Device Configurations
This appendix includes the following device configurations:
• Branch Configurations
  – Large Store Router #1
  – Large Store Router #2
  – Medium Store Router #1
  – Medium Store Router #2
  – Small Store Router #1
  – Data Center WAN Router #1
  – Data Center WAN Router #2
  – Large Store Switch #1
  – Large Store Switch #2
  – Large Store Switch #3
  – Large Store Switch #4
  – Medium Store Branch Switch #1
  – Medium Store Switch #2
  – Large Store Wireless Controller
  – Medium Store Wireless Controller
  – Small Store Wireless Controller in the Data Center
  – Large Store Access Point
  – Medium Store Access Point
  – Small Store Access Point
• Internet Edge Configurations
  – Cisco Firewall Service Module
  – Cisco Catalyst 3750
  – Cisco Catalyst 6500
  – Cisco 7200 Edge Router
  – Cisco Application Control Engine
• Data Center Configurations
  – Cisco Catalyst 3750
  – Cisco Catalyst 6500
  – Cisco 7206 VXR Router
  – Cisco Adaptive Security Appliance
Branch Configurations
Large Store Router #1
------------------ show version ------------------
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 17-Jun-06 00:59 by prod_rel_team
ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)
RLRG-1 uptime is 11 weeks, 4 days, 3 hours, 7 minutes
System returned to ROM by reload at 18:34:08 UTC Mon Sep 25 2006
System restarted at 11:32:41 PSTDST Mon Sep 25 2006
System image file is "flash:c3845-advipservicesk9-mz.124-9.T.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 3845 (revision 1.0) with 484352K/39936K bytes of memory.
Processor board ID FTX1027A34V
2 Gigabit Ethernet interfaces
2 Channelized T1/PRI ports
1 Virtual Private Network (VPN) Module
1 cisco service engine(s)
DRAM configuration is 64 bits wide with parity enabled.
250880K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
------------------ show running-config ------------------
Building configuration...
Current configuration : 28349 bytes
! Last configuration change at 15:59:42 PST Wed Dec 13 2006 by csm-user
! NVRAM config last updated at 14:27:43 PST Wed Dec 13 2006 by csm-user
service tcp-keepalives-in
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service password-recovery
boot system flash flash:c3845-advipservicesk9-mz.124-9.T.bin
logging buffered 8000000 informational
enable secret 5 <removed>
aaa authentication login RETAIL group tacacs+ local
aaa authentication login RLOCAL group tacacs+ local
aaa authentication enable default enable group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
clock summer-time PSTDST recurring
no network-clock-participate wic 0
ip domain name RETAILPCILAB.LOCAL
ip name-server 192.168.42.130
ip inspect name CSM_INSPECT_1 http alert on audit-trail on
ip inspect name CSM_INSPECT_1 dns alert on audit-trail on
ip inspect name CSM_INSPECT_1 radius alert on audit-trail on
ip inspect name CSM_INSPECT_1 tacacs alert on audit-trail on
ip inspect name CSM_INSPECT_1 ssh alert on audit-trail on
ip inspect name CSM_INSPECT_1 ftp alert on audit-trail on
ip inspect name CSM_INSPECT_1 ldap alert on audit-trail on
ip inspect name CSM_INSPECT_1 snmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 icmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 tcp alert on audit-trail on
ip inspect name CSM_INSPECT_1 udp alert on audit-trail on
ip ips sdf location https://192.168.42.133:443/ids-config/servlet/com.cisco.nm.mdc.ids.config.iosids.servlet.SDFServlet/11/sdf-complete.xml
crypto pki trustpoint TP-self-signed-2307965259
subject-name cn=IOS-Self-Signed-Certificate-2307965259
rsakeypair TP-self-signed-2307965259
crypto pki trustpoint IDSMDC_CSMANAGER
enrollment url tftp://192.168.42.133/IDSMDC_CSMANAGER
crypto pki certificate chain TP-self-signed-2307965259
certificate self-signed 01
30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32333037 39363532 3539301E 170D3036 31313130 30373135
34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33303739
36353235 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BCB5 6BEB2673 67F46DA8 ED399769 EF47B127 FD808294 8FD1F3D2 73A132DB
EBE20F9D 0EC13D52 DEB3657F 9255F969 7A5E229D 49D7BE9D 67A447BB 599EDB82
D202C8C9 06B31EB7 FEEF2AEF 8095B86D 4A38FD68 FE36A56A 66DE4756 50F0A149
A06831E9 9E329BD1 E0D9EA9A BB6E5332 CADFF616 ADE5C78B 0735F192 BE6EDAF3
6BBB0203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
551D1104 1D301B82 19524C52 472D312E 52455441 494C5043 494C4142 2E4C4F43
414C301F 0603551D 23041830 1680144F B86FC337 C9776698 F9C3EE8A 6DCD7C35
8B5A0C30 1D060355 1D0E0416 04144FB8 6FC337C9 776698F9 C3EE8A6D CD7C358B
5A0C300D 06092A86 4886F70D 01010405 00038181 0073BA65 64037FBF A0CAD768
1D8E8C04 B3D8BC68 0BFE30FB 4B6ABD53 D5346C81 C390440E 39C4B97D AADE602A
3150129E 02D50291 2BEB81C8 1075AA6A A47EAA32 CC52CD2B 6840A548 7CB33DE8
4BCDF73D F3C292AB 985A8376 C28F8085 764C6C82 315E1E9C 7DC98E70 DA35BB87
4BA630ED 66C86BF5 F1743F28 F27F23C0 18C230E5 47
crypto pki certificate chain IDSMDC_CSMANAGER
certificate ca 00CE88ED0F069AE8F5
30820209 30820172 020900CE 88ED0F06 9AE8F530 0D06092A 864886F7 0D010104
05003049 31123010 06035504 0B13096D 6963726F 736F6674 31123010 06035504
03130943 534D616E 61676572 311F301D 06092A86 4886F70D 01090116 1061646D
696E4064 6F6D6169 6E2E636F 6D301E17 0D303630 39323330 31303235 345A170D
31313039 32333031 30323534 5A304931 12301006 0355040B 13096D69 63726F73
6F667431 12301006 03550403 13094353 4D616E61 67657231 1F301D06 092A8648
86F70D01 09011610 61646D69 6E40646F 6D61696E 2E636F6D 30819F30 0D06092A
864886F7 0D010101 05000381 8D003081 89028181 00BE596C 97AD25EC 35D71F77
598DDDDB B8D30AAF 67B268D5 334EAB58 F7418364 664B920A E0011931 4EDF28D1
285B7C45 934EE887 00036A4A C0280132 88C48718 EF48F77E C9EBB27B 6FA11534
03B3B9CB 3DCEFCDC A1339BA4 22C8BFAD 47F50E51 AC04CD7A 03E81331 96BF4ACA
9A1CC2AD 3452AAEB FF84503C A571FB93 EC509A03 8B020301 0001300D 06092A86
4886F70D 01010405 00038181 003A2C37 FC8B0EF1 54E0B963 4D94C234 5EF94288
F6B0B46D 4EFECB7A D15991DE 05FE484E C9DB2AB8 A919DD2F 103545C4 EF7D9269
27975BAD 02CBDDA7 6492EC76 56845082 220A73D7 F9F60FA0 8E9EDDE8 5147E5EB
FB5A00E0 25872141 AA35FAC6 BEF300D9 97343B16 0600B102 F5D555F9 B8AA4D90
26E026CB 6F46B573 700207C8 71
username cisco privilege 15 secret 5 <removed>
channel-group 0 timeslots 1-24
ip access-group CSM_FW_ACL_Group-Async0 in
ip address 10.10.62.1 255.255.255.255
ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
interface GigabitEthernet0/0
description ROUTER LINK TO SLRG-1
ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
ip verify unicast source reachable-via rx
interface GigabitEthernet0/0.11
ip address 10.10.48.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.11 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.12
ip address 10.10.49.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.12 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.13
ip address 10.10.50.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.13 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.14
ip address 10.10.51.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.14 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.15
ip address 10.10.52.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.15 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.16
ip address 10.10.53.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.16 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.17
description WIRELESS GUEST
ip address 10.10.54.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.17 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.18
ip address 10.10.55.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.18 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.102
description ROUTER LINK TO RLRG-2 VIA SLRG-2
ip address 10.10.62.29 255.255.255.252
ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.1000
ip address 10.10.63.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.1000 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
standby 100 ip 10.10.63.1
interface Service-Engine0/1
ip access-group CSM_FW_ACL_Group-Async0 in
ip verify unicast source reachable-via rx
interface GigabitEthernet0/1
description ROUTER LINK TO SLRG-2
ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
ip verify unicast source reachable-via rx
interface GigabitEthernet0/1.101
description ROUTER LINK TO RLRG-2 VIA SLRG-2
ip address 10.10.62.25 255.255.255.252
ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
description RLRG-1 to RSP-1
ip access-group CSM_FW_ACL_Group-Async0 in
ip verify unicast source reachable-via rx
encapsulation frame-relay IETF
interface Serial0/0/0:0.1 point-to-point
ip address 10.10.62.17 255.255.255.252
ip access-group CSM_FW_ACL_Serial0/0/0:0.1 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
frame-relay interface-dlci 103
ip access-group CSM_FW_ACL_Group-Async0 in
ip verify unicast source reachable-via rx
passive-interface default
no passive-interface GigabitEthernet0/0.102
no passive-interface GigabitEthernet0/1.101
no passive-interface Serial0/0/0:0.1
network 10.10.48.0 0.0.15.255 area 3
ip http authentication aaa login-authentication RETAIL
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Loopback0
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.1 log
permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.1000
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.1 log
permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- Send logs to their mgmt utilities through the mgmt VLAN ----
permit tcp any host 192.168.42.134 eq 69 log
permit udp any host 192.168.42.134 eq tftp snmp snmptrap syslog log
remark ---- Ciscoworks so Managed Devices ----
permit tcp host 192.168.42.134 any eq 22 telnet www 443 log
permit udp host 192.168.42.134 any eq snmp snmptrap syslog log
remark ---- System messages to MARS ----
permit tcp any host 192.168.42.121 eq 2055 log
permit udp any host 192.168.42.121 eq snmp syslog log
remark ---- Allow network devices to use the ACS server ----
permit tcp any host 192.168.42.131 eq tacacs log
permit udp any host 192.168.42.131 eq 1812 log
remark ---- ping to Datacenter ----
permit icmp any 192.168.42.0 0.0.0.255 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.63.0 0.0.0.255 10.10.63.0 0.0.0.255 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.102
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.1 log
permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
remark ---- Trusted ports for passing traffic in failure scenarios ----
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark Drop anything not explicitly allowed
remark ---- permit ntp ----
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.11
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.1 log
permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
permit tcp any host 192.168.42.140 eq smtp www 443 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.48.0 0.0.0.255 10.10.48.0 0.0.0.255 log
remark ---- Clients to ActiveDirectory Server ----
permit icmp any host 192.168.42.130 log
permit tcp any host 192.168.42.130 range 1024 65535 log
permit tcp any host 192.168.42.130 eq www 88 123 135 139 389 443 445 1028 log
permit udp any host 192.168.42.130 eq domain bootps 88 ntp 135 389 log
remark ---- POS Devices talking to Wincor ----
permit icmp any host 192.168.52.98 log
permit tcp any host 192.168.52.98 eq www 139 443 445 1433 3389 4064 log
permit udp any host 192.168.52.98 eq netbios-ns 445 1433 log
remark ---- POS to MSRMS Server ----
permit tcp any host 192.168.52.99 eq www 443 1433 1434 log
permit udp any host 192.168.52.99 eq 1433 1434 log
remark ---- Clients to CSA Manager ----
permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
remark ---- Required for devices to perform windows updates ----
permit tcp any host 192.168.42.150 eq www 443 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.12
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.1 log
permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
permit tcp any host 192.168.42.140 eq smtp www 443 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.49.0 0.0.0.255 10.10.49.0 0.0.0.255 log
remark ---- Clients to CSA Manager ----
permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
remark ---- Required for devices to perform windows updates ----
permit tcp any host 192.168.42.150 eq www 443 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.13
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.1 log
permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.50.0 0.0.0.255 10.10.50.0 0.0.0.255 log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.14
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.1 log
permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
permit tcp any host 192.168.42.140 eq smtp www 443 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.51.0 0.0.0.255 10.10.51.0 0.0.0.255 log
remark ---- Clients to CSA Manager ----
permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
remark ---- Required for devices to perform windows updates ----
permit tcp any host 192.168.42.150 eq www 443 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.15
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.1 log
permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
permit tcp any host 192.168.42.140 eq smtp www 443 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.52.0 0.0.0.255 10.10.52.0 0.0.0.255 log
remark ---- Clients to ActiveDirectory Server ----
permit icmp any host 192.168.42.130 log
permit tcp any host 192.168.42.130 range 1024 65535 log
permit tcp any host 192.168.42.130 eq www 88 123 135 139 389 443 445 1028 log
permit udp any host 192.168.42.130 eq domain bootps 88 ntp 135 389 log
remark ---- POS Devices talking to Wincor ----
permit icmp any host 192.168.52.98 log
permit tcp any host 192.168.52.98 eq www 139 443 445 1433 3389 4064 log
permit udp any host 192.168.52.98 eq netbios-ns 445 1433 log
remark ---- POS to MSRMS Server ----
permit tcp any host 192.168.52.99 eq www 443 1433 1434 log
permit udp any host 192.168.52.99 eq 1433 1434 log
remark ---- Clients to CSA Manager ----
permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
remark ---- Required for devices to perform windows updates ----
permit tcp any host 192.168.42.150 eq www 443 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.16
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.1 log
permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.53.0 0.0.0.255 10.10.53.0 0.0.0.255 log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.17
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.1 log
permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.54.0 0.0.0.255 10.10.54.0 0.0.0.255 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.18
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.1 log
permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- Send logs to their mgmt utilities through the mgmt VLAN ----
permit tcp any host 192.168.42.134 eq 69 log
permit udp any host 192.168.42.134 eq tftp snmp snmptrap syslog log
remark ---- System messages to MARS ----
permit tcp any host 192.168.42.121 eq 2055 log
permit udp any host 192.168.42.121 eq snmp syslog log
remark ---- Authenticate Wireless users ----
permit udp host 10.10.55.5 host 192.168.42.131 eq 1812 log
permit udp host 10.10.55.6 host 192.168.42.131 eq 1812 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.55.0 0.0.0.255 10.10.55.0 0.0.0.255 log
remark ---- Ping Gateway ----
remark ---- Allow controllers to talk to AP's ----
permit udp 10.10.55.0 0.0.0.255 eq 12222 12223 10.10.55.0 0.0.0.255 log
remark ---- Allow Wireless APs to talk to Controllers -----
permit udp 10.10.55.0 0.0.0.255 10.10.55.0 0.0.0.255 eq 12222 12223 log
remark ---- Controllers to WCS Server ----
permit icmp host 10.10.55.5 host 192.168.42.135 log
permit tcp host 10.10.55.5 host 192.168.42.135 eq 69 log
permit udp host 10.10.55.5 host 192.168.42.135 eq tftp snmp snmptrap log
permit icmp host 10.10.55.6 host 192.168.42.135 log
permit tcp host 10.10.55.6 host 192.168.42.135 eq 69 log
permit udp host 10.10.55.6 host 192.168.42.135 eq tftp snmp snmptrap log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_Group-Async0
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.1 log
permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_Serial0/0/0:0.1
remark ---- All ACLs for DC to Remote will be handled at the Data Center *before* it gets put into the WAN
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.1 log
permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
remark Drop anything not explicitly allowed
logging source-interface Loopback0
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.42.0 0.0.0.255
access-list 23 deny any log
access-list 88 permit 192.168.42.0 0.0.0.255
access-list 88 deny any log
snmp-server group causer v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server group casuser v3 auth access 88
snmp-server community <removed> RO 88
snmp-server community <removed> RW 88
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server host 192.168.42.134 version 3 priv <removed>
snmp-server host 192.168.42.134 <removed>
tacacs-server host 192.168.42.131
tacacs-server domain-stripping
tacacs-server key 7 <removed>
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CISCO INC.****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CISCO INC.****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
session-timeout 15 output
login authentication RLOCAL
session-timeout 15 output
session-timeout 15 output
transport output pad telnet rlogin lapb-ta mop udptn v120
session-timeout 15 output
login authentication RETAIL
session-timeout 15 output
login authentication RETAIL
scheduler allocate 20000 1000
ntp clock-period 17179470
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
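The CSM_FW_ACL_* lists above all follow one pattern: a few management-plane permits (the CSM server to the router's 10.10.62.1 address, NTP, DHCP), the service permits for that VLAN, and a closing remark stating that everything else is dropped. Two things are worth checking mechanically across such a config. First, that closing line is only a remark; the packets are actually dropped by the implicit deny at the end of every IOS ACL, which generates no log message, so an explicit `deny ip any any log` entry is required if dropped traffic is to reach syslog or MARS. Second, some permits are far wider than their remark suggests, for example `permit tcp any host 192.168.42.130 range 1024 65535 log` under "Clients to ActiveDirectory Server" in the client VLAN lists. The Python script below is an added example and is not part of the Cisco guide: it parses the extended-ACL syntax used on this page (a trimmed, constructed copy of two of the lists is embedded as sample input) and reports both conditions. The 1000-port threshold for "broad" is an assumption chosen for illustration.

```python
"""Audit IOS extended ACLs in the CSM_FW_ACL_* style shown above (added example, not Cisco's code)."""
import re
from collections import namedtuple

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}
STOP = {"any", "host", "log", "log-input"}  # tokens that end a port list
BROAD_PORTS = 1000  # assumption: a permit spanning this many ports deserves review

# Constructed sample: trimmed copies of two ACLs from the Large Store Router #1 config.
SAMPLE_CONFIG = """\
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.11
 remark Allow CSM-Server to access device through the Serial (external) Interface
 permit icmp host 192.168.42.133 host 10.10.62.1 log
 permit tcp host 192.168.42.133 host 10.10.62.1 eq 22 443 log
 remark ---- Clients to ActiveDirectory Server ----
 permit tcp any host 192.168.42.130 range 1024 65535 log
 permit tcp any host 192.168.42.130 eq www 88 123 135 139 389 443 445 1028 log
 remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.18
 remark ---- Allow controllers to talk to AP's ----
 permit udp 10.10.55.0 0.0.0.255 eq 12222 12223 10.10.55.0 0.0.0.255 log
 permit udp 10.10.55.0 0.0.0.255 10.10.55.0 0.0.0.255 eq 12222 12223 log
 remark Drop anything not explicitly allowed
"""

Ace = namedtuple("Ace", "action proto src src_ports dst dst_ports log text")

def _take_addr(tokens, i):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D WILDCARD) at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return "any", i + 1
    if t == "host":
        return tokens[i + 1] + "/32", i + 2
    if IPV4.match(t) and i + 1 < len(tokens) and IPV4.match(tokens[i + 1]):
        return t + " " + tokens[i + 1], i + 2
    raise ValueError("unrecognised address at: " + " ".join(tokens[i:]))

def _take_ports(tokens, i):
    """Consume an optional port qualifier; returns ([(op, [ports])], next index)."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return [], i
    op, i = tokens[i], i + 1
    if op == "range":
        return [(op, tokens[i:i + 2])], i + 2
    end = i  # eq/neq/gt/lt take port names or numbers up to the next address or log keyword
    while end < len(tokens) and tokens[end] not in STOP and not IPV4.match(tokens[end]):
        end += 1
    return [(op, tokens[i:end])], end

def parse_ace(line):
    """Parse one permit/deny entry; a leading sequence number, if present, is dropped."""
    tokens = line.split()
    if tokens[0].isdigit():
        tokens = tokens[1:]
    src, i = _take_addr(tokens, 2)
    src_ports, i = _take_ports(tokens, i)
    dst, i = _take_addr(tokens, i)
    dst_ports, i = _take_ports(tokens, i)
    logged = any(t in ("log", "log-input") for t in tokens[i:])
    return Ace(tokens[0], tokens[1], src, src_ports, dst, dst_ports, logged, " ".join(tokens))

def parse_acls(config_text):
    """Return {acl_name: [Ace, ...]} for every `ip access-list extended` block."""
    acls, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = acls.setdefault(m.group(1), [])
        elif current is not None and re.match(r"(\d+ )?(permit|deny) ", line):
            current.append(parse_ace(line))
        elif not line.startswith("remark"):
            current = None  # any other line ends the ACL block
    return acls

def port_width(qualifiers):
    """Number of destination ports an ACE can match; 65536 when unqualified."""
    if not qualifiers:
        return 65536
    op, ports = qualifiers[0]
    if op == "eq":
        return len(ports)
    if op == "range":
        return int(ports[1]) - int(ports[0]) + 1
    if op == "gt":
        return 65535 - int(ports[0])
    return int(ports[0]) if op == "lt" else 65535  # lt, or neq (every port but one)

def audit(acls):
    """Return (acl_name, finding) pairs: broad any-source permits and missing explicit deny."""
    findings = []
    for name, aces in acls.items():
        for ace in aces:
            if ace.action == "permit" and ace.proto in ("tcp", "udp") and ace.src == "any" \
                    and port_width(ace.dst_ports) >= BROAD_PORTS:
                findings.append((name, "broad port span: " + ace.text))
        if not aces or aces[-1].action != "deny":
            findings.append((name, "no explicit deny; IOS's implicit deny drops without logging"))
    return findings
```

Run `audit(parse_acls(open("running-config.txt").read()))` against a full `show running-config` capture; on the sample above it reports the 64512-port AD rule in the .11 list and the missing explicit deny in both lists. The parser deliberately stops an ACL block at the first line that is neither `permit`, `deny` nor `remark`, which matches how IOS prints the lists in this appendix.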
Large Store Router #2
------------------ show version ------------------
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 17-Jun-06 00:59 by prod_rel_team
ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)
RLRG-2 uptime is 4 weeks, 2 days, 20 hours, 34 minutes
System returned to ROM by error - a Software forced crash, PC 0x60D718F0 at 17:04:41 PST Tue Nov 14 2006
System restarted at 17:12:53 PST Tue Nov 14 2006
System image file is "flash:c3845-advipservicesk9-mz.124-9.T.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 3845 (revision 1.0) with 484352K/39936K bytes of memory.
Processor board ID FTX1027A34T
2 Gigabit Ethernet interfaces
2 Channelized T1/PRI ports
1 Virtual Private Network (VPN) Module
1 cisco service engine(s)
DRAM configuration is 64 bits wide with parity enabled.
250880K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
------------------ show running-config ------------------
Building configuration...
Current configuration : 27883 bytes
! Last configuration change at 16:06:29 PST Wed Dec 13 2006 by csm-user
! NVRAM config last updated at 14:34:40 PST Wed Dec 13 2006 by csm-user
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service password-recovery
boot system flash flash:c3845-advipservicesk9-mz.124-9.T.bin
logging buffered 8000000 informational
enable secret 5 <removed>
aaa authentication login RETAIL group tacacs+ local
aaa authentication login RLOCAL group tacacs+ local
aaa authentication enable default enable group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
clock summer-time PSTDST recurring
no network-clock-participate wic 0
ip domain name RETAILPCILAB.LOCAL
ip name-server 192.168.42.130
ip inspect name CSM_INSPECT_1 http alert on audit-trail on
ip inspect name CSM_INSPECT_1 dns alert on audit-trail on
ip inspect name CSM_INSPECT_1 radius alert on audit-trail on
ip inspect name CSM_INSPECT_1 tacacs alert on audit-trail on
ip inspect name CSM_INSPECT_1 ssh alert on audit-trail on
ip inspect name CSM_INSPECT_1 ftp alert on audit-trail on
ip inspect name CSM_INSPECT_1 ldap alert on audit-trail on
ip inspect name CSM_INSPECT_1 snmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 icmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 tcp alert on audit-trail on
ip inspect name CSM_INSPECT_1 udp alert on audit-trail on
ip ips sdf location https://192.168.42.133:443/ids-config/servlet/com.cisco.nm.mdc.ids.config.iosids.servlet.SDFServlet/12/sdf-complete.xml
crypto pki trustpoint TP-self-signed-2860673641
subject-name cn=IOS-Self-Signed-Certificate-2860673641
rsakeypair TP-self-signed-2860673641
crypto pki trustpoint IDSMDC_CSMANAGER
enrollment url tftp://192.168.42.133/IDSMDC_CSMANAGER
crypto pki certificate chain TP-self-signed-2860673641
certificate self-signed 01
crypto pki certificate chain IDSMDC_CSMANAGER
certificate ca 00CE88ED0F069AE8F5
username cisco privilege 15 secret 5 <removed>
channel-group 0 timeslots 1-24
ip address 10.10.62.2 255.255.255.255
ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0
description ROUTER LINK TO SLRG-1
ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
ip verify unicast source reachable-via rx
interface GigabitEthernet0/0.102
description ROUTER LINK TO RLRG-1 VIA SLRG-1
ip address 10.10.62.30 255.255.255.252
ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
interface Service-Engine0/1
ip access-group CSM_FW_ACL_Serial0/0/0:0 in
ip verify unicast source reachable-via rx
interface GigabitEthernet0/1
description ROUTER LINK TO SLRG-2
ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
ip verify unicast source reachable-via rx
interface GigabitEthernet0/1.11
ip address 10.10.48.3 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/1.11 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/1.12
ip address 10.10.49.3 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/1.12 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/1.13
ip address 10.10.50.3 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/1.13 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/1.14
ip address 10.10.51.3 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/1.14 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/1.15
ip address 10.10.52.3 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/1.15 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/1.16
ip address 10.10.53.3 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/1.16 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/1.17
description WIRELESS GUEST
ip address 10.10.54.3 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/1.17 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/1.18
ip address 10.10.55.3 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/1.18 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/1.101
description ROUTER LINK TO RLRG-1 VIA SLRG-1
ip address 10.10.62.26 255.255.255.252
ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/1.1000
ip address 10.10.63.3 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/1.1000 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
standby 100 ip 10.10.63.1
description RLRG-2 to RSP-2
ip access-group CSM_FW_ACL_Serial0/0/0:0 in
ip verify unicast source reachable-via rx
encapsulation frame-relay IETF
interface Serial0/0/0:0.1 point-to-point
ip address 10.10.62.21 255.255.255.252
ip access-group CSM_FW_ACL_Serial0/0/0:0.1 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
frame-relay interface-dlci 203
passive-interface default
no passive-interface GigabitEthernet0/0.102
no passive-interface GigabitEthernet0/1.101
no passive-interface Serial0/0/0:0.1
network 10.10.48.0 0.0.15.255 area 3
ip http authentication aaa login-authentication RETAIL
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Loopback0
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.2 log
permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.102
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.2 log
permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
remark ---- Trusted ports for passing traffic in failure scenarios ----
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark Drop anything not explicitly allowed
remark ---- permit ntp ----
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.1000
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.2 log
permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- Send logs to their mgmt utilities through the mgmt VLAN ----
permit tcp any host 192.168.42.134 eq 69 log
permit udp any host 192.168.42.134 eq tftp snmp snmptrap syslog log
remark ---- Ciscoworks so Managed Devices ----
permit tcp host 192.168.42.134 any eq 22 telnet www 443 log
permit udp host 192.168.42.134 any eq snmp snmptrap syslog log
remark ---- System messages to MARS ----
permit tcp any host 192.168.42.121 eq 2055 log
permit udp any host 192.168.42.121 eq snmp syslog log
remark ---- Allow network devices to use the ACS server ----
permit tcp any host 192.168.42.131 eq tacacs log
permit udp any host 192.168.42.131 eq 1812 log
remark ---- ping to Datacenter ----
permit icmp any 192.168.42.0 0.0.0.255 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.63.0 0.0.0.255 10.10.63.0 0.0.0.255 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.11
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.2 log
permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
permit tcp any host 192.168.42.140 eq smtp www 443 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.48.0 0.0.0.255 10.10.48.0 0.0.0.255 log
remark ---- Clients to ActiveDirectory Server ----
permit icmp any host 192.168.42.130 log
permit tcp any host 192.168.42.130 range 1024 65535 log
permit tcp any host 192.168.42.130 eq www 88 123 135 139 389 443 445 1028 log
permit udp any host 192.168.42.130 eq domain bootps 88 ntp 135 389 log
remark ---- POS Devices talking to Wincor ----
permit icmp any host 192.168.52.98 log
permit tcp any host 192.168.52.98 eq www 139 443 445 1433 3389 4064 log
permit udp any host 192.168.52.98 eq netbios-ns 445 1433 log
remark ---- POS to MSRMS Server ----
permit tcp any host 192.168.52.99 eq www 443 1433 1434 log
permit udp any host 192.168.52.99 eq 1433 1434 log
remark ---- Clients to CSA Manager ----
permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
remark ---- Required for devices to perform windows updates ----
permit tcp any host 192.168.42.150 eq www 443 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.12
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.2 log
permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
permit tcp any host 192.168.42.140 eq smtp www 443 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.49.0 0.0.0.255 10.10.49.0 0.0.0.255 log
remark ---- Clients to CSA Manager ----
permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
remark ---- Required for devices to perform windows updates ----
permit tcp any host 192.168.42.150 eq www 443 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.13
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.2 log
permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.50.0 0.0.0.255 10.10.50.0 0.0.0.255 log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.14
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.2 log
permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
permit tcp any host 192.168.42.140 eq smtp www 443 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.51.0 0.0.0.255 10.10.51.0 0.0.0.255 log
remark ---- Clients to CSA Manager ----
permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
remark ---- Required for devices to perform windows updates ----
permit tcp any host 192.168.42.150 eq www 443 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.15
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.2 log
permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
permit tcp any host 192.168.42.140 eq smtp www 443 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.52.0 0.0.0.255 10.10.52.0 0.0.0.255 log
remark ---- Clients to ActiveDirectory Server ----
permit icmp any host 192.168.42.130 log
permit tcp any host 192.168.42.130 range 1024 65535 log
permit tcp any host 192.168.42.130 eq www 88 123 135 139 389 443 445 1028 log
permit udp any host 192.168.42.130 eq domain bootps 88 ntp 135 389 log
remark ---- POS Devices talking to Wincor ----
permit icmp any host 192.168.52.98 log
permit tcp any host 192.168.52.98 eq www 139 443 445 1433 3389 4064 log
permit udp any host 192.168.52.98 eq netbios-ns 445 1433 log
remark ---- POS to MSRMS Server ----
permit tcp any host 192.168.52.99 eq www 443 1433 1434 log
permit udp any host 192.168.52.99 eq 1433 1434 log
remark ---- Clients to CSA Manager ----
permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
remark ---- Required for devices to perform windows updates ----
permit tcp any host 192.168.42.150 eq www 443 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.16
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.2 log
permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.53.0 0.0.0.255 10.10.53.0 0.0.0.255 log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.17
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.2 log
permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.54.0 0.0.0.255 10.10.54.0 0.0.0.255 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/1.18
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.2 log
permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- Send logs to their mgmt utilities through the mgmt VLAN ----
permit tcp any host 192.168.42.134 eq 69 log
permit udp any host 192.168.42.134 eq tftp snmp snmptrap syslog log
remark ---- System messages to MARS ----
permit tcp any host 192.168.42.121 eq 2055 log
permit udp any host 192.168.42.121 eq snmp syslog log
remark ---- Authenticate Wireless users ----
permit udp host 10.10.55.5 host 192.168.42.131 eq 1812 log
permit udp host 10.10.55.6 host 192.168.42.131 eq 1812 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.55.0 0.0.0.255 10.10.55.0 0.0.0.255 log
remark ---- Ping Gateway ----
remark ---- Allow controllers to talk to AP's ----
permit udp 10.10.55.0 0.0.0.255 eq 12222 12223 10.10.55.0 0.0.0.255 log
remark ---- Allow Wireless APs to talk to Controllers -----
permit udp 10.10.55.0 0.0.0.255 10.10.55.0 0.0.0.255 eq 12222 12223 log
remark ---- Controllers to WCS Server ----
permit icmp host 10.10.55.5 host 192.168.42.135 log
permit tcp host 10.10.55.5 host 192.168.42.135 eq 69 log
permit udp host 10.10.55.5 host 192.168.42.135 eq tftp snmp snmptrap log
permit icmp host 10.10.55.6 host 192.168.42.135 log
permit tcp host 10.10.55.6 host 192.168.42.135 eq 69 log
permit udp host 10.10.55.6 host 192.168.42.135 eq tftp snmp snmptrap log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_Serial0/0/0:0
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.2 log
permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_Serial0/0/0:0.1
remark ---- All ACLs for DC to Remote will be handled at the Data Center *before* it gets put into the WAN
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.62.2 log
permit tcp host 192.168.42.133 host 10.10.62.2 eq 22 443 log
remark Drop anything not explicitly allowed
logging source-interface Loopback0
access-list 88 permit 192.168.42.0 0.0.0.255
access-list 88 deny any log
snmp-server group causer v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F
snmp-server group casuser v3 auth access 88
snmp-server community <removed> RO 88
snmp-server community <removed> RW 88
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server host 192.168.42.134 version 3 priv <removed>
snmp-server host 192.168.42.134 <removed>
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CISCO INC.****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CISCO INC.****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, CIVIL AND CRIMINAL LAWS.
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
session-timeout 15 output
login authentication RLOCAL
session-timeout 15 output
session-timeout 15 output
transport output pad telnet rlogin lapb-ta mop udptn v120
session-timeout 15 output
login authentication RETAIL
session-timeout 15 output
login authentication RETAIL
scheduler allocate 20000 1000
ntp clock-period 17179777
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
Medium Store Router #1
------------------ show version ------------------
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 17-Jun-06 00:59 by prod_rel_team
ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)
RMED-1 uptime is 1 week, 3 days, 21 hours, 17 minutes
System returned to ROM by reload at 16:25:12 PST Mon Dec 4 2006
System restarted at 16:25:54 PST Mon Dec 4 2006
System image file is "flash:c3845-advipservicesk9-mz.124-9.T.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 3845 (revision 1.0) with 485376K/38912K bytes of memory.
Processor board ID FTX1027A08Q
2 Gigabit Ethernet interfaces
2 Channelized T1/PRI ports
1 Virtual Private Network (VPN) Module
1 cisco content engine(s)
1 cisco Wireless LAN Controller(s)
DRAM configuration is 64 bits wide with parity enabled.
125440K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
------------------ show running-config ------------------
Building configuration...
Current configuration : 29725 bytes
! Last configuration change at 16:06:34 PST Wed Dec 13 2006 by csm-user
! NVRAM config last updated at 14:34:35 PST Wed Dec 13 2006 by csm-user
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service password-recovery
boot system flash flash:c3845-advipservicesk9-mz.124-9.T.bin
logging buffered 8000000 informational
enable secret 5 <removed>
aaa authentication login RETAIL group tacacs+ local
aaa authentication login RLOCAL group tacacs+ local
aaa authentication enable default enable group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
clock summer-time PSTDST recurring
no network-clock-participate wic 0
ip domain name RETAILPCILAB.LOCAL
ip name-server 192.168.42.130
ip inspect name CSM_INSPECT_1 http alert on audit-trail on
ip inspect name CSM_INSPECT_1 dns alert on audit-trail on
ip inspect name CSM_INSPECT_1 radius alert on audit-trail on
ip inspect name CSM_INSPECT_1 tacacs alert on audit-trail on
ip inspect name CSM_INSPECT_1 ssh alert on audit-trail on
ip inspect name CSM_INSPECT_1 ftp alert on audit-trail on
ip inspect name CSM_INSPECT_1 ldap alert on audit-trail on
ip inspect name CSM_INSPECT_1 snmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 icmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 tcp alert on audit-trail on
ip inspect name CSM_INSPECT_1 udp alert on audit-trail on
ip ips sdf location https://192.168.42.133:443/ids-config/servlet/com.cisco.nm.mdc.ids.config.iosids.servlet.SDFServlet/7/sdf-complete.xml
ip ips name MediumStore list 23
crypto pki trustpoint TP-self-signed-3152768543
subject-name cn=IOS-Self-Signed-Certificate-3152768543
rsakeypair TP-self-signed-3152768543
crypto pki trustpoint IDSMDC_CSMANAGER
enrollment url tftp://192.168.42.133/IDSMDC_CSMANAGER
crypto pki certificate chain TP-self-signed-3152768543
certificate self-signed 01
crypto pki certificate chain IDSMDC_CSMANAGER
certificate ca 00CE88ED0F069AE8F5
username cisco privilege 15 secret 5 <removed>
channel-group 0 timeslots 1-24
channel-group 0 timeslots 1-24
ip access-group CSM_FW_ACL_Content-Engine3/0 in
ip address 10.10.46.1 255.255.255.255
ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0
ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
ip verify unicast source reachable-via rx
interface GigabitEthernet0/0.11
ip address 10.10.32.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.11 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.12
ip address 10.10.33.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.12 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.13
ip address 10.10.34.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.13 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.14
ip address 10.10.35.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.14 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.15
ip address 10.10.36.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.15 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.16
ip address 10.10.37.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.16 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.17
description WIRELESS GUEST
ip address 10.10.38.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.17 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.18
ip address 10.10.39.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.18 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.102
description ROUTER LINK TO RMED2 VIA SMED2
ip address 10.10.46.29 255.255.255.252
ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0.1000
ip address 10.10.47.2 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.1000 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
standby 100 ip 10.10.47.1
interface GigabitEthernet0/1
description ROUTER LINK TO SMED-2
ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
ip verify unicast source reachable-via rx
interface GigabitEthernet0/1.101
description ROUTER LINK TO RMED-2
ip address 10.10.46.25 255.255.255.252
ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
description RMED-1 to RSP-1
ip access-group CSM_FW_ACL_Content-Engine3/0 in
ip verify unicast source reachable-via rx
encapsulation frame-relay IETF
interface Serial0/0/0:0.1 point-to-point
description CONNECTION TO RWAN-1
ip address 10.10.46.17 255.255.255.252
ip access-group CSM_FW_ACL_Serial0/0/0:0.1 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
frame-relay interface-dlci 102
ip access-group CSM_FW_ACL_Content-Engine3/0 in
ip verify unicast source reachable-via rx
encapsulation frame-relay IETF
interface wlan-controller1/0
ip address 10.10.46.33 255.255.255.248
ip access-group CSM_FW_ACL_wlan-controller1/0 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
interface wlan-controller1/0.14
ip address 10.10.35.1 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.14 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
interface wlan-controller1/0.15
ip address 10.10.36.1 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.15 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
interface wlan-controller1/0.17
ip address 10.10.38.1 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/0.17 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
interface Content-Engine3/0
ip access-group CSM_FW_ACL_Content-Engine3/0 in
ip verify unicast source reachable-via rx
ip access-group CSM_FW_ACL_Content-Engine3/0 in
ip verify unicast source reachable-via rx
passive-interface default
no passive-interface GigabitEthernet0/0.102
no passive-interface GigabitEthernet0/1.101
no passive-interface Serial0/0/0:0.1
network 10.10.32.0 0.0.15.255 area 2
ip http authentication aaa login-authentication RETAIL
ip http timeout-policy idle 60 life 86400 requests 10000
ip tacacs source-interface Loopback0
ip access-list extended CSM_FW_ACL_Content-Engine3/0
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.1000
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- Send logs to their mgmt utilities through the mgmt VLAN ----
permit tcp any host 192.168.42.134 eq 69 log
permit udp any host 192.168.42.134 eq tftp snmp snmptrap syslog log
remark ---- Ciscoworks so Managed Devices ----
permit tcp host 192.168.42.134 any eq 22 telnet www 443 log
permit udp host 192.168.42.134 any eq snmp snmptrap syslog log
remark ---- System messages to MARS ----
permit tcp any host 192.168.42.121 eq 2055 log
permit udp any host 192.168.42.121 eq snmp syslog log
remark ---- Allow network devices to use the ACS server ----
permit tcp any host 192.168.42.131 eq tacacs log
permit udp any host 192.168.42.131 eq 1812 log
remark ---- ping to Datacenter ----
permit icmp any 192.168.42.0 0.0.0.255 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.47.0 0.0.0.255 10.10.47.0 0.0.0.255 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.102
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark ---- Trusted ports for passing traffic in failure scenarios ----
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark Drop anything not explicitly allowed
remark ---- permit ntp ----
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.11
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
permit tcp any host 192.168.42.140 eq smtp www 443 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.32.0 0.0.0.255 10.10.32.0 0.0.0.255 log
remark ---- Clients to ActiveDirectory Server ----
permit icmp any host 192.168.42.130 log
permit tcp any host 192.168.42.130 range 1024 65535 log
permit tcp any host 192.168.42.130 eq www 88 123 135 139 389 443 445 1028 log
permit udp any host 192.168.42.130 eq domain bootps 88 ntp 135 389 log
remark ---- POS Devices talking to Wincor ----
permit icmp any host 192.168.52.98 log
permit tcp any host 192.168.52.98 eq www 139 443 445 1433 3389 4064 log
permit udp any host 192.168.52.98 eq netbios-ns 445 1433 log
remark ---- POS to MSRMS Server ----
permit tcp any host 192.168.52.99 eq www 443 1433 1434 log
permit udp any host 192.168.52.99 eq 1433 1434 log
remark ---- Clients to CSA Manager ----
permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
remark ---- Required for devices to perform windows updates ----
permit tcp any host 192.168.42.150 eq www 443 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.12
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
permit tcp any host 192.168.42.140 eq smtp www 443 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.33.0 0.0.0.255 10.10.33.0 0.0.0.255 log
remark ---- Clients to CSA Manager ----
permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
remark ---- Required for devices to perform windows updates ----
permit tcp any host 192.168.42.150 eq www 443 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.13
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.34.0 0.0.0.255 10.10.34.0 0.0.0.255 log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.14
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
permit tcp any host 192.168.42.140 eq smtp www 443 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.35.0 0.0.0.255 10.10.35.0 0.0.0.255 log
remark ---- Clients to CSA Manager ----
permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
remark ---- Required for devices to perform windows updates ----
permit tcp any host 192.168.42.150 eq www 443 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.15
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
permit tcp any host 192.168.42.140 eq smtp www 443 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.36.0 0.0.0.255 10.10.36.0 0.0.0.255 log
remark ---- Clients to ActiveDirectory Server ----
permit icmp any host 192.168.42.130 log
permit tcp any host 192.168.42.130 range 1024 65535 log
permit tcp any host 192.168.42.130 eq www 88 123 135 139 389 443 445 1028 log
permit udp any host 192.168.42.130 eq domain bootps 88 ntp 135 389 log
remark ---- POS Devices talking to Wincor ----
permit icmp any host 192.168.52.98 log
permit tcp any host 192.168.52.98 eq www 139 443 445 1433 3389 4064 log
permit udp any host 192.168.52.98 eq netbios-ns 445 1433 log
remark ---- POS to MSRMS Server ----
permit tcp any host 192.168.52.99 eq www 443 1433 1434 log
permit udp any host 192.168.52.99 eq 1433 1434 log
remark ---- Clients to CSA Manager ----
permit tcp any host 192.168.42.132 eq www 443 5401 5402 log
remark ---- Required for devices to perform windows updates ----
permit tcp any host 192.168.42.150 eq www 443 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.16
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.37.0 0.0.0.255 10.10.37.0 0.0.0.255 log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.17
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.38.0 0.0.0.255 10.10.38.0 0.0.0.255 log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_GigabitEthernet0/0.18
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- Send logs to their mgmt utilities through the mgmt VLAN ----
permit tcp any host 192.168.42.134 eq 69 log
permit udp any host 192.168.42.134 eq tftp snmp snmptrap syslog log
remark ---- System messages to MARS ----
permit tcp any host 192.168.42.121 eq 2055 log
permit udp any host 192.168.42.121 eq snmp syslog log
remark ---- Authenticate Wireless users ----
permit udp host 10.10.46.34 host 192.168.42.131 eq 1812 log
permit udp host 10.10.46.35 host 192.168.42.131 eq 1812 log
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.39.0 0.0.0.255 10.10.39.0 0.0.0.255 log
remark ---- Allow Wireless APs to talk to Controllers -----
permit icmp 10.10.39.0 0.0.0.255 10.10.46.32 0.0.0.7 log
permit udp 10.10.39.0 0.0.0.255 10.10.46.32 0.0.0.7 eq 12222 12223 log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_Serial0/0/0:0.1
remark ---- All ACLs for DC to Remote will be handled at the Data Center *before* it gets put into the WAN
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark Drop anything not explicitly allowed
ip access-list extended CSM_FW_ACL_wlan-controller1/0
remark Allow CSM-Server to access device through the Serial (external) Interface
permit icmp host 192.168.42.133 host 10.10.46.1 log
permit tcp host 192.168.42.133 host 10.10.46.1 eq 22 443 log
remark ---- permit ntp ----
permit udp any host 192.168.62.161 eq ntp
permit udp any host 192.168.62.162 eq ntp
permit udp any host 192.168.42.130 eq ntp
remark ---- HSRP health information ----
permit udp any host 224.0.0.2 eq 1985 log
remark ---- Ping Gateway ----
permit icmp 10.10.46.32 0.0.0.7 10.10.46.32 0.0.0.7 log
remark ---- Allow controllers to talk to AP's ----
permit icmp 10.10.46.32 0.0.0.7 10.10.39.0 0.0.0.255 log
permit udp 10.10.46.32 0.0.0.7 eq 12222 12223 10.10.39.0 0.0.0.255 log
remark ---- Controllers to WCS Server ----
permit icmp host 10.10.46.34 host 192.168.42.135 log
permit tcp host 10.10.46.34 host 192.168.42.135 eq 69 log
permit udp host 10.10.46.34 host 192.168.42.135 eq tftp snmp snmptrap log
permit icmp host 10.10.46.35 host 192.168.42.135 log
permit tcp host 10.10.46.35 host 192.168.42.135 eq 69 log
permit udp host 10.10.46.35 host 192.168.42.135 eq tftp snmp snmptrap log
remark ---- Allow DHCP to work ----
permit udp any host 255.255.255.255 eq bootps log
permit udp any host 192.168.42.130 eq bootps log
remark Drop anything not explicitly allowed
logging source-interface Loopback0
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.42.0 0.0.0.255
access-list 88 permit 192.168.42.0 0.0.0.255
access-list 88 deny any log
snmp-server group causer v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F
snmp-server group casuser v3 auth access 88
snmp-server community <removed> RO 88
snmp-server community <removed> RW 88
snmp-server trap-source Loopback0
snmp-server packetsize 8192
snmp-server location XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server host 192.168.42.134 version 3 priv <removed>
snmp-server host 192.168.42.134 <removed>
tacacs-server host 192.168.42.131
tacacs-server directed-request
tacacs-server domain-stripping
tacacs-server key 7 <removed>
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CISCO INC.****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
**** THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF CISCO INC.****
**** AUTHORIZED USERS ONLY! ****
ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED TO BE EXPRESS CONSENT
TO MONITORING OF SUCH USE AND TO SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY
TO IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR OR OTHER
REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR SYSTEM USE AT ANY TIME WITHOUT
FURTHER NOTICE OR CONSENT. UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER
CRIMINAL CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO LAW
ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL EXTENT OF THE LAW.
UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,CIVIL AND CRIMINAL LAWS.
THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF AUTHORIZED USERS ONLY!
session-timeout 15 output
login authentication RLOCAL
session-timeout 15 output
session-timeout 15 output
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
session-timeout 15 output
login authentication RETAIL
session-timeout 15 output
login authentication RETAIL
scheduler allocate 20000 1000
ntp clock-period 17179777
ntp server 192.168.62.162
ntp server 192.168.62.161 prefer
Medium Store Router #2
------------------ show version ------------------
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 17-Jun-06 00:59 by prod_rel_team
ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)
RMED-2 uptime is 4 weeks, 1 day, 3 hours, 30 minutes
System returned to ROM by reload at 10:06:01 PST Thu Nov 16 2006
System restarted at 10:14:14 PST Thu Nov 16 2006
System image file is "flash:c3845-advipservicesk9-mz.124-9.T.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 3845 (revision 1.0) with 484352K/39936K bytes of memory.
Processor board ID FTX1027A08S
2 Gigabit Ethernet interfaces
2 Channelized T1/PRI ports
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
125440K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
------------------ show running-config ------------------
Building configuration...
Current configuration : 23490 bytes
! Last configuration change at 16:06:27 PST Wed Dec 13 2006 by csm-user
! NVRAM config last updated at 14:34:32 PST Wed Dec 13 2006 by csm-user
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
no service password-recovery
boot system flash flash:c3845-advipservicesk9-mz.124-9.T.bin
logging buffered 8000000 informational
enable secret 5 <removed>
aaa authentication login RETAIL group tacacs+ local
aaa authentication login RLOCAL group tacacs+ local
aaa authentication enable default enable group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
clock summer-time PSTDST recurring
no network-clock-participate wic 0
ip domain name RETAILPCILAB.LOCAL
ip name-server 192.168.42.130
ip inspect name CSM_INSPECT_1 http alert on audit-trail on
ip inspect name CSM_INSPECT_1 dns alert on audit-trail on
ip inspect name CSM_INSPECT_1 radius alert on audit-trail on
ip inspect name CSM_INSPECT_1 tacacs alert on audit-trail on
ip inspect name CSM_INSPECT_1 ssh alert on audit-trail on
ip inspect name CSM_INSPECT_1 ftp alert on audit-trail on
ip inspect name CSM_INSPECT_1 ldap alert on audit-trail on
ip inspect name CSM_INSPECT_1 snmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 icmp alert on audit-trail on
ip inspect name CSM_INSPECT_1 tcp alert on audit-trail on
ip inspect name CSM_INSPECT_1 udp alert on audit-trail on
ip ips sdf location https://192.168.42.133:443/ids-config/servlet/com.cisco.nm.mdc.ids.config.iosids.servlet.SDFServlet/13/sdf-complete.xml
crypto pki trustpoint TP-self-signed-2566505789
subject-name cn=IOS-Self-Signed-Certificate-2566505789
rsakeypair TP-self-signed-2566505789
crypto pki trustpoint IDSMDC_CSMANAGER
enrollment url tftp://192.168.42.133/IDSMDC_CSMANAGER
crypto pki certificate chain TP-self-signed-2566505789
certificate self-signed 01
30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353636 35303537 3839301E 170D3036 31313130 32303037
32335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35363635
30353738 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D023 AC4B285B EFBA5F1F 4637FFAD F6FFACEF BAD3B4EF 87A0F9D8 28009E96
1B1F42D2 6590D209 0D46EC87 CC734C6D 9B2F0C6F 91D31B7B 7F420DE2 AFBC88B8
358F4767 0B94C561 50A4D940 83F46B37 1E7EF961 93CB7765 EC6CDDD3 4DF63826
C02C2F27 037F7E00 247D8716 7C37A38E B40EFECC DE796ECD E7C8AA1E C0444DE0
70070203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
551D1104 1D301B82 19524D45 442D322E 52455441 494C5043 494C4142 2E4C4F43
414C301F 0603551D 23041830 168014CE 2E180114 EF70DB98 023EA37B 744FC6DE
0FD58930 1D060355 1D0E0416 0414CE2E 180114EF 70DB9802 3EA37B74 4FC6DE0F
D589300D 06092A86 4886F70D 01010405 00038181 00983485 2D1A2DAC 6674792D
72380397 0FBC86BE 52C86B36 6DE04340 86114976 DD274346 326160C1 569004A8
DE49FA7E 1EB18FAD 45528440 07AF1F12 4AD2875D 62252701 3C58623A DADDAA43
33164777 895B5FB1 3F41CB3D 281DBE08 5FB49106 36F35EBF 727FD526 2723CFCC
8BE3F6FB D9458586 9D757ABC 7BDE959E 278F0685 12
crypto pki certificate chain IDSMDC_CSMANAGER
certificate ca 00CE88ED0F069AE8F5
30820209 30820172 020900CE 88ED0F06 9AE8F530 0D06092A 864886F7 0D010104
05003049 31123010 06035504 0B13096D 6963726F 736F6674 31123010 06035504
03130943 534D616E 61676572 311F301D 06092A86 4886F70D 01090116 1061646D
696E4064 6F6D6169 6E2E636F 6D301E17 0D303630 39323330 31303235 345A170D
31313039 32333031 30323534 5A304931 12301006 0355040B 13096D69 63726F73
6F667431 12301006 03550403 13094353 4D616E61 67657231 1F301D06 092A8648
86F70D01 09011610 61646D69 6E40646F 6D61696E 2E636F6D 30819F30 0D06092A
864886F7 0D010101 05000381 8D003081 89028181 00BE596C 97AD25EC 35D71F77
598DDDDB B8D30AAF 67B268D5 334EAB58 F7418364 664B920A E0011931 4EDF28D1
285B7C45 934EE887 00036A4A C0280132 88C48718 EF48F77E C9EBB27B 6FA11534
03B3B9CB 3DCEFCDC A1339BA4 22C8BFAD 47F50E51 AC04CD7A 03E81331 96BF4ACA
9A1CC2AD 3452AAEB FF84503C A571FB93 EC509A03 8B020301 0001300D 06092A86
4886F70D 01010405 00038181 003A2C37 FC8B0EF1 54E0B963 4D94C234 5EF94288
F6B0B46D 4EFECB7A D15991DE 05FE484E C9DB2AB8 A919DD2F 103545C4 EF7D9269
27975BAD 02CBDDA7 6492EC76 56845082 220A73D7 F9F60FA0 8E9EDDE8 5147E5EB
FB5A00E0 25872141 AA35FAC6 BEF300D9 97343B16 0600B102 F5D555F9 B8AA4D90
26E026CB 6F46B573 700207C8 71
username cisco privilege 15 secret 5 <removed>
channel-group 0 timeslots 1-24
ip access-group CSM_FW_ACL_ATM0/1/0 in
ip address 10.10.46.2 255.255.255.255
ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/0
ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
ip verify unicast source reachable-via rx
interface GigabitEthernet0/0.102
description ROUTER LINK TO RMED1 VIA SMED1
ip address 10.10.46.30 255.255.255.252
ip access-group CSM_FW_ACL_GigabitEthernet0/0.102 in
ip verify unicast source reachable-via rx
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/1
ip access-group CSM_FW_ACL_GigabitEthernet0/0 in
ip verify unicast source reachable-via rx
interface GigabitEthernet0/1.11
ip address 10.10.32.3 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/1.11 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/1.12
ip address 10.10.33.3 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/1.12 in
ip verify unicast source reachable-via rx
ip helper-address 192.168.42.130
ip inspect CSM_INSPECT_1 in
interface GigabitEthernet0/1.13
ip address 10.10.34.3 255.255.255.0
ip access-group CSM_FW_ACL_GigabitEthernet0/1.13 in
ip verify unicast source reachable-via rx