03.31.2008 at 02:00PM PDT, ID: 23283957
Cisco 1841 VPN Config
Tags: Cisco, Router, 1841, IPSEC VPN Tunnel
Hi,

I am configuring an IPSEC VPN tunnel between two 1841s, and this is the first time I have ever attempted this.

This is a LAN-to-LAN VPN. The local LAN is the 10.5.11.0/24 range and the remote is 192.168.0.0/28.
The router has 1 public IP and is configured for internet access using NAT.

This is the config I have created:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname redruth
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network Clients local
!
aaa session-id common
ip cef
!
!
!
!
ip domain name conticosraychem.local
!
!
crypto pki trustpoint TP-self-signed-1044222562
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1044222562
 revocation-check none
 rsakeypair TP-self-signed-1044222562
!
!
crypto pki certificate chain TP-self-signed-1044222562
 certificate self-signed 01
  30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31303434 32323235 3632301E 170D3038 30333137 31313134
  34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30343432
  32323536 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E530 B095952C B41FE955 34C2EC9E 518B11D6 845957D9 43E1DDFA 5718236A
  866C0046 E0638E2A FC14809A 16BD8118 705A7798 0C7CE23F 4801676A F737EFBC
  6D55F1AF 73D14B1D 12768A93 98D42388 69416DA5 73143ECD 26FAF156 F2860C71
  7988F197 B8514534 8F2144AB 2A166F36 D8B1C906 05360C21 C3C067AE B97AA166
  EC770203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603
  551D1104 21301F82 1D726564 72757468 2E636F6E 7469636F 73726179 6368656D
  2E6C6F63 616C301F 0603551D 23041830 1680147D 01F8D088 10D72025 D757C9CD
  166B016D 7C44E930 1D060355 1D0E0416 04147D01 F8D08810 D72025D7 57C9CD16
  6B016D7C 44E9300D 06092A86 4886F70D 01010405 00038181 00408756 A5F84F36
  DC1CABCB 5D6B781A 8B6A4A01 40AFC77E 2C0B3692 79821F47 8C5628C1 DF4EE8FC
  2AB5F218 78D154F6 7E8D31FA D49D60B9 A1031709 72964F9F D0E05FCD FFE1897C
  F31915C9 12C99EB5 3B43FA7E BC4D1786 71A61085 5BCBBC02 BF11A7CB C96E6429
  86F7DECE 192534B3 EA1A5FEE 5145AC6A 12DCE097 77C39548 4D
  quit
username admin privilege 15 secret 5 $1$.7WA$72qwpQFl2TFLj******
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
hash sha
group 2
crypto isakmp key 1234567890 address 194.145.xxx.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map VPN-Map 10 ipsec-isakmp
description vpn tunnel
set peer 194.145.xxx.xxx
set transform-set ESP-3DES-SHA
match address 102
!
!
interface FastEthernet0/0
 description Internal
 ip address 10.5.11.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description external
 ip address 78.33.xxx.xxx 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN-Map
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 78.33.xxx.xxx permanent
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet0/1 overload
!
!
access-list 23 permit 0.0.0.0
access-list 100 permit ip 10.5.11.0 0.0.0.255 any
access-list 101 remark Inbound ACL
access-list 101 permit icmp any any echo
access-list 101 permit tcp any any eq telnet
access-list 101 permit ip 10.5.11.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit esp host 194.145.xxx.xxx any
access-list 101 permit udp host 194.145.xxx.xxx any eq isakmp
access-list 102 remark IPSEC Rule
access-list 102 permit ip 10.5.11.0 0.0.0.255 192.168.0.0 0.0.0.31
!
!
route-map vpn_nat permit 1
match ip address 102
!
!
control-plane
!
!
!
line con 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

This is due to go live in the next couple of days but I can't test it yet. Can one of you Cisco gurus please look at my config for any potential issues?

Thanks in advance.

Question Stats
Zone: Networking
Question Asked By: waynewilliams
Solution Provided By: trinak96
Participating Experts: 1
Solution Grade: B
Views: 258
04.01.2008 at 02:55AM PDT, ID: 21252471

Rank: Master

Looks good apart from your NAT.
Basically you do NOT want to NAT traffic between the two networks; this is because the packet is encrypted and the headers contain the external interface address.
So, perform the following:

no ip nat inside source list 100 interface FastEthernet0/1 overload
route-map vpn_nat
 no match ip address 102
 match ip address 120
access-list 120 remark NoNAT
access-list 120 deny ip 10.5.11.0 0.0.0.255 192.168.0.0 0.0.0.31
! the rest of the LAN still has to be permitted so ordinary Internet traffic is translated
access-list 120 permit ip 10.5.11.0 0.0.0.255 any

I'm assuming your other router is configured the same; if so, make the appropriate changes on the remote side as well.


 
04.01.2008 at 02:57AM PDT, ID: 21252477

Rank: Master

Sorry, and add your NAT statement back as:

ip nat inside source route-map vpn_nat interface FastEthernet0/1 overload
 
04.01.2008 at 05:06AM PDT, ID: 21253060
Hi,

Thanks for your help. While I was waiting for an answer I worked out that I hadn't excluded the VPN traffic from NAT, so I amended both my configs as below:

Local:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2801
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network Clients local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2140501197
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2140501197
 revocation-check none
 rsakeypair TP-self-signed-2140501197
!
!
crypto pki certificate chain TP-self-signed-2140501197
 certificate self-signed 01
  30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32313430 35303131 3937301E 170D3037 31323035 31313532
  32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31343035
  30313139 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100DCF5 498EED8F 96C25464 82643B0E E3B0B7E6 76C496F0 A5BFC86A BA63C508
  5EEF459E E83608F6 BA83B6FD 4262238D 8883FD71 128A8AED 31549BF3 DF7C2D43
  2596DFA2 A845E4A6 5AA271E2 8AD79890 5B6AFF81 88F6BA5B 105E5C01 0D5D11C5
  A715B63B 3E5545D9 5CDD3851 D9A38277 6C16B3BC D80A951A F624C41B 7CBB283F
  0E1D0203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
  551D1104 0C300A82 08636F6E 7469636F 2E301F06 03551D23 04183016 8014B962
  129B0EFC C58864D9 903EC4B6 6F9C149E ADD8301D 0603551D 0E041604 14B96212
  9B0EFCC5 8864D990 3EC4B66F 9C149EAD D8300D06 092A8648 86F70D01 01040500
  03818100 89DB51EE 4DE8E014 5E5645B1 CBB0F593 76E572DE 242F73D0 B014968B
  9563C3CF 02C23692 B47788B9 90851B55 A690039C 23F9F34C 3CD58D5A 01F2ECA3
  889DAB56 9E31DDDC 2790675A D7D67B22 C36BF09B FBB56FA0 C3BF77D2 E84A45D2
  069E5692 495DB9F9 2DC30D85 2D165A64 EDF670C9 BF65C995 AA432670 78DA92DE 632AD6D7
  quit
username admin privilege 15 password 7 091E1A5E4F504*****
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key 1234567890 address 78.33.xxx.xxx no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60
crypto isakmp nat keepalive 60
crypto isakmp client configuration address-pool local ippool
!
crypto isakmp client configuration group Clients
 key pa55w0rd
 acl 105
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set 3desmd5
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm40.3
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address initiate
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 5 ipsec-isakmp dynamic dynmap
crypto map SDM_CMAP_1 10 ipsec-isakmp
 description vpn tunnel
 set peer 78.33.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 102
!
!
!
!
interface FastEthernet0/0
 description $FW_OUTSIDE$$ETH-LAN$
 ip address 194.145.xxx.xxx 255.255.255.240
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Vlan1
 description $FW_INSIDE$$ETH-LAN$
 ip address 192.168.0.1 255.255.255.224
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
ip local pool ippool 192.168.23.1 192.168.23.30
ip classless
ip route 0.0.0.0 0.0.0.0 194.145.xxx.xxx permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.31
access-list 100 permit ip any any
access-list 100 permit gre any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.5.11.0 0.0.0.255 192.168.0.0 0.0.0.31
access-list 101 remark GRE Passthru
access-list 101 permit gre any any log
access-list 101 permit udp host 78.33.xxx.xxx host 194.145.xxx.xxx eq non500-isakmp
access-list 101 permit udp host 78.33.xxx.xxx host 194.145.xxx.xxx eq isakmp
access-list 101 permit esp host 78.33.xxx.xxx host 194.145.xxx.xxx
access-list 101 permit ahp host 78.33.xxx.xxx host 194.145.xxx.xxx
access-list 101 deny ip 192.168.0.0 0.0.0.31 any
access-list 101 remark Allow Telnet Access
access-list 101 permit tcp any host 194.145.xxx.xxx eq telnet
access-list 101 remark Allow ssh access
access-list 101 permit tcp any any eq 22
access-list 101 remark Allow cisco vpn client access
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit icmp any any
access-list 101 permit icmp any host 194.145.xxx.xxx time-exceeded
access-list 101 permit icmp any host 194.145.xxx.xxx unreachable
access-list 102 remark ###bypassnat
access-list 102 permit ip 192.168.0.0 0.0.0.31 10.5.11.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.0.0 0.0.0.31 192.168.23.0 0.0.0.255
access-list 103 deny ip 192.168.0.0 0.0.0.31 10.5.11.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.31 any
access-list 105 remark ###split tunnel
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.23.0 0.0.0.255
!
!
route-map bypass_nat permit 1
 match ip address 102
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Remote:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1841
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network Clients local
!
aaa session-id common
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1044222562
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1044222562
 revocation-check none
 rsakeypair TP-self-signed-1044222562
!
!
crypto pki certificate chain TP-self-signed-1044222562
 certificate self-signed 01
  30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31303434 32323235 3632301E 170D3038 30333137 31313134
  34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30343432
  32323536 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E530 B095952C B41FE955 34C2EC9E 518B11D6 845957D9 43E1DDFA 5718236A
  866C0046 E0638E2A FC14809A 16BD8118 705A7798 0C7CE23F 4801676A F737EFBC
  6D55F1AF 73D14B1D 12768A93 98D42388 69416DA5 73143ECD 26FAF156 F2860C71
  7988F197 B8514534 8F2144AB 2A166F36 D8B1C906 05360C21 C3C067AE B97AA166
  EC770203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603
  551D1104 21301F82 1D726564 72757468 2E636F6E 7469636F 73726179 6368656D
  2E6C6F63 616C301F 0603551D 23041830 1680147D 01F8D088 10D72025 D757C9CD
  166B016D 7C44E930 1D060355 1D0E0416 04147D01 F8D08810 D72025D7 57C9CD16
  6B016D7C 44E9300D 06092A86 4886F70D 01010405 00038181 00408756 A5F84F36
  DC1CABCB 5D6B781A 8B6A4A01 40AFC77E 2C0B3692 79821F47 8C5628C1 DF4EE8FC
  2AB5F218 78D154F6 7E8D31FA D49D60B9 A1031709 72964F9F D0E05FCD FFE1897C
  F31915C9 12C99EB5 3B43FA7E BC4D1786 71A61085 5BCBBC02 BF11A7CB C96E6429
  86F7DECE 192534B3 EA1A5FEE 5145AC6A 12DCE097 77C39548 4D
  quit
username admin privilege 15 secret 5 $1$.7WA$72qwpQFl2TFLja/me****
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
hash sha
group 2
crypto isakmp key 1234567890 address 194.145.xxx.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map VPN-Map 10 ipsec-isakmp
description vpn tunnel
set peer 194.145.xxx.xxx
set transform-set ESP-3DES-SHA
match address 102
!
!
interface FastEthernet0/0
 description Internal
 ip address 10.5.11.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description external
 ip address 78.33.xxx.xxx 255.255.255.240
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN-Map
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 78.33.xxx.xxx permanent
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map excl-vpn interface FastEthernet0/1 overload
!
!
access-list 23 permit 0.0.0.0
access-list 100 permit ip 10.5.11.0 0.0.0.255 any
access-list 101 remark Inbound ACL
access-list 101 permit icmp any any echo
access-list 101 permit tcp any any eq telnet
access-list 101 permit ip 10.5.11.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit esp host 194.145.xxx.xxx any
access-list 101 permit udp host 194.145.xxx.xxx any eq isakmp
access-list 102 remark IPSEC Rule
access-list 102 permit ip 10.5.11.0 0.0.0.255 192.168.0.0 0.0.0.31
access-list 103 remark Exclude VPN from NAT
access-list 103 deny ip 10.5.11.0 0.0.0.255 192.168.0.0 0.0.0.31
access-list 103 permit ip 10.5.11.0 0.0.0.255 any
!
!
route-map vpn_nat permit 1
match ip address 102
!
route-map excl-vpn permit 1
match ip address 103
!
!
!
control-plane
!
!
!
line con 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

I take it this will work the same way except I have done two route-maps. I won't get to test this until tomorrow. Does it look ok?
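The NAT ordering problem raised in the answer above, and the crypto ACLs of the two configs just posted, as an added example that is not part of the thread: on IOS the inside-to-outside translation happens before the crypto map on the outside interface checks the packet against its crypto ACL, so LAN traffic that gets translated to the outside address no longer matches ACL 102 and is forwarded in the clear. The script below is a small model of that ordering (Python, not router code): it parses the thread's `access-list` lines, applies Cisco wildcard masks, walks a VPN-bound and an Internet-bound flow through the original `ip nat inside source list 100` configuration and through the route-map exemption, and checks that ACL 102 on each peer is the mirror image of the other. The public addresses are documentation-range stand-ins for the redacted 78.33.xxx.xxx and 194.145.xxx.xxx, and ACL 120 (a deny with no permit) is included to show what a deny-only exemption ACL does.

```python
"""Added example (not from the thread): model IOS NAT-before-crypto ordering.

Inside-to-outside NAT runs before the crypto map on the outside interface
compares a packet with its crypto ACL, so LAN traffic translated to the
outside address no longer matches the crypto ACL and leaves unencrypted.
These functions parse the thread's extended-ACL lines, apply Cisco wildcard
masks, walk sample flows through that ordering and check that both peers'
crypto ACLs are mirror images. Public IPs are documentation-range stand-ins.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_net(addr, wildcard):
    """'A.B.C.D W.X.Y.Z' with a Cisco wildcard (1 = don't care) -> network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:  # only contiguous wildcards are modelled
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)


def _operand(tokens, i):
    """Parse one address operand (any | host A | A W) at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_net(tokens[i], tokens[i + 1]), i + 2


def parse_acls(config_lines):
    """Collect 'access-list N permit|deny ip SRC DST' rules keyed by ACL number."""
    acls = {}
    for line in config_lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark" or t[3] != "ip":
            continue  # remarks and non-IP protocol entries are out of scope here
        src, i = _operand(t, 4)
        dst, _ = _operand(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def acl_action(acls, number, src, dst):
    """First match wins; an unmatched packet hits IOS's implicit deny."""
    for action, s, d in acls.get(number, []):
        if src in s and dst in d:
            return action
    return "deny"


def forward(acls, nat_acl, crypto_acl, outside_ip, src, dst):
    """Walk one LAN packet out of the outside interface: NAT, then crypto map.

    nat_acl is the ACL behind 'ip nat inside source list N' or behind the
    'match ip address N' of a permit route-map: a permit means translate.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_action(acls, nat_acl, src_ip, dst_ip) == "permit":
        src_ip = ipaddress.ip_address(outside_ip)  # PAT to the interface address
    encrypted = acl_action(acls, crypto_acl, src_ip, dst_ip) == "permit"
    return {"src": str(src_ip), "encrypted": encrypted}


def mirror_images(rules_a, rules_b):
    """Each (src, dst) permit on one peer must be a (dst, src) permit on the other."""
    a = {(s, d) for act, s, d in rules_a if act == "permit"}
    b = {(d, s) for act, s, d in rules_b if act == "permit"}
    return a == b


# ACL lines taken from the 1841 (10.5.11.0/24 side) config in the thread,
# plus a constructed deny-only exemption ACL 120 to show that pitfall.
SITE_A = """
access-list 100 permit ip 10.5.11.0 0.0.0.255 any
access-list 102 remark IPSEC Rule
access-list 102 permit ip 10.5.11.0 0.0.0.255 192.168.0.0 0.0.0.31
access-list 103 remark Exclude VPN from NAT
access-list 103 deny ip 10.5.11.0 0.0.0.255 192.168.0.0 0.0.0.31
access-list 103 permit ip 10.5.11.0 0.0.0.255 any
access-list 120 deny ip 10.5.11.0 0.0.0.255 192.168.0.0 0.0.0.31
""".strip().splitlines()
# Crypto ACL from the 2801 (192.168.0.0/27 side) config.
SITE_B = ["access-list 102 permit ip 192.168.0.0 0.0.0.31 10.5.11.0 0.0.0.255"]
OUTSIDE_A = "198.51.100.2"  # stand-in for the redacted 78.33.xxx.xxx


def run():
    """Evaluate the thread's before/after NAT configs against two sample flows."""
    acls = parse_acls(SITE_A)
    vpn_flow = ("10.5.11.10", "192.168.0.5")
    web_flow = ("10.5.11.10", "203.0.113.80")
    return {
        "orig_vpn": forward(acls, "100", "102", OUTSIDE_A, *vpn_flow),   # list 100
        "fixed_vpn": forward(acls, "103", "102", OUTSIDE_A, *vpn_flow),  # route-map
        "fixed_web": forward(acls, "103", "102", OUTSIDE_A, *web_flow),
        "deny_only_web": forward(acls, "120", "102", OUTSIDE_A, *web_flow),
        "mirrored": mirror_images(acls["102"], parse_acls(SITE_B)["102"]),
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:14} {result}")
```

With `ip nat inside source list 100` the VPN-bound packet is translated to the outside address and then fails the crypto ACL, so it leaves unencrypted; with the route-map matching ACL 103 it keeps its 10.5.11.x source, matches ACL 102 and is encrypted, while Internet-bound traffic is still translated. The `deny_only_web` case shows why the exemption ACL needs a trailing permit: a route-map whose ACL only denies matches nothing, so nothing is translated and Internet-bound packets leave with a private source address. The `mirrored` check is the one to repeat whenever either crypto ACL is edited, since a non-mirrored pair fails Phase 2 negotiation.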
 
04.01.2008 at 05:11AM PDT, ID: 21253086

Rank: Master

Looks good, post back with your testing results tomorrow, any problems and we'll find them....

Accepted Solution