Current configuration : 19090 bytes
!
! Last configuration change at 19:37:47 PCTime Thu Oct 30 2008 by peter
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname peterhome-877
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 *******
!
aaa new-model
!
aaa authentication login NO_AUTHENT line
aaa authentication login NDS_RADIUS group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization exec NDS_RADIUS group radius if-authenticated
aaa authorization network vpnclient local
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
dot11 syslog
!
dot11 ssid *****
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 1*****
!
no ip source-route
!
ip nbar port-map citrix tcp 2598 1494
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.9.1 192.168.9.20
!
ip dhcp pool CLIENT
   import all
   network 192.168.9.0 255.255.255.0
   default-router 192.168.9.254
   dns-server *****
   netbios-name-server 192.168.0.13
   lease 0 2
!
ip dhcp pool Laptop
   import all
   host 192.168.9.80 255.255.255.0
   client-identifier 0100.0e35.ae7c.cc
   default-router 192.168.9.254
   netbios-name-server 192.168.0.13
   dns-server ******
!
ip dhcp pool PC
   import all
   host 192.168.9.25 255.255.255.0
   client-identifier 0100.0c76.930e.8a
   default-router 192.168.9.254
   netbios-name-server 192.168.0.13
   dns-server ******
!
ip dhcp pool laptop
   dns-server ****
!
ip dhcp pool phones
   network 172.16.9.0 255.255.255.0
   option 150 ip 172.16.100.252
   default-router 172.16.9.254
   dns-server ****
!
ip cef
no ip bootp server
ip domain name *****
ip name-server *****
ip name-server ****
ip inspect log drop-pkt
ip inspect name firewall appfw firewall
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tftp
ip inspect name firewall vdolive
ip inspect name firewall icmp
ip inspect name firewall esmtp
ip inspect name firewall citrix
ip inspect name firewall https
ip inspect name firewall dns
ip inspect name firewall skinny
ip inspect name firewall sip-tls
ip inspect name firewall sip
ip inspect name firewall ica
ip inspect name firewall citriximaclient
ip inspect name firewall icabrowser
ip inspect name firewall telnet
ip inspect name firewall syslog
ip inspect name firewall syslog-conn
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall snmp
ip inspect name firewall snmptrap
ip inspect name firewall ident
ip inspect name firewall tacacs-ds
ip inspect name firewall radius
ip inspect name firewall kerberos
ip inspect name firewall tacacs
ip inspect name firewall ace-svr
no ipv6 cef
!
appfw policy-name firewall
  application http
!
multilink bundle-name authenticated
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp keepalive 12
!
crypto isakmp client configuration group vpnclient
 key ****
 dns 192.168.0.13
 domain ****
 pool ippool
 acl splittunnel
!
crypto ipsec transform-set peter esp-3des esp-sha-hmac
crypto ipsec transform-set DYNA-3DES esp-3des esp-md5-hmac
crypto ipsec transform-set site2site esp-aes 256 esp-sha-hmac
crypto ipsec transform-set vpnclient esp-3des esp-md5-hmac
!
crypto dynamic-map dynamap 10
 set transform-set site2site
!
crypto map vpnclient local-address Dialer1
crypto map vpnclient client authentication list NDS_RADIUS
! authorization list name corrected from "vpnclinet" (typo in the original dump) to match the aaa authorization network list above
crypto map vpnclient isakmp authorization list vpnclient
crypto map vpnclient client configuration address respond
crypto map vpnclient 40 ipsec-isakmp dynamic dynamap
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 10
ip tftp source-interface BVI1
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any telnet
 match access-group name telnet_traffic
 match protocol telnet
class-map match-any ef
 match dscp ef
class-map match-any af21
 match dscp af21
class-map match-any af31
 match dscp af31
class-map match-any citrix
 match access-group name citrix_traffic
 match dscp af21
class-map match-any voice-signaling
 match access-group name voice_control
 match protocol sip
 match protocol skinny
 match dscp af31
class-map match-any voice-traffic
 match access-group name voice_traffic
 match dscp ef
 match protocol rtp audio
class-map match-any skype
 match protocol skype
!
policy-map QUEUE-TRAFFIC
 class ef
  priority percent 25
 class af31
  bandwidth 16
 class af21
  bandwidth 36
 class skype
  bandwidth 100
 class class-default
  fair-queue
policy-map MARK-TRAFFIC
 class voice-traffic
  set dscp ef
 class voice-signaling
  set dscp af31
 class citrix
  set dscp af21
!
bridge irb
!
interface Loopback1
 description To allow WebVPN to use ippool
 ip address 172.16.229.254 255.255.255.0
!
interface Tunnel0
 NOT IMPORTANT
!
interface Tunnel1
 NOT IMPORTANT
!
interface ATM0
 description ADSL Interface
 bandwidth 448
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0 0/38
  description ADSL PVC
  vbr-nrt 448 448
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode itu-dmt
 max-reserved-bandwidth 90
!
interface FastEthernet0
 description Linux Server
!
interface FastEthernet1
 description Tivo
!
interface FastEthernet2
 description 5-port Switch - Xbox/KitchenTivo
!
interface FastEthernet3
 description Peters IP Phone
 switchport mode trunk
 switchport voice vlan 2
 service-policy input MARK-TRAFFIC
 service-policy output MARK-TRAFFIC
!
interface Dot11Radio0
 description Wireless Radio (LAN)
 no ip address
 ip nat inside
 ip virtual-reassembly
 !
 encryption mode ciphers tkip
 !
 ssid ****
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description VLAN1 - PRIVATE LAN, Bridged to BVI1
 no ip address
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 service-policy input MARK-TRAFFIC
 service-policy output MARK-TRAFFIC
!
interface Vlan2
 description VOICE VLAN
 ip address 172.16.9.254 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 service-policy input MARK-TRAFFIC
 service-policy output MARK-TRAFFIC
!
interface Dialer1
 description Dialer interface for ADSL
 bandwidth 448
 ip address aa.bb.cc.dd 255.255.255.252
 ip access-group inbound in
 ip access-group outbound out
 ip mtu 1442
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname *****
 ppp chap password *****
 ppp pap sent-username *****
 ppp ipcp dns request
 ppp ipcp wins request
 ppp multilink
 ppp multilink interleave
 ppp multilink fragment delay 10
 crypto map vpnclient
 hold-queue 224 in
!
interface BVI1
 description Bridged Wireless & Ethernet Interface (PRIVATE)
 ip address 192.168.9.254 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1458
 service-policy input MARK-TRAFFIC
 service-policy output MARK-TRAFFIC
!
ip local pool ippool 172.16.9.1 172.16.9.10
ip local pool ippool-webvpn 172.16.229.1 172.16.229.9
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.16.0.0 255.255.255.0 192.168.0.254
ip route 172.16.10.0 255.255.255.0 192.168.10.252
ip route 172.16.100.0 255.255.255.0 192.168.10.254
ip route 192.168.0.0 255.255.0.0 Tunnel0
ip route 192.168.10.0 255.255.255.0 Tunnel1
ip http server
ip http access-class 1
ip http authentication aaa login-authentication NDS_RADIUS
ip http secure-server
ip http secure-client-auth
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip flow-top-talkers
 top 10
 sort-by bytes
 match destination address 192.168.9.0 0.0.0.255
!
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 192.168.9.1 20 aa.bb.cc.dd 20 route-map linux extendable
ip nat inside source static tcp 192.168.9.1 21 aa.bb.cc.dd 21 route-map linux extendable
ip nat inside source static tcp 192.168.9.25 69 aa.bb.cc.dd 69 route-map desktop extendable
ip nat inside source static udp 192.168.9.25 69 aa.bb.cc.dd 69 route-map desktop extendable
ip nat inside source static tcp 192.168.9.1 80 aa.bb.cc.dd 80 route-map linux extendable
ip nat inside source static tcp 192.168.9.25 6882 aa.bb.cc.dd 6882 route-map desktop extendable
!
ip access-list standard snmp-rw
 permit 192.168.9.0 0.0.0.255
!
ip access-list extended citrix_traffic
 permit tcp any eq 1494 any
 permit tcp any any eq 1494
 permit tcp any eq 2598 any
 permit tcp any any eq 2598
ip access-list extended desktop
 remark NAT for Non-VPN to Desktop
 deny   ip host 192.168.9.25 172.16.9.0 0.0.0.255
 permit tcp host 192.168.9.25 eq 69 any
 permit udp host 192.168.9.25 eq tftp any
 permit tcp host 192.168.9.25 eq 6882 any
ip access-list extended inbound
 remark Firewall Inbound
 remark ICMP
 permit icmp any any administratively-prohibited
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any unreachable
 remark VPN
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq 10000
 permit tcp any any eq 1723
 permit gre any any
 permit udp any any eq non500-isakmp
 permit ip 172.16.9.0 0.0.0.255 any
 remark Internal Services
 permit tcp any host aa.bb.cc.dd eq 69
 permit udp any host aa.bb.cc.dd eq tftp
 permit tcp any host aa.bb.cc.dd eq ftp
 permit tcp any host aa.bb.cc.dd eq ftp-data
 permit udp any eq domain any
 remark for WebVPN
 permit tcp any host aa.bb.cc.dd eq 443
ip access-list extended laptop
 remark NAT for Non-VPN to Laptop
 deny   ip host 192.168.9.80 172.16.9.0 0.0.0.255
 permit tcp host 192.168.9.80 eq ftp any
 permit tcp host 192.168.9.80 eq ftp-data any
ip access-list extended linux
 remark NAT for Non-VPN to Linux
 deny   ip host 192.168.9.1 172.16.9.0 0.0.0.255
 permit tcp host 192.168.9.1 eq ftp-data any
 permit tcp host 192.168.9.1 eq ftp any
 permit tcp host 192.168.9.1 eq www any
ip access-list extended noNAT
 remark exclude VPN traffic from NAT process
 deny   ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.9.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip 192.168.9.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 172.16.9.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 172.16.9.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.9.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.9.0 0.0.0.255 any
 permit ip 172.16.9.0 0.0.0.255 any
!
ip radius source-interface BVI1
dialer-list 1 protocol ip permit
snmp-server community rowe RW snmp-rw
snmp-server community public RO
!
route-map laptop permit 1
 description Do not use Static NAT from VPN to Laptop
 match ip address laptop
!
route-map desktop permit 1
 match ip address desktop linux
!
route-map tivoweb permit 15
 match ip address tivo
!
route-map nonat permit 10
 match ip address noNAT
!
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646 key ***********
radius-server host 192.168.0.5 auth-port 1645 acct-port 1646 key *************
radius-server timeout 1
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 192.168.0.7
!
peterhome-877#