Monday, August 21, 2017

※ Cisco ASA 5506 basic configuration:
2017.08.22
▲1、Connect to the Cisco ASA 5506 via the console port (9600, n, 8, 1).
         Default enable password: none.

▲2、ASA5506# show interface ip brief  // Lists the interface names and which interfaces exist. (The output below is from a unit already configured with the startup wizard.)
Interface                  IP-Address      OK? Method Status                 Protocol
Virtual0                   127.1.0.1       YES unset  up                     up
GigabitEthernet1/1         unassigned      YES unset  administratively down  down
GigabitEthernet1/2         unassigned      YES unset  administratively down  down
GigabitEthernet1/3         unassigned      YES unset  administratively down  down
GigabitEthernet1/4         unassigned      YES unset  administratively down  down
GigabitEthernet1/5         unassigned      YES unset  administratively down  down
GigabitEthernet1/6         unassigned      YES unset  administratively down  down
GigabitEthernet1/7         unassigned      YES unset  administratively down  down
GigabitEthernet1/8         unassigned      YES unset  administratively down  down
Internal-Control1/1        127.0.1.1       YES unset  up                     up
Internal-Data1/1           unassigned      YES unset  up                     down
Internal-Data1/2           unassigned      YES unset  up                     up
Internal-Data1/3           unassigned      YES unset  up                     up
Internal-Data1/4           169.254.1.1     YES unset  up                     up
Management1/1              10.10.10.254    YES unset  down                   down

3、Use Management1/1 as the interface for web-based configuration
ASA5506# configure terminal
ASA5506(config)# interface management 1/1
ASA5506(config-if)# nameif  MGMT
ASA5506(config-if)# ip address 10.10.10.254 255.255.255.0
ASA5506(config-if)# no shutdown

4、Enable web management
ASA5506(config)# http server enable                  // Enable the HTTP server; a browser can then connect to https://10.10.10.254 to download the Cisco ASDM-IDM Launcher management software
ASA5506(config)# http 0.0.0.0 0.0.0.0 MGMT  // Do not restrict source IPs: any address may manage the Cisco ASA 5506 via the Management1/1 interface

Cisco ASDM-IDM Launcher is the management tool commonly used for Cisco ASA firewalls.

5、Set up the web management login account and password:
ASA5506(config)# username jimmy password 12345678 privilege 15         // Account: jimmy; password: 12345678; privilege level: 15
ASA5506(config)# write memory         // Save the configuration

6、Configure GigabitEthernet1/1 as the WAN port connected to the Chunghwa Telecom modem
ASA5506(config)# interface gigabitEthernet 1/1
ASA5506(config-if)# nameif  WAN    // Some later settings refer to this interface name
ASA5506(config-if)# ip address 123.45.67.89 255.255.255.0
ASA5506(config-if)# no shutdown
ASA5506(config)# route WAN 0.0.0.0 0.0.0.0 123.45.67.254 1

7、Create a BVI interface and set GigabitEthernet1/2~1/7 to operate in Layer 2 switch mode
GUI: Configuration → Device Setup → Interface Settings → Interfaces → Add → Bridge Group Interface... → enter Interface Name and IP address → OK → Apply
interface gigabitEthernet 1/2~1/7 must be configured from the command line

ASA5506(config)# interface BVI 1
ASA5506(config-if)# description Jimmy_Subnet
ASA5506(config-if)# nameif  Inside    // Some later settings refer to this interface name
ASA5506(config-if)# security-level 100
ASA5506(config-if)# ip address 192.168.100.254 255.255.255.0
ASA5506(config)# interface gigabitEthernet 1/2
ASA5506(config-if)# no nameif
ASA5506(config-if)# bridge-group 1
ASA5506(config-if)# nameif LAN2
ASA5506(config-if)# no shutdown
ASA5506(config)# interface gigabitEthernet 1/3
ASA5506(config-if)# no nameif
ASA5506(config-if)# bridge-group 1
ASA5506(config-if)# nameif LAN3
ASA5506(config-if)# no shutdown
..... interface gigabitEthernet 1/4~7 follow the same pattern; the ASA has no interface range command.

8、Configure GigabitEthernet1/8 as the DMZ
GUI: Configuration → Device Setup → Interface Settings → Interfaces → select the interface to configure → Edit → enter Interface Name and IP address → OK → Apply
ASA5506(config)# interface GigabitEthernet1/8
ASA5506(config-if)# nameif DMZ
ASA5506(config-if)# ip address 172.16.100.254 255.255.255.0

9、Configure NAT so that GigabitEthernet1/2~1/7 can reach the Internet through GigabitEthernet1/1 (WAN).
GUI: Configuration → Firewall → NAT Rules → Add → Add "Network Object" NAT Rules...
        Type: Network
        IP Address: 192.168.100.0
        Netmask: 255.255.255.0
        Check "Add Automatic Address Translation Rules"
        Type: Dynamic PAT (Hide)
        Translated Addr: select WAN from the drop-down
ASA5506(config)# object network Jimmy_Subnet
ASA5506(config-network-object)# subnet 192.168.100.0 255.255.255.0
ASA5506(config-network-object)# description Jimmy_Subnet-NAT-to_WAN
ASA5506(config-network-object)# nat (any,WAN) dynamic interface

10、Enable DHCP on the BVI interface "Inside"
GUI: Configuration → Device Management → DHCP → DHCP Server → double-click Inside → enter the relevant information → OK → Apply
ASA5506(config)# dhcpd address 192.168.100.100-192.168.100.160 Inside
ASA5506(config)# dhcpd dns 168.95.1.1 8.8.8.8 interface Inside
ASA5506(config)# dhcpd enable Inside

11、Allow users to manage the Cisco ASA 5506 via LAN2~7, and allow 234.56.78.90 to manage the Cisco ASA 5506 via the WAN interface
GUI: Configuration → Device Management → Management Access → ASDM/HTTPS/Telnet/SSH → click Add
ASA5506(config)# http 192.168.100.0 255.255.255.0 LAN2
ASA5506(config)# http 192.168.100.0 255.255.255.0 LAN3
ASA5506(config)# http 192.168.100.0 255.255.255.0 LAN4
ASA5506(config)# http 192.168.100.0 255.255.255.0 LAN5
ASA5506(config)# http 192.168.100.0 255.255.255.0 LAN6
ASA5506(config)# http 192.168.100.0 255.255.255.0 LAN7
ASA5506(config)# http 234.56.78.90 255.255.255.255 WAN

12、Set the time zone and NTP server
GUI: Configuration → Device Setup → System Time → Clock → Time Zone → select from the drop-down → Apply
GUI: Configuration → Device Setup → System Time → NTP → Add → enter the relevant information → OK → Apply
ASA5506(config)# clock timezone CST 8
ASA5506(config)# ntp server 118.163.81.61 source WAN prefer
ASA5506(config)# ntp server 211.22.103.158 source WAN

13、Allow ping to the outside
GUI: Configuration → Firewall → Service Policy → global_policy → Edit → Rule Actions → check the ICMP option → OK → Apply
ASA5506# configure terminal
ASA5506(config)# policy-map ?
        configure mode commands/options:
        WORD < 129 char  policy-map name
        type             Specifies the type of policy-map
ASA5506(config)# policy-map global_policy
ASA5506(config-pmap)# class ?
        mpf-policy-map mode commands/options:
        WORD
        configure mode commands/options:
        WORD < 129 char
ASA5506(config-pmap)# class inspection_default
ASA5506(config-pmap-c)# inspect icmp

14、Allow users to manage the Cisco ASA 5506 over SSH via the MGMT interface
GUI: Configuration → Device Management → Management Access → ASDM/HTTPS/Telnet/SSH → click Add
ASA5506(config)# crypto key generate rsa modulus 512
ASA5506(config)# ssh 0.0.0.0 0.0.0.0 MGMT
ASA5506(config)# ssh timeout 5    // unit: minutes
ASA5506(config)# aaa authentication ssh console LOCAL
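Steps 4, 5, 11 and 14 above open management access and generate the SSH key. The script below is an added example, not part of this post or any Cisco tool: it audits those commands, as typed, for settings a reviewer would ask to tighten (management access open to 0.0.0.0/0, an RSA modulus below the assumed 2048-bit threshold, a short or all-digit local password). The sample command list is constructed from this post's own lines; the thresholds MIN_RSA_BITS and MIN_PW_LEN are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the management-access commands from this post, as typed.
SAMPLE_COMMANDS = """
http server enable
http 0.0.0.0 0.0.0.0 MGMT
username jimmy password 12345678 privilege 15
http 192.168.100.0 255.255.255.0 LAN2
http 234.56.78.90 255.255.255.255 WAN
crypto key generate rsa modulus 512
ssh 0.0.0.0 0.0.0.0 MGMT
ssh timeout 5
aaa authentication ssh console LOCAL
"""

MIN_RSA_BITS = 2048   # assumed policy threshold for this example
MIN_PW_LEN = 12       # assumed policy threshold for this example

ACCESS_RE = re.compile(r"^(http|ssh|telnet)\s+(\S+)\s+(\S+)\s+(\S+)$")
USER_RE = re.compile(r"^username\s+(\S+)\s+password\s+(\S+)")
RSA_RE = re.compile(r"^crypto key generate rsa\b(?:.*\bmodulus\s+(\d+))?")

@dataclass
class Finding:
    command: str
    reason: str

def audit(commands: str) -> list[Finding]:
    """Return one Finding per management-access weakness in the given commands."""
    findings = []
    for raw in commands.splitlines():
        cmd = raw.strip()
        if m := ACCESS_RE.match(cmd):          # http/ssh/telnet <addr> <mask> <ifname>
            proto, addr, mask, ifname = m.groups()
            if proto == "telnet":
                findings.append(Finding(cmd, "telnet is cleartext; use ssh"))
            if (addr, mask) == ("0.0.0.0", "0.0.0.0"):
                findings.append(Finding(cmd, f"{proto} access open to any source on {ifname}"))
            elif ifname.upper() == "WAN" and mask != "255.255.255.255":
                findings.append(Finding(cmd, f"{proto} access from a whole WAN-side subnet"))
        elif m := USER_RE.match(cmd):          # local user with an inline password
            user, pw = m.groups()
            if len(pw) < MIN_PW_LEN or pw.isdigit():
                findings.append(Finding(cmd, f"password for {user} is short or digits only"))
        elif m := RSA_RE.match(cmd):           # SSH host key generation
            bits = m.group(1)
            if bits is None:
                findings.append(Finding(cmd, "modulus not given; verify with 'show crypto key mypubkey rsa'"))
            elif int(bits) < MIN_RSA_BITS:
                findings.append(Finding(cmd, f"RSA modulus {bits} is below {MIN_RSA_BITS}"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_COMMANDS):
        print(f"{f.reason:60} <- {f.command}")
```

Run as-is it reports four findings for the post's commands; the same audit returns nothing once management access is limited to the admin subnet, the modulus is raised and the password is lengthened.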

15、Configure the banners
GUI: Configuration → Device Management → Management Access → Command Line (CLI) → Banner
ASA5506(config)#banner exec        ##### A C C E S S - W A R N I N G !#####
ASA5506(config)#banner exec This is a Private computer system. Unauthorized access
ASA5506(config)#banner exec or use is prohibited and only authorized users are permitted.
ASA5506(config)#banner exec
ASA5506(config)#banner exec
ASA5506(config)#banner login                *** W A R N I N G ***
ASA5506(config)#banner login  Unauthorized access prohibited. All access is
ASA5506(config)#banner login  monitored, and trespassers shall be prosecuted
ASA5506(config)#banner login  to the fullest extent of the law.
ASA5506(config)#banner login
ASA5506(config)#banner login
ASA5506(config)#banner motd *** UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED ! ***
ASA5506(config)#banner motd
ASA5506(config)#banner motd
ASA5506(config)#banner asdm
ASA5506(config)#banner asdm ###################################################
ASA5506(config)#banner asdm                 ***IMPORTANT NOTICES***
ASA5506(config)#banner asdm            You have logged in to a Secure Device!!!
ASA5506(config)#banner asdm         If you are not authorized to access this device,
ASA5506(config)#banner asdm log out immediately or risk possible criminal consequences.
ASA5506(config)#banner asdm ###################################################

16、Other commonly used commands:
ASA5506# copy running-config startup-config   // Save the configuration, command 1
ASA5506# write memory                          // Save the configuration, command 2   (use either command 1 or command 2)
ASA5506# show running-config               // Show the current running configuration
ASA5506# show version                           // Show the version
ASA5506# show ip address                // Show the IP address of each interface
ASA5506# show interface ip brief     // Show the link status of each interface
ASA5506# reload                                  // Reboot. ※ There is no power-off command!

17、Backing up the configuration from the GUI:
GUI: Cisco ASDM-IDM Launcher → Tools → Backup Configurations