Jiangsu Sipeng Information: ASA Simulator
Published: 2014-12-07   Views: 6668
 

Cisco ASA configuration

ciscoasa> en

Password:

ciscoasa# conf t

ciscoasa(config)# int e0/0

ciscoasa(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)# security-level 100

ciscoasa(config-if)# ip add 10.1.1.1 255.255.255.0

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# int e0/1

ciscoasa(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)# security-level 0

ciscoasa(config-if)# ip add 20.1.1.1 255.255.255.0

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)#

Basic test

inside#ping 10.1.1.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 8/27/52 ms

inside#

outside#ping 20.1.1.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 12/34/64 ms

outside#

Both the inside host and the outside host can ping their gateway.

The inside host opens a telnet connection to the outside host

inside#telnet 20.1.1.2

Trying 20.1.1.2 ... Open

 

User Access Verification

 

Password:

outside>en

Password:

outside#

By default the ASA permits access from a higher security level to a lower one. The telnet session is a TCP connection, and it appears in the firewall's connection table:

ciscoasa# show conn detail

1 in use, 1 most used

Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,

       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,

       E - outside back connection, F - outside FIN, f - inside FIN,

       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,

       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response

       k - Skinny media, M - SMTP data, m - SIP media, n - GUP

       O - outbound data, P - inside back connection, q - SQL*Net data,

       R - outside acknowledged FIN,

       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,

       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up

       X - inspected by service module

TCP outside:20.1.1.2/23 inside:10.1.1.2/11001 flags UIO

outside#show users

    Line       User       Host(s)              Idle       Location

*  0 con 0                idle                 00:00:00   

 130 vty 0                idle                 00:00:15 10.1.1.2

 

  Interface    User               Mode         Idle     Peer Address

Access from a lower security level to a higher one, by contrast, fails.

outside#telnet 10.1.1.2

Trying 10.1.1.2 ...

% Connection timed out; remote host not responding

To let the outside host reach the inside host, an inbound rule must be written on the firewall:

ciscoasa(config)# access-list out-to-in permit ip host 20.1.1.2 host 10.1.1.2

ciscoasa(config)# access-group out-to-in in interface outside

ciscoasa(config)#

Test

outside#telnet 10.1.1.2

Trying 10.1.1.2 ... Open

User Access Verification

 

Password:

inside>en

Password:

inside#

The inbound rule can also be written more narrowly, matching only TCP port 23:

ciscoasa(config)# access-list out-to-in permit tcp host 20.1.1.2 host 10.1.1.2 eq 23

ciscoasa(config)# access-group out-to-in in interface outside

To control outbound traffic on the ASA, the rule can be written like this:

ciscoasa(config)# access-list in-to-out deny ip 10.1.1.0 255.255.255.0 any

ciscoasa(config)# access-list in-to-out permit ip any any

ciscoasa(config)# access-group in-to-out in interface inside

Test

inside#telnet 20.1.1.2

Trying 20.1.1.2 ...

% Connection refused by remote host
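As an added illustration that is not part of the original post, the following Python models the decision logic the three configurations above exercise: the security-level default, then the out-to-in and in-to-out access-groups. It is a simplified model of the first packet of a new flow; the ASA's stateful handling of return traffic and NAT are left out, and the interface names, addresses and ports are taken from the session above.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol, as on the ASA
    src: str               # CIDR; "0.0.0.0/0" stands for the keyword "any"
    dst: str
    dport: int = None      # None means no "eq <port>" qualifier

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

@dataclass
class Interface:
    name: str
    security_level: int
    inbound_acl: list = field(default_factory=list)  # access-group <acl> in interface <name>

def permitted(ingress, egress, proto, src, dst, dport=None):
    """Is the first packet of a new flow entering `ingress` and leaving `egress` allowed?"""
    if ingress.inbound_acl:
        # A bound ACL replaces the level-based default: first match wins,
        # and an implicit deny sits at the end of the list.
        for ace in ingress.inbound_acl:
            if ace.matches(proto, src, dst, dport):
                return ace.action == "permit"
        return False
    # No ACL bound: higher -> lower security level passes, lower -> higher does not.
    return ingress.security_level > egress.security_level

def walkthrough():
    """Replay the three configurations from the page; returns {step: permitted?}."""
    inside, outside = Interface("inside", 100), Interface("outside", 0)
    r = {"default_in_to_out": permitted(inside, outside, "tcp", "10.1.1.2", "20.1.1.2", 23),
         "default_out_to_in": permitted(outside, inside, "tcp", "20.1.1.2", "10.1.1.2", 23)}
    # access-list out-to-in permit tcp host 20.1.1.2 host 10.1.1.2 eq 23
    outside.inbound_acl = [Ace("permit", "tcp", "20.1.1.2/32", "10.1.1.2/32", 23)]
    r["acl_out_to_in_telnet"] = permitted(outside, inside, "tcp", "20.1.1.2", "10.1.1.2", 23)
    r["acl_out_to_in_ssh"] = permitted(outside, inside, "tcp", "20.1.1.2", "10.1.1.2", 22)
    # access-list in-to-out deny ip 10.1.1.0 255.255.255.0 any / permit ip any any
    inside.inbound_acl = [Ace("deny", "ip", "10.1.1.0/24", "0.0.0.0/0"),
                          Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]
    r["acl_in_to_out_telnet"] = permitted(inside, outside, "tcp", "10.1.1.2", "20.1.1.2", 23)
    return r
```

The `acl_out_to_in_ssh` case shows why the port-specific form of the inbound rule is preferable to `permit ip host ... host ...`: once an access-group is bound to an interface, only what the list explicitly permits gets through.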
