version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service pt-vty-logging
service sequence-numbers
!
hostname --
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
logging message-counter syslog
logging buffered 51200 informational
no logging rate-limit
enable secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login CVPN local
aaa authentication ppp default local
aaa authorization network default local
!
!
aaa session-id common
memory-size iomem 10
clock timezone GMT+1 1
clock summer-time GMT+1 recurring last Sun Mar 2:00 last Sun Oct 3:00
errdisable recovery cause bpduguard
errdisable recovery cause rootguard
errdisable recovery cause link-flap
!
!
no ip source-route
!
!
ip cef
no ip bootp server
ip domain name
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect tcp reassembly queue length 18
ip inspect tcp reassembly memory limit 200
ip inspect name FW_Dialer10_IN tcp
ip inspect name FW_Dialer10_IN udp
ip inspect name FW_Dialer10_IN icmp
ip inspect name FW_Dialer10_IN http java-list 80
ip inspect name FW_Dialer10_IN ftp
ip inspect name FW_Dialer10_IN smtp
ip inspect name FW_Dialer10_IN ssh
ip inspect name FW_Dialer10_IN ntp
ip inspect name FW_Dialer10_IN https
ip inspect name FW_Dialer10_OUT tcp router-traffic
ip inspect name FW_Dialer10_OUT udp router-traffic
ip inspect name FW_Dialer10_OUT icmp
ip inspect name FW_Dialer10_OUT http java-list 80
ip inspect name FW_Dialer10_OUT ftp
ip inspect name FW_Dialer10_OUT rtsp
login block-for 300 attempts 5 within 90
login delay 2
login on-failure log
login on-success log
no ipv6 cef
!
!
!
!
username privilege 15 view root secret
!
crypto logging session
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp nat keepalive 15
!
crypto isakmp client configuration group
 key
 dns
 domain
 pool ILP_CVPN_CLIENT
 acl ACL_CVPN_CLIENT
crypto isakmp profile CIP_CVPN_CLIENT
 match identity group
 client authentication list CVPN
 isakmp authorization list CVPN
 client configuration address respond
!
!
crypto ipsec transform-set CIT_CVPN_CLIENT esp-aes 256 esp-sha-hmac
!
crypto dynamic-map CDM_CVPN_CLIENT 10
 set transform-set CIT_CVPN_CLIENT
 set isakmp-profile CIP_CVPN_CLIENT
!
!
crypto map CMP_CVPN_CLIENT 10 ipsec-isakmp dynamic CDM_CVPN_CLIENT
!
archive
 log config
  record rc
  logging enable
  logging size 1000
  notify syslog contenttype plaintext
  hidekeys
!
!
controller VDSL 0
!
ip ssh rsa keypair-name RSA_SSH
!
!
!
interface Loopback10
 description Bypass NAT for IPsec
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip route-cache same-interface
 ip route-cache policy
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 no ip address
!
interface Ethernet0.201
 encapsulation dot1Q 201
 pppoe enable group global
 pppoe-client dial-pool-number 10
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 no ip virtual-reassembly
 ip route-cache policy
 ip tcp adjust-mss 1452
 ip policy route-map RMP_Vlan1_NO_NAT
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer10
 description VDSL
 mtu 1492
 ip address negotiated
 ip access-group ACL_Dialer10_IN in
 ip access-group ACL_Dialer10_OUT out
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect FW_Dialer10_IN in
 ip inspect FW_Dialer10_OUT out
 no ip virtual-reassembly
 encapsulation ppp
 ip route-cache policy
 dialer pool 10
 dialer-group 10
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username password
 crypto map CMP_CVPN_CLIENT
!
ip local pool ILP_CVPN_CLIENT 192.168.254.100 192.168.254.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer10 permanent
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 192.168.254.0 255.255.255.0 Dialer10 name ILP_CVPN_CLIENT
no ip http server
no ip http secure-server
!
ip nat inside source route-map RMP_Dialer10_OVERLOAD interface Dialer10 overload
ip nat inside source static tcp 192.168.1.1 25 int Dialer10 25 extendable
ip nat inside source static tcp 192.168.1.1 443 int Dialer10 443 extendable
ip nat inside source static tcp 192.168.1.1 3389 int Dialer10 3389 extendable
!
ip access-list standard ACL_SNMP
 permit 192.168.1.0 0.0.0.255
ip access-list standard ACL_VTY04_IN
 permit 192.168.1.0 0.0.0.255
 permit 192.168.254.0 0.0.0.255
!
ip access-list extended ACL_CVPN_CLIENT
 permit ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
ip access-list extended ACL_Dialer10_IN
 remark Deny internal networks
 deny   ip 192.168.1.0 0.0.0.255 any
 remark Anti-spoofing
 deny   ip host 0.0.0.0 any
 deny   ip host 255.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 remark VPN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any eq non500-isakmp any
 permit esp any any
 permit gre any any
 permit tcp any any eq 1723
 remark Standard WWW services
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 444
 permit tcp any any eq pop3
 permit tcp any any eq smtp
 permit tcp any any eq 22
 permit tcp any any eq ident
 permit udp any any eq ntp
 remark Belastingdienst
 permit tcp any any eq 389
 permit tcp any any eq 587
 remark SNMP
 permit udp any any eq snmp
 remark RDP datamex
 permit tcp any any eq 3389
 remark SQL
 permit tcp any any eq 1433
 permit udp any any eq 1434
 remark ABNAMRO Telebanking
 permit tcp host 193.172.44.45 any
 permit udp host 193.172.44.45 any
 permit tcp host 194.151.107.44 any
 permit udp host 194.151.107.44 any
 permit tcp host 193.172.44.78 any
 permit udp host 193.172.44.78 any
 permit tcp host 194.151.107.76 any
 permit udp host 194.151.107.76 any
 remark ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   icmp any any
 deny   tcp any range 0 65535 any range 0 65535
 deny   udp any range 0 65535 any range 0 65535
 deny   ip any any
ip access-list extended ACL_Dialer10_OUT
 remark VPN
 permit esp any any
 permit gre any any
 permit ahp any any
 remark Standard WWW services
 permit ip any any
 permit icmp any any
ip access-list extended ACL_Dialer10_OVERLOAD
 deny   ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended ACL_Vlan1_NO_NAT
 permit ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
!
logging trap debugging
access-list 80 remark ----------------------------------------------------------
access-list 80 remark ip inspect http java-list
access-list 80 permit any
access-list 80 remark ----------------------------------------------------------
no cdp run
!
!
!
!
route-map RMP_Vlan1_NO_NAT permit 10
 match ip address ACL_Vlan1_NO_NAT
 set ip next-hop 1.1.1.2
!
route-map RMP_Dialer10_OVERLOAD permit 10
 match ip address ACL_Dialer10_OVERLOAD
 match interface Dialer10
!
snmp-server community RO ACL_SNMP
snmp-server location
snmp-server contact
snmp-server enable traps tty
!
control-plane
!
banner motd $
*************************************************************
This system is restricted to authorized users for legitimate
purposes and is subject to audit. The unauthorized access, use
or modification of computer systems or the data contained
therein or in transit to/from, may be illegal.

Contact information:
*************************************************************
$
alias exec ct configure terminal
alias exec sf show flash:
alias exec sir show ip route
alias exec siib show ip int brief
alias exec cir clear ip route *
alias exec sr show running-config
alias exec spch show proces cpu history
alias exec sdia show dsl int atm
alias exec sis show int summary
alias exec sv show version
alias exec siisc show ip ips signature count
!
line con 0
 exec-timeout 120 0
 privilege level 15
 no modem enable
 transport output all
 stopbits 1
line aux 0
 transport output all
line vty 0 4
 access-class ACL_VTY04_IN in
 exec-timeout 1800 0
 timeout login response 200
 privilege level 15
 password
 transport preferred ssh
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
ntp server 136.10.4.4
ntp server 194.88.2.88
ntp server 131.211.187.240
sntp server 193.79.237.14
sntp broadcast client
end