Cisco ASA Firewall Deployment Case Study
Check the firewall's current operating mode:
ciscoasa# show firewall
Firewall mode: Router
Set the firewall to transparent mode:
ciscoasa(config)# firewall transparent
Set the firewall to routed mode:
ciscoasa(config)# firewall router
Note: once the firewall is switched to transparent mode the running configuration is cleared, so be sure to save the configuration to flash memory first.
Configure the transparent firewall:
ciscoasa(config)# firewall transparent
ciscoasa# show firewall
Firewall mode: Transparent
Configure the security zones (interface names) and the management IP:
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.201 255.255.255.0
ciscoasa(config-if)# no shu
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# no shu
Default route:
ciscoasa(config)# route outside 0 0 10.1.1.2
Static route:
ciscoasa(config)# route inside 192.168.100.0 255.255.255.0 192.168.1.3
Check the status of MAC address learning:
ciscoasa(config)# show mac-learn
interface mac learn
-------------------------------------------
inside enabled
outside enabled
Display the MAC address table:
ciscoasa(config)# show mac-address-table inside
interface mac address type Age(min)
------------------------------------------------------------------
inside 0023.4ee0.7b6c dynamic 5
inside d0df.9a02.b1ac dynamic 5
inside 0022.1961.760c dynamic 5
inside 0015.0065.8e00 dynamic 5
inside ec6c.9f02.26ba dynamic 5
Set the MAC address aging time (minutes):
ciscoasa(config)# mac-address-table aging-time 10
Define static MAC address table entries for frequently used hosts:
ciscoasa(config)# mac-address-table static inside 0023.4ee0.7b6c
The type now shown for that MAC in the MAC address table:
ciscoasa(config)# show mac-address-table
interface mac address type Age(min)
------------------------------------------------------------------
inside 0023.4ee0.7b6c static
Disable MAC address learning on an interface:
ciscoasa(config)# mac-learn outside disable
Add a static ARP entry (never ages out):
ciscoasa(config)# arp inside 192.168.1.120 0023.4ee0.7b6c
Enable ARP inspection:
ciscoasa(config)# arp-inspection inside enable flood
ciscoasa(config)# arp-inspection outside enable no-flood
Display the ARP inspection status of each interface:
ciscoasa(config)# show arp-inspection
interface arp-inspection miss
----------------------------------------------------
inside enabled flood
outside enabled no-flood
Configure an EtherType access list (not inspected; permits BPDU and IPX traffic in both directions):
ciscoasa(config)# access-list access1 ethertype permit bpdu
ciscoasa(config)# access-list access1 ethertype permit ipx
ciscoasa(config)# access-group access1 in interface inside
ciscoasa(config)# access-group access1 in interface outside
Configure an ACL that permits all IP protocols:
ciscoasa(config)# access-list access2 permit any
Permit traffic between interfaces at the same security level:
ciscoasa(config)# same-security-traffic permit inter-interface
ciscoasa(config)# same-security-traffic permit intra-interface
Display the xlate table (NAT translations) and the connection table:
ciscoasa(config)# show xlate
0 in use, 0 most used
ciscoasa(config)# show conn
0 in use, 1 most used
Static NAT and static port mapping:
ciscoasa(config)# static (inside,outside) 10.1.1.1 192.168.0.5 netmask 255.255.255.255  (one-to-one mapping of an entire host)
ciscoasa(config)# static (inside,outside) interface 192.168.0.5 netmask 255.255.255.255  (maps the outside interface address to the inside host 192.168.0.5)
ciscoasa(config)# static (inside,outside) tcp 10.1.1.1 www 192.168.0.5 www netmask 255.255.255.255  (maps port 80 of the outside IP 10.1.1.1 to port 80 of 192.168.0.5)
ciscoasa(config)# static (inside,outside) tcp 10.1.1.1 smtp 192.168.0.10 smtp netmask 255.255.255.255  (maps port 25 of the outside IP 10.1.1.1 to port 25 of 192.168.0.10)
Permit the mapped ports inbound on the outside interface:
ciscoasa(config)# access-list access1 permit tcp any host 10.1.1.1 eq www
ciscoasa(config)# access-list access1 permit tcp any host 10.1.1.1 eq smtp
ciscoasa(config)# access-group access1 in interface outside
NAT exemption: traffic matching the ACL entries is not translated:
ciscoasa(config)# access-list access2 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# access-list access2 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# access-list access2 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list access2
Note: when hosts in 192.168.0.0/24 access hosts in 192.168.1.0/24, 192.168.2.0/24 or 192.168.3.0/24, no NAT translation is performed.
Policy static NAT: translate the traffic matched by a specific ACL to the fixed IP 10.1.1.1:
ciscoasa(config)# access-list access3 permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
ciscoasa(config)# static (inside,outside) 10.1.1.1 access-list access3 0 0
Global PAT: inside hosts in 192.168.0.0/16 accessing any IP are translated to the global IP of the outside interface:
ciscoasa(config)# access-list access4 permit ip 192.168.0.0 255.255.0.0 any
ciscoasa(config)# nat (inside) 1 access-list access4
ciscoasa(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
Dynamic NAT (translate to a pool of global addresses):
ciscoasa(config)# access-list access4 permit ip 192.168.0.0 255.255.0.0 any
ciscoasa(config)# nat (inside) 1 access-list access4
ciscoasa(config)# global (outside) 1 10.1.1.1-10.1.1.254 netmask 255.255.255.0
Permit only the allowed subnets on the inside interface:
ciscoasa(config)# access-list access0 permit ip 192.168.0.0 255.255.255.0 any
ciscoasa(config)# access-list access1 permit ip 192.168.1.0 255.255.255.0 any
ciscoasa(config)# access-list access1 deny ip any any
ciscoasa(config)# access-group access0 in interface inside
Display the currently configured ACLs:
ciscoasa(config)# show running-config access-list
access-list access1 extended permit tcp any host 10.1.1.1 eq www
access-list access1 extended permit tcp any host 10.1.1.1 eq smtp
access-list access2 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list access3 extended permit ip 192.168.0.0 255.255.0.0 any
ciscoasa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list access1; 2 elements
access-list access1 line 1 extended permit tcp any host 10.1.1.1 eq www
access-list access1 line 2 extended permit tcp any host 10.1.1.1 eq smtp
access-list access2; 1 elements
access-list access2 line 1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list access3; 1 elements
access-list access3 line 1 extended permit ip 192.168.0.0 255.255.0.0 any
Rename an ACL:
ciscoasa(config)# access-list access3 rename access_3
Add a remark to an ACL (for the whole list, or at a specific line):
ciscoasa(config)# access-list access3 remark ACL_3_NAT
ciscoasa(config)# access-list access1 line 2 remark ACL_SMTP_PERMIT
Remove an ACL entry:
ciscoasa(config)# no access-list access1 extended permit ip any any
Define a network object group:
ciscoasa(config)# object-group network Accounting_Addrs
ciscoasa(config-network)# description List of Accounting Dept IP Addresses
ciscoasa(config-network)# network-object host 192.168.0.1
ciscoasa(config-network)# network-object host 192.168.0.2
ciscoasa(config-network)# network-object host 192.168.0.3
ciscoasa(config-network)# network-object 192.168.1.0 255.255.255.0
Note: a host IP added to an object group is automatically expanded into every ACL that references the group.
Reference a network object group from another group:
ciscoasa(config)# object-group network RemoteSite_addrs
ciscoasa(config-network)# group-object Accounting_Addrs
Define a protocol object group:
ciscoasa(config)# object-group protocol Tunnel1_proto
ciscoasa(config-protocol)# description Tunneling Protocols
ciscoasa(config-protocol)# protocol-object ipinip
ciscoasa(config-protocol)# protocol-object esp
ciscoasa(config-protocol)# protocol-object ah
ciscoasa(config-protocol)# protocol-object gre
Reference a protocol object group from another group:
ciscoasa(config)# object-group protocol Group1_proto
ciscoasa(config-protocol)# group-object Tunnel1_proto
Define a basic (TCP) service object group:
ciscoasa(config-protocol)# object-group service Web_ports tcp
ciscoasa(config-service)# description TCP ports used by Web browsers
ciscoasa(config-service)# port-object eq www
ciscoasa(config-service)# port-object eq https
ciscoasa(config-service)# port-object range 8080 8088
ciscoasa(config-service)# exit
Reference a basic service object group from another group:
ciscoasa(config)# object-group service Example_ports tcp
ciscoasa(config-service)# group-object Web_ports
Define an enhanced service object group (mixed protocols, source and destination ports):
ciscoasa(config-service)# object-group service test
ciscoasa(config-service)# description test service
ciscoasa(config-service)# service-object icmp echo
ciscoasa(config-service)# service-object icmp echo-reply
ciscoasa(config-service)# service-object esp
ciscoasa(config-service)# service-object udp eq isakmp
ciscoasa(config-service)# service-object udp source 10000
ciscoasa(config-service)# service-object tcp eq www
ciscoasa(config-service)# exit
Note: an enhanced service object group can be referenced only once in an ACL entry.
Use object groups in an ACL:
ciscoasa(config)# access-list access5 extended permit tcp object-group RemoteSite_addrs any object-group Web_ports
ciscoasa(config)# access-list access6 extended permit object-group test any host 192.168.0.100
Reset the hit counters of an ACL:
ciscoasa(config)# clear access-list access5 counters
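As an added example (not code from the original post or from Cisco), the following Python model shows what the note on object groups means in practice: nested group-object references are flattened when an ACL is evaluated, the first matching entry of access5 wins, and anything unmatched hits the implicit deny. The group contents and the ACE are transcribed from the commands above; the evaluation logic is a simplified model of the ASA, not its real implementation.

```python
import ipaddress

# Object groups transcribed from the page; "group-object" entries nest other groups.
NETWORK_GROUPS = {
    "Accounting_Addrs": ["192.168.0.1/32", "192.168.0.2/32",
                         "192.168.0.3/32", "192.168.1.0/24"],
    "RemoteSite_addrs": ["group-object Accounting_Addrs"],
}
SERVICE_GROUPS = {
    "Web_ports": ["80", "443", "8080-8088"],        # eq www, eq https, range 8080 8088
    "Example_ports": ["group-object Web_ports"],
}

def expand(groups, name, seen=frozenset()):
    """Flatten nested group-object references. The ASA expands a group this way
    whenever an ACL that uses it is evaluated, so a host added to Accounting_Addrs
    is also seen by ACLs that reference RemoteSite_addrs."""
    if name in seen:
        raise ValueError("circular group-object reference: " + name)
    flat = []
    for item in groups[name]:
        if item.startswith("group-object "):
            flat.extend(expand(groups, item.split()[1], seen | {name}))
        else:
            flat.append(item)
    return flat

def in_network(group, ip):
    return group == "any" or any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        for net in expand(NETWORK_GROUPS, group))

def in_service(group, port):
    if group == "any":
        return True
    for entry in expand(SERVICE_GROUPS, group):
        lo, _, hi = entry.partition("-")          # "80" or "8080-8088"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

# access-list access5 extended permit tcp object-group RemoteSite_addrs any object-group Web_ports
ACCESS5 = [("permit", "tcp", "RemoteSite_addrs", "any", "Web_ports")]

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE decides; a packet matching no ACE hits the implicit deny."""
    for action, aproto, sgrp, dgrp, pgrp in acl:
        if (aproto == proto and in_network(sgrp, src)
                and in_network(dgrp, dst) and in_service(pgrp, dport)):
            return action
    return "deny"  # implicit deny at the end of every ASA ACL
```

Appending a new host to Accounting_Addrs changes the result of evaluate() for that host without touching ACCESS5, which is exactly the auto-expansion the note describes.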
Shun a malicious host (drop all connections from the source address):
ciscoasa(config)# shun 172.21.4.8
Display connections:
ciscoasa(config)# show conn
Display active shuns:
ciscoasa(config)# show shun
Display the system log:
ciscoasa(config)# show logging
Display shun statistics:
ciscoasa(config)# show shun statistics
Remove a specific shunned source address:
ciscoasa(config)# no shun 172.21.4.8
This article comes from the "运维之家 (QQ group: 1991706)" blog; please keep this attribution: http://304076020.blog.51cto.com/7503470/1563925