XXXX1801-NP#s ver
Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Mon 30-Apr-07 14:24 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)

XXXX1801-NP uptime is 13 minutes
System returned to ROM by reload at 12:12:06 Napier Thu May 10 2007
System image file is "flash:c180x-adventerprisek9-mz.124-11.T2.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1801 (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FHK1105187H, with hardware revision 0000
9 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

XXXX1801-NP#sh fla
-#- --length-- -----date/time------ path
1       546882 May 3 2007 16:37:38 +12:00 crashinfo_20070503-043714
2         1038 May 3 2007 01:06:10 +12:00 home.shtml
3         2482 May 3 2007 01:06:22 +12:00 sdmconfig-180x.cfg
4       113152 May 3 2007 01:06:32 +12:00 home.tar
5      1164288 May 3 2007 01:06:46 +12:00 common.tar
6      6036480 May 3 2007 01:07:08 +12:00 sdm.tar
7            0 May 10 2007 12:13:14 +12:00 webvpn
8       406963 May 3 2007 01:11:22 +12:00 webvpn/svc.pkg
9      1687326 May 3 2007 01:11:44 +12:00 webvpn/sdesktop.pkg
10        7823 May 3 2007 01:12:26 +12:00 XXXXlogo.gif
11    19769308 May 3 2007 13:54:04 +12:00 c180x-adventerprisek9-mz.124-11.T2.bin
13      526448 May 4 2007 12:43:10 +12:00 crashinfo_20070504-004246
14      507397 May 4 2007 12:45:06 +12:00 crashinfo_20070504-004442
15      489358 May 4 2007 12:47:02 +12:00 crashinfo_20070504-004638
16      512265 May 4 2007 12:49:00 +12:00 crashinfo_20070504-004837
17      510925 May 4 2007 12:50:56 +12:00 crashinfo_20070504-005033
18      524464 May 4 2007 12:52:52 +12:00 crashinfo_20070504-005228
19      525154 May 4 2007 12:54:46 +12:00 crashinfo_20070504-005423
20      519597 May 4 2007 14:42:02 +12:00 crashinfo_20070504-024136
21      343894 May 4 2007 16:48:58 +12:00 crashinfo_20070504-044857
22           0 May 10 2007 12:15:02 +12:00 ipsstore
23        6159 May 10 2007 12:19:18 +12:00 ipsstore/XXXX1801-NP-sigdef-typedef.xml
24       21875 May 10 2007 12:19:20 +12:00 ipsstore/XXXX1801-NP-sigdef-category.xml
25      187573 May 10 2007 12:21:00 +12:00 ipsstore/XXXX1801-NP-sigdef-default.xml

29556736 bytes available (34459648 bytes used)

XXXX1801-NP#s run
Building configuration...

Current configuration : 17026 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXX1801-NP
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 1536000
logging console critical
enable secret
!
aaa new-model
!
!
aaa authentication login userauthen group radius
aaa authentication login sdm_vpn_xauth_ml_1 group radius
aaa authorization network userauthen group radius
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone Napier 12
clock summer-time Napier date Mar 16 2003 3:00 Oct 5 2003 2:00
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name XXXX
ip name-server 10.10.10.4
ip name-server 10.10.10.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 https
ip ips config location flash:ipsstore/ retries 1
ip ips notify SDEE
ip ips name myips
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
ip urlfilter allow-mode on
ip sdee messages 400
ip sdee alerts 1000
ip rcmd rcp-enable
ip rcmd remote-host xxxxxxx 10.10.10.253 xxxxxx enable
ip rcmd remote-username xxxxxxx
!
appfw policy-name DEFAULT100
  application http
    port-misuse p2p action reset alarm
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-2325466727
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2325466727
 revocation-check none
 rsakeypair TP-self-signed-2325466727
!
!
crypto pki certificate chain TP-self-signed-2325466727
 certificate self-signed 01
  30820256 308201BF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32333235 34363637 3237301E 170D3037 30353033 30313233
  30385A17 0D3230xxxxxxxxxxxxxxxxxxxxxxx585B9B1F 99B0DD26 816DE925 CFD70203 010001A3
  7E307C30 0F060355 1D130101 FF040530 030101FF 30290603 551D1104 22302082
  1E415045 58313830 312D4E50 2E617065 782D636F 6E73756C 742E636F 2E6E7A30
  1F060355 1D230418 30168014 1EF967BC 36DDC768 4128B1C8 E42C17DB E46E2DD2
  301D0603 551D0E04 1604141E F967BC36 DDC76841 28B1C8E4 2C17DBE4 6E2DD230
  0D06092A 864886F7 0D010104 05000381 81004964 F0756681 5623CC8E 8715EDE3
  AB8ABF56 25F9829A C23F65A5 F93057B7 890EB1FF 7960B253 75FEF2A9 FB86E3CE
  0FF3D6BF 2C0243FB 293C971D 1CDCA2D8 33C35A68 54E6058A 26195DD7 8C53E04E
  5D85616C 5ACB265D 931A292F B875F38E 6818210C 3CF07E41 1C88CA45 B7FDAEDE
  C2E5E839 3C45DC98 54F330EE 2860F0C1 BFEC
  quit
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit
!
!
username xxxxxxn43 privilege 15 secret xxxxxxx
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_DEFAULT100
 class sdm_p2p_gnutella
  drop
 class sdm_p2p_bittorrent
  drop
 class sdm_p2p_edonkey
  drop
 class sdm_p2p_kazaa
  drop
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local fullclientPOOL
!
crypto isakmp client configuration group remoteuser
 key xxxxxxx
 dns 10.10.10.4 10.10.10.1
 domain XXXX-XXXX.co.nz
 pool fullclientPOOL
 acl 199
!
!
crypto ipsec transform-set macpolicy esp-3des esp-md5-hmac
!
crypto dynamic-map macdyna 10
 set transform-set macpolicy
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic macdyna
!
!
!
!
interface Loopback0
 description Used to configure WebVPN full client
 ip address 172.22.100.254 255.255.255.0
 ip virtual-reassembly
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1395
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip ips myips in
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username XXXX06.xxx password 7 xxxxxxx
 crypto map clientmap
 service-policy input sdmappfwp2p_DEFAULT100
 service-policy output sdmappfwp2p_DEFAULT100
!
ip local pool clientPOOL 172.22.100.1 172.22.100.253
ip local pool fullclientPOOL 172.22.101.1 172.22.101.253
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.10.4.0 255.255.255.0 10.10.10.2
ip route 10.10.6.0 255.255.255.0 10.10.10.2
ip route 10.10.8.0 255.255.255.0 10.10.10.2
ip route 10.115.0.0 255.255.0.0 10.10.10.33
ip route 192.0.0.0 255.255.255.0 10.10.10.33
ip route 192.168.73.0 255.255.255.0 10.10.10.33
!
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 3600000
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 10.10.10.4 25 XXXX 25 extendable
!
logging trap debugging
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.10.0.0 0.0.255.255
access-list 1 permit 172.22.101.0 0.0.0.255
access-list 1 permit 172.22.100.0 0.0.0.255
access-list 1 deny any log
access-list 100 remark Incomming access-list on VLAN1
access-list 100 permit ip host 10.10.10.105 any
access-list 100 permit ip host 10.10.10.108 any
access-list 100 permit tcp any any eq 2082
access-list 100 permit tcp any any eq 1494
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp host 10.10.10.4 any eq smtp
access-list 100 permit ip host 10.10.10.32 any
access-list 100 permit ip host 10.10.10.4 any
access-list 100 permit ip host 10.10.10.1 any
access-list 100 permit ip any 172.22.100.0 0.0.0.255
access-list 100 permit ip any 172.22.101.0 0.0.0.255
access-list 100 permit ip any 10.10.8.0 0.0.0.255
access-list 100 permit ip any 10.10.6.0 0.0.0.255
access-list 100 permit ip any 10.10.4.0 0.0.0.255
access-list 100 permit ip any 10.115.0.0 0.0.255.255
access-list 100 permit tcp 10.10.0.0 0.0.255.255 host 10.10.10.254 eq telnet
access-list 100 permit tcp 10.10.0.0 0.0.255.255 host 10.10.10.254 eq 22
access-list 100 permit tcp 10.10.0.0 0.0.255.255 host 10.10.10.254 eq www
access-list 100 permit tcp 10.10.0.0 0.0.255.255 host 10.10.10.254 eq 443
access-list 100 permit tcp 10.10.0.0 0.0.255.255 host 10.10.10.254 eq cmd
access-list 100 deny ip any any log
access-list 101 remark Inbound access-list on Dialer0
access-list 101 remark SDM_ACL Category=17
access-list 101 permit tcp any any established
access-list 101 permit tcp any host XXXX eq smtp
access-list 101 permit tcp any host XXXX eq www
access-list 101 permit tcp any host XXXX eq 443
access-list 101 deny ip 10.10.10.0 0.0.0.255 any log
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit ahp any host XXXX
access-list 101 permit esp any host XXXX
access-list 101 permit udp any host XXXX eq isakmp
access-list 101 permit udp any host XXXX eq non500-isakmp
access-list 101 permit ip 172.22.100.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 172.22.100.0 0.0.0.255 host XXXX
access-list 101 permit ip 172.22.101.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 172.22.101.0 0.0.0.255 host XXXX
access-list 101 permit tcp host 219.89.115.114 any eq 22
access-list 101 permit icmp host 219.89.115.114 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
access-list 104 remark Telnet Access
access-list 104 remark SDM_ACL Category=17
access-list 104 permit ip 10.10.0.0 0.0.255.255 any
access-list 104 permit ip host 219.89.115.114 any
access-list 104 permit ip 172.22.100.0 0.0.0.255 any
access-list 104 permit ip 172.22.101.0 0.0.0.255 any
access-list 104 deny ip any any log
access-list 172 remark Matches which traffic gets NATd
access-list 172 remark SDM_ACL Category=18
access-list 172 deny ip 10.10.0.0 0.0.255.255 172.22.100.0 0.0.0.255
access-list 172 deny ip 10.10.0.0 0.0.255.255 172.22.101.0 0.0.0.255
access-list 172 permit ip 10.10.0.0 0.0.255.255 any
access-list 199 remark Match what traffic gets split tunneled
access-list 199 remark SDM_ACL Category=20
access-list 199 permit ip 10.10.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map nonat permit 10
 match ip address 172
!
!
!
radius-server host 10.10.10.4 auth-port 1645 acct-port 1646 key 7 xxxxxx
!
control-plane
!
banner exec ^CCC
xxxx
^C
banner login ^CCC
xxxxxxxx
^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 104 in
 privilege level 15
 login authentication groupauthor
 transport input telnet ssh
line vty 5 15
 access-class 104 in
 privilege level 15
 login authentication groupauthor
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway XXXX
 ip address XXXX port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-308468063
 inservice
 !
webvpn install svc flash:/webvpn/svc.pkg
 !
webvpn install csd flash:/webvpn/sdesktop.pkg
 !
webvpn context Default_context
 title "Unauthorised Access Prohibited All Access Is Monitored"
 logo file flash:/XXXXlogo.gif
 title-color #004186
 secondary-color #c0c0c0
 ssl authenticate verify all
 !
 url-list "XXXXInternalwebSites"
   heading "XXXX Internal Web Sites"
   url-text "Intranet" url-value "http://intranet"
   url-text "Outlook Web Access" url-value "http://xxxxxxxexchange"
 !
 !
 policy group InternalWebSites
   url-list "XXXXInternalwebSites"
   hide-url-bar
 default-group-policy InternalWebSites
 aaa authentication list userauthen
 inservice
!
!
webvpn context webvpn
 title "Unauthorised Access Prohibited All Access is Monitored"
 logo file flash:/XXXXlogo.gif
 title-color #004186
 secondary-color #c0c0c0
 ssl authenticate verify all
 !
 !
 policy group webvpn
   functions svc-required
   svc address-pool "clientPOOL"
   svc default-domain "XXXX-xxxxx"
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split dns "XXXX-xxxxxx"
   svc split include 10.10.0.0 255.255.0.0
   svc dns-server primary 10.10.10.4
   svc dns-server secondary 10.10.10.1
 default-group-policy webvpn
 aaa authentication list userauthen
 gateway XXXX domain webvpn
 inservice
!
end

XXXX1801-NP#sh mem
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   838CBCCC    62079796    60659088     1420708      954272     1229772
      I/O    7400000    12582912     6268444     6314468     6314468     6314396