: Saved
: Written by enable_15 at 17:29:52.128 UTC Wed Sep 25 2013
!
ASA Version 8.2(1)
!
hostname DAG-ASA5520
domain-name dag.com
enable password xssDdbX.oBjtGuKc encrypted
passwd bZNsTu/F3zs5M3hm encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.78.216.92 255.255.255.192
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
security-level 0
no ip address
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone UTC 8
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.78.173.10
domain-name dag.com
! The following access list permits inbound TCP from any source in the outside zone to the outside
! interface address. Note that it permits every TCP port, not only the ones mapped by the static entries below.
access-list outside_access_in extended permit tcp any interface outside
! The following access list permits inbound TCP from any source in the DMZ zone to the dmz interface address.
access-list dmz_access_in extended permit tcp any interface dmz
! The following access list permits inbound ICMP from any source to any destination. Only one access list can
! be applied per interface and direction, so as written this list is bound to no interface and has no effect;
! to take effect on outside its entry would have to be merged into (or the list renamed to) outside_access_in.
access-list icmp_outside_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
! Static port translation (static PAT): connections to port 3389 on the outside interface address are
! translated to 172.16.1.100 in the DMZ. The original comment offers the following as an equivalent spelling,
! but the static command has no "eq" form in ASA 8.2; the command on the next line is the valid syntax:
! static (dmz,outside) tcp interface 172.16.1.100 netmask 255.255.255.255 eq 3389
static (dmz,outside) tcp interface 3389 172.16.1.100 3389 netmask 255.255.255.255
static (dmz,outside) tcp interface www 172.16.1.100 www netmask 255.255.255.255
static (inside,dmz) tcp interface 3389 192.168.9.81 3389 netmask 255.255.255.255
! Bind the access lists defined above to the interfaces. They are normally applied inbound on the
! lower-security interface so that the lower-security zone can reach the higher-security zone; the firewall
! denies such traffic by default, so this must be configured explicitly.
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 10.78.216.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.9.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca server
shutdown
cdp-url http://10.78.216.92/+CSCOCA+/asa_ca.crl
crypto isakmp enable outside
telnet 10.78.216.98 255.255.255.255 outside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
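The comments on the access lists, static PATs and access-group bindings above, together with the http, ssh and telnet lines in this management block, describe an exposure path that is easier to check mechanically than by eye. The following Python script is an added example, not code from the original page or from Cisco: it parses those line types from a constructed sample (the relevant lines of this config, with the interface names and security levels as shown) and reports access lists that are never bound, static PATs reachable through a permissive inbound ACL, management services open to 0.0.0.0/0 on the least-trusted interface, and every telnet permission. ACE matching is deliberately simplified (source "any" only, first match on protocol, destination and port); that limitation is an assumption of the example.

```python
"""Exposure audit for an ASA 8.2-style running config.

Added example, not code from the original page or from Cisco. It parses the
interface, access-list, access-group, static and management-access lines and
reports what a reviewer would otherwise check by hand.
"""
import re
from collections import defaultdict

# Constructed sample: the relevant lines of the config on this page.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
interface GigabitEthernet0/2
 nameif inside
 security-level 100
access-list outside_access_in extended permit tcp any interface outside
access-list dmz_access_in extended permit tcp any interface dmz
access-list icmp_outside_in extended permit icmp any any
static (dmz,outside) tcp interface 3389 172.16.1.100 3389 netmask 255.255.255.255
static (dmz,outside) tcp interface www 172.16.1.100 www netmask 255.255.255.255
static (inside,dmz) tcp interface 3389 192.168.9.81 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.9.0 255.255.255.0 inside
telnet 10.78.216.98 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
"""

# static (real,mapped) tcp|udp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT ...
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")


def _addr(tok):
    """Consume one ACE address: 'any', 'host IP', 'interface NAME' or 'IP MASK'."""
    if tok[0] == "any":
        return "any", tok[1:]
    return f"{tok[0]} {tok[1]}", tok[2:]


def parse_config(text):
    cfg = {"seclevel": {}, "acl": defaultdict(list), "group": {}, "static": [], "mgmt": []}
    ifname = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "nameif":
            ifname = tok[1]
        elif tok[0] == "security-level" and ifname:
            cfg["seclevel"][ifname] = int(tok[1])
        elif tok[0] == "access-list" and len(tok) > 5 and tok[2] == "extended":
            # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
            src, rest = _addr(tok[5:])
            dst, port = _addr(rest)
            cfg["acl"][tok[1]].append({"action": tok[3], "proto": tok[4],
                                       "src": src, "dst": dst, "port": port})
        elif tok[0] == "access-group":
            # access-group NAME in|out interface IFNAME
            cfg["group"][tok[1]] = (tok[2], tok[4])
        elif tok[0] == "static":
            m = STATIC_RE.match(raw.strip())
            if m:
                real, mapped, proto, _mip, mport, rip, rport = m.groups()
                cfg["static"].append({"real": real, "mapped": mapped, "proto": proto,
                                      "mport": mport, "real_ip": rip, "rport": rport})
        elif tok[0] in ("http", "ssh", "telnet") and len(tok) == 4:
            cfg["mgmt"].append(tuple(tok))  # (service, source, mask, interface)
    return cfg


def _covers_port(port, mport):
    """No port qualifier means every port; otherwise only 'eq MAPPED_PORT' is recognised."""
    return not port or (port[0] == "eq" and port[1] == mport)


def unapplied_acls(cfg):
    """Access lists that exist but are bound to no interface, so they filter nothing."""
    return sorted(name for name in cfg["acl"] if name not in cfg["group"])


def exposed_statics(cfg):
    """Static PATs whose mapped interface carries an inbound ACL that permits the mapped
    service from any source. Simplified first-match: ACEs with a specific source are skipped."""
    found = []
    for st in cfg["static"]:
        acls = [n for n, (d, i) in cfg["group"].items() if d == "in" and i == st["mapped"]]
        for ace in (a for n in acls for a in cfg["acl"][n]):
            if (ace["proto"] in (st["proto"], "ip") and ace["src"] == "any"
                    and ace["dst"] in ("any", f"interface {st['mapped']}")
                    and _covers_port(ace["port"], st["mport"])):
                if ace["action"] == "permit":
                    found.append((st["mapped"], st["mport"], st["real_ip"], st["rport"]))
                break  # first matching ACE decides
    return found


def open_mgmt(cfg):
    """Management services reachable from 0.0.0.0/0 on the least-trusted interface."""
    lowest = min(cfg["seclevel"], key=cfg["seclevel"].get)
    return sorted((svc, ifc) for svc, ip, mask, ifc in cfg["mgmt"]
                  if ifc == lowest and (ip, mask) == ("0.0.0.0", "0.0.0.0"))


def telnet_sources(cfg):
    """Every telnet permission; the protocol is cleartext, so each one is worth listing."""
    return [(ip, mask, ifc) for svc, ip, mask, ifc in cfg["mgmt"] if svc == "telnet"]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("unbound access lists:", unapplied_acls(cfg))
    print("static PATs reachable via inbound ACL:", exposed_statics(cfg))
    print("management open to 0.0.0.0/0 on least-trusted interface:", open_mgmt(cfg))
    print("telnet permitted from:", telnet_sources(cfg))
```

On the sample the script reports icmp_outside_in as unbound, all three static PATs as reachable (the outside and dmz ACLs both permit TCP from any source to the interface address on every port), http and ssh open to 0.0.0.0/0 on outside, and the single telnet permission from 10.78.216.98 on outside.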
! DHCP server settings
dhcpd dns 10.78.173.10 10.78.216.11
!
dhcpd address 192.168.9.240-192.168.9.249 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 128.105.39.11 source outside
ssl server-version tlsv1
ssl encryption aes128-sha1 aes256-sha1 3des-sha1 des-sha1
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username admin password eY/fQXw7Ure8Qrz7 encrypted
username administrator password mvcp/JO94b9XsM.I encrypted
tunnel-group DefaultRAGroup webvpn-attributes
authentication certificate
group-alias cert disable
group-url https://10.78.216.92/cert enable
!
!
prompt hostname context
Cryptochecksum:a2585c83136da85153260680c63730c7
: end