去年卖个某大型企业的ASA5510防火墙，附实际的配置，并且都解释了得很清楚，非常值得参考的资料！ HYPERLINK"http://www.8cmd.com/attachment.php?aid=3690&k=3473d83bb0bdef1dd57503edc9a4d007&t=1280403472&nothumb=yes&sid=6379oUonq1RQZXKYEP7SAyE2KqkG63fjtRwPGShB29oMdA0"\o"CISCOASA5510实际配置案例及详解.JPG"\t"_blank"下载(32.44KB) 2008-12-1511:07 ASA5510#SHOWRUN:Saved:ASAVersion7.0(6)!hostnameASA5510enablepassword2KFQnbNIdI.2KYOUencryptednamesdns-guard!interfaceEthernet0/0此接口为外部网络接口nameifoutside设置为OUTSIDE外部接口模式security-level0外部接口模式安全级别为最高0ipaddress192.168.3.234255.255.255.0添加外部IP地址（一般为电信÷网通提供）! interfaceEthernet0/1此接口为内部网络接口nameifinside设置为INSIDE内部接口模式security-level100内部接口模式安全级别为100ipaddress10.1.1.1255.255.0.0添加内部IP地址（一般为公司自行分配）!interfaceEthernet0/2没用到SHUTDOWN关闭shutdownnonameifnosecurity-levelnoipaddress!interfaceManagement0/0没用到SHUTDOWN关闭nameifmanagementsecurity-level100ipaddress192.168.1.1255.255.255.0没用，用网线连接<SPANclass=t_tagonclick=tagshow(event)href="tag.php?name=%B9%DC%C0%ED">管理的端口。management-only!passwd2KFQnbNIdI.2KYOUencryptedftpmodepassivepagerlines24loggingasdminformationalmtuoutside1500mtuinside1500mtumanagement1500noasdmhistoryenablearptimeout14400global(outside)1interface一定要打表示PAT端口扩展：“1”为其<SPANclass=t_tagonclick=tagshow(event)href="tag.php?name=NAT">NATIDnat(inside)110.1.0.0255.255.0.0转换所有10.1.0.0的内部地址routeoutside0.0.0.00.0.0.0192.168.3.2541内部所有地址访问外部地址出口为电信－网通提供的网关地址timeoutxlate3:00:00timeoutconn1:00:00half-closed0:10:00udp0:02:00icmp0:00:02timeoutsunrpc0:10:00h3230:05:00h2251:00:00mgcp0:05:00timeoutmgcp-pat0:05:00sip0:30:00sip_media0:02:00timeoutuauth0:05:00absolutehttpserverenablehttp192.168.1.0255.255.255.0managementnosnmp-serverlocationnosnmp-servercontactsnmp-serverenabletrapssnmpauthenticationlinkuplinkdowncoldstarttelnettimeout5sshtimeout5consoletimeout0dhcpdaddress10.1.1.30-10.1.1.200inside<SPANclass=t_tagonclick=tagshow(event)href="tag.php?name=DHCP">DHCP自动提供分配范围为10.1.1.30－200dhcpdaddress192.168.1.2-192.168.1.254management无效dhcpddns192.168.0.1DNS添加：可以是电信网通提供直接添加，或者自己的DNS<SPANclass=t_tagonclick=tagshow(even