Tổng hợp mẫu cấu hình cơ bản firewall ASA

Đặt IP cho các interface của ASA

interface GigabitEthernet0/0

 nameif inside

 security-level 100

 ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet0/1

 nameif outside

 security-level 0

 ip address 10.1.2.1 255.255.255.0

NAT overload ra internet

object network LAN

subnet 192.168.1.0 255.255.255.0

 nat (inside,outside) dynamic interface

Cho ping từ LAN ra internet

policy-map global_policy

 class inspection_default

 inspect icmp

Khai route ra internet

route outside 0.0.0.0 0.0.0.0 10.1.2.2

Cấu hình ACL và áp vào interface wan

access-list outside_access_in extended permit icmp any any

access-group outside_access_in in interface outside

NAT ra ip tĩnh và allow bên ngoài truy cập http https

object network obj-192.168.1.100

 host 192.168.1.100

 nat (inside,outside) static 200.200.200.200

!

access-list outside_access_in extended permit tcp any object obj-192.168.1.100 eq www

!

access-list outside_access_in extended permit tcp any object obj-192.168.1.100 eq https

!

access-group outside_access_in in interface outside

!

Check bảng nat

show xlate

Cấu hình sub-interface

interface GigabitEthernet0/0

no shutdown

exit

!

interface GigabitEthernet0/0.10

 vlan 10

 nameif inside

 security-level 100

 ip address 192.168.1.1 255.255.255.0

 no shutdown

 exit

!

Cấu hình rule cho phép vlan 100 truy cập https sang vlan 200

!

object-group network vlan100_hosts

 network-object 192.168.100.0 255.255.255.0

object-group network vlan200_hosts

 network-object 192.168.200.0 255.255.255.0

 !

access-list vlan100_to_200 extended permit tcp object-group vlan100_hosts object-group vlan200_hosts eq https

!