CA防火墙ASA配置-白红宇

CA防火墙ASA配置

阅读量：6120 次

发布时间：2019-06-21

本文共 4881 字，大约阅读时间需要 16 分钟。

ASA Version 7.2(4)

hostname wlgs-outside

domain-name wlgs-outside.com

enable password tsjKg7JHkl3qMaXK encrypted

passwd tsjKg7JHkl3qMaXK encrypted

names

dns-guard

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 111.111.107.193 255.255.255.192

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.15.254 255.255.255.0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

dns server-group DefaultDNS

domain-name wlgs-outside.com

access-list 109 extended permit ip host 10.65.160.102 any

access-list 109 extended permit ip 192.168.30.0 255.255.255.0 any

access-list 109 extended deny ip any any

access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.30.0 255.255.255.0

access-list ***split standard permit 192.168.15.0 255.255.255.0

access-list split-ssl extended permit ip 192.168.15.0 255.255.255.0 any

access-list 108 extended permit icmp any any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool ***-pool 192.168.30.1-192.168.30.100 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/ASDM-524.BIN

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list no-nat

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 108 in interface outside

access-group split-ssl in interface inside

route outside 0.0.0.0 0.0.0.0 219.235.107.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

snmp-server host outside 219.235.107.193 community public

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

crypto ipsec transform-set ***set esp-3des esp-sha-hmac

crypto dynamic-map dymap 10 set transform-set ***set

crypto dynamic-map dymap 10 set reverse-route

crypto map ***map 10 ipsec-isakmp dynamic dymap

crypto map ***map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

ssl encryption des-sha1 rc4-md5

web***

enable outside

svc image disk0:/sslclient-win-1.1.0.154.pkg 1

svc enable

tunnel-group-list enable

group-policy myssl***-group-policy internal

group-policy myssl***-group-policy attributes

***-tunnel-protocol web***

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ***split

web***

svc enable

group-policy wlgs internal

group-policy wlgs attributes

***-idle-timeout 1800

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ***split

username test password P4ttSyrm33SV8TYp encrypted

username test attributes

***-group-policy myssl***-group-policy

username web*** password yLRmYA5FRKBhsE1j encrypted

username web*** attributes

***-group-policy myssl***-group-policy

username fenghuimin password jKr/TV8ffJpqYtHY encrypted

username datapart password cmuSZjj2pzwasn8i encrypted

username sunruichao password oqiShihZQ55e1wHo encrypted

username sunrc password ukmQRDeqEfWQZGTu encrypted

tunnel-group wlgs type ipsec-ra

tunnel-group wlgs general-attributes

address-pool ***-pool

authentication-server-group (outside) LOCAL

default-group-policy wlgs

tunnel-group wlgs ipsec-attributes

pre-shared-key *

tunnel-group myssl***-group type web***

tunnel-group myssl***-group general-attributes

address-pool ***-pool

tunnel-group myssl***-group web***-attributes

group-alias wlgs enable

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:66e9cd91eb0e03a762e085a8591d0dd7

: end

转载于:https://blog.51cto.com/sunrc/2283297

你可能感兴趣的文章

Mindjet MindManager 2019使用教程：

NGUI Label Color Code

查看>>

.NET Core微服务之基于Polly+AspectCore实现熔断与降级机制

python实现牛顿法求解求解最小值（包括拟牛顿法）【最优化课程笔记】

查看>>

js中var、let、const的区别

查看>>

腾讯云加入LoRa联盟成为发起成员，加速推动物联网到智联网的进化

查看>>

从Python2到Python3：超百万行代码迁移实践

查看>>

Windows Server已可安装Docker，Azure开始支持Mesosphere

微软正式发布PowerShell Core 6.0

查看>>

Amazon发布新的会话管理器

查看>>