
Cisco firewall ASA5520 ARP attack

Posted by a site user. Posted: 2022-04-30 17:17

3 answers

Helpful user, time: 2022-06-28 07:00

ASA Local:

ASA Version 7.X
no names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 30.30.30.1 255.255.255.0

!--- This line allows the unicast of OSPF over the IPsec tunnel.

ospf network point-to-point non-broadcast

!--- This line is optional and not required for OSPF to work.
!--- Enable this option only if you want to enable MD5 digest for OSPF.

ospf message-digest-key 10 md5 cisco
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
enable password cisco encrypted
passwd cisco encrypted
hostname Local
ftp mode passive

!--- These access control list (ACL) entries define
!--- interesting traffic for IPsec encryption and allow
!--- the traffic to bypass NAT. Note that OSPF is permitted and only
!--- in the crypto ACL.

same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ospf interface outside host 40.40.40.2
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface

!--- Do not translate traffic with NAT.

nat (inside) 0 access-list nonat
nat (inside) 10 10.10.10.0 255.255.255.0
!

!--- This is OSPF.
!--- Note: You must define the outside network of the remote peer.

router ospf 100
network 10.10.10.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0

!--- This is where OSPF is told where the
!--- PEER is located.

neighbor 40.40.40.2 interface outside
log-adj-changes
!

!--- This is a host based static. This is not always
!--- necessary, but recommended to prevent recursive routing loops when
!--- OSPF comes up over the IPsec tunnel.

route outside 40.40.40.2 255.255.255.255 30.30.30.2 1
route outside 0.0.0.0 0.0.0.0 30.30.30.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.4.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp

!--- This is the IPsec and IKE/ISAKMP configuration.
!--- Make sure basic IPsec connectivity is present
!--- before you add in OSPF.

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 40.40.40.2
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0

tunnel-group 40.40.40.2 type ipsec-l2l
tunnel-group 40.40.40.2 ipsec-attributes
pre-shared-key cisco

class-map inspection_default
match default-inspection-traffic

policy-map asa_global_fw_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end

ASA Remote:

ASA Version 7.X
no names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 40.40.40.2 255.255.255.0

!--- This line allows the unicast of OSPF over to
!--- the IPsec tunnel.

ospf network point-to-point non-broadcast

!--- This line is optional and not required for OSPF to work.
!--- Enable this option only if you want to enable MD5 digest for OSPF.

ospf message-digest-key 10 md5 cisco

!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
enable password cisco encrypted
passwd cisco encrypted
hostname Remote
ftp mode passive

!--- These ACL entries define interesting traffic for IPsec encryption and allow
!--- the traffic to bypass NAT. Note that OSPF is permitted and only in the crypto ACL.

same-security-traffic permit intra-interface
access-list nonat extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto extended permit ospf interface outside host 30.30.30.1

pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
global (outside) 20 interface

!--- Do not translate traffic with NAT.

nat (inside) 0 access-list nonat
nat (inside) 20 20.20.20.0 255.255.255.0
!

!--- This is OSPF.
!--- Note: You must define the remote peer's outside network.

router ospf 100
network 20.20.20.0 255.255.255.0 area 0
network 30.30.30.0 255.255.255.0 area 0
network 40.40.40.0 255.255.255.0 area 0

!--- This is where the OSPF is told where the PEER is located.

neighbor 30.30.30.1 interface outside
log-adj-changes
!

!--- This is a host based static. This is not always necessary, but recommended to
!--- prevent recursive routing loops when OSPF comes up over the IPsec tunnel.

route outside 0.0.0.0 0.0.0.0 40.40.40.1 1
route outside 30.30.30.1 255.255.255.255 40.40.40.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.4.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp

!--- This is the IPsec configuration. Make sure basic IPsec connectivity is present
!--- before you add in OSPF.

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map * 10 match address crypto
crypto map * 10 set peer 30.30.30.1
crypto map * 10 set transform-set myset
crypto map * interface outside

isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0

tunnel-group 30.30.30.1 type ipsec-l2l
tunnel-group 30.30.30.1 ipsec-attributes
pre-shared-key cisco

class-map inspection_default
match default-inspection-traffic

policy-map asa_global_fw_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy asa_global_fw_policy global
Cryptochecksum:3d5f16a67ec0fa20aa3882acaa348e28
: end

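Helpful user, time: 2022-06-28 07:00

A firewall cannot stop ARP attacks inside the internal network. That is determined by how it works in principle.

Helpful user, time: 2022-06-28 07:01

I recommend the Cisco SDM software, which can connect directly to the firewall and manage it through a graphical interface. Bind the IP addresses, then use antivirus software to clean the ARP virus from the internal network.

Follow-up question: This firewall has no HTTP function, so this software can't be used.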

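Help me choose a firewall: 150 office computers and 2 internal servers providing web services.

Generally, the ones that are easy to operate are not very powerful, and the powerful ones are not very easy to operate. Personally I suggest the CISCO ASA5505-SEC-BUN-K9; my company uses this model. It doesn't look great, but it is very powerful, and as for stability, I don't need to tell you, you trust Cisco, right? If you want something simple to operate, buy Sangfor; it is a bit expensive but simple to operate, with a graphical interface. Actually, if the router is powerful enough, you don't need a hardware firewall at all. Many rou...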


Does the cisco ASA 5520 firewall support IP and MAC address binding?

Yes, it is supported. For example: ASA5550(config)#arp inside 192.168.12.1 ABCD.12DA.3456 (Hardware MAC address)
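A static binding like the `arp inside ...` command above only helps when the known-good IP-to-MAC pairs are recorded and the live ARP table is checked against them. The following is an added example, not part of the original answers: it parses `show arp` output, flags entries that differ from an inventory or where one MAC answers for several IPs, and renders the inventory as static ARP commands. The sample output, the addresses and the inventory are constructed, and the line layout (interface, IP, MAC, age) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of "show arp" output: interface, IP, MAC, age (assumed layout).
SAMPLE_SHOW_ARP = """\
        inside 10.10.10.2 00aa.bbcc.dd01 2
        inside 10.10.10.20 00aa.bbcc.dd01 3
        inside 10.10.10.21 00aa.bbcc.dd02 45
        outside 30.30.30.2 0050.56aa.0001 7
"""
# Hypothetical known-good inventory kept by the administrator.
EXPECTED = {
    ("inside", "10.10.10.2"): "0011.2233.4455",
    ("inside", "10.10.10.21"): "00AA.BBCC.DD02",
}
ARP_LINE = re.compile(r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
                      r"([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})\b")

def parse_show_arp(text):
    """Return (interface, ip, mac) tuples; MAC lower-cased, other lines skipped."""
    hits = (ARP_LINE.match(line) for line in text.splitlines())
    return [(m[1], m[2], m[3].lower()) for m in hits if m]

def audit(entries, expected):
    """Flag binding mismatches and MACs that answer for several IPs."""
    findings = []
    by_mac = defaultdict(list)
    for ifname, ip, mac in entries:
        by_mac[(ifname, mac)].append(ip)
        want = expected.get((ifname, ip))
        if want and want.lower() != mac:
            findings.append(("mismatch", ifname, ip, mac))
    for (ifname, mac), ips in sorted(by_mac.items()):
        if len(ips) > 1:  # one MAC claiming several IPs on the same interface
            findings.append(("shared-mac", ifname, ",".join(sorted(ips)), mac))
    return findings

def static_bindings(expected):
    """Render the inventory as static ARP commands (arp <if> <ip> <mac>)."""
    return [f"arp {i} {ip} {mac.lower()}" for (i, ip), mac in sorted(expected.items())]

if __name__ == "__main__":
    for finding in audit(parse_show_arp(SAMPLE_SHOW_ARP), EXPECTED):
        print(finding)
    print("\n".join(static_bindings(EXPECTED)))
```

A MAC shared by several IPs is not always hostile (a router or proxy-ARP device does the same), so treat that finding as a lead to verify rather than a verdict.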

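For the cisco ASA5520 firewall, I have a fixed public IP; how do I make the internal switch cisco2970...

Configure an IP address on the external interface and name it "outside"; set a private IP on the internal interface, such as 192.168.1, and name it "inside"; finally, do network address translation. You can refer to the following:
1. Enter the outside interface: nameif outside ip add <fixed IP address> no shutdown
2. Enter the inside interface: nameif inside ip add <private IP address> no shutdown
3. NAT (network address translation): nat-contro...

After configuring the management address on a cisco asa5200 firewall I can't log in; how should the internal and external networks be configured so that...

telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 1
console timeout 0
aaa authentication ssh console LOCAL
aaa authorization command LOCAL

Configure telnet or SSH to manage the device, and then you can manage the device. If you log in directly through the console port, you need to use your own computer's COM port; nowadays...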
