!
bridge irb
!
interface ATM0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
 !
 bundle-enable
 dsl operating-mode auto
 bridge-group 1
 hold-queue 224 in
!
interface Ethernet0/0
 description disabled
 no ip address
 no ip mroute-cache
 shutdown
 half-duplex
 no cdp enable
!
interface Ethernet0/1
 description connected to Private
 ip address 192.168.0.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 no ip route-cache
 half-duplex
 no cdp enable
!
interface BVI1
 description connected to Internet
 ip address 14.32.17.102 255.255.255.0
 ip access-group 101 in
 no ip unreachables
 ip nat outside
 no ip mroute-cache
!
router rip
 version 2
 passive-interface BVI1
 network 192.168.0.0
 no auto-summary
!
ip nat inside source list 1 interface BVI1 overload
ip nat inside source static 192.168.0.1 14.32.17.228
ip nat inside source static 192.168.0.3 14.32.17.150
ip classless
ip route 0.0.0.0 0.0.0.0 14.32.17.1
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 5 permit 192.5.41.40
access-list 5 permit 192.5.41.41
access-list 5 permit 17.254.0.27
access-list 5 deny any
access-list 7 permit 192.168.0.0 0.0.0.255
access-list 7 deny any
access-list 99 deny any
access-list 100 permit ip any any
access-list 101 remark # Start - Inbound #
access-list 101 remark # Block bogus external networks
access-list 101 deny ip 0.0.0.0 1.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 remark # block known exploited ports
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny udp any any range 135 netbios-ss log
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any
access-list 101 remark # Web server for domain.com #
access-list 101 permit tcp any host 14.32.17.228 eq 22 log
access-list 101 permit tcp any host 14.32.17.228 eq www
access-list 101 permit tcp any host 14.32.17.228 eq 115
access-list 101 permit tcp any host 14.32.17.228 eq 443
access-list 101 permit udp any host 14.32.17.228 eq domain
access-list 101 permit tcp any host 14.32.17.228 eq 554
access-list 101 permit tcp any host 14.32.17.228 eq 7070
access-list 101 remark # web server for domain2.com #
access-list 101 permit tcp any host 14.32.17.150 eq 22 log
access-list 101 permit tcp any host 14.32.17.150 eq www
access-list 101 permit tcp any host 14.32.17.150 eq 115
access-list 101 permit tcp any host 14.32.17.150 eq 443
access-list 101 remark # Allow ipsec VPN traffic
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 remark # misc. explicit internal/router acls
access-list 101 permit udp any any gt 1024
access-list 101 permit udp any eq ntp any eq ntp
access-list 101 permit tcp any host 14.32.17.102 eq 22 log
access-list 101 permit tcp any any established
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 remark # finally, block everything else and log it
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log
access-list 101 remark # End - Inbound #
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 115 deny ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 permit ip host 192.168.0.1 192.168.254.0 0.0.0.255
no cdp run
!
bridge 1 protocol ieee
bridge 1 route ip
no call rsvp-sync
!
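Added example, not part of the configuration above: a stateful replacement for the two return-traffic entries in access-list 101. In the configuration as written, `permit udp any any gt 1024` admits any inbound UDP datagram whose destination port is above 1024, and `permit tcp any any established` admits any TCP segment that has the ACK or RST bit set, whether or not an inside host ever opened a matching session; IOS evaluates these statelessly, and the later `deny udp any any log` and `deny tcp any any log` entries never see such packets. The fragment below keeps the same static filtering but uses a reflexive access list, so return traffic is admitted only for sessions that left through BVI1. The list names OUTBOUND, INBOUND and REFLECT and the timeout values are assumed, and the example assumes the IOS image in use supports reflexive access lists on the BVI; reflexive lists can only be defined inside named extended access lists, which is why the entries of access-list 101 are restated under a name.

```cisco
! Added example: stateful return-traffic filtering with a reflexive ACL.
! Names OUTBOUND, INBOUND, REFLECT and the timeouts are assumed values.
!
! Stateless entries in access-list 101 that this replaces:
!   access-list 101 permit udp any any gt 1024
!   access-list 101 permit tcp any any established
!
! Outbound list on BVI1: each TCP/UDP session leaving the router creates
! a temporary mirror entry (addresses and ports swapped) in REFLECT.
ip access-list extended OUTBOUND
 permit tcp any any reflect REFLECT timeout 300
 permit udp any any reflect REFLECT timeout 60
 permit ip any any
!
! Inbound list on BVI1: same static filtering as access-list 101;
! return traffic is matched by evaluating REFLECT instead of blanket permits.
ip access-list extended INBOUND
 remark # Block bogus external networks
 deny ip 0.0.0.0 1.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 255.0.0.0 0.255.255.255 any
 remark # block known exploited ports
 deny tcp any any range 135 139 log
 deny udp any any range 135 netbios-ss log
 deny icmp any any echo
 permit icmp any any
 remark # Web server for domain.com #
 permit tcp any host 14.32.17.228 eq 22 log
 permit tcp any host 14.32.17.228 eq www
 permit tcp any host 14.32.17.228 eq 115
 permit tcp any host 14.32.17.228 eq 443
 permit udp any host 14.32.17.228 eq domain
 permit tcp any host 14.32.17.228 eq 554
 permit tcp any host 14.32.17.228 eq 7070
 remark # web server for domain2.com #
 permit tcp any host 14.32.17.150 eq 22 log
 permit tcp any host 14.32.17.150 eq www
 permit tcp any host 14.32.17.150 eq 115
 permit tcp any host 14.32.17.150 eq 443
 remark # Allow ipsec VPN traffic
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit ahp any any
 remark # NTP peering and router management
 permit udp any eq ntp any eq ntp
 permit tcp any host 14.32.17.102 eq 22 log
 remark # return traffic only for sessions opened from inside
 evaluate REFLECT
 remark # finally, block everything else and log it
 deny ip any any log
!
interface BVI1
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

Two points about the placement. Inside-to-outside packets are NAT-translated before the outbound ACL is evaluated and outside-to-inside packets hit the inbound ACL before translation, so the temporary REFLECT entries carry the public addresses (14.32.17.102 for the overloaded hosts, 14.32.17.228 and 14.32.17.150 for the static mappings) and match the inbound packets as they arrive. The original `permit ip 192.168.0.0 0.0.255.255 any` entry is dropped: it follows `deny ip 192.168.0.0 0.0.255.255 any` in the same list, so it could never match. `show access-lists REFLECT` displays the live temporary entries. Reflexive lists track only the five-tuple of the outbound packet, so protocols that negotiate a second data connection on a new port (active-mode FTP, for example) still need an explicit static permit or an inspection feature.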