505(config-if)# show switch vlan ------------------验证配置
----- 6. 启用http服务 ----------
ASA5505(config)#http server enable ------------------启动HTTP server,便于ASDM连接。
ASA5505(config)#http 192.168.10.0 255.255.255.0 inside ------------------对内启用ASDM连接
----- 7. 启用ssh服务 ----------
ASA5505(config)# aaa authentication ssh console LOCAL
ASA5505(config)# username xxxx password xxxx -------创建ssh用户
ASA5505(config)# passwd xxxx
ASA5505(config)# ssh xxx.xxx.xxx.xxx 255.255.255.252 outside ----允许某网段进行ssh访问
ASA5505(config)# ssh 192.168.10.0 255.255.255.0 inside ----允许192.168.10.13的网段进行ssh访问
ASA5505(config)# ssh timeout 30 ------设置30分钟超时
----- 8. 设置DNS ----------
ASA5505(config)# dns name-server 202.106.0.20 ------设置DNS服务器
ASA5505(config)# dns name-server 202.96.64.68 ------设置DNS服务器
ASA5505(config)# dns domain-lookup inside --------DNS设置作用在内网
----- 9. 设置基于端口NAT ----------
ASA5505(config)# global (outside) 1 interface ----------------定义全局地址即outside地址
ASA5505(config)# nat (inside) 1 192.168.10.0 255.255.255.0 ------------------内部转换地址池
ASA5505(config)# show xlate -------验证配置
----- 10. 添加静态路由 ----------
ASA5505(config)# route outside 0.0.0.0 0.0.0.0 10.2.0.254 1
----- 11. 建立对象组 ----------
ASA5505(config)# object-group network mgmgroup
ASA5505(config)# description remote management
ASA5505(config)# network-object xxx.xxx.xxx.xxx 255.255.255.0
----- 12. 添加控制列表 ----------
---------对象组 ----------------
ASA5505(config)# access-list aclout extended permit tcp object-group mgmgroup host xxx.xxx.xxx.xxx eq 13392
ASA5505(config)# access-list aclout extended permit tcp object-group mgmgroup host xxx.xxx.xxx.xxx eq 1633
ASA5505(config)# access-list aclout extended permit tcp object-group mgmgroup host xxx.xxx.xxx.xxx eq 16104
-------单IP-------------------
ASA5505(config)# same-security-traffic permit intra-interface ------------允许内网访问外网地址或域名
ASA5505(config)# access-list aclout extended permit icmp any any ---------- 允许所有IP使用ICMP
ASA5505(config)# access-list aclout extended permit ip any any ---------- 允许所有IP访问
ASA5505(config)# access-list aclout extended permit tcp any host xxx.xxx.xxx.xxx eq 13392 -----允许tcp协议13392端口到xxx.xxx.xxx.xxx主机
ASA5505(config)# access-list aclout extended permit tcp any host xxx.xxx.xxx.xxx eq 1633 -----允许tcp协议1633端口到xxx.xxx.xxx.xxx主机
ASA5505(config)# access-list aclout extended permit tcp any host xxx.xxx.xxx.xxx eq 16104 -----允许tcp协议16104端口到xxx.xxx.xxx.xxx主机
ASA5505(config)# access-list aclin extended permit ip any any
ASA5505(config)# access-list aclin extended permit icmp any any
ASA5505(config)# access-list aclin extended permit tcp any any
----- 13. 应用控制列表到VLAN ----------
ASA5505(config)# access-group aclin in interface inside
ASA5505(config)# access-group aclout in interface outside
----- 14. 端口映射 ----------
ASA5505(config)# static (inside,outside) tcp interface 13392 xxx.xxx.xxx.xxx 3389 netmask 255.255.255.255
ASA5505(config)# static (inside,outside) tcp interface 1633 xxx.xxx.xxx.xxx 1433 netmask 255.255.255.255
ASA5505(config)# static (inside,outside) udp interface 16104 xxx.xxx.xxx.xx snmp netmask 255.255.255.255
----- 15. WEB SSL VPN ----------
-----生成一个RSA密钥的证书,该名称是是唯一的
ASA5505(config)# crypto key generate rsa label sslvpnkeypair
----建立一个自我信任点颁发的证书
ASA5505(config)# crypto ca trustpoint localtrust
ASA5505(config-ca-trustpoint)# enrollment self
ASA5505(config-ca-trustpoint)# fqdn sslvpn.deepnight.net
ASA5505(config-ca-trustpoint)# subject-name CN=sslvpn.deepnight.net
ASA5505(config-ca-trustpoint)# keypair sslvpnkeypair
ASA5505(config-ca-trustpoint)# crypto ca enroll localtrust noconfirm
CISCOASA(config)# ssl trust-point localtrust outside
------配置SSL VPN客户端-----
ASA5505(config)# webvpn
ASA5505(config-webvpn)# svc image disk0:/sslclient-win-1.1.4.179-anyconnect.pkg 1
------启用SSL VPN访问------
ASA5505(config-webvpn)# enable outside
ASA5505(config-webvpn)# svc enable
ASA5505(config-webvpn)# tunnel-group-list enable
ASA5505(config-webvpn)# exit
------建立SSL VPN拨号地址池------
ASA5505(config)# ip local pool SSLClientPool 192.168.20.1-192.168.20.20 mask 255.255.255.0
------创建组策略-------
ASA5505(config)# group-policy SSLCLientPolicy internal
ASA5505(config)# group-policy SSLCLientPolicy attributes
ASA5505(config-group-policy)# dns-server value 202.106.0.20 202.96.64.68
ASA5505(config-group-policy)# vpn-tunnel-protocol svc
ASA5505(config-group-policy)# address-pools value SSLClientPool
ASA5505(config-group-policy)# exit
-------配置访问列表旁路-----
ASA5505(config)# sysopt connection permit-vpn
--------创建连接配置文件和隧道组-----------
---------创建隧道组SSL 客户端------
ASA5505(config)# tunnel-group SSLClientProfile type remote-access
---------给SSL VPN隧道分配特定的属性----------
ASA5505(config)# tunnel-group SSLClientProfile general-attributes
ASA5505(config-tunnel-general)# default-group-policy SSLCLientPolicy
ASA5505(config-tunnel-general)# tunnel-group SSLClientProfile webvpn-attributes
ASA5505(config-tunnel-webvpn)# group-alias SSLVPNClient enable
ASA5505(config-tunnel-webvpn)# exit
--------------将隧道组列表在webvpn中开启-------
ASA5505(config)# webvpn
ASA5505(config-webvpn)# tunnel-group-list enable
ASA5505(config-webvpn)# exit
-------------配置NAT免除--------
ASA5505(config)# access-list no_nat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
ASA5505(config)# nat (inside) 0 access-list no_nat
-----------配置用户账户--------
ASA5505(config)# username xxxx password xxxx
ASA5505(config)# username xxxx attributes
ASA5505(config-username)# service-type remote-access
ASA5505(config-username)# exit
------------配置隧道分离------
ASA5505(config)# access-list vpnclient_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
ASA5505(config)# group-policy SSLCLientPolicy attributes
ASA5505(config-group-policy)# split-tunnel-policy tunnelspecified
ASA5505(config-group-policy)# split-tunnel-network-list value vpnclient_splitTunnelAcl
ASA5505(config-group-policy)# exit
----- 16. 日志输出功能 ----------
-------服务器端日志收集使用的是3CDaemon------
ASA5505(config)# logging enable ------开启日志功能
ASA5505(config)# logging trap informational ------指定日志级别
ASA5505(config)# logging asdm informational ------指定asdm级别
ASA5505(config)# logging host inside xx.xxx.xxx.xxx ------------指定接收服务器