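! Global services and DHCP for a 12.4 dual-WAN edge router (the rest of the
! config shows SDM-generated names). The hostname is masked in the source,
! and no 'username', 'enable secret' or 'logging host' lines are visible in
! this excerpt -- confirm they exist, since every line uses 'login local'.
version 12.4
! Stamps are UTC with no zone marker ('localtime'/'show-timezone' are not
! set); add 'show-timezone' if these logs are correlated with other hosts.
service timestamps debug datetime msec
service timestamps log datetime msec
! Was 'no service password-encryption': line/user passwords were written to
! the config in clear text. Type 7 is obfuscation, not encryption, but it
! keeps them out of 'show run' output and of pasted configs like this one.
service password-encryption
!
hostname ********
!
boot-start-marker
boot-end-marker
!
! Was 'warnings' (severity 4). The WAN ACLs end in 'deny ip any any log';
! those %SEC-6-IPACCESSLOGP messages are severity 6 and were being dropped
! before reaching the buffer, so the 'log' keyword produced nothing locally.
logging buffered 51200 informational
!
! Local authentication only: no TACACS+/RADIUS, and no login-failure
! throttling is visible in this excerpt.
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
! Was 'clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00', a
! one-shot rule that only applied in 2003 (the US dates for that year), so
! the clock never moved to DST afterwards. UTC-5 with US dates is the
! Eastern rule; the recurring form tracks the post-2007 US schedule yearly.
clock summer-time PCTime recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip cef
!
!
! DHCP: one pool per VLAN SVI. The Vlan1 exclusions (.1-.127, .197-.254)
! differ from every other pool (.1-.126, .228-.254) -- presumably intended.
! Every pool hands out 10.1.10.8 as DNS and 'vlan1.domain.com' as domain;
! the repeated domain name looks copied from the Vlan1 pool -- confirm.
ip dhcp use vrf connected
ip dhcp excluded-address 10.1.10.1 10.1.10.127
ip dhcp excluded-address 10.1.10.197 10.1.10.254
ip dhcp excluded-address 10.1.30.1 10.1.30.126
ip dhcp excluded-address 10.1.30.228 10.1.30.254
ip dhcp excluded-address 10.1.40.1 10.1.40.126
ip dhcp excluded-address 10.1.40.228 10.1.40.254
ip dhcp excluded-address 10.1.50.1 10.1.50.126
ip dhcp excluded-address 10.1.50.228 10.1.50.254
ip dhcp excluded-address 10.1.60.1 10.1.60.126
ip dhcp excluded-address 10.1.60.228 10.1.60.254
ip dhcp excluded-address 10.1.70.1 10.1.70.126
ip dhcp excluded-address 10.1.70.228 10.1.70.254
ip dhcp excluded-address 10.1.80.1 10.1.80.126
ip dhcp excluded-address 10.1.80.228 10.1.80.254
ip dhcp excluded-address 10.1.20.1 10.1.20.126
ip dhcp excluded-address 10.1.20.228 10.1.20.254
!
ip dhcp pool Vlan1
   import all
   network 10.1.10.0 255.255.255.0
   domain-name vlan1.domain.com
   dns-server 10.1.10.8
   default-router 10.1.10.1
!
ip dhcp pool vlan2
   import all
   network 10.1.20.0 255.255.255.0
   domain-name vlan1.domain.com
   dns-server 10.1.10.8
   default-router 10.1.20.1
!
ip dhcp pool vlan3
   import all
   network 10.1.30.0 255.255.255.0
   domain-name vlan1.domain.com
   dns-server 10.1.10.8
   default-router 10.1.30.1
!
ip dhcp pool vlan4
   import all
   network 10.1.40.0 255.255.255.0
   domain-name vlan1.domain.com
   dns-server 10.1.10.8
   default-router 10.1.40.1
!
ip dhcp pool vlan5
   import all
   network 10.1.50.0 255.255.255.0
   domain-name vlan1.domain.com
   dns-server 10.1.10.8
   default-router 10.1.50.1
!
ip dhcp pool vlan6
   import all
   network 10.1.60.0 255.255.255.0
   domain-name vlan1.domain.com
   dns-server 10.1.10.8
   default-router 10.1.60.1
!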
! DHCP pools for the last two VLANs; same DNS server and the same
! 'vlan1.domain.com' domain as the other pools -- confirm the domain is
! meant to be shared rather than copied from the Vlan1 pool.
ip dhcp pool vlan7
   import all
   network 10.1.70.0 255.255.255.0
   domain-name vlan1.domain.com
   dns-server 10.1.10.8
   default-router 10.1.70.1
!
ip dhcp pool vlan8
   import all
   network 10.1.80.0 255.255.255.0
   domain-name vlan1.domain.com
   dns-server 10.1.10.8
   default-router 10.1.80.1
!
!
! Router-side name resolution uses two upstream servers (the WAN ACLs
! permit UDP/53 replies from these two hosts).
ip domain name domain.com
ip name-server x.x.x.195
ip name-server x.x.x.122
! CBAC inspection rule SDM_LOW, applied outbound on both WAN interfaces in
! the interface section. The protocol list is the SDM "low" template; the
! generic 'tcp'/'udp' entries at the end cover anything not named above
! them. 'rcmd' (rsh/rlogin/rexec) is inspected here -- presumably unused,
! confirm before keeping it.
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
! Self-signed trustpoint; presumably what 'ip http secure-server' presents
! on 8443 (no explicit 'ip http secure-trustpoint' is visible). The
! certificate itself follows in the next section. 'revocation-check none'
! is normal for a self-signed cert -- nothing can revoke it.
crypto pki trustpoint TP-self-signed-3459452820
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3459452820
 revocation-check none
 rsakeypair TP-self-signed-3459452820
!
!
! DER of the self-signed HTTPS certificate (public data only; the private
! key is held in NVRAM and is not part of this text). Decoding it, the
! signature algorithm OID appears to be md5WithRSA, the key 1024-bit, and
! notAfter 2020-01-01 -- if that reading is right, browsers will reject it
! and it should be regenerated with SHA-2 and a 2048-bit key.
crypto pki certificate chain TP-self-signed-3459452820
 certificate self-signed 01
  30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343539 34353238 3230301E 170D3036 30393236 31363030
  31325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34353934
  35323832 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100DB9D 09FF8C43 FDA4E060 2E110B1F B71D6CB1 D75FB7EB F00EC3CA 4D86E7D8
  99D76C59 581AC631 66FACE20 82654262 59149BD9 B8621F40 DB6EB2DF 88A238AE
  37363B6B A41051B4 CF5BC4B1 BB4B1933 9ADFCF21 B6903649 31397224 8D1910EF
  38FE3FF5 B53E1657 FE508FCC 7F4AD1E7 73C6916A 41E5E0C3 4925D83F 49CBDCD9
  120F0203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603
  551D1104 1E301C82 1A6F6E62 6F617264 2E736368 6F6F6E65 726D6574 656F722E
  636F6D30 1F060355 1D230418 30168014 20C31051 A41071A4 5567BEDF D45B2394
  DA0CF605 301D0603 551D0E04 16041420 C31051A4 1071A455 67BEDFD4 5B2394DA
  0CF60530 0D06092A 864886F7 0D010104 05000381 81005E6C B59E000C 8FEF64F6
  843B0D77 B89A7AE3 73C70889 7C275362 1652FE16 2EFFDFCD F76A58D6 DD08F7C6
  9556EA96 F0F5F1A6 1E377B4B 18E88349 9D95458C 41B60EB5 D541A50A E7AE0A2C
  C4808032 39F36A98 B8972C56 4013D47C C5A69D17 AC2B8A2F BD63F9C1 F70E83F0
  B2855947 5D643E5F A20B4D4B 438D22C1 D5D83701 698A
  quit
!
! Tracking objects for the two default routes: 'rtr 1'/'rtr 2' follow the
! reachability of IP SLA operations 1 and 2 (defined after the ACLs).
track 123 rtr 1 reachability
!
track 456 rtr 2 reachability
!
!
! Site-to-site IPsec to x.x.x.230.
!  - 3DES and DH group 2 are deprecated; AES and a stronger group require
!    the peer to change in step, so the switch must be coordinated.
!  - The pre-shared key is short, dictionary-like and stored in clear
!    (12.4 shows ISAKMP keys unencrypted unless type-6 key encryption is
!    configured). It has also been published in this paste: treat it as
!    compromised and rotate it on both peers to a long random value.
!  - No 'crypto isakmp keepalive' (DPD), so a dead peer is only noticed
!    at SA expiry.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address x.x.x.230
!
!
crypto ipsec transform-set 3des-with-sha esp-3des esp-sha-hmac
!
! Applied to FastEthernet0/0 in the interface section; VPNToOnshore selects
! 10.1.10.0/24 <-> 192.168.0.0/24. Only Vlan1 traffic is protected; the
! other VLAN subnets are not in the crypto ACL.
crypto map vpntunnels 10 ipsec-isakmp
 set peer x.x.x.230
 set transform-set 3des-with-sha
 match address VPNToOnshore
!
!
!
!
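! Two WAN uplinks, each with its own inbound ACL, NAT outside, CBAC
! outbound and fragment reassembly. Only Fa0/0 carries the crypto map, so
! IKE/ESP from the peer is expected on x.x.x.158 -- yet PSAcl (below, in
! the ACL section) permits IKE/ESP only to x.x.x.166 while SBAcl permits
! them to x.x.x.158; the crypto entries look swapped between the two ACLs.
interface FastEthernet0/0
 description PS WAN$ETH-WAN$
 ip address x.x.x.158 255.255.255.248
 ip access-group PSAcl in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpntunnels
!
interface FastEthernet0/1
 description SB WAN$ETH-WAN$
 ip address x.x.x.166 255.255.255.248
 ip access-group SBAcl in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Trunk to the downstream switch with default settings: native VLAN 1 is
! also the management/Default VLAN below -- worth pruning and using a
! dedicated native VLAN, if the switch side allows it. Unused switch
! ports are shut, which is the right default.
interface FastEthernet0/0/0
 switchport mode trunk
!
interface FastEthernet0/0/1
 shutdown
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 shutdown
!
interface BRI0/1/0
 no ip address
 encapsulation hdlc
 shutdown
!
! Vlan1 is the only SVI with an anti-spoof ACL, 'ip nat inside' and
! virtual-reassembly. Vlan20-Vlan80 have none of these, yet route-map ACL
! 101 and the DHCP pools expect them to reach the Internet through NAT --
! presumably an oversight rather than deliberate isolation; confirm.
interface Vlan1
 description Default Vlan
 ip address 10.1.10.1 255.255.255.0
 ip access-group sdm_vlan1_in in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
!
interface Vlan40
 ip address 10.1.40.1 255.255.255.0
!
interface Vlan50
 ip address 10.1.50.1 255.255.255.0
!
interface Vlan60
 ip address 10.1.60.1 255.255.255.0
!
interface Vlan70
 ip address 10.1.70.1 255.255.255.0
!
interface Vlan80
 ip address 10.1.80.1 255.255.255.0
!
! Dual default routes, each withdrawn when its track goes down. Both
! tracks ping the same host x.x.x.4, and that /32 is reachable via either
! gateway with no per-probe source interface, so a probe may survive on
! the other uplink and a track may not reflect its own link -- verify.
ip route 0.0.0.0 0.0.0.0 x.x.x.157 track 123
ip route 0.0.0.0 0.0.0.0 x.x.x.165 track 456
ip route x.x.x.4 255.255.255.255 x.x.x.157
ip route x.x.x.4 255.255.255.255 x.x.x.165
!
!
! Was 'ip http server': plaintext HTTP with local credentials on every
! interface. HTTPS on 8443 is already enabled, so the clear-text listener
! is not needed. Remote HTTPS/SSH management is allowed from any source
! by the WAN ACLs; if LAN-only management is acceptable, ACL 1 (permits
! 10.1.10.0/24) could be bound with 'ip http access-class'.
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 8443
ip http timeout-policy idle 60 life 86400 requests 10000
! PAT per uplink, selected by route-map (ACL 101 excludes the VPN subnet
! pair so tunnelled traffic is not translated).
ip nat inside source route-map PSFA00 interface FastEthernet0/0 overload
ip nat inside source route-map SBFA01 interface FastEthernet0/1 overload
! 10.1.10.8 -- also the DNS server handed to every DHCP client -- is
! published on RDP via Fa0/1 and VNC via Fa0/0; the inbound ACLs allow
! both ports from any source, so the host is reachable from the whole
! Internet. Restricting the ACL source (or moving access behind the VPN)
! is the control here.
ip nat inside source static tcp 10.1.10.8 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 10.1.10.8 5900 interface FastEthernet0/0 5900
!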
! DenyNAT has the same content as numbered ACL 101 but is not referenced
! anywhere in this excerpt (the NAT route-maps use 101).
ip access-list extended DenyNAT
 deny ip 10.1.10.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 any
 permit ip 10.1.20.0 0.0.0.255 any
 permit ip 10.1.30.0 0.0.0.255 any
 permit ip 10.1.40.0 0.0.0.255 any
 permit ip 10.1.50.0 0.0.0.255 any
 permit ip 10.1.60.0 0.0.0.255 any
 permit ip 10.1.70.0 0.0.0.255 any
 permit ip 10.1.80.0 0.0.0.255 any
! Inbound on FastEthernet0/0 (x.x.x.158, the interface holding the crypto
! map). Points to raise:
!  - RDP (3389) and VNC (5900) to both WAN addresses are open from 'any';
!    the static NAT for 5900 on Fa0/0 forwards that to 10.1.10.8.
!  - SSH (22) and HTTPS (8443) management is open from 'any'; limit the
!    source to known admin addresses.
!  - The IKE/ESP permits name x.x.x.166, which is Fa0/1's address, not this
!    interface's -- the peer's IKE to .158 falls through to the final
!    'deny ip any any log'. Compare SBAcl, which permits .158.
!  - The RFC1918/loopback/broadcast denies at the end are the usual
!    anti-spoof set; 'deny ip 10.1.10.0/24 any' earlier is redundant with
!    'deny ip 10.0.0.0/8 any' but harmless.
ip access-list extended PSAcl
 permit tcp any host x.x.x.158 eq 3389
 permit tcp any host x.x.x.158 eq 5900
 permit tcp any host x.x.x.166 eq 3389
 permit tcp any host x.x.x.166 eq 5900
 permit udp host x.x.x.122 eq domain any
 permit udp host x.x.x.195 eq domain any
 permit udp host x.x.x.230 host x.x.x.166 eq non500-isakmp
 permit udp host x.x.x.230 host x.x.x.166 eq isakmp
 permit esp host x.x.x.230 host x.x.x.166
 deny ip 10.1.10.0 0.0.0.255 any
 permit icmp any any
 permit tcp any host x.x.x.158 eq 22
 permit tcp any host x.x.x.166 eq 22
 permit tcp any host x.x.x.158 eq 8443
 permit tcp any host x.x.x.166 eq 8443
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip any any log
! Inbound on FastEthernet0/1 (x.x.x.166). Same exposure of 3389/5900/22/
! 8443 from 'any' as PSAcl. Additionally:
!  - 'permit ip 192.168.0.0/24 10.1.10.0/24' sits before the RFC1918
!    denies, so unencrypted packets claiming a 192.168.0.0/24 source are
!    accepted on this interface; it looks like the SDM allowance for
!    decrypted VPN traffic, but the crypto map is on Fa0/0, not here.
!  - The IKE/ESP/AH permits name x.x.x.158 (Fa0/0's address); see the
!    PSAcl note. 'permit ahp' has no matching AH transform-set.
ip access-list extended SBAcl
 remark SDM_ACL Category=17
 permit ahp host x.x.x.230 host x.x.x.158
 permit ip 192.168.0.0 0.0.0.255 10.1.10.0 0.0.0.255
 permit tcp any host x.x.x.158 eq 3389
 permit tcp any host x.x.x.158 eq 5900
 permit tcp any host x.x.x.166 eq 3389
 permit tcp any host x.x.x.166 eq 5900
 permit udp host x.x.x.122 eq domain any
 permit udp host x.x.x.195 eq domain any
 permit udp host x.x.x.230 host x.x.x.158 eq non500-isakmp
 permit udp host x.x.x.230 host x.x.x.158 eq isakmp
 permit esp host x.x.x.230 host x.x.x.158
 deny ip 10.1.10.0 0.0.0.255 any
 permit icmp any any
 permit tcp any host x.x.x.158 eq 22
 permit tcp any host x.x.x.166 eq 22
 permit tcp any host x.x.x.158 eq 8443
 permit tcp any host x.x.x.166 eq 8443
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip any any log
! Crypto ACL for map 'vpntunnels': only Vlan1 <-> the remote 192.168.0.0/24.
ip access-list extended VPNToOnshore
 permit ip 10.1.10.0 0.0.0.255 192.168.0.0 0.0.0.255
! Inbound on Vlan1: drops packets claiming the WAN prefix, broadcast or
! loopback sources, then permits everything. The other SVIs carry no
! inbound ACL at all (see the interface section).
ip access-list extended sdm_vlan1_in
 remark SDM_ACL Category=1
 deny ip x.x.x.0 0.0.0.255 any
 deny ip host 255.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
! IP SLA 1 and 2 are identical ICMP probes of x.x.x.4 every 5 s (2.5 s
! timeout; the 10 s threshold can never trip). Neither sets a source
! interface, and x.x.x.4/32 is routed via both gateways, so the two
! operations may follow the same uplink -- presumably not what the
! per-uplink tracks 123/456 intend; confirm.
ip sla 1
 icmp-echo x.x.x.4
 timeout 2500
 threshold 10000
 verify-data
 frequency 5
 history hours-of-statistics-kept 6
 history distributions-of-statistics-kept 5
 history statistics-distribution-interval 10
 history buckets-kept 25
 history enhanced interval 900 buckets 100
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo x.x.x.4
 timeout 2500
 threshold 10000
 verify-data
 frequency 5
 history hours-of-statistics-kept 6
 history distributions-of-statistics-kept 5
 history statistics-distribution-interval 10
 history buckets-kept 25
 history enhanced interval 900 buckets 100
ip sla schedule 2 life forever start-time now
! ACL 1 (LAN subnet) and ACL 100 (VlanInbound) are not applied anywhere in
! this excerpt; ACL 101 is the NAT route-map selector and excludes the VPN
! subnet pair so tunnelled traffic is left untranslated.
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 10.1.10.0 0.0.0.255
access-list 100 remark VlanInbound
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 deny ip 10.1.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 10.1.10.0 0.0.0.255 any
access-list 101 permit ip 10.1.20.0 0.0.0.255 any
access-list 101 permit ip 10.1.30.0 0.0.0.255 any
access-list 101 permit ip 10.1.40.0 0.0.0.255 any
access-list 101 permit ip 10.1.50.0 0.0.0.255 any
access-list 101 permit ip 10.1.60.0 0.0.0.255 any
access-list 101 permit ip 10.1.70.0 0.0.0.255 any
access-list 101 permit ip 10.1.80.0 0.0.0.255 any
!
!
!
! NAT selectors: translate ACL-101 traffic on whichever WAN interface it
! leaves, so each uplink PATs behind its own address.
route-map PSFA00 permit 10
 match ip address 101
 match interface FastEthernet0/0
!
route-map SBFA01 permit 10
 match ip address 101
 match interface FastEthernet0/1
!
!
!
!
! Empty control-plane section: no CoPP policy is attached.
control-plane
!
!
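! Login banner (shown before authentication). Line breaks are restored
! from the collapsed source; the wording is unchanged.
banner login ^C
-----------------------------------------------------------------------
***************Authorized access only***************
This system is the property of IM Design.
Disconnect IMMEDIATELY if you are not authorized!
If you choose to connect your activities will be monitored and reported.
-----------------------------------------------------------------------
^C
!
! Terminal lines. All of them rely on local usernames, none of which are
! visible in this excerpt. Changes from the original:
!  - 'exec-timeout 10 0' on every line: the default lets an abandoned
!    session stay open.
!  - aux 0 previously had no 'login' at all, so anything attached to the
!    port got an unauthenticated EXEC; it now requires a local login.
!  - vty lines accept SSH only (was 'telnet ssh'): Telnet sends the
!    credentials in clear and both WAN ACLs permit 22 from any source,
!    so SSH was already the remote path. If the image supports it, also
!    set 'ip ssh version 2' globally (needs an RSA key of 768 bits or
!    more; SSH was already enabled, so one presumably exists -- verify).
!  - 'privilege level 15' is kept: every local login lands at level 15
!    without 'enable', which is fine only if every local user is an
!    administrator -- confirm before relying on it.
line con 0
 exec-timeout 10 0
 login local
line aux 0
 exec-timeout 10 0
 login local
line vty 0 4
 exec-timeout 10 0
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 exec-timeout 10 0
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end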