
ASA Basic Configuration

Basic configuration of the ASA firewall

1. Configure the interface
interface gigabitEthernet 0/0
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.252
no shutdown

2. Configure the outside (external) routes
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1 track 1
route outside1 0.0.0.0 0.0.0.0 192.168.10.1 2 track 2

3. Configure the inside (internal) route
route inside 192.168.0.0 255.255.255.0 172.16.1.6 1

4. Configure the DHCP and DNS servers
dhcpd address 192.168.8.2-192.168.8.60 inside //DHCP address pool

dhcpd dns 192.168.1.4 192.168.1.10 //DNS servers handed out to clients
dhcpd lease 864000 //lease time in seconds (10 days)
dhcpd domain everrich.com //domain name handed out to clients
dhcpd enable inside //enable DHCP on the inside interface
dns name-server

5. Configure the ACL (outside interface)
access-list outside extended permit icmp any any
access-list outside extended permit ip any any

access-list outside extended permit tcp host x.x.x.x host x.x.x.x eq 8082

6. Apply the ACL to the interface
access-group outside in interface outside

7. Configure port mapping (static PAT)
object network static-inside-address163
host 192.168.1.12
nat (inside,outside) static interface service tcp 8081 18081

8. Configure PAT
object network inside-outside
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

9. Multi-link PAT configuration
object network inside-outside1
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
object network inside-outside2
subnet 0.0.0.0 0.0.0.0
nat (inside,outside1) dynamic interface

10. Configure SLA
1. Configure the probe (SLA monitor number 123)
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
2. Configure the track object bound to the probe (track number 1)
track 1 rtr 123 reachability
3. Apply the track to the route
route outside 0.0.0.0 0.0.0.0 203.0.113.2 1 track 1

11. Configure ASDM
http server enable
http 192.168.1.0 255.255.255.0 management
http 121.127.13.194 255.255.255.255 outside (allow access from one specific IP)
http 121.127.13.242 255.255.255.255 outside

12. Configure SSL/SSH access
crypto key generate rsa modulus 1024 //size of the RSA modulus; the larger the value, the longer key generation takes. Cisco recommends 1024
aaa authentication ssh console LOCAL
ssh IP mask outside
ssh IP mask inside

13. Configure Telnet
aaa authentication telnet console LOCAL
telnet 0.0.0.0 0.0.0.0 inside
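As an added example (not part of the original post), a small Python audit that reads lines in the ASA syntax used on this page and flags the settings a reviewer would question: the any-any ACL bound inbound on outside, ASDM/HTTPS management reachable from outside, cleartext Telnet, and an RSA modulus below 2048 (a threshold chosen for this example, not a Cisco default). The sample lines are constructed from the sections above; 203.0.113.7 is a placeholder address, and the script assumes ACL lines precede the access-group line that binds them.

```python
import re

# Constructed sample in the ASA syntax of this page; 203.0.113.7 is a placeholder
SAMPLE_CONFIG = """\
access-list outside extended permit icmp any any
access-list outside extended permit ip any any
access-group outside in interface outside
http server enable
http 192.168.1.0 255.255.255.0 management
http 203.0.113.7 255.255.255.255 outside
crypto key generate rsa modulus 1024
ssh 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
"""

MIN_RSA_BITS = 2048  # policy threshold assumed by this example


def audit_asa_config(text):
    """Return a list of (config line, finding) pairs for settings worth reviewing."""
    findings = []
    any_any_acls = set()
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()  # drop the //comments used on this page
        if not line:
            continue
        m = re.match(r"access-list (\S+) extended permit ip any any$", line)
        if m:
            any_any_acls.add(m.group(1))
            findings.append((line, f"ACL '{m.group(1)}' permits all IP traffic any -> any"))
        m = re.match(r"access-group (\S+) in interface (\S+)$", line)
        if m and m.group(1) in any_any_acls:
            findings.append((line, f"any-any ACL '{m.group(1)}' bound inbound on '{m.group(2)}'"))
        m = re.match(r"http (\S+) (\S+) outside$", line)
        if m:
            findings.append((line, f"ASDM/HTTPS management reachable from outside ({m.group(1)}/{m.group(2)})"))
        m = re.match(r"crypto key generate rsa modulus (\d+)$", line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append((line, f"RSA modulus {m.group(1)} is below {MIN_RSA_BITS}"))
        m = re.match(r"telnet (\S+) (\S+) (\S+)$", line)
        if m:
            unrestricted = m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0"
            scope = "any host" if unrestricted else f"{m.group(1)}/{m.group(2)}"
            findings.append((line, f"cleartext telnet allowed from {scope} on '{m.group(3)}'"))
    return findings


if __name__ == "__main__":
    for line, note in audit_asa_config(SAMPLE_CONFIG):
        print(f"{note}\n    {line}")
```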
