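- !
- ! Last configuration change at 19:24:03 UTC Sat Mar 4 2017 by <is-admin>
- upgrade fpd auto
- version 15.2
- no service pad
- service timestamps debug datetime msec
- service timestamps log datetime msec
- ! Fix: password-encryption was disabled, so any "username ... password" or
- ! line password would sit in clear text in show running-config and in every
- ! backup of it. Type 7 is only obfuscation (trivially reversible), so this is
- ! a floor, not a fix: every local account should be defined with
- ! "username X secret", never "password". The enable password already uses
- ! "enable secret", which is fine.
- service password-encryption
- !
- hostname WAN-GATEWAY
- !
- boot-start-marker
- ! 15.2(4)M11 is a 2016-era image; check it against current PSIRT advisories
- ! for the features in use here (SSL VPN/webvpn, HTTP server, ZBF, DHCP).
- boot system flash <adventerprisek9-mz.152-4.M11.bin>
- boot-end-marker
- !
- !
- ! Logs only go to the local 326768-byte ring buffer and are lost on reload or
- ! wrap-around. Ship them to a syslog collector ("logging host ...") and take
- ! time from NTP so the timestamps above can be trusted -- this config has no
- ! "ntp server" line at all.
- logging buffered 326768
- ! Type 5 (MD5) is the strongest hash this release offers; move to type 8/9
- ! (PBKDF2-SHA256/scrypt) once on a release that supports them.
- enable secret 5 <omitted>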
- !
- aaa new-model
- !
- !
- ! Pre-authentication banner (legal notice). Keep it free of platform, model
- ! and software-version details.
- aaa authentication banner
- ##############################################################
- ##### */BANNER TEXT*/ #####
- ##############################################################
- aaa authentication password-prompt PASSWORD:
- aaa authentication username-prompt USERNAME:
- ! Every login (console, vty, and presumably the SSL VPN, since no
- ! "aaa authentication list" is set in the active webvpn context) is checked
- ! against the local user database only: no RADIUS/TACACS+, so no central
- ! lockout, accounting or audit trail beyond the local "login" counters.
- aaa authentication login default local
- ! Defined but not referenced by any webvpn context in this config.
- aaa authentication login SSLVPN-AAA local
- ! Enable mode is protected by the "enable secret".
- aaa authentication enable default enable
- !
- !
- !
- !
- !
- aaa session-id common
- !
- !
- !
- ! Addresses the router must not hand out (gateways, infrastructure and
- ! statically addressed hosts at the top and bottom of each VLAN; all of
- ! 10.0.110.0/24, which has no pool here).
- ip dhcp excluded-address 10.0.210.1 10.0.210.5
- ip dhcp excluded-address 10.0.210.250 10.0.210.254
- ip dhcp excluded-address 10.0.220.1 10.0.220.5
- ip dhcp excluded-address 10.0.220.250 10.0.220.254
- ip dhcp excluded-address 10.0.240.1 10.0.240.5
- ip dhcp excluded-address 10.0.240.250 10.0.240.254
- ip dhcp excluded-address 10.0.0.1 10.0.0.100
- ip dhcp excluded-address 10.0.110.0 10.0.110.255
- ip dhcp excluded-address 10.0.230.0 10.0.230.199
- ip dhcp excluded-address 10.0.230.250 10.0.230.255
- !
- ! NOTE(review): every pool pushes public resolvers (8.8.8.8 / 4.4.4.4)
- ! together with an Active Directory domain name. AD-joined clients need the
- ! domain's own DNS servers for SRV/GC lookups, and with public resolvers every
- ! internal hostname query leaves the network. Also confirm 4.4.4.4 is
- ! intended -- Google's secondary resolver is 8.8.4.4.
- ip dhcp pool VLAN210-POOL
- network 10.0.210.0 255.255.255.0
- default-router 10.0.210.1
- dns-server 8.8.8.8 4.4.4.4
- domain-name ad.example.com
- !
- ip dhcp pool VLAN220-POOL
- network 10.0.220.0 255.255.255.0
- default-router 10.0.220.1
- dns-server 8.8.8.8 4.4.4.4
- domain-name ad.example.com
- !
- ip dhcp pool VLAN240-POOL
- network 10.0.240.0 255.255.255.0
- default-router 10.0.240.1
- dns-server 8.8.8.8 4.4.4.4
- domain-name ad.example.com
- !
- ip dhcp pool VLAN230-POOL
- network 10.0.230.0 255.255.255.0
- dns-server 8.8.8.8 4.4.4.4
- domain-name ad.example.com
- default-router 10.0.230.1
- !
- !
- no ip domain lookup
- ip domain name ad.example.com
- ip cef
- ! Brute-force throttle: 3 failed logins within 60 s put the device in quiet
- ! mode for 60 s. There is no "login quiet-mode access-class", so during that
- ! minute legitimate admins are locked out as well -- consider adding one for
- ! the management network. Every success and every 3rd failure is logged.
- login block-for 60 attempts 3 within 60
- login on-failure log every 3
- login on-success log
- ! NOTE(review): IPv6 routing is enabled and Gi0/0 takes an IPv6 address by
- ! DHCP, yet this config has no ipv6 access-list, no "ipv6 access-class" on
- ! the vty lines and no IPv6-specific inspect policy. Either keep IPv6 off the
- ! WAN side until a policy exists, or add the IPv6 equivalents -- and verify
- ! on this release what the zone-based policy actually does with IPv6 before
- ! relying on it.
- ipv6 unicast-routing
- ipv6 cef
- !
- !
- multilink bundle-name authenticated
- !
- !
- !
- !
- !
- !
- !
- ! Self-signed certificate presented by the SSL VPN gateway. Clients cannot
- ! validate it, so AnyConnect will warn on every connection; that trains users
- ! to click through and makes a MITM of the VPN login look like normal use.
- ! Replace it with a certificate from a CA the clients already trust.
- crypto pki trustpoint SSL-VPN-CERT
- enrollment selfsigned
- subject-name CN=WAN-GATEWAY.AD.EXAMPLE.COM
- ! NOTE(review): CRL checking on a self-signed trustpoint has no CRL to
- ! consult; "revocation-check none" is the usual setting for selfsigned.
- revocation-check crl
- rsakeypair SSL-VPN-KEY
- !
- !
- crypto pki certificate chain SSL-VPN-CERT
- certificate self-signed 03 nvram:WAN-GATEWAYa#3.cer
- ! Local accounts (redacted). Each should be defined with "secret" (hashed),
- ! never "password", and only administrators need "privilege 15".
- username <omitted>
- username <omitted>
- !
- !
- controller ISA 1/1
- !
- ! SSHv1 is disabled (good). The RSA key size is not visible in this config;
- ! confirm it is 2048 bits or more ("show ip ssh").
- ip ssh version 2
- !
- ! DHCP replies from the ISP (destination port bootpc/68).
- class-map type inspect match-any DHCP-SERVER-CMAP
- match access-group name ACL-DHCP-SERVER
- ! Catch-all for the three protocols the inspect engine tracks statefully.
- class-map type inspect match-any ALL-TRAFFIC-CMAP
- match protocol udp
- match protocol tcp
- match protocol icmp
- ! The router's own DHCP client requests (destination bootps/67).
- class-map type inspect match-any DHCP-CLIENT-CMAP
- match access-group name ACL-DHCP-CLIENT
- ! Inbound udp/5100 for the port-forward (match-all: UDP *and* ACL-PERMIT-ED).
- class-map type inspect match-all ED-ACCESS-CMAP
- match protocol udp
- match access-group name ACL-PERMIT-ED
- ! tcp/80 and tcp/443 to the router: the SSL VPN gateway and its redirect.
- class-map type inspect match-all SSL-VPN-CMAP
- match access-group name ACL-VPN-ACCESS
- ! tcp/22 from ANY source. Used on an Internet-facing zone-pair this exposes
- ! the SSH daemon world-wide; the vty access-class later rejects non-10/8
- ! sources, but presumably only after the router has accepted the TCP
- ! connection, so the daemon itself is still reachable.
- class-map type inspect match-any SSH-CLIENT-CMAP
- match access-group name ACL-SSH-CLIENT
- !
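- ! Internet -> router itself. Only the SSL VPN listener (tcp/80, tcp/443) and
- ! DHCP replies from the ISP are accepted; everything else is dropped.
- policy-map type inspect UNTRUSTED-TO-SELF-PMAP
- class type inspect SSL-VPN-CMAP
- inspect
- ! "pass" is stateless: any Internet host may send UDP to the router's bootpc
- ! port. Acceptable for a DHCP client, but keep it limited to this class.
- class type inspect DHCP-SERVER-CMAP
- pass
- ! Fix: the SSH-CLIENT-CMAP class (tcp/22 from any source) was removed from
- ! this policy. The vty access-class TERM-CONN already rejects every source
- ! outside 10.0.0.0/8, so the opening only exposed the SSH daemon itself
- ! (banner, key exchange, pre-auth code paths) to the whole Internet.
- ! Administer the router from the LAN or over the SSL VPN (the VPN pool is
- ! inside TERM-CONN). If Internet SSH is genuinely required, re-add
- ! "class type inspect SSH-CLIENT-CMAP / inspect" here but first restrict
- ! ACL-SSH-CLIENT to the administrator's fixed source address.
- class class-default
- drop
- ! LAN -> Internet: tcp/udp/icmp are inspected statefully; any other IP
- ! protocol (GRE, ESP, ...) is dropped.
- policy-map type inspect TRUSTED-TO-UNTRUSTED-PMAP
- class type inspect ALL-TRAFFIC-CMAP
- inspect
- class class-default
- drop
- ! Router -> Internet: its DHCP client plus anything else it originates.
- policy-map type inspect SELF-TO-UNTRUSTED-PMAP
- class type inspect DHCP-CLIENT-CMAP
- inspect
- class type inspect ALL-TRAFFIC-CMAP
- inspect
- class class-default
- drop
- ! Internet -> LAN: only udp/5100, i.e. the static NAT to 10.0.210.250.
- policy-map type inspect UNTRUSTED-TO-TRUSTED-PMAP
- class type inspect ED-ACCESS-CMAP
- inspect
- class class-default
- drop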
- !
- zone security Trusted
- description INSIDE-LAN-NETWORK
- zone security Untrusted
- description OUTSIDE-WAN-NETWORK
- ! Internet -> LAN: udp/5100 only; the policy drops the rest.
- zone-pair security UNTRUSTED-TO-TRUSTED-ZP source Untrusted destination Trusted
- service-policy type inspect UNTRUSTED-TO-TRUSTED-PMAP
- ! LAN -> Internet: tcp/udp/icmp inspected, other protocols dropped.
- zone-pair security TRUSTED-TO-UNTRUSTED-ZP source Trusted destination Untrusted
- service-policy type inspect TRUSTED-TO-UNTRUSTED-PMAP
- ! Router-originated traffic toward the Internet.
- zone-pair security SELF-TO-UNTRUSTED-ZP source self destination Untrusted
- service-policy type inspect SELF-TO-UNTRUSTED-PMAP
- ! Internet -> router: this pair decides the management-plane exposure.
- zone-pair security UNTRUSTED-TO-SELF-ZP source Untrusted destination self
- service-policy type inspect UNTRUSTED-TO-SELF-PMAP
- ! Intra-zone pair, needed so SSL VPN sessions (Virtual-Template1, zone
- ! Trusted) can reach the LAN behind Gi0/1. It reuses the LAN->Internet
- ! policy, so VPN users get unrestricted tcp/udp/icmp to every internal
- ! network; nothing in this config limits VPN access per user or per network.
- ! No Trusted<->self pair exists, so LAN hosts reach the router unfiltered.
- zone-pair security TRUSTED source Trusted destination Trusted
- service-policy type inspect TRUSTED-TO-UNTRUSTED-PMAP
- !
- !
- ! AnyConnect package web-deployed to Windows clients (4.4.00243, a 2017-era
- ! build). Treat it like any other shipped software and refresh the .pkg as
- ! AnyConnect security releases appear.
- crypto vpn anyconnect disk0:/webvpn/anyconnect-win-4.4.00243-webdeploy-k9.pkg sequence 1
- !
- !
- !
- !
- !
- !
- !
- !
- !
- ! Loopback0 sits on the same 10.1.50.0/24 as the SSL VPN address pool but is
- ! shut down, so it installs no route today. If it is ever enabled its
- ! connected /24 overlaps the pool; remove it or move the pool elsewhere.
- interface Loopback0
- ip address 10.1.50.1 255.255.255.0
- shutdown
- !
- ! Address borrowed by the SSL VPN virtual-access interfaces (ip unnumbered).
- interface Loopback1
- ip address 172.16.31.255 255.255.255.255
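- ! Internet-facing interface (address from the ISP by DHCP), zone Untrusted.
- interface GigabitEthernet0/0
- description LINK TO INTERNET
- ip address dhcp
- ! Fix: standard hardening for the outside interface. Proxy-ARP is on by
- ! default and would answer ARP on the ISP segment for any address this
- ! router has a route to; ICMP redirects have no use on the uplink and leak
- ! next-hop information.
- no ip redirects
- no ip proxy-arp
- ip nat outside
- ip virtual-reassembly in
- zone-member security Untrusted
- ! NOTE(review): "no ip route-cache" forces process switching on this
- ! interface although "ip cef" is on globally, which makes the CPU the
- ! bottleneck under a flood. Unless it was left in for "debug ip packet",
- ! remove it here and on Gi0/1.
- no ip route-cache
- duplex auto
- speed auto
- media-type rj45
- no negotiation auto
- ! NOTE(review): this acquires an IPv6 address on the Internet side while the
- ! config has no "ipv6 traffic-filter" and no IPv6-specific firewall policy.
- ipv6 address dhcp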
- ! LAN side, zone Trusted. The core at 10.0.0.254 is the next hop for every
- ! internal VLAN (see the static routes below).
- interface GigabitEthernet0/1
- description LINK TO LAN CORE
- ip address 10.0.0.2 255.255.255.0
- ip nat inside
- ip virtual-reassembly in
- zone-member security Trusted
- ! NOTE(review): process switching is forced on this interface too
- ! ("no ip route-cache" while "ip cef" is enabled globally); remove unless
- ! it is deliberately there for packet-level debugging.
- no ip route-cache
- duplex auto
- speed auto
- media-type gbic
- negotiation auto
- ! Unused port, administratively down. It is pre-placed in zone Trusted with
- ! "ip nat inside", so anything patched in and enabled later is LAN-equivalent
- ! -- fine while it stays shut, but worth knowing.
- interface GigabitEthernet0/2
- description DISABLED
- no ip address
- ip nat inside
- ip virtual-reassembly in
- zone-member security Trusted
- no ip route-cache
- shutdown
- duplex auto
- speed auto
- media-type rj45
- no negotiation auto
- ! Template for the per-session virtual-access interfaces of the SSL VPN.
- ! Membership in zone Trusted means VPN clients are treated exactly like LAN
- ! hosts by the firewall.
- interface Virtual-Template1
- ip unnumbered Loopback1
- zone-member security Trusted
- !
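- ! Addresses handed to AnyConnect sessions (101 addresses; the policy group
- ! applies a /24 mask).
- ip local pool SSL-VPN-POOL 10.1.50.100 10.1.50.200
- ip forward-protocol nd
- ! Fix: the plaintext HTTP management server was enabled, and
- ! UNTRUSTED-TO-SELF-PMAP admits tcp/80 from any source for the VPN redirect,
- ! so the router's web UI (local-account login, credentials sent in the clear)
- ! was reachable from the Internet. HTTPS management is kept. If the
- ! http->https redirect of the webvpn gateway stops working after this
- ! change it was riding on this server; in that case keep HTTP off and have
- ! users type the https:// URL. Then restrict the HTTPS server to management
- ! sources with "ip http access-class", after confirming the webvpn gateway
- ! on Gi0/0:443 keeps serving VPN users.
- no ip http server
- ip http authentication local
- ip http secure-server
- ip http timeout-policy idle 600 life 86400 requests 10000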
- !
- !
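- ! PAT everything matched by access-list 99 behind the Gi0/0 DHCP address.
- ip nat inside source list 99 interface GigabitEthernet0/0 overload
- !ip nat inside source static tcp 10.0.0.2 22 interface GigabitEthernet0/0 22
- ! Inbound port-forward: Internet udp/5100 -> 10.0.210.250 (admitted into the
- ! Trusted zone by ED-ACCESS-CMAP). That host's service on 5100 is directly
- ! exposed; keep it patched and make sure nothing else listens on that port.
- ip nat inside source static udp 10.0.210.250 5100 interface GigabitEthernet0/0 5100
- ! Fix: removed "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0". An
- ! interface-only default route on an Ethernet link makes the router ARP for
- ! every Internet destination (working only because the ISP proxy-ARPs), and
- ! at AD 1 it shadowed the DHCP-learned gateway route below (AD 254). One ARP
- ! entry per remote host also bloats the ARP table whenever many distinct
- ! addresses are answered. The "dhcp" route alone yields the correct next hop.
- ip route 10.0.210.0 255.255.255.0 GigabitEthernet0/1 10.0.0.254
- ip route 10.0.220.0 255.255.255.0 GigabitEthernet0/1 10.0.0.254
- ip route 10.0.230.0 255.255.255.0 GigabitEthernet0/1 10.0.0.254
- ip route 10.0.240.0 255.255.255.0 GigabitEthernet0/1 10.0.0.254
- ip route 10.0.110.0 255.255.255.0 GigabitEthernet0/1 10.0.0.254
- ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp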
- !
- ! Internal networks intended for SSL VPN split tunnelling. NOTE(review): this
- ! ACL is not referenced anywhere in this config (the webvpn policy group has
- ! no "svc split include"), so the VPN currently runs full-tunnel.
- ip access-list standard SSL-SPLIT-TUN
- permit 10.0.210.0 0.0.0.255
- permit 10.0.220.0 0.0.0.255
- permit 10.0.230.0 0.0.0.255
- permit 10.0.240.0 0.0.0.255
- permit 10.0.110.0 0.0.0.255
- permit 10.0.0.0 0.0.0.255
- ! vty source filter: all of 10.0.0.0/8. That is far wider than the internal
- ! /24s and includes the SSL VPN pool (10.1.50.0/24), so every VPN user can
- ! reach the management plane. Tighten to the admin VLAN(s) unless all VPN
- ! users are administrators. IPv4 only -- there is no ipv6 access-class.
- ip access-list standard TERM-CONN
- permit 10.0.0.0 0.255.255.255
- !permit 172.16.0.0 0.15.255.255
- !permit 192.168.0.0 0.0.255.255
- deny any
- !
- ! Router's DHCP client -> ISP server (destination bootps/67).
- ip access-list extended ACL-DHCP-CLIENT
- permit udp any any eq bootps
- ! ISP server -> router's DHCP client (destination bootpc/68).
- ip access-list extended ACL-DHCP-SERVER
- permit udp any any eq bootpc
- ! Inbound udp/5100 from anywhere; NAT steers it to 10.0.210.250 only.
- ip access-list extended ACL-PERMIT-ED
- permit udp any any eq 5100
- ! tcp/22 from any source. If this stays in use on UNTRUSTED-TO-SELF-PMAP,
- ! replace "any" (source) with the administrator's fixed address; otherwise
- ! the SSH daemon is reachable from the whole Internet, with only the vty
- ! access-class (10.0.0.0/8) rejecting the login afterwards.
- ip access-list extended ACL-SSH-CLIENT
- permit tcp any any eq 22
- ! tcp/80 (redirect) and tcp/443 (SSL VPN gateway) from any source -- must
- ! stay open to the Internet for the VPN to work.
- ip access-list extended ACL-VPN-ACCESS
- permit tcp any any eq www
- permit tcp any any eq 443
- !
- ! NAT source ranges. NOTE(review): the SSL VPN pool 10.1.50.0/24 is NOT
- ! covered by 10.0.0.0/16, so in the current full-tunnel setup (no "svc split
- ! include" in the policy group) VPN clients' Internet traffic leaves Gi0/0
- ! untranslated and is dropped upstream. Either add
- ! "access-list 99 permit 10.1.50.0 0.0.0.255" or enable split tunnelling.
- ! 172.16/12 and 192.168/16 are translated too although no such networks are
- ! routed here; harmless, but trim the list to what is actually inside.
- access-list 99 permit 10.0.0.0 0.0.255.255
- access-list 99 permit 172.16.0.0 0.15.255.255
- access-list 99 permit 192.168.0.0 0.0.255.255
- access-list 99 deny any
- !
- !
- !
- !
- !
- !
- ! Empty control-plane section: no CoPP. Whatever UNTRUSTED-TO-SELF-PMAP admits
- ! (the VPN listener, DHCP replies) hits the CPU without any rate limit. A
- ! "service-policy input" here with policers for ICMP, DHCP and the VPN
- ! ports would bound CPU use under a flood.
- control-plane
- !
- !
- !
- mgcp profile default
- !
- !
- !
- ! Unused H.323 gatekeeper, kept shut.
- gatekeeper
- shutdown
- !
- !
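- line con 0
- ! Fix: idle timeout made explicit (10 minutes) so an unattended console
- ! session does not stay logged in indefinitely if the default is ever changed.
- exec-timeout 10 0
- logging synchronous
- stopbits 1
- ! Fix: the AUX port was left at defaults. Nothing dials in here, so EXEC is
- ! disabled and every transport refused.
- line aux 0
- no exec
- exec-timeout 0 1
- transport input none
- stopbits 1
- line vty 0 4
- ! Only 10.0.0.0/8 (LAN plus the SSL VPN pool) may open a vty. This filter is
- ! IPv4 only; no "ipv6 access-class" is configured.
- access-class TERM-CONN in
- exec-timeout 10 0
- logging synchronous
- transport preferred ssh
- ! Fix: Telnet removed from the vty transports. It carried credentials and
- ! sessions in the clear to anyone inside 10.0.0.0/8, including every SSL VPN
- ! user. SSHv2 is the only inbound transport now.
- transport input ssh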
- !
- !
- !
- ! SSL VPN listener on the Gi0/0 address, tcp/443, with tcp/80 redirected to
- ! HTTPS; presents the self-signed SSL-VPN-CERT. NOTE(review): there is no
- ! "ssl encryption" line, so the gateway offers whatever cipher list this
- ! release defaults to -- pin it to AES/SHA suites.
- webvpn gateway SSL-VPN
- hostname WAN-GATEWAY
- ip interface GigabitEthernet0/0 port 443
- http-redirect port 80
- ssl trustpoint SSL-VPN-CERT
- inservice
- !
- ! Dead context: "no inservice", bound to no gateway, empty policy group.
- ! Superseded by SSL-CTXT below; remove it ("no webvpn context SSL-VPN") so it
- ! cannot be brought into service by accident.
- webvpn context SSL-VPN
- !
- ssl authenticate verify all
- no inservice
- !
- policy group SSL-POLICY
- !
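- ! Active SSL VPN context, bound to gateway SSL-VPN. Authentication falls back
- ! to the "default" login list (local users) since no "aaa authentication
- ! list" is set here.
- webvpn context SSL-CTXT
- gateway SSL-VPN
- !
- ssl authenticate verify all
- inservice
- !
- policy group SSL-POLICY
- functions svc-enabled
- functions svc-required
- svc address-pool "SSL-VPN-POOL" netmask 255.255.255.0
- svc keep-client-installed
- ! Fix: the policy group had no split-tunnel statement, so sessions ran
- ! full-tunnel while access-list 99 (NAT) does not cover the 10.1.50.0/24 pool
- ! -- VPN clients' Internet traffic left Gi0/0 untranslated and was dropped.
- ! SSL-SPLIT-TUN was defined with exactly the internal networks and referenced
- ! nowhere, so the intent was split tunnelling; it is now applied. Trade-off:
- ! with split tunnelling a client's Internet traffic bypasses this firewall.
- ! If full-tunnel is preferred instead, drop this line and add
- ! "access-list 99 permit 10.1.50.0 0.0.0.255".
- svc split include acl SSL-SPLIT-TUN
- default-group-policy SSL-POLICY
- !
- end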