Views: 2036 | Replies: 1

ASA Configuration Notes

Author: 亚星游戏官网-yaxin222 (rank: Colonel)
Registered: 2008-1-3
Posted on 2008-3-5 08:02:00
1. Common tips

sh ru ntp               shows the NTP-related configuration
sh ru crypto            shows the VPN-related configuration
sh ru | inc crypto      is only keyword filtering of the output

2. Failover

failover
failover lan unit primary
failover lan interface testint Ethernet0/3
failover link testint Ethernet0/3
failover mac address Ethernet0/1 0018.1900.5000 0018.1900.5001
failover mac address Ethernet0/0 0018.1900.4000 0018.1900.4001
failover mac address Ethernet0/2 0018.1900.6000 0018.1900.6001
failover mac address Management0/0 0018.1900.7000 0018.1900.7001
failover interface ip testint 10.3.3.1 255.255.255.0 standby 10.3.3.2

Note: it is best to configure virtual MAC addresses.

sh failover       shows the failover configuration and state
write standby     writes the configuration to the standby firewall

The failover command set is as follows:

configure mode commands/options:
  interface          Configure the IP address and mask to be used for failover
                     and/or stateful update information
  interface-policy   Set the policy for failover due to interface failures
  key                Configure the failover shared secret or key
  lan                Specify the unit as primary or secondary or configure the
                     interface and vlan to be used for failover communication
  link               Configure the interface and vlan to be used as a link for
                     stateful update information
  mac                Specify the virtual mac address for a physical interface
  polltime           Configure failover poll interval
  replication        Enable HTTP (port 80) connection replication
  timeout            Specify the failover reconnect timeout value for
                     asymmetrically routed sessions

The sh failover command set is as follows:

  history      Show failover switching history
  interface    Show failover command interface information
  state        Show failover internal state information
  statistics   Show failover command interface statistics information
  |            Output modifiers
  <cr>

3. Configuring telnet, ssh and http management

username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http 192.168.40.0 255.255.255.0 management
ssh 192.168.40.0 255.255.255.0 inside

4. Common VPN management commands

sh vpn-sessiondb full l2l          shows the state of the site-to-site VPN tunnels
sh ipsec stats                     shows the IPsec tunnel statistics
sh vpn-sessiondb summary           shows the VPN summary
sh vpn-sessiondb detail l2l        shows IPsec details
sh vpn-sessiondb detail svc        shows SSL client information
sh vpn-sessiondb detail webvpn     shows WebVPN information
sh vpn-sessiondb detail full l2l   the equivalent of `ipsec whack --status` on Linux; if no connection is listed, the IPsec tunnel has not been established

5. Configuring access permissions

Object groups can be created and given different permissions, for example:

    object-group network testgroup
     description test
     network-object 192.168.100.34 255.255.255.255
    access-list inside_access_in line 2 extended permit ip object-group testgroup any
    access-group inside_access_in in interface inside

(The access-list entry references the testgroup object group defined above.)

6. Configuring a site-to-site VPN

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 218.16.105.48
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 218.16.105.48 type ipsec-l2l
tunnel-group 218.16.105.48 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group-map enable rules

Note: enable PFS and use the IP address as the peer name; an interface can have only one crypto map.

7. WebVPN configuration (SSL VPN)

webvpn
 enable outside
 character-encoding gb2312
 csd image disk0:/securedesktop-asa-3.1.1.16.pkg
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc enable
customization customization1
  title text TEST WebVPN system
  title style background-color:white;color: rgb(51,153,0);border-bottom:5px groove #669999;font-size:larger;vertical-align:middle;text-align:left;font-weight:bold
 tunnel-group-list enable

Note: this can also be configured through the ASDM graphical interface.

After logging in, internal resources can be accessed as in the following example (the client must first install the Java plugin jre-1_5_0-windows-i586.exe and enable ActiveX in the browser):

1) Open https://sslvpn.test.com.cn and enter the username and password
2) A toolbar appears
3) Enter 192.168.40.8 in "Enter Web Address" to reach the internal website
4) Enter 192.168.40.8 in "Browse Network" to reach the shared files
5) Click "Application Access" to see the port-forwarding settings; for example, pointing PuTTY at local port 2023 gives an SSH login to 192.168.40.8

8. Remote-access (dial-in) VPN

The relevant ASA configuration commands are:

access-list inside_access_in extended permit ip object-group remotegroup any
access-list inside_access_in extended permit icmp object-group remotegroup any
access-list remotevpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
ip local pool dialuserIP 192.168.101.1-192.168.101.254 mask 255.255.255.0
group-policy remotevpn attributes
 dns-server value 202.96.128.68 192.168.40.16
 default-domain value test.com.cn
username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
 address-pool dialuserIP
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key *

The client-side settings are as follows:

9. Syslog server configuration

logging enable
logging timestamp
logging emblem
logging trap informational
logging asdm warnings
logging host inside 192.168.40.115 format emblem
logging permit-hostdown
 vpn-simultaneous-logins 3

10. SNMP management configuration

snmp-server host inside 192.168.40.47 community testsnmp
snmp-server location DG-GTEST
snmp-server contact jiangdaoyou:6162
snmp-server community testsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart

Note: only after the host is specified can 192.168.40.47 manage the device.

11. ACS configuration

After installation, manage it at http://ip:2002. ACS provides authorization, authentication and many other functions.
Omitted here for now because there is too much material.

12. AAA configuration

AAA server configuration:

aaa-server radius_dg protocol radius
aaa-server radius_dg host dc03.xxxx.com
 key dfdfdfdf146**U
 authentication-port 1812
 accounting-port 1813
 radius-common-pw dfdfdfdf146**U

(The `protocol radius` line defines the server group; the ASA requires it before a host can be added to the group.)

Configuration for dial-in VPN:

tunnel-group vg_testerp general-attributes
 address-pool ciscovpnuser
 authentication-server-group radius_dg
 default-group-policy vg_testerp

13. Upgrading the IOS image

copy tftp://192.168.40.180/asa/asa721-k8.bin disk0:/asa721-k8.bin
boot system disk0:/asa721-k8.bin   (used when there are several images)

14. Troubleshooting

1) From a remote subnet the peer's gateway cannot be pinged, e.g. from Wuxi Gelan you cannot ping 192.168.40.251.
   Enter the command: management-access inside (this setting cannot be made through ASDM)
2) NAT sometimes does not take effect quickly.
   Use the command: clear xlate
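The management, VPN, SNMP and syslog settings in sections 3, 6, 8, 10 and 12 above contain several choices a reviewer would flag today: Telnet management, DES/3DES and MD5 in transform sets and IKE policies, DH group 2, `peer-id-validate nocheck`, SNMP v1/v2c community strings and syslog over UDP. The following audit script is an added example, not part of the original post and not a Cisco tool. It walks a constructed running-config assembled from the post's own snippets (with a `telnet` line added so that check fires; the passwords and keys are placeholders) and reports each weak setting with its line number. The rule names and the "weak" cut-offs are my own assumptions, and only the flat command forms used in the post are parsed.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


# Algorithms that should no longer appear in a transform-set or IKE policy.
# Assumption: these cut-offs are the example's own, not a vendor recommendation.
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}

# Constructed sample running-config (assembled from the post's snippets; the
# 'telnet' line is added so that check has something to find).
SAMPLE_CONFIG = """\
username jiang password Csmep3VzvPQPCbkx encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http 192.168.40.0 255.255.255.0 management
ssh 192.168.40.0 255.255.255.0 inside
telnet 192.168.40.0 255.255.255.0 inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 set peer 218.16.105.48
crypto map outside_map 20 set transform-set ESP-3DES-SHA
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
tunnel-group 218.16.105.48 type ipsec-l2l
tunnel-group 218.16.105.48 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
snmp-server host inside 192.168.40.47 community testsnmp
snmp-server community testsnmp
logging host inside 192.168.40.115 format emblem
"""


def audit_asa_config(config: str) -> List[Finding]:
    """Walk a running-config line by line and return the weak settings found.

    Only flat command forms such as 'isakmp policy 10 encryption 3des' are parsed;
    indented sub-mode lines are examined only for 'peer-id-validate nocheck'.
    """
    findings: List[Finding] = []
    for line_no, raw in enumerate(config.splitlines(), start=1):
        tokens = raw.strip().split()
        if not tokens:
            continue
        head = tokens[0]
        if head == "telnet" and len(tokens) >= 4:
            findings.append(Finding(line_no, "telnet-enabled",
                f"cleartext management from {tokens[1]} {tokens[2]} on {tokens[3]}; use ssh instead"))
        elif head in ("ssh", "http") and len(tokens) >= 4 and tokens[1] == tokens[2] == "0.0.0.0":
            findings.append(Finding(line_no, "mgmt-open-to-any",
                f"{head} management allowed from any source on {tokens[3]}"))
        elif head == "crypto" and tokens[1:2] == ["ipsec"] and "transform-set" in tokens:
            algs = tokens[tokens.index("transform-set") + 2:]   # skip the set name
            weak = sorted(WEAK_ESP.intersection(algs))
            if weak:
                findings.append(Finding(line_no, "weak-transform-set", "uses " + ", ".join(weak)))
        elif head in ("isakmp", "crypto") and "policy" in tokens:
            idx = tokens.index("policy")                         # '... policy <n> <attr> <value>'
            if len(tokens) >= idx + 4:
                attr, value = tokens[idx + 2], tokens[idx + 3]
                if attr == "encryption" and value in WEAK_IKE_ENCRYPTION:
                    findings.append(Finding(line_no, "weak-ike-encryption", f"IKE encryption {value}"))
                elif attr == "hash" and value in WEAK_IKE_HASH:
                    findings.append(Finding(line_no, "weak-ike-hash", f"IKE hash {value}"))
                elif attr == "group" and value in WEAK_DH_GROUPS:
                    findings.append(Finding(line_no, "weak-ike-dh-group",
                        f"DH group {value} (1536-bit modulus or smaller)"))
        elif tokens == ["peer-id-validate", "nocheck"]:
            findings.append(Finding(line_no, "peer-id-not-validated",
                "tunnel-group accepts any peer identity; use 'peer-id-validate req'"))
        elif head == "snmp-server" and "community" in tokens:
            findings.append(Finding(line_no, "snmp-v2c-community",
                "v1/v2c community string in use; prefer SNMPv3 with auth and priv"))
        elif head == "logging" and tokens[1:2] == ["host"] and not any(t.startswith("tcp") for t in tokens):
            findings.append(Finding(line_no, "syslog-udp",
                "syslog sent over UDP (the default); messages can be lost or spoofed"))
    return findings


if __name__ == "__main__":
    for f in audit_asa_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3}  {f.rule:<22} {f.detail}")
```

Run it against `show running-config` output saved to a file to get the same line-numbered report; the `ssh`/`http` rule only fires for a 0.0.0.0 source, which the post's own management lines correctly avoid.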

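Section 9 above ships syslog at level informational to the collector at 192.168.40.115. The following detection script is an added example, not from the post and not an ASA feature: it shows what that collector can do with the messages. It parses the `%ASA-<severity>-<message-id>:` header that every ASA syslog message carries, counts denied management logins (message 605004) per source address, records permitted ones (605005), and flags configuration commands that disable logging (message 111008). The sample lines are constructed for this example; the deny threshold and the list of flagged command prefixes are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Header every ASA syslog message carries, whatever the transport prefix looks like
ASA_HEADER = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# 605004 / 605005: management login denied / permitted
LOGIN = re.compile(
    r'Login (?P<result>permitted|denied) from (?P<src>[\d.]+)/\d+ '
    r'to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<svc>\w+) for user "(?P<user>[^"]*)"'
)
# 111008: a configuration command executed by an authenticated user
COMMAND = re.compile(r"User '(?P<user>[^']*)' executed the '(?P<cmd>[^']*)' command")
# Commands that blind the collector (assumption: list chosen for this example)
LOGGING_TAMPER_PREFIXES = ("no logging", "clear logging")

# Constructed sample (not real traffic); only the %ASA header onward matters
SAMPLE_LOG = """\
Mar  5 08:02:01 asa1 %ASA-6-605005: Login permitted from 192.168.40.5/51234 to inside:192.168.40.1/ssh for user "jiang"
Mar  5 08:02:07 asa1 %ASA-6-605004: Login denied from 203.0.113.9/40001 to outside:198.51.100.1/https for user "admin"
Mar  5 08:02:08 asa1 %ASA-6-605004: Login denied from 203.0.113.9/40002 to outside:198.51.100.1/https for user "cisco"
Mar  5 08:02:09 asa1 %ASA-6-605004: Login denied from 203.0.113.9/40003 to outside:198.51.100.1/https for user "root"
Mar  5 08:02:15 asa1 %ASA-6-605004: Login denied from 192.168.40.5/51240 to inside:192.168.40.1/ssh for user "jiang"
Mar  5 08:03:02 asa1 %ASA-5-111008: User 'jiang' executed the 'no logging enable' command.
Mar  5 08:03:10 asa1 %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.40.8/51000 (198.51.100.1/51000)
"""


def parse_asa_line(line: str) -> Optional[Dict[str, str]]:
    """Return severity, message id and message text, or None for a non-ASA line."""
    m = ASA_HEADER.search(line)
    if not m:
        return None
    return {"sev": m.group("sev"), "msgid": m.group("msgid"), "text": m.group("text")}


def triage(log: str, deny_threshold: int = 3) -> Dict[str, object]:
    """Summarise management-login failures, successes and logging tampering."""
    denied_by_src: Counter = Counter()
    permitted: List[Dict[str, str]] = []
    tampering: List[Dict[str, str]] = []
    for raw in log.splitlines():
        msg = parse_asa_line(raw)
        if msg is None:
            continue
        if msg["msgid"] in ("605004", "605005"):
            m = LOGIN.search(msg["text"])
            if not m:
                continue
            if m.group("result") == "denied":
                denied_by_src[m.group("src")] += 1
            else:
                permitted.append({"user": m.group("user"), "src": m.group("src"), "svc": m.group("svc")})
        elif msg["msgid"] == "111008":
            m = COMMAND.search(msg["text"])
            if m and m.group("cmd").startswith(LOGGING_TAMPER_PREFIXES):
                tampering.append({"user": m.group("user"), "cmd": m.group("cmd")})
    return {
        # sources with at least deny_threshold failed management logins, busiest first
        "brute_force": [(src, n) for src, n in denied_by_src.most_common() if n >= deny_threshold],
        "permitted": permitted,
        "logging_tampering": tampering,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Because the regex anchors on the `%ASA-` header rather than on the syslog prefix, the same parser works on lines captured in either the default or the EMBLEM format that the post configures. A single failed login from the legitimate management host stays below the threshold, while the three failures from 203.0.113.9 against the outside interface are reported.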

Copyright © 1999-2023 C114 All Rights Reserved
