Category: Cisco Products

A Complete Walkthrough of Upgrading ASA Series Firewalls


asa(config)# dir
//Show the flash directory listing
asa(config)# copy disk0:/asa707-k8.bin tftp://192.168.1.149/asa707-k8.bin
//Back up the existing ASA system image to the TFTP server
asa(config)# copy disk0:/asdm507.bin tftp://192.168.1.149/asdm507.bin
//Back up the existing ASDM image to the TFTP server
asa(config)# copy tftp://192.168.1.149/asa803-k8.bin disk0:/asa803-k8.bin
//Copy the new ASA system image from the TFTP server to the ASA
asa(config)# copy tftp://192.168.1.149/asdm-603.bin disk0:/asdm-603.bin
//Copy the new ASDM image from the TFTP server to the ASA
asa(config)# dir
//List the directory again to confirm both files were copied successfully
asa(config)# no boot system disk0:/asa707-k8.bin
//Remove the boot association with the old system image
asa(config)# dir
asa(config)# boot system disk0:/asa803-k8.bin
asa(config)# asdm image disk0:/asdm-603.bin
//Point the boot system and the ASDM image at the new files
Device Manager image set, but not a valid image file disk0:/asdm-603.bin
//Because the new system image does not take effect until the reload, the new ASDM image is reported as invalid when the association is set; this is expected.
asa(config)# exit
asa# wr
//Save the configuration
asa# reload
//The new system image does not take effect until the ASA is rebooted

Articles on setting up the surrounding environment (TFTP server and so on) will follow later.
This article is from the "思想的邃空" blog; please keep this attribution: http://lweibat.blog.51cto.com/525580/128046


PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT Configuration Example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml?referring_site=smartnavRD

Introduction

This document describes the steps used to translate (NAT) the VPN traffic from one end that travels over a LAN-to-LAN (L2L) IPsec tunnel between two security appliances, and also to PAT the Internet traffic. Each security appliance has a private protected network behind it.

The 192.168.1.0 network behind PIX-A is translated to the 172.18.1.0 network, and the VPN traffic is sent through the IPsec tunnel with that translated source.

In an L2L VPN, you can normally initiate the IPsec tunnel from either tunnel endpoint. In this scenario, the PIX-A inside network (192.168.1.0) is translated to the 172.18.1.0 network with Policy NAT for VPN traffic. Because of this translation, the source network of the interesting traffic, 172.18.1.0, is not reachable from PIX-B: if you try to initiate the tunnel from PIX-B, the destination address of the VPN interesting traffic, 172.18.1.0 (that is, the NATed network address of PIX-A), is not reachable. So you must initiate the VPN tunnel only from PIX-A.
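To make the Policy NAT point concrete, here is a constructed PIX/ASA 7.x-style configuration (pre-8.3 NAT syntax) for PIX-A, with the mirrored crypto ACL and NAT exemption on PIX-B. This is an added example, not the configuration from the Cisco document; the PIX-B inside network 10.10.10.0/24, the peer addresses 203.0.113.1 and 203.0.113.2, the ACL and crypto map names, and the pre-shared key placeholder are assumptions.

```cisco
! PIX-A (constructed example, pre-8.3 NAT syntax; every address other than
! 192.168.1.0/24 and 172.18.1.0/24 is an assumption)
!
! Policy NAT: only traffic from 192.168.1.0/24 toward PIX-B's inside network
! is translated to 172.18.1.0/24. A policy static takes precedence over the
! nat/global entry below, so ordinary Internet traffic is still PATed.
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
static (inside,outside) 172.18.1.0 access-list policy-nat
!
! PAT for Internet-bound traffic (the "also PAT the Internet traffic" part)
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! Crypto ACL: NAT is applied before the crypto map is evaluated on egress,
! so the interesting traffic must be defined with the TRANSLATED source.
access-list l2l-vpn extended permit ip 172.18.1.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address l2l-vpn
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
!
! PIX-B: the mirror image. Its crypto ACL and NAT exemption name 172.18.1.0/24,
! because that is the only address space PIX-B ever sees for PIX-A's hosts;
! as the text above explains, the tunnel therefore has to be initiated from PIX-A.
access-list l2l-vpn extended permit ip 10.10.10.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list nat0 extended permit ip 10.10.10.0 255.255.255.0 172.18.1.0 255.255.255.0
nat (inside) 0 access-list nat0
crypto map outside_map 10 match address l2l-vpn
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
```

Check the result with `show crypto ipsec sa` from PIX-A after sending interesting traffic from 192.168.1.0/24: the local identity in the SA should be 172.18.1.0/24, not 192.168.1.0/24. On ASA 8.3 and later the NAT commands above must be rewritten in object/twice-NAT form, and the crypto ACL must then use the untranslated (real) addresses instead.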