Cisco ASA 5505 firewall: a working configuration example

Requirements:

1. Divide the network into three zones: inside (internal network), outside (external network) and dmz (secure zone).

2. The inside network can reach the outside network and the server (web) in the dmz; the outside network can reach the server (web) in the dmz.

3. The dmz server exposes ports 80, 21 and 3389.

Note: because of the firewall licence restriction ("no forward interface Vlan1"), servers in the dmz cannot reach the outside network.



The full configuration follows; I hope it is of help to those who need it:

ASA Version 7.2(4)
!
hostname asa5505
enable password tDElRpQcbH/qLvnn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif outside
 security-level 0
 ip address <outside-IP> <outside-netmask>
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
 description outside
!
interface Ethernet0/1
 description inside
 switchport access vlan 2
!
interface Ethernet0/2
 description dmz
 switchport access vlan 3
!
interface Ethernet0/3
 description inside
 switchport access vlan 2
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
object-group service outside-to-dmz tcp
 port-object eq www
 port-object eq ftp
 port-object eq 3389
access-list aaa extended permit tcp any host 192.1.4.99 object-group outside-to-dmz
access-list bbb extended permit tcp host 172.16.1.2 192.168.1.0 255.255.255.0 object-group outside-to-dmz
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 172.16.1.10-172.16.1.254 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
alias (inside) 221.203.36.86 172.16.1.2 255.255.255.255
static (dmz,outside) tcp interface www 172.16.1.2 www netmask 255.255.255.255 dns
static (dmz,outside) tcp interface ftp 172.16.1.2 ftp netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 3389 172.16.1.2 3389 netmask 255.255.255.255 dns
static (inside,dmz) 172.16.1.2 192.168.1.0 netmask 255.255.255.255 dns
access-group aaa in interface outside
access-group bbb in interface dmz
route outside 0.0.0.0 0.0.0.0 192.1.4.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9d2a6010d4fc078cf026f98dcec96007
: end
asa5505(config)#
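To check that the configuration really implements the three requirements listed at the top, the following script (an added example, not Cisco code and not the author's) parses the interface, object-group, access-list, static and access-group lines quoted above and answers "is this TCP flow permitted?" using three rules: the 5505 "no forward interface" restriction, the inbound ACL bound to the ingress interface, and the default security-level behaviour (a higher-level interface may initiate connections to a lower-level one without an ACL). The outside address 192.1.4.99 is an assumption: the author redacted it, but it is the host that access-list aaa permits traffic to; the probe address 203.0.113.5 is a constructed TEST-NET-3 address standing in for any Internet host.

```python
from ipaddress import ip_address, ip_network

# Lines copied from the configuration above. ASSUMPTION: the redacted outside address is
# 192.1.4.99, the host that access-list aaa permits traffic to (same /24 as the route gateway).
CONFIG = """
interface Vlan1
 nameif outside
 security-level 0
 ip address 192.1.4.99 255.255.255.0
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
object-group service outside-to-dmz tcp
 port-object eq www
 port-object eq ftp
 port-object eq 3389
access-list aaa extended permit tcp any host 192.1.4.99 object-group outside-to-dmz
access-list bbb extended permit tcp host 172.16.1.2 192.168.1.0 255.255.255.0 object-group outside-to-dmz
static (dmz,outside) tcp interface www 172.16.1.2 www netmask 255.255.255.255 dns
static (dmz,outside) tcp interface ftp 172.16.1.2 ftp netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 3389 172.16.1.2 3389 netmask 255.255.255.255 dns
access-group aaa in interface outside
access-group bbb in interface dmz
"""

def port_num(tok):  # only the port names this config uses
    return {"www": 80, "ftp": 21}.get(tok) or int(tok)

def parse_addr(t, i):  # ACL address spec: any | host A | A MASK  ->  (network, next index)
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Pick out interfaces, service groups, ACLs, ACL bindings and static port translations."""
    pol = {"ifaces": {}, "groups": {}, "acls": {}, "bindings": {}, "statics": []}
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "interface":
            itf = {"vlan": t[1], "no_forward": set()}
        elif t[0] == "nameif":
            pol["ifaces"][t[1]] = itf
        elif t[0] == "security-level":
            itf["level"] = int(t[1])
        elif t[:2] == ["ip", "address"]:
            itf["ip"], itf["net"] = ip_address(t[2]), ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:3] == ["no", "forward", "interface"]:
            itf["no_forward"].add(t[3])
        elif t[:2] == ["object-group", "service"]:
            grp = pol["groups"].setdefault(t[2], set())
        elif t[0] == "port-object":
            grp.add(port_num(t[2]))
        elif t[0] == "access-list" and t[3] == "permit":
            src, i = parse_addr(t, 5)
            dst, i = parse_addr(t, i)
            ports = pol["groups"][t[i + 1]] if t[i] == "object-group" else {port_num(t[i + 1])}
            pol["acls"].setdefault(t[1], []).append((src, dst, ports))
        elif t[0] == "access-group":
            pol["bindings"][t[4]] = t[1]
        elif t[0] == "static" and t[2] == "tcp":  # static (real_if,mapped_if) tcp MAPPED MPORT REAL RPORT ...
            mapped_if = t[1].strip("()").split(",")[1]
            pol["statics"].append(dict(mapped_if=mapped_if, mapped=t[3], mapped_port=port_num(t[4]), real_ip=ip_address(t[5])))
    return pol

def iface_for(pol, ip):  # connected subnet wins; anything else follows the default route out
    return next((n for n, itf in pol["ifaces"].items() if ip in itf["net"]), "outside")

def check_flow(pol, src, dst, dport):
    """'permit: ...' or 'deny: ...' for a TCP connection initiated from src to dst:dport."""
    src, dst = ip_address(src), ip_address(dst)
    ingress = iface_for(pol, src)
    real_dst = dst  # un-NAT: a packet for a static's mapped address/port is bound for the DMZ host
    for s in pol["statics"]:
        m_ip = pol["ifaces"][s["mapped_if"]]["ip"] if s["mapped"] == "interface" else ip_address(s["mapped"])
        if ingress == s["mapped_if"] and dst == m_ip and dport == s["mapped_port"]:
            real_dst = s["real_ip"]
    egress = iface_for(pol, real_dst)
    ing, eg = pol["ifaces"][ingress], pol["ifaces"][egress]
    if eg["vlan"] in ing["no_forward"]:  # the licence restriction the author notes
        return f"deny: {ingress} has no forward interface {eg['vlan']}"
    acl = pol["bindings"].get(ingress)
    if acl:  # an inbound ACL is matched against the mapped (pre-un-NAT) destination
        if any(src in s_ and dst in d_ and dport in p_ for s_, d_, p_ in pol["acls"][acl]):
            return f"permit: access-list {acl}"
        return f"deny: access-list {acl} implicit deny"
    if egress != ingress and ing["level"] > eg["level"]:
        return "permit: higher to lower security level, no ACL required"
    return "deny: not a higher-to-lower security-level path and no ACL permits it"

def exposed_services(pol, probe="203.0.113.5"):  # probe: constructed TEST-NET-3 address
    out_ip = str(pol["ifaces"]["outside"]["ip"])
    return sorted((str(s["real_ip"]), s["mapped_port"]) for s in pol["statics"]
                  if s["mapped_if"] == "outside" and check_flow(pol, probe, out_ip, s["mapped_port"]).startswith("permit"))

POLICY = parse_config(CONFIG)
```

Running `exposed_services(POLICY)` returns exactly 172.16.1.2 on 21, 80 and 3389, which is requirement 3; `check_flow(POLICY, "192.168.1.20", "172.16.1.2", 80)` and `check_flow(POLICY, "192.168.1.20", "203.0.113.5", 443)` are permitted by security level alone, which is requirement 2; and `check_flow(POLICY, "172.16.1.2", "203.0.113.5", 80)` is denied by the `no forward interface Vlan1` rule, matching the author's note. The checker also makes visible something the requirements do not mention: access-list bbb lets the DMZ host initiate connections to the whole inside /24 on the same three ports, so a reviewer would want to confirm that this lower-to-higher path is intended before reusing the configuration.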
