思科ASA5505防火墙配置成功实例
配置要求:
1、 分别划分inside(内网)、outside(外网)、dmz(安全区)三个区域。
2、 内网可访问外网及dmz内服务器(web),外网可访问dmz内服务器(web)。
3、 Dmz服务器分别开放80、21、3389端口。
说明:由于防火墙许可限制“no forward interface Vlan1”dmz内服务器无法访问外网。
具体配置如下:希望对需要的朋友有所帮助
ASA Version 7.2(4)
!
hostname asa5505
enable password tDElRpQcbH/qLvnn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address 外网IP 外网掩码
!
interface Vlan2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
description outside
!
interface Ethernet0/1
description inside
switchport access vlan 2
!
interface Ethernet0/2
description dmz
switchport access vlan 3
!
interface Ethernet0/3
description inside
switchport access vlan 2
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
object-group service outside-to-dmz tcp
port-object eq www
port-object eq ftp
port-object eq 3389
access-list aaa extended permit tcp any host 192.1.4.99 object-group outside-to-dmz
access-list bbb extended permit tcp host 172.16.1.2 192.168.1.0 255.255.255.0 object-group outside-to-dmz
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 172.16.1.10-172.16.1.254 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
alias (inside) 221.203.36.86 172.16.1.2 255.255.255.255
static (dmz,outside) tcp interface www 172.16.1.2 www netmask 255.255.255.255 dns
static (dmz,outside) tcp interface ftp 172.16.1.2 ftp netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 3389 172.16.1.2 3389 netmask 255.255.255.255 dns
static (inside,dmz) 172.16.1.2 192.168.1.0 netmask 255.255.255.255 dns
access-group aaa in interface outside
access-group bbb in interface dmz
route outside 0.0.0.0 0.0.0.0 192.1.4.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server
contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9d2a6010d4fc078cf026f98dcec96007
: end
asa5505(config)#