RE: help!! ipsec tunnel

From: John Huston (jhuston@xxxxxxxxxxx)
Date: Tue May 29 2001 - 12:09:50 GMT-3


   
Attached are the configs for the two 1720 routers. The configs have been
scrubbed for security purposes, but I'm sure you will be able to figure
out what needs to go where.

John

=============Base Router

version 12.1
! Base-Router: global services. "service password-encryption" applies only the
! reversible type-7 encoding to line/enable passwords; it is not a hash.
! Log/debug timestamps use uptime rather than date/time and no NTP is configured,
! which makes correlating events between the two routers harder.
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Base-Router
!
logging rate-limit console 10 except errors
! NOTE(review): "enable password" is stored type-7 (reversible); "enable secret" is
! the hashed form and takes precedence when both are present.
enable password password
!
memory-size iomem 25
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
! CBAC (IOS Firewall) inspection rule. It is applied outbound on Serial0 below so
! that replies to LAN-initiated sessions are admitted through access-list 199.
! The name "FastEthernet_0" is misleading: the rule is not used on FastEthernet0.
ip inspect name FastEthernet_0 ftp
ip inspect name FastEthernet_0 tcp
ip inspect name FastEthernet_0 smtp
ip inspect name FastEthernet_0 udp
! IOS Firewall IDS: audit events go to syslog, at most 100 queued.
ip audit notify log
ip audit po max-events 100
no ip dhcp-client network-discovery
!
!
! IKE phase 1: 3DES / MD5 / pre-shared keys. No "group" line, so the IOS default
! (Diffie-Hellman group 1) applies; the lifetime is left at its default of 86400 s.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
! "(Remote)" is a scrub annotation, not IOS syntax: the real line ends at the address.
crypto isakmp key ciscokey address xxx.xxx.xxx.xxx (Remote)
! Wildcard key: a peer at any address may authenticate with "thekey". It is the only
! authentication for the dynamic-map (VPN client) entry below, so the strength and
! handling of this key is the whole of that trust boundary.
crypto isakmp key thekey address 0.0.0.0 0.0.0.0
! ISAKMP keepalives every 10 s with a 10 s retry, to detect a dead peer.
crypto isakmp keepalive 10 10
! Addresses handed to VPN clients by mode-config come from "clientpool" (defined below).
crypto isakmp client configuration address-pool local clientpool
!
! Global IPsec SA lifetime: 24 h.
crypto ipsec security-association lifetime seconds 86400
!
! ESP with 3DES and MD5-HMAC; tunnel mode by default.
crypto ipsec transform-set to_Remote esp-3des esp-md5-hmac
!
! Dynamic map for peers whose address is not known in advance (remote-access clients).
! It carries no "match address", so the data-flow identities proposed by the client
! are accepted as offered — presumably intended for mode-config clients; confirm.
crypto dynamic-map dyna 30
 set transform-set to_Remote
!
!
! Mode-config: this router both offers addresses and answers client address requests.
crypto map myvpn client configuration address initiate
crypto map myvpn client configuration address respond
! Entry 10: static site-to-site SA to Remote, protecting the GRE packets selected by
! access-list 102 (i.e. the Tunnel1 traffic). "(Remote)" is again a scrub annotation.
crypto map myvpn 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx (Remote)
 set transform-set to_Remote
 match address 102
! Entry 20: the dynamic map. Entries are evaluated in sequence order, so the static
! entry above is matched first and the dynamic one catches everything else.
crypto map myvpn 20 ipsec-isakmp dynamic dyna
!
!
!
!
! Loopback0 (1.1.1.0/24) is not used as tunnel source or IPsec peer; it is only
! referenced by access-list 101 and by the next-hop in route-map "static".
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
! GRE tunnel (default mode) to Remote, borrowing Serial0's address. The crypto map is
! applied here and on Serial0: in this 12.1 release it is expected on both the tunnel
! and the physical interface for the GRE packets to be encrypted.
! No "ip mtu" is set on the tunnel. With GRE plus ESP overhead, full-size LAN packets
! are fragmented or, if DF is set, dropped — TODO confirm MTU behaviour if large
! transfers fail across the tunnel while pings succeed.
interface Tunnel1
 ip unnumbered Serial0
 tunnel source Serial0
 tunnel destination xxx.xxx.xxx.xxx (Remote)
 crypto map myvpn
!
! LAN side (NAT inside). Policy routing via route-map "static" is applied to traffic
! from the two hosts in access-list 123; "no ip route-cache" forces process switching.
interface FastEthernet0
 description connected to EthernetLAN
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
 no ip route-cache
 ip policy route-map static
 no ip mroute-cache
 speed auto
!
! Internet side (NAT outside). Inbound traffic is filtered by access-list 199; the
! CBAC rule "FastEthernet_0" inspects outbound sessions so their replies are admitted.
! The crypto map here terminates the IPsec SAs (site-to-site GRE and VPN clients).
interface Serial0
 description connected to Internet
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ip access-group 199 in
 ip nat outside
 ip inspect FastEthernet_0 out
 no ip route-cache
 no ip mroute-cache
 ! Fractional T1 towards the provider: DS0 timeslots 17-24.
 service-module t1 timeslots 17-24
 service-module t1 remote-alarm-enable
 crypto map myvpn
!
! Address pool handed to VPN clients by mode-config (172.16.1.1 - 172.16.1.100).
ip local pool clientpool 172.16.1.1 172.16.1.100
! PAT: LAN traffic selected by route-map "nonat" (everything except the VPN
! destinations denied in access-list 122) is translated to the public pool.
ip nat pool inet xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.240
ip nat inside source route-map nonat pool inet overload
ip classless
! Default route out Serial0; the Remote LAN 192.168.2.0/24 is reached through Tunnel1.
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.2.0 255.255.255.0 Tunnel1
no ip http server
!
! access-list 1 and 101 are not referenced anywhere in this config (101 looks like the
! selector of a pure-IPsec design without GRE) — presumably leftovers; confirm before removing.
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255
! Crypto selector for crypto map entry 10: only GRE between the two public addresses is
! encrypted. This is one command wrapped by the mail client; "(base)"/"(remote)" are
! scrub annotations, not IOS syntax.
access-list 102 permit gre host xxx.xxx.xxx.xxx(base) host
xxx.xxx.xxx.xxx(remote)
! NAT exemption for route-map "nonat": site-to-site and VPN-client traffic is not translated.
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 122 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
! Policy-routing selector for route-map "static": two LAN hosts to the Remote LAN / client pool.
access-list 123 permit ip host 192.168.0.2 192.168.2.0 0.0.0.255
access-list 123 permit ip host 192.168.0.1 192.168.2.0 0.0.0.255
access-list 123 permit ip host 192.168.0.2 172.16.1.0 0.0.0.255
access-list 123 permit ip host 192.168.0.1 172.16.1.0 0.0.0.255
! Inbound filter on Serial0. ICMP error types, IKE (udp/500), ESP and the GRE tunnel
! packets from Remote are what the VPN itself needs.
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any packet-too-big
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any traceroute
access-list 199 permit icmp any any unreachable
access-list 199 permit udp any any eq isakmp
access-list 199 permit esp any any
! NOTE(review): the next entry admits clear-text packets from the Internet whose source
! claims to be 192.168.2.0/24. Site-to-site traffic arrives inside GRE (permitted below)
! and is decapsulated on Tunnel1, so this is probably only needed if decrypted traffic is
! re-checked against this list in this release — confirm, and keep the narrowest set
! that keeps the tunnel working.
access-list 199 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
! Telnet, SMTP and POP3 open from any source. Telnet and POP3 carry credentials in
! clear text; restricting the permitted sources reduces the exposure. No static NAT is
! visible, so the target is presumably the router's own address or a public server — confirm.
access-list 199 permit tcp any host xxx.xxx.xxx.xxx eq telnet
access-list 199 permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list 199 permit tcp any host xxx.xxx.xxx.xxx eq pop3
! Same anti-spoofing caveat as above for the loopback subnets and the 192.168.0.0 <-> 172.16.1.0
! pair. If decrypted traffic is re-checked here, the 172.16.1.0 -> 192.168.0.0 entry is the one
! VPN-client (non-GRE) traffic would need; the reverse direction should not arrive inbound on Serial0.
access-list 199 permit ip 1.1.2.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 199 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 199 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255
! GRE tunnel packets from Remote to Base. One command, wrapped by the mail client.
access-list 199 permit gre host xxx.xxx.xxx.xxx(Remote) host
xxx.xxx.xxx.xxx(Base)
! The list ends with the implicit "deny ip any any"; an explicit "deny ip any any log"
! would make dropped traffic visible in syslog.
!
!
! Policy routing for the access-list 123 hosts. Next-hop 1.1.1.2 lies in Loopback0's
! subnet and no device with that address appears in either config, so matched packets
! from 192.168.0.1/.2 bypass the Tunnel1 route — presumably a leftover from an earlier
! design. TODO confirm this is intended; if those two hosts cannot reach the Remote LAN
! while other LAN hosts can, this is the first thing to check.
route-map static permit 10
 match ip address 123
 set ip next-hop 1.1.1.2
!
! NAT exemption: access-list 122 denies VPN-bound traffic, so it is left untranslated.
route-map nonat permit 20
 match ip address 122
!
! Login banner. Everything between the ^C delimiters is shown verbatim at login
! (a "!" inside the banner would be banner text, not a comment).
banner motd ^C

***********************************
* Unauthorized entry into this *
* network is prohibited. Violators*
* will be prosecuted. *
***********************************

^C
!
! Console: sessions never time out (exec-timeout 0 0); line password only, type-7 encoded.
line con 0
 exec-timeout 0 0
 password password
 login
 transport input none
! AUX: dial-in modem enabled (modem InOut, transport input all), protected only by the
! line password — a second remote path into the router besides the VTYs.
line aux 0
 password password
 script dialer cisco-default
 modem InOut
 modem autoconfigure discovery
 transport input all
 stopbits 1
 speed 57600
 flowcontrol hardware
! VTYs: idle sessions never expire, no "access-class" limits the source addresses, and
! no "transport input" restriction is set, so telnet (clear-text password) is accepted.
! Access-list 199 already admits telnet from any source to one public address.
line vty 0 4
 exec-timeout 0 0
 password password
 login
!
no scheduler allocate
end

=============End Base Router

=============Remote Router

! Remote-Router: global services. No "version" line survived the scrub. As on Base,
! "service password-encryption" is reversible type-7 encoding, not a hash, and the
! uptime-based timestamps (no NTP configured) make cross-router event correlation harder.
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Remote-Router
!
logging rate-limit console 10 except errors
! Console logging is disabled here (it is enabled on Base).
no logging console
! NOTE(review): "enable password" is type-7 (reversible); "enable secret" is the hashed form.
enable password password
!
memory-size iomem 25
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
! CBAC inspection rule, applied outbound on Serial0 below (the name does not match
! the interface it is used on).
ip inspect name FastEthernet_0 ftp
ip inspect name FastEthernet_0 tcp
ip inspect name FastEthernet_0 smtp
ip inspect name FastEthernet_0 udp
! IOS Firewall IDS: audit events to syslog, at most 100 queued.
ip audit notify log
ip audit po max-events 100
no ip dhcp-client network-discovery
!
!
! IKE phase 1, same proposal as Base (3DES / MD5 / pre-shared; default DH group 1).
! "lifetime 84600" looks like a transposition of 86400 (Base uses the default 86400).
! In practice the peers end up with the shorter value, but aligning both removes the question.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 lifetime 84600
! Single static peer key; there is no wildcard key and no dynamic map on this side.
! "(Base)" is a scrub annotation, not IOS syntax.
crypto isakmp key ciscokey address xxx.xxx.xxx.xxx (Base)
crypto isakmp keepalive 10 10
!
! Global IPsec SA lifetime: 24 h.
crypto ipsec security-association lifetime seconds 86400
!
! Same transform set as Base; the name "to_Remote" was evidently copied over unchanged.
crypto ipsec transform-set to_Remote esp-3des esp-md5-hmac
!
! Site-to-site SA to Base, protecting the GRE packets selected by access-list 102.
crypto map myvpn 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx (Base)
 set transform-set to_Remote
 match address 102
!
!
!
!
! Loopback0 (1.1.2.0/24) is referenced only by the unused access-list 101 and by the
! inbound filter; Loopback1 has no address and is unused — presumably leftovers.
interface Loopback0
 ip address 1.1.2.1 255.255.255.0
!
interface Loopback1
 no ip address
!
! GRE tunnel (default mode) to Base, borrowing Serial0's address; the crypto map is
! applied here and on Serial0, as on the Base side. No "ip mtu" is set — see the
! same MTU caveat as for the Base router's Tunnel1.
interface Tunnel1
 ip unnumbered Serial0
 tunnel source Serial0
 tunnel destination xxx.xxx.xxx.xxx (Base)
 crypto map myvpn
!
! LAN side (NAT inside). No policy routing on this side.
interface FastEthernet0
 description connected to EthernetLAN
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
!
! Internet side (NAT outside): inbound filter 199, CBAC inspection outbound, and the
! crypto map terminating the site-to-site SA. "(Remote)" in the address line is a
! scrub annotation, not IOS syntax.
interface Serial0
 description connected to Internet
 ip address xxx.xxx.xxx.xxx (Remote) 255.255.255.252
 ip access-group 199 in
 ip nat outside
 ip inspect FastEthernet_0 out
 no ip route-cache
 no ip mroute-cache
 ! Fractional T1 towards the provider: DS0 timeslots 21-24.
 service-module t1 timeslots 21-24
 service-module t1 remote-alarm-enable
 crypto map myvpn
!
! PAT: LAN traffic selected by route-map "nonat" (everything except the Base LAN,
! denied in access-list 175) is translated to the public pool.
ip nat pool inet xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.240
ip nat inside source route-map nonat pool inet overload
ip classless
! Default route out Serial0; the Base LAN 192.168.0.0/24 is reached through Tunnel1.
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 192.168.0.0 255.255.255.0 Tunnel1
no ip http server
!
! access-list 1, 100 and 101 are not referenced anywhere in this config; 100 also
! contains a real (unscrubbed) public host address. Presumably leftovers — confirm.
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 host 64.212.42.49
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 1.1.2.0 0.0.0.255 1.1.1.0 0.0.0.255
! Crypto selector: GRE from this router to Base (the mirror of Base's list 102). One
! command wrapped by the mail client; "(Remote)"/"(Base)" are scrub annotations.
access-list 102 permit gre host xxx.xxx.xxx.xxx (Remote) host
xxx.xxx.xxx.xxx (Base)
! NAT exemption for route-map "nonat": traffic for the Base LAN is not translated.
access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any
! Inbound filter on Serial0 (mirror of Base's list 199).
access-list 199 permit icmp any any echo-reply
access-list 199 permit icmp any any packet-too-big
access-list 199 permit icmp any any time-exceeded
access-list 199 permit icmp any any traceroute
access-list 199 permit icmp any any unreachable
access-list 199 permit udp any any eq isakmp
access-list 199 permit esp any any
! NOTE(review): admits clear-text Internet packets claiming a 192.168.0.0/24 source.
! Site-to-site traffic arrives inside GRE (permitted below), so this is probably only
! needed if decrypted traffic is re-checked against this list — confirm and narrow.
access-list 199 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
! Telnet to this router's own public address from any source (clear-text credentials);
! restricting the source range, or managing it over the tunnel, reduces the exposure.
access-list 199 permit tcp any host xxx.xxx.xxx.xxx (Remote) eq telnet
! Same anti-spoofing caveat as above for the loopback subnets.
access-list 199 permit ip 1.1.1.0 0.0.0.255 1.1.2.0 0.0.0.255
! GRE tunnel packets from Base. One command, wrapped by the mail client.
access-list 199 permit gre host xxx.xxx.xxx.xxx (Base) host
xxx.xxx.xxx.xxx (Remote)
! The list ends with the implicit deny; "deny ip any any log" would make drops visible in syslog.
!
!
! NAT exemption: access-list 175 denies traffic for the Base LAN so it is left untranslated.
route-map nonat permit 10
 match ip address 175
!
! NOTE(review): SNMP read access with the well-known default community "public" and no
! access-list restriction. Access-list 199 does not admit SNMP from the Internet, but any
! LAN host can read the router's management information; use a non-default community
! string and restrict it with an access-list. (Base has no SNMP agent configured.)
snmp-server community public RO
! Login banner. The delimiter shows as "^CC" rather than the "^C" used on Base —
! presumably a paste artifact, but if the delimiter is ^C then the extra "C" becomes
! the first character of the banner text; confirm. Nothing between the delimiters
! is a comment.
banner motd ^CC

***********************************
* Unauthorized entry into this *
* network is prohibited. Violators*
* will be prosecuted. *
***********************************

^C
!
! Console: sessions never time out; line password only, type-7 encoded.
line con 0
 exec-timeout 0 0
 password password
 login
 transport input none
! AUX: dial-in modem enabled (modem InOut, transport input all), protected only by the
! line password — a second remote path into the router besides the VTYs.
line aux 0
 password password
 script dialer cisco-default
 modem InOut
 modem autoconfigure discovery
 transport input all
 stopbits 1
 speed 57600
 flowcontrol hardware
! VTYs: idle sessions never expire, no "access-class" limits the source addresses, and
! no "transport input" restriction is set, so telnet (clear-text password) is accepted.
! Access-list 199 admits telnet to this router's public address from any source.
line vty 0 4
 exec-timeout 0 0
 password password
 login
!
end

=============End Remote Router


