After a good stretch of peace and quiet with the old CBAC, I had the brilliant idea of upgrading the IOS on an 877-K9 from version 124-6.T7 to 124-24.T4 to take advantage of the more versatile (so Cisco says) C3PL (or whatever it's called).
Once the IOS was upgraded, everything went back to working correctly as before.
The config has 3 site-to-site VPNs to three different sites. So far so good.
The pain started when I enabled the firewall with basic settings.
I should say up front that I use SDM for the configurations; even if it is a bit messy, it has done its "dirty work" up to now.
As soon as I enabled the firewall, it cut off the connections through the VPNs.
In testing, the VPNs are up and seem to be fine, but the firewall does not allow traffic from the 3 LANs to the head office LAN.
I have tried everything, including setting permits on the firewall from outside to inside for the 3 LAN addresses, but nothing works. The Microsoft RDM does not connect, and the remote sites cannot ping the head office server.
I could use some help reading the config, to try to find out which ACL or which MATCH is causing problems for the VPN connections.
I know, the config is a bit long, but I'm hoping some saint will give me a hand, also to help me understand where I'm going wrong.
CONF
Building configuration...
Current configuration : 22071 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Avezzano
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$II8H$bqDvQTur2KtIKdhOk7FAD1
!
no aaa new-model
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-2526784081
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2526784081
revocation-check none
rsakeypair TP-self-signed-2526784081
!
!
crypto pki certificate chain TP-self-signed-2526784081
certificate self-signed 01
30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353236 37383430 3831301E 170D3037 30393035 31373032
35355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35323637
38343038 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C294 4459243D 770C905E 0224A87E A3EBEE68 F794A12E 248FDCF0 62B80B4C
402A7E8C A8DABCF2 981CA9B2 34548BF7 DDB3FDE2 600D2FAB B274D0AB 89877F37
7F0265CE C5F91417 868D44D2 FF780C9C 0A00F71C BFE83E78 B3172336 6E5B41F6
E92D4AF5 4C0D47FB 1E303805 C8170D92 F1E5A8C2 F608C9E6 50540C85 704A1E31
11630203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
551D1104 1D301B82 19417665 7A7A616E 6F2E696E 74657262 7573696E 6573732E
6974301F 0603551D 23041830 16801400 DBA8616C 31FD7A3D 034E6122 7CD8A6CC
748D1A30 1D060355 1D0E0416 041400DB A8616C31 FD7A3D03 4E61227C D8A6CC74
8D1A300D 06092A86 4886F70D 01010405 00038181 009C6029 672AD9B1 FFCE82B5
EF046850 8A53CB99 7015D697 EED1E85A 36FE96FF D90BCCA9 89454D7E 8E06965B
F05C4462 6B913B6F 0CF638C9 32AB686A 16F3A821 E7F87306 4C0318F2 946DE2DF
BF45F297 000A740B 797262B6 3ACF1FDF 98C448D9 A61D3D90 6722E437 436E2E89
B3FD3FC7 0E09FEB7 0A29192C FDA84A0C 8C58DFC2 89
quit
dot11 syslog
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.41 192.168.1.254
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 151.99.125.1 192.168.1.2
default-router 192.168.1.1
domain-name ridolfi.intra
netbios-name-server 192.168.1.2
lease 15
!
!
ip cef
no ip bootp server
ip domain name interbusiness.it
ip name-server 151.99.125.1
ip name-server 151.99.0.100
no ip ips notify log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxxxxxx privilege 15 secret 5 $1$RF1.$pdaxwN34yy4V0No9shLa7.
username xxxxxxx privilege 15 secret 5 $1$3g2/$/UF.J1oB8RGygWn4jK2wD0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
hash md5
authentication pre-share
crypto isakmp key xxxxxxx address 88.35.xx.33
crypto isakmp key xxxxxxx address 94.88.xx.57
crypto isakmp key xxxxxxx address 93.189.xx.160
!
!
crypto ipsec transform-set Personale esp-des
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to88.35.xx.33
set peer 88.35.xx.33
set transform-set Personale
set pfs group1
match address 102
reverse-route
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to94.88.xx.57
set peer 94.88.xx.57
set transform-set ESP-3DES-SHA
match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to93.189.xx.160
set peer 93.189.xx.160
set transform-set ESP-3DES-SHA
match address 109
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 113
class-map type inspect match-any SDM_TELNET
match access-group name SDM_TELNET
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_TELNET
match class-map SDM_HTTP
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 112
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-mgmt-cls-sdm-permit-5
match class-map sdm-mgmt-cls-0
match access-group 119
class-map type inspect match-all sdm-mgmt-cls-sdm-permit-4
match class-map sdm-mgmt-cls-0
match access-group 118
class-map type inspect match-all sdm-mgmt-cls-sdm-permit-1
match class-map sdm-mgmt-cls-0
match access-group 115
class-map type inspect match-all sdm-mgmt-cls-sdm-permit-0
match class-map sdm-mgmt-cls-0
match access-group 114
class-map type inspect match-all sdm-mgmt-cls-sdm-permit-3
match class-map sdm-mgmt-cls-0
match access-group 117
class-map type inspect match-all sdm-mgmt-cls-sdm-permit-2
match class-map sdm-mgmt-cls-0
match access-group 116
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 111
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
pass
class class-default
drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class class-default
drop
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
pass
class type inspect sdm-mgmt-cls-sdm-permit-0
inspect
class type inspect sdm-mgmt-cls-sdm-permit-1
inspect
class type inspect sdm-mgmt-cls-sdm-permit-2
inspect
class type inspect sdm-mgmt-cls-sdm-permit-3
inspect
class type inspect sdm-mgmt-cls-sdm-permit-4
inspect
class type inspect sdm-mgmt-cls-sdm-permit-5
inspect
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description IP Esterno$ES_WAN$$FW_OUTSIDE$
ip address 88.41.xx.121 255.255.255.xxx
ip access-group 106 in
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
pvc 8/35
encapsulation aal5snap
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description IP Interno$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 108 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 88.35.xx.33 255.255.255.255 ATM0.1
ip route 93.189.xx.160 255.255.255.255 ATM0.1
ip route 94.88.xx.57 255.255.255.255 ATM0.1
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool Spoltore 192.168.1.50 192.168.1.60 netmask 255.255.255.0
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTP
remark SDM_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark SDM_ACL Category=0
permit tcp any any eq telnet
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 94.88.xx.57
access-list 2 permit 88.35.xx.33
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 permit 194.184.xx.129
access-list 2 permit 93.189.xx.160
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 194.184.xx.129
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.1 eq telnet
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet
access-list 103 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 103 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.1 eq www
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 103 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 103 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 103 permit tcp 192.168.4.0 0.0.0.255 host 192.168.1.1
access-list 103 deny tcp any host 192.168.1.1 eq telnet
access-list 103 deny tcp any host 192.168.1.1 eq 22
access-list 103 deny tcp any host 192.168.1.1 eq www
access-list 103 deny tcp any host 192.168.1.1 eq 443
access-list 103 deny tcp any host 192.168.1.1 eq cmd
access-list 103 deny udp any host 192.168.1.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark SDM_ACL Category=2
access-list 104 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark SDM_ACL Category=1
access-list 105 permit ip host 194.184.xx.129 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip host 94.88.xx.57 any
access-list 105 permit ip 192.168.3.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip host 88.35.xx.33 any
access-list 105 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 deny ip any any
access-list 106 remark Auto generated by SDM Management Access feature
access-list 106 remark SDM_ACL Category=1
access-list 106 permit tcp host 194.184.xx.129 host 88.41.xx.121 eq telnet
access-list 106 permit tcp host 0.0.0.0 host 88.41.xx.121 eq telnet
access-list 106 permit tcp host 94.88.xx.57 host 88.41.xx.121 eq telnet
access-list 106 permit tcp 192.168.3.0 0.0.0.255 host 88.41.xx.121 eq telnet
access-list 106 permit tcp host 192.168.2.0 host 88.41.xx.121 eq telnet
access-list 106 permit tcp host 88.35.xx.33 host 88.41.xx.121 eq telnet
access-list 106 permit tcp host 194.184.xx.129 host 88.41.xx.121 eq 22
access-list 106 permit tcp host 0.0.0.0 host 88.41.xx.121 eq 22
access-list 106 permit tcp host 94.88.xx.57 host 88.41.xx.121 eq 22
access-list 106 permit tcp 192.168.3.0 0.0.0.255 host 88.41.xx.121 eq 22
access-list 106 permit tcp host 192.168.2.0 host 88.41.xx.121 eq 22
access-list 106 permit tcp host 88.35.xx.33 host 88.41.xx.121 eq 22
access-list 106 permit tcp host 194.184.xx.129 host 88.41.xx.121 eq www
access-list 106 permit tcp host 0.0.0.0 host 88.41.xx.121 eq www
access-list 106 permit tcp host 94.88.xx.57 host 88.41.xx.121 eq www
access-list 106 permit tcp 192.168.3.0 0.0.0.255 host 88.41.xx.121 eq www
access-list 106 permit tcp host 192.168.2.0 host 88.41.xx.121 eq www
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host 88.41.xx.121 eq www
access-list 106 permit tcp host 88.35.xx.33 host 88.41.xx.121 eq www
access-list 106 permit tcp host 194.184.xx.129 host 88.41.xx.121 eq 443
access-list 106 permit tcp host 0.0.0.0 host 88.41.xx.121 eq 443
access-list 106 permit tcp host 94.88.xx.57 host 88.41.xx.121 eq 443
access-list 106 permit tcp 192.168.3.0 0.0.0.255 host 88.41.xx.121 eq 443
access-list 106 permit tcp host 192.168.2.0 host 88.41.xx.121 eq 443
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host 88.41.xx.121 eq 443
access-list 106 permit tcp host 88.35.xx.33 host 88.41.xx.121 eq 443
access-list 106 permit tcp host 194.184.xx.129 host 88.41.xx.121 eq cmd
access-list 106 permit tcp host 0.0.0.0 host 88.41.xx.121 eq cmd
access-list 106 permit tcp host 94.88.xx.57 host 88.41.xx.121 eq cmd
access-list 106 permit tcp 192.168.3.0 0.0.0.255 host 88.41.xx.121 eq cmd
access-list 106 permit tcp host 192.168.2.0 host 88.41.xx.121 eq cmd
access-list 106 permit tcp host 88.35.xx.33 host 88.41.xx.121 eq cmd
access-list 106 deny tcp any host 88.41.xx.121 eq telnet
access-list 106 deny tcp any host 88.41.xx.121 eq 22
access-list 106 deny tcp any host 88.41.xx.121 eq www
access-list 106 deny tcp any host 88.41.xx.121 eq 443
access-list 106 deny tcp any host 88.41.xx.121 eq cmd
access-list 106 deny udp any host 88.41.xx.121 eq snmp
access-list 106 permit udp host 151.99.125.1 eq domain any
access-list 106 permit udp host 151.99.0.100 eq domain any
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit udp host 93.189.xx.160 host 88.41.xx.121 eq non500-isakmp
access-list 106 permit udp host 93.189.xx.160 host 88.41.xx.121 eq isakmp
access-list 106 permit esp host 93.189.xx.160 host 88.41.xx.121
access-list 106 permit ahp host 93.189.xx.160 host 88.41.xx.121
access-list 106 remark Auto generated by SDM for NTP (123) ntp.inrim.it
access-list 106 permit udp host 193.204.xx.105 eq ntp host 88.41.xx.121 eq ntp
access-list 106 permit udp host 151.99.0.100 eq domain host 88.41.xx.121
access-list 106 permit udp host 151.99.125.1 eq domain host 88.41.xx.121
access-list 106 deny ip 192.168.1.0 0.0.0.255 any
access-list 106 permit icmp any host 88.41.xx.121 echo-reply
access-list 106 permit icmp any host 88.41.xx.121 time-exceeded
access-list 106 permit icmp any host 88.41.xx.121 unreachable
access-list 106 deny ip 10.0.0.0 0.255.255.255 any
access-list 106 deny ip 172.16.0.0 0.15.255.255 any
access-list 106 deny ip 192.168.0.0 0.0.255.255 any
access-list 106 deny ip 127.0.0.0 0.255.255.255 any
access-list 106 deny ip host 255.255.255.255 any
access-list 106 deny ip host 0.0.0.0 any
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit udp host 94.88.xx.57 host 88.41.xx.121 eq non500-isakmp
access-list 106 permit udp host 94.88.xx.57 host 88.41.xx.121 eq isakmp
access-list 106 permit esp host 94.88.xx.57 host 88.41.xx.121
access-list 106 permit ahp host 94.88.xx.57 host 88.41.xx.121
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit udp host 88.35.xx.33 host 88.41.xx.121 eq non500-isakmp
access-list 106 permit udp host 88.35.xx.33 host 88.41.xx.121 eq isakmp
access-list 106 permit esp host 88.35.xx.33 host 88.41.xx.121
access-list 106 permit ahp host 88.35.xx.33 host 88.41.xx.121
access-list 106 permit ip any any
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 108 remark auto generated by SDM firewall configuration
access-list 108 remark SDM_ACL Category=1
access-list 108 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet
access-list 108 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 108 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 108 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 108 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 108 deny tcp any host 192.168.1.1 eq telnet
access-list 108 deny tcp any host 192.168.1.1 eq 22
access-list 108 deny tcp any host 192.168.1.1 eq www
access-list 108 deny tcp any host 192.168.1.1 eq 443
access-list 108 deny tcp any host 192.168.1.1 eq cmd
access-list 108 deny udp any host 192.168.1.1 eq snmp
access-list 108 deny ip 88.41.xx.120 0.0.0.7 any
access-list 108 deny ip host 255.255.255.255 any
access-list 108 deny ip 127.0.0.0 0.255.255.255 any
access-list 108 permit ip any any
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit icmp any any
access-list 111 remark SDM_ACL Category=128
access-list 111 permit ip host 255.255.255.255 any
access-list 111 permit ip 127.0.0.0 0.255.255.255 any
access-list 111 permit ip 88.41.xx.120 0.0.0.7 any
access-list 112 remark SDM_ACL Category=128
access-list 112 permit ip host 93.189.xx.160 any
access-list 113 remark SDM_ACL Category=0
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 114 remark Auto generated by SDM Management Access feature
access-list 114 remark SDM_ACL Category=1
access-list 114 permit ip 192.168.3.0 0.0.0.255 host 88.41.xx.121
access-list 115 remark Auto generated by SDM Management Access feature
access-list 115 remark SDM_ACL Category=1
access-list 115 permit ip host 192.168.2.0 host 88.41.xx.121
access-list 116 remark Auto generated by SDM Management Access feature
access-list 116 remark SDM_ACL Category=1
access-list 116 permit ip host 94.88.xx.57 host 88.41.xx.121
access-list 117 remark Auto generated by SDM Management Access feature
access-list 117 remark SDM_ACL Category=1
access-list 117 permit ip host 0.0.0.0 host 88.41.xx.121
access-list 118 remark Auto generated by SDM Management Access feature
access-list 118 remark SDM_ACL Category=1
access-list 118 permit ip host 88.35.xx.33 host 88.41.xx.121
access-list 119 remark Auto generated by SDM Management Access feature
access-list 119 remark SDM_ACL Category=1
access-list 119 permit ip host 194.184.xx.129 host 88.41.xx.121
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner login ^CCCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 105 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 193.204.114.105 prefer
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
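To check which entry each ACL in the config above actually hits for a given flow, here is a small first-match ACL evaluator. This is an added example for this thread, not code from the original post. It loads ACLs 101, 106 and 113 copied from the config, leaving out the entries whose addresses the poster masked with "xx" (none of those can match a private-to-private flow), and traces a constructed RDP-style flow from a remote-site host to 192.168.1.2 (the internal server named in the DHCP pool, used here as a stand-in for the head office server; the host addresses and the port are constructed). Two things are visible in the config itself: in ACL 106 the `deny ip 192.168.0.0 0.0.255.255 any` entry comes before the IPsec permits for 192.168.2.0 and 192.168.3.0 but after the one for 192.168.4.0, and a `pass` action in a zone-pair policy is stateless, so the reverse direction (in-zone to out-zone, policy sdm-inspect) has to allow the return packets on its own. Whether an inbound interface ACL is re-applied to packets after IPsec decryption depends on the IOS release, so the hit counters from `show access-lists 106` on the router are the way to confirm which entry the decrypted traffic really lands on.

```python
"""First-match ACL tracer for the numbered ACLs in the posted config.

Added example, not code from the original post. CONFIG holds entries copied
from the config above (masked "xx" entries omitted); the flows are constructed.
"""
import ipaddress

# Copied from the posted config, in the original order. 106 is applied inbound
# on ATM0.1, 113 is the class behind sdm-pol-VPNOutsideToInside-1, and 101 is
# the NAT route-map ACL (deny = do not translate).
CONFIG = """
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 106 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 deny ip 192.168.1.0 0.0.0.255 any
access-list 106 deny ip 10.0.0.0 0.255.255.255 any
access-list 106 deny ip 172.16.0.0 0.15.255.255 any
access-list 106 deny ip 192.168.0.0 0.0.255.255 any
access-list 106 deny ip 127.0.0.0 0.255.255.255 any
access-list 106 deny ip host 255.255.255.255 any
access-list 106 deny ip host 0.0.0.0 any
access-list 106 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit ip any any
access-list 113 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 113 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 113 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# IOS port keywords used in the post, mapped to port numbers.
PORT_NAMES = {"telnet": 23, "www": 80, "cmd": 514, "domain": 53, "snmp": 161,
              "ntp": 123, "isakmp": 500, "non500-isakmp": 4500}


def _wildcard_to_prefixlen(wildcard):
    """IOS wildcard mask (0 bits must match) -> prefix length; rejects non-contiguous masks."""
    bits = int(ipaddress.IPv4Address(wildcard))
    ones = bits.bit_length()
    if bits != (1 << ones) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return 32 - ones


def _take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network((tokens[0], _wildcard_to_prefixlen(tokens[1])), strict=False)
    return net, tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq PORT'; return (port number or None, remaining tokens)."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        port = tokens[1]
        return (PORT_NAMES[port] if port in PORT_NAMES else int(port)), tokens[2:]
    return None, tokens


def parse_acls(config_text):
    """Group 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines by ACL number."""
    acls = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number, action, proto = tok[1], tok[2], tok[3]
        src, rest = _take_addr(tok[4:])
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        acls.setdefault(number, []).append(
            {"action": action, "proto": proto, "src": src, "sport": sport,
             "dst": dst, "dport": dport, "text": line.strip()})
    return acls


def evaluate(acl, src, dst, proto, dport=None, sport=None):
    """First-match evaluation of one ACL; IOS ACLs end with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e["proto"] not in ("ip", proto):
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["text"]
    return "deny", "implicit deny at end of access-list"


def trace_remote_to_hq(acls, src, dst="192.168.1.2", dport=3389):
    """Constructed flow from a remote-site host to the HQ server, plus the reverse
    direction against the NAT route-map ACL. Returns {acl number: (action, entry)}."""
    return {
        "106": evaluate(acls["106"], src, dst, "tcp", dport),  # ATM0.1 'ip access-group 106 in'
        "113": evaluate(acls["113"], src, dst, "tcp", dport),  # out-zone -> in-zone 'pass' class
        "101": evaluate(acls["101"], dst, src, "tcp"),         # return packets: deny = not NATed
    }


if __name__ == "__main__":
    table = parse_acls(CONFIG)
    for host in ("192.168.2.10", "192.168.4.10"):
        print(f"--- {host} -> 192.168.1.2 tcp/3389")
        for number, (action, entry) in trace_remote_to_hq(table, host).items():
            print(f"ACL {number}: {action:6} <- {entry}")
```

Run it as is and compare the two hosts: the 192.168.4.0 flow is permitted by ACL 106 on its first entry, while the 192.168.2.0 flow is stopped by the RFC1918 deny before it reaches its own IPsec permit, even though ACL 113 permits both. Extend CONFIG with the remaining entries once the masked addresses are filled in from the real config.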