I've recently been setting up a Cisco ASA 5510 firewall and ran into a couple of strange things.

First: when configuring the remote-access VPN by following the ASDM wizard, the first attempt would not connect no matter what I did. Then, repeating the same steps on top of that configuration, it worked; all I changed was the vpnpool to a different address range. Oddly, though, after dialing in, clients are still assigned addresses from the pool I configured the first time.

Second: the ASA default configuration has an "inspect skinny" policy enabled by default, but my ASA was upgraded later. The original 720 version did not have this policy, and after upgrading to 721 this default policy appeared (I also noticed that after upgrading the IOS, the VPN peer count went from 150 to 250). I didn't pay attention to it at first, but later, after putting the firewall into the network, I found that Lianzhong (连众) could not be reached any more; I removed that policy with "no" and it was fine again. Very strange. Please take a look at the config, and could someone explain what the skinny service is? I looked through the docs and it seems to be related to voice, but I can't understand why it would also stop Lianzhong from working. Config:
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 description connect internat
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/1
 description connect office
 nameif bgw
 security-level 100
 ip address 10.124.21.1 255.255.248.0
!
interface Ethernet0/2
 nameif xiaoq
 security-level 95
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/3
 description description connect www servser/Emalil server
 nameif DMZ
 security-level 50
 ip address x.x.x.x 255.255.255.240
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list xiaoq_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.124.16.0 255.255.248.0
access-list bgw_nat0_outbound extended permit ip 10.124.16.0 255.255.248.0 host x.x.x.x
access-list bgw_nat0_outbound extended permit ip 10.124.16.0 255.255.248.0 host x.x.x.x
access-list bgw_nat0_outbound extended permit ip 10.124.16.0 255.255.248.0 192.168.0.0 255.255.255.0
access-list bgw_nat0_outbound extended permit ip 10.124.16.0 255.255.248.0 10.124.21.192 255.255.255.240
access-list bgw_nat0_outbound extended permit ip 10.124.16.0 255.255.248.0 1.1.1.0 255.255.255.240
access-list outside_access_in extended permit tcp any host x.x.x.x eq www
access-list outside_access_in extended permit tcp any host x.x.x.x eq www
access-list outside_access_in extended permit tcp any host x.x.x.x eq pop3
access-list outside_access_in extended permit tcp any host x.x.x.x eq smtp
access-list xiaoq_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 10.124.21.66 eq www
access-list xiaoq_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 10.124.21.66 eq ftp
access-list xiaoq_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 10.124.21.66 eq ftp-data
access-list xiaoq_access_in extended permit ip 192.168.0.0 255.255.255.0 host 10.124.21.66
access-list xiaoq_access_in extended permit ip any 211.138.109.76 255.255.255.252
access-list outside_cryptomap extended permit ip any 10.124.21.192 255.255.255.240
access-list outside_cryptomap_1 extended permit ip any 1.1.1.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu bgw 1500
mtu xiaoq 1500
mtu DMZ 1500
mtu outside 1500
ip local pool vpnpool 10.124.21.193-10.124.21.203 mask 255.255.248.0
no failover
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 101 x.x.x.x netmask 255.255.255.240
nat (bgw) 0 access-list bgw_nat0_outbound
nat (bgw) 101 10.124.16.0 255.255.248.0
nat (xiaoq) 0 access-list xiaoq_nat0_outbound outside
nat (xiaoq) 101 0.0.0.0 0.0.0.0
access-group xiaoq_access_in in interface xiaoq
access-group outside_access_in in interface outside
route bgw 10.0.0.0 255.0.0.0 10.124.19.2 1
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
username user password V9WDqkbVcVAqrUu3rqCccA== nt-encrypted privilege 0
username user attributes
 vpn-group-policy DefaultRAGroup
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_DES_SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bd8a63361f32a925dd5b1e7d196d89e0
: end
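Added example, not part of the post and not Cisco code: a small Python audit script for an ASA running-config in the layout quoted above. It pulls out the three things the two questions turn on: which address pool is actually bound to each tunnel-group under general-attributes (the pool a dial-in client receives comes from there, whatever the wizard showed last), whether that pool lies inside a directly connected interface subnet (here the vpnpool range 10.124.21.193-203 sits inside the bgw interface's 10.124.16.0/21, a check worth running before troubleshooting), and which protocols the global policy-map inspects. On "inspect skinny": Skinny is Cisco's Skinny Client Control Protocol (SCCP), the signalling protocol between Cisco IP phones and CallManager, and default-inspection-traffic matches it on TCP port 2000; the script just reports whether it is enabled. The sample config is a constructed excerpt of the posted one (redacted x.x.x.x addresses are skipped by the parser), and one-space indentation per level is assumed, as in the post.

```python
import ipaddress
import re

# Constructed excerpt of the running-config quoted in the post (not the whole config).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/1
 nameif bgw
 security-level 100
 ip address 10.124.21.1 255.255.248.0
!
interface Ethernet0/2
 nameif xiaoq
 security-level 95
 ip address 192.168.0.1 255.255.255.0
!
ip local pool vpnpool 10.124.21.193-10.124.21.203 mask 255.255.248.0
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect skinny
  inspect sip
!
service-policy global_policy global
"""


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every interface block with a parseable address."""
    interfaces = {}
    nameif = None
    for line in config.splitlines():
        stripped = line.strip()
        if line.startswith("interface "):
            nameif = None                      # new block, name not yet known
        elif stripped.startswith("nameif "):
            nameif = stripped.split()[1]
        elif stripped.startswith("ip address ") and nameif:
            _, _, addr, mask = stripped.split()[:4]
            try:
                interfaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
            except ValueError:
                pass                           # redacted (x.x.x.x) addresses are skipped
    return interfaces


def parse_pools(config):
    """Return {pool name: (first address, last address)} from 'ip local pool' lines."""
    pools = {}
    pattern = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
    for line in config.splitlines():
        m = pattern.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return pools


def parse_tunnel_group_pools(config):
    """Return {tunnel-group: pool name} bound under 'general-attributes'."""
    bindings = {}
    group = None
    for line in config.splitlines():
        m = re.match(r"^tunnel-group (\S+) general-attributes", line)
        if m:
            group = m.group(1)
        elif line.startswith(" address-pool ") and group:
            bindings[group] = line.split()[1]
        elif line and not line.startswith(" "):
            group = None                       # any other top-level command ends the block
    return bindings


def parse_inspections(config, policy="global_policy"):
    """Return the protocols inspected by the named policy-map, in config order."""
    inspections = []
    in_policy = False
    for line in config.splitlines():
        if line.startswith("policy-map "):
            in_policy = line.split()[1:] == [policy]   # ignores 'policy-map type inspect ...'
        elif in_policy and line.strip().startswith("inspect "):
            inspections.append(line.split()[1])
        elif line and not line.startswith(" "):
            in_policy = False
    return inspections


def pool_overlaps(interfaces, pools):
    """List (pool, nameif) pairs whose pool range falls inside a connected subnet."""
    hits = []
    for pool_name, (first, last) in pools.items():
        for nameif, iface in interfaces.items():
            if first in iface.network or last in iface.network:
                hits.append((pool_name, nameif))
    return hits


def audit(config):
    """Summarise the VPN pool bindings and the inspections a client will be subject to."""
    interfaces = parse_interfaces(config)
    pools = parse_pools(config)
    inspections = parse_inspections(config)
    return {
        "tunnel_group_pools": parse_tunnel_group_pools(config),
        "pool_overlaps": pool_overlaps(interfaces, pools),
        "inspections": inspections,
        "skinny_inspected": "skinny" in inspections,
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(audit(SAMPLE_CONFIG))
```

Run it against a full "show running-config" saved to a file by replacing SAMPLE_CONFIG with the file contents; the parser only relies on the top-level/indented structure the post already shows, so the redacted lines do not need editing first.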