ansible/backup/files/eltex/10.14.112.249.txt

hostname esr-21-2

ip firewall sessions counters
object-group service ssh
  port-range 22
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service ntp
  port-range 123
exit
object-group service OBJ_SVC_VPN
  port-range 500
  port-range 4500
exit
object-group service OBJ_SVC_NAT_SSH
  port-range 777
exit

object-group network OBJ_NET_STATIC_IP
  ip address-range 12.12.12.22
exit
object-group network OBJ_SERVER_IP
  ip address-range 192.168.102.1
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

username admin
  password encrypted $6$jK4EbZO6Wgf8SR4V$Qk9bbeYu.Dnz0YCTmFvSrIDfH3iXU6pgbI/boyXTVlgnc2LFvOFHhg9pA798kKV1H0vypPNMwofM5JZXLqrXc1
exit
line aux 1
  transport telnet port 2001
exit


system jumbo-frames
system config-confirm timeout 120

boot host auto-config
vlan 2
exit

no spanning-tree

security zone LAN
exit
security zone WAN
exit
security zone VPN
  description "FROM_DMVPN"
exit

ip bfd multiplier 3
route-map BGP_OUT
  rule 1
  exit
exit
router bgp 65002
  router-id 2.2.2.2
  neighbor 1.1.1.1
    remote-as 65001
    ebgp-multihop 2
    update-source 2.2.2.2
    address-family ipv4 unicast
      route-map BGP_OUT out
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    network 192.168.102.0/24
  exit
  enable
exit

router ospf 555
  router-id 2.2.2.2
  area 0.0.0.0
    network 10.255.254.0/24
    network 2.2.2.2/32
    enable
  exit
  enable
exit

interface port-channel 1
exit
interface port-channel 1.300
  security-zone LAN
  ip address 10.14.112.249/24
exit
interface port-channel 1.3
  security-zone LAN
  ip address 192.168.102.254/24
exit
interface port-channel 1.102
exit
interface gigabitethernet 1/0/1
  description "WAN"
  security-zone WAN
  ip address 11.11.11.22/24
exit
interface gigabitethernet 1/0/2
  description "WAN2"
  mtu 9500
  security-zone WAN
  ip address 12.12.12.22/24
exit
interface gigabitethernet 1/0/2.555
  description "p2p_mpls"
  mtu 9500
  security-zone VPN
  ip address 172.30.30.2/24
  ip ospf instance 555
  ip ospf mtu-ignore
  ip ospf
exit
interface gigabitethernet 1/0/3
  mode switchport
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface gigabitethernet 1/0/5
  mode switchport
exit
interface gigabitethernet 1/0/6
  mode switchport
exit
interface gigabitethernet 1/0/7
  mode switchport
exit
interface gigabitethernet 1/0/8
  mode switchport
  channel-group 1 mode auto
exit
interface gigabitethernet 1/0/9
  mode switchport
exit
interface gigabitethernet 1/0/10
  mode switchport
exit
interface gigabitethernet 1/0/11
  mode switchport
exit
interface gigabitethernet 1/0/12
  mode switchport
exit
interface loopback 1
  ip address 2.2.2.2/32
  ip ospf instance 555
  ip ospf mtu-ignore
  ip ospf
exit
tunnel gre 101
  mtu 1400
  multipoint
  security-zone VPN
  local address 11.11.11.22
  ip address 10.255.255.2/24
  ip ospf instance 555
  ip ospf mtu-ignore
  ip ospf priority 0
  ip ospf
  ip nhrp authentication encrypted B18B2823930318AA
  ip nhrp holding-time 300
  ip nhrp map 10.255.255.1 11.11.11.11
  ip nhrp nhs 10.255.255.1/24
  ip nhrp ipsec IPSEC_VPN_HUB static
  ip nhrp ipsec IPSEC_VPN_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit
tunnel gre 102
  mtu 1400
  multipoint
  security-zone VPN
  local address 12.12.12.22
  ip address 10.255.254.2/24
  ip ospf instance 555
  ip ospf mtu-ignore
  ip ospf priority 0
  ip ospf network point-to-point
  ip ospf
  ip nhrp authentication encrypted B18B2823930318AA
  ip nhrp holding-time 300
  ip nhrp map 10.255.254.1 12.12.12.11
  ip nhrp nhs 10.255.254.1/32
  ip nhrp ipsec IPSEC_VPN_HUB_102 static
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

mpls
  ldp
    router-id 2.2.2.2
    address-family ipv4
      interface gigabitethernet 1/0/2.555
      exit
    exit
  exit
  l2vpn
    pw-class L2_VPN
      description "TEST"
    exit
    p2p P2P_L2_VPN
      interface port-channel 1.102
      pw 102 1.1.1.1
        pw-class L2_VPN
        enable
      exit
      enable
    exit
  exit
  forwarding interface gigabitethernet 1/0/2.555
exit
security zone-pair VPN self
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    enable
  exit
exit
security zone-pair WAN self
  rule 1
    description "GRE"
    action permit
    match protocol gre
    enable
  exit
  rule 2
    description "ISAKMP"
    action permit
    match protocol udp
    match destination-port OBJ_SVC_VPN
    enable
  exit
  rule 3
    description "ESP"
    action permit
    match protocol esp
    enable
  exit
  rule 10
    description "ICMP"
    action permit
    match protocol icmp
    enable
  exit
  rule 20
    description "AH"
    action permit
    match protocol ah
    enable
  exit
  rule 100
    description "ANY"
    action permit
    enable
  exit
exit
security zone-pair LAN VPN
  description "LAN_to_VPN"
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit
security zone-pair VPN LAN
  description "VPN_to_LAN"
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit
security zone-pair WAN LAN
  rule 10
    description "DNAT_777"
    action permit
    match protocol tcp
    match destination-address OBJ_SERVER_IP
    match destination-nat
    enable
  exit
exit
security zone-pair LAN WAN
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit

security ike proposal IKE_PROP_1
  encryption algorithm aes128
  dh-group 2
exit

security ike policy IKE_POL_1
  pre-shared-key ascii-text encrypted 91B8083FE00447F6D804
  proposal IKE_PROP_1
exit

security ike gateway IKE_GW_HUB
  ike-policy IKE_POL_1
  local address 11.11.11.22
  local network 11.11.11.22/32 protocol gre 
  remote address 11.11.11.11
  remote network 11.11.11.11/32 protocol gre 
  mode policy-based
exit

security ike gateway IKE_GW_HUB_102
  ike-policy IKE_POL_1
  local address 12.12.12.22
  local network 12.12.12.22/32 protocol gre 
  remote address 12.12.12.11
  remote network 12.12.12.11/32 protocol gre 
  mode policy-based
exit

security ike gateway IKE_GW_SPOKE
  ike-policy IKE_POL_1
  local address 11.11.11.22
  local network 11.11.11.22/32 protocol gre 
  remote address any
  remote network any
  mode policy-based
exit

security ipsec proposal IPSEC_PROP_1
  encryption algorithm aes128
exit

security ipsec policy IPSEC_POL_HUB_1
  proposal IPSEC_PROP_1
exit

security ipsec vpn IPSEC_VPN_HUB
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GW_HUB
  ike ipsec-policy IPSEC_POL_HUB_1
  enable
exit

security ipsec vpn IPSEC_VPN_HUB_102
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GW_HUB_102
  ike ipsec-policy IPSEC_POL_HUB_1
  enable
exit

security ipsec vpn IPSEC_VPN_SPOKE
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GW_SPOKE
  ike ipsec-policy IPSEC_POL_HUB_1
  enable
exit

security passwords default-expired
nat destination
  pool SERVER_IP
    ip address 192.168.102.1
    ip port 22
  exit
  ruleset DNAT
    from zone WAN
    rule 1
      match protocol tcp
      match destination-address OBJ_NET_STATIC_IP
      match destination-port OBJ_SVC_NAT_SSH
      action destination-nat pool SERVER_IP
      enable
    exit
  exit
exit

ip dhcp-server pool lan-pool
  network 192.168.1.0/24
  address-range 192.168.1.2-192.168.1.254
  default-router 192.168.1.1
exit

ip route 0.0.0.0/0 10.14.112.254

ip ssh server

lldp enable

clock timezone gmt +4

ntp enable
ntp server 10.1.8.2
exit
ntp server 10.1.8.1
exit
first commit 2025-10-31 08:47:26 +04:00			`hostname esr-21-2`

			`ip firewall sessions counters`
			`object-group service ssh`
			`port-range 22`
			`exit`
			`object-group service dhcp_server`
			`port-range 67`
			`exit`
			`object-group service dhcp_client`
			`port-range 68`
			`exit`
			`object-group service ntp`
			`port-range 123`
			`exit`
			`object-group service OBJ_SVC_VPN`
			`port-range 500`
			`port-range 4500`
			`exit`
			`object-group service OBJ_SVC_NAT_SSH`
			`port-range 777`
			`exit`

			`object-group network OBJ_NET_STATIC_IP`
			`ip address-range 12.12.12.22`
			`exit`
			`object-group network OBJ_SERVER_IP`
			`ip address-range 192.168.102.1`
			`exit`

			`syslog max-files 3`
			`syslog file-size 512`
			`syslog file tmpsys:syslog/default`
			`severity info`
			`exit`

			`username admin`
			`password encrypted $6$jK4EbZO6Wgf8SR4V$Qk9bbeYu.Dnz0YCTmFvSrIDfH3iXU6pgbI/boyXTVlgnc2LFvOFHhg9pA798kKV1H0vypPNMwofM5JZXLqrXc1`
			`exit`
			`line aux 1`
			`transport telnet port 2001`
			`exit`


			`system jumbo-frames`
			`system config-confirm timeout 120`

			`boot host auto-config`
			`vlan 2`
			`exit`

			`no spanning-tree`

			`security zone LAN`
			`exit`
			`security zone WAN`
			`exit`
			`security zone VPN`
			`description "FROM_DMVPN"`
			`exit`

			`ip bfd multiplier 3`
			`route-map BGP_OUT`
			`rule 1`
			`exit`
			`exit`
			`router bgp 65002`
			`router-id 2.2.2.2`
			`neighbor 1.1.1.1`
			`remote-as 65001`
			`ebgp-multihop 2`
			`update-source 2.2.2.2`
			`address-family ipv4 unicast`
			`route-map BGP_OUT out`
			`enable`
			`exit`
			`enable`
			`exit`
			`address-family ipv4 unicast`
			`network 192.168.102.0/24`
			`exit`
			`enable`
			`exit`

			`router ospf 555`
			`router-id 2.2.2.2`
			`area 0.0.0.0`
			`network 10.255.254.0/24`
			`network 2.2.2.2/32`
			`enable`
			`exit`
			`enable`
			`exit`

			`interface port-channel 1`
			`exit`
			`interface port-channel 1.300`
			`security-zone LAN`
			`ip address 10.14.112.249/24`
			`exit`
			`interface port-channel 1.3`
			`security-zone LAN`
			`ip address 192.168.102.254/24`
			`exit`
			`interface port-channel 1.102`
			`exit`
			`interface gigabitethernet 1/0/1`
			`description "WAN"`
			`security-zone WAN`
			`ip address 11.11.11.22/24`
			`exit`
			`interface gigabitethernet 1/0/2`
			`description "WAN2"`
			`mtu 9500`
			`security-zone WAN`
			`ip address 12.12.12.22/24`
			`exit`
			`interface gigabitethernet 1/0/2.555`
			`description "p2p_mpls"`
			`mtu 9500`
			`security-zone VPN`
			`ip address 172.30.30.2/24`
			`ip ospf instance 555`
			`ip ospf mtu-ignore`
			`ip ospf`
			`exit`
			`interface gigabitethernet 1/0/3`
			`mode switchport`
			`exit`
			`interface gigabitethernet 1/0/4`
			`mode switchport`
			`exit`
			`interface gigabitethernet 1/0/5`
			`mode switchport`
			`exit`
			`interface gigabitethernet 1/0/6`
			`mode switchport`
			`exit`
			`interface gigabitethernet 1/0/7`
			`mode switchport`
			`exit`
			`interface gigabitethernet 1/0/8`
			`mode switchport`
			`channel-group 1 mode auto`
			`exit`
			`interface gigabitethernet 1/0/9`
			`mode switchport`
			`exit`
			`interface gigabitethernet 1/0/10`
			`mode switchport`
			`exit`
			`interface gigabitethernet 1/0/11`
			`mode switchport`
			`exit`
			`interface gigabitethernet 1/0/12`
			`mode switchport`
			`exit`
			`interface loopback 1`
			`ip address 2.2.2.2/32`
			`ip ospf instance 555`
			`ip ospf mtu-ignore`
			`ip ospf`
			`exit`
			`tunnel gre 101`
			`mtu 1400`
			`multipoint`
			`security-zone VPN`
			`local address 11.11.11.22`
			`ip address 10.255.255.2/24`
			`ip ospf instance 555`
			`ip ospf mtu-ignore`
			`ip ospf priority 0`
			`ip ospf`
			`ip nhrp authentication encrypted B18B2823930318AA`
			`ip nhrp holding-time 300`
			`ip nhrp map 10.255.255.1 11.11.11.11`
			`ip nhrp nhs 10.255.255.1/24`
			`ip nhrp ipsec IPSEC_VPN_HUB static`
			`ip nhrp ipsec IPSEC_VPN_SPOKE dynamic`
			`ip nhrp multicast nhs`
			`ip nhrp enable`
			`enable`
			`exit`
			`tunnel gre 102`
			`mtu 1400`
			`multipoint`
			`security-zone VPN`
			`local address 12.12.12.22`
			`ip address 10.255.254.2/24`
			`ip ospf instance 555`
			`ip ospf mtu-ignore`
			`ip ospf priority 0`
			`ip ospf network point-to-point`
			`ip ospf`
			`ip nhrp authentication encrypted B18B2823930318AA`
			`ip nhrp holding-time 300`
			`ip nhrp map 10.255.254.1 12.12.12.11`
			`ip nhrp nhs 10.255.254.1/32`
			`ip nhrp ipsec IPSEC_VPN_HUB_102 static`
			`ip nhrp multicast nhs`
			`ip nhrp enable`
			`enable`
			`exit`

			`mpls`
			`ldp`
			`router-id 2.2.2.2`
			`address-family ipv4`
			`interface gigabitethernet 1/0/2.555`
			`exit`
			`exit`
			`exit`
			`l2vpn`
			`pw-class L2_VPN`
			`description "TEST"`
			`exit`
			`p2p P2P_L2_VPN`
			`interface port-channel 1.102`
			`pw 102 1.1.1.1`
			`pw-class L2_VPN`
			`enable`
			`exit`
			`enable`
			`exit`
			`exit`
			`forwarding interface gigabitethernet 1/0/2.555`
			`exit`
			`security zone-pair VPN self`
			`rule 10`
			`description "ANY"`
			`action permit`
			`enable`
			`exit`
			`exit`
			`security zone-pair LAN self`
			`rule 1`
			`action permit`
			`enable`
			`exit`
			`exit`
			`security zone-pair WAN self`
			`rule 1`
			`description "GRE"`
			`action permit`
			`match protocol gre`
			`enable`
			`exit`
			`rule 2`
			`description "ISAKMP"`
			`action permit`
			`match protocol udp`
			`match destination-port OBJ_SVC_VPN`
			`enable`
			`exit`
			`rule 3`
			`description "ESP"`
			`action permit`
			`match protocol esp`
			`enable`
			`exit`
			`rule 10`
			`description "ICMP"`
			`action permit`
			`match protocol icmp`
			`enable`
			`exit`
			`rule 20`
			`description "AH"`
			`action permit`
			`match protocol ah`
			`enable`
			`exit`
			`rule 100`
			`description "ANY"`
			`action permit`
			`enable`
			`exit`
			`exit`
			`security zone-pair LAN VPN`
			`description "LAN_to_VPN"`
			`rule 10`
			`description "ANY"`
			`action permit`
			`enable`
			`exit`
			`exit`
			`security zone-pair VPN LAN`
			`description "VPN_to_LAN"`
			`rule 10`
			`description "ANY"`
			`action permit`
			`enable`
			`exit`
			`exit`
			`security zone-pair WAN LAN`
			`rule 10`
			`description "DNAT_777"`
			`action permit`
			`match protocol tcp`
			`match destination-address OBJ_SERVER_IP`
			`match destination-nat`
			`enable`
			`exit`
			`exit`
			`security zone-pair LAN WAN`
			`rule 10`
			`description "ANY"`
			`action permit`
			`enable`
			`exit`
			`exit`

			`security ike proposal IKE_PROP_1`
			`encryption algorithm aes128`
			`dh-group 2`
			`exit`

			`security ike policy IKE_POL_1`
			`pre-shared-key ascii-text encrypted 91B8083FE00447F6D804`
			`proposal IKE_PROP_1`
			`exit`

			`security ike gateway IKE_GW_HUB`
			`ike-policy IKE_POL_1`
			`local address 11.11.11.22`
			`local network 11.11.11.22/32 protocol gre`
			`remote address 11.11.11.11`
			`remote network 11.11.11.11/32 protocol gre`
			`mode policy-based`
			`exit`

			`security ike gateway IKE_GW_HUB_102`
			`ike-policy IKE_POL_1`
			`local address 12.12.12.22`
			`local network 12.12.12.22/32 protocol gre`
			`remote address 12.12.12.11`
			`remote network 12.12.12.11/32 protocol gre`
			`mode policy-based`
			`exit`

			`security ike gateway IKE_GW_SPOKE`
			`ike-policy IKE_POL_1`
			`local address 11.11.11.22`
			`local network 11.11.11.22/32 protocol gre`
			`remote address any`
			`remote network any`
			`mode policy-based`
			`exit`

			`security ipsec proposal IPSEC_PROP_1`
			`encryption algorithm aes128`
			`exit`

			`security ipsec policy IPSEC_POL_HUB_1`
			`proposal IPSEC_PROP_1`
			`exit`

			`security ipsec vpn IPSEC_VPN_HUB`
			`mode ike`
			`ike establish-tunnel route`
			`ike gateway IKE_GW_HUB`
			`ike ipsec-policy IPSEC_POL_HUB_1`
			`enable`
			`exit`

			`security ipsec vpn IPSEC_VPN_HUB_102`
			`mode ike`
			`ike establish-tunnel route`
			`ike gateway IKE_GW_HUB_102`
			`ike ipsec-policy IPSEC_POL_HUB_1`
			`enable`
			`exit`

			`security ipsec vpn IPSEC_VPN_SPOKE`
			`mode ike`
			`ike establish-tunnel route`
			`ike gateway IKE_GW_SPOKE`
			`ike ipsec-policy IPSEC_POL_HUB_1`
			`enable`
			`exit`

			`security passwords default-expired`
			`nat destination`
			`pool SERVER_IP`
			`ip address 192.168.102.1`
			`ip port 22`
			`exit`
			`ruleset DNAT`
			`from zone WAN`
			`rule 1`
			`match protocol tcp`
			`match destination-address OBJ_NET_STATIC_IP`
			`match destination-port OBJ_SVC_NAT_SSH`
			`action destination-nat pool SERVER_IP`
			`enable`
			`exit`
			`exit`
			`exit`

			`ip dhcp-server pool lan-pool`
			`network 192.168.1.0/24`
			`address-range 192.168.1.2-192.168.1.254`
			`default-router 192.168.1.1`
			`exit`

			`ip route 0.0.0.0/0 10.14.112.254`

			`ip ssh server`

			`lldp enable`

			`clock timezone gmt +4`

			`ntp enable`
			`ntp server 10.1.8.2`
			`exit`
			`ntp server 10.1.8.1`
			`exit`