
Pitz Work Pad

Cisco Switch

Test configuration for ASA VRF test


Switch

TEST123#show run
Building configuration...

Current configuration : 2577 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TEST123
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 informational
!
!
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
authentication mac-move permit
ip subnet-zero
no ip source-route
ip routing
!
!
ip vrf A
 rd 10:10
!
ip vrf B
 rd 20:20
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
 name VRF-A
!
vlan 20
 name VRF-B
!
vlan 999
 state suspend
!
!
!
!
interface FastEthernet0/1
 description zum KUNDEN A
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description zum KUNDEN B
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 shutdown
!
interface FastEthernet0/6
 shutdown
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip vrf forwarding A
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 ip vrf forwarding B
 ip address 20.20.20.1 255.255.255.0
!
ip classless
ip route vrf A 0.0.0.0 0.0.0.0 10.10.10.2
ip route vrf B 0.0.0.0 0.0.0.0 20.20.20.2
no ip http server
no ip http secure-server
!
!
ip sla enable reaction-alerts
!
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end

ASA context system

ciscoasa# show run
: Saved
:
ASA Version 8.4(2) <system>
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
mac-address auto prefix 1234
!
interface GigabitEthernet0/0
 description -- Shared Interface for virtuell Firewalls
!
interface GigabitEthernet0/0.10
 description -- Kunde A
 vlan 10
!
interface GigabitEthernet0/0.20
 description -- Kunde B
 vlan 20
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface GigabitEthernet0/3
 shutdown
!
interface Management0/0
 shutdown
!
class default
  limit-resource All 0
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!

ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
  description -- Administrationscontext fuer die virtuellen Firewalls
  config-url disk0:/admin.cfg
!

context KundeA
  description -- Virtuelle Firewall KundeA
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/0.10
  config-url disk0:/kundea.cfg
!

context KundeB
  description --  Virtuelle Firewall KundeB
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/0.20
  config-url disk0:/kundeb.cfg
!

prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b0897d7e023760196b4ed83f1003fc36
: end

mac-address auto is important for the shared interface between the virtual firewalls, because the classifier assigns a packet to a context by its ingress interface, its MAC address or a NAT rule, but not by IP address (except for the management interface). If you use an otherwise unused interface, for example GigabitEthernet0/1, it must be physically up!
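To check both points on a system-context running-config (shared interfaces are covered by mac-address auto, and no allocated interface sits on a shutdown port), here is an added Python audit script; it is not part of the original work pad, and its config excerpt is a constructed sample modelled on the system context shown above.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the ASA system-context "show run" above.
SYSTEM_CONFIG = """\
mac-address auto prefix 1234
!
interface GigabitEthernet0/1
 shutdown
!
context KundeA
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/0.10
!
context KundeB
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/0.20
!
"""

def parse_system_config(text):
    """Return (mac_auto, shutdown_ifaces, alloc); alloc maps interface -> contexts."""
    mac_auto, shutdown, alloc, section = False, set(), defaultdict(list), None
    for line in text.splitlines():
        if not line.strip() or line.startswith('!'):   # '!' closes a section
            section = None
        elif not line.startswith(' '):                  # top-level command
            m = re.match(r'(interface|context)\s+(\S+)', line)
            section = (m.group(1), m.group(2)) if m else None
            mac_auto |= line.startswith('mac-address auto')
        elif section and section[0] == 'interface' and line.strip() == 'shutdown':
            shutdown.add(section[1])
        elif section and section[0] == 'context':
            m = re.match(r'\s+allocate-interface\s+(\S+)', line)
            if m:
                alloc[m.group(1)].append(section[1])
    return mac_auto, shutdown, dict(alloc)

def audit_shared_interfaces(text):
    """Findings: shared interfaces without 'mac-address auto'; allocated ports that are shutdown."""
    mac_auto, shutdown, alloc = parse_system_config(text)
    findings = []
    shared = sorted(i for i, ctxs in alloc.items() if len(ctxs) > 1)
    if shared and not mac_auto:
        findings.append('shared interface(s) %s need "mac-address auto"' % ', '.join(shared))
    for iface in sorted(alloc):
        if iface.split('.')[0] in shutdown:   # a subinterface follows its parent port
            findings.append('%s allocated to %s but physically shutdown'
                            % (iface, ', '.join(alloc[iface])))
    return findings
```

Paste the output of `show run` from the system context into SYSTEM_CONFIG (or read it from a file) to audit a real box; an empty result means both conditions hold.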

ASA context KundeA

ciscoasa/KundeA# show run
: Saved
:
ASA Version 8.4(2) <context>
!
hostname KundeA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0.10
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 30.30.30.1 255.255.255.0
!
access-list outside_acl extended permit ip any any
access-list inside_acl extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group inside_acl in interface inside
access-group outside_acl in interface outside
route outside 20.20.20.0 255.255.255.0 30.30.30.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
dhcpd address 10.10.10.10-10.10.10.20 inside
dhcpd enable inside
!
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:f54fe3d8bf788d8a5f42b58581bafcf8
: end

ASA context KundeB

ciscoasa/KundeB# show run
: Saved
:
ASA Version 8.4(2) <context>
!
hostname KundeB
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0.20
 nameif inside
 security-level 100
 ip address 20.20.20.2 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 30.30.30.2 255.255.255.0
!
access-list outside_acl extended permit ip any any
access-list inside_acl extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group inside_acl in interface inside
access-group outside_acl in interface outside
route outside 10.10.10.0 255.255.255.0 30.30.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
dhcpd address 20.20.20.10-20.20.20.20 inside
dhcpd enable inside
!
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:20de28308247a19b2dccfaa0d2548c3b
: end

Attachment: Security_Policy_NOC.doc (60 K, 23 Nov 2011 - 14:04, StephanPietzko): Sample Security Policy NOC