CISCO871#
CISCO871#
CISCO871#sh run
Building configuration...
Current configuration : 7066 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO871
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$b6Xk$hPAmTAZeTqjJIUpKItv4./
enable password 7 06151A3B5945001E160F005D5C54
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool VLAN10
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 lease 4
ip dhcp pool VLAN20
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.1.1
 lease 4
!
ip dhcp pool SDM-DHCP
!
!
no ip bootp server
ip domain name CISCO871
ip name-server 208.67.222.222
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-2805355612
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2805355612
 revocation-check none
 rsakeypair TP-self-signed-2805355612
!
!
username xxx privilege 15 password 7 xxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group home
 key xxxx
 pool SDM_POOL_1
 max-users 5
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
 match identity group home
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address initiate
 client configuration address respond
 virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet4
 description $ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered BVI10
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 !
 encryption vlan 10 mode ciphers tkip
 !
 ssid CISCO
    vlan 10
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 09404B1D14001E1C1B00012B3821
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2437
 station-role root
 no dot11 extension aironet
 no cdp enable
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no snmp trap link-status
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan10
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface Vlan20
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap hostname xxxx
 ppp chap password 7 xxxx
 ppp pap sent-username xxxpassword 7 xxx
 ppp ipcp dns request
 ppp ipcp address accept
!
interface BVI10
 description Bridge to Internal Network$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.10.1 192.168.10.10
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended Guest_ACL
 deny ip any 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended Internet-inbound-ACL
 remark SDM_ACL Category=16
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit udp any eq bootps any eq bootpc
 permit ahp any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp any host 192.168.1.1 eq non500-isakmp
access-list 100 permit udp any host 192.168.1.1 eq isakmp
access-list 100 permit esp any host 192.168.1.1
access-list 100 permit ahp any host 192.168.1.1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 1
no cdp run
!
!
control-plane
!
bridge 10 route ip
!
line con 0
 password 7
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 password 7
 transport input telnet ssh
!
scheduler max-task-time 5000
end
CISCO871#