- ! Global services, logging and AAA settings for router TRN-01 (IOS 12.4).
- !
- version 12.4
- service timestamps debug datetime msec
- service timestamps log datetime msec
- ! NOTE(review): service password-encryption only applies the reversible type 7
- ! encoding to stored passwords, so a copy of this config must still be handled
- ! as if it held cleartext secrets. The username lines are snipped from this
- ! listing; whether they use "secret" rather than "password" cannot be confirmed.
- service password-encryption
- !
- hostname TRN-01
- !
- boot-start-marker
- boot-end-marker
- !
- logging message-counter syslog
- ! NOTE(review): the local log buffer is disabled and no remote syslog host
- ! appears in this listing, so the "log" keywords on the ACL entries further
- ! down have no persistent destination unless one was snipped.
- no logging buffered
- !
- ! AAA is off; the vty lines at the end of the config use "login local".
- no aaa new-model
- dot11 syslog
- ! NOTE(review): IP source routing is left enabled; common hardening baselines
- ! turn it off with "no ip source-route".
- ip source-route
- !
- !
- ! DHCP service for the WIFI pool, followed by global IPv4/IPv6 forwarding settings.
- no ip dhcp use vrf connected
- ip dhcp excluded-address 172.16.1.10
- ip dhcp excluded-address 172.16.1.4
- ip dhcp excluded-address 172.16.1.6
- ! NOTE(review): .26 and .28 are excluded but .27 is not, while "ip local pool
- ! test" later in this config spans 172.16.1.26-172.16.1.28. A single range
- ! exclusion (172.16.1.26 172.16.1.28) would keep DHCP from leasing .27 as well.
- ip dhcp excluded-address 172.16.1.26
- ip dhcp excluded-address 172.16.1.28
- !
- ! Pool for 172.16.1.0/27. Options 150 and 66 hand clients a TFTP server
- ! address; 172.16.1.1 is this router (FastEthernet0/0.100), which serves the
- ! files listed under the tftp-server commands. TFTP has no authentication.
- ip dhcp pool WIFI
- network 172.16.1.0 255.255.255.224
- domain-name emrlab.info
- dns-server 208.67.222.222
- default-router 172.16.1.1
- option 150 ip 172.16.1.1
- option 66 ip 172.16.1.1
- !
- !
- ip cef
- no ip domain lookup
- ip domain name emrlab.info
- ipv6 unicast-routing
- ipv6 cef
- !
- <CRYPTO CERTIFICATES FOR SSH AND SO ON SNIPPED>
- !
- <USERNAME INFO SNIPPED>
- !
- !
- ! IKE phase 1 policy, the IPsec transform set and profile used by Tunnel1,
- ! and the SSH server settings.
- ! NOTE(review): 3DES, MD5 and DH group 2 (1024-bit) are legacy choices. Where
- ! the image and the remote peer support it, prefer AES with a SHA-2 hash and a
- ! larger DH group, changed on both ends together.
- crypto isakmp policy 1
- encr 3des
- hash md5
- authentication pre-share
- group 2
- ! The pre-shared key is tied to one peer address (both values redacted in this paste).
- crypto isakmp key <SECRET-KEY-SNIPPED> address <REMOTE WAN IP>
- crypto isakmp invalid-spi-recovery
- crypto isakmp nat keepalive 20
- !
- !
- ! NOTE(review): ESP also uses 3DES with HMAC-MD5, in transport mode. The
- ! profile below sets an 86400-second SA lifetime and shows no "set pfs" line;
- ! a shorter lifetime and PFS are worth adding when the ciphers are upgraded.
- crypto ipsec transform-set TS esp-3des esp-md5-hmac
- mode transport
- !
- crypto ipsec profile protect-gre
- set security-association lifetime seconds 86400
- set transform-set TS
- !
- !
- !
- !
- ! SSH server: version 2 only, 60-second negotiation timeout, 5 authentication retries.
- ip ssh time-out 60
- ip ssh authentication-retries 5
- ip ssh version 2
- !
- !
- !
- ! Tunnel0: IPv6-in-IPv4 (tunnel mode ipv6ip) to the Hurricane Electric broker.
- ! Inbound IPv6 is filtered by IPV6_TUNNEL_SEC_INBOUND.
- ! NOTE(review): INBOUND_WAN has no explicit entry for IP protocol 41 from
- ! 209.51.181.2, so this tunnel depends on that ACL's closing
- ! "permit ip any any". Add an explicit permit before tightening the WAN ACL.
- interface Tunnel0
- description Hurricane Electric IPv6 Tunnel Broker
- no ip address
- ipv6 address <GLOBAL IPV6>::2/64
- ipv6 enable
- ipv6 traffic-filter IPV6_TUNNEL_SEC_INBOUND in
- tunnel source <LOCAL PUBLIC>
- tunnel destination 209.51.181.2
- tunnel mode ipv6ip
- !
- ! Tunnel1: site-to-site tunnel to <REMOTE WAN>. No tunnel mode line is shown
- ! (the IOS default is GRE); traffic is protected by IPsec profile protect-gre.
- interface Tunnel1
- ip address 172.16.254.9 255.255.255.252
- tunnel source <LOCAL PUBLIC>
- tunnel destination <REMOTE WAN>
- tunnel protection ipsec profile protect-gre
- !
- ! Physical interfaces: FastEthernet0/0 is the LAN trunk carrying 802.1Q
- ! subinterfaces (one /27 each), FastEthernet0/1 is the WAN uplink, and
- ! Serial0/1/0 is shut down.
- interface FastEthernet0/0
- no ip address
- duplex auto
- speed auto
- !
- ! ACL 101 (HTTP/HTTPS restriction towards 172.16.1.1) is applied inbound on
- ! .32, .64 and .128 only.
- ! NOTE(review): it is not applied on .66, .96 or .100, and it matches only the
- ! destination 172.16.1.1, so HTTPS requests to the router's other interface
- ! addresses are not covered by it.
- ! NOTE(review): unlike the other subinterfaces, .32 has no "ip nat inside";
- ! confirm that this is intentional.
- interface FastEthernet0/0.32
- encapsulation dot1Q 32
- ip address 172.16.1.33 255.255.255.224
- ip access-group 101 in
- !
- interface FastEthernet0/0.64
- encapsulation dot1Q 64
- ip address 172.16.1.65 255.255.255.224
- ip access-group 101 in
- ip nat inside
- ip virtual-reassembly
- !
- ! Dual-stack VLAN: the only subinterface with IPv6 addressing and RIPng.
- interface FastEthernet0/0.66
- encapsulation dot1Q 66
- ip address 172.16.1.161 255.255.255.224
- ip nat inside
- ip virtual-reassembly
- ipv6 address FE80:A11::1 link-local
- ipv6 address <IPV6>/48
- ipv6 enable
- ipv6 rip process enable
- ipv6 rip process default-information only
- !
- interface FastEthernet0/0.96
- encapsulation dot1Q 96
- ip address 172.16.1.97 255.255.255.224
- ip nat inside
- ip virtual-reassembly
- !
- ! 172.16.1.1 is the default router and TFTP address handed out by DHCP pool WIFI.
- interface FastEthernet0/0.100
- encapsulation dot1Q 100
- ip address 172.16.1.1 255.255.255.224
- ip nat inside
- ip virtual-reassembly
- !
- interface FastEthernet0/0.128
- encapsulation dot1Q 128
- ip address 172.16.1.129 255.255.255.224
- ip access-group 101 in
- ip nat inside
- ip virtual-reassembly
- !
- ! WAN uplink: address learned by DHCP, INBOUND_WAN applied inbound, NAT
- ! outside, CDP disabled.
- ! NOTE(review): "no ip redirects", "no ip unreachables" and "no ip proxy-arp"
- ! are not shown here; they are commonly added on an Internet-facing port.
- interface FastEthernet0/1
- ip address dhcp client-id FastEthernet0/1
- ip access-group INBOUND_WAN in
- ip nat outside
- ip virtual-reassembly
- duplex auto
- speed auto
- no cdp enable
- !
- interface Serial0/1/0
- no ip address
- shutdown
- !
- ! OSPF process 1, a local address pool, a floating static route and the
- ! HTTP/HTTPS server switches.
- ! NOTE(review): only the WAN port is passive and no OSPF authentication is
- ! shown, so hellos are sent on every LAN subinterface matched by the network
- ! statements. "passive-interface default" with "no passive-interface Tunnel1",
- ! plus OSPF authentication, would limit adjacencies to the tunnel peer.
- ! 172.16.1.0 0.0.0.255 already includes 172.16.1.160/27, so the first network
- ! statement is redundant.
- router ospf 1
- log-adjacency-changes
- passive-interface FastEthernet0/1
- network 172.16.1.160 0.0.0.31 area 0
- network 172.16.1.0 0.0.0.255 area 0
- network 172.16.254.8 0.0.0.3 area 0
- !
- ip local pool test 172.16.1.26 172.16.1.28
- ip forward-protocol nd
- ! Static route to the remote LAN over Tunnel1 with administrative distance 115,
- ! which is higher than OSPF's 110, so an OSPF-learned route is preferred.
- ip route 172.16.2.0 255.255.255.0 Tunnel1 115
- ! Plain HTTP is off; HTTPS is on and authenticates against local users.
- ! NOTE(review): no "ip http access-class" is shown, so the HTTPS server is
- ! limited only by the interface ACLs, which do not cover every interface.
- no ip http server
- ip http authentication local
- ip http secure-server
- !
- !
- ! NAT: a port map for the PBX, overload (PAT) for ACL 1 sources, and static
- ! port forwards from the WAN address to inside hosts.
- ip nat portmap PBX
- appl udp-rtp startport 8960 size 192
- no ip nat create flow-entries
- no ip nat service allow-sip-even-rtp-port
- ! Forwards bound to whatever address FastEthernet0/1 currently holds.
- ip nat inside source static tcp 172.16.1.10 12000 interface FastEthernet0/1 12000
- ip nat inside source static tcp 172.16.1.130 11000 interface FastEthernet0/1 11000
- ip nat inside source static udp 172.16.1.130 11000 interface FastEthernet0/1 11000
- ! PAT for everything in ACL 1 (172.16.1.0/24).
- ip nat inside source list 1 interface FastEthernet0/1 overload
- ! NOTE(review): these entries publish SSH (22) on 172.16.1.107, RDP (3389) on
- ! 172.16.1.10 and SIP (5060/5090) on 172.16.1.131. Who can reach them is
- ! decided solely by INBOUND_WAN, which ends in "permit ip any any", so the
- ! per-source permits written there for 22 and 3389 do not restrict access.
- ip nat inside source static tcp 172.16.1.107 22 <LOCAL PUBLIC> 22 extendable
- ip nat inside source static tcp 172.16.1.10 3389 <LOCAL PUBLIC> 3389 extendable
- ip nat inside source static udp 172.16.1.131 5060 <LOCAL PUBLIC> 5060 extendable
- ip nat inside source static tcp 172.16.1.131 5090 <LOCAL PUBLIC> 5090 extendable
- ip nat inside source static udp 172.16.1.131 5090 <LOCAL PUBLIC> 5090 extendable
- ! Static translation for 172.16.1.131 conditioned on route-map PBX (ACL 106).
- ip nat inside source static 172.16.1.131 <LOCAL PUBLIC> route-map PBX
- !
- ! ALLOW_SSH: source filter referenced by "access-class" on the vty lines.
- ! Permits one redacted public address, 172.16.1.0/27 and 172.16.2.0/27;
- ! everything else falls to the implicit deny.
- ip access-list standard ALLOW_SSH
- permit <REMOTE PUBLIC> log
- permit 172.16.1.0 0.0.0.31
- permit 172.16.2.0 0.0.0.31 log
- !
- ! INBOUND_WAN: applied inbound on FastEthernet0/1.
- ! NOTE(review): the list ends with "permit ip any any", so its effective policy
- ! is "drop the listed ICMP types and bogon sources, allow everything else".
- ! The specific permits above the denies do not restrict anything. In
- ! particular, tcp/22 and tcp/3389 are written as allowed only from
- ! <REMOTE WAN>/<OTHER WAN> but are in fact open to any source. To enforce the
- ! intent, keep the explicit permits, add entries for return traffic (or use
- ! stateful inspection) and protocol 41 for Tunnel0, and close with a deny.
- ! NOTE(review): "permit udp any host <LOCAL PUBLIC> eq 3389" admits any source
- ! even if the closing permit is removed.
- ! NOTE(review): the entries matching host 172.16.1.131 use the inside address.
- ! By the IOS NAT order of operations an inbound ACL on the outside interface
- ! is evaluated before translation, so these presumably never match; check the
- ! hit counters with "show access-lists".
- ! NOTE(review): "169.254.0.0 0.0.0.255" covers only 169.254.0.0/24; the
- ! link-local block is a /16 (wildcard 0.0.255.255).
- ip access-list extended INBOUND_WAN
- permit udp any any eq bootps
- permit udp any any eq bootpc
- permit udp any host 172.16.1.131 eq 5060
- permit udp any host 172.16.1.131 eq 5090
- permit tcp any host 172.16.1.131 eq 5060
- permit udp any host 172.16.1.131 range 9000 9094
- permit icmp host 66.220.2.74 host <LOCAL PUBLIC>
- permit tcp host <REMOTE WAN> host <LOCAL PUBLIC> eq 22
- permit tcp host <REMOTE WAN> host <LOCAL PUBLIC> eq 3389
- permit tcp host <OTHER WAN> host <LOCAL PUBLIC> eq 3389
- permit icmp host <REMOTE WAN> host <LOCAL PUBLIC>
- permit udp host <REMOTE WAN> eq isakmp host <LOCAL PUBLIC> eq isakmp
- permit esp host <REMOTE WAN> host <LOCAL PUBLIC>
- permit udp any host <LOCAL PUBLIC> eq 3389
- permit udp any host <LOCAL PUBLIC> eq 11000
- permit tcp any host <LOCAL PUBLIC> eq 11000
- deny icmp any any echo
- deny icmp any any redirect
- deny icmp any any timestamp-request
- deny icmp any any information-request
- deny icmp any any mask-request
- deny ip 10.0.0.0 0.255.255.255 any
- deny ip 172.16.0.0 0.15.255.255 any
- deny ip 192.168.0.0 0.0.255.255 any
- deny ip 127.0.0.0 0.255.255.255 any
- deny ip 169.254.0.0 0.0.0.255 any
- permit ip any any
- !
- ! Numbered ACLs and the IPv6 default route.
- ! ACL 1: inside sources eligible for NAT overload (172.16.1.0/24).
- access-list 1 permit 172.16.1.0 0.0.0.255
- ! ACL 101: allow HTTP/HTTPS to 172.16.1.1 from 172.16.1.8 only, block it from
- ! everyone else, pass all other traffic.
- ! NOTE(review): 172.16.1.8 lies in 172.16.1.0/27, the subnet of
- ! FastEthernet0/0.100, where ACL 101 is not applied; on the subinterfaces that
- ! do apply it, the two permit entries are unlikely to match.
- access-list 101 permit tcp host 172.16.1.8 host 172.16.1.1 eq www log
- access-list 101 permit tcp host 172.16.1.8 host 172.16.1.1 eq 443 log
- access-list 101 deny tcp any host 172.16.1.1 eq www
- access-list 101 deny tcp any host 172.16.1.1 eq 443
- access-list 101 permit ip any any
- access-list 101 remark RESTRICT SDM ACCESS
- ! NOTE(review): ACL 105 is not referenced anywhere in this listing; it looks
- ! like a leftover from a crypto-map based VPN. Confirm and remove if unused.
- access-list 105 remark SITE_TO_SITE_VPN_TUNNEL_ACCESS_LIST
- access-list 105 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
- ! ACL 106: matched by route-map PBX. Excludes traffic to the VPN peer, the
- ! tunnel subnet and the remote LAN, then matches UDP ports 9000-9094.
- access-list 106 deny ip host <LOCAL PUBLIC> host <REMOTE WAN>
- access-list 106 deny ip any 172.16.254.0 0.0.0.3
- access-list 106 deny ip any 172.16.2.0 0.0.0.255
- access-list 106 permit udp any any range 9000 9094
- ! All IPv6 traffic without a more specific route leaves through Tunnel0.
- ipv6 route ::/0 Tunnel0
- ipv6 router rip process
- !
- !
- !
- !
- !
- ! Route-map used by the static NAT entry for 172.16.1.131, followed by SNMP
- ! and the TFTP file service for IP phones.
- route-map PBX permit 10
- match ip address 106
- !
- !
- ! NOTE(review): the read-only community "test" is easily guessed, has no ACL
- ! attached, and SNMP v1/v2c sends it in cleartext. INBOUND_WAN does not drop
- ! udp/161 either. Attach an ACL to the community (or move to SNMPv3 with
- ! auth/priv) and use a non-trivial string, or remove SNMP if it is unused.
- snmp-server community test RO
- snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
- ! NOTE(review): the router serves phone firmware, load files, a dial plan and
- ! per-phone SEP<MAC>.cnf.xml configuration over TFTP, which has no
- ! authentication. None of the entries carries an access-list argument, so the
- ! files can be requested from any network that reaches the router; INBOUND_WAN
- ! does not drop udp/69. Restrict the service to the voice VLAN.
- ! NOTE(review): several entries are duplicates or leftovers. The
- ! SEP01001aa137efb8 file is published twice and the alias
- ! SEP001AA137EFB8.cnf.xml is defined twice; older firmware trains (8-3-0-50,
- ! 8-3-2-27) are still exposed next to 9-2-1. Prune what the phones no longer load.
- tftp-server flash:cnu41.2-7-5-50.sbn
- tftp-server flash:CVM41.2-0-1-45.sbn
- tftp-server flash:Jar41.2-9-1-45.sbn
- tftp-server flash:TERM41.7-0-2-0S.loads
- tftp-server flash:TERM61.DEFAULT.loads
- tftp-server flash:/term41.default.loads alias term41.default.loads
- tftp-server flash:/SCCP41.8-3-3S.loads alias SCCP41.8-3-3S.loads
- tftp-server flash:/cnu41.8-3-2-27.sbn alias cnu41.8-3-2-27.sbn
- tftp-server flash:/jar41sccp.8-3-2-27.sbn alias jar41sccp.8-3-2-27.sbn
- tftp-server flash:/apps41.8-3-2-27.sbn alias apps41.8-3-2-27.sbn
- tftp-server flash:/cvm41sccp.8-3-2-27.sbn alias cvm41sccp.8-3-2-27.sbn
- tftp-server flash:/dsp41.8-3-2-27.sbn alias dsp41.8-3-2-27.sbn
- tftp-server flash:SIP41.9-2-1S.loads alias SIP41.9-2-1S.loads
- tftp-server flash:SEP01001aa137efb8.cnf.xml alias SEP01001aa137efb8.cnf.xml
- tftp-server flash:jar41sip.9-2-1TH1-13.sbn alias jar41sip.9-2-1TH1-13.sbn
- tftp-server flash:cnu41.9-2-1TH1-13.sbn alias cnu41.9-2-1TH1-13.sbn
- tftp-server flash:apps41.9-2-1TH1-13.sbn alias apps41.9-2-1TH1-13.sbn
- tftp-server flash:dsp41.9-2-1TH1-13.sbn alias dsp41.9-2-1TH1-13.sbn
- tftp-server flash:cvm41sip.9-2-1TH1-13.sbn alias cvm41sip.9-2-1TH1-13.sbn
- tftp-server flash:SEP01001aa137efb8.cnf.xml alias SEP001AA137EFB8.cnf.xml
- tftp-server flash:SEP001AA137EFB8.cnf.xml alias SEP001AA137EFB8.cnf.xml
- tftp-server flash:DRdialplan.xml alias DRdialplan.xml
- tftp-server flash:XMLDefault.cnf.xml alias XMLDefault.cnf.xml
- tftp-server flash:/apps41.8-3-0-50.sbn alias apps41.8-3-0-50.sbn
- tftp-server flash:/cnu41.8-3-0-50.sbn alias cnu41.8-3-0-50.sbn
- tftp-server flash:/cvm41sip.8-3-0-50.sbn alias cvm41sip.8-3-0-50.sbn
- tftp-server flash:/dsp41.8-3-0-50.sbn alias dsp41.8-3-0-50.sbn
- tftp-server flash:/jar41sip.8-3-0-50.sbn alias jar41sip.8-3-0-50.sbn
- tftp-server flash:/SIP41.8-3-1S.loads alias SIP41.8-3-1S.loads
- !
- ! IPV6_TUNNEL_SEC_INBOUND: applied inbound on Tunnel0. Drops and logs packets
- ! whose source lies in the listed non-global-unicast ranges, then permits
- ! the rest.
- ! NOTE(review): the closing "permit ipv6 any any" makes the four ICMP permits
- ! redundant and admits every unsolicited inbound connection from global
- ! sources. There is no NAT on the IPv6 path, so hosts on the dual-stack VLAN
- ! are directly reachable. Explicit permits with a closing deny, or stateful
- ! IPv6 inspection, would restore a default-deny posture.
- ! NOTE(review): the source denies cover ::/3 and 8000::/2 upwards but leave
- ! 4000::/2 unlisted; add it if the intent is to accept only 2000::/3 sources.
- ipv6 access-list IPV6_TUNNEL_SEC_INBOUND
- deny ipv6 ::/3 any log
- deny ipv6 8000::/2 any log
- deny ipv6 C000::/3 any log
- deny ipv6 E000::/4 any log
- deny ipv6 F000::/5 any log
- deny ipv6 F800::/6 any log
- deny ipv6 FC00::/7 any log
- deny ipv6 FE00::/8 any log
- deny ipv6 FF00::/8 any log
- permit icmp any any time-exceeded
- permit icmp any any packet-too-big
- permit icmp any any echo-request
- permit icmp any any echo-reply
- permit ipv6 any any
- !
- ! Control plane, login banner and terminal lines.
- ! NOTE(review): the control-plane stanza is empty, so no control-plane
- ! policing is configured.
- control-plane
- !
- !
- ! NOTE(review): the banner delimiter character is not visible in this paste,
- ! and the text contains the typo "Unuathorized". The banner also states that
- ! all activity is logged, while no log buffer or syslog host is configured
- ! in this listing.
- banner login
- -------------------------------------------------------------------------------
- UNAUTHORIZED ACCESS STRICTLY AND LEGALLY PROHIBITED
- You must have explicit authorized permission to access
- or modify this device in any way.
- Unuathorized access, or attempt of access may result
- in civil or criminal action.
- All activities are logged and monitored.
- -------------------------------------------------------------------------------
- !
- ! NOTE(review): "line con 0" and "line aux 0" show no login method or
- ! exec-timeout; with AAA off the console presumably gives access without
- ! credentials. Consider "login local" on the console and disabling exec on
- ! the aux port if it is unused.
- ! All vty lines (0-4 and 5-807) accept SSH only, authenticate against local
- ! users, are limited to ALLOW_SSH sources and time out after 30 idle minutes.
- line con 0
- logging synchronous
- line aux 0
- line vty 0 4
- access-class ALLOW_SSH in
- exec-timeout 30 0
- logging synchronous
- login local
- transport input ssh
- line vty 5 807
- access-class ALLOW_SSH in
- exec-timeout 30 0
- logging synchronous
- login local
- transport input ssh
- !
- scheduler allocate 20000 1000
- end