VPN router security

Status
Not open for further replies.

nunzeo

Programmer
Nov 17, 2003
196
US
I have a router which is creating a VPN tunnel back to a Cisco 3000 concentrator. I am looking to lock down the router as best as possible so anything not coming from the peer is dropped. I also want to make it so that I can access the router from one public IP address if for some reason I want to make any changes. My config is below. Any help would be appreciated.

Thanks, nunzeo

User Access Verification

Username: admin
Password:
VPN#show run
Building configuration...

Current configuration : 3592 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpn
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
username admin privilege 15 secret 5
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key address x.x.18.25
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.18.25
set peer x.x.18.25
set transform-set ESP-3DES-SHA
match address 100
!
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
ip address x.x.9.50 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.31.5.83 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local policy route-map SDM_RMAP_1
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.9.54
ip route 10.31.0.0 255.255.252.0 10.31.5.1
ip route 10.31.6.0 255.255.255.0 10.31.5.1
ip route 10.31.200.0 255.255.255.0 10.31.5.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.31.5.0 0.0.0.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
access-list 101 deny ip 10.31.0.0 0.0.255.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.31.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.31.5.0 0.0.0.255 10.0.0.0 0.255.255.255
snmp-server community RW
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
!
line con 0
login local
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end

vpn#
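Editor's note: the following is an added example, not part of nunzeo's post and not a reply from the thread. It shows one way to do what the post asks with the posted config as the starting point: an inbound filter on the WAN interface (FastEthernet4, x.x.9.50) that only admits IKE, NAT-T and ESP from the concentrator at x.x.18.25 plus SSH/HTTPS from a single admin address, and a lock-down of the management services that the posted config leaves open (telnet and plaintext HTTP enabled on every interface, a read-write SNMP community with no ACL, no access-class on the vty lines). MGMT.IP is a placeholder for the poster's one public management address, which is not given on the page; <community> stands for the SNMP community string, which the post redacted to its RW keyword. Everything else (peer, interface, addresses) is taken from the posted config.

```cisco
! Added example (editor), not the original poster's config.
! MGMT.IP = the single public admin address (placeholder, not on the page).
!
! --- management plane: SSH + HTTPS only, from one address ---
! 'hostname' and 'ip domain name' are already set, so an RSA key can be generated.
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
service password-encryption
no ip http server
ip http secure-server
ip http access-class 10
!
access-list 10 remark hosts allowed to reach SSH/HTTPS on the router itself
access-list 10 permit host MGMT.IP
access-list 10 permit 10.31.5.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
! --- SNMP: drop the unrestricted read-write community ---
! <community> is the string the post redacted. Re-add read-only with an ACL if needed.
no snmp-server community <community>
!
! --- WAN inbound filter: peer's IPsec traffic and admin host only ---
ip access-list extended WAN_IN
 remark IKE (UDP/500), NAT-T (UDP/4500) and ESP from the 3000 concentrator only
 permit udp host x.x.18.25 host x.x.9.50 eq isakmp
 permit udp host x.x.18.25 host x.x.9.50 eq non500-isakmp
 permit esp host x.x.18.25 host x.x.9.50
 remark SSH and HTTPS from the single admin address only
 permit tcp host MGMT.IP host x.x.9.50 eq 22
 permit tcp host MGMT.IP host x.x.9.50 eq 443
 remark everything else is dropped; log hits so probes are visible in the buffer
 deny ip any any log
!
interface FastEthernet4
 ip access-group WAN_IN in
```

Two practical caveats. First, apply this from a session that will survive the change (the console, or the inside Vlan1 address), or run `reload in 10` from privileged EXEC before `configure terminal` and `reload cancel` once SSH from MGMT.IP still works; the vty access-class plus `transport input ssh` will otherwise lock out a telnet session that came in from an address not in ACL 10. Second, on some 12.3 images the cleartext packets that come out of the tunnel are checked against the inbound interface ACL a second time after decryption. The symptom is that IKE completes and `show crypto ipsec sa` shows the SA up, but no traffic passes; the fix is to add a permit for the crypto ACL's traffic in the decrypted direction, `permit ip 10.0.0.0 0.255.255.255 10.31.0.0 0.0.255.255`, above the final deny in WAN_IN. Leave it out if the tunnel carries traffic without it, since the same line would also admit spoofed RFC 1918 sources arriving on the WAN. Note also that the filter drops return traffic for anything that hosts behind Vlan1 might initiate towards the Internet through this router; if that is a requirement, it needs a stateful allowance (CBAC, `ip inspect`) that this example does not include.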