
asa-5540

By Larry Bradley,2014-10-11 02:20

ASA-5540#

    ASA-5540# sh run

    : Saved

    :

    ASA Version 7.0(8)

    !

    hostname ASA-5540

    domain-name default.domain.invalid

    enable password rb4TOs4CoO.za9V8 encrypted

    passwd 2KFQnbNIdI.2KYOU encrypted
    names

    dns-guard

    !

    interface GigabitEthernet0/0

     description To JCH-2821

     nameif outside

     security-level 0

     ip address 124.207.221.242 255.255.255.0

    !

    interface GigabitEthernet0/1

     description To CORE4507

     nameif inside

     security-level 100

     ip address 10.10.1.2 255.255.255.0

    !

    interface GigabitEthernet0/2

     shutdown

     no nameif

     no security-level

     no ip address

    !

    interface GigabitEthernet0/3

     shutdown

     no nameif

     no security-level

     no ip address

    !

    interface Management0/0

     nameif guanli

     security-level 0

     ip address 192.168.1.1 255.255.255.0

     management-only

    !

    ftp mode passive

    access-list 101 extended permit icmp any host 124.207.221.243 echo-reply
    access-list 101 extended permit tcp any host 124.207.221.244 eq www
    access-list 101 extended permit tcp any host 124.207.221.244 eq 1701
    access-list 101 extended permit tcp any host 124.207.221.244 eq 8015
    access-list 101 extended permit tcp any host 124.207.221.244 eq 7890
    access-list 101 extended permit icmp any host 124.207.221.244 echo-reply
    access-list 101 extended permit ip any host 124.207.221.245
    access-list 101 extended permit ip any host 124.207.221.246
    access-list 101 extended permit icmp any host 124.207.221.247 echo-reply
    access-list 101 extended permit ip any host 124.207.221.248
    access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0

    access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.16.200.0 255.255.255.0

    access-list outside_cryptomap_20 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0

    access-list split_tunnel extended permit ip 172.16.0.0 255.255.0.0 any
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.20 any log
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.34 any log
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.33 any log
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.12 any log
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.32 any log
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.35 any log
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.36 any log
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.37 any log
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.38 any log
    access-list NO_WAN_ACCESS extended deny ip host 172.16.12.14 any
    access-list NO_WAN_ACCESS extended deny ip host 172.16.12.16 any
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.52 any log
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.23 any log
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.24 any log
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.17 any log
    access-list NO_WAN_ACCESS extended deny ip host 172.16.17.27 any log
    access-list NO_WAN_ACCESS extended permit ip any any

    pager lines 24

    logging enable

    logging buffered debugging

    logging asdm informational

    mtu outside 1500

    mtu inside 1500

    mtu guanli 1500

    ip local pool mypool 172.16.200.1-172.16.200.254 mask 255.255.255.0 no failover

    asdm image disk0:/ASDM-508.BIN

no asdm history enable

    arp timeout 14400

    global (outside) 1 124.207.221.243

    global (outside) 10 124.207.221.247

    nat (inside) 0 access-list inside_nat0_outbound

    nat (inside) 10 192.168.1.0 255.255.255.0

    nat (inside) 1 172.16.0.0 255.255.0.0

    static (inside,outside) 124.207.221.244 172.16.100.111 netmask 255.255.255.255 dns

    static (inside,outside) 124.207.221.245 172.16.20.39 netmask 255.255.255.255 dns

static (inside,outside) 124.207.221.246 192.168.1.85 netmask 255.255.255.255 dns

static (inside,outside) 124.207.221.248 172.16.100.6 netmask 255.255.255.255 dns

access-group 101 in interface outside

    access-group NO_WAN_ACCESS in interface inside

    route outside 0.0.0.0 0.0.0.0 124.207.221.241 1

    route inside 192.168.1.0 255.255.255.0 10.10.1.1 1

    route inside 172.16.0.0 255.255.0.0 10.10.1.1 1

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute

group-policy cisco internal

    group-policy cisco attributes

     split-tunnel-policy tunnelspecified

     split-tunnel-network-list value split_tunnel

     webvpn

    username ccie password 2sJRAjsaH0bfKgTp encrypted

    username cisco password ffIRPGpDSOJh9YLq encrypted privilege 0
    http server enable

    http 192.168.1.0 255.255.255.0 guanli

    no snmp-server location

    no snmp-server contact

    snmp-server enable traps snmp authentication linkup linkdown coldstart

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

    crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 121.8.142.178
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 set security-association lifetime seconds 28800

    crypto map outside_map 20 set security-association lifetime kilobytes 4608000

    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside

    isakmp identity address

    isakmp enable outside

    isakmp policy 10 authentication pre-share

    isakmp policy 10 encryption 3des

    isakmp policy 10 hash sha

    isakmp policy 10 group 2

    isakmp policy 10 lifetime 86400

    tunnel-group 121.8.142.178 type ipsec-l2l

    tunnel-group 121.8.142.178 ipsec-attributes

     pre-shared-key *

    tunnel-group cisco type ipsec-ra

    tunnel-group cisco general-attributes

     address-pool mypool

     default-group-policy cisco

    tunnel-group cisco ipsec-attributes

     pre-shared-key *

    telnet 172.16.0.0 255.255.0.0 inside

    telnet 10.10.1.0 255.255.255.0 inside

    telnet timeout 20

    ssh timeout 5

    console timeout 0

    !

    class-map inspection_default

     match default-inspection-traffic

    !

    !

    policy-map global_policy

     class inspection_default

     inspect dns maximum-length 512

     inspect ftp

     inspect h323 h225

     inspect h323 ras

     inspect rsh

     inspect rtsp

     inspect esmtp

     inspect sqlnet

     inspect skinny

     inspect sunrpc

     inspect xdmcp

     inspect sip

     inspect netbios

     inspect tftp
    !

    service-policy global_policy global

    Cryptochecksum:721594fa05bd5bd32a08fd89b1a5d644

    : end

    ASA-5540#

    ASA-5540#

    ASA-5540#

    ASA-5540#

    ASA-5540#

    ASA-5540#
