Author | Message
real1st
Registered: 04 Oct 2011, 19:33. Posts: 1314

Can you post your sh run?

21 Mar 2016, 16:32
CrAlex
Registered: 27 Mar 2012, 21:37. Posts: 353

f@ntasist0 wrote: Can you post your sh run?

Easy.

Code:
CRALEX-ASA# sh run
: Saved
:
: Serial Number: JMX1138Z077
: Hardware:   ASA5505, 1024 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(6)4
!
hostname CRALEX-ASA
domain-name home.ru
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description INTERNET CONECTION
 switchport access vlan 2
!
interface Ethernet0/1
 description CRALEX-CORE (ip 192.168.1.254)
 switchport trunk allowed vlan 1,111
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.251 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group RTC-INTERNET
 ip address pppoe setroute
!
interface Vlan3
 nameif outside-orbita
 security-level 0
 no ip address
!
interface Vlan111
 description #CrAlex LAN Wi-Fi_GUEST VLAN
 nameif GUEST
 security-level 10
 ip address 172.16.111.251 255.255.255.0
!
boot system disk0:/asa916-4-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 77.88.8.8
 domain-name pakharev.ru
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
object network INSIDE-LAN-MAPED
 subnet 10.155.77.0 255.255.255.0
object network GUEST-LAN
 subnet 172.16.111.0 255.255.255.0
object network WIFI-LAN
 subnet 172.16.100.0 255.255.255.0
object network FTP_LOCAL
 host 192.168.1.100
object network THECLOUD-LAN
 subnet 172.16.200.0 255.255.255.0
object-group network obj_any
object-group network ALLOW-IPSEC-2-WORK-LOCAL
 network-object object INSIDE-LAN
object-group network REMOTE-WORK
 network-object 10.77.0.0 255.255.0.0
 network-object 10.78.0.0 255.255.0.0
 network-object 10.79.0.0 255.255.0.0
 network-object 10.80.0.0 255.255.0.0
 network-object 10.81.0.0 255.255.0.0
 network-object 10.0.66.0 255.255.255.0
object-group network TO-OUT-NAT-ALLOW
 network-object object INSIDE-LAN
 network-object object GUEST-LAN
 network-object object WIFI-LAN
access-list IPSEC-2-WORK extended permit ip 10.155.77.0 255.255.255.0 10.77.0.0 255.255.0.0
access-list IPSEC-2-WORK extended permit ip 10.155.77.0 255.255.255.0 10.78.0.0 255.255.0.0
access-list IPSEC-2-WORK extended permit ip 10.155.77.0 255.255.255.0 10.79.0.0 255.255.0.0
access-list IPSEC-2-WORK extended permit ip 10.155.77.0 255.255.255.0 10.80.0.0 255.255.0.0
access-list IPSEC-2-WORK extended permit ip 10.155.77.0 255.255.255.0 10.81.0.0 255.255.0.0
access-list IPSEC-2-WORK extended permit ip 10.155.77.0 255.255.255.0 10.0.66.0 255.255.255.0
access-list STATIC2OSPF standard permit 10.0.66.0 255.255.255.0
access-list STATIC2OSPF standard permit 10.80.0.0 255.255.0.0
access-list STATIC2OSPF standard permit 10.81.0.0 255.255.0.0
access-list STATIC2OSPF standard permit 10.79.0.0 255.255.0.0
access-list STATIC2OSPF standard permit 10.77.0.0 255.255.0.0
access-list STATIC2OSPF standard permit 10.78.0.0 255.255.0.0
access-list STATIC2OSPF standard permit 172.16.200.0 255.255.255.0
access-list GUEST-LIMIT extended permit ip object GUEST-LAN any
access-list GUEST-LIMIT extended permit ip any object GUEST-LAN
access-list IPSEC-2-THECLOUD extended permit ip 192.168.1.0 255.255.255.0 172.16.200.0 255.255.255.0
pager lines 24
logging asdm informational
logging host outside 172.16.200.84
mtu inside 1500
mtu outside 1500
mtu outside-orbita 1500
mtu GUEST 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static THECLOUD-LAN THECLOUD-LAN
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN-MAPED destination static REMOTE-WORK REMOTE-WORK
nat (outside,inside) source static REMOTE_HOST_4_FTP REMOTE_HOST_4_FTP destination static interface FTP_LOCAL service objFTP objFTP
nat (inside,outside) source dynamic TO-OUT-NAT-ALLOW interface
access-group OUTSIDE-ACL in interface outside
!
route-map STATIC2OSPF-RM permit 10
 match ip address STATIC2OSPF
 set metric 1
!
!
router ospf 1
 network 192.168.1.0 255.255.255.0 area 1
 log-adj-changes
 redistribute static metric 1000 subnets route-map STATIC2OSPF-RM
!
route outside 0.0.0.0 0.0.0.0 83.221.214.196 1
route outside 10.0.66.0 255.255.255.0 83.221.214.196 1
route outside 10.77.0.0 255.255.0.0 83.221.214.196 1
route outside 10.78.0.0 255.255.0.0 83.221.214.196 1
route outside 10.79.0.0 255.255.0.0 83.221.214.196 1
route outside 10.80.0.0 255.255.0.0 83.221.214.196 1
route outside 10.81.0.0 255.255.0.0 83.221.214.196 1
route outside 172.16.200.0 255.255.255.0 83.221.214.196 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL auto-enable
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.200.0 255.255.255.0 inside
snmp-server host inside 172.16.200.84 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map OUTSIDE-MAP 1 match address IPSEC-2-WORK
crypto map OUTSIDE-MAP 1 set pfs
crypto map OUTSIDE-MAP 1 set peer 19.17.9.4
crypto map OUTSIDE-MAP 1 set ikev1 transform-set AES-SHA
crypto map OUTSIDE-MAP 1 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP 2 match address IPSEC-2-THECLOUD
crypto map OUTSIDE-MAP 2 set pfs
crypto map OUTSIDE-MAP 2 set peer 19.15.4.3
crypto map OUTSIDE-MAP 2 set ikev1 transform-set 3DES-MD5
crypto map OUTSIDE-MAP 2 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
 quit
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 36000
crypto ikev1 policy 2
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
crypto ikev1 policy 3
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh 172.16.200.0 255.255.255.0 inside
ssh 19.17.9.0 255.255.255.0 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpdn group RTC-INTERNET request dialout pppoe
vpdn group RTC-INTERNET localname j2fx
vpdn group RTC-INTERNET ppp authentication pap
vpdn username j2fx password *****
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
username support password GJ69k encrypted privilege 15
tunnel-group 19.17.9.4 type ipsec-l2l
tunnel-group 19.17.9.4 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 19.15.4.3 type ipsec-l2l
tunnel-group 19.15.4.3 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map LIMIT
 match access-list GUEST-LIMIT
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map FOR-LIMIT-SPEED
 class LIMIT
  police input 512000 96000
  police output 512000 96000
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
service-policy FOR-LIMIT-SPEED interface GUEST
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

21 Mar 2016, 16:49
amir
Registered: 01 Jan 1970, 03:00. Posts: 227

Well, there's your culprit:

nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static THECLOUD-LAN THECLOUD-LAN route-lookup

21 Mar 2016, 16:54
CrAlex
Registered: 27 Mar 2012, 21:37. Posts: 353

amir wrote: Well, there's your culprit:
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static THECLOUD-LAN THECLOUD-LAN route-lookup

I did say it would turn out to be something elementary somewhere... Thanks, everyone.

21 Mar 2016, 17:02
Radm
Registered: 04 Jun 2021, 10:25. Posts: 5

The problem with SNMP access (to the inside interface over a site-to-site tunnel) is back on the newer firmware, apparently starting with 9.14. I am on 9.16.2 now and have the same problem: the logs show the connection being established, but SNMP polling does not work. https://community.cisco.com/t5/security-documents/asa-snmp-polling-via-vpn-site-to-site-tunnel/tac-p/4475187

28 Sep 2021, 10:10
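An added audit script, written for this edit and not code from any poster in the thread: it reads a `show run` capture and flags the two things the thread turns on. First, identity twice-NAT rules for VPN-bound traffic that lack `route-lookup` (amir's fix above), emitting the corrected line. Second, SNMP and syslog peers that sit behind a crypto-map-protected subnet (Radm's scenario: polling the inside interface over a site-to-site tunnel) and whether the interface they are bound to is either the tunnel interface or covered by `management-access`. It also lists lines that pin deprecated algorithms (3DES, MD5, DH group 1, SNMP v2c), all of which appear in the posted config. SAMPLE_CONFIG is a constructed excerpt of the posted config, function names are mine, and the ACL parser assumes the address/mask ACE form used in the post rather than object-based ACEs.

```python
"""Audit an ASA 'show run' for the VPN-management pitfalls discussed in this thread."""
import ipaddress
import re

# Constructed excerpt modelled on the posted config (trimmed to what the checks need).
SAMPLE_CONFIG = """\
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
object network INSIDE-LAN-MAPED
 subnet 10.155.77.0 255.255.255.0
object network THECLOUD-LAN
 subnet 172.16.200.0 255.255.255.0
object-group network REMOTE-WORK
 network-object 10.77.0.0 255.255.0.0
 network-object 10.0.66.0 255.255.255.0
access-list IPSEC-2-WORK extended permit ip 10.155.77.0 255.255.255.0 10.77.0.0 255.255.0.0
access-list IPSEC-2-THECLOUD extended permit ip 192.168.1.0 255.255.255.0 172.16.200.0 255.255.255.0
logging host outside 172.16.200.84
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static THECLOUD-LAN THECLOUD-LAN
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN-MAPED destination static REMOTE-WORK REMOTE-WORK
snmp-server host inside 172.16.200.84 community ***** version 2c
crypto ipsec ikev1 transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map OUTSIDE-MAP 1 match address IPSEC-2-WORK
crypto map OUTSIDE-MAP 2 match address IPSEC-2-THECLOUD
crypto map OUTSIDE-MAP interface outside
ssh key-exchange group dh-group1-sha1
management-access inside
"""


def load_objects(text):
    """Resolve 'object network' / 'object-group network' names to lists of networks."""
    objs, current = {}, None
    for line in text.splitlines():
        head = re.match(r"object(?:-group)? network (\S+)", line)
        if head:
            current = objs.setdefault(head.group(1), [])
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the object block
        elif current is not None:
            tok = line.split()
            if tok[0] == "host":                                    # host A
                current.append(ipaddress.ip_network(tok[1]))
            elif tok[0] == "network-object" and tok[1] == "object":  # nested object NAME
                current.extend(objs.get(tok[2], []))
            elif tok[0] == "network-object" and tok[1] == "host":    # network-object host A
                current.append(ipaddress.ip_network(tok[2]))
            elif tok[0] in ("subnet", "network-object"):             # A MASK
                current.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
    return objs


def vpn_protected_networks(text):
    """Destination networks of every ACL a crypto map matches on (address/mask ACEs only)."""
    nets = []
    for acl in set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", text, re.M)):
        pat = rf"^access-list {re.escape(acl)} extended permit ip \S+ \S+ (\S+) (\S+)"
        for dst, mask in re.findall(pat, text, re.M):
            nets.append(ipaddress.ip_network(f"{dst}/{mask}"))
    return nets


def overlaps(nets_a, nets_b):
    return any(a.overlaps(b) for a in nets_a for b in nets_b)


NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)(.*)$", re.M)


def nat_rules_missing_route_lookup(text, objs, vpn_nets):
    """Identity-source twice-NAT rules for VPN traffic without route-lookup.

    Returns (original_line, corrected_line); the correction is the one amir gave.
    """
    findings = []
    for m in NAT_RE.finditer(text):
        real_src, mapped_src, real_dst, rest = m.group(3), m.group(4), m.group(5), m.group(7)
        if real_src != mapped_src or "route-lookup" in rest:
            continue  # a real translation (route-lookup does not apply), or already fixed
        if overlaps(objs.get(real_dst, []), vpn_nets):
            findings.append((m.group(0), m.group(0).rstrip() + " route-lookup"))
    return findings


def mgmt_hosts_behind_vpn(text, vpn_nets):
    """SNMP/syslog peers reached through the tunnel, with a sanity flag on their binding.

    A peer bound to a non-tunnel interface (e.g. 'snmp-server host inside ...') only
    works when that interface is named in 'management-access'.
    """
    tunnel_ifs = set(re.findall(r"^crypto map \S+ interface (\S+)", text, re.M))
    mgmt_access = set(re.findall(r"^management-access (\S+)", text, re.M))
    out = []
    for service, ifname, host in re.findall(r"^(snmp-server host|logging host) (\S+) (\S+)", text, re.M):
        if overlaps([ipaddress.ip_network(host)], vpn_nets):
            out.append({"service": service, "interface": ifname, "host": host,
                        "management_access_ok": ifname in tunnel_ifs or ifname in mgmt_access})
    return out


WEAK_TOKENS = ("esp-3des", "esp-md5-hmac", "encryption 3des", "hash md5",
               "dh-group1-sha1", "version 2c")


def weak_crypto_lines(text):
    """Lines that pin deprecated algorithms (3DES, MD5, DH group 1, SNMP v2c)."""
    return [l for l in text.splitlines() if any(t in l for t in WEAK_TOKENS)]


def audit(text):
    objs = load_objects(text)
    vpn = vpn_protected_networks(text)
    return {"nat": nat_rules_missing_route_lookup(text, objs, vpn),
            "mgmt": mgmt_hosts_behind_vpn(text, vpn),
            "weak": weak_crypto_lines(text)}


if __name__ == "__main__":
    for key, items in audit(SAMPLE_CONFIG).items():
        print(f"== {key}")
        for item in items:
            print("  ", item)
```

Run it as-is to see the three findings on the excerpt, or call `audit(open("show-run.txt").read())` on a real capture. It only reasons about the configuration text: the version-specific behaviour Radm reports on 9.14 and later (tunnel up, SNMP still not answered) cannot be detected from `show run`, so a clean report is necessary, not sufficient.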
_2e_
Registered: 14 May 2009, 12:57. Posts: 2067. From: Volgograd

ASA is always a party, because the PIX is cr@ppy, because pbx is cr@ppy. And whatever they do, it only gets worse. =)

29 Sep 2021, 11:44
root99
Registered: 29 May 2017, 21:19. Posts: 1404

ASA as ASA hardware is already history, since it is EOL.

29 Sep 2021, 11:46
_2e_
Registered: 14 May 2009, 12:57. Posts: 2067. From: Volgograd

root99 wrote: ASA as ASA hardware is already history, since it is EOL.

Ideologically they were always EOL.

29 Sep 2021, 11:55