katredrum asked:
Cisco Router Configuration - How do you know if an Access-List is being applied?

Hello Cisco Experts,

I have inherited a router that has a bunch of access-lists configured. Most of them are extended lists that seem not to be in use by the lines that are configured. I'm not questioning whether they should be used or not, I just want to find out how to know whether they are being applied; if not, I will delete them.

Also, is there any reason why I should be careful if I delete an unused access-list? I will be taking over admin from here on.

Thanks!
Les Moore:

Access lists can be applied to many things, not just interfaces.
They can be applied to interfaces
They can be used to define NAT traffic
They can be used to apply to route-maps
They can be used to define VPN traffic
You just need to see the whole config to see what acls are being applied where.
"show ip interface x/x" will tell you if any acls are applied to the interface.
If you need help, just post the config. Edit the public IP addresses and any text that gives out too much information.
katredrum (asker):

I will be on a trip so I will post back if I need assistance by Monday or Tuesday.
dylan_leggatt:

If the running-config is long and you're paranoid about missing the list being applied somewhere, you can do a

sh run | i <name_of_access-list>

If the output of this command is only the ACL, you know it's not being applied anywhere. If it returns anything else, like lrmoore mentions above, it's probably in use.
katredrum (asker):

dylan_leggatt, I tried the command you suggested and I am not confident, because one access-list I know I need did not have any output after I ran the command.

Is it accurate when I do a show access-list command that if there are no matches, then the line is not in use? Or if not, why do some lines have matches (i.e. 10583 matches) and some don't? I am also not using the "log" entry at the end of each line.
Here is my config. Can anyone help?

version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authentication login sdm_vpn_xauth_ml_6 local
aaa authentication login sdm_vpn_xauth_ml_7 local
aaa authentication login sdm_vpn_xauth_ml_8 local
aaa authentication login sdm_vpn_xauth_ml_9 local
aaa authentication login sdm_vpn_xauth_ml_10 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
aaa authorization network sdm_vpn_group_ml_5 local
aaa authorization network sdm_vpn_group_ml_6 local
aaa authorization network sdm_vpn_group_ml_7 local
aaa authorization network sdm_vpn_group_ml_8 local
aaa authorization network sdm_vpn_group_ml_9 local
aaa authorization network sdm_vpn_group_ml_10 local
!
aaa session-id common
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
ip dhcp smart-relay
ip dhcp relay information option
!
!
no ip bootp server
ip name-server 4.2.2.2
ip name-server 64.65.64.1
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 http
ip inspect name sdm_ins_out_100 https
ip inspect name sdm_ins_out_100 http
ip inspect name sdm_ins_out_100 tcp
ip inspect name sdm_ins_out_100 udp
ip inspect name sdm_ins_out_100 ftp
ip inspect name SDM_LOW http
ip inspect name SDM_LOW https
!
!
!
!
!
class-map match-any VOICE
 match  dscp ef
!
!
policy-map QOS
 class VOICE
  priority 512

!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_3 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_9
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_9
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 client authentication list sdm_vpn_xauth_ml_4
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_4
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
crypto map SDM_CMAP_3 client authentication list sdm_vpn_xauth_ml_10
crypto map SDM_CMAP_3 isakmp authorization list sdm_vpn_group_ml_10
crypto map SDM_CMAP_3 client configuration address respond
crypto map SDM_CMAP_3 65535 ipsec-isakmp dynamic SDM_DYNMAP_3
!
!
!
!
!
interface FastEthernet0/0
 description LAN Interface$FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 106 in
 ip access-group 114 out
 ip helper-address 192.168.37.4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 crypto map SDM_CMAP_3
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 no cdp enable
!
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip address 192.168.5.1 255.255.255.0
 no cdp enable
!
interface Serial0/0
 description WAN Interface$FW_OUTSIDE$
 ip address (public_ip) 255.255.255.252
 ip access-group 113 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect sdm_ins_in_100 in
 ip inspect sdm_ins_out_100 out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 crypto map SDM_CMAP_1
!
interface Serial1/0
 description P2P to Branch Office
 ip address 192.168.7.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 ip route-cache flow
 service-module t1 timeslots 1-24
 service-policy output QOS
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
ip local pool SDM_POOL_4 192.168.37.1 192.168.37.254
ip local pool SDM_POOL_2 192.168.3.1
ip route 0.0.0.0 0.0.0.0 (public_ip) permanent
ip route 192.168.4.0 255.255.255.0 192.168.7.2 permanent
ip route 192.168.37.0 255.255.255.0 192.168.7.2 permanent
!
ip flow-top-talkers
 top 25
 sort-by bytes
 cache-timeout 100
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
no ip nat create flow-entries
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark Network(s) to be NATed
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 2 remark HTTP(S) Access to SDM
access-list 10 remark Permit Java
access-list 10 remark SDM_ACL Category=1
access-list 10 permit any
access-list 100 remark VTY Access
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip host 192.168.37.4 any
access-list 100 deny   ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 101 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=1
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.37.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark SDM_ACL Category=4
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.1
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.2
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.3
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.4
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.5
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.6
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.7
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.8
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.9
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.2.10
access-list 103 deny   ip 192.168.37.0 0.0.0.255 host 192.168.3.1
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.10
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.3.1
access-list 103 deny   ip 192.168.2.0 0.0.0.255 host 192.168.1.61
access-list 103 deny   ip any host 192.168.2.1
access-list 103 deny   ip any host 192.168.2.2
access-list 103 deny   ip any host 192.168.2.3
access-list 103 deny   ip any host 192.168.2.4
access-list 103 deny   ip any host 192.168.2.5
access-list 103 deny   ip any host 192.168.2.6
access-list 103 deny   ip any host 192.168.2.7
access-list 103 deny   ip any host 192.168.2.8
access-list 103 deny   ip any host 192.168.2.9
access-list 103 permit ip any host 192.168.2.10
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 103 deny   ip host 192.168.1.1 any
access-list 103 deny   ip any 192.168.37.0 0.0.0.255
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.1
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.2
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.3
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.4
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.5
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.6
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.7
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.8
access-list 103 deny   ip 192.168.1.0 0.0.0.255 host 192.168.2.9
access-list 103 permit ip 192.168.1.0 0.0.0.255 host 192.168.2.10
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.37.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 105 remark Test DNS ACL
access-list 105 permit udp any any eq domain
access-list 105 permit udp any eq domain any
access-list 106 permit ip host 192.168.2.1 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.2 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.3 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.4 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.5 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.6 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.7 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.8 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.9 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.2.10 192.168.37.0 0.0.0.255
access-list 106 permit ip host 192.168.3.1 192.168.37.0 0.0.0.255
access-list 106 permit ahp any host 192.168.1.1
access-list 106 permit esp any host 192.168.1.1
access-list 106 permit udp any host 192.168.1.1 eq isakmp
access-list 106 permit udp any host 192.168.1.1 eq non500-isakmp
access-list 106 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255
access-list 106 permit ip 192.168.37.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 106 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 106 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 106 deny   ip (public_ip) 0.0.0.3 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.10
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.9
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.8
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.7
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.6
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.5
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.4
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.3
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.2
access-list 111 deny   ip host 192.168.1.60 host 192.168.2.1
access-list 111 permit ip host 192.168.1.60 any
access-list 111 remark SDM_ACL Category=2
access-list 113 remark WAN Interface Inbound
access-list 113 remark SDM_ACL Category=1
access-list 113 permit tcp host 165.248.35.72 any
access-list 113 permit ip host 192.168.2.1 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.2 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.3 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.4 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.5 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.6 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.7 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.8 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.9 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.2.10 192.168.37.0 0.0.0.255
access-list 113 permit ip host 192.168.3.1 192.168.37.0 0.0.0.255
access-list 113 permit ahp any host (public_ip)
access-list 113 permit esp any host (public_ip)
access-list 113 permit udp any host (public_ip) eq isakmp
access-list 113 permit udp any host (public_ip) eq non500-isakmp
access-list 113 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255
access-list 113 permit ip 192.168.37.0 0.0.0.255 192.0.0.0 0.255.255.255
access-list 113 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 113 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 113 deny   ip 192.168.1.0 0.0.0.255 any
access-list 113 permit icmp any host (public_ip) echo-reply
access-list 113 permit icmp any host (public_ip) time-exceeded
access-list 113 permit icmp any host (public_ip) unreachable
access-list 113 permit ahp any host (public_ip) log
access-list 113 permit tcp any host (public_ip) eq 22
access-list 113 permit tcp any host (public_ip) eq cmd
access-list 113 deny   ip 10.0.0.0 0.255.255.255 any
access-list 113 deny   ip 172.16.0.0 0.15.255.255 any
access-list 113 deny   ip 192.168.0.0 0.0.255.255 any
access-list 113 deny   ip 127.0.0.0 0.255.255.255 any
access-list 113 deny   ip host 255.255.255.255 any
access-list 113 deny   ip host 0.0.0.0 any
access-list 113 permit esp any host (public_ip) log
access-list 113 permit udp any host (public_ip) eq non500-isakmp log
access-list 113 permit udp any host (public_ip) eq isakmp log
access-list 113 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255 log
access-list 113 permit ip host 192.168.3.1 192.168.1.0 0.0.0.255 log
access-list 113 permit tcp any host (public_ip) eq 443
access-list 113 permit tcp any host (public_ip) eq smtp
access-list 113 permit tcp any host (public_ip) eq www
access-list 113 deny   ip any any log
access-list 114 permit ip any any
access-list 114 remark LAN Interface Outbound
access-list 114 remark SDM_ACL Category=17
access-list 121 permit ip 192.168.37.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 remark SDM_ACL Category=1
snmp-server community public RO
no cdp run
!
route-map SDM_RMAP_4 permit 1
 match ip address 110
!
route-map SDM_RMAP_5 permit 1
 match ip address 111
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 108
!
route-map SDM_RMAP_3 permit 1
 match ip address 109
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 transport input telnet ssh
line vty 5 15
 access-class 101 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
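The following is an added example, not code from the thread: it automates what the two answers above describe. Instead of reading `sh run | include <acl>` output by eye, it parses a saved `show running-config`, records every place each ACL is applied (interfaces, vty lines, `ip http access-class`, NAT, SNMP, crypto maps), follows indirect use through route-maps, and flags route-maps that match an ACL but are themselves applied nowhere, which is the situation of SDM_RMAP_2 through SDM_RMAP_5 in the posted config (they match ACLs 108, 109, 110 and 111, and nothing uses those route-maps). The embedded config is a constructed excerpt of the one posted above; the function and pattern names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the config posted in this thread; it keeps one
# instance of each kind of ACL reference that config contains.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip access-group 106 in
 ip access-group 114 out
!
interface Serial0/0
 ip access-group 113 in
!
ip http access-class 2
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 106 permit ip any any
access-list 111 permit ip host 192.168.1.60 any
access-list 113 deny   ip any any log
access-list 114 permit ip any any
!
route-map SDM_RMAP_5 permit 1
 match ip address 111
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_2 permit 1
 match ip address 108
!
line vty 0 4
 access-class 100 in
"""

# Lines that apply an ACL; group 1 captures the ACL number(s) or name(s).
ACL_REF_PATTERNS = [
    r"^ip access-group (\S+) (?:in|out)$",          # under an interface
    r"^access-class (\S+) (?:in|out)$",             # under a line vty/con/aux
    r"^match ip address (.+)$",                     # under a route-map (may list several)
    r"^match address (\S+)$",                       # under a crypto map
    r"^ip http access-class (\S+)$",
    r"^ip nat inside source list (\S+) ",
    r"^snmp-server community \S+ (?:RO|RW) (\S+)$",
]
ACL_DEF = r"^access-list (\S+) |^ip access-list (?:standard|extended) (\S+)$"
BLOCK_HEADERS = ("interface ", "line ", "route-map ", "crypto map ")
_sort_key = lambda a: (0, int(a)) if a.isdigit() else (1, a)  # numbered ACLs first

def parse_config(text):
    """Return (defined ACLs, ACL -> [(context, line)], route-map -> [lines applying it])."""
    acls, acl_refs, rmap_refs = set(), defaultdict(list), defaultdict(list)
    context = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # top-level line: starts a block or is global
            context = line if line.startswith(BLOCK_HEADERS) else "global"
        m = re.match(ACL_DEF, line)
        if m:
            acls.add(m.group(1) or m.group(2))
        for pat in ACL_REF_PATTERNS:
            m = re.match(pat, line)
            if m and not m.group(1).startswith("prefix-list"):
                for name in m.group(1).split():
                    acl_refs[name].append((context, line))
        m = re.search(r"\broute-map (\S+)", line)
        if m and not line.startswith("route-map "):  # e.g. NAT or policy routing applying it
            rmap_refs[m.group(1)].append(line)
    return acls, acl_refs, rmap_refs

def acl_usage(text):
    """Per defined ACL: references that take effect, and ones that dangle (named only by a route-map nothing applies)."""
    acls, acl_refs, rmap_refs = parse_config(text)
    usage = {}
    for acl in sorted(acls, key=_sort_key):
        effective, dangling = [], []
        for context, line in acl_refs.get(acl, []):
            if context.startswith("route-map "):
                rmap = context.split()[1]
                if rmap_refs.get(rmap):
                    effective.append(f"{context} <- {rmap_refs[rmap][0]}")
                else:
                    dangling.append(f"{context} (route-map itself is not applied)")
            else:
                effective.append(f"{context}: {line}")
        usage[acl] = {"effective": effective, "dangling": dangling}
    return usage

def unused_acls(text):
    """ACLs nothing applies, directly or through an applied route-map."""
    return [acl for acl, u in acl_usage(text).items() if not u["effective"]]

def missing_acls(text):
    """ACLs that something references but that are never defined."""
    acls, acl_refs, _ = parse_config(text)
    return sorted((a for a in acl_refs if a not in acls), key=_sort_key)
```

A zero hit count in `show access-list` only means no packet has matched that entry since the counters were last cleared, not that the list is unapplied; the configuration references are the reliable check, and an ACL reached only through an unapplied route-map is doing nothing today but will spring to life if someone later applies that route-map.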
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 transport input telnet ssh
line vty 5 15
 access-class 101 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
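Since the whole question in this thread is which of these lists are bound to anything, here is an added Python example (not code from the thread and not a Cisco utility) that scans saved `show running-config` output for every place IOS can reference an ACL: `ip access-group` on interfaces, `access-class` on vty lines and the HTTP server, `ip nat ... source list`, crypto-map `match address`, an optional ACL on `snmp-server community`, and `match ip address` inside a route-map. A route-map reference only counts as applied when the route-map is itself used, for example by `ip nat inside source route-map`. The sample config is constructed in the style of the one posted above; its first two lines (`ip nat inside source route-map` and `ip http access-class`) are assumptions, because that part of the poster's config is not shown in the thread.

```python
"""Report which Cisco IOS access-lists a running-config actually applies.
Added example, not a Cisco tool and not code from this thread. An ACL matched
only by a route-map counts as applied only when that route-map is in use."""
import re
from collections import defaultdict

# Constructed sample in the style of the config posted above. The first two
# lines are assumptions: that part of the poster's config is not shown here.
SAMPLE_CONFIG = """\
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip http access-class 2
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 121
interface FastEthernet0/0
 ip access-group 113 in
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip any any
access-list 108 permit ip 192.168.1.0 0.0.0.255 any
access-list 113 permit tcp any host 203.0.113.10 eq 22
access-list 113 deny   ip any any log
access-list 114 permit ip any any
access-list 121 permit ip 192.168.37.0 0.0.0.255 192.168.1.0 0.0.0.255
snmp-server community public RO
route-map SDM_RMAP_1 permit 1
 match ip address 103
route-map SDM_RMAP_2 permit 1
 match ip address 108
line vty 0 4
 access-class 100 in
line vty 5 15
 access-class 101 in
end
"""

ACL_DEF = re.compile(r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))")
ROUTE_MAP_HEADER = re.compile(r"^route-map (\S+)")
ROUTE_MAP_MATCH = re.compile(r"^\s*match ip address (\S+)")
ROUTE_MAP_USE = re.compile(r"\broute-map (\S+)")      # NAT, PBR, redistribute, neighbor ...
DIRECT_REFS = [                                        # (pattern, where the ACL is bound)
    (re.compile(r"^\s*ip access-group (\S+) (?:in|out)\b"), "interface ip access-group"),
    (re.compile(r"^\s*(?:ip http )?access-class (\S+)"), "access-class"),
    (re.compile(r"^\s*ip nat (?:inside|outside) source list (\S+)"), "ip nat source list"),
    (re.compile(r"^\s*match address (\S+)"), "crypto map match address"),
    (re.compile(r"^\s*snmp-server community \S+ R[OW] (\S+)"), "snmp-server community"),
]

def _sort_key(acl):
    return (0, int(acl)) if acl.isdigit() else (1, acl)

def analyze(config_text):
    """Return defined/applied/unreferenced ACLs and route-maps that match an ACL but are unused."""
    defined, rm_used, current_rm = set(), set(), None
    applied, rm_matches = defaultdict(list), defaultdict(list)  # acl -> places; route-map -> acls
    for line in config_text.splitlines():
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
            continue
        m = ROUTE_MAP_HEADER.match(line)
        if m:
            current_rm = m.group(1)
            continue
        if not line.startswith(" "):          # left the route-map stanza
            current_rm = None
        m = ROUTE_MAP_MATCH.match(line)
        if m and current_rm:
            rm_matches[current_rm].append(m.group(1))
            continue
        m = ROUTE_MAP_USE.search(line)
        if m:
            rm_used.add(m.group(1))
        for pattern, where in DIRECT_REFS:
            m = pattern.match(line)
            if m:
                applied[m.group(1)].append(f"{where}: {line.strip()}")
    dangling = {}
    for rm, acls in rm_matches.items():
        for acl in acls:
            if rm in rm_used:
                applied[acl].append(f"route-map {rm} (route-map is in use)")
            else:
                dangling.setdefault(rm, []).append(acl)
    referenced = set(applied)
    return {
        "defined": sorted(defined, key=_sort_key),
        "applied": dict(applied),
        "unreferenced": sorted(defined - referenced, key=_sort_key),
        "undefined": sorted(referenced - defined, key=_sort_key),
        "dangling_route_maps": dangling,
    }

if __name__ == "__main__":
    report = analyze(SAMPLE_CONFIG)
    for acl in report["defined"]:
        print(acl, "->", "; ".join(report["applied"].get(acl, ["NOT REFERENCED"])))
    print("route-maps matching an ACL but not used:", report["dangling_route_maps"])
```

Run it on the text of `show running-config` saved from the router. Two things the report surfaces that match counters cannot: `show access-lists` counters only tell you whether traffic has hit an entry, so an applied list with no traffic looks identical to an unapplied one; and the `undefined` list matters because an `ip access-group` that names a list which no longer exists permits all traffic on that interface, which is the main reason to check references before deleting a list rather than after.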
ASKER CERTIFIED SOLUTION
CanalIns
(solution text available to Experts Exchange members only)
SOLUTION
(solution text available to Experts Exchange members only)
I would like to implement your suggestion regarding acl 100 and 101, but do not know what the difference is between line vty 0 4 and line vty 5 15. I remember it being some kind of permission with 15 being the highest but it's been a long time.

If I consolidate using your command line vty 0 15 will that allow both users' access to the router? We have a third-party vendor for our phones that needs access to the router.

I believe acl 2 is for http for the sdm but not acl 100 and 101, those are for line vty access.

Do you know what acl 1 is for? I can't seem to figure that one out.
Does not look like acl 1 is applied anywhere.
The vty lines are telnet sessions into the router. By default it supports up to 16 simultaneous telnet sessions to the router itself. You cannot determine which group you will be assigned, except they are first come first served. Lines vty 0 4 must be exhausted with concurrent sessions before line vty 5 will be used. I would simply use acl 100 on 0-15 and delete 101 because 101 will virtually never be used and 100 includes the same subnet.
Acl 103 is a total mess. Since it is applied to the NAT process for the sole purpose of bypassing nat between the local lan and the VPN clients, it can be consolidated down to a simple acl like this:
 access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 access-list 103 permit ip any any
Done.
Does access-list 103 have to have the deny entry before the permit entry? Also, does this ACL have an implicit deny at the end of the ACL?

Thanks for taking the time to help me understand this. I appreciate it a lot.


I also am trying to consolidate the line vty 0 4 and line vty 5 15 but am running into an error. I can delete vty 5 15 but when I try to add a new line for vty 0 15 it just adds the line vty 5 15 again. So then I try to delete both vty 0 4 and 5 15; I can delete vty 5 15 but get this error when I try to delete vty 0 4.


Cisco(config)#no line vty 0 4
% Can't delete last 5 VTY lines

Is there a way to edit this instead of deleting it? I can't seem to consolidate to make the line vty 0 15.
Yes, acl 103 has to have the deny line first. Since the acl is applied to nat, it is saying this:
If your IP address is 192.168.1.x and you are going to 192.168.2.x then you are denied from the nat process.
If your IP address is 192.168.1.x and you are going anyplace else, you are permitted to use NAT.

For the vty, just simply do this:

line vty 0 15
 access-class 100 in

If it still shows two different groups in the config, they should at least now have the same acl 100, and you're done. Don't waste brain cells trying to figure out why it shows up that way.
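The ordering point made above (the deny must come before the permit, and anything that matches nothing hits the implicit deny) can be checked rather than remembered. As an added example that is not code from the thread or from Cisco, the Python below evaluates a source/destination pair against a numbered extended ACL top-down, the way IOS does, and also flags entries that are shadowed by an earlier entry. It models only the `ip` protocol keyword with `any`, `host` and wildcard addresses (no ports), which is all the two-line access-list 103 proposed above needs; the `ACL_103` lines are those two entries, and the reversed copy is constructed to show what goes wrong with the permit first.

```python
"""First-match evaluation of a Cisco numbered extended ACL, with shadow check.
Added example, not code from the thread or from Cisco. Only any/host/wildcard
addresses are modelled (no ports). In a NAT or route-map context a 'deny'
match means 'do not translate', not 'drop the packet'."""
import ipaddress

# The two-line access-list 103 proposed above, plus the same entries reversed.
ACL_103 = [
    "access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 103 permit ip any any",
]
ACL_103_REVERSED = list(reversed(ACL_103))

def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return (base, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return base, wild, i + 2

def parse_ace(line):
    """access-list <n> permit|deny <proto> <src> <dst> [eq ...] [log] -> dict."""
    t = line.split()
    src, src_wc, i = _addr(t, 4)
    dst, dst_wc, _ = _addr(t, i)
    return {"action": t[2], "proto": t[3], "src": (src, src_wc),
            "dst": (dst, dst_wc), "text": line.strip()}

def _hits(addr, spec):
    """True when addr agrees with base on every bit the wildcard leaves fixed (0 bits)."""
    base, wild = spec
    fixed = ~wild & 0xFFFFFFFF
    return (addr & fixed) == (base & fixed)

def evaluate(acl_lines, src_ip, dst_ip, proto="ip"):
    """Walk the list top-down; the first matching entry wins, else implicit deny."""
    src, dst = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] in ("ip", proto) and _hits(src, ace["src"]) and _hits(dst, ace["dst"]):
            return ace["action"], ace["text"]
    return "deny", "implicit deny at end of list"

def _covers(outer, inner):
    """True when every address matched by inner is also matched by outer."""
    (ob, ow), (ib, iw) = outer, inner
    fixed = ~ow & 0xFFFFFFFF
    return (ow | iw) == ow and (ib & fixed) == (ob & fixed)

def shadowed(acl_lines):
    """Entries that can never match because an earlier entry already covers them."""
    aces, out = list(map(parse_ace, acl_lines)), []
    for n, ace in enumerate(aces):
        for earlier in aces[:n]:
            if (earlier["proto"] in ("ip", ace["proto"])
                    and _covers(earlier["src"], ace["src"])
                    and _covers(earlier["dst"], ace["dst"])):
                out.append(ace["text"])
                break
    return out

if __name__ == "__main__":
    # 192.168.2.7 stands in for a VPN client, 198.51.100.1 for an Internet host.
    for lines, label in ((ACL_103, "deny first  "), (ACL_103_REVERSED, "permit first")):
        print(label, "LAN->VPN client:", evaluate(lines, "192.168.1.5", "192.168.2.7"))
        print(label, "LAN->Internet:  ", evaluate(lines, "192.168.1.5", "198.51.100.1"))
        print(label, "shadowed:", shadowed(lines))
```

With the deny first, LAN-to-VPN-client traffic matches the deny (so NAT leaves it alone) and everything else falls through to the permit. With the permit first, `permit ip any any` covers every address the deny could match, the deny is reported as shadowed, and the VPN traffic gets translated. With the deny line alone, traffic to the Internet reaches the end of the list and hits the implicit deny, which in the NAT context means nothing would be translated at all.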

Thank you so much for your input! I really appreciate it!