Bank Network Emergency Plan
XX Co., Ltd., Network and Security Services Department
February 2021

Contents
I. Bank network structure topology
II. Backbone network communication faults
    1. Fault-handling personnel
    2. China Telecom and China Unicom network communication faults
    3. Communication fault recovery
    4. Faults on the routers to the head office
    5. Router fault handling
III. Core switch fault emergency response
    1. Emergency response when one 4506 switch fails
    2. Keeping business running normally within ?0 minutes when both core switches fail at the same time
IV. Third-party external connection zone network emergency response
    1. Third-party business: UnionPay zone network emergency response
    2. Other third-party business zone network emergency response
V. Contact information

I. Bank network structure topology

II. Backbone network communication faults

1. Fault-handling personnel

Participants: XX, XX, XX

2. China Telecom and China Unicom network communication faults

Using the logs of the two Cisco 7206 routers that connect to the head office, and by logging in to the devices and running show int ATM4/0.1, ping to the peer address, show ip route and show log, check whether the devices and lines concerned show repeated restarts, a high bit error rate, abnormal routes, incorrect connections or similar conditions. This is enough to confirm the fault.

3. Communication fault recovery

Recovery steps:
1) Restart the router connected to the faulty line and see whether it recovers automatically.
2) If a power cycle does not resolve the fault, stop using the faulty device and line so that it does not affect the rest of the network.
3) If it is a line fault, notify the parties concerned and handle it item by item:
   If the fault is on a China Telecom line, report it to 31000000 for repair and notify the relevant staff in the branch office.
   If the fault is on a China Unicom line, report it to XXXX for repair and notify the relevant staff in the branch office.

4. Faults on the routers to the head office

Review the logs and check for abnormal log entries from before the device fault. Log in to the router and use show log, show ip int brie, show process cpu his, show ip route, ping to the peer address and similar commands to confirm the fault.

5. Router fault handling

Once a fault is found on a 7206 router to the head office, handle it as follows: contact XX company and start the original vendor's warranty-service spare-part replacement procedure. Because the two 7206 routers back each other up, a fault on one of them does not affect actual business. Do not draw on warehouse spares or integrator spares for the replacement; wait for the original vendor's spare part to arrive.

For interface modules that can be hot-swapped, and for engines and power supplies that have a standby, prefer online replacement. The online replacement procedure is as follows:
a) Connect a laptop to the console port of the network device and start console monitoring and logging;
b) Have the archived system configuration ready as a fallback. If possible, also save the current system configuration;
c) Label the cables connected to the faulty module and unplug them carefully;
d) With proper safety grounding in place, pull out the faulty module;
e) Check the state of the device and its modules, and confirm whether the whole device or other modules are affected and whether the standby module has taken over normally;
f) With proper safety grounding in place, insert the replacement module;
g) Check the state of the device and its modules, and confirm whether the new module is recognized correctly and whether other modules are affected;
h) Plug the cables back in as they were;
i) Check that the cable connections are in a normal state;
j) Confirm that the spare-part replacement succeeded.

For the chassis, for interface modules that cannot be hot-swapped, and for engines and power supplies without a standby, use power-off replacement. The power-off replacement procedure is as follows:
a) Have the archived system configuration ready as a fallback. If possible, also save the current system configuration;
b) Have the previously used system software ready as a fallback;
c) Power off the faulty device;
d) Label the cables that need to be removed and unplug them carefully. If the chassis or an engine is being replaced, all connected cables must be removed;
e) Replace the part;
f) Connect a laptop to the console port of the network device and start console monitoring and logging;
g) Power on the device;
h) Check the power-on self-test and confirm that there is no hardware fault;
i) Install the system software;
j) Restore the system configuration;
k) Cold-start the device and confirm that hardware and software work normally;
l) Plug the other cables back in as they were;
m) Check that the cable connections are in a normal state;
n) Confirm that the spare-part replacement succeeded.

III. Core switch fault emergency response

1. Emergency response when one 4506 switch fails

Review the logs and check for abnormal log entries from before the device fault. Log in to the switch and use show log, show ip int brie, show process cpu his, show ip route, ping to the peer address, show vlan brie, show vtp stat, show process mem, show modul, show diag, show ip eigrp nei, show cdp nei and similar commands to locate and confirm the fault. Because the two 4506 core switches are a fully hot-standby pair, a fault on one of them does not affect business operation. For configuration problems, prepare a correct configuration-change script and apply the change after backing up the current configuration. For cabling problems, make a new network cable and replace the faulty one. For hardware problems, contact XX company and request hardware fault repair.

For interface modules that can be hot-swapped, and for engines and power supplies that have a standby, prefer online replacement. The online replacement procedure is as follows:
a) Connect a laptop to the console port of the network device and start console monitoring and logging;
b) Have the archived system configuration ready as a fallback. If possible, also save the current system configuration;
c) Label the cables connected to the faulty module and unplug them carefully;
d) With proper safety grounding in place, pull out the faulty module;
e) Check the state of the device and its modules, and confirm whether the whole device or other modules are affected and whether the standby module has taken over normally;
f) With proper safety grounding in place, insert the replacement module;
g) Check the state of the device and its modules, and confirm whether the new module is recognized correctly and whether other modules are affected;
h) Plug the cables back in as they were;
i) Check that the cable connections are in a normal state;
j) Confirm that the spare-part replacement succeeded.

For the chassis, for interface modules that cannot be hot-swapped, and for engines and power supplies without a standby, use power-off replacement. The power-off replacement procedure is as follows:
a) Have the archived system configuration ready as a fallback. If possible, also save the current system configuration;
b) Have the previously used system software ready as a fallback;
c) Power off the faulty device;
d) Label the cables that need to be removed and unplug them carefully. If the chassis or an engine is being replaced, all connected cables must be removed;
e) Replace the part;
f) Connect a laptop to the console port of the network device and start console monitoring and logging;
g) Power on the device;
h) Check the power-on self-test and confirm that there is no hardware fault;
i) Install the system software;
j) Restore the system configuration;
k) Cold-start the device and confirm that hardware and software work normally;
l) For a switch, set VTP to Client mode, connect the uplink cable first, and confirm that VTP replication is correct;
m) Plug the other cables back in as they were;
n) Check that the cable connections are in a normal state;
o) Confirm that the spare-part replacement succeeded.

2. Keeping business running normally within ?0 minutes when both core switches fail at the same time

Two spare Cisco 3550 switches are available. If both core Cisco 4506 switches fail at the same time, the 3550s take over as the core switches to keep business running normally, while preserving the original network topology and the network core's security policy and QoS.

3550 core switch configuration definition

Device name

    hostname production

Device software version

Use an IOS image that supports dynamic routing protocols: c3550-i5k2l2q3-mz.121-13.EA1a.bin

VLAN definition

    VLAN Name       Status    Ports
    1    default    active    Fa0/1, Fa0/2, Fa0/35, Fa0/36
                              Fa0/37, Fa0/38, Fa0/39, Fa0/40
                              Fa0/41, Fa0/42, Fa0/43, Fa0/44
                              Fa0/45, Fa0/46, Fa0/47, Fa0/48
    2    vlan0002   active    Fa0/10, Fa0/21, Fa0/25, Fa0/34
                              Gi0/1, Gi0/2
    3    vlan0003   active    Fa0/5, Fa0/8, Fa0/11, Fa0/12
                              Fa0/17, Fa0/19, Fa0/20, Fa0/22
                              Fa0/28, Fa0/29, Fa0/30, Fa0/32
    4    vlan0004   active    Fa0/13, Fa0/18, Fa0/27
    5    vlan0005   active    Fa0/7
    6    vlan0006   active
    10   vlan0010   active    Fa0/4, Fa0/6, Fa0/14
    20   vlan0020   active
    30   vlan0030   active
    40   vlan0040   active
    50   VLAN0050   active
    60   VLAN0060   active
    63   vlan0063   active
    128  vlan0128   active    Fa0/3, Fa0/24, Fa0/26, Fa0/31
                              Fa0/33
    195  vlan195    active    Fa0/16, Fa0/23
    196  vlan196    active
    255  VLAN0255   active    Fa0/9, Fa0/15

IP address allocation and HSRP

    interface Vlan1
     no ip address
     no ip redirects
     shutdown
     standby 10 priority 100
     standby 10 preempt
    !
    interface Vlan2
     ip address
     ip access-group 101 in
     no ip redirects
     standby 20 ip
     standby 20 priority 150
     standby 20 preempt
    !
    interface Vlan3
     ip address
     ip access-group 101 in
     no ip redirects
     standby 30 ip
     standby 30 priority 150
     standby 30 preempt
    !
    interface Vlan4
     ip address 6 92
     no ip redirects
     standby 40 ip 5
     standby 40 priority 150
     standby 40 preempt
    !
    interface Vlan5
     ip address 92
     no ip redirects
     standby 50 ip
     standby 50 priority 150
     standby 50 preempt
    !
    interface Vlan6
     no ip address
     no ip redirects
     shutdown
     standby 60 ip
     standby 60 priority 150
     standby 60 preempt
    !
    interface Vlan10
     ip address
     ip access-group 103 in
     no ip redirects
     standby 100 ip
     standby 100 timers 5 15
     standby 100 priority 200
     standby 100 preempt
     standby 100 track Vlan10 50
    !
    interface Vlan20
     no ip address
     no ip redirects
     standby 110 timers 5 15
     standby 110 priority 150
     standby 110 preempt
     standby 110 track Vlan20 50
    !
    interface Vlan30
     no ip address
     ip access-group 101 in
     no ip redirects
     shutdown
     standby 120 ip 00
     standby 120 timers 5 15
     standby 120 priority 200
     standby 120 preempt
     standby 120 track Vlan30 50
    !
    interface Vlan40
     no ip address
     ip access-group 101 in
     no ip redirects
     shutdown
     standby 130 ip 00
     standby 130 timers 5 15
     standby 130 priority 150
     standby 130 preempt
     standby 130 track Vlan40 50
    !
    interface Vlan50
     ip address
     ip helper-address 0
     no ip redirects
     standby 150 ip
     standby 150 timers 5 15
     standby 150 priority 150
     standby 150 preempt
     standby 150 track Vlan150
    !
    interface Vlan63
     no ip address
     no ip redirects
    !
    interface Vlan128
     ip address
     ip access-group 101 in
     no ip redirects
     standby 160 ip
     standby 160 timers 5 15
     standby 160 priority 150
     standby 160 preempt
     standby 160 track Vlan128 50
    !
    interface Vlan150
     no ip address
     shutdown
    !
    interface Vlan195
     ip address
     no ip redirects
     standby 195 ip
     standby 195 priority 150
     standby 195 preempt
    !
    interface Vlan196
     no ip address
     no ip redirects
     shutdown
     standby 196 ip
     standby 196 priority 100
     standby 196 preempt
    !
    interface Vlan255
     ip address
     no ip redirects
     standby 255 ip
     standby 255 priority 200
     standby 255 preempt

Routing policy

    router eigrp 20
     redistribute static
     network 55
     no auto-summary
     no eigrp log-neighbor-changes
    ip route 8
    ip route 55 8
    ip route 11 55 8
    ip route 8
    ip route 8
    ip route 45 55 8
    ip route 55 5
    ip route 55 6
    ip route 55 7
    ip route 1 55 8
    ip route 2 55 8
    ip route 3 55 8
    ip route 4 55 8

    interface Vlan2
     ip address
     ip access-group 101 in
    interface Vlan3
     ip address
     ip access-group 101 in
    interface Vlan30
     no ip address
     ip access-group 101 in
    interface Vlan40
     no ip address
     ip access-group 101 in
    interface Vlan128
     ip address
     ip access-group 101 in
    access-list 101 permit ip host 40 host 46
    access-list 101 permit ip host 40 host 45
    access-list 101 deny ip 55 55
    access-list 101 deny ip 55 55
    access-list 101 deny ip 55 55
    access-list 101 deny ip 55 55
    access-list 101 deny ip 55 55
    access-list 101 deny ip 55 55
    access-list 101 permit ip any any

    interface Vlan10
     ip address
     ip access-group 103 in
    access-list 103 permit ip host 45 host 0
    access-list 103 permit ip host 40 host 0
    access-list 103 permit ip host 40 host 46
    access-list 103 permit ip host 40 host 45
    access-list 103 permit ip host 45 host 8
    access-list 103 permit ip host 40 host 8
    access-list 103 permit ip host 45 host 2
    access-list 103 permit ip host 40 host
    access-list 103 permit ip host 1 host 0
    access-list 103 permit ip 55 host
    access-list 103 permit ip 55 host
    access-list 103 permit ip 55 host
    access-list 103 permit ip 55 host 0
    access-list 103 permit ip 55 host 3
    access-list 103 permit ip 55 host 5
    access-list 103 permit ip 55 host 6
    access-list 103 permit ip 55 host 0
    access-list 103 permit ip 55 host 3
    access-list 103 permit ip 55 host 3
    access-list 103 permit ip 55 host 7
    access-list 103 permit ip host 45 host 9
    access-list 103 permit ip host 40 host 9
    access-list 103 deny ip 55 55
    access-list 103 deny ip 55 55
    access-list 103 deny ip 55 55
    access-list 103 deny ip 55 55
    access-list 103 deny ip 55 55
    access-list 103 deny ip 55 55
    access-list 103 permit ip any any

QoS

As a core switch, no QoS needs to be configured here.

Security policy

    aaa new-model
    aaa authentication login spdb-acs group tacacs+ enable
    aaa accounting exec spdb-acs start-stop group tacacs+
    aaa accounting commands 0 spdb-acs start-stop group tacacs+
    aaa accounting commands 1 spdb-acs start-stop group tacacs+
    aaa accounting commands 2 spdb-acs start-stop group tacacs+
    aaa accounting commands 3 spdb-acs start-stop group tacacs+
    aaa accounting commands 4 spdb-acs start-stop group tacacs+
    aaa accounting commands 5 spdb-acs start-stop group tacacs+
    aaa accounting commands 6 spdb-acs start-stop group tacacs+
    aaa accounting commands 7 spdb-acs start-stop group tacacs+
    aaa accounting commands 8 spdb-acs start-stop group tacacs+
    aaa accounting commands 9 spdb-acs start-stop group tacacs+
    aaa accounting commands 10 spdb-acs start-stop group tacacs+
    aaa accounting commands 11 spdb-acs start-stop group tacacs+
    aaa accounting commands 12 spdb-acs start-stop group tacacs+
    aaa accounting commands 13 spdb-acs start-stop group tacacs+
    aaa accounting commands 14 spdb-acs start-stop group tacacs+
    aaa accounting commands 15 spdb-acs start-stop group tacacs+
    ip tacacs source-interface Loopback0
    tacacs-server host 7
    tacacs-server host 4
    tacacs-server key s9y8
    logging trap debugging
    logging source-interface Loopback0
    logging 4
    logging 5
    line vty 0 4
     exec-timeout 5 0
     accounting commands 0 spdb-acs
     accounting commands 1 spdb-acs
     accounting commands 2 spdb-acs
     accounting commands 3 spdb-acs
     accounting commands 4 spdb-acs
     accounting commands 5 spdb-acs
     accounting commands 6 spdb-acs
     accounting commands 7 spdb-acs
     accounting commands 8 spdb-acs
     accounting commands 9 spdb-acs
     accounting commands 10 spdb-acs
     accounting commands 11 spdb-acs
     accounting commands 12 spdb-acs
     accounting commands 13 spdb-acs
     accounting commands 14 spdb-acs
     accounting commands 15 spdb-acs
     accounting exec spdb-acs
     login authentication spdb-acs

Network management configuration

    access-list 10 permit 8
    access-list 10 permit 9
    access-list 10 permit 6
    access-list 10 permit 7
    access-list 10 permit 5
    snmp-server community public RO
    snmp-server community read RO 10
    snmp-server trap-source Loopback0
    snmp-server enable traps snmp authentication warmstart
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps rtr
    snmp-server enable traps vtp
    snmp-server host 4 public
    snmp-server host 5 read

Other configuration

    service timestamps debug datetime localtime show-timezone
    service timestamps log datetime localtime show-timezone
    service password-encryption
    no ip domain-lookup
    ip cef load-sharing algorithm original
    clock timezone BJT 8
    ntp source Loopback0
    ntp server 0
    monitor session 1 source vlan 1 , 10 , 192 rx
    monitor session 1 destination interface Fa0/5

Network implementation

Preparation
1. Eight crossover cables: 2 for the trunk and 6 to connect to the floor switches.
2. Free up ports fa0/47 and fa0/48 on the floor switches and prepare the corresponding configuration.

Implementation steps

Step 1: Rack the two 3550s and power them on (estimated 3 minutes).

Step 2: Move the fibre interfaces that connect the HP minicomputers over to the 3550 (estimated 1 minute).
    cisco4506 primary gigabit1/1 corresponds to 3550 primary gigabit0/1
    cisco4506 primary gigabit2/2 corresponds to 3550 primary gigabit0/2
    cisco4506 standby gigabit1/1 corresponds to 3550 primary gigabit0/1
    cisco4506 standby gigabit2/2 corresponds to 3550 primary gigabit0/2

Step 3: Interconnect the primary and standby 3550 with the prepared crossover cables as an EtherChannel (estimated 1 minute).
    3550 primary fa0/47 corresponds to 3550 standby fa0/47
    3550 primary fa0/48 corresponds to 3550 standby fa0/48

Step 4: Move all copper ports connected to the cisco4506 over to the 3550 (estimated 5 minutes).
    cisco4506 primary fa2/3 corresponds to 3550 primary fa0/3
    cisco4506 primary fa2/4 corresponds to 3550 primary fa0/4
    and so on
    cisco4506 primary fa2/34 corresponds to 3550 primary fa0/34
    cisco4506 standby fa2/3 corresponds to 3550 standby fa0/3
    cisco4506 standby fa2/4 corresponds to 3550 standby fa0/4
    and so on
    cisco4506 standby fa2/34 corresponds to 3550 standby fa0/34

Step 5: Interconnect the 3 floor switches with the 3550s (estimated 3 minutes).
    3550 primary fa0/41 corresponds to 255.15 fa0/47
    3550 primary fa0/43 corresponds to 255.16 fa0/47
    3550 primary fa0/45 corresponds to 255.17 fa0/47
    3550 standby fa0/41 corresponds to 255.15 fa0/48
    3550 standby fa0/43 corresponds to 255.16 fa0/48
    3550 standby fa0/45 corresponds to 255.17 fa0/48

IV. Third-party external connection zone network emergency response

1. Third-party business: UnionPay zone network emergency response

Line fault: when a fault occurs, log in to the ASA firewall, the switches and the routers and use show log, show ip int brie, show interface, ping, show ip route, show route and similar commands to determine the state of the relevant interfaces before and during the fault, and identify the problem line. If it is an internal network cable, the online replacement procedure is as follows:
a) Connect a laptop to the console port of the network device and start console monitoring and logging;
b) Have the archived system configuration ready as a fallback. If possible, also save the current system configuration;
c) Label the cables connected to the faulty module and unplug them carefully;
d) With proper safety grounding in place, plug in the replacement network cable;
e) Check that the cable connections are in a normal state;
f) Confirm that the cable replacement succeeded.
If it is an external line, then once the fault is confirmed, XX calls in the repair request and contacts China Unicom or China Mobile staff to come and repair it.

Device fault: because all devices in the UnionPay zone are hot-standby pairs, a fault on one of them does not affect business operation. For configuration problems, prepare a correct configuration-change script and apply the change after backing up the current configuration. For hardware problems, contact XX company and request hardware fault repair.

Both devices fail: use one ASA 5540 firewall as the backup carrying the ASA firewall configuration, use one Cisco 1841 router as the backup carrying the configuration of the router that connects to UnionPay, and use any one switch, with no configuration required, as the backup for the UnionPay zone switch.

ASA firewall configuration:

    spdbsyasa# sh run
    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname spdbsyasa
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0/0
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address 8
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 8
    !
    interface GigabitEthernet0/2
     nameif dmz
     security-level 50
     ip address
    !
    interface GigabitEthernet0/3
     description LAN Failover Interface
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    access-list IPP_PAT extended permit ip host 1 host 5
    access-list IPP_PAT extended permit ip host 2 host 5
    access-list IPP_PAT extended permit ip host 3 host 5
    access-list IPP_PAT extended permit ip host 1 host 8
    access-list IPP_PAT extended permit ip host 2 host 8
    access-list IPP_PAT extended permit ip host 3 host 8
    access-list OUTSIDE_IN extended permit icmp any any
    access-list OUTSIDE_IN extended permit tcp host 1 host eq 21428
    access-list OUTSIDE_IN extended permit tcp host 1 eq 21428 host
    access-list OUTSIDE_IN extended permit tcp host 1 host eq 23428
    access-list OUTSIDE_IN extended permit tcp host 1 eq 23428 host
    access-list OUTSIDE_IN extended permit tcp host 3 host eq 21428
    access-list OUTSIDE_IN extended permit tcp host 3 eq 21428 host
    access-list OUTSIDE_IN extended permit tcp host 3 host eq 23428
    access-list OUTSIDE_IN extended permit tcp host 3 eq 23428 host
    access-list OUTSIDE_IN extended permit tcp host 31 eq 6060 host 2
    access-list OUTSIDE_IN extended permit udp 4 48 eq snmptrap
    access-list OUTSIDE_IN extended permit udp 4 48 eq syslog
    access-list OUTSIDE_IN extended permit udp host 4 eq radius
    access-list OUTSIDE_IN extended permit udp host 4 eq radius-acct
    access-list OUTSIDE_IN extended permit udp host 4 eq 1812
    access-list OUTSIDE_IN extended permit udp host 4 eq 1813
    access-list OUTSIDE_IN extended permit tcp host 4 eq tacacs
    access-list OUTSIDE_IN extended permit udp host 7 eq radius
    access-list OUTSIDE_IN extended permit udp host 7 eq radius-acct
    access-list OUTSIDE_IN extended permit udp host 7 eq 1812
    access-list OUTSIDE_IN extended permit udp host 7 eq 1813
    access-list OUTSIDE_IN extended permit tcp host 7 eq tacacs
    access-list OUTSIDE_IN extended permit udp host 0
    access-list OUTSIDE_IN extended permit tcp host 0
    access-list INSIDE_OUT extended permit icmp any any
    access-list INSIDE_OUT extended permit tcp host 1 host 5 eq 21428
    access-list INSIDE_OUT extended permit tcp host 1 eq 21428 host 5
    access-list INSIDE_OUT extended permit tcp host 1 host 5 eq 23428
    access-list INSIDE_OUT extended permit tcp host 1 eq 23428 host 5
    access-list INSIDE_OUT extended permit tcp host 1 host 8 eq 21428
    access-list INSIDE_OUT extended permit tcp host 1 eq 21428 host 8
    access-list INSIDE_OUT extended permit tcp host 1 host 8 eq 23428
    access-list INSIDE_OUT extended permit tcp host 1 eq 23428 host 8
    access-list INSIDE_OUT extended permit tcp host 2 host 5 eq 21428
    access-list INSIDE_OUT extended permit tcp host 2 eq 21428 host 5
    access-list INSIDE_OUT extended permit tcp host 2 host 5 eq 23428
    access-list INSIDE_OUT extended permit tcp host 2 eq 23428 host 5
    access-list INSIDE_OUT extended permit tcp host 2 host 8 eq 21428
    access-list INSIDE_OUT extended permit tcp host 2 eq 21428 host 8
    access-list INSIDE_OUT extended permit tcp host 2 host 8 eq 23428
    access-list INSIDE_OUT extended permit tcp host 2 eq 23428 host 8
    access-list INSIDE_OUT extended permit tcp host 3 host 5 eq 21428
    access-list INSIDE_OUT extended permit tcp host 3 eq 21428 host 5
    access-list INSIDE_OUT extended permit tcp host 3 host 5 eq 23428
    access-list INSIDE_OUT extended permit tcp host 3 eq 23428 host 5
    access-list INSIDE_OUT extended permit tcp host 3 host 8 eq 21428
    access-list INSIDE_OUT extended permit tcp host 3 eq 21428 host 8
    access-list INSIDE_OUT extended permit tcp host 3 host 8 eq 23428
    access-list INSIDE_OUT extended permit tcp host 3 eq 23428 host 8
    access-list INSIDE_OUT extended permit tcp host 45 host 2 eq 6060
    access-list INSIDE_OUT extended permit ip 4 48 any
    access-list INSIDE_OUT extended permit ip host 4 any
    access-list INSIDE_OUT extended permit ip host 7 any
    access-list INSIDE_OUT extended permit udp host 0 any eq ntp
    access-list INSIDE_OUT extended permit udp host 2 any eq ntp
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    failover
    failover lan unit primary
    failover lan interface failoverlan GigabitEthernet0/3
    failover polltime unit msec 500 holdtime 5
    failover interface ip failoverlan standby
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 2
    nat (inside) 2 access-list IPP_PAT
    static (inside,outside) tcp 21428 3 21428 netmask 55
    static (inside,outside) tcp 23428 3 23428 netmask 55
    static (inside,outside) tcp telnet 3 telnet netmask 55
    static (outside,inside) 5 1 netmask 55
    static (outside,inside) 8 3 netmask 55
    static (inside,outside) 2 45 netmask 55
    static (outside,inside) 2 31 netmask 55
    static (inside,outside) 0 0 netmask 55
    static (inside,outside) 2 2 netmask 55
    static (inside,outside) 5 5 netmask 55
    static (inside,outside) 6 6 netmask 55
    static (inside,outside) 7 7 netmask 55
    static (inside,outside) 8 8 netmask 55
    static (inside,outside) 9 9 netmask 55
    static (inside,outside) 4 4 netmask 55
    static (inside,outside) 7 7 netmask 55
    access-group OUTSIDE_IN in interface outside
    access-group INSIDE_OUT in interface inside
    route outside 1 55 5 1
    route outside 3 55 5 1
    route inside 0 1
    route outside 5 1
    route inside 4 48 0 1
    route outside 31 55 5 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembl
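
Added example, not part of the original plan and not the bank's own tooling: a review pass over configuration text of the kind listed above for the standby 3550 and the backup ASA, run before the devices are put into service. It flags SNMP communities that are default-named or not bound to an ACL, ACL entries that permit all IP or ICMP, and static translations that publish Telnet. The rule names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line_no: int  # 1-based line number in the audited text
    rule: str     # short rule identifier (names chosen for this example)
    line: str     # the configuration line that triggered the rule


SNMP_RE = re.compile(r"^snmp-server community (\S+) (?:RO|RW)(?:\s+(\S+))?$", re.I)
BROAD_RE = re.compile(r"^access-list \S+ (?:extended )?permit (ip|icmp) any any$", re.I)
TELNET_NAT_RE = re.compile(
    r"^static \(\w+,\w+\) tcp \S+ (?:telnet|23) \S+ (?:telnet|23)\b", re.I
)
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_config(text: str) -> list[Finding]:
    """Return review findings for IOS or ASA 8.2-style configuration text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = " ".join(raw.split())  # collapse indentation and repeated spaces
        snmp = SNMP_RE.match(line)
        if snmp:
            community, acl = snmp.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(line_no, "snmp-default-community", line))
            if acl is None:  # no access list restricts who may poll
                findings.append(Finding(line_no, "snmp-no-acl", line))
        broad = BROAD_RE.match(line)
        if broad:
            rule = f"acl-permit-{broad.group(1).lower()}-any-any"
            findings.append(Finding(line_no, rule, line))
        if TELNET_NAT_RE.match(line):
            findings.append(Finding(line_no, "telnet-published-by-static-nat", line))
    return findings


# Constructed sample: the command forms are those used in the listings above;
# the addresses are documentation-range placeholders, not values from the plan.
SAMPLE = """\
snmp-server community public RO
snmp-server community read RO 10
access-list 101 deny ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
access-list 101 permit ip any any
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp host 192.0.2.1 host 198.51.100.3 eq 21428
static (inside,outside) tcp 198.51.100.3 telnet 192.0.2.3 telnet netmask 255.255.255.255
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE):
        print(f"line {f.line_no}: {f.rule}: {f.line}")
```

A flagged line is a prompt for review rather than proof of a defect: the closing permit ip any any in access lists 101 and 103, for instance, follows explicit deny entries.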