Lab 1: In a single-mode firewall, send different traffic to different virtual sensors
Lab 1 topology:
ASA Version 9.1(1)4
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.1.10 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0   (note: the management interface was only given "no shutdown"; it keeps no nameif and no IP address)
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list Inside-to-Internet extended permit ip 10.1.1.0 255.255.255.0 any
access-list Inside-to-DMZ extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
!
class-map Inside-to-Internet
 match access-list Inside-to-Internet
class-map inspection_default
 match default-inspection-traffic
class-map Inside-to-DMZ
 match access-list Inside-to-DMZ
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class Inside-to-DMZ
  ips inline fail-open sensor MingJiao-VS1
 class Inside-to-Internet
  ips inline fail-open sensor MingJiao-VS2
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:432474dca0ef8b81b2dbb22aad0eb98d
: end
IPS configuration (create several virtual sensors and attach a different signature definition policy to each). Note carefully that no interface is assigned to the virtual sensors: the ASA picks the virtual sensor itself through the `sensor` keyword of the `ips` action in the service policy, so the module's backplane interface stays unassigned. Two things to check in the policy above. First, for the IPS feature a flow is matched against the classes in policy-map order and takes the first one that fits, so Inside-to-DMZ must stay ahead of Inside-to-Internet (whose ACL also covers 192.168.1.0/24 through `any`); otherwise DMZ traffic would land on MingJiao-VS2. Second, `fail-open` lets traffic pass uninspected if the IPS module fails or is reloading; that is fine in a lab, but choose `fail-close` deliberately for classes where an uninspected bypass is not acceptable.
Test: ping the DMZ router and the Outside router from the Inside router, and confirm on the IPS which virtual sensor sees each flow.
Lab 2: In a multiple-mode firewall, send the traffic of different virtual firewalls (contexts) to different virtual sensors
Lab 2 topology: (GigabitEthernet0/1 is shared by both contexts, so each context gives it its own MAC address, and `mac-address auto` is set in the system context, so that the ASA can classify incoming frames to the right context.)
ASA Version 9.1(1)4 <system>
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
mac-address auto prefix 37048
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
 shutdown
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 shutdown
!
interface Management0/0
!
class default
 limit-resource All 0
 limit-resource Mac-addresses 65535
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
console timeout 0
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context MingJiao-FW-1
 allocate-interface GigabitEthernet0/1
 allocate-interface GigabitEthernet0/2
 allocate-ips MingJiao-VS1 ips1 default
 allocate-ips MingJiao-VS2 ips2
 config-url disk0:/MingJiao-FW-1.cfg
!
context MingJiao-FW-2
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 allocate-ips MingJiao-VS2 mingjiaoips2 default
 allocate-ips MingJiao-VS1 mingjiaoips1
 config-url disk0:/MingJiao-FW-2.cfg
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:bc5d9c8b60dc6d64b114c009495cab42
: end
ASA admin context configuration:
ASA Version 9.1(1)4 <context>
!
hostname admin
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Management0/0
 management-only
 nameif Mangement
 security-level 100
 ip address 10.1.1.10 255.255.255.0
!
pager lines 24
mtu Mangement 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Mangement
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
Cryptochecksum:bae90faeca2fe1f1ca63c352581d62e3
: end
ASA MingJiao-FW-1 context configuration (its `ips inline fail-open` carries no `sensor` keyword, so the traffic goes to this context's default allocation, ips1, which is MingJiao-VS1):
ASA Version 9.1(1)4 <context>
!
hostname MingJiao-FW-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/1
 mac-address 0001.0001.0001
 nameif Inside
 security-level 100
 ip address 10.1.1.100 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.1.10 255.255.255.0
!
access-list Inside-to-DMZ extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu Inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
class-map Inside-to-DMZ
 match access-list Inside-to-DMZ
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class Inside-to-DMZ
  ips inline fail-open
!
service-policy global_policy global
Cryptochecksum:9af1986e75ae41f061ac8278ec74be3a
: end
ASA MingJiao-FW-2 context configuration (ICMP uses `ips inline fail-close` with no `sensor` keyword, so it goes to this context's default, mingjiaoips2, which is MingJiao-VS2; TCP is copied to MingJiao-VS1 in promiscuous mode, where the sensor can only alert, not drop):
ASA Version 9.1(1)4 <context>
!
hostname MingJiao-FW-2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/1
 mac-address 0002.0002.0002
 nameif Inside
 security-level 100
 ip address 10.1.1.200 255.255.255.0
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
!
access-list Inside-to-Internet-ICMP extended permit icmp 10.1.1.0 255.255.255.0 any
access-list Inside-to-Internet-TCP extended permit tcp 10.1.1.0 255.255.255.0 any
pager lines 24
mtu Inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map Inside-to-Internet-ICMP
 match access-list Inside-to-Internet-ICMP
class-map inspection_default
 match default-inspection-traffic
class-map Inside-to-Internet-TCP
 match access-list Inside-to-Internet-TCP
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class Inside-to-Internet-ICMP
  ips inline fail-close
 class Inside-to-Internet-TCP
  ips promiscuous fail-open sensor mingjiaoips1
!
service-policy global_policy global
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
IPS configuration (create several virtual sensors and attach a different signature definition policy to each). Note carefully that, as in Lab 1, no interface is assigned to the virtual sensors. In multiple mode the selection works in two steps: the system context's `allocate-ips` lines hand each virtual sensor to a context under a mapped name (ips1/ips2 for MingJiao-FW-1, mingjiaoips1/mingjiaoips2 for MingJiao-FW-2), with one of them marked `default`; inside the context, `ips ... sensor <mapped-name>` picks a sensor explicitly, and an `ips` action without `sensor` goes to that context's default. A context can only reference the mapped names allocated to it.
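To make that selection auditable from a config dump instead of by ping tests, the following Python script resolves every `ips` action in the configs above to the virtual sensor it actually reaches. It is an added example written for this edit, not part of the original lab; the config strings inside it are trimmed from the lab configs with spaces restored, and the MODULE_DEFAULT marker is this script's own convention for the case where neither a `sensor` keyword nor a context default applies (the ASA then uses the sensor module's own default virtual sensor).

```python
"""Resolve which IPS virtual sensor each `ips` action really hits.

Added example, not from the original lab write-up. Rules applied:
  - in a context, `sensor <name>` is the mapped name from `allocate-ips`;
  - an `ips` action without `sensor` uses the context's `default` sensor;
  - in single mode (no allocations) the name is the virtual sensor itself;
  - a mapped name that is not allocated to the context is an error.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MODULE_DEFAULT = "<IPS module default sensor>"  # script's own marker, not ASA syntax

# Lab 1 (single mode), trimmed: the sensor keyword names the virtual sensor directly.
SINGLE_MODE_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect ftp
 class Inside-to-DMZ
  ips inline fail-open sensor MingJiao-VS1
 class Inside-to-Internet
  ips inline fail-open sensor MingJiao-VS2
"""

# Lab 2 system context, trimmed: real sensor -> per-context mapped name, one default.
SYSTEM_CONFIG = """\
context MingJiao-FW-1
 allocate-interface GigabitEthernet0/1
 allocate-ips MingJiao-VS1 ips1 default
 allocate-ips MingJiao-VS2 ips2
!
context MingJiao-FW-2
 allocate-interface GigabitEthernet0/0
 allocate-ips MingJiao-VS2 mingjiaoips2 default
 allocate-ips MingJiao-VS1 mingjiaoips1
"""

# Lab 2 contexts, trimmed to the policy-map lines that matter.
CONTEXT_CONFIGS = {
    "MingJiao-FW-1": """\
policy-map global_policy
 class inspection_default
  inspect ftp
 class Inside-to-DMZ
  ips inline fail-open
""",
    "MingJiao-FW-2": """\
policy-map global_policy
 class Inside-to-Internet-ICMP
  ips inline fail-close
 class Inside-to-Internet-TCP
  ips promiscuous fail-open sensor mingjiaoips1
""",
}


@dataclass
class Allocation:
    mapping: Dict[str, str] = field(default_factory=dict)  # mapped name -> real sensor
    default: Optional[str] = None                          # real sensor marked `default`


IPS_RE = re.compile(r"^ips (inline|promiscuous) (fail-open|fail-close)(?: sensor (\S+))?$")


def parse_allocations(system_cfg: str) -> Dict[str, Allocation]:
    """Collect `allocate-ips <sensor> [<mapped>] [default]` per context."""
    allocs: Dict[str, Allocation] = {}
    ctx = None
    for raw in system_cfg.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "context" and len(tokens) == 2:
            ctx = tokens[1]
            allocs[ctx] = Allocation()
        elif tokens[0] == "allocate-ips" and ctx is not None:
            real, rest = tokens[1], tokens[2:]
            is_default = bool(rest) and rest[-1] == "default"
            if is_default:
                rest = rest[:-1]
            mapped = rest[0] if rest else real   # no mapped name: real name is visible
            allocs[ctx].mapping[mapped] = real
            if is_default:
                allocs[ctx].default = real
    return allocs


def parse_ips_actions(ctx_cfg: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (class, mode, failure, sensor-or-None) for every `ips` action."""
    actions = []
    cls = None
    for raw in ctx_cfg.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            cls = None                      # a top-level command ends any class block
        elif indent == 1 and line.startswith("class "):
            cls = line.split(None, 1)[1]
        elif indent == 2 and cls is not None:
            m = IPS_RE.match(line)
            if m:
                actions.append((cls, m.group(1), m.group(2), m.group(3)))
    return actions


def resolve(actions, alloc: Optional[Allocation]):
    """Apply the ASA's sensor-selection rules; alloc is None in single mode."""
    resolved = []
    for cls, mode, failure, sensor in actions:
        if sensor is None:
            real = alloc.default if (alloc and alloc.default) else MODULE_DEFAULT
        elif alloc is None:
            real = sensor
        elif sensor in alloc.mapping:
            real = alloc.mapping[sensor]
        else:
            # The ASA rejects this at config time; flag it when auditing a pasted dump.
            raise ValueError(f"class {cls}: sensor {sensor!r} is not allocated to this context")
        resolved.append((cls, mode, failure, real))
    return resolved


def resolve_lab():
    """Resolve both labs: {'single' or context name: [(class, mode, failure, real)]}."""
    allocs = parse_allocations(SYSTEM_CONFIG)
    out = {"single": resolve(parse_ips_actions(SINGLE_MODE_CONFIG), None)}
    for ctx, cfg in CONTEXT_CONFIGS.items():
        out[ctx] = resolve(parse_ips_actions(cfg), allocs[ctx])
    return out


if __name__ == "__main__":
    for ctx, rows in resolve_lab().items():
        for cls, mode, failure, real in rows:
            print(f"{ctx:15} {cls:26} {mode:12} {failure:10} -> {real}")
```

Running it prints one line per `ips` action with the real virtual sensor; the point of the promiscuous TCP row is that MingJiao-VS1 receives only a copy of the Inside-to-Internet TCP traffic, so a drop verdict there never blocks anything.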
Reproduced from: https://blog.51cto.com/hp6055637667/1316380