hostnameASA5520//设置主机名enablepassword******encrypted//enable密码passwd******//telnet密码interfaceGigabitE
.
hostname ASA5520 //设置主机名
enable password ****** encrypted //enable密码
passwd ****** //telnet密码
interface GigabitEthernet0
nameif inside//定义端口角色
security-level 100//设置安全级别
ipaddress 192.168.10.1 255.255.255.0 //配置ip地址
!
interface GigabitEthernet1
nameif dmz
security-level 50
ipaddress 192.168.11.1 255.255.255.0
!
interface GigabitEthernet2
nameif outside
security-level 0
ipaddress 192.168.12.1 255.255.255.0
ftp mode passive
object network inside_outside
subnet 0 0 //所有主机可以接入外网
object network inside_outside
nat (inside,outside) dynamic interface //使用outside端口地址转换
object network obj-ftp//ftp端口映射
host 192.168.12.1
object network obj-ftp
nat (dmz,outside) static interface service tcp ftp ftp
object network obj-http //http端口映射
host 192.168.12.2
object network obj-http
nat (dmz,outside) static interface service tcp www www
subnet 192.168.0.0 255.255.0.0
object network inside_dmz_pool //访问dmz用nat转换,避免dmz被攻破直接接入inside,提升安全
range 192.168.11.10 192.168.11.100 //创建转换池
object network inside_dmz_nat
subnet 192.168.0.0 255.255.0.0 //要转换的子网
nat (inside,dmz) dynamic inside_dmz_pool //使用地址池动态转换
object-group service permit_service tcp
port-object eq www
port-object eq https
port-object eq pop3
port-object eq smtp
port-object eq imap4
object-group service dns_service tcp-udp
port-object eq domain
access-list inside_dmz extended permit tcp any any
access-list inside_dmz extended permit icmp any any
access-list dmz_inside extended permit tcp any any
access-list dmz_inside extended permit icmp any any
access-list inside_outside extended permit tcp any any
access-list inside_outside extended permit icmp any any
access-list outside_inside extended permit tcp any any
access-list outside_inside extended permit icmp any any
access-group dmz_inside in interface inside
access-group inside_dmz in interface dmz
access-group outside_inside in interface outside
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h2251:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable //开启http服务,asdm需要
http 0.0.0.0 0.0.0.0 management //management口可以asdm控制
telnet 0.0.0.0 0.0.0.0 inside //内网可以使用telnet
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside //外网可以使用ssh
ssh timeout 5 //ssh5分钟超时
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statisticstcp-intercept
web***
username baigp password ****** privilege 15 //用户名密码权限等
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL //ssh使用本地验证
aaa authentication telnet console LOCAL //telnet使用本地验证
aaa authorization command LOCAL
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
noactive
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
