Пока изучаешь как работает сетевое устройства Cisco ASA 5505 что-то не получается с первого раза и понимаешь что хорошо было бы вернуть к дефолтным значениям, начать все заново. Ниже пошаговые действия чтобы осуществить столь простое действия, но это уже после, а сперва было многое не понятно и как-то не по себе. Вообщем нужно разбирать и эмулировать все описанные инструкции и возможности в документации на официальном сайте cisсo чтобы ориентировать в настройках. Ведь ни когда не имевши дело – сложно вообще представить как получить желаемое. Но я не отчаиваюсь и двигаюсь вперед. Многие уже сталкивающиеся скажу, да тут все просто и заострять внимание на таком простом действии – это все пустая трата времени – ответ мой всем таким – не смотрите или напишите что-нибудь свое, поделитесь результатами наработок и будет Вам честь и хвала, а говорить негатив может каждый.
Подключаюсь к устройству через консольный порт:
ciscoasa> enable
Password:
ciscoasa# config terminal
ciscoasa(config)# config factory-default
WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.
Begin to apply factory-default configuration:
Clear all configuration
WARNING: DHCPD bindings cleared on interface ‘inside’, address pool removed
Executing command: interface Ethernet 0/0
Executing command: switchport access vlan 2
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/1
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/2
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/3
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/4
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/5
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/6
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/7
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface vlan2
Executing command: nameif outside
INFO: Security level for “outside” set to 0 by default.
Executing command: no shutdown
Executing command: ip address dhcp setroute
Executing command: exit
Executing command: interface vlan1
Executing command: nameif inside
INFO: Security level for “inside” set to 100 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: allow-ssc-mgmt
ERROR: SSC card is not available
Executing command: no shutdown
Executing command: exit
Executing command: object network obj_any
Executing command: subnet 0.0.0.0 0.0.0.0
Executing command: nat (inside,outside) dynamic interface
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 inside
Executing command: dhcpd address 192.168.1.5-192.168.1.36 inside
Executing command: dhcpd auto_config outside
Executing command: dhcpd enable inside
Executing command: logging asdm informational
Factory-default configuration is completed
Отображаю текущую конфигурацию:
ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5a4f3ded26ff5320c8227773c51cfdce
: end
Чтобы сохранить текущую конфигурацию: (ввожу в консоли управления команду ниже)
ciscoasa(config)# write memory
Building configuration…
Cryptochecksum: 5a4f3ded 26ff5320 c8227773 c51cfdce
2460 bytes copied in 1.540 secs (2460 bytes/sec)
[OK]
Этой заметкой я не претендую на точность передаваемых действий, я всего лишь учусь.
Перезагружаю устройство: (вот чем хорошо консольное подключение сразу видишь что делает и как делает устройство)
ciscoasa(config)# reload
Proceed with reload? [confirm]
ciscoasa(config)#
***
*** — START GRACEFUL SHUTDOWN —
Shutting down isakmp
Shutting down webvpn
Shutting down webvpn
Shutting down File system
***
*** — SHUTDOWN NOW —
Process shutdown finished
Rebooting…..
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9
Evaluating BIOS Options …
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Launching BootLoader…
Default configuration file contains 1 entry.
Searching / for images to boot.
Loading /asa832-npe-k8.bin… Booting…
Platform ASA5505
Loading…
�dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 104 files, 15011/62844 clusters
dosfsck(/dev/hda1) returned 0
IO memory 39583744 bytes
Processor memory 382734336, Reserved memory: 62914560 (DSOs: 0 + kernel: 629145)
Total SSMs found: 0
Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 74a0.2f5a.e2d5
88E6095 rev 2 Ethernet @ index 07 MAC: 74a0.2f5a.e2d4
88E6095 rev 2 Ethernet @ index 06 MAC: 74a0.2f5a.e2d3
88E6095 rev 2 Ethernet @ index 05 MAC: 74a0.2f5a.e2d2
88E6095 rev 2 Ethernet @ index 04 MAC: 74a0.2f5a.e2d1
88E6095 rev 2 Ethernet @ index 03 MAC: 74a0.2f5a.e2d0
88E6095 rev 2 Ethernet @ index 02 MAC: 74a0.2f5a.e2cf
88E6095 rev 2 Ethernet @ index 01 MAC: 74a0.2f5a.e2ce
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 74a0.2f5a.e2d6
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Verify the activation-key, it might take a while…
Running Permanent Activation Key: 0x6218f56c 0xac92ad8f 0xbcd2012c 0xbbc48c80 0
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
SSL VPN Peers : 2 perpetual
Total VPN Peers : 10 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Cisco Adaptive Security Appliance Software Version 8.3(2)
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
Copyright (c) 1996-2010 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software – Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
*************************************************************************
** **
** Note that for a failover deployment, both devices in the pair **
** must have identical memory. **
** **
*************************************************************************
Reading from flash…
!.
Cryptochecksum (unchanged): 5a4f3ded 26ff5320 c8227773 c51cfdce
Type help or ‘?’ for a list of available commands.
Отлично то что мне и нужно было. Работает, теперь я могу повторять свои тесты сколько угодно и если что-то мне не понравиться откатиться до дефолтного состояния, а пока до встречи с уважением автор блога – ekzorchik
Спасибо, за шаги – искал их давно.