发表于 2008-3-14 06:00:56
备的一侧
: Saved
:
ASA Version 7.2(3)18
!
! NOTE(review): running-config dump of the secondary failover unit ("failover
! lan unit secondary" below). It carries the enable/login password hashes and
! an unmasked SNMP community string; once a dump like this has been shared
! those values count as disclosed and should be rotated on both peers.
!
hostname BJ-CA-ASA-2
domain-name BJ-CA-ASA-2
! Local secrets, stored hashed. No "aaa authentication ... console" lines
! appear in this dump, so telnet/ASDM logins presumably fall back to these
! local credentials - confirm against the full configuration.
enable password ECCUaJvvj6rilQTW encrypted
passwd .Pppqn8rWgaGlh3f encrypted
names
dns-guard
!
! Data interfaces: outside (level 0) towards the PIX DMZ, inside (level 100)
! towards the intranet; each carries a standby address and standby MAC for
! failover. Gi0/2 is unused.
interface GigabitEthernet0/0
description Link-TO-PIX-DMZ
mac-address 001b.d454.e198 standby 001b.d46e.3966
nameif outside
security-level 0
ip address 192.168.224.27 255.255.255.248 standby 192.168.224.28
!
interface GigabitEthernet0/1
description Link-TO-Intranet
mac-address 001b.d454.e199 standby 001b.d46e.3967
nameif inside
security-level 100
ip address 192.168.224.33 255.255.255.248 standby 192.168.224.37
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
! Management0/0 gets a nameif and security-level but no ip address in this
! dump, so the "http ... manage" entry further down has no address to listen
! on here - presumably supplied elsewhere or left incomplete; verify.
interface Management0/0
nameif manage
security-level 0
!
boot system disk0:/asa723-18-k8.bin
ftp mode passive
clock timezone BeiJing 8
dns domain-lookup inside
dns server-group DefaultDNS
timeout 4
! NOTE(review): 192.168.2.12 lies in the same /24 that the failover/state
! link is addressed from ("failover interface ip state 192.168.2.1
! 255.255.255.0" below) - confirm the two networks do not overlap.
name-server 192.168.2.12
name-server 192.168.32.32
name-server 192.168.32.31
domain-name HD-ASA5540
same-security-traffic permit intra-interface
! Access lists. None of them is bound to an interface with "access-group" in
! this dump, so interface traffic is governed by the security levels alone
! (inside 100 -> outside 0 permitted, the reverse denied). The crypto maps
! below use dynamic maps without "match address", so outside_cryptomap_20,
! outside_cryptomap_dyn_21 and VPN are not referenced either; only
! inside_nat0_outbound is in use (via "nat (inside) 0").
access-list inside_nat0_outbound extended permit ip host 191.10.4.21 host 191.100.227.192
access-list outside_cryptomap_20 extended permit ip host 191.10.4.21 host 191.100.227.192
access-list outside_cryptomap_dyn_21 extended permit ip any host 192.168.236.200
access-list VPN extended permit ip 192.168.247.0 255.255.255.0 192.168.230.0 255.255.255.0
access-list VPN extended permit ip 192.168.248.0 255.255.255.0 192.168.230.0 255.255.255.0
! "Inbound" would permit everything if it were ever applied to outside with
! access-group; it is unreferenced in this dump.
access-list Inbound extended permit ip any any
! Split_Tunnel_List holds only deny entries and is not referenced by any
! group-policy here (DfltGrpPolicy uses "split-tunnel-network-list none");
! a standard ACL containing only denies matches nothing.
access-list Split_Tunnel_List remark The corporate network behind the ASA.
access-list Split_Tunnel_List standard deny 192.168.254.0 255.255.255.0
access-list Split_Tunnel_List standard deny 192.168.115.0 255.255.255.0
access-list Split_Tunnel_List remark The corporate network behind the ASA.
! SOHO-ACL is likewise not referenced anywhere in this dump.
access-list SOHO-ACL remark The network out of the LAN.
access-list SOHO-ACL standard deny 192.168.252.0 255.255.255.0
access-list SOHO-ACL standard permit 192.168.0.0 255.240.0.0
access-list SOHO-ACL standard permit 10.0.0.0 255.0.0.0
access-list SOHO-ACL remark The network out of the LAN.
pager lines 24
! Logging: both the local buffer and the syslog host 192.168.90.27 receive
! debugging level, which is very chatty in steady state; informational is the
! usual choice unless actively troubleshooting.
logging enable
logging timestamp
logging buffer-size 20480
logging buffered debugging
logging trap debugging
logging asdm informational
logging host inside 192.168.90.27
mtu outside 1500
mtu inside 1500
mtu manage 1500
! Address pool for remote-access clients (see username ZERO below, whose
! static address is the last one in this range).
ip local pool TESTpool 192.168.230.10-192.168.230.100
! Failover: this unit is the secondary. Gi0/3 carries both the LAN failover
! link and state replication ("failover link state"); "failover replication
! http" replicates HTTP connections so they survive a switchover.
failover
failover lan unit secondary
failover lan interface state GigabitEthernet0/3
failover polltime unit msec 300 holdtime 1
failover replication http
failover link state GigabitEthernet0/3
failover interface ip state 192.168.2.1 255.255.255.0 standby 192.168.2.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
! NAT exemption for the single host pair in inside_nat0_outbound.
nat (inside) 0 access-list inside_nat0_outbound
!
! route-map 115-ospf matches access-list 15, which does not appear in this
! dump; the static redistribution below depends on it, so confirm it exists
! in the full configuration.
route-map 115-ospf permit 10
match ip address 15
!
! Static routes: a /32 to 192.168.224.1 and the default route, both via the
! outside next hop 192.168.224.25.
route outside 192.168.224.1 255.255.255.255 192.168.224.25 1
route outside 0.0.0.0 0.0.0.0 192.168.224.25 1
!
! OSPF 100 runs on the inside subnet only; the static routes above are
! redistributed subject to route-map 115-ospf.
router ospf 100
network 192.168.224.32 255.255.255.248 area 0
log-adj-changes
redistribute static subnets route-map 115-ospf
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
! AAA: three LDAP server groups bound with dedicated service accounts (the
! bind passwords are masked with "*"). Both attribute maps are declared with
! no entries. The binds go to plain port 389 and no "ldap-over-ssl" is
! configured, so the bind credentials presumably cross the inside network in
! clear - confirm this is intended. No tunnel-group in this dump references
! any of these groups.
ldap attribute-map cisco1
ldap attribute-map cisco2
aaa-server HQ.CORP.DFL protocol ldap
aaa-server HQ.CORP.DFL (inside) host 192.168.32.33
server-port 389
ldap-base-dn dc=hq,dc=corp,dc=dfl
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=acs_svc_test,ou=802.1x,ou=Service Accounts,dc=hq,dc=corp,dc=dfl
server-type auto-detect
ldap-attribute-map cisco1
! PVI and PVI-HD share the same base DN and bind account; only the host
! differs.
aaa-server PVI protocol ldap
aaa-server PVI (inside) host 192.168.32.35
ldap-base-dn ou=363310,ou=363300,ou=363000,ou=360000,ou=300000,ou=000000,dc=pvi,dc=corp,dc=dfl
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=sslvpntest,ou=TEST,dc=pvi,dc=corp,dc=dfl
server-type microsoft
ldap-attribute-map cisco2
aaa-server PVI-HD protocol ldap
aaa-server PVI-HD (inside) host 192.168.16.1
ldap-base-dn ou=363310,ou=363300,ou=363000,ou=360000,ou=300000,ou=000000,dc=pvi,dc=corp,dc=dfl
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=sslvpntest,ou=TEST,dc=pvi,dc=corp,dc=dfl
server-type microsoft
ldap-attribute-map cisco2
! ASDM/HTTPS on port 8080, reachable only from 192.168.227.0/24 via "manage"
! - but Management0/0 has no ip address above.
http server enable 8080
http 192.168.227.0 255.255.255.0 manage
! NOTE(review): the host line's community was masked ("xxxxxx") when posted,
! but the community "fengshen" was not; rotate it. Traps go to 192.168.90.27,
! the same host that receives syslog.
snmp-server host inside 192.168.90.27 community xxxxxx
no snmp-server location
no snmp-server contact
snmp-server community fengshen
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
! IPsec/IKE. Two points to raise:
!  - transform-set vpnset and isakmp policy 10 use DES with MD5, which are
!    weak by current standards; policy 65535 (3DES/SHA) is the stronger of
!    the two, and AES/SHA would be preferable if the peers support it.
!  - dynamic-map dyn1 references transform-set SET1, which is not defined in
!    this dump, and crypto map mymap1 (the only user of dyn1) is never bound
!    to an interface - only "crypto map vpn" is applied to outside. This
!    looks like leftover configuration; verify before removing it.
! Both IKE policies use pre-shared keys with DH group 2.
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set SET1
crypto dynamic-map dyn1 1 set reverse-route
crypto dynamic-map vpn-map 10 set transform-set vpnset
crypto map mymap1 65535 ipsec-isakmp dynamic dyn1
crypto map vpn 10 ipsec-isakmp dynamic vpn-map
crypto map vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 7200
crypto isakmp nat-traversal 15
! Management access: telnet (cleartext) is permitted from 192.168.254.0/24
! on inside. "ssh timeout 5" is set but there is no "ssh <net> <mask> <if>"
! line in this dump, so SSH is reachable from nowhere; the usual direction is
! the opposite (enable SSH, retire telnet). "console timeout 0" disables the
! console idle timeout.
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
ntp server 192.168.254.1
! The TFTP target name BG-ASA-5520-1 does not match hostname BJ-CA-ASA-2;
! presumably copied from another unit - verify the backup destination.
tftp-server inside 192.168.90.48 BG-ASA-5520-1
! Clientless SSL VPN is enabled on outside. Both bookmarks point at the same
! URL (http://oa.wujin.gov), which looks like a placeholder - verify.
webvpn
enable outside
url-list BookMarks "SEA" http://oa.wujin.gov 1
url-list BookMarks "EHR" http://oa.wujin.gov 2
tunnel-group-list enable
! Default group policy with every attribute spelled out. Worth knowing: all
! three tunnel protocols are allowed; "split-tunnel-policy tunnelspecified"
! is paired with "split-tunnel-network-list none", so no networks are
! actually specified here - confirm the intended effect; password-storage is
! disabled; SVC (AnyConnect) is off ("svc none").
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list value BookMarks
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
! lanyou: full tunnel (everything goes through the VPN).
group-policy lanyou internal
group-policy lanyou attributes
split-tunnel-policy tunnelall
! zttest references vpn-filter "deny-access-internet" and split-tunnel list
! "Deny-access-internet"; neither ACL appears in this dump and the two names
! differ only in case (ACL names are case-sensitive), so confirm both exist.
group-policy zttest internal
group-policy zttest attributes
dns-server value 192.168.2.12 192.168.247.4
vpn-filter value deny-access-internet
split-tunnel-network-list value Deny-access-internet
group-policy C-WH-OA-SJGLB internal
group-policy C-WH-OA-SJGLB attributes
wins-server none
dhcp-network-scope none
default-domain none
webvpn
svc dpd-interval client none
svc dpd-interval gateway none
group-policy PVI internal
group-policy PVI attributes
webvpn
svc dpd-interval client none
svc dpd-interval gateway none
! Local VPN user: group-policy VLS is not defined in this dump, and the
! framed address 192.168.230.100 is also the last address of TESTpool
! (192.168.230.10-100) - confirm the static assignment cannot collide with a
! pool lease.
username ZERO password uybI0kx6cyjrSF.a encrypted
username ZERO attributes
vpn-group-policy VLS
vpn-tunnel-protocol IPSec
vpn-framed-ip-address 192.168.230.100 255.255.255.0
! Tunnel groups. DefaultRAGroup carries a pre-shared key (masked), so IPsec
! remote-access clients that do not name a specific group will presumably be
! able to negotiate against it - confirm that is intended. testzt is the only
! explicitly defined remote-access group. Neither names an authentication
! server group here, so user authentication presumably falls back to the
! LOCAL database - verify.
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold infinite
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 10
tunnel-group testzt type ipsec-ra
tunnel-group testzt ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
! Inspection: preset_dns_map and migrated_dns_map_1 are identical (512-byte
! maximum); only migrated_dns_map_1 is used by global_policy below.
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns migrated_dns_map_1
inspect icmp
!
service-policy global_policy global
prompt hostname context
! Checksum of the saved configuration; it changes with any edit.
Cryptochecksum:a20bac683f09ac91d037a243b58c8ab3
: end |