1version 15.4
2no service pad
3service timestamps debug datetime msec
4service timestamps log datetime msec
! NOTE(review): with password-encryption off, every secret typed in plaintext
! (the ISAKMP pre-shared key and the DDNS update URL further down) is stored and
! displayed verbatim in this config. `service password-encryption` is the
! minimum; it only obscures (type 7), so anything already published here must
! be treated as exposed and rotated.
5no service password-encryption
6!
7hostname ournetwork.com
8!
9boot-start-marker
10boot-end-marker
11!
12!
! NOTE(review): logs live only in a 4 KB local buffer; no `logging host` appears
! anywhere in this file, so event history is lost on reload and cannot be
! correlated off-box.
13logging buffered 4096
14!
15aaa new-model
16!
17!
! Login authentication uses only the local user database (the single
! `username admin` entry below); no RADIUS/TACACS+ server is defined here.
18aaa authentication login default local
19!
20!
21!
22!
23!
24aaa session-id common
25wan mode ethernet
26clock timezone GMT -5 0
27!
28!
29!
30!
31!
! No `ip dhcp pool` is defined in this file, so these exclusions currently have
! no pool to act on; if the router is expected to serve DHCP, the pool is missing.
32ip dhcp excluded-address 192.168.100.1 192.168.100.149
33ip dhcp excluded-address 192.168.100.245 192.168.100.255
34!
35!
36!
! NOTE(review): INSPECT_RULE is defined but never applied with
! `ip inspect INSPECT_RULE in|out` on any interface in this file, so no
! stateful inspection is taking place. Apply it on the WAN interface or remove it.
37ip inspect udp idle-time 600
38ip inspect name INSPECT_RULE tcp
39ip inspect name INSPECT_RULE udp
40ip domain name ournetwork.com
41ip name-server 172.87.80.1
42ip name-server 172.87.81.1
! NOTE(review): the update URL embeds an account name and password and uses
! plain http://, so the credential sits in cleartext here and would travel
! unencrypted on every update. This config has been posted publicly, so that
! account's password should be rotated. The method is also not bound to any
! interface with `ip ddns update DynDNS` in this file.
43ip ddns update method DynDNS
44 HTTP
45 add http://phmsearch:VDFtNTRMIWZl@dynupdate.no-ip.com/nic/update?hostname=ournetwork.com&myip=<a>
46 interval maximum 1 0 0 0
47 interval minimum 0 1 0 0
48!
49ip cef
50no ipv6 cef
51!
52!
! Flexible NetFlow record keyed on source/destination IPv4 address and NBAR
! application name, collecting byte/packet counters and first/last timestamps.
53flow record nbar-appmon
54 match ipv4 source address
55 match ipv4 destination address
56 match application name
57 collect interface output
58 collect counter bytes
59 collect counter packets
60 collect timestamp absolute first
61 collect timestamp absolute last
62!
63!
! NOTE(review): application-mon is not attached to any interface with
! `ip flow monitor application-mon input|output` in this file, and no
! `flow exporter` is defined, so the record is never populated or exported.
64flow monitor application-mon
65 cache timeout active 60
66 record nbar-appmon
67!
68!
69!
70!
71!
72!
73!
74!
75!
76!
! NOTE(review): router-generated self-signed trustpoint. Decoding the DER dump
! below suggests a 1024-bit RSA key, sha1WithRSA signature and validity
! 2017-09-04 to 2020-01-01 — verify with `show crypto pki certificates`.
! `revocation-check none` is expected for a self-signed cert; clients must pin
! it manually. Note that `ip http secure-trustpoint` further down names a
! trustpoint "ournetwork.com", which is not this one and is not defined here.
77crypto pki trustpoint TP-self-signed-291005808
78 enrollment selfsigned
79 subject-name cn=IOS-Self-Signed-Certificate-291005808
80 revocation-check none
81 rsakeypair TP-self-signed-291005808
82!
83!
! The hex dump is the DER-encoded certificate; it is data and must not be
! hand-edited.
84crypto pki certificate chain TP-self-signed-291005808
85 certificate self-signed 01
86 30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
87 30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
88 69666963 6174652D 32393130 30353830 38301E17 0D313730 39303431 33323432
89 385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
90 532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3239 31303035
91 38303830 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
92 A1DC25DB AD83F952 ED8EF6E1 AE8D49A0 0DAF6845 9B6776CB 4AE78CD3 86D54EC3
93 595279C2 6594BA28 692D56DC 9C318C83 5F2842E6 69746D5A C4AC41DF A028D87F
94 B90AE32C 5D889F92 53400E1C AF6B9699 6DE4515E 2FACB17F B9A714C0 D30CC7AE
95 C617FDA3 EE7B583D A70BA255 EC4EA49C 4EAE02A7 9F245BC1 2FE509E3 250FB5CF
96 02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
97 23041830 1680149C 6AD5B7C6 F3E7E923 15CFE396 63C868CC 4D210330 1D060355
98 1D0E0416 04149C6A D5B7C6F3 E7E92315 CFE39663 C868CC4D 2103300D 06092A86
99 4886F70D 01010505 00038181 0097E885 5E0773C1 3D243D54 62530FB2 A9E8FE5A
100 3B67F25E 126BF94F BE98F31A 79BB5AE1 09CA4D37 D55F8524 29862CA7 91A00DF0
101 0326F8E5 83649855 3F393103 6B8B6095 3511BA8D 69501DB9 8CD12705 CAD3B528
102 788C84B2 99647FCE 03F65995 C9DFCB60 8DE87511 33BDB06D E2A134E5 CA396A21
103 06AC8976 324B233C EFE4D902 20
104 quit
105!
106!
! NOTE(review): the only local account, with privilege 15. `secret 5` is the
! MD5-based type-5 hash; prefer type 8 or 9 (`secret 9`) where this release
! supports it. The hash is public via this paste, so the password should be
! changed regardless of hash type.
107username admin privilege 15 secret 5 $1$eIsV$bTzpw1PI7q6a5Gt4UHrQ9p4Xx1
108
109!
110!
111controller VDSL 0
112 shutdown
113no cdp run
114!
115!
! NOTE(review): CLASS_DATA / CLASS_VOIP and the two policy-maps below are never
! attached with `service-policy` on any interface in this file, so no QoS
! priority or policing is in effect.
116class-map match-all CLASS_DATA
117 match access-group 106
118class-map match-all CLASS_VOIP
119 match access-group 103
120!
121policy-map POLICY_OUT
122 class CLASS_VOIP
123 priority
124 class CLASS_DATA
125 police 15000000 conform-action transmit exceed-action drop
126policy-map POLICY_IN
127 class CLASS_DATA
128 police 130000000 conform-action transmit exceed-action drop
129!
! NOTE(review): four security zones are declared, but there is no
! `zone-pair security` and no interface carries `zone-member security`, so the
! zone-based firewall enforces nothing. Together with ACL 102 being unapplied
! (see the interface and access-list sections), the WAN side has no inbound
! filter. Finish the ZBFW (zone-member on Vlan1/GigabitEthernet1 plus
! zone-pairs with an inspect policy) or apply an inbound ACL on GigabitEthernet1.
130zone security LAN
131zone security WAN
132zone security VPN
133zone security DMZ
134!
135!
136!
137!
138!
! NOTE(review): IKEv1 policy with pre-shared keys. No `hash` is set, so the
! release default applies (typically SHA-1 on IOS — confirm with
! `show crypto isakmp policy`). DH group 5 and the SHA-1 transform below are
! weaker than current guidance; move to group 14 or higher, `hash sha256` and
! esp-sha256-hmac if the peer at 99.249.122.22 supports them.
139crypto isakmp policy 1
140 encr aes
141 authentication pre-share
142 group 5
! NOTE(review): the pre-shared key is stored in cleartext (password-encryption
! is off) and is a dictionary word; it has been exposed with this paste and
! should be replaced on both peers with a long random value.
143crypto isakmp key secretkey address 99.249.122.22 no-xauth
144!
145crypto ipsec security-association lifetime seconds 86400
146!
147crypto ipsec transform-set myset esp-aes esp-sha-hmac
148 mode tunnel
149crypto ipsec df-bit clear
150!
151!
152!
! Static crypto map applied on GigabitEthernet1; interesting traffic is the
! LAN <-> 192.168.1.0/24 pair selected by the vpn-enc ACL.
153crypto map ipsec-phm-to-ournetwork 10 ipsec-isakmp
154 set peer 99.249.122.22
155 set transform-set myset
156 set pfs group5
157 match address vpn-enc
158!
159!
160!
161!
162!
! Unused DSL/Ethernet uplinks are administratively down.
163interface ATM0
164 no ip address
165 shutdown
166 no atm ilmi-keepalive
167!
168interface Ethernet0
169 no ip address
170 shutdown
171!
! Switchports FastEthernet0-3 are Layer-2 members of Vlan1; FastEthernet1-3
! carry no description and are not shut down — confirm they are in use.
172interface FastEthernet0
173 description My Connection
174 no ip address
175 spanning-tree portfast
176!
177interface FastEthernet1
178 no ip address
179!
180interface FastEthernet2
181 no ip address
182!
183interface FastEthernet3
184 no ip address
185!
186interface GigabitEthernet0
187 no ip address
188!
! NOTE(review): WAN interface. It has no inbound `ip access-group`, no
! `zone-member security` and no `ip inspect`, so what reaches the router and
! the NAT targets is bounded only by the static NAT mappings. ACL 102
! (OUTSIDE_IN) is defined but unused — review it and apply it here with
! `ip access-group 102 in`. Absent upstream filtering, traffic to the router's
! own WAN address on ports without a static NAT (e.g. 22/23/80/443) is
! delivered to the router's own management services.
189interface GigabitEthernet1
190 description PrimaryWANDesc_
191 ip address dhcp
192 ip nat outside
193 ip virtual-reassembly in
194 duplex auto
195 speed auto
196 crypto map ipsec-phm-to-ournetwork
197!
! LAN gateway. ACL 101 inbound drops only two spoofed sources and permits
! everything else from the LAN. `$ETH_LAN$` looks like a CCP/SDM template tag
! left in the description.
198interface Vlan1
199 description $ETH_LAN$
200 ip address 192.168.100.1 255.255.255.0
201 ip access-group 101 in
202 ip nat inside
203 ip virtual-reassembly in
204 ip tcp adjust-mss 1452
205 crypto ipsec df-bit clear
206!
207ip forward-protocol nd
! NOTE(review): both plain HTTP and HTTPS management are enabled, the only TLS
! suite allowed is rc4-128-md5 (both primitives deprecated), and
! `secure-trustpoint ournetwork.com` names a trustpoint that does not exist in
! this file (only TP-self-signed-291005808 is defined). No `ip http access-class`
! restricts who may connect and the WAN interface has no inbound ACL.
! Suggested: `no ip http server`, `ip http access-class <standard-acl>` limited
! to LAN sources, remove the ciphersuite line so the release's default suites
! apply, and point secure-trustpoint at the defined trustpoint.
208ip http server
209ip http authentication local
210ip http secure-server
211ip http secure-ciphersuite rc4-128-md5
212ip http secure-client-auth
213ip http secure-trustpoint ournetwork.com
214ip http max-connections 4
215ip http timeout-policy idle 240 life 480 requests 100
216ip http path /ournetwork.com:80
217!
218!
219ip nat translation timeout 600
220ip nat translation tcp-timeout 600
221ip nat translation udp-timeout 600
222no ip nat service sip udp port 5060
! NOTE(review): these static forwards publish the well-known SQL Server (1433,
! reached via outside port 56665), RDP (3389) and MS-RPC (135) ports on
! 192.168.100.10, and 902/903 on 192.168.100.2, to any Internet source,
! because GigabitEthernet1 carries no inbound ACL. These services are routinely
! targeted by credential-guessing and exploit scanning; restrict source
! addresses with an inbound ACL on the WAN interface or reach them only over
! the site-to-site VPN.
223ip nat inside source static tcp 192.168.100.10 1433 interface GigabitEthernet1 56665
224ip nat inside source static tcp 192.168.100.10 3389 interface GigabitEthernet1 3389
225ip nat inside source static tcp 192.168.100.2 48522 interface GigabitEthernet1 48522
226ip nat inside source static tcp 192.168.100.2 443 interface GigabitEthernet1 5443
227ip nat inside source static udp 192.168.100.2 443 interface GigabitEthernet1 5443
228ip nat inside source static tcp 192.168.100.2 902 interface GigabitEthernet1 902
229ip nat inside source static udp 192.168.100.2 903 interface GigabitEthernet1 903
230ip nat inside source static tcp 192.168.100.100 8843 interface GigabitEthernet1 8843
231ip nat inside source static tcp 192.168.100.101 4001 interface GigabitEthernet1 4001
232ip nat inside source static tcp 192.168.100.104 4004 interface GigabitEthernet1 4004
233ip nat inside source static tcp 192.168.100.102 4002 interface GigabitEthernet1 4002
234ip nat inside source static tcp 192.168.100.103 4003 interface GigabitEthernet1 4003
235ip nat inside source static tcp 192.168.100.105 4005 interface GigabitEthernet1 4005
236ip nat inside source static tcp 192.168.100.106 4006 interface GigabitEthernet1 4006
237ip nat inside source static tcp 192.168.100.108 4008 interface GigabitEthernet1 4008
238ip nat inside source static tcp 192.168.100.109 4009 interface GigabitEthernet1 4009
239ip nat inside source static udp 192.168.100.107 4007 interface GigabitEthernet1 4007
240ip nat inside source static tcp 192.168.100.107 4007 interface GigabitEthernet1 4007
241ip nat inside source static tcp 192.168.100.10 135 interface GigabitEthernet1 135
242ip nat inside source static tcp 192.168.100.110 4010 interface GigabitEthernet1 4010
243ip nat inside source static tcp 192.168.100.111 4011 interface GigabitEthernet1 4011
244ip nat inside source static tcp 192.168.100.100 4000 interface GigabitEthernet1 4000
245ip nat inside source static udp 192.168.100.221 443 interface GigabitEthernet1 8443
246ip nat inside source static udp 192.168.100.221 1194 interface GigabitEthernet1 8894
! Dynamic PAT for everything the nonat route-map admits (VPN traffic is excluded
! by the vpn-no-nat ACL so it is encrypted rather than translated).
247ip nat inside source route-map nonat interface GigabitEthernet1 overload
248ip route 0.0.0.0 0.0.0.0 GigabitEthernet1
249!
! Crypto-map selector: LAN <-> remote 192.168.1.0/24.
250ip access-list extended vpn-enc
251 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
! NAT exemption for the VPN pair. The trailing `permit ip any any` makes the
! LAN-specific permit redundant; harmless here because `ip nat inside` is only
! on Vlan1, but it reads as if any source could be translated — consider
! dropping it.
252ip access-list extended vpn-no-nat
253 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
254 permit ip 192.168.100.0 0.0.0.255 any
255 permit ip any any
256!
257!
258route-map nonat permit 10
259 match ip address vpn-no-nat
260!
! NOTE(review): the default community strings are in use, and "private" is
! read-write, which permits configuration changes over SNMPv2c. Neither
! community is restricted by an ACL, and the WAN interface has no inbound
! filter. No `snmp-server host` is defined, so every trap enabled below has no
! destination. Replace with SNMPv3 (authPriv) or at least unique strings plus
! an ACL, and remove the RW community unless it is actually needed.
261snmp-server community public RO
262snmp-server community private RW
263snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
264snmp-server enable traps vrrp
265snmp-server enable traps flowmon
266snmp-server enable traps call-home message-send-fail server-fail
267snmp-server enable traps tty
268snmp-server enable traps flash insertion removal low-space
269snmp-server enable traps auth-framework sec-violation auth-fail
270snmp-server enable traps adslline
271snmp-server enable traps vdsl2line
272snmp-server enable traps adsl2line
273snmp-server enable traps pw vc
274snmp-server enable traps energywise
275snmp-server enable traps dial
276snmp-server enable traps dsp card-status
277snmp-server enable traps dsp oper-state
278snmp-server enable traps dsp video-usage
279snmp-server enable traps dsp video-out-of-resource
280snmp-server enable traps bgp cbgp2
281snmp-server enable traps cnpd
282snmp-server enable traps config-copy
283snmp-server enable traps config
284snmp-server enable traps config-ctid
285snmp-server enable traps entity
286snmp-server enable traps fru-ctrl
287snmp-server enable traps resource-policy
288snmp-server enable traps event-manager
289snmp-server enable traps hsrp
290snmp-server enable traps ipmulticast
291snmp-server enable traps mempool
292snmp-server enable traps cpu threshold
293snmp-server enable traps rsvp
294snmp-server enable traps syslog
295snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
296snmp-server enable traps l2tun session
297snmp-server enable traps l2tun pseudowire status
298snmp-server enable traps vtp
299snmp-server enable traps atm subif
300snmp-server enable traps entity-ext
301snmp-server enable traps firewall serverstatus
302snmp-server enable traps ike policy add
303snmp-server enable traps ike policy delete
304snmp-server enable traps ike tunnel start
305snmp-server enable traps ike tunnel stop
306snmp-server enable traps ipsec cryptomap add
307snmp-server enable traps ipsec cryptomap delete
308snmp-server enable traps ipsec cryptomap attach
309snmp-server enable traps ipsec cryptomap detach
310snmp-server enable traps ipsec tunnel start
311snmp-server enable traps ipsec tunnel stop
312snmp-server enable traps ipsec too-many-sas
313snmp-server enable traps ipsla
314snmp-server enable traps ccme
315snmp-server enable traps srst
316snmp-server enable traps voice
317snmp-server enable traps dnis
318snmp-server enable traps bulkstat collection transfer
319snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
! ACL 101 is applied inbound on Vlan1: it drops two spoofed sources and then
! permits everything from the LAN.
320access-list 101 remark INSIDE_OUT
321access-list 101 deny ip host 255.255.255.255 any
322access-list 101 deny ip 127.0.0.0 0.255.255.255 any
323access-list 101 permit ip any any
! NOTE(review): ACL 102 (OUTSIDE_IN) is not applied anywhere in this file. If it
! is intended for GigabitEthernet1, review it before applying: `permit tcp any
! any eq www` and `eq 22` would also admit management connections to the router
! itself, and several permitted ports (6880, 5222, 4445, 22) have no matching
! static NAT entry.
324access-list 102 remark OUTSIDE_IN
325access-list 102 permit udp any any eq bootps
326access-list 102 permit udp any any eq bootpc
327access-list 102 permit udp any any eq domain
328access-list 102 permit tcp any any eq 56665
329access-list 102 permit gre any any
330access-list 102 permit esp any any
331access-list 102 permit ahp any any
332access-list 102 permit udp any eq domain any
333access-list 102 permit udp any any eq isakmp
334access-list 102 permit udp any any eq non500-isakmp
335access-list 102 permit tcp any any eq 3389
336access-list 102 permit tcp any any eq 6880
337access-list 102 permit tcp any any eq www
338access-list 102 permit tcp any any eq 5222
339access-list 102 permit tcp any any eq 48522
340access-list 102 permit tcp any any eq 5443
341access-list 102 permit udp any any eq 5443
342access-list 102 permit tcp any any eq 902
343access-list 102 permit udp any any eq 903
344access-list 102 permit tcp any any eq 4000
345access-list 102 permit tcp any any eq 4001
346access-list 102 permit tcp any any eq 4002
347access-list 102 permit tcp any any eq 4003
348access-list 102 permit tcp any any eq 4004
349access-list 102 permit tcp any any eq 4005
350access-list 102 permit tcp any any eq 4006
351access-list 102 permit tcp any any eq 4007
352access-list 102 permit tcp any any eq 4008
353access-list 102 permit tcp any any eq 4009
354access-list 102 permit tcp any any eq 4445
355access-list 102 permit tcp any any eq 22
356access-list 102 permit icmp any any
357access-list 102 permit udp any 192.110.174.0 0.0.0.255
358access-list 102 permit udp 192.110.174.0 0.0.0.255 any
359access-list 102 permit tcp any any eq 4010
360access-list 102 permit tcp any any eq 4011
! ACLs 103 and 106 are referenced only by the (unapplied) class-maps; ACL 104
! is not referenced anywhere in this file.
361access-list 103 remark VOIP_TRAFFIC
362access-list 103 permit udp any 192.110.174.0 0.0.0.255
363access-list 103 permit udp 192.110.174.0 0.0.0.255 any
364access-list 104 permit ip 192.168.100.0 0.0.0.255 any
365access-list 106 remark DATA_TRAFFIC
366access-list 106 deny udp any 192.110.174.0 0.0.0.255
367access-list 106 deny udp 192.110.174.0 0.0.0.255 any
368access-list 106 permit ip any any
! NOTE(review): this `permit esp` entry is shadowed by the preceding
! `permit ip any any` and can never match.
369access-list 106 permit esp any any
370!
371!
372!
373!
374line con 0
375 no modem enable
376line aux 0
! NOTE(review): `access-class 23 in` references ACL 23, which is not defined in
! this file; as far as IOS behaviour goes, an undefined ACL applied this way
! does not block anything, so the vty lines appear open to any source — verify
! with `show access-lists`. Telnet is also permitted, carrying the admin
! credential in cleartext, and every login lands at privilege 15. Define ACL 23
! (LAN sources only), use `transport input ssh`, and set an explicit
! `exec-timeout`. No `ip ssh version 2` line appears in this file either —
! confirm which SSH version is negotiated.
377line vty 0 4
378 access-class 23 in
379 privilege level 15
380 transport input telnet ssh
381!
382scheduler allocate 60000 1000
! NTP is unauthenticated (no `ntp authenticate` / `ntp authentication-key`
! here); a public pool is acceptable for log timestamps but not as a trust
! anchor for certificate validity checks.
383ntp server north-america.pool.ntp.org
384!
385end