! Terminal capture of a running configuration from a router reporting `version 15.4`.
! The digits fused to the start of every line are the paste site's line numbers, not configuration text.
1Building configuration...
2
3Current configuration : 12927 bytes
4!
5! Last configuration change at 10:20:52 GMT Tue Aug 28 2018 by admin
6! NVRAM config last updated at 10:11:44 GMT Tue Aug 28 2018 by admin
7!
8version 15.4
9no service pad
10service timestamps debug datetime msec
11service timestamps log datetime msec
! NOTE(review): password obfuscation is switched off on the next line, so any type 0 password
! entered later is stored and displayed as typed. Type 7 is reversible and is no substitute for
! `secret`; enabling `service password-encryption` only guards against shoulder-surfing.
12no service password-encryption
13!
14hostname somehost.net
15!
16boot-start-marker
17boot-end-marker
18!
19!
! NOTE(review): a 4096-byte local buffer is the only logging destination visible in this capture;
! no `logging host` appears, so events are overwritten quickly and never leave the device.
20logging buffered 4096
21!
! AAA is enabled; the default login method list checks the local `username` database only.
22aaa new-model
23!
24!
25aaa authentication login default local
26!
27!
28!
29!
30!
31aaa session-id common
32wan mode ethernet
! NOTE(review): the zone is named GMT but carries a -5 hour offset, which makes timestamps
! ambiguous when correlating logs with other systems - confirm the intended zone name.
33clock timezone GMT -5 0
34!
35!
36!
37!
38!
! Addresses .1-.149 and .245-.255 of 192.168.100.0 are withheld from DHCP assignment.
! NOTE(review): no `ip dhcp pool` is visible in this capture - confirm one exists elsewhere.
39ip dhcp excluded-address 192.168.100.1 192.168.100.149
40ip dhcp excluded-address 192.168.100.245 192.168.100.255
41!
42!
43!
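! Stateful-inspection rule, DNS resolver settings and the dynamic-DNS update method.
! NOTE(review): INSPECT_RULE is defined here, but no interface in the configuration shown applies
! it with `ip inspect INSPECT_RULE in|out`, so as captured it does not filter anything.
44ip inspect udp idle-time 600
45ip inspect name INSPECT_RULE tcp
46ip inspect name INSPECT_RULE udp
47ip domain name somehost.net
48ip name-server 8.8.8.8
49ip name-server 8.8.4.4
! NOTE(review): the update URL below carries the account name and password in its userinfo part
! and uses the http:// scheme, so the credential crosses the network unencrypted on every update.
! It is also stored in the clear in this configuration; treat it as disclosed, rotate it, and use
! an https:// update URL if the provider and image support one.
! The URL was split by an 80-column terminal wrap in the capture ("somehost .net"); it is rejoined
! here. No interface in the configuration shown references this method with `ip ddns update`.
50ip ddns update method DynDNS
51 HTTP
52 add http://somehost:VDFtNTRMIWZl@dynupdate.no-ip.com/nic/update?hostname=somehost.net&myip=<a>
53 interval maximum 1 0 0 0
54 interval minimum 0 1 0 0
55!
56ip cef
57no ipv6 cef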
58!
59!
! Flexible NetFlow record keyed on source address, destination address and application name,
! collecting output interface, byte/packet counters and first/last timestamps.
60flow record nbar-appmon
61 match ipv4 source address
62 match ipv4 destination address
63 match application name
64 collect interface output
65 collect counter bytes
66 collect counter packets
67 collect timestamp absolute first
68 collect timestamp absolute last
69!
70!
! Monitor that uses the record above with a 60-second active cache timeout.
! NOTE(review): no exporter is attached and no interface in the configuration shown applies this
! monitor, so flow data would stay in the local cache at best - confirm whether that is intended.
71flow monitor application-mon
72 cache timeout active 60
73 record nbar-appmon
74!
75!
76!
77!
78!
79!
80!
81!
82!
83!
! Self-signed trustpoint generated by the device, with revocation checking disabled.
84crypto pki trustpoint TP-self-signed-291005808
85 enrollment selfsigned
86 subject-name cn=IOS-Self-Signed-Certificate-291005808
87 revocation-check none
88 rsakeypair TP-self-signed-291005808
89!
90!
! NOTE(review): the DER below decodes to a sha1WithRSAEncryption signature (OID bytes
! 2A864886 F70D0101 05), a 1024-bit RSA modulus (INTEGER length 0x81 with a leading 00) and a
! validity of 170904132428Z to 200101000000Z, i.e. the certificate expired on 2020-01-01.
! Regenerate it with a larger key and a current signature hash before relying on it for HTTPS.
91crypto pki certificate chain TP-self-signed-291005808
92 certificate self-signed 01
93 30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
94 30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
95 69666963 6174652D 32393130 30353830 38301E17 0D313730 39303431 33323432
96 385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
97 532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3239 31303035
98 38303830 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
99 A1DC25DB AD83F952 ED8EF6E1 AE8D49A0 0DAF6845 9B6776CB 4AE78CD3 86D54EC3
100 595279C2 6594BA28 692D56DC 9C318C83 5F2842E6 69746D5A C4AC41DF A028D87F
101 B90AE32C 5D889F92 53400E1C AF6B9699 6DE4515E 2FACB17F B9A714C0 D30CC7AE
102 C617FDA3 EE7B583D A70BA255 EC4EA49C 4EAE02A7 9F245BC1 2FE509E3 250FB5CF
103 02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
104 23041830 1680149C 6AD5B7C6 F3E7E923 15CFE396 63C868CC 4D210330 1D060355
105 1D0E0416 04149C6A D5B7C6F3 E7E92315 CFE39663 C868CC4D 2103300D 06092A86
106 4886F70D 01010505 00038181 0097E885 5E0773C1 3D243D54 62530FB2 A9E8FE5A
107 3B67F25E 126BF94F BE98F31A 79BB5AE1 09CA4D37 D55F8524 29862CA7 91A00DF0
108 0326F8E5 83649855 3F393103 6B8B6095 3511BA8D 69501DB9 8CD12705 CAD3B528
109 788C84B2 99647FCE 03F65995 C9DFCB60 8DE87511 33BDB06D E2A134E5 CA396A21
110 06AC8976 324B233C EFE4D902 20
111 quit
112!
113!
! Local accounts used by `aaa authentication login default local`.
! NOTE(review): all four secrets are type 5 (salted MD5, the `$1$` prefix) and are now published
! together with their salts. Treat every one of these passwords as disclosed and rotate them;
! where the image supports it, re-enter them with a stronger type (`algorithm-type scrypt`).
! Two accounts (admin, myadmin) hold privilege 15 - confirm both are still required.
114username admin privilege 15 secret 5 $1$eIsV$bTzpw1PI7q64UHrQ9p4Xx1
115username myadmin privilege 15 secret 5 $1$SvTy$WBP8EqfcDiRA6Szvnad71.
116username name1t secret 5 $1$PF4I$o/oLlBh5hB3ZA0aJ6EOny0
117username name2 secret 5 $1$ppRL$RDHVJ.y3WrJdpHs5cTd9K1
118!
119!
! The VDSL controller is administratively down and CDP is disabled globally, which keeps the
! device from advertising its model and software version to neighbours.
120controller VDSL 0
121 shutdown
122no cdp run
123!
124!
! QoS classes: CLASS_DATA matches ACL 106 and CLASS_VOIP matches ACL 103.
125class-map match-all CLASS_DATA
126 match access-group 106
127class-map match-all CLASS_VOIP
128 match access-group 103
129!
! POLICY_OUT gives CLASS_VOIP strict priority and polices CLASS_DATA at 15000000 bit/s;
! POLICY_IN polices CLASS_DATA at 130000000 bit/s. Excess traffic is dropped in both.
! NOTE(review): no `service-policy` statement appears on any interface in the configuration
! shown, so neither policy is in effect as captured.
130policy-map POLICY_OUT
131 class CLASS_VOIP
132 priority
133 class CLASS_DATA
134 police 15000000 conform-action transmit exceed-action drop
135policy-map POLICY_IN
136 class CLASS_DATA
137 police 130000000 conform-action transmit exceed-action drop
138!
! NOTE(review): four security zones are declared, but the configuration shown has no
! `zone-member security` on any interface and no zone-pair or inspect policy, so the zone-based
! firewall is not enforcing anything here. Either finish the zone design or remove the stubs so
! the config does not suggest protection that is absent.
139zone security LAN
140zone security WAN
141zone security VPN
142zone security DMZ
143!
144!
145!
146!
147!
! IKEv1 policy: AES encryption, pre-shared-key authentication, Diffie-Hellman group 2.
! NOTE(review): group 2 is a 1024-bit MODP group and is generally considered too weak for new
! deployments; moving to `group 14` or higher requires the same change on the peer. No `hash`
! line is shown, so the platform default applies - confirm which one that is.
148crypto isakmp policy 1
149 encr aes
150 authentication pre-share
151 group 2
! NOTE(review): the pre-shared key is stored unencrypted in the configuration and is visible in
! this capture (the value may be a redaction placeholder - confirm). If it is real, rotate it on
! both peers, and consider `key config-key password-encrypt` with `password encryption aes` so
! keys are not readable from a config dump.
152crypto isakmp key secretkey hostname anotherhost.net
153!
154!
! ESP with AES and HMAC-SHA in tunnel mode.
155crypto ipsec transform-set myset esp-aes esp-sha-hmac
156 mode tunnel
157!
158!
159!
! Site-to-site crypto map: peer 99.249.222.152, interesting traffic defined by ACL vpn-traffic.
! NOTE(review): no `set pfs` is configured, and no interface in the configuration shown carries
! `crypto map ipsec-site1-to-site2`, so the tunnel would not be negotiated as captured.
160crypto map ipsec-site1-to-site2 10 ipsec-isakmp
161 set peer 99.249.222.152
162 set transform-set myset
163 match address vpn-traffic
164!
165!
166!
167!
168!
! Physical and logical interfaces. ATM0 and Ethernet0 are shut down; GigabitEthernet1 is the
! DHCP-addressed NAT outside interface and Vlan1 (192.168.100.1/24) is the NAT inside interface.
169interface ATM0
170 no ip address
171 shutdown
172 no atm ilmi-keepalive
173!
174interface Ethernet0
175 no ip address
176 shutdown
177!
178interface FastEthernet0
179 description My Connection
180 no ip address
181 spanning-tree portfast
182!
! NOTE(review): FastEthernet1-3 and GigabitEthernet0 carry no configuration and are not shut
! down; disable unused ports so that plugging in a cable does not grant LAN access.
183interface FastEthernet1
184 no ip address
185!
186interface FastEthernet2
187 no ip address
188!
189interface FastEthernet3
190 no ip address
191!
192interface GigabitEthernet0
193 no ip address
194!
! NOTE(review): the WAN interface has no `ip access-group`, no `ip inspect` and no
! `zone-member security` line. ACL 102 is remarked OUTSIDE_IN but is not bound here, so nothing
! in the configuration shown filters traffic arriving from the Internet; exposure is limited only
! by what NAT forwards and by the services the router itself runs.
195interface GigabitEthernet1
196 description PrimaryWANDesc_
197 ip address dhcp
198 ip nat outside
199 ip virtual-reassembly in
200 duplex auto
201 speed auto
202!
! LAN gateway; ACL 101 (INSIDE_OUT) is applied to traffic entering from the LAN.
203interface Vlan1
204 description $ETH_LAN$
205 ip address 192.168.100.1 255.255.255.0
206 ip access-group 101 in
207 ip nat inside
208 ip virtual-reassembly in
209 ip tcp adjust-mss 1452
210!
! Built-in web management server settings.
211ip forward-protocol nd
! NOTE(review): the cleartext HTTP server is enabled alongside HTTPS, and no `ip http access-class`
! restricts who may connect. With no inbound filter on the WAN interface in the configuration
! shown, the management UI may be reachable from the Internet - use `no ip http server` and limit
! HTTPS to management source addresses.
212ip http server
213ip http authentication local
214ip http secure-server
! NOTE(review): this pins HTTPS to RC4 with MD5, both deprecated. Remove the line or select an
! AES suite the image offers (for example `aes-256-cbc-sha` - confirm availability on this image).
215ip http secure-ciphersuite rc4-128-md5
216ip http secure-client-auth
! NOTE(review): the trustpoint named here is not defined in the configuration shown; the only
! trustpoint visible is TP-self-signed-291005808. The name may have been altered by redaction -
! confirm which certificate the HTTPS server actually presents.
217ip http secure-trustpoint somehost.net
218ip http max-connections 4
219ip http timeout-policy idle 240 life 480 requests 100
! NOTE(review): `ip http path` expects a filesystem location for HTML files; this value looks
! like a host:port string - verify it is intentional.
220ip http path /somehost.net:80
221!
222!
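! NAT timers, static port forwards from the WAN interface to LAN hosts, and overload (PAT) rules.
! Five forward lines were split by an 80-column terminal wrap in the capture ("5 6665", "3 389",
! "4 8522", "544 3" twice, "13 5"); the outside port numbers are rejoined here. 56665, 3389,
! 48522 and 5443 also match permit entries in ACL 102.
223ip nat translation timeout 600
224ip nat translation tcp-timeout 600
225ip nat translation udp-timeout 600
226no ip nat service sip udp port 5060
! NOTE(review): the next two lines and line 245 publish TCP 1433 (as 56665), 3389 and 135 of
! host 192.168.100.10 to the Internet. These are database, remote-desktop and RPC endpoint ports
! by convention; moving 1433 to a high port does not hide it. Since no inbound ACL is bound to
! GigabitEthernet1 in the configuration shown, every forward in this block is open to any source.
! Put such services behind the VPN or restrict the permitted source addresses.
227ip nat inside source static tcp 192.168.100.10 1433 interface GigabitEthernet1 56665
228ip nat inside source static tcp 192.168.100.10 3389 interface GigabitEthernet1 3389
229ip nat inside source static tcp 192.168.100.2 48522 interface GigabitEthernet1 48522
230ip nat inside source static tcp 192.168.100.2 443 interface GigabitEthernet1 5443
231ip nat inside source static udp 192.168.100.2 443 interface GigabitEthernet1 5443
232ip nat inside source static tcp 192.168.100.2 902 interface GigabitEthernet1 902
233ip nat inside source static udp 192.168.100.2 903 interface GigabitEthernet1 903
234ip nat inside source static tcp 192.168.100.100 8843 interface GigabitEthernet1 8843
235ip nat inside source static tcp 192.168.100.101 4001 interface GigabitEthernet1 4001
236ip nat inside source static tcp 192.168.100.104 4004 interface GigabitEthernet1 4004
237ip nat inside source static tcp 192.168.100.102 4002 interface GigabitEthernet1 4002
238ip nat inside source static tcp 192.168.100.103 4003 interface GigabitEthernet1 4003
239ip nat inside source static tcp 192.168.100.105 4005 interface GigabitEthernet1 4005
240ip nat inside source static tcp 192.168.100.106 4006 interface GigabitEthernet1 4006
241ip nat inside source static tcp 192.168.100.108 4008 interface GigabitEthernet1 4008
242ip nat inside source static tcp 192.168.100.109 4009 interface GigabitEthernet1 4009
243ip nat inside source static udp 192.168.100.107 4007 interface GigabitEthernet1 4007
244ip nat inside source static tcp 192.168.100.107 4007 interface GigabitEthernet1 4007
245ip nat inside source static tcp 192.168.100.10 135 interface GigabitEthernet1 135
! NOTE(review): five overload rules overlap. List 100 is `permit ip any any`, so it already
! translates everything, including traffic for the VPN's remote subnet 192.168.1.0/24; the
! configuration shown has no NAT exemption for that subnet - confirm the tunnel traffic is not
! being translated before it reaches the crypto map. The rule for list 101 points at
! GigabitEthernet0, which has no address and is not `ip nat outside`. The named lists
! internet-access and nat-list are not defined in the configuration shown.
246ip nat inside source list 100 interface GigabitEthernet1 overload
247ip nat inside source list 101 interface GigabitEthernet0 overload
248ip nat inside source list internet-access interface GigabitEthernet1 overload
249ip nat inside source list nat-list interface GigabitEthernet1 overload
250ip nat inside source static tcp 192.168.100.110 4010 interface GigabitEthernet1 4010
251ip nat inside source static tcp 192.168.100.111 4011 interface GigabitEthernet1 4011
252ip nat inside source static tcp 192.168.100.100 4000 interface GigabitEthernet1 4000
253ip nat inside source route-map RMAP_NAT interface GigabitEthernet1 overload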
254!
! Interesting-traffic selector for the site-to-site tunnel: LAN 192.168.100.0/24 to
! remote 192.168.1.0/24. It is referenced by the crypto map's `match address vpn-traffic`.
255ip access-list extended vpn-traffic
256 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
257!
258!
! Route-map used by the last NAT overload rule; it matches ACL 100, which permits all IP.
259route-map RMAP_NAT permit 1
260 match ip address 100
261!
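! SNMP communities and trap categories.
! NOTE(review): `public` (read-only) and `private` (read-write) are the well-known default
! community strings, neither is bound to an access list, and community-based SNMP sends the
! string unencrypted. The read-write community permits configuration changes over SNMP. Remove
! the RW community if it is unused, replace both with SNMPv3 users using authentication and
! privacy, and restrict the agent to management source addresses.
262snmp-server community public RO
263snmp-server community private RW
! NOTE(review): many trap categories are enabled below, but no `snmp-server host` appears in the
! configuration shown, so it is unclear that any trap is delivered - confirm the receiver.
! Line 306 was split by an 80-column terminal wrap in the capture ("peer-fib-state-c hange");
! the keyword is rejoined here.
264snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
265snmp-server enable traps vrrp
266snmp-server enable traps flowmon
267snmp-server enable traps call-home message-send-fail server-fail
268snmp-server enable traps tty
269snmp-server enable traps ospf state-change
270snmp-server enable traps ospf errors
271snmp-server enable traps ospf retransmit
272snmp-server enable traps ospf lsa
273snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
274snmp-server enable traps ospf cisco-specific state-change shamlink interface
275snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
276snmp-server enable traps ospf cisco-specific errors
277snmp-server enable traps ospf cisco-specific retransmit
278snmp-server enable traps ospf cisco-specific lsa
279snmp-server enable traps flash insertion removal low-space
280snmp-server enable traps auth-framework sec-violation auth-fail
281snmp-server enable traps adslline
282snmp-server enable traps vdsl2line
283snmp-server enable traps adsl2line
284snmp-server enable traps pw vc
285snmp-server enable traps energywise
286snmp-server enable traps dial
287snmp-server enable traps dsp card-status
288snmp-server enable traps dsp oper-state
289snmp-server enable traps dsp video-usage
290snmp-server enable traps dsp video-out-of-resource
291snmp-server enable traps bgp cbgp2
292snmp-server enable traps cnpd
293snmp-server enable traps config-copy
294snmp-server enable traps config
295snmp-server enable traps config-ctid
296snmp-server enable traps entity
297snmp-server enable traps fru-ctrl
298snmp-server enable traps resource-policy
299snmp-server enable traps event-manager
300snmp-server enable traps hsrp
301snmp-server enable traps ipmulticast
302snmp-server enable traps mempool
303snmp-server enable traps cpu threshold
304snmp-server enable traps rsvp
305snmp-server enable traps syslog
306snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
307snmp-server enable traps l2tun session
308snmp-server enable traps l2tun pseudowire status
309snmp-server enable traps vtp
310snmp-server enable traps atm subif
311snmp-server enable traps entity-ext
312snmp-server enable traps firewall serverstatus
313snmp-server enable traps ike policy add
314snmp-server enable traps ike policy delete
315snmp-server enable traps ike tunnel start
316snmp-server enable traps ike tunnel stop
317snmp-server enable traps ipsec cryptomap add
318snmp-server enable traps ipsec cryptomap delete
319snmp-server enable traps ipsec cryptomap attach
320snmp-server enable traps ipsec cryptomap detach
321snmp-server enable traps ipsec tunnel start
322snmp-server enable traps ipsec tunnel stop
323snmp-server enable traps ipsec too-many-sas
324snmp-server enable traps ipsla
325snmp-server enable traps ccme
326snmp-server enable traps srst
327snmp-server enable traps voice
328snmp-server enable traps dnis
329snmp-server enable traps bulkstat collection transfer
330snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down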
! Numbered access lists. Entries are evaluated top-down and the first match wins.
! ACL 100 permits all IP; it is used by a NAT overload rule and by route-map RMAP_NAT.
331access-list 100 permit ip any any
! ACL 101 is applied inbound on Vlan1: it drops packets sourced from 255.255.255.255 or
! 127.0.0.0/8 and permits everything else from the LAN.
332access-list 101 remark INSIDE_OUT
333access-list 101 deny ip host 255.255.255.255 any
334access-list 101 deny ip 127.0.0.0 0.255.255.255 any
335access-list 101 permit ip any any
! NOTE(review): ACL 102 is remarked OUTSIDE_IN, but no interface in the configuration shown
! references it, so as captured it filters nothing. Before binding it to the WAN interface,
! tighten it: most entries are `any any`, which admits the listed port to every address and from
! every source, including remote desktop (3389) and SSH (22).
! `permit udp any eq domain any` (line 344) matches on source port only, so any UDP datagram
! claiming source port 53 passes; stateful inspection of outbound DNS is the safer way to admit
! replies.
336access-list 102 remark OUTSIDE_IN
337access-list 102 permit udp any any eq bootps
338access-list 102 permit udp any any eq bootpc
339access-list 102 permit udp any any eq domain
340access-list 102 permit tcp any any eq 56665
341access-list 102 permit gre any any
342access-list 102 permit esp any any
343access-list 102 permit ahp any any
344access-list 102 permit udp any eq domain any
345access-list 102 permit udp any any eq isakmp
346access-list 102 permit udp any any eq non500-isakmp
347access-list 102 permit tcp any any eq 3389
348access-list 102 permit tcp any any eq 6880
349access-list 102 permit tcp any any eq www
350access-list 102 permit tcp any any eq 5222
351access-list 102 permit tcp any any eq 48522
352access-list 102 permit tcp any any eq 5443
353access-list 102 permit udp any any eq 5443
354access-list 102 permit tcp any any eq 902
355access-list 102 permit udp any any eq 903
356access-list 102 permit tcp any any eq 4000
357access-list 102 permit tcp any any eq 4001
358access-list 102 permit tcp any any eq 4002
359access-list 102 permit tcp any any eq 4003
360access-list 102 permit tcp any any eq 4004
361access-list 102 permit tcp any any eq 4005
362access-list 102 permit tcp any any eq 4006
363access-list 102 permit tcp any any eq 4007
364access-list 102 permit tcp any any eq 4008
365access-list 102 permit tcp any any eq 4009
366access-list 102 permit tcp any any eq 4445
367access-list 102 permit tcp any any eq 22
368access-list 102 permit icmp any any
369access-list 102 permit udp any 192.110.174.0 0.0.0.255
370access-list 102 permit udp 192.110.174.0 0.0.0.255 any
! NOTE(review): the explicit deny on the next line precedes the two permits for 4010 and 4011,
! so those entries can never match. They were presumably appended after the deny was already in
! place. Decide whether the ports should be open; if so, re-sequence the list so the deny comes
! last, otherwise delete the dead entries.
371access-list 102 deny ip any any
372access-list 102 permit tcp any any eq 4010
373access-list 102 permit tcp any any eq 4011
! ACL 103 selects UDP to or from 192.110.174.0/24 for the CLASS_VOIP class-map.
374access-list 103 remark VOIP_TRAFFIC
375access-list 103 permit udp any 192.110.174.0 0.0.0.255
376access-list 103 permit udp 192.110.174.0 0.0.0.255 any
! NOTE(review): ACL 104 is not referenced anywhere in the configuration shown.
377access-list 104 permit ip 192.168.100.0 0.0.0.255 any
! ACL 106 selects everything except that UDP range for the CLASS_DATA class-map.
! NOTE(review): the final `permit esp any any` is shadowed by the `permit ip any any` before it.
378access-list 106 remark DATA_TRAFFIC
379access-list 106 deny udp any 192.110.174.0 0.0.0.255
380access-list 106 deny udp 192.110.174.0 0.0.0.255 any
381access-list 106 permit ip any any
382access-list 106 permit esp any any
383!
384!
385!
386!
! Console, auxiliary and virtual terminal lines, followed by scheduler and NTP settings.
! NOTE(review): no `exec-timeout` is shown on any line, so the platform default applies.
387line con 0
388 no modem enable
389line aux 0
! NOTE(review): three issues on the VTY lines.
! 1. `access-class 23 in` refers to access-list 23, which is not defined in the configuration
!    shown. Confirm how this image treats a reference to an undefined list (it is commonly
!    treated as permit-all) and define ACL 23 with the management source addresses.
! 2. `privilege level 15` appears to start every VTY session at the highest privilege level,
!    including the two accounts created without `privilege 15` - confirm, and prefer per-user
!    privilege with `aaa authorization exec`.
! 3. Telnet is accepted, so logins and session contents can cross the network unencrypted.
!    Use `transport input ssh` once an RSA key pair for SSH is confirmed present.
390line vty 0 4
391 access-class 23 in
392 privilege level 15
393 transport input telnet ssh
394!
395scheduler allocate 60000 1000
! NOTE(review): time comes from a public pool without NTP authentication; acceptable for many
! sites, but log timestamps then depend on an unauthenticated source.
396ntp server north-america.pool.ntp.org
397!
398end