!This is the running config of the router: 172.16.1.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SSCRTWANB1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$d4mD$gh1.MJwzhhjzGb5Zs.6h7/
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
clock timezone PCTime -7
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.1.1 172.16.1.229
!
ip dhcp pool sdm-pool1
 import all
 network 172.16.1.0 255.255.255.0
 dns-server 172.16.1.11 68.2.16.25
 default-router 172.16.1.1
!
!
ip tcp synwait-time 10
ip cef
ip domain name intra.windigo.us
ip name-server 68.2.16.25
ip name-server 68.2.16.30
no ip bootp server
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-933743407
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-933743407
 revocation-check none
 rsakeypair TP-self-signed-933743407
!
!
crypto pki certificate chain TP-self-signed-933743407
 certificate self-signed 01
  quit
username xxxxxxxx privilege 15 secret 5 xxxxxxxx
username xxxxxxxx privilege 15 secret 5 xxxxxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group Teamsters
 key xxxxxxxx
 dns 172.16.1.15
 domain intra.windigo.local
 pool SDM_POOL_1
 acl 103
 include-local-lan
 max-users 54
 max-logins 1
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
 ip address 172.16.1.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Ethernet1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id Ethernet1
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 crypto map SDM_CMAP_1
!
interface Ethernet2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 172.16.2.200 172.16.2.254
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 172.16.1.16 2000 interface Ethernet1 2000
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 172.16.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark TCAdmin
access-list 101 permit tcp any any eq 2000
access-list 101 permit ip host 172.16.2.200 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.201 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.202 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.203 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.204 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.205 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.206 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.207 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.208 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.209 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.210 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.211 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.212 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.213 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.214 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.215 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.216 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.217 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.218 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.219 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.220 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.221 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.222 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.223 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.224 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.225 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.226 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.227 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.228 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.229 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.230 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.231 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.232 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.233 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.234 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.235 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.236 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.237 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.238 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.239 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.240 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.241 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.242 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.243 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.244 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.245 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.246 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.247 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.248 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.249 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.250 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.251 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.252 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.253 172.0.0.0 0.255.255.255
access-list 101 permit ip host 172.16.2.254 172.0.0.0 0.255.255.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp host 68.2.16.30 eq domain any
access-list 101 permit udp host 68.2.16.25 eq domain any
access-list 101 permit tcp any any eq ftp
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 172.16.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 172.0.0.0 0.255.255.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.200
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.201
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.202
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.203
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.204
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.205
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.206
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.207
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.208
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.209
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.210
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.211
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.212
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.213
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.214
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.215
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.216
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.217
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.218
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.219
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.220
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.221
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.222
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.223
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.224
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.225
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.226
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.227
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.228
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.229
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.230
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.231
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.232
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.233
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.234
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.235
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.236
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.237
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.238
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.239
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.240
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.241
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.242
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.243
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.244
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.245
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.246
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.247
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.248
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.249
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.250
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.251
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.252
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.253
access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.254
access-list 104 permit ip 172.16.1.0 0.0.0.255 any
snmp-server community WINSNMP RO
snmp-server location SSC
snmp-server contact GLDO
snmp-server host 172.16.1.10 **********
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
control-plane
!
banner exec ^CCC
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username privilege 15 secret 0
Replace and with the username and password you want to use.
-----------------------------------------------------------------------
^C
banner login ^CCC
**************************
**AUTHORIZED ACCESS ONLY**
**************************
THIS SYSTEM IS FOR BUSSINESS USE ONLY.
ANY UNATHORIZED ACCESS OF THIS SYSTEM OR UNATHORIZED USE OF THIS SYSTEMS RESOURCES IS PUNISHABLE BY LAW.
ACTIIVTY ON THIS SYSTEM IS LOGGED AND MONITORED.
WINDIGO WILL GATHER ALL APPROPRIATE EVIDENCE OF CRIMINIAL ACTIVITY OR MISCONDUCT TO PROVIDE TO APPROPRATE AUTHORITIES.
WINDIGO WILL PROSECUTE AT THE FULLEST EXTENT.
*************************************************************
**Disconnect IMMEDIATELY if you are not an authorized user!**
*************************************************************^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input ssh
!
scheduler max-task-time 5000
scheduler interval 500
end