!
!
No configuration change since last restart
version 15.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
no service dhcp
!
hostname InveralmondFibre
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 4 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
ip domain name shoredist.local
ip inspect log drop-pkt
ip inspect WAAS flush-timeout 10
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
ip cef
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
 spoofed-acker off
!
multilink bundle-name authenticated
license udi pid xx-SEC-K9 sn xx
!
!
archive
 log config
  hidekeys
object-group network og-L1-Allow-NTP
 description Allow NTP from these hosts
 host 129.6.15.28
!
object-group network og-L1-MainServer
 description Main server
 host 192.168.3.2
!
object-group network og-L1-Allow-SMTP
 description Allow outbound SMTP from these hosts
 group-object og-L1-MainServer
!
object-group network og-L1-JimHome
 description Jim Willsher Home IP
 host 88.97.xx.xx
!
object-group network og-L1-MermaidPanels
 description Mermaid Panels IP
 host 82.69.xx.xx
!
object-group network og-L1-ShoreLaminates
 description Shore Laminates IP
 host 82.69.1.37
!
object-group network og-L2-Allow-SNMP
 description Allow SNMP from these hosts
 group-object og-L1-JimHome
!
object-group network og-L2-Allow-SQL
 description Allow SQL Server from these hosts
 group-object og-L1-JimHome
 group-object og-L1-MermaidPanels
 group-object og-L1-ShoreLaminates
!
object-group network og-L2-Allow-SSH
 description Allow SSH from these hosts
 group-object og-L1-JimHome
 group-object og-L1-MainServer
 host 82.69.1.37
!
username root privilege 15 secret 5 xxx.
!
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
track 10 ip sla 10 reachability
 delay down 180 up 10
!
track 20 ip sla 20 reachability
 delay down 180 up 10
!
!
!
!
!
!
!
!
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 82.69.10.202
 tunnel destination 82.69.1.37
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 ip nbar protocol-discovery
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 description Inveralmond LAN
 ip address 192.168.3.1 255.255.255.0
 ip access-group acl-INT-IN in
 ip nbar protocol-discovery
 ip nat inside
 ip nat enable
 ip inspect firewall in
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer0
 bandwidth inherit
 ip address negotiated
 ip access-group acl-EXT-IN in
 ip access-group acl-EXT-OUT out
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xx@zen
 ppp chap password 7 xx
 ppp ipcp dns request
 ppp ipcp wins request
 no cdp enable
 ip rtp header-compression iphc-format
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat pool passiveFTP 192.168.3.2 192.168.3.2 netmask 255.255.255.0 type rotary
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
ip nat inside source static tcp 192.168.3.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.3.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.3.2 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.3.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.3.2 20 interface Dialer0 20
ip nat inside source static tcp 192.168.3.2 21 interface Dialer0 21
ip nat inside source static tcp 192.168.3.4 8001 interface Dialer0 8001
ip nat inside source static tcp 192.168.3.4 8002 interface Dialer0 8002
ip nat inside source static tcp 192.168.3.4 8000 interface Dialer0 8000
ip nat inside source static tcp 192.168.3.2 1433 interface Dialer0 1433
ip nat inside destination list acl-passiveFTP pool passiveFTP
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.7.0 255.255.255.0 172.16.1.1
!
ip access-list extended acl-EXT-IN
 remark Inbound external interface
 remark The below set the rfc1918 private exclusions
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip any any fragments
 remark ===================================================
 remark Allow established sessions back in
 permit tcp any any established
 remark ===================================================
 remark allow all HTTP/s traffic from everywhere
 permit tcp any any eq 443
 remark ===================================================
 remark allow all HTTP traffic from specific addresses
 permit tcp object-group og-L1-JimHome any eq www
 remark ===================================================
 remark FTP
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 remark Passive FTP ports matching passive FTP config
 permit tcp any any range 50000 50050
 remark ===================================================
 remark Allow PPTP VPN connections
 permit tcp any any eq 1723
 permit gre any any
 remark ===================================================
 remark CCTV Monitoring
 permit tcp any any range 8000 8002
 remark ===================================================
 remark Remote Desktop
 permit tcp object-group og-L1-JimHome any eq 3389
 remark ===================================================
 remark SQL Server
 permit tcp object-group og-L2-Allow-SQL any eq 1433
 remark ===================================================
 remark Allow selected SSH traffic and log all blocked SSH traffic
 permit tcp object-group og-L2-Allow-SSH any eq 22 log
 deny tcp any any eq 22 log
 remark ===================================================
 remark SNMP Monitoring
 permit udp object-group og-L2-Allow-SNMP any eq snmp
 remark ===================================================
 remark General DNS stuff
 permit udp any eq domain any
 remark ===================================================
 remark Standard acceptable icmp rules
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark ===================================================
 remark Block everything else
 deny ip any any
 remark ===================================================
ip access-list extended acl-EXT-OUT
 deny ip any host 66.179.42.233
 permit ip any any
ip access-list extended acl-INT-IN
 permit tcp object-group og-L1-Allow-SMTP any eq smtp log
 deny tcp any any eq smtp log
 deny udp any host 239.255.255.250 eq 1900
 permit ip any any
ip access-list extended acl-NAT-Ranges
 deny ip 192.168.3.0 0.0.0.255 192.168.7.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
ip access-list extended acl-passiveFTP
 permit tcp any any range 50000 50050
ip access-list extended passiveFTPNew
 permit tcp any any range 50000 50050
!
ip sla auto discovery
ip sla 10
 icmp-echo 8.8.8.8 source-interface Vlan1
 frequency 10
ip sla schedule 10 life forever start-time now
ip sla 20
 icmp-echo 208.67.222.222 source-interface Vlan1
 frequency 10
ip sla schedule 20 life forever start-time now
ip access-list logging interval 10
logging trap debugging
logging facility local6
dialer-list 1 protocol ip permit
!
snmp-server community Inveralmond RO
!
!
!
control-plane
!
!
!
line con 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 length 40
 width 160
 transport input ssh
 transport output all
!
ntp master
ntp server 129.6.15.28
event manager applet ema-FIBRE-Down
 event tag PingDown1 track 10 state down
 event tag PingDown2 track 20 state down
 trigger
  correlate event PingDown1 and event PingDown2
 action 10 syslog msg "********** WARNING! Fibre Line Down! **********"
 action 20 reload
event manager applet ema-FIBRE-Up
 event tag PingUp1 track 10 state up
 event tag PingUp2 track 20 state up
 trigger
  correlate event PingUp1 or event PingUp2
 action 10 syslog msg "********** Fibre Line UP **********"
!
end
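What the WAN-side ACL above actually admits is easiest to see by walking sample packets through it in order. The following is an added example, not part of the original configuration and not the site's own tooling: a small Python evaluator that applies the acl-EXT-IN entries first-match with the page's object groups expanded. The redacted addresses 88.97.xx.xx and 82.69.xx.xx are replaced by constructed TEST-NET-3 stand-ins (203.0.113.10 and 203.0.113.20), the sample source hosts are constructed too, and the evaluator models only the ACL itself, not CBAC inspect sessions, NAT or the router's full fragment-handling rules beyond the `fragments` and `established` keywords it checks.

```python
# Added example, not from the original page: first-match evaluator for the acl-EXT-IN
# entries above, with object-group expansion. Redacted hosts replaced by placeholders.
import ipaddress
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "domain": 53, "snmp": 161}
OBJECT_GROUPS = {  # as defined on the page; the xx.xx hosts are constructed placeholders
    "og-L1-JimHome": ["host 203.0.113.10"],  # placeholder for 88.97.xx.xx
    "og-L1-MermaidPanels": ["host 203.0.113.20"],  # placeholder for 82.69.xx.xx
    "og-L1-ShoreLaminates": ["host 82.69.1.37"],
    "og-L1-MainServer": ["host 192.168.3.2"],
    "og-L2-Allow-SNMP": ["group-object og-L1-JimHome"],
    "og-L2-Allow-SQL": ["group-object og-L1-JimHome", "group-object og-L1-MermaidPanels", "group-object og-L1-ShoreLaminates"],
    "og-L2-Allow-SSH": ["group-object og-L1-JimHome", "group-object og-L1-MainServer", "host 82.69.1.37"],
}
ACL_EXT_IN = """\
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip any any fragments
permit tcp any any established
permit tcp any any eq 443
permit tcp object-group og-L1-JimHome any eq www
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any range 50000 50050
permit tcp any any eq 1723
permit gre any any
permit tcp any any range 8000 8002
permit tcp object-group og-L1-JimHome any eq 3389
permit tcp object-group og-L2-Allow-SQL any eq 1433
permit tcp object-group og-L2-Allow-SSH any eq 22 log
deny tcp any any eq 22 log
permit udp object-group og-L2-Allow-SNMP any eq snmp
permit udp any eq domain any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any source-quench
permit icmp any any packet-too-big
permit icmp any any time-exceeded
deny ip any any"""

def _take_addr(tok, i):  # 'any' | 'host A' | 'object-group N' | 'NET WILDCARD'
    return (("any",), i + 1) if tok[i] == "any" else ((tok[i], tok[i + 1]), i + 2)

def _take_port(tok, i):  # optional 'eq P' | 'range LO HI' -> inclusive (lo, hi) or None
    if i < len(tok) and tok[i] == "eq":
        p = int(PORT_NAMES.get(tok[i + 1], tok[i + 1]))
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_ace(line):
    tok = line.split()
    src, i = _take_addr(tok, 2)
    sport, i = _take_port(tok, i)
    dst, i = _take_addr(tok, i)
    dport, i = _take_port(tok, i)
    return {"text": line, "action": tok[0], "proto": tok[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(tok[i:]) - {"log"}}

def _addr_match(spec, ip):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return ip == ipaddress.ip_address(spec[1])
    if spec[0] == "object-group":  # expand nested 'group-object' entries recursively
        return any(_addr_match(("object-group" if k == "group-object" else k, v), ip)
                   for k, v in (e.split() for e in OBJECT_GROUPS[spec[1]]))
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(spec[1]))  # wildcard: set bits are don't-care
    return int(ip) & mask == int(ipaddress.ip_address(spec[0])) & mask

def ace_matches(ace, f):
    if ace["proto"] not in ("ip", f["proto"]):
        return False
    if not (_addr_match(ace["src"], f["src"]) and _addr_match(ace["dst"], f["dst"])):
        return False
    for key in ("sport", "dport"):
        if ace[key] and not ace[key][0] <= f.get(key, -1) <= ace[key][1]:
            return False
    flags = ace["flags"]  # 'fragments' = non-initial fragments only; 'established' = ACK/RST set
    if ("fragments" in flags and not f.get("fragment")) or ("established" in flags and not f.get("established")):
        return False
    icmp_types = flags - {"fragments", "established"}
    return not icmp_types or f.get("icmp_type") in icmp_types

ACES = [parse_ace(line) for line in ACL_EXT_IN.splitlines()]

def evaluate(f):
    """Return (action, ACE text) of the first matching entry, as IOS does."""
    for ace in ACES:
        if ace_matches(ace, f):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"

def flow(proto, src, dst, **fields):
    """Constructed sample packet: endpoints plus sport/dport/established/fragment/icmp_type."""
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst), **fields}

def open_to_world():
    """Permit entries that accept a new session from any source: the router's exposed surface."""
    return [a["text"] for a in ACES
            if a["action"] == "permit" and a["src"] == ("any",) and "established" not in a["flags"]]
```

With the destination set to the Tunnel0 source address from the config (82.69.10.202; every ACE uses `any` as destination, so the value does not influence the result), `evaluate()` reports that RDP (3389), SQL Server (1433) and SSH (22) are admitted only from object-group members, that a blocked SSH attempt hits `deny tcp any any eq 22 log` and is therefore what shows up in syslog, and that a packet with an RFC 1918 source is dropped before any service rule is consulted. `open_to_world()` lists the entries reachable from any source as a new session (443, FTP and the passive range, PPTP/GRE, the CCTV ports 8000-8002, DNS replies and the five ICMP types), which is the list worth reviewing when deciding whether each published port still needs to be world-reachable or could be tied to an object group like the others.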