!
!
! Last configuration change at 18:24:57 PDT Tue May 13 2008
! NVRAM config last updated at 12:30:48 PDT Mon May 12 2008
!
version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service compress-config
!
hostname ICRouter
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.123-14.T7.bin
boot-end-marker
!
logging buffered 16000 debugging
enable password passwd1
!
no aaa new-model
!
resource policy
!
clock timezone PDT -8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip inspect max-incomplete low 100
ip inspect max-incomplete high 150
ip inspect one-minute high 2000
ip inspect one-minute low 1500
ip inspect dns-timeout 10
ip inspect name wall ftp timeout 1800
ip inspect name wall tcp timeout 900
ip inspect name wall h323 timeout 450
ip inspect name wall udp timeout 450
ip inspect name wall skinny timeout 450
ip inspect name wall rtsp timeout 450
ip inspect name wall sip timeout 450
ip tcp synwait-time 15
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.10
ip dhcp excluded-address 192.168.3.1 192.168.3.10
ip dhcp excluded-address 192.168.3.20 192.168.3.254
!
ip dhcp pool Guest
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.10
   dns-server 4.2.2.1 198.6.1.4
   lease 0 12
!
!
no ip ips deny-action ips-interface
ip tftp source-interface FastEthernet0/1
ip domain name icpage.com
ip name-server 4.2.2.1
ip name-server 198.6.1.4
!
no ftp-server write-enable
!
!
!
!
process-max-time 152
!
class-map match-all VOIP
 match access-group name VOIP
class-map match-all ELSE
 match access-group name ELSE
!
!
policy-map QOS
 class VOIP
  bandwidth 1374
  queue-limit 16
 class ELSE
  bandwidth 170
 class class-default
  fair-queue
!
!
no crypto isakmp ccm
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description DMZ Interface
 bandwidth 10000
 ip address 192.168.4.254 255.255.255.0 secondary
 ip address 67.xxx.xxx.65 255.255.255.224
 ip access-group DMZ-ACCESS in
 no ip unreachables
 ip inspect wall in
 ip inspect wall out
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description LAN Interface
 bandwidth 10000
 ip address 192.168.3.10 255.255.255.0 secondary
 ip address 192.168.2.10 255.255.255.0
 ip access-group LAN-ACCESS in
 no ip proxy-arp
 ip inspect wall in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface Serial0/0/0
 description Internet Interface
 bandwidth 1544
 ip address 67.xx.xxx.182 255.255.255.252
 ip access-group OUT_IN in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 traffic-shape rate 1500000 187500 0 1000
 no cdp enable
 max-reserved-bandwidth 100
 service-policy output QOS
!
router rip
 redistribute connected
 network 67.0.0.0
 network 192.168.2.0
!
no ip classless
ip route 0.0.0.0 0.0.0.0 67.94.231.181
ip route 10.0.0.0 255.0.0.0 Null0
ip route 169.xxx.0.0 255.255.0.0 Null0
ip route 172.xx.0.0 255.240.0.0 Null0
ip route 213.xx.xx.141 255.255.255.255 Null0
!
ip http server
no ip http secure-server
ip nat inside source list NAT interface Serial0/0/0 overload
ip nat inside source static tcp 192.168.2.131 5900 67.xxx.xxx.66 5900 extendable
ip nat inside source static tcp 192.168.2.131 6502 67.xxx.xxx.66 6502 extendable
ip nat inside source static tcp 192.168.2.242 5900 67.xxx.xxx.72 5900 extendable
ip nat inside source static tcp 192.168.2.242 6502 67.xxx.xxx.72 6502 extendable
ip nat inside source static tcp 192.168.2.245 389 67.xxx.xxx.73 389 extendable
ip nat inside source static tcp 192.168.2.245 4661 67.xxx.xxx.73 4661 extendable
ip nat inside source static tcp 192.168.2.245 4662 67.xxx.xxx.73 4662 extendable
ip nat inside source static udp 192.168.2.245 4665 67.xxx.xxx.73 4665 extendable
ip nat inside source static udp 192.168.2.245 4672 67.xxx.xxx.73 4672 extendable
ip nat inside source static tcp 192.168.2.245 5900 67.xxx.xxx.73 5900 extendable
ip nat inside source static tcp 192.168.2.245 6502 67.xxx.xxx.73 6502 extendable
ip nat inside source static tcp 192.168.2.245 24375 67.xxx.xxx.73 24375 extendable
ip nat inside source static udp 192.168.2.245 24375 67.xxx.xxx.73 24375 extendable
ip nat inside source static tcp 192.168.2.245 33106 67.xxx.xxx.73 33106 extendable
ip nat inside source static tcp 192.168.2.245 61411 67.xxx.xxx.73 61411 extendable
ip nat inside source static tcp 192.168.2.231 5900 67.xxx.xxx.74 5900 extendable
ip nat inside source static tcp 192.168.2.231 6502 67.xxx.xxx.74 6502 extendable
ip nat inside source static tcp 192.168.2.232 5900 67.xxx.xxx.75 5900 extendable
ip nat inside source static tcp 192.168.2.232 6502 67.xxx.xxx.75 6502 extendable
ip nat inside source static tcp 192.168.2.233 5900 67.xxx.xxx.76 5900 extendable
ip nat inside source static tcp 192.168.2.233 6502 67.xxx.xxx.76 6502 extendable
ip nat inside source static tcp 192.168.2.234 5900 67.xxx.xxx.77 5900 extendable
ip nat inside source static tcp 192.168.2.234 6502 67.xxx.xxx.77 6502 extendable
ip nat inside source static tcp 192.168.2.235 5900 67.xxx.xxx.78 5900 extendable
ip nat inside source static tcp 192.168.2.235 6502 67.xxx.xxx.78 6502 extendable
ip nat inside source static tcp 192.168.2.236 5900 67.xxx.xxx.79 5900 extendable
ip nat inside source static tcp 192.168.2.236 6502 67.xxx.xxx.79 6502 extendable
ip nat inside source static tcp 192.168.2.238 5900 67.xxx.xxx.80 5900 extendable
ip nat inside source static tcp 192.168.2.238 6502 67.xxx.xxx.80 6502 extendable
ip nat inside source static tcp 192.168.2.246 80 67.xxx.xxx.81 80 extendable
ip nat inside source static tcp 192.168.2.246 5900 67.xxx.xxx.81 5900 extendable
ip nat inside source static tcp 192.168.2.241 5900 67.xxx.xxx.82 5900 extendable
ip nat inside source static tcp 192.168.2.241 6502 67.xxx.xxx.82 6502 extendable
ip nat inside source static tcp 192.168.2.182 5900 67.xxx.xxx.83 5900 extendable
ip nat inside source static tcp 192.168.2.182 6502 67.xxx.xxx.83 6502 extendable
ip nat inside source static tcp 192.168.2.248 80 67.xxx.xxx.85 80 extendable
ip nat inside source static tcp 192.168.2.248 5900 67.xxx.xxx.85 5900 extendable
ip nat inside source static tcp 192.168.2.132 5900 67.xxx.xxx.87 5900 extendable
ip nat inside source static tcp 192.168.2.132 6502 67.xxx.xxx.87 6502 extendable
ip nat inside source static tcp 192.168.2.229 5900 67.xxx.xxx.88 5900 extendable
ip nat inside source static tcp 192.168.2.229 6502 67.xxx.xxx.88 6502 extendable
ip nat inside source static tcp 192.168.2.134 80 67.xxx.xxx.89 80 extendable
ip nat inside source static tcp 192.168.2.134 3001 67.xxx.xxx.89 3001 extendable
ip nat inside source static tcp 192.168.2.134 3005 67.xxx.xxx.89 3005 extendable
ip nat inside source static tcp 192.168.2.134 5900 67.xxx.xxx.89 5900 extendable
ip nat inside source static tcp 192.168.2.134 6502 67.xxx.xxx.89 6502 extendable
ip nat inside source static tcp 192.168.2.134 6911 67.xxx.xxx.89 6911 extendable
ip nat inside source static tcp 192.168.2.134 8080 67.xxx.xxx.89 8080 extendable
ip nat inside source static tcp 192.168.2.134 8081 67.xxx.xxx.89 8081 extendable
ip nat inside source static tcp 192.168.2.134 8082 67.xxx.xxx.89 8082 extendable
ip nat inside source static tcp 192.168.2.134 8083 67.xxx.xxx.89 8083 extendable
ip nat inside source static tcp 192.168.2.134 8084 67.xxx.xxx.89 8084 extendable
ip nat inside source static tcp 192.168.2.134 8085 67.xxx.xxx.89 8085 extendable
ip nat inside source static tcp 192.168.2.134 8090 67.xxx.xxx.89 8090 extendable
ip nat inside source static tcp 192.168.2.101 80 67.xxx.xxx.90 80 extendable
ip nat inside source static tcp 192.168.2.101 5900 67.xxx.xxx.90 5900 extendable
ip nat inside source static tcp 192.168.2.101 6502 67.xxx.xxx.90 6502 extendable
!
ip access-list standard ELSE
 permit 67.xxx.xxx.89
 permit 67.xxx.xxx.88
 permit 67.xxx.xxx.91
 permit 67.xxx.xxx.90
 permit 67.xxx.xxx.93
 permit 67.xxx.xxx.92
 permit 67.xxx.xxx.94
 permit 67.xxx.xxx.81
 permit 67.xxx.xxx.80
 permit 67.xxx.xxx.83
 permit 67.xxx.xxx.82
 permit 67.xxx.xxx.85
 permit 67.xxx.xxx.84
 permit 67.xxx.xxx.87
 permit 67.xxx.xxx.86
 permit 67.xxx.xxx.73
 permit 67.xxx.xxx.72
 permit 67.xxx.xxx.75
 permit 67.xxx.xxx.74
 permit 67.xxx.xxx.77
 permit 67.xxx.xxx.76
 permit 67.xxx.xxx.79
 permit 67.xxx.xxx.78
 permit 67.xxx.xxx.66
 permit 67.xxx.xxx.71
 permit 67.xxx.xxx.70
 permit 67.xx.xxx.182
ip access-list standard MANAGE
 permit 75.xx.xx.41
 permit 192.168.2.131
 permit 192.168.2.134
ip access-list standard VOIP
 permit 67.xxx.xxx.94
 permit 67.xxx.xxx.67
 permit 67.xxx.xxx.69
 permit 67.xxx.xxx.68
!
ip access-list extended DMZ-ACCESS
 remark ACL to control traffic from the DMZ to the Internal Network and the Internet
 permit udp 67.xxx.xxx.64 0.0.0.31 192.168.2.0 0.0.0.255 eq 135
 permit udp 67.xxx.xxx.64 0.0.0.31 192.168.2.0 0.0.0.255 range netbios-ns netbios-ss
 permit udp 67.xxx.xxx.64 0.0.0.31 192.168.2.0 0.0.0.255 eq 445
 permit tcp 67.xxx.xxx.64 0.0.0.31 192.168.2.0 0.0.0.255 eq 135
 permit tcp 67.xxx.xxx.64 0.0.0.31 192.168.2.0 0.0.0.255 eq 139
 permit tcp 67.xxx.xxx.64 0.0.0.31 192.168.2.0 0.0.0.255 eq 445
 permit ip 67.xxx.xxx.64 0.0.0.31 192.168.4.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 67.xxx.xxx.64 0.0.0.31
 deny udp any any range netbios-ns netbios-ss
 deny udp any any eq 445
 deny udp any any eq 135
 deny tcp any any eq 135
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny tcp any any eq 1434
 deny tcp any eq 1434 any
 deny udp any any eq 1900
 permit ip any any
 permit tcp any any eq domain
 permit udp any any eq domain
ip access-list extended LAN-ACCESS
 remark ACL to control traffic from the Internal Network to the DMZ and the Internet
 permit udp 192.168.2.0 0.0.0.255 67.xxx.xxx.64 0.0.0.31 eq 135
 permit udp 192.168.2.0 0.0.0.255 67.xxx.xxx.64 0.0.0.31 range netbios-ns netbios-ss
 permit udp 192.168.2.0 0.0.0.255 67.xxx.xxx.64 0.0.0.31 eq 445
 permit tcp 192.168.2.0 0.0.0.255 67.xxx.xxx.64 0.0.0.31 eq 139
 permit tcp 192.168.2.0 0.0.0.255 67.xxx.xxx.64 0.0.0.31 eq 445
 deny udp any any eq 135
 deny udp any any range netbios-ns netbios-ss
 deny udp any any eq 445
 deny tcp any any eq 135
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny tcp any any eq 1434
 deny tcp any eq 1434 any
 deny udp any any eq 1900
 remark Rules for Guest PC's
 permit tcp 192.168.3.0 0.0.0.255 any eq www
 permit tcp 192.168.3.0 0.0.0.255 any eq 443
 permit tcp 192.168.3.0 0.0.0.255 any range ftp-data ftp
 permit tcp 192.168.3.0 0.0.0.255 any eq smtp
 permit tcp 192.168.3.0 0.0.0.255 any eq pop3
 permit ip any any
 deny tcp any any eq 161
 deny udp any any eq snmp
 deny tcp any any eq 1123
 deny tcp any any eq 1126
!
ip access-list extended NAT
 deny ip 192.168.2.0 0.0.0.255 67.xxx.xxx.64 0.0.0.31
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip host 192.168.4.11 any
!
ip access-list extended OUT_IN
 permit tcp any gt 1023 host 67.xxx.xxx.67 range ftp-data 22
 permit tcp any gt 1023 host 67.xxx.xxx.67 eq pop3
 permit tcp any gt 1023 host 67.xxx.xxx.67 eq www
 permit tcp any gt 1023 host 67.xxx.xxx.67 eq 10000
 permit tcp any gt 1023 host 67.xxx.xxx.67 eq 443
 permit tcp any gt 1023 host 67.xxx.xxx.67 eq 3306
 permit udp any gt 1023 host 67.xxx.xxx.67 eq 2427
 permit udp any gt 1023 host 67.xxx.xxx.67 eq 5038
 permit udp any gt 1023 host 67.xxx.xxx.67 eq 2727
 permit udp any gt 1023 host 67.xxx.xxx.67 eq 4569
 permit tcp any gt 1023 host 67.xxx.xxx.67 eq 5038
 permit tcp any gt 1023 host 67.xxx.xxx.67 eq 5432
 permit tcp any gt 1023 host 67.xxx.xxx.67 eq 4520
 permit tcp any gt 1023 host 67.xxx.xxx.67 eq 1314
 permit tcp any gt 1023 host 67.xxx.xxx.67 eq 2727
 permit udp any gt 1023 host 67.xxx.xxx.67 eq 5036
 permit udp any gt 1023 host 67.xxx.xxx.67 range 5060 5069
 permit udp any gt 1023 host 67.xxx.xxx.67 range 10000 20000
 permit tcp any gt 1023 host 67.xxx.xxx.68 eq 2727
 permit tcp any gt 1023 host 67.xxx.xxx.68 eq www
 permit tcp any gt 1023 host 67.xxx.xxx.68 eq 10000
 permit udp any gt 1023 host 67.xxx.xxx.68 eq 2427
 permit udp any gt 1023 host 67.xxx.xxx.68 eq 4569
 permit udp any gt 1023 host 67.xxx.xxx.68 eq 5038
 permit udp any gt 1023 host 67.xxx.xxx.68 eq 5036
 permit udp any gt 1023 host 67.xxx.xxx.68 range 5060 5069
 permit udp any gt 1023 host 67.xxx.xxx.68 range 10000 20000
 permit tcp any gt 1023 host 67.xxx.xxx.69 eq smtp
 permit tcp any gt 1023 host 67.xxx.xxx.69 eq 5038
 permit tcp any gt 1023 host 67.xxx.xxx.69 eq 5432
 permit tcp any gt 1023 host 67.xxx.xxx.69 eq 4520
 permit tcp any gt 1023 host 67.xxx.xxx.69 eq 1314
 permit tcp any gt 1023 host 67.xxx.xxx.69 eq 2727
 permit tcp any gt 1023 host 67.xxx.xxx.69 range ftp-data 22
 permit tcp any gt 1023 host 67.xxx.xxx.69 eq www
 permit tcp any gt 1023 host 67.xxx.xxx.69 eq pop3
 permit tcp any gt 1023 host 67.xxx.xxx.69 eq 10000
 permit tcp any gt 1023 host 67.xxx.xxx.69 eq 443
 permit tcp any gt 1023 host 67.xxx.xxx.69 eq 3306
 permit udp any gt 1023 host 67.xxx.xxx.69 eq 5038
 permit udp any gt 1023 host 67.xxx.xxx.69 eq 2427
 permit udp any gt 1023 host 67.xxx.xxx.69 eq 4569
 permit udp any gt 1023 host 67.xxx.xxx.69 eq 5036
 permit udp any gt 1023 host 67.xxx.xxx.69 range 10000 20000
 permit udp any gt 1023 host 67.xxx.xxx.69 range 5060 5069
 permit udp any gt 1023 host 67.xxx.xxx.70 eq 2427
 permit udp any gt 1023 host 67.xxx.xxx.70 eq 4569
 permit udp any gt 1023 host 67.xxx.xxx.70 eq 5036
 permit udp any gt 1023 host 67.xxx.xxx.70 range 10000 20000
 permit tcp any gt 1023 host 67.xxx.xxx.70 range ftp-data 22
 permit tcp any gt 1023 host 67.xxx.xxx.70 eq smtp
 permit tcp any gt 1023 host 67.xxx.xxx.70 eq www
 permit tcp any gt 1023 host 67.xxx.xxx.70 eq nntp
 permit tcp any gt 1023 host 67.xxx.xxx.70 eq 443
 permit tcp any gt 1023 host 67.xxx.xxx.70 eq 3306
 permit tcp any gt 1023 host 67.xxx.xxx.71 range ftp-data 22
 permit tcp any gt 1023 host 67.xxx.xxx.71 eq smtp
 permit tcp any gt 1023 host 67.xxx.xxx.71 eq www
 permit tcp any gt 1023 host 67.xxx.xxx.71 eq pop3
 permit tcp any gt 1023 host 67.xxx.xxx.71 eq nntp
 permit tcp any gt 1023 host 67.xxx.xxx.71 eq 443
 permit tcp any gt 1023 host 67.xxx.xxx.71 eq 3306
 permit udp any gt 1023 host 67.xxx.xxx.73 eq 4662
 permit tcp any gt 1023 host 67.xxx.xxx.73 eq 4662
 permit udp any gt 1023 host 67.xxx.xxx.73 eq 4672
 permit tcp any gt 1023 host 67.xxx.xxx.73 eq 4711
 permit udp any gt 1023 host 67.xxx.xxx.73 eq 24375
 permit tcp any gt 1023 host 67.xxx.xxx.73 eq 61411
 permit tcp any gt 1023 host 67.xxx.xxx.73 eq 389
 permit udp any gt 1023 host 67.xxx.xxx.73 eq 34527
 permit tcp any gt 1023 host 67.xxx.xxx.73 eq 44587
 permit tcp any gt 1023 host 67.xxx.xxx.81 eq www
 permit tcp any gt 1023 host 67.xxx.xxx.84 eq www
 permit tcp any gt 1023 host 67.xxx.xxx.85 eq www
 permit tcp any gt 1023 host 67.xxx.xxx.86 eq www
 permit tcp any gt 1023 host 67.xxx.xxx.86 eq 443
 permit tcp any gt 1023 host 67.xxx.xxx.86 eq 5900
 permit tcp any gt 1023 host 67.xxx.xxx.89 eq www
 permit tcp any gt 1023 host 67.xxx.xxx.91 eq www
 permit tcp any gt 1023 host 67.xxx.xxx.91 eq 5900
 permit tcp any gt 1023 host 67.xxx.xxx.91 eq 6502
 permit tcp any gt 1023 host 67.xxx.xxx.91 eq 3306
 permit tcp any gt 1023 host 67.xxx.xxx.94 eq smtp
 permit tcp any gt 1023 host 67.xxx.xxx.94 range ftp-data 22
 permit tcp any gt 1023 host 67.xxx.xxx.94 eq pop3
 permit tcp any gt 1023 host 67.xxx.xxx.94 eq www
 permit tcp any gt 1023 host 67.xxx.xxx.94 eq 443
 permit tcp any gt 1023 host 67.xxx.xxx.94 eq 3306
 permit udp any gt 1023 host 67.xxx.xxx.94 eq 2427
 permit udp any gt 1023 host 67.xxx.xxx.94 eq 5038
 permit udp any gt 1023 host 67.xxx.xxx.94 eq 2727
 permit udp any gt 1023 host 67.xxx.xxx.94 eq 4569
 permit tcp any gt 1023 host 67.xxx.xxx.94 eq 5038
 permit tcp any gt 1023 host 67.xxx.xxx.94 eq 5432
 permit tcp any gt 1023 host 67.xxx.xxx.94 eq 4520
 permit tcp any gt 1023 host 67.xxx.xxx.94 eq 1314
 permit tcp any gt 1023 host 67.xxx.xxx.94 eq 2727
 permit udp any gt 1023 host 67.xxx.xxx.94 eq 5036
 permit tcp any gt 1023 host 67.xxx.xxx.71 eq 5900
 permit tcp any gt 1023 host 67.xxx.xxx.70 eq 5900
 permit tcp any gt 1023 host 67.xxx.xxx.79 eq 6502
 permit tcp any gt 1023 host 67.xxx.xxx.70 eq 6502
 permit tcp any gt 1023 host 67.xxx.xxx.72 eq 6502
 permit tcp any gt 1023 host 67.xxx.xxx.74 eq 6502
 permit tcp any gt 1023 host 67.xxx.xxx.75 eq 6502
 permit tcp any gt 1023 host 67.xxx.xxx.76 eq 6502
 permit tcp any gt 1023 host 67.xxx.xxx.77 eq 6502
 permit tcp any gt 1023 host 67.xxx.xxx.78 eq 6502
 permit tcp any gt 1023 host 67.xxx.xxx.80 eq 6502
 permit tcp any gt 1023 host 67.xxx.xxx.89 range 8080 8085
 permit tcp any gt 1023 host 67.xxx.xxx.89 eq 8090
 permit tcp any gt 1023 host 67.xxx.xxx.89 eq 3001
 permit tcp any gt 1023 host 67.xxx.xxx.89 eq 3005
 permit tcp any gt 1023 host 67.xxx.xxx.89 eq 6911
 permit tcp any gt 1023 host 67.xxx.xxx.71 eq 6502
 permit tcp any gt 1023 host 67.xxx.xxx.66 eq 6502
 permit tcp any gt 1023 host 67.xxx.xxx.71 eq 465
 permit tcp any gt 1023 host 67.xxx.xxx.70 eq 8181
 permit tcp any gt 1023 host 67.xxx.xxx.70 eq 81
 permit udp any gt 1023 host 67.xxx.xxx.71 eq ntp
 permit tcp any gt 1023 host 67.xxx.xxx.94 eq 5900
 permit tcp any gt 1023 host 67.xxx.xxx.94 eq 6502
 permit tcp any eq nntp any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit udp any eq ntp any
 permit udp any any eq domain
 permit tcp any any eq domain
 permit ip host 82.xxx.xxx.15 any
 permit ip host 75.xx.xxx.219 any
 permit ip host 75.xx.xxx.41 any
 permit ip host 89.xxx.xx.192 any
 permit ip host 75.xx.xxx.54 any
!
logging trap warnings
logging 67.xxx.xxx.66
snmp-server community public RO
snmp-server community passwd RW 10
snmp-server community ICPAGE RO 10
snmp-server location Buena_Park
snmp-server contact admin bhfisher@icpage.com
snmp-server enable traps tty
no cdp run
!
!
control-plane
!
!
line con 0
 password passwd2
 transport output all
line aux 0
line vty 0 4
 access-class MANAGE in
 password passwd1
 login
 transport input all
 transport output all
!
ntp clock-period 17042193
ntp source Serial0/0/0
ntp master 14
ntp server 128.9.176.30
end
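The configuration above contains several settings a reviewer would flag when hardening the router: passwords are stored in clear text (`no service password-encryption`, `enable password`), the plaintext HTTP management server is enabled, the `public` SNMP community has no access-class and the other two communities reference access-list 10, which is not defined anywhere in the config, the vty lines accept every transport, and in both `LAN-ACCESS` and `DMZ-ACCESS` a `permit ip any any` entry precedes later entries (the SNMP and port 1123/1126 denies in `LAN-ACCESS`, the DNS permits in `DMZ-ACCESS`). Because IOS evaluates an ACL top-down and stops at the first match, those trailing entries can never take effect. The following script is an added example, not part of the router's configuration or any Cisco tool: it parses running-config text into blocks, extracts the named ACLs, reports entries shadowed by an earlier catch-all, and checks the other settings listed. `SAMPLE_CONFIG` is a constructed excerpt that mirrors the shape of the page's config; the check names and finding strings are this example's own.

```python
"""Audit a Cisco IOS running-config for common weak settings.

Added example for this page; it is not the router owner's configuration
nor a vendor tool. SAMPLE_CONFIG is a constructed excerpt that follows the
shape of the configuration shown on the page.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt (not the full page config); addresses are the page's masked ones.
SAMPLE_CONFIG = """\
version 12.3
no service password-encryption
hostname ICRouter
enable password passwd1
no aaa new-model
ip http server
no ip http secure-server
ip access-list extended LAN-ACCESS
 remark ACL to control traffic from the Internal Network to the DMZ and the Internet
 deny tcp any any eq 445
 permit tcp 192.168.3.0 0.0.0.255 any eq www
 permit ip any any
 deny tcp any any eq 161
 deny udp any any eq snmp
ip access-list extended DMZ-ACCESS
 deny udp any any eq 1900
 permit ip any any
 permit tcp any any eq domain
ip access-list extended NAT
 deny ip 192.168.2.0 0.0.0.255 67.xxx.xxx.64 0.0.0.31
 permit ip 192.168.2.0 0.0.0.255 any
snmp-server community public RO
snmp-server community passwd RW 10
snmp-server community ICPAGE RO 10
line vty 0 4
 access-class MANAGE in
 password passwd1
 login
 transport input all
end
"""


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Split IOS config text into (top-level command, [indented sub-commands]).

    IOS marks sub-commands with a leading space; '!' lines are separators/comments.
    """
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def extract_acls(blocks: List[Tuple[str, List[str]]]) -> Dict[str, List[str]]:
    """Return named ACLs as {name: [permit/deny entries in order]}; remarks are dropped."""
    acls: Dict[str, List[str]] = {}
    for head, body in blocks:
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", head)
        if m:
            acls[m.group(1)] = [e for e in body if e.split()[0] in ("permit", "deny")]
    return acls


def is_catch_all(entry: str) -> bool:
    """True for a bare 'permit ip any any' or 'deny ip any any' (no ports, no options)."""
    return entry.split() in (["permit", "ip", "any", "any"], ["deny", "ip", "any", "any"])


def shadowed_entries(entries: List[str]) -> List[str]:
    """Entries that can never match: IOS stops at the first matching entry,
    so everything after a catch-all is unreachable."""
    for i, entry in enumerate(entries):
        if is_catch_all(entry):
            return entries[i + 1:]
    return []


def audit(config_text: str) -> List[str]:
    """Run the checks and return a list of human-readable findings."""
    blocks = parse_blocks(config_text)
    heads = [h for h, _ in blocks]
    acls = extract_acls(blocks)
    findings: List[str] = []

    if "no service password-encryption" in heads:
        findings.append("password-encryption: line/enable passwords stored in clear text")
    if any(h.startswith("enable password ") for h in heads):
        findings.append("enable-password: 'enable password' used instead of 'enable secret'")
    if "ip http server" in heads:
        findings.append("http-server: plaintext HTTP management interface enabled")
    if "no aaa new-model" in heads:
        findings.append("aaa: AAA disabled, only line passwords protect management access")

    # Numbered standard ACLs appear as top-level 'access-list N ...' lines.
    numbered = {h.split()[1] for h in heads if h.startswith("access-list ")}
    for h in heads:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", h)
        if not m:
            continue
        name, mode, acl = m.groups()
        if acl is None:
            findings.append(f"snmp: community '{name}' ({mode}) has no access-list restriction")
        elif acl not in numbered and acl not in acls:
            findings.append(f"snmp: community '{name}' ({mode}) references undefined access-list {acl}")
        if name.lower() in ("public", "private"):
            findings.append(f"snmp: default community string '{name}' in use")

    for head, body in blocks:
        if head.startswith("line vty") and any(
            b in ("transport input all", "transport input telnet") for b in body
        ):
            findings.append(f"{head}: unencrypted transports accepted on vty lines")

    for name, entries in acls.items():
        for entry in shadowed_entries(entries):
            findings.append(f"acl {name}: unreachable entry '{entry}' after catch-all")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed excerpt, the script reports the two shadowed `LAN-ACCESS` denies and the shadowed `DMZ-ACCESS` DNS permit, the unrestricted `public` community, the two communities pointing at the missing access-list 10, the clear-text passwords, the HTTP server, and the open vty transports; the `NAT` list produces no finding because its `permit ip ... any` entry is scoped to a source network rather than being a catch-all. The same parser works on a full `show running-config` capture pasted into `SAMPLE_CONFIG`.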