Configurations of two ASAs. I have replaced the public IP addresses, so if they happen to match someone else's, please forgive me. Brothers, please help me take a look:
Nanchang ASA:
ASA Version 7.2(3)
!
hostname DIYFW
domain-name tpybank.com
enable password 7qs4CxXJz.NTdDlq encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 59.59.59.59 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name tpybank.com
access-list outside extended permit ip any any
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list vpnclient standard permit 10.10.0.0 255.255.240.0
access-list vpnclient standard permit 172.0.0.0 255.255.255.0
access-list ipsecclient standard permit any
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 any
access-list 101 extended permit ip any any
access-list jcsh-group_splitTunnelAcl standard permit any
access-list outside1 extended permit ip any any
access-list no-nat extended permit ip 172.16.0.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list no-nat extended permit ip 10.10.0.0 255.255.240.0 172.31.255.0 255.255.255.0
access-list no-nat extended permit ip 10.10.0.0 255.255.240.0 10.10.20.0 255.255.255.0
access-list no-nat extended permit ip 172.0.0.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list nctogzvpn extended permit ip 10.10.0.0 255.255.240.0 10.10.20.0 255.255.255.0
access-list nctogzvpn extended permit ip 172.0.0.0 255.255.255.0 10.10.20.0 255.255.255.0
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm informational
logging host inside 10.10.10.179
mtu outside 1500
mtu inside 1500
ip local pool ipsecvpnpool 172.31.255.0-172.31.255.254 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/ASDM-523.BIN
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list no-nat
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 59.59.59.115 10.10.10.99 netmask 255.255.255.255
static (inside,outside) 59.59.59.126 10.10.10.192 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 59.59.59.1 1
route inside 10.10.0.0 255.255.240.0 172.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 10.10.10.19 community typ100
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
service resetoutside
crypto ipsec transform-set dialvpn esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set nctogztrans esp-des esp-sha-hmac
crypto dynamic-map dynomap 10 set transform-set dialvpn
crypto dynamic-map dynomap 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_DES_SHA
crypto map vpnpeer 10 ipsec-isakmp dynamic dynomap
crypto map vpnpeer 60 match address nctogzvpn
crypto map vpnpeer 60 set peer 59.59.59.60
crypto map vpnpeer 60 set transform-set nctogztrans
crypto map vpnpeer interface outside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
vpn-sessiondb max-session-limit 450
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
priority-queue inside
!
class-map limitconnect
 match access-list 101
class-map QOS
 match access-list 100
class-map type inspect http match-all httpfilter
 match req-resp content-type mismatch
 match request header allow length gt 5000
 match response header count gt 200
 match request uri length gt 1000
class-map type inspect ftp match-all ftpfilter
 match request-command mkd
class-map inspection_default
 match default-inspection-traffic
class-map flitcontent
 match access-list 100
!
!
policy-map limitconnect
 class limitconnect
  set connection conn-max 30000
policy-map QOS
 class QOS
 class limitconnect
  set connection conn-max 30000
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map flitcontent
 class flitcontent
!
service-policy global_policy global
service-policy QOS interface inside
group-policy sk-group internal
group-policy sk-group attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclient
username vpnuser password ZC2U2lwElxOuM0y+z/4mXg== nt-encrypted privilege 0
username networker password Ge08R8/YEb1oXNI9 encrypted privilege 0
tunnel-group sk-group type ipsec-ra
tunnel-group sk-group general-attributes
 address-pool ipsecvpnpool
 default-group-policy sk-group
tunnel-group sk-group ipsec-attributes
 pre-shared-key *
tunnel-group 59.59.59.60 type ipsec-l2l
tunnel-group 59.59.59.60 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:200b24ebb637185e77dc3623b20a596a
: end

Guangzhou ASA:
ASA Version 8.2(4)
!
hostname GZFW
domain-name tpy100.com
enable password r2GUYr0JBoB38neH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 59.59.59.60 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.20.254 255.255.255.0
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.51.254 255.255.255.0
 management-only
!
boot system disk0:/asa824-k8.bin
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
 domain-name tpy100.com
access-list outside extended permit ip any any
access-list outside extended permit icmp any any
access-list outside extended permit tcp any any
access-list outside extended permit udp any any
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list nonat extended permit ip 10.10.20.0 255.255.255.0 10.120.19.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 10.120.19.0 255.255.255.0
access-list nonat extended permit ip 192.168.51.0 255.255.255.0 10.120.19.0 255.255.255.0
access-list nonat extended permit ip 10.10.20.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list nonat extended permit ip 10.10.20.0 255.255.255.0 172.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.0.0.0 255.255.255.0
access-list vpn-client standard permit 10.10.20.0 255.255.255.0
access-list vpn-client standard permit 192.168.2.0 255.255.255.0
access-list vpn-client standard permit 192.168.51.0 255.255.255.0
access-list nctogzvpn extended permit ip 10.10.20.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list nctogzvpn extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list nctogzvpn extended permit ip 10.10.20.0 255.255.255.0 172.0.0.0 255.255.255.0
access-list nctogzvpn extended permit ip 192.168.2.0 255.255.255.0 172.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 10.120.19.1-10.120.19.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list nonat
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 59.59.59.244 10.10.20.4 netmask 255.255.255.255
static (inside,outside) 59.59.59.245 10.10.20.5 netmask 255.255.255.255
static (inside,outside) 59.59.59.243 10.10.20.3 netmask 255.255.255.255
static (inside,outside) 59.59.59.246 10.10.20.6 netmask 255.255.255.255
static (inside,outside) 59.59.59.247 10.10.20.7 netmask 255.255.255.255
static (inside,outside) 59.59.59.248 10.10.20.8 netmask 255.255.255.255
static (inside,outside) 59.59.59.249 192.168.2.101 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 59.59.59.241 1
route inside 192.168.2.0 255.255.255.0 10.10.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set nctogztrans esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynomap 10 set transform-set ESP-DES-MD5
crypto map vpnpeer 10 ipsec-isakmp dynamic dynomap
crypto map vpnpeer 60 match address nctogzvpn
crypto map vpnpeer 60 set peer 59.59.59.59
crypto map vpnpeer 60 set transform-set nctogztrans
crypto map vpnpeer interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy betterlife internal
group-policy betterlife attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-client
username vpnuser password 35y3osDoYvzwb04ktFQIgA== nt-encrypted
username vpnuser attributes
 service-type remote-access
username networker password oDfhMUGcNlh2Hyjp encrypted privilege 0
tunnel-group betterlife type remote-access
tunnel-group betterlife general-attributes
 address-pool vpnpool
 default-group-policy betterlife
tunnel-group betterlife ipsec-attributes
 pre-shared-key *****
tunnel-group 59.59.59.59 type ipsec-l2l
tunnel-group 59.59.59.59 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/...es/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3321c1f8720e4ec4583796ab04d8f0fe
: end
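Added example, not part of the original post: a small Python checker that works from the two configurations above. It pulls out the ACL referenced by `crypto map vpnpeer 60 match address` on each peer, checks that every source/destination pair on one side has its mirror image on the other (on an IPsec site-to-site tunnel a pair that exists on only one peer fails the proxy-ID match and never gets a security association), and lists management and ISAKMP settings that a hardening review would flag: SSHv1, telnet and ASDM reachable from any address, single DES and MD5. The config excerpts embedded in the block are copied from the two configs in the post; the function names, regular expressions and weak-setting list are the example's own, and it understands only the `extended permit ip <net> <mask> <net> <mask>` ACE form and the pre-8.3 syntax used here.

```python
import re
from ipaddress import ip_network

# Excerpts copied from the two configs in the post (DIYFW = Nanchang, GZFW = Guangzhou).
NANCHANG = """
access-list nctogzvpn extended permit ip 10.10.0.0 255.255.240.0 10.10.20.0 255.255.255.0
access-list nctogzvpn extended permit ip 172.0.0.0 255.255.255.0 10.10.20.0 255.255.255.0
crypto map vpnpeer 60 match address nctogzvpn
crypto map vpnpeer 60 set peer 59.59.59.60
ssh version 1
http 0.0.0.0 0.0.0.0 outside
crypto isakmp policy 1
 encryption des
 hash md5
"""
GUANGZHOU = """
access-list nctogzvpn extended permit ip 10.10.20.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list nctogzvpn extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list nctogzvpn extended permit ip 10.10.20.0 255.255.255.0 172.0.0.0 255.255.255.0
access-list nctogzvpn extended permit ip 192.168.2.0 255.255.255.0 172.0.0.0 255.255.255.0
crypto map vpnpeer 60 match address nctogzvpn
crypto map vpnpeer 60 set peer 59.59.59.59
telnet 0.0.0.0 0.0.0.0 inside
ssh version 1
http 0.0.0.0 0.0.0.0 outside
crypto isakmp policy 10
 encryption des
 hash md5
"""

# Only the ACE form used in both configs: "permit ip <src> <mask> <dst> <mask>".
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def crypto_acl_pairs(config, peer_seq):
    """Return the set of (src, dst) networks protected by crypto map entry peer_seq."""
    acl_name = None
    for line in config.splitlines():
        m = MATCH_RE.match(line.strip())
        if m and int(m.group(2)) == peer_seq:
            acl_name = m.group(3)
    pairs = set()
    if acl_name is None:          # no such crypto map entry: nothing is protected
        return pairs
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            # ip_network accepts "addr/netmask" and normalises it to prefix length
            src = ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.add((str(src), str(dst)))
    return pairs


def unmirrored(local, remote, peer_seq=60):
    """Pairs on each side whose mirror image (dst, src) is missing on the other side."""
    l_pairs = crypto_acl_pairs(local, peer_seq)
    r_pairs = crypto_acl_pairs(remote, peer_seq)
    only_local = {p for p in l_pairs if (p[1], p[0]) not in r_pairs}
    only_remote = {p for p in r_pairs if (p[1], p[0]) not in l_pairs}
    return sorted(only_local), sorted(only_remote)


# Settings a hardening review would flag; each entry is (regex on a stripped line, reason).
WEAK = [
    (re.compile(r"^ssh version 1$"), "SSHv1 management access"),
    (re.compile(r"^telnet 0\.0\.0\.0 0\.0\.0\.0 "), "telnet open from any address"),
    (re.compile(r"^http 0\.0\.0\.0 0\.0\.0\.0 outside$"), "ASDM/HTTPS open to the whole Internet"),
    (re.compile(r"^encryption des$"), "single DES in an ISAKMP policy"),
    (re.compile(r"^hash md5$"), "MD5 in an ISAKMP policy"),
]


def weak_settings(config):
    """Return [(offending line, reason), ...] in config order."""
    found = []
    for line in config.splitlines():
        s = line.strip()
        for rx, why in WEAK:
            if rx.match(s):
                found.append((s, why))
    return found


if __name__ == "__main__":
    only_nc, only_gz = unmirrored(NANCHANG, GUANGZHOU)
    print("pairs only on Nanchang:", only_nc)
    print("pairs only on Guangzhou:", only_gz)
    for name, cfg in (("Nanchang", NANCHANG), ("Guangzhou", GUANGZHOU)):
        for line, why in weak_settings(cfg):
            print(f"{name}: {why}: {line}")
```

On these excerpts the mirror check reports the two `192.168.2.0/24` entries that exist only in the Guangzhou `nctogzvpn` ACL; whether that network is meant to go through the tunnel is for the poster to decide, but if it is, the Nanchang side needs matching `nctogzvpn` and `no-nat` entries. The same pattern extends to any number of peers by feeding each pair of configs to `unmirrored`.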