Example 7.2. ASA 5550
: Saved
:
ASA Version 8.2(1)
!
hostname asa5550
enable password Yi7fhXUH4X/ZMh encrypted
passwd 2KFQnNId2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 110.112.133.60 255.255.255.192
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface GigabitEthernet1/0
 nameif inside
 security-level 100
 ip address 172.16.0.254 255.255.255.0
!
interface GigabitEthernet1/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list outside extended permit icmp any any
access-list outside extended permit udp any host 110.112.133.20 eq domain
access-list outside extended permit udp any host 110.112.133.23 eq domain
access-list outside extended permit udp any host 110.112.133.18 eq domain
access-list outside extended permit tcp any host 110.112.133.18 eq ssh
access-list outside extended permit tcp any host 110.112.133.7 eq ftp
access-list outside extended permit tcp any host 110.112.133.21 eq www
access-list outside extended permit tcp any host 110.112.133.22 eq www
access-list outside extended permit tcp any host 110.112.133.13 eq 3389
access-list outside extended permit tcp any host 110.112.133.24 eq 3389
access-list outside extended permit tcp any host 110.112.133.9 eq www
access-list outside extended permit tcp any host 110.112.133.29 eq ssh
access-list outside extended permit tcp any host 110.112.133.29 eq www
access-list outside extended permit udp any host 110.112.133.29 eq 1194
access-list outside extended permit tcp any host 110.112.133.6 eq www
access-list outside extended permit tcp any host 110.112.133.7 eq www
access-list outside extended permit tcp any host 110.112.133.8 eq www
access-list outside extended permit tcp any host 110.112.133.10 eq www
access-list outside extended permit tcp any host 110.112.133.11 eq www
access-list outside extended permit tcp any host 110.112.133.12 eq www
access-list outside extended permit tcp any host 110.112.133.27 eq www
access-list outside extended permit tcp any host 110.112.133.28 eq www
access-list outside extended permit tcp any host 110.112.133.25 eq www
access-list outside extended permit tcp any host 110.112.133.25 eq 3389
access-list outside extended permit tcp any host 110.112.133.18 eq 3306
access-list outside extended permit tcp any host 110.112.133.13 eq ftp
access-list outside extended permit tcp any host 110.112.133.13 eq 8000
access-list outside extended permit tcp any host 110.112.133.26 eq ssh
access-list outside extended permit tcp any host 110.112.133.5 eq www
access-list outside extended permit tcp any host 110.112.133.26 eq ftp
access-list outside extended permit tcp any host 110.112.133.14 eq 8080
access-list outside extended permit tcp any host 110.112.133.19 eq www
access-list outside extended permit tcp any host 110.112.133.17 eq www
access-list outside extended permit tcp any host 110.112.133.16 eq www
access-list outside extended permit tcp any host 110.112.133.4 eq www
access-list outside extended permit tcp any host 110.112.133.4 eq ftp
access-list outside extended permit tcp any host 110.112.133.4 eq ssh
access-list outside extended deny udp any host 110.112.133.7
access-list outside extended permit tcp any host 110.112.133.62 eq www
access-list outside extended permit tcp any host 110.112.133.62 eq ssh
access-list outside extended permit tcp any host 110.112.133.24 eq 5900
access-list outside extended permit tcp any host 110.112.133.35 eq www
access-list outside extended permit tcp any host 110.112.133.35 eq 3389
access-list outside extended permit tcp any host 110.112.133.38 eq www
access-list outside extended deny udp any host 110.112.133.38
access-list outside extended permit tcp any host 110.112.133.44 eq www
access-list outside extended permit tcp any host 110.112.133.44 eq 5900
access-list outside extended permit tcp any host 110.112.133.8 eq https
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.27 eq ssh
access-list outside extended permit tcp any any eq www
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.28 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.11 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.12 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.8 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.9 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.15 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.29 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.10 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.10 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.9 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.8 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.11 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.12 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.5 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.25 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.16 eq 3306
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.18 eq 3306
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.5 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.17 eq 1526
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.7 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.21 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.21 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.54 eq sqlnet
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.35 eq ftp
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.25 eq sqlnet
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.25 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.38 eq ssh
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.33
access-list outside extended permit tcp host 110.102.60.1 host 110.112.133.42 eq 3389
access-list outside extended permit tcp any host 110.112.133.44
access-list inside extended permit icmp any any
access-list inside extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu management 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.255.0
static (inside,outside) 110.112.133.61 172.16.0.51 netmask 255.255.255.255
static (inside,outside) 110.112.133.6 172.16.0.6 netmask 255.255.255.255
static (inside,outside) 110.112.133.7 172.16.0.7 netmask 255.255.255.255
static (inside,outside) 110.112.133.8 172.16.0.8 netmask 255.255.255.255
static (inside,outside) 110.112.133.10 172.16.0.10 netmask 255.255.255.255
static (inside,outside) 110.112.133.11 172.16.0.11 netmask 255.255.255.255
static (inside,outside) 110.112.133.12 172.16.0.12 netmask 255.255.255.255
static (inside,outside) 110.112.133.15 172.16.0.15 netmask 255.255.255.255
static (inside,outside) 110.112.133.28 172.16.0.28 netmask 255.255.255.255
static (inside,outside) 110.112.133.20 172.16.0.20 netmask 255.255.255.255
static (inside,outside) 110.112.133.23 172.16.0.23 netmask 255.255.255.255
static (inside,outside) 110.112.133.22 172.16.0.22 netmask 255.255.255.255
static (inside,outside) 110.112.133.13 172.16.0.33 netmask 255.255.255.255
static (inside,outside) 110.112.133.14 172.16.0.34 netmask 255.255.255.255
static (inside,outside) 110.112.133.24 172.16.0.41 netmask 255.255.255.255
static (inside,outside) 110.112.133.29 172.16.0.2 netmask 255.255.255.255
static (inside,outside) 110.112.133.9 172.16.0.9 netmask 255.255.255.255
static (inside,outside) 110.112.133.27 172.16.0.27 netmask 255.255.255.255
static (inside,outside) 110.112.133.26 172.16.0.26 netmask 255.255.255.255
static (inside,outside) 110.112.133.5 172.16.0.13 netmask 255.255.255.255
static (inside,outside) 110.112.133.19 172.16.0.19 netmask 255.255.255.255
static (inside,outside) 110.112.133.4 172.16.0.4 netmask 255.255.255.255
static (inside,outside) 110.112.133.16 172.16.0.56 netmask 255.255.255.255
static (inside,outside) 110.112.133.21 172.16.0.24 netmask 255.255.255.255
static (inside,outside) 110.112.133.35 172.16.0.35 netmask 255.255.255.255
static (inside,outside) 110.112.133.25 172.16.0.54 netmask 255.255.255.255
static (inside,outside) 110.112.133.38 172.16.0.38 netmask 255.255.255.255
static (inside,outside) 110.112.133.33 172.16.0.3 netmask 255.255.255.255
static (inside,outside) 110.112.133.42 172.16.0.42 netmask 255.255.255.255
static (inside,outside) 110.112.133.18 172.16.0.216 netmask 255.255.255.255
static (inside,outside) 110.112.133.44 172.16.0.44 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 110.112.133.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 management
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 172.16.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 172.16.0.210-172.16.0.220 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username root password 5UR7s8NU670UrLPQ encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3d468f00f692b6364b2485bc8a3fa65c
: end
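A defender's audit of the access-list section above, as an added example that is not part of the book's configuration: it parses the `access-list NAME extended permit|deny PROTO SRC DST [eq PORT]` form with `any` and `host` addresses, and reports entries that are shadowed or made redundant under the ASA's first-match evaluation. The sample entries are copied from the config except the last, which is constructed to show a port-less deny shadowing a later permit.

```python
# Added example (not part of the book's configuration): audit the ASA 8.2
# `access-list NAME extended permit|deny PROTO SRC DST [eq PORT]` entries
# above for shadowed and redundant ACEs. Only `any` and `host X` addresses.
import re
from collections import namedtuple
ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) "
                    r"(any|host \S+) (any|host \S+)(?: eq (\S+))?$")
Ace = namedtuple("Ace", "acl action proto src dst port")  # "any"/host; port None = all

def parse_ace(line):
    """Return an Ace for a recognised ACE line, None for any other line."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action, proto, src, dst, port = m.groups()
    return Ace(acl, action, proto, src.replace("host ", ""),
               dst.replace("host ", ""), port)

def covers(a, b):
    """True if every packet matching ACE b also matches ACE a."""
    return (a.acl == b.acl and a.proto == b.proto
            and a.src in ("any", b.src) and a.dst in ("any", b.dst)
            and a.port in (None, b.port))

def audit(lines):
    """ASA ACLs are first-match. Returns (kind, covered_line, covering_line):
    'shadowed'  - an earlier ACE with the opposite action always matches first;
    'redundant' - another same-action ACE already covers this one."""
    aces = [(n, a) for n, l in enumerate(lines, 1) if (a := parse_ace(l))]
    findings = []
    for i, a in aces:
        for j, b in aces:
            if i == j or not covers(a, b):
                continue
            if i < j:
                findings.append(("shadowed" if a.action != b.action
                                 else "redundant", j, i))
            elif a.action == b.action:
                findings.append(("redundant", j, i))
    return findings

# ACEs copied from the example config; the last line is constructed to show
# a port-less deny shadowing a later, more specific permit.
SAMPLE = """\
access-list outside extended permit tcp any host 110.112.133.21 eq www
access-list outside extended permit tcp any any eq www
access-list outside extended permit tcp any host 110.112.133.38 eq www
access-list outside extended deny udp any host 110.112.133.38
access-list outside extended permit udp any host 110.112.133.38 eq domain
""".splitlines()
```

Run over the full access-list section, every per-host `eq www` permit is reported redundant against `permit tcp any any eq www`, so that single broad entry, not the per-host ones, is the effective inbound web policy for all the static translations.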