


! "# Description" (original Czech "Popis") is a wiki annotation, not ASA syntax; strip it before pasting.
! NOTE(review): this excerpt shows the outside address in clear, while the full configuration on the
! same page masks it as x.x.x.x; presumably an oversight when sanitizing the page.
interface GigabitEthernet1/1                           # Description
 description WAN
 nameif outside
 security-level 0
 ip address 213.168.183.16 255.255.255.192 
!
! Inside (LAN) side at security-level 100; the outside interface above is at 0.
interface GigabitEthernet1/2
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
: Saved

: 
: Serial Number: *****************
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
! ASA 9.6(1) base settings: hostname, privileged-mode password (redacted on this page) and the
! address pool handed to remote-access clients by tunnel-group ANYCONNECT_VPN (address-pool VPNpool).
ASA Version 9.6(1) 
!
hostname firewall
enable password ************** encrypted
names
! 50 addresses for VPN clients; the AnyVPN object (192.168.5.0/24) covers this pool in the NAT rules.
ip local pool VPNpool 192.168.5.1-192.168.5.50 mask 255.255.255.0

!
! Two data interfaces are in use: outside (security-level 0, address redacted) and inside
! (security-level 100). Every other data port is shut down with no nameif, so it cannot pass traffic.
interface GigabitEthernet1/1
 description WAN
 nameif outside
 security-level 0
 ip address x.x.x.x y.y.y.y 
!
interface GigabitEthernet1/2
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!             
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!             
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
! Dedicated management port has no nameif and no address, so it is not in use here.
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
! Global services: passive FTP client mode, CET/CEST clock, and DNS resolution from both interfaces
! using the inside AD server (192.168.1.2) first and Google public DNS (8.8.8.8) second.
ftp mode passive
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.2 
 name-server 8.8.8.8 
! obj_any is the source of the catch-all dynamic PAT rule; Server-AD is the internal host that the
! OUTSIDE ACL, the static port-forward NAT rules and the LDAP aaa-server all point at.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Server-AD
 host 192.168.1.2
! SRC-* service objects match the *source* port of the internal server; each is used twice in a
! "nat ... service SRC-X SRC-X" rule so that only that port is forwarded from WAN-IP-16 to Server-AD.
object service SRC-HTTP
 service tcp source eq www 
object service SRC-HTTPS
 service tcp source eq https 
object service SRC-RDP
 service tcp source eq 3389 
object service SRC-SMTP
 service tcp source eq smtp 
object service SRC-SMTPS
 service tcp source eq 465 
object service SRC-IMAPV4
 service tcp source eq imap4 
object service SRC-IMAPV4S
 service tcp source eq 993 
! VPNCLA is the remote site-to-site network, LAN the local network, AnyVPN the remote-access pool.
! WAN-IP-17 is defined but referenced nowhere else in this configuration.
object network VPNCLA
 subnet 192.168.20.0 255.255.255.0
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network WAN-IP-16
 host x.x.x.16
object network WAN-IP-17
 host x.x.x.17
object network AnyVPN
 subnet 192.168.5.0 255.255.255.0
! Inbound policy on the outside interface (bound by "access-group OUTSIDE in interface outside").
! Every entry permits from "any": Server-AD (192.168.1.2, the same host that acts as the LDAP/AD
! authentication server below) is reachable from the whole Internet on HTTP, HTTPS, RDP (3389),
! SMTP, SMTPS, IMAPS and IMAP. Exposing RDP and the directory server to any source is the
! highest-risk item in this configuration: restrict the source to the known peer addresses, or
! move these services behind the VPN, and review the logs of whatever must stay exposed.
access-list OUTSIDE extended permit tcp any object Server-AD eq www 
access-list OUTSIDE extended permit tcp any object Server-AD eq https 
access-list OUTSIDE extended permit tcp any object Server-AD eq 3389 
access-list OUTSIDE extended permit tcp any object Server-AD eq smtp 
access-list OUTSIDE extended permit tcp any object Server-AD eq 465 
access-list OUTSIDE extended permit tcp any object Server-AD eq 993 
access-list OUTSIDE extended permit tcp any object Server-AD eq imap4 
! outside_cryptomap_20 selects LAN<->VPNCLA traffic for the IPsec tunnel (crypto map outside_map 20).
! no_nat is defined but not referenced anywhere in this configuration; NAT exemption is done by
! the twice-NAT identity rules instead. SPLIT is the split-tunnel list of group-policy ANYCONNECT.
access-list outside_cryptomap_20 extended permit ip object LAN object VPNCLA 
access-list no_nat extended permit ip object LAN object VPNCLA 
access-list SPLIT standard permit 192.168.1.0 255.255.255.0 
pager lines 24
! Logging goes to the local 512 kB buffer and to ASDM only, at informational level. No "logging host"
! is configured, so events are lost on reload and are not retained centrally; add a syslog
! collector if the exposed services above are to be monitored.
logging enable
logging timestamp
logging buffer-size 512000
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
! Twice-NAT section. Identity (no-translation) rules keep LAN addresses intact towards the
! site-to-site network VPNCLA and the remote-access pool AnyVPN; the static SRC-* rules forward
! single ports from the public address WAN-IP-16 to Server-AD; everything else is PAT'd behind the
! outside interface address (obj_any object NAT plus the after-auto catch-all).
nat (inside,outside) source static LAN LAN destination static VPNCLA VPNCLA no-proxy-arp route-lookup
nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-HTTP SRC-HTTP
nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-HTTPS SRC-HTTPS
nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-RDP SRC-RDP
nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-SMTP SRC-SMTP
nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-SMTPS SRC-SMTPS
nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-IMAPV4 SRC-IMAPV4
nat (inside,outside) source static Server-AD WAN-IP-16 service SRC-IMAPV4S SRC-IMAPV4S
nat (inside,outside) source static LAN LAN destination static AnyVPN AnyVPN no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
! Apply the inbound ACL defined above to the outside interface.
access-group OUTSIDE in interface outside
! Default route to the ISP gateway; two further internal networks sit behind 192.168.1.95.
! NOTE(review): the gateway address here is left in clear while the interface address is masked
! as x.x.x.x; presumably an oversight when sanitizing the page.
route outside 0.0.0.0 0.0.0.0 213.168.183.1 1
route inside 172.27.12.0 255.255.255.0 192.168.1.95 1
route inside 192.168.30.0 255.255.255.0 192.168.1.95 1
! Connection/translation idle timers.
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
! AnyConnect authorization via LDAP: members of CN=vpn_users have their memberOf attribute mapped
! to group-policy ANYCONNECT. Everyone else stays on the tunnel-group default
! ANYCONNECT_NO_ACCESS (vpn-simultaneous-logins 0), i.e. deny unless explicitly in the group.
ldap attribute-map MAP-ANYCONNECT-LOGIN
  map-name  memberOf Group-Policy
  map-value memberOf CN=vpn_users,OU=skupiny,DC=DOMAIN,DC=local ANYCONNECT
! LDAP over SSL to the AD server with a dedicated bind account (DOMAIN\ciscoasa); bind password
! redacted. NOTE(review): nothing here pins or validates the server certificate; confirm how the
! ASA trusts the LDAP server's certificate before relying on ldap-over-ssl for integrity.
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.1.2
 ldap-base-dn DC=DOMAIN,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ***********
 ldap-login-dn DOMAIN\ciscoasa
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map MAP-ANYCONNECT-LOGIN
user-identity default-domain LOCAL
! SSH logins are checked against the LOCAL user database (username admin below). No equivalent
! "aaa authentication http console" statement exists in this configuration; verify which
! credentials ASDM/HTTPS management accepts.
aaa authentication ssh console LOCAL 
! ASDM/HTTPS management is reachable from the whole inside LAN and from one external host.
http 192.168.1.0 255.255.255.0 inside
http 213.168.186.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
service sw-reset-button
! Site-to-site IKEv1/IPsec tunnel to peer r.r.r.r (tunnel-group of the same name). Both the IKEv1
! policy (3DES, SHA-1, DH group 2, pre-shared key) and the transform-set in use (esp-3des
! esp-sha-hmac) rely on algorithms that are deprecated today. ESP-3DES-MD5 is defined but not
! referenced by any crypto map. Changing these requires the peer to change at the same time, so
! plan a coordinated move to IKEv2 with AES and SHA-2 rather than editing this side alone.
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer r.r.r.r
crypto map outside_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! No "telnet <addr> <mask> <if>" lines are present, so Telnet is effectively not reachable despite the timeout.
telnet timeout 5
! SSH version 2 only, allowed from one external host and the inside LAN (stricthostkeycheck concerns
! the ASA acting as an SSH/SCP client). The key exchange is still dh-group1-sha1 (1024-bit DH);
! ASA 9.x also accepts "ssh key-exchange group dh-group14-sha1", which is the better choice.
ssh stricthostkeycheck
ssh s.s.s.s 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
! A value of 0 means an idle serial-console session never expires; a non-zero timeout is safer for a device in a shared rack.
console timeout 0

! DHCP service for inside clients and NTP from t.t.t.t.
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
!
ntp server t.t.t.t
! AnyConnect SSL VPN on the outside interface with 3.1.14018 client packages for Windows, macOS and
! Linux; this is an old 3.1 client line, so check the vendor's advisories for that version.
! tunnel-group-list enable exposes the group-alias drop-down on the login page.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.14018-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-64-3.1.14018-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
! Deny-by-default policy: the ANYCONNECT_VPN tunnel-group uses this as default-group-policy, and
! 0 simultaneous logins means a user who is not mapped to ANYCONNECT by the LDAP attribute map cannot connect.
group-policy ANYCONNECT_NO_ACCESS internal
group-policy ANYCONNECT_NO_ACCESS attributes
 vpn-simultaneous-logins 0
! Policy granted to LDAP vpn_users: split tunnel to the LAN only (SPLIT list), DNS/WINS via the AD server.
! NOTE(review): ssl-clientless (browser portal) is enabled next to ssl-client; if only the AnyConnect
! client is used, remove "ssl-clientless" from vpn-tunnel-protocol to shrink the exposed web surface.
group-policy ANYCONNECT internal
group-policy ANYCONNECT attributes
 wins-server value 192.168.1.2
 dns-server value 192.168.1.2 8.8.8.8
 vpn-simultaneous-logins 25
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 default-domain value DOMAIN.local
dynamic-access-policy-record DfltAccessPolicy
! Local privilege-15 administrator used for SSH via "aaa authentication ssh console LOCAL"; password redacted.
username admin password *************** encrypted privilege 15
! Site-to-site peer authenticates with a pre-shared key (redacted).
tunnel-group r.r.r.r type ipsec-l2l
tunnel-group r.r.r.r ipsec-attributes
 ikev1 pre-shared-key ************
! Remote-access tunnel-group: addresses from VPNpool, users authenticated by the LDAP server group,
! default policy ANYCONNECT_NO_ACCESS, selectable on the portal under the alias ANYCONNECT.
tunnel-group ANYCONNECT_VPN type remote-access
tunnel-group ANYCONNECT_VPN general-attributes
 address-pool VPNpool
 authentication-server-group LDAP
 default-group-policy ANYCONNECT_NO_ACCESS
tunnel-group ANYCONNECT_VPN webvpn-attributes
 group-alias ANYCONNECT enable
!
! Application inspection applied globally through service-policy global_policy.
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
! NOTE(review): the inspection list looks like the stock default set (rsh, sqlnet, skinny, h323,
! xdmcp, ...); harmless if those protocols are absent, but it can be pruned to what is actually in use.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
! Checksum of the saved file; it will presumably not match an edited or annotated copy.
Cryptochecksum:2cf8158ddc1e00d83e2668756a68b974
: end