asa 5550_asa配置
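! Cisco ASA running-config (hostname ciscoasa), restored from a web copy that
! had dropped every "ss" pair (password, access-list, address, ssh, class, ...)
! and had merged or wrapped several lines. Keywords and line breaks are
! repaired; no rule, address or hash has been changed.
! Lines starting with "NOTE(review)" are reviewer remarks, not original text.
!
! NOTE(review): 8.2(1) is a long-superseded release; plan a move to a
! supported software train before relying on this device as a perimeter.
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name asa5505.com
! NOTE(review): the enable and login passwords share one hash, and this value
! appears to be the one found in published default/sample configurations.
! Rotate both and give each its own secret.
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 27.115.xx.xxx 255.255.255.xxx
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 speed 100
 duplex full
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name asa5505.com
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
! NOTE(review): ACL "out" is defined but no access-group in this listing
! binds it to an interface, so these two entries have no effect.
access-list out extended permit icmp any any
access-list out extended permit tcp any host 27.115.xx.xxx eq smtp
! ACL 120 is bound inbound on BOTH inside and outside (see access-group below).
! NOTE(review): the three "any any" entries at the end make every specific
! entry above them redundant and leave the outside interface without an
! effective filter. Use a separate ACL per interface, end the outside one with
! the implicit deny, and restrict the sources allowed to reach 3389 (RDP) and
! 1433 (MS SQL) or move those services behind the VPN.
access-list 120 extended permit tcp any host 27.115.xx.xxx eq 3389
access-list 120 extended permit tcp any host 27.115.xx.xxx eq 1433
access-list 120 extended permit tcp any host 27.115.xx.xxx eq 8090
access-list 120 extended permit tcp any host 27.115.xx.xxx eq 8091
access-list 120 extended permit tcp any host 27.115.xx.xxx eq 8092
access-list 120 extended permit tcp any host 27.115.xx.xxx eq pptp
access-list 120 extended permit gre any host 27.115.xx.xxx
access-list 120 extended permit ah any host 27.115.xx.xxx
access-list 120 extended permit esp any host 27.115.xx.xxx
access-list 120 extended permit udp any host 27.115.xx.xxx eq 1701
access-list 120 extended permit ip any any
access-list 120 extended permit tcp any any
access-list 120 extended permit udp any any
! Split-tunnel network list for the vpnlink group-policy.
access-list vpn_link standard permit 192.168.11.0 255.255.255.0
! NAT exemption for inside -> VPN client traffic.
! NOTE(review): this entry uses a /25 mask (10.33.166.0-127) while vpn-pool
! below is declared with a /24 mask; the pool range .1-.100 fits both, but the
! two masks should agree.
access-list inside_nat extended permit ip 192.168.11.0 255.255.255.0 10.33.166.0 255.255.255.128
pager lines 24
! NOTE(review): logging goes to the ASDM buffer only; no remote syslog host is
! configured in this listing, so events are not retained off the device.
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-pool 10.33.166.1-10.33.166.100 mask 255.255.255.0
! Unicast RPF on both interfaces (anti-spoofing).
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! Dynamic PAT of all inside hosts to the outside interface address;
! nat 0 exempts the traffic matched by inside_nat.
global (outside) 1 interface
nat (inside) 0 access-list inside_nat
nat (inside) 1 0.0.0.0 0.0.0.0
! Static PAT: the ports below on the outside interface are forwarded to the
! single inside host 192.168.11.44.
! NOTE(review): together with ACL 120 this publishes MS SQL and RDP on that
! host to any source address.
static (inside,outside) tcp interface 1433 192.168.11.44 1433 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.11.44 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8091 192.168.11.44 8091 netmask 255.255.255.255
static (inside,outside) tcp interface 8092 192.168.11.44 8092 netmask 255.255.255.255
static (inside,outside) tcp interface 8090 192.168.11.44 8090 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.11.44 pptp netmask 255.255.255.255
static (inside,outside) udp interface 1701 192.168.11.44 1701 netmask 255.255.255.255
access-group 120 in interface inside
access-group 120 in interface outside
route outside 0.0.0.0 0.0.0.0 27.115.91.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
! NOTE(review): the ASDM/HTTPS management service accepts connections from any
! address on the outside interface. Limit it to named management hosts or
! networks, preferably reachable only from inside or over the VPN.
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! NOTE(review): both transform sets and the ISAKMP policy below use single
! DES, and the ISAKMP policy uses DH group 2. These are obsolete strengths;
! replace them with AES and a larger DH group where the image, licence and
! VPN clients allow.
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca server
 shutdown
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
! NOTE(review): telnet carries credentials in clear text; prefer ssh only.
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
! NOTE(review): ssh is accepted from any address on the outside interface;
! restrict the permitted source networks.
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
! NOTE(review): a console timeout of 0 never logs out an idle console session.
console timeout 0
dhcpd dns 210.22.70.3 210.22.84.3
!
dhcpd address 192.168.11.50-192.168.11.129 inside
dhcpd dns 192.168.11.44 210.22.70.3 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
! Remote-access IPsec policy: split tunnelling, only the networks in ACL
! vpn_link are sent through the tunnel.
group-policy vpnlink internal
group-policy vpnlink attributes
 dns-server value 210.22.70.3 210.22.84.3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_link
! NOTE(review): "cisco" and "ciscovpn" carry the same hash, i.e. the same
! password. Give each account its own credential and remove accounts that are
! not in use.
username cisco password 3USUcOPFUiMCO4Jk encrypted
username ciscovpn password 3USUcOPFUiMCO4Jk encrypted
username ciscovpn attributes
 vpn-group-policy vpnlink
 service-type remote-access
username martec password xPix6l/t1.eRJRdf encrypted privilege 15
tunnel-group vpnlink type remote-access
tunnel-group vpnlink general-attributes
 address-pool vpn-pool
 default-group-policy vpnlink
tunnel-group vpnlink ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
! NOTE(review): the checksum below belongs to the configuration as it was
! originally saved on the device, not to this restored text.
Cryptochecksum:d29ef0f7cdd71a0a8f2db10bc56a8c08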