Current configuration : 15203 bytes
!
! No configuration change since last restart
! Global services, device identity, boot image, local logging and the enable secret.
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password-encryption is disabled, so any cleartext secrets in this
! file (for example the ISAKMP group `key` further down) are stored and displayed
! unobfuscated. Type 7 obfuscation is reversible anyway; for ISAKMP keys prefer
! `key config-key password-encrypt` together with `password encryption aes`.
no service password-encryption
!
hostname NH_2951RO
!
boot-start-marker
! NOTE(review): the image name indicates IOS 15.2(1)T. Check this release against
! the vendor's current security advisories and recommended releases.
boot system flash:c2900-universalk9-mz.SPA.152-1.T.bin
boot-end-marker
!
!
! Logs a message once the login-failure rate reaches 5.
security authentication failure rate 5 log
! NOTE(review): logging goes only to a 51200-byte local buffer at severity
! "warnings" and above. No `logging host` appears in this listing, so the log is
! lost on reload and cannot be reviewed off-box.
logging buffered 51200 warnings
! Type 5 (salted MD5) enable secret; the hash itself is redacted in this listing.
enable secret 5 *
!
! AAA: every method list below resolves against the router's local user database.
! NOTE(review): no `username` lines appear in this listing (presumably removed
! before posting) and no `aaa accounting` is configured, so there is no record of
! exec sessions or commands beyond the local log buffer.
aaa new-model
!
!
! Default login list: applies to console, aux and vty lines.
aaa authentication login default local
! XAUTH user authentication list referenced by the ISAKMP profile.
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
! Group authorization list referenced by the ISAKMP profile.
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone MSK 4 0
!
no ipv6 cef
! Drops packets that carry IP source-route options.
no ip source-route
!
!
!
! DHCP server housekeeping and the address ranges withheld from dynamic leases.
! NOTE(review): pools Slo (192.168.18.0/24) and Co-W (192.168.19.0/24) are defined
! below but have no excluded range here. The static NAT entries later in this file
! forward Internet-facing ports to 192.168.18.150 and 172.1.1.14, and both of those
! addresses are inside leasable ranges. If a lease hands one of them to a different
! host, the forwarded ports land on that host. Reserve or exclude them.
ip dhcp binding cleanup interval 600
ip dhcp excluded-address 192.168.11.1 192.168.11.50
ip dhcp excluded-address 192.168.12.1 192.168.12.50
ip dhcp excluded-address 192.168.13.1 192.168.13.50
ip dhcp excluded-address 192.168.14.1 192.168.14.50
ip dhcp excluded-address 192.168.15.1 192.168.15.50
ip dhcp excluded-address 192.168.16.1 192.168.16.50
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.9.1 192.168.9.10
ip dhcp excluded-address 172.1.0.1 172.1.0.100
!
! DHCP pools for VLANs 11-16. Each pool hands out the router's subinterface address
! as the default gateway.
! NOTE(review): pool NGD leases from all of 192.168.11.0/24 except .1-.50, which
! overlaps the VPN client pool SDM_POOL_1 (192.168.11.150-192.168.11.200) defined
! later in this file. The same address can be given to a LAN host and a VPN client.
ip dhcp pool NGD
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server 192.168.11.3 192.168.11.1 8.8.8.8
lease 7
!
ip dhcp pool Ai
network 192.168.12.0 255.255.255.0
dns-server 192.168.12.3 192.168.12.1 8.8.8.8
default-router 192.168.12.1
lease 7
!
ip dhcp pool Saw
network 192.168.13.0 255.255.255.0
default-router 192.168.13.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
ip dhcp pool Partners
network 192.168.14.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.14.1
lease 7
!
ip dhcp pool Guest
network 192.168.15.0 255.255.255.0
default-router 192.168.15.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
ip dhcp pool Voip
network 192.168.16.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.16.1
lease 30
!
! DHCP pool for the DMZ VLAN (192.168.10.0/24).
! NOTE(review): the default-router and both internal DNS servers are on
! 192.168.12.0/24 (the Ai VLAN), not on the DMZ subnet. The DMZ subinterface is
! 192.168.10.1, so clients receive a gateway they cannot reach on-link. This looks
! like a copy of the Ai pool; confirm and use 192.168.10.1. Pointing DMZ hosts at
! an internal DNS server also requires DMZ -> Ai reachability, which ACL DMZ_LAN
! currently allows.
ip dhcp pool DMZ
network 192.168.10.0 255.255.255.0
dns-server 192.168.12.3 192.168.12.1 8.8.8.8
default-router 192.168.12.1
lease 7
!
! DHCP pools for VLANs 17-19.
! NOTE(review): 172.1.0.0/19 is not RFC 1918 space (the private block is
! 172.16.0.0/12). Using it internally shadows the real Internet hosts in that range
! for every client behind this router. Consider renumbering.
ip dhcp pool LETO
network 172.1.0.0 255.255.224.0
dns-server 8.8.8.8 8.8.4.4
default-router 172.1.0.1
! Lease of 0 days 3 hours.
lease 0 3
!
ip dhcp pool Slo
network 192.168.18.0 255.255.255.0
default-router 192.168.18.1
dns-server 8.8.8.8 8.8.4.4
lease 30
!
ip dhcp pool Co-W
network 192.168.19.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.19.1
lease 7
!
!
! BOOTP service disabled; the router's own DNS domain and upstream resolvers; CEF switching.
no ip bootp server
! Domain name is partly redacted in this listing.
ip domain name new*.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
!
multilink bundle-name authenticated
!
!
!
!
!
! Self-signed trustpoint. Nothing in this block states where the certificate is used;
! `ip http secure-server` is enabled later in the file, presumably for it (confirm).
! NOTE(review): a self-signed certificate gives clients nothing to validate against,
! so administrators must pin or manually verify its fingerprint. `revocation-check
! none` is expected for a self-signed trustpoint.
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3286905914
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3286905914
revocation-check none
rsakeypair TP-self-signed-3286905914
!
!
! DER-encoded self-signed certificate for the trustpoint above, as hex words.
! NOTE(review): the hex as posted has short or missing words, so it will not load
! as-is. The visible algorithm OID bytes (2A864886 F70D0101 05) correspond to
! sha1WithRSAEncryption and the key header suggests a 1024-bit modulus. Confirm
! with `show crypto pki certificates` and regenerate with a larger key if so.
crypto pki certificate chain TP-self-signed-3286905914
certificate self-signed 01
3082022B 30820194 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 39303539 3134301E 170D3131 30383039 30303430
34325A17 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 65642D43 65727469 66696361 74652D33 32383639
30353931 3430819F 2A864886 F70D0101 01050003 818D0030 81890281
8100E122 187BC580 DF871BEF 1F8C4C4C 3D008A3B 7206AEE3
AE6913AB 22D10DE 0C8F118F B3F231EF A8E31BB6 A96DE08B 0D4A7F87
C97AA13A EE9B12C 519DFF0F 0A456715 D3DB7FC7 5968D358 A9DA6736
BF96BCDE C67524C8 43AD3C34 9F3A058F F318918B 6491D15A 97B51BD7
3D5B0203 010001A3 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14DC53CA AE6FC232 30621B1B C4BF3622 0437D8C3 8F301D06
03551D0E 04160414 DC53CAAE 6FC23230 621B1BC4 BF362204 37D8C38F 300D0609
2A864886 F70D0101 05050003 818100CB B3B2791B 7DF1C3E5 83F725B5 5F998EAD
EAC52E0C A1A11F89 F5EC539C 0A66DE92 0B2AFAD8 0B9628EE 839BA677 1178A6BB
78A6494F 893FC774 F7E51A2A FC2E701F E9F33C7C 7AB7C2CA 9DBD7F72
4F599939 241E4964 907FE64C D5F6EC87 CAE582AD B4AEE1A5 7FB680B1
E92CACCA 679590AC AD2B6CC7 64819C
quit
! Voice card stanza (empty), licensing and redundancy stanza (empty).
voice-card 0
!
!
!
!
!
!
!
!
! Serial number is redacted. The PID reads CISCO2921 while the hostname says 2951.
license udi pid CISCO2921/K9 sn FCZ1***
! securityk9 and uck9 technology packages are enabled at boot.
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
!
!
!
redundancy
!
!
!
!
!
! SSH server: 60-second negotiation timeout, 2 authentication retries, protocol version 2 only.
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
! Remote-access IPsec VPN: IKEv1 policy, client configuration group, ISAKMP
! profile, transform set and the IPsec profile bound to Virtual-Template1.
! NOTE(review): 3DES with DH group 2 (1024-bit MODP) is legacy cryptography. No
! `hash` is set, so the IOS default applies (SHA-1 on this release; confirm with
! `show crypto isakmp policy`). Where the image and clients allow, move to AES
! with a larger DH group and a SHA-2 hash.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
! NOTE(review): the group key is one secret shared by every client in the group,
! and with `no service password-encryption` it is stored in cleartext. Anyone who
! holds the key can complete phase 1, leaving XAUTH as the only per-user control.
! Rotate the key if an unredacted copy of this config has been shared.
crypto isakmp client configuration group Main_VPN_Group
key ***
dns 192.168.11.3 192.168.11.1
domain nd.local
pool SDM_POOL_1
! Split-tunnel ACL: access-list 101 permits 192.168.0.0/16, so the client is
! offered routes to every 192.168.x.x VLAN and not only the ND LAN.
acl 101
crypto isakmp profile ciscocp-ike-profile-1
match identity group Main_VPN_Group
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
! ESP with 3DES encryption and HMAC-SHA-1 integrity.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
! Loopback (address source for Virtual-Template1), the WAN uplink and unused ports.
interface Loopback0
ip address 172.16.0.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
! NOTE(review): the WAN interface has no inbound `ip access-group`, and no firewall
! inspection is configured anywhere in this listing. Services the router itself
! runs (HTTP/HTTPS, DNS server, NTP master, SNMP, ISAKMP) and every static NAT
! mapping are therefore reachable from the Internet unless filtered upstream.
! Add an inbound ACL or zone-based firewall that permits only what is intended.
! Interface hardening such as `no ip redirects`, `no ip unreachables` and
! `no ip proxy-arp` is also absent.
interface GigabitEthernet0/0
description WAN_to_U
ip address 94.140.2**.75 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
! 802.1Q trunk to the 2960S switch and the management subinterface.
interface GigabitEthernet0/0/0
description to_2960S
no ip address
negotiation auto
!
! NOTE(review): management sits on the native, untagged VLAN 1 and has no
! access-group. Most of the per-VLAN ACLs in this file do not deny
! 192.168.1.0/24, so user, partner and Wi-Fi VLANs can reach the management
! subnet. Consider a dedicated tagged management VLAN and explicit denies.
interface GigabitEthernet0/0/0.1
description MGT
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
! Subinterfaces for VLANs 10-15, each with an inbound ACL intended to isolate it.
! NOTE(review): several access-group names below do not match any ACL defined in
! this listing: NGD_LAN (defined: ND_LAN), AIRIS_LAN (defined: AI_LAN) and
! SAWATZKY_LAN (defined: SAW_LAN). On IOS an access-group that references a
! non-existent ACL filters nothing. The mismatch may come from renaming the post
! for publication; verify on the device with `show ip interface` and
! `show access-lists`.
interface GigabitEthernet0/0/0.10
description DMZ
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip access-group DMZ_LAN in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0/0.11
description ND
encapsulation dot1Q 11
ip address 192.168.11.1 255.255.255.0
! Name does not match the defined ACL ND_LAN.
ip access-group NGD_LAN in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0/0.12
description Ai
encapsulation dot1Q 12
ip address 192.168.12.1 255.255.255.0
! Name does not match the defined ACL AI_LAN.
ip access-group AIRIS_LAN in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0/0.13
description Saw
encapsulation dot1Q 13
ip address 192.168.13.1 255.255.255.0
! Name does not match the defined ACL SAW_LAN.
ip access-group SAWATZKY_LAN in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0/0.14
description Partners
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip access-group PARTNERS_LAN in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0/0.15
description Guest
encapsulation dot1Q 15
ip address 192.168.15.1 255.255.255.0
ip access-group GUEST_LAN in
ip nat inside
ip virtual-reassembly in
! Polices traffic sent toward guest clients to 4,096,000 bit/s; excess is dropped.
rate-limit output 4096000 32000 32000 conform-action continue exceed-action drop
!
! Subinterfaces for VLANs 16-19.
! NOTE(review): the VoIP subinterface has no access-group even though an ACL named
! VOIP_LAN is defined in this file, so VoIP hosts are unfiltered. The names
! LETO_FREE_WIFI, Slow_Kitchen and Co-Working do not match the defined ACLs LETO,
! Slo and Co-W. An access-group that points at an undefined ACL filters nothing on
! IOS. The names may have been altered for publication; verify on the device.
interface GigabitEthernet0/0/0.16
description VoIP
encapsulation dot1Q 16
ip address 192.168.16.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0/0.17
description LETO
encapsulation dot1Q 17
ip address 172.1.0.1 255.255.224.0
! Name does not match the defined ACL LETO.
ip access-group LETO_FREE_WIFI in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0/0.18
description Slo
encapsulation dot1Q 18
ip address 192.168.18.1 255.255.255.0
! Name does not match the defined ACL Slo.
ip access-group Slow_Kitchen in
ip nat inside
ip virtual-reassembly in
rate-limit output 4096000 32000 32000 conform-action continue exceed-action drop
!
interface GigabitEthernet0/0/0.19
description Co-W
encapsulation dot1Q 19
ip address 192.168.19.1 255.255.255.0
! Name does not match the defined ACL Co-W.
ip access-group Co-Working in
ip nat inside
ip virtual-reassembly in
!
! Template cloned for each VPN client session. It borrows Loopback0's address and
! is protected by the IPsec profile CiscoCP_Profile1.
! NOTE(review): the template carries no access-group, so an authenticated VPN
! client is not filtered by the router beyond the routes it is given.
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
! VPN client address pool and the router's web management servers.
! NOTE(review): SDM_POOL_1 lies inside the ND LAN subnet and inside the range the
! NGD DHCP pool can lease, since only .1-.50 is excluded there. Exclude .150-.200
! from DHCP or move the VPN pool to its own subnet.
ip local pool SDM_POOL_1 192.168.11.150 192.168.11.200
ip forward-protocol nd
!
! NOTE(review): cleartext HTTP management is enabled alongside HTTPS, and there is
! no `ip http access-class`. With no inbound ACL on the WAN interface the login
! page is reachable from any network. Prefer `no ip http server` and restrict
! HTTPS to the management subnet.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
! Router DNS service, PAT for inside networks, inbound static port forwards and the default route.
! NOTE(review): `ip dns server` is on and the WAN interface has no inbound ACL, so
! the router may answer DNS queries from the Internet. Confirm and filter.
ip dns server
ip nat pool NGD_NAT_POOL 94.140.2**.75 94.140.2**.75 netmask 255.255.255.248
! Outbound PAT for the sources matched by access-list 150.
ip nat inside source list 150 pool NGD_NAT_POOL overload
! NOTE(review) on the static mappings below:
! - Cleartext or legacy services are published to the Internet: FTP (20/21), PPTP
!   (1723), RDP (3389), and 4899, 4999 and 5555 (services not identified in this
!   listing). With no inbound WAN ACL there is no source restriction on any of
!   them. Put remote administration behind the IPsec VPN instead.
! - 22 and 80 are forwarded to 192.168.1.6, a host in the management VLAN.
! - `tcp ... 47` opens TCP port 47. PPTP's data channel is GRE, which is IP
!   protocol 47 and not a TCP port, so these entries add exposure without helping PPTP.
! - 192.168.18.150 and 172.1.1.14 are inside DHCP-leasable ranges (see the DHCP
!   section of this file).
! - The last entry is a full one-to-one NAT: every port on 192.168.10.2 is exposed.
ip nat inside source static tcp 192.168.12.3 20 94.140.2**.75 20 extendable
ip nat inside source static tcp 192.168.12.3 21 94.140.2**.75 21 extendable
ip nat inside source static tcp 192.168.1.6 22 94.140.2**.75 22 extendable
ip nat inside source static tcp 172.1.1.14 47 94.140.2**.75 47 extendable
ip nat inside source static tcp 192.168.1.6 80 94.140.2**.75 80 extendable
ip nat inside source static tcp 172.1.1.14 1723 94.140.2**.75 1723 extendable
ip nat inside source static tcp 192.168.18.150 47 94.140.2**.76 47 extendable
ip nat inside source static tcp 192.168.10.3 80 94.140.2**.76 80 extendable
ip nat inside source static tcp 192.168.18.150 1723 94.140.2**.76 1723 extendable
ip nat inside source static tcp 192.168.18.150 3389 94.140.2**.76 3389 extendable
ip nat inside source static tcp 192.168.18.150 4899 94.140.2**.76 4899 extendable
ip nat inside source static tcp 192.168.18.150 4999 94.140.2**.76 4999 extendable
ip nat inside source static tcp 192.168.18.150 5555 94.140.2**.76 5555 extendable
ip nat inside source static 192.168.10.2 94.140.2**.77 extendable
ip route 0.0.0.0 0.0.0.0 94.140.2**.73
!
! Inter-VLAN isolation ACLs: each denies traffic toward the listed subnets and then
! permits everything else, including Internet-bound traffic.
! NOTE(review): these are deny-lists, so any subnet not named is reachable. None
! of the three denies 192.168.1.0/24 (MGT), 192.168.18.0/24, 192.168.19.0/24 or
! 172.1.0.0/19. A default-deny design (permit required flows, deny RFC 1918,
! permit any) is safer as VLANs are added.
! No interface references AI_LAN by this name.
ip access-list extended AI_LAN
deny ip any 192.168.10.0 0.0.0.255
deny ip any 192.168.11.0 0.0.0.255
deny ip any 192.168.13.0 0.0.0.255
deny ip any 192.168.14.0 0.0.0.255
deny ip any 192.168.15.0 0.0.0.255
deny ip any 192.168.16.0 0.0.0.255
permit ip any any
! No interface references Co-W by this name.
ip access-list extended Co-W
! NOTE(review): this matches only 172.0.0.0/24. The LETO network is 172.1.0.0/19,
! so this line does not block it. The 192.168.17.0/24 entry below matches no
! subnet configured in this listing.
deny ip any 172.0.0.0 0.0.0.255
deny ip any 192.168.10.0 0.0.0.255
deny ip any 192.168.11.0 0.0.0.255
deny ip any 192.168.12.0 0.0.0.255
deny ip any 192.168.13.0 0.0.0.255
deny ip any 192.168.14.0 0.0.0.255
deny ip any 192.168.15.0 0.0.0.255
deny ip any 192.168.16.0 0.0.0.255
deny ip any 192.168.17.0 0.0.0.255
deny ip any 192.168.18.0 0.0.0.255
permit ip any any
! Applied inbound on GigabitEthernet0/0/0.10.
! NOTE(review): DMZ hosts are published to the Internet by static NAT, yet this
! ACL lets them open connections to 192.168.11.0/24 (ND), 192.168.12.0/24 (Ai)
! and 192.168.1.0/24 (MGT). A DMZ should not be able to initiate toward internal
! or management networks. Permit only the specific flows required.
ip access-list extended DMZ_LAN
deny ip any 192.168.13.0 0.0.0.255
deny ip any 192.168.14.0 0.0.0.255
deny ip any 192.168.15.0 0.0.0.255
deny ip any 192.168.16.0 0.0.0.255
permit ip any any
! Guest VLAN policy, applied inbound on GigabitEthernet0/0/0.15: DHCP, a few
! exceptions toward ND and MGT, denies for internal subnets, an allow-list of
! Internet services, then deny all.
ip access-list extended GUEST_LAN
permit udp any any eq bootpc
permit udp any any eq bootps
! NOTE(review): `eq 443` follows the source address here, so this entry (and the
! matching one for 192.168.1.0/24 below) matches on the SOURCE port. The sending
! host chooses its source port, so the entry does not limit which services on the
! destination subnet are reachable. If the intent was guest access to HTTPS on
! those subnets, the port belongs after the destination. Confirm the intent, and
! whether guests should reach ND or MGT at all.
permit tcp 192.168.15.0 0.0.0.255 eq 443 192.168.11.0 0.0.0.255
permit icmp 192.168.15.0 0.0.0.255 192.168.11.0 0.0.0.255 echo
permit icmp 192.168.15.0 0.0.0.255 192.168.11.0 0.0.0.255 echo-reply
permit icmp 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255 echo
permit icmp 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply
permit tcp 192.168.15.0 0.0.0.255 eq 443 192.168.1.0 0.0.0.255
! NOTE(review): 192.168.1.0/24, 192.168.18.0/24, 192.168.19.0/24 and 172.1.0.0/19
! are not in this deny list, so the `any eq www/443/ftp/...` permits further down
! also let guests reach those internal subnets on the listed ports.
deny ip any 192.168.10.0 0.0.0.255
deny ip any 192.168.11.0 0.0.0.255
deny ip any 192.168.12.0 0.0.0.255
deny ip any 192.168.13.0 0.0.0.255
deny ip any 192.168.14.0 0.0.0.255
deny ip any 192.168.16.0 0.0.0.255
permit tcp 192.168.15.0 0.0.0.255 any eq www
permit tcp 192.168.15.0 0.0.0.255 any eq 443
permit tcp 192.168.15.0 0.0.0.255 any eq pop3
permit tcp 192.168.15.0 0.0.0.255 any eq 143
permit tcp 192.168.15.0 0.0.0.255 any eq 993
permit tcp 192.168.15.0 0.0.0.255 any eq 995
permit tcp 192.168.15.0 0.0.0.255 any eq 587
permit tcp 192.168.15.0 0.0.0.255 any eq smtp
permit tcp 192.168.15.0 0.0.0.255 any eq ftp
permit tcp 192.168.15.0 0.0.0.255 any eq ftp-data
permit tcp 192.168.15.0 0.0.0.255 any eq 37
permit tcp 192.168.15.0 0.0.0.255 any eq daytime
permit udp 192.168.15.0 0.0.0.255 any eq time
permit udp 192.168.15.0 0.0.0.255 any eq domain
permit udp 192.168.15.0 0.0.0.255 any eq ntp
deny ip any any
! Remaining inter-VLAN isolation ACLs. Each denies the listed destination subnets
! and ends with `permit ip any any`.
! NOTE(review): as posted, only PARTNERS_LAN is referenced by an interface under
! this exact name. LETO, ND_LAN, SAW_LAN and Slo are applied under different
! names, and VOIP_LAN is not applied at all. None of these ACLs denies
! 192.168.1.0/24 (MGT), and most omit 192.168.18.0/24, 192.168.19.0/24 and
! 172.1.0.0/19. Entries for 192.168.17.0/24 match no subnet configured here.
ip access-list extended LETO
deny ip any 192.168.10.0 0.0.0.255
deny ip any 192.168.11.0 0.0.0.255
deny ip any 192.168.12.0 0.0.0.255
deny ip any 192.168.13.0 0.0.0.255
deny ip any 192.168.14.0 0.0.0.255
deny ip any 192.168.15.0 0.0.0.255
deny ip any 192.168.16.0 0.0.0.255
permit ip any any
ip access-list extended ND_LAN
deny ip any 192.168.12.0 0.0.0.255
deny ip any 192.168.13.0 0.0.0.255
deny ip any 192.168.14.0 0.0.0.255
deny ip any 192.168.15.0 0.0.0.255
permit ip any any
ip access-list extended PARTNERS_LAN
deny ip any 192.168.10.0 0.0.0.255
deny ip any 192.168.12.0 0.0.0.255
deny ip any 192.168.13.0 0.0.0.255
deny ip any 192.168.15.0 0.0.0.255
deny ip any 192.168.16.0 0.0.0.255
deny ip any 192.168.11.0 0.0.0.255
! Blocks outbound HTTP (tcp/80) for one partner host.
deny tcp host 192.168.14.68 any eq www
permit ip any any
ip access-list extended SAW_LAN
deny ip any 192.168.10.0 0.0.0.255
deny ip any 192.168.11.0 0.0.0.255
deny ip any 192.168.12.0 0.0.0.255
deny ip any 192.168.14.0 0.0.0.255
deny ip any 192.168.15.0 0.0.0.255
deny ip any 192.168.16.0 0.0.0.255
permit ip any any
ip access-list extended Slo
deny ip any 192.168.10.0 0.0.0.255
deny ip any 192.168.11.0 0.0.0.255
deny ip any 192.168.12.0 0.0.0.255
deny ip any 192.168.13.0 0.0.0.255
deny ip any 192.168.14.0 0.0.0.255
deny ip any 192.168.15.0 0.0.0.255
deny ip any 192.168.16.0 0.0.0.255
deny ip any 192.168.17.0 0.0.0.255
permit ip any any
ip access-list extended VOIP_LAN
deny ip any 192.168.10.0 0.0.0.255
deny ip any 192.168.11.0 0.0.0.255
deny ip any 192.168.12.0 0.0.0.255
deny ip any 192.168.13.0 0.0.0.255
deny ip any 192.168.14.0 0.0.0.255
deny ip any 192.168.15.0 0.0.0.255
permit ip any any
!
! Numbered ACLs: 100 (not referenced in this listing), 101 (VPN split tunnel),
! 123 (vty access-class) and 150 (NAT overload source list).
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
! NOTE(review): 123 allows management sessions from MGT and from all of
! 192.168.11.0/24, which includes ordinary ND LAN hosts and the VPN client pool
! (.150-.200). Narrow this to named admin hosts. Consider adding `log` to the
! final deny so that rejected attempts are recorded.
access-list 123 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 123 permit tcp 192.168.11.0 0.0.0.255 any eq 22
access-list 123 deny ip any any
! The first 172.1.0.0 entry (/22) is a subset of the third (/19) and is redundant.
access-list 150 permit ip 172.1.0.0 0.0.3.255 any
access-list 150 permit ip 192.168.0.0 0.0.255.255 any
access-list 150 permit ip 172.1.0.0 0.0.31.255 any
!
!
!
!
!
! SNMP read-only community and sensor-threshold traps.
! NOTE(review): the community string is published in this listing and has no ACL
! attached, so any host that can reach the router (including over the unfiltered
! WAN interface) can poll it. Community-based SNMP is sent in cleartext. Rotate
! the string, bind it to an ACL of monitoring hosts, or move to SNMPv3 with
! authentication and privacy. Traps are enabled but no `snmp-server host` appears.
snmp-server community nhcomm RO
snmp-server enable traps entity-sensor threshold
!
!
! Control-plane, MGCP and gatekeeper stanzas. All are empty or shut down.
! NOTE(review): no service-policy is attached under control-plane, so there is no
! control-plane policing to limit traffic aimed at the router's own services.
control-plane host
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
!
! Terminal lines. Login on console, aux and vty uses the AAA default list (local users).
line con 0
line aux 0
! Line 2 has no exec shell but accepts every inbound transport.
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
! NOTE(review): telnet is still an allowed inbound transport on all vty lines.
! ACL 123 only permits tcp/22, but whether the port is evaluated under
! `access-class` depends on the release, so do not rely on it. Set
! `transport input ssh` so that credentials are never accepted in cleartext. No
! `exec-timeout` is set here, so the default idle timeout applies.
line vty 0 4
access-class 123 in
transport input telnet ssh
line vty 5 15
access-class 123 in
transport input telnet ssh
!
! Scheduler tuning, NTP client and server configuration, and a daily time-range.
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0/0.1
! NOTE(review): `ntp master` makes the router an NTP server and lets it fall back to
! its own clock if the upstream servers are lost. No `ntp access-group` or NTP
! authentication is configured, and the WAN interface has no inbound ACL, so the
! service may be queryable from the Internet. Restrict it to internal clients.
ntp master
ntp update-calendar
ntp server 46.165.196.144
ntp server 129.70.132.35
ntp server 85.214.230.247
! Time-range WIFI (daily 01:00-08:00) is not referenced by any ACL entry in this listing.
time-range WIFI
periodic daily 1:00 to 8:00
!
end