ASA5505 NAT CONFIG QUESTION? OPEN STATIC IP

Similar Messages

• Workshop Weblogic config questions

  I'm using Oracle Workshop for WebLogic 10.3 and I'm hoping someone can answer some setup/config questions.
  When I double click on the server (WebLogic Server v10.3 at localhost) a window opens with various settings that manage how workshop and weblogic work together.
  Under "Startup & Deployment" I have the following turned on:
  Launch WebLogic server in Eclipse console
  Always start WebLogic Server in debug mode
  Ignore project compilation errors when publishing (I have this turned on because of errors in a portal project, the errors aren't inmportant, and don't prevent the project form running)
  Run stand-alone web module directly from workspace
  So, first question, with these settings I was able to quickly switch to debug mode, with out restarting the server, now the server restarts whenever I turn debugging on. What have I done that has stopped this working correctly? How can I get it to start debugging without a full restart?
  next question, what happens if I turn on "Start WebLogic Server in Express Mode"? As far as I can tell nothing happens.
  Lastly, under "Automatic Publishing" I have it set to "Never publish automatically", if I choose another setting workshop essentially freezes because it's constantly publishing. So whenever I make a change, even in a jsp, I need to remove the project, then re-add it to see my changes in the browser. This is frustrating, not just because it takes 8 or 9 minutes (8 or 9 MINUTES!!!), but because the project doesn't run properly until it is redeployed. You'd think that if it needs to be re-deployed, then none of my changes should matter on the server until it is re-deployed.
  So, my question is, Is there any way to get this re-deployment to happen faster?
  Thanks for any and all help

  Well, in my experience performance is not bad as you experienced. Is it locally connected server or remotely connected server? If it is a remote server, network issue could cause this latency issue.
  Is performance better if you run the server without enabling debug mode? If yes, probably you can also review any break points set.
  You could also try out the following options
  1) Run workshop with -clean option, by opening command prompt and navigating to workshop_home\'workshop.exe -clean'
  2) Untick the option 'Launch WebLogic server in Eclipse console' and start server which would enable server to start on command prompt
  3) This would enable you to take multiple thread dumps (cutl +Break) on the server console output, while performance is very bad, to see where threads are halt.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

• Help: startup-config file open failed (Not enough space)

  Who can help me ? I've an uc500 and he stil running. Now i want to change something and want to save the configuration first. But the following message appears : startup-config file open failed (Not enough space)
  this is the output from a dir flash:
  Directory of nvram:/
    227  -rw-       25897                    <no date>  startup-config
    228  ----        1933                    <no date>  private-config
    229  -rw-       25897                    <no date>  underlying-config
      1  ----          83                    <no date>  persistent-data
      2  -rw-           0                    <no date>  ifIndex-table
      3  -rw-         577                    <no date>  IOS-Self-Sig#1.cer
      4  -rw-         615                    <no date>  IOS-Self-Sig#2.cer
      5  -rw-         660                    <no date>  vlan.dat
      6  -rw-         107                    <no date>  cca.xml
      7  -rw-         586                    <no date>  IOS-Self-Sig#3.cer
  262144 bytes total (227094 bytes free)

  OK.
  Try this:
  conf t
  service compress-config
  And see if that helps. 
  If not, see if you can tftp the running config off the router and TFTP it back to startup-config:
  copy run tftp
  copy tftp start
  Then you can try a reload and see if it is cured.
  I googled and found a few cases where alot of ACLs or NAT rules could cause MALOC errors (you would see those in your logs) when implemented and could manifest itself in this condition, which could be cured after the next reload, which is why I suggested that.
  Of course, dont be remote when you do this and only do it during a maintenance window.
  Steve

• Need help getting simple Nat config to work

  I can't seem to get the below Nat config to work. I removed the crypto from the fa0/0 for testing.
  Why can't i get xlates when I ping 192.168.1.5 or 192.168.1.1? As you can see my access list isnt getting touched?
  What am i missing?????
  ==============================================
  CCC#sh access-lists
  Standard IP access list 1
      10 permit 10.10.10.0, wildcard bits 0.0.0.255
  ==============================================
  CCC#sh ip nat t
  CCC#
  ==============================================
  CCC#sh ip nat s
  Total active translations: 0 (0 static, 0 dynamic; 0 extended)
  Outside interfaces:
    FastEthernet0/0
  Inside interfaces:
    FastEthernet0/1
  Hits: 0  Misses: 0
  CEF Translated packets: 0, CEF Punted packets: 0
  Expired translations: 0
  Dynamic mappings:
  -- Outside Destination
  [Id: 2] access-list 1 interface FastEthernet0/0 refcount 0
  [0] prot 6: port #7 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
  0, flags 1
  [0] prot 6: port #9 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
  0, flags 1
  [0] prot 6: port #11 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
  .0, flags 1
  [0] prot 6: port #13 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
  .0, flags 1
  [0] prot 6: port #19 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
  .0, flags 1
  [0] prot 6: port #21 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0
  .0, flags 1
  =============================================================================
  CCC#sh run
  Building configuration...
  Current configuration : 1490 bytes
  version 12.4
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname CCC
  boot-start-marker
  boot system flash c2600-adventerprisek9-mz.124-25d.bin
  boot-end-marker
  no aaa new-model
  no network-clock-participate slot 1
  no network-clock-participate wic 0
  ip cef
  no ip domain lookup
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  archive
  log config
    hidekeys
  crypto isakmp policy 2
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 400
  crypto isakmp key cisco123 address 1.1.1.3
  crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
  crypto map Petaluma_1 1 ipsec-isakmp
  ! Incomplete
  set peer 1.1.1.3
  set transform-set Petaluma_VPN
  match address 100
  interface FastEthernet0/0
  ip address 1.1.1.2 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  speed auto
  half-duplex
  interface Serial0/0
  no ip address
  shutdown
  clock rate 56000
  interface FastEthernet0/1
  ip address 10.10.10.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  router rip
  network 1.0.0.0
  network 10.0.0.0
  no ip forward-protocol nd
  ip route 192.168.1.0 255.255.255.0 1.1.1.3
  no ip http server
  no ip http secure-server
  ip nat source list 1 interface FastEthernet0/0 overload
  access-list 1 permit 10.10.10.0 0.0.0.255
  control-plane
  line con 0
  line aux 0
  line vty 0 4
  login
  end

  I am getting same issure:
  Dynamic mappings:
  -- Outside Destination
  [Id: 1] access-list NAT interface FastEthernet0/0 refcount 0
  [0] prot 6: port #0 refcount 2 syscount 2 localport 4294967295, localaddr 0.0.0.
  0, flags 1
  [0] prot 6: port #7 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
  0, flags 1 Dynamic mappings:
  -- Outside Destination
  [Id: 1] access-list NAT interface FastEthernet0/0 refcount 0
  [0] prot 6: port #0 refcount 2 syscount 2 localport 4294967295, localaddr 0.0.0.
  0, flags 1
  [0] prot 6: port #7 refcount 1 syscount 1 localport 4294967295, localaddr 0.0.0.
  0, flags 1
  I don't know what this means and will try debug ip nat and get a readout.

• Identity NAT config from Destination to Source

  Hi Everyone,
  In one of Client Network Environment i need to config static Identity NAT below to fix the traffic flow from PC to server
  statitc(X,Y) 192.168.3.1 192.168.3.1 netmask 255.255.255.255
  Traffic flow from PC to server was below
  PC was connected to interface Y of Firewall and Server was connected to interface X of Firewall.
  Where 192.168.3.1 is server IP.
  Need to confirm that above Identity NAT config is normal in network design?
  Regards
  Mahesh

  Hi Mahesh,
  This is similar to no-nat or nat exempt..... it can be done if the requirement is like this......
  Normally we do this for a inside to dmz zone in most cases...... or denying access from un-trusted zones....
  You can use that.... that should not be a problem....
  Regards
  Karthik

• SCCM 2012 application portal: config questions

  Hi,
  We have setup SCCM 2012 application portal correctly and it's working fine.
  However some config questions:
  -can we change the name of the configuration portal? Now its servername/CMApplicationCatalog ... what's not userfriendly.
  We'd like it to be applicationportal.ourcompany.com. Howto achieve that?
  -can we customize layout in a supported way (we could change html pages but after an upgrade of SCCM they would/could be erased)?
  -how does flexera (adminstudio?) plugs in into this. I've read this entry
  http://helpnet.installshield.com/appportal2014/Content/helplibrary/AP_CreatingCatItemSCCM.htm but what's the big picture here? Anybody using this? What are the advantages?
  J.
  Jan Hoedt

  We want to offer software center for overview of mandatory installs, application catalog for optional software.
  On our companies portal, we can then set a link which directs to the application portal. User can then install optional software from there.
  My current config works http://applicationportal.ourcompany.com/ goes to the sccm-server but not to the url below.
  That would be http://applicationportal.ourcompany.com/CMApplicationCatalog/#/SoftwareLibrary/AppListPageView.xaml
  how can I make sure the application portal shows up when this link is opened?
  It sounds like you want to perform a URL rewrite?
  http://www.iis.net/learn/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module
  You should test this to see if it's what you want - I may have misunderstood your question.
  Also, I wouldn't host this module on your AppCatalog server, I'd host the rewrite module elsewhere.
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• A few post config questions on new setup

  Hi Group,
  Just a few post config questions.
  First, how can I confirm my controller is in fact associating properly with an NTP server?  On a typically cisco product, I could just do a 'show ntp associations' or a 'show ntp status'.  I cannot see a way to confirm this on the gui or command line.
  Second, on my guest network with web-auth, if one were to choose to not use https for web-auth and instead use unsecure http, would that be possible and if so where in the gui?
  Thanks.

  The third field is from a WLC running v7.4 not v7.2.  I usually would install a 3rd party certificate, but what eles you can try is issue this command on from the CLI.  It had issues working with certain code versions, but you might as well give it a try.
  config network web-auth secureweb disable
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• (PS3)Changing NAT TYPE to Open for router WRT150N

  I need help chaning the NAT Type to open because I can't play with some of my friends on Playstation. Tell me how please
  loans personal

  A known issue with Linksys routers is the NAT Type 3 or anything related to dropping of Internet connectivity during play time. Network Address Translation (NAT) is the ability of a router or firewall to translate a public IP address to a private IP address and vice versa. It adds security to the network by keeping the private IP addresses hidden from the outside world.
  Gaming consoles such as Xbox 360®, PlayStation®3, and Wii™ often encounter NAT related issues resulting to poor gaming experience. This problem is resolved by checking the settings on your router which contribute to NAT issues.
  This is due to the built-in firewall of the router and to get past this, you will need to open ports on the router. You may do this by either doing Port Forwarding or Port Triggering. Once the ports are successfully opened, the NAT Type issue will change to Open or Moderate thus, making the gaming console work.
  Here is the link which resolve the issue: http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&docid=2902de6218ed4dc1a4c595595ca1f60a_Resolving_NAT_Typ...

• Nat Type question for PS3 (wrt610N)

  I have the wrt610N on cable internet and am playing Modern Warefare 2 on the PS3. Since day 1 I have had a Type 2 Nat type according to the PS3's internet connection test.  Modern Warfare 2 has a Nat Type indicator on the lobby screen and mine has always said Moderate. 
  Well, after a little research, I forwarded my ports and presto, it said my NAt type was open. Yesterday I accidently unplugged the router and now my lobby screen is saying moderate again.  My ports are still forwarded, so I have no idea what is going on.  Any ideas? 
  Someone suggested that I can just go in the router and set it to open, but this does not sound right.  Also, I was reading some posts on here and noticed people mentioning something about home network defender in the management tab.  I have no such option.  Anyone know why?   
  Solved!
  Go to Solution.

  Open an Internet Explorer browser page on your wired computer(desktop).In the address bar type - 192.168.1.1 and press Enter...Leave Username blank & in Password use admin in lower case...
  On the set-up tab change the MTU Size to 1365 and click Save Settings...Click on "Administration" tab and disable the option UPnP and click Save Settings...Once you return to the set up page click on the Security tab and uncheck Filter Anonymous Internet Requests and click on Save Settings...
  Click on "Applications and Gaming" tab and then click on "Port Range Forwarding" subtab...
  1) On the first line in Application box type in ABC, in the start box type in 80 and End box type in 80, leave the protocol as both and under ip address type in 192.168.1.20 and check the enable box...
  2) On the second line in Application box type in DEF, in the start box type in 443 and End box type in 443, leave the protocol as both and under ip address type in 192.168.1.20 and check the enable box...
  3) On the third line in Application box type in GHI, in the start box type in 5223 and End box type in 5223, leave the protocol as both and under ip address type in 192.168.1.20 and check the enable box...
  4) On the fourth line in Application box type in JKL, in the start box type in 3478 and End box type in 3479, leave the protocol as both and under ip address type in 192.168.1.20 and check the enable box...
  5) On the fifth line in Application box type in MNO, in the start box type in 3658 and End box type in 3658, leave the protocol as both and under ip address type in 192.168.1.20 and check the enable box...
  6) On the sixth line in Application box type in PQR, in the start box type in 10070 and End box type in 10080, leave the protocol as both and under ip address type in 192.168.1.20 and check the enable box and click on Save Settings
  7) Now assign the given ip address on your PlayStation ip address :- 192.168.1.20, subnet mask :- 255.255.255.0, default gateway :- 192.168.1.1...
  8) Also assign the dns addresses on the PlayStation Primary dns :- 4.2.2.2...Secondary dns :- 192.168.1.1
  9) Turn off your modem, router, and PlayStation...Wait for a minute...
  10) Plug the modem power first, wait for another minute and plug the router power cable, wait another minute and turn on the PlayStation and test it...
  ** Also reduce the MTU and disable the UPnP on the PS3.

• NAT configuaration question

  10.10.10.4 (255.255.55.248) is my workstation on Vlan1 (10.10.10.1) see attached.
  My fw log indicates drop packet to 10.10.10.4. Does this show my 10 addr is visible externally? Is my internal addr. being NATed correctly?
  If NAT config is wrong, how do I correct it?
  Regards

  Hi there
  assuming that you have in your cbac only two interfaces inside and outside no DMZ!!!
  i would like to suggest :
  1-the vty access-list must be applied on VLAN inbound, to prevent any spoofing of your 10.10... network.
  2-the access-list 2000 is good it will allow what must be allowed from outside to your network and at the same time it implement the RFC 2829, so it s placed in the right place dialer inbound.
  3-the MARSFW inspection rule must be applied on vlan 1 inbound and removed from dialer0, this inspection rule will create the statefull database and dynamic entries those entries will be appended to your access-list 2000 the puporse of those dynamic entries is to allow the returned traffic for the session initiated from your internal network to the outside network.
  4- the nat configuratiion is correct! must work!!.
  5- but i dont see any inpspection for your HTTP traffic in the inspection RULE so it will be dropped automaticaly i think!!!, suggestion try to add to the inspection rule
  (ip inspect MARSFW http)
  also if your are using port 8080 for http instead of 80 use :
  (ip port-map http port 8080) at the global config
  try and let us know the result
  HTH
  please do rate if it does clarify

• Re: PLM4P v6003 Config Question:  Any way to configure UGM Notifications?

  After reading:
  PLM4P v6003 Config Question:  Any way to configure UGM Notifications?
  This is one of the requirements from me as well. We always wanted to customize emails sent not only for UGM but also for other modules. We wanted to conveysome message to approvers. But it seems this is still not possible. Is this functionality on road-map of AgielP4P product management?

  Currently, the subject and body of emails can be customized to an extent, as they are translations that can be overridden. The translations have some placeholder fields that get populated by the system, but you are limited to those placeholder fields. The upcoming release will give you full control of the email body and subject lines, for GSM and SCRM emails, as well as Supplier Rep emails.

• Redundant FWSM Config Question

  Hello All,
  I'm going to be configuring failover with FWSMs for our 6500 at my job and I have a config question. There is one current 6500 chassis with 2 FWSMs installed. They are both online but currently since failover isn't setup, only one FWSM is actually active. My question is since we are using mutiple contexts where do I setup the failover interface, and do I need to configure failover on every single vlan on the FWSM? We have over 10 contexts each with 2-3 interfaces on them, so do I need a failover IP for every vlan that exists on every context? Also, does the failover config get setup on the admin or system context? Any help would be greatly appreciated, and thank you so much in advance!

  Hi John.
  Failover config goes in the system context. For the data interfaces in each context, you will need a primary and a standby IP i.e. 2 IP's per VLAN. Once failover happens, the secondary FWSM will assume the active role and the secondary FWSM will take over the Primary IP address thus making the failover process transparent to end users.
  HTH.
  Regards
  Zubair

• Trying to change my NAT type from Open to Strict or Moderate.

  My NAT type is open but I can't get any games. I told my friend and he said try and change my NAT type from Open to Strict, and that it might help in joining games. I can join CoD4 games, but not MW2 or MW3 games. Can anyone help me? I am playing on XBOX360 and I use wireless internet.

  A known issue with Linksys routers is the NAT Type 3 or anything related to dropping of Internet connectivity during play time.  Network Address Translation (NAT) is the ability of a router or firewall to translate a public IP address to a private IP address and vice versa.  It adds security to the network by keeping the private IP addresses hidden from the outside world.
  Here is the link, which will you in resolving the concern:  http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&docid=2902de6218ed4dc1a4c595595ca1f60a_Resolving_NAT_Typ...

• Need help opening NAT type to OPEN on a model WRT54GS router for xbox 360

  I have tried from other people's advice and when i test Xbox Live i always get a Moderate NAT type. I am becoming frustrated with how it is not working and I am hoping someone can help me. Please leave advice/suggestions and thank you for your time.

  Open the setup page of the router using 192.168.1.1 by putting the password as admin with username as blank & click the Administration tab & on the same page you will see UPNP.You need to select it as disable in order to help opening NAT type to OPEN.

• IOS XE Cisco 4431 NAT Config DNS Issues

  Hi All,
  I found out that  the XE IOS does not support IP DNS Server and therefor you are required to have a DNS sever seperately. My question is if i push all clients to a public DNS server such as google why does it not work?
  I can ping out and do NSLOOKUPS but nothing resolves in the browser. I have added an inbound rule to the WAN ACL to allow UDP/TCP 53 from 8.8.4.4 and it does not work. Ive spent ages and only thing that does work is IP ANY ANY and obviously i am not leaving that rule there. Is it a bug?
  Thanks
  Ben

  Hi Collin,
  Sorry for the delay, i have left the "IP any any" under WAN ACL 102.
  I did try CBAC at the 11th hour but was spewing up unrecognised remarks and didn't have time to go through.
  Please see confirm below for reference i have put in google DNS.
  Just to be clear No DNS resolves from DHCP clients if i remove the IP any any from WAN ACL102. The router can resolve locally i.e over serial.
  Many Thanks
  Ben
  Bespoke#sh run
  Building configuration...
  Current configuration : 12805 bytes
  ! Last configuration change at 18:24:43 GMT Sun Mar 15 2015 by admin
  ! NVRAM config last updated at 18:24:45 GMT Sun Mar 15 2015 by admin
  version 15.4
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  no platform punt-keepalive disable-kernel-core
  hostname Bespoke
  boot-start-marker
  boot system flash bootflash:isr4400-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin
  boot-end-marker
  vrf definition Mgmt-intf
   address-family ipv4
   exit-address-family
   address-family ipv6
   exit-address-family
  logging buffered 16386 informational
  logging rate-limit 100 except warnings
  no logging console
  aaa new-model
  aaa authentication fail-message ^CCCC Login failed.
  This could be because your RADIUS credentials are incorrect, or the RADIUS servers are unreachable. If servers are unreachable, use a local username and password.^C
  aaa authentication login default group radius local enable
  aaa authentication enable default group radius enable
  aaa authorization console
  aaa authorization exec default group radius local
  aaa session-id common
  clock timezone GMT 0 0
  clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
  no ip source-route
  ip options drop
  no ip bootp server
  ip domain name x.net
  ip name-server x.x.x.x
  ip name-server x.x.x.x
  ip dhcp bootp ignore
  no ip dhcp conflict logging
  ip dhcp excluded-address 192.168.1.1 192.168.1.15
  ip dhcp excluded-address 10.10.10.1
  ip dhcp excluded-address 172.1.0.1
  ip dhcp excluded-address 172.1.1.1
  ip dhcp excluded-address 172.1.2.1
  ip dhcp excluded-address 172.1.3.1
  ip dhcp pool ManagementVLAN100
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.4.4
  ip dhcp pool VLAN200
   network 10.10.8.0 255.255.252.0
   default-router 10.10.10.1
   dns-server 8.8.4.4
   lease 0 1
  ip dhcp pool VLAN300
   network 172.1.0.0 255.255.255.0
   default-router 172.1.0.1
   dns-server 8.8.4.4
  ip dhcp pool VLAN400
   network 172.1.1.0 255.255.255.0
   default-router 172.1.1.1
   dns-server 8.8.4.4
  ip dhcp pool VLAN500
   network 172.1.2.0 255.255.255.0
   default-router 172.1.2.1
   dns-server 8.8.4.4
  ip dhcp pool VLAN600
   network 172.1.3.0 255.255.255.0
   default-router 172.1.3.1
   dns-server 8.8.4.4
  subscriber templating
  multilink bundle-name authenticated
  redundancy
   mode none
  no cdp run
  ip ssh time-out 60
  ip ssh authentication-retries 2
  ip ssh version 2
  class-map match-all 140mbpsratelimit
   match access-group 103
  policy-map 140mbpsratelimit
   class 140mbpsratelimit
    police cir 146800500 bc 27525120 be 55050240
     conform-action transmit
     exceed-action drop
     violate-action drop
  interface Null0
   no ip unreachables
  interface GigabitEthernet0/0/0
   no ip address
   negotiation auto
  interface GigabitEthernet0/0/0.602
   description PRIMARYWAN200MBPS
   encapsulation dot1Q 602
   ip address x.x.x.x 255.255.255.252
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nat outside
   ip verify unicast source reachable-via rx allow-default
   ip access-group 102 in
   no cdp enable
   ip virtual-reassembly
  interface GigabitEthernet0/0/1
   no ip address
   negotiation auto
  interface GigabitEthernet0/0/1.100
   description ManagementVLAN100
   encapsulation dot1Q 100
   ip address 192.168.1.1 255.255.255.0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nat inside
   no cdp enable
   ip virtual-reassembly
  interface GigabitEthernet0/0/1.200
   encapsulation dot1Q 200
   ip address 10.10.10.1 255.255.252.0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nat inside
   no cdp enable
   service-policy input 140mbpsratelimit
   service-policy output 140mbpsratelimit
   ip virtual-reassembly
  interface GigabitEthernet0/0/1.300
   encapsulation dot1Q 300
   ip address 172.1.0.1 255.255.255.0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nat inside
   no cdp enable
   ip virtual-reassembly
  interface GigabitEthernet0/0/1.400
   encapsulation dot1Q 400
   ip address 172.1.1.1 255.255.255.0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nat inside
   no cdp enable
   ip virtual-reassembly
  interface GigabitEthernet0/0/1.500
   encapsulation dot1Q 500
   ip address 172.1.2.1 255.255.255.0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nat inside
   no cdp enable
   ip virtual-reassembly
  interface GigabitEthernet0/0/1.600
   encapsulation dot1Q 600
   ip address 172.1.3.1 255.255.255.0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nat inside
   no cdp enable
   ip virtual-reassembly
  interface GigabitEthernet0/0/2
   no ip address
   negotiation auto
  interface GigabitEthernet0/0/2.603
  interface GigabitEthernet0/0/3
   no ip address
   shutdown
   negotiation auto
  interface GigabitEthernet0
   vrf forwarding Mgmt-intf
   no ip address
   shutdown
   negotiation auto
  ip nat inside source list 1 interface GigabitEthernet0/0/0.602 overload
  ip nat inside source static tcp 192.168.1.15 443 x.x.x.x 443 extendable
  no ip forward-protocol nd
  no ip forward-protocol udp
  no ip http server
  no ip http secure-server
  ip route 0.0.0.0 0.0.0.0 x.x.x.x
  ip route 0.0.0.0 255.0.0.0 Null0
  ip route 10.0.0.0 255.0.0.0 Null0
  ip route 127.0.0.0 255.0.0.0 Null0
  ip route 169.254.0.0 255.255.0.0 Null0
  ip route 172.16.0.0 255.240.0.0 Null0
  ip route 192.0.0.0 255.255.255.0 Null0
  ip route 192.0.2.0 255.255.255.0 Null0
  ip route 192.168.0.0 255.255.0.0 Null0
  ip route 198.18.0.0 255.254.0.0 Null0
  ip route 198.51.100.0 255.255.255.0 Null0
  ip route 203.0.113.0 255.255.255.0 Null0
  ip radius source-interface GigabitEthernet0/0/0.602
  access-list 1 remark NAT-LAN
  access-list 1 permit 192.168.1.0 0.0.0.255
  access-list 1 permit 10.10.8.0 0.0.3.255
  access-list 1 permit 172.1.0.0 0.0.0.255
  access-list 1 permit 172.1.1.0 0.0.0.255
  access-list 1 permit 172.1.2.0 0.0.0.255
  access-list 1 permit 172.1.3.0 0.0.0.255
  access-list 50 remark SNMP_ACCESS
  access-list 50 permit x.x.x.x 0.0.0.31
  access-list 50 permit x.x.x.x 0.0.0.31
  access-list 51 remark NTP_ACCESS
  access-list 51 permit x.x.x.x
  access-list 51 permit x.x.x.x
  access-list 51 deny   any
  access-list 51 remark NTP_ACCESS
  access-list 102 remark WAN_INGRESSPrimary
  access-list 102 permit ip any any
  access-list 102 permit tcp any host x.x.x.x eq 443
  access-list 102 permit udp host 8.8.4.4 eq domain host x.x.x.x
  access-list 102 permit udp host 8.8.8.8 eq domain host x.x.x.x
  access-list 102 permit udp host x.x.x.x eq ntp host x.x.x.x eq ntp
  access-list 102 permit udp host x.x.x.x eq ntp host x.x.x.x eq ntp
  access-list 102 permit udp host x.x.x.x eq 1645 host x.x.x.x eq 1645
  access-list 102 permit udp host x.x.x.x eq 1645 host x.x.x.x eq 1645
  access-list 102 permit udp x.x.x.x 0.0.0.31 host x.x.x.x eq snmp
  access-list 102 permit udp x.x.x.x 0.0.0.31 host x.x.x.x eq snmp
  access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq telnet
  access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq 22
  access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq telnet
  access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq 22
  access-list 102 permit icmp x.x.x.x 0.0.0.31 any echo
  access-list 102 permit icmp x.x.x.x 0.0.0.31 any echo
  access-list 102 permit icmp any any echo-reply
  access-list 102 permit icmp any any time-exceeded
  access-list 102 permit icmp any any unreachable
  access-list 102 deny   icmp any any
  access-list 102 deny   ip host 0.0.0.0 any
  access-list 102 deny   ip host 255.255.255.255 any
  access-list 102 deny   ip any any
  access-list 103 remark 140mbpsratelimit
  access-list 103 permit udp any any
  access-list 103 permit tcp any any
  access-list 150 remark VTY_ACCESS
  access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq telnet
  access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq 22
  access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq telnet
  access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq 22
  access-list 150 deny   ip any any
  snmp-server community x.x.x.x RO 50
  radius server RadiusPR
   address ipv4 x.x.x.x auth-port 1645 acct-port 1646
   timeout 3
  radius server RadiusTC
   address ipv4 x.x.x.x auth-port 1645 acct-port 1646
   timeout 3
  control-plane
  line con 0
   logging synchronous
   transport output none
   stopbits 1
  line aux 0
   exec-timeout 0 1
   no exec
   transport output none
   stopbits 1
  line vty 0 4
   access-class 150 in
   logging synchronous
   transport input telnet ssh
   transport output none
  line vty 5 15
   access-class 150 in
   logging synchronous
   transport input telnet ssh
  ntp access-group peer 51
  ntp server x.x.x.x
  ntp server x.x.x.x
  end