Resetting a Cisco ASA 5505 to its factory-default configuration


While you are learning how a Cisco ASA 5505 works, something will not come out right the first time, and you realize it would be good to return to the default values and start over. Below are the step-by-step actions for this rather simple operation. It only looks simple afterwards; at first a lot was unclear and somewhat unsettling. In general you have to go through and try out every instruction and feature described in the documentation on the official Cisco site to find your way around the settings. Having never dealt with the device before, it is hard to even imagine how to get what you want. But I am not giving up and keep moving forward. Many who have already been through this will say: it is all simple here, and dwelling on such a trivial step is a waste of time. My answer to all of them: do not read it, or write something of your own and share the results of your work, and you will have honor and praise; anyone can be negative.

I connect to the device through the console port and apply the factory-default configuration. Read the warning the command prints before going any further: it clears the boot system setting, and the next reload will boot whatever image is found first on disk0:, so a valid image must be present there or the appliance will not come back up. (The command also accepts an optional inside IP address and mask if 192.168.1.1/24 does not suit the lab.)

ciscoasa> enable

Password:

ciscoasa# config terminal

ciscoasa(config)# config factory-default

WARNING: The boot system configuration will be cleared.

The first image found in disk0:/ will be used to boot the

system on the next reload.

Verify there is a valid image on disk0:/ or the system will

not boot.

Begin to apply factory-default configuration:

Clear all configuration

WARNING: DHCPD bindings cleared on interface 'inside', address pool removed

Executing command: interface Ethernet 0/0

Executing command: switchport access vlan 2

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/1

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/2

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/3

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/4

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/5

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/6

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface Ethernet 0/7

Executing command: switchport access vlan 1

Executing command: no shutdown

Executing command: exit

Executing command: interface vlan2

Executing command: nameif outside

INFO: Security level for "outside" set to 0 by default.

Executing command: no shutdown

Executing command: ip address dhcp setroute

Executing command: exit

Executing command: interface vlan1

Executing command: nameif inside

INFO: Security level for "inside" set to 100 by default.

Executing command: ip address 192.168.1.1 255.255.255.0

Executing command: security-level 100

Executing command: allow-ssc-mgmt

ERROR: SSC card is not available

Executing command: no shutdown

Executing command: exit

Executing command: object network obj_any

Executing command: subnet 0.0.0.0 0.0.0.0

Executing command: nat (inside,outside) dynamic interface

Executing command: exit

Executing command: http server enable

Executing command: http 192.168.1.0 255.255.255.0 inside

Executing command: dhcpd address 192.168.1.5-192.168.1.36 inside

Executing command: dhcpd auto_config outside

Executing command: dhcpd enable inside

Executing command: logging asdm informational

Factory-default configuration is completed

Displaying the current configuration:

ciscoasa(config)# show running-config

: Saved

:

ASA Version 8.3(2)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network obj_any

nat (inside,outside) dynamic interface

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.36 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:5a4f3ded26ff5320c8227773c51cfdce

: end
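The configuration above is what the firewall runs after the reset, and a few of its lines deserve attention before anything is plugged into the ports: enable password 8Ry2YjIyt7RRXU24 encrypted and passwd 2KFQnbNIdI.2KYOU encrypted are the well-known hashes of an empty enable password and of the default login password cisco (the legacy ASA hashes are unsalted, which is why the same strings appear on every appliance); http server enable together with http 192.168.1.0 255.255.255.0 inside lets any host on the inside VLAN reach ASDM; there is no aaa authentication for management logins; and only logging asdm is configured, not logging enable. The Python script below is an added example, not part of the original post and not anything Cisco ships: it takes the text of show running-config and flags those factory-default settings. Its sample input is an excerpt of the configuration above plus a constructed hardened variant whose password hashes and admin account are placeholders.

```python
"""Flag factory-default settings in a Cisco ASA running-config.

Added example, not from the original post. The input is the text of
`show running-config`; FACTORY_CONFIG is an excerpt of the page's own
post-reset config, HARDENED_CONFIG a constructed variant with placeholder
password hashes (not real hashes).
"""
import re
from dataclasses import dataclass

# Well-known hashes present in every ASA factory-default configuration:
# the legacy enable/passwd hashes are unsalted, so they are constant.
DEFAULT_ENABLE_HASH = "8Ry2YjIyt7RRXU24"  # empty enable password
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"  # login password "cisco"

FACTORY_CONFIG = """\
: Saved
ASA Version 8.3(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
logging asdm informational
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
"""

# Constructed hardened variant: unique passwords (placeholder hashes), a
# local admin account, AAA on every management path, ASDM and SSH limited
# to one admin host, and syslog actually switched on.
HARDENED_CONFIG = (
    FACTORY_CONFIG
    .replace("8Ry2YjIyt7RRXU24", "PlaceholderEnab1")
    .replace("2KFQnbNIdI.2KYOU", "PlaceholderPass1")
    .replace("http 192.168.1.0 255.255.255.0 inside",
             "http 192.168.1.10 255.255.255.255 inside")
    + "username admin password PlaceholderUser1 encrypted privilege 15\n"
      "aaa authentication ssh console LOCAL\n"
      "aaa authentication http console LOCAL\n"
      "aaa authentication enable console LOCAL\n"
      "ssh 192.168.1.10 255.255.255.255 inside\n"
      "logging enable\n"
)


@dataclass
class Finding:
    check: str
    severity: str  # HIGH, MEDIUM or LOW
    evidence: str


def config_lines(text):
    """Non-comment config lines, indentation stripped (':' and '!' are comments)."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith((":", "!"))]


def audit(text):
    """Return findings for one running-config, most severe first."""
    lines = config_lines(text)
    found = []

    def matching(pattern):
        return [ln for ln in lines if re.match(pattern, ln)]

    # Credentials: compare against the constant factory hashes.
    for ln in matching(r"enable password \S+ encrypted$"):
        if ln.split()[2] == DEFAULT_ENABLE_HASH:
            found.append(Finding("default-enable-password", "HIGH", ln))
    for ln in matching(r"passwd \S+ encrypted$"):
        if ln.split()[1] == DEFAULT_PASSWD_HASH:
            found.append(Finding("default-login-password", "HIGH", ln))

    # Management plane: cleartext telnet, ASDM open to a whole subnet, no AAA.
    for ln in matching(r"telnet \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$"):
        found.append(Finding("telnet-enabled", "HIGH", ln))
    if "http server enable" in lines:
        for ln in matching(r"http \d+\.\d+\.\d+\.\d+ \S+ \S+$"):
            if ln.split()[2] != "255.255.255.255":
                found.append(Finding("asdm-open-to-subnet", "MEDIUM", ln))
    if not matching(r"aaa authentication (ssh|http|enable|telnet) console "):
        found.append(Finding("no-aaa-for-management", "MEDIUM",
                             "no 'aaa authentication ... console' line"))

    # Visibility and exposure: syslog off, DHCP server handing out addresses.
    if "logging enable" not in lines:
        found.append(Finding("logging-disabled", "LOW", "no 'logging enable'"))
    for ln in matching(r"dhcpd enable \S+$"):
        found.append(Finding("dhcp-server-enabled", "LOW", ln))

    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(found, key=lambda f: order[f.severity])


def highest_severity(findings):
    """'HIGH', 'MEDIUM', 'LOW', or None for a config with no findings."""
    return findings[0].severity if findings else None


def report(text):
    for f in audit(text):
        print(f"{f.severity:<6} {f.check:<24} {f.evidence}")


if __name__ == "__main__":
    report(FACTORY_CONFIG)
    print("---")
    report(HARDENED_CONFIG)
```

Paste the output of show running-config into a file and pass its contents to audit(); any HIGH finding means the appliance still answers to the factory credentials. The comparison is deliberately a fixed-string match: because these legacy hashes carry no per-device salt, the default hash is identical on every ASA, so there is nothing to compute.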

To save the current configuration I enter the command below on the console. Note that write memory overwrites the startup configuration with these defaults, so the previous configuration is gone for good unless it was copied off the appliance beforehand:

ciscoasa(config)# write memory

Building configuration…

Cryptochecksum: 5a4f3ded 26ff5320 c8227773 c51cfdce

2460 bytes copied in 1.540 secs (2460 bytes/sec)

[OK]

With this note I do not claim that the actions described are precise; I am only learning.

I reload the device (this is what is good about a console connection: you immediately see what the device is doing and how):

ciscoasa(config)# reload

Proceed with reload? [confirm]

ciscoasa(config)#

***

*** --- START GRACEFUL SHUTDOWN ---

Shutting down isakmp

Shutting down webvpn

Shutting down webvpn

Shutting down File system

***

*** --- SHUTDOWN NOW ---

Process shutdown finished

Rebooting…..

CISCO SYSTEMS

Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45

Low Memory: 632 KB

High Memory: 507 MB

PCI Device Table.

Bus Dev Func VendID DevID Class Irq

00 01 00 1022 2080 Host Bridge

00 01 02 1022 2082 Chipset En/Decrypt 11

00 0C 00 1148 4320 Ethernet 11

00 0D 00 177D 0003 Network En/Decrypt 10

00 0F 00 1022 2090 ISA Bridge

00 0F 02 1022 2092 IDE Controller

00 0F 03 1022 2093 Audio 10

00 0F 04 1022 2094 Serial Bus 9

00 0F 05 1022 2095 Serial Bus 9

Evaluating BIOS Options …

Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

Launching BootLoader…

Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa832-npe-k8.bin… Booting…

Platform ASA5505

Loading…

dosfsck 2.11, 12 Mar 2005, FAT32, LFN

Starting check/repair pass.

Starting verification pass.

/dev/hda1: 104 files, 15011/62844 clusters

dosfsck(/dev/hda1) returned 0

IO memory 39583744 bytes

Processor memory 382734336, Reserved memory: 62914560 (DSOs: 0 + kernel: 629145)

Total SSMs found: 0

Total NICs found: 10

88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002

88E6095 rev 2 Ethernet @ index 08 MAC: 74a0.2f5a.e2d5

88E6095 rev 2 Ethernet @ index 07 MAC: 74a0.2f5a.e2d4

88E6095 rev 2 Ethernet @ index 06 MAC: 74a0.2f5a.e2d3

88E6095 rev 2 Ethernet @ index 05 MAC: 74a0.2f5a.e2d2

88E6095 rev 2 Ethernet @ index 04 MAC: 74a0.2f5a.e2d1

88E6095 rev 2 Ethernet @ index 03 MAC: 74a0.2f5a.e2d0

88E6095 rev 2 Ethernet @ index 02 MAC: 74a0.2f5a.e2cf

88E6095 rev 2 Ethernet @ index 01 MAC: 74a0.2f5a.e2ce

y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 74a0.2f5a.e2d6

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

Boot microcode : CN1000-MC-BOOT-2.00

SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06

Verify the activation-key, it might take a while…

Running Permanent Activation Key: 0x6218f56c 0xac92ad8f 0xbcd2012c 0xbbc48c80 0

Licensed features for this platform:

Maximum Physical Interfaces : 8 perpetual

VLANs : 3 DMZ Restricted

Dual ISPs : Disabled perpetual

VLAN Trunk Ports : 0 perpetual

Inside Hosts : 10 perpetual

Failover : Disabled perpetual

VPN-DES : Enabled perpetual

VPN-3DES-AES : Disabled perpetual

SSL VPN Peers : 2 perpetual

Total VPN Peers : 10 perpetual

Shared License : Disabled perpetual

AnyConnect for Mobile : Disabled perpetual

AnyConnect for Cisco VPN Phone : Disabled perpetual

AnyConnect Essentials : Disabled perpetual

Advanced Endpoint Assessment : Disabled perpetual

Botnet Traffic Filter : Disabled perpetual

Intercompany Media Engine : Disabled perpetual

This platform has a Base license.

Cisco Adaptive Security Appliance Software Version 8.3(2)

****************************** Warning *******************************

This product contains cryptographic features and is

subject to United States and local country laws

governing, import, export, transfer, and use.

Delivery of Cisco cryptographic products does not

imply third-party authority to import, export,

distribute, or use encryption. Importers, exporters,

distributors and users are responsible for compliance

with U.S. and local country laws. By using this

product you agree to comply with applicable laws and

regulations. If you are unable to comply with U.S.

and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic

products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by

sending email to export@cisco.com.

******************************* Warning *******************************

Copyright (c) 1996-2010 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software - Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, California 95134-1706

*************************************************************************

** **

** Note that for a failover deployment, both devices in the pair **

** must have identical memory. **

** **

*************************************************************************

Reading from flash…

!.

Cryptochecksum (unchanged): 5a4f3ded 26ff5320 c8227773 c51cfdce

Type help or '?' for a list of available commands.

Excellent, that is exactly what I needed. It works; now I can repeat my tests as many times as I like and, if I do not like something, roll back to the default state. Until next time, with respect, the blog author, ekzorchik.
