spoke857#wr t Building configuration... Current configuration : 8815 bytes ! version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption ! hostname spoke857 ! boot-start-marker boot-end-marker ! logging buffered 16000 debugging no logging console enable password xxxxxxxxx ! aaa new-model ! ! aaa authentication login default local aaa authentication login userlist local aaa authentication ppp default local aaa authorization network groupauthor local ! aaa session-id common ! resource policy ! no ip source-route ip icmp rate-limit unreachable 2 no ip dhcp use vrf connected ip dhcp excluded-address 192.168.10.254 ! ip dhcp pool sdm-pool network 192.168.10.0 255.255.255.0 dns-server a.b.c.d domain-name xxxxxxxx default-router 192.168.10.254 ! ! ip cef ip inspect name FW ftp ip inspect name FW smtp ip inspect name FW udp ip inspect name FW tcp ip inspect name FW http java-list 3 no ip bootp server no ip domain lookup ip domain name local ip name-server a.b.c.d ! ! crypto pki trustpoint TP-self-signed-318600233 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-318600233 revocation-check none rsakeypair TP-self-signed-318600233 ! ! crypto pki certificate chain TP-self-signed-318600233 certificate self-signed 01 3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 33313836 30303233 33301E17 0D303230 33303130 30303730 325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3331 38363030 32333330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 9B19545B D34C64E2 E70CAE82 BA0AE149 3D5DF582 A703594B 9D6DB6BF 87B931FD 41BAE6D6 35D2F447 BD24B9F0 FCD1E2EF 93B0F8F6 B8C88C1B E623A76B 35DE558C A4F6B12C BA9EBF88 5FEA8AE0 6E1D778F 729D88E0 A001451E 713E569F 48C96DE2 C669BE4C 36FC26C9 E5FD55D0 8A209478 CB1094B0 1E5178C2 7BAE63CC E2BDDEE9 02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D 11041B30 19821779 6F75726E 616D652E 796F7572 646F6D61 696E2E63 6F6D301F 0603551D 23041830 16801405 46AAA17C 42225C67 166ABF3B D71A2C6B 900DD930 1D060355 1D0E0416 04140546 AAA17C42 225C6716 6ABF3BD7 1A2C6B90 0DD9300D 06092A86 4886F70D 01010405 00038181 001C1F9F 0A7AEF89 8FB1F10C 701ED2E3 100E98CE C4998AB4 78B62101 B85EAEB1 09DD0080 D1581935 97B24177 C4BDC19F 26F76A43 997EEE84 F0172348 841F63C0 188EF495 51D8E3DE 5BB6E407 FEFE1FD5 00868EFE DAE155F2 394934D0 24884E1D 9EEE9190 9D4A3702 52EDFC43 3B089DEC FB5AF293 C0D12466 CDF77E4B 56F7221A 1B quit username xxxxx password xxxxx ! ! ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 crypto isakmp key cisco123 address xxx.yy.228.55 ! ! crypto ipsec transform-set myset esp-3des esp-sha-hmac ! crypto map mymap 10 ipsec-isakmp set peer xxx.yy.228.55 set transform-set myset match address 100 ! ! ! interface ATM0 no ip address no atm ilmi-keepalive dsl operating-mode auto ! interface ATM0.1 point-to-point no snmp trap link-status pvc 0/100 encapsulation aal5mux ppp dialer dialer pool-member 1 ! ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface Vlan1 description (Connected to LAN) ip address 192.168.10.254 255.255.255.0 ip access-group 102 in ip nat inside ip virtual-reassembly ip tcp adjust-mss 1452 ! interface Dialer0 ip address negotiated previous ip access-group InternetInbound in no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip virtual-reassembly encapsulation ppp no ip route-cache cef no ip route-cache no ip mroute-cache dialer pool 1 dialer-group 1 no cdp enable ppp pap sent-username fffffffffffff password gggggggggggg ppp ipcp dns accept ppp ipcp route default crypto map mymap ! interface Dialer1 no ip address no cdp enable ! no ip forward-protocol udp netbios-ns no ip forward-protocol udp netbios-dgm ip route 0.0.0.0 0.0.0.0 Dialer0 ! no ip http server no ip http secure-server ip nat translation timeout 600 ip nat translation tcp-timeout 600 ip nat translation finrst-timeout 30 ip nat translation icmp-timeout 30 ip nat inside source list Internet interface Dialer0 overload ! ip access-list extended Internet deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255 permit ip 192.168.10.0 0.0.0.255 any ip access-list extended InternetInbound permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255 deny ip host 255.255.255.255 any deny ip host 0.0.0.0 any deny ip 127.0.0.0 0.255.255.255 any deny ip 10.0.0.0 0.255.255.255 any deny ip 172.0.0.0 0.31.255.255 any deny ip 192.168.0.0 0.0.255.255 any deny ip 224.0.0.0 31.255.255.255 any permit udp any any eq isakmp permit tcp any eq www any permit tcp any eq 443 any permit udp host a.b.c.d eq domain any permit tcp any eq smtp any permit tcp any eq pop3 any permit tcp any eq 444 any permit tcp any eq 3389 any permit tcp any eq 4125 any permit udp any any eq non500-isakmp permit gre any any permit esp any any permit icmp any any echo permit icmp any any echo-reply permit icmp any any ttl-exceeded permit icmp any any packet-too-big permit ip host xxx.yy.228.55 any deny ip any any log ! access-list 1 remark The local LAN. access-list 1 permit 192.168.10.0 0.0.0.255 access-list 2 permit ddd.fff.236.243 access-list 2 remark Where management can be done from. access-list 2 permit 192.168.10.0 0.0.0.255 access-list 3 remark Traffic not to check for intrustion detection. access-list 3 deny 192.168.5.0 0.0.0.255 access-list 3 deny 192.168.2.0 0.0.0.255 access-list 3 permit any access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255 access-list 102 remark Traffic allowed to enter the router from the Ethernet access-list 102 permit ip any host 192.168.10.254 access-list 102 deny ip any host 192.168.10.255 access-list 102 deny udp any any eq tftp log access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255 access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 102 deny ip any 0.0.0.0 0.255.255.255 log access-list 102 deny ip any 10.0.0.0 0.255.255.255 log access-list 102 deny ip any 127.0.0.0 0.255.255.255 log access-list 102 deny ip any 169.254.0.0 0.0.255.255 log access-list 102 deny ip any 172.16.0.0 0.15.255.255 log access-list 102 deny ip any 192.0.2.0 0.0.0.255 log access-list 102 deny ip any 192.168.0.0 0.0.255.255 log access-list 102 deny ip any 198.18.0.0 0.1.255.255 log access-list 102 deny udp any any eq 135 log access-list 102 deny tcp any any eq 135 log access-list 102 deny udp any any eq netbios-ns log access-list 102 deny udp any any eq netbios-dgm log access-list 102 deny tcp any any eq 445 log access-list 102 permit ip 192.168.10.0 0.0.0.255 any access-list 102 permit ip any host 255.255.255.255 access-list 102 deny ip any any log access-list 105 remark Traffic to NAT access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255 access-list 105 permit ip 192.168.10.0 0.0.0.255 any access-list 110 remark Site to Site VPN access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255 access-list 110 deny ip 192.168.10.0 0.0.0.255 any access-list 150 remark NAT bypass for VPN traffic access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255 access-list 150 permit ip 192.168.10.0 0.0.0.255 any access-list 170 permit ip 192.168.0.0 0.0.255.255 any dialer-list 1 protocol ip permit no cdp run route-map nonat permit 10 match ip address 150 ! ! control-plane ! banner motd ^CCC**** UNAUTHORIZED ACCESS PROHIBITED !****^C ! line con 0 exec-timeout 60 0 logging synchronous no modem enable line aux 0 line vty 0 4 exec-timeout 60 0 logging synchronous transport input telnet ssh ! end