[Repost] CISCO ASA5520 (repost)

2014-10-23 17:13:03 | Category: Networking

This article is reposted from lx_jasmine, "CISCO ASA5520 (repost)".
CISCO ASA5520

ASA 5520 configuration example

(The ASA-series firewall OS is version 7.0; the PIX-series firewall OS is version 6.0.)

Firewall(config)#hostname ASA                 Set the hostname
domain-name heraeus.com                       Set the domain name (local domain)
enable password                               Set the enable password
names

ASA (config)#interface GigabitEthernet0/0

ASA (config-if)#no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.150              Enter the subinterface
vlan 150
nameif inside_data                            Set the interface name
security-level 50                             Set the interface security level (priority)
ip address 172.26.24.6 255.255.255.252
!
interface GigabitEthernet0/0.151
vlan 151
nameif inside_voice
security-level 50
ip address 10.48.8.1 255.255.255.0

interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.161
vlan 161
nameif web
security-level 50
ip address 172.26.30.1 255.255.255.0
!
interface GigabitEthernet0/1.163
vlan 163
nameif secure
security-level 50
ip address 172.26.31.1 255.255.255.0
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface for Future
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.154
vlan 154
nameif sprint
security-level 50
ip address 172.26.24.9 255.255.255.252
!
interface Management0/0
nameif outside
security-level 50
ip address 222.66.83.18 255.255.255.240
!
boot system disk0:/asa704-k8.bin
ftp mode passive
clock timezone cet 8
dns domain-lookup inside_data
dns name-server 172.26.16.17
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type icmp_echo_request
icmp-object echo
object-group icmp-type icmp_echo_reply
icmp-object echo-reply
object-group icmp-type ICMP_echo
group-object icmp_echo_request
group-object icmp_echo_reply
object-group service udp_tftp udp
port-object eq tftp
object-group service udp_citrix udp
port-object eq 1604
object-group service udp_radius udp
port-object eq 1812
object-group service udp_radius_acct udp
port-object eq 1813
object-group service udp_rsa_5500 udp
port-object eq 5500
object-group service tcp_http tcp
port-object eq www
object-group service tcp_http_8080 tcp
port-object eq 8080
object-group service tcp_https tcp
port-object eq https
object-group service tcp_ftp tcp
port-object eq ftp
object-group service tcp_ntp tcp
port-object eq 123
object-group service udp_ntp udp
port-object eq ntp
object-group service tcp_smtp tcp
port-object eq smtp
object-group service tcp_ssh tcp
port-object eq ssh
object-group service tcp_squid_3128 tcp
port-object eq 3128
object-group service tcp_squid_2370 tcp
port-object eq 2370
object-group service tcp_sapdps_47xx tcp
port-object range 4700 4799
object-group service tcp_sapgw_33xx tcp
port-object range 3300 3399
object-group service tcp_sapdp_32xx tcp
port-object range 3200 3299
object-group service tcp_sapgws_48xx tcp
port-object range 4800 4899
object-group service tcp_sapms_36xx tcp
port-object range 3600 3699
object-group service tcp_jetdirect_9100 tcp
port-object eq 9100
object-group service tcp_printer tcp
port-object eq lpd
object-group service tcp_tacacs_plus tcp
port-object eq tacacs
object-group service TCP_squid_web tcp
group-object tcp_http
group-object tcp_https
group-object tcp_http_8080
object-group service TCP_squid_ftp tcp
group-object tcp_ftp
object-group service TCP_squid_all tcp
group-object TCP_squid_web
group-object TCP_squid_ftp
object-group service TCP_squid_port tcp
group-object tcp_squid_3128
group-object tcp_squid_2370
object-group service TCP_sap tcp
group-object tcp_sapdps_47xx
group-object tcp_sapgw_33xx
group-object tcp_sapdp_32xx
group-object tcp_sapgws_48xx
group-object tcp_sapms_36xx
object-group service TCP_printing tcp
group-object tcp_jetdirect_9100
group-object tcp_printer
object-group network n_VLAN108_16
network-object 172.26.16.0 255.255.255.0
object-group network n_VLAN105_22
network-object 172.26.22.0 255.255.255.0
object-group network n_VLAN106_25
network-object 172.26.25.0 255.255.255.0
object-group network n_VLAN163_31
network-object 172.26.31.0 255.255.255.0
object-group service TCP_dameware tcp
group-object tcp_dameware_6129
group-object tcp_dameware_6130
object-group network N_RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group service TCP_client_auth tcp
group-object tcp_http
group-object tcp_https
group-object tcp_telnet

object-group network h_china_ntpserver
network-object host 202.108.158.139

object-group network h_auth42
network-object host 172.26.31.42

object-group network H_auth
group-object h_auth42

object-group network H_ntp_servers
group-object h_china_ntpserver

access-list TRIGGER extended permit tcp any object-group H_auth object-group TCP_client_auth

access-list NONAT remark # this is a nat rule, only permits are allowed
access-list NONAT remark # no nat inside our networks
access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918

access-list POLICY remark # counterpart of trigger rule
access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth

access-list POLICY remark # # ntp
access-list POLICY extended permit tcp any object-group H_ntp_servers object-group tcp_ntp
access-list POLICY extended permit udp any object-group H_ntp_servers object-group udp_ntp

access-list HIDING remark # this is a nat rule, only permits are allowed
access-list HIDING extended permit ip object-group N_RFC1918 any

access-list IPS extended permit ip any any

tcp-map mss
exceed-mss allow
!

pager lines 22
logging enable
logging console critical
logging monitor errors
logging buffered critical
logging trap errors
logging facility 16
logging host secure 172.26.31.142
logging permit-hostdown
mtu inside_data 1500
mtu web 1500
mtu secure 1500
mtu sprint 1500
mtu outside 1500
ip verify reverse-path interface inside_data
ip verify reverse-path interface web
ip verify reverse-path interface secure
ip verify reverse-path interface sprint
ip verify reverse-path interface outside
asdm image disk0:/asdm502.bin
no asdm history enable
arp outside {hiding IP} {MAC of outside interface}
arp timeout 14400
global (outside) 1 {hiding ip} netmask 255.255.255.0
nat (inside_data) 0 access-list NONAT
nat (inside_voice) 0 access-list NONAT
nat (sprint) 0 access-list NONAT
nat (secure) 0 access-list NONAT
nat (inside_data) 1 access-list HIDING
route inside_data 172.26.25.0 255.255.255.0 172.26.24.5 1
route inside_data 172.26.22.0 255.255.255.0 172.26.24.5 1
route inside_data 172.26.16.0 255.255.255.0 172.26.24.5 1
route sprint 172.16.0.0 255.240.0.0 172.26.24.10 1
route sprint 10.0.0.0 255.0.0.0 172.26.24.10 1
route sprint 192.168.0.0 255.255.0.0 172.26.24.10 1

access-group POLICY in interface inside_data per-user-override
access-group POLICY in interface inside_voice
access-group POLICY in interface web
access-group POLICY in interface secure per-user-override
access-group POLICY in interface sprint per-user-override
access-group POLICY in interface outside

timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:10
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute uauth 0:15:00 inactivity

virtual telnet 172.26.24.xx

auth-prompt prompt Please enter your username and password
auth-prompt accept Authentication succeeded.
auth-prompt reject Authentication failed. Try again.
telnet timeout 5
ssh scopy enable
ssh 172.22.161.0 255.255.255.0 sprint
ssh 172.26.16.0 255.255.255.0 inside_data
ssh 172.26.31.0 255.255.255.0 secure
ssh timeout 60
ssh version 2
console timeout 0
management-access inside_data
management-access sprint

class-map my-ips-class
match access-list IPS
class-map VoIP
match dscp cs3 ef
class-map inspection_default
match default-inspection-traffic
class-map mss-map
match access-list MSS-exceptions

policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect rtsp
inspect skinny
inspect tftp
inspect sip
inspect icmp
inspect ctiqbe
inspect dns
inspect http
class mss-map
set connection advanced-options mss
class my-ips-class
ips promiscuous fail-open
policy-map qos
class VoIP
priority
policy-map my-ips-policy
class my-ips-class
ips promiscuous fail-open

service-policy global_policy global
ntp server 202.108.158.139
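The first example above leaves several names unresolved: TCP_dameware nests tcp_dameware_6129 and tcp_dameware_6130, TCP_client_auth nests tcp_telnet, and class-map mss-map matches access-list MSS-exceptions, none of which is defined anywhere in that example. The linter below is an added example (not code from the page or from Cisco) that parses a constructed excerpt modelled on that config, reports such dangling object-group and access-list references, and flattens nested groups so the holes are visible.

```python
"""Minimal Cisco ASA configuration linter (added example, not from the page):
parses object-group and access-list definitions and reports references that
are never defined, the kind of defect present in the first ASA5520 example."""
import re

# Constructed excerpt modelled on the first config on this page; the
# dangling references are kept on purpose so the linter has something to find.
SAMPLE_CONFIG = """\
object-group service tcp_http tcp
port-object eq www
object-group service tcp_https tcp
port-object eq https
object-group service TCP_dameware tcp
group-object tcp_dameware_6129
group-object tcp_dameware_6130
object-group service TCP_client_auth tcp
group-object tcp_http
group-object tcp_https
group-object tcp_telnet
object-group network N_RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group network h_auth42
network-object host 172.26.31.42
object-group network H_auth
group-object h_auth42
access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918
access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth
access-list IPS extended permit ip any any
nat (inside_data) 0 access-list NONAT
access-group POLICY in interface inside_data per-user-override
class-map my-ips-class
match access-list IPS
class-map mss-map
match access-list MSS-exceptions
"""

GROUP_HDR = re.compile(r"^object-group\s+(?:network|service|icmp-type|protocol)\s+(\S+)")
MEMBER = ("port-object", "network-object", "icmp-object", "protocol-object")
ACL_REF = re.compile(r"(?:match access-list|access-group|\d+ access-list)\s+(\S+)")


def parse(text):
    """Return (groups, acls, refs).
    groups: name -> {"members": [...], "nested": [...]}
    acls:   set of access-list names that have at least one line
    refs:   list of (kind, name, line_no) for every reference found."""
    groups, acls, refs = {}, set(), []
    current = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = GROUP_HDR.match(line)
        if m:
            current = m.group(1)
            groups.setdefault(current, {"members": [], "nested": []})
            continue
        if current and line.startswith("group-object "):
            name = line.split()[1]
            groups[current]["nested"].append(name)
            refs.append(("object-group", name, no))
            continue
        if current and line.startswith(MEMBER):
            groups[current]["members"].append(line.split(None, 1)[1])
            continue
        current = None  # any other statement ends the object-group block
        if line.startswith("access-list "):
            acls.add(line.split()[1])
            for name in re.findall(r"object-group\s+(\S+)", line):
                refs.append(("object-group", name, no))
        else:
            m = ACL_REF.search(line)
            if m:
                refs.append(("access-list", m.group(1), no))
    return groups, acls, refs


def dangling_references(text):
    """Sorted list of (kind, name) pairs referenced but never defined."""
    groups, acls, refs = parse(text)
    missing = set()
    for kind, name, _ in refs:
        defined = groups if kind == "object-group" else acls
        if name not in defined:
            missing.add((kind, name))
    return sorted(missing)


def expand(groups, name, _seen=None):
    """Flatten nested groups into leaf members; undefined or cyclic
    group names contribute nothing, so the caller can see the hole."""
    if _seen is None:
        _seen = set()
    if name in _seen or name not in groups:
        return []
    _seen.add(name)
    out = list(groups[name]["members"])
    for nested in groups[name]["nested"]:
        out.extend(expand(groups, nested, _seen))
    return out


if __name__ == "__main__":
    for kind, name in dangling_references(SAMPLE_CONFIG):
        print(f"undefined {kind}: {name}")
    print("TCP_client_auth ->", expand(parse(SAMPLE_CONFIG)[0], "TCP_client_auth"))
```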


shafw01(config)# sh run
: Saved
:
ASA Version 7.0(4)
!
hostname shafw01
domain-name heraeus.com
enable password .68HJO4Qmg83HE2S encrypted
names
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.150
vlan 150
nameif inside_data
security-level 50
ip address 172.26.24.18 255.255.255.240
!
interface GigabitEthernet0/0.151
vlan 151
nameif inside_voice
security-level 50
ip address 10.48.8.1 255.255.255.0
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.161
vlan 161
nameif web
security-level 50
ip address 172.26.30.1 255.255.255.0
!
interface GigabitEthernet0/1.163
vlan 163
nameif secure
security-level 50
ip address 172.26.31.1 255.255.255.0
!
interface GigabitEthernet0/2
description LAN/STATE Failover interface for futer!
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.154
vlan 154
nameif sprint
security-level 50
ip address 172.26.24.9 255.255.255.0
!
interface Management0/0
nameif outside
security-level 50
ip address 222.66.83.18 255.255.255.240
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/0
boot system disk0:/asa704-k8.bin
ftp mode passive
clock timezone cet 8
dns domain-lookup inside_data
dns name-server 172.26.16.17
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type icmp_echo_request
icmp-object echo
object-group icmp-type icmp_echo_reply
object-group network h_china_ntpserver
network-object host 202.108.158.139
object-group network h_auth42
network-object host 172.26.31.42
network-object host 172.26.24.19
object-group network N_RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group network n_VLAN108_16
network-object 172.26.16.0 255.255.255.0
object-group network n_VLAN105_22
network-object 172.26.22.0 255.255.255.0
object-group network n_VLAN106_25
network-object 172.26.25.0 255.255.255.0
object-group network n_VLAN163_31
network-object 172.26.31.0 255.255.255.0
object-group network n_VLAN108_18
network-object 172.26.18.0 255.255.255.0
object-group network N_RDCA_S_C
group-object n_VLAN108_18
group-object n_VLAN108_16
group-object n_VLAN105_22
object-group service tcp_http tcp
port-object eq www
object-group service tcp_https tcp
port-object eq https
object-group service tcp_telnet tcp
port-object eq telnet
object-group service TCP_client_auth tcp
group-object tcp_http
group-object tcp_https
group-object tcp_telnet
object-group service tcp_http_8080 tcp
port-object eq 8080
object-group service tcp_ftp tcp
port-object eq ftp
object-group service tcp_ntp tcp
port-object eq 123
object-group service udp_ntp udp
port-object eq ntp
object-group service tcp_smtp tcp
port-object eq smtp
object-group service tcp_ssh tcp
port-object eq ssh
object-group network H_auth
group-object h_auth42
object-group network H_ntp_servers
group-object h_china_ntpserver
object-group service TCP_webservice tcp
group-object tcp_http
group-object tcp_https
access-list HIDING extended permit ip object-group N_RFC1918 any
access-list HIDING remark # this is a nat rule, only permits are allowed
access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918
access-list POLICY remark # counterpart of trigger rule
access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth
access-list POLICY remark # # ntp
access-list POLICY extended permit tcp any object-group H_ntp_servers object-group tcp_ntp
access-list POLICY extended permit udp any object-group H_ntp_servers object-group udp_ntp
access-list POLICY remark # RDCA-webbrowsing rule
access-list POLICY extended permit tcp object-group N_RDCA_S_C any object-group TCP_webservice log
access-list POLICY remark # All Internal Network is allowed
access-list POLICY remark # All Internal Network Traffic is allowed
access-list POLICY extended permit ip object-group N_RFC1918 object-group N_RFC1918 log
access-list POLICY extended deny ip any any log
access-list IPS extended permit ip any any
pager lines 24
logging enable
logging buffer-size 10000
logging console critical
logging monitor errors
logging buffered errors
logging trap errors
logging facility 16
logging host secure 172.26.31.142
logging permit-hostdown
mtu inside_data 1500
mtu inside_voice 1500
mtu web 1500
mtu secure 1500
mtu sprint 1500
mtu outside 1500
ip verify reverse-path interface inside_data
ip verify reverse-path interface web
ip verify reverse-path interface secure
ip verify reverse-path interface sprint
ip verify reverse-path interface outside
no failover
asdm image disk0:/asdm504.bin
no asdm history enable
arp outside 222.66.83.19 0013.c482.3ffc
arp timeout 14400
global (outside) 1 222.66.83.19 netmask 255.255.255.255
nat (inside_data) 0 access-list NONAT
nat (inside_data) 1 access-list HIDING
nat (inside_voice) 0 access-list NONAT
nat (secure) 0 access-list NONAT
nat (sprint) 0 access-list NONAT
access-group POLICY in interface inside_data
access-group POLICY in interface web
access-group POLICY in interface sprint
access-group POLICY in interface outside
route inside_data 172.26.23.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.10.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.25.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.22.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.16.0 255.255.255.0 172.26.24.17 1
route inside_data 172.26.18.0 255.255.255.0 172.26.24.17 1
route sprint 172.16.0.0 255.240.0.0 172.26.24.10 1
route sprint 10.0.0.0 255.0.0.0 172.26.24.10 1
route sprint 192.168.0.0 255.255.0.0 172.26.24.10 1
route outside 0.0.0.0 0.0.0.0 222.66.83.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username wafersys password N3432S3svONQ.rWm encrypted
username rdcafwadmin password iqtp6BSrFydQnyAe encrypted
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 172.26.24.19
auth-prompt prompt Please enter your username and password
auth-prompt accept Authentication succeeded.
auth-prompt reject Authentication failed. Try again.
telnet timeout 5
ssh scopy enable
ssh 172.22.161.0 255.255.255.0 inside_data
ssh 172.22.163.0 255.255.255.0 inside_data
ssh 172.26.18.0 255.255.255.0 inside_data
ssh timeout 60
ssh version 2
console timeout 0
management-access inside_data
!
class-map my-ips-class
match access-list IPS
class-map Voip
match dscp cs3 ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class my-ips-class
ips promiscuous fail-open
policy-map qos
class Voip
priority
policy-map my-ips-policy
class my-ips-class
ips promiscuous fail-open
!
service-policy global_policy global
ntp server 202.108.158.139
Cryptochecksum:c46fbf0ead94c0a5c60d415f8b5ce82b
: end
shafw01(config)# sh ver

Cisco Adaptive Security Appliance Software Version 7.0(4)
Device Manager Version 5.0(4)

Compiled on Thu 13-Oct-05 21:43 by builders
System image file is "disk0:/asa704-k8.bin"
Config file at boot was "startup-config"

shafw01 up 47 mins 3 secs

Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080: @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0013.c482.3ff8, irq 9
1: Ext: GigabitEthernet0/1 : address is 0013.c482.3ff9, irq 9
2: Ext: GigabitEthernet0/2 : address is 0013.c482.3ffa, irq 9
3: Ext: GigabitEthernet0/3 : address is 0013.c482.3ffb, irq 9
4: Ext: Management0/0 : address is 0013.c482.3ffc, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 300

This platform has a Base license.

Serial Number: JMX0949K06H
Running Activation Key: 0x7626e778 0xf831bcc6 0x445328fc 0x84003414 0x0e1bcb8a
Configuration register is 0x1
Configuration last modified by enable_15 at 16:29:59.641 cet Thu Feb 16 2006
shafw01(config)# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset up up
GigabitEthernet0/0.150 172.26.24.18 YES CONFIG up up
GigabitEthernet0/0.151 10.48.8.1 YES CONFIG up up
GigabitEthernet0/1 unassigned YES unset up up
GigabitEthernet0/1.161 172.26.30.1 YES CONFIG up up
GigabitEthernet0/1.163 172.26.31.1 YES CONFIG up up
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset up up
GigabitEthernet0/3.154 172.26.24.9 YES CONFIG up up
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset up up
Management0/0 222.66.83.18 YES CONFIG up up


ASA5520 dual-ISP access configuration

The following functions are implemented:
1. Some China Netcom (CNC) destinations use the CNC link; everything else uses the China Telecom link, giving load sharing (China Telecom is primary)
2. If either link goes down, the other continues to carry traffic
3. VPN Client is enabled on both the China Telecom and CNC interfaces, so clients on either carrier can dial in
jxwsj(config)# show run
: Saved
:
ASA Version 7.0(5)
!
hostname jxwsj
domain-name cisco.com
enable password fCoWG.vztqKmZjts encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description tocnc
nameif outside
security-level 0
ip address 网通IP 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.1.5.2 255.255.255.0
!
interface GigabitEthernet0/2
description to cnt
nameif ct
security-level 0
ip address 电信IP 255.255.255.248
!
interface GigabitEthernet0/3
nameif gov
security-level 40
ip address 21.36.255.14 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd nRRwDj.AHmVtB9jY encrypted
ftp mode passive
access-list 110 extended permit ip any any
access-list 150 extended permit tcp any any eq www
access-list 150 extended permit tcp any any eq 8080
access-list 150 extended permit tcp any any eq lotusnotes
access-list 150 extended permit icmp any any
access-list 150 extended deny ip any any
access-list inside_in extended permit ip any any
access-list 102 extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 102 extended permit ip 192.168.3.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 102 extended permit ip 192.168.4.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 102 extended permit ip 192.1.5.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list tempdeny extended deny ip host 192.168.3.11 any
access-list tempdeny extended deny ip host 192.168.3.12 any
access-list tempdeny extended deny ip host 192.168.3.13 any
access-list tempdeny extended deny ip host 192.168.3.14 any
access-list tempdeny extended permit ip any any
access-list 111 extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu gov 1500
mtu management 1500
mtu ct 1500
ip local pool vpdn 192.168.200.1-192.168.200.100
no failover
asdm image disk0:/asdm505.bin
no asdm history enable
arp inside 192.168.3.14 0016.1727.a178
arp inside 192.168.3.13 000a.480b.2295
arp inside 192.168.3.12 0030.1b31.a88b
arp inside 192.168.3.11 000a.480e.24a4
arp timeout 14400
global (outside) 1 interface
global (gov) 1 interface
global (ct) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 110 in interface outside
access-group tempdeny in interface inside
access-group 150 in interface gov
access-group 111 in interface ct
route outside 0.0.0.0 0.0.0.0 网通网关 254
route outside 222.160.0.0 255.224.0.0 网通网关 1
route outside 222.162.0.0 255.255.0.0 网通网关 1
route outside 222.160.0.0 255.254.0.0 网通网关 1
route outside 222.136.0.0 255.248.0.0 网通网关 1
route outside 222.132.0.0 255.252.0.0 网通网关 1
route outside 222.128.0.0 255.252.0.0 网通网关 1
route outside 221.216.0.0 255.248.0.0 网通网关 1
route outside 221.213.0.0 255.255.0.0 网通网关 1
route outside 221.212.0.0 255.255.0.0 网通网关 1
route outside 221.208.0.0 255.252.0.0 网通网关 1
route outside 221.207.0.0 255.255.192.0 网通网关 1
route outside 221.204.0.0 255.254.0.0 网通网关 1
route outside 221.200.0.0 255.252.0.0 网通网关 1
route outside 221.199.192.0 255.255.240.0 网通网关 1
route outside 221.199.128.0 255.255.192.0 网通网关 1
route outside 221.199.32.0 255.255.240.0 网通网关 1
route outside 221.199.0.0 255.255.224.0 网通网关 1
route outside 221.198.0.0 255.255.0.0 网通网关 1
route outside 221.196.0.0 255.254.0.0 网通网关 1
route outside 221.192.0.0 255.252.0.0 网通网关 1
route outside 221.14.0.0 255.254.0.0 网通网关 1
route outside 221.13.128.0 255.255.128.0 网通网关 1
route outside 221.13.64.0 255.255.224.0 网通网关 1
route outside 221.13.0.0 255.255.192.0 网通网关 1
route outside 125.210.0.0 255.255.0.0 网通网关 1
route outside 58.100.0.0 255.255.0.0 网通网关 1
route outside 219.82.0.0 255.255.0.0 网通网关 1
route outside 218.108.0.0 255.255.0.0 网通网关 1
route outside 221.12.128.0 255.255.192.0 网通网关 1
route outside 221.12.0.0 255.255.128.0 网通网关 1
route outside 221.11.128.0 255.255.224.0 网通网关 1
route outside 221.11.0.0 255.255.128.0 网通网关 1
route outside 221.10.0.0 255.255.0.0 网通网关 1
route outside 221.8.0.0 255.254.0.0 网通网关 1
route outside 221.7.128.0 255.255.128.0 网通网关 1
route outside 221.7.64.0 255.255.224.0 网通网关 1
route outside 221.7.0.0 255.255.192.0 网通网关 1
route outside 221.6.0.0 255.255.0.0 网通网关 1
route outside 221.4.0.0 255.254.0.0 网通网关 1
route outside 221.3.128.0 255.255.128.0 网通网关 1
route outside 221.0.0.0 255.252.0.0 网通网关 1
route outside 218.68.0.0 255.254.0.0 网通网关 1
route outside 218.67.128.0 255.255.128.0 网通网关 1
route outside 218.60.0.0 255.254.0.0 网通网关 1
route outside 218.56.0.0 255.252.0.0 网通网关 1
route outside 218.28.0.0 255.254.0.0 网通网关 1
route outside 218.26.0.0 255.254.0.0 网通网关 1
route outside 218.24.0.0 255.254.0.0 网通网关 1
route outside 218.12.0.0 255.255.0.0 网通网关 1
route outside 218.11.0.0 255.255.0.0 网通网关 1
route outside 218.10.0.0 255.255.0.0 网通网关 1
route outside 218.8.0.0 255.254.0.0 网通网关 1
route outside 218.7.0.0 255.255.0.0 网通网关 1
route outside 202.111.160.0 255.255.224.0 网通网关 1
route outside 202.111.128.0 255.255.224.0 网通网关 1
route outside 202.110.192.0 255.255.192.0 网通网关 1
route outside 202.110.64.0 255.255.192.0 网通网关 1
route outside 202.110.0.0 255.255.192.0 网通网关 1
route outside 202.108.0.0 255.255.0.0 网通网关 1
route outside 202.107.0.0 255.255.128.0 网通网关 1
route outside 202.106.0.0 255.255.0.0 网通网关 1
route outside 202.102.224.0 255.255.224.0 网通网关 1
route outside 202.102.128.0 255.255.192.0 网通网关 1
route outside 202.99.224.0 255.255.224.0 网通网关 1
route outside 202.99.192.0 255.255.224.0 网通网关 1
route outside 202.99.128.0 255.255.192.0 网通网关 1
route outside 202.99.64.0 255.255.192.0 网通网关 1
route outside 202.99.0.0 255.255.192.0 网通网关 1
route outside 202.98.0.0 255.255.224.0 网通网关 1
route outside 202.97.192.0 255.255.192.0 网通网关 1
route outside 202.97.160.0 255.255.224.0 网通网关 1
route outside 202.97.128.0 255.255.224.0 网通网关 1
route outside 202.96.64.0 255.255.224.0 网通网关 1
route outside 202.96.0.0 255.255.192.0 网通网关 1
route outside 61.189.0.0 255.255.128.0 网通网关 1
route outside 61.182.0.0 255.255.0.0 网通网关 1
route outside 61.181.0.0 255.255.0.0 网通网关 1
route outside 61.180.128.0 255.255.128.0 网通网关 1
route outside 61.179.0.0 255.255.0.0 网通网关 1
route outside 61.176.0.0 255.255.0.0 网通网关 1
route outside 61.168.0.0 255.255.0.0 网通网关 1
route outside 61.167.0.0 255.255.0.0 网通网关 1
route outside 61.163.0.0 255.255.0.0 网通网关 1
route outside 61.162.0.0 255.255.0.0 网通网关 1
route outside 61.161.128.0 255.255.128.0 网通网关 1
route outside 61.161.0.0 255.255.192.0 网通网关 1
route outside 61.159.0.0 255.255.192.0 网通网关 1
route outside 61.158.128.0 255.255.128.0 网通网关 1
route outside 61.156.0.0 255.255.0.0 网通网关 1
route outside 61.148.0.0 255.254.0.0 网通网关 1
route outside 61.139.128.0 255.255.192.0 网通网关 1
route outside 61.138.128.0 255.255.192.0 网通网关 1
route outside 61.138.64.0 255.255.192.0 网通网关 1
route outside 61.138.0.0 255.255.192.0 网通网关 1
route outside 61.137.128.0 255.255.128.0 网通网关 1
route outside 61.136.64.0 255.255.192.0 网通网关 1
route outside 61.135.0.0 255.255.0.0 网通网关 1
route outside 61.134.96.0 255.255.224.0 网通网关 1
route outside 61.133.0.0 255.255.128.0 网通网关 1
route outside 61.55.0.0 255.255.0.0 网通网关 1
route outside 61.54.0.0 255.255.0.0 网通网关 1
route outside 61.52.0.0 255.254.0.0 网通网关 1
route outside 61.48.0.0 255.252.0.0 网通网关 1
route outside 60.220.0.0 255.252.0.0 网通网关 1
route outside 60.216.0.0 255.254.0.0 网通网关 1
route outside 60.208.0.0 255.248.0.0 网通网关 1
route outside 60.31.0.0 255.255.0.0 网通网关 1
route outside 60.24.0.0 255.248.0.0 网通网关 1
route outside 60.16.0.0 255.248.0.0 网通网关 1
route outside 60.13.128.0 255.255.128.0 网通网关 1
route outside 60.13.0.0 255.255.192.0 网通网关 1
route outside 60.12.0.0 255.255.0.0 网通网关 1
route outside 60.10.0.0 255.255.0.0 网通网关 1
route outside 60.8.0.0 255.254.0.0 网通网关 1
route outside 60.0.0.0 255.248.0.0 网通网关 1
route inside 192.168.0.0 255.255.255.0 192.1.5.1 1
route inside 192.168.3.0 255.255.255.0 192.1.5.1 1
route inside 192.168.4.0 255.255.255.0 192.1.5.1 1
route inside 192.168.1.0 255.255.255.0 192.1.5.1 1
route gov 21.0.0.0 255.0.0.0 21.36.255.1 1
route ct 0.0.0.0 0.0.0.0 电信网关 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy clientgroup internal
group-policy clientgroup attributes
vpn-idle-timeout 20
split-tunnel-policy tunnelall
webvpn
username zmkm password B1MJgn6i2mF.NKjz encrypted
username owen password G7ZPUlDLDg6W94ag encrypted
username cisco password e1OkT/res2LB3io6 encrypted
http server enable
http 192.168.0.2 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set aaades esp-3des esp-md5-hmac
crypto ipsec transform-set aaades1 esp-3des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set aaades
crypto dynamic-map dynomap1 20 set transform-set aaades1
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer interface outside
crypto map vpnpeer1 30 ipsec-isakmp dynamic dynomap1
crypto map vpnpeer1 interface ct
isakmp identity address
isakmp enable outside
isakmp enable ct
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group huhao type ipsec-ra
tunnel-group huhao general-attributes
address-pool vpdn
authorization-server-group LOCAL
default-group-policy clientgroup
tunnel-group huhao ipsec-attributes
pre-shared-key *
tunnel-group cnt type ipsec-ra
tunnel-group cnt general-attributes
address-pool vpdn
authentication-server-group none
authorization-server-group LOCAL
default-group-policy clientgroup
tunnel-group cnt ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 ct
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
Cryptochecksum:38caa994b55d5b8bf627a1e972ed56ee
: end
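
Functions 1 and 2 above rest on static routes alone: each CNC prefix gets a metric-1 route via the CNC gateway, the default route via China Telecom has metric 1, and the default via CNC has metric 254, so the CNC default only wins once the China Telecom default is gone. The resolver below is an added example (not code from the page or from Cisco) that applies longest-prefix then lowest-metric selection to a constructed subset of that route table; CNC_GW and CT_GW stand in for the 网通网关 / 电信网关 placeholders, and it assumes, as the page's failover claim does, that routes on a down interface are withdrawn.

```python
"""Static-route resolver for the dual-ISP ASA example (added example, not
from the page). Selection order: longest matching prefix, then lowest
metric. Passing the set of interfaces that are up simulates a link failure."""
import ipaddress

# Constructed subset of the example route table; gateway names are stand-ins
# for the placeholders used on the page.
ROUTES_TEXT = """\
route outside 0.0.0.0 0.0.0.0 CNC_GW 254
route outside 202.108.0.0 255.255.0.0 CNC_GW 1
route outside 61.135.0.0 255.255.0.0 CNC_GW 1
route inside 192.168.3.0 255.255.255.0 192.1.5.1 1
route gov 21.0.0.0 255.0.0.0 21.36.255.1 1
route ct 0.0.0.0 0.0.0.0 CT_GW 1
"""


def parse_routes(text):
    """Turn 'route <iface> <net> <mask> <gw> <metric>' lines into tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "route":
            continue
        _, iface, net, mask, gw, metric = parts
        routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), gw, int(metric)))
    return routes


def lookup(routes, dst, up=None):
    """Return (iface, gateway) chosen for dst, or None if nothing matches.
    `up` is the set of interfaces considered up; None means all are up."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, net, gw, metric in routes:
        if up is not None and iface not in up:
            continue  # routes on a down interface are withdrawn
        if addr not in net:
            continue
        key = (-net.prefixlen, metric)  # longer prefix first, then lower metric
        if best is None or key < best[0]:
            best = (key, iface, gw)
    return None if best is None else (best[1], best[2])


def failover_table(routes, dst):
    """For each interface in turn, show where dst goes when only that
    interface is down; lets you check function 2 per destination."""
    ifaces = sorted({r[0] for r in routes})
    return {down: lookup(routes, dst, set(ifaces) - {down}) for down in ifaces}


if __name__ == "__main__":
    table = parse_routes(ROUTES_TEXT)
    for dst in ("202.108.158.139", "8.8.8.8", "192.168.3.11"):
        print(dst, "->", lookup(table, dst), failover_table(table, dst))
```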
