Note: the router needs to run a 12.4 IOS image with firewall (zone-based policy firewall) feature support.
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 <removed>
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server <lan server ip> auth-port 1645 acct-port 1646
!
aaa authentication login local_authen local
aaa authentication ppp default group radius
aaa authorization exec local_author local
aaa authorization network default group radius
aaa authorization network sdm_vpn_group_ml_1 group sdm-vpn-server-group-1
aaa accounting exec default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 phone
dot11 arp-cache
no ip source-route
ip icmp rate-limit unreachable 100
ip icmp rate-limit unreachable DF 1
ip cef
!
ip nbar pdlm flash:/rtp-124.pdlm
!
!
!
ip tcp ecn
ip tcp selective-ack
ip tcp window-size 169360
ip tcp synwait-time 10
no ip bootp server
ip domain name johnpavel.local
ip name-server <lan server ip>
ip port-map user-terminal port tcp 3389 description Terminal Services
ip port-map user-mmsu port udp 1755 description MMSU
ip port-map user-sharepoint port tcp 444 description Windows Sharepoint Services
ip port-map user-rtspu port udp 5005 description RTSPU
ip port-map user-remote-web port tcp 4125 description Remote Web Workplace
ip port-map user-nat-stun port udp 3478 description Simple Traversal of UDP through NAT
ip ssh time-out 60
ip dhcp-server <lan server ip>
login block-for 15 attempts 2 within 30
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
l2tp tunnel password 7
l2tp tunnel receive-window 256
!
parameter-map type inspect pmap-audit
audit-trail on
password encryption aes
!
crypto pki trustpoint TP-self-signed-...
!
crypto pki trustpoint <server>
enrollment mode ra
enrollment url http://<server>:80/certsrv/mscep/mscep.dll
usage ike
password 7 08781A1C2F495C4E422F545573087C7B10
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-...
quit
crypto pki certificate chain ...
quit
no crypto engine onboard 0
!
!
username <user> privilege 15 secret 5 <removed>
!
!
class-map type inspect match-all sdm-cls-http-1
match access-group name InternalServer
match protocol http
class-map type inspect match-any AllowedOut
description Permitted Traffic to internet
match protocol https
match protocol dns
match protocol imap
match protocol icmp
match protocol ftp
match protocol smtp extended
match protocol sip
match protocol user-nat-stun
match protocol ntp
match protocol pop3
match protocol pptp
match protocol rtsp
match protocol realmedia
match protocol netshow
match protocol appleqtc
match protocol streamworks
match protocol vdolive
match protocol telnet
class-map type inspect match-all sdm-cls-http
match protocol http
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ExternallyVisibleProtocols
description Externally-visible protocols
match protocol http
match protocol https
match protocol smtp extended
match protocol user-sharepoint
match protocol user-remote-web
match protocol pptp
match class-map SDM_GRE
match protocol user-terminal
match protocol rtsp
match protocol netshow
match protocol user-mmsu
match protocol user-rtspu
class-map type inspect match-any returningGRE
description Returning GRE for PPTP
match class-map SDM_GRE
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-all ICMPReply
description Only certain pings permitted to router
match access-group name ICMPReply
class-map type inspect match-any RouterToOutside
description Permit router-generated traffic out
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all ExternallyVisibleServices
description Externally-visible protocols headed to server
match access-group name InternalServer
match class-map ExternallyVisibleProtocols
class-map type inspect match-any IPSec
description For L2TP/IPSec
match class-map SDM_ESP
match protocol isakmp
match protocol ipsec-msft
class-map type inspect http match-any sdm-http-blockparam
match request port-misuse any
class-map type inspect match-any InvalidSource
description Invalid source addresses for internally-generated outgoing traffic
match access-group name InvalidSource
class-map type inspect http match-any sdm-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect http match-any sdm-http-allowparam
match req-resp protocol-violation
!
!
policy-map type inspect RouterToInside
description Router to LAN
class class-default
inspect
policy-map type inspect InsideToRouter
description LAN to router
class class-default
inspect
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
log
reset
class type inspect http sdm-app-httpmethods
log
reset
class type inspect http sdm-http-allowparam
log
allow
class class-default
policy-map type inspect InsideToOutside
description LAN to Internet
class type inspect returningGRE
inspect pmap-audit
class type inspect InvalidSource
drop log
class type inspect sdm-cls-http
inspect
service-policy http sdm-action-app-http
class type inspect AllowedOut
inspect
class class-default
drop log
policy-map type inspect OutsideToInside
description Internet to LAN (server)
class type inspect ExternallyVisibleServices
inspect pmap-audit
class class-default
drop log
policy-map type inspect OutSideToRouter
description Permitted traffic from internet to router
class type inspect ICMPReply
pass
class type inspect IPSec
pass
class class-default
drop log
policy-map type inspect RouterToOutSide
description Router to internet
class type inspect RouterToOutside
inspect pmap-audit
class class-default
pass
!
zone security Inside
zone security Outside
zone-pair security InsideToOutside source Inside destination Outside
service-policy type inspect InsideToOutside
zone-pair security RouterToInside source self destination Inside
service-policy type inspect RouterToInside
zone-pair security InsideToRouter source Inside destination self
service-policy type inspect InsideToRouter
zone-pair security OutsideToRouter source Outside destination self
service-policy type inspect OutSideToRouter
zone-pair security RouterToOutside source self destination Outside
service-policy type inspect RouterToOutSide
zone-pair security OutsideToInside source Outside destination Inside
service-policy type inspect OutsideToInside
!
!
crypto isakmp policy 10
encr aes 256
group 2
!
crypto isakmp policy 20
encr aes 192
group 2
!
crypto isakmp policy 30
encr aes
group 2
!
crypto isakmp policy 40
encr 3des
group 2
!
crypto isakmp policy 50
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 60
encr aes 192
authentication pre-share
group 2
!
crypto isakmp policy 70
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 80
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 <removed> address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map Dynamic-CryptoMap 1
description IPSec
set transform-set ESP-AES128-SHA ESP-3DES-SHA
reverse-route
!
!
crypto map IPSec-Policy 65535 ipsec-isakmp dynamic Dynamic-CryptoMap
!
bridge irb
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description Be* Unlimited$ES_WAN$$FW_OUTSIDE$
bandwidth receive 17800
ip address <my external ip address> <my external mask>
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip mtu 1500
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security Outside
ip tcp adjust-mss 1460
no snmp trap link-status
atm route-bridged ip
pvc BeUnlimited 0/101
oam-pvc manage
encapsulation aal5snap
!
crypto map IPSec-Policy
!
interface FastEthernet0
description Switch
!
interface FastEthernet1
description titan
!
interface FastEthernet2
description Yellow
!
interface FastEthernet3
description phone
!
interface Virtual-Template1
description L2TP$FW_OUTSIDE$
ip unnumbered BVI1
ip verify unicast reverse-path
no ip redirects
ip accounting access-violations
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security Inside
ip route-cache flow
ip tcp adjust-mss 1360
peer default ip address dhcp
no keepalive
ppp mtu adaptive
ppp authentication eap ms-chap-v2
ppp ipcp header-compression ack
ppp ipcp username unique
!
interface Dot11Radio0
description Wireless
no ip address
ip accounting access-violations
!
encryption mode ciphers tkip
!
ssid Wireless
authentication open
authentication key-management wpa
accounting radius
guest-mode
wpa-psk ascii 7 <removed>
!
world-mode dot11d country GB indoor
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan1
description LAN$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip accounting access-violations
ip tcp adjust-mss 1460
bridge-group 1
!
interface BVI1
description LAN Wireless bridge$ES_LAN$$FW_INSIDE$
ip address <router ip address> 255.255.255.0
no ip redirects
no ip proxy-arp
ip accounting access-violations
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security Inside
ip route-cache flow
!
router bgp <removed>
no synchronization
bgp log-neighbor-changes
neighbor 195.66.241.98 remote-as <removed>
neighbor 195.66.241.98 description cymru
neighbor 195.66.241.98 password 7 <removed>
neighbor 195.66.241.98 ebgp-multihop 255
neighbor 195.66.241.98 prefix-list cymru-out out
neighbor 195.66.241.98 route-map CYMRUBOGONS in
neighbor 195.66.241.98 maximum-prefix 100 90
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 <remote gateway ip address>
ip route 192.0.2.1 255.255.255.255 Null0
ip route <cymru ip address> 255.255.255.255 <remote gateway ip address>
!
ip bgp-community new-format
ip community-list 10 permit <removed>
ip flow-cache timeout active 1
ip flow-export version 9
ip flow-export destination <netflow monitor ip> 9996
ip flow-top-talkers
top 50
sort-by bytes
cache-timeout 3600000
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp <lan server ip> 80 interface ATM0.1 80
ip nat inside source static tcp <lan server ip> 25 interface ATM0.1 25
ip nat inside source static tcp <lan server ip> 443 interface ATM0.1 443
ip nat inside source static tcp <lan server ip> 444 interface ATM0.1 444
ip nat inside source static tcp <lan server ip> 4125 interface ATM0.1 4125
ip nat inside source static tcp <lan server ip> 1723 interface ATM0.1 1723
ip nat inside source static tcp <lan server ip> 3389 interface ATM0.1 3389
ip nat inside source static tcp <lan server ip> 554 interface ATM0.1 554
ip nat inside source static tcp <lan server ip> 1755 interface ATM0.1 1755
ip nat inside source static udp <lan server ip> 1755 interface ATM0.1 1755
ip nat inside source static udp <lan server ip> 5005 interface ATM0.1 5005
ip nat inside source list 1 interface ATM0.1 overload
!
ip access-list extended ICMPReply
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any ttl-exceeded
permit icmp any any packet-too-big
ip access-list extended InternalServer
remark Traffic to server
remark SDM_ACL Category=128
permit ip any host <lan server ip>
ip access-list extended InvalidSource
remark Invalid Source Address on LAN
remark SDM_ACL Category=128
permit ip host 255.255.255.255 any
permit ip <gateway network> <inverse gateway mask> any
permit ip 127.0.0.0 0.255.255.255 any
ip access-list extended SDM_ESP
remark SDM_ACL Category=0
permit esp any any
ip access-list extended SDM_GRE
remark SDM_ACL Category=0
permit gre any any
!
!
ip prefix-list cymru-out seq 5 deny 0.0.0.0/0 le 32
ip radius source-interface BVI1
logging trap debugging
logging <lan server ip>
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit <lan network> <lan network mask>
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit <lan network> <lan network mask>
access-list 2 deny any
access-list 112 remark VTY Access-class list
access-list 112 remark SDM_ACL Category=1
access-list 112 permit ip <lan network> <lan network mask> any
access-list 112 deny ip any any
snmp-server community <removed> RW
snmp-server community <removed> RO
snmp-server ifindex persist
no cdp run
!
!
!
route-map CYMRUBOGONS permit 10
description Filter bogons learned from cymru.com bogon route-servers
match community 10
set ip next-hop 192.0.2.1
!
radius-server host <lan server ip> auth-port 1645 acct-port 1646 key 7 <removed>
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
alias exec ru sh run
alias exec ri sh run | i
alias exec rb sh run | b
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
speed 115200
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 112 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175104
ntp server 193.190.230.66 source ATM0.1
ntp server 213.2.4.80 source ATM0.1
end
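The following script is an added example, not the poster's configuration and not a Cisco tool. It walks a constructed IOS excerpt (SAMPLE_CONFIG, modelled on the config above; the type-7 string in it is the textbook encoding of "cisco", not anything from this page) and reports the three things a reviewer checks first in a zone-based firewall config: every type-7 string decoded, because `service password-encryption` only applies a fixed-key XOR that anyone with the running-config can reverse; the class-default action each zone-pair actually ends up with, since a `policy-map type inspect` whose class-default is `pass` lets unmatched traffic through and one with no class-default at all drops it; and VTY lines whose `transport input` still accepts telnet. The parser recognises only the command forms that appear on this page and deliberately does not rely on indentation, because the copy above has lost it.

```python
"""Review helper for an IOS zone-based-firewall config (added example; not the
poster's code or a Cisco tool).  Parses the constructed SAMPLE_CONFIG below and
reports decoded type-7 strings, the class-default action behind each zone-pair,
and VTY lines that still accept telnet."""
import re

# Fixed XOR key used by IOS type-7 obfuscation; it has been public since the 1990s.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed excerpt modelled on the posted config.  "094F471A1A0A" is the
# textbook type-7 form of "cisco".  OutSideToRouter is referenced but deliberately
# left undefined to show the implicit-drop case.
SAMPLE_CONFIG = """\
crypto pki trustpoint CA
 password 7 094F471A1A0A
!
policy-map type inspect InsideToOutside
 class type inspect AllowedOut
  inspect
 class class-default
  drop log
policy-map type inspect RouterToOutSide
 class type inspect RouterToOutside
  inspect pmap-audit
 class class-default
  pass
!
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
zone-pair security RouterToOutside source self destination Outside
 service-policy type inspect RouterToOutSide
zone-pair security OutsideToRouter source Outside destination self
 service-policy type inspect OutSideToRouter
!
line vty 0 4
 transport input telnet ssh
"""

TYPE7_RE = re.compile(r"\b(?:password|key|ascii)\s+7\s+([0-9A-Fa-f]{4,})\b")
ACTIONS = ("inspect", "pass", "drop")
# Each of these opens a new top-level block and so closes an open policy-map or
# zone-pair, whether or not the sub-commands kept their indentation.
SECTION_START = ("policy-map ", "class-map ", "zone ", "interface ", "crypto ", "line ", "ip ", "!")


def decode_type7(blob: str) -> str:
    """Two decimal seed digits select the key offset; each hex byte is XORed with the key."""
    if len(blob) < 4 or len(blob) % 2:
        raise ValueError("type-7 string is a 2-digit seed plus an even number of hex digits")
    seed, data = int(blob[:2], 10), bytes.fromhex(blob[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode("latin-1")


def audit_config(text: str) -> dict:
    """One pass over the config: decoded secrets, per-zone-pair defaults, telnet VTYs."""
    secrets, policies, pairs, telnet = [], {}, {}, []
    policy = cls = pair = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := TYPE7_RE.search(line):
            secrets.append((lineno, decode_type7(m.group(1))))
        words = line.split()
        if line.startswith("policy-map type inspect"):
            # "policy-map type inspect http NAME" is a layer-7 policy nested under a
            # class; only layer-3/4 inspect policies are attached to zone-pairs.
            policy = None if words[3] == "http" else words[3]
            cls = pair = None
            if policy:
                policies.setdefault(policy, {})
            continue
        if line.startswith("zone-pair security"):
            pair, policy = words[2], None
            pairs[pair] = {"source": words[4], "destination": words[6], "policy": None}
            continue
        if line.startswith(SECTION_START):
            policy = pair = None
        if pair and line.startswith("service-policy type inspect"):
            pairs[pair]["policy"] = words[3]
        elif policy and words[0] == "class":
            cls = words[-1]                  # "class type inspect NAME" or "class class-default"
        elif policy and cls and words[0] in ACTIONS:
            policies[policy][cls] = line     # "inspect", "inspect pmap-audit", "pass", "drop log"
        elif line.startswith("transport input") and "telnet" in words:
            telnet.append((lineno, line))
    report = {}
    for name, zp in pairs.items():
        # An inspect policy-map with no explicit class-default drops unmatched traffic.
        default = policies.get(zp["policy"], {}).get("class-default", "drop (implicit)")
        report[name] = dict(zp, default=default)
    return {"secrets": secrets, "zone_pairs": report, "telnet_lines": telnet}


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for lineno, plain in result["secrets"]:
        print(f"line {lineno}: type-7 string decodes to {plain!r}")
    for name, zp in result["zone_pairs"].items():
        print(f"{name} ({zp['source']} -> {zp['destination']}): class-default {zp['default']}")
    for lineno, line in result["telnet_lines"]:
        print(f"line {lineno}: {line}  <-- telnet still accepted")
```

Run against the posted config itself, the same checks would single out the unredacted `password 7` string under the `<server>` trustpoint, `class-default` / `pass` in `RouterToOutSide` (router-originated traffic that no inspect class matched still leaves), and `transport input telnet ssh` on `line vty 0 4`. Type-7 strings are worth treating as plaintext: anyone who can read a backup of this config can recover them, so they belong in a secrets store rather than in a pasted config, and `transport input ssh` closes the cleartext management path.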
Hi Sir, just one doubt: why match req-resp protocol-violation on the class map sdm-http-allowparam instead of doing it at the class map sdm-http-blockparam?
2010-11-17 00:19:36

Use of ip route-cache flow and ip flow ingress/egress on the interface is both redundant and unnecessary. The route-cache flow command enables NetFlow statistics on an interface and its subsequent sub-interfaces; ip flow ingress/egress is used if NetFlow only needs to be enabled specifically on an interface/sub-interface basis. In this case either one or the other should be used and not both. It would shorten the config a little and probably lead to less confusion at times.
2010-04-22 13:03:43

Thank you, it is very good.
2010-10-13 01:25:19
© 1999-2012 dslreports.com