Chinaunix首页 | 论坛 | 博客
  • 博客访问: 19006564
  • 博文数量: 7460
  • 博客积分: 10434
  • 博客等级: 上将
  • 技术积分: 78178
  • 用 户 组: 普通用户
  • 注册时间: 2008-03-02 22:54
文章分类

全部博文(7460)

文章存档

2011年(1)

2009年(669)

2008年(6790)

分类: 系统运维

2008-05-21 20:08:08

hostname shafw01
domain-name heraeus.com
enable password
names
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface Gigab itEthernet0/0.150
vlan 150
nameif inside_data
security-level 50
ip address 172.26.24.6 255.255.255.252
!
interface GigabitEthernet0/0.151
vlan 151
nameif inside_voice
security-level 50
ip address 10.48.8.1 255.255.255.0

!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.161
vlan 161
nameif web
security-level 50
ip address 172.26.30.1 255.255.255.0
!
interface GigabitEthernet0/1.163
vlan 163
nameif secure
security-level 50
ip address 172.26.31.1 255.255.255.0
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface for Future
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.154
vlan 154
nameif sprint
security-level 50
ip address 172.26.24.9 255.255.255.252
!
interface Management0/0
nameif outside
security-level 50
ip address 222.66.83.18 255.255.255.240
!
boot system disk0:/asa704-k8.bin
ftp mode passive
clock timezone cet 8
dns domain-lookup inside_data
dns name-server 172.26.16.17
same-security-traffic permit inter-interface         
same-security-traffic permit intra-interface
object-group icmp-type icmp_echo_request
icmp-object echo
object-group icmp-type icmp_echo_reply
icmp-object echo-reply
object-group icmp-type ICMP_echo
group-object icmp_echo_request
group-object icmp_echo_reply
object-group service udp_tftp udp
port-object eq tftp
object-group service udp_citrix udp
port-object eq 1604
object-group service udp_radius udp
port-object eq 1812
object-group service udp_radius_acct udp
port-object eq 1813
object-group service udp_rsa_5500 udp
port-object eq 5500
object-group service tcp_http tcp
port-object eq www
object-group service tcp_http_8080 tcp
port-object eq 8080
object-group service tcp_https tcp
port-object eq https
object-group service tcp_ftp tcp
port-object eq ftp
object-group service tcp_ntp tcp
port-object eq 123
object-group service udp_ntp udp
port-object eq ntp
object-group service tcp_smtp tcp
port-object eq smtp
object-group service tcp_ssh tcp
port-object eq ssh
object-group service tcp_squid_3128 tcp
port-object eq 3128
object-group service tcp_squid_2370 tcp
port-object eq 2370
object-group service tcp_sapdps_47xx tcp
port-object range 4700 4799
object-group service tcp_sapgw_33xx tcp
port-object range 3300 3399
object-group service tcp_sapdp_32xx tcp
port-object range 3200 3299
object-group service tcp_sapgws_48xx tcp
port-object range 4800 4899
object-group service tcp_sapms_36xx tcp
port-object range 3600 3699
object-group service tcp_jetdirect_9100 tcp
port-object eq 9100
object-group service tcp_printer tcp
port-object eq lpd
object-group service tcp_tacacs_plus tcp
port-object eq tacacs
object-group service TCP_squid_web tcp
group-object tcp_http
group-object tcp_https
group-object tcp_http_8080
object-group service TCP_squid_ftp tcp
group-object tcp_ftp
object-group service TCP_squid_all tcp
group-object TCP_squid_web
group-object TCP_squid_ftp
object-group service TCP_squid_port tcp
group-object tcp_squid_3128
group-object tcp_squid_2370
object-group service TCP_sap tcp
group-object tcp_sapdps_47xx
group-object tcp_sapgw_33xx
group-object tcp_sapdp_32xx
group-object tcp_sapgws_48xx
group-object tcp_sapms_36xx
object-group service TCP_printing tcp
group-object tcp_jetdirect_9100
group-object tcp_printer
object-group network n_VLAN108_16
network-object 172.26.16.0 255.255.255.0
object-group network n_VLAN105_22
network-object 172.26.22.0 255.255.255.0
object-group network n_VLAN106_25
network-object 172.26.25.0 255.255.255.0
object-group network n_VLAN163_31
network-object 172.26.31.0 255.255.255.0
object-group service TCP_dameware tcp
group-object tcp_dameware_6129
group-object tcp_dameware_6130
object-group network N_RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group service TCP_client_auth tcp
group-object tcp_http
group-object tcp_https
group-object tcp_telnet

object-group network h_china_ntpserver
network-object host 202.108.158.139

object-group network h_auth42
network-object host 172.26.31.42

object-group network H_auth
group-object h_auth42

object-group network H_ntp_servers
group-object h_china_ntpserver

access-list TRIGGER extended permit tcp any object-group H_auth object-group TCP_client_auth

access-list NONAT remark # this is a nat rule, only permit's are allowed
access-list NONAT remark # no nat inside our networks
access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918

access-list POLICY remark # counterpart of trigger rule
access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth

access-list POLICY remark # # ntp
access-list POLICY extended permit tcp any object-group H_ntp_servers object-group tcp_ntp
access-list POLICY extended permit udp any object-group H_ntp_servers object-group udp_ntp

access-list HIDING remark # this is a nat rule, only permit's are allowed
access-list HIDING extended permit ip object-group N_RFC1918 any

access-list IPS extended permit ip any any

tcp-map mss
  exceed-mss allow
!

pager lines 22
logging enable
logging console critical
logging monitor errors
logging buffered critical
logging trap errors
logging facility 16
logging host secure 172.26.31.142
logging permit-hostdown
mtu inside_data 1500
mtu web 1500
mtu secure 1500
mtu sprint 1500
mtu outside 1500
ip verify reverse-path interface inside_data
ip verify reverse-path interface web
ip verify reverse-path interface secure
ip verify reverse-path interface sprint
ip verify reverse-path interface outside
asdm image disk0:/asdm502.bin
no asdm history enable
arp outside {mac-outside interface} {hiding IP)
arp timeout 14400
global outside 1 {hiding ip} netmask 255.255.255.0
nat (inside_data) 0 access-list NONAT
nat (inside_voice) 0 access-list NONAT
nat (sprint) 0 access-list NONAT
nat (secure) 0 access-list NONAT
nat (inside_data) 1 access-list HIDING
route inside_data 172.26.25.0 255.255.255.0 172.26.24.5 1
route inside_data 172.26.22.0 255.255.255.0 172.26.24.5 1
route inside_data 172.26.16.0 255.255.255.0 172.26.24.5 1
route sprint 172.16.0.0 255.240.0.0 172.26.24.10 1
route sprint 10.0.0.0 255.0.0.0 172.26.24.10 1
route sprint 192.168.0.0 255.255.0.0 172.26.24.10 1

access-group POLICY in interface inside_data per-user-override
access-group POLICY in interface inside_voice
access-group POLICY in interface web
access-group POLICY in interface secure per-user-override
access-group POLICY in interface sprint per-user-override
access-group POLICY in interface outside

timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:10
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute uauth 0:15:00 inactivity

virtual telnet 172.26.24.xx

auth-prompt prompt Please enter your username and password
auth-prompt accept Authentication succeeded.
auth-prompt reject Authentication failed. Try again.
telnet timeout 5
ssh scopy enable
ssh 172.22.161.0 255.255.255.0 sprint
ssh 172.26.16.0 255.255.255.0 inside_data
ssh 172.26.31.0 255.255.255.0 secure
ssh timeout 60
ssh version 2
console timeout 0
management-access inside_data
mangement-acccess sprint

class-map my-ips-class
match access-list IPS
class-map VoIP
match dscp cs3  ef
class-map inspection_default
match default-inspection-traffic
class-map mss-map
match access-list MSS-exceptions

policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect rtsp
  inspect skinny
  inspect tftp
  inspect sip
  inspect icmp
  inspect ctiqbe
  inspect dns
  inspect http
class mss-map
  set connection advanced-options mss
class my-ips-class
  ips promiscuous fail-open
policy-map qos
class VoIP
  priority
policy-map my-ips-policy
class my-ips-class
  ips promiscuous fail-open

service-policy global_policy global
  ntp server 202.108.158.139

rdca4fwep

==========================================================================
shafw01(config)# sh run
: Saved
:
ASA Version 7.0(4)
!
hostname shafw01
domain-name heraeus.com
enable password .68HJO4Qmg83HE2S encrypted
names
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.150
vlan 150
nameif inside_data
security-level 50
ip address 172.26.24.18 255.255.255.240
!
interface GigabitEthernet0/0.151
vlan 151
nameif inside_voice
security-level 50
ip address 10.48.8.1 255.255.255.0
!            
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.161
vlan 161
nameif web
security-level 50
ip address 172.26.30.1 255.255.255.0
!
interface GigabitEthernet0/1.163
vlan 163
nameif secure
security-level 50
ip address 172.26.31.1 255.255.255.0
!
interface GigabitEthernet0/2
description LAN/STATE Failover interface for futer!
shutdown
no nameif
no security-level
no ip address
!            
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.154
vlan 154
nameif sprint
security-level 50
ip address 172.26.24.9 255.255.255.0
!
interface Management0/0
nameif outside
security-level 50
ip address 222.66.83.18 255.255.255.240
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/0
boot system disk0:/asa704-k8.bin
ftp mode passive
clock timezone cet 8
dns domain-lookup inside_data
dns name-server 172.26.16.17
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type icmp_echo_request
icmp-object echo
object-group icmp-type icmp_echo_reply
object-group network h_china_ntpserver
network-object host 202.108.158.139
object-group network h_auth42
network-object host 172.26.31.42
network-object host 172.26.24.19
object-group network N_RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group network n_VLAN108_16
network-object 172.26.16.0 255.255.255.0
object-group network n_VLAN105_22
network-object 172.26.22.0 255.255.255.0
object-group network n_VLAN106_25
network-object 172.26.25.0 255.255.255.0
object-group network n_VLAN163_31
network-object 172.26.31.0 255.255.255.0
object-group network n_VLAN108_18
network-object 172.26.18.0 255.255.255.0
object-group network N_RDCA_S_C
group-object n_VLAN108_18
group-object n_VLAN108_16
group-object n_VLAN105_22
object-group service tcp_http tcp
port-object eq www
object-group service tcp_https tcp
port-object eq https
object-group service tcp_telnet tcp
port-object eq telnet
object-group service TCP_client_auth tcp
group-object tcp_http
group-object tcp_https
group-object tcp_telnet
object-group service tcp_http_8080 tcp
port-object eq 8080
object-group service tcp_ftp tcp
port-object eq ftp
object-group service tcp_ntp tcp
port-object eq 123
object-group service udp_ntp udp
port-object eq ntp
object-group service tcp_smtp tcp
port-object eq smtp
object-group service tcp_ssh tcp
port-object eq ssh
object-group network H_auth
group-object h_auth42
object-group network H_ntp_servers
group-object h_china_ntpserver
object-group service TCP_webservice tcp
group-object tcp_http
group-object tcp_https
access-list HIDING extended permit ip object-group N_RFC1918 any
access-list HIDING remark # this is a nat rule, only permit's are allowed
access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918
access-list POLICY remark # counterpart of trigger rule
access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth
access-list POLICY remark # # ntp
access-list POLICY extended permit tcp any object-group H_ntp_servers object-group tcp_ntp
access-list POLICY extended permit udp any object-group H_ntp_servers object-group udp_ntp
access-list POLICY remark # RDCA-webbrowsing rule
access-list POLICY extended permit tcp object-group N_RDCA_S_C any object-group TCP_webservice log
access-list POLICY remark # All Internal Network is allowed
access-list POLICY remark # All Internal Network Traffic is allowed
access-list POLICY extended permit ip object-group N_RFC1918 object-group N_RFC1918 log
access-list POLICY extended deny ip any any log
access-list IPS extended permit ip any any
pager lines 24
logging enable
logging buffer-size 10000
logging console critical
logging monitor errors
logging buffered errors
logging trap errors
logging facility 16
logging host secure 172.26.31.142
logging permit-hostdown
mtu inside_data 1500
mtu inside_voice 1500
mtu web 1500
mtu secure 1500
mtu sprint 1500
mtu outside 1500
ip verify reverse-path interface inside_data
ip verify reverse-path interface web
ip verify reverse-path interface secure
ip verify reverse-path interface sprint
ip verify reverse-path interface outside
no failover
asdm image disk0:/asdm504.bin
no asdm history enable
arp outside 222.66.83.19 0013.c482.3ffc
arp timeout 14400
global (outside) 1 222.66.83.19 netmask 255.255.255.255
nat (inside_data) 0 access-list NONAT
nat (inside_data) 1 access-list HIDING
nat (inside_voice) 0 access-list NONAT
nat (secure) 0 access-list NONAT
nat (sprint) 0 access-list NONAT
access-group POLICY in interface inside_data
access-group POLICY in interface web
access-group POLICY in interface sprint
access-group POLICY in interface outside
route inside_data 172.26.23.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.10.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.25.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.22.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.16.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.18.0 255.255.255.0 172.26.24.17 1
route sprint 172.16.0.0 255.240.0.0 172.26.24.10 1
route sprint 10.0.0.0 255.0.0.0 172.26.24.10 1
route sprint 192.168.0.0 255.255.0.0 172.26.24.10 1
route outside 0.0.0.0 0.0.0.0 222.66.83.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username wafersys password N3432S3svONQ.rWm encrypted
username rdcafwadmin password iqtp6BSrFydQnyAe encrypted
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 172.26.24.19
auth-prompt prompt Please enter your username and password
auth-prompt accept Authentication succeeded.
auth-prompt reject Authentication failed. Try again.
telnet timeout 5
ssh scopy enable
ssh 172.22.161.0 255.255.255.0 inside_data
ssh 172.22.163.0 255.255.255.0 inside_data
ssh 172.26.18.0 255.255.255.0 inside_data
ssh timeout 60
ssh version 2
console timeout 0
management-access inside_data
!
class-map my-ips-class
match access-list IPS
class-map Voip
match dscp cs3  ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
class my-ips-class
  ips promiscuous fail-open
policy-map qos
class Voip
  priority
policy-map my-ips-policy
class my-ips-class
  ips promiscuous fail-open
!
service-policy global_policy global
ntp server 202.108.158.139
Cryptochecksum:c46fbf0ead94c0a5c60d415f8b5ce82b
: end
shafw01(config)# sh ver

Cisco Adaptive Security Appliance Software Version 7.0(4)
Device Manager Version 5.0(4)

Compiled on Thu 13-Oct-05 21:43 by builders
System image file is "disk0:/asa704-k8.bin"
Config file at boot was "startup-config"

shafw01 up 47 mins 3 secs

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080: @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0  : address is 0013.c482.3ff8, irq 9
1: Ext: GigabitEthernet0/1  : address is 0013.c482.3ff9, irq 9
2: Ext: GigabitEthernet0/2  : address is 0013.c482.3ffa, irq 9
3: Ext: GigabitEthernet0/3  : address is 0013.c482.3ffb, irq 9
4: Ext: Management0/0       : address is 0013.c482.3ffc, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : 300

This platform has a Base license.

Serial Number: JMX0949K06H
Running Activation Key: 0x7626e778 0xf831bcc6 0x445328fc 0x84003414 0x0e1bcb8a
Configuration register is 0x1
Configuration last modified by enable_15 at 16:29:59.641 cet Thu Feb 16 2006
shafw01(config)#
shafw01(config)#
shafw01(config)#
shafw01(config)#
shafw01(config)# sh int ip brief
shafw01(config)# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  up                    up  
GigabitEthernet0/0.150     172.26.24.18    YES CONFIG up                    up  
GigabitEthernet0/0.151     10.48.8.1       YES CONFIG up                    up  
GigabitEthernet0/1         unassigned      YES unset  up                    up  
GigabitEthernet0/1.161     172.26.30.1     YES CONFIG up                    up  
GigabitEthernet0/1.163     172.26.31.1     YES CONFIG up                    up  
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  up                    up  
GigabitEthernet0/3.154     172.26.24.9     YES CONFIG up                    up  
Internal-Control0/0        127.0.1.1       YES unset  up                    up  
Internal-Data0/0           unassigned      YES unset  up                    up  
Management0/0              222.66.83.18    YES CONFIG up                    up  
shafw01(config)#
阅读(332) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~