CISCO ASA Configuration
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e0/0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip add 10.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# int e0/1
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip add 20.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)#
Basic test
inside#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/27/52 ms
inside#
outside#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/34/64 ms
outside#
Both the inside host and the outside host can ping their gateway.
The inside host initiates a telnet connection to the outside host:
inside#telnet 20.1.1.2
Trying 20.1.1.2 ... Open
User Access Verification
Password:
outside>en
Password:
outside#
By default the ASA permits access from a higher security level to a lower one, and the telnet connection is a TCP connection, so it appears in the connection table:
ciscoasa# show conn detail
1 in use, 1 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, q - SQL*Net data,
R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
X - inspected by service module
TCP outside:20.1.1.2/23 inside:10.1.1.2/11001 flags UIO
outside#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
130 vty 0 idle 00:00:15 10.1.1.2
Interface User Mode Idle Peer Address
Access from a lower security level to a higher one, on the other hand, fails:
outside#telnet 10.1.1.2
Trying 10.1.1.2 ...
% Connection timed out; remote host not responding
To let the outside host reach the inside host, an inbound rule must be written on the firewall:
ciscoasa(config)# access-list out-to-in permit ip host 20.1.1.2 host 10.1.1.2
ciscoasa(config)# access-group out-to-in in interface outside
ciscoasa(config)#
Test
outside#telnet 10.1.1.2
Trying 10.1.1.2 ... Open
User Access Verification
Password:
inside>en
Password:
inside#
The inbound rule can also be written more narrowly, permitting only TCP port 23:
ciscoasa(config)# access-list out-to-in permit tcp host 20.1.1.2 host 10.1.1.2 eq 23
ciscoasa(config)# access-group out-to-in in interface outside
To control outbound traffic on the ASA firewall, a rule can be written like this (the deny entry is listed first, so it matches before the permit):
ciscoasa(config)# access-list in-to-out deny ip 10.1.1.0 255.255.255.0 any
ciscoasa(config)# access-list in-to-out permit ip any any
ciscoasa(config)# access-group in-to-out in interface inside
Test
inside#telnet 20.1.1.2
Trying 20.1.1.2 ...
% Connection refused by remote host
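The decision logic this page walks through (no ACL bound: only higher-to-lower security level flows pass; ACL bound: entries are evaluated top-down, first match wins, implicit deny at the end) can be modelled to check a rule set before it is pushed to the box. The helper below is an added example, not Cisco code or part of the original page; it parses the page's own access-list syntax (host / any / address-mask, optional eq PORT) and deliberately ignores NAT, same-security-traffic and ICMP inspection.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # "eq <port>" for tcp/udp; None = any port

@dataclass
class Interface:
    name: str
    security_level: int
    acl: List[Ace] = field(default_factory=list)   # bound with "access-group NAME in"

def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    # Consume "any", "host A" or "A MASK" from the front of the token list.
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network((t, tokens.pop(0)))   # address + dotted netmask

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' (hypothetical helper)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an access-list entry: " + line)
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, dst = _addr(rest), _addr(rest)           # left-to-right: src consumed first
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport)

def flow_permitted(ingress: Interface, egress: Interface, proto: str,
                   src: str, dst: str, dport: Optional[int] = None) -> bool:
    """Would a new flow entering 'ingress' toward 'egress' be allowed?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress.acl:                               # ACL bound: security level no longer decides
        for ace in ingress.acl:                   # top-down, first match wins
            if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            return ace.action == "permit"
        return False                              # implicit deny at end of list
    return ingress.security_level > egress.security_level   # default: high -> low only
```

Feed it the interfaces and access-list lines from this page to reproduce each test result shown above before changing the live configuration.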