cd-asa5520# show run
: Saved
:
ASA Version 7.2(2)
!
hostname cd-asa5520  // set the firewall's host name
domain-name default.domain.invalid  // default domain name; this is the factory placeholder, not a real domain
enable password 9jnfzug3tc5tcvh0 encrypted  // password for entering privileged EXEC mode; "encrypted" means the running config shows the stored hash, not the clear text
names
dns-guard  // DNS Guard: tear down the UDP connection as soon as the first reply to a DNS query has been seen
!
interface GigabitEthernet0/0  // internal (intranet) interface
 duplex full  // duplex mode: full, half, or auto-negotiated
 nameif inside  // name this port "inside"
 security-level 100  // security level 0-100; a higher value means a more trusted interface. Traffic from a higher-level interface to a lower-level one is allowed by default, the reverse direction needs an ACL
 ip address 192.168.1.1 255.255.255.0  // IP address of this interface
!
interface GigabitEthernet0/1  // external (Internet) interface
 nameif outside  // name this port "outside"
 security-level 0  // least trusted interface
 ip address 202.98.131.122 255.255.255.0  // public IP address
!
interface GigabitEthernet0/2  // DMZ interface for published servers
 nameif DMZ
 security-level 50  // between inside (100) and outside (0): inside hosts can reach the DMZ by default, DMZ hosts cannot initiate connections to inside
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3  // unused port, administratively down
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0  // dedicated management port, also shut down here; management is done in-band through the http and ssh lines further down
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2kfqnbnidi.2kyou encrypted  // login password for Telnet/SSH sessions (separate from the enable password)
ftp mode passive
clock timezone CST 8  // UTC+8
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Outside_permit extended permit tcp any interface outside eq 3389
// ACE: allow any source to reach TCP 3389 (RDP) on the outside interface address; "any" here means the whole Internet
access-list Outside_permit extended permit tcp any interface outside range 30000 30010
// ACE: allow any external host to reach TCP ports 30000-30010 on the outside interface address
pager lines 24
logging enable  // turn on logging
logging asdm informational  // keep informational and higher messages in the ASDM log buffer
mtu inside 1500  // maximum transmission unit of the inside interface is 1500 bytes
mtu outside 1500
mtu DMZ 1500
ip local pool vpnclient 192.168.200.1-192.168.200.200 mask 255.255.255.0
// Define an address pool named vpnclient from which remote-access VPN users get their addresses; 192.168.200.0/24 does not overlap the inside or DMZ networks, which is what you want
no failover
icmp unreachable rate-limit 1 burst-size 1  // default rate limit for ICMP unreachable messages the ASA generates itself
asdm image disk0:/asdm-522.bin  // ASDM 5.2(2) image used for the GUI
no asdm history enable
arp timeout 14400  // ARP entries expire after 14400 seconds (4 hours)
global (outside) 1 interface  // PAT pool 1 using the outside interface address. There is no matching "nat (inside) 1" statement, so inside hosts are not translated and cannot reach the Internet through this firewall
static (dmz,outside) tcp interface 30000 192.168.2.2 30000 netmask 255.255.255.255
// Static PAT (port forwarding): publish several internal services behind one public address, which is what you need when public IPs are scarce
static (dmz,outside) tcp interface 30001 192.168.2.2 30001 netmask 255.255.255.255
// Map TCP 30001 on the outside interface address to 192.168.2.2 port 30001 in the DMZ; the following entries do the same for each port of the range
static (dmz,outside) tcp interface 30002 192.168.2.2 30002 netmask 255.255.255.255
static (dmz,outside) tcp interface 30003 192.168.2.2 30003 netmask 255.255.255.255
static (dmz,outside) tcp interface 30004 192.168.2.2 30004 netmask 255.255.255.255
static (dmz,outside) tcp interface 30005 192.168.2.2 30005 netmask 255.255.255.255
static (dmz,outside) tcp interface 30006 192.168.2.2 30006 netmask 255.255.255.255
static (dmz,outside) tcp interface 30007 192.168.2.2 30007 netmask 255.255.255.255
static (dmz,outside) tcp interface 30008 192.168.2.2 3008 netmask 255.255.255.255
// Note: the real port here is 3008, not 30008, unlike every other entry. Verify whether this is intended or a typo; as written, outside port 30008 lands on a different service on the DMZ host
static (dmz,outside) tcp interface 30009 192.168.2.2 30009 netmask 255.255.255.255
static (dmz,outside) tcp interface 30010 192.168.2.2 30010 netmask 255.255.255.255
static (dmz,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255
// Forward RDP (3389) to the DMZ host. Together with the "any" source in the ACL this exposes RDP to the entire Internet; restrict the ACE to known source addresses or reach RDP only through the VPN
access-group Outside_permit in interface outside
// Apply the Outside_permit ACL inbound on the outside interface. On this software release the ACL is evaluated against the mapped (outside) address and port, which is why its entries reference "interface outside" rather than 192.168.2.2
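The ACL and the static entries above together decide what the Internet can reach in the DMZ, and reviewing them by eye is where mismatches like the 30008/3008 entry slip through. The following Python script is added here as an illustration; it is not part of the original post or of any Cisco tool. It parses the pre-8.3 `access-list`, `static` and `access-group` syntax used in this listing, pairs each static PAT entry with the ACE that permits it, and reports port mismatches, administrative services published to any source, and permitted ports that have no translation behind them. `SAMPLE_CONFIG` is constructed from the lines of the listing above (including the 3008 quirk); the `ADMIN_PORTS` table and the severity labels are the script's own choices.

```python
import re
from dataclasses import dataclass

# Pre-8.3 ASA syntax as used in the listing: ACEs that permit traffic to an
# interface address, static PAT entries, and access-group bindings.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\S+)\s+interface\s+(?P<ifc>\S+)\s+"
    r"(?:eq\s+(?P<port>\d+)|range\s+(?P<lo>\d+)\s+(?P<hi>\d+))\s*$", re.I)
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"interface\s+(?P<mapped_port>\d+)\s+(?P<real_ip>[\d.]+)\s+(?P<real_port>\d+)\s+netmask", re.I)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<ifc>\S+)", re.I)

# Services that should never be reachable from "any"; this table is the script's own choice.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP"}

# Constructed sample: the relevant lines of the listing above, reproduced verbatim
# (port 30008 really forwards to 3008 in the listing).
SAMPLE_CONFIG = "\n".join(
    ["access-list Outside_permit extended permit tcp any interface outside eq 3389",
     "access-list Outside_permit extended permit tcp any interface outside range 30000 30010"]
    + [f"static (dmz,outside) tcp interface {p} 192.168.2.2 {3008 if p == 30008 else p} netmask 255.255.255.255"
       for p in range(30000, 30011)]
    + ["static (dmz,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255",
       "access-group Outside_permit in interface outside"])


@dataclass
class Finding:
    severity: str   # "high", "warn" or "info"
    message: str


def parse(text):
    """Return (ACEs grouped by ACL name, static entries, inbound ACL bound per interface)."""
    aces, statics, bound = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            lo = int(m["port"] or m["lo"])
            hi = int(m["port"] or m["hi"])
            aces.setdefault(m["name"], []).append(
                dict(proto=m["proto"].lower(), src=m["src"].lower(), ifc=m["ifc"].lower(), lo=lo, hi=hi))
        elif m := STATIC_RE.match(line):
            statics.append(dict(real_ifc=m["real_ifc"].lower(), mapped_ifc=m["mapped_ifc"].lower(),
                                proto=m["proto"].lower(), mapped_port=int(m["mapped_port"]),
                                real_ip=m["real_ip"], real_port=int(m["real_port"])))
        elif m := GROUP_RE.match(line):
            bound[m["ifc"].lower()] = m["name"]
    return aces, statics, bound


def audit(text):
    """Cross-check every static PAT entry against the ACL bound inbound on its mapped interface."""
    aces, statics, bound = parse(text)
    findings = []
    for st in statics:
        ifc = st["mapped_ifc"]
        # Pre-8.3 behaviour: the inbound ACL on the mapped interface sees the mapped port.
        sources = [a["src"] for a in aces.get(bound.get(ifc, ""), [])
                   if a["proto"] == st["proto"] and a["ifc"] == ifc and a["lo"] <= st["mapped_port"] <= a["hi"]]
        target = f"{st['real_ip']}:{st['real_port']}/{st['proto']}"
        if not sources:
            findings.append(Finding("info", f"{ifc}:{st['mapped_port']} -> {target} has no permitting ACE, so it is unreachable"))
            continue
        if st["mapped_port"] != st["real_port"]:
            findings.append(Finding("warn", f"{ifc}:{st['mapped_port']} forwards to {target}: mapped and real ports differ, confirm this is intended"))
        if "any" in sources and st["real_port"] in ADMIN_PORTS:
            findings.append(Finding("high", f"{ADMIN_PORTS[st['real_port']]} on {target} is reachable from any source via {ifc}:{st['mapped_port']}"))
    # A permitted port with no static behind it lands on the ASA's own interface address, not on a server.
    for ifc, name in bound.items():
        for a in aces.get(name, []):
            if a["ifc"] != ifc:
                continue
            for port in range(a["lo"], a["hi"] + 1):
                if not any(s["mapped_ifc"] == ifc and s["proto"] == a["proto"] and s["mapped_port"] == port
                           for s in statics):
                    findings.append(Finding("info", f"ACE permits {a['proto']}/{port} to interface {ifc} but no static maps it"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.message}")
```

Run against the listing's own lines the script reports one warning (30008 forwards to 3008) and one high finding (RDP on 192.168.2.2 reachable from any source); the 30000-30010 range and its statics line up, so nothing else is reported. Feed it `show run` output from a device and the same three checks run over the whole rule set.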
route outside 0.0.0.0 0.0.0.0 202.98.131.126 1  // default route via the ISP gateway, administrative distance 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
// Idle timeouts for connections and authentication (hours:minutes:seconds); these are the platform defaults
------------Define a group policy named vpnclient-------------------------
group-policy vpnclient internal  // create a group policy stored locally on the ASA
group-policy vpnclient attributes  // set the attributes of the vpnclient group policy
 wins-server value 192.168.1.10  // WINS server pushed to VPN clients
 dns-server value 192.168.1.10 61.139.2.69  // DNS servers pushed to VPN clients
 vpn-idle-timeout none  // "none" disables the idle timeout (the default is 30 minutes), so idle tunnels are never torn down
 vpn-session-timeout none  // no maximum session length
 vpn-tunnel-protocol IPSec  // only IPsec tunnels are allowed for this group
 split-tunnel-policy tunnelspecified  // send only traffic for the networks in a split-tunnel-network-list through the tunnel. No split-tunnel-network-list is defined in this listing, so the policy has no network list to apply yet
 default-domain value my3377.com  // default DNS domain pushed to clients
------------Define a group policy named L2lvpn-------------------------
group-policy L2lvpn internal
group-policy L2lvpn attributes
 wins-server value 192.168.1.10
 dns-server value 192.168.1.10 61.139.2.69
 vpn-simultaneous-logins 3  // at most three concurrent sessions per user
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
username Test password P4ttsyrm33sv8typ encrypted privilege 0
// Local user for remote-access VPN login; privilege 0 gives it no CLI rights
username my3377 password 3USUCOPFUIMCO4JK encrypted
http server enable  // enable the HTTPS server used by ASDM
http 0.0.0.0 0.0.0.0 inside  // any host on the inside network may open ASDM; narrow this to the administrators' subnet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
// Default SNMP trap settings; no snmp-server host is defined, so no traps are actually sent anywhere
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
// Transform set: the encryption and integrity algorithms used by the IPsec SA. DES and MD5 are obsolete; a new deployment should use AES and SHA
crypto dynamic-map Vpn_dyn_map set transform-set esp-des-md5
// Dynamic crypto map entry for peers whose address is not known in advance (remote-access clients), using the transform set above
crypto map Outside_map ipsec-isakmp dynamic Vpn_dyn_map
// Crypto map that references the dynamic entry
crypto map Outside_map interface outside
// Bind the Outside_map crypto map to the outside interface
------------Configuring IKE--------------
crypto isakmp enable outside  // enable ISAKMP (IKEv1) on the outside interface
crypto isakmp policy  // first IKE policy; its priority number is missing from this listing. Lower numbers are evaluated first
 authentication pre-share  // peers authenticate with a pre-shared key
 encryption des  // encryption algorithm: DES (56-bit, obsolete)
 hash md5  // integrity algorithm: MD5 (weak)
 group 2  // Diffie-Hellman group 2 (1024-bit MODP)
 lifetime 86400  // IKE SA lifetime in seconds (24 hours)
crypto isakmp policy 65535  // lowest-priority policy, same parameters
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
-------------Reference the group policies from the tunnel groups-----------------
crypto isakmp nat-traversal 20  // enable NAT-T with a 20-second keepalive so clients behind NAT can connect
tunnel-group DefaultL2LGroup general-attributes  // built-in default tunnel group for LAN-to-LAN peers
 default-group-policy L2lvpn  // group policy applied to peers that land in this group
tunnel-group DefaultL2LGroup ipsec-attributes  // IPsec settings for the group
 pre-shared-key *  // pre-shared key for IKE; show run masks the key as "*"
tunnel-group vpnclient type ipsec-ra  // remote-access tunnel group
tunnel-group vpnclient general-attributes
 address-pool vpnclient  // assign client addresses from the vpnclient pool
 default-group-policy vpnclient  // apply the vpnclient group policy
-----Authentication method and shared key-------------
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *  // the group's pre-shared key; clients must present it plus a username and password from the local database
telnet timeout 5  // idle Telnet sessions are closed after 5 minutes (no telnet access line is configured, and the ASA refuses Telnet on its lowest-security interface anyway)
ssh 0.0.0.0 0.0.0.0 outside  // SSH to the firewall is allowed from any Internet address; restrict this to the administrators' source addresses
ssh timeout  // SSH idle timeout in minutes; the value is missing from this listing (the default is 5)
console timeout 0  // console sessions never time out
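The IKE policies, the transform set and the management-access lines in this listing share one pattern: DES, MD5 and DH group 2 on the tunnels, and SSH and ASDM open to any source on their interfaces. The following Python script is added here as an illustration; it is not part of the original post or of any Cisco tool. It walks an ASA running configuration, collects each `crypto isakmp policy` block with its sub-commands, the `crypto ipsec transform-set` lines and the `ssh`/`http`/`telnet` access lines, and reports the weak ones. `SAMPLE_CONFIG` is constructed from the listing above; the number 10 for the first ISAKMP policy is assumed because the listing omits it, and the classification of which algorithms count as weak is the script's own.

```python
import re

# Algorithm classes the script treats as weak; this is the script's own choice.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}          # MODP groups below 2048 bits
WEAK_TRANSFORMS = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}

ISAKMP_POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
ISAKMP_ATTR_RE = re.compile(r"^(authentication|encryption|hash|group|lifetime)\s+(\S+)$")
TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+)$")
MGMT_RE = re.compile(r"^(ssh|http|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")

# Constructed sample: the crypto and management lines of the listing above.
# Policy number 10 is assumed; the listing omits the first policy's number.
SAMPLE_CONFIG = """
http server enable
http 0.0.0.0 0.0.0.0 inside
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""


def parse(text):
    """Return (isakmp policies by number, transform sets by name, management access lines)."""
    policies, transforms, mgmt = {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip().lower()
        if m := ISAKMP_POLICY_RE.match(line):
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and (m := ISAKMP_ATTR_RE.match(line)):
            current[m.group(1)] = m.group(2)      # sub-command of the open policy
        else:
            current = None                        # any other command ends the policy sub-mode
            if m := TRANSFORM_RE.match(line):
                transforms[m.group(1)] = m.group(2).split()
            elif m := MGMT_RE.match(line):
                mgmt.append(m.groups())           # (service, address, mask, interface)
    return policies, transforms, mgmt


def audit(text):
    """Return (severity, message) pairs for weak IKE/IPsec settings and open management access."""
    policies, transforms, mgmt = parse(text)
    findings = []
    for num, attrs in sorted(policies.items()):
        enc, digest = attrs.get("encryption"), attrs.get("hash")
        dh = attrs.get("group", "2")              # the ASA defaults to group 2 when it is omitted
        if enc in WEAK_ENCRYPTION:
            findings.append(("high", f"isakmp policy {num}: encryption {enc} is obsolete, use aes-256"))
        if digest in WEAK_HASH:
            findings.append(("warn", f"isakmp policy {num}: hash {digest} is weak, use sha"))
        if dh in WEAK_DH_GROUPS:
            findings.append(("warn", f"isakmp policy {num}: DH group {dh} is below 2048 bits, use group 14 or higher where supported"))
    for name, algs in transforms.items():
        weak = [a for a in algs if a in WEAK_TRANSFORMS]
        if weak:
            findings.append(("high", f"transform-set {name}: {' '.join(weak)}; use esp-aes-256 esp-sha-hmac"))
    for svc, addr, mask, ifc in mgmt:
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            sev = "high" if ifc == "outside" else "warn"
            findings.append((sev, f"{svc} management access from any host on {ifc}; restrict to the admin subnet"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

On the listing's own lines this produces nine findings: both ISAKMP policies (DES, MD5, group 2), the esp-des/esp-md5-hmac transform set, ASDM open to every inside host, and SSH open to the whole Internet. The parser relies on the fact that the ASA prints a policy's sub-commands directly after the `crypto isakmp policy` line, so any other top-level command closes the block.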
dhcp-client update dns server both
dhcpd dns 61.139.2.69 202.98.96.68  // DNS servers handed out by the DHCP server
!
dhcpd address 192.168.1.10-192.168.1.254 inside  // DHCP scope for the inside network. Note that 192.168.1.10 is also the WINS/DNS server pushed to VPN clients; exclude it from the scope or give that server a reservation
dhcpd enable inside  // start the DHCP server on the inside interface
!
!
class-map inspection_default
 match default-inspection-traffic  // the default set of ports for the inspection engines listed below
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512  // drop DNS messages longer than 512 bytes
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global  // apply the inspection policy on all interfaces
prompt hostname context
Cryptochecksum:25e66339116f52e443124a23fef3d373
: end
This article is from the "Sky" blog, please be sure to keep this source http://haikuotiankong.blog.51cto.com/633188/1695335
CISCO ASA Configuration Notes