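My company has a 50 Mbps down/up connection. I just migrated from a PIX 515E to an ASA 5512. Previously, a single user could download a large file from the Internet and block all other users from accessing the Internet until the download finished. I assumed this was a limitation of the PIX being unable to handle a 50 Mbps connection. We did not have this problem when we had a 20 Mbps connection in 2016.
However, even with the ASA installed, we still run into this problem. This does not look like a QoS matter, because it is not HTTP/S versus FTP. Rather, one HTTP/S download blocks all other HTTP/S downloads.
It seems that if one user starts a download at 50 Mbps and a second user needs to download something, the ASA should allocate 25 Mbps to each user. Is this something I have to configure manually?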
Edit: the requested output.
Output of show resource usage (show resource usage all detail is too long):
ASA-Primary# sh resource usage
Resource              Current    Peak      Limit  Denied  Context
SSH Server                  1       1          5       0  System
ASDM                        1       2         30       0  System
Syslogs [rate]              0       8        N/A       0  System
Conns                     874    2312     100000       0  System
Xlates                    755    2151        N/A       0  System
Hosts                    9246    9417        N/A       0  System
Conns [rate]               11     204        N/A       0  System
Inspects [rate]             2      52        N/A       0  System
Routes                     15      15  unlimited       0  System
Running config, scrubbed:
!
ASA Version 9.2(2)4
!
hostname ASA-Primary
domain-name domain.example.com
enable password redactedredacted encrypted
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any6
xlate per-session permit tcp any4 any4
xlate per-session permit udp any6 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit tcp any6 any4
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any4 any4 eq domain
passwd redactedredacted encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address FF.SS.TT.35 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.14.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz1
security-level 50
ip address 172.16.8.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif dmz2
security-level 50
ip address 172.16.137.1 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description ASA-Primary Management port
management-only
nameif management
security-level 100
ip address 10.3.8.99 255.255.252.0
!
banner login *** WARNING -- ACCESS TO THIS SYSTEM IS PROHIBITED ***
boot system disk0:/asa922-4-smp-k8.bin
boot system disk0:/asa902-smp-k8.bin
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.3.8.7
name-server 10.3.0.3
domain-name domain.example.com
object network inside-10.3
subnet 10.3.0.0 255.255.0.0
object network inside-172.16.138
subnet 172.16.138.0 255.255.255.0
object network inside-172.16.136
subnet 172.16.136.0 255.255.255.0
object network inside-172.16.139
subnet 172.16.139.0 255.255.255.0
object network EndUserIP-soandso1
host re.dac.t.ed
object network EndUserIP-soandso2
host re.dac.t.ed
object network EndUserIP-soandso3
host re.dac.t.ed
object network EndUserIP-soandso4
host re.dac.t.ed
object network OutsideVendor-1
subnet 206.160.83.0 255.255.255.0
object network wanIP-ISP1-Host033
host FF.SS.TT.33
object network wanIP-ISP1-Host034
host FF.SS.TT.34
object network wanIP-ISP1-Host035
host FF.SS.TT.35
description External WAN IP FF.SS.TT.35/27 on primary ISP, Global WAN IP
object network wanIP-ISP1-Host036
host FF.SS.TT.36
object network wanIP-ISP1-Host037
host FF.SS.TT.37
object network wanIP-ISP1-Host038
host FF.SS.TT.38
object network wanIP-ISP1-Host039
host FF.SS.TT.39
description External WAN IP FF.SS.TT.39/27 on primary ISP, external SSH
object network wanIP-ISP1-Host040
host FF.SS.TT.40
object network wanIP-ISP1-Host041
host FF.SS.TT.41
object network wanIP-ISP1-Host042
host FF.SS.TT.42
description External WAN IP FF.SS.TT.42/27 on primary ISP, WWW
object network wanIP-ISP1-Host043
host FF.SS.TT.43
object network wanIP-ISP1-Host044
host FF.SS.TT.44
object network wanIP-ISP1-Host045
host FF.SS.TT.45
object network wanIP-ISP1-Host046
host FF.SS.TT.46
object network wanIP-ISP1-Host047
host FF.SS.TT.47
object network wanIP-ISP1-Host048
host FF.SS.TT.48
object network wanIP-ISP1-Host049
host FF.SS.TT.49
object network wanIP-ISP1-Host050
host FF.SS.TT.50
object network wanIP-ISP1-Host051
host FF.SS.TT.51
object network wanIP-ISP1-Host052
host FF.SS.TT.52
object network wanIP-ISP1-Host053
host FF.SS.TT.53
object network wanIP-ISP1-Host054
host FF.SS.TT.54
object network wanIP-ISP1-Host055
host FF.SS.TT.55
object network wanIP-ISP1-Host056
host FF.SS.TT.56
object network wanIP-ISP1-Host057
host FF.SS.TT.57
object network wanIP-ISP1-Host058
host FF.SS.TT.58
object network wanIP-ISP1-Host059
host FF.SS.TT.59
description External WAN IP FF.SS.TT.59/27 on primary ISP, FTP
object network wanIP-ISP1-Host060
host FF.SS.TT.60
object network wanIP-ISP1-Host061
host FF.SS.TT.61
object network wanIP-ISP1-Host062
host FF.SS.TT.62
object network workstationIP-1
host 10.3.9.99
object network serverIP-clock
host 172.16.137.50
object network serverIP-vxx1
host 172.16.8.8
object network serverIP-INCWeb
host 172.16.138.145
object network serverIP-Proxy
host 172.16.8.53
object network serverIP-proof
host 172.16.137.60
object network serverIP-FTP
host 10.3.8.48
object network serverIP-NewerFTP
host 10.3.8.148
object network serverIP-bud
host 10.3.8.88
object network serverIP-vxx2
host 10.3.4.250
object network serverIP-syslog
host 10.3.9.86
object network serverIP-smart
host 172.16.137.5
object network serverIP-www
host 172.16.137.42
object network serverIP-Webmail
host 172.16.137.30
object network serverIP-DC1
host 10.3.0.3
object network serverIP-edgcap
host 10.3.24.5
object network serverIP-m1
host 10.3.12.14
object network serverIP-m2
host 10.3.12.15
object network serverIP-m3
host 10.3.12.25
object network vpn-tunnelrs-site1
subnet 10.191.5.0 255.255.255.248
object network vpn-tunnelrs-site2
subnet 10.191.37.0 255.255.255.248
object network vpn-tunnelvanco-group-10
subnet 10.100.10.0 255.255.255.0
object network vpn-tunnelvanco-group-20
subnet 10.100.20.0 255.255.255.0
object network vpn-tunnelvanco-group-30
subnet 10.100.30.0 255.255.255.0
object network vpn-tunnelvanco-group-40
subnet 10.100.40.0 255.255.255.0
object network vpn-fin
subnet 172.16.0.0 255.255.252.0
object network serverIP-INCWeb
host 10.3.9.141
object network serverIP-INCWebVlan5
host 172.16.138.141
object-group network oldspamfilter
description all oldspamfilter and google app ip addresses
network-object 64.18.0.0 255.255.240.0
network-object 64.223.160.0 255.255.224.0
network-object 66.102.0.0 255.255.224.0
network-object 66.249.80.0 255.255.240.0
network-object 72.14.192.0 255.255.192.0
network-object 74.125.0.0 255.255.0.0
network-object 173.194.0.0 255.255.0.0
network-object 207.126.144.0 255.255.240.0
network-object 209.85.128.0 255.255.128.0
network-object 216.239.32.0 255.255.224.0
object-group network DenyBadHosts
description Use this group to block access from inside to out
network-object host 63.209.213.22
network-object host 63.211.120.39
network-object host 66.151.158.177
network-object host 66.98.192.81
network-object host 81.173.5.198
network-object host 172.16.253.162
network-object host 207.44.246.72
network-object host 217.64.35.211
object-group network inside-nets
description All the internal LAN addresses
network-object object inside-10.3
network-object object inside-172.16.138
network-object object inside-172.16.136
network-object object inside-172.16.139
object-group network cloudproduct
network-object 4.232.123.0 255.255.255.0
object-group network ExternalAccess-FTPServer
description Access group to allow WWW/HTTPS on the FTP Server
network-object object OutsideVendor-1
network-object object EndUserIP-soandso4
network-object object EndUserIP-soandso3
network-object object EndUserIP-soandso1
network-object object EndUserIP-soandso2
object-group network ExternalAccess-syslog
description Access group to allow SSH
network-object object EndUserIP-soandso1
network-object object EndUserIP-soandso2
object-group network ExternalAccess-RDP
network-object object EndUserIP-soandso4
network-object object EndUserIP-soandso3
network-object object EndUserIP-soandso1
network-object object EndUserIP-soandso2
object-group network access-ssh
description This is for allowing SSH access.
network-object object EndUserIP-soandso1
network-object object EndUserIP-soandso4
network-object object EndUserIP-soandso3
network-object object EndUserIP-soandso2
object-group network ExternalAccess-NewerFTP
description Allow certain services to the Newer FTP server
network-object object EndUserIP-soandso1
object-group network DM_INLINE_NETWORK_1
group-object cloudproduct
group-object oldspamfilter
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_2
service-object esp
service-object udp destination eq 4500
service-object udp destination eq isakmp
object-group service DM_INLINE_TCP_1 tcp
port-object eq 8080
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_10 tcp
port-object eq www
port-object eq https
port-object eq pop3
object-group service DM_INLINE_TCP_11 tcp
port-object eq ftp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_12 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_13 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq 3876
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq 2052
port-object range 28000 30000
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_6 tcp
port-object range 38700 39699
port-object eq ftp
object-group service DM_INLINE_TCP_7 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_8 tcp
port-object range 38700 39699
port-object eq ftp
object-group service DM_INLINE_TCP_9 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq smtp
service-object tcp-udp destination eq domain
object-group service DM_INLINE_SERVICE_5
service-object tcp-udp destination eq 20000
service-object tcp destination eq 2051
service-object tcp destination eq 2737
object-group service DM_INLINE_TCP_14 tcp
port-object eq 8080
port-object eq ftp
port-object eq www
port-object eq https
object-group network vpn-vanco
network-object object vpn-tunnelvanco-group-10
network-object object vpn-tunnelvanco-group-20
network-object object vpn-tunnelvanco-group-30
network-object object vpn-tunnelvanco-group-40
object-group network DM_INLINE_NETWORK_2
network-object 172.16.8.0 255.255.255.0
group-object inside-nets
network-object 172.16.137.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 172.16.137.0 255.255.255.0
group-object inside-nets
network-object 172.16.8.0 255.255.255.0
object-group icmp-type DM_INLINE_ICMP_3
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_4
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group service DM_INLINE_TCP_15 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_16 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_6
service-object esp
service-object udp destination eq 4500
service-object udp destination eq isakmp
access-list InsideToOut extended deny ip any object-group DenyBadHosts
access-list InsideToOut extended permit ip object-group inside-nets any inactive
access-list InsideToOut extended permit ip any any inactive
access-list InsideToOut extended permit object-group TCPUDP any any
access-list InsideToOut extended permit icmp any any object-group DM_INLINE_ICMP_2
access-list InsideToOut remark This AL is for LAN-to-WAN communication, applied to inside int, incoming traffic
access-list OutsideToIn extended deny ip object-group DenyBadHosts any
access-list OutsideToIn extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list OutsideToIn extended permit tcp object-group access-ssh object serverIP-syslog eq ssh
access-list OutsideToIn extended permit object-group DM_INLINE_PROTOCOL_1 any object serverIP-smart eq domain inactive
access-list OutsideToIn extended permit tcp object-group DM_INLINE_NETWORK_1 object serverIP-smart eq smtp inactive
access-list OutsideToIn extended permit object-group DM_INLINE_SERVICE_2 any object serverIP-vxx1
access-list OutsideToIn extended permit tcp any object serverIP-www object-group DM_INLINE_TCP_1
access-list OutsideToIn extended permit tcp object-group access-ssh object serverIP-vxx2 eq ssh
access-list OutsideToIn extended permit tcp any object serverIP-vxx2 object-group DM_INLINE_TCP_2
access-list OutsideToIn extended permit tcp any object wanIP-ISP1-Host044 object-group DM_INLINE_TCP_9 inactive
access-list OutsideToIn extended permit tcp any object serverIP-Webmail object-group DM_INLINE_TCP_10 inactive
access-list OutsideToIn extended permit tcp any object wanIP-ISP1-Host046 object-group DM_INLINE_TCP_11 inactive
access-list OutsideToIn extended permit tcp any object wanIP-ISP1-Host047 object-group DM_INLINE_TCP_12 inactive
access-list OutsideToIn extended permit tcp any object serverIP-INCWeb object-group DM_INLINE_TCP_3
access-list OutsideToIn extended permit tcp any object wanIP-ISP1-Host051 object-group DM_INLINE_TCP_13 inactive
access-list OutsideToIn extended permit tcp any object serverIP-proxy object-group DM_INLINE_TCP_4
access-list OutsideToIn extended permit tcp any object serverIP-clock object-group DM_INLINE_TCP_15 inactive
access-list OutsideToIn extended permit tcp any object serverIP-proof object-group DM_INLINE_TCP_16 inactive
access-list OutsideToIn extended permit tcp any object serverIP-bud object-group DM_INLINE_TCP_5
access-list OutsideToIn extended permit tcp any object serverIP-FTP object-group DM_INLINE_TCP_6
access-list OutsideToIn extended permit tcp object-group ExternalAccess-FTPServer object serverIP-FTP object-group DM_INLINE_TCP_7
access-list OutsideToIn extended permit tcp any object serverIP-NewerFTP object-group DM_INLINE_TCP_8
access-list OutsideToIn extended permit tcp object-group ExternalAccess-RDP object workstationIP-jb2 eq 3389
access-list OutsideToIn remark This AL is for WAN-to-LAN communication, applied to outside int, incoming traffic
access-list dmz2_access_in extended permit object-group DM_INLINE_SERVICE_3 object serverIP-smart object-group inside-nets inactive
access-list dmz2_access_in extended permit tcp object serverIP-www any object-group DM_INLINE_TCP_14
access-list dmz2_access_in extended permit tcp object serverIP-www object serverIP-INCWebVlan5 eq 1433
access-list dmz2_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object serverIP-www object serverIP-DC1 eq domain
access-list dmz2_access_in extended permit icmp 172.16.137.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_ICMP_3
access-list dmz1_access_in extended permit object-group DM_INLINE_SERVICE_6 object serverIP-vxx1 any
access-list dmz1_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object serverIP-proxy object serverIP-DC1 eq domain
access-list dmz1_access_in extended permit object-group DM_INLINE_SERVICE_5 object serverIP-proxy object serverIP-edgcap
access-list dmz1_access_in extended permit icmp 172.16.8.0 255.255.255.0 object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_ICMP_4
pager lines 24
logging enable
logging emblem
logging console errors
logging trap errors
logging asdm errors
logging from-address ASA-Primary@domain.example.com
logging recipient-address redacted@domain.example.com level errors
logging device-id hostname
logging host management 10.3.8.100 format emblem
logging host management 10.3.9.86
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static serverIP-syslog wanIP-ISP1-Host039
nat (dmz2,outside) source static serverIP-smart wanIP-ISP1-Host040
nat (dmz1,outside) source static serverIP-vxx1 wanIP-ISP1-Host041
nat (dmz2,outside) source static serverIP-www wanIP-ISP1-Host042
nat (inside,outside) source static serverIP-vxx2 wanIP-ISP1-Host043
nat (dmz2,outside) source static serverIP-Webmail wanIP-ISP1-Host045
nat (inside,outside) source static serverIP-INCWeb wanIP-ISP1-Host048
nat (dmz1,outside) source static serverIP-proxy wanIP-ISP1-Host053
nat (dmz2,outside) source static serverIP-proof wanIP-ISP1-Host055
nat (inside,outside) source static serverIP-bud wanIP-ISP1-Host057
nat (inside,outside) source static serverIP-FTP wanIP-ISP1-Host059
nat (inside,outside) source static serverIP-NewerFTP wanIP-ISP1-Host060
nat (inside,outside) source static workstationIP-jb2 wanIP-ISP1-Host062
!
object network inside-10.3
nat (inside,outside) dynamic interface
object network inside-172.16.138
nat (inside,outside) dynamic interface
object network inside-172.16.136
nat (inside,outside) dynamic interface
object network inside-172.16.139
nat (inside,outside) dynamic interface
access-group OutsideToIn in interface outside
access-group InsideToOut in interface inside
access-group dmz1_access_in in interface dmz1
access-group dmz2_access_in in interface dmz2
access-group InsideToOut in interface management
route outside 0.0.0.0 0.0.0.0 FF.SS.TT.33 1
route inside 10.3.0.0 255.255.0.0 172.16.14.1 1
route inside 172.16.136.0 255.255.255.0 172.16.14.1 1
route inside 172.16.138.0 255.255.255.0 172.16.14.1 1
route inside 172.16.139.0 255.255.255.0 172.16.14.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 30
http 10.3.0.0 255.255.0.0 management
snmp-server host management 10.3.8.100 community *****
no snmp-server location
no snmp-server contact
snmp-server community domainx
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
subject-name CN=10.3.8.99,CN=ASA-Primary
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate de3b56b6
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
!!!!! Crypto policies removed.
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.3.0.0 255.255.0.0 management
telnet timeout 30
ssh stricthostkeycheck
ssh pubkey-chain
server 10.3.8.24
key-hash sha256 ef:ce:99:44:f5:8c:60:56:bb:e8:61:00:40:c1:83:95:da:bd:99:6e:23:ff:aa:11:9a:95:9f:7f:c2:e5:7d:88
ssh 10.3.0.0 255.255.0.0 management
ssh 172.16.13.0 255.255.255.0 management
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.3.0.3 source inside
ntp server 10.3.8.7 source inside prefer
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 management vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 management
webvpn
anyconnect-essentials
username admin password 90914faa252c87b4 encrypted
username soandso1 password 4e9c4a964337bd60 encrypted privilege 15
username soandso2 password b573e047c82d0d81 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
smtp-server 92.24.131.6
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 18
subscribe-to-alert-group configuration periodic monthly 18
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4bafe8c52c88da32c6aede34d020b7e3
: end
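
One way to read the show resource usage table from earlier in this post programmatically, as an added example that is not part of the original post: it parses the rows and reports any resource that had requests denied or whose peak came close to its limit. The function names and the 80% threshold are assumptions made for illustration, and the sample rows are re-typed from the output above.

```python
import re

# Constructed sample: the rows from the post's `show resource usage` output.
SAMPLE = """\
ASA-Primary# sh resource usage
Resource              Current    Peak      Limit  Denied  Context
SSH Server                  1       1          5       0  System
ASDM                        1       2         30       0  System
Syslogs [rate]              0       8        N/A       0  System
Conns                     874    2312     100000       0  System
Xlates                    755    2151        N/A       0  System
Hosts                    9246    9417        N/A       0  System
Conns [rate]               11     204        N/A       0  System
Inspects [rate]             2      52        N/A       0  System
Routes                     15      15  unlimited       0  System
"""

# Resource names may contain spaces ("SSH Server", "Conns [rate]"), so the
# pattern anchors on the five trailing fields rather than splitting from the left.
ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<current>\d+)\s+(?P<peak>\d+)\s+"
    r"(?P<limit>\d+|N/A|unlimited)\s+(?P<denied>\d+)\s+(?P<context>\S+)$"
)


def parse_resource_usage(text):
    """Return one dict per data row; header and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        limit = m["limit"]
        rows.append({
            "name": m["name"],
            "current": int(m["current"]),
            "peak": int(m["peak"]),
            # "N/A" and "unlimited" carry no numeric ceiling.
            "limit": int(limit) if limit.isdigit() else None,
            "denied": int(m["denied"]),
            "context": m["context"],
        })
    return rows


def exhausted(rows, threshold=0.8):
    """List (resource, reason) pairs for denials or peaks near the limit."""
    findings = []
    for r in rows:
        if r["denied"] > 0:
            findings.append((r["name"], f"{r['denied']} requests denied"))
        elif r["limit"] and r["peak"] / r["limit"] >= threshold:
            findings.append((r["name"], f"peak {r['peak']} of limit {r['limit']}"))
    return findings


if __name__ == "__main__":
    table = parse_resource_usage(SAMPLE)
    for name, reason in exhausted(table) or [("none", "no resource near its limit")]:
        print(f"{name}: {reason}")
```

On the rows posted here it returns no findings: nothing was denied, and peak connections were 2312 against a limit of 100000.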