: Saved
: Written by enable_15 at 08:09:x.091 CST Tue Mar 27 2012
!
ASA Version 8.2(1)
!
! Hostname "China" is the author's substitution for the original name; the same
! substitution shows up elsewhere in the file (group names, the group-url path).
hostname China
! Both privileged-mode and login password hashes are included in the posted
! text. A config that carries them is itself sensitive material (any hash can
! be guessed offline); rotate both if this text was shared outside the team.
enable password RXYhbH6a5oKqSZh/ encrypted
passwd 14I.66Rt.5iO8KLl encrypted
names
! dns-guard: only one DNS reply per outstanding query is passed through.
dns-guard
!
! outside: Internet-facing, security-level 0 (lowest trust). The public
! address is redacted in the post; the /27 mask is the author's.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 218.x.x.x  255.255.255.224
!
! inside: LAN side, security-level 100 (highest trust). It shares level 100
! with the management interface; on ASA, traffic between equal-level
! interfaces needs "same-security-traffic permit inter-interface" (not present),
! which is moot here because management is management-only.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.x.x 255.255.255.0
!
! Gi0/2 and Gi0/3 are administratively down and unconfigured.
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
! management: out-of-band admin interface on 192.168.1.0/24. management-only
! means it accepts traffic to the ASA itself but does not forward through-traffic.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
! time-range "http" is active 00:00-12:05 and 12:50-23:59 every day, i.e. all
! day except the 12:05-12:50 window. ACL 120 entries that reference it are
! enforced only inside those periods and are ignored during the gap.
time-range http
 periodic daily 0:00 to 12:05
 periodic daily 12:50 to 23:59
!
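! "paChinave" in the posted text is a search-and-replace artefact: the author
! substituted "China" for the original hostname file-wide and caught the middle
! of "passive". The only valid form of this command is "ftp mode passive".
ftp mode passive
clock timezone CST 8
! Name resolution from the ASA itself goes out the outside interface to the
! two resolvers below.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 202.102.134.68
 name-server 202.102.152.3
! Protocol group TCPUDP is defined but no access-list in this config uses it.
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp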
! ACL 103 is bound inbound on the outside interface (see access-group below).
! ASA evaluates entries top-down, first match wins. The very first entry
! permits ip any any, so every entry after it -- including the remarked
! EES server www rules -- is shadowed and never consulted: the outside
! interface is effectively open to all inbound traffic, and with the static
! translations below, every mapped inside host is reachable on all ports.
! Tightening this means deleting the four any/any entries and keeping only the
! host-specific permits. The two www entries are exact duplicates of each other.
access-list 103 extended permit ip any any
access-list 103 extended permit icmp any any
access-list 103 extended permit tcp any any
access-list 103 extended permit udp any any
access-list 103 remark EES Server outside IP address
access-list 103 extended permit tcp any host 218.x.x.x eq www
access-list 103 extended permit tcp any host 218.x.x.x eq www
! ACL 150 is not referenced by any access-group, nat or crypto statement here.
access-list 150 extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.0.0
! ACL 120 is bound inbound on the inside interface: it governs what LAN hosts
! may reach. Order matters -- the destination-specific permits come first so
! those services stay reachable regardless of the per-host time-range rules.
access-list 120 remark GMT Messanger& Drawing Distribution System
access-list 120 extended permit ip any host 222.237.160.33
access-list 120 remark mantou-web
access-list 120 extended permit ip any host 210.205.6.114
access-list 120 remark tianqi-web
access-list 120 extended permit ip any host 221.2.150.140
access-list 120 remark WEB Conference-1
access-list 120 extended permit ip any host 222.122.8.217
access-list 120 remark WEB Conference-2
access-list 120 extended permit ip any host 222.122.8.220
access-list 120 remark Daum Dic
access-list 120 extended permit ip any host 121.254.2x.102
access-list 120 remark Daum Dic
access-list 120 extended permit ip any host 211.233.29.33
access-list 120 remark Daum Dic
access-list 120 extended permit ip any host 121.254.206.25
access-list 120 remark Daum Dic
access-list 120 extended permit ip any 110.45.215.0 255.255.255.0
access-list 120 remark Daum Dic
access-list 120 extended permit ip any host 211.115.77.39
access-list 120 remark Daum Dic
access-list 120 extended permit ip any 114.108.157.0 255.255.255.0
access-list 120 remark Daum Dic
access-list 120 extended permit ip any host 110.45.229.148
access-list 120 remark Daum Dic
access-list 120 extended permit ip any 180.70.134.0 255.255.255.0
! Per-host time-range entries: hosts denied here lose all IP access (not just
! web) while time-range "http" is active, i.e. outside the 12:05-12:50 gap.
! These only take effect because they precede the catch-all permit further down.
access-list 120 remark www.2345.com
access-list 120 extended deny ip any host 61.1x.8.189
access-list 120 extended deny ip host 192.168.2.2 any time-range http
access-list 120 extended deny ip host 192.168.2.3 any time-range http
! The next two lines are the author's elision note (in Chinese), not ASA syntax:
! the per-host entries for subnets 2-52, 0, 100 and 200 (254 addresses each,
! roughly 50 x 254 entries) were left out of the post. A real config would
! need each of them spelled out, or an object-group per subnet instead.
access-list 120 extended................(网段2-52段,0段,100段,200段)
(ACL120就是每个网段254个地址全部写上,50个网段等于50*254条ACL)这里省略。
access-list 120 extended permit ip host 192.168.0.253 any time-range http
access-list 120 extended deny ip host 192.168.0.254 any time-range http
! Catch-all permit. The "tcp any any eq www" entry after it can never match.
! Note there is no final deny, so any inside host not listed above has full
! outbound access at all times.
access-list 120 extended permit ip any any
access-list 120 extended permit tcp any any eq www
! ACL 130 is the NAT-exemption match list (nat 0 below): traffic from inside to
! the 192.168.125.0/24 remote-access pool is not translated.
access-list 130 extended permit ip any 192.168.125.0 255.255.255.0
! ACL 144 is not referenced anywhere in this config.
access-list 144 extended permit ip any any
! outside_access_in / inside_access_in are not bound to any interface here
! (access-group uses 103 and 120); they look like leftovers and can be removed.
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
! Logging: timestamps on, informational level to console, monitor, syslog trap
! and ASDM; syslog is sent to 192.168.6.120 on the inside in EMBLEM format.
! The "Event" logging list (emergencies + message 101002) is defined but no
! destination in this config selects it, so it currently filters nothing.
logging enable
logging timestamp
logging list Event level emergencies
logging list Event message 101002
logging console informational
logging monitor informational
logging trap informational
logging asdm informational
logging host inside 192.168.6.120 format emblem
mtu outside 1500
mtu inside 1500
mtu management 1500
! Remote-access address pool. "***-pool" is the forum's masking of the pool
! name (presumably vpn-pool); the tunnel-groups below reference it by the
! same masked name.
ip local pool ***-pool 192.168.125.1-192.168.125.254 mask 255.255.255.0
! Unicast RPF is enabled on inside only. The outside interface has no
! reverse-path check; "ip verify reverse-path interface outside" would also
! drop packets arriving from the Internet with internal source addresses.
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
! ICMP addressed to the ASA itself is accepted from any inside host.
icmp permit any inside
no asdm history enable
arp timeout 14400
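! Dynamic PAT: all inside sources (nat 1 0.0.0.0 0.0.0.0) are translated to
! the outside interface address.
global (outside) 1 interface
! NAT exemption for traffic matching ACL 130 (inside -> 192.168.125.0/24,
! the remote-access pool).
nat (inside) 0 access-list 130
nat (inside) 1 0.0.0.0 0.0.0.0
! Static translations. In the posted text these lines were wrapped in double
! quotes (an export/paste artefact); the quotes are not ASA syntax and would
! be rejected on paste, so they are removed here. Inside hosts are redacted as
! 192.168.0.x except the last entry.
! The first entry is port-forwarding only (tcp 9080 on the interface address);
! the remaining ones are one-to-one statics, which expose the mapped hosts on
! every port subject to ACL 103 -- and ACL 103 begins with permit ip any any.
static (inside,outside) tcp interface 9080 192.168.0.201 9080 netmask 255.255.255.255
static (inside,outside) 218.x.x.41 192.168.0.x netmask 255.255.255.255
static (inside,outside) 218.x.x.42 192.168.0.x netmask 255.255.255.255
static (inside,outside) 218.x.x.43 192.168.0.x netmask 255.255.255.255
static (inside,outside) 218.x.x.45 192.168.0.x netmask 255.255.255.255
static (inside,outside) 218.x.x.47 192.168.0.x netmask 255.255.255.255
static (inside,outside) 218.x.x.46 192.168.0.x netmask 255.255.255.255
static (inside,outside) 218.x.x.44 192.168.0.10 netmask 255.255.255.255
! Interface bindings: ACL 103 filters inbound on outside, ACL 120 inbound on inside.
access-group 103 in interface outside
access-group 120 in interface inside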
! Default route via the ISP gateway on outside (address redacted).
route outside 0.0.0.0 0.0.0.0 218.x.x.33 1
! Internal /24s (192.168.0, 2-45, 49 and 100) all point at the same inside
! next hop (redacted as 192.168.x.1), presumably a core router. 192.168.1.0/24
! is the management interface and 192.168.125.0/24 is the remote-access pool,
! so neither is expected here. A single summary route would shorten this list
! but would also send every unlisted 192.168.x.0 network inside instead of out
! the default route, so it is not a drop-in replacement.
route inside 192.168.0.0 255.255.255.0 192.168.x.1 1
route inside 192.168.2.0 255.255.255.0 192.168.x.1 1
route inside 192.168.3.0 255.255.255.0 192.168.x.1 1
route inside 192.168.4.0 255.255.255.0 192.168.x.1 1
route inside 192.168.5.0 255.255.255.0 192.168.x.1 1
route inside 192.168.6.0 255.255.255.0 192.168.x.1 1
route inside 192.168.7.0 255.255.255.0 192.168.x.1 1
route inside 192.168.8.0 255.255.255.0 192.168.x.1 1
route inside 192.168.9.0 255.255.255.0 192.168.x.1 1
route inside 192.168.10.0 255.255.255.0 192.168.x.1 1
route inside 192.168.11.0 255.255.255.0 192.168.x.1 1
route inside 192.168.12.0 255.255.255.0 192.168.x.1 1
route inside 192.168.13.0 255.255.255.0 192.168.x.1 1
route inside 192.168.14.0 255.255.255.0 192.168.x.1 1
route inside 192.168.15.0 255.255.255.0 192.168.x.1 1
route inside 192.168.16.0 255.255.255.0 192.168.x.1 1
route inside 192.168.17.0 255.255.255.0 192.168.x.1 1
route inside 192.168.18.0 255.255.255.0 192.168.x.1 1
route inside 192.168.19.0 255.255.255.0 192.168.x.1 1
route inside 192.168.20.0 255.255.255.0 192.168.x.1 1
route inside 192.168.21.0 255.255.255.0 192.168.x.1 1
route inside 192.168.22.0 255.255.255.0 192.168.x.1 1
route inside 192.168.23.0 255.255.255.0 192.168.x.1 1
route inside 192.168.24.0 255.255.255.0 192.168.x.1 1
route inside 192.168.25.0 255.255.255.0 192.168.x.1 1
route inside 192.168.26.0 255.255.255.0 192.168.x.1 1
route inside 192.168.27.0 255.255.255.0 192.168.x.1 1
route inside 192.168.28.0 255.255.255.0 192.168.x.1 1
route inside 192.168.29.0 255.255.255.0 192.168.x.1 1
route inside 192.168.30.0 255.255.255.0 192.168.x.1 1
route inside 192.168.31.0 255.255.255.0 192.168.x.1 1
route inside 192.168.32.0 255.255.255.0 192.168.x.1 1
route inside 192.168.33.0 255.255.255.0 192.168.x.1 1
route inside 192.168.34.0 255.255.255.0 192.168.x.1 1
route inside 192.168.35.0 255.255.255.0 192.168.x.1 1
route inside 192.168.36.0 255.255.255.0 192.168.x.1 1
route inside 192.168.37.0 255.255.255.0 192.168.x.1 1
route inside 192.168.38.0 255.255.255.0 192.168.x.1 1
route inside 192.168.39.0 255.255.255.0 192.168.x.1 1
route inside 192.168.40.0 255.255.255.0 192.168.x.1 1
route inside 192.168.41.0 255.255.255.0 192.168.x.1 1
route inside 192.168.42.0 255.255.255.0 192.168.x.1 1
route inside 192.168.43.0 255.255.255.0 192.168.x.1 1
route inside 192.168.44.0 255.255.255.0 192.168.x.1 1
route inside 192.168.45.0 255.255.255.0 192.168.x.1 1
route inside 192.168.49.0 255.255.255.0 192.168.x.1 1
route inside 192.168.100.0 255.255.255.0 192.168.x.1 1
! Connection/translation idle timeouts.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
! HTTPS management (ASDM) is accepted from ANY address on both inside and
! outside, and port 80 is redirected to it on all three interfaces. That puts
! the management plane on the Internet. Limit each "http" statement to the
! admin hosts, e.g. "http <ADMIN-NET> <MASK> inside" (placeholder values),
! and drop the outside entry unless remote administration is really required.
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http redirect management 80
http redirect inside 80
http redirect outside 80
no snmp-server location
no snmp-server contact
! Traps are enabled, but no snmp-server host / community appears in this
! config, so no trap destination is visible here.
snmp-server enable traps snmp authentication linkup linkdown coldstart
! IPsec proposal: single DES (56-bit) with MD5-HMAC. Both are considered weak;
! this release also offers esp-aes and esp-sha-hmac, which should be preferred.
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Dynamic crypto map for remote-access peers (any source), bound to outside.
crypto dynamic-map newmap 30 set transform-set myset
crypto map newmap 65535 ipsec-isakmp dynamic newmap
crypto map newmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
! IKE phase 1: pre-shared key, DES, MD5, DH group 2. Same weakness as the
! transform-set above -- move to AES/SHA and a stronger DH group as the
! clients allow. Policy 65535 is an exact copy of policy 10 and adds nothing.
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
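! Telnet (cleartext credentials) is accepted from every inside address.
! Prefer SSH only; if telnet must remain, restrict it to the admin subnet.
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh scopy enable
! SSH is accepted from any address on outside and inside. Restrict both to the
! known admin sources, e.g. "ssh <ADMIN-NET> <MASK> outside" (placeholder).
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
! Was "ssh version 1". SSHv1 has well-known protocol weaknesses; version 2 is
! supported on this release and every current client speaks it.
ssh version 2
! Console sessions never time out.
console timeout 0
! DHCP range for the management interface. No "dhcpd enable management" line
! appears in this config, so the scope may not actually be serving leases.
dhcpd address 192.168.1.2-192.168.1.254 management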
!
! Threat detection: basic and scanning-threat detection on, plus statistics
! collection for ports, protocols, access-list hits and TCP intercept. Scanning
! threat is in detect-only mode here (no "shun" keyword), so it logs but does
! not block.
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
! "web***", "***-pool" and "***-tunnel-protocol" are the forum's masking of a
! three-letter word; read them as webvpn, vpn-pool and vpn-tunnel-protocol.
! The clientless portal is enabled on outside with the group list shown on
! the login page.
web***
 enable outside
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 web***
  url-list value Services
! cisco12: clientless-only policy (no IPsec), no bookmarks.
group-policy cisco12 internal
group-policy cisco12 attributes
 ***-tunnel-protocol web***
 web***
  url-list none
! Five local users with hashed passwords. Like the enable/login hashes, these
! are exposed by the post and should be rotated. No "privilege" level is set,
! so no user is granted enable-level access by this block.
username aaron password 44HycUhXeU/2s0DB encrypted
username kimdm password aCISAbFUFQ10TJg/ encrypted
username jyjung password WGd3z3.zq8.vjt4w encrypted
username ahnjb password bAVJDg2/3TCcCx7i encrypted
username cisco password w1y5Yra/IoYQWsoT encrypted
! IPsec remote-access groups zhang11, test and China_*** all use the same
! pre-shared key, stored in cleartext and now public via this post. A group
! literally named "test" with the production key should not exist. Rotate to a
! long, distinct key per group (or certificate authentication), and keep the
! config itself out of shared channels.
tunnel-group zhang11 type remote-access
tunnel-group zhang11 general-attributes
 address-pool ***-pool
tunnel-group zhang11 ipsec-attributes
 pre-shared-key sanjin123
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool ***-pool
tunnel-group test ipsec-attributes
 pre-shared-key sanjin123
! cisco***: bound to the clientless policy cisco12; no pool, no PSK.
tunnel-group cisco*** type remote-access
tunnel-group cisco*** general-attributes
 default-group-policy cisco12
tunnel-group China_*** type remote-access
tunnel-group China_*** general-attributes
 address-pool ***-pool
tunnel-group China_*** ipsec-attributes
 pre-shared-key sanjin123
! China_××× (multiplication signs) differs from China_*** above; it may be a
! second masking of the same name or a distinct group -- the post does not say.
! This one carries the clientless alias and group-url.
tunnel-group China_××× type remote-access
tunnel-group China_××× web***-attributes
 group-alias China enable
 group-url https://218.x.x.40/China enable
!
! Default inspection class: matches the standard inspection ports.
class-map inspection_default
 match default-inspection-traffic
!
!
! DNS inspection parameters. "x2" is a redaction in the post (the usual value
! in this template is 512); the real config needs a number here.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum x2
! Global inspection policy -- the stock set of application inspections.
! "inspect http" is not enabled, so the www entries in the ACLs are plain
! L3/L4 port filters with no protocol-level checking.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
! Mail relay the ASA would use for e-mail notifications; no "logging mail"
! destination is configured above, so it is unused as shown.
smtp-server 192.168.0.211
prompt hostname context
! Checksum line contains an "x", i.e. it is redacted/garbled in the post; the
! ASA recomputes it on write, so it carries no information here.
Cryptochecksum:4941c62cc4dcaa898a2x94b904e1828
: end