December 31, 2013

Add a user

ciscoasa(config)# username admin password admin privilege 15

Enable command authorization against the local user database

ciscoasa(config)# aaa authorization command LOCAL

Without the following line, SSH logins are checked directly against the management login password (cisco by default);
with it, SSH logins are checked against the locally defined user account.

ciscoasa(config)# aaa authentication ssh console LOCAL


Generate the RSA key pair used by the SSH server (the post uses a 1024-bit modulus; 2048 bits is the usual minimum today)

ciscoasa(config)# crypto key generate rsa modulus 1024
 INFO: The name for the keys will be: <Default-RSA-Key>
 Keypair generation process begin. Please wait...
ciscoasa(config)#

Enable SSH from the inside subnet and from any address on the outside. Note that the second line exposes SSH to every source address on the outside interface, and the third opens Telnet to any inside host; in practice, limit both to known management addresses.

ciscoasa(config)# ssh 192.168.15.0 255.255.255.0 inside
ciscoasa(config)# ssh 0.0.0.0 0.0.0.0 outside
ciscoasa(config)# telnet 0 0 inside

Restrict the SSH server to protocol version 2

ciscoasa(config)# ssh version 2

Enable Telnet from a specified inside subnet, authenticated against the local user database

ciscoasa(config)# aaa authentication telnet console LOCAL
ciscoasa(config)# telnet 192.168.15.0 255.255.255.0 inside

Set the time zone and the clock, then display the current system time

ciscoasa(config)# clock timezone HKST 8
ciscoasa(config)# clock set 18:45:40 9 Jan 2014
ciscoasa(config)# sh clock
18:46:00.019 HKST Thu Jan 9 2014
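As an added example (not part of the original post), a small Python checker that reads ASA management-access commands like the ones above and flags what a reviewer would want to catch before the config goes live: SSH reachable from any source on an interface, Telnet enabled anywhere, SSHv1 still accepted, or SSH logins not tied to an AAA method. The sample config and the function name are constructed for this illustration, not taken from a real device.

```python
import re
from typing import List

# Constructed sample (not a real device dump): the management-access commands
# from the post above, as they would appear in "show running-config".
SAMPLE_CONFIG = """\
username admin password admin privilege 15
aaa authorization command LOCAL
aaa authentication ssh console LOCAL
ssh 192.168.15.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
telnet 0 0 inside
ssh version 2
aaa authentication telnet console LOCAL
telnet 192.168.15.0 255.255.255.0 inside
"""

# ssh|telnet <source-ip> <mask> <interface>; the ASA accepts "0 0" as shorthand
# for 0.0.0.0 0.0.0.0, so both spellings must be treated as "any source".
ACCESS_RE = re.compile(r"(ssh|telnet)\s+(\d[\d.]*)\s+(\d[\d.]*)\s+(\S+)")
ANY_MASK = {"0", "0.0.0.0"}


def audit_mgmt_access(config: str) -> List[str]:
    """Return findings about remote-management exposure in an ASA running config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for line in lines:
        m = ACCESS_RE.fullmatch(line)
        if not m:
            continue
        proto, addr, mask, iface = m.groups()
        if mask in ANY_MASK:
            findings.append(f"{proto} allowed from any source on {iface}")
        if proto == "telnet":
            # Telnet carries the login in cleartext; flag every enabled scope.
            findings.append(f"telnet (cleartext) enabled on {iface} for {addr}/{mask}")
    if "ssh version 2" not in lines:
        findings.append("ssh version 2 not enforced (SSHv1 still accepted)")
    if not any(re.fullmatch(r"aaa authentication ssh console \S+", ln) for ln in lines):
        findings.append("ssh logins fall back to the shared login password (no aaa authentication)")
    return findings


if __name__ == "__main__":
    for finding in audit_mgmt_access(SAMPLE_CONFIG):
        print("FINDING:", finding)
```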

December 23, 2013

Erase the startup configuration

5505-1(config)# write erase
Erase configuration in flash memory? [confirm]

Reload

5505-1# reload
Proceed with reload? [confirm]

After the reload, the device asks whether to run the interactive pre-configuration; answer no

Pre-configure Firewall now through interactive prompts [yes]? no
Type help or '?' for a list of available commands.
ciscoasa> ?

  clear       Reset functions
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  help        Interactive help for commands
  login       Log in as a particular user
  logout      Exit from the EXEC
  no          Negate a command or set its defaults
  ping        Send echo messages
  quit        Exit from the EXEC
  show        Show running system information
  traceroute  Trace route to destination

Enter privileged mode (the enable password is empty) and view the initial configuration

ciscoasa> en
Password:
ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 shutdown
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/De
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#

March 27, 2013

The Postfix log (/var/log/maillog) reports that it has enabled its PIX/ASA firewall workarounds for a delivery:

Mar 27 12:05:02 pfx postfix/smtp[7463]: AF67B212CA6: enabling PIX workarounds: disable_esmtp delay_dotcrlf for mx1.hotmail.com[65.55.37.104]:25

The normal greeting seen when connecting to port 25 of the server with Telnet from the local LAN or from the host itself:

220 pfx.sample.com ESMTP Postfix (2.8.14)
EHLO test.sample.com
250-pfx.sample.om
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
