CORE ROUTER
Current configuration : 3498 bytes
!
! Head-end router "CORP": terminates the site-to-site VPN to Branch, does NAT/PAT,
! CBAC (ip inspect) and IOS IPS. Review notes are "!" comment lines; no commands changed.
version 12.4
! Log messages carry millisecond timestamps (needed to correlate with the syslog host
! configured later in this file). Debug timestamps are off.
service timestamps log datetime msec
no service timestamps debug datetime msec
! Only obfuscates type 7 strings (the "Internet" user below); type 7 is reversible, so
! treat such values as plaintext-equivalent. Type 5 secrets (MD5-crypt) are unaffected.
service password-encryption
security passwords min-length 10
!
hostname CORP
!
!
!
! NOTE(review): this exact hash string also appears as the enable secret in the Branch
! config in this dump, i.e. the same enable password is shared by both routers. All type 5
! hashes here use the same salt ($1$mERr$), so equal passwords produce equal hashes.
enable secret 5 $1$mERr$UBS6AqpcFjkupAnmSUCGG.
!
!
!
!
!
! With aaa new-model, the console and vty lines authenticate through the AAA "default"
! method lists defined below (local database); no per-line "login local" is needed.
aaa new-model
!
aaa new-model
!
! Login and exec authorization both use only the local user database; there is no
! fallback method, so management depends on the local accounts staying intact.
aaa authentication login default local
!
!
aaa authorization exec default local
!
!
!
!
!
! Local accounts. CORPADMIN's hash is byte-identical on the Branch router in this dump
! (same password reused across devices; rotate them independently).
username CORPADMIN secret 5 $1$mERr$fPunCIN6tB/A1os48VIRu.
! "Internet" is a type 7 (reversible) password. Presumably kept reversible for PPP CHAP
! on Serial0/0/0, which needs the cleartext -- confirm which peer actually uses it.
username Internet password 7 08024F40082A261E010803
! No privilege level set, so exec authorization grants the default level (1).
username SSHAccess secret 5 $1$mERr$3mVxZHExBNJRy65mTbcvz.
!
! IKE phase 1: AES-256 with a pre-shared key, DH group 2 (1024-bit MODP) and the implicit
! default hash (SHA-1). Group 2 is below current guidance; raise it on both peers together.
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
! NOTE(review): the pre-shared key sits in cleartext in the running-config
! (service password-encryption does not cover it) -- anyone who can read this config has
! the VPN key. Rotate it if this dump has been shared; use type 6 key storage where supported.
crypto isakmp key Vpnpass101 address 198.133.219.2
!
!
! Phase 2 uses 3DES + HMAC-SHA1, weaker than the AES-256 chosen for phase 1. Moving to
! esp-aes 256 requires the identical change on the Branch peer or negotiation fails.
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
!
! Bound to Serial0/0/0 below. ACL 120 defines the protected traffic as NAT pool range
! <-> Branch LAN, i.e. inside hosts are translated before they are encrypted.
crypto map VPN-MAP 10 ipsec-isakmp
set peer 198.133.219.2
set transform-set VPN-SET
match address 120
!
!
!
! SSHv2 only, 2 authentication retries, 90 s negotiation timeout. The domain name is
! required for the RSA host key (key pairs are not part of the running-config).
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 90
ip domain-name theccnas.com
!
!
! CBAC logs session open/close events to syslog.
ip inspect audit-trail
ip inspect audit-trail
! CBAC rule INTOCORP (icmp/tcp/udp), applied outbound on Serial0/0/0: return traffic for
! sessions started from inside is opened through the inbound INCORP ACL dynamically.
ip inspect name INTOCORP icmp
ip inspect name INTOCORP tcp
ip inspect name INTOCORP udp
spanning-tree mode pvst
!
! IOS IPS: signature store in flash:ipsdir/; every signature retired except the
! "ios_ips basic" category. It is applied only outbound on FastEthernet0/0 (toward the
! DMZ), so traffic into the 172.16.x VLANs is not IPS-inspected -- confirm this scope.
ip ips config location flash:ipsdir/ retries 1
ip ips name corpips
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
!
!
! DMZ interface (10.1.1.0/24). Outbound ACL DMZFIREWALL limits what reaches the DMZ
! hosts; IPS inspects the same direction; NAT inside.
interface FastEthernet0/0
ip address 10.1.1.254 255.255.255.0
ip ips corpips out
ip access-group DMZFIREWALL out
ip nat inside
duplex auto
speed auto
!
! Trunk toward the LAN switch; addressing lives on the dot1Q subinterfaces.
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
! VLAN 10 and VLAN 25 are NAT inside. 172.16.25.0/24 is the only VLAN DMZFIREWALL lets
! reach the DMZ freely and hosts the syslog/NTP server (172.16.25.2) and the vty admin
! host (172.16.25.5) referenced later in this config.
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 172.16.10.254 255.255.255.0
ip nat inside
!
interface FastEthernet0/1.25
encapsulation dot1Q 25
ip address 172.16.25.254 255.255.255.0
ip nat inside
!
interface FastEthernet0/1.99
! Native VLAN 99 (untagged on the trunk) has an address but no "ip nat inside", so
! 172.16.99.0/24 is routed internally but never translated toward the WAN even though
! ACL 1 would match it -- presumably a management-only VLAN; confirm.
encapsulation dot1Q 99 native
ip address 172.16.99.254 255.255.255.0
!
! WAN interface. Controls on it: INCORP ACL inbound, CBAC INTOCORP outbound (opens the
! return holes), NAT outside, crypto map for the Branch tunnel, CDP off, PPP CHAP.
interface Serial0/0/0
ip address 209.165.200.226 255.255.255.252
encapsulation ppp
ppp authentication chap
ip access-group INCORP in
ip nat outside
ip inspect INTOCORP out
no cdp enable
crypto map VPN-MAP
!
! Unused interfaces are administratively down.
interface Serial0/0/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
! PAT pool .245-.248 (/28) for sources matched by ACL 1; static 1:1 NAT exposes the DMZ
! web server (10.1.1.2 -> .241) and DNS server (10.1.1.5 -> .242).
ip nat pool PATPOOL 209.165.200.245 209.165.200.248 netmask 255.255.255.240
ip nat inside source list 1 pool PATPOOL overload
ip nat inside source static 10.1.1.2 209.165.200.241
ip nat inside source static 10.1.1.5 209.165.200.242
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
!
! ACL 1: NAT source list (all of 172.16.0.0/16). ACL 12: vty access-class.
! NOTE(review): 198.133.219.35 lies in the Branch LAN (198.133.219.32/27), but the INCORP
! entry that admits SSH to this router only covers 198.133.219.0/27 (.0-.31), so SSH from
! .35 across the WAN would be dropped by INCORP -- one of the two ranges looks mistyped.
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 12 permit host 172.16.25.5
access-list 12 permit host 198.133.219.35
! DMZFIREWALL (outbound toward the DMZ): web to 10.1.1.2, DNS to 10.1.1.5, everything from
! VLAN 25, FTP control (tcp/21) from the Branch LAN to 10.1.1.2. All else, including VLAN 10
! and ICMP, hits the implicit deny. FTP data connections are not opened by CBAC here because
! INTOCORP is applied on Serial0/0/0 only -- confirm passive FTP from Branch works.
ip access-list extended DMZFIREWALL
permit tcp any host 10.1.1.2 eq www
permit tcp any host 10.1.1.5 eq domain
permit udp any host 10.1.1.5 eq domain
permit ip 172.16.25.0 0.0.0.255 10.1.1.0 0.0.0.255
permit tcp 198.133.219.32 0.0.0.31 host 10.1.1.2 eq ftp
! INCORP (inbound from the WAN): public web/DNS on the static-NAT addresses, SSH to the
! router from 198.133.219.0/27, all IP from the VPN peer (IKE/ESP), and Branch LAN -> NAT
! range (the tunnel traffic). Implicit deny otherwise; return traffic for inside-initiated
! sessions relies on CBAC.
! NOTE(review): 198.133.219.0 0.0.0.31 does not include 198.133.219.35, the Branch host
! that ACL 12 admits on the vty lines -- check which range is intended.
ip access-list extended INCORP
permit tcp any host 209.165.200.241 eq www
permit tcp any host 209.165.200.242 eq domain
permit udp any host 209.165.200.242 eq domain
permit tcp 198.133.219.0 0.0.0.31 host 209.165.200.226 eq 22
permit ip host 198.133.219.2 host 209.165.200.226
permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
! Crypto ACL: traffic between the NAT pool range and the Branch LAN is what gets encrypted.
access-list 120 permit ip 209.165.200.240 0.0.0.15 198.133.219.32 0.0.0.31
!
banner motd ^CAuthorized Access Only!^C
!
!
!
!
! Syslog to 172.16.25.2 (VLAN 25) over plain UDP at the default trap level; no
! "logging trap" / "logging buffered" tuning is visible.
logging 172.16.25.2
! Console and vty: 20-minute idle timeout; with aaa new-model these lines authenticate
! against the local users via the default list. vty: SSH only, sources limited by ACL 12.
line con 0
exec-timeout 20 0
logging synchronous
line vty 0 4
access-class 12 in
exec-timeout 20 0
transport input ssh
line vty 5 15
access-class 12 in
exec-timeout 20 0
transport input ssh
!
!
! NOTE(review): "key 0" names an NTP key, but no "ntp authenticate", "ntp authentication-key"
! or "ntp trusted-key" lines exist in this config, so time from 172.16.25.2 is effectively
! unauthenticated; a spoofed time source would skew log timestamps. Confirm on the device.
ntp server 172.16.25.2 key 0
ntp update-calendar
!
end
BRANCH
Current configuration : 2015 bytes
!
! Branch router: VPN spoke toward CORP, protected by a zone-based firewall.
version 12.4
! NOTE(review): log timestamps are disabled here (CORP enables them) and this config has
! no "logging" host or NTP at all, so Branch events cannot be correlated with CORP logs.
! Consider "service timestamps log datetime msec" plus the same syslog/NTP targets.
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
security passwords min-length 10
!
hostname Branch
!
!
!
! Same enable secret hash as CORP: one enable password shared across both routers.
enable secret 5 $1$mERr$UBS6AqpcFjkupAnmSUCGG.
!
!
!
!
!
!
! Both credentials are byte-identical to CORP's (same passwords on both devices);
! "Internet" is a type 7 (reversible) password.
username CORPADMIN secret 5 $1$mERr$fPunCIN6tB/A1os48VIRu.
username Internet password 7 08024F40082A261E010803
!
! IKE/IPsec settings mirror CORP (they must match to negotiate): AES-256 / PSK / DH group 2,
! then 3DES + SHA-1 in phase 2; the PSK is stored in cleartext. Upgrade the DH group and
! transform-set on both ends in the same change window.
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp key Vpnpass101 address 209.165.200.226
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
set peer 209.165.200.226
set transform-set VPN-SET
match address 120
!
!
!
! NOTE(review): SSH version 1 is obsolete; this should be "ip ssh version 2" as on CORP.
! No "ip domain-name" is present (needed for the RSA host key), and the vty lines below use
! "transport input none", so there is currently no remote CLI access at all -- the router
! is console-only. Confirm that is intended.
ip ssh version 1
ip ssh authentication-retries 2
ip ssh time-out 90
!
!
spanning-tree mode pvst
!
! Zone-based firewall: ACL 110 (Branch LAN 198.133.219.32/27 -> any) is the only traffic
! inspected from the IN zone to the OUT zone.
class-map type inspect match-all BR-IN-CLASS-MAP
match access-group 110
!
policy-map type inspect BR-IN-OUT-PMAP
class type inspect BR-IN-CLASS-MAP
inspect
!
!
!
zone security BR-IN-ZONE
zone security BR-OUT-ZONE
! Only an IN->OUT zone pair exists: sessions started from the Branch LAN are inspected and
! their return traffic allowed, while anything initiated from the WAN side toward the LAN
! (including from CORP over the tunnel) is dropped by the zone default. IKE/ESP addressed
! to the router itself terminates in the self zone, which is unrestricted here.
zone-pair security IN-OUT-ZPAIR source BR-IN-ZONE destination BR-OUT-ZONE
service-policy type inspect BR-IN-OUT-PMAP
!
! Branch LAN 198.133.219.32/27 (IN zone).
interface FastEthernet0/0
ip address 198.133.219.62 255.255.255.224
zone-member security BR-IN-ZONE
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
! WAN interface in the OUT zone; no interface ACL, filtering is entirely ZBF.
! PPP CHAP, CDP disabled, crypto map for the CORP tunnel.
interface Serial0/0/0
ip address 198.133.219.2 255.255.255.252
zone-member security BR-OUT-ZONE
encapsulation ppp
ppp authentication chap
no cdp enable
crypto map VPN-MAP
!
! Unused interfaces are administratively down.
interface Serial0/0/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
! ACL 110 = inspected traffic; ACL 120 = crypto match (Branch LAN <-> CORP NAT range),
! the mirror image of CORP's ACL 120.
access-list 110 permit ip 198.133.219.32 0.0.0.31 any
access-list 120 permit ip 198.133.219.32 0.0.0.31 209.165.200.240 0.0.0.15
!
banner motd ^CAuthorized Access Only!^C
!
!
!
!
! No aaa new-model on this router, so "login local" is required on each line (present).
! vty lines: "transport input none" disables every remote access method.
! NOTE(review): the dump stops without an "end" line -- the capture may be truncated, so
! anything after "line vty 5 15" is not covered by this review.
line con 0
exec-timeout 20 0
logging synchronous
login local
line vty 0 4
exec-timeout 20 0
login local
transport input none
line vty 5 15
exec-timeout 20 0
login local
transport input none