! Cisco IOS running-config of the hub router "HUBRTR" (global services, AAA, clock, PKI trustpoint).
! The source copy was collapsed onto a few long lines; it is re-split one statement per line here.
! "!" lines are comments/separators only and carry no configuration.
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! NOTE(review): service password-encryption only applies the reversible type-7 encoding to
! passwords/keys shown as "7 <hex>" below; it is obfuscation, not hashing.
service password-encryption
!
hostname HUBRTR
!
boot-start-marker
boot-end-marker
!
logging buffered 102400 debugging
! SECURITY: "enable password 7 ..." is a reversible type-7 string, so anyone who can read this
! file can recover the enable password (this particular value decodes to a well-known default).
! Replace with "enable secret <new value>" (hashed) and rotate the secret; the old line stays
! here only because a replacement secret cannot be invented in a review.
enable password 7 0822455D0A16
!
aaa new-model
!
! Login method lists: "group radius local" tries the RADIUS server at 192.168.0.1 (see
! radius-server host further down) and falls back to the local user database when RADIUS does
! not answer, so the local "gen-i" account is a live fallback path for VPN XAUTH as well.
! No "aaa authentication login default" list is defined, so console/aux/vty lines use the
! aaa new-model implicit default (local database) -- confirm on the running platform.
aaa authentication login userauthen group radius local
aaa authentication login groupauthor local
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone NZST 12
clock summer-time NZDT recurring last Sun Sep 2:00 1 Sun Apr 3:00
ip subnet-zero
!
ip cef
!
no ip bootp server
! DNS lookups disabled on the router itself; ip domain name is still needed for the SSH RSA key name.
no ip domain lookup
ip domain name site.internal
!
voice-card 0
 no dspfarm
!
! Self-signed trustpoint backing "ip http secure-server". revocation-check none is inherent to a
! self-signed cert; the certificate body (and its weaknesses) is in the "certificate chain" section.
crypto pki trustpoint TP-self-signed-3148711764
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3148711764
 revocation-check none
 rsakeypair TP-self-signed-3148711764
!
! Self-signed certificate for trustpoint TP-self-signed-3148711764 (DER, hex).
! Decoded from the DER below: 1024-bit RSA public key (02 81 81 00 ... modulus), signature
! algorithm md5WithRSAEncryption (OID 2A864886F70D010104), basicConstraints CA:TRUE,
! subjectAltName dNSName "HIGPNC-INT.higgins.internal", validity 090408153002Z -> 200101000000Z
! (2009-04-08 to 2020-01-01 UTC).
! SECURITY: MD5 signature and a 1024-bit key are below current minimums and the notAfter date has
! passed; regenerate with >=2048-bit RSA / SHA-256 if HTTPS management is still used. The SAN does
! not match the configured hostname/domain (HUBRTR / site.internal) -- either the router was renamed
! after enrollment or this copy of the config was sanitised.
crypto pki certificate chain TP-self-signed-3148711764
 certificate self-signed 01
  30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33313438 37313137 3634301E 170D3039 30343038 31353330
  30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31343837
  31313736 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BBF1 03FB4E55 9BB1D450 0BBF5221 83A23DFB FA728EE8 8FCCAFCE E3B7A1E5
  F9B3717C 218D9477 24DA54DF 3C7EE5A9 430ED25A C2C91336 182140AF AC8029AC
  46E76BDD C0AA5830 65601F9B 93B3A40F 639D00BD 9540F2EA 22C53B73 08CF44D6
  AE43D95F B643C5C8 37708878 9A7EDE32 421F2D22 E955BF17 6B1CEC4B 6E87C8F1
  78470203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
  551D1104 1F301D82 1B484947 504E432D 494E542E 68696767 696E732E 696E7465
  726E616C 301F0603 551D2304 18301680 149A1D90 9DA2C6A8 85D4F1C9 864F2F36
  6AE1A5EB 12301D06 03551D0E 04160414 9A1D909D A2C6A885 D4F1C986 4F2F366A
  E1A5EB12 300D0609 2A864886 F70D0101 04050003 81810008 3296D4A7 4B8E4F80
  D9321FF1 3F75529D EE2C49BA EFC686F7 D6C689F2 4D05E97A 20F78ED8 7CF6615D
  B3960802 E39151E9 F0377781 8C420010 430C649C AEBCDDF0 E8BB978A 782BBDE6
  BD171775 B876A4E9 D859E74B C635FF9F 0D587390 B6C8BA0E 94060B2C 79C64F45
  986961A9 A9DF4A62 AB8B3123 652D936C 260363F4 6CDB77
  quit
! Sole local administrator (privilege 15). Its password is type 7 (reversible) and has been
! redacted to "xxxxxxx" in this copy. Because every "group radius local" list falls back to this
! database, this account is reachable whenever RADIUS is down: use "secret" rather than
! "password 7", and make it long and unique.
username gen-i privilege 15 password 7 xxxxxxx
! Config-change archive with hidekeys: keys/passwords are masked in the change log.
archive
 log config
  hidekeys
!
! IKEv1 phase-1 policy shared by the five site-to-site peers and the remote-access clients.
! SECURITY: 3DES / MD5 / DH group 2 are all deprecated. Moving to AES-256 / SHA-256 / group 14+
! requires the matching change on every spoke, so it is flagged here rather than changed.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Site-to-site pre-shared keys. They are stored in cleartext (service password-encryption does not
! cover ISAKMP keys unless "password encryption aes" + "key config-key" are used) and follow a
! guessable "spokeNshared" pattern; rotate to random, per-peer keys. no-xauth marks these peers as
! LAN-to-LAN so they are not prompted for the XAUTH user step that the client dynamic map uses.
crypto isakmp key spoke1shared address 125.236.237.198 no-xauth
crypto isakmp key spoke2shared address 125.236.237.199 no-xauth
crypto isakmp key spoke3shared address 125.236.237.200 no-xauth
crypto isakmp key spoke4shared address 125.236.237.202 no-xauth
crypto isakmp key spoke5shared address 125.236.237.197 no-xauth
! Remote-access (EzVPN-style) clients are assigned addresses from local pool "clientpool"
! (172.16.100.1-254, defined with the static routes).
crypto isakmp client configuration address-pool local clientpool
!
! Remote-access VPN group "higginsgroup". The group key is the IKE aggressive-mode pre-shared
! secret shared by every client profile, stored here in cleartext; anyone who ever received a
! client profile still holds it, so it should be rotated and, longer term, replaced by
! certificate authentication. "acl 199" enables split tunnelling: only the networks in ACL 199
! go through the tunnel, everything else leaves the client directly (the client is on the
! internet and the corporate network at the same time).
crypto isakmp client configuration group higginsgroup
 key shearedvpnkey
 dns 192.168.0.1 192.168.0.21
 wins 192.168.0.1
 domain higgins.internal
 acl 199
!
! Phase-2 proposal used by every tunnel. SECURITY: 3DES + HMAC-MD5 are deprecated; see the
! phase-1 note -- change in lock-step with the spokes (e.g. esp-aes 256 esp-sha256-hmac).
crypto ipsec transform-set macpolicy esp-3des esp-md5-hmac
!
! Dynamic map for clients; reverse-route injects a host route for each connected client's
! pool address so returning traffic reaches it.
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set macpolicy
 reverse-route
!
! XAUTH for clients goes through list sdm_vpn_xauth_ml_1 (RADIUS, then local fallback);
! group policy lookup is local (sdm_vpn_group_ml_1). "address respond" hands out pool addresses
! only when the client asks for one.
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
! Static site-to-site entries 1-5; the crypto ACLs (120-124) all select 192.168.0.0/16 -> spoke
! LAN, so spoke-to-spoke traffic that transits the hub is also encrypted. The peer for each
! entry must match a "crypto isakmp key ... address" line above (it does for all five).
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to REXB 125.236.237.197
 set peer 125.236.237.197
 set transform-set macpolicy
 match address 120
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to LVN 125.236.237.198
 set peer 125.236.237.198
 set transform-set macpolicy
 match address 121
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel to PNC 125.236.237.199
 set peer 125.236.237.199
 set transform-set macpolicy
 match address 122
crypto map SDM_CMAP_1 4 ipsec-isakmp
 description Tunnel to BBULK 125.236.237.200
 set peer 125.236.237.200
 set transform-set macpolicy
 match address 123
crypto map SDM_CMAP_1 5 ipsec-isakmp
 description Tunnel to DCSP 125.236.237.202
 set peer 125.236.237.202
 set transform-set macpolicy
 match address 124
! Catch-all entry for remote-access clients (dynamic peers).
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
! Loopback used as the target of route-map "policy-route" (traffic from 192.168.8.0/24 is
! steered here) and marked nat inside; it appears to implement hub-side NAT for spoke LVN's
! internet-bound traffic ("NAT on a stick") -- confirm with the site design.
! NOTE(review): 1.1.1.0/24 is public address space (not RFC 1918); pick an RFC 1918 block.
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! WAN interface. Inbound filtered by ACL 102, strict uRPF enabled, proxy-ARP off, NAT outside,
! crypto map applied. The secondary RFC 1918 address 192.168.250.248/24 pairs with the second
! default route via 192.168.250.251 (see static routes) -- presumably a second upstream; confirm.
interface FastEthernet0/0
 description Public External IP$ETH-WAN$
 ip address 192.168.250.248 255.255.255.0 secondary
 ip address 122.56.13.94 255.255.255.240
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip policy route-map policy-route
 duplex auto
 speed auto
 no snmp trap link-status
 crypto map SDM_CMAP_1
!
! Head-office LAN. Outbound (LAN -> router) traffic is filtered by ACL 110.
interface FastEthernet0/1
 description Internal HO LAN$ETH-LAN$
 ip address 192.168.0.252 255.255.255.0
 ip access-group 110 in
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
! NOTE(review): Serial0/1/0 is up with an address but no description, no ACL and no NAT/crypto
! role; nothing else in this config references 10.1.0.0/24. Document what is attached or shut it.
interface Serial0/1/0
 ip address 10.1.0.1 255.255.255.0
!
! Address pool for remote-access VPN clients (referenced by "crypto isakmp client configuration").
ip local pool clientpool 172.16.100.1 172.16.100.254
ip classless
! Two default routes with equal administrative distance: with CEF the router load-shares
! per destination between the ISP gateway 122.56.13.81 and 192.168.250.251 (reachable via the
! secondary address on Fa0/0). If the second path is meant as backup, give it a higher distance
! (floating static) -- TODO confirm intent.
ip route 0.0.0.0 0.0.0.0 122.56.13.81
ip route 0.0.0.0 0.0.0.0 192.168.250.251
! Internal networks behind the core router 192.168.0.251 (192.168.100.0/24 via 192.168.0.253).
ip route 10.0.0.0 255.255.255.0 192.168.0.251
ip route 10.0.1.0 255.255.255.0 192.168.0.251
ip route 10.0.2.0 255.255.255.0 192.168.0.251
ip route 10.0.3.0 255.255.255.0 192.168.0.251
ip route 10.0.4.0 255.255.255.0 192.168.0.251
ip route 10.0.5.0 255.255.255.0 192.168.0.251
ip route 10.0.6.0 255.255.255.0 192.168.0.251
! IPsec peer range via the ISP gateway.
ip route 125.236.237.0 255.255.255.0 122.56.13.81
ip route 192.168.1.0 255.255.255.0 192.168.0.251
ip route 192.168.2.0 255.255.255.0 192.168.0.251
ip route 192.168.3.0 255.255.255.0 192.168.0.251
ip route 192.168.4.0 255.255.255.0 192.168.0.251
ip route 192.168.5.0 255.255.255.0 192.168.0.251
ip route 192.168.6.0 255.255.255.0 192.168.0.251
ip route 192.168.7.0 255.255.255.0 192.168.0.251
! Spoke LVN LAN (crypto ACL 121) is routed toward the WAN so the crypto map on Fa0/0 can
! encrypt it. The other spoke LANs (192.168.10/15/17/18) have no explicit route and therefore
! follow the default routes, which also exit Fa0/0.
ip route 192.168.8.0 255.255.255.0 122.56.13.81
ip route 192.168.11.0 255.255.255.0 192.168.0.251
ip route 192.168.13.0 255.255.255.0 192.168.0.251
ip route 192.168.14.0 255.255.255.0 192.168.0.251
ip route 192.168.16.0 255.255.255.0 192.168.0.251
ip route 192.168.100.0 255.255.255.0 192.168.0.253
ip route 192.168.101.0 255.255.255.0 192.168.0.251
ip route 192.168.102.0 255.255.255.0 192.168.0.251
ip route 192.168.103.0 255.255.255.0 192.168.0.251
ip route 192.168.104.0 255.255.255.0 192.168.0.251
ip route 192.168.105.0 255.255.255.0 192.168.0.251
ip route 192.168.106.0 255.255.255.0 192.168.0.251
ip route 192.168.107.0 255.255.255.0 192.168.0.251
ip route 192.168.111.0 255.255.255.0 192.168.0.251
ip route 192.168.113.0 255.255.255.0 192.168.0.251
ip route 192.168.114.0 255.255.255.0 192.168.0.251
ip route 192.168.116.0 255.255.255.0 192.168.0.251
!
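! HTTP/HTTPS management (SDM). CHANGED(review): plaintext "ip http server" disabled -- it
! carried the local admin credentials in the clear; "ip http secure-server" (HTTPS) stays on.
! NOTE(review): "ip http access-class 23" references ACL 23, which is not defined anywhere in
! this configuration; on IOS an undefined access-class behaves as permit-all, so HTTPS
! management is reachable from any source the interface ACLs let through. Define ACL 23 with
! the management hosts only.
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
! NAT. List 100 (source 192.168.8.0/24, the LVN spoke LAN) is overloaded to the WAN address;
! route-map "nonat" (ACL 172) excludes VPN destinations from PAT for the head-office LAN.
! Static port forwards: SMTP -> 192.168.0.9, tcp/3788 -> 192.168.0.105, HTTPS -> 192.168.0.22,
! 1:1 NAT of DMZ host 172.16.200.2 to 122.56.13.90, and SSH on 122.56.13.93 -> 192.168.0.5.
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.9 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.0.105 3788 interface FastEthernet0/0 3788
ip nat inside source static tcp 192.168.0.22 443 interface FastEthernet0/0 443
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip nat inside source static network 172.16.200.2 122.56.13.90 /32
ip nat inside source static tcp 192.168.0.5 22 122.56.13.93 22 extendable
!
! ACL 100 doubles as the NAT source list and the policy-route match (see route-map policy-route).
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
! ACL 102: inbound filter on the WAN interface. Entries are evaluated in order; notes below
! point out entries that are shadowed by earlier ones.
access-list 102 remark Filter traffic Inbound from Internet
access-list 102 remark Crypto from Client
access-list 102 permit esp any host 122.56.13.94
access-list 102 permit udp any host 122.56.13.94 eq isakmp
access-list 102 permit udp any host 122.56.13.94 eq non500-isakmp
! The "Traffic thru Tunnel" / "Site-to-Site" permits only matter if decrypted packets are
! re-checked against this ACL (pre-12.3(8)T behaviour); on later IOS they are harmless but dead.
access-list 102 remark Traffic thru Tunnel
access-list 102 permit ip 172.16.100.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 172.16.100.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 172.16.100.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 permit ip 172.16.100.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 102 remark Site-to-Site VPN Tunnels
access-list 102 permit ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.17.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.18.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 remark Other incoming traffic
access-list 102 remark NTP, SSH & other traffic
! REMOVED(review): "access-list 102 permit ip host 122.56.13.94 any". Inbound packets on the WAN
! whose source is the router's own WAN address can only be spoofed (return traffic is addressed
! TO 122.56.13.94, not from it), and the line contradicted the later
! "deny ip host 122.56.13.94 any log" which it shadowed. uRPF may already drop such packets;
! the explicit deny below now takes effect either way.
access-list 102 permit udp host 139.80.64.114 any eq ntp
access-list 102 remark gen-i SSH & ICMP to router
access-list 102 permit tcp host 219.89.82.163 host 122.56.13.94 eq 22
access-list 102 permit icmp host 219.89.82.163 any
access-list 102 remark Integral SSH to AIX (static NAT)
access-list 102 permit tcp host 203.30.174.30 host 122.56.13.93 eq 22
! NOTE(review): this "deny icmp any any" shadows every ICMP permit further down
! (unreachable, echo-reply, packet-too-big, time-exceeded, ...). Net effect: no ICMP except
! from 219.89.82.163 gets in, which breaks PMTU discovery and traceroute for NATed hosts.
! Either move this line below the ICMP permits or delete those permits -- left unchanged here
! because the intended policy is not recoverable from the config alone.
access-list 102 deny icmp any any log
! NOTE(review): "any any" service permits expose every public address on this interface,
! including the 1:1 NAT host 122.56.13.90; scope them to the addresses that actually have a
! static NAT (122.56.13.94 / 122.56.13.90). "udp any any eq domain" matches inbound queries to
! port 53, not replies, and no DNS static NAT exists -- verify it is still needed.
access-list 102 permit tcp any any eq smtp
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq 3788
! Anti-spoofing / bogon denies.
access-list 102 deny ip host 122.56.13.94 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 224.0.0.0 15.255.255.255 any log
access-list 102 deny icmp any any redirect log
access-list 102 deny ip host 0.0.0.0 any log
access-list 102 deny ip any host 255.255.255.255 log
! Shadowed by "deny icmp any any log" above -- see note there.
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any traceroute
access-list 102 permit icmp any any administratively-prohibited
! NOTE(review): no GRE tunnel is configured anywhere in this file; this permit looks stale.
access-list 102 permit gre any host 122.56.13.94
access-list 102 deny ip any any log
! ACL 110: filter for traffic entering from the head-office LAN (applied "in" on Fa0/1).
! Default posture is deny; listed hosts ("marshal" servers etc.) may go anywhere, other hosts
! get only the specific destinations/services permitted further down.
access-list 110 remark Outbound traffic filter
access-list 110 remark Deny LAN to DMZ
access-list 110 deny ip 192.168.0.0 0.0.255.255 172.16.200.0 0.0.0.255 log
access-list 110 remark Allow all access to VPN Client connections
access-list 110 permit ip any 172.16.100.0 0.0.0.255
! Telnet to the router from any LAN host -- telnet carries credentials in the clear; prefer SSH
! (the inter-LAN permit below already covers SSH to 192.168.0.252).
access-list 110 remark Telnet Sessions
access-list 110 permit tcp any host 192.168.0.252 eq telnet
access-list 110 remark marshal to anywhere (block lan bypass except servers)
access-list 110 permit ip host 192.168.0.4 any
access-list 110 permit ip host 192.168.0.5 any
access-list 110 permit ip host 192.168.0.6 any
access-list 110 permit ip host 192.168.0.8 any
access-list 110 permit ip host 192.168.0.9 any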
! ACL 110 (continued): hosts allowed unrestricted egress from the LAN.
access-list 110 permit ip host 192.168.0.1 any
access-list 110 permit ip host 192.168.0.22 any
access-list 110 permit ip host 192.168.0.196 any
access-list 110 permit ip host 192.168.0.197 any
access-list 110 permit ip host 192.168.0.198 any
access-list 110 permit ip host 192.168.0.105 any
access-list 110 permit ip host 192.168.0.131 any
access-list 110 permit ip host 192.168.1.1 any
access-list 110 permit ip host 192.168.3.1 any
access-list 110 permit ip host 192.168.4.1 any
access-list 110 permit ip host 192.168.5.1 any
access-list 110 permit ip host 192.168.6.1 any
access-list 110 permit ip host 192.168.11.1 any
access-list 110 permit ip host 192.168.100.2 any
access-list 110 permit ip host 192.168.100.3 any
! Everyone else: no direct tcp/80 (only the hosts above bypass the web gateway).
access-list 110 deny tcp any any eq www
access-list 110 remark Inter-LAN traffic
access-list 110 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 110 remark navman outgoing from anywhere
access-list 110 permit tcp any host 202.89.44.243 eq 2009
access-list 110 permit tcp any host 202.7.38.50 eq 6025
access-list 110 permit tcp any host 202.7.38.51 eq 6025
access-list 110 permit tcp any host 210.55.247.97 eq 3389
access-list 110 permit tcp host 192.168.0.116 any eq 22
! NOTE(review): NTP and DNS to any internet destination from every LAN host is an easy
! exfiltration/tunnelling channel; restrict to the internal resolvers (192.168.0.1/.21) and a
! known time source.
access-list 110 remark timesync and dns lookups from anywhere
access-list 110 permit udp any any eq ntp
access-list 110 permit udp any any eq domain
access-list 110 permit ip any 202.55.97.0 0.0.0.255
access-list 110 permit ip any 202.12.0.0 0.0.0.255
access-list 110 permit ip any 210.55.188.0 0.0.0.255
access-list 110 deny ip any any log
! Crypto ACLs 120-124 (SDM generated): one per site-to-site peer, each selecting all of
! 192.168.0.0/16 -> the spoke LAN. Must mirror the spoke's ACL exactly or phase 2 fails.
access-list 120 remark SDM_ACL Category=4
access-list 120 remark IPSec Rule
access-list 120 remark Matches peer tunnel Higgins Rex Bisman
access-list 120 permit ip 192.168.0.0 0.0.255.255 192.168.18.0 0.0.0.255
access-list 121 remark SDM_ACL Category=4
access-list 121 remark IPSec Rule
access-list 121 remark Matches peer tunnel Higgins Levin
access-list 121 permit ip 192.168.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 122 remark SDM_ACL Category=4
access-list 122 remark IPSec Rule
access-list 122 remark Matches peer tunnel Higgins PN Concrete
access-list 122 permit ip 192.168.0.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 123 remark SDM_ACL Category=4
access-list 123 remark IPSec Rule
access-list 123 remark Matches peer tunnel Higgins Bitumen Bulk
access-list 123 permit ip 192.168.0.0 0.0.255.255 192.168.15.0 0.0.0.255
access-list 124 remark SDM_ACL Category=4
access-list 124 remark IPSec Rule
access-list 124 remark Matches peer tunnel Higgins DCS Penny
access-list 124 permit ip 192.168.0.0 0.0.255.255 192.168.17.0 0.0.0.255
! ACL 172 (route-map nonat): traffic to VPN clients and spoke LANs must NOT be translated so
! it matches the crypto ACLs; everything else from 192.168.0.0/16 and from Loopback1's
! 1.1.1.0/24 is PATed to the WAN address.
! NOTE(review): Cisco advises against the "log" keyword on ACLs used for NAT matching (it
! forces process switching and may not log as expected) -- consider dropping it here.
access-list 172 remark Traffic not to be NATd
access-list 172 deny ip 192.168.0.0 0.0.255.255 172.16.100.0 0.0.0.255
access-list 172 deny ip 192.168.0.0 0.0.255.255 192.168.18.0 0.0.0.255
access-list 172 deny ip 192.168.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 172 deny ip 192.168.0.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 172 deny ip 192.168.0.0 0.0.255.255 192.168.15.0 0.0.0.255
access-list 172 deny ip 192.168.0.0 0.0.255.255 192.168.17.0 0.0.0.255
access-list 172 remark Traffic Allowed to be NATd
access-list 172 permit ip 192.168.0.0 0.0.255.255 any log
access-list 172 permit ip 1.1.1.0 0.0.0.255 any log
access-list 172 permit icmp any any
access-list 172 deny ip any any log
! ACL 199: split-tunnel list pushed to remote-access clients (group "higginsgroup"); only these
! destinations are sent through the tunnel.
access-list 199 remark Match what traffic gets split tunneled
access-list 199 permit ip 192.168.0.0 0.0.255.255 any
access-list 199 permit ip 192.168.100.0 0.0.0.255 any
access-list 199 permit ip 192.168.106.0 0.0.0.255 any
access-list 199 permit ip 192.168.6.0 0.0.0.255 any
!
! Policy routing on Fa0/0: packets from 192.168.8.0/24 (ACL 100) are sent to Loopback1, which is
! nat inside, so they are translated on the way back out (see Loopback1 note).
route-map policy-route permit 10
 match ip address 100
 set interface Loopback1
!
route-map nonat permit 10
 match ip address 172
!
! RADIUS server for login/XAUTH lists. Uses the legacy ports 1645/1646 (confirm the server
! listens there; 1812/1813 are the standard) and a type-7 shared secret -- recoverable from
! this file; rotate it after any exposure of the config.
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646 key 7 030C0A0C015E2F5F5C081D0C0201
!
! No CoPP policy is attached; the control plane is protected only by the interface ACLs.
control-plane
!
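banner login ^CCC
--------------------------------------------------------------------------
All access monitored and logged. If you have no reason to be here, go away
--------------------------------------------------------------------------
^C
!
! Terminal lines. All lines drop users straight into privilege 15 (no separate enable step)
! with a 2-hour idle timeout; 10 minutes is the usual hardening value.
line con 0
 exec-timeout 120 0
 privilege level 15
! NOTE(review): dial-in modem on AUX is an out-of-band entry point that bypasses ACL 102/110;
! if no modem is attached use "no modem InOut" / "transport input none".
line aux 0
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
! CHANGED(review): "transport input telnet ssh" -> "transport input ssh" on both vty ranges.
! Telnet sent the RADIUS/local credentials in cleartext on the LAN; SSH is already enabled
! (RSA keypair + domain name present) and the ACL 110 "permit tcp any host 192.168.0.252 eq
! telnet" entry becomes dead and can be removed. Also worth adding: "ip ssh version 2" and an
! "access-class" restricting the vtys to management hosts.
line vty 0 4
 exec-timeout 120 0
 privilege level 15
 transport input ssh
line vty 5 15
 exec-timeout 120 0
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
! Unauthenticated SNTP; acceptable only if the time source is on a trusted path.
sntp server 139.80.64.114
!
end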