Below is what I set up during the National Day holiday (October) this year. cxd-A has a fixed IP and is an ASA 5510; cxd-B is on ADSL dial-up (PPPoE) and is an ASA 5505. Note the software versions of the two firewalls: one runs 8.0, the other 7.2.
cxd-A(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname cxd-A
domain-name default.domain.invalid
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 外网ip
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif guanli
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 management-only
!
boot system disk0:/asa802-k8.bin
no ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list cxd-A_to_cxd-B extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list cxd-A_to_cxd-C extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1492
mtu inside 1492
mtu guanli 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside-inside in interface outside
route outside 0.0.0.0 0.0.0.0 外网网关 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set esp esp-des esp-none
crypto dynamic-map cryptomap 11 match address cxd-A_to_cxd-B
crypto dynamic-map cryptomap 11 set transform-set esp
crypto dynamic-map cryptomap 12 match address cxd-A_to_cxd-C
crypto dynamic-map cryptomap 12 set transform-set esp
crypto map cryptomap 11 ipsec-isakmp dynamic cryptomap
crypto map cryptomap interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 11
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
console timeout 0
priority-queue outside
 tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics access-list
!
class-map vpn-qos
 match flow ip destination-address
 match tunnel-group DefaultL2LGroup
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map vpn-qos
 class vpn-qos
  priority
policy-map global_default
!
service-policy global_policy global
service-policy vpn-qos interface outside
ntp server 192.168.11.1 source inside
ssl encryption des-sha1 rc4-md5
group-policy tunnel internal
group-policy tunnel attributes
 nem enable
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 3600 retry 10
prompt hostname context
: end

cxd-B(config)# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname cxd-B
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group adsl
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list cxd-B_to_cxd-A extended permit ip 192.168.11.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.11.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 111 extended permit ip 192.168.11.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 111 extended deny ip any any
access-group 111 in interface inside
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging asdm informational
logging host inside 192.168.1.41
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.11.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set esp esp-des esp-none
crypto map cryptomap 11 match address cxd-B_to_cxd-A
crypto map cryptomap 11 set peer 外网ip
crypto map cryptomap 11 set transform-set esp
crypto map cryptomap interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 11
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.11.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 1
console timeout 0
vpdn group adsl request dialout pppoe
vpdn group adsl localname 拨号用户名
vpdn group adsl ppp authentication pap
vpdn username 拨号用户名 password *********
dhcpd dns ??????
dhcpd auto_config outside
!
dhcpd address 192.168.11.2-192.168.11.33 inside
dhcpd enable inside
!
tunnel-group 总部外网IP type ipsec-l2l
tunnel-group 总部外网IP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
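As an added example (not part of the original post), a small Python check of the two site-to-site configs above: it verifies that the crypto ACLs on cxd-A and cxd-B are mirror images of each other, that both ISAKMP phase-1 policies carry the same attributes, and it flags the settings in these dumps a reviewer would want changed (single DES, SSH version 1, management open from any outside address). The excerpts embedded in the script are copied from the two configs posted above.

```python
import re

# Excerpts copied from the two configs posted above (constructed sample input).
CXD_A = """\
access-list cxd-A_to_cxd-B extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
crypto ipsec transform-set esp esp-des esp-none
crypto isakmp policy 11
 authentication pre-share
 encryption des
 hash sha
 group 2
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
"""
CXD_B = """\
access-list cxd-B_to_cxd-A extended permit ip 192.168.11.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set esp esp-des esp-none
crypto isakmp policy 11
 authentication pre-share
 encryption des
 hash sha
 group 2
telnet 0.0.0.0 0.0.0.0 outside
ssh version 1
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)

def crypto_acl(cfg, name):
    """Return the set of (src, src_mask, dst, dst_mask) proxy IDs of one crypto ACL."""
    return {m.groups()[1:] for m in ACL_RE.finditer(cfg) if m.group(1) == name}

def acls_mirror(cfg_a, name_a, cfg_b, name_b):
    """True when every proxy ID on side A appears on side B with src/dst swapped."""
    a = crypto_acl(cfg_a, name_a)
    b = {(d, dm, s, sm) for s, sm, d, dm in crypto_acl(cfg_b, name_b)}
    return bool(a) and a == b

def isakmp_policy(cfg):
    """Collect the indented attribute lines of the first 'crypto isakmp policy' block."""
    m = re.search(r"^crypto isakmp policy \d+\n((?: .*\n)+)", cfg, re.M)
    return dict(line.split(None, 1) for line in m.group(1).splitlines() if line.strip())

def weak_settings(cfg):
    """Flag the weak choices visible in the posted configs, in a fixed order."""
    findings = []
    if re.search(r"esp-des\b|^ encryption des$", cfg, re.M):
        findings.append("single DES in IPsec/ISAKMP")
    if re.search(r"^ssh version 1$", cfg, re.M):
        findings.append("ssh version 1")
    for proto in ("telnet", "ssh"):  # management reachable from any address on outside
        if re.search(rf"^{proto} 0\.0\.0\.0 0\.0\.0\.0 outside$", cfg, re.M):
            findings.append(f"{proto} open to any source on outside")
    return findings
```

Run the same functions over the full `show run` output of each box to check the second tunnel (cxd-A_to_cxd-C) once the third site's config is available.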