思科ASA防火墙基本配置思科ASA防火墙基本配置FireWall防火墙，它是一种位于内部网络与外部网络之间的网络安全系统，当然，防火墙也分软件防火墙与硬件防火墙。硬件防火墙又分为：基于PC架构与基于ASIC芯片今天来聊一聊思科的.硬件防火墙CiscoASACiscoASA防火墙产品线挺多：CiscoASA5505CiscoASA5510CiscoASA5520CiscoASA5540CiscoASA5550等等ASA的基本配置步骤如下：配置主机名、域名hostname[hostname]domain-namexx.xxhostnameCisco-ASA5520domain-nameciscosas.com.cn配置登陆用户名密码password[password]enablepassword[password]配置接口、路由interfaceinterface_namenameif[name]name有三种接口类型insdieoutsidedmzsecurity-levelxx(数值)数值越大接口安全级别越高注：默认inside100,outside0,dmz介于二者之间静态路由routeinterface_numbernetworkmasknext-hop-addressrouteoutside0.0.0.00.0.0.0210.210.210.1配置远程管理接入Telnettelnet{network|ip-address}maskinterface_nametelnet192.168.1.0255.255.255.0insidetelnet210.210.210.0255.255.255.0outsideSSHcryptokeygeneratersamodulus{1024|2048}指定rsa系数，思科推荐1024sshtimeoutminutessshversionversion_numbercryptokeygeneratersamodulus1024sshtimeout30sshversion2配置ASDM(自适应安全设备管理器)接入httpserverenbaleport启用功能http{networdk|ip_address}maskinterface_nameasdmimagedisk0:/asdm_file_name指定文件位置usernameuserpasswordpasswordprivilege15NATnat-controlnatinterface_namenat_idlocal_ipmaskglobalinterface_namenat_id{global-ip[global-ip]|interface}nat-controlnatinside1192.168.1.0255.255.255.0globaloutside1interfaceglobaldmz1192.168.202.100-192.168.202.150ACLaccess-listlist-namestandadpermit|denyipmaskaccess-listlist-nameextendadpermit|denyprotocolsource-ipmaskdestnation-ipmaskportaccess-grouplist-namein|outinterfaceinterface_name如果内网服务器需要以布到公网上staicreal-interfacemapped-interfacemapped-ipreal-ipstaic(dmz,outside)210.210.202.100192.168.202.1保存配置wirtememory清除配置clearconfigure(all)