!
version 17.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname router01
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 8
logging buffered 524288 informational
!
no aaa new-model
!
!
!
!
!
!
!
ip host support.YOUDONTWANNAKNOW.COM 192.168.11.15
ip name-server 8.8.8.8
ip domain name TESR.YOUDONTWANNAKNOW.COM
ip dhcp excluded-address 10.73.0.1 10.73.0.230
ip dhcp excluded-address 10.73.0.251 10.73.0.254
ip dhcp excluded-address 10.73.2.1 10.73.2.230
ip dhcp excluded-address 10.73.2.251 10.73.2.254
!
ip dhcp pool maint
 network 10.73.0.0 255.255.255.0
 default-router 10.73.0.254
 dns-server 10.73.0.254
!
ip dhcp pool game
 network 10.73.2.0 255.255.255.0
 default-router 10.73.2.254
 dns-server 10.73.2.254
!
ip dhcp pool dante
 network 10.73.24.0 255.255.255.0
 default-router 10.73.24.254
 dns-server 10.73.24.254
!
!
!
login on-success log
!
!
!
!
!
!
!
no subscriber templating
!
!
!
!
!
vtp domain TESR
vtp mode transparent
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2225009057
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2225009057
 revocation-check none
 rsakeypair TP-self-signed-2225009057
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
!
!
no license feature hseck9
license udi pid C1111-8P sn FCZ2530R9DQ
license boot suite FoundationSuiteK9
archive
 path ftp://192.168.11.1/TESR/router/router1-confg
 write-memory
 time-period 10080
memory free low-watermark processor 70888
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
!
!
!
!
vlan internal allocation policy ascending
!
vlan 2
 name game
!
vlan 21
 name iptv
!
vlan 24
 name dante
!
vlan 26
 name NDI
!
vlan 90
 name INTERCONNECT
!
vlan 100
 name idrac
!
vlan 120
 name idrac-game
!
!
class-map type inspect match-all MonitoringAccess
 match access-group name MonitoringHosts
 match protocol snmp
class-map type inspect match-any IPSecProtocols
 match protocol isakmp
 match protocol ipsec-msft
class-map type inspect match-any AllTrafficTcpUdp
 match protocol tcp
 match protocol udp
class-map type inspect match-all SecurityToDomainController
 match access-group name ActiveDirectoryPorts
 match access-group name ServiceServer
class-map type inspect match-all ManagementAccess
 match access-group name ManagementHosts
class-map type inspect match-all VPNOutsideToInside
 match access-group name RemoteLanToLocalLan
class-map type inspect match-any InspectTraffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 match protocol http
class-map type inspect match-any DHCPAccess
 match access-group name dhcp-client
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-all AllowICMP
 match protocol icmp
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-all InvalidSource
 match access-group name InvalidSource
class-map type inspect match-all SiteToSiteVPN
 match access-group name SiteToSiteVPNPeers
 match class-map IPSecProtocols
class-map type inspect match-any ManagementProtocols
 match class-map SDM_SSH
 match class-map SDM_HTTPS
!
policy-map type inspect pol_in_out
 class type inspect InvalidSource
  drop log
 class type inspect InspectTraffic
  inspect
 class class-default
  drop
policy-map type inspect pol_out_self
 class type inspect AllowICMP
  inspect
 class type inspect ManagementAccess
  inspect
 class type inspect SiteToSiteVPN
  pass
 class type inspect MonitoringAccess
  pass
 class class-default
  drop
policy-map type inspect pol_self_out
 class type inspect AllowICMP
  inspect
 class type inspect AllTrafficTcpUdp
  inspect
 class class-default
  drop
policy-map type inspect pol_out_security
 class type inspect VPNOutsideToInside
  inspect
 class class-default
  drop
policy-map type inspect pol_security_out
 class type inspect InvalidSource
  drop log
 class type inspect InspectTraffic
  inspect
 class class-default
  drop
policy-map type inspect pol_in_security
 class type inspect InspectTraffic
  inspect
 class class-default
  drop
policy-map type inspect pol_security_in
 class type inspect SecurityToDomainController
  inspect
 class class-default
  drop log
policy-map type inspect pol_out_in
 class type inspect VPNOutsideToInside
  inspect
 class class-default
  drop
!
!
zone security LAN
zone security WAN
zone security VPN
zone security SEC
zone-pair security LAN-SEC source LAN destination SEC
 service-policy type inspect pol_in_security
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect pol_in_out
zone-pair security SEC-LAN source SEC destination LAN
 service-policy type inspect pol_security_in
zone-pair security SEC-WAN source SEC destination WAN
 service-policy type inspect pol_security_out
zone-pair security SELF-WAN source self destination WAN
 service-policy type inspect pol_self_out
zone-pair security WAN-LAN source WAN destination LAN
 service-policy type inspect pol_out_in
zone-pair security WAN-SEC source WAN destination SEC
 service-policy type inspect pol_out_security
zone-pair security WAN-SELF source WAN destination self
 service-policy type inspect pol_out_self
!
!
!
!
!
!
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key WHATEVER_SHOULD_BE_HERE_ITS_NOT address 8.8.8.8_CAUSE_I_CAN
crypto isakmp keepalive 30 10 periodic
crypto isakmp nat keepalive 15
!
!
crypto ipsec transform-set MyTransformSet esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to8.8.8.8_CAUSE_I_CAN
 set peer 8.8.8.8_CAUSE_I_CAN
 set transform-set MyTransformSet
 set pfs group5
 match address 110
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 description ISP
 ip address 8.8.4.4_CAUSE_I_CAN 255.255.255.248
 ip nat outside
 zone-member security WAN
 media-type rj45
 negotiation auto
 crypto map SDM_CMAP_1
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport mode trunk
!
interface GigabitEthernet0/1/1
 switchport mode trunk
!
interface GigabitEthernet0/1/2
 switchport mode trunk
!
interface GigabitEthernet0/1/3
 switchport mode trunk
!
interface GigabitEthernet0/1/4
 switchport mode trunk
!
interface GigabitEthernet0/1/5
 switchport mode trunk
!
interface GigabitEthernet0/1/6
 switchport mode trunk
!
interface GigabitEthernet0/1/7
 switchport mode trunk
!
interface Vlan1
 description maint
 ip address 10.73.0.254 255.255.255.0
 ip nat inside
 zone-member security LAN
 ip virtual-reassembly
!
interface Vlan2
 description game
 ip address 10.73.2.254 255.255.255.0
 ip pim sparse-dense-mode
 ip nat inside
 zone-member security LAN
 ip virtual-reassembly
!
interface Vlan100
 description idrac-maint
 ip address 10.73.120.254 255.255.255.0 secondary
 ip address 10.73.100.254 255.255.255.0
 ip nat inside
 zone-member security LAN
 ip virtual-reassembly
!
no ip http server
no ip http secure-server
ip forward-protocol nd
no ip forward-protocol udp
ip ftp source-interface Vlan1
ip ftp username cisco
ip ftp password 7 044F5E1158271F7F2603103A28
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 8.8.4.4_CAUSE_I_CAN_ROUTE
!
!
ip access-list extended ActiveDirectoryPorts
 10 permit tcp any any
 20 permit udp any any
ip access-list extended CISCO-CWA-URL-REDIRECT-ACL
ip access-list extended InvalidSource
 10 permit ip host 255.255.255.255 any
 20 permit ip 127.0.0.0 0.255.255.255 any
ip access-list extended ManagementHosts
 10 remark CCP_ACL Category=1
 10 permit ip host 8.8.8.8_CAUSE_I_CAN any
 20 permit ip 192.168.11.0 0.0.0.255 any
ip access-list extended MonitoringHosts
 10 remark CCP_ACL Category=128
 10 permit ip host 192.168.11.1 any
ip access-list extended RemoteLanToLocalLan
 10 permit ip 192.168.11.0 0.0.0.255 10.73.0.0 0.0.255.255
ip access-list extended SDM_HTTPS
 10 remark CCP_ACL Category=1
 10 permit tcp any any eq 443
ip access-list extended SDM_SSH
 10 remark CCP_ACL Category=1
 10 permit tcp any any eq 22
ip access-list extended ServiceServer
 10 remark CCP_ACL Category=1
 10 permit ip any host 10.73.2.1
ip access-list extended SiteToSiteVPNPeers
 10 remark CCP_ACL Category=1
 10 permit ip host 8.8.8.8_CAUSE_I_CAN any
ip access-list extended TicketImportExportPort
 10 permit tcp any any range 8888 8889
ip access-list extended TicketImportExportServer
 10 permit ip any host 10.73.5.201
ip access-list extended TicketNotificationPort
 10 permit tcp any any eq 8900
ip access-list extended dhcp-client
 10 permit udp any any eq bootps
 20 permit udp any any eq bootpc
ip access-list extended term_access
 10 remark CCP_ACL Category=1
 10 permit tcp 10.73.0.0 0.0.255.255 any eq 22
 20 permit tcp 192.168.11.0 0.0.0.255 any eq 22
 30 permit tcp host 8.8.8.8_CAUSE_I_CAN any eq 22
 40 deny ip any any log
!
ip sla 200
 icmp-echo 192.168.11.254 source-interface Vlan1
 timeout 6000
 frequency 10
ip sla schedule 200 life forever start-time now
ip access-list extended 110
 10 remark CCP_ACL Category=4
 10 remark IPSec Rule
 10 permit ip 10.73.0.0 0.0.255.255 192.168.11.0 0.0.0.255
ip access-list extended 111
 10 deny ip 10.73.0.0 0.0.255.255 192.168.11.0 0.0.0.255
 20 permit ip 10.73.0.0 0.0.255.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 111
!
snmp-server community public RO
snmp-server location MAIN AV CONTROL ROOM
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps cpu threshold
snmp-server host 10.73.0.160 public
!
!
!
control-plane
!
!
line con 0
 login local
 transport input none
 stopbits 1
line vty 0 4
 access-class term_access in
 login local
 transport input ssh
line vty 5 15
 access-class term_access in
 login local
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
ntp master
!
!
!
!
!
!
end