!
! Last configuration change at 21:29:54 MEST Sat Oct 21 2006
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
security passwords min-length 6
logging buffered 4096 informational
logging console warnings
enable secret 5 XXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login login_vpn_xauth local
aaa authorization network login_vpn_group local
!
aaa session-id common
!
resource policy
!
clock timezone MET 1
clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
ip cef
ip tcp selective-ack
ip tcp synwait-time 10
ip tcp path-mtu-discovery
!
!
!
!
no ip bootp server
ip domain name XXXXXX.local
ip name-server 192.168.0.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
vpdn enable
!
!
!
!
crypto pki trustpoint TP-self-signed-XXXXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXX
 certificate self-signed XXX
  quit
username XXXX privilege 15 password 7 XXXXX
username XXXXX privilege 0 secret 5 XXXXX
!
!
class-map type inspect match-any special-cmap
 match protocol smtp extended
 match protocol bittorrent
 match protocol http
 match protocol https
 match protocol ssh
 match protocol pop3
 match protocol imap
 match protocol imaps
 match protocol ftp
 match protocol ftps
 match protocol telnet
 match protocol telnets
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ports-above-1024-cmap
 match access-group 102
 match class-map special-cmap
class-map type inspect match-any clients-cmap
 match protocol smtp extended
 match protocol http
 match protocol https
 match protocol dns
 match protocol ssh
 match protocol pop3
 match protocol imap
 match protocol ftp
 match protocol ftps
 match protocol imaps
 match protocol msnmsgr
 match protocol ntp
 match protocol appleqtc
 match protocol realmedia
 match protocol telnet
 match protocol telnets
 match access-group 101
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any forwardings-cmap
 match protocol bittorrent
 match protocol https
class-map type inspect match-any vpn-cmap
 match protocol isakmp
 match access-group 103
!
!
policy-map type inspect private-internet-policy
 class type inspect ports-above-1024-cmap
  inspect
 class type inspect clients-cmap
  inspect
 class class-default
policy-map type inspect internet-private-policy
 class type inspect forwardings-cmap
  inspect
 class type inspect vpn-cmap
  inspect
 class class-default
!
zone security private
zone security internet
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
zone-pair security internet-private source internet destination private
 service-policy type inspect internet-private-policy
!
!
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key XXXXXX
 dns 192.168.0.1
 wins 192.168.0.1
 domain XXXXXX.local
 pool vpnpool
 acl 105
 save-password
 include-local-lan
 split-dns XXXXXX.local
 max-users 10
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map vpn_cmap 1
 set transform-set ESP-AES-SHA
 reverse-route
!
!
crypto map vpn_clients client authentication list login_vpn_xauth
crypto map vpn_clients isakmp authorization list login_vpn_group
crypto map vpn_clients client configuration address respond
crypto map vpn_clients 65535 ipsec-isakmp dynamic vpn_cmap
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description LAN interface
 ip address 192.168.0.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security private
 ip route-cache flow
 no ip mroute-cache
 duplex auto
 speed auto
 no keepalive
 no cdp enable
 no mop enabled
!
interface Ethernet1/0
 description T-DSL physical WAN interface
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 half-duplex
 ntp disable
 pppoe enable
 pppoe-client dial-pool-number 1
 no keepalive
 no cdp enable
 no mop enabled
!
interface Dialer1
 description T-DSL virtual WAN interface
 mtu 1492
 ip address negotiated
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security internet
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ntp disable
 no keepalive
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ispusername
 ppp pap sent-username XXX/XXXX@XXX.XX password 7 XXXXXXX
 crypto map vpn_clients
!
ip local pool vpnpool 192.168.1.1 192.168.1.10
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http access-class 1
ip http secure-server
ip nat translation tcp-timeout 1800
ip nat translation udp-timeout 240
ip nat translation dns-timeout 45
ip nat inside source static tcp 192.168.0.30 6889 interface Dialer1 6889
ip nat inside source static tcp 192.168.0.1 443 interface Dialer1 443
ip nat inside source route-map NAT_map interface Dialer1 overload
!
logging facility local0
logging source-interface FastEthernet0/0
logging 192.168.0.1
access-list 1 remark ***********************
access-list 1 remark *** HTTP access/log ***
access-list 1 remark ***********************
access-list 1 permit 192.168.0.1
access-list 1 permit 192.168.0.30
access-list 1 deny any log
access-list 2 remark **********************
access-list 2 remark *** SSH access/log ***
access-list 2 remark **********************
access-list 2 permit XX.XXX.XX.XXX
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any log
access-list 3 remark ***********************
access-list 3 remark *** SNMP access/log ***
access-list 3 remark ***********************
access-list 3 permit 192.168.0.1
access-list 3 deny any log
access-list 100 remark ******************************
access-list 100 remark *** Inbound ACL on dialer1 ***
access-list 100 remark ******************************
access-list 100 remark *** Deny martian ips
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 169.254.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 240.0.0.0 15.255.255.255 any
access-list 100 deny ip 255.0.0.0 0.255.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 remark *** Deny fragmented icmp
access-list 100 deny icmp any any fragments
access-list 100 remark *** Allow certain icmp types
access-list 100 permit icmp any any net-unreachable
access-list 100 permit icmp any any host-unreachable
access-list 100 permit icmp any any port-unreachable
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any administratively-prohibited
access-list 100 permit icmp any any source-quench
access-list 100 permit icmp any any ttl-exceeded
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any echo
access-list 100 deny icmp any any
access-list 100 remark *** Permit remaining ip traffic
access-list 100 permit ip any any
access-list 101 remark *********************************
access-list 101 remark *** ACL for clients-class-map ***
access-list 101 remark *********************************
access-list 101 remark *** Allow certain icmp types
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any parameter-problem
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any source-quench
access-list 101 remark *** Permit DNS lookups from 192.168.0.1
access-list 101 permit udp host 192.168.0.1 any eq domain
access-list 101 remark *** Standard ACL for 192.168.0.0/24 network
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq ftp-data
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 22
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 81
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 88
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq pop3
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq ident
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 143
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 443
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 554
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 1755
access-list 101 permit udp 192.168.0.0 0.0.0.255 any eq 1755
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 1863
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 3128
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 4040
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 5190
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any range 6600 6669
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 7070
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 7071
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 8000
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 8001
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 8080
access-list 102 remark ********************************************************************
access-list 102 remark *** Permit tcp/udp from host 192.168.0.30 port greater than 1024 ***
access-list 102 remark ********************************************************************
access-list 102 permit tcp host 192.168.0.30 any gt 1024
access-list 102 permit udp host 192.168.0.30 any gt 1024
access-list 103 remark **************************************
access-list 103 remark *** ACL for incoming ipsec traffic ***
access-list 103 remark **************************************
access-list 103 permit ip any any
access-list 104 remark ****************************************
access-list 104 remark *** Deny vpn traffic from being NATed **
access-list 104 remark ****************************************
access-list 104 deny ip 192.168.0.0 0.0.0.255 host 192.168.1.1
access-list 104 deny ip 192.168.0.0 0.0.0.255 host 192.168.1.2
access-list 104 deny ip 192.168.0.0 0.0.0.255 host 192.168.1.3
access-list 104 deny ip 192.168.0.0 0.0.0.255 host 192.168.1.4
access-list 104 deny ip 192.168.0.0 0.0.0.255 host 192.168.1.5
access-list 104 deny ip 192.168.0.0 0.0.0.255 host 192.168.1.6
access-list 104 deny ip 192.168.0.0 0.0.0.255 host 192.168.1.7
access-list 104 deny ip 192.168.0.0 0.0.0.255 host 192.168.1.8
access-list 104 deny ip 192.168.0.0 0.0.0.255 host 192.168.1.9
access-list 104 deny ip 192.168.0.0 0.0.0.255 host 192.168.1.10
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 remark ****************************
access-list 105 remark *** ACL for split tunnel ***
access-list 105 remark ****************************
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community XXXX RW 3
no cdp run
!
!
route-map NAT_map permit 1
 match ip address 104
!
!
!
control-plane
!
!
!
banner exec XXXXXX
banner login XXXXXXX
!
line con 0
 exec-timeout 0 0
 password 7 XXXXXX
line aux 0
 exec-timeout 0 1
 password 7 XXXXXX
 no exec
line vty 0 4
 access-class 2 in
 exec-timeout 0 0
 transport input ssh
 transport output none
!
scheduler allocate 4000 1000
ntp clock-period 17208493
ntp source FastEthernet0/0
ntp server 192.168.0.1 source FastEthernet0/0 prefer
!
end