ASA 8.4 command parsing

2025-01-20 Update From: SLTechnology News&Howtos (Network Security)


Shulou(Shulou.com)06/01 Report--

A previously published article covered ASA version 8.0. After moving to 8.4 I found that many of the commands differ, so this is a dedicated 8.4 version of the configuration that can be compared against the earlier one for reference.

It is important to note that:

1. There is no nat 0 here, i.e. no NAT exemption (bypass) for traffic to the DMZ.

2. On an ASA 5505 the addresses are configured on VLAN interfaces instead, and the corresponding switch ports must be added to the right VLAN.

:
ASA Version 8.4(2) // version 8.4
!
hostname fw
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet1
 nameif dmz
 security-level 50
 ip address 172.16.1.254 255.255.255.0
!
interface GigabitEthernet2
 nameif outside
 security-level 0
 ip address 221.222.1.2 255.255.255.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network inside // define the NAT source segment (here: any address)
 subnet 0.0.0.0 0.0.0.0
object network outside // define the public address
 host 221.222.1.2
object network telnet // define the real address of the internal server whose port is published
 host 172.16.1.2
object network www
 host 172.16.1.1
object network towww // define the public (mapped) address used by the static NAT
 host 221.222.1.3
object network totelnet
 host 221.222.1.4
object network natoutside
 host 221.222.1.5
access-list outtodmz extended permit tcp any object www eq www // define the traffic to be permitted inbound
access-list outtodmz extended permit tcp any object www eq telnet
access-list outtodmz extended permit tcp any object telnet eq telnet
access-list outtodmz extended permit tcp any object telnet eq www
pager lines 24
mtu dmz 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network inside // dynamic many-to-one NAT (PAT) to the outside interface address
 nat (dmz,outside) dynamic interface
object network telnet // port translation: real tcp/23 is published as tcp/2023 on the outside address
 nat (dmz,outside) static interface service tcp telnet 2023
object network www // static one-to-one NAT to the towww address
 nat (dmz,outside) static towww
access-group outtodmz in interface outside // apply the ACL inbound on the outside interface
route outside 0.0.0.0 0.0.0.0 221.222.1.1 1 // default route
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:ceec7cf7a060a0ab5127d816542bb2db
: end

An example of ASA QoS rate limiting:

access-list qos extended permit ip host 192.168.1.10 host 192.168.2.10
access-list qos extended permit ip host 192.168.2.10 host 192.168.1.10
class-map qos
 match access-list qos
policy-map qos
 class qos
  police output 10000 // conform rate in bits per second
  police input 10000
service-policy qos interface inside

Note:

If the traffic belongs to an already established session, its packets are not re-evaluated against a newly added policy; only sessions created after the policy was applied will match it (see the ASA packet-flow document: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html).

From 8.3 onward, when NAT is involved the ACL has to match the real (pre-NAT) IP address of the host, not the translated one.
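As an added example (not part of the original article), the following Python parses the object, static NAT and access-list lines of the config above and applies the 8.3+ order of operations from the note: an inbound packet on the outside interface is un-NATed first, and only then matched against the ACL using the real address. The CONFIG excerpt, the OUTSIDE_IF_IP constant and the extra 8.2-style old82 ACL are constructed for this example.

```python
import re
# Constructed excerpt of the config above plus an 8.2-style ACL (old82) on the mapped address.
CONFIG = """\
object network towww
 host 221.222.1.3
object network www
 host 172.16.1.1
 nat (dmz,outside) static towww
object network telnet
 host 172.16.1.2
 nat (dmz,outside) static interface service tcp telnet 2023
access-list outtodmz extended permit tcp any object www eq www
access-list outtodmz extended permit tcp any object telnet eq telnet
access-list old82 extended permit tcp any host 221.222.1.3 eq www
"""
PORTS = {"www": 80, "telnet": 23}     # service keywords used in the config
OUTSIDE_IF_IP = "221.222.1.2"         # assumption: what the 'interface' keyword resolves to
port = lambda p: PORTS.get(p) or int(p)

def parse_asa(text):
    # Returns (objects, static_nats, acl_entries) from ASA-style config text.
    objects, nats, acls, cur = {}, [], [], None
    for line in text.splitlines():
        line = line.strip().lower()
        if m := re.match(r"object network (\S+)", line):
            cur = m.group(1)
        elif m := re.match(r"host (\S+)", line):
            objects[cur] = m.group(1)
        elif m := re.match(r"nat \(\w+,\w+\) static (\S+)(?: service tcp (\S+) (\S+))?", line):
            nats.append((cur,) + m.groups())    # (real object, mapped, real port, mapped port)
        elif m := re.match(r"access-list (\S+) extended (permit|deny) tcp any "
                           r"(?:object (\S+)|host (\S+)) eq (\S+)", line):
            acls.append(m.groups())             # (acl name, action, object, host, port)
    return objects, nats, acls

def untranslate(cfg, dst_ip, dst_port):
    # Reverse the static NAT for a packet addressed to the mapped (outside) side.
    objects, nats, _ = cfg
    for obj, mapped, real_svc, mapped_svc in nats:
        mapped_ip = OUTSIDE_IF_IP if mapped == "interface" else objects.get(mapped)
        if mapped_ip == dst_ip and (real_svc is None or port(mapped_svc) == dst_port):
            return objects[obj], (dst_port if real_svc is None else port(real_svc))
    return None   # no translation: the packet never reaches a DMZ host

def inbound_allowed(cfg, acl, dst_ip, dst_port):
    # 8.3+ order of operations: un-NAT first, then match the ACL on the real address.
    real = untranslate(cfg, dst_ip, dst_port)
    objects, _, acls = cfg
    for name, action, obj, host, svc in acls:
        if real and name == acl and (objects.get(obj) or host) == real[0] and port(svc) == real[1]:
            return action == "permit"
    return False   # no translation, or the ACL's implicit deny
```

The old82 entry shows the failure mode the note warns about: an ACL written against the translated address never matches on 8.3+, so the published service is silently blocked.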
