Configurando Cisco ASA 5505

Tema en 'General' comenzado por Howard Smith, 20 de Noviembre de 2017.

  1. Howard Smith

    Howard Smith Member

    [​IMG]

    [​IMG]

    [​IMG]

    Código (Text):
    CCNAS-ASA# show runn
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname CCNAS-ASA
    domain-name ccnasecurity.com
    enable password PmNe1e0C3tJdCLe8 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.40.30.174 255.255.255.0
    !
    interface Vlan10
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name ccnasecurity.com
    object-group network inside-net
    access-list howardlan extended permit ip 192.168.1.0 255.255.255.0 any
    access-list publicas extended permit ip host 10.40.30.174 any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 10.40.30.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 10
    ssh timeout 5
    console timeout 0
    dhcpd dns 209.165.201.2
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.20 inside
    dhcpd enable inside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous prompt 1
    Cryptochecksum:05236ab87d304b496917ac10556948cc
    : end
     
     
  2. Howard Smith

    Howard Smith Member

    Tambien pueden revisar esta configuración en la cual se esta implementando Zonas DMZ
    Código (Text):
    pdxasa# show run
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname pdxasa
    domain-name ********
    enable password *********** encrypted
    passwd ************* encrypted
    names
    name 192.168.x2.xx Site2
    name 192.168.x1.xx Site1
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    switchport access vlan 3
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.x1.xx 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 50.xx.xx.53 255.255.255.248
    !
    interface Vlan3
    no forward interface Vlan1
    nameif DMZ
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    !

    object-group service Avaya tcp-udp
    port-object range 1718 1719
    port-object range 1718 1720
    port-object eq 5005
    port-object range 49152 53247
    port-object range 50801 50802
    port-object range 50804 50805
    port-object eq 50808
    port-object range 50812 50813

    access-list icmp_allow extended permit icmp any any
    access-list outside_rule extended permit tcp any host 50.xx.xx.54 object-group Avaya
    pager lines 24

    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (DMZ) 1 192.168.2.0 255.255.255.0
    static (inside,outside) 50.xx.xx.54 192.168.x1.10 netmask 255.255.255.255
    route outside 0.0.0.0 0.0.0.0 50.xx.xx.58 1
    route inside Site2 255.255.255.0 192.168.x1.xx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy




    dhcpd address 192.168.2.2-192.168.2.10 DMZ
    dhcpd dns 4.2.2.2 8.8.8.8 interface DMZ
    dhcpd lease 86400 interface DMZ
    dhcpd enable DMZ
     

Comparte esta página