1. 常用技巧
Sh ru ntp查看与ntp有关的
Sh ru crypto 查看与***有关的
Sh ru | inc crypto 只是关健字过滤而已
2. 故障倒换
failover
failover lan unit primary
failover lan interface testint Ethernet0/3
failover link testint Ethernet0/3
failover mac address Ethernet0/1 0018.1900.5000 0018.1900.5001
failover mac address Ethernet0/0 0018.1900.4000 0018.1900.4001
failover mac address Ethernet0/2 0018.1900.6000 0018.1900.6001
failover mac address Management0/0 0018.1900.7000 0018.1900.7001
failover interface ip testint 10.3.3.1 255.255.255.0 standby 10.3.3.2
注:最好配置虚拟MAC地址
sh failover显示配置信息
write standby写入到备用的防火墙中
failover命令集如下:
configure mode commands/options:
interface Configure the IP address and mask to be used for failover
and/or stateful update information
interface-policy Set the policy for failover due to interface failures
key Configure the failover shared secret or key
lan Specify the unit as primary or secondary or configure the
interface and vlan to be used for failover communication
link Configure the interface and vlan to be used as a link for
stateful update information
mac Specify the virtual mac address for a physical interface
polltime Configure failover poll interval
replication Enable HTTP (port 80) connection replication
timeout Specify the failover reconnect timeout value for
asymmetrically routed sessions
sh failover 命令集如下:
history Show failover switching history
interface Show failover command interface information
state Show failover internal state information
statistics Show failover command interface statistics information
| Output modifiers
<cr>
3. 配置telnet、ssh及http管理
username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http 192.168.40.0 255.255.255.0 management
ssh 192.168.40.0 255.255.255.0 inside
4. ***常用管理命令
sh ***-sessiondb full l2l 显示site to site 之***通道情况
sh ipsec stats 显示ipsec通道情况
sh ***-sessiondb summary 显示***汇总信息
sh ***-sessiondb detail l2l 显示ipsec详细信息
sh ***-sessiondb detail svc 查看ssl client信息
sh ***-sessiondb detail web*** 查看web***信息
sh ***-sessiondb detail full l2l 相当于linux下的ipsec whack –status 如果没有建立连接,则表示ipsec通道还没有建立起来。
5. 配置访问权限
可以建立对象组,设定不同的权限,如:
object-group network testgroup
description test
network-object 192.168.100.34 255.255.255.255
access-list inside_access_in line 2 extended permit ip object-group all any
access-group inside_access_in in interface inside
6. 配置sitetosite之×××
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmaccrypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 218.16.105.48
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 218.16.105.48 type ipsec-l2l
tunnel-group 218.16.105.48 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group-map enable rules
注:打打PFS并设定以IP地址作为peer名,一个接口只能有一个加密图
7. web***配置(ssl ***)
web***
enable outside
character-encoding gb2312
csd p_w_picpath disk0:/securedesktop-asa-3.1.1.16.pkg
svc p_w_picpath disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable
customization customization1
title text TEST Web××× system
title style background-color:white;color: rgb(51,153,0);border-bottom:5px groo
ve #669999;font-size:larger;vertical-align:middle;text-align:left;font-weight:bold
tunnel-group-list enable
注:也可通过ASDM图形界面进行配置
登录后,可访问内部资源,如下例:(客户端首先要安装Java插件jre-1_5_0-windows-i586.exe,并打开浏览器的ActiveX)
1) https://ssl***.test.com.cn 输入用户名和密码
2) 出现工具条
3) 在Enter Web Address内输入192.168.40.8即可访问内部网站
4)在browse network输入192.168.40.8即可访问共享文件
5)点击application access,即可查看端口转发设置,如使用putty访问本机的2023端口,则即可通过ssh登录192.168.40.8
Sh ru ntp查看与ntp有关的
Sh ru crypto 查看与***有关的
Sh ru | inc crypto 只是关健字过滤而已
2. 故障倒换
failover
failover lan unit primary
failover lan interface testint Ethernet0/3
failover link testint Ethernet0/3
failover mac address Ethernet0/1 0018.1900.5000 0018.1900.5001
failover mac address Ethernet0/0 0018.1900.4000 0018.1900.4001
failover mac address Ethernet0/2 0018.1900.6000 0018.1900.6001
failover mac address Management0/0 0018.1900.7000 0018.1900.7001
failover interface ip testint 10.3.3.1 255.255.255.0 standby 10.3.3.2
注:最好配置虚拟MAC地址
sh failover显示配置信息
write standby写入到备用的防火墙中
failover命令集如下:
configure mode commands/options:
interface Configure the IP address and mask to be used for failover
and/or stateful update information
interface-policy Set the policy for failover due to interface failures
key Configure the failover shared secret or key
lan Specify the unit as primary or secondary or configure the
interface and vlan to be used for failover communication
link Configure the interface and vlan to be used as a link for
stateful update information
mac Specify the virtual mac address for a physical interface
polltime Configure failover poll interval
replication Enable HTTP (port 80) connection replication
timeout Specify the failover reconnect timeout value for
asymmetrically routed sessions
sh failover 命令集如下:
history Show failover switching history
interface Show failover command interface information
state Show failover internal state information
statistics Show failover command interface statistics information
| Output modifiers
<cr>
3. 配置telnet、ssh及http管理
username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http 192.168.40.0 255.255.255.0 management
ssh 192.168.40.0 255.255.255.0 inside
4. ***常用管理命令
sh ***-sessiondb full l2l 显示site to site 之***通道情况
sh ipsec stats 显示ipsec通道情况
sh ***-sessiondb summary 显示***汇总信息
sh ***-sessiondb detail l2l 显示ipsec详细信息
sh ***-sessiondb detail svc 查看ssl client信息
sh ***-sessiondb detail web*** 查看web***信息
sh ***-sessiondb detail full l2l 相当于linux下的ipsec whack –status 如果没有建立连接,则表示ipsec通道还没有建立起来。
5. 配置访问权限
可以建立对象组,设定不同的权限,如:
object-group network testgroup
description test
network-object 192.168.100.34 255.255.255.255
access-list inside_access_in line 2 extended permit ip object-group all any
access-group inside_access_in in interface inside
6. 配置sitetosite之×××
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmaccrypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 218.16.105.48
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 218.16.105.48 type ipsec-l2l
tunnel-group 218.16.105.48 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group-map enable rules
注:打打PFS并设定以IP地址作为peer名,一个接口只能有一个加密图
7. web***配置(ssl ***)
web***
enable outside
character-encoding gb2312
csd p_w_picpath disk0:/securedesktop-asa-3.1.1.16.pkg
svc p_w_picpath disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable
customization customization1
title text TEST Web××× system
title style background-color:white;color: rgb(51,153,0);border-bottom:5px groo
ve #669999;font-size:larger;vertical-align:middle;text-align:left;font-weight:bold
tunnel-group-list enable
注:也可通过ASDM图形界面进行配置
登录后,可访问内部资源,如下例:(客户端首先要安装Java插件jre-1_5_0-windows-i586.exe,并打开浏览器的ActiveX)
1) https://ssl***.test.com.cn 输入用户名和密码
2) 出现工具条
3) 在Enter Web Address内输入192.168.40.8即可访问内部网站
4)在browse network输入192.168.40.8即可访问共享文件
5)点击application access,即可查看端口转发设置,如使用putty访问本机的2023端口,则即可通过ssh登录192.168.40.8
转载于:https://blog.51cto.com/jsilencer/318666
2345
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
