Configurations of two ASAs. I replaced the public addresses, so please forgive any coincidental resemblance. Could you guys help me take a look?
Nanchang ASA:
ASA Version 7.2(3)
!
hostname DIYFW
domain-name tpybank.com
enable password 7qs4CxXJz.NTdDlq encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 59.59.59.59 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name tpybank.com
access-list outside extended permit ip any any
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list vpnclient standard permit 10.10.0.0 255.255.240.0
access-list vpnclient standard permit 172.0.0.0 255.255.255.0
access-list ipsecclient standard permit any
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 any
access-list 101 extended permit ip any any
access-list jcsh-group_splitTunnelAcl standard permit any
access-list outside1 extended permit ip any any
access-list no-nat extended permit ip 172.16.0.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list no-nat extended permit ip 10.10.0.0 255.255.240.0 172.31.255.0 255.255.255.0
access-list no-nat extended permit ip 10.10.0.0 255.255.240.0 10.10.20.0 255.255.255.0
access-list no-nat extended permit ip 172.0.0.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list nctogzvpn extended permit ip 10.10.0.0 255.255.240.0 10.10.20.0 255.255.255.0
access-list nctogzvpn extended permit ip 172.0.0.0 255.255.255.0 10.10.20.0 255.255.255.0
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm informational
logging host inside 10.10.10.179
mtu outside 1500
mtu inside 1500
ip local pool ipsecvpnpool 172.31.255.0-172.31.255.254 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/ASDM-523.BIN
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list no-nat
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 59.59.59.115 10.10.10.99 netmask 255.255.255.255
static (inside,outside) 59.59.59.126 10.10.10.192 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 59.59.59.1 1
route inside 10.10.0.0 255.255.240.0 172.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 10.10.10.19 community typ100
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
service resetoutside
crypto ipsec transform-set dialvpn esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set nctogztrans esp-des esp-sha-hmac
crypto dynamic-map dynomap 10 set transform-set dialvpn
crypto dynamic-map dynomap 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_DES_SHA
crypto map vpnpeer 10 ipsec-isakmp dynamic dynomap
crypto map vpnpeer 60 match address nctogzvpn
crypto map vpnpeer 60 set peer 59.59.59.60
crypto map vpnpeer 60 set transform-set nctogztrans
crypto map vpnpeer interface outside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
vpn-sessiondb max-session-limit 450
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
priority-queue inside
!
class-map limitconnect
 match access-list 101
class-map QOS
 match access-list 100
class-map type inspect http match-all httpfilter
 match req-resp content-type mismatch
 match request header allow length gt 5000
 match response header count gt 200
 match request uri length gt 1000
class-map type inspect ftp match-all ftpfilter
 match request-command mkd
class-map inspection_default
 match default-inspection-traffic
class-map flitcontent
 match access-list 100
!
!
policy-map limitconnect
 class limitconnect
  set connection conn-max 30000
policy-map QOS
 class QOS
 class limitconnect
  set connection conn-max 30000
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map flitcontent
 class flitcontent
!
service-policy global_policy global
service-policy QOS interface inside
group-policy sk-group internal
group-policy sk-group attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclient
username vpnuser password ZC2U2lwElxOuM0y+z/4mXg== nt-encrypted privilege 0
username networker password Ge08R8/YEb1oXNI9 encrypted privilege 0
tunnel-group sk-group type ipsec-ra
tunnel-group sk-group general-attributes
 address-pool ipsecvpnpool
 default-group-policy sk-group
tunnel-group sk-group ipsec-attributes
 pre-shared-key *
tunnel-group 59.59.59.60 type ipsec-l2l
tunnel-group 59.59.59.60 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:200b24ebb637185e77dc3623b20a596a
: end

Guangzhou ASA:
ASA Version 8.2(4)
!
hostname GZFW
domain-name tpy100.com
enable password r2GUYr0JBoB38neH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 59.59.59.60 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.20.254 255.255.255.0
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.51.254 255.255.255.0
 management-only
!
boot system disk0:/asa824-k8.bin
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
 domain-name tpy100.com
access-list outside extended permit ip any any
access-list outside extended permit icmp any any
access-list outside extended permit tcp any any
access-list outside extended permit udp any any
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list nonat extended permit ip 10.10.20.0 255.255.255.0 10.120.19.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 10.120.19.0 255.255.255.0
access-list nonat extended permit ip 192.168.51.0 255.255.255.0 10.120.19.0 255.255.255.0
access-list nonat extended permit ip 10.10.20.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list nonat extended permit ip 10.10.20.0 255.255.255.0 172.0.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.0.0.0 255.255.255.0
access-list vpn-client standard permit 10.10.20.0 255.255.255.0
access-list vpn-client standard permit 192.168.2.0 255.255.255.0
access-list vpn-client standard permit 192.168.51.0 255.255.255.0
access-list nctogzvpn extended permit ip 10.10.20.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list nctogzvpn extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list nctogzvpn extended permit ip 10.10.20.0 255.255.255.0 172.0.0.0 255.255.255.0
access-list nctogzvpn extended permit ip 192.168.2.0 255.255.255.0 172.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 10.120.19.1-10.120.19.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list nonat
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 59.59.59.244 10.10.20.4 netmask 255.255.255.255
static (inside,outside) 59.59.59.245 10.10.20.5 netmask 255.255.255.255
static (inside,outside) 59.59.59.243 10.10.20.3 netmask 255.255.255.255
static (inside,outside) 59.59.59.246 10.10.20.6 netmask 255.255.255.255
static (inside,outside) 59.59.59.247 10.10.20.7 netmask 255.255.255.255
static (inside,outside) 59.59.59.248 10.10.20.8 netmask 255.255.255.255
static (inside,outside) 59.59.59.249 192.168.2.101 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 59.59.59.241 1
route inside 192.168.2.0 255.255.255.0 10.10.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set nctogztrans esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynomap 10 set transform-set ESP-DES-MD5
crypto map vpnpeer 10 ipsec-isakmp dynamic dynomap
crypto map vpnpeer 60 match address nctogzvpn
crypto map vpnpeer 60 set peer 59.59.59.59
crypto map vpnpeer 60 set transform-set nctogztrans
crypto map vpnpeer interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy betterlife internal
group-policy betterlife attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-client
username vpnuser password 35y3osDoYvzwb04ktFQIgA== nt-encrypted
username vpnuser attributes
 service-type remote-access
username networker password oDfhMUGcNlh2Hyjp encrypted privilege 0
tunnel-group betterlife type remote-access
tunnel-group betterlife general-attributes
 address-pool vpnpool
 default-group-policy betterlife
tunnel-group betterlife ipsec-attributes
 pre-shared-key *****
tunnel-group 59.59.59.59 type ipsec-l2l
tunnel-group 59.59.59.59 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/...es/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3321c1f8720e4ec4583796ab04d8f0fe
: end
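A reviewer's first check on a site-to-site (ipsec-l2l) pair like this is whether the two crypto ACLs mirror each other and the transform sets agree, since an entry that has no reverse on the peer simply never negotiates. Added example, not code from the post or from either firewall: it parses only the nctogzvpn / vpnpeer 60 lines excerpted from the two posted configs (the NC/GZ labels and function names are mine) and reports the asymmetries.

```python
"""Cross-check the l2l IPsec definitions of two pre-8.3 ASA configurations."""
import re
from ipaddress import IPv4Network

ACL_RE = re.compile(r"access-list (\S+) extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$")
TS_RE = re.compile(r"crypto ipsec transform-set (\S+) (esp-\S+) (esp-\S+)$")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")

def parse_site(cfg):
    """Collect crypto ACL entries, transform sets and crypto map attributes."""
    site = {"acl": {}, "ts": {}, "maps": {}}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):  # network/mask pairs only; any/host forms are skipped
            name, src, smask, dst, dmask = m.groups()
            site["acl"].setdefault(name, []).append(
                (IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}")))
        elif m := TS_RE.match(line):
            site["ts"][m[1]] = (m[2], m[3])
        elif m := MAP_RE.match(line):
            site["maps"].setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
    return site

def static_entries(site):
    """Yield (peer, acl_entries, transform_algorithms) for each static crypto map entry."""
    for attrs in site["maps"].values():
        if "set peer" in attrs and "match address" in attrs:
            yield (attrs["set peer"], site["acl"].get(attrs["match address"], []),
                   site["ts"].get(attrs.get("set transform-set")))

def check_l2l(site_a, addr_a, site_b, addr_b, name_a="A", name_b="B"):
    """Return findings for the tunnel between addr_a and addr_b; [] means consistent."""
    entry_a = next((e for e in static_entries(site_a) if e[0] == addr_b), None)
    entry_b = next((e for e in static_entries(site_b) if e[0] == addr_a), None)
    if entry_a is None or entry_b is None:
        return [f"no static crypto map entry pairing {addr_a} with {addr_b}"]
    (_, acl_a, ts_a), (_, acl_b, ts_b) = entry_a, entry_b
    findings = []
    # Every crypto ACL line needs its exact reverse on the peer, or the proxy IDs are rejected
    for acl_x, acl_y, nx, ny in ((acl_a, acl_b, name_a, name_b), (acl_b, acl_a, name_b, name_a)):
        for src, dst in acl_x:
            if (dst, src) not in acl_y:
                findings.append(f"{ny} lacks mirror of {nx} entry {src} -> {dst}")
    if ts_a != ts_b:
        findings.append(f"transform-set mismatch: {name_a}={ts_a} {name_b}={ts_b}")
    if ts_a and "esp-des" in ts_a:
        findings.append("single DES transform in use; prefer 3DES or AES on both ends")
    return findings

# Excerpts of the two posted configs (public addresses as replaced by the poster)
NC_CFG = """
access-list nctogzvpn extended permit ip 10.10.0.0 255.255.240.0 10.10.20.0 255.255.255.0
access-list nctogzvpn extended permit ip 172.0.0.0 255.255.255.0 10.10.20.0 255.255.255.0
crypto ipsec transform-set nctogztrans esp-des esp-sha-hmac
crypto map vpnpeer 60 match address nctogzvpn
crypto map vpnpeer 60 set peer 59.59.59.60
crypto map vpnpeer 60 set transform-set nctogztrans"""
GZ_CFG = """
access-list nctogzvpn extended permit ip 10.10.20.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list nctogzvpn extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list nctogzvpn extended permit ip 10.10.20.0 255.255.255.0 172.0.0.0 255.255.255.0
access-list nctogzvpn extended permit ip 192.168.2.0 255.255.255.0 172.0.0.0 255.255.255.0
crypto ipsec transform-set nctogztrans esp-des esp-sha-hmac
crypto map vpnpeer 60 match address nctogzvpn
crypto map vpnpeer 60 set peer 59.59.59.59
crypto map vpnpeer 60 set transform-set nctogztrans"""
NC, GZ = parse_site(NC_CFG), parse_site(GZ_CFG)
FINDINGS = check_l2l(NC, "59.59.59.59", GZ, "59.59.59.60", "NC", "GZ")
print("\n".join(FINDINGS) or "l2l definitions are symmetric")
```

Run against the full configs the same parser ignores the any/any and remote-access lines, so only the ipsec-l2l pair is compared.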