The company has just bought a Cisco ASA 5520. I have only ever worked with Juniper firewalls and have never touched a Cisco one, so I am starting by building a test environment and will work through the other features bit by bit.

Test environment description:

Three interfaces are enabled on the ASA 5520: E0/0, E0/1 and E0/2 (the real unit has gigabit ports; the emulator can only simulate 100 Mbit ports). The interface configuration is as follows:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

OUTSIDE router configuration:

interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.1

DMZ router configuration:

interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.1.1

INSIDE PC configuration:

IP: 192.168.1.2
GW: 192.168.1.1

ASA configuration:

Clear the entire configuration:

myfiewall(config)# clear config all
ciscoasa(config)#

Set the address and security level of each interface:

ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip addr 10.1.1.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# description OUTSIDE
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# ip addr 172.16.1.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ciscoasa(config-if)# sec
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# desc
ciscoasa(config-if)# description DMZ
ciscoasa(config-if)# interface ethernet 0/2
ciscoasa(config-if)# ip addr 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# description INSIDE
ciscoasa(config)# hostname MyFirewall
MyFirewall(config)#

Enable ASDM management from the inside interface:

MyFirewall(config)# username cisco password cisco privilege 15
MyFirewall(config)# aaa authentication http console LOCAL
MyFirewall(config)# http server enable
MyFirewall(config)# http 0.0.0.0 0.0.0.0 inside
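As an added review aid (not part of this write-up and not Cisco tooling), the script below parses the ASA interface blocks from the running config, checks that no two interfaces share a security level, and flags an `http` management line whose mask is 0.0.0.0, as in `http 0.0.0.0 0.0.0.0 inside` above, which lets any host on that interface reach ASDM. The sample config is constructed from the values on this page.

```python
# Constructed sample: the interface blocks and the ASDM/HTTP lines from this
# write-up in running-config form (not a dump from the author's ASA).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
http server enable
http 0.0.0.0 0.0.0.0 inside
"""

def parse_interfaces(config):
    """Map nameif -> {ifname, security_level, ip} from ASA interface blocks."""
    interfaces, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            current = {"ifname": s.split()[1], "security_level": None, "ip": None}
        elif current is None:
            continue                      # outside any interface block
        elif s.startswith("nameif "):
            interfaces[s.split()[1]] = current
        elif s.startswith("security-level "):
            current["security_level"] = int(s.split()[1])
        elif s.startswith("ip address "):
            current["ip"] = s.split()[2]  # address only, mask is split()[3]
        elif s == "!":
            current = None                # "!" closes the interface block
    return interfaces

def audit(config):
    """Return review findings about security levels and management access."""
    findings, ifs = [], parse_interfaces(config)
    levels = [v["security_level"] for v in ifs.values()]
    if len(set(levels)) != len(levels):
        findings.append("two interfaces share a security-level; same-level traffic is dropped by default")
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["http"] and len(parts) == 4 and parts[2] == "0.0.0.0":
            findings.append(f"{parts[3]}: http {parts[1]} {parts[2]} allows ASDM from any host; narrow it to the admin subnet")
    return findings
```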

Test connectivity to the outside and dmz zones:

MyFirewall# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
MyFirewall# ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/12/30 ms
MyFirewall# ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/10/30 ms
MyFirewall#

Configure the outside-side router's IP address and default route:

outside(config)#hostname outside
outside(config)#interface fastEthernet 0/0
outside(config-if)#ip addr 10.1.1.2 255.255.255.0
outside(config-if)#no sh
outside(config-if)#description OUTSIDE
outside(config-if)#end
outside#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/17/36 ms
outside#

Configure the dmz-side router and its default route:

DMZ(config)#hostname DMZ
DMZ(config)#interface fastEthernet 0/0
DMZ(config-if)#ip add 172.16.1.2 255.255.255.0
DMZ(config-if)#no shu
DMZ(config-if)#description DMZ
DMZ(config-if)#end
DMZ#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/39/108 ms
DMZ#

Manage the ASA through the web interface:

https://192.168.1.1

Download, install and run the ASDM management tool.

Note:
Content to be added later: NAT, ×××, ROUTE, FIREWALL and other commonly used features.