Route-map!!!

Hi All,
I have set up the VPN and the VPN connections are OK. The Internet access (with NAT overload) is also OK.
SPOKE1====HUB====SPOKE2

The ping between HUB=SPOKE1 and HUB=SPOKE2 is good.
But the ping between SPOKE1 and SPOKE2 is bad.
I see that the route-map (ACL 105) is denying some packets when I check the access-list counters (ACL 105).

Can somebody help on this? Are there any settings which I am missing?
Why is the route-map (ACL 105) denying the packets? The ping from HUB=SPOKE1 and HUB=SPOKE2 is 100%, but in the route-map I see the increase in the deny counter (ACL 105).

Below are the config details:
SPOKE1#
SPOKE1# ping 172.29.161.1
received from 172.29.161.1 (172.29.161.1): icmp_seq=0
received from 172.29.161.1 (172.29.161.1): icmp_seq=1
2 packets transmitted, 2 packets received
SPOKE1# ping 172.29.160.1
received from 172.29.160.1 (172.29.160.1): icmp_seq=0
received from 172.29.160.1 (172.29.160.1): icmp_seq=1
received from 172.29.160.1 (172.29.160.1): icmp_seq=2
received from 172.29.160.1 (172.29.160.1): icmp_seq=3
4 packets transmitted, 4 packets received
SPOKE1# ping 172.29.162.1
received from 172.29.162.1 (172.29.162.1): icmp_seq=0
received from 172.29.162.1 (172.29.162.1): icmp_seq=4
received from 172.29.162.1 (172.29.162.1): icmp_seq=6
received from 172.29.162.1 (172.29.162.1): icmp_seq=8
received from 172.29.162.1 (172.29.162.1): icmp_seq=10
received from 172.29.162.1 (172.29.162.1): icmp_seq=12
received from 172.29.162.1 (172.29.162.1): icmp_seq=14
15 packets transmitted, 7 packets received
SPOKE1# ping 172.29.162.2
received from 172.29.162.2 (172.29.162.2): icmp_seq=0
received from 172.29.162.2 (172.29.162.2): icmp_seq=2
received from 172.29.162.2 (172.29.162.2): icmp_seq=4
received from 172.29.162.2 (172.29.162.2): icmp_seq=6
received from 172.29.162.2 (172.29.162.2): icmp_seq=9
13 packets transmitted, 5 packets received
SPOKE1#
SPOKE2#
SPOKE2# ping 172.29.162.1
received from 172.29.162.1 (172.29.162.1): icmp_seq=0
received from 172.29.162.1 (172.29.162.1): icmp_seq=1
2 packets transmitted, 2 packets received
SPOKE2# ping 172.29.160.1
received from 172.29.160.1 (172.29.160.1): icmp_seq=0
received from 172.29.160.1 (172.29.160.1): icmp_seq=1
received from 172.29.160.1 (172.29.160.1): icmp_seq=1
received from 172.29.160.1 (172.29.160.1): icmp_seq=3
received from 172.29.160.1 (172.29.160.1): icmp_seq=4
5 packets transmitted, 5 packets received
SPOKE2# ping 172.29.161.1
received from 172.29.161.1 (172.29.161.1): icmp_seq=0
received from 172.29.161.1 (172.29.161.1): icmp_seq=4
received from 172.29.161.1 (172.29.161.1): icmp_seq=6
received from 172.29.161.1 (172.29.161.1): icmp_seq=7
received from 172.29.161.1 (172.29.161.1): icmp_seq=9
received from 172.29.161.1 (172.29.161.1): icmp_seq=11
received from 172.29.161.1 (172.29.161.1): icmp_seq=13
received from 172.29.161.1 (172.29.161.1): icmp_seq=15
received from 172.29.161.1 (172.29.161.1): icmp_seq=17
received from 172.29.161.1 (172.29.161.1): icmp_seq=19
received from 172.29.161.1 (172.29.161.1): icmp_seq=21
22 packets transmitted, 11 packets received
SPOKE2# ping 172.29.161.2
received from 172.29.161.2 (172.29.161.2): icmp_seq=0
received from 172.29.161.2 (172.29.161.2): icmp_seq=2
received from 172.29.161.2 (172.29.161.2): icmp_seq=4
received from 172.29.161.2 (172.29.161.2): icmp_seq=6
received from 172.29.161.2 (172.29.161.2): icmp_seq=8
9 packets transmitted, 5 packets received
SPOKE2#


ISR2821#show access-lists
Standard IP access list 1
10 permit 172.29.160.2
20 permit A.B.C.46 (2 matches)
Standard IP access list Nat-inside-to-outside
10 permit 172.29.160.0, wildcard bits 0.0.0.255 log
Extended IP access list 100
10 permit tcp host 172.29.160.2 host 172.29.160.1 eq telnet (372 matches)
20 permit tcp host 172.29.160.2 host 172.29.160.1 eq 22
30 permit tcp host 172.29.160.2 host 172.29.160.1 eq www
40 permit tcp host 172.29.160.2 host 172.29.160.1 eq 443
50 permit tcp host 172.29.160.2 host 172.29.160.1 eq cmd
60 deny tcp any host 172.29.160.1 eq telnet
70 deny tcp any host 172.29.160.1 eq 22
80 deny tcp any host 172.29.160.1 eq www
90 deny tcp any host 172.29.160.1 eq 443
100 deny tcp any host 172.29.160.1 eq cmd
110 deny udp any host 172.29.160.1 eq snmp
120 deny ip A.B.C.0 0.0.0.255 any
130 deny ip host 255.255.255.255 any
140 deny ip 127.0.0.0 0.255.255.255 any
150 permit ip any any log (58 matches)
Extended IP access list 101
10 permit ip 172.29.162.0 0.0.0.255 172.29.161.0 0.0.0.255 log
20 permit ip 172.29.161.0 0.0.0.255 172.29.162.0 0.0.0.255 log
30 permit ip 172.29.161.0 0.0.0.255 172.29.160.0 0.0.0.255 log
40 permit ip 172.29.161.0 0.0.0.255 172.29.160.0 0.0.0.255
50 permit udp host A.B.C.39 host A.B.C.40 eq non500-isakmp
60 permit udp host A.B.C.39 host A.B.C.40 eq isakmp (3 matches)
70 permit esp host A.B.C.39 host A.B.C.40 (35 matches)
80 permit ahp host A.B.C.39 host A.B.C.40
90 permit ip 172.29.162.0 0.0.0.255 172.29.160.0 0.0.0.255 log
100 permit udp host A.B.C.38 host A.B.C.40 eq non500-isakmp
110 permit udp host A.B.C.38 host A.B.C.40 eq isakmp (6 matches)
120 permit esp host A.B.C.38 host A.B.C.40 (87 matches)
130 permit ahp host A.B.C.38 host A.B.C.40
140 permit icmp any any log
150 permit icmp any host A.B.C.40 echo-reply log
160 permit icmp any host A.B.C.40 time-exceeded
170 permit icmp any host A.B.C.40 unreachable
180 permit tcp host A.B.C.46 host A.B.C.40 eq telnet
190 permit tcp host A.B.C.46 host A.B.C.40 eq 22
200 permit tcp host A.B.C.46 host A.B.C.40 eq www
210 permit tcp host A.B.C.46 host A.B.C.40 eq 443 (81 matches)
220 permit tcp host A.B.C.46 host A.B.C.40 eq cmd
230 permit ip host A.B.C.46 host A.B.C.40 log
240 deny udp any host A.B.C.40 eq snmp
250 deny ip 172.29.160.0 0.0.0.255 any
260 deny ip 10.0.0.0 0.255.255.255 any
270 deny ip 172.16.0.0 0.15.255.255 any
280 deny ip 192.168.0.0 0.0.255.255 any
290 deny ip 127.0.0.0 0.255.255.255 any
300 deny ip host 255.255.255.255 any
310 deny ip host 0.0.0.0 any
320 deny ip any any log (17 matches)
Extended IP access list 102
10 permit ip host 172.29.160.2 any
20 permit ip host A.B.C.46 any
Extended IP access list 103
10 permit ip 172.29.160.0 0.0.0.255 172.29.162.0 0.0.0.255 log (12 matches)
20 permit ip 172.29.161.0 0.0.0.255 172.29.162.0 0.0.0.255 log (73 matches)
Extended IP access list 104
10 permit ip 172.29.160.0 0.0.0.255 172.29.161.0 0.0.0.255 log (8 matches)
20 permit ip 172.29.162.0 0.0.0.255 172.29.161.0 0.0.0.255 log (58 matches)
Extended IP access list 105
10 deny ip 172.29.160.0 0.0.0.255 172.29.161.0 0.0.0.255 log (4 matches)
20 deny ip 172.29.162.0 0.0.0.255 172.29.161.0 0.0.0.255 log
30 deny ip 172.29.160.0 0.0.0.255 172.29.162.0 0.0.0.255 log (6 matches)
40 deny ip 172.29.161.0 0.0.0.255 172.29.162.0 0.0.0.255 log
50 permit ip 172.29.160.0 0.0.0.255 any log (1 match)
60 permit ip 172.29.161.0 0.0.0.255 any log
70 permit ip 172.29.162.0 0.0.0.255 any log
ISR2821#

ISR2821#show run
Building configuration...

Current configuration : 8061 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ISR2821
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
enable secret 5 %%%%%%%%%%%%%%%%%%%%%%%%
enable password 7 %%%%%%%%%%%&&&&&&&&&&
!
username &&&&&&&&&&&&&&&& password 7 $$$$$$$$$$$$$%%%%%%%%&&&&&&&&
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
authentication pre-share
lifetime 3600
crypto isakmp key #$#$#$#$ address A.B.C.39 255.255.255.0 no-xauth
crypto isakmp key #$#$#$#$ address A.B.C.38 255.255.255.0 no-xauth
!
!
crypto ipsec transform-set ISRTest esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toA.B.C.38
set peer A.B.C.38
set transform-set ISRTest
match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel toA.B.C.39
set peer A.B.C.39
set transform-set ISRTest
match address 104
!
!
!
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description $FW_INSIDE$$ETH-LAN$
ip address 172.29.160.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description $FW_OUTSIDE$
ip address A.B.C.40 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
!
ip http server
ip http access-class 1
ip http secure-server
ip nat log translations syslog
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
!
ip access-list standard Nat-inside-to-outside
remark SDM_ACL Category=2
permit 172.29.160.0 0.0.0.255 log
!
logging trap debugging
logging A.B.C.46
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 172.29.160.2
access-list 1 permit A.B.C.46
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp host 172.29.160.2 host 172.29.160.1 eq telnet
access-list 100 permit tcp host 172.29.160.2 host 172.29.160.1 eq 22
access-list 100 permit tcp host 172.29.160.2 host 172.29.160.1 eq www
access-list 100 permit tcp host 172.29.160.2 host 172.29.160.1 eq 443
access-list 100 permit tcp host 172.29.160.2 host 172.29.160.1 eq cmd
access-list 100 deny tcp any host 172.29.160.1 eq telnet
access-list 100 deny tcp any host 172.29.160.1 eq 22
access-list 100 deny tcp any host 172.29.160.1 eq www
access-list 100 deny tcp any host 172.29.160.1 eq 443
access-list 100 deny tcp any host 172.29.160.1 eq cmd
access-list 100 deny udp any host 172.29.160.1 eq snmp
access-list 100 deny ip A.B.C.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 172.29.162.0 0.0.0.255 172.29.161.0 0.0.0.255 log
access-list 101 permit ip 172.29.161.0 0.0.0.255 172.29.162.0 0.0.0.255 log
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.29.161.0 0.0.0.255 172.29.160.0 0.0.0.255 log
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.29.161.0 0.0.0.255 172.29.160.0 0.0.0.255
access-list 101 permit udp host A.B.C.39 host A.B.C.40 eq non500-isakmp
access-list 101 permit udp host A.B.C.39 host A.B.C.40 eq isakmp
access-list 101 permit esp host A.B.C.39 host A.B.C.40
access-list 101 permit ahp host A.B.C.39 host A.B.C.40
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.29.162.0 0.0.0.255 172.29.160.0 0.0.0.255 log
access-list 101 permit udp host A.B.C.38 host A.B.C.40 eq non500-isakmp
access-list 101 permit udp host A.B.C.38 host A.B.C.40 eq isakmp
access-list 101 permit esp host A.B.C.38 host A.B.C.40
access-list 101 permit ahp host A.B.C.38 host A.B.C.40
access-list 101 permit icmp any any log
access-list 101 permit icmp any host A.B.C.40 echo-reply log
access-list 101 permit icmp any host A.B.C.40 time-exceeded
access-list 101 permit icmp any host A.B.C.40 unreachable
access-list 101 permit tcp host A.B.C.46 host A.B.C.40 eq telnet
access-list 101 permit tcp host A.B.C.46 host A.B.C.40 eq 22
access-list 101 permit tcp host A.B.C.46 host A.B.C.40 eq www
access-list 101 permit tcp host A.B.C.46 host A.B.C.40 eq 443
access-list 101 permit tcp host A.B.C.46 host A.B.C.40 eq cmd
access-list 101 permit ip host A.B.C.46 host A.B.C.40 log
access-list 101 deny udp any host A.B.C.40 eq snmp
access-list 101 deny ip 172.29.160.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip host 172.29.160.2 any
access-list 102 permit ip host A.B.C.46 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.29.160.0 0.0.0.255 172.29.162.0 0.0.0.255 log
access-list 103 permit ip 172.29.161.0 0.0.0.255 172.29.162.0 0.0.0.255 log
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 172.29.160.0 0.0.0.255 172.29.161.0 0.0.0.255 log
access-list 104 permit ip 172.29.162.0 0.0.0.255 172.29.161.0 0.0.0.255 log
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 172.29.160.0 0.0.0.255 172.29.161.0 0.0.0.255 log
access-list 105 deny ip 172.29.162.0 0.0.0.255 172.29.161.0 0.0.0.255 log
access-list 105 deny ip 172.29.160.0 0.0.0.255 172.29.162.0 0.0.0.255 log
access-list 105 deny ip 172.29.161.0 0.0.0.255 172.29.162.0 0.0.0.255 log
access-list 105 permit ip 172.29.160.0 0.0.0.255 any log
access-list 105 permit ip 172.29.161.0 0.0.0.255 any log
access-list 105 permit ip 172.29.162.0 0.0.0.255 any log
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 102 in
password 7 $%&$%&$%&$%&
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

ISR2821#
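An added example, not part of the original post and not Cisco code: a small first-match evaluator for the numbered ACLs shown in the "show access-lists" output above, which tells you, for a given source and destination, which entry of the NAT route-map ACL (105) a flow lands on and which crypto map entry (ACL 103 toward peer A.B.C.38, ACL 104 toward peer A.B.C.39) would encrypt it. The point it makes: in an `ip nat inside source route-map` configuration, a `deny` in the ACL the route-map references means "do not translate this packet", not "drop it", so deny counters on ACL 105 are the expected signature of VPN traffic being kept out of NAT so that the crypto map can match it. The sample hosts 172.29.160.10 (a hub LAN host) and 198.51.100.7 (an Internet destination) are constructed for the example; the peer addresses are the post's own anonymized A.B.C.38 and A.B.C.39.

```python
"""Evaluate hub flows against the NAT route-map ACL and the crypto ACLs from the post.

Added example: the ACL text below is copied from the ISR2821 'show access-lists'
output in the post; the sample hosts used in main() are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACL_TEXT = """
Extended IP access list 103
10 permit ip 172.29.160.0 0.0.0.255 172.29.162.0 0.0.0.255 log (12 matches)
20 permit ip 172.29.161.0 0.0.0.255 172.29.162.0 0.0.0.255 log (73 matches)
Extended IP access list 104
10 permit ip 172.29.160.0 0.0.0.255 172.29.161.0 0.0.0.255 log (8 matches)
20 permit ip 172.29.162.0 0.0.0.255 172.29.161.0 0.0.0.255 log (58 matches)
Extended IP access list 105
10 deny ip 172.29.160.0 0.0.0.255 172.29.161.0 0.0.0.255 log (4 matches)
20 deny ip 172.29.162.0 0.0.0.255 172.29.161.0 0.0.0.255 log
30 deny ip 172.29.160.0 0.0.0.255 172.29.162.0 0.0.0.255 log (6 matches)
40 deny ip 172.29.161.0 0.0.0.255 172.29.162.0 0.0.0.255 log
50 permit ip 172.29.160.0 0.0.0.255 any log (1 match)
60 permit ip 172.29.161.0 0.0.0.255 any log
70 permit ip 172.29.162.0 0.0.0.255 any log
"""

# From the running config: crypto map SDM_CMAP_1 seq 1 matches 103 (peer .38),
# seq 2 matches 104 (peer .39); route-map SDM_RMAP_1 matches ACL 105 for NAT.
CRYPTO_MAP = {103: "A.B.C.38", 104: "A.B.C.39"}
NAT_ROUTE_MAP_ACL = 105


@dataclass
class Entry:
    seq: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hits: int  # the "(N matches)" counter, 0 when the line shows none

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


def _net(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a Cisco wildcard (hostmask) after the slash.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(text: str) -> Dict[int, List[Entry]]:
    """Parse 'show access-lists' output for extended ACLs into ordered entries."""
    acls: Dict[int, List[Entry]] = {}
    current = None
    for line in text.strip().splitlines():
        header = re.match(r"Extended IP access list (\d+)", line)
        if header:
            current = int(header.group(1))
            acls[current] = []
            continue
        hits = re.search(r"\((\d+) match", line)
        body = re.sub(r"\(\d+ match(?:es)?\)", "", line).split()
        seq, action = int(body[0]), body[1]          # body[2] is the protocol ('ip')
        src, rest = _net(body[3:])
        dst, _ = _net(rest)
        acls[current].append(Entry(seq, action, src, dst, int(hits.group(1)) if hits else 0))
    return acls


def first_match(entries: List[Entry], src: str, dst: str) -> Optional[Entry]:
    """IOS ACLs are evaluated top-down; the first matching entry decides."""
    return next((e for e in entries if e.matches(src, dst)), None)


def classify(src: str, dst: str) -> dict:
    """Report the NAT verdict and the crypto peer for one flow."""
    acls = parse_acls(ACL_TEXT)
    nat = first_match(acls[NAT_ROUTE_MAP_ACL], src, dst)
    # Route-map NAT semantics: permit -> translate; deny -> leave untranslated.
    # A deny here is NOT a drop, the packet simply continues to the crypto map.
    if nat is None:
        verdict = "no match (not translated)"
    else:
        verdict = "translate" if nat.action == "permit" else "exempt"
    crypto_acl = peer = None
    for acl_num, peer_addr in CRYPTO_MAP.items():   # crypto map sequence order
        hit = first_match(acls[acl_num], src, dst)
        if hit is not None and hit.action == "permit":
            crypto_acl, peer = acl_num, peer_addr
            break
    return {"nat": verdict, "nat_seq": nat.seq if nat else None,
            "crypto_acl": crypto_acl, "peer": peer}


def acl_hit_counts(acl_num: int) -> Dict[int, int]:
    """Counter per entry, to see which lines actually saw traffic."""
    return {e.seq: e.hits for e in parse_acls(ACL_TEXT)[acl_num]}


if __name__ == "__main__":
    flows = [("172.29.160.10", "172.29.161.1", "hub LAN -> SPOKE1"),
             ("172.29.160.10", "172.29.162.1", "hub LAN -> SPOKE2"),
             ("172.29.161.1", "172.29.162.1", "SPOKE1 -> SPOKE2 via hub"),
             ("172.29.162.1", "172.29.161.1", "SPOKE2 -> SPOKE1 via hub"),
             ("172.29.160.10", "198.51.100.7", "hub LAN -> Internet")]
    for s, d, label in flows:
        print(f"{label:26} {classify(s, d)}")
    print("ACL 105 counters:", acl_hit_counts(105))
```

Read the counters the same way the evaluator does: entries 10 and 30 of ACL 105 (hub LAN to each spoke) carry the 4 and 6 matches, which is hub LAN traffic being exempted from NAT so that ACL 104 and 103 can hand it to the tunnels; entries 20 and 40 (the spoke-to-spoke directions) show no matches at all. Inside-source NAT only examines packets crossing from an `ip nat inside` interface to an `ip nat outside` one, and spoke-to-spoke transit both enters and leaves GigabitEthernet0/1, so it never reaches the route-map; the ACL 105 counters therefore say nothing about where the spoke-to-spoke pings are lost, and the per-peer encaps/decaps counters in `show crypto ipsec sa` are the next place to look. The evaluator models first-match on source and destination only (these ACLs use no protocol or port qualifiers) and does not model the ingress interface.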