Transparent mode on the Cisco ASA5505 is slightly special: the ASA5505's physical Ethernet ports cannot be configured as routed interfaces, only as switch ports behind SVI (VLAN) interfaces, and without the add-on (Security Plus) license only two active VLANs can be configured.
Below are Cisco's published requirements for configuring the firewall in transparent mode:
1. Version requirements:
- PIX Security Appliance with 7.x and later
- ASA with version 7.x and later
2.Follow these guidelines when you plan your transparent firewall network:
- A management IP address is required; for multiple context mode, an IP address is required for each context.
Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an IP address assigned to the entire device. The security appliance uses this IP address as the source address for packets that originate on the security appliance, such as system messages or AAA communications.
The management IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255).
- The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
- Each directly connected network must be on the same subnet.
- Do not specify the security appliance management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the security appliance as the default gateway.
- For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts.
- For multiple context mode, each context typically uses a different subnet. You can use subnets that overlap, but your network topology requires router and NAT configuration to make it possible from a routing standpoint.
- You must use an extended access list to allow Layer 3 traffic, such as IP traffic, through the security appliance.
You can also optionally use an EtherType access list to allow non-IP traffic through.
Complete ASA5505 transparent-mode configuration, Version 7.2(3) (the 7.2 configuration was taken from the Internet):
ciscoasa# show run
: Saved
:
ASA Version 7.2(3)
!
firewall transparent
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 111 extended permit tcp any any eq ftp-data
access-list 111 extended permit tcp any any eq ssh
access-list 111 extended permit tcp any any eq www
access-list 111 extended permit tcp any any eq 8080
access-list 111 extended permit tcp any any eq 6600
access-list 111 extended permit tcp any any eq 7877
access-list 111 extended permit tcp any any range 2020 2121
access-list 111 extended permit tcp any any range 6800 6900
access-list 111 extended permit tcp any any range 5200 5400
access-list 111 extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
ip address 192.168.100.100 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
access-group 111 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:871ee08b54631ff021ad0c4a1a3db59d
: end
ciscoasa#
************* In 7.2, the 5505's management IP is set with the global `ip address <ip> <mask>` command. *************
Note that this 7.2 configuration permits Telnet (cleartext) and ASDM/HTTP management from every inside address (`telnet 0.0.0.0 0.0.0.0 inside`, `http 0.0.0.0 0.0.0.0 inside`); in practice restrict both to the management hosts' addresses.
Complete ASA5505 transparent-mode configuration, Version 8.4(3) (the 8.4 configuration is from recent work):
ciscoasa# show run
: Saved
:
ASA Version 8.4(3)
!
firewall transparent
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description outside
 switchport access vlan 2
!
interface Ethernet0/1
 description inside
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 bridge-group 1
 security-level 100
!
interface Vlan2
 nameif outside
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 172.16.5.140 255.255.255.0
!
ftp mode passive
access-list 100 extended permit ip 172.16.0.0 255.255.255.0 any
access-list 100 extended permit tcp 172.16.0.0 255.255.255.0 any
access-list 100 extended permit udp 172.16.0.0 255.255.255.0 any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group 100 in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:25ff7651711142ae22159248f08f3d97
: end
ciscoasa# wr
Building configuration...
Cryptochecksum: 25ff7651 711142ae 22159248 f08f3d97
2488 bytes copied in 1.20 secs (2488 bytes/sec)
[OK]
************* In 8.4 there is no global `ip address` command for the 5505's management IP: you must create a bridge virtual interface (`interface BVI1`) that carries the management IP, and then add each VLAN interface to that bridge group with `bridge-group 1` under `interface Vlan1` and `interface Vlan2`. *************
Note also the inbound ACL on the outside interface: `access-list 100` permits any traffic whose source is 172.16.0.0/24, the firewall's own management subnet, so a host on the outside segment that spoofs a 172.16.0.x source is permitted through; the 7.2 configuration above instead permits specific TCP ports and ICMP from `any`.
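As an added example that is not part of the original post or of Cisco's documentation: a small Python linter that reads an ASA `show run` dump and checks it against the transparent-mode guidelines listed earlier (transparent mode set, a management IP that is not a host mask, exactly two named data interfaces in single mode, every data VLAN inside the BVI's bridge group on 8.4, and an extended ACL bound with `access-group`). It resolves the management IP for both dialects shown on this page, the 7.2 global `ip address` and the 8.4 `interface BVI1`. The two embedded configs are constructed excerpts of the page's dumps; the final Telnet/SSH/HTTP check is my addition beyond Cisco's list, and the "same subnet as the connected network" requirement is not checked because it needs the neighbouring router's addressing, which the config alone does not contain.

```python
import ipaddress
import re

# Constructed excerpts of the page's two `show run` dumps (assumption: trimmed to
# the lines the checks below look at).
CONFIG_72 = """\
firewall transparent
!
interface Vlan1
 nameif inside
!
interface Vlan2
 nameif outside
!
access-list 111 extended permit tcp any any eq ssh
access-list 111 extended permit icmp any any
ip address 192.168.100.100 255.255.255.0
access-group 111 in interface outside
http 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside
"""
CONFIG_84 = """\
firewall transparent
!
interface Vlan1
 nameif inside
 bridge-group 1
!
interface Vlan2
 nameif outside
 bridge-group 1
!
interface BVI1
 ip address 172.16.5.140 255.255.255.0
!
access-list 100 extended permit ip 172.16.0.0 255.255.255.0 any
access-group 100 in interface outside
"""
IP_RE = re.compile(r"ip address (\S+) (\S+)$")


def parse_interfaces(config):
    """Map each `interface X` stanza to its indented subcommands (stripped)."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # `!` or any other global line ends the stanza
    return stanzas


def management_ip(config, stanzas):
    """7.2 dialect: global `ip address A M`; 8.4 dialect: `ip address` under BVI<n>."""
    for name, subs in stanzas.items():
        if name.upper().startswith("BVI"):
            for m in filter(None, map(IP_RE.match, subs)):
                return ipaddress.IPv4Interface(f"{m[1]}/{m[2]}"), "bvi"
    for m in filter(None, map(IP_RE.match, config.splitlines())):  # match() = column 0 only
        return ipaddress.IPv4Interface(f"{m[1]}/{m[2]}"), "global"
    return None, None


def lint_transparent(config):
    """Return {"management_ip", "dialect", "findings"}; an empty findings list passes."""
    lines, stanzas, findings = config.splitlines(), parse_interfaces(config), []
    if "firewall transparent" not in lines:
        findings.append("`firewall transparent` missing: device is in routed mode")
    mgmt, dialect = management_ip(config, stanzas)
    if mgmt is None:
        findings.append("no management IP (global `ip address` or `interface BVI<n>`)")
    elif mgmt.network.prefixlen == 32:
        findings.append(f"management IP {mgmt} uses a host mask; it must sit on the connected subnet")
    # single mode: exactly two named data interfaces; management-only ones do not count
    data = {n: s for n, s in stanzas.items()
            if any(x.startswith("nameif ") for x in s) and "management-only" not in s}
    if len(data) != 2:
        findings.append(f"expected exactly 2 data interfaces, found {sorted(data)}")
    if dialect == "bvi":  # 8.4: every data VLAN must sit in the BVI's bridge group
        bvis = {n[3:] for n in stanzas if n.upper().startswith("BVI")}
        for n, s in data.items():
            groups = [x.split()[1] for x in s if x.startswith("bridge-group ")]
            if not groups or groups[0] not in bvis:
                findings.append(f"{n} is not a member of bridge-group {sorted(bvis)}")
    # IP traffic only passes if an extended ACL is bound with access-group
    ext = {m[1] for m in filter(None, (re.match(r"access-list (\S+) extended ", l) for l in lines))}
    bound = list(filter(None, (re.match(r"access-group (\S+) (in|out) interface (\S+)$", l) for l in lines)))
    if not bound:
        findings.append("no access-group bound: no IP traffic can cross the firewall")
    for m in bound:
        if m[1] not in ext:
            findings.append(f"access-group {m[1]} on {m[3]} does not reference an extended ACL")
    # beyond Cisco's list: management plane reachable from any host on an interface
    for m in filter(None, (re.match(r"(telnet|ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", l) for l in lines)):
        findings.append(f"{m[1]} management access open to any host on {m[2]}")
    return {"management_ip": str(mgmt) if mgmt else None, "dialect": dialect, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("7.2(3)", CONFIG_72), ("8.4(3)", CONFIG_84)):
        r = lint_transparent(cfg)
        print(label, r["management_ip"], r["dialect"], r["findings"] or "OK")
```

Run against the page's own dumps, the 8.4 excerpt passes cleanly, while the 7.2 excerpt passes the Cisco guidelines but is flagged for the open Telnet and HTTP management access; feed it a BVI whose VLAN lacks `bridge-group`, or a 255.255.255.255 mask, and the corresponding guideline violations come back as findings.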