
Metro E modem seeing too many MAC addresses!


protocolpcs

I have a Cisco 1811W router and it is the DHCP server for the network of about 80 devices. We just added a Metro E modem to our network that connects our main office with a branch office. I plugged the modem into a LAN port on the back of the 1811. Everything worked fine until the ARP table of the modem filled up. The ISP is telling me I have to configure the connection between the modem and my router so that the modem can only see one MAC address.

Can someone please help me with this task?
Running config is:
!This is the running config of the router: 192.168.16.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ASN
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$i6vp$cDLzLrvB5GpIF1jt3zePs.
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization ipmobile default group rad_pmip
aaa authorization network sdm_vpn_group_ml_1 local
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1455584092
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1455584092
revocation-check none
rsakeypair TP-self-signed-1455584092
!
!
crypto pki certificate chain TP-self-signed-1455584092
certificate self-signed 01
quit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key fsp2asn address 174.79.x.x
!
crypto isakmp client configuration group RemoteASN
key xxxxxxx
dns 192.168.16.201
wins 192.168.16.201
pool SDM_POOL_1
acl 102
include-local-lan
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group RemoteASN
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to174.79.x.x
set peer 174.79.x.x
set transform-set ESP-3DES-SHA1
match address 103
!
!
dot11 ssid ASN
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 1513180214387B7C70
!
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.16.191 192.168.16.254
ip dhcp excluded-address 192.168.16.1 192.168.16.99
!
ip dhcp pool sdm-pool1
import all
network 192.168.16.0 255.255.255.0
dns-server 192.168.16.201
default-router 192.168.16.1
netbios-name-server 192.168.16.201
!
!
no ip bootp server
ip domain name asn.local
ip name-server 68.105.28.16
ip name-server 68.105.29.16
!
multilink bundle-name authenticated
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]

!
!
username admin privilege 15 secret 5 $1$Rkdh$5kKGby3LAgBCBiOsxQtUf0
username elawson privilege 15 password 7 09494208100B124058
username tfuselier privilege 15 password 7 051F140E22551C58
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 105
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 104
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
pass
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
bridge irb
!
!
!
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$
ip address 98.172.x.x 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
encryption vlan 1 mode ciphers tkip
!
ssid ASN
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no dot11 extension aironet
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 192.168.16.80 192.168.16.99
ip route 0.0.0.0 0.0.0.0 98.172.x.x
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 98.172.x.x 0.0.0.30 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.16.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip host 174.79.x.x any
access-list 105 remark SDM_ACL Category=0
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.14.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 106 remark SDM_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 192.168.16.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.16.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 106 permit ip 192.168.16.0 0.0.0.255 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 106
!
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
 
I've not read your config, but what you want to do is get that modem into a layer 3 port and route the connection from the branch/main office rather than try and switch it.
 
Yes, I agree. Now I just have to figure out the best way to do that on the 1811. I can use the SDM GUI software, but only know how to use the CLI when directed. Can anyone help?
 
Can I route between FastEthernet1 and BVI1?
BVI1 is 192.168.16.1
FastEthernet1 can be 192.168.12.1

Now how do I configure the router to pass traffic between the two? Is it even possible with the 1811?
 
Never tried on an 1800, should be the same though...

int fa0/1
bridge-group 1


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Edit:

This way your fa0/1 would just be part of the BVI. I believe you only need one IP.


 

conf t
interface FastEthernet1
bridge-group 2
!
interface BVI2
ip address 192.168.137.1 255.255.255.0

-----------
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.137.1, timeout is 2 seconds:
Packet sent with a source address of 10.200.200.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
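
The routed approach suggested in the thread, written out as an added example (not posted by any participant). It uses the FastEthernet1 address 192.168.12.1 proposed above; the branch subnet, mask and next hop are placeholders, and the zone placement is an assumption based on the zone-based firewall in the posted config.

```cisco
! Added example, not from the thread. Values marked ASSUMED are not on the page.
!
! In the posted config FastEthernet2-9 are switch ports bridged with Vlan1,
! BVI1 and the wireless SSID, so a modem on one of them learns every LAN MAC.
! FastEthernet1 is a routed port (currently "no ip address" / "shutdown").
! Move the modem cable to FastEthernet1 so the modem only sees that one MAC.
!
configure terminal
!
interface FastEthernet1
 description Metro E handoff to branch office (routed)
 ip address 192.168.12.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ! ASSUMED zone placement. With the zone-based firewall active, an interface
 ! that is in no zone cannot exchange traffic with BVI1 (in-zone).
 ! Putting the link in in-zone passes branch<->LAN traffic uninspected;
 ! use a dedicated zone and zone-pair if the branch should be filtered.
 zone-member security in-zone
 no shutdown
!
! ASSUMED placeholders: replace with the real branch LAN and the address of
! the branch router on the 192.168.12.0/24 Metro E segment.
ip route <BRANCH_SUBNET> <BRANCH_MASK> <BRANCH_NEXT_HOP>
!
end
!
! Checks after the change:
! interface is up/up with its address
show ip interface brief
! FastEthernet1 is listed as a member of in-zone
show zone security in-zone
! the branch route is installed
show ip route <BRANCH_SUBNET>
! only the branch router should appear on FastEthernet1
show arp
```

FastEthernet1 has no `ip nat inside` here, so branch traffic is routed to the main LAN but not translated out FastEthernet0. The branch end needs the same treatment (a routed interface facing the modem and a route back to 192.168.16.0/24).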
 