CISCO ASA Configuration Notes

Source: Internet
Author: User
Tags: snmp, ssh, access

cd-asa5520# show run
: Saved
:
ASA Version 7.2(2)
!
hostname cd-asa5520//name the firewall
domain-name default.domain.invalid//the firewall's domain name (this is the factory default)
enable password 9jnfzug3tc5tcvh0 encrypted//password for entering privileged (enable) mode
names
dns-guard
!
interface GigabitEthernet0/0//internal (intranet) interface
 duplex full//duplex mode: full, half, or auto
 nameif inside//logical name of the port: the internal interface is "inside"
 security-level 100//security level 0-100; the higher the value, the more trusted the interface
 ip address 192.168.1.1 255.255.255.0//IP address of this port
!
interface GigabitEthernet0/1//external (Internet) interface
 nameif outside//logical name of the port: the external interface is "outside"
 security-level 0//lowest trust level
 ip address 202.98.131.122 255.255.255.0//IP address of this port
!
interface GigabitEthernet0/2//DMZ interface
 nameif DMZ
 security-level 50//between inside (100) and outside (0)
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3//unused, shut down
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0//dedicated management interface, shut down here
 shutdown
 no nameif
 no security-level
 no ip address
!
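The security levels above decide, when no access list is applied to an interface, which interface may initiate connections to which: higher level to lower is allowed, lower to higher is denied, equal levels are denied unless same-security traffic is explicitly permitted. The Python below is an added example, not part of the original notes: it parses the interface stanzas (a sample constructed from the listing) and evaluates that default rule for every pair of active interfaces. It models only the default; on this firewall the outside interface later gets an access-group applied, which replaces the default for connections entering there.

```python
"""Parse the interface stanzas of an ASA listing and evaluate the default
security-level rule between them.

Added illustration, not part of the original configuration notes.
SAMPLE_CONFIG is constructed from the interface section above."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the four data interfaces from the listing above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 202.98.131.122 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
"""


@dataclass
class Interface:
    name: str                             # physical name, e.g. GigabitEthernet0/1
    nameif: Optional[str] = None          # logical name other commands refer to
    security_level: Optional[int] = None  # 0 (least trusted) .. 100 (most trusted)
    ip: Optional[str] = None
    mask: Optional[str] = None
    shutdown: bool = False


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Return interfaces keyed by nameif; interfaces without a nameif are
    keyed by their physical name."""
    result: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            result[current.name] = current
        elif line == "!":
            current = None  # end of the stanza
        elif current is None or not line:
            continue
        elif line.startswith("nameif "):
            current.nameif = line.split()[1]
            result[current.nameif] = result.pop(current.name)
        elif line.startswith("security-level "):
            current.security_level = int(line.split()[1])
        elif line.startswith("ip address "):
            parts = line.split()
            current.ip, current.mask = parts[2], parts[3]
        elif line == "shutdown":
            current.shutdown = True
    return result


def default_flow_allowed(interfaces: Dict[str, Interface], src: str, dst: str,
                         same_security_permitted: bool = False) -> bool:
    """ASA default with no access-group on the source interface: connections
    may be initiated from a higher security level to a lower one; lower to
    higher is denied; equal levels are denied unless
    'same-security-traffic permit inter-interface' is configured."""
    a, b = interfaces[src], interfaces[dst]
    if a.shutdown or b.shutdown:
        return False
    if a.security_level is None or b.security_level is None:
        return False
    if a.security_level == b.security_level:
        return same_security_permitted
    return a.security_level > b.security_level


def flow_matrix(config: str) -> Dict[str, bool]:
    """Evaluate every ordered pair of named, active interfaces."""
    ifs = parse_interfaces(config)
    named = [k for k, v in ifs.items() if v.nameif and not v.shutdown]
    return {f"{s}->{d}": default_flow_allowed(ifs, s, d)
            for s in named for d in named if s != d}


if __name__ == "__main__":
    for pair, allowed in flow_matrix(SAMPLE_CONFIG).items():
        print(f"{pair:16} {'permitted' if allowed else 'denied'}")
```

Running it shows inside reaching both outside and DMZ, DMZ reaching only outside, and outside reaching nothing by default, which is why the port-forwarding section later needs both an access list and static translations.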

passwd 2kfqnbnidi.2kyou encrypted//login password for Telnet/SSH sessions
ftp mode passive
clock timezone CST 8//local time zone, UTC+8
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Outside_permit extended permit tcp any interface outside eq 3389//access control list: any external host may reach TCP port 3389 on the outside interface address
access-list Outside_permit extended permit tcp any interface outside range 30000 30010//any external host may reach TCP ports 30000-30010 on the outside interface address
pager lines 24
logging enable//turn on logging
logging asdm informational//send informational-level messages to ASDM
mtu inside 1500//maximum transmission unit on inside is 1500 bytes
mtu outside 1500
mtu DMZ 1500
ip local pool vpnclient 192.168.200.1-192.168.200.200 mask 255.255.255.0//address pool named vpnclient, used to assign addresses to remote-access users
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400//ARP entries age out after 14,400 seconds
global (outside) 1 interface//PAT pool 1 uses the outside interface address; with no matching "nat (inside) 1" statement, inside hosts are not translated and cannot reach the Internet
static (dmz,outside) tcp interface 30000 192.168.2.2 30000 netmask 255.255.255.255
static (dmz,outside) tcp interface 30001 192.168.2.2 30001 netmask 255.255.255.255
static (dmz,outside) tcp interface 30002 192.168.2.2 30002 netmask 255.255.255.255
Static PAT (port forwarding) publishes many internal services while using few public IP addresses. Each line maps a TCP port on the outside interface address to the DMZ host 192.168.2.2; for example, outside port 30002 is mapped to 192.168.2.2 port 30002.
static (dmz,outside) tcp interface 30003 192.168.2.2 30003 netmask 255.255.255.255
static (dmz,outside) tcp interface 30004 192.168.2.2 30004 netmask 255.255.255.255
static (dmz,outside) tcp interface 30005 192.168.2.2 30005 netmask 255.255.255.255
static (dmz,outside) tcp interface 30006 192.168.2.2 30006 netmask 255.255.255.255
static (dmz,outside) tcp interface 30007 192.168.2.2 30007 netmask 255.255.255.255
static (dmz,outside) tcp interface 30008 192.168.2.2 3008 netmask 255.255.255.255
static (dmz,outside) tcp interface 30009 192.168.2.2 30009 netmask 255.255.255.255
static (dmz,outside) tcp interface 30010 192.168.2.2 30010 netmask 255.255.255.255
static (dmz,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255
access-group Outside_permit in interface outside
Apply the Outside_permit access list to the inbound direction of the outside interface.
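Publishing a DMZ host on this ASA release takes two statements per port: an access-list permit for the outside interface address and a static PAT entry that translates it to the real host. A permit with no translation does nothing useful, and a translation with no permit is blocked by the access-group. The Python below is an added example, not part of the original notes: it parses the access-list, static and access-group lines (a sample constructed from the listing above) and reports ports that are permitted but not translated, translated but not permitted, and mappings whose real port differs from the mapped port, which on this listing surfaces the entry that maps outside port 30008 to 192.168.2.2 port 3008.

```python
"""Cross-check an ASA outside access list against its static PAT entries.

Added example, not part of the original configuration notes. SAMPLE_CONFIG is
constructed from the access-list, static and access-group lines above."""
import re
from typing import Dict, Optional, Set, Tuple

SAMPLE_CONFIG = """\
access-list Outside_permit extended permit tcp any interface outside eq 3389
access-list Outside_permit extended permit tcp any interface outside range 30000 30010
static (dmz,outside) tcp interface 30000 192.168.2.2 30000 netmask 255.255.255.255
static (dmz,outside) tcp interface 30001 192.168.2.2 30001 netmask 255.255.255.255
static (dmz,outside) tcp interface 30002 192.168.2.2 30002 netmask 255.255.255.255
static (dmz,outside) tcp interface 30003 192.168.2.2 30003 netmask 255.255.255.255
static (dmz,outside) tcp interface 30004 192.168.2.2 30004 netmask 255.255.255.255
static (dmz,outside) tcp interface 30005 192.168.2.2 30005 netmask 255.255.255.255
static (dmz,outside) tcp interface 30006 192.168.2.2 30006 netmask 255.255.255.255
static (dmz,outside) tcp interface 30007 192.168.2.2 30007 netmask 255.255.255.255
static (dmz,outside) tcp interface 30008 192.168.2.2 3008 netmask 255.255.255.255
static (dmz,outside) tcp interface 30009 192.168.2.2 30009 netmask 255.255.255.255
static (dmz,outside) tcp interface 30010 192.168.2.2 30010 netmask 255.255.255.255
static (dmz,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255
access-group Outside_permit in interface outside
"""

# Only the statement shapes used in the listing are parsed: "any" source,
# destination "interface <name>", TCP, with "eq" or "range" ports.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit tcp any interface (?P<ifc>\S+) "
    r"(?:eq (?P<eq>\d+)|range (?P<lo>\d+) (?P<hi>\d+))$")
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<map_ifc>\w+)\) tcp interface (?P<map_port>\d+) "
    r"(?P<real_ip>[\d.]+) (?P<real_port>\d+) netmask ")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifc>\S+)$")


def applied_acl(config: str, ifc: str) -> Optional[str]:
    """Name of the ACL applied inbound on interface ifc, if any."""
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m and m["ifc"] == ifc:
            return m["name"]
    return None


def acl_ports(config: str, acl_name: str, ifc: str) -> Set[int]:
    """TCP ports the ACL permits from any source to the ifc interface address."""
    ports: Set[int] = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m["name"] == acl_name and m["ifc"] == ifc:
            if m["eq"]:
                ports.add(int(m["eq"]))
            else:
                ports.update(range(int(m["lo"]), int(m["hi"]) + 1))
    return ports


def static_mappings(config: str, map_ifc: str) -> Dict[int, Tuple[str, int]]:
    """Mapped port on map_ifc -> (real host, real port) for every static PAT line."""
    out: Dict[int, Tuple[str, int]] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m["map_ifc"] == map_ifc:
            out[int(m["map_port"])] = (m["real_ip"], int(m["real_port"]))
    return out


def cross_check(config: str, ifc: str = "outside") -> Dict[str, object]:
    """Compare what the ACL permits with what the statics translate, and list
    mappings whose real port differs from the mapped port so the operator
    can confirm they are intentional."""
    acl = applied_acl(config, ifc)
    permitted = acl_ports(config, acl, ifc) if acl else set()
    statics = static_mappings(config, ifc)
    static_ports = set(statics)
    return {
        "acl": acl,
        "permitted_without_static": sorted(permitted - static_ports),
        "static_without_permit": sorted(static_ports - permitted),
        "port_rewrites": sorted((p, host, rp) for p, (host, rp) in statics.items() if p != rp),
    }


if __name__ == "__main__":
    for key, value in cross_check(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the listing above both difference lists come back empty (every permitted port has a translation and vice versa) and the only port rewrite reported is 30008 to 3008; whether that is intended or a typo for 30008 is a question for the owner of the DMZ host.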

route outside 0.0.0.0 0.0.0.0 202.98.131.126 1//default route via the next hop 202.98.131.126
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
------------Define a group policy named vpnclient-------------------------
group-policy vpnclient internal//create an internal group policy
group-policy vpnclient attributes//set the attributes of the vpnclient group policy
 wins-server value 192.168.1.10//WINS server address pushed to clients
 dns-server value 192.168.1.10 61.139.2.69//DNS server addresses pushed to clients
 vpn-idle-timeout none//no idle timeout for VPN sessions
 vpn-session-timeout none//no maximum session duration
 vpn-tunnel-protocol IPSec//only IPsec tunnels are allowed for this policy
 split-tunnel-policy tunnelspecified//tunnel only the networks listed in a split-tunnel ACL (no split-tunnel-network-list appears in this listing)
 default-domain value my3377.com//default domain name pushed to clients is my3377.com
------------Define a group policy named L2lvpn-------------------------
group-policy L2lvpn internal
group-policy L2lvpn attributes
 wins-server value 192.168.1.10
 dns-server value 192.168.1.10 61.139.2.69
 vpn-simultaneous-logins 3//a user may have at most three concurrent sessions
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
username Test password P4ttsyrm33sv8typ encrypted privilege 0
Create a remote-access user for the security appliance; privilege 0 is the lowest privilege level.
username my3377 password 3USUCOPFUIMCO4JK encrypted
http server enable//enable the HTTPS server used by ASDM
http 0.0.0.0 0.0.0.0 inside//allow ASDM (HTTPS) connections from any inside host
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
Default SNMP trap settings.
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
Define the transform set, the encryption and integrity algorithms the IPsec tunnel uses: DES encryption with HMAC-MD5 integrity.
crypto dynamic-map Vpn_dyn_map set transform-set esp-des-md5
Assign the transform set to a dynamic crypto map entry (the entry's sequence number is missing from this listing).
crypto map Outside_map ipsec-isakmp dynamic Vpn_dyn_map
Create a crypto map that uses the dynamic crypto map entry (the sequence number is missing from this listing).
crypto map Outside_map interface outside
Apply the Outside_map crypto map to the outside interface.
------------Configuring IKE--------------
crypto isakmp enable outside//enable ISAKMP (IKE) on the outside interface
crypto isakmp policy//policy priority (the number is missing from this listing); the lower the number, the higher the priority
 authentication pre-share//peers authenticate with a pre-shared key
 encryption des//encryption algorithm DES
 hash md5//hash algorithm MD5
 group 2//Diffie-Hellman group 2
 lifetime 86400//lifetime of the negotiated security association, in seconds
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
-------------Bind the group policies to tunnel groups-----------------
crypto isakmp nat-traversal 20//NAT traversal with a 20-second keepalive
tunnel-group DefaultL2LGroup general-attributes//general attributes of the default LAN-to-LAN tunnel group
 default-group-policy L2lvpn//group policy applied by default
tunnel-group DefaultL2LGroup ipsec-attributes//IPsec authentication settings for this tunnel group
 pre-shared-key *//pre-shared key for IKE (masked in the running configuration)
tunnel-group vpnclient type ipsec-ra//tunnel group of type remote access
tunnel-group vpnclient general-attributes//general attributes of the vpnclient tunnel group
 address-pool vpnclient//address pool used for clients
 default-group-policy vpnclient//group policy applied by default
-----Set the authentication method and pre-shared key-------------
tunnel-group vpnclient ipsec-attributes//IPsec authentication settings for this tunnel group
 pre-shared-key *//pre-shared key for IKE (masked in the running configuration)
telnet timeout 5//Telnet sessions time out after 5 idle minutes
ssh 0.0.0.0 0.0.0.0 outside//permit SSH to the firewall from any address arriving on the outside interface
ssh timeout//SSH idle timeout in minutes (the value is missing from this listing)
console timeout 0//console sessions never time out
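Two parts of this listing deserve a review pass before it is reused: the IKE policies and transform set (DES, MD5 and Diffie-Hellman group 2 are all below current guidance) and the management-access lines, where `ssh 0.0.0.0 0.0.0.0 outside` exposes the firewall's SSH service to every Internet address and `http 0.0.0.0 0.0.0.0 inside` opens ASDM to every inside host. The Python below is an added example, not part of the original notes: it parses the crypto stanzas and the ssh/telnet/http host statements from a sample constructed from the lines above and returns the findings a reviewer would raise. The first policy's sequence number (10) is an assumption, since the listing omits it.

```python
"""Audit the IKE policies, IPsec transform set and management-access
statements of an ASA listing.

Added example, not part of the original configuration notes. SAMPLE_CONFIG
is constructed from the crypto and management lines above; the first
policy's sequence number (10) is an assumption, since the listing omits it."""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
console timeout 0
http server enable
http 0.0.0.0 0.0.0.0 inside
"""

# IKE settings a reviewer flags, keyed by the ASA attribute and its value.
WEAK_IKE: Dict[str, Dict[str, str]] = {
    "encryption": {"des": "56-bit DES is deprecated",
                   "3des": "3DES is deprecated"},
    "hash": {"md5": "MD5 is deprecated for IKE integrity"},
    "group": {"1": "DH group 1 (768-bit) is too small",
              "2": "DH group 2 (1024-bit) is below current guidance"},
}
# Transform-set components with the same problem.
WEAK_TRANSFORMS = {"esp-des": "56-bit DES", "esp-3des": "3DES",
                   "esp-md5-hmac": "HMAC-MD5", "esp-null": "no encryption"}


def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Sequence number -> {attribute: value} for each 'crypto isakmp policy'
    stanza; attributes are the indented lines that follow the header."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("crypto isakmp policy "):
            current = int(line.split()[3])
            policies[current] = {}
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            policies[current][key] = value
        else:
            current = None  # any unindented line ends the stanza
    return policies


def audit_ike(config: str) -> List[str]:
    """Findings for weak IKE policy attributes and transform-set algorithms."""
    findings: List[str] = []
    for seq, attrs in sorted(parse_isakmp_policies(config).items()):
        for attr, weak_values in WEAK_IKE.items():
            value = attrs.get(attr)
            if value in weak_values:
                findings.append(f"isakmp policy {seq}: {attr} {value} ({weak_values[value]})")
    for line in config.splitlines():
        if line.startswith("crypto ipsec transform-set "):
            parts = line.split()
            name, algorithms = parts[3], parts[4:]
            for alg in algorithms:
                if alg in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {name}: {alg} ({WEAK_TRANSFORMS[alg]})")
    return findings


MGMT_RE = re.compile(
    r"^(?P<proto>ssh|telnet|http) (?P<addr>[\d.]+) (?P<mask>[\d.]+) (?P<ifc>\S+)$")


def audit_management(config: str, untrusted=("outside",)) -> List[str]:
    """Findings for ssh/telnet/http host statements and the console timeout.
    Access from an untrusted interface is always reported; on other
    interfaces only an any-source (0.0.0.0 0.0.0.0) statement is."""
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "console timeout 0":
            findings.append("console timeout 0: console sessions never time out")
            continue
        m = MGMT_RE.match(line)
        if not m:
            continue
        any_source = m["addr"] == "0.0.0.0" and m["mask"] == "0.0.0.0"
        where = f"{m['addr']} {m['mask']} on {m['ifc']}"
        if m["ifc"] in untrusted:
            findings.append(f"{m['proto']} management reachable from untrusted interface: {where}")
        elif any_source:
            findings.append(f"{m['proto']} management open to every host: {where}")
    return findings


if __name__ == "__main__":
    for finding in audit_ike(SAMPLE_CONFIG) + audit_management(SAMPLE_CONFIG):
        print(finding)
```

The remediation the findings point at is to limit the ssh and http statements to the specific management subnets that need them, and to move the IKE policies and transform set to current algorithms before the configuration is reused elsewhere.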

dhcp-client update dns server both
dhcpd dns 61.139.2.69 202.98.96.68//DNS servers handed out by DHCP
!
dhcpd address 192.168.1.10-192.168.1.254 inside//address pool offered on the inside network (it includes 192.168.1.10, the WINS/DNS server address used above)
dhcpd enable inside//start the DHCP service on inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:25e66339116f52e443124a23fef3d373
: end


This article is from the "Sky" blog, please be sure to keep this source http://haikuotiankong.blog.51cto.com/633188/1695335
