ASA
mode multiple ---verify with show mode
firewall transparent ---verify with show firewall
hostname ASA ---name the firewall
interface Ethernet0/0 ---no shutdown on all four interfaces
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
admin-context admin ---define the admin context; the other contexts can be named c1 and c2, or admin alone can be used
context admin
allocate-interface Ethernet0/0 inside ---if "inside" is given here, the context sees the interface as inside rather than Ethernet0/0
allocate-interface Ethernet0/2 outside
config-url disk0:/admin.cfg ---where the context configuration is stored
!
context c1
allocate-interface Ethernet0/1 inside
allocate-interface Ethernet0/3 outside
config-url disk0:/c1.cfg
!
Switch into a context:
changeto context admin
changeto context c1
Switch back to the system execution space:
changeto system
__________________________________________________________________________
hostname admin
interface inside
nameif inside ---name the interface, then set its security level
security-level 100 ---inside defaults to 100, the highest; every other interface defaults to 0
!
interface outside
nameif outside
security-level 0
ip address 10.1.1.100 255.255.255.0 ---each context must have a management IP address in the same subnet as the networks on both sides of the firewall (required)
access-list out extended permit icmp any any ---permit ICMP, used for testing
access-group out in interface outside ---apply the access list
_____________________________________________________________________________
hostname c1
interface inside
nameif inside ---name the interface, then set its security level
security-level 100 ---inside defaults to 100, the highest; every other interface defaults to 0
!
interface outside
nameif outside
security-level 0
ip address 10.1.2.100 255.255.255.0 ---each context must be given an address (required). In testing, an arbitrary address also passed traffic
access-list out extended permit icmp any any ---permit ICMP, used for testing
access-group out in interface outside ---apply the access list
____________________________________________________________________________
In multiple mode the ASA classifies packets, i.e. it decides which context an incoming packet belongs to. The ASA defines three classification criteria, applied in priority order:
- unique interface
- unique MAC address (for shared interfaces, i.e. when the first criterion does not apply; the MAC can be assigned with mac-address auto or set manually, and mac-address auto is the usual choice)
- NAT configuration
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html#wp1201980
Cisco's diagram of the classification order
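The three classification criteria above, as an added simulation (not code from the original post or from Cisco): contexts admin and c1 are modelled as allocated on this page, plus a hypothetical c2 that shares Ethernet0/2 with admin; the per-context MAC addresses and the NAT-mapped address are constructed values, not what mac-address auto would actually generate.

```python
from dataclasses import dataclass, field


@dataclass
class Context:
    """One security context: physical interface -> (nameif, MAC), plus NAT-mapped addresses."""
    name: str
    ifaces: dict
    nat_addrs: set = field(default_factory=set)


# Constructed sample: admin and c1 as allocated on the page, plus a hypothetical
# c2 sharing Ethernet0/2 with admin. MACs and the NAT address are made up.
CONTEXTS = [
    Context("admin", {"Ethernet0/0": ("inside", "a2:00:00:00:00:01"),
                      "Ethernet0/2": ("outside", "a2:00:00:00:00:02")}),
    Context("c1", {"Ethernet0/1": ("inside", "a2:00:00:00:00:03"),
                   "Ethernet0/3": ("outside", "a2:00:00:00:00:04")}),
    Context("c2", {"Ethernet0/2": ("outside", "a2:00:00:00:00:05")},
            nat_addrs={"203.0.113.20"}),
]


def classify_frame(ingress, dst_mac, dst_ip, contexts=CONTEXTS):
    """Return the name of the context that receives a frame, or None."""
    # 1. unique interface: the ingress interface is allocated to one context only
    owners = [c for c in contexts if ingress in c.ifaces]
    if len(owners) == 1:
        return owners[0].name
    if not owners:
        return None  # interface allocated to no context: nothing can receive it
    # 2. unique MAC: on a shared interface, match the destination MAC against
    #    each owning context's interface MAC (mac-address auto or a manual MAC)
    by_mac = [c for c in owners if c.ifaces[ingress][1].lower() == dst_mac.lower()]
    if len(by_mac) == 1:
        return by_mac[0].name
    # 3. NAT configuration: last resort (e.g. a broadcast MAC matches no context),
    #    match the destination IP against the addresses each context translates
    by_nat = [c for c in owners if dst_ip in c.nat_addrs]
    if len(by_nat) == 1:
        return by_nat[0].name
    return None  # ambiguous: no criterion selects exactly one context
```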
Reposted from: https://blog.51cto.com/zhangqc/599976