Cisco 871W - GRE/PPTP problem

matzuber (Technical User, GB), Sep 28, 2009
Hi all,

I am new to this forum and I am hoping to use your expert knowledge to help me with a problem I am having. I am sitting behind a Cisco 871W router and trying to connect to a Windows VPN server but keep getting the following error - Error 721.

If I check this on the Microsoft Website:

Cause - This issue may occur if the network firewall does not permit Generic Routing Encapsulation (GRE) protocol traffic. GRE is IP Protocol 47. PPTP uses GRE for tunneled data.

Resolution - To resolve this issue, configure the network firewall to permit GRE protocol 47. Also, make sure that the network firewall permits TCP traffic on port 1723. Both of these conditions must be met to establish VPN connectivity by using PPTP.

Now, how do I configure this on my Cisco firewall? I have tried some online suggestions but they haven't helped. I am really stuck here so any help would be appreciated.

Thanks,
Huw

My Cisco config is as follows:

!This is the running config of the router: 192.168.211.21
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ciscovpn
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$neHb$fC5sCQg3qK6mi2rglvk7F0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authentication login sdm_vpn_xauth_ml_6 local
aaa authentication login sdm_vpn_xauth_ml_7 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
aaa authorization network sdm_vpn_group_ml_5 local
aaa authorization network sdm_vpn_group_ml_6 local
aaa authorization network sdm_vpn_group_ml_7 local
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-526255994
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-526255994
 revocation-check none
 rsakeypair TP-self-signed-526255994
!
!
crypto pki certificate chain TP-self-signed-526255994
 certificate self-signed 02
  30820248 308201B1 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35323632 35353939 34301E17 0D303831 30323331 36323334
  305A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3532 36323535
  39393430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  C2007EB8 CAA9C0C4 15D22CE9 5DE24832 DED5E471 8C6E1531 279551D1 83D232AE
  45BAD443 85A2A60C 71A44780 0E5BA182 B3981801 AF06CBDA 4E447114 2EC043CF
  E4D3DBAC 69CA34F9 F89788C3 4AF6A02B 4565E5A0 A2A1870A 751545E4 C2DA22C8
  DC8C5538 596B5154 19B511FA 7E3671B2 42C019BF C4A99925 7D3139E4 C7ACC00B
  02030100 01A37230 70300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
  11041630 14821263 6973636F 76706E2E 4E55442E 6C6F6361 6C301F06 03551D23
  04183016 8014A83D 9B9C3CAD 09A8D145 C897AED6 CC08D76E E28D301D 0603551D
  0E041604 14A83D9B 9C3CAD09 A8D145C8 97AED6CC 08D76EE2 8D300D06 092A8648
  86F70D01 01040500 03818100 3F4DAF24 D0F1E65B 1891C709 9C1B5B5A DD7CFA78
  F146D413 F41CCB85 474B81F7 2031CA7B C949D4F1 95C29E4D 75C41D32 1A9E14B6
  8155E63F 01FB6177 C6554B6B DB298CC1 B2EDAA8A FEC2DE42 3B166FB2 E852BCC4
  7CF95D48 5A130C9A D22CBD55 4A23B728 6F859CF8 8ACD0118 9BAF28E6 713623C6
  86F49985 CAFA1844 2D27060D
  quit
dot11 syslog
!
dot11 ssid UK_OFFICE
   authentication open
!
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.211.1 192.168.211.59
ip dhcp excluded-address 192.168.211.101 192.168.211.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.211.0 255.255.255.0
   dns-server 194.72.6.57 194.73.82.242
   default-router 192.168.211.21
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name
ip name-server 194.72.6.57
ip name-server 194.73.82.242
!
!
!
username admin privilege 15 secret 5 $1$k3Ka$TSf8NfgoKGm/ut4UGrrl1
username user1 secret 5 $1FrqT$96JEXiQ2YSkIY3N.CQiA91
username user2 secret 5 $1$dn0$usTIi2nMHJbISaFwNJ9mw1
username user3 secret 5 $1$5mP$J4ywOA1mENQUPIlXDt4tT0
username user4 secret 5 $1$u04$Zi7iS2BdRDKTznswufX97.
username user5 secret 5 $1$UXA$CeaSCIkFVYw7Jd4J92ITV0
username user6 secret 5 $1$NYXZQ0SioiLXAJ5GXiiK1RqG50
username user7 secret 5 $1$J8.Y$4FS5oU8xdNb6uyTV.nuJ/
username user8 secret 5 $1$wdWe$O7Ks.qUpvOUVI8D0F5uR0
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group officevpn
 key keypassphrase
 dns 194.72.6.57 194.73.82.242
 pool SDM_POOL_1
 acl 101
 include-local-lan
 max-users 10
 max-logins 1
 netmask 255.255.255.0
 banner ^CWelcome to the London Office ^C
crypto isakmp profile sdm-ike-profile-1
   match identity group officevpn
   client authentication list sdm_vpn_xauth_ml_7
   isakmp authorization list sdm_vpn_group_ml_7
   client configuration address respond
   virtual-template 5
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA4
 set isakmp-profile sdm-ike-profile-1
!
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
 match access-group name SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
 match access-group name SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 88.11.71.126 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface Virtual-Template5 type tunnel
 ip unnumbered FastEthernet4
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 7 9A64415A3649F241C70AF2192F78 transmit-key
 encryption mode wep mandatory
 !
 ssid HMS_UK
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 world-mode dot11d country GB both
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.211.21 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 192.168.211.201 192.168.211.210
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 88.211.41.145
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark SDM_ACL Category=1
 permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.211.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 88.211.41.144 0.0.0.3 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.211.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.211.0 0.0.0.255 any
no cdp run
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------

^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


 
Let's start with adding match protocol pptp to your sdm-cls-insp-traffic class-map. Post back with your results.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi Unclerico, thanks for the suggestion. I have tried this but I get the same error. Should I leave this option in the config?

Any other suggestions?

Thanks.

 
Instead of a VTI setup, why not use just a regular tunnel interface and encrypt that with IPSEC (put the crypto map on it, make an acl for inter. traffic, and apply the crypto map to the tunnel instead of a profile)? This may be the problem.

Is this just a Windoze box going to a cisco router?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Hi burtsbees,

I am a newbie with regards to Cisco routers, so I am not sure how I would go about your suggestion. Could you please give me some step by step instructions?

With regards to the connection, I am sitting behind our Cisco 871W router trying to connect to an external Windows PPTP VPN server.

Thanks again.
 
Yes, I will get back tomorrow. Been a long day...

Uncle---give me a shout, tim and liz h at gmail dot com

 
Does anybody have any other suggestions?

Any help much appreciated. It is frustrating that this is so difficult on cisco routers yet is simple on other routers (to me at least!)

Thanks.
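The Microsoft article quoted in the opening post says what must be true (TCP 1723 out, GRE in both directions), and Unclerico's reply says where to change it (the class-map feeding the in-zone to out-zone policy). What neither spells out is why the posted config fails: sdm-cls-insp-traffic inspects generic TCP and UDP, so the 1723 control channel is fine, but GRE is neither, falls through to a class-default with no action in sdm-inspect, and there is no out-zone to in-zone zone-pair for the server's GRE replies at all. The following is an added example, not code from the thread, from Cisco or from the poster: it parses the class-map, policy-map and zone-pair chain in the same form as the running-config above and reports the verdict for each flow, for the config as posted, with Unclerico's `match protocol pptp`, and with an explicit GRE pass. The names GRE_PASSTHRU, GRE_CLASS, GRE_PASS and zp-out-in are chosen here; the config snippets are constructed and trimmed to the lines that matter; and the model assumptions (that `inspect` is stateful, that `match protocol pptp` under `inspect` is the IOS PPTP application inspection that also tracks the GRE call, and that `pass` is stateless so GRE must be passed in both directions) are this example's, not facts the thread establishes.

```python
"""Trace an IOS zone-based firewall policy for a PPTP client behind NAT.
Added example for this thread (not Cisco's code, not the poster's config). It
walks class-map -> policy-map -> zone-pair in the order IOS evaluates them, so
parse() also accepts a real `show running-config`. The config snippets are
constructed and keep only the lines that decide the PPTP verdict."""
import re

# A generic "match protocol tcp/udp" covers anything on that transport; GRE
# (IP protocol 47) is on neither, which is exactly the Error 721 problem.
IP_PROTO = {"pptp": "tcp", "tcp": "tcp", "udp": "udp", "icmp": "icmp", "gre": "gre"}

# As posted: TCP 1723 is inspected as plain TCP, GRE falls through to class-default.
POSTED = """
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
policy-map type inspect sdm-inspect
 class type inspect sdm-insp-traffic
  inspect
 class class-default
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
"""
# Unclerico's change: PPTP application inspection, assumed here to also track the GRE call.
PPTP_INSPECT = POSTED.replace(" match protocol tcp", " match protocol pptp\n match protocol tcp")
# Microsoft's wording made explicit: pass GRE out, and back in through a new out-zone ->
# in-zone pair (names chosen here). In practice restrict the ACL to the VPN server's address.
GRE_PASS = """
ip access-list extended GRE_PASSTHRU
 permit gre any any
class-map type inspect match-all GRE_CLASS
 match access-group name GRE_PASSTHRU
""" + POSTED.replace(" class class-default", " class type inspect GRE_CLASS\n  pass\n class class-default") + """
policy-map type inspect GRE_PASS
 class type inspect GRE_CLASS
  pass
 class class-default
  drop log
zone-pair security zp-out-in source out-zone destination in-zone
 service-policy type inspect GRE_PASS
"""


def parse(text):
    cfg = {"acl": {}, "cmap": {}, "pmap": {}, "zp": {}}
    ctx = None  # (section kind, key) of the config sub-mode we are inside
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip access-list extended (\S+)$", line):
            ctx, cfg["acl"][m[1]] = ("acl", m[1]), []
        elif m := re.match(r"class-map type inspect (match-\S+) (\S+)$", line):
            ctx, cfg["cmap"][m[2]] = ("cmap", m[2]), (m[1], [])
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            ctx, cfg["pmap"][m[1]] = ("pmap", m[1]), []
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line):
            ctx = ("zp", (m[1], m[2]))
        elif not line or ctx is None:
            continue
        elif ctx[0] == "acl" and (m := re.match(r"permit (\S+) ", line)):
            cfg["acl"][ctx[1]].append(m[1])
        elif ctx[0] == "cmap" and (m := re.match(r"match (protocol|access-group name|class-map) (\S+)$", line)):
            cfg["cmap"][ctx[1]][1].append((m[1], m[2]))
        elif ctx[0] == "pmap" and (m := re.match(r"class (?:type inspect )?(\S+)$", line)):
            cfg["pmap"][ctx[1]].append([m[1], None])  # action arrives on the next line
        elif ctx[0] == "pmap" and line.split()[0] in ("inspect", "pass", "drop"):
            cfg["pmap"][ctx[1]][-1][1] = line.split()[0]
        elif ctx[0] == "zp" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            cfg["zp"][ctx[1]] = m[1]
    return cfg


def matches(cfg, cname, flow):
    """Does class-map `cname` classify `flow`? Nested class-maps recurse."""
    mode, criteria = cfg["cmap"][cname]
    proto = IP_PROTO.get(flow, flow)
    hits = [arg in (flow, proto) if kind == "protocol"
            else any(p in ("ip", proto) for p in cfg["acl"][arg]) if kind == "access-group name"
            else matches(cfg, arg, flow) for kind, arg in criteria]
    return all(hits) if mode == "match-all" else any(hits)


def mentions(cfg, cname, proto):
    """True if the class tree carries an explicit `match protocol <proto>`."""
    return cname in cfg["cmap"] and any(
        (kind == "protocol" and arg == proto) or (kind == "class-map" and mentions(cfg, arg, proto))
        for kind, arg in cfg["cmap"][cname][1])


def verdict(cfg, src, dst, flow):
    """(action, class) IOS applies to the first packet of `flow` from zone src to dst."""
    pmap = cfg["zp"].get((src, dst))
    if pmap is None:
        return "drop", None                 # no zone-pair: inter-zone default is drop
    for cname, action in cfg["pmap"][pmap]:
        if cname == "class-default" or matches(cfg, cname, flow):
            return action or "drop", cname  # a class with no action drops
    return "drop", None


def pptp_client_ok(cfg, inside="in-zone", outside="out-zone"):
    """Can a client in `inside` complete a PPTP tunnel to a server in `outside`?"""
    action, cname = verdict(cfg, inside, outside, "pptp")
    if action != "inspect":                 # control channel on TCP 1723 never completes
        return False
    if mentions(cfg, cname, "pptp"):        # assumed: PPTP inspection tracks the GRE call
        return True
    return (verdict(cfg, inside, outside, "gre")[0] == "pass"      # pass is stateless,
            and verdict(cfg, outside, inside, "gre")[0] == "pass")  # so GRE needs both ways
```

Run `pptp_client_ok(parse(text))` on the three snippets: the posted config comes back False (GRE in-zone to out-zone lands on class-default and drops, and out-zone to in-zone has no zone-pair at all), while both fixes come back True. The evaluator only says what the policy permits, not whether the PPTP inspection or NAT behaves on a given IOS release, and the thread reports that the first change alone did not help here, so verify on the router itself: while the client connects, `show policy-map type inspect zone-pair sessions` should show the 1723 session on sdm-zp-in-out, and `show ip nat translations` should show a gre entry next to the tcp one, because with `ip nat inside source list 1 interface FastEthernet4 overload` the server's GRE replies carry no port and can only be mapped back to the inside host by the NAT PPTP ALG. If the tcp entry is there and the gre entry is not, the problem is on the NAT side rather than the firewall. If you take the explicit-pass route, `permit gre any any` on an inbound pass is broader than needed; narrow the ACL to the VPN server's address.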
 