Sie sind auf Seite 1von 104

The above FAQ link shows some basic network setup using routers and switches.

Fo
llowing is more network design samples that are also common in many organization
s.
Sample 1:
Internet
|
|
Router
|
|
Firewall
|
|
Layer-3 Switch
| | |
| | |
Layer-2 | Layer-2
Switch | Switch
|
Layer-2 Switch
Background
* This sample configuration assumes the Router to do NAT/PAT, firewall to do sta
tefull firewall, and Layer-3 Switch to act as both switch and router to route in
ternal traffic. To learn more about NAT/PAT, check out the following FAQ for det
ail Cisco Forum FAQ NAT, PAT, Port Forward, Internet and Server Access: Introducti
on and Practices
Sample 1 Configuration
Router
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 4096 informational
enable secret 5 **********
!
ip subnet-zero
!
!!!!!!!!!!!!! This is the ISP's DNS IP addresses
ip name-server 1.1.1.2
ip name-server 1.1.1.3
!!!!!!!!!!!!!
!
!
!
!
!
!!!!!!!!!!!! This is the LAN side facing the PIX outside interface
interface Ethernet0
ip address 10.10.10.1 255.255.255.252
ip nat inside
no cdp enable
!
!!!!!!!!!!!! This is to the ISP modem
interface Ethernet1
ip address 1.1.0.2 255.255.255.252
ip nat outside
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.0.1
ip route 10.0.0.0 255.0.0.0 10.10.10.2
no ip http server
!
ip nat inside source static tcp 10.10.11.2 80 1.1.0.2 80
ip nat inside source static tcp 10.10.11.2 443 1.1.0.2 443
ip nat inside source static tcp 10.10.11.3 20 1.1.0.2 20
ip nat inside source static tcp 10.10.11.3 21 1.1.0.2 21
ip nat inside source static tcp 10.10.11.4 25 1.1.0.2 25
ip nat inside source static tcp 10.10.11.4 110 1.1.0.2 110
ip nat inside source list 1 interface Ethernet1 overload
!
access-list 1 remark Permit Only Inside Subnets
access-list 1 permit 10.10.8.0 0.0.3.255
no cdp run
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
exec-timeout 0 0
access-class 1 in
login local
length 0
!
scheduler max-task-time 5000
end
PIX Firewall
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network WEB
network-object host 10.10.11.2
object-group network FTP
network-object host 10.10.11.3
object-group network MAIL
network-object host 10.10.11.4
object-group service MAIL_SERVICES tcp
port-object eq smtp
port-object eq pop3
object-group service WEB_SERVICES tcp
port-object eq www
port-object eq https
access-list INBOUND permit icmp any any
access-list INBOUND permit tcp any object-group WEB object-group WEB_SERVICES
access-list INBOUND permit tcp any object-group MAIL object-group MAIL_SERVICES
access-list INBOUND permit tcp any object-group FTP range ftp-data ftp
access-list nonat permit ip any any
pager lines 24
logging on
logging console warnings
logging monitor warnings
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.2 255.255.255.252
ip address inside 10.10.11.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.11.5 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route inside 10.0.0.0 255.0.0.0 10.10.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.11.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.10.11.5 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Switch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
vlan 1,7,11-13
!
ip routing
!
interface FastEthernet0/1
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/2
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/3
description LAN 1
switchport access vlan 11
switchport mode access
!
interface FastEthernet0/4
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/5
description LAN 2
switchport access vlan 12
switchport mode access
!
interface FastEthernet0/6
description Management port
switchport access vlan 7
switchport mode access
!
interface FastEthernet0/7
description Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/8
description Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/9
description Layer-2 Switch 1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/12
description To Firewall
switchport access vlan 7
switchport mode access
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan7
description Management
ip address 10.10.11.2 255.255.255.0
!
interface Vlan11
description LAN 1
ip address 10.0.1.1 255.255.255.0
!
interface Vlan12
description LAN 2
ip address 10.0.2.1 255.255.255.0
!
interface Vlan13
description LAN 3
ip address 10.0.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.11.1
Sample 2:
Internet
|
|
Router
|
|
Switch
| |
DMZ ----- Firewall - Firewall (two redundant firewal
ls)
1 2
| |
Layer-3 ---- Layer-3 (two redundant Layer-3
switches)
Switch 1 Switch 2
| | | | | |
| | | | | |
| | Layer-2 | |
| | Switch | |
| | | |
| Layer-2 Switch |
| |
| |
+- Layer-2 Switch -+
Background
Switch
* The Layer-3 switches act as Spanning-Tree Root Bridges of all switches and as
HSRP service providers. For preliminary info on Root Bridge, check out the follo
wing link: Understanding and Configuring Spanning Tree Protocol (STP) on Catalys
t Switches. For preliminary info on HSRP, check out the following link: Hot Stan
dby Router Protocol Features and Functionality
* Rapid Spanning Tree protocol is used to provide faster convergence yet stable
network. For more info on Rapid Spanning Tree, check out the following link: Und
erstanding Rapid Spanning Tree Protocol (802.1w)
* For some VLAN, the Layer-3 Switch 1 is the Root Bridge primary while the Layer
-3 Switch 2 is the backup. For other VLAN, the Layer-3 Switch 2 is the Root Brid
ge primary while the Layer-3 Switch 1 is the backup.
* Similarly; for some VLAN, the Layer-3 Switch 1 is the HSRP primary while the L
ayer-3 Switch 2 is the backup. For other VLAN, the Layer-3 Switch 2 is the HSRP
primary while the Layer-3 Switch 1 is the backup.
* For VLAN connection reliability, the same Layer-3 switch should be for both Ro
ot Bridge and HSRP primary
* In this sample configuration; VLAN 5, 7, 100 Root Bridge and HSRP primaries ar
e at Layer-3 Switch 1 while VLAN 1, 20, 200 Root Bridge and HSRP primaries are a
t Layer-3 Switch 2
* To avoid unnecessary traffic flow, only some VLAN is allowed to pass through o
n some trunks between switches
* There is IP routing in place between Layer-3 switches and the firewalls
Firewall
* The firewall could be either PIX Firewall or ASA, running OS 7.x or later
* Firewall setup is LAN-based Active/Standby failover, which in a sense is simil
ar to HSRP/VRRP mechanism where the firewall primary interface IP address is the
"virtual" gateway for the interface subnet to reach other network. For more inf
o on PIX/ASA Active/Standby failover, check out the following link: How Failover
Works on the Cisco Secure PIX Firewall
* The firewall acts as both Internet firewall and IPSec VPN Concentrator. For mo
re info on this, check out the forum's FAQ Cisco Forum FAQ Configure PIX/ASA as bo
th Internet Firewall and VPN Concentrator
(The Internet or Outside) Router/Switch
* There is a basic Internet firewall at the router to filter absolute questionab
le inbound traffic from the Internet to the network. For more info on this, chec
k out the forum's FAQ Cisco Forum FAQ Basic Internet Firewall for Routers without
IOS image Firewall feature
* There is no need for the router to do stateful firewall since there is already
the firewall appliance (PIX/ASA) to do the stateful firewall functionality
AAA Command Set
* All Cisco devices on this sample configuration uses proper AAA command set for
security reason. For more info on this, check out the forum's FAQ Cisco Forum FA
Q Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level
Sample 2 Configuration
Router
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
enable secret 5 *****
!
username **** secret 5 *****
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain-list ****
ip domain-list ****
no ip domain-lookup
ip domain-name ****
!
!
interface FastEthernet0/0
description To Internet Switch
ip address 1.0.0.2 255.255.255.248
speed 100
duplex full
!
interface Serial0/0
description To ISP
ip address 1.1.1.2 255.255.255.252
ip access-group SecureRouter in
no cdp enable
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 1.0.0.112 255.255.255.240 1.0.0.6
ip route 10.0.0.0 255.0.0.0 1.0.0.6
ip route 172.16.0.0 255.240.0.0 1.0.0.6
!
ip classless
no ip http server
no ip http secure-server
!
ip tacacs source-interface FastEthernet0/0
!
ip access-list extended SecureRouter
remark Access List used to Secure Perimeter Router
remark Deny Special Use IP Address Sources (RFC 3330)
deny ip host 0.0.0.0 any
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 0.15.255.255 any
remark Deny Private IP Address Space (RFC 1918)
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark Permit SSH Traffic
permit tcp any 1.0.0.104 0.0.0.7 eq 22
remark Permit Necessary ICMP traffic
permit icmp any host 1.0.0.2 echo-reply
permit icmp any host 1.0.0.6 echo-reply
permit icmp any 1.0.0.104 0.0.0.7 echo-reply
permit icmp any 1.0.0.112 0.0.0.15 echo-reply
permit icmp any host 1.0.0.2 unreachable
permit icmp any host 1.0.0.6 unreachable
permit icmp any 1.0.0.104 0.0.0.7 unreachable
permit icmp any 1.0.0.112 0.0.0.15 unreachable
permit icmp any host 1.0.0.2 time-exceeded
permit icmp any host 1.0.0.6 time-exceeded
permit icmp any 1.0.0.104 0.0.0.7 time-exceeded
permit icmp any 1.0.0.112 0.0.0.15 time-exceeded
deny icmp any any
remark Permit VPN Access
permit esp any host 1.0.0.106
permit ahp any host 1.0.0.106
permit udp any host 1.0.0.106 eq isakmp
permit udp any host 1.0.0.106 eq non500-isakmp
remark Permit Internet Firewall to control Global IP Address
permit ip any host 1.0.0.108
remark Permit Internet Firewall to control DMZ
permit ip any 1.0.0.112 0.0.0.15
remark Permit Established TCP session
permit tcp any host 1.0.0.2 established
permit tcp any host 1.0.0.6 established
permit tcp any 1.0.0.104 0.0.0.7 established
deny ip any any
!
logging source-interface FastEthernet0/0
logging 172.17.200.232
access-list 52 remark Internal SNMP RO access
access-list 52 permit 172.17.100.0 0.0.0.255
access-list 52 permit 172.17.200.0 0.0.0.255
access-list 52 permit 10.4.5.0 0.0.0.255
access-list 85 permit 1.169.31.226
access-list 85 permit 1.148.0.138
access-list 85 permit 1.43.53.170
access-list 85 permit 1.87.201.10
access-list 85 permit 1.109.89.198
access-list 85 permit 1.194.74.26
access-list 85 permit 1.194.74.22
access-list 85 permit 1.169.195.194
access-list 85 permit 1.169.198.96 0.0.0.7
access-list 85 permit 172.17.100.0 0.0.0.255
access-list 85 permit 172.17.190.0 0.0.0.255
access-list 85 permit 172.17.200.0 0.0.0.255
access-list 85 permit 10.13.100.0 0.0.0.255
access-list 85 permit 10.13.190.0 0.0.0.255
access-list 85 permit 10.13.200.0 0.0.0.255
access-list 85 permit 12.14.179.64 0.0.0.31
access-list 85 permit 1.117.15.128 0.0.0.31
access-list 85 permit 1.148.22.96 0.0.0.15
access-list 85 permit 1.252.30.96 0.0.0.31
access-list 85 permit 1.128.17.64 0.0.0.15
access-list 85 permit 1.169.34.0 0.0.0.7
access-list 85 permit 1.162.70.192 0.0.0.15
!
snmp-server community ***** RO 52
snmp-server enable traps tty
snmp-server enable traps syslog
tacacs-server host 172.17.200.231
tacacs-server directed-request
tacacs-server key 7 ******
!
control-plane
!
banner motd ^C
WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AU
THORISED PERSONS!
Activities on and access to this system are monitored and recorded.
Use of this system is your express consent to such monitoring and recording.

ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT
IN CRIMINAL AND/OR CIVIL PENALTIES.^C
!
line con 0
exec-timeout 5 0
line vty 0 4
access-class 85 in
exec-timeout 30 0
transport input ssh
line vty 5 15
access-class 85 in
exec-timeout 30 0
transport input ssh
!
ntp clock-period 36028978
ntp source FastEthernet0/0
ntp server 10.4.5.5
ntp server 172.16.0.5 prefer
end
Switch (Layer-3 capable)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
enable secret 5 *****
!
username **** secret 5 *****
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-list ****
ip domain-list ****
no ip domain-lookup
ip domain-name ****
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet0/1
description To Internet Router
no switchport
ip address 1.0.0.6 255.255.255.248
speed 100
duplex full
!
interface FastEthernet0/2
no switchport
no ip address
speed 100
duplex full
!
interface FastEthernet0/3
description ASA Internet Active
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/4
description ASA Internet Standby
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/5
shutdown
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
shutdown
!
interface FastEthernet0/11
shutdown
!
interface FastEthernet0/12
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
description Outside Network
ip address 1.0.0.105 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 1.0.0.1
ip route 1.0.0.112 255.255.255.240 1.0.0.106
ip route 10.0.0.0 255.0.0.0 1.0.0.106
ip route 172.16.0.0 255.240.0.0 1.0.0.106
!
ip classless
no ip http server
no ip http secure-server
!
ip tacacs source-interface Vlan2
!
!
logging source-interface Vlan2
logging 172.17.200.232
access-list 52 remark Internal SNMP RO access
access-list 52 permit 172.17.100.0 0.0.0.255
access-list 52 permit 172.17.200.0 0.0.0.255
access-list 52 permit 10.4.5.0 0.0.0.255
access-list 85 permit 1.169.31.226
access-list 85 permit 1.148.0.138
access-list 85 permit 1.43.53.170
access-list 85 permit 1.87.201.10
access-list 85 permit 1.109.89.198
access-list 85 permit 1.194.74.26
access-list 85 permit 1.194.74.22
access-list 85 permit 1.169.195.194
access-list 85 permit 1.169.198.96 0.0.0.7
access-list 85 permit 172.17.100.0 0.0.0.255
access-list 85 permit 172.17.190.0 0.0.0.255
access-list 85 permit 172.17.200.0 0.0.0.255
access-list 85 permit 10.13.100.0 0.0.0.255
access-list 85 permit 10.13.190.0 0.0.0.255
access-list 85 permit 10.13.200.0 0.0.0.255
access-list 85 permit 12.14.179.64 0.0.0.31
access-list 85 permit 1.117.15.128 0.0.0.31
access-list 85 permit 1.148.22.96 0.0.0.15
access-list 85 permit 1.252.30.96 0.0.0.31
access-list 85 permit 1.128.17.64 0.0.0.15
access-list 85 permit 1.169.34.0 0.0.0.7
access-list 85 permit 1.162.70.192 0.0.0.15
!
snmp-server community ***** RO 52
snmp-server enable traps tty
snmp-server enable traps syslog
tacacs-server host 172.17.200.231
tacacs-server directed-request
tacacs-server key 7 ******
!
control-plane
!
banner motd ^C
WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AU
THORISED PERSONS!
Activities on and access to this system are monitored and recorded.
Use of this system is your express consent to such monitoring and recording.

ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT
IN CRIMINAL AND/OR CIVIL PENALTIES.^C
!
line con 0
exec-timeout 5 0
line vty 0 4
access-class 85 in
exec-timeout 30 0
transport input ssh
line vty 5 15
access-class 85 in
exec-timeout 30 0
transport input ssh
!
ntp clock-period 36028978
ntp source Vlan2
ntp server 10.4.5.5
ntp server 172.16.0.5 prefer
end
Firewall 1 (Active)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
ASA Version 7.2(3)
!
hostname ****
domain-name ****
enable password ***** encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Outside Switch
nameif outside
security-level 0
ip address 1.0.0.106 255.255.255.248 standby 1.0.0.107
!
interface GigabitEthernet0/1
description Core Switches
nameif inside
security-level 100
ip address 10.7.0.4 255.255.255.0 standby 10.7.0.5
!
interface GigabitEthernet0/2
description DMZ Switches
nameif dmz
security-level 50
ip address 1.0.0.113 255.255.255.240 standby 1.0.0.114
!
interface GigabitEthernet0/3
!
interface Management0/0
!
interface Management0/0.254
description STATE Failover Interface
vlan 254
!
interface Management0/0.255
description LAN Failover Interface
vlan 255
!
passwd **** encrypted
banner motd WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS L
IMITED TO AUTHORISED PERSONS!
banner motd Activities on and access to this system are monitored and recorded.
banner motd Use of this system is your express consent to such monitoring and re
cording.
banner motd
banner motd ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND
COULD RESULTIN CRIMINAL AND/OR CIVIL PENALTIES.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ****
object-group protocol TCP-UDP
protocol-object tcp
protocol-object udp
object-group service Nachi_Worm tcp-udp
port-object eq 707
object-group service Kerberos tcp-udp
port-object eq 4444
object-group service MS_Ports tcp-udp
port-object eq 135
port-object range 137 139
port-object eq 445
port-object eq 593
object-group service IM_Virus tcp-udp
port-object eq 5001
object-group service Zincite_Virus tcp-udp
port-object eq 1034
object-group service Sasser_Worm tcp
port-object eq 5554
port-object eq 9996
object-group service Beagle.O_Virus tcp-udp
port-object eq 81
object-group network gotomypc.com
network-object host 66.151.158.177
object-group service Dameware tcp-udp
port-object eq 6129
object-group service Mail_Services tcp
port-object eq smtp
port-object eq pop3
object-group network INSIDE
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group network IT
network-object 172.17.190.0 255.255.255.0
network-object 10.13.190.0 255.255.255.0
network-object 10.13.100.0 255.255.255.0
network-object 10.13.200.0 255.255.255.0
network-object 172.17.100.0 255.255.255.0
network-object 172.17.200.0 255.255.255.0
object-group network Net_Monitor
network-object host 172.17.200.126
network-object host 172.17.200.130
network-object host 172.17.200.131
network-object host 172.17.200.132
network-object host 172.17.200.127
object-group network DC
network-object host 10.13.200.161
network-object host 172.17.200.161
network-object host 172.17.200.162
object-group network NTP
network-object host 172.16.0.5
network-object host 10.4.5.5
object-group network Internet_Routers
network-object host 1.0.0.2
network-object host 1.0.0.6
object-group network Internet_Switches
network-object host 1.0.0.105
object-group network MARS
network-object host 172.17.200.232
object-group service SYSLOG udp
port-object eq syslog
object-group network ACS
network-object host 172.17.200.231
object-group service TACACS tcp
port-object eq tacacs
object-group service MARS_UDP udp
port-object eq syslog
port-object eq 2055
object-group network CISCOOUTSIDE
group-object Internet_Routers
group-object Internet_Switches
object-group network DMZ_NET
network-object 1.0.0.112 255.255.255.240
object-group network OUTSIDE
group-object DMZ_NET
object-group network Blocked_Subnet
network-object 168.95.5.0 255.255.255.192
object-group network Vendor_Subnet
network-object 10.7.180.0 255.255.255.0
object-group network Special_Subnets
group-object IT
group-object Vendor_Subnet
object-group network MXtremes
network-object host 1.0.0.117
object-group network WWW
network-object host 1.0.0.118
network-object host 1.0.0.110
object-group service WEB_SERVICES tcp
port-object eq www
port-object eq https
object-group network DMZ_SWITCH
network-object host 1.0.0.115
network-object host 1.0.0.116
object-group service LDAP tcp
port-object eq ldap
object-group network XBH
network-object host 10.13.100.13
network-object host 172.16.0.10
network-object host 172.17.100.50
network-object host 172.17.100.60
network-object host 172.17.100.61
network-object host 172.17.100.62
object-group network MXtremes-FTP-Inside
network-object host 172.17.200.102
object-group network Outside_Network
network-object 1.252.30.96 255.255.255.224
network-object 1.162.70.192 255.255.255.240
network-object 1.14.179.64 255.255.255.224
object-group network Outside
network-object 1.0.0.0 255.255.255.248
network-object 1.0.0.104 255.255.255.248
object-group network Borderware
network-object host 207.236.65.226
object-group service MXtremes_TCP tcp
port-object eq https
port-object eq 10101
object-group network CTXCAG
network-object host 1.0.0.120
object-group network CTXCAGMGMT
network-object 10.13.100.0 255.255.255.0
network-object 10.13.190.0 255.255.255.0
network-object 10.13.200.0 255.255.255.0
network-object 172.17.100.0 255.255.255.0
network-object 172.17.200.0 255.255.255.0
network-object host 172.17.150.120
network-object host 172.17.150.121
network-object host 172.17.150.122
network-object host 172.17.150.123
network-object host 172.17.150.124
network-object 172.17.190.0 255.255.255.0
object-group service CITRIXCAG tcp
port-object range 9001 9002
port-object eq 9005
object-group network CTXFARM
network-object host 172.17.200.170
network-object host 172.17.200.173
network-object host 172.17.200.174
network-object host 172.17.200.175
network-object host 172.17.200.176
network-object host 172.17.150.120
network-object host 172.17.150.121
network-object host 172.17.150.122
network-object host 172.17.150.123
network-object host 172.17.150.124
network-object 172.17.50.0 255.255.255.0
network-object 172.17.60.0 255.255.255.0
network-object 10.13.50.0 255.255.255.0
network-object 10.13.60.0 255.255.255.0
network-object 10.13.100.0 255.255.255.0
network-object 10.13.200.0 255.255.255.0
object-group service CITRIXPROD tcp
port-object eq www
port-object eq citrix-ica
port-object eq 2598
object-group service VNC_TCP tcp
port-object eq 5900
object-group service backup tcp-udp
description ports for backupexec
port-object range 1025 1030
port-object eq 10000
object-group network VPN_Group2
network-object 192.168.185.0 255.255.255.0
object-group network VPN_Group1
network-object 192.168.189.0 255.255.255.0
access-list nonat remark No NAT for Special Subnets
access-list nonat extended permit ip object-group INSIDE object-group CISCOOUTSI
DE
access-list nonat extended permit ip object-group INSIDE object-group OUTSIDE
access-list nonat extended permit ip object-group INSIDE object-group VPN_Group1
access-list nonat extended permit ip object-group INSIDE object-group VPN_Group2
access-list inside remark Allow Mail Server to Send Mail to anyone
access-list inside extended permit tcp object-group XBH any eq smtp
access-list inside remark Block other users from pop3 and smtp mail
access-list inside extended deny tcp any any object-group Mail_Services
access-list inside remark Deny Control Channel Commands for Nachi worm
access-list inside extended deny object-group TCP-UDP any any object-group Nachi
_Worm
access-list inside remark Deny Kerberos Authentication
access-list inside extended deny object-group TCP-UDP any any object-group Kerbe
ros
access-list inside remark Block Vulnerable Microsoft Ports
access-list inside extended deny object-group TCP-UDP any any object-group MS_Po
rts
access-list inside remark Block IM VIRUS
access-list inside extended deny object-group TCP-UDP any any object-group IM_Vi
rus
access-list inside remark Block zincite virus
access-list inside extended deny object-group TCP-UDP any any object-group Zinci
te_Virus
access-list inside remark Block Sasser Worm
access-list inside extended deny tcp any any object-group Sasser_Worm
access-list inside remark Block Beagle.O virus
access-list inside extended deny object-group TCP-UDP any any object-group Beagl
e.O_Virus
access-list inside remark Block gotomypc.com
access-list inside extended deny ip any object-group gotomypc.com
access-list inside remark Block Dameware
access-list inside extended deny object-group TCP-UDP any any object-group Damew
are
access-list inside remark Allow SNMP Monitoring to DMZ from Inside
access-list inside extended permit udp object-group Net_Monitor object-group DMZ
_NET range snmp snmptrap
access-list inside remark Allow GTO to do ICMP management to DMZ
access-list inside extended permit icmp object-group IT object-group DMZ_NET
access-list inside remark Allow GTO to telnet and SSH to DMZ
access-list inside extended permit tcp object-group IT object-group DMZ_NET rang
e ssh telnet
access-list inside remark Allow GTO to open http and https on DMZ
access-list inside extended permit tcp object-group IT object-group DMZ_NET obje
ct-group WEB_SERVICES
access-list inside remark Allow Remote Control of servers by GTO
access-list inside extended permit tcp object-group IT object-group DMZ_NET obje
ct-group VNC_TCP
access-list inside remark Allow backupexec to dmz
access-list inside extended permit tcp object-group IT object-group DMZ_NET obje
ct-group backup
access-list inside remark Allow CAG Management into the DMZ
access-list inside extended permit tcp object-group CTXCAGMGMT object-group CTXC
AG object-group CITRIXCAG
access-list inside remark Deny other access to DMZ
access-list inside extended deny ip any object-group DMZ_NET
access-list inside remark Permit All traffic thereafter
access-list inside extended permit ip any any
access-list nonat_dmz remark No NAT for DMZ Subnets
access-list nonat_dmz extended permit ip object-group DMZ_NET any
access-list outside remark Permitted Inbound Traffic
access-list outside remark deny this IP to anywhere
access-list outside extended deny ip object-group Blocked_Subnet any
access-list outside remark TACACS Traffic
access-list outside extended permit tcp object-group CISCOOUTSIDE object-group A
CS object-group TACACS
access-list outside remark MARS Traffic
access-list outside extended permit udp object-group CISCOOUTSIDE object-group M
ARS object-group MARS_UDP
access-list outside remark NTP Traffic
access-list outside extended permit udp object-group CISCOOUTSIDE object-group N
TP eq ntp
access-list outside remark allow all ping traffic
access-list outside extended permit icmp any any
access-list outside remark allow anyone to smtp to Mail Firewalls in DMZ
access-list outside extended permit tcp any object-group MXtremes eq smtp
access-list outside remark allow Outside network to manage MXtremes
access-list outside extended permit tcp object-group Outside_Network object-grou
p MXtremes eq https
access-list outside remark allow Borderware support access to MXtreme
access-list outside extended permit tcp object-group Borderware object-group MXt
remes object-group MXtremes_TCP
access-list outside remark allow traffic to access WWW server
access-list outside extended permit tcp any object-group WWW object-group WEB_SE
RVICES
access-list outside remark allow SSL to the CAGs from anyone
access-list outside extended permit tcp any object-group CTXCAG object-group WEB
_SERVICES
access-list dmz remark Permitted Inbound Traffic
access-list dmz remark allow TACACS traffic from DMZ Switches to ACS
access-list dmz extended permit tcp object-group DMZ_SWITCH object-group ACS eq
tacacs
access-list dmz remark MARS Traffic
access-list dmz extended permit udp object-group DMZ_SWITCH object-group MARS ob
ject-group MARS_UDP
access-list dmz remark allow DMZ network to get internal time
access-list dmz extended permit udp object-group DMZ_NET object-group NTP eq ntp
access-list dmz remark allow ping
access-list dmz extended permit icmp any any
access-list dmz remark allow MXtremes to do LDAP against inside
access-list dmz extended permit tcp object-group MXtremes object-group DC object
-group LDAP
access-list dmz remark allow MXtremes to do DNS lookups inside
access-list dmz extended permit udp object-group MXtremes object-group DC eq dom
ain
access-list dmz remark deny MXtremes to source WWW and SSL on their own to INSID
E
access-list dmz extended deny tcp object-group MXtremes object-group INSIDE obje
ct-group WEB_SERVICES
access-list dmz remark allow MXtremes WWW and SSL to ANY
access-list dmz extended permit tcp object-group MXtremes any object-group WEB_S
ERVICES
access-list dmz remark allow MXtremes to forward mail to Mail servers and Intern
et
access-list dmz extended permit tcp object-group MXtremes object-group XBH eq sm
tp
access-list dmz extended deny tcp object-group MXtremes object-group INSIDE eq s
mtp
access-list dmz extended permit tcp object-group MXtremes any eq smtp
access-list dmz remark Allow MXtremes to upload mail logs to nycsrvmxl1
access-list dmz extended permit tcp object-group MXtremes object-group MXtremes-
FTP-Inside range ftp-data ftp
access-list dmz remark deny Web server to source www and SSL on its own to INSID
E
access-list dmz extended deny tcp object-group WWW object-group INSIDE object-gr
oup WEB_SERVICES
access-list dmz remark allow Web server WWW and SSL to Anyone
access-list dmz extended permit tcp object-group WWW any object-group WEB_SERVIC
ES
access-list dmz remark allow Citrix CAGs to Citrix Farm
access-list dmz extended permit tcp object-group CTXCAG object-group CTXFARM obj
ect-group CITRIXPROD
access-list dmz remark deny Citrix CAGs to SSL on its own to INSIDE
access-list dmz extended deny tcp object-group CTXCAG object-group INSIDE eq htt
ps
access-list dmz remark allow Citrix CAGs to SSL on its own to others
access-list dmz extended permit tcp object-group CTXCAG any eq https
access-list IPS_Inspection remark ASA IPS Inspect following traffic flow
access-list IPS_Inspection extended permit ip object-group INSIDE object-group O
utside_Network
access-list IPS_Inspection extended permit ip object-group INSIDE object-group D
MZ_NET
access-list IPS_Inspection extended permit ip object-group INSIDE object-group V
PN_Group1
access-list IPS_Inspection extended permit ip object-group INSIDE object-group V
PN_Group2
access-list IPS_Inspection extended permit ip object-group INSIDE any
access-list IPS_Inspection extended permit ip object-group DMZ_NET any
access-list IPS_Inspection extended permit ip object-group Outside_Network any
access-list IPS_Inspection extended permit ip any object-group Outside
access-list IPS_Inspection extended permit ip any object-group DMZ_NET
access-list IPS_Inspection extended permit ip any object-group INSIDE
access-list IPS_Inspection extended permit ip any any log
access-list nonat-VPN_Group1 remark No NAT for VPN Group 1
access-list nonat-VPN_Group1 extended permit ip object-group INSIDE object-group
VPN_Group1
access-list nonat-VPN_Group2 remark No NAT for VPN Group 2
access-list nonat-VPN_Group2 extended permit ip object-group INSIDE object-group
VPN_Group2
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 16384
logging buffered errors
logging trap debugging
logging history errors
logging asdm informational
logging mail debugging
logging facility 19
logging device-id hostname
logging host inside 172.17.200.232
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool group2 192.168.185.1-192.168.185.254
ip local pool group1 192.168.189.1-192.168.189.254
failover
failover lan unit primary
failover lan interface failover Management0/0.255
failover link state Management0/0.254
failover interface ip failover 192.168.0.249 255.255.255.252 standby 192.168.0.2
50
failover interface ip state 192.168.0.253 255.255.255.252 standby 192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 1.0.0.108
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat_dmz
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
!
route outside 0.0.0.0 0.0.0.0 1.0.0.105
route inside 10.0.0.0 255.0.0.0 10.7.0.1
route inside 172.16.0.0 255.240.0.0 10.7.0.1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server NT_DOMAIN protocol nt
aaa-server NT_DOMAIN host 10.7.200.161
nt-auth-domain-controller *****
aaa-server TACACS protocol tacacs+
reactivation-mode depletion deadtime 3
max-failed-attempts 4
aaa-server TACACS host 172.17.200.231
key *****
aaa authentication http console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS
aaa accounting serial console TACACS
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
aaa accounting command privilege 15 TACACS
snmp-server host inside 172.17.200.126 community *****
snmp-server host inside 172.17.200.127 community *****
snmp-server host inside 172.17.200.130 community *****
snmp-server host inside 172.17.200.131 community *****
snmp-server host inside 172.17.200.132 community *****
no snmp-server location
no snmp-server contact
snmp-server community ****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
service resetoutside
crypto ipsec transform-set set10 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set set20 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set set10
crypto dynamic-map dynmap 20 set transform-set set20
crypto map map 10 ipsec-isakmp dynamic dynmap
crypto map map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh 1.252.30.96 255.255.255.224 outside
ssh 1.14.179.64 255.255.255.224 outside
ssh 10.13.100.0 255.255.255.0 inside
ssh 10.13.200.0 255.255.255.0 inside
ssh 10.13.190.0 255.255.255.0 inside
ssh 10.13.0.0 255.255.255.0 inside
ssh 172.17.100.0 255.255.255.0 inside
ssh 172.17.190.0 255.255.255.0 inside
ssh 172.17.200.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
class-map IPS_Class
match access-list IPS_Inspection
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class IPS_Class
ips promiscuous fail-open
!
service-policy global_policy global
ntp server 10.4.5.5 source inside
ntp server 172.16.0.5 source inside prefer
group-policy Group1 internal
group-policy Group1 attributes
wins-server value 10.13.100.103
dns-server value 10.13.100.103
vpn-idle-timeout 1440
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nonat-VPN_Group1
default-domain value *****
group-policy Group2 internal
group-policy Group2 attributes
wins-server value 10.13.100.103
dns-server value 10.13.100.103
vpn-idle-timeout 1440
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nonat-VPN_Group2
default-domain value *****
username ***** password ****** encrypted privilege 15
username ***** attributes
vpn-group-policy Group1
group-lock value Group1
username ***** password ****** encrypted privilege 15
tunnel-group Group2 type ipsec-ra
tunnel-group Group2 general-attributes
address-pool group2
authentication-server-group NT_DOMAIN
default-group-policy Group2
tunnel-group Group2 ipsec-attributes
pre-shared-key *
tunnel-group Group1 type ipsec-ra
tunnel-group Group1 general-attributes
address-pool group1
authentication-server-group NT_DOMAIN LOCAL
default-group-policy Group1
tunnel-group Group1 ipsec-attributes
pre-shared-key *
prompt hostname context
: end
Firewall 2 (Standby)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
ASA Version 7.2(3)
!
hostname ****
domain-name ****
enable password ***** encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Outside Switch
nameif outside
security-level 0
ip address 1.0.0.106 255.255.255.248 standby 1.0.0.107
!
interface GigabitEthernet0/1
description Core Switches
nameif inside
security-level 100
ip address 10.7.0.4 255.255.255.0 standby 10.7.0.5
!
interface GigabitEthernet0/2
description DMZ Switches
nameif dmz
security-level 50
ip address 1.0.0.113 255.255.255.240 standby 1.0.0.114
!
interface GigabitEthernet0/3
!
interface Management0/0
!
interface Management0/0.254
description STATE Failover Interface
vlan 254
!
interface Management0/0.255
description LAN Failover Interface
vlan 255
!
passwd **** encrypted
banner motd WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS L
IMITED TO AUTHORISED PERSONS!
banner motd Activities on and access to this system are monitored and recorded.
banner motd Use of this system is your express consent to such monitoring and re
cording.
banner motd
banner motd ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND
COULD RESULTIN CRIMINAL AND/OR CIVIL PENALTIES.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ****
object-group protocol TCP-UDP
protocol-object tcp
protocol-object udp
object-group service Nachi_Worm tcp-udp
port-object eq 707
object-group service Kerberos tcp-udp
port-object eq 4444
object-group service MS_Ports tcp-udp
port-object eq 135
port-object range 137 139
port-object eq 445
port-object eq 593
object-group service IM_Virus tcp-udp
port-object eq 5001
object-group service Zincite_Virus tcp-udp
port-object eq 1034
object-group service Sasser_Worm tcp
port-object eq 5554
port-object eq 9996
object-group service Beagle.O_Virus tcp-udp
port-object eq 81
object-group network gotomypc.com
network-object host 66.151.158.177
object-group service Dameware tcp-udp
port-object eq 6129
object-group service Mail_Services tcp
port-object eq smtp
port-object eq pop3
object-group network INSIDE
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group network IT
network-object 172.17.190.0 255.255.255.0
network-object 10.13.190.0 255.255.255.0
network-object 10.13.100.0 255.255.255.0
network-object 10.13.200.0 255.255.255.0
network-object 172.17.100.0 255.255.255.0
network-object 172.17.200.0 255.255.255.0
object-group network Net_Monitor
network-object host 172.17.200.126
network-object host 172.17.200.130
network-object host 172.17.200.131
network-object host 172.17.200.132
network-object host 172.17.200.127
object-group network DC
network-object host 10.13.200.161
network-object host 172.17.200.161
network-object host 172.17.200.162
object-group network NTP
network-object host 172.16.0.5
network-object host 10.4.5.5
object-group network Internet_Routers
network-object host 1.0.0.2
network-object host 1.0.0.6
object-group network Internet_Switches
network-object host 1.0.0.105
object-group network MARS
network-object host 172.17.200.232
object-group service SYSLOG udp
port-object eq syslog
object-group network ACS
network-object host 172.17.200.231
object-group service TACACS tcp
port-object eq tacacs
object-group service MARS_UDP udp
port-object eq syslog
port-object eq 2055
object-group network CISCOOUTSIDE
group-object Internet_Routers
group-object Internet_Switches
object-group network DMZ_NET
network-object 1.0.0.112 255.255.255.240
object-group network OUTSIDE
group-object DMZ_NET
object-group network Blocked_Subnet
network-object 168.95.5.0 255.255.255.192
object-group network Vendor_Subnet
network-object 10.7.180.0 255.255.255.0
object-group network Special_Subnets
group-object IT
group-object Vendor_Subnet
object-group network MXtremes
network-object host 1.0.0.117
object-group network WWW
network-object host 1.0.0.118
network-object host 1.0.0.110
object-group service WEB_SERVICES tcp
port-object eq www
port-object eq https
object-group network DMZ_SWITCH
network-object host 1.0.0.115
network-object host 1.0.0.116
object-group service LDAP tcp
port-object eq ldap
object-group network XBH
network-object host 10.13.100.13
network-object host 172.16.0.10
network-object host 172.17.100.50
network-object host 172.17.100.60
network-object host 172.17.100.61
network-object host 172.17.100.62
object-group network MXtremes-FTP-Inside
network-object host 172.17.200.102
object-group network Outside_Network
network-object 1.252.30.96 255.255.255.224
network-object 1.162.70.192 255.255.255.240
network-object 1.14.179.64 255.255.255.224
object-group network Outside
network-object 1.0.0.0 255.255.255.248
network-object 1.0.0.104 255.255.255.248
object-group network Borderware
network-object host 207.236.65.226
object-group service MXtremes_TCP tcp
port-object eq https
port-object eq 10101
object-group network CTXCAG
network-object host 1.0.0.120
object-group network CTXCAGMGMT
network-object 10.13.100.0 255.255.255.0
network-object 10.13.190.0 255.255.255.0
network-object 10.13.200.0 255.255.255.0
network-object 172.17.100.0 255.255.255.0
network-object 172.17.200.0 255.255.255.0
network-object host 172.17.150.120
network-object host 172.17.150.121
network-object host 172.17.150.122
network-object host 172.17.150.123
network-object host 172.17.150.124
network-object 172.17.190.0 255.255.255.0
object-group service CITRIXCAG tcp
port-object range 9001 9002
port-object eq 9005
object-group network CTXFARM
network-object host 172.17.200.170
network-object host 172.17.200.173
network-object host 172.17.200.174
network-object host 172.17.200.175
network-object host 172.17.200.176
network-object host 172.17.150.120
network-object host 172.17.150.121
network-object host 172.17.150.122
network-object host 172.17.150.123
network-object host 172.17.150.124
network-object 172.17.50.0 255.255.255.0
network-object 172.17.60.0 255.255.255.0
network-object 10.13.50.0 255.255.255.0
network-object 10.13.60.0 255.255.255.0
network-object 10.13.100.0 255.255.255.0
network-object 10.13.200.0 255.255.255.0
object-group service CITRIXPROD tcp
port-object eq www
port-object eq citrix-ica
port-object eq 2598
object-group service VNC_TCP tcp
port-object eq 5900
object-group service backup tcp-udp
description ports for backupexec
port-object range 1025 1030
port-object eq 10000
object-group network VPN_Group2
network-object 192.168.185.0 255.255.255.0
object-group network VPN_Group1
network-object 192.168.189.0 255.255.255.0
access-list nonat remark No NAT for Special Subnets
access-list nonat extended permit ip object-group INSIDE object-group CISCOOUTSI
DE
access-list nonat extended permit ip object-group INSIDE object-group OUTSIDE
access-list nonat extended permit ip object-group INSIDE object-group VPN_Group1
access-list nonat extended permit ip object-group INSIDE object-group VPN_Group2
access-list inside remark Allow Mail Server to Send Mail to anyone
access-list inside extended permit tcp object-group XBH any eq smtp
access-list inside remark Block other users from pop3 and smtp mail
access-list inside extended deny tcp any any object-group Mail_Services
access-list inside remark Deny Control Channel Commands for Nachi worm
access-list inside extended deny object-group TCP-UDP any any object-group Nachi
_Worm
access-list inside remark Deny Kerberos Authentication
access-list inside extended deny object-group TCP-UDP any any object-group Kerbe
ros
access-list inside remark Block Vulnerable Microsoft Ports
access-list inside extended deny object-group TCP-UDP any any object-group MS_Po
rts
access-list inside remark Block IM VIRUS
access-list inside extended deny object-group TCP-UDP any any object-group IM_Vi
rus
access-list inside remark Block zincite virus
access-list inside extended deny object-group TCP-UDP any any object-group Zinci
te_Virus
access-list inside remark Block Sasser Worm
access-list inside extended deny tcp any any object-group Sasser_Worm
access-list inside remark Block Beagle.O virus
access-list inside extended deny object-group TCP-UDP any any object-group Beagl
e.O_Virus
access-list inside remark Block gotomypc.com
access-list inside extended deny ip any object-group gotomypc.com
access-list inside remark Block Dameware
access-list inside extended deny object-group TCP-UDP any any object-group Damew
are
access-list inside remark Allow SNMP Monitoring to DMZ from Inside
access-list inside extended permit udp object-group Net_Monitor object-group DMZ
_NET range snmp snmptrap
access-list inside remark Allow GTO to do ICMP management to DMZ
access-list inside extended permit icmp object-group IT object-group DMZ_NET
access-list inside remark Allow GTO to telnet and SSH to DMZ
access-list inside extended permit tcp object-group IT object-group DMZ_NET rang
e ssh telnet
access-list inside remark Allow GTO to open http and https on DMZ
access-list inside extended permit tcp object-group IT object-group DMZ_NET obje
ct-group WEB_SERVICES
access-list inside remark Allow Remote Control of servers by GTO
access-list inside extended permit tcp object-group IT object-group DMZ_NET obje
ct-group VNC_TCP
access-list inside remark Allow backupexec to dmz
access-list inside extended permit tcp object-group IT object-group DMZ_NET obje
ct-group backup
access-list inside remark Allow CAG Management into the DMZ
access-list inside extended permit tcp object-group CTXCAGMGMT object-group CTXC
AG object-group CITRIXCAG
access-list inside remark Deny other access to DMZ
access-list inside extended deny ip any object-group DMZ_NET
access-list inside remark Permit All traffic thereafter
access-list inside extended permit ip any any
access-list nonat_dmz remark No NAT for DMZ Subnets
access-list nonat_dmz extended permit ip object-group DMZ_NET any
access-list outside remark Permitted Inbound Traffic
access-list outside remark deny this IP to anywhere
access-list outside extended deny ip object-group Blocked_Subnet any
access-list outside remark TACACS Traffic
access-list outside extended permit tcp object-group CISCOOUTSIDE object-group A
CS object-group TACACS
access-list outside remark MARS Traffic
access-list outside extended permit udp object-group CISCOOUTSIDE object-group M
ARS object-group MARS_UDP
access-list outside remark NTP Traffic
access-list outside extended permit udp object-group CISCOOUTSIDE object-group N
TP eq ntp
access-list outside remark allow all ping traffic
access-list outside extended permit icmp any any
access-list outside remark allow anyone to smtp to Mail Firewalls in DMZ
access-list outside extended permit tcp any object-group MXtremes eq smtp
access-list outside remark allow Outside network to manage MXtremes
access-list outside extended permit tcp object-group Outside_Network object-grou
p MXtremes eq https
access-list outside remark allow Borderware support access to MXtreme
access-list outside extended permit tcp object-group Borderware object-group MXt
remes object-group MXtremes_TCP
access-list outside remark allow traffic to access WWW server
access-list outside extended permit tcp any object-group WWW object-group WEB_SE
RVICES
access-list outside remark allow SSL to the CAGs from anyone
access-list outside extended permit tcp any object-group CTXCAG object-group WEB
_SERVICES
access-list dmz remark Permitted Inbound Traffic
access-list dmz remark allow TACACS traffic from DMZ Switches to ACS
access-list dmz extended permit tcp object-group DMZ_SWITCH object-group ACS eq
tacacs
access-list dmz remark MARS Traffic
access-list dmz extended permit udp object-group DMZ_SWITCH object-group MARS ob
ject-group MARS_UDP
access-list dmz remark allow DMZ network to get internal time
access-list dmz extended permit udp object-group DMZ_NET object-group NTP eq ntp
access-list dmz remark allow ping
access-list dmz extended permit icmp any any
access-list dmz remark allow MXtremes to do LDAP against inside
access-list dmz extended permit tcp object-group MXtremes object-group DC object
-group LDAP
access-list dmz remark allow MXtremes to do DNS lookups inside
access-list dmz extended permit udp object-group MXtremes object-group DC eq dom
ain
access-list dmz remark deny MXtremes to source WWW and SSL on their own to INSID
E
access-list dmz extended deny tcp object-group MXtremes object-group INSIDE obje
ct-group WEB_SERVICES
access-list dmz remark allow MXtremes WWW and SSL to ANY
access-list dmz extended permit tcp object-group MXtremes any object-group WEB_S
ERVICES
access-list dmz remark allow MXtremes to forward mail to Mail servers and Intern
et
access-list dmz extended permit tcp object-group MXtremes object-group XBH eq sm
tp
access-list dmz extended deny tcp object-group MXtremes object-group INSIDE eq s
mtp
access-list dmz extended permit tcp object-group MXtremes any eq smtp
access-list dmz remark Allow MXtremes to upload mail logs to nycsrvmxl1
access-list dmz extended permit tcp object-group MXtremes object-group MXtremes-
FTP-Inside range ftp-data ftp
access-list dmz remark deny Web server to source www and SSL on its own to INSID
E
access-list dmz extended deny tcp object-group WWW object-group INSIDE object-gr
oup WEB_SERVICES
access-list dmz remark allow Web server WWW and SSL to Anyone
access-list dmz extended permit tcp object-group WWW any object-group WEB_SERVIC
ES
access-list dmz remark allow Citrix CAGs to Citrix Farm
access-list dmz extended permit tcp object-group CTXCAG object-group CTXFARM obj
ect-group CITRIXPROD
access-list dmz remark deny Citrix CAGs to SSL on its own to INSIDE
access-list dmz extended deny tcp object-group CTXCAG object-group INSIDE eq htt
ps
access-list dmz remark allow Citrix CAGs to SSL on its own to others
access-list dmz extended permit tcp object-group CTXCAG any eq https
access-list IPS_Inspection remark ASA IPS Inspect following traffic flow
access-list IPS_Inspection extended permit ip object-group INSIDE object-group O
utside_Network
access-list IPS_Inspection extended permit ip object-group INSIDE object-group D
MZ_NET
access-list IPS_Inspection extended permit ip object-group INSIDE object-group V
PN_Group1
access-list IPS_Inspection extended permit ip object-group INSIDE object-group V
PN_Group2
access-list IPS_Inspection extended permit ip object-group INSIDE any
access-list IPS_Inspection extended permit ip object-group DMZ_NET any
access-list IPS_Inspection extended permit ip object-group Outside_Network any
access-list IPS_Inspection extended permit ip any object-group Outside
access-list IPS_Inspection extended permit ip any object-group DMZ_NET
access-list IPS_Inspection extended permit ip any object-group INSIDE
access-list IPS_Inspection extended permit ip any any log
access-list nonat-VPN_Group1 remark No NAT for VPN Group 1
access-list nonat-VPN_Group1 extended permit ip object-group INSIDE object-group
VPN_Group1
access-list nonat-VPN_Group2 remark No NAT for VPN Group 2
access-list nonat-VPN_Group2 extended permit ip object-group INSIDE object-group
VPN_Group2
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 16384
logging buffered errors
logging trap debugging
logging history errors
logging asdm informational
logging mail debugging
logging facility 19
logging device-id hostname
logging host inside 172.17.200.232
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool group2 192.168.185.1-192.168.185.254
ip local pool group1 192.168.189.1-192.168.189.254
failover
failover lan interface failover Management0/0.255
failover link state Management0/0.254
failover interface ip failover 192.168.0.249 255.255.255.252 standby 192.168.0.2
50
failover interface ip state 192.168.0.253 255.255.255.252 standby 192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 1.0.0.108
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat_dmz
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
!
route outside 0.0.0.0 0.0.0.0 1.0.0.105
route inside 10.0.0.0 255.0.0.0 10.7.0.1
route inside 172.16.0.0 255.240.0.0 10.7.0.1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server NT_DOMAIN protocol nt
aaa-server NT_DOMAIN host 10.7.200.161
nt-auth-domain-controller *****
aaa-server TACACS protocol tacacs+
reactivation-mode depletion deadtime 3
max-failed-attempts 4
aaa-server TACACS host 172.17.200.231
key *****
aaa authentication http console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS
aaa accounting serial console TACACS
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
aaa accounting command privilege 15 TACACS
snmp-server host inside 172.17.200.126 community *****
snmp-server host inside 172.17.200.127 community *****
snmp-server host inside 172.17.200.130 community *****
snmp-server host inside 172.17.200.131 community *****
snmp-server host inside 172.17.200.132 community *****
no snmp-server location
no snmp-server contact
snmp-server community ****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
service resetoutside
crypto ipsec transform-set set10 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set set20 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set set10
crypto dynamic-map dynmap 20 set transform-set set20
crypto map map 10 ipsec-isakmp dynamic dynmap
crypto map map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh 1.252.30.96 255.255.255.224 outside
ssh 1.14.179.64 255.255.255.224 outside
ssh 10.13.100.0 255.255.255.0 inside
ssh 10.13.200.0 255.255.255.0 inside
ssh 10.13.190.0 255.255.255.0 inside
ssh 10.13.0.0 255.255.255.0 inside
ssh 172.17.100.0 255.255.255.0 inside
ssh 172.17.190.0 255.255.255.0 inside
ssh 172.17.200.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
class-map IPS_Class
match access-list IPS_Inspection
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class IPS_Class
ips promiscuous fail-open
!
service-policy global_policy global
ntp server 10.4.5.5 source inside
ntp server 172.16.0.5 source inside prefer
group-policy Group1 internal
group-policy Group1 attributes
wins-server value 10.13.100.103
dns-server value 10.13.100.103
vpn-idle-timeout 1440
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nonat-VPN_Group1
default-domain value *****
group-policy Group2 internal
group-policy Group2 attributes
wins-server value 10.13.100.103
dns-server value 10.13.100.103
vpn-idle-timeout 1440
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nonat-VPN_Group2
default-domain value *****
username ***** password ****** encrypted privilege 15
username ***** attributes
vpn-group-policy Group1
group-lock value Group1
username ***** password ****** encrypted privilege 15
tunnel-group Group2 type ipsec-ra
tunnel-group Group2 general-attributes
address-pool group2
authentication-server-group NT_DOMAIN
default-group-policy Group2
tunnel-group Group2 ipsec-attributes
pre-shared-key *
tunnel-group Group1 type ipsec-ra
tunnel-group Group1 general-attributes
address-pool group1
authentication-server-group NT_DOMAIN LOCAL
default-group-policy Group1
tunnel-group Group1 ipsec-attributes
pre-shared-key *
prompt hostname context
: end
Layer 3 Switch 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname *****
!
logging buffered 16384 debugging
enable secret 5 ********
!
username ****** secret 5 ******
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
udld enable

ip subnet-zero
ip routing
ip domain-list *****
ip domain-list *****
no ip domain-lookup
ip domain-name *****
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 1,20,200 priority 16384
spanning-tree vlan 5,7,100 priority 8192
!
vlan internal allocation policy ascending
!
!
!
!
interface Port-channel1
switchport trunk encapsulation isl
switchport trunk allowed vlan 1,5,7
switchport mode trunk
!
interface GigabitEthernet0/1
description To Firewall 1
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/7
description To Layer-2 Private Switch port 11
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,7,20
switchport mode trunk
!
interface GigabitEthernet0/8
description To Layer-2 Switch 3 port 11
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,5,7
switchport mode trunk
!
interface GigabitEthernet0/9
description To Layer-2 Switch 2 port 11
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,7,100
switchport mode trunk
!
interface GigabitEthernet0/10
description To Layer-2 Switch 1 port 11
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,7,200
switchport mode trunk
!
interface GigabitEthernet0/11
description To Layer-3 Switch 2 port 11
switchport trunk encapsulation isl
switchport trunk allowed vlan 1,5,7
switchport mode trunk
channel-group 1 mode on
!
interface GigabitEthernet0/12
description To Layer-3 Switch 2 port 11
switchport trunk encapsulation isl
switchport trunk allowed vlan 1,5,7
switchport mode trunk
channel-group 1 mode on
!
interface Vlan1
no ip address
shutdown
!
interface Vlan5
description Production (Active)
ip address 10.0.7.2 255.255.255.0
ip directed-broadcast 30
standby 5 ip 10.0.7.1
standby 5 priority 105
standby 5 preempt
!
interface Vlan7
description Management (Active)
ip address 10.7.0.2 255.255.255.0
standby 7 ip 10.7.0.1
standby 7 priority 105
standby 7 preempt
!
interface Vlan20
description Private Network (Standby)
ip address 172.20.6.2 255.255.255.0
standby 20 ip 172.20.6.1
standby 20 preempt
!
interface Vlan100
description Server 1 (Active)
ip address 10.7.100.2 255.255.255.0
standby 100 ip 10.7.100.1
standby 100 priority 105
standby 100 preempt
!
interface Vlan200
description Server 2 (Standby)
ip address 10.7.200.2 255.255.255.0
standby 200 ip 10.7.200.1
!
ip route 0.0.0.0 0.0.0.0 10.7.0.4
!
ip classless
no ip http server
no ip http secure-server
!
ip tacacs source-interface Vlan7
!
logging source-interface Vlan7
logging 172.17.200.232
access-list 30 remark Wake-On LAN
access-list 30 permit 172.17.200.125
access-list 50 permit 10.7.0.0 0.0.0.7
access-list 50 permit 172.17.100.0 0.0.0.255
access-list 50 permit 172.17.190.0 0.0.0.255
access-list 50 permit 172.17.200.0 0.0.0.255
access-list 50 permit 10.13.100.0 0.0.0.255
access-list 50 permit 10.13.190.0 0.0.0.255
access-list 50 permit 10.13.200.0 0.0.0.255
access-list 50 permit 192.168.189.0 0.0.0.255
access-list 50 permit 192.168.190.0 0.0.0.255
access-list 52 remark Internal SNMP RO access
access-list 52 permit 172.17.100.0 0.0.0.255
access-list 52 permit 172.17.200.0 0.0.0.255
access-list 52 permit 10.13.100.0 0.0.0.255
access-list 52 permit 10.13.200.0 0.0.0.255
access-list 115 remark Private Network
access-list 115 deny icmp any any
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.2
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.10
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.102
access-list 115 permit ip 172.20.6.0 0.0.0.255 172.20.0.0 0.0.255.255
snmp-server community ***** RO 52
tacacs-server host 172.17.200.231 key 7 *******
tacacs-server directed-request
radius-server source-ports 1645-1646
!
control-plane
!
banner motd ^C
WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AU
THORISED PERSONS!
Activities on and access to this system are monitored and recorded.
Use of this system is your express consent to such monitoring and recording.

ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT
IN CRIMINAL AND/OR CIVIL PENALTIES.^C
!
line con 0
logging synchronous
line vty 0 4
access-class 50 in
logging synchronous
transport input ssh
line vty 5 15
access-class 50 in
transport input ssh
!
ntp clock-period 36028537
ntp source Vlan7
ntp server 10.4.5.5
ntp server 172.16.0.5 prefer
end
Layer 3 Switch 2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname *****
!
logging buffered 16384 debugging
enable secret 5 *****
!
username ***** secret 5 *****
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
system mtu routing 1500
udld enable

ip subnet-zero
ip routing
ip domain-list *****
ip domain-list *****
no ip domain-lookup
ip domain-name *****
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
spanning-tree vlan 1,20,200 priority 8192
spanning-tree vlan 5,7,100 priority 16384
!
vlan internal allocation policy ascending
!
!
!
!
interface Port-channel1
switchport trunk encapsulation isl
switchport trunk allowed vlan 1,5,7
switchport mode trunk
!
interface GigabitEthernet0/1
description To Firewall 2
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 7
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet0/7
description To Layer-2 Private Switch port 12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,7,20
switchport mode trunk
!
interface GigabitEthernet0/8
description To Layer-2 Switch 3 port 12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,5,7
switchport mode trunk
!
interface GigabitEthernet0/9
description To Layer-2 Switch 2 port 12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,7,200
switchport mode trunk
!
interface GigabitEthernet0/10
description To Layer-2 Switch 1 port 12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,7,100
switchport mode trunk
!
interface GigabitEthernet0/11
description To Layer-3 Switch 1 port 12
switchport trunk encapsulation isl
switchport trunk allowed vlan 1,5,7
switchport mode trunk
channel-group 1 mode on
!
interface GigabitEthernet0/12
description To Layer-3 Switch 1 port 12
switchport trunk encapsulation isl
switchport trunk allowed vlan 1,5,7
switchport mode trunk
channel-group 1 mode on
!
interface Vlan1
no ip address
shutdown
!
interface Vlan5
description Production (Standby)
ip address 10.0.7.3 255.255.255.0
ip directed-broadcast 30
standby 5 ip 10.0.7.1
!
interface Vlan7
description Management (Standby)
ip address 10.7.0.3 255.255.255.0
standby 7 ip 10.7.0.1
!
interface Vlan20
description Private Network (Active)
ip address 172.20.6.3 255.255.255.0
standby 20 ip 172.20.6.1
standby 20 priority 105
standby 20 preempt
!
interface Vlan100
description Server 1 (Standby)
ip address 10.7.100.3 255.255.255.0
standby 100 ip 10.7.100.1
!
interface Vlan200
description Server 2 (Active)
ip address 10.7.200.3 255.255.255.0
standby 200 ip 10.7.200.1
standby 200 priority 105
standby 200 preempt
!
ip route 0.0.0.0 0.0.0.0 10.7.0.4
!
ip classless
no ip http server
no ip http secure-server
!
ip tacacs source-interface Vlan7
!
logging source-interface Vlan7
logging 172.17.200.232
access-list 30 remark Wake-On LAN
access-list 30 permit 172.17.200.125
access-list 50 permit 10.7.0.0 0.0.0.7
access-list 50 permit 172.17.100.0 0.0.0.255
access-list 50 permit 172.17.190.0 0.0.0.255
access-list 50 permit 172.17.200.0 0.0.0.255
access-list 50 permit 10.13.100.0 0.0.0.255
access-list 50 permit 10.13.190.0 0.0.0.255
access-list 50 permit 10.13.200.0 0.0.0.255
access-list 50 permit 192.168.189.0 0.0.0.255
access-list 50 permit 192.168.190.0 0.0.0.255
access-list 52 remark Internal SNMP RO access
access-list 52 permit 172.17.100.0 0.0.0.255
access-list 52 permit 172.17.200.0 0.0.0.255
access-list 52 permit 10.13.100.0 0.0.0.255
access-list 52 permit 10.13.200.0 0.0.0.255
access-list 115 remark Private Network
access-list 115 deny icmp any any
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.2
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.10
access-list 115 permit ip 172.20.6.0 0.0.0.255 host 224.0.0.102
access-list 115 permit ip 172.20.6.0 0.0.0.255 172.20.0.0 0.0.255.255
snmp-server community ****** RO 52
tacacs-server host 172.17.200.231 key 7 ******
tacacs-server directed-request
radius-server source-ports 1645-1646
!
control-plane
!
banner motd ^C
WARNING: ACCESS TO AND USE OF THIS AUTOMATED INFORMATION SYSTEM IS LIMITED TO AU
THORISED PERSONS!
Activities on and access to this system are monitored and recorded.
Use of this system is your express consent to such monitoring and recording.

ANY UNAUTHORIZED ACCCESS TO OR USE OF THIS SYSTEM IS PROHIBITED AND COULD RESULT
IN CRIMINAL AND/OR CIVIL PENALTIES.^C
!
line con 0
logging synchronous
line vty 0 4
access-class 50 in
logging synchronous
transport input ssh
line vty 5 15
access-class 50 in
transport input ssh
!
ntp clock-period 36029003
ntp source Vlan7
ntp server 10.4.5.5
ntp server 172.16.0.5 prefer
end
Sample 3:
Internet
| |
| |
Internet Internet
Router 1 Router 2
| |
| |
DMZ ----- Firewall Firewall (two redundant firewal
ls)
1 2
| |
| |
Bluecoat ProxySG1 int 0:0 --- Router 1 Router 2 --- Bluecoat ProxySG1 i
nt 1:0
| \ / |
| \ / |
Layer-3 ---- Layer-3 (two redundant Layer-3
switches)
Switch 1 Switch 2
| | | | | |
| | | | | |
| | Layer-2 | |
| | Switch | |
| | | |
| Layer-2 Switch |
| |
| |
+-- WAN Router 1 --+
|
|
WAN Router 2
|
|
Bluecoat ProxySG2 int 0:0 ---- Layer-3 Switch --- Firewall --- Internet
Router --- Internet
| | |
| | |
Layer-2 | Layer-2
Switch | Switch
|
Layer-2 Switch
Background
* The Bluecoat ProxySG appliances do WCCP with routers and switch that support W
CCP version 2 "redirect out" command. More detail on WCCP can be found here: Cisc
o Forum FAQ WCCP with Router/MSFC and Blue Coat ProxySG
* Site that has two Internet connections (the HQ) does Internet traffic load sha
re which some subnets take ISP 1 as primary and other subnets take ISP 2 as prim
ary
* The ProxySG appliances intercept outbound traffic from Inside machines out to
the Internet and initiate outbound connection using the appliances IP address on
behalf of Inside machines as part of the proxy mechanism
* Note that the proxy mechanism could screw up the BGP load share mechanism. The
refore any BGP load share mechanism must occur before the traffic is intercepted
or proxied. This is the reason why the HQ has Routers 1 and 2 to do the WCCP fo
r the interception, redirection, and proxy mechanism and let the Layer-3 Switche
s 1 and 2 do the BGP load share mechanism.
* Similar Routers 1 and 2 are not needed in Branch site since the site only has
single Internet connection and no Internet load share.
* All Outbound BGP load share mechanism at HQ site can be seen as "too complex"
from Branch site perspective, hence the reason of HQ site has BGP Confederation
in place. For more info on BGP Confederation, check out the following link: BGP
Case Studies: BGP Confederation
Sample 3 Configuration
Internet Router 1:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
interface FastEthernet0
description Internet
ip address dhcp
ip nat outside
no cdp enable
!
interface FastEthernet1
description Firewall 1
ip address 10.0.0.1 255.255.255.252
ip nat inside
!
router bgp 64748
no synchronization
bgp log-neighbor-changes
network 0.0.0.0
network 10.0.0.0 mask 255.255.255.252
neighbor 10.0.1.1 remote-as 64750
neighbor 10.0.1.1 description Router 1
neighbor 10.0.1.1 ebgp-multihop 3
neighbor 10.0.1.1 prefix-list NON-IN in
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 dhcp
ip route 10.0.0.0 255.0.0.0 10.0.0.2
ip route 172.16.0.0 255.240.0.0 10.0.0.2
ip route 192.168.0.0 255.255.0.0 10.0.0.2
!
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.50 80 interface FastEthernet0 80
!
ip prefix-list NON-IN description Internal Subnets are never visible
ip prefix-list NON-IN seq 10 deny 0.0.0.0/0 le 32
access-list 1 remark Permitted Subnets to go out to the Internet
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
Internet Router 2:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
interface FastEthernet0
description Physical xDSL Interface
no ip address
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
description Firewall 2
ip address 10.0.0.5 255.255.255.252
ip nat inside
!
interface Dialer1
description Logical xDSL Interface
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp pap sent-username password
ppp ipcp route default
ppp ipcp dns request
ppp ipcp address accept
!
router bgp 64749
no synchronization
bgp log-neighbor-changes
network 0.0.0.0
network 10.0.0.4 mask 255.255.255.252
neighbor 10.0.1.5 remote-as 64750
neighbor 10.0.1.5 description Router 2
neighbor 10.0.1.5 ebgp-multihop 3
neighbor 10.0.1.5 prefix-list NON-IN in
no auto-summary
!
ip route 10.0.0.0 255.0.0.0 10.0.0.6
ip route 172.16.0.0 255.240.0.0 10.0.0.6
ip route 192.168.0.0 255.255.0.0 10.0.0.6
ip nat inside source list 1 interface Dialer1 overload
!
ip prefix-list NON-IN description Internal Subnets are never visible
ip prefix-list NON-IN seq 10 deny 0.0.0.0/0 le 32
access-list 1 remark Permitted Subnets to go out to the Internet
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
!
dialer-list 1 protocol ip permit
Firewall 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
object-group icmp-type ICMP-INBOUND
icmp-object 0
icmp-object 3
icmp-object 11
access-list outside remark Permitted Inbound Traffic
access-list outside permit icmp any any object-group ICMP-INBOUND
access-list outside permit tcp any host 192.168.0.50 eq 80
ip address outside 10.0.0.2 255.255.255.252
ip address inside 10.0.1.2 255.255.255.252
ip address dmz 192.168.0.1 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 10.0.0.0 255.0.0.0 10.0.1.1 1
route inside 172.16.0.0 255.240.0.0 10.0.1.1 1
route inside 192.168.0.0 255.255.0.0 10.0.1.1 1
Firewall 2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
object-group icmp-type ICMP-INBOUND
icmp-object 0
icmp-object 3
icmp-object 11
access-list outside remark Permitted Inbound Traffic
access-list outside permit icmp any any object-group ICMP-INBOUND
ip address outside 10.0.0.6 255.255.255.252
ip address inside 10.0.1.6 255.255.255.252
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.0.0.5 1
route inside 10.0.0.0 255.0.0.0 10.0.1.5 1
route inside 172.16.0.0 255.240.0.0 10.0.1.5 1
route inside 192.168.0.0 255.255.0.0 10.0.1.5 1
Router 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
ip wccp version 2
ip wccp 10
ip wccp 20
!
interface Loopback0
description Blue Coat ProxySG Home Router 1
ip address 192.168.66.1 255.255.255.255
!
interface FastEthernet0
description Firewall 1
ip address 10.0.1.1 255.255.255.252
ip wccp 10 redirect out
ip wccp 20 redirect out
!
interface FastEthernet1
description Layer-3 Switch 1
ip address 10.0.1.9 255.255.255.252
!
interface FastEthernet2
description Layer-3 Switch 2
ip address 10.0.1.13 255.255.255.252
!
interface FastEthernet3
description Blue Coat ProxySG int 0:0
ip address 10.0.2.1 255.255.255.0
!
router rip
version 2
redistribute bgp 65002 route-map BGP-to-RIP
passive-interface FastEthernet0
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 65002
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65001 65003 65004
network 10.0.1.0 mask 255.255.255.252
network 10.0.2.0 mask 255.255.255.0
neighbor 10.0.0.1 remote-as 64748
neighbor 10.0.0.1 description Internet Router 1
neighbor 10.0.0.1 ebgp-multihop 3
neighbor 10.0.0.1 soft-reconfiguration inbound
neighbor 10.0.1.10 remote-as 65001
neighbor 10.0.1.10 description Layer-3 Switch 1
neighbor 10.0.1.10 soft-reconfiguration inbound
neighbor 10.0.1.14 remote-as 65001
neighbor 10.0.1.14 description Layer-3 Switch 2
neighbor 10.0.1.14 soft-reconfiguration inbound
no auto-summary
!
ip route 10.0.0.1 255.255.255.255 10.0.1.2
!
access-list 10 remark Permitted Subnets to Redistribute
access-list 10 deny 10.0.1.0 0.0.0.3
access-list 10 deny 10.0.1.8 0.0.0.7
access-list 10 deny 10.0.2.0 0.0.0.255
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
set tag 64748
Router 2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
ip wccp version 2
ip wccp 10
ip wccp 20
!
interface Loopback0
description Blue Coat ProxySG Home Router 2
ip address 192.168.66.2 255.255.255.255
!
interface FastEthernet0
description Firewall 2
ip address 10.0.1.5 255.255.255.252
ip wccp 10 redirect out
ip wccp 20 redirect out
!
interface FastEthernet1
description Layer-3 Switch 1
ip address 10.0.1.17 255.255.255.252
!
interface FastEthernet2
description Layer-3 Switch 2
ip address 10.0.1.21 255.255.255.252
!
interface FastEthernet3
description Blue Coat ProxySG int 1:0
ip address 10.0.3.1 255.255.255.0
!
router rip
version 2
redistribute bgp 65003 route-map BGP-to-RIP
passive-interface FastEthernet0
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 65003
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65001 65002 65004
network 10.0.1.4 mask 255.255.255.252
network 10.0.3.0 mask 255.255.255.0
neighbor 10.0.0.5 remote-as 64749
neighbor 10.0.0.5 description Internet Router 2
neighbor 10.0.0.5 ebgp-multihop 3
neighbor 10.0.0.5 soft-reconfiguration inbound
neighbor 10.0.1.18 remote-as 65001
neighbor 10.0.1.18 description Layer-3 Switch 1
neighbor 10.0.1.18 soft-reconfiguration inbound
neighbor 10.0.1.22 remote-as 65001
neighbor 10.0.1.22 description Layer-3 Switch 2
neighbor 10.0.1.22 soft-reconfiguration inbound
no auto-summary
!
ip route 10.0.0.5 255.255.255.255 10.0.1.6
!
access-list 10 remark Permitted Subnets to Redistribute
access-list 10 deny 10.0.1.4 0.0.0.3
access-list 10 deny 10.0.1.16 0.0.0.7
access-list 10 deny 10.0.3.0 0.0.0.255
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
set tag 64749
Blue Coat ProxySG1 configuration
1. Interface
interface 0:0
IP Address : 10.0.2.6
Subnet Mask : 255.255.255.0
Default Gateway: 10.0.2.1

interface 1:0
IP Address : 10.0.3.6
Subnet Mask : 255.255.255.0
Default Gateway: 10.0.3.1
2. WCCP
wccp enable
wccp version 2
service-group 20
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 80 80 80 80 80 80 80
interface 0:0
interface 1:0
home-router 192.168.66.1
home-router 192.168.66.2
forwarding-type GRE
end
service-group 10
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 21 443 554 5004 5005 1755 8554
interface 0:0
interface 1:0
home-router 192.168.66.1
home-router 192.168.66.2
forwarding-type GRE
end
3. Static Routes for Home Router IP Address Reachability
192.168.66.1 255.255.255.255 10.0.2.1
192.168.66.2 255.255.255.255 10.0.3.1
Layer-3 Switch 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
vlan 1,11-13,100
!
ip routing
!
interface FastEthernet0/1
description WAN Router 1
no switchport
ip address 10.0.1.25 255.255.255.252
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
description To Layer-2 Switch 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,100
switchport mode trunk
!
interface FastEthernet0/7
description To Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11
switchport mode trunk
!
interface FastEthernet0/8
description To Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-12
switchport mode trunk
!
interface FastEthernet0/9
description To Layer-2 Switch 4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13
switchport mode trunk
!
interface FastEthernet0/10
description To Router 1
no switchport
ip address 10.0.1.10 255.255.255.252
!
interface FastEthernet0/11
description To Router 2
no switchport
ip address 10.0.1.14 255.255.255.252
!
interface FastEthernet0/12
description To Layer-3 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1
switchport mode trunk
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan11
description Network Management (Active)
ip address 10.0.11.2 255.255.255.0
standby 11 ip 10.0.11.1
standby 11 priority 105
standby 11 preempt
!
interface Vlan12
description Administration (Standby)
ip address 10.0.12.2 255.255.255.0
standby 12 ip 10.0.12.1
!
interface Vlan13
description Sales (Active)
ip address 10.0.13.2 255.255.255.0
standby 13 ip 10.0.13.1
standby 13 priority 105
standby 13 preempt
!
interface Vlan100
description Server (Standby)
ip address 10.0.100.2 255.255.255.0
standby 100 ip 10.0.100.1
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65002 65003 65004
network 10.0.1.8 mask 255.255.255.252
network 10.0.1.12 mask 255.255.255.252
network 10.0.11.0 mask 255.255.255.0
network 10.0.12.0 mask 255.255.255.0
network 10.0.13.0 mask 255.255.255.0
network 10.0.100.0 mask 255.255.255.0
neighbor 10.0.1.9 remote-as 65002
neighbor 10.0.1.9 description Router 1
neighbor 10.0.1.9 soft-reconfiguration inbound
neighbor 10.0.1.9 route-map ISP1 out
neighbor 10.0.1.13 remote-as 65003
neighbor 10.0.1.13 description Router 2
neighbor 10.0.1.13 soft-reconfiguration inbound
neighbor 10.0.1.13 route-map ISP2 out
neighbor 10.0.1.26 remote-as 65004
neighbor 10.0.1.26 description WAN Router 1
neighbor 10.0.1.26 soft-reconfiguration inbound
neighbor 10.0.11.3 remote-as 65001
neighbor 10.0.11.3 description Layer-3 Switch 2
neighbor 10.0.11.3 soft-reconfiguration inbound
no auto-summary
!
access-list 20 remark Subnets to use ISP1 as Primary
access-list 20 permit 10.0.11.0 0.0.0.255
access-list 20 permit 10.0.100.0 0.0.0.255
access-list 20 permit 10.1.11.0 0.0.0.255
!
access-list 21 remark Subnets to use ISP2 as Primary
access-list 21 permit 10.0.12.0 0.0.0.255
access-list 21 permit 10.0.13.0 0.0.0.255
access-list 21 permit 10.1.12.0 0.0.0.255
access-list 21 permit 10.1.13.0 0.0.0.255
!
route-map ISP1 permit 10
match ip address 20
set local-preference 105
!
route-map ISP1 permit 20
match ip address 21
set local-preference 100
!
route-map ISP2 permit 10
match ip address 20
set local-preference 100
!
route-map ISP2 permit 20
match ip address 21
set local-preference 105
Layer-3 Switch 2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
vlan 1,11-13,100
!
ip routing
!
interface FastEthernet0/1
description WAN Router 1
no switchport
ip address 10.0.1.29 255.255.255.252
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
description To Layer-2 Switch 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,100
switchport mode trunk
!
interface FastEthernet0/7
description To Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11
switchport mode trunk
!
interface FastEthernet0/8
description To Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-12
switchport mode trunk
!
interface FastEthernet0/9
description To Layer-2 Switch 4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13
switchport mode trunk
!
interface FastEthernet0/10
description To Router 1
no switchport
ip address 10.0.1.18 255.255.255.252
!
interface FastEthernet0/11
description To Router 2
no switchport
ip address 10.0.1.22 255.255.255.252
!
interface FastEthernet0/12
description To Layer-3 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1
switchport mode trunk
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan11
description Network Management (Standby)
ip address 10.0.11.3 255.255.255.0
standby 11 ip 10.0.11.1
!
interface Vlan12
description Administration (Active)
ip address 10.0.12.3 255.255.255.0
standby 12 ip 10.0.12.1
standby 12 priority 105
standby 12 preempt
!
interface Vlan13
description Sales (Standby)
ip address 10.0.13.3 255.255.255.0
standby 13 ip 10.0.13.1
!
interface Vlan100
description Server (Active)
ip address 10.0.100.3 255.255.255.0
standby 100 ip 10.0.100.1
standby 100 priority 105
standby 100 preempt
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65002 65003 65004
network 10.0.1.16 mask 255.255.255.252
network 10.0.1.20 mask 255.255.255.252
network 10.0.11.0 mask 255.255.255.0
network 10.0.12.0 mask 255.255.255.0
network 10.0.13.0 mask 255.255.255.0
network 10.0.100.0 mask 255.255.255.0
neighbor 10.0.1.17 remote-as 65002
neighbor 10.0.1.17 description Router 1
neighbor 10.0.1.17 soft-reconfiguration inbound
neighbor 10.0.1.17 route-map ISP1 out
neighbor 10.0.1.21 remote-as 65003
neighbor 10.0.1.21 description Router 2
neighbor 10.0.1.21 soft-reconfiguration inbound
neighbor 10.0.1.23 route-map ISP2 out
neighbor 10.0.1.30 remote-as 65004
neighbor 10.0.1.30 description WAN Router 1
neighbor 10.0.1.30 soft-reconfiguration inbound
neighbor 10.0.11.2 remote-as 65001
neighbor 10.0.11.2 description Layer-3 Switch 1
neighbor 10.0.11.2 soft-reconfiguration inbound
no auto-summary
!
access-list 20 remark Subnets to use ISP1 as Primary
access-list 20 permit 10.0.11.0 0.0.0.255
access-list 20 permit 10.0.100.0 0.0.0.255
access-list 20 permit 10.1.11.0 0.0.0.255
!
access-list 21 remark Subnets to use ISP2 as Primary
access-list 21 permit 10.0.12.0 0.0.0.255
access-list 21 permit 10.0.13.0 0.0.0.255
access-list 21 permit 10.1.12.0 0.0.0.255
access-list 21 permit 10.1.13.0 0.0.0.255
!
route-map ISP1 permit 10
match ip address 20
set local-preference 105
!
route-map ISP1 permit 20
match ip address 21
set local-preference 100
!
route-map ISP2 permit 10
match ip address 20
set local-preference 100
!
route-map ISP2 permit 20
match ip address 21
set local-preference 105
WAN 1 Router
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
interface FastEthernet0
description Layer-3 Switch 1
ip address 10.0.1.26 255.255.255.252
!
interface FastEthernet1
description Layer-3 Switch 2
ip address 10.0.1.30 255.255.255.252
!
interface Serial0
description WAN Router 2
ip address 10.250.0.1 255.255.255.252
!
router rip
version 2
redistribute bgp 65004 route-map BGP-to-RIP
passive-interface Serial0
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 65004
no synchronization
bgp log-neighbor-changes
bgp confederation identifier 64750
bgp confederation peers 65001 65002 65003
network 10.0.1.24 mask 255.255.255.252
network 10.0.1.28 mask 255.255.255.252
aggregate-address 10.0.0.0 255.255.0.0
neighbor 10.0.1.25 remote as 65001
neighbor 10.0.1.25 description Layer-3 Switch 1
neighbor 10.0.1.25 soft-reconfiguration inbound
neighbor 10.0.1.29 remote-as 65001
neighbor 10.0.1.29 description Layer-3 Switch 2
neighbor 10.0.1.29 soft-reconfiguration inbound
neighbor 10.250.0.2 remote-as 64751
neighbor 10.250.0.2 description Remote Office
neighbor 10.250.0.2 soft-reconfiguration inbound
neighbor 10.250.0.2 prefix-list HQ out
no auto-summary
!
ip prefix-list HQ description Permitted BGP Subnet Announcement
ip prefix-list HQ seq 10 permit 0.0.0.0/0
ip prefix-list HQ seq 20 permit 10.0.0.0/16
!
access-list 10 remark Permitted Subnets to Redistribute
access-list 10 deny 10.0.1.24 0.0.0.7
access-list 10 deny 10.250.0.0 0.0.0.3
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
set tag 64751
WAN 2 Router
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
interface FastEthernet0
description Layer-3 Switch
ip address 10.1.1.26 255.255.255.252
!
interface Serial0
description WAN Router 1
ip address 10.250.0.2 255.255.255.252
!
router rip
version 2
redistribute bgp 64751 route-map BGP-to-RIP
passive-interface Serial0
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 64751
no synchronization
bgp log-neighbor-changes
network 10.1.1.24 mask 255.255.255.252
aggregate-address 10.1.0.0 255.255.0.0
neighbor 10.1.1.25 remote as 64751
neighbor 10.1.1.25 description Internet Router
neighbor 10.1.1.25 soft-reconfiguration inbound
neighbor 10.250.0.1 remote-as 64750
neighbor 10.250.0.1 description HQ
neighbor 10.250.0.1 soft-reconfiguration inbound
neighbor 10.250.0.1 prefix-list Branch out
no auto-summary
!
ip prefix-list Branch description Permitted BGP Subnet Announcement
ip prefix-list Branch seq 10 permit 0.0.0.0/0
ip prefix-list Branch seq 20 permit 10.1.0.0/16
!
access-list 10 remark Permitted Subnets to redistribute
access-list 10 deny 10.250.0.0 0.0.0.3
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
!
Layer-3 Switch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
vlan 1,11-13,100
!
ip routing
!
ip wccp version 2
ip wccp 10
ip wccp 20
!
interface Loopback0
ip address 192.168.67.1 255.255.255.255
!
interface FastEthernet0/1
description WAN Router 2
no switchport
ip address 10.1.1.25 255.255.255.252
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
description Bluecoat ProxySG2 int 0:0
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/6
description To Layer-2 Switch 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,100
switchport mode trunk
!
interface FastEthernet0/7
description To Layer-2 Switch 2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11
switchport mode trunk
!
interface FastEthernet0/8
description To Layer-2 Switch 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11-12
switchport mode trunk
!
interface FastEthernet0/9
description To Layer-2 Switch 4
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,11,13
switchport mode trunk
!
interface FastEthernet0/10
description To Firewall
no switchport
ip address 10.1.1.5 255.255.255.252
ip wccp 10 redirect out
ip wccp 20 redirect out
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface Vlan1
description VLAN database management only
shutdown
!
interface Vlan2
description Bluecoat ProxySG 2 int 0:0
ip address 10.1.2.1 255.255.255.0
!
interface Vlan11
description Network Management
ip address 10.1.11.1 255.255.255.0
!
interface Vlan12
description Administration
ip address 10.1.12.1 255.255.255.0
!
interface Vlan13
description Sales
ip address 10.1.13.1 255.255.255.0
!
interface Vlan100
description Server
ip address 10.1.100.1 255.255.255.0
!
router rip
version 2
redistribute bgp 64751 route-map BGP-to-RIP
passive-interface FastEthernet0/10
network 10.0.0.0
default-information originate
no auto-summary
!
router bgp 64751
no synchronization
bgp log-neighbor-changes
network 10.1.1.4 mask 255.255.255.252
network 10.1.11.0 mask 255.255.255.0
network 10.1.12.0 mask 255.255.255.0
network 10.1.13.0 mask 255.255.255.0
network 10.1.100.0 mask 255.255.255.0
neighbor 10.1.0.1 remote-as 64752
neighbor 10.1.0.1 description Internet Router
neighbor 10.1.0.1 ebgp-multihop 3
neighbor 10.1.0.1 soft-reconfiguration inbound
neighbor 10.1.1.26 remote-as 64751
neighbor 10.1.1.26 description WAN Router 2
neighbor 10.1.1.26 soft-reconfiguration inbound
no auto-summary
!
ip route 10.1.0.1 255.255.255.255 10.1.1.6
!
access-list 10 remark Permitted Subnets to redistribute
access-list 10 deny 10.0.1.16 0.0.0.7
access-list 10 deny 10.0.11.0 0.0.0.255
access-list 10 deny 10.0.12.0 0.0.0.255
access-list 10 deny 10.0.13.0 0.0.0.255
access-list 10 deny 10.0.100.0 0.0.0.255
access-list 10 permit any
!
route-map BGP-to-RIP permit 10
match ip address 10
set metric 1
Blue Coat ProxySG2 configuration
1. Interface
interface 0:0
IP Address : 10.1.2.6
Subnet Mask : 255.255.255.0
Default Gateway: 10.1.2.1
2. WCCP
wccp enable
wccp version 2
service-group 20
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 80 80 80 80 80 80 80
interface 0:0
interface 1:0
home-router 192.168.67.1
forwarding-type GRE
end
service-group 10
assignment-type mask
mask-scheme destination-ip
priority 1
protocol 6
ports 80 21 443 554 5004 5005 1755 8554
interface 0:0
interface 1:0
home-router 192.168.67.1
forwarding-type GRE
end
3. Static Routes for Home Router IP Address Reachability
192.168.67.1 255.255.255.255 10.1.2.1
Firewall
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
object-group icmp-type ICMP-INBOUND
icmp-object 0
icmp-object 3
icmp-object 11
access-list outside remark Permitted Inbound Traffic
access-list outside permit icmp any any object-group ICMP-INBOUND
ip address outside 10.1.0.2 255.255.255.252
ip address inside 10.1.1.6 255.255.255.252
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.1.0.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.5 1
route inside 172.16.0.0 255.240.0.0 10.1.1.5 1
route inside 192.168.0.0 255.255.0.0 10.1.1.5 1
Internet Router:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
interface FastEthernet0
description Internet
ip address dhcp
ip nat outside
no cdp enable
!
interface FastEthernet1
description Firewall
ip address 10.1.0.1 255.255.255.252
ip nat inside
!
router bgp 64752
no synchronization
bgp log-neighbor-changes
network 0.0.0.0
network 10.1.0.0 mask 255.255.255.252
neighbor 10.1.1.5 remote-as 64751
neighbor 10.1.1.5 description Layer-3 Switch
neighbor 10.1.1.5 ebgp-multihop 3
neighbor 10.1.1.5 prefix-list NON-IN in
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 dhcp
ip route 10.0.0.0 255.0.0.0 10.1.0.2
ip route 172.16.0.0 255.240.0.0 10.1.0.2
ip route 192.168.0.0 255.255.0.0 10.1.0.2
!
ip nat inside source list 1 interface FastEthernet0 overload
!
ip prefix-list NON-IN description Internal Subnets are never visible
ip prefix-list NON-IN seq 10 deny 0.0.0.0/0 le 32
access-list 1 remark Permitted Subnets to go out to the Internet
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.0.0 0.15.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
Some discussions
DHCP Question
Design concept!
Expand got feedback?
by aryoba See Profile
last modified: 2010-07-27 12:59:15