!
version 15.4
service timestamps debug datetime
service timestamps log datetime localtime
service internal
service sequence-numbers
!
hostname c892
!
boot-start-marker
boot system flash c890-universalk9-mz.154-3.M4.bin
boot-end-marker
!
!
logging buffered 2147483
no logging console
!
no aaa new-model
clock timezone Riyadh 3 0
!
!
no ip gratuitous-arps
!
ip domain lookup source-interface GigabitEthernet0
ip domain name yourdomain.com
ip name-server 82.209.240.241
ip name-server 82.209.243.241
ip multicast-routing
ip inspect WAAS flush-timeout 10
ip inspect name Firewall ftp
ip inspect name Firewall ftps
ip cef
login on-failure log
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
!
!
!
!
multilink bundle-name authenticated
!
!
!
cts logging verbose
!
!
archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
  hidekeys
!
redundancy
 notification-timer 120000
!
!
!
!
no cdp run
!
track 1 ip sla 1 reachability
 delay down 5 up 10
!
!
class-map type inspect match-any DMZ_WAN_CLASS
 match access-group name Allow_All_ACL-DMZ
class-map type inspect match-any WAN_DMZ_CLASS
 match access-group name WAN_DMZ_ACL
class-map type inspect match-any LAN_WAN_CLASS
 match access-group name Allow_All_ACL
class-map type inspect match-any WAN_LAN_CLASS
 match access-group name WAN_LAN_ACL
class-map type inspect match-any LAN_DMZ_CLASS
 match access-group name Allow_All_ACL
class-map type inspect match-any DMZ_LAN_CLASS
 match access-group name DMZ_LAN_ACL
!
policy-map type inspect DMZ_LAN_POLICY
 class type inspect DMZ_LAN_CLASS
  inspect
 class class-default
  drop log
policy-map type inspect DMZ_WAN_POLICY
 class type inspect DMZ_WAN_CLASS
  inspect
 class class-default
  drop
policy-map type inspect LAN_DMZ_POLICY
 class type inspect LAN_DMZ_CLASS
  inspect
 class class-default
  pass
policy-map type inspect WAN_DMZ_POLICY
 class type inspect WAN_DMZ_CLASS
  inspect
 class class-default
  drop
policy-map type inspect WAN_LAN_POLICY
 class type inspect WAN_LAN_CLASS
  inspect
 class class-default
  drop log
policy-map type inspect LAN_WAN_POLICY
 class type inspect LAN_WAN_CLASS
  inspect
 class class-default
  drop log
!
zone security LAN
zone security DMZ
zone security WAN
zone-pair security LAN_DMZ source LAN destination DMZ
 service-policy type inspect LAN_DMZ_POLICY
zone-pair security DMZ_LAN source DMZ destination LAN
 service-policy type inspect DMZ_LAN_POLICY
zone-pair security WAN_DMZ source WAN destination DMZ
 service-policy type inspect WAN_DMZ_POLICY
zone-pair security DMZ_WAN source DMZ destination WAN
 service-policy type inspect DMZ_WAN_POLICY
zone-pair security LAN_WAN source LAN destination WAN
 service-policy type inspect LAN_WAN_POLICY
zone-pair security WAN_LAN source WAN destination LAN
 service-policy type inspect WAN_LAN_POLICY
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 111 address 8.8.8.8
crypto isakmp key 111 address 7.7.7.7
crypto isakmp key 111 address 6.6.6.6
crypto isakmp key 111 address 5.5.5.5
crypto isakmp key 111 address 4.4.4.4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
!
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to_BS
 set peer 7.7.7.7
 set peer 8.8.8.8
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA1
 match address 100
crypto map SDM_CMAP_2 2 ipsec-isakmp
 description Tunnel to6.6.6.6
 set peer 6.6.6.6
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA1
 set pfs group2
 match address UIS_VPN
crypto map SDM_CMAP_2 3 ipsec-isakmp
 description Tunnel to5.5.5.5
 set peer 5.5.5.5
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA1
 match address Parimatch_VPN
crypto map SDM_CMAP_2 4 ipsec-isakmp
 description Tunnel to4.4.4.4
 set peer 4.4.4.4
 set transform-set ESP-3DES-SHA1
 match address Life_VPN
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 description Inside
 switchport access vlan 3
 no ip address
!
interface FastEthernet1
 description Inside
 switchport access vlan 3
 no ip address
!
interface FastEthernet2
 description Inside
 switchport access vlan 3
 no ip address
!
interface FastEthernet3
 description Inside
 switchport access vlan 3
 no ip address
!
interface FastEthernet4
 description DMZ
 switchport access vlan 4
 no ip address
!
interface FastEthernet5
 description DMZ
 switchport access vlan 4
 no ip address
!
interface FastEthernet6
 description DMZ
 switchport access vlan 4
 no ip address
!
interface FastEthernet7
 description DMZ
 switchport access vlan 4
 no ip address
!
interface FastEthernet8
 description ISP2
 ip address 10.1.36.126 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description $ETH-WAN$
 ip address 194.194.194.194 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 crypto map SDM_CMAP_2
!
interface Vlan1
 no ip address
!
interface Vlan3
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 ip tcp adjust-mss 1452
!
interface Vlan4
 ip address 192.168.4.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security DMZ
 ip tcp adjust-mss 1452
!
!
ip forward-protocol nd
ip http server
ip http port 8080
ip http access-class 23
ip http authentication local
ip http secure-server
ip http secure-port 9843
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip tftp source-interface Vlan3
ip nat pool gate-to-parimatch 172.17.193.100 172.17.193.100 netmask 255.255.255.0
ip nat pool gate-to-lifesmsc 194.194.194.193 194.194.194.193 netmask 255.255.255.0
ip nat pool to-bft 10.1.36.126 10.1.36.126 netmask 255.255.255.0
ip nat inside source list 102 pool to-bft overload
ip nat inside source list 104 pool gate-to-parimatch overload
ip nat inside source list 105 pool gate-to-lifesmsc overload
ip nat inside source static tcp 192.168.4.10 443 interface GigabitEthernet0 443
ip nat inside source static tcp 192.168.4.10 80 interface GigabitEthernet0 80
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source static 192.168.4.1 172.17.199.100 route-map route-to-uis-test
ip nat inside source static tcp 192.168.4.11 21 194.194.194.192 21 extendable
ip nat inside source static tcp 192.168.4.11 80 194.194.194.192 80 extendable
ip route 0.0.0.0 0.0.0.0 194.194.194.1 permanent
ip route 10.0.0.0 255.0.0.0 FastEthernet8
ip route 10.16.98.99 255.255.255.255 194.194.194.1
ip ssh port 9822 rotary 1
!
ip access-list extended Allow_All_ACL
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
 permit icmp any any
ip access-list extended Allow_All_ACL-DMZ
 permit esp any any
 permit tcp host 192.168.4.1 host 192.168.111.2 eq 1521
 deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 172.17.19.0 0.0.0.255
 permit icmp 192.168.4.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
ip access-list extended DMZ_LAN_ACL
 permit tcp 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 1521
ip access-list extended Life_VPN
 permit tcp host 194.194.194.193 host 81.54.99.99 eq 17000
 permit tcp host 194.194.194.193 host 81.54.99.92 eq 2775
 permit tcp host 194.194.194.193 host 81.54.99.93 eq 2775
 deny ip any any
ip access-list extended Parimatch_VPN
 permit ip 172.17.193.0 0.0.0.255 host 172.32.2.1
 deny ip any any
ip access-list extended SSH9822
 permit tcp any any eq 9822
 deny ip any any log
ip access-list extended UIS_VPN
 permit ip 192.168.3.0 0.0.0.255 host 172.16.194.100
 permit ip 192.168.4.0 0.0.0.255 host 172.16.194.100
 permit ip host 172.17.199.100 host 172.16.194.100
ip access-list extended WAN_DMZ_ACL
 permit tcp any any established
 permit tcp any any eq ftp
 permit tcp any any range 6000 7000
 permit tcp any any eq 995
 permit tcp any any eq 465
 permit tcp any any eq www
 permit tcp any any eq 443
 permit icmp any any
 permit esp any any
 permit ip 192.168.111.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 172.17.19.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip host 172.16.194.100 192.168.4.0 0.0.0.255
 deny ip any any
ip access-list extended WAN_LAN_ACL
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.111.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip host 172.16.194.100 192.168.3.0 0.0.0.255
 permit ip 172.17.19.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit icmp any any
 deny ip any any
!
ip sla 1
 icmp-echo 192.168.111.254 source-interface Vlan3
 request-data-size 16
 threshold 3000
 timeout 3000
 frequency 3
logging trap notifications
logging facility local4
logging source-interface Vlan3
logging host 192.168.111.50
dialer-list 1 protocol ip permit
!
!
route-map SDM_RMAP_TO_BFT permit 10
 match ip address 102
 match interface fastEthernet8
!
route-map SDM_RMAP_1 permit 10
 match ip address 101
 match interface GigabitEthernet0
!
!
access-list 23 remark CCP_ACL Category=1
access-list 23 permit any
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 100 remark IPSEC-BS
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.16.177.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.16.61.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.17.19.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 172.16.177.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 172.16.61.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 172.17.19.0 0.0.0.255
access-list 100 permit ip host 192.168.4.1 host 10.18.144.20
access-list 100 permit ip host 172.32.2.1 192.168.111.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.177.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.61.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 172.17.19.0 0.0.0.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 172.16.177.0 0.0.0.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 172.16.61.0 0.0.0.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 172.17.19.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 host 172.16.194.100
access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.16.194.100
access-list 101 deny ip host 192.168.4.1 host 10.18.144.20
access-list 101 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 102 deny ip any any
access-list 103 permit tcp host 192.168.4.1 eq 22 host 172.16.194.100 eq 22
access-list 104 permit ip host 192.168.4.1 host 172.32.2.1
access-list 105 permit ip host 192.168.4.1 host 81.54.99.99
access-list 105 permit ip host 192.168.4.1 host 81.54.99.92
access-list 105 permit ip host 192.168.4.1 host 81.54.99.93
access-list 120 permit tcp 192.168.3.0 0.0.0.255 any eq www
access-list 120 deny ip any any
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class SSH9822 in
 privilege level 15
 login local
 rotary 1
 transport input ssh
line vty 5 15
 access-class SSH9822 in
 privilege level 15
 login local
 rotary 1
 transport input ssh
!
ntp server 2.by.pool.ntp.org
!
end