: Saved
: Written by enable_15 at 08:09:x.091 CST Tue Mar 27 2012
!
ASA Version 8.2(1)
! review: 8.2(1) is an old release train; the global/nat/static statements further down are the pre-8.3 NAT syntax.
!
hostname China
! review: the enable and login password hashes on the next two lines are published in this dump, so both
! credentials have to be treated as exposed and rotated on any device this configuration was taken from.
enable password RXYhbH6a5oKqSZh/ encrypted
passwd 14I.66Rt.5iO8KLl encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 218.x.x.x 255.255.255.224
! review: Internet-facing interface; its address is partially redacted ("x") in this dump. The static-NAT
! addresses 218.x.x.41-.47 and the default gateway 218.x.x.33 used below presumably sit in the same /27.
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.x.x 255.255.255.0
! review: trusted LAN side (security-level 100); the inside next hop for all static routes below is 192.168.x.1.
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
! review: unused port, administratively down - keep it that way until it is needed.
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
! review: unused port, administratively down.
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
! review: management-only stops this port from forwarding through-traffic; ASDM access on it is limited to
! 192.168.1.0/24 by the "http 192.168.1.0 255.255.255.0 management" line below - the pattern the other
! interfaces should follow.
!
time-range http
periodic daily 0:00 to 12:05
periodic daily 12:50 to 23:59
! review: active all day except 12:05-12:50. ACL 120 below attaches this range to its per-host permit/deny
! entries, so those entries are in force during the active periods and are skipped in the 12:05-12:50 gap.
!
ftp mode paChinave
! review: "paChinave" is not a valid keyword; it looks like the hostname substitution applied to this dump also
! hit "ftp mode passive" - confirm against the device before reusing the line.
clock timezone CST 8
dns domain-lookup outside
dns server-group DefaultDNS
name-server 202.102.134.68
name-server 202.102.152.3
! review: name resolution performed by the appliance itself goes out the outside interface to these two resolvers.
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
! review: TCPUDP is not referenced by any access-list in this dump; unused object-groups should be removed.
access-list 103 extended permit ip any any
! review: ACL 103 is bound inbound on the outside interface (access-group below). This first entry matches
! everything, so the icmp/tcp/udp entries and the two host-specific "eq www" entries that follow can never be
! hit, and every host exposed through the static translations below is reachable on all ports from the
! Internet. Keep only the host/port-specific permits to restore a default-deny posture.
access-list 103 extended permit icmp any any
access-list 103 extended permit tcp any any
access-list 103 extended permit udp any any
access-list 103 remark EES Server outside IP address
access-list 103 extended permit tcp any host 218.x.x.x eq www
access-list 103 extended permit tcp any host 218.x.x.x eq www
! review: the two "eq www" entries above are duplicates as printed (their host octets are redacted in this dump).
access-list 150 extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.0.0
! review: ACL 150 is not applied to any interface, NAT statement or crypto map anywhere in this dump.
! review: ACL 120 is bound inbound on the inside interface. It is evaluated top-down: destination permits
! first, then one deny for an external host, then per-source-host time-range entries, then a permit-any.
access-list 120 remark GMT Messanger& Drawing Distribution System
access-list 120 extended permit ip any host 222.237.160.33
access-list 120 remark mantou-web
access-list 120 extended permit ip any host 210.205.6.114
access-list 120 remark tianqi-web
access-list 120 extended permit ip any host 221.2.150.140
access-list 120 remark WEB Conference-1
access-list 120 extended permit ip any host 222.122.8.217
access-list 120 remark WEB Conference-2
access-list 120 extended permit ip any host 222.122.8.220
access-list 120 remark Daum Dic
access-list 120 extended permit ip any host 121.254.2x.102
access-list 120 remark Daum Dic
access-list 120 extended permit ip any host 211.233.29.33
access-list 120 remark Daum Dic
access-list 120 extended permit ip any host 121.254.206.25
access-list 120 remark Daum Dic
access-list 120 extended permit ip any 110.45.215.0 255.255.255.0
access-list 120 remark Daum Dic
access-list 120 extended permit ip any host 211.115.77.39
access-list 120 remark Daum Dic
access-list 120 extended permit ip any 114.108.157.0 255.255.255.0
access-list 120 remark Daum Dic
access-list 120 extended permit ip any host 110.45.229.148
access-list 120 remark Daum Dic
access-list 120 extended permit ip any 180.70.134.0 255.255.255.0
access-list 120 remark www.2345.com
access-list 120 extended deny ip any host 61.1x.8.189
access-list 120 extended deny ip host 192.168.2.2 any time-range http
! review: the time-range entries from here on control individual inside hosts while "http" is active (all day
! except 12:05-12:50): a deny blocks that host except to the destinations already permitted above it, and a
! permit lets it through. In the 12:05-12:50 gap these entries are skipped and the final permit-any applies.
access-list 120 extended deny ip host 192.168.2.3 any time-range http
access-list 120 extended................(网段2-52段,0段,100段,200段)
(ACL120就是每个网段254个地址全部写上,50个网段等于50*254条ACL)这里省略。
! review (translation of the author's two notes above): the per-host entries for subnets 2-52, 0, 100 and 200
! are omitted here; ACL 120 lists all 254 addresses of every subnet, i.e. about 50 x 254 entries.
access-list 120 extended permit ip host 192.168.0.253 any time-range http
access-list 120 extended deny ip host 192.168.0.254 any time-range http
access-list 120 extended permit ip any any
! review: this catch-all ends ACL 120; the "permit tcp any any eq www" entry after it is shadowed and never matches.
access-list 120 extended permit tcp any any eq www
access-list 130 extended permit ip any 192.168.125.0 255.255.255.0
! review: ACL 130 feeds "nat (inside) 0" below: traffic to the VPN address pool 192.168.125.0/24 is exempt from NAT.
access-list 144 extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
! review: ACLs 144, outside_access_in and inside_access_in are defined but not referenced anywhere in this dump
! (the access-group lines below use 103 and 120); remove them so they cannot be mistaken for the active policy.
pager lines 24
logging enable
logging timestamp
logging list Event level emergencies
logging list Event message 101002
! review: the "Event" event list is defined, but no logging destination in this dump references it.
logging console informational
! review: informational-level output to the console can slow the console on a busy firewall; a higher
! severity (or no console logging) is the usual choice.
logging monitor informational
logging trap informational
logging asdm informational
logging host inside 192.168.6.120 format emblem
! review: syslog is sent to a collector on the inside network; "logging trap informational" sets what it receives.
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool ***-pool 192.168.125.1-192.168.125.254 mask 255.255.255.0
! review: "***" in this dump appears to be a redaction of one word in the pool name (most plausibly "vpn").
! This pool is assigned to the remote-access tunnel-groups below and is what ACL 130 / NAT exemption cover.
ip verify reverse-path interface inside
! review: unicast RPF is enabled on inside only; there is no corresponding line for outside.
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
! review: ICMP to the appliance is explicitly permitted on inside; no icmp rule is shown for outside, so the
! platform default applies there.
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 130
nat (inside) 1 0.0.0.0 0.0.0.0
! review: pre-8.3 NAT: every inside source is PATed to the outside interface address (nat id 1), except traffic
! matching ACL 130 (destined to the VPN pool), which passes untranslated (nat 0 / NAT exemption).
"static (inside,outside) tcp interface 9080 192.168.0.201 9080 netmask 255.255.255.255 "
! review: the double quotes around these static lines are an artifact of the page the dump was copied from, not
! ASA syntax. This entry forwards TCP/9080 on the outside interface address to 192.168.0.201.
"static (inside,outside) 218.x.x.41 192.168.0.x netmask 255.255.255.255 "
"static (inside,outside) 218.x.x.42 192.168.0.x netmask 255.255.255.255 "
"static (inside,outside) 218.x.x.43 192.168.0.x netmask 255.255.255.255 "
"static (inside,outside) 218.x.x.45 192.168.0.x netmask 255.255.255.255 "
"static (inside,outside) 218.x.x.47 192.168.0.x netmask 255.255.255.255 "
"static (inside,outside) 218.x.x.46 192.168.0.x netmask 255.255.255.255 "
"static (inside,outside) 218.x.x.44 192.168.0.10 netmask 255.255.255.255 "
! review: the one-to-one statics above publish seven inside hosts on 218.x.x.41-.47 (inside addresses mostly
! redacted). A static only maps addresses; because ACL 103 opens with "permit ip any any", each of these hosts
! is reachable on every port from the Internet until that ACL is tightened.
access-group 103 in interface outside
access-group 120 in interface inside
route outside 0.0.0.0 0.0.0.0 218.x.x.33 1
! review: default route to the upstream gateway (address partially redacted).
! review: every static route below points at the same inside next hop 192.168.x.1, covering 192.168.0/24,
! 192.168.2-45/24, 192.168.49/24 and 192.168.100/24. 192.168.1.0/24 is connected on Management0/0 and
! 192.168.125.0/24 is the VPN pool, so neither needs a route; subnets 46-48 and 50-52, which the ACL 120 note
! mentions, have no route here - worth confirming whether they still exist.
route inside 192.168.0.0 255.255.255.0 192.168.x.1 1
route inside 192.168.2.0 255.255.255.0 192.168.x.1 1
route inside 192.168.3.0 255.255.255.0 192.168.x.1 1
route inside 192.168.4.0 255.255.255.0 192.168.x.1 1
route inside 192.168.5.0 255.255.255.0 192.168.x.1 1
route inside 192.168.6.0 255.255.255.0 192.168.x.1 1
route inside 192.168.7.0 255.255.255.0 192.168.x.1 1
route inside 192.168.8.0 255.255.255.0 192.168.x.1 1
route inside 192.168.9.0 255.255.255.0 192.168.x.1 1
route inside 192.168.10.0 255.255.255.0 192.168.x.1 1
route inside 192.168.11.0 255.255.255.0 192.168.x.1 1
route inside 192.168.12.0 255.255.255.0 192.168.x.1 1
route inside 192.168.13.0 255.255.255.0 192.168.x.1 1
route inside 192.168.14.0 255.255.255.0 192.168.x.1 1
route inside 192.168.15.0 255.255.255.0 192.168.x.1 1
route inside 192.168.16.0 255.255.255.0 192.168.x.1 1
route inside 192.168.17.0 255.255.255.0 192.168.x.1 1
route inside 192.168.18.0 255.255.255.0 192.168.x.1 1
route inside 192.168.19.0 255.255.255.0 192.168.x.1 1
route inside 192.168.20.0 255.255.255.0 192.168.x.1 1
route inside 192.168.21.0 255.255.255.0 192.168.x.1 1
route inside 192.168.22.0 255.255.255.0 192.168.x.1 1
route inside 192.168.23.0 255.255.255.0 192.168.x.1 1
route inside 192.168.24.0 255.255.255.0 192.168.x.1 1
route inside 192.168.25.0 255.255.255.0 192.168.x.1 1
route inside 192.168.26.0 255.255.255.0 192.168.x.1 1
route inside 192.168.27.0 255.255.255.0 192.168.x.1 1
route inside 192.168.28.0 255.255.255.0 192.168.x.1 1
route inside 192.168.29.0 255.255.255.0 192.168.x.1 1
route inside 192.168.30.0 255.255.255.0 192.168.x.1 1
route inside 192.168.31.0 255.255.255.0 192.168.x.1 1
route inside 192.168.32.0 255.255.255.0 192.168.x.1 1
route inside 192.168.33.0 255.255.255.0 192.168.x.1 1
route inside 192.168.34.0 255.255.255.0 192.168.x.1 1
route inside 192.168.35.0 255.255.255.0 192.168.x.1 1
route inside 192.168.36.0 255.255.255.0 192.168.x.1 1
route inside 192.168.37.0 255.255.255.0 192.168.x.1 1
route inside 192.168.38.0 255.255.255.0 192.168.x.1 1
route inside 192.168.39.0 255.255.255.0 192.168.x.1 1
route inside 192.168.40.0 255.255.255.0 192.168.x.1 1
route inside 192.168.41.0 255.255.255.0 192.168.x.1 1
route inside 192.168.42.0 255.255.255.0 192.168.x.1 1
route inside 192.168.43.0 255.255.255.0 192.168.x.1 1
route inside 192.168.44.0 255.255.255.0 192.168.x.1 1
route inside 192.168.45.0 255.255.255.0 192.168.x.1 1
route inside 192.168.49.0 255.255.255.0 192.168.x.1 1
route inside 192.168.100.0 255.255.255.0 192.168.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
! review: these timeout values appear to be the platform defaults.
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
! review: the HTTPS/ASDM management server accepts connections from any inside address and from the whole
! Internet on outside. Limit both to the administrators' addresses (the management entry shows the pattern)
! and drop the outside entry unless there is a documented need for remote ASDM access.
http redirect management 80
http redirect inside 80
http redirect outside 80
! review: port 80 on each interface address only answers to redirect browsers to HTTPS.
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! review: traps are enabled, but no "snmp-server host" (trap receiver) or community string appears in this dump.
crypto ipsec transform-set myset esp-des esp-md5-hmac
! review: single DES with HMAC-MD5 for the IPsec data path is weak by current standards; where the remote
! clients support it, move to an AES/SHA transform-set (e.g. esp-aes-256 esp-sha-hmac) and update the dynamic map.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map newmap 30 set transform-set myset
crypto map newmap 65535 ipsec-isakmp dynamic newmap
crypto map newmap interface outside
! review: a dynamic crypto map (remote-access peers with unknown addresses) is the only entry and it is bound
! to outside; no static site-to-site map entries exist in this dump.
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
! review: phase 1 likewise uses DES, MD5 and 1024-bit DH (group 2); prefer AES, SHA and a stronger DH group.
crypto isakmp policy 65535
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
! review: policy 65535 is identical to policy 10 and therefore redundant.
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
! review: cleartext telnet management is allowed from every inside address; with SSH already enabled it should
! be removed, or at minimum limited to the administrators' subnet.
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 1
! review: SSH is reachable from any Internet address and is restricted to protocol version 1, which has known
! weaknesses; set "ssh version 2" and narrow the outside (and inside) source ranges. No "aaa authentication ssh
! console" line appears in this dump, so SSH and telnet logins presumably use the shared "passwd" login password
! rather than the per-user accounts below - confirm on the device.
console timeout 0
! review: 0 means a console session never times out; a non-zero value is the usual hardening choice.
dhcpd address 192.168.1.2-192.168.1.254 management
! review: a DHCP pool for the management network is defined, but no "dhcpd enable management" line appears in
! this dump, so it may not be active.
!
threat-detection basic-threat
threat-detection scanning-threat
! review: scanning-threat without the "shun" keyword is detection-only: scans are logged, not blocked.
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
web***
! review: "***" and "×××" through the rest of this dump look like the page's redaction of one word, most
! plausibly "vpn" (webvpn, vpn-pool, vpn-tunnel-protocol, ciscovpn, China_vpn) - confirm before reusing any of it.
enable outside
tunnel-group-list enable
! review: the clientless portal is enabled on the Internet-facing interface, and "tunnel-group-list enable"
! puts the group-alias drop-down on the login page, so the alias "China" is visible to anyone reaching the portal.
group-policy DfltGrpPolicy attributes
web***
url-list value Services
group-policy cisco12 internal
group-policy cisco12 attributes
***-tunnel-protocol web***
web***
url-list none
! review: cisco12 limits its users to the clientless (web) tunnel protocol and presents no bookmark list.
username aaron password 44HycUhXeU/2s0DB encrypted
username kimdm password aCISAbFUFQ10TJg/ encrypted
username jyjung password WGd3z3.zq8.vjt4w encrypted
username ahnjb password bAVJDg2/3TCcCx7i encrypted
username cisco password w1y5Yra/IoYQWsoT encrypted
! review: five local accounts with their password hashes are published here; treat them as exposed and rotate
! them. None carries a privilege level or group restriction in this dump.
tunnel-group zhang11 type remote-access
tunnel-group zhang11 general-attributes
address-pool ***-pool
tunnel-group zhang11 ipsec-attributes
pre-shared-key sanjin123
! review: the IPsec pre-shared key is stored and printed in cleartext, and the same key is reused by the "test"
! and "China_***" groups below. Since this dump is public, the PSK of all three groups must be changed; the
! "test" group also looks like a leftover to remove if it is not in use.
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool ***-pool
tunnel-group test ipsec-attributes
pre-shared-key sanjin123
tunnel-group cisco*** type remote-access
tunnel-group cisco*** general-attributes
default-group-policy cisco12
! review: cisco*** defines no address-pool or ipsec-attributes of its own; it maps to the clientless-only policy cisco12.
tunnel-group China_*** type remote-access
tunnel-group China_*** general-attributes
address-pool ***-pool
tunnel-group China_*** ipsec-attributes
pre-shared-key sanjin123
tunnel-group China_××× type remote-access
tunnel-group China_××× web***-attributes
group-alias China enable
group-url https://218.x.x.40/China enable
! review: "China_×××" is probably the same group as "China_***" printed with a different redaction glyph; if so,
! these lines give it a login-page alias and a dedicated URL on the outside address 218.x.x.40.
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum x2
! review: "x2" has an obfuscated digit in this dump; the stock preset_dns_map value is 512.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
! review: this appears to be the stock default inspection set; nothing custom has been added or removed.
!
service-policy global_policy global
smtp-server 192.168.0.211
! review: relay for e-mail sent by the appliance itself; no "logging mail" line appears in this dump, so it
! may be unused.
prompt hostname context
Cryptochecksum:4941c62cc4dcaa898a2x94b904e1828
! review: the checksum also contains an obfuscated character, so it will not match the device's running config.
: end
转载于:https://blog.51cto.com/leiyu/839526