
CCSP/CCVP -- ASA5520 configuration example

Programmer Article Site, 2022-05-28 13:59:52

hostname shafw01

domain-name heraeus.com

enable password

names

!

interface GigabitEthernet0/0

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/0.150

vlan 150

nameif inside_data

security-level 50

ip address 172.26.24.6 255.255.255.252

!

interface GigabitEthernet0/0.151

vlan 151

nameif inside_voice

security-level 50

ip address 10.48.8.1 255.255.255.0

!

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1.161

vlan 161

nameif web

security-level 50

ip address 172.26.30.1 255.255.255.0

!

interface GigabitEthernet0/1.163

vlan 163

nameif secure

security-level 50

ip address 172.26.31.1 255.255.255.0

!

interface GigabitEthernet0/2

description LAN/STATE Failover Interface for Future

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.154

vlan 154

nameif sprint

security-level 50

ip address 172.26.24.9 255.255.255.252

!

interface Management0/0

nameif outside

security-level 50

ip address 222.66.83.18 255.255.255.240

!

boot system disk0:/asa704-k8.bin

ftp mode passive

clock timezone cet 8

dns domain-lookup inside_data

dns name-server 172.26.16.17

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group icmp-type icmp_echo_request

icmp-object echo

object-group icmp-type icmp_echo_reply

icmp-object echo-reply

object-group icmp-type ICMP_echo

group-object icmp_echo_request

group-object icmp_echo_reply

object-group service udp_tftp udp

port-object eq tftp

object-group service udp_citrix udp

port-object eq 1604

object-group service udp_radius udp

port-object eq 1812

object-group service udp_radius_acct udp

port-object eq 1813

object-group service udp_rsa_5500 udp

port-object eq 5500

object-group service tcp_http tcp

port-object eq www

object-group service tcp_http_8080 tcp

port-object eq 8080

object-group service tcp_https tcp

port-object eq https

object-group service tcp_ftp tcp

port-object eq ftp

object-group service tcp_ntp tcp

port-object eq 123

object-group service udp_ntp udp

port-object eq ntp

object-group service tcp_smtp tcp

port-object eq smtp

object-group service tcp_ssh tcp

port-object eq ssh

object-group service tcp_squid_3128 tcp

port-object eq 3128

object-group service tcp_squid_2370 tcp

port-object eq 2370

object-group service tcp_sapdps_47xx tcp

port-object range 4700 4799

object-group service tcp_sapgw_33xx tcp

port-object range 3300 3399

object-group service tcp_sapdp_32xx tcp

port-object range 3200 3299

object-group service tcp_sapgws_48xx tcp

port-object range 4800 4899

object-group service tcp_sapms_36xx tcp

port-object range 3600 3699

object-group service tcp_jetdirect_9100 tcp

port-object eq 9100

object-group service tcp_printer tcp

port-object eq lpd

object-group service tcp_tacacs_plus tcp

port-object eq tacacs

object-group service TCP_squid_web tcp

group-object tcp_http

group-object tcp_https

group-object tcp_http_8080

object-group service TCP_squid_ftp tcp

group-object tcp_ftp

object-group service TCP_squid_all tcp

group-object TCP_squid_web

group-object TCP_squid_ftp

object-group service TCP_squid_port tcp

group-object tcp_squid_3128

group-object tcp_squid_2370

object-group service TCP_sap tcp

group-object tcp_sapdps_47xx

group-object tcp_sapgw_33xx

group-object tcp_sapdp_32xx

group-object tcp_sapgws_48xx

group-object tcp_sapms_36xx

object-group service TCP_printing tcp

group-object tcp_jetdirect_9100

group-object tcp_printer

object-group network n_VLAN108_16

network-object 172.26.16.0 255.255.255.0

object-group network n_VLAN105_22

network-object 172.26.22.0 255.255.255.0

object-group network n_VLAN106_25

network-object 172.26.25.0 255.255.255.0

object-group network n_VLAN163_31

network-object 172.26.31.0 255.255.255.0

object-group service TCP_dameware tcp

group-object tcp_dameware_6129

group-object tcp_dameware_6130

object-group network N_RFC1918

network-object 10.0.0.0 255.0.0.0

network-object 172.16.0.0 255.240.0.0

network-object 192.168.0.0 255.255.0.0

object-group service TCP_client_auth tcp

group-object tcp_http

group-object tcp_https

group-object tcp_telnet

object-group network h_china_ntpserver

network-object host 202.108.158.139

object-group network h_auth42

network-object host 172.26.31.42

object-group network H_auth

group-object h_auth42

object-group network H_ntp_servers

group-object h_china_ntpserver

access-list TRIGGER extended permit tcp any object-group H_auth object-group TCP_client_auth

access-list NONAT remark # this is a nat rule, only permit's are allowed

access-list NONAT remark # no nat inside our networks

access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918

access-list POLICY remark # counterpart of trigger rule

access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth

access-list POLICY remark # # ntp

access-list POLICY extended permit tcp any object-group H_ntp_servers object-group tcp_ntp

access-list POLICY extended permit udp any object-group H_ntp_servers object-group udp_ntp

access-list HIDING remark # this is a nat rule, only permit's are allowed

access-list HIDING extended permit ip object-group N_RFC1918 any

access-list IPS extended permit ip any any

tcp-map mss

exceed-mss allow

!

pager lines 22

logging enable

logging console critical

logging monitor errors

logging buffered critical

logging trap errors

logging facility 16

logging host secure 172.26.31.142

logging permit-hostdown

mtu inside_data 1500

mtu web 1500

mtu secure 1500

mtu sprint 1500

mtu outside 1500

ip verify reverse-path interface inside_data

ip verify reverse-path interface web

ip verify reverse-path interface secure

ip verify reverse-path interface sprint

ip verify reverse-path interface outside

asdm image disk0:/asdm502.bin

no asdm history enable

arp outside {hiding IP} {MAC of outside interface}

arp timeout 14400

global (outside) 1 {hiding IP} netmask 255.255.255.0

nat (inside_data) 0 access-list NONAT

nat (inside_voice) 0 access-list NONAT

nat (sprint) 0 access-list NONAT

nat (secure) 0 access-list NONAT

nat (inside_data) 1 access-list HIDING

route inside_data 172.26.25.0 255.255.255.0 172.26.24.5 1

route inside_data 172.26.22.0 255.255.255.0 172.26.24.5 1

route inside_data 172.26.16.0 255.255.255.0 172.26.24.5 1

route sprint 172.16.0.0 255.240.0.0 172.26.24.10 1

route sprint 10.0.0.0 255.0.0.0 172.26.24.10 1

route sprint 192.168.0.0 255.255.0.0 172.26.24.10 1

access-group POLICY in interface inside_data per-user-override

access-group POLICY in interface inside_voice

access-group POLICY in interface web

access-group POLICY in interface secure per-user-override

access-group POLICY in interface sprint per-user-override

access-group POLICY in interface outside

timeout xlate 3:00:00

timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:10

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:00:00 absolute uauth 0:15:00 inactivity

virtual telnet 172.26.24.xx

auth-prompt prompt Please enter your username and password

auth-prompt accept Authentication succeeded.

auth-prompt reject Authentication failed. Try again.

telnet timeout 5

ssh scopy enable

ssh 172.22.161.0 255.255.255.0 sprint

ssh 172.26.16.0 255.255.255.0 inside_data

ssh 172.26.31.0 255.255.255.0 secure

ssh timeout 60

ssh version 2

console timeout 0

management-access inside_data

management-access sprint

class-map my-ips-class

match access-list IPS

class-map VoIP

match dscp cs3 ef

class-map inspection_default

match default-inspection-traffic

class-map mss-map

match access-list MSS-exceptions

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect rtsp

inspect skinny

inspect tftp

inspect sip

inspect icmp

inspect ctiqbe

inspect dns

inspect http

class mss-map

set connection advanced-options mss

class my-ips-class

ips promiscuous fail-open

policy-map qos

class VoIP

priority

policy-map my-ips-policy

class my-ips-class

ips promiscuous fail-open

service-policy global_policy global

ntp server 202.108.158.139

shafw01(config)# sh run

: Saved

:

ASA Version 7.0(4)

!

hostname shafw01

domain-name heraeus.com

enable password .68HJO4Qmg83HE2S encrypted

names

!

interface GigabitEthernet0/0

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/0.150

vlan 150

nameif inside_data

security-level 50

ip address 172.26.24.18 255.255.255.240

!

interface GigabitEthernet0/0.151

vlan 151

nameif inside_voice

security-level 50

ip address 10.48.8.1 255.255.255.0

!

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1.161

vlan 161

nameif web

security-level 50

ip address 172.26.30.1 255.255.255.0

!

interface GigabitEthernet0/1.163

vlan 163

nameif secure

security-level 50

ip address 172.26.31.1 255.255.255.0

!

interface GigabitEthernet0/2

description LAN/STATE Failover interface for futer!

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3.154

vlan 154

nameif sprint

security-level 50

ip address 172.26.24.9 255.255.255.0

!

interface Management0/0

nameif outside

security-level 50

ip address 222.66.83.18 255.255.255.240

!

passwd 2KFQnbNIdI.2KYOU encrypted

boot system disk0:/0

boot system disk0:/asa704-k8.bin

ftp mode passive

clock timezone cet 8

dns domain-lookup inside_data

dns name-server 172.26.16.17

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group icmp-type icmp_echo_request

icmp-object echo

object-group icmp-type icmp_echo_reply

object-group network h_china_ntpserver

network-object host 202.108.158.139

object-group network h_auth42

network-object host 172.26.31.42

network-object host 172.26.24.19

object-group network N_RFC1918

network-object 10.0.0.0 255.0.0.0

network-object 172.16.0.0 255.240.0.0

network-object 192.168.0.0 255.255.0.0

object-group network n_VLAN108_16

network-object 172.26.16.0 255.255.255.0

object-group network n_VLAN105_22

network-object 172.26.22.0 255.255.255.0

object-group network n_VLAN106_25

network-object 172.26.25.0 255.255.255.0

object-group network n_VLAN163_31

network-object 172.26.31.0 255.255.255.0

object-group network n_VLAN108_18

network-object 172.26.18.0 255.255.255.0

object-group network N_RDCA_S_C

group-object n_VLAN108_18

group-object n_VLAN108_16

group-object n_VLAN105_22

object-group service tcp_http tcp

port-object eq www

object-group service tcp_https tcp

port-object eq https

object-group service tcp_telnet tcp

port-object eq telnet

object-group service TCP_client_auth tcp

group-object tcp_http

group-object tcp_https

group-object tcp_telnet

object-group service tcp_http_8080 tcp

port-object eq 8080

object-group service tcp_ftp tcp

port-object eq ftp

object-group service tcp_ntp tcp

port-object eq 123

object-group service udp_ntp udp

port-object eq ntp

object-group service tcp_smtp tcp

port-object eq smtp

object-group service tcp_ssh tcp

port-object eq ssh

object-group network H_auth

group-object h_auth42

object-group network H_ntp_servers

group-object h_china_ntpserver

object-group service TCP_webservice tcp

group-object tcp_http

group-object tcp_https

access-list HIDING extended permit ip object-group N_RFC1918 any

access-list HIDING remark # this is a nat rule, only permit's are allowed

access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918

access-list POLICY remark # counterpart of trigger rule

access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth

access-list POLICY remark # # ntp

access-list POLICY extended permit tcp any object-group H_ntp_servers object-group tcp_ntp

access-list POLICY extended permit udp any object-group H_ntp_servers object-group udp_ntp

access-list POLICY remark # RDCA-webbrowsing rule

access-list POLICY extended permit tcp object-group N_RDCA_S_C any object-group TCP_webservice log

access-list POLICY remark # All Internal Network is allowed

access-list POLICY remark # All Internal Network Traffic is allowed

access-list POLICY extended permit ip object-group N_RFC1918 object-group N_RFC1918 log

access-list POLICY extended deny ip any any log

access-list IPS extended permit ip any any

pager lines 24

logging enable

logging buffer-size 10000

logging console critical

logging monitor errors

logging buffered errors

logging trap errors

logging facility 16

logging host secure 172.26.31.142

logging permit-hostdown

mtu inside_data 1500

mtu inside_voice 1500

mtu web 1500

mtu secure 1500

mtu sprint 1500

mtu outside 1500

ip verify reverse-path interface inside_data

ip verify reverse-path interface web

ip verify reverse-path interface secure

ip verify reverse-path interface sprint

ip verify reverse-path interface outside

no failover

asdm image disk0:/asdm504.bin

no asdm history enable

arp outside 222.66.83.19 0013.c482.3ffc

arp timeout 14400

global (outside) 1 222.66.83.19 netmask 255.255.255.255

nat (inside_data) 0 access-list NONAT

nat (inside_data) 1 access-list HIDING

nat (inside_voice) 0 access-list NONAT

nat (secure) 0 access-list NONAT

nat (sprint) 0 access-list NONAT

access-group POLICY in interface inside_data

access-group POLICY in interface web

access-group POLICY in interface sprint

access-group POLICY in interface outside

route inside_data 172.26.23.0 255.255.255.0 172.26.24.17 1

route inside_data 172.26.10.0 255.255.255.0 172.26.24.17 1

route inside_data 172.26.25.0 255.255.255.0 172.26.24.17 1

route inside_data 172.26.22.0 255.255.255.0 172.26.24.17 1

route inside_data 172.26.16.0 255.255.255.0 172.26.24.17 1

route inside_data 172.26.18.0 255.255.255.0 172.26.24.17 1

route sprint 172.16.0.0 255.240.0.0 172.26.24.10 1

route sprint 10.0.0.0 255.0.0.0 172.26.24.10 1

route sprint 192.168.0.0 255.255.0.0 172.26.24.10 1

route outside 0.0.0.0 0.0.0.0 222.66.83.17 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username wafersys password N3432S3svONQ.rWm encrypted

username rdcafwadmin password iqtp6BSrFydQnyAe encrypted

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

virtual telnet 172.26.24.19

auth-prompt prompt Please enter your username and password

auth-prompt accept Authentication succeeded.

auth-prompt reject Authentication failed. Try again.

telnet timeout 5

ssh scopy enable

ssh 172.22.161.0 255.255.255.0 inside_data

ssh 172.22.163.0 255.255.255.0 inside_data

ssh 172.26.18.0 255.255.255.0 inside_data

ssh timeout 60

ssh version 2

console timeout 0

management-access inside_data

!

class-map my-ips-class

match access-list IPS

class-map Voip

match dscp cs3 ef

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

class my-ips-class

ips promiscuous fail-open

policy-map qos

class Voip

priority

policy-map my-ips-policy

class my-ips-class

ips promiscuous fail-open

!

service-policy global_policy global

ntp server 202.108.158.139

Cryptochecksum:c46fbf0ead94c0a5c60d415f8b5ce82b

: end
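
Object-groups nest (H_auth -> h_auth42, TCP_client_auth -> tcp_http and friends), so an entry such as access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth only becomes auditable once every group is flattened; note that the template at the top of the page references groups it never defines (tcp_dameware_6129, tcp_dameware_6130, tcp_telnet). The Python script below is an added example, not part of the original post or of any Cisco tool: it parses ASA object-group and access-list lines, flattens nested group-objects (rejecting undefined or cyclic references) and expands each ACE into concrete rows, using a trimmed subset of the shafw01 config as constructed input.

```python
import re
# Constructed sample (trimmed from the shafw01 running config above) so the script runs offline.
SAMPLE = """\
object-group network h_auth42
 network-object host 172.26.31.42
 network-object host 172.26.24.19
object-group network H_auth
 group-object h_auth42
object-group service tcp_http tcp
 port-object eq www
object-group service TCP_client_auth tcp
 group-object tcp_http
access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth
access-list POLICY extended deny ip any any log
"""
ACE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.+)")

def parse_object_groups(text):
    """Map group name -> [(kind, value)]; kind is 'member' or 'group' (a nested group-object)."""
    groups, current = {}, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        head = re.match(r"object-group (?:network|service|icmp-type) (\S+)", line)
        if head:
            current = head.group(1)
            groups[current] = []
        elif current and line.startswith(("network-object ", "port-object ", "icmp-object ")):
            groups[current].append(("member", line.split(None, 1)[1]))
        elif current and line.startswith("group-object "):
            groups[current].append(("group", line.split()[1]))
        elif not line.startswith("description"): current = None  # any other statement ends the body
    return groups

def expand(groups, name, seen=()):
    """Flatten nested group-objects; an undefined group or a reference cycle is an error."""
    if name in seen or name not in groups: raise ValueError(f"undefined or cyclic object-group: {name}")
    return [v for kind, value in groups[name]
            for v in (expand(groups, value, seen + (name,)) if kind == "group" else [value])]

def take_address(tokens, groups):
    """Consume one ACE address operand: 'any', 'host X', 'A M' or 'object-group G'."""
    if tokens[0] == "any": return tokens[1:], ["any"]
    if tokens[0] == "object-group": return tokens[2:], expand(groups, tokens[1])
    return tokens[2:], [f"{tokens[0]} {tokens[1]}"]

def expand_acl(text, acl_name):
    """Expand every ACE of acl_name into concrete (action, proto, src, dst, port) rows."""
    groups, rows = parse_object_groups(text), []
    for m in filter(None, map(ACE.match, (raw.strip() for raw in text.splitlines()))):
        if m.group(1) != acl_name: continue
        action, proto, rest = m.group(2), m.group(3), m.group(4).split()
        rest, srcs = take_address(rest, groups)
        rest, dsts = take_address(rest, groups)
        ports = expand(groups, rest[1]) if rest[:1] == ["object-group"] else ["any"]
        rows += [(action, proto, s, d, p) for s in srcs for d in dsts for p in ports]
    return rows
```

Calling expand_acl(SAMPLE, "POLICY") yields one row per (source, destination, port) combination, so the two auth hosts and the final deny-any show up as three explicit rows; feeding it the full running config instead of SAMPLE lists everything the POLICY ACL actually admits on each interface it is bound to.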

shafw01(config)# sh ver

Cisco Adaptive Security Appliance Software Version 7.0(4)
Device Manager Version 5.0(4)

Compiled on Thu 13-Oct-05 21:43 by builders
System image file is "disk0:/asa704-k8.bin"
Config file at boot was "startup-config"

shafw01 up 47 mins 3 secs

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080: @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: GigabitEthernet0/0  : address is 0013.c482.3ff8, irq 9
 1: Ext: GigabitEthernet0/1  : address is 0013.c482.3ff9, irq 9
 2: Ext: GigabitEthernet0/2  : address is 0013.c482.3ffa, irq 9
 3: Ext: GigabitEthernet0/3  : address is 0013.c482.3ffb, irq 9
 4: Ext: Management0/0       : address is 0013.c482.3ffc, irq 11
 5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
 6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : 300

This platform has a Base license.

Serial Number: JMX0949K06H
Running Activation Key: 0x7626e778 0xf831bcc6 0x445328fc 0x84003414 0x0e1bcb8a
Configuration register is 0x1
Configuration last modified by enable_15 at 16:29:59.641 cet Thu Feb 16 2006

shafw01(config)# sh int ip brief

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  up                    up
GigabitEthernet0/0.150     172.26.24.18    YES CONFIG up                    up
GigabitEthernet0/0.151     10.48.8.1       YES CONFIG up                    up
GigabitEthernet0/1         unassigned      YES unset  up                    up
GigabitEthernet0/1.161     172.26.30.1     YES CONFIG up                    up
GigabitEthernet0/1.163     172.26.31.1     YES CONFIG up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  up                    up
GigabitEthernet0/3.154     172.26.24.9     YES CONFIG up                    up
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Management0/0              222.66.83.18    YES CONFIG up                    up