!
! Last configuration change at 07:41:52 BST Sat Jul 2 2016 by root
version 15.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
no service dhcp
!
hostname LaminatesFibre
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 4 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
ip domain name shoredist.local
ip inspect log drop-pkt
ip inspect WAAS flush-timeout 10
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
ip cef
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
 spoofed-acker off
!
multilink bundle-name authenticated
license udi pid xx-SEC-K9 sn xx
!
!
archive
 log config
  hidekeys
object-group network og-L1-Allow-NTP
 description Allow NTP from these hosts
 host 129.6.15.28
!
object-group network og-L1-MainServer
 description Main server
 host 192.168.7.2
!
object-group network og-L1-Allow-SMTP
 description Allow outbound SMTP from these hosts
 group-object og-L1-MainServer
!
object-group network og-L1-JimHome
 description Jim Willsher Home IP
 host 88.97.xx.2xx42
!
object-group network og-L2-Allow-AdminRDP
 description Allow Administrative RDP from these hosts
 group-object og-L1-JimHome
 group-object og-L1-MainServer
!
object-group network og-L2-Allow-DRAC
 description Allow SSH from these hosts
 group-object og-L1-JimHome
!
object-group network og-L2-Allow-SNMP
 description Allow SNMP from these hosts
 group-object og-L1-JimHome
!
object-group network og-L2-Allow-SSH
 description Allow SSH from these hosts
 group-object og-L1-JimHome
 group-object og-L1-MainServer
 host 82.71.xx.xx
!
object-group network og-L2-Allow-iData
 description Allow iData to access the phones
 host 188.66.81.146
 host 81.174.241.136
 host 84.92.36.250
!
username root privilege 15 secret 5 xx
!
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
track 10 ip sla 10 reachability
 delay down 180 up 10
!
track 20 ip sla 20 reachability
 delay down 180 up 10
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PASS address 82.69.10.202
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
!
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS
!
!
!
!
!
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 82.69.1.37
 tunnel destination 82.69.10.202
 tunnel protection ipsec profile protect-gre
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 ip nbar protocol-discovery
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 description Shore LAN
 ip address 192.168.7.1 255.255.255.0
 ip access-group acl-INT-IN in
 ip nbar protocol-discovery
 ip nat inside
 ip nat enable
 ip inspect firewall in
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer0
 bandwidth inherit
 ip address negotiated
 ip access-group acl-EXT-IN in
 ip access-group acl-EXT-OUT out
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xx@zen
 ppp chap password 7 xx
 ppp ipcp dns request
 ppp ipcp wins request
 no cdp enable
 ip rtp header-compression iphc-format
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
no ip nat service sip udp port 5060
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
ip nat inside source static tcp 192.168.7.2 33890 interface Dialer0 33890
ip nat inside source static tcp 192.168.7.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.7.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.7.2 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.7.3 5900 interface Dialer0 5900
ip nat inside source static tcp 192.168.7.3 5901 interface Dialer0 5901
ip nat inside source static tcp 192.168.7.6 30080 interface Dialer0 30080
ip nat inside source static tcp 192.168.7.4 32443 interface Dialer0 32443
ip nat inside source static tcp 192.168.7.9 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.7.7 33891 interface Dialer0 33891
ip nat inside source static tcp 192.168.7.51 8082 interface Dialer0 8082
ip nat inside source static udp 192.168.7.51 8082 interface Dialer0 8082
ip nat inside source static tcp 192.168.7.3 32445 interface Dialer0 32445
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.3.0 255.255.255.0 172.16.1.2
!
ip access-list extended acl-EXT-IN
 remark Inbound external interface
 remark The below set the rfc1918 private exclusions
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip any any fragments
 remark ===================================================
 remark Allow established sessions back in
 permit tcp any any established
 remark ===================================================
 remark Allow selected SSH traffic and log all blocked SSH traffic
 permit tcp object-group og-L2-Allow-SSH any eq 22 log
 deny   tcp any any eq 22 log
 remark ===================================================
 remark Remote Desktop
 permit tcp any any eq 3389
 permit tcp object-group og-L2-Allow-AdminRDP any eq 33890
 permit tcp object-group og-L2-Allow-AdminRDP any eq 33891
 remark ===================================================
 remark Various services
 permit tcp any any eq smtp
 permit udp any any eq ntp
 permit tcp any any eq 443
 permit tcp any any eq 30080
 remark ===================================================
 remark iDRAC (both)
 permit tcp object-group og-L2-Allow-DRAC any range 5900 5901
 permit tcp object-group og-L2-Allow-DRAC any eq 32443
 permit tcp object-group og-L2-Allow-DRAC any eq 32445
 remark ===================================================
 remark iData Telephones
 permit tcp object-group og-L2-Allow-iData any eq 8082
 permit udp object-group og-L2-Allow-iData any eq 8082
 remark ===================================================
 remark SNMP access
 permit udp object-group og-L2-Allow-SNMP any eq snmp
 remark ===================================================
 remark Allow PPTP VPN connections
 permit tcp any any eq 1723
 permit gre any any
 remark ===================================================
 remark General DNS stuff
 permit udp any eq domain any
 remark ===================================================
 remark Standard acceptable icmp rules
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark ===================================================
 remark Block everything else
 deny   ip any any
 remark ===================================================
ip access-list extended acl-EXT-OUT
 deny   ip any host 66.179.42.233
 permit ip any any
ip access-list extended acl-INT-IN
 permit tcp object-group og-L1-Allow-SMTP any eq smtp log
 deny   tcp any any eq smtp log
 deny   udp any host 239.255.255.250 eq 1900
 permit ip any any
ip access-list extended acl-NAT-Ranges
 deny   ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.7.0 0.0.0.255 any
!
ip sla auto discovery
ip sla 10
 icmp-echo 8.8.8.8 source-interface Vlan1
 frequency 10
ip sla schedule 10 life forever start-time now
ip sla 20
 icmp-echo 208.67.222.222 source-interface Vlan1
 frequency 10
ip sla schedule 20 life forever start-time now
ip access-list logging interval 10
logging trap debugging
logging facility local6
dialer-list 1 protocol ip permit
!
snmp-server community Shore RO
!
!
!
control-plane
!
!
!
line con 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 length 40
 width 160
 transport input ssh
 transport output all
!
ntp master
ntp server 129.6.15.28
event manager applet ema-FIBRE-Down
 event tag PingDown1 track 10 state down
 event tag PingDown2 track 20 state down
 trigger
  correlate event PingDown1 and event PingDown2
 action 10 syslog msg "********** WARNING! Fibre Line Down! **********"
 action 20 reload
event manager applet ema-FIBRE-Up
 event tag PingUp1 track 10 state up
 event tag PingUp2 track 20 state up
 trigger
  correlate event PingUp1 or event PingUp2
 action 10 syslog msg "********** Fibre Line UP **********"
!
end
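A reviewer reading this running config would note three things straight from the text: the IKE policy uses 3DES, MD5 and DH group 2 and the transform set uses esp-3des/esp-md5-hmac; acl-EXT-IN permits TCP/3389 and TCP/1723 plus GRE from any source (3389 is then statically NATed to 192.168.7.9); and SNMP is configured with a v1/v2c community string, which is sent in cleartext even though the ACL limits who may send it. The script below is an added example, not part of the configuration above or of any vendor tool: a small audit that parses an IOS-style running config (one-space indentation for sub-commands, which is the layout shown above) and reports those classes of finding. The sample config embedded in it is a constructed excerpt modelled on the config on this page; the check lists (weak IKE settings, weak transforms, sensitive ports) are the author's choices, not something the page defines.

```python
"""Audit an IOS-style running config for a few weak edge-router settings.

Added example, not part of the configuration on this page. SAMPLE_CONFIG is a
constructed excerpt modelled on that configuration so the script runs offline.
"""
import re

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PASS address 82.69.10.202
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode transport
!
ip access-list extended acl-EXT-IN
 permit tcp object-group og-L2-Allow-SSH any eq 22 log
 deny   tcp any any eq 22 log
 permit tcp any any eq 3389
 permit tcp object-group og-L2-Allow-AdminRDP any eq 33890
 permit tcp any any eq 443
 permit udp any any eq ntp
 permit tcp any any eq 1723
 permit gre any any
 permit udp object-group og-L2-Allow-SNMP any eq snmp
 deny   ip any any
!
snmp-server community Shore RO
ntp master
"""

# IKE phase-1 values a reviewer would flag (assumed policy, not from the page).
WEAK_IKE = {
    "encr": {"des", "3des"},
    "hash": {"md5"},
    "group": {"1", "2", "5"},  # 768/1024/1536-bit MODP groups
}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
# Destination ports an Internet-facing ACL should not permit from "any".
SENSITIVE_PORTS = {"22": "SSH", "23": "Telnet", "3389": "RDP", "5900": "VNC",
                   "1723": "PPTP", "161": "SNMP", "snmp": "SNMP"}
# "permit tcp any any eq 3389" style entries: any source to a named port.
ANY_TO_PORT = re.compile(r"^permit (tcp|udp) any any (?:eq|range) (\S+)")


def parse_blocks(text):
    """Split a running config into (top-level line, [indented sub-lines])."""
    blocks, header, body = [], None, []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):          # sub-command of the current block
            if header is not None:
                body.append(raw.strip())
        else:                             # new top-level command
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(text):
    """Return a list of (check, detail) findings in config order."""
    findings = []
    for header, body in parse_blocks(text):
        words = header.split()
        if header.startswith("crypto isakmp policy "):
            for line in body:
                key, _, value = line.partition(" ")
                if value in WEAK_IKE.get(key, ()):
                    findings.append(("weak-ike", f"{header}: {line}"))
        elif header.startswith("crypto ipsec transform-set "):
            name, transforms = words[3], words[4:]
            for t in transforms:
                if t in WEAK_TRANSFORMS:
                    findings.append(("weak-ipsec", f"transform-set {name}: {t}"))
        elif header.startswith("ip access-list extended "):
            name = words[3]
            for line in body:
                m = ANY_TO_PORT.match(line)
                if m and m.group(2) in SENSITIVE_PORTS:
                    svc = SENSITIVE_PORTS[m.group(2)]
                    findings.append(("open-admin-port",
                                     f"{name}: {line} ({svc} from any source)"))
                elif line == "permit gre any any":
                    findings.append(("open-admin-port",
                                     f"{name}: {line} (GRE from any source)"))
        elif header.startswith("snmp-server community "):
            community = words[2]
            mode = words[3] if len(words) > 3 else "RO"
            findings.append(("snmp-v2c",
                             f"community '{community}' {mode}: SNMPv1/v2c sends "
                             "the community string in cleartext"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"[{check}] {detail}")
```

The parser relies only on IOS's indentation convention, so the same `audit()` can be pointed at a full `show running-config` capture; entries restricted to an object-group source (the SSH, admin-RDP and SNMP lines above) are deliberately not reported, which is why the 3389 and 1723 lines stand out against them.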