!
! Last configuration change at 14:00:00 MNT Wed Nov 7 2018 by yemenite
!
version 15.0
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname lsmr-1623-rte1
!
boot-start-marker
boot-end-marker
!
vrf definition SIPA
 rd 64750:3
 !
 address-family ipv4
 exit-address-family
!
no logging console
no logging monitor
!
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group tacacs+ none
aaa accounting exec default action-type start-stop group tacacs+
!
!
!
!
!
!
aaa session-id common
clock timezone MNT -7
clock summer-time MDT recurring
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name dvn.net
ip wccp check services all
ip wccp 61 redirect-list WCCP_LAN password 7 120E0614020F1A0A6B
ip wccp 62 redirect-list WCCP_WAN password 7 120E0614020F1A0A6B
multilink bundle-name authenticated
!
!
!
!
!
!
!
ip ssh version 1
!
!
!
!
interface Loopback0
 ip address 10.64.79.213 255.255.255.255
!
interface Tunnel111
 description SIPA-DMVPN
 bandwidth 10000
 ip address 172.20.29.16 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip wccp 62 redirect in
 ip flow ingress
 ip flow egress
 ip nat outside
 ip nhrp authentication Dev0n!nt
 ip nhrp map multicast 172.20.2.50
 ip nhrp map 172.20.29.1 172.20.2.50
 ip nhrp network-id 111
 ip nhrp holdtime 600
 ip nhrp nhs 172.20.29.1
 ip nhrp registration no-unique
 ip nhrp shortcut
 ip nhrp redirect
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf SIPA
!
interface GigabitEthernet0/0
 description WAN - Telus SIPA (CID:7802155642 )
 vrf forwarding SIPA
 bandwidth 5000
 ip address 10.79.248.56 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description lsmr-1612-swa1 Fa0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 load-interval 30
 duplex auto
 speed auto
 no snmp trap link-status
!
interface GigabitEthernet0/1.2
 description ## SCADA Vlan
 encapsulation dot1Q 2
 ip address 10.74.12.129 255.255.255.128
 ip wccp 61 redirect in
!
interface GigabitEthernet0/1.3
 description ## Admin Vlan
 encapsulation dot1Q 3
 ip address 10.74.12.1 255.255.255.128
 ip helper-address 10.64.134.69
 ip helper-address 172.20.32.10
 ip wccp 61 redirect in
 ip nat outside
 no ip virtual-reassembly
!
interface GigabitEthernet0/1.4
 description ## BP-Legacy-PI-SCADA
 encapsulation dot1Q 4
 ip address 10.96.2.129 255.255.255.224
 ip access-group catch_all in
 ip nat inside
 no ip virtual-reassembly
!
interface GigabitEthernet0/1.7
 description ## Security Network
 encapsulation dot1Q 7
 ip address 10.74.13.1 255.255.255.128
 ip access-group Security_Access in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
router bgp 64750
 no synchronization
 bgp log-neighbor-changes
 network 10.64.79.213 mask 255.255.255.255
 network 10.74.12.0 mask 255.255.255.128
 network 10.74.12.128 mask 255.255.255.128
 network 10.74.13.0 mask 255.255.255.128
 network 10.74.33.16 mask 255.255.255.252
 neighbor 172.20.29.1 remote-as 64750
 neighbor 172.20.29.1 soft-reconfiguration inbound
 neighbor 172.20.29.1 distribute-list default_only in
 neighbor 172.20.29.1 distribute-list local-routes out
 no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-cache timeout active 1
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 172.16.5.60 2055
ip flow-export destination 172.25.225.11 2055
!
ip nat inside source static 10.96.2.132 10.74.12.110
ip nat inside source static 10.96.2.131 10.74.12.111
ip nat outside source static 10.74.14.110 10.96.2.35
ip nat outside source static 10.74.16.110 10.96.2.67
ip nat outside source static 10.74.16.111 10.96.2.68
ip nat outside source static 10.74.16.112 10.96.2.69
ip nat outside source static 10.74.16.113 10.96.2.70
ip nat outside source static 10.74.16.114 10.96.2.71
ip nat outside source static 10.74.16.115 10.96.2.81
ip route vrf SIPA 0.0.0.0 0.0.0.0 10.79.248.1
ip tacacs source-interface GigabitEthernet0/1.3
!
ip access-list standard default_only
 permit 0.0.0.0
 deny   any
ip access-list standard local-routes
 permit 10.64.79.213
 permit 10.74.12.0 0.0.0.127
 permit 10.74.12.128 0.0.0.127
 permit 10.74.13.0 0.0.0.127
 permit 10.74.33.16 0.0.0.3
!
ip access-list extended AccessControl
 permit ip host 10.52.5.69 any
 permit ip host 10.64.132.69 any
 permit ip 172.16.5.0 0.0.0.255 any
 permit ip 172.20.5.0 0.0.0.255 any
 permit ip 172.24.225.0 0.0.0.255 any
 permit ip 172.25.225.0 0.0.0.255 any
 permit tcp host 63.99.29.18 any eq 22
 permit tcp host 63.99.29.40 any eq 22
 permit tcp host 206.47.24.18 any eq 22
 permit tcp host 206.47.24.169 any eq 22
ip access-list extended DMVPN-SIPA
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit icmp any any echo
 permit icmp any any echo-reply
 deny   ip any any
ip access-list extended Security_Access
 remark Allow local
 remark ******************************************
 permit tcp any 10.74.13.0 0.0.0.127
 permit udp any 10.74.13.0 0.0.0.127
 permit icmp any 10.74.13.0 0.0.0.127
 permit tcp host 10.74.13.50 10.74.12.0 0.0.0.127
 permit udp host 10.74.13.50 10.74.12.0 0.0.0.127
 permit icmp host 10.74.13.50 10.74.12.0 0.0.0.127
 permit tcp host 10.74.13.50 10.75.34.0 0.0.0.255
 permit udp host 10.74.13.50 10.75.34.0 0.0.0.255
 permit icmp host 10.74.13.50 10.75.34.0 0.0.0.255
 permit tcp any host 172.20.192.100 established
 permit tcp any host 172.20.192.104 established
 permit tcp any host 172.20.192.105 established
 permit tcp any host 172.20.192.106 established
 permit tcp any host 172.20.192.107 established
 permit tcp any host 172.20.192.108 established
 permit udp any range 5631 5632 host 172.20.192.100
 permit udp any range 5631 5632 host 172.20.192.104
 permit udp any range 5631 5632 host 172.20.192.105
 permit udp any range 5631 5632 host 172.20.192.106
 permit udp any range 5631 5632 host 172.20.192.107
 permit udp any range 5631 5632 host 172.20.192.108
 remark *******************************************************
 remark Permit echo replys to mgmt networks and to trusted host
 permit icmp any 10.64.91.0 0.0.0.255 echo-reply
 deny   icmp any host 172.16.5.50
 remark ********************************
 remark Deny access to all Internal networks
 deny   udp 10.74.13.0 0.0.0.127 range netbios-ns netbios-dgm 10.0.0.0 0.255.255.255
 deny   ip 10.74.13.0 0.0.0.127 10.0.0.0 0.255.255.255 log
 deny   ip 10.74.13.0 0.0.0.127 172.16.0.0 0.15.255.255 log
 deny   ip 10.74.13.0 0.0.0.127 192.168.0.0 0.0.255.255 log
 deny   ip any any log
ip access-list extended WCCP_LAN
 permit tcp any any
ip access-list extended WCCP_WAN
 permit tcp any any
ip access-list extended catch_all
 deny   ip any host 172.18.2.57
 deny   ip any host 172.18.32.27
 deny   ip any host 172.18.96.15
 deny   ip any 149.190.0.0 0.0.255.255
 permit ip 10.70.23.0 0.0.0.255 10.96.2.128 0.0.0.31 log
 permit ip any 10.96.2.32 0.0.0.31
 permit ip any 10.96.2.64 0.0.0.31
 permit udp any host 10.74.12.50 eq snmp
 permit udp any eq isakmp any log
 deny   udp any host 10.96.2.159 eq netbios-ns
 deny   udp any host 10.96.2.159 eq netbios-dgm
 deny   icmp any host 172.16.5.50
 permit icmp any 10.64.91.0 0.0.0.255 echo-reply
 permit ip host 10.96.2.131 any log
 permit ip any host 10.96.2.131 log
 permit ip host 10.96.2.132 any log
 permit ip any host 10.96.2.132 log
 deny   tcp any any log
 deny   udp any any log
!
logging trap debugging
logging facility local5
logging 172.25.20.61
access-list 5 permit 10.64.79.213
access-list 5 permit 10.74.0.0 0.0.255.255
access-list 96 permit 172.18.2.37
access-list 96 permit 172.18.18.21
access-list 97 permit 10.66.37.101
access-list 97 permit 10.52.12.12
access-list 97 permit 172.16.32.30
access-list 97 permit 172.16.32.31
access-list 97 permit 172.20.32.30
access-list 97 permit 172.20.32.31
access-list 97 permit 172.16.12.104
access-list 97 permit 172.16.32.116
access-list 97 permit 10.64.146.32
access-list 97 permit 172.16.5.0 0.0.0.255
access-list 97 permit 172.20.5.0 0.0.0.255
access-list 97 permit 172.24.225.0 0.0.0.255
access-list 97 permit 172.25.225.0 0.0.0.255
access-list 98 permit 172.25.36.129
access-list 98 permit 172.25.17.190
access-list 98 permit 172.22.136.17
access-list 98 permit 172.18.200.80
access-list 98 permit 172.18.136.27
access-list 98 permit 172.18.2.121
access-list 98 permit 172.18.66.57
access-list 98 permit 172.18.2.122
access-list 98 permit 172.25.40.78
!
route-map PREPEND3 permit 30
 set as-path prepend 64750 64750
!
!
snmp-server group HPpriv v3 priv read HPmib-exclude access 98
snmp-server group DevonPriv v3 priv access 97
snmp-server group DevonCutDown v3 priv read mib-exclude access 97
snmp-server view mib-exclude iso included
snmp-server view HPmib-exclude iso included
snmp-server view HPmib-exclude at excluded
snmp-server view HPmib-exclude internet.6.3.15 excluded
snmp-server view HPmib-exclude internet.6.3.16 excluded
snmp-server view HPmib-exclude internet.6.3.18 excluded
snmp-server view HPmib-exclude ip.21 excluded
snmp-server view HPmib-exclude ip.22 excluded
snmp-server ifindex persist
snmp-server trap-source GigabitEthernet0/1.3
snmp-server location Leismer, AB
snmp-server contact ENS,58
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps eigrp
snmp-server enable traps tty
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps adslline
snmp-server enable traps adsl2line
snmp-server enable traps vdsl2line
snmp-server enable traps c3g
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps bgp
snmp-server enable traps isis
snmp-server enable traps rf
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server host 172.16.5.50 version 3 priv SNMPninja
snmp-server host 172.16.5.60 version 3 priv SNMPninja
snmp-server host 172.20.5.60 version 3 priv SNMPninja
tacacs-server host 10.64.132.23
tacacs-server host 172.20.5.22
tacacs-server timeout 6
tacacs-server directed-request
!
control-plane
!
banner exec ^C
***********************SYSTEM DESCRIPTION***************************
*                                                                  *
* NAME: lsmr-1623-rte1                                             *
* LOCATION: Leismer B Plant Field Office                           *
* CORPORATION: Devon Canada Corporation                            *
* SITE CONTACT: Enterprise Network Services                        *
* MODEL: CISCO1921/K9                                              *
* ASSET #:                                                         *
********************************************************************
^C
banner motd ^C
*****************************SECURITY NOTICE************************
*
* ACCESS TO THIS SYSTEM IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY
* USAGE OF THIS SYSTEM MAY BE LOGGED AND/OR MONITORED WITHOUT NOTICE.
* DISCONNECT IMMEDIATELY IF YOU ARE NOT AN AUTHORIZED USER!
*
********************************************************************
^C
!
line con 0
 exec-timeout 15 0
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
line vty 0 4
 access-class AccessControl in
 exec-timeout 15 0
 privilege level 15
 transport input ssh
line vty 5 15
 access-class AccessControl in
 exec-timeout 15 0
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/1.3
ntp server 172.20.2.33 prefer
ntp server 172.20.2.34
end