
酒店专线 asa5510 配置

发表于 2014-2-27 14:21:09 | 显示全部楼层 |阅读模式
aya-FW# sh  run
! Header of the saved running-config: software version, device identity and
! the two device-level passwords.
: Saved
:
! NOTE(review): 8.2(1) is an early build of the 8.2 train, which is presumably
! long past end of support - check the vendor's security advisories and plan
! a move to a maintained release.
ASA Version 8.2(1)
!
hostname Maya-FW
domain-name cisco
! The enable and login (passwd) lines carry the same string, so one secret
! appears to guard both login and privileged access. On this software
! generation the "encrypted" form is a legacy MD5-based hash, and it has been
! published with the rest of the listing: treat both as exposed, rotate them,
! and redact such lines before sharing a configuration.
enable password .1a2rb3fWfqrSx8t encrypted
passwd .1a2rb3fWfqrSx8t encrypted
names
!
! Interface definitions. The paste dropped the usual one-space indent of the
! sub-commands; every line up to the next "!" belongs to the interface above.
!
! outside: security-level 0, the least trusted side; addressed from a private
! range and described as facing a 2811 router, so address translation
! presumably happens upstream - confirm.
interface Ethernet0/0
description to cisco2811
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
! inside: security-level 100, the most trusted side.
interface Ethernet0/1
description link_to_KY-4503
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
! NOTE(review): the interface named dmz has the same level (100) as inside.
! Together with "same-security-traffic permit inter-interface" further down,
! the two segments are not separated by security level, and no access-group
! is bound to dmz in this listing. If dmz hosts are reachable from outside
! (ACL "out" permits that), give dmz a lower level (for example 50) and an
! explicit inbound ACL.
interface Ethernet0/2
description link_to_BG-4503
nameif dmz
security-level 100
ip address 192.168.3.1 255.255.255.0
!
! mngt: level 99, just below inside/dmz, so traffic from those level-100
! interfaces toward it is allowed by default unless an ACL stops it.
interface Ethernet0/3
nameif mngt
security-level 99
ip address 192.168.5.1 255.255.255.0
!
! The dedicated management port is shut down and unconfigured; management
! access is instead taken through the data interfaces.
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
! Global defaults: passive FTP for the firewall's own transfers and the DNS
! server group's domain name.
ftp mode passive
dns server-group DefaultDNS
domain-name cisco
! Lets interfaces with equal security levels exchange traffic. Here inside and
! dmz are both level 100, so this line opens the path between them; only
! inside has an inbound ACL (119) bound to it in this listing.
same-security-traffic permit inter-interface
! Network object-groups referenced by the access-lists.
!
! denywebsites: destination hosts and /24 networks that ACL 119 blocks for
! the 172.16.11.0/24 subnet. An address-based block list only stays accurate
! while the sites keep these addresses - it needs periodic review.
object-group network denywebsites
network-object host 60.28.218.241
network-object host 61.135.196.100
network-object 123.125.58.0 255.255.255.0
network-object 123.125.59.0 255.255.255.0
network-object 123.125.57.0 255.255.255.0
network-object 123.125.56.0 255.255.255.0
network-object 220.181.23.0 255.255.255.0
network-object 123.103.66.0 255.255.255.0
network-object 119.161.132.0 255.255.255.0
network-object 119.161.133.0 255.255.255.0
network-object 125.39.48.0 255.255.255.0
network-object 123.125.44.0 255.255.255.0
network-object 125.39.32.0 255.255.255.0
network-object 123.125.4.0 255.255.255.0
network-object host 222.73.205.89
network-object host 123.125.223.11
network-object host 61.135.196.106
network-object host 123.125.46.182
! denyhost: a single internal host that ACL 119 blocks in both directions.
object-group network denyhost
network-object host 172.16.101.128
! permithost: defined, but no access-list in this listing refers to it.
! It is the same address that is allowed to reach the HTTP (ASDM) server.
object-group network permithost
network-object host 172.16.11.60
! ACL 119 - bound inbound on "inside" by the access-group line further down.
! Blocks the denyhost address as destination and as source, blocks
! 172.16.11.0/24 from the denywebsites group, then allows everything else,
! so all other inside-originated traffic (including toward dmz and mngt)
! passes unfiltered.
access-list 119 extended deny ip any object-group denyhost
access-list 119 extended deny ip object-group denyhost any
! The next two lines are ONE command: the terminal wrapped it at column 80
! and split the group name "denywebsites". Rejoin them before reusing this.
access-list 119 extended deny ip 172.16.11.0 255.255.255.0 object-group denywebs
ites
access-list 119 extended permit ip any any
! ACL "out" - bound inbound on "outside".
! NOTE(review): every entry is as wide as it can be. "permit icmp any any"
! admits all ICMP types from any source, and each "permit ip any host ..."
! opens every protocol and port on that host to any outside source. Nine of
! the hosts sit on the dmz subnet (192.168.3.0/24); 172.16.20.61 is routed
! via inside, so an inside-network host is fully exposed as well. Narrow each
! entry to the specific tcp/udp service the host publishes, and restrict
! ICMP to the message types that are actually needed.
access-list out extended permit icmp any any
access-list out extended permit ip any host 192.168.3.2
access-list out extended permit ip any host 172.16.20.61
access-list out extended permit ip any host 192.168.3.3
access-list out extended permit ip any host 192.168.3.4
access-list out extended permit ip any host 192.168.3.5
access-list out extended permit ip any host 192.168.3.6
access-list out extended permit ip any host 192.168.3.7
access-list out extended permit ip any host 192.168.3.8
access-list out extended permit ip any host 192.168.3.9
access-list out extended permit ip any host 192.168.3.10
! Terminal paging, logging, MTU, ACL bindings and static routes.
pager lines 24
! NOTE(review): only the ASDM log buffer level is set. No "logging enable",
! "logging host" or "logging trap" line appears in this listing, so events
! are presumably not being sent to a syslog collector - confirm, and add
! remote logging so ACL hits and logins leave a record off the device.
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu mngt 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! ACL bindings: "out" filters traffic arriving on outside, 119 filters
! traffic arriving on inside. dmz and mngt have no ACL bound here, so they
! fall back to security-level behaviour.
access-group out in interface outside
access-group 119 in interface inside
! Default route via the upstream router; the 172.16/17/18 networks are
! reached through 192.168.2.2 on inside. The more specific 172.16.10.0/24
! route points at 192.168.3.2 on dmz and therefore overrides the /16 for
! that subnet.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 172.16.0.0 255.255.0.0 192.168.2.2 1
route dmz 172.16.10.0 255.255.255.0 192.168.3.2 1
route inside 172.17.0.0 255.255.0.0 192.168.2.2 1
route inside 172.18.0.0 255.255.0.0 192.168.2.2 1
! Idle timers for translations, connections and per-protocol state
! (h:mm:ss). Idle TCP connections are kept for one hour and half-closed ones
! for ten minutes; UDP state is dropped after two minutes and ICMP after two
! seconds.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
! Management-plane access: ASDM/HTTP server, SNMP traps, Telnet/SSH/console
! settings and the local user account.
!
! The HTTP (ASDM) server is limited to a single inside host - the tightest
! rule in this section.
http server enable
http 172.16.11.60 255.255.255.255 inside
no snmp-server location
no snmp-server contact
! Traps are enabled, but no "snmp-server host" receiver appears in this
! listing.
snmp-server enable traps snmp authentication linkup linkdown coldstart
! IPsec SA lifetimes only; no crypto map or tunnel definition is visible.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! NOTE(review): Telnet sends credentials and the session in cleartext, and
! two of these rules accept any source address. The ASA documentation states
! that Telnet to the lowest-security interface is refused outside a VPN
! tunnel, so the "outside" rule likely never works as written - but it should
! still be removed rather than left as latent exposure. The mngt rule is also
! any-source. The /32 inside rule is redundant with the /24 that follows it.
! Prefer SSH with explicit source ranges and drop Telnet entirely.
telnet 0.0.0.0 0.0.0.0 outside
telnet 172.16.11.252 255.255.255.255 inside
telnet 172.16.11.0 255.255.255.0 inside
telnet 172.16.10.60 255.255.255.255 dmz
telnet 0.0.0.0 0.0.0.0 mngt
telnet timeout 5
! An SSH idle timeout is set, yet no "ssh <address> <mask> <interface>" line
! exists in this listing, so SSH is not permitted from anywhere.
ssh timeout 10
! 0 disables the console idle timeout: a console session left logged in
! stays open indefinitely.
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Empty webvpn stanza: nothing is enabled on any interface here.
webvpn
! NOTE(review): a single local account with a predictable name, and its
! password hash is published with this listing - rotate it. No
! "aaa authentication ... console" line is visible, so Telnet presumably
! authenticates with the shared "passwd" secret rather than per-user
! credentials; confirm and move to named accounts via AAA.
username cisco password ffIRPGpDSOJh9YLq encrypted
! Application-inspection policy, applied globally, followed by the listing
! trailer.
!
class-map inspection_default
match default-inspection-traffic
!
!
! DNS inspection caps messages at 512 bytes. NOTE(review): that limit predates
! EDNS0; larger responses (for example DNSSEC-signed ones) would presumably
! be dropped - verify against resolver behaviour before keeping it.
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
! The inspected protocols include several legacy ones (rsh, sunrpc, xdmcp,
! sqlnet, netbios). Inspection engines open secondary connections on behalf
! of the protocol, so engines for protocols that are not used on this network
! are worth removing. "inspect icmp" tracks ICMP statefully so that replies
! to outbound echo requests can return; it is separate from the
! "permit icmp any any" entry in ACL "out", which admits unsolicited ICMP.
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
! Checksum printed by the device at the end of the configuration output.
Cryptochecksum:2904f2a3987f302f5c4a8085168b4c5b
: end