Mamba6

WAN-GATEWAY-CONFIG

Mar 6th, 2017
  1. !
  ! NOTE(review): Cisco IOS running-config (version 15.2) as pasted; secrets, usernames and the
  ! boot image name appear as <omitted>/<...> placeholders, so credential strength cannot be judged here.
  2. ! Last configuration change at 19:24:03 UTC Sat Mar 4 2017 by <is-admin>
  3. upgrade fpd auto
  4. version 15.2
  5. no service pad
  6. service timestamps debug datetime msec
  7. service timestamps log datetime msec
  ! NOTE(review): with password-encryption off, any 'password'-style credential (line passwords,
  ! 'username ... password', pre-shared keys) sits in the config in clear text and is exposed by a
  ! paste like this one. 'enable secret' is hashed regardless of this knob. 'service password-encryption'
  ! only applies reversible type-7 obfuscation; prefer 'username ... secret' for local accounts.
  8. no service password-encryption
  9. !
  10. hostname WAN-GATEWAY
  11. !
  12. boot-start-marker
  13. boot system flash <adventerprisek9-mz.152-4.M11.bin>
  14. boot-end-marker
  15. !
  16. !
  ! NOTE(review): local buffer only - no 'logging host' appears in this paste, so the login
  ! failure/success events configured further down are lost on reload; forward them to a collector.
  17. logging buffered 326768
  ! NOTE(review): type 5 is a salted MD5 hash; if the config leaks, offline guessing of a weak
  ! enable password is cheap, so keep it long and random.
  18. enable secret 5 <omitted>
  19. !
  20. aaa new-model
  21. !
  22. !
  ! NOTE(review): the banner delimiter characters (e.g. ^C) look stripped by the paste; the body
  ! below is a placeholder. Keep the production banner free of hostnames/owner details.
  23. aaa authentication banner 
  24.  
  25. ##############################################################
  26. ##### */BANNER TEXT*/ #####
  27. ##############################################################
  28.  
  29. 
  30. aaa authentication password-prompt PASSWORD:
  31. aaa authentication username-prompt USERNAME:
  32. aaa authentication login default local
  ! NOTE(review): SSLVPN-AAA is declared but no 'aaa authentication list SSLVPN-AAA' appears under
  ! either webvpn context later in this config, so the SSL VPN presumably falls back to the
  ! 'default' list (also local) - confirm, or bind the list in the context.
  33. aaa authentication login SSLVPN-AAA local
  34. aaa authentication enable default enable
  35. !
  36. !
  37. !
  38. !
  39. !
  40. aaa session-id common
  41. !
  42. !
  43. !
  ! NOTE(review): the router is the DHCP server for VLANs 210/220/230/240 (reached via 10.0.0.254,
  ! see the static routes below); exclusions reserve the low/high addresses of each pool.
  44. ip dhcp excluded-address 10.0.210.1 10.0.210.5
  45. ip dhcp excluded-address 10.0.210.250 10.0.210.254
  46. ip dhcp excluded-address 10.0.220.1 10.0.220.5
  47. ip dhcp excluded-address 10.0.220.250 10.0.220.254
  48. ip dhcp excluded-address 10.0.240.1 10.0.240.5
  49. ip dhcp excluded-address 10.0.240.250 10.0.240.254
  50. ip dhcp excluded-address 10.0.0.1 10.0.0.100
  51. ip dhcp excluded-address 10.0.110.0 10.0.110.255
  52. ip dhcp excluded-address 10.0.230.0 10.0.230.199
  53. ip dhcp excluded-address 10.0.230.250 10.0.230.255
  54. !
  55. ip dhcp pool VLAN210-POOL
  56. network 10.0.210.0 255.255.255.0
  57. default-router 10.0.210.1
  ! NOTE(review): 4.4.4.4 is not a documented public resolver (Google's pair is 8.8.8.8/8.8.4.4) -
  ! likely a typo, repeated in every pool. Also, clients placed in 'ad.example.com' normally need the
  ! internal AD DNS servers, not public resolvers - confirm this is intended.
  58. dns-server 8.8.8.8 4.4.4.4
  59. domain-name ad.example.com
  60. !
  61. ip dhcp pool VLAN220-POOL
  62. network 10.0.220.0 255.255.255.0
  63. default-router 10.0.220.1
  64. dns-server 8.8.8.8 4.4.4.4
  65. domain-name ad.example.com
  66. !
  67. ip dhcp pool VLAN240-POOL
  68. network 10.0.240.0 255.255.255.0
  69. default-router 10.0.240.1
  70. dns-server 8.8.8.8 4.4.4.4
  71. domain-name ad.example.com
  72. !
  73. ip dhcp pool VLAN230-POOL
  74. network 10.0.230.0 255.255.255.0
  75. dns-server 8.8.8.8 4.4.4.4
  76. domain-name ad.example.com
  77. default-router 10.0.230.1
  78. !
  79. !
  80. !
  81. no ip domain lookup
  82. ip domain name ad.example.com
  83. ip cef
  ! NOTE(review): after 3 failed logins within 60 s the router enters a 60 s quiet period in which
  ! all further logins on the affected lines are refused; with no 'login quiet-mode access-class'
  ! here, an authorised operator is locked out too for that minute - acceptable, but be aware of it.
  84. login block-for 60 attempts 3 within 60
  ! NOTE(review): only every third failure produces a syslog message; 'login on-failure log' (no
  ! 'every') gives the detection side every attempt.
  85. login on-failure log every 3
  86. login on-success log
  ! NOTE(review): IPv6 forwarding is enabled and Gi0/0 takes an IPv6 address, yet no IPv6 access-list
  ! appears anywhere in this paste - see the firewall section for the implication.
  87. ipv6 unicast-routing
  88. ipv6 cef
  89. !
  90. !
  91. multilink bundle-name authenticated
  92. !
  93. !
  94. !
  95. !
  96. !
  97. !
  98. !
  ! NOTE(review): self-signed certificate used by the SSL VPN gateway. AnyConnect users will see a
  ! trust warning on every connection and learn to click through it; a certificate from an
  ! internally trusted CA removes that habit.
  99. crypto pki trustpoint SSL-VPN-CERT
  100. enrollment selfsigned
  101. subject-name CN=WAN-GATEWAY.AD.EXAMPLE.COM
  ! NOTE(review): a self-signed certificate has no CRL to fetch; 'revocation-check none' is the usual
  ! setting for a selfsigned trustpoint - presumably harmless here, confirm it never stalls validation.
  102. revocation-check crl
  103. rsakeypair SSL-VPN-KEY
  104. !
  105. !
  106. crypto pki certificate chain SSL-VPN-CERT
  107. certificate self-signed 03 nvram:WAN-GATEWAYa#3.cer
  ! NOTE(review): the local accounts are redacted, so privilege level and whether they use
  ! 'secret' (hashed) or 'password' (clear text given 'no service password-encryption') cannot be
  ! checked here - verify on the device.
  108. username <omitted>
  109. username <omitted>
  110. !
  111. !
  112. controller ISA 1/1
  113. !
  ! NOTE(review): SSHv2 only - good. No 'ip ssh time-out'/'ip ssh authentication-retries' lines and
  ! no RSA modulus size are visible in this paste; defaults apply.
  114. ip ssh version 2
  115. !
  ! NOTE(review): zone-based firewall. The class-maps below are built on IPv4 named ACLs; with
  ! 'ipv6 address dhcp' on the Untrusted interface, IPv6 traffic cannot match those ACL classes -
  ! confirm what policy IPv6 to/through the router actually receives.
  116. class-map type inspect match-any DHCP-SERVER-CMAP
  117. match access-group name ACL-DHCP-SERVER
  118. class-map type inspect match-any ALL-TRAFFIC-CMAP
  119. match protocol udp
  120. match protocol tcp
  121. match protocol icmp
  122. class-map type inspect match-any DHCP-CLIENT-CMAP
  123. match access-group name ACL-DHCP-CLIENT
  124. class-map type inspect match-all ED-ACCESS-CMAP
  125. match protocol udp
  126. match access-group name ACL-PERMIT-ED
  127. class-map type inspect match-all SSL-VPN-CMAP
  128. match access-group name ACL-VPN-ACCESS
  129. class-map type inspect match-any SSH-CLIENT-CMAP
  130. match access-group name ACL-SSH-CLIENT
  131. !
  ! NOTE(review): Internet -> router itself. SSL-VPN-CMAP (tcp 80/443 from any source) is what the
  ! webvpn gateway needs. SSH-CLIENT-CMAP admits tcp/22 from ANY Untrusted source to the router;
  ! the vty 'access-class TERM-CONN in' (10/8 only) is then the only thing refusing WAN-side SSH
  ! attempts. Unless SSH from the WAN is required, drop this class or restrict ACL-SSH-CLIENT by source.
  132. policy-map type inspect UNTRUSTED-TO-SELF-PMAP
  133. class type inspect SSL-VPN-CMAP
  134. inspect
  ! NOTE(review): 'pass' (not 'inspect') for DHCP replies to the router's own DHCP client on Gi0/0.
  135. class type inspect DHCP-SERVER-CMAP
  136. pass
  137. class type inspect SSH-CLIENT-CMAP
  138. inspect
  ! NOTE(review): 'drop' without 'log' - 'drop log' on the Untrusted-facing pairs gives visibility
  ! into WAN-side scanning at the cost of some log volume.
  139. class class-default
  140. drop
  ! NOTE(review): LAN -> Internet: anything tcp/udp/icmp is inspected, everything else (GRE, ESP, ...)
  ! is dropped. The same policy is re-used for the Trusted -> Trusted pair below.
  141. policy-map type inspect TRUSTED-TO-UNTRUSTED-PMAP
  142. class type inspect ALL-TRAFFIC-CMAP
  143. inspect
  144. class class-default
  145. drop
  146. policy-map type inspect SELF-TO-UNTRUSTED-PMAP
  147. class type inspect DHCP-CLIENT-CMAP
  148. inspect
  149. class type inspect ALL-TRAFFIC-CMAP
  150. inspect
  151. class class-default
  152. drop
  ! NOTE(review): Internet -> LAN: only udp/5100 (the static NAT to 10.0.210.250 below) is let in.
  153. policy-map type inspect UNTRUSTED-TO-TRUSTED-PMAP
  154. class type inspect ED-ACCESS-CMAP
  155. inspect
  156. class class-default
  157. drop
  158. !
  159. zone security Trusted
  160. description INSIDE-LAN-NETWORK
  161. zone security Untrusted
  162. description OUTSIDE-WAN-NETWORK
  163. zone-pair security UNTRUSTED-TO-TRUSTED-ZP source Untrusted destination Trusted
  164. service-policy type inspect UNTRUSTED-TO-TRUSTED-PMAP
  165. zone-pair security TRUSTED-TO-UNTRUSTED-ZP source Trusted destination Untrusted
  166. service-policy type inspect TRUSTED-TO-UNTRUSTED-PMAP
  167. zone-pair security SELF-TO-UNTRUSTED-ZP source self destination Untrusted
  168. service-policy type inspect SELF-TO-UNTRUSTED-PMAP
  169. zone-pair security UNTRUSTED-TO-SELF-ZP source Untrusted destination self
  170. service-policy type inspect UNTRUSTED-TO-SELF-PMAP
  ! NOTE(review): intra-zone pair covering Gi0/1, Gi0/2 and Virtual-Template1 (all Trusted), i.e.
  ! SSL VPN clients <-> LAN. Only tcp/udp/icmp passes; anything else between Trusted interfaces hits
  ! class-default drop - confirm that is intended. No Trusted <-> self pair exists, so LAN hosts and
  ! VPN clients reach the router's management plane unfiltered by the firewall (the vty ACL still applies).
  171. zone-pair security TRUSTED source Trusted destination Trusted
  172. service-policy type inspect TRUSTED-TO-UNTRUSTED-PMAP
  173. !
  174. !
  ! NOTE(review): AnyConnect web-deploy package served by the webvpn gateway; keep it current.
  175. crypto vpn anyconnect disk0:/webvpn/anyconnect-win-4.4.00243-webdeploy-k9.pkg sequence 1
  176. !
  177. !
  178. !
  179. !
  180. !
  181. !
  182. !
  183. !
  184. !
  ! NOTE(review): Loopback0 carries the SSL-VPN-POOL subnet (10.1.50.0/24, see 'ip local pool'
  ! below) but is shut down, so that /24 is not a connected route; clients get /32 routes from the
  ! pool. The LAN core (10.0.0.254) must route 10.1.50.0/24 back to 10.0.0.2 - not verifiable here.
  185. interface Loopback0
  186. ip address 10.1.50.1 255.255.255.0
  187. shutdown
  188. !
  ! NOTE(review): unnumbered source for Virtual-Template1.
  189. interface Loopback1
  190. ip address 172.16.31.255 255.255.255.255
  191. !
  192. interface GigabitEthernet0/0
  193. description LINK TO INTERNET
  ! NOTE(review): WAN address and default gateway come from the ISP via DHCP; see the two default
  ! routes further down.
  194. ip address dhcp
  195. ip nat outside
  196. ip virtual-reassembly in
  197. zone-member security Untrusted
  ! NOTE(review): 'no ip route-cache' forces process switching on this interface despite 'ip cef'
  ! being enabled globally - a throughput cost, presumably left over from troubleshooting.
  198. no ip route-cache
  199. duplex auto
  200. speed auto
  201. media-type rj45
  202. no negotiation auto
  ! NOTE(review): the router takes a globally reachable IPv6 address on the WAN side; nothing in
  ! this paste filters IPv6 explicitly - verify the zone policy covers it.
  203. ipv6 address dhcp
  204. !
  205. interface GigabitEthernet0/1
  206. description LINK TO LAN CORE
  207. ip address 10.0.0.2 255.255.255.0
  208. ip nat inside
  209. ip virtual-reassembly in
  210. zone-member security Trusted
  211. no ip route-cache
  212. duplex auto
  213. speed auto
  214. media-type gbic
  215. negotiation auto
  216. !
  ! NOTE(review): shut down, but already 'nat inside' and Trusted; anyone who enables the port gets
  ! an unfiltered inside port. Fine if intended, otherwise remove the zone/NAT membership.
  217. interface GigabitEthernet0/2
  218. description DISABLED
  219. no ip address
  220. ip nat inside
  221. ip virtual-reassembly in
  222. zone-member security Trusted
  223. no ip route-cache
  224. shutdown
  225. duplex auto
  226. speed auto
  227. media-type rj45
  228. no negotiation auto
  229. !
  ! NOTE(review): SSL VPN clients land in the Trusted zone, so toward the LAN they are only subject
  ! to the Trusted -> Trusted pair, and toward the router itself to no firewall policy at all.
  ! TERM-CONN (10/8) also admits the VPN pool to the vty lines - confirm that is the intent.
  230. interface Virtual-Template1
  231. ip unnumbered Loopback1
  232. zone-member security Trusted
  233. !
  ! NOTE(review): 10.1.50.100-200 is outside every range in 'access-list 99' (the NAT ACL). With no
  ! 'svc split include' under the webvpn policy group in this paste, VPN clients appear to be
  ! full-tunnel, and their Internet-bound traffic would leave Gi0/0 untranslated - confirm.
  234. ip local pool SSL-VPN-POOL 10.1.50.100 10.1.50.200
  235. ip forward-protocol nd
  ! NOTE(review): clear-text HTTP management server with local authentication. If nothing depends on
  ! it (the webvpn gateway's own 'http-redirect port 80' may or may not), disable it; at minimum
  ! apply 'ip http access-class' with the same management ACL as the vty lines.
  236. ip http server
  237. ip http authentication local
  ! NOTE(review): the HTTPS management UI listens on all interfaces; UNTRUSTED-TO-SELF already admits
  ! tcp/443 from anywhere for the VPN gateway. Whether the gateway or this server answers on Gi0/0's
  ! address is not verifiable from the config - restrict with 'ip http access-class' regardless.
  238. ip http secure-server
  239. ip http timeout-policy idle 600 life 86400 requests 10000
  240. !
  241. !
  242. ip nat inside source list 99 interface GigabitEthernet0/0 overload
  ! NOTE(review): WAN-side SSH forward to 10.0.0.2 is commented out - good; note that the firewall's
  ! SSH-CLIENT-CMAP still lets tcp/22 reach the router itself.
  243. !ip nat inside source static tcp 10.0.0.2 22 interface GigabitEthernet0/0 22
  ! NOTE(review): the only inbound port-forward; paired with ED-ACCESS-CMAP/ACL-PERMIT-ED above.
  244. ip nat inside source static udp 10.0.210.250 5100 interface GigabitEthernet0/0 5100
  ! NOTE(review): two default routes. This interface-only route (AD 1) wins over the DHCP-derived
  ! one (AD 254) and, on an Ethernet interface, makes the router ARP for every Internet destination
  ! and rely on upstream proxy-ARP. The 'dhcp' route already supplies the real next hop; consider
  ! removing this line.
  245. ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
  246. ip route 10.0.210.0 255.255.255.0 GigabitEthernet0/1 10.0.0.254
  247. ip route 10.0.220.0 255.255.255.0 GigabitEthernet0/1 10.0.0.254
  248. ip route 10.0.230.0 255.255.255.0 GigabitEthernet0/1 10.0.0.254
  249. ip route 10.0.240.0 255.255.255.0 GigabitEthernet0/1 10.0.0.254
  250. ip route 10.0.110.0 255.255.255.0 GigabitEthernet0/1 10.0.0.254
  251. ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
  252. !
  ! NOTE(review): split-tunnel list covering every internal network, but nothing in this paste
  ! references it ('svc split include acl SSL-SPLIT-TUN' is absent from the policy group) - either
  ! apply it or remove it.
  253. ip access-list standard SSL-SPLIT-TUN
  254. permit 10.0.210.0 0.0.0.255
  255. permit 10.0.220.0 0.0.0.255
  256. permit 10.0.230.0 0.0.0.255
  257. permit 10.0.240.0 0.0.0.255
  258. permit 10.0.110.0 0.0.0.255
  259. permit 10.0.0.0 0.0.0.255
  ! NOTE(review): management sources for the vty lines: all of 10/8, which includes every user VLAN
  ! and the VPN pool. A dedicated management subnet would be tighter.
  260. ip access-list standard TERM-CONN
  261. permit 10.0.0.0 0.255.255.255
  262. !permit 172.16.0.0 0.15.255.255
  263. !permit 192.168.0.0 0.0.255.255
  264. deny any
  265. !
  ! NOTE(review): DHCP helper ACLs for the router's own DHCP client on Gi0/0: requests out to
  ! bootps (SELF-TO-UNTRUSTED), replies back to bootpc (UNTRUSTED-TO-SELF, 'pass'). The names read
  ! as inverted relative to the direction but map consistently to the policy-maps.
  266. ip access-list extended ACL-DHCP-CLIENT
  267. permit udp any any eq bootps
  268. ip access-list extended ACL-DHCP-SERVER
  269. permit udp any any eq bootpc
  ! NOTE(review): matches the single udp/5100 port-forward to 10.0.210.250; 'any any' is wider than
  ! needed - narrow the destination if the inspect sees the post-NAT address (confirm on the device).
  270. ip access-list extended ACL-PERMIT-ED
  271. permit udp any any eq 5100
  ! NOTE(review): despite the name this admits tcp/22 INTO the router from the Untrusted zone, from
  ! any source. Restrict the source or remove the class from UNTRUSTED-TO-SELF-PMAP.
  272. ip access-list extended ACL-SSH-CLIENT
  273. permit tcp any any eq 22
  ! NOTE(review): SSL VPN gateway ports; 80 only serves the http-redirect.
  274. ip access-list extended ACL-VPN-ACCESS
  275. permit tcp any any eq www
  276. permit tcp any any eq 443
  277. !
  ! NOTE(review): NAT source list. 10.0.0.0/16 here vs 10/8 in TERM-CONN; the SSL VPN pool
  ! (10.1.50.0/24) is in neither NAT range.
  278. access-list 99 permit 10.0.0.0 0.0.255.255
  279. access-list 99 permit 172.16.0.0 0.15.255.255
  280. access-list 99 permit 192.168.0.0 0.0.255.255
  281. access-list 99 deny any
  282. !
  283. !
  284. !
  285. !
  286. !
  287. !
  ! NOTE(review): no CoPP 'service-policy input' is attached here; the zone-based firewall is the
  ! only protection for the router's own control plane.
  288. control-plane
  289. !
  290. !
  291. !
  ! NOTE(review): voice features (mgcp, gatekeeper) are defaults/shut and unused by this config.
  292. mgcp profile default
  293. !
  294. !
  295. !
  296. gatekeeper
  297. shutdown
  298. !
  299. !
  300. line con 0
  301. logging synchronous
  302. stopbits 1
  ! NOTE(review): AUX port left with the default exec enabled; unless a modem is attached,
  ! 'no exec' / 'transport input none' closes an out-of-band path.
  303. line aux 0
  304. stopbits 1
  ! NOTE(review): 'access-class TERM-CONN in' limits sources to 10/8 (LAN VLANs and VPN pool).
  ! No 'exec-timeout' is visible here, so the 10-minute default applies.
  305. line vty 0 4
  306. access-class TERM-CONN in
  307. logging synchronous
  ! NOTE(review): 'transport preferred' only affects outbound sessions from the router.
  308. transport preferred ssh
  ! NOTE(review): telnet is still accepted inbound, exposing credentials in clear text on the LAN.
  ! With 'ip ssh version 2' already configured, 'transport input ssh' is the safe setting.
  309. transport input telnet ssh
  310. !
  311. !
  312. !
  ! NOTE(review): AnyConnect SSL VPN gateway bound to the WAN interface on 443 with a self-signed
  ! certificate; port 80 only redirects to HTTPS.
  313. webvpn gateway SSL-VPN
  314. hostname WAN-GATEWAY
  315. ip interface GigabitEthernet0/0 port 443
  316. http-redirect port 80
  317. ssl trustpoint SSL-VPN-CERT
  318. inservice
  319. !
  ! NOTE(review): this context is not bound to any gateway and is 'no inservice' - it looks like a
  ! leftover that shares the gateway's name. Remove it to avoid confusion with SSL-CTXT below.
  320. webvpn context SSL-VPN
  321. !
  322. ssl authenticate verify all
  323. no inservice
  324. !
  325. policy group SSL-POLICY
  326. !
  327. !
  ! NOTE(review): the live context. No 'aaa authentication list' line, so the 'default' (local) AAA
  ! list is presumably used rather than SSLVPN-AAA; no 'svc split include' line, so clients appear
  ! to be full-tunnel; no 'svc dns-server' line, so clients keep their own DNS - confirm each.
  328. webvpn context SSL-CTXT
  329. gateway SSL-VPN
  330. !
  331. ssl authenticate verify all
  332. inservice
  333. !
  334. policy group SSL-POLICY
  335. functions svc-enabled
  ! NOTE(review): svc-required forces the AnyConnect client (no clientless portal).
  336. functions svc-required
  337. svc address-pool "SSL-VPN-POOL" netmask 255.255.255.0
  338. svc keep-client-installed
  339. default-group-policy SSL-POLICY
  340. !
  341. end