
Untitled

a guest
Jun 26th, 2017
  1.  
  2. headoffice Cisco Running config
  3.  
  4.  
  ! NOTE(review): this is a captured terminal session ("show running-config" in a
  ! PuTTY log), not a saved config file. The "--More--" tokens further down are
  ! pager residue from the capture and are not configuration commands.
  5. =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.11.11 22:52:33 =~=~=~=~=~=~=~=~=~=~=~=
  6. show runn
  7. AMBLIB-RTR-1#show running-config
  8. Building configuration...
  9.  
  10. Current configuration : 12557 bytes
  11. !
  12. ! Last configuration change at 15:16:53 UTC Thu Nov 11 2010 by epicsupport
  13. ! NVRAM config last updated at 12:22:51 UTC Tue Nov 9 2010 by epicsupport
  14. !
  15. version 12.4
  16. no service pad
  17. service tcp-keepalives-in
  18. service tcp-keepalives-out
  19. service timestamps debug datetime msec localtime show-timezone
  20. service timestamps log datetime msec localtime show-timezone
  ! service password-encryption stores otherwise-cleartext passwords as Cisco
  ! "type 7". Type 7 is a reversible encoding, not a hash, so every "7 ..." value
  ! in this capture (wpa-psk, radius-server key) should be treated as disclosed.
  ! It also leaves the ISAKMP keys and SNMP communities shown later in cleartext.
  21. service password-encryption
  22. service sequence-numbers
  23. !
  24. hostname AMBLIB-RTR-1
  25. !
  26. boot-start-marker
  27. boot-end-marker
  28. !
  ! Failed-login threshold of 3 with logging; local log buffer is 30000 bytes at
  ! severity "informational". No remote syslog host appears in this capture, so
  ! login and ACL log entries live only in the router's buffer.
  29. security authentication failure rate 3 log
  30. logging buffered 30000 informational
  ! "secret 5" is a salted MD5-crypt hash. The hash is published in this capture,
  ! so the enable secret should be rotated; use a stronger secret type if the
  ! installed IOS release offers one (12.4 may not — confirm).
  31. enable secret 5 $1$bhvM$EAslD0FXdOXj6SzrmrUbZ/
  32. --More--  !
  ! AAA method lists. "default" authenticates logins against the local user
  ! database; "remote" authenticates against RADIUS and is the list referenced
  ! by the VPNclient ISAKMP profile later in this config.
  33. aaa new-model
  34. !
  35. !
  36. aaa authentication password-prompt "Enter your Password:"
  37. aaa authentication username-prompt "Enter your Username:"
  38. aaa authentication login default local
  ! The "remote" login list has RADIUS as its only method (no fallback listed),
  ! so VPN user authentication depends entirely on the RADIUS server answering.
  39. aaa authentication login remote group radius
  ! Network authorization for both lists is resolved locally.
  40. aaa authorization network default local
  41. aaa authorization network remote local
  42. !
  43. aaa session-id common
  44. !
  ! Global IP settings, the CBAC inspection rule "FW", and login throttling.
  45. resource policy
  46. !
  47. memory-size iomem 25
  48. clock summer-time bst recurring last Sun Mar 2:00 last Sun Oct 2:00
  ! Hardening: source-routed packets are dropped and the BOOTP server is off.
  49. no ip source-route
  50. ip cef
  51. !
  52. !
  53. !
  54. !
  55. --More--  no ip bootp server
  56. ip domain name am-lib.local
  57. ip name-server 194.72.6.57
  58. ip name-server 194.73.82.242
  ! SSH is restricted to protocol version 2 with a 30-second negotiation timeout.
  59. ip ssh time-out 30
  60. ip ssh version 2
  ! Inspection rule "FW" (applied outbound on Vlan2 further down). Every protocol
  ! except tftp uses a 3600-second idle timeout, so idle session state is kept for
  ! up to an hour; confirm that is intended rather than a copied default.
  61. ip inspect name FW cuseeme timeout 3600
  62. ip inspect name FW ftp timeout 3600
  63. ip inspect name FW rcmd timeout 3600
  64. ip inspect name FW realaudio timeout 3600
  65. ip inspect name FW tftp timeout 30
  66. ip inspect name FW udp timeout 3600
  67. ip inspect name FW tcp timeout 3600
  68. ip inspect name FW h323 timeout 3600
  69. ip inspect name FW sip timeout 3600
  ! Login throttling: 3 failures within 100 seconds trigger a 100-second quiet
  ! period; 3-second delay between attempts; successes and failures are logged.
  70. login block-for 100 attempts 3 within 100
  71. login delay 3
  ! NOTE(review): LOGIN-ACL is not defined anywhere in this capture. Confirm the
  ! ACL exists, otherwise the quiet-mode exemption list is not what was intended.
  72. login quiet-mode access-class LOGIN-ACL
  73. login on-failure log
  74. login on-success log
  75. !
  76. !
  ! Self-signed PKI trustpoint and its certificate. Presumably generated for the
  ! HTTPS server enabled later ("ip http secure-server") — confirm.
  ! Decoded from the DER hex below: 1024-bit RSA public key, signature algorithm
  ! md5WithRSAEncryption, validity notAfter 2020-01-01. All three are below
  ! current practice; regenerate with a larger key on a release that signs with a
  ! stronger hash. The certificate is public data, not a secret.
  77. crypto pki trustpoint TP-self-signed-1379823495
  78. --More--   enrollment selfsigned
  79. subject-name cn=IOS-Self-Signed-Certificate-1379823495
  ! No revocation checking is performed for this trustpoint.
  80. revocation-check none
  81. rsakeypair TP-self-signed-1379823495
  82. !
  83. !
  84. crypto pki certificate chain TP-self-signed-1379823495
  85. certificate self-signed 01
  86. 30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  87. 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  88. 69666963 6174652D 31333739 38323334 3935301E 170D3032 30333031 30303239
  89. 35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  90. 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33373938
  91. 32333439 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  92. 8100B183 C3306E39 2F284B30 19A86844 85DA6AAA CCCD6AB0 8A725712 C8F8AE7D
  93. 6C556F92 5D264AF0 FEF3A675 BC4B6405 8785C502 FFB26B26 14E8C1A0 0ABC07D1
  94. 1EFB3903 82D8E846 2993E8A5 C7C6C466 8D8B92A6 FD94111B 7EA832FA 2B5CFE10
  95. CE3EEA56 3778AC93 DE4DB1B7 F45F599B E6595817 65A3D34D E5EAFBDB 7B40D4C6
  96. F7470203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
  97. 551D1104 1D301B82 19414D42 4C49422D 5254522D 312E616D 2D6C6962 2E6C6F63
  98. 616C301F 0603551D 23041830 1680144C BCD76DA0 027E04F1 EA61BC9D C769A052
  99. C6851F30 1D060355 1D0E0416 04144CBC D76DA002 7E04F1EA 61BC9DC7 69A052C6
  100. 851F300D 06092A86 4886F70D 01010405 00038181 0057F904 D3930374 D0FC1007
  101. --More--   CC01033A FEC49D5E CF56A680 BC0E9E68 B1BCAD55 E32E8033 C703583D 8C33B8A3
  102. 53DC86E0 692FE324 21AA3585 83FB0826 8E8756C4 78D5A772 7B33DC75 EEE69FD4
  103. 420D2AB6 82798C67 141C989A 0CC69D6B 5932E0F9 E37C22CE D8FA51EC 2A7C2CE7
  104. 913BB018 C03447A9 493C4005 C150763E 92A45A5B AE
  105. quit
  ! Local accounts used by the "default" login list. Both are privilege 15
  ! (full administrative access) and both type 5 (MD5-crypt) hashes are published
  ! in this capture, so both secrets should be rotated.
  106. username epicit privilege 15 secret 5 $1$qeJm$pjO/4.1NfZX2EsOFtJPfw0
  107. username epicsupport privilege 15 secret 5 $1$Vfe.$GmaO6JeorN/Os05FceIoa1
  108. !
  109. !
  110. !
  ! IPsec VPN: two site-to-site peers plus a remote-access client group.
  ! Policy 10 uses 3DES, pre-shared keys and DH group 2 with a 28800 s lifetime.
  ! 3DES and DH group 2 are legacy choices; move to AES and a larger DH group
  ! where both ends support it.
  111. crypto isakmp policy 10
  112. encr 3des
  113. authentication pre-share
  114. group 2
  115. lifetime 28800
  116. !
  ! Policy 20 sets only 3DES and pre-share; the remaining parameters are whatever
  ! the platform defaults are (not shown in this capture).
  117. crypto isakmp policy 20
  118. encr 3des
  119. authentication pre-share
  ! The same pre-shared key is used for both peers and appears in cleartext.
  ! Having been published, it should be replaced, ideally with one distinct key
  ! per peer so a single disclosure does not affect both tunnels.
  120. crypto isakmp key LR-ZERO1 address 193.220.61.149
  121. crypto isakmp key LR-ZERO1 address 193.220.61.164
  122. !
  ! Remote-access group. The group key is also in cleartext and shared by every
  ! client; per-user authentication comes from the "remote" (RADIUS) list below.
  123. crypto isakmp client configuration group VPNCLIENT
  124. --More--   key L3kk3rVPNCLIENT
  125. dns 10.0.50.1 10.0.50.254
  126. wins 10.0.50.1
  127. domain am-lib.local
  128. pool VPNCLIENTPOOL
  ! ACL 140 is the split-tunnel list pushed to clients.
  129. acl 140
  130. crypto isakmp profile VPNclient
  131. description VPN clients profile
  132. match identity group VPNCLIENT
  133. client authentication list remote
  134. isakmp authorization list remote
  135. client configuration address respond
  136. !
  137. !
  ! Single transform set for all tunnels: ESP with 3DES and SHA-1 HMAC.
  138. crypto ipsec transform-set MainSet esp-3des esp-sha-hmac
  139. !
  140. crypto dynamic-map DYNMAP 5
  141. set transform-set MainSet
  142. set isakmp-profile VPNclient
  143. !
  144. !
  ! Crypto map bound to Vlan2: entry 10 -> peer .149 (ACL 160), entry 20 ->
  ! peer .164 (ACL 170), entry 100 -> dynamic map for VPN clients.
  145. crypto map MYMAP local-address Vlan2
  146. crypto map MYMAP 10 ipsec-isakmp
  147. --More--   set peer 193.220.61.149
  148. set transform-set MainSet
  149. match address 160
  150. crypto map MYMAP 20 ipsec-isakmp
  151. set peer 193.220.61.164
  152. set transform-set MainSet
  153. match address 170
  154. crypto map MYMAP 100 ipsec-isakmp dynamic DYNMAP
  155. !
  ! Bridging, the unused ATM/DSL port, the switch ports and the wireless radio.
  156. bridge irb
  157. !
  158. !
  159. !
  160. interface ATM0
  161. no ip address
  162. shutdown
  163. no atm ilmi-keepalive
  164. dsl operating-mode auto
  165. !
  ! FastEthernet0 is the only switch port placed in VLAN 2 (the outside VLAN).
  166. interface FastEthernet0
  167. switchport access vlan 2
  168. !
  169. interface FastEthernet1
  170. --More--  !
  171. interface FastEthernet2
  172. !
  173. interface FastEthernet3
  174. !
  175. interface Dot11Radio0
  176. no ip address
  177. !
  178. broadcast-key change 45
  179. !
  180. !
  ! The only cipher offered is TKIP (WPA), which is deprecated; prefer AES-CCMP
  ! (WPA2) if the radio and IOS release support it.
  181. encryption mode ciphers tkip
  182. !
  183. ssid AMWLAN
  184. authentication open
  185. authentication key-management wpa
  186. guest-mode
  187. infrastructure-ssid optional
  ! The WPA pre-shared key is stored as type 7 (reversible encoding) and has been
  ! published in this capture; it should be changed.
  188. wpa-psk ascii 7 123828203E2A22137B2D75
  189. !
  190. speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
  191. channel 2462
  192. station-role root
  ! The radio is in bridge-group 1, the same group as Vlan1, so wireless clients
  ! share the internal LAN segment that BVI1 routes for.
  193. --More--   bridge-group 1
  194. bridge-group 1 subscriber-loop-control
  195. bridge-group 1 spanning-disabled
  196. bridge-group 1 block-unknown-source
  197. no bridge-group 1 source-learning
  198. no bridge-group 1 unicast-flooding
  199. !
  ! Layer-3 interfaces: Vlan1 (bridged, no address), Vlan2 (outside/Internet)
  ! and BVI1 (inside LAN gateway).
  200. interface Vlan1
  201. no ip address
  202. no ip redirects
  203. no ip unreachables
  204. no ip proxy-arp
  205. ip virtual-reassembly
  206. bridge-group 1
  207. !
  ! Outside interface. Inbound traffic is filtered by ACL 100, strict unicast RPF
  ! is on, ICMP redirects/unreachables and proxy ARP are off, CBAC rule FW
  ! inspects outbound sessions, and crypto map MYMAP terminates the VPNs here.
  208. interface Vlan2
  209. description Connected to Shared Internet Connection
  210. ip address 94.185.232.3 255.255.255.240
  211. ip access-group 100 in
  212. ip verify unicast reverse-path
  213. no ip redirects
  214. no ip unreachables
  215. no ip proxy-arp
  216. --More--   ip nat outside
  217. ip inspect FW out
  218. ip virtual-reassembly
  219. ip tcp adjust-mss 1375
  220. no snmp trap link-status
  221. crypto map MYMAP
  222. !
  ! Inside interface (10.0.50.254/24). Inbound traffic from the LAN is filtered
  ! by ACL 110 before NAT.
  223. interface BVI1
  224. description Connected to internal LAN
  225. ip address 10.0.50.254 255.255.255.0
  226. ip access-group 110 in
  227. no ip redirects
  228. no ip unreachables
  229. no ip proxy-arp
  230. ip nat inside
  231. ip virtual-reassembly
  232. !
  ! VPN client address pool, default route, management web server and NAT.
  233. ip local pool VPNCLIENTPOOL 10.0.51.1 10.0.51.60
  234. ip route 0.0.0.0 0.0.0.0 94.185.232.1
  235. !
  236. ip dns server
  237. !
  ! Plain HTTP management is off; the HTTPS server is on and authenticates
  ! against the local user database. No "ip http access-class" appears in this
  ! capture, so source restriction relies on the interface ACLs alone.
  238. no ip http server
  239. --More--  ip http authentication local
  240. ip http secure-server
  ! Outbound PAT for LAN traffic selected by route-map NONAT (ACL 150).
  241. ip nat inside source route-map NONAT interface Vlan2 overload
  ! Static port forwards publish seven services of one internal host
  ! (10.0.50.1, which this config also uses as RADIUS/DNS/WINS server) on the
  ! outside address: SMTP, HTTP, POP3, HTTPS, RDP and SIP 5060/5061.
  ! NOTE(review): ACL 100 permits 3389 from "any", so RDP on that host is
  ! Internet-reachable; consider dropping the forward and using the VPN instead.
  242. ip nat inside source static tcp 10.0.50.1 25 94.185.232.3 25 route-map STATIC extendable
  243. ip nat inside source static tcp 10.0.50.1 80 94.185.232.3 80 route-map STATIC extendable
  244. ip nat inside source static tcp 10.0.50.1 110 94.185.232.3 110 route-map STATIC extendable
  245. ip nat inside source static tcp 10.0.50.1 443 94.185.232.3 443 route-map STATIC extendable
  246. ip nat inside source static tcp 10.0.50.1 3389 94.185.232.3 3389 route-map STATIC extendable
  247. ip nat inside source static tcp 10.0.50.1 5060 94.185.232.3 5060 route-map STATIC extendable
  248. ip nat inside source static tcp 10.0.50.1 5061 94.185.232.3 5061 route-map STATIC extendable
  249. !
  250. !
  ! ACL 100: inbound filter on the outside interface (Vlan2). Entries are
  ! evaluated top-down, first match wins.
  ! SSH to the router is limited to three source hosts.
  251. access-list 100 remark ###Allow SSH
  252. access-list 100 permit tcp host 62.3.203.35 host 94.185.232.3 eq 22
  253. access-list 100 permit tcp host 83.244.252.130 host 94.185.232.3 eq 22
  254. access-list 100 permit tcp host 78.86.118.156 host 94.185.232.3 eq 22
  ! NOTE(review): PPTP (tcp/1723 + GRE) is permitted, but no static NAT for 1723
  ! appears in this capture; if PPTP is not actually served, remove both entries.
  ! ESP and ISAKMP are permitted "any any" rather than to the router address only.
  255. --More--  access-list 100 remark ###Allow GRE, ESP, ISAKMP & PPTP for VPN
  256. access-list 100 permit tcp any host 94.185.232.3 eq 1723
  257. access-list 100 permit gre any host 94.185.232.3
  258. access-list 100 permit esp any any
  259. access-list 100 permit udp any any eq isakmp
  260. access-list 100 permit udp any any eq non500-isakmp
  ! NOTE(review): the four source-specific SMTP permits are made redundant by the
  ! "permit tcp any ... eq smtp" entry that follows them. POP3 (cleartext
  ! credentials) is also open to any source.
  261. access-list 100 remark ###Allow POP3/SMTP to server
  262. access-list 100 permit tcp 89.167.219.0 0.0.0.255 host 94.185.232.3 eq smtp
  263. access-list 100 permit tcp 80.169.59.0 0.0.0.255 host 94.185.232.3 eq smtp
  264. access-list 100 permit tcp host 212.147.136.149 host 94.185.232.3 eq smtp
  265. access-list 100 permit tcp host 89.149.149.67 host 94.185.232.3 eq smtp
  266. access-list 100 permit tcp any host 94.185.232.3 eq smtp
  267. access-list 100 permit tcp any host 94.185.232.3 eq pop3
  268. access-list 100 remark ###Allow HTTP/HTTPS to server
  269. access-list 100 permit tcp any host 94.185.232.3 eq 443
  270. access-list 100 permit tcp any host 94.185.232.3 eq www
  ! NOTE(review): FTP, 8090 and ftp-data are permitted, but no matching static
  ! NAT entries appear in this capture; these look like leftovers — confirm and
  ! remove if unused.
  271. access-list 100 remark ###Allow FTP to server
  272. access-list 100 permit tcp any host 94.185.232.3 eq ftp
  273. access-list 100 permit tcp any host 94.185.232.3 eq 8090
  274. access-list 100 permit tcp any host 94.185.232.3 eq ftp-data
  ! NOTE(review): the two host-specific RDP permits are overridden by the
  ! "permit tcp any ... eq 3389" entry after them, so RDP is open to every
  ! source. Deleting the "any" entry restores the intended source restriction.
  275. access-list 100 remark ###Allow RDP to server
  276. access-list 100 permit tcp host 62.3.203.35 host 94.185.232.3 eq 3389
  277. access-list 100 permit tcp host 78.86.118.156 host 94.185.232.3 eq 3389
  278. --More--  access-list 100 permit tcp any host 94.185.232.3 eq 3389
  ! SNMP to the router is limited to two source hosts on this interface only;
  ! the community definitions themselves carry no ACL.
  279. access-list 100 remark ###Allow SNMP to router
  280. access-list 100 permit udp host 62.3.203.35 host 94.185.232.3 eq snmp
  281. access-list 100 permit udp host 78.86.118.156 host 94.185.232.3 eq snmp
  282. access-list 100 remark ###Allow SIP to server for OCS
  283. access-list 100 permit tcp any host 94.185.232.3 eq 5060
  284. access-list 100 permit udp any host 94.185.232.3 eq 5060
  285. access-list 100 permit tcp any host 94.185.232.3 eq 5061
  286. access-list 100 permit udp any host 94.185.232.3 eq 5061
  ! These DNS entries match on SOURCE port 53 from the two resolvers and do not
  ! constrain the destination port.
  287. access-list 100 remark ###Allow DNS lookups
  288. access-list 100 permit udp host 194.72.6.57 eq domain host 94.185.232.3
  289. access-list 100 permit udp host 194.73.82.242 eq domain host 94.185.232.3
  290. access-list 100 remark ###Allow NTP time synch
  291. access-list 100 permit udp host 158.43.128.33 host 94.185.232.3 eq ntp
  292. access-list 100 permit udp host 158.43.128.66 host 94.185.232.3 eq ntp
  293. access-list 100 permit udp host 158.43.192.66 host 94.185.232.3 eq ntp
  ! All ICMP types are permitted from any source to any destination.
  294. access-list 100 remark ###Allow ICMP
  295. access-list 100 permit icmp any any
  ! Explicit final deny with logging, so dropped packets generate log entries.
  296. access-list 100 remark ###Explicit deny all
  297. access-list 100 deny ip any any log
  ! ACL 110: inbound filter on the inside interface (BVI1). The first two
  ! entries permit LAN traffic to the VPN client pool and to 10.10.1.0/24 before
  ! any of the deny entries are evaluated.
  298. access-list 110 permit ip 10.0.50.0 0.0.0.255 10.0.51.0 0.0.0.255
  299. access-list 110 permit ip 10.0.50.0 0.0.0.255 10.10.1.0 0.0.0.255
  ! NOTE(review): despite the remark, these entries do not check source
  ! addresses. They match NetBIOS/SMB as the SOURCE port ("any eq <port> any"),
  ! i.e. replies from LAN hosts, not LAN clients connecting out to those ports.
  ! If the goal is to stop outbound NetBIOS/SMB, the port belongs on the
  ! destination side — confirm intent.
  300. access-list 110 remark ###Anti-spoof Internally
  301. --More--  access-list 110 deny udp any eq netbios-dgm any
  302. access-list 110 deny udp any eq netbios-ns any
  303. access-list 110 deny udp any eq netbios-ss any
  304. access-list 110 deny udp any eq 445 any
  305. access-list 110 deny tcp any eq 137 any
  306. access-list 110 deny tcp any eq 138 any
  307. access-list 110 deny tcp any eq 139 any
  308. access-list 110 deny tcp any eq 445 any
  309. access-list 110 permit udp any eq bootpc any eq bootps
  310. access-list 110 permit ip 10.0.50.0 0.0.0.255 any
  311. access-list 110 deny ip any any log
  ! NOTE(review): this entry sits after "deny ip any any" and can never match.
  ! It was presumably meant to join the two permits at the top of the list.
  312. access-list 110 permit ip 10.0.50.0 0.0.0.255 10.10.20.0 0.0.0.255
  ! ACL 140: split-tunnel list referenced by client group VPNCLIENT.
  313. access-list 140 remark ###VPN Client Split Tunneling
  314. access-list 140 permit ip 10.0.50.0 0.0.0.255 any
  315. access-list 140 permit ip 10.0.51.0 0.0.0.255 any
  ! ACL 150: NAT selection for route-maps NONAT and STATIC. The deny entries
  ! exempt VPN-bound traffic from translation.
  ! NOTE(review): there is no exemption for 10.10.20.0/24, the destination that
  ! ACL 170 selects for the second tunnel. Outbound NAT is applied before the
  ! crypto map is checked, so that traffic would be translated and no longer
  ! match ACL 170 — verify whether the second tunnel actually carries traffic.
  316. access-list 150 deny ip 10.0.50.0 0.0.0.255 10.0.51.0 0.0.0.255
  317. access-list 150 deny ip 10.0.50.0 0.0.0.255 10.10.1.0 0.0.0.255
  318. access-list 150 permit ip 10.0.50.0 0.0.0.255 any
  ! ACL 160 / 170: interesting-traffic selectors for crypto map MYMAP 10 / 20.
  319. access-list 160 remark ###Match traffic for Liberia
  320. access-list 160 permit ip 10.0.50.0 0.0.0.255 10.10.1.0 0.0.0.255
  321. access-list 170 permit ip 10.0.50.0 0.0.0.255 10.10.20.0 0.0.0.255
  ! SNMP v1/v2c communities, stored and published here in cleartext. Neither
  ! community has an access list attached, so the only source restriction is
  ! ACL 100 on the outside interface; inside and VPN hosts are unrestricted.
  ! NOTE(review): the RW community allows configuration changes over SNMP.
  ! Remove it if unused, change both strings, bind each community to a standard
  ! ACL, and prefer SNMPv3 with authentication and privacy where supported.
  322. snmp-server community EpicIT-RO RO
  323. snmp-server community EpicIT-RW RW
  324. --More--  !
  325. !
  326. !
  ! Both route-maps select traffic with ACL 150, so the static port forwards
  ! and the overload PAT share the same NAT-exemption rules.
  327. route-map STATIC permit 10
  328. match ip address 150
  329. !
  330. route-map NONAT permit 10
  331. match ip address 150
  332. !
  ! RADIUS server for the "remote" login list, on the legacy 1645/1646 ports.
  ! A 1-second timeout with a single retransmit leaves little margin before an
  ! authentication attempt is abandoned.
  333. radius-server host 10.0.50.1 auth-port 1645 acct-port 1646
  334. radius-server retransmit 1
  335. radius-server timeout 1
  ! The shared secret is type 7 (reversible encoding) and is published in this
  ! capture; change it on both the router and the RADIUS server.
  336. radius-server key 7 00281C0800540557
  337. !
  ! Control plane, terminal lines, NTP and the (disabled) WebVPN context.
  ! No control-plane policy is configured under this stanza.
  338. control-plane
  339. !
  340. bridge 1 protocol ieee
  341. bridge 1 route ip
  342.  
  ! NOTE(review): moves the "enable" exec command to privilege level 2 —
  ! confirm this is intentional.
  343. privilege exec level 2 enable
  344. !
  ! Console: "exec-timeout 0 0" disables the idle timeout, so a console session
  ! left logged in never expires; sessions on this line start at privilege 15.
  345. line con 0
  346. exec-timeout 0 0
  347. privilege level 15
  348. no modem enable
  349. transport output all
  350. stopbits 1
  351. line aux 0
  352. transport output all
  353. stopbits 1
  ! VTY lines accept SSH only and start at privilege 15. No "access-class" is
  ! applied, so source restriction for SSH comes only from the interface ACLs
  ! (ACL 100 outside); hosts on the LAN and VPN can reach the SSH service freely.
  354. line vty 0 4
  355. --More--   privilege level 15
  356. length 0
  357. transport input ssh
  358. !
  359. scheduler max-task-time 5000
  ! Three NTP servers; no NTP authentication commands appear in this capture.
  360. ntp clock-period 17208153
  361. ntp server 158.43.128.33
  362. ntp server 158.43.128.66
  363. ntp server 158.43.192.66
  364. !
  ! The WebVPN context exists but is not in service.
  365. webvpn context Default_context
  366. ssl authenticate verify all
  367. !
  368. no inservice
  369. !
  370. end
  371.  
  372. AMBLIB-RTR-1#