clear configure all
write erase
enable password WSBoxasa1@
=================SSH================================
Step 1: generate a key
ciscoasa (config)# crypto key generate rsa
Step 2: allow SSH logins on the outside interface
ciscoasa (config)# ssh 0.0.0.0 0.0.0.0 outside
Step 3: login password
By default the username is pix and the password is the one set with passwd; it can be changed with ciscoasa (config)# passwd ***
Step 4 (optional): enable local AAA for SSH
ciscoasa (config)# aaa authentication enable console LOCAL //Note: type LOCAL in uppercase by hand; typing a lowercase "l" and pressing Tab produces an error.
ciscoasa (config)# aaa authentication ssh console LOCAL
Create a local account
ciscoasa (config)#username wswonder password wswonder
interface GigabitEthernet0/0
duplex full
nameif outside
security-level 0
ip address 192.168.10.174 255.255.255.0
!
interface GigabitEthernet0/1
duplex full
nameif inside
security-level 100
ip address 192.168.8.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
//Access control lists
access-list 1 extended permit ip 192.168.8.0 255.255.255.0 any
access-list 1 extended permit ip 10.100.10.0 255.255.255.0 any
access-list outside_permit extended permit tcp 10.0.0.0 255.0.0.0 interface outside eq 22
access-list outside_permit extended permit tcp 172.0.0.0 255.0.0.0 interface outside eq 22
access-list outside_permit extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.237 eq 80
access-list outside_permit extended permit tcp 172.0.0.0 255.0.0.0 host 192.168.10.237 eq 80
access-list outside_permit extended permit tcp any interface outside eq 80
access-list outside_permit extended deny ip any any
# access-list outside_permit extended permit tcp any interface outside range 30000 30010 //Allows any external user to reach ports 30000-30010 on the outside interface.
nat (inside) 1 access-list 1
global (outside) 1 192.168.10.237
static (inside,outside) tcp 192.168.10.237 www 192.168.8.11 www netmask 255.255.255.255
static (inside,outside) tcp 192.168.10.237 ssh 192.168.8.201 ssh netmask 255.255.255.255
access-group outside_permit in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
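As an added illustration (not part of the original notes), the following Python script models first-match evaluation of the outside_permit ACL above, using the corrected ACE syntax and the outside interface address 192.168.10.174 from the config; the sample packets are constructed here to show which inbound connections reach the interface or the forwarded host and which fall through to the final deny.

```python
import ipaddress

# Interface addresses from the page's config; "interface outside" in an ACE matches this address.
INTERFACES = {"outside": "192.168.10.174"}

def parse_ace(line):
    """Parse one extended ACE (the forms used in outside_permit: any, host A,
    A MASK, interface NAME, with an optional 'eq PORT' after either address)."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] == "extended"
    ace = {"name": tok[1], "action": tok[3], "proto": tok[4]}
    i = 5
    for side in ("src", "dst"):
        if tok[i] == "any":
            net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        elif tok[i] == "host":
            net, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        elif tok[i] == "interface":
            net, i = ipaddress.ip_network(INTERFACES[tok[i + 1]] + "/32"), i + 2
        else:  # address followed by a netmask
            net, i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = int(tok[i + 1]), i + 2
        ace[side] = (net, port)
    return ace

# The outside_permit ACL from the page, with the syntax corrected.
OUTSIDE_PERMIT = [parse_ace(l) for l in """
access-list outside_permit extended permit tcp 10.0.0.0 255.0.0.0 interface outside eq 22
access-list outside_permit extended permit tcp 172.0.0.0 255.0.0.0 interface outside eq 22
access-list outside_permit extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.10.237 eq 80
access-list outside_permit extended permit tcp 172.0.0.0 255.0.0.0 host 192.168.10.237 eq 80
access-list outside_permit extended permit tcp any interface outside eq 80
access-list outside_permit extended deny ip any any
""".strip().splitlines()]

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins; no match falls to the ACL's implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        snet, _ = ace["src"]
        dnet, dp = ace["dst"]
        if ipaddress.ip_address(src) not in snet or ipaddress.ip_address(dst) not in dnet:
            continue
        if dp is not None and dp != dport:
            continue
        return ace["action"]
    return "deny"

if __name__ == "__main__":
    # Constructed sample connections arriving on the outside interface.
    for pkt in [("tcp", "10.1.2.3", "192.168.10.174", 22), ("tcp", "192.168.50.5", "192.168.10.174", 22),
                ("tcp", "8.8.8.8", "192.168.10.174", 80), ("udp", "10.1.1.1", "192.168.10.174", 53)]:
        print(pkt, "->", evaluate(OUTSIDE_PERMIT, *pkt))
```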