26648-lab - Cisco Support Community

advertisement
Network diagram
asa# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname asa
domain-name example.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.0.2.200 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.1.200 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone ICT 7
dns server-group DefaultDNS
domain-name example.com
access-list inside_nat0_outbound extended permit ip any 10.0.3.0 255.255.255.0
no pager
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool pool1 10.0.3.1-10.0.3.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 10.0.2.254 1
route inside 0.0.0.0 0.0.0.0 10.0.1.254 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESPAES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESPDES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic
SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
group-policy tunnel1 internal
group-policy tunnel1 attributes
vpn-tunnel-protocol IPSec
username remote1 password sjlpmOJZS8330gsa encrypted privilege 0
username remote1 attributes
vpn-group-policy tunnel1
tunnel-group tunnel1 type remote-access
tunnel-group tunnel1 general-attributes
address-pool pool1
default-group-policy tunnel1
tunnel-group tunnel1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d450c3915347cd06375471015256a614
: end
ASA configuration
asa# sh ver
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.1(3)
Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"
asa up 5 hours 20 mins
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 001b.5496.3aba, irq 9
1: Ext: GigabitEthernet0/1 : address is 001b.5496.3abb, irq 9
2: Ext: GigabitEthernet0/2 : address is 001b.5496.3abc, irq 9
3: Ext: GigabitEthernet0/3 : address is 001b.5496.3abd, irq 9
4: Ext: Management0/0
: address is 001b.5496.3abe, irq 11
5: Int: Not used
: irq 11
6: Int: Not used
: irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs
: 150
Inside Hosts
: Unlimited
Failover
: Active/Active
VPN-DES
: Enabled
VPN-3DES-AES
: Enabled
Security Contexts
:2
GTP/GPRS
: Disabled
VPN Peers
: 750
WebVPN Peers
:2
AnyConnect for Mobile
: Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5520 VPN Plus license.
Serial Number: JMX1134L19R
Running Activation Key: 0x8b33724c 0x2c92ec69 0xdc2299cc 0xb2c8003c 0x081287a5
Configuration register is 0x1
Configuration last modified by enable_15 at 19:39:33.212 ICT Wed May 13 2009
ASA version
VPN client
asa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.0.2.254 to network 0.0.0.0
S
C
C
S*
S
10.0.3.1 255.255.255.255 [1/0] via 10.0.2.254, outside
10.0.2.0 255.255.255.0 is directly connected, outside
10.0.1.0 255.255.255.0 is directly connected, inside
0.0.0.0 0.0.0.0 [1/0] via 10.0.2.254, outside
0.0.0.0 0.0.0.0 [255/0] via 10.0.1.254, inside tunneled
ASA routing
asa# %ASA-7-609001: Built local-host outside:10.0.2.100
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.3.1/1280 gaddr 10.0.2.100/0
laddr 10.0.2.100/0 (remote1)
%ASA-7-609002: Teardown local-host outside:10.0.2.100 duration 0:00:00
%ASA-7-609001: Built local-host outside:10.0.2.100
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.3.1/1280 gaddr 10.0.2.100/0
laddr 10.0.2.100/0 (remote1)
%ASA-7-609002: Teardown local-host outside:10.0.2.100 duration 0:00:00
%ASA-7-609001: Built local-host outside:10.0.2.100
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.3.1/1280 gaddr 10.0.2.100/0
laddr 10.0.2.100/0 (remote1)
%ASA-7-609002: Teardown local-host outside:10.0.2.100 duration 0:00:00
%ASA-7-609001: Built local-host outside:10.0.2.100
%ASA-6-302021: Teardown ICMP connection for faddr 10.0.3.1/1280 gaddr 10.0.2.100/0
laddr 10.0.2.100/0 (remote1)
%ASA-7-609002: Teardown local-host outside:10.0.2.100 duration 0:00:00
ASA logging
Download