hostname MSK-MLK-NOV2-RT-1-2.ESR-21
ip firewall sessions counters

object-group service OBJ_SVC_SSH
  port-range 22
exit
object-group service OBJ_SVC_VPN
  port-range 500
  port-range 4500
exit
object-group service OBJ_SVC_MGMT
  port-range 22
  port-range 23
  port-range 2001-2003
exit
object-group network OBJ_NET_IZH_KG_P11
  description "IZH-KG-P11_nets"
  ip prefix 91.240.179.0/24
  ip prefix 5.227.124.143/32
  ip prefix 78.85.13.93/32
  ip prefix 62.141.96.126/32
  ip prefix 84.201.247.190/32
  ip prefix 88.80.33.50/32
  ip prefix 94.25.46.122/32
exit
object-group network OBJ_NET_IZH_MLK_IZM
  description "IZH-MLK-IZM_nets"
  ip prefix 91.240.179.0/24
  ip prefix 85.140.32.27/32
  ip prefix 78.85.13.42/32
  ip prefix 5.227.126.169/32
  ip prefix 31.173.105.54/32
  ip prefix 217.14.195.253/32
  ip prefix 85.175.86.74/32
exit
object-group network OBJ_NET_ADM_MGMT
  description "Admins Net for MGMT and Routing"
  ip prefix 10.110.0.0/24
  ip prefix 10.4.0.214/32
  ip prefix 10.1.19.0/24
  ip prefix 10.14.117.0/24
  ip prefix 172.30.1.0/24
  ip prefix 172.30.2.0/24
  ip prefix 192.168.8.99/32
  ip prefix 10.4.0.58/32
exit
object-group network OBJ_NET_NAT_USERS
  ip prefix 10.14.104.0/21
exit

syslog max-files 3
syslog file-size 1024
syslog cli-commands
syslog file tmpsys:syslog/syslog severity info
exit
logging aaa configuration
logging userinfo
syslog monitor warning

alias q root "exit"

username admin
  password encrypted $6$pFzbQmya2cYltOhG$4NUtxJ1WkXRaqlhtpjfgSYAqlMsMpUZluPDvVFYQTVlNht8vsUpZgCLv7Xe/VRdD7XfRakVmVzrOWj4ZdtU4V.
  privilege 1
exit
username techsupport
  password encrypted $6$NIJmKExDCQQrxKeP$GHzsgRdo3wceGBiLbY9r612ZmgWO.kSaiQ7WZogUx1R28m3He/KMK4YX8/6lZom//rY3O.GxHzbySgYuQOemH0
exit
username remote
  password encrypted $6$pFzbQmya2cYltOhG$4NUtxJ1WkXRaqlhtpjfgSYAqlMsMpUZluPDvVFYQTVlNht8vsUpZgCLv7Xe/VRdD7XfRakVmVzrOWj4ZdtU4V.
exit
username netadmin
  password encrypted $6$qQ9DjGu5Ho3PsG1P$kFSYXz6vF15o8dO9siAha7hTiTtA159xVUA9BSVGM3wgsSEKeAyGQK5HZKyIkplOhc3f4eXjUoDrdc.YxlLhn1
  privilege 15
exit
enable password encrypted $6$AfOE17s2nl/CyvEy$6iroAkDn996cy.hfE69WQHuCyKZVsrLNff9Zpdtg4j/7GUDnUaNehPe/Ej5hxuJrLTHYe109dqurFYAVni3ue1 privilege 15

aaa authentication mode break
aaa authentication login CONSOLE local radius
aaa authentication login SSH radius local
aaa authentication enable default radius enable
radius-server host 10.1.122.248
  key ascii-text encrypted A9B020579B141DFFB0269F00275C72E9
  source-interface loopback 1
exit
radius-server host 10.4.0.248
  key ascii-text encrypted A9B020579B141DFFB0269F00275C72E9
  source-interface loopback 1
exit

line console
  login authentication CONSOLE
exit
line ssh
  login authentication SSH
exit
line aux 1
  description "RT-1-2"
  transport telnet port 2001
exit
line aux 2
  description "SW-2-1"
  speed 9600
  transport telnet port 2002
exit
tech-support login enable

system jumbo-frames
system config-confirm timeout 120
no spanning-tree

security zone LAN
exit
security zone WAN
exit
security zone VPN
exit

route-map RM_BGP_OUT
  rule 1
    description "Universal_MGMT_Loopback"
    match ip address 10.111.0.0/16 le 32
  exit
  rule 10
    description "MSK-NOV2_PREFIX"
    match ip address 10.14.104.0/21
  exit
exit

router bgp 64556
  timers keepalive 10
  timers holdtime 30
  peer-group PG_BGP_IZM
    remote-as 64512
    graceful-restart
    graceful-restart timeout 120
    route-map RM_BGP_OUT out
  exit
  peer-group PG_BGP_P11
    remote-as 64513
    bfd-enable
    graceful-restart
    graceful-restart timeout 120
    route-map RM_BGP_OUT out
  exit
  neighbor 172.30.1.1
    peer-group PG_BGP_IZM
    graceful-restart
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  neighbor 172.30.1.2
    peer-group PG_BGP_IZM
    graceful-restart
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  neighbor 172.30.2.1
    peer-group PG_BGP_P11
    graceful-restart
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  neighbor 172.30.2.2
    peer-group PG_BGP_P11
    graceful-restart
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  neighbor 172.31.16.1
    remote-as 64556
    graceful-restart
    address-family ipv4 unicast
      route-map RM_BGP_OUT out
      next-hop-self
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    network 10.14.104.0/21
    network 10.111.56.2/32
  exit
  enable
exit

interface port-channel 1
  description "[KU]_SW-1-1"
  mtu 9100
exit
interface port-channel 1.2
  description "Users"
  security-zone LAN
  ip address 10.14.105.253/24
  ip helper-address 10.1.8.5
  ip helper-address vrrp-group 1
  vrrp id 1
  vrrp ip 10.14.105.254/32
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.150
  description "WIFI"
  security-zone LAN
  ip address 10.14.107.253/24
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  ip helper-address vrrp-group 1
  vrrp id 2
  vrrp ip 10.14.107.254/32
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.300
  description "MGM"
  security-zone LAN
  ip address 10.14.104.253/25
  vrrp id 30
  vrrp ip 10.14.104.254/32
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.301
  description "WIFI_MGM_Ubiquity"
  security-zone LAN
  ip address 10.14.106.125/25
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  ip helper-address vrrp-group 1
  vrrp id 4
  vrrp ip 10.14.106.126/32
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.305
  description "WIFI_MGM_Eltex"
  security-zone LAN
  ip address 10.14.106.253/25
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  ip helper-address vrrp-group 1
  vrrp id 5
  vrrp ip 10.14.106.254/32
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.350
  description "VOIP"
  security-zone LAN
  ip address 10.14.104.125/25
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  ip helper-address vrrp-group 1
  vrrp id 6
  vrrp ip 10.14.104.126/32
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.555
  description "Transit_RT-1-1_RT-1-2"
  security-zone LAN
  ip address 172.31.16.2/29
exit
interface gigabitethernet 1/0/5
  description "[KU]_Po1_SW-1-1"
  mode switchport
  mtu 9100
  channel-group 1 mode auto
  lldp transmit
  lldp receive
exit
interface gigabitethernet 1/0/6
  description "[KU]_Po1_SW-1-1"
  mode switchport
  mtu 9100
  channel-group 1 mode auto
  lldp transmit
  lldp receive
exit
interface gigabitethernet 1/0/7
  description "[-ISP-xxM]_WAN_ISP_A"
  security-zone WAN
  ip address 91.240.179.239/24
exit
interface gigabitethernet 1/0/8
  description "[-ISP-xxM]_WAN_ISP_B"
  mtu 9100
  security-zone WAN
exit
interface loopback 1
  description "MGMT_IP"
  ip address 10.111.56.2/32
exit

tunnel gre 101
  key 1001
  ttl 255
  mtu 1400
  multipoint
  security-zone VPN
  local interface gigabitethernet 1/0/7
  ip address 172.30.1.77/24
  ip tcp adjust-mss 1360
  ip nhrp authentication encrypted B18B2823930318AA
  ip nhrp holding-time 300
  ip nhrp map 172.30.1.1 85.140.32.27
  ip nhrp map 172.30.1.2 78.85.13.42
  ip nhrp nhs 172.30.1.1/24
  ip nhrp nhs 172.30.1.2/24
  ip nhrp ipsec IPSEC_VPN_HUB static
  ip nhrp ipsec IPSEC_VPN_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit
tunnel gre 102
  key 1002
  ttl 254
  mtu 1400
  multipoint
  security-zone VPN
  local interface gigabitethernet 1/0/7
  ip address 172.30.2.77/24
  ip tcp adjust-mss 1360
  ip nhrp authentication encrypted B18B2823930318A9
  ip nhrp holding-time 300
  ip nhrp map 172.30.2.1 5.227.124.143
  ip nhrp map 172.30.2.2 78.85.13.93
  ip nhrp nhs 172.30.2.1/24
  ip nhrp nhs 172.30.2.2/24
  ip nhrp ipsec IPSEC_VPN_HUB static
  ip nhrp ipsec IPSEC_VPN_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

snmp-server
snmp-server contact "INVENTAR_NUMBER"
snmp-server location "MSK, Novodmitrovskaya,2 , kor 2, of 0404"
snmp-server community lmTUEsk6Yvlv ro

security zone-pair WAN self
  rule 10
    description "permit_any_from_P11"
    action permit
    match source-address OBJ_NET_IZH_KG_P11
    enable
  exit
  rule 20
    description "permit_any_from_IZM"
    action permit
    match source-address OBJ_NET_IZH_MLK_IZM
    enable
  exit
exit
security zone-pair LAN VPN
  rule 10
    description "permit_any"
    action permit
    enable
  exit
exit
security zone-pair VPN LAN
  rule 10
    description "permit_any"
    action permit
    enable
  exit
exit
security zone-pair VPN self
  rule 1
    description "TEST_ANY"
    action permit
    enable
  exit
  rule 10
    description "permit_icmp"
    action permit
    match protocol icmp
    enable
  exit
  rule 20
    description "permit_admins"
    action permit
    match source-address OBJ_NET_ADM_MGMT
    enable
  exit
exit
security zone-pair LAN WAN
  rule 10
    description "permit_any"
    action permit
    enable
  exit
exit
security zone-pair LAN self
  rule 10
    description "permit_admins"
    action permit
    match source-address OBJ_NET_ADM_MGMT
    enable
  exit
  rule 20
    description "Deny_MGMT_ports_from_LAN"
    action deny
    match protocol tcp
    match destination-port OBJ_SVC_MGMT
    enable
  exit
  rule 100
    description "PERMIT_ANY"
    action permit
    enable
  exit
exit

security ike proposal IKE_PROP
  encryption algorithm aes128
  dh-group 2
exit
security ike policy IKE_POL
  lifetime seconds 86400
  pre-shared-key ascii-text encrypted 91B8083FE00447F6D804
  proposal IKE_PROP
exit
security ike gateway IKE_GW_HUB
  ike-policy IKE_POL
  local address 91.240.179.239
  local network 91.240.179.239/32 protocol gre
  remote address any
  remote network 78.85.13.42/32 protocol gre
  remote network 85.140.32.27/32 protocol gre
  remote network 5.227.124.143/32 protocol gre
  remote network 78.85.13.93/32 protocol gre
  mode policy-based
exit
security ike gateway IKE_GW_SPOKE
  ike-policy IKE_POL
  local address 91.240.179.239
  local network 91.240.179.239/32 protocol gre
  remote address any
  remote network any protocol gre
  mode policy-based
exit
security ipsec proposal IPSEC_PROP
  encryption algorithm aes128
exit
security ipsec policy IPSEC_POL_HUB
  proposal IPSEC_PROP
exit
security ipsec vpn IPSEC_VPN_HUB
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway IKE_GW_HUB
  ike ipsec-policy IPSEC_POL_HUB
  enable
exit
security ipsec vpn IPSEC_VPN_SPOKE
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway IKE_GW_SPOKE
  ike ipsec-policy IPSEC_POL_HUB
  enable
exit

security passwords min-length 5
security passwords numeric-count 1
security passwords upper-case 1
security passwords history 0
security passwords default-expired

ip firewall sessions tcp-estabilished-timeout 3600
ip firewall sessions tcp-connect-timeout 120
ip firewall sessions tcp-disconnect-timeout 60
ip firewall sessions tcp-latecome-timeout 240

nat source
  ruleset SNAT
    to zone WAN
    rule 10
      match source-address OBJ_NET_NAT_USERS
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-relay
ip dhcp information option

ip route 0.0.0.0/0 91.240.179.254
ip route 10.14.104.0/21 blackhole 254

ip ssh server
ip ssh authentication algorithm md5 disable
ip ssh authentication algorithm md5-96 disable
ip ssh authentication algorithm ripemd160 disable
ip ssh authentication algorithm sha1 disable
ip ssh authentication algorithm sha1-96 disable
ip ssh encryption algorithm aes128 disable
ip ssh encryption algorithm aes128ctr disable
ip ssh encryption algorithm aes192 disable
ip ssh encryption algorithm aes192ctr disable
ip ssh encryption algorithm arcfour disable
ip ssh encryption algorithm arcfour128 disable
ip ssh encryption algorithm arcfour256 disable
ip ssh encryption algorithm blowfish disable
ip ssh encryption algorithm cast128 disable
ip ssh key-exchange algorithm dh-group-exchange-sha1 disable
ip ssh key-exchange algorithm dh-group1-sha1 disable
ip ssh key-exchange algorithm dh-group14-sha1 disable
ip ssh key-exchange algorithm ecdh-sha2-nistp256 disable
ip ssh key-exchange algorithm ecdh-sha2-nistp384 disable
ip ssh key-exchange algorithm ecdh-sha2-nistp521 disable

lldp enable

clock timezone gmt +4

ntp enable
ntp source address 10.111.56.2
ntp server 91.240.179.254 prefer
  minpoll 4
exit
ntp server 10.1.8.1
  minpoll 4
exit
ntp server 10.4.0.1
  minpoll 4
exit

zabbix-agent
  active-server 192.168.8.99
  hostname MSK-MLK-NOV2-RT-1-2
  remote-commands
  server 192.168.8.99
  source-address 10.111.56.2
  timeout 30
  enable
exit