! Eltex ESR running configuration for MSK-MLK-NOV2-RT-1-1: a DMVPN-style spoke
! (two mGRE/NHRP tunnels over IPsec to the IZM and P11 hubs) with BGP over the
! tunnels, VRRP gateways for the local LAN VLANs, SNAT for users to ISP_A.
! Reflowed one command per line with the original token sequence unchanged.
! Lines starting with "!" are review annotations; if the ESR CLI rejects them
! on load, strip them first.
!
! REVIEW SUMMARY (security): this file contains live credential material
! (password hashes, RADIUS key, IKE PSK, NHRP keys, SNMP community). Anything
! copied out of this config should be treated as compromised and rotated.
!
hostname MSK-MLK-NOV2-RT-1-1
ip firewall sessions counters
!
! Service groups. NOTE(review): neither OBJ_SVC_SSH nor OBJ_SVC_VPN is
! referenced by any zone-pair rule below, so the WAN->self rules currently
! match on source address only (all protocols/ports). Presumably these were
! meant to narrow the WAN->self policy; confirm and wire them in.
object-group service OBJ_SVC_SSH
  port-range 22
exit
object-group service OBJ_SVC_VPN
  port-range 500
  port-range 4500
exit
!
! Hub-side sources allowed to reach this router from the WAN zone.
! Both groups include 91.240.179.0/24, which is the ISP_A segment this router's
! own WAN interface (91.240.179.239/24) sits on, so every other host on that
! /24 is also permitted to every local service (SSH, SNMP, IKE, ...). Confirm
! this is intended (e.g. other spokes on the same segment); otherwise drop the
! /24 and keep only the hub /32s.
object-group network OBJ_NET_IZH_KG_P11
  description "IZH-KG-P11_nets"
  ip prefix 91.240.179.0/24
  ip prefix 5.227.124.143/32
  ip prefix 78.85.13.93/32
  ip prefix 62.141.96.126/32
  ip prefix 84.201.247.190/32
  ip prefix 88.80.33.50/32
  ip prefix 94.25.46.122/32
exit
object-group network OBJ_NET_IZH_MLK_IZM
  description "IZH-MLK-IZM_nets"
  ip prefix 91.240.179.0/24
  ip prefix 85.140.32.27/32
  ip prefix 78.85.13.42/32
  ip prefix 5.227.126.169/32
  ip prefix 31.173.105.54/32
  ip prefix 217.14.195.253/32
  ip prefix 85.175.86.74/32
exit
! Admin sources allowed to the router itself from the VPN zone (rule 20 of
! VPN->self). Includes both whole tunnel subnets (172.30.1.0/24, 172.30.2.0/24),
! i.e. every other DMVPN member, not only the hubs.
object-group network OBJ_NET_ADM_MGMT
  description "Admins Net for MGMT and Routing"
  ip prefix 10.110.0.0/24
  ip prefix 10.4.0.214/32
  ip prefix 10.1.19.0/24
  ip prefix 10.14.117.0/24
  ip prefix 172.30.1.0/24
  ip prefix 172.30.2.0/24
exit
object-group network OBJ_NET_NAT_USERS
  ip prefix 10.14.104.0/21
exit
!
! Logging: local file only, 3 x 1024 KB. No remote syslog destination appears
! anywhere in this config, and "tmpsys:" looks like a volatile filesystem
! (confirm on the platform), so logs are lost on reboot and are not available
! for incident response if the box is compromised. Add a syslog host.
syslog max-files 3
syslog file-size 1024
syslog file tmpsys:syslog/syslog severity info
exit
!
! Local accounts. NOTE(review): "admin" and "remote" carry byte-identical
! $6$ hashes (same salt, same digest), as do "netadmin" and "techsuppport" --
! i.e. two passwords shared across four accounts. A leak or brute-force of one
! exposes its twin; give each account its own credential. "techsuppport" is
! probably a typo for "techsupport" (confirm before renaming, RADIUS/ops may
! reference it).
username admin
  password encrypted $6$pFzbQmya2cYltOhG$4NUtxJ1WkXRaqlhtpjfgSYAqlMsMpUZluPDvVFYQTVlNht8vsUpZgCLv7Xe/VRdD7XfRakVmVzrOWj4ZdtU4V.
  privilege 1
exit
username remote
  password encrypted $6$pFzbQmya2cYltOhG$4NUtxJ1WkXRaqlhtpjfgSYAqlMsMpUZluPDvVFYQTVlNht8vsUpZgCLv7Xe/VRdD7XfRakVmVzrOWj4ZdtU4V.
exit
username netadmin
  password encrypted $6$qQ9DjGu5Ho3PsG1P$kFSYXz6vF15o8dO9siAha7hTiTtA159xVUA9BSVGM3wgsSEKeAyGQK5HZKyIkplOhc3f4eXjUoDrdc.YxlLhn1
  privilege 15
  ip sftp enable
exit
username techsuppport
  password encrypted $6$qQ9DjGu5Ho3PsG1P$kFSYXz6vF15o8dO9siAha7hTiTtA159xVUA9BSVGM3wgsSEKeAyGQK5HZKyIkplOhc3f4eXjUoDrdc.YxlLhn1
exit
enable password encrypted $6$AfOE17s2nl/CyvEy$6iroAkDn996cy.hfE69WQHuCyKZVsrLNff9Zpdtg4j/7GUDnUaNehPe/Ej5hxuJrLTHYe109dqurFYAVni3ue1 privilege 15
!
! AAA: console tries local first, SSH tries RADIUS first; both fall back to the
! other method, and "enable" falls back to the local enable password. The
! fallback is what makes the shared local hashes above matter.
aaa authentication mode break
aaa authentication login CONSOLE local radius
aaa authentication login SSH radius local
aaa authentication enable default radius enable
! Both RADIUS servers use the same shared key; keys marked "encrypted" must be
! recoverable by the device, so treat them as plaintext once the config leaks.
radius-server host 10.1.122.248
  key ascii-text encrypted A9B020579B141DFFB0269F00275C72E9
  source-interface loopback 1
exit
radius-server host 10.4.0.248
  key ascii-text encrypted A9B020579B141DFFB0269F00275C72E9
  source-interface loopback 1
exit
line console
  login authentication CONSOLE
exit
line ssh
  login authentication SSH
exit
system jumbo-frames
system config-confirm timeout 120
no spanning-tree
!
! Zones: LAN (user VLANs + transit), WAN (ISP uplinks), VPN (mGRE tunnels).
security zone LAN
exit
security zone WAN
exit
security zone VPN
exit
!
! Outbound BGP filter: announce only the management loopback range and this
! site's aggregate. NOTE(review): no inbound filter is applied to either peer
! group, so whatever the hubs advertise is accepted as-is; consider an inbound
! prefix-list and maximum-prefix if the hub side is not fully trusted.
route-map RM_BGP_OUT
  rule 1
    description "Universal_MGMT_Loopback"
    match ip address 10.111.0.0/16 le 32
  exit
  rule 10
    description "MSK-NOV2_PREFIX"
    match ip address 10.14.104.0/21
  exit
exit
router bgp 64556
  timers keepalive 10
  timers holdtime 30
  peer-group PG_BGP_IZM
    remote-as 64512
    graceful-restart
    route-map RM_BGP_OUT out
  exit
  peer-group PG_BGP_P11
    remote-as 64513
    graceful-restart
    route-map RM_BGP_OUT out
  exit
  ! Neighbors are the NHRP hubs of tunnel 101 (172.30.1.x) and 102 (172.30.2.x).
  ! No session authentication is configured; the sessions only ride inside the
  ! IPsec-protected tunnels, so the IPsec policy below is the real control.
  neighbor 172.30.1.1
    peer-group PG_BGP_IZM
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  neighbor 172.30.1.2
    peer-group PG_BGP_IZM
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  neighbor 172.30.2.1
    peer-group PG_BGP_P11
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  neighbor 172.30.2.2
    peer-group PG_BGP_P11
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    network 10.14.104.0/21
    network 10.111.56.1/32
  exit
  enable
exit
!
! LAN side: Po1 to SW-1-1 (Gi1/0/5 + Gi1/0/6), one subinterface per VLAN,
! VRRPv3 group 1 shared with RT-1-2 (transit link on 1.555). DHCP is relayed to
! 10.4.0.5 and 10.1.8.5.
interface port-channel 1
  description "[KU]_SW-1-1"
  mtu 9100
exit
! NOTE(review): unlike 1.150/1.301/1.305/1.350, this VLAN has no
! "ip helper-address vrrp-group 1"; confirm whether the relay here is meant to
! use the interface address rather than the VRRP address.
interface port-channel 1.2
  description "Users"
  security-zone LAN
  ip address 10.14.105.252/24
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  vrrp id 1
  vrrp ip 10.14.105.254/32
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.150
  description "WIFI"
  security-zone LAN
  ip address 10.14.107.252/24
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  ip helper-address vrrp-group 1
  vrrp id 2
  vrrp ip 10.14.107.254/32
  vrrp group 1
  vrrp version 3
  vrrp
exit
! Management VLAN: static addressing (no DHCP relay). It is in zone LAN like
! the user VLANs, so LAN->VPN/LAN->WAN "permit_any" applies to it as well.
interface port-channel 1.300
  description "MGM"
  security-zone LAN
  ip address 10.14.104.252/25
  vrrp id 30
  vrrp ip 10.14.104.254/32
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.301
  description "WIFI_MGM_Ubiquity"
  security-zone LAN
  ip address 10.14.106.124/25
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  ip helper-address vrrp-group 1
  vrrp id 4
  vrrp ip 10.14.106.126/32
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.305
  description "WIFI_MGM_Eltex"
  security-zone LAN
  ip address 10.14.106.252/25
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  ip helper-address vrrp-group 1
  vrrp id 5
  vrrp ip 10.14.106.254/32
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.350
  description "VOIP"
  security-zone LAN
  ip address 10.14.104.124/25
  ip helper-address 10.4.0.5
  ip helper-address 10.1.8.5
  ip helper-address vrrp-group 1
  vrrp id 6
  vrrp ip 10.14.104.126/32
  vrrp group 1
  vrrp version 3
  vrrp
exit
interface port-channel 1.555
  description "Transit_RT-1-1_RT-1-2"
  security-zone LAN
  ip address 172.31.16.1/29
exit
interface gigabitethernet 1/0/5
  description "[KU]_Po1_SW-1-1"
  mode switchport
  mtu 9100
  channel-group 1 mode auto
exit
interface gigabitethernet 1/0/6
  description "[KU]_Po1_SW-1-1"
  mode switchport
  mtu 9100
  channel-group 1 mode auto
exit
!
! WAN side. ISP_A carries the default route, SNAT and both tunnels; ISP_B
! (Gi1/0/8) has no address and no tunnel, so there is no uplink redundancy for
! the VPN in this config.
interface gigabitethernet 1/0/7
  description "[ISP-xxM]_Rosfon_ISP_A"
  security-zone WAN
  ip address 91.240.179.239/24
exit
interface gigabitethernet 1/0/8
  description "[ISP-xxM]_WAN_ISP_B"
  mtu 9100
  security-zone WAN
exit
interface loopback 1
  description "MGMT_IP"
  ip address 10.111.56.1/32
exit
!
! mGRE/NHRP tunnels to the two hub pairs. Static hub sessions use
! IPSEC_VPN_HUB, dynamic (spoke-to-spoke) sessions use IPSEC_VPN_SPOKE.
! NOTE(review): the two NHRP "encrypted" authentication blobs differ only in
! their last byte (...18AA vs ...18A9), which is consistent with a reversible
! per-character encoding of two plaintexts that differ in one character; do
! not rely on this obfuscation, and note NHRP auth itself is sent in the clear
! inside the tunnel.
tunnel gre 101
  key 1001
  mtu 1400
  multipoint
  security-zone VPN
  local interface gigabitethernet 1/0/7
  ip address 172.30.1.76/24
  ip tcp adjust-mss 1360
  ip nhrp authentication encrypted B18B2823930318AA
  ip nhrp holding-time 300
  ip nhrp map 172.30.1.2 78.85.13.42
  ip nhrp map 172.30.1.1 85.140.32.27
  ip nhrp nhs 172.30.1.1/24
  ip nhrp nhs 172.30.1.2/24
  ip nhrp ipsec IPSEC_VPN_HUB static
  ip nhrp ipsec IPSEC_VPN_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit
tunnel gre 102
  key 1002
  mtu 1400
  multipoint
  security-zone VPN
  local interface gigabitethernet 1/0/7
  ip address 172.30.2.76/24
  ip tcp adjust-mss 1360
  ip nhrp authentication encrypted B18B2823930318A9
  ip nhrp holding-time 300
  ip nhrp map 172.30.2.1 5.227.124.143
  ip nhrp map 172.30.2.2 78.85.13.93
  ip nhrp nhs 172.30.2.1/24
  ip nhrp nhs 172.30.2.2/24
  ip nhrp ipsec IPSEC_VPN_HUB static
  ip nhrp ipsec IPSEC_VPN_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit
!
! SNMP: a v2c read-only community stored in plaintext, with no source
! restriction on the community itself. It is reachable from any address the
! WAN->self and VPN->self rules admit (including the whole ISP_A /24 and both
! tunnel /24s). Rotate this community (it is exposed in this file) and prefer
! SNMPv3 authPriv, or at least bind the community to a management source list.
! "INVENTAR_NUMBER" looks like an unfilled template placeholder.
snmp-server
snmp-server contact "INVENTAR_NUMBER"
snmp-server location "MSK, Novodmitrovskaya,2 , kor2, et4"
snmp-server community lmTUEsk6Yvlv ro
!
! Router-protection policy from WAN. Both rules are "permit" with only a
! source-address match: any protocol/port from the listed networks reaches the
! control plane. Narrow to what the hubs actually need (IKE udp/500,4500 via
! OBJ_SVC_VPN, ESP, and SSH only from admin sources) so an ISP_A neighbor
! cannot reach SSH/SNMP directly.
security zone-pair WAN self
  rule 10
    description "permit_any_from_P11"
    action permit
    match source-address OBJ_NET_IZH_KG_P11
    enable
  exit
  rule 20
    description "permit_any_from_IZM"
    action permit
    match source-address OBJ_NET_IZH_MLK_IZM
    enable
  exit
exit
! LAN <-> VPN: fully open in both directions (all local VLANs, including MGM
! and VOIP, to/from every DMVPN site). Acceptable only if the remote sites are
! trusted at the same level as the local LAN; otherwise segment by VLAN.
security zone-pair LAN VPN
  rule 10
    description "permit_any"
    action permit
    enable
  exit
exit
security zone-pair VPN LAN
  rule 10
    description "permit_any"
    action permit
    enable
  exit
exit
! VPN -> router: ICMP from anyone in the tunnels, everything from admin nets.
security zone-pair VPN self
  rule 10
    description "permit_icmp"
    action permit
    match protocol icmp
    enable
  exit
  rule 20
    description "permit_admins"
    action permit
    match source-address OBJ_NET_ADM_MGMT
    enable
  exit
exit
! LAN -> WAN: unrestricted egress (SNAT'ed below). No WAN -> LAN pair exists,
! so inbound from the internet is implicitly denied (confirm platform default).
security zone-pair LAN WAN
  rule 10
    description "permit_any"
    action permit
    enable
  exit
exit
!
! IKE/IPsec. NOTE(review):
!  - dh-group 2 is 1024-bit MODP, considered inadequate today; move to group
!    14 or higher (coordinate with the hubs).
!  - No integrity/PRF algorithm is listed for either the IKE or the IPsec
!    proposal, so platform defaults apply; verify with the running state that
!    it is not MD5/SHA1.
!  - One policy (IKE_POL) and therefore one PSK serves both the hub gateway and
!    IKE_GW_SPOKE, whose peer is "remote address any / remote network any":
!    every site shares a single group PSK, so compromise of any one spoke
!    (or of this file) lets an attacker peer with all of them. Per-peer PSKs
!    or certificate authentication would contain that blast radius.
security ike proposal IKE_PROP
  encryption algorithm aes128
  dh-group 2
exit
security ike policy IKE_POL
  lifetime seconds 86400
  pre-shared-key ascii-text encrypted 91B8083FE00447F6D804
  proposal IKE_PROP
exit
! Hub gateway: transport-mode, GRE-only selectors to the four hub addresses
! (the same addresses the NHRP maps above point at).
security ike gateway IKE_GW_HUB
  ike-policy IKE_POL
  local address 91.240.179.239
  local network 91.240.179.239/32 protocol gre
  remote address any
  remote network 78.85.13.42/32 protocol gre
  remote network 85.140.32.27/32 protocol gre
  remote network 5.227.124.143/32 protocol gre
  remote network 78.85.13.93/32 protocol gre
  mode policy-based
exit
! Spoke gateway: accepts GRE from any peer that knows the shared PSK.
security ike gateway IKE_GW_SPOKE
  ike-policy IKE_POL
  local address 91.240.179.239
  local network 91.240.179.239/32 protocol gre
  remote address any
  remote network any protocol gre
  mode policy-based
exit
security ipsec proposal IPSEC_PROP
  encryption algorithm aes128
exit
security ipsec policy IPSEC_POL_HUB
  proposal IPSEC_PROP
exit
security ipsec vpn IPSEC_VPN_HUB
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway IKE_GW_HUB
  ike ipsec-policy IPSEC_POL_HUB
  enable
exit
security ipsec vpn IPSEC_VPN_SPOKE
  mode ike
  type transport
  ike establish-tunnel route
  ike gateway IKE_GW_SPOKE
  ike ipsec-policy IPSEC_POL_HUB
  enable
exit
!
! Local password policy: 5-character minimum with no history is weak for
! accounts that can reach privilege 15 via the local fallback; raise min-length
! and enable history.
security passwords min-length 5
security passwords numeric-count 1
security passwords upper-case 1
security passwords history 0
security passwords default-expired
!
! SNAT of the user aggregate behind the ISP_A interface address.
nat source
  ruleset SNAT
    to zone WAN
    rule 10
      match source-address OBJ_NET_NAT_USERS
      action source-nat interface
      enable
    exit
  exit
exit
! Default via ISP_A; blackhole for the site aggregate so the BGP "network"
! statement has a matching route and unrouted sub-prefixes are dropped.
ip route 0.0.0.0/0 91.240.179.254
ip route 10.14.104.0/21 blackhole 254
!
! SSH hardening: legacy MACs, non-AES-256 ciphers, RC4/Blowfish/CAST, SHA1 key
! exchange and the NIST P-curves are all disabled. Whatever the platform leaves
! enabled after this (e.g. an aes256 CBC mode) is not visible here; check the
! effective algorithm list on the device.
ip ssh server
ip ssh authentication algorithm md5 disable
ip ssh authentication algorithm md5-96 disable
ip ssh authentication algorithm ripemd160 disable
ip ssh authentication algorithm sha1 disable
ip ssh authentication algorithm sha1-96 disable
ip ssh encryption algorithm aes128 disable
ip ssh encryption algorithm aes128ctr disable
ip ssh encryption algorithm aes192 disable
ip ssh encryption algorithm aes192ctr disable
ip ssh encryption algorithm arcfour disable
ip ssh encryption algorithm arcfour128 disable
ip ssh encryption algorithm arcfour256 disable
ip ssh encryption algorithm blowfish disable
ip ssh encryption algorithm cast128 disable
ip ssh key-exchange algorithm dh-group-exchange-sha1 disable
ip ssh key-exchange algorithm dh-group1-sha1 disable
ip ssh key-exchange algorithm dh-group14-sha1 disable
ip ssh key-exchange algorithm ecdh-sha2-nistp256 disable
ip ssh key-exchange algorithm ecdh-sha2-nistp384 disable
ip ssh key-exchange algorithm ecdh-sha2-nistp521 disable
!
! Time. NOTE(review): hostname/location say Moscow, which has been UTC+3 since
! 2014, but the offset here is +4; if not deliberate this skews every log and
! makes correlation with other systems harder. The preferred NTP source is the
! ISP gateway and no NTP authentication is configured, so time can be steered
! from the ISP segment; prefer the internal servers and authenticate if the
! platform supports it.
clock timezone gmt +4
ntp enable
ntp server 91.240.179.254 prefer
  minpoll 4
exit
ntp server 10.1.8.1
  minpoll 4
exit
ntp server 10.4.0.1
  minpoll 4
exit