xtropx

1841 Config

Feb 5th, 2013
  1. !
  2. version 12.4
  3. service timestamps debug datetime msec
  4. service timestamps log datetime msec
  5. service password-encryption
  6. !
  7. hostname TRN-01
  8. !
  9. boot-start-marker
  10. boot-end-marker
  11. !
  12. logging message-counter syslog
  13. no logging buffered
  14. !
  15. no aaa new-model
  16. dot11 syslog
  17. ip source-route
  18. !
  19. !
  20. no ip dhcp use vrf connected
  21. ip dhcp excluded-address 172.16.1.10
  22. ip dhcp excluded-address 172.16.1.4
  23. ip dhcp excluded-address 172.16.1.6
  24. ip dhcp excluded-address 172.16.1.26
  25. ip dhcp excluded-address 172.16.1.28
  26. !
  27. ip dhcp pool WIFI
  28. network 172.16.1.0 255.255.255.224
  29. domain-name emrlab.info
  30. dns-server 208.67.222.222
  31. default-router 172.16.1.1
  32. option 150 ip 172.16.1.1
  33. option 66 ip 172.16.1.1
  34. !
  35. !
  36. ip cef
  37. no ip domain lookup
  38. ip domain name emrlab.info
  39. ipv6 unicast-routing
  40. ipv6 cef
  41. !
  42. <CRYPTO CERTIFICATES FOR SSH AND SO ON SNIPPED>
  43. !
  44. <USERNAME INFO SNIPPED>
  45. !
  46. !
  47. crypto isakmp policy 1
  48. encr 3des
  49. hash md5
  50. authentication pre-share
  51. group 2
  52. crypto isakmp key <SECRET-KEY-SNIPPED> address <REMOTE WAN IP>
  53. crypto isakmp invalid-spi-recovery
  54. crypto isakmp nat keepalive 20
  55. !
  56. !
  57. crypto ipsec transform-set TS esp-3des esp-md5-hmac
  58. mode transport
  59. !
  60. crypto ipsec profile protect-gre
  61. set security-association lifetime seconds 86400
  62. set transform-set TS
  63. !
  64. !
  65. !
  66. !
  67. ip ssh time-out 60
  68. ip ssh authentication-retries 5
  69. ip ssh version 2
  70. !
  71. !
  72. !
  73. interface Tunnel0
  74. description Hurricane Electric IPv6 Tunnel Broker
  75. no ip address
  76. ipv6 address <GLOBAL IPV6>::2/64
  77. ipv6 enable
  78. ipv6 traffic-filter IPV6_TUNNEL_SEC_INBOUND in
  79. tunnel source <LOCAL PUBLIC>
  80. tunnel destination 209.51.181.2
  81. tunnel mode ipv6ip
  82. !
  83. interface Tunnel1
  84. ip address 172.16.254.9 255.255.255.252
  85. tunnel source <LOCAL PUBLIC>
  86. tunnel destination <REMOTE WAN>
  87. tunnel protection ipsec profile protect-gre
  88. !
  89. interface FastEthernet0/0
  90. no ip address
  91. duplex auto
  92. speed auto
  93. !
  94. interface FastEthernet0/0.32
  95. encapsulation dot1Q 32
  96. ip address 172.16.1.33 255.255.255.224
  97. ip access-group 101 in
  98. !
  99. interface FastEthernet0/0.64
  100. encapsulation dot1Q 64
  101. ip address 172.16.1.65 255.255.255.224
  102. ip access-group 101 in
  103. ip nat inside
  104. ip virtual-reassembly
  105. !
  106. interface FastEthernet0/0.66
  107. encapsulation dot1Q 66
  108. ip address 172.16.1.161 255.255.255.224
  109. ip nat inside
  110. ip virtual-reassembly
  111. ipv6 address FE80:A11::1 link-local
  112. ipv6 address <IPV6>/48
  113. ipv6 enable
  114. ipv6 rip process enable
  115. ipv6 rip process default-information only
  116. !
  117. interface FastEthernet0/0.96
  118. encapsulation dot1Q 96
  119. ip address 172.16.1.97 255.255.255.224
  120. ip nat inside
  121. ip virtual-reassembly
  122. !
  123. interface FastEthernet0/0.100
  124. encapsulation dot1Q 100
  125. ip address 172.16.1.1 255.255.255.224
  126. ip nat inside
  127. ip virtual-reassembly
  128. !
  129. interface FastEthernet0/0.128
  130. encapsulation dot1Q 128
  131. ip address 172.16.1.129 255.255.255.224
  132. ip access-group 101 in
  133. ip nat inside
  134. ip virtual-reassembly
  135. !
  136. interface FastEthernet0/1
  137. ip address dhcp client-id FastEthernet0/1
  138. ip access-group INBOUND_WAN in
  139. ip nat outside
  140. ip virtual-reassembly
  141. duplex auto
  142. speed auto
  143. no cdp enable
  144. !
  145. interface Serial0/1/0
  146. no ip address
  147. shutdown
  148. !
  149. router ospf 1
  150. log-adjacency-changes
  151. passive-interface FastEthernet0/1
  152. network 172.16.1.160 0.0.0.31 area 0
  153. network 172.16.1.0 0.0.0.255 area 0
  154. network 172.16.254.8 0.0.0.3 area 0
  155. !
  156. ip local pool test 172.16.1.26 172.16.1.28
  157. ip forward-protocol nd
  158. ip route 172.16.2.0 255.255.255.0 Tunnel1 115
  159. no ip http server
  160. ip http authentication local
  161. ip http secure-server
  162. !
  163. !
  164. ip nat portmap PBX
  165. appl udp-rtp startport 8960 size 192
  166. no ip nat create flow-entries
  167. no ip nat service allow-sip-even-rtp-port
  168. ip nat inside source static tcp 172.16.1.10 12000 interface FastEthernet0/1 12000
  169. ip nat inside source static tcp 172.16.1.130 11000 interface FastEthernet0/1 11000
  170. ip nat inside source static udp 172.16.1.130 11000 interface FastEthernet0/1 11000
  171. ip nat inside source list 1 interface FastEthernet0/1 overload
  172. ip nat inside source static tcp 172.16.1.107 22 <LOCAL PUBLIC> 22 extendable
  173. ip nat inside source static tcp 172.16.1.10 3389 <LOCAL PUBLIC> 3389 extendable
  174. ip nat inside source static udp 172.16.1.131 5060 <LOCAL PUBLIC> 5060 extendable
  175. ip nat inside source static tcp 172.16.1.131 5090 <LOCAL PUBLIC> 5090 extendable
  176. ip nat inside source static udp 172.16.1.131 5090 <LOCAL PUBLIC> 5090 extendable
  177. ip nat inside source static 172.16.1.131 <LOCAL PUBLIC> route-map PBX
  178. !
  179. ip access-list standard ALLOW_SSH
  180. permit <REMOTE PUBLIC> log
  181. permit 172.16.1.0 0.0.0.31
  182. permit 172.16.2.0 0.0.0.31 log
  183. !
  184. ip access-list extended INBOUND_WAN
  185. permit udp any any eq bootps
  186. permit udp any any eq bootpc
  187. permit udp any host 172.16.1.131 eq 5060
  188. permit udp any host 172.16.1.131 eq 5090
  189. permit tcp any host 172.16.1.131 eq 5060
  190. permit udp any host 172.16.1.131 range 9000 9094
  191. permit icmp host 66.220.2.74 host <LOCAL PUBLIC>
  192. permit tcp host <REMOTE WAN> host <LOCAL PUBLIC> eq 22
  193. permit tcp host <REMOTE WAN> host <LOCAL PUBLIC> eq 3389
  194. permit tcp host <OTHER WAN> host <LOCAL PUBLIC> eq 3389
  195. permit icmp host <REMOTE WAN> host <LOCAL PUBLIC>
  196. permit udp host <REMOTE WAN> eq isakmp host <LOCAL PUBLIC> eq isakmp
  197. permit esp host <REMOTE WAN> host <LOCAL PUBLIC>
  198. permit udp any host <LOCAL PUBLIC> eq 3389
  199. permit udp any host <LOCAL PUBLIC> eq 11000
  200. permit tcp any host <LOCAL PUBLIC> eq 11000
  201. deny icmp any any echo
  202. deny icmp any any redirect
  203. deny icmp any any timestamp-request
  204. deny icmp any any information-request
  205. deny icmp any any mask-request
  206. deny ip 10.0.0.0 0.255.255.255 any
  207. deny ip 172.16.0.0 0.15.255.255 any
  208. deny ip 192.168.0.0 0.0.255.255 any
  209. deny ip 127.0.0.0 0.255.255.255 any
  210. deny ip 169.254.0.0 0.0.0.255 any
  211. permit ip any any
  212. !
  213. access-list 1 permit 172.16.1.0 0.0.0.255
  214. access-list 101 permit tcp host 172.16.1.8 host 172.16.1.1 eq www log
  215. access-list 101 permit tcp host 172.16.1.8 host 172.16.1.1 eq 443 log
  216. access-list 101 deny tcp any host 172.16.1.1 eq www
  217. access-list 101 deny tcp any host 172.16.1.1 eq 443
  218. access-list 101 permit ip any any
  219. access-list 101 remark RESTRICT SDM ACCESS
  220. access-list 105 remark SITE_TO_SITE_VPN_TUNNEL_ACCESS_LIST
  221. access-list 105 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
  222. access-list 106 deny ip host <LOCAL PUBLIC> host <REMOTE WAN>
  223. access-list 106 deny ip any 172.16.254.0 0.0.0.3
  224. access-list 106 deny ip any 172.16.2.0 0.0.0.255
  225. access-list 106 permit udp any any range 9000 9094
  226. ipv6 route ::/0 Tunnel0
  227. ipv6 router rip process
  228. !
  229. !
  230. !
  231. !
  232. !
  233. route-map PBX permit 10
  234. match ip address 106
  235. !
  236. !
  237. snmp-server community test RO
  238. snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
  239. tftp-server flash:cnu41.2-7-5-50.sbn
  240. tftp-server flash:CVM41.2-0-1-45.sbn
  241. tftp-server flash:Jar41.2-9-1-45.sbn
  242. tftp-server flash:TERM41.7-0-2-0S.loads
  243. tftp-server flash:TERM61.DEFAULT.loads
  244. tftp-server flash:/term41.default.loads alias term41.default.loads
  245. tftp-server flash:/SCCP41.8-3-3S.loads alias SCCP41.8-3-3S.loads
  246. tftp-server flash:/cnu41.8-3-2-27.sbn alias cnu41.8-3-2-27.sbn
  247. tftp-server flash:/jar41sccp.8-3-2-27.sbn alias jar41sccp.8-3-2-27.sbn
  248. tftp-server flash:/apps41.8-3-2-27.sbn alias apps41.8-3-2-27.sbn
  249. tftp-server flash:/cvm41sccp.8-3-2-27.sbn alias cvm41sccp.8-3-2-27.sbn
  250. tftp-server flash:/dsp41.8-3-2-27.sbn alias dsp41.8-3-2-27.sbn
  251. tftp-server flash:SIP41.9-2-1S.loads alias SIP41.9-2-1S.loads
  252. tftp-server flash:SEP01001aa137efb8.cnf.xml alias SEP01001aa137efb8.cnf.xml
  253. tftp-server flash:jar41sip.9-2-1TH1-13.sbn alias jar41sip.9-2-1TH1-13.sbn
  254. tftp-server flash:cnu41.9-2-1TH1-13.sbn alias cnu41.9-2-1TH1-13.sbn
  255. tftp-server flash:apps41.9-2-1TH1-13.sbn alias apps41.9-2-1TH1-13.sbn
  256. tftp-server flash:dsp41.9-2-1TH1-13.sbn alias dsp41.9-2-1TH1-13.sbn
  257. tftp-server flash:cvm41sip.9-2-1TH1-13.sbn alias cvm41sip.9-2-1TH1-13.sbn
  258. tftp-server flash:SEP01001aa137efb8.cnf.xml alias SEP001AA137EFB8.cnf.xml
  259. tftp-server flash:SEP001AA137EFB8.cnf.xml alias SEP001AA137EFB8.cnf.xml
  260. tftp-server flash:DRdialplan.xml alias DRdialplan.xml
  261. tftp-server flash:XMLDefault.cnf.xml alias XMLDefault.cnf.xml
  262. tftp-server flash:/apps41.8-3-0-50.sbn alias apps41.8-3-0-50.sbn
  263. tftp-server flash:/cnu41.8-3-0-50.sbn alias cnu41.8-3-0-50.sbn
  264. tftp-server flash:/cvm41sip.8-3-0-50.sbn alias cvm41sip.8-3-0-50.sbn
  265. tftp-server flash:/dsp41.8-3-0-50.sbn alias dsp41.8-3-0-50.sbn
  266. tftp-server flash:/jar41sip.8-3-0-50.sbn alias jar41sip.8-3-0-50.sbn
  267. tftp-server flash:/SIP41.8-3-1S.loads alias SIP41.8-3-1S.loads
  268. !
  269. ipv6 access-list IPV6_TUNNEL_SEC_INBOUND
  270. deny ipv6 ::/3 any log
  271. deny ipv6 8000::/2 any log
  272. deny ipv6 C000::/3 any log
  273. deny ipv6 E000::/4 any log
  274. deny ipv6 F000::/5 any log
  275. deny ipv6 F800::/6 any log
  276. deny ipv6 FC00::/7 any log
  277. deny ipv6 FE00::/8 any log
  278. deny ipv6 FF00::/8 any log
  279. permit icmp any any time-exceeded
  280. permit icmp any any packet-too-big
  281. permit icmp any any echo-request
  282. permit icmp any any echo-reply
  283. permit ipv6 any any
  284. !
  285. control-plane
  286. !
  287. !
  288. banner login ^C
  289.  
  290. -------------------------------------------------------------------------------
  291. UNAUTHORIZED ACCESS STRICTLY AND LEGALLY PROHIBITED
  292.  
  293. You must have explicit authorized permission to access
  294. or modify this device in any way.
  295.  
  296. Unauthorized access, or attempted access, may result
  297. in civil or criminal action.
  298.  
  299. All activities are logged and monitored.
  300.  
  301. -------------------------------------------------------------------------------
  302.  
  303. ^C
  304. !
  305. line con 0
  306. logging synchronous
  307. line aux 0
  308. line vty 0 4
  309. access-class ALLOW_SSH in
  310. exec-timeout 30 0
  311. logging synchronous
  312. login local
  313. transport input ssh
  314. line vty 5 807
  315. access-class ALLOW_SSH in
  316. exec-timeout 30 0
  317. logging synchronous
  318. login local
  319. transport input ssh
  320. !
  321. scheduler allocate 20000 1000
  322. end