Check the firewall's current operating mode:

ciscoasa# show firewall
Firewall mode: Router

Configure the firewall in transparent mode:

ciscoasa(config)# firewall transparent

Configure the firewall in routed mode:

ciscoasa(config)# firewall router

Note: switching to transparent mode clears the running configuration, so take care to save the configuration to flash.

Configure the transparent firewall:

ciscoasa(config)# firewall transparent
ciscoasa# show firewall
Firewall mode: Transparent


Configure the security zones and the management IP:

ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.201 255.255.255.0
ciscoasa(config-if)# no shu

ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# no shu


Default route:

ciscoasa(config)# route outside 0 0 10.1.1.2

Static route:

ciscoasa(config)# route inside 192.168.100.0 255.255.255.0 192.168.1.3


Check the status of MAC address learning:

ciscoasa(config)# show mac-learn
interface                         mac learn
-------------------------------------------
 inside                             enabled
 outside                            enabled

View the MAC address table:

ciscoasa(config)# show mac-address-table inside
interface                   mac  address          type      Age(min)
------------------------------------------------------------------
inside                     0023.4ee0.7b6c          dynamic    5
inside                     d0df.9a02.b1ac          dynamic    5
inside                     0022.1961.760c          dynamic    5
inside                     0015.0065.8e00          dynamic    5
inside                     ec6c.9f02.26ba          dynamic    5


Set the MAC address aging time:

ciscoasa(config)# mac-address-table aging-time 10

Define static MAC address table entries for frequently used hosts:

ciscoasa(config)# mac-address-table static inside 0023.4ee0.7b6c

The type of that MAC in the MAC address table:

ciscoasa(config)# show mac-address-table
interface                   mac  address          type      Age(min)
------------------------------------------------------------------
inside                     0023.4ee0.7b6c          static

Disable MAC address learning on an interface:

ciscoasa(config)# mac-learn outside disable


Add a static ARP entry (never ages out):

ciscoasa(config)# arp inside 192.168.1.120 0023.4ee0.7b6c

Enable ARP inspection:

ciscoasa(config)# arp-inspection inside enable flood
ciscoasa(config)# arp-inspection outside enable no-flood

Show the ARP inspection status of each interface:

ciscoasa(config)# show arp-inspection
interface                arp-inspection         miss
----------------------------------------------------
inside                   enabled                flood
outside                  enabled                no-flood
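Added example (not part of the original notes): a small Python model of the ARP inspection behaviour configured above. It parses the show arp-inspection output from this page and, for a few constructed ARP packets, decides whether a transparent ASA with the static entry "arp inside 192.168.1.120 0023.4ee0.7b6c" would forward, flood or drop them; the decision rules follow the ASA documentation (match the static entry: forward; same IP with another MAC: drop; no entry: flood or drop per the miss action).

```python
# Constructed copy of the "show arp-inspection" output shown on this page.
SHOW_ARP_INSPECTION = """\
interface                arp-inspection         miss
----------------------------------------------------
inside                   enabled                flood
outside                  enabled                no-flood
"""

# Static ARP entries as configured with "arp <interface> <ip> <mac>" on this page.
STATIC_ARP = {("inside", "192.168.1.120"): "0023.4ee0.7b6c"}

def parse_arp_inspection(text):
    """Map interface -> miss action ('flood' / 'no-flood'), or None when inspection is disabled."""
    state = {}
    for line in text.splitlines()[2:]:      # skip the header and separator rows
        parts = line.split()
        if len(parts) != 3:
            continue
        ifc, status, miss = parts
        state[ifc] = miss if status == "enabled" else None
    return state

def inspect_arp(ifc, sender_ip, sender_mac, inspection, static_arp=STATIC_ARP):
    """Verdict for an ARP packet received on ifc: 'forward', 'flood' or 'drop'.

    Models the ASA rules: a sender IP/MAC that matches the static entry for
    that interface is forwarded; a sender IP bound to a different MAC is
    dropped (spoofed ARP); a sender with no static entry is flooded or
    dropped according to the interface's miss action.
    """
    miss_action = inspection.get(ifc)
    if miss_action is None:                 # inspection disabled: ARP passes untouched
        return "forward"
    expected_mac = static_arp.get((ifc, sender_ip))
    if expected_mac is None:
        return "flood" if miss_action == "flood" else "drop"
    return "forward" if expected_mac.lower() == sender_mac.lower() else "drop"

if __name__ == "__main__":
    state = parse_arp_inspection(SHOW_ARP_INSPECTION)
    # Constructed ARP packets: legitimate host, spoofed MAC, unknown host on each side.
    for pkt in [("inside", "192.168.1.120", "0023.4ee0.7b6c"),
                ("inside", "192.168.1.120", "d0df.9a02.b1ac"),
                ("inside", "192.168.1.50", "0022.1961.760c"),
                ("outside", "10.1.1.2", "0015.0065.8e00")]:
        print(pkt, "->", inspect_arp(*pkt, state))
```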


Configure interface access lists (no inspection; permit BPDU and IPX traffic in both directions):

ciscoasa(config)# access-list access1 ethertype permit bpdu
ciscoasa(config)# access-list access1 ethertype permit ipx
ciscoasa(config)# access-group access1 in interface inside
ciscoasa(config)# access-group access1 in interface outside

Configure an ACL that permits all IP protocols:

ciscoasa(config)# access-list access2 permit ip any any

Permit traffic between interfaces of the same security level:

ciscoasa(config)# same-security-traffic permit inter-interface
ciscoasa(config)# same-security-traffic permit intra-interface


View the xlate table of NAT connection information (and the connection table):

ciscoasa(config)# show xlate
0 in use, 0 most used

ciscoasa(config)# show conn
0 in use, 1 most used

Static NAT and port mapping:

ciscoasa(config)# static (inside,outside) 10.1.1.1 192.168.0.5 netmask 255.255.255.255
    (one-to-one mapping of the whole host)

ciscoasa(config)# static (inside,outside) interface 192.168.0.5 netmask 255.255.255.255
    (translates the outside interface address to the internal host address 192.168.0.5)

ciscoasa(config)# static (inside,outside) tcp 10.1.1.1 www 192.168.0.5 www netmask 255.255.255.255
    (maps access to port 80 on the outside IP 10.1.1.1 to port 80 on 192.168.0.5)

ciscoasa(config)# static (inside,outside) tcp 10.1.1.1 smtp 192.168.0.10 smtp netmask 255.255.255.255
    (maps access to port 25 on the outside IP 10.1.1.1 to port 25 on 192.168.0.10)


Permit the mapped ports on the outside interface:

ciscoasa(config)# access-list access1 permit tcp any host 10.1.1.1 eq www
ciscoasa(config)# access-list access1 permit tcp any host 10.1.1.1 eq smtp
ciscoasa(config)# access-group access1 in interface outside

Exempt traffic matched by an ACL from NAT (NAT exemption):

ciscoasa(config)# access-list access2 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# access-list access2 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# access-list access2 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list access2

Note: when hosts in 192.168.0.0/24 access hosts in 192.168.1.0/24, 192.168.2.0/24 or 192.168.3.0/24, no NAT is performed.


Translate traffic matching a specific ACL entry to the fixed IP 10.1.1.1:

ciscoasa(config)# access-list access3 permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
ciscoasa(config)# static (inside,outside) 10.1.1.1 access-list access3 0 0

Global PAT: internal hosts in 192.168.0.0/16 accessing any IP are translated to the global IP of the outside interface:

ciscoasa(config)# access-list access4 permit ip 192.168.0.0 255.255.0.0 any
ciscoasa(config)# nat (inside) 1 access-list access4
ciscoasa(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool

Dynamic NAT:

ciscoasa(config)# access-list access4 permit ip 192.168.0.0 255.255.0.0 any
ciscoasa(config)# nat (inside) 1 access-list access4
ciscoasa(config)# global (outside) 1 10.1.1.1-10.1.1.254 netmask 255.255.255.0


Permit only the allowed subnets on the inside interface:

ciscoasa(config)# access-list access0 permit ip 192.168.0.0 255.255.255.0 any
ciscoasa(config)# access-list access1 permit ip 192.168.1.0 255.255.255.0 any
ciscoasa(config)# access-list access1 deny ip any any
ciscoasa(config)# access-group access0 in interface inside


View the currently configured ACLs:

ciscoasa(config)# show running-config access-list
access-list access1 extended permit tcp any host 10.1.1.1 eq www
access-list access1 extended permit tcp any host 10.1.1.1 eq smtp
access-list access2 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list access3 extended permit ip 192.168.0.0 255.255.0.0 any

ciscoasa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list access1; 2 elements
access-list access1 line 1 extended permit tcp any host 10.1.1.1 eq www
access-list access1 line 2 extended permit tcp any host 10.1.1.1 eq smtp
access-list access2; 1 elements
access-list access2 line 1 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list access3; 1 elements
access-list access3 line 1 extended permit ip 192.168.0.0 255.255.0.0 any


Rename an ACL:

ciscoasa(config)# access-list access3 rename access_3

Add a remark to an ACL:

ciscoasa(config)# access-list access3 remark ACL_3_NAT
ciscoasa(config)# access-list access1 line 2 remark ACL_SMTP_PERMIT

Remove an ACL entry:

ciscoasa(config)# no access-list access1 extended permit ip any any


Define a network object group:

ciscoasa(config)# object-group network Accounting_Addrs
ciscoasa(config-network)# description List of Accounting Dept IP Addresses
ciscoasa(config-network)# network-object host 192.168.0.1
ciscoasa(config-network)# network-object host 192.168.0.2
ciscoasa(config-network)# network-object host 192.168.0.3
ciscoasa(config-network)# network-object 192.168.1.0 255.255.255.0

Note: a host IP added to an object group is automatically expanded into every ACL that uses the group.

Referencing a network object group:

ciscoasa(config)# object-group network RemoteSite_addrs
ciscoasa(config-network)# group-object Accounting_Addrs


Define a protocol object group:

ciscoasa(config)# object-group protocol Tunnel1_proto
ciscoasa(config-protocol)# description Tunneling Protocols
ciscoasa(config-protocol)# protocol-object ipinip
ciscoasa(config-protocol)# protocol-object esp
ciscoasa(config-protocol)# protocol-object ah
ciscoasa(config-protocol)# protocol-object gre

Referencing a protocol object group:

ciscoasa(config)# object-group protocol Group1_proto
ciscoasa(config-protocol)# group-object Tunnel1_proto


Define a basic service object group:

ciscoasa(config-protocol)# object-group service Web_ports tcp
ciscoasa(config-service)# description TCP ports used by Web browsers
ciscoasa(config-service)# port-object eq www
ciscoasa(config-service)# port-object eq https
ciscoasa(config-service)# port-object range 8080 8088
ciscoasa(config-service)# exit

Referencing a basic service object group:

ciscoasa(config)# object-group service Example_ports tcp
ciscoasa(config-service)# group-object Web_ports


Define an enhanced service object group:

ciscoasa(config-service)# object-group service test
ciscoasa(config-service)# description test service
ciscoasa(config-service)# service-object icmp echo
ciscoasa(config-service)# service-object icmp echo-reply
ciscoasa(config-service)# service-object esp
ciscoasa(config-service)# service-object udp eq isakmp
ciscoasa(config-service)# service-object udp source 10000
ciscoasa(config-service)# service-object tcp eq www
ciscoasa(config-service)# exit

Note: an enhanced service object group can only be referenced once by an ACL.

Use object groups in an ACL:

ciscoasa(config)# access-list access5 extended permit tcp object-group RemoteSite_addrs any object-group Web_ports
ciscoasa(config)# access-list access6 extended permit object-group test any host 192.168.0.100
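Added example (not part of the original notes): a Python model of how the ASA expands the object groups defined above (Accounting_Addrs, RemoteSite_addrs, Web_ports, Example_ports), following nested group-object references, into individual networks and port ranges, and then checks whether the access5 entry would match a given TCP flow. The group contents are copied from this page; the flows tested are constructed.

```python
import ipaddress

# Object-group contents copied from this page; the flows checked below are constructed.
NETWORK_GROUPS = {
    "Accounting_Addrs": ["host 192.168.0.1", "host 192.168.0.2",
                         "host 192.168.0.3", "192.168.1.0 255.255.255.0"],
    "RemoteSite_addrs": ["group-object Accounting_Addrs"],
}
SERVICE_GROUPS = {
    "Web_ports": ["eq www", "eq https", "range 8080 8088"],
    "Example_ports": ["group-object Web_ports"],
}
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}   # names the ASA accepts in port-object eq

def expand_network(name, groups=NETWORK_GROUPS):
    """Flatten a network object-group (recursing into group-objects) into ip_network objects."""
    nets = []
    for entry in groups[name]:
        words = entry.split()
        if words[0] == "group-object":
            nets.extend(expand_network(words[1], groups))
        elif words[0] == "host":
            nets.append(ipaddress.ip_network(words[1]))
        else:                                   # "<network> <netmask>" form
            nets.append(ipaddress.ip_network(f"{words[0]}/{words[1]}"))
    return nets

def expand_ports(name, groups=SERVICE_GROUPS):
    """Flatten a tcp service object-group into (low, high) port ranges."""
    ranges = []
    for entry in groups[name]:
        words = entry.split()
        if words[0] == "group-object":
            ranges.extend(expand_ports(words[1], groups))
        elif words[0] == "eq":
            port = int(PORT_NAMES.get(words[1], words[1]))
            ranges.append((port, port))
        elif words[0] == "range":
            ranges.append((int(words[1]), int(words[2])))
    return ranges

def ace_permits(src_ip, dst_port, src_group="RemoteSite_addrs", port_group="Web_ports"):
    """Would 'permit tcp object-group <src_group> any object-group <port_group>' match this flow?"""
    src = ipaddress.ip_address(src_ip)
    return (any(src in net for net in expand_network(src_group))
            and any(lo <= dst_port <= hi for lo, hi in expand_ports(port_group)))

if __name__ == "__main__":
    for flow in [("192.168.1.77", 8085), ("192.168.0.4", 80), ("192.168.0.2", 22)]:
        print(flow, "permitted by access5" if ace_permits(*flow) else "not matched by access5")
```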


 


Reset ACL hit counters:

ciscoasa(config)# clear access-list access5 counters


Shun a malicious host:

ciscoasa(config)# shun 172.21.4.8

View connections:

ciscoasa(config)# show conn

View shuns:

ciscoasa(config)# show shun

View the system log:

ciscoasa(config)# show logging

View shun statistics:

ciscoasa(config)# show shun statistics

Remove a specific shunned source address:

ciscoasa(config)# no shun 172.21.4.8