
Help setting up a VPN on Cisco 1800 series...


PImoose

Technical User
Dec 3, 2008
53
US
I have 2 1811 routers on 2 different ISPs that I am trying to get a test site-to-site VPN set up between. I have tried the SDM/CCP wizard and also followed a few different sites, the last one being this one:

The 2 routers can't ping each other. Main router is on a 172.27.0.0 network, while remote router is going to be a 10.0.0.0 network.


RPUBLICIP is the public IP of the router below; MPUBLICIP is the main site's public IP.

Here is the remote router:

Building configuration...

Current configuration : 5431 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1811East
!
boot-start-marker
warm-reboot
boot-end-marker
!
no logging buffered
enable secret 5 ***************
enable password ***********
!
no aaa new-model
!
resource policy
!
memory-size iomem 20
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.1.255
ip dhcp excluded-address 10.0.3.255 10.0.255.254
!
ip dhcp pool Eastside10
network 10.0.0.0 255.255.0.0
dns-server 10.0.0.1
default-router 10.0.0.1
domain-name dw.local
lease 7
!
!
ip domain name dw.local
ip name-server 4.2.2.1
ip inspect name SDM_Low tcp
ip inspect name SDM_Low udp
ip inspect name SDM_Low http
ip address-pool dhcp-pool
!
!
crypto pki trustpoint TP-self-signed-975937829
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-975937829
revocation-check none
rsakeypair TP-self-signed-975937829
!
!
crypto pki certificate chain TP-self-signed-975937829
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 39373539 33373832 39301E17 0D313030 36313431 33353734
335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3937 35393337
38323930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BF517672 2F294F99 A4011D7E 5A5A79E8 81060533 839F479D CFAF3D8A 3174F1AB
22D9B365 4D1B9399 430F3C5D 9C4FCE6D E4C18BC0 2C06E716 792FAE4F 6EAD063E
E47F68B3 42E676C5 E6F94E1D F16C9ACA 495921DD 34F7F3E0 EF293F34 B39D5D03
51DCE7B8 DF46896E 0A2527F7 45780136 C2CD4CCB 41B04EE9 214B75C3 3416C393
02030100 01A37630 74300F06 03551D13 0101FF04 05300301 01FF3021 0603551D
11041A30 18821643 6973636F 31383131 45617374 2E64772E 6C6F6361 6C301F06
03551D23 04183016 8014576B 8CFADD07 96165FCD 07DB6502 690282DB 3FFF301D
0603551D 0E041604 14576B8C FADD0796 165FCD07 DB650269 0282DB3F FF300D06
092A8648 86F70D01 01040500 03818100 8F364314 727B8E4D C3491574 493988B5
CF5A2DE1 874981B7 FBF902B0 BB098D03 407C2538 227053B5 2CC21693 7DA7E081
BDDD2526 9F8A2C7A 8DB396C0 2BFFB6A7 134150A2 472097DE 10A87CE6 5549C4B6
54CC5C9C F0ED4398 D9EA4BA4 2A632ABF C4B765A4 6283BAA0 23E6AA93 C93B5BCC
AEB2ADE2 61DEA44D 140B030A FE4C0878
quit
username admin privilege 15 password 0 **********
!
!
!
crypto isakmp policy 9
hash md5
authentication pre-share
crypto isakmp key ********* address MPUBLICIP
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer MPUBLICIP
set transform-set TSET
match address 111
!
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address RPUBLICIP 255.255.255.248
ip access-group 101 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_Low out
ip virtual-reassembly
duplex auto
speed auto
crypto map CRYPTOMAP
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 10.0.0.1 255.255.0.0
ip access-group sdm_vlan1_in in
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 RPUBLICIP
!
ip dns server
ip dns primary dw.local soa ns.dw.local helpdesk.domain.com 21600 900 7776000 86400
!
ip http server
ip http authentication local
ip http secure-server
ip nat pool ISP1 172.27.0.0 172.27.255.255 netmask 255.255.0.0
ip nat pool ISP11 RPUBLICIP RPUBLICIP netmask 255.255.255.255
ip nat inside source list 101 interface FastEthernet0 overload
!
ip access-list extended sdm_vlan1_in
remark SDM_ACL Category=1
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
!
access-list 101 remark CCP_ACL Category=19
access-list 101 permit ahp host MPUBLICIP host RPUBLICIP
access-list 101 permit esp host MPUBLICIP host RPUBLICIP
access-list 101 permit udp host MPUBLICIP host RPUBLICIP eq isakmp
access-list 101 permit udp host MPUBLICIP host RPUBLICIP eq non500-isakmp
access-list 101 permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.0.0.0
access-list 101 permit tcp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any host RPUBLICIP eq www
access-list 101 permit udp host 4.2.2.1 eq domain any
access-list 101 permit icmp any host RPUBLICIP
access-list 101 permit udp any eq domain host RPUBLICIP
access-list 101 permit ip any host RPUBLICIP
access-list 101 deny tcp any any
access-list 111 permit ip 0.0.0.0 255.0.0.0 0.0.0.0 255.255.0.0
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
password **********
login local
transport input telnet ssh
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
 
I will assume that the routers can't ping each other because of an addressing issue, not a filter.

If the 2 routers can't ping each other you can't set up a VPN tunnel. You have to tie each end of the tunnel to an addressable interface.
 
I meant they can't ping the private IP as in I don't think the VPN tunnel is working.

Public IP is fine. I tied the VPN tunnel to each FE0 interface using: crypto map MAPNAME
 
OK, but then you still need to define the tunnel:


interface Tunnel0
ip address 10.99.99.1 255.255.255.0
tunnel source <insertlocalexternalip>
tunnel destination <insertremoteexternalip>
!

and on the other router:

interface Tunnel0
ip address 10.99.99.2 255.255.255.0
tunnel source <insertlocalexternalip>
tunnel destination <insertremoteexternalip>
!

So you are defining a mini subnet within the tunnel, and your routing needs to reflect the new gateways:

ip route 172.27.0.0 255.255.0.0 10.99.99.1


and on the other

ip route 10.0.0.0 255.255.0.0 10.99.99.2

 
Stan---this is an IPSEC VPN, not a GRE tunnel...

Moose---you need to define the DH group under the ISAKMP policy in both routers. It should then work. However, your NAT is messed up...first, in the ISP1 pool, the last address needs to be .254, not .255 (broadcast for that network). Since it is not being used, it's not crucial. You also need acl 102 to say

access-list 102 permit ip 10.0.0.0 0.0.255.255 any
ip nat inside source list 102 int fa0 over

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
What are you referencing in DH group? Maybe I am having a brain fart, but that term isn't clicking in my head.



Thanks
 
Diffie-Hellman...

crypto isakmp policy 9
hash md5
authentication pre-share
group 2

It will take group 1, 2 or 5 (different encryption levels, the higher the # the greater), and they must be the same on both routers. By the way, is everything else the same except for the crypto ACL in the other router? It has to be for it to work. If it still does not work, do
router#deb crypto engine
router#deb crypto ipsec
router#deb crypto isakmp
then go into the outside interface on your router, remove the crypto map, wait 10 seconds, and re-apply it. As soon as it is reapplied on the interface, you will see a whole slew of output---capture that output and paste it here, ONLY if it does not work.

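The two requirements stated in the posts above (the ISAKMP parameters, including the DH group, must agree on both routers, and everything except the crypto ACL, which must be the mirror image, has to match) plus the NAT interaction mentioned earlier are things you can check mechanically before reaching for the debugs. The script below is an added example, not code from the thread or from Cisco: it parses the ISAKMP policy and numbered ACLs out of two IOS config snippets and reports mismatches. Assumptions made here: the IOS defaults it fills in for an omitted keyword (DES, SHA, rsa-sig, group 1), IOS wildcard semantics (a wildcard bit of 1 is don't-care, so non-contiguous masks are modelled with bit arithmetic rather than prefixes), and the IOS order of operations on the outside interface, where inside-to-outside NAT runs before the crypto map so LAN-to-LAN traffic has to be denied in the NAT ACL or it is translated before it can match the crypto ACL. The two sample configs are constructed for illustration, modelled on the thread's 10.0.0.0/16 and 172.27.0.0/16 placeholders, and are not the posted configs.

```python
import ipaddress
import re

# IOS defaults that apply when an ISAKMP policy omits a keyword (assumption stated in the lead-in)
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
ACL_RE = re.compile(r"^\s*access-list (\d+) (permit|deny)\s+ip\s+(.+)$")

def parse_isakmp_policy(config):
    """Effective parameters of the first 'crypto isakmp policy' block, defaults filled in."""
    params, lines = dict(ISAKMP_DEFAULTS), iter(config.splitlines())
    for line in lines:
        if line.startswith("crypto isakmp policy"):
            break
    for line in lines:
        if not line.startswith(" "):  # the next top-level line ends the block
            break
        key, _, value = line.strip().partition(" ")
        if key in params:
            params[key] = value
    return params

def _covers(base, wc, net):
    """True when 'base wildcard' matches every address of net (wildcard bit 1 = don't care)."""
    fixed, net = ~wc & 0xFFFFFFFF, ipaddress.ip_network(net)  # fixed = the bits the entry pins
    return (int(net.hostmask) & fixed) == 0 and (int(net.network_address) & fixed) == (base & fixed)

class AclEntry:
    """One 'permit|deny ip <src> <wc> <dst> <wc>' line; non-contiguous wildcards are handled."""
    def __init__(self, action, src, src_wc, dst, dst_wc):
        self.action = action
        self.src, self.src_wc, self.dst, self.dst_wc = (int(ipaddress.IPv4Address(a)) for a in (src, src_wc, dst, dst_wc))
    def covers(self, src_net, dst_net):
        return _covers(self.src, self.src_wc, src_net) and _covers(self.dst, self.dst_wc, dst_net)
    def key(self):
        """(src, wc, dst, wc) with don't-care bits cleared, so equivalent rules compare equal."""
        return (self.src & ~self.src_wc & 0xFFFFFFFF, self.src_wc, self.dst & ~self.dst_wc & 0xFFFFFFFF, self.dst_wc)

def _addr(tokens):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tokens.pop(0), "0.0.0.0") if tok == "host" else (tok, tokens.pop(0))

def parse_acl(config, number):
    """All 'ip' entries of one numbered ACL, in configured order."""
    entries = []
    for m in filter(None, map(ACL_RE.match, config.splitlines())):
        if m.group(1) == number:
            tokens = m.group(3).split()
            src, dst = _addr(tokens), _addr(tokens)  # source first, then destination
            entries.append(AclEntry(m.group(2), *src, *dst))
    return entries

def mirrored(local, remote):
    """The peer's crypto ACL must be ours with source and destination swapped."""
    swap = lambda k: (k[2], k[3], k[0], k[1])
    return sorted(e.key() for e in local) == sorted(swap(e.key()) for e in remote)

def first_action(entries, src_ip, dst_ip):
    """IOS evaluates top-down, first match wins; no match is the implicit deny."""
    return next((e.action for e in entries if e.covers(src_ip + "/32", dst_ip + "/32")), "deny")

def check_pair(local_cfg, remote_cfg, local_lan, remote_lan, crypto_acl="111", nat_acl=""):
    """Return the problems found; an empty list means every check passed."""
    problems = []
    lp, rp = parse_isakmp_policy(local_cfg), parse_isakmp_policy(remote_cfg)
    for key in ISAKMP_DEFAULTS:  # phase 1 only completes when all four agree
        if lp[key] != rp[key]:
            problems.append(f"isakmp {key}: local={lp[key]} remote={rp[key]}")
    lacl, racl = parse_acl(local_cfg, crypto_acl), parse_acl(remote_cfg, crypto_acl)
    if not any(e.covers(local_lan, remote_lan) for e in lacl):
        problems.append(f"crypto acl {crypto_acl} does not cover {local_lan} -> {remote_lan}")
    if not mirrored(lacl, racl):
        problems.append(f"crypto acl {crypto_acl} is not the mirror of the peer's")
    if nat_acl:  # inside->outside NAT runs before the crypto map, so LAN-to-LAN traffic must be denied here
        src, dst = str(ipaddress.ip_network(local_lan)[10]), str(ipaddress.ip_network(remote_lan)[10])
        if first_action(parse_acl(local_cfg, nat_acl), src, dst) != "deny":
            problems.append(f"nat acl {nat_acl} would translate {src} -> {dst} before encryption")
    return problems

# Constructed sample configs (not the thread's): the 10.0.0.0/16 remote side, then the 172.27.0.0/16 main side
REMOTE_CFG = """\
crypto isakmp policy 9
 hash md5
 authentication pre-share
 group 2
access-list 102 deny ip 10.0.0.0 0.0.255.255 172.27.0.0 0.0.255.255
access-list 102 permit ip 10.0.0.0 0.0.255.255 any
access-list 111 permit ip 10.0.0.0 0.0.255.255 172.27.0.0 0.0.255.255
"""
MAIN_CFG = """\
crypto isakmp policy 9
 hash md5
 authentication pre-share
 group 2
access-list 111 permit ip 172.27.0.0 0.0.255.255 10.0.0.0 0.0.255.255
"""
```

Calling `check_pair(REMOTE_CFG, MAIN_CFG, "10.0.0.0/16", "172.27.0.0/16", nat_acl="102")` on the samples returns an empty list; removing the `deny` line from ACL 102, or changing `group 2` to `group 1` on one side, makes the corresponding check report it. The wildcard model is the part worth keeping even if you discard the rest: an entry such as `permit ip 0.0.0.0 255.0.0.0 0.0.0.0 255.255.0.0` leaves only the first octet free on the source side, so `AclEntry.covers` correctly reports that it does not cover a /16, which a prefix-based parser would get wrong.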
 
Added the group to both routers. Both routers are configured from the link in my first post. The main router has more ACLs/port forwarding as it is our main office router, but the VPN is configured the same.


With those debugs on, the following is all I get when I remove the crypto map, assuming I am doing it correctly.


Cisco1811East(config-if)#no crypto map CRYPTOMAP
Cisco1811East(config-if)#
*Jun 16 15:13:14.789: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFFcrypto map CRYPTOMAP
Cisco1811East(config-if)#
*Jun 16 15:14:32.893: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON



I'm open to other VPN walkthroughs/articles as well. The goal in the end is to have a site-to-site VPN set up so that under 10 people will be hooked into this router and nearly all domain traffic gets sent back to the home base.
 
Did you change the NAT? Also, please post the config of the other router, and the most recent config of the first router...

 
Yes, I added the line to NAT. The way I am trying to test the VPN is just by pinging the private IP of the other router from the router CLI. Is there a better way to try?

Here is the remote router config:

Cisco1811East#sh
*Jun 16 18:42:34.728: %SYS-5-CONFIG_I: Configured from console by consolerun
Building configuration...

Current configuration : 6333 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1811East
!
boot-start-marker
warm-reboot
boot-end-marker
!
no logging buffered
enable secret 5 ********************
enable password *******
!
no aaa new-model
!
resource policy
!
memory-size iomem 20
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.1.255
ip dhcp excluded-address 10.0.3.255 10.0.255.254
!
ip dhcp pool Eastside10
network 10.0.0.0 255.255.0.0
dns-server 10.0.0.1
default-router 10.0.0.1
domain-name dw.local
lease 7
!
!
ip domain name dw.local
ip name-server 4.2.2.1
ip inspect name SDM_Low tcp
ip inspect name SDM_Low udp
ip inspect name SDM_Low http
ip address-pool dhcp-pool
!
!
crypto pki trustpoint TP-self-signed-975937829
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-975937829
revocation-check none
rsakeypair TP-self-signed-975937829
!
!
crypto pki certificate chain TP-self-signed-975937829
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 39373539 33373832 39301E17 0D313030 36313431 33353734
335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3937 35393337
38323930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BF517672 2F294F99 A4011D7E 5A5A79E8 81060533 839F479D CFAF3D8A 3174F1AB
22D9B365 4D1B9399 430F3C5D 9C4FCE6D E4C18BC0 2C06E716 792FAE4F 6EAD063E
E47F68B3 42E676C5 E6F94E1D F16C9ACA 495921DD 34F7F3E0 EF293F34 B39D5D03
51DCE7B8 DF46896E 0A2527F7 45780136 C2CD4CCB 41B04EE9 214B75C3 3416C393
02030100 01A37630 74300F06 03551D13 0101FF04 05300301 01FF3021 0603551D
11041A30 18821643 6973636F 31383131 45617374 2E64772E 6C6F6361 6C301F06
03551D23 04183016 8014576B 8CFADD07 96165FCD 07DB6502 690282DB 3FFF301D
0603551D 0E041604 14576B8C FADD0796 165FCD07 DB650269 0282DB3F FF300D06
092A8648 86F70D01 01040500 03818100 8F364314 727B8E4D C3491574 493988B5
CF5A2DE1 874981B7 FBF902B0 BB098D03 407C2538 227053B5 2CC21693 7DA7E081
BDDD2526 9F8A2C7A 8DB396C0 2BFFB6A7 134150A2 472097DE 10A87CE6 5549C4B6
54CC5C9C F0ED4398 D9EA4BA4 2A632ABF C4B765A4 6283BAA0 23E6AA93 C93B5BCC
AEB2ADE2 61DEA44D 140B030A FE4C0878
quit
username admin privilege 15 password 0 *********
!
!
!
crypto isakmp policy 9
hash md5
authentication pre-share
group 2
crypto isakmp key ********** address M_PUBLIC_IP
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer M_PUBLIC_IP
set transform-set TSET
match address 111
!
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address R_PUBLIC_IP 255.255.255.248
ip access-group 102 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_Low out
ip virtual-reassembly
duplex auto
speed auto
crypto map CRYPTOMAP
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 10.0.0.1 255.255.0.0
ip access-group sdm_vlan1_in in
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 R_PUBLIC_IP2
!
ip dns server
ip dns primary dw.local soa ns.dw.local helpdesk.domain.com 21600 900 7776000 86400
!
ip http server
ip http authentication local
ip http secure-server
ip nat pool ISP11 R_PUBLIC_IP R_PUBLIC_IP netmask 255.255.255.255
ip nat pool ISP1 172.27.0.0 172.27.255.254 netmask 255.255.0.0
ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source list 102 interface FastEthernet0 overload
!
ip access-list extended sdm_vlan1_in
remark SDM_ACL Category=1
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
!
access-list 101 remark CCP_ACL Category=18
access-list 101 permit ahp host M_PUBLIC_IP host R_PUBLIC_IP
access-list 101 permit esp host M_PUBLIC_IP host R_PUBLIC_IP
access-list 101 permit udp host M_PUBLIC_IP host R_PUBLIC_IP eq isakmp
access-list 101 permit udp host M_PUBLIC_IP host R_PUBLIC_IP eq non500-isakmp
access-list 101 permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.0.0.0
access-list 101 permit tcp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any host R_PUBLIC_IP eq www
access-list 101 permit udp host 4.2.2.1 eq domain any
access-list 101 permit icmp any host R_PUBLIC_IP
access-list 101 permit udp any eq domain host R_PUBLIC_IP
access-list 101 permit ip any host R_PUBLIC_IP
access-list 101 deny tcp any any
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 10.0.0.0 0.0.255.255 any
access-list 102 permit ahp host M_PUBLIC_IP host R_PUBLIC_IP
access-list 102 permit esp host M_PUBLIC_IP host R_PUBLIC_IP
access-list 102 permit udp host M_PUBLIC_IP host R_PUBLIC_IP eq isakmp
access-list 102 permit udp host M_PUBLIC_IP host R_PUBLIC_IP eq non500-isakmp
access-list 102 permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.0.0.0
access-list 102 permit tcp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit tcp any host R_PUBLIC_IP eq www
access-list 102 permit udp host 4.2.2.1 eq domain any
access-list 102 permit icmp any host R_PUBLIC_IP
access-list 102 permit udp any eq domain host R_PUBLIC_IP
access-list 102 permit ip any host R_PUBLIC_IP
access-list 102 deny tcp any any
access-list 111 permit ip 0.0.0.0 255.0.0.0 0.0.0.0 255.255.0.0
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
password ***********
login local
transport input telnet ssh
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end


Here is the main router. I chopped out our static IP pool for desktops, as it is a few pages long.


Building configuration...

Current configuration : 29843 bytes
!
! Last configuration change at 09:18:00 EDT Wed Jun 16 2010
! NVRAM config last updated at 09:03:06 EDT Mon Jun 14 2010 by admin
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname Cisco1811
!
boot-start-marker
boot system flash:c181x-advipservicesk9-mz.124-15.XY5.bin
warm-reboot
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000 debugging
logging rate-limit 10000
logging console critical
enable secret 5 **************
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time EDT recurring
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.27.3.255 172.27.255.254
ip dhcp excluded-address 192.168.6.1 192.168.6.9
ip dhcp excluded-address 172.27.0.1 172.27.2.255
!
ip dhcp pool DW_WS1
network 172.27.0.0 255.255.0.0
domain-name dw.local
dns-server 172.27.1.10 172.27.1.20
default-router 172.27.0.9
netbios-name-server 172.27.1.10
!
ip dhcp pool DW_Pub1
network 192.168.6.0 255.255.255.0
!

!
!
ip tcp synwait-time 10
ip flow-cache timeout active 1
ip domain lookup source-interface FastEthernet0
ip domain name dw.local
ip name-server 4.2.2.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect audit-trail
ip inspect max-incomplete high 20000000
ip inspect one-minute high 100000000
ip inspect tcp max-incomplete host 100000 block-time 0
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW ssh
ip urlfilter source-interface FastEthernet0
ip urlfilter audit-trail
!
!
crypto pki trustpoint TP-self-signed-975937829
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-975937829
revocation-check none
rsakeypair TP-self-signed-975937829
!
crypto pki trustpoint Mcbain
enrollment terminal
serial-number none
fqdn Cisco1811.dw.local
ip-address none
password
revocation-check crl
rsakeypair SDM-RSAKey-1276520957000
!
!
crypto pki certificate chain TP-self-signed-975937829
certificate self-signed 01
30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 39373539 33373832 39301E17 0D303830 34313631 37303532
355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3937 35393337
38323930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BB0FA680 5BD3E511 B0E643E3 CF84F6FC A059E9E6 009DD94B 989FF158 F1D7BB9F
96563567 86ED0B3D 4832D629 1543AF7F FF1052D1 F79C58EE A2074683 CA77BA5E
E72A240C B73D6C23 217F4D3E AD4F0251 6B38611E CACE16D6 1CF499E9 0EF34F2A
C8F56877 448B5D8F E5FB9B39 9CA13EB4 DE6A37B5 10AFCB0D 560E8DF0 A8E35B09
02030100 01A37230 70300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
11041630 14821243 6973636F 31383131 2E64772E 6C6F6361 6C301F06 03551D23
04183016 8014D72D 0884FB51 61B1D061 CA72C41B 522D1113 B9E8301D 0603551D
0E041604 14D72D08 84FB5161 B1D061CA 72C41B52 2D1113B9 E8300D06 092A8648
86F70D01 01040500 03818100 02D14EB9 C8F005A3 002C7AD8 CAA3A5BE D6CC24AD
7E2246FD 8F58C58A 63929E5E CBE600B8 05DC721E 77E33B3E AD30BE17 FB18380E
013D9D8A F83A2CE6 5B7175E6 81394649 D87A5AD0 460A6801 0CC9C624 D76E4275
5841F914 4C9562F8 8C73E497 6C808C38 C2DB1926 6B947D35 136E8F7C 4D238507
2BA3EE94 C8A354C7 5302240D
quit
crypto pki certificate chain Mcbain
certificate ca 0DAA35
30820334 3082029D A0030201 0202030D AA35300D 06092A86 4886F70D 01010505
00304E31 0B300906 03550406 13025553 3110300E 06035504 0A130745 71756966
6178312D 302B0603 55040B13 24457175 69666178 20536563 75726520 43657274
69666963 61746520 41757468 6F726974 79301E17 0D303931 30333030 37353332
375A170D 31303132 30313036 33353235 5A3081BE 310B3009 06035504 06130255
53311A30 18060355 040A1411 2A2E646F 726E6572 776F726B 732E636F 6D311330
11060355 040B130A 47543738 39393035 38363131 302F0603 55040B13 28536565
20777777 2E726170 69647373 6C2E636F 6D2F7265 736F7572 6365732F 63707320
28632930 39312F30 2D060355 040B1326 446F6D61 696E2043 6F6E7472 6F6C2056
616C6964 61746564 202D2052 61706964 53534C28 5229311A 30180603 55040314
112A2E64 6F726E65 72776F72 6B732E63 6F6D3081 9F300D06 092A8648 86F70D01
01010500 03818D00 30818902 818100A0 161D60CE FEA95CBE C88D4106 DB90A932
06BD4954 300A2D7F A0CAA781 3DE136BD BFA7F3E2 92E5EFD3 6B380D91 3FECC784
1C3783AE 66D4251F A129239E 062C5B22 0E3A4FA6 BBF3D2BB 392A3942 3D772E5D
9373169A 6996685E C5EF1397 E5945771 24B19833 E44CEDE2 4495A371 D7EA4B1A
88126568 A0FD2D04 83BC3752 EAFE5902 03010001 A381AE30 81AB300E 0603551D
0F0101FF 04040302 04F0301D 0603551D 0E041604 14BFD25E 124C75FF 0D206493
FE43674D C2BBC9F6 DF303A06 03551D1F 04333031 302FA02D A02B8629 68747470
3A2F2F63 726C2E67 656F7472 7573742E 636F6D2F 63726C73 2F736563 75726563
612E6372 6C301F06 03551D23 04183016 801448E6 68F92BD2 B295D747 D8232010
4F339890 9FD4301D 0603551D 25041630 1406082B 06010505 07030106 082B0601
05050703 02300D06 092A8648 86F70D01 01050500 03818100 70C57E30 ECF3D320
621C2466 72C8D25E 44A2AE7F 63194E59 C8947310 93D97EE4 72FB4C4A 20908E21
998CAC3C D57BEB39 61EDE753 FBEC8595 16A8FA4D 1D3E80B9 FDB0C593 3DC84A80
85DAEDA7 89F78E61 B66957D4 CF6AC961 A52F39BB 97045B28 6D630DCB 58385705
54453D03 F77DE03E 80BE3685 D23717FA 2B759029 2515815C
quit
username admin privilege 15 secret 5 ***************
!
!
track 1 rtr 1 reachability
!
class-map match-any Hogs
match protocol http url "*youtube*"
match protocol http url "*facebook*"
match protocol http url "*google*"
match protocol http url "*pandora*'"
match protocol http url "*pandora*"
match protocol http url "*shoutcast*"
match protocol http url "*amazon*"
!
!
!
crypto isakmp policy 9
hash md5
authentication pre-share
group 2
crypto isakmp key *********** address R_PUBLIC_IP
crypto isakmp key ********* address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer R_PUBLIC_IP
set transform-set TSET
match address 111
!
!
!
!
interface FastEthernet0
description ISP 1$FW_OUTSIDE$$ETH-WAN$
bandwidth 7680
ip address M_Public_IP 255.255.255.248 secondary
ip address M_Public_IP 255.255.255.248 secondary
ip address M_Public_IP 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
speed 100
full-duplex
crypto map CRYPTOMAP
!
interface FastEthernet1
description ISP 2$FW_OUTSIDE$$ETH-WAN$
bandwidth 1000
bandwidth receive 3000
ip address Public_IP 255.255.255.248
ip access-group 102 in
ip verify unicast reverse-path
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
shutdown
speed auto
full-duplex
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $LAN$ES_LAN$$FW_INSIDE$
ip address 172.27.0.9 255.255.0.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map director
!
interface Vlan2
ip address 192.168.6.2 255.255.255.0
ip nat outside
ip virtual-reassembly
ip route-cache flow
shutdown
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 M_PUBLIC_IP track 1
ip route 0.0.0.0 0.0.0.0 M2_PUBLIC_IP 10
ip route 172.28.0.0 255.255.0.0 172.27.0.1 permanent
!
ip flow-export source FastEthernet1
ip flow-export version 5
ip flow-export interface-names
ip flow-export destination 172.27.1.70 9996
ip flow-top-talkers
top 100
sort-by bytes
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation tcp-timeout 1800
ip nat inside source static tcp 172.27.1.70 8888 interface FastEthernet0 8888
ip nat inside source static tcp 172.27.1.30 15238 interface FastEthernet0 15238
ip nat inside source route-map ISP1 interface FastEthernet0 overload
ip nat inside source static tcp 172.27.1.10 143 interface FastEthernet0 143
ip nat inside source static udp 172.27.1.20 500 interface FastEthernet0 500
ip nat inside source static udp 172.27.1.20 4500 interface FastEthernet0 4500
ip nat inside source static tcp 172.27.1.10 110 interface FastEthernet0 110
ip nat inside source static tcp 172.27.1.10 80 interface FastEthernet0 80
ip nat inside source static tcp 172.27.1.10 443 interface FastEthernet0 443
ip nat inside source static udp 172.27.1.20 1701 interface FastEthernet0 1701
ip nat inside source static tcp 172.27.1.20 1723 interface FastEthernet0 1723
ip nat inside source static tcp 172.27.1.30 3445 interface FastEthernet0 3445
ip nat inside source static tcp 172.27.1.30 53 interface FastEthernet0 53
ip nat inside source static tcp 172.27.1.10 25 interface FastEthernet0 25
ip nat inside source static tcp 172.27.3.15 80 interface FastEthernet0 9090
ip nat inside source static udp 172.27.1.60 67 M_Public_IP 67 extendable
ip nat inside source static tcp 172.27.1.60 22 M_Public_IP 222 extendable
ip nat inside source static udp 172.27.1.60 1194 M_Public_IP 1194 extendable
ip nat inside source static tcp 172.27.1.60 3690 M_Public_IP 3690 extendable
ip nat inside source static udp 172.27.1.60 7777 M_Public_IP 7777 extendable
ip nat inside source static udp 172.27.1.60 7778 M_Public_IP 7778 extendable
ip nat inside source static udp 172.27.1.60 7779 M_Public_IP 7779 extendable
ip nat inside source static udp 172.27.1.60 7780 M_Public_IP 7780 extendable
ip nat inside source static tcp 172.27.1.60 80 M_Public_IP 8080 extendable
ip nat inside source static udp 172.27.1.60 10777 M_Public_IP 10777 extendable
ip nat inside source static udp 172.27.1.60 27015 M_Public_IP 27015 extendable
ip nat inside source static tcp 172.27.1.30 80 M_Public_IP 80 extendable
ip nat inside source static tcp 172.27.1.30 443 M_Public_IP 443 extendable
ip nat inside source static udp 172.27.1.70 1701 M_Public_IP 1701 extendable
ip nat inside source static tcp 172.27.1.70 1723 M_Public_IP 1723 extendable
ip nat inside source static udp 172.27.1.70 4500 M_Public_IP 4500 extendable
!
ip access-list extended ISP1
remark SDM_ACL Category=18
permit ip host 172.27.1.10 any
remark SDM_ACL Category=18
remark IPs routed out ISP2 - secondary IPs on local hosts
ip access-list extended ISP2
permit ip host 172.27.1.11 any
!
access-list 1 remark LAN Addresses
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.27.0.0 0.0.255.255
access-list 2 permit 172.27.1.11
access-list 100 remark LAN incoming access list
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 remark Unknown
access-list 100 deny ip any host 8.18.91.74
access-list 100 permit ip any any
access-list 101 remark ISP1 Incoming access list
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip PUBLIC_IP 0.0.0.7 172.27.0.0 0.0.255.255
access-list 101 permit esp any host M_Public_IP
access-list 101 permit ahp any host M_Public_IP
access-list 101 remark Auto generated by SDM for NTP (123) 216.184.20.83
access-list 101 permit udp host 216.184.20.83 eq ntp host M_Public_IP eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) time-nw.nist.gov
access-list 101 permit udp host 131.107.13.100 eq ntp host M_Public_IP eq ntp
access-list 101 permit udp host 4.2.2.1 eq domain any
access-list 101 permit udp host 4.2.2.2 eq domain any
access-list 101 permit udp host 12.127.16.68 eq domain any
access-list 101 permit udp host 12.127.16.67 eq domain any
access-list 101 permit udp host 12.127.17.62 eq domain any
access-list 101 permit icmp any PUBLIC_IP 0.0.0.7
access-list 101 permit icmp any PUBLIC_IP 0.0.0.255
access-list 101 permit tcp any host M_Public_IP eq 143
access-list 101 permit tcp any host M_Public_IP eq smtp
access-list 101 permit tcp any host M_Public_IP eq 1625
access-list 101 permit udp any host M_Public_IP eq isakmp
access-list 101 permit udp any host M_Public_IP eq 1701
access-list 101 permit tcp any host M_Public_IP
access-list 101 permit udp any host M_Public_IP eq non500-isakmp
access-list 101 permit udp any host M_Public_IP eq isakmp
access-list 101 permit udp any host M_Public_IP eq non500-isakmp
access-list 101 remark dns1
access-list 101 permit tcp any host M_Public_IP eq domain
access-list 101 permit tcp any host M_Public_IP eq pop3
access-list 101 permit tcp any host M_Public_IP eq www
access-list 101 permit tcp any host M_Public_IP eq www
access-list 101 permit tcp any host M_Public_IP eq 443
access-list 101 remark Sharepoint SSL
access-list 101 permit tcp any host M_Public_IP eq 443
access-list 101 permit udp any host M_Public_IP eq 1701
access-list 101 permit tcp any host M_Public_IP eq 1723
access-list 101 remark Project Server
access-list 101 permit tcp any host M_Public_IP eq 3445
access-list 101 remark SharePoint BeagleBoard Portal
access-list 101 permit tcp any host M_Public_IP eq 15238
access-list 101 remark Marge EventSentry
access-list 101 permit tcp any host M_Public_IP eq 8888
access-list 101 remark DW-WEBTEST
access-list 101 permit tcp any host M_Public_IP eq 9090
access-list 101 remark DW-WEBTEST
access-list 101 permit tcp any host PUBLIC_IP eq www
access-list 101 remark GRE
access-list 101 permit gre any host M_Public_IP
access-list 101 remark GRE
access-list 101 permit gre any host M_Public_IP
access-list 101 remark SSH
access-list 101 permit tcp any eq 22 host M_Public_IP eq 22
access-list 101 remark TF2 Web
access-list 101 permit tcp any host M_Public_IP eq 8080
access-list 101 remark TF2
access-list 101 permit udp any host M_Public_IP eq 7777
access-list 101 remark TF2
access-list 101 permit tcp any host M_Public_IP eq 3690
access-list 101 remark TF2
access-list 101 permit tcp any host M_Public_IP eq 222
access-list 101 remark TF2
access-list 101 permit udp any host M_Public_IP eq 27015
access-list 101 remark TF2
access-list 101 permit udp any host M_Public_IP eq 10777
access-list 101 remark Josh VPN Milhouse
access-list 101 permit udp any host M_Public_IP eq bootps
access-list 101 remark TF2
access-list 101 permit udp any host M_Public_IP eq 1194
access-list 101 remark TF2
access-list 101 permit udp any host M_Public_IP eq 7778
access-list 101 remark TF2
access-list 101 permit udp any host M_Public_IP eq 7779
access-list 101 remark TF2
access-list 101 permit udp any host M_Public_IP eq 7780
access-list 101 deny ip 172.27.0.0 0.0.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 remark IPSec Rule
access-list 102 remark ISP2 Incoming access list
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Auto generated by SDM for NTP (123) 131.107.13.100
access-list 102 permit udp host 131.107.13.100 eq ntp host PUBLIC_IP eq ntp
access-list 102 remark Auto generated by SDM for NTP (123) 216.184.20.83
access-list 102 permit udp host 216.184.20.83 eq ntp host PUBLIC_IP eq ntp
access-list 102 permit udp host 4.2.2.1 eq domain any
access-list 102 permit udp host 12.127.16.68 eq domain any
access-list 102 permit udp host 12.127.16.67 eq domain any
access-list 102 remark Auto generated by SDM for NTP (123) 216.184.20.83
access-list 102 permit udp host 216.184.20.83 eq ntp host PUBLIC_IP eq ntp
access-list 102 remark Auto generated by SDM for NTP (123) time-nw.nist.gov
access-list 102 permit udp host 131.107.13.100 eq ntp host PUBLIC_IP eq ntp
access-list 102 permit udp any eq domain host PUBLIC_IP
access-list 102 permit icmp any PUBLIC_IP 0.0.0.7
access-list 102 permit tcp any host Public_IP eq 143
access-list 102 permit tcp any host Public_IP eq smtp
access-list 102 permit tcp any host Public_IP eq 1625
access-list 102 permit udp any host Public_IP eq isakmp
access-list 102 permit udp any host Public_IP eq non500-isakmp
access-list 102 permit tcp any host Public_IP eq pop3
access-list 102 permit tcp any host Public_IP eq www
access-list 102 permit tcp any host Public_IP eq 443
access-list 102 permit udp any host Public_IP eq 1701
access-list 102 permit tcp any host Public_IP eq 1723
access-list 102 permit tcp any host Public_IP eq 3445
access-list 102 remark VPN
access-list 102 permit gre any host Public_IP
access-list 102 deny ip 172.27.0.0 0.0.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.27.0.0 0.0.255.255 173.10.35.184 0.0.0.7
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 172.27.0.0 0.0.255.255 173.10.35.184 0.0.0.7
access-list 104 permit ip 172.27.0.0 0.0.255.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 172.27.0.0 0.0.255.255 173.10.35.184 0.0.0.7
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 172.27.0.0 0.0.255.255 173.10.35.184 0.0.0.7
access-list 107 remark SDM_ACL Category=2
access-list 107 remark IPSec Rule
access-list 107 deny ip 172.27.0.0 0.0.255.255 173.10.35.184 0.0.0.7
access-list 107 permit ip 172.27.0.0 0.0.255.255 any
access-list 111 remark SDM_ACL Category=16
access-list 111 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 111 permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.0.0.0
snmp-server ifindex persist
no cdp run
!
!
!
route-map director permit 9
match ip address ISP1
set ip next-hop M_Public_IP1
!
route-map director permit 10
match ip address ISP2
set ip next-hop PUBLIC_IP
!
route-map ISP2 permit 9
match ip address 2
match interface FastEthernet1
!
route-map ISP2 permit 10
match ip address 1
match interface FastEthernet1
!
route-map ISP1 permit 10
match ip address 1
match interface FastEthernet0
!
!
!
tftp-server 172.27.1.30
!
control-plane
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
password ********
login
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180154
ntp update-calendar
ntp server 216.184.20.83
ntp server 131.107.13.100 source FastEthernet0
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
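Added check, not part of PImoose's post or of any Cisco tool: a small Python script that reads the inbound ACLs in the form posted above and evaluates them first-match, the way IOS does, for the three flows a site-to-site IPsec peer sends to the outside interface: ISAKMP (udp/500), NAT-T (udp/4500) and ESP (IP protocol 50). A grep is not enough here because every permit sits above a `deny ip any any log`, so order decides. Against the excerpt, access-list 101 (the M_Public_IP side) permits none of the three, and access-list 102 permits isakmp and non500-isakmp but not ESP; an inbound interface ACL has to pass all three or the tunnel cannot come up and encrypted traffic is dropped before decryption. The placeholder R_PUBLIC_IP for the remote peer, the function names and the constructed config excerpt are the example's own assumptions.

```python
"""Audit a Cisco IOS extended numbered ACL for the permits an IPsec peer needs.

Added example, not from the original post. It parses `access-list N ...` lines as
posted in the thread and evaluates, first-match like IOS, whether ISAKMP (udp/500),
NAT-T (udp/4500) and ESP (IP protocol 50) from the remote peer reach the local
outside address. Extended ACLs only; standard ACLs (1-99) use a different syntax."""
import re

# (label, protocol, source port, destination port) of the flows a site-to-site
# IPsec peer sends to the outside interface; None = the protocol has no ports.
IPSEC_FLOWS = (
    ("ISAKMP udp/500", "udp", "isakmp", "isakmp"),
    ("NAT-T udp/4500", "udp", "non500-isakmp", "non500-isakmp"),
    ("ESP ip/50", "esp", None, None),
)
# IOS port keywords used in the thread, so that `eq 500` and `eq isakmp` compare equal.
PORT_NAMES = {"isakmp": "500", "non500-isakmp": "4500", "ntp": "123", "www": "80"}
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")

def _take_addr(tok, i):
    """Consume one address spec: any | host A | network wildcard. Returns (spec, next)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1].lower(), i + 2
    return (tok[i].lower(), tok[i + 1]), i + 2

def _take_port(tok, i):
    """Consume an optional `eq|neq <port>` qualifier; other operators are not handled."""
    if i < len(tok) and tok[i] in ("eq", "neq"):
        return (tok[i], PORT_NAMES.get(tok[i + 1], tok[i + 1])), i + 2
    return None, i

def parse_acl(config_text, acl_number):
    """Return the ACEs of one ACL, in order, as dicts. Remark lines are skipped."""
    aces = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != str(acl_number):
            continue
        rest = m.group(4).split()
        src, i = _take_addr(rest, 0)
        sport, i = _take_port(rest, i)
        dst, i = _take_addr(rest, i)
        dport, _ = _take_port(rest, i)        # a trailing `log` keyword is ignored
        aces.append({"action": m.group(2), "proto": m.group(3).lower(), "src": src,
                     "sport": sport, "dst": dst, "dport": dport})
    return aces

def _addr_covers(spec, ip):
    """Thread placeholders compare as case-insensitive strings; a network/wildcard pair
    is taken to cover only its base address (conservative: never invents a permit)."""
    ip = ip.lower()
    if spec == "any":
        return True
    return spec[0] == ip if isinstance(spec, tuple) else spec == ip

def _port_covers(qual, port):
    """True if a port qualifier covers `port`; no qualifier means every port."""
    if qual is None or port is None:
        return True
    return (qual[1] == PORT_NAMES.get(port, port)) == (qual[0] == "eq")

def first_match(aces, proto, src_ip, dst_ip, sport=None, dport=None):
    """Walk the ACL top-down as IOS does; the implicit deny applies if nothing matches."""
    for ace in aces:
        if (ace["proto"] in ("ip", proto)
                and _addr_covers(ace["src"], src_ip) and _addr_covers(ace["dst"], dst_ip)
                and _port_covers(ace["sport"], sport) and _port_covers(ace["dport"], dport)):
            return ace["action"]
    return "deny"

def audit_ipsec(config_text, acl_number, peer_ip, outside_ip):
    """Verdict ('permit'/'deny') per IPsec flow from peer_ip to outside_ip."""
    aces = parse_acl(config_text, acl_number)
    return {label: first_match(aces, proto, peer_ip, outside_ip, sp, dp)
            for label, proto, sp, dp in IPSEC_FLOWS}

def suggested_aces(acl_number, peer_ip, outside_ip, verdicts):
    """IOS lines that open only the denied flows, and only from this one peer."""
    out = []
    for label, proto, _, dport in IPSEC_FLOWS:
        if verdicts.get(label) != "permit":
            ace = f"access-list {acl_number} permit {proto} host {peer_ip} host {outside_ip}"
            out.append(ace + (f" eq {dport}" if dport else ""))
    return out

# Constructed excerpt of the thread's two inbound ACLs, placeholders kept as posted
# (including the mixed-case Public_IP). R_PUBLIC_IP is the assumed remote peer.
SAMPLE_CONFIG = """\
access-list 101 permit udp any host M_Public_IP eq 1701
access-list 101 remark GRE
access-list 101 permit gre any host M_Public_IP
access-list 101 permit tcp any eq 22 host M_Public_IP eq 22
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip any any log
access-list 102 permit udp host 131.107.13.100 eq ntp host PUBLIC_IP eq ntp
access-list 102 permit icmp any PUBLIC_IP 0.0.0.7
access-list 102 permit udp any host Public_IP eq isakmp
access-list 102 permit udp any host Public_IP eq non500-isakmp
access-list 102 deny ip any any log
"""
```

Call audit_ipsec(SAMPLE_CONFIG, "101", "R_PUBLIC_IP", "M_Public_IP") and hand the verdicts to suggested_aces to get per-peer permit lines (host PEER to host LOCAL rather than `any`, which is also what SDM generates for a VPN peer). A numbered ACL appends new entries at the end, so an ACE added after `deny ip any any log` is never reached; on 12.4 as here, enter `ip access-list extended 101` and give the new entries a sequence number below the first deny, or rebuild the list. Two other things the same first-match evaluation shows in the posted config: `permit tcp any eq 22 host M_Public_IP eq 22` only admits SSH clients that also source from port 22, which real clients do not, and the vty lines still accept telnet alongside ssh.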

 