SLTechnology News&Howtos > Network Security (shulou), updated 2025-04-05
Shulou (Shulou.com) 06/01 Report
CD-ASA5520# show run
: Saved
:
ASA Version 7.2(2)
!
hostname CD-ASA5520                         // name the firewall
domain-name default.domain.invalid          // domain name of the device (the factory placeholder, not a real domain)
enable password 9jNfZuG3TC5tCVH0 encrypted  // password for privileged (enable) mode, stored as a hash
names                                       // enable name-to-address mappings
dns-guard                                   // only the first DNS reply to a query is forwarded
!
interface GigabitEthernet0/0                // internal (LAN) interface
 duplex full                                // duplex mode: full, half or auto
 nameif inside                              // name the interface: inside
 security-level 100                         // security level 0-100; the higher the value, the more trusted the interface (traffic is allowed from a higher to a lower level by default)
 ip address 192.168.1.1 255.255.255.0       // IP address of this interface
!
interface GigabitEthernet0/1                // external (Internet) interface
 nameif outside                             // name the interface: outside
 security-level 0                           // least trusted
 ip address 202.98.131.122 255.255.255.0    // IP address of this interface
!
interface GigabitEthernet0/2                // DMZ interface for published servers
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3                // unused, administratively down
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0                     // dedicated management port, not in use
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted           // login password for Telnet/SSH (user EXEC mode)
ftp mode passive
clock timezone CST 8                        // China Standard Time, UTC+8
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_permit extended permit tcp any interface outside eq 3389
// access control list: allow any source to reach tcp/3389 (RDP) on the outside interface address
access-list outside_permit extended permit tcp any interface outside range 30000 30010
// allow any source to reach tcp/30000-30010 on the outside interface address
// On this software version the ACL matches the mapped (public) address and port of the statics below. Permitting RDP from "any" exposes the DMZ host's RDP service to the whole Internet; restrict the source to known addresses where possible.
pager lines 24
logging enable                              // enable logging
logging asdm informational                  // send informational-level messages to the ASDM log buffer
mtu inside 1500                             // maximum transmission unit of the inside interface is 1500 bytes
mtu outside 1500
mtu dmz 1500
ip local pool *client 192.168.200.1-192.168.200.200 mask 255.255.255.0
// address pool named *client; addresses are assigned from it to remote-access VPN users
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin              // ASDM image served by the HTTPS management interface
no asdm history enable
arp timeout 14400                           // ARP entries idle out after 14400 seconds (4 hours)
global (outside) 1 interface
// PAT pool for NAT ID 1 using the outside interface address. There is no matching "nat (inside) 1 ..." statement, so inside hosts are never translated and cannot reach the Internet through this firewall.
static (dmz,outside) tcp interface 30000 192.168.2.2 30000 netmask 255.255.255.255
// static port forwarding: publish many internal services on a single public IP by mapping individual ports of the outside interface address to DMZ hosts
static (dmz,outside) tcp interface 30001 192.168.2.2 30001 netmask 255.255.255.255
static (dmz,outside) tcp interface 30002 192.168.2.2 30002 netmask 255.255.255.255
// map tcp/30002 of the outside interface address to 192.168.2.2 port 30002; the same pattern repeats for 30000-30010
static (dmz,outside) tcp interface 30003 192.168.2.2 30003 netmask 255.255.255.255
static (dmz,outside) tcp interface 30004 192.168.2.2 30004 netmask 255.255.255.255
static (dmz,outside) tcp interface 30005 192.168.2.2 30005 netmask 255.255.255.255
static (dmz,outside) tcp interface 30006 192.168.2.2 30006 netmask 255.255.255.255
static (dmz,outside) tcp interface 30007 192.168.2.2 30007 netmask 255.255.255.255
static (dmz,outside) tcp interface 30008 192.168.2.2 3008 netmask 255.255.255.255
// note the real port 3008: it breaks the pattern of the other entries and is almost certainly a typo for 30008; check such mismatches with "show xlate" or a test connection
static (dmz,outside) tcp interface 30009 192.168.2.2 30009 netmask 255.255.255.255
static (dmz,outside) tcp interface 30010 192.168.2.2 30010 netmask 255.255.255.255
static (dmz,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255   // RDP to the DMZ host
access-group outside_permit in interface outside
// apply the outside_permit access list to traffic entering the outside interface
route outside 0.0.0.0 0.0.0.0 202.98.131.126 1   // default route via the ISP gateway, metric 1
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
// define a group policy named *client (remote-access users)
group-policy *client internal               // create an internal (locally stored) group policy
group-policy *client attributes             // set the parameters of the *client group policy
 wins-server value 192.168.1.10             // WINS server pushed to clients
 dns-server value 192.168.1.10 61.139.2.69  // DNS servers pushed to clients
 vpn-idle-timeout none                      // no idle timeout: an idle tunnel is never torn down
 vpn-session-timeout none                   // no maximum session length
 vpn-tunnel-protocol IPSec                  // only IPsec tunnels are allowed under this policy
 split-tunnel-policy tunnelspecified        // tunnel only the networks listed in a split-tunnel ACL; no split-tunnel-network-list appears in this config, so that list still has to be defined for split tunneling to work
 default-domain value cisco.com             // default domain name pushed to clients
// define a group policy named l2lpolicies* (site-to-site peers)
group-policy l2lpolicies* internal
group-policy l2lpolicies* attributes
 wins-server value 192.168.1.10
 dns-server value 192.168.1.10 61.139.2.69
 vpn-simultaneous-logins 3                  // at most 3 concurrent logins per user
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
username test password P4ttSyrm33SV8TYp encrypted privilege 0
// local user for remote access; privilege 0 grants no device-management rights
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable                          // enable the HTTPS server used by ASDM
http 0.0.0.0 0.0.0.0 inside                 // allow ASDM/HTTPS connections from any host on the inside network
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
// default SNMP trap settings
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
// transform set: the encryption and integrity algorithms used by the IPsec tunnel. Single DES (56-bit key) and MD5 are obsolete; where the platform supports it, use AES and SHA instead (for example esp-aes-256 esp-sha-hmac).
crypto dynamic-map *_dyn_map 10 set transform-set ESP-DES-MD5
// dynamic crypto map entry (for peers whose address is not known in advance) using that transform set
crypto map outside_map 10 ipsec-isakmp dynamic *_dyn_map
// crypto map that references the dynamic entry
crypto map outside_map interface outside
// apply outside_map to the outside interface
// configure IKE
crypto isakmp enable outside                // enable ISAKMP on the outside interface
crypto isakmp policy 20                     // ISAKMP policy priority: the lower the number, the higher the priority
 authentication pre-share                   // authenticate the peer with a pre-shared key
 encryption des                             // encryption algorithm (DES; weak, prefer AES)
 hash md5                                   // hash algorithm (MD5; weak, prefer SHA)
 group 2                                    // Diffie-Hellman group 2 (1024-bit)
 lifetime 86400                             // IKE security association lifetime in seconds (24 hours)
crypto isakmp policy 65535                  // lowest-priority policy with the same parameters
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
// bind the group policies to tunnel groups
crypto isakmp nat-traversal 20              // enable NAT traversal with a 20-second keepalive
tunnel-group DefaultL2LGroup general-attributes   // general attributes of the default site-to-site tunnel group
 default-group-policy l2lpolicies*                 // group policy applied to this tunnel group by default
tunnel-group DefaultL2LGroup ipsec-attributes     // IPsec attributes of the tunnel group
 pre-shared-key *                                 // pre-shared key for IKE (masked in the output)
tunnel-group *client type ipsec-ra                // remote-access tunnel group
tunnel-group *client general-attributes           // general attributes of the remote-access tunnel group
 address-pool *client                             // address pool handed to connecting clients
 default-group-policy *client                     // group policy applied by default
// authentication method and shared key
tunnel-group *client ipsec-attributes             // IPsec attributes of the tunnel group
 pre-shared-key *                                 // pre-shared key for IKE (masked in the output)
telnet timeout 5                            // idle Telnet sessions are closed after 5 minutes
ssh 0.0.0.0 0.0.0.0 outside                 // allow SSH to the firewall from any Internet address; management should be restricted to the administrators' source addresses
ssh timeout 60                              // idle SSH sessions are closed after 60 minutes
console timeout 0                           // the console session never times out
dhcp-client update dns server both
dhcpd dns 61.139.2.69 202.98.96.68          // DNS servers handed out by DHCP
!
dhcpd address 192.168.1.10-192.168.1.254 inside   // DHCP pool for the inside network; note that it includes 192.168.1.10, the WINS/DNS server address pushed to VPN clients, which should be excluded from the pool
dhcpd enable inside                         // enable the DHCP server on the inside interface
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global         // apply the default inspection policy on all interfaces
prompt hostname context
Cryptochecksum:25e66339116f52e443124a23fef3d373
: end
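The annotated config above has four things a reviewer checks by hand: that every static port forward has a matching permit in the outside ACL (and that the public and real ports agree), that a global pool has a nat statement of the same ID, that the IPsec and ISAKMP settings do not rely on single DES and MD5, and that SSH/HTTP management is not open to 0.0.0.0 0.0.0.0. The script below automates those checks for pre-8.3 ASA syntax. It is an added example and not the page's own material; the function names are mine, and the config excerpt inside it is constructed in the style of the page (it deliberately contains a 30001 -> 3001 port mismatch, a static on 30002 with no permit and a permit on 8080 with no static, so that each check produces a finding).

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the style of the page's ASA 7.2 config (not the page's own).
# It deliberately contains: a static whose real port differs from its public port
# (30001 -> 3001), a static with no ACL permit (30002) and a permit with no static (8080).
SAMPLE_CONFIG = """\
access-list outside_permit extended permit tcp any interface outside eq 3389
access-list outside_permit extended permit tcp any interface outside range 30000 30001
access-list outside_permit extended permit tcp any interface outside eq 8080
global (outside) 1 interface
static (dmz,outside) tcp interface 30000 192.168.2.2 30000 netmask 255.255.255.255
static (dmz,outside) tcp interface 30001 192.168.2.2 3001 netmask 255.255.255.255
static (dmz,outside) tcp interface 30002 192.168.2.2 30002 netmask 255.255.255.255
static (dmz,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255
access-group outside_permit in interface outside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto isakmp policy 20
 encryption des
 hash md5
ssh 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
"""

# Ports where a permit from "any" deserves an explicit finding.
SENSITIVE_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP"}

# static (real_if,mapped_if) tcp interface <public_port> <real_ip> <real_port> netmask ...
STATIC_RE = re.compile(r"^static \(\w+,\w+\) tcp interface (\d+) (\d+\.\d+\.\d+\.\d+) (\d+) netmask")


def acl_permits(cfg: str, acl: str) -> Dict[int, str]:
    """Map each TCP port the ACL permits toward the interface address to its source
    specification. Pre-8.3 ACLs match the mapped (public) address and port."""
    permits: Dict[int, str] = {}
    for line in cfg.splitlines():
        t = line.split()
        if t[:5] != ["access-list", acl, "extended", "permit", "tcp"] or "interface" not in t[5:]:
            continue
        i = t.index("interface", 5)
        src = " ".join(t[5:i])          # 'any', 'host a.b.c.d' or 'network mask'
        rest = t[i + 2:]                # skip 'interface <nameif>'
        if rest[:1] == ["eq"]:
            ports = range(int(rest[1]), int(rest[1]) + 1)
        elif rest[:1] == ["range"]:
            ports = range(int(rest[1]), int(rest[2]) + 1)
        else:
            continue
        for p in ports:
            permits[p] = src
    return permits


def static_mappings(cfg: str) -> List[Tuple[int, str, int]]:
    """Return (public_port, real_ip, real_port) for every interface-PAT static."""
    out = []
    for line in cfg.splitlines():
        m = STATIC_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return out


def check_port_forwards(cfg: str, acl: str = "outside_permit") -> List[str]:
    """Cross-check the statics against the ACL applied on the outside interface."""
    findings = []
    permits = acl_permits(cfg, acl)
    statics = static_mappings(cfg)
    for pub, ip, real in statics:
        if pub != real:
            findings.append(f"static {pub} -> {ip}:{real}: public and real port differ, check for a typo")
        if pub not in permits:
            findings.append(f"static {pub} -> {ip}:{real}: no permit in {acl}, so the mapping is unreachable")
        elif permits[pub] == "any" and pub in SENSITIVE_PORTS:
            findings.append(f"tcp/{pub} ({SENSITIVE_PORTS[pub]}) on {ip} is open to any source; restrict the ACL source")
    forwarded = {pub for pub, _, _ in statics}
    for p in sorted(set(permits) - forwarded):
        findings.append(f"{acl} permits tcp/{p} but no static maps it; the permit is dead")
    return findings


def check_nat(cfg: str) -> List[str]:
    """A global pool with no nat statement of the same ID translates nothing."""
    global_ids = set(re.findall(r"^global \(\w+\) (\d+)", cfg, re.M))
    nat_ids = set(re.findall(r"^nat \(\w+\) (\d+)", cfg, re.M))
    return [f"global id {i} has no matching nat statement; inside hosts are not translated"
            for i in sorted(global_ids - nat_ids)]


def check_crypto(cfg: str) -> List[str]:
    """Flag single DES and MD5 in IPsec transform sets and ISAKMP policies."""
    findings, policy = [], None
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            weak = sorted(set(t[4:]) & {"esp-des", "esp-md5-hmac"})
            if weak:
                findings.append(f"transform-set {t[3]} uses {', '.join(weak)}; prefer esp-aes-256 esp-sha-hmac")
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            policy = t[3]                # subsequent indented lines belong to this policy
        elif policy and len(t) == 2 and t[0] in ("encryption", "hash") and t[1] in ("des", "md5"):
            findings.append(f"isakmp policy {policy}: {t[0]} {t[1]} is weak; prefer aes-256 / sha")
    return findings


def check_management(cfg: str) -> List[str]:
    """ssh/http/telnet access to the firewall permitted from 0.0.0.0 0.0.0.0."""
    return [f"{t[0]} management is open to any address on {t[3]}; restrict to admin hosts"
            for t in (line.split() for line in cfg.splitlines())
            if len(t) == 4 and t[0] in ("ssh", "http", "telnet") and t[1:3] == ["0.0.0.0", "0.0.0.0"]]


def audit(cfg: str) -> List[str]:
    return check_port_forwards(cfg) + check_nat(cfg) + check_crypto(cfg) + check_management(cfg)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against the output of `show run` saved to a file by replacing `SAMPLE_CONFIG` with the file contents; the checks only look at the pre-8.3 `static`/`global`/`nat` and interface-based ACL syntax used on this page and would need adapting for the object-based NAT of ASA 8.3 and later.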