Suppose I have the topology L3Switch1 -> ASA -> L3Switch2.
Can the ASA pass VLAN information through to L3Switch2?
Example setup
So I have a Cisco ASA 5505 set up with 2 site-to-site VPNs and one remote-access VPN, and right now anything that is connected (hardwired, S2S VPN or RA VPN) can talk to everything else without any problems.
The problem is that over one of the S2S VPNs I have an Active Directory setup, and I'm trying to change the RA VPN to use the LDAP login provided by this AD DS, but it seems the ASA itself can't get through the S2S VPN.
So the AD DS server is on IP 10.1.18.109
(Network ranges run by the ASA)
ASA is on 10.101.0.1/255.255.0.0
In Office (so Hardwired into ASA) is on 10.101.1.0/255.255.0.0
RA VPN is on 10.101.2.0/255.255.0.0
(Network ranges over the S2S VPNs)
S2S VPN Ireland is on 10.2.0.0/255.255.0.0
S2S VPN London is on 10.1.0.0/255.255.0.0
So I need the ASA to talk to 10.1.18.109, and at the moment it can't talk to it at all: LDAP just times out on connect, and pings fail.
What I've tried
All the NAT rules for the VPNs have Route Lookup enabled and the ACLs have been checked; they should allow it.
How I'm testing
I've been pinging via the inside interface: ping inside 10.1.18.109
and testing from the outside VLAN: ping outside 10.1.18.109
What I think is wrong
I'm not the best at this, so I think it has to do with the ASA running on the 10.101.0.1 IP address and not being allowed access to the VPN.
Current config.
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
domain-name fabrikam.ltd
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
names
ip local pool OutOfOfficePool 10.101.2.1-10.101.2.254 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.101.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address y.y.y.y 255.255.255.248
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.1.18.109
domain-name fabrikam.ltd
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside
subnet 10.101.0.0 255.255.0.0
object network inside-subnet
subnet 10.101.0.0 255.255.0.0
object network obj-SrcNet
subnet 0.0.0.0 0.0.0.0
object network obj-amzn-lon
subnet 10.1.0.0 255.255.0.0
object network obj-amzn-ire
subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.101.2.0_24
subnet 10.101.2.0 255.255.255.0
object network inoffice
subnet 10.101.1.0 255.255.255.0
object network outoffice
subnet 10.101.2.0 255.255.255.0
object network 10.X.X.X
range 10.2.0.0 10.2.255.255
access-list outside_acl extended permit ip host x.x.x.x host y.y.y.y
access-list outside_acl extended permit ip host v.v.v.v host y.y.y.y
access-list outside_acl extended permit ip host m.m.m.m host y.y.y.y
access-list outside_acl extended permit ip host z.z.z.z host y.y.y.y
access-list acl-amzn-lon extended permit ip any 10.1.0.0 255.255.0.0
access-list IRELAND-135 extended permit ip host m.m.m.m host y.y.y.y
access-list IRELAND-159 extended permit ip host z.z.z.z host y.y.y.y
access-list IRELAND-LOCAL extended permit ip any4 10.2.0.0 255.255.0.0
access-list outside_access_in extended permit ip host x.x.x.x host y.y.y.y
access-list outside_access_in extended permit ip host v.v.v.v host y.y.y.y
access-list acl-amzn extended permit ip any4 10.1.0.0 255.255.0.0
access-list amzn-filter extended permit ip 10.1.0.0 255.255.0.0 10.101.0.0 255.255.0.0
access-list ireland-filter extended permit ip 10.2.0.0 255.255.0.0 10.101.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit ip any4 10.2.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit ip any 10.1.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit ip any 10.2.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip any 10.1.0.0 255.255.0.0
access-list tcp_bypass extended permit tcp 10.101.1.0 255.255.255.0 10.101.2.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.1.0.0 255.255.0.0 10.101.2.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.101.2.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list tcp_bypass extended permit tcp 10.2.0.0 255.255.0.0 10.101.2.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.101.2.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
access-list acl-outside extended permit icmp any any echo
access-list acl-inside extended permit icmp any any echo
access-list global_mpc extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-ire obj-amzn-ire route-lookup
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-lon obj-amzn-lon route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.101.2.0_24 NETWORK_OBJ_10.101.2.0_24 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network inside-subnet
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 109.239.111.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (outside) host 10.1.18.109
ldap-base-dn dc=fabrikam, dc=ltd
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Administrator, cn=Users, dc=fabrikam, dc=ltd
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1379
sla monitor 1
type echo protocol ipIcmpEcho 10.1.0.1 interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 10.2.0.1 interface outside
frequency 5
sla monitor schedule 2 life forever start-time now
sla monitor 5
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
frequency 5
sla monitor schedule 5 life forever start-time now
crypto ipsec ikev1 transform-set transform-amzn-lon esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-amzn-ire esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set transfrom-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transfrom-amzn1 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-amzn1 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-ireland esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set APPLE_CLIENT esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set APPLE_CLIENT mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES128-SHA1_TRANS
crypto dynamic-map DYN_OUTSIDE 10000 set reverse-route
crypto map amazon_lon_map 1 match address acl-amzn-lon
crypto map amazon_lon_map 1 set pfs
crypto map amazon_lon_map 1 set peer x.x.x.x v.v.v.v
crypto map amazon_lon_map 1 set ikev1 transform-set transform-amzn-lon
crypto map amazon_lon_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map amazon_lon_map 1 set security-association lifetime seconds 3600
crypto map amazon_lon_map 2 match address outside_cryptomap_2
crypto map amazon_lon_map 2 set pfs
crypto map amazon_lon_map 2 set peer m.m.m.m z.z.z.z
crypto map amazon_lon_map 2 set ikev1 transform-set transform-ireland
crypto map amazon_lon_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MAP_OUTSIDE 1 match address outside_cryptomap_1
crypto map MAP_OUTSIDE 1 set pfs
crypto map MAP_OUTSIDE 1 set peer x.x.x.x v.v.v.v
crypto map MAP_OUTSIDE 1 set ikev1 transform-set transfrom-amzn
crypto map MAP_OUTSIDE 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map MAP_OUTSIDE 1 set security-association lifetime seconds 3600
crypto map MAP_OUTSIDE 1 set reverse-route
crypto map MAP_OUTSIDE 2 match address outside_cryptomap_3
crypto map MAP_OUTSIDE 2 set pfs
crypto map MAP_OUTSIDE 2 set peer m.m.m.m z.z.z.z
crypto map MAP_OUTSIDE 2 set ikev1 transform-set transform-ireland
crypto map MAP_OUTSIDE 2 set security-association lifetime seconds 3600
crypto map MAP_OUTSIDE 2 set reverse-route
crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair OutOfOfficeKeyPair
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject-name CN=leeds.internal.fabrikam.ltd,O=fabrikam Limited,C=UK
keypair OutOfOfficeKeyPair
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca * removed*
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate 7f301c5c *removed*
quit
crypto ca certificate chain ASDM_TrustPoint3
certificate ca *removed*
quit
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto ikev1 policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2000
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 3000
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd domain leeds.internal.fabrikam.ltd
dhcpd auto_config outside
dhcpd option 3 ip 10.101.0.1 y.y.y.y
dhcpd option 6 ip 10.1.13.58 8.8.8.8
!
dhcpd address 10.101.1.1-10.101.1.254 inside
dhcpd domain leeds.internal.fabrikam.ltd interface inside
dhcpd option 3 ip 10.101.0.1 interface inside
dhcpd option 6 ip 10.1.13.58 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol l2tp-ipsec
default-domain value leeds.internal.fabrikam.ltd
group-policy DfltGrpPolicy attributes
group-policy OutOfOffice internal
group-policy OutOfOffice attributes
dns-server value 10.1.18.109 1.1.1.1
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value leeds.internal.fabrikam.ltd
group-policy ireland-filter internal
group-policy ireland-filter attributes
vpn-filter value ireland-filter
vpn-tunnel-protocol ikev1
group-policy filter1 internal
group-policy filter1 attributes
vpn-filter value amzn-filter
vpn-tunnel-protocol ikev1 ikev2
group-policy filter internal
group-policy filter attributes
vpn-filter value acl-amzn
username user1 password xxxxxxxxxxxxxxxxxxxxxxxx nt-encrypted
username user1 attributes
vpn-group-policy OutOfOffice
vpn-tunnel-protocol ikev1 l2tp-ipsec
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool OutOfOfficePool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy filter1
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group v.v.v.v type ipsec-l2l
tunnel-group v.v.v.v general-attributes
default-group-policy filter1
tunnel-group v.v.v.v ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group IRELAND-135 type ipsec-l2l
tunnel-group IRELAND-135 general-attributes
default-group-policy ireland-filter
tunnel-group IRELAND-135 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group IRELAND-159 type ipsec-l2l
tunnel-group IRELAND-159 general-attributes
default-group-policy ireland-filter
tunnel-group IRELAND-159 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group OutOfOffice type remote-access
tunnel-group OutOfOffice general-attributes
address-pool OutOfOfficePool
authentication-server-group LDAP_SRV_GRP LOCAL
default-group-policy OutOfOffice
tunnel-group OutOfOffice ipsec-attributes
ikev1 pre-shared-key *****
ikev1 trust-point ASDM_TrustPoint0
tunnel-group OutOfOffice ppp-attributes
authentication ms-chap-v2
tunnel-group m.m.m.m type ipsec-l2l
tunnel-group m.m.m.m general-attributes
default-group-policy ireland-filter
tunnel-group m.m.m.m ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group z.z.z.z type ipsec-l2l
tunnel-group z.z.z.z general-attributes
default-group-policy ireland-filter
tunnel-group z.z.z.z ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match access-list global_mpc
match default-inspection-traffic
class-map tcp_bypass
match access-list tcp_bypass
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
policy-map tcp_bypass_policy
class tcp_bypass
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
service-policy tcp_bypass_policy interface inside
prompt hostname context
no call-home reporting anonymous
: end
I even tried a TCP ping on port 80, to no avail.
On the outside interface:
Sending 5 TCP SYN requests to 10.1.18.109 port 80
from 109.239.111.4, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
On the inside interface:
Sending 5 TCP SYN requests to 10.1.18.109 port 80
from 109.239.111.4, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
The VPC flow logs on Amazon AWS show no attempted connections to that IP address.
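An added example, not from the post or from Cisco: a small Python checker for the vpn-filter ACLs in the config above. On the ASA a vpn-filter ACL is written with the remote (tunnel) side as the source and the local side as the destination, and it is applied to traffic in both directions; traffic the ASA itself originates toward a host reached through the outside interface is sourced from the outside interface address. The ACL lines are copied from the posted config; 109.239.111.4 is the source address shown in the poster's TCP ping output; the hosts 10.101.1.50 and 10.101.2.10 are made-up addresses from the office and RA pool ranges.

```python
"""Added example (not part of the original post): evaluate the vpn-filter
ACLs from the posted ASA config for a given remote/local host pair.

A vpn-filter ACE is matched as (remote host in source, local host in
destination) no matter which way the packet travels; first match wins and
there is an implicit deny at the end."""
import ipaddress
import re

# Constructed input: ACL lines copied from the posted configuration.
CONFIG = """
access-list amzn-filter extended permit ip 10.1.0.0 255.255.0.0 10.101.0.0 255.255.0.0
access-list ireland-filter extended permit ip 10.2.0.0 255.255.0.0 10.101.0.0 255.255.0.0
access-list acl-amzn extended permit ip any4 10.1.0.0 255.255.0.0
"""

# Only the 'permit|deny ip SRC DST' form is needed for these filters.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+ip\s+"
    r"(any4|any|\S+\s+\S+)\s+(any4|any|\S+\s+\S+)\s*$"
)


def _to_net(token):
    """Turn 'any', 'any4' or 'ADDR MASK' into an ip_network."""
    if token in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acls(text):
    """Map ACL name -> list of (action, src_net, dst_net)."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, src, dst = m.groups()
        acls.setdefault(name, []).append((action, _to_net(src), _to_net(dst)))
    return acls


def vpn_filter_allows(acl, remote_ip, local_ip):
    """True if the vpn-filter permits traffic between the host behind the
    tunnel (remote_ip) and the host on our side (local_ip)."""
    r = ipaddress.ip_address(remote_ip)
    l = ipaddress.ip_address(local_ip)
    for action, src, dst in acl:
        if r in src and l in dst:
            return action == "permit"
    return False  # implicit deny


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    ldap = "10.1.18.109"
    # office host and RA client: both inside 10.101.0.0/16, both permitted
    print(vpn_filter_allows(acls["amzn-filter"], ldap, "10.101.1.50"))
    print(vpn_filter_allows(acls["amzn-filter"], ldap, "10.101.2.10"))
    # the ASA's own outside address (from the poster's TCP ping output):
    # not inside 10.101.0.0/16, so the filter does not cover it
    print(vpn_filter_allows(acls["amzn-filter"], ldap, "109.239.111.4"))
```

The last check is the one to compare with the symptom: the firewall's own outside address is not part of 10.101.0.0/16, so a filter written for the office networks does not cover traffic the firewall sources itself. The general ASA mechanism for reaching an internal server across a tunnel from the firewall is `management-access inside` with the AAA server defined on the inside interface, so that the traffic is sourced from the inside address; that is standard ASA practice, not something the post confirms for this setup.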
Good morning,
I received a notification from FirePower saying there was a MALWARE-CNC Win.Trojan.Gh0st variant outbound connection to our Exchange server. I'm guessing an email was sent to one of our employees with a malicious attachment. However, I'd like to track down who this mail was sent to. Do you know if that's possible? I have the source IP, but the only thing the FirePower notification tells me is that it was directed at our load balancer for Exchange. It also doesn't tell me exactly which mailbox it was sending to. Is it possible to find this information?
Thanks, Ryan
On a Cisco ASA, changes to the running-config are not automatically saved to the startup-config. This is done manually with "write memory" or "copy running-config startup-config" to write the changes to flash.
I want to verify whether config changes have been saved rather than blindly saving over and over (which is what I'm currently doing). I googled for a command to check whether running-config changes have been saved to the startup-config, and here are the two ugly workarounds I found:
I'm hoping there is a quick, clean command or procedure to verify that the config is saved without risking an accidental reload. If you have suggestions, please post them.
I have a VPN with a gateway that connects to another network (a local mobile operator) that uses a CISCO ASA 5550, version 8.0(3). On the Azure side I want to advertise a public IP instead of the local Azure network, because the mobile operator's security policy does not accept private IPs in its configuration.
Tunnel phase 1 comes up; phase 2 fails with an error saying the IP is not allowed, which is the Azure local network.
From the server (the network operator allows the public IP) I can ping the mobile operator's network gateway, but I can't ping any server in their network.
I'm not sure what can be done, but I'm guessing NAT (which I also don't know how to do) could do it, or I don't know?
Note: all resources were set up using Azure Resource Manager.
I'm looking to implement QoS for VoIP traffic using DSCP tags: EF and AF31.
LLQ for VoIP:
ciscoasa(config)# class-map cm_voip
ciscoasa(config-cmap)# match dscp ef
ciscoasa(config-cmap)# match dscp af31
ciscoasa(config)# policy-map pm_voip
ciscoasa(config-pmap)# class cm_voip
ciscoasa(config-pmap-c)# priority
ciscoasa(config-pmap-c)# service-policy pm_voip global
Police inbound traffic (non-VoIP):
ciscoasa(config)# class-map cm_data_inbound
ciscoasa(config-cmap)# no match dscp ef
ciscoasa(config-cmap)# no match dscp af31
ciscoasa(config)# policy-map pm_data_inbound
ciscoasa(config-pmap)# class cm_data_inbound
ciscoasa(config-pmap-c)# police input cir 98
ciscoasa(config-pmap-c)# service-policy pm_data_inbound interface outside
Shape outbound traffic (non-VoIP):
ciscoasa(config)# class-map cm_data_outbound
ciscoasa(config-cmap)# no match dscp ef
ciscoasa(config-cmap)# no match dscp af31
ciscoasa(config)# policy-map pm_data_outbound
ciscoasa(config-pmap)# class cm_data_outbound
ciscoasa(config-pmap-c)# shape output average 98
ciscoasa(config-pmap-c)# service-policy pm_data_outbound interface outside
Will this actually reserve 2% of the physical interface bandwidth for VoIP traffic?
-Thanks
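As an added example (not part of the post), here is Python that decodes the DSCP field from IPv4 headers and splits packets into the VoIP class (EF, AF31) and the data class, which is the split the class-maps above are meant to make. Running a capture from the inside segment through it verifies that the phones really mark media EF and signalling AF31 before the firewall policy is relied on. The packets in the block are constructed inline so it runs offline; the addresses, protocols and sizes are arbitrary.

```python
"""Added example (not from the original post): extract DSCP from raw IPv4
packets and count bytes per QoS class (voip = EF/AF31, data = the rest).
Sample packets are built in the block itself; no capture file needed."""
import struct

# DSCP code points: class selectors (RFC 2474), AFxy (RFC 2597), EF (RFC 3246)
DSCP_NAMES = {0: "cs0", 8: "cs1", 16: "cs2", 24: "cs3",
              32: "cs4", 40: "cs5", 48: "cs6", 56: "cs7", 46: "ef"}
for cls in range(1, 5):
    for drop in range(1, 4):
        DSCP_NAMES[8 * cls + 2 * drop] = f"af{cls}{drop}"  # AFxy = 8x + 2y

# The two markings the class-map in the post puts into the priority queue.
VOIP_DSCP = {"ef", "af31"}


def dscp_of(packet):
    """Return (dscp_value, name) from the TOS byte of a raw IPv4 packet.
    DSCP is the upper 6 bits of the second header byte; the low 2 are ECN."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    dscp = packet[1] >> 2
    return dscp, DSCP_NAMES.get(dscp, f"dscp{dscp}")


def build_ipv4(dscp, src, dst, proto=17, payload=b""):
    """Build a minimal IPv4 header (no options, checksum left zero) so the
    example has packets to look at without a capture."""
    tos = (dscp << 2) & 0xFF
    total = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total, 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return header + payload


def classify(packets):
    """Bytes per class, split the way the voip/data class-maps would."""
    counts = {"voip": 0, "data": 0}
    for pkt in packets:
        _, name = dscp_of(pkt)
        counts["voip" if name in VOIP_DSCP else "data"] += len(pkt)
    return counts


# Constructed sample traffic (addresses and sizes are made up).
SAMPLE = [
    build_ipv4(46, "10.0.0.10", "10.0.1.20", payload=b"\x00" * 160),            # RTP, EF
    build_ipv4(26, "10.0.0.10", "10.0.1.5", proto=6, payload=b"\x00" * 80),      # SIP, AF31
    build_ipv4(0, "10.0.0.50", "8.8.8.8", proto=6, payload=b"\x00" * 1400),      # best effort
    build_ipv4(34, "10.0.0.60", "10.0.1.9", payload=b"\x00" * 100),              # AF41, not VoIP class
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(dscp_of(pkt))
    print(classify(SAMPLE))
```

The AF41 packet lands in the data class on purpose: a class-map that matches only EF and AF31 will police or shape video marked AF41 along with everything else, which is worth knowing before the numbers in the policy are tuned.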
Our business internet provider recently enabled IPv6 on our fiber connection. They assigned us a /48 to use. Great, I can finally stop using our 6in4 tunnel. Or not?...
They want us to use PD, which is fine, except our Cisco ASA 5505 doesn't seem to support it. In fact, I think the ASA only supports static IPv6 addressing on the WAN interface.
How can I get this working?
For the tunnel setup I set up a Linux DMZ host in our internal ESXi cluster to terminate the tunnel. Internal IPv6 traffic goes through the ASA to the DMZ, is put into the tunnel by the Linux host and routed through the ASA again to the tunnel provider. This is very ugly because the traffic crosses the ASA twice and makes for a confusing and fragile setup.
With native IPv6 I'm hoping for a simpler way, even if I have to buy other hardware. Any tips?
We are setting up an IPsec tunnel, and when I look at the config to apply, I'm not very comfortable with how to roll back our changes.
I'm familiar with saving the config this way:
copy running-config startup-config
I'm familiar with loading the config the other way round:
copy startup-config running-config
But I know the last command merges with the previous config rather than overwriting it, and there is no guarantee that the values are restored.
The only reliable way I know of is to run a reload,
which wipes the running-config on restart and loads entirely from the startup-config, but that will definitely disrupt network traffic, possibly for several minutes.
Is there another way to restore a config more reliably?
I found a command called configure replace which looked promising, but it seems my ASA doesn't have it:
ciscoasa(config)# configure ?
configure mode commands/options:
WORD Configure from HTTP:
http(s)://[<user>:<password>@]<location>[:<port>]/<pathname>.
Place IPv6 address within square brackets if a port is
specified.
factory-default Configure from factory-default
memory Configure from memory
net Configure from tftp
exec mode commands/options:
terminal Configure using terminal/console
I have a problem with my ASA. I have multiple WANs and static NAT set up in the ASA. I can connect to my server from those WAN addresses on specific ports, but I'm having internet connectivity problems. I can't browse out to the internet from that server. What am I missing?
: Saved
:
: Serial Number: XXXXXXXXX
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
: Written by enable_15 at 22:59:07.919 GMT Wed Nov 30 2016
!
ASA Version 9.6(1)
!
hostname HC-ClientASA
enable password xxxxxxxxxxxxxxxxxx encrypted
names
ip local pool Test_DHCP_VPN 10.20.30.0-10.20.30.100 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address xxx.xxx.xxx.74 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
description WAN for ServerTV
nameif ServerTV
security-level 80
ip address 192.168.96.1 255.255.255.0
!
interface GigabitEthernet1/5
description GuestWiFi interface for Access poitns
nameif GuestWiFi
security-level 100
ip address 172.16.64.1 255.255.248.0
!
interface GigabitEthernet1/6
description Parking interface To Server
nameif ParkingInterface
security-level 100
ip address 172.16.17.1 255.255.255.0
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description Old WAN Interface
nameif WAN_OLD
security-level 0
ip address xxx.xxx.xxx.137 255.255.255.252
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT 0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network OLD_GW
host xxx.xxx.xxx.138
description Old GW Interface
object network GuestWiFi_NAT_OLD
subnet 172.16.64.0 255.255.248.0
description GuestWiFi OLD WAN
object network NEW_GW
host xxx.xxx.xxx.73
description Telia New Gateway
object network TestGw
subnet 192.168.1.0 255.255.255.0
description Test NAT
object network VPN_POOL_10.20.30.0
subnet 10.20.30.0 255.255.255.128
description VPN Pool
object network GuestWiFiNAT
subnet 172.16.64.0 255.255.248.0
description NAT for guestWiFi
object network inside_NAT_OLD
subnet 192.168.1.0 255.255.255.0
description Inside OLD WAN
object network ParkingSystem
subnet 172.16.17.0 255.255.255.0
description Parking system NAT
object network ParkingSystem_NAT_OLD
subnet 172.16.17.0 255.255.255.0
description Parking S OLD WAN
object network ParkingSystemServers
subnet xxx.xxx.xxx.0 255.255.255.0
description Public WAN from Parking System
object network ParkingSystemSubnet
subnet 172.16.17.0 255.255.255.0
description Parking System Subnet
object network GuestWiFi
subnet 172.16.64.0 255.255.248.0
description GuestWiFi object
object network ParkingServer1
host 172.16.17.3
description ParkingServer1
object network ParkingServer2
host 172.16.17.4
description Parking server 2
object service TCP_Parking_771
service tcp source eq 771
description Port for Parking server1
object service TCP_Parking_771_U
service udp source eq 771
description Port for parking server UDP
object service TCP_Parking2_9100
service tcp source eq 9100
description Parking for server 2 TCP
object service TCP_Parking2_9100_U
service udp source eq 9100
description TCP_Parking2_9100_UDP
object network TestLabNAT
subnet 192.168.1.0 255.255.255.0
description TestLab NAT
object network GuestWiFiLAB
subnet 172.16.64.0 255.255.248.0
object network ParkingInterfaceLAB
subnet 172.16.17.0 255.255.255.0
description Test Lab interface
object network ServerInternet
subnet 192.168.96.0 255.255.255.0
description Server Internet In
object network ServerTVLab
subnet 192.168.96.0 255.255.255.0
description Test Lab
object network ServerTV_OLD
subnet 192.168.96.0 255.255.255.0
object network ServerServer
host 192.168.96.2
description ConnectionToServer
object network NETWORK_OBJ_10.20.30.0_25
subnet 10.20.30.0 255.255.255.128
object network Parking
subnet 172.16.17.0 255.255.255.0
object network ParkingNAT
subnet 172.16.17.0 255.255.255.0
object network ParkingSystems
host xxx.xxx.xxx.120
object network ParkingInterfaceOLD_WAN
subnet 172.16.17.0 255.255.255.0
object network Server1
subnet 192.168.96.0 255.255.255.0
object network Server2
host 192.168.96.2
object service iPerfServer
service tcp source eq 5001
object network ServerNet
subnet 192.168.96.0 255.255.255.0
object network WAN2
host xxx.xxx.xxx.75
object network ServerTV2
host 192.168.96.2
object network HostNatToOutside
subnet 192.168.96.0 255.255.255.0
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group service ParkingObj tcp-udp
port-object eq 771
port-object eq 9100
object-group service ParkingPortsNAT tcp-udp
description OpenPortsForParking
port-object eq 771
port-object eq 9100
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group icmp-type DM_INLINE_ICMP_4
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq 4500
service-object tcp-udp destination eq 500
service-object tcp-udp destination eq 5001
service-object tcp-udp destination eq 8090
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object udp destination eq snmp
object-group network DM_INLINE_NETWORK_6
network-object object ParkingServer1
network-object object ParkingServer2
object-group service NOC_Auth tcp-udp
port-object eq 8090
object-group service VPN_IPSec tcp-udp
port-object eq 4500
port-object eq 500
object-group service iPerf tcp-udp
port-object eq 5001
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit object-group TCPUDP any any eq domain
access-list inside_access_in extended permit ip any any
access-list Test_Guest remark GuestWiFi network
access-list Test_Guest standard permit 172.16.64.0 255.255.248.0
access-list Test_Guest remark ParkingNetwork
access-list Test_Guest standard permit 172.16.17.0 255.255.255.0
access-list Test_Guest standard permit 192.168.96.0 255.255.255.0
access-list Test_Guest standard permit 192.168.1.0 255.255.255.0
access-list GuestWiFi_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2
access-list GuestWiFi_access_in extended permit object-group TCPUDP any any eq domain
access-list GuestWiFi_access_in extended permit ip any any
access-list ParkingInterface_access_in extended permit object-group TCPUDP any any object-group ParkingObj
access-list ParkingInterface_access_in extended permit object-group TCPUDP any any eq domain
access-list ParkingInterface_access_in extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object ServerServer
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any echo
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq https
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq ssh
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 8090
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 8090
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq snmp
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 5001
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 5001
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 500
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 4500
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 4500
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq isakmp
access-list ServerTVAccessList extended permit icmp any any echo-reply
access-list ServerTV_access_in extended permit icmp any any object-group DM_INLINE_ICMP_4
access-list ServerTV_access_in extended permit object-group TCPUDP any any eq domain
access-list ServerTV_access_in extended permit ip any any
access-list WAN_OLD_access_in extended permit object-group TCPUDP xxx.xxx.xxx.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group ParkingPortsNAT
access-list WAN_OLD_access_in extended permit ip object ParkingSystems object ParkingSystemSubnet
access-list WAN_OLD_access_in extended permit ip any object ParkingSystemSubnet
access-list WAN_OLD_access_in extended permit ip any any inactive
access-list WAN_OLD_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu ServerTV 1500
mtu GuestWiFi 1500
mtu ParkingInterface 1500
mtu WAN_OLD 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any GuestWiFi
icmp permit any ParkingInterface
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static VPN_POOL_10.20.30.0 VPN_POOL_10.20.30.0 no-proxy-arp route-lookup
nat (ParkingInterface,WAN_OLD) source static ParkingServer1 interface service any TCP_Parking_771
nat (ParkingInterface,WAN_OLD) source static ParkingServer1 interface service any TCP_Parking_771_U
nat (ParkingInterface,WAN_OLD) source static ParkingServer2 interface service any TCP_Parking2_9100
nat (ParkingInterface,WAN_OLD) source static ParkingServer2 interface service any TCP_Parking2_9100_U
!
object network GuestWiFi_NAT_OLD
nat (GuestWiFi,WAN_OLD) dynamic interface dns
object network inside_NAT_OLD
nat (inside,WAN_OLD) dynamic interface dns
object network ServerServer
nat (ServerTV,outside) static interface
object network ParkingInterfaceOLD_WAN
nat (ParkingInterface,WAN_OLD) dynamic interface dns
object network ServerTV2
nat (ServerTV,outside) static WAN2
access-group ServerTVAccessList in interface outside
access-group inside_access_in in interface inside
access-group ServerTV_access_in in interface ServerTV
access-group GuestWiFi_access_in in interface GuestWiFi
access-group ParkingInterface_access_in in interface ParkingInterface
access-group WAN_OLD_access_in in interface WAN_OLD
route WAN_OLD 0.0.0.0 0.0.0.0 xxx.xxx.xxx.138 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.73 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.64.0 255.255.248.0 GuestWiFi
http 10.20.30.0 255.255.255.0 GuestWiFi
http 172.16.17.0 255.255.255.0 ParkingInterface
http 192.168.96.0 255.255.255.0 ServerTV
http xxx.xxx.xxx.72 255.255.255.248 outside
http xxx.xxx.xxx.136 255.255.255.252 WAN_OLD
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map WAN_OLD_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_OLD_map interface WAN_OLD
crypto map TestLab_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=HC-ClientASA
keypair HC_Client_Odense
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 50de3358
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable WAN_OLD client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh xxx.xxx.xxx.72 255.255.255.248 outside
ssh 192.168.1.0 255.255.255.0 GuestWiFi
ssh 172.16.64.0 255.255.248.0 GuestWiFi
ssh 10.20.30.0 255.255.255.0 GuestWiFi
ssh xxx.xxx.xxx.136 255.255.255.252 WAN_OLD
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access GuestWiFi
dhcp-client client-id interface outside
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd dns 8.8.8.8 208.67.222.222 interface inside
dhcpd enable inside
!
dhcpd address 192.168.96.3-192.168.96.254 ServerTV
dhcpd dns 8.8.8.8 8.8.4.4 interface ServerTV
!
dhcpd address 172.16.64.2-172.16.64.250 GuestWiFi
dhcpd dns 8.8.8.8 208.67.222.222 interface GuestWiFi
dhcpd enable GuestWiFi
!
dhcpd address 172.16.17.33-172.16.17.250 ParkingInterface
dhcpd dns 8.8.8.8 8.8.8.8 interface ParkingInterface
dhcpd enable ParkingInterface
!
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 ServerTV
ssl trust-point ASDM_TrustPoint0 GuestWiFi
ssl trust-point ASDM_TrustPoint0 ParkingInterface
ssl trust-point ASDM_TrustPoint0 WAN_OLD
webvpn
enable outside
enable WAN_OLD
anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
anyconnect profiles Test_GuestWiFi_client_profile disk0:/Test_GuestWiFi_client_profile.xml
anyconnect profiles VPN_Test_client_profile disk0:/VPN_Test_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_VPN_Test internal
group-policy GroupPolicy_VPN_Test attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Test_Guest
default-domain none
webvpn
anyconnect profiles value VPN_Test_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username admin password xxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group VPN_Test type remote-access
tunnel-group VPN_Test general-attributes
address-pool Test_DHCP_VPN
default-group-policy GroupPolicy_VPN_Test
tunnel-group VPN_Test webvpn-attributes
group-alias VPN_Test enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:14a2b233fa9e205b5a530e7925ef77ac
: end