ASA5585 firewall IDC data room mounting notes
Preface:
Currently the online gaming company uses an ASA5520. When the web sites are attacked, the 0.28 million connection table is used up and services become abnormal, so this problem had to be solved immediately. Following the network architecture of many Internet companies, replacing the firewall is a good solution. Two brands were proposed to the leader for approval, a Cisco ASA and a Juniper SRX. The leader chose Cisco; I feel sad for Juniper here. The leader has always thought Cisco's switches are easy to use, so he assumes Cisco's firewalls are also very powerful (in fact, Juniper's firewall is better than Cisco's ASA). I went to the Cisco official website to look for a product rated for 2 million concurrent connections. I also asked Cisco, who said the 5580 had been discontinued and recommended the 5585, which performs better and, after the discount, came out 1,000 cheaper than the old 5580-20. So we settled on the ASA5585-20-K9.
Step 1: Product procurement
The Order details are as follows:
The company spent 0.35 million RMB in total. Cisco's service is really expensive: it will cost 0.13 million RMB over three years. In fact, service fees from foreign vendors are expensive in general, whether Cisco, Oracle, or IBM minicomputers.
Step 2: Hardware acceptance
Inspect and accept the equipment together with the supplier's engineers. The large box is the ASA5585 firewall and the small box is the redundant power supply. I had also purchased two SM multi-mode fiber cables; I asked the data room staff for help and they said those were in the warehouse. No hardware was missing and the packaging was intact. Unpack the boxes.
Step 3: Prepare for mounting
3.1 Redundant power supply module and rack ears; the ASA5585 firewall looks much like a Dell R710 server.
3.2 Freeing space in the cabinet
Remove the Cisco 3825 router from the rack in one cabinet to leave a 2U space; the ASA5585 goes here.
Step 4: Rack mounting
At this point I was stumped: the power cord plug is 16A and does not fit the rack's socket. When I purchased this product I specifically asked the Cisco factory engineer, and he said the power plug was standard, the national standard. So before I came to Beijing I did not think there would be any problem with the power cord plug. I searched Suning, a big supermarket, hardware stores and a Gree air-conditioner shop within the 1000 square meters around Jiuxianqiao in Beijing; none of them had a 10A-to-16A adapter plug. With no other option I turned to Taobao and found a seller in Xiaojia Hutong, on the street outside Andingmenwai. I bought two adapter plugs for 20 yuan.
The charge was 60 and the plugs 20, 80 in total, plus 4 hours wasted for two adapter plugs. So pay attention to the power requirements of high-end products such as HP blade chassis and IBM minicomputers.
Step 5: Software acceptance
Log on to the ASA5585 and check the software copyright and license.
Comparing the purchase order list against the output of "show version", one item was missing: "ASA5585-SEC-PL". Everything else was normal. I recorded this issue and called the supplier's pre-sales manager; he checked and said it was not indicated in the contract. No matter for now; he went back to Shenzhen to apply for it under the original contract.
Step 6: Function debugging
6.1 Internal and external network interfaces
interface e0/0
 nameif outside
 security-level 0
 ip address 211.xxx.193.x 255.255.255.128 // public address (redacted in the original), /25 mask
interface e0/1
 nameif inside
 security-level 100
 ip address 10.98.2.5 255.255.255.0
Internet route: route outside 0.0.0.0 0.0.0.0 211.xxx.193.1
Intranet route: route inside 10.98.2.0 255.255.255.0 10.98.2.1
6.2 Set the host name and domain name:
hostname ASA5585-20
domain-name xxxx.com
6.3 Set the enable password. The command is as follows:
enable password xxxxxx // set on site when the device is configured; use more than 8 characters
6.4 Set the account and password. The command is as follows:
username xxxx password xxxx privilege 15 // used for ASDM and SSH management
crypto key generate rsa modulus 1024 // generate the SSH host key; 1024 is the minimum, 2048 is the recommended size today
6.5 Enable telnet and SSH access to the firewall
telnet 0.0.0.0 0.0.0.0 inside // allow telnet from the whole intranet; telnet is cleartext, so restricting it to a management subnet is preferable
telnet timeout 5
aaa authentication enable console LOCAL // enable-mode authentication against the LOCAL user database
aaa authentication telnet console LOCAL // telnet authentication against the LOCAL user database
aaa authentication ssh console LOCAL // SSH authentication against the LOCAL user database
ssh 0.0.0.0 0.0.0.0 outside // SSH from any Internet address; this exposes management to the Internet, so limit it to known source addresses where possible
ssh 0.0.0.0 0.0.0.0 inside // SSH from the whole intranet
ssh timeout 30
ssh version 2 // force SSH version 2
console timeout 0
6.6 NAT translation and mapping (version 8.4)
6.6.1 Translate internal servers so they can access the Internet
object network inside-outside-all // intranet server NAT
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic 211.xxx.193.10
6.6.2 Map www and open ports
object network inside-server215 // intranet web server, port 80 mapped to the Internet
 host 10.98.2.25
 nat (inside,outside) static 211.xxx.193.12 service tcp www www // static port mapping: real port www, mapped port www
6.6.3 Open the mapped port
access-list pass-policy extended permit icmp any any
access-list pass-policy extended permit tcp any host 10.98.2.25 eq www // from 8.3 on, ACLs match the real (untranslated) address
access-group pass-policy in interface outside // the ACL has no effect until it is applied to the interface
6.7 VPN connection (version 8.4)
object network szzb // defines the Shenzhen VPN network
 subnet 172.16.4.0 255.255.255.0
object network bjwz // defines the Beijing VPN network
 subnet 10.98.2.0 255.255.255.0
access-list bj-sz-vpn extended permit ip object bjwz object szzb // interesting traffic from the local (Beijing) network to the remote (Shenzhen) network; the names must match the objects defined above
nat (inside,outside) source static bjwz bjwz destination static szzb szzb // identity NAT so VPN traffic is exempt from the dynamic PAT in 6.6.1
crypto ipsec ikev1 transform-set vpn_set esp-des esp-md5-hmac // as configured here; DES and MD5 are deprecated, esp-aes-256 esp-sha-hmac is the usual choice today
crypto map vpn_map 70 match address bj-sz-vpn
crypto map vpn_map 70 set peer 124.114.169.xx
crypto map vpn_map 70 set ikev1 transform-set vpn_set
crypto map vpn_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des // deprecated, see the note on the transform set
 hash md5
 group 2
 lifetime 86400
tunnel-group 124.x type ipsec-l2l // the tunnel-group name is the peer address (redacted in the original)
tunnel-group 124.x ipsec-attributes
 ikev1 pre-shared-key xxxxxxx // shared secret, redacted in the original
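The Step 6 configuration is easy to get subtly wrong: a five-octet subnet mask, an ACL that references object names that were never defined, a filter ACL that is never applied with access-group, DES/MD5 crypto, and management open from the Internet. The following lint pass is an added example that is not part of the original post and not a Cisco tool; it runs those checks over a constructed config fragment (SAMPLE, with documentation addresses) that mirrors the post's mistakes.

```python
"""Lint pass over an ASA 8.4 config for the mistakes seen in Step 6 (constructed example)."""
import ipaddress
import re

WEAK = ("esp-des", "esp-md5-hmac", "encryption des", "hash md5", "modulus 1024")
# Constructed sample reproducing the page's errors (203.0.113.0/24 is a documentation range).
SAMPLE = """\
interface e0/0
 nameif outside
 ip address 203.0.113.5 255.255.255.255.128
object network bjwz
 subnet 10.98.2.0 255.255.255.0
object network szzb
 subnet 172.16.4.0 255.25.255.0
access-list pass-policy extended permit tcp any host 10.98.2.25 eq www
access-list bj-sz-vpn extended permit ip object obj-172.16.4.0 object obj-10.98.2.0
crypto map vpn_map 70 match address bj-sz-vpn
crypto ipsec ikev1 transform-set vpn_set esp-des esp-md5-hmac
ssh 0.0.0.0 0.0.0.0 outside
"""

def lint_asa(config):
    """Return findings: bad masks, dangling object/ACL names, weak crypto, open management."""
    lines = [l.strip().lower() for l in config.splitlines() if l.strip()]
    objects, acl_def, acl_used, findings = set(), set(), set(), []
    for l in lines:  # first pass: collect object definitions and ACL definitions/uses
        if m := re.match(r"object network (\S+)", l):
            objects.add(m.group(1))
        if m := re.match(r"access-list (\S+)", l):
            acl_def.add(m.group(1))
        if m := re.match(r"access-group (\S+)", l) or re.search(r"match address (\S+)", l):
            acl_used.add(m.group(1))
    for l in lines:  # second pass: per-line checks
        if m := re.match(r"(?:subnet|ip address) \S+ (\S+)", l):
            try:
                ipaddress.IPv4Network(("0.0.0.0", m.group(1)))  # rejects 5-octet or non-contiguous masks
            except ValueError:
                findings.append(f"bad mask: {l}")
        refs = [] if l.startswith("object ") else re.findall(r"\bobject (\S+)", l)
        for a, b in re.findall(r"(?:source|destination) static (\S+) (\S+)", l):
            refs += [a, b]  # twice-NAT lines name objects without the 'object' keyword
        findings += [f"undefined object {r}: {l}" for r in refs if r not in objects and r != "any"]
        if any(w in l for w in WEAK):
            findings.append(f"weak crypto: {l}")
        if re.match(r"(?:ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 outside", l):
            findings.append(f"management open to the Internet: {l}")
    findings += [f"ACL {a} defined but never applied" for a in sorted(acl_def - acl_used)]
    return findings
```

Running lint_asa(SAMPLE) reports seven findings; after the fixes shown in 6.6 and 6.7 (valid masks, matching object names, access-group applied, AES/SHA, SSH limited to the inside network) it reports none.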
Step 7: Verify NAT and VPN parameters
show nat detail // NAT rules with their object definitions and hit counts
show xlate // current translation table
show conn // current connection table
show run nat // NAT lines in the running configuration
show nat pool // PAT pool usage
show crypto isakmp sa // IKE phase 1 security associations
show crypto ipsec sa // IPsec phase 2 security associations
show crypto isakmp stats // IKE negotiation statistics
This article is from the "System Network O&M" blog; please keep this source: http://369369.blog.51cto.com/319630/806508