电信（outside_dx）和联通（outside_lt）两个出口各自建立了一条不同的 IPsec L2L VPN（对端分别为 *.*.*78 和 *.*.*238）。
联通和电信这两条 VPN 会不定时中断（是否同时中断、发生时间点和持续时长均未记录），之后无需人工干预会自动恢复。
配置如下:
sh run
: Saved
:
: Serial Number: JAD2237050X
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
: NOTE(review): 9.8(2) is an early (2017) build of the 9.8 train; check later 9.8(x)
: maintenance releases and Cisco PSIRT advisories before relying on it as an
: Internet-facing IKEv1 endpoint.
ASA Version 9.8(2)
!
: Hostname is still the factory default, which makes syslog/IKE message
: correlation across devices harder; cosmetic but worth changing.
hostname ciscoasa
: NOTE(review): the enable password is stored as PBKDF2-SHA512 (5000 iterations),
: the strong on-box format for 9.8 -- it is still an offline crack target.
: Scrub the enable/username hashes, the chassis serial number above and the
: remaining real addresses (the static-route next hops further down are NOT
: masked, unlike the interface addresses) before sharing this config publicly.
enable password $sha512$5000$eTDOJHs10fEJaARtWTTZWg==$/cYRVCW9XPSn07qcNv0f6A== pbkdf2
names
!
: Telecom (dianxin) uplink: /30 to the ISP, security-level 0. Carries the
: default route (metric 1) and crypto map "l2l" (peer *.*.*78).
interface GigabitEthernet1/1
nameif outside_dx
security-level 0
ip address *.*.*.230 255.255.255.252
!
: Unicom (liantong) uplink: /30 to the ISP, security-level 0. Carries the
: backup default route (metric 200) and crypto map "lan2lan" (peer *.*.*238).
interface GigabitEthernet1/2
nameif outside_lt
security-level 0
ip address *.*.*.198 255.255.255.252
!
: LAN side. NOTE(review): the crypto ACLs and the obj-192.168.1.x objects below
: refer to 192.168.0.0/20, not to this 172.16.1.0/24 subnet, and no static route
: towards 192.168.0.0/20 via inside appears in this listing -- confirm where that
: network sits (a downstream router?) or the VPN interesting traffic cannot be
: routed correctly in the return direction.
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
: NOTE(review): the dedicated management port is unused, so every admin path
: (SSH/ASDM, see the ssh/http lines below) rides the data interfaces, including
: the two Internet-facing ones. Putting management on this port on an isolated
: segment would let the outside ssh/http permits be removed.
interface Management1/1
management-only
no nameif
no security-level
no ip address
ftp mode passive
clock timezone CST 8
: Three separate "any" objects with identical 0.0.0.0/0 contents; they differ only
: in the object-NAT rule attached to each one (see the nat section below).
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any_dx
subnet 0.0.0.0 0.0.0.0
object network obj_any_lt
subnet 0.0.0.0 0.0.0.0
: NOTE(review): none of the t*/w-t* service objects or the obj-192.168.1.x host
: objects are referenced anywhere in this listing. They look like material for the
: "out2in" inbound ACL, which is applied below but whose entries are not shown --
: either they were trimmed from the post or the objects are dead configuration.
object service t8082
service tcp destination eq 8082
object service t5588
service tcp destination eq 5588
object service t11521
service tcp destination eq 11521
object service t11522
service tcp destination eq 11522
object service t11523
service tcp destination eq 11523
object service t11524
service tcp destination eq 11524
object service t6547
service tcp destination eq 6547
object service t3399
service tcp destination eq 3399
object service t1234
service tcp destination eq 1234
object service t8081
service tcp destination eq 8081
object service t8099
service tcp destination eq 8099
object service t8088
service tcp destination eq 8088
object service t8055
service tcp destination eq 8055
object service t8072
service tcp destination eq 8072
object service t3355
service tcp destination eq 3355
object service t4434
service tcp destination eq 4434
object service t3388
service tcp destination eq 3388
object service w-t9088
service tcp destination eq 9088
object service w-t9099
service tcp destination eq 9099
object service w-t9055
service tcp destination eq 9055
object service w-t6666
service tcp destination eq 6666
object network obj-192.168.1.174
host 192.168.1.174
object network obj-192.168.1.175
host 192.168.1.175
object network obj-192.168.1.176
host 192.168.1.176
object network obj-192.168.1.213
host 192.168.1.213
object network obj-192.168.1.88
host 192.168.1.88
object network obj-outside-dx
host *.*.*.230
object network obj-outside-lt
host *.*.*.198
object service t80
service tcp destination eq www
object network obj-vpn192.168.96.0
subnet 192.168.96.0 255.255.240.0
object network obj-vpn192.168.48.0
subnet 192.168.48.0 255.255.240.0
object network obj-lan192.168.0.0
subnet 192.168.0.0 255.255.240.0
object network obj-vpn192.168.16.0
subnet 192.168.16.0 255.255.240.0
object service t5599
service tcp destination eq 5599
object network obj-192.168.8.88
host 192.168.8.88
: Crypto ACLs (interesting traffic). Local side is 192.168.0.0/20 for both tunnels;
: remote side is 192.168.96.0/20 via the telecom peer and 192.168.16.0/20 via the
: unicom peer. Anything to those remote networks that does not match these ACLs
: leaves unencrypted through the default route and PAT -- keep them tight and
: mirrored exactly on the remote peers, or IKE phase 2 proposals will be rejected.
: (obj-vpn192.168.48.0 is defined above but used by neither ACL.)
access-list to-cyzyl extended permit ip 192.168.0.0 255.255.240.0 192.168.96.0 255.255.240.0
access-list to-vpn1 extended permit ip 192.168.0.0 255.255.240.0 192.168.16.0 255.255.240.0
pager lines 24
: Logging: buffer + ASDM + console at informational, and the buffer is written to
: flash when it wraps (flash-bufferwrap). NOTE(review): "logging trap informational"
: is set but no "logging host" appears in this listing, so nothing is actually
: exported to a syslog collector. For diagnosing the intermittent VPN drops a
: remote collector is the first thing to add: the IKEv1 (713xxx) and IPsec SA
: (602xxx) messages around an outage tell you whether the peer disconnected, a
: rekey failed, or the route/interface flapped.
logging enable
logging monitor informational
logging buffered informational
logging trap informational
logging asdm informational
logging flash-bufferwrap
mtu outside_dx 1500
mtu outside_lt 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
: NAT. NOTE(review): obj_any's "(any,outside_dx)" rule overlaps obj_any_dx's
: "(inside,outside_dx)" rule and additionally matches traffic arriving on
: outside_lt that is routed back out outside_dx; it looks redundant and is worth
: removing so the PAT behaviour per uplink is explicit.
: NOTE(review): no identity NAT ("nat (inside,outside_dx) source static ...
: destination static ...") exempting the VPN interesting traffic is visible here.
: On 8.3+ NAT is applied before the crypto-map match, so without an exemption the
: 192.168.0.0/20 traffic would be PATed to the interface address and never match
: to-cyzyl/to-vpn1. Since the tunnels do come up, the exemption presumably exists
: but was cut from the post -- verify with "show nat" and "packet-tracer".
object network obj_any
nat (any,outside_dx) dynamic interface
object network obj_any_dx
nat (inside,outside_dx) dynamic interface
object network obj_any_lt
nat (inside,outside_lt) dynamic interface
: NOTE(review): "out2in" is applied inbound on both Internet-facing interfaces but
: no "access-list out2in" entries appear in this listing, so the inbound policy
: cannot be reviewed from this page (the ASA normally rejects access-group for an
: ACL that does not exist, so the ACEs were probably trimmed from the post).
access-group out2in in interface outside_dx
access-group out2in in interface outside_lt
: Routing. Default via telecom (metric 1), floating default via unicom (metric 200),
: host route pinning the unicom VPN peer *.*.*238 to outside_lt.
: NOTE(review): without "sla monitor" + "track", the metric-200 route is installed
: only when outside_dx's link goes down, not when the telecom path fails upstream.
: When it does flip, traffic for the telecom peer *.*.*78 leaves via outside_lt,
: where crypto map "l2l" is not applied, so that tunnel drops until the primary
: route returns -- one plausible match for the "drops, then recovers by itself"
: symptom; correlate "show route" / interface up-down syslogs with the outages.
: NOTE(review): the next-hop addresses are unmasked even though the interface
: addresses are; on a /30 they give away the firewall's own public IPs
: (.230 and .198) -- mask these too before posting.
route outside_dx 0.0.0.0 0.0.0.0 58.56.131.229 1
route outside_lt 0.0.0.0 0.0.0.0 27.223.8.197 200
route outside_lt *.*.*238 255.255.255.255 27.223.8.197 1
: Connection/xlate timeouts -- these are the platform defaults for 9.8 as far as
: this listing shows; nothing here is tuned for the VPN traffic specifically.
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
: Enable and SSH logins are checked against the local user database (good).
: NOTE(review): there is no "aaa authentication http console LOCAL", so ASDM/HTTPS
: logins are not tied to the per-user accounts below; on the ASA they then fall back
: to the enable password alone -- confirm on this build and add the line.
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
: ASDM/HTTPS server on a non-standard port (10448). A non-default port is not an
: access control; the permits below decide who can reach it.
http server enable 10448
: NOTE(review): an RFC1918 range permitted on an Internet-facing interface -- this
: line almost certainly belongs on "inside" (or is dead).
http 192.168.1.0 255.255.255.0 outside_lt
http 0.0.0.0 0.0.0.0 inside
: NOTE(review): ASDM reachable from any source on the Internet via the telecom
: uplink, with only password authentication in front of it. Restrict to the admin
: source addresses, or reach it over the VPN / a management interface instead.
http 0.0.0.0 0.0.0.0 outside_dx
no snmp-server location
no snmp-server contact
: Hardware reset button left enabled: anyone with physical access can reset the
: box (default setting; disable if the rack is not physically controlled).
service sw-reset-button
: IPsec phase 2. NOTE(review): both transform sets use 3DES (64-bit block cipher,
: deprecated by NIST in 2017, Sweet32-class attacks on long-lived SAs) and
: "my-set-1" pairs it with HMAC-MD5. 9.8 supports AES/AES-GCM; the change has to be
: coordinated with each remote peer, so it is a joint migration rather than a
: one-sided edit -- the unicom tunnel (my-set-1 / policy 10) is the weaker of the two.
crypto ipsec ikev1 transform-set my-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-set-1 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
: Telecom tunnel: interesting traffic to-cyzyl, peer *.*.*78, bound to outside_dx.
: Reachability of the peer depends on the default route (see routing above).
crypto map l2l 2 match address to-cyzyl
crypto map l2l 2 set peer *.*.*78
crypto map l2l 2 set ikev1 transform-set my-set
crypto map l2l interface outside_dx
: Unicom tunnel: interesting traffic to-vpn1, peer *.*.*238, bound to outside_lt.
: The peer is pinned to outside_lt by the /32 static route above.
crypto map lan2lan 3 match address to-vpn1
crypto map lan2lan 3 set peer *.*.*238
crypto map lan2lan 3 set ikev1 transform-set my-set-1
crypto map lan2lan interface outside_lt
crypto ca trustpool policy
crypto isakmp identity address
crypto isakmp disconnect-notify
crypto ikev1 enable outside_dx
crypto ikev1 enable outside_lt
: IKEv1 phase 1: pre-shared keys, 3DES, DH group 2 (1024-bit MODP), 8h lifetime.
: NOTE(review): group 2 and 3DES are below current guidance; 9.8 supports IKEv2 with
: DH 14/19/20/21 and AES-GCM. Both policies are offered to both peers, so the
: MD5 variant (policy 10) can be negotiated by either side.
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
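: No "telnet <net> <iface>" permits exist, so telnet is effectively closed; the
: timeout is inert.
telnet timeout 5
ssh stricthostkeycheck
: NOTE(review): SSH accepted from ANY source on both Internet-facing interfaces,
: guarded only by local passwords (no public-key auth is configured). Restrict
: these to the administrators' source addresses, or reach the box over the VPN /
: a management interface; the addresses cannot be determined from this page.
: TODO(review): replace 0.0.0.0 0.0.0.0 with the admin source network(s).
ssh 0.0.0.0 0.0.0.0 outside_dx
ssh 0.0.0.0 0.0.0.0 outside_lt
ssh timeout 60
: Key exchange raised from dh-group1-sha1 (diffie-hellman-group1-sha1, 1024-bit
: MODP, disabled by default in modern OpenSSH and Logjam-relevant) to the 2048-bit
: group14, which 9.8 supports. The explicit group1 setting looks like it was added
: for an old client; that client will need updating.
ssh key-exchange group dh-group14-sha1
: Console never times out; an unattended console session stays logged in.
console timeout 0
: Takes DNS/WINS/domain for the on-box DHCP server from the outside_dx DHCP lease.
: No "dhcpd address ... inside" pool is visible in this listing, so this is inert
: as shown.
dhcpd auto_config outside_dx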
!
: Basic threat detection plus per-host/port/protocol/ACL statistics (the 9.8 default
: set). Only rate-based alarms are produced; "threat-detection scanning-threat
: shun" is not enabled, so scanners hitting the open SSH/ASDM ports are logged but
: not blocked. Per-host statistics can be CPU-costly on a busy box.
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
: Remote-access (AnyConnect) portal on port 10443. NOTE(review): there is no
: "enable <interface>" line under webvpn in this listing, so the portal is not
: actually listening anywhere as shown; if it is enabled later, restrict it and
: add "aaa authentication http console" / a proper tunnel-group for it.
webvpn
port 10443
anyconnect enable
cache
disable
error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
: Local accounts (PBKDF2-SHA512 hashes). NOTE(review): with "aaa authentication ssh
: console LOCAL" and SSH open to the Internet above, every local account here is an
: Internet-reachable login. "test" looks like a leftover account -- remove it or
: give it an explicit low "privilege" level, and rotate both passwords if this
: listing has been shared with the hashes intact.
username test password $sha512$5000$oS4/YXQV4n7xcNHppky1Tw==$jrMD11XGlCu+HOzUdHfM5Q== pbkdf2
username ldskyway password $sha512$5000$/7iRHP1HVsjJAKYefWZYcg==$9sPSuyxLi3VQ8sE6qpnfCg== pbkdf2
: L2L tunnel-groups keyed by peer address. "show running-config" masks the PSKs as
: *****, but "more system:running-config" prints them, so anyone with privileged
: shell access holds both keys. Use long random keys that differ per peer, and
: rotate them if a copy of this config has circulated. DPD/keepalive is not set
: here, so the platform defaults apply.
tunnel-group *.*.*78 type ipsec-l2l
tunnel-group *.*.*78 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group *.*.*238 type ipsec-l2l
tunnel-group *.*.*238 ipsec-attributes
ikev1 pre-shared-key *****
!
: Default inspection class (matches the well-known ports for the protocols listed
: in global_policy).
class-map inspection_default
match default-inspection-traffic
!
!
: DNS inspection parameters: caps DNS message length at 512 bytes (or the client's
: advertised EDNS size) and leaves TCP DNS uninspected -- the 9.8 defaults.
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp