help me understand this config... Please.

[engjohn]

!
! Last configuration change at 17:08:28 PDT Tue May 26 2009 by username
! NVRAM config last updated at 17:08:33 PDT Tue May 26 2009 by username
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname TR-2851
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
card type t1 0 1
logging snmp-authfail
logging userinfo
logging buffered 32768 debugging
!
no aaa new-model
!
resource policy
!
clock timezone PST -8
clock summer-time PDT recurring
clock calendar-valid
no network-clock-participate wic 0
no network-clock-participate wic 1
no ip source-route
ip tcp synwait-time 10
ip telnet source-interface GigabitEthernet0/1
!
!
ip cef
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.252 10.0.0.254
!
!
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
no ip domain lookup
ip domain name ecicorp.local
ip host FW 10.0.0.5
ip host PHX 10.0.20.1
ip host mnt 10.0.10.1
ip host vnt 10.0.40.1
ip ssh source-interface Loopback0
login on-failure log
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3042013792
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3042013792
revocation-check none
rsakeypair TP-self-signed-3042013792
!
!
crypto pki certificate chain TP-self-signed-3042013792
certificate self-signed 01 nvram:IOS-Self-Sig#3202.cer
username user1 privilege 15 password 7 06151B205E4248400D03
username user2 privilege 15 password 7 105D1D18171B53520410
username user3 privilege 15 password 7 0215105A190A4E78445A
!
!
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 1 timeslots 1-24
description PAETECH - 30/HCGS/242819/175/PUA/DS1 LEC - 13/HCGS/689672//PT
!
controller T1 0/1/0
framing esf
linecode b8zs
channel-group 1 timeslots 1-24
description PAETECH - 30/HCGS/242820/175/PUA/DS1 LEC - 13/HCGS/689672//PT
!
!
!
!
interface Loopback0
ip address 10.16.0.224 255.255.255.255
!
interface Multilink1
description PAETECH - 30/HCGS/242819-20/175/PUA/DS1 LEC - 13/HCGS/689672//PT
ip address 74.10.218.134 255.255.255.252
no ip redirects
no ip proxy-arp
no cdp enable
ppp multilink
ppp multilink group 1
!
interface GigabitEthernet0/0
description TOR-VPN1 OUTSIDE
ip address 10.0.1.1 255.255.255.0
no ip redirects
no ip proxy-arp
duplex auto
speed auto
!
interface GigabitEthernet0/1
description SWITCH
ip address 10.0.0.1 255.255.255.0
no ip proxy-arp
ip nbar protocol-discovery
duplex auto
speed auto
standby 1 ip 10.0.0.253
!
interface Serial0/0/0:1
description PAETECH - 30/HCGS/242819/175/PUA/DS1 LEC - 13/HCGS/689672//PT
no ip address
encapsulation ppp
no cdp enable
ppp multilink
ppp multilink group 1
!
interface Serial0/1/0:1
description PAETECH - 30/HCGS/242820/175/PUA/DS1 LEC - 13/HCGS/689672//PT
no ip address
encapsulation ppp
no cdp enable
ppp multilink
ppp multilink group 1
!
router eigrp 100
redistribute bgp 65000 metric 100000 100 255 1 1500
network 10.0.0.0 0.0.0.255
network 10.0.1.0 0.0.0.255
network 10.16.0.224 0.0.0.0
no auto-summary
eigrp router-id 10.16.0.224
!
router bgp 65000
no synchronization
bgp router-id 10.16.0.224
bgp log-neighbor-changes
network 10.0.0.0 mask 255.255.255.0
network 10.0.1.0 mask 255.255.255.0
network 74.X.X.X mask 255.255.255.252
redistribute eigrp 100 metric 1
neighbor 4.2.2.2 remote-as 1501
neighbor 74.X.X.X remote-as 15270
no auto-summary
!
!
!
ip http server
ip http access-class 99
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging history warnings
logging trap notifications
logging facility local5
logging source-interface Loopback0
logging 10.0.0.51
access-list 11 permit 192.168.168.254
access-list 11 deny any log
access-list 99 deny any log
snmp-server community 0rgan1sm RO
snmp-server enable traps tty
snmp-server enable traps frame-relay multilink bundle-mismatch
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd 

BLA BLA BLA


!
line con 0
exec-timeout 5 0
login local
transport output telnet
line aux 0
line vty 0 4
login local
line vty 5
access-class 11 in
privilege level 15
login local
transport preferred telnet
transport input telnet
transport output telnet
line vty 6 15
login
no exec
!
scheduler allocate 20000 1000
ntp master 1
!
end



OK Here is what I gather, 3 users with passwords full access. I have reset those.
2 T1's bonded
Routing to 2 internal subnets 10.0.0.0/24 and 10.0.1.0/24 on 2 separate GigE interfaces.
Using BGP on the external Multilink network, and reditrubiting it as EIGRP to the 2 internal subnets...

What I dont understand is, what is this for
"crypto pki trustpoint ..."
"crypto pki certificate chain"

and isnt this Verizons DNS server
"neighbor 4.2.2.2 remote-as 1501"

After changing the passwords, is there any way for the former admin to get access?
Does the config look bad?

I know it is a lot to ask, but as you can tell i am not real strong on cisco equipment and I have inherited this client and I have to now get to know this. We have 5 locations setup just like this using 2811 though...

Thanks for looking...

 

[North323]

pki is a trusted 3rd party certificate store. its is used to authenticate the validity of the users (i think)

neighbor 4.2.2.2 remote-as 1501 is not verizon its IP address: 4.2.2.2
Host name: vnsc-bak.sys.gtei.net

the former admin could get back in if he left a back door open. i would change the user names AND passwords. overall the config does not look bad. if you want, you can install RAT from

http://www.cisecurity.org/index.html

and run your config through that. it will audit your config.

 

[Torturednacho]

Might just be safer to Delete all users besides yourself and 1 made for a backup user.