Cisco ASA Firewall Common configuration (ASA Version 8.2 (5))

Note: Intranet port: 192.168.3.253 External Network port: 192.168.6.45 (The following instructions are accordingly)!!!

Join VLAN in interface mode:

Switchport Access VLAN 2

VLAN interface Configuration IP Address:

Interface Vlan1

Nameif inside

Security-level 50

IP address 192.168.3.253 255.255.255.0

To configure Port mappings:

access-list outside_access Extended permit IP any any to create an access control list

access-group outside_access in interface Outside applied to the external network port

static (inside,outside) TCP interface 192.168.3.222 3389 netmask 255.255.255.255 do port mapping

To configure NAT:

Global (outside) 1 interface

Nat (inside) 1 192.168.3.0 255.255.255.0

Configuring an SSH Connection

username xxx password xxxxxx privilege Create user

AAA Authentication Enable console LOCAL

AAA authentication SSH Console local enable SSH native user authentication

ssh 192.168.3.0 255.255.255.0 inside SSH access control

Crypto key generate RSA open SSH Service

To add a static route:

Route outside 0.0.0.0 0.0.0.0 192.168.6.254 1

Route inside 192.168.6.0 255.255.255.0 192.168.6.254 1

To resolve the NAT reflow problem:

The following is a solution given by the forum

can use hairpinning+static Nat, the principle is to allow inside incoming traffic, without other interfaces go out and directly from the inside interface, the configuration is as follows: (note 1.1.1.1 for the public IP, 192.168.1.10 for the network IP)
1. Open hairpinning:same-security-traffic Permit Intra-interface
2. Define the global address for intranet users to access internal servers using hairpinning:Global (inside) 1 interface
3, address mapping, the public network port mapping to the intranet port
Static (inside,outside) tcp 1.1.1.1 www 192.168.1.10 www netmask 255.255.255.255
4. Define address mappings for hairpinning traffic return paths
Static (inside,inside) tcp 1.1.1.1 www 192.168.1.10 www netmask 255.255.255.255
5. Define ACLS:access-list 101 Extended per TCP any host 1.1.1.1 eq www
6. Apply the ACL to the external interface:Access-group 101 in interface outside

With the case of self-configuration: The intranet of a machine Remote Desktop server map to the external network, and the intranet terminal can be accessed through the extranet IP.

To turn on NAT:

Global (outside) 1 interface

Nat (inside) 1 192.168.3.0 255.255.255.0

Do port mapping:

static (inside,outside) TCP interface 192.168.3.222 3389 netmask 255.255.255.255

To do access control for an external network port:

Access-list outside_access Extended permit IP any any

Access-group Outside_access in Interface Outside

The above directive realizes, the external network user accesses the internal terminal through the public network IP, but the intranet user cannot access (only uses the intranet IP access).

Same-security-traffic Permit Intra-interface

Global (inside) 1 interface

Static (inside,inside) TCP 192.168.6.45 192.168.3.222 3389 netmask 255.255.255.255

About speed limit:

Access-list Extended Permit IP 192.168.3.0 255.255.255.0 any

Access-list Extended Permit IP any 192.168.3.0 255.255.255.0

Class-map 1000

Match Access-list 1000

Policy-map Xiansu

Class 1000

Police output 8000000 1600000 conform-action transmit exceed-action drop

Police input 8000000 1600000 conform-action transmit exceed-action drop

\ \ normal rate 1Mbps burst 2Mbps in accordance with the forwarding exceeded the burst is discarded

Service-policy Xiansu interface inside application to interface

======================================

This article is from "retrograde person" blog, declined reprint!

Cisco ASA Firewall Common configuration (ASA Version 8.2 (5))