
Encrypted IPSec Traffic(?)


Jimtron26

Programmer
Nov 8, 2004
123
GB
Hello,

I was wondering if someone could clarify something for me?

We have a Cisco 1761 router acting as an IPSec VPN server to connect multiple remote users with Cisco VPN Client software

Someone else configured the router and I am trying to figure out why he has done certain things in the config...

I am ultimately trying to resolve a problem whereby two clients connected via IPSec cannot ping each other's VPN pool addresses. This in turn is necessary in order to allow unicast VoIP traffic between two remote users.

The first confusion I have come across is with the ISAKMP client configuration group which defines the group settings required in the VPN Client setup. It includes the crypto isakmp command "acl 140" which references access-list 140 to define which traffic should be encrypted.... however the ACL is configured as follows:

access-list 140 permit ip 192.168.42.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 140 permit ip 192.168.51.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 140 permit ip 192.168.60.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 140 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255

192.168.42.0/24 is our LAN subnet
192.168.50.0/24 is the subnet from which VPN client addresses are assigned dynamically
192.168.60.0/24 is our DMZ subnet
192.168.51.0/24..... no idea!! except there is a loopback interface configured with 192.168.51.1 address and a route-map with a next-hop address of 192.168.51.2!

To me, this ACL does not make sense in terms of defining which source and destination network traffic needs to be encrypted. ie all traffic from 192.168.42.0 to 192.168.42.0 should be encrypted????

Can someone please confirm I am not going mad or that the CCNP BCRAN is not feeding me nonsense....!!!!

Any thoughts most welcome

Thank you

Jim
 
Is this config an add-on to what was previously working? If so, perhaps the other configurer did not wr mem/copy run start...
if not, you could power cycle the router...
Beside that, I am still studying for my CCNP. I only know BSCI, switching, and CIT. I have yet to get into vpn's.
However, what you say makes sense. I assume the two users who cannot ping are first of all in the 192.168.50.0 subnet, trying to ping others in the same subnet? As far as why the acl's defining the subnets to be encrypted go, why aren't they standard acl's rather than extended?

Have you tried saving this config, then deleting the acl 140 and rebuilding it to what you think it should be, one statement at a time? Just my thoughts...

Tim
 
Dang, castlesmadeofsand! How did you pass the CIT without knowing the BCRAN vpn stuff? And, even that is just enough to make you confused.

The crypto map defines what traffic is encoded, but it in no way restricts traffic. However, if the traffic wasn't encrypted, it wouldn't get to the other side through the tunnel. Weird - I would think it wouldn't work. Perhaps one of the security guys could enlighten us.
 
Thanks for the comments castlemadeofsand and helpdeskdan

This is the original config the freelance engineer put on the router to get the vpn working in the first place!

This config has been running for about 18 months and there have been numerous saves to the config as well as reboots.

The biggest problem I have is that the VPN config is in use almost constantly (we have a remote worker in France!) and I am loath to change any settings without first ensuring what I am doing is correct or as near to that as I can get! We also run a web server for our customers on a DMZ which needs to be constantly up!

Doing a "show ip access-lists" reveals matches against the first and third lines of this ACL, however as mentioned, the ACL is also in use on 2 internal interfaces included in a policy route map. I think the first step is to separate the two functions on the router with different ACLs (or perhaps the same to begin with)

I spoke to my tutor on the CCNP last night who is as baffled as I am, as you have said dan, this implies there is no traffic being encrypted, yet if this is the case, how are the tunnels working!!!

Below is the config... it is messy!!! In particular, I would like to know why on earth there is a loopback interface configured related to the VPN and also a route map which points to an address (set next-hop 192.168.51.2) which does not even exist!!!

sh run
Building configuration...

Current configuration : 17710 bytes
!
! Last configuration change at 15:43:03 UTC Mon Oct 30 2006
! NVRAM config last updated at 15:47:48 UTC Mon Oct 30 2006
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NCLRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 <omitted>
!
username ryan password <omitted>
username mark password <omitted>
username jim password <omitted>
username sam password <omitted>
username james password <omitted>
username ian password <omitted>
username aaron password <omitted>
username dan password <omitted>
username chris password <omitted>
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network nclset local
aaa session-id common


ip subnet-zero
no ip source-route
!
!
!
!
no ip domain lookup
ip name-server <dns server>
ip name-server <dns server>
ip cef
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect name standard cuseeme
ip inspect name standard ftp
ip inspect name standard h323
ip inspect name standard rcmd
ip inspect name standard realaudio
ip inspect name standard smtp
ip inspect name standard sqlnet
ip inspect name standard streamworks
ip inspect name standard tcp
ip inspect name standard tftp
ip inspect name standard udp
ip inspect name standard vdolive
ip inspect name standard icmp
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp

ip inspect name insp http urlfilter
ip urlfilter exclusive-domain deny
ip urlfilter exclusive-domain deny

ip audit po max-events 100
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
crypto isakmp policy 20
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!

crypto isakmp client configuration group <omitted>
key <omitted>
pool nclvpn
acl 140
!
!
crypto ipsec transform-set nclset esp-des esp-md5-hmac
crypto ipsec transform-set nclvpn esp-des esp-md5-hmac
!

crypto dynamic-map dynmap 1
set transform-set nclset
!
!
crypto map nclvpn client authentication list userauthen
crypto map nclvpn isakmp authorization list nclset
crypto map nclvpn client configuration address initiate
crypto map nclvpn client configuration address respond
crypto map nclvpn 20 ipsec-isakmp dynamic dynmap
!
!
!
!

interface Loopback1
ip address 192.168.51.1 255.255.255.0
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!

interface FastEthernet0/0
description LAN Port
ip address 192.168.42.1 255.255.255.0
no ip unreachables
ip nat inside
ip inspect standard in
ip policy route-map nonat
speed auto
full-duplex
!
interface Ethernet1/0
description DMZ Port
ip address 192.168.60.1 255.255.255.0
ip access-group 150 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect standard in
ip route-cache flow
ip policy route-map nonat
full-duplex
no cdp enable
!
interface Virtual-Template1
no ip address
!
interface Dialer1
description ADSL Internet Port
ip address <public ip address>
ip access-group 123 in
ip nat outside
encapsulation ppp
no ip route-cache same-interface
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <omitted>
ppp chap password <omitted>
crypto map nclvpn
!
ip local pool nclvpn 192.168.50.100 192.168.50.150
ip nat pool outsidepool <public ip address> <public ip address> netmask 255.255.255.0

ip nat inside source route-map rmap pool outsidepool overload

<static NAT output omitted>

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 192.168.42.50
ip route 100.100.100.120 255.255.255.255 192.168.42.50
ip route 172.16.0.0 255.240.0.0 192.168.42.50
ip route 172.37.0.161 255.255.255.255 192.168.42.50
ip route 192.168.0.0 255.255.255.0 192.168.42.50
ip route 192.168.1.0 255.255.255.0 192.168.42.50
ip route 192.168.2.3 255.255.255.255 192.168.42.50
ip route 192.168.5.9 255.255.255.255 192.168.42.50
ip route 192.168.20.98 255.255.255.255 192.168.42.50
ip route 192.168.27.4 255.255.255.255 192.168.42.50
ip route 192.168.64.0 255.255.192.0 192.168.42.50
ip route 192.168.128.0 255.255.192.0 192.168.42.50
ip route 192.168.192.0 255.255.192.0 192.168.42.50
ip route 200.9.0.0 255.255.0.0 192.168.42.50

ip http server
ip http authentication local
no ip http secure-server
!
!
!
access-list 101 deny ip 192.168.42.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.42.0 0.0.0.255 any
access-list 101 deny ip any any


access-list 102 deny ip 192.168.42.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 deny ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit ip 192.168.42.0 0.0.0.255 any
access-list 102 permit ip 192.168.60.0 0.0.0.255 any
access-list 102 permit ip 192.168.80.0 0.0.0.255 any
access-list 102 permit ip 192.168.200.0 0.0.0.255 any


access-list 122 deny ip 192.168.42.0 0.0.0.255 any
access-list 122 permit icmp any host <public ip address> echo-reply
access-list 122 permit icmp any host <public ip address> time-exceeded
access-list 122 permit icmp any host <public ip address> unreachable
access-list 122 deny ip 10.0.0.0 0.255.255.255 any
access-list 122 deny ip 172.16.0.0 0.15.255.255 any
access-list 122 deny ip 192.160.0.0 0.15.255.255 any
access-list 122 deny ip 127.0.0.0 0.255.255.255 any
access-list 122 deny ip host 0.0.0.0 any
access-list 122 deny ip host 255.255.255.255 any
access-list 122 permit tcp any any eq smtp
access-list 122 permit tcp any any eq 1723
access-list 122 permit tcp any any eq 47
access-list 122 permit udp any any eq 47
access-list 122 permit icmp any any


access-list 123 remark Firewall_ACL
access-list 123 permit tcp any any eq www
access-list 123 permit esp any any
access-list 123 permit udp any any eq isakmp
access-list 123 permit udp any any eq non500-isakmp
access-list 123 permit ip any 192.168.42.0 0.0.0.255
access-list 123 permit tcp any any eq smtp
access-list 123 permit icmp any any
access-list 123 permit ip any 192.168.60.0 0.0.0.255
access-list 123 permit tcp any any eq 1723
access-list 123 permit gre any any
access-list 123 permit udp any any eq 47
access-list 123 permit tcp any any eq 47
access-list 123 deny ip 10.0.0.0 0.255.255.255 any
access-list 123 deny ip 172.16.0.0 0.15.255.255 any
access-list 123 deny ip 192.160.0.0 0.15.255.255 any
access-list 123 deny ip 127.0.0.0 0.255.255.255 any
access-list 123 deny ip host 0.0.0.0 any
access-list 123 deny ip host 255.255.255.255 any



access-list 124 permit tcp any any eq www
access-list 124 permit esp any any
access-list 124 permit udp any any eq isakmp
access-list 124 permit udp any any eq non500-isakmp
access-list 124 permit ip any 192.168.42.0 0.0.0.255
access-list 124 permit tcp any any eq smtp
access-list 124 permit icmp any any
access-list 124 permit ip any 192.168.60.0 0.0.0.255
access-list 124 permit tcp any any eq 1723
access-list 124 permit gre any any
access-list 124 permit udp any any eq 47
access-list 124 permit tcp any any eq 47



access-list 125 remark Dialer1 ACL
access-list 125 remark Dialer1 ACL no telnet
access-list 125 permit esp any any
access-list 125 permit udp any any eq isakmp
access-list 125 permit udp any any eq non500-isakmp
access-list 125 permit ip any 192.168.42.0 0.0.0.255
access-list 125 permit tcp any any eq smtp
access-list 125 permit icmp any any
access-list 125 permit tcp any any eq www
access-list 125 permit tcp any any eq 8081
access-list 125 permit tcp any any eq 8084
access-list 125 permit ip any 192.168.60.0 0.0.0.255
access-list 125 permit tcp any any eq 1533
access-list 125 permit tcp any any eq 8080
access-list 125 permit ip any 192.168.80.0 0.0.0.255
access-list 125 permit tcp any any eq 1723
access-list 125 permit gre any any
access-list 125 permit tcp host 224.0.1.41 host 192.168.42.50


access-list 130 permit ip 192.168.42.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 130 deny ip any any



access-list 140 permit ip 192.168.42.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 140 permit ip 192.168.51.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 140 permit ip 192.168.60.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 140 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255



access-list 141 permit ip 192.168.42.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 141 permit ip 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 141 permit ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255



access-list 150 remark DMZ ACL
access-list 150 deny ip 192.168.60.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 150 permit ip host 192.168.60.10 any



dialer-list 1 protocol ip permit

snmp-server community <omitted> RW
snmp-server enable traps tty
!

route-map rmap permit 20
match ip address 102
!

route-map nonat permit 20
match ip address 140 141
set ip next-hop 192.168.51.2
!
!
control-plane
!
alias configure dsr do sh run
alias configure dsir show ip route
alias configure dsiib do sh ip int brief
alias configure dsal do sh access-lists
alias exec sr show run
alias exec sir sh ip ro
alias exec siib sh ip int brief
alias exec sal sh access-lists
alias exec crs copy run start
!
line con 0
password <omitted>
logging synchronous
line aux 0
line vty 0 4
privilege level 15
password <omitted>
transport input telnet ssh
line vty 5 15
privilege level 15
password <omitted>
transport input telnet ssh
!
no scheduler allocate
!
end

Thanks for your ideas so far,

Any more are truly appreciated

Jim :eek:)
CCNA
 
I haven't passed any tests yet, Dan. Thanks for your concern though. Guess I don't know the CIT stuff. I'll crawl back into my hole now...
 
castlesmadeofsand - Sorry! Thought you said you had these certifications! You certainly know a lot for not having them. Why don't you join us on the Cisco certification and testing forum? We'll get you there, my friend! I think you're ready - make a goal to get the BSCI by the end of the year.

 
What Cisco cert and testing forum? Actually, I took the BSCI 3 days ago and got a 737 (need 779). I am retaking it next Tuesday. I got hammered on IS-IS and BGP questions. Anyway, I appreciate it. Please send me the link to the site to which you are referring...

Tim
 
Thank you for the document Dan, it is quite interesting

I wonder if the intention then was to bypass NAT for the IPSec traffic. If that is the case it possibly explains the bizarre ACL... (why a standard ACL was not used I don't know)... ie, match the ACL and use NAT.

The ACL also has a statement "permit ip 192.168.50.0...." which as you can see from the config, are the IPSec dynamically assigned addresses for connected clients...

Maybe the "acl 140" command under the ISAKMP config is a typo...??!!

I will create a new ACL tomorrow for the ISAKMP stuff and see what happens....

Jim
CCNA
 
Jim,

..you will be a better man than me when you figure this out.

...i guess i am interested in a couple of minor things..

..access-lists 101,122,124,125,130 don't seem to belong to anything or "nestled" under any policy map, etc;

..the policy map nonat has acl 140 nestled under it. and is applied to e1/0 and fa0/0..it has subnets that don't go under both interfaces...probably not a problem..but i think there should be more dedicated policy route-maps...

..acl 150, not sure if i am correct in my thinking but acl 123 is allowing any ip address into dmz..and you are allowing device 192.168.60.10 into your lan. (i think)..not sure w/o testing..but if that device in the dmz is compromised..well..

..kinda hard to figure other stuff out with out static maps..

...you could give fictitious ip's next time..so we can draw a better topology...

..also like you mentioned ..the acl 140 under crypto isakmp.....why would we encrypt 192.168.60 to 60..etc;

..still not answer your questions..

....i would suggest a static route pointing 192.168.50.0 255.255.255.0 to something ..maybe dialer interface..
..not sure if this is going to work..

.a lot of whatifs on this production network..

...i would put a lab together...

..a clean vpn config example using Loopback 0...



 
Dan thank you for your responses I am extremely grateful.

The DMZ ACL is omitted from the config (didn't think it would be relevant to the VPN problem) but there are only 3 ports open from the DMZ to the Local LAN which are used between servers. I have tested several common ports to connect from the DMZ to the LAN which have all been blocked. ACL 150 itself blocks 192.168.60.0 (DMZ) to 192.168.42.0 (LAN) and is applied inbound on E1/0, this should stop anything getting through.

The "unused" ACLs, I believe, have been set up for testing purposes and never removed. As is the case with a working config, I am reluctant to remove anything without absolute certainty I am not going to break anything!

ACL 140 contains all relevant subnets (as far as I can see) on the router including the loopback subnet, local subnet, DMZ subnet and VPN client IP subnet. Perhaps the engineer programming it was hedging his bets? In fact, here is an output from show ip access-list 140....

NCLRouter#sh ip access-list 140
Extended IP access list 140
10 permit ip 192.168.42.0 0.0.0.255 192.168.42.0 0.0.0.255 (22647 matches)
20 permit ip 192.168.51.0 0.0.0.255 192.168.51.0 0.0.0.255
30 permit ip 192.168.60.0 0.0.0.255 192.168.60.0 0.0.0.255 (19762 matches)
40 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255

As you can see only the 42.0 and 60.0 have any packet matches against them and I cannot tell (due to the same ACL being used for policy map and ISAKMP) which process is incrementing the packets however it suggests that the packet matches are for the policy map rather than encryption as this map is applied to Fa0/0 and E1/0

Thank you for the link as well. It looks like our friend has used the loopback interface for remote VPN clients to access the Internet via the VPN tunnel then out over the central site DSL.... I have just tried this with a connection to a customers VPN> Client connected.. tracert ran to traffic routed out over OUR network and router, not through the VPN... makes me wonder why the loopback was configured at all???

The mystery continues...

Cheers

Jim
CCNA
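The two questions running through this thread (what ACL 140 can and cannot match, and which traffic the "match ip address" under route-map nonat actually selects) can be checked offline by evaluating the ACLs the way IOS does: first match wins, wildcard bits set to 1 are "don't care", and an unmatched packet hits the implicit deny. The following is an added example, not code from the thread or from Cisco; it parses the numbered extended ACL lines as posted above (only the "permit|deny ip SRC DST" form those ACLs use, with any/host/wildcard address specs), assigns the 10/20/30 sequence numbers that "show ip access-list" displays, and then tests the source/destination pairs that matter here: LAN to client, client to client, LAN to LAN, and client to LAN.

```python
import ipaddress

# ACLs 140, 141 and 142 copied from the configs posted in this thread
# (constructed input for this example; sequence numbers are implied by order).
ACL_TEXT = """
access-list 140 permit ip 192.168.42.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 140 permit ip 192.168.51.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 140 permit ip 192.168.60.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 140 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 141 permit ip 192.168.42.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 141 permit ip 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 141 permit ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 142 permit ip any any
"""


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns ((network_int, wildcard_int), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wc = int(ipaddress.IPv4Address(tokens[1]))
    return (net, wc), tokens[2:]


def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [entries]}.
    Remarks, other protocols and blank lines are skipped (assumption: only the
    plain 'ip' form used by ACLs 140-142 is needed here)."""
    acls = {}
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        number, action = tokens[1], tokens[2]
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def _wildcard_match(addr, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (addr & care) == (net & care)


def match_acl(acl, src, dst):
    """First-match evaluation of one ACL for a src/dst pair.
    Returns (sequence_number, action) using the 10, 20, 30... numbering that
    'show ip access-list' prints; no match returns (None, 'deny'), the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for i, (action, sspec, dspec) in enumerate(acl, start=1):
        if _wildcard_match(s, sspec) and _wildcard_match(d, dspec):
            return i * 10, action
    return None, "deny"


def route_map_applies(acls, acl_numbers, src, dst):
    """A route-map clause 'match ip address 140 141' is satisfied when ANY of
    the listed ACLs permits the packet, so the clause is evaluated as an OR."""
    return any(match_acl(acls[n], src, dst)[1] == "permit" for n in acl_numbers)


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    pairs = {
        "LAN -> VPN client": ("192.168.42.10", "192.168.50.101"),
        "VPN client -> LAN": ("192.168.50.101", "192.168.42.10"),
        "client -> client": ("192.168.50.101", "192.168.50.102"),
        "LAN -> LAN": ("192.168.42.10", "192.168.42.20"),
    }
    for label, (src, dst) in pairs.items():
        print(f"{label:18} acl140={match_acl(acls['140'], src, dst)} "
              f"acl141={match_acl(acls['141'], src, dst)} "
              f"nonat(140 141)={route_map_applies(acls, ['140', '141'], src, dst)} "
              f"nonat(141)={route_map_applies(acls, ['141'], src, dst)}")
```

Run as a script it prints one line per pair. The point it makes visible: every entry in ACL 140 has the same network in the source and destination fields, so it only ever matches traffic staying inside one subnet (LAN to LAN, DMZ to DMZ, or client to client), which is consistent with the counters on entries 10 and 30 being driven by the policy route-map on Fa0/0 and E1/0 rather than by anything crypto-related; LAN-to-client traffic is matched only by ACL 141. It also shows what changes when route-map nonat is switched from "match ip address 140 141" to "match ip address 141": client-to-client and intra-LAN packets stop matching the clause.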
 
Further tests conducted:

Traceroute ran from connected VPN remote host to a web site (bbc.co.uk) on the Internet... traffic shows as routing through the users local router and NOT through the VPN tunnel and out through our network... doesn't this make the loopback and policy map requirement redundant?

Config change:
crypto isakmp client configuration group <omitted>
key <omitted>
pool nclvpn
acl 140

ACL now changed to 142 (configured the same as 140) tested with a remote client, working fine.

I am still at a loss regarding this ACL, upon viewing traffic stats on both the Client and "show crypto ipsec sa" I can see packets are being encrypted, decrypted and hashed with no problems at both ends however "show ip access-list 142" shows no packet matches against any of the ACL statements meaning surely that if the packets are being checked against this ACL, they are not finding a match and therefore not being encrypted!... What is causing these packets to be encrypted???

Just checking the VPN stuff in the BCRAN: The statement "crypto map nclvpn 20 ipsec-isakmp dynamic dynmap" tells me that ISAKMP is to define which traffic is to be encrypted (acl 142 statement).

I will be making further changes this afternoon and will update

Thanks

Jim
CCNA
 
Update for problem

I carried out the following....

Test 1. Removed policy route-map from Fa0/0 and E1/0 interfaces. This allowed remote client to connect via VPN however could not ping any devices on either the 192.168.42.0 or 192.168.60.0 networks until the policy route-map was put back in place.

Test 2. Shut down interface Lo0 using "shutdown" command. Remote client was still able to connect to the router and access hosts on the 192.168.42.0 and 192.168.60.0 networks as well as access the Internet. However after approximately 10 minutes, client was unable to access the Internet whilst connected to the VPN. Re-enabled Lo0 interface using "no shutdown" command and after 5 minutes, all working ok.

Test 3. Removed the "acl 142" statement from ISAKMP configuration as this appears to be doing nothing.

This morning - Received an email from remote client and telephone call from another advising they now cannot access the Internet whilst connected on the VPN!!!

Here is the current config which has been tidied up some...

hostname NCLRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret <omitted>
!
username ryan password <omitted>
username mark password <omitted>
username jim password <omitted>
username sam password <omitted>
username james password <omitted>
username aaron password <omitted>
username dan password <omitted>
username chris password <omitted>
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network nclset local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
ip host switch 192.168.42.172
ip name-server <external dns-server>
ip name-server <external dns-server>
ip cef
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect name standard cuseeme
ip inspect name standard ftp
ip inspect name standard h323
ip inspect name standard rcmd
ip inspect name standard realaudio
ip inspect name standard smtp
ip inspect name standard sqlnet
ip inspect name standard streamworks
ip inspect name standard tcp
ip inspect name standard tftp
ip inspect name standard udp
ip inspect name standard vdolive
ip inspect name standard icmp
ip inspect name insp http urlfilter
ip urlfilter exclusive-domain deny
ip urlfilter exclusive-domain deny
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
crypto isakmp policy 20
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group <omitted>
key <omitted>
pool nclvpn
!
!
crypto ipsec transform-set nclset esp-des esp-md5-hmac
crypto ipsec transform-set nclvpn esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 1
set transform-set nclset
!
!
crypto map nclvpn client authentication list userauthen
crypto map nclvpn isakmp authorization list nclset
crypto map nclvpn client configuration address initiate
crypto map nclvpn client configuration address respond
crypto map nclvpn 20 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback1
ip address 192.168.51.1 255.255.255.0
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0/0
description LAN Port
ip address 192.168.42.1 255.255.255.0
no ip unreachables
ip nat inside
ip inspect standard in
ip policy route-map nonat
speed auto
full-duplex
!
interface Ethernet1/0
description DMZ Port
ip address 192.168.60.1 255.255.255.0
ip access-group 150 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect standard in
ip route-cache flow
ip policy route-map nonat
full-duplex
no cdp enable
!
interface Virtual-Template1
no ip address
!
interface Dialer1
description ADSL Internet Port
ip address <public ip address>
ip access-group 123 in
ip nat outside
encapsulation ppp
no ip route-cache same-interface
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <omitted>
ppp chap password <omitted>
crypto map nclvpn
!
ip local pool nclvpn 192.168.50.100 192.168.50.150
ip nat pool outsidepool <public ip address> <public ip address> netmask 255.255.255.0

Static NAT configured to forward incoming smtp traffic from the Internet to internal mail server
Static NAT configured to forward incoming http and ports 8080, 8081 and 8084 traffic from the Internet to DMZ server


ip nat inside source route-map rmap pool outsidepool overload


ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 192.168.42.50
ip route 10.56.48.0 255.255.255.0 Tunnel1
ip route 100.100.100.120 255.255.255.255 192.168.42.50
ip route 172.16.0.0 255.240.0.0 192.168.42.50
ip route 172.37.0.161 255.255.255.255 192.168.42.50
ip route 192.168.0.0 255.255.255.0 192.168.42.50
ip route 192.168.1.0 255.255.255.0 192.168.42.50
ip route 192.168.2.3 255.255.255.255 192.168.42.50
ip route 192.168.5.9 255.255.255.255 192.168.42.50
ip route 192.168.20.98 255.255.255.255 192.168.42.50
ip route 192.168.27.4 255.255.255.255 192.168.42.50
ip route 192.168.64.0 255.255.192.0 192.168.42.50
ip route 192.168.128.0 255.255.192.0 192.168.42.50
ip route 192.168.192.0 255.255.192.0 192.168.42.50
ip route 200.9.0.0 255.255.0.0 192.168.42.50
ip http server
ip http authentication local
no ip http secure-server
!
!
!
ip access-list extended Test
ip access-list extended test

access-list 102 deny ip 192.168.42.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 deny ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit ip 192.168.42.0 0.0.0.255 any
access-list 102 permit ip 192.168.60.0 0.0.0.255 any
access-list 102 permit ip 192.168.80.0 0.0.0.255 any
access-list 102 permit ip 192.168.200.0 0.0.0.255 any

access-list 123 remark Firewall_ACL
access-list 123 permit tcp any any eq www
access-list 123 permit esp any any
access-list 123 permit udp any any eq isakmp
access-list 123 permit udp any any eq non500-isakmp
access-list 123 permit ip any 192.168.42.0 0.0.0.255
access-list 123 permit tcp any any eq smtp
access-list 123 permit icmp any any
access-list 123 permit ip any 192.168.60.0 0.0.0.255
access-list 123 permit tcp any any eq 1723
access-list 123 permit tcp any host <DMZ Server> eq 8080
access-list 123 permit tcp any host <DMZ Server> eq 8081
access-list 123 permit tcp any host <DMZ Server> eq 8084
access-list 123 permit udp any host <DMZ Server> range 49252 49284
access-list 123 permit gre any any
access-list 123 permit udp any any eq 47
access-list 123 permit tcp any any eq 47
access-list 123 deny ip 10.0.0.0 0.255.255.255 any
access-list 123 deny ip 172.16.0.0 0.15.255.255 any
access-list 123 deny ip 192.160.0.0 0.15.255.255 any
access-list 123 deny ip 127.0.0.0 0.255.255.255 any
access-list 123 deny ip host 0.0.0.0 any
access-list 123 deny ip host 255.255.255.255 any

access-list 140 permit ip 192.168.42.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 140 permit ip 192.168.51.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 140 permit ip 192.168.60.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 140 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255


access-list 141 permit ip 192.168.42.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 141 permit ip 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 141 permit ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255

access-list 142 permit ip any any

access-list 150 remark DMZ ACL
access-list 150 permit tcp host <DMZ Server> 192.168.42.0 0.0.0.255 eq 1352
access-list 150 permit tcp any any eq 1533
access-list 150 permit tcp host <DMZ Server> host <LAN Server> eq 1503
access-list 150 permit tcp host <DMZ Server> host <LAN Server> eq 1516
access-list 150 permit tcp host <DMZ Server> host <LAN Server> eq 1503
access-list 150 permit tcp host <DMZ Server> host <LAN Server> eq 1516
access-list 150 deny ip 192.168.60.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 150 permit ip host <DMZ Server> any

dialer-list 1 protocol ip permit

snmp-server community <string> RW
snmp-server enable traps tty
!
route-map rmap permit 20
match ip address 102
!
route-map nonat permit 20
match ip address 141
set ip next-hop 192.168.51.2
!
!
control-plane
!
alias configure dsr do sh run
alias configure dsir show ip route
alias configure dsiib do sh ip int brief
alias configure dsal do sh access-lists
alias exec sr show run
alias exec sir sh ip ro
alias exec siib sh ip int brief
alias exec sal sh access-lists
alias exec crs copy run start
!
line con 0
password <omitted>
logging synchronous
line aux 0
line vty 0 4
privilege level 15
password <omitted>
transport input telnet ssh
line vty 5 15
privilege level 15
password <omitted>
transport input telnet ssh
!
!
end
 