Firewall Configuration Manual
1. Information to confirm before installing the firewall:
1) Where the firewall will be installed, and the configuration of the switch it uplinks to (confirm which VLAN the switch port facing the firewall belongs to; this determines the IP address used by the firewall's outside interface).
2) The firewall's inside-interface IP address is assigned by the operations department (ask the administrator of the second-level network). The inside-interface address becomes the default gateway of the second-level servers.
3) The policies to be added on the firewall, confirmed by second-level or third-level staff. A policy has the general form:
10.88.253.XX (third-level server address) ---- accesses ---- 192.168.1.XX (second-level server address) ---- TCP 1521 (protocol and port) (third-level to second-level policies are added)
192.168.1.XX (second-level server address) ---- accesses ---- 10.88.253.XX (third-level server address) ---- TCP 1521 (protocol and port) (second-level to third-level policies are normally not added)
The third-level server address, second-level server address, protocol and port are determined case by case.
4) The translated (NAT) address: the second-level server's address is translated into an address in the third-level network, on the same subnet as the firewall's outside interface.
Installation example:
1) The firewall connects to port g2/1 of the command-center aggregation switch (VLAN 2, 10.99.215.0/24); the firewall's outside-interface address is 10.99.215.240 (assigned by the administrator, or chosen by the installer and reported to the administrator).
2) The firewall's inside-interface address is 192.168.2.2 (set by the second-level side).
3) Policy to add: 10.88.253.60 accesses 192.168.2.1 ---- TCP 1521 (set by the person requesting the firewall; this is the port used in the ACL and the final configuration below).
4) NAT translation: 192.168.2.1 ---- 10.99.215.242 (set by the administrator or the installer).
2. Power on the firewall:
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Launching BootLoader...
Default configuration file contains 1 entry.
Searching / for images to boot.
Loading /asa724-k8.bin... Booting...
#################### (boot progress bar, shortened)
512MB RAM
Total SSMs found: 0
Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: c84c.7570.c1bb
88E6095 rev 2 Ethernet @ index 07 MAC: c84c.7570.c1ba
88E6095 rev 2 Ethernet @ index 06 MAC: c84c.7570.c1b9
88E6095 rev 2 Ethernet @ index 05 MAC: c84c.7570.c1b8
88E6095 rev 2 Ethernet @ index 04 MAC: c84c.7570.c1b7
88E6095 rev 2 Ethernet @ index 03 MAC: c84c.7570.c1b6
88E6095 rev 2 Ethernet @ index 02 MAC: c84c.7570.c1b5
88E6095 rev 2 Ethernet @ index 01 MAC: c84c.7570.c1b4
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: c84c.7570.c1bc
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Disabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
Cisco Adaptive Security Appliance Software Version 7.2(4)
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to [email protected].
******************************* Warning *******************************
Copyright (c) 1996-2008 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cryptochecksum (unchanged): a2d81b58 91233e1e c472925c 202e14e6
Type help or '?' for a list of available commands.
ciscoasa>
3. View the initial configuration with show run. On a factory-default unit the enable password is empty.
ciscoasa> en
Password: (press Enter)
ciscoasa# sh run (view the initial configuration)
: Saved
:
ASA Version 7.2(4)
hostname ciscoasa (firewall name)
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1 (VLAN of the inside interface; the VLAN assignment itself is not changed)
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 (initial inside-interface address, to be changed)
!
interface Vlan2 (VLAN of the outside interface)
nameif outside
security-level 0
ip address dhcp setroute (initial outside-interface configuration, to be changed)
!
interface Ethernet0/0
switchport access vlan 2 (e0/0 is the outside port; not changed)
!
interface Ethernet0/1 (by default e0/1 through e0/7 are inside ports; not changed)
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface (to be deleted)
nat (inside) 1 0.0.0.0 0.0.0.0 (to be deleted; together these two lines PAT every inside host to the outside interface address, which is not wanted here)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside (to be deleted)
dhcpd enable inside (to be deleted)
!
!
prompt hostname context
Cryptochecksum:a2d81b5891233e1ec472925c202e14e6
: end
4. Configure the firewall
1) First delete the four statements marked above and name the firewall
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# host FW-ZHZX-TEST-ASA5505-01 (firewall naming convention)
FW-ZHZX-TEST-ASA5505-01(config)# no dhcpd enable inside
FW-ZHZX-TEST-ASA5505-01(config)# no dhcpd address 192.168.1.2-192.168.1.129 in$ (when a command is longer than the terminal width the CLI scrolls it sideways and marks the edge with $; the command entered is still the full "no dhcpd address 192.168.1.2-192.168.1.129 inside")
FW-ZHZX-TEST-ASA5505-01(config)# no global (outside) 1 interface
FW-ZHZX-TEST-ASA5505-01(config)# no nat (inside) 1 0.0.0.0 0.0.0.0
FW-ZHZX-TEST-ASA5505-01(config)#
(these commands can be pasted into the console directly)
2) Change the firewall's outside- and inside-interface addresses
FW-ZHZX-TEST-ASA5505-01(config)# int vlan 1 (set the Vlan1 address)
FW-ZHZX-TEST-ASA5505-01(config-if)# no ip address 192.168.1.1 255.255.255.0 (remove the initial address)
FW-ZHZX-TEST-ASA5505-01(config-if)# ip address 192.168.2.2 255.255.255.0 (new IP address and subnet mask)
FW-ZHZX-TEST-ASA5505-01(config-if)# int vlan 2
FW-ZHZX-TEST-ASA5505-01(config-if)# no ip address dhcp setroute (remove the initial configuration)
FW-ZHZX-TEST-ASA5505-01(config-if)# ip add 10.99.215.240 255.255.255.0 (new IP address and subnet mask)
FW-ZHZX-TEST-ASA5505-01(config-if)# exit
FW-ZHZX-TEST-ASA5505-01(config)#
Use show run again to review the configuration (output omitted). Removing "dhcp setroute" also removes the default route the DHCP client had installed; step 5 adds a static one.
3) Configure NAT
Translate the second-level server address 192.168.2.1 into the third-level address 10.99.215.242
FW-ZHZX-TEST-ASA5505-01(config)# static (inside,outside) 10.99.215.242 192.168.2.1 netmask 255.255.255.255 (the translated address comes first and the real address second; mind the spaces. netmask 255.255.255.255 is the default for a single host and may be omitted; show run always displays it.)
FW-ZHZX-TEST-ASA5505-01(config)#
4) Configure the access control list
FW-ZHZX-TEST-ASA5505-01(config)# access-list out extended permit tcp host 10.88.253.60 host 10.99.215.242 eq 1521
Here access-list is the access control list command; out is the list name and can be changed; tcp is the protocol; a single host address must be preceded by host; the source (10.88.253.60) comes first and the destination (10.99.215.242) second, and the destination must be the translated address, not the real inside address (on this release an ACL applied inbound on outside is evaluated before the static translation, so an entry naming 192.168.2.1 never matches); 1521 is the port number (show run displays it as sqlnet).
FW-ZHZX-TEST-ASA5505-01(config)# access-list out extended permit icmp any any
Opens ICMP completely, for the ping test. This also lets every third-level host ping the translated addresses and the firewall itself; once the test is done, tighten it to the hosts that need it or to reply types only (for example access-list out extended permit icmp any any echo-reply).
FW-ZHZX-TEST-ASA5505-01(config)# access-group out in interface outside
The name given to access-group must be the name of the access-list; this applies the list to the outside interface in the inbound direction.
5) Configure the default route
FW-ZHZX-TEST-ASA5505-01(config)# route outside 0.0.0.0 0.0.0.0 10.99.215.1
Default route out of the outside interface, pointing at the gateway of the outside interface's subnet. If there are further subnets behind a router on the inside network, add the corresponding routes on the inside interface as well (route inside <network> <mask> <next-hop>).
6) Configure SSH and Telnet
Use SSH to log in from the outside network and Telnet from the inside network
FW-ZHZX-TEST-ASA5505-01(config)# ssh 0.0.0.0 0.0.0.0 outside
FW-ZHZX-TEST-ASA5505-01(config)# telnet 0.0.0.0 0.0.0.0 inside
0.0.0.0 0.0.0.0 permits SSH from every third-level address; restrict it to the management hosts (for example ssh 10.88.253.60 255.255.255.255 outside). Telnet sends the password in the clear, so keep it limited to inside, or drop it and use SSH there as well. Without "aaa authentication ssh console LOCAL", SSH logins use the fixed username pix and the password set by passwd in step 7, not the username created there.
7) Configure the username and passwords
FW-ZHZX-TEST-ASA5505-01(config)# username cisco password passw0rd
FW-ZHZX-TEST-ASA5505-01(config)# passwd passw0rd
FW-ZHZX-TEST-ASA5505-01(config)# enable password passw0rd
(passw0rd is a placeholder; use a strong per-device password and do not reuse one value for the login, enable and user passwords)
FW-ZHZX-TEST-ASA5505-01(config)# crypto key generate rsa modulus 1024 (generate the SSH host key; 1024 is the smallest size worth using, prefer modulus 2048)
INFO: The name for the keys will be:
Keypair generation process begin. Please wait...
FW-ZHZX-TEST-ASA5505-01(config)# wr (remember to save)
Building configuration...
Cryptochecksum: 2fa9b4ac af6f3830 db4cb104 41c0dc32
1784 bytes copied in 1.190 secs (1784 bytes/sec)
[OK]
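The seven steps above map mechanically onto the parameters gathered in section 1. The script below is an added example, not part of the manual: it renders the ASA 7.2 commands for steps 1 to 6 from those parameters and first checks the two rules that most often go wrong (the translated address must sit on the outside subnet, and every policy needs a static translation). It departs from the manual in three deliberate places: it permits only ICMP reply types instead of icmp any any, it limits SSH to listed management hosts (10.88.253.60 is assumed here as the management host) and adds aaa authentication ssh console LOCAL so the created username is what SSH uses, and it asks for a 2048-bit key. The Site and Policy classes and the check messages are this example's own design.

```python
"""Render ASA 5505 (7.2) CLI from the section 1 site parameters.
Added example; Site/Policy and the checks are this example's own design."""
import dataclasses
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    src: str      # third-level host that initiates (outside side)
    server: str   # second-level real server address (inside side)
    proto: str    # "tcp" or "udp"
    port: int


@dataclass
class Site:
    hostname: str
    outside_ip: str
    outside_mask: str
    outside_gw: str
    inside_ip: str
    inside_mask: str
    nat: dict                 # real inside address -> translated outside address
    policies: list
    mgmt_hosts: list = field(default_factory=list)   # allowed SSH sources
    acl: str = "out"


def check(site):
    """Return a list of problems (empty when the parameters are consistent)."""
    problems = []
    out_net = ipaddress.ip_network(f"{site.outside_ip}/{site.outside_mask}", strict=False)
    in_net = ipaddress.ip_network(f"{site.inside_ip}/{site.inside_mask}", strict=False)
    taken = {ipaddress.ip_address(site.outside_ip), ipaddress.ip_address(site.outside_gw)}
    if ipaddress.ip_address(site.outside_gw) not in out_net:
        problems.append(f"gateway {site.outside_gw} is not on {out_net}")
    for real, mapped in site.nat.items():
        m = ipaddress.ip_address(mapped)
        if m not in out_net or m in taken:
            problems.append(f"translated address {mapped} unusable on {out_net}")
        if ipaddress.ip_address(real) not in in_net:
            problems.append(f"real address {real} is not on {in_net}")
    for p in site.policies:
        if p.server not in site.nat:
            problems.append(f"no static translation for {p.server}")
    return problems


def render(site):
    problems = check(site)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        f"hostname {site.hostname}",
        # step 1: factory defaults that must go
        "no dhcpd enable inside",
        "no dhcpd address 192.168.1.2-192.168.1.129 inside",
        "no global (outside) 1 interface",
        "no nat (inside) 1 0.0.0.0 0.0.0.0",
        # step 2: interface addresses (a new ip address replaces the old one)
        "interface vlan 1",
        f" ip address {site.inside_ip} {site.inside_mask}",
        "interface vlan 2",
        " no ip address dhcp setroute",
        f" ip address {site.outside_ip} {site.outside_mask}",
        "exit",
    ]
    # step 3: one static per server; translated address first, real address second
    for real, mapped in site.nat.items():
        lines.append(f"static (inside,outside) {mapped} {real} netmask 255.255.255.255")
    # step 4: the ACE destination is the translated address, never the real one
    for p in site.policies:
        lines.append(f"access-list {site.acl} extended permit {p.proto} "
                     f"host {p.src} host {site.nat[p.server]} eq {p.port}")
    # only the ICMP the ping test needs, instead of icmp any any
    for t in ("echo-reply", "time-exceeded", "unreachable"):
        lines.append(f"access-list {site.acl} extended permit icmp any any {t}")
    lines.append(f"access-group {site.acl} in interface outside")
    # step 5: default route towards the outside subnet's gateway
    lines.append(f"route outside 0.0.0.0 0.0.0.0 {site.outside_gw} 1")
    # step 6: SSH from listed management hosts only, authenticated against local users
    for h in site.mgmt_hosts:
        lines.append(f"ssh {h} 255.255.255.255 outside")
    lines.append("aaa authentication ssh console LOCAL")
    lines.append("crypto key generate rsa modulus 2048")
    return lines


# The manual's installation example; the management host is an assumption.
EXAMPLE_SITE = Site("FW-ZHZX-TEST-ASA5505-01", "10.99.215.240", "255.255.255.0",
                    "10.99.215.1", "192.168.2.2", "255.255.255.0",
                    {"192.168.2.1": "10.99.215.242"},
                    [Policy("10.88.253.60", "192.168.2.1", "tcp", 1521)],
                    mgmt_hosts=["10.88.253.60"])
# Constructed mistake: translated address on the wrong subnet.
WRONG_SUBNET_SITE = dataclasses.replace(EXAMPLE_SITE, nat={"192.168.2.1": "10.99.216.242"})

if __name__ == "__main__":
    print("\n".join(render(EXAMPLE_SITE)))
    print("problems:", check(WRONG_SUBNET_SITE))
```

Paste the printed lines into configure terminal, then finish with the passwords and wr from step 7; the check runs before anything is rendered, so a wrong translated address is caught before it reaches the device.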
5. Install the firewall in its final location and test
Give a PC the address of a second-level server, connect it to an inside port of the firewall, and ping a third-level address from it; a successful ping means the basic configuration is correct. The ping confirms addressing, the default route and the ICMP entry only; test the actual policy separately by connecting from the third-level host 10.88.253.60 to 10.99.215.242 on TCP 1521 and watching the connection with show conn on the firewall.
Final configuration
FW-ZHZX-TEST-ASA5505-01(config)# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname FW-ZHZX-TEST-ASA5505-01 (firewall name)
enable password mrWn3gw5IdrzQmiH encrypted (enable and login passwords, stored in encrypted form)
passwd mrWn3gw5IdrzQmiH encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.99.215.240 255.255.255.0 (outside-interface configuration; the Vlan1 block above is the inside-interface configuration)
!
interface Ethernet0/0 (e0/0 is the outside port)
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7 (all remaining ports are inside ports)
!
ftp mode passive
access-list out extended permit icmp any any
access-list out extended permit tcp host 10.88.253.60 host 10.99.215.242 eq sqlnet
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 10.99.215.242 192.168.2.1 netmask 255.255.255.255
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 10.99.215.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside (left over from the factory default; ASDM/HTTPS access from the new 192.168.2.0/24 inside subnet will not work until this is changed to 192.168.2.0)
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
username cisco password yRcFCw7nvKbWOrIP encrypted
!
!
prompt hostname context
Cryptochecksum:2fa9b4acaf6f3830db4cb10441c0dc32
: end
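A final configuration like the one above is easy to accept as done while it still carries the open SSH and Telnet ranges, the icmp any any entry and the stale http subnet. The script below is an added example, not part of the manual: it parses a saved show run in the pre-8.3 syntax shown on this page and reports those loose ends, plus the one mistake the ACL step warns about (an inbound entry whose destination is a real inside address rather than a static translation; this check assumes, as the manual does, that everything reaching the outside interface is destined for a static mapping). The finding codes and the sample configuration are constructed here; the sample is the final configuration above with one deliberately wrong ACE added.

```python
"""Lint a saved ASA 7.2 'show run' for loose ends the walkthrough leaves.
Added example; the finding codes and SAMPLE_RUN are constructed here."""
import ipaddress
import re

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")


def _addr(tok, i):
    """Consume one ACE address spec at tok[i]; return (text, host_or_None, next_i)."""
    if tok[i] == "any":
        return "any", None, i + 1
    if tok[i] == "host":
        return tok[i + 1], tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", None, i + 2


def parse_run(text):
    cfg = {"ifaces": {}, "static": {}, "acl": {}, "group": {},
           "ssh": [], "telnet": [], "http": []}
    cur = None                      # interface block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        tok = line.split()
        if tok[0] == "interface":
            cur = {}
            continue
        if cur is not None and tok[0] in ("nameif", "security-level", "ip", "switchport", "shutdown"):
            if tok[0] == "nameif":
                cfg["ifaces"][tok[1]] = cur
            elif tok[:2] == ["ip", "address"] and tok[2] != "dhcp":
                cur["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            continue
        cur = None                  # any other command ends the interface block
        m = STATIC_RE.match(line)
        if m:
            cfg["static"][m.group(3)] = m.group(4)           # translated -> real
        elif tok[0] == "access-list" and len(tok) > 6 and tok[2] == "extended":
            src, _, i = _addr(tok, 5)
            dst, dst_host, i = _addr(tok, i)
            rest = tok[i:]
            cfg["acl"].setdefault(tok[1], []).append({
                "action": tok[3], "proto": tok[4], "src": src, "dst": dst,
                "dst_host": dst_host,
                "port": rest[1] if rest[:1] == ["eq"] else None,
                "icmp_type": rest[0] if tok[4] == "icmp" and rest else None,
            })
        elif tok[0] == "access-group":                        # access-group NAME in interface IF
            cfg["group"][(tok[4], tok[2])] = tok[1]
        elif tok[0] in ("ssh", "telnet", "http") and len(tok) == 4:
            cfg[tok[0]].append((ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False), tok[3]))
    return cfg


def audit(cfg):
    findings = []
    for (iface, direction), name in cfg["group"].items():
        for ace in cfg["acl"].get(name, []):
            if ace["action"] != "permit":
                continue
            if ace["proto"] == "icmp" and ace["src"] == ace["dst"] == "any" and not ace["icmp_type"]:
                findings.append(("ICMP_ANY_ANY", f"{name} on {iface} {direction}"))
            # Inbound on outside the destination must be a translated address;
            # an ACE naming the real inside address never matches (section 4, step 4).
            if (iface, direction) == ("outside", "in") and ace["dst_host"] \
                    and ace["dst_host"] not in cfg["static"]:
                findings.append(("DST_NOT_TRANSLATED", ace["dst_host"]))
    for net, iface in cfg["ssh"]:
        if net.prefixlen == 0:
            findings.append(("SSH_FROM_ANY", iface))
    for net, iface in cfg["telnet"]:
        findings.append(("TELNET_ENABLED", f"{net} via {iface}"))
    for net, iface in cfg["http"]:
        inet = cfg["ifaces"].get(iface, {}).get("net")
        if inet is not None and not net.overlaps(inet):
            findings.append(("HTTP_SUBNET_STALE", f"{net} vs {iface} {inet}"))
    return findings


# Constructed from the final configuration above, plus one deliberately wrong ACE.
SAMPLE_RUN = """\
: Saved
ASA Version 7.2(4)
hostname FW-ZHZX-TEST-ASA5505-01
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.99.215.240 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
access-list out extended permit icmp any any
access-list out extended permit tcp host 10.88.253.60 host 10.99.215.242 eq sqlnet
access-list out extended permit tcp host 10.88.253.60 host 192.168.2.1 eq 1521
static (inside,outside) 10.99.215.242 192.168.2.1 netmask 255.255.255.255
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 10.99.215.1 1
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

if __name__ == "__main__":
    for code, detail in audit(parse_run(SAMPLE_RUN)):
        print(code, detail)
```

Run it against the output of show run captured over the console after step 7; every finding corresponds to one of the caveats in section 4, and the DST_NOT_TRANSLATED case is the one that silently leaves the policy non-functional rather than merely too open.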