CCSP/CCVP--ASA5520 configuration example
程序员文章站
2022-05-28 13:59:52
hostname shafw01
domain-name heraeus.com
enable password
names
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.150
vlan 150
nameif inside_data
security-level 50
ip address 172.26.24.6 255.255.255.252
!
interface GigabitEthernet0/0.151
vlan 151
nameif inside_voice
security-level 50
ip address 10.48.8.1 255.255.255.0
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.161
vlan 161
nameif web
security-level 50
ip address 172.26.30.1 255.255.255.0
!
interface GigabitEthernet0/1.163
vlan 163
nameif secure
security-level 50
ip address 172.26.31.1 255.255.255.0
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface for Future
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.154
vlan 154
nameif sprint
security-level 50
ip address 172.26.24.9 255.255.255.252
!
interface Management0/0
nameif outside
security-level 50
ip address 222.66.83.18 255.255.255.240
!
boot system disk0:/asa704-k8.bin
ftp mode passive
clock timezone cet 8
dns domain-lookup inside_data
dns name-server 172.26.16.17
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type icmp_echo_request
icmp-object echo
object-group icmp-type icmp_echo_reply
icmp-object echo-reply
object-group icmp-type ICMP_echo
group-object icmp_echo_request
group-object icmp_echo_reply
object-group service udp_tftp udp
port-object eq tftp
object-group service udp_citrix udp
port-object eq 1604
object-group service udp_radius udp
port-object eq 1812
object-group service udp_radius_acct udp
port-object eq 1813
object-group service udp_rsa_5500 udp
port-object eq 5500
object-group service tcp_http tcp
port-object eq www
object-group service tcp_http_8080 tcp
port-object eq 8080
object-group service tcp_https tcp
port-object eq https
object-group service tcp_ftp tcp
port-object eq ftp
object-group service tcp_ntp tcp
port-object eq 123
object-group service udp_ntp udp
port-object eq ntp
object-group service tcp_smtp tcp
port-object eq smtp
object-group service tcp_ssh tcp
port-object eq ssh
object-group service tcp_squid_3128 tcp
port-object eq 3128
object-group service tcp_squid_2370 tcp
port-object eq 2370
object-group service tcp_sapdps_47xx tcp
port-object range 4700 4799
object-group service tcp_sapgw_33xx tcp
port-object range 3300 3399
object-group service tcp_sapdp_32xx tcp
port-object range 3200 3299
object-group service tcp_sapgws_48xx tcp
port-object range 4800 4899
object-group service tcp_sapms_36xx tcp
port-object range 3600 3699
object-group service tcp_jetdirect_9100 tcp
port-object eq 9100
object-group service tcp_printer tcp
port-object eq lpd
object-group service tcp_tacacs_plus tcp
port-object eq tacacs
object-group service TCP_squid_web tcp
group-object tcp_http
group-object tcp_https
group-object tcp_http_8080
object-group service TCP_squid_ftp tcp
group-object tcp_ftp
object-group service TCP_squid_all tcp
group-object TCP_squid_web
group-object TCP_squid_ftp
object-group service TCP_squid_port tcp
group-object tcp_squid_3128
group-object tcp_squid_2370
object-group service TCP_sap tcp
group-object tcp_sapdps_47xx
group-object tcp_sapgw_33xx
group-object tcp_sapdp_32xx
group-object tcp_sapgws_48xx
group-object tcp_sapms_36xx
object-group service TCP_printing tcp
group-object tcp_jetdirect_9100
group-object tcp_printer
object-group network n_VLAN108_16
network-object 172.26.16.0 255.255.255.0
object-group network n_VLAN105_22
network-object 172.26.22.0 255.255.255.0
object-group network n_VLAN106_25
network-object 172.26.25.0 255.255.255.0
object-group network n_VLAN163_31
network-object 172.26.31.0 255.255.255.0
! tcp_dameware_6129/6130 are referenced below but never defined in this listing; ports taken from the names
object-group service tcp_dameware_6129 tcp
port-object eq 6129
object-group service tcp_dameware_6130 tcp
port-object eq 6130
object-group service TCP_dameware tcp
group-object tcp_dameware_6129
group-object tcp_dameware_6130
object-group network N_RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
! tcp_telnet is referenced by TCP_client_auth but was missing from this listing; definition as in the running config below
object-group service tcp_telnet tcp
port-object eq telnet
object-group service TCP_client_auth tcp
group-object tcp_http
group-object tcp_https
group-object tcp_telnet
object-group network h_china_ntpserver
network-object host 202.108.158.139
object-group network h_auth42
network-object host 172.26.31.42
object-group network H_auth
group-object h_auth42
object-group network H_ntp_servers
group-object h_china_ntpserver
access-list TRIGGER extended permit tcp any object-group H_auth object-group TCP_client_auth
access-list NONAT remark # this is a nat rule, only permit's are allowed
access-list NONAT remark # no nat inside our networks
access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918
access-list POLICY remark # counterpart of trigger rule
access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth
access-list POLICY remark # # ntp
access-list POLICY extended permit tcp any object-group H_ntp_servers object-group tcp_ntp
access-list POLICY extended permit udp any object-group H_ntp_servers object-group udp_ntp
access-list HIDING remark # this is a nat rule, only permit's are allowed
access-list HIDING extended permit ip object-group N_RFC1918 any
access-list IPS extended permit ip any any
tcp-map mss
exceed-mss allow
!
pager lines 22
logging enable
logging console critical
logging monitor errors
logging buffered critical
logging trap errors
logging facility 16
logging host secure 172.26.31.142
logging permit-hostdown
mtu inside_data 1500
mtu web 1500
mtu secure 1500
mtu sprint 1500
mtu outside 1500
ip verify reverse-path interface inside_data
ip verify reverse-path interface web
ip verify reverse-path interface secure
ip verify reverse-path interface sprint
ip verify reverse-path interface outside
asdm image disk0:/asdm502.bin
no asdm history enable
arp outside {mac-outside interface} {hiding IP}
arp timeout 14400
global (outside) 1 {hiding ip} netmask 255.255.255.0
nat (inside_data) 0 access-list NONAT
nat (inside_voice) 0 access-list NONAT
nat (sprint) 0 access-list NONAT
nat (secure) 0 access-list NONAT
nat (inside_data) 1 access-list HIDING
route inside_data 172.26.25.0 255.255.255.0 172.26.24.5 1
route inside_data 172.26.22.0 255.255.255.0 172.26.24.5 1
route inside_data 172.26.16.0 255.255.255.0 172.26.24.5 1
route sprint 172.16.0.0 255.240.0.0 172.26.24.10 1
route sprint 10.0.0.0 255.0.0.0 172.26.24.10 1
route sprint 192.168.0.0 255.255.0.0 172.26.24.10 1
access-group POLICY in interface inside_data per-user-override
access-group POLICY in interface inside_voice
access-group POLICY in interface web
access-group POLICY in interface secure per-user-override
access-group POLICY in interface sprint per-user-override
access-group POLICY in interface outside
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:10
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute uauth 0:15:00 inactivity
virtual telnet 172.26.24.xx
auth-prompt prompt Please enter your username and password
auth-prompt accept Authentication succeeded.
auth-prompt reject Authentication failed. Try again.
telnet timeout 5
ssh scopy enable
ssh 172.22.161.0 255.255.255.0 sprint
ssh 172.26.16.0 255.255.255.0 inside_data
ssh 172.26.31.0 255.255.255.0 secure
ssh timeout 60
ssh version 2
console timeout 0
management-access inside_data
! only one management-access interface can be active; the running config below keeps inside_data
management-access sprint
!
class-map my-ips-class
match access-list IPS
class-map VoIP
match dscp cs3 ef
class-map inspection_default
match default-inspection-traffic
class-map mss-map
match access-list MSS-exceptions
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect rtsp
inspect skinny
inspect tftp
inspect sip
inspect icmp
inspect ctiqbe
inspect dns
inspect http
class mss-map
set connection advanced-options mss
class my-ips-class
ips promiscuous fail-open
policy-map qos
class VoIP
priority
policy-map my-ips-policy
class my-ips-class
ips promiscuous fail-open
!
service-policy global_policy global
ntp server 202.108.158.139

shafw01(config)# sh run
: Saved
:
ASA Version 7.0(4)
!
hostname shafw01
domain-name heraeus.com
enable password .68HJO4Qmg83HE2S encrypted
names
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.150
vlan 150
nameif inside_data
security-level 50
ip address 172.26.24.18 255.255.255.240
!
interface GigabitEthernet0/0.151
vlan 151
nameif inside_voice
security-level 50
ip address 10.48.8.1 255.255.255.0
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.161
vlan 161
nameif web
security-level 50
ip address 172.26.30.1 255.255.255.0
!
interface GigabitEthernet0/1.163
vlan 163
nameif secure
security-level 50
ip address 172.26.31.1 255.255.255.0
!
interface GigabitEthernet0/2
description LAN/STATE Failover interface for future
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.154
vlan 154
nameif sprint
security-level 50
ip address 172.26.24.9 255.255.255.0
!
interface Management0/0
nameif outside
security-level 50
ip address 222.66.83.18 255.255.255.240
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/0
boot system disk0:/asa704-k8.bin
ftp mode passive
clock timezone cet 8
dns domain-lookup inside_data
dns name-server 172.26.16.17
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type icmp_echo_request
icmp-object echo
object-group icmp-type icmp_echo_reply
object-group network h_china_ntpserver
network-object host 202.108.158.139
object-group network h_auth42
network-object host 172.26.31.42
network-object host 172.26.24.19
object-group network N_RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group network n_VLAN108_16
network-object 172.26.16.0 255.255.255.0
object-group network n_VLAN105_22
network-object 172.26.22.0 255.255.255.0
object-group network n_VLAN106_25
network-object 172.26.25.0 255.255.255.0
object-group network n_VLAN163_31
network-object 172.26.31.0 255.255.255.0
object-group network n_VLAN108_18
network-object 172.26.18.0 255.255.255.0
object-group network N_RDCA_S_C
group-object n_VLAN108_18
group-object n_VLAN108_16
group-object n_VLAN105_22
object-group service tcp_http tcp
port-object eq www
object-group service tcp_https tcp
port-object eq https
object-group service tcp_telnet tcp
port-object eq telnet
object-group service TCP_client_auth tcp
group-object tcp_http
group-object tcp_https
group-object tcp_telnet
object-group service tcp_http_8080 tcp
port-object eq 8080
object-group service tcp_ftp tcp
port-object eq ftp
object-group service tcp_ntp tcp
port-object eq 123
object-group service udp_ntp udp
port-object eq ntp
object-group service tcp_smtp tcp
port-object eq smtp
object-group service tcp_ssh tcp
port-object eq ssh
object-group network H_auth
group-object h_auth42
object-group network H_ntp_servers
group-object h_china_ntpserver
object-group service TCP_webservice tcp
group-object tcp_http
group-object tcp_https
access-list HIDING extended permit ip object-group N_RFC1918 any
access-list HIDING remark # this is a nat rule, only permit's are allowed
access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918
access-list POLICY remark # counterpart of trigger rule
access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth
access-list POLICY remark # # ntp
access-list POLICY extended permit tcp any object-group H_ntp_servers object-group tcp_ntp
access-list POLICY extended permit udp any object-group H_ntp_servers object-group udp_ntp
access-list POLICY remark # RDCA-webbrowsing rule
access-list POLICY extended permit tcp object-group N_RDCA_S_C any object-group TCP_webservice log
access-list POLICY remark # All Internal Network is allowed
access-list POLICY remark # All Internal Network Traffic is allowed
access-list POLICY extended permit ip object-group N_RFC1918 object-group N_RFC1918 log
access-list POLICY extended deny ip any any log
access-list IPS extended permit ip any any
pager lines 24
logging enable
logging buffer-size 10000
logging console critical
logging monitor errors
logging buffered errors
logging trap errors
logging facility 16
logging host secure 172.26.31.142
logging permit-hostdown
mtu inside_data 1500
mtu inside_voice 1500
mtu web 1500
mtu secure 1500
mtu sprint 1500
mtu outside 1500
ip verify reverse-path interface inside_data
ip verify reverse-path interface web
ip verify reverse-path interface secure
ip verify reverse-path interface sprint
ip verify reverse-path interface outside
no failover
asdm image disk0:/asdm504.bin
no asdm history enable
arp outside 222.66.83.19 0013.c482.3ffc
arp timeout 14400
global (outside) 1 222.66.83.19 netmask 255.255.255.255
nat (inside_data) 0 access-list NONAT
nat (inside_data) 1 access-list HIDING
nat (inside_voice) 0 access-list NONAT
nat (secure) 0 access-list NONAT
nat (sprint) 0 access-list NONAT
access-group POLICY in interface inside_data
access-group POLICY in interface web
access-group POLICY in interface sprint
access-group POLICY in interface outside
route inside_data 172.26.23.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.10.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.25.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.22.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.16.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.18.0 255.255.255.0 172.26.24.17 1
route sprint 172.16.0.0 255.240.0.0 172.26.24.10 1
route sprint 10.0.0.0 255.0.0.0 172.26.24.10 1
route sprint 192.168.0.0 255.255.0.0 172.26.24.10 1
route outside 0.0.0.0 0.0.0.0 222.66.83.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username wafersys password N3432S3svONQ.rWm encrypted
username rdcafwadmin password iqtp6BSrFydQnyAe encrypted
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 172.26.24.19
auth-prompt prompt Please enter your username and password
auth-prompt accept Authentication succeeded.
auth-prompt reject Authentication failed. Try again.
telnet timeout 5
ssh scopy enable
ssh 172.22.161.0 255.255.255.0 inside_data
ssh 172.22.163.0 255.255.255.0 inside_data
ssh 172.26.18.0 255.255.255.0 inside_data
ssh timeout 60
ssh version 2
console timeout 0
management-access inside_data
!
class-map my-ips-class
match access-list IPS
class-map Voip
match dscp cs3 ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class my-ips-class
ips promiscuous fail-open
policy-map qos
class Voip
priority
policy-map my-ips-policy
class my-ips-class
ips promiscuous fail-open
!
service-policy global_policy global
ntp server 202.108.158.139
Cryptochecksum:c46fbf0ead94c0a5c60d415f8b5ce82b
: end
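The running config above is small enough to read by eye, but three of its properties are easy to miss: the first listing references object-groups (tcp_dameware_6129, tcp_dameware_6130, tcp_telnet) that it never defines, two nameif'd interfaces (inside_voice, secure) carry no access-group, and every interface including outside sits at security-level 50 with same-security-traffic permit inter-interface, so the level model gives the inside networks no protection and the POLICY ACL is the only control. The Python below is an added example, not part of this page and not a Cisco tool, that parses a listing and reports exactly those conditions plus any ACE shadowed by an earlier "ip any any" entry. CONFIG is a constructed excerpt transcribed from the two listings; its final "permit tcp any any eq ssh" line is constructed to exercise the shadowing check and does not appear on the page.

```python
from collections import defaultdict

# Constructed excerpt: transcribed from the listings on this page (the dangling
# tcp_dameware_* / tcp_telnet references are in the first listing); the last
# 'permit tcp any any eq ssh' ACE is constructed for the shadow check.
CONFIG = """\
interface GigabitEthernet0/0.150
 nameif inside_data
 security-level 50
interface GigabitEthernet0/0.151
 nameif inside_voice
 security-level 50
interface GigabitEthernet0/1.163
 nameif secure
 security-level 50
interface Management0/0
 nameif outside
 security-level 50
same-security-traffic permit inter-interface
object-group network H_auth
 network-object host 172.26.31.42
object-group service tcp_http tcp
 port-object eq www
object-group service TCP_client_auth tcp
 group-object tcp_http
 group-object tcp_telnet
object-group service TCP_dameware tcp
 group-object tcp_dameware_6129
 group-object tcp_dameware_6130
access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth
access-list POLICY extended deny ip any any log
access-list POLICY extended permit tcp any any eq ssh
access-group POLICY in interface inside_data
access-group POLICY in interface outside
"""

def parse_config(text):
    """One pass over the listing, keeping only what the checks below need."""
    st = {"defined": set(), "referenced": {}, "levels": {}, "applied": set(),
          "acls": defaultdict(list), "inter_interface": False}
    nameif = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            nameif = None                          # level belongs to the next nameif
        elif w[0] == "nameif":
            st["levels"].setdefault(nameif := w[1], None)
        elif w[0] == "security-level" and nameif:
            st["levels"][nameif] = int(w[1])
        elif w[0] == "same-security-traffic" and "inter-interface" in w:
            st["inter_interface"] = True
        elif w[0] == "object-group":
            st["defined"].add(w[2])
        elif w[0] == "group-object":
            st["referenced"].setdefault(w[1], raw.strip())
        elif w[0] == "access-list" and w[2] != "remark":
            st["acls"][w[1]].append(w[3:])         # action proto src dst ...
            for i, tok in enumerate(w):
                if tok == "object-group":
                    st["referenced"].setdefault(w[i + 1], raw.strip())
        elif w[0] == "access-group":
            st["applied"].add(w[4])                # access-group NAME in interface IF
    return st

def undefined_groups(st):
    """Names used by group-object or ACE lines that never get a definition."""
    return sorted(set(st["referenced"]) - st["defined"])

def shadowed_aces(st, acl):
    """ACEs listed after the first 'ip any any' catch-all can never match."""
    aces = st["acls"][acl]
    for i, ace in enumerate(aces):
        if ace[1:4] == ["ip", "any", "any"]:
            return [" ".join(a) for a in aces[i + 1:]]
    return []

def unfiltered_interfaces(st):
    """No inbound access-group: the security-level default decides for them."""
    return sorted(n for n in st["levels"] if n not in st["applied"])

def not_above_outside(st, outside="outside"):
    """Level not higher than outside while inter-interface traffic is permitted."""
    lvl = st["levels"].get(outside)
    if lvl is None or not st["inter_interface"]:
        return []
    return sorted(n for n, l in st["levels"].items()
                  if n != outside and l is not None and l <= lvl)

def audit(text):
    st = parse_config(text)
    return {"undefined_groups": undefined_groups(st),
            "shadowed_aces": {a: shadowed_aces(st, a) for a in st["acls"]},
            "unfiltered_interfaces": unfiltered_interfaces(st),
            "not_above_outside": not_above_outside(st)}

if __name__ == "__main__":
    for check, hits in audit(CONFIG).items():
        print(f"{check}: {hits}")
```

Run it against a full "show running-config" capture by reading the file into CONFIG; the parser only looks at interface, object-group, access-list and access-group lines, so the rest of the listing is ignored rather than misread. Because every level is 50, not_above_outside returns every inside interface, which is the cue that POLICY (and its closing deny ip any any log) is doing all the work here.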
shafw01(config)# sh ver

Cisco Adaptive Security Appliance Software Version 7.0(4)
Device Manager Version 5.0(4)

Compiled on Thu 13-Oct-05 21:43 by builders
System image file is "disk0:/asa704-k8.bin"
Config file at boot was "startup-config"

shafw01 up 47 mins 3 secs

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: GigabitEthernet0/0  : address is 0013.c482.3ff8, irq 9
 1: Ext: GigabitEthernet0/1  : address is 0013.c482.3ff9, irq 9
 2: Ext: GigabitEthernet0/2  : address is 0013.c482.3ffa, irq 9
 3: Ext: GigabitEthernet0/3  : address is 0013.c482.3ffb, irq 9
 4: Ext: Management0/0       : address is 0013.c482.3ffc, irq 11
 5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
 6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : 300

This platform has a Base license.

Serial Number: JMX0949K06H
Running Activation Key: 0x7626e778 0xf831bcc6 0x445328fc 0x84003414 0x0e1bcb8a
Configuration register is 0x1
Configuration last modified by enable_15 at 16:29:59.641 cet Thu Feb 16 2006
shafw01(config)# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  up                    up
GigabitEthernet0/0.150     172.26.24.18    YES CONFIG up                    up
GigabitEthernet0/0.151     10.48.8.1       YES CONFIG up                    up
GigabitEthernet0/1         unassigned      YES unset  up                    up
GigabitEthernet0/1.161     172.26.30.1     YES CONFIG up                    up
GigabitEthernet0/1.163     172.26.31.1     YES CONFIG up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  up                    up
GigabitEthernet0/3.154     172.26.24.9     YES CONFIG up                    up
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Management0/0              222.66.83.18    YES CONFIG up                    up
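The nat 0 / nat 1 pair in the running config (NONAT exempts RFC1918-to-RFC1918 traffic from translation, HIDING sends everything else leaving inside_data to PAT on 222.66.83.19 through global (outside) 1) is easiest to reason about as a per-interface lookup. The Python below is an added example, not Cisco code and not from this page: the rule table is transcribed from the sh run, the flows are constructed (8.8.8.8 stands in for any Internet address), and the evaluation order, nat 0 exemption before dynamic NAT and a dynamic rule only usable when a global with the same ID exists on the egress interface, follows the ASA 7.x NAT documentation. Two things the table makes obvious: only inside_data carries a nat 1, so hosts on secure, inside_voice and sprint reach outside with no translation rule at all, and web has no nat statement whatsoever. The static arp entry for 222.66.83.19 points at 0013.c482.3ffc, which the sh ver output lists as Management0/0, the outside interface.

```python
import ipaddress

def nets(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)

# object-group network N_RFC1918, as in the running config
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = nets("0.0.0.0/0")

# access-list NONAT / HIDING reduced to (source networks, destination networks)
ACLS = {"NONAT": (RFC1918, RFC1918), "HIDING": (RFC1918, ANY)}

# nat (INTERFACE) ID access-list NAME, per ingress interface, as the sh run lists them
NAT_RULES = {
    "inside_data":  [(0, "NONAT"), (1, "HIDING")],
    "inside_voice": [(0, "NONAT")],
    "secure":       [(0, "NONAT")],
    "sprint":       [(0, "NONAT")],
    "web":          [],                      # no nat statement at all
}
# global (outside) 1 222.66.83.19 netmask 255.255.255.255: PAT to one address
GLOBALS = {"outside": {1: ipaddress.ip_address("222.66.83.19")}}

def acl_matches(name, src, dst):
    srcs, dsts = ACLS[name]
    return any(src in n for n in srcs) and any(dst in n for n in dsts)

def translate(src, dst, ingress, egress):
    """Return (source address as seen on egress, explanation) for one flow.
    A None address means no xlate can be built for it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Exemption (nat 0 access-list) is consulted before any dynamic rule,
    # whatever order the statements were typed in.
    rules = sorted(NAT_RULES.get(ingress, []), key=lambda r: r[0] != 0)
    for nat_id, acl in rules:
        if not acl_matches(acl, src, dst):
            continue
        if nat_id == 0:
            return str(src), f"exempt: nat ({ingress}) 0 access-list {acl}"
        pool = GLOBALS.get(egress, {}).get(nat_id)
        if pool is None:                     # dynamic rule hit, nothing to map to on egress
            return None, f"nat ({ingress}) {nat_id} matched but no global ({egress}) {nat_id}"
        return str(pool), f"PAT: nat ({ingress}) {nat_id} -> global ({egress}) {nat_id}"
    return str(src), "no nat statement matched; outcome depends on nat-control"

if __name__ == "__main__":
    # Constructed flows, not taken from the page.
    for flow in [("172.26.16.5", "10.1.1.1", "inside_data", "sprint"),
                 ("172.26.16.5", "8.8.8.8", "inside_data", "outside"),
                 ("172.26.31.42", "8.8.8.8", "secure", "outside"),
                 ("172.26.16.5", "8.8.8.8", "inside_data", "sprint")]:
        print(flow, "->", translate(*flow))
```

The last sample flow is the interesting one: a host behind inside_data talking to a public address over the sprint link matches HIDING, but there is no global (sprint) 1, so the appliance has nothing to translate to. The config does not set nat-control, so for flows that match no nat statement at all the script only reports that fact rather than guessing pass or drop.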