A firewall (Fire Wall) is a network security system that sits between an internal network and an external network. Firewalls come in two broad kinds: software firewalls and hardware firewalls.
Hardware firewalls are further divided into PC-architecture-based and ASIC-chip-based designs.
Today let's talk about Cisco's hardware firewall, the Cisco ASA.
The Cisco ASA firewall product line is fairly broad: Cisco ASA5505, Cisco ASA5510, Cisco ASA5520, Cisco ASA5540, Cisco ASA5550, and so on.
The basic ASA configuration steps are as follows:
Configure the hostname and domain name
hostname [hostname]
domain-name [domain-name]
hostname Cisco-ASA5520
domain-name
Configure the login password and the enable (privileged mode) password
password [password]
enable password [password]
Configure interfaces and routing
interface interface_name
nameif [name]
name is one of three interface types: inside, outside, dmz
security-level xx (a numeric value)
The higher the value, the higher the interface's security level
Note: by default inside is 100, outside is 0, and dmz sits somewhere between the two
Static routing
route interface_number network mask next-hop-address
route outside
Configure remote management access
Telnet
telnet {network | ip-address } mask interface_name
telnet inside
telnet outside
SSH
crypto key generate rsa modulus {1024| 2048 }
Specifies the RSA modulus; Cisco recommends 1024
ssh timeout minutes
ssh version version_number
crypto key generate rsa modulus 1024
ssh timeout 30
ssh version 2
Configure ASDM (Adaptive Security Device Manager) access
http server enable port    enables the HTTP server
http {network | ip_address } mask interface_name
asdm image disk0:/asdm_file_name    specifies the location of the ASDM image file
username user password password privilege 15
NAT
nat-control
nat (interface_name) nat_id local_ip mask
global (interface_name) nat_id {global-ip [global-ip] | interface}
nat-control
nat (inside) 1
global (outside) 1 interface
global (dmz) 1
ACL
access-list list-name standard permit | deny ip mask
access-list list-name extended permit | deny protocol source-ip mask destination-ip mask port
access-group list-name in | out interface interface_name
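To make the ACL semantics above concrete, here is an added example (not from the original post) that parses extended access-list lines in the form shown and evaluates a packet against them the way the ASA does: top-down, first match wins, and an implicit deny at the end. The ACL name, addresses and ports are constructed for illustration; `host` and `any` are the ASA's own address keywords.

```python
"""Added example: first-match evaluation of a Cisco ASA extended access-list.
The ACL below is constructed for illustration and is not from the original post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None means any destination port


def _addr(tok: List[str], idx: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address operand: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tok[idx] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), idx + 1
    if tok[idx] == "host":
        return ipaddress.IPv4Network(tok[idx + 1] + "/32"), idx + 2
    # The ASA writes a dotted subnet mask, not a prefix length; ipaddress accepts both.
    return ipaddress.IPv4Network(f"{tok[idx]}/{tok[idx + 1]}"), idx + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = tok[3], tok[4]
    src, idx = _addr(tok, 5)
    dst, idx = _addr(tok, idx)
    dport = None
    if idx + 1 < len(tok) and tok[idx] == "eq":
        dport = int(tok[idx + 1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> str:
    """Return the action of the first matching ACE; every ASA ACL ends in an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.protocol not in ("ip", proto):      # 'ip' matches every protocol
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"                                   # implicit deny at the end of the list


# Constructed sample: publish HTTP on a DMZ web server to everyone, allow SSH to it only
# from a management network, and state the implicit deny explicitly so hits are logged.
SAMPLE_ACL = [parse_ace(l) for l in [
    "access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80",
    "access-list OUTSIDE_IN extended permit tcp 203.0.113.0 255.255.255.0 host 192.0.2.10 eq 22",
    "access-list OUTSIDE_IN extended deny ip any any",
]]

if __name__ == "__main__":
    for pkt in [("tcp", "198.51.100.7", "192.0.2.10", 80),
                ("tcp", "198.51.100.7", "192.0.2.10", 22),
                ("tcp", "203.0.113.5", "192.0.2.10", 22),
                ("udp", "198.51.100.7", "192.0.2.10", 53)]:
        print(pkt, "->", evaluate(SAMPLE_ACL, *pkt))
```

Because order matters, a `permit ip any any` placed above the specific entries would shadow them; checking a candidate ACL with a small evaluator like this before applying it with `access-group` is a cheap way to catch that.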
If an internal server needs to be published to the public network
static (real-interface,mapped-interface) mapped-ip real-ip
static (dmz,outside)
Save the configuration
write memory
Clear the configuration
clear configure (all)
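The steps above are one procedure, so here is an added example (not from the original post) that assembles them into a single constructed basic configuration and runs a small linter over it for the management-plane points a reviewer checks first: Telnet reachable on the outside interface or from any host, SSH version other than 2, an RSA modulus below 2048 (the post quotes 1024; current Cisco ASA guidance is 2048), ASDM/SSH exposed on outside, a missing privilege-15 user for ASDM, security levels that are not inside > dmz > outside, and an access-list that is never applied with `access-group`. Hostnames, addresses, passwords and the ASDM image name are made up.

```python
"""Added example: a constructed ASA basic config plus a linter for its management plane.
Nothing here is from the original post or from Cisco; all values are invented."""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
hostname Cisco-ASA5520
domain-name example.internal
enable password S3cureEnable!
username admin password S3cureAdmin! privilege 15
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
telnet 10.0.0.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
crypto key generate rsa modulus 1024
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 30
ssh version 1
http server enable
http 10.0.0.0 255.255.255.0 inside
asdm image disk0:/asdm-example.bin
nat-control
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
static (dmz,outside) 203.0.113.10 192.168.100.10
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE_IN in interface outside
"""

# The same config with the three weak management settings corrected.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("telnet 0.0.0.0 0.0.0.0 outside\n", "")
                   .replace("ssh version 1", "ssh version 2")
                   .replace("modulus 1024", "modulus 2048"))


def lint_asa_config(config: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    levels: Dict[str, int] = {}
    current = None
    acls, applied = set(), set()

    for l in lines:
        m = re.match(r"telnet (\S+) (\S+) (\S+)$", l)
        if m:
            net, mask, ifc = m.groups()
            if ifc == "outside":
                findings.append(f"telnet permitted on outside ({net} {mask}): cleartext management from the untrusted side")
            elif mask == "0.0.0.0":
                findings.append(f"telnet permitted from any host on {ifc}: restrict it to the management subnet")
        m = re.match(r"(ssh|http) (\S+) (\S+) outside$", l)
        if m:
            findings.append(f"{m.group(1)} management access exposed on outside")
        m = re.match(r"ssh version (\d)$", l)
        if m and m.group(1) != "2":
            findings.append("ssh version is not 2: SSHv1 is obsolete")
        m = re.match(r"crypto key generate rsa modulus (\d+)$", l)
        if m and int(m.group(1)) < 2048:
            findings.append(f"rsa modulus {m.group(1)} is below 2048")
        # Track interface blocks so security levels can be compared by nameif.
        if l.startswith("interface "):
            current = None
        m = re.match(r"nameif (\S+)$", l)
        if m:
            current = m.group(1)
        m = re.match(r"security-level (\d+)$", l)
        if m and current:
            levels[current] = int(m.group(1))
        m = re.match(r"access-list (\S+) ", l)
        if m:
            acls.add(m.group(1))
        m = re.match(r"access-group (\S+) ", l)
        if m:
            applied.add(m.group(1))

    if not any(re.match(r"username \S+ password \S+ privilege 15$", l) for l in lines):
        findings.append("no privilege-15 username: ASDM access has no administrative login")
    if {"inside", "outside", "dmz"} <= set(levels):
        if not levels["inside"] > levels["dmz"] > levels["outside"]:
            findings.append(f"security levels out of order: {levels}")
    for name in sorted(acls - applied):
        findings.append(f"access-list {name} is defined but never applied with access-group")
    return findings


if __name__ == "__main__":
    for f in lint_asa_config(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("hardened findings:", lint_asa_config(HARDENED_CONFIG))
```

Run against `SAMPLE_CONFIG` the linter reports the Telnet-on-outside line, SSH version 1 and the 1024-bit modulus; `HARDENED_CONFIG` comes back clean. The check is deliberately line-oriented so it can be pointed at the output of `show running-config` saved to a file.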