服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 思科ASA作为小型办公室的ISP GW
Intereting Posts
closures电源开关将远程closures另一个开关? 在Linux上设置tomcat autostart? 服务器丢弃NIC和其他PCI设备 FTP在IIS8上部分上传 同一networking上的两台电脑不能ping通对方,也不能查看NetBios资源 如何configurationIIS以允许访问PHP脚本的networking资源? 有什么更好的方法来configurationOracle RAC 11g R2的内存? 使用lpstat获得lp工作状态 如何获得netcat的udp响应 服务器(httpd或mysql)通过从源代码构build还是使用yum / apt存储库进行安装,会不会在性能上有所不同? Docker化jira 7.3.5与nginx反向代理基地url问题 如何在Windows 2008 Server上压缩大型日志文件? 在Ubuntu上创build文件和文件夹的XAMPP错误403 Hyper-v iSCSInetworking设置 共享主机 – 没有主域名的子域名

思科ASA作为小型办公室的ISP GW

我有Cisco ASA与ISP路由器形成静态路由关系。

我不打算使用任何华丽Anyconnect VPN或IPS防火墙。

但是一些简单的ACL来保证networking安全。

configuration粘贴在下面,

在这种情况下是否设置了有状态防火墙? 由于只有内部启动的stream量才能获得NAT,并从外部返回?

这个configuration是否包含安全性所需的基本事物? (从外部阻止pipe理访问,阻止来自外部的阻止,从外部阻止私有IP等)。

我在个人主机级别进行防火墙/防病毒强化。 当我不想在ASA模块上花费额外的预算时,这是一个好方法吗?

谢谢。 

ASAisp# ASAisp# show run ASA Version 9.2(4) ! hostname ASAisp domain-name soho.com xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain passwd .jaY8R6W./JP9tz1 encrypted names ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif inside security-level 100 ip address 172.16.0.1 255.255.0.0 ! interface Vlan2 nameif outside security-level 0 ip address dhcp ! boot system disk0:/asa924-k8.bin ftp mode passive clock timezone PST -8 clock summer-time PDT recurring dns domain-lookup inside dns server-group DefaultDNS name-server 84.200.69.80 name-server 8.8.8.8 domain-name soho.com same-security-traffic permit inter-interface same-security-traffic permit intra-interface access-list inside_access_in extended permit ip 172.16.0.0 255.255.0.0 any4 access-list outside_access_in extended deny ip 10.0.0.0 255.0.0.0 any access-list outside_access_in extended deny ip 172.16.0.0 255.240.0.0 any access-list outside_access_in extended deny ip 192.168.0.0 255.255.0.0 any pager lines 24 logging enable logging buffer-size 987564 logging buffered informational logging asdm informational mtu inside 1500 mtu outside 1500 ip verify reverse-path interface inside ip verify reverse-path interface outside icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-762-150.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected ! nat (inside,outside) after-auto source dynamic any interface access-group inside_access_in in interface inside access-group outside_access_in in interface outside router ospf 1 router-id 5.5.5.5 network 10.10.10.0 255.255.255.0 area 0 log-adj-changes ! route outside 0.0.0.0 0.0.0.0 1.2.3.4 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL aaa authentication http console LOCAL aaa local authentication attempts max-fail 3 http server enable http 172.16.0.0 255.255.0.0 inside no snmp-server location no snmp-server contact crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy no crypto isakmp nat-traversal telnet timeout 5 ssh stricthostkeycheck ssh 172.16.0.0 255.255.0.0 inside ssh timeout 5 ssh version 2 ssh key-exchange group dh-group1-sha1 console timeout 0 management-access inside dhcp-client client-id interface outside dhcpd dns 84.200.69.80 8.8.8.8 dhcpd domain soho.com dhcpd update dns both override dhcpd option 3 ip 172.16.0.1 ! dhcpd address 172.16.1.100-172.16.1.130 inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics host threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 ntp server 216.228.192.69 source outside group-policy DfltGrpPolicy attributes vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless username sndlt password ulTKijFmUYuV.Wg5 encrypted privilege 15 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:a5696a05725e77f8ef546ce93ebb692d : end ASAisp# ASAisp#

需要使用非标准端口#来定义。 

 object-group service DM_INLINE_SERVICE_1 service-object udp destination eq 4444 object network openNW-udp nat (inside,outside) static interface service udp 4444 4444