ASA Version 8.2(1)
!
hostname WXFW01
domain-name wsn.cn
enable password wx0HKf8M.UwVlNWQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 58.214.236.146 255.255.255.240
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 10.13.250.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.13.1.251 255.255.255.0
!
interface GigabitEthernet0/3
nameif outsideCNC
security-level 0
ip address 221.6.*.* 255.255.255.240
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CST 8
dns domain-lookup outside
dns domain-lookup dmz
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.13.2.81
domain-name wsn.cn
same-security-traffic permit intra-interface
access-list internet extended permit ip any any
access-list out_to_in extended permit tcp any any eq smtp
access-list out_to_in extended permit tcp any any eq pop3
access-list out_to_in extended permit tcp any any eq www
access-list out_to_in extended permit tcp any any eq https
access-list out_to_in extended permit tcp any any eq 81
access-list out_to_in extended permit tcp any any eq 4001
access-list rate-limit extended permit tcp any host 58.214.*.* eq www
access-list rate-limit extended permit tcp any host 58.214.*.* eq 81
access-list rate-limit extended permit tcp any host 58.214.*.* eq 4001
access-list Split_Tunnel_List standard permit 10.13.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.13.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.13.246.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.10.1.0 255.255.255.0
access-list 300 extended permit ip host 10.13.1.251 host 10.21.1.1
pager lines 24
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu outsideCNC 1500
ip local pool vpnclient 10.13.246.10-10.13.246.100 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outsideCNC) 1 interface
static (dmz,outside) tcp 58.214.*.* www 10.13.250.30 www netmask 255.255.255.255 dns
static (dmz,outside) tcp 58.214.*.* 81 10.13.250.30 81 netmask 255.255.255.255 dns
static (dmz,outside) tcp 58.214.*.* 4001 10.13.250.31 4001 netmask 255.255.255.255 dns
static (dmz,outside) tcp 58.214.*.* smtp 10.13.250.16 smtp netmask 255.255.255.255 dns
static (dmz,outside) tcp 58.214.*.* pop3 10.13.250.16 pop3 netmask 255.255.255.255 dns
static (dmz,outside) tcp 58.214.*.* www 10.13.250.16 www netmask 255.255.255.255 dns
static (dmz,outside) tcp 58.214.*.* https 10.13.250.16 https netmask 255.255.255.255 dns
static (dmz,outsideCNC) tcp 221.6.*.* smtp 10.13.250.16 smtp netmask 255.255.255.255 dns
static (dmz,outsideCNC) tcp 221.6.*.* pop3 10.13.250.16 pop3 netmask 255.255.255.255 dns
static (dmz,outsideCNC) tcp 221.6.*.* www 10.13.250.16 www netmask 255.255.255.255 dns
static (dmz,outsideCNC) tcp 221.6.*.* https 10.13.250.16 https netmask 255.255.255.255 dns
static (dmz,outsideCNC) tcp 221.6.*.* www 10.13.250.30 www netmask 255.255.255.255 dns
access-group out_to_in in interface outside
access-group out_to_in in interface dmz
access-group out_to_in in interface outsideCNC
!
router eigrp 720
network 10.13.1.0 255.255.255.0
network 10.13.246.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 58.214.*.* 1
route inside 10.10.1.0 255.255.255.0 10.13.1.1 1
route inside 10.13.2.0 255.255.255.0 10.13.1.1 1
route inside 10.13.3.0 255.255.255.0 10.13.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.13.2.83
key WSNasa520IBM777
http server enable
snmp-server host inside 10.13.3.39 community cisco version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set bjset01 esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dymap 10 set transform-set myset
crypto dynamic-map dymap 10 set reverse-route
crypto map mymap 5 match address 300
crypto map mymap 5 set peer 221.6.*.*
crypto map mymap 5 set transform-set bjset01
crypto map mymap 10 ipsec-isakmp dynamic dymap
crypto map mymap interface outside
crypto map mymap interface outsideCNC
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable outsideCNC
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 100000
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpnpolicy internal
group-policy vpnpolicy attributes
dns-server value 10.13.2.81
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value wsn.cn
intercept-dhcp 255.255.255.0 disable
username wsnvpn password sQ8tgzSAeBv51YQE encrypted
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool (inside) vpnclient
address-pool vpnclient
authentication-server-group vpn
authentication-server-group (outside) vpn
authentication-server-group (outsideCNC) vpn
default-group-policy vpnpolicy
tunnel-group vpn ipsec-attributes
pre-shared-key *
tunnel-group 221.6.*.* type ipsec-l2l
tunnel-group 221.6.*.* ipsec-attributes
pre-shared-key *
!
class-map rate-limit
match access-list rate-limit
class-map inspection_default
match default-inspection-traffic
class-map meeting
match flow ip destination-address
match tunnel-group vpn
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map rate-limit
class rate-limit
police input 10000000
class meeting
police output 2000000000
!
service-policy global_policy global
service-policy rate-limit interface outside
service-policy rate-limit interface outsideCNC
prompt hostname context
Cryptochecksum:998182373575a1fd798b24460d3b0a81
: end
(责任编辑:编程世界)