ASA: Common Application Configurations


Lab network topology:

DNS Server ------(outside) ASA-Firewall (inside)------ LAN Client
                                |
                              (dmz)
                                |
                         DMZ-WEB-Server
---------------------------------------------------
IP address allocation
Outside: 210.10.10.0/30
Inside:  192.168.210.0/24
DMZ:     192.168.202.0/24
---------------------------------------------------
ASA basic configuration:
Configure the hostname, domain name and passwords
Configure the interfaces
Configure routing
Configure remote management access
Configure network address translation for outbound traffic
Configure ACLs
enable
conf t
hostname ASA5520
domain-name lpq.com
enable password ASA5520
passwd cisco
conf t
interface e0/0
 nameif outside
 security-level 0
 ip address 210.10.10.2 255.255.255.0
 no shutdown
exit
interface e0/1
 nameif inside
 security-level 100
 ip address 192.168.201.1 255.255.255.0
 no shutdown
exit
interface e0/2
 nameif dmz
 security-level 50
 ip address 192.168.202.1 255.255.255.0
 no shutdown
exit
route outside 0.0.0.0 0.0.0.0 210.10.10.1
end
show route
conf t
telnet 192.168.201.0 255.255.255.0 inside
telnet timeout 15
crypto key generate rsa modulus 1024    // a 1024-bit RSA key is below current recommendations; use modulus 2048 where the platform allows
ssh 192.168.201.0 255.255.255.0 inside
ssh 0 0 outside                         // SSH from any source address on outside; restrict to known management addresses outside a lab
ssh timeout 30
ssh version 2
username ASA5520 password cisco
aaa authentication ssh console LOCAL
passwd aaa
http server enable 8008
http 192.168.201.0 255.255.255.0 inside
http 0 0 outside                        // ASDM/HTTPS management from any source on outside; same caveat as for ssh
http 0 0 inside
asdm image disk0:/asdm-615.bin
username admin password admin privilege 15    // privilege-15 account with password equal to the username: lab only
---------------------------------------------------
access-list 111 extended permit icmp any any
access-list 111 permit ip any any
access-group 111 in interface outside      // permits all IP traffic inbound on outside, overriding the default security-level protection
access-group 111 in interface inside
access-group 111 in interface dmz
access-list testacl deny ip 192.168.201.33 255.255.255.255 any
access-list testacl permit ip any any
access-group testacl in interface inside   // only one ACL can be bound per interface and direction, so this replaces ACL 111 on inside
---------------------------------------------------
nat-control
nat (inside) 1 0 0
global (outside) 1 interface
global (dmz) 1 192.168.202.100-192.168.202.110
static (dmz,outside) 210.10.10.2 192.168.202.2    // the source prints "210.10.10.10.2" (one octet too many); the ACL below uses 210.10.10.2, which is also the outside interface address configured above
access-list out_to_dmz permit tcp any host 210.10.10.2 eq 80
access-group out_to_dmz in interface outside
end
write memory
copy running-config startup-config

Clearing configuration:
conf t
clear configure all
clear configure <command> [level2 command]    // <command> is the configuration keyword to clear
end
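The management-access and ACL commands above are fine for a lab but several of them (SSH and HTTP open to any address on outside, a privilege-15 user with a password equal to its username, an ACL that permits ip any any bound to every interface) would be flagged in review. The following Python script is an added example, not code from the original post: it scans ASA CLI text for those patterns. The sample config is constructed from commands on the page; the rule names and severities are the script's own.

```python
"""Added example, not part of the original post: a small audit script that
reads ASA CLI lines like those above and flags the settings a reviewer
would question before the lab config is reused anywhere real. The sample
config is constructed from commands on the page; the rule names and
severities are this script's own."""
import re

# Constructed sample: a subset of the management-access and ACL commands above.
SAMPLE_CONFIG = """\
telnet 192.168.201.0 255.255.255.0 inside
ssh 192.168.201.0 255.255.255.0 inside
ssh 0 0 outside
ssh version 2
http server enable 8008
http 0 0 outside
http 0 0 inside
username ASA5520 password cisco
username admin password admin privilege 15
access-list 111 extended permit icmp any any
access-list 111 permit ip any any
access-group 111 in interface outside
access-group 111 in interface inside
access-group 111 in interface dmz
access-list out_to_dmz permit tcp any host 210.10.10.2 eq 80
access-group out_to_dmz in interface outside
"""


def audit_asa_config(config_text):
    """Return a list of (severity, line, reason) findings, in config order."""
    findings = []
    permit_all_acls = set()  # names of ACLs containing 'permit ip any any'
    for raw in config_text.splitlines():
        line = raw.split("//")[0].strip()  # drop trailing // comments as used on this page
        if not line or line.startswith("!"):
            continue
        # Management access (ssh/http/telnet) opened to 0.0.0.0/0 on an interface
        m = re.match(r"(ssh|http|telnet)\s+0(?:\.0\.0\.0)?\s+0(?:\.0\.0\.0)?\s+(\S+)$", line)
        if m:
            proto, iface = m.group(1), m.group(2)
            sev = "high" if iface == "outside" else "medium"
            findings.append((sev, line, f"{proto} management allowed from any address on {iface}"))
        # Any telnet access at all: credentials cross the wire in clear text
        if re.match(r"telnet\s+\d", line):
            findings.append(("medium", line, "telnet management is clear text; prefer ssh only"))
        # Local account whose password equals its username
        m = re.match(r"username\s+(\S+)\s+password\s+(\S+)", line)
        if m and m.group(1) == m.group(2):
            findings.append(("high", line, "password identical to username"))
        # Remember ACLs that permit everything ...
        m = re.match(r"access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+any\s+any$", line)
        if m:
            permit_all_acls.add(m.group(1))
        # ... and flag each interface such an ACL is bound to inbound
        m = re.match(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)$", line)
        if m and m.group(1) in permit_all_acls:
            sev = "high" if m.group(2) == "outside" else "medium"
            findings.append((sev, line, f"ACL {m.group(1)} permits ip any any inbound on {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in audit_asa_config(SAMPLE_CONFIG):
        print(f"[{severity:6}] {line:55} {reason}")
```

Run against the sample it reports eight findings, four of them high: the two management services reachable from any address on outside, the admin/admin account, and ACL 111 bound inbound on outside. Point it at a `show running-config` dump to check a real device.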
===========================================
Advanced ASA application: URL filtering

// Section 1: hosts in 192.168.201.0/28 may only reach Host headers matching url_class1; everything else is dropped
conf t
access-list tcp_filter1 permit tcp 192.168.201.0 255.255.255.240 any eq www
class-map tcp_filter_class1
 match access-list tcp_filter1
exit
regex url1 .sina.com    // an unescaped "." matches any character; "\.sina\.com" matches the literal domain only
class-map type regex match-any url_class1
 match regex url1
exit
class-map type inspect http http_url_class1
 match not request header host regex class url_class1    // matches every request whose Host header is NOT in url_class1
exit
policy-map type inspect http http_url_policy1
 class http_url_class1
  drop-connection log
 exit
exit
policy-map inside_http_url_policy
 class tcp_filter_class1
  inspect http http_url_policy1
 exit
exit
service-policy inside_http_url_policy interface inside    // remove this line when entering the complete configuration
---------------------------------------------------
// Section 2: all inside hosts are blocked from Host headers matching url_class2
access-list tcp_filter2 permit tcp any any eq www
class-map tcp_filter_class2
 match access-list tcp_filter2
exit
regex url2 .game.com
class-map type regex match-any url_class2
 match regex url2
exit
class-map type inspect http http_url_class2
 match request header host regex class url_class2    // matches requests whose Host header IS in url_class2
exit
policy-map type inspect http http_url_policy2
 class http_url_class2
  drop-connection log
 exit
exit
policy-map inside_http_url_policy
 class tcp_filter_class2
  inspect http http_url_policy2
 exit
exit
service-policy inside_http_url_policy interface inside
---------------------------------------------------
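To make the two sections' decision logic concrete, here is an added Python model (example code, not part of the original post or Cisco's implementation) of how the ASA decides whether an HTTP request through inside_http_url_policy is dropped. Cisco's regex engine is approximated with Python's re module, which agrees with it on the two points shown: an unescaped dot matches any character and a backslash-escaped dot matches only a literal dot. Class names and addresses mirror the page; the helper names and the sample hosts are this example's own.

```python
"""Added example, not part of the original post: a model of how the two
URL-filtering sections decide whether an HTTP request is dropped. Cisco's
regex engine is approximated with Python's re module (assumption: it agrees
on unescaped "." being a wildcard and an escaped dot being literal)."""
import ipaddress
import re


def host_matches(regex_class, host):
    """True if any regex in the class-map matches the Host header (unanchored
    substring search, which is how the page's patterns behave)."""
    return any(re.search(pattern, host) for pattern in regex_class)


def http_inspect_verdict(host, regex_class, negate):
    """Verdict of one 'policy-map type inspect http' whose single class does
    'drop-connection'. negate=True models 'match not request header host ...'."""
    matched = host_matches(regex_class, host)
    if negate:
        matched = not matched
    return "drop" if matched else "allow"


# Constructed table of the two Layer 3/4 classes in inside_http_url_policy:
# (class name, source network from its ACL, regex class-map contents, negate)
INSIDE_HTTP_URL_POLICY = [
    ("tcp_filter_class1", ipaddress.ip_network("192.168.201.0/28"), [".sina.com"], True),
    ("tcp_filter_class2", ipaddress.ip_network("0.0.0.0/0"), [".game.com"], False),
]


def evaluate_http(src_ip, host, policy=INSIDE_HTTP_URL_POLICY):
    """Pick the first Layer 3/4 class the flow matches (the ASA applies only one
    class per inspection type to a flow) and return (class name, verdict)."""
    src = ipaddress.ip_address(src_ip)
    for name, network, regex_class, negate in policy:
        if src in network:
            return name, http_inspect_verdict(host, regex_class, negate)
    return None, "allow"


if __name__ == "__main__":
    # Constructed sample flows: a host in 192.168.201.0/28 and one outside it
    for src, host in [("192.168.201.5", "www.sina.com"), ("192.168.201.5", "www.game.com"),
                      ("192.168.201.200", "www.game.com"), ("192.168.201.200", "www.sina.com")]:
        print(src, host, evaluate_http(src, host))
    # The unescaped dot lets an unrelated Host header through the section-1
    # allow-list; escaping the dots closes that gap.
    print(http_inspect_verdict("wwwsinaxcom.example", [".sina.com"], True))    # allow
    print(http_inspect_verdict("wwwsinaxcom.example", [r"\.sina\.com"], True))  # drop
```

Two things the model makes visible: a flow from 192.168.201.0/28 is evaluated by tcp_filter_class1 only, so the game.com block of section 2 never applies to it (its requests are dropped anyway unless the Host header matches url_class1), and the allow-list in section 1 is only as tight as the regex, so the dots in the pattern should be escaped.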
