CCSP/CCVP -- ASA 5520 configuration example

王朝 other · Author: anonymous  2008-05-31

hostname shafw01

domain-name heraeus.com

enable password

names

!

interface GigabitEthernet0/0

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/0.150

vlan 150

nameif inside_data

security-level 50

ip address 172.26.24.6 255.255.255.252

!

interface GigabitEthernet0/0.151

vlan 151

nameif inside_voice

security-level 50

ip address 10.48.8.1 255.255.255.0

!

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1.161

vlan 161

nameif web

security-level 50

ip address 172.26.30.1 255.255.255.0

!

interface GigabitEthernet0/1.163

vlan 163

nameif secure

security-level 50

ip address 172.26.31.1 255.255.255.0

!

interface GigabitEthernet0/2

description LAN/STATE Failover Interface for Future

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.154

vlan 154

nameif sprint

security-level 50

ip address 172.26.24.9 255.255.255.252

!

interface Management0/0

nameif outside

security-level 50

ip address 222.66.83.18 255.255.255.240

!

boot system disk0:/asa704-k8.bin

ftp mode passive

clock timezone cet 8

dns domain-lookup inside_data

dns name-server 172.26.16.17

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group icmp-type icmp_echo_request

icmp-object echo

object-group icmp-type icmp_echo_reply

icmp-object echo-reply

object-group icmp-type ICMP_echo

group-object icmp_echo_request

group-object icmp_echo_reply

object-group service udp_tftp udp

port-object eq tftp

object-group service udp_citrix udp

port-object eq 1604

object-group service udp_radius udp

port-object eq 1812

object-group service udp_radius_acct udp

port-object eq 1813

object-group service udp_rsa_5500 udp

port-object eq 5500

object-group service tcp_http tcp

port-object eq www

object-group service tcp_http_8080 tcp

port-object eq 8080

object-group service tcp_https tcp

port-object eq https

object-group service tcp_ftp tcp

port-object eq ftp

object-group service tcp_ntp tcp

port-object eq 123

object-group service udp_ntp udp

port-object eq ntp

object-group service tcp_smtp tcp

port-object eq smtp

object-group service tcp_ssh tcp

port-object eq ssh

object-group service tcp_squid_3128 tcp

port-object eq 3128

object-group service tcp_squid_2370 tcp

port-object eq 2370

object-group service tcp_sapdps_47xx tcp

port-object range 4700 4799

object-group service tcp_sapgw_33xx tcp

port-object range 3300 3399

object-group service tcp_sapdp_32xx tcp

port-object range 3200 3299

object-group service tcp_sapgws_48xx tcp

port-object range 4800 4899

object-group service tcp_sapms_36xx tcp

port-object range 3600 3699

object-group service tcp_jetdirect_9100 tcp

port-object eq 9100

object-group service tcp_printer tcp

port-object eq lpd

object-group service tcp_tacacs_plus tcp

port-object eq tacacs

object-group service TCP_squid_web tcp

group-object tcp_http

group-object tcp_https

group-object tcp_http_8080

object-group service TCP_squid_ftp tcp

group-object tcp_ftp

object-group service TCP_squid_all tcp

group-object TCP_squid_web

group-object TCP_squid_ftp

object-group service TCP_squid_port tcp

group-object tcp_squid_3128

group-object tcp_squid_2370

object-group service TCP_sap tcp

group-object tcp_sapdps_47xx

group-object tcp_sapgw_33xx

group-object tcp_sapdp_32xx

group-object tcp_sapgws_48xx

group-object tcp_sapms_36xx

object-group service TCP_printing tcp

group-object tcp_jetdirect_9100

group-object tcp_printer

object-group network n_VLAN108_16

network-object 172.26.16.0 255.255.255.0

object-group network n_VLAN105_22

network-object 172.26.22.0 255.255.255.0

object-group network n_VLAN106_25

network-object 172.26.25.0 255.255.255.0

object-group network n_VLAN163_31

network-object 172.26.31.0 255.255.255.0

object-group service tcp_dameware_6129 tcp

port-object eq 6129

object-group service tcp_dameware_6130 tcp

port-object eq 6130

object-group service TCP_dameware tcp

group-object tcp_dameware_6129

group-object tcp_dameware_6130

object-group network N_RFC1918

network-object 10.0.0.0 255.0.0.0

network-object 172.16.0.0 255.240.0.0

network-object 192.168.0.0 255.255.0.0

object-group service tcp_telnet tcp

port-object eq telnet

object-group service TCP_client_auth tcp

group-object tcp_http

group-object tcp_https

group-object tcp_telnet

object-group network h_china_ntpserver

network-object host 202.108.158.139

object-group network h_auth42

network-object host 172.26.31.42

object-group network H_auth

group-object h_auth42

object-group network H_ntp_servers

group-object h_china_ntpserver

access-list TRIGGER extended permit tcp any object-group H_auth object-group TCP_client_auth

access-list NONAT remark # this is a nat rule, only permit's are allowed

access-list NONAT remark # no nat inside our networks

access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918

access-list POLICY remark # counterpart of trigger rule

access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth

access-list POLICY remark # # ntp

access-list POLICY extended permit tcp any object-group H_ntp_servers object-group tcp_ntp

access-list POLICY extended permit udp any object-group H_ntp_servers object-group udp_ntp

access-list HIDING remark # this is a nat rule, only permit's are allowed

access-list HIDING extended permit ip object-group N_RFC1918 any

access-list IPS extended permit ip any any

tcp-map mss

exceed-mss allow

!

pager lines 22

logging enable

logging console critical

logging monitor errors

logging buffered critical

logging trap errors

logging facility 16

logging host secure 172.26.31.142

logging permit-hostdown

mtu inside_data 1500

mtu web 1500

mtu secure 1500

mtu sprint 1500

mtu outside 1500

ip verify reverse-path interface inside_data

ip verify reverse-path interface web

ip verify reverse-path interface secure

ip verify reverse-path interface sprint

ip verify reverse-path interface outside

asdm image disk0:/asdm502.bin

no asdm history enable

arp outside {hiding IP} {MAC of outside interface}

arp timeout 14400

global (outside) 1 {hiding ip} netmask 255.255.255.0

nat (inside_data) 0 access-list NONAT

nat (inside_voice) 0 access-list NONAT

nat (sprint) 0 access-list NONAT

nat (secure) 0 access-list NONAT

nat (inside_data) 1 access-list HIDING

route inside_data 172.26.25.0 255.255.255.0 172.26.24.5 1

route inside_data 172.26.22.0 255.255.255.0 172.26.24.5 1

route inside_data 172.26.16.0 255.255.255.0 172.26.24.5 1

route sprint 172.16.0.0 255.240.0.0 172.26.24.10 1

route sprint 10.0.0.0 255.0.0.0 172.26.24.10 1

route sprint 192.168.0.0 255.255.0.0 172.26.24.10 1

access-group POLICY in interface inside_data per-user-override

access-group POLICY in interface inside_voice

access-group POLICY in interface web

access-group POLICY in interface secure per-user-override

access-group POLICY in interface sprint per-user-override

access-group POLICY in interface outside

timeout xlate 3:00:00

timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:10

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:00:00 absolute uauth 0:15:00 inactivity

virtual telnet 172.26.24.xx

auth-prompt prompt Please enter your username and password

auth-prompt accept Authentication succeeded.

auth-prompt reject Authentication failed. Try again.

telnet timeout 5

ssh scopy enable

ssh 172.22.161.0 255.255.255.0 sprint

ssh 172.26.16.0 255.255.255.0 inside_data

ssh 172.26.31.0 255.255.255.0 secure

ssh timeout 60

ssh version 2

console timeout 0

management-access inside_data

management-access sprint

class-map my-ips-class

match access-list IPS

class-map VoIP

match dscp cs3 ef

class-map inspection_default

match default-inspection-traffic

class-map mss-map

match access-list MSS-exceptions

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect rtsp

inspect skinny

inspect tftp

inspect sip

inspect icmp

inspect ctiqbe

inspect dns

inspect http

class mss-map

set connection advanced-options mss

class my-ips-class

ips promiscuous fail-open

policy-map qos

class VoIP

priority

policy-map my-ips-policy

class my-ips-class

ips promiscuous fail-open

service-policy global_policy global

ntp server 202.108.158.139

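Added example, not part of the original page: a small Python cross-reference check that parses the ASA 7.x `object-group` / `access-list` syntax used in the template above and reports names that are referenced but never defined (a `group-object` pointing at a missing group, an ACE using an undefined `object-group`, or a `match access-list` / `nat` / `access-group` naming an ACL that does not exist). The config excerpt embedded in it is constructed for the demo and mirrors the template's shape.

```python
"""Dangling-reference checker for ASA object-groups and access-lists.
Added example; the SAMPLE config below is constructed, not the page's own."""
import re

OG_DEF = re.compile(r"^object-group\s+(?:icmp-type|service|network|protocol)\s+(\S+)")
ACL_DEF = re.compile(r"^access-list\s+(\S+)\s")
GROUP_REF = re.compile(r"^group-object\s+(\S+)")
OG_REF = re.compile(r"\bobject-group\s+(\S+)")
ACL_REF = re.compile(r"\b(?:match\s+access-list|access-list|access-group)\s+(\S+)")


def check_config(text):
    """Return (defined object-groups, defined ACLs, sorted dangling refs).
    Each dangling ref is (line_no, kind, name); line_no is 1-based."""
    og_defs, acl_defs = set(), set()
    og_refs, acl_refs = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = OG_DEF.match(line)
        if m:                                   # object-group definition
            og_defs.add(m.group(1))
            continue
        m = ACL_DEF.match(line)
        if m:                                   # ACE (or remark) defines the ACL
            acl_defs.add(m.group(1))
            og_refs += [(no, n) for n in OG_REF.findall(line)]
            continue
        m = GROUP_REF.match(line)
        if m:                                   # nested group reference
            og_refs.append((no, m.group(1)))
            continue
        for n in ACL_REF.findall(line):         # nat / access-group / class-map
            acl_refs.append((no, n))
    dangling = [(no, "object-group", n) for no, n in og_refs if n not in og_defs]
    dangling += [(no, "access-list", n) for no, n in acl_refs if n not in acl_defs]
    return og_defs, acl_defs, sorted(dangling)


# Constructed excerpt: deliberately leaves tcp_telnet, tcp_dameware_6129,
# H_auth and MSS-exceptions undefined, the same kind of gaps a template has.
SAMPLE = """\
object-group service tcp_http tcp
 port-object eq www
object-group service TCP_client_auth tcp
 group-object tcp_http
 group-object tcp_telnet
object-group service TCP_dameware tcp
 group-object tcp_dameware_6129
object-group network N_RFC1918
 network-object 10.0.0.0 255.0.0.0
access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918
access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth
class-map mss-map
 match access-list MSS-exceptions
nat (inside_data) 0 access-list NONAT
access-group POLICY in interface inside_data
"""

if __name__ == "__main__":
    for no, kind, name in check_config(SAMPLE)[2]:
        print(f"line {no}: {kind} '{name}' is referenced but never defined")
```

Run it against a saved `show running-config` before pasting a template into a unit; anything it reports would be rejected by the ASA parser or silently leave a policy hook unattached.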

==========================================================================

shafw01(config)# sh run

: Saved

:

ASA Version 7.0(4)

!

hostname shafw01

domain-name heraeus.com

enable password .68HJO4Qmg83HE2S encrypted

names

!

interface GigabitEthernet0/0

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/0.150

vlan 150

nameif inside_data

security-level 50

ip address 172.26.24.18 255.255.255.240

!

interface GigabitEthernet0/0.151

vlan 151

nameif inside_voice

security-level 50

ip address 10.48.8.1 255.255.255.0

!

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1.161

vlan 161

nameif web

security-level 50

ip address 172.26.30.1 255.255.255.0

!

interface GigabitEthernet0/1.163

vlan 163

nameif secure

security-level 50

ip address 172.26.31.1 255.255.255.0

!

interface GigabitEthernet0/2

description LAN/STATE Failover interface for futer!

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.154

vlan 154

nameif sprint

security-level 50

ip address 172.26.24.9 255.255.255.0

!

interface Management0/0

nameif outside

security-level 50

ip address 222.66.83.18 255.255.255.240

!

passwd 2KFQnbNIdI.2KYOU encrypted

boot system disk0:/0

boot system disk0:/asa704-k8.bin

ftp mode passive

clock timezone cet 8

dns domain-lookup inside_data

dns name-server 172.26.16.17

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group icmp-type icmp_echo_request

icmp-object echo

object-group icmp-type icmp_echo_reply

object-group network h_china_ntpserver

network-object host 202.108.158.139

object-group network h_auth42

network-object host 172.26.31.42

network-object host 172.26.24.19

object-group network N_RFC1918

network-object 10.0.0.0 255.0.0.0

network-object 172.16.0.0 255.240.0.0

network-object 192.168.0.0 255.255.0.0

object-group network n_VLAN108_16

network-object 172.26.16.0 255.255.255.0

object-group network n_VLAN105_22

network-object 172.26.22.0 255.255.255.0

object-group network n_VLAN106_25

network-object 172.26.25.0 255.255.255.0

object-group network n_VLAN163_31

network-object 172.26.31.0 255.255.255.0

object-group network n_VLAN108_18

network-object 172.26.18.0 255.255.255.0

object-group network N_RDCA_S_C

group-object n_VLAN108_18

group-object n_VLAN108_16

group-object n_VLAN105_22

object-group service tcp_http tcp

port-object eq www

object-group service tcp_https tcp

port-object eq https

object-group service tcp_telnet tcp

port-object eq telnet

object-group service TCP_client_auth tcp

group-object tcp_http

group-object tcp_https

group-object tcp_telnet

object-group service tcp_http_8080 tcp

port-object eq 8080

object-group service tcp_ftp tcp

port-object eq ftp

object-group service tcp_ntp tcp

port-object eq 123

object-group service udp_ntp udp

port-object eq ntp

object-group service tcp_smtp tcp

port-object eq smtp

object-group service tcp_ssh tcp

port-object eq ssh

object-group network H_auth

group-object h_auth42

object-group network H_ntp_servers

group-object h_china_ntpserver

object-group service TCP_webservice tcp

group-object tcp_http

group-object tcp_https

access-list HIDING extended permit ip object-group N_RFC1918 any

access-list HIDING remark # this is a nat rule, only permit's are allowed

access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918

access-list POLICY remark # counterpart of trigger rule

access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth

access-list POLICY remark # # ntp

access-list POLICY extended permit tcp any object-group H_ntp_servers object-group tcp_ntp

access-list POLICY extended permit udp any object-group H_ntp_servers object-group udp_ntp

access-list POLICY remark # RDCA-webbrowsing rule

access-list POLICY extended permit tcp object-group N_RDCA_S_C any object-group TCP_webservice log

access-list POLICY remark # All Internal Network is allowed

access-list POLICY remark # All Internal Network Traffic is allowed

access-list POLICY extended permit ip object-group N_RFC1918 object-group N_RFC1918 log

access-list POLICY extended deny ip any any log

access-list IPS extended permit ip any any

pager lines 24

logging enable

logging buffer-size 10000

logging console critical

logging monitor errors

logging buffered errors

logging trap errors

logging facility 16

logging host secure 172.26.31.142

logging permit-hostdown

mtu inside_data 1500

mtu inside_voice 1500

mtu web 1500

mtu secure 1500

mtu sprint 1500

mtu outside 1500

ip verify reverse-path interface inside_data

ip verify reverse-path interface web

ip verify reverse-path interface secure

ip verify reverse-path interface sprint

ip verify reverse-path interface outside

no failover

asdm image disk0:/asdm504.bin

no asdm history enable

arp outside 222.66.83.19 0013.c482.3ffc

arp timeout 14400

global (outside) 1 222.66.83.19 netmask 255.255.255.255

nat (inside_data) 0 access-list NONAT

nat (inside_data) 1 access-list HIDING

nat (inside_voice) 0 access-list NONAT

nat (secure) 0 access-list NONAT

nat (sprint) 0 access-list NONAT

access-group POLICY in interface inside_data

access-group POLICY in interface web

access-group POLICY in interface sprint

access-group POLICY in interface outside

route inside_data 172.26.23.0 255.255.255.0 172.26.24.17 1

route inside_data 172.26.10.0 255.255.255.0 172.26.24.17 1

route inside_data 172.26.25.0 255.255.255.0 172.26.24.17 1

route inside_data 172.26.22.0 255.255.255.0 172.26.24.17 1

route inside_data 172.26.16.0 255.255.255.0 172.26.24.17 1

route inside_data 172.26.18.0 255.255.255.0 172.26.24.17 1

route sprint 172.16.0.0 255.240.0.0 172.26.24.10 1

route sprint 10.0.0.0 255.0.0.0 172.26.24.10 1

route sprint 192.168.0.0 255.255.0.0 172.26.24.10 1

route outside 0.0.0.0 0.0.0.0 222.66.83.17 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username wafersys password N3432S3svONQ.rWm encrypted

username rdcafwadmin password iqtp6BSrFydQnyAe encrypted

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

virtual telnet 172.26.24.19

auth-prompt prompt Please enter your username and password

auth-prompt accept Authentication succeeded.

auth-prompt reject Authentication failed. Try again.

telnet timeout 5

ssh scopy enable

ssh 172.22.161.0 255.255.255.0 inside_data

ssh 172.22.163.0 255.255.255.0 inside_data

ssh 172.26.18.0 255.255.255.0 inside_data

ssh timeout 60

ssh version 2

console timeout 0

management-access inside_data

!

class-map my-ips-class

match access-list IPS

class-map Voip

match dscp cs3 ef

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

class my-ips-class

ips promiscuous fail-open

policy-map qos

class Voip

priority

policy-map my-ips-policy

class my-ips-class

ips promiscuous fail-open

!

service-policy global_policy global

ntp server 202.108.158.139

Cryptochecksum:c46fbf0ead94c0a5c60d415f8b5ce82b

: end

shafw01(config)# sh ver

Cisco Adaptive Security Appliance Software Version 7.0(4)

Device Manager Version 5.0(4)

Compiled on Thu 13-Oct-05 21:43 by builders

System image file is "disk0:/asa704-k8.bin"

Config file at boot was "startup-config"

shafw01 up 47 mins 3 secs

Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 64MB

BIOS Flash AT49LW080: @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0 : address is 0013.c482.3ff8, irq 9

1: Ext: GigabitEthernet0/1 : address is 0013.c482.3ff9, irq 9

2: Ext: GigabitEthernet0/2 : address is 0013.c482.3ffa, irq 9

3: Ext: GigabitEthernet0/3 : address is 0013.c482.3ffb, irq 9

4: Ext: Management0/0 : address is 0013.c482.3ffc, irq 11

5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11

6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 25

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : 300

This platform has a Base license.

Serial Number: JMX0949K06H

Running Activation Key: 0x7626e778 0xf831bcc6 0x445328fc 0x84003414 0x0e1bcb8a

Configuration register is 0x1

Configuration last modified by enable_15 at 16:29:59.641 cet Thu Feb 16 2006

shafw01(config)# sh int ip brief

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0 unassigned YES unset up up

GigabitEthernet0/0.150 172.26.24.18 YES CONFIG up up

GigabitEthernet0/0.151 10.48.8.1 YES CONFIG up up

GigabitEthernet0/1 unassigned YES unset up up

GigabitEthernet0/1.161 172.26.30.1 YES CONFIG up up

GigabitEthernet0/1.163 172.26.31.1 YES CONFIG up up

GigabitEthernet0/2 unassigned YES unset administratively down down

GigabitEthernet0/3 unassigned YES unset up up

GigabitEthernet0/3.154 172.26.24.9 YES CONFIG up up

Internal-Control0/0 127.0.1.1 YES unset up up

Internal-Data0/0 unassigned YES unset up up

Management0/0 222.66.83.18 YES CONFIG up up

shafw01(config)#

 
 
 