version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year
service password-encryption
!
hostname (something)
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 informational
logging rate-limit console 15 except errors
enable secret 5 (something)
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
!
aaa session-id common
clock timezone CST 9 30
clock summer-time CSuT recurring last Sun Oct 2:00 last Sun Mar 2:00
no ip source-route
ip cef
!
!
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 1100
ip inspect one-minute high 1100
ip inspect one-minute low 1100
ip inspect name Ethernet_0 tcp
ip inspect name Ethernet_0 udp
ip inspect name Ethernet_0 cuseeme
ip inspect name Ethernet_0 ftp
ip inspect name Ethernet_0 h323
ip inspect name Ethernet_0 rcmd
ip inspect name Ethernet_0 realaudio
ip inspect name Ethernet_0 smtp
ip inspect name Ethernet_0 streamworks
ip inspect name Ethernet_0 vdolive
ip inspect name Ethernet_0 sqlnet
ip inspect name Ethernet_0 tftp
ip inspect name Ethernet_0 http
ip inspect name Ethernet_0 icmp
ip inspect name Dialer_1 tcp
ip inspect name Dialer_1 udp
ip inspect name Dialer_1 tftp
! note: no interface in this config carries "ip inspect Ethernet_0 in|out" or "ip inspect Dialer_1 in|out", so neither inspect rule set is active
no ip bootp server
no ip domain lookup
ip domain name (something.com.au)
ip name-server 203.8.183.1
ip name-server 192.189.54.17
!
!
!
!
!
username (something) password 7 (something)
username (something) privilege 15 secret 5 (something)
username (something) secret 5 (something)
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key (something) address (DHP VPN endpoint external ip) no-xauth
crypto isakmp key (something) address (QLD VPN endpoint external ip) no-xauth
crypto isakmp xauth timeout 20
!
crypto isakmp client configuration group (something)
 key (something)
 dns 192.168.1.2 139.130.4.4
 wins 192.168.1.2
 domain (something.com.au)
 pool vpn-clients
 acl encrypt-to-vpn-clients
!
!
crypto ipsec transform-set transform-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map vpn-dynamic 10
 set transform-set transform-3des-sha
 reverse-route
!
!
crypto map (something)-australia client authentication list default
crypto map (something)-australia isakmp authorization list default
crypto map (something)-australia client configuration address respond
crypto map (something)-australia 1 ipsec-isakmp
 set peer (DHP VPN endpoint external ip)
 set transform-set vpn
 match address encrypt-to-dhp
crypto map (something)-australia 2 ipsec-isakmp
 set peer (QLD VPN endpoint external ip)
 set transform-set vpn
 match address encrypt-to-queensland
crypto map (something)-australia 200 ipsec-isakmp dynamic vpn-dynamic
!
crypto map encrypt-traffic client authentication list default
crypto map encrypt-traffic isakmp authorization list default
crypto map encrypt-traffic client configuration address respond
crypto map encrypt-traffic 10 ipsec-isakmp
 set peer (QLD VPN endpoint external ip)
 set transform-set vpn
 match address encrypt-to-queensland
crypto map encrypt-traffic 20 ipsec-isakmp
 set peer (DHP VPN endpoint external ip)
 set transform-set vpn
 match address encrypt-to-dhp
crypto map encrypt-traffic 200 ipsec-isakmp dynamic vpn-dynamic
! note: crypto map encrypt-traffic is not applied to any interface; Dialer1 uses (something)-australia, which carries the same two site entries and the same dynamic map
!
!
!
!
interface Tunnel1
 description --- GRE over IPSec tunnel to Queensland ---
 ip unnumbered Vlan1
 ip mtu 1372
 tunnel source (router/ADSL external ip)
 tunnel destination (QLD VPN endpoint external ip)
 tunnel path-mtu-discovery
!
interface Tunnel2
 description --- GRE over IPSec tunnel to DHP ---
 ip unnumbered Vlan1
 ip mtu 1372
 tunnel source (router/ADSL external ip)
 tunnel destination (DHP VPN endpoint external ip)
 tunnel path-mtu-discovery
!
interface ATM0
 description --- ADSL ---
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 no ip mroute-cache
 atm vc-per-vp 256
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description --- LAN connection ---
 ip address 192.168.1.15 255.255.255.0
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface Dialer1
 ip address negotiated
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname something.connectdsl.com.au
 ppp chap password 7 (something)
 ppp pap sent-username something.connectdsl.com.au password 7 (something)
 crypto map (something)-australia
!
ip local pool vpn-clients 192.168.127.1 192.168.127.239
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.8.0 255.255.255.0 Tunnel2
ip route 192.168.64.0 255.255.255.0 Tunnel1
!
no ip http server
no ip http secure-server
ip nat inside source list nat-control interface Dialer1 overload
!
ip access-list standard snmp-cdr
 permit (external ip of admin/management)
 permit (external ip of admin/management)
 permit (external ip of admin/management)
 permit (external ip of admin/management)
 permit (external ip of admin/management)
! note: snmp-cdr is not referenced by any snmp-server command in this config
ip access-list standard vty-in
 permit (external ip of admin/management)
 permit (external ip of admin/management)
 permit (external ip of admin/management)
 permit (external ip of admin/management)
 permit (external ip of admin/management)
 permit 192.168.0.0 0.0.255.255
!
ip access-list extended dialer1-in
 remark Allow traffic over VPN
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip host (QLD VPN endpoint external ip) any
 permit ip host (DHP VPN endpoint external ip) any
 remark Block commonly spoofed addresses
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 remark Allow SNMP from CBSI
 permit udp host (external ip of admin/management) any eq snmp
 permit udp host (external ip of admin/management) any eq snmp
 permit udp host (external ip of admin/management) any eq snmp
 permit udp host (external ip of admin/management) any eq snmp
 permit udp host (external ip of admin/management) any eq snmp
 remark Allow VPN tunnels
 remark (something) Home Products
 permit udp host (DHP VPN endpoint external ip) host (router/ADSL external ip) eq isakmp
 permit ahp host (DHP VPN endpoint external ip) host (router/ADSL external ip)
 remark Queensland
 permit udp host (QLD VPN endpoint external ip) host (router/ADSL external ip) eq isakmp
 permit ahp host (QLD VPN endpoint external ip) host (router/ADSL external ip)
 remark VPN Clients
 permit udp any host (router/ADSL external ip) eq isakmp
 permit esp any host (router/ADSL external ip)
 remark Allow ICMP except redirects
 deny icmp any any redirect
 permit icmp any any
 remark Allow NTP and DNS to the router
 permit udp host 128.250.36.2 eq ntp host (router/ADSL external ip) eq ntp
 permit udp host 128.250.37.2 eq ntp host (router/ADSL external ip) eq ntp
 permit udp host 128.250.36.3 eq ntp host (router/ADSL external ip) eq ntp
 permit udp host 203.2.124.164 eq domain host (router/ADSL external ip) gt 1023
 permit udp host 203.2.124.165 eq domain host (router/ADSL external ip) gt 1023
 deny ip any any log
ip access-list extended dialer1-out
 remark Allow traffic over VPN
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 remark deny all other private IP ranges
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 127.0.0.0 0.255.255.255
 remark Allow everything else
 permit ip any any
ip access-list extended encrypt-to-dhp
 permit gre host (router/ADSL external ip) host (DHP VPN endpoint external ip)
ip access-list extended encrypt-to-queensland
 permit gre host (router/ADSL external ip) host (QLD VPN endpoint external ip)
ip access-list extended encrypt-to-vpn-clients
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended ethernet0-in
 remark Allow traffic over VPN
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 remark --- Block W32.Blaster virus
 remark --- block TFTP
 deny udp any any eq tftp
 remark --- block W32.Blaster related protocols
 deny tcp any any eq 135
 deny udp any any eq 135
 remark --- block other vulnerable MS protocols
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 deny tcp any any eq 139
 deny udp any any eq netbios-ss
 deny tcp any any eq 445
 deny tcp any any eq 593
 remark --- block remote access due to W32.Blaster
 deny tcp any any eq 4444
 remark --- Block Slammer virus
 deny udp any any eq 1434
 permit ip any any
ip access-list extended nat-control
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
! note: nat-control has only a deny entry; "ip nat inside source list" translates only packets the list permits, so as written nothing is NATed
ip access-list extended vpn-ho-dhp
 permit ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
ip access-list extended vpn-ho-queensland
 permit ip 192.168.1.0 0.0.0.255 192.168.64.0 0.0.0.255
! note: no "ip access-group" in this config applies dialer1-in, dialer1-out or ethernet0-in to an interface, and vpn-ho-dhp and vpn-ho-queensland are not referenced either; the crypto map entries match on encrypt-to-dhp and encrypt-to-queensland (GRE between the tunnel endpoints) instead
!
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
banner login ^C
Use of this network and computer systems is restricted to authorised users.
User activity is monitored and recorded by system personnel.
Anyone using the network expressly consents to such monitoring and recording.
Unauthorised access to this system is a criminal offence under Australian law (Federal Crimes Act 1914 Part VIA).
It is a criminal offence to:
(1) Obtain access to data without authority. - Penalty 2 years imprisonment.
(2) Damage, delete, alter or insert data without authority. - Penalty 10 years imprisonment.
If possible criminal activity is detected, system records, along with certain personal information, may be provided to law enforcement officials.
^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport output all
 stopbits 1
line aux 0
 no exec
 transport output all
line vty 0 4
 access-class vty-in in
 exec-timeout 120 0
 login authentication local
 length 0
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
sntp server 128.250.36.2
sntp server 128.250.37.2
sntp server 128.250.36.3
end
(something)#
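The config above is a good specimen of the failure mode where the hard work goes into objects that are never wired up: three extended ACLs and two inspect rule sets are defined but applied to no interface, a second crypto map duplicates the one on Dialer1, the NAT list has no permit entry, the vty lines still accept telnet, and every secret marked "7" is reversible. The script below is an added example, not part of the original post, that parses a saved IOS running-config and reports exactly those conditions. It runs against a constructed sample that mirrors the shape of this config (RFC 5737 documentation addresses, a textbook type 7 string, the object names `site-a`, `encrypt-to-site-a`, `nat-control` and `encrypt-traffic` are all assumed); pass the real `show running-config` text to `audit()` to get the same report for it. The type 7 key is the public one IOS has always used, which is the whole point of flagging those entries. Requires Python 3.8 or later.

```python
"""Added example (not from the original post): audit an IOS running-config for ACLs nothing
references, policy ACLs with no permit entry, inspect rules and crypto maps applied to no
interface, type 7 passwords, telnet on vty lines, and ISAKMP policies using DES/3DES, MD5 or DH group 1/2."""
import re

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # public key behind "password 7"
WEAK_ISAKMP = ("encr des", "encr 3des", "hash md5", "group 1", "group 2")
APPLY = {  # object kind: (definition regex on top-level lines, application regex on sub-commands)
    "inspect": (r"ip inspect name (\S+)", r"ip inspect (\S+) (?:in|out)$"),
    "crypto_maps": (r"crypto map (\S+) ", r"crypto map (\S+)$"),
}
# Constructed sample shaped like the posted config (RFC 5737 addresses, textbook type 7 string).
SAMPLE_CONFIG = """\
ip inspect name Ethernet_0 tcp
ip inspect name Dialer_1 tcp
username admin password 7 094F471A1A0A
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto map site-a 1 ipsec-isakmp
 match address encrypt-to-site-a
crypto map encrypt-traffic 10 ipsec-isakmp
 match address encrypt-to-site-a
interface Dialer1
 crypto map site-a
ip nat inside source list nat-control interface Dialer1 overload
ip access-list extended dialer1-in
 permit udp any host 203.0.113.5 eq isakmp
 deny ip any any log
ip access-list extended encrypt-to-site-a
 permit gre host 203.0.113.5 host 198.51.100.10
ip access-list extended nat-control
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
line vty 0 4
 transport input telnet ssh
end
"""


def decode_type7(enc: str) -> str:
    """Two decimal digits give the key offset; each following hex byte is XORed with the key."""
    offset, data = int(enc[:2]), bytes.fromhex(enc[2:])
    return "".join(chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]) for i, b in enumerate(data))


def parse_blocks(text: str) -> list:
    """Split a config into (header, [sub-commands]) pairs; '!' lines and blanks are dropped."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:      # indented: sub-command of the previous header
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.rstrip(), []))
    return blocks


def audit(text: str) -> dict:
    blocks = parse_blocks(text)
    lines = [h for h, _ in blocks] + [s for _, subs in blocks for s in subs]
    f = {"unreferenced_acls": [], "deny_only_acls": [], "weak_isakmp": [], "type7": []}

    def referenced(name):   # whole-word match anywhere except the ACL definitions themselves
        pat = re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")
        return any(pat.search(l) for l in lines if not l.startswith("ip access-list "))

    for header, subs in blocks:
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)$", header):
            if not referenced(m.group(1)):
                f["unreferenced_acls"].append(m.group(1))
            if not any(s.startswith("permit") for s in subs):   # nothing can ever match
                f["deny_only_acls"].append(m.group(1))
        elif m := re.match(r"crypto isakmp policy (\d+)", header):
            weak = [s for s in subs if s in WEAK_ISAKMP]
            if not any(s.startswith("encr") for s in subs):
                weak.append("encr des (default)")
            if weak:
                f["weak_isakmp"].append((int(m.group(1)), weak))
    for kind, (defn, appl) in APPLY.items():   # defined at top level but applied under no interface
        defined = {m.group(1) for h, _ in blocks if (m := re.match(defn, h))}
        applied = {m.group(1) for _, subs in blocks for s in subs if (m := re.match(appl, s))}
        f["unapplied_" + kind] = sorted(defined - applied)
    f["telnet_vty"] = [h for h, subs in blocks if h.startswith("line vty")
                       and any(s.startswith("transport input") and "telnet" in s for s in subs)]
    for l in lines:   # type 7 strings are reversible; report what they actually hold
        if m := re.search(r"\b(?:password|key) 7 ([0-9A-Fa-f]+)$", l):
            f["type7"].append((l[:m.start(1)].strip(), decode_type7(m.group(1))))
    return f


if __name__ == "__main__":
    for key, items in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {items}")
```

The reference check is deliberately name-based rather than tied to `ip access-group`, because an IOS ACL can be consumed by a crypto map, a NAT statement, a `client configuration group`, an `access-class` or an SNMP community, and a check that only knows one of those produces false alarms on the others. The deny-only check is the one that catches `nat-control` here: a list that permits nothing is not a "block everything" policy for NAT, it is a NAT rule that never fires.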