!
!
! Last configuration change at 11:39:42 aest Tue Apr 17 2007 by admin
! NVRAM config last updated at 11:39:46 aest Tue Apr 17 2007 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c877w
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$VaXq$5LV9LUzpY8WhB1rSCahm1.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone aest 10
clock summer-time aest date Oct 28 2007 2:00 Mar 30 2008 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.254
ip dhcp excluded-address 10.1.1.1 10.1.1.20
ip dhcp excluded-address 10.1.2.100 10.1.2.110
!
ip dhcp pool fnDHCPPool
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.254
   dns-server 10.1.1.1 139.130.4.4 61.3.133.192 61.9.134.49
!
!
ip inspect name myFirewall tcp
ip inspect name myFirewall udp
ip inspect name myFirewall cuseeme
ip inspect name myFirewall h323
ip inspect name myFirewall rcmd
ip inspect name myFirewall realaudio
ip inspect name myFirewall streamworks
ip inspect name myFirewall vdolive
ip inspect name myFirewall sqlnet
ip inspect name myFirewall tftp
ip inspect name myFirewall ftp
ip inspect name myFirewall icmp
ip inspect name myFirewall sip
ip inspect name myFirewall esmtp max-data 52428800
ip inspect name myFirewall fragment maximum 256 timeout 1
ip inspect name myFirewall netshow
ip inspect name myFirewall pptp
ip inspect name myFirewall rtsp
ip inspect name myFirewall skinny
ip name-server 139.130.4.4
!
!
!
username admin privilege 15 password 0 XXXXX
username trist privilege 15 password 0 XXXXX
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpn
 key XXXXX
 pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 broadcast-key vlan 1 change 60
 !
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid fnme
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 XXXXX
 !
 world-mode dot11d country AU outdoor
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip inspect myFirewall out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXXX
 ppp chap password 0 XXXXX
 crypto map SDM_CMAP_1
!
interface BVI1
 ip address 10.1.1.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
ip local pool SDM_POOL_1 10.1.2.100 10.1.2.110
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip any host 10.1.2.100
access-list 100 deny ip any host 10.1.2.101
access-list 100 deny ip any host 10.1.2.102
access-list 100 deny ip any host 10.1.2.103
access-list 100 deny ip any host 10.1.2.104
access-list 100 deny ip any host 10.1.2.105
access-list 100 deny ip any host 10.1.2.106
access-list 100 deny ip any host 10.1.2.107
access-list 100 deny ip any host 10.1.2.108
access-list 100 deny ip any host 10.1.2.109
access-list 100 deny ip any host 10.1.2.110
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 remark Outside interface = Dialer0
access-list 101 remark SDM_ACL Category=17
access-list 101 permit ip host 10.1.2.100 any
access-list 101 permit ip host 10.1.2.101 any
access-list 101 permit ip host 10.1.2.102 any
access-list 101 permit ip host 10.1.2.103 any
access-list 101 permit ip host 10.1.2.104 any
access-list 101 permit ip host 10.1.2.105 any
access-list 101 permit ip host 10.1.2.106 any
access-list 101 permit ip host 10.1.2.107 any
access-list 101 permit ip host 10.1.2.108 any
access-list 101 permit ip host 10.1.2.109 any
access-list 101 permit ip host 10.1.2.110 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 remark Block all private addresses
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 15.255.255.255 any
access-list 101 deny ip 240.0.0.0 7.255.255.255 any
access-list 101 deny ip 248.0.0.0 7.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 remark Allow specific ports access to network
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq smtp
access-list 101 permit udp any any eq tftp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq nntp
access-list 101 permit udp any any eq snmp
access-list 101 permit tcp any any eq 443
access-list 101 permit icmp any any echo
access-list 101 deny ip any 169.254.0.0 0.0.255.255
access-list 101 deny ip any 192.0.2.0 0.0.0.255
access-list 102 remark Inside LAN interface (BVI1)
access-list 102 permit ip any host 10.1.1.254
access-list 102 remark DHCP Server Request
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any host 10.1.1.255
access-list 102 remark Block all private addresses
access-list 102 deny ip any 0.0.0.0 0.255.255.255
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 deny ip any 127.0.0.0 0.255.255.255
access-list 102 deny ip any 169.254.0.0 0.0.255.255
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 192.0.0.0 0.0.255.255
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 deny ip any 198.18.0.0 0.0.255.255
access-list 102 deny ip any 224.0.0.0 0.0.15.255
access-list 102 deny ip any 255.0.0.0 0.255.255.255
access-list 102 remark Block NetBIOS
access-list 102 deny udp any any eq 135
access-list 102 deny tcp any any eq 135
access-list 102 deny udp any any eq netbios-ns
access-list 102 deny udp any any eq netbios-dgm
access-list 102 deny tcp any any eq 445
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 password XXXXX
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 password XXXXX
!
scheduler max-task-time 5000
end