Cisco/chapter.firewall.asa.xml at master · Qingfenglv/Cisco · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
<?xml version="1.0" encoding="UTF-8"?>
<section id="asa">
	<title>Cisco ASA Firewall</title>
	<section id="asa.start">
		<title>Console 登录</title>
		<screen>
		<![CDATA[
ciscoasa> en
Password:
ciscoasa# show run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2ca307ae725244ecf965030aa8ee6a2b
: end
ciscoasa#
		]]>
		</screen>
		<section>
			<title>清除配置文件</title>
			<screen>
ciscoasa# conf t
ciscoasa(config)# clear config all
WARNING: DHCPD bindings cleared on interface 'management', address pool removed
ciscoasa(config)#
			</screen>
		</section>
	</section>
	<section id="asa.management">
		<title>Management0/0</title>
		<para>使用静态IP地址</para>
		<screen>
ciscoasa(config-if)# no dhcpd address 192.168.1.2-192.168.1.254 management
ciscoasa(config)# no dhcpd enable management
ciscoasa(config)# interface Management0/0
ciscoasa(config-if)# ip address 192.168.3.254 255.255.255.0
Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.
		</screen>
		<para>使用DHCP分配IP地址</para>
		<screen>
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
Waiting for the earlier webvpn instance to terminate...
Previous instance shut down. Starting a new one.
ciscoasa(config-if)# dhcpd address 192.168.1.2-192.168.1.254 management
ciscoasa(config)# dhcpd enable management
ciscoasa(config)#
		</screen>
	</section>
	<section id="asa.interface">
		<title>接口配置</title>
		<screen>
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 172.16.0.2 255.255.255.0
ciscoasa(config-if)# no shutdown


ciscoasa(config-if)# interface GigabitEthernet1/0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.3.254 255.255.255.0
ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                172.16.0.2      255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual
GigabitEthernet1/0       inside                 192.168.3.254   255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                172.16.0.2      255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual
GigabitEthernet1/0       inside                 192.168.3.254   255.255.255.0   manual
		</screen>
		<section>
			<title>子接口</title>
			<screen>
interface GigabitEthernet1/0.1
 no vlan
 no nameif
 no security-level
 ip address 172.16.7.254 255.255.255.0
			</screen>
		</section>
	</section>
	<section id="asa.route">
		<title>route</title>
		<screen>
ciscoasa(config)# route outside 0 0 172.16.0.1
show route
		</screen>
	</section>
	<section id="asa.acl">
		<title>ACL</title>
		<section>
			<title>Blacklist</title>
			<para>黑名单规则</para>
			<screen>
access-list outside extended permit icmp any any
access-list outside deny ip any any
access-list outside extended permit tcp any any eq www
access-list outside extended permit tcp any any eq https
access-list outside extended permit tcp any host 28.6.7.23 eq ftp
access-list outside permit tcp any host 202.96.134.133 eq www
access-list outside permit ip any host 133.11.20.21 eq ftp
access-group outside in interface outside
			</screen>
		</section>
		<section>
			<title>Whitelist</title>
			<para>白名单规则</para>
			<screen>
access-list outside extended permit ip any any
access-list outside extended permit icmp any any
access-list outside extended permit tcp any any
access-list outside extended permit udp any any
access-list outside deny ip any host 192.168.0.1
access-list outside deny ip any host 192.168.0.2 eq www
access-group outside in interface outside
			</screen>
		</section>
		<section id="object-group">
			<title>object-group</title>
			<para>下面是一个简单的黑白名单实例</para>
			<screen>
object-group network blacklist
 description deny ip to example.com
 network-object 61.191.55.0 255.255.255.0
 network-object host 61.190.10.181
 network-object host 61.190.10.182
 network-object host 61.190.10.183
 network-object host 61.191.55.248
 network-object host 61.190.10.181
 network-object host 61.185.114.87
 network-object host 60.210.111.236
 network-object host 218.64.182.105
 network-object host 210.51.51.157
 network-object host 63.221.138.204
 network-object host 119.188.10.163

access-list outside extended deny tcp object-group blacklist host 120.12.14.7

object-group network whitelist
 description deny ip to example.com
 network-object 61.191.50.0 255.255.255.0
 network-object host 61.190.10.18
 network-object host 61.191.55.24
 network-object host 61.190.10.18
 network-object host 61.185.114.8
 network-object host 60.210.111.23
 network-object host 218.64.182.10
 network-object host 210.51.51.15
 network-object host 63.221.138.20
 network-object host 119.188.10.16
access-list outside extended permit tcp object-group whitelist host 120.12.14.7
			</screen>
			<para>端口实例</para>
			<screen>
object-group network dbhost
 description database
 network-object 172.16.4.0 255.255.255.0
 network-object 172.16.5.0 255.255.255.0
object-group service dbport tcp
 description database
 port-object eq 3306
 port-object eq 2521
 port-object eq 5432
object-group network www
 description www
 network-object 172.16.4.0 255.255.255.0
 network-object 172.16.5.0 255.255.255.0
object-group service webport tcp
 description database
 port-object eq www
 port-object range 81 88


access-list outside extended permit tcp object-group dbhost host 172.16.4.10 object-group dbport
access-list outside extended permit tcp any object-group webport any
			</screen>
		</section>
		<section>
			<title>Example</title>
			<screen>
access-list outside extended permit icmp any any
access-list outside extended permit tcp any any eq www
access-list outside extended permit tcp any any eq ssh
access-list outside extended permit udp any host 120.112.13.20 eq domain
access-list outside extended permit udp any host 120.112.13.23 eq domain
access-list outside extended permit tcp any host 120.112.13.18 eq ssh
access-list outside extended permit tcp any host 120.112.13.7 eq ftp
access-list outside extended permit tcp any host 120.112.13.21 eq www
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.27 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.28 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.11 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.12 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.8 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.9 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.15 eq ssh
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.29 eq ftp
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.10 eq ftp
access-list outside extended permit tcp host 113.106.63.1 host 120.112.13.10 eq ssh
access-list outside deny ip 192.168.0.0 0.255.255.255 any
access-list outside deny ip 127.0.0.0 0.255.255.255 any
access-list outside extended permit tcp any host 120.112.13.33
access-list outside permit ip any any

access-list inside extended permit icmp any any
access-list inside extended permit ip any any
			</screen>
			<screen>
ciscoasa(config)# access-list outside permit icmp any any
ciscoasa(config)# access-group outside in interface outside
ciscoasa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside; 1 elements; name hash: 0x1a47dec4
access-list outside line 1 extended permit icmp any any (hitcnt=0) 0x390a154c
			</screen>
			<para>extended关键字可能省略 access-list outside permit ip any any，另外我比较喜欢用nameif做acl 名称，这样比较直观如： outside，你也可以使用传统100，101什么的</para>
		</section>
	</section>
	<section id="asa.nat">
		<title>配置NAT映射</title>
		<para>把inside区域的所有地址进行映射，映射为outside端口的那个公网IP地址。</para>
		<screen>
globle (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
		</screen>
		<para>指定其他IP</para>
		<screen>
asa(config)#nat(inside) 1 192.168.1.1 255.255.255.0
asa(config)#global(outside) 1 222.240.254.193 255.255.255.248
		</screen>
		<para>定义的地址池</para>
		<screen>
asa(config)#nat (inside) 0 192.168.1.1 255.255.255.255     //表示192.168.1.1这个地址不需要转换。直接转发出去。
asa(config)#global (outside) 1 133.1.0.1-133.1.0.14      //定义的地址池
asa(config)#nat (inside) 1 0 0                           //0 0表示转换网段中的所有地址。定义内部网络地址将要翻译成的全局地址或地址范围
		</screen>
		<para>我的配置</para>
		<screen>
global (outside) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
		</screen>
		<section id="asa.nat.ip">
			<title>IP 映射</title>
			<screen>
static (inside,outside) 222.24.24.2 192.168.1.2
static (inside,outside) 222.24.24.2 192.168.1.2 4096 32
			</screen>
			<para>后面的4096为限制连接数，32为限制的半开连接数。</para>
			<screen>
asa(config)#static (dmz,outside) 13.1.0.2 10.65.1.102        ;静态NAT
asa(config)#static (inside,dmz) 10.66.1.20 10.66.1.20        ;静态NAT
			</screen>
		</section>
		<section id="asa.nat.port">
			<title>端口映射</title>
			<screen>
static (inside,outside) tcp 61.144.203.40 80 192.168.0.116 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 61.144.203.40 20 192.168.0.116 20 netmask 255.255.255.255 0 0
static (inside,outside) 221.221.147.195 192.168.0.10 netmask 255.255.255.255 tcp 8089 0
			</screen>
		</section>
	</section>
	<section id="asa.timeout">
		<title>timeout</title>
		<screen>
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
		</screen>
	</section>
	<section id="asa.dhcpd">
		<title>DHCP</title>
		<section>
			<title>management</title>
			<screen>
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
			</screen>
		</section>
		<section>
			<title>inside</title>
			<screen>
dhcpd address 192.168.1.100-192.168.1.199 inside 					设置DHCP服务器地址池
dhcpd dns 208.67.222.222 208.67.220.220 interface inside 			设置DNS服务器到内网端口
dhcpd enable inside 												设置DHCP应用到内网端口
			</screen>
		</section>
	</section>
	<section id="asa.snmp">
		<title>SNMP</title>
		<screen>
snmp-server host inside 172.16.1.2
snmp-server location GuangDong
snmp-server contact neo.chen@example.com
snmp-server community public
		</screen>
	</section>
	<section id="asa.login">
		<title>用户登录</title>
		<para>创建用户</para>
		<screen>
username cisco password cisco									#明文密码
username cisco password 3USUcOPFUiMCO4Jk encrypted				#加密密码
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15 #不需要enable密码
		</screen>
		<para>匹配地址 	172.16.0.1 255.255.255.255</para>
		<para>匹配网段	172.16.0.0 255.255.255.0</para>
		<para>所有地址	0.0.0.0 0.0.0.0</para>
		<section>
			<title>Telnet</title>
			<screen>
username cisco password cisco
aaa authentication telnet console LOCAL
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
			</screen>
		</section>
		<section>
			<title>SSH</title>
			<screen>
1) username xxxx password xxxx
2) passwd xxxxx
3) ssh x.x.x.x x.x.x.x {inside/outside}
4) crypto key generate rsa modulus {512/768/1024/2048}
5) aaa authentication ssh console LOCAL
			</screen>
			<screen>
username cisco password cisco
passwd cisco
ssh 172.16.0.1 255.255.255.255 outside
crypto key generate rsa modulus 2048
aaa authentication ssh console LOCAL
			</screen>
		</section>
	</section>
	<section id="asa.vpn">
		<title>VPN</title>
		<section>
			<title>site to site</title>
		</section>
		<section>
			<title>webvpn</title>
		</section>
	</section>
	<section id="asa.ervice-policy">
		<title>service-policy</title>
		<screen>
ciscoasa(config)# access-list TEST200K permit ip host x.x.x.x any
ciscoasa(config)# class-map internet
ciscoasa(config-cmap)# match access-list TEST200K

ciscoasa(config)# policy-map out-police
ciscoasa(config-pmap)# class internet

ciscoasa(config-pmap-c)# police output 200000 1000 conform-action transmit exceed-action drop

ciscoasa(config)# service-policy out-police interface outside
		</screen>
		<para>使用NAT映射后应该配置到inside接口上</para>
		<screen>
access-list 200k extended permit ip any host x.x.x.x
access-list 500k extended permit ip any host x.x.x.x

class-map 200k
    match access-list 200k
policy-map limit200k
    class 200k
        police input 2096000 1048
        police output 2096000 1048
service-policy limit200k interface inside

class-map 500k
    match access-list 500k
policy-map limit500k
    class 500k
        police input 2096000 1048
        police output 2096000 1048
service-policy limit500k interface inside
		</screen>
	</section>
	<section id="asa.failover">
		<title>failover</title>
		<screen>
interface GigabitEthernet1/1
!
interface GigabitEthernet1/1.1
 description STATE Failover Interface
 vlan 2
!
interface GigabitEthernet1/1.2
 description LAN Failover Interface
 vlan 3
!

failover
failover lan unit primary
failover lan interface failover GigabitEthernet1/1.2
failover link state GigabitEthernet1/1.1
failover interface ip failover 172.16.10.1 255.255.255.248 standby 172.16.10.2
failover interface ip state 172.16.10.9 255.255.255.248 standby 172.16.10.10
		</screen>
		<screen>
ciscoasa# show failover state

               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         Ifc Failure              14:49:44 UTC Oct 26 2011
                              outside: No Link
Other host -   Secondary
               Standby Ready  Comm Failure             16:27:18 UTC Oct 26 2011

====Configuration State===
	Sync Done
====Communication State===
	Mac set
		</screen>
	</section>
	<section id="transparent">
		<title>透明防火墙(transparent)</title>
		<screen>
ciscoasa(config)# firewall transparent
ciscoasa(config)# show firewall
Firewall mode: Transparent
		</screen>
		<screen>
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet1/0
 nameif inside
 security-level 100
!
access-list outside extended permit icmp any any
access-list outside extended permit ip any any
access-list outside extended permit udp any any
access-list outside extended permit tcp any any

access-group outside in interface outside

ip address 192.168.0.247 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.254

asdm image disk0:/asdm-645.bin

http server enable
http 0.0.0.0 0.0.0.0 inside
		</screen>
		<example>
			<title>firewall transparent</title>
			<screen>
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(5)
!
firewall transparent
hostname ciscoasa
enable password zXKclT3IcSf6EDMe encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 management-only
!
interface GigabitEthernet1/0
 nameif inside
 security-level 100
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
!
ftp mode passive
access-list outside extended permit icmp any any
access-list outside extended permit ip any any
access-list outside extended permit udp any any
access-list outside extended permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 192.168.0.6 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:30eb28a5a6b73fb3638eb279d27086c1
: end
			</screen>
		</example>
	</section>
	<section id="logging">
		<title>logging</title>
		<para>http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html</para>
		<screen>
logging enable
logging timestamp
logging trap warnings
logging host inside 172.16.1.9
logging facility local0
		</screen>
		<screen>
		<![CDATA[

ciscoasa(config)# logging trap ?


configure mode commands/options:

  <0-7>          Enter syslog level (0 - 7)

  WORD           Specify the name of logging list

  alerts         Immediate action needed           (severity=1)

  critical       Critical conditions               (severity=2)

  debugging      Debugging messages                (severity=7)

  emergencies    System is unusable                (severity=0)

  errors         Error conditions                  (severity=3)

  informational  Informational messages            (severity=6)

  notifications  Normal but significant conditions (severity=5)

  warnings       Warning conditions                (severity=4)

ciscoasa(config)# logging trap informational

ciscoasa(config)# logging trap notifications
		]]>
		</screen>
	</section>
	<section id="ntp">
		<title>ntp</title>
		<screen>
		<![CDATA[
ciscoasa(config)# ntp server 172.16.0.5

ciscoasa(config)# clock timezone GMT +8

ciscoasa(config)# clock timezone EST +8

ciscoasa(config)# sh clock detail

18:47:06.931 EST Fri Jan 6 2012

Time source is NTP

UTC time is: 10:47:06 UTC Fri Jan 6 2012


ciscoasa(config)# sh ntp status

Clock is synchronized, stratum 4, reference is 172.16.3.52

nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6

reference time is d2b14f98.93025c85 (18:46:48.574 EST Fri Jan 6 2012)

clock offset is -11.4445 msec, root delay is 309.22 msec

root dispersion is 497.94 msec, peer dispersion is 391.02 msec


ciscoasa(config)# clock timezone UTC +8

ciscoasa(config)# sh ntp status

Clock is synchronized, stratum 4, reference is 172.16.3.52

nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6

reference time is d2b15000.8fce7067 (18:48:32.561 UTC Fri Jan 6 2012)

clock offset is -10.7866 msec, root delay is 309.19 msec

root dispersion is 124.11 msec, peer dispersion is 16.31 msec


ciscoasa(config)# clock timezone CST 8

ciscoasa(config)# sh ntp status

Clock is synchronized, stratum 4, reference is 172.16.3.52

nominal freq is 99.9984 Hz, actual freq is 99.9985 Hz, precision is 2**6

reference time is d2b15040.8f989fe3 (18:49:36.560 CST Fri Jan 6 2012)

clock offset is -17.1219 msec, root delay is 309.23 msec

root dispersion is 136.72 msec, peer dispersion is 21.61 msec
		]]>
		</screen>
	</section>
	<section id="asdm">
		<title>asdm</title>
		<screen>
asdm image disk0:/asdm-645.bin
		</screen>
	</section>
	<section>
		<title>备份配置文件</title>
		<para>我建议你放弃tftp,目前主流设备都支持很多协议。我比较喜欢使用ftp</para>
		<screen>
ciscoasa# copy running-config ftp://test:your_pasword@172.16.0.2

Source filename [running-config]?

Address or name of remote host [172.16.1.2]?

Destination username [test]?

Destination password [******]?

Destination filename [running-config]?
Cryptochecksum: e5bb0305 02196b08 59efc7e5 9b4e1132
!!!!!!
19447 bytes copied in 3.900 secs (6482 bytes/sec)
		</screen>
	</section>
</section>