ASA防火墙技术要点二〇〇六年九月二十七日1.基本配置....................................................................................................12.常用技巧....................................................................................................23.故障倒换....................................................................................................24.配置telnet、ssh及http管理....................................................................35.vpn常用管理命令.....................................................................................46.配置访问权限............................................................................................47.配置端口NAT(PAT)..................................................................................48.NAT一般规则...........................................................................................59.DMZ区访问内网服务器..........................................................................510.配置sitetosite之VPN.............................................................................511.webvpn配置(sslvpn).........................................................................612.远程拨入VPN.........................................................................................913.日志服务器配置....................................................................................1114.Snmp网管配置......................................................................................1115.ACS配置...............................................................................................1116.AAA配置..............................................................................................1217.升级IOS................................................................................................1318.疑难杂症................................................................................................131.基本配置配置名称hostnamemelcohkasadomain-namecosmel.com配置用户及密码:usernameahsupasswordWtIBQAqhMu/Lx5iyencryptedprivilege15aaaauthenticationhttpconsoleLOCALaaaauthenticationsshconsoleLOCALaaaauthenticationtelnetconsoleLOCALaaaauthenticationenableconsoleLOCALenablepasswordiraxXocttscgektgencrypted配置时区:clocktimezoneHKST8第1页共14页ntpserver192.168.2.16sourceinsideprefer或ntpserverstdtime.gov.hksourceoutsideprefershclock显示时间信息配置http和telnet管理:management-accessinsidehttp192.168.0.0255.255.0.0insidetelnet192.168.0.0255.255.0.0inside2.常用技巧Shruntp查看与ntp有关的Shrucrypto查看与vpn有关的Shru|inccrypto只是关健字过滤而已copyrunning-configflash:/20070305.cfg把某一天的配置保存一下3.故障倒换failoverfailoverlanunitprimaryfailoverlaninterfacetestintEthernet0/3failoverlinktestintEthernet0/3failovermacaddressEthernet0/10018.1900.50000018.1900.5001failovermacaddressEthernet0/00018.1900.40000018.1900.4001failovermacaddressEthernet0/20018.1900.60000018.1900.6001failovermacaddressManagement0/00018.1900.70000018.1900.7001failoverinterfaceiptestint10.3.3.1255.255.255.0standby10.3.3.2注:最好配置虚拟MAC地址shfailover显示配置信息writestandby写入到备用的防火墙中failover命令集如下:configuremodecommands/options:第2页共14页interfaceConfiguretheIPaddressandmasktobeusedforfailoverand/orstatefulupdateinformationinterface-policySetthepolicyforfailoverduetointerfacefailureskeyConfigurethefailovers...
