Building an ASA Test Environment
The company has just purchased a Cisco ASA 5520. I had only worked with Juniper firewalls before and had never touched a Cisco firewall, so I am first building a test environment and will then explore the other features step by step.
Three interfaces are enabled on the ASA 5520: E0/0, E0/1 and E0/2 (gigabit ports in the real environment; the emulator can only emulate 100 Mbps ports). The interface configuration is as follows:
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
OUTSIDE router configuration:
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.1
DMZ router configuration:
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.1.1
INSIDE-PC configuration:
IP:192.168.1.2
GW:192.168.1.1
ASA configuration:
Clear the entire configuration:
myfiewall(config)# clear config all
ciscoasa(config)#
Set the address and security level of each interface:
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip addr 10.1.1.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# description OUTSIDE
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# ip addr 172.16.1.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ciscoasa(config-if)# sec
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# desc
ciscoasa(config-if)# description DMZ
ciscoasa(config-if)# interface ethernet 0/2
ciscoasa(config-if)# ip addr 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# description INSIDE
ciscoasa(config)# hostname MyFirewall
MyFirewall(config)#
Enable ASDM management from the inside interface:
MyFirewall(config)# username cisco password cisco privilege 15
MyFirewall(config)# aaa authentication http console LOCAL
MyFirewall(config)# http server enable
MyFirewall(config)# http 0.0.0.0 0.0.0.0 inside
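As an added check (my own example, not part of the original post), the following Python script parses the interface blocks and the http management lines from an ASA running-config and flags two things a reviewer would want to see before the box leaves the lab: interfaces without an explicit security-level, and ASDM access granted on an interface other than the most trusted one or to any source address (as the `http 0.0.0.0 0.0.0.0 inside` line above does). The configuration text is constructed to match this lab; the function names are mine.

```python
import ipaddress
import re

# Constructed sample: a show running-config excerpt matching the lab above (not from the page).
LAB_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
http server enable
http 0.0.0.0 0.0.0.0 inside
"""

def parse_interfaces(config):
    """Map each nameif to its security-level (None if the line is absent)."""
    levels, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new interface block, nameif not seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
            levels[name] = None
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels

def audit(config):
    """Return findings on missing security levels and over-broad ASDM (http) access."""
    levels = parse_interfaces(config)
    findings = [f"{n}: no explicit security-level" for n, lvl in levels.items() if lvl is None]
    top = max((lvl or 0) for lvl in levels.values()) if levels else 0
    # "http <source> <mask> <nameif>" permits ASDM/HTTPS management from that source.
    for src, mask, nameif in re.findall(r"^http (\S+) (\S+) (\S+)$", config, re.M):
        allowed = ipaddress.ip_network(f"{src}/{mask}", strict=False)
        if levels.get(nameif) != top:
            findings.append(f"http: ASDM exposed on '{nameif}', not the most trusted interface")
        elif allowed.prefixlen == 0:
            findings.append(f"http: any host on '{nameif}' may reach ASDM; limit it to management hosts")
    return findings
```

Replacing the wildcard line with `http 192.168.1.2 255.255.255.255 inside` (the INSIDE-PC only) makes the audit come back clean.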
Test connectivity to the inside, dmz and outside zones:
MyFirewall# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
MyFirewall# ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/12/30 ms
MyFirewall# ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/10/30 ms
MyFirewall#
Configure the outside router's IP address and default route:
outside(config)#hostname outside
outside(config)#interface fastEthernet 0/0
outside(config-if)#ip addr 10.1.1.2 255.255.255.0
outside(config-if)#no sh
outside(config-if)#description OUTSIDE
outside(config-if)#end
outside#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/17/36 ms
outside#
Configure the dmz router and its default route:
DMZ(config)#hostname DMZ
DMZ(config)#interface fastEthernet 0/0
DMZ(config-if)#ip add 172.16.1.2 255.255.255.0
DMZ(config-if)#no shu
DMZ(config-if)#description DMZ
DMZ(config-if)#end
DMZ#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/39/108 ms
DMZ#
Managing the ASA from the web interface:
Download, install and run the ASDM management tool.
Note:
Content to be added later: NAT, ×××, ROUTE, FIREWALL and other commonly used features.
Reposted from: https://blog.51cto.com/bobo365/1892495