
12.5. Example

12.5.1. ASA Firewall

例 12.2. ASA 5550

			
! Saved running configuration of an ASA 5550 on the 8.2 train. This is the
! pre-8.3 NAT model: interface ACLs are evaluated against the translated
! (public) address, which is why the "outside" ACL below references
! 110.112.133.x hosts rather than the 172.16.0.x real addresses behind the
! static entries.
: Saved
:
ASA Version 8.2(1)
!
hostname asa5550
! The credential hashes are part of this published listing and should be
! treated as known; the passwd line looks like the ASA factory-default value
! (TODO confirm). Rotate both, and the local "root" account further down,
! before reusing any of this.
enable password Yi7fhXUH4X/ZMh encrypted
passwd 2KFQnNId2KYOU encrypted
names
!
! Three interfaces are in use: outside (public /26, security-level 0), inside
! (172.16.0.0/24, level 100) and the dedicated management port (level 100,
! management-only). Gi1/1 is unconfigured but, unlike the other spare ports,
! is not administratively shut down.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 110.112.133.60 255.255.255.192
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface GigabitEthernet1/0
 nameif inside
 security-level 100
 ip address 172.16.0.254 255.255.255.0
!
interface GigabitEthernet1/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
! Inbound policy for "outside" (bound by the access-group command after the
! NAT section). ASA ACLs are first-match with an implicit deny at the end.
! Points worth knowing when reading this list:
!  - ICMP of every type is permitted from any source (could be narrowed to
!    echo / unreachable / time-exceeded).
!  - Services open to any source include SSH, FTP (cleartext), MySQL 3306
!    (.18), RDP 3389 and VNC 5900; the 110.102.60.1-only entries later in
!    the list show the tighter single-source pattern these could follow.
!  - "permit tcp any any eq www" (below) makes every per-host "eq www" entry
!    redundant and means any future static automatically exposes HTTP.
!  - The final entry, "permit tcp any host 110.112.133.44", opens every TCP
!    port on .44.
access-list outside extended permit icmp any any
access-list outside extended permit udp any host 110.112.133.20 eq domain
access-list outside extended permit udp any host 110.112.133.23 eq domain
access-list outside extended permit udp any host 110.112.133.18 eq domain
access-list outside extended permit tcp any host 110.112.133.18 eq ssh
access-list outside extended permit tcp any host 110.112.133.7 eq ftp
access-list outside extended permit tcp any host 110.112.133.21 eq www
access-list outside extended permit tcp any host 110.112.133.22 eq www
access-list outside extended permit tcp any host 110.112.133.13 eq 3389
access-list outside extended permit tcp any host 110.112.133.24 eq 3389
access-list outside extended permit tcp any host 110.112.133.9 eq www
access-list outside extended permit tcp any host 110.112.133.29 eq ssh
access-list outside extended permit tcp any host 110.112.133.29 eq www
access-list outside extended permit udp any host 110.112.133.29 eq 1194
access-list outside extended permit tcp any host 110.112.133.6 eq www
access-list outside extended permit tcp any host 110.112.133.7 eq www
access-list outside extended permit tcp any host 110.112.133.8 eq www
access-list outside extended permit tcp any host 110.112.133.10 eq www
access-list outside extended permit tcp any host 110.112.133.11 eq www
access-list outside extended permit tcp any host 110.112.133.12 eq www
access-list outside extended permit tcp any host 110.112.133.27 eq www
access-list outside extended permit tcp any host 110.112.133.28 eq www
access-list outside extended permit tcp any host 110.112.133.25 eq www
access-list outside extended permit tcp any host 110.112.133.25 eq 3389
access-list outside extended permit tcp any host 110.112.133.18 eq 3306
access-list outside extended permit tcp any host 110.112.133.13 eq ftp
access-list outside extended permit tcp any host 110.112.133.13 eq 8000
access-list outside extended permit tcp any host 110.112.133.26 eq ssh
access-list outside extended permit tcp any host 110.112.133.5 eq www
access-list outside extended permit tcp any host 110.112.133.26 eq ftp
access-list outside extended permit tcp any host 110.112.133.14 eq 8080
access-list outside extended permit tcp any host 110.112.133.19 eq www
access-list outside extended permit tcp any host 110.112.133.17 eq www
access-list outside extended permit tcp any host 110.112.133.16 eq www
access-list outside extended permit tcp any host 110.112.133.4 eq www
access-list outside extended permit tcp any host 110.112.133.4 eq ftp
access-list outside extended permit tcp any host 110.112.133.4 eq ssh
! Explicit UDP denies for .7 and .38: because of first-match ordering they
! only affect UDP not already permitted above, and they are otherwise no
! different from the implicit deny at the end of the list.
access-list outside extended deny udp any host 110.112.133.7
access-list outside extended permit tcp any host 110.112.133.62 eq www
access-list outside extended permit tcp any host 110.112.133.62 eq ssh
access-list outside extended permit tcp any host 110.112.133.24 eq 5900
access-list outside extended permit tcp any host 110.112.133.35 eq www
access-list outside extended permit tcp any host 110.112.133.35 eq 3389
access-list outside extended permit tcp any host 110.112.133.38 eq www
access-list outside extended deny udp any host 110.112.133.38
access-list outside extended permit tcp any host 110.112.133.44 eq www
access-list outside extended permit tcp any host 110.112.133.44 eq 5900
access-list outside extended permit tcp any host 110.112.133.8 eq https
! Administrative access (SSH/FTP/DB ports) restricted to one source host,
! 110.102.60.1. The "any any eq www" entry in the middle of this group is the
! broad rule mentioned above.
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.27 eq ssh
access-list outside extended permit tcp any any eq www
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.28 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.11 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.12 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.8 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.9 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.15 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.29 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.10 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.10 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.9 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.8 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.11 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.12 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.5 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.25 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.16 eq 3306
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.18 eq 3306
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.5 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.17 eq 1526
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.7 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.21 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.21 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.54 eq sqlnet
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.35 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.25 eq sqlnet
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.25 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.38 eq ssh
! All TCP ports on .33 for the admin host (no port qualifier).
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.33
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.42 eq 3389
access-list outside extended permit tcp any host 110.112.133.44
! The "inside" ACL is defined but never bound: the only access-group command
! in this listing applies the "outside" ACL. Inside-to-outside traffic is
! permitted anyway by the security-level difference (100 -> 0).
access-list inside extended permit icmp any any
access-list inside extended permit ip any any
pager lines 24
! Logging goes only to ASDM sessions at informational level; no "logging
! enable" and no syslog host appear in this listing, so nothing is retained
! off-box for later investigation.
logging asdm informational
mtu outside 1500
mtu management 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
! Pre-8.3 NAT. Outbound: the inside /24 is PAT'd to the outside interface
! address (global id 1). Inbound: one-to-one statics give each server a fixed
! public address. Note that .61 -> .51 has no dedicated ACL entry and is
! reachable only through the "any any eq www" rule, while the ACL references
! .62 and .54, for which no static appears in this listing.
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0
static (inside,outside) 110.112.133.61 172.16.0.51 netmask 255.255.255.255
static (inside,outside) 110.112.133.6 172.16.0.6 netmask 255.255.255.255
static (inside,outside) 110.112.133.7 172.16.0.7 netmask 255.255.255.255
static (inside,outside) 110.112.133.8 172.16.0.8 netmask 255.255.255.255
static (inside,outside) 110.112.133.10 172.16.0.10 netmask 255.255.255.255
static (inside,outside) 110.112.133.11 172.16.0.11 netmask 255.255.255.255
static (inside,outside) 110.112.133.12 172.16.0.12 netmask 255.255.255.255
static (inside,outside) 110.112.133.15 172.16.0.15 netmask 255.255.255.255
static (inside,outside) 110.112.133.28 172.16.0.28 netmask 255.255.255.255
static (inside,outside) 110.112.133.20 172.16.0.20 netmask 255.255.255.255
static (inside,outside) 110.112.133.23 172.16.0.23 netmask 255.255.255.255
static (inside,outside) 110.112.133.22 172.16.0.22 netmask 255.255.255.255
static (inside,outside) 110.112.133.13 172.16.0.33 netmask 255.255.255.255
static (inside,outside) 110.112.133.14 172.16.0.34 netmask 255.255.255.255
static (inside,outside) 110.112.133.24 172.16.0.41 netmask 255.255.255.255
static (inside,outside) 110.112.133.29 172.16.0.2 netmask 255.255.255.255
static (inside,outside) 110.112.133.9 172.16.0.9 netmask 255.255.255.255
static (inside,outside) 110.112.133.27 172.16.0.27 netmask 255.255.255.255
static (inside,outside) 110.112.133.26 172.16.0.26 netmask 255.255.255.255
static (inside,outside) 110.112.133.5 172.16.0.13 netmask 255.255.255.255
static (inside,outside) 110.112.133.19 172.16.0.19 netmask 255.255.255.255
static (inside,outside) 110.112.133.4 172.16.0.4 netmask 255.255.255.255
static (inside,outside) 110.112.133.16 172.16.0.56 netmask 255.255.255.255
static (inside,outside) 110.112.133.21 172.16.0.24 netmask 255.255.255.255
static (inside,outside) 110.112.133.35 172.16.0.35 netmask 255.255.255.255
static (inside,outside) 110.112.133.25 172.16.0.54 netmask 255.255.255.255
static (inside,outside) 110.112.133.38 172.16.0.38 netmask 255.255.255.255
static (inside,outside) 110.112.133.33 172.16.0.3 netmask 255.255.255.255
static (inside,outside) 110.112.133.42 172.16.0.42 netmask 255.255.255.255
static (inside,outside) 110.112.133.18 172.16.0.216 netmask 255.255.255.255
static (inside,outside) 110.112.133.44 172.16.0.44 netmask 255.255.255.255
! Binds the "outside" ACL inbound; this is the only ACL binding in the config.
access-group outside in interface outside
! Single default route via the upstream gateway on the outside /26.
route outside 0.0.0.0 0.0.0.0 110.112.133.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
! Management plane. Telnet, SSH and ASDM/HTTP sessions all authenticate
! against the LOCAL user database, which holds a single "root" user (below).
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
! ASDM is reachable from the management subnet and from any inside address.
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
! Traps are enabled but no "snmp-server host" appears in this listing to
! receive them.
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Default IPsec SA lifetimes; no crypto map or tunnel-group is configured in
! this listing, so they are not exercised.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Telnet (cleartext credentials) is open to any source on both the management
! and inside interfaces, whereas SSH is already limited to 172.16.0.0/24 on
! inside. Telnet could be dropped in favour of SSH without losing access.
! "console timeout 0" disables the serial-console idle timeout.
telnet 0.0.0.0 0.0.0.0 management
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 172.16.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
! DHCP service on the management port and on a small pool of the inside /24;
! inside clients are handed a public resolver.
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 172.16.0.210-172.16.0.220 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
! Basic threat detection plus per-ACE hit statistics are on; these are the
! only on-box detection signals, and without off-box logging (see above) they
! are only visible interactively.
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! webvpn mode is entered but nothing is enabled under it.
webvpn
username root password 5UR7s8NU670UrLPQ encrypted
!
! Application inspection: the standard default-inspection class, applied
! globally. The inspect list appears to go beyond the factory-default set by
! adding icmp and http inspection (protocol-conformance checks, not access
! control).
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3d468f00f692b6364b2485bc8a3fa65c
: end