This router is configured with Zone-Based Firewalling (ZBF).
Building configuration...
! IOS 15.1 running-config export. Sub-command indentation has been stripped by the
! export, so section members appear at column 0 throughout.
version 15.1
! Detect dead peers on the router's own TCP listeners (SSH/SCP, WebVPN) and on
! router-originated sessions so stale connections are torn down.
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Type-7 obfuscation of plaintext passwords in the config. This is reversible and is
! not a substitute for `secret`-style hashes; user/enable credentials below use `secret`.
service password-encryption
service sequence-numbers
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
!
! Logging goes to the local buffer and to persistent flash only. No `logging host`
! appears in this export -- NOTE(review): confirm events are also forwarded to an
! off-box syslog collector, otherwise they are lost on a compromised or reloaded device.
logging buffered 1000000 informational
logging persistent size 500000 filesize 50000
no logging console
! Type-4 secret. NOTE(review): per Cisco's own guidance type 4 is weaker than type 5;
! migrate to type 8/9 (`enable secret 8|9`) where the running image supports them.
enable secret 4 **********
!
aaa new-model
!
!
! All logins (console, vty, aux, modem line 1) and the WebVPN list authenticate
! against the local user database; EXEC authorization is also local.
aaa authentication login default local
aaa authentication login COMP_WEBVPN_AUTHE_LIST local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
!
! Self-signed trustpoint; the numeric suffix of its name is missing in this export.
! `revocation-check none` is expected for a self-signed certificate.
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
! Publicly issued certificate for the WebVPN gateway (referenced by
! `ssl trustpoint Comodo2013_TP` under `webvpn gateway WEBVPN_GW`).
! NOTE(review): `fqdn vpn.COMP-ts.com` and the subject CN `vpn.COMP.com` differ --
! values may be redacted, but verify the issued certificate's CN/SAN matches the
! hostname VPN clients actually connect to, or they will see certificate warnings.
! `revocation-check crl` requires the CRL distribution point to be reachable from
! the router through the SELF_ISP policy.
crypto pki trustpoint Comodo2013_TP
enrollment terminal
fqdn vpn.COMP-ts.com
subject-name CN=vpn.COMP.com,OU=ICT,O= B.V.,L=ST=Limburg,C=NL
revocation-check crl
rsakeypair SSLVPN
!
! Intermediate/root CA trustpoints for the chain above; CA certs are pasted in via terminal.
crypto pki trustpoint UTNAddTrust
enrollment terminal
revocation-check crl
!
crypto pki trustpoint ComodoHighAssuranceCA
enrollment terminal
revocation-check crl
!
!
! Certificate chains. The hex certificate bodies have been omitted from this export;
! only the serial numbers remain.
crypto pki certificate chain TP-self-signed-
certificate self-signed 01
quit
crypto pki certificate chain Comodo2013_TP
certificate B6300E06 03551D0F
quit
certificate ca 1690C329B6780607511F05B0344846CB
quit
crypto pki certificate chain UTNAddTrust
certificate ca 01
quit
! Same CA serial as the one attached to Comodo2013_TP above.
crypto pki certificate chain ComodoHighAssuranceCA
certificate ca 1690C329B6780607511F05B0344846CB
quit
! Discard packets carrying IP source-route options (prevents source-routed bypass of the firewall policy).
no ip source-route
!
!
!
!
!
ip cef
ip domain name COMP.local
! The router's own name resolution (CRL fetches, NTP by name, etc.) uses public
! resolvers over plain UDP/TCP 53; these queries leave via the SELF_ISP policy.
ip name-server 8.8.8.8
ip name-server 8.8.4.4
! No `ipv6 unicast-routing` appears in this export -- NOTE(review): the IPv6
! access-lists referenced by the class-maps below are presumably inert until IPv6
! forwarding is enabled; review them before that happens.
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
! Out-of-order TCP segment handling for the `inspect` action (queue depth and memory cap).
parameter-map type ooo global
tcp reassembly queue length 128
tcp reassembly memory limit 8192
!
!
!
!
!
!
! Platform: Cisco 891 (serial redacted).
license udi pid CISCO891-K9 sn ***
!
!
! Configuration-change logger with password masking. NOTE(review): no `logging enable`
! is present under `log config` in this export; confirm config-change logging is
! actually active (`show archive log config all`).
archive
log config
hidekeys
! TCP 8000-8005; permitted outbound from the DATA LAN in COMP_ISP_INSP_ACL.
object-group service COMMUNICATION
tcp eq 8000
tcp eq 8001
tcp eq 8002
tcp eq 8003
tcp eq 8004
tcp eq 8005
!
! Internal hosts reachable from the Internet on HTTPS (ISP_COMP_HTTPS_ACL / ISP_COMP_HTTPS_INSP_CM).
object-group network ISP_COMP_HTTPS_OG
host 192.168.20.53
host 192.168.20.60
host 192.168.20.54
!
! Internal host reachable from the Internet on HTTP (ISP_COMP_HTTP_ACL).
object-group network ISP_COMP_HTTP_OG
host 192.168.20.60
!
! Internal mail server that may receive SMTP from the Internet (ISP_COMP_SMTP_ACL).
object-group network ISP_COMP_SMTP_OG
host 192.168.20.58
!
! Internal hosts allowed to originate SMTP to the Internet (COMP_ISP_SMTP_ACL);
! all other outbound SMTP from the LAN is dropped by COMP_ISP_PM.
object-group network COMP_ISP_SMTP_OG
host 192.168.20.53
host 192.168.20.58
!
! External management hosts: passed to the router (all IP) in ISP_SELF_PASS_ACL and
! back out in SELF_ISP_PASS_ACL. This is the only unrestricted path to the self zone
! from the ISP side, so keep this group tight.
object-group network ICTINFRA_EXT_OG
host 212.178.223.68
host 185.47.120.1
!
! Only these external sources may deliver SMTP to the internal mail server (ISP_COMP_SMTP_ACL).
object-group network WEBSENSE_ICT_OG
host 212.203.16.67
host 212.178.107.133
host 212.203.16.66
host 212.178.107.132
!
! VTP in transparent mode (no VLAN database propagation). NOTE(review): the VTP
! source interface Vlan10 has no IP address configured below.
vtp interface Vlan10
vtp domain COMP
vtp mode transparent
vtp version 2
! Local accounts (type-4 secrets, see the note on `enable secret`). `jeff` is
! privilege 0; `admin` is privilege 15. NOTE(review): `line vty 0 4` sets
! `privilege level 15` -- with `aaa authorization exec default local` the per-user
! level should win, but verify with `show privilege` after logging in as jeff.
username admin privilege 15 secret 4 ***
username jeff privilege 0 secret 4 ***
!
!
!
!
! VLAN 10 = DATA (L3 on FastEthernet8, not on Vlan10 SVI); VLAN 99 = GUEST (L3 on Vlan99).
vlan 10
name DATA
!
vlan 99
name GUEST
!
! Shorter SYN wait for router-originated TCP connections.
ip tcp synwait-time 10
ip tcp path-mtu-discovery age-timer 30
! NOTE(review): Vlan10 has no IP address in this export, so TFTP sourced from it
! will fail; point this at FastEthernet8 or give Vlan10 an address.
ip tftp source-interface Vlan10
! SSH hardening: v2 only, 60 s negotiation timeout, two password attempts, event logging.
! No `login block-for` is configured -- NOTE(review): consider it to throttle
! password guessing on the vty lines.
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
! SCP (over SSH) is the file-transfer path into the device.
ip scp server enable
!
! ZBF class-maps. Naming: <SOURCE>_<DEST>_{PASS,INSP}_CM; PASS classes feed a
! stateless `pass` action and INSP classes a stateful `inspect` action in the
! matching policy-map. `match-any` classes hit on either their IPv4 or IPv6 ACL.
class-map type inspect match-any ISP_SELF_INSP_CM
match access-group name ISP_SELF_INSP_ACL
class-map type inspect match-any SELF_ISP_INSP_CM
match access-group name SELF_ISP_INSP_ACL
class-map type inspect match-any COMP_ISP_PASS_CM
match access-group name COMP_ISP_PASS_ACL
class-map type inspect match-any ISP_COMP_PASS_CM
match access-group name ISP_COMP_PASS_ACL
! match-all: must be HTTPS (application inspection) AND destined to ISP_COMP_HTTPS_OG.
class-map type inspect match-all ISP_COMP_HTTPS_INSP_CM
match protocol https
match access-group name ISP_COMP_HTTPS_ACL
class-map type inspect match-any GUEST_SELF_PASS_CM
match access-group name GUEST_SELF_PASS_ACL
match access-group name GUEST_SELF_PASS_ACL6
class-map type inspect match-any SELF_GUEST_PASS_CM
match access-group name SELF_GUEST_PASS_ACL
match access-group name SELF_GUEST_PASS_ACL6
class-map type inspect match-any ISP_SELF_PASS_CM
match access-group name ISP_SELF_PASS_ACL
class-map type inspect match-any SELF_ISP_PASS_CM
match access-group name SELF_ISP_PASS_ACL
class-map type inspect match-any GUEST_SELF_INSP_CM
match access-group name GUEST_SELF_INSP_ACL
match access-group name GUEST_SELF_INSP_ACL6
class-map type inspect match-any SELF_GUEST_INSP_CM
match access-group name SELF_GUEST_INSP_ACL
match access-group name SELF_GUEST_INSP_ACL6
! Outbound LAN traffic: FTP gets application inspection (active-mode data channel).
class-map type inspect match-any COMP_ISP_INSP_CM
match protocol ftp
match access-group name COMP_ISP_INSP_ACL
class-map type inspect match-any ISP_COMP_INSP_CM
match access-group name ISP_COMP_INSP_ACL
class-map type inspect match-any COMP_SELF_INSP_CM
match access-group name COMP_SELF_INSP_ACL
class-map type inspect match-any SELF_COMP_INSP_CM
match access-group name SELF_COMP_INSP_ACL
class-map type inspect match-any GUEST_ISP_INSP_CM
match access-group name GUEST_ISP_INSP_ACL
match access-group name GUEST_ISP_INSP_ACL6
! NOTE(review): ISP_GUEST_INSP_ACL denies all IPv4, but ISP_GUEST_INSP_ACL6 permits
! all IPv6. Because this is match-any, any IPv6 from the ISP zone to GUEST would be
! admitted once IPv6 is enabled -- align the ACL6 with the IPv4 deny.
class-map type inspect match-any ISP_GUEST_INSP_CM
match access-group name ISP_GUEST_INSP_ACL
match access-group name ISP_GUEST_INSP_ACL6
! Catch-all SMTP class used to drop outbound mail from hosts not in COMP_ISP_SMTP_OG.
class-map type inspect match-all COMP_ISP_SMTP_DROP_CM
match protocol smtp
class-map type inspect match-all COMP_ISP_SMTP_INSP_CM
match access-group name COMP_ISP_SMTP_ACL
match access-group name SMTP_PORT_ACL
class-map type inspect match-all ISP_COMP_SMTP_INSP_CM
match access-group name ISP_COMP_SMTP_ACL
match access-group name SMTP_PORT_ACL
class-map type inspect match-all ISP_COMP_HTTP_INSP_CM
match protocol http
match access-group name ISP_COMP_HTTP_ACL
class-map type inspect match-any GUEST_ISP_PASS_CM
match access-group name GUEST_ISP_PASS_ACL
match access-group name GUEST_ISP_PASS_ACL6
class-map type inspect match-any ISP_GUEST_PASS_CM
match access-group name ISP_GUEST_PASS_ACL
match access-group name ISP_GUEST_PASS_ACL6
class-map type inspect match-any COMP_SELF_PASS_CM
match access-group name COMP_SELF_PASS_ACL
class-map type inspect match-any SELF_COMP_PASS_CM
match access-group name SELF_COMP_PASS_ACL
!
!
! ZBF policy-maps. Every policy ends in `class class-default` / `drop`, so anything
! not explicitly passed or inspected is silently discarded. NOTE(review): none of the
! default drops use `drop log`; adding it on at least the ISP_*_PM policies gives
! visibility of blocked inbound traffic at no policy change.
! `pass` is stateless -- return traffic must be allowed by the reverse zone-pair's
! policy, which is why each direction has a matching PASS ACL.
policy-map type inspect COMP_SELF_PM
class type inspect COMP_SELF_PASS_CM
pass
class type inspect COMP_SELF_INSP_CM
inspect
class class-default
drop
policy-map type inspect SELF_COMP_PM
class type inspect SELF_COMP_PASS_CM
pass
class type inspect SELF_COMP_INSP_CM
inspect
class class-default
drop
policy-map type inspect GUEST_ISP_PM
class type inspect GUEST_ISP_PASS_CM
pass
class type inspect GUEST_ISP_INSP_CM
inspect
class class-default
drop
policy-map type inspect ISP_GUEST_PM
class type inspect ISP_GUEST_PASS_CM
pass
class type inspect ISP_GUEST_INSP_CM
inspect
class class-default
drop
policy-map type inspect ISP_SELF_PM
class type inspect ISP_SELF_PASS_CM
pass
class type inspect ISP_SELF_INSP_CM
inspect
class class-default
drop
policy-map type inspect SELF_ISP_PM
class type inspect SELF_ISP_PASS_CM
pass
class type inspect SELF_ISP_INSP_CM
inspect
class class-default
drop
policy-map type inspect GUEST_SELF_PM
class type inspect GUEST_SELF_PASS_CM
pass
class type inspect GUEST_SELF_INSP_CM
inspect
class class-default
drop
policy-map type inspect SELF_GUEST_PM
class type inspect SELF_GUEST_PASS_CM
pass
class type inspect SELF_GUEST_INSP_CM
inspect
class class-default
drop
! LAN -> Internet. Class order matters: SMTP from the two allowed senders is inspected
! first, then every other SMTP flow is dropped before the general egress class.
policy-map type inspect COMP_ISP_PM
class type inspect COMP_ISP_SMTP_INSP_CM
inspect
class type inspect COMP_ISP_SMTP_DROP_CM
drop
class type inspect COMP_ISP_PASS_CM
pass
class type inspect COMP_ISP_INSP_CM
inspect
class class-default
drop
! Internet -> LAN. Only HTTP to ISP_COMP_HTTP_OG, HTTPS to ISP_COMP_HTTPS_OG and SMTP
! from WEBSENSE_ICT_OG to ISP_COMP_SMTP_OG are admitted; ISP_COMP_PASS_ACL and
! ISP_COMP_INSP_ACL both deny everything, so the last two classes are effectively empty.
policy-map type inspect ISP_COMP_PM
class type inspect ISP_COMP_HTTP_INSP_CM
inspect
class type inspect ISP_COMP_HTTPS_INSP_CM
inspect
class type inspect ISP_COMP_SMTP_INSP_CM
inspect
class type inspect ISP_COMP_PASS_CM
pass
class type inspect ISP_COMP_INSP_CM
inspect
class class-default
drop
!
! Three user zones plus the implicit `self` zone. Zone-pairs exist for ISP<->self,
! COMP<->self, COMP<->ISP, GUEST<->self and GUEST<->ISP. There is no COMP<->GUEST
! zone-pair, so ZBF drops all traffic between the DATA LAN and the guest VLAN.
zone security ISP
zone security COMP
zone security GUEST
zone-pair security ISP_SELF_ZP source ISP destination self
service-policy type inspect ISP_SELF_PM
zone-pair security SELF_ISP_ZP source self destination ISP
service-policy type inspect SELF_ISP_PM
zone-pair security COMP_SELF_ZP source COMP destination self
service-policy type inspect COMP_SELF_PM
zone-pair security SELF_COMP_ZP source self destination COMP
service-policy type inspect SELF_COMP_PM
zone-pair security COMP_ISP_ZP source COMP destination ISP
service-policy type inspect COMP_ISP_PM
zone-pair security ISP_COMP_ZP source ISP destination COMP
service-policy type inspect ISP_COMP_PM
zone-pair security GUEST_SELF_ZP source GUEST destination self
service-policy type inspect GUEST_SELF_PM
zone-pair security SELF_GUEST_ZP source self destination GUEST
service-policy type inspect SELF_GUEST_PM
zone-pair security GUEST_ISP_ZP source GUEST destination ISP
service-policy type inspect GUEST_ISP_PM
zone-pair security ISP_GUEST_ZP source ISP destination GUEST
service-policy type inspect ISP_GUEST_PM
!
!
!
!
!
!
!
! Public /32 loopbacks in the ISP zone, used as NAT outside addresses.
! Loopback9: full static NAT for 192.168.20.60 (see `ip nat inside source static`).
interface Loopback9
description CITRIX_PUBLIC_IP
ip address 98.104.122.9 255.255.255.255
ip nat outside
ip virtual-reassembly in
zone-member security ISP
!
! Loopback10: full static NAT for 192.168.20.54.
interface Loopback10
description SYNERGY
ip address 98.104.122.10 255.255.255.255
ip nat outside
ip virtual-reassembly in
zone-member security ISP
!
! Loopback11: PAT address for the guest VLAN (GUEST_NAT_ACL overload).
interface Loopback11
description GUESTVLAN_PUBLIC_IP
ip address 98.104.122.11 255.255.255.255
ip nat outside
ip virtual-reassembly in
zone-member security ISP
!
! Loopback12: WebVPN gateway listener address (WEBVPN_GW, TCP 443) and the
! unnumbered source for Virtual-Template10.
interface Loopback12
description WEBVPN
ip address 98.104.122.12 255.255.255.255
ip nat outside
ip virtual-reassembly in
zone-member security ISP
!
! Fa0 is the only switched port in use: guest access port in VLAN 99 (routed on Vlan99).
interface FastEthernet0
description GUEST_NETWORK
switchport access vlan 99
no ip address
spanning-tree portfast
!
! Fa1-Fa7 are unused and administratively down.
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
shutdown
!
interface FastEthernet5
no ip address
shutdown
!
interface FastEthernet6
no ip address
shutdown
!
interface FastEthernet7
no ip address
shutdown
! Routed port for the DATA LAN (192.168.20.0/24), COMP zone, NAT inside.
! ICMP redirects/unreachables and proxy-ARP are disabled on the LAN edge.
interface FastEthernet8
description DATA_VLAN
ip address 192.168.20.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security COMP
! Clamp TCP MSS to avoid fragmentation across the WAN/VPN path.
ip tcp adjust-mss 1380
load-interval 30
duplex auto
speed auto
!
! Template for AnyConnect (SVC) sessions. Tunnel interfaces land in the COMP zone, so
! VPN clients are subject to the same COMP_* policies as the DATA LAN -- including
! COMP_SELF_PASS_ACL, which permits SSH to the router from any COMP source.
interface Virtual-Template10
description WEBVPN_COMP
ip unnumbered Loopback12
zone-member security COMP
!
! WAN uplink (address redacted), ISP zone, NAT outside; CDP disabled toward the provider.
interface GigabitEthernet0
description ISP
bandwidth 10000
ip address WAN IP 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security ISP
load-interval 30
duplex full
speed 100
no cdp enable
!
! Vlan1 is unaddressed but not shut down.
interface Vlan1
no ip address
!
! Vlan10 is unaddressed yet is the source interface for VTP and TFTP above.
interface Vlan10
no ip address
!
! Guest VLAN gateway, GUEST zone, NAT inside (PAT via Loopback11).
! NOTE(review): 120.10.1.0/24 is not an RFC 1918 range; using it internally makes
! the real Internet prefix unreachable from guests. Consider a private range.
interface Vlan99
description GUEST_VLAN
ip address 120.10.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security GUEST
ip tcp adjust-mss 1380
load-interval 30
!
! Async interface behind `line 1` (modem InOut below); unaddressed and not in any
! security zone.
interface Async1
no ip address
encapsulation slip
!
! Address pool handed to AnyConnect clients (172.18.254.0/24, RFC 1918). NAT_ACL's
! leading deny entries keep pool<->LAN traffic un-NATed.
ip local pool COMP_WEBVPN_IPPOOL 172.18.254.1 172.18.254.254
no ip forward-protocol nd
!
!
! The IOS HTTP/HTTPS management server is disabled; TCP 80/443 on the box belong to
! the WebVPN gateway. `ip http authentication local` is moot while the server is off.
no ip http server
ip http authentication local
no ip http secure-server
! Guest PAT (Loopback11) and LAN PAT (Gi0 address).
ip nat inside source list GUEST_NAT_ACL interface Loopback11 overload
ip nat inside source list NAT_ACL interface GigabitEthernet0 overload
! Full (all-port) static NATs for .60 and .54. Exposure is still gated by ISP_COMP_PM,
! which only admits HTTP (.60) and HTTPS (.53/.60/.54) from the Internet.
ip nat inside source static 192.168.20.60 interface Loopback9
ip nat inside source static 192.168.20.54 interface Loopback10
! Port-specific static NATs on the WAN address: HTTPS to .53, SMTP to .58 (SMTP
! sources further limited to WEBSENSE_ICT_OG by ISP_COMP_SMTP_ACL).
ip nat inside source static tcp 192.168.20.53 443 interface GigabitEthernet0 443
ip nat inside source static tcp 192.168.20.58 25 interface GigabitEthernet0 25
ip route 0.0.0.0 0.0.0.0 GatewayIP
!
! Guest -> Internet egress (inspected). NOTE(review): guests may originate SMTP (25)
! to any host; that is a common abuse/spam vector from unmanaged devices -- consider
! removing it unless a guest use case requires it. Host 217.160.208.160 is explicitly
! blocked here and in COMP_ISP_INSP_ACL; its purpose is not documented.
ip access-list extended GUEST_ISP_INSP_ACL
deny ip any host 217.160.208.160
permit icmp any any
permit tcp any any eq smtp
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq www
permit tcp any any eq pop3
permit tcp any any eq 443
permit tcp any any eq 1723
deny ip any any
! GRE passed statelessly for PPTP (control channel 1723 is inspected above).
ip access-list extended GUEST_ISP_PASS_ACL
permit gre any any
deny ip any any
ip access-list extended GUEST_NAT_ACL
permit ip 120.10.1.0 0.0.0.255 any
! Guests get nothing to the router except ICMP echo (passed, not inspected).
ip access-list extended GUEST_SELF_INSP_ACL
deny ip any any
ip access-list extended GUEST_SELF_PASS_ACL
permit icmp any any echo
deny ip any any
! Internet -> guest: nothing unsolicited (IPv4). See ISP_GUEST_INSP_ACL6 for the IPv6 mismatch.
ip access-list extended ISP_GUEST_INSP_ACL
deny ip any any
ip access-list extended ISP_GUEST_PASS_ACL
deny ip any any
! Internet -> LAN published services (used by match-all classes together with `match protocol`).
ip access-list extended ISP_COMP_HTTPS_ACL
permit ip any object-group ISP_COMP_HTTPS_OG
ip access-list extended ISP_COMP_HTTP_ACL
permit ip any object-group ISP_COMP_HTTP_OG
ip access-list extended ISP_COMP_INSP_ACL
deny ip any any
ip access-list extended ISP_COMP_PASS_ACL
deny ip any any
ip access-list extended ISP_COMP_SMTP_ACL
permit ip object-group WEBSENSE_ICT_OG object-group ISP_COMP_SMTP_OG
! Internet -> router. Nothing is inspected; the PASS list admits all IP from the two
! ICTINFRA_EXT_OG management hosts plus TCP 80/443 from anywhere (WebVPN gateway
! and its HTTP redirect on Loopback12). NOTE(review): `pass` is stateless, so the
! reverse rules in SELF_ISP_PASS_ACL are what let replies out.
ip access-list extended ISP_SELF_INSP_ACL
deny ip any any
ip access-list extended ISP_SELF_PASS_ACL
permit ip object-group ICTINFRA_EXT_OG any
permit icmp any any echo
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
! PAT candidates: RFC 1918 sources, except when the destination is also RFC 1918
! (keeps LAN<->VPN-pool traffic un-translated).
ip access-list extended NAT_ACL
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
! LAN -> Internet egress allow-list (inspected). `permit tcp any any eq 8000` is
! already covered by the COMMUNICATION service group entry further down.
ip access-list extended COMP_ISP_INSP_ACL
deny ip any host 217.160.208.160
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 123
permit udp any any eq ntp
permit tcp any any eq 443
permit udp any any eq 1194
permit tcp any any eq 1352
permit tcp any any eq 1533
permit tcp object-group ISP_COMP_SMTP_OG any eq 2703
permit tcp any any eq 3101
permit tcp any any eq 4000
permit udp any any eq 4000
permit tcp any any eq 8000
permit tcp any any eq 8443
permit tcp object-group ISP_COMP_SMTP_OG any eq 24441
permit object-group COMMUNICATION any any
deny ip any any
ip access-list extended COMP_ISP_PASS_ACL
deny ip any any
! Only COMP_ISP_SMTP_OG hosts may send outbound SMTP (paired with SMTP_PORT_ACL).
ip access-list extended COMP_ISP_SMTP_ACL
permit ip object-group COMP_ISP_SMTP_OG any
deny ip any any
! LAN -> router: ICMP echo and SSH only, passed statelessly; replies via SELF_COMP_PASS_ACL.
ip access-list extended COMP_SELF_INSP_ACL
deny ip any any
ip access-list extended COMP_SELF_PASS_ACL
permit icmp any any echo
permit tcp any any eq 22
deny ip any any
! Router -> guest: everything inspected (the trailing deny is unreachable).
ip access-list extended SELF_GUEST_INSP_ACL
permit ip any any
deny ip any any
ip access-list extended SELF_GUEST_PASS_ACL
permit icmp any any
deny ip any any
! Router -> Internet: all router-originated traffic is inspected.
ip access-list extended SELF_ISP_INSP_ACL
permit ip any any
! Reverse direction of ISP_SELF_PASS_ACL (management hosts, echo-reply, 80/443 replies).
ip access-list extended SELF_ISP_PASS_ACL
permit ip any object-group ICTINFRA_EXT_OG
permit icmp any any echo-reply
permit tcp any eq www any
permit tcp any eq 443 any
deny ip any any
! Router -> LAN: everything inspected; SSH/echo replies passed (reverse of COMP_SELF_PASS_ACL).
ip access-list extended SELF_COMP_INSP_ACL
permit ip any any
ip access-list extended SELF_COMP_PASS_ACL
permit icmp any any echo-reply
permit tcp any eq 22 any
deny ip any any
! Port qualifier combined (match-all) with the SMTP host lists above.
ip access-list extended SMTP_PORT_ACL
permit tcp any any eq smtp
!
!
!
!
!
!
! SNMPv3 with authentication + privacy (good). The group has WRITE access to a view
! that includes the whole `internet` subtree, i.e. effectively full configuration
! control over SNMP. NOTE(review): bind the group to a source ACL
! (`snmp-server group ICTBEHEER v3 priv write READWRITE access <ACL-NAME>`) so
! only the management hosts can use it; ZBF alone is the only control today.
! SNMPv3 users are not shown in a running-config export, so they cannot be reviewed here.
snmp-server group ICTBEHEER v3 priv write READWRITE
snmp-server view READWRITE internet included
snmp-server view READWRITE system included
snmp-server view READWRITE interfaces included
snmp-server view READWRITE chassis included
snmp-server ifindex persist
snmp-server trap-source GigabitEthernet0
snmp-server source-interface informs GigabitEthernet0
snmp-server location CIty
snmp-server contact COMP
!
!
!
! IPv6 counterparts of the guest/self ACLs. Currently inert (no IPv6 routing in this
! export) but they take effect the moment IPv6 is enabled.
ipv6 access-list GUEST_ISP_PASS_ACL6
sequence 1000 deny ipv6 any any
!
ipv6 access-list ISP_GUEST_PASS_ACL6
sequence 1000 deny ipv6 any any
!
ipv6 access-list GUEST_ISP_INSP_ACL6
sequence 1000 deny ipv6 any any
!
! NOTE(review): permits all IPv6 from the Internet into the guest VLAN, the opposite
! of ISP_GUEST_INSP_ACL (deny ip any any). Change to `deny ipv6 any any` to match.
ipv6 access-list ISP_GUEST_INSP_ACL6
sequence 1000 permit ipv6 any any
!
ipv6 access-list GUEST_SELF_PASS_ACL6
sequence 1000 deny ipv6 any any
!
ipv6 access-list SELF_GUEST_PASS_ACL6
sequence 1000 deny ipv6 any any
!
ipv6 access-list GUEST_SELF_INSP_ACL6
sequence 1000 deny ipv6 any any
!
! Router -> guest IPv6 permit; consistent with the IPv4 SELF_GUEST_INSP_ACL.
ipv6 access-list SELF_GUEST_INSP_ACL6
sequence 1000 permit ipv6 any any
!
! No control-plane policing (CoPP) service-policy is attached; protection of the
! router's own control plane relies entirely on the *_SELF_* zone-pair policies.
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
! NOTE(review): the line below appears to be the tail of a login/motd banner whose
! `banner` command and opening text were lost in this export; the full banner
! cannot be reviewed here.
. Unauthorized access strictly prohibited.
! Console: `session-timeout` covers idle connections on the line, but no `exec-timeout`
! is set, so the platform default EXEC idle timer applies -- NOTE(review): set an
! explicit `exec-timeout` on con 0 and vty 0 4.
line con 0
session-timeout 5
timeout login response 10
logging synchronous
transport output telnet
speed 115200
! Dial-in/dial-out modem line behind Async1. Logins use the local AAA default list.
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
! Aux port: no `transport input none` / `no exec` here -- NOTE(review): confirm the
! aux port cannot be used for inbound access, or disable it explicitly.
line aux 0
transport output telnet
! Remote management: SSH only (good). NOTE(review): no `access-class` limits vty
! sources; ZBF currently restricts SSH from the ISP side to ICTINFRA_EXT_OG, but an
! `access-class` on the vty lines is cheap defence in depth. See the note on
! `username jeff` regarding the `privilege level 15` here.
line vty 0 4
session-timeout 5
timeout login response 10
privilege level 15
transport input ssh
!
! Single unauthenticated NTP server. NOTE(review): timestamps feed the logs and
! certificate validation; consider `ntp authenticate` with a key, and a second server.
ntp source GigabitEthernet0
ntp server 217.77.132.1
!
! SSL VPN gateway on Loopback12:443 with HTTP->HTTPS redirect on 80, presenting the
! Comodo2013_TP certificate. Both ports are what ISP_SELF_PASS_ACL opens to the world.
webvpn gateway WEBVPN_GW
ip address 98.104.122.12 port 443
http-redirect port 80
ssl trustpoint Comodo2013_TP
inservice
!
! AnyConnect client package served to users (pinned version). NOTE(review): keep this
! package current; the version string is whatever was uploaded to flash.
webvpn install svc flash:/webvpn/anyconnect-win-3.1.04059-k9.pkg sequence 1
!
webvpn context COMP_CT
title "COMP WebVPN"
ssl authenticate verify all
!
login-message "Welkom bij COMP"
!
policy group COMP_PG
functions svc-enabled
svc address-pool "COMP_WEBVPN_IPPOOL" netmask 255.255.255.0
svc default-domain "COMP.lan"
svc keep-client-installed
svc dpd-interval client 30
svc dpd-interval gateway 30
svc keepalive 60
svc rekey method new-tunnel
svc split include 192.168.20.0 255.255.255.0