Building configuration...

Current configuration : 6381 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname FCC-1721
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 5 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EDT date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect log drop-pkt
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW pptp
ip tcp synwait-time 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.200 192.168.1.255
!
ip dhcp pool DHCPPool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.12
   import all
!
!
ip ips sdf location flash://sdmips.sdf
no ip ips deny-action ips-interface
ip ips notify SDEE
ip ips signature 4050 0 disable
ip ips signature 2001 0 disable
ip ips signature 2005 0 disable
ip ips name sdm_ips_rule
no ip bootp server
no ip domain lookup
!
no ftp-server write-enable
!
!
crypto pki trustpoint TP-self-signed-35394xxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-35394xxxxx
 revocation-check none
 rsakeypair TP-self-signed-35394xxxxx
!
!
crypto pki certificate chain TP-self-signed-35394xxxxx
 certificate self-signed 01
username sdm privilege 15 secret 5 xxxxxxxxxxxxxxx
!
!
no crypto isakmp ccm
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $FW_OUTSIDE$
 ip address dhcp
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule in
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 half-duplex
!
interface FastEthernet0
 description $FW_INSIDE$
 ip address 192.168.1.12 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.2 8080 interface Ethernet0 8080
ip nat inside source static tcp 192.168.1.12 443 interface Ethernet0 29443
ip nat inside source static tcp 192.168.1.12 22 interface Ethernet0 2922
ip nat inside source static udp 192.168.1.12 23981 interface Ethernet0 23981
!
access-list 1 remark SDM_ACL Category=2
access-list 1 remark **NAT IP access**
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 remark **Permit VPN connections out**
access-list 100 permit gre any any log
access-list 100 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 remark **Allow DHCP for Ethernet0 interface**
access-list 102 permit udp any eq bootps any eq bootpc
access-list 102 remark **Allow certain ICMP types**
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 remark **Deny private ips for spoofing and log**
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 deny ip 169.254.0.0 0.0.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip 223.0.0.0 0.255.255.255 any log
access-list 102 deny ip 224.0.0.0 31.255.255.255 any log
access-list 102 deny ip host 255.255.255.255 any log
access-list 102 remark **Permit VPN/PPTP connections back in**
access-list 102 permit gre any any log
access-list 102 remark **Permit external NAT services**
access-list 102 permit tcp any any eq 2922 log
access-list 102 permit tcp any any eq 29443
access-list 102 permit tcp any any eq 8080
access-list 102 deny ip any any
no cdp run
!
control-plane
!
!
line con 0
 logging synchronous
 login local
 transport output telnet
line aux 0
 login local
 no exec
 transport output telnet
line vty 0 4
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
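Added example, not part of the captured running-config and not a Cisco tool: a small Python auditor that parses a config excerpt in the same line-oriented form (IOS indents section children by one space) and flags the weak settings that are visible in the configuration above: plaintext HTTP management alongside HTTPS (ip http server), telnet accepted in transport input on the vty lines, no aaa new-model, a permit ip any any entry in a numbered ACL, and an ACL that ends on a permit and so relies on the unlogged implicit deny. SAMPLE is a constructed excerpt reproducing those settings, HARDENED is a constructed corrected excerpt for comparison, and the list of checks is the example's own selection rather than any vendor baseline.

```python
"""Audit a Cisco IOS running-config excerpt for common hardening gaps (hypothetical auditor)."""
import re
from collections import defaultdict

# Constructed excerpt mirroring settings present in the running-config above.
SAMPLE = """\
service password-encryption
no ip source-route
no aaa new-model
ip http server
ip http secure-server
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 permit tcp any any eq 2922 log
access-list 102 deny ip any any
no cdp run
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input telnet ssh
"""

# Constructed corrected excerpt: SSH-only vty, HTTPS-only management, AAA on,
# and the inside ACL narrowed to the LAN with an explicit logged final deny.
HARDENED = """\
service password-encryption
no ip source-route
aaa new-model
no ip http server
ip http secure-server
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip any any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 permit tcp any any eq 2922 log
access-list 102 deny ip any any
no cdp run
line vty 0 4
 login local
 transport input ssh
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (.*)$")


def parse_config(text):
    """Split config text into top-level commands and per-section child lines."""
    top, sections = [], defaultdict(list)
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or '!' separator
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())  # child of current section
        else:
            current = raw.strip()
            top.append(current)
    return top, sections


def audit(text):
    """Return human-readable findings for the given config text (empty list = clean)."""
    top, sections = parse_config(text)
    present = set(top)
    findings = []

    # Management-plane settings.
    if "ip http server" in present:
        findings.append("plaintext HTTP management enabled (ip http server)")
    if "no aaa new-model" in present:
        findings.append("AAA disabled (no aaa new-model)")
    for required in ("service password-encryption", "no ip source-route", "no cdp run"):
        if required not in present:
            findings.append(f"missing hardening command: {required}")

    # Numbered ACLs: keep entries in order, skipping remark lines.
    acls = defaultdict(list)
    for line in top:
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
    for acl, entries in acls.items():
        if ("permit", "ip", "any any") in entries:
            findings.append(f"ACL {acl} contains 'permit ip any any'")
        if entries[-1][0] != "deny":
            findings.append(f"ACL {acl} relies on the implicit deny (no explicit final deny)")

    # vty lines: telnet carries credentials in cleartext.
    for name, children in sections.items():
        if name.startswith("line vty"):
            for child in children:
                if child.startswith("transport input") and "telnet" in child.split():
                    findings.append(f"{name}: telnet permitted ({child})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("SAMPLE", SAMPLE), ("HARDENED", HARDENED)):
        result = audit(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run against a real dump, the parser expects the indentation a router prints with show running-config; a flattened capture like the one above has to be re-split one command per line first. The ACL check deliberately treats a trailing permit as a finding even though IOS applies an implicit deny, because the implicit deny produces no log entry for the traffic it drops.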