version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
!
hostname (something)
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 informational
logging rate-limit console 15 except errors
enable secret 5 (something)
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
!
aaa session-id common
clock timezone CST 9 30
clock summer-time CSuT recurring last Sun Oct 2:00 last Sun Mar 2:00
no ip source-route
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name (something.com.au)
!
!
!
!
!
username shochr password 7 (something)
username cdradmin privilege 15 secret 5 (something)
username admin secret 5 (something)
!
!
no crypto isakmp enable
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
!
crypto isakmp policy 30
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key (something) address (ip of vpn destination, DHP) no-xauth
crypto isakmp key (something) address (ip of vpn destination, QLD) no-xauth
crypto isakmp xauth timeout 20
!
crypto isakmp client configuration group (something)
 key (something)
 dns 192.168.1.2 139.130.4.4
 wins 192.168.1.2
 domain (something.com.au)
 pool vpn-clients
 acl encrypt-to-vpn-clients
!
!
crypto ipsec transform-set transform-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set vpn ah-md5-hmac esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map vpn-dynamic 10
 set transform-set transform-3des-sha
 reverse-route
!
!
crypto map encrypt-traffic client authentication list default
crypto map encrypt-traffic isakmp authorization list default
crypto map encrypt-traffic client configuration address respond
crypto map encrypt-traffic 10 ipsec-isakmp
 set peer (ip of vpn destination, QLD)
 set transform-set vpn
 match address encrypt-to-queensland
crypto map encrypt-traffic 20 ipsec-isakmp
 set peer (ip of vpn destination, DHP)
 set transform-set vpn
 match address encrypt-to-dhp
crypto map encrypt-traffic 200 ipsec-isakmp dynamic vpn-dynamic
!
!
!
!
interface Tunnel1
 description --- GRE over IPSec tunnel to Queensland ---
 ip unnumbered Vlan1
 ip mtu 1372
 tunnel source (static ip of ADSL service)
 tunnel destination (ip of vpn destination, QLD)
!
interface Tunnel2
 description --- GRE over IPSec tunnel to DHP ---
 ip unnumbered Vlan1
 ip mtu 1372
 tunnel source (static ip of ADSL service)
 tunnel destination (ip of vpn destination, DHP)
!
interface ATM0
 description --- Telstra ADSL Wholesale ---
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description --- PVC to ConnectDSL ---
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description --- LAN connection ---
 ip address 192.168.1.15 255.255.255.0
 hold-queue 100 out
!
interface Dialer0
 description --- AAPT DSL ---
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname (something).connectdsl.com.au
 ppp chap password 7 (something)
 ppp pap sent-username (something).connectdsl.com.au password 7 (something)
!
ip local pool vpn-clients 192.168.127.1 192.168.127.239
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.8.0 255.255.255.0 Tunnel2
ip route 192.168.64.0 255.255.255.0 Tunnel1
!
ip http server
no ip http secure-server
!
ip access-list standard snmp-cdr
 permit (ip of external host that needs to be able to do some management stuff)
 permit (ip of external host that needs to be able to do some management stuff)
 permit (ip of external host that needs to be able to do some management stuff)
 permit (ip of external host that needs to be able to do some management stuff)
 permit (ip of external host that needs to be able to do some management stuff)
ip access-list standard vty-in
 permit (ip of external host that needs to be able to do some management stuff)
 permit (ip of external host that needs to be able to do some management stuff)
 permit (ip of external host that needs to be able to do some management stuff)
 permit (ip of external host that needs to be able to do some management stuff)
 permit (ip of external host that needs to be able to do some management stuff)
!
ip access-list extended dialer0-in
 remark Block commonly spoofed addresses
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Allow SNMP from CBSI
 permit udp host (ip of external host that needs to be able to do some management stuff) any eq snmp
 permit udp host (ip of external host that needs to be able to do some management stuff) any eq snmp
 permit udp host (ip of external host that needs to be able to do some management stuff) any eq snmp
 permit udp host (ip of external host that needs to be able to do some management stuff) any eq snmp
 permit udp host (ip of external host that needs to be able to do some management stuff) any eq snmp
 remark Allow ICMP except redirects
 deny   icmp any any redirect
 permit icmp any any
 remark Allow NTP and DNS to the router
 permit udp host 128.250.36.2 eq ntp host (static ip of ADSL service) eq ntp
 permit udp host 128.250.37.2 eq ntp host (static ip of ADSL service) eq ntp
 permit udp host 128.250.36.3 eq ntp host (static ip of ADSL service) eq ntp
 permit udp host 203.2.124.164 eq domain host (static ip of ADSL service) gt 1023
 permit udp host 203.2.124.165 eq domain host (static ip of ADSL service) gt 1023
 deny   ip any any log
ip access-list extended dialer1-out
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 127.0.0.0 0.255.255.255
 permit ip any any
ip access-list extended encrypt-to-dhp
 permit gre host (static ip of ADSL service) host (ip of vpn destination, DHP)
ip access-list extended encrypt-to-queensland
 permit gre host (static ip of ADSL service) host (ip of vpn destination, QLD)
ip access-list extended encrypt-to-vpn-clients
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended ethernet0-in
 remark --- Block W32.Blaster virus
 remark --- block TFTP
 deny   udp any any eq tftp
 remark --- block W32.Blaster related protocols
 deny   tcp any any eq 135
 deny   udp any any eq 135
 remark --- block other vulnerable MS protocols
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   tcp any any eq 139
 deny   udp any any eq netbios-ss
 deny   tcp any any eq 445
 deny   tcp any any eq 593
 remark --- block remote access due to W32.Blaster
 deny   tcp any any eq 4444
 remark --- Block Slammer virus
 deny   udp any any eq 1434
 permit ip any any
ip access-list extended vpn-ho-dhp
 permit ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
!
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner login ^C
Use of this network and computer systems is restricted to authorised users.
User activity is monitored and recorded by system personnel. Anyone using the
network expressly consents to such monitoring and recording.

Unauthorised access to this system is a criminal offence under Australian law
(Federal Crimes Act 1914 Part VIA). It is a criminal offence to:
 (1) Obtain access to data without authority.
     - Penalty 2 years imprisonment.
 (2) Damage, delete, alter or insert data without authority.
     - Penalty 10 years imprisonment.

If possible criminal activity is detected, system records, along with certain
personal information, may be provided to law enforcement officials.
^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport output all
line aux 0
 no exec
 transport output all
line vty 0 4
 access-class vty-in in
 exec-timeout 120 0
 login authentication local
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
sntp server 128.250.36.2
sntp server 128.250.37.2
sntp server 128.250.36.3
end