! Cisco ASA running-config (boot image disk0:/asa915-k8.bin) pasted for a
! forum question about an inbound port-mapping (static PAT) problem. Public
! addresses are masked as *.*.x.x and secrets as ***** by the poster.
! NOTE(review): the enable/login/user password hashes are still present in
! this paste; treat them as disclosed and rotate before reusing any of it.
hostname ciscoasa
enable password UBMuSr2NjOdZ6AiU encrypted
! "per-session deny" presumably switches these flows (all TCP, and UDP/53)
! from per-session PAT to multi-session xlates governed by the xlate /
! pat-xlate timeouts further down -- confirm against the 9.1 NAT guide.
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
! Login password used by the telnet access configured below.
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
! outside: public /29, default route and VPN peer are reached through it.
interface Ethernet0/0
nameif outside
security-level 0
ip address *.*.188.101 255.255.255.248
!
! inside: 192.168.10.0/24 transit net; the 10.10.x.0/24 LANs sit behind
! 192.168.10.2 (see the static routes).
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
! NOTE(review): outside1 is named at security-level 0 but has no address and
! is not shut down -- confirm whether it is meant to be in service.
interface Ethernet0/2
nameif outside1
security-level 0
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
!
boot system disk0:/asa915-k8.bin
ftp mode passive
! inside-net (10.10.0.0/16) and inside-net1 (192.168.10.0/24) are the
! dynamic-PAT sources; 192.168.110.0 is the remote VPN subnet.
object network inside-net
subnet 10.10.0.0 255.255.0.0
object network 192.168.110.0
subnet 192.168.110.0 255.255.255.0
object network inside-net1
subnet 192.168.10.0 255.255.255.0
! NOTE(review): the three 10.10.90.2 objects are not referenced by any nat or
! access-list line in this paste, while the static PAT below is attached to
! objects 10.10.90.11 / 10.10.90.11-02 whose `host` definition does not
! appear here. Looks like an inconsistent edit of the paste; verify that the
! objects used by the nat statements really contain `host 10.10.90.11`,
! otherwise the port mapping has no real address to translate.
object network 10.10.90.2
host 10.10.90.2
object network 10.10.90.2-01
host 10.10.90.2
object network 10.10.90.2-02
host 10.10.90.2
! These object-groups have no members and are not referenced anywhere in
! the visible config.
object-group network 10.10.20.0
object-group network 10.10.30.0
object-group network 10.10.40.0
object-group network 10.10.50.0
object-group network 10.10.60.0
object-group network 10.10.70.0
object-group network 10.10.80.0
object-group network 10.10.90.0
object-group network 10.10.100.0
object-group network 192.168.0.0
! Inbound ACL applied to outside (access-group below).
! NOTE(review): line 2 (`permit ip any4 any4`) shadows every line after it,
! so the per-port entries for 10.10.90.11 restrict nothing; anything with a
! translation is reachable on every port. Removing the any4 any4 line keeps
! only the explicitly published ports. Also, on 8.3+ ACLs match the REAL
! port, so the entries for 8001 and 3002 (the mapped ports of the static PAT
! below) presumably never match -- only 8000 and 3001 are needed.
access-list out extended permit icmp any any
access-list out extended permit ip any4 any4
access-list out extended permit ip 10.10.0.0 255.255.0.0 192.168.110.0 255.255.255.0
access-list out extended permit tcp any host 10.10.90.11 eq 8001
access-list out extended permit tcp any host 10.10.90.11 eq 3001
access-list out extended permit tcp any host 10.10.90.11 eq 3000
access-list out extended permit tcp any host 10.10.90.11 eq 8000
access-list out extended permit tcp any host 10.10.90.11 eq 3002
! VPN interesting traffic, also the match ACL of crypto map zhongxin.
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.110.0 255.255.255.0
! Inbound ACL on inside; line 1 already permits everything, so line 3 is
! shadowed as well.
access-list inside extended permit ip any4 any4
access-list inside extended permit icmp any4 any4
access-list inside extended permit ip 10.10.40.0 255.255.255.0 any4
pager lines 24
mtu outside 1500
mtu inside 1500
mtu outside1 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
! Twice-NAT identity rule: traffic matching the nonat ACL keeps its real
! addresses so it can enter the IPsec tunnel instead of being PAT'd.
nat (inside,outside) source static inside-net inside-net destination static 192.168.110.0 192.168.110.0 no-proxy-arp route-lookup
!
! Object NAT: dynamic PAT of both inside ranges to the outside address.
object network inside-net
nat (inside,outside) dynamic interface
object network inside-net1
nat (inside,outside) dynamic interface
! Static PAT, "service tcp <real> <mapped>": outside clients reach
! 10.10.90.11:8000 by connecting to <outside-ip>:8001, and 10.10.90.11:3001
! via <outside-ip>:3002. Two objects for the same host are required because
! each object carries one nat statement. (See the object note above about
! the missing `host` definitions.)
object network 10.10.90.11
nat (inside,outside) static interface service tcp 8000 8001
object network 10.10.90.11-02
nat (inside,outside) static interface service tcp 3001 3002
access-group out in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 *.*.188.113 1
! 10.10.x.0/24 LANs live behind the inside L3 device 192.168.10.2.
route inside 10.10.20.0 255.255.255.0 192.168.10.2 1
route inside 10.10.30.0 255.255.255.0 192.168.10.2 1
route inside 10.10.40.0 255.255.255.0 192.168.10.2 1
route inside 10.10.50.0 255.255.255.0 192.168.10.2 1
route inside 10.10.60.0 255.255.255.0 192.168.10.2 1
route inside 10.10.70.0 255.255.255.0 192.168.10.2 1
route inside 10.10.80.0 255.255.255.0 192.168.10.2 1
route inside 10.10.90.0 255.255.255.0 192.168.10.2 1
route inside 10.10.100.0 255.255.255.0 192.168.10.2 1
! NOTE(review): gateway 172.1.1.1 is not on any configured interface subnet,
! and 172.168.0.0 is not an RFC 1918 range -- confirm this route is intended.
route inside 172.168.20.0 255.255.255.0 172.1.1.1 1
! Same next hop as the default route; harmless, keeps VPN traffic on outside.
route outside 192.168.110.0 255.255.255.0 *.*.188.113 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
! SSH authenticates against the local usernames below, but no `ssh <net>
! <if>` line appears in this paste, so SSH is presumably not reachable;
! telnet (cleartext) is the only management path configured -- see below.
aaa authentication ssh console LOCAL
! Community-string (v1/v2c) SNMP to a host on the inside; strings masked.
snmp-server host inside 10.10.20.102 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
! Site-to-site IPsec, IKEv1. 3DES / MD5 / DH group 2 are legacy algorithms
! (deprecated in later ASA releases); AES, SHA and DH 14+ are preferred if
! the remote peer supports them.
crypto ipsec ikev1 transform-set vpn esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map zhongxin 10 match address nonat
! NOTE(review): the crypto map peer is *.*.57.242 but the tunnel-group below
! is named *.*.57.244. For an IKEv1 L2L tunnel the tunnel-group name must be
! the peer address for the pre-shared key to be found; if both are meant to
! be the same peer, one of them is a typo and phase 1 will fail.
crypto map zhongxin 10 set peer *.*.57.242
crypto map zhongxin 10 set ikev1 transform-set vpn
crypto map zhongxin interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
! NOTE(review): telnet is permitted from every inside address and carries
! the `passwd` login in cleartext. The usual mitigation is `ssh <mgmt-net>
! <mask> inside` with an RSA key and `no telnet 0.0.0.0 0.0.0.0 inside`.
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
console timeout 0
vpdn username test password ***** store-local
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Local accounts used by the SSH AAA line above.
username xinma2$ password 1e9gh.L.XaMzYLwr encrypted
username admin password 2oQYYbTOhyNUXKB4 encrypted
tunnel-group *.*.57.244 type ipsec-l2l
tunnel-group *.*.57.244 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
! Default global inspection policy; DNS message length capped at 512.
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ce9e55fed38a72f49f631c90b9f36b37
: end
asa 5512 端口映射问题