GWR1#sh run
Building configuration...

Current configuration : 34144 bytes
!
!
! Last configuration change at 22:30:04 EDT Mon Sep 12 2016 by
! NVRAM config last updated at 22:32:16 EDT Mon Sep 12 2016 by
! NVRAM config last updated at 22:32:16 EDT Mon Sep 12 2016 by
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname GWR1
!
boot-start-marker
boot system flash:/c2900-universalk9-mz.SPA.152-4.M6.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa group server radius RADGP01
 server auth-port acct-port
 server
!
aaa authentication login default local
aaa authentication login RADLIST group RADGP01 local
aaa authorization exec default local
aaa accounting update periodic 30
aaa accounting network RADAcctList
 action-type start-stop
 group RADGP01
!
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
!
no ip source-route
ip cef
!
!
ip port-map http port tcp description http://:/f
ip port-map user-git port tcp
ip port-map https port tcp description https://:/rxhu
!
no ip dhcp use vrf connected
!
!
!
no ip domain lookup
ip domain name
ip host remote.
ip host vpn.
ip host surveillance.
ip name-server
ip name-server
ip inspect log drop-pkt
ip inspect hashtable-size 2048
ip inspect tcp idle-time 1800
ip inspect name FW http
ip inspect name FW https
ip inspect name FW dns
ip inspect name FW ssh
ip inspect name FW telnet
ip inspect name FW icmp
ip inspect name FW ntp
ip inspect name FW ftps
ip inspect name FW ftp
ip inspect name FW sip
ip inspect name FW tftp
ip inspect name FW rtsp
ip inspect name FW esmtp
ip inspect name FW user-git
ip inspect redundancy update seconds 30
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
 spoofed-acker off
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint
 enrollment selfsigned
 subject-name
 revocation-check none
 rsakeypair
!
crypto pki trustpoint
 enrollment terminal pem
 fqdn
 subject-name
 revocation-check crl
 rsakeypair
!
!
crypto pki certificate chain
 certificate self-signed 01
  quit
crypto pki certificate chain
 certificate
  quit
 certificate ca
  quit
license udi pid CISCO2911/K9 sn
!
!
archive
 log config
  hidekeys
 path ftp:///rtrconfigs/GWR1-Running
 time-period 1440
object-group network _Ext_NTP_Servers
 host
 host
 host
 host
!
object-group network FTP_VMs
 description FTP Servers
 host
 host
!
object-group network MAIL_VMs
 host
!
object-group service Mgmt_Svcs
 tcp eq
 tcp range
!
object-group network Mgmt_VMs
 host
!
object-group network PBX_Clients
 description Remote SIP Phones and Trunks
 255.255.255.224
 255.255.255.0
 255.255.255.248
 255.255.255.248
 255.255.255.248
 255.255.255.248
 255.255.255.248
 255.255.255.248
 255.255.255.248
 host
 255.255.255.248
 255.255.255.0
 255.255.255.0
!
object-group network PBX_Server
 description PBX Server
 host
!
object-group service SSH_Ports
 tcp eq
 tcp eq
!
object-group network TEMP_SSH
 host
!
object-group network VMs_Blocked_100
 host 172.16.100.
 host 172.16.100.
 host 172.16.100.
 host 172.16.100.
 host 172.16.100.
 host 172.16.100.
!
object-group network WWW_VMs
 host
 host
!
object-group network External_DNS_Servers
 host
 host
!
object-group network External_NTP_Servers
 host
 host
 host
 host
!
object-group network LAN
 172.16.100.0 255.255.255.0
 172.16.200.0 255.255.255.0
 172.16.250.0 255.255.255.0
 172.16.210.0 255.255.255.0
 172.16.150.0 255.255.255.0
!
object-group service PBXServices
 tcp eq
 tcp eq
 udp eq
 tcp eq
 tcp eq
 udp range
 tcp range
!
object-group network X_INBOUND_SERVERS
 range
 255.255.240.0
 255.255.224.0
 255.255.240.0
 255.255.240.0
 255.255.192.0
 255.255.0.0
 255.255.0.0
 255.255.240.0
 255.255.128.0
 255.255.224.0
!
object-group network Remote_VPN_Peers
 192.168.108.0 255.255.255.0
 192.168.102.0 255.255.255.0
 192.168.100.0 255.255.255.0
 192.168.200.0 255.255.255.0
 192.168.103.0 255.255.255.0
 192.168.104.0 255.255.255.0
 192.168.105.0 255.255.255.0
 192.168.106.0 255.255.255.0
 192.168.109.0 255.255.255.0
 192.168.115.0 255.255.255.0
 192.168.107.0 255.255.255.0
!
object-group network RouteMap_Hosts
 host 172.16.200.
 host 172.16.200.
 host 172.16.200.
 host 172.16.200.
 host 172.16.250.
!
username privilege 15 password 7
username privilege 15 password 7
!
redundancy
no crypto engine software ipsec
!
!
!
!
!
no ip ftp passive
ip ftp username
ip ftp password 7
ip ssh time-out 60
ip ssh source-interface GigabitEthernet0/0
ip ssh version 2
!
track 1 interface GigabitEthernet0/0 line-protocol
!
track 2 interface GigabitEthernet0/1 line-protocol
!
class-map match-all voip
 match access-group 105
!
policy-map sub-voip-child-map
 class voip
  bandwidth 20
policy-map voipmap
 class voip
  priority 192
 class class-default
  fair-queue
policy-map sub-voip-parent-map
 class class-default
  shape average 2000000
  service-policy sub-voip-child-map
!
!
crypto keyring KeyRing
  pre-shared-key address key
  pre-shared-key address key
  pre-shared-key address key
  pre-shared-key address key
  pre-shared-key address key
  pre-shared-key address key
  pre-shared-key address key
  pre-shared-key address key
  pre-shared-key address key
  pre-shared-key address key
  pre-shared-key address key
  pre-shared-key address key
  pre-shared-key address key
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.07021-k9.pkg sequence 1
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-macosx-i386-3.1.05152-k9.pkg sequence 2
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-linux-64-3.1.05152-k9.pkg sequence 3
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-linux-3.1.05152-k9.pkg sequence 4
!
crypto isakmp policy 159
 encr
 hash
 authentication pre-share
 group 2
 lifetime 10800
crypto isakmp invalid-spi-recovery
crypto isakmp profile
   keyring KeyRing
   match identity address 255.255.255.255
crypto isakmp profile
   keyring KeyRing
   match identity address 255.255.255.255
crypto isakmp profile
   keyring KeyRing
   match identity address 255.255.255.255
crypto isakmp profile
   keyring KeyRing
   match identity address 255.255.255.255
crypto isakmp profile
   keyring KeyRing
   match identity address 255.255.255.255
crypto isakmp profile
   keyring KeyRing
   match identity address 255.255.255.255
crypto isakmp profile
   keyring KeyRing
   match identity address 255.255.255.255
crypto isakmp profile
   keyring KeyRing
   match identity address 255.255.255.255
crypto isakmp profile
   keyring KeyRing
   match identity address 255.255.255.255
crypto isakmp profile
   description *** ***
   keyring KeyRing
   match identity address 255.255.255.255
   match identity address 255.255.255.255
crypto isakmp profile
   keyring KeyRing
   match identity address 255.255.255.255
!
!
crypto ipsec transform-set vpnset
 mode tunnel
!
!
!
crypto map vpnmaps 116 ipsec-isakmp
 description *** ***
 set peer
 set transform-set vpnset
 set isakmp-profile
 match address
crypto map vpnmaps 2333
 description *** ***
 set peer
 set transform-set vpnset
 set isakmp-profile
 match address
crypto map vpnmaps 7036 ipsec-isakmp
 description *** ***
 set peer
 set transform-set vpnset
 set isakmp-profile
 match address
crypto map vpnmaps 7502 ipsec-isakmp
 description *** ***
 set peer
 set transform-set vpnset
 set isakmp-profile
 match address
crypto map vpnmaps 10814 ipsec-isakmp
 description *** ***
 set peer
 set transform-set vpnset
 set isakmp-profile
 match address
crypto map vpnmaps 12102 ipsec-isakmp
 description *** ***
 set peer
 set transform-set vpnset
 set isakmp-profile
 match address
crypto map vpnmaps 12108 ipsec-isakmp
 description *** ***
 set peer
 set transform-set vpnset
 set isakmp-profile
 match address
crypto map vpnmaps 14032 ipsec-isakmp
 description *** ***
 set peer
 set transform-set vpnset
 set isakmp-profile
 match address
crypto map vpnmaps 15325 ipsec-isakmp
 description *** ***
 set peer
 set transform-set vpnset
 set isakmp-profile
 match address
crypto map vpnmaps 22222 ipsec-isakmp
 description *** ***
 set peer
 set peer
 set transform-set vpnset
 match address
crypto map vpnmaps 25014 ipsec-isakmp
 description *** ***
 set peer
 set transform-set vpnset
 set isakmp-profile
 match address
!
!
!
!
!
interface Loopback0
 ip address 10.10.10. 255.255.255.0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Upstream Link
 ip address 67...21 255.255..
 ip access-group Internet-inbound-ACL in
 ip nat outside
 ip inspect FW out
 ip virtual-reassembly in
 ip tcp adjust-mss 1460
 standby version 2
 standby 159 ip 67...20
 standby 159 priority 105
 standby 159 preempt delay minimum 60 reload 120 sync 120
 standby 159 name WANHA
 standby 159 track 2 decrement 10
 duplex full
 speed 100
 no cdp enable
 crypto map vpnmaps redundancy WANHA
 service-policy output voipmap
!
interface GigabitEthernet0/1
 description Downstream Links
 no ip address
 no ip redirects
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.150
 description DMZ on LAN
 encapsulation dot1Q 150
 ip address 172.16.150.251 255.255.255.0
 no ip redirects
 ip virtual-reassembly in
 standby version 2
 standby 150 ip 172.16.150.254
 standby 150 priority 105
 standby 150 preempt delay minimum 60 reload 120 sync 120
 standby 150 track 1 decrement 10
 service-policy output sub-voip-parent-map
!
interface GigabitEthernet0/1.200
 description Servers and VMs
 encapsulation dot1Q 200
 ip address 172.16.200.251 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 standby version 2
 standby 200 ip 172.16.200.254
 standby 200 priority 105
 standby 200 preempt delay minimum 60 reload 120 sync 120
 standby 200 name LANHAVMs
 standby 200 track 1 decrement 10
!
interface GigabitEthernet0/1.210
 description VMotion
 encapsulation dot1Q 210
 ip address 172.16.210.251 255.255.255.0
 no ip redirects
 standby version 2
 standby 210 ip 172.16.210.254
 standby 210 priority 105
 standby 210 preempt delay minimum 60 reload 120 sync 120
 standby 210 track 1 decrement 10
!
interface GigabitEthernet0/1.250
 description Mgmt
 encapsulation dot1Q 250
 ip address 172.16.250.251 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 standby version 2
 standby 250 ip 172.16.250.254
 standby 250 priority 105
 standby 250 preempt delay minimum 60 reload 120 sync 120
 standby 250 track 1 decrement 10
!
interface GigabitEthernet0/2
 description Inband_Mgmt_Core
 ip address 10.2.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip local pool SSLVPN-net 10.10.10.2 10.10.10.150
ip forward-protocol nd
!
ip http server
ip http port
ip http access-class 23
ip http authentication local
ip http secure-server
ip http secure-port
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat pool NATedInternetBoundIPs 67...20 67...20 netmask 255.255..
ip nat inside source list 199 pool NATedInternetBoundIPs overload
ip nat inside source static 172.16.200.20 67...24 route-map nonat reversible
ip nat inside source static tcp 172.16.200.180 67...25 extendable
ip nat inside source static tcp 172.16.250.220 67...25 extendable
ip nat inside source static tcp 172.16.190.205 67...25 extendable
ip nat inside source static tcp 172.16.100.71 67...25 extendable
ip nat inside source static tcp 172.16.100.72 67...25 extendable
ip nat inside source static tcp 172.16.100.73 67...25 extendable
ip nat inside source static tcp 172.16.100.74 67...25 extendable
ip nat inside source static tcp 172.16.100.75 67...25 extendable
ip nat inside source static tcp 172.16.100.76 67...25 extendable
ip nat inside source static tcp 172.16.250.150 67...25 extendable
ip nat inside source static 172.16.200.25 67...26
ip nat inside source static 172.16.250.175 67...27 route-map nonat reversible
ip nat inside source static tcp 172.16.200.95 22 67...28 22 extendable
ip nat inside source static tcp 172.16.200.95 80 67...28 80 extendable
ip nat inside source static tcp 172.16.200.95 443 67...28 443 extendable
ip nat inside source static tcp 172.16.200.205 22 67...28 8022 extendable
ip nat inside source static 172.16.200.85 67...29 route-map nonat reversible
ip nat inside source static 172.16.200.30 67...30 route-map nonat reversible
ip route 0.0.0.0 0.0.0.0 67...17   <-- upstream
ip route 172.16.100.0 255.255.255.0 10.2.2.2   <-- downstream
ip route 172.16.230.0 255.255.255.0 10.2.2.2
!
ip access-list extended Internet-Outbound-ACL_100
 permit ip any object-group LAN
 permit tcp object-group VMs_Blocked_100 eq any
 deny ip object-group VMs_Blocked_100 any
 permit ip any any
ip access-list extended -Internet-inbound-ACL
 permit tcp host eq any
 permit tcp any host 67...21 eq
 permit tcp any host 67...22 eq
 permit tcp any host 67...20 eq
 permit object-group SSH_Ports any object-group TEMP_SSH
 permit tcp any object-group Mgmt_VMs eq
 permit tcp any host 67...25 eq
 permit object-group Mgmt_Svcs any object-group Mgmt_VMs
 permit tcp any object-group FTP_VMs eq
 permit tcp any object-group FTP_VMs range
 permit tcp any object-group WWW_VMs eq
 permit tcp any object-group WWW_VMs eq
 permit tcp object-group INBOUND_SERVERS object-group MAIL_VMs eq
 permit tcp any object-group MAIL_VMs eq
 permit tcp any object-group MAIL_VMs eq
 permit tcp any host 67...25 eq
 permit tcp any host 67...23 eq
 permit tcp any host 67...23 eq
 permit tcp any host 67...21 eq
 permit tcp any host 67...21 eq
 permit udp any host 67...21 eq
 permit udp any host 67...22 eq
 permit udp any host 67...20 eq
 permit udp host host 67...20 eq
 permit udp host host 67...20 eq
 permit udp object-group External_DNS_Servers eq any
 permit udp object-group External_NTP_Servers host 67...21 eq
 permit udp object-group External_NTP_Servers host 67...22 eq
 permit udp object-group External_NTP_Servers host 67...20 eq
 permit udp host 67...21 eq host eq
 permit udp host 67...22 eq host eq
 permit esp any host 67...21
 permit esp any host 67...22
 permit esp any host 67...20
 permit object-group PBXServices object-group PBX_Clients object-group PBX_Server
 permit icmp any any
 deny ip any any log-input
ip access-list extended
 permit ip 172.16.200.0 0.0.0.255 192.168.108.0 0.0.0.255
 permit ip 172.16.250.0 0.0.0.255 192.168.108.0 0.0.0.255
 deny ip any any log-input
ip access-list extended
 permit ip 172.16.200.0 0.0.0.255 192.168.104.0 0.0.0.255
 permit ip 172.16.250.0 0.0.0.255 192.168.104.0 0.0.0.255
 deny ip any any log-input
ip access-list extended
 permit ip 172.16.200.0 0.0.0.255 192.168.102.0 0.0.0.255
 permit ip 172.16.250.0 0.0.0.255 192.168.102.0 0.0.0.255
 deny ip any any log-input
ip access-list extended
 permit ip 172.16.200.0 0.0.0.255 192.168.107.0 0.0.0.255
 permit ip 172.16.250.0 0.0.0.255 192.168.107.0 0.0.0.255
 deny ip any any log-input
ip access-list extended
 permit ip 172.16.200.0 0.0.0.255 192.168.115.0 0.0.0.255
 permit ip 172.16.250.0 0.0.0.255 192.168.115.0 0.0.0.255
 deny ip any any log-input
ip access-list extended
 permit ip 172.16.200.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 172.16.250.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny ip any any log-input
ip access-list extended
 permit ip 172.16.200.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 172.16.250.0 0.0.0.255 192.168.200.0 0.0.0.255
 deny ip any any log-input
ip access-list extended
 permit ip 172.16.200.0 0.0.0.255 192.168.106.0 0.0.0.255
 permit ip 172.16.250.0 0.0.0.255 192.168.106.0 0.0.0.255
 deny ip any any log-input
ip access-list extended LINE_ACL
 remark SSH & Telnet Access
 permit tcp 172.16.100.0 0.0.0.255 any
 permit tcp 172.16.200.0 0.0.0.255 any
 permit tcp 172.16.250.0 0.0.0.255 any
 permit tcp any any eq
 deny ip any any log-input
ip access-list extended
 permit ip 172.16.200.0 0.0.0.255 192.168.103.0 0.0.0.255
 permit ip 172.16.250.0 0.0.0.255 192.168.103.0 0.0.0.255
 deny ip any any log-input
ip access-list extended
 permit ip 172.16.200.0 0.0.0.255 192.168.109.0 0.0.0.255
 permit ip 172.16.250.0 0.0.0.255 192.168.109.0 0.0.0.255
 deny ip any any log-input
ip access-list extended
 permit ip 172.16.200.0 0.0.0.255 192.168.105.0 0.0.0.255
 permit ip 172.16.250.0 0.0.0.255 192.168.105.0 0.0.0.255
 deny ip any any log-input
ip access-list extended UnixLab
 deny ip any object-group LAN
 permit ip any any
!
ip radius source-interface GigabitEthernet0/1.200
ip access-list log-update threshold 1
access-list 2 remark SNMP Control
access-list 2 permit
access-list 2 permit
access-list 2 deny any log
access-list 23 remark HTTP Router Access
access-list 23 permit 172.16.100.0 0.0.0.255
access-list 23 permit 172.16.200.0 0.0.0.255
access-list 23 permit 172.16.250.0 0.0.0.255
access-list 23 deny any log
access-list 100 deny ip object-group RouteMap_Hosts object-group Remote_VPN_Peers
access-list 100 permit ip object-group RouteMap_Hosts any
access-list 100 permit ip any object-group RouteMap_Hosts
access-list 100 deny ip any any
access-list 105 remark VOIP (SIP/IAX/RTP/IAX2) traffic gets top priority (5)
access-list 105 permit udp any any eq
access-list 105 permit udp any any eq
access-list 105 permit udp any any eq
access-list 105 permit udp any any eq
access-list 199 permit udp any object-group Ext_NTP_Servers eq ntp
access-list 199 deny ip host 172.16.250. any
access-list 199 deny ip host 172.16.250. any
access-list 199 deny ip host 172.16.250. any
access-list 199 deny ip host 172.16.200. any
access-list 199 deny ip host 172.16.200. any
access-list 199 deny ip host 172.16.250. any
access-list 199 deny ip host 172.16.200. any
access-list 199 deny ip 172.16.200.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 199 deny ip 172.16.250.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 199 deny ip 172.16.200.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 199 deny ip 172.16.250.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 199 deny ip 172.16.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 199 deny ip 172.16.250.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 199 deny ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 199 deny ip 172.16.200.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 199 deny ip 172.16.250.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 199 deny ip 172.16.200.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 199 deny ip 172.16.250.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 199 deny ip 172.16.200.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 199 deny ip 172.16.250.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 199 deny ip 172.16.200.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 199 deny ip 172.16.250.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 199 deny ip 172.16.200.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 199 deny ip 172.16.250.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 199 deny ip 172.16.200.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 199 deny ip 172.16.250.0 0.0.0.255 192.168.107.0 0.0.0.255
access-list 199 deny ip 172.16.200.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 199 deny ip 172.16.250.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 199 deny ip 172.16.200.0 0.0.0.255 192.168.115.0 0.0.0.255
access-list 199 deny ip 172.16.250.0 0.0.0.255 192.168.115.0 0.0.0.255
access-list 199 permit ip 172.16.100.0 0.0.0.255 any
access-list 199 permit ip 172.16.190.0 0.0.0.255 any
access-list 199 permit ip 172.16.200.0 0.0.0.255 any
access-list 199 permit ip 172.16.250.0 0.0.0.255 any
access-list 199 permit ip host 67...20 any
access-list 199 permit udp host 67...20 any
access-list 199 permit udp host 67...21 any
access-list 199 deny ip any any
cdp timer 240
!
route-map nonat permit 10
 match ip address 100
!
!
snmp-server community RO 2
snmp-server location
snmp-server contact
snmp-server chassis-id GWR1
snmp-server enable traps entity-sensor threshold
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.200. auth-port acct-port key 7
radius-server host 172.16.200. key 7
radius-server host 172.16.200. auth-port acct-port key 7
radius-server host 172.16.200. key 7
!
!
!
control-plane
!
!
banner exec ^C
You are now connected to GWR1. Proceed with Caution!
^C
banner login ^C
This system is solely for the use of authorized users for official purposes. You have no expectation of privacy in its use and to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.
^C
!
line con 0
 exec-timeout 0 0
 password 7
 logging synchronous
 stopbits 1
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class LINE_ACL in
 exec-timeout 5 0
 privilege level 15
 password 7
 logging synchronous
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 access-class LINE_ACL in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server
ntp server
ntp server
!
!
webvpn gateway SSLVPN-GW
 ip address 67...21 port
 http-redirect port 80
 ssl trustpoint
 logging enable
 inservice
!
webvpn context SSLVPN-Context
 login-message "Welcome to , SSL VPN Service!"
 aaa authentication list RADLIST
 gateway SSLVPN-GW
 max-users 10
 logging enable
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSLVPN-Policy
   functions file-access
   functions file-browse
   functions file-entry
   functions svc-enabled
   functions svc-required
   banner "You will be now connected to our secure Networks."
   svc address-pool "SSLVPN-net" netmask 255.255.255.0
   svc default-domain
   svc keep-client-installed
   svc dpd-interval client 600
   svc rekey method new-tunnel
   svc split include 172.16.200.0 255.255.255.0
   svc split include 172.16.250.0 255.255.255.0
   svc split include 172.16.100.0 255.255.255.0
   svc split include 10.10.10.0 255.255.255.0
   svc split include 192.168.100.0 255.255.255.0
 default-group-policy SSLVPN-Policy
!
end
GWR1#