通信人家园
Title:
ASA Configuration Notes
Time:
2008-3-5 08:02
Author:
webcj
<div class="prod-news-content-text"><p>1. Common tips</p><p>sh ru ntp: show the NTP-related configuration<br/>sh ru crypto: show the VPN-related configuration<br/>sh ru | inc crypto: this is only keyword filtering</p><p>2. Failover</p><pre>failover
failover lan unit primary
failover lan interface testint Ethernet0/3
failover link testint Ethernet0/3
failover mac address Ethernet0/1 0018.1900.5000 0018.1900.5001
failover mac address Ethernet0/0 0018.1900.4000 0018.1900.4001
failover mac address Ethernet0/2 0018.1900.6000 0018.1900.6001
failover mac address Management0/0 0018.1900.7000 0018.1900.7001
failover interface ip testint 10.3.3.1 255.255.255.0 standby 10.3.3.2</pre><p>Note: it is best to configure virtual MAC addresses.</p><p>sh failover shows the failover configuration information.</p><p>write standby writes the configuration to the standby firewall.</p><p>The failover command set is as follows:</p><pre>configure mode commands/options:
  interface         Configure the IP address and mask to be used for failover
                    and/or stateful update information
  interface-policy  Set the policy for failover due to interface failures
  key               Configure the failover shared secret or key
  lan               Specify the unit as primary or secondary or configure the
                    interface and vlan to be used for failover communication
  link              Configure the interface and vlan to be used as a link for
                    stateful update information
  mac               Specify the virtual mac address for a physical interface
  polltime          Configure failover poll interval
  replication       Enable HTTP (port 80) connection replication
  timeout           Specify the failover reconnect timeout value for
                    asymmetrically routed sessions</pre><p>The sh failover command set is as follows:</p><pre>  history     Show failover switching history
  interface   Show failover command interface information
  state       Show failover internal state information
  statistics  Show failover command interface statistics information
  |           Output modifiers
  &lt;cr&gt;</pre><p>3. Configuring telnet, ssh and http management</p><pre>username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http 192.168.40.0 255.255.255.0 management
ssh 192.168.40.0 255.255.255.0 inside</pre><p>4. Common VPN management commands</p><p>sh vpn-sessiondb full l2l: show the state of the site-to-site VPN tunnels<br/>sh ipsec stats: show the IPsec tunnel statistics<br/>sh vpn-sessiondb summary: show the VPN summary information<br/>sh vpn-sessiondb detail l2l: show IPsec details<br/>sh vpn-sessiondb detail svc: show SSL client information<br/>sh vpn-sessiondb detail webvpn: show WebVPN information<br/>sh vpn-sessiondb detail full l2l: equivalent to ipsec whack --status on Linux; if no connection is shown, the IPsec tunnel has not been established yet.</p><p>5. Configuring access permissions</p><p>Object groups can be created to assign different permissions, for example:</p><pre>object-group network testgroup
 description test
 network-object 192.168.100.34 255.255.255.255
access-list inside_access_in line 2 extended permit ip object-group all any
access-group inside_access_in in interface inside</pre><p>6. Configuring a site-to-site VPN</p><pre>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 218.16.105.48
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 218.16.105.48 type ipsec-l2l
tunnel-group 218.16.105.48 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group-map enable rules</pre><p>Note: enable PFS and use the IP address as the peer name; an interface can have only one crypto map.</p><p>7. WebVPN configuration (SSL VPN)</p><pre>webvpn
 enable outside
 character-encoding gb2312
 csd image disk0:/securedesktop-asa-3.1.1.16.pkg
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc enable
customization customization1
 title text TEST WebVPN system
 title style background-color:white;color: rgb(51,153,0);border-bottom:5px groove #669999;font-size:larger;vertical-align:middle;text-align:left;font-weight:bold
 tunnel-group-list enable</pre><p>Note: this can also be configured through the ASDM graphical interface.</p><p>After logging in, internal resources can be accessed, as in the following example (the client must first install the Java plugin jre-1_5_0-windows-i586.exe and enable ActiveX in the browser):</p><p>1) Open <a href="https://sslvpn.test.com.cn/" target="_blank">https://sslvpn.test.com.cn</a> and enter the username and password<br/>2) The toolbar appears<br/>3) Enter 192.168.40.8 in Enter Web Address to access the internal website<br/>4) Enter 192.168.40.8 in Browse Network to access shared files<br/>5) Click Application Access to see the port-forwarding settings; for example, using putty to connect to local port 2023 lets you log in to 192.168.40.8 over ssh</p><p>8. Remote-access (dial-in) VPN</p><p>The related ASA configuration commands are as follows:</p><pre>access-list inside_access_in extended permit ip object-group remotegroup any
access-list inside_access_in extended permit icmp object-group remotegroup any
access-list remotevpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
ip local pool dialuserIP 192.168.101.1-192.168.101.254 mask 255.255.255.0
group-policy remotevpn attributes
 dns-server value 202.96.128.68 192.168.40.16
 default-domain value test.com.cn
username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
 address-pool dialuserIP
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key *</pre><p>Client settings are as follows:</p><p>9. Log server configuration</p><pre>logging enable
logging timestamp
logging emblem
logging trap informational
logging asdm warnings
logging host inside 192.168.40.115 format emblem
logging permit-hostdown
 vpn-simultaneous-logins 3</pre><p>10. SNMP management configuration</p><pre>snmp-server host inside 192.168.40.47 community testsnmp
snmp-server location DG-GTEST
snmp-server contact jiangdaoyou:6162
snmp-server community testsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart</pre><p>Note: only after the host is specified can 192.168.40.47 manage the device.</p><p>11. ACS configuration</p><p>Management after installation: <a href="http://ip:2002/" target="_blank">http://ip:2002</a>. ACS provides authorization, authentication and many other functions.</p><p>Omitted for now, as there is too much content.</p><p>12. AAA configuration</p><p>AAA server configuration:</p><pre>aaa-server radius_dg host dc03.xxxx.com
 key dfdfdfdf146**U
 authentication-port 1812
 accounting-port 1813
 radius-common-pw dfdfdfdf146**U</pre><p>Configuration for dial-in VPN:</p><pre>tunnel-group vg_testerp general-attributes
 address-pool ciscovpnuser
 authentication-server-group radius_dg
 default-group-policy vg_testerp</pre><p>13. Upgrading the IOS image</p><pre>copy tftp://192.168.40.180/asa/asa721-k8.bin disk0:/asa721-k8.bin
boot system disk0:/asa721-k8.bin</pre><p>The boot system command is used when there are multiple images.</p><p>14. Troubleshooting</p><p>1) From a remote subnet you cannot ping the peer's gateway, e.g. from Wuxi Gelan you cannot ping 192.168.40.251</p><p>Enter the command: management-access inside (this item cannot be set through ASDM)</p><p>2) NAT sometimes does not take effect quickly</p><p>Use the command clear xlate.</p></div>
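<p>The crypto and management settings in these notes can be checked mechanically. The following is an added example, not part of the original post: a small Python audit script that scans an ASA running-config text for the legacy transform sets, weak ISAKMP parameters, disabled peer-ID validation and SNMP community strings that appear in sections 6, 8 and 10 above, and for failover without the virtual MAC addresses the note in section 2 recommends. The sample config is constructed from lines in the post; the rule set and finding texts are the example's own choices, not Cisco's.</p>

```python
"""Audit an ASA running-config text for weak settings; added example, not from the post."""
import re

# Algorithms worth flagging in "crypto ipsec transform-set" lines.
WEAK_ALGS = {"esp-des": "single DES", "esp-3des": "3DES (deprecated)",
             "esp-md5-hmac": "HMAC-MD5"}
WEAK_ISAKMP = {"des", "3des", "md5", "1", "2"}  # weak encryption/hash/DH-group values
# Constructed sample: a subset of the commands from sections 2, 6 and 10 above.
SAMPLE_CONFIG = """\
failover
failover mac address Ethernet0/0 0018.1900.4000 0018.1900.4001
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
tunnel-group 218.16.105.48 type ipsec-l2l
tunnel-group 218.16.105.48 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
snmp-server community testsnmp
"""

def audit_asa_config(config: str) -> list[str]:
    """Return one human-readable finding per weak setting found in config."""
    findings, tunnel_group = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # Remember the enclosing tunnel-group so indented attributes get context.
        m = re.match(r"tunnel-group (\S+) ", line)
        if m and not raw.startswith(" "):
            tunnel_group = m.group(1)
        m = re.match(r"crypto ipsec transform-set (\S+) (.*)", line)
        if m:
            for alg, why in WEAK_ALGS.items():
                if alg in m.group(2).split():
                    findings.append(f"transform-set {m.group(1)} uses {why}")
        m = re.match(r"isakmp policy (\d+) (encryption|hash|group) (\S+)", line)
        if m and m.group(3) in WEAK_ISAKMP:
            findings.append(f"isakmp policy {m.group(1)} {m.group(2)} {m.group(3)} is weak")
        if line == "peer-id-validate nocheck":
            findings.append(f"tunnel-group {tunnel_group} disables peer ID validation")
        if re.match(r"snmp-server community \S+", line):
            findings.append("snmp-server uses an SNMPv1/v2c community string (cleartext)")
    # The post's own advice: failover should use virtual MAC addresses.
    if "failover" in config and "failover mac address" not in config:
        findings.append("failover configured without virtual MAC addresses")
    return findings
```

Running audit_asa_config(SAMPLE_CONFIG) yields seven findings for the sample; feed it the output of "sh ru" saved to a file to check a real unit.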
Time:
2008-3-5 09:58
Author:
tryjydfj
通信人家园 (https://www.txrjy.com/)