ASA Firewall Configuration Notes
October 27, 2006

Preface: Cisco's new ASA firewall series has come to market and will gradually replace the PIX firewall. There is very little material online about ASA configuration, so I have written up the ASA configuration techniques I have accumulated into this document for everyone's reference. If you have questions, you can send me an email.

Contents
1. Common tips
2. Failover
3. Configuring telnet, ssh and http management
4. Common VPN management commands
5. Configuring access permissions
6. Configuring site-to-site VPN
7. WebVPN (SSL VPN) configuration
8. Remote dial-in VPN
9. Logging server configuration
10. SNMP management configuration
11. ACS configuration
12. AAA configuration
13. Upgrading the IOS
14. Miscellaneous problems

1. Common tips

sh run ntp            shows the NTP-related configuration
sh ru crypto          shows the VPN-related configuration
sh ru | inc crypto    this is just keyword filtering

2. Failover

failover
failover lan unit primary
failover lan interface testint Ethernet0/3
failover link testint Ethernet0/3
failover mac address Ethernet0/1 0018.1900.5000 0018.1900.5001
failover mac address Ethernet0/0 0018.1900.4000 0018.1900.4001
failover mac address Ethernet0/2 0018.1900.6000 0018.1900.6001
failover mac address Management0/0 0018.1900.7000 0018.1900.7001
failover interface ip testint 10.3.3.1 255.255.255.0 standby 10.3.3.2

Note: it is best to configure virtual MAC addresses.

sh failover      shows the failover configuration and status
write standby    writes the configuration to the standby firewall

The failover command set is as follows:

configure mode commands/options:
  interface         Configure the IP address and mask to be used for failover and/or stateful update information
  interface-policy  Set the policy for failover due to interface failures
  key               Configure the failover shared secret or key
  lan               Specify the unit as primary or secondary or configure the interface and vlan to be used for failover communication
  link              Configure the interface and vlan to be used as a link for stateful update information
  mac               Specify the virtual mac address for a physical interface
  polltime          Configure failover poll interval
  replication       Enable HTTP (port 80) connection replication
  timeout           Specify the failover reconnect timeout value for asymmetrically routed sessions

The sh failover command set is as follows:
  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information
  |           Output modifiers
  <cr>

3. Configuring telnet, ssh and http management

username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http 192.168.40.0 255.255.255.0 management
ssh 192.168.40.0 255.255.255.0 inside

4. Common VPN management commands

sh vpn-sessiondb full l2l          shows the state of the site-to-site VPN tunnels
sh ipsec stats                     shows IPsec tunnel statistics
sh vpn-sessiondb summary           shows a VPN summary
sh vpn-sessiondb detail l2l        shows IPsec details
sh vpn-sessiondb detail svc        shows SSL client sessions
sh vpn-sessiondb detail webvpn     shows WebVPN sessions
sh vpn-sessiondb detail full l2l   equivalent to "ipsec whack --status" on Linux; if no connection is listed, the IPsec tunnel has not been established yet

5. Configuring access permissions

You can create object groups and assign different permissions to them, for example:

object-group network testgroup
 description test
 network-object 192.168.100.34 255.255.255.255
access-list inside_access_in line 2 extended permit ip object-group all any
access-group inside_access_in in interface inside

6. Configuring site-to-site VPN

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 218.16.105.48
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 218.16.105.48 type ipsec-l2l
tunnel-group 218.16.105.48 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group-map enable rules

Note: enable PFS and use the IP address as the peer name; an interface can carry only one crypto map.

7. WebVPN (SSL VPN) configuration

webvpn
 enable outside
 character-encoding gb2312
 csd image disk0:/securedesktop-asa-3.1.1.16.pkg
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc enable
 customization customization1
  title text TEST WebVPN system
  title style background-color:white;color:rgb(51,153,0);border-bottom:5px groove #669999;font-size:larger;vertical-align:middle;text-align:left;font-weight:bold
 tunnel-group-list enable

Note: this can also be configured through the ASDM graphical interface.

After logging in, internal resources can be accessed, as in the following example. (The client must first install the Java plug-in jre-1_5_0-windows-i586.exe and enable ActiveX in the browser.)
1) …
2) The toolbar appears.
3) Enter 192.168.40.8 in "Enter Web Address" to reach the internal web site.
4) Enter 192.168.40.8 in "browse network" to reach the shared files.
5) Click "application access" to see the port-forwarding settings; for example, pointing putty at local port 2023 logs you in to 192.168.40.8 over ssh.

8. Remote dial-in VPN

The related ASA configuration commands are as follows:

access-list inside_access_in extended permit ip object-group remotegroup any
access-list inside_access_in extended permit icmp object-group remotegroup any
access-list remotevpn_splitTu
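As an added example that is not part of these notes, the following Python script reviews an ASA configuration fragment of the kind shown in the access-permissions and site-to-site VPN sections above: it reports object-groups that access-list entries reference but the fragment never declares, and it flags the IKE/IPsec settings a reviewer would want to look at (legacy cipher, small DH group, a crypto map entry without PFS, peer-id-validate nocheck). The sample configuration is constructed from the snippets in these notes rather than taken from a real device, and the strength thresholds are my own assumptions.

```python
import re

# Constructed sample, not a real device dump: the access-control and site-to-site
# VPN snippets from these notes pasted into one running-config fragment.
SAMPLE_CONFIG = """
object-group network testgroup
 description test
 network-object 192.168.100.34 255.255.255.255
access-list inside_access_in line 2 extended permit ip object-group all any
access-group inside_access_in in interface inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 218.16.105.48
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
tunnel-group 218.16.105.48 ipsec-attributes
 peer-id-validate nocheck
"""

def undefined_object_groups(config):
    """Names used as 'object-group X' in access-list lines but never declared."""
    defined = set(re.findall(r"^object-group \S+ (\S+)", config, re.M))
    referenced = set()
    for line in config.splitlines():
        if line.startswith("access-list "):
            referenced.update(re.findall(r"object-group (\S+)", line))
    return sorted(referenced - defined)

def crypto_findings(config):
    """IKE/IPsec settings worth a second look (thresholds are assumptions)."""
    findings = []
    if re.search(r"^\s*peer-id-validate nocheck", config, re.M):
        findings.append("peer-id-validate nocheck: peer identity is not validated")
    for policy, enc in re.findall(r"^isakmp policy (\d+) encryption (\S+)", config, re.M):
        if enc in ("des", "3des"):
            findings.append(f"isakmp policy {policy}: legacy encryption {enc}")
    for policy, grp in re.findall(r"^isakmp policy (\d+) group (\d+)", config, re.M):
        if int(grp) < 14:
            findings.append(f"isakmp policy {policy}: small DH group {grp}")
    # Every crypto map entry with a peer should also have 'set pfs'.
    peers = set(re.findall(r"^crypto map (\S+) (\d+) set peer", config, re.M))
    pfs = set(re.findall(r"^crypto map (\S+) (\d+) set pfs", config, re.M))
    for name, seq in sorted(peers - pfs):
        findings.append(f"crypto map {name} {seq}: PFS not enabled")
    return findings

if __name__ == "__main__":
    for name in undefined_object_groups(SAMPLE_CONFIG):
        print(f"undefined object-group referenced by an access-list: {name}")
    for item in crypto_findings(SAMPLE_CONFIG):
        print(item)
```

Run it against the output of "sh run" saved to a file to get the same report for a real configuration.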