
Pix 515 to Cisco 870 VPN Issues


weinmatt

IS-IT--Management
Dec 30, 2004
We have been having issues with the VPN for some time now. We had a Cisco certified tech fix the config, but VPN connectivity would still drop.

We must only be missing one or two lines from either side.

Maybe I have to reset the shared key on each end?

Any and all help is very appreciated.

Pix config

PIX515E# sh run
: Saved
:
PIX Version 7.1(1)
!
hostname PIX515E
domain-name arkhon.com
enable password RPN.WPaKy.QDNIg/ encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 216.49.73.162 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.10.1 255.255.255.0
!
passwd RPN.WPaKy.QDNIg/ encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
domain-name arkhon.com
access-list 101 extended permit ip 10.0.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 10.0.10.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list 101 extended permit ip 10.0.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list 105 extended permit ip 10.0.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list outside_acl extended permit tcp any host 216.49.73.163 eq smtp
access-list outside_acl extended permit tcp any host 216.49.73.164 eq 8081
access-list outside_acl extended permit tcp any host 216.49.73.164 eq www
access-list outside_acl extended permit tcp any host 216.49.73.164 eq 5721
access-list outside_acl extended permit tcp any host 216.49.73.163 eq imap4
access-list outside_acl extended permit tcp any host 216.49.73.163 eq www
access-list outside_acl extended permit tcp any host 216.49.73.163 eq https
access-list outside_acl extended permit tcp any host 216.49.73.164 eq ftp
access-list outside_acl extended permit tcp any host 216.49.73.164 eq 3389
access-list outside_acl extended permit tcp any host 216.49.73.165 eq 3389
access-list outside_acl extended permit tcp any host 216.49.73.165 eq ftp
access-list outside_acl extended permit tcp any host 216.49.73.165 eq www
access-list outside_acl extended permit tcp any host 216.49.73.165 eq https
access-list outside_acl extended permit tcp any host 216.49.73.165 eq 4242
access-list outside_acl extended permit tcp any host 216.49.73.165 eq 2401
access-list outside_acl extended permit tcp any host 216.49.73.165 eq 2402
access-list outside_acl extended permit tcp any host 216.49.73.166 eq 3389
access-list outside_acl extended permit tcp any host 216.49.73.165 eq 308
access-list outside_acl extended permit tcp any host 216.49.73.162 eq ftp
pager lines 24
logging enable
logging timestamp
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.0.11.1-10.0.11.254
icmp permit host 216.49.73.161 echo-reply outside
icmp permit any outside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 216.49.73.162 ftp 10.0.10.246 ftp netmask 255.255.255.255
static (inside,outside) 216.49.73.163 10.0.10.252 netmask 255.255.255.255
static (inside,outside) 216.49.73.164 10.0.10.251 netmask 255.255.255.255
static (inside,outside) 216.49.73.165 10.0.10.245 netmask 255.255.255.255
static (inside,outside) 216.49.73.166 10.0.10.130 netmask 255.255.255.255
static (inside,outside) 216.49.73.167 10.0.10.216 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 216.49.73.161 1
timeout xlate 1:00:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server arkhonauth protocol radius
aaa-server arkhonauth host 10.0.10.250
timeout 5
key arkhon2
aaa-server arkhonauth host 10.0.10.252
group-policy vpnremote internal
group-policy vpnremote attributes
wins-server value 10.0.10.250
dns-server value 10.0.10.250 10.0.10.252
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 101
default-domain value arkhon.com
user-authentication-idle-timeout 1
username weinmatt password L4qZOK6SsIafyoVm encrypted privilege 15
http server enable
http 129.2.237.198 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set arkhon esp-des esp-md5-hmac
crypto ipsec transform-set toyota esp-des esp-md5-hmac
crypto ipsec transform-set gaithersburg esp-des esp-md5-hmac
crypto ipsec transform-set bethesda esp-des esp-md5-hmac
crypto ipsec transform-set GB esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set arkhon
crypto map arkhonmap 10 ipsec-isakmp dynamic dynmap
crypto map arkhonmap interface outside
crypto map gb-beth 11 match address 105
crypto map gb-beth 11 set peer 75.148.25.137
crypto map gb-beth 11 set transform-set bethesda
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) arkhonauth
tunnel-group vpnremote type ipsec-ra
tunnel-group vpnremote general-attributes
address-pool vpnpool
authentication-server-group (outside) arkhonauth
default-group-policy vpnremote
tunnel-group vpnremote ipsec-attributes
pre-shared-key *
tunnel-group 75.148.25.137 type ipsec-l2l
tunnel-group 75.148.25.137 ipsec-attributes
pre-shared-key *
telnet 129.2.237.198 255.255.255.255 outside
telnet 129.2.236.0 255.255.254.0 outside
telnet 216.49.77.222 255.255.255.255 outside
telnet 65.196.70.3 255.255.255.255 outside
telnet 10.0.10.0 255.255.255.0 inside
telnet timeout 5
ssh 129.2.236.0 255.255.254.0 outside
ssh timeout 3
ssh version 1
console timeout 0
dhcpd address 10.0.10.100-10.0.10.200 inside
dhcpd dns 10.0.10.252 10.0.10.250
dhcpd wins 10.0.10.252
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain arkhon.com
dhcpd auto_config outside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect http
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:f380266457497094b91e6656331d6bb5


cisco 870w config

arkhon-beth#sh run
Building configuration...

Current configuration : 9270 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname arkhon-beth
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret 5 $1$5WOH$dJdmE8t5o9WvQONv02tm40
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.12.1 10.10.12.99
!
ip dhcp pool sdm-pool1
import all
network 10.10.12.0 255.255.255.0
default-router 10.10.12.1
dns-server 10.10.12.251 68.87.73.242
netbios-name-server 10.10.12.251
domain-name arkhon.local
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name arkhon.com
ip name-server 68.87.73.242
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 http
no ip ips deny-action ips-interface
ip ips notify SDEE
no ip rcmd domain-lookup
ip rcmd rcp-enable
ip rcmd remote-host sdmRebb4d879 10.10.12.101 Lebb4d879 enable
ip rcmd remote-username sdmRebb4d879
!
!
crypto pki trustpoint TP-self-signed-480375918
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-480375918
revocation-check none
rsakeypair TP-self-signed-480375918
!
!
crypto pki certificate chain TP-self-signed-480375918
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34383033 37353931 38301E17 0D303630 31323530 35343531
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3438 30333735
39313830 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
C213EC74 219B28F3 3F2D34EB 0141C92B ACF2B9D5 6513111D C14F03DB 8FBDDD8D
8B5C904D E35ADAA7 74402A31 A4396809 733BAF9F B355E96C F61922B9 84B6DACF
F11EE611 D9944AEF 49555CF8 19AF3A60 EADFF783 DEA1702A FADFE5EC 41DA3F71
4C0525DB E75ECAF9 F2E6E3F6 8F176922 B5FD5643 D8B56221 304CC2C5 BC609011
02030100 01A37630 74300F06 03551D13 0101FF04 05300301 01FF3021 0603551D
11041A30 18821661 726B686F 6E2D6265 74682E61 726B686F 6E2E636F 6D301F06
03551D23 04183016 80141929 C99BBC78 22D3A292 5054F692 E0DBAE30 46B5301D
0603551D 0E041604 141929C9 9BBC7822 D3A29250 54F692E0 DBAE3046 B5300D06
092A8648 86F70D01 01040500 03818100 485E43C2 45BE20A1 D473CC2C 1537F31E
7A39A9DF 135EDE2E E334A4C9 7608DF00 DB091274 FE10CC1F F9AB34E2 077E3350
A0B51244 527AE48F 87D68520 F1EAA477 DFD81111 19027BB9 BB046F60 1D93920D
EC2CFDA0 C00AC362 0E07D38B C8531327 6291CCA3 EEA2DBBC 624546EC 51F69ABB
11B5F3C9 DDC97136 642A1AC0 7E32991F
quit
username arkhon privilege 15 secret 5 $1$HhrR$Q53IgNA0MplerhR4CtJgN1
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key amsurg address xxx.xxx.xxx.162
!
!
crypto ipsec transform-set GB esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel toxxx.xxx.xxx.162
set peer xxx.xxx.xxx.162
set transform-set GB
match address 106
!
bridge irb
!
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 75.xxx.xxx.xxx 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface Dot11Radio0
no ip address
!
encryption key 1 size 40bit 7 22D168F2095B transmit-key
encryption mode wep mandatory
!
ssid arkhon
authentication open
wpa-psk ascii 7 104F040A1005155D545C7C
!
ssid arkhon1
authentication open
guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.10.12.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.142
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.12.251 25 75.xxx.xxx.xxx 25 extendable
ip nat inside source static tcp 10.10.12.251 80 75.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 10.10.12.251 443 75.xxx.xxx.xxx 443 extendable
ip nat inside source static tcp 10.10.12.251 3389 75.xxx.xxx.xxx 3389 extendable
!
logging trap debugging
access-list 1 permit 10.10.12.0 0.0.0.255
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 100 remark auto-generated by Cisco SDM Express firewall configurati
access-list 100 remark SDM_ACL Category=1
access-list 100 remark auto-generated by Cisco SDM Express firewall configurati
access-list 100 permit ip xxx.xxx.xxx.0 0.0.0.248 host xxx.xxx.xxx.162
access-list 100 permit ip host 255.255.255.248 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp host 10.10.12.251 eq smtp host 75.xxx.xxx.xxx eq smtp
access-list 100 permit tcp host 10.10.12.251 eq 75.xxx.xxx.xxx eq www
access-list 100 permit tcp host 10.10.12.251 eq 3389 host 75.xxx.xxx.xxx eq 3389
access-list 100 permit tcp host 10.10.12.251 eq 443 host 75.xxx.xxx.xxx eq 443
access-list 101 remark SDM_ACL Category=17
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.0.10.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 101 permit udp host xxx.xxx.xxx.162 host 75.xxx.xxx.xxx eq non500-isakmp
access-list 101 permit udp host xxx.xxx.xxx.162 host 75.xxx.xxx.xxx eq isakmp
access-list 101 permit esp host xxx.xxx.xxx.162 host 75.xxx.xxx.xxx
access-list 101 permit ahp host xxx.xxx.xxx.162 host 75.xxx.xxx.xxx
access-list 101 permit ip 10.10.12.0 0.0.0.255 any
access-list 101 permit icmp any host 216.49.78.2 echo-reply
access-list 101 permit icmp any host 216.49.78.2 time-exceeded
access-list 101 permit icmp any host 216.49.78.2 unreachable
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.16.0.0 0.15.255.255 any
access-list 101 permit tcp host 10.10.12.251 eq 3389 host 216.49.78.222 eq 3389
access-list 101 remark SMTP For Exchange
access-list 101 permit tcp host 10.10.12.251 eq smtp host 216.49.78.222 eq smtp
access-list 101 remark http
access-list 101 permit tcp host 10.10.12.251 eq 216.49.78.222 eq www
access-list 101 remark https
access-list 101 permit tcp host 10.10.12.251 eq 443 host 216.49.78.222 eq 443
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip host 0.0.0.0 any
access-list 101 permit ip any any
access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.12.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.10.12.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 103 permit ip 10.10.12.0 0.0.0.255 any
access-list 104 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 105 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.10.12.0 0.0.0.255 10.0.10.0 0.0.0.255
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
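One check worth automating on the two configs above is that the crypto ACLs selecting tunnel traffic are exact mirror images: PIX ACL 105 is written with netmasks, IOS ACL 106 with wildcard masks, and a single wrong mask on either side gives a tunnel that negotiates but passes no traffic. This is an added example, not code from the thread; the config snippets inside it are a constructed subset of what was pasted.

```python
import ipaddress
import re

# Constructed subset of the two pasted configs: the PIX crypto ACL
# (netmask notation) and the IOS 870 crypto ACL (wildcard notation).
PIX_CONFIG = """\
access-list 105 extended permit ip 10.0.10.0 255.255.255.0 10.10.12.0 255.255.255.0
crypto map gb-beth 11 match address 105
"""
IOS_CONFIG = """\
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.10.12.0 0.0.0.255 10.0.10.0 0.0.0.255
crypto map SDM_CMAP_1 2 ipsec-isakmp
 match address 106
"""

PIX_ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
IOS_ACE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def pix_net(addr, mask):
    # PIX/ASA ACLs carry a normal subnet mask.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def ios_net(addr, wildcard):
    # IOS ACLs carry an inverse (wildcard) mask: 0.0.0.255 means /24.
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def crypto_acl(config, ace_re, to_net):
    """Return {acl_name: {(src_net, dst_net), ...}} for every permit-ip ACE."""
    acls = {}
    for line in config.splitlines():
        m = ace_re.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, set()).add((to_net(s, sm), to_net(d, dm)))
    return acls


def matched_acl(config):
    """The ACL bound to the crypto map with 'match address'."""
    m = re.search(r"match address (\S+)", config)
    return m.group(1) if m else None


def mirror_mismatches(pix_config, ios_config):
    """Each side's proxy IDs must be the reverse of the peer's; report any that are not."""
    pix = crypto_acl(pix_config, PIX_ACE, pix_net)[matched_acl(pix_config)]
    ios = crypto_acl(ios_config, IOS_ACE, ios_net)[matched_acl(ios_config)]
    mirrored_ios = {(dst, src) for src, dst in ios}
    return {"pix_only": pix - mirrored_ios, "ios_only": mirrored_ios - pix}


if __name__ == "__main__":
    print(mirror_mismatches(PIX_CONFIG, IOS_CONFIG))  # both sets empty: ACLs mirror
```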
 
I changed the seq # on the 870 to 1 and the vpn came up.

The ip phone we have now times out when doing the tftp part of its boot cycle.
 
The connection has just dropped. The status in the 870 sdm says it is up, but no traffic will go across the vpn.

Thanks.
 
The 870 is on a Comcast cable connection.

thanks
 
what does the

show crypto isa sa

show the state as?

If you debug crypto isa and debug crypto ipsec does it give any hints from the log messages? Post them here to see.

If you add 'log' to the access-list 106 is it taking hits?
 
Here are the show crypto results:
router#show crypto isa sa
dst src state conn-id slot status
216.49.xxx.xxx 75.148.xxx.xxx QM_IDLE 1004 0 ACTIVE

Turned on debugging but unsure of what to do next...
 
As a note: we are using an Avaya VOIP connection over the VPN and the tunnel almost always seems to go down after hanging up from a call.
 
Make sure that comcast doesn't have a "firewall" feature that would be blocking ports on your connection. I've recently run into a problem where the DSL provider had a "firewall" feature turned on somewhere on their router that would allow the VPN tunnel to come up, but not pass any traffic through it. Took me a bit of staring at the configs before I called the ISP. :(
 
The Comcast firewall is turned off for any devices with a static IP (aka our router).

The vpn does come up and stays up, but then randomly goes down.

The sdm says it is up, but we can not ping across it.

Thanks.
 