Building configuration... Current configuration : 8699 bytes
!
! Global services. Debug and log messages are timestamped to the millisecond.
! "no service password-encryption" leaves any non-secret password or key in
! the configuration in clear text when the config is displayed or exported.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER871
!
boot-start-marker
boot-end-marker
!
! Logs go to a 16 KB in-memory buffer only; no "logging <host>" line appears
! in this listing, so log history is lost on reload.
logging buffered 16384
!
! AAA is disabled, so the "login local" lines further down authenticate
! against the local username database only.
no aaa new-model
ip cef
!
!
!
!
! Self-signed trustpoint with revocation checking disabled.
! NOTE(review): presumably generated for "ip http secure-server" - confirm.
crypto pki trustpoint TP-self-signed-1579893558
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1579893558
 revocation-check none
 rsakeypair TP-self-signed-1579893558
!
!
! The DER below decodes to an MD5-with-RSA signature (OID 1.2.840.113549.1.1.4),
! a 1024-bit RSA modulus and a validity of 2007-08-18 to 2020-01-01.
! Its subjectAltName also carries a DNS name that differs from the hostname
! above, so sanitising the text fields alone does not anonymise this listing.
crypto pki certificate chain TP-self-signed-1579893558
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31353739 38393335 3538301E 170D3037 30383138 31383237
  33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35373938
  39333535 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D914 14189B87 CE5E5015 A09AA8F5 19036EE4 0297119A F2D4F41B 766D57A8
  CF4ABE54 13BFAB8A 3C4AD19B 62EFC0FB AD3EDF67 0CA2756D D640738E 34FAF5FC
  B857AF58 5F97B1C6 8A70CC54 66B2B705 BC15C464 B01C4FF2 FBE39933 1180FE9D
  666DED94 F67F4173 4BD526E7 EB31DC95 E9F8A456 4D62E3A0 6DA55B0A F7F6E136
  041D0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07544A50 2D56504E 301F0603 551D2304 18301680 14CBAB54
  E4C73143 BAB69CCF 6A9D4B32 DA0CB16C C5301D06 03551D0E 04160414 CBAB54E4
  C73143BA B69CCF6A 9D4B32DA 0CB16CC5 300D0609 2A864886 F70D0101 04050003
  818100BA C6B7460B 157EBA8F 6313B985 F907F65B 723F4179 908AB314 3D294D86
  5456CA9A DA21A870 779E1513 B1AADA88 2BB992C2 BDC3B442 71277B61 790ECA23
  0615EC8A CED14723 E6378988 139B2D2C D0E413B1 E67591C5 1AFDB121 33137C96
  C1AB46A9 1B23B635 6781BBDC F24B6518 DAC5EEFB 521CF839 5E553763 C850049B
  7F4470
  quit
!
!
! Single local account at privilege 15 (full administrative access).
! "secret 5" stores a salted MD5-crypt hash ($1$...). The user name was
! replaced with a placeholder but the hash was left in place.
! NOTE(review): a hash published with the listing should be treated as exposed;
! confirm the credential was rotated.
username [user] privilege 15 secret 5 $1$J5X7$Lza4y093b9CI2eCPj3zN9.
!
!
! QoS classification: each class matches one named extended ACL.
class-map match-any CLASS_MAIL_TRAFFIC
 match access-group name MAIL_TRAFFIC
class-map match-any CLASS_INTERNET_TRAFFIC
 match access-group name WEB_TRAFFIC
class-map match-any CLASS_VPN_TRAFFIC
 match access-group name VPN_TRAFFIC
!
!
! Mail gets 20% and VPN 40% priority bandwidth; web traffic takes what remains.
! NOTE(review): no "service-policy" line appears on any interface in this
! listing, so as shown this policy is defined but not applied - confirm.
policy-map REMOTE_SITE_BANDWIDTH_MGMT
 class CLASS_MAIL_TRAFFIC
  priority percent 20
 class CLASS_VPN_TRAFFIC
  priority percent 40
 class CLASS_INTERNET_TRAFFIC
  bandwidth remaining percent 100
 class class-default
  fair-queue
!
!
!
! IKE phase 1: 3DES, pre-shared key, Diffie-Hellman group 2. No hash or
! lifetime line is shown, so the IOS defaults apply.
! NOTE(review): 3DES and group 2 are legacy parameters; strengthening them
! must be coordinated with the remote peer or the tunnel will not negotiate.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! With "no service password-encryption" set globally, this key is kept in
! clear text in the stored configuration (replaced by a placeholder here).
crypto isakmp key [presharedkey] address [REMOTE_SITE_IP_ADDRESS]
!
!
! IKE phase 2: ESP with 3DES encryption and SHA-1 HMAC integrity.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Site-to-site tunnel to a single peer; ACL 100 selects the traffic to
! encrypt. No "set pfs" line is present in this entry.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toREMOTE_SITE
 set peer [REMOTE_SITE_IP_ADDRESS]
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
! FastEthernet0-3 carry no configuration of their own in this listing.
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! WAN side: NAT outside, crypto map applied, ACL 120 filters inbound and
! ACL 125 outbound. IP accounting records output packets and ACL violations.
interface FastEthernet4
 ip address [LOCAL_PUBLIC_IP_1] 255.255.255.248
 ip access-group 120 in
 ip access-group 125 out
 ip accounting output-packets
 ip accounting access-violations
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
! LAN side: NAT inside, ACL 130 filters traffic arriving from the LAN.
interface Vlan1
 ip address 172.30.205.12 255.255.255.0
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
!
! Default route plus static routes for the networks listed in ACL 100.
! NOTE(review): next hop 172.30.162.254 is not on the Vlan1 subnet, the only
! private subnet addressed in this listing - confirm how these routes resolve.
ip route 0.0.0.0 0.0.0.0 [ADSL_MODEM_GATEWAY]
ip route 133.0.0.0 255.0.0.0 172.30.162.254
ip route 172.30.159.0 255.255.255.0 172.30.162.254
ip route 172.30.160.0 255.255.255.0 172.30.162.254
ip route 172.30.161.0 255.255.255.0 172.30.162.254
ip route 172.30.162.0 255.255.255.0 172.30.162.254
!
! Both the clear-text HTTP server and the HTTPS server are enabled, with
! local-user authentication. No "ip http access-class" line is shown; the
! only restriction visible here is ACL 120 denying www/443 to
! [LOCAL_PUBLIC_IP_1] from the WAN side.
! NOTE(review): if only HTTPS management is needed, "no ip http server"
! removes the clear-text listener - confirm nothing depends on it.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! PAT for LAN hosts through FastEthernet4; route-map SDM_RMAP_1 (ACL 101)
! decides which flows are translated. Host 172.30.205.5 additionally has a
! one-to-one static translation to [LOCAL_PUBLIC_IP_2].
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static 172.30.205.5 [LOCAL_PUBLIC_IP_2] extendable
!
! Named ACLs referenced by the QoS class-maps (classification only).
ip access-list extended MAIL_TRAFFIC
 permit ip host [LOCAL_PUBLIC_IP_2] host [MAIL_SITE_B]
 permit ip host [LOCAL_PUBLIC_IP_2] host [MAIL_SITE_A]
ip access-list extended VPN_TRAFFIC
 permit ip host [LOCAL_PUBLIC_IP_1] host [REMOTE_SITE_IP_ADDRESS]
ip access-list extended WEB_TRAFFIC
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
!
! ACL 100: traffic from the LAN (172.30.205.0/24) to the remote networks;
! referenced by crypto map SDM_CMAP_1 as the set of flows to encrypt.
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.30.205.0 0.0.0.255 133.0.0.0 0.255.255.255
access-list 100 permit ip 172.30.205.0 0.0.0.255 172.30.159.0 0.0.0.255
access-list 100 permit ip 172.30.205.0 0.0.0.255 172.30.160.0 0.0.0.255
access-list 100 permit ip 172.30.205.0 0.0.0.255 172.30.161.0 0.0.0.255
access-list 100 permit ip 172.30.205.0 0.0.0.255 172.30.162.0 0.0.0.255
! ACL 101: mirror image of ACL 100 used by route-map SDM_RMAP_1. The denies
! exempt the tunnel destinations from NAT; everything else from the LAN is
! translated. The two lists must stay in step when a remote network changes.
access-list 101 deny ip 172.30.205.0 0.0.0.255 133.0.0.0 0.255.255.255
access-list 101 deny ip 172.30.205.0 0.0.0.255 172.30.159.0 0.0.0.255
access-list 101 deny ip 172.30.205.0 0.0.0.255 172.30.160.0 0.0.0.255
access-list 101 deny ip 172.30.205.0 0.0.0.255 172.30.161.0 0.0.0.255
access-list 101 deny ip 172.30.205.0 0.0.0.255 172.30.162.0 0.0.0.255
access-list 101 permit ip 172.30.205.0 0.0.0.255 any
! ACL 120: inbound filter on FastEthernet4. Entries are evaluated top-down.
! The VPN peer may send any IP traffic to [LOCAL_PUBLIC_IP_1]; the two mail
! sites may open TCP to [LOCAL_PUBLIC_IP_2] on any port (no "eq" qualifier).
access-list 120 permit ip host [REMOTE_SITE_IP_ADDRESS] host [LOCAL_PUBLIC_IP_1]
access-list 120 permit tcp host [MAIL_SITE_B] host [LOCAL_PUBLIC_IP_2]
access-list 120 permit tcp host [MAIL_SITE_A] host [LOCAL_PUBLIC_IP_2]
! Four ICMP types are accepted from any source for both public addresses.
access-list 120 permit icmp any host [LOCAL_PUBLIC_IP_1] echo
access-list 120 permit icmp any host [LOCAL_PUBLIC_IP_1] echo-reply
access-list 120 permit icmp any host [LOCAL_PUBLIC_IP_1] time-exceeded
access-list 120 permit icmp any host [LOCAL_PUBLIC_IP_1] unreachable
access-list 120 permit icmp any host [LOCAL_PUBLIC_IP_2] echo
access-list 120 permit icmp any host [LOCAL_PUBLIC_IP_2] echo-reply
access-list 120 permit icmp any host [LOCAL_PUBLIC_IP_2] time-exceeded
access-list 120 permit icmp any host [LOCAL_PUBLIC_IP_2] unreachable
! Everything else addressed to the statically translated host is dropped
! and logged.
access-list 120 deny ip any host [LOCAL_PUBLIC_IP_2] log
! SSH to the router is accepted from any source address, and no
! "access-class" is applied to the vty lines in this listing.
! NOTE(review): consider limiting the source to known management addresses.
access-list 120 permit tcp any host [LOCAL_PUBLIC_IP_1] eq 22
access-list 120 deny tcp any host [LOCAL_PUBLIC_IP_1] eq telnet
access-list 120 deny tcp any host [LOCAL_PUBLIC_IP_1] eq www
access-list 120 deny tcp any host [LOCAL_PUBLIC_IP_1] eq 443
! The closing permit makes this a deny-list: only telnet, www and 443 to
! [LOCAL_PUBLIC_IP_1] and the logged deny above are blocked. Any other
! protocol or port addressed to the router passes this ACL.
access-list 120 permit ip any any
! ACL 125: outbound filter on FastEthernet4. The final permit allows all
! traffic, so the two host entries do not restrict anything.
! NOTE(review): presumably kept for their hit counters - confirm.
access-list 125 permit ip host [LOCAL_PUBLIC_IP_2] host [MAIL_SITE_A]
access-list 125 permit ip host [LOCAL_PUBLIC_IP_2] host [MAIL_SITE_B]
access-list 125 permit ip any any
! ACL 130: inbound filter on Vlan1 (traffic arriving from the LAN).
! Any LAN host may reach the remote networks listed for the tunnel.
access-list 130 permit ip 172.30.205.0 0.0.0.255 133.0.0.0 0.255.255.255
access-list 130 permit ip 172.30.205.0 0.0.0.255 172.30.159.0 0.0.0.255
access-list 130 permit ip 172.30.205.0 0.0.0.255 172.30.160.0 0.0.0.255
access-list 130 permit ip 172.30.205.0 0.0.0.255 172.30.161.0 0.0.0.255
access-list 130 permit ip 172.30.205.0 0.0.0.255 172.30.162.0 0.0.0.255
! Per-host allow-list: hosts .4, .5, .16, .21 and .23 get web, FTP control,
! DNS (TCP and UDP) and ICMP echo to any destination.
access-list 130 permit tcp host 172.30.205.4 any eq www
access-list 130 permit tcp host 172.30.205.4 any eq 443
access-list 130 permit tcp host 172.30.205.4 any eq ftp
access-list 130 permit tcp host 172.30.205.4 any eq domain
access-list 130 permit udp host 172.30.205.4 any eq domain
access-list 130 permit icmp host 172.30.205.4 any echo
access-list 130 permit tcp host 172.30.205.5 any eq www
access-list 130 permit tcp host 172.30.205.5 any eq 443
access-list 130 permit tcp host 172.30.205.5 any eq ftp
access-list 130 permit tcp host 172.30.205.5 any eq domain
access-list 130 permit udp host 172.30.205.5 any eq domain
access-list 130 permit icmp host 172.30.205.5 any echo
! Host .5 may also reach the two mail sites.
! NOTE(review): the MAIL_SITE_A entry is limited to smtp but the MAIL_SITE_B
! entry has no port, so it allows every TCP port - confirm this is intended.
access-list 130 permit tcp host 172.30.205.5 host [MAIL_SITE_A] eq smtp
access-list 130 permit tcp host 172.30.205.5 host [MAIL_SITE_B]
access-list 130 permit tcp host 172.30.205.16 any eq www
access-list 130 permit tcp host 172.30.205.16 any eq 443
access-list 130 permit tcp host 172.30.205.16 any eq ftp
access-list 130 permit tcp host 172.30.205.16 any eq domain
access-list 130 permit udp host 172.30.205.16 any eq domain
access-list 130 permit icmp host 172.30.205.16 any echo
access-list 130 permit tcp host 172.30.205.21 any eq www
access-list 130 permit tcp host 172.30.205.21 any eq 443
access-list 130 permit tcp host 172.30.205.21 any eq ftp
access-list 130 permit tcp host 172.30.205.21 any eq domain
access-list 130 permit udp host 172.30.205.21 any eq domain
access-list 130 permit icmp host 172.30.205.21 any echo
access-list 130 permit tcp host 172.30.205.23 any eq www
access-list 130 permit tcp host 172.30.205.23 any eq 443
access-list 130 permit tcp host 172.30.205.23 any eq ftp
access-list 130 permit tcp host 172.30.205.23 any eq domain
access-list 130 permit udp host 172.30.205.23 any eq domain
access-list 130 permit icmp host 172.30.205.23 any echo
! Explicit logged deny: any LAN traffic not matched above is dropped and
! recorded, which makes this list a true allow-list.
access-list 130 deny ip any any log
!
!
! NAT selection: only flows permitted by ACL 101 are translated.
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
!
! Console, aux and vty lines all authenticate against the local user
! database. The vty lines accept SSH only; no "access-class" or
! "exec-timeout" lines are shown, so source filtering relies on ACL 120 and
! the idle timeout is the IOS default.
line con 0
 login local
 no modem enable
line aux 0
 login local
line vty 0 4
 login local
 transport input ssh
!
scheduler max-task-time 5000
end