Cisco ASA5520 config

I'm jotting down the config of my Cisco ASA5520 here so that I can find it again later by searching this blog. I haven't really touched it since fiddling with it while studying for CCNA Security, so the settings are a mess: two logging hosts are configured, the DNS servers point to Google and to an old DNS server in my house, and the config itself is old. There are also plenty of useless settings in it.
That said, VPN connections from outside do work with this config. Please excuse the sloppy setup.
Note: the unit was bought second-hand, but to prevent the device from being identified I have masked the serial number and MAC addresses just in case.

show version

asa5520# show version

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 7.5(2)153

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

asa5520 up 15 days 11 hours

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: GigabitEthernet0/0  : address is 001c.5826.XXXX, irq 9
 1: Ext: GigabitEthernet0/1  : address is 001c.5826.XXXX, irq 9
 2: Ext: GigabitEthernet0/2  : address is 001c.5826.XXXX, irq 9
 3: Ext: GigabitEthernet0/3  : address is 001c.5826.XXXX, irq 9
 4: Ext: Management0/0       : address is 001c.5826.XXXX, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 750
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has an ASA 5520 VPN Plus license.

Serial Number: XXXXXXXX
Running Activation Key: XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
Configuration register is 0x1
Configuration last modified by enable_15 at 09:20:57.132 JST Sat Oct 12 2019
asa5520#

show running-config

asa5520# show running-config
 : Saved
 :
 ASA Version 8.2(1)
 !
 hostname asa5520
 domain-name pine.com
 enable password hogehogehogehoge encrypted
 passwd hogehogehogehoge encrypted
 names
 !
 interface GigabitEthernet0/0
  nameif inside
  security-level 100
  ip address 192.168.0.251 255.255.255.0
 !
 interface GigabitEthernet0/1
  shutdown
  nameif outside
  security-level 0
  no ip address
 !
 interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
 !
 interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
 !
 interface Management0/0
  no nameif
  no security-level
  no ip address
  management-only
 !
 ftp mode passive
 clock timezone JST 9
 dns domain-lookup inside
 dns server-group DefaultDNS
  name-server 8.8.8.8
  name-server 192.168.0.207
  domain-name pine.com
 same-security-traffic permit intra-interface
 access-list DefaultRAGroup_splitTunnelAcl extended permit ip 192.168.0.0 255.255.255.0 any
 pager lines 24
 logging enable
 logging timestamp
 logging trap warnings
 logging asdm warnings
 logging facility 19
 logging host inside 192.168.0.202
 logging host inside 192.168.0.205
 mtu inside 1500
 mtu outside 1500
 ip local pool Address-pool 192.168.0.110-192.168.0.120 mask 255.255.255.0
 no failover
 icmp unreachable rate-limit 1 burst-size 1
 asdm image disk0:/asdm-752-153.bin
 asdm history enable
 arp timeout 14400
 route inside 0.0.0.0 0.0.0.0 192.168.0.1 1
 timeout xlate 3:00:00
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
 timeout tcp-proxy-reassembly 0:01:00
 dynamic-access-policy-record DfltAccessPolicy
  network-acl DefaultRAGroup_splitTunnelAcl
 aaa authentication ssh console LOCAL
 aaa authentication http console LOCAL
 aaa authentication telnet console LOCAL
 http server enable
 http 192.168.0.0 255.255.255.0 inside
 snmp-server host inside 192.168.0.208 community public version 2c
 no snmp-server location
 no snmp-server contact
 snmp-server community *
 snmp-server enable traps snmp authentication linkup linkdown coldstart
 sysopt connection tcpmss 1300
 no sysopt connection permit-vpn
 crypto ipsec transform-set TRANS-ESP-AES-SHA esp-aes esp-sha-hmac
 crypto ipsec transform-set TRANS-ESP-AES-SHA mode transport
 crypto ipsec security-association lifetime seconds 28800
 crypto ipsec security-association lifetime kilobytes 4608000
 crypto ipsec security-association replay disable
 crypto ipsec security-association replay window-size 1024
 crypto ipsec df-bit clear-df inside
 crypto dynamic-map inside_dyn_map 10 set transform-set TRANS-ESP-AES-SHA
 crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
 crypto map inside_map interface inside
 crypto isakmp enable inside
 crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 5
  lifetime 2147483647
 crypto isakmp policy 20
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 2147483647
 telnet 192.168.0.0 255.255.255.0 inside
 telnet timeout 5
 ssh 192.168.0.0 255.255.255.0 inside
 ssh timeout 60
 console timeout 0
 management-access inside
 threat-detection basic-threat
 threat-detection statistics port
 threat-detection statistics protocol
 threat-detection statistics access-list
 threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
 ntp server 133.243.238.243
 webvpn
 group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 group-policy L2TP-VPN internal
 group-policy L2TP-VPN attributes
  dns-server value 8.8.8.8 4.4.4.2
  vpn-idle-timeout none
  vpn-session-timeout none
  vpn-tunnel-protocol l2tp-ipsec
  password-storage enable
  split-tunnel-policy tunnelspecified
  default-domain value pine.com
 group-policy Clientless-VPN internal
 group-policy Clientless-VPN attributes
  vpn-tunnel-protocol webvpn
  webvpn
   url-list none
 username arkey22 password hogehogehogehoge nt-encrypted
 tunnel-group DefaultRAGroup general-attributes
  address-pool Address-pool
  default-group-policy L2TP-VPN
 tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *
 tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
 tunnel-group Clientless-VPN type remote-access
 tunnel-group Clientless-VPN general-attributes
  default-group-policy Clientless-VPN
 tunnel-group VPN-Client type remote-access
 tunnel-group VPN-Client general-attributes
  address-pool Address-pool
 tunnel-group VPN-Client webvpn-attributes
  group-alias home enable
  group-alias test disable
 !
 class-map ANY
  match any
 class-map inspection_default
  match default-inspection-traffic
 !
 !
 policy-map type inspect dns preset_dns_map
  parameters
   message-length maximum 512
 policy-map global_policy
  class inspection_default
   inspect dns preset_dns_map
   inspect ftp
   inspect h323 h225
   inspect h323 ras
   inspect rsh
   inspect rtsp
   inspect esmtp
   inspect sqlnet
   inspect skinny
   inspect sunrpc
   inspect xdmcp
   inspect sip
   inspect netbios
   inspect tftp
  class ANY
   set connection decrement-ttl
 !
 service-policy global_policy global
 prompt hostname context
 Cryptochecksum:696bbc96cb06a44de8532147168887ee
 : end
 asa5520#
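Several settings in the running-config above are ones a practitioner would tighten before exposing the box: telnet management access is allowed from the inside network, the SNMP host uses v2c with the well-known community "public", IPsec anti-replay is disabled (`crypto ipsec security-association replay disable`), ISAKMP policy 20 uses 3DES with DH group 2, both ISAKMP policies set the IKE lifetime to the CLI maximum 2147483647 seconds, the console never times out, and the L2TP-VPN group policy has `password-storage enable`. The script below is an added example, not part of the original post and not Cisco tooling: it parses a `show running-config` dump and reports each of those findings. The sample input is an excerpt of the config on this page; the lists of "legacy" ciphers and DH groups are this script's own assumptions, taken from Cisco's Next Generation Encryption guidance (DES/3DES and DH groups 1, 2 and 5 are listed as avoid).

```python
"""Lint a Cisco ASA running-config for weak settings.

Added example for this post, not part of the original config or of Cisco tooling.
It only looks at settings that appear in the running-config above; the "weak"
lists below are this script's own assumptions, taken from Cisco's Next Generation
Encryption guidance (DES/3DES and DH groups 1, 2, 5 = avoid).
"""
import re
import textwrap

# Excerpt of the running-config shown on this page, trimmed to the lines the
# checks below inspect. A real audit would feed in the full `show running-config`.
SAMPLE_CONFIG = textwrap.dedent("""\
    snmp-server host inside 192.168.0.208 community public version 2c
    crypto ipsec security-association replay disable
    crypto isakmp policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 5
     lifetime 2147483647
    crypto isakmp policy 20
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 2147483647
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    console timeout 0
    group-policy L2TP-VPN attributes
     vpn-idle-timeout none
     password-storage enable
""")

WEAK_CIPHERS = {"des", "3des"}       # assumption: legacy per Cisco NGE guidance
WEAK_DH_GROUPS = {"1", "2", "5"}     # assumption: 768/1024/1536-bit MODP groups
MAX_IKE_LIFETIME = "2147483647"      # largest lifetime (seconds) the ASA CLI accepts
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_blocks(config):
    """Yield (command, [sub-commands]) pairs. ASA indents sub-commands with one space."""
    parent, children = None, []
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith(("!", ":")):
            continue                      # blank lines, '!' separators, ': Saved' header
        if raw.startswith(" "):
            children.append(stripped)
        else:
            if parent is not None:
                yield parent, children
            parent, children = stripped, []
    if parent is not None:
        yield parent, children


def _attrs(children):
    """'encryption aes' -> {'encryption': 'aes'}; value-less sub-commands map to ''."""
    out = {}
    for child in children:
        key, _, value = child.partition(" ")
        out[key] = value
    return out


def audit_asa_config(config):
    """Return one human-readable finding per weak setting, in config order."""
    findings = []
    for line, children in parse_blocks(config):
        if line.startswith("telnet ") and not line.startswith("telnet timeout"):
            findings.append(f"telnet management access allowed: '{line}'")
        elif line == "console timeout 0":
            findings.append("console session never times out (console timeout 0)")
        elif line.startswith("snmp-server host "):
            m = re.search(r"community (\S+) version (\S+)", line)
            if m and (m.group(1) in DEFAULT_COMMUNITIES or m.group(2) != "3"):
                findings.append(f"SNMP v{m.group(2)} host with community '{m.group(1)}' "
                                "(plaintext, well-known string)")
        elif line == "crypto ipsec security-association replay disable":
            findings.append("IPsec anti-replay protection disabled")
        elif line.startswith("crypto isakmp policy "):
            num, attrs = line.split()[-1], _attrs(children)
            if attrs.get("encryption") in WEAK_CIPHERS:
                findings.append(f"isakmp policy {num}: legacy cipher {attrs['encryption']}")
            if attrs.get("group") in WEAK_DH_GROUPS:
                findings.append(f"isakmp policy {num}: weak DH group {attrs['group']}")
            if attrs.get("lifetime") == MAX_IKE_LIFETIME:
                findings.append(f"isakmp policy {num}: IKE SA lifetime at CLI maximum, "
                                "effectively never rekeys")
        elif line.startswith("group-policy ") and "password-storage enable" in children:
            findings.append(f"group-policy {line.split()[1]}: password-storage enable "
                            "lets VPN clients cache the user password")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run as-is it reports ten findings for the excerpt. To check the full dump, paste the `show running-config` output into a file and pass its text to `audit_asa_config`; if you copy it from this page, run it through `textwrap.dedent` first, because every line here carries an extra leading space that the parser would otherwise treat as a sub-command. Two of the fixes are one-liners on the ASA (`no crypto ipsec security-association replay disable` to restore anti-replay, and `no telnet 192.168.0.0 255.255.255.0 inside` since SSH is already allowed from the same network); the ISAKMP policy and SNMP changes need to be coordinated with the L2TP client and the monitoring host.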

Related links (within this blog)