博威 (boway) --- Cloud architecture decides cloud computing

Views: 2295 | Replies: 2

First time working with CISCO, looking for help with a problem

Posted 2007-11-23 17:21:52
On instructions from above, our company has just purchased a Cisco ASA 5510.
It is mainly used for VPN.
Previously the company used ISA as a proxy to control employees' internet access and so on.
After installation, the engineer we hired set up the VPN and then left.
The company requires internet restrictions for certain IPs: they may only visit a few specific websites, and everything else must be blocked.
With ISA this was easily done by creating a policy.
But now with the ASA I have no idea where to start.
Could everyone help me see how to write this command? Or can the above restriction be done with ASDM?
Also, how do I enable the Ethernet0/3 port? I want to use it for learning and testing.

In addition, could anyone recommend books or electronic documents suitable for a beginner like me?
Thanks.
Below is our company's configuration:

GUIZHOUJIUYAN# sh config
: Saved
: Written by enable_15 at 03:08:31.708 UTC Wed Nov 14 2007
!
ASA Version 7.0(6)
!
hostname GUIZHOUJIUYAN
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 61.189.158.244 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
nameif kefang
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 130 extended permit ip any 192.168.0.0 255.255.0.0
access-list vpn extended permit ip host 192.168.0.211 host 172.28.1.5
access-list vpn extended permit ip host 192.168.0.212 host 172.28.1.5
access-list nat0 extended permit ip host 192.168.0.211 host 172.28.1.5
access-list nat0 extended permit ip host 192.168.0.212 host 172.28.1.5
access-list icmp extended permit icmp any any
access-list lan0 extended deny ip host 192.168.0.23 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu kefang 1500
mtu management 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 192.168.0.0 255.255.0.0
nat (kefang) 1 192.168.2.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.0.33 www netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.0.20 8080 netmask 255.255.255.255
access-group icmp in interface outside
route outside 0.0.0.0 0.0.0.0 61.189.158.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set mac esp-des esp-md5-hmac
crypto dynamic-map dyn_vpn 10 set transform-set mac
crypto map outside_map 20 match address vpn
crypto map outside_map 20 set peer 202.98.222.80
crypto map outside_map 20 set transform-set mac
crypto map outside_map interface outside
crypto ca trustpoint mo
crl configure
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp nat-traversal  20
tunnel-group 202.98.222.80 type ipsec-l2l
tunnel-group 202.98.222.80 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
telnet 192.168.0.1 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 61.189.158.244 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.254 kefang
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 202.98.192.68 202.98.198.168
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable kefang
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:01f12e9209c1e5be228551c4ce553834
GUIZHOUJIUYAN#
Posted 2007-11-23 18:44:08
There is nothing wrong with it. Go to the CISCO website and download the configuration guide; that is the only thing you can read.
OP | Posted 2007-11-23 22:41:01
My main question is how to restrict certain IPs so that they can only access specified websites,
for example letting 192.168.0.22 access only www.gzjiuyuan.com.

The other question is how to configure ethernet0/3.
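One way to do both things the original poster asks for, as an added example that is not from this thread, from the poster's own configuration or from Cisco's documentation, written against the ASA 7.0(6) CLI syntax visible in the posted config. Two things in that config matter for it: access-list 130 and access-list lan0 are defined but never bound with access-group, so today they have no effect (the only applied list is icmp on outside); and once any list is bound to inside, the implicit deny at its end drops everything not explicitly permitted, including the 192.168.0.211/.212 traffic the site-to-site VPN carries, so the last rule must permit the rest of the LAN. Assumptions in the example: www.gzjiuyuan.com resolves to 203.0.113.10 (a placeholder; ASA 7.0 cannot use hostnames in access lists, so look the real address up and substitute it, and re-check it if the site moves), the restricted host uses the DNS servers the config already hands out via dhcpd, and 192.168.3.0/24 is free for the test segment. The names inside_in, restricted_hosts, allowed_sites, www_gzjiuyuan and test are chosen here, not taken from the config.

```cisco
! Added example; not part of the posted configuration. Syntax is ASA 7.0(6).
!
! --- 1. Restrict 192.168.0.22 to www.gzjiuyuan.com only ---
! ASA 7.0 ACLs take IP addresses, not hostnames. 203.0.113.10 is a
! placeholder: resolve www.gzjiuyuan.com yourself and substitute it.
! ("names" is already enabled in the posted config, so "name" works.)
name 203.0.113.10 www_gzjiuyuan

! Hosts to be restricted (add one network-object line per host)
object-group network restricted_hosts
 network-object host 192.168.0.22

! Sites the restricted hosts may reach (add one line per allowed site)
object-group network allowed_sites
 network-object host www_gzjiuyuan

! Order matters: first match wins, and the list ends in an implicit deny.
! Let the restricted hosts resolve names (assumes they use the DNS servers
! the config hands out, 202.98.192.68 / 202.98.198.168), reach the allowed
! sites on HTTP and HTTPS, and nothing else.
access-list inside_in extended permit udp object-group restricted_hosts host 202.98.192.68 eq domain
access-list inside_in extended permit udp object-group restricted_hosts host 202.98.198.168 eq domain
access-list inside_in extended permit tcp object-group restricted_hosts object-group allowed_sites eq www
access-list inside_in extended permit tcp object-group restricted_hosts object-group allowed_sites eq https
access-list inside_in extended deny ip object-group restricted_hosts any
! Everyone else on the inside LAN keeps its current, unrestricted access.
! This line also covers 192.168.0.211/.212 to 172.28.1.5 for the VPN;
! without it the implicit deny would silently break the tunnel traffic.
access-list inside_in extended permit ip 192.168.0.0 255.255.255.0 any

! Bind the list to traffic entering the inside interface.
access-group inside_in in interface inside

! --- 2. Bring up Ethernet0/3 as a test segment ---
! 192.168.3.0/24 and the nameif "test" are choices made for this example.
! security-level 50: hosts on it can reach outside (level 0) but not
! inside or kefang (level 100) without an explicit ACL, which is what
! you want from a lab port.
interface Ethernet0/3
 nameif test
 security-level 50
 ip address 192.168.3.1 255.255.255.0
 no shutdown
!
! Let the test segment out through the same PAT pool (global id 1)
! that inside and kefang already use.
nat (test) 1 192.168.3.0 255.255.255.0
```

Check the result with `show access-list inside_in`, which prints a hit count per line: browse from 192.168.0.22 to the allowed site and to some other site, and the permit and deny lines should both count up. `show interface Ethernet0/3` should report up/up after `no shutdown`; run `show version` first, because the ASA 5510 Base license limits the number of usable physical interfaces and Ethernet0/3 may require the Security Plus license. ASDM's Access Rules page generates the same access-list and access-group commands, so it is only a different front end for the lines above. Since the config is being edited anyway: the posted `ssh 0.0.0.0 0.0.0.0 outside` and `telnet 0.0.0.0 0.0.0.0 inside` accept management logins from any address; narrow them to the administrator's host.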