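Bank Network Emergency Plan

XX Co., Ltd., Network and Security Services Department

February 2012

Contents

I. Bank network topology
II. Backbone network communication failures
   Fault handling personnel
   China Telecom and China Unicom network communication failures
   Communication failure recovery
   Failure of the routers to head office
   Router failure handling
III. Core switch failure emergency response
   1. Emergency response for the failure of one 4506 switch
   2. Keeping business running within 20 minutes when both core switches are down
IV. Third-party external connection zone network emergency response
   1. Third-party business: UnionPay zone network emergency response
   2. Other third-party business zones network emergency response
V. Contact information

I. Bank network topology

II. Backbone network communication failures

Fault handling personnel

Participants: XX, XX, XX

China Telecom and China Unicom network communication failures

Review the logs of the two cisco 7206 routers that connect to head office, then log in to the devices and use show int ATM4/0.1, ping to the peer address, show ip route and show log. Check whether the devices and lines concerned show repeated restarts, a high bit error rate, abnormal routes, incorrect connections or similar conditions; this is sufficient to confirm the fault.

Communication failure recovery

Recovery steps:

1) Restart the router connected to the faulty line and see whether it recovers automatically.
2) If a power cycle does not resolve the fault, stop using the faulty device and line so that they do not affect the rest of the network.
3) If it is a line fault, notify the parties concerned (work through each item):
   - For a China Telecom line fault, report it to 31000000 and notify the relevant staff in the branch office.
   - For a China Unicom line fault, report it to XXXX and notify the relevant staff in the branch office.

Failure of the routers to head office

Review the logs and check for abnormal log entries from before the device failed. Log in to the router and use show log, show ip int brie, show process cpu his, show ip route, ping to the peer address and similar commands to confirm the fault.

Router failure handling

Once a failure of a 7206 router to head office is found, handle it as follows.

Contact XX company and start the original vendor's warranty spare-part replacement procedure. Because the two 7206 routers back each other up, the failure of one does not affect actual business, so do not draw on warehouse spares or the integrator's spares; wait for the vendor's spare part to arrive.

For interface modules that can be hot-swapped, and for engines and power supplies that have a standby, prefer online replacement. The online replacement procedure is:

1) Connect a laptop to the Console port of the network device and start Console monitoring and logging;
2) Have the archived system configuration ready as a fallback. If possible, also save the current system configuration;
3) Label the cables connected to the faulty module and unplug them carefully;
4) Make sure safety grounding is in place and pull out the faulty module;
5) Check the device and module status, confirming whether the whole device or other modules are affected and whether the standby module has taken over normally;
6) Make sure safety grounding is in place and insert the replacement module;
7) Check the device and module status, confirming whether the new module is recognized normally and whether other modules are affected;
8) Reconnect the cables as they were;
9) Check that the cable connection status is normal;
10) Confirm that the spare-part replacement succeeded.

For the chassis, for interface modules that cannot be hot-swapped, and for engines and power supplies without a standby, use power-down replacement. The power-down replacement procedure is:

1) Have the archived system configuration ready as a fallback. If possible, also save the current system configuration;
2) Have the previously used system software ready as a fallback;
3) Power down the faulty device;
4) Label the cables that need to be removed and unplug them carefully. If the chassis or engine is being replaced, all connected cables must be removed;
5) Replace the part;
6) Connect a laptop to the Console port of the network device and start Console monitoring and logging;
7) Power on the device;
8) Check the system self-test and confirm there is no hardware fault;
9) Install the system software;
10) Restore the system configuration;
11) Cold start and confirm that software and hardware work normally;
12) Reconnect the other cables as they were;
13) Check that the cable connection status is normal;
14) Confirm that the spare-part replacement succeeded.

III. Core switch failure emergency response

1. Emergency response for the failure of one 4506 switch

Review the logs and check for abnormal log entries from before the device failed. Log in to the switch and use show log, show ip int brie, show process cpu his, show ip route, ping to the peer address, show vlan brie, show vtp stat, show process mem, show modul, show diag, show ip eigrp nei, show cdp nei and related commands to locate and confirm the fault.

Because the two 4506 core switches are a fully hot-standby pair, the failure of one does not affect business operation. For a configuration problem, prepare a correct configuration change script, back up the current configuration, and then apply the change. For a cabling problem, make a new network cable and replace the faulty one. For a hardware problem, contact XX company and request hardware fault repair.

For interface modules that can be hot-swapped, and for engines and power supplies that have a standby, prefer online replacement. The online replacement procedure is:

1) Connect a laptop to the Console port of the network device and start Console monitoring and logging;
2) Have the archived system configuration ready as a fallback. If possible, also save the current system configuration;
3) Label the cables connected to the faulty module and unplug them carefully;
4) Make sure safety grounding is in place and pull out the faulty module;
5) Check the device and module status, confirming whether the whole device or other modules are affected and whether the standby module has taken over normally;
6) Make sure safety grounding is in place and insert the replacement module;
7) Check the device and module status, confirming whether the new module is recognized normally and whether other modules are affected;
8) Reconnect the cables as they were;
9) Check that the cable connection status is normal;
10) Confirm that the spare-part replacement succeeded.

For the chassis, for interface modules that cannot be hot-swapped, and for engines and power supplies without a standby, use power-down replacement. The power-down replacement procedure is:

1) Have the archived system configuration ready as a fallback. If possible, also save the current system configuration;
2) Have the previously used system software ready as a fallback;
3) Power down the faulty device;
4) Label the cables that need to be removed and unplug them carefully. If the chassis or engine is being replaced, all connected cables must be removed;
5) Replace the part;
6) Connect a laptop to the Console port of the network device and start Console monitoring and logging;
7) Power on the device;
8) Check the system self-test and confirm there is no hardware fault;
9) Install the system software;
10) Restore the system configuration;
11) Cold start and confirm that software and hardware work normally;
12) For a switch, set VTP to Client mode, connect the uplink cable first, and confirm that VTP replicates correctly;
13) Reconnect the other cables as they were;
14) Check that the cable connection status is normal;
15) Confirm that the spare-part replacement succeeded.

2. Keeping business running within 20 minutes when both core switches are down

Two spare cisco3550 switches are available. If both core cisco4506 switches go down at the same time, the 3550s take over as the core switches to keep business running, while preserving the existing network topology and the network core's security policy and QoS.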
3550 core switch configuration definition

Device naming

```
hostname production
```

Device software version

Use an IOS image that supports dynamic routing protocols: c3550-i5k2l2q3-mz.121-13.EA1a.bin

VLAN definitions

```
VLAN  Name      Status  Ports
1     default   active  Fa0/1, Fa0/2, Fa0/35, Fa0/36
                        Fa0/39, Fa0/40
                        Fa0/41, Fa0/42, Fa0/43, Fa0/44
                        Fa0/45, Fa0/46, Fa0/47, Fa0/48
2     vlan0002  active  Fa0/10, Fa0/21, Fa0/25, Fa0/34
                        Gi0/1, Gi0/2
3     vlan0003  active  Fa0/5, Fa0/8, Fa0/11, Fa0/37, Fa0/38, Fa0/12
                        Fa0/17, Fa0/19, Fa0/20, Fa0/22
                        Fa0/28, Fa0/29, Fa0/30, Fa0/32
4     vlan0004  active  Fa0/13, Fa0/18, Fa0/27
5     vlan0005  active  Fa0/7
6     vlan0006  active
10    vlan0010  active  Fa0/4, Fa0/6, Fa0/14
20    vlan0020  active
30    vlan0030  active
40    vlan0040  active
50    VLAN0050  active
60    VLAN0060  active
63    vlan0063  active
128   vlan0128  active  Fa0/3, Fa0/24, Fa0/26, Fa0/31
                        Fa0/33
195   vlan195   active  Fa0/16, Fa0/23
196   vlan196   active
255   VLAN0255  active  Fa0/9, Fa0/15
```

IP address assignment and HSRP

```
interface Vlan1
 no ip address
 no ip redirects
 shutdown
 standby 10 priority 100
 standby 10 preempt
!
interface Vlan2
 ip address
 ip access-group 101 in
 no ip redirects
 standby 20 ip
 standby 20 priority 150
 standby 20 preempt
!
interface Vlan3
 ip address
 ip access-group 101 in
 no ip redirects
 standby 30 ip
 standby 30 priority 150
 standby 30 preempt
!
interface Vlan4
 ip address 6 92
 no ip redirects
 standby 40 ip 5
 standby 40 priority 150
 standby 40 preempt
interface Vlan5
 ip address 92
 no ip redirects
 standby 50 ip
 standby 50 priority 150
 standby 50 preempt
!
interface Vlan6
 no ip address
 no ip redirects
 shutdown
 standby 60 ip
 standby 60 priority 150
 standby 60 preempt
!
interface Vlan10
 ip address
 ip access-group 103 in
 no ip redirects
 standby 100 ip
 standby 100 timers 5 15
 standby 100 priority 200
 standby 100 preempt
 standby 100 track Vlan10 50
!
interface Vlan20
 no ip address
 no ip redirects
 standby 110 timers 5 15
 standby 110 priority 150
 standby 110 preempt
 standby 110 track Vlan20 50
!
interface Vlan30
 no ip address
 ip access-group 101 in
 no ip redirects
 shutdown
 standby 120 ip 00
 standby 120 timers 5 15
 standby 120 priority 200
 standby 120 preempt
 standby 120 track Vlan30 50
!
interface Vlan40
 no ip address
 ip access-group 101 in
 no ip redirects
 shutdown
 standby 130 ip 00
 standby 130 timers 5 15
 standby 130 priority 150
 standby 130 preempt
 standby 130 track Vlan40 50
!
interface Vlan50
 ip address
 ip helper-address 0
 no ip redirects
 standby 150 ip
 standby 150 timers 5 15
 standby 150 priority 150
 standby 150 preempt
 standby 150 track Vlan150
!
interface Vlan63
 no ip address
 no ip redirects
!
interface Vlan128
 ip address
 ip access-group 101 in
 no ip redirects
 standby 160 ip
 standby 160 timers 5 15
 standby 160 priority 150
 standby 160 preempt
 standby 160 track Vlan128 50
!
interface Vlan150
 no ip address
 shutdown
!
interface Vlan195
 ip address
 no ip redirects
 standby 195 ip
 standby 195 priority 150
 standby 195 preempt
interface Vlan196
 no ip address
 no ip redirects
 shutdown
 standby 196 ip
 standby 196 priority 100
 standby 196 preempt
!
interface Vlan255
 ip address
 no ip redirects
 standby 255 ip
 standby 255 priority 200
 standby 255 preempt
```

Routing policy

```
router eigrp 20
 redistribute static
 network 55
 no auto-summary
 no eigrp log-neighbor-changes
ip route 8
ip route 55 8
ip route 11 55 8
ip route 8
ip route 8
ip route 45 55 8
ip route 55 5
ip route 55 6
ip route 55 7
ip route 1 55 8
ip route 2 55 8
ip route 3 55 8
ip route 4 55 8

interface Vlan2
 ip address
 ip access-group 101 in
interface Vlan3
 ip address
 ip access-group 101 in
interface Vlan30
 no ip address
 ip access-group 101 in
interface Vlan40
 no ip address
 ip access-group 101 in
interface Vlan128
 ip address
 ip access-group 101 in
access-list 101 permit ip host 40 host 46
access-list 101 permit ip host 40 host 45
access-list 101 deny ip 55 55
access-list 101 deny ip 55 55
access-list 101 deny ip 55 55
access-list 101 deny ip 55 55
access-list 101 deny ip 55 55
access-list 101 deny ip 55 55
access-list 101 permit ip any any

interface Vlan10
 ip address
 ip access-group 103 in
access-list 103 permit ip host 45 host 0
access-list 103 permit ip host 40 host 0
access-list 103 permit ip host 40 host 46
access-list 103 permit ip host 40 host 45
access-list 103 permit ip host 45 host 8
access-list 103 permit ip host 40 host 8
access-list 103 permit ip host 45 host 2
access-list 103 permit ip host 40 host
access-list 103 permit ip host 1 host 0
access-list 103 permit ip 55 host
access-list 103 permit ip 55 host
access-list 103 permit ip 55 host
access-list 103 permit ip 55 host 0
access-list 103 permit ip 55 host 3
access-list 103 permit ip 55 host 5
access-list 103 permit ip 55 host 6
access-list 103 permit ip 55 host 0
access-list 103 permit ip 55 host 3
access-list 103 permit ip 55 host 3
access-list 103 permit ip 55 host 7
access-list 103 permit ip host 45 host 9
access-list 103 permit ip host 40 host 9
access-list 103 deny ip 55 55
access-list 103 deny ip 55 55
access-list 103 deny ip 55 55
access-list 103 deny ip 55 55
access-list 103 deny ip 55 55
access-list 103 deny ip 55 55
access-list 103 permit ip any any
```

QoS

Acting as the core switch, the device does not need QoS configured here.

Security policy

```
aaa new-model
aaa authentication login spdb-acs group tacacs+ enable
aaa accounting exec spdb-acs start-stop group tacacs+
aaa accounting commands 0 spdb-acs start-stop group tacacs+
aaa accounting commands 1 spdb-acs start-stop group tacacs+
aaa accounting commands 2 spdb-acs start-stop group tacacs+
aaa accounting commands 3 spdb-acs start-stop group tacacs+
aaa accounting commands 4 spdb-acs start-stop group tacacs+
aaa accounting commands 5 spdb-acs start-stop group tacacs+
aaa accounting commands 6 spdb-acs start-stop group tacacs+
aaa accounting commands 7 spdb-acs start-stop group tacacs+
aaa accounting commands 8 spdb-acs start-stop group tacacs+
aaa accounting commands 9 spdb-acs start-stop group tacacs+
aaa accounting commands 10 spdb-acs start-stop group tacacs+
aaa accounting commands 11 spdb-acs start-stop group tacacs+
aaa accounting commands 12 spdb-acs start-stop group tacacs+
aaa accounting commands 13 spdb-acs start-stop group tacacs+
aaa accounting commands 14 spdb-acs start-stop group tacacs+
aaa accounting commands 15 spdb-acs start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 7
tacacs-server host 4
tacacs-server key s9y8
logging trap debugging
logging source-interface Loopback0
logging 4
logging 5
line vty 0 4
 exec-timeout 5 0
 accounting commands 0 spdb-acs
 accounting commands 1 spdb-acs
 accounting commands 2 spdb-acs
 accounting commands 3 spdb-acs
 accounting commands 4 spdb-acs
 accounting commands 5 spdb-acs
 accounting commands 6 spdb-acs
 accounting commands 7 spdb-acs
 accounting commands 8 spdb-acs
 accounting commands 9 spdb-acs
 accounting commands 10 spdb-acs
 accounting commands 11 spdb-acs
 accounting commands 12 spdb-acs
 accounting commands 13 spdb-acs
 accounting commands 14 spdb-acs
 accounting commands 15 spdb-acs
 accounting exec spdb-acs
 login authentication spdb-acs
```

Network management configuration

```
access-list 10 permit 8
access-list 10 permit 9
access-list 10 permit 6
access-list 10 permit 7
access-list 10 permit 5
snmp-server community public RO
snmp-server community read RO 10
snmp-server trap-source Loopback0
snmp-server enable traps snmp authentication warmstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps rtr
snmp-server enable traps vtp
snmp-server host 4 public
snmp-server host 5 read
```

Other configuration

```
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no ip domain-lookup
ip cef load-sharing algorithm original
clock timezone BJT 8
ntp source Loopback0
ntp server 0
monitor session 1 source vlan 1 , 10 , 192 rx
monitor session 1 destination interface Fa0/5
```

Network implementation

Preparation

1. Eight crossover cables (2 for the trunk, 6 to connect to the floor switches).
2. Free up ports fa0/47 and fa0/48 on the floor switches and apply the corresponding configuration.

Implementation steps

Step 1: Rack the two 3550 switches and power them on (estimated 3 minutes).

Step 2: Move the fiber ports that connect the HP minicomputers over to the 3550 (estimated 1 minute).

- cisco4506 primary gigabit1/1 maps to 3550 primary gigabit0/1
- cisco4506 primary gigabit2/2 maps to 3550 primary gigabit0/2
- cisco4506 backup gigabit1/1 maps to 3550 primary gigabit0/1
- cisco4506 backup gigabit2/2 maps to 3550 primary gigabit0/2

Step 3: Use the prepared crossover cables to interconnect the primary and backup 3550 as an ether-channel (estimated 1 minute).

- 3550 primary fa0/47 maps to 3550 backup fa0/47
- 3550 primary fa0/48 maps to 3550 backup fa0/48

Step 4: Move all copper ports connected to the cisco4506 over to the 3550 (estimated 5 minutes).

- cisco4506 primary fa2/3 maps to 3550 primary fa0/3
- cisco4506 primary fa2/4 maps to 3550 primary fa0/4
- and so on
- cisco4506 primary fa2/34 maps to 3550 primary fa0/34
- cisco4506 backup fa2/3 maps to 3550 backup fa0/3
- cisco4506 backup fa2/4 maps to 3550 backup fa0/4
- and so on
- cisco4506 backup fa2/34 maps to 3550 backup fa0/34

Step 5: Interconnect the 3 floor switches with the 3550 (estimated 3 minutes).

- 3550 primary fa0/41 maps to fa0/47 on 255.15
- 3550 primary fa0/43 maps to fa0/47 on 255.16
- 3550 primary fa0/45 maps to fa0/47 on 255.17
- 3550 backup fa0/41 maps to fa0/48 on 255.15
- 3550 backup fa0/43 maps to fa0/48 on 255.16
- 3550 backup fa0/45 maps to fa0/48 on 255.17

IV. Third-party external connection zone network emergency response

1. Third-party business: UnionPay zone network emergency response

Line failure: When a fault occurs, log in to the ASA firewall, switches and routers and use show log, show ip int brie, show interface, ping, show ip route, show route and similar commands to confirm the state of the relevant interfaces before and during the fault, and identify the faulty line.

If it is an internal network line, the online replacement procedure is:

1) Connect a laptop to the Console port of the network device and start Console monitoring and logging;
2) Have the archived system configuration ready as a fallback. If possible, also save the current system configuration;
3) Label the cables connected to the faulty module and unplug them carefully;
4) Make sure safety grounding is in place and plug in the new replacement network cable;
5) Check that the cable connection status is normal;
6) Confirm that the cable replacement succeeded.

If it is an external cable, then once the fault is confirmed, XX calls the repair hotline and contacts China Unicom or China Mobile staff to come and repair it.

Device failure: Because all devices in the UnionPay zone are hot-standby pairs, the failure of one does not affect business operation. For a configuration problem, prepare a correct configuration change script, back up the current configuration, and then apply the change. For a hardware problem, contact XX company and request hardware fault repair.

Failure of both devices: Use one ASA 5540 firewall loaded with the backed-up ASA firewall configuration, and one cisco 1841 router loaded with the backed-up configuration of the router that connects to the UnionPay side. Any one switch, with no configuration required, can stand in for the UnionPay zone switch.

ASA firewall configuration:

```
spdbsyasa# sh run
: Saved
ASA Version 8.2(1)
!
hostname spdbsyasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 8
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 8
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list IPP_PAT extended permit ip host 1 host 5
access-list IPP_PAT extended permit ip host 2 host 5
access-list IPP_PAT extended permit ip host 3 host 5
access-list IPP_PAT extended permit ip host 1 host 8
access-list IPP_PAT extended permit ip host 2 host 8
access-list IPP_PAT extended permit ip host 3 host 8
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp host 1 host eq 21428
access-list OUTSIDE_IN extended permit tcp host 1 eq 21428 host
access-list OUTSIDE_IN extended permit tcp host 1 host eq 23428
access-list OUTSIDE_IN extended permit tcp host 1 eq 23428 host
access-list OUTSIDE_IN extended permit tcp host 3 host eq 21428
access-list OUTSIDE_IN extended permit tcp host 3 eq 21428 host
access-list OUTSIDE_IN extended permit tcp host 3 host eq 23428
access-list OUTSIDE_IN extended permit tcp host 3 eq 23428 host
access-list OUTSIDE_IN extended permit tcp host 31 eq 6060 host 2
access-list OUTSIDE_IN extended permit udp 4 48 eq snmptrap
access-list OUTSIDE_IN extended permit udp 4 48 eq syslog
access-list OUTSIDE_IN extended permit udp host 4 eq radius
access-list OUTSIDE_IN extended permit udp host 4 eq radius-acct
access-list OUTSIDE_IN extended permit udp host 4 eq 1812
access-list OUTSIDE_IN extended permit udp host 4 eq 1813
access-list OUTSIDE_IN extended permit tcp host 4 eq tacacs
access-list OUTSIDE_IN extended permit udp host 7 eq radius
access-list OUTSIDE_IN extended permit udp host 7 eq radius-acct
access-list OUTSIDE_IN extended permit udp host 7 eq 1812
access-list OUTSIDE_IN extended permit udp host 7 eq 1813
access-list OUTSIDE_IN extended permit tcp host 7 eq tacacs
access-list OUTSIDE_IN extended permit udp host 0
access-list OUTSIDE_IN extended permit tcp host 0
access-list INSIDE_OUT extended permit icmp any any
access-list INSIDE_OUT extended permit tcp host 1 host 5 eq 21428
access-list INSIDE_OUT extended permit tcp host 1 eq 21428 host 5
access-list INSIDE_OUT extended permit tcp host 1 host 5 eq 23428
access-list INSIDE_OUT extended permit tcp host 1 eq 23428 host 5
access-list INSIDE_OUT extended permit tcp host 1 host 8 eq 21428
access-list INSIDE_OUT extended permit tcp host 1 eq 21428 host 8
access-list INSIDE_OUT extended permit tcp host 1 host 8 eq 23428
access-list INSIDE_OUT extended permit tcp host 1 eq 23428 host 8
access-list INSIDE_OUT extended permit tcp host 2 host 5 eq 21428
access-list INSIDE_OUT extended permit tcp host 2 eq 21428 host 5
access-list INSIDE_OUT extended permit tcp host 2 host 5 eq 23428
access-list INSIDE_OUT extended permit tcp host 2 eq 23428 host 5
access-list INSIDE_OUT extended permit tcp host 2 host 8 eq 21428
access-list INSIDE_OUT extended permit tcp host 2 eq 21428 host 8
access-list INSIDE_OUT extended permit tcp host 2 host 8 eq 23428
access-list INSIDE_OUT extended permit tcp host 2 eq 23428 host 8
access-list INSIDE_OUT extended permit tcp host 3 host 5 eq 21428
access-list INSIDE_OUT extended permit tcp host 3 eq 21428 host 5
access-list INSIDE_OUT extended permit tcp host 3 host 5 eq 23428
access-list INSIDE_OUT extended permit tcp host 3 eq 23428 host 5
access-list INSIDE_OUT extended permit tcp host 3 host 8 eq 21428
access-list INSIDE_OUT extended permit tcp host 3 eq 21428 host 8
access-list INSIDE_OUT extended permit tcp host 3 host 8 eq 23428
access-list INSIDE_OUT extended permit tcp host 3 eq 23428 host 8
access-list INSIDE_OUT extended permit tcp host 45 host 2 eq 6060
access-list INSIDE_OUT extended permit ip 4 48 any
access-list INSIDE_OUT extended permit ip host 4 any
access-list INSIDE_OUT extended permit ip host 7 any
access-list INSIDE_OUT extended permit udp host 0 any eq ntp
access-list INSIDE_OUT extended permit udp host 2 any eq ntp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
failover
failover lan unit primary
failover lan interface failoverlan GigabitEthernet0/3
failover polltime unit msec 500 holdtime 5
failover interface ip failoverlan standby
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 2
nat (inside) 2 access-list IPP_PAT
static (inside,outside) tcp 21428 3 21428 netmask 55
static (inside,outside) tcp 23428 3 23428 netmask 55
static (inside,outside) tcp telnet 3 telnet netmask 55
static (outside,inside) 5 1 netmask 55
static (outside,inside) 8 3 netmask 55
static (inside,outside) 2 45 netmask 55
static (outside,inside) 2 31 netmask 55
static (inside,outside) 0 0 netmask 55
static (inside,outside) 2 2 netmask 55
static (inside,outside) 5 5 netmask 55
static (inside,outside) 6 6 netmask 55
static (inside,outside) 7 7 netmask 55
static (inside,outside) 8 8 netmask 55
static (inside,outside) 9 9 netmask 55
static (inside,outside) 4 4 netmask 55
static (inside,outside) 7 7 netmask 55
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
route outside 1 55 5 1
route outside 3 55 5 1
route inside 0 1
route outside 5 1
route inside 4 48 0 1
route outside 31 55 5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server spdb-acs protocol tacacs+
aaa-server spdb-acs (inside) host 7
 key s9y8
aaa-server spdb-acs (inside) host 4
 key s9y9
aaa authentication ssh console spdb-acs
snmp-server host inside 5 community read
snmp-server host inside 6 poll community read
snmp-server host inside 7 poll community
```