wiki:site:cisco:asa [2018/01/17 16:11] root vytvořeno |
wiki:site:cisco:asa [2018/01/24 21:27] (current) root |
Line 1: | Line 1: | ||
- | < | + | ====== Cisco ASA5505 ====== |
- | : Saved | + | * Lze konfigurovat aplikací ASDM nebo přes CLI |
+ | * CLI není tak intuitivní, | ||
- | : | + | WAN / LAN: |
- | : Serial Number: ***************** | + | <code bash> |
- | : Hardware: | + | interface GigabitEthernet1/ |
- | : | + | |
- | ASA Version 9.6(1) | + | |
- | ! | + | |
- | hostname firewall | + | |
- | enable password ************** encrypted | + | |
- | names | + | |
- | ip local pool VPNpool 192.168.5.1-192.168.5.50 mask 255.255.255.0 | + | |
- | + | ||
- | ! | + | |
- | interface GigabitEthernet1/ | + | |
| | ||
| | ||
| | ||
- | ip address | + | ip address |
! | ! | ||
interface GigabitEthernet1/ | interface GigabitEthernet1/ | ||
Line 24: | Line 15: | ||
| | ||
| | ||
- | ip address 192.168.1.1 255.255.255.0 | + | ip address 192.168.1.1 255.255.255.0 |
- | ! | + | </code> |
- | interface GigabitEthernet1/3 | + | |
- | shutdown | + | NAT maškaráda: |
- | no nameif | + | <code bash> |
- | no security-level | + | nat (inside, |
- | no ip address | + | </code> |
- | ! | + | |
- | interface GigabitEthernet1/ | + | NAT portforward: |
- | | + | <code bash> |
- | no nameif | + | object network |
- | no security-level | + | |
- | no ip address | + | |
- | ! | + | |
- | interface | + | |
- | shutdown | + | |
- | no nameif | + | |
- | no security-level | + | |
- | no ip address | + | |
- | ! | + | |
- | interface GigabitEthernet1/6 | + | |
- | shutdown | + | |
- | no nameif | + | |
- | no security-level | + | |
- | no ip address | + | |
- | ! | + | |
- | interface GigabitEthernet1/ | + | |
- | | + | |
- | no nameif | + | |
- | no security-level | + | |
- | no ip address | + | |
- | ! | + | |
- | interface GigabitEthernet1/ | + | |
- | | + | |
- | no nameif | + | |
- | no security-level | + | |
- | no ip address | + | |
- | ! | + | |
- | interface Management1/ | + | |
- | | + | |
- | no nameif | + | |
- | no security-level | + | |
- | no ip address | + | |
- | ! | + | |
- | ftp mode passive | + | |
- | clock timezone CET 1 | + | |
- | clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00 | + | |
- | dns domain-lookup outside | + | |
- | dns domain-lookup inside | + | |
- | dns server-group DefaultDNS | + | |
- | | + | |
- | | + | |
- | object network | + | |
- | | + | |
- | object network Server-AD | + | |
host 192.168.1.2 | host 192.168.1.2 | ||
object service SRC-HTTP | object service SRC-HTTP | ||
Line 84: | Line 31: | ||
object service SRC-HTTPS | object service SRC-HTTPS | ||
| | ||
- | object service SRC-RDP | + | |
- | service tcp source eq 3389 | + | # dst-nat |
- | object service SRC-SMTP | + | access-list OUTSIDE extended permit tcp any object |
- | | + | access-list OUTSIDE extended permit tcp any object |
- | object service SRC-SMTPS | + | |
- | | + | # src-nat (zachování portu služby) |
- | object service SRC-IMAPV4 | + | nat (inside, |
- | | + | nat (inside, |
- | object service SRC-IMAPV4S | + | |
- | | + | access-group OUTSIDE |
- | object network VPNCLA | + | </ |
- | | + | |
- | object network LAN | + | DNS client: |
- | | + | <code bash> |
- | object network WAN-IP-16 | + | dns domain-lookup outside |
- | host x.x.x.16 | + | dns domain-lookup inside |
- | object network WAN-IP-17 | + | dns server-group DefaultDNS |
- | host x.x.x.17 | + | name-server |
- | object network AnyVPN | + | |
- | | + | </ |
- | access-list OUTSIDE extended permit tcp any object | + | |
- | access-list OUTSIDE extended permit tcp any object | + | Český čas: |
- | access-list OUTSIDE extended permit tcp any object Server-AD eq 3389 | + | <code bash> |
- | access-list OUTSIDE extended permit tcp any object Server-AD eq smtp | + | clock timezone CET 1 |
- | access-list OUTSIDE extended permit tcp any object Server-AD eq 465 | + | clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00 |
- | access-list OUTSIDE | + | |
- | access-list OUTSIDE extended permit tcp any object Server-AD eq imap4 | + | ntp server x.x.x.x |
- | access-list outside_cryptomap_20 extended permit ip object LAN object VPNCLA | + | </ |
- | access-list no_nat extended permit ip object LAN object VPNCLA | + | |
- | access-list SPLIT standard permit | + | Logování: |
- | pager lines 24 | + | <code bash> |
- | logging enable | + | logging enable |
logging timestamp | logging timestamp | ||
logging buffer-size 512000 | logging buffer-size 512000 | ||
logging buffered informational | logging buffered informational | ||
logging asdm informational | logging asdm informational | ||
- | mtu outside 1500 | + | </ |
- | mtu inside 1500 | + | |
- | icmp unreachable rate-limit 1 burst-size 1 | + | Povolení ICMP: |
- | no asdm history enable | + | <code bash> |
- | arp timeout 14400 | + | policy-map global_policy |
- | no arp permit-nonconnected | + | class inspection_default |
- | nat (inside, | + | |
- | nat (inside, | + | </ |
- | nat (inside, | + | |
- | nat (inside, | + | Management: |
- | nat (inside, | + | <code bash> |
- | nat (inside, | + | enable |
- | nat (inside, | + | username admin password ********* privilege 15 |
- | nat (inside, | + | |
- | nat (inside, | + | |
- | ! | + | |
- | object network obj_any | + | |
- | nat (any, | + | |
- | ! | + | |
- | nat (inside, | + | |
- | access-group OUTSIDE in interface outside | + | |
- | route outside 0.0.0.0 0.0.0.0 213.168.183.1 1 | + | |
- | route inside 172.27.12.0 255.255.255.0 192.168.1.95 1 | + | |
- | route inside 192.168.30.0 255.255.255.0 192.168.1.95 1 | + | |
- | timeout xlate 3:00:00 | + | |
- | timeout pat-xlate 0:00:30 | + | |
- | timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02 | + | |
- | timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 | + | |
- | timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 | + | |
- | timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute | + | |
- | timeout tcp-proxy-reassembly 0:01:00 | + | |
- | timeout floating-conn 0:00:00 | + | |
- | ldap attribute-map MAP-ANYCONNECT-LOGIN | + | |
- | | + | |
- | | + | |
- | aaa-server LDAP protocol ldap | + | |
- | aaa-server LDAP (inside) host 192.168.1.2 | + | |
- | ldap-base-dn DC=DOMAIN, | + | |
- | ldap-scope subtree | + | |
- | ldap-naming-attribute sAMAccountName | + | |
- | | + | |
- | ldap-login-dn DOMAIN\ciscoasa | + | |
- | | + | |
- | | + | |
- | | + | |
- | user-identity default-domain LOCAL | + | |
aaa authentication ssh console LOCAL | aaa authentication ssh console LOCAL | ||
+ | |||
+ | http server enable | ||
http 192.168.1.0 255.255.255.0 inside | http 192.168.1.0 255.255.255.0 inside | ||
- | http 213.168.186.2 255.255.255.255 outside | + | http 213.168.x.x 255.255.255.255 outside |
- | no snmp-server location | + | |
- | no snmp-server contact | + | ssh 213.168.x.x 255.255.255.255 outside |
- | service sw-reset-button | + | ssh 192.168.1.0 255.255.255.0 inside |
- | crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac | + | ssh timeout 30 |
+ | ssh version 2 | ||
+ | ssh key-exchange group dh-group1-sha1 | ||
+ | |||
+ | no call-home reporting anonymous | ||
+ | </ | ||
+ | |||
+ | IPSec Site-to-Site VPN: | ||
+ | <code bash> | ||
+ | object network VPNCLA | ||
+ | | ||
+ | object network LAN | ||
+ | | ||
+ | |||
+ | access-list outside_cryptomap_20 extended permit ip object LAN object VPNCLA | ||
+ | |||
+ | access-list no_nat extended permit ip object LAN object VPNCLA | ||
+ | |||
+ | nat (inside, | ||
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac | crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac | ||
- | crypto ipsec security-association pmtu-aging infinite | + | |
crypto map outside_map 20 match address outside_cryptomap_20 | crypto map outside_map 20 match address outside_cryptomap_20 | ||
- | crypto map outside_map 20 set peer r.r.r.r | + | crypto map outside_map 20 set peer 213.168.x.x |
crypto map outside_map 20 set ikev1 transform-set ESP-3DES-SHA | crypto map outside_map 20 set ikev1 transform-set ESP-3DES-SHA | ||
crypto map outside_map interface outside | crypto map outside_map interface outside | ||
Line 187: | Line 122: | ||
group 2 | group 2 | ||
| | ||
- | telnet timeout 5 | ||
- | ssh stricthostkeycheck | ||
- | ssh s.s.s.s 255.255.255.255 outside | ||
- | ssh 192.168.1.0 255.255.255.0 inside | ||
- | ssh timeout 30 | ||
- | ssh version 2 | ||
- | ssh key-exchange group dh-group1-sha1 | ||
- | console timeout 0 | ||
- | dhcpd auto_config outside | + | tunnel-group |
- | ! | + | tunnel-group |
- | dhcpd address 192.168.1.5-192.168.1.254 inside | + | ikev1 pre-shared-key ***** |
- | ! | + | </ |
- | ntp server t.t.t.t | + | |
- | webvpn | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | tunnel-group-list enable | + | |
- | | + | |
- | disable | + | |
- | | + | |
- | group-policy ANYCONNECT_NO_ACCESS internal | + | |
- | group-policy ANYCONNECT_NO_ACCESS attributes | + | |
- | | + | |
- | group-policy ANYCONNECT internal | + | |
- | group-policy ANYCONNECT attributes | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | dynamic-access-policy-record DfltAccessPolicy | + | |
- | username admin password *************** encrypted privilege 15 | + | |
- | tunnel-group r.r.r.r | + | |
- | tunnel-group | + | |
- | ikev1 pre-shared-key | + | |
- | tunnel-group ANYCONNECT_VPN type remote-access | + | |
- | tunnel-group ANYCONNECT_VPN general-attributes | + | |
- | | + | |
- | | + | |
- | | + | |
- | tunnel-group ANYCONNECT_VPN webvpn-attributes | + | |
- | | + | |
- | ! | + | |
- | class-map inspection_default | + | |
- | match default-inspection-traffic | + | |
- | ! | + | |
- | ! | + | |
- | policy-map type inspect dns preset_dns_map | + | |
- | | + | |
- | message-length maximum client auto | + | |
- | message-length maximum 512 | + | |
- | policy-map global_policy | + | |
- | class inspection_default | + | |
- | inspect dns preset_dns_map | + | |
- | inspect ftp | + | |
- | inspect h323 h225 | + | |
- | inspect h323 ras | + | |
- | inspect rsh | + | |
- | inspect rtsp | + | |
- | inspect esmtp | + | |
- | inspect sqlnet | + | |
- | inspect skinny | + | |
- | inspect sunrpc | + | |
- | inspect xdmcp | + | |
- | inspect sip | + | |
- | inspect netbios | + | |
- | inspect tftp | + | |
- | inspect ip-options | + | |
- | inspect icmp | + | |
- | ! | + | |
- | service-policy global_policy global | + | |
- | prompt hostname context | + | |
- | no call-home reporting anonymous | + | |
- | Cryptochecksum: | + | |
- | : end | + | |
- | </ |
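Review bot: The management block kept on the new side pins SSH key exchange to the 768-bit group 1 (`ssh key-exchange group dh-group1-sha1`, the line after `ssh version 2`), which the documented ASA 9.6 release no longer requires; the line should read `ssh key-exchange group dh-group14-sha1`. The site-to-site VPN section carries the same legacy-algorithm problem: the context line `crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac` and the `group 2` line in what is presumably the IKEv1 policy (its header is outside the shown rows) select 3DES and 1024-bit DH, so the transform set should move to AES (`crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac`, with the `crypto map ... set ikev1 transform-set` line updated to match) and the policy to a 2048-bit group (`group 14`, or an IKEv2 proposal if this release does not accept it for IKEv1). The new revision also silently drops `ssh stricthostkeycheck`, which the old revision had next to the `ssh ... outside` lines; a one-line wiki note saying whether that was intentional would help readers copying the block. The first `<code bash>` block of the new page (the interface configuration) is truncated in the rendered diff and could not be reviewed.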