Cisco ASA5520 configuration description

2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

CD-ASA5520# show run
: Saved
:
ASA Version 7.2(2)
!
hostname CD-ASA5520                        // name the firewall
domain-name default.domain.invalid         // domain name of the firewall
enable password 9jNfZuG3TC5tCVH0 encrypted // password for privileged (enable) mode, stored as a hash
names
dns-guard
!
interface GigabitEthernet0/0               // inside (private network) interface
 duplex full                               // duplex mode: full, half or auto
 nameif inside                             // logical name of this interface: inside
 security-level 100                        // security level 0-100; the higher the value, the more trusted the interface. Traffic from a higher to a lower level is allowed by default; the reverse direction needs an access-list
 ip address 192.168.1.1 255.255.255.0      // IP address of this interface
!
interface GigabitEthernet0/1               // outside (Internet) interface
 nameif outside                            // logical name: outside
 security-level 0                          // least trusted interface
 ip address 202.98.131.122 255.255.255.0   // public IP address
!
interface GigabitEthernet0/2               // DMZ interface for published servers
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/3               // unused, administratively down
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0                    // dedicated management interface, not used here
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted          // login password for Telnet/SSH sessions
ftp mode passive
clock timezone CST 8                       // China Standard Time, UTC+8
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_permit extended permit tcp any interface outside eq 3389
                                           // allow any source to reach TCP 3389 (RDP) on the outside interface address
access-list outside_permit extended permit tcp any interface outside range 30000 30010
                                           // allow any source to reach TCP 30000-30010 on the outside interface address.
                                           // Caveat: "any" exposes RDP to the whole Internet; limit the source to known addresses where possible
pager lines 24
logging enable                             // turn on logging
logging asdm informational                 // informational-level messages go to the ASDM log buffer
mtu inside 1500                            // maximum transmission unit on the inside interface is 1500 bytes
mtu outside 1500
mtu dmz 1500
ip local pool * * client 192.168.200.1-192.168.200.200 mask 255.255.255.0
                                           // address pool handed to remote-access users (the "* *" token is a name redacted in the source)
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin             // ASDM image file
no asdm history enable
arp timeout 14400                          // ARP entries expire after 14400 seconds
global (outside) 1 interface               // PAT pool on the outside interface address. No matching "nat (inside) 1" statement exists, so inside hosts are not translated and cannot reach the Internet
static (dmz,outside) tcp interface 30000 192.168.2.2 30000 netmask 255.255.255.255
                                           // static PAT: each entry maps one TCP port on the outside interface address to the same port on DMZ host 192.168.2.2.
                                           // Port forwarding lets many internal services be published behind a single public IP
static (dmz,outside) tcp interface 30001 192.168.2.2 30001 netmask 255.255.255.255
static (dmz,outside) tcp interface 30002 192.168.2.2 30002 netmask 255.255.255.255
static (dmz,outside) tcp interface 30003 192.168.2.2 30003 netmask 255.255.255.255
static (dmz,outside) tcp interface 30004 192.168.2.2 30004 netmask 255.255.255.255
static (dmz,outside) tcp interface 30005 192.168.2.2 30005 netmask 255.255.255.255
static (dmz,outside) tcp interface 30006 192.168.2.2 30006 netmask 255.255.255.255
static (dmz,outside) tcp interface 30007 192.168.2.2 30007 netmask 255.255.255.255
static (dmz,outside) tcp interface 30008 192.168.2.2 30008 netmask 255.255.255.255
static (dmz,outside) tcp interface 30009 192.168.2.2 30009 netmask 255.255.255.255
static (dmz,outside) tcp interface 30010 192.168.2.2 30010 netmask 255.255.255.255
static (dmz,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255
                                           // publishes RDP on the DMZ host
access-group outside_permit in interface outside
                                           // apply outside_permit to traffic entering the outside interface
route outside 0.0.0.0 0.0.0.0 202.98.131.126 1   // default route via the ISP gateway
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
- define a group policy named * client -
group-policy * client internal             // create an internal (locally stored) group policy
group-policy * client attributes           // set its attributes
 wins-server value 192.168.1.10            // WINS server pushed to clients
 dns-server value 192.168.1.10 61.139.2.69 // DNS servers pushed to clients
 * *-idle-timeout none                     // the tunnel is never closed for inactivity
 * *-session-timeout none                  // no maximum session length
 * *-tunnel-protocol IPSec                 // only IPsec tunnels may use this policy
 split-tunnel-policy tunnelspecified       // only traffic to the networks listed in a split-tunnel-network-list goes through the tunnel; no such list appears in this running config
 default-domain value cisco.com            // default DNS domain pushed to clients
- define a group policy named l2lpolicies * -
group-policy l2lcards * internal
group-policy l2lcards * attributes
 wins-server value 192.168.1.10
 dns-server value 192.168.1.10 61.139.2.69
 * *-simultaneous-logins 3                 // at most 3 concurrent sessions per user
 * *-idle-timeout none
 * *-session-timeout none
 * *-tunnel-protocol IPSec
username test password P4ttSyrm33SV8TYp encrypted privilege 0
                                           // local user for remote access; privilege 0 is the lowest CLI level
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable                         // enable the HTTPS server used by ASDM
http 0.0.0.0 0.0.0.0 inside                // allow ASDM (HTTPS) connections from any host on the inside interface
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
                                           // default SNMP trap settings
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
                                           // transform set: the encryption and integrity algorithms for the IPsec (phase 2) tunnel. DES and MD5 are obsolete; AES and SHA are available on this version
crypto dynamic-map * * _ dyn_map 10 set transform-set ESP-DES-MD5
                                           // dynamic crypto map entry (peer address not known in advance) using that transform set
crypto map outside_map 10 ipsec-isakmp dynamic * * _ dyn_map
                                           // crypto map that references the dynamic map entry
crypto map outside_map interface outside   // bind outside_map to the outside interface
- configure IKE -
crypto isakmp enable outside               // enable ISAKMP on the outside interface
crypto isakmp policy 20                    // IKE policy priority: the lower the number, the earlier the policy is tried
 authentication pre-share                  // authenticate peers with a pre-shared key
 encryption des                            // phase 1 encryption algorithm
 hash md5                                  // phase 1 hash algorithm
 group 2                                   // Diffie-Hellman group 2 (1024-bit)
 lifetime 86400                            // IKE security association lifetime in seconds
crypto isakmp policy 65535                 // lowest-priority policy, tried last; identical to policy 20 here
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
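To see what the policy numbers and the lifetime value mean during negotiation, here is an added example (not from the page and not Cisco code) that models how an ASA responder walks its crypto isakmp policy entries: lowest number first, a proposal matches when encryption, hash, authentication and DH group are identical and the initiator's lifetime is not longer than the responder's, and the shorter lifetime is then used. The two policies in ASA_POLICIES are the ones above; the IkePolicy class, the negotiate and shadowed_policies functions, the hardened policy set and the client proposal list are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    """One `crypto isakmp policy` entry on the responder, or one initiator proposal."""
    encryption: str
    hash: str
    authentication: str
    group: int      # Diffie-Hellman group
    lifetime: int   # IKE SA lifetime in seconds


# The two policies from the page's config, keyed by priority number.
ASA_POLICIES = {
    20: IkePolicy("des", "md5", "pre-share", 2, 86400),
    65535: IkePolicy("des", "md5", "pre-share", 2, 86400),
}

# Assumed hardened policy set for comparison (AES-256, SHA-1 and DH group 5
# are all available in ASA 7.2).
HARDENED_POLICIES = {
    10: IkePolicy("aes-256", "sha", "pre-share", 5, 86400),
}


def negotiate(responder, proposals):
    """Return (priority, agreed_lifetime) for the first responder policy that
    accepts one of the initiator's proposals, or None when nothing matches.
    Policies are walked from the lowest number (highest priority) upward. A
    proposal matches when encryption, hash, authentication and DH group are
    identical and the initiator's lifetime is not longer than the responder's;
    the shorter (initiator's) lifetime is then used."""
    for prio in sorted(responder):
        pol = responder[prio]
        for prop in proposals:
            same_suite = (prop.encryption, prop.hash, prop.authentication, prop.group) == \
                         (pol.encryption, pol.hash, pol.authentication, pol.group)
            if same_suite and prop.lifetime <= pol.lifetime:
                return prio, prop.lifetime
    return None


def shadowed_policies(responder):
    """Priorities whose parameters duplicate a lower-numbered policy and can
    therefore never be the one selected (policy 65535 above is such a case)."""
    seen, shadowed = {}, []
    for prio in sorted(responder):
        pol = responder[prio]
        if pol in seen:
            shadowed.append(prio)
        else:
            seen[pol] = prio
    return shadowed


# A constructed client that offers a stronger suite first and the page's suite last.
CLIENT_PROPOSALS = [
    IkePolicy("aes-256", "sha", "pre-share", 5, 86400),
    IkePolicy("3des", "sha", "pre-share", 2, 86400),
    IkePolicy("des", "md5", "pre-share", 2, 86400),
]

if __name__ == "__main__":
    print("page policies     ->", negotiate(ASA_POLICIES, CLIENT_PROPOSALS))
    print("hardened policies ->", negotiate(HARDENED_POLICIES, CLIENT_PROPOSALS))
    print("shadowed:", shadowed_policies(ASA_POLICIES))
```

The model covers the responder side only; it shows that against the page's policies even a client offering AES first ends up on DES/MD5, because the responder's policy order decides, and that policy 65535 can never win over policy 20 since the two are identical.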

- bind tunnel groups to group policies -
crypto isakmp nat-traversal 20             // enable NAT traversal with a 20-second keepalive
tunnel-group DefaultL2LGroup general-attributes   // general settings of the default LAN-to-LAN tunnel group
 default-group-policy l2lpolicies assigned *      // group policy applied to peers that land in this tunnel group
tunnel-group DefaultL2LGroup ipsec-attributes     // IPsec settings of the tunnel group
 pre-shared-key *                          // pre-shared key for IKE (masked in the output)
tunnel-group * client type ipsec-ra        // remote-access IPsec tunnel group
tunnel-group * client general-attributes   // general settings of the remote-access tunnel group
 address-pool * client                     // address pool assigned to connecting clients
 default-group-policy * client             // group policy applied to them
- authentication method and shared key -
tunnel-group * client ipsec-attributes     // IPsec settings of the remote-access tunnel group
 pre-shared-key *                          // group pre-shared key for IKE (masked in the output)
telnet timeout 5                           // idle Telnet sessions close after 5 minutes
ssh 0.0.0.0 0.0.0.0 outside                // allow SSH to the firewall from any Internet address.
                                           // Caveat: management access should be limited to known source addresses
ssh timeout 60                             // idle SSH sessions close after 60 minutes
console timeout 0                          // console sessions never time out
dhcp-client update dns server both
dhcpd dns 61.139.2.69 202.98.96.68         // DNS servers handed out by DHCP
!
dhcpd address 192.168.1.10-192.168.1.254 inside   // DHCP pool for the inside network (note it starts at .10, the WINS/DNS server address used above)
dhcpd enable inside                        // start the DHCP server on the inside interface
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:25e66339116f52e443124a23fef3d373
: end
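The access-list, static PAT, management-access and crypto lines are the parts of this configuration an auditor reads first. The following is an added example, not code from the page or from Cisco: a Python script that parses show run text and flags management ports opened to any source, SSH management reachable from the whole Internet, ports permitted by the outside ACL with no static behind them (and the reverse), and obsolete IKE and IPsec algorithms. It runs over a shortened excerpt constructed from this configuration and over a hardened counterpart. The host 198.51.100.7, the 198.51.100.0/24 admin network, the port list and the function names are assumptions of the example.

```python
import re
from collections import defaultdict

# Shortened excerpt constructed from the page's running-config: redacted names
# are omitted and the 30000-30010 range is cut to 30000-30001 for brevity.
PAGE_CONFIG = """\
access-list outside_permit extended permit tcp any interface outside eq 3389
access-list outside_permit extended permit tcp any interface outside range 30000 30001
static (dmz,outside) tcp interface 30000 192.168.2.2 30000 netmask 255.255.255.255
static (dmz,outside) tcp interface 30001 192.168.2.2 30001 netmask 255.255.255.255
static (dmz,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255
access-group outside_permit in interface outside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
ssh 0.0.0.0 0.0.0.0 outside
"""

# Hardened counterpart. Assumed values: 198.51.100.7 is the one host that needs
# RDP and 198.51.100.0/24 is the admin network; AES, SHA and DH group 5 exist on 7.2.
HARDENED_CONFIG = """\
access-list outside_permit extended permit tcp host 198.51.100.7 interface outside eq 3389
static (dmz,outside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255
access-group outside_permit in interface outside
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
ssh 198.51.100.0 255.255.255.0 outside
"""

MGMT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}  # never to be opened to "any"
WEAK = {"des", "3des", "md5", "1", "2", "esp-des", "esp-3des", "esp-md5-hmac"}
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp (.+?) interface (\S+) (?:eq (\d+)|range (\d+) (\d+))$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) tcp interface (\d+) \S+ \d+")
MGMT_RE = re.compile(r"^(ssh|http|telnet) (\S+) (\S+) (\S+)$")
ISAKMP_RE = re.compile(r"^crypto isakmp policy (\d+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")


def parse(config):
    """Collect ACLs, bindings, static PAT ports, management lines, ISAKMP policies and transform sets."""
    acls, statics = defaultdict(list), defaultdict(set)
    bound, mgmt, isakmp, tsets = {}, [], {}, {}
    policy = None  # priority of the isakmp policy whose indented lines follow
    for raw in config.splitlines():
        if raw.startswith(" ") and policy is not None:
            key, _, val = raw.strip().partition(" ")
            isakmp[policy][key] = val
            continue
        policy, line = None, raw.strip()
        if m := ACL_RE.match(line):
            lo, hi = int(m[4] or m[5]), int(m[4] or m[6])
            acls[m[1]].append((m[2], m[3], lo, hi))  # (source, dest iface, low, high)
        elif m := GROUP_RE.match(line):
            bound[m[2]] = m[1]                        # iface -> ACL applied inbound
        elif m := STATIC_RE.match(line):
            statics[m[1]].add(int(m[2]))              # outside iface -> mapped ports
        elif m := MGMT_RE.match(line):
            mgmt.append(m.groups())                   # (service, addr, mask, iface)
        elif m := ISAKMP_RE.match(line):
            isakmp[(policy := int(m[1]))] = {}
        elif m := TS_RE.match(line):
            tsets[m[1]] = m[2].split()
    return acls, bound, statics, mgmt, isakmp, tsets


def audit(config):
    """Return the list of findings; an empty list means every check passed."""
    acls, bound, statics, mgmt, isakmp, tsets = parse(config)
    findings = []
    for iface, acl in bound.items():
        permitted = set()
        for src, dst_iface, lo, hi in acls[acl]:
            if dst_iface != iface:
                continue
            ports = set(range(lo, hi + 1))
            permitted |= ports
            if src == "any":
                for port in sorted(ports & set(MGMT_PORTS)):
                    findings.append(f"{acl}: {MGMT_PORTS[port]} tcp/{port} on {iface} open to any source")
        # a permitted port with no static behind it (or the reverse) is a stale rule
        for port in sorted(permitted - statics[iface]):
            findings.append(f"{iface}: tcp/{port} permitted by {acl} but no static maps it")
        for port in sorted(statics[iface] - permitted):
            findings.append(f"{iface}: static for tcp/{port} is not permitted by {acl}")
    for svc, addr, mask, iface in mgmt:
        if iface == "outside" and addr == mask == "0.0.0.0":
            findings.append(f"{svc} management reachable from any address on {iface}")
    for prio, params in sorted(isakmp.items()):
        for key in ("encryption", "hash", "group"):
            if params.get(key) in WEAK:
                findings.append(f"isakmp policy {prio}: obsolete {key} {params[key]}")
    for name, algs in tsets.items():
        findings += [f"transform-set {name}: obsolete {alg}" for alg in algs if alg in WEAK]
    return findings
```

Run audit(PAGE_CONFIG) to list the findings for the excerpt (RDP open to any source, SSH management open to the Internet, DES/MD5/group 2 in IKE, DES/MD5 in the transform set); audit(HARDENED_CONFIG) returns no findings. The ACL-versus-static comparison is what catches a forwarding rule that was removed without its ACL entry, or an ACL entry added for a port nothing is mapped to.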
