Commonly used baseline configuration for Cisco ASA firewall appliances, organized as follows:
| Step | Configuration commands | Purpose of the commands | Common check commands |
|---|---|---|---|
| HA configuration (primary unit) | `interface RedundantX`<br>`member-interface GigabitEthernet0/6`<br>`member-interface GigabitEthernet0/7`<br>`!`<br>`failover lan unit primary`<br>`failover lan interface <name> RedundantX`<br>`failover link <name> RedundantX`<br>`failover interface ip <name> ip_add1 mask standby ip_add2`<br>`failover key <password>`<br>`!`<br>`monitor-interface <if_name>`<br>`!`<br>`failover`<br>`!` | Primary unit:<br>1. Assign the HA interconnect: a pair of member interfaces bundled as a redundant interface is used as the HA link.<br>2. Define the failover parameters:<br>1) designate this chassis as Primary;<br>2) define and name the LAN failover (configuration sync) interface;<br>3) define and name the stateful failover (state sync) interface;<br>4) set the HA interface IP and standby IP (any addresses you choose);<br>5) set the failover message encryption key.<br>3. Define the monitored interfaces:<br>1) do not make the management interface a failover-monitored interface, to avoid needless active/standby switchovers;<br>2) by default the ASA monitors only physical interfaces; monitoring of subinterfaces must be enabled manually.<br>4. Enable failover:<br>1) failover is enabled by default; disable it first with `no failover`;<br>2) once the HA configuration has been loaded on both units, enable failover on the primary first, so that the secondary synchronizes from the primary and not the other way round. | `show failover`<br>`show monitor-interface`<br>`show running-config failover` |
| HA configuration (secondary unit) | `interface RedundantX`<br>`member-interface GigabitEthernet0/6`<br>`member-interface GigabitEthernet0/7`<br>`!`<br>`failover lan unit secondary`<br>`failover lan interface <name> RedundantX`<br>`failover link <name> RedundantX`<br>`failover interface ip <name> ip_add1 mask standby ip_add2`<br>`failover key <password>`<br>`!`<br>`failover`<br>`!` | Secondary unit:<br>1. Assign the HA interconnect: a pair of member interfaces bundled as a redundant interface is used as the HA link.<br>2. Define the failover parameters:<br>1) designate this chassis as Secondary;<br>2) define and name the LAN failover (configuration sync) interface;<br>3) define and name the stateful failover (state sync) interface;<br>4) set the HA interface IP and standby IP;<br>5) set the failover message encryption key.<br>3. Enable failover:<br>1) disable it first;<br>2) once the HA configuration has been loaded on both units, wait until failover is enabled on the primary, then enable it on the secondary. | `show failover`<br>`show monitor-interface`<br>`show running-config failover` |
| Configuration commands | Purpose of the commands | Common check commands |
|---|---|---|
| `interface GigabitEthernet0/X`<br>`nameif outside`<br>`security-level [0-100]`<br>`ip address ip_add1 mask standby ip_add2`<br>`no shutdown`<br>`!`<br>`interface GigabitEthernet0/Y`<br>`nameif inside`<br>`security-level [0-100]`<br>`ip address ip_add1 mask standby ip_add2`<br>`no shutdown`<br>`!`<br>`same-security-traffic permit inter-interface`<br>`same-security-traffic permit intra-interface` | 1. Interface names are user-defined. An interface named `outside` gets security level 0 automatically and one named `inside` gets 100; any other name defaults to 0. The level can be set manually anywhere in [0,100].<br>2. The interface address (`ip_add1`, e.g. A.A.A.A and C.C.C.C) is the address on the Active unit; the standby address (`ip_add2`, e.g. A.A.A.B and C.C.C.D) is the address on the Standby unit.<br>3. `inter-interface` allows traffic between interfaces at the same security level; `intra-interface` allows traffic to enter and leave through the same interface.<br>Note: `intra-interface` is required if VPN users connected through the same interface need to communicate with each other. | `show interface`<br>`show interface ip brief` |
| Configuration commands | Purpose of the commands | Common check commands |
|---|---|---|
| `route <if_name> <dest-ip> <mask> <gateway-ip> <distance>` | Define a static route: egress interface, destination network, mask, next-hop address, and administrative distance (AD). | `show route` |
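The HA, interface and routing rows above are easier to follow as one complete day-one configuration. The following is an added worked example, not configuration from the original page: a two-unit pair with the HA link on a redundant interface, `inside`/`outside`/`management` interfaces with standby addresses, and a default route. All interface names, addresses and the failover key are constructed.

```text
! --- Primary unit ---
interface Redundant1
 member-interface GigabitEthernet0/6
 member-interface GigabitEthernet0/7
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0 standby 10.1.0.2
 no shutdown
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.255.0.1 255.255.255.0 standby 10.255.0.2
 management-only
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Failover is on by default: switch it off until both units are configured.
no failover
failover lan unit primary
failover lan interface HA-LINK Redundant1
failover link HA-LINK Redundant1
failover interface ip HA-LINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key <failover-shared-secret>
! Monitor the data interfaces only; a management-link flap must not trigger a switchover.
monitor-interface outside
monitor-interface inside
no monitor-interface management
! Enable on the primary first so its configuration is the one replicated.
failover
!
! --- Secondary unit: only the unit role differs; everything else is replicated ---
interface Redundant1
 member-interface GigabitEthernet0/6
 member-interface GigabitEthernet0/7
!
no failover
failover lan unit secondary
failover lan interface HA-LINK Redundant1
failover link HA-LINK Redundant1
failover interface ip HA-LINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key <failover-shared-secret>
! Enable only after the primary reports Active.
failover
```

After both units are up, `show failover` on the primary should report this unit as Active and the other as Standby Ready, and `show monitor-interface` should list `outside` and `inside` as monitored and `management` as not monitored. The single `HA-LINK` interface carries both configuration and state sync here; on a busy pair the stateful link can be a separate interface.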
| Configuration commands | Purpose of the commands | Common check commands |
|---|---|---|
| `object network <obj_name>`<br>`{host ip_addr \| subnet net_addr net_mask \| range ip_addr_1 ip_addr_2}` | An object network defines a single address object: a host, a subnet, or a range.<br>Note: auto NAT is also configured under the object network. | `show run object`<br>`show run object id <obj_name>` |
| `object service <obj_name>`<br>`service {protocol \| icmp icmp-type \| {tcp \| udp} [source operator port] [destination operator port]}` | An object service defines a single service object: a protocol plus optional source and destination ports. | Same as above |
| Configuration commands | Purpose of the commands | Common check commands |
|---|---|---|
| `object-group network <grp_id>`<br>`network-object {object name \| host ip_address \| ip_address mask}` | An object-group network groups multiple address objects; a member can reference an object network or be defined directly as a host or subnet. | `show run object-group`<br>`show run object-group <type>`<br>`show run object-group id <grp_id>` |
| `object-group service <grp_id> {tcp \| udp \| tcp-udp}`<br>`port-object {eq port \| range begin_port end_port}` | An object-group service groups multiple TCP or UDP service objects, given as single ports or port ranges. | Same as above |
| Configuration commands | Purpose of the commands | Common check commands |
|---|---|---|
| `access-list <access_list_name> standard {deny \| permit} {any \| ip_address mask}` | Standard access control list | `show access-list`<br>`show run access-list` |
| `access-list <access_list_name> [line line_number] extended {deny \| permit} {tcp \| udp} {source_address mask \| object nw_obj_id \| object-group nw_grp_id} [operator port \| object-group svc_grp_id] {dest_address mask \| object nw_obj_id \| object-group nw_grp_id} [operator port \| object-group svc_grp_id] [log [[level] \| disable]] [inactive \| time-range time_range_name]` | Extended access control list (TCP/UDP) | `show access-list`<br>`show run access-list` |
| `access-list <access_list_name> [line line_number] extended {deny \| permit} ip {source_address mask \| object nw_obj_id \| object-group nw_grp_id} {dest_address mask \| object nw_obj_id \| object-group nw_grp_id} [log [[level] \| disable]] [inactive \| time-range time_range_name]` | Extended access control list (IP) | `show access-list`<br>`show run access-list` |
| `access-list <access_list_name> [line line_number] extended {deny \| permit} icmp {source_address mask \| object nw_obj_id \| object-group nw_grp_id} {dest_address mask \| object nw_obj_id \| object-group nw_grp_id} [icmp_type \| object-group icmp_grp_id] [log [[level] \| disable]] [inactive \| time-range time_range_name]` | Extended access control list (ICMP) | `show access-list`<br>`show run access-list` |
| `access-group <access_list> {{in \| out} interface interface_name [per-user-override] \| global}` | Applying the ACL:<br>1. An ACL can be applied inbound or outbound on a specified interface.<br>Note: `per-user-override` lets a per-user ACL downloaded from the AAA server override the interface ACL for dynamic access authorization (inbound direction only).<br>2. `global` applies the ACL to the inbound direction of all interfaces. | `show run access-group` |
| Configuration commands | Purpose of the commands | Common check commands |
|---|---|---|
| `nat [(real_ifc,mapped_ifc)] [line \| {after-auto [line]}] source static real_obj mapped_obj [destination static mapped_obj real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [dns] [inactive]` | Manual NAT (twice NAT): static NAT or static NAT with port translation<br>1. Static NAT: one-to-one address mapping.<br>2. Connections can be initiated from either side (inside or outside).<br>3. (Optional) policy static NAT that applies only for a specific destination address. | `show nat`<br>`show nat pool`<br>`show xlate` |
| `nat [(real_ifc,mapped_ifc)] [line \| {after-auto [line]}] source dynamic {real_obj \| any} {mapped_obj [interface]} [destination static mapped_obj real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [dns] [inactive]` | Manual NAT (twice NAT): dynamic NAT<br>1. Dynamic NAT translates a group of real addresses to a group of mapped addresses.<br>2. Mapped addresses are handed out first come, first served; with the `interface` keyword the interface address is used once the pool is exhausted.<br>3. Connections can be initiated only from the real-address side.<br>4. (Optional) policy dynamic NAT that applies only for a specific destination address. | `show nat`<br>`show nat pool`<br>`show xlate` |
| `nat [(real_ifc,mapped_ifc)] [line \| {after-auto [line]}] source dynamic {real_obj \| any} {mapped_obj [interface] \| pat-pool mapped_obj [interface] \| interface} [destination static mapped_obj real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [dns] [inactive]` | Manual NAT (twice NAT): dynamic PAT (hide NAT)<br>1. Dynamic PAT maps a group of real addresses to a single address (port multiplexing).<br>2. The mapped address can be an object plus `interface`, a `pat-pool` plus `interface`, or the `interface` address directly.<br>3. Connections can be initiated only from the real-address side.<br>4. (Optional) policy PAT that applies only for a specific destination address. | `show nat`<br>`show nat pool`<br>`show xlate` |
| `nat [(real_ifc,mapped_ifc)] [line \| {after-auto [line]}] source static {nw_obj nw_obj \| any any} [destination static mapped_obj real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [inactive]` | Manual NAT (twice NAT): identity NAT<br>1. Identity NAT statically translates a real address to itself (NAT bypass).<br>2. (Optional) policy identity NAT that applies only for a specific destination address. | `show nat`<br>`show nat pool`<br>`show xlate` |
| `object network obj_name`<br>`{host ip_address \| subnet subnet_address netmask \| range ip_address_1 ip_address_2}`<br>`nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip \| mapped_obj} [dns \| service {tcp \| udp} real_port mapped_port]` | Auto NAT (object NAT): static NAT<br>1. See the manual NAT entry above.<br>2. Lower precedence than manual NAT.<br>3. Cannot apply policy NAT based on the destination address. | `show nat`<br>`show nat pool`<br>`show xlate` |
| `object network obj_name`<br>`{host ip_address \| subnet subnet_address netmask \| range ip_address_1 ip_address_2}`<br>`nat [(real_ifc,mapped_ifc)] dynamic mapped_obj [interface] [dns]` | Auto NAT (object NAT): dynamic NAT<br>1. See the manual NAT entry above.<br>2. Lower precedence than manual NAT.<br>3. Cannot apply policy NAT based on the destination address. | `show nat`<br>`show nat pool`<br>`show xlate` |
| `object network obj_name`<br>`{host ip_address \| subnet subnet_address netmask \| range ip_address_1 ip_address_2}`<br>`nat [(real_ifc,mapped_ifc)] dynamic {mapped_inline_host_ip \| mapped_obj \| pat-pool mapped_obj \| interface} [interface] [dns]` | Auto NAT (object NAT): dynamic PAT<br>1. See the manual NAT entry above.<br>2. Lower precedence than manual NAT.<br>3. Cannot apply policy NAT based on the destination address. | `show nat`<br>`show nat pool`<br>`show xlate` |
| `object network obj_name`<br>`{host ip_address \| subnet subnet_address netmask \| range ip_address_1 ip_address_2}`<br>`nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip \| mapped_obj}` | Auto NAT (object NAT): identity NAT<br>1. See the manual NAT entry above.<br>2. Lower precedence than manual NAT.<br>3. Cannot apply policy NAT based on the destination address. | `show nat`<br>`show nat pool`<br>`show xlate` |
| NAT order:<br>1. Manual NAT<br>2. Auto NAT<br>3. Manual NAT with the `after-auto` keyword | Rules of the same kind (manual NAT or auto NAT) are evaluated in order from top to bottom. The order can be adjusted with the `line` parameter on the CLI or through the web interface. | -- |
| When the NAT `dns` keyword is used:<br>1. Internal hosts reach an internal server by domain name, and those hosts use a public (external) DNS server for resolution.<br>2. The internal server has a public domain name on the Internet and an address mapping on the firewall. | How it works:<br>1. An internal host sends a DNS query to the external DNS server.<br>2. The external DNS server replies with the internal server's mapped (public) address.<br>3. The firewall inspects the DNS reply and finds that the resolved address matches an existing NAT mapping.<br>4. The firewall rewrites the address in the DNS reply to the internal server's real address.<br>5. The internal host receives the record with the internal server's real address. | -- |
| ACL entries that correspond to a NAT mapping:<br>when traffic from outside the firewall is destined for an internal server, the destination in the ACL on the outside interface is the server's real IP address (`real ip_addr`), not the mapped one. | -- | -- |
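The object, object-group, ACL and NAT rows above all meet in one common task: publishing an internal server while giving inside hosts outbound PAT and exempting a VPN subnet from translation. The following is an added worked example, not configuration from the original page; the object names, addresses, ports and ACL name are constructed. It shows the NAT sections in the order the ASA evaluates them (manual NAT first, then auto NAT), the `dns` keyword on the static mapping, and the outside ACL referencing the real address. The optional `no-proxy-arp route-lookup` keywords on the identity rule are standard ASA keywords but are not part of the original table.

```text
! Address objects
object network SRV-WEB-REAL
 host 10.1.0.10
object network SRV-WEB-MAPPED
 host 203.0.113.10
object network NET-INSIDE
 subnet 10.1.0.0 255.255.255.0
object network NET-BRANCH
 subnet 10.2.0.0 255.255.255.0
!
! Service group: the ports the published server exposes
object-group service GRP-WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
!
! Section 1: manual (twice) NAT, evaluated before any auto NAT rule.
! Identity NAT: traffic from inside to the branch keeps its real addresses
! (e.g. across a site-to-site VPN) instead of being PATed to the interface.
nat (inside,outside) source static NET-INSIDE NET-INSIDE destination static NET-BRANCH NET-BRANCH no-proxy-arp route-lookup
!
! Section 2: auto (object) NAT, evaluated after section 1.
! Static mapping for the published server; 'dns' rewrites 203.0.113.10 to
! 10.1.0.10 in DNS replies that cross the firewall toward inside hosts.
object network SRV-WEB-REAL
 nat (inside,outside) static SRV-WEB-MAPPED dns
!
! Dynamic PAT for all other inside hosts, hidden behind the outside address.
object network NET-INSIDE
 nat (inside,outside) dynamic interface
!
! Outside ACL: the destination is the REAL address of the server, not the
! mapped one; everything else from outside is denied and logged.
access-list OUTSIDE-IN extended permit tcp any object SRV-WEB-REAL object-group GRP-WEB-PORTS
access-list OUTSIDE-IN extended permit icmp any object SRV-WEB-REAL echo
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

`show nat` lists the identity rule under the manual NAT section and the two object rules under the auto NAT section, static before dynamic, which is the evaluation order described in the table. To confirm that the inbound path works end to end (NAT untranslate, then ACL), trace a constructed outside client such as `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443`; the result should show the UN-NAT phase mapping to 10.1.0.10 followed by an ACCESS-LIST phase that matches `OUTSIDE-IN`.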
| Configuration commands | Purpose of the commands | Common check commands |
|---|---|---|
| `hostname name` | Set the hostname (both units of an HA pair use the same hostname) | -- |
| `enable password password` | Set the enable password | -- |
| `username name password password privilege 15` | Create a local administrative user | -- |
| `interface Management0/0`<br>`nameif management`<br>`security-level 100`<br>`ip address ip_add1 standby ip_add2`<br>`management-only` | Configure the management interface | -- |
| `domain-name name` | Set the domain name | -- |
| `clock timezone zone [-]hours [minutes]`<br>`ntp authenticate`<br>`ntp trusted-key key_id`<br>`ntp authentication-key key_id md5 key`<br>`ntp server ip_address [key key_id] [source interface_name] [prefer]` | Configure NTP | `show ntp associations`<br>`show ntp status` |
| `banner login text` | Configure the login banner | -- |
| Configuration commands | Purpose of the commands | Common check commands |
|---|---|---|
| `crypto key generate rsa modulus 1024`<br>`ssh version 2`<br>`ssh subnet_address netmask interface_name`<br>`ssh timeout 5` | Configure SSH access | -- |
| `http server enable [port]`<br>`http subnet_address netmask interface_name` | Configure web (ASDM) access | -- |
| `aaa-server server_group protocol {ldap \| radius \| tacacs+}`<br>`aaa-server server_group [(interface_name)] host server_ip key` | Configure AAA servers | `test aaa-server {authentication \| authorization} server-group` |
| `aaa authentication {telnet \| ssh \| http \| serial} console {LOCAL \| server_group [LOCAL]}`<br>`aaa authentication enable console {LOCAL \| server_group [LOCAL]}`<br>`aaa authorization command server_group [LOCAL]`<br>`aaa accounting {serial \| telnet \| ssh \| enable} console server-group`<br>`aaa accounting command server-group` | Configure AAA authentication, authorization and accounting | `test aaa-server {authentication \| authorization} server-group` |
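The rows above describe the management plane one command at a time; the following is an added worked example, not configuration from the original page, that puts them together for one unit: a management-only interface, SSHv2 and HTTPS restricted to the management subnet, a TACACS+ server group with LOCAL fallback for when the servers are unreachable, command authorization and accounting, and authenticated NTP so log timestamps can be trusted. Hostnames, addresses, the server group name and all secrets are constructed; the RSA modulus is 2048 here rather than the table's 1024.

```text
hostname ASA-EDGE
domain-name example.net
enable password <enable-secret>
! Local account used only when the TACACS+ servers cannot be reached
username netops password <local-secret> privilege 15
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.255.0.1 255.255.255.0 standby 10.255.0.2
 management-only
!
! SSH: version 2 only, 2048-bit host key, reachable only from the management subnet
crypto key generate rsa modulus 2048
ssh version 2
ssh 10.255.0.0 255.255.255.0 management
ssh timeout 5
!
! ASDM over HTTPS, same source restriction
http server enable 443
http 10.255.0.0 255.255.255.0 management
!
! TACACS+ group reached through the management interface
aaa-server TACACS protocol tacacs+
aaa-server TACACS (management) host 10.255.0.5
 key <tacacs-shared-secret>
!
! Authenticate every management path against TACACS+, fall back to LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
! Per-command authorization, and accounting of sessions and commands
aaa authorization command TACACS LOCAL
aaa accounting ssh console TACACS
aaa accounting enable console TACACS
aaa accounting command TACACS
!
! Authenticated NTP: trustworthy timestamps for syslog and accounting records
clock timezone UTC 0
ntp authenticate
ntp trusted-key 1
ntp authentication-key 1 md5 <ntp-key>
ntp server 10.255.0.10 key 1 source management prefer
!
banner login Authorized access only. Activity is monitored and logged.
```

Before closing the session that applied this, verify reachability of the AAA servers with `test aaa-server authentication TACACS host 10.255.0.5 username netops password <local-secret>` and open a second SSH session to confirm that login, `enable` and a privileged command are accepted; the LOCAL keyword only takes effect when the server group is unreachable, not when it rejects the credentials.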
| Configuration commands | Purpose of the commands | Common check commands |
|---|---|---|
| `logging enable`<br>`logging timestamp`<br>`logging buffer-size bytes`<br>`logging buffered severity_level`<br>`logging trap severity_level`<br>`logging asdm severity_level`<br>`logging host interface_name ip_address` | Configure syslog. Severity levels:<br>0 emergencies: system is unusable<br>1 alert: immediate action is needed<br>2 critical: critical conditions<br>3 error: error conditions<br>4 warning: warning conditions<br>5 notification: normal but significant conditions<br>6 informational: informational messages only<br>7 debugging: debugging messages only | `show logging`<br>`show logging message` |
| `snmp-server enable traps [all \| syslog \| snmp [authentication \| linkup \| linkdown \| coldstart \| warmstart] \| entity [config-change \| fru-insert \| fru-remove \| fan-failure \| cpu-temperature \| chassis-fan-failure \| power-supply-failure \| chassis-temperature \| power-supply-presence \| power-supply-temperature] \| ikev2 [start \| stop] \| ipsec [start \| stop] \| remote-access [session-threshold-exceeded] \| connection-limit-reached \| cpu threshold rising \| interface-threshold \| memory-threshold \| nat [packet-discard]]`<br>`snmp-server host interface_name ip_address [trap \| poll] [community community-string] [version {1 \| 2c \| 3 username}] [udp-port port]` | Configure SNMP | `show snmp-server group`<br>`show snmp-server statistics`<br>`show snmp-server user` |
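The logging and SNMP rows list the knobs; the following is an added worked example, not configuration from the original page, of how a monitored unit is usually set up: syslog to a collector on the management network at a level that captures connection events, a smaller local buffer for on-box troubleshooting, and SNMPv3 (authenticated and encrypted) instead of v1/v2c community strings. Addresses, group and user names, and the secrets are constructed; `logging device-id`, the SNMPv3 `group`/`user` commands and `snmp-server location`/`contact` are standard ASA commands that do not appear in the table above.

```text
! --- Syslog ---
logging enable
logging timestamp
! Tag each message with the hostname so an HA pair's units can be told apart
logging device-id hostname
! Local buffer for quick troubleshooting: warnings and worse only
logging buffer-size 524288
logging buffered warnings
! Collector receives informational (6) so connection build/teardown messages
! such as %ASA-6-302013..302016 are retained for investigations
logging trap informational
logging asdm informational
logging host management 10.255.0.20
!
! --- SNMPv3 only: auth + priv, no community strings ---
snmp-server group NMS-GROUP v3 priv
snmp-server user nms-poller NMS-GROUP v3 auth sha <auth-secret> priv aes 128 <priv-secret>
! Host entry with neither 'trap' nor 'poll' allows both from this NMS
snmp-server host management 10.255.0.30 version 3 nms-poller
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server location Datacenter-A
snmp-server contact netops@example.net
```

`show logging` reports the configured levels and the count of messages sent to the host; if the collector sees nothing, confirm that the ASA's route to 10.255.0.20 goes out `management`, since the interface name in `logging host` must match the interface actually used. `show snmp-server user` lists `nms-poller` with its group and should show a priv (encrypted) security model; an SNMP authentication trap (`authentication` keyword above) then flags every failed poll against the unit.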