ciscoasa ssl*** gateway mode (ciscoasa5512-x)

User-submitted post, 311, 2022-09-21



ciscoasa# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password ajgvZKkj9OFA/xdm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!--------------- interface and address configuration ----------------------------
interface Ethernet0/0
 duplex full
 nameif outside
 security-level 0
 ip address X.104.203.13 255.255.255.0
!
interface Ethernet0/1
 duplex full
 nameif inside
 security-level 100
 ip address 172.28.192.249 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
----------------------- object-group configuration ------------------
object-group network dhcp
 network-object X.118.139.0 255.255.255.0
object-group network home
 network-object 10.0.0.0 255.0.0.0
access-list ingate extended permit ip any any
---------------- split-tunnel ACL ----------------
access-list 101 extended permit ip object-group home object-group dhcp
access-list outgate extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
------------------ address pool -----------------
ip local pool pool X.118.139.20-X.118.139.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101 ------------------ traffic exempted from NAT ---------
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outgate in interface outside
access-group ingate in interface inside
route outside 0.0.0.0 0.0.0.0 X.104.203.9 1
route inside 10.0.0.0 255.0.0.0 172.28.192.254 1
route inside 172.28.0.0 255.255.0.0 172.28.192.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
----------- RADIUS server -----------------
aaa-server ssl protocol radius
aaa-server ssl (inside) host 172.28.2.101
 key vxicisco
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
------------------- IPsec configuration ----------------------
crypto ipsec transform-set 3000policy esp-3des esp-sha-hmac
crypto ipsec transform-set 3000policy mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map 3000policy 10 set transform-set 3000policy
crypto map 3000policy 10 ipsec-isakmp dynamic 3000policy
crypto map 3000policy interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10 ----- NAT-T -----------
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.28.5.98
-------------- SSL group-policy configuration ---------------
group-policy 3000policy internal
group-policy 3000policy attributes
 dns-server value X.118.144.252
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
username admin password MAjIcpRREUJ5ncoRkeaaDw== nt-encrypted
username vxiadmin password /1ganKF8WKayiiD0 encrypted
tunnel-group DefaultRAGroup general-attributes
tunnel-group 3000 type remote-access
tunnel-group 3000 general-attributes
 address-pool pool
 authentication-server-group ssl
 authentication-server-group (inside) LOCAL ---- local authentication
 default-group-policy 3000policy
tunnel-group 3000 ipsec-attributes
 pre-shared-key cisco**
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e01e9e79cec447e93fd18bd515e7fecc
: end
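As an added example (not part of the original post), the script below parses the `crypto isakmp policy` blocks and `telnet` lines of a running-config like the one above and reports the settings a current hardening baseline flags: the DES/MD5 policy 5, 3DES in policy 65535, DH group 2 in both, and cleartext Telnet management from the inside. SAMPLE_CONFIG is a constructed excerpt re-typed from the page; the weak-value sets are the example's own.

```python
# Added example, not from the original post: audit the ISAKMP policies and telnet lines
# of an ASA 8.2 `sh run`. SAMPLE_CONFIG is a constructed excerpt re-typed from the page.
import re

SAMPLE_CONFIG = """\
crypto isakmp policy 5
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
"""

# Settings a current hardening baseline treats as weak: (attribute, values, severity).
CHECKS = (("encryption", {"des", "3des"}, "high"),
          ("hash", {"md5"}, "high"),
          ("group", {"1", "2", "5"}, "medium"))

def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")  # e.g. " hash md5"
            current[key] = value
        else:
            current = None  # any other top-level command closes the block
    return policies

def audit(config):
    """Return (severity, finding) tuples, lowest-numbered (first-tried) policy first."""
    findings = []
    for prio, attrs in sorted(parse_isakmp_policies(config).items(), key=lambda kv: int(kv[0])):
        for attr, weak, sev in CHECKS:
            if attrs.get(attr) in weak:
                findings.append((sev, f"isakmp policy {prio}: {attr} {attrs[attr]} is weak"))
    # Cleartext management: every 'telnet <net> <mask> <ifname>' line is a finding.
    for m in re.finditer(r"^telnet (\S+) (\S+) (\S+)$", config, re.M):
        findings.append(("high", f"telnet permitted from {m.group(1)} {m.group(2)} on {m.group(3)}"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` returns six findings for the excerpt; a policy such as `encryption aes-256`, `hash sha`, `group 14` produces none.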


