ASA防火墙配置笔记

network

ASA防火墙配置笔记

二〇〇六年十月二十七日

序言：

Cisco新的防火墙ASA系列已经面市了，将逐步取代PIX防火墙，网上关于ASA配置资料很少，现把我积累的ASA配置技术编写一个文档，供大家参考。如有问题，可发邮件给我。
1.
常用技巧....................................................................................... 1
2.
故障倒换....................................................................................... 1
3.
配置telnet、ssh及http管理............................................................ 3
4.
vpn常用管理命令.......................................................................... 3
5.
配置访问权限................................................................................ 3
6.
配置sitetosite之VPN...................................................................... 4
7.
webvpn配置（ssl vpn）................................................................. 4
8.
远程拨入VPN................................................................................ 5
9.
日志服务器配置............................................................................. 6
10.
Snmp网管配置............................................................................. 7
11.
ACS配置...................................................................................... 7
12.
AAA配置..................................................................................... 7
13.
升级IOS...................................................................................... 8
14.
疑难杂症...................................................................................... 8

1.
常用技巧
Sh ru ntp查看与ntp有关的
Sh ru crypto 查看与vpn有关的
Sh ru | inc crypto 只是关健字过滤而已

2.
故障倒换failover
failover lan unit primary
failover lan interface testint Ethernet0/3
failover link testint Ethernet0/3
failover mac address Ethernet0/1 0018.1900.5000 0018.1900.5001
failover mac address Ethernet0/0 0018.1900.4000 0018.1900.4001
failover mac address Ethernet0/2 0018.1900.6000 0018.1900.6001
failover mac address Management0/0 0018.1900.7000 0018.1900.7001
failover interface ip testint 10.3.3.1 255.255.255.0 standby 10.3.3.2
注：最好配置虚拟MAC地址
sh failover显示配置信息
write standby写入到备用的防火墙中

failover命令集如下：
configure mode commands/options:

interface
Configure the IP address and mask to be used for failover

and/or stateful update information

interface-policy
Set the policy for failover due to interface failures

key
Configure the failover shared secret or key

lan
Specify the unit as primary or secondary or configure the

interface and vlan to be used for failover communication

link
Configure the interface and vlan to be used as a link for

stateful update information

mac
Specify the virtual mac address for a physical interface

polltime
Configure failover poll interval

replication
Enable HTTP (port 80) connection replication

timeout
Specify the failover reconnect timeout value for

asymmetrically routed sessions

sh failover 命令集如下：


history
Show failover switching history

interface
Show failover command interface information

state
Show failover internal state information

statistics
Show failover command interface statistics information

|
Output modifiers

<cr>
3.
配置telnet、ssh及http管理username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http 192.168.40.0 255.255.255.0 management
ssh 192.168.40.0 255.255.255.0 inside
4.
vpn常用管理命令sh vpn-sessiondb full l2l 显示site to site 之vpn通道情况
sh ipsec stats 显示ipsec通道情况
sh vpn-sessiondb summary 显示vpn汇总信息
sh vpn-sessiondb detail l2l 显示ipsec详细信息
sh vpn-sessiondb detail svc 查看ssl client信息
sh vpn-sessiondb detail webvpn 查看webvpn信息

sh vpn-sessiondb detail full l2l 相当于linux下的ipsec whack –status 如果没有建立连接，则表示ipsec通道还没有建立起来。
5.
配置访问权限可以建立对象组，设定不同的权限，如：

object-group network testgroup

description test

network-object 192.168.100.34 255.255.255.255


access-list inside_access_in line 2 extended permit ip object-group all any

access-group inside_access_in in interface inside
6.
配置sitetosite之VPN
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 218.16.105.48
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

tunnel-group 218.16.105.48 type ipsec-l2l
tunnel-group 218.16.105.48 ipsec-attributes

pre-shared-key *

peer-id-validate nocheck
tunnel-group-map enable rules

注：打打PFS并设定以IP地址作为peer名，一个接口只能有一个加密图


7.
      webvpn配置（ssl vpn）webvpn

enable outside

character-encoding gb2312

csd image disk0:/securedesktop-asa-3.1.1.16.pkg

svc image disk0:/sslclient-win-1.1.0.154.pkg 1

svc enable
customization customization1

title text TEST WebVPN system

title style background-color:white;color: rgb(51,153,0);border-bottom:5px groo
ve #669999;font-size:larger;vertical-align:middle;text-align:left;font-weight:bold

tunnel-group-list enable

注：也可通过ASDM图形界面进行配置

登录后，可访问内部资源，如下例：（客户端首先要安装Java插件jre-1_5_0-windows-i586.exe,并打开浏览器的ActiveX）
1) https://sslvpn.test.com.cn 输入用户名和密码

2) 出现工具条

3) 在Enter Web Address内输入192.168.40.8即可访问内部网站

4）在browse network输入192.168.40.8即可访问共享文件
5)点击application access，即可查看端口转发设置，如使用putty访问本机的2023端口，则即可通过ssh登录192.168.40.8
8.
远程拨入VPN相关的ASA配置命令如下：

access-list inside_access_in extended permit ip object-group remotegroup any
access-list inside_access_in extended permit icmp object-group remotegroup any
access-list remotevpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0

access-list vpnclient_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0


ip local pool dialuserIP 192.168.101.1-192.168.101.254 mask 255.255.255.0

group-policy remotevpn attributes

dns-server value 202.96.128.68 192.168.40.16

default-domain value test.com.cn
username jiang password Csmep3VzvPQPCbkx encrypted privilege 15

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes

address-pool dialuserIP

default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes

pre-shared-key *

客户端设置如下：

9.
日志服务器配置logging enable
logging timestamp
logging emblem
logging trap informational
logging asdm warnings
logging host inside 192.168.40.115 format emblem
logging permit-hostdown

vpn-simultaneous-logins 3

10.
Snmp网管配置snmp-server host inside 192.168.40.47 community testsnmp
snmp-server location DG-GTEST
snmp-server contact jiangdaoyou:6162
snmp-server community testsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart

注：指定主机后，192.168.40.47才可能进行管理

11.
ACS配置    安装后管理：http://ip:2002 通过ACS可以进行授权、认证等等很多功能
       因内容太多，暂省略
12.
AAA配置Aaa服务器配置：
aaa-server radius_dg host dc03.xxxx.com

key dfdfdfdf146**U

authentication-port 1812

accounting-port 1813

radius-common-pw dfdfdfdf146**U

对于拨入vpn的配置
tunnel-group vg_testerp general-attributes

address-pool ciscovpnuser

authentication-server-group radius_dg

default-group-policy vg_testerp
13.
升级IOScopy tftp://192.168.40.180/asa/asa721-k8.bin disk0:/asa721-k8.bin
boot system disk0:/asa721-k8.bin （多个Image时使用）

14.
疑难杂症1)
在远程子网不能ping通过对方的网关，如在无锡格兰不能ping 192.168.40.251
输入命令：management-access inside （通过ASDM不能设置这一项）

2)
NAT有时不能快速启作用
使用命令：clear xlate即可