TCL(config)#
TCL# show run
: Saved
:ASA Version 7.2(3)
!hostname TCL
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU2 4 encrypted
*********定义IP地址与客户端的映射（即为IP地址命名）********************
names
name 192.168.1.9 bgs1
name 192.168.1.27 bgs2
name 192.168.1.11 licm
name 192.168.1.7 liuxb
name 192.168.1.10 FileServer
name 192.168.1.62 changjh
………………………
………………………..
!
*************定义内网接口********************
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
*************定义外网接口********************
interface Vlan2
nameif outside
security-level 0
ip address pppoe setroute
!
interface Ethernet0/0
!
************将端口0/1加入到VLAN2（外网接口）中******************
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ************** encrypted
!
**************客户端上网时间的限制********************************
time-range everyday
periodic daily 7:50 to 21:00
!
time-range weekdays
periodic weekdays 7:50 to 18:10
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
*****************定义不同的策略网络主机组****************************
object-group network high1
network-object host FileServer
object-group network high2
network-object host licm
network-object host cw1
network-object host lizl
********************定义不同的策略服务组************************
object-group service tcp1 tcp
port-object range www www
port-object range 81 81
object-group service tcp_dns tcp
port-object range pop3 pop3
port-object range smtp smtp
port-object range domain domain
object-group service udp_dns udp
port-object range domain domain
object-group service tcp2 tcp
port-object range https https
port-object range 445 445
port-object range 465 465
port-object range www www
port-object range 81 81
port-object range 995 995
************针对上面的用户和服务组(类)制定访问控制策略****************
access-list inside_access_in extended permit tcp any any object-group tcp_dns log disable
access-list inside_access_in extended permit udp any any object-group udp_dns log disable
access-list inside_access_in extended permit tcp object-group high1 any object-group tcp1 log disable
access-list inside_access_in extended permit tcp object-group high2 any object-group tcp2 log disable time-range everyday
access-list inside_access_in extended permit tcp object-group high3 any object-group tcp2 log disable time-range everyday
access-list inside_access_in extended permit ip object-group normal1 any log disable time-range everyday
access-list inside_access_in extended permit tcp object-group normal2 any object-group tcp1 log disable time-range everyday
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
*******************IP地址和MAC地址绑定*******************************
arp inside 192.168.1.150 000d.87c5.9876
arp inside xuerx1 0002.a59b.453b
arp inside 192.168.1.115 0013.d3de.4376
arp inside gaoyf 00c0.9f26.f0da
arp inside guopy 0009.6be3.25f4
arp inside hehx 00c0.9f26.ee16
…………..
………………
arp timeout 14400
*************配置NAT转换*********************************
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
******************配置默认路由*******************
route outside 0.0.0.0 0.0.0.0 118.81.66.1 8(该条路由是自动获取的)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
*************配置允许通过ASDM管理防火墙的客户端网段*******************************
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 10
ssh timeout 5
console timeout 0
*******************配置PPPOE*****************************************
vpdn group adsl request dialout pppoe
vpdn group adsl localname *******
vpdn group adsl ppp authentication pap
vpdn username gslr password *********
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username root password ************* encrypted privilege 15
prompt hostname context
Cryptochecksum:**************f
: end