Cisco ASA Firewall Common configuration (ASA Version 8.2 (5))

Source: Internet
Author: User
Tags: ssh access


Note: the intranet (inside) interface is 192.168.3.253 and the external (outside) interface is 192.168.6.45; all commands below use these two addresses.


Join the VLAN in interface configuration mode:

switchport access vlan 2


Configure an IP address on the VLAN interface:

interface Vlan1
 nameif inside
 security-level 50
 ip address 192.168.3.253 255.255.255.0


Configure port mapping (static PAT):

access-list outside_access extended permit ip any any
(creates the access control list)

access-group outside_access in interface outside
(applies the list inbound on the outside interface)

static (inside,outside) tcp interface 3389 192.168.3.222 3389 netmask 255.255.255.255
(maps TCP port 3389 of the outside interface address to 192.168.3.222 port 3389)


Configure NAT:

global (outside) 1 interface

nat (inside) 1 192.168.3.0 255.255.255.0


Configure SSH access:

username xxx password xxxxxx privilege 15
(creates a local user; privilege requires a level from 0 to 15, where 15 is full administrative access)

aaa authentication enable console LOCAL
(enable mode is authenticated against the local user database)

aaa authentication ssh console LOCAL
(SSH logins are authenticated against the local user database)

ssh 192.168.3.0 255.255.255.0 inside
(only hosts in 192.168.3.0/24 arriving on the inside interface may open SSH sessions)

crypto key generate rsa
(generates the RSA key pair the SSH service needs)
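As an added example (not code from the post), here is a small Python audit over an ASA 8.2-style config excerpt that covers the outside access list from the port-mapping section and the SSH section just above. It flags an inbound `permit ip any any` on the outside interface (which exposes every static mapping to any source), an SSH rule open to any source on outside, a missing `aaa authentication ssh console`, and a missing `ssh version 2`. The two sample configs are constructed from the post's commands; the hardened variant assumes 203.0.113.0/24 as a management network and uses the `ssh version 2` command, which exists on ASA 8.2 but is not on the page.

```python
"""Audit of an ASA 8.2-style config excerpt for the two settings that are
most often left too open: the inbound ACL on the outside interface and the
SSH management configuration. Added example, not the post's code."""
import re

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
SSH_RE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
SSH_VER_RE = re.compile(r"^ssh version (\d)$")
SSH_AAA_RE = re.compile(r"^aaa authentication ssh console ")


def audit(config):
    """Return a list of finding strings (an empty list means nothing was flagged)."""
    acls, inbound, ssh_rules = {}, {}, []
    ssh_version, ssh_aaa = None, False
    for raw in config.splitlines():
        line = " ".join(raw.split()).lower()  # normalise spacing and case
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
        elif m := GROUP_RE.match(line):
            inbound[m.group(2)] = m.group(1)          # interface -> inbound ACL name
        elif m := SSH_RE.match(line):
            ssh_rules.append((m.group(1), m.group(2), m.group(3)))
        elif m := SSH_VER_RE.match(line):
            ssh_version = int(m.group(1))
        elif SSH_AAA_RE.match(line):
            ssh_aaa = True

    findings = []
    # 1. Inbound ACL on outside: 'permit ip any any' exposes every static mapping to everyone.
    name = inbound.get("outside")
    if name is None:
        findings.append("outside: no inbound access-group, so the implicit deny applies")
    for action, proto, rest in acls.get(name, []):
        if action == "permit" and proto == "ip" and rest.startswith("any any"):
            findings.append(f"outside: ACL {name} permits ip any any inbound; "
                            "limit it to the mapped ports and trusted sources")
    # 2. SSH management plane.
    if not ssh_rules:
        findings.append("ssh: no 'ssh <net> <mask> <ifc>' line, SSH cannot be reached")
    for src, mask, ifc in ssh_rules:
        if ifc == "outside" and (src, mask) == ("0.0.0.0", "0.0.0.0"):
            findings.append("ssh: management open to any source on outside")
    if not ssh_aaa:
        findings.append("ssh: no 'aaa authentication ssh console', logins are not tied to user accounts")
    if ssh_version != 2:
        findings.append("ssh: 'ssh version 2' not set, SSHv1 remains negotiable")
    return findings


# Constructed sample built from the post's commands (open outside ACL, no ssh version).
OPEN_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 50
 ip address 192.168.3.253 255.255.255.0
access-list outside_access extended permit ip any any
access-group outside_access in interface outside
static (inside,outside) tcp interface 3389 192.168.3.222 3389 netmask 255.255.255.255
username admin password secret privilege 15
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
ssh 192.168.3.0 255.255.255.0 inside
crypto key generate rsa
"""

# Constructed hardened variant: only the mapped port from an assumed management
# network (203.0.113.0/24, documentation range) and SSH pinned to version 2.
HARDENED_CONFIG = """\
access-list outside_access extended permit tcp 203.0.113.0 255.255.255.0 host 192.168.6.45 eq 3389
access-group outside_access in interface outside
aaa authentication ssh console LOCAL
ssh 192.168.3.0 255.255.255.0 inside
ssh version 2
"""

if __name__ == "__main__":
    for label, cfg in (("open", OPEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

The audit reads the running-config excerpt as the ASA prints it, so it can be pointed at `show running-config` output pasted into a file; each finding names the interface or command it concerns so that it can be mapped back to the line to change.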


Add static routes:

route outside 0.0.0.0 0.0.0.0 192.168.6.254 1

route inside 192.168.6.0 255.255.255.0 192.168.6.254 1


To resolve the NAT hairpin problem (inside hosts cannot reach an inside server through its public address):

The following solution was given on a forum:

You can use hairpinning plus static NAT. The principle is to allow traffic that enters on the inside interface to go back out directly from the inside interface instead of through another interface. The configuration is as follows (1.1.1.1 is the public IP, 192.168.1.10 is the internal server IP):

1. Enable hairpinning:
same-security-traffic permit intra-interface

2. Define the global address that intranet users use to reach the internal server via hairpinning:
global (inside) 1 interface

3. Address mapping: map the public-network port to the intranet port
static (inside,outside) tcp 1.1.1.1 www 192.168.1.10 www netmask 255.255.255.255

4. Define the address mapping for the return path of hairpinned traffic
static (inside,inside) tcp 1.1.1.1 www 192.168.1.10 www netmask 255.255.255.255

5. Define the ACL:
access-list 101 extended permit tcp any host 1.1.1.1 eq www

6. Apply the ACL to the outside interface:
access-group 101 in interface outside


My own configuration case: a Remote Desktop server on the intranet is mapped to the external network, and intranet terminals must also be able to reach it through the external IP.


Turn on NAT:

global (outside) 1 interface

nat (inside) 1 192.168.3.0 255.255.255.0

Do the port mapping:

static (inside,outside) tcp interface 3389 192.168.3.222 3389 netmask 255.255.255.255

Apply access control on the outside interface:

access-list outside_access extended permit ip any any

access-group outside_access in interface outside

The commands above let external users reach the internal terminal through the public IP, but intranet users still cannot (they can only use the intranet IP). The following three commands add the hairpin path for intranet users:

same-security-traffic permit intra-interface

global (inside) 1 interface

static (inside,inside) tcp 192.168.6.45 3389 192.168.3.222 3389 netmask 255.255.255.255
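To make the hairpin behaviour concrete, here is an added example (not code from the post) that models how the `static`, `global` and `same-security-traffic` lines from the port-mapping section and from this hairpin section combine for a new TCP connection. It is a simplified lookup, not the firewall's real implementation: the interface addresses 192.168.3.253 and 192.168.6.45 and the server 192.168.3.222 come from the post, the client addresses are constructed, and the behaviour without `global (inside)` (server replies bypassing the ASA) is the model's assumption about the untranslated case.

```python
"""Simplified model of ASA 8.2 static PAT and hairpin (intra-interface) lookup.
Added example, not the post's code. Interface addresses are from the post;
client addresses are constructed."""
import re
from dataclasses import dataclass

IFC_IP = {"inside": "192.168.3.253", "outside": "192.168.6.45"}  # from the post

# static (real_ifc,mapped_ifc) tcp <mapped_ip|interface> <mport> <real_ip> <rport> ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+)")


@dataclass
class Static:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


def parse(config):
    """Collect static translations, the interfaces that have a 'global' pool,
    and whether intra-interface (hairpin) traffic is permitted."""
    statics, global_ifcs, intra = [], set(), False
    for raw in config.splitlines():
        line = " ".join(raw.split()).lower()  # normalise spacing and case
        if m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mip, mport, rip, rport = m.groups()
            if mip == "interface":            # 'interface' = the mapped interface's own IP
                mip = IFC_IP[mapped_ifc]
            statics.append(Static(real_ifc, mapped_ifc, mip, int(mport), rip, int(rport)))
        elif line.startswith("global ("):
            global_ifcs.add(line[len("global ("):].split(")")[0])
        elif line == "same-security-traffic permit intra-interface":
            intra = True
    return statics, global_ifcs, intra


def lookup(config, ingress, src_ip, dst_ip, dst_port):
    """Describe what happens to a TCP SYN arriving on `ingress` for dst_ip:dst_port."""
    statics, global_ifcs, intra = parse(config)
    for s in statics:
        # Only statics whose mapped side is the ingress interface untranslate here.
        if s.mapped_ifc != ingress or (s.mapped_ip, s.mapped_port) != (dst_ip, dst_port):
            continue
        hairpin = s.real_ifc == ingress
        if hairpin and not intra:
            return {"result": "drop",
                    "reason": "hairpin requires same-security-traffic permit intra-interface"}
        new_src = src_ip
        if hairpin:
            # Source PAT to the inside interface address (global (inside) 1 interface)
            # makes the server answer the ASA, so the reply is untranslated on the way back.
            if s.real_ifc not in global_ifcs:
                return {"result": "asymmetric",
                        "reason": "no global (inside): the server would reply to the client "
                                  "directly, bypassing the ASA, and the client would reset"}
            new_src = IFC_IP[s.real_ifc]
        return {"result": "forward", "egress": s.real_ifc,
                "src": new_src, "dst": f"{s.real_ip}:{s.real_port}"}
    if dst_ip in IFC_IP.values():
        return {"result": "drop",
                "reason": f"{dst_ip} is an ASA interface address and no static on "
                          f"{ingress} maps {dst_ip}:{dst_port}"}
    return {"result": "route", "dst": f"{dst_ip}:{dst_port}"}


# Constructed configs built from the post's commands.
WITHOUT_HAIRPIN = """\
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.3.222 3389 netmask 255.255.255.255
"""
WITH_HAIRPIN = WITHOUT_HAIRPIN + """\
same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside) tcp 192.168.6.45 3389 192.168.3.222 3389 netmask 255.255.255.255
"""

if __name__ == "__main__":
    print("outside client:", lookup(WITHOUT_HAIRPIN, "outside", "198.51.100.7", "192.168.6.45", 3389))
    print("inside client, no hairpin:", lookup(WITHOUT_HAIRPIN, "inside", "192.168.3.10", "192.168.6.45", 3389))
    print("inside client, hairpin:", lookup(WITH_HAIRPIN, "inside", "192.168.3.10", "192.168.6.45", 3389))
```

Running the three lookups shows the point of the section: with only the `(inside,outside)` static, an inside client that sends to 192.168.6.45 finds no translation on the inside interface and the packet dies at the firewall's own address; the `(inside,inside)` static supplies the translation, `same-security-traffic` allows the packet to leave on the interface it arrived on, and `global (inside)` rewrites the source so the server's reply comes back through the ASA.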


About rate limiting:

access-list 1000 extended permit ip 192.168.3.0 255.255.255.0 any

access-list 1000 extended permit ip any 192.168.3.0 255.255.255.0

class-map 1000
 match access-list 1000

policy-map Xiansu
 class 1000
  police output 8000000 1600000 conform-action transmit exceed-action drop
  police input 8000000 1600000 conform-action transmit exceed-action drop

(normal rate 1 Mbps, burst 2 Mbps: traffic within the burst is forwarded, traffic beyond the burst is dropped)

service-policy Xiansu interface inside
(applies the policy to the inside interface)
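The two `police` lines are easier to reason about with a model of the policer, so here is an added example (not code from the post) of a single-rate, two-colour token bucket fed with constructed traffic. One caveat worth knowing when reading the numbers: on the ASA, `police` takes the conform rate in bits per second and the conform burst in bytes, so `8000000 1600000` is an 8 Mbit/s sustained rate with a 1.6 MB burst allowance. The bucket below is a standard model of that behaviour, not the firewall's actual implementation.

```python
"""Token-bucket model of the 'police' lines above. Added example, not the
post's code. conform-rate is in bits per second, conform-burst in bytes."""

CONFORM_RATE_BPS = 8_000_000      # from the post's police lines (bits per second)
CONFORM_BURST_BYTES = 1_600_000   # from the post's police lines (bytes)


def police(packets, conform_rate_bps=CONFORM_RATE_BPS, conform_burst_bytes=CONFORM_BURST_BYTES):
    """packets: list of (arrival_time_seconds, size_bytes) in time order.
    Returns one verdict per packet: 'transmit' (conform-action) or 'drop' (exceed-action)."""
    tokens = float(conform_burst_bytes)          # the bucket starts full
    refill_per_second = conform_rate_bps / 8.0   # the bucket is counted in bytes
    last_t = packets[0][0] if packets else 0.0
    verdicts = []
    for t, size in packets:
        # Refill for the time elapsed since the previous packet, capped at the burst size.
        tokens = min(conform_burst_bytes, tokens + (t - last_t) * refill_per_second)
        last_t = t
        if size <= tokens:
            tokens -= size
            verdicts.append("transmit")
        else:
            verdicts.append("drop")   # no borrowing: an exceeding packet is dropped whole
    return verdicts


def constant_stream(duration_s, bytes_per_s, pkt_bytes=1500):
    """Constructed traffic: evenly spaced packets at a constant byte rate."""
    count = int(duration_s * bytes_per_s / pkt_bytes)
    interval = pkt_bytes / bytes_per_s
    return [(i * interval, pkt_bytes) for i in range(count)]


def drop_ratio(verdicts):
    """Fraction of packets that hit the exceed-action."""
    return verdicts.count("drop") / len(verdicts) if verdicts else 0.0


if __name__ == "__main__":
    # 4 Mbit/s stays under the 8 Mbit/s conform rate: nothing is dropped.
    print("4 Mbit/s :", drop_ratio(police(constant_stream(5, 500_000))))
    # 16 Mbit/s: the 1.6 MB burst is used up after about 1.6 s, then every other packet drops.
    print("16 Mbit/s:", drop_ratio(police(constant_stream(5, 2_000_000))))
```

At twice the conform rate the drop ratio over five seconds comes out near 34 percent rather than 50 percent, because the full burst allowance is spent first; the same function can be fed a packet capture's timestamps and sizes to estimate how a proposed `police` setting would treat real traffic before it is applied.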






======================================

This article is from the "retrograde person" blog; reprinting is declined.
