Cisco ASA 5505 firewall: a working configuration example


Configuration requirements:

1. Divide the firewall into three zones: inside (internal network), outside (internet) and dmz (the semi-trusted zone for published servers).

2. Inside can reach the outside and the web server in the DMZ; the outside can reach the web server in the DMZ.

3. The DMZ server exposes ports 80, 21 and 3389.

Note: the ASA 5505 Base license allows a third VLAN only if it carries "no forward interface" toward one of the other two VLANs, so with "no forward interface Vlan1" on the dmz VLAN, servers in the DMZ cannot initiate connections to the outside. Connections from the outside into the DMZ, as published by the static entries below, still work.

The full configuration follows; I hope it is useful to those who need it.

Two things to check before reusing this configuration: "passwd 2KFQnbNIdI.2KYOU encrypted" is the factory-default hash of the login password "cisco" and must be replaced, and access-list bbb permits the DMZ server to open connections on 80, 21 and 3389 to every inside host, which is not among the requirements above and gives a compromised DMZ server a path into the internal network. Since access-list aaa also exposes 3389 (RDP) and 21 (FTP) to any source, restrict its source addresses to the hosts that actually need them.

ASA Version 7.2(4)
!
hostname asa5505
enable password tDElRpQcbH/qLvnn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif outside
 security-level 0
 ip address <outside-IP> <outside-netmask>
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
 description outside
!
interface Ethernet0/1
 description inside
 switchport access vlan 2
!
interface Ethernet0/2
 description dmz
 switchport access vlan 3
!
interface Ethernet0/3
 description inside
 switchport access vlan 2
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
object-group service outside-to-dmz tcp
 port-object eq www
 port-object eq ftp
 port-object eq 3389
access-list aaa extended permit tcp any host <outside-IP> object-group outside-to-dmz
access-list bbb extended permit tcp host 172.16.1.2 192.168.1.0 255.255.255.0 object-group outside-to-dmz
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 172.16.1.10-172.16.1.254 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 172.16.1.0 255.255.255.0
alias (inside) 221.203.36.86 172.16.1.2 255.255.255.255
static (dmz,outside) tcp interface www 172.16.1.2 www netmask 255.255.255.255 dns
static (dmz,outside) tcp interface ftp 172.16.1.2 ftp netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 3389 172.16.1.2 3389 netmask 255.255.255.255 dns
static (inside,dmz) 172.16.1.2 192.168.1.0 netmask 255.255.255.255 dns
access-group aaa in interface outside
access-group bbb in interface dmz
route outside 0.0.0.0 0.0.0.0 <outside-gateway> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
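A quick way to check that a configuration like this really does what the three requirements say is to parse the ACL, object-group, static and "no forward interface" lines and ask reachability questions of them. The script below is an added example, not part of the original page or of any Cisco tool: its SAMPLE_CONFIG is a constructed, trimmed copy of the configuration above, the outside address 203.0.113.10 is an assumption standing in for the <outside-IP> placeholder, and 198.51.100.7 is an assumed arbitrary internet client. It answers three questions: can the DMZ initiate connections to the outside, which DMZ services are reachable from the internet (a (dmz,outside) port static whose mapped port the outside ACL also permits), and which ports the DMZ server may open toward an inside host.

```python
"""Audit an ASA 7.2-style config against the three requirements above (added example,
not from the original page). SAMPLE_CONFIG is a constructed, trimmed copy of the
asa5505 config; OUTSIDE_IP (203.0.113.10) is an assumption replacing <outside-IP>."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

OUTSIDE_IP = "203.0.113.10"  # assumption: stands in for the page's <outside-IP>
SAMPLE_CONFIG = f"""\
interface Vlan1
 nameif outside
interface Vlan3
 no forward interface Vlan1
 nameif dmz
object-group service outside-to-dmz tcp
 port-object eq www
 port-object eq ftp
 port-object eq 3389
access-list aaa extended permit tcp any host {OUTSIDE_IP} object-group outside-to-dmz
access-list bbb extended permit tcp host 172.16.1.2 192.168.1.0 255.255.255.0 object-group outside-to-dmz
static (dmz,outside) tcp interface www 172.16.1.2 www netmask 255.255.255.255 dns
static (dmz,outside) tcp interface ftp 172.16.1.2 ftp netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 3389 172.16.1.2 3389 netmask 255.255.255.255 dns
access-group aaa in interface outside
access-group bbb in interface dmz
"""
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53}


def port_num(tok):
    """ASA port keyword (www, ftp, ...) or numeric string -> int."""
    return PORT_NAMES.get(tok) or int(tok)


def parse_addr(toks, i):
    """Parse 'any' | 'host A' | 'A MASK' at toks[i]; return (network, next index)."""
    if toks[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ip_network(toks[i + 1]), i + 2
    return ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect VLANs (by nameif), service groups, ACEs, port statics and ACL bindings."""
    cfg = {"vlans": {}, "groups": defaultdict(set), "acls": defaultdict(list),
           "statics": [], "bindings": {}}
    stanza = None                        # VLAN dict or object-group set being filled
    for line in filter(str.strip, text.splitlines()):
        toks = line.split()
        if toks[0] == "interface":
            stanza = {"vlan": toks[1], "no_forward": set()}
        elif toks[0] == "nameif":
            cfg["vlans"][toks[1]] = stanza
        elif toks[:3] == ["no", "forward", "interface"]:
            stanza["no_forward"].add(toks[3])
        elif toks[:2] == ["object-group", "service"]:
            stanza = cfg["groups"][toks[2]]
        elif toks[:2] == ["port-object", "eq"]:
            stanza.add(port_num(toks[2]))
        elif toks[0] == "access-list" and toks[2] == "extended":
            src, i = parse_addr(toks, 5)
            dst, i = parse_addr(toks, i)
            rest = toks[i:]
            ports = (cfg["groups"][rest[1]] if rest[:1] == ["object-group"]
                     else {port_num(rest[1])} if rest[:1] == ["eq"] else set())
            cfg["acls"][toks[1]].append((toks[3], toks[4], src, dst, ports))
        elif toks[0] == "static" and toks[2] in ("tcp", "udp"):
            real_ifc, mapped_ifc = toks[1].strip("()").split(",")
            cfg["statics"].append((real_ifc, mapped_ifc, toks[2], toks[3],
                                   port_num(toks[4]), toks[5], port_num(toks[6])))
        elif toks[0] == "access-group":
            cfg["bindings"][toks[4]] = toks[1]       # nameif -> inbound ACL name
    return cfg


def dmz_can_reach_outside(cfg):
    """False when the dmz VLAN carries 'no forward interface' toward the outside VLAN."""
    return cfg["vlans"]["outside"]["vlan"] not in cfg["vlans"]["dmz"]["no_forward"]


def permitted_ports(cfg, ifc, src_ip, dst_ip, proto="tcp"):
    """Ports the inbound ACL on `ifc` permits src_ip -> dst_ip; None if no ACL is bound
    (then only the security-level default applies: high -> low allowed)."""
    acl = cfg["bindings"].get(ifc)
    if acl is None:
        return None
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return {p for act, pr, s, d, ports in cfg["acls"][acl]
            if act == "permit" and pr == proto and src in s and dst in d for p in ports}


def exposed_dmz_services(cfg, outside_ip, client="198.51.100.7"):
    """(real_ip, real_port) pairs the internet can reach: a (dmz,outside) port static
    whose mapped port the outside ACL also permits. `client` is an assumed internet source."""
    exposed = set()
    for real_ifc, mapped_ifc, proto, maddr, mport, rip, rport in cfg["statics"]:
        mip = outside_ip if maddr == "interface" else maddr
        perm = permitted_ports(cfg, "outside", client, mip, proto)
        if (real_ifc, mapped_ifc) == ("dmz", "outside") and perm and mport in perm:
            exposed.add((rip, rport))
    return exposed


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("dmz -> outside allowed:", dmz_can_reach_outside(cfg))
    print("internet -> dmz:", sorted(exposed_dmz_services(cfg, OUTSIDE_IP)))
    print("dmz -> inside host:", sorted(permitted_ports(cfg, "dmz", "172.16.1.2", "192.168.1.20")))
```

Run against the sample, the audit reports that the DMZ cannot reach the outside (requirement 3 of the note), that the internet can reach 172.16.1.2 on 80, 21 and 3389 (requirements 2 and 3), and that the DMZ server may open 80, 21 and 3389 toward any inside host, which none of the requirements asks for; removing access-list bbb, or narrowing it to the inside hosts and ports the server genuinely needs, closes that path. The script does not model the "alias" DNS-doctoring line or the non-port "static (inside,dmz)" entry, so verify those with "show xlate" on the device.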
