The OpenNET Project / Index page

"VPN on Cisco ASA"
Forum: Cisco routers and other equipment (ACL, traffic filtering and rate limiting)

"VPN on Cisco ASA"
Message from alterego2014 (ok) on 27-Aug-14, 13:05
Good day! The topology is Cisco Router 2911 -> Cisco ASA5515X (OS version 9.2(2)). NAT and routing with two ISPs are done on the Cisco 2911, the VPN on the ASA5515X. The question: when the VPN comes up, external users can use the resources of the internal network, but the internet is not reachable; accordingly, if the VPN connection is disconnected, the internet comes back. What could be the reason the internet does not work? The VPN is built as follows: the user opens the Captive Portal, enters a login and password (LDAP is used, tied to the domain controller), downloads the plugin, installs Cisco AnyConnect 3.1, and an encrypted channel comes up automatically.

1. "VPN on Cisco ASA"
Message from alterego2014 (ok) on 27-Aug-14, 14:32
> Good day! The topology is Cisco Router 2911 -> Cisco ASA5515X (OS version 9.2(2)).
> NAT and routing with two ISPs are done on the Cisco 2911, the VPN
> on the ASA5515X. The question: when the VPN comes up, external users can use the resources
> of the internal network, but the internet is not reachable; accordingly, if the VPN connection
> is disconnected, the internet comes back. What could be the reason the internet does not work? The VPN
> is built as follows: the user opens the Captive Portal, enters a login
> and password (LDAP is used, tied to the domain controller), downloads the plugin, installs
> Cisco AnyConnect 3.1, and an encrypted channel comes up automatically.

On the ASA5515-X the internal network is visible through the VPN (and hence the internal resources too), but from the router's side the network brought up through the VPN is not visible, even with an explicit permit rule on the firewall's outside interface (I suspect that the traffic, once wrapped into the virtual network, does not see the external routes to the internet).


2. "VPN on Cisco ASA"
Message from alterego2014 (ok) on 29-Aug-14, 08:53
Device config
ASA Version 9.2(2)
!
hostname ASA
domain-name tmproj.ru
enable password aD5MLkHiNxRshnib encrypted
passwd pSrI5Zw54ciEXY2w encrypted
names
dns-guard
ip local pool vpn_ip_pool 192.168.5.2-192.168.5.51 mask 255.255.255.0
!
interface GigabitEthernet0/0
description DMZ->DMZservers
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1
description outside->Router1
nameif outside
security-level 0
ip address 192.168.10.2 255.255.255.252
!
interface GigabitEthernet0/2
duplex full
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0/2.5
description VLAN5
vlan 5
nameif inside5
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet0/2.10
description VLAN10
vlan 10
nameif inside10
security-level 100
ip address 10.0.0.1 255.255.248.0
!
interface GigabitEthernet0/2.11
description VLAN11
vlan 11
nameif inside11
security-level 100
ip address 172.0.0.1 255.255.255.0
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.4.1 255.255.255.0
!
boot system disk0:/asa922-smp-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup inside10
dns server-group DefaultDNS
name-server 10.0.0.10
name-server 10.0.0.11
domain-name tmproj.ru
same-security-traffic permit inter-interface
object network mail.tmproj.ru
host 10.0.0.8
object network Synology
host 10.0.0.20
object network Ivan-Server
host 172.0.0.18
object network Nagios-server
host 172.0.0.100
object network syslog-serv.tmproj.ru
host 10.0.0.6
object network Cisco2911
host 192.168.10.1
object network vpn-network
subnet 192.168.5.0 255.255.255.0
object network outside_ip
host 192.168.10.2
object-group service DM_INLINE_TCP_1 tcp
port-object eq 587
port-object eq 993
port-object eq https
port-object eq smtp
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq 10011
service-object tcp destination eq 2008
service-object tcp destination eq 30033
service-object tcp destination eq 41144
service-object tcp destination eq ssh
service-object udp destination eq 2010
service-object udp destination eq 30033
service-object udp destination eq 9987
object-group network TMP_NETWORKS
network-object 10.0.0.0 255.255.248.0
network-object 172.0.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
service-object icmp echo
service-object icmp echo-reply
service-object icmp unreachable
service-object tcp destination eq www
service-object tcp destination eq ssh
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq 20443
service-object udp destination eq 4500
service-object udp destination eq isakmp
service-object udp destination eq 10000
service-object icmp
service-object udp destination eq echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
access-list ADMIN extended permit ip 10.0.0.0 255.255.248.0 any
access-list ADMIN remark any any
access-list ADMIN extended deny ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip 192.168.10.0 255.255.255.252 any
access-list outside_access_in remark permit from outside to mail.tmproj.ru
access-list outside_access_in extended permit tcp any object mail.tmproj.ru object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object Synology eq 5006
access-list outside_access_in remark permit from ouside to Ivan-server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object Ivan-Server
access-list outside_access_in remark permit from outside for Nagios-server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object Nagios-server
access-list outside_access_in extended permit tcp any object syslog-serv.tmproj.ru eq 59000
access-list outside_access_in remark syslog-server trafic
access-list outside_access_in extended permit udp object Cisco2911 object syslog-serv.tmproj.ru eq syslog
access-list outside_access_in remark Permit port for VPN
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any object outside_ip
access-list outside_access_in extended deny ip any any
access-list inside1_access_in remark permit any any
access-list inside1_access_in extended permit ip 172.0.0.0 255.255.255.0 any
access-list inside1_access_in remark deny any any
access-list inside1_access_in extended deny ip any any
access-list global_access remark permit any any
access-list global_access extended permit ip any any inactive
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in remark deny any any
access-list dmz_access_in extended deny ip any any
access-list inside10_access_in remark permit any any
access-list inside10_access_in extended permit ip any any log disable inactive
access-list inside10_access_in extended permit ip 10.0.0.0 255.255.248.0 any log disable
access-list inside10_access_in remark deny any any
access-list inside10_access_in extended deny ip any any
access-list inside11_access_in remark permit any any
access-list inside11_access_in extended permit ip any any inactive
access-list inside11_access_in extended permit ip 172.0.0.0 255.255.255.0 any log disable
access-list inside11_access_in remark deny any any
access-list inside11_access_in extended deny ip any any
access-list inside_access_in remark permit any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in remark deny any any
access-list inside_access_in extended deny ip any any
access-list inside5_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging console warnings
logging monitor alerts
logging buffered informational
logging asdm warnings
logging debug-trace
logging class auth trap emergencies
mtu dmz 1500
mtu outside 1500
mtu inside 1500
mtu inside10 1500
mtu inside11 1500
mtu management 1500
mtu inside5 1500
ip verify reverse-path interface dmz
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface management
ip audit name 1 attack action alarm drop
ip audit interface outside 1
ip audit info action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo inside10
icmp permit any echo inside11
asdm image disk0:/asdm-722.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside10_access_in in interface inside10
access-group inside11_access_in in interface inside11
access-group inside5_access_in in interface inside5
access-group global_access global
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map tmp_ldap
  map-name  memberOf IETF-Radius-Class
dynamic-access-policy-record DfltAccessPolicy
aaa-server tmp_ldap protocol ldap
max-failed-attempts 5
aaa-server tmp_ldap (inside10) host 10.0.0.10
timeout 20
server-port 3268
ldap-base-dn dc=tmproj,dc=ru
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ****************
ldap-login-dn cn=tonica,ou=otdel_it,ou=tmp_all,dc=tmproj,dc=ru
server-type auto-detect
ldap-attribute-map tmp_ldap
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.4.0 255.255.255.0 management
http 10.0.0.0 255.255.248.0 inside10
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside10_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside10_map interface inside10
crypto map inside5_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside5_map interface inside5
crypto ca trustpoint TMPVPN
enrollment self
fqdn vpn.tmproj.ru
subject-name CN=TMPROJ
proxy-ldc-issuer
crl configure
crypto ca trustpoint asa.tmproj.ru
enrollment self
subject-name CN=asa,OU=IT,O=Transmashproekt OAO,C=RU,St=RUSSIA,L=R
ip-address 10.0.0.10
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain TMPVPN
certificate 0e1d9653
  quit
crypto ca certificate chain asa.tmproj.ru
certificate 101d9653
  quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 20443
crypto ikev2 enable inside10 client-services port 20443
crypto ikev2 enable inside5 client-services port 20443
crypto ikev2 remote-access trustpoint asa.tmproj.ru
crypto ikev1 enable outside
crypto ikev1 enable inside10
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.248.0 inside10
ssh 172.0.0.0 255.255.255.0 inside11
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 604800
!
dhcpd address 172.0.0.100-172.0.0.150 inside11
dhcpd dns 8.8.8.8 8.8.4.4 interface inside11
dhcpd lease 604800 interface inside11
dhcpd option 3 ip 172.0.0.1 interface inside11
dhcpd option 7 ip 10.0.0.6 interface inside11
dhcpd enable inside11
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 1200 burst-rate 1900 average-rate 1600
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface dmz
dynamic-filter enable interface outside
dynamic-filter enable interface inside
dynamic-filter enable interface inside10
dynamic-filter enable interface inside11
dynamic-filter drop blacklist interface outside threat-level range very-low very-high
dynamic-filter drop blacklist interface inside10 threat-level range high very-high
dynamic-filter drop blacklist interface inside11 threat-level range very-low very-high
dynamic-filter ambiguous-is-black
dynamic-filter whitelist
name nnm-club.me
name www.ulmart.ru
address 10.0.0.8 255.255.255.255
address 10.0.0.11 255.255.255.255
address 10.0.0.10 255.255.255.255
name urod.ru
name fontanka.ru
dynamic-filter blacklist
name palevo.com
ntp server 10.0.0.10 source inside10
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1
ssl trust-point asa.tmproj.ru inside5
ssl trust-point asa.tmproj.ru outside
ssl trust-point asa.tmproj.ru inside10
webvpn
port 20443
enable outside
enable inside10
enable inside5
dtls port 20443
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
anyconnect profiles vpn_anyconnect_client_profile disk0:/vpn_anyconnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
wins-server value 10.0.0.10
dns-server value 10.0.0.10 10.0.0.11
vpn-tunnel-protocol ikev2 ssl-clientless
default-domain value tmproj.ru
group-policy GroupPolicy_vpn_anyconnect internal
group-policy GroupPolicy_vpn_anyconnect attributes
wins-server value 10.0.0.10
dns-server value 10.0.0.10 10.0.0.11
vpn-tunnel-protocol ikev1 ikev2
default-domain value tmproj.ru
webvpn
  anyconnect profiles value vpn_anyconnect_client_profile type user
username tonica password XXXXXXXXXXX encrypted privilege 15
username alterego password XXXXXXXXXXXXXX encrypted privilege 15
tunnel-group vpn_anyconnect type remote-access
tunnel-group vpn_anyconnect general-attributes
address-pool (inside10) vpn_ip_pool
address-pool vpn_ip_pool
authentication-server-group tmp_ldap
default-group-policy GroupPolicy_vpn_anyconnect
nat-assigned-to-public-ip outside
tunnel-group vpn_anyconnect webvpn-attributes
group-alias vpn_anyconnect enable
!
class-map inside10-class
match default-inspection-traffic
class-map inside11-class
match any
class-map inspection_default
match default-inspection-traffic
class-map inside11-class1
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
  id-randomization
  id-mismatch action log
  tsig enforced action log
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map dynamic-filter-snoop
class class-default
  user-statistics accounting
policy-map inside10-policy
class inside10-class
  inspect esmtp
  inspect ftp
  inspect http
  inspect dns dynamic-filter-snoop
  inspect icmp
  inspect icmp error
  inspect ip-options
  inspect ils
policy-map type inspect gtp default_gtp_map
parameters
policy-map inside11-policy
class inside11-class
  inspect tftp
class inside11-class1
  inspect ctiqbe
  inspect dcerpc
  inspect esmtp
  inspect ftp
  inspect gtp default_gtp_map
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect icmp
  inspect icmp error
  inspect ils
  inspect ip-options
  inspect ipsec-pass-thru
  inspect mgcp
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect waas
  inspect xdmcp
  inspect dns dynamic-filter-snoop
!
service-policy global_policy global
service-policy inside10-policy interface inside10
service-policy inside11-policy interface inside11
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:4d447f490c9370538dc74393b4642b1b
: end

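An added example, not code from the thread: a small Python audit script that parses an ASA running-config excerpt (matching sub-mode lines by keyword, since pasted configs arrive without indentation) and flags the conditions a defender would check first when full-tunnel AnyConnect clients lose internet access: the address pool overlapping a directly connected interface subnet, a missing `same-security-traffic permit intra-interface`, and no NAT rule for the pool toward outside; it also flags an outside ACL that opens with `permit ip any any`. `SAMPLE` is a constructed excerpt of the config posted above; all function and variable names are the example's own.

```python
import ipaddress

IF_SUB = ("nameif ", "ip address ", "security-level", "description", "vlan ",
          "duplex", "shutdown", "no ", "management-only")
OBJ_SUB = ("host ", "subnet ", "range ", "fqdn ", "nat ", "description")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_asa(config):
    st = {"pools": {}, "ifaces": {}, "objects": {}, "nat": [], "acl": {},
          "bound": {}, "intra": False}
    ctx = None                                  # ("if", name) / ("obj", name)
    for t in filter(None, map(str.split, config.splitlines())):  # skip blanks
        s = " ".join(t)                         # whitespace-normalised line
        if ctx and ctx[0] == "if" and s.startswith(IF_SUB):
            if t[0] == "nameif":
                st["ifaces"][ctx[1]]["nameif"] = t[1]
            elif s.startswith("ip address "):
                st["ifaces"][ctx[1]]["net"] = net(t[2], t[3])
            continue
        if ctx and ctx[0] == "obj" and s.startswith(OBJ_SUB):
            if t[0] in ("host", "subnet"):
                st["objects"][ctx[1]] = net(t[1], t[2] if t[0] == "subnet" else 32)
            elif t[0] == "nat":                 # object NAT, owned by ctx[1]
                st["nat"].append((ctx[1], s))
            continue
        ctx = None                              # any other line ends the sub-mode
        if t[0] == "interface":
            ctx, st["ifaces"][t[1]] = ("if", t[1]), {"nameif": None, "net": None}
        elif s.startswith("object network "):
            ctx = ("obj", t[2])
        elif s.startswith("ip local pool ") and len(t) == 7 and t[5] == "mask":
            st["pools"][t[3]] = net(t[4].split("-")[0], t[6])
        elif s == "same-security-traffic permit intra-interface":
            st["intra"] = True
        elif t[0] == "nat":                     # twice NAT, not object-owned
            st["nat"].append((None, s))
        elif t[0] == "access-list" and len(t) > 2:
            st["acl"].setdefault(t[1], []).append(" ".join(t[2:]))
        elif t[0] == "access-group" and len(t) == 5:
            st["bound"][t[4]] = t[1]            # nameif -> ACL applied inbound
    return st

def audit(config, pool_name):
    """Findings for the named AnyConnect pool; empty list means nothing flagged."""
    st, out = parse_asa(config), []
    pool, objs = st["pools"][pool_name], st["objects"]
    for i in st["ifaces"].values():
        if i["net"] and i["net"].overlaps(pool):
            out.append(f"pool {pool} overlaps interface {i['nameif']} ({i['net']})")
    if not st["intra"]:
        out.append("missing 'same-security-traffic permit intra-interface' (VPN traffic must re-exit outside)")
    def covers(owner, rule):                    # NAT rule touches the pool and exits outside?
        toks = rule.split()
        nets = [objs.get(owner)] + [objs.get(x) for x in toks]
        return ",outside)" in rule and ("any" in toks or any(n and n.overlaps(pool) for n in nets))
    if not any(covers(o, r) for o, r in st["nat"]):
        out.append(f"no NAT rule for {pool} toward outside (else the upstream router must route the pool back)")
    acl = st["bound"].get("outside")
    if acl and "extended permit ip any any" in st["acl"].get(acl, []):
        out.append(f"ACL {acl} on outside has 'permit ip any any', shadowing every later entry")
    return out

# Constructed excerpt of the config posted above, trimmed to the relevant lines.
SAMPLE = """\
ip local pool vpn_ip_pool 192.168.5.2-192.168.5.51 mask 255.255.255.0
interface GigabitEthernet0/2.5
nameif inside5
ip address 192.168.5.1 255.255.255.0
object network vpn-network
subnet 192.168.5.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
"""
```

Run `audit(SAMPLE, "vpn_ip_pool")` to get the four findings for the excerpt; feeding it the full posted config yields the same four.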

3. "VPN on Cisco ASA"
Message from alterego2014 (ok) on 29-Aug-14, 11:01
SOLUTION http://www.petenetlive.com/KB/Article/0000066.htm