akomik
Junior Member | Редактировать | Профиль | Сообщение | ICQ | Цитировать | Сообщить модератору Здравствуйте! Имеется сей агрегат с настроенным VPN и доступом в инет по определенному протоколу и определенному порту... надо добавить соединение по порту и протоколу.... в Cisco новичок... По мануалу не могу понять что после чего ставить.... Вот конфигурация
!
! ---------------------------------------------------------------------------
! Review notes are the lines that start with "! NOTE(review)". "!" lines are
! comments only and change nothing on the box. The listing below is the
! poster's configuration reproduced one command per line; no command was
! altered. Per the boot image name (asa832-k8.bin) this is the 8.3(2) train,
! so NAT is in the 8.3 object/twice-NAT form and access-lists match the real
! (untranslated) address, which is why the ACLs below name prod_* objects.
! Passwords, pre-shared keys and some user names were masked by the poster.
! ---------------------------------------------------------------------------
!
! Interfaces: inet is the only outside (security-level 0) interface; mgmt,
! prod and cisco_mgmt all sit at security-level 100.
! NOTE(review): no "same-security-traffic permit inter-interface" line appears
! in this listing, so traffic between the three level-100 interfaces is not
! enabled by a same-security permit - confirm that is the intent.
!
interface Ethernet0/0
 nameif inet
 security-level 0
 ip address 80.85.111.2 255.255.255.252
!
interface Ethernet0/1
 nameif mgmt
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif prod
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
! Unused port left administratively down.
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
! Dedicated out-of-band management port (management-only: no through traffic).
interface Management0/0
 nameif cisco_mgmt
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup prod
dns server-group DefaultDNS
 name-server 80.85.96.131
 name-server 80.85.97.70
 domain-name mgmt.maltapay.local
!
! Address and service objects. Each prod_* host has a matching inet_* public
! address (see the static NAT rules further down). The host asked about in the
! post, 10.1.2.14, is prod_test01; its public address 80.85.111.228 is
! inet_test01, and the static NAT between the two already exists.
! NOTE(review): ms-rdp and the four ekassir-*-admin-* service objects, as well
! as object-groups inet_ps and inet_tm, are not referenced by any access-list
! in this listing, so they expose nothing as written.
!
object network inet_prod
 host 80.85.111.226
object network prod_network
 subnet 10.1.2.0 255.255.255.0
object network mgmt_network
 subnet 10.1.1.0 255.255.255.0
object network mgmt_vpn_network
 subnet 10.1.4.0 255.255.255.0
object network inet_ps01
 host 80.85.111.227
object network inet_ps02
 host 80.85.111.229
object network prod_ps01
 host 10.1.2.11
object network prod_ps02
 host 10.1.2.12
object service ms-rdp
 service tcp destination eq 3389
object network inet_test01
 host 80.85.111.228
object network prod_test01
 host 10.1.2.14
object service ekassir-monitor-admin-http
 service tcp destination eq 12047
object service ekassir-monitor-admin-tcp
 service tcp destination eq 12087
object service ekassir-monitor-paypoint
 service tcp destination eq 12067
object service ekassir-paysys-admin-http
 service tcp destination eq 11047
object service ekassir-paysys-admin-tcp
 service tcp destination eq 11087
object service ekassir-paysys-payment
 service tcp destination eq 11077
object network inet_tm01
 host 80.85.111.230
object network prod_tm01
 host 10.1.2.13
! inet_sa01 is the inet interface's own address (VPN termination point).
object network inet_sa01
 host 80.85.111.2
object network vodafone_mt_prod
 host 192.168.114.13
object network vodafone_mt_test
 host 192.168.114.17
object-group network inet_ps
 network-object object inet_ps01
 network-object object inet_ps02
object-group service ekassir-monitor
 service-object object ekassir-monitor-paypoint
object-group service ekassir-paysys
 service-object object ekassir-paysys-payment
! DM_INLINE_SERVICE_1 = ports 12067 and 11077 (ASDM-generated inline group).
object-group service DM_INLINE_SERVICE_1
 group-object ekassir-monitor
 group-object ekassir-paysys
object-group icmp-type icmp-prod
 icmp-object echo
 icmp-object echo-reply
 icmp-object unreachable
object-group network inet_tm
 network-object object inet_tm01
object-group network prod_ps
 network-object object prod_ps01
 network-object object prod_ps02
object-group network prod_tm
 network-object object prod_tm01
object-group network DM_INLINE_NETWORK_1
 network-object object prod_ps01
 network-object object prod_ps02
 network-object object prod_test01
object-group network DM_INLINE_NETWORK_2
 network-object object vodafone_mt_prod
 network-object object vodafone_mt_test
!
! inet_access_in is the only ACL bound to an interface (access-group below,
! inbound on inet). The isakmp/esp/ah lines cover the VPNs terminating on the
! inet address; the rest expose ICMP and the ekassir ports on the prod hosts.
! NOTE(review): every permit uses "any" as the source. If the ekassir peers
! come from known addresses, narrowing the source would reduce exposure.
!
access-list inet_access_in extended permit udp any object inet_sa01 eq isakmp
access-list inet_access_in extended permit esp any object inet_sa01
access-list inet_access_in extended permit ah any object inet_sa01
access-list inet_access_in extended permit icmp any object-group prod_ps object-group icmp-prod
access-list inet_access_in extended permit object-group ekassir-paysys any object-group prod_ps
access-list inet_access_in extended permit icmp any object-group prod_tm object-group icmp-prod
access-list inet_access_in extended permit object-group ekassir-monitor any object-group prod_tm
access-list inet_access_in extended permit icmp any object prod_test01 object-group icmp-prod
access-list inet_access_in extended permit object-group DM_INLINE_SERVICE_1 any object prod_test01
!
! NOTE(review): for the port asked about in the post (10.1.2.14 / 80.85.111.228,
! port 11032) only two pieces are missing here, since the static NAT for
! prod_test01 <-> inet_test01 is already present below. Assuming TCP like the
! sibling ekassir services (the post does not say which protocol):
!   object service <new-service-name>
!    service tcp destination eq 11032
!   access-list inet_access_in extended permit object <new-service-name> any object prod_test01
! (or add the new object to DM_INLINE_SERVICE_1 with service-object, as the
! existing ones are grouped). Because 8.3 ACLs use real addresses the rule
! names prod_test01, not inet_test01, exactly like the two lines above it.
! Replace "any" with the actual client address if it is known, and verify the
! result with packet-tracer.
!
! Split-tunnel list for the RA VPN: only 10.1.1.0/24 goes through the tunnel.
access-list mgmt_ra_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
! Interesting traffic for the site-to-site tunnel to 80.85.96.2 (crypto map
! inet_map 1): prod_ps01/02 + prod_test01 <-> the two vodafone_mt hosts.
access-list inet_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
pager lines 24
!
! NOTE(review): logging goes only to the ASDM buffer. No "logging enable",
! "logging buffered" or "logging host" line appears in this listing, so
! nothing is retained off-box for incident review.
logging asdm informational
mtu inet 1500
mtu mgmt 1500
mtu prod 1500
mtu cisco_mgmt 1500
! Address pool handed to remote-access VPN clients (= mgmt_vpn_network).
ip local pool mgmt_ra 10.1.4.1-10.1.4.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
!
! NAT (8.3 twice-NAT form, evaluated in the order shown). The first two rules
! are identity NATs that keep VPN traffic untranslated; the statics map each
! prod_* host to its inet_* public address; the last rule PATs the rest of
! prod behind inet_prod.
! NOTE(review): the identity NAT for the RA-VPN pool (mgmt_network <->
! mgmt_vpn_network) is declared between (inet,inet); confirm this is intended
! rather than (mgmt,inet), since it is the rule that keeps VPN-client traffic
! to 10.1.1.0/24 untranslated.
!
nat (inet,inet) source static mgmt_network mgmt_network destination static mgmt_vpn_network mgmt_vpn_network
nat (prod,inet) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2
nat (prod,inet) source static prod_ps01 inet_ps01 dns
nat (prod,inet) source static prod_ps02 inet_ps02 dns
nat (prod,inet) source static prod_tm01 inet_tm01 dns
nat (prod,inet) source static prod_test01 inet_test01 dns
nat (prod,inet) source dynamic prod_network inet_prod dns
access-group inet_access_in in interface inet
route inet 0.0.0.0 0.0.0.0 80.85.111.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
!
! Management plane: local user database for ASDM (http) and SSH, with local
! command authorization (the privilege tables at the end of the file). ASDM is
! reachable from cisco_mgmt, mgmt and the RA-VPN pool 10.1.4.0/24.
! NOTE(review): the 10.1.4.0/24 entries (here and under ssh below) mean any
! remote-access VPN user can reach the ASDM/SSH listeners; they still need a
! valid login, but consider whether VPN users need management reachability.
!
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http server idle-timeout 15
http 192.168.1.0 255.255.255.0 cisco_mgmt
http 10.1.1.0 255.255.255.0 mgmt
http 10.1.4.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
! NOTE(review): traps are enabled but no snmp-server host/community appears in
! this listing, so this line has no destination; either drop it or finish the
! setup (and prefer SNMPv3 if it is added).
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
! IPsec transform sets. Several are legacy (esp-des, esp-3des, esp-md5-hmac).
! NOTE(review): the remote-access dynamic map below offers all ten sets,
! DES/3DES/MD5 included, and ISAKMP policy 10 (3des, DH group 2) takes
! precedence over policy 30 (aes-256, group 5) because the lower policy number
! wins. Prune the DES/3DES/MD5 sets from SYSTEM_DEFAULT_CRYPTO_MAP and remove
! or reorder policy 10 once all clients negotiate AES. The site-to-site entry
! (crypto map inet_map 1) is already pinned to ESP-AES-256-SHA.
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
! NOTE(review): "ESP-AES-192 -MD5" on the next line carries a stray space from
! the paste; the set defined above is ESP-AES-192-MD5.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192 -MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
! Site-to-site tunnel to 80.85.96.2 (entry 1) plus the dynamic entry for
! remote-access clients (65535), both on the inet interface.
crypto map inet_map 1 match address inet_1_cryptomap
crypto map inet_map 1 set peer 80.85.96.2
crypto map inet_map 1 set transform-set ESP-AES-256-SHA
crypto map inet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inet_map interface inet
crypto isakmp enable inet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! Remote CLI: only SSH version 2, from mgmt, the VPN pool and cisco_mgmt. No
! "telnet <network>" line appears in this listing, so Telnet is not allowed
! in. 15-minute idle timeouts on ssh, console and http.
telnet timeout 15
ssh scopy enable
ssh 10.1.1.0 255.255.255.0 mgmt
ssh 10.1.4.0 255.255.255.0 mgmt
ssh 192.168.1.0 255.255.255.0 cisco_mgmt
ssh timeout 15
ssh version 2
console timeout 15
! Lets the mgmt interface address be used for management, e.g. from across a VPN.
management-access mgmt
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
! NOTE(review): NTP is unauthenticated (no "ntp authenticate" / "ntp
! trusted-key" lines); clock integrity affects log timestamps and certificate
! validity checks.
ntp server 129.6.15.29
ntp server 129.6.15.28
webvpn
! Remote-access VPN policy: IPsec only, split tunneling limited to
! mgmt_ra_splitTunnelAcl (10.1.1.0/24).
group-policy mgmt_ra internal
group-policy mgmt_ra attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value mgmt_ra_splitTunnelAcl
!
! Local accounts (names and password hashes masked by the poster). Accounts
! with privilege 0 and "service-type remote-access" are VPN-only users; one
! account has privilege 3 and one privilege 15.
! NOTE(review): per the privilege tables at the end of the file, level 3 may
! run "clear crypto", "clear logging", "failover" (exec and configure mode)
! and "packet-tracer"; check that the privilege-3 account is meant to have
! those rights.
!
username ***********password*********** encrypted privilege 0
username ***********attributes
 vpn-group-policy mgmt_ra
 service-type remote-access
username ***********password*********** encrypted privilege 0
username ***********password*********** encrypted privilege 0
username ***********attributes
 vpn-group-policy mgmt_ra
 service-type remote-access
username ***********password*********** encrypted privilege 0
username ***********attributes
 vpn-group-policy mgmt_ra
 service-type remote-access
username ***********password *********** encrypted
username ***********password *********** encrypted privilege 0
username ***********attributes
 vpn-group-policy mgmt_ra
 service-type remote-access
username ***********password***********. encrypted privilege 0
username ***********attributes
 vpn-group-policy mgmt_ra
 service-type remote-access
username**** password*********** encrypted privilege 3
username ***********password *********** encrypted privilege 15
!
! Tunnel groups: IKEv1 pre-shared-key authentication (keys masked) for both
! the remote-access group and the site-to-site peer 80.85.96.2.
tunnel-group mgmt_ra type remote-access
tunnel-group mgmt_ra general-attributes
 address-pool mgmt_ra
 default-group-policy mgmt_ra
tunnel-group mgmt_ra ipsec-attributes
 pre-shared-key *****
tunnel-group 80.85.96.2 type ipsec-l2l
tunnel-group 80.85.96.2 ipsec-attributes
 pre-shared-key *****
!
! Default application inspection policy, applied globally.
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! Command-authorization tables consulted by "aaa authorization command LOCAL":
! which exec/configure commands privilege levels 3 and 5 may run. Level 5 is
! needed for "show running-config", "show import", "show asdm" (configure
! mode) and "show privilege"; everything listed at level 3 is available to
! the privilege-3 account above.
!
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
!
нужно добавить соединение на 10,1,2,14 с 80,85,111,228 по 11032 порту |