Cisco ASA firewall: commonly used commands

The commonly used Cisco ASA firewall commands are nameif, interface, ip address, nat, global, route and static. The nat, global and static forms shown on this page are the pre-8.3 (PIX-style) NAT syntax; ASA 8.3 and later replaced them with object NAT and twice NAT, and on those releases an access list matches the real (untranslated) address rather than the mapped one.
global
Defines the address pool: the range of public (global) addresses that translated internal hosts appear as on the external network.
Syntax of the global command:
global (if_name) nat_id ip_address-ip_address [netmask global_mask]
Where:
(if_name): the name of the interface the translated traffic leaves on, usually outside.
nat_id: the ID of the address pool being defined; the nat command references it by the same ID.
ip_address-ip_address: the range of global IP addresses in the pool. A single address instead of a range gives PAT (many-to-one), and the keyword interface in place of an address uses the interface's own address for PAT.
[netmask global_mask]: the network mask of the global IP addresses.
nat
The address translation command translates the private IP addresses of the internal network to public IP addresses on the external network.
Syntax of the nat command: nat (if_name) nat_id local_ip [netmask]
Where:
(if_name): the interface name, generally inside.
nat_id: the address pool to translate into, defined by the global command with the same ID. nat_id 0 is special: it means no translation (identity NAT) for the listed addresses.
local_ip: the IP address range of the intranet. 0.0.0.0 (written 0 0 together with its mask) means all hosts on the intranet.
[netmask]: the subnet mask of the intranet IP address.
route
The route command defines a static route.
Syntax:
route if_name dest_ip mask gateway_ip [metric]
Where:
if_name: the name of the interface the route points out of (written without parentheses, unlike nat and static).
dest_ip mask: the destination network; 0 0 is shorthand for 0.0.0.0 0.0.0.0, i.e. a default route matching all hosts.
gateway_ip: the IP address of the next-hop gateway router.
[metric]: the routing cost. The default value is 1.
static
Configures static address translation, so that an internal address corresponds one-to-one to an external address.
Syntax:
static (real_if_name,mapped_if_name) mapped_ip_address real_ip_address [netmask mask] [max_conns [emb_limit]]
Where:
real_if_name: the interface with the higher security level where the real host sits, such as inside.
mapped_if_name: the interface with the lower security level, such as outside.
mapped_ip_address: the public IP address as seen on the external network.
real_ip_address: the local IP address on the internal network.
(The order inside the parentheses is inside first, then outside; the addresses that follow are in the opposite order: the outside address first, then the inside address.)
max_conns and emb_limit optionally cap the number of TCP connections and of embryonic (half-open) connections to the real host.
For example:
asa(config)# static (inside,outside) 133.0.0.1 192.168.0.8
means the internal address 192.168.0.8 is translated to the global address 133.0.0.1 when it accesses the outside. The mapping is bidirectional: outside hosts can also reach 192.168.0.8 through 133.0.0.1, provided the access list applied on outside permits it.

asa# conf t
asa(config)# hostname asa                       // set the hostname
asa(config)# enable password cisco              // set the enable password
  Configure the external interface: its name is outside, security level 0, with the address your ISP assigned.
asa(config)# interface GigabitEthernet0/0
asa(config-if)# nameif outside                  // the name is outside
asa(config-if)# security-level 0                // security level 0
asa(config-if)# ip address *.*.*.* 255.255.255.0   // the public IP address
asa(config-if)# duplex full
asa(config-if)# no shutdown
  Configure the internal interface: its name is inside, security level 100.
asa(config)# interface GigabitEthernet0/1
asa(config-if)# nameif inside
asa(config-if)# security-level 100
asa(config-if)# duplex full
asa(config-if)# speed 100
asa(config-if)# no shutdown
  Configure the DMZ interface: its name is dmz, security level 50.
asa(config)# interface GigabitEthernet0/2
asa(config-if)# nameif dmz
asa(config-if)# security-level 50
asa(config-if)# duplex full
asa(config-if)# no shutdown
  Network (address translation) settings
asa(config)# nat (inside) 0 192.168.1.1 255.255.255.255     // nat_id 0: 192.168.1.1 is not translated, it is forwarded as-is
asa(config)# nat (inside) 1 192.168.1.1 255.255.255.0       // nat_id 1: translate the 192.168.1.0/24 inside network ...
asa(config)# nat (inside) 1 0 0                             // ... or, with 0 0 (all addresses), translate every inside host
asa(config)# global (outside) 1 133.1.0.1-133.1.0.14        // the pool of global addresses that nat_id 1 is translated to
asa(config)# global (outside) 1 222.240.254.193 255.255.255.248   // a single global address for the same nat_id is used for PAT (many-to-one); when both are present, PAT takes over once the pool is exhausted
  Configure static routes
asa(config)# route outside 0 0 133.0.0.2                       // default route; 133.0.0.2 is the next hop
If an internal subnet is not directly connected to the inside interface, a route to it is also needed:
asa(config)# route inside 192.168.10.0 255.255.255.0 192.168.1.1 1
  Address translation
asa(config)# static (dmz,outside) 133.1.0.1 10.65.1.101        // static NAT: dmz server 10.65.1.101 appears as 133.1.0.1 on outside
asa(config)# static (dmz,outside) 133.1.0.2 10.65.1.102        // static NAT
asa(config)# static (inside,dmz) 10.66.1.200 10.66.1.200       // identity static: inside host 10.66.1.200 keeps its own address toward dmz
(The mapped address of a static should not overlap a global pool on the same interface; the pool 133.1.0.1-133.1.0.14 above contains 133.1.0.1 and 133.1.0.2, so in a real deployment the pool would start at 133.1.0.3.)
If an internal server must be reachable at a public address (outside accessing inside), a static is required:
asa(config)# static (inside,outside) 222.240.254.194 192.168.1.240
asa(config)# static (inside,outside) 222.240.254.194 192.168.1.240 10000 10   // the same mapping with limits: 10000 is the maximum number of connections, 10 the maximum number of embryonic (half-open) connections, which bounds the effect of a SYN flood on the server
Policy-based access control with ACLs
asa(config)# access-list 101 permit tcp any host 133.1.0.1 eq www   // ACL entry; the protocol must be tcp (not ip) when a port is given
asa(config)# access-list 101 permit tcp any host 133.1.0.2 eq ftp   // ACL entry
asa(config)# access-list 101 deny ip any any                        // ACL entry (explicit deny; the ACL also ends with an implicit deny)
asa(config)# access-group 101 in interface outside                  // apply the ACL inbound on the outside interface
In this pre-8.3 syntax the ACL on outside refers to the mapped (global) addresses 133.1.0.1 and 133.1.0.2, not to the real dmz addresses.
    When an inside host accesses an outside host, nat translates it to a public IP from the pool and it reaches the Internet.
    When an inside host accesses the dmz, the identity static (inside,dmz) maps it to itself, so it reaches the server with its own address; without such an entry the inside host would need a translation toward dmz just as toward any other lower-security interface.
    When an outside host accesses the dmz, 133.1.0.1 is translated to 10.65.1.101; static is bidirectional.

    By default the firewall permits traffic from a higher-security interface to a lower-security one (inside to outside, inside to dmz) and denies the reverse, so anything entering from outside must be explicitly permitted by the ACL applied inbound on that interface.
    The default route sends the packets of inside and dmz hosts out through the outside interface.
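The following script is an added example, not code from the original post: it applies the rules described in the static section and in the configuration above (nat and global linked by nat_id, static as a bidirectional mapped-to-real table, an inbound ACL on outside that names mapped addresses) to a constructed pre-8.3 configuration in the page's syntax and reports inconsistencies: a nat_id with no global pool, a static whose mapped address falls inside a pool, an ACE that uses protocol ip together with a port, and a permit to a mapped address that no static provides. All addresses, the extra nat_id 2, the static for 133.1.0.5 and the host 133.1.0.20 are hypothetical values chosen to trigger the checks.

```python
"""Consistency checks for a pre-8.3 ASA/PIX NAT configuration (added example, not from the page).
Links nat/global by nat_id, builds the static mapping table, and resolves which real host each
inbound permit on the outside interface exposes. All addresses below are hypothetical."""

import ipaddress
from collections import namedtuple

# Constructed sample in the page's syntax; the entries marked BROKEN exist to trigger findings.
SAMPLE_CONFIG = """
nat (inside) 0 192.168.1.1 255.255.255.255      // nat_id 0: identity NAT, no translation
nat (inside) 1 0 0                              // all inside hosts -> pool 1
nat (inside) 2 192.168.2.0 255.255.255.0        // BROKEN: no global with nat_id 2
global (outside) 1 133.1.0.3-133.1.0.14
static (dmz,outside) 133.1.0.1 10.65.1.101      ; static NAT
static (dmz,outside) 133.1.0.2 10.65.1.102      ; static NAT
static (dmz,outside) 133.1.0.5 10.65.1.105      ; BROKEN: 133.1.0.5 lies inside pool 1
static (inside,dmz) 10.66.1.200 10.66.1.200     ; identity static
access-list 101 permit tcp any host 133.1.0.1 eq www
access-list 101 permit ip any host 133.1.0.2 eq ftp
access-list 101 permit tcp any host 133.1.0.20 eq 22
access-list 101 deny ip any any
access-group 101 in interface outside
"""

Static = namedtuple("Static", "real_if mapped_if mapped_ip real_ip")
Ace = namedtuple("Ace", "acl action proto dst port")   # dst: "any", a host, or "net/mask"

def _addr(tokens, i):
    """Consume one ACE address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2

def parse_config(text):
    """Parse nat, global, static, access-list and access-group lines; comments are stripped."""
    cfg = {"nat": [], "global": {}, "static": [], "ace": [], "group": {}}
    for raw in text.splitlines():
        line = raw.split("//")[0].split(";")[0].strip()
        if not line:
            continue
        t = line.replace("(", " ").replace(")", " ").replace(",", " ").split()
        if t[0] == "nat":                       # nat (if_name) nat_id local_ip [mask]
            cfg["nat"].append((t[1], int(t[2]), t[3]))
        elif t[0] == "global":                  # global (if_name) nat_id first[-last] [mask]
            lo, _, hi = t[3].partition("-")
            cfg["global"][int(t[2])] = (t[1], lo, hi or lo)
        elif t[0] == "static":                  # static (real_if,mapped_if) mapped_ip real_ip
            cfg["static"].append(Static(t[1], t[2], t[3], t[4]))
        elif t[0] == "access-list":             # access-list name action proto src dst [eq port]
            _, i = _addr(t, 4)
            dst, i = _addr(t, i)
            port = t[i + 1] if i < len(t) and t[i] == "eq" else None
            cfg["ace"].append(Ace(t[1], t[2], t[3], dst, port))
        elif t[0] == "access-group":            # access-group name in interface if_name
            cfg["group"][t[4]] = t[1]
    return cfg

def _in_pool(ip, pool):
    _, lo, hi = pool
    n = int(ipaddress.IPv4Address(ip))
    return int(ipaddress.IPv4Address(lo)) <= n <= int(ipaddress.IPv4Address(hi))

def audit(cfg):
    """Return a list of findings; an empty list means the NAT configuration is self-consistent."""
    findings = []
    # 1. Every dynamic nat_id needs a global pool; nat_id 0 is identity NAT and needs none.
    for ifc, nat_id, _local in cfg["nat"]:
        if nat_id != 0 and nat_id not in cfg["global"]:
            findings.append(f"nat ({ifc}) {nat_id} has no matching global pool")
    # 2. A static mapped address inside a dynamic pool on the same interface is a conflict.
    for s in cfg["static"]:
        for nat_id, pool in cfg["global"].items():
            if pool[0] == s.mapped_if and _in_pool(s.mapped_ip, pool):
                findings.append(f"static {s.mapped_ip} overlaps global pool {nat_id}")
    # 3. Pre-8.3: the inbound ACL on outside names mapped addresses. A permit to a host that no
    #    static maps reaches nothing, and protocol 'ip' cannot carry a port.
    mapped = {s.mapped_ip for s in cfg["static"]}
    acl = cfg["group"].get("outside")
    for a in cfg["ace"]:
        if a.acl != acl:
            continue
        if a.proto == "ip" and a.port:
            findings.append(f"{a.acl}: protocol ip cannot carry 'eq {a.port}' (use tcp or udp)")
        if a.action == "permit" and a.dst != "any" and "/" not in a.dst and a.dst not in mapped:
            findings.append(f"{a.acl}: permit to {a.dst} names a mapped address with no static")
    return findings

def outside_exposure(cfg):
    """Resolve each inbound permit on outside to the real host it reaches through a static."""
    acl = cfg["group"].get("outside")
    statics = {s.mapped_ip: s for s in cfg["static"]}
    return [(a.dst, statics[a.dst].real_if, statics[a.dst].real_ip, a.proto, a.port)
            for a in cfg["ace"] if a.acl == acl and a.action == "permit" and a.dst in statics]

if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for finding in audit(parsed):
        print("FINDING:", finding)
    for mapped_ip, real_if, real_ip, proto, port in outside_exposure(parsed):
        print(f"outside -> {mapped_ip} reaches {real_if} host {real_ip} ({proto}/{port})")
```

Run it against a saved `show running-config` extract instead of SAMPLE_CONFIG to get the same report for a real pre-8.3 device; the exposure list is the quickest way to confirm which dmz or inside hosts an outside ACL actually opens, since the ACL itself only shows the mapped addresses.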
Origin blog.csdn.net/hu5566798/article/details/130057457