The OpenNET Project / Index page

"Cisco asa 5510 dropped off the network"
Forum: CISCO routers and other equipment (Routing)
Original message

"Cisco asa 5510 dropped off the network"
Message from turion (ok) on 27-Jun-11, 16:59
I have not had to configure this kind of hardware before, so I have come to you for help.

I have a Cisco ASA 5510 and need to apply the following settings issued by the provider:

IP 92.216.222.143
subnet mask 255.255.255.248
default gateway 92.216.222.138
DNS server 8.8.8.8

The ASA already has a config loaded, which needs to be corrected.

ASA Version 7.0(8)
!
command-alias exec h help
command-alias exec lo logout
command-alias exec p ping
command-alias exec s show
terminal width 80
hostname FW01-BB-RCHCH
domain-name FFOMS.RU
enable password 2KFKYOU encrypted
no fips enable
passwd 2KFKYOU encrypted
names
dns-guard
!
interface Ethernet0/0
speed auto
duplex auto
nameif outside
security-level 0
ip address 92.216.222.143 255.255.255.0
!
interface Ethernet0/1
speed auto
duplex auto
no nameif
no security-level
no ip address
!
interface Ethernet0/1.5
vlan 5
nameif Telecom
security-level 90
ip address 11.21.256.2 255.255.255.0
!
interface Ethernet0/1.151
vlan 151
nameif Server01
security-level 100
ip address 11.21.152.2 255.255.255.0
!
interface Ethernet0/1.201
vlan 101
nameif Inside01
security-level 80
ip address 11.21.202.2 255.255.255.0
!
interface Ethernet0/2
speed auto
duplex auto
no nameif
no security-level
no ip address
!
interface Ethernet0/2.6
vlan 6
nameif KSHin
security-level 60
ip address 11.21.255.18 255.255.255.240
!
interface Ethernet0/2.7
vlan 7
nameif KSHout
security-level 40
ip address 11.21.255.34 255.255.255.240
!
interface Ethernet0/2.11
vlan 11
nameif DMZ
security-level 50
ip address 11.21.253.2 255.255.255.0
!
interface Management0/0
speed auto
duplex auto
shutdown
no nameif
no security-level
no ip address
management-only
!
checkheaps check-interval 60
checkheaps validate-checksum 60
ftp mode passive
clock timezone MSK 3
clock summer-time MSD recurring last Sun Apr 3:00 last Sun Oct 3:00 60
object-group network SRV-MTR-RCHCH
description MTR FOR HECH
network-object 11.21.152.21 255.255.255.252
network-object 11.21.152.25 255.255.255.255
object-group network SRV-MTR-RALT
description MTR FOR ALTAY
network-object 11.5.152.21 255.255.255.252
network-object 11.5.152.25 255.255.255.255
object-group network SRV-MTR-ALL
group-object SRV-MTR-ALT
object-group service DSPD udp
port-object eq 55782
port-object eq 55783
port-object eq 55781
pager lines 24
logging enable
logging emblem
logging buffer-size 4096
logging asdm-buffer-size 100
logging host KSHin 11.256.255.21
logging host KSHin 11.256.255.19
logging debug-trace
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
logging rate-limit 1 10 message 620002
logging rate-limit 1 10 message 717015
logging rate-limit 1 10 message 717018
logging rate-limit 1 10 message 419003
logging rate-limit 1 10 message 405002
logging rate-limit 1 10 message 405001
logging rate-limit 1 10 message 710002
logging rate-limit 1 10 message 209003
logging rate-limit 1 10 message 209004
logging rate-limit 1 10 message 209005
logging rate-limit 1 10 message 110003
logging rate-limit 1 10 message 110002
mtu outside 1500
mtu Telecom 1500
mtu Server01 1500
mtu Inside01 1500
mtu KSHin 1500
mtu KSHout 1500
mtu DMZ 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
static (KSHout,outside) udp interface 55781 11.21.255.39 55781 netmask 255.255.255.255
static (KSHout,outside) udp interface 55782 11.21.255.42 55782 netmask 255.255.255.255
static (KSHout,outside) udp interface 55780 11.21.255.36 55780 netmask 255.255.255.255
access-group CSM_FW_ACL_outside in interface outside
access-group CSM_FW_ACL_Telecom in interface Telecom
access-group CSM_FW_ACL_Server01 in interface Server01
access-group CSM_FW_ACL_Inside01 in interface Inside01
access-group CSM_FW_ACL_KSHin in interface KSHin
access-group CSM_FW_ACL_KSHout in interface KSHout
access-group CSM_FW_ACL_DMZ in interface DMZ
route outside 0.0.0.0 0.0.0.0 92.216.222.138 1
route KSHin 14.0.0.0 255.0.0.0 10.20.254.25 1
route KSHin 13.0.0.0 255.0.0.0 10.20.254.22 1
route KSHin 12.0.0.0 255.0.0.0 10.20.254.19 1
route KSHin 11.255.0.0 255.255.0.0 11.21.255.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server ACS protocol tacacs+
aaa-server ACS (KSHin) host 11.256.255.15
key cisco
aaa-server ACS (KSHin) host 11.256.255.16
key cisco
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  no html-content-filter
  no homepage
  no filter
  no url-list
  no port-forward
  port-forward-name value Application Access
username abumagin password i/jW.Vxl9MU90Y2e encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication serial console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa accounting enable console ACS
aaa accounting serial console ACS
aaa accounting ssh console ACS
aaa accounting telnet console ACS
aaa accounting command privilege 15 ACS
aaa local authentication attempts max-fail 5
http server enable
http 11.256.255.19 255.255.255.255 KSHin
snmp-server host KSHin 11.256.255.18 trap community monitor_rd version 2c udp-port 162
snmp-server host KSHin 11.256.255.19 community monitor_rd version 2c udp-port 162
snmp-server host KSHin 11.256.255.21 trap community monitor_rd version 2c udp-port 162
no snmp-server location
no snmp-server contact
snmp-server community monitor_rd
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable
snmp-server listen-port 161
fragment size 200 outside
fragment chain 24 outside
fragment timeout 5 outside
no fragment reassembly full outside
fragment size 200 Telecom
fragment chain 24 Telecom
fragment timeout 5 Telecom
no fragment reassembly full Telecom
fragment size 200 Server01
fragment chain 24 Server01
fragment timeout 5 Server01
no fragment reassembly full Server01
fragment size 200 Inside01
fragment chain 24 Inside01
fragment timeout 5 Inside01
no fragment reassembly full Inside01
fragment size 200 KSHin
fragment chain 24 KSHin
fragment timeout 5 KSHin
no fragment reassembly full KSHin
fragment size 200 KSHout
fragment chain 24 KSHout
fragment timeout 5 KSHout
no fragment reassembly full KSHout
fragment size 200 DMZ
fragment chain 24 DMZ
fragment timeout 5 DMZ
no fragment reassembly full DMZ
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-ipsec
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
no sysopt noproxyarp outside
no sysopt noproxyarp Telecom
no sysopt noproxyarp Server01
no sysopt noproxyarp Inside01
no sysopt noproxyarp KSHin
no sysopt noproxyarp KSHout
no sysopt noproxyarp DMZ
service password-recovery
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec fragmentation before-encryption outside
crypto ipsec fragmentation before-encryption Telecom
crypto ipsec fragmentation before-encryption Server01
crypto ipsec fragmentation before-encryption Inside01
crypto ipsec fragmentation before-encryption KSHin
crypto ipsec fragmentation before-encryption KSHout
crypto ipsec fragmentation before-encryption DMZ
crypto ipsec df-bit copy-df outside
crypto ipsec df-bit copy-df Telecom
crypto ipsec df-bit copy-df Server01
crypto ipsec df-bit copy-df Inside01
crypto ipsec df-bit copy-df KSHin
crypto ipsec df-bit copy-df KSHout
crypto ipsec df-bit copy-df DMZ
isakmp identity hostname
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
no pre-shared-key
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 10 retry 2
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
no address-pool
authentication-server-group LOCAL
no authorization-server-group
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no strip-group
tunnel-group DefaultRAGroup ipsec-attributes
no pre-shared-key
no authorization-required
authorization-dn-attributes CN OU
peer-id-validate req
no radius-with-expiry
no chain
no trust-point
isakmp keepalive threshold 300 retry 2
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local
no vpn-sessiondb max-session-limit
no vpn-sessiondb max-webvpn-session-limit
no remote-access threshold
telnet timeout 5
ssh 11.21.256.1 255.255.255.0 Telecom
ssh 11.256.255.19 255.255.255.255 KSHin
ssh 11.256.106.1 255.255.255.0 KSHin
ssh 11.256.255.21 255.255.255.255 KSHin
ssh 11.256.255.18 255.255.255.255 KSHin
ssh 11.256.255.22 255.255.255.255 KSHin
ssh timeout 5
console timeout 1
dhcpd address 11.21.202.12-11.21.202.51 Inside01
dhcpd dns 11.21.202.2
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain FFOMS.RU
dhcpd enable Inside01
!
class-map class-default
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
class class-default
!
service-policy global_policy global
ntp authentication-key 1 md5 *
ntp authenticate
ntp trusted-key 1
ntp server 11.256.251.3 key 1 source KSHin
ntp server 11.256.251.2 key 1 source KSHin prefer
webvpn
title WebVPN Service
username-prompt Username
password-prompt Password
login-message Please enter your username and password
logout-message Goodbye
no logo
title-color #9999cc
secondary-color #ccccff
text-color white
secondary-text-color black
default-idle-timeout 1800
no http-proxy
no https-proxy
no accounting-server-group
authentication-server-group LOCAL
no authorization-server-group
default-group-policy DfltGrpPolicy
authentication aaa
no authorization-required
authorization-dn-attributes CN OU
imap4s
port 993
no server
outstanding 20
name-separator :
server-separator @
authentication-server-group LOCAL
no authorization-server-group
no accounting-server-group
default-group-policy DfltGrpPolicy
no authentication
no authorization-required
authorization-dn-attributes CN OU
pop3s
port 995
no server
outstanding 20
name-separator :
server-separator @
authentication-server-group LOCAL
no authorization-server-group
no accounting-server-group
default-group-policy DfltGrpPolicy
no authentication
no authorization-required
authorization-dn-attributes CN OU
smtps
port 988
no server
outstanding 20
name-separator :
server-separator @
authentication-server-group LOCAL
no authorization-server-group
no accounting-server-group
default-group-policy DfltGrpPolicy
authentication aaa
no authorization-required
authorization-dn-attributes CN OU
auto-update device-id hostname
auto-update poll-period 720 0 5
auto-update timeout 0
Cryptochecksum:b04d4531a
: end


Messages on the topic


1. "Cisco asa 5510 dropped off the network"
Message from slayer (??) on 28-Jun-11, 09:02
Apparently you don't want to do any thinking of your own at all.

3. "Cisco asa 5510 dropped off the network"
Message from turion (ok) on 28-Jun-11, 10:10
> Apparently you don't want to do any thinking of your own at all.

Invaluable advice. As I said, I have not worked with Cisco equipment before. The config was done by someone else, and he is out of reach right now. Just tell me which command sets the DNS server? I have more or less figured out the rest; it's only this DNS server I'm stuck on.

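The four values from the provider, applied to the pasted 7.0(8) config, as an added example written by the editor of this page; it is not turion's config and none of the repliers posted it. Do the subnet arithmetic before typing anything: 255.255.255.248 is a /29, so 92.216.222.143 under that mask lies in 92.216.222.136/29, where the usable addresses are .137 through .142 and .143 is the broadcast address. The gateway .138 fits; the address itself cannot be assigned to an interface, so either it was altered for the post (the paste is clearly hand-edited: octets of 256 in the 11.21.256.x and 11.256.x.x addresses, CSM_FW_ACL_* lists bound with access-group but never appearing as access-list lines, a group-object SRV-MTR-ALT where the paste defines SRV-MTR-RALT, and no nat/global lines at all) or the provider's sheet is wrong, and that has to be cleared up with the provider. The only line of the paste the provider's data actually contradicts is `ip address 92.216.222.143 255.255.255.0` under Ethernet0/0; the default route to .138 is already there. For the DNS server, the commands on the 7.0 train are `dns domain-lookup` plus `dns name-server` (this is from the 7.0 configuration guide as I remember it, so treat the exact syntax as an assumption; from 7.1 on the same setting is written `dns server-group DefaultDNS` with `name-server` underneath, and that form is worth trying if the first is refused). It configures the resolver the ASA uses for its own lookups only. The ASA is not a DNS server, so the existing `dhcpd dns 11.21.202.2`, which hands Inside01 DHCP clients the ASA's own address, leaves those clients without name resolution whatever the ASA's resolver is set to.

```cisco
! Added example by the page editor, not the poster's config. Addresses are the
! provider's values exactly as posted; 92.216.222.143/29 must be confirmed first,
! because in that subnet it is the broadcast address (see the note above).
configure terminal
!
! Outside: same address, corrected mask (the paste has 255.255.255.0).
interface Ethernet0/0
 ip address 92.216.222.143 255.255.255.248
!
! Default route: already present in the paste with this next hop; shown for completeness.
route outside 0.0.0.0 0.0.0.0 92.216.222.138 1
!
! Resolver for the ASA's own lookups (ping by name, hostnames in objects/ACLs).
! "outside" is the interface through which 8.8.8.8 is reached, so lookups are enabled there.
dns domain-lookup outside
dns name-server 8.8.8.8
! On 7.1 and later the equivalent is:
!   dns server-group DefaultDNS
!    name-server 8.8.8.8
!
! Only if Inside01 DHCP clients are meant to resolve through the same server.
! The paste's "dhcpd dns 11.21.202.2" points them at the ASA itself, which does not
! serve DNS; they would also need NAT toward outside, which the paste does not show.
dhcpd dns 8.8.8.8
end
!
! Verification before saving: interface up/up with the new mask, route, resolver, reachability.
show interface Ethernet0/0
show route
show running-config dns
ping outside 92.216.222.138
ping outside 8.8.8.8
ping www.cisco.com
write memory
```

Since this paste is now public, note what it exposes: the `enable password` and `passwd` lines, the TACACS+ `key cisco` for both ACS servers, a local `username cisco` with privilege 15, and the SNMPv2c community `monitor_rd`. Rotate all of them before the box goes back on the wire. `service password-recovery` is also left at its default of enabled, so anyone with console access can clear the passwords.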

2. "Cisco asa 5510 dropped off the network"
Message from Snaut (ok) on 28-Jun-11, 09:55
> DNS server 8.8.8.8

Hardcore :-D


4. "Cisco asa 5510 dropped off the network"
Message from turion (ok) on 28-Jun-11, 10:19
>> DNS server 8.8.8.8
> Hardcore :-D

I liked it too. :) That's the kind of joker of a provider we have. It would be funny if there were an alternative.

