这是XX科研机构ASA5520防火墙的配置，用上了全部功能。
这是XX科研机构ASA5520防火墙应用LAN-LAN（动态IP地址）-IPsec VPN-SSL VPN-AAA（Windows AD认证）的配置。
ASA Version 7.2(2)
!
hostname CD-ASA5520
domain-name default.domain.invalid
! NOTE(review): the enable secret, login password (passwd) and the local-user
! hashes further down are all included in this published dump; treat them as
! disclosed and rotate them on the device.
enable password iMsyYaAobonWHTAx encrypted
names
dns-guard
!
! Three interfaces in use: inside (level 100), outside (level 0), dmz (level 50).
! Public addresses are masked as *.*.* in the dump.
interface GigabitEthernet0/0
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address *.*.*122 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
!
! GigabitEthernet0/3 and Management0/0 are shut down and unconfigured.
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
domain-name default.domain.invalid
! Allows traffic to enter and leave the same interface (hairpinning).
! Presumably needed so VPN sessions terminating on outside can reach other
! VPN peers or the Internet back through outside -- confirm it is still required.
same-security-traffic permit intra-interface
! Inbound policy applied to outside (access-group below). The four port
! entries match the static PATs to the DMZ host 192.168.2.2. The last entry
! admits every ICMP type from any source to any destination; restricting it
! to the types actually needed (echo, unreachable, time-exceeded) would be tighter.
access-list outside_permit extended permit udp any interface outside eq 16000
access-list outside_permit extended permit udp any interface outside eq 60000
access-list outside_permit extended permit udp any interface outside eq 6669
access-list outside_permit extended permit tcp any interface outside eq 5452
access-list outside_permit extended permit icmp any any
! NAT exemption (nat 0) for VPN traffic: 192.168.200.0/24 is the IPsec client
! pool, 10.10.10.0/24 the SSL client pool; 192.168.16.0/24 is presumably the
! remote LAN-to-LAN site (it is not otherwise defined on this page).
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.16.0 255.255.255.0
! Crypto ACL (interesting traffic) for the LAN-to-LAN tunnel; attached to
! crypto map outside_map sequence 10 below.
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 192.168.16.0 255.255.255.0
! Defined but unreferenced: no group-policy on this page sets a
! split-tunnel-network-list, so VPN clients currently tunnel all traffic.
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list splittunnel standard permit 192.168.16.0 255.255.255.0
pager lines 24
! Syslog to 192.168.1.129 (the same host that serves RADIUS below).
! permit-hostdown keeps forwarding traffic if that syslog host is unreachable.
logging enable
logging asdm warnings
logging host inside 192.168.1.129 format emblem
logging permit-hostdown
logging class sys asdm alerts
logging class vpn asdm alerts
mtu inside 1500
mtu outside 1500
mtu dmz 1500
! Address pools: vpnclient for the IPsec remote-access group, ssl-user for
! the WebVPN/SSL client group.
ip local pool vpnclient 192.168.200.1-192.168.200.200 mask 255.255.255.0
ip local pool ssl-user 10.10.10.1-10.10.10.50
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
! Outbound PAT to the outside interface address; nat 0 exempts the VPN
! subnets listed in inside_nat0_outbound from translation.
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
! Static PAT: four ports on the outside interface address forward to the
! DMZ host 192.168.2.2 (the matching permits are in outside_permit).
static (dmz,outside) udp interface 16000 192.168.2.2 16000 netmask 255.255.255.255
static (dmz,outside) udp interface 60000 192.168.2.2 60000 netmask 255.255.255.255
static (dmz,outside) udp interface 6669 192.168.2.2 6669 netmask 255.255.255.255
static (dmz,outside) tcp interface 5452 192.168.2.2 5452 netmask 255.255.255.255
access-group outside_permit in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
! RADIUS server group "vpn" used by the IPsec remote-access tunnel-group
! (per the page intro it fronts Windows AD). The shared secret is in
! cleartext in this dump and should be rotated.
aaa-server vpn protocol radius
aaa-server vpn host 192.168.1.129
timeout 30
key cisco123
! Group policy for the SSL VPN group: WebVPN only, SSL client (svc) enabled.
group-policy mysslvpn-group-policy internal
group-policy mysslvpn-group-policy attributes
vpn-tunnel-protocol webvpn
webvpn
svc enable
! Group policy for IPsec remote-access clients. Idle and session timeouts
! are both disabled, so a client session never expires on its own.
group-policy vpnclient internal
group-policy vpnclient attributes
wins-server value 192.168.1.10
dns-server value 192.168.1.10 61.139.2.69
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
default-domain value cisco.com
! Group policy for the LAN-to-LAN tunnel (DefaultL2LGroup): same disabled
! timeouts, up to 3 simultaneous logins.
group-policy l2lvpn internal
group-policy l2lvpn attributes
wins-server value 192.168.1.10
dns-server value 192.168.1.10 61.139.2.69
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
! Local user "test" (privilege 5) bound to the SSL VPN group policy.
! The remaining three local accounts are privilege 15 administrators.
username test password LTfBjYjCrzZdSji0Nod2kw== nt-encrypted privilege 5
username test attributes
vpn-group-policy mysslvpn-group-policy
username skychen password 7fFvYcEbvJWTIWTB encrypted privilege 15
username cisco password jyV7i27DkE6FyekU encrypted privilege 15
username hwxian password dpY21DedfTLBOIdw encrypted privilege 15
! ASDM/HTTPS management on port 8080 is reachable from any address on both
! inside and outside; the outside entry should be narrowed to known
! management sources.
http server enable 8080
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
! Traps are enabled, but no snmp-server host appears on this page to receive them.
snmp-server enable traps snmp authentication linkup linkdown coldstart
! IPsec and both IKE policies use DES with MD5 and DH group 2, which are
! weak by current standards; ASA 7.2 also supports esp-aes / esp-sha-hmac
! in the transform set and "encryption aes" / "hash sha" in the ISAKMP policy.
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map vpn_dyn_map 10 set transform-set ESP-DES-MD5
crypto map outside_map 10 ipsec-isakmp dynamic vpn_dyn_map
crypto map outside_map interface outside
! Crypto ACL 100 is attached to the same sequence number as the dynamic
! entry; presumably this is how the dynamic-peer LAN-to-LAN tunnel selects
! its traffic (the remote site has a dynamic IP per the page intro) -- confirm.
crypto map outside_map 10 match address 100
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
! Policy 65535 duplicates policy 20 (same DES/MD5/group 2/pre-share parameters).
crypto isakmp policy 65535
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
! Default LAN-to-LAN group. Because the remote peer address is dynamic, the
! pre-shared key (masked as * in the dump) is the only thing authenticating
! the peer; keep it strong and rotate it if this dump was shared.
tunnel-group DefaultL2LGroup general-attributes
default-group-policy l2lvpn
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
! IPsec remote-access group: users authenticate against the RADIUS group
! "vpn". The two authentication-server-group lines are presumably redundant
! (the second only pins the inside interface as the source).
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
address-pool vpnclient
authentication-server-group vpn
authentication-server-group (inside) vpn
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
! SSL VPN group. No authentication-server-group is set here, so it
! presumably authenticates against the LOCAL user database (user "test" above).
tunnel-group mysslvpn-group type webvpn
tunnel-group mysslvpn-group general-attributes
address-pool ssl-user
tunnel-group mysslvpn-group webvpn-attributes
group-alias group2 enable
! Management access: telnet (cleartext) from the inside subnet, SSH from any
! address on outside -- the SSH entry should be narrowed to management hosts.
! console timeout 0 means the console session never times out.
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
! DHCP server on inside. The pool starts at 192.168.1.10, which is also the
! WINS/DNS server handed to VPN clients, and includes 192.168.1.129
! (RADIUS/syslog); presumably those hosts are statically addressed -- verify.
dhcp-client update dns server both
dhcpd dns 61.139.2.69 202.98.96.68
!
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd enable inside
!
!
! Default application inspection policy applied globally.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
! migrated_dns_map_1 is defined but not referenced by any policy on this page.
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
! SSL VPN (WebVPN) enabled on outside with the SSL client package; the
! tunnel-group list is shown on the login page.
webvpn
enable outside
svc image disk0:/sslclient-win-1.1.3.173.pkg 1
svc enable
tunnel-group-list enable
prompt hostname context
Cryptochecksum:2018b3083a53e1cfb5ce32713f0d0784
: end
CD-ASA5520# |