ASA 5510 Common Configuration Command Manual


ftp mode passive
dns domain-lookup outside
same-security-traffic permit intra-interface
access-list 111 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 extended permit icmp any any
access-list 111 extended permit udp any any eq domain
access-list 111 extended permit tcp any any eq www
access-list 111 extended permit tcp any any eq ftp
access-list 111 extended permit tcp any any eq ftp-data
access-list 111 extended permit tcp any any eq https
access-list 111 extended permit tcp any any eq 2967
access-list 111 extended permit udp any any eq 2967
access-list 111 extended permit udp any any eq 38293
access-list 111 extended permit udp any any eq 50
access-list 111 extended permit udp any any eq isakmp
access-list 111 extended permit udp any any eq 10000
access-list split standard permit 192.168.0.0 255.255.255.0
access-list 112 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 112 extended permit icmp 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 echo-reply
access-list 112 extended permit icmp 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu inside0 1500
ip local pool testvpn 192.168.2.5-192.168.2.253 mask 255.255.255.0
no failover
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 112 in interface outside
access-group 111 in interface inside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.2.0 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group vpn1 type ipsec-ra
tunnel-group vpn1 general-attributes
 address-pool testvpn
 default-group-policy vpn1
tunnel-group vpn1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 192.168.0.5-192.168.0.254 inside
dhcpd address 192.168.3.5-192.168.3.253 inside0
dhcpd dns 218.6.200.139 202.98.96.68
dhcpd lease 3000
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
timeout uauth 0:05:00 absolute
group-policy vpn1 internal
group-policy vpn1 attributes
 dns-server value 218.6.200.139 202.98.96.68
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nonat
 webvpn
username test password P4ttSyrm33SV8TYp encrypted
username test attributes
 vpn-group-policy vpn1
 vpn-tunnel-protocol IPSec
 webvpn
username telnet1 password PcqDoDILCSVk03rz encrypted privilege 15
username telnet1 attributes
 vpn-group-policy vpn1
 vpn-tunnel-protocol IPSec
 webvpn
username cisco1 password ffIRPGpDSOJh9YLq encrypted
username cisco1 attributes
 vpn-tunnel-protocol IPSec
 webvpn
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash md5
isakmp policy 65535 group 2
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
client-update enable
ASA5510 common configuration, plus the RA-VPN configuration
ASA5510(config)# sh run
: Saved
:
ASA Version 7.0(5)
!
hostname ASA5510
domain-name www.cdbgs.com
enable password 9jNfZuG3TC5tCVH0 encrypted
names
dns-guard
!
interface Ethernet0/0
 description link public
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.0
!
interface Ethernet0/1
 description link inside
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside0
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd ErxOrHUu6ViMiiRU encrypted
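
Added example (not part of the original document): a small Python check that flags the lines in this running-config a reviewer would question before reusing it, namely management access open to any address on the outside interface, 3DES/MD5/DH group 2 in the IKE and IPsec settings, a UDP port 50 rule where ESP is IP protocol 50, and a transform set whose name says SHA while it uses MD5. The rule ids are labels invented for this example, and the sample input consists of lines taken from the configuration on this page.

```python
import re

# Sample input: lines taken from the running-config on this page.
SAMPLE = """\
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh version 2
access-list 111 extended permit icmp any any
access-list 111 extended permit udp any any eq 50
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

# (rule id, pattern, reason). Rule ids are labels invented for this example.
RULES = [
    ("MGMT-ANY-OUTSIDE", r"^(ssh|telnet|http) 0\.0\.0\.0 0\.0\.0\.0 outside$",
     "management access allowed from any address on the outside interface"),
    ("ESP-AS-UDP-PORT", r"^access-list \S+ extended permit udp .* eq 50$",
     "ESP is IP protocol 50; a UDP port 50 rule does not match it"),
    ("ESP-WEAK", r"^crypto ipsec transform-set \S+ .*\b(esp-des|esp-3des|esp-md5-hmac)\b",
     "DES/3DES encryption or MD5 integrity in the IPsec transform set"),
    ("IKE-WEAK-ENC", r"^isakmp policy \d+ encryption (des|3des)$",
     "DES/3DES for IKE phase 1"),
    ("IKE-WEAK-HASH", r"^isakmp policy \d+ hash md5$", "MD5 for IKE phase 1"),
    ("IKE-WEAK-DH", r"^isakmp policy \d+ group [12]$",
     "Diffie-Hellman group 1 or 2 (768/1024-bit MODP)"),
]
TSET = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")

def audit(config_text):
    """Return (line_number, rule_id, line) for every questionable line."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        for rule_id, pattern, _reason in RULES:
            if re.search(pattern, line):
                findings.append((number, rule_id, line))
        # The set's name promises SHA but its transforms do not include it.
        m = TSET.match(line)
        if m and "SHA" in m.group(1).upper() and "esp-sha-hmac" not in m.group(2).split():
            findings.append((number, "TSET-NAME-MISMATCH", line))
    return findings

if __name__ == "__main__":
    reasons = {rid: why for rid, _p, why in RULES}
    for number, rule_id, line in audit(SAMPLE):
        print(f"line {number}: {rule_id}: {line}")
        print(f"    {reasons.get(rule_id, 'name says SHA, transforms say otherwise')}")
```

Passing the full text of a saved `sh run` to `audit()` applies the same checks to the whole configuration.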