2012-08-20

censored config here

Thanks
[code]

Current configuration : 9341 bytes
!
! Last configuration change at 16:53:46 UTC Thu Aug 16 2012
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CWCH
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authentication login admin local
aaa authentication login RAVPN_AUTHEN group radius local
aaa authorization network RAVPN_AUTHOR local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10

ip source-route
!
!
!
!
ip cef
no ip domain lookup

ip inspect name UserTraffic http
ip inspect name UserTraffic https
ip inspect name UserTraffic dns
ip inspect name UserTraffic tcp
ip inspect name UserTraffic udp
ip inspect name UserTraffic icmp

login block-for 180 attempts 5 within 60
login delay 2
login quiet-mode access-class QUIETMODE
login on-failure log every 3
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid
!
!
username *****
username ******
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 7800
crypto isakmp key ***** address *******
crypto isakmp fragmentation
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto isakmp client configuration address-pool local RAVPN_POOL
!
crypto isakmp client configuration group RAVPN_GROUP
key *************
dns ******
wins *****
domain ***.local
pool RAVPN_POOL
acl RAVPN_SPLIT
max-users 8
netmask 255.255.255.0
crypto isakmp profile RAVPN_PROFILE
match identity group RAVPN_GROUP
client authentication list RAVPN_AUTHEN
isakmp authorization list RAVPN_AUTHOR
client configuration address respond
virtual-template 1
!
crypto ipsec security-association idle-time 7800
!
crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set AES_MD5_TUNNEL esp-aes 256 esp-md5-hmac
!
crypto ipsec profile DMVPN
set transform-set VPN_SET
!
crypto ipsec profile DataTunnels
set transform-set AES-SHA
!
!
crypto dynamic-map RemoteVPNS 20
set transform-set VPN_SET
set isakmp-profile RAVPN_PROFILE
reverse-route
!
!
crypto map HOME_VPNS 10 ipsec-isakmp
set peer *****
set transform-set VPN_SET
match address T****VPN
crypto map HOME_VPNS 20 ipsec-isakmp
set peer ******
set transform-set VPN_SET
match address J***VPN
crypto map HOME_VPNS 30 ipsec-isakmp dynamic RemoteVPNS
!
!
!
!
!
interface Loopback0
ip address 192.168.250.1 255.255.255.0
!
****
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
description PPP DIALER TO ***
no ip address
no atm ilmi-keepalive
pvc 1/50
dialer pool-member 1
protocol ppp dialer
!
!
interface FastEthernet0
description INTERNAL LAN
switchport access vlan 101
!
interface FastEthernet1
switchport access vlan 101
!
interface FastEthernet2
switchport access vlan 201
!
interface FastEthernet3
switchport access vlan 500
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile DMVPN
!
interface Vlan1
no ip address
shutdown
!
interface Vlan101
ip address ***** 255.255.255.0
ip nat inside
ip virtual-reassembly
shutdown
!
interface Vlan201
ip address ******* 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface Vlan500
ip address ***** 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip access-group INBOUND in
ip nbar protocol-discovery
ip nat outside
ip inspect UserTraffic out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1300
load-interval 30
dialer pool 1
ppp chap hostname ****
ppp chap password 7 *******
no cdp enable
crypto map HOME_VPNS
!
!
router eigrp 100
network *****.0
network **********.0
redistribute static
!
router nhrp
!
router odr
!
ip local pool RAVPN_POOL 192.168.250.2 192.168.250.10
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
no ip nat service sip udp port 5060
ip nat inside source list OUTBOUND interface Dialer1 overload
ip nat inside source static tcp**3 80 interface Dialer1 80
ip nat inside source static tcp ***** 443 interface Dialer1 443
ip nat inside source static tcp ******** interface Dialer1 25
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ro****
!
ip access-list extended INBOUND
permit ip 192.168.250.0 0.0.0.15 1*******0 0.0.0.255
deny tcp any any eq 22
deny tcp any any eq telnet
permit tcp any host *.*.*.123 eq www
permit tcp any host *.*.*.123 eq 443
permit tcp any host *.*.*.123 eq smtp
permit udp any host *.*.*.123 eq isakmp
permit esp any host *.*.*.123
permit ahp any host *.*.*.123
permit tcp any host *.*.*.123 eq 54321
permit udp any host *.*.*.123 eq 54321
permit udp any host *.*.*.123 eq non500-isakmp
deny ip any any
permit ip any any
ip access-list extended J****VPN
permit ip ** 0.0.0.255 ********* 0.0.0.255
ip access-list extended OUTBOUND
deny ip 1*****.0 0.0.0.255 192.168.250.0 0.0.0.15
deny ip *****.0 0.0.0.255 17*****.0 0.0.0.255
deny ip *******0.0.0.255 1*****.0 0.0.0.255
permit tcp any any eq smtp
permit tcp any any eq 443
permit ip 1*****.*****.0 0.0.0.255 any
permit ip 2.1***.*.0 0.0.0.255 any
deny ip any any
ip access-list extended RAVPN_SPLIT
permit ip 192.168.250.0 0.0.0.15 any
permit ip 1***.0 0.0.0.255 any
permit ip 1**.0 0.0.0.255 any
permit ip 1*****3.0 0.0.0.255 any
permit ip 1******.0 0.0.0.255 any
permit ip 1*******5.0 0.0.0.255 any
ip access-list extended RemoteVPN
permit ip 1*******.0 0.0.0.255 192.168.250.0 0.0.0.15
ip access-list extended T***VPN
permit ip 1***** 0.0.0.255 ******0.0.0.255
!
no cdp run

!
!
!
!
radius-server host 1*********3 auth-port 1812 acct-port 1813 key ***********
!
!
control-plane
!
banner motd ^C########################### WARNING ###########################
Access to this device is for authorized users only. Unauthorized access is
strictly prohibited! Unauthorized users will be prosecuted!

###############################################################^C
!
line con 0
privilege level 15
logging synchronous
login authentication NO_LOGIN
no modem enable
line aux 0
password *************
line vty 0 4
access-class 23 in
privilege level 15
password *******
logging synchronous
transport input ssh
!
end
[/code]

Statistics: Posted by AWilderbeast — Mon Aug 20, 2012 2:26 pm
