ASA5520防火墙双机配置

CISCO PIX/ASA Failover 技术是一项故障转移配置的技术，需要两台完全一样的设备，通过一个连接，连接到对方（这个连接也叫心跳线）。

该技术用到的两台设备分为：主用和备用，备用处于待机状态。

当主用设备故障后，备用设备可启用，并设置为主用，运行自主用设备复制过来的配置（配置是跟随主用设备移动的），从而解决单点故障。

本次配置主用和备用之间采用两根心跳线，一根用于数据同步，一根用于状态同步。

配置之前请将用做心跳线的端口激活。

primary的配置(主用)：asa1(configif)# failover lan enable //启用基于LAN的Failover(适用于PIX) asa1(config)# failover lan unit primary //指定设备的角色asa1(config)# failover lan interface FO e2 //指定Failover 接口INFO: Nonfailover interface config is cleared on Ethernet2 and its subint erfacesasa1(config)# failover interface ip FO 192.168.1.1 255.255.255.0 standby 192.168.1.2 //配置FO IP地址（用于数据同步）；asa1(config) # failover link STA e3//指定state接口的为e3，并命名为STA asa1(config) # failover interface ip STA 192.168.2.1 255.255.255.0 standby 192.168.2.2//指定名字为STA的接口IP（用于状态同步）；asa1(config)# failover lan key ccxx //配置Failover key （用于对通讯加密，可配置也可不配）asa1(config)# failover //启用Failover；注意，此命令一定要先在Active上输入，否则会引起配置拷错；将一个接口指定为failover 接口后，再show inter 的时候，该接口就显示为：interface Ethernet3description LAN Failover Interfacesecondary的配置（备用）：asa1(configif)# failover lan enable //启用基于LAN的Failover(适用于PIX) asa1(config)# failover lan unit secondary //指定设备的角色asa1(config)# failover lan interface FO e2 //指定Failover 接口INFO: Nonfailover interface config is cleared on Ethernet2 and its subint erfacesasa1(config)# failover interface ip FO 192.168.1.1 255.255.255.0 standby 192.168.1.2 //配置FO IP地址（用于数据同步）；asa1(config) # failover link STA e3//指定state接口的为e3，并命名为STA asa1(config) # failover interface ip STA 192.168.2.1 255.255.255.0 standby 192.168.2.2//指定名字为STA的接口IP（用于状态同步）；asa1(config)# failover lan key ccxx //配置Failover key （用于对通讯加密，可配置也可不配）asa1(config)# failover //启用Failover；注意，此命令一定要先在Active上输入，否则会引起配置拷错；查看failover命令如下：show run | include faiover注：配置成功后将看到六条命令行。

ASA5520防火墙的安装配置说明一、通过超级终端连接防火墙。

先将防火墙固定在机架上，接好电源；用随机带来的一根蓝色的线缆将防火墙与笔记本连接起来。

注意：该线缆是扁平的，一端是RJ-45接口，要接在防火墙的console端口；另一端是串口，要接到笔记本的串口上.建立新连接，给连接起个名字。

选择COM口，具体COM1还是COM3应该根据自己接的COM来选择，一般接COM1就可以。

选择9600,回车就可以连接到命令输入行。

二、防火墙提供4种管理访问模式：1．非特权模式。

防火墙开机自检后，就是处于这种模式。

系统显示为firewall> 2．特权模式。

输入enable进入特权模式，可以改变当前配置。

显示为firewall# 3．配置模式。

在特权模式下输入configure terminal进入此模式，绝大部分的系统配置都在这里进行。

显示为firewall(config)#4．监视模式。

PIX防火墙在开机或重启过程中，按住Escape键或发送一个“Break”字符，进入监视模式。

这里可以更新操作系统映象和口令恢复。

显示为monitor>三、基本配置步骤在PC机上用串口通过cisco产品控制线连接防火墙的Console口（9600-N-8-1），使用超级终端连接。

在提示符的后面有一个大于号“>”，你处在asa用户模式。

使用en或者enable命令修改权限模式。

asafirewall> en //输入en 或 enable 回车Password： //若没有密码则直接回车即可asafirewall# //此时便拥有了管理员模式，此模式下可以显示内容但不能配置，若要配置必须进入到通用模式asafirewall# config t // 进入到通用模式的命令asafirewall(config)# hostname sjzpix1 //设置防火墙的名称Sjzpix1(config)# password zxm10 //设置登陆口令为zxm10Sjzpix1(config)# enable password zxm10 //设置启动模式口令，用于获得管理员模式访问1．配置各个网卡Sjzpix1(config)# interface GigabitEthernet0/0 //配置防火墙的E0 端口Sjzpix1(config-if)# security-level 0 //设置成最低级别Sjzpix1(config-if)# nameif outside //设置E0 端口为外部端口Sjzpix1(config-if)# speed auto //设置成自动设置网口速率Sjzpix1(config-if)# ip address 10.0.1.50 255.255.255.0 standby 10.0.1.51// 10.0.1.50 为该防火墙分配的公网IP，255.255.255.0为该防火墙公网IP对应的掩码，若该防火墙没有主备用方式则配置命令中的红色字体部分不需要配置。

ASA5520，双ISP接入配置实现功能如下：1，部分网通站点走网通线路，其余走电信实现负载均衡（电信为主）2，任何一条链路断掉，另一条可以继续用3，电信网通口上都启用VPNClient，保证电信，网通客户端都可以顺利拨入jxwsj(config)# show run: Saved:ASA Version 7.0(5)!hostname jxwsjdomain-name enable password fCoWG.vztqKmZjts encryptednamesdns-guard!interface GigabitEthernet0/0description tocncnameif outsidesecurity-level 0ip address 网通IP 255.255.255.248!interface GigabitEthernet0/1nameif insidesecurity-level 100ip address 192.1.5.2 255.255.255.0!interface GigabitEthernet0/2description to cntnameif ctsecurity-level 0ip address 电信IP 255.255.255.248!interface GigabitEthernet0/3nameif govsecurity-level 40ip address 21.36.255.14 255.255.255.0!interface Management0/0nameif managementsecurity-level 100ip address 192.168.1.1 255.255.255.0management-only!passwd nRRwDj.AHmVtB9jY encryptedftp mode passiveaccess-list 110 extended permit ip any anyaccess-list 150 extended permit tcp any any eq wwwaccess-list 150 extended permit tcp any any eq 8080access-list 150 extended permit tcp any any eq lotusnotesaccess-list 150 extended permit icmp any anyaccess-list 150 extended deny ip any anyaccess-list inside_in extended permit ip any anyaccess-list 102 extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0 access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0 access-list 102 extended permit ip 192.168.3.0 255.255.255.0 192.168.200.0 255.255.255.0 access-list 102 extended permit ip 192.168.4.0 255.255.255.0 192.168.200.0 255.255.255.0 access-list 102 extended permit ip 192.1.5.0 255.255.255.0 192.168.200.0 255.255.255.0 access-list tempdeny extended deny ip host 192.168.3.11 anyaccess-list tempdeny extended deny ip host 192.168.3.12 anyaccess-list tempdeny extended deny ip host 192.168.3.13 anyaccess-list tempdeny extended deny ip host 192.168.3.14 anyaccess-list tempdeny extended permit ip any anyaccess-list 111 extended permit ip any anypager lines 24logging asdm informationalmtu outside 1500mtu inside 1500mtu gov 1500mtu management 1500mtu ct 1500ip local pool vpdn 192.168.200.1-192.168.200.100no failoverasdm image disk0:/asdm505.binno asdm history enablearp inside 192.168.3.14 0016.1727.a178arp inside 192.168.3.13 000a.480b.2295arp inside 192.168.3.12 0030.1b31.a88barp inside 192.168.3.11 000a.480e.24a4arp timeout 14400global (outside) 1 interfaceglobal (gov) 1 interfaceglobal (ct) 1 interfacenat (inside) 0 access-list 102nat (inside) 1 0.0.0.0 0.0.0.0access-group 110 in interface outsideaccess-group tempdeny in interface insideaccess-group 150 in interface govaccess-group 111 in interface ctroute outside 0.0.0.0 0.0.0.0 网通网关254route outside 222.160.0.0 255.224.0.0 网通网关1 route outside 222.162.0.0 255.255.0.0 网通网关1 route outside 222.160.0.0 255.254.0.0 网通网关1 route outside 222.136.0.0 255.248.0.0 网通网关1 route outside 222.132.0.0 255.252.0.0 网通网关1 route outside 222.128.0.0 255.252.0.0 网通网关1 route outside 221.216.0.0 255.248.0.0 网通网关1 route outside 221.213.0.0 255.255.0.0 网通网关1 route outside 221.212.0.0 255.255.0.0 网通网关1 route outside 221.208.0.0 255.252.0.0 网通网关1 route outside 221.207.0.0 255.255.192.0 网通网关1 route outside 221.204.0.0 255.254.0.0 网通网关1 route outside 221.200.0.0 255.252.0.0 网通网关1 route outside 221.199.192.0 255.255.240.0 网通网关1 route outside 221.199.128.0 255.255.192.0 网通网关1 route outside 221.199.32.0 255.255.240.0 网通网关1 route outside 221.199.0.0 255.255.224.0 网通网关1 route outside 221.198.0.0 255.255.0.0 网通网关1 route outside 221.196.0.0 255.254.0.0 网通网关1 route outside 221.192.0.0 255.252.0.0 网通网关1 route outside 221.14.0.0 255.254.0.0 网通网关1 route outside 221.13.128.0 255.255.128.0 网通网关1 route outside 221.13.64.0 255.255.224.0 网通网关1 route outside 221.13.0.0 255.255.192.0 网通网关1 route outside 125.210.0.0 255.255.0.0 网通网关1 route outside 58.100.0.0 255.255.0.0 网通网关1 route outside 219.82.0.0 255.255.0.0 网通网关1 route outside 218.108.0.0 255.255.0.0 网通网关1 route outside 221.12.128.0 255.255.192.0 网通网关1 route outside 221.12.0.0 255.255.128.0 网通网关1 route outside 221.11.128.0 255.255.224.0 网通网关1 route outside 221.11.0.0 255.255.128.0 网通网关1 route outside 221.10.0.0 255.255.0.0 网通网关1 route outside 221.8.0.0 255.254.0.0 网通网关1route outside 221.7.128.0 255.255.128.0 网通网关1 route outside 221.7.64.0 255.255.224.0 网通网关1 route outside 221.7.0.0 255.255.192.0 网通网关1 route outside 221.6.0.0 255.255.0.0 网通网关1route outside 221.4.0.0 255.254.0.0 网通网关1route outside 221.3.128.0 255.255.128.0 网通网关1 route outside 221.0.0.0 255.252.0.0 网通网关1route outside 218.67.128.0 255.255.128.0 网通网关1 route outside 218.60.0.0 255.254.0.0 网通网关1 route outside 218.56.0.0 255.252.0.0 网通网关1 route outside 218.28.0.0 255.254.0.0 网通网关1 route outside 218.26.0.0 255.254.0.0 网通网关1 route outside 218.24.0.0 255.254.0.0 网通网关1 route outside 218.12.0.0 255.255.0.0 网通网关1 route outside 218.11.0.0 255.255.0.0 网通网关1 route outside 218.10.0.0 255.255.0.0 网通网关1 route outside 218.8.0.0 255.254.0.0 网通网关1route outside 218.7.0.0 255.255.0.0 网通网关1route outside 202.111.160.0 255.255.224.0 网通网关1 route outside 202.111.128.0 255.255.224.0 网通网关1 route outside 202.110.192.0 255.255.192.0 网通网关1 route outside 202.110.64.0 255.255.192.0 网通网关1 route outside 202.110.0.0 255.255.192.0 网通网关1 route outside 202.108.0.0 255.255.0.0 网通网关1 route outside 202.107.0.0 255.255.128.0 网通网关1 route outside 202.106.0.0 255.255.0.0 网通网关1 route outside 202.102.224.0 255.255.224.0 网通网关1 route outside 202.102.128.0 255.255.192.0 网通网关1 route outside 202.99.224.0 255.255.224.0 网通网关1 route outside 202.99.192.0 255.255.224.0 网通网关1 route outside 202.99.128.0 255.255.192.0 网通网关1 route outside 202.99.64.0 255.255.192.0 网通网关1 route outside 202.99.0.0 255.255.192.0 网通网关1 route outside 202.98.0.0 255.255.224.0 网通网关1 route outside 202.97.192.0 255.255.192.0 网通网关1 route outside 202.97.160.0 255.255.224.0 网通网关1 route outside 202.97.128.0 255.255.224.0 网通网关1 route outside 202.96.64.0 255.255.224.0 网通网关1 route outside 202.96.0.0 255.255.192.0 网通网关1 route outside 61.189.0.0 255.255.128.0 网通网关1 route outside 61.182.0.0 255.255.0.0 网通网关1 route outside 61.181.0.0 255.255.0.0 网通网关1 route outside 61.180.128.0 255.255.128.0 网通网关1 route outside 61.179.0.0 255.255.0.0 网通网关1 route outside 61.176.0.0 255.255.0.0 网通网关1 route outside 61.168.0.0 255.255.0.0 网通网关1 route outside 61.167.0.0 255.255.0.0 网通网关1 route outside 61.163.0.0 255.255.0.0 网通网关1 route outside 61.162.0.0 255.255.0.0 网通网关1 route outside 61.161.128.0 255.255.128.0 网通网关1route outside 61.159.0.0 255.255.192.0 网通网关1route outside 61.158.128.0 255.255.128.0 网通网关1route outside 61.156.0.0 255.255.0.0 网通网关1route outside 61.148.0.0 255.254.0.0 网通网关1route outside 61.139.128.0 255.255.192.0 网通网关1route outside 61.138.128.0 255.255.192.0 网通网关1route outside 61.138.64.0 255.255.192.0 网通网关1route outside 61.138.0.0 255.255.192.0 网通网关1route outside 61.137.128.0 255.255.128.0 网通网关1route outside 61.136.64.0 255.255.192.0 网通网关1route outside 61.135.0.0 255.255.0.0 网通网关1route outside 61.134.96.0 255.255.224.0 网通网关1route outside 61.133.0.0 255.255.128.0 网通网关1route outside 61.55.0.0 255.255.0.0 网通网关1route outside 61.54.0.0 255.255.0.0 网通网关1route outside 61.52.0.0 255.254.0.0 网通网关1route outside 61.48.0.0 255.252.0.0 网通网关1route outside 60.220.0.0 255.252.0.0 网通网关1route outside 60.216.0.0 255.254.0.0 网通网关1route outside 60.208.0.0 255.248.0.0 网通网关1route outside 60.31.0.0 255.255.0.0 网通网关1route outside 60.24.0.0 255.248.0.0 网通网关1route outside 60.16.0.0 255.248.0.0 网通网关1route outside 60.13.128.0 255.255.128.0 网通网关1route outside 60.13.0.0 255.255.192.0 网通网关1route outside 60.12.0.0 255.255.0.0 网通网关1route outside 60.10.0.0 255.255.0.0 网通网关1route outside 60.8.0.0 255.254.0.0 网通网关1route outside 60.0.0.0 255.248.0.0 网通网关1route inside 192.168.0.0 255.255.255.0 192.1.5.1 1route inside 192.168.3.0 255.255.255.0 192.1.5.1 1route inside 192.168.4.0 255.255.255.0 192.1.5.1 1route inside 192.168.1.0 255.255.255.0 192.1.5.1 1route gov 21.0.0.0 255.0.0.0 21.36.255.1 1route ct 0.0.0.0 0.0.0.0 电信网关1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absolutegroup-policy clientgroup internalgroup-policy clientgroup attributesvpn-idle-timeout 20split-tunnel-policy tunnelallwebvpnusername zmkm password B1MJgn6i2mF.NKjz encrypted username owen password G7ZPUlDLDg6W94ag encrypted username cisco password e1OkT/res2LB3io6 encryptedhttp server enablehttp 192.168.0.2 255.255.255.255 insidehttp 192.168.1.0 255.255.255.0 managementno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set aaades esp-3des esp-md5-hmaccrypto ipsec transform-set aaades1 esp-3des esp-md5-hmaccrypto dynamic-map dynomap 10 set transform-set aaadescrypto dynamic-map dynomap1 20 set transform-set aaades1crypto map vpnpeer 20 ipsec-isakmp dynamic dynomapcrypto map vpnpeer interface outsidecrypto map vpnpeer1 30 ipsec-isakmp dynamic dynomap1crypto map vpnpeer1 interface ctisakmp identity addressisakmp enable outsideisakmp enable ctisakmp policy 10 authentication pre-shareisakmp policy 10 encryption 3desisakmp policy 10 hash md5isakmp policy 10 group 2isakmp policy 10 lifetime 86400tunnel-group huhao type ipsec-ratunnel-group huhao general-attributesaddress-pool vpdnauthorization-server-group LOCALdefault-group-policy clientgrouptunnel-group huhao ipsec-attributespre-shared-key *tunnel-group cnt type ipsec-ratunnel-group cnt general-attributesaddress-pool vpdnauthentication-server-group noneauthorization-server-group LOCALdefault-group-policy clientgrouptunnel-group cnt ipsec-attributespre-shared-key *telnet 0.0.0.0 0.0.0.0 insidetelnet timeout 5ssh 0.0.0.0 0.0.0.0 outsidessh 0.0.0.0 0.0.0.0 ctssh timeout 60console timeout 0dhcpd address 192.168.1.2-192.168.1.254 management dhcpd lease 3600dhcpd ping_timeout 50Cryptochecksum:38caa994b55d5b8bf627a1e972ed56ee : end。

客户需求说明：外网进来一个专线和8个IP地址，114.113.159.246—253，子网掩码255.255.255.192，对外网关114.113.159.254。

由于客户还没有搬进办公区，所以VLAN划分以及策略上的一些设置需要全部搬过来之后才能确定，目前的需求是，所有的点，大约150个左右，都能上网即可，具体策略等全部搬过来之后再定。

设备配置：ASA配置（管理地址192.168.0.1）：ciscoasa# sh run: Saved:ASA Version 7.0(8)!hostname ciscoasaenable password 8Ry2YjIyt7RRXU24 encryptedpasswd 2KFQnbNIdI.2KYOU encryptednamesdns-guard!interface GigabitEthernet0/0 外网接口nameif outside 接口名security-level 0 安全级别ip address 114.113.159.247 255.255.255.192 ip地址!interface GigabitEthernet0/1 内网接口nameif inside 接口名security-level 100 安全级别ip address 192.168.0.1 255.255.255.0 ip地址!interface GigabitEthernet0/2shutdownno nameifno security-levelno ip address!interface GigabitEthernet0/3shutdownno nameifno security-levelno ip address!interface Management0/0shutdownno nameifno security-levelno ip address!ftp mode passiveaccess-list Per_inside extended permit icmp any any列表名扩展的允许icmp包来自内网任何机器access-list Per_inside extended permit ip any anyip包access-list Per_outside extended permit icmp any anyicmp保来自外网任意地址pager lines 24mtu outside 1500mtu inside 1500no failoverno asdm history enablearp timeout 14400global (outside) 8 interface nat外网接口nat (inside) 8 192.168.0.0 255.255.255.0 nat内网地址access-group Per_outside in interface outside 将列表挂在接口上access-group Per_inside in interface insideroute outside 0.0.0.0 0.0.0.0 114.113.159.254 1 静态路由到出接口下一跳timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absoluteno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000telnet timeout 5ssh timeout 5console timeout 0!class-map inspection_defaultmatch default-inspection-traffic!!policy-map global_policyclass inspection_defaultinspect dns maximum-length 512inspect ftpinspect h323 h225inspect h323 rasinspect netbiosinspect rshinspect rtspinspect skinnyinspect esmtpinspect sqlnetinspect sunrpcinspect tftpinspect sipinspect xdmcp!service-policy global_policy globalCryptochecksum:d41d8cd98f00b204e9800998ecf8427e: end3560G配置（管理地址192.168.0.2）：3560G#sh runBuilding configuration...Current configuration : 2883 bytes!version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname 3560G!enable password cisco!no aaa new-modelsystem mtu routing 1500ip subnet-zero!!!!no file verify autospanning-tree mode pvstspanning-tree extend system-id!vlan internal allocation policy ascending!interface GigabitEthernet0/1 进入接口switchport trunk encapsulation dot1q 封装trunk switchport mode trunk trunk模式!interface GigabitEthernet0/2switchport trunk encapsulation dot1qswitchport mode trunk!interface GigabitEthernet0/3switchport trunk encapsulation dot1qswitchport mode trunk!interface GigabitEthernet0/4switchport trunk encapsulation dot1qswitchport mode trunk!interface GigabitEthernet0/5switchport trunk encapsulation dot1qswitchport mode trunk!interface GigabitEthernet0/6switchport trunk encapsulation dot1qswitchport mode trunkinterface GigabitEthernet0/7 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/8 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/9 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/10 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/11 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/12 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/13 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/14 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/15 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/16 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/17 switchport trunk encapsulation dot1q switchport mode trunkinterface GigabitEthernet0/18 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/19 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/20 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/21 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/22 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/23 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/24 switchport trunk encapsulation dot1q switchport mode trunk!interface GigabitEthernet0/25!interface GigabitEthernet0/26!interface GigabitEthernet0/27!interface GigabitEthernet0/28!interface Vlan1ip address 192.168.0.2 255.255.255.0 !ip classlessip http server!!control-plane!!line con 0line vty 0 4password ciscologinline vty 5 15login!End2918配置（管理地址192.168.0.3-9，13）：2918-1#sh runBuilding configuration...Current configuration : 1322 bytes!version 12.2no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname 2918-1 设备名：2918-1/8 !boot-start-markerboot-end-marker!enable password cisco!no aaa new-modelsystem mtu routing 1500ip subnet-zero!!!!!!spanning-tree mode pvstspanning-tree extend system-id!vlan internal allocation policy ascending!!interface FastEthernet0/1 !interface FastEthernet0/2 !interface FastEthernet0/3 !interface FastEthernet0/4 !interface FastEthernet0/5 !interface FastEthernet0/6 !interface FastEthernet0/7 !interface FastEthernet0/8 !interface FastEthernet0/9 !interface FastEthernet0/10 !interface FastEthernet0/11 !interface FastEthernet0/12 !interface FastEthernet0/13 !interface FastEthernet0/14 !interface FastEthernet0/15 !interface FastEthernet0/16 !interface FastEthernet0/17 !interface FastEthernet0/18 !interface FastEthernet0/19 !interface FastEthernet0/20 !interface FastEthernet0/21 !interface FastEthernet0/22!interface FastEthernet0/23!interface FastEthernet0/24!interface GigabitEthernet0/1!interface GigabitEthernet0/2!interface Vlan1ip address 192.168.0.3 255.255.255.0no ip route-cache!ip http server!control-plane!!line con 0line vty 0 4password ciscologinline vty 5 15login!end施工总结：在项目实施过程中遇到一些问题，譬如在ASA上做配置的时候，将原来成功的配置贴上去之后进行测试，发现不起作用，后来用2918交换机模拟PC却没有问题。

hostname asa-1enable password cisco!interface GigabitEthernet0/0nameif insidesecurity-level 100ip address 192.200.31.249 255.255.255.192 standby 192.200.31.248!interface GigabitEthernet0/1description LAN Failover Interface（做failover link的接口不需要做地址配置）!interface GigabitEthernet0/2description STATE Failover Interface!interface GigabitEthernet0/3nameif outsidesecurity-level 100ip address 192.200.31.4 255.255.255.224 standby 192.200.31.5!interface Management0/0shutdownnameif managementsecurity-level 100ip address 10.168.1.1 255.255.255.0management-only!same-security-traffic permit inter-interface!failoverfailover lan unit primaryfailover lan interface faillink（自己起的failover名字）GigabitEthernet0/1（心跳线接口）failover polltime unit 1 holdtime 3failover link statelink GigabitEthernet0/2failover interface ip faillink 10.168.100.1 255.255.255.0 standby 10.168.100.2 failover interface ip statelink 10.168.101.1 255.255.255.0 standby 10.168.101.2 monitor-interface outsidemonitor-interface insideicmp permit any insideicmp permit any outsideroute inside 192.200.31.32 255.255.255.224 192.200.31.250 1route inside 192.200.31.64 255.255.255.192 192.200.31.250 1route inside 192.200.31.128 255.255.255.192 192.200.31.250 1route inside 192.200.31.192 255.255.255.192 192.200.31.250 1route outside 0.0.0.0 0.0.0.0 192.200.31.1 1telnet 0.0.0.0 0.0.0.0 insidetelnet 0.0.0.0 0.0.0.0 outside!hostname asa-2enable password 2KFQnbNIdI.2KYOU encryptedpasswd 2KFQnbNIdI.2KYOU encryptednamesno dns-guard!interface Ethernet0/0nameif insidesecurity-level 100ip address 192.200.31.249 255.255.255.192 standby 192.200.31.248 !interface Ethernet0/1description LAN Failover Interface!interface Ethernet0/2description STATE Failover Interfaceshutdown!interface Ethernet0/3nameif outsidesecurity-level 100ip address 192.200.31.4 255.255.255.224 standby 192.200.31.5!interface Management0/0nameif managementsecurity-level 100ip address 10.168.1.1 255.255.255.0management-only!no ftp mode passiveclock timezone CST 8same-security-traffic permit inter-interfacepager lines 24logging asdm informationalmtu inside 1500mtu outside 1500mtu management 1500failoverfailover lan unit primaryfailover lan interface faillink Ethernet0/1failover polltime unit 1 holdtime 3failover link statelink Ethernet0/2failover interface ip faillink 10.168.100.1 255.255.255.0 standby 10.168.100.2 failover interface ip statelink 10.168.101.1 255.255.255.0 standby 10.168.101.2 icmp permit any insideicmp permit any outsideno asdm history enablearp timeout 14400route inside 192.200.31.128 255.255.255.192 192.200.31.250 1route inside 192.200.31.64 255.255.255.192 192.200.31.250 1route inside 192.200.31.32 255.255.255.224 192.200.31.250 1route outside 0.0.0.0 0.0.0.0 192.200.31.1 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00timeout uauth 0:05:00 absolutehttp server enableno snmp-server locationno snmp-server contactcrypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000telnet 0.0.0.0 0.0.0.0 insidetelnet 0.0.0.0 0.0.0.0 outsidetelnet timeout 5ssh timeout 5console timeout 0dhcpd ping_timeout 50!<--- More --->class-map inspection_defaultmatch default-inspection-traffic!!policy-map global_policyclass inspection_defaultinspect dns maximum-length 512inspect ftpinspect h323 h225inspect h323 rasinspect rshinspect rtspinspect esmtpinspect sqlnetinspect skinnyinspect sunrpcinspect xdmcpinspect sipinspect netbiosinspect tftp!Cryptochecksum:a0b294ccce697e561e4e0fcf9e1cae91 : endasa-2#### END LOG - DATE: 090313, TIME: 024509 ###。

一般网络机构来理解asa5520外网-----asa5520----分别是内网和dmzasa配置都在全局模式下配置，很多跟cisco路由交换的一样（大同小异）第一次连接防火墙时有个初始化配置主要有配置密码，时间，内部ip，和管理ip1、配置主机名、域名、和密码主机名：ciscoasa5520（config）#hostname 5520域名：5520（config）#domain—name 密码：5520（config）#enable password asa5520 （特权密码）5520（config）#password cisco （telnet密码）2、配置接口名字、安全级别5520（config）#int f0/15520（config）#nameif inside (内网，dmz，outside)5520（config）#security-level 100 （安全级别为100，dmz：50，outside：0）5520（config）#ip add 192.168.1.1 255.255.255.0 (配置ip地址)5520（config）#no shut5520（config）#exit查看接口show interface ipbriefshow interface f/03、配置路由5520（config）#route 接口名目标网段掩码下一跳例上网的缺省路由5520（config）#route outside 0.0.0.0 0.0.0.0 61.232.14.815520（config）#route inside 192.168.0.0 0.0.255.255 192.168.1.254查看路由show route4、管理（启用telnet或者ssh）5520（config）#telnet ip或网段掩码接口例：5520（config）#telnet 192.168.2.20 255.255.255.0 inside（表示只允许这个ip地址telnet asa）5520（config）#telnet 192.168.2.0 255.255.255.0 inside （表示允许这个ip段telnet asa）设置telnet超时5520（config）#telnet timeout 30 单位为分ssh为密文传送（RSA密钥对）5520（config）#cryto key generate rsa modulus 1024连接5520（config）#ssh 192.168.2.0 255.255.255.0 inside5520（config）#ssh 0 0 outside 允许外网任意ip连接配置空闲超时ssh timeout 30ssh version 25、远程接入ASDM（cisco的自适应安全管理器）客户端可以用cisco自带的软件也可以装jre走https启用https服务器功能5520（config）#http server enable 端口号（越大越好）设置允许接入网段5520（config）#http 网段|ip 掩码接口名（http 0 0 outside 外网任何ip接入）指定ASDM的映像位置5520（config）#asdm image disk0:/asdmfilse(这个一般用show version产看版本号)配置客户端登录使用的用户名和密码5520（config）# username 用户名password 密码privilege 156、nat的配置（这个好像与pix类似）5520（config）# nat （interface-名）nat-id 本地ip 掩码5520（config）#global （接口名）nat-id 全局ip、网段或接口例：5520（config）#nat-control （启用nat）5520（config）#nat（inside）1 0 0 （可以指定一个网段或者全部）5520（config）#global （outside）1 interface （这就称了pat，当然也可以写一个ip段或者一个ip）5520（config）# global（dmz）1 172.16.1.100-172.16.1.110 意思与上差不多这里要注意：内网到dmz区域都应是nat如果内网到dmz用路由的话，这样可能导致黑客先攻击dmz，然后长区直入到内网。