1.基本配置及配置内外网接口
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
conf t
hostname ASAFW #设置主机名
enable secret pass123 #设置特权密码
clock timezone GMT 8 #设置时区
dns domain-lookup inside
dns server-group DefaultDNS
name-server 114.114.114.114
name-server 223.5.5.5
name-server 223.6.6.6
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 118.25.235.100 255.255.255.0
#我的外网IP是118.25.235.100
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
#我的内网网段是192.168.2.0/24
2.配置外网路由
1
2
route outside 0.0.0.0 0.0.0.0 118.25.235.1 1
# route outside 0.0.0.0 0.0.0.0 外网网关 1
3.配置内网NAT上网配置
1
2
3
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
4.配置DHCP服务器
1
2
3
4
5
dhcpd lease 14400
dhcpd address 192.168.2.2-192.168.2.254 inside
#设置DHCP的IP地址池
dhcpd dns 114.114.114.114 223.5.5.5 interface inside
dhcpd enable inside
5.配置端口映射(因为我外网只有一个IP因此,设置的时候就是interface,一定要先设置外网IP再来设置端口映射)
1
2
3
4
5
6
7
static (inside,outside) tcp interface 80 192.168.2.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.2.242 tcp netmask 255.255.255.255
如果存在多个外网IP,如何设置端口映射呢?
static (inside,outside) tcp 118.25.235.101 80 192.168.2.2 80 netmask 255.255.255.255
static (inside,outside) tcp 118.25.235.101 443 192.168.2.242 tcp netmask 255.255.255.255
直接将IP写上,注意如果只有一个IP,只能写interface
6.ACL及内外网策略
1
2
3
4
5
6
access-list outside extended permit ip any any
access-list outside extended deny icmp any any
access-list inside extended permit icmp any any
access-list inside extended permit ip any any
access-group outside in interface outside
access-group inside in interface inside
7.配置ssh登录
1
2
3
4
5
6
crypto key generate rsa modulus 1024
aaa authentication ssh console LOCAL
username user1 password xxxx //配置ssh用户名密码
ssh version 1
ssh 0.0.0.0 0.0.0.0 inside //配置SSH内网可以登录及访问
#ssh 0.0.0.0 0.0.0.0 outside //配置SSH外网可登录,一般我不打开外网登录,因为只能使用ssh version 1
8.设置ASA系统时间及SNMP
1
2
3
clock set 13:14:00 2 feb 2012
snmp-server host inside 192.168.2.2 community public version 2c
snmp-server enable traps
9.IP限时限速
定义在上班时间段(09:00-18:00)内IP进行限速
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#设置时段
time-range rate_limit
periodic daily 9:00 to 18:00
#设置IP,需要设置上传或下载速度
access-list rate_limit20 extended permit ip host 192.168.2.20 any time-range rate_limit
access-list rate_limit20 extended permit ip any host 192.168.2.20 time-range rate_limit
#限速
class-map map20
match access-list rate_limit20
policy-map rate_limit
class map20
police input 10240000 5120 #最多1M的下载速度
police output 10240000 5120 #最多1M的上传速度
service-policy rate_limit interface inside
如果需要定义一段IP呢,比如我要定义从192.168.2.20-192.168.2.199这个ip段内IP的速度怎么处理呢,因为一个policy-map里最多含64个class map,那怎么处理呢
注意一下这种策略是IP段所有IP速度之和不大于1M,这样限速没有意义:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ 以下限速的是整个IP段的速度之和进行限制
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
time-range rate_limit
periodic daily 09:00 to 18:00
object-group network rate_limit
network-object 192.168.2.0 255.255.255.0
access-list rate_limit extended permit ip object-group rate_limit any time-range rate_limit
access-list rate_limit extended permit ip any object-group rate_limit time-range rate_limit
class-map map1
match access-list rate_limit
policy-map map2
class map1
police input 10240000 5120
police output 10240000 5120
service-policy map2 interface inside
如何配置呢,找一个折中点:我们把每10个IP作为一组,这样即便是能下载但是也只影响10个人的网速
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
object-group network rate_limit20
network-object 192.168.2.20 255.255.255.255
network-object 192.168.2.21 255.255.255.255
network-object 192.168.2.22 255.255.255.255
network-object 192.168.2.23 255.255.255.255
network-object 192.168.2.24 255.255.255.255
network-object 192.168.2.25 255.255.255.255
network-object 192.168.2.26 255.255.255.255
network-object 192.168.2.27 255.255.255.255
network-object 192.168.2.28 255.255.255.255
network-object 192.168.2.29 255.255.255.255
object-group network rate_limit30
network-object 192.168.2.30 255.255.255.255
network-object 192.168.2.31 255.255.255.255
network-object 192.168.2.32 255.255.255.255
network-object 192.168.2.33 255.255.255.255
network-object 192.168.2.34 255.255.255.255
network-object 192.168.2.35 255.255.255.255
network-object 192.168.2.36 255.255.255.255
network-object 192.168.2.37 255.255.255.255
network-object 192.168.2.38 255.255.255.255
network-object 192.168.2.39 255.255.255.255
object-group network rate_limit40
network-object 192.168.2.40 255.255.255.255
network-object 192.168.2.41 255.255.255.255
network-object 192.168.2.42 255.255.255.255
network-object 192.168.2.43 255.255.255.255
network-object 192.168.2.44 255.255.255.255
network-object 192.168.2.45 255.255.255.255
network-object 192.168.2.46 255.255.255.255
network-object 192.168.2.47 255.255.255.255
network-object 192.168.2.48 255.255.255.255
network-object 192.168.2.49 255.255.255.255
access-list rate_limit20 extended permit ip object-group rate_limit20 any time-range rate_limit
access-list rate_limit20 extended permit ip any object-group rate_limit20 time-range rate_limit
access-list rate_limit30 extended permit ip object-group rate_limit30 any time-range rate_limit
access-list rate_limit30 extended permit ip any object-group rate_limit30 time-range rate_limit
access-list rate_limit40 extended permit ip object-group rate_limit40 any time-range rate_limit
access-list rate_limit40 extended permit ip any object-group rate_limit40 time-range rate_limit
class-map map20
match access-list rate_limit20
class-map map30
match access-list rate_limit30
class-map map40
match access-list rate_limit40
policy-map rate_limit
class map20
police input 10240000 5120
police output 10240000 5120
class map30
police input 10240000 5120
police output 10240000 5120
class map40
police input 10240000 5120
police output 10240000 5120
service-policy rate_limit interface inside
9.开启ASDM图形化管理
1
2
3
4
5
webvpn
username admin password admin
http server enable 或者http server enable 8080(端口号)
http 0.0.0.0 0.0.0.0 inside
asdm image disk0:/asdm-722.bin
10.如何保存配置
1
copy running-config startup-config
11.备份配置及操作系统
1
2
3
4
5
6
7
8
9
10
11
show flash
--#-- --length-- -----date/time------ path
3 4096 Aug 16 2017 12:25:12 log
8 4096 Aug 16 2017 12:25:24 crypto_archive
9 4096 Aug 16 2017 12:25:26 coredumpinfo
10 43 Aug 16 2017 12:25:26 coredumpinfo/coredump.cfg
78 15261696 Aug 16 2017 12:36:40 asa824-k8.bin
79 24047892 Aug 16 2017 12:39:12 asdm-722.bin
copy asa824-k8.bin t
copy asdm-722.bin t
copy running-config tftp://192.168.2.3
运维网声明
1、欢迎大家加入本站运维交流群:群②:261659950 群⑤:202807635 群⑦870801961 群⑧679858003
2、本站所有主题由该帖子作者发表,该帖子作者与运维网 享有帖子相关版权
3、所有作品的著作权均归原作者享有,请您和我们一样尊重他人的著作权等合法权益。如果您对作品感到满意,请购买正版
4、禁止制作、复制、发布和传播具有反动、淫秽、色情、暴力、凶杀等内容的信息,一经发现立即删除。若您因此触犯法律,一切后果自负,我们对此不承担任何责任
5、所有资源均系网友上传或者通过网络收集,我们仅提供一个展示、介绍、观摩学习的平台,我们不对其内容的准确性、可靠性、正当性、安全性、合法性等负责,亦不承担任何法律责任
6、所有作品仅供您个人学习、研究或欣赏,不得用于商业或者其他用途,否则,一切后果均由您自己承担,我们对此不承担任何法律责任
7、如涉及侵犯版权等问题,请您及时通知我们,我们将立即采取措施予以解决
8、联系人Email:admin@iyunv.com 网址:www.yunweiku.com