! Device identity. "shafw01" and the +8 clock offset set further down suggest a
! Shanghai site; the domain is used for hostname resolution and key generation.
hostname shafw01
domain-name heraeus.com
! NOTE(review): no password hash follows "enable password" in this listing.
! Either it was redacted before publication or no enable password is set on the
! box; confirm on the device that privileged EXEC is not reachable without one.
enable password
names
!
! Physical trunk port: carries no addressing itself; the VLAN 150/151
! subinterfaces below provide the inside_data and inside_voice interfaces.
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
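! VLAN 150 subinterface: inside data network on a /30 point-to-point link.
! (The listing had the interface name broken across two lines; rejoined here
! so the block parses as a single "interface" command.)
interface GigabitEthernet0/0.150
vlan 150
nameif inside_data
security-level 50
ip address 172.26.24.6 255.255.255.252
!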
! VLAN 151 subinterface: voice segment, 10.48.8.0/24, same security level as
! every other interface on this unit (see same-security-traffic below).
interface GigabitEthernet0/0.151
vlan 151
nameif inside_voice
security-level 50
ip address 10.48.8.1 255.255.255.0
!
! Physical trunk port for the web (VLAN 161) and secure (VLAN 163)
! subinterfaces that follow.
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
! VLAN 161 subinterface: "web" segment, 172.26.30.0/24.
interface GigabitEthernet0/1.161
vlan 161
nameif web
security-level 50
ip address 172.26.30.1 255.255.255.0
!
! VLAN 163 subinterface: "secure" segment, 172.26.31.0/24. This is the subnet
! named by object-group n_VLAN163_31 and hosts the auth server h_auth42.
! NOTE(review): despite the name it sits at security-level 50 like every other
! interface, so nothing in the level scheme isolates it - only ACLs can.
interface GigabitEthernet0/1.163
vlan 163
nameif secure
security-level 50
ip address 172.26.31.1 255.255.255.0
!
! Reserved for LAN-based/stateful failover; no failover configuration appears
! in this excerpt, so the port is currently a placeholder.
interface GigabitEthernet0/2
description LAN/STATE Failover Interface for Future
!
! Physical trunk port for the "sprint" subinterface (VLAN 154) below.
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
! VLAN 154 subinterface: "sprint" link, /30 point-to-point (presumably a
! carrier-facing WAN hand-off given the name - confirm).
interface GigabitEthernet0/3.154
vlan 154
nameif sprint
security-level 50
ip address 172.26.24.9 255.255.255.252
!
! NOTE(review): the dedicated management port is used as the Internet-facing
! "outside" interface with a public address (no "management-only" is shown,
! consistent with data use). It carries security-level 50 - the same as
! inside_data, inside_voice, web, secure and sprint - so combined with
! "same-security-traffic permit inter-interface" below there is no implicit
! trust boundary between outside and the internal segments; isolation rests
! entirely on interface ACLs, none of which are bound (access-group) in this
! excerpt. Confirm the full config applies an inbound ACL here.
interface Management0/0
nameif outside
security-level 50
ip address 222.66.83.18 255.255.255.240
!
! Software image and global services. The image name indicates an ASA 7.0(4)
! era release; check its vendor support status before relying on it.
boot system disk0:/asa704-k8.bin
ftp mode passive
! NOTE(review): the offset is +8 (China Standard Time) but the zone is labelled
! "cet" (UTC+1). The label is cosmetic, but it misleads anyone correlating
! syslog timestamps from this box with other sites.
clock timezone cet 8
dns domain-lookup inside_data
dns name-server 172.26.16.17
! Every nameif'd interface above, including "outside", is security-level 50.
! With these two lines the ASA forwards between any pair of interfaces and
! hairpins through the same interface without its usual level-based blocking;
! whatever separation exists must therefore come from ACLs not visible here.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! ICMP type groups: echo request, echo reply, and a combined group for both.
! Nothing in this excerpt references ICMP_echo; it is presumably used by an ACL
! elsewhere in the configuration.
object-group icmp-type icmp_echo_request
icmp-object echo
object-group icmp-type icmp_echo_reply
icmp-object echo-reply
object-group icmp-type ICMP_echo
group-object icmp_echo_request
group-object icmp_echo_reply
! Leaf service groups, one per port or port range, named <proto>_<service>.
! Composite groups further down aggregate these. Note that tcp_ntp is TCP/123
! (NTP is normally UDP; the udp_ntp group covers that) and that several
! cleartext services are defined here (tftp, ftp, http, telnet-style ports);
! whether they are actually permitted depends on ACLs outside this excerpt.
object-group service udp_tftp udp
port-object eq tftp
object-group service udp_citrix udp
port-object eq 1604
object-group service udp_radius udp
port-object eq 1812
object-group service udp_radius_acct udp
port-object eq 1813
object-group service udp_rsa_5500 udp
port-object eq 5500
object-group service tcp_http tcp
port-object eq www
object-group service tcp_http_8080 tcp
port-object eq 8080
object-group service tcp_https tcp
port-object eq https
object-group service tcp_ftp tcp
port-object eq ftp
object-group service tcp_ntp tcp
port-object eq 123
object-group service udp_ntp udp
port-object eq ntp
object-group service tcp_smtp tcp
port-object eq smtp
object-group service tcp_ssh tcp
port-object eq ssh
object-group service tcp_squid_3128 tcp
port-object eq 3128
object-group service tcp_squid_2370 tcp
port-object eq 2370
! SAP port ranges: 47xx dispatcher (secure), 33xx gateway, 32xx dispatcher,
! 48xx gateway (secure), 36xx message server - 100 ports each.
object-group service tcp_sapdps_47xx tcp
port-object range 4700 4799
object-group service tcp_sapgw_33xx tcp
port-object range 3300 3399
object-group service tcp_sapdp_32xx tcp
port-object range 3200 3299
object-group service tcp_sapgws_48xx tcp
port-object range 4800 4899
object-group service tcp_sapms_36xx tcp
port-object range 3600 3699
object-group service tcp_jetdirect_9100 tcp
port-object eq 9100
object-group service tcp_printer tcp
port-object eq lpd
object-group service tcp_tacacs_plus tcp
port-object eq tacacs
! Composite service groups (upper-case prefix) built from the leaf groups
! above: proxy client ports, proxy listener ports, the SAP range set, and
! printing.
object-group service TCP_squid_web tcp
group-object tcp_http
group-object tcp_https
group-object tcp_http_8080
object-group service TCP_squid_ftp tcp
group-object tcp_ftp
object-group service TCP_squid_all tcp
group-object TCP_squid_web
group-object TCP_squid_ftp
object-group service TCP_squid_port tcp
group-object tcp_squid_3128
group-object tcp_squid_2370
object-group service TCP_sap tcp
group-object tcp_sapdps_47xx
group-object tcp_sapgw_33xx
group-object tcp_sapdp_32xx
group-object tcp_sapgws_48xx
group-object tcp_sapms_36xx
object-group service TCP_printing tcp
group-object tcp_jetdirect_9100
group-object tcp_printer
! Per-VLAN /24 network groups, named n_VLAN<id>_<third octet>. Only
! n_VLAN163_31 corresponds to an interface on this unit (the "secure"
! subinterface); the others are presumably reached via inside_data.
object-group network n_VLAN108_16
network-object 172.26.16.0 255.255.255.0
object-group network n_VLAN105_22
network-object 172.26.22.0 255.255.255.0
object-group network n_VLAN106_25
network-object 172.26.25.0 255.255.255.0
object-group network n_VLAN163_31
network-object 172.26.31.0 255.255.255.0
! NOTE(review): tcp_dameware_6129 and tcp_dameware_6130 are not defined
! anywhere in this excerpt. The ASA rejects a group-object reference to an
! undefined group, so either they are defined in a part of the file not shown
! here or the listing was trimmed; verify before reusing this config.
object-group service TCP_dameware tcp
group-object tcp_dameware_6129
group-object tcp_dameware_6130
! All three RFC 1918 ranges. Used below as both source and destination of the
! NONAT identity rule and as the source of the HIDING rule.
object-group network N_RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
! Ports on which clients reach the auth host (TRIGGER/POLICY ACLs below).
! NOTE(review): http and telnet are included alongside https; both carry
! credentials in cleartext, so a cut-through-proxy login on those ports is
! sniffable on any segment between client and firewall. Also, tcp_telnet is
! not defined in this excerpt (see the note on TCP_dameware).
object-group service TCP_client_auth tcp
group-object tcp_http
group-object tcp_https
group-object tcp_telnet
! Host groups. The NTP server is a public Internet address; no "ntp
! authenticate" appears in this excerpt, so time would be taken from an
! unauthenticated external source if it is also the device's own NTP peer.
object-group network h_china_ntpserver
network-object host 202.108.158.139
! Auth host lives on the "secure" segment (172.26.31.0/24).
object-group network h_auth42
network-object host 172.26.31.42
object-group network H_auth
group-object h_auth42
object-group network H_ntp_servers
group-object h_china_ntpserver
! Access lists. None of the bindings that give them effect (access-group,
! aaa authentication match, nat/static, class-map match access-list) are in
! this excerpt, so the comments below describe likely use only - confirm.
! TRIGGER and POLICY carry the same entry: TRIGGER presumably selects the
! client->auth-host flows for cut-through-proxy authentication, POLICY is the
! interface ACL counterpart that permits them (remark on the POLICY line).
access-list TRIGGER extended permit tcp any object-group H_auth object-group TCP_client_auth
! NONAT: identity/exemption for traffic between RFC1918 networks ("only
! permit's are allowed" because NAT ACLs do not support deny).
access-list NONAT remark # this is a nat rule, only permit''s are allowed
access-list NONAT remark # no nat inside our networks
access-list NONAT extended permit ip object-group N_RFC1918 object-group N_RFC1918
access-list POLICY remark # counterpart of trigger rule
access-list POLICY extended permit tcp any object-group H_auth object-group TCP_client_auth
! NTP to the external server over both TCP/123 and UDP/123 from any source.
access-list POLICY remark # # ntp
access-list POLICY extended permit tcp any object-group H_ntp_servers object-group tcp_ntp
access-list POLICY extended permit udp any object-group H_ntp_servers object-group udp_ntp
! HIDING: RFC1918 sources to anywhere - presumably the match for dynamic
! PAT ("hiding") toward outside.
access-list HIDING remark # this is a nat rule, only permit''s are allowed
access-list HIDING extended permit ip object-group N_RFC1918 any
! IPS: matches all traffic, presumably for a class-map that diverts flows to
! an IPS module; on its own it permits nothing.
access-list IPS extended permit ip any any
! TCP normalizer map: explicitly allows segments whose payload exceeds the
! peer's advertised MSS instead of dropping them. It only takes effect if a
! policy-map references it with "set connection advanced-options mss", which
! is not shown here. Relaxing this check is a deliberate weakening of the
! normalizer; keep it scoped to the class that needs it.
tcp-map mss
exceed-mss allow
!
CCSP/CCVP -- ASA 5520配置例子 (ASA 5520 configuration example)